Nureg CR-6144


NUREG/CR-6144
BNL-NUREG-52399
Vol. 2, Part 1B

Evaluation of Potential
Severe Accidents During
Low Power and Shutdown
Operations at Surry, Unit 1
Analysis of Core Damage Frequency from
Internal Events During Mid-Loop Operations

Main Report (Chapters 7-12)


Prepared by
T. L. Chu, Z. Musicki, P. Kohut, D. Bley, J. Yang, B. Holmes,
G. Bozoki, C. J. Hsu, D. J. Diamond, D. Johnson, J. Lin,
R. F. Su, V. Dang, D. Ilberg, S. M. Wong, N. Siu

Brookhaven National Laboratory

Prepared for
U.S. Nuclear Regulatory Commission

DISTRIBUTION OF THIS DOCUMENT IS UNLIMITED


AVAILABILITY NOTICE

Availability of Reference Materials Cited in NRC Publications

Most documents cited in NRC publications will be available from one of the following sources:
1. The NRC Public Document Room, 2120 L Street, NW., Lower Level, Washington, DC 20555-0001

2. The Superintendent of Documents, U.S. Government Printing Office, Mail Stop SSOP, Washington, DC
20402-9328

3. The National Technical Information Service, Springfield, VA 22161

Although the listing that follows represents the majority of documents cited in NRC publications, it is not
intended to be exhaustive.

Referenced documents available for inspection and copying for a fee from the NRC Public Document Room
include NRC correspondence and internal NRC memoranda; NRC bulletins, circulars, information notices,
inspection and investigation notices; licensee event reports; vendor reports and correspondence; Commission
papers; and applicant and licensee documents and correspondence.

The following documents in the NUREG series are available for purchase from the GPO Sales Program: formal
NRC staff and contractor reports, NRC-sponsored conference proceedings, international agreement reports,
grant publications, and NRC booklets and brochures. Also available are regulatory guides, NRC regulations in
the Code of Federal Regulations, and Nuclear Regulatory Commission Issuances.

Documents available from the National Technical Information Service include NUREG-series reports and
technical reports prepared by other Federal agencies and reports prepared by the Atomic Energy Commission,
forerunner agency to the Nuclear Regulatory Commission.

Documents available from public and special technical libraries include all open literature items, such as books,
journal articles, and transactions. Federal Register notices, Federal and State legislation, and congressional
reports can usually be obtained from these libraries.

Documents such as theses, dissertations, foreign reports and translations, and non-NRC conference
proceedings are available for purchase from the organization sponsoring the publication cited.

Single copies of NRC draft reports are available free, to the extent of supply, upon written request to the Office
of Administration, Distribution and Mail Services Section, U.S. Nuclear Regulatory Commission, Washington,
DC 20555-0001.

Copies of industry codes and standards used in a substantive manner in the NRC regulatory process are
maintained at the NRC Library, 7920 Norfolk Avenue, Bethesda, Maryland, for use by the public. Codes and
standards are usually copyrighted and may be purchased from the originating organization or, if they are American
National Standards, from the American National Standards Institute, 1430 Broadway, New York, NY 10018.

DISCLAIMER NOTICE

This report was prepared as an account of work sponsored by an agency of the United States Government.
Neither the United States Government nor any agency thereof, or any of their employees, makes any warranty,
expressed or implied, or assumes any legal liability or responsibility for any third party's use, or the results of
such use, of any information, apparatus, product or process disclosed in this report, or represents that its use
by such third party would not infringe privately owned rights.
DISCLAIMER

Portions of this document may be illegible in electronic image products. Images are
produced from the best available original document.
NUREG/CR-6144
BNL-NUREG-52399
Vol. 2, Part 1B

Evaluation of Potential
Severe Accidents During
Low Power and Shutdown
Operations at Surry, Unit 1
Analysis of Core Damage Frequency from
Internal Events During Mid-Loop Operations
Main Report (Chapters 7-12)

Manuscript Completed: January 1994


Date Published: June 1994

Prepared by
T. L. Chu, Z. Musicki, P. Kohut, D. Bley¹, J. Yang, B. Holmes²,
G. Bozoki, C. J. Hsu, D. J. Diamond, D. Johnson¹, J. Lin¹,
R. F. Su³, V. Dang³, D. Ilberg⁴, S. M. Wong, N. Siu³

Brookhaven National Laboratory


Upton, NY 11973

Prepared for
Division of Safety Issue Resolution
Office of Nuclear Regulatory Research
U.S. Nuclear Regulatory Commission
Washington, DC 20555-0001
NRC FIN L1922

¹TLG Inc., 4590 MacArthur Boulevard, Newport Beach, CA 92660-2027
²AEA Technology, Winfrith, Dorchester, Dorset, England, DT2 8DH
³MIT, Cambridge, MA 02139 (N. Siu currently at EG&G, Idaho Falls, ID 83415)
⁴Soreq Nuclear Research Center, Yavne 70600, Israel



ABSTRACT

Traditionally, probabilistic risk assessments (PRA) of severe accidents in nuclear power plants have
considered initiating events potentially occurring only during full power operation. Some previous screening
analyses that were performed for other modes of operation suggested that risks during those modes were small
relative to full power operation. However, more recent studies and operational experience have implied that
accidents during low power and shutdown could be significant contributors to risk.

During 1989, the Nuclear Regulatory Commission (NRC) initiated an extensive program to carefully
examine the potential risks during low power and shutdown operations. The program includes two parallel
projects being performed by Brookhaven National Laboratory (BNL) and Sandia National Laboratories (SNL).
Two plants, Surry (pressurized water reactor) and Grand Gulf (boiling water reactor), were selected as the
plants to be studied.

The objectives of the program are to assess the risks of severe accidents initiated during plant
operational states other than full power operation and to compare the estimated core damage frequencies,
important accident sequences and other qualitative and quantitative results with those accidents initiated
during full power operation as assessed in NUREG-1150. The scope of the program includes that of a level-3
PRA.

The objective of this volume of the report is to document the approach utilized in the level-1 internal
events PRA for the Surry plant, and discuss the results obtained. A phased approach was used in the level-1
program. In phase 1, which was completed in Fall 1991, a coarse screening analysis examining accidents
initiated by internal events (including internal fire and flood) was performed for all plant operational states
(POSs). The objective of the phase 1 study was to identify potential vulnerable plant configurations, to
characterize (on a high, medium, or low basis) the potential core damage accident scenarios, and to provide
a foundation for a detailed phase 2 analysis.

In phase 2, mid-loop operation was selected as the plant configuration to be analyzed based on the
results of the phase 1 study. The objective of the phase 2 study is to perform a detailed analysis of the
potential accident scenarios that may occur during mid-loop operation, and compare the results with those
of NUREG-1150. The scope of the level-1 study includes plant damage state analysis, and uncertainty analysis.
Volume 1 summarizes the results of the study. Internal events analysis is documented in Volume 2. It also
contains an appendix that documents the part of the phase 1 study that has to do with POSs other than mid-
loop operation. Internal fire and internal flood analyses are documented in Volumes 3 and 4. A separate
study on seismic analysis, documented in Volume 5, was performed for the NRC by Future Resources
Associates, Inc. Volume 6 documents the accident progression, source terms, and consequences analysis.

In the phase 2 study, system models applicable for shutdown conditions were developed and
supporting thermal hydraulic analyses were performed to determine both the timing of the accidents and
success criteria for systems. Initiating events that may occur during mid-loop operations were identified and
accident sequence event trees were developed and quantified. In the preliminary quantification of the mid-
loop accident sequences, it was found that the decay heat at which the accident initiating event occurs is an
important parameter that determines both the success criteria for the mitigating functions and the time
available for operator actions. In order to better account for the decay heat, a "time window" approach was
developed. In this approach, time windows after shutdown were defined based on the success criteria
established for the various methods that can be used to mitigate the accident. Within each time window, the
decay heat and accident sequence timing are more accurately defined and new event trees developed and
quantified accordingly. Statistical analysis of the past outage data was performed to determine the time at
which a mid-loop condition is reached, and the duration of the mid-loop operation. Past outage data were
used to determine the probability that an accident initiating event occurs in each of the time windows. This
probability is used in the quantification of the accident sequences.

The mean core damage frequency of the Surry plant due to internal events that may take place during
mid-loop operations is 5E-06 per year, and the 5th and 95th percentiles are 5E-07 and 2E-05 per year,
respectively. This can be compared with the mean core damage frequency from internal events of 4E-05 per
year estimated in the NUREG-1150 study for full power operations.

TABLE OF CONTENTS
Abstract iii
Table of Contents v
List of Figures xv
List of Tables xxi
Executive Summary xxvii
Foreword xli
Acknowledgements xliii
Acronyms xlv

1. Introduction and Approach


1.1 Background 1-1
1.2 Objectives 1-1
1.3 Methodology 1-2
1.4 Organization of the Report 1-6
1.5 References 1-6

2. Program Scope 2-1


2.1 References 2-1

3. Definition and Characterization of Outage Types and Plant Operational States (POSs) 3-1
3.1 Introduction 3-1
3.2 Outage Types 3-1
3.3 Definition of Plant Operational States for a Refueling Outage 3-1
3.4 Plant Operational States for Other Types of Outages 3-2
3.5 Low Power and Shutdown Outage Activities 3-3
3.5.1 POS 1-Low Power Operation and Reactor Shutdown 3-3
3.5.1.1 Summary of POS 1 Activities 3-3
3.5.1.2 Significant POS 1 Activities 3-3
3.5.1.3 Associated POS 1 Operating Procedures 3-4
3.5.2 POS 2-Cooldown with SGs to 345°F 3-4
3.5.2.1 Summary of POS 2 Activities 3-4
3.5.2.2 Significant POS 2 Activities 3-5
3.5.2.3 Associated POS 2 Operating Procedures 3-5
3.5.3 POS 3-Cooldown with RHR to 200°F 3-6
3.5.3.1 Summary POS 3 Activities 3-6
3.5.3.2 Significant POS 3 Activities 3-6
3.5.3.3 Associated POS 3 Operating Procedure 3-6
3.5.4 POS 4-Cooldown to Ambient Temperatures (using RHR) 3-7
3.5.4.1 Summary of POS 4 Activities 3-7
3.5.4.2 Significant POS 4 Activities 3-7
3.5.4.3 Associated POS 4 Operating Procedures 3-7
3.5.5 POS 5-Draining the RCS to Mid-loop 3-7
3.5.5.1 Summary of POS 5 Activities 3-7
3.5.5.2 Significant POS 5 Activities 3-8
3.5.5.2.1 Draining the RCS to 5% Pressurizer Level (29.0 ft) 3-8
3.5.5.2.2 Draining the RCS from 5% Pressurizer Level (29.0 ft) to Mid-Nozzle (12.5 ft) 3-9
3.5.5.3 Associated POS 5 Operating Procedures 3-10
3.5.6 POS 6-Mid-loop Operation 3-10

3.5.6.1 Summary of POS 6 Activities (including Significant ones) 3-10
3.5.6.2 Associated POS 6 (Maintenance) Operating Procedure 3-10
3.5.7 POS 7-Fill for Refueling 3-10
3.5.7.1 Summary of POS 7 Activities (including Significant ones) 3-10
3.5.7.2 Associated POS 7 Operating Procedure 3-11
3.5.8 POS 8-Refueling 3-11
3.5.8.1 Summary of POS 8 Activities (including Significant ones) 3-11
3.5.8.2 Associated POS 8 Operating Procedures 3-11
3.5.9 POS 9-Draining RCS to Mid-loop After Refueling 3-11
3.5.9.1 Summary of POS 9 Activities (including Significant ones) 3-11
3.5.9.2 Associated POS 9 Operating Procedures 3-12
3.5.10 POS 10-Mid-loop Operations After Refueling 3-12
3.5.10.1 Summary of POS 10 Activities (including Significant ones) 3-12
3.5.10.2 Associated POS 10 (Maintenance) Operating Procedures 3-12
3.5.11 POS 11-Refill RCS Completely (After Mid-loop Operation) 3-12
3.5.11.1 Summary of POS 11 Activities 3-12
3.5.11.2 Significant POS 11 Activities 3-12
3.5.11.3 Associated POS 11 Operating Procedures 3-13
3.5.12 POS 12-RCS Heatup Solid and Draw Bubble 3-13
3.5.12.1 Summary of POS 12 Activities 3-13
3.5.12.2 Significant POS 12 Activities 3-13
3.5.12.3 Associated POS 12 Operating Procedures 3-14
3.5.13 POS 13-RCS Heatup to 350°F 3-14
3.5.13.1 Summary of POS 13 Activities 3-14
3.5.13.2 Significant POS 13 Activities 3-14
3.5.13.3 Associated POS 13 Operating Procedures 3-14
3.5.14 POS 14-Startup with SGs 3-15
3.5.14.1 Summary of POS 14 Activities 3-15
3.5.14.2 Significant POS 14 Activities 3-15
3.5.14.3 Associated POS 14 Operating Procedures 3-15
3.5.15 POS 15-Reactor Startup and Low Power Operation 3-15
3.5.15.1 Summary of POS 15 Activities 3-15
3.5.15.2 Significant POS 15 Activities 3-16
3.5.15.3 Associated POS 15 Operating Procedures 3-17
3.6 Characterization of Mid-Loop POSs 3-17
3.7 References: 3-18

4. Initiating Event Analysis 4-1


4.1 Approach and Summary 4-1
4.1.1 Review of Existing Shutdown Studies 4-2
4.1.2 Review of Procedures Used during Shutdown 4-2
4.1.3 Review of Initiators for Power Operations 4-3
4.1.4 Review of NRC Generic Letters, Information Notices, Bulletin, and Circulars 4-3
4.1.5 Review of Other Documents 4-3
4.1.6 References 4-4
4.2 Loss of RHR Events 4-16
4.2.1 References 4-17
4.3 Loss of Off-Site Power 4-24
4.3.1 Statistical Analysis of Loss of Offsite Power Frequency and Recovery 4-24
4.3.2 Definition, Logical Model and Quantification of Categories of
Loss of Offsite Power and Station Blackout Initiators 4-41
4.3.2.1 System Configuration 4-41
4.3.2.2 LOSP Categories 4-41
4.3.2.3 Fault Trees for Breakdown of LOSP Initiator Into Categories 4-42
4.3.2.4 Quantification 4-42
4.3.3 References 4-43
4.4 Support System Failures 4-52
4.4.1 Loss of a 4.16KV AC Emergency Bus 4-52
4.4.2 Loss of a 125V DC Bus 4-53
4.4.3 Loss of a 120V AC Vital Bus 4-54
4.4.4 Loss of Instrument Air 4-54
4.4.5 Loss of Component Cooling Water (CCW) 4-56
4.4.6 Loss of Service Water 4-56
4.4.7 Loss of Emergency Switchgear Room Cooling (ESGR) 4-57
4.4.8 Loss of Charging Pump Cooling 4-58
4.4.9 Non-Recovery Curves for Support System Failures 4-58
4.4.10 References 4-58

Appendix 4.4.7.A Fault Tree to Determine the Frequency of the Initiator
"Loss of Emergency Switchgear Room (ESGR) Cooling" for POS (6) and (10) 4-66

4.5 Loss of Coolant Accidents (LOCAs) 4-72


4.5.1 Introduction 4-72
4.5.2 LOCAs Unique to Shutdown States 4-72
4.5.3 Applicability of LOCA Categories in Various Plant States 4-75
4.5.4 LOCA Frequencies 4-75
4.5.5 System Impact and Success Criteria 4-78
4.5.6 References 4-78
4.6 Interfacing Systems LOCA 4-91
4.6.1 Extended Interfacing System LOCA Analysis 4-91
4.6.2 Methodology 4-91
4.6.3 ISLOCA Scenarios 4-91
4.6.3.1 Low Pressure Safety Injection System V-Event Scenario 4-92
4.6.3.2 Residual Heat Removal System ISLOCA Scenarios 4-93
4.6.3.2.1 Interfacing Configurations of the RHRS 4-93
4.6.3.2.2 RHR Suction Line and RHR Discharge Line ISLOCAs
V-Event Through the RHR-CVCS Letdown Line 4-95
4.6.3.2.3 V-Event through the RHRS-CVCS Letdown Line
Associated With the Low Temperature
Overpressurization (LTOP) of the RHRS 4-98
4.6.3.2.4 V-Event Through the RHRS-RWST Connecting Line 4-98
4.6.3.3 Accumulator Discharge Line ISLOCA Scenario 4-99
4.6.4 References 4-101

APPENDIX 4.6.A - List of Component Failure Rates Used in the ISLOCA Analysis 4-112
4.6.A1 Check Valve Failure Rates 4-112
4.6.A1.1 Check Valve, Large Reverse Leakage 4-112
4.6.A1.2 Check Valve Failure to Operate (to Close) on Demand 4-112
4.6.A2 Motor Operated Valve Failure Rates 4-113
4.6.A2.1 MOV Internal Leakage 4-113

4.6.A2.2 MOV Disk Fails Open While Indicating Closed 4-113
4.6.A2.3 MOV Transfers Open 4-113
4.6.A2.4 MOV Failure to Operate (to Close and Stay Closed) 4-113
4.6.A2.5 MOV External Rupture 4-113
4.6.A3 Manual Valve Failure Rates 4-114
4.6.A3.1 Manual Valve Massive Internal Leakage 4-114
4.6.A3.2 Manual Valve Fails to Close 4-114
4.6.A3.3 Manual Valve Inadvertently Left Open by the Operator.
Failure of Its Recovery 4-114
4.6.A4 RHRS Rupture Probability 4-114
4.6.A5 Rupture Probability of the RHRS-CVCS Letdown Line 4-116
4.7 Steam Generator Tube Rupture (SGTR) 4-116
4.7.1 SGTR Initiating Frequency 4-118
4.7.2 Success Criteria 4-119
4.8 Spurious Emergency Safety Features Actuation Signals (SI, CLS, RMT) 4-121
4.9 Transients-Turbine Trips and Loss of Main Feedwater 4-122
4.9.1 Identification and Grouping of Transient Initiating Event 4-122
4.9.2 Estimation of Transient Initiating Event Frequencies 4-123
4.10 Estimate of Core Damage Frequency Due to Pressurized Thermal Shock 4-129
4.10.1 The Pressurized Thermal Shock Phenomenon 4-129
4.10.2 The Assessment of Core Damage Frequency due to PTS
in the Surry NUREG-1150 Study 4-129
4.10.3 Assessment of PTS Core Damage Frequency During
Low Power Operation and Shutdown at Surry 4-130
4.10.4 References 4-132
4.11 Reactivity Accidents 4-135
4.11.1 General Comments 4-135
4.11.2 Addition of Diluted Accumulator Water 4-135
4.11.2.1 Description of Event 4-136
4.11.2.2 Probabilistic Analysis 4-137
4.11.3 Addition of Diluted RWST Water 4-137
4.11.3.1 Description 4-137
4.11.3.2 Probabilistic Analysis 4-137
4.11.4 Boron Dilution Due to Maintenance Problems 4-138
4.11.4.1 Description of Events 4-138
4.11.4.2 Dilution When Cleaning Cavity 4-138
4.11.4.3 Dilution due to Steam Generator Maintenance 4-138
4.11.4.4 Probabilistic Analysis 4-139
4.11.5 Uncontrolled Boron Dilution from CVCS 4-139
4.11.5.1 Description of Event 4-139
4.11.5.2 Probabilistic Analysis 4-139
4.11.6 Boron Dilution via the RHR 4-140
4.11.6.1 Description of Event 4-140
4.11.6.2 Probabilistic Analysis 4-140
4.11.7 Startup of RCP after Improper Boron Dilution 4-140
4.11.7.1 Description of Event 4-140
4.11.7.2 Probabilistic Analysis 4-141
4.11.8 Rod Ejection Accident 4-142
4.11.8.1 Description of Event 4-142
4.11.8.2 Probabilistic Analysis 4-142

4.11.9 Misloading of Fuel Assemblies 4-143
4.11.9.1 Description of Event 4-143
4.11.9.2 Probabilistic Analysis 4-143
4.11.10 Uncontrolled Bank Withdrawal 4-143
4.11.10.1 Description of Event 4-143
4.11.10.2 Probabilistic Analysis 4-143
4.11.11 References 4-144
4.12 Initiating Events That Are Applicable to the Mid-Loop POSs 4-145

5.0 Supporting Thermal Hydraulic Analysis 5-1


5.1 Gravity Reflood Via the RWST 5-1
5.1.1 The Melcor Model 5-1
5.1.2 Results 5-3
5.1.3 Discussion 5-6
5.1.4 Conclusions 5-8
5.2 Primary Feed and Spill 5-31
5.2.1 Introduction 5-31
5.2.2 Analysis 5-31
5.2.3 Discussion of Results 5-34
5.2.4 Summary 5-38
5.3 Reflux Cooling 5-59
5.3.1 INEL Analysis 5-59
5.3.2 Westinghouse Analysis 5-61
5.3.3 Summary and General Remark 5-63
5.4 Summary of Results and Their Application to PRA Assumptions 5-65
5.5 References: 5-70

6.0 System Descriptions and Fault Tree Analysis


6.1 System Analysis Approach and Scope 6-1
6.2.1 Accumulator System 6-15
6.2.1.1 Accumulator Description 6-15
6.2.1.2 Accumulator Interfaces and Dependencies 6-15
6.2.1.3 Accumulator Operational Constraints 6-16
6.2.1.4 Accumulators Shutdown Configuration 6-16
6.2.1.5 Accumulator System Logic 6-16
6.2.2 Auxiliary Feedwater System 6-18
6.2.2.1 Auxiliary Feedwater System Description 6-18
6.2.2.2 Auxiliary Feedwater System Interfaces and Dependencies 6-18
6.2.2.3 Auxiliary Feedwater System Operating Constraints 6-19
6.2.2.4 Auxiliary Feedwater System Shutdown Configuration 6-19
6.2.2.5 Auxiliary Feedwater Logic Model 6-19
6.2.3 Charging Pump Cooling System 6-24
6.2.3.1 CPC System Description 6-24
6.2.3.2 Charging Pump Cooling System Interfaces and Dependencies 6-25
6.2.3.3 CPC System Operational Constraints 6-25
6.2.3.4 CPC System Shutdown Configuration 6-25
6.2.3.5 CPC System Logic Model 6-26
6.2.4 Component Cooling Water System 6-31
6.2.4.1 System Configuration and Description 6-31
6.2.4.2 Dependency on Other Support Systems 6-32

6.2.4.3 CCW System Operating Constraints 6-32
6.2.4.4 Fault Tree Modeling of the CCW System 6-33
6.2.4.5 Assumptions in the Fault Tree Models 6-33
6.2.5 Instrument Air System 6-41
6.2.5.1 Instrument Air System Description 6-41
6.2.5.2 Instrument Air System Interfaces and Dependencies 6-42
6.2.5.3 Instrument Air System Operating Constraints 6-42
6.2.5.4 Instrument Air System Shutdown Configuration 6-42
6.2.5.5 Instrument Air System Logic Model 6-42
6.2.6 Containment Spray System 6-50
6.2.6.1 Containment Spray System Description 6-50
6.2.6.2 Containment Spray System Interfaces and Dependencies 6-51
6.2.6.3 Tech Specs and Minimum Equipment List 6-51
6.2.6.4 Testing, Maintenance and Shutdown Configuration 6-51
6.2.6.5 Modifications to the 1150 Fault Trees 6-51
6.2.7 Emergency Power System 6-57
6.2.7.1 EPS Description 6-57
6.2.7.2 EPS Interfaces and Dependencies 6-61
6.2.7.3 Technical Specifications and Periodic Tests 6-63
6.2.7.4 Fault Tree Modeling 6-63
6.2.7.4.1 General Description 6-63
6.2.7.4.2 Assumptions in the Fault Tree Model of the EPS 6-64
6.2.7.5 Modification in the Line up of the EPS during Schedule maintenance of
main components 6-64
6.2.8 Emergency Switchgear Room Ventilation Systems 6-75
6.2.8.1 Normal Air Conditioning Chilled Water System 6-75
6.2.8.2 Backup Air Conditioning (Central) Chilled Water System 6-76
6.2.8.3 Emergency Switchgear and Relay Rooms Air Conditioning
Subsystem 6-76
6.2.8.4 Interfaces and Dependencies 6-77
6.2.8.5 Fault Tree Modeling 6-77
6.2.9 High Pressure Injection/Recirculation System 6-86
6.2.9.1 High Pressure Injection/Recirculation System Description 6-86
6.2.9.2 HPI/HPR System Interfaces and Dependencies 6-88
6.2.9.3 HPI/HPR System Operational Constraints 6-88
6.2.9.4 HPI/HPR System Shutdown Configuration 6-89
6.2.9.5 HPI/HPR System Logic Model 6-93
6.2.10 Low Pressure Injection/Recirculation System 6-103
6.2.10.1 Low Pressure Injection/Recirculation System Description 6-103
6.2.10.2 LPI/LPR System Interfaces and Dependencies 6-104
6.2.10.3 LPI/LPR System Operational Constraints 6-104
6.2.10.4 LPI/LPR System Shutdown Configuration 6-104
6.2.10.5 LPI/LPR System Logic Model 6-105
6.2.11 Primary Pressure Relief System 6-111
6.2.11.1 Primary Pressure Relief System Description 6-111
6.2.11.2 Dependencies 6-111
6.2.11.3 Tech Specs and Minimum Equipment List 6-111
6.2.11.4 Test and Maintenance 6-111
6.2.11.5 Fault Tree Modifications 6-111
6.2.12 The Recirculation Spray Systems - Inside (ISR) and Outside (OSR) 6-116

6.2.12.2 Support System Dependencies 6-117
6.2.12.3 Tech Specs and Minimum Equipment List 6-118
6.2.12.4 Testing and Maintenance of the RS system 6-118
6.2.12.5 Modifications to the 1150 Fault Trees 6-118
6.2.13 Residual Heat Removal System 6-126
6.2.13.1 Residual Heat Removal System Description 6-126
6.2.13.2 Residual Heat Removal System Interfaces and Dependencies 6-127
6.2.13.3 Residual Heat Removal System Operating Constraints 6-127
6.2.13.4 Residual Heat Removal System Shutdown Configuration 6-128
6.2.13.5 Residual Heat Removal System Logic Model 6-128
6.2.14 Service Water System/Circulating Water System 6-134
6.2.14.1.1 Service Water System Description 6-134
6.2.14.1.2 Service Water System Interfaces and Dependency 6-134
6.2.14.1.3 Service Water System Operational Constraints 6-134
6.2.14.1.4 Service Water System Shutdown Configurations 6-135
6.2.14.1.5 Logic Models of Service Water System 6-135
6.2.14.2.1 Circulating Water System Description 6-135
6.2.14.2.2 Circulating Water System Interfaces and Dependency 6-136
6.2.15 Steam Generator Recirculation and Transfer System 6-143
6.2.15.1 Steam Generator Recirculation and Transfer System Description 6-143
6.2.15.2 Steam Generator Recirculation and Transfer System Interfaces and
Dependencies 6-144
6.2.15.3 Steam Generator Recirculation and Transfer System Operating
Constraints 6-144
6.2.15.4 Steam Generator Recirculation and Transfer System Shutdown
Configuration 6-144
6.2.15.5 Steam Generator Recirculation and Transfer System Logic
Model 6-145
6.2.16 Steam Generator Secondary Relief System 6-148
6.2.16.1 Steam Generator Secondary Relief System Description 6-148
6.2.16.2 Steam Generator Secondary Relief System Dependencies 6-149
6.2.16.3 Steam Generator Secondary Relief System Operational
Constraints 6-149
6.2.16.4 Steam Generator Secondary Relief System Shutdown
Configuration 6-149
6.2.16.5 Steam Generator Secondary Relief Logic Model 6-150
6.2.17 Consequence Limiting Control System 6-151
6.2.18 Reactor Protection System 6-151
6.2.19 Recirculation Mode Transfer System 6-156
6.2.20 Safety Injection Actuation System 6-156

7.0 Event Tree Analysis 7-1


7.1 Event Tree Approach and Nomenclature 7-1
7.1.1 References: 7-4
7.2 Success Criteria for the Time Window Approach 7-8
7.2.1 References: 7-12
7.3 Loss of Residual Heat Removal Event Trees 7-21
7.3.1 Event Tree for Over-draining to Mid-Loop (RHR2A) 7-21
7.3.1.1 "Over-Draining to Mid-Loop" POS 6 - Refueling Event Tree 7-21
7.3.1.2 "Over-Draining to Mid-Loop" Event Tree - Refueling POS 10 7-25

7.3.1.3 "Over-Draining to Mid-Loop" Event Tree - Drained Maintenance POS 6 7-25
7.3.2 Event Trees for Loss of Inventory (RHR2B) 7-38
7.3.3 Event Trees for Total Loss Residual Heat Removal (RHR3) 7-49
7.3.4 Event Trees for Loss of Operating Train of RHR (RHR4) 7-60
7.3.5 Event Trees for Recoverable Loss of RHR (RHR5) 7-71
7.3.6 References: 7-82
7.4 Loss of Offsite Power and Station Blackout Event Trees 7-83
7.4.1 Event Trees for Loss of Offsite Power with
Both Emergency Buses Available (L1) 7-86
7.4.1.1 L1 Event Tree for Window 1 of R6 (L1W1R6) 7-86
7.4.1.2 L1 Event Tree for Window 1 of D6 (L1W1D6) 7-89
7.4.1.3 L1 Event Tree for Window 2 of R6 (L1W2R6) 7-90
7.4.1.4 L1 Event Tree for Window 2 of D6 (L1W2D6) 7-90
7.4.1.5 L1 Event Tree for Window 3 of R6 (L1W3R6) 7-90
7.4.1.6 L1 Event Tree for Window 3 of R10 (L1W3R10) 7-91
7.4.1.7 L1 Event Tree for Window 3 of D6 (L1W3D6) 7-91
7.4.1.8 L1 Event Tree for Window 4 of R6 (L1W4R6) 7-91
7.4.1.9 L1 Event Tree for Window 4 of R10 (L1W4R10) 7-91
7.4.1.10 L1 Event Tree for Window 4 of D6 (L1W4D6) 7-91
7.4.2 Event Tree for Loss of Offsite Power with Only One Emergency
Bus Available (L2) 7-91
7.4.3 Event Tree for Loss of Offsite Power with Only One Emergency Bus
at Unit One and Station Black-out at Unit 2 (L3) 7-92
7.4.4 Event Trees for Station Blackout at Unit 1 (B1) 7-92
7.4.4.1 B1 Event Tree for Window 1 of R6 (B1W1R6) 7-94
7.4.4.2 B1 Event Tree for Window 1 of D6 (B1W1D6) 7-95
7.4.4.3 B1 Event Trees in Other Windows 7-96
7.4.5 Event Trees for Station Blackout at Both Units (B2) 7-96
7.4.6 References 7-96
7.5 Support System Failure Event Trees 7-149
7.5.1 Event Trees for Loss of a 4.16 kV AC Emergency Bus 7-149
7.5.1.1 "Loss of a 4.16 kV AC Emergency Bus" Event Tree -
Refueling POS 6 7-150
7.5.1.2 "Loss of a 4.16 kV AC Emergency Bus" Event Tree -
Refueling POS 10 7-151
7.5.1.3 "Loss of a 4.16 kV AC Emergency Bus" Event Tree -
Drained Maintenance POS 6 7-152
7.5.2 Event Trees for Loss of a 120 V AC Vital Bus (VB) 7-164
7.5.2.1 "Loss of a 120 V AC Vital Bus" Event Tree -
Refueling POS 6 7-164
7.5.2.2 "Loss of a 120 V AC Vital Bus" Event Tree -
Refueling POS 10 7-166
7.5.2.3 "Loss of a 120 V AC Vital Bus" Event Tree -
Drained Maintenance POS 6 7-166
7.5.3 Event Trees for the "Spurious ESFAS Signal" 7-178
7.5.3.1 "Spurious ESFAS Signal" Event Tree - Refueling POS 6 7-178
7.5.3.2 "Spurious ESFAS Signal" Event Tree - Refueling POS 10 7-179
7.5.3.3 "Spurious ESFAS Signal" Event Tree - Drained Maintenance POS 6 7-180

7.5.4 Event Trees for Loss of Instrument Air (AR) 7-192
7.5.5 Event Trees for Loss of Component Cooling Water (CC) 7-204
7.5.5.1 "Loss of CCW" Event Tree - Refueling POS 6 7-204
7.5.5.2 "Loss of CCW" Event Tree - Refueling POS 10 7-206
7.5.5.3 "Loss of CCW" Event Tree - Drained Maintenance POS 6 7-206
7.5.6 Event Trees for Loss of Emergency Switchgear Room Cooling (SR) 7-218
7.6 Reactivity Accident Event Trees 7-230
7.6.1 Uncontrolled Boron Dilution from CVCS 7-230
7.6.2 Probabilistic Analysis of Boron Dilution Events During RCS Mid-Loop
Operation 7-230
7.6.3 References 7-231

Chapter 8. Human Interface Analysis 8-1


8.1 Overview of the Approach and Scope 8-1
8.2 Plant Design and Practice — Special Features at Surry 8-2
8.2.1 Surry Plant Procedures and Training 8-2
8.2.2 Surry Plant Operational Staffing 8-3
8.3 Approach for HRA 8-4
8.3.1 Incorporation Of Human Actions Into The Plant Model 8-5
8.3.2 Routine Actions Before An Initiating Event 8-6
8.3.3 Methodology For Evaluation Of Dynamic Operator
Actions and Recovery Actions 8-6
8.3.3.1 Qualitative Evaluation 8-7
8.3.3.2 Quantitative Evaluation 8-8
8.3.3.3 Quantification Process 8-10
8.3.3.4 Uncertainty 8-11
8.3.3.5 Summary 8-11
8.4 Actions while at Mid-loop 8-12
8.4.1 Human Responses 8-13
8.4.2 Factors Affecting Performance 8-15
8.5 Results of Human Actions Analysis 8-16
8.5.1 Qualitative Description Of The Dynamic Human Actions 8-17
8.5.2 Quantitative Evaluations 8-18
8.6 Recommendations 8-18
8.7 References 8-19

9.0 Data Base Development 9-1


9.1 Maintenance Unavailability 9-1
9.2 Duration and Frequency of Plant Operational States 9-17
9.3 Time to Mid-loop and Duration of Mid-loop Operations 9-26
9.4 Use of Log Book Data 9-30
9.4.1 Isolation of RCS LOOPs 9-30
9.4.2 Steam Generator in Wet Layup vs Drained 9-30
9.4.3 RCS Vented with Pressurizer Safety Valves Removed 9-31
9.4.4 Time Period in Which the RCS Is Closed and The
Temporary Seals at the Seal Table Were Installed 9-31

10. Accident Sequence Quantification 10-1


10.1 Descriptions of Recovery Actions 10-1
10.2 Results 10-4


10.3 Descriptions of Dominant Core Damage Cutsets 10-6

11.0 Plant Damage State Analysis 11-1

12.0 Uncertainty and Sensitivity Analysis 12-1


12.1 Sources and Treatment of Uncertainty 12-1
12.2 Parameter Uncertainty 12-3
12.3 Uncertainty Analysis Results 12-5
12.4 References 12-6

LIST OF FIGURES

Figure No. Title Page No.

3.1 Connection of the Standpipe System to the Vessel Head Vent 3-20

4.3.1-1 Non-Recovery Curves for POS 1 and 15 4-25


4.3.1-2 Non Recovery Curves for POS 2 to 14 4-26
4.3.2-1 Fault Tree for Failure of 1H Bus 4-44
4.3.2-2 Fault Tree for Failure of 1J Bus 4-45
4.3.2-3 Fault Tree for Failure of 2H Bus 4-46
4.3.2-4 Fault Tree for Failure of 2J Bus 4-47
4.4.7-A-1 Fault Tree for Initiating Event "Loss of Emergency Switchgear Room Cooling" 4-66
4.6-1 Schematic of the Low Pressure Safety Injection System V-Event Pathway 4-102
4.6-2 Schematic of the External Nonintrusive dc Magnet
Check Valve Monitoring Method 4-103
4.6-3 Disc Position and Motion Diagram of a 10-inch Carbon Steel
Check Valve Monitored by the External dc Magnet Method 4-104
4.6-4 Schematic of the Residual Heat Removal System
ISLOCA/V Event Pathways 4-105
4.6-5 Schematic of the Accumulator ISLOCA Pathways 4-106

5.1-1 State 6 (24 hours), Mid-loop Operation, Loops are Isolated 5-9
5.1-2 Melcor Noding 5-10
5.1-3 Case 3 - Primary Circuit Collapsed Liquid Levels (ft) 5-11
5.1-4 Case 3 - Primary Circuit Pressure (psia) 5-12
5.1-5 Case 3 - RWST Mass Flow (lbm/s) 5-13
5.1-6 Case 3 - Rod Temperatures (F) 5-14
5.1-7 Case 3 - RWST Flow Path Fraction Open 5-15
5.1-8 Case 3 - Pressurizer and RWST Liquid Levels (ft) 5-16
5.1-9 Case 3 - SRV Manifold Mass Flow (lbm/s) 5-17
5.1-10 Case 3 - Surge Line Mass Flow (lbm/s) 5-18
5.1-11 Case 3 - Containment Vapor Temperatures (F) 5-19
5.1-12 Case 3 - Containment Pressures (psia) 5-20
5.1-13 Impact of Delayed Injection - Pressurizer Pressure (psia) 5-21
5.1-14 Impact of Delayed Injection - SRV Manifold Flow Velocity (ft/s) 5-22
5.1-15 Impact of Delayed Injection - RWST Mass Flow (lbm/s) 5-23
5.1-16 Case 3 - Hot Leg C and Pressurizer Vapor Temperatures (F) 5-24
5.1-17 Base Cases - RWST Flow Path Fraction Open 5-25
5.2-1 Diagram of RCS and Pressurizer 5-41
5.2-2 PRV Pressure at Decay Time of 1 Day and with the Opening of 2 PORVs 5-42
5.2-3 PRV Pressure at Decay Time of 2 Days and with the Opening of 2 PORVs 5-43
5.2-4 PRV Pressure at Decay Time of 29 Days and with the Opening of 2 PORVs 5-44
5.2-5 PRV Pressure at Decay Time of 1 Day and with the Opening of 1 PORV 5-45
5.2-6 PRV Pressure at Decay Time of 2 Days and with the Opening of 1 PORV 5-46
5.2-7 PRV Pressure at Decay Time of 29 days and with the Opening of 1 PORV 5-47


6.2.1-1 Accumulator System Simplified Sketch 6-17


6.2.2-1 AFW System 6-22
6.2.3-1 CPC System Simplified Sketch 6-29
6.2.4-1 Simplified Flow Diagram. Component Cooling Water System,
Pumps & Heat Exchangers 6-35
6.2.4-2 Simplified Flow Diagram. Component Cooling Water System 6-36
6.2.4-3 Simplified Flow Diagram. Component Cooling Water System, RC
Pump Thermal Barrier Cooling 6-37
6.2.5-1 Compressed Air System 6-44
6.2.5-2 Instrument Air System 6-45
6.2.5-3 Containment Instrument Air System 6-46
6.2.6-1 CS System Simplified Diagram 6-53
6.2.6-2 CS System Diagram (Sheet 1) 6-54
6.2.7-1 Simplified Diagram showing the EPS (Unit 1)
as part of the Basic Electrical Distribution System 6-68
6.2.7-2 Plant 4160 VAC Electrical Distribution System (Unit 1 and Unit 2) 6-69
6.2.7-3 Detailed Diagram of the EPS (Unit 1) 6-70
6.2.8-1 Emergency Switchgear Room Ventilation System Service Water Side 6-79
6.2.8-2 Emergency Switchgear Room Ventilation System Chilled Water Side 6-80
6.2.8-3 Central Chilled Water System Support for
Emergency Switchgear Room Ventilation System Chilled Water Side 6-81
6.2.9-1 HPI/HPR System Simplified Sketch 6-100
6.2.10-1 LPI/LPR System Simplified Sketch 6-109
6.2.11-1 PPRS System Simplified Sketch 6-112
6.2.11-2 Primary Pressure Relief System Dependency Diagram 6-113
6.2.12-1 RS System Simplified Diagram 6-121
6.2.12-2 Recirculation Spray System 6-122
6.2.13-1 Simplified Drawing of the RHR System (Use 1150 drawing 4. Modify if necessary) 6-130
6.2.13-2 Component Cooling Water Supply to Loads Inside the Containment 6-131
6.2.13-3 Head Vent and Standpipe Diagram 6-132
6.2.14-1 Service Water System 6-137
6.2.15-1 Steam Generator Recirculation and Transfer Systems 6-146
6.2.16-1 Simplified Diagram Main Steam System Steam Generator
to Main Steam Header 6-151
6.2.16-2 Simplified Flow Diagram Main Steam Condenser Steam Dump Valves 6-152

7.1-1 Event Tree (R5W1R6) for a Recoverable Loss of RHR (RHR5) Initiating Event
in Window 1 of POS 6 of a Refueling Outage 7-5
7.1-2 Fault Tree for the T Top Event of Event Tree R5W1R6 7-6
7.1-3 High Level Fault Tree for Recovery of RHR Given a RHR5
Initiating Event in Window 1 7-7
7.2-1 Reflux Cooling in Window 1 7-13
7.2-2 Feed and Bleed RCS with V failed in RHR4, Window 1 7-14
7.2-3 Failure of Recirculation in Window 1 7-15
7.2-4 Gravity from RWST in RHR5, Window 1 7-16
7.3.1-1 Event Tree for Over-draining to Mid-loop in Window 1 R6 (RAW1R6) 7-28
7.3.1-2 Event Tree for Over-draining to Mid-loop in Window 2 R6 (RAW2R6) 7-29
7.3.1-3 Event Tree for Over-draining to Mid-loop in Window 3 R6 (RAW3R6) 7-30
7.3.1-4 Event Tree for Over-draining to Mid-loop in Window 4 R6 (RAW4R6) 7-31
7.3.1-5 Event Tree for Over-draining to Mid-loop in Window 1 D6 (RAW1D6) 7-32


7.3.1-6 Event Tree for Over-draining to Mid-loop in Window 2 D6 (RAW2D6) 7-33


7.3.1-7 Event Tree for Over-draining to Mid-loop in Window 3 D6 (RAW3D6) 7-34
7.3.1-8 Event Tree for Over-draining to Mid-loop in Window 4 D6 (RAW4D6) 7-35
7.3.1-9 Event Tree for Over-draining to Mid-loop in Window 3 R10 (RAW3R10) 7-36
7.3.1-10 Event Tree for Over-draining to Mid-loop in Window 4 R10 (RAW4R10) 7-37
7.3.2-1 Event Tree for Loss of Inventory in Window 1 R6 (RBW1R6) 7-39
7.3.2-2 Event Tree for Loss of Inventory in Window 2 R6 (RBW2R6) 7-40
7.3.2-3 Event Tree for Loss of Inventory in Window 3 R6 (RBW3R6) 7-41
7.3.2-4 Event Tree for Loss of Inventory in Window 4 R6 (RBW4R6) 7-42
7.3.2-5 Event Tree for Loss of Inventory in Window 1 D6 (RBW1D6) 7-43
7.3.2-6 Event Tree for Loss of Inventory in Window 2 D6 (RBW2D6) 7-44
7.3.2-7 Event Tree for Loss of Inventory in Window 3 D6 (RBW3D6) 7-45
7.3.2-8 Event Tree for Loss of Inventory in Window 4 D6 (RBW4D6) 7-46
7.3.2-9 Event Tree for Loss of Inventory in Window 3 R10 (RBW3R10) 7-47
7.3.2-10 Event Tree for Loss of Inventory in Window 4 R10 (RBW4R10) 7-48
7.3.3-1 Event Tree for Total Loss of RHR in Window 1 R6 (R3W1R6) 7-50
7.3.3-2 Event Tree for Total Loss of RHR in Window 2 R6 (R3W2R6) 7-51
7.3.3-3 Event Tree for Total Loss of RHR in Window 3 R6 (R3W3R6) 7-52
7.3.3-4 Event Tree for Total Loss of RHR in Window 4 R6 (R3W4R6) 7-53
7.3.3-5 Event Tree for Total Loss of RHR in Window 1 D6 (R3W1D6) 7-54
7.3.3-6 Event Tree for Total Loss of RHR in Window 2 D6 (R3W2D6) 7-55
7.3.3-7 Event Tree for Total Loss of RHR in Window 3 D6 (R3W3D6) 7-56
7.3.3-8 Event Tree for Total Loss of RHR in Window 4 D6 (R3W4D6) 7-57
7.3.3-9 Event Tree for Total Loss of RHR in Window 3 R10 (R3W3R10) 7-58
7.3.3-10 Event Tree for Total Loss of RHR in Window 4 R10 (R3W4R10) 7-59
7.3.4-1 Event Tree for Loss of Operating Train of RHR in Window 1 R6 (R4W1R6) 7-61
7.3.4-2 Event Tree for Loss of Operating Train of RHR in Window 2 R6 (R4W2R6) 7-62
7.3.4-3 Event Tree for Loss of Operating Train of RHR in Window 3 R6 (R4W3R6) 7-63
7.3.4-4 Event Tree for Loss of Operating Train of RHR in Window 4 R6 (R4W4R6) 7-64
7.3.4-5 Event Tree for Loss of Operating Train of RHR in Window 1 D6 (R4W1D6) 7-65
7.3.4-6 Event Tree for Loss of Operating Train of RHR in Window 2 D6 (R4W2D6) 7-66
7.3.4-7 Event Tree for Loss of Operating Train of RHR in Window 3 D6 (R4W3D6) 7-67
7.3.4-8 Event Tree for Loss of Operating Train of RHR in Window 4 D6 (R4W4D6) 7-68
7.3.4-9 Event Tree for Loss of Operating Train of RHR in Window 3 R10 (R4W3R10) 7-69
7.3.4-10 Event Tree for Loss of Operating Train of RHR in Window 4 R10 (R4W4R10) 7-70
7.3.5-1 Event Tree for Recoverable Loss of RHR in Window 1 R6 (R5W1R6) 7-72
7.3.5-2 Event Tree for Recoverable Loss of RHR in Window 2 R6 (R5W2R6) 7-73
7.3.5-3 Event Tree for Recoverable Loss of RHR in Window 3 R6 (R5W3R6) 7-74
7.3.5-4 Event Tree for Recoverable Loss of RHR in Window 4 R6 (R5W4R6) 7-75
7.3.5-5 Event Tree for Recoverable Loss of RHR in Window 1 D6 (R5W1D6) 7-76
7.3.5-6 Event Tree for Recoverable Loss of RHR in Window 2 D6 (R5W2D6) 7-77
7.3.5-7 Event Tree for Recoverable Loss of RHR in Window 3 D6 (R5W3D6) 7-78
7.3.5-8 Event Tree for Recoverable Loss of RHR in Window 4 D6 (R5W4D6) 7-79
7.3.5-9 Event Tree for Recoverable Loss of RHR in Window 3 R10 (R5W3R10) 7-80
7.3.5-10 Event Tree for Recoverable Loss of RHR in Window 4 R10 (R5W4R10) 7-81
7.4-1 L1 Event Tree for Window 1 of R6 (L1W1R6) 7-97
7.4-2 L1 Event Tree for Window 1 of D6 (L1W1D6) 7-98
7.4-3 L1 Event Tree for Window 2 of R6 (L1W2R6) 7-99
7.4-4 L1 Event Tree for Window 2 of D6 (L1W2D6) 7-100
7.4-5 L1 Event Tree for Window 3 of R6 (L1W3R6) 7-101


7.4-6 L1 Event Tree for Window 3 of R10 (L1W3R10) 7-102


7.4-7 L1 Event Tree for Window 3 of D6 (L1W3D6) 7-103
7.4-8 L1 Event Tree for Window 4 of R6 (L1W4R6) 7-104
7.4-9 L1 Event Tree for Window 4 of R10 (L1W4R10) 7-105
7.4-10 L1 Event Tree for Window 4 of D6 (L1W4D6) 7-106
7.4-11 L2 Event Tree for Window 1 of R6 (L2W1R6) 7-107
7.4-12 L2 Event Tree for Window 1 of D6 (L2W1D6) 7-108
7.4-13 L2 Event Tree for Window 2 of R6 (L2W2R6) 7-109
7.4-14 L2 Event Tree for Window 2 of D6 (L2W2D6) 7-110
7.4-15 L2 Event Tree for Window 3 of R6 (L2W3R6) 7-111
7.4-16 L2 Event Tree for Window 3 of R10 (L2W3R10) 7-112
7.4-17 L2 Event Tree for Window 3 of D6 (L2W3D6) 7-113
7.4-18 L2 Event Tree for Window 4 of R6 (L2W4R6) 7-114
7.4-19 L2 Event Tree for Window 4 of R10 (L2W4R10) 7-115
7.4-20 L2 Event Tree for Window 4 of D6 (L2W4D6) 7-116
7.4-21 L3 Event Tree for Window 1 of R6 (L3W1R6) 7-117
7.4-22 L3 Event Tree for Window 1 of D6 (L3W1D6) 7-118
7.4-23 L3 Event Tree for Window 2 of R6 (L3W2R6) 7-119
7.4-24 L3 Event Tree for Window 2 of D6 (L3W2D6) 7-120
7.4-25 L3 Event Tree for Window 3 of R6 (L3W3R6) 7-121
7.4-26 L3 Event Tree for Window 3 of R10 (L3W3R10) 7-122
7.4-27 L3 Event Tree for Window 3 of D6 (L3W3D6) 7-123
7.4-28 L3 Event Tree for Window 4 of R6 (L3W4R6) 7-124
7.4-29 L3 Event Tree for Window 4 of R10 (L3W4R10) 7-125
7.4-30 L3 Event Tree for Window 4 of D6 (L3W4D6) 7-126
7.4-31 Event Tree for Unit-1 Station Blackout in Window 1 of R6 (B1W1R6) 7-127
7.4-32 Event Tree for Unit-1 Station Blackout in Window 1 of D6 (B1W1D6) 7-128
7.4-33 Event Tree for Unit-1 Station Blackout in Window 2 of R6 (B1W2R6) 7-129
7.4-34 Event Tree for Unit-1 Station Blackout in Window 2 of D6 (B1W2D6) 7-130
7.4-35 Event Tree for Unit-1 Station Blackout in Window 3 of R6 (B1W3R6) 7-131
7.4-36 Event Tree for Unit-1 Station Blackout in Window 3 of R10 (B1W3R10) 7-132
7.4-37 Event Tree for Unit-1 Station Blackout in Window 3 of D6 (B1W3D6) 7-133
7.4-38 Event Tree for Unit-1 Station Blackout in Window 4 of R6 (B1W4R6) 7-134
7.4-39 Event Tree for Unit-1 Station Blackout in Window 4 of R10 (B1W4R10) 7-135
7.4-40 Event Tree for Unit-1 Station Blackout in Window 4 of D6 (B1W4D6) 7-136
7.4-41 Event Tree for Station Blackout at Both Units in Window 1 of R6 (B2W1R6) 7-137
7.4-42 Event Tree for Station Blackout at Both Units in Window 1 of D6 (B2W1D6) 7-138
7.4-43 Event Tree for Station Blackout at Both Units in Window 2 of R6 (B2W2R6) 7-139
7.4-44 Event Tree for Station Blackout at Both Units in Window 2 of D6 (B2W2D6) 7-140
7.4-45 Event Tree for Station Blackout at Both Units in Window 3 of R6 (B2W3R6) 7-141
7.4-46 Event Tree for Station Blackout at Both Units in Window 3 of R10 (B2W3R10) 7-142
7.4-47 Event Tree for Station Blackout at Both Units in Window 3 of D6 (B2W3D6) 7-143
7.4-48 Event Tree for Station Blackout at Both Units in Window 4 of R6 (B2W4R6) 7-144
7.4-49 Event Tree for Station Blackout at Both Units in Window 4 of R10 (B2W4R10) 7-145
7.4-50 Event Tree for Station Blackout at Both Units in Window 4 of D6 (B2W4D6) 7-146
7.5.1-1 Event Tree for Loss of 4KV Bus in Window 1 of R6 (4KW1R6) 7-154
7.5.1-2 Event Tree for Loss of 4KV Bus in Window 1 of R6 (4KW2R6) 7-155
7.5.1-3 Event Tree for Loss of 4KV Bus in Window 3 of R6 (4KW3R6) 7-156
7.5.1-4 Event Tree for Loss of 4KV Bus in Window 4 of R6 (4KW4R6) 7-157
7.5.1-5 Event Tree for Loss of 4KV Bus in Window 3 of R10 (4KW3R10) 7-158


7.5.1-6 Event Tree for Loss of 4KV Bus in Window 3 of R10 (4KW3R10) 7-159
7.5.1-7 Event Tree for Loss of 4KV Bus in Window 1 of D6 (4KW1D6) 7-160
7.5.1-8 Event Tree for Loss of 4KV Bus in Window 2 of D6 (4KW2D6) 7-161
7.5.1-9 Event Tree for Loss of 4KV Bus in Window 3 of D6 (4KW3D6) 7-162
7.5.1-10 Event Tree for Loss of 4KV Bus in Window 4 of D6 (4KW4D6) 7-163
7.5.2-1 Event Tree for Loss of Vital Bus - (VBW1R6) 7-168
7.5.2-2 Event Tree for Loss of Vital Bus - (VBW2R6) 7-169
7.5.2-3 Event Tree for Loss of Vital Bus - (VBW3R6) 7-170
7.5.2-4 Event Tree for Loss of Vital Bus - (VBW4R6) 7-171
7.5.2-5 Event Tree for Loss of Vital Bus - (VBW3R10) 7-172
7.5.2-6 Event Tree for Loss of Vital Bus - (VBW4R10) 7-173
7.5.2-7 Event Tree for Loss of Vital Bus - (VBW1D6) 7-174
7.5.2-8 Event Tree for Loss of Vital Bus - (VBW2D6) 7-175
7.5.2-9 Event Tree for Loss of Vital Bus - (VBW3D6) 7-176
7.5.2-10 Event Tree for Loss of Vital Bus - (VBW4D6) 7-177
7.5.3-1 Event Tree for Spurious SI - in Window 1 of R6 (SIW1R6) 7-182
7.5.3-2 Event Tree for Spurious SI - in Window 2 of R6 (SIW2R6) 7-183
7.5.3-3 Event Tree for Spurious SI - in Window 3 of R6 (SIW3R6) 7-184
7.5.3-4 Event Tree for Spurious SI - in Window 4 of R6 (SIW4R6) 7-185
7.5.3-5 Event Tree for Spurious SI - in Window 3 of R10 (SIW3R10) 7-186
7.5.3-6 Event Tree for Spurious SI - in Window 4 of R10 (SIW4R10) 7-187
7.5.3-7 Event Tree for Spurious SI - in Window 1 of D6 (SIW1D6) 7-188
7.5.3-8 Event Tree for Spurious SI - in Window 2 of D6 (SIW2D6) 7-189
7.5.3-9 Event Tree for Spurious SI - in Window 3 of D6 (SIW3D6) 7-190
7.5.3-10 Event Tree for Spurious SI - in Window 4 of D6 (SIW4D6) 7-191
7.5.4-1 Event Tree for Loss of Instrument Air in Window 1 R6 (ARW1R6) 7-194
7.5.4-2 Event Tree for Loss of Instrument Air in Window 2 R6 (ARW2R6) 7-195
7.5.4-3 Event Tree for Loss of Instrument Air in Window 3 R6 (ARW3R6) 7-196
7.5.4-4 Event Tree for Loss of Instrument Air in Window 4 R6 (ARW4R6) 7-197
7.5.4-5 Event Tree for Loss of Instrument Air in Window 1 D6 (ARW1D6) 7-198
7.5.4-6 Event Tree for Loss of Instrument Air in Window 2 D6 (ARW2D6) 7-199
7.5.4-7 Event Tree for Loss of Instrument Air in Window 3 D6 (ARW3D6) 7-200
7.5.4-8 Event Tree for Loss of Instrument Air in Window 4 D6 (ARW4D6) 7-201
7.5.4-9 Event Tree for Loss of Instrument Air in Window 3 R10 (ARW3R10) 7-202
7.5.4-10 Event Tree for Loss of Instrument Air in Window 4 R10 (ARW4R10) 7-203
7.5.5-1 Event Tree for Loss of CCW in Window 1 of R6 (CCW1R6) 7-208
7.5.5-2 Event Tree for Loss of CCW in Window 2 of R6 (CCW2R6) 7-209
7.5.5-3 Event Tree for Loss of CCW in Window 2 of R6 (CCW3R6) 7-210
7.5.5-4 Event Tree for Loss of CCW in Window 4 of R6 (CCW4R6) 7-211
7.5.5-5 Event Tree for Loss of CCW in Window 3 of R10 (CCW3R10) 7-212
7.5.5-6 Event Tree for Loss of CCW in Window 4 of R10 (CCW4R10) 7-213
7.5.5-7 Event Tree for Loss of CCW in Window 1 of D6 (CCW1D6) 7-214
7.5.5-8 Event Tree for Loss of CCW in Window 2 of D6 (CCW2D6) 7-215
7.5.5-9 Event Tree for Loss of CCW in Window 3 of D6 (CCW3D6) 7-216
7.5.5-10 Event Tree for Loss of CCW in Window 3 of D6 (CCW3D6) 7-217
7.5.6-1 Event Tree for Loss of ESGR Cooling in Window 1 of R6 (SRW1R6) 7-220
7.5.6-2 Event Tree for Loss of ESGR Cooling in Window 2 of R6 (SRW2R6) 7-221
7.5.6-3 Event Tree for Loss of ESGR Cooling in Window 3 of R6 (SRW3R6) 7-222
7.5.6-4 Event Tree for Loss of ESGR Cooling in Window 4 of R6 (SRW4R6) 7-223
7.5.6-5 Event Tree for Loss of ESGR Cooling in Window 3 of R10 (SRW3R10) 7-224

7.5.6-6 Event Tree for Loss of ESGR Cooling in Window 4 of R10 (SRW4R10) 7-225
7.5.6-7 Event Tree for Loss of ESGR Cooling in Window 1 of D6 (SRW1D6) 7-226
7.5.6-8 Event Tree for Loss of ESGR Cooling in Window 2 of D6 (SRW2D6) 7-227
7.5.6-9 Event Tree for Loss of ESGR Cooling in Window 3 of D6 (SRW3D6) 7-228
7.5.6-10 Event Tree for Loss of ESGR Cooling in Window 4 of D6 (SRW4D6) 7-229
7.6-1 Surry Reactivity Accident Due to Unplanned Boron Dilution During RCS
Mid-Loop Operation 7-232

9.1-1 An Example of Information Collected on Component Down Time
During a Refueling Outage 9-3
9.1-2 Time-Line Diagram for Safety-Related Component Down Time that Covered
Mid-loop Operations (POS 6) during Surry 1, 1986 Refueling Outage 9-5
9.1-3 Time-Line Diagram for Safety-Related Component Down Time that Covered
Mid-loop Operations (POS 6/POS 10) during Surry 2, 1986 Refueling Outage 9-6
9.1-4 Time-Line Diagram for Safety-Related Component Down Time that Covered
Mid-loop Operations (POS 6/POS 10) during Surry 1, 1990 Refueling Outage 9-7
10.1 An Example Event Tree for Calculating Failure Probability
of Recovery Actions 10-9
10.2 Main Steam Non-Return Valve 10-10
10.3 Surry Station 4Kv Electrical Distribution System 10-11

LIST OF TABLES
5.1 Summary of Results-Core-Damage Frequency by Initiating Event and
Plant Operational States xxviii
5.2 Comparison of Total Core-Damage Frequency with NUREG-1150 and IPE xxvix
5.3 Result of the Uncertainty Analysis for Total Core-Damage Frequency (per year) xl
1.1 Summary of Results-Core Damage Frequency by
Initiating Event and Plant Operational States 1-15
1.2 Comparison of Total Core Damage Frequency
with NUREG-1150 and IPE 1-16
1.3 Result of the Uncertainty Analysis for
Total Core Damage Frequency (per year) 1-17

3.1 Operational Modes Defined in Technical Specifications
of the Surry Plant 3-21
3.2 Operational Modes Westinghouse Standard Technical Specifications
Rev. 3 3-22
3.3 Outage Types and Their Estimated Frequencies
(based on data in 1985-1989) 3-23
3.4 Parameters Used in the Definition and
Characterization of POSs 3-24
3.5 Estimated Durations of Plant Operational Modes
(based on data in 1985-1989) 3-25
3.6 Plant Operational States for Surry Unit 1 - Low Power and Shutdown Outage Activities 3-32
3.7 Duration of Plant Operational States - Non-Drained Maintenance w. RHR (N1) 3-33
3.8 Duration of Plant Operational States - Non-Drained Maintenance w/o RHR (N2) 3-34
3.9 Duration of Plant Operational States - Drained Maintenance D 3-35
3.10 Duration of Plant Operational States - Refueling (R) 3-36
3.11 Reduced Inventory (153 ft) Checklist 3-37
3.12 Time to Mid-loop, and Duration of Mid-loop 3-38
3.13 Probability that the Initiating Event Occurs in the Time Windows 3-39
3.14 Probability that the RCS Loops Are Isolated So that Cooling Is Unavailable or Ineffective 3-40
3.15 Probability that the Safety Valves on the Pressurizer Are Removed 3-41

4.1-1 Approach Used in Identification of Initiating Events 4-6


4.1-2 Initiating Events Categories 4-7
4.1-3 Applicability of Initiating Events to Plant Operational States 4-9
4.1-4 Estimated Initiating Event Frequency 4-11
4.1.5 Operating Procedures that Were Reviewed Step by Step 4-14
4.1.6 Summary of Findings in Reviewing NRC Information Notices, Bulletin,
Generic Letters, and Circulars Potential Degradation of Systems
that Can Be Used for Accident Mitigation 4-15
4.2.1 Sources of Loss of RHR Events 4-18
4.2.2 Estimated Frequency of Loss of RHR 4-19
4.2-3 Data Used in Two Stage Bayesian Analysis 4-20
4.2-4 Data Used in Two Stage Bayesian Analysis
Demand Type Failures 4-22
4.3.1-1 Loss of Off-Site Power Data Base 4-27
4.3.1-2 Loss of Off-Site Power Data Base Events Considered as Category IV
(Applicable to Shutdown States) 4-30
4.3.1-3 Data Used in Estimating Loss of Offsite Power Frequency (up to 1988) 4-31


4.3.1-4 Estimated Frequency of Loss of Offsite Power Using Data up to End of 1988 4-34
4.3.1-5 Mean Non-Recovery Curves for POSs 1 and 15 4-35
4.3.1-6 Mean Non-Recovery Curves for POS 2 to 14 4-38
4.3.2-1 LOSP/SBO Analysis Cases 4-48
4.3.2-2 LOSP/SBO Analysis Cases 4-49
4.3.2-3 Conditional Probabilities of Various Bus Failures 4-50
4.3.2-4 LOSP Initiating Event Frequencies 4-51
4.4-1 Data Used in Two Stage Bayesian Analysis 4-59
4.4-2 Data used in Two Stage Bayesian Analysis for Loss of Instrument Air 4-61
4.4-3 Mean Non-Recovery Curves for Support System Initiators 4-64
4.5-1 State Applicability of LOCAs 4-79
4.5-2 Fraction of Time that the Plant stays in the POSs 4-80
4.5-3 A LOCA Frequency vs. POS vs. Outage Type (Without ISL Contribution) 4-81
4.5-4 A LOCAs Initiator Frequency (/yr) Corresponding to POS-Specific Event Trees
(Without ISL Contribution) 4-82
4.5-5 A LOCAs Initiator Frequency With ISL Contribution 4-83
4.5-6 S1 LOCA Initiator Frequency vs. POS vs. Outage Type (Without ISL Contribution) 4-84
4.5-7 S1 LOCA Initiator Frequency Corresponding to POS-Specific Event Trees 4-85
4.5-8 S2 LOCA Initiator Frequency vs. POS vs. Outage Type (Without ISL Contribution) 4-86
4.5-9 S2 LOCA Initiator Frequency Corresponding to POS-Specific Event Trees 4-87
4.5-10 S3 LOCA Initiator Frequency vs. POS vs. Outage Type 4-88
4.5-11 S3 LOCA Initiator Frequency for POS-Specific Event Trees 4-89
4.5-12 Other LOCA Initiator Frequencies Considered in Report 4-90
4.6-1 Core Damage Frequency in Various POSs due to the LPIS V-Event Scenario 4-107
4.6-2 Initiating Frequencies for Small, Medium and Large LOCAs Inside Containment due to
ISLOCAs through RHR Suction and Discharge Lines
RHR Rupture Probability: 0.98 4-108
4.6-3 Core Damage Frequencies due to "V-Events"
through the RHR-CVCS Letdown Line 4-109
4.6-4 Core Damage Frequencies due to V-Events through the Connecting Line to the RWST 4-110
4.6-5 Initiating Frequencies for Small and Medium LOCAs Inside Containment
due to ISLOCAs through the Accumulator Discharge Lines
Probability for the Loss of Accumulator Integrity: 1.0 4-111
4.6-A1 RHR System Rupture Probabilities as a Function of RCS Pressure
(Pipe failure pressure log-std-dev = 0.36) 4-115
4.7-1 SGTR Initiating Frequency 4-120

4.9-1 Initiating Event Categorization for Surry Plant At Low Power/Shutdown States 4-124
4.9.2 Total Hours in POSs 4-126
4.9-3 Frequency Estimates of Initiators 4-127
4.9-4 Frequency Estimates of Transient Event Categories 4-128
4.10-1 Mean Conditional Core Damage Frequencies due to PTS for
Various Initiating Events at Robinson Unit 2 Power Plant 4-133
4.10-2 PTS Core Damage Frequencies due to Various Initiating Events
During Low Power Operation and Shutdown at Surry Unit 1 Power Plant 4-134
4.12-1 Initiating Events that Are Applicable to the Mid-Loop POSs 4-146

5.1-1 Summary of Cases Analyzed 5-26


5.1-2 Base Case Results. Cold Leg Injection after 30 minutes,
1 Pressurizer SRV Removed 5-27
5.1-3 No Injection, 1 Pressurizer SRV Removed 5-28


5.1-4 Cold Leg Injection after 30 minutes,
3 Pressurizer SRVs Removed 5-29
5.1-5 Effect of Delayed Cold Leg Injection,
1 Pressurizer SRV Removed. 5-30
5.1-6 Effect of Delayed Cold Leg Injection,
Pressurizer SRVs Removed. 5-30
5.2-1 Summary of Case 1 (Bleed Only-2 PORVs OPEN-SRV CLOSED) 5-48
5.2-2 Summary of Case 2 (Bleed Only-1 PORV Open-SRV Closed) 5-50
5.2-3 Summary of Case 3 (Bleed Only-SRVs & 2 PORVs OPEN) 5-52
5.2-4 RCS Pressure for the Feed and Spill Operation 5-54
5.2-5 RCS Fill Time and RWST Depletion Time (Time in Hour) 5-56
5.2-6 Summary of Feed-and-Steam Operation (Time in Minute) 5-58
5.3.1 Steam Generator Secondary Water Boil-Off Time 5-64
5.4-1 Success Criteria for Mitigating Features 5-67
5.4-2 Definition and Characterization of Time Windows 5-68

6.1-1 System Fault Trees and Their Applicable POSs 6-4


6.1-2 System, Component, and Event Identifiers
Part 1: System Identifiers 6-7
6.1-2 System, Component, and Event Identifiers
Part 2: Component Identifiers 6-10
6.1-3 Failure Mode Codes* 6-13
6.2.2-1 AFW System Component Status and Dependency Summary AFW System 6-23
6.2.3-1 CPC Component Status and Dependency Summary 6-30
6.2.4-1 Component Dependency of the CCWS 6-38
6.2.4-2 Top Event Definition and Identifiers for CCWS 6-40
6.2.5-1 Instrument Air System Component Status and Dependency 6-47
6.2.5-2 Impacts of Loss of Turbine Building Instrument Air System and Containment 6-49
6.2.6-1 CS Dependency Matrix 6-55
6.2.6-2 New Events for CSS 6-56
6.2.7-1 AC/DC Power Supplies and Dependencies 6-71
6.2.7-2 Dependency Matrix of 4160 VAC Breakers 6-73
6.2.7-3 Top Event Definitions and Identifiers for the EPS 6-74
6.2.8-1 Dependency Matrix of ESGR Ventilation System 6-82
6.2.9-1 HPI/HPR Component Status and Dependency Summary 6-101
6.2.10-1 LPI/LPR Component Status and Dependency Summary 6-110
6.2.11-1 PPRS Component Status and Dependency Summary 6-114
6.2.11-2 New Events for PPRS 6-115
6.2.12-1 RS Dependency Matrix 6-123
6.2.13-1 RHR System Component Status and Dependency Summary 6-133
6.2.14-1 SW System Operating Flow Rates 6-140
6.2.14-2 Power Supply of the Emergency Service Water Pumps 6-141
6.2.14-3 Power Supplies for Circulation Water Inlet and Outlet Isolation Valves 6-142
6.2.15-1 Steam Generator Recirculation and Transfer Systems
Component Status and Dependency Summary 6-147
6.2.16-1 Steam Generator Secondary Relief System Component Dependency 6-153

7.2-1 Success Criteria for Mitigating Features 7-17


7.2-2 Definition and Characterization of Time windows 7-18


7.2-3 Probability that the RCS Loops Are Isolated Such that Reflux Cooling Is Unavailable or
Ineffective 7-20
7.2-4 Probability that the Safety Valves on the Pressurizer Is Removed 7-20
7.4-1 LOSP/SB Analysis Cases 7-147
7.4-2 Power Supplies for Circulating Water Main Condensers' Inlet and Outlet Valves 7-148
7.6-1 Summary of Inadvertent RCS Boron Dilution Which Occurred
at Surry Plants During Cold Shutdown 7-233

8.1 Guidance Regarding Information to Include in Operator-Response Forms 8-22


8.2 Guidance for Scoring the Degree of Difficulty Presented by Each PSF Associated with Each
Dynamic Human Action 8-23
8.3 Guidance for Assigning Relative Weights to the PSF Scores
Associated with Each Dynamic Human Action 8-30
8.4 Summary of the Relationship between the Scoring and Weighing Processes 8-37
8.5 Qualitative Descriptions of Dynamic Human Actions
Evaluated for the Surry Shutdown PRA 8-38
8.6 Qualitative Descriptions of Dynamic Human Actions
Evaluated for the Surry Shutdown PRA 8-39
8.7 Qualitative Descriptions of Dynamic Human Actions
Evaluated for the Surry Shutdown PRA 8-40
8.8 Qualitative Descriptions of Dynamic Human Actions
Evaluated for the Surry Shutdown PRA 8-42
8.9 Qualitative Descriptions of Dynamic Human Actions
Evaluated for the Surry Shutdown PRA 8-44
8.10 Relationship between Loss of Support System/
Loss of Offsite Power/Safety Injection Initiating Events
and RHR Initiating Events 8-46
8.11 Recovery Factors Initiators RA, RB, R3, R4 and R5 8-47
8.12 Recovery Factors for Initiators SR, SI, 4KW, AR, and CC 8-51
8.13 Qualitative Results of BNL/Surry Human Action Evaluations 8-55

9.1-1 Maintenance Unavailability Estimates Based on Data Collected
from Log Books and Minimum Equipment Lists 9-8
9.1-2 Component Downtime (that covered POS-6/POS-10) for Surry 1, May 1986 9-11
9.1-3 Component Downtime (that covered POS-6/POS-10) for Surry 2, October 1986 9-12
9.1-4 Component Downtime (that covered POS-6/POS-10) for Surry 1, October 1990 9-15
9.1-5 Modified Maintenance Unavailability for POS 6 and POS 10 9-16
9.2-1 Duration of Plant Operational States - Non-Drained Maintenance w. RHR (N1) 9-18
9.2-2 Duration of Plant Operational States - Non-Drained Maintenance w/o RHR (N2) 9-19
9.2-3 Duration of Plant Operational States - Drained Maintenance (D) 9-20
9.2-4 Duration of Plant Operational States - Refueling (R) 9-21
9.2-5 Conservative Estimates of the Earliest Time (after shutdown) That a POS Can Be Reached 9-22
9.2-6 Operational Experience Data of Elapsed Time to Mid-loop at Surry 9-23
9.2-7 Gray Book Data Base 9-25

9.3-1 Characteristics of Time to Mid-loop and Characteristic Duration of Mid-loop 9-27


9.3-2 Distribution of the Time When the Accident Initiating Event Occurs 9-28
9.3-3 Probability that IE Occurs in the Window 9-29
9.4-1 Probability that the RCS Loops Are Isolated Such that Reflux
Cooling Is Unavailable or Ineffective 9-33
9.4-2 Probability that the Safety Valves on the Pressurizer Are Removed 9-34


10.1 Core Damage Frequencies of Loss RHR Event Trees RAW#R6
Over-Draining to POS 6 of Refueling 10-12
10.2 Core Damage Frequencies of Loss RHR Event Tree RBW#R6
Inventory Problem in POS 6 of Refueling 10-14
10.3 Core Damage Frequencies of Loss RHR Event Tree R3W#R6
Non-Recoverable Loss of RHR in POS 6 of Refueling 10-16
10.4 Core Damage Frequencies of Loss RHR Event Tree R4W#R6
Non-Recoverable Loss of Operating Train of RHR in POS 6 of Refueling 10-17
10.5 Core Damage Frequencies of Loss RHR Event Tree R5W#R6
Recoverable Loss of RHR in POS 6 of Refueling 10-18
10.6 Core Damage Frequencies of Loss RHR Event Tree RAW#D6
Over-Draining to POS 6 of Drained Maintenance 10-19
10.7 Core Damage Frequencies of Loss RHR Event Tree RBW#D6
Inventory Problem in POS 6 of Drained Maintenance 10-20
10.8 Core Damage Frequencies of Loss RHR Event Tree R3W#D6
Non-Recoverable Loss of RHR in POS 6 of Drained Maintenance 10-21
10.9 Core Damage Frequencies of Loss RHR Event Tree R4W#D6
Non-Recoverable Loss of Operating Train of RHR
in POS 6 of Drained Maintenance 10-22
10.10 Core Damage Frequencies of Loss RHR Event Tree R5W#D6
Recoverable Loss of RHR in POS 6 of Drained Maintenance 10-23
10.11 Core Damage Frequencies of Loss RHR Event Tree RAW#R10
Over-Draining to POS 10 of Refueling 10-24
10.12 Core Damage Frequencies of Loss RHR Event Tree RBW#R10
Inventory Problem in POS 10 of Refueling 10-25
10.13 Core Damage Frequencies of Loss RHR Event Tree R3W#R10
Non-Recoverable Loss of RHR in POS 10 of Refueling 10-26
10.14 Core Damage Frequencies of Loss RHR Event Tree R4W#R10
Non-Recoverable Loss of Operating Train of RHR in POS 10 of Refueling 10-27
10.15 Core Damage Frequencies of Loss RHR Event Tree R5W#R10 10-28
10.16 Core Damage Frequencies of Loss of Offsite Power for Event Tree L1W#D6 10-29
10.17 Core Damage Frequencies of Loss of Offsite Power for Event Tree L1W#R6 10-30
10.18 Core Damage Frequencies of Loss of Offsite Power for Event Tree L1W#R10 10-32
10.19 Core Damage Frequencies of Loss of Offsite Power for Event Tree L2W#D6 10-33
10.20 Core Damage Frequencies of Loss of Offsite Power for Event Tree L2W#R6 10-34
10.21 Core Damage Frequencies of Loss of Offsite Power for Event Tree L2W#R10 10-36
10.22 Core Damage Frequencies of Loss of Offsite Power for Event Tree L3W#D6 10-37
10.23 Core Damage Frequencies of Loss of Offsite Power for Event Tree L3W#R6 10-38
10.24 Core Damage Frequencies of Loss of Offsite Power for Event Tree L3W#R10 10-40
10.25 Core Damage Frequencies of Unit-1 Blackout for Event Tree B1W#D6 10-41
10.26 Core Damage Frequencies of Unit-1 Blackout for Event Tree B1W#R6 10-42
10.27 Core Damage Frequencies of Unit-1 Blackout for Event Tree B1W#R10 10-44
10.28 Core Damage Frequencies of 2-Units Blackout for Event Tree B2W#D6 10-45
10.29 Core Damage Frequencies of 2-Units Blackout for Event Tree B2W#R6 10-46
10.30 Core Damage Frequencies of 2-Units Blackout for Event Tree B2W#R10 10-48
10.31 Core Damage Frequencies of Loss of 4KV Event Tree 4KW#D6 10-49
10.32 Core Damage Frequencies of Loss of 4KV Event Tree 4KW#R6 10-50
10.33 Core Damage Frequencies of Loss of 4KV Event Tree 4KW#R10 10-52
10.34 Core Damage Frequencies of Inadvertent SI Signal - SIW#D6 10-53
10.35 Core Damage Frequencies of Inadvertent SI Signal - SIW#R6 10-54


10.36 Core Damage Frequencies of Inadvertent SI Signal - SIW#R10 10-56


1037 Core Damage Frequenciesof Loss of Vital Bus - VBW#D6 10-57
1038 Core Damage Frequenciesof Loss of Vital Bus - VBW#R6 10-58
1039 Core Damage Frequencies of Loss of Vital Bus - VBW#R10 10-60
10.40 Core Damage Frequencies of Loss RHR Event Tree ARW#R6
Loss of Instrument Air in POS 6 Refueling 10-61
10.41 Core Damage Frequencies of Loss RHR Event Tree ARW#D6
Loss of Instrument Air in POS 6 Refueling 10-62
10.42 Core Damage Frequencies of Loss RHR Event Tree ARW#R10
Loss of Instrument Air in POS 6 Refueling 10-63
10.43 Core Damage Frequencies of Loss of CCW - CCW#D6 10-64
10.44 Core Damage Frequencies of Loss of CCW - CCW#R6 10-65
10.45 Core Damage Frequencies of Loss of CCW - CCW#R10 10-66
10.46 Core Damage Frequencies for SR Loss of Emergency Switchgear Room Cooling
for Event Tree SRW#D6 10-67
10.47 Core Damage Frequencies for SR Loss of Emergency Switchgear
Room Cooling for Event Tree SRW#R6 10-68
10.48 Core Damage Frequencies for SR Loss of Emergency Switchgear
Room Cooling for Event Tree SRW#R10 10-69
10.49 Dominant Core Damage Cutsets Before Recovery Actions 10-70
10.50 Dominant Core Damage Cutsets After Recovery Actions 10-88
10.51 Recovery Actions and Their Applicability to the Event Tree
Sequences (Loss of RHR and Loss of Instrument Air) 10-92
10.52 Recovery Actions and Their Applicability to the
Loss of Support System Event Trees 10-98
10.53 Time To Recovery of Failed Diesel Generator 10-102
10.54 Calculation of -q Parameters in Windows 1-4 10-103
10.55 p_2 for LOSP Categories and Windows 1-4 10-105
10.56 p_3 for LOSP Categories 10-106
10.57 LOSP Recovery Actions, Parameters, and Total Probabilities 10-107
10.58 Recovery Actions Sequence Rules for LOSP Sequences 10-110
10.59 Summary of Results-Core Damage Frequency by Initiating Event
and Plant Operational States 10-129
10.60 Core Damage Frequency as a Function of the Time Windows and POSs (per year) 10-130
10.61 Fraction of a Year that the Plant is in a Time Window of a POS 10-131
10.62 Instantaneous Core Damage Frequency As a Function of the
Time Windows and POSs (per year) 10-132

11.1 PDS Definition 11-3


11.2 Plant Damage State Assignment of the Dominant Cutsets 11-4
11.3 Results of Uncertainty Analysis of Plant Damage States 11-7

12.1 Sources and Treatment of Uncertainty 12-7
12.2 Failure Data Associated with the Correlation Classes 12-9
12.3 Result of the Uncertainty Analysis for Total Core Damage Frequency (per year) 12-13

S. EXECUTIVE SUMMARY
S.1 Background
This volume presents the results of a level one probabilistic risk assessment (PRA) of the Surry Nuclear Power
Plant for accidents initiated during mid-loop operations. It also contains accident initiating event analysis, and
system analysis for other low power and shutdown conditions. The work was performed by Brookhaven
National Laboratory (BNL) for the Nuclear Regulatory Commission (NRC) Office of Nuclear Regulatory
Research (RES) in support of the NRC response to the Chernobyl accident; and the program was later
modified by the NRC staff's follow-up actions to the March 20, 1990 Vogtle incident.

A phased approach was taken in this project. In phase 1, a broadly-scoped screening analysis, which included
internal fires and flooding, was completed in November, 1991. This analysis produced a preliminary level one
PRA for accidents initiated during low power and shutdown (LP&S) and also gave insights on potential
accident scenarios and potentially vulnerable configurations during low power and shutdown conditions. Phase
2 focused on a detailed analysis of mid-loop operation which was selected because many incidents have
occurred during mid-loop operations throughout the world. Further, recent studies, including phase 1 of this
program, found that the core-damage frequency during mid-loop operation is comparable to that of power
operation. This report documents the results of the analysis of phase 2 internal events. It also contains an
appendix, Appendix I, that documents an updated version of the key chapters/sections of the Phase 1 draft
report. The work on internal fire, internal flood, seismic analysis, and level 2/3 analysis is reported in
separate volumes.

Surry Unit 1 was chosen for this study in part because the Surry plant was previously analyzed in the Reactor
Safety Study and NUREG-1150, and in part because Virginia Power offered to cooperate. The core-damage
frequency during low power and shutdown calculated in this study will be compared with that calculated in
NUREG-1150 for accidents during full power. The Surry plant has two Pressurized Water Reactors (PWRs),
each rated at 788 megawatts (electrical) capacity, and is located near Surry in Virginia. Grand Gulf, a boiling
water reactor, was selected as the plant for a parallel analysis performed by Sandia National Laboratories
(SNL).

Throughout the study, the LP&S team made many trips to the Surry plant to gather plant information, walk
down the plant, and participate in meetings with the Virginia Power staff. The draft reports were also
provided to Virginia Power for their comments. The comments received were resolved and incorporated into
the final report.

A total of 5 meetings of the Senior Consulting Group (SCG) were held, during which the BNL and SNL staff
presented the details of the analyses as well as the approaches used in various tasks. The SCG members
provided their suggestions and comments. The comments from the SCG were addressed by the PRA teams
at the two labs and the proposed resolutions were presented at the following SCG meeting.

In addition to the comments from the SCG and Virginia Power, an internal BNL Quality Assurance team
reviewed the draft reports and provided comments. The comments received were resolved and incorporated
into the final report.

S.2 Objectives
The objectives of phase 2 of this program are:

1) Estimate the frequencies of severe accidents that might be initiated during mid-loop
operation,

2) Compare the estimated core-damage frequencies, important accident sequences, and other
qualitative and quantitative results of this study with those of accidents initiated during full
power operation (as assessed in NUREG-1150), and
3) Demonstrate methodologies for accident sequence analysis for plants in modes of operation
other than full power.

S.3 Methodology
Due to the changing plant configuration during low power and shutdown operation, it was necessary to define
different outage types, and different plant operational states (POSs) within each outage type. Within each
POS, the plant configuration continues to change with time, and the decay heat continues to decrease. These
factors significantly affect scenario frequencies. Therefore, a "time window" approach was developed in which
different time windows were defined representing different levels of decay heat and success criteria. Within
each time window, the approach used in performing the PRA for a particular POS in a particular outage type
is similar to that used in the NUREG-1150 study. The approach includes typical PRA tasks, such as
identification of initiating events, development of fault trees and event trees, and their quantification. The
following is a summary of the approach used in the key tasks of this study. We believe that the approach
developed in this study can be readily adopted for studies of POSs other than mid-loop and for other PWRs.

Outage Types, Plant Operational States and Time Windows

Outages were grouped into four different types: refueling, drained maintenance, non-drained maintenance
with use of the residual heat removal (RHR) system, and non-drained maintenance without the RHR system.
Due to the continuously changing plant configuration in any outage, plant operational states (POSs) were
defined and characterized within each outage type. Each POS represents a unique set of operating conditions
(e.g. temperature, pressure, and configuration). For example, in a refueling outage, up to 15 POSs were used,
representing the evolution of the plant throughout a refueling from low power down to cold shutdown and
refueling, and back up to low power. An extensive effort was made to collect Surry-specific data to
characterize each POS, that included reviewing operating and abnormal procedures for shutdown operations,
the shift supervisor's log books, and the monthly operating reports, and performing supporting thermal
hydraulic calculations. Three mid-loop POSs, in which the reactor coolant system (RCS) level is lowered to
the mid-plane of the hot leg, were selected for detailed analysis. Two of them occur in a refueling outage,
POSs R6 and R10, and one in a drained maintenance outage, POS D6. They are characterized by different
levels of decay heat, and different plant configurations, such as the number of RCS loops that are isolated,
and whether or not the RCS has a large vent. R6 represents a mid-loop operation that takes place early in
a refueling outage allowing the RCS loops to drain quickly to permit eddy current testing of the steam
generator tubes. R10 takes place after the refueling operation is completed to allow additional maintenance
of equipment in the RCS loops. D6 represents mid-loop operation in which maintenance activities require
the plant to go to mid-loop, and is characterized by the highest level of decay heat among the three mid-loop
POSs.

To more accurately define the decay heat level when an accident is initiated, a time-window approach was
developed. Four time windows after shutdown were defined, each with its unique set of success criteria
reflecting the decay-heat level. For POSs R6 and D6, all four windows were needed. For POS R10, only time
windows 3 and 4 were applicable. One hundred and sixty event trees were developed for 16 initiating events.

During the latest Surry Unit 1 refueling outage that started on February 28, 1992, the utility changed previous
practice and avoided going to mid-loop operation. It is our understanding that the plant staff intends to
continue this new practice. However, it is believed that certain maintenance requirements may prevent totally
avoiding going to mid-loop in the future. With NRC concurrence, BNL developed the PRA model based on
outages (that included mid-loop operation) before the February 1992 refueling. Since the results are presented
on a per-unit-time basis, the present results can be used to draw conclusions on the management of mid-loop
outages.

Initiating Event Analysis

To identify initiating events, existing studies, licensee event reports (LERs), published NRC
documents, and current Surry operating procedures were reviewed. This approach should ensure that any
incident that has occurred or any scenario that has been studied will be considered in the present study.
However, no systematic approach was undertaken, such as a failure mode and effect analysis (FMEA) or a
hazard and operability study (HAZOP), to further assure that all possible initiating events in all possible
operating states were identified.

Event Tree Analysis

In phase 1 of this study, accident scenarios were developed for all low power and shutdown POSs. For those
POSs that are similar to power operations (e.g., low power operations), the relevant NUREG-1150 event trees
developed for Surry were reviewed and modified (if necessary) to reflect the current plant design and
operation. For other POSs, event trees were developed in group discussions, involving typically four or more
BNL staff members with expertise in PWR operations, PRA, human reliability analysis (HRA), and thermal
hydraulics. Frequent communications were held with the staff at Virginia Power to ensure that the PRA
reflects the current plant design and operations.

In phase 2, the event trees developed for the mid-loop POSs were reviewed and modified to incorporate
additional information obtained in the system analysis, and to reflect our current understanding of the
expected operator responses to the accidents. A two-day meeting with Virginia Power operations personnel
was held to discuss potential accident scenarios, and the expected responses of the plant and operator.

System Analysis

The fault tree models, developed as part of the NUREG-1150 study, were reviewed and modified, when necessary,
to develop two fault tree models for the plant applicable to shutdown and to low power operation for each
system. The system configuration during shutdown was identified by reviewing the operating procedures used
during shutdown, shift supervisor's log books, and the system training manual. Typically, the following
changes were made to NUREG-1150 fault trees to derive the fault trees applicable to shutdown conditions.

1) Valve failure modes were changed. The position of valves during shutdown may be different
from that during power operation. Therefore, the applicable failure modes of the valves will
be different from those of power operations.

2) Human error events associated with backup of automatically actuated systems or components
which failed were modified to manual actuation with no automatic backup.

3) Maintenance unavailabilities relevant to the specific POS were estimated. For mid-loop
POSs, the reduced inventory check list was used to determine whether certain maintenance
events are permitted; those events prohibited, e.g., diesel generator maintenance, were
deleted from the model.

4) System success criteria were changed, if necessary.

Definition of Core-Damage - In the NUREG-1150 study, core-damage is defined for PWRs to be the RCS
level reaching the top of active fuel. Due to the high decay heat level, the difference between this time and
the time of cladding failure is small. In the low power and shutdown condition, the decay heat level may be
significantly lower, and this difference becomes more significant. In this study, core-damage is defined to be
the collapsed RCS level reaching 2.5 feet above the bottom of the core. This is based on the result of a
MELCOR calculation of RCS level in the core region when cladding temperature reaches 1340 degrees F,
above which phenomena such as clad oxidation and ballooning will have an impact on core behavior. Time
to core-damage is used in the level-1 study as the time available for operator actions such as initiating safety
injection. The more realistic estimate of the time available tends to lower the associated human
error probabilities.

Supporting Thermal Hydraulic Analysis

The main purpose of the thermal hydraulic analysis was to support the development of event trees and
quantification of accident sequences. Thermal hydraulic considerations are the basis of the time-window
approach. Basically, the time windows were defined on the times when the success criteria of important
mitigating functions change. In the phase 1 study, assumptions were made based on simple "back of the
envelope" calculations. It was found that more detailed calculations were needed to confirm the simple
calculations, and support the assumptions made.

In the phase 2 study, a more detailed calculation was done to determine the timing of a feed and bleed
operation during mid-loop operation. The calculation also gave information on the amount of water from the
refueling water storage tank (RWST) needed to sustain the feed and bleed operation, as well as the timing
of core uncovery for different initial conditions.

The MELCOR code also was used to assess whether or not gravity feed from the RWST could be used to
provide long term cooling (i.e. 24 hours, decay heat removal). It was found that although gravity feed is
sufficient only when the decay heat is low, it can provide a few hours for restoring other means of removing
decay heat even when the decay heat is high.

For reflux cooling, the studies at the Idaho National Engineering Laboratory (INEL), Westinghouse, and
Virginia Power were used to determine the success criteria. The analysis of feed and spill, gravity feed and
reflux cooling were used to determine the boundary of the time windows. For example, the time boundary
between windows 2 and 3 was chosen to be the time when recirculation is not necessary for the first 24 hours
after the accident started. The boundary was estimated to be 10 days, based on the inventory available in the
refueling water storage tank (RWST) and the flow needed in the feed-and-spill operation.

Quantification

A Bayesian approach was used to estimate the initiating event frequencies. The basic event data for hardware
failures were derived from the NUREG-1150 data base for Surry. The IRRAS computer code was used to
quantify the fault tree and event tree. An uncertainty analysis of the total core-damage frequency was
performed by propagating the uncertainty of the parameters used in the model.

Human Reliability Analysis

Two types of human error events were identified and modeled in this study: pre- and post-accident errors.
The pre-accident errors identified in the NUREG/CR-4550 study for Surry were adopted, together with others
identified in the system analysis task and added to the system fault trees.

To evaluate human actions and recovery actions that follow an initiator, we first qualitatively defined the event
scenario, required actions, important factors affecting operator performance, and the consequences of the
action being unsuccessful. Two types of post-accident human errors were modeled: failure to diagnose and
failure to carry out the needed action given successful diagnosis. They were used in the fault trees for the top
events of the event trees. It was assumed that, given failure to diagnose, the operator would fail to perform
the needed actions; therefore, core-damage would result. The same basic event representing failure to
diagnose was used in all fault trees of a given event tree. On the other hand, failure to carry out the action
given successful diagnosis would only fail the specific top event of the event tree.

The qualitative evaluation of the actions and the important parameters that affect operator's performance were
used to derive the human error probabilities (HEPs) by adapting the success likelihood index methodology.
This methodology assumes that the likelihood of operator error in a particular situation depends on the
combined effects of a small set of performance-shaping factors (PSFs) that influence the operator's ability to
accomplish the action.

To quantify the HEPs, the PSFs were rated with weights that reflect the relative influence of each PSF on the
likelihood of the success of the action, and a score that reflects whether the PSF helps or hinders the operator
in carrying out the actions. With the rating for PSF, the numerical model was calibrated using well-defined
actions obtained from analysis for other PRAs. Calibration ensures that the error probabilities are realistic
and consistent with the data, observed human behavior, and the results from comparable expert evaluations
of similar activities.
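
The weighting, scoring and calibration steps described above can be sketched with the standard SLIM log-linear form, log10(HEP) = a*SLI + b, fitted to anchor actions. This is an added example, not the report's model: the PSF names, weights, scores, score scale and anchor HEPs are all constructed, and the report's own adaptation of the methodology may differ.

```python
# Added illustration of SLIM-style HEP quantification. Every PSF name, weight,
# score and anchor value below is constructed; none comes from the report.
import math

SCORE_MIN, SCORE_MAX = 0.0, 10.0  # assumed scale: 10 = PSF strongly helps the operator


def success_likelihood_index(weights, scores):
    """Return the SLI: PSF scores averaged with weights normalized to sum to 1."""
    if set(weights) != set(scores):
        raise ValueError("weights and scores must cover the same PSFs")
    if any(w < 0 for w in weights.values()):
        raise ValueError("PSF weights must be non-negative")
    total = sum(weights.values())
    if total <= 0:
        raise ValueError("at least one PSF weight must be positive")
    for name, score in scores.items():
        if not SCORE_MIN <= score <= SCORE_MAX:
            raise ValueError(f"score for {name!r} is outside the rating scale")
    return sum(weights[name] / total * scores[name] for name in weights)


def calibrate(anchors):
    """Least-squares fit of log10(HEP) = a*SLI + b to (sli, hep) anchor actions."""
    points = []
    for sli, hep in anchors:
        if not 0.0 < hep <= 1.0:
            raise ValueError("anchor HEPs must lie in (0, 1]")
        points.append((sli, math.log10(hep)))
    if len(points) < 2:
        raise ValueError("calibration needs at least two anchor actions")
    mean_x = sum(x for x, _ in points) / len(points)
    mean_y = sum(y for _, y in points) / len(points)
    sxx = sum((x - mean_x) ** 2 for x, _ in points)
    if sxx == 0:
        raise ValueError("anchor actions must have different SLI values")
    a = sum((x - mean_x) * (y - mean_y) for x, y in points) / sxx
    b = mean_y - a * mean_x
    return a, b


def hep_from_sli(sli, a, b):
    """Convert an SLI to a human error probability, capped at 1.0."""
    return min(1.0, 10.0 ** (a * sli + b))


# Constructed anchors: a well-supported action and a poorly supported one,
# each with an SLI and an HEP assumed known from other analyses.
ANCHORS = [(8.0, 1.0e-3), (2.0, 1.0e-1)]

# Constructed rating of one hypothetical post-accident action.
ACTION_WEIGHTS = {"time_available": 0.4, "procedures": 0.3,
                  "training": 0.2, "indications": 0.1}
ACTION_SCORES = {"time_available": 4.0, "procedures": 5.0,
                 "training": 7.0, "indications": 5.0}


def quantify_example():
    """Rate the hypothetical action and return (SLI, HEP)."""
    a, b = calibrate(ANCHORS)
    sli = success_likelihood_index(ACTION_WEIGHTS, ACTION_SCORES)
    return sli, hep_from_sli(sli, a, b)


if __name__ == "__main__":
    sli, hep = quantify_example()
    print(f"SLI = {sli:.2f}, HEP = {hep:.3g}")
```

Because the fit is linear in log space, a one-point change in SLI moves the HEP by a fixed multiplicative factor, which is why the choice of anchor actions dominates the resulting probabilities.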

Data Base Analysis

An extensive effort was devoted to collecting data to characterize the plant during shutdown.

1) A data base of initiating events was compiled for the initiating event analysis.

2) The shift supervisor's log books, outage schedules, minimum equipment list, and monthly
operating report were reviewed to collect the data needed to estimate the frequency of
shutdown, duration of plant operational states, and maintenance unavailabilities.

3) The shift supervisor's log books were reviewed to determine the time that the plant is in
different configurations. For example, the reactor coolant loops were found to be isolated
for a long period in a refueling.

S.4 Results and Insights


Table S-1 summarizes the results of the event tree quantification, showing the core-damage frequency as a
function of the initiating events and POSs. The core damage frequency is the frequency that core-damage
occurs while the reactor is at mid-loop, and includes the fraction of a year that the reactor is at mid-loop.
POS 6 of a drained maintenance outage (D6), and POS 6 of a refueling outage are the most dominant POSs.
Their characteristics are high decay-heat level and a relatively short time available for operator action. In
contrast, POS 10 of a refueling outage has a very low decay heat, and its core-damage frequency is
approximately one order of magnitude lower.

Table S-2 compares the results of this study with those of NUREG-1150 and the individual plant examination
(IPE) performed by Virginia Power. The results are displayed in two ways. The core-damage frequency,
shown in the first row, is the frequency that core-damage occurs when the plant is at mid-loop, and the
conditional core-damage frequency, shown in the third row, is the core-damage frequency divided by the
fraction of time the plant is at mid-loop. The former accounts for the fact that the plant is at mid-loop only
a small fraction of the time, while the latter is the conditional frequency at which core-damage occurs given
the plant is at mid-loop. The contribution to total core-damage frequency due to mid-loop operations is
approximately one eighth of that of power operation as estimated in NUREG-1150, since the plant is in
mid-loop operation approximately 7% of a year. The numbers in the parentheses of the third row of the table are
the conditional probability of core-damage due to over-draining events, given that the plant enters mid-loop
operation in the POS.

The core-damage frequencies shown in the first row of Table S-2 are additive. That is, the sum of the
core-damage frequencies of the 3 POSs is the total core-damage frequency of mid-loop operation. This total,
5 E-06 per year, can be added to the core-damage frequency of power operation, e.g., 4 E-05 per year for
NUREG-1150. Therefore, the sum of 4.5 E-05 per year is the frequency per year that core-damage occurs
while the plant is at full power or mid-loop operation.

The conditional core-damage frequency shown in the third row of Table S-2 is a measure of how susceptible
a plant configuration is with respect to core-damage. For example, the fact that the conditional core-damage
frequency of mid-loop operation, 8 E-05 per year, is higher than that of full power operation, 4 E-05 per year,
shows that mid-loop operation is more susceptible to core-damage than full power operation, although the
plant is at mid-loop only a small fraction of the time.

Table S-3 lists the key uncertainty characteristics of the core-damage frequencies for mid-loop operation and
power operation, and shows that the core-damage frequency for mid-loop operation has a broader distribution
than that of power operation. Note also that the mean total CDF in Table S-3 is slightly different from the total
CDF in Tables S-1 and S-2. This is because the numbers in Tables S-1 and S-2 are point estimates whereas
the information in Table S-3 reflects an uncertainty analysis.

The following insights were gained from this study. They are based on the Surry specific design and operation.
Their applicability and significance with respect to other PWRs have to be assessed separately.

Operator Response- The dominant cause of core-damage was the operator's failure to mitigate the accident.
(Note that there is very large uncertainty in the human error probabilities used in this study.) In general, it
would be beneficial to have good training, procedures, and instrumentation to ensure that the utility's staff
can respond to shutdown accidents.

Procedures for Shutdown Accidents- Very few procedures are available for accidents during shutdown; the
procedure for loss of decay heat removal, AP 27.00, is the only one that was written specifically for the
shutdown scenarios analyzed in this study. The procedure is conservative with regard to the equipment needed
to establish reflux cooling and feed-and-bleed. In this study, the use of fewer than the number of steam
generators specified in the procedure for reflux cooling was treated as a recovery action, and a more realistic
success criterion was used for feed-and-bleed when the decay heat is high. In most cases, the information in
the procedures for power operation is helpful for shutdown accidents. For example, the procedure for station
blackout, ECA-0.0, gives instructions for dumping steam to the condenser. Credit for this procedure was taken
into account in this study. However, some procedures written for power operation would mislead the operator
if followed during shutdown. For example, the procedure for loss of offsite power, AP 10.00, states that
"When the EDG is the only source of power to an emergency bus, the Component Cooling Pump should NOT
be in service". During shutdown, CCW flow to the RHR heat exchanger is necessary for decay heat removal.
Therefore, following this procedure under these circumstances would not be the most appropriate operator
response.

Instrumentation- It was recognized that the level instrumentation used during mid-loop operation, i.e.,
standpipe level instrumentation and ultra-sonic level instrumentation, has limited applicability during a
shutdown accident. The standpipe system indicates the correct level only when there is no build-up of
pressure in the system. The ultra-sonic level instrumentation only provides level indication when the level is
within the reactor coolant loops, and therefore, may not be useful during a feed and bleed operation.

Supporting Thermal Hydraulic Analysis- The thermal hydraulic behavior of the reactor coolant system is
rather complex, mainly because the pressurizer is usually the relief path for coolant or steam, and the vessel
head does not have a large vent. When performing thermal hydraulic analysis in support of the PRA effort,
consideration must be given to longer term system behavior, at least 24 hours into the accident. In this study,
such calculations were done for feed-and-bleed operation using a charging pump, and with gravity feed from
the RWST. It is believed that additional calculations would be helpful to better understand the
effectiveness of reflux cooling, and feed and bleed using a low pressure injection pump. In this study, the
conservative results of the Virginia Power Technical Report # 865 (Revision 1, dated July 3, 1992) were used
to determine the number of steam generators needed as a function of time after shutdown, because such
criteria are explicitly written in the procedure for loss of RHR. In the event trees and fault trees, it was
assumed that if there were too few, then no credit was given to reflux cooling. In this case, reflux cooling still
would help. In fact, a review of the studies performed by Westinghouse and Idaho National Engineering
Laboratory found that one steam generator is sufficient for any level of decay heat. To take some credit for
reflux cooling in this case, a recovery action with failure probability 0.1 was applied to those core-damage
cutsets that involve failure of reflux cooling due to insufficient steam generators. It was assumed that hot-leg
injection using a low head injection pump is adequate to prevent core-damage. Due to the low shut-off head
of the pumps, approximately 150 psig, the concern is that if boiling takes place in the system, the low head
pump may be unable to inject.

Maintenance Unavailability- A review of shift supervisor's log books and minimum equipment lists for three
refueling outages showed that the maintenance unavailabilities of equipment that can be used to mitigate an
accident were very high. For example, two out of three charging pumps were found to be tagged out
practically throughout the whole mid-loop period. The two low-head injection pumps also were unavailable
a large fraction of the time. Generic Letter 88-17 requires the plant to have one high-head pump and one
low-head pump available. In our quantifications, we assumed that charging pump A, charging pump cooling water
pump A, and low head injection pump B are available. Based on the check list used for reduced inventory
conditions, it was also assumed that the maintenance of diesel generators, 4 kv emergency buses, and stub
buses is not allowed.

We found that maintenance unavailability is the dominant cause of equipment unavailability. In combination
with human errors, maintenance of the charging pump cooling water pump, the charging pump, and the low
head injection pump appear in the dominant cutsets for some of the core-damage sequences.

Isolation of Reactor Coolant Loops- It was found that isolation of the RCS loops is an important contributor
to core-damage frequency. Review of the plant shutdown experience indicated that the reactor coolant loops
are isolated for extended periods in a refueling outage, making the steam generators unavailable for decay-heat
removal upon loss of RHR. In a cold shutdown condition, the steam generators are usually maintained in the
wet lay-up condition with the secondary side filled with water. During mid-loop operation, the availability of
the SGs makes reflux cooling a possible method of mitigating a loss of RHR; this might be the only mitigation
function available in a station blackout.

Single Failures of the RHR System- The RHR system at Surry has no active safety function (i.e., it does not
perform the safety injection function in scenarios initiated at full power). Consequently, many single
component failures can cause loss of RHR. In the RHR system, a single suction line from the loop A hot
leg and a single flow control valve HCV-1758 are used. During its operation, a single CCW header provides
cooling to both RHR pump seal coolers and the operating RHR heat exchanger, and two CCW return lines
from the RHR system are used. Hence, a failure of the trip valve 109A or B in one of the two CCW return
lines can cause loss of the system. These trip valves also fail closed on loss of instrument air, or vital bus.
It was found that closure of the TV-109 valves is a significant contributor to loss of RHR. It was assumed
that the opening of the RHR flow control valve HCV-1758 as a result of loss of vital bus HI will cause RHR
pump run out; this also was a significant contributor to loss of RHR.

Valve Arrangement of Auxiliary Feedwater System and Main Steam System During Shutdown- The auxiliary
feedwater system has six MOVs (151A, B, C, D, E, and F) in the flow path to the steam generators, that are
normally closed during shutdown. They are difficult to locate during a station blackout. Similarly, the main
steam non-return valves are normally closed during shutdown, and have to be opened to use steam dump to
the condenser. They depend on offsite power and would be very difficult to open without it.

Potential for Plugging the Containment Sump When Recirculation Is Needed- Because of activities inside the
containment, transient material and equipment are brought into it during shutdown. For example, large plastic
Herculite sheets are often used to separate work areas from the rest of the containment. If an accident
requiring recirculation from the containment sump occurs, as is the case in time windows 1 and 2, the material
would increase the potential for plugging the containment sump.

S.5 Conclusion
This study shows that the core-damage frequency during mid-loop operation at the Surry plant is comparable
to that of power operation. The probability distribution of the core damage frequency during mid-loop
operation is wider than that of power operation. This is due to the large uncertainty in the human error
probabilities used in this study. It was identified that only a few procedures are available for mitigating
accidents that may occur during shutdown. Procedures written specifically for shutdown accidents would be
useful. Realistic thermal hydraulic analysis should be used as the basis of the procedures.

It was assumed that the reduced inventory check list was followed, and it was found that the maintenance
unavailabilities of equipment not on the list were dominant contributors to system unavailability. However, the
check list is believed to be sufficient for ensuring the availability of essential equipment.

S.6 Key Assumptions and Sources of Uncertainty


The following is a discussion of the various modeling issues and how they were treated in this study.

Changing plant practices and information- BNL observed that the plant is aware of the potential safety
concerns of reduced inventory operations and is constantly improving its practice regarding such operation.
This is reflected in the improvement in the operating procedures and abnormal procedures used during
shutdown, as well as changes in the plant practice. The most significant change in plant practice started in
the refueling outage of unit one in 1992, during which mid-loop operation was totally avoided; this appears
to be the new policy. Another way of reducing the risk is to carry out reduced inventory operation while the
fuel in the core is removed during refueling operation.

To limit the changes in the model developed for this study to account for the changes in plant practice and
information, it was decided to use the procedures and other plant information available as of April 30, 1993.
Regarding the plant's policy of avoiding mid-loop operation, it was decided that this study would use the data
collected from past outages before the unit 1 refueling outage of 1992. Consequently, the estimated core-
damage frequency could be an overestimation of that of the current plant. However, it is emphasized that
the core-damage frequency calculated in the current study was reduced significantly by changes made after
the start of the study and before April 1, 1993.

Changing Plant Configuration- Due to the activities taking place during shutdown, the plant configuration
changes with time, which, in turn, affects the likelihood of accident initiating events and the plant's ability to
mitigate the accidents. In this study, the constantly changing plant configuration is approximated by a few
discrete configurations, by introducing different outage types, POSs, and time windows. It also is reflected
by the different basic events and different event trees for different outage types, POSs, and time windows.
The following is a description of the basic events and how they are varied.

Initiating event frequency- The initiating events are assumed to occur with constant rates independent of the
outage type or POS. The conditional probability that an IE occurs in a POS is calculated as the product of
the rate and the duration of the POS. The initiating event frequency is the frequency of the POS multiplied
by the conditional probability. The frequency that it occurs in a given time window of a given POS of a given
outage type is the initiating event frequency times the conditional probability of the time window of the given
POS.

Loop isolation probability- Isolating the loops makes it impossible to establish reflux cooling. Its probability
was estimated by judgment using the information from the log books for outages, and an outage plan for a
refueling outage. It was estimated as a function of the outage types, and time windows.

Removal of pressurizer safety valves- The fraction of time that the safety valves are removed in a given time
window of a given POS in a given outage type was estimated by judgment, using information from the log
books for outages, and an outage plan for a refueling outage. With the safety valves removed, it is possible
to use gravity feed from the RWST, but not reflux cooling because of inventory loss through the opening.

Maintenance unavailabilities- Maintenance unavailability was estimated as a function of the POSs of a
refueling outage by reviewing the log books for 3 refueling outages. The data was collected for the period
when the plant was at mid-loop. Due to lack of sufficient information, it is assumed to be independent of the
time windows. It was also assumed that the data for a refueling outage is applicable to a drained maintenance
outage.

Success Criteria- The success criteria for shutdown conditions were determined by reviewing various studies,
and performing supporting thermal hydraulic analysis based on the Surry-specific design. The changing level
of decay heat was accounted for by defining four time windows after shutdown, each with its own set of success
criteria. In general, whenever the success criteria for one system or mitigating function changes, a new time
window needs to be defined, and potentially, more than four time windows would be needed. The use of four,
therefore, is a trade-off between the accuracy of the model and the level of effort needed to arrive at a
solution; it is believed that four time windows gives an adequate representation.


During development of the time window approach, it was recognized that the procedure for loss of RHR, AP-
27.00, is conservative with respect to the success criteria for reflux cooling and feed-and-spill, and does not
include all possible methods of establishing recirculation. These are the areas in which the plant model used
in this study deviated from the abnormal procedure. The following describes how these issues were treated.

Reflux cooling- In AP 27.00, the number of steam generators (SGs) needed for reflux cooling is given as a
function of the decay heat, e.g., 3 SGs are needed for the first 75 hours after shutdown. This value is based
on the thermal hydraulic consideration of Virginia Power NE technical report 865. From a review of existing
studies performed by INEL and Westinghouse on reflux cooling, and BNL calculations, we determined that
one steam generator should be sufficient. Therefore our current understanding is that one SG would be
sufficient, while the abnormal procedure states that three would be needed. The issue is, how much credit
should be given to reflux cooling when less than three SGs are available. In this study, the success criterion
based on the procedure was used in the logic model, and whenever reflux cooling was failed due to insufficient
SGs, a recovery action was entered with a failure probability of 0.1.

Feed-and-spill- In AP27.00 and its supporting study (Virginia Power NE technical report 865), the number
of pumps and PORVs needed for this operation was determined based on the flow from the RWST needed
to maintain sub-cooling, the capacity and shut-off head of the pumps, and the relieving capability of the
PORVs. For example, during the first 129 hours after shutdown, 2 charging pumps and 2 PORVs would be
needed. This success criterion was derived from the requirement to maintain sub-cooling, and is more
stringent than the criterion needed for feed-and-bleed during an accident that occurs during full power
operation. An alternative to feed-and-spill, (i.e. feed-and-steam), which is also discussed in technical report
865, is much less demanding in terms of the needed flow. However, feed and steam is not the recommended
method because of the difficulty in maintaining the RCS level, and the potential for over pressurization. In
this study, a success criterion of 1 charging pump and 1 PORV was used, based on the understanding that this
is sufficient to prevent core-damage.

Recirculation- AP 27.00 instructs the operators to establish high pressure recirculation by using the low-
pressure injection pump to take suction from the containment sump, and discharge to the suction of the high
pressure injection system; this requires that a low head injection pump and a charging pump are available.
In the fault tree model for recirculation, two alternative methods also are modeled, low-pressure feed-and-
steam (by taking suction from the containment sump), and low-pressure feed and spill (by taking suction from
the sump and using spray recirculation). In these modes, low-head injection is needed. The feed-and-steam
mode requires that the safety valves be removed to provide an adequate vent path, and does not require
cooling of the sump water. The feed-and-spill operation requires operation of the spray recirculation systems
to cool the water in the sump, so that sub-cooling in the reactor vessel can be established.

Operator Response- The operator's actions modeled in this study were identified in developing the event
trees. The identification process involved reviewing abnormal and emergency procedures, and discussing the
accident scenarios with plant personnel. In most cases, the operator's responses to various accidents are
identified in the procedures. For example, abnormal procedures for loss of RHR, loss of instrument air, and
loss of offsite power give guidance on what to do in case of respective losses during shutdown. The latter two
procedures are not written specifically for shutdown conditions. In case of a station blackout, the procedure
written with power operation in mind (1-ECA-0.0) does not address shutdown conditions. Therefore, only the
relevant steps in the procedure are applicable. Similarly, for other initiating events, such as loss of component
cooling, spurious safety injection, and loss of a vital bus, there is no specific procedure for shutdown condition,
and the ability of the operators to use the relevant steps in the procedures for power operations becomes very
important. As discussed under success criteria, some of the operator's actions modeled in this study are not
explicitly spelled out in the existing plant procedures, and some recovery actions modeled are extensions of the
existing procedures.


The operator actions needed to mitigate an accident are included in the high level fault trees. A high level
fault tree models one method of mitigating the accident, e.g., feed-and-spill operation which typically contains
two human error events, and one transfer to the fault tree for hardware failures. One human error event
represents the failure of the operator to diagnose, so that the correct actions cannot be decided upon; the
other represents failure to carry out the action after correct diagnosis. Assuming that the failure to diagnose
would lead to core damage, many of the dominant core-damage cutsets are caused by such events. Human
error probabilities were quantified using the method of failure likelihood index that involves assessing weights
and scores on various performance-shaping factors, and calibration using the HEPs from existing studies.


Table S.1 Summary of Results-Core-Damage Frequency by Initiating Event and Plant Operational States

                                                                            Core-Damage Frequency (per year)
Initiating Event                                          IE Frequency      R6        R10       D6        Total

1. Loss of RHR
   RHR2A-Over Draining                                    1.6E-02/Demand    1.8E-7    5.3E-8    2.6E-7    4.9E-7
   RHR2B-Failure to Maintain Level                        1.2E-05/hr        2.1E-08   2.0E-8    2.9E-8    7.0E-8
   RHR3-Non-Recoverable Loss of RHR                       4.1E-06/hr        1.5E-7    8.4E-9    3.0E-7    4.6E-7
   RHR4-Non-Recoverable Loss of Operating Train of RHR    5.3E-06/hr        7.6E-9    1.2E-9    2.3E-8    3.2E-8
   RHR5-Recoverable Loss of RHR                           2.1E-05/hr        4.0E-8    4.1E-09   9.3E-8    1.4E-7
2. LOOP-Loss of Offsite Power                             7.0E-06/hr
   L1-Both 1H and 1J Energized                            6.2E-06/hr        3.3E-7    7.0E-8    7.6E-7    1.2E-6
   L2-1H and 2H energized, not 1J                         7.4E-07/hr        1.0E-7    1.3E-8    1.7E-7    2.9E-7
   L3-1H energized, not 1J, unit 2 blackout               3.8E-08/hr        4.2E-8    1.3E-8    9.9E-8    UE-7
   B1-Unit 1 Black Out                                    2.0E-08/hr        4.8E-8    1.1E-8    1.7E-7    2.3E-7
   B2-2 Unit Blackout                                     3.2E-09/hr        3.8E-8    4.2E-8    1.1E-7    1.9E-7
3. 4KV-Loss of 4kv Bus                                    2.1E-05/hr        1.4E-7    1.9E-8    2.4E-7    4.0E-7
4. VITAL-Loss of Vital Bus                                5.6E-06/hr        2.8E-8    5.1E-9    7.3E-8    1.1E-7
5. AIR-Loss of Outside Instrument Air                     2.1E-6/hr         7.9E-10   -         3.2E-9    4.0E-9
6. CCW-Loss of CCW                                        3.8E-06/hr        6.3E-8    1.1E-10   2.1E-7    2.7E-7
7. SWGR-Loss of Emergency Switchgear Room Cooling         1.8E-08/hr        3.6E-8    1.2E-8    7.4E-8    1.2E-7
8. ESFAS-Inadvertent Safety Feature Actuation             UE-04/hr          2.7E-7    2.7E-8    6.8E-7    9.8E-7
9. Dilute-Boron Dilution (CDF)                            2.0E-07/hr                                      6.8E-08

TOTAL                                                                       1.5E-6    3.0E-7    3.3E-6    5.1E-6*

* Not including boron dilution


Table S.2 Comparison of Total Core-Damage Frequency with NUREG-1150 and IPE

Study                                          Results
                                               R6            R10           D6            TOTAL

PWR Low Power and Shutdown Study
(Mid-Loop POSs, Internal Events Only)
  CDF* per year                                1.5E-06       3.1E-07       3.3E-06       5.1E-06
                                               (1.8E-07)**   (5.5E-08)**   (2.7E-07)**   (5.0E-07)**
  Fraction of a year the plant is in mid-loop  1.6E-02       1.5E-02       3.5E-02       6.6E-02
  Conditional CDF*** per year                  8.1E-05       1.7E-05       8.6E-05       7.6E-05
  (CDP)                                        (3.0E-07)     (1.8E-07)     (2.2E-07)     (2.4E-07)
NUREG-1150 (Internal Events Only)                                                        4.0E-05
IPE (Internal Events Only)                                                               7.4E-05

* CDF reflects the fraction of time the plant is at mid-loop
** Contribution of over-draining events
*** Frequency of core-damage given that the plant is at mid-loop (core damage frequency due to non-over-draining events divided by the fraction
of time the plant is at mid-loop)
CDP probability of core-damage due to over-draining to the POS

Table S.3 Result of the Uncertainty Analysis for Total Core-Damage Frequency (per year)

                   Mid-Loop Operation   Full Power Operation*
                   (per year)           (per year)
Mean               4.9E-06              4.0E-05
5th Percentile     4.8E-07              6.8E-06
50th Percentile    2.1E-06              2.3E-05
95th Percentile    1.5E-05              1.3E-04
Error Factor       5.7                  4.4

* NUREG-1150

FOREWORD

(NUREG/CR-6143 and 6144)


Low Power and Shutdown Probabilistic Risk Assessment Program
Traditionally, probabilistic risk assessments (PRA) of severe accidents in nuclear power plants have considered
initiating events potentially occurring only during full power operation. Some previous screening analyses that
were performed for other modes of operation suggested that risks during those modes were small relative to
full power operation. However, more recent studies and operational experience have implied that accidents
during low power and shutdown could be significant contributors to risk.

During 1989, the Nuclear Regulatory Commission (NRC) initiated an extensive program to carefully examine
the potential risks during low power and shutdown operations. The program includes two parallel projects
performed by Brookhaven National Laboratory (BNL) and Sandia National Laboratories (SNL), with the
seismic analysis performed by Future Resources Associates. Two plants, Surry (pressurized water reactor) and
Grand Gulf (boiling water reactor), were selected as the plants to be studied.

The objectives of the program are to assess the risks of severe accidents due to internal events, internal fires,
internal floods, and seismic events initiated during plant operational states other than full power operation
and to compare the estimated core damage frequencies, important accident sequences and other qualitative
and quantitative results with those accidents initiated during full power operation as assessed in NUREG-1150.
The scope of the program includes that of a level-3 PRA.

The results of the program are documented in two reports, NUREG/CR-6143 and 6144. The reports are
organized as follows:

For Grand Gulf:

NUREG/CR-6143 - Evaluation of Potential Severe Accidents during Low Power and Shutdown
Operations at Grand Gulf, Unit 1

Volume 1: Summary of Results
Volume 2: Analysis of Core Damage Frequency from Internal Events for
Operational State 5 During a Refueling Outage
    Part 1: Main Report
        Part 1A: Sections 1 - 9
        Part 1B: Section 10
        Part 1C: Sections 11 - 14
    Part 2: Internal Events Appendices A to H
    Part 3: Internal Events Appendices I and J
    Part 4: Internal Events Appendices K to M
Volume 3: Analysis of Core Damage Frequency from Internal Fire Events for
Plant Operational State 5 During a Refueling Outage
Volume 4: Analysis of Core Damage Frequency from Internal Flooding Events
for Plant Operational State 5 During a Refueling Outage
Volume 5: Analysis of Core Damage Frequency from Seismic Events for Plant
Operational State 5 During a Refueling Outage
Volume 6: Evaluation of Severe Accident Risks for Plant Operational State 5
During a Refueling Outage
    Part 1: Main Report
    Part 2: Supporting MELCOR Calculations

For Surry:

NUREG/CR-6144- Evaluation of Potential Severe Accidents during Low Power and Shutdown
Operations at Surry Unit-1

Volume 1: Summary of Results
Volume 2: Analysis of Core Damage Frequency from Internal Events during
Mid-loop Operations
    Part 1: Main Report
        Part 1A: Chapters 1 - 6
        Part 1B: Chapters 7 - 12
    Part 2: Internal Events Appendices A to D
    Part 3: Internal Events Appendix E
        Part 3A: Sections E.1 - E.8
        Part 3B: Sections E.9 - E.16
    Part 4: Internal Events Appendices F to H
    Part 5: Internal Events Appendix I
Volume 3: Analysis of Core Damage Frequency from Internal Fires during
Mid-loop Operations
    Part 1: Main Report
    Part 2: Appendices
Volume 4: Analysis of Core Damage Frequency from Internal Floods during
Mid-loop Operations
Volume 5: Analysis of Core Damage Frequency from Seismic Events during
Mid-loop Operations
Volume 6: Evaluation of Severe Accident Risks during Mid-loop Operations
    Part 1: Main Report
    Part 2: Appendices

ACKNOWLEDGEMENTS

The authors wish to acknowledge the following individuals for their contribution to the study.
Ms. Candee Lovett, of Virginia Power, for promptly providing the plant information needed for developing
the model.

Mr. Kenneth Russell of Idaho Nuclear Engineering Laboratory for his help in using the latest versions of the
IRRAS computer code.

Ms. Florence O'Brien, Kathy Ryan, and Barbara Kponou for working long hours throughout the project
in providing secretarial support.

Mr. William J. Luckas for his help with interpretation of plant information and participation in the accident
scenario development.

Ms. Cheryl Conrad, Mr. Chun-Chang Chao of National Tsing Hua University, Taiwan, and Mr. Tsu-Jen Lin
of Institute of Nuclear Energy Research, Taiwan, for their technical support.

ACRONYMS
Acronym Meaning

ACC Accumulator
AEOD Office for Analysis and Evaluation Operational Data, US NRC
AFW Auxiliary Feedwater
AHU Air Handling Unit
ANS American Nuclear Society
AOT Allowed Outage Time
AOV Air Operated Valve
AP Abnormal Procedure
ASEP Accident Sequence Evaluation Program
ASME American Society of Mechanical Engineers
ATWS Anticipated Transient Without Scram
BAT Boric Acid Tank
BHEP Basic Human Error Probability
BAST Boric Acid Storage Tank
BIT Boron Injection Tank
BNL Brookhaven National Laboratory
BRT Boron Recovery Tank
CAS Compressed Air System
CCW Component Cooling Water
CD Core Damage
CDF Core Damage Frequency
CEDM Control Element Drive Mechanism
CESSAR Combustion Engineering Standard Safety Analysis Report
CFR Code of Federal Regulation
CIS Containment Isolation Signal
CLCS Consequence Limiting Control System
CPC Charging Pump Cooling
CPS Containment Pressure Suppression
CRA Control Rod Assembly
CS Containment Spray
CSD Cold Shutdown
CSR Cable Spreading Room
CSS Containment Spray System
CST Condensate Storage Tank
CVCS Chemical and Volume Control System
CW Circulating Water
DHR Decay Heat Removal
ECA Emergency Contingency Action
ECCS Emergency Core Cooling System
EDG Emergency Diesel Generator
EF Error Factor
ELO End of Licensed Life
EP Emergency Procedure
EPS Emergency Power System
ESF Emergency Safety Feature
ESFAS Emergency Safety Feature Actuation System
ESGR Emergency Switchgear Room
ESR Emergency Switchgear Room
FAI Fail as Is
FCV Flow Control Valve
FMEA Failure Mode and Effect Analysis
FO Fail Open
FW Feed Water
GOP General Operating Procedure
HAZOP Hazard and Operability Study
HEP Human Error Probability
HHSI High Head Safety Injection
HPI High Pressure Injection
HPR High Pressure Recirculation
HRA Human Reliability Analysis
HSD Hot Shutdown
HVAC Heating Ventilation and Air Conditioning
HX Heat Exchanger
HZP Hot Zero Power
IAEA International Atomic Energy Agency
IAW In Accordance With
IE Initiating Event
INEL Idaho National Engineering Laboratory
IPE Individual Plant Evaluation
IRRAS Integrated Reliability and Risk Analysis System
ISD Intermediate Shutdown
ISLOCA Interfacing Systems LOCA
ISR Inside Spray Recirculation
KV Kilo-volt
LCO Limiting Condition of Operation
LER Licensee Event Report
LHS Latin Hypercube Sampling
LHSI Low Head Safety Injection
LOCA Loss of Coolant Accident
LOSP Loss of Offsite Power
LPR Low Pressure Recirculation
LP&S Low Power and Shutdown
LTOP Low Temperature Overpressurization
MCC Motor Control Center
MCR Main Control Room
MELCOR A Computer Code for Nuclear Reactor Severe Accident Source Term and Risk Assessment Analysis
MFW Main Feedwater
MOP Maintenance Operating Procedure
MOV Motor Operated Valve
MSTV Main Steam Trip Valve
MW Mega-watt
MWt Mega-watt Thermal
NC Normally Closed
NO Normally Open
NPSH Net Positive Suction Head
NRC Nuclear Regulatory Commission
NRR Nuclear Reactor Regulation, US NRC
NRV Non-Return Valve
NSAC Nuclear Safety Analysis Center
NSS Normal Station Service
NSS Nuclear Steam System
OD Operator Depressurization
OOS Out of Service
OP Operating Procedure
OSR Outside Spray Recirculation
PCS Power Conversion System
PCV Pressure Control Valve
PG Primary Grade
PORV Pilot Operated Relief Valve
POS Plant Operational State
PPM Parts Per Million
PPRS Primary Pressure Relief System
PRA Probabilistic Risk Assessment
PRT Pressurizer Relief Tank
PRZR Pressurizer
PSA Probabilistic Safety Analysis
PSF Performance Shaping Factor
PSIA Pound Per Square Inch Absolute
PSID Pound Per Square Inch Differential
PSIG Pound Per Square Inch Gauge
PTL Pull-to-lock
PTS Pressurized Thermal Shock
R&D Refueling and Drained Maintenance
RC Reactor Coolant
RCCA Reactor Control Cluster Assembly
RCP Reactor Coolant Pump
RCS Reactor Coolant System
REA Rod Ejection Accident
RES Office of Nuclear Regulatory Research, US NRC
RF Recovery Factor
RF Range Factor
RHR Residual Heat Removal
RMP Remote Monitoring Panels
RMT Recirculation Mode Transfer
RMTS Recirculation Mode Transfer System
RPS Reactor Protection System
RPV Reactor Pressure Vessel
RSS Reserve Station Service
RTND Reference Temperature for Transition to Nil-Ductility
RTS Return to Service
RVLIS Reactor Vessel Level Indication System
RWST Refueling Water Storage Tank
RX Reactor
RY Reactor year
SBO Station Blackout
SCSS Sequence Coding Search System
SFP Spent Fuel Pool
SG Steam Generator
SGRCT Steam Generator Reactivity
SGRTS Steam Generator Recirculation and Transfer
SGTR Steam Generator Tube Rupture
SI Safety Injection
SIAS Safety Injection Actuation System
SIS Safety Injection System
SLB Steam Line Break
SNL Sandia National Laboratories
SRV Safety Relief Valve
SV Safety Valve
SWS Service Water System
TAF Top of Active Fuel
TOP Temporary Operating Procedure
TWC Through the Wall Crack
UFSAR Updated Final Safety Analysis Report
VCT Volume Control Tank
VEPCO Virginia Electric Power Company
WR Wide Range

7 EVENT TREE ANALYSIS

7.1 Event Tree Approach and Nomenclature


Event trees model the responses of the plant and operators to the initiating events. For power operations,
there are various procedures to assist the operators. In most cases, many of the possible scenarios were
recognized and analyzed, and methods for mitigating the initiating events are specified in the procedures. The
procedures give good guidance on developing event trees. For shutdown conditions, very few procedures are
written specifically for possible accidents. For the Surry plant, the only procedure that is specifically written
for shutdown accidents analyzed in this study is the procedure for loss of decay heat removal, AP-27.00 (1),
Revision 4, February 15, 1993. It provides guidance on restoring RHR, primary inventory makeup and
alternate methods of decay heat removal. In addition, the Virginia Power technical report # 865 (2), revision
1 and its supplement (3) give a supporting analysis and updated guidance for ensuring adequate backup of decay
heat removal after a loss of RHR. For other initiators, the expected responses of the plant and operator are
not as clearly defined. Therefore, information gathered from the procedures developed for power operations
has to be used. In the procedures for loss of offsite power (4), AP 10.00 Rev. 7, and loss of instrument air (5),
AP 40.00 Rev. 3, the operators are instructed to check if the unit was on RHR, and a few steps needed to
restore RHR are given. No other procedure has guidance specifically for the shutdown accidents analyzed
in this study.

We developed event trees in this study by a talk-through format. Typically, a team of 4 members, including
engineers with background and training in the area of plant operations, PRA, and thermal hydraulics met to
discuss the plant's initial conditions and the responses to the initiators. Related procedures and documents
were reviewed, and then, accident scenarios were developed. The process was very time consuming and
sometimes agreement was hard to reach. In general, it was found that deterministic analysis is very helpful
to better understand the behavior of the plant. The expected responses of the plant and possible operator
actions were also discussed with plant operations personnel during a two-day meeting at the plant.

In the time window approach, each accident initiating event can occur in 4 different time windows and 3 POSs. In
principle, 12 event trees would be needed to delineate the possible accident scenarios. Because POS 10 of
a refueling outage occurs after refueling is completed, it cannot occur in time windows 1 and 2. Therefore,
ten event trees were developed for each initiating event.

The structure of the event trees that we developed differs from that of a typical event tree in that the first top
event of the event tree is used as part of the calculation of initiating event frequency. That is, the first top
event (the "I" top event) is used to calculate the frequency that the initiating event occurs in the POS and time
window. For example, Figure 7.1-1 is the loss of RHR event tree for an initiating event (RHR5) that occurs
in time window 1. The first top event "IR5W1", shown in Figure 7.1-2, represents the fault tree that is used
to calculate the frequency that the RHR5 initiating event occurs in window 1 of the POS. Its top gate is an
"AND" gate with a basic event, representing the rate that the R5 initiating event occurs, and an "OR" gate as
its input. The "OR" gate has three "AND" gates as inputs. Each "AND" gate, combined with the hourly rate
that the initiating event occurs, is used to calculate the frequency that the RHR5 initiating event occurs in
each of the three POSs. "HOUSE" events are used to select the right part ("AND" gate) of the fault tree that
is appropriate for the POS being analyzed. For example, the left most "AND" gate is used to calculate the
frequency that the initiating event occurs in POS 6 of a refueling outage. As discussed in chapter 4, this
frequency is the product of the frequency of refueling outage, the frequency of the initiating event, the
duration of POS 6 of a refueling outage, and the probability that the initiating event occurs in time window
1, given that it occurred in this POS.
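The "I" top event structure described above (a rate basic event ANDed with an OR of three house-event-gated AND branches) can be quantified as in the following added example, which is not part of the report or of its IRRAS model. The basic event names and every numeric input are constructed for illustration.

```python
"""Quantify an "I" top event with house events (added illustration)."""
from math import prod

POS_NAMES = ("R6", "R10", "D6")

# Constructed inputs; none of these numbers is taken from the report.
IE_RATE_PER_HR = 2.0e-5                                     # hourly IE rate
OUTAGE_FREQ_PER_YR = {"R6": 0.5, "R10": 0.5, "D6": 0.25}    # outage frequency
POS_DURATION_HR = {"R6": 200.0, "R10": 100.0, "D6": 400.0}  # POS duration
# P(window | POS). POS 10 follows refueling, so windows 1 and 2 cannot occur.
P_WINDOW_GIVEN_POS = {
    "R6": {1: 0.10, 2: 0.30, 3: 0.40, 4: 0.20},
    "R10": {1: 0.0, 2: 0.0, 3: 0.5, 4: 0.5},
    "D6": {1: 0.25, 2: 0.25, 3: 0.25, 4: 0.25},
}


def build_i_tree(window):
    """Return the "I" fault tree for one time window as nested tuples.

    Node forms: ("AND"|"OR", [children]), ("BE", name, value), ("HOUSE", name).
    Basic event names are hypothetical labels, not the report's identifiers.
    """
    branches = []
    for pos in POS_NAMES:
        branches.append(("AND", [
            ("HOUSE", pos),
            ("BE", f"FREQ-OUTAGE-{pos}", OUTAGE_FREQ_PER_YR[pos]),
            ("BE", f"DURATION-{pos}", POS_DURATION_HR[pos]),
            ("BE", f"P-W{window}-{pos}", P_WINDOW_GIVEN_POS[pos][window]),
        ]))
    return ("AND", [("BE", "IE-RATE", IE_RATE_PER_HR), ("OR", branches)])


def evaluate(node, house):
    """Evaluate a tree given house event settings {name: bool}."""
    kind = node[0]
    if kind == "BE":
        return node[2]
    if kind == "HOUSE":
        return 1.0 if house[node[1]] else 0.0
    values = [evaluate(child, house) for child in node[1]]
    if kind == "AND":
        return prod(values)
    if kind == "OR":
        # Only the branch whose house event is TRUE is non-zero, so the
        # sum equals that single branch and no approximation is involved.
        return sum(values)
    raise ValueError(f"unknown node type: {kind}")


def i_top_event_frequency(pos, window):
    """Frequency per year that the IE occurs in `window` of `pos`."""
    if pos not in POS_NAMES:
        raise ValueError(f"unknown POS: {pos}")
    house = {name: name == pos for name in POS_NAMES}  # exactly one TRUE
    return evaluate(build_i_tree(window), house)


def pos_ie_frequency(pos):
    """Initiating event frequency in a POS, summed over the four windows."""
    return sum(i_top_event_frequency(pos, w) for w in (1, 2, 3, 4))


if __name__ == "__main__":
    for pos in POS_NAMES:
        per_window = [i_top_event_frequency(pos, w) for w in (1, 2, 3, 4)]
        print(pos, ["%.2e" % f for f in per_window],
              "total %.2e" % pos_ie_frequency(pos))
```

Because the window probabilities for a POS sum to one, the four per-window frequencies add up to the initiating event frequency for that POS.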


Most other top events of the event trees have the same structure as that shown in Figure 7.1-3 for restoring
RHR subsequent to the loss of RHR event. Two high-level human error events represent failure to diagnose
the initiating event and failure to carry out the action, and a transfer to the system fault trees models hardware
failures. Human errors at a lower level, e.g., operator failure to open a valve, are included in the system fault
trees. This approach allows the system fault trees to be shared by many top events in the event trees.

The following is the convention used to name POSs, event trees, event tree top-events, and human-error
events in the high-level fault trees. It was used in the computer model, using the IRRAS code.

(1) The name of an event tree has three parts, the initiating event, window number, and POS. For example,
"R5W1R6" represents the event tree for non-recoverable loss of RHR (R5) in window 1 (W1) in POS
6 of a refueling outage (R6).

Initiating Event
RA-over draining to mid-loop
RB-failure to maintain level
R3-non-recoverable loss of RHR
R4-non-recoverable loss of operating train of RHR
R5-recoverable loss of RHR
SI-inadvertent safety injection
CC-loss of CCW
4K-loss of 4 kv bus
L1-loss of offsite power case 1
L2-loss of offsite power case 2
L3-loss of offsite power case 3
B1-Unit 1 blackout
B2-2 unit blackout
VB-loss of vital bus
AR-loss of instrument air
SR-loss of emergency switch-gear room cooling

Window Number
W1-Window 1
W2-Window 2
W3-Window 3
W4-Window 4

POS and Outage Type
R6-POS 6 of a refueling outage
R10-POS 10 of a refueling outage
D6-POS 6 of a drained maintenance outage

(2) The names of event tree top events are chosen by adding a prefix to the event tree name (without the
POS designator) to represent the generic type of the top event. For example, the fourth top event
"SR5W1" in Figure 7.1-1 has a prefix of "S" to represent reflux cooling using the steam generators. The
high-level fault trees were built such that they depend on the initiating event and time window, but are
independent of the POSs. Therefore, the POS designators are not needed in naming the top events.
The following is a list of the prefixes for the generic top events.

I-Initiating Event Frequency Calculation
H-Recovery of Support System Failures
M-RCS Makeup
R-Restore RHR
V-RCS Vented
F-RCS Feed-and-Spill
S-Steam Generator Feed-and-Bleed
G-Gravity Feed from RWST
N-Recovery of Off-Site Power
C-High Pressure Recirculation
P-Spray Recirculation-both ISR and OSR (not a top event, an input to "C" event)

(3) The names of human error events modeled in the system fault trees follow the convention of
NUREG/CR-4550, and are indicated by "XHE" in the names. The name of high-level human error
events consists of the following fields separated by hyphens:
(a) The first letter in the name is either an "A" or "D" representing failure to take Action and failure
to Diagnose, respectively (X-, 2 letters).
(b) Name of event tree without POS designator (XXXX-, 5 letters).
(c) "XHE" representing a human error event (XHE-, 4 letters).
(d) A one-letter top event prefix representing the generic top event type (X-, 2 letters).
(e) A sequence number indicating the sequence that the event is applicable to (XX, 2 letters).

For example, A-R5W1-XHE-SF-9 means that in sequence 9 of the event tree "R5W1", the operator fails to
establish feed to the steam generators. In this example, "SF" was used instead of "S" because 3 separate
operator actions are modeled. "SF" represents feeding the SGs. "S1" represents bleeding the SGs before
rupture of the PRT rupture disk. "S2" represents bleeding the SGs and closing the PORVs after the PRT has
ruptured. D-R5W1-XHE represents failure to diagnose the loss of RHR in window 1, resulting in core
damage.


7.1.1 References

1. "Loss of Decay Heat Removal Capability," Virginia Power Surry Power Station, Abnormal Procedure
1-AP-27.00, Revision 4, February 15, 1993.

2. "Background and Guidance for Ensuring Adequate Backup Decay Heat Removal Following Loss of RHR
Surry and North Anna Power Stations," Nuclear Analysis and Fuel Nuclear Engineering Services, Virginia
Power, NE Technical Report No. 865, Revision 1, June 1992.

3. "North Anna Power Station, Surry Power Station, NE Technical Report 856 Rev. 1, Supplemental
Information," Virginia Power, October 9, 1992.

4. "Station Blackout," Virginia Power Surry Power Station, Abnormal Procedure 1-AP 10.00, Revision 7, July
2, 1992.

5. "Non-Recoverable Loss of Instrument Air," Virginia Power Surry Power Station, Abnormal Procedure AP
1-40.00, Revision 3, December 19, 1991.

UNITY RR5W1 VW1 SR5W1 FR5W1 GR5W1 CR5W1 SEQ # END-STATE

1 OK
2 OK
3 CD
4 CD
5 CD
6 OK
7 OK
8 CD
9 CD


Figure 7.1-1 Event Tree (R5W1R6) for a Recoverable Loss of RHR Initiating Event (RHR5) in Window 1 of POS 6 of a Refueling Outage
[Fault tree diagram. Top event: "I" top event for loss of RHR (R5) in Window 1, Frequency Calculation for R5W1. Inputs: Frequency of Loss of RHR (RHR5); frequency of refueling outages and of drained maintenance outages; duration of POS 6 and POS 10 of a refueling outage and of POS 6 of a drained maintenance outage; probability that the initiating event occurs in window 1 given R6, R10, or D6.]

Figure 7.1-2 Fault Tree for the "I" Top Event of Event Tree R5W1R6
[Fault tree diagram. Top event: Restore RHR Given RHR5 in Window 1. Labelled inputs: Failure to Restore RHR, given RHR5 in Window 1; Failure to Diagnose Loss of RHR5 Event in Window 1; Loss of RHR, POSs 3-13. Identifiers shown: W3-S, A-R5W1-XHE-R-4, D-R5W1-XHE.]

Figure 7.1-3 High Level Fault Tree for Recovery of RHR Given a RHR5 Initiating Event in Window 1

7.2 Success Criteria for the Time Window Approach


In chapter 5, we analyzed the thermal-hydraulic behavior of the reactor coolant system (RCS) in response to
a loss of RHR during mid-loop operation. Three alternate cooling methods were investigated, i.e., gravity feed
from RWST, reflux cooling, and feed-and-bleed operation. Gravity feed was analyzed using the MELCOR
code [1], covering different levels of decay power corresponding to 1 day to 29 days after the shutdown. Reflux
cooling was based largely on studies by Idaho National Engineering Laboratory [2-4] and the Westinghouse
Corporation [5]. Feed-and-spill operation was analyzed using simplified models developed for the LP&S
program, covering a large range of initial and operating conditions. For all three cooling methods, we
attempted to identify the conditions under which the operation could be successful.

In this section, the results of chapter 5 are summarized and their use in the event tree analysis is described.
In this study, a mission time of 24 hours is used; that is, we assumed that if the operators can prevent core
damage during the first 24 hours after an initiating event, then it can be avoided because of the additional help
that would become available. Thermal hydraulic calculations are used to determine the success criteria of the
various systems or mitigation functions based on the 24-hour mission time. In addition, the calculations
determine the timing of the accident scenarios and the time available for the operators to act.

Table 7.2-1 summarizes the success criteria as functions of the decay heat. Table 7.2-2 summarizes the success
criteria for the time windows, and the timing of the important events that determine the time available for
operator actions. Table 7.2-2 differs from table 7.2-1 in the success criteria for feed-and-bleed. The latter
shows the success criteria based on Virginia Power technical report 865 [6], which is intended to maintain
sub-cooling in the RCS to allow restoration of RHR, and is conservative in preventing core damage. Table
7.2-2 is more realistic in some areas, and is used in the PRA analysis.

The following important assumptions were made about the possible plant configurations that affect the plant's
ability to mitigate the accident scenarios:

(1) In a refueling outage, the plant keeps the loops isolated for an extended period. If the reactor coolant
loops are isolated, no heat removal using steam generators can be taken credit for. Table 7.2-3
summarizes the estimated fraction of time that the loops are isolated in the time windows, such that
reflux cooling would be ineffective (the success criteria specified in table 7.2-2 is not satisfied); this value
was estimated in chapter 9, based on a review of the log books of past refueling outages. In a drained
maintenance, one loop is assumed to be isolated for maintenance.

(2) If the safety valves on the pressurizer are removed, then gravity feed from RWST is possible. Review
of the log books for past refueling outages indicates that the 3 safety valves are usually removed at the
same time. Table 7.2-4 lists the estimated probability that the safety valves are removed in each time
window of each POS. Section 5.1 analyzed gravity feed from RWST and found that before 32 days
after shutdown, gravity feed from RWST is not adequate to provide 24 hours of decay heat removal.
Therefore, in windows 1 to 3, if gravity feed is the only way to remove decay heat in a given sequence,
then there would be additional time for recovery actions before core damage occurs. In window 4,
successful gravity feed is assumed to terminate the accident. In reviewing the log books of drained
maintenance outages, no removal of safety valve was found. Therefore, we assumed that gravity feed
is not possible in a drained maintenance.

(3) For reflux cooling to take place to remove decay heat, the following conditions must exist:

(a) The RCS must not be vented with the pressurizer safety valves removed, otherwise, steam loss
through the vents is assumed to defeat reflux cooling.
(b) The pressurizer PORVs are normally open during mid-loop operation. Inventory loss through them
during reflux cooling can uncover the core in a few hours. Therefore, as part of the procedure of
establishing reflux cooling, the operators are supposed to close the PORVs.
(c) The number of steam generators needed for reflux cooling was based on the Virginia Power technical
report # 865. For example, in window 2, 2 out of 3 steam generators are needed.
(d) The ability to relieve secondary pressure in the needed steam generators must be maintained by
opening the steam generator PORVs, or dumping steam to the condenser.
(e) The amount of water in the steam generator is sufficient for approximately 10 hours of reflux
cooling. Therefore, to remove decay heat for 24 hours, feed to the steam generators is required.

The following discussions summarize the success criteria of the generic top events of the event trees.

Reflux Cooling The success criteria for reflux cooling was based on Virginia Power Technical Report 865.
It is also specified in AP 27.00. There, the number of steam generators needed is specified as a function
of decay heat. It is known that the success criteria is conservative. Also, it is assumed that the operators
would follow the procedure. For Window 1 of a drained maintenance, this means that the success criteria
cannot be satisfied, because 3 steam generators are needed and only 2 are available. In such case, the
possibility of using 2 steam generators is modeled as a recovery action.
As part of the procedure for establishing reflux cooling, the operators are supposed to close the vessel head
vent and PORVs to ensure no inventory is lost through these openings. In section 5.3, it was estimated that
the leakage through the tygon tube connected to the vessel head is insignificant. If the PRT rupture disks are
ruptured, the leakage through an open PORV is large enough to lead to core damage in a few hours. If reflux
cooling is established before the PRT is ruptured, the PRT becomes a part of the RCS boundary, and no
significant loss of inventory is expected. Therefore, if the operators can establish reflux cooling by venting
the secondary side of the SGs before PRT rupture disks rupture, then there is no need to close the PORVs.
If reflux cooling is established after PRT ruptures, then the PORVs must be closed to prevent inventory loss.
It is assumed that reflux cooling is sufficient to remove decay heat if it is established before the core is
uncovered. When reflux cooling is established, the SG inventory is sufficient for about 10 hours. Feeding the
steam generator after the SG inventory becomes low is modeled as a long-term operator action.
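The reflux cooling conditions listed above can be written as a single check per scenario. The sketch below is an added example, not part of the report's model; the function and field names are hypothetical, the window boundaries, SG counts and timings are transcribed from Table 7.2-2, and "before" is treated as strictly earlier than the tabulated time.

```python
from dataclasses import dataclass
from math import inf


@dataclass(frozen=True)
class Window:
    number: int
    upper_hours: float       # window ends at this time after shutdown (inclusive)
    sgs_required: int        # steam generators needed for reflux cooling
    prt_rupture_min: int     # minutes from loss of RHR to PRT rupture
    core_uncovery_min: int   # minutes from loss of RHR to core uncovery


# Values from Table 7.2-2 (windows 1 to 4).
WINDOWS = (
    Window(1, 75, 3, 51, 120),
    Window(2, 240, 2, 63, 157),
    Window(3, 32 * 24, 2, 78, 209),
    Window(4, inf, 1, 96, 273),
)


def window_for(hours_after_shutdown: float) -> Window:
    """Return the time window in which the initiating event falls."""
    if hours_after_shutdown < 0:
        raise ValueError("time after shutdown cannot be negative")
    for w in WINDOWS:
        if hours_after_shutdown <= w.upper_hours:
            return w
    raise AssertionError("unreachable: last window is open-ended")


@dataclass
class RefluxAssessment:
    window: int
    short_term_ok: bool   # reflux cooling can be established
    mission_ok: bool      # decay heat removal covers the 24-hour mission
    reasons: list         # why a criterion is not met


def assess_reflux(hours_after_shutdown, *, sgs_available, loops_isolated,
                  safety_valves_removed, secondary_relief_available,
                  established_at_min, porvs_closed, sg_feed_available):
    """Apply the reflux cooling conditions to one constructed scenario."""
    w = window_for(hours_after_shutdown)
    reasons = []
    if safety_valves_removed:
        # Condition (a): steam loss through the vents defeats reflux cooling.
        reasons.append("RCS vented through removed pressurizer safety valves")
    if loops_isolated:
        reasons.append("reactor coolant loops isolated")
    if sgs_available < w.sgs_required:
        reasons.append(f"{w.sgs_required} SGs needed, {sgs_available} available")
    if not secondary_relief_available:
        reasons.append("no secondary pressure relief (SG PORVs or steam dump)")
    if established_at_min >= w.core_uncovery_min:
        reasons.append("reflux not established before core uncovery")
    if established_at_min >= w.prt_rupture_min and not porvs_closed:
        # After PRT rupture an open PORV is a loss path for RCS inventory.
        reasons.append("PORVs open after PRT rupture")
    short_term_ok = not reasons
    if short_term_ok and not sg_feed_available:
        # SG inventory lasts roughly 10 hours, so 24 hours needs SG feed.
        reasons.append("no feed to the SGs for long-term cooling")
    return RefluxAssessment(w.number, short_term_ok,
                            short_term_ok and sg_feed_available, reasons)


if __name__ == "__main__":
    # Constructed scenario: window 2, reflux established 70 minutes after
    # the loss of RHR (after PRT rupture at 63 minutes) with PORVs left open.
    print(assess_reflux(120, sgs_available=2, loops_isolated=False,
                        safety_valves_removed=False,
                        secondary_relief_available=True,
                        established_at_min=70, porvs_closed=False,
                        sg_feed_available=True))
```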

Figure 7.2-1 is the high-level fault tree for the reflux cooling top event of the example event tree.

Feed-and-Spill Section 5.2 documents the determination of the success criteria for feed-and-spill operation.
There, both the Virginia Power Technical Report 865 and BNL analysis are discussed. Table 7.2-1 summarizes
the success criteria, based on the Virginia Power Technical Report 865 which is the basis of AP 27.00. In AP
27.00, LHSI to hot legs is the preferred method for feed-and-spill. If hot leg injection is not available, then
cold leg injection is used. If LHSI is not available, the HHSI is used. Similar to LHSI, HHSI prefers hot leg
injection to cold leg injection. The needed number of PORVs is specified as a function of the time after
shutdown. The operators are expected to throttle the injection flow to maintain 200 °F at the core exit
thermocouple.

The success criteria in the Virginia Power technical report are intended to maintain sub-cooling in the RCS.
In reality, much more relaxed success criteria are sufficient to prevent core damage. For example, the Virginia
Power technical report requires that 2 charging pumps and 2 PORVs are needed for feed-and-spill during the
first 129 hours. As an alternative to feed-and-spill, the report discussed the option of using feed-and-steam
operation that demands much less flow from the RWST. If only 1 charging pump and 1 PORV are available,
feed-and-steam should be sufficient to keep the core covered as long as water is available in the RWST. The
success criteria of Table 7.2-2 is used in this study.

To account for the low shut off head of the LHSI pumps, the time at which RCS pressure reaches 165 psia
was determined and used as the time available for operator to use LHSI. For HHSI, it is assumed that the
time to core damage is the time available. In the high-level fault trees, two separate human error events are
used.

Figure 7.2-2 is the high-level fault tree for the feed-and-spill top event of the example event tree.

Recirculation As the level in the RWST becomes low, the operators are instructed to establish either
RWST cross connect or high-head recirculation. Section 5.2 estimated that approximately 10 days after
shutdown, recirculation is not needed. The calculation shows that with successful feed-and-spill, the core will
not be damaged within 24 hours after the loss of RHR initiating event. Therefore, high-pressure recirculation
is needed only during the first 10 days after shutdown; this 10 days is used as the boundary between windows
2 and 3. In time window 2, either high-pressure recirculation or cross-connection of RWSTs would be
sufficient to remove decay heat for 24 hours. In the fault-tree model for high-pressure recirculation in window
2, failure of recirculation requires failure to cross connect the RWSTs. In time window 1, cross connection
of RWSTs is not sufficient for 24 hours, and is not taken credit for.

AP 27.00 provides instructions on how high-pressure recirculation can be established, and states the possible
need for the spray recirculation heat exchangers. High-pressure recirculation is established by using the low
pressure injection pump to take suction from the containment sump, and discharge to the suction of the
high-pressure injection system. In the fault tree model for recirculation, Figure 7.2-3, two alternative methods also
are modeled; the low-pressure feed-and-steam by taking suction from the containment sump, and the
low-pressure feed-and-spill by taking suction from the sump and using spray recirculation. In both modes, only
low head injection is needed. The feed-and-steam mode requires that the safety valves are removed to provide
an adequate vent path, and does not require cooling of the sump water. The feed-and-spill operation requires
operation of the spray recirculation systems to cool the water in the sump, so that subcooling can be
established.

Spray Recirculation In section 5.2, it was estimated that during the first 10 days after shutdown the RWST
inventory is not sufficient for feed-and-spill and recirculation is needed. High-pressure recirculation would
introduce steam into the containment, introducing the potential of containment failure. In this study, we
assumed that if spray recirculation is not available, then the containment would fail. The impact of
containment failure on recirculation is that there is a small probability, 0.02, that the low head pumps would
lose their needed net positive suction head. This cause of failure is similar to the failure mode considered
in NUREG-1150, that is, failure of recirculation is modeled as a potential failure mode of the low-head
injection pumps.

Another function of the spray recirculation systems is to support the operation of low-pressure feed-and-spill
by taking suction from the containment sump. It cools the containment sump water, thereby maintaining subcooling
in the reactor vessel.

Gravity feed from RWST Gravity feed from RWST is established by opening the low-head injection flow
path from RWST to the RCS cold legs or hot legs. The RCS must be vented by removing the SVs on the
pressurizer so that gravity flow can be established. Depending on the level of decay heat and the number of
SVs removed, gravity feed may or may not provide 24 hours of cooling after the initiating event. The analysis
documented in section 5.1 found that with 1 SV removed approximately 32 days after shutdown (5MW decay
heat), the core is damaged after 24 hours. Therefore, 32 days was chosen as a boundary of the time windows.
In the PRA model, for an accident initiating event that takes place after 32 days after shutdown, gravity feed
from RWST is sufficient to terminate the accident. For accidents that start before 32 days, gravity feed from
RWST would give some additional time for operators to restore failed mitigation systems. Table 7.2-2 lists
the additional amount of time for each of the time windows. These times are the estimated delays in core
damage based on the modeling of gravity feed using MELCOR, and the amount of time that subcooling is
maintained, as estimated in attachment 9 of AP 27.00. Operator recovery using these times is modeled as
recovery actions in the event-tree analysis. In section 5.1, sensitivity calculations were made to determine the
effect of the timing of gravity feed. They showed that at 2 days after shutdown (13.2 MW) with only 1 SV
on the pressurizer removed, gravity feed from RWST became ineffective if initiated after 50 minutes after the
loss of RHR, due to the build up of RCS pressure. For lower decay heat, gravity feed is effective if
established less than 1 hour before the core is uncovered. The review of refueling outage log books found
that the plant usually removes the 3 SVs together. Therefore, the vent capacity of the safety valves is always
sufficient for gravity feed. The time available for the operators to establish gravity feed is assumed to be the
same time as that before core uncovery occurs.

Figure 7.2-4 is the high-level fault tree used for the gravity feed top event in the example event tree R5W1R6.
In this study, the use of gravity feed from RWST is taken credit for only in station blackout. In other cases,
there are many other methods of mitigating an accident, and use of gravity feed is judged to be either not
needed or not helpful. In these cases, the human-error probability of establishing gravity feed was assigned
a value of 1.0.


7.2.1 References

1. Summers, R.M., et al., "MELCOR 1.8.0: A computer code for Nuclear Reactor Severe Accident Source
Term and Risk Assessment Analysis," NUREG/CR-5531, Sandia National Laboratories, Albuquerque, NM,
January 1991.

2. Naff, S.A., et al., "Thermal Hydraulic Processes During Reduced Inventory Operation with Loss of
Residual Heat Removal," NUREG/CR-5855, Idaho National Engineering Laboratory, April 1992.

3. Fletcher, C.D., et al., "Thermal-Hydraulic Processes Involved in Loss of Residual Heat Removal During
Mid-Loop Operation," EGG-East-9337, Idaho National Engineering Laboratory, October 1990.

4. Wald, L.W., et al., "Consequence of the Loss of Residual Heat Removal Systems in Pressurized Water
Reactors," NUREG/CR-5820, Idaho National Engineering Laboratory, May 1992.

5. Audreycheck, T.S., et al., "Loss of RHRs Cooling While the RCS is Partially Filled," WCAP-11916,
Westinghouse Electric Corporation, July 1988.

6. "Background and Guidance For Ensuring Adequate Decay Heat Removal when RCS Loop Stop Valves
are closed, Surry and North Anna Power Stations," NE Technical Report No. 865, Rev. 1, Virginia Power,
June 1992.

[Fault tree diagram. Top event: Reflux Cooling Given a RHR5 in Window 1. Labelled inputs: Failure to Diagnose Loss of RHR5 Event in Window 1 (D-R5W1-XHE); RCS Loops Isolated to Cause Failure of Reflux Cooling; Insufficient Flow to SG from at Least 1 AFW Pump; Operator Failure to Feed SGs in Window 1-R5 (A-R5W1-XHE-SF-9); Operator Failure to Bleed the SGs given R5 (A-R5W1-XHE-S1-9); Failure of Secondary Side Heat Removal; Fail to Close Both PORVs; Operator Failure to Establish Reflux after (A-R5W1-XHE-S2-9).]

Figure 7.2-1 Reflux-Cooling Top Event for RHR5 in Window 1 of POS R6


[Fault tree diagram. Top event: Feed and Bleed the RCS Given RHR5 in Window 1. Labelled inputs: Failure to Diagnose Loss of RHR5 Event in Window 1 (D-R5W1-XHE); Operator Failure to Use HHSI in Feed and Spill in Window 1 (A-R5W1-XHE-FH-10); Failure of Feed and Spill Using HPI; Operator Failure to Use LHSI in Feed and Spill in Window 1 (A-R5W1-XHE-FL-10); Failure of Feed and Spill Using LPI.]

Figure 7.2-2 Feed-and-Bleed Top Event for RHR5 with V Failed in Window 1 of POS R6
[Fault tree diagram. Top event: Failure of Recirculation (HPR). Readable labels: Failure to Diagnose; Failure of Recirculation Spray in Window 1; Operator Failure to Establish High P Recirc; F&Steam with LPI; F&Spill with LPI; Safety Valves Not Removed in Window 1; insufficient flow from the low pressure SI pump.]

Figure 7.2-3 Failure-of-Recirculation Top Event for RHR5 in Window 1 of POS R6
[Fault tree diagram. Top event: Gravity from RWST Given RHR5 in Window 1. Labelled inputs: Safety Valve Removed in Window 1 (SV-W1); Failure to Diagnose Loss of RHR5 Event in Window 1 (D-R5W1-XHE); Operator Failure to Establish Gravity Feed in Window 1 (A-R5W1-XHE-G-6); Insufficient Flow Through Low Head Injection Flow Path.]

Figure 7.2-4 Gravity-from-RWST Top Event for RHR5 in Window 1 of POS R6



Table 7.2-1 Success Criteria for Mitigating Features

| Feature | Time Window | Success Criteria |
|---|---|---|
| Reflux Cooling | < 75 hours | Short term: 3SGs; long term: AFW to 3SGs |
| | >= 75 hours and < 475 hours | Short term: 2SGs; long term: AFW to 2 SGs |
| | >= 475 hours | Short term: 1SG; long term: AFW to 1 SG |
| Feed-and-Spill | < 107 hours | 1LHSI * (SV removed + 2PORV) |
| | > 107 hours | 1LHSI * (SV removed + 1 PORV) |
| | < 129 hours | 2HHSI * (SV removed + 2 PORV) |
| | > 129 and < 138 hours | 1HHSI * (SV removed + 2 PORV) |
| | >= 138 hours | 1HHSI * (SV removed + 1 PORV) |
| Gravity Feed | < 70 hours | at least 1 SV removed, less than 1 hour of subcooling |
| | > 70 hours and < 150 hours | at least 1 SV removed, 2 hours of subcooling |
| | > 150 hours and less than 768 hours | at least 1 SV removed, 3 hours of subcooling |
| | >= 768 hours | at least 1 SV removed, sufficient for 24 hours |
| Recirculation | <= 3 days | needed |
| | > 3 days and <= 10 days | not needed if RWSTs are cross tied, otherwise needed |
| | > 10 days | not needed |
| Spray Recirculation | <= 3 days | needed to prevent recirculation failure |
| | > 3 days and <= 10 days | not needed if RWSTs are cross tied, otherwise needed to prevent recirculation failure |
| | > 10 days | not needed |


Table 7.2-2 Definition and Characterization of Time Windows

| | WINDOW 1 | WINDOW 2 | WINDOW 3 | WINDOW 4 |
|---|---|---|---|---|
| Definition | <= 75 hours | > 75 hours and <= 240 hours | > 240 hours and <= 32 days | > 32 days |
| Representative Decay Heat | 13.23 MW (2 days) | 10 MW (5 days) | 7 MW (12 days) | 5 MW (32 days) |
| **Success Criteria** | | | | |
| Reflux Cooling | 3SGs | 2SG | 2SG | 1SG |
| Feed and Bleed, LHSI | 1LHSI*(SV removed + 2 PORV) | 1LHSI*(SV removed + 2 PORV) | 1LHSI*(SV removed + 1PORV) | 1LHSI*(SV removed + 1PORV) |
| Feed and Bleed, HHSI | 1HHSI*(SV removed + 1 PORV) | 1HHSI*(SV removed + 1 PORV) | 1HHSI*(SV removed + 1 PORV) | 1HHSI*(SV removed + 1 PORV) |
| Gravity Feed | 1 SV removed * LHSI flow path provides 4.3 hours for operator actions (with less than 2 hours of subcooling) | 1 SV removed * LHSI flow path provides 6.5 hours for operator actions (with 2 hours of subcooling) | 1 SV removed * LHSI flow path provides 12 hours for operator actions (with 2 hours of subcooling) | 1 SV removed * LHSI flow path provides sufficient cooling for 24 hours (with more than 3 hours of subcooling) |
| Recirculation | needed (HPR + LPF&Steam + LPF&Spill) | 1 RWST, needed; 2 RWST, not needed | not needed | not needed |
| Recirculation Spray | needed | 1 RWST, needed; 2 RWST, not needed | not needed | not needed |
| **Probability that IE Occurs in the Window** | | | | |
| D6 | 0.117 (0.31)* | 0.436 (0.454) | 0.375 (0.21) | 7.20E-02 (2.6E-02) |
| R6 | 1.7E-02 (5.82E-02) | 0.543 (0.7) | 0.41 (0.24) | 3.4E-02 (1.48E-03) |
| R10 | 0.0 | 0.0 | 0.016 (2.2E-02) | 9.84E-01 (0.98) |
| Decay Heat | 13.23 MW (2 days) | 10 MW (5 days) | 7 MW (12 days) | 5 MW (32 days) |
| Time to Boiling | 15 min. | 20 min. | 27 min. | 37 min. |
| Time to Tygon Tube Rupture (40 psia) | 23 min. | 31 min. | 43 min. | 59 min. |
| Time to PRT Rupture (100 psig) | 51 min. | 63 min. | 78 min. | 96 min. |
| Time to 165 psia | 41 min. with 2 PORV; 43 min. with 1 PORV | 63 min. with 2 PORV; 60 min. with 1 PORV | 227 min. with 2 PORV; 89 min. with 1 PORV | 352 min. with 2 PORV; 147 min. with 1 PORV |
| Time to 615 psig | 145 min. with 1 PORV; - with two | - | - | - |
| Time to RWST Depletion | 10 hrs | 13.5 hrs | 18.7 hrs | 38.6 hrs |
| Time to AFW Initiation (with 25% SG inventory remaining) | 743 min. | 669 min. | 925 min. | 628 min. |
| Time to Core Uncovery | 120 min. | 157 min. | 209 min. | 273 min. |
| Time to Core Damage | 219 min. | 297 min. | 411 min. | 557 min. |

* RHR2A based on time to mid-loop


Table 7.2-3 Probability that the RCS Loops Are Isolated Such that Reflux Cooling Is Unavailable or Ineffective

| | R6 | R10 | D6 |
|---|---|---|---|
| W1 | 0.3 | - | True |
| W2 | 0.7 | - | False |
| W3 | True | True | False |
| W4 | True | True | False |

Table 7.2-4 Probability that the Safety Valves on the Pressurizer Are Removed

| | R6 | R10 | D6 |
|---|---|---|---|
| W1 | 0.01 | - | False |
| W2 | 0.05 | - | False |
| W3 | 0.9 | 0.9 | False |
| W4 | 0.3 | 0.3 | False |


7.3 Loss of Residual Heat Removal Event Trees


Figures 7.3-1 to 7.3-50 are the event trees for the loss of RHR initiating events applicable to mid-loop
operations. The initiating events are described in section 4.2. In the time window approach, each accident
initiating event can occur in 4 different time windows and 3 POSs. In principle, 12 event trees would be needed to
delineate the possible accident scenarios. Because POS 10 of a refueling outage occurs after refueling is
completed, it cannot occur in time windows 1 and 2; this is demonstrated in the conditional probability that
an accident initiating event occurs in the time windows of table 7.2-2. Therefore, ten event trees were
developed for each initiating event. They were based on abnormal procedure AP 27.00, revision 4,
supplemented with information obtained during meetings with plant personnel, and information documented
in Virginia Power technical report [1] on "Background and Guidance for Ensuring Adequate Backup Decay
Heat Removal Following Loss of RHR".

In sections 7.1 and 7.2, the nomenclature used in the event trees and high level fault trees was discussed, using
event tree R5W1R6 and its associated high-level fault trees as an example. In this section, the accident
sequences defined in the event trees are discussed.

7.3.1 Event Tree for Over-draining to Mid-Loop (RHR2A)

This event occurs at the beginning of the POS due to overdraining. It may be annunciated by the shutdown
cooling low-level annunciator and RHR heat exchanger low-flow annunciator, and indicated by motor
amperage and flow oscillation, and excessive noise on the RHR pump. The expected responses of the
operator include stopping the vortexing pump, locally venting the RHR pump if necessary, restoring RCS level,
and restoring RHR.

7.3.1.1 "Over-Draining to Mid-Loop" Event Tree - Refueling POS 6

Window 1 (RAW1R6)
The event tree top events of this event tree, Figure 7.3.1-1, are described below.

IRAW1 - Over Draining


This top event is used to calculate the frequency of the initiating event that overdraining occurs in window
1 of the refueling outage. The overdraining event is modeled as a basic event. As discussed in section 7.1,
the fault tree for this top event was built so that it can be used to quantify the frequency for all 3 POSs, R6,
D6, and R10. HOUSE events are used to select the portion of the tree that is applicable to the POS.

MRAW1 - RCS Makeup


This event tree represents RCS inventory makeup using the charging pumps, low-head injection pumps, or
gravity feed from RWST. Only a small amount of makeup is needed to raise the level to allow restoration
of the RHR. It is assumed that if the RHR is not restored before the rupture disks of the pressurizer relief
tank break (51 minutes for time window 1), it will be impossible to restore RHR due to the radiation inside
the containment.

RRAW1 - Restore RHR


This event represents restoration of the RHR, after the RCS inventory is restored. The restoration requires
locally venting the RHR pumps, verifying RHR heat sink, and restarting a RHR pump.

VRAW1 - RCS Initially Vented


This event represents the initial condition that the RCS is vented with the three pressurizer safety relief valves
removed; it does not represent an operator action. It is needed in the event trees, because it affects
subsequent events. Each safety valve leaves a 4-inch diameter opening on top of the pressurizer. If the RCS
is vented this way, then gravity feed from RWST is possible. However, it was assumed that reflux cooling will
not be possible, due to the potential loss of inventory through the vents on the pressurizer. Venting through
the safety valves allows gravity feed from the RWST.

SRAW1 - Steam Generator Feed-and-Bleed


This event represents use of reflux cooling to remove heat. Reflux cooling is possible when the reactor coolant
loops are not isolated, and the secondary side of the steam generators are in wet lay-up. Loop isolation and
draining of the SGs are modeled as failure causes for this top event. The number of steam generators needed
and the time to secondary dry out depend on the decay heat, and are estimated in chapter 5. Based on AP
27.00, for time window 1, 3 steam generators are needed. Based on Table 7.2-2, the secondary inventory in
the steam generators is sufficient for 743 minutes. Venting of the secondary side can be done by dumping
steam to the condenser, or venting to the atmosphere using the steam generator PORVs. Dumping steam to
the condenser requires opening the bypass valves around the MSTV, the main steam non-return valves, and
the steam dump valves. In this time window, the initial SG inventory can last approximately 743 minutes.
Therefore, the SGs must be fed with auxiliary feedwater pumps.

FRAW1 - Primary Feed-and-Bleed


This event represents primary feed-and-bleed using a charging pump or low-head injection pump, and relieving
through the pressurizer PORVs. According to abnormal procedure, AP 27.00, cold leg injection is preferred,
but hot leg injection is an option. According to reference 1, feed-and-spill operation is preferred to the
feed-and-steam operation. In the former, the operators feed the RCS until the system is completely filled and there
is spilling out through the PORVs. In this mode, the injected flow must be high enough to keep the reactor
coolant sub-cooled, making it easy to restore RHR. For time window 1 (represented by decay heat 2 days after
shutdown), 644 gpm of flow from is necessary to remove decay heat; the flow from one charging pump, 600
gpm or less, is not enough. The other concern with this mode of decay-heat removal is whether or not the
amount of water is sufficient. The unit 1 RWST should be sufficient for approximately 10 hours of injection.
When the RWST level becomes low, recirculation has to be initiated.

In the feed-and-steam operation, much less flow is needed, and the RWST inventory can, potentially, last
much longer. However, the control of the injected flow and level poses an operational challenge. There is
the potential for pressurized thermal shock and over-pressurization if the vent path is insufficient.

In time window 1, we decided that 1 charging pump with 1 open PORV flow path is sufficient for the feed-
and-bleed operation. This is more relaxed than what is required for feed-and-bleed during power operations
where two PORVs are needed. In the case of low-pressure injection pumps, 2 PORVs are needed to ensure
that the system pressure is below 165 psia. The PORVs are normally blocked open with the block valves
de-energized open. It is assumed that there is a small chance that one PORV flow path is closed, due to the
problem of PORV leakage during power operations. For bleeding purposes, the flow path can be re-opened.

In those sequences in which the VW1 top event is successful, i.e., the pressurizer safety valves are removed,
the fault tree for the feed-and-bleed operation contains an event representing removal of the safety valves.
This event is needed to quantify these sequences correctly, because treatment of the successful event is not
automatically included. For those sequences in which the VW1 top event failed, i.e., the safety valves are not
removed, the basic event representing this condition is automatically included as the cutset of the VW1 top
event.

CRAW1 - Recirculation
Recirculation can be established in 3 ways. The first method, high-pressure recirculation, is defined in AP
27.00, and requires one charging pump running and taking suction from the discharge of a low pressure
injection pump that is running and taking suction from the containment sump. This method requires two
pumps and the associated flow path to be available. The second method, feed-and-steam with the low-
pressure injection pump, uses the pump to take suction from the containment and inject into the RCS. In
chapter 5, it was estimated that the water in the containment sump would be approximately 140 degrees F.
Therefore, NPSH should not be a problem. To bleed the steam successfully, it is assumed that the pressurizer
safety valves have to be removed. The third method, low-pressure feed-and-spill, uses the low-pressure
injection pump to take suction from the containment sump, and inject into the RCS. For this method to
succeed, at least one of the spray recirculation systems has to operate to cool the water in the containment
sump.

In time window 1, cross connection of RWSTs is not sufficient to support feed-and-spill operation for 24
hours. Therefore, it is not taken credit for.

In those sequences in which the VW1 top event is successful, i.e., the pressurizer safety valves are removed,
the fault tree for the recirculation operation contains the event representing removal of the safety valves. This
is needed to correctly quantify these sequences because the treatment of the successful event is not
automatically included. For sequences in which the VW1 top event failed, i.e., safety valves are not removed,
the basic event representing this condition is automatically included as the cutset of the VW1 top event.

GRAW1 - Gravity Feed from RWST


Gravity feed from RWST is possible if the pressurizer safety valves are removed; therefore, this is modeled
in the fault tree as a necessary condition. For window 1, this method of removing decay heat is not sufficient
for 24 hours. However, it delays core damage by more than 4 hours, and potentially, allows the operator to
establish other ways of removing decay heat. Gravity feed is modeled in the event tree, and if successful, is
assumed to lead to core damage. The fault tree for gravity feed is basically the fault tree for low-head
injection with the pump-failure mode removed. It is assumed that if the associated pump is down for
maintenance, then the flow path through the pump is unavailable.

We conservatively assumed that the human-error probability associated with establishing gravity feed is one
except for station blackout scenarios in which gravity feed may be the only method of decay heat removal.
The frequency of those sequences with no credit given to gravity feed was found to be insignificant.

7-23 NUREG/CR-6144
7 Event Tree Analysis

Sequence Descriptions of Event Tree RAW1R6

Sequence 4 - In this sequence, an overdraining event (IRAW1) occurs in window 1 of a refueling outage. The
RCS makeup (MRAW1) is successful, but restoration (RRAW1) of RHR is not. The pressurizer safety valves
are removed (VW1), which makes reflux cooling (SRAW1) impossible. Feed-and-spill operation (FRAW1) is
successful, and recirculation (CRAW1) fails.

Sequence 5 - This sequence is similar to sequence 4, except that feed-and-spill fails, but gravity feed from
RWST is successful, so that there is more time for the operator to recover from the preceding failures.
Recovery actions could be applied to this sequence. Because the human-error probability for gravity feed is
set to "TRUE", this sequence becomes logically impossible.

Sequence 6 - This sequence differs from sequence 5 in that the gravity feed from RWST fails. The HEP for
gravity feed is set to "TRUE".

Sequence 9 - This sequence is the same as sequence 4, except that the pressurizer safety valves (VW1) are
not removed, which allows reflux cooling. Reflux cooling fails in this sequence, and causes core damage to occur.

Sequence 10 - In this sequence, the RHR is not restored (RRAW1), safety valves are not removed (VW1),
reflux cooling is failed (SRAW1), and feed-and-spill failed (FRAW1).

Sequence 12 - In this sequence, RCS makeup (MRAW1) fails, making restoring RHR (RRAW1) impossible.
The pressurizer safety valves (VW1) are removed, so that reflux cooling (SRAW1) is impossible. Feed-and-
spill (FRAW1) is successful, and recirculation (CRAW1) is not.

Sequences 13 to 18 - These sequences are similar to sequences 5 to 10, except that RHR cannot be
restored due to failure of RCS makeup, while in sequences 5 to 10, restoration of RHR itself failed.

Window 2 (RAW2R6)
The event tree, Figure 7.3.1-2, for time window 2 has the same structure as that of window 1. The only
differences are in the timing of the scenarios, and in the success criteria for recirculation and reflux cooling.
Due to the difference in timing of the accidents, the various HEPs may differ. Those event tree top events
that have different success criteria than those of window 1 are described below.

SRAW2 - Steam Generator Feed-and-Bleed


The success criterion for time window 2 is that 2 steam generators are needed for reflux cooling.

CRAW2 - Recirculation
In time window 2, cross connection of RWSTs would provide 24 hours of feed-and-spill. In the fault tree for
failure of recirculation, failure to cross-connect the RWSTs is a required condition. It is assumed that for
cross connection to be successful, a unit 1 charging pump must be available and the operator action must be
successful. No credit was taken for this in the logic model. The use of unit 2 charging pump is modeled as
a recovery action.


Window 3 (RAW3R6)
This event tree, figure 7.3.1-3, differs from that of window 1 in that no top event representing reflux cooling
or recirculation is used. Reflux cooling is not possible because the RCS loops are known to be isolated in this
time window during refueling. Recirculation is not necessary, because the flow needed for feed-and-spill
operation is low enough so that the RWST inventory is sufficient for 24 hours.

Window 4 (RAW4R6)
This event tree, figure 7.3.1-4, should be identical to that of window 3, except that here successful gravity feed
does not damage the core. The thermal hydraulic analysis of section 5.1 found that after 24 days the decay
heat is low enough so that gravity feed from RWST is sufficient to remove decay heat for 24 hours. The top
event on reflux cooling was inadvertently kept in this event tree, so that the event tree appears different from
that of window 3; this does not affect the results, because reflux cooling is always failed in this time window.

7.3.1.2 "Over-Draining to Mid-Loop" Event Tree - Refueling POS 10

POS 10 of a refueling outage occurs after refueling is completed. As a result, it can only take place in
windows 3 and 4. The event trees for POS 10, Figures 7.3.1-5 to 7.3.1-6, have the same structure as those of
POS 6 of a refueling outage. The only differences are the maintenance unavailabilities, conditional probability
of the time windows, and the frequency of the POSs. Section 3.6 gives detailed discussions on the differences
among the POSs.

7.3.1.3 "Over-Draining to Mid-Loop" Event Tree - Drained Maintenance POS 6

Besides the frequency and conditional probabilities of time windows, POS 6 of a drained maintenance outage
differs from POS 6 of a refueling outage in

1. the probability of RCS loop isolation,
2. the removal of the pressurizer safety valves, and
3. the probability that the steam generators are drained.

Tables 7.1-3 and 7.1-4 summarize the differences of items 1 and 2. In a drained maintenance, it is assumed
that one RCS loop is unavailable/isolated for maintenance. Depending on the time window, the success
criteria for reflux cooling may or may not be satisfied. It is also assumed that the safety valves on the
pressurizer are not removed. Therefore, gravity feed is not an option for a drained maintenance. The
probability that the SGs are drained is modeled as a failure mode for reflux cooling. These differences, and
their effects on the event trees and fault trees, are discussed for each time window.

Window 1 (RAW1D6)
The event tree for this POS, figure 7.3.1-7, differs from that of RAW1R6, figure 7.3.1-1, in that the safety
valves are not removed, and success criteria for reflux cooling cannot be satisfied. In this POS, the safety
valves are not removed making gravity feed impossible. Reflux cooling is failed because the success criteria
of requiring 3 SGs cannot be satisfied. Therefore, top events VW1, SRAW1, and GRAW1 of event tree
RAW1R6 do not appear in this event tree. The top events in this event tree have the same meaning as those
of R6. Due to the differences in the frequency of the POSs, conditional probability of the time window,
probability of SGs draining, and probability of RCS loop isolation, the quantitative results of the sequences
in this event tree differ from those of RAW1R6.

IRAW1 - Over Draining


This top event is used to calculate the frequency of the initiating event that overdraining occurs in window
1 of the drained maintenance outage. The overdraining event is modeled as a basic event in the fault tree.
The frequency of the initiating event in this event tree differs from that of RAW1R6 because of the differences
in the frequency of outage type, and conditional probability of time window.

MRAW1 - RCS Makeup


This top event represents RCS inventory makeup using the charging pumps, low-head injection pumps, or
gravity feed from RWST. It is identical to the same top event in the event tree for R6.

RRAW1 - Restore RHR


This event represents restoration of the RHR, given that the RCS inventory is restored. The restoration
requires locally venting the RHR pumps, verifying RHR heat sink, and restarting an RHR pump. Again, this
top event is the same as that of R6.

FRAW1 - Primary Feed-and-Bleed


This top event is the same as that of R6.

CRAW1 - Recirculation
This top event is the same as that of R6.

Window 2 (RAW2D6)
This event tree, figure 7.3.1-8, differs from that of R6, figure 7.3.1-2, in that the safety valves are not removed
and gravity feed is not possible. As a result, top events VW2 and GRAW2 are not used in the event tree.
The rest of the top events are the same as those of R6, with the following difference in quantification:

IRAW2 - Over Draining


This top event is used to calculate the frequency of the initiating event that overdraining occurs in window
2 of the drained maintenance outage. The overdraining event is modeled as a basic event in the fault tree.
The frequency of the initiating event in this event tree differs from that of RAW2R6 because of the differences
in the frequency of outage type, and conditional probability of time window.

SRAW2 - Reflux Cooling


In time window 2, 2 SGs are needed for reflux cooling. For a drained maintenance, one RCS loop is assumed
to be isolated. Therefore, the 2 remaining loops should be sufficient for reflux cooling. For a refueling
outage, the RCS loops are either isolated together or not isolated. Loop isolation in a refueling outage is
modeled as a basic event that fails reflux cooling.

Window 3 (RAW3D6)
The event tree, figure 7.3.1-9, differs from that of R6, figure 7.3.1-3, in that safety valves are not removed,
reflux cooling is possible, and gravity feed is not in this time window of a drained maintenance outage. In
time window 3 of a refueling outage, the RCS loops are all isolated, so reflux cooling is impossible. The top
events of this event tree represent the same top events for R6, except the following:

IRAW3 - Over Draining


This top event is used to calculate the frequency of the initiating event that overdraining occurs in window
3 of the drained maintenance outage. The overdraining event is modeled as a basic event in the fault tree.
The frequency of the initiating event in this event tree differs from that of RAW3R6 because of the differences
in the frequency of outage type, and conditional probability of time window.

SRAW3 - Reflux Cooling


In time window 3, 2 SGs are needed for reflux cooling. For a drained maintenance, one RCS loop is assumed
to be isolated. Therefore, the 2 remaining loops should be sufficient for reflux cooling. For a refueling
outage, the 3 RCS loops are isolated. Therefore, this top event is not used in the event tree for R6.

Window 4 (RAW4D6)
The event tree, figure 7.3.1-10, differs from that of R6, figure 7.3.1-4, in that safety valves are not removed,
reflux cooling is possible, and gravity feed is not in this time window of a drained maintenance outage. In
time window 4 of a refueling outage, the RCS loops are all isolated, making reflux cooling impossible. The
top events of this event tree represent the same top events for R6, except the following:

IRAW4 - Over Draining


This top event is used to calculate the frequency of the initiating event that overdraining occurs in window
4 of the drained maintenance outage. The overdraining event is modeled as a basic event in the fault tree.
The frequency of the initiating event in this event tree differs from that of RAW3R6 because of the differences
in the frequency of outage type, and conditional probability of time window.

SRAW4 - Reflux Cooling


In time window 4, only 1 steam generator is needed for reflux cooling. For a drained maintenance, one RCS
loop is assumed to be isolated. Therefore, the 2 remaining loops are more than sufficient for reflux cooling.
For a refueling outage, 3 RCS loops are isolated. Therefore, this top event is not used in the event tree for
R6. (We note that the top event of reflux cooling appears in figure 7.3.1-4 for the refueling outage; it was
left there inadvertently. In quantifying the event tree, this top event is automatically failed.)
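
The branching rules given above for the over-draining trees can be checked by rebuilding the trees and comparing the end states with the SEQ # / END-STATE-NAMES columns of Figures 7.3.1-2 to 7.3.1-10. The Python below is an added example, not part of the report or of the PRA software it used; it assumes that sequence 1 of each tree is the branch on which the initiating event does not occur, and the names `Tree`, `TREES` and `P_DOWN` and the branch probabilities are constructed for illustration.

```python
"""Rebuild the over-draining (RHR2A) event trees from the top-event rules.

"X" is the up (success) branch of top event X and "/X" the down branch.
ASSUMPTION (inferred, not stated on the page): sequence 1 of each tree is
the up branch of the "I" top event, i.e. over-draining does not occur.
"""
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class Tree:
    valves: bool    # V asked: safety valves may be removed (refueling outage)
    reflux: bool    # S asked when the safety valves are in place
    gravity: bool   # G asked after F fails, only with the valves removed
    recirc: bool    # C asked after F succeeds (time windows 1 and 2)
    gravity_end: str = "CD"   # window 4: gravity feed alone lasts 24 hours


def _feed(prefix, tree, valves_removed):
    """Branches from primary feed-and-bleed (F) onward."""
    out = []
    if tree.recirc:
        out += [(prefix + ["F", "C"], "OK"), (prefix + ["F", "/C"], "CD")]
    else:
        out += [(prefix + ["F"], "OK")]
    if tree.gravity and valves_removed:
        out += [(prefix + ["/F", "G"], tree.gravity_end),
                (prefix + ["/F", "/G"], "CD")]
    else:
        out += [(prefix + ["/F"], "CD")]
    return out


def sequences(tree):
    """Return [(path, end_state)] in the order the sequences are numbered."""
    seqs = [(["I"], "OK")]                       # assumed sequence 1
    for makeup in ("M", "/M"):
        head = ["/I", makeup]
        if makeup == "M":                        # RHR restoration needs makeup
            seqs.append((head + ["R"], "OK"))
            head = head + ["/R"]
        for removed in ((True, False) if tree.valves else (False,)):
            pre = head + (["V" if removed else "/V"] if tree.valves else [])
            if tree.reflux and not removed:      # reflux needs the valves in place
                seqs.append((pre + ["S"], "OK"))
                pre = pre + ["/S"]
            seqs += _feed(pre, tree, removed)
    return seqs


def end_states(tree):
    """End-state column of the tree, top to bottom."""
    return [end for _, end in sequences(tree)]


def quantify(tree, p_down):
    """Sequence probabilities; p_down[X] is the probability of branch "/X"."""
    def branch(tok):
        return p_down[tok[1:]] if tok.startswith("/") else 1.0 - p_down[tok]
    return [prod(branch(t) for t in path) for path, _ in sequences(tree)]


TREES = {
    "RAW1R6": Tree(valves=True, reflux=True, gravity=True, recirc=True),
    "RAW2R6": Tree(valves=True, reflux=True, gravity=True, recirc=True),
    "RAW3R6": Tree(valves=True, reflux=False, gravity=True, recirc=False),
    "RAW4R6": Tree(valves=True, reflux=True, gravity=True, recirc=False,
                   gravity_end="OK"),
    "RAW1D6": Tree(valves=False, reflux=False, gravity=False, recirc=True),
    "RAW2D6": Tree(valves=False, reflux=True, gravity=False, recirc=True),
    "RAW3D6": Tree(valves=False, reflux=True, gravity=False, recirc=False),
    "RAW4D6": Tree(valves=False, reflux=True, gravity=False, recirc=False),
}

# Constructed branch probabilities for illustration only (not from the report).
# G = 1.0 mirrors the gravity-feed HEP being set to TRUE.
P_DOWN = {"I": 1e-2, "M": 1e-2, "R": 0.1, "V": 0.5,
          "S": 0.1, "F": 1e-2, "G": 1.0, "C": 1e-2}

if __name__ == "__main__":
    for name, tree in TREES.items():
        print(name, " ".join(end_states(tree)))
    freq = quantify(TREES["RAW1R6"], P_DOWN)
    seqs = sequences(TREES["RAW1R6"])
    cd = sum(f for f, (_, end) in zip(freq, seqs) if end == "CD")
    print("RAW1R6 sequence 5:", freq[4], " core damage total:", cd)
```

With the gravity-feed down-branch probability set to 1, sequence 5 of RAW1R6 (gravity feed successful) quantifies to zero, which is the "logically impossible" sequence noted in the sequence descriptions.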

Top events: UNITY, IRAW2, MRAW2, RRAW2, VW2, SRAW2, FRAW2, GRAW2, CRAW2
Sequence end states: 1 OK, 2 OK, 3 OK, 4 CD, 5 CD, 6 CD, 7 OK, 8 OK, 9 CD, 10 CD, 11 OK, 12 CD, 13 CD, 14 CD, 15 OK, 16 OK, 17 CD, 18 CD

Figure 7.3.1-2 Event Tree for Over-draining to Mid-loop in Window 2 of R6 (RAW2R6)


Top events: UNITY, IRAW3, MRAW3, RRAW3, VW3, FRAW3, GRAW3
Sequence end states: 1 OK, 2 OK, 3 OK, 4 CD, 5 CD, 6 OK, 7 CD, 8 OK, 9 CD, 10 CD, 11 OK, 12 CD

Figure 7.3.1-3 Event Tree for Over-draining to Mid-loop in Window 3 of R6 (RAW3R6)


Top events: UNITY, IRAW4, MRAW4, RRAW4, VW4, SRAW4, FRAW4, GRAW4
Sequence end states: 1 OK, 2 OK, 3 OK, 4 OK, 5 CD, 6 OK, 7 OK, 8 CD, 9 OK, 10 OK, 11 CD, 12 OK, 13 OK, 14 CD

Figure 7.3.1-4 Event Tree for Over-draining to Mid-loop in Window 4 of R6 (RAW4R6)


Top events: UNITY, IRAW3, MRAW3, RRAW3, VW3, FRAW3, CRAW3
Sequence end states: 1 OK, 2 OK, 3 OK, 4 CD, 5 CD, 6 OK, 7 CD, 8 OK, 9 CD, 10 CD, 11 OK, 12 CD

Figure 7.3.1-5 Event Tree for Over-draining to Mid-loop in Window 3 of R10 (RAW3R10)

Top events: UNITY, IRAW4, MRAW4, RRAW4, VW4, SRAW4, FRAW4, CRAW4
Sequence end states: 1 OK, 2 OK, 3 OK, 4 OK, 5 CD, 6 OK, 7 OK, 8 CD, 9 OK, 10 OK, 11 CD, 12 OK, 13 OK, 14 CD

Figure 7.3.1-6 Event Tree for Over-draining to Mid-loop in Window 4 of R10 (RAW4R10)

Top events: UNITY, IRAW1, MRAW1, RRAW1, FRAW1V, CRAW1V
End states in listed order: OK, OK, OK, CD, CD, OK, CD, CD

Figure 7.3.1-7 Event Tree for Over-draining to Mid-loop in Window 1 of D6 (RAW1D6)


Top events: UNITY, IRAW2, MRAW2, RRAW2, SRAW2, FRAW2V, CRAW2V
Sequence end states: 1 OK, 2 OK, 3 OK, 4 OK, 5 CD, 6 CD, 7 OK, 8 OK, 9 CD, 10 CD

Figure 7.3.1-8 Event Tree for Over-draining to Mid-loop in Window 2 of D6 (RAW2D6)


Top events: UNITY, IRAW3, MRAW3, RRAW3, SRAW3, FRAW3V
Sequence end states: 1 OK, 2 OK, 3 OK, 4 OK, 5 CD, 6 OK, 7 OK, 8 CD

Figure 7.3.1-9 Event Tree for Over-draining to Mid-loop in Window 3 of D6 (RAW3D6)


Top events: UNITY, IRAW4, MRAW4, RRAW4, SRAW4, FRAW4V
End states in listed order: OK, OK, OK, OK, CD, OK, OK, CD

Figure 7.3.1-10 Event Tree for Over-draining to Mid-loop in Window 4 of D6 (RAW4D6)



7.3.2 Event Trees for Loss of Inventory (RHR2B)

This initiating event is very similar to the over-draining event discussed in section 7.3.1; it differs in that this
event could occur any time during mid-loop, while the RHR2A event occurs at the beginning. This difference is
accounted for in the conditional probability of the time windows. These probabilities for RHR2A were
calculated from the distribution of time to mid-loop. The same probabilities for RHR2B and other initiating
events were calculated using the distribution of time to mid-loop plus the duration of mid-loop times, a uniform
random variable. Table 7.2-2 tabulates these probabilities, and shows that RHR2A has a higher probability of
occurring in the earlier windows.

The event trees for this initiating event are shown in figures 7.3.2-1 to 7.3.2-10. They have the same structure
as the event trees for RHR2A; the only difference between the two sets is the way the initiating event
frequency is calculated, using the "I" top event. In the "I" top event for RHR2A, the probability of
overdraining is used, while for RHR2B as well as other initiating events, the probability that the initiating
event occurs is calculated as the product of an hourly frequency of the initiating event and the duration of the
POS.

Top events: UNITY, IRBW1, MRBW1, RRBW1, VW1, SRBW1, FRBW1, GRBW1, CRBW1
Sequence end states: 1 OK, 2 OK, 3 OK, 4 CD, 5 CD, 6 CD, 7 OK, 8 OK, 9 CD, 10 CD, 11 OK, 12 CD, 13 CD, 14 CD, 15 OK, 16 OK, 17 CD, 18 CD

Figure 7.3.2-1 Event Tree for Loss of Inventory in Window 1 of R6 (RBW1R6)


Top events: UNITY, IRBW2, MRBW2, RRBW2, VW2, SRBW2, FRBW2, GRBW2, CRBW2
Sequence end states: 1 OK, 2 OK, 3 OK, 4 CD, 5 CD, 6 CD, 7 OK, 8 OK, 9 CD, 10 CD, 11 OK, 12 CD, 13 CD, 14 CD, 15 OK, 16 OK, 17 CD, 18 CD

Figure 7.3.2-2 Event Tree for Loss of Inventory in Window 2 of R6 (RBW2R6)


Top events: UNITY, IRBW3, MRBW3, RRBW3, VW3, FRBW3, CRBW3
Sequence end states: 1 OK, 2 OK, 3 OK, 4 CD, 5 CD, 6 OK, 7 CD, 8 OK, 9 CD, 10 CD, 11 OK, 12 CD

Figure 7.3.2-3 Event Tree for Loss of Inventory in Window 3 of R6 (RBW3R6)

Top events: UNITY, IRBW4, MRBW4, RRBW4, VW4, FRBW4, CRBW4
Sequence end states: 1 OK, 2 OK, 3 OK, 4 OK, 5 CD, 6 OK, 7 CD, 8 OK, 9 OK, 10 CD, 11 OK, 12 CD

Figure 7.3.2-4 Event Tree for Loss of Inventory in Window 4 of R6 (RBW4R6)


Top events: UNITY, IRBW3, MRBW3, RRBW3, SRBW3, FRBW3V
End states in listed order: OK, OK, OK, OK, CD, OK, OK, CD

Figure 7.3.2-5 Event Tree for Loss of Inventory in Window 3 of R10 (RBW3R10)

Top events: UNITY, IRBW4, MRBW4, RRBW4, SRBW4, FRBW4V
End states in listed order: OK, OK, OK, OK, CD, OK, OK, CD

Figure 7.3.2-6 Event Tree for Loss of Inventory in Window 4 of R10 (RBW4R10)

Top events: UNITY, IRBW3, MRBW3, RRBW3, VW3, FRBW3, CRBW3
Sequence end states: 1 OK, 2 OK, 3 OK, 4 CD, 5 CD, 6 OK, 7 CD, 8 OK, 9 CD, 10 CD, 11 OK, 12 CD

Figure 7.3.2-7 Event Tree for Loss of Inventory in Window 1 of D6 (RBW1D6)


Top events: UNITY, IRBW4, MRBW4, RRBW4, VW4, FRBW4, GRBW4
Sequence end states: 1 OK, 2 OK, 3 OK, 4 OK, 5 CD, 6 OK, 7 CD, 8 OK, 9 OK, 10 CD, 11 OK, 12 CD

Figure 7.3.2-8 Event Tree for Loss of Inventory in Window 2 of D6 (RBW2D6)


Top events: UNITY, IRBW1, MRBW1, RRBW1, FRBW1V, CRBW1V
Sequence end states: 1 OK, 2 OK, 3 OK, 4 CD, 5 CD, 6 OK, 7 CD, 8 CD

Figure 7.3.2-9 Event Tree for Loss of Inventory in Window 3 of D6 (RBW3D6)


Top events: UNITY, IRBW2, MRBW2, RRBW2, SRBW2, FRBW2V, CRBW2V
Sequence end states: 1 OK, 2 OK, 3 OK, 4 OK, 5 CD, 6 CD, 7 OK, 8 OK, 9 CD, 10 CD

Figure 7.3.2-10 Event Tree for Loss of Inventory in Window 4 of D6 (RBW4D6)



7.3.3 Event Trees for Total Loss Residual Heat Removal (RHR3)

This initiating event represents a loss of RHR event that cannot be easily recovered from. For example, a
small leak in the RHR system requiring isolation of the system would be assigned to this category. The event
trees for this initiating event, Figures 7.3.3-1 to 7.3.3-10, were derived from the event trees for RHR2B by
removing the top events on RCS makeup and recovery of RHR and replacing the RHR2B frequency with that
of RHR3 in the "I" top events. The HEPs used in the event trees may also be different.

Top events: UNITY, IR3W1, VW1, SR3W1, FR3W1, GR3W1, CR3W1
End states in listed order: OK, OK, CD, CD, CD, OK, OK, CD, CD

Figure 7.3.3-1 Event Tree for Total Loss of RHR in Window 1 of R6 (R3W1R6)

Top events: UNITY, IR3W2, VW2, SR3W2, FR3W2, GR3W2, CR3W2
Sequence end states: 1 OK, 2 OK, 3 CD, 4 CD, 5 CD, 6 OK, 7 OK, 8 CD, 9 CD

Figure 7.3.3-2 Event Tree for Total Loss of RHR in Window 2 of R6 (R3W2R6)

Top events: UNITY, IR3W3, VW3, FR3W3, GR3W3

Figure 7.3.3-3 Event Tree for Total Loss of RHR in Window 3 of R6 (R3W3R6)


Top events: UNITY, IR3W4, VW4, FR3W4, GR3W4
End states in listed order: OK, OK, OK, CD, OK, CD

Figure 7.3.3-4 Event Tree for Total Loss of RHR in Window 4 of R6 (R3W4R6)

Top events: UNITY, IR3W3, VW3, FR3W3, GR3W3
End states in listed order: OK, OK, CD, CD, OK, CD

Figure 7.3.3-5 Event Tree for Total Loss of RHR in Window 3 of R10 (R3W3R10)

Top events: UNITY, IR3W4, VW4, FR3W4, GR3W4
End states in listed order: OK, OK, OK, CD, OK, CD

Figure 7.3.3-6 Event Tree for Total Loss of RHR in Window 4 of R10 (R3W4R10)

Top events: UNITY, IR3W1, FR3W1V, CR3W1V
End states in listed order: OK, OK, CD, CD

Figure 7.3.3-7 Event Tree for Total Loss of RHR in Window 1 of D6 (R3W1D6)

Top events: UNITY, IR3W2, SR3W2, FR3W2V, CR3W2V
End states in listed order: OK, OK, OK, CD, CD

Figure 7.3.3-8 Event Tree for Total Loss of RHR in Window 2 of D6 (R3W2D6)

Top events: UNITY, IR3W3, SR3W3, FR3W3
End states in listed order: OK, OK, OK, CD

Figure 7.3.3-9 Event Tree for Total Loss of RHR in Window 3 of D6 (R3W3D6)

Top events: UNITY, IR3W4, SR3W4, FR3W4V, GR3W4
End states in listed order: OK, OK, OK, CD

Figure 7.3.3-10 Event Tree for Total Loss of RHR in Window 4 of D6 (R3W4D6)


7.3.4 Event Trees for Loss of Operating Train of RHR (RHR4)

This initiating event represents an event that causes failure of the operating train of the RHR system, and the
failure cannot be recovered within the time frame of the accident scenarios that may result. For example,
a hardware failure of the operating RHR pump would be assigned to this category. The event trees for this
initiating event, Figures 7.3.4-1 to 7.3.4-10, were derived from those for RHR2B by removing the top event on
RCS makeup and failing the normally running RHR train by setting a house event "HOUSE-RHR5" to true.
Other differences between the two sets of event trees are the frequency of the initiating event and the HEPs
used.

Top events: UNITY, IR4W1, RR4W1, VW1, SR4W1, FR4W1, GR4W1, CR4W1
Sequence end states: 1 OK, 2 OK, 3 OK, 4 CD, 5 CD, 6 CD, 7 OK, 8 OK, 9 CD, 10 CD

Figure 7.3.4-1 Event Tree for Loss of Operating Train of RHR in Window 1 of R6 (R4W1R6)

Top events: UNITY, IR4W2, RR4W2, VW2, SR4W2, FR4W2, GR4W2, CR4W2
Sequence end states: 1 OK, 2 OK, 3 OK, 4 CD, 5 CD, 6 CD, 7 OK, 8 OK, 9 CD, 10 CD

Figure 7.3.4-2 Event Tree for Loss of Operating Train of RHR in Window 2 of R6 (R4W2R6)

Top events: UNITY, IR4W3, RR4W3, VW3, FR4W3, CR4W3
End states in listed order: OK, OK, OK, CD, CD, OK, CD

Figure 7.3.4-3 Event Tree for Loss of Operating Train of RHR in Window 3 of R6 (R4W3R6)

Top events: UNITY, IR4W4, RR4W4, VW4, FR4W4, GR4W4
Sequence end states: 1 OK, 2 OK, 3 OK, 4 OK, 5 CD, 6 OK, 7 CD

Figure 7.3.4-4 Event Tree for Loss of Operating Train of RHR in Window 4 of R6 (R4W4R6)

Top events: UNITY, IR4W3, RR4W3, VW3, FR4W3, CR4W3
End states in listed order: OK, OK, OK, CD, CD, OK, CD

Figure 7.3.4-5 Event Tree for Loss of Operating Train of RHR in Window 3 of R10 (R4W3R10)

Top events: UNITY, IR4W4, RR4W4, VW4, FR4W4, GR4W4
End states in listed order: OK, OK, OK, OK, CD, OK, CD

Figure 7.3.4-6 Event Tree for Loss of Operating Train of RHR in Window 4 of R10 (R4W4R10)

Top events: UNITY, IR4W1, RR4W1, FR4W1V, CR4W1V
End states in listed order: OK, OK, OK, CD, CD

Figure 7.3.4-7 Event Tree for Loss of Operating Train of RHR in Window 1 of D6 (R4W1D6)

Top events: UNITY, IR4W2, RR4W2, SR4W2, FR4W2V, CR4W2V
End states in listed order: OK, OK, OK, OK, CD, CD

Figure 7.3.4-8 Event Tree for Loss of Operating Train of RHR in Window 2 of D6 (R4W2D6)

Top events: UNITY, IR4W3, RR4W3, SR4W3, FR4W3V
End states in listed order: OK, OK, OK, OK, CD

Figure 7.3.4-9 Event Tree for Loss of Operating Train of RHR in Window 3 of D6 (R4W3D6)

Top events: UNITY, IR4W4, RR4W4, SR4W4, FR4W4V
End states in listed order: OK, OK, OK, OK, CD

Figure 7.3.4-10 Event Tree for Loss of Operating Train of RHR in Window 4 of D6 (R4W4D6)


7.3.5 Event Trees for Recoverable Loss of RHR (RHR5)

This initiating event represents interruption of the RHR that can be recovered in the time frame of the
accident scenarios that may result; for example, a spurious trip of the RHR pump would be assigned to this
category. The event trees for this initiating event, Figures 7.3.5-1 to 7.3.5-10, were derived from those for
RHR2B by removing the top event on RCS makeup. Other differences between the two sets of event trees
are the frequency of the initiating event and the HEPs used.

Top events: UNITY, IR5W2, RR5W2, VW2, SR5W2, FR5W2, GR5W2, CR5W2
Sequence end states: 1 OK, 2 OK, 3 OK, 4 CD, 5 CD, 6 CD, 7 OK, 8 OK, 9 CD, 10 CD

Figure 7.3.5-2 Event Tree for Recoverable Loss of RHR in Window 2 of R6 (R5W2R6)

Top events: UNITY, IR5W3, RR5W3, VW3, FR3W3, OR5W3
End states in listed order: OK, OK, OK, CD, CD, OK, CD

Figure 7.3.5-3 Event Tree for Recoverable Loss of RHR in Window 3 of R6 (R5W3R6)

Top events: UNITY, IR5W4, RR5W4, VW4, FR5W4, GR5W4
End states in listed order: OK, OK, OK, OK, CD, OK, CD

Figure 7.3.5-4 Event Tree for Recoverable Loss of RHR in Window 4 of R6 (R5W4R6)

Top events: UNITY, IR5W3, RR5W3, VW3, FR3W3, GR5W3
End states in listed order: OK, OK, OK, CD, CD, OK, CD

Figure 7.3.5-5 Event Tree for Recoverable Loss of RHR in Window 3 of R10 (R5W3R10)

Top events: UNITY, IR5W4, RR5W4, VW4, FR5W4, CR5W4
End states in listed order: OK, OK, OK, OK, CD, OK, CD

Figure 7.3.5-6 Event Tree for Recoverable Loss of RHR in Window 4 of R10 (R5W4R10)

Top events: UNITY, IR5W1, RR5W1, FR5W1, GR5W1, CR5W1
End states in listed order: OK, OK, OK, CD, CD

Figure 7.3.5-7 Event Tree for Recoverable Loss of RHR in Window 1 of D6 (R5W1D6)

Top events: UNITY, IR5W2, RR5W2, SR3W2, FR3W2V, CR5W2V
Sequence end states: 1 OK, 2 OK, 3 OK, 4 OK, 5 CD, 6 CD

Figure 7.3.5-8 Event Tree for Recoverable Loss of RHR in Window 2 of D6 (R5W2D6)

Top events: UNITY, IR5W3, RR5W3, SR5W3, FR5W3V
End states in listed order: OK, OK, OK, OK, CD

Figure 7.3.5-9 Event Tree for Recoverable Loss of RHR in Window 3 of D6 (R5W3D6)

Top events: UNITY, IR5W4, RR5W4, SR5W4, FR5W4V
End states in listed order: OK, OK, OK, OK, CD

Figure 7.3.5-10 Event Tree for Recoverable Loss of RHR in Window 4 of D6 (R5W4D6)


7.3.6 References

1. "Background and Guidance for Ensuring Adequate Backup Decay Heat Removal Following Loss of RHR
Surry and North Anna Power Stations," Nuclear Analysis and Fuel Nuclear Engineering Services, Virginia
Power, NE Technical Report No. 865, Revision 1, June 1992.


7.4 Loss of Offsite Power and Station Blackout Event Trees


This section describes the event tree models that were developed to investigate accident sequences initiated
by a loss of offsite power event during mid-loop operations at the Surry Nuclear Plant. Upon loss of offsite
power (LOSP), the supply breakers to the 4.16 kV AC buses open, the emergency diesel generators (EDGs)
start automatically and each EDG output breaker closes to load the EDG onto its respective 4.16 kV
emergency AC bus. EDG 1 is aligned to the 1H 4 kV AC bus, while EDG 3 (the swing DG) can be
connected to the 1J (Unit 1) or 2J (Unit 2) 4 kV AC bus. These 4 kV AC buses provide power to the HPI
pumps, the stub buses which each supply power to one CCW and RHR pump, and the 480 V AC buses
through transformers. The 480 V AC emergency buses are 1H, 1H-1, 1J, and 1J-1 in Unit 1's electrical
distribution system. The 1H 480 V AC bus provides power to pumps such as the A train low pressure
injection pump, or the A trains of the spray recirculation systems; the 1H-1 480 V AC bus feeds the motor
control centers (MCCs) which provide power to various motor operated valves (MOVs) and small pumps, such
as the charging pump cooling pumps. In the LOSP scenario, the 1A 125 Vdc bus provides control power to
the switchgear for the pumps powered from the 1H buses, and if all AC power is lost, this bus is powered from
the DC battery 1A.

In accordance with the approach discussed in Section 7.1 of this study, event trees were developed to evaluate
the LOSP initiating event at plant operational states (POS) during the mid-loop configuration for five
boundary conditions.

(1) LOSP where both 4 kV emergency buses 1H and 1J are available,
(2) LOSP where 4 kV emergency buses 1H (or 1J) and 2H (or 2J) are available,
(3) LOSP where only 4 kV emergency buses 1H (or 1J) are available and station blackout at Unit 2,
(4) Station blackout (SBO) at Unit 1, and
(5) Station blackout at both units.

In the first case (L1), EDGs 1 and 3 (swing diesel generator) are aligned to 4 kV emergency buses 1H and
1J respectively, and both EDGs are assumed to start successfully and continue operating to supply emergency
AC power to vital safety equipment throughout the LOSP event. In the second scenario (L2), either
combination of EDGs 1 and 2, EDGs 1 and 3, or EDGs 2 and 3, are successful. Therefore, the 4 kV
emergency buses 1H (or 1J) and 2H (or 2J), or combinations thereof, are assumed to be available to provide
AC power to safety-related equipment. In the third case (L3), either EDG 1 or 3 is assumed to start
successfully and continue operating to supply emergency AC power to vital safety equipment at Unit 1. One
of the two EDGs may be in maintenance, and Unit 2 is under station blackout conditions as a result of EDG
2 being unavailable due to its failure to start or continue to run. Therefore, only one 4 kV emergency bus
1H (or 1J) is assumed to be available at Unit 1. For the fourth case (B1), SBO at Unit 1 occurs when there
is no emergency AC power supply to its vital safety equipment. EDG 1 fails to start or continue to run;
however, there is one operable DG at Unit 2 to provide AC power to operate cross-connectable systems, such
as the charging and AFW systems. This DG could be EDG 2, supplying power to the 2H bus, or EDG 3
supplying power to the 2J bus. A critical event during an SBO is depletion of the batteries which will result
in loss of instrumentation and control power. In the fifth case (B2), an SBO at both units is caused by the
unavailability of all three DGs upon loss of offsite power. This condition arises when EDG 1 and EDG 3 are
in failed states, and EDG 2 is under maintenance. Therefore, the unavailability of AC power at Unit 2 results
in the inability to provide charging flow and AFW supply from Unit 2 systems.

Table 7.4-1 lists the diesel-generator unavailability states corresponding to each of the five LOSP/SBO cases.
In section 4.3.2, fault trees were developed to determine the conditional probabilities for these five cases. By
combining the success, failure, or maintenance states of each EDG, the conditional probabilities of the five
LOSP/SBO cases were derived. The assumptions made in modelling EDG failures are similar to those made
in Section 6.2.7.4.2 for developing the Emergency Power System (EPS) fault trees. In addition, maintenance
unavailability of EDG 1 and EDG 3 during mid-loop operations is not allowed because of the requirements
stipulated in the newly implemented "Reduced Inventory (15.3 ft) Checklist", which is included as an
attachment in the station operating procedure OP-RC-005 (Rev. 1, 4/07/92). Specifically, this checklist
requires that EDG 1 and EDG 3 be verified operable before the RCS level is dropped to its reduced inventory
configuration. Procedure OP-RC-005 also requires that the checklist is completed once every shift while the
RCS is in this configuration.

Since failures of the diesels to start and run are incorporated in the definition of the LOSP initiator, these
failures are disallowed from the subsequent model (unless power is recovered and a subsequent LOSP event
occurs). This is true also for some other failures (e.g. failures of the batteries used to power the switches
connecting the EDGs to the appropriate electrical buses). The failure of various components to start (e.g.,
RHR pumps, CCW pumps) also is included in the model, as these will be temporarily disconnected after a
LOSP.

The LOSP and SBO event trees were developed by considering the specific actions required of the hardware
and operators to recover the plant from the LOSP event in the related Surry plant procedures:

(a) AP-10.00: Loss of Offsite Power (Rev. 7, 7/2/92)
(b) AP-17.00: Auto Start Failure of 1 or 2 EDG (Rev. 1, 3/28/91)
(c) AP-27.00: Loss of Decay Heat Removal Capability (Rev. 4, 2/15/92)
(d) ECA-0.0: Loss of All AC Power (Rev. 6, 4/27/92)
(e) 1-FR-H.1: Response to Loss of Secondary Heat Sink (Rev. 4, 3/28/91)

The procedures for loss of offsite power emphasize full power operation; therefore, some interpretation may
be needed to apply them to mid-loop LOSP events. For instance, the procedure cautions the operator not
to reconnect the CCW pump (which is on the stub bus) if the only source of power is a diesel generator. The
EDG maximum load is 2750 kW, and this may be approached, if, at full power, a LOCA coincides with a loss
of offsite power. The following equipment may be running at the same time, shortly after the event: charging
pumps (600 HP each, with possibility of 2 pumps on the same bus), AFW pump (400 HP), CSS (250 HP), ISR
(300 HP), OSR (300 HP), and LPI (300 HP). At Surry, the spray recirculation systems (ISR and OSR) run
concurrently with the injection spray system (CSS). In addition, some smaller systems will be connected
(charging pump cooling, recirculation fans). A CCW pump has a rating of 600 HP, i.e. it is relatively big in
terms of power consumption. Therefore, loading it onto a diesel under these conditions may bring the diesel
generator down (and it is not strictly necessary, if everything else is working). However, in the events analyzed
here for mid-loop operation, the diesel's power requirements will be much smaller, depending on the
availability of equipment. An RHR pump has a capacity of 300 HP, and CCW is needed to operate the RHR
system. Therefore, if an attempt is made to restart the RHR, it is assumed that the operators will connect
the CCW pump(s).

As discussed in section 7.2, success criteria in the procedures were relaxed when we judged that the operators
(or the TSC) will realistically try to save the core rather than strictly follow the rigid guidelines. For example,
credit is taken for low pressure recirculation when the pressurizer safety valves are removed.

An LOSP event will have the following consequences: Compressed air will be lost, at least temporarily (due
to loss of bearing cooling water to the instrument air compressor), which will incapacitate the RHR (as the
CCW valves 109 A and B will close) and the reflux bleed path via steam generator PORVs. It is assumed
(and included in the model) that the operators will quickly recover from this loss (as written in the procedure)
by connecting the standby diesel compressor and/or using fire-water to cool the bearings of the instrument air
compressor. Even then, further action may be needed to operate the steam generator PORVs, as the semi-
vital bus is used for control power. This bus can be powered from either emergency bus (via MCCs 1H1-1
or 1J1-1), so it may be necessary to align this semi-vital bus to the live source of emergency power, depending
on the initiator (in a blackout, control of the steam generator PORV will be lost). If the SG PORVs cannot
be recovered, reflux cooling (which is the preferred method of cooling, except for a restart of the RHR
system) can be effected by dumping the steam into the condenser. If the condenser is not available, the steam
eventually will be dumped inside the turbine building (the procedure cautions that this building should first
be evacuated). For the steam dump to work, the operators have to open the main steam non-return valve
(along with the manual bypass valve around the main steam trip valve). This valve is powered from normal
buses, so it must be opened manually, which is not a simple operation.

On loss of compressed air, the air-operated valves cross-connecting the two Units' RWSTs will fail open, so
this connection will be established automatically, at least initially.

The charging, LPI, recirculation spray, and AFW systems will lose power temporarily and then be reconnected
to the live buses. In case of charging, it may be possible to cross-connect from Unit 2.

AFW also can be cross-connected (from any pump on Unit 2, including the steam-driven pump, as Unit 2 is
assumed to be initially at power). The steam-driven pump on Unit 1 will not work due to the low quality of
the steam. A fallback option for AFW is to use fire-water to replenish the steam generator secondary (which
is not necessary until several hours into the accident).

Since the LPI is needed for recirculation and since LPI train A, charging trains B and C, and spray
recirculation train B are assumed down for maintenance, the recirculation function will have a high
unavailability unless both emergency buses are powered. If bus 1H is down, then high-pressure recirculation
and spray recirculation both will be down. Low pressure recirculation will be up, but this configuration will
work only if the pressurizer safety valves are removed. These valves are never removed in drained
maintenance, and have a certain probability of not being removed in a refueling outage. If bus 1J is down,
then the low-pressure recirculation system, an essential component of recirculation function, will be down and
recirculation will not work. The recirculation function is needed in windows 1 and 2 (unless the RWSTs are
successfully cross-connected in window 2).

In case of a blackout at either Unit (initiators L3, B1 and B2), there is a high probability that service water
will be lost to both Units due to draining of the Intake Canal through the open condenser 96" intake lines.
These lines are likely to be open even on Unit 1 (the shutdown Unit). These valves have to be closed
manually in the absence of emergency power, which probably will take longer than the time to drain the Canal.
If the service water is lost, then the RHR, the charging system, and the recirculation sprays will be lost.

If all else fails, gravity feed can be used to extend the time to core damage. This option will give a full 24
hours of cooling in window 4. Gravity feed uses essentially the same flowpath from the RWSTs as the forced
feed-and-bleed, so certain valves may need power; without power, these valves can be opened manually.

The success criteria used in the event trees and the timing of the accident scenarios were determined by the
thermal hydraulic analysis discussed in Chapter 5. These analyses also estimated the time available for AC
power recovery to allow mitigating actions. Recovery of offsite power is modeled as a top event in the event
trees. The time for offsite power recovery was taken to equal the time to uncovery of the core if no action
is taken, since, after that, reflux cooling will not be effective due to loss of inventory. In some scenarios, some
mitigating function may be operating but is not sufficient to provide 24 hours of decay heat removal (gravity
feed, reflux cooling or feed-and-bleed). After the cutsets were generated, the offsite power non-recovery
probability was adjusted to account for additional time available should certain mitigating features be effective.

Once offsite power is recovered, the conditional probability of core damage will be significantly reduced.
Instrument air will be recovered, so reflux cooling will have a higher availability (steam generator PORVs will
be operable, as power will be available to the semi-vital bus and compressed air will be available from regular
sources); also, the RHR system will have a higher availability once instrument air is recovered. The feed-and-bleed
function will have a higher availability because there will be no degradation in power supplies coincident
with a high probability of maintenance of trains (e.g. trains B and C of charging are in maintenance, as are
train B of LPI and train B of the recirculation sprays). The same is true for the AFW system (train B has a
high probability of downtime due to maintenance). Circulating water pumps will be started to recover the
service water system if it was lost in a blackout (see discussion in L3, B1 and B2). Also, there will be a higher
probability of help from Unit 2. For instance, for charging cross-connect, charging pump 2C must be operable,
i.e. electrical bus 2H must be up, which may or may not have been before the recovery of offsite power.

In the following Sections, the event trees for each LOSP category will be discussed. Ten event trees for each
LOSP category were constructed to define the accident sequences; one for each combination of time windows
and POSs. They are shown in Figures 7.4-1 to 7.4-50. The event trees for L1, L2 and L3 are identical for a
given window and POS, although the structure of certain fault trees will be different and some basic events
will be quantified differently.

7.4.1 Event Trees for Loss of Offsite Power with Both Emergency Buses Available (L1)

7.4.1.1 L1 Event Tree for Window 1 of R6 (L1W1R6)

In Window 1, the plant conditions are characterized by a decay heat load of 13.2 MW attained in 2 days after
shutdown from full-power operation. Figure 7.4-1 shows the event tree for the LOSP initiating event, L1,
where both 4 kV AC emergency buses 1H and 1J are available. Following a LOSP, the RHR pump is tripped
by load shedding of stub buses from the 4 kV emergency buses. The stub buses must be manually reconnected
to the 4 kV emergency buses to restore power supply to the RHR pumps before the core starts to boil;
otherwise, the RHR pumps will be vapor-bound and unstartable. Because of the estimated decay-heat load
in the reactor coolant system (RCS), the time to core uncovery is 2.0 hours if no mitigating systems are
available to keep it covered and cooled. If the ability of the RCS to remove decay heat is lost due to the
inability to restore RHR pumps, the operator must control RCS temperature by dumping secondary steam
to the main condenser via main turbine steam dump valves. Long-term makeup to the steam generators (SGs)
is required, while RCS makeup can be provided by gravity feed from RWST inventory when depressurized,
or by feed-and-bleed operation using a charging pump or low head injection pump. Long-term cooling has
to be supplied by the recirculation systems when feed-and-bleed or gravity feed are used. Recovery of offsite
AC power within 2.0 hours would restore the plant to stable conditions; therefore, non-recovery of offsite AC
power is modeled in the event tree as a decision point for successful mitigation of the initiator. Due to the
similarity of top event definitions for the L2W1R6 and L3W1R6 event trees, only the top events of the
L1W1R6 event tree are described below:

IL1W1 - LOSP Initiator


This event represents the frequency of occurrence of LOSP category L1 in window 1. A house event inside
the fault tree is used to switch between POS R6 and POS D6, with the proper initiator frequency assigned.

RL1W1 - Restore RHR


This top event represents the restoration of the RHR pumps and the return to pre-initiator conditions. Upon
LOSP, the stub buses that supply power to the RHR pumps are shed from the emergency buses, and must
be manually reconnected to restore power to the RHR pumps. When the stub buses are reconnected to the
energized 4 kV emergency buses, the CCW system also is restored to service. Except for CCW pump P-1A,
one CCW pump (P-1B, P-1C or P-1D) per unit is initially started in the loading sequence to provide cooling
water to the RHR heat exchangers (HXs), and other components. The restoration of RHR pumps to service
may require local venting to prevent injection of air into the RHR lines, and also verifying that heat removal
is available via CCW flow through the RHR heat exchangers before restarting the pumps. This event is asked
first, because RHR would have to be restored immediately after the initiator; once the core starts to boil, the
RHR pumps will become vapor-bound and restarting will be very difficult.

VW1 - RCS Initially Vented


This top event represents the plant evolution in which the RCS is initially vented when the three pressurizer
safety relief valves are removed. The removal of each safety valve gives a 4-inch-diameter opening on top of
the pressurizer. If the RCS is vented in this way, gravity feed of the RWST inventory can be used for makeup
to the RCS. However, reflux cooling ("fall back" cooling) is not possible in this configuration due to the
potential loss of RCS inventory through the vents on the pressurizer.

NL1W1 - Non-recovery of Offsite Power


This event represents failure to recover offsite AC power within the allowable time before core uncovery (2.0
hours).

SL1W1 - Steam Generator Feed-and-Bleed


This top event represents the use of reflux cooling to adequately remove heat and prevent core damage.
Reflux cooling is possible when the RCS loops are not isolated, and the secondary side of the SGs is in wet
layup. Also, AFW is needed for long-term makeup to the SGs. Isolation of the RCS loop and drained SGs
are modeled as failure causes for this top event. In window 1, successful removal of decay heat is
accomplished by all 3 SGs in the reflux cooling mode, and the secondary side inventory is adequate to prevent
drying out of the SGs for the first 10 hours. Afterwards, AFW has to supply makeup water to the secondary
side. When secondary steam is generated, it can be dumped via the main condenser to the Turbine Bldg.
deck, or through the SG PORVs to the atmosphere.

FL1W1 - Primary System Feed-and-Bleed


This event represents forced flow, using a charging pump or low head injection pump to provide RCS makeup,
and bleeding through the pressurizer PORVs or RHR relief valve. According to recent thermal-hydraulic
studies made by VEPCO personnel, a feed-and-spill mode of operation is preferred where the operators are
directed to feed the RCS through any cold-leg injection path until the primary system is completely full and
spilling out of the PORVs. In this mode, the injection flowrate must be adequate to maintain a subcooled
RCS, and thus, allow RHR flow to be more easily established. In window 1, 644 gpm of injection flow would
be needed. Such flow rate can only be supplied by a low pressure injection pump and is beyond the capacity
of a charging pump. However, as discussed in section 7.2, feed-and-steam operation can be performed by a
charging pump. In this study it was judged that one charging pump and one PORV or one low head injection
pump and 2 PORVs would be sufficient. A concern with this mode of removing decay heat is the adequacy
of fluid inventory. The unit 1 RWST inventory is sufficient for approximately 10 hours of unthrottled injection
flow. Discussions with Surry plant operators indicate that in-core thermocouples would be used to determine
that adequate subcooling is achieved before throttling the injection flow. In addition, the unit 2 RWST can
be cross-tied to further supply any needed injection flow, provided the charging pumps are used for injection.
Thereafter, injection and heat removal has to be accomplished with recirculation systems. In window 2, the
inventory in 2 RWSTs is sufficient for 24 hours of feed-and-bleed operation; recirculation is not needed. The
PORVs are normally blocked open with a small chance, probability of 0.05, that one PORV is closed.

GL1W1 - Gravity Feed from RWST


This event represents gravity feed of RWST inventory through the low-head injection flowpath to the RCS
if RCS is vented when pressurizer safety relief valves are removed from service. In Window 1, this mode of
removing decay heat provides an additional 4.3 hours to allow the operators to establish alternate means of
decay heat removal. Successful actions to establish gravity feed do not preclude potential core-damage, and
therefore, further recovery actions are necessary to mitigate the onset of core uncovery. Therefore, in our
event tree, success of gravity feed results in core damage, pending operator recovery. No credit is given for
recirculation systems as the pumps are assumed failed (otherwise forced feed-and-bleed would have been
successful). The logic model for the gravity feed option is represented by a modified fault tree for the
unavailability of the low-head injection, deleting basic events representing pump failure modes.

CL1W1 - Recirculation Systems


This event represents the recirculation systems. According to AP27.00, recirculation injection is accomplished
by a combination of high-head and low-head pumps. Recirculation heat removal is accomplished by the heat
exchangers in the recirculation sprays' circuits. Failure of the sprays results in only a 2% chance of
recirculation failing if the full combination of HHSI and LHSI pumps is used (taken from the NUREG-1150
analysis(11)). If the HHSI is not available, two methods of recirculation were taken credit for (as discussed in
section 7.2), low pressure feed-and-spill and low pressure feed-and-steam. The low pressure feed-and-spill
requires that the sprays must operate for the LHSI pump to be effective in pushing the coolant out of the
pressurizer PORVs (there is not enough head for the pressure drop from saturated coolant flowing out the
PORVs). In low pressure feed-and-steam operation with the safety valves removed, the LHSI pump has
adequate head to overcome the pressure drop, even in the absence of sprays. The LHSI pump then is subject
to the same 2% probability of failure if the recirculation sprays are unavailable.

Core Damage Sequence Description for L1W1R6 event tree

Sequence 4 has a loss of offsite power initiator with failure to recover RHR. The safety valves are removed,
which means reflux cooling cannot be used. Offsite power is recovered within 2 hours and forced feed-and-
bleed works in the injection mode. However, failure of recirculation eventually leads to core damage.

Sequence 5 is similar, except forced feed-and-bleed fails. Gravity feed is successful, but insufficient to keep
the core cooled for 24 hours. Any actions taken after gravity feed are addressed in the recovery analysis.

Sequence 6 is similar to sequence 5, except that gravity feed fails.

Sequences 8, 9, and 10 are similar to sequences 4, 5, and 6, respectively, except that offsite power is not
recovered within 2 hrs.

In Sequence 13, RHR is not recovered after the initiator, pressurizer safety valves are not removed, but reflux
cooling fails nevertheless. Offsite power is recovered within 2 hours, forced feed-and-bleed works, but
recirculation fails, causing core damage (gravity feed cannot be used because the safety valves were not
removed).

Sequence 14 is similar, except forced feed-and-bleed fails, resulting in core damage.

Sequences 17 and 18 are similar to sequences 13 and 14, respectively, except that offsite power is not
recovered within 2 hrs.

7.4.1.2 L1 Event Tree for Window 1 of D6 (L1W1D6)

This event tree, Figure 7.4-2, has a similar structure to the POS R6 trees except events VW1, reflux cooling
and gravity feed are absent. In POS D6, one loop is isolated, so 2 steam generators are not enough to provide
reflux cooling. VW1 is not questioned because the safety valves are not removed in drained maintenance.
Therefore, gravity feed cannot be used.

Core Damage Sequence description for L1W1D6 event tree

Sequence 4 has the LOSP initiator followed by failure to recover RHR, recovery of offsite power within 2 hrs,
success of forced feed-and-bleed in the injection mode, but failure in recirculation mode, resulting in damage
to the core.

Sequence 5 is similar, except feed-and-bleed fails in the injection mode, resulting in early core damage.

Sequences 7 and 8 are similar to sequences 4 and 5, respectively, except that offsite power is not recovered
within 2 hrs.

7.4.1.3 L1 Event Tree for Window 2 of R6 (L1W2R6)

The event tree structure and sequence logic of this event tree, Figure 7.4-3, are the same as those for the
L1W1R6 event tree. Success criteria of top events are somewhat relaxed due to the lower decay power (10
MW). The time available to recover offsite power increases to 2.62 hrs. Only 2 steam generators are needed
for successful reflux cooling (+ AFW for long-term cooling after 10 hours). Gravity feed will provide an
additional 6.5 hours, and cross-tying the RWSTs (with charging available) will give at least [...],
i.e., recirculation would not be needed.


7.4.1.4 L1 Event Tree for Window 2 of D6 (L1W2D6)

This tree, Figure 7.4-4, is similar to the window 1 tree in D6 (i.e., Figure 7.4-2), except that credit is taken for
reflux cooling, because, with one loop isolated in this POS, reflux cooling will still be successful with two steam
generators. The core-damage sequences are 5, 6, 9, and 10 (corresponding to 4, 5, 7, and 8 in the L1W1D6
trees, except that reflux cooling is an additional failure in all of these sequences).

7.4.1.5 L1 Event Tree for Window 3 of R6 (L1W3R6)

This tree, Figure 7.4-5, is similar to W1R6 and W2R6 trees, except that all three loops are isolated, so there
is no reflux cooling, but decay power is sufficiently low (7 MW) that recirculation cooling is not needed in the
first 24 hours. Gravity feed is still not sufficient for 24 hours (so its failure results in core damage, pending
analysis of recovery actions), but provides an additional 12 hours of cooling. Success criteria are further
relaxed; the time for recovery of offsite power increases to 3.46 hrs. Two SGs are still needed for reflux
cooling, but AFW is not needed for 15 hours.

Sequences 4, 5, 7, and 8 have the safety valves removed. Sequences 4 and 7 have failure of forced feed-and-bleed
but success of gravity feed (which is insufficient to prevent core damage); sequence 4 has offsite power
recovered within 3.5 hours. Sequences 5 and 8 are similar to 4 and 7, except that gravity feed fails.

Sequences 10 and 12 are caused by failure of forced feed-and-bleed (with or without restoration of offsite
power); gravity feed cannot be used because the pressurizer safety valves are not removed.

7.4.1.6 L1 Event Tree for Window 3 of R10 (L1W3R10)

This event tree, Figure 7.4-6, has exactly the same structure as that of L1W3R6. The only differences are the
frequency that the initiating event occurs and maintenance unavailabilities.

7.4.1.7 L1 Event Tree for Window 3 of D6 (L1W3D6)

In D6, only one loop is isolated, so credit can be given to reflux cooling in window 3. The tree structure in
Figure 7.4-7 is similar to that of L1W2D6 trees, except recirculation cooling is not needed, so that successful
forced feed-and-bleed avoids core damage. The core-damage sequences are 5 and 8, resulting from failure
of reflux cooling, forced feed-and-bleed, and non-restoration of RHR. In addition, in sequence 5, offsite
power is restored within 3.5 hours.

7.4.1.8 L1 Event Tree for Window 4 of R6 (L1W4R6)

This event tree, Figure 7.4-8, has a similar structure to the corresponding L1W3R6 event tree, except that now
gravity feed is sufficient to cool the core for at least 24 hours, due to a lower decay power (5 MW); hence,
its success avoids core damage within the 24 hr mission time. The success criteria are further relaxed; offsite
power recovery is credited within 4.6 hours after the initial event. Only one SG is needed for reflux cooling
(and AFW is not needed for 10 hours, as only one SG is assumed available).

The description of the core damage sequences is the same as that of L1W3D6, except that sequences involving
success of gravity feed are no longer core damage (sequences 4 and 7).

7.4.1.9 L1 Event Tree for Window 4 of R10 (L1W4R10)

This event tree, Figure 7.4.1-9, has exactly the same structure as that of L1W4R6. The only differences are
the frequency that the initiating event occurs and maintenance unavailabilities.

7.4.1.10 L1 Event Tree for Window 4 of D6 (L1W4D6)

This event tree, Figure 7.4.1-10, is the same in structure, and the core damage sequences are the same as in
window 3.

7.4.2 Event Tree for Loss of Offsite Power with Only One Emergency Bus Available (L2)

The L2 event trees are shown in Figures 7.4-11 to 7.4-20. The event tree model for this initiator is similar to
that of the L1 initiator. Basic events (such as HEPs) may be given different values due to availability of only
one bus. Some fault trees are changed to account for availability of only one emergency bus, with a
probability calculated for unavailability of 1H vs. 1J bus in this event (see section 4.3.2), which will impact the
availability of equipment powered from these buses. Also, the availability of 2H bus is calculated in case it
is necessary to cross-connect the charging pump cooling systems.

Otherwise, the descriptions of event trees and sequences for L2 event trees are the same as those of the L1
event trees.

7.4.3 Event Tree for Loss of Offsite Power with Only One Emergency Bus at Unit One
and Station Black-out at Unit 2 (L3)

The L3 event trees are shown in Figures 7.4-21 to 7.4-30. The event tree model for this initiator is similar
to that of the L1 initiator. Basic events (such as HEPs) may be given different values due to availability of
only one bus. Some fault trees are changed to account for availability of only one emergency bus, with a
probability calculated for unavailability of 1H vs. 1J bus in this event (see section 4.3.2), which will impact the
availability of equipment powered from these buses.

Another consideration in the L3 event tree (blackout on Unit 2) is the availability of service water and its
impact on frontline systems. The Intake Canal drains quickly (30-60 min) unless the condenser valves are
closed. This is because the main circulating water (CW) pumps run on normal power, and the emergency
service water pumps are badly mismatched to the outflow through the condenser inlet lines. Also, the outlet
isolation valves automatically close to the 25% open (75% closed) position on receipt of a blackout signal.
However, this is not perceived to have much effect on the flow through the valves (it may make them easier
to close) due to their construction. Also, there is a certain chance that the shutdown Unit will not have water
running through its condensers due to maintenance. The vacuum priming system may be off, which will slow
down the outflow from the Canal. These considerations will not have much effect on the conclusion that
powered closure of these valves is the only option, because the manual closure will take too much time.

Table 7.4-2 shows the power sources of these valves. Those marked "106" and "206" are the condenser inlet
valves for Unit 1 and Unit 2, respectively, whereas the valves marked "100" and "200" are the condenser outlet
valves for the two Units. If power is available to the 1J bus, all 8 condenser lines can be successfully isolated
through a combination of inlet and outlet valves. If power is available to the 2J bus, there are provisions
(hardware and procedure) for tying the 2J bus to the MCC 1J1-1, so that the Canal can again be isolated
from the condensers. If either 1H or 2H (but not both) buses have power, then only 4 out of 8 lines can be
isolated, and the buses must be cross-tied to close the remaining lines (the procedures are in place for this
action).

In the model for initiating events L3 and B1, a high-level HEP event is used to model failure of the operator
to isolate the Canal.

If offsite power is recovered ('N' event successful), the model assumes service water is recovered, as the CW
valves are assumed closed by the operators once the power is available. Otherwise, the descriptions of event
trees and sequences for L3 event trees are the same as those of the L1 event trees.

7.4.4 Event Trees for Station Blackout at Unit 1 (B1)

Event trees were constructed to analyze the accident sequences during mid-loop operation where Unit 1 has
no AC power, but Unit 2 has one operable DG, that could be EDG-2, supplying power to the 2H bus, or
EDG3, supplying power to the 2J bus. As shown on Figures 7.4-31 to 7.4-40, these event trees are B1W1R6,
B1W1D6, B1W2R6, B1W2D6, B1W3R6, B1W3R10, B1W3D6, B1W4R6, B1W4R10, and B1W4D6 which
represent the response to the initiating event at the mid-loop POSs of the two outage types. During SBOs,
loss of instrument air causes the main steam-trip valves (MSTVs) to fail closed, the SG PORVs to fail closed,
while AFW flow distribution to the SGs is lost. A critical event in timing for SBO evaluations is the depletion
of the vital batteries, which causes the loss of instrumentation or control power throughout the plant. The batteries
at the Surry plant are designed for a two-hour load discharge; however, depletion time could be extended by
shedding non-essential loads. An assumption of four hours to the expected battery depletion was considered
in the SBO sequences in the event tree models that are discussed next.

Important considerations during an SBO event are the preservation of the RCS inventory, the removal of
decay heat by the supply of feedwater to the steam generators, and the extension of battery life. In the Unit
1 SBO scenarios, cross-connecting the Unit 2 charging pump to provide HPI flow for RCS makeup is a
reliable, alternative source of fluid inventory to the primary system. We note that the charging pumps depend
on the Charging Pump Cooling (CPC) system to provide cooling to the charging pump's seal coolers (via the
charging pump cooling water system) and the lube-oil coolers (via the charging pump service water system).
Seal cooling is not required as long as the pumped fluid is below 115°F (the RWST water is kept at 45°F,
except right after refueling, i.e. possibly in POS 10)(2). Therefore, the CPC system would be needed only in
recirculation mode, and only if the recirculation sprays are not working (only windows 1 and 2 would be
affected). If needed, the ultimate heat sink for this system would be the service water. The lubricating oil
to charging pump bearings also is cooled by service water via lube-oil coolers of the CPC system. Therefore,
sufficient service water is necessary for the continued operation of charging pumps in either unit of the Surry
station.

The service water lines tap off the 96-inch circulating water inlet pipes upstream of the inlet isolation valves
of the main condenser. Circulating water or service water inventory is gravity-fed from the Intake Canal,
which depends on the difference in pressure head between the Intake Canal and the Discharge Tunnel. The
Intake Canal inventory, which is commonly shared by both units of the Surry nuclear station, is provided by
the motor-driven Circulating Water Pumps (CWPs), which draw suction from the James River. When offsite
AC power supply is lost, the CWPs become unavailable. Then, if the main condenser is not isolated, the
outflow of circulating water through the condenser will be much greater than the makeup provided by the
diesel-driven emergency service water pumps. The canal may be drained before the offsite AC power needed
to operate CWPs is restored, depending on the number of condensers that are not isolated. The inlet and
outlet isolation MOVs of the condensers are powered by the 4 kV emergency AC buses. As described in
Section 6.2.14.2.2, the distribution of power supply for these MOVs ensures that at least one isolation MOV
in each of the eight CW lines can be closed to conserve Intake Canal level if the offsite AC power supply is
lost.

If there is a station blackout at both units, there will be no electrical power to operate the CW isolation
MOVs. Assuming that all eight CW lines are filled with running water when both units are at full power, it
is conservatively estimated that the canal would drain in about 30 minutes to an hour. This estimate is
conservative because credit can be taken for operational constraints on the plant's configuration during
shutdown conditions. For example, if Unit 1 is in a refueling outage, part or all of the four tube bundles of
the main condenser may be under eddy-current testing. Then, the associated inlet and outlet CW lines are
required to be isolated. Also, when a unit is in cold shutdown, the Discharge Tunnel is open to the
atmosphere via the vacuum breaker vents. This configuration would reduce the gravity flow through
unisolated CW lines, and thus, somewhat increase the time to canal drainage.

In previous PRA studies (e.g., NUREG-1150(11)), manual isolation of the condenser isolation valves by the
operator was identified as a viable means to maintain sufficient inventory in the Intake Canal in the event of
loss of offsite AC power or station blackout at one unit. However, from discussions with Virginia Power

7-93 NUREG/CR-6144
7 Event Tree Analysis

personnel, we estimated that it would take two operators about 30 minutes to close the handwheel of any one
of the 96-inch butterfly-type isolation valves. We concluded that manual isolation of the condensers to
conserve Intake Canal inventory during SBO is not achievable. Thus, remote isolation of condenser inlet and
outlet valves by electrical means is considered in the SBO event trees. In the case of SBO at Unit 1, there is
at least one operable EDG at Unit 2. If the 2J bus is energized, either the inlet or outlet MOV in each of
the eight CW lines is powered by the 2J bus and can be closed electrically (this is possible because the 2J bus
can be cross-tied to the MCC 1J1-1A, normally connected to the 1J bus on Unit 1; this MCC powers a
sufficient combination of inlet and outlet CW MOVs to successfully isolate the Canal from the condensers).
If only the 2H bus is energized and 2J bus is not, then local cross-tying of the 2H and 2J buses is required to
establish power supply to the Unit 1 CW MOVs. The conservative assumption is that 2J bus is not energized
during a Unit 1 station blackout.
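The isolation argument above can be checked against the valve power supplies listed in Table 7.4-2. The following Python example is added here and is not part of the report. It assumes that valves sharing a unit digit and letter (for example MOV-CW-100A and MOV-CW-106A) are the two isolation valves of one CW line, that the two supplies garbled in the scanned table are MCC 1J1-1A, and that MCCs 1H1-1 and 2H1-1 are fed from the 1H and 2H buses.

```python
from itertools import combinations

# Valve -> supplying MCC, transcribed from Table 7.4-2.
# Assumption: the two supplies that are illegible in the scan (MOV-CW-200C and
# MOV-CW-206D) are MCC 1J1-1A, as the breaker numbering and the text imply.
MOV_SUPPLY = {
    "MOV-CW-100A": "1J1-1A", "MOV-CW-106A": "1H1-1",
    "MOV-CW-100B": "1H1-1",  "MOV-CW-106B": "1J1-1A",
    "MOV-CW-100C": "1J1-1A", "MOV-CW-106C": "1H1-1",
    "MOV-CW-100D": "1H1-1",  "MOV-CW-106D": "1J1-1A",
    "MOV-CW-200A": "1J1-1A", "MOV-CW-206A": "2H1-1",
    "MOV-CW-200B": "2H1-1",  "MOV-CW-206B": "1J1-1A",
    "MOV-CW-200C": "1J1-1A", "MOV-CW-206C": "2H1-1",
    "MOV-CW-200D": "2H1-1",  "MOV-CW-206D": "1J1-1A",
}

# Assumption: each MCC is normally fed from the bus its name suggests. The text
# confirms this only for MCC 1J1-1A (normally connected to the 1J bus).
MCC_NORMAL_BUS = {"1J1-1A": "1J", "1H1-1": "1H", "2H1-1": "2H"}


def cw_line(valve):
    """Line label such as '1A': unit digit plus letter of the valve tag (assumed pairing)."""
    tag = valve.rsplit("-", 1)[1]          # e.g. '100A'
    return tag[0] + tag[-1]


ALL_LINES = {cw_line(v) for v in MOV_SUPPLY}


def unisolated_lines(energized_mccs):
    """CW lines in which neither isolation valve has power."""
    covered = {cw_line(v) for v, mcc in MOV_SUPPLY.items() if mcc in energized_mccs}
    return sorted(ALL_LINES - covered)


def energized_mccs(live_buses, tie_2h_2j=False, tie_2j_to_mcc=False):
    """MCCs that have power for a set of live 4 kV buses and the cross-ties made.

    tie_2h_2j     -- local cross-tie of the 2H and 2J buses
    tie_2j_to_mcc -- cross-tie of the 2J bus to MCC 1J1-1A
    """
    live = set(live_buses)
    if tie_2h_2j and live & {"2H", "2J"}:
        live |= {"2H", "2J"}
    mccs = {mcc for mcc, bus in MCC_NORMAL_BUS.items() if bus in live}
    if tie_2j_to_mcc and "2J" in live:
        mccs.add("1J1-1A")
    return mccs


def minimal_isolating_sets():
    """Smallest MCC combinations that put power on one valve in every CW line."""
    mccs = sorted(set(MOV_SUPPLY.values()))
    found = []
    for size in range(1, len(mccs) + 1):
        for combo in combinations(mccs, size):
            if any(set(prev) <= set(combo) for prev in found):
                continue                    # a smaller set already suffices
            if not unisolated_lines(set(combo)):
                found.append(combo)
    return found


if __name__ == "__main__":
    print("Minimal isolating MCC sets:", minimal_isolating_sets())
    cases = {
        "Unit 1 SBO, 2J live, 2J tied to MCC 1J1-1A":
            energized_mccs({"2J"}, tie_2j_to_mcc=True),
        "Unit 1 SBO, only 2H live, no cross-ties":
            energized_mccs({"2H"}),
        "Unit 1 SBO, only 2H live, both cross-ties made":
            energized_mccs({"2H"}, tie_2h_2j=True, tie_2j_to_mcc=True),
        "SBO at both units":
            energized_mccs(set()),
    }
    for name, mccs in cases.items():
        print(f"{name}: unisolated lines = {unisolated_lines(mccs)}")
```

Under these assumptions MCC 1J1-1A is the only single MCC that covers all eight lines, which is why the text ties Unit 1 SBO isolation to getting the 2J bus onto that MCC.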

When SBO occurs at Unit 1 during mid-loop conditions, the RHR pumps are tripped and the capability to
remove decay heat is lost. If the RCS is vented, RCS makeup from Unit 2 charging system, or gravity feed
from RWST inventory can be used to maintain RCS water level upon loss of RHR capability. If the SGs are
in wet layup conditions, the SG inventory is a heat sink that helps to mitigate any heatup of the primary
system unless the RCS loops are isolated for maintenance.

7.4.4.1 B1 Event Tree for Window 1 of R6 (B1W1R6)

The B1 event tree for window 1 of R6 is shown in Figure 7.4-31. The top events of the event tree are
described below:

IB1W1 - SBO Initiator

This event represents the SBO occurrence, B1 at Unit 1, where no emergency AC power supply is available
to its vital safety equipment. EDG 1 fails to start or continue to operate after start; however, one operable
DG at Unit 2 could provide AC power to cross-connectable systems, such as the charging and AFW systems.

VB1W1 - RCS Initially Vented

This top event represents the RCS-vented conditions, such as when the pressurizer safety relief valves are
removed.

NB1W1 - Non-recovery of AC Power

This event represents the failure to restore AC power within the allowable time for mitigating actions. If the
power is restored, the event tree transfers to the R5 event tree. Then, event "R" in that event tree (restoration
of RHR) is set to "T", as the RHR pumps are assumed to be vapor-bound and not recoverable.

SB1W1 - Steam Generator Feed-and-Bleed

This top event represents the use of reflux cooling to adequately remove heat when the RCS loops are not
isolated, and the secondary side of the SGs are in the wet layup condition. It is assumed failed in the logic
model, and venting the SGs and cross-connecting the AFW are treated as recovery actions.

2CHGW1 - Cross-connection of Unit 2 Charging System

This event represents the cross-tie of the operable Unit 2 charging pump to provide RCS makeup to the
primary system for feed-and-bleed operation to maintain RCS cooldown and depressurization. The
unavailability of AC power results in the need to balance charging flow at both units by manually throttling
the valves. As discussed in section 7.2, the inventory of RWST is not sufficient to provide 24 hours of
feed-and-spill operation. Therefore, the success of this top event still leads to core damage. However, it provides
more time for recovery actions such as recovery of offsite power and reflux cooling.

GB1W1 - Gravity Feed from RWST


This event represents gravity feed of RWST through the low-head injection flowpath to the RCS when the
RCS is vented. In POS 6 of the refueling outage, this mode of decay heat removal cannot effectively remove
decay heat within 24 hours. However, it provides additional time beyond 4 hours to allow the operators
to establish alternate ways to remove decay heat.

Sequence Description of B1W1R6 Event Tree


Sequence 1 characterizes the initial conditions in POS 6 of a refueling outage before the SBO initiator, B1,
occurs, where no AC power supply is available to either of the 4 kV emergency buses, 1H or 1J. However, there is
one operable DG at Unit 2 to provide AC power to its vital equipment. The availability of AC power supply
at Unit 2 allows the operators to attempt to cross-tie vital equipment for various recovery actions. Sequences
2 through 5 delineate the sequences when the RCS is vented. Sequence 2 represents successful recovery of
offsite AC power before core uncovery and transfers to the R5W1R6 (recoverable loss of RHR) event tree
for further evaluation. In sequence 3, RCS makeup from Unit 2 charging system is sufficient in the near term
to maintain RCS cooldown when RHR capability is lost in a SBO. However, the core is damaged due to the
unavailability of long-term cooling via recirculation systems. Sequence 4 represents the unavailability of RCS
makeup from the Unit 2 charging system; however, gravity feed from the RWST will delay core damage so
recovery actions can be considered. Sequence 5 represents unavailability of RCS makeup from either source,
forced flow from Unit 2 charging system or gravity feed from the RWST inventory. Core damage results from
RCS boiloff.

Sequences 6 through 8 delineate outcomes when RCS is not vented. Sequence 6 represents the successful
restoration of offsite AC power supply and is transferred to the R5W1R6 (recoverable loss of RHR) event
tree for further evaluation. Sequence 7 is a logically impossible sequence, because reflux cooling is not
credited in the logic model and is instead modeled as a recovery action. In sequence 8, forced flow from the Unit
2 charging system provides RCS makeup to prevent heatup of the primary system and subsequent core damage
in the near term. In sequence 9, the unavailability of RCS makeup from the Unit 2 charging system results
in RCS boiloff and subsequently, the core is damaged.
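The nine sequences described above can be reproduced by walking the tree branch by branch. The following Python example is added here and is not part of the report: the tree structure follows the sequence description, the end-state labels NO-SBO (sequence 1) and OK (sequence 7) are labels chosen for this example, and every branch probability is a constructed placeholder except SB1W1 (assumed failed, per the text) and the vented fraction (the window-1 VW1 value of 0.01 quoted in Section 7.5.1.1).

```python
# Node = (top_event, up_branch, down_branch); a plain string is an end state.
# "Up" is the success branch. For IB1W1, "up" means the SBO initiator does not
# occur; for VB1W1, "up" means the RCS is vented; for NB1W1, "up" means AC
# power is recovered in time.
B1W1R6 = (
    "IB1W1", "NO-SBO",                               # seq 1 (label is this example's)
    ("VB1W1",
        ("NB1W1", "R5W1R6",                          # seq 2: vented, AC recovered, transfer
            ("2CHGW1", "CD",                         # seq 3: Unit 2 charging only delays CD
                ("GB1W1", "CD", "CD"))),             # seq 4 (gravity feed delays CD), seq 5
        ("NB1W1", "R5W1R6",                          # seq 6: not vented, AC recovered, transfer
            ("SB1W1", "OK",                          # seq 7: reflux cooling (label assumed)
                ("2CHGW1", "CD", "CD")))),           # seq 8, seq 9
)

# Probability of taking the DOWN branch at each top event.
P_DOWN = {
    "IB1W1": 1.0e-5,   # constructed: SBO initiator occurs during the window
    "VB1W1": 0.99,     # RCS not vented: 1 - 0.01 (VW1, window 1, Section 7.5.1.1)
    "NB1W1": 0.3,      # constructed: AC power not recovered in time
    "SB1W1": 1.0,      # assumed failed in the logic model (per the text)
    "2CHGW1": 0.1,     # constructed: Unit 2 charging cross-connect fails
    "GB1W1": 0.05,     # constructed: gravity feed from the RWST fails
}


def sequences(node=B1W1R6, path=(), prob=1.0):
    """Return [(path, end_state, probability)] in event-tree order, top to bottom."""
    if isinstance(node, str):
        return [(path, node, prob)]
    event, up, down = node
    p_down = P_DOWN[event]
    return (sequences(up, path + ((event, "up"),), prob * (1.0 - p_down))
            + sequences(down, path + ((event, "down"),), prob * p_down))


def end_state_totals():
    """Sum sequence probabilities by end state."""
    totals = {}
    for _, end_state, prob in sequences():
        totals[end_state] = totals.get(end_state, 0.0) + prob
    return totals


if __name__ == "__main__":
    for number, (path, end_state, prob) in enumerate(sequences(), start=1):
        branches = " ".join(f"{e}:{b}" for e, b in path)
        print(f"seq {number}: {end_state:7s} {prob:.3e}  {branches}")
    print(end_state_totals())
```

Because charging and gravity feed only delay core damage and reflux cooling is not credited, the core-damage total collapses to the initiator probability times the AC non-recovery probability, whatever values the makeup branches take.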

7.4.4.2 B1 Event Tree for Window 1 of D6 (B1W1D6)

The B1 event tree for window 1 of D6 is shown in Figure 7.4-32. The top events of this event tree have the
same definition as those of the event tree for R6. The two event trees differ in structure because
the safety valves on the pressurizer are not removed in D6 and because, in window 1, the success criterion for
reflux cooling cannot be satisfied in D6.

Sequence Description of B1W1D6 Event Tree

Sequence 1 characterizes the initial conditions in POS 6 of the drained maintenance outage. Sequence 2
represents the recovery of AC power supply and transfers to the R5W1D6 (recoverable loss of RHR) event
tree for further evaluation. In sequence 3, RCS makeup from the Unit 2 charging system is sufficient to
maintain RCS cooldown and depressurization. In the near term, however, core damage results due to
unavailability of recirculation systems on Unit 1. Sequence 4 represents the unavailability of RCS makeup
from the Unit 2 charging system to the primary system, and this results in RCS boiloff and the ensuing core
damage.

7.4.4.3 B1 Event Trees in Other Windows

The differences between sequences and event tree structure in other windows are similar to the considerations
described in Section 7.4.1, for L1 event trees.

7.4.5 Event Trees for Station Blackout at Both Units (B2)

Station blackout at both units occurs when all three diesel generators are unavailable upon loss of offsite
power. Due to the unavailability of AC power supply at Unit 2, the charging pump flow to provide RCS
makeup to the Unit 1 primary system is not available. Therefore, the event tree models for dual unit SBO
event, B2, differ from the single unit SBO event trees only in that the availability of charging flow from Unit
2 is not considered.

As shown in Figures 7.4-41 to 7.4-50, the event tree models developed for the dual unit SBO event are the
B2W1R6, B2W1D6, B2W2R6, B2W2D6, B2W3R6, B2W3R10, B2W3D6, B2W4R6, B2W4R10, and B2W4D6
event trees which represent the response to the initiating event, B2, at the mid-loop POSs. The definitions
of top events for these event trees are similar to the single unit SBO event, B1; therefore, the descriptions are
analogous. The accident sequences identified for the B2 event are also analogous to those identified for the
B1 event, without considering the availability of RCS makeup from the Unit 2 charging system.

7.4.6 References:

1. Bertucio, R.C. and Julius, J.A. "Analysis of Core Damage Frequency: Surry, Unit 1, Internal Events",
April, 1990, NUREG/CR-4550.

2. Virginia Power Company, "10CFR50 Appendix R Report, Surry Power Station - Units 1 and 2", Chapter
10, Volume IV.

Figure 7.4-1 L1 Event Tree for Window 1 of R6 (L1W1R6)
Top events: IL1W1, RL1W1, VW1, NL1W1, SL1W1, FL1W1, GL1W1, CL1W1

Figure 7.4-2 L1 Event Tree for Window 1 of D6 (L1W1D6)
Top events: IL1W1, RL1W1, NL1W1, FL1W1, CL1W1

Figure 7.4-3 L1 Event Tree for Window 2 of R6 (L1W2R6)
Top events: IL1W2, RL1W2, VW2, NL1W2, SL1W2, FL1W2, GL1W2, CL1W2

Figure 7.4-4 L1 Event Tree for Window 2 of D6 (L1W2D6)
(Printed rotated on page 7-100; top events not legible in the scan.)

Figure 7.4-5 L1 Event Tree for Window 3 of R6 (L1W3R6)
Top events: IL1W3, RL1W3, VW3, NL1W3, FL1W3, GL1W3

Figure 7.4-6 L1 Event Tree for Window 3 of R10 (L1W3R10)
Top events: IL1W3, RL1W3, VW3, NL1W3, FL1W3, GL1W3

Figure 7.4-7 L1 Event Tree for Window 3 of D6 (L1W3D6)
Top events: IL1W3, RL1W3, NL1W3, SL1W3, FL1W3

Figure 7.4-8 L1 Event Tree for Window 4 of R6 (L1W4R6)
Top events: IL1W4, RL1W4, VW4, NL1W4, FL1W4, GL1W4

Figure 7.4-9 L1 Event Tree for Window 4 of R10 (L1W4R10)
Top events: IL1W4, RL1W4, VW4, NL1W4, FL1W4, GL1W4

Figure 7.4-10 (Printed rotated on page 7-106; caption and top events not legible in the scan.)

Figure 7.4-11 L2 Event Tree for Window 1 of R6 (L2W1R6)
Top events: IL2W1, RL2W1, VW1, NL2W1, SL2W1, FL2W1, GL2W1, CL2W1

Figure 7.4-12 L2 Event Tree for Window 1 of D6 (L2W1D6)
Top events: IL2W1, RL2W1, NL2W1, FL2W1, CL2W1

Figure 7.4-13 L2 Event Tree for Window 2 of R6 (L2W2R6)
Top events: IL2W2, RL2W2, VW2, NL2W2, SL2W2, FL2W2, GL2W2, CL2W2

Figure 7.4-14 L2 Event Tree for Window 2 of D6 (L2W2D6)
Top events: IL2W2, RL2W2, NL2W2, SL2W2, FL2W2, CL2W2

Figure 7.4-15 L2 Event Tree for Window 3 of R6 (L2W3R6)
Top events: IL2W3, RL2W3, VW3, NL2W3, FL2W3, GL2W3

Figure 7.4-16 L2 Event Tree for Window 3 of R10 (L2W3R10)
Top events: IL2W3, RL2W3, VW3, NL2W3, FL2W3, GL2W3

Figure 7.4-17 L2 Event Tree for Window 3 of D6 (L2W3D6)
Top events: IL2W3, RL2W3, NL2W3, SL2W3, FL2W3

Figure 7.4-18 L2 Event Tree for Window 4 of R6 (L2W4R6)
Top events: IL2W4, RL2W4, VW4, NL2W4, FL2W4, GL2W4

Figure 7.4-19 L2 Event Tree for Window 4 of R10 (L2W4R10)
Top events: IL2W4, RL2W4, VW4, NL2W4, FL2W4, GL2W4

Figure 7.4-20 L2 Event Tree for Window 4 of D6 (L2W4D6)
Top events: IL2W4, RL2W4, NL2W4, SL2W4, FL2W4


Figure 7.4-21 L3 Event Tree for Window 1 of R6 (L3W1R6)
Top events: IL3W1, RL3W1, VW1, NL3W1, SL3W1, FL3W1, GL3W1, CL3W1

Figure 7.4-22 L3 Event Tree for Window 1 of D6 (L3W1D6)
(Printed rotated on page 7-118; top events not legible in the scan.)

Figure 7.4-23 L3 Event Tree for Window 2 of R6 (L3W2R6)
Top events: IL3W2, RL3W2, VW2, NL3W2, SL3W2, FL3W2, GL3W2, CL3W2

Figure 7.4-24 L3 Event Tree for Window 2 of D6 (L3W2D6)
Top events: IL3W2, RL3W2, NL3W2, SL3W2, FL3W2, CL3W2

Figure 7.4-25 L3 Event Tree for Window 3 of R6 (L3W3R6)
Top events: IL3W3, RL3W3, VW3, NL3W3, FL3W3, GL3W3

Figure 7.4-26 L3 Event Tree for Window 3 of R10 (L3W3R10)
Top events: IL3W3, RL3W3, VW3, NL3W3, FL3W3, GL3W3

Figure 7.4-27 (Printed rotated on page 7-123; caption and top events not legible in the scan.)

Figure 7.4-28 L3 Event Tree for Window 4 of R6 (L3W4R6)
Top events: IL3W4, RL3W4, VW4, NL3W4, FL3W4, GL3W4

Figure 7.4-29 L3 Event Tree for Window 4 of R10 (L3W4R10)
Top events: IL3W4, RL3W4, VW4, NL3W4, FL3W4, GL3W4

Figure 7.4-30 L3 Event Tree for Window 4 of D6 (L3W4D6)
Top events: IL3W4, RL3W4, NL3W4, SL3W4, FL3W4


Figure 7.4-31 Event Tree for Unit-1 Station Blackout in Window 1 of R6 (B1W1R6)
Top events: IB1W1, VW1, NB1W1, SB1W1, 2CHGW1, GB1W1

Figure 7.4-32 Event Tree for Unit-1 Station Blackout in Window 1 of D6 (B1W1D6)
Top events: IB1W1, NB1W1, 2CHGW1

Figure 7.4-33 Event Tree for Unit-1 Station Blackout in Window 2 of R6 (B1W2R6)
Top events: IB1W2, VW2, NB1W2, SB1W2, 2CHGW2, GB1W2

Figure 7.4-34 Event Tree for Unit-1 Station Blackout in Window 2 of D6 (B1W2D6)
Top events: IB1W2, NB1W2, SB1W2, 2CHGW2

Figure 7.4-35 Event Tree for Unit-1 Station Blackout in Window 3 of R6 (B1W3R6)
Top events: IB1W3, VW3, NB1W3, 2CHGW3, GB1W3

Figure 7.4-36 Event Tree for Unit-1 Station Blackout in Window 3 of R10 (B1W3R10)
Top events: IB1W3, VW3, NB1W3, 2CHGW3, GB1W3

Figure 7.4-37 Event Tree for Unit-1 Station Blackout in Window 3 of D6 (B1W3D6)
Top events: IB1W3, NB1W3, SB1W3, 2CHGW3

Figure 7.4-38 Event Tree for Unit-1 Station Blackout in Window 4 of R6 (B1W4R6)
Top events: IB1W4, VW4, NB1W4, 2CHGW4, GB1W4

Figure 7.4-39 Event Tree for Unit-1 Station Blackout in Window 4 of R10 (B1W4R10)
Top events: IB1W4, VW4, NB1W4, 2CHGW4, GB1W4

Figure 7.4-40 Event Tree for Unit-1 Station Blackout in Window 4 of D6 (B1W4D6)
Top events: IB1W4, NB1W4, SB1W4, 2CHGW4

Figure 7.4-41 Event Tree for Station Blackout at Both Units in Window 1 of R6 (B2W1R6)
Top events: IB2W1, VW1, NB2W1, GB2W1

Figure 7.4-42 Event Tree for Station Blackout at Both Units in Window 1 of D6 (B2W1D6)
Top events: IB2W1, NB2W1

Figure 7.4-43 Event Tree for Station Blackout at Both Units in Window 2 of R6 (B2W2R6)
Top events: IB2W2, VW2, NB2W2, GB2W2

Figure 7.4-44 Event Tree for Station Blackout at Both Units in Window 2 of D6 (B2W2D6)
Top events: IB2W2, NB2W2

Figure 7.4-45 Event Tree for Station Blackout at Both Units in Window 3 of R6 (B2W3R6)
Top events: IB2W3, VW3, NB2W3, GB2W3

Figure 7.4-46 Event Tree for Station Blackout at Both Units in Window 3 of R10 (B2W3R10)
Top events: IB2W3, VW3, NB2W3, GB2W3

Figure 7.4-47 Event Tree for Station Blackout at Both Units in Window 3 of D6 (B2W3D6)
Top events: IB2W3, NB2W3

Figure 7.4-48 Event Tree for Station Blackout at Both Units in Window 4 of R6 (B2W4R6)
Top events: IB2W4, VW4, NB2W4, GB2W4

Figure 7.4-49 Event Tree for Station Blackout at Both Units in Window 4 of R10 (B2W4R10)
Top events: IB2W4, VW4, NB2W4, GB2W4

Figure 7.4-50 Event Tree for Station Blackout at Both Units in Window 4 of D6 (B2W4D6)
Top events: IB2W4, NB2W4

Table 7.4-1
LOSP/SB Analysis Cases

LOSP/SB Case   DG#1 (1H Bus)   DG#2 (2H Bus)   DG#3 (1J Bus) (2J Bus)
L1             S               F               S
L1             S               S               S
L2             S               S               S
L2             S               S               F F
L2             S               F               S
L2             S               M               S
L2             F               S               S
L3             S               F               F F
L3             S               M               F
L3             F               F               S
B1             F               S               S
B1             F               S               F F
B1             F               F               S
B1             F               M               S
B2             F               F               F F
B2             F               M               F F

NOTES:

F - DG fails to start, fails to run, or fails to load onto the emergency bus
M - DG down for maintenance; only maintenance on DG 2 is taken into account here, in which case DG 3 is
    assumed to be aligned to the 2J bus
S - Success

Table 7.4-2
Power Supplies for Circulating Water Main Condensers' Inlet and Outlet Valves

Motor-operated valve   Power Supply   Breaker
MOV-CW-100A            MCC 1J1-1A     3A
MOV-CW-100B            MCC 1H1-1      8A
MOV-CW-100C            MCC 1J1-1A     3B
MOV-CW-100D            MCC 1H1-1      7A
MOV-CW-106A            MCC 1H1-1      7C
MOV-CW-106B            MCC 1J1-1A     3C
MOV-CW-106C            MCC 1H1-1      6B
MOV-CW-106D            MCC 1J1-1A     3D
MOV-CW-200A            MCC 1J1-1A     4D
MOV-CW-200B            MCC 2H1-1      8A
MOV-CW-200C            MCC 1J1-1A     4E
MOV-CW-200D            MCC 2H1-1      7A
MOV-CW-206A            MCC 2H1-1      7C
MOV-CW-206B            MCC 1J1-1A     5A
MOV-CW-206C            MCC 2H1-1      6B
MOV-CW-206D            MCC 1J1-1A     5D

7.5 Support-System Failure Event Trees


This section describes the event trees developed for the following initiating events:

(1) Loss of 4.16 kV AC Emergency Bus.
(2) Loss of a 120 V AC Vital Bus.
(3) Spurious ESFAS Signal.
(4) Loss of Instrument Air.
(5) Loss of Component Cooling Water.

Ten event trees were developed for each initiating event. The different event trees reflect the different system
configurations and other conditions in the respective mid-loop operation modes (POS 6 - Refueling, POS 10 -
Refueling, and POS 6 - Drained Maintenance), as well as the different success criteria used in different time
windows.

The event trees were based on:

(a) abnormal procedure AP 27.00 Rev. 4 describing the operator's actions given a generic loss of the RHR
    system,
(b) abnormal procedures describing the operator's actions given loss of a particular support system (under
    power operation),
    1-ECA-0.0    Loss of All AC Power (Rev. 6), 4/22/92
    1-ECA-0.1    Loss of All AC Power Without SI Required (Rev. 6), 4/22/92
    1-ECA-0.2    Loss of all AC Power With SI Required (Rev. 4), 4/22/92
    0-AP-17.00   Auto Start Failure of #1 or #2 EDG (Rev. 1), 3/29/91
    0-AP-17.01   #1 or #2 EDG Fails to Accept Electrical Load (Rev. 1), 3/28/91
    0-AP-17.02   Auto Start Failure of 3 EDG (Rev. 0), 8/14/90
    0-AP-17.03   #3 EDG Fails to Accept Electrical Load (Rev. 1), 3/28/91
    1-AP-10.01   Loss of Vital Bus I (Rev. 3), 4/23/92
    1-AP-10.02   Loss of Vital Bus II (Rev. 2), 4/23/92
    1-AP-10.03   Loss of Vital Bus III (Rev. 2), 4/23/92
    1-AP-10.04   Loss of Vital Bus IV (Rev. 1), 4/23/92
    1-AP-10.05   Loss of Semi-Vital Bus (Rev. 1), 12/12/91
    1-AP-15.00   Loss of Component Cooling (Rev. 1), 12/5/91
    0-AP-40.0    Non-Reversible Loss of Instrument Air (Rev. 3), 12/5/91
(c) information obtained from plant personnel.

The support system event trees are similar to the event trees for loss of RHR. Each loss of support system
initiating event has its own impacts on the plant. The impacts and how they were modeled are discussed in
this section. The recovery from such loss is modeled as a top event, the "H" top event, in the event trees.
The recovery is modeled using recovery curves estimated from industry data (see Chapter 4 and
Appendix D).

7.5.1 Event Trees for Loss of a 4.16 kV AC Emergency Bus

"Loss of a 4.16 kV AC Emergency Bus" initiator is defined as a power failure either due to a loss of preferred
feed from the Reserve Station Service Supply or due to a local bus/breaker failure (short), causing a
momentary loss of all the loads on the bus affected. The power can be recovered after the failure is cleared
by the associated diesel generator, by the RSS Supply or by backfeed.

We selected the loss of 4.16 kV AC Emergency Bus "H" event for analysis because it interrupts the operating
RHR train. The associated event tree treats the "Loss of a 4.16 kV AC Emergency Bus" event as a loss of
RHR event, coupled with the unavailability of one of the two essential power supplies to the RHR System.

7.5.1.1 "Loss of a 4.16 kV AC Emergency Bus" Event Tree - Refueling POS 6

Window 1
The event tree, 4KW1R6, applicable to this POS in this window is presented in Figure 7.5.1-1.

The top events of the tree represent the following events:

I4KW1 - Probability of "Loss of a 4.16 kV AC Emergency Bus" initiating event during W1

The initiating event frequency, as well as the duration of W1, were based on industrial experience (see Chapter
4 and Appendix D).

H4KW1 - Recovery of the 4.16 kV AC Emergency Bus H

The recovery assumes, as was mentioned above, that the direct failure of the bus was cleared before power
is resupplied to the bus. The time for successful recovery is taken to be equal to the time to boiling of the
coolant in this POS. The non-recovery factor (PRNR = 0.018) represents the inability of the associated diesel
generator to start (P = .05) and provide the power demand of the loads (4 kV bus non-recovery, PNR = .35;
PRNR = P*PNR). The non-recovery factor of the 4 kV bus was determined from operating experience that
is documented in Appendix D.

R4KW1 - Restoring RHR

The event represents the restoration of the RHR system, conditional on the preceding event: if Emergency
Bus H is recovered, both RHR trains A and B, can be rendered operable; however, if it is not recovered, the
operator will restore only the standby RHR train. The restoration of the RHR requires local venting of the
RHR pumps, verifying RHR heat sink, and restarting an RHR pump.

VW1 - RCS Vented

The event represents the initial condition of the RCS, whether or not the three pressurizer safety relief valves
are removed. The event is required because it affects the applicability of alternative heat-removal techniques:
gravity feed from the RWST needs a vented RCS. The availability of reflux cooling is also affected because such
cooling cannot be accomplished if there was a loss of RCS inventory through the vents of the pressurizer (each
safety valve removed leaves a 4-inch diameter opening on top of the pressurizer). For such an event, a
probability of 0.01 was estimated in window 1 (see Sections 3.6 and 9.4).

S4KW1 - Reflux Cooling through the Steam Generators

The event represents the reflux cooling to remove heat. It is described in detail in the previous section for
this POS. Its availability is evaluated with and without the availability of the Emergency Bus H.

F4KW1 - Primary Feed-and-Bleed

The event represents the feed-and-bleed (spill) operation of the primary systems that is described in section
7.2. Its availability is determined in the event tree with and without the availability of the Emergency Bus H.

G4KW1 - Gravity Feed from the RWST

The event represents the gravity feeding of RWST water into the RCS through the LPI System; it can only
be used if the RCS is vented. The gravity feed and its preconditions are discussed thoroughly in the previous
section. Its availability is evaluated in the event tree with and without the availability of the Emergency
Bus H.

C4KW1 - Recirculation

The feed-and-bleed method must be supplemented by the recirculation function to ensure long-term heat
removal.

The event tree shows that Sequences 4, 5, 6, 9, 10, 13, 14, 15, 18, and 19 lead to core damage, because of the
failed methods of decay heat removal. We note that Sequences 4, 5, 6, 9, and 10 have to be quantified with
recovered Emergency Bus H, and Sequences 13 through 19 with the condition that Emergency Bus H is not
available.

Window 2
Figure 7.5.1-2 shows the event tree, 4KW2R6, applicable to this POS in window 2. The meanings of the top
events are similar to those in window 1, and only those that differ are described (the notation
changes by replacing W1 with W2, i.e., I4KW1 becomes I4KW2, etc.).

H4KW2 - Recovery of 4KV Bus

The 4KV bus non-recovery probability is .25 and the total non-recovery probability, including the failure of
the diesel generator to start, is PRNR = .013.

VW2 - RCS Vented

The probability of removal of the pressurizer safety valves is estimated at .05.

C4KW2 - Recirculation

If the unit 2 RWST can be cross-connected to unit 1 RWST, then there is no need for a recirculation function.

Window 3
Figure 7.5.1-3 shows the event tree, 4KW3R6.

H4KW3 - Recovery of 4KV Bus

The value of PRNR = .009.

VW3 - RCS Vented

The probability that the safety valves are removed, P = .9.

Window 4
Figure 7.5.1-4 shows the event tree, 4KW4R6.

H4KW4 - Recovery of 4KV Bus

The value of PRNR = .008.

VW4 - RCS Vented

The probability that the safety valves are removed, P = .3.

7.5.1.2 "Loss of a 4.16 kV AC Emergency Bus" Event Tree - Refueling POS 10

Window 3
The event tree, 4KW3R10, applicable to this POS is given in Figure 7.5.1-5. Due to the different conditions
and features characterizing this POS, top events questioning the availability of reflux cooling (S) and the
necessity of recirculation function are not needed.

The meanings of the top events are identical to those involved in the window 3 POS 6 - Refueling Event Tree.

I4KW3 - Initiating event probability during R10

H4KW3 - Recovery of Emergency Bus H, provided by the associated diesel generator

R4KW3 - Restoration of the RHR

VW3 - RCS Vented

F4KW3 - Primary Feed-and-Bleed

G4KW3 - Gravity Feed from the RWST

In the event tree, the following sequences lead to core damage: Sequences 4, 5, 7, 10, 11, and 13. Sequences
4, 5, and 7 are quantified with recovered Emergency Bus H, and Sequences 10, 11, and 13 with the condition
that Emergency Bus H is not available.

Window 4
Figure 7.5.1-6 shows the event tree, 4KW4R10. The top events are functionally the same as in window 3, and
identical to the POS 6 refueling event tree.

7.5.1.3 "Loss of a 4.16 kV AC Emergency Bus" Event Tree - Drained Maintenance POS 6

Window 1
The event tree, 4KW1D6, applicable to POS 6 - Drained Maintenance is shown in Figure 7.5.1-7. Due to
stringent success criteria for successful heat removal, there is only one alternate technique besides the RHR
System: Primary Feed-and-Bleed, coupled with the recirculation function.

The top events are described below:

I4KW1 - Initiating event probability during D6

H4KW1 - Recovery of Emergency Bus H, as provided by the associated diesel generator

R4KW1 - Restoration of the RHR

F4KW1 - Primary Feed-and-Bleed

C4KW1 - Recirculation Function

In the event tree, the following sequences lead to core damage: Sequences 4, 5, 8, and 9. Sequences 4 and
5 are quantified with recovered Emergency Bus H; Sequences 8 and 9 are quantified with the condition that
Emergency Bus H is not available.

Window 2
The event tree 4KW2D6 is presented in Figure 7.5.1-8.

S4KW2 - Reflux Cooling

Reflux cooling is available in this window for drained maintenance.

Window 3
Figure 7.5.1-9 shows the event tree, 4KW3D6. The recirculation function (C) is removed.

Window 4
The event tree, 4KW4D6, is given in Figure 7.5.1-10, which is the same as window 3 with the appropriate top
events.

7-153 NUREG/CR-6144
X/i
w
£
I
w
E-

® ® ® u o o<§> © o o@ @ u o o® ® o u

'-<WC0T}<inCDt«-000JO'HWC0rJ<IOCDtN0005
w
CO

is
M

is
M

e
is
w
in

is

is
M

is
w
•<*
w

is
M

7-154
Figure 7.5.1-2 Event Tree for Loss of 4KV Bus in Window 2 of R6 (4KW2R6)
[Event tree figure. Top events: UNITY, I4KW2, H4KW2, R4KW2, VW2, S4KW2, F4KW2, G4KW2, C4KW2. Legible end states: CD at sequences 4, 5, 6, 9, 10, 13, 14, 15, 18, and 19.]

Figure 7.5.1-3 Event Tree for Loss of 4KV Bus in Window 3 of R6 (4KW3R6)
[Event tree figure. Top events: UNITY, I4KW3, H4KW3, R4KW3, VW3, F4KW3, G4KW3. Legible end states: CD at sequences 4, 5, 7, 10, 11, and 13.]

Figure 7.5.1-4 Event Tree for Loss of 4KV Bus in Window 4 of R6 (4KW4R6)
[Event tree figure. Top events: UNITY, I4KW4, H4KW4, R4KW4, VW4, F4KW4, G4KW4. Legible end states: OK at sequences 4 and 10; CD at sequences 5, 7, 11, and 13.]

Figure 7.5.1-5 Event Tree for Loss of 4KV Bus in Window 3 of R10 (4KW3R10)
[Event tree figure. Top events: UNITY, I4KW3, H4KW3, R4KW3, VW3, F4KW3, G4KW3. Legible end states: CD at sequences 4, 5, 7, 10, 11, and 13.]

Figure 7.5.1-6 Event Tree for Loss of 4KV Bus in Window 4 of R10 (4KW4R10)
[Event tree figure. Top events: UNITY, I4KW4, H4KW4, R4KW4, VW4, F4KW4, G4KW4. Legible end states: OK at sequences 4 and 10; CD at sequences 5, 7, 11, and 13.]

Figure 7.5.1-7 Event Tree for Loss of 4KV Bus in Window 1 of D6 (4KW1D6)
[Event tree figure. Top events: UNITY, I4KW1, H4KW1, R4KW1, F4KW1, C4KW1. Legible end states: CD at sequences 4, 5, 8, and 9.]
Figure 7.5.1-9 Event Tree for Loss of 4KV Bus in Window 3 of D6 (4KW3D6)
[Event tree figure. Top events: UNITY, I4KW3, H4KW3, R4KW3, S4KW3, F4KW3. Legible end states: OK at sequences 3 and 7; CD at sequences 5 and 9.]

Figure 7.5.1-10 Event Tree for Loss of 4KV Bus in Window 4 of D6 (4KW4D6)
[Event tree figure. Top events: UNITY, I4KW4, H4KW4, R4KW4, S4KW4, F4KW4. Legible end states: OK at sequences 3 and 7; CD at sequences 5 and 9.]

7.5.2 Event Trees for Loss of a 120 V AC Vital Bus (VB)


In Section 4.4.3 we pointed out that during mid-loop operations "Loss of a 120 V AC Vital Bus" is a valid
initiator with the potential to damage the core. The loss of 120 V AC Vital Bus 1-III was selected as
representative of the initiator. The loss of this bus interrupts the operation of the RHR system because it
causes the flow control valve 1-RH-HCV-1758 (RHR HX flow) to fail open with the potential of starting RHR
pump runout.¹

The bus can be recovered after its local failure has been cleared. If not, the operator has to adjust the flow
control valve locally to restore the operation of the RHR. If the operator could not regain flow control, but
started the standby RHR train, there would be a risk of losing the whole RHR.

7.5.2.1 "Loss of a 120 VAC Vital Bus" Event Tree - Refueling POS 6

Window 1

Figure 7.5.2-1 presents the event tree, VBW1R6, applicable to this POS in Window 1.

The top events of the tree represent the following events:

IVBW1 - "Loss of a 120 V AC Vital Bus" initiating event probability


The initiating event frequency, as well as the duration of W1, were determined from industrial experience (see
Appendix D).

HVBW1 - Recovery of the 120 V AC Vital Bus, 1-III


The recovery presupposes that the bus failure has been cleared before power is resupplied to it. The interval
for successful recovery is taken to be equal to the time to boiling of the coolant in this time window. The
recovery factor (3) corresponding to this interval was determined using experience data. The recovery data
describing Vital Bus/RHR recovery as a function of time are given in Section 4.4.9.

RVBW1 - Restore RHR


The event represents the restoration of the RHR system. The restoration is conditional on the preceding
event: if Vital Bus 1-III is recovered before boiling takes place, it is assumed that the operating RHR pump
is not affected. If the bus is not recovered, the operating RHR pump is failed and the operator has to enter
the containment and manually adjust the RHR flow control valve 1-RC-HCV 1758. The restoration of the
RHR requires local venting of the pumps, verifying the heat sink, and starting the standby RHR pump.

VW1 - RCS Vented


The event represents the initial condition of the RCS, whether the three pressurizer safety relief valves are
removed or not. The event is required because it affects the applicability of alternative heat removal
techniques: gravity feed from the RWST needs vented RCS. The availability of reflux cooling also is affected
because such cooling is not possible if there was a loss of RCS inventory through the vents of the pressurizer
(each safety valve removed leaves a 4-inch diameter opening on top of the pressurizer). For such an event,
a probability of 0.01 was estimated in window 1 (see Sections 3.6 and 9.4).

¹ The loss of Vital Bus 1-I or 1-II has the possibility of failing the operation of the RHR because it causes
the isolation valve 1-TV-CC-109A or 109B (CCW return from RHR) to close. If the 109A valve is closed,
CCW is lost to the operating RHR heat exchanger. Closure of the 109B valve will isolate the CCW to both
RHR pump seal coolers. According to plant personnel, loss of RHR pump seal cooling does not represent
a real initiating event because the RHR pumps can operate, even for 24 hours, without seal cooling provided
that relatively cool water is circulating in the RHR. Therefore, it would be conservative to assume that loss
of bus 1-II leads to loss of RHR. If the Vital Bus cannot be recovered, the operator will have to locally and
manually open the 109 valve with a portable air bottle and restore the CCW to RHR.

SVBW1 - Reflux cooling through the Steam generators


The event represents the reflux cooling to remove heat, which is fully described in Section 7.2. The availability
of the reflux cooling is evaluated with and without the availability of Vital Bus 1-III.

FVBW1 - Primary Feed-and-Bleed


The event represents the feed-and-bleed (spill) operation of the primary system that also is described in
Section 7.2. The availability of the feed-and-bleed operation is determined in the event tree with and without
the availability of Vital Bus 1-III.

GVBW1 - Gravity Feed from the RWST


The event represents the gravity feeding of RWST water into the RCS through the LPI System; this can only
be used if the RCS is vented. The gravity feed and its preconditions are discussed in Section 7.2. The
availability of the gravity feed is evaluated in the event tree with and without the availability of Vital Bus 1-III.

C4KW1 - Recirculation
Recirculation function provides long term heat removal once the RWST inventory is injected.

The event tree shows that Sequences 4, 5, 6, 9, 10, 13, 14, 15, 18, and 19 lead to core damage because of the
failure of decay heat removal. Sequences 4, 5, 6, 9, and 10 have to be quantified with recovered Vital Bus
1-III, and sequences 13, 14, 15, 17, 18, and 19 with the condition that Vital Bus 1-III is not available.

Window 2
Figure 7.5.2-2 shows the event tree, VBW2R6.

HVBW2 - Recovery of Vital Bus


The value of non-recovery of the vital bus is PRNR = .2.

VW2 - RCS vented


The probability of safety valves being removed is estimated at .05.

Window 3
The event tree, VBW3R6, is presented in Figure 7.5.2-3. Reflux cooling is not available due to isolation of
the loops. Recirculation is not needed due to low decay heat.

HVBW3 - Recovery of Vital Bus


The value of non-recovery of the vital bus is PRNR = .15.

VW3 - RCS vented


Safety valves removed, P = .9.

Window 4
Figure 7.5.2-4 gives the event tree, VBW4R6. In this time window, reflux cooling is not available due to
isolation of the RCS loops, and recirculation is not needed due to low decay heat level.


HVBW4 - Recovery of Vital Bus


The value of non-recovery of the vital bus is PRNR = .12.

VW4 - RCS vented


Safety valves removed, P = .3.

7.5.2.2 "Loss of a 120 VAC Vital Bus" Event Tree - Refueling POS 10

Window 3
The event tree, VBW3R10, applicable to this POS is presented in Figure 7.5.2-5. Due to the different
conditions and features characterizing this POS, the top events questioning the availability of reflux cooling
(S) and recirculation function (C) are not needed.

The meanings of the top events are very similar to those involved in the POS 6 - Refueling Event Tree.
However, for completeness, they are described again emphasizing the differences.

IVBW3 - Initiating event probability during the duration of R10

HVBW3 - Recovery of the Vital Bus


The non-recovery probability is .15.

RVBW3 - Restore RHR


The event represents the restoration of the RHR. The difference between this and the same event of the W1 tree
is that more time is available for the operator to accomplish the task.

VW3 - RCS Vented

FVBW3 - Primary Feed-and-Bleed

GVBW3 - Gravity Feed from the RWST

In the event tree the following six sequences lead to core damage: Sequences 4, 5, 7, 10, 11, and 13.
Sequences 4, 5, and 7 are quantified with recovered Vital Bus 1-III. Sequences 10, 11, and 13 are quantified
with the condition that the Vital Bus is not available.

Window 4
The event tree for this time window is shown in Figure 7.5.2-6. It has the same structure as that of window
3 except that those sequences with successful gravity feed lead to successful termination.

7.5.2.3 "Loss of a 120 VAC Vital Bus" Event Tree - Drained Maintenance POS 6

Window 1
Figure 7.5.2-7 shows the event tree, VBW1D6, applicable to POS 6 - Drained Maintenance condition. Due
to the stringent success criteria for successful heat removal, there is only one alternate technique besides the
RHR System: Primary Feed-and-Bleed coupled with the recirculation function.

The top events are described below:


IVBW1 - Initiating event probability

HVBW1 - Recovery of the Vital Bus


The time for successful recovery is shorter than in W1; correspondingly, the probability of recovery is smaller
(.71).

RVBW1 - Restoration of the RHR

FVBW1 - Primary Feed-and-Bleed

CVBW1 - Recirculation Function

In the event tree, the following sequences lead to core damage: Sequences 4, 5, 8, and 9. Sequences 4 and
5 are quantified with recovered Vital Bus 1-III. Sequences 8 and 9 are quantified with the condition that the
Vital Bus is not available.
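
The conditional quantification described above for VBW1D6, as an added example that is not part of the report: the restore, feed-and-bleed and recirculation split fractions are chosen according to whether the bus was recovered, and the sequence probabilities are the products along each path. Only the recovery probability (.71) comes from the text; the branch order is an assumed reconstruction from the sequence numbering (sequence 1 is taken to be the path without the initiator and is not quantified), and the initiating probability and all other split fractions are constructed values.

```python
"""Quantify a small event tree whose later split fractions depend on an
earlier branch (here: whether the vital bus was recovered)."""

# Failure probability of each top event, conditional on the bus state.
# R = restore RHR, F = primary feed-and-bleed, C = recirculation.
# All values in this table are constructed for illustration only.
SPLIT_FRACTIONS = {
    "recovered":     {"R": 0.01, "F": 0.02, "C": 0.05},
    "not_available": {"R": 0.10, "F": 0.08, "C": 0.05},
}


def paths_after_bus_branch(p_entry, fail):
    """Return [(end_state, probability)] for the four paths below one H branch.

    Assumed path order (matches sequence numbering 2-5 and 6-9):
      R succeeds                          -> OK
      R fails, F succeeds, C succeeds     -> OK
      R fails, F succeeds, C fails        -> CD
      R fails, F fails                    -> CD
    """
    r, f, c = fail["R"], fail["F"], fail["C"]
    return [
        ("OK", p_entry * (1 - r)),
        ("OK", p_entry * r * (1 - f) * (1 - c)),
        ("CD", p_entry * r * (1 - f) * c),
        ("CD", p_entry * r * f),
    ]


def quantify(p_init, p_recover, split=SPLIT_FRACTIONS):
    """Return {sequence_number: (bus_state, end_state, probability)}.

    p_init    -- probability of the initiating event in the window
    p_recover -- probability that the bus is recovered in time (top event H)
    """
    sequences = {}
    number = 2  # sequence 1 (no initiator) is not quantified
    branches = (("recovered", p_recover), ("not_available", 1 - p_recover))
    for bus_state, p_branch in branches:
        for end_state, p in paths_after_bus_branch(p_init * p_branch,
                                                   split[bus_state]):
            sequences[number] = (bus_state, end_state, p)
            number += 1
    return sequences


def core_damage_probability(sequences):
    """Sum the probabilities of all sequences that end in core damage."""
    return sum(p for _, end, p in sequences.values() if end == "CD")


if __name__ == "__main__":
    # 1.0e-4 is a constructed initiating probability; .71 is from the text.
    seqs = quantify(p_init=1.0e-4, p_recover=0.71)
    for n, (bus, end, p) in sorted(seqs.items()):
        print(f"sequence {n}: bus {bus:13s} {end}  {p:.3e}")
    print(f"core damage probability: {core_damage_probability(seqs):.4e}")
```

With these constructed inputs the two sequences on the non-recovered branch dominate the core damage total, which is why the text quantifies them separately from sequences 4 and 5.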

Window 2
The event tree, VBW2D6, is presented in Figure 7.5.2-8.

SVBW2 - Reflux cooling


Reflux cooling is available.

Window 3
Figure 7.5.2-9 shows the event tree, VBW3D6. The recirculation function (C) is removed.

Window 4
The event tree, VBW4D6, is presented in Figure 7.5.2-10 similar to window 3, and the top events are described
in tree VBW4R6.

Figure 7.5.2-2 Event Tree for Loss of Vital Bus in Window 2 of R6 (VBW2R6)
[Event tree figure. Top events: UNITY, IVBW2, HVBW2, RVBW2, VW2, SVBW2, FVBW2, GVBW2, CVBW2. Legible end states: CD at sequences 4, 5, 6, 9, 10, 13, 14, 15, 18, and 19.]

Figure 7.5.2-3 Event Tree for Loss of Vital Bus in Window 3 of R6 (VBW3R6)
[Event tree figure. Top events: UNITY, IVBW3, HVBW3, RVBW3, VW3, FVBW3, GVBW3. Legible end states: CD at sequences 4, 5, 7, 10, 11, and 13.]

Figure 7.5.2-4 Event Tree for Loss of Vital Bus in Window 4 of R6 (VBW4R6)
[Event tree figure. Top events: UNITY, IVBW4, HVBW4, RVBW4, VW4, FVBW4, GVBW4. Legible end states: OK at sequences 4 and 10; CD at sequences 5, 7, 11, and 13.]

Figure 7.5.2-5 Event Tree for Loss of Vital Bus in Window 3 of R10 (VBW3R10)
[Event tree figure. Top events: UNITY, IVBW3, HVBW3, RVBW3, VW3, FVBW3, GVBW3. Legible end states: CD at sequences 4, 5, 7, 10, 11, and 13.]

Figure 7.5.2-6 Event Tree for Loss of Vital Bus in Window 4 of R10 (VBW4R10)
[Event tree figure. Top events: UNITY, IVBW4, HVBW4, RVBW4, VW4, FVBW4, GVBW4. Legible end states: OK at sequences 4 and 10; CD at sequences 5, 7, 11, and 13.]

Figure 7.5.2-7 Event Tree for Loss of Vital Bus in Window 1 of D6 (VBW1D6)
[Event tree figure. Top events: UNITY, IVBW1, HVBW1, RVBW1, FVBW1, CVBW1. Legible end states: CD at sequences 4, 5, 8, and 9.]

7.5.3 Event Trees for "Spurious ESFAS Signal" (SI)


Spuriously generated signals, ESFAS, Safety Injection (SI), and Consequence Limiting Safeguard-Hi (CLS-Hi)
signals, have the potential to initiate accident scenarios which may lead to core damage. These signals
represent a separate initiating event category, the "Spurious ESFAS Signal" initiator. Such a signal interrupts
the operation of the RHR by closing the containment isolation valves 1-CC-TV-109A and 1-CC-TV-109B.

The event can be recovered by resetting the spurious signal or manually opening one of the isolation valves
and restoring the operation of the RHR.

7.5.3.1 "Spurious ESFAS Signal" Event Tree - Refueling POS 6

Window 1
Figure 7.5.3-1 shows the event tree, SIW1R6, applicable to this POS.

The top events of the tree represent the following events:

ISIW1 - The probability of "Spurious ESFAS Signal" initiating event


The initiating event frequency, as well as the duration of W1, were determined from industrial experience (see
Appendix A).

HSIW1 - Recovery of the Spurious ESFAS Signal

The recovery assumes that the direct cause of generating the spurious ESFAS signal was cleared before the signal
is reset. The time for successful recovery is taken to be equal to the time to boiling of the coolant in this
POS. The non-recovery factor (.35) corresponding to this time was determined using experience data. The
recovery data describing Spurious ESFAS Signal/RHR recovery as a function of time are given in
Appendix D.

RSIW1 - Restoring RHR


The event, which represents the restoration of the RHR system, is conditional on the preceding event: if the spurious
ESFAS signal is reset, both RHR trains can be rendered operable. However, if it is not recovered, the
operating RHR pump is assumed failed due to loss of seal cooling and both isolation valves 1-CC-109A and
B have to be opened. Valve 1-CC-109A provides flow through the RHR heat exchanger and valve 1-CC-109B
to the pump seal coolers.

VSIW1 - RCS Vented


The event represents the initial condition of the RCS, whether the three pressurizer safety relief valves are
removed or not. The event is required because it affects the applicability of the alternative-heat removal
technique: gravity feed from the RWST needs vented RCS and reflux cooling is not possible if there was an
RCS inventory loss through the vents of the pressurizer (each safety valve removed leaves a 4-inch diameter
opening on top of the pressurizer). For such an event, a probability of 0.01 was estimated in Window 1 (see
Sections 3.6 and 9.4).

SSIW1 - Reflux cooling through the Steam Generators


The event represents the reflux cooling to remove decay heat; it is described in Section 7.2.

FSIW1 - Primary Feed-and-Bleed


The event represents the feed-and-bleed (spill) operation of the primary system.


GSIW1 - Gravity Feed from the RWST


The event represents the gravity feeding of RWST water into the RCS through the LPI System. That can only
be used if the RCS is vented. The gravity feed and its preconditions are discussed in section 7.2.

CSIW1 - Recirculation
The Feed-and-Bleed method of heat removal must be supplemented by the recirculation function to ensure
long term heat removal.

From the event tree one can see that Sequences 4, 5, 6, 9, 10, 13, 14, 15, 18, and 19 lead to core damage because
of failure of decay heat removal.

Window 2
The event tree, SIW2R6, applicable to this POS in window 2 is presented in Figure 7.5.3-2. The meanings
of the top events are similar to top events in window 1, and only those are described which are different.

HSIW2 - Recovery from spurious SI


The spurious ESFAS signal non-recovery probability is .22.

VW2 - RCS Vented


The probability of pressurizer safety valves removal is estimated at .05.

CSIW2 - Recirculation
If the unit 2 RWST can be cross-connected to the unit 1 RWST, then there is no need for recirculation.

Window 3
Figure 7.5.3-3 shows the event tree, SIW3R6.

HSIW3 - Recovery from Spurious SI


The value of PRNR = .16.

VW3 - RCS Vented


The probability that the safety valves are removed is P = .9. Reflux cooling is unavailable (Function S), and
there is no need for Recirculation (Function C).

Window 4
The event tree SIW4R6 is presented in Figure 7.5.3-4.

HSIW4 - Recovery from Spurious SI


The value of PRNR = .13.

VW4 - RCS Vented


The probability that the safety valves are removed P = .3.

7.5.3.2 "Spurious ESFAS Signal" Event Tree - Refueling POS 10

Window 3
The event tree, SIW3R10, applicable to this POS is given in Figure 7.5.3-5. Due to the different conditions
and features characterizing this POS, the top events questioning the availability of reflux cooling (S), and the
necessity of recirculation function are not needed.


The meanings of the top events are identical to those in POS 6 - Refueling Event Tree.

ISIW3 - Initiating event probability during R10

HSIW3 - Recovery from Spurious SI

RSIW3 - Restoring RHR

VW3 - RCS Vented

FSIW3 - Primary Feed-and-Bleed

GSIW3 - Gravity Feed from the RWST

In the event tree, the following sequences lead to core damage: Sequences 4, 5, 7, 10, 11, and 13.

Window 4
The event tree, SIW4R10, is presented in Figure 7.5.3-6. The top events are functionally the same as in
Window 3.

7.5.3.3 "Spurious ESFAS Signal" Event Tree - Drained Maintenance POS 6

Window 1
Figure 7.5.3-7 shows the event tree, SIW1D6, applicable to POS 6 of Drained Maintenance. Due to stringent
success criteria for successful heat removal, there is only one alternate technique besides the RHR system:
Primary Feed-and-Bleed coupled with the recirculation function.

The top events are described below:

ISIW1 - Initiating event (ISI) probability throughout D6

HSIW1 - Recovery from Spurious SI

RSIW1 - Restoration of the RHR

FSIW1 - Primary Feed-and-Bleed

CSIW1 - Recirculation Function

In the event tree, sequences 4, 5, 8, and 9 lead to core damage.

Window 2
The event tree, SIW2D6, is presented in Figure 7.5.3-8.

SSIW2 - Reflux Cooling

Reflux cooling is available.

Window 3
Figure 7.5.3-9 shows the event tree, SIW3D6. The recirculation function (C) is removed.

Window 4
The event tree, SIW4D6, is presented in Figure 7.5.3-10, the same as in Window 3 with the appropriate top
events.

Figure 7.5.3-1 Event Tree for Spurious SI in Window 1 of R6 (SIW1R6)
[Event tree figure. Top events: UNITY, ISIW1, HSIW1, RSIW1, VW1, SSIW1, FSIW1, GSIW1, CSIW1. Legible end states: CD at sequences 4, 5, 6, 9, 10, 13, 14, 15, 18, and 19.]

Figure 7.5.3-2 Event Tree for Spurious SI in Window 2 of R6 (SIW2R6)
[Event tree figure. Top events: UNITY, ISIW2, HSIW2, RSIW2, VW2, SSIW2, FSIW2, GSIW2, CSIW2. Legible end states: CD at sequences 4, 5, 6, 9, 10, 13, 14, 15, 18, and 19.]

Figure 7.5.3-3 Event Tree for Spurious SI in Window 3 of R6 (SIW3R6)
[Event tree figure. Top events: UNITY, ISIW3, HSIW3, RSIW3, VW3, FSIW3, GSIW3. Legible end states: CD at sequences 4, 5, 7, 10, 11, and 13.]

Figure 7.5.3-4 Event Tree for Spurious SI in Window 4 of R6 (SIW4R6)
[Event tree figure. Top events: UNITY, ISIW4, HSIW4, RSIW4, VW4, FSIW4, GSIW4. Legible end states: OK at sequences 4 and 10; CD at sequences 5, 7, 11, and 13.]

Figure 7.5.3-5 Event Tree for Spurious SI in Window 3 of R10 (SIW3R10)
[Event tree figure. Top events: UNITY, ISIW3, HSIW3, RSIW3, VW3, FSIW3, GSIW3. Legible end states: CD at sequences 4, 5, 7, 10, 11, and 13.]

Figure 7.5.3-6 Event Tree for Spurious SI in Window 4 of R10 (SIW4R10)
[Event tree figure. Top events: UNITY, ISIW4, HSIW4, RSIW4, VW4, FSIW4, GSIW4. Legible end states: OK at sequences 4 and 10; CD at sequences 5, 7, 11, and 13.]


Figure 7.5.3-8 Event Tree for Spurious SI in Window 2 of D6 (SIW2D6)
[Event tree figure. Top events: UNITY, ISIW2, HSIW2, RSIW2, SSIW2, FSIW2, CSIW2. Legible end states: OK at sequences 3 and 8; CD at sequences 5, 6, 10, and 11.]

Figure 7.5.3-9 Event Tree for Spurious SI in Window 3 of D6 (SIW3D6)
[Event tree figure. Top events: UNITY, ISIW3, HSIW3, RSIW3, SSIW3, FSIW3. Legible end states: OK at sequences 3 and 7; CD at sequence 5.]

Figure 7.5.3-10 Event Tree for Spurious SI in Window 4 of D6 (SIW4D6)
[Event tree figure. Top events: UNITY, ISIW4, HSIW4, RSIW4, SSIW4, FSIW4. Legible end states: OK at sequences 3 and 7; CD at sequences 5 and 9.]



7.5.4 Event Trees for Loss of Instrument Air (AR)


Loss of instrument air while at mid-loop will cause the 109 A and B valves in the CCW return lines from the
RHR system to fail closed. Therefore, there is a loss of RHR. Other impacts of loss of instrument air are
discussed below:

(1) Loss of instrument air to the main steam relief valves MS-RV-101A/B/C will cause them to fail closed
and become inoperable. To relieve the steam generators and dump steam to the condenser, the
operators will have to locally open the by-pass valves, 1-MS-84, 1-MS-116 and 1-MS-155, and the steam
dump valves TCV-MS-105 A and B. The main steam non-return valves NRV 101 A, B and C in the
flow path can be remotely operated as long as offsite power is available. The steam dump valves will
also lose the air needed to operate. However, they can be locally operated in the turbine building.

(2) The RHR flow control valve HCV-1758 will fail open and FCV-1605 will fail closed, causing full RHR
flow through the RHR heat exchangers.

(3) 1-SW-263 in the service-water supply to the emergency switchgear room cooling system will fail closed
causing loss of redundancy in the service-water supply.

(4) Letdown will be isolated by the air-operated valves HCV-1142 and TV-1204 in the letdown line. A full
charging flow to loop B cold leg will occur, due to the failed open charging flow control valve, FCV-1122.

The procedure for loss of instrument air, AP 40.00, instructs the operators to block open valve TV-CC-109
A or B using a portable air bottle, and locally throttle the CCW outlet valve, 1-CC-104 or 100, for the
in-service RHR heat exchanger; this should restore the RHR function. Then, the operators are instructed to
isolate charging by closing the charging line isolation valves MOV-1289A and manual valve 1-CH-304. The
operators also will attempt to determine the cause for loss of air, and restore instrument air. If the loss is due
to failure of the dryer, then the operator will bypass it. If the loss is due to a leak, the procedure gives the
locations of various isolation valves that can be closed to isolate the instrument air system from other air
systems, or different parts of the instrument air system. When the instrument air is restored, the operators
will return the air supply to 109 valves to the normal condition and unblock the valves, return the RHR flow
control valves to normal position, and open the outlet valve for the in-service RHR heat exchanger.

Upon loss of offsite power, the normally running service air compressor would lose its power, and the
instrument air compressor should start automatically to supply the instrument air loads. Because the
instrument air compressor depends on bearing cooling water for cooling, and the bearing cooling water cooling
system depends on offsite power, the compressor would eventually fail. In the procedure for loss of offsite
power, the operators are instructed to use the fire pump to provide cooling to the instrument air compressor;
these are modeled in the loss of offsite power and station blackout event trees.

Figures 7.5.4-1 to 7.5.4-10 are the loss of instrument air event trees for the 3 mid-loop POSs in 4 different time
windows. They are somewhat similar in structure to the loss of RHR event trees, except that an additional
top event, "H" top event, representing recovery of instrument air, was included as the first mitigating event.
The recovery of the instrument air is modeled using the recovery curve derived in appendix D. If instrument
air is recovered before the RCS boils, then it is assumed that RHR can be easily recovered and the transient
is terminated successfully. If the instrument air is not restored before RCS boiling, then RHR has to be
recovered by the local actions of the operator. It is conservatively assumed that the running RHR pump is
failed due to either run out or cavitation, and the standby pump is the only pump that can be used. In the
fault tree for the RHR system, loss of instrument air would lead to a failure of the RHR system. To take
credit for the local action of the operator in restoring RHR, this dependency is removed by setting a house
event, HOUSE-AIR, to false. In the fault tree for reflux cooling, loss of instrument air would cause failure
of the SG PORVs, steam dump valves, and reflux cooling. The same house event is used to remove the
dependency of steam dump valves on instrument air to take credit for the operator opening the steam dump
valves locally.

The top events in the event trees for loss of instrument air that differ from those of the loss of RHR event
trees are described below. Window 1 of R6 is used as an example, and other time windows and POSs are
similar, except for the frequency of the POSs, probability of time windows, non-recovery probability of
instrument air, and the HEPs.

IARW1 - Probability of Loss of Instrument Air


This event is used to calculate the probability of loss of instrument air in the POS. For window 1 of R6, it
is equal to the product of
1. frequency of refueling outage,
2. frequency of loss of instrument air,
3. the duration of the POS R6, and
4. the conditional probability that it occurs in window 1, given it occurs in R6.

HARR6 - Recovery of Instrument Air


This event represents recovery of instrument air before the RHR pump is damaged. We assumed that before
the CCW to the RHR is restored, the RHR pump continues running. Because of the fully open flow-control
valve 1758, the RHR pump run out may cause the running pump to fail. Another reason for failure of the
running pump occurs when the RCS becomes saturated; then, it fails due to loss of seal cooling. In window
1, this allows 15 minutes for restoring instrument air. In Appendix D, a recovery curve was estimated using
the experience data on loss of instrument air. A successful restoration of instrument air is assumed to
successfully terminate the accident. Failure to restore instrument air is assumed to cause failure of the
running RHR pump; other impacts were modeled by failing the system and letting the fault-tree logic of the
systems account for the impacts.

RARR6 - Restoring RHR


This event represents restoration of RHR by locally opening the 109 valves and starting the standby RHR
pump, if instrument air is not recovered. The 109 A or B valve can be opened using a portable air bottle, and
then, blocked open. The standby RHR pump can be started from the control room. Due to the failed open
flow-control valve, the RHR flow has to be throttled by manually throttling the RHR heat-exchanger outlet
valve.

SARW1 - Reflux Cooling


This event represents the establishment of reflux cooling by opening the non-return valves from the control
room, locally opening the manual valves around the MSTVs and steam dump valves, and, later, establishing
feed to the steam generators.

Figure 7.5.4-1 Event Tree for Loss of Instrument Air in Window 1 of R6 (ARW1R6)
[Event tree figure. Top events: UNITY, IARW1, HARW1, RARW1, VW1, SARW1, FARW1, GARW1, CARW1. Legible end states: OK at sequences 1, 2, 3, 4, 8, and 9; CD at sequences 5, 6, 7, 10, and 11.]

Figure 7.5.4-2 Event Tree for Loss of Instrument Air in Window 2 of R6 (ARW2R6)
[Event tree figure. Top events: UNITY, IARW2, HARW2, RARW2, VW2, SARW2, FARW2, GARW2, CARW2. Legible end states: OK at sequences 1, 2, 3, 4, 8, and 9; CD at sequences 5, 6, 7, 10, and 11.]

Figure 7.5.4-3 Event Tree for Loss of Instrument Air in Window 3 of R6 (ARW3R6)
[Event tree figure. Top events: UNITY, IARW3, HARW3, RARW3, VW3, FARW3, GARW3.]

Figure 7.5.4-4 Event Tree for Loss of Instrument Air in Window 4 of R6 (ARW4R6)
[Event tree figure. Top events: UNITY, IARW4, HARW4, RARW4, VW4, FARW4, GARW4.]

Figure 7.5.4-5 Event Tree for Loss of Instrument Air in Window 3 of R10 (ARW3R10)
[Event tree figure. Top events: UNITY, IARW3, HARW3, RARW3, VW3, FARW3, GARW3.]

Figure 7.5.4-6 Event Tree for Loss of Instrument Air in Window 4 of R10 (ARW4R10)
[Event tree figure. Top events: UNITY, IARW4, HARW4, RARW4, VW4, FARW4, GARW4.]

Figure 7.5.4-7 Event Tree for Loss of Instrument Air in Window 1 of D6 (ARW1D6)
[Event tree figure. Top events: UNITY, IARW1, HARW1, RARW1, FARW1V, CARW1V.]

Figure 7.5.4-8 Event Tree for Loss of Instrument Air in Window 2 of D6 (ARW2D6)
[Event tree figure. Top events: UNITY, IARW2, HARW2, RARW2, SARW2, FARW2V, CARW2V.]

Figure 7.5.4-9 Event Tree for Loss of Instrument Air in Window 3 of D6 (ARW3D6)
[Event tree figure. Top events: UNITY, IARW3, HARW3, RARW3, SARW3, FARW3V.]

Figure 7.5.4-10 Event Tree for Loss of Instrument Air in Window 4 of D6 (ARW4D6)
[Event tree figure. Top events: UNITY, IARW4, HARW4, RARW4, SARW4, FARW4V.]

7.5.5 Event Trees for Loss of Component Cooling Water (CC)


A loss of Component Cooling Water (CCW) event is defined as the total loss of CCW function at both units
without any backup service available (see Section 4.4.5 for more details). The RHR heat exchangers, as well
as the RHR pumps, reject heat to the CCW system whose loss effectively leads to the loss of decay-heat
removal (failure of the RHR heat exchangers) and the direct loss of the operating RHR pump. Therefore,
a loss of CCW event must be treated as a loss of RHR event coupled with the unavailability of the CCW
function.

Three event trees were developed for the mid-loop POSs in each window to reflect the different system
configurations and other conditions in the respective operating modes, POS 6 Refueling, POS 6 Drained
Maintenance, and POS 10 windows 1, 2, 3, and 4. The event trees are derived from the generic loss of RHR
event tree, specialized for the loss of CCW conditions.

7.5.5.1 "Loss of CCW" Event Tree - Refueling POS 6

Window 1

Figure 7.5.5-1 shows the event tree, CCW1, applicable in this POS. The top events represent the various
alternate possibilities for heat removal available to the operator:

ICCW1 - Loss of CCW Initiating Probability


The initiating probability represents the loss of CCW function at both units. It was established, based on
operating experiences, and discussed in detail in Section 4.4.5. It is the combination of the loss of CCW
initiating event frequency with the duration of the POS 6 refueling period in window 1.

HCCW1 - Recovery of the CCW System


The loss of the CCW system leads to the loss of RHR heat-removal from the RHR heat exchangers, and the
RHR pumps also lose their cooling, which may directly damage the operating pump. For loss of heat
exchanger cooling, the effect is a slow heat-up of the reactor core. Based on the calculations in Chapter 5,
given the loss of heat removal by the RHR system, void formation in the primary coolant is expected to occur
after about 12 minutes.

The loss of cooling to the RHR pump seals could lead to some direct damage, but even this may take some
time, estimated as 30-60 minutes per pump. Therefore, if it is recovered in about 20 minutes, the loss of CCW
event may not challenge the mitigating systems and not lead to a loss of the RHR system.

The top event, HCCW1, questions the non-recovery probability of the loss of CCW event, which, again, was
obtained from the operating experiences (PRNR = .8).

VW1 - RCS Vented


This top event represents the question of venting the RCS. The removal of heat by gravity feeding of the RCS
requires that the RCS is vented; this may be done in POS 6 by removing the pressurizer safety valves.

SCCW1 - Steam Generator Reflux Cooling


This top event represents an alternate method of decay-heat removal using the steam generators. In this case,
the primary side would boil and the steam could condense in the steam generators if heat transfer to the
secondary side can be established. This may be assured by letting the SG inventory boil and releasing the
generated steam either through the secondary-side relief valves or by using the turbine bypass and the main
condenser. Section 7.2 discusses in more detail this mode of cooling and decay-heat removal.


FCCW1 - Feed-and-Bleed of the RCS


This top event represents the feed-and-bleed operation to the primary system. The RCS may be fed by the
charging/HPI or LPI system. The pressure of the RCS is not expected to increase greatly, during the initial
heat-up period, because it is vented and the LPI system could provide additional coolant. However, later in
the accident, the LPI injection may be prevented by the gradual build up of pressure in the RCS, since the
vent capacity is relatively small, and this may be increased if the rupture disk on the pressurizer relief tank
ruptures.

GCCW1 - Gravity Feed to the RCS


This top event represents the gravity feeding of RWST water into the RCS through the LPI system; it can only
be used if the RCS is vented.

The first 3 sequences are successes without core damage. Sequence 2 represents the case when the CCW
recovers in the first 20 minutes and decay-heat removal can be reestablished by the RHR system. It is
assumed that, if the operating RHR pump is damaged, the other RHR pump is available and may be
restarted.
Sequences 4, 5, 6, 9, and 10 lead to core damage.

Window 2
The event tree, CCW2R6, applicable to this POS in window 2 is presented in Figure 7.5.5-2. The meanings
of the top events are similar to those in window 1, and only those that differ are described.

HCCW2 - Recovery of CCW


The CCW system non-recovery probability is .45.

VW2 - RCS Vented


The probability of pressurizer safety valve removal is .05.

CCCW2 - Recirculation
If the unit 2 RWST is cross-connected to the unit 1 tank, then there is no need for recirculation.

Window 3
Figure 7.5.5-3 shows the event tree, CCW3R6.

HCCW3 - Recovery of CCW


The value of PRNR = .25.

VW3 - RCS Vented


The probability that the safety valves are removed is P = .9. Reflux cooling is unavailable (Function S),
and there is no need for recirculation (Function C).

Window 4
The event tree, CCW4R6, is presented in Figure 7.5.5-4.

HCCW4 - Recovery of CCW


The value of PRNR = .15.

VW4 - RCS Vented


The probability that the safety valves are removed is P = .3.


7.5.5.2 "Loss of CCW" Event Tree - Refueling POS 10

Window 3
In POS 10, all three RCS loops are isolated and the SGs cannot be used for alternate heat-removal. The
event tree was modified accordingly (Figure 7.5.5-5). The top events are essentially the same as for CCW3R6.

ICCW3 - Loss of CCW Initiating Probability


The initiating probability expresses the probability of the loss of CCW event during POS 10 in a refueling
period.

HCCW3 - Recovery of the CCW System


The recovery time base is 1 hour, which is the period before the primary coolant starts to boil. It is assumed
that the RHR pumps are not damaged, even after the loss of seal cooling.

VW3 - RCS Vented

FCCW3 - Feed-and-Bleed of the Primary System

GCCW3 - Gravity Feed of the Primary System


Sequences 4, 5, and 7 lead to core damage.

Window 4
The event tree CCW4R10 is presented in Figure 7.5.5-6. The top events are functionally the same as in
window 3, and identical to the ones in the POS 6 event.

7.5.5.3 "Loss of CCW" Event Tree - Drained Maintenance POS 6

Decay-heat removal through the secondary side is not available, since successful reflux cooling would require
3 SGs, but only two are available. In addition, the pressurizer safety valves are not removed, potentially
preventing the use of the gravity feed function. Figure 7.5.5-7 presents the event tree, CCW1D6.

ICCW1 - Loss of CCW Initiating Probability


The initiating event probability is functionally similar to the one used previously.

HCCW1 - Recovery of the CCW System


The operating RHR pump is assumed not to be damaged during this time period.

FCCW1 - Feed-and-Bleed of the RCS


Identical to the same top event in the POS 6 refueling event tree, CCW1R6.

CCCW1 - Recirculation Function


In POS 6 - Drained Maintenance, the only option to remove decay heat is to use feed-and-bleed, given the
failure of the RHR system. Sequences 4 and 5 lead to core damage.

Window 2
The event tree CCW2D6 is presented in Figure 7.5.5-8.

SCCW2 - Reflux Cooling


Reflux Cooling is available in this window for drained maintenance.

Window 3
Figure 7.5.5-9 shows the event tree CCW3D6. The recirculation function (c) is removed.
Window 4
The event tree CCW4D6 is shown in Figure 7.5.5-10, which is the same as in window 3 with the appropriate
top events.

Top events: UNITY, ICCW1, HCCW1, VW1, SCCW1, FCCW1, GCCW1, CCCW1
Sequence end states: 1 OK, 2 OK, 3 OK, 4 CD, 5 CD, 6 CD, 7 OK, 8 OK, 9 CD, 10 CD

Figure 7.5.5-1 Event Tree for Loss of CCW in Window 1 of R6 (CCW1R6)


Top events: UNITY, ICCW2, HCCW2, VW2, SCCW2, FCCW2, GCCW2, CCCW2
Sequence end states: 1 OK, 2 OK, 3 OK, 4 CD, 5 CD, 6 CD, 7 OK, 8 OK, 9 CD, 10 CD

Figure 7.5.5-2 Event Tree for Loss of CCW in Window 2 of R6 (CCW2R6)


Top events: UNITY, ICCW3, HCCW3, VW3, FCCW3, GCCW3

Figure 7.5.5-3 Event Tree for Loss of CCW in Window 3 of R6 (CCW3R6)


Top events: UNITY, ICCW4, HCCW4, VW4, FCCW4, GCCW4

Figure 7.5.5-4 Event Tree for Loss of CCW in Window 4 of R6 (CCW4R6)


Top events: UNITY, ICCW3, HCCW3, VW3, FCCW3, GCCW3
Sequence end states: 1 OK, 2 OK, 3 OK, 4 CD, 5 CD, 6 OK, 7 CD

Figure 7.5.5-5 Event Tree for Loss of CCW in Window 3 of R10 (CCW3R10)

Top events: UNITY, ICCW4, HCCW4, VW4, FCCW4, GCCW4
Sequence end states: 1 OK, 2 OK, 3 OK, 4 OK, 5 CD, 6 OK, 7 CD

Figure 7.5.5-6 Event Tree for Loss of CCW in Window 4 of R10 (CCW4R10)

Top events: UNITY, ICCW1, HCCW1, FCCW1V, CCCW1V
Sequences: 1 through 5

Figure 7.5.5-7 Event Tree for Loss of CCW in Window 1 of D6 (CCW1D6)


Top events: UNITY, ICCW2, HCCW2, SCCW2, FCCW2V, CCCW2V
Sequence end states: 1 OK, 2 OK, 3 OK, 4 OK, 5 CD, 6 CD

Figure 7.5.5-8 Event Tree for Loss of CCW in Window 2 of D6 (CCW2D6)


Top events: UNITY, ICCW3, HCCW3, SCCW3, FCCW3V
Sequences: 1 through 5

Figure 7.5.5-9 Event Tree for Loss of CCW in Window 3 of D6 (CCW3D6)

Top events: UNITY, ICCW4, HCCW4, SCCW4, FCCW4V

Figure 7.5.5-10 Event Tree for Loss of CCW in Window 4 of D6 (CCW4D6)



7.5.6 Event Trees for Loss of Emergency Switchgear Room Cooling (SR)
This section describes the event tree models that were developed to analyze the accident sequences initiated
by a loss of emergency switchgear room (ESGR) cooling event during mid-loop operations in two types of
outages at the Surry nuclear plant. ESGR ventilation is required to maintain the temperature in the
emergency switchgear room below the acceptable limit at both Units 1 and 2 under abnormal and normal
operating conditions. The acceptable limit was defined as 120°F, and, at temperatures above this limit, several
deleterious effects could degrade the functionality of the electrical equipment. The most important failure
modes of electrical equipment operating under adverse ambient temperatures include spurious transfer of the
relays, loss of thermal overload margin in the load breakers which trip the circuit breakers, and eventual
failure of solid-state components in the UPS subsystems. The temperatures at which each of these types of
electrical equipment failures would occur were not specifically determined.

Cooling and ventilation for the ESGR is provided for both units by a single air conditioning system consisting
of air handling units (AHUs) and a Chilled Water System (CHWS). The CHWS is a closed-cycle system
consisting of six pumps and three chillers; the heat sink for the normal ESGR chillers is the Service Water
System. Backup chilled water is supplied by the Backup Air-Conditioning Chilled Water System. The backup
chillers can be cross-connected to a single Main Control Room/ESGR AHU group by opening two manual
valves; one on the supply and the other on the discharge of the chilled water side of the AHUs. Loss of
ESGR ventilation as an initiating event was assessed by fault-tree modeling considering that operational
constraints require at least one ESGR AHU and that any two of three chillers are operable when any unit is
in shutdown.

If ESGR cooling is lost due to failures of the chillers or service water, there is no immediate impact on the
unit. As the emergency switchgear room will heat up eventually, it is postulated that loss of vital power
supplies or perturbations in DC power supply will trip the unit. The emergency systems are operable for a
limited time as long as DC control power is available. Depending on the cause of the loss of room cooling,
it is possible to restore ventilation by cross-connecting chilled water from the Central Conditioning System
chillers or by establishing cross flow of air from the Unit 2 ESGR. This must be accomplished prior to loss
of AC and DC power supplies. Failure to restore room cooling causes a station blackout that eventually
damages the core. Thus, the event tree models for the loss of ESGR cooling during mid-loop operations are
somewhat similar in structure to those developed for the Unit 1 SBO event, B1.

Figures 7.5.6-1 through 7.5.6-10 show the event trees for loss of switchgear room cooling (SR initiator).

If not recovered in time, this initiator will damage the emergency equipment in the switchgear room so that
it cannot be recovered. This equipment is the power source for all the frontline systems. The only systems
that can be used are the reflux bleed (via the steam dump), gravity feed, and cross-connect of Unit 2 charging.
As a recovery action, feeding the steam generators with AFW from Unit 2 or with fire-water is a possibility.

Due to the similarity of top event definitions for the other windows and POSs, only the top events of the
SRW1R6 event tree, Figure 7.5.6-1, are described below:

ISRW1 - SR Initiator - This event represents the loss of ESGR occurrence, SR, where failure of ESGR
ventilation results in heat up of the room and causes the eventual failure of the 4kv AC distribution system
and DC power supplies.

ARCW1 - Restore ESGR Cooling - This top event represents the restoration of the ESGR ventilation system
by cross-connecting the Central Air Conditioning System chillers to the ESGR chilled water system.


VW1 - RCS Initially Vented - This top event represents the plant configuration in which the RCS is initially
vented with the pressurizer safety relief valves removed.

SSRW1 - Steam Generator Feed-and-Bleed - This top event represents the use of reflux cooling to adequately
remove decay heat and prevent core damage. Reflux cooling is possible when the RCS loops are not isolated,
and the secondary side of the SGs is in the wet layup condition. The PORV control will be lost due to loss
of emergency power, so the bleed operation has to be accomplished by dumping the steam into the condenser.
The feed function from Unit 1 will be unavailable, as the AFW system depends on emergency power. The
feed function is not necessary for the first 10 hours; it can then be accomplished by AFW cross-tie from Unit
2, or by using fire-water to replenish the steam generators' secondary side.

2CHSW1 - Cross-connection of Unit 2 Charging System - This event represents the cross-tie of the operable
Unit 2 charging pump to provide RCS makeup to the primary system for feed-and-bleed operation to maintain
RCS cooldown and depressurization.

GSRW1 - Gravity Feed from RWST - This event represents gravity feed of RWST inventory through the low
head injection flowpath to the RCS if the RCS is vented. In window 1, this option provides about 4 hours
of cooling. In window 4, gravity feed is enough for at least 24 hours, which is defined as the mission time.
In other windows, the allowable time can be extended by cross-connecting the two Units' RWSTs.

The descriptions of the sequence outcomes in the event trees are similar to those for the sequences initiated
by the Unit 1 SBO event, B1; thus, they are not discussed here.

Top events: UNITY, ISRW1, ARCW1, VW1, SSRW1, 2CHSW1, GSRW1
Sequence end states: 1 @, 2 @, 3 CD, 4 CD, 5 CD, 6 @, 7 CD, 8 CD

Figure 7.5.6-1 Event Tree for Loss of ESGR Cooling in Window 1 of R6 (SRW1R6)

Top events: UNITY, ISRW2, ARCW2, VW2, SSRW2, 2CHSW2, GSRW2
Sequence end states: 1 @, 2 @, 3 CD, 4 CD, 5 CD, 6 @, 7 CD, 8 CD

Figure 7.5.6-2 Event Tree for Loss of ESGR Cooling in Window 2 of R6 (SRW2R6)

Top events: UNITY, ISRW3, ARCW3, VW3, 2CHSW3, GSRW3
Sequence end states: 1 @, 2 @, 3 @, 4 CD, 5 CD, 6 @, 7 CD

Figure 7.5.6-3 Event Tree for Loss of ESGR Cooling in Window 3 of R6 (SRW3R6)

Top events: UNITY, ISRW4, ARCW4, VW4, 2CHSW4, GSRW4
Sequence end states: 1 @, 2 @, 3 @, 4 @, 5 CD, 6 @, 7 CD

Figure 7.5.6-4 Event Tree for Loss of ESGR Cooling in Window 4 of R6 (SRW4R6)

Figure 7.5.6-5 Event Tree for Loss of ESGR Cooling (R10)

Top events: UNITY, ISRW4, ARCW4, VW4, 2CHSW4, GSRW4
Sequence end states: 1 @, 2 @, 3 @, 4 @, 5 CD, 6 @, 7 CD

Figure 7.5.6-6 Event Tree for Loss of ESGR Cooling in Window 4 of R10 (SRW4R10)

Top events: UNITY, ISRW1, ARCW1, 2CHSW1
Sequence end states: 1 @, 2 @, 3 CD, 4 CD

Figure 7.5.6-7 Event Tree for Loss of ESGR Cooling in Window 1 of D6 (SRW1D6)

Top events: UNITY, ISRW2, ARCW2, SSRW2, 2CHSW2
Sequence end states: 1 @, 2 @, 3 @, 4 CD, 5 CD

Figure 7.5.6-8 Event Tree for Loss of ESGR Cooling in Window 2 of D6 (SRW2D6)

Top events: UNITY, ISRW3, ARCW3, SSRW3, 2CHSW3
Sequence end states: 1 @, 2 @, 3 @, 4 @, 5 CD

Figure 7.5.6-9 Event Tree for Loss of ESGR Cooling in Window 3 of D6 (SRW3D6)

Top events: UNITY, ISRW4, ARCW4, SSRW4, 2CHSW4
Sequence end states: 1 @, 2 @, 3 @, 4 @, 5 CD

Figure 7.5.6-10 Event Tree for Loss of ESGR Cooling in Window 4 of D6 (SRW4D6)

7.6 Reactivity Accident Event Trees


In Section 4.11, we discussed several categories of potential reactivity events during shutdown including the
following:

(1) Addition of diluted accumulator water.
(2) Addition of diluted RWST water.
(3) Boron dilution due to maintenance problems.
(4) Uncontrolled boron dilution from CVCS.
(5) Boron dilution via the RHR.
(6) Startup of RCP after improper boron dilution.
(7) Rod ejection accident.
(8) Misloading of fuel assemblies.
(9) Uncontrolled bank withdrawal.

After screening each of these categories, we determined that only uncontrolled boron dilution from CVCS
(category 4) during mid-loop operations is relatively risk significant, requiring an in-depth study. The
probabilistic assessment of this reactivity accident for Surry is presented next.

7.6.1 Uncontrolled Boron Dilution from CVCS

The Surry Chemical and Volume Control System (CVCS) is composed of two major subsystems, charging and
letdown, and makeup. The operation of the two subsystems is coordinated to perform the various functions
of the CVCS, the primary purposes of which include the following: 1) Adjusts boron concentration in the
RCS for reactivity control; 2) Maintains proper water inventory in the RCS; 3) Provides high pressure flow
to the RCS upon initiation of safety injection (SI); 4) Maintains proper concentration of corrosion-inhibiting
chemicals in the RCS; and 5) Injects seal water into the reactor coolant pumps (RCPs).

Uncontrolled boron dilution is defined as the reduction in the RCS boron concentration caused by the
inadvertent addition of unborated water. Such an event can occur as a result of operator errors or CVCS
equipment failures, such as failure in the blending system or failure in the boric acid/demineralized water
makeup flow path to the suction of the charging pump.

If allowed to continue, uncontrolled dilution could add enough positive reactivity to cause recriticality during
reactor shutdown, leading eventually to core damage. Although inadvertent dilution can occur during any
plant operating state (POS), the problem can become particularly acute if it occurs when the RCS is in mid-
loop operation (POSs 6 and 10) when, because of the relatively small amount of water remaining in the RCS,
the effects can be more easily felt and transients can proceed faster. Furthermore, since the RCS is operating
at near atmospheric pressure, addition of neutronic power to the decay heat can easily cause the reactor
coolant to heat up quickly and eventually boil, inducing RHRS failure. Therefore, for Surry, the probabilistic
analysis of reactivity accidents due to boron dilution from CVCS centered on those which are assumed to
occur when the RCS is in mid-loop operation.

7.6.2 Probabilistic Analysis of Boron Dilution Events During RCS Mid-Loop Operation

From 1973 through 1985, there were six reported incidents of uncontrolled boron dilution at Surry Units 1
and 2, five of which occurred during cold shutdown and one during hot shutdown. One half of these events
were attributed to equipment failures, the other half to human errors. Table 7.6-1 briefly describes the five
dilution events that occurred during cold shutdown.


To estimate the core-damage frequency associated with boron dilution during RCS mid-loop operations, an
event tree was developed (Figure 7.6-1). Since the five Surry events did not necessarily occur during mid-loop
operations, we estimated the probability that they occurred during mid-loop operations. To do this, we divided
the average duration of mid-loop operation (277 hrs/yr) by the average number of hours the RHR was in
operation during shutdown (3332 hrs/yr). Taking the reactor years during the period given above to be 25
years, the initiating event frequency was calculated as 1.66 E-2 event/year.

When an inadvertent dilution from CVCS occurs, the first positive indication of low boron concentration in
the RCS could come from a high neutron-flux alarm. Assuming a balance between charging and letdown
flows, the alarm could come on about 40 minutes after the inception of the accident. Upon receiving the
alarm, the operator is instructed to look for the cause of dilution and terminate it by, for example, stopping
the charging pump and isolating letdown. Depending upon the dilution flow rate, there is about 20 to 30
minutes to take these mitigative actions before criticality is reached. Once recriticality occurs, the reactor
power will cause the reactor coolant to heat up rapidly, and eventually boil. This will induce cavitation of
RHRS pumps and, hence, failure of RHRS. To terminate the boron dilution event at this point would require
the operator to actuate emergency boration by injecting borated water into the RCS via the CVCS or the low-
head safety injection (LHSI) lines. Failure to initiate the emergency boration and supply makeup to the RCS
will lead to core damage.

The branch point probability assigned to the fourth event-tree top event (no makeup water to RCS) takes into
account both the operator's failure to initiate the makeup flow and failure of the low-pressure injection system.
The second top event models the possible failure of the high neutron flux alarm. The failure probability of
the alarm was calculated based on an alarm failure rate of 6.06 E-6 per hour (1) and an average mid-loop
operation duration of 277 hours at Surry. Even if the high flux alarm fails, the operator could realize the
abnormal situation through other symptoms of contingency, such as an increase in coolant temperature or
failure of RHRS pumps. If the operator becomes aware of the adverse circumstance after RHRS is lost,
emergency boration would have to be started within 15 to 20 minutes to prevent core damage. All the human
error probabilities used in this event tree are taken from Swain and Guttmann (2). Quantification of the event
tree yields a core damage frequency of 6.8 E-8/yr for boron dilution events during RCS mid-loop operations
at Surry.
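
The quantification described above can be reproduced with the short script below. It is an added example, not part of the report: the top-event keys are labels chosen here, the assignment of the values printed on Figure 7.6-1 to individual branches is inferred from the two core-damage frequencies on the figure, and the alarm value is assumed to be the time-averaged unavailability (rate x duration / 2), which matches the printed 8.4 E-4.

```python
"""Quantify the boron-dilution event tree of Figure 7.6-1 (added example)."""
from math import prod

# Inputs quoted in Section 7.6.2.
DILUTION_EVENTS = 5            # cold-shutdown dilution events at Surry
REACTOR_YEARS = 25.0           # reactor-years covered by the event record
MIDLOOP_HOURS = 277.0          # average mid-loop duration, hr/yr
RHR_HOURS = 3332.0             # average RHR operation during shutdown, hr/yr
ALARM_FAILURE_RATE = 6.06e-6   # high-flux alarm failure rate, per hour

# Values printed on Figure 7.6-1. The keys are labels chosen for this
# example; which value belongs to which branch is an inference from the
# two core-damage frequencies printed on the figure.
INITIATOR_FREQ = 1.66e-2       # per year
P_FAIL = {
    "ALARM": 8.4e-4,           # high flux alarm fails
    "TERMINATE": 5.0e-4,       # operator fails to identify cause and stop dilution
    "MAKEUP": 7.82e-3,         # no makeup water to RCS after loss of RHRS
    "REALIZE": 2.0e-4,         # alarm failed; operator fails to realize and act
}

# Each sequence: (number, end state, {top event: True if failure branch taken}).
# Top events missing from a path are not asked on that sequence.
SEQUENCES = [
    (1, "OK", {"ALARM": False, "TERMINATE": False}),
    (2, "OK", {"ALARM": False, "TERMINATE": True, "MAKEUP": False}),
    (3, "CD", {"ALARM": False, "TERMINATE": True, "MAKEUP": True}),
    (4, "OK", {"ALARM": True, "REALIZE": False}),
    (5, "CD", {"ALARM": True, "REALIZE": True}),
]


def initiating_event_frequency():
    """Events per reactor-year, scaled by the fraction of RHR time at mid-loop."""
    return (DILUTION_EVENTS / REACTOR_YEARS) * (MIDLOOP_HOURS / RHR_HOURS)


def alarm_failure_probability():
    """Average unavailability lambda*T/2 over the mid-loop period.

    Assumption: the report gives only the rate and the duration; the
    time-averaged form is used because it reproduces the 8.4 E-4 on the figure.
    """
    return ALARM_FAILURE_RATE * MIDLOOP_HOURS / 2.0


def sequence_frequency(path):
    """Initiator frequency times the probability of every branch on the path."""
    return INITIATOR_FREQ * prod(
        P_FAIL[event] if failed else 1.0 - P_FAIL[event]
        for event, failed in path.items()
    )


def quantify():
    """Return {sequence number: (end state, frequency per year)}."""
    return {n: (state, sequence_frequency(path)) for n, state, path in SEQUENCES}


def core_damage_frequency():
    """Sum of the frequencies of all sequences ending in core damage."""
    return sum(freq for state, freq in quantify().values() if state == "CD")


if __name__ == "__main__":
    print(f"initiator  {initiating_event_frequency():.2e} /yr")
    print(f"alarm      {alarm_failure_probability():.1e}")
    for n, (state, freq) in quantify().items():
        print(f"seq {n}  {state}  {freq:.2e} /yr")
    print(f"CDF        {core_damage_frequency():.1e} /yr")
```

The sequence frequencies sum back to the initiator frequency, which is a quick check that no branch of the tree was dropped.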

7.6.3 References
(1) Davis, R.E., et al, "PRAM Procedures Guide, Volume 1: Analysis of Accidents Leading to Radiological
Releases at a High-Level Waste Repository" Draft, Department of Nuclear Energy, Brookhaven
National Laboratory, February, 1988.

(2) Swain, A.D. and Guttmann, H.E. "Handbook of Human Reliability Analysis with Emphasis on Nuclear
Power Plant Applications," NUREG/CR-1363, Idaho National Engineering Laboratory, 1982.

Top events: Unplanned Boron Dilution During RCS Mid-Loop Operation; High Flux Alarm Fails; Operator Fails to
Identify the Cause and Terminate the Dilution; No Makeup Water to RCS after Loss of RHRS; Operator Fails to
Realize the Situation and Take Preventive Action
Values shown on the tree: 1.66 E-2/yr, 5.0 E-4, 7.82 E-3, 8.4 E-4, 2.0 E-4
Core damage (CD) sequence frequencies: 6.49 E-8, 2.79 E-9

Figure 7.6-1 Surry Reactivity Accident Due to Unplanned Boron Dilution During RCS Mid-Loop Operation

Table 7.6-1 Summary of Inadvertent RCS Boron Dilution Which Occurred
at Surry Plants During Cold Shutdown

Unit  Date     Brief Description of Event

1     2/24/75  Over 4 days, too great a flow of primary-grade
               water to the blender produced a boron
               concentration of 1312 ppm, which diluted RCS
               from the required 2000 ppm to 1842 ppm.

2     7/30/76  Leakage from three tubes that had been cut
               while removing a section of the seventh tube
               support plate on the secondary side of the steam
               generator diluted the RCS boron concentration
               from 2356 to 1836 ppm.

2     4/6/78   A failed flow controller caused the primary-grade
               water valve to overfeed during blending. The
               RCS boron concentration decreased from 1372 to
               1259 ppm in 13 hours. The failure also affected
               the deviation of the primary-grade water flow.

1     5/12/80  Inadvertent deboronation of the RCS occurred
               when a mixed-bed demineralizer was placed in
               service without verifying that boron concentration
               of the effluent was equalized with that of the
               RCS.

2     10/85    RCS boron dilution occurred at cold shutdown.
               The dilution was caused by problems in the boric
               acid/P.G. water blend system, which was used to
               control boric acid concentration in the RCS.
               Inaccurate operation of boric acid controller.

8 HUMAN INTERFACE ANALYSIS

Human reliability of the Surry plant operators is analyzed for a small subset of plant operating conditions.
Only those event sequences originating during reactor shutdown with the reactor coolant loops drained to
midloop in the hot legs are considered. In truth, the Surry Low Power and Shutdown Probabilistic Risk
Assessment (PRA) analyzes a "Surry-like" plant that is assumed to operate under administrative controls that
differ from those currently in place at Surry. In particular, the model assumes more time at midloop than
Surry management currently anticipates, and assumes that the "Surry-like" plant does not procedurally prevent
entering reduced inventory at less than 200 hours after shutdown as in the current version of Surry
Procedure OP-RC-005 (Reference 8-1). The model, while based on former practice at Surry, can be valuable
to the U.S. Nuclear Regulatory Commission (NRC) because it is representative of current operations at many
pressurized water reactors (PWR).

This analysis supports the Brookhaven National Laboratory (BNL) Phase 2 PRA for midloop conditions. PLG
analysts Dr. Dennis C. Bley, Dr. David H. Johnson, and Mr. James C. Lin performed the human reliability
analysis (HRA). In support of this effort, they participated in the development of the POS 6 and POS 10
event trees at BNL, reviewed the available thermal-hydraulics calculations (performed by BNL, Virginia Power,
and the Westinghouse Owners Group), reviewed the Phase 1 and draft Phase 2 BNL shutdown PRA reports
(References 8-2 and 8-3), and studied plant procedures. Dr. Bley visited the plant to interview operators and
to tour the facility.

8.1 Overview of the Approach and Scope


The Senior Consulting Group that reviewed the Phase 1 Surry Low Power and Shutdown PRA recommended
an HRA approach similar to that used in NSAC-84 (Reference 8-4). We have developed an extension to the
NSAC-84 HRA based on success likelihood index methodology (SLIM) (Reference 8-5) that provides a more
structured ranking scheme to ensure internal consistency. The project scope precluded a complete integration
of the HRA approach with the accident sequence analysis. At this time, the capability of the HRA to track
dependencies among human actions, and dependencies relative to previous hardware failures, exceeds the
ability of the event tree/fault tree computer model to incorporate and process this detailed information in an
efficient way. A related NRC project is developing data and methods to support integration and consideration
of correlated impacts on human performance (Reference 8-6).

The HRA identifies key dependency issues and flags them for consideration during the comprehensive human
reliability analysis following the work described in Reference 8-6. For the current analysis, we have tried to
match the most appropriately conditioned human actions to the event tree models. That is, using judgment
based on our PRA and HRA experience, we have quantified the human action events that we believe would
most contribute to the risk if the full set of dependent actions were analyzed on a cutset-by-cutset basis. The
current event tree model imbeds the human actions within a series of functional top events that include
hardware failures in safety systems and their support systems. The imbedded human actions are modeled in
two parts: a global diagnosis event affecting all actions and the top event-related action events.

The crux of the judgment for selecting human action models was that, for subsequent events, the most
important cases would be those in which the previous event tree's functional top event failures were caused
by equipment failure or were the result of the physics of the process rather than the cognitive failure of the
operator. Rough estimates indicate that, in many cases, equipment failure dominates those top events. In
most other cases, because global diagnosis has been successful, the operators are on the right track, but the
difficulties of the physical operation (e.g., residual heat removal (RHR) pump venting) are causing long time
delays. There are substantial cues to encourage the operators to proceed to alternative cooling options. In
addition, the procedures are reasonably clear in this regard; training, simulator exercise, and experience are
supportive; and discussions with Surry operators have demonstrated that their focus is on moving through
alternative options until clear evidence (instrument readings) demonstrates that cooling is restored and system
conditions are returning to normal.

8.2 Plant Design and Practice — Special Features at Surry


Earlier PRAs and examinations of operational events during shutdown at PWRs (References 8-7 through 8-9)
have identified several characteristics of shutdown operations that contribute to risk. The most significant
include time at midloop (especially soon after shutdown when decay heat levels are high), the lack of reliable
indications of reactor coolant system (RCS) level and RHR flow, the lack of alarms to warn operators in case
of a loss of cooling, the lack of automatic functions, and the lack of training and procedures.

Surry has implemented many of the recommendations of the available guidance for controlling shutdown PWR
risk (References 8-10 through 8-13) that directly address the most important scenarios contributing to
shutdown risk. In addition, there are design features that make the plant less vulnerable to certain scenarios.

Surry has implemented administrative and response procedures for shutdown conditions, and a training
program for operators. The plant has loop isolation valves, which permit draining a loop for maintenance
without maintaining drained conditions in all three loops. Plant policy is to minimize time drained to midloop.
If extensive reduced inventory work is required, the plan is to off-load the core.

The RHR system provides no other service (such as safety injection), and is completely inside containment.
No automatic trip function is provided for the RHR isolation valves so a major cause of interruption of
cooling at other plants is eliminated. Two independent, permanently installed level systems are provided. One
is a standpipe with local indication by flags on the standpipe. The other is an ultrasonic sensor on one loop.
Both are monitored and alarmed in the control room. The RHR pump piping and valves are configured so
that if one pump vortexes and becomes air bound, the other pump remains flooded. After level is restored,
the pump lineup can be shifted from the control room, and the standby pump can be started without first
venting the air bound pump.

8.2.1 Surry Plant Procedures and Training

The keynote procedure for shutdown conditions is AP-27.00, "Loss of Decay Heat Capability"
(Reference 8-14). According to plant personnel, this procedure has been in the plant for 5 years, and the
operators have performed simulator drills for shutdown conditions, including midloop operations, for that
entire time.

The procedure follows standard Westinghouse Owners Group format defining the entry conditions (initiating
events), then sequentially diagnosing the event and restoring stable conditions. Loss of inventory problems
are addressed first, followed by other causes for interruption of cooling. Restoration is orderly: first, trying
to recover normal modes of RHR cooling; next, checking time until boiling, protecting personnel, isolating
containment, and trying steam generator cooling (reflux cooling if drained); and then moving on to feed and
spill, use of a charging pump from the opposite unit, and gravity feed.


The operators are well trained on this procedure. We have reviewed the simulator drill scenarios and
critiques. The operators train on all of the basic scenarios that were analyzed. In addition, they have a sense
of the potential importance of these actions and indicate that they would not wait long in a configuration that
failed to yield the expected temperature reduction. They understand that the ultimate measure of the
effectiveness of any cooling mode is the core exit thermocouple temperatures, which are displayed on the
control panel and monitored throughout the procedure. The procedure is based on vendor and utility
thermal-hydraulics analyses for shutdown conditions (References 8-15 and 8-16).

Additional procedures apply during shutdown. There are general operating procedures that guide cooldown,
depressurization, and draining operations (References 8-17 through 8-23). These provide detailed
requirements for maintaining control of the shutdown machine. There are special procedures, such as OC-28,
"Operational Check, Assessment of Maintenance Activities for Potential Loss of Reactor Coolant Inventory"
(Reference 8-24), and a reduced inventory checklist (Reference 8-1), that provide special guidance for reducing
the chance of loss of cooling events when RCS maintenance can lead to reduced inventory conditions. Other
procedures have been expanded to provide a focus on shutdown conditions. For example, in AP-40.00,
"Non-Recoverable Loss of Instrument Air" (Reference 8-25), if the unit is shut down on RHR, the first step
requires use of a portable air bottle and fitting to reopen the containment isolation valves in the component
cooling water system that supplies the RHR heat exchanger. We found the bottles and fitting in the Appendix
R locker, as expected.

Similarly, the blackout, loss of AC power, loss of intake canal level, main control room inaccessibility, and fire
procedures (References 8-26 through 8-30) provide important guidance.

8.2.2 Surry Plant Operational Staffing

Crew staffing for the two-unit plant includes the following:

• Three to Four Senior Reactor Operators (SRO). At least one SRO is required in the control room at all
times; usually two will be there.

— One Shift Supervisor (SRO) for both units.


— Two to three Assistant Shift Supervisors (SRO).

• Four to Five Licensed Reactor Operators (RO). Three in the control room and one to two outside; after
shutdown, a second RO is shifted to the shutdown plant.

• Eight Auxiliary Operators (AO).

• One Shift Technical Advisor (STA). The STA is assigned to licensing, not operations. STAs are not
licensed. They take the same licensed operator requalification training (LORT) and testing. STAs perform
calculations (shutdown margin, mass balance, etc.) and know technical bases for operations (ultrasonic level
detector, critical safety function monitoring, etc.).

During alert or higher emergency action levels, the Technical Support Center (TSC) must be called to action.
Approximately 15 to 20 people staff the TSC, including the plant superintendent, the emergency manager, and
four or five department heads. During the daytime, the center is manned within about 15 minutes; at other
times, when people must be called in, less than 1 hour is required. A review of Plant Procedure EPIP-1.01,
"Emergency Action Level Table (Tab A) System Shutdown, or Assessment System Shutdown"
(Reference 8-31), indicates that, for cold shutdown conditions at midloop, the TSC will be called to duty for
the following defined conditions:

Secondary System Cooling Capability Unavailable
AND
Loss of {(Service Water) OR (Component Cooling) OR (RHR)}
AND
RCS T > 140°F

8.3 Approach for HRA


Human errors and human solutions are vital parts of nuclear power plant operation and accident response.
In fact, the causes for nearly all plant problems can ultimately be traced to some form of human fallibility,
and nearly all plant problems can be solved by humans if they are provided with the appropriate information,
guidance, and tools. Within the context of this study, however, the evaluation of human errors encompasses
only those actions accomplished within the plant that directly:

• Impact the availability of support or safety systems at the time of the initiating event.

• Mitigate against core damage during the sequence of events following the initiating event.

With this in mind, the following types of human actions are evaluated:

• Routine Actions before an Initiating Event. Routine actions considered in the PRA involve restoring a
component or flow path to normal after completing the testing, inspection, or maintenance, and ensuring
that the sensing equipment is correctly aligned and calibrated for automatic response to emergency
actuation conditions. Errors that are important to plant risk leave safety-related equipment disabled or
in an undetected, misaligned state, causing it to be unavailable to accomplish its function on demand during
an event sequence.

• Actions That Can Cause Initiating Events. Actions that can initiate plant transients are implicitly
accounted for in the quantification of initiating event frequencies to the extent that these human actions
are the cause of such events. Generic plant data are used to assign total initiating event frequencies of
which human error is only one cause. These types of human actions are accounted for in the initiating
event analysis and are not discussed further here. However, as pointed out in References 8-4 and 8-6,
human-induced initiating events during shutdown often influence the likelihood of subsequent human
failures. This issue is being addressed in the program of Reference 8-6.

• Dynamic Operator Actions Accomplished during the Plant Response to an Initiator. Guided by the plant
abnormal and emergency response procedures, the operators make active decisions and take appropriate
actions in response to a complex series of stimuli during the sequence of events following an initiator.
They are scenario specific and include well-defined tasks for manual initiation, control, and alignment of
plant emergency equipment or selected backup systems. Usually, the operators must complete a particular
activity within a specified period of time to avoid an unfavorable change in the state of the plant. These
actions are an integral part of the plant response to the initiating event.

• Recovery Actions. Recovery actions generally involve recovery from failures that completely or partially
disable the standard system response during an event sequence. They generally involve alignment of
alternate systems or repair and restoration of the failed system. They may be well defined in procedures
or based on general guidance and the training and knowledge of the operators and plant staff. For the
purposes of this study, recovery actions are those identified through the first quantification, after the
dominant scenarios have been identified.

8.3.1 Incorporation of Human Actions into the Plant Model


The approach to human interaction modeling provides a systematic and consistent framework for identifying,
evaluating, and documenting human responses at all levels of the study. The approach emphasizes a detailed
interview with plant operators and a thorough review of their procedures.

Quantified human error probabilities (HEP) can be incorporated into the plant model in a number of ways,
depending on the influence of the action on other events in the sequence and, in particular, how they impact
the quantification of other events. The potential dependencies of HEPs on other elements of the plant model
can strongly affect how the action and subsequent events are quantified. There are three general types, as
follows:

• Plant-human dependency accounts for the impact of the plant instrumentation and other performance
indications on the ability of the operators to accomplish the action. They are scenario dependent and
influence the potential-for-failure that the operators face when responding to the scenario.

• Human-plant dependency accounts for those actions that can cause more than one system to fail. The
event trees that are used to express the plant response to an initiating event can serve as a vehicle to
represent these dependencies.

• Human-human dependency involves the increased potential for making a series of errors once the first
error is made.

Depending on the type of dependency involved, any one of the following approaches can be used to
incorporate human actions into the overall risk model:

• An action may be included within the system fault trees if the human error affects subsequent events in
the sequence in the same way as hardware causes of system failure. Errors that occur before the initiating
event, and some dynamic operator actions, fall into this category.

• If failure of an operator action that fails a system has a different effect on the subsequent response of the
plant than a hardware failure, a separate top event may be used to represent the human action. Dynamic
operator actions may, but do not always, fall into this category.

• Recovery actions are often appended to accident sequence cutsets as separate basic events. In this way,
they can be made very cutset-specific and not alter the remainder of the model.

8.3.2 Routine Actions before an Initiating Event

Routine human actions considered in the PRA are system-specific activities performed by one or more
operations staff members as part of their normal workday duties to align a safety function properly before
leaving it in its ready condition. These include:

• Realignment of a component or flow path to normal after completing the testing, inspection, or
maintenance.

• Removal of jumpers or other temporary system alterations to restore it back to service.

• Calibration and alignment of sensing equipment to ensure proper automatic response to emergency
actuation conditions.

Errors that are important to plant risk cause the system to be unavailable to accomplish its function properly
following an initiating event. Failure modes that could produce this condition primarily involve leaving
safety-related equipment disabled or in an undetected, misaligned state, causing it to fail to operate upon
demand.

The system analyst is responsible for evaluating routine actions that cause equipment unavailability. This
approach is used because the system analyst is most familiar with the equipment, its location, control room
alarms and indications, and details of all procedures and other guidance impacting the maintenance and
surveillance testing of the system.

Normally, only surveillance procedures are evaluated to identify specific causes of equipment unavailability.
Maintenance procedures are evaluated only if the operability of the system is not verified by a surveillance
procedure at the conclusion of the maintenance or repair activity.

These routine actions were quantified in the Phase 1 report (Reference 8-2) and are unchanged.

8.3.3 Methodology for Evaluation of Dynamic Operator Actions and Recovery Actions

Dynamic operator actions and recovery actions that take place following an initiator are identified and
qualitatively described during the construction of the plant model event trees and quantification of the accident
sequence, respectively. The licensed plant operators were consulted for evaluation and feedback on the
process for restoring RHR cooling and establishing alternate decay heat removal. The qualitative descriptions
for the operator actions are expanded to account for all factors significant to quantification. The methodology
laid out in this section is an abbreviated approach to adapt to project scope. Rather than evaluation by teams
of operators, quantification is based on the judgment of the analysts. Because of the similarity in assigned
weights, only one calibration group was used.

The analysts bring extensive experience to the evaluation including actual nuclear plant operations and
supervision, performance of many PRAs, thorough familiarity with emergency operating procedures, interviews
with many operators at many plants, and performance of many HRAs with extensive operator interaction,
including quantitative evaluations by multiple crews of operators.

Although multiple calibration groups were not used, the calibration actions bracketed the range of HEPs from
$1 \times 10^{-5}$ to $1 \times 10^{-1}$. The actions were rank ordered by likelihood index and verified by extensive consistency
checking. Given confidence in the rank ordering and the HEP endpoints, error among the intermediate HEPs
is limited.

Section 8.3.3.1 describes the qualitative process by which the actions are identified and described.
Section 8.3.3.2 describes the procedure used for evaluations within the context of the failure likelihood index
(FLI) methodology (Reference 8-32), a modified version of SLIM. Finally, Sections 8.3.3.3 and 8.3.3.4
summarize the quantification process, including an assessment of uncertainty.

8.3.3.1 Qualitative Evaluation

The purposes of the qualitative evaluation are to:

• Identify dynamic operator actions to include in the event tree sequence evaluation.
• Identify recovery actions to realistically model the accident sequence.
• Ensure that the impact of the success or failure of those actions is properly modeled.
• Develop descriptions of those actions in a form that will facilitate evaluation.

During event tree construction and accident sequence evaluation, a variety of operator tasks are considered
for inclusion in the model. These include:

• Manual actions required in abnormal and emergency procedures to prevent core damage following
an initiating event.

• Control of preferred cooling systems.

• Backup of automatically controlled systems.

• Immediate response to failures of active systems.

Once individual actions are identified for evaluation, the action boundary conditions, success criteria, and
event scenario timing are identified and recorded on the Operator Response Forms. The Operator Response
Form follows the format shown in Table 8-1. The purpose of this form is to provide a consistent format to
convey the context of the action to the evaluation team who will analyze its potential-for-failure, and to
provide a short summary of what is required to accomplish it. The available thermodynamic calculations
supporting the timing considerations and arguments supporting engineering judgments regarding timing are
contained in Chapter 5.

The first two sections of the form set up the situation facing the operators. They describe where in the event
tree model this action will take place and what indications the operators are expected to respond to in the
control room. The next three sections describe what is involved in accomplishing the action, the relevant
training and experiences, and those factors that compete for the operators' attention or divert them from the
task. Two sections are then provided to describe what happens in the event sequence model if the action
succeeds or fails. Finally, the time frame over which the action can be expected to be accomplished is
addressed.

Plant-human dependencies are described explicitly on the Operator Response Form, both in the section that
relates the action to the plant model and in the discussion of required actions and competing factors. This
permits the assessment team to understand the context of the action during the quantification of the action
so that the dependencies can be reflected properly in the final error frequency.

The Operator Response Form presents human-human dependencies by asking the assessment team to identify
with the situation at hand and to consider how an operating team may have made previous errors from which
they must recover. They are then asked to identify ways to recognize and recover from previous errors when
quantifying the dependent action.

8.3.3.2 Quantitative Evaluation

This study uses an adaptation of SLIM to elicit judgment and to convert the operator evaluations into
quantitative error frequencies. SLIM is based on the following assumptions:

• The likelihood of operator error in a particular situation depends on the combined effects of a
relatively small set of performance-shaping factors (PSF) that influence the operator's ability to
accomplish the action successfully.

• Evaluators can address each of these PSFs independently so that the overall evaluation can be
expressed as the sum of the results of each PSF to form a numerical likelihood index.

• The actual quantitative error rate is related to the numerical likelihood index by a logarithmic
relationship.

• The logarithmic relationship can be calibrated on a situational basis by use of appropriately selected
calibration tasks having generally accepted error rates.

The basis for the logarithmic relationship between the likelihood index and error rate is documented in
References 8-5, 8-33, and 8-34. Each of the other assumptions is addressed in the implementation procedure
below.

A small set of generic PSFs has been selected that are judged to encompass the major influences on operator
success or failure. These PSFs were chosen after a review of both the instructions and examples of the SLIM
documentation and the discussion of PSFs in Reference 8-34. Seven PSFs have been chosen to relate the
impact of the following:

• Conditions of the work setting under which the action must be accomplished. The PSFs are as
follows:

— Significant preceding and concurrent actions; i.e., the dependencies between actions.

— Plant interface and indications.

— Adequacy of time to accomplish the action.

• Requirements of the task itself. The PSFs are as follows:

— Procedural guidance.

— Complexity of the task relative to resources, coordination, and location.

• Psychological and cognitive condition of the operators. The PSFs are as follows:

— Training and experience relative to the action.


— Stress due to the situation and environmental conditions.

Performance-shaping factors are evaluated against two criteria:

• A rating relates the degree to which the conditions of PSF help or hinder the operator to perform
the action.

• A weight relates the relative influence of each PSF on the likelihood of the success of the action.

The evaluation of dynamic human errors with SLIM is made consistent by the development of a set of forms
and instructions to explain and expand on the rating procedures for the PSFs. These instructions constitute
behaviorally anchored rating scales (BARS) of Reference 8-35 that enhance consistency throughout the
evaluation process.

• Table 8-2 provides detailed guidance regarding the definition, interpretation, and application of each
PSF and the thought process that could lead to a specific potential-for-failure rating.

• Table 8-3 provides a summary of the definition of each PSF and detailed guidance regarding the
thought process that could lead to a relative influence weight.

• Table 8-4 summarizes the relationship between the rating and weighting processes. The rating
addresses the actual conditions under which the action must be accomplished. The weight is
equivalent to the operators stating how much the conditions relative to a specific PSF actually impact
the potential for success or failure of the action. If it is not a factor that controls their ability to do
the action, it is weighted low or insignificant.

The SLIM methodology has been modified so that the evaluators scale the potential-for-failure, rather than
the potential for success, when they rate the action. This change in orientation produces an FLI rather than
a success likelihood index. This approach has the advantage of quantitatively highlighting the causes of
operator difficulty. A high rating combined with a high weight produces a large FLI. This permits efficient
analysis of the potential problem areas and trends.

The shift to FLI is a simple algebraic transformation that does not affect the underlying assumptions of SLIM.
While the benchmarking of MAUD (Reference 8-5), Embrey's computer code to enforce consistency among
the weighting factors, may no longer apply, we do not rely on MAUD. Rather, we enforce consistency through
the BARS of Table 8-3, and we review the rank-ordered actions for reasonableness.

The independence of the PSFs is addressed by the definition at the top of each evaluation form that
emphasizes the different influences that each PSF is intended to address. While independence is impossible
to achieve, the structured approach defined by the form provides a practical approach for controlling the
influence of one PSF on another. Another major premise of the SLIM methodology is that the evaluation
team can assign the weight and the rating independently. The thought process necessary to distinguish between these
two orientations of the process is stressed in Table 8-4.

During evaluation of the operator actions, the evaluation team is also requested to consider a number of
possible errors. These include:

• Nonresponse Errors, Also Called Errors of Omission. This would include problems generated by both
the plant interface and the competition of other actions.

• Time and Resource Limitations. For certain actions, the operators are requested to identify the
number of people and the coordination required to get the job done. The potential-for-failure will
then be impacted by the personnel and communications they have available.

• Nonviable Errors. Under some conditions, the operators may correctly diagnose the accident scenario
but select the wrong response. These errors are believed to be governed by operator slips; e.g.,
selecting the wrong controls for the tasks. The control room feedback problems that could keep such
errors from being detected are also considered.

8.3.3.3 Quantification Process

The quantification process is done in a series of stages.

First, a normalized weight for each PSF is obtained by dividing the weight assigned by the evaluation team
by the total of all of the weights for that particular action.

The FLI is calculated by multiplying the normalized weight of the PSF by its rating and adding that result to
similar results for the other PSFs, or

$$\mathrm{FLI} = \sum_i w_i R_i$$

where

$i$ = PSF that has an influence on the error rate of the action.

$w_i$ = weight of PSF$_i$, normalized so that $\sum_i w_i = 1$.

$R_i$ = potential-for-failure rating for PSF$_i$, from 0 to 10.

The error rate of each action is estimated by comparing the overall FLI to a correlation that follows the
relationship:

Logarithm (human error rate) = A + B(FLI)

The coefficients of the correlation are obtained from a least squares fit of the FLI of calibration actions that
have reasonable or generally accepted error rates in the industry.

To provide error rates that are consistent with other studies, the calibration of the human error rate model
generally uses well-defined actions obtained from evaluations for other PRAs and other statistical or analytical
evidence of failure frequencies for these actions. A human interaction database that encompasses these
sources and provides this documented evidence is available for events occurring at power.
No such database is yet available for shutdown events. Reference 8-6 offers a first gathering of the necessary
data, but events from Reference 8-4 are used for calibration at this time. The calibration procedure should
ensure that the numerical error rate estimates are realistic and consistent with available data, observed human
behavior, and the results from comparable expert evaluations of similar activities.

The use of some combinations of calibration actions may produce human error rates of 1.0 per demand for
FLI values of less than 10. When this occurs, all actions with an FLI above that value are quantified as being
guaranteed to fail.

A series of spreadsheets is used to accomplish the quantification process.

8.3.3.4 Uncertainty

The point estimate calculations are mean values because the calibration tasks provide mean values.
Uncertainty is quantified by direct judgment based on consideration of the absolute value of the point estimate
mean, type of action modeled, and judgments concerning the range of possible specific scenarios imbedded
in the definitions of events analyzed. For dynamic actions (A) and recovery actions (R), previous successful
actions have occurred. We believe that the uncertainty range should be larger as the mean value decreases.
The more frequent errors are of types we have observed on many occasions, while the rare events rely more
heavily on judgment and decomposition. For A and R events, we assign lognormal distributions with the
following range factors:

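| Mean of Distribution* | Range Factor |
|---|---|
| $\langle x \rangle < 1 \times 10^{-3}$ | 5 |
| $1 \times 10^{-3} < \langle x \rangle < 1 \times 10^{-1}$ | 3 |
| $1 \times 10^{-1} < \langle x \rangle$ | 2 |

*Truncated lognormal if $\langle x \rangle > 1 \times 10^{-1}$.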

For diagnosis events (D), the mean values are almost all very low, in the 1 x 10"* to 1 x 10" range. Given
4

the alarms and procedures at the plant, failing to diagnose and act in response to an initiating event is difficult
to imagine. Still, such events do happen. In particular, they occur when some unusual characteristic of the
initiating event or the sequence interferes with the operators' normally straightforward thinking process. Thus,
we believe that the distributions should be skewed toward low values, with a high end tail that affects the
mean. For diagnosis events, we assign a lognormal distribution with a range factor of 20. Numerical
experiments with such a distribution will convince the reader that it meets the requirements stated above.
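
The quantification steps of Section 8.3.3.3 and the range-factor assignment of Section 8.3.3.4, worked through in Python as an added example that is not part of the report (the report used spreadsheets). The weights, ratings and calibration FLI values are constructed; base-10 logarithms and a range factor defined as 95th percentile over median are assumptions, since the report states neither.

```python
"""FLI quantification sketch (added example; all inputs are constructed)."""
from statistics import NormalDist
import math

# The seven PSFs of Section 8.3.3.2; the short labels are this example's own.
PSFS = ("preceding_actions", "plant_interface", "time_adequacy",
        "procedures", "complexity", "training", "stress")

# Constructed evaluation of one hypothetical action: raw weights, 0-10 ratings.
WEIGHTS = {"preceding_actions": 10, "plant_interface": 20, "time_adequacy": 30,
           "procedures": 10, "complexity": 10, "training": 10, "stress": 10}
RATINGS = {"preceding_actions": 2, "plant_interface": 4, "time_adequacy": 6,
           "procedures": 3, "complexity": 5, "training": 2, "stress": 4}

# Constructed calibration actions as (FLI, accepted mean HEP). Only the HEP
# endpoints 1e-5 and 1e-1 follow the report; the FLI values are invented.
CALIBRATION = [(1.0, 1e-5), (4.0, 1e-3), (7.0, 1e-1)]


def fli(weights, ratings):
    """FLI = sum_i w_i * R_i, with the raw weights normalized to sum to 1."""
    if set(weights) != set(PSFS) or set(ratings) != set(PSFS):
        raise ValueError("weights and ratings must cover exactly the seven PSFs")
    if any(not 0 <= ratings[p] <= 10 for p in PSFS):
        raise ValueError("ratings must lie between 0 and 10")
    if any(weights[p] < 0 for p in PSFS):
        raise ValueError("weights must be non-negative")
    total = sum(weights.values())
    if total <= 0:
        raise ValueError("at least one PSF must carry weight")
    return sum(weights[p] / total * ratings[p] for p in PSFS)


def calibrate(points):
    """Least-squares fit of log10(HEP) = A + B * FLI; returns (A, B)."""
    if len(points) < 2:
        raise ValueError("need at least two calibration actions")
    xs = [x for x, _ in points]
    ys = [math.log10(h) for _, h in points]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    if sxx == 0:
        raise ValueError("calibration actions must differ in FLI")
    b = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sxx
    return my - b * mx, b


def hep(fli_value, a, b):
    """Mean HEP from the correlation; 1.0 means the action is guaranteed to fail."""
    return min(1.0, 10 ** (a + b * fli_value))


def range_factor(mean, kind="A"):
    """Range factor per Section 8.3.3.4: 20 for diagnosis (D), else by mean.

    The report leaves the band edges open; this sketch puts an edge value
    in the higher band.
    """
    if kind == "D":
        return 20
    if mean < 1e-3:
        return 5
    if mean < 1e-1:
        return 3
    return 2


def lognormal_shape(mean, rf):
    """(median, sigma) of a lognormal with this mean, assuming rf = p95 / median."""
    sigma = math.log(rf) / NormalDist().inv_cdf(0.95)
    return mean / math.exp(sigma ** 2 / 2), sigma


if __name__ == "__main__":
    a, b = calibrate(CALIBRATION)
    index = fli(WEIGHTS, RATINGS)
    mean = hep(index, a, b)
    print(f"A={a:.3f} B={b:.3f} FLI={index:.2f} mean HEP={mean:.2e} "
          f"range factor={range_factor(mean)}")
    # With this calibration the fitted line reaches HEP = 1.0 below FLI = 10.
    print(f"HEP reaches 1.0 at FLI = {-a / b:.2f}")
    # Diagnosis event: the high-end tail pulls the mean well above the median.
    median, sigma = lognormal_shape(1e-4, range_factor(1e-4, "D"))
    print(f"D event: mean 1.0e-04, median {median:.2e}, sigma {sigma:.2f}")
```

With a range factor of 20 the mean sits roughly five times above the median, which is the skew toward low values with an influential high-end tail that the diagnosis-event paragraph describes.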

8.3.3.4 Summary

The error rates resulting from the evaluation and the quantification are displayed in tabular format. This
permits easy review, comparison, and identification of the most important factors influencing each assessment.

It is important to recognize that the quantification of human error rates is only a small portion of the
information obtained from the SLIM approach. The trends of weights and ratings provide much valuable
information regarding the evaluator's judgment with respect to the focus of safety-related actions and the
difficulties involved in accomplishing them.

8.4 Actions while at Midloop


Several hundred specific actions are considered in this analysis, and over 150 are quantified directly. Others
are assigned HEPs equal to one of those actually quantified directly because of similarities in required
response, cues, timing, and all other factors.

The large number of specific action scenarios are actually special cases of a small number of functional
responses defined by plant procedures and colored by special conditions of the sequence of events that leads
to the need for action. To aid in understanding the many special cases, we organize their presentation under
the following topics:

• Human Responses

— Global Actions
— Primary Cognitive Response
— Specific Activities
— Recovery Actions

• Factors Affecting Response

— Initiating Event
— Previous/Concurrent Hardware Failures and Human Actions
— Other Performance-Shaping Factors

8.4.1 Human Responses

All of the actions discussed and quantified in this section fall into four broad categories, as shown in the
following table. Under each category, there are several specific cases described.

| Category | Specific Cases | Code | Discussion |
|---|---|---|---|
| Global Actions | | | These global events strongly affect other actions within the same event tree. If they fail, the subsequent actions that depend on them cannot succeed. |
| | Diagnosis | D | The initiator for each event tree creates a loss of RHR cooling condition that must be recognized. Furthermore, it must be understood to the extent that appropriate procedures are begun that can restore core cooling within the time available. |
| | Isolation of Canal | A2 | The loss of power events trip the major water supplies to the canal. If action is not taken quickly, the canal will drain through the main condensers, and service water cooling will be lost. No actions that involve equipment that requires cooling (pumps and heat exchangers) can succeed. |
| Primary Cognitive Responses | | A- | These actions are associated with the individual top events in the event trees. They represent the likelihood that, given a successful diagnosis (and, if necessary, successful isolation of the canal), the operators carry out the actions required by procedure to provide core cooling. |
| | Make-Up | M | If the reactor vessel level falls, either because of active overdraining or failure to properly maintain level, the operators can restore level to permit recovery of RHR system flow. |
| | Restore RHR Cooling | R | If the loss of RHR cooling is recoverable, the operators can shift to standby equipment or recover failed equipment. |
| | Steam Generator Bleed and Feed Cooling | S | The reactor can be cooled by boiling water on the secondary side of the steam generator. For conditions analyzed here, only reflux cooling is possible, as described in Chapters 5 and 7. While procedures call for feeding the steam generators, the cases of interest have sufficient inventory to support steaming alone. |
| | Primary Feed and Bleed | F | Under the guidance of recent thermal-hydraulic calculations, the mode of preference for this cooling method is known as fill and spill. The procedures and training are being modified to follow this approach: forced feeding of the primary until water spills out the power operated relief valves. Operators indicate that they would throttle flow gradually to conserve water as long as the RCS is cooling down. |
| | | 2CH | For scenarios in which no injection source is available, procedures guide operators to the use of the adjacent unit's charging pump. |
| | Gravity | G | For many cases, gravity draining water to the RCS can provide acceptable cooling. Often this cooling mode cannot provide long-term stability, but can greatly extend the time available for recovery of other cooling paths. |
| | Recovery of Room Cooling | ARC | For loss of emergency switchgear ventilation scenarios, early recovery by opening doors and rigging portable fans can avoid the loss of RHR initiating event entirely. When the operators respond effectively to high room temperature alarms, no impact on the plant occurs. |
| Specific Activities | | Individual Identification Code | In several cases, detailed low level operator actions associated with specific equipment recovery in support of the activities described above are modeled separately in the fault trees. In such cases, diagnosis (global) and the cognitive aspects of the detailed action are quantified by high level events in the fault tree. If those activities are successful, then the lower level actions are possible. |
| Recovery | | R- | Recovery actions beyond those indicated above are considered on a limited case-by-case (i.e., cutset-by-cutset) basis. |

Note that the decomposition of human actions shown above is for the convenience of coupling the HRA with
the event tree/fault tree model. It is not a cognitive model of human behavior. Nevertheless, it is a scheme
for decomposing the actions into a form amenable to application of the analysis process of Section 8.3.

8.4.2 Factors Affecting Performance


Once the required actions are understood, we must go further to understand them within the context of their
application. We can think of the continuum of factors affecting performance in terms of a discrete set of
conditions as described below.

| Factor | | Phase 2 PRA Model |
|---|---|---|
| Initiating Event | | Each human action is conditioned on the initiating event that begins the event sequence. They are all identified and explicitly considered. In some cases, the effects of different initiators are identical, and the same quantification is used for those cases. The detailed cause of the initiating event is not considered in Phase 2. |
| Previous/Concurrent Hardware Failures and Human Actions | No Other Complicating Factors | All actions are first analyzed under this condition. For the reasons described in Section 8.1, this value of the human action quantification is used for some cases in which complicating factors should degrade human performance. Therefore, some cutsets with additional failures are optimistically quantified. That such cutsets would have negligible impact on risk should be verified at the time of the comprehensive HRA. |
| | Event Tree Sequence | The impact of the action occurring on different branches of an event tree is quantified for cases with significant differences. |
| | Isolated Hardware Failures and Maintenance Activities that Create an Impediment to Successful Action Due to the Hardware Failure Alone, but Create No Confusion and Require No Special Response | These effects are not modeled, except that possible failure of the backup equipment is modeled. Because they have little impact on human cognitive response, and because few situations have extremely short time windows for action, these cases are expected to have a minimal impact on the results. |
| | Significant Support System Failures | These effects are not modeled except for some recovery action cases. They can lead to very severe degradation in human performance for scenarios with substantial functional failures, but such cases are expected to be of very low frequency. |
| | Previous Failure of Human Action | These effects are not thoroughly modeled except for some recovery action cases. However, if diagnosis fails, all subsequent actions are failed. Otherwise, because diagnosis was successful, the operators are on the right track. Therefore, the failures are probably due to minor slips or physical difficulties that can be bypassed by continuing with the procedure. While we do not expect this approach to lead to major errors in quantification, the validity of this judgment requires verification through detailed modeling. |
| Other Performance-Shaping Factors | | The other performance-shaping factors described in Section 8.3 are thoroughly considered. |
| Time after Shutdown | | No special maintenance unavailability conditions that apply during each POS are considered other than positions of the LIVs, inventory in the steam generators, and likelihood of the pressurizer safety valves being removed. Draindown initiators must happen on entering the respective POS. Realistic treatment of timing throughout each POS is supported through the use of multiple time windows. Time is discretized into four ranges that affect success criteria differently as described in Chapter 5. |

Thus, the current analysis is thorough in terms of modeling actions for which the operators are well trained.
However, for some unlikely but possible situations, the analysis is optimistic. It is believed that the overall
impact of not quantifying such situations will be small. That belief must be tested during the comprehensive
work that is to follow (Reference 8-6).

8.5 Results of Human Actions Analysis


The event tree and systems evaluations identified the dynamic operator actions and recovery actions that are
listed in Tables 8-5 through 8-9 as being potentially important influences for the mitigation of severe core
damage sequences. The reasoning for their explicit inclusion in the plant model is discussed in the description
of the fault trees/event trees and the definition of the event tree top events in Chapters 6 and 7. This section
presents the following:

• Qualitative description of the tasks required to accomplish the actions successfully, and the conditions
under which they must be accomplished.

• Quantitative evaluation of performance-shaping factors reflecting the evaluation team's judgments
regarding the potential-for-failure for successfully accomplishing the actions.

• Mean value of the human error rates derived from the quantification evaluation using the adaption
of the SLIM methodology discussed in Section 8.3.3.

8.5.1 Qualitative Description of the Dynamic Human Actions


For the loss of RHR initiating events, Tables 8-5 through 8-9 present the qualitative evaluation (i.e., Operator
Response Forms) for each analyzed dynamic human action. The qualitative evaluations for the inadvertent
safety injection signal, loss of support system, and loss of offsite power initiating events are similar, and are
described in Table 8-10. Tables 8-11 and 8-12 show the qualitative evaluation for each recovery action
modeled. The descriptions on the forms were developed by the human action analysts, with information
provided by the event tree and fault tree analysts regarding the conditions under which each action is
demanded. The forms are written in accordance with the guidelines contained in Section 8.3.3.1. Sufficient
detail is provided to define the context of the action. The justifications of the time windows for the actions
are presented in Chapter 5.

The naming convention for the human error basic events used the following format:

A-BBCC-DDD-EEE-F

where

A is the type of human action event:

D for the global diagnosis part of the dynamic human actions.
A for the action part of the dynamic human actions.
R for recovery actions.

BB is the initiating event designator:

RA for overdraining.
RB for failure to maintain level.
R3 for nonrecoverable loss of RHR.
R4 for nonrecoverable loss of the operating RHR train.
R5 for recoverable loss of RHR.
SI for inadvertent safety injection.
CC for loss of CCW.
AR for loss of instrument air.
SR for loss of emergency switchgear room cooling.
VB for loss of a vital bus.
4K for loss of a 4-kV emergency bus.
L1 for loss of offsite power Case 1.
L2 for loss of offsite power Case 2.
L3 for loss of offsite power Case 3.
B1 for Unit 1 blackout.
B2 for Unit 2 blackout.

CC is the time window W1, W2, W3, or W4 as defined in Chapter 5. For recovery events, the POS
D6, R6, or R10 is also necessary.

DDD is the designation for dynamic actions and recovery actions: XHE.

EEE is the identifier for human actions:

M for makeup of RCS inventory.
R for restoration of RHR.
F for RCS feed and bleed.
S for steam generator feed and bleed.
G for gravity feed from RWST.
Or a unique identifier with one to three characters for the recovery considerations.

F is the sequence number in the event tree.

For global failure to diagnose, core damage is assumed to result, and no sequence number is needed. For
failure to take the correct action, a sequence number is necessary.
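The naming convention above can be checked mechanically, for example when auditing a cutset listing for malformed human error basic events. The following parser is an added example, not part of the report or its software. It assumes that every name carries the EEE field, that the POS code of a recovery event directly follows the time window inside the second field, and that the sequence number is optional for recovery events; the sample names are constructed.

```python
import re
from typing import Dict, List, NamedTuple, Optional

EVENT_TYPES = {"D": "global diagnosis", "A": "action", "R": "recovery"}
INITIATORS = {
    "RA": "overdraining", "RB": "failure to maintain level",
    "R3": "nonrecoverable loss of RHR",
    "R4": "nonrecoverable loss of the operating RHR train",
    "R5": "recoverable loss of RHR", "SI": "inadvertent safety injection",
    "CC": "loss of CCW", "AR": "loss of instrument air",
    "SR": "loss of emergency switchgear room cooling",
    "VB": "loss of a vital bus", "4K": "loss of a 4-kV emergency bus",
    "L1": "loss of offsite power Case 1", "L2": "loss of offsite power Case 2",
    "L3": "loss of offsite power Case 3",
    "B1": "Unit 1 blackout", "B2": "Unit 2 blackout",
}
ACTIONS = {
    "M": "makeup of RCS inventory", "R": "restoration of RHR",
    "F": "RCS feed and bleed", "S": "steam generator feed and bleed",
    "G": "gravity feed from RWST",
}

# A-BBCC-DDD-EEE-F. ASSUMPTION: the POS (D6, R6, R10) follows the window in field 2.
_NAME = re.compile(
    r"^(?P<type>[A-Z])-(?P<init>[A-Z0-9]{2})(?P<win>W[1-4])(?P<pos>D6|R6|R10)?"
    r"-(?P<desig>[A-Z]{3})-(?P<act>[A-Z0-9]{1,3})(?:-(?P<seq>\d+))?$"
)


class HumanEvent(NamedTuple):
    name: str
    kind: str
    initiator: str
    window: str
    pos: Optional[str]
    action: str
    sequence: Optional[int]


def parse_event(name: str) -> HumanEvent:
    """Decode one basic event name or raise ValueError saying what is wrong."""
    text = name.strip().upper()
    m = _NAME.match(text)
    if m is None:
        raise ValueError(f"{name!r}: does not match A-BBCC-DDD-EEE-F")
    kind, init, act = m["type"], m["init"], m["act"]
    if kind not in EVENT_TYPES:
        raise ValueError(f"{name!r}: unknown event type {kind!r}")
    if init not in INITIATORS:
        raise ValueError(f"{name!r}: unknown initiating event {init!r}")
    if m["desig"] != "XHE":
        raise ValueError(f"{name!r}: designation must be XHE")
    if kind == "R":
        # Recovery events need the POS and may use a unique 1-3 character identifier.
        if m["pos"] is None:
            raise ValueError(f"{name!r}: recovery event needs POS D6, R6, or R10")
        action = ACTIONS.get(act, f"recovery-specific identifier {act}")
    else:
        if m["pos"] is not None:
            raise ValueError(f"{name!r}: POS is only used on recovery events")
        if act not in ACTIONS:
            raise ValueError(f"{name!r}: unknown human action {act!r}")
        action = ACTIONS[act]
    # A failed action is tied to an event tree sequence; a failed diagnosis is not.
    if kind == "A" and m["seq"] is None:
        raise ValueError(f"{name!r}: action event needs a sequence number")
    seq = int(m["seq"]) if m["seq"] is not None else None
    return HumanEvent(text, EVENT_TYPES[kind], INITIATORS[init], m["win"],
                      m["pos"], action, seq)


def audit(names: List[str]) -> Dict[str, str]:
    """Return {name: problem} for every name that fails to parse."""
    problems = {}
    for n in names:
        try:
            parse_event(n)
        except ValueError as exc:
            problems[n] = str(exc)
    return problems


# Constructed sample names (not taken from the report's tables).
SAMPLE_NAMES = [
    "A-R3W1-XHE-F-4",       # feed and bleed after nonrecoverable loss of RHR
    "D-L1W2-XHE-M",         # diagnosis: no sequence number needed
    "R-R5W3R10-XHE-OSP-2",  # recovery with POS R10 and a unique identifier
    "A-R3W1-XHE-F",         # malformed: action without sequence number
    "R-R5W3-XHE-OSP",       # malformed: recovery without POS
    "A-ZZW1-XHE-F-1",       # malformed: unknown initiator
]

if __name__ == "__main__":
    for bad, why in audit(SAMPLE_NAMES).items():
        print(why)
```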

8.5.2 Quantitative Evaluations


The evaluation team quantitatively assessed the weights and potential-for-failure ratings of the seven PSFs in
accordance with the guidelines in Section 8.3.3.2, as summarized in Tables 8-2 and 8-3. Calibration actions
obtained from evaluations in NSAC-84 (Reference 8-4) are used to derive the failure rates. The calibration
PSF weights and ratings were provided by the analysts based on the discussions in NSAC-84.

To keep the differences in judgments explicit, no adjustment is made to the normalized weights or individual
PSF rating of either the evaluated actions or the calibration actions during this process. The FLI evaluations
are converted to human error rate estimates in accordance with the procedures outlined in Section 8.3.3.3.
The quantitative results for mean value HEPs covered a wide range:

Diagnoses: $1 \times 10^{-6} \rightarrow 5 \times 10^{-2}$

Actions: $1 \times 10^{-4} \rightarrow 1.0$

Recoveries: $1 \times 10^{-4} \rightarrow 0.3$

The individual human error rates are organized in Table 8-13. Evaluation details, and the weights and ratings
for the PSFs, are shown in Table 8-14.
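The quantification chain described above (PSF weights and ratings, normalized weights, FLI, calibration actions, human error rate) can be sketched as follows. This is an added example, not the report's code: it assumes the standard SLIM log-linear calibration, log10(HER) = a·FLI + b, fitted by least squares through the calibration actions, and it uses constructed weights, ratings and calibration points rather than the values of NSAC-84 or Table 8-14.

```python
import math

# The seven PSFs rated in Table 8-2 and weighted in Table 8-3.
PSFS = (
    "preceding_and_concurrent_actions",
    "interface_and_indications",
    "adequacy_of_time",
    "procedural_guidance",
    "task_complexity",
    "training_and_experience",
    "stress",
)
ALLOWED_WEIGHTS = {0, 1, 2, 4}  # Insignificant, Low, Normal, High


def failure_likelihood_index(weights, ratings):
    """Sum of normalized weight times rating over the seven PSFs (0 = best, 10 = worst)."""
    for psf in PSFS:
        if weights[psf] not in ALLOWED_WEIGHTS:
            raise ValueError(f"{psf}: weight must be 0, 1, 2, or 4")
        if not 0 <= ratings[psf] <= 10:
            raise ValueError(f"{psf}: rating must lie between 0 and 10")
    total = sum(weights[p] for p in PSFS)
    if total == 0:
        raise ValueError("all weights are zero; nothing to normalize")
    return sum(weights[p] / total * ratings[p] for p in PSFS)


def calibrate(points):
    """Least-squares fit of log10(HER) = a*FLI + b through (FLI, HER) calibration actions.

    ASSUMPTION: log-linear SLIM calibration; the report's own procedure is in
    its Section 8.3.3.3, which is not reproduced here.
    """
    if len(points) < 2:
        raise ValueError("need at least two calibration actions")
    xs = [f for f, _ in points]
    ys = [math.log10(h) for _, h in points]
    mx = sum(xs) / len(xs)
    my = sum(ys) / len(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    if sxx == 0:
        raise ValueError("calibration actions must have different FLI values")
    a = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sxx
    return a, my - a * mx


def human_error_rate(weights, ratings, a, b, time_required=None, time_available=None):
    """Convert one evaluated action to a human error rate, capped at 1.0."""
    # Table 8-2 note: if the time required exceeds the time available, the action
    # is guaranteed to fail and no PSF evaluation is needed.
    if (time_required is not None and time_available is not None
            and time_required > time_available):
        return 1.0
    fli = failure_likelihood_index(weights, ratings)
    return min(1.0, 10 ** (a * fli + b))


# Constructed calibration actions: (FLI, known human error rate).
CALIBRATION = [(2.0, 1e-4), (4.0, 1e-3), (8.0, 1e-1)]

# Constructed evaluation of one dynamic action.
SAMPLE_WEIGHTS = dict(zip(PSFS, (2, 4, 4, 2, 1, 1, 0)))
SAMPLE_RATINGS = dict(zip(PSFS, (5, 2, 7, 4, 6, 4, 9)))

if __name__ == "__main__":
    a, b = calibrate(CALIBRATION)
    fli = failure_likelihood_index(SAMPLE_WEIGHTS, SAMPLE_RATINGS)
    her = human_error_rate(SAMPLE_WEIGHTS, SAMPLE_RATINGS, a, b)
    print(f"a={a:.3f} b={b:.3f} FLI={fli:.3f} HER={her:.2e}")
```

A PSF with weight 0 drops out of the index entirely, whatever its rating, which is why the stress rating of 9 in the sample does not move the result.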

8.6 Recommendations
Assumptions made to support the quantifications need to be verified to increase confidence in the results of
this human action analysis. In addition, we believe that it is important to test the assumption that low
frequency scenarios involving dependent human actions not rigorously quantified will not contribute
substantially to risk. The dependencies involve previous human failures and previous support system failures.
The comprehensive HRA program is designed to provide this information (Reference 8-6).

However, as discussed elsewhere in this report, there are reasons to believe that the effects of dependencies
among human actions during shutdown are not as severe a problem at Surry as at other PWRs. The most
significant problems during shutdown identified in References 8-6 through 8-9 have been addressed by the
modifications at Surry. Table 8-15 summarizes special factors affecting human response at PWRs, and
compares the impacts of those factors during full-power operations, shutdown at most plants, and shutdown
at Surry. The additional alarms, procedures, and training at Surry lead to the conclusion that modeling human
response at Surry should be more similar to full-power operations at other PWRs than shutdown conditions
at them. Dependency is still an issue but is more on the order of that found in a typical full-power PRA.

For those modeling shutdown at other PWRs, more thorough care for dependencies will be required than is
found here. The results of the comprehensive HRA program (Reference 8-6) will be especially important.

8.7 References
8-1. Virginia Power, Operating Procedure, "Draining the RCS from 5% Pressurizer Level (29.0 ft) to
Mid-Nozzle (12.5 ft)," Surry Power Station, 1-OP-RC-005, Rev. 1, April 7, 1992.

8-2. Chu, T-L., et al., "PWR Low Power and Shutdown Accident Frequencies Program, Phase 1A —
Coarse Screening Analysis," Rough Draft Letter Report, Brookhaven National Laboratory,
November 13, 1991.

8-3. Chu, T-L., et al., "PWR Low Power and Shutdown Accident Frequencies Program, Phase 2 —
Internal Events," Rough Draft Letter Report, Brookhaven National Laboratory, August 31, 1992.

8-4. Bley, D. C., et al., "Zion Nuclear Plant Residual Heat Removal PRA," Pickard, Lowe, and Garrick,
Inc., prepared for Electric Power Research Institute, EPRI/NSAC Report NSAC-84, July 1985.

8-5. Embrey, D. E., et al., "SLIM-MAUD: An Approach To Assessing Human Error Probabilities Using
Structured Expert Judgment," Brookhaven National Laboratory, prepared for U.S. Nuclear Regulatory
Commission, NUREG/CR-3518, Vols. 1-2, March 1984.

8-6. Barriere, M., W. Luckas, D. Whitehead, A. Ramey-Smith, D. Bley, W. Brown, S. Cooper, J.
Wreathall, M. Donovan, J. Forester, P. Haas, and G. Parry, "An Analysis of Operational Experience
during Low Power and Shutdown and A Plan for Addressing Human Reliability Assessment Issues,"
Brookhaven National Laboratory, prepared for U.S. Nuclear Regulatory Commission,
NUREG/CR-6093, BNL-NUREG-52388, June 1994.

8-7. Vine, G., et al., "Residual Heat Removal Experience Review and Safety Analysis - Pressurized Water
Reactors," Electric Power Research Institute, Nuclear Safety Analysis Center, NSAC-52, January 1983.

8-8. Mollerus Engineering Corporation, "Residual Heat Removal Experience Review and Safety Analysis
— Pressurized Water Reactors, 1982-1989," prepared for Electric Power Research Institute, Nuclear
Safety Analysis Center, NSAC-156, August 1991.

8-9. Jones, W. R., "AEOD Special Evaluation — Review of Operating Events Occurring during Hot and
Cold Shutdown and Refueling," December 1991.

8-10. Westinghouse Electric Company, "Background Information for Westinghouse Owners Group
Abnormal Response Guideline ARG-1, Loss of RHR While Operating at Mid-Loop Conditions,"
March 15, 1991.

8-11. EG&G Idaho, Inc., "Thermal-Hydraulic Processes Involved in Loss of Residual Heat Removal During
Reduced Inventory Operation," Technical Report EGG-EAST-9337, Rev. 1, February 1991.

8-12. U.S. Nuclear Regulatory Commission, "Shutdown and Low-Power Operation at Commercial Nuclear
Power Plants in the United States," Draft Report for Comment, NUREG-1449, February 1992.

8-13. Nuclear Management and Resources Council, Inc., "Guidelines for Industry Actions to Assess
Shutdown Management," NUMARC 91-06, December 1991.

8-14. Virginia Power, Abnormal Procedure, "Loss of Decay Heat Removal Capability," Surry Power Station,
1-AP-27.00, Rev. 4, February 18, 1993.

8-15. Technical Report NE-865, "Background and Guidance for Ensuring Adequate Decay Heat Removal
following Loss of RHR," Surry and North Anna Power Stations, June 1992.

8-16. Technical Report NE-801, "Evaluation and Development of Setpoints for Abnormal Response
Guideline ARG-1, Loss of RHR While Operating at Mid-Loop Conditions," Surry Power Station
Units 1 and 2, December 1990.

8-17. Virginia Power, General Operating Procedure, "Unit Shutdown, RCS Cooldown from HSD to 345°F
— 350°F," Surry Power Station, 1-GOP-2.4, Rev. 1, February 27, 1992.

8-18. Virginia Power, General Operating Procedure, "Unit Shutdown, RCS Cooldown from 345°F—350°F
to 195°F," Surry Power Station, 1-GOP-2.5, Rev. 1, February 27, 1992.

8-19. Virginia Power, General Operating Procedure, "Unit Shutdown, RCS Cooldown from 195°F to
Ambient," Surry Power Station, 1-GOP-2.6, Rev. 1, February 27, 1992.

8-20. Virginia Power, Operating Procedure, "Draining the RCS to 5% Pressurizer Level (29.0 ft)," Surry
Power Station, 1-OP-RC-004.

8-21. Virginia Power, Operating Procedure, "Isolation and Drain of One Reactor Coolant Loop with the
Drained Loop Stop Valves Closed and RHR in Service," Surry Power Station, 1-OP-RC-006, Rev. 0,
March 2, 1992.

8-22. Virginia Power, Operating Procedure, "Isolation and Drain of All Reactor Coolant Loops with All
Loop Stop Valves Closed and RHR in Service," Surry Power Station, 1-OP-RC-007, Rev. 0, March 2,
1992.

8-23. Virginia Power, Operating Surveillance Procedure, "Unit 1 Safety Systems Status List for Cold
Shutdown/Refueling Conditions," Surry Power Station, 1-OSP-ZZ-004, Rev. 1, March 6, 1993.

8-24. Virginia Power, Operational Check, "Assessment of Maintenance Activities for Potential Loss of
Reactor Coolant Inventory," Surry Power Station, OC-28, January 22, 1991.

8-25. Virginia Power, Abnormal Procedure, "Non-Recoverable Loss of Instrument Air," Surry Power
Station, 0-AP-X0.00, Rev. 3, December 19, 1991.

8-26. Virginia Power, Abnormal Procedure, "Station Blackout," Surry Power Station, 0-AP-10.00, Rev. 5,
September 19, 1991.

8-27. Virginia Power, Emergency Contingency Action, "Loss of All AC Power," Surry Power Station,
1-ECA-0.0, Rev. 6, April 27, 1992.

8-28. Virginia Power, Abnormal Procedure, "Loss of Intake Canal Level," Surry Power Station, 0-AP-12.01,
Rev. 2, January 31, 1992.

8-29. Virginia Power, Abnormal Procedure, "Main Control Room Inaccessibility," Surry Power Station,
0-AP-20.00, Rev. 1, no date.

8-30. Virginia Power, Abnormal Procedure, "Fire Protection — Operator Response," Surry Power Station,
0-AP-48.00, Rev. 3, no date.

8-31. Virginia Power, Emergency Procedure, "Emergency Action Level Table (Tab A) System Shutdown
or Assessment System Shutdown," Surry Power Station, EPIP-1.01.

8-32. Chien, S. H., A. A. Dykes, J. W. Stetkar, and D. C. Bley, "Quantification of Human Error Rates
Using a SLIM-Based Approach," Proceedings of the 1988 IEEE Fourth Conference on Human Factors
and Power Plants, Monterey, California, June 5-9, 1988.

8-33. Embrey, D. E., "The Use of Performance Shaping Factors and Quantified Expert Judgment in the
Evaluation of Human Reliability: An Initial Appraisal," Brookhaven National Laboratory, prepared
for U.S. Nuclear Regulatory Commission, NUREG/CR-2986, May 1983.

8-34. Rosa, E., et al., "Application of SLIM-MAUD: A Test of an Interactive Computer-Based Method
for Organizing Expert Assessment of Human Performance and Reliability," Brookhaven National
Laboratory, prepared for U.S. Nuclear Regulatory Commission, NUREG/CR-4016, September 1985.

8-35. Jacobs, R., J. Mathieu, F. Landy, et al., "Organizational Processes and Nuclear Power Plant Safety,"
Proceedings of the Probabilistic Safety Assessment International Topical Meeting, pp. 211-215, Clearwater
Beach, Florida, January 26-29, 1993.

Table 8-1. Guidance Regarding Information To Include In Operator Response Forms


TASK IDENTIFIER with the summary reproduced from operation action summary table.

PRECEDING EVENTS
• List initiating events after which action may be required.
• Briefly summarize sequence of events leading to action.
— Base the sequences on the fault tree and event tree descriptions.
— Bound the range of possibilities (identify if influenced by initiating event).
• Identify any abnormal plant responses that may complicate the situation.

INDICATIONS OF PLANT CONDITION


• List what the operating crew sees that permits diagnosis that the action is required.
• Estimate how long the condition could exist before indications sufficient for diagnosis are
available to the operators.
• Describe parallel indications that can mask the action requirement.

PROCEDURAL GUIDANCE/REQUIRED ACTIONS


• Reference the procedure and steps that will be followed.
• State whether the task is an immediate memorized action.
• Briefly summarize the aspects of the action that could influence the operators' ability to
diagnose and accomplish it.
• Identify considerations in addition to procedures that could influence likelihood of success.

TRAINING AND EXPERIENCE


• List the relevant training and experience for this type of scenario.

CONCURRENT ACTIONS/COMPETING FACTORS


• Identify concurrent actions that could compete for attention.
• Briefly describe alarms, environmental conditions, and other distractions that could impact the
operating shift's concentration and produce stress.
• Discuss important aspects of the operator team interactions.

INDICATION OF SUCCESSFUL COMPLETION/SUCCESS IMPACT


• Characterize plant state upon completion based on fault tree and event tree success criteria.
• Describe how the operators can determine they have been successful.

FAILURE IMPACT
• Characterize the plant condition following failure to accomplish based on fault tree and event
tree success criteria.
• Identify later actions the operators have available to respond with once the plant has made a
transition to the failed condition.

TIME CONSTRAINTS
• List thermal/hydraulic and physical/equipment response considerations that influence time
available before transition to failed condition.
• Summarize what is known about time required to both diagnose and accomplish the tasks.

Table 8-2 (Page 1 of 7). Guidance for Rating the Potential for Failure Presented by Each PSF
Associated with Each Dynamic Human Action

PSF: Task Complexity

Definition: This performance-shaping factor rates the effect of multiple requirements on task success. It
can range through the entire gamut of coordination, multiple locations, remote operations, variety of
tasks, and communications requirements. It also rates the availability of resources.

Scaling Guidance: Compare different types of complexity, or lack of complexity, by judging how much
the operator is helped or hindered. Consider how the system is designed to avoid error if complex
actions must be accomplished. Also consider the availability of resources to accomplish the various parts
of the action.

Rating Example of Thought Process That Might Produce This Rating

-0 Very clearly understood and straightforward task with no interpretation of current situation
required.

-1

-2 Skill-based response by one operator with SRO concurrence that can be performed and verified
at one location.
-3

-4

-5 Series of tasks accomplished under direct control of one operator with SRO concurrence with a
rule-based response.

-6

-7 Knowledge-based response.

-8 Tasks involving coordination of more than one operator at more than one location.

-9 Tasks with contingencies that require coordinating decisions during different stages of the
transient event and among multiple operators at multiple locations.

-10

Notes:

Table 8-2 (Page 2 of 7). Guidance for Rating the Potential for Failure Presented by Each PSF
Associated with Each Dynamic Human Action

PSF: Plant Man-Machine Interface and Indications of Conditions

Definition: This performance-shaping factor relates the impact of the man-machine interface on the
likelihood of success. It measures the degree to which the instruments, alarms and controls available to
the operators at the time when the action must be accomplished assist them to perform the action.

Scaling Guidance:

Rating Example of Thought Process That Might Produce This Rating

-0 A wide variety of instruments and/or alarms focus the operators' attention on the blatant need
to act and provide an easy method to do so. Feedback on success is obvious.

-1

-2 Alarms and indications are clear and easily interpreted. Feedback is readily available close to
the point of action.

-3

-4

-5 Indications for this action are found within a familiar pattern of alarms, which operators are
trained to diagnose.

-6

-7

-8 Action requires that two or more operators work together because of controls and indications
that are far apart.
-9
-10 Indications confuse the operators and cause actions that could be wrong or inappropriate.

Notes:

Table 8-2 (Page 3 of 7). Guidance for Rating the Potential for Failure Presented by Each PSF
Associated with Each Dynamic Human Action

PSF: Adequacy of Time To Accomplish Action

Definition: Measure of time required to act compared with the time available and the effect on success.
The rating reflects the operator's confidence that the task can be accomplished in time to avert a change
to a failed state.

Scaling Guidance: Judgment should be based on the time required compared with the time available to
recognize, diagnose, and accomplish the action. Judgment about the length of these times may be
reflected by noting the task description times. Both the absolute difference in time and the ratios of the
time may be useful for making these judgments.

Rating Example of Thought Process That Might Produce This Rating

-0 Adequate time to accomplish action, bring in assistance if necessary, and correct errors.

-1 Time is on the operator's side.

-2 Enough time to complete procedures carefully and methodically with some outside assistance.

-3 Enough time to complete procedures carefully and methodically if no outside assistance needed.

-4

-5 Enough time to complete at a normal speed and to verify results, but with limited time to
correct significant errors.
-6

-7 Success requires rapid, practiced operator actions with little time to correct anything but a small
slip. Requires skillful and well-trained actions for success with any problem endangering the
chance for success.

-8

-9

-10 Time required about the same as time available. Operators can complete the task, but it will be
a very close call.

Notes: If the time required to complete the action exceeds time available, the action is guaranteed to
fail. Under these circumstances the reason why the action cannot be done is documented and
no PSF evaluation is required.

Table 8-2 (Page 4 of 7). Guidance for Rating the Potential for Failure Presented by Each PSF
Associated with Each Dynamic Human Action

PSF: Significant Preceding and Concurrent Actions

Definition: Preceding and concurrent actions set the stage for the modeled action and make it necessary
and obvious to the operators. They can also divert the operators' attention from this action or even
cause failure. (If necessary, some strongly dependent failures may be accounted for by specific split
fractions in the event trees.) Lack of preceding actions may create a surprise effect that should be
accounted for in this performance-shaping factor.

Scaling Guidance:

Rating Example of Thought Process That Might Produce This Rating

-0 Previous actions focus operators on the urgent need to act.

-1 There are no distractions from this action; it could also get close supervision and follow-up, if
necessary.
-2

-3 Operators are alerted to the need for possible action and are expecting it.

-4 Another step in standard or procedure-based responses.

-5 Action is not a surprise, but previous actions create some competition for operator attention.

-6

-7 This is one of many concurrent actions and could possibly be overlooked. Operator is taking
recovery actions from one or two previous problems.

-8 Operators are busy with other work and this is an unexpected, unusual transient.

-9 Previous operator problems create an unusual situation.

-10 The need to accomplish the action is unexpected and inconsistent with previous actions.

Notes:

Table 8-2 (Page 5 of 7). Guidance for Rating the Potential for Failure Presented by Each PSF
Associated with Each Dynamic Human Action

PSF: Procedural Guidance

Definition: This performance-shaping factor accounts for the extent to which plant procedures enhance
the operator's ability to perform the action. The operator may have available not only step-by-step
instructions but also guidance on when the action has been correctly done.

Scaling Guidance:

Rating Example of Thought Process That Might Produce This Rating

-0 Procedures are clear and definite. Operators can easily follow them.

-1

-2 Procedures are clear and definite. Operators can easily follow them but clarity could be
impacted by recent changes or other modifications.
-3
-4

-5 Procedures are available. Some operator interpretation of procedures required to perform
specific actions.

-6 Sequence of steps in procedure may require operators to return to a place that has been passed
(e.g., continuous action (WHEN) or retainment override steps).

-7 Procedures are being used but because of the need to act, the operator can use them only as a
backup check.

-8 Action is a chance event for which procedures can give only vague guidance.

-9 Procedures are poorly written and may be misleading.

- 10 There are no procedures for this action.

Notes:

Table 8-2 (Page 6 of 7). Guidance for Rating the Potential for Failure Presented by Each PSF
Associated with Each Dynamic Human Action

PSF: Training and Experience

Definition: This performance-shaping factor measures the effect of the familiarity and confidence the
operators have about the actions.

Scaling Guidance:

Rating Example of Thought Process That Might Produce This Rating

-0 Action is normally carried out during plant trip situations. Operators are thoroughly familiar
with this action and competent at it.
-1 Action is repeatedly carried out during simulator training. Operators are thoroughly familiar
with this action and competent at it.

-2 Actions that are normally carried out during typical plant trip situations can be easily applied to
this situation. Operators are well trained.

-3 Action is part of focus on safety functions. It is subject to thorough and repeated training.

-4 Action receives emphasis during normal training.

-5 Action is part of normal training, but receives no particular emphasis. Same action is used
during surveillance testing.
-6 Nonroutine action that is included in annual training. Surveillance test routinely carried out has
different steps than the required action.

-7 Nonroutine action that is included in annual training.

-8 Nonroutine action that is an option in annual or biannual training.

- 9 Nonroutine action that gets no simulator training.


-10 Action is unfamiliar or contrary to normal operational practice; e.g., defeating a safety system
and no procedures.

Notes:

Table 8-2 (Page 7 of 7). Guidance for Rating the Potential for Failure Presented by Each PSF
Associated with Each Dynamic Human Action

PSF: Stress

Definition: This performance-shaping factor accounts for the impact of adverse environmental
conditions and situations that may endanger the operator or damage or contaminate either the plant or
the environment. Depending on its nature and level, stress can serve as an incentive to accomplish the
action, or provide a diversion of attention that increases the likelihood of failure.

Scaling Guidance: Rating should focus on how the presence of stress will affect the concentration of the
operator on successfully accomplishing the action. In this context, stress can have both beneficial and
detrimental effects, and it is the judge's responsibility to assess the relative importance of the two.

Rating Example of Thought Process That Might Produce This Rating

-0 Stress level has made the operators alert, but they are not yet threatened; provides best incentive
to act.

-1

-2 Stress level is moderate; operators are aware of potential consequences; situation is typical of
training or experience.

-3

-4 Stress level is too low to keep the operators alert.

-5 Stress level is moderate; operators are aware of potential consequences; situation is unusual.

-6 Concern about possible outcome is increasing.

-7 Fatigue or tediousness affects performance.

-8 Potential loss is high if action is not successful; situation is unfamiliar. Consequences are high
enough to create physical tension.
- 9 Action must be done under severe environmental conditions of heat and humidity, loud noise, or
significant vibration.
- 10 Operators fight fear, tension and uncertainty while acting. Consequence could be high radiation
exposure, significant release, core damage, or threat to life.

Notes:

Table 8-3 (Page 1 of 7). Guidance for Assigning Relative Weights to the PSF Ratings Associated with
Each Dynamic Human Action

Significant Preceding and Concurrent Actions: The rating evaluates the impact of the preceding
scenario and other concurrent actions for either focusing the operators on or distracting them from
accomplishing the action.

The weight relates whether the above factors have any influence on the potential for the successful
completion of this action.

Weight Example of Thought Process

0 Insignificant: Other PSFs, such as time and indications, are so important to the success of this
action that what else has previously occurred or is going on has no influence on the success of
this action.

1 Low: Other PSFs, such as time and indications, are so important to the success of this action
that what else has previously occurred or is going on has little influence on the success
of this action.

2 Normal: The action must be accomplished in the context of what else is going on. We have no
reason for considering it more or less important than other PSFs.

4 High: The context in which the requirement for this action arises is a prime influence in our
potential for successfully completing it.

Table 8-3 (Page 2 of 7). Guidance for Assigning Relative Weights to the PSF Ratings Associated with
Each Dynamic Human Action

Plant Man-Machine Interface and Indications of Conditions: Scaled on the ability of the man-machine
interface to provide the information necessary to make the action a success.

The weight measures whether the above factors have any influence on the potential for the successful
completion of this action.

Weight Example of Thought Process

0 Insignificant: Other factors dominate so much that I don't care how bad or good the indications
are because they are not going to change the likelihood of the success of this particular
action.

1 Low: This is a skill-based action done in response to many alarms, with little or no diagnosis
required. I can easily verify my action in a variety of ways.

2 Normal: Patterns of indications are required to take action and verify proper plant response, but
no sophisticated diagnostics or control are required.

4 High: The success of the action is not possible without the proper response to feedback from
the plant instruments. We must use specific parameters to diagnose the problem and/or
control the plant.

Table 8-3 (Page 3 of 7). Guidance for Assigning Relative Weights to the PSF Ratings Associated with
Each Dynamic Human Action

Adequacy of Time To Accomplish Action: Measure of how the relationship between the time required to
recognize and to accomplish the action to the time available can influence the likelihood of success.

The weight relates whether the above factors have any influence on the potential for the successful
completion of this action.

Weight Example of Thought Process

0 Insignificant: Events evolve so gradually that the relationship between available and required
time does not matter. If we fail to do the action, it will be due to reasons other than time.

1 Low: A slowly evolving situation in which there should be sufficient time to act. Under these
circumstances, other PSFs would tend to be more important for determining the
potential for successful accomplishment.

2 Normal: Task must be done within a fairly well-understood period of time that has some
flexibility.

4 High: Time frame in which we must accomplish the action is well defined. The transitions
that present the initial requirement to accomplish the action are not gradual. If the
action is not accomplished, something definite will happen at a well-understood point in
the transient.

Table 8-3 (Page 4 of 7). Guidance for Assigning Relative Weights to the PSF Ratings Associated with
Each Dynamic Human Action

Procedural Guidance: The rating evaluates the extent to which the written procedures enhance the
operator's ability to perform the task correctly.

The weight relates whether the above factors have any influence on the potential for the successful
completion of this action.

Weight Example of Thought Process

0 Insignificant Immediate action task in which the operators do not have time, nor are expected, to
refer to the procedure before acting.

1 Low Specific skill-based actions for which procedures provide only general guidance
regarding options.

2 Normal Operators are tracking and responding to plant status using procedures, indications, and
other cognitive resources.

4 High Tasks that would be very difficult to accomplish without procedures.


Table 8-3 (Page 5 of 7). Guidance for Assigning Relative Weights to the PSF Ratings Associated with
Each Dynamic Human Action

Task Complexity: The rating evaluates how the presence or the lack of the following influences the
potential for the success of this action: available resources, multiple objectives, coordination,
communication, location of action, and sequencing of tasks.

The weight relates whether the above factors have any influence on the potential for the successful
completion of this action.

Weight Example of Thought Process

0 Insignificant Other PSFs dominate the considerations of the action so much that the complexity (or
lack of complexity) of this action has little or no influence on the potential for its
failure.

1 Low Other PSFs control the likelihood for the success of this action, but complexity does
have some influence.

2 Normal The number and sequencing of tasks and coordination necessary to accomplish them,
along with other factors definitely have an influence.

4 High It makes a big difference to us that this type of action is simple and straightforward, of
normal complexity, or really hard to accomplish without communication, coordination,
sequencing, etc.


Table 8-3 (Page 6 of 7). Guidance for Assigning Relative Weights to the PSF Ratings Associated with
Each Dynamic Human Action

Training and Experience: The rating evaluates the degree to which familiarity, skill level, and
confidence that the operators have regarding an action can influence its success.

The weight relates whether the above factors have any influence on the potential for the successful
completion of this action.

Weight Example of Thought Process

0 Insignificant

1 Low Simple actions that we are confident of being able to do when other factors are
controlling whether we can do them.

2 Normal Training and experience will have an influence on our ability to do this action, but many
other factors are of similar importance.

4 High Skill- or knowledge-based task for which the operators must rely on their training and
experience to be successful.


Table 8-3 (Page 7 of 7). Guidance for Assigning Relative Weights to the PSF Ratings Associated with
Each Dynamic Human Action

Stress: The rating evaluates the impact of the state of mind of the operators as they attempt to
accomplish the action or their ability to successfully concentrate on the requirements summarized in the
other six PSFs.

The weight relates whether the above factors have any influence on the potential for the successful
completion of this action.

Weight Example of Thought Process

0 Insignificant

1 Low Other PSFs are so important to the success of this action that our frame of mind has
little influence.

2 Normal Operators are tracking plant status and required responses during a transient.

4 High Because of the nature of the situation (either environmental or threat), our frame of
mind will have a strong impact on our ability to focus on the other PSFs that influence
success.


Table 8-4. Summary of the Relationship between the Rating and Weighting Processes

Rating: With respect to the things addressed by this PSF, are the conditions under which the action
must be accomplished helping or hindering us to successfully complete it? In other words, we are rating
the impact of the conditions on our likelihood to fail in accomplishing the action. Interpretation of the
range of ratings:

0-3 Helps
4-6 Is Neutral
7-10 Hinders

Weight: Does a variation between helping and hindering have more influence on the probability that we
will fail to complete it than other PSFs? In other words, is this PSF a focus of the action? Do we key
in on the things addressed by this PSF?

0 Insignificant compared to other PSFs.
1 Low: unimportant compared to other PSFs.
2 Normal: about the same as other PSFs.
4 High: much more important than other PSFs.

Weighting Thought Process

1. Initially set the weights of every PSF equal to 2.

2. Adjust weights of the PSFs only if you believe that their importance for judging the likelihood of
accomplishing the action is significantly (a factor of 2) greater or less than the other PSFs. The
weights will be normalized so that the maximum overall failure likelihood index will be a 10, so
the effect of increasing all of the weights is the same as increasing none.

3. Generally, actions requiring similar types of skills have the same PSF weights. Some examples
of groups of actions where differences in the focus may require different PSF weights are as
follows:

Immediate recognition and reaction.
Actions where diagnosis of need would dominate success.
Actions requiring a long sequence of manipulations.
Local actions involving coordination of activities.
Adjusting or controlling against indications.

Impact of Weight on How the Failure Likelihood Index Changes

Weight Rating Change Producing the Same Change in the FLI

1 1-9
2 3-7
4 4-6
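
The weighting arithmetic summarized in Table 8-4, as an added example that is not part of the report. It assumes the FLI is the weight-normalized sum of the PSF ratings (the formula is not stated in this section); the ratings are constructed, and `psf_1` and `psf_2` are placeholders for the two PSFs whose guidance pages fall outside this section.

```python
from fractions import Fraction

# Weight scale from Table 8-4: Insignificant, Low, Normal, High.
ALLOWED_WEIGHTS = (0, 1, 2, 4)


def failure_likelihood_index(psfs):
    """Return the FLI of one action as an exact Fraction.

    psfs maps a PSF name to (weight, rating).
    ASSUMPTION: FLI = sum(weight * rating) / sum(weight). Normalizing by the
    total weight is what caps the FLI at 10 however large the weights are.
    """
    total_weight = 0
    weighted_sum = 0
    for name, (weight, rating) in psfs.items():
        if weight not in ALLOWED_WEIGHTS:
            raise ValueError(f"{name}: weight must be one of {ALLOWED_WEIGHTS}")
        if not isinstance(rating, int) or not 0 <= rating <= 10:
            raise ValueError(f"{name}: rating must be an integer in 0..10")
        total_weight += weight
        weighted_sum += weight * rating
    if total_weight == 0:
        raise ValueError("every PSF has weight 0, so the FLI is undefined")
    return Fraction(weighted_sum, total_weight)


def rating_band(rating):
    """Interpretation of a single rating, per Table 8-4."""
    if not 0 <= rating <= 10:
        raise ValueError("rating must lie in 0..10")
    if rating <= 3:
        return "helps"
    if rating <= 6:
        return "neutral"
    return "hinders"


def fli_shift(psfs, name, new_rating):
    """Change in FLI when one PSF's rating moves to new_rating, all else fixed."""
    weight, _ = psfs[name]
    changed = dict(psfs)
    changed[name] = (weight, new_rating)
    return failure_likelihood_index(changed) - failure_likelihood_index(psfs)


def with_uniform_weight(psfs, weight):
    """Copy of psfs with every weight replaced by the same value."""
    return {name: (weight, rating) for name, (_, rating) in psfs.items()}


# Constructed (weight, rating) pairs for one hypothetical action with seven PSFs.
BASELINE = {
    "psf_1": (2, 5),                    # placeholder PSF
    "psf_2": (2, 5),                    # placeholder PSF
    "adequacy_of_time": (1, 1),         # Low weight, rating at the bottom of 1-9
    "procedural_guidance": (2, 3),      # Normal weight, bottom of 3-7
    "task_complexity": (4, 4),          # High weight, bottom of 4-6
    "training_and_experience": (2, 5),
    "stress": (2, 5),
}

if __name__ == "__main__":
    print("baseline FLI:", float(failure_likelihood_index(BASELINE)))
    # Each swing is the one Table 8-4 pairs with that PSF's weight.
    for name, top in (("adequacy_of_time", 9),
                      ("procedural_guidance", 7),
                      ("task_complexity", 6)):
        print(name, "->", top, "shifts the FLI by", fli_shift(BASELINE, name, top))
    # Raising every weight together changes nothing.
    for w in (1, 2, 4):
        print("all weights", w, "->",
              failure_likelihood_index(with_uniform_weight(BASELINE, w)))
```
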


Table 8-5. Qualitative Descriptions of Dynamic Human Actions Evaluated for the Surry Shutdown PRA
MRA(B):
Operator makes up RCS inventory following a loss of RHR at mid-loop.

PRECEDING EVENTS
• Loss of RHR due to
- over-draining (RA) or
- failure to maintain RCS level (RB).
• For the action event of accomplishing the RCS inventory makeup, operators have successfully diagnosed that a loss of RHR has occurred and referred to
1-AP-27.00 (Loss of Decay Heat Removal Capability).

INDICATIONS OF PLANT CONDITIONS
• Low RCS level.
- Control room RCS standpipe level 1-RC-LI-100A (may not be accurate when RCS boiling starts).
- Control room cold shutdown RCS level narrow range 1-RC-LR-105.
(ultrasonic indication of RCS level within the loop, i.e., from middle to top of the loop; may be partially unavailable when vital bus is unavailable)
- RCS standpipe level local indication.
- Shutdown cooling low level annunciator B-C-8.
• RHR pump motor amperage oscillation.
• Excessive RHR pump noise.
• No RHR flow
- Control room RHR flow indication 1-RH-FI-1605.
- RHR heat exchanger low flow annunciator B-C-6.

PROCEDURAL GUIDANCE
• 1-OP-RC-005 Draining the RCS from 5% Pressurizer Level (29X1 ft) to Mid-Nozzle (125 ft); for RAW1(2,3,4)-XHE-M-12
- Step 5.2: Draining the RCS from 5% Pressurizer Level to between 183 ft and 153 ft
(There is no level indication from 0 * in the pressurizer to 24.0 ft in the standpipe)
- Step 5.3: Requirements for entering Reduced Inventory (less than 153 ft).
- Step 5.4: Draining from 153 ft to 123 ft (Mid-Nozzle)
• 1-AP-27.00 Loss of Decay Heat Removal Capability
- Steps 2 & 9: Stop inventory loss and restore RCS level by increasing RCS makeup (close letdown line pressure control valve 1-CH-PCV-1145
and open charging flow control valve 1-CH-FCV-1122).
- Steps 4, 11, 15, 27, and 28: Stop and isolate vortexing RHR pump; start other RHR pump.

TRAINING AND EXPERIENCE


• Operators train on this scenario during simulator drills.
• Experience in maintaining RCS inventory and restoring RCS level during previous mid-loop operations.

CONCURRENT ACTIONS/COMPETING FACTORS


• None.

INDICATION OF SUCCESSFUL COMPLETION/IMPACT OF SUCCESS


• RCS level is restored.
- RCS standpipe level and cold shutdown RCS level narrow range are stable.
- Volume control tank level is stable.
- VCT level control valve 1-CH-LCV-1115A is not diverting to the boron recovery tank.
• Standby RHR pump may be started and RHR flow may be restored.

IMPACT OF FAILURE/ADDITIONAL CUES


• RHR pumps continue to vortex; no RHR flow.
• As RCS heats up RCS temperature increases; loss of subcooling and alarms.
• Boiloff would lead to decreasing RCS levels.

TIME CONSTRAINTS
• Time until boiling and time until core damage are time window dependent and are given in Chapter 5.
• It may be difficult to restore RHR when RCS starts boiling.
• Restoration of level should have taken only a few minutes.

SPECIAL CASES ANALYZED


• D-RAW1(2,3,4)-XHE. Operator diagnoses that a loss of RHR has occurred due to over-draining at mid-loop. (Also see tables for RRA, SRA, FRA, and GRA.)
• D-RAW1(2,3,4)-XHE. As described above for D-RAW1(2,3,4)-XHE, except the initiating event is failure to maintain RCS level.
• A-RAW1(2,3,4)-XHE-M-12. Operator makes up following over-draining at midloop.
• A-RBW1(2,3,4)-XHE-M-12. As described above for A-RAW1(2,3,4)-XHE-M-12, except the initiating event is failure to maintain level at
midloop.


Table 8-6. Qualitative Descriptions of Dynamic Human Actions Evaluated for the Surry Shutdown PRA
RRA(B,4,5):
Restore RHR cooling following a loss of RHR at mid-loop.

PRECEDING EVENTS
• Loss of RHR due to
- over-draining (RA),
- failure to maintain RCS level (RB),
- operating RHR train failure (R4), or
- recoverable RHR failure (R5).
• For the action event of restoring the RHR cooling, operators have successfully diagnosed that a loss of RHR has occurred and referred to 1-AP-27.00 (Loss of
Decay Heat Removal Capability).
• Operators have successfully restored the RCS inventory (for RA(B)W1(2,3,4)-XHE-R-5).

INDICATIONS OF PLANT CONDITIONS


• Low RCS level (for RA(B)W1(2,3,4)-XHE-R-5), restored RCS level (for RA(B)W1(2,3,4)-XHE-R-5), and slowly decreasing RCS level.
- Control room RCS standpipe level 1-RC-LI-100A (may not be accurate when RCS boiling starts).
- Control room cold shutdown RCS level narrow range 1-RC-LR-105.
(ultrasonic indication of RCS level within the loop, i.e., from middle to top of the loop; may be partially unavailable when vital bus is unavailable)
- RCS standpipe level local indication.
- Shutdown cooling low level annunciator B-C-6.
• RHR pump motor amperage oscillation (for RA(B)W1(2,3,4)-XHE-R-5).
• Excessive RHR pump noise (for RA(B)W1(2,3,4)-XHE-R-5).
• No RHR flow
- Control room RHR flow indication 1-RH-FI-1605.
- RHR heat exchanger low flow annunciator B-C-6.

PROCEDURAL GUIDANCE
• 1-AP-27.00 Loss of Decay Heat Removal Capability.
- Steps 4, 11, 15, 27, and 28: Stop and isolate vortexing RHR pump; start other RHR pump.

TRAINING AND EXPERIENCE


• Operators train on this scenario during simulator drills.
• Experience in restoring RHR cooling during previous mid-loop operations.

CONCURRENT ACTIONS/COMPETING FACTORS
• Restore RCS level (for RA(B)W1(2,3,4)-XHE-R-5).

INDICATION OF SUCCESSFUL COMPLETION/IMPACT OF SUCCESS
• RHR flow is restored; RCS temperature is stable or decreasing.

IMPACT OF FAILURE/ADDITIONAL CUES
• RHR pumps continue to vortex (for RA(B)W1(2,3,4)-XHE-R-5); no RHR flow.
• As RCS heats up RCS temperature increases; loss of subcooling and alarms.
• Boiloff would lead to decreasing RCS levels.

TIME CONSTRAINTS
• Time until boiling and time until core damage are time window dependent and are given in Chapter 5.
• Restoration of level should have taken only a few minutes (for RA(B)W1(2,3,4)-XHE-R-5). Stopping the vortexing RHR pump, and starting the standby RHR pump
should not take more than several minutes.

SPECIAL CASES ANALYZED


• D-RAW1(2,3,4)-XHE. Operator diagnoses that a loss of RHR has occurred due to over-draining at mid-loop.
(Also see tables for MRA, SRA, FRA, and GRA.)
• D-RBW1(2,3,4)-XHE. As described above for D-RAW1(2,3,4)-XHE, except the initiating event is failure to maintain RCS level.
• D-R4W1(2,3,4)-XHE. As described above for D-RAW1(2,3,4)-XHE, except the initiating event is loss of one (operating) RHR train.
• D-R5W1(2,3,4)-XHE. As described above for D-RAW1(2,3,4)-XHE, except the initiating event is recoverable loss of RHR.
• A-RAW1(2,3,4)-XHE-R-5. Operator restores RHR cooling following over-draining at midloop.
• A-RBW1(2,3,4)-XHE-R-5. As described above for A-RAW1(2,3,4)-XHE-R-5, except the initiating event is failure to maintain level; all else is identical.
Use same value as A-RAW1(2,3,4)-XHE-R-5.
• A-R4W1(2,3,4)-XHE-R-5. As described above for A-RAW1(2,3,4)-XHE-R-5, except the initiating event is loss of one RHR train (operating); no preceding actions; no
indication of low or restored RCS levels; there may not be RHR pump motor amperage oscillation and excessive RHR pump noise.
• A-R5W1(2,3,4)-XHE-R-5. Identical to A-R4W1(2,3,4)-XHE-R-5, except the initiating event is a recoverable loss of RHR.
Use same value as A-R4W1(2,3,4)-XHE-R-5.


Table 8-7 (Page 1 of 2). Qualitative Descriptions of Dynamic Human Actions Evaluated for the Surry Shutdown PRA
SRA(B,3,4,5):
Operator establishes steam generator bleed and feed (reflux cooling) following a loss of RHR at mid-loop.

PRECEDING EVENTS
• Loss of RHR due to
- over-draining (RA),
- failure to maintain RCS level (RB),
- unrecoverable RHR failure (R3),
- operating RHR train failure (R4), or
- recoverable RHR failure (R5).
• For the action event of establishing SG reflux cooling, operators have successfully diagnosed that a loss of RHR has occurred and referred
to 1-AP-27.00 (Loss of Decay Heat Removal Capability).
• Restoration of RCS level has failed (for RA(B)W1(2,3,4)-XHE-S-16) or restoration of RHR cooling has failed after successfully restoring level
(for RA(B,4,5)W1(2,3,4)-XHE-S-9).

INDICATIONS OF PLANT CONDITIONS


• Low RCS level (for RA(B)W1(2,3,4)-XHE-S-9(16)), restored RCS level (in the event of failure to restore RHR cooling; for RA(B)W1(2,3,4)-XHE-S-9), and slowly
decreasing RCS level.
- Control room RCS standpipe level 1-RC-LI-100A (may not be accurate if RCS boiling starts).
- Control room cold shutdown RCS level narrow range 1-RC-LR-105.
(ultrasonic indication of RCS level within the loop, i.e., from middle to top of the loop; may be partially unavailable if vital bus is unavailable)
- RCS standpipe level local indication.
- Shutdown cooling low level annunciator B-C-8.
• RHR pump motor amperage oscillation (for RA(B)W1(2,3,4)-XHE-S-9(16)).
• Excessive RHR pump noise (for RA(B)W1(2,3,4)-XHE-S-9(16)).
• No RHR flow
- Control room RHR flow indication 1-RH-FI-1605.
- RHR heat exchanger low flow annunciator B-C-6.
• Incore thermal couples for RCS temperature monitoring (may be partially unavailable if vital bus is unavailable).

PROCEDURAL GUIDANCE
• 1-AP-27.00 Loss of Decay Heat Removal Capability
- Steps 25, 27, and 28 and Attachment 5, Part 4: Maintain SGs near 33% NR level and dump steam using SG PORVs or main condenser to control RCS
temperature.

TRAINING AND EXPERIENCE
• Operators train on this scenario during simulator drills.

CONCURRENT ACTIONS/COMPETING FACTORS
• Restoration of RCS level (for RA(B)W1(2,3,4)-XHE-S-9(16)).
• Restoration of RHR cooling (for RA(B,4,5)W1(2,3,4)-XHE-S-9).

INDICATION OF SUCCESSFUL COMPLETION/IMPACT OF SUCCESS


• SG pressure is stable or slowly decreasing.
• SG level is slowly decreasing if water is not feeding into the SGs.
• WR hot leg temperatures are stable or slowly decreasing.
• WR cold leg temperatures are at saturation for SG pressure.
• RCS level is stable.
• Successful decay heat removal is established.

IMPACT OF FAILURE/ADDITIONAL CUES

• SG pressure is increasing if steam dump is unsuccessful.
• SG level is decreasing if no water is provided to the SGs.
• As RCS heats up RCS temperature increases; loss of subcooling and alarms.
• Boiloff would lead to decreasing RCS levels.

TIME CONSTRAINTS
• Time until boiling and time until core damage are time window dependent and are given in Chapter 5.
• Establishing SG reflux cooling should only take a few minutes if instrument air and semi-vital bus are available and if providing water to the SGs is not necessary.


Table 8-7 (Page 2 of 2). Qualitative Descriptions of Dynamic Human Actions Evaluated for the Surry Shutdown PRA

SPECIAL CASES ANALYZED


• D-RAW1(2,3,4)-XHE. Operator diagnoses that a loss of RHR has occurred due to over-draining at mid-loop.
(Also see tables for MRA, RRA, FRA, and GRA.)
• D-RBW1(2,3,4)-XHE. As described above for D-RAW1(2,3,4)-XHE, except the initiating event is failure to maintain RCS level.
• D-R3W1(2,3,4)-XHE. As described above for D-RAW1(2,3,4)-XHE, except the initiating event is unrecoverable loss of RHR.
• D-R4W1(2,3,4)-XHE. As described above for D-RAW1(2,3,4)-XHE, except the initiating event is loss of one (operating) RHR train.
• D-R5W1(2,3,4)-XHE. As described above for D-RAW1(2,3,4)-XHE, except the initiating event is recoverable loss of RHR.
• A-RAW1(2,3,4)-XHE-S-9. Operator establishes SG reflux cooling following over-draining at midloop, successful RCS makeup, and failure to restore RHR cooling.
It is assumed that failure of RHR cooling restoration is primarily attributed to hardware failure or difficulty in executing the restoration
process (i.e., not due to incompetent operator performance).
• A-RAW1(2,3,4)-XHE-S-16. Operator establishes SG reflux cooling following over-draining at midloop and failure to provide RCS makeup. It is assumed that failure
of RHR cooling restoration is primarily attributed to hardware failure or difficulty in executing the restoration process (i.e., not due to
incompetent operator performance).
• A-RBW1(2,3,4)-XHE-S-9. As described above for A-RAW1(2,3,4)-XHE-S-9 except the initiating event is failure to maintain level; all else is identical.
Use same value as A-RAW1(2,3,4)-XHE-S-9.
• A-RBW1(2,3,4)-XHE-S-16. As described above for A-RAW1(2,3,4)-XHE-S-16 except the initiating event is failure to maintain level; all else is identical.
Use same value as A-RAW1(2,3,4)-XHE-S-16.
• A-R3W1(2,3,4)-XHE-S-8. As described above for A-RAW1(2,3,4)-XHE-S-9 except adequate RCS level has been maintained and an unrecoverable loss of RHR has
occurred; all else is identical; no preceding actions; no indication of low or restored RCS levels; there may not be RHR pump motor
amperage oscillation and excessive RHR pump noise.
• A-R4W1(2,3,4)-XHE-S-9. As described above for A-R3W1(2,3,4)-XHE-S-8 except adequate RCS level has been maintained, the initiating event is loss of one RHR
train (operating), and restoration of RHR cooling has failed; preceding actions do not include failure of RCS makeup; no indication of
low or restored RCS levels; there may not be RHR pump motor amperage oscillation and excessive RHR pump noise. Use same value as
A-RAW1(2,3,4)-XHE-S-9.
• A-R5W1(2,3,4)-XHE-S-9. Identical to A-R4W1(2,3,4)-XHE-S-9, except the initiating event is a recoverable loss of RHR.
Use same value as A-RAW1(2,3,4)-XHE-S-9.


Table 8-8 (Page 1 of 2). Qualitative Descriptions of Dynamic Human Actions Evaluated for the Surry Shutdown PRA
FRA(B,3,4,5):
Operator establishes RCS feed and bleed following loss of RHR at mid-loop.

PRECEDING EVENTS
• Loss of RHR due to
- over-draining (RA),
- failure to maintain RCS level (RB),
- unrecoverable RHR failure (R3),
- operating RHR train failure (R4), or
- recoverable loss of RHR (R5).
• For the action event of establishing RCS feed and bleed, operators have successfully diagnosed that a loss of RHR has occurred and referred to
1-AP-27.00 (Loss of Decay Heat Removal Capability).
• RCS feed and bleed is considered in 4 sequences:
- Pressurizer safety valve(s) was removed, restoration of RCS inventory has been successful (for RA(B)W1(2,3,4)-XHE-F-5), and recovery of RHR cooling has failed
(RA(B,4,5)W1(2,3,4)-XHE-F-5).
- Pressurizer safety valve(s) was not removed, restoration of RCS inventory has been successful (for RA(B)W1(2,3,4)-XHE-F-9), recovery of RHR cooling has failed (for
RA(B,4,5)W1(2,3,4)-XHE-F-9), and SG bleed and feed has not been established.
- Pressurizer safety valve(s) was removed and restoration of RCS inventory has failed (for RA(B)W1(2,3,4)-XHE-F-12).
- Pressurizer safety valve(s) was not removed, restoration of RCS inventory has failed (for RA(B)W1(2,3,4)-XHE-F-16), and SG bleed and feed has not been established.

INDICATIONS OF PLANT CONDITIONS


• Low RCS level (in the event of over-draining or failure to maintain level; for RA(B)W1(2,3,4)-XHE-F-5(9,12,16)), restored RCS level (in the event of successful RCS
makeup; for RA(B)W1(2,3,4)-XHE-F-5(9)), and slowly decreasing RCS level.
- Control room RCS standpipe level 1-RC-LI-100A (may not be accurate when RCS boiling starts).
- Control room cold shutdown RCS level narrow range 1-RC-LR-105.
(ultrasonic indication of RCS level within the loop, i.e., from middle to top of the loop; may be partially unavailable if vital bus is unavailable)
- RCS standpipe level local indication.
- Shutdown cooling low level annunciator B-C-8.
• RHR pump motor amperage oscillation (in the event of over-draining or failure to maintain level; for RA(B)W1(2,3,4)-XHE-F-5(9,12,16)).
• Excessive RHR pump noise (in the event of over-draining or failure to maintain level; for RA(B)W1(2,3,4)-XHE-F-5(9,12,16)).
• No RHR flow
- Control room RHR flow indication 1-RH-FI-1605.
- RHR heat exchanger low flow annunciator B-C-6.
• Incore thermal couples for RCS temperature (may be partially unavailable if vital bus is unavailable) and sub-cooling monitoring.

PROCEDURAL GUIDANCE
• 1-AP-27.00 Loss of Decay Heat Removal Capability.
- Steps 23 A 25.C, 27, and 28 and Attachment 5, Parts 2 and 3: Feed and bleed of RCS and charging pump cross connect from unit 2; cold leg injection is the preferred
cooling path; however, this procedure instructs the operators to use the hot leg injection path first; this procedure only instructs the operators to
open 1 PORV (both PORVs are blocked open in the mid-loop operation); this procedure does not mention the feed and spill mode of operation which is the
preferred mode of operation, suppresses core boiling, and maintains RCS subcooling.

TRAINING AND EXPERIENCE
• Operators train on this scenario during simulator drills.

CONCURRENT ACTIONS/COMPETING FACTORS
• Restoration of RCS inventory (for RA(B)W1(2,3,4)-XHE-F-5(9,12,16)).
• Restoration of RHR cooling (for RA(B,4,5)W1(2,3,4)-XHE-F-5(9)).
• Establishing SG bleed and feed.

INDICATION OF SUCCESSFUL COMPLETION/IMPACT OF SUCCESS


• RCS temperatures are stable or slowly decreasing.
• RCS sub-cooling is maintained.
• Flow injection into RCS from HHSI or LHSI.
• Bleeding flow out of the pressurizer.
- PORV discharge temperature.
- Pressurizer relief tank level.
• Sufficient RCS level.
• Successful decay heat removal is established.

IMPACT OF FAILURE/ADDITIONAL CUES
• As RCS heats up RCS temperature increases; loss of subcooling and alarms.
• Boiloff would lead to decreasing RCS levels.


Table 8-8 (Page 2 of 2). Qualitative Descriptions of Dynamic Human Actions Evaluated for the Surry Shutdown PRA

TIME CONSTRAINTS
• Time until boiling and time until core damage are time window dependent and are given in Chapter 5.
• Establishing RCS feed and bleed should only take a few minutes unless local valve manipulations are necessary (e.g., crosstying unit 2 charging pump).

SPECIAL CASES ANALYZED

• D-RAW1(2,3,4)-XHE. Operator diagnoses that a loss of RHR has occurred due to over-draining at mid-loop.
(Also see tables for MRA, RRA, SRA, and GRA.)
• D-RBW1(2,3,4)-XHE. As described above for D-RAW1(2,3,4)-XHE, except the initiating event is failure to maintain RCS level.
• D-R3W1(2,3,4)-XHE. As described above for D-RAW1(2,3,4)-XHE, except the initiating event is unrecoverable loss of RHR.
• D-R4W1(2,3,4)-XHE. As described above for D-RAW1(2,3,4)-XHE, except the initiating event is loss of one (operating) RHR train.
• D-R5W1(2,3,4)-XHE. As described above for D-RAW1(2,3,4)-XHE, except the initiating event is recoverable loss of RHR.
• A-RAW1(2,3,4)-XHE-F-5. Operator establishes RCS feed and bleed following over-draining at midloop, successful RCS makeup, failure to restore RHR cooling,
and pressurizer safety valve removed. It is assumed that failure of RHR cooling restoration is primarily attributed to hardware failure or
difficulty in executing the restoration process (i.e., not due to incompetent operator performance).
• A-RAW1(2,3,4)-XHE-F-9. Operator establishes RCS feed and bleed following over-draining at midloop, successful RCS makeup, failure to restore RHR cooling
and failure to establish SG reflux cooling. It is assumed that failures of RHR cooling restoration and failure of SG reflux cooling are
primarily attributed to hardware failures or difficulty in executing the restoration or establishing process (i.e., not due to incompetent
operator performance).
• A-RAW1(2,3,4)-XHE-F-12. Operator establishes RCS feed and bleed following over-draining at midloop, failure to provide RCS makeup, and pressurizer safety
valve removed. It is assumed that failure of RCS makeup is primarily attributed to hardware failure or difficulty in executing the
restoration process (i.e., not due to incompetent operator performance).
• A-RAW1(2,3,4)-XHE-F-16. Operator establishes RCS feed and bleed following over-draining at midloop, failure to provide RCS makeup, and failure to establish
SG reflux cooling. It is assumed that failure of RCS makeup and SG reflux cooling are primarily attributed to hardware failure or
difficulty in executing the restoration process (i.e., not due to incompetent operator performance).
• A-RBW1(2,3,4)-XHE-F-5. As described above for A-RAW1(2,3,4)-XHE-F-5 except the initiating event is failure to maintain level; all else is identical.
Use same value as A-RAW1(2,3,4)-XHE-F-5.
• A-RBW1(2,3,4)-XHE-F-9. As described above for A-RAW1(2,3,4)-XHE-F-9 except the initiating event is failure to maintain level; all else is identical.
Use same value as A-RAW1(2,3,4)-XHE-F-9.
• A-RBW1(2,3,4)-XHE-F-12. As described above for A-RAW1(2,3,4)-XHE-F-12 except the initiating event is failure to maintain level; all else is identical.
Use same value as A-RAW1(2,3,4)-XHE-F-12.
• A-RBW1(2,3,4)-XHE-F-16. As described above for A-RAW1(2,3,4)-XHE-F-16 except the initiating event is failure to maintain level; all else is identical.
Use same value as A-RAW1(2,3,4)-XHE-F-16.
• A-R3W1(2,3,4)-XHE-F-4. As described above for A-RAW1(2,3,4)-XHE-F-12 except adequate RCS level has been maintained and an unrecoverable loss of RHR has
occurred; all else is identical; no preceding actions; no indication of low and restored RCS levels; there may not be RHR pump motor
amperage oscillation or excessive pump noise.
• A-R3W1(2,3,4)-XHE-F-8. As described above for A-RAW1(2,3,4)-XHE-F-16 except adequate RCS level has been maintained and an unrecoverable loss of RHR
has occurred; all else is identical; no preceding actions; no indication of low and restored RCS levels; there may not be RHR pump motor
amperage oscillation or excessive pump noise.
• A-R4W1(2,3,4)-XHE-F-5. As described above for A-RAW1(2,3,4)-XHE-F-5 except adequate RCS level has been maintained and the initiating event is loss of one
RHR train (operating); preceding actions do not include success of RCS makeup; no indication of low and restored RCS levels; there may
not be RHR pump motor amperage oscillation and excessive pump noise.
Use same value as A-RAW1(2,3,4)-XHE-F-5.
• A-R4W1(2,3,4)-XHE-F-9. As described above for A-RAW1(2,3,4)-XHE-F-9 except adequate RCS level has been maintained and the initiating event is loss of one
RHR train (operating); preceding actions do not include success of RCS makeup; no indication of low and restored RCS levels; there may
not be RHR pump motor amperage oscillation and excessive pump noise.
Use same value as A-RAW1(2,3,4)-XHE-F-9.
• A-R5W1(2,3,4)-XHE-F-5. Identical to A-R4W1(2,3,4)-XHE-F-5, except the initiating event is a recoverable loss of RHR.
Use same value as A-RAW1(2,3,4)-XHE-F-5.
• A-R5W1(2,3,4)-XHE-F-9. Identical to A-R4W1(2,3,4)-XHE-F-9, except the initiating event is a recoverable loss of RHR.
Use same value as A-RAW1(2,3,4)-XHE-F-9.


Table 8-9 (Page 1 of 2). Qualitative Descriptions of Dynamic Human Actions Evaluated for the Surry Shutdown PRA
GRA(B,3,4,5):
Operator establishes primary gravity feed following a loss of RHR at mid-loop.

PRECEDING EVENTS
• Loss of RHR due to
- over-draining (RA),
- failure to maintain RCS level (RB),
- unrecoverable RHR failure (R3),
- operating RHR train failure (R4), or
- recoverable RHR failure (R5).
• For the action event of establishing primary gravity feed, operators have successfully diagnosed that a loss of RHR has occurred and referred to
1-AP-27.00 (Loss of Decay Heat Removal Capability).
• Primary gravity feed is considered in 2 sequences:
- Pressurizer safety valve(s) was removed, restoration of RCS inventory has been successful (for RA(B)W1(2,3,4)-XHE-G-6), recovery of RHR cooling has failed (for
RA(B,4,5)W1(2,3,4)-XHE-G-6), and RCS feed and bleed has failed.
• Praesarb»sai^siha<s)w«r«sniwe4t*sioralio«otRCSta^^

INDICATIONS OF PLANT CONDITIONS

• Low RCS level (for RA(B)W1(2,3,4)-XHE-G-6(13)), restored RCS level (in the event of successful RCS makeup; for RA(B)W1(2,3,4)-XHE-G-6), and slowly decreasing RCS
level.
- Control room RCS standpipe level 1-RC-LI-100A (may not be accurate when RCS boiling starts).
- Control room cold shutdown RCS level narrow range 1-RC-LR-105.
(ultrasonic indication of RCS level within the loop, i.e., from middle to top of the loop; may be partially unavailable if vital bus is unavailable)
- RCS standpipe level local indication.
- Shutdown cooling low level annunciator B-C-8.
• RHR pump motor amperage oscillation (for RA(B)W1(2,3,4)-XHE-G-6(13)).
• Excessive RHR pump noise (for RA(B)W1(2,3,4)-XHE-G-6(13)).
• No RHR flow
- Control room RHR flow indication 1-RH-FI-1605.
- RHR heat exchanger low flow annunciator B-C-6.
• leooretberaiaJcQaplestorRCSteapBratBreXaiaybe^retftisiyasa^

PROCEDURAL GUIDANCE

• 1-AP-27.00 Loss of Decay Heat Removal Capability.


-Attacfaioat3.Part2:r^aadbbodof RC&cceaicgbjocrioektWiasfa^
l e f f a > c t i o a r ^ G r » t ; « ^ t i s s u e Dow pstb with tWpioisaiiiocssio^

TRAINING AND EXPERIENCE

• Operators train on this scenario during simulator drills.

CONCURRENT ACTIONS/COMPETING FACTORS
• Restoration of RCS inventory (for RA(B)W1(2,3,4)-XHE-G-6(13)).
• Restoration of RHR cooling (for RA(B,4,5)W1(2,3,4)-XHE-G-6).
• RCS feed and bleed.

INDICATION OF SUCCESSFUL COMPLETION/IMPACT OF SUCCESS
• RCS temperatures are stable or slowly decreasing.
• Flow injection into RCS from LHSI.
• RWST level is decreasing.
• Bleeding flow out of the pressurizer.
- Pressurizer discharge temperature.
- Pressurizer relief tank level.
• Sufficient RCS level.
• Successful decay heat removal is established.

IMPACT OF FAILURE/ADDITIONAL CUES
• As RCS heats up RCS temperature increases; loss of subcooling and alarms.
• Boiloff would lead to decreasing RCS levels.

TIME CONSTRAINTS
• Time until boiling and time until core damage are time window dependent and are given in Chapter 5. (It may be difficult to establish primary gravity feed when RCS boiling
starts).
• Establishing primary gravity feed should only take a few minutes.


Table 8-9 (Page 2 of 2). Qualitative Descriptions of Dynamic Human Actions Evaluated for the Surry Shutdown PRA

SPECIAL CASES ANALYZED


• D-RAW1(2,3,4)-XHE. Operator diagnoses that a loss of RHR has occurred due to over-draining at mid-loop.
(Also see tables for MRA, RRA, SRA, and FRA.)
• D-RBW1(2,3,4)-XHE. As described above for D-RAW1(2,3,4)-XHE, except the initiating event is failure to maintain RCS level.
• D-R3W1(2,3,4)-XHE. As described above for D-RAW1(2,3,4)-XHE, except the initiating event is unrecoverable loss of RHR.
• D-R4W1(2,3,4)-XHE. As described above for D-RAW1(2,3,4)-XHE, except the initiating event is loss of one (operating) RHR train.
• D-R5W1(2,3,4)-XHE. As described above for D-RAW1(2,3,4)-XHE, except the initiating event is recoverable loss of RHR.
• A-RAW1(2,3,4)-XHE-G-6. Operator establishes primary gravity feed following over-draining at midloop, successful RCS makeup, failure to restore RHR cooling,
pressurizer safety valve removed, and failure of primary 'feed and spill'. It is assumed that failure of RHR cooling restoration and
establishing primary 'feed and spill' are primarily attributed to hardware failures or difficulty in executing the restoration or establishing
process; i.e., not due to incompetent operator performance.
• A-RAW1(2,3,4)-XHE-G-13. Operator establishes primary gravity feed following over-draining at midloop, failure to provide RCS makeup, pressurizer safety valve
removed, and failure of primary 'feed and spill'. It is assumed that failure of RCS makeup and failure of primary 'feed and spill' are
primarily attributed to hardware failures or difficulty in executing the restoration or establishing process (i.e., not due to incompetent
operator performance).
• A-RBW1(2,3,4)-XHE-G-6. As described above for A-RAW1(2,3,4)-XHE-G-6 except the initiating event is failure to maintain level; all else is identical.
Use same value as A-RAW1(2,3,4)-XHE-G-6.
• A-RBW1(2,3,4)-XHE-G-13. As described above for A-RAW1(2,3,4)-XHE-G-13 except the initiating event is failure to maintain level; all else is identical.
Use same value as A-RAW1(2,3,4)-XHE-G-13.
• A-R3W1(2,3,4)-XHE-G-5. As described above for A-RAW1(2,3,4)-XHE-G-13 except adequate RCS level has been maintained and an unrecoverable loss of RHR
has occurred; no indication of low or restored RCS levels; there may not be RHR pump motor amperage oscillation and excessive RHR
pump noise; preceding actions do not include increase RCS makeup and recovery of RHR cooling; all else is identical.
• A-R4W1(2,3,4)-XHE-G-6. As described above for A-RAW1(2,3,4)-XHE-G-6 except adequate RCS level has been maintained and the initiating event is loss of one
RHR train (operating); preceding actions do not include success of RCS makeup.
Use same value as A-RAW1(2,3,4)-XHE-G-6.
• A-R5W1(2,3,4)-XHE-G-6. Identical to A-R4W1(2,3,4)-XHE-G-6, except the initiating event is a recoverable loss of RHR.
Use same value as A-RAW1(2,3,4)-XHE-G-6.

Table 8-10. Relationship between Loss of Support System/Loss of Offsite Power/Safety Injection Initiating Events and RHR Initiating Events

INITIATOR   CONDITION                   TOP EVENTS     SIMILAR RHR INITIATOR   Notes
SI          SI Recovered                All (1)        R5
SI          SI Not Recovered            All            R5                      2
CC          CCW Not Recovered           R              R5                      3
CC          CCW Not Recovered           S,F,G          R3                      4
4K          Bus Recovered               All            R5
4K          Bus Not Recovered           All            R4                      5
L1          AC Power Recovered          S,F,G          R5
L1          AC Power Not Recovered      S,F,G          R5                      6
L2          AC Power Recovered          S,F,G          R5                      7
L2          AC Power Not Recovered      S,F,G          R4"
L3          AC Power Recovered          S,F,G          R5'
L3          AC Power Not Recovered      S,F,G          R4'
B1          AC Power Recovered or Not   S, 2CHG', G                            10
B2          AC Power Recovered or Not   S,G                                    11
VB          Vital Bus Recovered         All            R4                      12
VB          Vital Bus Not Recovered     All            R5                      13
AR          AR Recovered or Not         All            R5"
SR          SR Recovered or Not         S, 2CHG", G                            16

Notes:
1. Means R, S, F, G.
2. Additional stress and concurrent actions, valve 109 needs to be opened using portable air supply.
3. Some additional complications, but not of high impact.
4. If restore RHR fails after CC, then the listed top events are equivalent to R3, there are some additional complications, but not of high impact.
5. Additional stress and concurrent demands, but no need to shift heat exchangers inside containment.
6. Additional diversion due to loss of non-vital power, canal isolation is required.
7. Additional diversion due to loss of non-vital power.
8. Additional stress and concurrent demands, no need to shift heat exchangers inside containment, canal isolation is required.
9. Means primary feed and bleed using Unit 2 charging pump after LOSP at midloop.
10. Unique conditions and the associated HEPs.
11. Use HEPs for B1.
12. Running RHR pump is damaged by runout.
13. Running RHR pump is lost and CCW valve 109 requires air to open. It is similar to SI with additional stress, complexity, and difficulty in diagnosis.
14. Identical to SI sequences.
15. Primary feed and bleed using Unit 2 charging pump after loss of emergency switch-gear room cooling at midloop.
16. Similar to B1/B2.

Table 8-11 (Page 1 of 4). Recovery Factors Initiators RA, RB, R3, R4 and R5

Human Cutset
Basic Event Condition Applicable Cutsets Functional Description, Timing, etc. Recovery Possibilities Technical Points
Action 1M3/M/3*

R-A1W1D6-XHE-C-A1 A1W1D6[A] LPIMDP-MA-SHA Redrc failure-RWST suction valve FTC, 2 'Recoveries:" man dose vtv & 4J1E-03 Analyses by Westinghouse, INEL, and 140,39,47
LPR-MOV-FT-1S62B after HP F&S success. No reflux-WlD6 uncertainty in success criteria. {If valve BNL (undocumented) indicate that 1
[A-RAW1-XHE-R-4 assumption of 3/3 SG req'd and 1 locally operable, dosed before pump SG is adequate at all times. VEPOO
or (CCW-LF.RHE2A and unavailable. If valve not ihut before air bound? If dosed later, can pump analysis and AP27 give more stringent
CCW-LF-RHE2B)] RWST empties, the LPI pump may prime?} {2/3 SG OK.OR U2 RWST success criteria. Operator fails to
become air bound. Because Wl, x-con to + MU} recover RHR early; shift to redrc Is >
U 2 RWST Insufficient. 10 hours later.

R-A2W1D6-XHE-OA2 A2W1D6[A] LFI-MDF-MA-SI1A Recirc failure-sump suction FTO, after 2 "Recoveries:" man open vtv & 431E-03 Analyses by Westinghouse, INEL, and 548
LPR-MOV-FT-1860B HP F&S success. No refluic-WlD6 uncertainty in success criteria. {If valve BNL (undocumented) indicate that 1
[A-RAW1-XHE-R-4] assumption of 3/3 SG req'd and 1 locally operable, open before core SG is adequate at all times. VEPCO
unavailable. Because W l , x-con to U2 damage) {2/3 SG OK.OR U 2 RWST analysis and AP27 give more stringent
RWST Insufficient. + MU) success criteria. Operator rails to
recover RHR carry; shift to recirc is >
10 hours later.

R-A3W1D6-XHE-C-A3 A3W1D6(A] {LPI-MDP-MA-SI1A Recirc fallure-both low pressure pumps "Recovery:* uncertainty in success N Analyses by Westinghouse, INEL, and 4,17
LFI-MDP-FS-SI1B unavail, after HP F&S success. No criteria {2/3 SG OK.OR U2 RWST + BNL (undocumented) indicate that 1
[A-RAW1-XHE-R-4]} reflux-WlD6 assumption of 3/3 SG req'd MU) SG is adequate at all times. VEPCO
or and 1 unavailable. Because Wl, x-con to analysis and AP27 give more stringent
{LPI-MDP-MA-SHA U2 RWST insufficient. success criteria. Operator fails to
((DCP-BAT-LP-BAT1B recover RHR early; shift to redrc is >
and 10 hours later.
(ACP-BCH-MA-UPSB1) or
DCP-BDC-ST-BUS1B)
CCW-LF-RHE2A)

R-A4W1D6-XHE-C-A4 A4VV1D6 CON-VFC-RP-COREM Delayed recirc failure-HP F&S success. "Recovery:" uncertainty in success N Analyses by Westinghouse, INEL, and 15
OSR-TRA-MA No recirc spray, when sump overheats, criteria {2/3 SG OK.OR U2 RWST + BNL (undocumented) indicate that 1
ISR-TRA-MA containment fails and LP pump fails. No MU> SG is adequate at all times. VEPCO
reflux-WlD6 assumption of 3/3 SG req'd analysis and AP27 give more stringent
and 1 unavailable. Because Wl, x-con to success criteria.
U 2 RWST insufficient.

R-A5W1 D6-XH&C-A5 A5W1D«[A) {ACP-BAC-ST-4KV1J 4KV1J and UPSB1 cause valve 109B to "Recovery:* uncertainty in success N Analyses by Westinghouse, INEL, and 19,21,22,52
orACP-BAC-ST-Ul-2 dose. Isolating CCW to RHR pump seal criteria {2/3 SG OK.OR U2 RWST + BNL (undocumented) indicate that 1
orACP-BAC-ST-Ul) cooler No reflux-WlD6 assumption of MU> SG is adequate at all times. VEPCO
ACP-INV-NO-UPSBl 3/3 SG req'd and 1 unavailable. Because analysis and AP27 give more stringent
LPI-MDP-MA-SI1A W l , x-con to VI RWST insufficient. success criteria. Operator tails to
recover RHR carry; shift to redrc is >
10 hours later.

R-A6W1D6-XHE-C-A6 A6W1D6[A) {ACP-BAC-ST-4KV1H or UPSA2 causes RHR flow control valve to "Recovery:" uncertainty in success N Analyses by Westinghouse, INEL, and 20,25,26
ACP-BAC-ST-1H1) open resulting in runout of RHR. Loss of criteria {2/3 SG OK.OR U2 RWST + BNL (undocumented) indicate that 1
ACP-INV-NO-UPSA2 H bus results in failure of recirc spray. No MU) SG is adequate at ail times. VEPCO
(HPI-MDP-MA-CHIB or reflux-WlD6 assumption of 3/3 SG req'd analysis and AP27 give more stringent
CPC-MDP-MA-SW10B) and 1 unavailable. Because Wl, x-con to success criteria. Operator tails to
U 2 RWST insufficient. recover RHR early, shift to redrc Is >
10 hours later.
Table 8-11 (Page 2 of 4). Recovery Factors Initiators RA, RB, R3, R4 and R5

Cutset
Basic Event Condition Applicable Cutsets Functional Description, Timing, etc. Recovery Possibilities Technical Points
Action

R-A6W1D6-XHE-C-A6 A6W1D6[A] (ACP-BAC-ST-4KV1H RHR and LPI lott. High head Injection "Recovery:" uncertainty in success N Analyses by Wesdnghouse, INEL, and 50,51
HPI-MDP-MA-CH1B > or possible. No creditforreflux due to criteria {2/3 SO OK.OR U2 RWST + BNL (undocumented) indicate that 1
{ACP-BAC-ST-4KV1J •ucceu criteria assumption. Because MU> SO Is adequate at all times. VEPCO
Ln-MDP-MA-SHA) Wl, x-con to U2 RWSTinnifficient. analrtk and AP27 give more stringent
CCW-LF-RHE2B success criteria. Operator rails to
recover RHR early; shift to redre is >
10 hours later.

R-A7W2R6-XHE-C-A7 A7W2R6[A] {ACP-BAC-ST-4KV1H or UPSA2 causes RHRflowcontrol valve to 3.15E-03 Operator fails to recover RHR eariy; 33,36,37
ACP-BAC-ST-1H1) open resulting in runout of RHR. Loss of shift to redrc is > 10 hours later.
ACP-INV-NO-UPSA2 H bus results in failure of redrc spray. No
LOOPISOLATED2R6 reflux-vowel isolated.
{Hn-MDP-MA-CH1B or
CPC-MDP-MA-SW10B)

R-A8W1R6-XHE-C-A8 A8W1R6[A] LPI-MDP-MA-SI1A Redrc failure-RWST suction valve FTC, "Recovery:* man dosevhr (If valve 4.43E-03 Operator Wis to recover RHR early; 38
LFR-MOV-FT-1862B after HP F&S success. No reflux-vessel Is locally operable, dosed before pump shift to redrc is > 10 hours later.
LOOPISOLATED1R6 isolated If valve not shut before RWST air bound? If dosed later, can pump
empties, the LPI pump may become air prime?)
bound. Because Wl, x-con to U2 RWST
insufficient.

R-B1DR6-XHE-D-B1 B1DR6 D-RAWl-XHE Fail to diagnose. No recoveiy. N The most Hkery cause of diagnosis 2,8,941,14,
D-RAW2-XHE failure involves complications 23,28,43,48
D-RAW3-XHE associated with human-induced IEs
D-RBW2-XHE causing misdirection on the part of the
D-RSW2-XHE operators. The likelihood of failure to
D-R5W3-XHE diag depends on the IE, time window
and POS, as previously quantified.

R-C1W1D6A-XHE-R-C1 C1W1D6A CPC-MDP-FR-SW10A Failure to recover RHR andfailureof "Recoveiy." account for realistic CPC N For cases in which the safety valves 3,54
CPC-MDP-MA-SW10B F&S. Assumes that failure of charging pump run rime (initially assumed to be are not removed and loops unisolated,
{(LPI-MDP-FS-SI1B and pump cooling water prevents recoveiy of 24 hours) to refill RHR. Cutset is reflux cooling under less severe success
LPI-MDP-MA-SI1A) or RHR. recovered if CPC runs for 1 hour and criteria may be possible. For windows
LFI-CCF-FS-SIIAB) operator recovers RHR (eg, 1 and 2, the time available may be too
A-RAWl-XHE-R-n). short to restore RHR by gravity feed.

R-C2W2D6A-XHE-R-C2 C2W2D6A CPC-MDP-FR-SW10A Failure to recover RHR and failure of "Recoveiy." account for realistic CPC N For windows 2, thetimeavailable 6
CPC-MDP-MA-SW10B F&S; no reflux because pressurlzer safety pump run rime (initially assumed to be may be too short to restore RHR by
LPI-MDP-FS-SI1B valves have been. Assumes that failure of 24 hours) to refill RHR. Cutset is gravity feed.
LPI-MDP-MA-SI1A charging pump cooling water prevents recovered if CPC runs for 1 hour and
/PZR-SV-REMOVEDW2 recovery of RHR. operatorrecoversRHR
(A-RAWl-XHE-R-n).
Table 8-11 (Page 3 of 4). Recovery Factors Initiators RA, RB, R3, R4 and R5

Cutset
Basic Event Condition Applicable Cutsets Functional Description, Timing, etc. Recovery Possibilities Technical Points
Action

R-C2W3D6A-XHE-R-C2 C2W3D6A CPC-MDP-FR-SW10A Failure to recover RHR and failure of "Recovery." account for realistic CPC N 16
CPC-MDP-MA-SW10B F&S; no reflux because pressurizer safety pump run time (initially assumed to be
LPI-MDP-FS-SI1B valves have been. Assumes that failure of 24 hours) to refill RHR. Cutset is
LPI-MDP-MA-SI1A charging pump cooling water prevents recovered if CPC runt for 1 hour and
/PZR-SV-REMOVEDW3 recovery of RHR. operator recovers RHR
(A-RAWl-XHE-R-n). More time
available for recovery than for
window 2.

R-C3W4R10A-XHE-R- C3W4R10A CPC-MDP-FR-SW10A Failure to recover RHR and failure of "Recovery." account for realistic CPC N For case* in which the safety valves 29
C3 CPC-MDP-MA-SWIOB F&S. Assumes that failure of charging pump run time (initially assumed to be are not removed and loops unlsolatcd,
LPI-MDP-FS-SI1B pump cooling water prevents recovery of 24 hours) to refill RHR. Cutset is reflux cooling under less severe success
LPI-MDP-MA-SI1A RHR. recovered if CPC runs for 1 hour and criteria may be possible.
operator recovers, RHR (e.g,
A-R10W4-XHE-R-n).

R-D1W2R6-XHE-C-D1 D1W2R6 {CPC-MDP-FR-SW10A or Redrc spray failure, successful low head cross connect unit 2 charging pump 3.15E-03 Reflux cooling is not possible. Lost of 7,27,30
ACP-BAC-ST-4KV1H) F&S, unrecoverable loss of RHR and RWST. but H fails HPI pump A and
{CPC-MDP-MA-SWIOB or recirculation.
HPI-MDP-MA-CH1B)
(OSR-TRA-MA
ISR-TRA-MA)

R-E1W2D6-XHE-C-E1 E1W2D6 ACP-BAC-ST-4KV1H Redrc spray failure, no high head action required starting at 10 hrs 1.20E-O4 gravity feed could be used to extend 12,13
AFW-MDP-MA-FW3B injection, aux feedwater unavailable extends time to 21 hrs. fire pump or time to align unit 2 AFW
{HPI-MDP-MA-CH1B or prevents long term reflux, low pressure unit 2 AFW needed for long term
CPC-MDP-MA-SWIOB} F&S successful. Reflux lasts about 10 hrs. success. Recovery considers only the
use of unit 2 AFW.

R-F1W1D6-XHE-C-FI FIW1D6 A-R3W1-XHE-C-8 Operator falls to establish redrc "Recovery:" uncertainty in success N Revisit basis for quantification of 24
criteria (2/3 SO OK. While alignment event.
to U2 RWST + MU could succeed,
no credit it given for operators to shift
toU2}

R-G1W2DR6-XHE-C-G1 G1W2DR6A ACP-BAC-ST-4KV1H RHR pump falls due to runout (loss of 1. feed SO via U2 AFW or fire pump; 1.03E-04 32,35,40,42,
ACP-INV-NO-UPSA2 bus UPSA2 results in RHR discharge valve or, 2. feed reactor via U2 RWST and 44,46
AFW-MDP-MA-FW3B to FO). Reflux cooling falls, SO dryout at charging pump
{HPI-MDP-MA-CH1B or 10 hrs. LPI successful; bus H fails redrc
CPC-MDP-MA-SWIOB} spray.
Table 8-11 (Page 4 of 4). Recovery Factors Initiators RA, RB, R3, R4 and R5

Cutset
Basic Event Condition Applicable Cutsets Functional Description, Timing, etc. Recovery Possibilities Technical Points
Action

R-H1W1DR5-XHE-T?? H1W1DR6A RWT-TNK-LF-RWST RWST inventory low. revisit system model for RWST N 34,45

Table 8-12 (Page 1 of 5). Recovery Factors for Initiators SR, SI, 4KV, AR, and CC

Human Cutset
Basic Event Condition Applicable Cutsets Functional Description, Timing, etc. Recovery Possibilities Technical Points
Action 1M3/M0*

R-A1W1D6-XHE A1W1D6(A] {(FREOCCW and Redrc failure-RWST suction valve FTC, 2 'Recoveries:' man dose vtv & 430E-03 Analyses by Westinghouse, INEL, and 13,63,69
H-CCW-REC-Wl)or after HP F&S success. Noreflux-WlD6 uncertainty in success criteria. {If valve BNL (undocumented) indicate that 1
(FREQ-SIand assumption of 3/3 SG req'd and 1 locally operable, dosed before pump SG Is adequate at ad rimes. VEPCO
H-SI-REC-W1) or unavailable. If valve not thut before air bound? If dosed later, o n pump analysis and AP27 give more stringent
(FREOVBaud RWST empties, the LPI pump may prime?) {2/3 SG OK.OR U 2 RWST success criteria. Operator b u s to
H-VB-REC-W1)} become air bound. Became W l , x-con to + MU) recover RHR carry; shift to redrc is >
LPI-MDP-MA-SIIA U 2 RWST insufficient. 10 hours later.
LPR-MOV-FT-1862B

R-A2W1D6-XHE-C A2W1D6{A] {(FREOCCW and Redrc failure-sump suction FTO. after 2 "Recoveries:'' man open vlv & 4.30E-03 Analyses by Westingaouse, INEL. and 22
H-CCW-REC-Wl) or HP F&S success. No reflux-WlD6 uncertainty in success criteria. {If valve BNL (undocumented) Indicate that 1
(FREQ-SIand assumption of 3/3 SG req'd and 1 locally operable, open before core SG is adequate at all times. VEPCO
H-SI-REC-W1) or unavailable. Because Wl, x-con to TJ2 damage) {2/3 SG OK.OR U2 RWST analysis and AP27 give more stringent
(FREQ-VBand RWST insufficient. + MU) sucoess criteria. Operator fails to
H-VB-REC-W1)} recover RHR early; shift to redrc is >
LPI-MDP-MA-SIIA 10 hours later.
LPR-MOV-FT-1S60B

R-A3W1D6-XHE-C A3W1D6(A] {(FREOCCW and Redrc failure-both low pressure pumps "Recovery:" uncertainty in success N Analyses by Westinghouse, INEL, and 23,37,38
H-CCW-REC-Wl) or unavaU, after HP F&S success. No criteria {2/3 SG OK.OR U 2 RWST + BNL (undocumented) indicate that 1
(FREOSIand reflux-WlD6 assumption of 3 0 SG req'd MU> SG is adequate at all times. VEPCO
H-SI-REC-W1) or and 1 unavailable. Because Wl, x-con to analysis and AP27 give more stringent
(FREOVB and U2 RWST insufficient. success criteria. Operator fails to
H-VB-REC-W1)} recover RHR early; shift to redrc is >
{(LPI-MDP-MA-SIIA and 10 hours later.
LPI-MDP-FS-SUB)
or
CCW-LF-RHE2A)

R-A4W1D6-XHE-C A4W1D6 FREOCCW Delayed redrc failure-HP F&S success. "Recovery:" uncertainty in success N Analyses by Westinghouse, INEL, and 49
H-CCW-REC-Wl No redrc spray, when sump overheats, criteria {2/3 SG OK.OR U2 RWST + BNL (undocumented) indicate that 1
CON-VFC-RP-COREM containment (alls and LP pump fails. No MU) SG Is adequate at all nines. VEPCO
OSR-TRA-MA reflux-WlDo assumption of 3/3 SG req'd analysis and AP27 give moro stringent
ISR-TRA-MA and 1 unavailable. Because Wl, x-con to success criteria.
U2RWSTlnsuffident.

R-A6W1D6-XHE-C A6W1D6[A] {ACP-BAC-ST-4KV1H or UPSA2 causes RHR flow control valve to "Recovery:" uncertainty in success N Analyses by Westinghouse, INEL, and 14,15
ACP-BAC-ST-1H1) open resulting in runout of RHR. Loss of criteria {2/3 SG OK.OR U2 RWST + BNL (undocumented) indicate that 1
ACP-INV-NOUPSA2 H bus results in failure of redrc spray. No MU) SG is adequate at all times. VEPCO
{HPI-MDP-MA-CH1B or reftux-WlD6 assumption of 3/3 SG req'd analysis and AP27 give more stringent
CPC-MDP-MA-SW10B) and 1 unavailable. Because Wl, x-con to success criteria. Operator fails to
U2 RWST Insufficient. recover RHR early, shift to redrc is >
10 hours later.
Table 8-12 (Page 2 of 5). Recovery Factors for Initiators SR, SI, 4KV, AR, and CC

Cutset
Basic Event Condition Applicable Cutsets Functional Description, Timing, etc. Recovery Possibilities Technical Points
Action 1M3/M/M

R-A9W2D6-XHE-C A9W2D6[A] FREQ-4KV "Recovery:" uncertainty in success N 30,31,53,54,
H-4KV-REC-W2 criteria of reflux cooling (window 2), 37,58
{ACP-INV-NO-UPSA2 or or U2 RWST + MU
CCW-LF-RHE2B}
(HPI-MDP-MA-CH1B or
CPC-MDP-MA-SW10B)
{SGB-DRAINED-R or
SGA-DRAINED-R}

R-A10W1D6-XHE-C A10W1D6[A] FREQ-CCW "Recovery:" uncertainty in success N 64
H-CCW-REC-W1 criteria of reflux cooling
A-CCWl-XHE-d-9

R-AI1W1R5-XHE-C A11W1R6[A] {(FRET>CCW and Redrc fallure-RWST tucdon valve FTC, "Recovery:" man dose vtv {U2 4.30E-O3 77
H-CCW-REC-Wl)or after HP F&S success. No reflux-loops RWST + MU)
(FREQ-SI and isolated If valve not shut before RWST
H-SI-REOWl)or empties, the LPI pump may become air
(FREQ-VBand bound. Because Wl,x-oon to U2 RWST
H-VB-REC-W1)} Insufficient.
LPI-MDP-MA-SI1A
LFR-MOV-FT-1862B
LOOPISOLATED1R6

R-A12W1R6-XHE-C A12W1R6[A] FREQ-4KV Recirc failure-RWST suction valve FTC, "Recovery:" man close vlv {U2 4.30E-03 79,88
H-4KV-REC-W1 after HP F&S success. No reflux-loops RWST + MU}
{HPI-MDP-MA-CH1B or isolated. If valve not shut before RWST
CPC-MDP-MA-SW10B} empties, the LPI pump may become air
ACP-INV-NO-UPSA2 bound. Because W1, x-con to U2 RWST
LOOPISOLATED1R6 insufficient.

R-B1DR6-XHE-D B1DR6 D-4KW2-XHE Fall to diagnose. No recovery. 1 The most likely cause of diagnosis 29,45,55,73
LWKW3-XHE failure Involves complications
associated with human-Induced IEs
causing misdirection on the part of the
operators. The likelihood of failure to
diag depends on the IE,timewindow
and POS, as previously quantified.

R-D2W2DR6-XHE-C D2W2DR6 FREQ-4KV Redrc spray failure, successful low head cross connect unit 2 charging pump 3.20E-03 Reflux cooling Is not possible. Loss of 26,33
H-4KV-REC-W2 F&S, unrecoverable loss of RHR and RWST. bus H fails HPI pump A and
{CPC-MDP-MA-SW10B or recirculation.
HPI-MDP-MA-CH1B}
(RHR-MDP-FS-RHR1B or
CCW-MDP-FS-CCP1B)
LOOPISOLATED2R6
Table 8-12 (Page 3 of 5). Recovery Factors for Initiators SR, SI, 4KV, AR, and CC

Cutset
Basic Event Condition Applicable Cutsets Functional Description, Timing, etc. Recovery Possibilities Technical Points
Action 1M3/MKU

R-D3W2R6-XHE-C D3W2R6 FREQ-4KV Rodrc spray failure, successful low head cross connect unit 2 charging pump 3.20BO3 Reflux cooling is not possible. Loss of 27,28,32,34,
H-4KV-REC-W2 FftS, unreooverable loss of RHR and RWST. bus H falls HFI pump A and 62,68
{CPC-MDP-MA-SW10B or recirculation.
HPI-MDP-MA-CH1B)
A-4KW2-XHE-R-12
LOOPISOLATEDW2

R-E1W2D6-XHE-C E1W2D6 FREQ-4KV Redrc spray failure, no high head action required starting at 10 hrs 1.20E-04 gravity feed could be used t o extend 5 9 , 6 a 66,67
H-4KV-REC-W2 Injection, aux feedwater unavailable extends time to 21 hrs. fire pump or time to align unit 2 AFW
AFW-MDP-MA-FW3B prevents long term reflux; low pressure unit 2 AFW needed for long term
{HFI-MDP-MA-CH1B or F&S successful. Reflux lasts about 10 hit. success. Recovery considers only the
CPC-MDP-MA-SW10B) use of unit 2 AFW.

R-G1W2DR6-XHE-C G1W2DR6A FREO-4KV RHR pump fails due to runout (loss of 1. feed SG via U2 AFW or fire pump; 1.00E-04 1,2,6,61,6578,
H-4KV-REC-W2 bus UPSA2 results in RHR discharge valve or, 2. feed reactor via U2 RWST and 80,81,82,83,
(ACP-INV-NO-UPSA2 or to FO). Reflux cooling fails, SG diyout at charging pump 84
RHR-CCF-FS-MDPAB or 10 hrs. LPI successful; bus H fails redrc
RHR-XVM-PG-XV6 or spray.
DCP-BAT-LP-BAT1A)
{AFW-MDP-MA-FW3B or
AFW-MDP-FS-FW3B}
(HFI-MDP-MA-CH1B or
HFI-MOD-FT-101B or
CPC-MDP-MA-SW10B)

R-G2W2DR6-XHE-C G1W2DR6A FREQ-4KV RHR pump fails due to runout (loss of . feed reactor via U2 RWST and 1.00E-04 3 , 4 , 7 0 , 7 1 , 74,
H-4KV-REC-W2 bus UPSA2 resulu in RHR discharge valve charging pump 75,85,86, 87
{ACP-INV-NO-UPSA2 or to FO). Reflux cooling falls, SG diyout at
RHR-MDP-FR-B24HR or 10 hrs. LPI successful; bus H fails redrc
CCW-MDP-FR-CCP1B or spray.
DCP-BAT-LP-BAT1A)
AFW-MDP-MA-FW3B
{HFI-MDP-MA-CH1B or
CPC-MDP-MA-SW10B)
{LOOFISOLATED2R6 or
(MS-AOV-FC-101A/B and
MSS-NRV-MA-101A/B)}
Table 8-12 (Page 4 of 5). Recovery Factors for Initiators SR, SI, 4KV, AR, and CC

Cutset
Basic Event Condition Applicable Cutsets Functional Description, Timing, etc. Recovery Possibilities Technical Points
Action 1M3/M/3*

R-G3W2DR6-XHE-C G3W2DR6A FRECMKV RHR pump fails due tofailureof CCW 1. feed SG via U2AFW orfirepump; 1.00E-04 5,7,8.11,12,
H-4KV-REC-W2 (assumed to fail RHR due to loss of seal or, 2. feed reactor via U2RWST and 16,17,2a 21,
<CCW-LF-RHE3Bor cooling). Reflux cooling fails, SGdiyout charging pump 24,25,39,41,
CCW-MDP-FS-CCPIB or atlOhrs. LPI successful; bus H M i 42,44,48,5a
RHR-MDP-FS-RHR1B) redrc spray. 72,76
AFW-MDP-MA-FW3B
{HPI-MDP-MA-CHlBor
CPC-MDP-MA-SW10B)

R-G4W2DR5-XHE-C G4W2DR6A FREtWKV RHR pump fails due to failure of CCW . feed reactor via U2RWST and 1J00E44 9,10,46,47
H-4KV-REC-W2 (assumed to fail RHR due to Ion of seal charging pump
<CCW.LF-RHE3Bor cooling). Reflux cooling falls, SGdiyout
CCW-MDP-FS-CCPIB or atlOhrs. LPI successful; bus H falls
RHR-MDP-FS-RHR1B) redrc spray.
AFW-MDP-MA-FW3B
{HPI-MDP-MA-CH1B or
CPC-MDP-MA-SW10B)
LOOPISOLATED2R6

R-G5W2DR6-XHE-C G5W2DR6A FREQ4KV Failure to recover RHR; reflux cooling 1. feed SG via U2AFW orfirepump; 1D0E-04 4a 43
H-4KV-REC-W2 falls; LPI successful; failure of bus H fails or, 2. feed reactor via U2RWST and
A-4KW2-XHE-R-12 redrc spray charging pump
AFW-MDP-MA-FW3B
{HPI-MDP-MA-CH1B or
CPC-MDP-MA-SW10B)

R-G6W1DR6-XHE-C G6W1DR6A FREQ-tKV RHR pump fails due to runout (loss of 1. feed SG via U2AFW orfirepump; U00RO4 52,56
H-4KV-REC-W1 bus UPSA2 results In RHR discharge valve or, 2. feed reactor via U2RWST and
{ACP-INV-NO-UPSA2 or toFO). Reflux cooling falls, SG dryout at charging pump
DCP-BAT-LP-BATIA) 10 hrs. LPI successful; bus H fails redrc
AFW-MDP-MA-FW3B spray.
{HPI-MDP-MA-CH1B or
CPC-MDP-MA-SW10B)
Table 8-13 (Page 1 of 84). Quantitative Results of BNL/Surry Human Action Evaluations

Mean Failure Likelihood


Human Action Basis Description
R6 D6 R10

D-RAW1-XHE Calculated 1.50E-05 Same as R6 N/A Failure to Diagnose Overdraining

D-RAW2-XHE Calculated 5.10E-06 Same as R6 N/A

D-RAW3-XHE D-RAW2-XHE 5.10E-06 Same as R6 Same as R6

D-RAW4-XHE Calculated 1.10E-06 Same as R6 Same as R6

A-RAW1-XHE-M-12 Calculated 1.10E-04 Same as R6 N/A Fail To Makeup Given Inventory Loss

A-RAW2-XHE-M-12 Calculated 2.00E-05 Same as R6 N/A

A-RAW3-XHE-M-12 A-RAW2-XHE-M-12 2.00E-05 Same as R6 Same as R6

A-RAW4-XHE-M-12 Calculated 6.70E-06 Same as R6 Same as R6

A-RAW1-XHE-R-4 Calculated 1.20E-03 Same as R6 N/A Failure To Restore RHR Given Successful

A-RAW2-XHE-R-4 Calculated 5.20E-04 Same as R6 N/A Makeup

A-RAW3-XHE-R-4 A-RAW2-XHE-R-4 5.20E-04 Same as R6 Same as R6

A-RAW4-XHE-R-4 Calculated 1.20E-04 Same as R6 Same as R6

A-RAW1-XHE-SF-9 Calculated 1.00E-03 N/A N/A REFLUX: Fail To Feed SGs Given Fail To Restore

A-RAW2-XHE-SF-9 Calculated 1.00E-03 Same as R6 N/A RHR but Successful Level Control

A-RAW3-XHE-SF-9 A-RAW2-XHE-SF-9 1.00E-03 Same as R6 Same as R6

A-RAW4-XHE-SF-9 Calculated 1.00E-03 Same as R6 Same as R6


Table 8-13 (Page 2 of 84). Quantitative Results of BNL/Surry Human Action Evaluations

Mean Failure Likelihood


Human Action Basis Description
R6 D6 R10

A-RAW1-XHE-S1-9 Calculated 4.00E-02 N/A N/A REFLUX: Fail To Bleed SGs Given Fail To Restore

A-RAW2-XHE-S1-9 Calculated 2.60E-03 Same as R6 N/A RHR but Successful Level Control

A-RAW3-XHE-S1-9 A-RAW2-XHE-S1-9 2.60E-03 Same as R6 Same as R6

A-RAW4-XHE-S1-9 Calculated 1.00E-03 Same as R6 Same as R6

A-RAW1-XHE-S2-8 Conserv Assumption 1 N/A N/A REFLUX: Fail To Establish Reflux after PRT

A-RAW2-XHE-S2-8 Conserv Assumption 1 Same as R6 N/A Rupture Given Fail To Restore RHR but Successful

A-RAW3-XHE-S2-8 Conserv Assumption 1 Same as R6 Same as R6 Level Control

A-RAW4-XHE-S2-8 Conserv Assumption 1 Same as R6 Same as R6

A-RAW1-XHE-FL-5 Calculated 5.00E-03 Same as R6 N/A B&F, SV Removed: Fail To Use LHSI in Feed and

A-RAW2-XHE-FL-5 Calculated 1.20E-03 Same as R6 N/A Spill Mode Given Fail To Restore RHR but

A-RAW3-XHE-FL-5 A-RAW2-XHE-FL-5 1.20E-03 Same as R6 Same as R6 Successful Level Control

A-RAW4-XHE-FL-5 Calculated 1.20E-03 Same as R6 Same as R6

A-RAW1-XHE-FH-5 Calculated 5.00E-05 Same as R6 N/A B&F: Fail HHSI in Feed and Spill Mode Given Fail

A-RAW2-XHE-FH-5 Calculated 2.00E-05 Same as R6 N/A To Restore RHR but Successful Level Control
Table 8-13 (Page 3 of 84). Quantitative Results of BNL/Surry Human Action Evaluations

Mean Failure Likelihood


Human Action Basis Description
R6 D6 R10

A-RAW3-XHE-FH-5 A-RAW2-XHE-FH-5 2.00E-05 Same as R6 Same as R6

A-RAW4-XHE-FH-5 Calculated 2.00E-05 Same as R6 Same as R6

A-RAW1-XHE-FH-10 Calculated 5.00E-05 Same as R6 N/A B&F SV Not Removed: Fail HHSI in Feed and

A-RAW2-XHE-FH-10 Calculated 2.00E-05 Same as R6 N/A Spill Given Fail To Restore RHR but Successful

A-RAW3-XHE-FH-10 A-RAW2-XHE-FH-10 2.00E-05 Same as R6 Same as R6 Level Control; Failure of Reflux Cooling

A-RAW4-XHE-FH-10 A-RAW2-XHE-FH-10 2.00E-05 Same as R6 Same as R6

A-RAW1-XHE-FL-10 Calculated 1.00E-02 Same as R6 N/A B&F: Fail LHSI in Feed and Spill Given Fail To

A-RAW2-XHE-FL-10 Calculated 1.20E-03 Same as R6 N/A Restore RHR but Successful Level Control;

A-RAW3-XHE-FL-10 A-RAW2-XHE-FL-10 1.20E-03 Same as R6 Same as R6 Failure of Reflux Cooling

A-RAW4-XHE-FL-10 A-RAW2-XHE-FL-10 1.20E-03 Same as R6 Same as R6

A-RAW1-XHE-C-9 Calculated 1.00E-03 Same as R6 N/A RECIRC: Fail HP Recirc with SV Not Removed

A-RAW2-XHE-C-9 Calculated 1.20E-03 Same as R6 N/A Given Fail To Restore RHR

A-RAW3-XHE-C-9 A-RAW2-XHE-C-9 1.20E-03 N/A Same as R6

A-RAW4-XHE-C-9 A-RAW2-XHE-C-9 1.20E-03 N/A Same as R6


Table 8-13 (Page 4 of 84). Quantitative Results of BNL/Surry Human Action Evaluations

Mean Failure Likelihood


Human Action Basis Description
R6 D6 R10

A-RAW1-XHE-C-4 Calculated 1.00E-03 Same as R6 N/A RECIRC: Fail HP Recirc with SV Removed Given

A-RAW2-XHE-C-4 A-RAW1-XHE-C-4 1.00E-03 Same as R6 N/A Fail To Restore RHR

A-RAW3-XHE-C-4 A-RAW1-XHE-C-4 1.00E-03 N/A Same as R6

A-RAW4-XHE-C-4 A-RAW1-XHE-C-4 1.00E-03 N/A Same as R6

A-RAW2-XHE-X Calculated 1.00E-03 Same as R6 N/A Fail To Cross Connect RWST

A-RAW3-XHE-X A-RAW2-XHE-X 1.00E-03 Same as R6 N/A

A-RAW1-XHE-P-4 Calculated 1.00E-03 Same as R6 N/A RECIRC: Fail To Establish Recirc Spray

A-RAW2-XHE-P-4 A-RAW1-XHE-P-4 1.00E-03 Same as R6 N/A

A-RAW1-XHE-G-6 Conserv Assumption 1 N/A Same as R6 GRAVITY: Fail To Establish Gravity Feed Given

A-RAW2-XHE-G-6 Conserv Assumption 1 N/A Same as R6 Successful Level Control but Fail To Restore RHR

A-RAW3-XHE-G-6 Conserv Assumption 1 N/A Same as R6

A-RAW4-XHE-G-6 Conserv Assumption 1 N/A Same as R6

D-RBW1-XHE Calculated 1.50E-05 Same as R6 N/A Failure To Diagnose Failure To Maintain Level

D-RBW2-XHE Calculated 5.10E-06 Same as R6 N/A


Table 8-13 (Page 5 of 84). Quantitative Results of BNL/Surry Human Action Evaluations

Mean Failure Likelihood


Human Action Basis Description
R6 D6 R10

D-RBW3-XHE D-RBW2-XHE 5.10E-06 Same as R6 Same as R6

D-RBW4-XHE Calculated 1.10E-06 Same as R6 Same as R6

A-RBW1-XHE-M-12 A-RAW1-XHE-M-12 1.10E-04 Same as R6 N/A Fail To Makeup Given Inventory Loss

A-RBW2-XHE-M-12 A-RAW2-XHE-M-12 2.00E-05 Same as R6 N/A

A-RBW3-XHE-M-12 A-RAW3-XHE-M-12 2.00E-05 Same as R6 Same as R6

A-RBW4-XHE-M-12 A-RAW4-XHE-M-12 6.70E-06 Same as R6 Same as R6

A-RBW1-XHE-R-4 A-RAW1-XHE-R-4 1.20E-03 Same as R6 N/A Failure To Restore RHR Given Successful

A-RBW2-XHE-R-4 A-RAW2-XHE-R-4 5.20E-04 Same as R6 N/A Makeup

A-RBW3-XHE-R-4 A-RAW3-XHE-R-4 5.20E-04 Same as R6 Same as R6

A-RBW4-XHE-R-4 A-RAW4-XHE-R-4 1.20E-04 Same as R6 Same as R6

A-RBW1-XHE-SF-9 A-RAW1-XHE-SF-9 1.00E-03 N/A N/A REFLUX: Fail To Feed SGs Given Fail To Restore

A-RBW2-XHE-SF-9 A-RAW2-XHE-SF-9 1.00E-03 N/A N/A RHR but Successful Level Control

A-RBW3-XHE-SF-9 A-RAW3-XHE-SF-9 1.00E-03 N/A Same as R6

A-RBW4-XHE-SF-9 A-RAW4-XHE-SF-9 1.00E-03 N/A Same as R6


Table 8-13 (Page 6 of 84). Quantitative Results of BNL/Surry Human Action Evaluations

Mean Failure Likelihood


Human Action Basis Description
R6 D6 R10

A-RBW1-XHE-S1-9 A-RAW1-XHE-S1-9 4.00E-02 N/A N/A REFLUX: Fail To Bleed SGs Given Fail To Restore

A-RBW2-XHE-S1-9 A-RAW2-XHE-S1-9 2.60E-03 N/A N/A RHR but Successful Level Control

A-RBW3-XHE-S1-9 A-RAW3-XHE-S1-9 2.60E-03 N/A Same as R6

A-RBW4-XHE-S1-9 A-RAW4-XHE-S1-9 1.00E-03 N/A Same as R6

A-RBW1-XHE-S2-8 Conserv Assumption 1 Same as R6 N/A REFLUX: Fail To Establish Reflux after PRT

A-RBW2-XHE-S2-8 Conserv Assumption 1 Same as R6 N/A Rupture Given Fail To Restore RHR but Successful

A-RBW3-XHE-S2-8 Conserv Assumption 1 Same as R6 Same as R6 Level Control

A-RBW4-XHE-S2-8 Conserv Assumption 1 Same as R6 Same as R6

A-RBW1-XHE-FL-5 A-RAW1-XHE-FL-5 5.00E-03 Same as R6 N/A B&F, SV Removed: Fail To Use LHSI in Feed and

A-RBW2-XHE-FL-5 A-RAW2-XHE-FL-5 1.20E-03 Same as R6 N/A Spill Mode Given Fail To Restore RHR but

A-RBW3-XHE-FL-5 A-RAW3-XHE-FL-5 1.20E-03 Same as R6 Same as R6 Successful Level Control

A-RBW4-XHE-FL-5 A-RAW4-XHE-FL-5 1.20E-03 Same as R6 Same as R6

A-RBW1-XHE-FH-5 A-RAW1-XHE-FH-5 5.00E-05 Same as R6 N/A B&F: Fail HHSI in Feed and Spill Mode Given Fail

A-RBW2-XHE-FH-5 A-RAW2-XHE-FH-5 2.00E-05 Same as R6 N/A To Restore RHR but Successful Level Control

A-RBW3-XHE-FH-5 A-RAW3-XHE-FH-5 2.00E-05 Same as R6 Same as R6



A-RBW4-XHE-FH-5 A-RAW4-XHE-FH-5 2.00E-05 Same as R6 Same as R6

A-RBW1-XHE-FH-10 A-RAW1-XHE-FH-10 5.00E-05 Same as R6 N/A B&F SV Not Removed: Fail HHSI in Feed and

A-RBW2-XHE-FH-10 A-RAW2-XHE-FH-10 2.00E-05 Same as R6 N/A Spill Given Fail To Restore RHR But Successful

A-RBW3-XHE-FH-10 A-RAW3-XHE-FH-10 2.00E-05 Same as R6 Same as R6 Level Control; Failure of Reflux Cooling

A-RBW4-XHE-FH-10 A-RAW4-XHE-FH-10 2.00E-05 Same as R6 Same as R6

A-RBW1-XHE-FL-10 A-RAW1-XHE-FL-10 1.00E-02 Same as R6 N/A B&F: Fail LHSI in Feed and Spill Given Fail To

A-RBW2-XHE-FL-10 A-RAW2-XHE-FL-10 1.20E-03 Same as R6 N/A Restore RHR But Successful Level Control;

A-RBW3-XHE-FL-10 A-RAW3-XHE-FL-10 1.20E-03 Same as R6 Same as R6 Failure of Reflux Cooling

A-RBW4-XHE-FL-10 A-RAW4-XHE-FL-10 1.20E-03 Same as R6 Same as R6

A-RBW1-XHE-C-9 A-RAW1-XHE-C-9 1.00E-03 Same as R6 N/A RECIRC: Fail HP Recirc with SV Not Removed

A-RBW2-XHE-C-9 A-RAW2-XHE-C-4 1.00E-03 Same as R6 N/A Given Fail To Restore RHR

A-RBW1-XHE-C-4 A-RAW1-XHE-C-4 1.00E-03 Same as R6 N/A RECIRC: Fail HP Recirc with SV Removed Given

A-RBW2-XHE-C-4 A-RAW2-XHE-C-4 1.00E-03 Same as R6 N/A Fail To Restore RHR



A-RBW2-XHE-X A-RAW2-XHE-X 1.00E-03 Same as R6 N/A Fail To Cross Connect RWST

A-RBW3-XHE-X A-RAW3-XHE-X 1.00E-03 Same as R6 Same as R6

A-RBW1-XHE-P-4 Calculated 1.00E-04 Same as R6 N/A RECIRC: Fail To Establish Recirc Spray

A-RBW2-XHE-P-4 A-RBW1-XHE-P-4 1.00E-04 Same as R6 N/A

A-RBW1-XHE-G-6 Conserv Assumption 1 Same as R6 N/A GRAVITY: Fail To Establish Gravity Feed Given

A-RBW2-XHE-G-6 Conserv Assumption 1 Same as R6 N/A Successful Level Control but Fail To Restore RHR

A-RBW3-XHE-G-6 Conserv Assumption 1 Same as R6 Same as R6

A-RBW4-XHE-G-6 Conserv Assumption 1 Same as R6 Same as R6

D-R3W1-XHE Calculated 2.30E-05 Same as R6 N/A Fail To Diagnose Loss of RHR

D-R3W2-XHE Calculated 7.70E-06 Same as R6 N/A

D-R3W3-XHE D-R3W2-XHE 7.70E-06 Same as R6 Same as R6

D-R3W4-XHE Calculated 1.10E-06 Same as R6 Same as R6

A-R3W1-XHE-SF-8 A-RAW1-XHE-SF-9 1.00E-03 Same as R6 N/A REFLUX: Fail To Feed SG @ ~ 10 Hr ==>

A-R3W2-XHE-SF-8 A-RAW2-XHE-SF-9 1.00E-03 Same as R6 N/A Recognition of Low SG Level Req'd



A-R3W3-XHE-SF-7 A-RAW3-XHE-SF-9 1.00E-03 Same as R6 Same as R6

A-R3W4-XHE-SF-7 A-RAW4-XHE-SF-9 1.00E-03 Same as R6 Same as R6

A-R3W1-XHE-S1-8 Calculated 4.10E-02 N/A N/A REFLUX: Fail To Bleed SG via ADV -Operator

A-R3W2-XHE-S1-8 Calculated 4.20E-02 Same as R6 N/A will Attempt (Successful Diagnosis)

A-R3W3-XHE-S1-7 A-R3W2-XHE-S1-8 4.20E-02 Same as R6 N/A

A-R3W4-XHE-S1-7 A-R3W2-XHE-S1-8 4.20E-02 Same as R6 Same as R6

A-R3W1-XHE-S2-8 Conserv Assumption 1 N/A N/A REFLUX: After PRT O/P, FTC PORVs & Fail To

A-R3W2-XHE-S2-8 Conserv Assumption 1 Same as R6 N/A Bleed SG via ADV; Late Action in Response to

A-R3W3-XHE-S2-7 Conserv Assumption 1 Same as R6 Same as R6 PRT Rupture-Only Reasonable Scenario is that

A-R3W4-XHE-S2-7 Conserv Assumption 1 Same as R6 Same as R6 Operator is Distracted by HW or Other Failures.

PRT Rupture is Strong Cue To Move Ahead in

AP-27

SSHR-AOV-XHE-105 Calculated 1.30E-02 Same as R6 Same as R6 REFLUX: Fail To Est. B/P Path to cond-

-Operator will Attempt (Successful Diagnosis &

PORV FTC)

A-R3W1-XHE-FL-4 A-RAW1-XHE-FL-5 5.00E-03 Same as R6 N/A B&F, SV Removed==>First Action.

A-R3W2-XHE-FL-4 A-RAW2-XHE-FL-5 1.20E-03 Same as R6 N/A Fail To Use LHSI F&S - -Operator will Attempt

A-R3W3-XHE-FL-3 A-RAW3-XHE-FL-5 1.20E-03 Same as R6 Same as R6 (Successful Diagnosis)

A-R3W4-XHE-FL-3 A-RAW4-XHE-FL-5 1.20E-03 Same as R6 Same as R6

A-R3W1-XHE-FH-4 A-RAW1-XHE-FH-5 5.00E-05 Same as R6 N/A B&F: Fail To Use HHSI | LHSI Failed - -Operator

A-R3W2-XHE-FH-4 A-RAW2-XHE-FH-5 2.00E-05 Same as R6 N/A will Attempt (Successful Diagnosis & LHSI

A-R3W3-XHE-FH-4 A-RAW3-XHE-FH-5 2.00E-05 Same as R6 Same as R6 Attempted and Failed)

A-R3W4-XHE-FH-4 A-RAW4-XHE-FH-5 2.00E-05 Same as R6 Same as R6

A-R3W1-XHE-FL-9 A-RAW1-XHE-FL-10 1.00E-02 Same as R6 N/A B&F, SV Not Removed==>Reflux Failed.

A-R3W2-XHE-FL-9 A-RAW2-XHE-FL-10 1.20E-03 Same as R6 N/A Fail To Use LHSI F&S - -Operator will Attempt

A-R3W3-XHE-FL-7 A-RAW3-XHE-FL-10 1.20E-03 Same as R6 Same as R6 when Reflux Fails To Provide Cooling (Successful

A-R3W4-XHE-FL-7 A-RAW4-XHE-FL-10 1.20E-03 Same as R6 Same as R6 Diagnosis). Timing and Cues Worse than FL-4

A-R3W1-XHE-FH-9 A-RAW1-XHE-FH-10 5.00E-05 Same as R6 N/A B&F: Fail To Use HHSI | LHSI Failed - -Operator

A-R3W2-XHE-FH-9 A-RAW2-XHE-FH-10 2.00E-05 Same as R6 N/A will Attempt (Successful Diagnosis & LHSI Failed)

A-R3W3-XHE-FH-7 A-RAW3-XHE-FH-10 2.00E-05 Same as R6 Same as R6

A-R3W4-XHE-FH-7 A-RAW4-XHE-FH-10 2.00E-05 Same as R6 Same as R6

A-R3W1-XHE-G-5 Conserv Assumption 1 N/A N/A GRAVITY: Fail To Est. Gravity Feed Following

A-R3W2-XHE-G-5 Conserv Assumption 1 N/A N/A Failure of Fill and Spill. Only Reasonable Case is if

A-R3W3-XHE-G-4 Conserv Assumption 1 N/A N/A FR3W1 Failed due to HW. Use Guaranteed

A-R3W4-XHE-G-4 Conserv Assumption 1 N/A N/A Failure. Edit to Old Gravity Feed Event Only for

Cutsets with Success of A-R3W#-XHE-FL-4.

A-R3W1-XHE-C-3 A-RAW1-XHE-C-4 1.00E-03 Same as R6 N/A RECIRC: Fail To Est HP Recirc (B&F Successful

A-R3W2-XHE-C-3 A-RBW2-XHE-C-4 1.00E-03 Same as R6 N/A and SVs Removed) - @ 8 - 20 Hr, ==> Recognition

A-R3W3-XHE-C-3 N/A N/A N/A N/A of Low RWST Level Req'd

A-R3W4-XHE-C-3 N/A N/A N/A N/A

A-R3W1-XHE-C-8 A-RAW1-XHE-C-4 1.00E-03 Same as R6 N/A RECIRC: Fail To Est. HP Recirc (B&F Successful

A-R3W2-XHE-C-8 A-RBW2-XHE-C-4 1.00E-03 Same as R6 N/A and SVs Not Removed) - @ 8 - 20 Hr, ==>

A-R3W3-XHE-C-8 N/A N/A N/A N/A Recognition of Low RWST Level Req'd

A-R3W4-XHE-C-8 N/A N/A N/A N/A



A-R3W1-XHE-P-3 A-RBW1-XHE-P-4 1.00E-04 Same as R6 N/A RECIRC: Fail To Est. Recirc Spray

A-R3W2-XHE-P-3 A-RBW2-XHE-P-4 1.00E-04 Same as R6 N/A

A-R3W3-XHE-P-3 N/A N/A N/A N/A

A-R3W4-XHE-P-3 N/A N/A N/A N/A

A-R3W2-XHE-X A-RAW2-XHE-X 1.00E-03 Same as R6 N/A Cross Connect RWST

D-R4W1-XHE Calculated 1.50E-05 Same as R6 N/A Diagnose Loss of RHR

Calculated 5.10E-06 Same as R6 N/A

D-R4W3-XHE D-R4W2-XHE 5.10E-06 Same as R6 Same as R6

D-R4W4-XHE Calculated 1.10E-06 Same as R6 Same as R6

A-R4W1-XHE-R-4 A-RAW1-XHE-R-4 1.20E-03 Same as R6 N/A Restore RHR

A-R4W2-XHE-R-4 A-RAW2-XHE-R-4 5.20E-04 Same as R6 N/A

A-R4W3-XHE-R-4 A-RAW3-XHE-R-4 5.20E-04 Same as R6 Same as R6

A-R4W4-XHE-R-4 A-RAW4-XHE-R-4 1.20E-04 Same as R6 Same as R6

A-R4W1-XHE-SF-9 A-RAW1-XHE-SF-9 1.00E-03 N/A N/A REFLUX: Fail To Bleed SG via ADV -Operator

A-R4W2-XHE-SF-9 A-RAW2-XHE-SF-9 1.00E-03 Same as R6 N/A will Attempt (Successful Diagnosis)

A-R4W3-XHE-SF-4 A-RAW3-XHE-SF-9 1.00E-03 Same as R6 Same as R6

A-R4W4-XHE-SF-4 A-RAW4-XHE-SF-9 1.00E-03 Same as R6 Same as R6

A-R4W1-XHE-S1-9 A-RAW1-XHE-S1-9 4.00E-02 N/A N/A REFLUX: Fail To Bleed SG via ADV -Operator

A-R4W2-XHE-S1-9 A-RAW2-XHE-S1-9 2.60E-03 Same as R6 N/A will Attempt (Successful Diagnosis)

A-R4W3-XHE-S1-4 A-RAW3-XHE-S1-9 2.60E-03 Same as R6 Same as R6

A-R4W4-XHE-S1-4 A-RAW4-XHE-S1-9 1.00E-03 Same as R6 Same as R6

A-R4W1-XHE-S2-9 Conserv Assumption 1 N/A N/A REFLUX: After PRT O/P, FTC PORVs & Fail To

A-R4W2-XHE-S2-9 Conserv Assumption 1 Same as R6 N/A Bleed SG via ADV; Late Action in Response to

A-R4W3-XHE-S2-4 Conserv Assumption 1 Same as R6 Same as R6 PRT Rupture—Only Reasonable Scenario Is that

A-R4W4-XHE-S2-4 Conserv Assumption 1 Same as R6 Same as R6 Operator is Distracted by HW or Other Failures.

PRT Rupture is Strong Cue To Move Ahead in

AP-27

A-R4W1-XHE-FL-5 A-RAW1-XHE-FL-5 5.00E-03 Same as R6 N/A Fail LHSI in Feed and Spill Mode Given Fail To
Restore RHR but Successful Level Control

A-R4W2-XHE-FL-5 A-RAW2-XHE-FL-5 1.20E-03 Same as R6 N/A



A-R4W3-XHE-FL-5 A-RAW3-XHE-FL-5 1.20E-03 Same as R6 Same as R6

A-R4W4-XHE-FL-5 A-RAW4-XHE-FL-5 1.20E-03 Same as R6 Same as R6

A-R4W1-XHE-FH-5 A-RAW1-XHE-FH-5 5.00E-05 Same as R6 N/A Fail HHSI In Feed and Spill Mode Given Fail To
Restore RHR but Successful Level Control

A-R4W2-XHE-FH-5 A-RAW2-XHE-FH-5 2.00E-05 Same as R6 N/A

A-R4W3-XHE-FH-5 A-RAW3-XHE-FH-5 2.00E-05 Same as R6 Same as R6

A-R4W4-XHE-FH-5 A-RAW4-XHE-FH-5 2.00E-05 Same as R6 Same as R6

A-R4W1-XHE-FL-10 A-RAW1-XHE-FL-10 5.00E-05 Same as R6 N/A Fail LHSI in Feed and Spill Given Fail To Restore
RHR but Successful Level Control; Failure of Reflux
Cooling

A-R4W2-XHE-FL-10 A-RAW2-XHE-FL-10 2.00E-05 Same as R6 N/A

A-R4W3-XHE-FL-7 A-RAW3-XHE-FL-10 2.00E-05 Same as R6 Same as R6

A-R4W4-XHE-FL-7 A-RAW4-XHE-FL-10 2.00E-05 Same as R6 Same as R6

A-R4W1-XHE-FH-10 Calculated 1.00E-02 Same as R6 N/A Fail HHSI in Feed and Spill Given Fail To Restore
RHR but Successful Level Control; Failure of Reflux
Cooling
A-R4W2-XHE-FH-10 Calculated 1.20E-03 Same as R6 N/A

A-R4W3-XHE-FH-8 A-R4W2-XHE-FH-10 1.20E-03 Same as R6 Same as R6

A-R4W4-XHE-FH-8 A-R4W2-XHE-FH-10 1.20E-03 Same as R6 Same as R6

A-R4W1-XHE-G-6 Conserv Assumption 1 N/A N/A GRAVITY: Fail To Est Gravity Feed Following

A-R4W2-XHE-G-6 Conserv Assumption 1 N/A N/A Failure of Fill and Spill. Only Reasonable Case is if

A-R4W3-XHE-G-5 Conserv Assumption 1 N/A Same as R6 F&S Failed due to HW. Use Guaranteed

A-R4W4-XHE-G-5 Conserv Assumption 1 N/A Same as R6 Failure. Edit to Old Gravity Feed Event Only for

Cutsets with Success of A-R4W#-XHE-FL-5

A-R4W1-XHE-C-4 A-RAW1-XHE-C-4 1.00E-03 Same as R6 N/A RECIRC: Fail To Est. HP Recirc (B&F Successful

A-R4W2-XHE-C-4 A-RAW2-XHE-C-4 1.00E-03 Same as R6 N/A and SVs Removed) - @ 8 - 20 Hr, ==> Recognition

A-R4W3-XHE-C-4 N/A N/A N/A N/A of Low RWST Level Req'd

A-R4W4-XHE-C-4 N/A N/A N/A N/A

A-R4W1-XHE-C-9 A-RAW1-XHE-C-9 1.00E-03 Same as R6 N/A RECIRC: Fail To Est. HP Recirc (B&F Successful

A-R4W2-XHE-C-9 A-RAW2-XHE-C-9 1.20E-03 Same as R6 N/A and SVs Not Removed) - @ 8 - 20 Hr, ==>

A-R4W3-XHE-C-9 N/A N/A N/A N/A Recognition of Low RWST Level Req'd

A-R4W4-XHE-C-9 N/A N/A N/A N/A



A-R4W1-XHE-P-4 A-RBW1-XHE-P-4 1.00E-04 Same as R6 N/A RECIRC: Fail To Est. Recirc Spray

A-R4W2-XHE-P-4 A-RBW2-XHE-P-4 1.00E-04 Same as R6 N/A

A-R4W3-XHE-P-4 N/A N/A N/A N/A

A-R4W4-XHE-P-4 N/A N/A N/A N/A

A-R4W1-XHE-P-9 A-RBW1-XHE-P-4 1.00E-04 Same as R6 N/A RECIRC: Fail To Est. Recirc Spray

A-R4W2-XHE-P-9 A-RBW2-XHE-P-4 1.00E-04 Same as R6 N/A

A-R4W3-XHE-P-9 N/A N/A N/A N/A

A-R4W4-XHE-P-9 N/A N/A N/A N/A

A-R4W2-XHE-X A-RAW2-XHE-X 1.00E-03 N/A Fail To Cross Connect RWST

D-R5W1-XHE Calculated 2.30E-05 Same as R6 N/A Diagnose Loss of RHR

D-R5W2-XHE Calculated 1.20E-05 Same as R6 N/A

D-R5W3-XHE D-R5W2-XHE 1.20E-05 Same as R6 Same as R6

D-R5W4-XHE Calculated 1.10E-06 Same as R6 Same as R6



A-R5W1-XHE-R-4 A-RAW1-XHE-R-4 1.20E-03 Same as R6 N/A Fail To Restore RHR

A-R5W2-XHE-R-4 A-RAW2-XHE-R-4 5.20E-04 Same as R6 N/A

A-R5W3-XHE-R-4 A-RAW3-XHE-R-4 5.20E-04 Same as R6 Same as R6

A-R5W4-XHE-R-5 A-RAW4-XHE-R-4 1.20E-04 Same as R6 Same as R6

A-R5W1-XHE-SF-9 A-RAW1-XHE-SF-9 1.00E-03 N/A N/A REFLUX: Fail To Feed SGs Given Fail To Restore
RHR but Successful Level Control

A-R5W2-XHE-SF-9 A-RAW2-XHE-SF-9 1.00E-03 Same as R6 N/A

A-R5W3-XHE-SF-6 N/A N/A N/A N/A

A-R5W4-XHE-SF-6 N/A N/A N/A N/A

A-R5W1-XHE-S1-9 A-RAW1-XHE-S1-9 4.00E-02 N/A N/A REFLUX: Fail To Bleed SG via ADV -Operator

A-R5W2-XHE-S1-9 A-RAW2-XHE-S1-9 2.60E-03 Same as R6 N/A will Attempt (Successful Diagnosis)

A-R5W3-XHE-S1-6 N/A N/A N/A N/A

A-R5W4-XHE-S1-6 N/A N/A N/A N/A

A-R5W1-XHE-S2-9 Conserv Assumption 1 N/A N/A Fail To Establish Reflux after PRT Rupture Given Fail
To Restore RHR but Successful Level Control

A-R5W2-XHE-S2-9 Conserv Assumption 1 Same as R6 N/A



A-R5W3-XHE-S2-6 N/A N/A N/A N/A

A-R5W4-XHE-S2-6 N/A N/A N/A N/A

A-R5W1-XHE-FH-5 A-RAW1-XHE-FH-5 5.00E-05 Same as R6 N/A Fail HHSI in Feed and Spill Mode Given Fail To
Restore RHR but Successful Level Control

A-R5W2-XHE-FH-5 A-RAW2-XHE-FH-5 2.00E-05 Same as R6 N/A

A-R5W3-XHE-FH-4 A-RAW3-XHE-FH-5 2.00E-05 Same as R6 Same as R6

A-R5W4-XHE-FH-5 A-RAW4-XHE-FH-5 2.00E-05 Same as R6 Same as R6

A-R5W1-XHE-FL-5 A-RAW1-XHE-FL-5 5.00E-03 Same as R6 N/A Fail LHSI in Feed and Spill Mode Given Fail To
Restore RHR but Successful Level Control

A-R5W2-XHE-FL-5 A-RAW2-XHE-FL-5 1.20E-03 Same as R6 N/A

A-R5W3-XHE-FL-4 A-RAW3-XHE-FL-5 1.20E-03 Same as R6 Same as R6

A-R5W4-XHE-FL-5 A-RAW4-XHE-FL-5 1.20E-03 Same as R6 Same as R6

A-R5W1-XHE-FH-10 A-R4W1-XHE-FH-10 1.00E-02 N/A N/A Fail HHSI in Feed and Spill Given Fail To Restore
RHR but Successful Level Control; Failure of Reflux
Cooling

A-R5W2-XHE-FH-10 A-R4W2-XHE-FH-10 1.20E-03 N/A N/A

A-R5W3-XHE-FH-6 A-R4W3-XHE-FH-8 1.20E-03 N/A Same as R6



A-R5W4-XHE-FH-6 A-R4W4-XHE-FH-8 1.20E-03 N/A Same as R6

A-R5W1-XHE-FL-10 A-RAW1-XHE-FL-10 5.00E-05 N/A N/A Fail LHSI in Feed and Spill Given Fail To Restore
RHR but Successful Level Control; Failure of Reflux
Cooling

A-R5W2-XHE-FL-10 A-RAW2-XHE-FL-10 2.00E-05 N/A N/A

A-R5W3-XHE-FL-8 A-RAW3-XHE-FL-10 2.00E-05 N/A Same as R6

A-R5W4-XHE-FL-8 A-RAW4-XHE-FL-10 2.00E-05 N/A Same as R6

A-R5W1-XHE-G-6 Conserv Assumption 1 N/A N/A GRAVITY: Fail To Est. Gravity Feed Following

A-R5W2-XHE-G-6 Conserv Assumption 1 N/A N/A Failure of Fill and Spill. Only Reasonable Case is if

A-R5W3-XHE-G-5 Conserv Assumption 1 N/A Same as R6 F&S Failed due to HW. Use Guaranteed

A-R5W4-XHE-G-5 Conserv Assumption 1 N/A Same as R6 Failure. Edit to Old Gravity Feed Event Only for

Cutsets with Success of A-R5#-XHE-FL-5.

A-R5W1-XHE-C-4 A-RAW1-XHE-C-4 1.00E-03 Same as R6 N/A RECIRC: Fail To Est. HP Recirc (B&F Successful

A-R5W2-XHE-C-4 A-RAW2-XHE-C-4 1.00E-03 Same as R6 N/A and SVs Removed) - @ 8 - 20 Hr, ==> Recognition

A-R5W3-XHE-C-4 N/A N/A N/A N/A of Low RWST Level Req'd

A-R5W4-XHE-C-4 N/A N/A N/A N/A



A-R5W1-XHE-C-9 A-RAW1-XHE-C-9 1.00E-03 Same as R6 N/A RECIRC: Fail To Est HP Recirc (B&F Successful

A-R5W2-XHE-C-9 A-RAW2-XHE-C-9 1.20E-03 Same as R6 N/A and SVs Not Removed) - @ 8 - 20 Hr, ==>

A-R5W3-XHE-C-9 N/A N/A N/A N/A Recognition of Low RWST Level Req'd

A-R5W4-XHE-C-9 N/A N/A N/A N/A

A-R5W1-XHE-P-4 A-RBW1-XHE-P-4 1.00E-04 Same as R6 N/A RECIRC: Fail To Est Recirc Spray

A-R5W2-XHE-P-4 A-RBW2-XHE-P-4 1.00E-04 Same as R6 N/A

A-R5W3-XHE-P-4 N/A N/A N/A N/A

A-R5W4-XHE-P-4 N/A N/A N/A N/A

A-R5W1-XHE-P-9 A-RBW1-XHE-P-4 1.00E-04 Same as R6 N/A REFLUX: Fail To Feed SGs Given Fail To Restore
RHR but Successful Level Control

A-R5W2-XHE-P-9 A-RBW2-XHE-P-4 1.00E-04 Same as R6 N/A

A-R5W3-XHE-P-9 N/A N/A N/A N/A

A-R5W4-XHE-P-9 N/A N/A N/A N/A

D-SIW1-XHE Calculated 0.00002 Same as R6 N/A Failure To Diagnose Inadvertent Safety Injection in
POS6

D-SIW2-XHE Calculated 0.00001 Same as R6 N/A

D-SIW3-XHE D-SIW2-XHE 0.00001 Same as R6 N/A

D-SIW4-XHE Calculated 1.1e-06 Same as R6 N/A

A-SIW1-XHE-R-4 A-R5W1-XHW-R-4 0.0012 Same as D6 N/A Fail To Restore RHR Given Inadvertent SI in POS 6

A-SIW2-XHE-R-4 A-R5W2-XHW-R-4 0.00052 Same as D6 N/A

A-SIW3-XHE-R-4 A-R5W3-XHW-R-4 0.00052 Same as D6 Same as D6

A-SIW4-XHE-R-4 A-R5W4-XHW-R-5 0.00012 Same as D6 Same as D6

A-SIW1-XHE-R-13 Calculated 0.0085 Same as D6 N/A Fail To Restore RHR Given Inadvertent SI in POS 6
and Failure To Restore Power to Bus H

A-SIW2-XHE-R-13 Calculated 0.003 Same as D6 N/A

A-SIW3-XHE-R-9 A-SIW2-XHE-R-13 0.003 Same as D6 Same as D6

A-SIW4-XHE-R-9 Calculated 0.00096 Same as D6 Same as D6

A-SIW1-XHE-S1-9 A-R5W1-XHE-SF-9 0.001 N/A N/A REFLUX: Fail To Feed SG @ ~ 10 Hr ==>

A-SIW2-XHE-S1-9 A-R5W2-XHE-SF-9 0.001 Same as R6 N/A Recognition of Low SG Level Req'd

A-SIW3-XHE-S1-4 A-R5W2-XHE-SF-9 N/A 0.001 N/A

A-SIW4-XHE-S1-4 A-R5W2-XHE-SF-9 N/A 0.001 N/A



A-SIW1-XHE-S2-9 A-R5W1-XHE-S1-9 0.04 N/A N/A REFLUX: Fail To Bleed SG via ADV -Operator

A-SIW2-XHE-S2-9 A-R5W2-XHE-S1-9 0.0026 Same as R6 N/A will Attempt (Successful Diagnosis)

A-SIW3-XHE-S2-4 A-SIW2-XHE-S2-9 N/A 0.0026 N/A

A-SIW4-XHE-S2-4 A-RAW4-XHE-S1-9 N/A 0.001 N/A

A-SIW1-XHE-S3-9 Conserv Assumption 1 N/A N/A REFLUX: After PRT O/P, FTC PORVs & Fail To

A-SIW2-XHE-S3-9 Conserv Assumption 1 Same as R6 N/A Bleed SG via ADV; Late Action in Response to

A-SIW3-XHE-S3-4 Conserv Assumption N/A 1 N/A PRT Rupture-Only Reasonable Scenario is that

A-SIW4-XHE-S3-4 Conserv Assumption N/A 1 N/A Operator is Distracted by HW or Other Failures.

PRT Rupture is Strong Cue To Move Ahead in

AP-27

A-SIW1-XHE-S1-18 A-R5W1-XHE-SF-9 0.001 N/A N/A REFLUX: Given Failure To Restore RHR Fail To Feed
SG @ ~ 10 Hr ==>

A-SIW2-XHE-S1-18 A-R5W2-XHE-SF-9 0.001 Same as R6 N/A Recognition of Low SG Level Req'd

A-SIW3-XHE-S1-18 A-R5W2-XHE-SF-9 N/A 0.001 N/A

A-SIW4-XHE-S1-18 A-R5W2-XHE-SF-9 N/A 0.001 N/A



A-SIW1-XHE-S2-18 Calculated 0.08 N/A N/A REFLUX: Given Failure To Restore RHR,Fail To Bleed
SG via ADV -Operator

A-SIW2-XHE-S2-18 Calculated 0.0053 Same as R6 N/A will Attempt (Successful Diagnosis)

A-SIW3-XHE-S2-18 A-SIW2-XHE-S2-18 N/A 0.0053 N/A

A-SIW4-XHE-S2-18 Calculated N/A 0.002 N/A



A-SIW1-XHE-S3-18 Conserv Assumption 1 N/A N/A REFLUX: After PRT O/P Given Failure To Restore
RHR, FTC PORVs & Fail To

A-SIW2-XHE-S3-18 Conserv Assumption 1 Same as R6 N/A Bleed SG via ADV; Late Action in Response to

A-SIW3-XHE-S3-18 Conserv Assumption N/A 1 N/A PRT Rupture-Only Reasonable Scenario is that

A-SIW4-XHE-S3-18 Conserv Assumption N/A 1 N/A Operator is Distracted by HW or Other Failures.

PRT Rupture is Strong Cue To Move Ahead in

AP-27

A-SIW1-XHE-FL-5 Calculated 0.01 Same as R6 N/A Fail F&B: SI System Recovered (Secured); RHR Not
Restored; SVs Removed

A-SIW2-XHE-FL-5 Calculated 0.00076 Same as R6 N/A

A-SIW3-XHE-FL-4 A-SIW2-XHE-FL-5 0.00076 Same as R6 Same as R6

A-SIW4-XHE-FL-4 Calculated 0.00007 Same as R6 Same as R6



A-SIW1-XHE-FL-10 Calculated 0.066 Same as R6 N/A Fail F&B: SI Secured; RHR Not Restored; SVs Not
Removed

A-SIW2-XHE-FL-10 Calculated 0.002 Same as R6 N/A

A-SIW3-XHE-FL-13 A-SIW2-XHE-FL-10 0.002 Same as R6 Same as R6

A-SIW4-XHE-FL-13 Calculated 0.00007 Same as R6 Same as R6

A-SIW1-XHE-FL-14 Calculated 0.061 Same as R6 N/A Fail F&B: SI Secured; RHR Not Restored; SVs
Removed

A-SIW2-XHE-FL-14 Calculated 0.008 Same as R6 N/A

A-SIW3-XHE-FL-10 A-SIW2-XHE-FL-14 0.008 Same as R6 Same as R6

A-SIW4-XHE-FL-10 Calculated 0.0011 Same as R6 Same as R6

A-SIW1-XHE-FL-19 A-SIW1-XHE-FL-14 0.061 Same as R6 N/A Fail F&B: SI Secured; RHR Not Restored; SVs Not
Removed

A-SIW2-XHE-FL-19 A-SIW2-XHE-FL-14 0.013 Same as R6 N/A

A-SIW3-XHE-FL-7 A-SIW3-XHE-FL-10 0.013 Same as R6 Same as R6

A-SIW4-XHE-FL-7 A-SIW4-XHE-FL-10 0.0011 Same as R6 Same as R6



A-SIW1-XHE-FH-5 A-R5W1-XHE-FH-5 0.00005 Same as R6 N/A Fail F&B: SI Secured; RHR Not Restored; SVs
Removed

A-SIW2-XHE-FH-5 A-R5W2-XHE-FH-5 0.00002 Same as R6 N/A

A-SIW3-XHE-FH-4 A-R5W3-XHE-FH-5 0.00002 Same as R6 Same as R6

A-SIW4-XHE-FH-4 A-R5W4-XHE-FH-5 0.00002 Same as R6 Same as R6

A-SIW1-XHE-FH-10 A-R5W1-XHE-FH-5 0.00005 Same as R6 N/A Fail F&B: SI Secured; RHR Not Restored; SVs Not
Removed

A-SIW2-XHE-FH-10 A-R5W2-XHE-FH-5 0.00002 Same as R6 N/A

A-SIW3-XHE-FH-13 A-R5W3-XHE-FH-5 0.00002 Same as R6 Same as R6

A-SIW4-XHE-FH-13 A-R5W4-XHE-FH-5 0.00002 Same as R6 Same as R6

A-SIW1-XHE-FH-14 A-R5W1-XHE-FH-5 0.00005 Same as R6 N/A Fail F&B: SI Secured; RHR Not Restored; SVs
Removed

A-SIW2-XHE-FH-14 A-R5W2-XHE-FH-5 0.00002 Same as R6 N/A

A-SIW3-XHE-FH-10 A-R5W3-XHE-FH-5 0.00002 Same as R6 Same as R6

A-SIW4-XHE-FH-10 A-R5W4-XHE-FH-5 0.00002 Same as R6 Same as R6

A-SIW1-XHE-FH-19 A-R5W1-XHE-FH-5 0.00005 Same as R6 N/A Fail F&B: SI Secured; RHR Not Restored; SVs Not
Removed

A-SIW2-XHE-FH-19 A-R5W2-XHE-FH-5 0.00002 Same as R6 N/A

A-SIW3-XHE-FH-7 A-R5W3-XHE-FH-5 0.00002 Same as R6 Same as R6

A-SIW4-XHE-FH-7 A-R5W4-XHE-FH-5 0.00002 Same as R6 Same as R6

A-SIW1-XHE-G6 Conserv Assumption N/A N/A GRAVITY: Fail To Est Gravity Feed Following

A-SIW2-XHE-G6 Conserv Assumption N/A N/A Failure of Fill and Spill. SI Secured

A-SIW3-XHE-G5 Conserv Assumption N/A Same as R6

A-SIW4-XHE-G5 Conserv Assumption N/A Same as R6

A-SIW1-XHE-G15 Conserv Assumption N/A N/A GRAVITY: Fail To Est Gravity Feed Following

A-SIW2-XHE-G15 Conserv Assumption N/A N/A Failure of Fill and Spill. SI Continues

A-SIW3-XHE-G11 Conserv Assumption N/A Same as R6

A-SIW4-XHE-G11 Conserv Assumption N/A Same as R6

A-SIW1-XHE-C-4 A-R5W1-XHE-C-4 0.001 Same as R6 N/A RECIRC: Fail To Est. HP Recirc (SI Secured, B&F
Successful)

A-SIW2-XHE-C-4 A-R5W2-XHE-C-4 0.001 Same as R6 N/A and SVs Removed) - @ 8 - 20 Hr, ==> Recognition

A-SIW3-XHE-C-4 N/A N/A N/A N/A of Low RWST Level Req'd

A-SIW4-XHE-C-4 N/A N/A N/A N/A



A-SIW1-XHE-C-13 A-R5W1-XHE-C-4 0.001 Same as R6 N/A RECIRC: Fail To Est HP Recirc (SI Continues, B&F
Successful

A-SIW2-XHE-C-13 A-R5W2-XHE-C-4 0.001 Same as R6 N/A and SVs Removed) - @ 8 - 20 Hr, ==> Recognition

A-SIW3-XHE-C-13 N/A N/A N/A N/A of Low RWST Level Req'd

A-SIW4-XHE-C-13 N/A N/A N/A N/A

A-SIW1-XHE-C-9 A-R5W1-XHE-C-4 0.001 Same as R6 N/A RECIRC: Fail To Est. HP Recirc (SI Secured, B&F
Successful

A-SIW2-XHE-C-9 A-R5W2-XHE-C-4 0.001 Same as R6 N/A and SVs Not Removed) - @ 8 - 20 Hr, ==>
Recognition

A-SIW3-XHE-C-9 N/A N/A N/A N/A of Low RWST Level Req'd

A-SIW4-XHE-C-9 N/A N/A N/A N/A

A-SIW1-XHE-C-18 A-R5W1-XHE-C-4 0.001 Same as R6 N/A RECIRC: Fail To Est. HP Recirc (SI Continues, B&F
Successful and SVs Not Removed

A-SIW2-XHE-C-18 A-R5W2-XHE-C-4 0.001 Same as R6 N/A - @ 8 - 20 Hr, ==> Recognition

A-SIW3-XHE-C-18 N/A N/A N/A N/A of Low RWST Level Req'd

A-SIW4-XHE-C-18 N/A N/A N/A N/A



A-SIW2-XHE-X A-RAW2-XHE-X 0.001 Same as R6 N/A

A-SIW1-XHE-P-4 A-R5W1-XHE-P-4 0.0001 Same as R6 N/A RECIRC: Fail To Est. Recirc Spray (SI Secured, B&F
Successful and SVs Not Removed)

A-SIW2-XHE-P-4 A-R5W2-XHE-P-4 0.0001 Same as R6 N/A

A-SIW3-XHE-P-4 N/A N/A N/A N/A

A-SIW4-XHE-P-4 N/A N/A N/A N/A

A-SIW1-XHE-P-13 A-R5W1-XHE-P-4 0.0001 Same as R6 N/A RECIRC: Fail To Est. Recirc Spray (SI Continues,
B&F Successful and SVs Not Removed)

A-SIW2-XHE-P-13 A-R5W2-XHE-P-4 0.0001 Same as R6 N/A

A-SIW3-XHE-P-13 N/A N/A N/A N/A

A-SIW4-XHE-P-13 N/A N/A N/A N/A

A-SIW1-XHE-P-9 A-R5W1-XHE-P-4 0.0001 Same as R6 N/A RECIRC: Fail To Est. Recirc Spray (SI Secured, B&F
Successful and SVs Not Removed)

A-SIW2-XHE-P-9 A-R5W2-XHE-P-4 0.0001 Same as R6 N/A

A-SIW3-XHE-P-9 N/A N/A N/A N/A

A-SIW4-XHE-P-9 N/A N/A N/A N/A



A-SIW1-XHE-P-18 A-R5W1-XHE-P-4 0.0001 Same as R6 N/A RECIRC: Fail To Est. Recirc Spray (SI Continues,
B&F Successful and SVs Not Removed)

A-SIW2-XHE-P-18 A-R5W2-XHE-P-4 0.0001 Same as R6 N/A

A-SIW3-XHE-P-18 N/A N/A N/A N/A

A-SIW4-XHE-P-18 N/A N/A N/A N/A

D-CCW1-XHE Calculated 2.30E-05 Same as R6 N/A Fail To Diagnose Loss of Component Cooling Water

D-CCW2-XHE Calculated 7.70E-06 Same as R6 N/A

D-CCW3-XHE D-CCW2-XHE 7.70E-06 Same as R6 Same as R6

D-CCW4-XHE Calculated 1.10E-06 Same as R6 Same as R6

A-CCW1-XHE-HCC Not HRA based N/A Fail To locally Recover Air to HX Valves

A-CCW2-XHE-HCC Not HRA based N/A NOTE: Based on Review of Data Presented
Elsewhere in this Report

A-CCW3-XHE-HCC Not HRA based

A-CCW4-XHE-HCC Not HRA based

A-CCW1-XHE-SF-8 A-R5W1-XHE-SF-9 1.00E-03 N/A N/A REFLUX: Fail To Feed SG @ ~ 10 Hr ==>



A-CCW2-XHE-SF-8 A-R5W2-XHE-SF-9 1.00E-03 1.00E-03 N/A Recognition of Low SG Level Req'd

A-CCW3-XHE-SF-7 A-R5W2-XHE-SF-9 N/A 1.00E-03 N/A

A-CCW4-XHE-SF-7 A-R5W2-XHE-SF-9 N/A 1.00E-03 N/A

A-CCW1-XHE-S1-8 Calculated 4.10E-02 N/A N/A REFLUX: Fail To Bleed SG via ADV -Operator

A-CCW2-XHE-S1-8 A-CCW1-XHE-S1-8 4.20E-02 4.20E-02 N/A will Attempt (Successful Diagnosis)

A-CCW3-XHE-S1-7 A-CCW1-XHE-S1-8 N/A 4.20E-02 N/A

A-CCW4-XHE-S1-7 A-CCW1-XHE-S1-8 N/A 4.20E-02 N/A

A-CCW1-XHE-S2-8 Conserv Assumption 1 N/A N/A REFLUX: After PRT O/P, FTC PORVs & Fail To

A-CCW2-XHE-S2-8 Conserv Assumption 1 1 N/A Bleed SG via ADV; Late Action in Response to

A-CCW3-XHE-S2-7 Conserv Assumption N/A 1 N/A PRT Rupture-Only Reasonable Scenario is that

A-CCW4-XHE-S2-7 Conserv Assumption N/A 1 N/A Operator is Distracted by HW or Other Failures.

PRT Rupture is Strong Cue To Move Ahead in

AP-27

A-CCW1-XHE-FL-7 A-R5W1-XHE-FL-5 5.00E-03 Same as R6 N/A B&F: Fail To Use LHSI

A-CCW2-XHE-FL-7 A-R5W2-XHE-FL-5 1.20E-03 Same as R6 N/A



A-CCW3-XHE-FL-7 A-R5W3-XHE-FL-4 1.20E-03 Same as R6 Same as R6

A-CCW4-XHE-FL-7 A-R5W4-XHE-FL-5 1.20E-03 Same as R6 Same as R6

A-CCW1-XHE-FH-5 A-R5W1-XHE-FH-5 5.00E-05 Same as R6 N/A B&F: Fail To Use HHSI

A-CCW2-XHE-FH-5 A-R5W2-XHE-FH-5 2.00E-05 Same as R6 N/A

A-CCW3-XHE-FH-5 A-R5W3-XHE-FH-4 2.00E-05 Same as R6 Same as R6

A-CCW4-XHE-FH-5 A-R5W4-XHE-FH-5 2.00E-05 Same as R6 Same as R6

A-CCW1-XHE-FL-10 A-R5W1-XHE-FL-10 1.00E-02 Same as R6 N/A Fail Low Pressure F&B Given SVs in Place

A-CCW2-XHE-FL-10 A-R5W2-XHE-FL-10 1.20E-03 Same as R6 N/A

A-CCW3-XHE-FL-10 A-R5W3-XHE-FL-8 1.20E-03 Same as R6 Same as R6

A-CCW4-XHE-FL-10 A-R5W4-XHE-FL-8 1.20E-03 Same as R6 Same as R6

A-CCW1-XHE-FH-10 A-R5W1-XHE-FH-5 5.00E-05 Same as R6 N/A Fail High Pressure F&B Given SVs in Place

A-CCW2-XHE-FH-10 A-R5W2-XHE-FH-5 2.00E-05 Same as R6 N/A

A-CCW3-XHE-FH-10 A-R5W3-XHE-FH-5 2.00E-05 Same as R6 Same as R6

A-CCW4-XHE-FH-10 A-R5W4-XHE-FH-5 2.00E-05 Same as R6 Same as R6



A-CCW1-XHE-G-6 Conserv Assumption 1 N/A N/A GRAVITY: Fail To Est Gravity Feed Following

A-CCW2-XHE-G-6 Conserv Assumption 1 N/A N/A Failure of Fill and Spill

A-CCW3-XHE-G-6 Conserv Assumption 1 N/A Same as R6

A-CCW4-XHE-G-6 Conserv Assumption 1 N/A Same as R6

A-CCW1-XHE-C-4 A-R5W1-XHE-C-4 1.00E-03 Same as R6 N/A RECIRC: Fail To Est. HP Recirc

A-CCW2-XHE-C-4 A-R5W2-XHE-C-4 1.00E-03 Same as R6 N/A

A-CCW3-XHE-C-4 N/A N/A N/A N/A

A-CCW4-XHE-C-4 N/A N/A N/A N/A

A-CCW1-XHE-C-9 A-R5W1-XHE-C-9 1.00E-03 Same as R6 N/A RECIRC: Fail To Est. HP Recirc (B&F Successful

A-CCW2-XHE-C-9 A-R5W2-XHE-C-9 1.00E-03 Same as R6 N/A and SVs Not Removed) - @ 8 - 20 Hr, ==>

A-CCW3-XHE-C-9 N/A N/A N/A N/A Recognition of Low RWST Level Req'd

A-CCW4-XHE-C-9 N/A N/A N/A N/A

A-CCW2-XHE-X A-RAW2-XHE-X 1.00E-03 Same as R6 N/A Fail To Cross Tie RWST

A-CCW1-XHE-P-4 A-R5W1-XHE-P-4 1.00E-04 Same as R6 N/A RECIRC: Fail To Est. Recirc Spray

A-CCW2-XHE-P-4 A-R5W2-XHE-P-4 1.00E-04 Same as R6 N/A

A-CCW3-XHE-P-4 N/A N/A N/A N/A

A-CCW4-XHE-P-4 N/A N/A N/A N/A



D-4KD6-XHE Calculated N/A N/A N/A Failure To Diagnose Loss of 4kV Bus for D6

D-4KW1-XHE Calculated 2.30E-05 Same as R6 N/A Failure To Diagnose Loss of 4kV Bus in POS 6

D-4KW2-XHE Calculated 1.20E-05 Same as R6 N/A

D-4KW3-XHE D-4KW2-XHE 1.20E-05 Same as R6 N/A

D-4KW4-XHE Calculated 1.10E-06 Same as R6 N/A

A-4KW1-XHE-HCC Not HRA based. N/A Operator Action Fails To Restore 4kV Bus H

A-4KW2-XHE-HCC Not HRA based. N/A NOTE: Based on a Review of Data Presented
Elsewhere in this Report

A-4KW3-XHE-HCC Not HRA based.

A-4KW4-XHE-HCC Not HRA based.

A-4KD6-XHE-R-4 Not quantified. N/A N/A N/A Fail To Restore RHR Given Loss of 4kV in D6

A-4KW1-XHE-R-3 A-R5W1-XHE-R-4 1.20E-03 Same as D6 N/A Fail To Restore RHR Given Loss of 4kV In POS 6

A-4KW2-XHE-R-3 A-R5W2-XHE-R-4 5.20E-04 Same as D6 N/A

A-4KW3-XHE-R-3 A-R5W3-XHE-R-4 5.20E-04 Same as D6 Same as D6

A-4KW4-XHE-R-3 A-R5W4-XHE-R-5 1.20E-04 Same as D6 Same as D6

A-4KW1-XHE-R-12 Calculated 8.50E-03 Same as D6 N/A Fail To Restore RHR Given Loss of 4kV in POS 6 and
Failure To Restore Power to Bus H

A-4KW2-XHE-R-12 Calculated 3.00E-03 Same as D6 N/A

A-4KW3-XHE-R-9 A-4KW2-XHE-R-12 3.00E-03 Same as D6 Same as D6

A-4KW4-XHE-R-9 Calculated 9.60E-04 Same as D6 Same as D6

A-4KW1-XHE-S1-8 A-R5W1-XHE-SF-9 1.00E-03 N/A N/A REFLUX: Fail To Feed SG @ ~ 10 Hr ==>

A-4KW2-XHE-S1-8 A-R5W2-XHE-SF-9 1.00E-03 Same as R6 N/A Recognition of Low SG Level Req'd

A-4KW3-XHE-S1-8 A-R5W2-XHE-SF-9 N/A 1.00E-03 N/A

A-4KW4-XHE-S1-8 A-R5W2-XHE-SF-9 N/A 1.00E-03 N/A

A-4KW1-XHE-S2-8 A-RAW1-XHE-S1-9 4.00E-02 N/A N/A REFLUX: Fail To Bleed SG via ADV -Operator

A-4KW2-XHE-S2-8 A-RAW2-XHE-S1-9 2.60E-03 Same as R6 N/A will Attempt (Successful Diagnosis)

A-4KW3-XHE-S2-8 A-RAW3-XHE-S1-9 N/A 2.60E-03 N/A


Table 8-13 (Page 35 of 84). Quantitative Results of BNL/Surry Human Action Evaluations

Mean Failure Likelihood


Human Action Basis Description
R6 D6 R10

A-4KW4-XHE-S2-8 A-RAW4-XHE-S1-9 N/A 1.00E-03 N/A

A-4KW1-XHE-S3-8 Conserv Assumption 1 N/A N/A REFLUX: After PRT O/P, FTC PORVs & Fail To

A-4KW2-XHE-S3-8 Conserv Assumption 1 Same as R6 N/A Bleed SG via ADV; Late Action in Response To

A-4KW3-XHE-S3-8 Conserv Assumption N/A 1 N/A PRT Rupture-Only Reasonable Scenario is that

A-4KW4-XHE-S3-8 Conserv Assumption N/A 1 N/A Operator is Distracted by HW or Other Failures.

PRT Rupture is Strong Cue To Move Ahead in

AP-27

A-4KW1-XHE-S1-17 A-R5W1-XHE-SF-9 1.00E-03 N/A N/A REFLUX: Given Failure To Restore RHR Fail To Feed
SG @ ~ 10 Hr ==>

A-4KW2-XHE-S1-17 A-R5W2-XHE-SF-9 1.00E-03 Same as R6 N/A Recognition of Low SG Level Req'd

A-4KW3-XHE-S1-17 A-R5W2-XHE-SF-9 N/A 1.00E-03 N/A

A-4KW4-XHE-S1-17 A-R5W2-XHE-SF-9 N/A 1.00E-03 N/A

A-4KW1-XHE-S2-17 A-SIW1-XHE-S2-18 8.00E-02 N/A N/A REFLUX: Given Failure To Restore RHR, Fail To
Bleed SG via ADV -Operator

A-4KW2-XHE-S2-17 A-SIW2-XHE-S2-18 5.30E-03 Same as R6 N/A will Attempt (Successful Diagnosis)

A-4KW3-XHE-S2-17 A-SIW3-XHE-S2-18 N/A 5.30E-03 N/A


Table 8-13 (Page 36 of 84). Quantitative Results of BNL/Surry Human Action Evaluations

Mean Failure Likelihood


Human Action Basis Description
R6 D6 R10

A-4KW4-XHE-S2-17 A-SIW4-XHE-S2-18 N/A 2.00E-03 N/A

A-4KW1-XHE-S3-17 Conserv Assumption 1 N/A N/A REFLUX: After PRT O/P Given Failure To Restore
RHR, FTC PORVs & Fail To

A-4KW2-XHE-S3-17 Conserv Assumption 1 Same as R6 N/A Bleed SG via ADV; Late Action in Response to

A-4KW3-XHE-S3-17 Conserv Assumption N/A 1 N/A PRT Rupture-Only Reasonable Scenario is that

A-4KW4-XHE-S3-17 Conserv Assumption N/A 1 N/A Operator is Distracted by HW or Other Failures.

PRT Rupture is Strong Cue To Move Ahead in

AP-27

A-4KW1-XHE-FL-5 A-SIW1-XHE-FL-5 1.00E-02 Same as R6 N/A Fail F&B: Power Recovered at 4kV Bus H; RHR Not
Restored; SVs Removed

A-4KW2-XHE-FL-5 A-SIW2-XHE-FL-5 7.60E-04 Same as R6 N/A

A-4KW3-XHE-FL-4 A-SIW3-XHE-FL-4 7.60E-04 Same as R6 Same as R6

A-4KW4-XHE-FL-4 A-SIW4-XHE-FL-4 6.90E-05 Same as R6 Same as R6

A-4KW1-XHE-FL-10 A-SIW1-XHE-FL-10 6.60E-02 Same as R6 N/A Fail F&B: Power Recovered at 4kV Bus H; RHR Not
Restored; SVs Not Removed

A-4KW2-XHE-FL-10 A-SIW2-XHE-FL-10 2.00E-03 Same as R6 N/A


Table 8-13 (Page 37 of 84). Quantitative Results of BNL/Surry Human Action Evaluations

Mean Failure Likelihood


Human Action Basis Description
R6 D6 R10

A-4KW3-XHE-FL-13 A-SIW3-XHE-FL-13 2.00E-03 Same as R6 Same as R6

A-4KW4-XHE-FL-13 A-SIW4-XHE-FL-13 6.90E-05 Same as R6 Same as R6

A-4KW1-XHE-FL-14 A-SIW1-XHE-FL-14 6.10E-02 Same as R6 N/A Fail F&B: Power Not Restored to 4kV Bus H; RHR
Not Restored; SVs Removed

A-4KW2-XHE-FL-14 A-SIW2-XHE-FL-14 8.00E-03 Same as R6 N/A

A-4KW3-XHE-FL-10 A-SIW3-XHE-FL-10 8.00E-03 Same as R6 Same as R6

A-4KW4-XHE-FL-10 A-SIW4-XHE-FL-10 1.10E-03 Same as R6 Same as R6

A-4KW1-XHE-FL-19 A-SIW1-XHE-FL-19 6.10E-02 Same as R6 N/A Fail F&B: Power Not Restored to 4kV Bus H; RHR
Not Restored; SVs Not Removed

A-4KW2-XHE-FL-19 A-SIW2-XHE-FL-19 1.30E-02 Same as R6 N/A

A-4KW3-XHE-FL-7 A-SIW3-XHE-FL-7 1.30E-02 Same as R6 Same as R6

A-4KW4-XHE-FL-7 A-SIW4-XHE-FL-7 1.10E-03 Same as R6 Same as R6

A-4KW1-XHE-FH-5 A-R5W1-XHE-FH-5 5.00E-05 Same as R6 N/A Fail F&B: Power Recovered at 4kV Bus H; RHR Not
Restored; SVs Removed

A-4KW2-XHE-FH-5 A-R5W2-XHE-FH-5 2.00E-05 Same as R6 N/A

A-4KW3-XHE-FH-4 A-R5W3-XHE-FH-5 2.00E-05 Same as R6 Same as R6


Table 8-13 (Page 38 of 84). Quantitative Results of BNL/Surry Human Action Evaluations

Mean Failure Likelihood


Human Action Basis Description
R6 D6 R10

A-4KW4-XHE-FH-4 A-R5W4-XHE-FH-5 2.00E-05 Same as R6 Same as R6

A-4KW1-XHE-FH-10 A-R5W1-XHE-FH-5 5.00E-05 Same as R6 N/A Fail F&B: Power Recovered at 4kV Bus H; RHR Not
Restored; SVs Not Removed

A-4KW2-XHE-FH-10 A-R5W2-XHE-FH-5 2.00E-05 Same as R6 N/A

A-4KW3-XHE-FH-13 A-R5W3-XHE-FH-5 2.00E-05 Same as R6 Same as R6

A-4KW4-XHE-FH-13 A-R5W4-XHE-FH-5 2.00E-05 Same as R6 Same as R6

A-4KW1-XHE-FH-14 A-R5W1-XHE-FH-5 5.00E-05 Same as R6 N/A Fail F&B: Power Not Restored to 4kV Bus H; RHR
Not Restored; SVs Removed

A-4KW2-XHE-FH-14 A-R5W2-XHE-FH-5 2.00E-05 Same as R6 N/A

A-4KW3-XHE-FH-10 A-R5W3-XHE-FH-5 2.00E-05 Same as R6 Same as R6

A-4KW4-XHE-FH-10 A-R5W4-XHE-FH-5 2.00E-05 Same as R6 Same as R6

A-4KW1-XHE-FH-19 A-R5W1-XHE-FH-5 5.00E-05 Same as R6 N/A Fail F&B: Power Not Restored to 4kV Bus H; RHR
Not Restored; SVs Not Removed

A-4KW2-XHE-FH-19 A-R5W2-XHE-FH-5 2.00E-05 Same as R6 N/A

A-4KW3-XHE-FH-7 A-R5W3-XHE-FH-5 2.00E-05 Same as R6 Same as R6

A-4KW4-XHE-FH-7 A-R5W4-XHE-FH-5 2.00E-05 Same as R6 Same as R6


Table 8-13 (Page 39 of 84). Quantitative Results of BNL/Surry Human Action Evaluations

Mean Failure Likelihood


Human Action Basis Description
R6 D6 R10

A-4KW1-XHE-G6 Conserv Assumption N/A N/A GRAVITY: Fail To Est. Gravity Feed Following

A-4KW2-XHE-G6 Conserv Assumption N/A N/A Failure of Fill and Spill. Power Restored to 4 kV
Bus H

A-4KW3-XHE-G5 Conserv Assumption N/A Same as R6

A-4KW4-XHE-G5 Conserv Assumption N/A Same as R6

A-4KW1-XHE-G15 Conserv Assumption N/A N/A GRAVITY: Fail To Est. Gravity Feed Following

A-4KW2-XHE-G15 Conserv Assumption N/A N/A Failure of Fill and Spill. Power Not Restored to 4 kV
Bus H

A-4KW3-XHE-G11 Conserv Assumption N/A Same as R6

A-4KW4-XHE-G11 Conserv Assumption N/A Same as R6

A-4KW1-XHE-C-4 A-R5W1-XHE-C-4 1.00E-03 Same as R6 N/A RECIRC: Fail To Est. HP Recirc (Power Restored to
4kV Bus, B&F Successful

A-4KW2-XHE-C-4 A-R5W2-XHE-C-4 1.00E-03 Same as R6 N/A and SVs Removed) @ 8 - 20 Hr, ==>

A-4KW3-XHE-C-4 N/A N/A N/A N/A Recognition of Low RWST Level Req'd

A-4KW4-XHE-C-4 N/A N/A N/A N/A


Table 8-13 (Page 40 of 84). Quantitative Results of BNL/Surry Human Action Evaluations

Mean Failure Likelihood


Human Action Basis Description
R6 D6 R10

A-4KW1-XHE-C-13 A-R5W1-XHE-C-9 1.00E-03 Same as R6 N/A RECIRC: Fail To Est. HP Recirc (Power Not Restored
to 4kV Bus, B&F Successful

A-4KW2-XHE-C-13 A-R5W2-XHE-C-9 1.00E-03 Same as R6 N/A and SVs Removed) @ 8 - 20 Hr, ==>

A-4KW3-XHE-C-13 N/A N/A N/A N/A Recognition of Low RWST Level Req'd.

A-4KW4-XHE-C-13 N/A N/A N/A N/A

A-4KW1-XHE-C-9 A-R5W1-XHE-C-4 1.00E-03 Same as R6 N/A RECIRC: Fail To Est. HP Recirc (Power Restored to
4kV Bus, B&F Successful

A-4KW2-XHE-C-9 A-R5W2-XHE-C-4 1.00E-03 Same as R6 N/A and SVs Not Removed) @ 8 - 20 Hr, ==>
Recognition

A-4KW3-XHE-C-9 N/A N/A N/A N/A of Low RWST Level Req'd

A-4KW4-XHE-C-9 N/A N/A N/A N/A

A-4KW1-XHE-C-18 A-R5W1-XHE-C-9 1.00E-03 Same as R6 N/A RECIRC: Fail To Est. HP Recirc (Power Not Restored
to 4kV Bus, B&F Successful

A-4KW2-XHE-C-18 A-R5W2-XHE-C-9 1.00E-03 Same as R6 N/A and SVs Not Removed) @ 8 - 20 Hr, ==>
Recognition

A-4KW3-XHE-C-18 N/A N/A N/A N/A of Low RWST Level Req'd

A-4KW4-XHE-C-18 N/A N/A N/A N/A


Table 8-13 (Page 41 of 84). Quantitative Results of BNL/Surry Human Action Evaluations

Mean Failure Likelihood


Human Action Basis Description
R6 D6 R10

A-4KW2-XHE-X A-R5W2-XHE-X 1.00E-03 Same as R6 N/A Fail To Cross Tie RWST

A-4KW1-XHE-P-4 A-R5W1-XHE-P-4 1.00E-04 Same as R6 N/A RECIRC: Fail To Est Recirc Spray (Power Restored
to 4kV Bus, B&F Successful

A-4KW2-XHE-P-4 A-R5W2-XHE-P-4 1.00E-04 Same as R6 N/A and SVs Removed)

A-4KW3-XHE-P-4 N/A N/A N/A N/A

A-4KW4-XHE-P-4 N/A N/A N/A N/A

A-4KW1-XHE-P-13 A-R5W1-XHE-P-4 1.00E-04 Same as R6 N/A RECIRC: Fail To Est Recirc Spray (Power Not
Restored to 4kV Bus B&F Successful

A-4KW2-XHE-P-13 A-R5W2-XHE-P-4 1.00E-04 Same as R6 N/A and SVs Removed)

A-4KW3-XHE-P-13 N/A N/A N/A N/A

A-4KW4-XHE-P-13 N/A N/A N/A N/A

A-4KW1-XHE-P-9 A-R5W1-XHE-P-4 1.00E-04 Same as R6 N/A RECIRC: Fail To Est Recirc Spray (Power Restored to
4kV Bus, B&F Successful

A-4KW2-XHE-P-9 A-R5W2-XHE-P-4 1.00E-04 Same as R6 N/A and SVs Not Removed)

A-4KW3-XHE-P-9 N/A N/A N/A N/A

A-4KW4-XHE-P-9 N/A N/A N/A N/A


Table 8-13 (Page 42 of 84). Quantitative Results of BNL/Surry Human Action Evaluations

Mean Failure Likelihood


Human Action Basis Description
R6 D6 R10

A-4KW1-XHE-P-18 A-R5W1-XHE-P-4 1.00E-04 Same as R6 N/A RECIRC: Fail To Est Recirc Spray (Power Not
Restored to 4kV Bus B&F Successful

A-4KW2-XHE-P-18 A-R5W2-XHE-P-4 1.00E-04 Same as R6 N/A and SVs Not Removed)

A-4KW3-XHE-P-18 N/A N/A N/A N/A

A-4KW4-XHE-P-18 N/A N/A N/A N/A

D-L1W1-XHE Calculated 8.20E-04 Same as R6 N/A Diagnose Loss of Offsite Power

D-L1W2-XHE Calculated 3.60E-04 Same as R6 N/A

D-L1W3-XHE D-L1W2-XHE 3.60E-04 Same as R6 Same as R6

D-L1W4-XHE Calculated 8.00E-05 Same as R6 Same as R6

A-L1W1-XHE-R-4 Calculated 1.60E-02 Same as R6 N/A Fail To Restore RHR

A-L1W2-XHE-R-4 Calculated 5.90E-03 Same as R6 N/A

A-L1W3-XHE-R-4 A-L1W2-XHE-R-4 5.90E-03 Same as R6 Same as R6

A-L1W4-XHE-R-4 Calculated 1.60E-03 Same as R6 Same as R6

A-L1W1-XHE-SF-13 A-R5W1-XHE-SF-9 1.00E-03 N/A N/A Fail To Feed SGs Given Fail To Restore RHR but
Successful Level Control
Table 8-13 (Page 43 of 84). Quantitative Results of BNL/Surry Human Action Evaluations

Mean Failure Likelihood


Human Action Basis Description
R6 D6 R10

A-L1W2-XHE-SF-13 A-R5W2-XHE-SF-9 1.00E-03 1.00E-03 N/A

A-L1W3-XHE-SF-13 A-RAW3-XHE-SF-9 N/A 1.00E-03 N/A

A-L1W4-XHE-SF-13 A-RAW4-XHE-SF-9 N/A 1.00E-03 N/A

A-L1W1-XHE-S1-13 A-R5W1-XHE-S1-9 4.00E-02 N/A N/A REFLUX: Fail To Bleed SG via ADV -Operator

A-L1W2-XHE-S1-13 A-R5W2-XHE-S1-9 2.60E-03 2.60E-03 N/A will Attempt (Successful Diagnosis)

A-L1W3-XHE-S1-13 A-RAW3-XHE-S1-9 N/A 2.60E-03 N/A

A-L1W4-XHE-S1-13 A-RAW4-XHE-S1-9 N/A 1.00E-03 N/A

A-L1W1-XHE-S2-13 Conserv Assumption 1 N/A N/A Fail To Establish Reflux after PRT Rupture Given Fail
To Restore RHR but Successful Level Control

A-L1W2-XHE-S2-13 Conserv Assumption 1 1 N/A

A-L1W3-XHE-S2-13 Conserv Assumption N/A 1 N/A

A-L1W4-XHE-S2-13 Conserv Assumption N/A 1 N/A

A-L1W1-XHE-SF-17 A-R5W1-XHE-SF-9 1.00E-03 N/A N/A Fail To Feed SGs Given Fail To Restore RHR but
Successful Level Control;SVs Not Removed

A-L1W2-XHE-SF-17 A-R5W2-XHE-SF-9 1.00E-03 1.00E-03 N/A

A-L1W3-XHE-SF-17 A-RAW3-XHE-SF-9 N/A 1.00E-03 N/A


Table 8-13 (Page 44 of 84). Quantitative Results of BNL/Surry Human Action Evaluations

Mean Failure Likelihood


Human Action Basis Description
R6 D6 R10

A-L1W4-XHE-SF-17 A-RAW4-XHE-SF-9 N/A 1.00E-03 N/A

A-L1W1-XHE-S1-17 A-SIW1-XHE-S2-18 8.00E-02 N/A N/A REFLUX: Fail To Bleed SG via ADV -Operator

A-L1W2-XHE-S1-17 A-SIW2-XHE-S2-18 5.30E-03 5.30E-03 N/A will Attempt (Successful Diagnosis)

A-L1W3-XHE-S1-17 A-SIW3-XHE-S2-18 N/A 5.30E-03 N/A SVs Not Removed

A-L1W4-XHE-S1-17 A-SIW4-XHE-S2-18 N/A 2.00E-03 N/A

A-L1W1-XHE-S2-17 Conserv Assumption 1 N/A N/A Fail To Establish Reflux after PRT Rupture Given Fail
To Restore RHR but Successful Level Control; SVs
Not Removed

A-L1W2-XHE-S2-17 Conserv Assumption 1 1 N/A

A-L1W3-XHE-S2-17 Conserv Assumption N/A 1 N/A

A-L1W4-XHE-S2-17 Conserv Assumption N/A 1 N/A

A-L1W1-XHE-FL-5 A-SIW1-XHE-FL-5 1.00E-02 Same as R6 N/A B&F, SV Removed==>First Action.

A-L1W2-XHE-FL-5 A-SIW2-XHE-FL-5 7.60E-04 Same as R6 N/A Fail To Use LHSI F&S - -Operator will Attempt

A-L1W3-XHE-FL-4 A-SIW3-XHE-FL-4 7.60E-04 Same as R6 Same as R6 (Successful Diagnosis) ;POWER RESTORED

A-L1W4-XHE-FL-4 A-SIW4-XHE-FL-4 6.90E-05 Same as R6 Same as R6


Table 8-13 (Page 45 of 84). Quantitative Results of BNL/Surry Human Action Evaluations

Mean Failure Likelihood


Human Action Basis Description
R6 D6 R10

A-L1W1-XHE-FH-5 A-R5W1-XHE-FH-5 5.00E-05 Same as R6 N/A B&F: Fail To Use HHSI | LHSI Failed - -Operator

A-L1W2-XHE-FH-5 A-R5W2-XHE-FH-5 2.00E-05 Same as R6 N/A will Attempt (Successful Diagnosis & LHSI

A-L1W3-XHE-FH-4 A-R5W3-XHE-FH-4 2.00E-05 Same as R6 Same as R6 Attempted and Failed) POWER RESTORED

A-L1W4-XHE-FH-4 A-R5W4-XHE-FH-5 2.00E-05 Same as R6 Same as R6

A-L1W1-XHE-FL-9 A-SIW1-XHE-FL-10 6.60E-02 Same as R6 N/A B&F, SV Removed==>First Action.

A-L1W2-XHE-FL-9 A-SIW2-XHE-FL-10 2.00E-03 Same as R6 N/A Fail To Use LHSI F&S - -Operator will Attempt

A-L1W3-XHE-FL-7 A-SIW3-XHE-FL-13 2.00E-03 Same as R6 Same as R6 (Successful Diagnosis) ;POWER NOT RESTORED

A-L1W4-XHE-FL-7 A-SIW4-XHE-FL-13 6.90E-05 Same as R6 Same as R6

A-L1W1-XHE-FH-9 A-R5W1-XHE-FH-10 5.00E-05 Same as R6 N/A B&F: Fail To Use HHSI | LHSI Failed - -Operator

A-L1W2-XHE-FH-9 A-R5W2-XHE-FH-10 2.00E-05 Same as R6 N/A will Attempt (Successful Diagnosis & LHSI

A-L1W3-XHE-FH-7 A-R5W3-XHE-FH-13 2.00E-05 Same as R6 Same as R6 Attempted and Failed) POWER NOT RESTORED

A-L1W4-XHE-FH-7 A-R5W4-XHE-FH-13 2.00E-05 Same as R6 Same as R6

A-L1W1-XHE-FL-14 A-SIW1-XHE-FL-14 6.10E-02 Same as R6 N/A B&F, SV Not Removed==> Reflux Failed.

A-L1W2-XHE-FL-14 A-SIW2-XHE-FL-14 8.00E-03 Same as R6 N/A Fail To Use LHSI F&S - -Operator will Attempt

A-L1W3-XHE-FL-14 A-SIW3-XHE-FL-10 8.00E-03 Same as R6 Same as R6 when Reflux Fails To Provide Cooling (Successful
Table 8-13 (Page 46 of 84). Quantitative Results of BNL/Surry Human Action Evaluations

Mean Failure Likelihood


Human Action Basis Description
R6 D6 R10

A-L1W4-XHE-FL-14 A-SIW4-XHE-FL-10 1.10E-03 Same as R6 Same as R6 Diagnosis). Timing and Cues Worse than FL-5
POWER RESTORED

A-L1W1-XHE-FH-14 A-R5W1-XHE-FH-14 5.00E-05 Same as R6 N/A B&F: Fail To Use HHSI | LHSI Failed - -Operator

A-L1W2-XHE-FH-14 A-R5W2-XHE-FH-14 2.00E-05 Same as R6 N/A will Attempt (Successful Diagnosis & LHSI Failed)
POWER RESTORED

A-L1W3-XHE-FH-14 A-R5W3-XHE-FH-10 2.00E-05 Same as R6 Same as R6

A-L1W4-XHE-FH-14 A-R5W4-XHE-FH-10 2.00E-05 Same as R6 Same as R6

A-L1W1-XHE-FL-18 A-SIW1-XHE-FL-19 6.10E-02 Same as R6 N/A B&F, SV Not Removed==>Reflux Failed.

A-L1W2-XHE-FL-18 A-SIW2-XHE-FL-19 1.30E-02 Same as R6 N/A Fail To Use LHSI F&S - -Operator will Attempt

A-L1W3-XHE-FL-10 A-SIW3-XHE-FL-7 1.30E-02 Same as R6 Same as R6 when Reflux Fails To Provide Cooling (Successful

A-L1W4-XHE-FL-10 A-SIW4-XHE-FL-7 1.10E-03 Same as R6 Same as R6 Diagnosis). Timing and Cues Worse than FL-5
POWER NOT RESTORED

A-L1W1-XHE-FH-18 A-R5W1-XHE-FH-19 5.00E-05 Same as R6 N/A B&F: Fail To Use HHSI | LHSI Failed - -Operator

A-L1W2-XHE-FH-18 A-R5W2-XHE-FH-19 2.00E-05 Same as R6 N/A will Attempt (Successful Diagnosis & LHSI Failed)
POWER NOT RESTORED

A-L1W3-XHE-FH-10 A-R5W3-XHE-FH-7 2.00E-05 Same as R6 Same as R6

A-L1W4-XHE-FH-10 A-R5W4-XHE-FH-7 2.00E-05 Same as R6 Same as R6


Table 8-13 (Page 47 of 84). Quantitative Results of BNL/Surry Human Action Evaluations

Mean Failure Likelihood


Human Action Basis Description
R6 D6 R10

A-L1W1-XHE-G-6 Conserv Assumption 1 N/A N/A GRAVITY: Fail To Est Gravity Feed Following

A-L1W2-XHE-G-6 Conserv Assumption 1 N/A N/A Failure of Fill and Spill. Only Reasonable Case is if

A-L1W3-XHE-G-5 Conserv Assumption 1 N/A Same as R6 FR3W1 Failed due to HW. Use Guaranteed

A-L1W4-XHE-G-5 Conserv Assumption 1 N/A Same as R6 Failure. Edit to Old Gravity Feed Event Only for

Cutsets with Success of A-R3W#-XHE-FL-5 POWER


RESTORED

A-L1W1-XHE-G-10 Conserv Assumption 1 N/A N/A GRAVITY: Fail To Est. Gravity Feed Following

A-L1W2-XHE-G-10 Conserv Assumption 1 N/A N/A Failure of Fill and Spill. Only Reasonable Case is if

A-L1W3-XHE-G-7 Conserv Assumption 1 N/A Same as R6 FR3W1 Failed due to HW. Use Guaranteed

A-L1W4-XHE-G-7 Conserv Assumption 1 N/A Same as R6 Failure. Edit to Old Gravity Feed Event only for

Cutsets with Success of A-R3W#-XHE-FL-5. POWER


NOT RESTORED

A-L1W1-XHE-C-4 A-R5W1-XHE-C-4 1.00E-03 Same as R6 N/A Fail HP Recirc with SV Removed Given Fail To
Restore RHR POWER RESTORED

A-L1W2-XHE-C-4 A-R5W2-XHE-C-4 1.00E-03 Same as R6 N/A

A-L1W3-XHE-C-4 N/A N/A N/A N/A


Table 8-13 (Page 48 of 84). Quantitative Results of BNL/Surry Human Action Evaluations

Mean Failure Likelihood


Human Action Basis Description
R6 D6 R10

A-L1W4-XHE-C-4 N/A N/A N/A N/A

A-L1W1-XHE-C-8 A-R5W1-XHE-C-9 1.00E-03 Same as R6 N/A Fail HP Recirc with SV Removed Given Fail To
Restore RHR POWER NOT RESTORED

A-L1W2-XHE-C-8 A-R5W2-XHE-C-9 1.00E-03 Same as R6 N/A

A-L1W3-XHE-C-8 N/A N/A N/A N/A

A-L1W4-XHE-C-8 N/A N/A N/A N/A

A-L1W1-XHE-C-13 A-R5W1-XHE-C-4 1.00E-03 Same as R6 N/A Fail HP Recirc with SV Not Removed Given Fail To
Restore RHR POWER RESTORED

A-L1W2-XHE-C-13 A-R5W2-XHE-C-4 1.00E-03 Same as R6 N/A

A-L1W3-XHE-C-13 N/A N/A N/A N/A

A-L1W4-XHE-C-13 N/A N/A N/A N/A

A-L1W1-XHE-C-17 A-R5W1-XHE-C-9 1.00E-03 Same as R6 N/A Fail HP Recirc with SV Not Removed Given Fail To
Restore RHR POWER NOT RESTORED

A-L1W2-XHE-C-17 A-R5W2-XHE-C-9 1.00E-03 Same as R6 N/A

A-L1W3-XHE-C-17 N/A N/A N/A N/A

A-L1W4-XHE-C-17 N/A N/A N/A N/A


Table 8-13 (Page 49 of 84). Quantitative Results of BNL/Surry Human Action Evaluations

Mean Failure Likelihood


Human Action Basis Description
R6 D6 R10

A-L1W1-XHE-P-4 A-R5W1-XHE-P-4 1.00E-04 Same as R6 N/A Fail Recirc Spray: SVs Removed, POWER
RESTORED

A-L1W2-XHE-P-4 A-R5W2-XHE-P-4 1.00E-04 Same as R6 N/A

A-L1W3-XHE-P-4 N/A N/A N/A N/A

A-L1W4-XHE-P-4 N/A N/A N/A N/A

A-L1W1-XHE-P-8 A-R5W1-XHE-P-9 1.00E-04 Same as R6 N/A Fail Recirc Spray: SVs Removed. POWER NOT
RESTORED

A-L1W2-XHE-P-8 A-R5W2-XHE-P-9 1.00E-04 Same as R6 N/A

A-L1W3-XHE-P-8 N/A N/A N/A N/A

A-L1W4-XHE-P-8 N/A N/A N/A N/A

A-L1W1-XHE-P-13 A-R5W1-XHE-P-4 1.00E-04 Same as R6 N/A Fail Recirc Spray: SVs Not Removed, POWER
RESTORED

A-L1W2-XHE-P-13 A-R5W2-XHE-P-4 1.00E-04 Same as R6 N/A

A-L1W3-XHE-P-13 N/A N/A N/A N/A

A-L1W4-XHE-P-13 N/A N/A N/A N/A


Table 8-13 (Page 50 of 84). Quantitative Results of BNL/Surry Human Action Evaluations

Mean Failure Likelihood


Human Action Basis Description
R6 D6 R10

A-L1W1-XHE-P-17 A-R5W1-XHE-P-9 1.00E-04 Same as R6 N/A Fail Recirc Spray: SVs Not Removed, POWER NOT
RESTORED

A-L1W2-XHE-P-17 A-R5W2-XHE-P-9 1.00E-04 Same as R6 N/A

A-L1W3-XHE-P-17 N/A N/A N/A N/A

A-L1W4-XHE-P-17 N/A N/A N/A N/A

D-L2W1-XHE Calculated 1.10E-03 Same as R6 N/A Diagnose Loss of Offsite Power

D-L2W2-XHE Calculated 4.70E-04 Same as R6 N/A

D-L2W3-XHE D-L2W2-XHE 4.70E-04 Same as R6 Same as R6

D-L2W4-XHE Calculated 1.00E-04 Same as R6 Same as R6

A-L2W1-XHE-R-4 A-L1W1-XHE-R-4 1.60E-02 Same as R6 N/A Fail To Restore RHR

A-L2W2-XHE-R-4 A-L1W2-XHE-R-4 5.90E-03 Same as R6 N/A

A-L2W3-XHE-R-4 A-L1W3-XHE-R-4 5.90E-03 Same as R6 Same as R6

A-L2W4-XHE-R-4 A-L1W4-XHE-R-4 1.60E-03 Same as R6 Same as R6

A-L2W1-XHE-SF-13 A-R5W1-XHE-SF-9 1.00E-03 N/A N/A Fail To Feed SGs given Fail To Restore RHR but
Successful Level Control

A-L2W2-XHE-SF-13 A-R5W2-XHE-SF-9 1.00E-03 1.00E-03 N/A


Table 8-13 (Page 51 of 84). Quantitative Results of BNL/Surry Human Action Evaluations

Mean Failure Likelihood


Human Action Basis Description
R6 D6 R10

A-L2W3-XHE-SF-13 A-RAW3-XHE-SF-9 N/A 1.00E-03 N/A

A-L2W4-XHE-SF-13 A-RAW4-XHE-SF-9 N/A 1.00E-03 N/A

A-L2W1-XHE-S1-13 A-R5W1-XHE-S1-9 4.00E-02 N/A N/A REFLUX: Fail To Bleed SG via ADV -Operator

A-L2W2-XHE-S1-13 A-R5W2-XHE-S1-9 2.60E-03 2.60E-03 N/A will Attempt (Successful Diagnosis)

A-L2W3-XHE-S1-13 A-RAW3-XHE-S1-9 N/A 2.60E-03 N/A

A-L2W4-XHE-S1-13 A-RAW4-XHE-S1-9 N/A 1.00E-03 N/A

A-L2W1-XHE-S2-13 Conserv Assumption 1 N/A N/A Fail To Establish Reflux after PRT Rupture Given Fail
To Restore RHR but Successful Level Control

A-L2W2-XHE-S2-13 Conserv Assumption 1 1 N/A

A-L2W3-XHE-S2-13 Conserv Assumption N/A 1 N/A

A-L2W4-XHE-S2-13 Conserv Assumption N/A 1 N/A

A-L2W1-XHE-SF-17 A-R5W1-XHE-SF-9 1.00E-03 N/A N/A Fail To Feed SGs Given Fail To Restore RHR but
Successful Level Control;SVs Not Removed

A-L2W2-XHE-SF-17 A-R5W2-XHE-SF-9 1.00E-03 1.00E-03 N/A

A-L2W3-XHE-SF-17 A-RAW3-XHE-SF-9 N/A 1.00E-03 N/A

A-L2W4-XHE-SF-17 A-RAW4-XHE-SF-9 N/A 1.00E-03 N/A


Table 8-13 (Page 52 of 84). Quantitative Results of BNL/Surry Human Action Evaluations

Mean Failure Likelihood


Human Action Basis Description
R6 D6 R10

A-L2W1-XHE-S1-17 A-SIW1-XHE-S2-18 8.00E-02 N/A N/A REFLUX: Fail To Bleed SG via ADV -Operator

A-L2W2-XHE-S1-17 A-SIW2-XHE-S2-18 5.30E-03 5.30E-03 N/A will Attempt (Successful Diagnosis)

A-L2W3-XHE-S1-17 A-SIW3-XHE-S2-18 N/A 5.30E-03 N/A SVs Not Removed

A-L2W4-XHE-S1-17 A-SIW4-XHE-S2-18 N/A 2.00E-03 N/A

A-L2W1-XHE-S2-17 Conserv Assumption 1 N/A N/A Fail To Establish Reflux after PRT Rupture Given Fail
To Restore RHR but Successful Level Control; SVs
Not Removed

A-L2W2-XHE-S2-17 Conserv Assumption 1 1 N/A

A-L2W3-XHE-S2-17 Conserv Assumption N/A 1 N/A

A-L2W4-XHE-S2-17 Conserv Assumption N/A 1 N/A

A-L2W1-XHE-FL-5 A-SIW1-XHE-FL-5 1.00E-02 Same as R6 N/A B&F, SV Removed==>First Action.

A-L2W2-XHE-FL-5 A-SIW2-XHE-FL-5 7.60E-04 Same as R6 N/A Fail To Use LHSI F&S - -Operator will Attempt

A-L2W3-XHE-FL-4 A-SIW3-XHE-FL-4 7.60E-04 Same as R6 Same as R6 (Successful Diagnosis);POWER RESTORED

A-L2W4-XHE-FL-4 A-SIW4-XHE-FL-4 6.90E-05 Same as R6 Same as R6


A-L2W1-XHE-FH-5 A-R5W1-XHE-FH-5 5.00E-05 Same as R6 N/A B&F: Fail To Use HHSI | LHSI Failed - -Operator
Table 8-13 (Page 53 of 84). Quantitative Results of BNL/Surry Human Action Evaluations

Mean Failure Likelihood


Human Action Basis Description
R6 D6 R10

A-L2W2-XHE-FH-5 A-R5W2-XHE-FH-5 2.00E-05 Same as R6 N/A will Attempt (Successful Diagnosis & LHSI

A-L2W3-XHE-FH-4 A-R5W3-XHE-FH-4 2.00E-05 Same as R6 Same as R6 Attempted and Failed) POWER RESTORED

A-L2W4-XHE-FH-4 A-R5W4-XHE-FH-5 2.00E-05 Same as R6 Same as R6

A-L2W1-XHE-FL-9 A-SIW1-XHE-FL-10 6.60E-02 Same as R6 N/A B&F, SV Removed==>First Action.

A-L2W2-XHE-FL-9 A-SIW2-XHE-FL-10 2.00E-03 Same as R6 N/A Fail To Use LHSI F&S - -Operator will Attempt

A-L2W3-XHE-FL-7 A-SIW3-XHE-FL-13 2.00E-03 Same as R6 Same as R6 (Successful Diagnosis) ;POWER NOT RESTORED

A-L2W4-XHE-FL-7 A-SIW4-XHE-FL-13 6.90E-05 Same as R6 Same as R6

A-L2W1-XHE-FH-9 A-R5W1-XHE-FH-10 5.00E-05 Same as R6 N/A B&F: Fail To Use HHSI | LHSI Failed - -Operator

A-L2W2-XHE-FH-9 A-R5W2-XHE-FH-10 2.00E-05 Same as R6 N/A will Attempt (Successful Diagnosis & LHSI

A-L2W3-XHE-FH-7 A-R5W3-XHE-FH-13 2.00E-05 Same as R6 Same as R6 Attempted and Failed) POWER NOT RESTORED

A-L2W4-XHE-FH-7 A-R5W4-XHE-FH-13 2.00E-05 Same as R6 Same as R6

A-L2W1-XHE-FL-14 A-SIW1-XHE-FL-14 6.10E-02 Same as R6 N/A B&F, SV Not Removed==>Reflux Failed.

A-L2W2-XHE-FL-14 A-SIW2-XHE-FL-14 8.00E-03 Same as R6 N/A Fail To Use LHSI F&S - -Operator will Attempt

A-L2W3-XHE-FL-14 A-SIW3-XHE-FL-10 8.00E-03 Same as R6 Same as R6 when Reflux Fails To Provide Cooling (Successful

A-L2W4-XHE-FL-14 A-SIW4-XHE-FL-10 1.10E-03 Same as R6 Same as R6 diagnosis). Timing and Cues Worse than FL-5
POWER RESTORED
Table 8-13 (Page 54 of 84). Quantitative Results of BNL/Surry Human Action Evaluations

Mean Failure Likelihood


Human Action Basis Description
R6 D6 R10

A-L2W1-XHE-FH-14 A-R5W1-XHE-FH-14 5.00E-05 Same as R6 N/A B&F: Fail To Use HHSI | LHSI Failed - -Operator

A-L2W2-XHE-FH-14 A-R5W2-XHE-FH-14 2.00E-05 Same as R6 N/A will Attempt (Successful Diagnosis & LHSI Failed)
POWER RESTORED

A-L2W3-XHE-FH-14 A-R5W3-XHE-FH-10 2.00E-05 Same as R6 Same as R6

A-L2W4-XHE-FH-14 A-R5W4-XHE-FH-10 2.00E-05 Same as R6 Same as R6

A-L2W1-XHE-FL-18 A-SIW1-XHE-FL-19 6.10E-02 Same as R6 N/A B&F, SV Not Removed==>Reflux Failed.

A-L2W2-XHE-FL-18 A-SIW2-XHE-FL-19 1.30E-02 Same as R6 N/A Fail To Use LHSI F&S - -Operator will Attempt

A-L2W3-XHE-FL-10 A-SIW3-XHE-FL-7 1.30E-02 Same as R6 Same as R6 when Reflux Fails To Provide Cooling (Successful

A-L2W4-XHE-FL-10 A-SIW4-XHE-FL-7 1.10E-03 Same as R6 Same as R6 Diagnosis). Timing and Cues Worse than FL-5
POWER NOT RESTORED

A-L2W1-XHE-FH-18 A-R5W1-XHE-FH-19 5.00E-05 Same as R6 N/A B&F: Fail To Use HHSI | LHSI Failed - -Operator

A-L2W2-XHE-FH-18 A-R5W2-XHE-FH-19 2.00E-05 Same as R6 N/A will Attempt (Successful Diagnosis & LHSI Failed)
POWER NOT RESTORED

A-L2W3-XHE-FH-10 A-R5W3-XHE-FH-7 2.00E-05 Same as R6 Same as R6

A-L2W4-XHE-FH-10 A-R5W4-XHE-FH-7 2.00E-05 Same as R6 Same as R6


Table 8-13 (Page 55 of 84). Quantitative Results of BNL/Surry Human Action Evaluations

Mean Failure Likelihood


Human Action Basis Description
R6 D6 R10

A-L2W1-XHE-G-6 Conserv Assumption 1 N/A N/A GRAVITY: Fail To Est Gravity Feed Following

A-L2W2-XHE-G-6 Conserv Assumption 1 N/A N/A Failure of Fill and Spill. Only Reasonable Case is if

A-L2W3-XHE-G-5 Conserv Assumption 1 N/A Same as R6 FR3W1 Failed due to HW. Use Guaranteed

A-L2W4-XHE-G-5 Conserv Assumption 1 N/A Same as R6 Failure. Edit to Old Gravity Feed Event Only for

Cutsets with Success of A-R3W#-XHE-FL-5 POWER


RESTORED

A-L2W1-XHE-G-10 Conserv Assumption 1 N/A N/A GRAVITY: Fail To Est. Gravity Feed Following

A-L2W2-XHE-G-10 Conserv Assumption 1 N/A N/A Failure of Fill and Spill. Only Reasonable Case is if

A-L2W3-XHE-G-7 Conserv Assumption 1 N/A Same as R6 FR3W1 Failed due to HW. Use Guaranteed

A-L2W4-XHE-G-7 Conserv Assumption 1 N/A Same as R6 Failure. Edit to Old Gravity Feed Event Only for

Cutsets with Success of A-R3W#-XHE-FL-5. POWER


NOT RESTORED

A-L2W1-XHE-C-4 A-R5W1-XHE-C-4 1.00E-03 Same as R6 N/A Fail HP Recirc with SV Removed Given Fail To
Restore RHR POWER RESTORED

A-L2W2-XHE-C-4 A-R5W2-XHE-C-4 1.00E-03 Same as R6 N/A

A-L2W3-XHE-C-4 N/A N/A N/A N/A

A-L2W4-XHE-C-4 N/A N/A N/A N/A


Table 8-13 (Page 56 of 84). Quantitative Results of BNL/Surry Human Action Evaluations

Mean Failure Likelihood


Human Action Basis Description
R6 D6 R10

A-L2W1-XHE-C-8 A-R5W1-XHE-C-9 1.00E-03 Same as R6 N/A Fail HP Recirc with SV Removed Given Fail To
Restore RHR POWER NOT RESTORED

A-L2W2-XHE-C-8 A-R5W2-XHE-C-9 1.00E-03 Same as R6 N/A


A-L2W3-XHE-C-8 N/A N/A N/A N/A

A-L2W4-XHE-C-8 N/A N/A N/A N/A

A-L2W1-XHE-C-13 A-R5W1-XHE-C-4 1.00E-03 Same as R6 N/A Fail HP Recirc with SV Not Removed Given Fail To
Restore RHR POWER RESTORED

A-L2W2-XHE-C-13 A-R5W2-XHE-C-4 1.00E-03 Same as R6 N/A

A-L2W3-XHE-C-13 N/A N/A N/A N/A

A-L2W4-XHE-C-13 N/A N/A N/A N/A

A-L2W1-XHE-C-17 A-R5W1-XHE-C-9 1.00E-03 Same as R6 N/A Fail HP Recirc with SV Not Removed Given Fail To
Restore RHR POWER NOT RESTORED

A-L2W2-XHE-C-17 A-R5W2-XHE-C-9 1.00E-03 Same as R6 N/A

A-L2W3-XHE-C-17 N/A N/A N/A N/A

A-L2W4-XHE-C-17 N/A N/A N/A N/A


Table 8-13 (Page 57 of 84). Quantitative Results of BNL/Surry Human Action Evaluations

Mean Failure Likelihood


Human Action Basis Description
R6 D6 R10

A-L2W1-XHE-P-4 A-R5W1-XHE-P-4 1.00E-04 Same as R6 N/A Fail Recirc Spray: SVs Removed, POWER
RESTORED

A-L2W2-XHE-P-4 A-R5W2-XHE-P-4 1.00E-04 Same as R6 N/A

A-L2W3-XHE-P-4 N/A N/A N/A N/A

A-L2W4-XHE-P-4 N/A N/A N/A N/A



A-L2W1-XHE-P-8 A-R5W1-XHE-P-9 1.00E-04 Same as R6 N/A Fail Recirc Spray: SVs Removed, POWER NOT
RESTORED

A-L2W2-XHE-P-8 A-R5W2-XHE-P-9 1.00E-04 Same as R6 N/A

A-L2W3-XHE-P-8 N/A N/A N/A N/A

A-L2W4-XHE-P-8 N/A N/A N/A N/A

A-L2W1-XHE-P-13 A-R5W1-XHE-P-4 1.00E-04 Same as R6 N/A Fail Recirc Spray: SVs Not Removed, POWER
RESTORED

A-L2W2-XHE-P-13 A-R5W2-XHE-P-4 1.00E-04 Same as R6 N/A

A-L2W3-XHE-P-13 N/A N/A N/A N/A

A-L2W4-XHE-P-13 N/A N/A N/A N/A

A-L2W1-XHE-P-17 A-R5W1-XHE-P-9 1.00E-04 Same as R6 N/A Fail Recirc Spray: SVs Not Removed, POWER NOT
RESTORED
Table 8-13 (Page 58 of 84). Quantitative Results of BNL/Surry Human Action Evaluations

Mean Failure Likelihood


Human Action Basis Description
R6 D6 R10

A-L2W2-XHE-P-17 A-R5W2-XHE-P-9 1.00E-04 Same as R6 N/A

A-L2W3-XHE-P-17 N/A N/A N/A N/A

A-L2W4-XHE-P-17 N/A N/A N/A N/A

D-L3W1-XHE Calculated 4.30E-03 Same as R6 N/A Diagnose Loss of Offsite Power

D-L3W2-XHE Calculated 1.90E-03 Same as R6 N/A

D-L3W3-XHE D-L3W2-XHE 1.90E-03 Same as R6 Same as R6

D-L3W4-XHE Calculated 4.10E-04 Same as R6 Same as R6

A-L3W1-XHE-R-4 A-L1W1-XHE-R-4 1.60E-02 Same as R6 N/A Fail To Restore RHR

A-L3W2-XHE-R-4 A-L1W2-XHE-R-4 5.90E-03 Same as R6 N/A

A-L3W3-XHE-R-4 A-L1W3-XHE-R-4 5.90E-03 Same as R6 Same as R6

A-L3W4-XHE-R-4 A-L1W4-XHE-R-4 1.60E-03 Same as R6 Same as R6

A-L3W1-XHE-SF-13 A-R5W1-XHE-SF-9 1.00E-03 N/A N/A Fail To Feed SGs Given Fail To Restore RHR but
Successful Level Control

A-L3W2-XHE-SF-13 A-R5W2-XHE-SF-9 1.00E-03 1.00E-03 N/A

A-L3W3-XHE-SF-13 A-RAW3-XHE-SF-9 N/A 1.00E-03 N/A

A-L3W4-XHE-SF-13 A-RAW4-XHE-SF-9 N/A 1.00E-03 N/A


Table 8-13 (Page 59 of 84). Quantitative Results of BNL/Surry Human Action Evaluations

Mean Failure Likelihood


Human Action Basis Description
R6 D6 R10

A-L3W1-XHE-S1-13 A-R5W1-XHE-S1-9 4.00E-02 N/A N/A REFLUX: Fail To Bleed SG via ADV -Operator

A-L3W2-XHE-S1-13 A-R5W2-XHE-S1-9 2.60E-03 2.60E-03 N/A will Attempt (Successful Diagnosis)

A-L3W3-XHE-S1-13 A-RAW3-XHE-S1-9 N/A 2.60E-03 N/A


A-L3W4-XHE-S1-13 A-RAW4-XHE-S1-9 N/A 1.00E-03 N/A

A-L3W1-XHE-S2-13 Conserv Assumption 1 N/A N/A Fail To Establish Reflux after PRT Rupture given Fail
To Restore RHR but Successful Level Control

A-L3W2-XHE-S2-13 Conserv Assumption 1 1 N/A

A-L3W3-XHE-S2-13 Conserv Assumption N/A 1 N/A

A-L3W4-XHE-S2-13 Conserv Assumption N/A 1 N/A

A-L3W1-XHE-SF-17 A-R5W1-XHE-SF-9 1.00E-03 N/A N/A Fail To Feed SGs Given Fail To Restore RHR but
Successful Level Control;SVs Not Removed

A-L3W2-XHE-SF-17 A-R5W2-XHE-SF-9 1.00E-03 1.00E-03 N/A

A-L3W3-XHE-SF-17 A-RAW3-XHE-SF-9 N/A 1.00E-03 N/A

A-L3W4-XHE-SF-17 A-RAW4-XHE-SF-9 N/A 1.00E-03 N/A

A-L3W1-XHE-S1-17 A-SIW1-XHE-S2-18 8.00E-02 N/A N/A REFLUX: Fail To Bleed SG via ADV -Operator
Table 8-13 (Page 60 of 84). Quantitative Results of BNL/Surry Human Action Evaluations

Mean Failure Likelihood


Human Action Basis Description
R6 D6 R10

A-L3W2-XHE-S1-17 A-SIW2-XHE-S2-18 5.30E-03 5.30E-03 N/A will Attempt (Successful Diagnosis)

A-L3W3-XHE-S1-17 A-SIW3-XHE-S2-18 N/A 5.30E-03 N/A SVs Not Removed

A-L3W4-XHE-S1-17 A-SIW4-XHE-S2-18 N/A 2.00E-03 N/A



A-L3W1-XHE-S2-17 Conserv Assumption 1 N/A N/A Fail To Establish Reflux after PRT Rupture Given Fail
To Restore RHR but Successful Level Control; SVs
Not Removed

A-L3W2-XHE-S2-17 Conserv Assumption 1 1 N/A

A-L3W3-XHE-S2-17 Conserv Assumption N/A 1 N/A

A-L3W4-XHE-S2-17 Conserv Assumption N/A 1 N/A

A-L3W1-XHE-FL-5 A-SIW1-XHE-FL-5 1.00E-02 Same as R6 N/A B&F, SV Removed==>First Action.

A-L3W2-XHE-FL-5 A-SIW2-XHE-FL-5 7.60E-04 Same as R6 N/A Fail To Use LHSI F&S - -Operator will Attempt

A-L3W3-XHE-FL-4 A-SIW3-XHE-FL-4 7.60E-04 Same as R6 Same as R6 (Successful Diagnosis);POWER RESTORED

A-L3W4-XHE-FL-4 A-SIW4-XHE-FL-4 6.90E-05 Same as R6 Same as R6

A-L3W1-XHE-FH-5 A-R5W1-XHE-FH-5 5.00E-05 Same as R6 N/A B&F: Fail To Use HHSI | LHSI Failed - -Operator

A-L3W2-XHE-FH-5 A-R5W2-XHE-FH-5 2.00E-05 Same as R6 N/A will Attempt (Successful Diagnosis & LHSI

A-L3W3-XHE-FH-4 A-R5W3-XHE-FH-4 2.00E-05 Same as R6 Same as R6 Attempted and Failed) POWER RESTORED
Table 8-13 (Page 61 of 84). Quantitative Results of BNL/Surry Human Action Evaluations

Mean Failure Likelihood


Human Action Basis Description
R6 D6 R10

A-L3W4-XHE-FH-4 A-R5W4-XHE-FH-5 2.00E-05 Same as R6 Same as R6

A-L3W1-XHE-FL-9 A-SIW1-XHE-FL-10 6.60E-02 Same as R6 N/A B&F, SV Removed==>First Action.

A-L3W2-XHE-FL-9 A-SIW2-XHE-FL-10 2.00E-03 Same as R6 N/A Fail To Use LHSI F&S - -Operator will Attempt

A-L3W3-XHE-FL-7 A-SIW3-XHE-FL-13 2.00E-03 Same as R6 Same as R6 (Successful Diagnosis);POWER NOT RESTORED

A-L3W4-XHE-FL-7 A-SIW4-XHE-FL-13 6.90E-05 Same as R6 Same as R6

A-L3W1-XHE-FH-9 A-R5W1-XHE-FH-10 5.00E-05 Same as R6 N/A B&F: Fail To Use HHSI | LHSI Failed - -Operator

A-L3W2-XHE-FH-9 A-R5W2-XHE-FH-10 2.00E-05 Same as R6 N/A will Attempt (Successful Diagnosis & LHSI

A-L3W3-XHE-FH-7 A-R5W3-XHE-FH-13 2.00E-05 Same as R6 Same as R6 Attempted and Failed) POWER NOT RESTORED

A-L3W4-XHE-FH-7 A-R5W4-XHE-FH-13 2.00E-05 Same as R6 Same as R6

A-L3W1-XHE-FL-14 A-SIW1-XHE-FL-14 6.10E-02 Same as R6 N/A B&F, SV Not Removed==>Reflux Failed.

A-L3W2-XHE-FL-14 A-SIW2-XHE-FL-14 8.00E-03 Same as R6 N/A Fail To Use LHSI F&S - -Operator will Attempt

A-L3W3-XHE-FL-14 A-SIW3-XHE-FL-10 8.00E-03 Same as R6 Same as R6 when Reflux Fails To Provide Cooling (Successful

A-L3W4-XHE-FL-14 A-SIW4-XHE-FL-10 1.10E-03 Same as R6 Same as R6 Diagnosis). Timing and Cues Worse than FL-5
POWER RESTORED

A-L3W1-XHE-FH-14 A-R5W1-XHE-FH-14 5.00E-05 Same as R6 N/A B&F: Fail To Use HHSI | LHSI Failed - -Operator

A-L3W2-XHE-FH-14 A-R5W2-XHE-FH-14 2.00E-05 Same as R6 N/A will Attempt (Successful Diagnosis & LHSI failed)
POWER RESTORED

A-L3W3-XHE-FH-14 A-R5W3-XHE-FH-10 2.00E-05 Same as R6 Same as R6

A-L3W4-XHE-FH-14 A-R5W4-XHE-FH-10 2.00E-05 Same as R6 Same as R6

A-L3W1-XHE-FL-18 A-SIW1-XHE-FL-19 6.10E-02 Same as R6 N/A B&F, SV Not Removed==>Reflux Failed.

A-L3W2-XHE-FL-18 A-SIW2-XHE-FL-19 1.30E-02 Same as R6 N/A Fail To Use LHSI F&S - -Operator will Attempt

A-L3W3-XHE-FL-10 A-SIW3-XHE-FL-7 1.30E-02 Same as R6 Same as R6 when Reflux Fails To Provide Cooling (Successful

A-L3W4-XHE-FL-10 A-SIW4-XHE-FL-7 1.10E-03 Same as R6 Same as R6 diagnosis). Timing and Cues Worse than FL-5
POWER NOT RESTORED

A-L3W1-XHE-FH-18 A-R5W1-XHE-FH-19 5.00E-05 Same as R6 N/A B&F: Fail To Use HHSI | LHSI Failed - -Operator

A-L3W2-XHE-FH-18 A-R5W2-XHE-FH-19 2.00E-05 Same as R6 N/A will Attempt (Successful Diagnosis & LHSI Failed)
POWER NOT RESTORED

A-L3W3-XHE-FH-10 A-R5W3-XHE-FH-7 2.00E-05 Same as R6 Same as R6

A-L3W4-XHE-FH-10 A-R5W4-XHE-FH-7 2.00E-05 Same as R6 Same as R6

A-L3W1-XHE-G-6 Conserv Assumption 1 N/A N/A GRAVITY: Fail To Est Gravity Feed Following

A-L3W2-XHE-G-6 Conserv Assumption 1 N/A N/A Failure of Fill and Spill. Only Reasonable Case is if

A-L3W3-XHE-G-5 Conserv Assumption 1 N/A Same as R6 FR3W1 Failed Due to HW. Use Guaranteed

A-L3W4-XHE-G-5 Conserv Assumption 1 N/A Same as R6 Failure. Edit to Old Gravity Feed Event Only for

Cutsets with Success of A-R3W#-XHE-FL-5 POWER RESTORED

A-L3W1-XHE-G-10 Conserv Assumption 1 N/A N/A GRAVITY: Fail To Est. Gravity Feed Following

A-L3W2-XHE-G-10 Conserv Assumption 1 N/A N/A Failure of Fill and Spill. Only Reasonable Case is if

A-L3W3-XHE-G-7 Conserv Assumption 1 N/A Same as R6 FR3W1 Failed due to HW. Use Guaranteed

A-L3W4-XHE-G-7 Conserv Assumption 1 N/A Same as R6 Failure. Edit to Old Gravity Feed Event Only for

Cutsets with Success of A-R3W#-XHE-FL-5. POWER NOT RESTORED

A-L3W1-XHE-C-4 A-R5W1-XHE-C-4 1.00E-03 Same as R6 N/A Fail HP Recirc with SV Removed Given Fail To
Restore RHR POWER RESTORED

A-L3W2-XHE-C-4 A-R5W2-XHE-C-4 1.00E-03 Same as R6 N/A

A-L3W3-XHE-C-4 N/A N/A N/A N/A

A-L3W4-XHE-C-4 N/A N/A N/A N/A

A-L3W1-XHE-C-8 A-R5W1-XHE-C-9 1.00E-03 Same as R6 N/A Fail HP Recirc with SV Removed Given Fail To
Restore RHR. POWER NOT RESTORED

A-L3W2-XHE-C-8 A-R5W2-XHE-C-9 1.00E-03 Same as R6 N/A

A-L3W3-XHE-C-8 N/A N/A N/A N/A

A-L3W4-XHE-C-8 N/A N/A N/A N/A

A-L3W1-XHE-C-13 A-R5W1-XHE-C-4 1.00E-03 Same as R6 N/A Fail HP Recirc with SV Not Removed Given Fail To
Restore RHR POWER RESTORED

A-L3W2-XHE-C-13 A-R5W2-XHE-C-4 1.00E-03 Same as R6 N/A

A-L3W3-XHE-C-13 N/A N/A N/A N/A

A-L3W4-XHE-C-13 N/A N/A N/A N/A

A-L3W1-XHE-C-17 A-R5W1-XHE-C-9 1.00E-03 Same as R6 N/A Fail HP Recirc with SV Not Removed Given Fail To
Restore RHR POWER NOT RESTORED

A-L3W2-XHE-C-17 A-R5W2-XHE-C-9 1.00E-03 Same as R6 N/A

A-L3W3-XHE-C-17 N/A N/A N/A N/A

A-L3W4-XHE-C-17 N/A N/A N/A N/A

A-L3W1-XHE-P-4 A-R5W1-XHE-P-4 1.00E-04 Same as R6 N/A Fail Recirc Spray: SVs Removed, POWER
RESTORED

A-L3W2-XHE-P-4 A-R5W2-XHE-P-4 1.00E-04 Same as R6 N/A



A-L3W3-XHE-P-4 N/A N/A N/A N/A

A-L3W4-XHE-P-4 N/A N/A N/A N/A

A-L3W1-XHE-P-8 A-R5W1-XHE-P-9 1.00E-04 Same as R6 N/A Fail Recirc Spray: SVs Removed, POWER NOT
RESTORED

A-L3W2-XHE-P-8 A-R5W2-XHE-P-9 1.00E-04 Same as R6 N/A

A-L3W3-XHE-P-8 N/A N/A N/A N/A

A-L3W4-XHE-P-8 N/A N/A N/A N/A

A-L3W1-XHE-P-13 A-R5W1-XHE-P-4 1.00E-04 Same as R6 N/A Fail Recirc Spray: SVs Not Removed, POWER
RESTORED

A-L3W2-XHE-P-13 A-R5W2-XHE-P-4 1.00E-04 Same as R6 N/A

A-L3W3-XHE-P-13 N/A N/A N/A N/A

A-L3W4-XHE-P-13 N/A N/A N/A N/A

A-L3W1-XHE-P-17 A-R5W1-XHE-P-9 1.00E-04 Same as R6 N/A Fail Recirc Spray: SVs Not Removed, POWER NOT
RESTORED

A-L3W2-XHE-P-17 A-R5W2-XHE-P-9 1.00E-04 Same as R6 N/A

A-L3W3-XHE-P-17 N/A N/A N/A N/A



A-L3W4-XHE-P-17 N/A N/A N/A N/A

D-B1W1-XHE Calculated 2.20E-02 Same as R6 N/A Diagnose Blackout

D-B1W2-XHE Calculated 4.30E-02 Same as R6 N/A

D-B1W3-XHE D-B1W2-XHE 4.30E-02 Same as R6 Same as R6

D-B1W4-XHE Calculated 1.20E-03 Same as R6 Same as R6

A-B1W1-XHE-CW-4 Calculated 1.50E-01 Same as R6 N/A Fail To Isolate CW Valves in SBO Event

A-B1W2-XHE-CW-4 Calculated 3.80E-02 Same as R6 N/A

A-B1W3-XHE-CW-4 A-B1W2-XHE-CW-4 3.80E-02 Same as R6 Same as R6

A-B1W4-XHE-CW-4 Calculated 1.50E-02 Same as R6 Same as R6

A-B1W1-XHE-CW-7 A-B1W1-XHE-CW-4 1.50E-01 Same as R6 N/A Fail To Isolate CW Valves in SBO Event; SVs Not
Removed

A-B1W2-XHE-CW-7 A-B1W2-XHE-CW-4 3.80E-02 Same as R6 N/A

A-B1W3-XHE-CW-7 A-B1W3-XHE-CW-4 3.80E-02 Same as R6 Same as R6

A-B1W4-XHE-CW-7 A-B1W4-XHE-CW-4 1.50E-02 Same as R6 Same as R6

A-B1W1-XHE-2CH-4 Calculated 3.30E-01 Same as R6 N/A Fail to x-tie CHG Flow from U2 to U1

A-B1W2-XHE-2CH-4 Calculated 3.70E-02 Same as R6 N/A

A-B1W3-XHE-2CH-4 A-B1W2-XHE-2CH-4 3.70E-02 Same as R6 Same as R6

A-B1W4-XHE-2CH-4 Calculated 1.40E-03 Same as R6 Same as R6

A-B1W1-XHE-2CH-7 Calculated 3.30E-01 Same as R6 N/A Fail to x-tie CHG Flow from U2 to U1; SVs Not
Removed

A-B1W2-XHE-2CH-7 Calculated 3.70E-02 Same as R6 N/A

A-B1W3-XHE-2CH-7 A-B1W2-XHE-2CH-4 3.70E-02 Same as R6 Same as R6

A-B1W4-XHE-2CH-7 Calculated 1.40E-03 Same as R6 Same as R6

A-B1W1-XHE-S1 Calculated 0.55 Same as R6 N/A

A-B1W2-XHE-S1 Calculated 0.36 Same as R6 N/A


A-B1W3-XHE-S1 Calculated 0.11 Same as R6 Same as R6

A-B1W4-XHE-S1 A-B1W3-XHE-S1 0.11 Same as R6 Same as R6

A-B1W1-XHE-G-6 Conserv Assumption 1 N/A N/A GRAVITY: Fail To Est Gravity Feed Following

A-B1W2-XHE-G-6 Conserv Assumption 1 N/A N/A Failure of Fill and Spill. Only Reasonable Case is if

A-B1W3-XHE-G-6 Conserv Assumption 1 N/A FR3W1 Failed Due to HW. Use Guaranteed

A-B1W4-XHE-G-6 Conserv Assumption 1 N/A Failure. Edit to Old Gravity Feed Event only for

Proper Cutsets

D-B2W1-XHE Calculated 9.70E-03 Same as R6 N/A Diagnose Blackout

D-B2W2-XHE Calculated 7.40E-03 Same as R6 N/A

D-B2W3-XHE D-B2W2-XHE 7.40E-03 Same as R6 Same as R6

D-B2W4-XHE Calculated 7.20E-04 Same as R6 Same as R6

A-B2W1-XHE-G-3 Calculated 6.00E-03 Same as R6 N/A GRAVITY: Fail To Est Gravity Feed Following

A-B2W2-XHE-G-3 Calculated 6.20E-04 Same as R6 N/A Failure of Fill and Spill. Only Reasonable Case is if

A-B2W3-XHE-G-3 D-B2W2-XHE 6.20E-04 Same as R6 Same as R6 FR3W1 Failed Due to HW. Use Guaranteed

A-B2W4-XHE-G-3 Calculated 1.70E-04 Same as R6 Same as R6 Failure. Edit to Old Gravity Feed Event only for

Proper Cutsets

D-VBW1-XHE Calculated 8.00E-05 Same as R6 N/A Failure To Diagnose Loss of Vital Bus in POS 6

D-VBW2-XHE Calculated 2.70E-05 Same as R6 N/A

D-VBW3-XHE D-VBW2-XHE 2.70E-05 Same as R6 N/A

D-VBW4-XHE Calculated 5.90E-06 Same as R6 N/A



A-VBW1-XHE-R-4 A-R4W1-XHE-R-4 1.20E-03 Same as D6 N/A Fail To Restore RHR Given Loss of Vital Bus in POS
6

A-VBW2-XHE-R-4 A-R4W2-XHE-R-4 5.20E-04 Same as D6 N/A

A-VBW3-XHE-R-4 A-R4W3-XHE-R-4 5.20E-04 Same as D6 Same as D6

A-VBW4-XHE-R-4 A-R4W4-XHE-R-4 1.20E-04 Same as D6 Same as D6

A-VBW1-XHE-R-13 Calculated 3.30E-02 Same as D6 N/A Fail To Restore RHR Given Loss of Vital Bus in
POS 6 and Failure To Restore Power

A-VBW2-XHE-R-13 Calculated 1.30E-02 Same as D6 N/A

A-VBW3-XHE-R-9 A-VBW2-XHE-R-13 1.30E-02 Same as D6 Same as D6

A-VBW4-XHE-R-9 Calculated 5.00E-03 Same as D6 Same as D6

A-VBW1-XHE-S1-9 A-R4W1-XHE-SF-9 1.00E-03 N/A N/A REFLUX: Fail To Feed SG @ ~ 10 Hr ==>

A-VBW2-XHE-S1-9 A-R4W2-XHE-SF-9 1.00E-03 Same as R6 N/A Recognition of Low SG Level Req'd

A-VBW3-XHE-S1-4 A-R4W3-XHE-SF-4 N/A 1.00E-03 N/A

A-VBW4-XHE-S1-4 A-R4W4-XHE-SF-4 N/A 1.00E-03 N/A

A-VBW1-XHE-S2-9 A-R4W1-XHE-S1-9 4.00E-02 N/A N/A REFLUX: Fail To Bleed SG via ADV -Operator

A-VBW2-XHE-S2-9 A-R4W2-XHE-S1-9 2.60E-03 Same as R6 N/A will Attempt (Successful Diagnosis)



A-VBW3-XHE-S2-4 A-R4W3-XHE-S1-4 N/A 2.60E-03 N/A

A-VBW4-XHE-S2-4 A-R4W4-XHE-S1-4 N/A 1.00E-03 N/A

A-VBW1-XHE-S3-9 Conserv Assumption 1 N/A N/A REFLUX: After PRT O/P, FTC PORVs & Fail To

A-VBW2-XHE-S3-9 Conserv Assumption 1 Same as R6 N/A Bleed SG via ADV; Late Action in Response to

A-VBW3-XHE-S3-4 Conserv Assumption N/A 1 N/A PRT Rupture-Only Reasonable Scenario is that

A-VBW4-XHE-S3-4 Conserv Assumption N/A 1 N/A Operator is Distracted by HW or Other Failures.

PRT Rupture is Strong Cue To Move Ahead in

AP-27

A-VBW1-XHE-S1-18 A-SIW1-XHE-S1-9 1.00E-03 N/A N/A REFLUX: Given Failure To Restore RHR Fail To Feed
SG @ ~ 10 Hr ==>

A-VBW2-XHE-S1-18 A-SIW2-XHE-S1-9 1.00E-03 Same as R6 N/A Recognition of Low SG Level Req'd

A-VBW3-XHE-S1-18 A-SIW3-XHE-S1-4 N/A 1.00E-03 N/A

A-VBW4-XHE-S1-18 A-SIW4-XHE-S1-4 N/A 1.00E-03 N/A

A-VBW1-XHE-S2-18 Calculated 4.00E-01 N/A N/A REFLUX: Given failure to restore RHR, Fail to bleed
SG via ADV -Operator

A-VBW2-XHE-S2-18 Calculated 2.60E-02 Same as R6 N/A will Attempt (Successful Diagnosis)



A-VBW3-XHE-S2-18 A-VBW2-XHE-S2-18 N/A 2.60E-02 N/A

A-VBW4-XHE-S2-18 Calculated N/A 9.80E-03 N/A

A-VBW1-XHE-S3-18 Conserv Assumption 1 N/A N/A REFLUX: After PRT O/P Given Failure To Restore
RHR, FTC PORVs & Fail To

A-VBW2-XHE-S3-18 Conserv Assumption 1 Same as R6 N/A Bleed SG via ADV; Late Action in Response to

A-VBW3-XHE-S3-18 Conserv Assumption N/A 1 N/A PRT Rupture-Only Reasonable Scenario is that

A-VBW4-XHE-S3-18 Conserv Assumption N/A 1 N/A Operator is Distracted by HW or Other Failures.

PRT Rupture is Strong Cue To Move Ahead in

AP-27

A-VBW1-XHE-FL-5 A-SIW1-XHE-FL-5 1.00E-02 Same as R6 N/A Fail F&B: Vital Bus Recovered; RHR Not Restored;
SVs Removed

A-VBW2-XHE-FL-5 A-SIW2-XHE-FL-5 7.60E-04 Same as R6 N/A

A-VBW3-XHE-FL-4 A-SIW3-XHE-FL-4 7.60E-04 Same as R6 Same as R6

A-VBW4-XHE-FL-4 A-SIW4-XHE-FL-4 6.90E-05 Same as R6 Same as R6

A-VBW1-XHE-FL-10 A-SIW1-XHE-FL-10 6.60E-02 Same as R6 N/A Fail F&B: Vital Bus Recovered; RHR Not Restored;
SVs Not Removed

A-VBW2-XHE-FL-10 A-SIW2-XHE-FL-10 2.00E-03 Same as R6 N/A

A-VBW3-XHE-FL-13 A-SIW3-XHE-FL-13 2.00E-03 Same as R6 Same as R6

A-VBW4-XHE-FL-13 A-SIW4-XHE-FL-13 6.90E-05 Same as R6 Same as R6

A-VBW1-XHE-FL-14 Calculated 2.50E-01 Same as R6 N/A Fail F&B: Vital Bus Recovered; RHR Not Restored;
SVs Removed

A-VBW2-XHE-FL-14 Calculated 3.50E-02 Same as R6 N/A

A-VBW3-XHE-FL-10 A-VBW2-XHE-FL-14 3.50E-02 Same as R6 Same as R6

A-VBW4-XHE-FL-10 Calculated 5.00E-03 Same as R6 Same as R6

A-VBW1-XHE-FL-19 A-VBW1-XHE-FL-14 2.50E-01 Same as R6 N/A Fail F&B: Vital Bus Recovered; RHR Not Restored;
SVs Not Removed

A-VBW2-XHE-FL-19 A-VBW2-XHE-FL-14 5.40E-02 Same as R6 N/A

A-VBW3-XHE-FL-7 A-VBW3-XHE-FL-10 5.40E-02 Same as R6 Same as R6

A-VBW4-XHE-FL-7 A-VBW4-XHE-FL-10 5.00E-03 Same as R6 Same as R6

A-VBW1-XHE-FH-5 A-RAW1-XHE-FH-5 5.00E-05 Same as R6 N/A Fail F&B: Vital Bus Recovered; RHR Not Restored;
SVs Removed

A-VBW2-XHE-FH-5 A-RAW2-XHE-FH-5 2.00E-05 Same as R6 N/A



A-VBW3-XHE-FH-4 A-RAW3-XHE-FH-5 2.00E-05 Same as R6 Same as R6

A-VBW4-XHE-FH-4 A-RAW4-XHE-FH-5 2.00E-05 Same as R6 Same as R6

A-VBW1-XHE-FH-10 A-RAW1-XHE-FH-5 5.00E-05 Same as R6 N/A Fail F&B: Vital Bus Recovered; RHR Not Restored;
SVs Not Removed

A-VBW2-XHE-FH-10 A-RAW2-XHE-FH-5 2.00E-05 Same as R6 N/A

A-VBW3-XHE-FH-13 A-RAW3-XHE-FH-5 2.00E-05 Same as R6 Same as R6

A-VBW4-XHE-FH-13 A-RAW4-XHE-FH-5 2.00E-05 Same as R6 Same as R6

A-VBW1-XHE-FH-14 A-RAW1-XHE-FH-5 5.00E-05 Same as R6 N/A Fail F&B: Vital Bus Recovered; RHR Not Restored;
SVs Removed

A-VBW2-XHE-FH-14 A-RAW2-XHE-FH-5 2.00E-05 Same as R6 N/A

A-VBW3-XHE-FH-10 A-RAW3-XHE-FH-5 2.00E-05 Same as R6 Same as R6

A-VBW4-XHE-FH-10 A-RAW4-XHE-FH-5 2.00E-05 Same as R6 Same as R6

A-VBW1-XHE-FH-19 A-RAW1-XHE-FH-5 5.00E-05 Same as R6 N/A Fail F&B: Vital Bus Recovered; RHR Not Restored;
SVs Not Removed

A-VBW2-XHE-FH-19 A-RAW2-XHE-FH-5 2.00E-05 Same as R6 N/A

A-VBW3-XHE-FH-7 A-RAW3-XHE-FH-5 2.00E-05 Same as R6 Same as R6



A-VBW4-XHE-FH-7 A-RAW4-XHE-FH-5 2.00E-05 Same as R6 Same as R6

A-VBW1-XHE-G6 Conserv Assumption N/A N/A GRAVITY: Fail To Est Gravity Feed Following

A-VBW2-XHE-G6 Conserv Assumption N/A N/A Failure of Fill and Spill. Vital Bus Recovered.

A-VBW3-XHE-G5 Conserv Assumption N/A Same as R6

A-VBW4-XHE-G5 Conserv Assumption N/A Same as R6



A-VBW1-XHE-G15 Conserv Assumption N/A N/A GRAVITY: Fail To Est Gravity Feed Following

A-VBW2-XHE-G15 Conserv Assumption N/A N/A Failure of Fill and Spill. Vital Bus Not Recovered

A-VBW3-XHE-G11 Conserv Assumption N/A Same as R6

A-VBW4-XHE-G11 Conserv Assumption N/A Same as R6


A-VBW1-XHE-C-4 A-R4W1-XHE-C-4 1.00E-03 Same as R6 N/A RECIRC: Fail To Est. HP Recirc (Vital Bus Recovered,
B&F Successful

A-VBW2-XHE-C-4 A-R4W2-XHE-C-4 1.00E-03 Same as R6 N/A and SVs Removed) - @ 8 - 20 Hr, ==> Recognition

A-VBW3-XHE-C-4 N/A N/A N/A N/A of Low RWST Level Req'd.

A-VBW4-XHE-C-4 N/A N/A N/A N/A



A-VBW1-XHE-C-13 A-R5W1-XHE-C-9 1.00E-03 Same as R6 N/A RECIRC: Fail To Est HP Recirc (Vital Bus Not
Recovered, B&F Successful

A-VBW2-XHE-C-13 A-R5W2-XHE-C-9 1.00E-03 Same as R6 N/A and SVs Removed) - @ 8 - 20 Hr, ==> Recognition

A-VBW3-XHE-C-13 N/A N/A N/A N/A of Low RWST Level Req'd

A-VBW4-XHE-C-13 N/A N/A N/A N/A

A-VBW1-XHE-C-9 A-R4W1-XHE-C-4 1.00E-03 Same as R6 N/A RECIRC: Fail To Est. HP Recirc (Vital Bus Recovered
B&F Successful

A-VBW2-XHE-C-9 A-R4W2-XHE-C-4 1.00E-03 Same as R6 N/A and SVs Not Removed) - @ 8 - 20 Hr, ==>
Recognition

A-VBW3-XHE-C-9 N/A N/A N/A N/A of Low RWST Level Req'd

A-VBW4-XHE-C-9 N/A N/A N/A N/A

A-VBW1-XHE-C-18 A-R5W1-XHE-C-9 1.00E-03 Same as R6 N/A RECIRC: Fail To Est HP Recirc (Vital Bus Not
Recovered, B&F Successful

A-VBW2-XHE-C-18 A-R5W2-XHE-C-9 1.00E-03 Same as R6 N/A and SVs Not Removed) - @ 8 - 20 Hr, ==>
Recognition

A-VBW3-XHE-C-18 N/A N/A N/A N/A of Low RWST Level Req'd

A-VBW4-XHE-C-18 N/A N/A N/A N/A



A-VBW2-XHE-X A-RAW2-XHE-X 1.00E-03 Same as R6 N/A Fail To Cross Tie RWST

A-VBW1-XHE-P-4 A-R4W1-XHE-P-4 1.00E-04 Same as R6 N/A RECIRC: Fail To Est Recirc Spray (Vital Bus
Recovered, B&F Successful

A-VBW2-XHE-P-4 A-R4W2-XHE-P-4 1.00E-04 Same as R6 N/A and SVs Removed)

A-VBW3-XHE-P-4 N/A N/A N/A N/A

A-VBW4-XHE-P-4 N/A N/A N/A N/A

A-VBW1-XHE-P-13 A-R5W1-XHE-P-9 1.00E-04 Same as R6 N/A RECIRC: Fail To Est Recirc Spray (Vital Bus Not
Recovered, B&F Successful

A-VBW2-XHE-P-13 A-R5W2-XHE-P-9 1.00E-04 Same as R6 N/A and SVs Removed)

A-VBW3-XHE-P-13 N/A N/A N/A N/A

A-VBW4-XHE-P-13 N/A N/A N/A N/A

A-VBW1-XHE-P-9 A-R4W1-XHE-P-4 1.00E-04 Same as R6 N/A RECIRC: Fail To Est Recirc Spray (Vital Bus
Recovered, B&F Successful

A-VBW2-XHE-P-9 A-R4W2-XHE-P-4 1.00E-04 Same as R6 N/A and SVs Not Removed)

A-VBW3-XHE-P-9 N/A N/A N/A N/A

A-VBW4-XHE-P-9 N/A N/A N/A N/A



A-VBW1-XHE-P-18 A-R5W1-XHE-P-9 1.00E-04 Same as R6 N/A RECIRC: Fail To Est Recirc Spray (Vital Bus Not
Recovered; B&F Successful

A-VBW2-XHE-P-18 A-R5W2-XHE-P-9 1.00E-04 Same as R6 N/A and SVs Not Removed)

A-VBW3-XHE-P-18 N/A N/A N/A N/A

A-VBW4-XHE-P-18 N/A N/A N/A N/A

D-ARW1-XHE Calculated 2.30E-05 N/A Diagnose Loss of Air

D-ARW2-XHE Calculated 1.20E-05 N/A

D-ARW3-XHE D-ARW2-XHE 1.20E-05

D-ARW4-XHE Calculated 1.10E-06

A-ARW1-XHE-R-5 A-SIW1-XHE-R-13 0.0085 N/A Fail To Restore RHR Given Loss of Air

A-ARW2-XHE-R-5 A-SIW2-XHE-R-13 0.003 N/A

A-ARW3-XHE-R-5 A-SIW3-XHE-R-13 0.003

A-ARW4-XHE-R-5 A-SIW4-XHE-R-13 0.00096

A-ARW1-XHE-SF-10 A-R5W1-XHE-SF-10 0.001 N/A N/A Reflux: Feed SGs

A-ARW2-XHE-SF-10 A-R5W2-XHE-SF-10 0.001 N/A N/A



A-ARW3-XHE-SF-10 A-R5W3-XHE-SF-10 N/A 0.001 N/A

A-ARW4-XHE-SF-10 A-R5W4-XHE-SF-10 N/A 0.001 N/A

A-ARW1-XHE-S1-10 A-SIW1-XHE-S2-18 0.08 N/A N/A REFLUX: Fail To Bleed SG via ADV -Operator

A-ARW2-XHE-S1-10 A-SIW2-XHE-S2-18 0.0053 N/A N/A will Attempt (Successful Diagnosis)

A-ARW3-XHE-S1-10 A-SIW3-XHE-S2-18 N/A 0.0053 N/A

A-ARW4-XHE-S1-10 A-SIW4-XHE-S2-18 N/A 0.002 N/A

A-ARW1-XHE-S2-10 Conserv Assumption 1 N/A N/A REFLUX: After PRT O/P, FTC PORVs & Fail To

A-ARW2-XHE-S2-10 Conserv Assumption 1 N/A N/A Bleed SG via ADV; Late Action in Response to

A-ARW3-XHE-S2-10 Conserv Assumption N/A 1 N/A PRT Rupture-Only Reasonable Scenario is that

A-ARW4-XHE-S2-10 Conserv Assumption N/A 1 N/A Operator is Distracted by HW or Other Failures.

PRT Rupture is Strong Cue To Move Ahead in

AP-27

A-ARW1-XHE-FL-6 A-SIW1-XHE-FL-14 0.061 Same as R6 N/A B&F, SV Removed==>First Action.

A-ARW2-XHE-FL-6 A-SIW2-XHE-FL-14 0.008 Same as R6 N/A Fail To Use LHSI F&S - -Operator will Attempt

A-ARW3-XHE-FL-5 A-SIW3-XHE-FL-10 0.008 Same as R6 Same as R6 (Successful Diagnosis)



A-ARW4-XHE-FL-5 A-SIW4-XHE-FL-10 0.0011 Same as R6 Same as R6

A-ARW1-XHE-FH-6 A-R5W1-XHE-FH-5 0.00005 Same as R6 N/A B&F: Fail To Use HHSI | LHSI Failed - -Operator

A-ARW2-XHE-FH-6 A-R5W2-XHE-FH-5 0.00002 Same as R6 N/A will Attempt (Successful Diagnosis & LHSI Failed)

A-ARW3-XHE-FH-5 A-R5W3-XHE-FH-5 0.00002 Same as R6 Same as R6

A-ARW4-XHE-FH-5 A-R5W4-XHE-FH-5 0.00002 Same as R6 Same as R6

A-ARW1-XHE-FL-11 A-SIW1-XHE-FL-14 0.061 N/A N/A B&F, SV Not Removed==>Reflux Failed.

A-ARW2-XHE-FL-11 A-SIW2-XHE-FL-14 0.013 N/A N/A Fail To Use LHSI F&S - -Operator will Attempt

A-ARW3-XHE-FL-8 A-SIW3-XHE-FL-10 0.013 N/A Same as R6 when Reflux Fails To Provide Cooling (Successful

A-ARW4-XHE-FL-8 A-SIW4-XHE-FL-10 0.0011 N/A Same as R6 Diagnosis). Timing and Cues Worse than FL-6

A-ARW1-XHE-FH-11 A-R5W1-XHE-FH-5 0.00005 N/A N/A B&F: Fail To Use HHSI | LHSI Failed - Operator

A-ARW2-XHE-FH-11 A-R5W2-XHE-FH-5 0.00002 N/A N/A will Attempt (Successful Diagnosis & LHSI Failed)

A-ARW3-XHE-FH-8 A-R5W3-XHE-FH-5 0.00002 N/A Same as R6

A-ARW4-XHE-FH-8 A-R5W4-XHE-FH-5 0.00002 N/A Same as R6

A-ARW1-XHE-G-7 Conserv Assumption 1 N/A N/A GRAVITY: Fail To Est Gravity Feed Following

A-ARW2-XHE-G-7 Conserv Assumption 1 N/A N/A Failure of Fill and Spill. Only Reasonable Case is if

A-ARW3-XHE-G-6 Conserv Assumption 1 N/A Same as R6 F&S Failed Due to HW. Use Guaranteed

A-ARW4-XHE-G-6 Conserv Assumption 1 N/A Same as R6 Failure. Edit to Old Gravity Feed Event Only for

Cutsets with Success of A-ARW#-XHE-FL-6.

A-ARW1-XHE-C-5 A-R5W1-XHE-C-4 0.001 Same as R6 N/A RECIRC: Fail To Est HP Recirc (B&F Successful

A-ARW2-XHE-C-5 A-R5W2-XHE-C-4 0.001 Same as R6 N/A and SVs Removed) - @ 8 - 20 Hr, ==> Recognition

A-ARW3-XHE-C-5 A-R5W3-XHE-C-4 N/A N/A N/A of Low RWST Level Req'd.

A-ARW4-XHE-C-5 A-R5W4-XHE-C-4 N/A N/A N/A

A-ARW1-XHE-C-10 A-R5W1-XHE-C-9 0.001 N/A N/A RECIRC: Fail To Est HP Recirc (B&F Successful

A-ARW2-XHE-C-10 A-R5W2-XHE-C-9 0.001 N/A N/A and SVs Not Removed) - @ 8 - 20 Hr, ==>

A-ARW3-XHE-C-10 A-R5W3-XHE-C-9 N/A N/A N/A Recognition of Low RWST Level Req'd

A-ARW4-XHE-C-10 A-R5W4-XHE-C-9 N/A N/A N/A

A-ARW1-XHE-P-5 A-R4W1-XHE-P-4 0.0001 Same as R6 N/A RECIRC: Fail To Est Recirc Spray

A-ARW2-XHE-P-5 A-R4W2-XHE-P-4 0.0001 Same as R6 N/A

A-ARW3-XHE-P-5 N/A N/A N/A N/A



A-ARW4-XHE-P-5 N/A N/A N/A N/A

A-ARW1-XHE-P-10 A-R5W1-XHE-P-9 0.0001 Same as R6 N/A RECIRC: Fail To Est Recirc Spray Given SVs Not
Removed; Failure of Reflux but Success of F&B

A-ARW2-XHE-P-10 A-R5W2-XHE-P-9 0.0001 Same as R6 N/A

A-ARW3-XHE-P-10 N/A N/A N/A N/A

A-ARW4-XHE-P-10 N/A N/A N/A N/A

A-ARW2-XHE-X A-RAW2-XHE-X 0.001 Same as R6 N/A Fail To Cross Connect RWST

D-SRW1-XHE Calculated 1.40E-02 Same as R6 N/A Diagnose Loss of Room Cooling

D-SRW2-XHE Calculated 1.40E-02 Same as R6 N/A

D-SRW3-XHE D-SRW2-XHE 1.40E-02 Same as R6 Same as R6

D-SRW4-XHE Calculated 4.80E-03 Same as R6 Same as R6

R-SRW1-XHE-RC-3 Calculated 2.90E-04 Same as R6 N/A Fail to Restore Room Cooling

R-SRW2-XHE-RC-3 Calculated 1.20E-04 Same as R6 N/A

R-SRW3-XHE-RC-3 R-SRW2-XHE-RC-3 1.20E-04 Same as R6 Same as R6

R-SRW4-XHE-RC-3 Calculated 6.70E-05 Same as R6 Same as R6



A-SRW1-XHE-CW-3 A-B1W1-XHE-CW-4 1.50E-01 Same as R6 N/A Fail To Isolate CW Valves in Loss of ESG Room
Cooling Event

A-SRW2-XHE-CW-3 A-B1W2-XHE-CW-4 3.80E-02 Same as R6 N/A

A-SRW3-XHE-CW-3 A-B1W3-XHE-CW-4 3.80E-02 Same as R6 Same as R6

A-SRW4-XHE-CW-3 A-B1W4-XHE-CW-4 1.50E-02 Same as R6 Same as R6

R-A1W1D6-XHE-C Calculated 0.00431 Recovery:

R-A1W1D6-XHE-C-A1 Calculated 0.00431 Recovery:

R-A2W1D6-XHE-C Calculated 0.00431 Recovery:

R-A2W1D6-XHE-C-A2 Calculated 0.00431 Recovery:

R-A7W2R6-XHE-C-A7 Calculated 0.00315 Recovery:

R-A8W1R6-XHE-C-A8 Calculated 0.00443 Recovery:

R-A11W1R6-XHE-C Calculated 0.00431 Recovery:

R-A12W1R6-XHE-C Calculated 0.00431 Recovery:

R-B1DR6-XHE-D Assumed 1 1 Recovery: No Recovery from Diagnostic Error

R-D1W2R6-XHE-C-D1 Calculated 0.00315 Recovery:

R-D2W2DR6-XHE-C Calculated 0.00315 0.00315 Recovery:

R-D3W2R6-XHE-C Calculated 0.00315 Recovery:



R-E1W2D6-XHE-C Calculated 0.00012 Recovery:

R-E1W2D6-XHE-C-E1 Calculated 0.00012 Recovery:

R-E2W2D6-XHE-C Calculated 0.00012 Recovery:

R-E2W2D6-XHE-C Calculated 0.00012 Recovery:

R-G1W2DR6-XHE-C Calculated 0.0001 0.000103 Recovery:

R-G1W2DR6-XHE-C-G1 Calculated 0.0001 0.000103 Recovery:

R-G2W2DR6-XHE-C Calculated 0.0001 0.000103 Recovery:

R-G3W2DR6-XHE-C Calculated 0.0001 0.000103 Recovery:

R-G4W2DR6-XHE-C Calculated 0.0001 0.000103 Recovery:

R-G5W2DR6-XHE-C Calculated 0.0001 0.000103 Recovery:

R-G6W1DR6-XHE-C Calculated 0.0001 0.000103 Recovery:

R-B1W2-XHE-S-1 A-B1W2-XHE-S1 0.36 0.36 Recovery:

R-L2W2-XHE-S-2 Calculated 0.00471 0.004706475879 Recovery:

R-B2W2-XHE-S-3 Calculated 0.03115 0.031147032624 Recovery:

R-L3W2-XHE-S-4 Calculated 0.01787 0.017866035608 Recovery:

R-B2W3-XHE-S-5 Calculated 0.02494 0.024937980714 Recovery:

R-B2W4-XHE-S-6 Calculated 0.01997 0.019966681566 Recovery:

R-L3W2-XHE-S-7 Calculated 0.00302 0.003017067671 Recovery:



R-L3W2-XHE-C-8 Calculated 0.01568 0.015680300366 Recovery:

R-B1W3-XHE-S-9 Calculated 0.32942 0.329415064253 Recovery:


9 DATA BASE DEVELOPMENT

9.1 Maintenance Unavailability


Maintenance unavailability of components was estimated for each plant operational state (POS) using data
extracted from the shift supervisor's log books and the minimum equipment lists. Ten years of log books, five
years for each unit (from 1985 to 1989), plus the 1990 refueling outage of unit 1, were obtained from Virginia
Power. Deciphering the information in the handwritten log books was a very time-consuming task; therefore,
we chose to review the log books for only three of these refueling outages: the 1986 refueling outages of
unit 1 and unit 2, and the 1990 refueling outage of unit 1.

The following four types of information were of particular interest:

(a) Maintenance/repair on safety and support systems.
(b) Important events associated with important systems or components.
(c) Potential fire- and flood-related events.
(d) Periodic tests.

The information collected was entered into DBASE databases.

Minimum equipment lists for these three refueling outages also were obtained from Virginia Power. During
an outage, these lists are filled out once every shift for components that are subject to requirements as
stipulated in plant technical specifications for a given operational mode. Surry Station uses two types of
minimum equipment lists: one for cold shutdown conditions, and the other for non-cold shutdown conditions.
In this study, these minimum equipment lists were used to supplement information obtained from the log
books. Figure 9.1-1 is an example of the information collected from the log books and minimum equipment
lists.

In collecting maintenance data, the times at which a component was taken out of service (OOS) and later
returned to service (RTS) were identified. However, some data in the log books or the minimum equipment
lists were ambiguous. Sometimes an entry in the log book indicated that a particular component was tagged
out, but the record of the tag-in of the same component could not be found. In contrast, a component might
be mentioned several times as being taken out of service but without any entry in-between about its return-to-
service. In these situations, the relevant OOS and RTS times were estimated based on judgment, and these
times then were used to derive the duration that the specific component was available in each POS. The
maintenance unavailabilities were estimated by taking the average over all three refueling outages. For
example, the maintenance unavailability of a particular component during POS-6 is the sum of its downtime
during POS-6 of each outage divided by the total duration of POS-6 for all three outages. Table 9.1-1 lists
the estimated maintenance unavailabilities for each POS.

Since POS-6 and POS-10 were of most interest, Figures 9.1-2 to 9.1-4 illustrate the time lines for components
whose downtimes covered the midloop operations. These time lines are based on data collected specifically
at BNL for quantitatively assessing the risks associated with mid-loop operations. The same sets of data are
listed in Tables 9.1-2 to 9.1-4.

To supplement the maintenance unavailabilities listed in Table 9.1-1, the NUREG/CR-4550, Vol. 3 estimates
for full-power operations are used in accordance with the following rules:


(a) If no shutdown data is available for a maintenance event modeled in NUREG/CR-4550, the full power
data is used.
(b) If shutdown data is available for a maintenance event modeled in NUREG/CR-4550, the shutdown data
is used.
(c) If shutdown data is collected for a maintenance event that was not modeled in NUREG/CR-4550, it is
added by modifying the NUREG/CR-4550 fault trees.

We further assumed that the maintenance unavailabilities estimated using refueling outage data are
applicable to "like" POSs of other types of outage.
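The averaging and the three supplementing rules described above, as an added example that is not part of the report: per-POS unavailability is summed downtime divided by summed POS duration over the reviewed outages, then merged with full-power values under rules (a) to (c). The component names, dates and probabilities are constructed, and the handling of ambiguous entries (earliest of repeated tag-outs kept, a missing tag-in closed at outage end) is an assumption standing in for the analysts' judgment.

```python
from datetime import datetime

FMT = "%m/%d/%y %H%M"  # date and 24-hour time, in the style of the log entries


def ts(stamp):
    return datetime.strptime(stamp, FMT)


def hours(start, end):
    return (end - start).total_seconds() / 3600.0


def resolve_intervals(log, outage_end):
    """Turn raw OOS/RTS entries into closed downtime intervals.

    Assumed rules (the report only says judgment was used):
    - repeated OOS entries with no RTS in between keep the earliest OOS time;
    - an OOS with no matching RTS is closed at the end of the outage;
    - an RTS with no preceding OOS is ignored.
    """
    intervals, open_since = [], None
    for kind, stamp in sorted(log, key=lambda entry: ts(entry[1])):
        when = ts(stamp)
        if kind == "OOS" and open_since is None:
            open_since = when
        elif kind == "RTS" and open_since is not None:
            intervals.append((open_since, when))
            open_since = None
    if open_since is not None:
        intervals.append((open_since, outage_end))
    return intervals


def pos_unavailability(outages, component, pos):
    """Sum of downtime inside `pos` over all outages / total duration of `pos`."""
    down = total = 0.0
    for outage in outages:
        if pos not in outage["pos"]:
            continue
        p_start, p_end = (ts(s) for s in outage["pos"][pos])
        total += hours(p_start, p_end)
        log = outage["log"].get(component, [])
        for start, end in resolve_intervals(log, ts(outage["end"])):
            lo, hi = max(start, p_start), min(end, p_end)  # clip to the POS window
            if hi > lo:
                down += hours(lo, hi)
    return down / total if total else None


def merge_with_full_power(shutdown, full_power):
    """Apply rules (a)-(c): shutdown data wins; full-power data fills the gaps."""
    merged = {}
    for event in sorted(set(shutdown) | set(full_power)):
        if event not in shutdown:
            merged[event] = (full_power[event], "full-power value, rule (a)")
        elif event in full_power:
            merged[event] = (shutdown[event], "shutdown value, rule (b)")
        else:
            merged[event] = (shutdown[event], "shutdown value, new event, rule (c)")
    return merged


# Constructed sample data: three outages, one hypothetical component.
OUTAGES = [
    {"pos": {"POS-6": ("01/01/90 0000", "01/05/90 0000")}, "end": "01/20/90 0000",
     "log": {"PUMP-A": [("OOS", "01/02/90 0000"), ("RTS", "01/03/90 0000")]}},
    {"pos": {"POS-6": ("01/10/90 0000", "01/12/90 0000")}, "end": "01/25/90 0000",
     # tagged out twice with no return-to-service entry in between
     "log": {"PUMP-A": [("OOS", "01/09/90 1200"), ("OOS", "01/10/90 1200"),
                        ("RTS", "01/11/90 0000")]}},
    {"pos": {"POS-6": ("02/01/90 0000", "02/04/90 0000")}, "end": "02/10/90 0000",
     # tag-out found, tag-in never recorded
     "log": {"PUMP-A": [("OOS", "02/03/90 0000")]}},
]

if __name__ == "__main__":
    q = pos_unavailability(OUTAGES, "PUMP-A", "POS-6")
    print(f"PUMP-A unavailability in POS-6: {q:.4f}")
    full_power = {"PUMP-A": 0.002, "VALVE-B": 0.001}  # constructed values
    for event, (value, source) in merge_with_full_power({"PUMP-A": q, "HX-C": 0.05},
                                                        full_power).items():
        print(event, round(value, 4), source)
```

Downtime that starts before or ends after the POS window is clipped to the window, so a single long tag-out contributes separately to each POS it spans.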

Recently, the Surry Station implemented a change to the operating procedures that involve reduced (reactor
vessel) inventory conditions during an outage. Before entering a reduced inventory condition, such as mid-
loop, a check list must be completed for certain pieces of equipment on which maintenance is not allowed.
Therefore, the maintenance unavailabilities in Table 9.1-1 were modified by eliminating from the database
the maintenance and/or periodic test activities that the check list does not allow. The results are given
in Table 9.1-5, which is used as the basis for quantifying risk in this study.

Figure 9.1-1 An Example of Information Collected on Component Down Time During a Refueling [time-line diagram, two pages; graphic not reproduced]


Figure 9.1-2 Time-Line Diagram for Safety-Related Component Down Time that Covered Mid-loop Operations (POS 6) during Surry 1, 1986
Refueling Outage
Time axis marks: 5/10/86 0224; 5/13/86 2216; 5/16/86 1200; 7/18/86 0809.
Components shown: CH-P-1A, CH-P-1B, EDG#1, FW-P-3B, SI-P-1A, SI-P-1B, SW-P-1B, SW-P-10A.
Figure 9.1-3 Time-Line Diagram for Safety-Related Component Downtime that Covered Midloop Operations (POS 6/POS 10) during Surry 2, 1986
Refueling Outage
Time axis marks: 10/04/86 0221; 10/08/86 0123; 10/10/86 0015; 11/11/86 0915; 11/14/86 0415; 12/01/86 0646.
Components shown: CH-P-1A, CH-P-1B, CH-P-1C, BATTERY B, BATCGRB1, BATCGRB2, INVERTER B2, EDG#2, FW-P-3B,
RC-MOV-2595, RC-PCV-2455C, RC-PCV-2456, SI-P-1A, SW-E-1A, SW-E-1B, SW-P-10A, VS-E-4A, VS-E-4B.
Figure 9.1-4 Time-line Diagram for Safety-Related Component Downtime that Covered Midloop Operations (POS 6/POS 10) during Surry 1, 1990
Refueling Outage
Time axis: 10/6/90 0625, 10/15/90 0523, 10/15/90 1353, 11/23/90 0550, 11/25/90 1203, 12/20/90 0416.
Components shown: CC-E-1A, CC-E-1B, CC-E-1D, CH-P-1A, CH-P-1B, FW-P-3B, SW-P-1B, SW-P-1C, SW-P-10A, FW-MOV-151A/C/E,
FW-MOV-260A.
Table 9.1-1
Maintenance Unavailability Estimates Based on Data Collected from Log Books
and Minimum Equipment Lists

State 1 State 2 State 3 State 4 State 5 State 6 State 7 State 8 State 9 State 10 State 11 State 12 State 13 State 14 State 15

ACP-BAC-MA-1A+ 0.0124
ACP-BAC-MA-1B+ 0.0222 0.0891 0.6490
ACP-BAC-MA-1C+ 0.0316
ACP-BAC-MA-1G+ 0.0533 0.0752
ACP-BAC-MA-1H+ 0.0193
ACP-BAC-MA-1J+ 0.0158
ACP-BAC-MA-VB1II 0.2412
ACP-BCH-MA-UPSB1* 0.4003
ACP-BCH-MA-UPSB2* 0.4003
AFW-MDP-MA-FW3A 0.3863 0.2089 0.2515 0.4304
AFW-MDP-MA-FW3B 0.1097 0.2784 0.0869 0.5272 0.1297 0.2564 0.5110 0.0154 0.2694
AFW-MOV-MA-151A/C/E* 0.0726
AFW-MOV-MA-260A+ 0.2118 0.0726 0.5460 0.2491 0.6002 0.5093 0.0154 0.4602
AFW-TDP-MA-FW2+ 0.2341 0.2175 0.2695 0.1381 0.3719 0.3154 0.3185 0.3998 0.4907 0.1094 0.4584 0.7414 0.5404 0.4128
CCW-HTX-MA-E1B 0.0614 0.8152 0.1452 1.0000 0.5947 0.8946 0.8946 0.0308 0.6533
CCW-HTX-MA-U2E1A' 0.2375 0.6317 0.0050 0.0162 0.0425 0.0528 0.0049
CPC-MDP-MA-CC2B 0.3128 0.1355
CPC-MDP-MA-SW10B 0.3816 0.2175 0.2695 0.1381 0.9274 0.5013 0.4540 0.7384 0.4473 0.1094 0.1832
CSS-MDP-MA-CS1B 0.0198
DCP-BDC-MA-BAT1B 0.4003 0.0875
DCP-CGR-MA-1A1+ 0.0018
HPI-MDP-MA-CH1A* 0.3864
HPI-MDP-MA-CH1B 0.2470 0.2175 0.2695 1.0000 1.0000 1.0000 1.0000 1.0000 1.0000 0.1445 0.3184 0.3776 0.3096
HPI-MDP-MA-CH1C 0.0319 1.0000 1.0000 1.0000 1.0000 1.0000 1.0000 0.1094 0.1964
LPI-MDP-MA-SI1A 0.3422 0.9127 0.5468 0.5480 0.5527 0.5527 0.1248 0.7348
LPI-MDP-MA-SI1B 0.4339 0.2591 0.6002 0.5093 0.8904 0.6158 0.3184 0.2887 0.1989
LPI-MOV-MA-1862A 0.1965 0.0363
OEP-DGN-MA-DG01 0.1627 0.0869 0.5272 0.1359 0.2990 0.1289 0.5527 0.0650 0.2531
OEP-DGN-MA-DG03 0.2919 0.2422
PPS-PCV-MA-1455C 0.0024 0.3294 0.2425 0.4293 0.7509 0.3998 0.8125
PPS-PCV-MA-1456 0.0024 0.3294 0.2425 0.1859 0.7509 0.3998 0.0441 0.7110
RCS-MDP-MA-RCP1B+ 0.0706
RCS-MDP-MA-RCP1C 0.0951
RHR-MDP-MA-RHR1B 0.5760 0.6002 0.5093 0.0154 0.4760 0.3184 0.2228
RHR-MOV-MA-1720A 0.1887
SWS-HTX-MA-E1B+ 0.4781 0.2935 0.2004
SWS-MOV-MA-103A 0.2527 0.1062
SWS-MOV-MA-104D 0.0255
VS-CHL-MA-VSE4B* 0.4163

+ These basic events are not modelled for State 6 and State 10.
* These events were added July 1992.

Table 9.1-2 Component Downtime (that covered POS-6/POS-10) for Surry 1, May 1986

             OOS/INOP              RTS/Operable          Downtime (hr)
Component    Date      Time  POS   Date      Time  POS   Total     POS-6            POS-10
1-CH-P-1A    05/10/86  0224  1     06/27/86  1252  11    1162.47   61.73 (100%)     NA
1-CH-P-1B    05/13/86  0000  5     06/27/86  1255  11    1092.92   61.73 (100%)     NA
EDG#1        05/12/86  0600  4     06/02/86  1812  8     516.20    61.73 (100%)     NA
1-FW-P-3B    05/11/86  0630  3     05/18/86  0520  7     166.83    61.73 (100%)     NA
1-SI-P-1A    05/11/86  1900  4     05/16/86  0147  6     102.78    51.51 (83.45%)   NA
1-SI-P-1B    05/11/86  1900  4     05/16/86  0147  6     102.78    51.51 (83.45%)   NA
1-SW-P-1B    05/10/86  0224  1     05/15/86  0000  6     117.60    25.73 (42%)      NA
1-SW-P-10A   05/13/86  0000  5     06/27/86  0116  11    1081.27   61.73 (100%)     NA

Table 9.1-3 Component Downtime (that covered POS-6/POS-10) for Surry 2, October 1986

                      OOS/INOP              RTS/Operable          Downtime (hr)
Component             Date      Time  POS   Date      Time  POS   Total     POS-6            POS-10
2-CH-P-1A             10/04/86  1440  2     11/13/86  1305  10    958.42    46.87 (100%)     51.83 (77.36%)
2-CH-P-1A             11/13/86  2115  10    11/14/86  0413  10    6.97      -                6.97 (10.40%)
2-CH-P-1B             10/05/86  2112  4     11/29/86  1838  14    1317.43   46.87 (100%)     67.00 (100%)
2-CH-P-1C             10/08/86  0300  6     10/11/86  1200  7     81.00     45.25 (96.54%)   -
2-CH-P-1C             11/13/86  1500  10    11/20/86  0626  12    159.43    -                13.25 (19.78%)
2B-Battery            10/05/86  1325  4     10/29/86  1500  8     577.58    46.87 (100%)     -
2B1 Battery Charger   10/06/86  0912  4     10/29/86  1500  8     557.80    46.87 (100%)     -
2B2 Battery Charger   10/06/86  0912  4     10/29/86  1500  8     557.80    46.87 (100%)     -
2B3 Inverter          10/05/86  1325  4     10/29/86  1500  8     577.58    46.87 (100%)     -
EDG#2                 11/10/86  0922  9     11/15/86  1936  11    130.23    -                67.00 (100%)
2-SI-P-1A             10/20/86  2136  8     11/27/86  1131  12    901.92    -                67.00 (100%)
2-FW-P-1A             10/07/86  1100  5     11/19/86  1440  12    1035.67   46.87 (100%)     67.00 (100%)
2-FW-P-3B             11/11/86  0706  10    11/11/86  1658  10    9.87      -                7.72 (11.52%)
2-RC-MOV-2595         10/08/86  1749  6     10/13/86  2357  7     126.13    42.07 (89.75%)   -
2-RC-PCV-2455C        10/04/86  1730  1     11/15/86  0210  11    992.67    (*)              (*)
2-RC-PCV-2456         10/04/86  1730  1     11/14/86  1504  11    981.57    (*)              5.35 (7.99%)
2-SW-E-1A             10/06/86  2215  4     11/12/86  2050  10    886.58    46.87 (100%)     35.58 (53.11%)
2-SW-E-1B             10/06/86  2332  4     10/08/86  1030  6     34.97     9.12 (19.46%)    -
2-SW-P-10A            10/06/86  2215  4     11/12/86  2050  10    886.58    46.87 (100%)     35.58 (53.11%)
1-VS-E-4A             10/04/86  0221  1     10/18/86  2400  7     333.65    46.87 (100%)     -
1-VS-E-4B             10/09/86  0137  6     10/09/86  0330  6     1.88      1.99 (4.02%)     -

(*): Valve blocked open, thus deemed available, during marked state.

Table 9.1-4 Component Downtime (that covered POS-6/POS-10) for Surry 1, October 1990

                     OOS/INOP              RTS/Operable          Downtime (hr)
Component            Date      Time  POS   Date      Time  POS   Total     POS-6          POS-10
1-CC-E-1A            10/12/90  2058  5     12/09/90  1305  12    1384.12   8.50 (100%)    54.22 (100%)
1-CC-E-1B            10/12/90  2058  5     12/08/90  1300  12    1360.03   8.50 (100%)    54.22 (100%)
1-CC-E-1D            11/23/90  1800  10    11/24/90  0024  10    6.40      -              6.40 (11.80%)
1-CH-P-1A            10/09/90  2335  4     12/20/90  0416  15    1708.68   8.50 (100%)    54.22 (100%)
1-CH-P-1B            10/11/90  0125  5     11/28/90  1439  12    1165.23   8.50 (100%)    54.22 (100%)
1-FW-P-3B            11/21/90  0109  9     11/30/90  0511  12    220.03    -              54.22 (100%)
1-SW-P-1B            10/17/90  0502  7     12/12/90  1420  12    1353.30   -              54.22 (100%)
1-SW-P-1C            11/21/90  1842  9     11/23/90  1835  10    47.88     -              12.75 (23.52%)
1-SW-P-10A           11/22/90  1554  9     11/25/90  1509  12    71.25     -              54.22 (100%)
1-FW-MOV-151A/C/E    10/14/90  0004  5     10/19/90  1720  7     137.27    8.50 (100%)    -
1-FW-MOV-260A        10/14/90  0004  5     10/19/90  1720  7     137.27    8.50 (100%)    -

9 Database Development

Table 9.1-5 Modified Maintenance Unavailability for POS 6 and POS 10


COMPONENT POS 6 POS 10 SOURCE

ACP-BAC-MA-VB1II 0.0 0.0 Log Book

ACP-BCH-MA-UPSB1 0.4 0.0 Log Book

ACP-BCH-MA-UPSB2 0.4 0.0 Log Book

AFW-MDP-MA-FW3A 2.00E-03 2.00E-03 NUREG-1150

AFW-MDP-MA-FW3B 0.5272 0.5110 Log Book

AFW-MOV-MA-151A/C/E 0.0726 0.0 Log Book

CCW-HTX-MA-E1B 0.1452 0.8946 Log Book

CCW-HTX-MA-U2E-1A 0.0 0.0528 Log Book

CCW-MDP-MA-CCP1B 2.0E-03 2.0E-03 NUREG-1150

CPC-MDP-MA-CC2B 2.0E-03 2.0E-03 NUREG-1150

CPC-MDP-MA-SW10A 0.0 0.0 Log Book

CPC-MDP-MA-SW10B 0.9274 0.4473 Log Book

CSS-MDP-MA-CS1B 2.0E-03 2.0E-03 NUREG-1150

DCP-BDC-MA-BAT1B 0. 0.0 Log Book & Checklist

HPI-MDP-MA-CH1A 0. 0.

HPI-MDP-MA-CH1B 1.0 1.0 Log Book & Checklist

HPI-MDP-MA-CH1C 1.0 1.0 Log Book & Checklist

LPI-MDP-MA-SI1A 1.0 1.0 Log Book & Checklist

LPI-MDP-MA-SI1B 0.0 0.0 Log Book & Checklist

LPI-MOV-MA-1862A 0.0 0.0 Log Book

OEP-DGN-MA-DG01 0.0 0.0 Log Book & Checklist

OEP-DGN-MA-DG03 0.0 0.0 Log Book

PPS-PCV-MA-1455C 0.0 0.0 Log Book

PPS-PCV-MA-1456 0.0 0.0441 Log Book

RCS-MDP-MA-RCP1C 0.0 0.0 Log Book

RHR-MDP-MA-RHR1B 0.0 0.0 Log Book & Checklist

RHR-MOV-MA-1720A 0.0 0.0 Log Book & Checklist

SWS-HTX-MA-E1B 0.4781 (not modeled) 0.2935 (not modeled) Log Book

SWS-MOV-MA-103A 2.0E-04 2.0E-04 NUREG-1150

SWS-MOV-MA-104D 0.0 0.0 Log Book

VS-AHU-MA-VSAC6 0.0 0.0 IPE & Checklist

VS-CHL-MA-VSE4B 0.0 0.0 Log Book & Checklist


9.2 Duration and Frequency of Plant Operational States


The duration of each plant operational state is used to determine some important parameters related to the
time after shutdown, e.g., the decay heat level and the frequency with which an initiating event occurs in a POS.
The durations were estimated from the monthly operating reports that Virginia Power submitted to NRC, and from
the shift supervisor's log books. Monthly operating reports (the so-called "gray books") from the Surry Station for
about ten years were obtained from the NRC public document room; they explicitly tabulate the instants and
durations when the plant condition changes. The gray books, along with the log books, allowed us to construct
Tables 9.2-1 to 9.2-4 for every outage between 1985 and 1989. Some judgment was exercised in estimating
these durations because the plant may not always follow the evolution depicted in the definitions of each POS
for this study. For example, the plant may reach the mid-loop condition at an early stage of the outage, and
then keep varying the RCS levels, as needed, between mid-loop and the vessel flange for quite some time,
before conducting refueling. Thus, in an actual plant outage, the line to be drawn between POS 6 and POS
7 might be ambiguous, and distinguishing between these two states needs some judgment by the analyst.

In the phase 1 study, the mean durations of the POSs (Tables 9.2-1 to 9.2-4) were used to calculate the
frequency of initiating events. For the thermal hydraulic calculations, a more conservative approach was used.
In reviewing the data in Tables 9.2-1 to 9.2-4, as well as the operating procedures for cooling down and
draining to mid-loop, the earliest time at which a POS can be reached was estimated. These times are listed
in Table 9.2-5 and were used to determine the representative decay heat for each of the POSs. Due to their
conservative nature, these times were not used in the PRA for mid-loop operation. In the time window
approach, the time when the accident occurs is modeled by a probability distribution which is estimated in
Section 9.3. Table 9.2-6 lists the elapsed periods, determined from the log books and the gray books; the
shortest elapsed time to mid-loop was approximately 1 day after reactor shutdown. The times to mid-loop
of Table 9.2-6 were used in the statistical analysis.

In searching for data on the duration of each outage and of each POS, the NRC graybook database, in the
form of a magnetic tape, was used. The tape was converted into a DBASE file at BNL. The graybook
database compiles records of every nuclear power plant shutdown in the United States. It can be used to estimate
the frequency and duration of different types of outages. Unfortunately, the information in the graybook was
not sufficient for estimating the duration of each POS. Table 9.2-7 summarizes some statistics that were
obtained from the graybook database. In Chapter 4, the graybook database was used to estimate the number
of hours that a plant was on RHR during 1979 to 1989. Such information is important for estimating the
frequency of loss of RHR.

Table 9.2-1 Duration of Plant Operational States - Non-Drained Maintenance w. RHR (N1)

Date Unit POS 1 POS 2 POS 3 POS 4 POS 5 POS 6 POS 7 POS 8 POS 9 POS 10 POS 11 POS 12 POS 13 POS 14 POS 15
(each POS entry: hr min)
02/16/86 Surry 2  0 2  13 41  14 3  143 82  0 0  0 0  0 0  0 0  0 0  0 0  0 0  0 0  0 0  18 1  15 54
07/23/86 Surry 2  0 17  6 28  7 49  44 100  0 0  0 0  0 0  0 0  0 0  0 0  0 0  0 0  0 0  20 7  2 46
09/19/86 Surry 1  0 0  12 5  9 19  66 63  0 0  0 0  0 0  0 0  0 0  0 0  0 0  0 0  0 0  17 33  70 9
06/08/87 Surry 1  0 11  13 3  55 7  253 70  0 0  0 0  0 0  0 0  0 0  0 0  0 0  0 0  0 0  16 2  4 55
09/20/87 Surry 1  0 0  16 47  13 43  166 42  0 0  0 0  0 0  0 0  0 0  0 0  0 0  0 0  0 0  36 18  6 17
10/03/87 Surry 1  0 5  11 28  4 32  73 56  0 0  0 0  0 0  0 0  0 0  0 0  0 0  0 0  0 0  16 4  5 14
11/26/87 Surry 1  0 6  8 25  12 34  111 79  0 0  0 0  0 0  0 0  0 0  0 0  0 0  0 0  0 0  19 15  16 16
03/27/88 Surry 2  0 0  16 57  17 40  158 95  0 0  0 0  0 0  0 0  0 0  0 0  0 0  0 0  0 0  24 57  27 57
Total  0 41  95 234  131 227  1014 587  166 137  145 268
Mean duration of POS  0.08  12.3  16.8  127.9  21.0  18.
Table 9.2-2 Duration of Plant Operational States - Non-Drained Maintenance w/o RHR (N2)

POS 1 POS 2 POS 3 POS 4 POS 5 POS 6 POS 7 POS 8 POS 9 POS 10 POS 11 POS 12 POS 13 POS 14 POS 15
Date Unit hr min hr min hr min hr min hr min hr min hr min hr min hr min hr min hr min hr min hr min hr min hr min

01/13/85 Surry 1 0 12 19 30 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 10 1H
01/13/85 Surry 1 0 0 2 28 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 21
01/26/85 Surry 1 0 0 17 11 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 5 6
01/27/85 Surry 1 0 0 11 53 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 4 47
01/28/85 Surry 1 0 0 5 8 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 22
06/ /85 Surry 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 2
07/ /85 Surry 2 12 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
09/11/85 Surry 1 0 0 12 39 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 9 59
09/27/85 Surry 1 0 49 32 14 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 7 56
11/06/85 Surry 2 0 0 3 31 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 23
01/07/86 Surry 1 0 0 8 10 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 9 6
01/19/86 Surry 1 0 0 9 55 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 13 35
02/07/86 Surry 1 0 0 5 8 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 5 19
05/11/86 Surry 2 0 0 19 25 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 9 15
12/01/86 Surry 2 0 0 0 59 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 36 48
04/04/87 Surry 2 0 0 7 30 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 30 49
08/07/87 Surry 1 0 0 20 18 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 9 57
02/16/88 Surry 1 0 0 16 27 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 7 34
03/11/88 Surry 1 0 35 48 33 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 6 4
08/15/88 Surry 1 0 0 35 22 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 20 44
07/09/89 Surry 1 0 0 17 9 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 5 10
09/19/89 Surry 2 0 0 6 71 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 13 4
09/22/89 Surry 2 0 0 19 49 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
09/28/89 Surry 2 0 0 40 40 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 21 54
Total 12 96 350 670 226 597
Mean Duration of POS 0.56 15.0 9.8
Table 9.2-3 Duration of Plant Operational States - Drained Maintenance (D)

Date Unit POS 1 POS 2 POS 3 POS 4 POS 5 POS 6 POS 7 POS 8 POS 9 POS 10 POS 11 POS 12 POS 13 POS 14 POS 15
(each POS entry: hr min)
04/29/85 Surry 1  0 0  8 7  14 45  40 40  31 10  153 25  0 0  0 0  0 0  0 0  47 39  26 11  10 0  27 3  15 56
08/06/85 Surry 1  0 0  16 29  10 15  60 47  17 53  42 30  0 0  0 0  0 0  0 0  99 25  69 18  11 12  27 9  30 19
10/29/85 Surry 2  0 23  12 19  12 31  3 43  32 34  79 23  0 0  0 0  0 0  0 0  61 50  165 131  7 52  72 130  3 34
01/24/86 Surry 1  0 0  11 10  12 30  38 20  12 50  180 101  0 0  0 0  0 0  0 0  20 24  29 53  6 4  32 45  5 31
06/17/86 Surry 2  0 0  9 12  16 41  16 49  10 38  190 55  0 0  0 0  0 0  0 0  34 17  38 19  12 31  35 59  5 1
12/11/86 Surry 1  7 20  9 0  11 33  228 92  17 50  1071 60  0 0  0 0  0 0  0 0  43 0  358 90  11 5  36 37  5 28
12/09/86 Surry 2  0 0  9 53  6 50  1264 57  0 0  59 56  0 0  0 0  0 0  0 0  21 46  845 62  14 16  53 31  24 4
05/16/87 Surry 1  0 0  21 36  14 17  17 23  21 37  144 13  0 0  0 0  0 0  0 0  33 0  30 -21  25 45  19 7  7 58
06/23/87 Surry 1  0 18  13 7  7 25  22 2  10 52  10 56  0 0  0 0  0 0  0 0  10 27  17 -8  4 34  24 59  0 50
12/09/87 Surry 2  0 17  8 37  18 33  120 32  35 50  28 19  0 0  0 0  0 0  0 0  24 34  74 -44  6 52  20 59  42 30
05/16/88 Surry 2  0 0  33 31  17 79  215 65  22 41  206 28  0 0  0 0  0 0  0 0  100 63  244 245  5 15  23 49  5 40
10/12/89 Surry 2  0 13  28 73  19 49  325 13  28 73  265 44  0 0  0 0  0 0  0 0  31 78  178 43  8 50  108 70  5 55
Total  7 91  177 314  156 448  2348 483  235 488  2427 510  0 0  0 0  0 0  0 0  523 403  2073 599  119 316  476 558  146 406
Mean Duration of POSs  0.70  15.1  13.6  196.3  20.2  202.  0  0  0  0  44.1  173.  10.3  40.4  12.
Table 9.2-4 Duration of Plant Operational States - Refueling (R)

Date Unit POS 1 POS 2 POS 3 POS 4 POS 5 POS 6 POS 7 POS 8 POS 9 POS 10 POS 11 POS 12 POS 13 POS 14 POS 15
hr min hr min hr min hr min hr min hr min hr min hr min hr min hr min hr min hr min hr min hr min hr min

03/20/85 Surry 2 0 42 13 47 15 10 29 4 179 45 134 11 130 39 736 45 667 70 141 8 210 24 48 18 12 5 54 58 2
72 3
05/10/86 Surry 1 0 55 20 19 10 18 48 18 12 2 61 44 103 0 593 57 0 0 0 0 395 3 230 -20 13 50 96 15 76 2
4
10/04/86 Surry 2 0 18 27 18 6 48 46 45 19 7 41 38 234 27 437 28 119 50 52 15 49 23 274 -10 11 44 52 43 22 5
1
04/09/88 Surry 1 0 50 33 111 14 95 376 65 24 13 79 21 479 17 537 50 442 30 0 0 37 0 453 31 12 17 63 99 84 4
6
09/14/88 Surry 1 0 34 16 44 6 8 270 18 21 50 100 0 43 2 1801 75 0 0 0 0 0 0 462 83 87 30 56 27 46 1
6 8
09/10/88 Surry 2 0 4 21 21 10 25 155 28 16 8 680 78 125 51 756 68 9 452 452 4 18 51 540 175 69 3 71 32 47 5
3 6 6
10/ /90 Surry 0.85 14.2 14.1 78.4 107 8.5 405. 342.1 179 54.2 6.95 463. 8.8 60 52.
5 7 3 .4
TOTAL 0 203 130 260 61 204 924 178 271 125 109 192 224 136 4860 323 123 202 645 27 709 101 115 287 20 14 41 27 33 2
5 2 7 00 4 S 0 0 3 1
8

Mean Duration of 0.56 0 22.3 0 10.7 0 154. 0 45. 0 183 0 374. 0 810.8 0 206 0 107. 0 118. 0 184 0 34. 0 69 0 56 0
POSs 4 5 0 4 .0

Oct. 90 Unit 1 outage was not used in calculating the mean durations

Table 9.2-5 Conservative Estimates of the Earliest Time (after shutdown) That a POS Can Be Reached

Columns: Refueling, Drained Maintenance, Non-Drained (w. RHR), Non-Drained (w/o RHR)

POS 1 N.A. N.A. N.A. N.A.
POS 2 0. 0. 0. 0.
POS 3 6 hr 6 hr 6 hr
POS 4 6 hrs 6 hrs 6 hrs
POS 5 6 hrs 6 hrs
POS 6 4 days 1 day
POS 7 4 days
POS 8 6 days
POS 9 27 days
POS 10 29 days
POS 11 34 days 34 hrs
POS 12 39 days 54 hrs
POS 13 49 days 78 hrs
POS 14 50 days 84 hrs 24 hrs
POS 15 50 days 108 hrs 48 hrs


Table 9.2-6 Operational Experience Data of Elapsed Time to Mid-loop at Surry

Date of Outage (outage type)                  Time to Mid-Loop        Cause of Shutdown
May 1988 (Drained Maintenance)                444 hours 56 minutes    "A" RCP failure
April 1988 (Refuel)                           173 hours 44 minutes    Refueling
December 1987 (Drained Maintenance)           180 hours 54 minutes    Scheduled Maintenance
June 1987 (Drained Maintenance)               54 hours 14 minutes     Excessive RCS leakage. MOV-RC-1593 and MOV-RC-1591 were repacked.
May 1987 (Drained Maintenance)                74 hours 53* minutes    Low flow in "A" RC loop. MOV-1591 valve shaft cracked.
December 1986 (Drained Maintenance)           82 hours 24 minutes     Secondary Piping Inspection, Snubber Outage
October 1986 (Refueling)                      100 hours 16 minutes    Refueling
June 1986 (Drained Maintenance)               53 hours 20 minutes     Increasing level in "A" steam generator. Indication of a SG tube leak. Feed regulating valve inspected and repaired.
May 1986 (Refuel)                             91 hours 52 minutes     Refuel
January 1986 (Drained Maintenance)            74 hours 50 minutes     Snubber outage
October 1985 (Drained Maintenance)            61 hours 30 minutes     Scheduled snubber outage.
August 1985 (Drained Maintenance)             105 hours 24 minutes    Repair of 1-SI-243.
March 1985 (Refueling)                        238 hours 28 minutes    1. Refueling 2. MOV-RH-2700 packing gland leakage.
October 1984 (Drained Maintenance)            82 hours 32 minutes     Repair of "A" RCP.
September 1984 (Refueling)                    161 hours 1 minute      Loss of "C" RCP.
March 1984 (Drained Maintenance)              37 hours 37 minutes     "B" RCP tripping. Scheduled snubber outage.
February 1984 (Refuel)                        88 hours 4 minutes      Snubber outage with head evacuation.
December 1983 (Drained Maintenance)           27 hours 53 minutes     Repair "C" RCP #1 seal.
December 1983 (Drained Maintenance)           42 hours 5 minutes      Repair 2-SI-88.238
September 1983 (Drained Maintenance)          105 hours 50 minutes    Snubber Outage
June 1983 (Refueling)                         292 hours 5 minutes     Scheduled refueling outage.
June 1983 (Drained Maintenance)               23 hours 58 minutes     Repair 1-SI-82 bonnet leak. Shutdown to balance turbine. Unit was delayed in startup to repack MOV-1587.
Does not begin with reactor shutdown.         11 hours 47 minutes     Repair 1-RCP-1B seals.
February 1983 (Refueling)                     183 hours 30 minutes    "C" S/G low level with a steam/feed flow mismatch. Scheduled refueling outage.
December 1982 (Drained Maintenance)           44 hours 3 minutes      Scheduled maintenance outage. Repair "C" RCP flange leak.
October 1982 (Drained Maintenance)            120 hours 40 minutes


Table 9.2-7 Gray Book Data Base

1. Covers 1979-1989

2. Data on Frequency and Duration of Outages

3. 15587 Outages

             W      CE     B&W    Surry   GE
Refueling    247    71     47     9       185
Total        6541   1287   1689   327     5694

4. Duration of Refueling Outages

         Westinghouse   Surry
Mean     2290           2860
Std.     1290           1910


9.3 Time to Mid-loop and Duration of Mid-loop Operations


The time after shutdown when the assumed accident initiator occurs is an important parameter in this study
because it determines the level of decay heat in the reactor core. The decay heat, in turn, determines the
timing of the accident scenarios and the time available for operator actions. A statistical analysis of the time to
mid-loop and the duration of mid-loop was made; it is documented in Appendix D. In the analysis, a two-stage
Bayesian analysis was done for the time to POS 6. The PWR plants' responses to generic letter 87-12
were used as the prior information, and Surry-specific data were used in the second stage. For the time to
POS 10, and the duration of the POSs, a single-stage Bayesian analysis was done, using Surry-specific data.
In Appendix D, a statistical analysis also is given of the duration of mid-loop operation for the 3 POSs. Table
9.3-1 lists the key characteristics of the time to mid-loop and the duration of mid-loop. Table 9.3-2 lists the
characteristic parameters for the time when the accident initiating event is assumed to occur for the three
mid-loop POSs. It was calculated as the time to mid-loop plus the duration of mid-loop multiplied by a variable
uniformly distributed between 0 and 1. For the over-draining initiating event, RHR2A, the time when the initiating
event occurs is assumed to be the same as the time to mid-loop.

The mean values of the durations of the POSs were used to calculate the frequency of initiating events and
the point-estimate quantification of the core-damage cutsets. The distribution for the time after shutdown
when an initiating event is assumed to occur is used to determine the conditional probability that the
initiating event occurs in each of the time windows. Table 9.3-3 lists the probability as a function of the time
windows and POSs. The values in parentheses are the probabilities for the over-draining event.


Table 9.3-1 Characteristics of Time to Midloop and Duration of Mid-loop

Characteristic         Mean (hrs.)   5%      50%     95%     EF

Time to Mid-loop
POS 6 Refuel           191           72.2    167.6   388.8   2.32
POS 10 Refuel          2619          833     968     4828    2.41
POS 6 Drained          190           27.0    105     618     4.78

Duration of Mid-loop
POS 6 Refuel           238           14.2    112     876     7.85
POS 10 Refuel          444           6.3     151     2586    20.3
POS 6                  255           11.9    109     958     8.97


Table 9.3-2 Distribution of the Time When the Accident Initiating Event Occurs

Time of IE             Mean (hrs.)   5%      50%     95%     EF

(all IE except RHR2A)
POS 6 Refuel           310           98.7    260.5   687.6   2.64
POS 10 Refuel          2819          1009    2440    5903    2.42
POS 6 Drained          313.1         50.4    213.2   901.8   4.23

(RHR2A only)
POS 6 Refuel           191           72.2    167.6   388.8   2.32
POS 10 Refuel          2619          833.3   968     4828    2.41
POS 6 Drained          190           27      105     618     4.78


Table 9.3-3 Probability that IE Occurs in the Window

                 WINDOW 1            WINDOW 2                       WINDOW 3                      WINDOW 4
Definition       <= 75 hours         > 75 hours and <= 240 hours    > 240 hours and <= 32 days    > 32 days
Representative   13.23 MW (2 days)   10 MW (5 days)                 7 MW (12 days)                5 MW (32 days)
Decay Heat
D6               0.117               0.436                          0.375                         7.20E-02
                 (0.31)*             (0.454)                        (0.21)                        (2.6E-02)
R6               1.7E-02             0.543                          0.41                          3.4E-02
                 (5.82E-02)          (0.7)                          (0.24)                        (1.48E-03)
R10              0.0                 0.0                            0.016                         9.84E-01
                                                                    (2.2E-02)                     (0.98)

* Applicable to RHR2A, over-draining event, only.
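
The window calculation described in Section 9.3, as an added example that is not part of the report. It assumes that the POS 6 Refuel entries of Table 9.3-1 are lognormal with EF equal to the 95th percentile divided by the median (the report's own distributions are in Appendix D); function names, sample size and seed are illustrative. Under that assumption the closed-form RHR2A case reproduces the parenthesized R6 row of Table 9.3-3.

```python
import math
import random
from statistics import NormalDist

# Upper edges of windows 1-3 in hours after shutdown (Table 9.3-3);
# window 4 is everything beyond 32 days.
WINDOW_EDGES_HR = (75.0, 240.0, 32 * 24.0)
_STD_NORMAL = NormalDist()
Z95 = _STD_NORMAL.inv_cdf(0.95)  # about 1.645


def lognormal_sigma(error_factor):
    """Log-space sigma, ASSUMING a lognormal with EF = 95th percentile / median."""
    return math.log(error_factor) / Z95


def lognormal_mean(median, error_factor):
    """Mean of the assumed lognormal, for comparison with the 'Mean' column."""
    return median * math.exp(lognormal_sigma(error_factor) ** 2 / 2.0)


def overdrain_window_probs(median, error_factor):
    """RHR2A case: the IE time is the time to mid-loop itself (closed form)."""
    sigma = lognormal_sigma(error_factor)
    cdf = [0.0]
    cdf += [_STD_NORMAL.cdf(math.log(edge / median) / sigma)
            for edge in WINDOW_EDGES_HR]
    cdf.append(1.0)
    return [hi - lo for lo, hi in zip(cdf, cdf[1:])]


def sample_ie_times(t_median, t_ef, d_median, d_ef, n=200_000, seed=6144):
    """All other IEs: time to mid-loop + U(0,1) * duration of mid-loop."""
    rng = random.Random(seed)
    mu_t, sig_t = math.log(t_median), lognormal_sigma(t_ef)
    mu_d, sig_d = math.log(d_median), lognormal_sigma(d_ef)
    return [rng.lognormvariate(mu_t, sig_t)
            + rng.random() * rng.lognormvariate(mu_d, sig_d)
            for _ in range(n)]


def sampled_window_probs(times):
    """Fraction of sampled IE times falling in each of the four windows."""
    counts = [0, 0, 0, 0]
    for t in times:
        # Number of edges exceeded = zero-based window index.
        counts[sum(t > edge for edge in WINDOW_EDGES_HR)] += 1
    return [c / len(times) for c in counts]


if __name__ == "__main__":
    # POS 6 Refuel rows of Table 9.3-1: median and EF of time to / duration of mid-loop.
    T_MEDIAN, T_EF = 167.6, 2.32
    D_MEDIAN, D_EF = 112.0, 7.85
    print("RHR2A (closed form):",
          [round(p, 4) for p in overdrain_window_probs(T_MEDIAN, T_EF)])
    times = sample_ie_times(T_MEDIAN, T_EF, D_MEDIAN, D_EF)
    print("other IEs (sampled):",
          [round(p, 4) for p in sampled_window_probs(times)])
    print("sampled mean IE time (hr):", round(sum(times) / len(times), 1))
```

The sampled row for the other initiating events only approximates the R6 row of Table 9.3-3, because the lognormal duration assumed here does not match the tabulated mean of the duration exactly.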


9.4 Use of Log Book Data


The shift supervisor's log books were reviewed to identify the fraction of the duration that the plant might be
placed in some specific configurations that are of particular concern in terms of risk. These configurations
may occur in some of the POSs, and can affect plant response to the initiating events. In addition, discussions
with Virginia Power staff and Westinghouse staff also provided some information needed for making relevant
estimates.

9.4.1 Isolation of RCS Loops

At Surry, the RCS loops are routinely isolated for an extended period during a refueling outage. This is
necessary for the tests and maintenance that are performed on components in the RCS loops, e.g., the
steam-generator eddy current test. To ensure that primary coolant in the steam generator tubes is drained, the RCS
loops will not be isolated until the reactor vessel level is low enough (close to mid-loop). The individual RCS
loops are drained, IAW OP S.12, after they are isolated.

When refueling operations are completed IAW OP 4.1, preparation is made for startup from ambient to
195°F IAW OP 1.1, where OP 5.1.1 (filling the RCS) is referenced. In OP 5.1.1, the loop stop valves are
to be verified open. However, the loops remain isolated until a level in the pressurizer is established.

It is recognized that a temporary operating procedure (TOP 3061) allows un-isolation of one loop when the
RCS level is above 18 feet; this was implemented during the 1990 outage of Unit 1, after refueling operations
were completed and the vessel head was tensioned.

The impact of isolated RCS loops on shutdown safety lies in loss of secondary heat-removal capability when
it could be needed. This is included in the fault tree for the function of secondary heat removal.

The fraction of time that the RCS loops were isolated is estimated for both refueling outages and drained
maintenance outages, as discussed in the following sections:

Refueling

At the beginning of mid-loop operation, the RCS loops may remain un-isolated as was the case in the Unit
2 outage during October 1986, and the Unit 1 outage during October 1990. In the Unit one refueling outage
in October 1986, the loops were isolated just before the level reached mid-loop. Past plant experience shows
that the 3 loops are isolated and un-isolated at about the same time. Hence, the probability that the loops
are isolated could be estimated for each of the time windows of a refueling outage. Table 9.4-1 lists the
resulting probabilities.

Drained Maintenance

In a drained maintenance, only one loop would be possibly isolated. In this study, we assumed that only one
loop is isolated during D6. In window 1, this means that the success criteria for reflux cooling can not be met,
but in other time windows, reflux cooling is possible.

9.4.2 Steam Generator in Wet Layup vs Drained

If an outage is scheduled for longer than 5 days, the steam generators are placed in wet layup (IAW GOP 2.6).
Judging from the mean duration of the outage types, it is assumed that in all cold shutdown outages, the steam
generators are placed in wet layup in POS 3. In wet layup, the steam generator recirculation and transfer
system is placed in service to ensure homogeneity of the SG water chemistry.


Based on discussion with Virginia Power staff, we ascertained that the secondary side of the steam generators
is almost always filled with a large quantity of water. There are two commonly known situations that require
draining of the secondary side of the steam generators, i.e., before placing the SGs in wet layup, and during
sludge-lancing of the steam generators. From a review of the log books, we judged that before placing the
SGs in wet layup, they stay in a drained condition only for a short period. Furthermore, the SGs are drained
one at a time. Therefore, the unavailability of the SGs before wet layup is small. For each steam generator,
a probability of 2.3E-02 is used to model the individual draining.

Refueling

Through discussions with on-site Westinghouse personnel familiar with sludge lancing, it was estimated that
three steam generators may be in a drained condition for S-days during a refueling outage. Among other
things, sludge-lancing is done on a SG when the plant is in cold shutdown condition with the SG drained. No
other constraint is imposed on planning sludge-lancing operations, except that operation of the reactor's
coolant pump requires the secondary side to be filled. Therefore, we assumed that sludge lancing is equally
likely to take place any time when the plant is in cold shutdown with no RCP running, i.e., in POSs 5 to 11.
Using the log book data on the time the plant is in such a condition during a refueling, an unavailability of
8.3E-03 (SGS-DRAINED-R) was estimated for the SGs to be drained in these POSs.

Others

In the March 27, 1988 Unit 1 outage, all three steam generators were drained for less than one day, with the
plant in cold shutdown. Therefore, an unavailability of 1.0E-03 (SGS-DRAINED-CSD) is used for all CSD
POSs of outages other than refueling.

Due to insufficient information on the time when the activities requiring draining the SGs take place, these
probabilities are assumed to be the same for all time windows.

9.4.3 RCS Vented with Pressurizer Safety Valves Removed


In reviewing the log books, we recognized that in past refueling outages, the safety valves on the pressurizer
were removed for an extended period. They were removed while the RCS was in mid-loop, and re-installed
after refueling was completed and the vessel head set. This removal of the safety valves provided a large vent
of the RCS and would help relieve the system pressure if needed. It makes gravity feed from RWST possible.
On the other hand, with such a large opening, reflux cooling becomes impossible, due to loss of inventory
through the opening. The effects of safety valve removal are modeled in the fault trees and event trees.

Based on the log books of the 3 refueling outages, and the outage plan of the 1992 Unit 1 refueling outage,
the safety valves are removed approximately 2 weeks into the refueling outage, and re-installed after refueling
is completed. Table 9.4-2 lists the estimated probability that the safety valves are removed in each of the time
windows. We assumed that the pressurizer safety valves are not removed during drained maintenance.

9.4.4 Time Period in Which the RCS Is Closed and the Temporary Seals at the Seal Table Were Installed

At step 5.8 of OP 4.1, refueling operations, the flux mapping detectors and thimbles are verified retracted.
Therefore, the high pressure seals at the seal table are removed. At step 5.9, the vessel level is raised to 20
feet to check the temporary seals for leakage. At step 5.26, the vessel head is lifted. Between step 5.8 and
step 5.26, the RCS should be closed. The vessel head vent hose is removed at step 5.24 and the head vent
valve 1-RC-36 is left open. The head vent is a 3/4 inch line.


These activities occur in POS 7. The RCS is vented through the open PORVs and pressurizer relief tank to
the process vent. The vessel level is changed by adjusting the charging and letdown flow rates. A similar
configuration may exist in POS 9, after refueling is completed, and the vessel head is set. The concern is that
a pressurization of the RCS may open the temporary seals, and further pressurization may expel coolant
through the opening. Pressurization could result from RCS heatup and boiling caused by, e.g., a loss of RHR.
In POS 7 of a refueling outage, the RCS loops are isolated and secondary heat removal is not available. The
head vent, if opened, or the PORVs should be capable of relieving nitrogen during heatup. POS 7 can be
reached as early as 4 days into a shutdown, and the level of decay heat could be as high as 8.7 MW. When
boiling occurs in the vessel, the relief paths cannot keep the RCS pressure below the 40 psia that the temporary
seals can withstand. Then the core is expected to uncover relatively rapidly.

From the log books, and through discussions with on-site Westinghouse personnel who are familiar with the
use of the seals, we concluded that the plant may be in a closed condition with the temporary seal in place
for 5 to 7 days during a refueling outage. There is little information about the time span that the RCS would
possibly be in such a configuration when the vessel head is set after the refueling is done. Based on the Unit
1 refueling outage plan, there are approximately 3 days between the time the vessel is set and the high
pressure seals are installed. We estimated that, for approximately 10 days per refueling, the RCS is in such
a configuration.

Table 9.4-1
Probability that the RCS Loops Are Isolated
Such that Reflux Cooling Is Unavailable or Ineffective

        R6      R10     D6
W1      0.3     -       True
W2      0.7     -       False
W3      True    True    False
W4      True    True    False

Table 9.4-2
Probability that the Safety Valves on the Pressurizer Are Removed

        R6      R10     D6
W1      0.01    -       False
W2      0.05    -       False
W3      0.9     0.9     False
W4      0.3     0.3     False

10 ACCIDENT SEQUENCE QUANTIFICATION
The core-damage sequences were quantified using the IRRAS code. A truncation limit of 1.00E-10 per year
was used to generate the system cutsets and sequence cutsets. Tables 10-1 to 10-48 list the results of the event
tree quantifications, which show the frequency of each core-damage sequence before and after recovery actions
are modeled. Recovery actions are operator actions that are not included in the fault-tree model and are
added to the applicable cutsets after they are generated. A hyphen in the table indicates that there is no
cutset above the truncation limit. Table 10-49 lists the dominant core-damage cutsets before core uncovery.
Table 10-50 lists the dominant cutsets after the recovery actions are applied. Appendix F lists the complete
sets of core damage cutsets before and after recovery actions are applied. The importance measures of the
basic events are also listed.

10.1 Descriptions of Recovery Actions


Recovery factors were applied to individual cutsets using the IRRAS code by specifying the rules that define
their applicability. Tables 10-51 to 10-58 list the recovery actions, their failure probabilities, applicable
sequences, and applicability rules. The basic events used to model recovery actions usually have two
contributors, human-error probability and hardware failure probability. The following types of recovery actions
were modeled; they were quantified on the different boundary conditions in different sequence cutsets.
Chapter 8 gives details of the operator actions and their quantification. Tables 10-51 to 10-58 summarize the
calculation of the basic event probabilities.

Uncertainty in the Success Criteria of Reflux Cooling in window 1 of Drained Maintenance- In the window
1 event trees for POS 6 of drained maintenance (D6), no credit was taken for reflux cooling because we
assumed only 2 steam generators are available, while 3 are needed for reflux cooling. It was assumed that one
reactor coolant loop is isolated due to maintenance in POS 6 of a drained maintenance outage. The decay
heat of this time window corresponds to that of 2 days after shutdown. The conservative thermal hydraulic
considerations of Virginia Power technical report 865 [1], rev. 1, led to the requirement of 3 steam generators
during the first 75 hours after shutdown, which is specifically written into the procedure for loss
of RHR, AP 27.00 [2], rev. 4.

INEL [3-5] and Westinghouse [6] performed more realistic thermal hydraulic analyses of reflux cooling. Their
studies show that reflux cooling with only one steam generator is sufficient to remove decay heat as early as
one day after shutdown. To eliminate the conservatism in the loss of RHR procedure, it was decided that
when everything else failed, the operators will use the 2 steam generators to establish reflux cooling. A failure
probability of 0.1 was used.

Local Manual Operation of MOVs- In some cutsets, recirculation failure occurs when the MOVs in the low
head injection/recirculation suction fail. Based on the data on MOV failure [7], we estimated that only 10%
of the MOV failures cannot be manually corrected locally. This is used as a recovery factor for those cutsets
that involve failure of the low pressure injection/recirculation suction valves. Figure 10-1 is a simple event
tree that is used to calculate the non-recovery probability for a cutset that contains such failure and is in time
window 1 of a drained maintenance outage; this example involves the above 2 recovery actions.

Use of Unit 2 Charging Pump in Time Window 2- In time window 2, recirculation from the containment
sump is needed in a feed-and-spill operation. Use of the unit 2 RWST by cross-connection of the 2 RWSTs
is modeled in the fault trees for recirculation, by using the unit 1 charging pump taking suction from the unit
2 RWST. In some core damage cutsets, no unit 1 charging pump is available, causing this method of
operation to fail. For these cutsets, the recovery action would be use of the unit 2 charging pump as well as
the unit 2 RWST to support the feed and spill operation. A simplified fault tree model for the unit 2 charging
pump was used to quantify the hardware contribution, 1.91E-02, to the failure of this recovery action.

Use of Unit 2 AFW to Support Reflux Cooling- In some cutsets, reflux cooling is failed due to failure of the
auxiliary feedwater system. The use of unit 2 auxiliary feedwater pump to support reflux cooling is treated
as a recovery action. Typically, this action is not needed until after 10 hours of successful reflux cooling. The
hardware failure contribution of 7.33E-03 is calculated using the fault tree for the unit 1 auxiliary feedwater
system.

Use of RWST to Provide Initial Makeup to Restore RHR- In the fault tree analysis, a basic event
RWT-TNK-LF-RWST representing insufficient inventory in the RWST would cause failures of RCS makeup, and
feed-and-spill operation. Failure of RCS makeup in an over-draining or loss of inventory event would cause
failure to restore RHR. In reality, for either event, only a small amount of makeup is needed, and a low
RWST inventory should not be a cause of failure. Therefore, in those cutsets containing this event, a recovery
was used to model recovery of RHR.

Recovery Actions for Loss of Offsite Power Sequences

Recovery actions in loss of offsite power sequences have several possibilities: cross-connect from Unit 2
(charging, AFW or RWST), gravity feed, reflux cooling (bleed path) recovery actions and cross-tying of
emergency electrical buses, either within the Unit or between the Units. These are arranged in three steps
for every cutset, but some steps may not apply to certain cutsets.

The first step that might be tried by the operators is a simple action such as cross-connecting the Unit 2
charging, or the gravity feed. These actions were not credited in quantifying most unrecovered sequences, as
it was a screening evaluation (charging cross-connect was only credited in B1 sequences, and gravity feed was
only credited in B2 sequences). These actions will extend the time available for recovery of offsite power (or,
depending on the window, will lead to success in the 24 hr mission time).

The second step is more complicated, such as establishing the bleed path for reflux cooling. When a LOSP
event occurs, instrument air will be lost due to failure of bearing cooling water system, which depends on
normal power. This, in turn, will lead to a loss of steam generator PORVs, i.e. the normal bleed path in
reflux cooling. The model gives credit to the operators for a quick recovery of compressed air (by connecting
the standby diesel compressor, or using fire-water for cooling of instrument compressor bearings, both
proceduralized actions). Then, the operators may need to switch the semi-vital bus (controlling the PORVs)
to a live source of power, depending on which emergency bus is up. Therefore, in L1, L2 and L3, the reflux
cooling bleed path will be established (except for operator failure to follow procedure, or hardware failures),
and Step 2 will be automatically accomplished, i.e. no recovery action is needed.

In B1 and B2, no power will be available to the semi-vital bus, and the PORV bleed path will fail. Another
option then would be for the operators to open the steam dump path to the condensers (into the turbine
building), which will involve manually opening the main steam non-return valve. This action is not simple and
may take a lot of time, so the HEPs, given this recovery action in B1 and B2, are relatively high. Fig. 10-2 [8]
shows the construction of this valve. The valve disc is supported by steam pressure drop against gravity when
the valve is open and the shaft is unscrewed. To open the valve, steam pressure is needed on the "in" side
and the shaft has to be unscrewed (normally done with electric power). The shaft screw has a very low pitch
(as it is a big valve) and it would take a couple of operators 15-20 minutes to open it (per discussion with the
plant). The valve needs to be only partially open to relieve steam pressure. Once open, the steam pressure
may burst the condenser rupture discs (depending on conditions), thus relieving the steam inside the turbine
building.

The second step will further extend the time available for recovery of offsite power. Depending on the
window, the combination of the first two steps could extend the allowable time past the 24 hour success
criterion.

As discussed in Section 7.4, recovery of offsite power will open up many possibilities for recovery, so the
residual core-damage frequency will be small compared to the situation where offsite power is not recovered.

The third step would involve cross-tying the emergency buses. There are hardware provisions for this (see
Fig. 10-3 [9]), and it is assumed to successfully conclude the sequence.

The LOSP recovery action will be calculated using the following equation:

$$R_{LOSP} = \eta_1 \left[ p_2 + (1 - p_2)\,\eta_2\,p_3 \right] = p_2\,\eta_1 + (1 - p_2)\,\eta_1\,\eta_2\,p_3 \qquad (10.1)$$

where the $\eta$s refer to adjustments in probability of non-recovery of offsite power due to extension of time to core
uncovery as a result of recovery actions (simple recovery actions in Step 1, or more complex actions in Step
2); the $p$s refer to human error probabilities assigned to recovery actions in Steps 2 and 3. Furthermore,

$$\eta_1 = NRAC(t_1) \cdot DG(t_1) / NRAC(t_0) \qquad (10.2)$$

$$\eta_1 \eta_2 = NRAC(t_2) \cdot DG(t_2) / NRAC(t_0) \qquad (10.3)$$

where NRAC(t) is the probability of non-recovery of a.c. power at time t (taken from Table 4.3-5); DG(t) is
the probability of non-recovery of the diesel generator at time t (see Table 10-53) [10]; $t_0$ is the original time
given for recovery of offsite power (i.e. time to core uncovery, see Section 7.4); $t_1$ is the new (i.e. extended)
time given for recovery of offsite power or the diesel generator, due to simple recovery actions taken in Step
1 (Unit 2 charging cross-connect, gravity feed); $t_2$ is the new (i.e. extended) time given for recovery from
combination of Steps 1 and 2. Step 2 is recovery by reflux cooling bleed path, and further extends the time
available for recovery of offsite power or the diesel generator.

Hardware failures are not included in equation 10.1, because they are included in the rules for recovery action;
otherwise they are small compared to the NRACs and $p$s.

If step 1 does not apply to a cutset (e.g. Unit 2 is having a blackout, and gravity feed does not work in drained
maintenance) then $\eta_1 = 1$; if step 2 does not apply (e.g. steam generator PORVs fail to open), then $\eta_2 = 1$
and $p_2 = 0$; if step 3 does not apply (e.g. in a two Unit blackout), then $p_3 = 1$.

The names of the recovery action basic event have the following form:
R-IEWK-LMN-S1-S3-F
where IE refers to the LOSP initiating event category (e.g. IE = LI or IE = B2); WK refers to the window
(e.g. W2 would be window 2); LMN is a string of 1-3 digits, depending on which steps in the recovery action,
discussed above, are applicable (e.g. 123 means all three steps are applicable, 13 means steps 1 and 3 are
applicable, and 2 means only step 2 is applicable); S1 refers to the type of system used in step 1 (C stands for
charging from Unit 2, G stands for gravity feed); S3 refers to the systems that will be enabled by step 3 in
recovery (A refers to AFW, C refers to forced circulation and recirculation); the last character in the string,
F, appears only in recovery actions that apply to sequences where forced feed and bleed has failed (however,
the recovery action was quantified the same as for other sequences, if everything else was the same).
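
The following Python example is added here and is not part of the report or of the IRRAS code. It applies equations 10.1 to 10.3 and the non-applicability rules to a recovery action named in the R-IEWK-LMN-S1-S3-F form. The NRAC and DG values, the HEPs, the event names, and the assumption that the S1 and S3 fields appear only when steps 1 and 3 are listed in LMN are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional

# R-IEWK-LMN[-S1][-S3][-F]; the five LOSP categories named in the text are L1-L3, B1, B2.
NAME_RE = re.compile(r"^R-(L[1-3]|B[12])W([1-4])-([123]{1,3})((?:-[A-Z])*)$")


@dataclass(frozen=True)
class RecoveryName:
    category: str             # IE: LOSP initiating event category
    window: int               # WK: time window 1-4
    steps: FrozenSet[int]     # LMN: which of steps 1, 2, 3 apply
    s1: Optional[str]         # C = charging from Unit 2, G = gravity feed
    s3: Optional[str]         # A = AFW, C = forced circulation and recirculation
    feed_bleed_failed: bool   # trailing F


def parse_recovery_name(name: str) -> RecoveryName:
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a LOSP recovery event name: {name!r}")
    category, window, lmn, tail = m.groups()
    if list(lmn) != sorted(set(lmn)):
        raise ValueError(f"step digits must be distinct and ascending: {lmn!r}")
    fields = [f for f in tail.split("-") if f]
    s1 = s3 = None
    # Assumption: S1 is present only when step 1 is listed, S3 only when step 3 is.
    if "1" in lmn:
        if not fields or fields[0] not in ("C", "G"):
            raise ValueError(f"step 1 needs S1 = C or G: {name!r}")
        s1 = fields.pop(0)
    if "3" in lmn:
        if not fields or fields[0] not in ("A", "C"):
            raise ValueError(f"step 3 needs S3 = A or C: {name!r}")
        s3 = fields.pop(0)
    if fields not in ([], ["F"]):
        raise ValueError(f"unexpected trailing fields {fields} in {name!r}")
    return RecoveryName(category, int(window), frozenset(int(d) for d in lmn),
                        s1, s3, fields == ["F"])


def eta_factors(nrac, dg, t0, t1, t2):
    """Equations 10.2 and 10.3; returns (eta1, eta2)."""
    eta1 = nrac[t1] * dg[t1] / nrac[t0]
    eta1_eta2 = nrac[t2] * dg[t2] / nrac[t0]
    return eta1, eta1_eta2 / eta1


def r_losp(name: RecoveryName, eta1, eta2, p2, p3):
    """Equation 10.1 with the non-applicability rules applied first."""
    if 1 not in name.steps:
        eta1 = 1.0
    if 2 not in name.steps:
        eta2, p2 = 1.0, 0.0
    elif name.category in ("L1", "L2", "L3"):
        p2 = 0.0   # the reflux bleed path is already in the model for L1-L3
    if 3 not in name.steps:
        p3 = 1.0
    return eta1 * (p2 + (1.0 - p2) * eta2 * p3)


# Constructed sample data (hours -> probability); not the values of Table 4.3-5 or 10-53.
NRAC = {2: 0.5, 6: 0.2, 12: 0.1}
DG = {6: 0.8, 12: 0.6}
P2, P3 = 0.5, 0.1   # constructed HEPs for steps 2 and 3


def quantify(name: str) -> float:
    """Non-recovery probability for one constructed event name."""
    eta1, eta2 = eta_factors(NRAC, DG, t0=2, t1=6, t2=12)
    return r_losp(parse_recovery_name(name), eta1, eta2, P2, P3)


if __name__ == "__main__":
    for n in ("R-B2W2-123-G-A", "R-L1W2-123-C-C-F", "R-B1W3-13-C-A", "R-B1W1-2"):
        print(f"{n:18s} {quantify(n):.4g}")
```

With the constructed inputs, the same time extensions give very different non-recovery probabilities depending on which steps the name declares applicable, which is why the rules take precedence over the tabulated values.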

Tables 10-54 and 10-57 show different steps in the quantification of LOSP recovery actions.

Table 10-54 shows calculation of the $\eta$ parameters in the 4 windows, including the time available for recovery
of offsite power or diesel generators, if various combinations of steps 1 and 2 are successful. The offsite power
non-recovery probability is shown, as well as the diesel generator non-recovery probabilities; these are
combined to show the $\eta$ values as per equations 10.2 and 10.3. If steps 1 and/or 2 do not apply in a certain
situation, the corresponding $\eta$ will be calculated using the procedure above for non-applicability of that step
(i.e. that procedure has precedence over Table 10-54).

Table 10-55 shows the HEP parameter $p_2$ for recovery action in step 2, for the five LOSP categories, and the
4 windows. This action (reflux bleed path) is included in the model for L1, L2 and L3, so $p_2 = 0$ for these
categories. If step 2 does not apply for a certain recovery, the non-applicability procedure above has priority.

Table 10-56 shows the HEP parameter $p_3$. The same caveat as above applies if step 3 does not apply.

Table 10-57 shows the summary of calculation for each recovery action that is used in the LOSP analysis.

The rules for applying recovery actions are shown in Table 10-58.

10.2 Results
Table 10-59 summarizes the results of the event tree quantification, showing the core damage frequency as
a function of the initiating events and POSs taken from Tables 10-1 to 10-48. The frequencies in this table
include the fraction of a year that the plant is in each of the POS. This makes the frequencies additive, i.e.,
the sum of a row or a column is meaningful. POS 6 of a drained maintenance outage (D6) and POS 6 of a
refueling outage are the most dominant POSs. The characteristics of these POSs are high level of decay heat
and a relatively short time available for operator action. In contrast, POS 10 of a refueling outage has a very
low decay heat, and its core-damage frequency is approximately 1 order of magnitude lower.

Table 10-60 shows the core damage frequency as a function of the time windows and POSs. The frequencies
were estimated using the basic event importance measures with respect to the total core damage frequency.
Note that the totals for POSs R10 and D6 differ from those of Table 10-59. This is due to the different
methods used in estimating them. The frequencies in parentheses are the contribution of over-draining events
whose occurrence is modeled by a demand failure probability, while other initiating events are modeled by
failure rates. Table 10-61 lists the estimated fraction of a year that the plant is in each of the time windows
and POSs. It is obtained by multiplying the fraction of a year that the plant is in a POS by the conditional
probability (Table 9.3-3) that the initiating event occurs in the time window given it occurred in the POS. The
fraction of a year that the plant spent in a given POS is the frequency of the POS times its mean duration.
Table 10-62 lists the conditional core damage frequency as a function of the time windows and POSs.
Conditional core damage frequency is the rate at which core damage occurs given that the plant is in the time
window of the POS. It is obtained by dividing the core damage frequency (minus the contribution of
over-draining events) of Table 10-60 by the fraction of Table 10-61. The numbers in parentheses are the conditional
probability of core damage due to over-draining, given that the plant reaches mid-loop in the time window
of the given POS. This probability is the ratio of the frequency of core damage due to over-draining listed
in Table 10-60 and the frequency that the plant reaches mid-loop in the time window of the given POS. The
latter is the frequency of the POS times the conditional probability of the time window for the given POS.

The conditional core damage frequency/probability is a measure that can be used to compare the vulnerability
of the time windows and POSs with respect to core damage. It can be seen, from Table 10-62, that for each
POS the conditional core damage frequency decreases with time window. This is due to the relaxed success
criteria and more time available for operator actions. The same is true of the conditional probability of core
damage due to over-draining (with the exception for R10 discussed in the next paragraph). The conditional
core damage frequency/probability for R6 or R10 is higher than that of D6 mainly because the RCS loops
have a high probability of being isolated in a refueling outage; that makes reflux cooling impossible. For
example, in window 1, the probability that the loops are isolated in a refueling outage is 0.3, and the
probability that reflux cooling fails in a drained maintenance outage is 0.1 (modeled as a recovery action). The
difference between R6 and R10 in windows 3 and 4 is due to the difference in maintenance unavailabilities.

Two reversals of the expected trend occur in Table 10-62. First, the conditional core damage probability for
window 4 of R6 is zero, while that for D6 is not. It is zero because the core damage frequency due to
over-draining, listed in Table 10-60, is zero. The core damage frequency due to over-draining is zero because no
cutsets survived truncation (at 1.00E-10 per year). If a lower truncation limit is used, then the core damage
frequency due to over-draining would not be zero. As a result, the conditional probability of core damage
would be non-zero and is expected to be higher than that of D6. The second reversal is in the conditional
probability of core damage for windows 3 and 4 of R10. This is also caused by the error introduced by the
truncation limit used. A lower truncation limit shows that the conditional probability of core damage for
window 3 is, as expected, higher than that for window 4.

The total and sub-totals in Table 10-62 represent the averaged conditional core damage frequency/probability.
For example, the averaged conditional core damage frequency for R6 is 8.09E-05 per year, while that for D6
is 8.55E-05 per year. This means that the plant is better off if in R6, given it is at mid-loop. This does not
contradict the comparison made earlier for a given time window of the POSs, because given that the plant is in
D6 the plant is more likely to be in the earlier time windows that have higher conditional core damage
frequency. The averaged conditional core damage frequency over the POSs, shown in the rightmost column
of Table 10-62, does show the trend of decreasing with decay heat. The reversed trend for the averaged
conditional core damage probability for windows 3 and 4 is caused by the same error introduced by truncation
that made the trend reversed for the conditional core damage probability of R10 in windows 3 and 4.

Below we discuss some of the results:

Human Errors- We found that operator failure is the dominant cause of core damage. In particular, failure
to diagnose, such that the correct actions are not taken to prevent core damage, is the most important
operator error. It occurs in many different initiating events, time windows, and POSs, and contributes
approximately 56% of the total core-damage frequency. Failure to diagnose is assumed to lead directly to core
damage. It represents the inability of the operator to use the information available and determine the proper
corrective actions. It is recognized that the quantification of such human errors has a very large uncertainty;
an error factor of 20 was used in the uncertainty analysis.

Isolation of Reactor Coolant Loops- Review of the plant shutdown experience indicated that the reactor
coolant loops are isolated for an extended period in a refueling outage. This practice makes the steam
generators unavailable for removing decay heat upon loss of RHR. In a cold shutdown condition, the steam
generators are usually maintained in the wet lay-up condition with the secondary side filled with water. During
mid-loop operation, the availability of the SGs makes reflux cooling a possible way to mitigate a loss of RHR;
it might be the only mitigation function available in a station blackout. In this study, we found that isolation
of the RCS loops is an important contributor to core damage frequency, being responsible for approximately
22% of the total core-damage frequency.

Plugging the Containment Sump When Recirculation Is Needed- Due to the activities inside the containment,
transient material and equipment are brought in. For example, large plastic Herculite sheets are often used
to separate work areas from the rest of the containment. When an accident requiring recirculation from the
containment sump occurs, as is the case in time windows 1 and 2, this material would increase the chance that
the containment sump would be blocked. In this study, the probability of the sump plugging was assumed to
be 0.01 and 0.1 for time windows 1 and 2, respectively. It contributed to approximately 11% of the total core-
damage frequency.

10.3 Descriptions of Dominant Core Damage Cutsets


The following are the descriptions of those cutsets whose frequency is above 1.0E-07 per year:

1. 2.203E-007 PROB-W2D6, FREQ-L1, DR-MT, DURATION-D6, D-L1W2-XHE, /NRAC262

In this cutset, a loss of offsite power event (FREQ-L1) occurs in time window 2 (PROB-W2D6) of a drained
maintenance outage (DR-MT) and diesel generators 1 and 3 start and feed the two unit 1 emergency buses
1H and 1J (FREQ-L1). Because offsite power is lost, the stub bus that supplies power to the normally running
RHR pump is shed and will not be automatically connected to the emergency bus. The component cooling
water system would stop functioning for the same reason. Loss of offsite power also causes loss of motive
power of the normally running service-air compressor. The instrument air compressor also will lose its cooling
due to loss of power to the bearing cooling water system. Loss of instrument air causes the RHR flow control
valve to open fully, and the CCW 109A and B valves in the CCW flow paths to the RHR pumps and RHR
heat exchangers to close.

In this cutset, the operators fail to diagnose (D-L1W2-XHE) the accident scenario correctly, and fail to decide
on the proper corrective actions to mitigate the accident. As a result, core damage occurs even if the offsite
power is recovered (/NRAC262).

2. 2.074E-007 PROB-W3D6, FREQ-L1, DR-MT, DURATION-D6, D-L1W3-XHE, /NRAC346

This cutset is the same as cutset number 1, except that it occurs in time window 3 (PROB-W3D6) instead of
2.

3. 1.697E-007 PROB-W2D6, DR-MT, DURATION-D6, D-SIW2-XHE, FREQ-SI

In this cutset, a spurious safety-injection signal (FREQ-SI) occurs in time window 2 (PROB-W2D6) of a drained
maintenance outage (DR-MT). As a result, the CCW 109A and B valves close automatically and shut off the
CCW flow to the RHR heat exchangers and RHR pumps. The operators fail to diagnose (D-SIW2-XHE) the
scenario correctly, and fail to decide on the proper corrective actions. As a result, the core is damaged.

4. 1.464E-007 FREQ-RHR3, PROB-W1D6, DR-MT, DURATION-D6, LPR-CCF-PG-SUMP1,
R-A3W1D6-XHE-C

In this cutset, a loss of RHR event (FREQ-RHR3) occurs in time window 1 (PROB-W1D6) of a drained
maintenance outage (DR-MT) and is not recoverable within the time available. Insufficient steam generators
are available for reflux cooling in time window 1 of a drained maintenance outage because 1 steam generator
is assumed to be unavailable due to maintenance and 3 are needed. Because studies have shown that 1 steam
generator is enough for all decay-heat levels, a recovery action (R-A3W1D6-XHE-C) with failure probability
of 0.1 is used to take some credit for reflux cooling. With reflux cooling failed, the operators use
feed-and-spill to remove decay heat. This mode of cooling lasts approximately 10 hours until the RWST inventory
becomes low. Then, the operators switch to recirculation from the containment sump. Recirculation fails
because the containment sump is plugged (LPR-CCF-PG-SUMP1) by transient material inside the
containment. As a result, core damage occurs.

5. 1.460E-007 PROB-W3D6, DR-MT, DURATION-D6, D-SIW3-XHE, FREQ-SI

This cutset is the same as cutset 3, except that it occurs in time window 3 (PROB-W3D6) instead of 2.

6. 1.237E-007 PROB-W1D6, FREQ-L1, D-L1W1-XHE, DR-MT, DURATION-D6, /NRAC200

This cutset is the same as cutset 1, except that it occurs in time window 1 (PROB-W1D6) instead of 2.

7. 1.216E-007 REFUEL, DURATION-R6, /PZR-SV-REMOVEDW2, PROB-W2R6, FREQ-L1,
D-L1W2-XHE, /NRAC262

This cutset is the same as cutset 1, except that it occurs in a refueling outage (REFUEL) instead of a drained
maintenance outage.

8. 1.077E-007 FREQ-CCW, H-CCW-REC-W1, PROB-W1D6, LPR-CCF-PG-SUMP1, DR-MT,
DURATION-D6, R-W1D6-XHE-C-A3

This cutset is the same as cutset 4, except that the initiating event is a loss of CCW (FREQ-CCW) that is not
recovered (FREQ-CCW) instead of loss of RHR.

10.4 References

1. "Background and Guidance For Ensuring Adequate Decay Heat Removal when RCS Loop stop valves are
closed, Surry and North Anna Power Stations," NE Technical Report No. 865, Rev. 1, Virginia Power, June
1992.
2. "Loss of Decay Heat Removal Capability," Virginia Power Surry Power Station, Abnormal Procedure 1-AP-27.00,
Revision 4, February 15, 1993.
3. Naff, S.A., et al., "Thermal Hydraulic Processes During Reduced Inventory Operation with Loss of
Residual Heat Removal," Idaho National Engineering Laboratory, NUREG/CR-5855, April 1992.
4. Fletcher, C.D., et al., "Thermal-Hydraulic Processes Involved in Loss of Residual Heat Removal During
Mid-Loop Operation," EGG-East-9337, Idaho National Engineering Laboratory, October 1990.
5. Wald, L.W., et al., "Consequence of the Loss of Residual Heat Removal Systems in Pressurized Water
Reactors," Idaho National Engineering Laboratory, NUREG/CR-5820, May 1992.
6. T.S. Audreycheck, et al., "Loss of RHRs Cooling while the RCS is partially filled," WCAP-11916,
Westinghouse Electric Corporation, July 1988.
7. "FERMI 2 - Level 1 Probabilistic Risk Assessment," Pickard, Lowe, and Garrick, Inc., PLG-0676, January
1989.
8. Virginia Power Company, "Main Steam Supply System," Nuclear Control Room Operator Development
Program, Surry Power Station, module NCRODP-23.
9. Virginia Power Company, "Vital and Emergency Electrical Distribution System," Nuclear Control Room
Operator Development Program, Surry Power Station, module NCRODP-35, May 1990.
10. Consolidated Edison Company of New York, Inc. & Power Authority of the State of New York, "Indian
Point Probabilistic Safety Study," Volume 1, Section 1.3, 1982.

[Figure: event tree with column headings MOV1862B, OPEN-MOV HEP, REFLUX, SEQ, END-STATE]

Prob(Failure) = 0.9 * 4.2E-03 * 0.1 + 0.1 * 0.1 = 1.04E-02

Figure 10-1 An Example Event Tree to Calculate Recovery Event Probability


[Figure: drawing of the main steam non-return valve; labels: stem, equalizing line, body, out]

Figure 10-2 Main Steam Non-Return Valve
[Figure: one-line diagram showing the Unit 1 and Unit 2 station service transformers, the reserve station service transformers, the station service buses, the diesel generators and the 1H, 1J, 2J and 2H emergency buses with their tie breakers]

Figure 10-3 Surry Station 4kV Electrical Distribution System

Table 10-1

Core Damage Frequencies of Loss RHR Event Trees RAW#R6
Over-Draining in POS 6 of Refueling

Event Tree   Sequence   Core Damage Frequency-   Core Damage Frequency
                        No Recovery (Per Year)   with Recovery (Per Year)
RAW1R6       4          -                        -
             5          -                        -
             6          -                        -
             9          4.070E-08                2.998E-08
             10         -                        -
             12         -                        -
             13         -                        -
             14         -                        -
             17         1.848E-10                1.848E-10
             18         1.189E-08                8.722E-09
RAW2R6       4          4.746E-10                -
             5          -                        -
             6          -                        -
             9          1.307E-07                1.270E-08
             10         -                        -
             12         -                        -
             13         -                        -
             14         8.576E-09                3.629E-09
             17         -                        -
             18         1.537E-07                8.591E-08
RAW3R6       4          -                        -
             5          -                        -
             7          -                        -
             9          -                        -
             10         6.305E-08                3.223E-08
             12         5.249E-09                1.857E-09
RAW4R6       5          -                        -
             8          -                        -
             11         -                        -
             14         1.075E-10                -
TOTAL                   4.146E-07                1.752E-07

Table 10-2

Core Damage Frequencies of Loss RHR Event Tree RBW#R6
Inventory Problem in POS 6 of Refueling

Event Tree   Sequence   Core Damage Frequency-   Core Damage Frequency
                        No Recovery (Per Year)   with Recovery (Per Year)
RBW1R6       4          -                        -
             5          -                        -
             6          -                        -
             9          7.127E-10                6.050E-10
             10         -                        -
             12         -                        -
             13         -                        -
             14         -                        -
             17         -                        -
             18         4.398E-10                4.398E-10
RBW2R6       4          -                        -
             5          -                        -
             6          -                        -
             9          1.608E-08                1.289E-09
             10         -                        -
             12         -                        -
             13         -                        -
             14         8.742E-10                2.412E-10
             17         -                        -
             18         1.898E-08                9.728E-09
RBW3R6       4          -                        -
             5          -                        -
             7          -                        -
             9          -                        -
             10         1.749E-08                8.145E-09
             12         1.434E-09                3.642E-10
RBW4R6       5          -                        -
             7          -                        -
             10         1.898E-10                -
             12         5.549E-10                -
TOTAL                   5.675E-08                2.081E-08

Table 10-3

Core Damage Frequencies of Loss RHR Event Tree R3W#R6
Non-Recoverable Loss of RHR in POS 6 of Refueling

Event Tree   Sequence   Core Damage Frequency-   Core Damage Frequency
                        No Recovery (Per Year)   with Recovery (Per Year)
R3W1R6       3          2.229E-09                1.414E-09
             4          -                        -
             5          -                        -
             8          1.125E-07                7.709E-08
             9          3.311E-10                3.311E-10
R3W2R6       3          9.696E-09                3.305E-09
             4          -                        -
             5          2.915E-10                2.915E-10
             8          2.980E-07                5.575E-08
             9          8.797E-09                8.797E-09
R3W3R6       3          -                        -
             4          6.330E-09                6.330E-09
             6          5.425E-10                5.425E-10
R3W4R6       4          -                        -
             6          1.485E-10                1.485E-10
TOTAL                   4.388E-07                1.540E-07

Table 10-4

Core Damage Frequencies of Loss RHR Event Tree R4W#R6
Non-Recoverable Loss of Operating Train of RHR in POS 6 of Refueling

Event Tree   Sequence   Core Damage Frequency-No Recovery (Per Year)   Core Damage Frequency with Recovery (Per Year)
R4W1R6 4 - -
5 - -
6 - -
9 2.739E-09 2.159E-09
10 1.903E-10 1.903E-10
R4W2R6 4 1.355E-10 -
5 - -
6 1.044E-10 1.044E-10
9 1.158E-08 1.333E-09
10 2.095E-09 2.095E-09
R4W3R6 4 - -
5 1.533E-09 1.533E-09
7 1.576E-10 1.576E-10
R4W4R6 5 - -
7 - -
TOTAL 1.853E-08 7.572E-09

Table 10-5

Core Damage Frequencies of Loss RHR Event Tree R5W#R6
Recoverable Loss of RHR in POS 6 of Refueling

Event Tree   Sequence   Core Damage Frequency-No Recovery (Per Year)   Core Damage Frequency with Recovery (Per Year)
R5W1R6 4 - -

5 - -

6 - -

9 1.442E-09 1.051E-09
10 1.171E-09 1.171E-09
R5W2R6 4 - -

5 - -

6 9.863E-10 9.863E-10
9 2.897E-08 2.240E-09
10 1.938E-08 1.906E-08
R5W3R6 4 - -

5 1.370E-08 1.356E-08
7 1.489E-09 1.489E-09
R5W4R6 5 - -

7 - -

TOTAL 6.713E-08 3.955E-08

Table 10-6

Core Damage Frequencies of Loss RHR Event Tree RAW#D6
Over-Draining in POS 6 of Drained Maintenance

Event Tree   Sequence   Core Damage Frequency-No Recovery (Per Year)   Core Damage Frequency with Recovery (Per Year)
RAW1D6 4 1.001E-06 7.082E-08
5 1.199E-09 -

7 1.646E-08 8.617E-10
8 2.472E-07 9.536E-08
RAW2D6 5 8.806E-08 1.522E-08
6 - -

8 - -

10 6.149E-08 5.103E-08
RAW3D6 5 - -

8 2.744E-08 2.316E-08
RAW4D6 5 - -

8 5.559E-10 5.559E-10
TOTAL 1.443E-06 2.570E-07

Table 10-7

Core Damage Frequencies of Loss RHR Event Tree RBW#D6
Inventory Problem in POS 6 of Drained Maintenance

Event Tree   Sequence   Core Damage Frequency-No Recovery (Per Year)   Core Damage Frequency with Recovery (Per Year)
RBW1D6 4 6.308E-08 2.839E-09
5 - -

7 1.018E-09 -

8 1.613E-08 6.746E-09
RBW2D6 5 1.395E-08 2.335E-09
6 - -

9 - -

10 1.070E-08 9.101E-09
RBW3D6 5 - -

8 8.935E-09 7.734E-09
RBW4D6 5 - -

8 2.956E-10 2.956E-10
TOTAL 1.141E-07 2.905E-08

Table 10-8

Core Damage Frequencies of Loss RHR Event Tree R3W#D6
Non-Recoverable Loss of RHR in POS 6 of Drained Maintenance

Event Tree   Sequence   Core Damage Frequency-No Recovery (Per Year)   Core Damage Frequency with Recovery (Per Year)
R3W1D6 3 3.888E-06 2.731E-07
4 1.405E-08 4.150E-09
R3W2D6 4 1.020E-07 1.295E-08
5 4.877E-09 4.877E-09
R3W3D6 4 4.055E-09 4.055E-09
R3W4D6 4 - -

TOTAL 4.013E-06 2.991E-07

Table 10-9

Core Damage Frequencies of Loss RHR Event Tree R4W#D6
Non-Recoverable Loss of Operating Train of RHR in POS 6 of Drained Maintenance

Event Tree   Sequence   Core Damage Frequency-No Recovery (Per Year)   Core Damage Frequency with Recovery (Per Year)
R4W1D6 4 1.943E-07 1.262E-08
5 3.499E-09 2.835E-09
R4W2D6 5 5.550E-09 9.119E-10
6 3.592E-09 3.592E-09
R4W3D6 5 3.090E-09 3.090E-09
R4W4D6 5 1.279E-10 1.279E-10
TOTAL 2.101E-07 2.317E-08

Table 10-10

Core Damage Frequencies of Loss RHR Event Tree R5W#D6
Recoverable Loss of RHR in POS 6 of Drained Maintenance

Event Tree   Sequence   Core Damage Frequency-No Recovery (Per Year)   Core Damage Frequency with Recovery (Per Year)
R5W1D6 4 1.140E-07 6.060E-09
5 1.756E-08 1.745E-08
R5W2D6 5 2.507E-08 4.275E-09
6 3.510E-08 3.452E-08
R5W3D6 5 3.019E-08 2.969E-08
R5W4D6 5 5.137E-10 5.137E-10
TOTAL 2.224E-07 9.250E-08

Table 10-11

Core Damage Frequencies of Loss RHR Event Tree RAW#R10
Over-Draining in POS 10 of Refueling

Event Tree   Sequence   Core Damage Frequency-No Recovery (Per Year)   Core Damage Frequency with Recovery (Per Year)
RAW3R10 4 - -

5 - -

7 - -

9 - -

10 1.355E-09 1.095E-09
12 - -

RAW4R10 5 - -

8 - -

11 2.344E-08 1.928E-08
14 5.841E-08 3.226E-08
TOTAL 8.320E-08 5.263E-08

Table 10-12

Core Damage Frequencies of Loss RHR Event Tree RBW#R10
Inventory Problem in POS 10 of Refueling

Event Tree   Sequence   Core Damage Frequency-No Recovery (Per Year)   Core Damage Frequency with Recovery (Per Year)
RBW3R10 4 - -

5 - -

7 - -
9 - -

10 2.399E-10 2.399E-10
12 - -

RBW4R10 5 - -

7 - -

10 6.671E-09 5.376E-09
12 1.799E-08 1.483E-08
TOTAL 2.490E-08 2.044E-08

Table 10-13

Core Damage Frequencies of Loss RHR Event Tree R3W#R10
Non-Recoverable Loss of RHR in POS 10 of Refueling

Event Tree   Sequence   Core Damage Frequency-No Recovery (Per Year)   Core Damage Frequency with Recovery (Per Year)
R3W3R10 3 - -

4 - -

6 - -

R3W4R10 4 2.203E-09 2.203E-09


6 6.188E-09 6.188E-09
TOTAL 8.391E-09 8.391E-09

Table 10-14

Core Damage Frequencies of Loss RHR Event Tree R4W#R10
Non-Recoverable Loss of Operating Train of RHR in POS 10 of Refueling

Event Tree   Sequence   Core Damage Frequency-No Recovery (Per Year)   Core Damage Frequency with Recovery (Per Year)
R4W3R10 4 - -

5 - -

7 - -

R4W4R10 5 2.283E-10 2.283E-10


7 9.618E-10 9.618E-10
TOTAL 1.190E-09 1.190E-09

Table 10-15

Core Damage Frequencies of Loss RHR Event Tree R5W#R10

Event Tree   Sequence   Core Damage Frequency-No Recovery (Per Year)   Core Damage Frequency with Recovery (Per Year)
R5W3R10 4 - -

5 4.879E-10 4.879E-10
7 - -

R5W4R10 5 1.138E-09 1.033E-09


7 2.942E-09 2.542E-09
TOTAL 4.567E-09 4.062E-09

Table 10-16

Core Damage Frequencies of Loss of Offsite Power for Event Tree L1W#D6

Event Tree   Sequence   Core Damage Frequency-No Recovery (Per Year)   Core Damage Frequency with Recovery (Per Year)
L1W1D6 4 1.163E-07 3.925E-09
5 1.827E-07 1.242E-07
7 3.471E-08 1.596E-09
8 5.846E-08 5.846E-08
L1W2D6 5 6.836E-09 2.664E-09
6 2.977E-07 2.202E-07
9 2.153E-10 2.153E-10
10 7.738E-08 7.738E-08
L1W3D6 5 2.560E-07 2.073E-07
8 4.864E-08 4.864E-08
L1W4D6 5 1.092E-08 9.393E-09
8 1.529E-09 1.529E-09
TOTAL 1.091E-06 7.555E-07

Table 10-17

Core Damage Frequencies of Loss of Offsite Power for Event Tree L1W#R6

Event Tree   Sequence   Core Damage Frequency-No Recovery (Per Year)   Core Damage Frequency with Recovery (Per Year)
L1W1R6 4 - -

5 - -

6 1.233E-10 -

8 - -

9 - -

10 - -

13 1.515E-09 1.030E-09
14 1.221E-08 8.304E-09
17 6.908E-10 6.908E-10
18 3.908E-09 3.908E-09
L1W2R6 4 - -

5 - -

6 8.649E-09 6.400E-09
8 - -

9 - -

10 2.248E-09 2.248E-09
13 9.092E-09 5.468E-09
14 1.643E-07 1.216E-07
17 6.867E-10 6.867E-10
18 4.272E-08 4.272E-08
L1W3R6 4 - -

5 1.175E-07 9.521E-08
7 - -

8 2.233E-08 2.233E-08

10 1.306E-08 1.058E-08
12 2.481E-09 2.481E-09
L1W4R6 5 7.221E-10 6.210E-10
8 1.010E-10 1.010E-10
10 1.684E-09 1.449E-09
12 2.358E-10 2.358E-10
TOTAL 4.042E-07 3.260E-07

Table 10-18

Core Damage Frequencies of Loss of Offsite Power for Event Tree L1W#R10

Event Tree   Sequence   Core Damage Frequency-No Recovery (Per Year)   Core Damage Frequency with Recovery (Per Year)
L1W3R10 4 - -

5 4.279E-09 3.466E-09
7 - -

8 8.130E-10 8.130E-10
10 4.754E-10 3.851E-10
12 - -

L1W4R10 5 1.949E-08 1.676E-08


8 2.729E-09 2.729E-09
10 4.548E-08 3.911E-08
12 6.367E-09 6.367E-09
TOTAL 7.963E-08 6.963E-08

Table 10-19

Core Damage Frequencies of Loss of Offsite Power for Event Tree L2W#D6

Event Tree   Sequence   Core Damage Frequency-No Recovery (Per Year)   Core Damage Frequency with Recovery (Per Year)
L2W1D6 4 1.074E-08 2.870E-10
5 2.637E-08 1.793E-08
7 7.541E-07 1.153E-09
8 1.203E-07 8.766E-09
L2W2D6 5 5.478E-10 5.478E-10
6 7.274E-08 5.383E-08
9 6.870E-07 1.839E-09
10 1.507E-07 1.911E-08
L2W3D6 5 6.256E-08 5.067E-08
8 9.101E-08 1.188E-08
L2W4D6 5 1.623E-09 1.396E-09
8 1.022E-09 1.022E-09
TOTAL 1.978E-06 1.684E-07

Table 10-20

Core Damage Frequencies of Loss of Offsite Power for Event Tree L2W#R6

Event Tree   Sequence   Core Damage Frequency-No Recovery (Per Year)   Core Damage Frequency with Recovery (Per Year)
L2W1R6 4 - -

5 - -

6 - -

8 1.536E-10 1.536E-10
9 - -

10 - -

13 - -

14 1.770E-09 1.204E-09
17 5.767E-08 -

18 5.840E-09 5.840E-09
L2W2R6 4 - -

5 - -

6 2.113E-09 1.564E-09
8 1.771E-09 1.771E-09
9 - -

10 7.062E-09 7.062E-09
13 5.660E-10 1.012E-10
14 4.016E-08 2.972E-08
17 5.213E-07 2.469E-09
18 1.379E-07 1.094E-08
L2W3R6 4 - -

5 2.873E-08 2.327E-08
7 - -

8 7.877E-08 5.458E-09

10 3.192E-09 2.585E-09
12 7.933E-09 7.933E-09
L2W4R6 5 1.073E-10 -

8 1.069E-09 1.069E-09
10 2.504E-10 2.153E-10
12 2.750E-09 2.750E-09
TOTAL 8.991E-07 1.041E-07

Table 10-21

Core Damage Frequencies of Loss of Offsite Power for Event Tree L2W#R10

Event Tree   Sequence   Core Damage Frequency-No Recovery (Per Year)   Core Damage Frequency with Recovery (Per Year)
L2W3R10 4 - -

5 1.045E-09 8.471E-10
7 - -

8 2.302E-09 2.302E-09
10 1.162E-10 -

12 1.449E-10 1.449E-10
L2W4R10 5 2.897E-09 2.491E-09
8 3.795E-08 4.056E-10
10 6.760E-09 5.813E-09
12 9.066E-08 9.464E-10
TOTAL 1.418E-07 1.295E-08

Table 10-22

Core Damage Frequencies of Loss of Offsite Power for Event Tree L3W#D6

Event Tree   Sequence   Core Damage Frequency-No Recovery (Per Year)   Core Damage Frequency with Recovery (Per Year)
L3W1D6 4 3.317E-10 1.484E-10
5 5.865E-09 3.988E-09
7 5.162E-08 3.273E-08
8 4.083E-08 2.060E-08
L3W2D6 5 - -

6 9.658E-09 7.146E-09
9 6.827E-08 1.268E-08
10 3.237E-08 8.806E-09
L3W3D6 5 8.306E-09 6.728E-09
8 1.994E-08 5.535E-09
L3W4D6 5 3.441E-10 2.959E-10
8 - -

TOTAL 2.375E-07 9.865E-08

Table 10-23

Core Damage Frequencies of Loss of Offsite Power for Event Tree L3W#R6

Event Tree   Sequence   Core Damage Frequency-No Recovery (Per Year)   Core Damage Frequency with Recovery (Per Year)
L3W1R6 4 - -

5 - -

6 - -

8 - -

9 - -

10 - -

13 - -

14 2.677E-10 2.677E-10
17 3.455E-09 3.455E-09
18 1.147E-09 1.147E-09
L3W2R6 4 - -

5 - -

6 2.806E-10 2.806E-10
8 - -

9 - -

10 1.638E-09 1.638E-09
13 - -

14 5.332E-09 5.332E-09
17 5.305E-08 1.248E-08
18 3.051E-08 7.396E-09
L3W3R6 4 - -

5 3.814E-09 3.089E-09
7 - -

8 1.892E-08 4.428E-09

10 4.238E-10 3.433E-10
12 1.808E-09 1.808E-09
L3W4R6 5 - -

8 1.588E-10 1.588E-10
10 - -

12 5.428E-10 5.428E-10
TOTAL 1.213E-07 4.236E-08

Table 10-24

Core Damage Frequencies of Loss of Offsite Power for Event Tree L3W#R10

Event Tree   Sequence   Core Damage Frequency-No Recovery (Per Year)   Core Damage Frequency with Recovery (Per Year)
L3W3R10 4 - -

5 1.388E-10 1.124E-10
7 - -

8 5.505E-10 5.505E-10
10 - -

12 - -

L3W4R10 5 6.142E-10 5.282E-10


8 8.081E-09 8.081E-09
10 1.433E-09 1.232E-09
12 2.004E-08 2.076E-09
TOTAL 3.085E-08 1.258E-08

Table 10-25

Core Damage Frequencies of Unit-1 Blackout for Event Tree B1W#D6

Event Tree   Sequence   Core Damage Frequency-No Recovery (Per Year)   Core Damage Frequency with Recovery (Per Year)
B1W1D6 2-3 1.735E-08 6.177E-10
2-4 - -

3 2.236E-07 4.405E-10
4 9.950E-08 9.611E-08
B1W2D6 2-4 1.235E-10 -

2-5 - -

4 6.771E-07 2.906E-09
5 7.981E-08 4.719E-08
B1W3D6 2-4 - -

5 4.993E-08 2.168E-08
B1W4D6 2-4 - -

5 1.354E-09 1.354E-09
TOTAL 1.148E-06 1.703E-07

Table 10-26

Core Damage Frequencies of Unit-1 Blackout for Event Tree B1W#R6

Event Tree   Sequence   Core Damage Frequency-No Recovery (Per Year)   Core Damage Frequency with Recovery (Per Year)
B1W1R6 2-3 - -

2-4 - -

2-5 - -

3 1.516E-10 1.516E-10
4 - -

5 - -

6-8 - -

6-9 - -

8 1.501E-08 1.621E-10
9 6.530E-09 6.530E-09
B1W2R6 2-3 - -

2-4 - -

2-5 - -

3 1.967E-08 -

4 - -

5 2.105E-09 2.105E-09
6-8 - -

6-9 - -

8 3.738E-07 1.604E-09
9 4.386E-08 2.605E-08
B1W3R6 2-3 - -

2-4 - -

4 - -

5 2.285E-08 8.530E-09

6-6 - -

8 2.323E-09 2.323E-09
B1W4R6 2-4 - -

5 - -

6-6 - -

8 - -

TOTAL 4.863E-07 4.745E-08

Table 10-27

Core Damage Frequencies of Unit-1 Blackout for Event Tree B1W#R10

Event Tree   Sequence   Core Damage Frequency-No Recovery (Per Year)   Core Damage Frequency with Recovery (Per Year)
B1W3R10 2-3 - -

2-4 - -

4 - -

5 7.042E-10 7.042E-10
6-6 - -

8 - -

B1W4R10 2-4 - -

5 3.015E-09 3.015E-09
6-6 - -

8 7.035E-09 7.035E-09
TOTAL 1.075E-08 1.075E-08

Table 10-28

Core Damage Frequencies of 2-Units Blackout for Event Tree B2W#D6

Event Tree   Sequence   Core Damage Frequency-No Recovery (Per Year)   Core Damage Frequency with Recovery (Per Year)
B2W1D6 2-3 2.658E-09 1.634E-09
2-4 - -

3 3.628E-08 3.628E-08
B2W2D6 2-4 - -

2-5 - -

3 1.098E-07 4.745E-08
B2W3D6 2-4 - -

3 6.904E-08 2.126E-08
B2W4D6 2-4 - -

3 9.768E-09 2.041E-09
TOTAL 2.275E-07 1.086E-07

Table 10-29

Core Damage Frequencies of 2-Units Blackout for Event Tree B2W#R6

Event Tree   Sequence   Core Damage Frequency-No Recovery (Per Year)   Core Damage Frequency with Recovery (Per Year)
B2W1R6 2-3 - -

2-4 - -

2-5 - -

3 - -

4 - -

5-8 - -

5-9 - -

6 2.435E-09 2.435E-09
B2W2R6 2-3 - -

2-4 - -

2-5 - -

3 3.192E-09 3.192E-09
4 - -

5-8 - -

5-9 - -

6 6.065E-08 2.620E-08
B2W3R6 2-3 - -

2-4 - -

3 5.548E-08 5.548E-10
4 2.346E-10 2.346E-10
5-6 - -

6 3.523E-09 3.523E-09
B2W4R6 2-4 - -

4 - -

5-6 - -

6 1.506E-09 1.506E-09
TOTAL 7.209E-08 3.764E-08

Table 10-30

Core Damage Frequencies of 2-Units Blackout for Event Tree B2W#R10

Event Tree   Sequence   Core Damage Frequency-No Recovery (Per Year)   Core Damage Frequency with Recovery (Per Year)
B2W3R10 2-3 - -

2-4 - -

3 1.154E-09 1.154E-09
4 - -

5-6 - -

6 1.282E-10 1.282E-10
B2W4R10 2-4 - -

4 - -

5-6 - -

6 4.067E-08 4.067E-08
TOTAL 4.195E-08 4.195E-08

Table 10-31

Core Damage Frequencies of Loss of 4KV Event Tree 4KW#D6

Event Tree   Sequence   Core Damage Frequency - No Recovery (Per Year)   Core Damage Frequency with Recovery (Per Year)
4KW1D6 4 1.130E-07 6.002E-09
5 1.830E-08 1.729E-08
8 1.103E-06 1.095E-07
9 7.963E-08 7.343E-09
4KW2D6 5 2.484E-08 -
6 3.477E-08 3.420E-08
10 1.740E-06 1.453E-08
11 4.571E-08 1.303E-08
4KW3D6 5 3.002E-08 2.941E-08
9 1.887E-08 7.108E-09
4KW4D6 5 5.089E-10 5.089E-10
9 1.779E-09 1.093E-09
TOTAL 3.210E-06 2.400E-07

Table 10-32

Core Damage Frequencies of Loss of 4KV Event Tree 4KW#R6

Event Tree   Sequence   Core Damage Frequency - No Recovery (Per Year)   Core Damage Frequency With Recovery (Per Year)
4KW1R6 4 - -

5 - -

6 - -

9 1.428E-09 1.041E-09
10 1.160E-09 1.160E-09
13 - -

14 - -

15 - -

18 7.201E-08 3.438E-08
19 3.358E-09 1.397E-09
4KW2R6 4 - -

5 - -

6 9.770E-10 9.770E-10
9 2.869E-08 -

10 1.920E-08 1.888E-08
13 9.056E-09 -

14 - -

15 8.723E-10 8.723E-10
18 1.907E-06 2.926E-08
19 4.421E-08 2.855E-08
4KW3R6 4 - -

5 1.357E-08 1.343E-08
7 1.475E-09 1.475E-09
10 - -

11 8.397E-09 8.397E-09

13 9.119E-10 9.119E-10
4KW4R6 5 - -

7 - -

11 - -

13 - -

TOTAL 2.112E-06 1.407E-07

Table 10-33

Core Damage Frequencies of Loss of 4KV Event Tree 4KW#R10

Event Tree   Sequence   Core Damage Frequency - No Recovery (Per Year)   Core Damage Frequency with Recovery (Per Year)
4KW3R10 4 - -

5 4.833E-10 4.833E-10
7 - -

10 - -

11 - -

13 - -

4KW4R10 5 1.127E-09 1.024E-09


7 2.915E-09 2.518E-09
11 3.805E-09 3.805E-09
13 1.090E-08 1.090E-08
TOTAL 1.923E-08 1.873E-08

Table 10-34

Core Damage Frequencies of Inadvertent SI Signal - SIW#D6

Event Tree   Sequence   Core Damage Frequency - No Recovery (Per Year)   Core Damage Frequency with Recovery (Per Year)
SIW1D6 4 6.234E-07 4.309E-08
5 9.707E-08 8.739E-08
8 1.644E-06 1.220E-07
9 4.692E-08 3.133E-08
SIW2D6 5 1.434E-07 6.140E-10
6 1.786E-07 1.753E-07
10 3.122E-08 -

11 3.876E-08 3.798E-08
SIW3D6 5 1.545E-07 1.509E-07
9 2.415E-08 2.375E-08
SIW4D6 5 3.533E-09 3.052E-09
9 3.339E-10 3.339E-10
TOTAL 2.985E-06 6.757E-07

Table 10-35

Core Damage Frequencies of Inadvertent SI Signal - SIW#R6

Event Tree   Sequence   Core Damage Frequency - No Recovery (Per Year)   Core Damage Frequency with Recovery (Per Year)
SIW1R6 4 - -

5 - -

6 - -

9 1.604E-08 1.127E-08
10 5.859E-09 5.859E-09
13 2.714E-10 2.714E-10
14 - -
15 - -

18 4.366E-08 3.355E-08
19 2.158E-09 2.158E-09
SIW2R6 4 1.553E-09 -

5 - -

6 4.931E-09 4.931E-09
9 1.606E-07 1.615E-09
10 9.760E-08 9.611E-08
13 2.823E-09 -

14 - -

15 1.084E-09 1.084E-09
18 6.419E-08 2.899E-10
19 2.514E-08 2.479E-08
SIW3R6 4 - -

5 6.945E-08 6.830E-08
7 7.447E-09 7.447E-09
10 - -

11 1.305E-08 1.294E-08

13 1.191E-09 1.191E-09
SIW4R6 5 1.698E-10 1.698E-10
7 3.962E-10 3.962E-10
11 - -

13 - -

TOTAL 5.176E-07 2.723E-07

Table 10-36

Core Damage Frequencies of Inadvertent SI Signal - SIW#R10

Event Tree   Sequence   Core Damage Frequency - No Recovery (Per Year)   Core Damage Frequency with Recovery (Per Year)
SIW3R10 4 - -

5 2.439E-09 2.439E-09
7 2.710E-10 2.710E-10
10 - -

11 3.903E-10 3.903E-10
13 - -

SIW4R10 5 6.305E-09 5.448E-09


7 1.686E-08 1.469E-08
11 1.075E-09 1.075E-09
13 3.264E-09 3.004E-09
TOTAL 3.060E-08 2.731E-08

Table 10-37

Core Damage Frequencies of Loss of Vital Bus - VBW#D6

Event Tree   Sequence   Core Damage Frequency - No Recovery (Per Year)   Core Damage Frequency with Recovery (Per Year)
VBW1D6 4 2.511E-08 3.531E-10
5 1.598E-08 1.598E-08
8 1.058E-07 6.777E-09
9 8.128E-09 4.970E-09
VBW2D6 5 5.947E-09 -

6 2.020E-08 2.020E-08
10 9.611E-10 -

11 4.020E-09 4.020E-09
VBW3D6 5 1.741E-08 1.728E-08
9 2.593E-09 2.593E-09
VBW4D6 5 7.253E-10 7.253E-10
9 - -

TOTAL 2.068E-07 7.289E-08

Table 10-38

Core Damage Frequencies of Loss of Vital Bus - VBW#R6

Event Tree   Sequence   Core Damage Frequency - No Recovery (Per Year)   Core Damage Frequency with Recovery (Per Year)
VBW1R6 4 - -

5 - -

6 - -

9 - -

10 1.072E-09 1.072E-09
13 - -

14 - -

15 - -

18 3.598E-09 2.563E-09
19 3.218E-10 3.218E-10
VBW2R6 4 - -

5 - -

6 5.841E-10 5.841E-10
9 6.529E-09 -

10 1.109E-08 1.109E-08
13 - -

14 - -

15 1.168E-10 1.168E-10
18 2.016E-09 -

19 2.569E-09 2.569E-09
VBW3R6 4 - -

5 7.938E-09 7.938E-09
7 8.820E-10 8.820E-10
10 - -

11 1.022E-10 1.022E-10
VBW3R6 13 1.323E-10 1.323E-10
VBW4R6 5 - -

7 1.118E-10 1.118E-10
11 - -

13 - -

TOTAL 3.706E-08 2.748E-08

Table 10-39

Core Damage Frequencies of Loss of Vital Bus - VBW#R10

Event Tree   Sequence   Core Damage Frequency - No Recovery (Per Year)   Core Damage Frequency with Recovery (Per Year)
VBW3R10 4 - -

5 2.889E-10 2.889E-10
7 - -

10 - -

11 - -

13 - -

VBW4R10 5 1.294E-09 1.294E-09


7 3.020E-09 3.020E-09
11 1.553E-10 1.553E-10
13 3.624E-10 3.624E-10
TOTAL 5.120E-09 5.120E-09

Table 10-40

Core Damage Frequencies of Loss RHR Event Tree ARW#R6
Loss of Instrument Air in POS 6 of Refueling

Event Tree   Sequence   Core Damage Frequency-No Recovery (Per Year)   Core Damage Frequency with Recovery (Per Year)
ARW1R6 5 - -
6 - -
7 - -
10 - -
11 - -
ARW2R6 5 - -
6 - -
7 - -
10 3.692E-10 -
11 6.559E-10 6.559E-10
ARW3R6 5 - -
6 1.340E-10 1.340E-10
8 - -
ARW4R6 6 - -
8 - -
TOTAL 1.159E-09 7.899E-10

Table 10-41

Core Damage Frequencies of Loss RHR Event Tree ARW#D6
Loss of Instrument Air in POS 6 of Refueling

Event Tree   Sequence   Core Damage Frequency-No Recovery (Per Year)   Core Damage Frequency with Recovery (Per Year)
ARW1D6 5 1.376E-08 5.451E-10
6 1.134E-09 1.134E-09
ARW2D6 6 1.878E-09 -

7 1.187E-09 1.187E-09
ARW3D6 6 2.919E-10 2.919E-10
ARW4D6 6 - -

TOTAL 1.656E-08 3.158E-09

Table 10-42

Core Damage Frequencies of Loss RHR Event Tree ARW#R10
Loss of Instrument Air in POS 6 of Refueling

Event Tree   Sequence   Core Damage Frequency-No Recovery (Per Year)   Core Damage Frequency with Recovery (Per Year)
ARW3R10 5 - -

6 - -

8 - -

ARW4R10 6 - -

8 - -

TOTAL - -

Table 10-43

Core Damage Frequencies of Loss of CCW - CCW#D6

Event Tree   Sequence   Core Damage Frequency - No Recovery (Per Year)   Core Damage Frequency with Recovery (Per Year)
CCW1D6 4 2.859E-06 2.005E-07
5 9.897E-09 2.975E-09
CCW2D6 5 3.813E-08 -

6 1.839E-09 1.839E-09
CCW3D6 5 8.305E-10 8.305E-10
CCW4D6 5 - -

TOTAL 2.909E-06 2.061E-07

Table 10-44

Core Damage Frequencies of Loss of CCW - CCW#R6

Event Tree   Sequence   Core Damage Frequency - No Recovery (Per Year)   Core Damage Frequency with Recovery (Per Year)
CCW1R6 4 1.548E-09 9.492E-10
5 - -
6 - -

9 8.155E-08 5.560E-08
10 1.662E-10 1.662E-10
CCW2R6 4 3.641E-09 -

5 - -

6 - -

9 1.205E-07 1.665E-09

10 3.261E-09 3.261E-09
CCW3R6 4 - -

5 1.256E-09 1.256E-09
7 - -

CCW4R6 5 - -

7 - -

TOTAL 2.119E-07 6.289E-08

Table 10-45

Core Damage Frequencies of Loss of CCW - CCW#R10

Event Tree   Sequence   Core Damage Frequency - No Recovery (Per Year)   Core Damage Frequency with Recovery (Per Year)
CCW3R10 4 - -

5 - -

7 - -

CCW4R10 5 1.142E-10 1.142E-10


7 - -

TOTAL 1.142E-10 1.142E-10

Table 10-46

Core Damage Frequencies for SR Loss of Emergency Switchgear Room Cooling for Event Tree SRW#D6

Event Tree   Sequence   Core Damage Frequency-No Recovery (Per Year)   Core Damage Frequency with Recovery (Per Year)
SRW1D6 3 1.879E-10 1.879E-10
4 9.072E-09 9.072E-09
SRW2D6 4 - -

5 3.380E-08 3.380E-08
SRW3D6 5 2.907E-08 2.907E-08
SRW4D6 5 1.914E-09 1.914E-09
TOTAL 7.404E-08 7.404E-08

Table 10-47

Core Damage Frequencies for SR Loss of Emergency Switchgear Room Cooling for Event Tree SRW#R6

Event Tree   Sequence   Core Damage Frequency-No Recovery (Per Year)   Core Damage Frequency with Recovery (Per Year)
SRW1R6 3 6.151E-10 -
4 - -

5 - -

7 - -

8 6.090E-10 6.090E-10
SRW2R6 3 1.981E-08 1.684E-10
4 - -

5 9.824E-10 9.824E-10
7 1.120E-10 1.120E-10
8 1.866E-08 1.866E-08
SRW3R6 4 - -

5 1.335E-08 1.335E-08
7 1.483E-09 1.483E-09
SRW4R6 5 1.265E-10 1.265E-10
7 2.952E-10 2.952E-10
TOTAL 5.604E-08 3.578E-08

Table 10-48

Core Damage Frequencies for SR Loss of Emergency Switchgear Room Cooling for Event Tree SRW#R10

Event Tree   Sequence   Core Damage Frequency-No Recovery (Per Year)   Core Damage Frequency with Recovery (Per Year)
SRW3R10 4 - -

5 4.860E-10 4.860E-10
7 - -

SRW4R10 5 3.416E-09 3.416E-09


7 7.971E-09 7.971E-09
TOTAL 1.187E-08 1.187E-08

Table 10-49

Dominant Core Damage Cutsets Before Recovery Actions

Family->RHRMODEL End State ->CD
Mincut Upper Bound -> 2.011E-005 This Partition -> 2.011E-005

Cut No.   % Total   % Cut Set   Frequency   Cut Sets

1 7.2 7.2 1.464E-006 UNITY, FREQ-RHR3, PROB-W1D6, DR-MT, DURATION-D6,
LPR-CCF-PG-SUMP1
2 12.6 5.3 1.077E-006 UNITY, FREQ-CCW, H-CCW-REC-W1, PROB-W1D6,
LPR-CCF-PG-SUMP1, DR-MT, DURATION-D6
3 16.4 3.8 7.681E-007 UNITY, ACP-INV-NO-UPSA2, AFW-MDP-MA-FW3B,
PROB-W2D6, DR-MT, DURATION-D6, H-4KV-REC-W2,
FREQ-4KV
4 20.2 3.7 7.614E-007 UNITY, LPR-MOV-FT-1862B, FREQ-RHR3, PROB-W1D6,
DR-MT, DURATION-D6
5 23.6 3.3 6.771E-007 UNITY, PROB-W2D6, DR-MT, DURATION-D6, FREQ-B1,
NRAC262
6 26.4 2.8 5.631E-007 UNITY, ACP-INV-NO-UPSA2, LOOPISOLATED2R6,
REFUEL, DURATION-R6, /PZR-SV-REMOVEDW2,
PROB-W2R6, H-4KV-REC-W2, FREQ-4KV
7 29.1 2.7 5.600E-007 UNITY, FREQ-CCW, LPR-MOV-FT-1862B, H-CCW-REC-W1,
PROB-W1D6, DR-MT, DURATION-D6
8 31.8 2.6 5.413E-007 UNITY, ACP-INV-NO-UPSA2, PROB-W1D6, DR-MT,
DURATION-D6, H-4KV-REC-W1, FREQ-4KV
9 34.0 2.1 4.393E-007 UNITY, LPI-MDP-FS-SI1B, FREQ-RHR3, PROB-W1D6,
DR-MT, DURATION-D6
10 36.2 2.1 4.393E-007 UNITY, LPR-MOV-FT-1860B, FREQ-RHR3, PROB-W1D6,
DR-MT, DURATION-D6
11 38.3 2.1 4.241E-007 UNITY, ACP-INV-NO-UPSA2, AFW-MDP-MA-FW3B,
REFUEL, DURATION-R6, /PZR-SV-REMOVEDW2,
PROB-W2R6, H-4KV-REC-W2, FREQ-4KV
12 40.2 1.8 3.739E-007 UNITY, REFUEL, DURATION-R6, /PZR-SV-REMOVEDW2,
PROB-W2R6, FREQ-B1, NRAC262
13 42.0 1.7 3.572E-007 UNITY, AFW-MDP-MA-FW3B, CCW-LF-RHE2B, PROB-W2D6,
DR-MT, DURATION-D6, H-4KV-REC-W2, FREQ-4KV
14 43.6 1.6 3.231E-007 UNITY, FREQ-CCW, LPI-MDP-FS-SI1B, H-CCW-REC-W1,
PROB-W1D6, DR-MT, DURATION-D6
15 45.2 1.6 3.231E-007 UNITY, FREQ-CCW, LPR-MOV-FT-1860B, H-CCW-REC-W1,
PROB-W1D6, DR-MT, DURATION-D6
16 46.6 1.4 2.976E-007 UNITY, PROB-W2D6, DR-MT, DURATION-D6, FREQ-L1,
D-L1W2-XHE
17 47.9 1.3 2.618E-007 UNITY, LOOPISOLATED2R6, REFUEL, DURATION-R6,
CCW-LF-RHE2B, /PZR-SV-REMOVEDW2, PROB-W2R6,
H-4KV-REC-W2, FREQ-4KV
18 49.2 1.2 2.560E-007 UNITY, PROB-W3D6, DR-MT, DURATION-D6, FREQ-L1,
D-L1W3-XHE
19 50.5 1.2 2.517E-007 UNITY, CCW-LF-RHE2B, PROB-W1D6, DR-MT,
DURATION-D6, H-4KV-REC-W1, FREQ-4KV
20 51.7 1.2 2.471E-007 UNITY, CCW-LF-RHE2B, PROB-W1D6,
LPR-CCF-PG-SUMP1, DR-MT, DURATION-D6,
H-SI-REC-W1, FREQ-SI
21 52.8 1.1 2.266E-007 UNITY, ACP-INV-NO-UPSB1, PROB-W1D6, DR-MT,
DURATION-D6, FREQ-L2, NRAC200, /PROB-1HFAILEDL2
22 53.9 1.1 2.236E-007 UNITY, PROB-W1D6, DR-MT, DURATION-D6, FREQ-B1,
NRAC200
23 54.9 0.9 1.972E-007 UNITY, AFW-MDP-MA-FW3B, REFUEL, DURATION-R6,
CCW-LF-RHE2B, /PZR-SV-REMOVEDW2, PROB-W2R6,
H-4KV-REC-W2, FREQ-4KV
24 55.8 0.9 1.830E-007 UNITY, CON-VFC-RP-COREM, OSR-TRA-MA, ISR-TRA-MA,
FREQ-RHR3, PROB-W1D6, DR-MT, DURATION-D6
25 56.7 0.9 1.819E-007 UNITY, PROB-W1D6, DR-MT, DURATION-D6, FREQ-L1,
D-L1W1-XHE
26 57.6 0.8 1.773E-007 UNITY, ACP-INV-NO-UPSA2, AFW-MDP-MA-FW3B,
PROB-W2D6, DR-MT, DURATION-D6, FREQ-L2, NRAC262,
PROB-1HFAILEDL2
27 58.5 0.8 1.697E-007 UNITY, PROB-W2D6, DR-MT, DURATION-D6,
D-SIW2-XHE, FREQ-SI
28 59.3 0.8 1.643E-007 UNITY, REFUEL, DURATION-R6,/PZR-SV-REMOVEDW2,
PROB-W2R6, FREQ-L1, D-L1W2-XHE
29 60.0 0.7 1.532E-007 UNITY, DCP-BAT-LP-BAT1B, ACP-BCH-MA-UPSB1,
ACP-BCH-MA-UPSB2, PROB-W1D6, DR-MT, DURATION-D6,
H-SI-REC-W1, FREQ-SI
30 60.8 0.7 1.464E-007 UNITY, FREQ-RHR3, PROB-W1D6, A-R3W1-XHE-C-8,
DR-MT, DURATION-D6
31 61.5 0.7 1.460E-007 UNITY, PROB-W3D6, DR-MT, DURATION-D6,
D-SIW3-XHE, FREQ-SI
32 62.2 0.6 1.346E-007 UNITY, CON-VFC-RP-COREM, FREQ-CCW, OSR-TRA-MA,
ISR-TRA-MA, H-CCW-REC-W1, PROB-W1D6, DR-MT,
DURATION-D6
33 62.8 0.6 1.300E-007 UNITY, ACP-INV-NO-UPSA2, LOOPISOLATED2R6,
REFUEL, DURATION-R6, /PZR-SV-REMOVEDW2,
PROB-W2R6, FREQ-L2, NRAC262, PROB-1HFAILEDL2

34 63.4 0.6 1.285E-007 UNITY, LPR-MOV-FT-1862B, CCW-LF-RHE2B,
PROB-W1D6, DR-MT, DURATION-D6, H-SI-REC-W1,
FREQ-SI
35 64.0 0.5 1.195E-007 UNITY, DCP-BDC-ST-BUS1B, PROB-W1D6, DR-MT,
DURATION-D6, H-SI-REC-W1, FREQ-SI
36 64.6 0.5 1.195E-007 UNITY, ACP-BAC-ST-4KV1J, PROB-W1D6, DR-MT,
DURATION-D6, H-SI-REC-W1, FREQ-SI
37 65.2 0.5 1.176E-007 UNITY, REFUEL, DURATION-R6, PZR-SV-REMOVEDW3,
PROB-W3R6, FREQ-L1, D-L1W3-XHE
38 65.8 0.5 1.150E-007 UNITY, PROB-W1D6, DR-MT, DURATION-D6,
H-4KV-REC-W1, FREQ-4KV, A-4KW1-XHE-R-12
39 66.4 0.5 1.129E-007 UNITY, PROB-W1D6, LPR-CCF-PG-SUMP1, DR-MT,
DURATION-D6, H-SI-REC-W1, FREQ-SI,
A-SIW1-XHE-R-12
40 66.9 0.5 1.111E-007 UNITY, ACP-INV-NO-UPSA2, PROB-W1D6, DR-MT,
DURATION-D6, FREQ-L2, NRAC200, PROB-1HFAILEDL2
41 67.5 0.5 1.099E-007 UNITY, PROB-W2D6, DR-MT, DURATION-D6, FREQ-B2,
NRAC262
42 68.0 0.5 1.077E-007 UNITY, FREQ-CCW, H-CCW-REC-W1, PROB-W1D6,
A-CCW1-XHE-C-9, DR-MT, DURATION-D6
43 68.5 0.5 1.054E-007 UNITY, CCW-LF-RHE2A, PROB-W1D6, DR-MT,
DURATION-D6, FREQ-L2, NRAC200, /PROB-1HFAILEDL2
44 69.0 0.4 9.791E-008 UNITY, ACP-INV-NO-UPSA2, AFW-MDP-MA-FW3B,
REFUEL, DURATION-R6, /PZR-SV-REMOVEDW2,
PROB-W2R6, FREQ-L2, NRAC262, PROB-1HFAILEDL2
45 69.5 0.4 9.370E-008 UNITY, REFUEL, DURATION-R6, /PZR-SV-REMOVEDW2,
PROB-W2R6, D-SIW2-XHE, FREQ-SI
46 69.9 0.4 9.063E-008 UNITY, PROB-W1D6, DR-MT, DURATION-D6, FREQ-L2,
NRAC200, /PROB-1HFAILEDL2, A-L2W1-XHE-R-4
47 70.4 0.4 9.040E-008 UNITY, PROB-RHR2A, DR-MT, D-RAW1-XHE,
PROB-W1D6A
48 70.8 0.4 8.729E-008 UNITY, PROB-W1D6, DR-MT, DURATION-D6,
D-SIW1-XHE, FREQ-SI
49 71.2 0.4 8.245E-008 UNITY, AFW-MDP-MA-FW3B, CCW-LF-RHE2B, PROB-W2D6,
DR-MT, DURATION-D6, FREQ-L2, NRAC262,
PROB-1HFAILEDL2
50 71.6 0.3 7.511E-008 UNITY, LOOPISOLATED2R6, CPC-MDP-FR-SW10A,
CPC-MDP-MA-SW10B, REFUEL, DURATION-R6,
FREQ-RHR3, /PZR-SV-REMOVEDW2, PROB-W2R6,
LPR-CCF-PG-SUMP2

51 72.0 0.3 7.412E-008 UNITY, LPI-MDP-FS-SI1B, CCW-LF-RHE2B, PROB-W1D6,
DR-MT, DURATION-D6, H-SI-REC-W1, FREQ-SI
52 72.3 0.3 7.412E-008 UNITY, LPR-MOV-FT-1860B, CCW-LF-RHE2B,
PROB-W1D6, DR-MT, DURATION-D6, H-SI-REC-W1,
FREQ-SI
53 72.7 0.3 7.274E-008 UNITY, PROB-W2D6, DR-MT, DURATION-D6, FREQ-L2,
D-L2W2-XHE
54 73.0 0.3 7.232E-008 UNITY, PROB-RHR2A, DR-MT, A-RAW1-XHE-R-4,
PROB-W1D6A, LPR-CCF-PG-SUMP1
55 73.4 0.3 6.905E-008 UNITY, PROB-W3D6, DR-MT, DURATION-D6, FREQ-B2,
NRAC346
56 73.7 0.3 6.703E-008 UNITY, REFUEL, DURATION-R6, PZR-SV-REMOVEDW3,
PROB-W3R6, D-SIW3-XHE, FREQ-SI
57 74.0 0.3 6.589E-008 UNITY, LPI-CCF-FS-SI1AB, FREQ-RHR3, PROB-W1D6,
DR-MT, DURATION-D6
58 74.4 0.3 6.438E-008 UNITY, CPC-MDP-FR-SW10A, CPC-MDP-MA-SW10B,
LPI-MDP-FS-SI1B, PROB-RHR2A, DR-MT, PROB-W1D6A
59 74.7 0.3 6.257E-008 UNITY, PROB-W3D6, DR-MT, DURATION-D6, FREQ-L2,
D-L2W3-XHE
60 75.0 0.3 6.066E-008 UNITY, REFUEL, DURATION-R6, /PZR-SV-REMOVEDW2,
PROB-W2R6, FREQ-B2, NRAC262
61 75.3 0.3 6.045E-008 UNITY, LOOPISOLATED2R6, REFUEL, DURATION-R6,
CCW-LF-RHE2B, /PZR-SV-REMOVEDW2, PROB-W2R6,
FREQ-L2, NRAC262, PROB-1HFAILEDL2
62 75.6 0.2 5.871E-008 UNITY, LPR-MOV-FT-1862B, PROB-W1D6, DR-MT,
DURATION-D6, H-SI-REC-W1, FREQ-SI,
A-SIW1-XHE-R-12
63 75.9 0.2 5.761E-008 UNITY, AFW-MDP-MA-FW3B, PROB-W2D6, DR-MT,
DURATION-D6, H-4KV-REC-W2, FREQ-4KV,
A-4KW2-XHE-R-12
64 76.1 0.2 5.761E-008 UNITY, AFW-MDP-MA-FW3B, RHR-MDP-FS-RHR1B,
PROB-W2D6, DR-MT, DURATION-D6, H-4KV-REC-W2,
FREQ-4KV
65 76.4 0.2 5.761E-008 UNITY, AFW-MDP-MA-FW3B, CCW-MDP-FS-CCPIB,
PROB-W2D6, DR-MT, DURATION-D6, H-4KV-REC-W2,
FREQ-4KV
66 76.7 0.2 5.197E-008 UNITY, LOSP, OEP-DGN-FS-DG01, PROB-W2D6, DR-MT,
DURATION-D6, FREQ-SI
67 76.9 0.2 5.166E-008 UNITY, CCW-LF-RHE2B, PROB-W1D6, DR-MT,
DURATION-D6, FREQ-L2, NRAC200, PROB-1HFAILEDL2

68 77.2 0.2 5.045E-008 UNITY, ACP-INV-NO-UPSA2, MSS-AOV-FC-101B,
PROB-W2D6, DR-MT, DURATION-D6, FREQ-L2, NRAC262,
PROB-1HFAILEDL2
69 77.4 0.2 5.045E-008 UNITY, ACP-INV-NO-UPSA2, MSS-AOV-FC-101A,
PROB-W2D6, DR-MT, DURATION-D6, FREQ-L2, NRAC262,
PROB-1HFAILEDL2
70 77.7 0.2 4.846E-008 UNITY, LPI-CCF-FS-SI1AB, FREQ-CCW, H-CCW-REC-W1,
PROB-W1D6, DR-MT, DURATION-D6
71 77.9 0.2 4.834E-008 UNITY, LOOPISOLATED2R6, CPC-MDP-FR-SW10A,
CPC-MDP-MA-SW10B, REFUEL, LPI-MDP-FS-SI1B,
PROB-RHR2A, /PZR-SV-REMOVEDW2, PROB-W2R6A
72 78.2 0.2 4.799E-008 UNITY, ACP-INV-NO-UPSB1, LOOPISOLATED2R6,
REFUEL, DURATION-R6, /PZR-SV-REMOVEDW2,
PROB-W2R6, FREQ-L2, NRAC262, /PROB-1HFAILEDL2,
2EH1L2
73 78.4 0.2 4.694E-008 UNITY, LOOPISOLATED2R6, CPC-MDP-FR-SW10A,
CPC-MDP-MA-SW10B, REFUEL, DURATION-R6,
OSR-TRA-MA, ISR-TRA-MA, FREQ-RHR3,
/PZR-SV-REMOVEDW2, PROB-W2R6
74 78.6 0.2 4.598E-008 UNITY, ACP-INV-NO-UPSB1, REFUEL,
/PZR-SV-REMOVEDW4, PROB-W4R10, FRAC-POS10,
DURATION-R10, FREQ-L2, NRAC455,
/PROB-1HFAILEDL2, 2EH1L2
75 78.9 0.2 4.554E-008 UNITY, PROB-W1D6, LPR-CCF-PG-SUMP1, DR-MT,
DURATION-D6, FREQ-SI, A-SIW1-XHE-R-3
76 79.1 0.2 4.553E-008 UNITY, AFW-MDP-MA-FW3B, REFUEL, DURATION-R6,
CCW-LF-RHE2B, /PZR-SV-REMOVEDW2, PROB-W2R6,
FREQ-L2, NRAC262, PROB-1HFAILEDL2
77 79.3 0.2 4.549E-008 UNITY, REFUEL, /PZR-SV-REMOVEDW4, PROB-W4R10,
FRAC-POS10, DURATION-R10, FREQ-L1, D-L1W4-XHE
78 79.5 0.2 4.501E-008 UNITY, PROB-RHR2A, DR-MT, D-RAW2-XHE,
PROB-W2D6A
79 79.8 0.2 4.443E-008 UNITY, PROB-W1D6, DR-MT, DURATION-D6, FREQ-L2,
NRAC200, PROB-1HFAILEDL2, A-L2W1-XHE-R-4
80 80.0 0.2 4.223E-008 UNITY, LOOPISOLATED2R6, REFUEL, DURATION-R6,
/PZR-SV-REMOVEDW2, PROB-W2R6, H-4KV-REC-W2,
FREQ-4KV, A-4KW2-XHE-R-12
81 80.2 0.2 4.223E-008 UNITY, LOOPISOLATED2R6, REFUEL,
RHR-MDP-FS-RHR1B, DURATION-R6,
/PZR-SV-REMOVEDW2, PROB-W2R6, H-4KV-REC-W2,
FREQ-4KV

82 80.4 0.2 4.223E-008 UNITY, CCW-MDP-FS-CCP1B, LOOPISOLATED2R6,
REFUEL, DURATION-R6, /PZR-SV-REMOVEDW2,
PROB-W2R6, H-4KV-REC-W2, FREQ-4KV
83 80.6 0.2 4.068E-008 UNITY, REFUEL, /PZR-SV-REMOVEDW4, PROB-W4R10,
FRAC-POS10, DURATION-R10, FREQ-B2, NRAC455
84 80.8 0.2 4.060E-008 UNITY, RHR-MDP-FS-RHR1B, PROB-W1D6, DR-MT,
DURATION-D6, H-4KV-REC-W1, FREQ-4KV
85 81.0 0.2 4.060E-008 UNITY, CCW-MDP-FS-CCP1B, PROB-W1D6, DR-MT,
DURATION-D6, H-4KV-REC-W1, FREQ-4KV
86 81.2 0.2 4.016E-008 UNITY, REFUEL, DURATION-R6, /PZR-SV-REMOVEDW2,
PROB-W2R6, FREQ-L2, D-L2W2-XHE
87 81.4 0.2 3.985E-008 UNITY, RHR-MDP-FS-RHR1B, PROB-W1D6,
LPR-CCF-PG-SUMP1, DR-MT, DURATION-D6,
H-SI-REC-W1, FREQ-SI
88 81.6 0.1 3.840E-008 UNITY, AFW-MDP-MA-FW3B, CCW-MDP-MA-CCP1B,
PROB-W2D6, DR-MT, DURATION-D6, H-4KV-REC-W2,
FREQ-4KV
89 81.8 0.1 3.807E-008 UNITY, LPR-CCF-FT-862AB, FREQ-RHR3, PROB-W1D6,
DR-MT, DURATION-D6
90 82.0 0.1 3.807E-008 UNITY, LPR-CCF-FT-860AB, FREQ-RHR3, PROB-W1D6,
DR-MT, DURATION-D6
91 82.1 0.1 3.760E-008 UNITY, LPR-MOV-FT-1862B, PROB-RHR2A, DR-MT,
A-RAW1-XHE-R-4, PROB-W1D6A
92 82.3 0.1 3.628E-008 UNITY, PROB-W1D6, DR-MT, DURATION-D6, FREQ-B2,
NRAC200
93 82.5 0.1 3.584E-008 UNITY, ACP-INV-NO-UPSB1, REFUEL, DURATION-R6,
PZR-SV-REMOVEDW3, PROB-W3R6, FREQ-L2, NRAC346,
/PROB-1HFAILEDL2, 2EH1L2
94 82.7 0.1 3.550E-008 UNITY, PROB-W1D6, DR-MT, DURATION-D6,
LPR-CCF-PG-SUMP1, FREQ-L1, A-L1W1-XHE-R-4
95 82.9 0.1 3.516E-008 UNITY, CCW-LF-RHE2B, PROB-W1D6, FREQ-RHR4,
DR-MT, DURATION-D6, LPR-CCF-PG-SUMP1
96 83.0 0.1 3.423E-008 UNITY, LOSP, OEP-DGN-FC-DG3U2, PROB-RHR2A,
DR-MT, PROB-W1D6A
97 83.2 0.1 3.394E-008 UNITY, PROB-W2D6, FREQ-RHR5, DR-MT, DURATION-D6,
D-R5W2-XHE
98 83.4 0.1 3.387E-008 UNITY, LPI-MDP-FS-SI1B, PROB-W1D6, DR-MT,
DURATION-D6, H-SI-REC-W1, FREQ-SI,
A-SIW1-XHE-R-12

99 83.5 0.1 3.387E-008 UNITY, LPR-MOV-FT-1860B, PROB-W1D6, DR-MT,
DURATION-D6, H-SI-REC-W1, FREQ-SI,
A-SIW1-XHE-R-12
100 83.7 0.1 3.381E-008 UNITY, PROB-W2D6, DR-MT, DURATION-D6, FREQ-SR,
D-SRW2-XHE
101 83.9 0.1 3.362E-008 UNITY, PROB-W2D6, DR-MT, DURATION-D6, FREQ-4KV,
D-4KW2-XHE
102 84.0 0.1 3.351E-008 UNITY, ACP-INV-NO-UPSA2, SGB-DRAINED-R,
PROB-W2D6, DR-MT, DURATION-D6, H-4KV-REC-W2,
FREQ-4KV
103 84.2 0.1 3.351E-008 UNITY, ACP-INV-NO-UPSA2, SGA-DRAINED-R,
PROB-W2D6, DR-MT, DURATION-D6, H-4KV-REC-W2,
FREQ-4KV
104 84.4 0.1 3.297E-008 UNITY, REFUEL, PROB-RHR2A, /PZR-SV-REMOVEDW2,
D-RAW2-XHE, PROB-W2R6A
105 84.5 0.1 3.274E-008 UNITY, PROB-W1D6, DR-MT, DURATION-D6, FREQ-L3,
NRAC200, A-L3W1-XHE-CW-4
106 84.7 0.1 3.259E-008 UNITY, CPC-MDP-FR-SW10A, CPC-MDP-MA-SW10B,
OSR-TRA-MA, ISR-TRA-MA, FREQ-RHR3, PROB-W1D6,
DR-MT, DURATION-D6
107 84.9 0.1 3.243E-008 UNITY, LOSP, OEP-DGN-FS-DG01, PROB-RHR2A, DR-MT,
PROB-W2D6A
108 85.0 0.1 3.181E-008 UNITY, AFW-MDP-MA-FW3B, REFUEL,
RHR-MDP-FS-RHR1B, DURATION-R6,
/PZR-SV-REMOVEDW2, PROB-W2R6, H-4KV-REC-W2,
FREQ-4KV
109 85.2 0.1 3.181E-008 UNITY, AFW-MDP-MA-FW3B, REFUEL, DURATION-R6,
/PZR-SV-REMOVEDW2, PROB-W2R6, H-4KV-REC-W2,
FREQ-4KV, A-4KW2-XHE-R-12
110 85.3 0.1 3.181E-008 UNITY, AFW-MDP-MA-FW3B, CCW-MDP-FS-CCP1B,
REFUEL, DURATION-R6, /PZR-SV-REMOVEDW2,
PROB-W2R6, H-4KV-REC-W2, FREQ-4KV
111 85.5 0.1 3.107E-008 UNITY, LOOPISOLATED2R6, CPC-MDP-FR-SW10A,
CPC-MDP-MA-SW10B, REFUEL, FREQ-CCW, DURATION-R6,
H-CCW-REC-W2, /PZR-SV-REMOVEDW2, PROB-W2R6,
LPR-CCF-PG-SUMP2
112 85.6 0.1 3.088E-008 UNITY, CON-VFC-RP-COREM, OSR-TRA-MA, ISR-TRA-MA,
CCW-LF-RHE2B, PROB-W1D6, DR-MT, DURATION-D6,
H-SI-REC-W1, FREQ-SI

113 85.8 0.1 2.949E-008 UNITY, REFUEL, DURATION-R6, FREQ-RHR3,
PROB-W1R6, LOOPISOLATED1R6, /PZR-SV-REMOVEDW1,
LPR-CCF-PG-SUMP1
114 85.9 0.1 2.919E-008 UNITY, PROB-W3D6, FREQ-RHR5, DR-MT, DURATION-D6,
D-R5W3-XHE
115 86.1 0.1 2.908E-008 UNITY, PROB-W3D6, DR-MT, DURATION-D6, FREQ-SR,
D-SRW3-XHE
116 86.2 0.1 2.892E-008 UNITY, PROB-W3D6, DR-MT, DURATION-D6, FREQ-4KV,
D-4KW3-XHE
117 86.4 0.1 2.873E-008 UNITY, REFUEL, DURATION-R6, PZR-SV-REMOVEDW3,
PROB-W3R6, FREQ-L2, D-L2W3-XHE
118 86.5 0.1 2.869E-008 UNITY, REFUEL, LOSP, OEP-DGN-FS-DG01,
DURATION-R6, /PZR-SV-REMOVEDW2, PROB-W2R6,
FREQ-SI
119 86.6 0.1 2.815E-008 UNITY, CCW-MDP-MA-CCP1B, LOOPISOLATED2R6,
REFUEL, DURATION-R6, /PZR-SV-REMOVEDW2,
PROB-W2R6, H-4KV-REC-W2, FREQ-4KV
120 86.8 0.1 2.800E-008 UNITY, FREQ-CCW, LPR-CCF-FT-862AB, H-CCW-REC-W1,
PROB-W1D6, DR-MT, DURATION-D6
121 86.9 0.1 2.800E-008 UNITY, FREQ-CCW, LPR-CCF-FT-860AB, H-CCW-REC-W1,
PROB-W1D6, DR-MT, DURATION-D6
122 87.1 0.1 2.782E-008 UNITY, CON-VFC-RP-COREM, ISR-MDP-FS-RS1A,
OSR-TRA-MA, FREQ-RHR3, PROB-W1D6, DR-MT,
DURATION-D6
123 87.2 0.1 2.712E-008 UNITY, PROB-RHR2A, RHR-CCF-FS-MDPAB, DR-MT,
PROB-W1D6A, LPR-CCF-PG-SUMP1
124 87.3 0.1 2.707E-008 UNITY, CCW-MDP-MA-CCP1B, PROB-W1D6, DR-MT,
DURATION-D6, H-4KV-REC-W1, FREQ-4KV
125 87.5 0.1 2.684E-008 UNITY, ACP-BAC-ST-4KV1H, ACP-INV-NO-UPSA2,
AFW-MDP-MA-FW3B, PROB-W2D6, DR-MT, DURATION-D6,
FREQ-SI
126 87.6 0.1 2.638E-008 UNITY, PROB-W1D6, DR-MT, DURATION-D6, FREQ-L2,
D-L2W1-XHE
127 87.7 0.1 2.615E-008 UNITY, AFW-MDP-MA-FW3B, PROB-W2D6, DR-MT,
DURATION-D6, FREQ-L2, NRAC262, PROB-1HFAILEDL2,
A-L2W2-XHE-R-4
128 87.8 0.1 2.589E-008 UNITY, ACP-BAC-ST-4KV1H, AFW-MDP-MA-FW3B,
FREQ-RHR3, PROB-W2D6, DR-MT, DURATION-D6

129 88.0 0.1 2.471E-008 UNITY, CCW-LF-RHE2B, PROB-W1D6, DR-MT,
DURATION-D6, A-SIW1-XHE-C-18, H-SI-REC-W1,
FREQ-SI
130 88.1 0.1 2.397E-008 UNITY, CPC-MDP-FR-SW10A, CPC-MDP-MA-SW10B,
FREQ-CCW, OSR-TRA-MA, ISR-TRA-MA, H-CCW-REC-W1,
PROB-W1D6, DR-MT, DURATION-D6
131 88.2 0.1 2.375E-008 UNITY, REFUEL, LOSP, OEP-DGN-FS-DG01,
PROB-RHR2A, /PZR-SV-REMOVEDW2, PROB-W2R6A
132 88.3 0.1 2.368E-008 UNITY, LPR-MOV-FT-1862B, PROB-W1D6, DR-MT,
DURATION-D6, FREQ-SI, A-SIW1-XHE-R-3
133 88.4 0.1 2.346E-008 UNITY, MSS-AOV-FC-101B, CCW-LF-RHE2B, PROB-W2D6,
DR-MT, DURATION-D6, FREQ-L2, NRAC262,
PROB-1HFAILEDL2
134 88.6 0.1 2.346E-008 UNITY, MSS-AOV-FC-101A, CCW-LF-RHE2B, PROB-W2D6,
DR-MT, DURATION-D6, FREQ-L2, NRAC262,
PROB-1HFAILEDL2
135 88.7 0.1 2.314E-008 UNITY, PROB-RHR2A, SAS-CPS-FR-1SAC1,
IAS-CPS-FS-IAC-1, DR-MT, PROB-W1D6A,
LPR-CCF-PG-SUMP1
136 88.8 0.1 2.314E-008 UNITY, PROB-RHR2A, SAS-CPS-FR-2SAC1,
IAS-CPS-FS-IAC-1, DR-MT, PROB-W1D6A,
LPR-CCF-PG-SUMP1
137 88.9 0.1 2.243E-008 UNITY, CPC-MDP-FR-SW10A, CPC-MDP-MA-SW10B,
REFUEL, LPI-MDP-FS-SI1B, PROB-RHR2A,
PZR-SV-REMOVEDW3, PROB-W3R6A
138 89.0 0.1 2.231E-008 UNITY, LOOPISOLATED2R6, REFUEL, DURATION-R6,
CCW-LF-RHE2A, /PZR-SV-REMOVEDW2, PROB-W2R6,
FREQ-L2, NRAC262, /PROB-1HFAILEDL2, 2EH1L2
139 89.1 0.1 2.215E-008 UNITY, LOSP, OEP-DGN-FS-DG01, PROB-RHR2A, DR-MT,
PROB-W1D6A
140 89.2 0.1 2.215E-008 UNITY, LOSP, OEP-DGN-FS-DG03, PROB-RHR2A, DR-MT,
PROB-W1D6A
141 89.3 0.1 2.181E-008 UNITY, DCP-BAT-LP-BAT1B, ACP-BCH-MA-UPSB1,
ACP-BCH-MA-UPSB2, PROB-W1D6, FREQ-RHR4, DR-MT,
DURATION-D6
142 89.4 0.1 2.170E-008 UNITY, ACP-BAC-ST-4KV1H, ACP-INV-NO-UPSA2,
PROB-RHR2A, DR-MT, PROB-W1D6A
143 89.6 0.1 2.170E-008 UNITY, ACP-BAC-ST-4KV1J, ACP-INV-NO-UPSB1,
PROB-RHR2A, DR-MT, PROB-W1D6A
144 89.7 0.1 2.170E-008 UNITY, ACP-BAC-ST-1J1, ACP-INV-NO-UPSB1,
PROB-RHR2A, DR-MT, PROB-W1D6A

145 89.8 0.1 2.170E-008 UNITY, ACP-BAC-ST-1J1-2, ACP-INV-NO-UPSB1,
PROB-RHR2A, DR-MT, PROB-W1D6A
146 89.9 0.1 2.170E-008 UNITY, LPI-MDP-FS-SI1B, PROB-RHR2A, DR-MT,
A-RAW1-XHE-R-4, PROB-W1D6A
147 90.0 0.1 2.170E-008 UNITY, LPR-MOV-FT-1860B, PROB-RHR2A, DR-MT,
A-RAW1-XHE-R-4, PROB-W1D6A
148 90.1 0.1 2.169E-008 UNITY, REFUEL, FREQ-CCW, DURATION-R6,
H-CCW-REC-W1, PROB-W1R6, LOOPISOLATED1R6,
/PZR-SV-REMOVEDW1, LPR-CCF-PG-SUMP1
149 90.2 0.1 2.155E-008 UNITY, LOSP, OEP-DGN-FC-DG3U2, PROB-W1D6, DR-MT,
DURATION-D6, FREQ-SI
150 90.3 0.1 2.138E-008 UNITY, REFUEL, CCW-LF-RHE2A, /PZR-SV-REMOVEDW4,
PROB-W4R10, FRAC-POS10, DURATION-R10, FREQ-L2,
NRAC455, /PROB-1HFAILEDL2, 2EH1L2
151 90.4 0.1 2.120E-008 UNITY, AFW-MDP-MA-FW3B, CCW-MDP-MA-CCP1B,
REFUEL, DURATION-R6, /PZR-SV-REMOVEDW2,
PROB-W2R6, H-4KV-REC-W2, FREQ-4KV
152 90.5 0.1 2.109E-008 UNITY, LOOPISOLATED2R6, REFUEL, DURATION-R6,
FREQ-RHR3, /PZR-SV-REMOVEDW2, PROB-W2R6,
A-R3W2-XHE-X, LPR-CCF-PG-SUMP2
153 90.6 0.1 2.085E-008 UNITY, PROB-RHR2A, CCW-LF-RHE2A, CCW-LF-RHE2B,
DR-MT, PROB-W1D6A, LPR-CCF-PG-SUMP1
154 90.7 0.1 2.082E-008 UNITY, PROB-RHR2A, DR-MT, D-RAW3-XHE,
PROB-W3D6A
155 90.8 0.1 2.072E-008 UNITY, LPR-MOV-FT-1862B, RHR-MDP-FS-RHR1B,
PROB-W1D6, DR-MT, DURATION-D6, H-SI-REC-W1,
FREQ-SI
156 90.9 0.1 2.046E-008 UNITY, CON-VFC-RP-COREM, ISR-MDP-FS-RS1A,
FREQ-CCW, OSR-TRA-MA, H-CCW-REC-W1, PROB-W1D6,
DR-MT, DURATION-D6
157 91.0 0.1 2.012E-008 UNITY, ACP-BAC-ST-1H1, ACP-INV-NO-UPSA2,
CPC-MDP-MA-SW10B, PROB-RHR2A, DR-MT, PROB-W1D6A
158 91.1 0.1 2.010E-008 UNITY, PROB-W2D6, DR-MT, DURATION-D6,
D-VBW2-XHE, FREQ-VB
159 91.2 0.1 1.978E-008 UNITY, PROB-W1D6, LPR-CCF-PG-SUMP1, DR-MT,
DURATION-D6, H-VB-REC-W1, FREQ-VB,
A-VBW1-XHE-R-12
160 91.3 0.1 1.970E-008 UNITY, ACP-INV-NO-UPSB1, REFUEL,
PZR-SV-REMOVEDW4, PROB-W4R10, FRAC-POS10,
DURATION-R10, FREQ-L2, NRAC455,
/PROB-1HFAILEDL2, 2EH1L2

161 91.4 0.1 1.968E-008 UNITY, ACP-BAC-ST-4KV1H, ACP-INV-NO-UPSA2,
LOOPISOLATED2R6, REFUEL, DURATION-R6,
/PZR-SV-REMOVEDW2, PROB-W2R6, FREQ-SI
162 91.5 0.1 1.968E-008 UNITY, REFUEL, DURATION-R6, PZR-SV-REMOVEDW2,
PROB-W2R6, FREQ-B1, NRAC262
163 91.6 0.1 1.965E-008 UNITY, REFUEL, DURATION-R6, PROB-W2R6, FREQ-SR,
D-SRW2-XHE
164 91.7 0.1 1.949E-008 UNITY, REFUEL, PZR-SV-REMOVEDW4, PROB-W4R10,
FRAC-POS10, DURATION-R10, FREQ-L1, D-L1W4-XHE
165 91.8 0.1 1.942E-008 UNITY, LOOPISOLATED2R6, CPC-MDP-FR-SW10A,
CPC-MDP-MA-SW10B, REFUEL, FREQ-CCW, DURATION-R6,
OSR-TRA-MA, ISR-TRA-MA, H-CCW-REC-W2,
/PZR-SV-REMOVEDW2, PROB-W2R6
166 91.9 0.1 1.917E-008 UNITY, LOOPISOLATED2R6, REFUEL, DURATION-R6,
/PZR-SV-REMOVEDW2, PROB-W2R6, FREQ-L2, NRAC262,
PROB-1HFAILEDL2, A-L2W2-XHE-R-4
167 92.0 0.1 1.916E-008 UNITY, ACP-INV-NO-UPSA2, AFW-MDP-MA-FW3B,
REFUEL, DURATION-R6, PROB-W1R6,
/PZR-SV-REMOVEDW1, H-4KV-REC-W1, FREQ-4KV
168 92.1 0.0 1.898E-008 UNITY, ACP-BAC-ST-4KV1H, LOOPISOLATED2R6,
REFUEL, DURATION-R6, FREQ-RHR3,
/PZR-SV-REMOVEDW2, PROB-W2R6
169 92.2 0.0 1.874E-008 UNITY, REFUEL, DURATION-R6, /PZR-SV-REMOVEDW2,
PROB-W2R6, FREQ-RHR5, D-R5W2-XHE
170 92.3 0.0 1.862E-008 UNITY, ACP-INV-NO-UPSB1, MSS-AOV-FC-101B,
PROB-W2D6, DR-MT, DURATION-D6, FREQ-L2, NRAC262,
/PROB-1HFAILEDL2, 2EH1L2
171 92.4 0.0 1.862E-008 UNITY, ACP-INV-NO-UPSB1, MSS-AOV-FC-101A,
PROB-W2D6, DR-MT, DURATION-D6, FREQ-L2, NRAC262,
/PROB-1HFAILEDL2, 2EH1L2
172 92.5 0.0 1.856E-008 UNITY, REFUEL, DURATION-R6, /PZR-SV-REMOVEDW2,
PROB-W2R6, FREQ-4KV, D-4KW2-XHE
173 92.6 0.0 1.846E-008 UNITY, LPR-MOV-FT-1862B, PROB-W1D6, DR-MT,
DURATION-D6, FREQ-L1, A-L1W1-XHE-R-4
174 92.7 0.0 1.830E-008 UNITY, PROB-W3D6, DR-MT, DURATION-D6, FREQ-B1,
NRAC346, D-B1W3-XHE
175 92.7 0.0 1.828E-008 UNITY, LPR-MOV-FT-1862B, CCW-LF-RHE2B,
PROB-W1D6, FREQ-RHR4, DR-MT, DURATION-D6

176 92.8 0.0 1.825E-008 UNITY, ACP-BAC-ST-1H1, ACP-INV-NO-UPSA2,
LOOPISOLATED2R6, CPC-MDP-MA-SW10B, REFUEL,
DURATION-R6, /PZR-SV-REMOVEDW2, PROB-W2R6,
FREQ-SI
177 92.9 0.0 1.808E-008 UNITY, PROB-RHR2A, RHR-ASF-PG-1605, DR-MT,
PROB-W1D6A, LPR-CCF-PG-SUMP1
178 93.0 0.0 1.760E-008 UNITY, ACP-BAC-ST-1H1, LOOPISOLATED2R6,
CPC-MDP-MA-SW10B, REFUEL, DURATION-R6,
FREQ-RHR3, /PZR-SV-REMOVEDW2, PROB-W2R6
179 93.1 0.0 1.746E-008 UNITY, PROB-W1D6, FREQ-RHR5, DR-MT, DURATION-D6,
D-R5W1-XHE
180 93.2 0.0 1.729E-008 UNITY, PROB-W1D6, DR-MT, DURATION-D6, FREQ-4KV,
D-4KW1-XHE
181 93.3 0.0 1.729E-008 UNITY, PROB-W3D6, DR-MT, DURATION-D6,
D-VBW3-XHE, FREQ-VB
182 93.4 0.0 1.718E-008 UNITY, CPC-MDP-FR-SW10A, REFUEL,
LPI-MDP-FS-SI1B, PROB-RHR2A, /PZR-SV-REMOVEDW4,
FRAC-POS10, PROB-W4R10A, CPC-MDP-MA-SW10B
183 93.4 0.0 1.708E-008 UNITY, RHR-CCF-FS-MDPAB, PROB-W1D6,
LPR-CCF-PG-SUMP1, DR-MT, DURATION-D6, FREQ-SI
184 93.5 0.0 1.701E-008 UNITY, DCP-BDC-ST-BUS1B, PROB-W1D6, FREQ-RHR4,
DR-MT, DURATION-D6
185 93.6 0.0 1.701E-008 UNITY, ACP-BAC-ST-4KV1J, PROB-W1D6, FREQ-RHR4,
DR-MT, DURATION-D6
186 93.7 0.0 1.699E-008 UNITY, RHR-MDP-FS-RHR1A, PROB-W1D6, DR-MT,
DURATION-D6, FREQ-L2, NRAC200, /PROB-1HFAILEDL2
187 93.8 0.0 1.699E-008 UNITY, PROB-W1D6, DR-MT, DURATION-D6, FREQ-L2,
NRAC200, /PROB-1HFAILEDL2, CCW-MDP-FS-CCP1A
188 93.9 0.0 1.689E-008 UNITY, DCP-BAT-LP-BAT1B, FREQ-RHR3,
ACP-BCH-MA-UPSB1, ACP-BCH-MA-UPSB2, PROB-W1D6,
DR-MT, DURATION-D6
189 93.9 0.0 1.682E-008 UNITY, ACP-INV-NO-UPSA2, MSS-AOV-MA-101B,
PROB-W2D6, DR-MT, DURATION-D6, FREQ-L2, NRAC262,
PROB-1HFAILEDL2
190 94.0 0.0 1.682E-008 UNITY, ACP-INV-NO-UPSA2, MSS-AOV-MA-101A,
PROB-W2D6, DR-MT, DURATION-D6, FREQ-L2, NRAC262,
PROB-1HFAILEDL2
191 94.1 0.0 1.675E-008 UNITY, ACP-BAC-ST-4KV1H, ACP-INV-NO-UPSA2,
AFW-MDP-MA-FW3B, PROB-RHR2A, DR-MT, PROB-W2D6A

192 94.2 0.0 1.666E-008 UNITY, REFUEL, DURATION-R6, CCW-LF-RHE2A,
PZR-SV-REMOVEDW3, PROB-W3R6, FREQ-L2, NRAC346,
/PROB-1HFAILEDL2, 2EH1L2
193 94.3 0.0 1.629E-008 UNITY, ACP-BAC-ST-4KV1H, ACP-INV-NO-UPSA2,
LOOPISOLATED2R6, REFUEL, PROB-RHR2A,
/PZR-SV-REMOVEDW2, PROB-W2R6A
194 94.4 0.0 1.627E-008 UNITY, PROB-RHR2A, RWT-TNK-LF-RWST, DR-MT,
PROB-W1D6A
195 94.4 0.0 1.598E-008 UNITY, PROB-W1D6, DR-MT, DURATION-D6,
D-VBW1-XHE, FREQ-VB
196 94.5 0.0 1.575E-008 UNITY, PROB-W3D6, DR-MT, DURATION-D6, FREQ-B1,
NRAC346, A-B1W3-XHE-2CH-8
197 94.6 0.0 1.558E-008 UNITY, SGB-DRAINED-R, CCW-LF-RHE2B, PROB-W2D6,
DR-MT, DURATION-D6, H-4KV-REC-W2, FREQ-4KV
198 94.7 0.0 1.558E-008 UNITY, SGA-DRAINED-R, CCW-LF-RHE2B, PROB-W2D6,
DR-MT, DURATION-D6, H-4KV-REC-W2, FREQ-4KV
199 94.7 0.0 1.533E-008 UNITY, REFUEL, LPR-MOV-FT-1862B, DURATION-R6,
FREQ-RHR3, PROB-W1R6, LOOPISOLATED1R6,
/PZR-SV-REMOVEDW1
200 94.8 0.0 1.511E-008 UNITY, ACP-BAC-ST-1H1, ACP-INV-NO-UPSA2,
LOOPISOLATED2R6, CPC-MDP-MA-SW10B, REFUEL,
PROB-RHR2A, /PZR-SV-REMOVEDW2, PROB-W2R6A
201 94.9 0.0 1.501E-008 UNITY, REFUEL, DURATION-R6, PROB-W1R6,
/PZR-SV-REMOVEDW1, FREQ-B1, NRAC200
202 95.0 0.0 1.482E-008 UNITY, ACP-BAC-ST-4KV1H, ACP-INV-NO-UPSA2,
AFW-MDP-MA-FW3B, REFUEL, DURATION-R6,
/PZR-SV-REMOVEDW2, PROB-W2R6, FREQ-SI
203 95.0 0.0 1.464E-008 UNITY, LPI-CKV-FT-CV50, FREQ-RHR3, PROB-W1D6,
DR-MT, DURATION-D6
204 95.1 0.0 1.464E-008 UNITY, LPR-CKV-FT-CV47, FREQ-RHR3, PROB-W1D6,
DR-MT, DURATION-D6
205 95.2 0.0 1.457E-008 UNITY, SAS-CPS-FR-1SAC1, IAS-CPS-FS-IAC-1,
PROB-W1D6, LPR-CCF-PG-SUMP1, DR-MT, DURATION-D6,
FREQ-SI
206 95.3 0.0 1.457E-008 UNITY, SAS-CPS-FR-2SAC1, IAS-CPS-FS-IAC-1,
PROB-W1D6, LPR-CCF-PG-SUMP1, DR-MT, DURATION-D6,
FREQ-SI
207 95.3 0.0 1.444E-008 UNITY, AFW-MDP-MA-FW3B, REFUEL, DURATION-R6,
/PZR-SV-REMOVEDW2, PROB-W2R6, FREQ-L2, NRAC262,
PROB-1HFAILEDL2, A-L2W2-XHE-R-4

208 95.4 0.0 1.430E-008 UNITY, ACP-BAC-ST-4KV1H, AFW-MDP-MA-FW3B,
REFUEL, DURATION-R6, FREQ-RHR3,
/PZR-SV-REMOVEDW2, PROB-W2R6
209 95.5 0.0 1.411E-008 UNITY, CON-VFC-RP-COREM, OSR-TRA-MA, ISR-TRA-MA,
PROB-W1D6, DR-MT, DURATION-D6, H-SI-REC-W1,
FREQ-SI, A-SIW1-XHE-R-12
210 95.5 0.0 1.410E-008 UNITY, LPR-MOV-FT-1862B, PROB-RHR2A,
RHR-CCF-FS-MDPAB, DR-MT, PROB-W1D6A
211 95.6 0.0 1.399E-008 UNITY, SAS-CPS-FR-1SAC1, IAS-CPS-FS-IAC-1,
PROB-W2D6, DR-MT, DURATION-D6, H-4KV-REC-W2,
FREQ-4KV
212 95.7 0.0 1.399E-008 UNITY, SAS-CPS-FR-2SAC1, IAS-CPS-FS-IAC-1,
PROB-W2D6, DR-MT, DURATION-D6, H-4KV-REC-W2,
FREQ-4KV
213 95.8 0.0 1.395E-008 UNITY, LOSP, OEP-DGN-FS-DG01, PROB-W1D6, DR-MT,
DURATION-D6, FREQ-SI
214 95.8 0.0 1.395E-008 UNITY, LOSP, OEP-DGN-FS-DG03, PROB-W1D6, DR-MT,
DURATION-D6, FREQ-SI
215 95.9 0.0 1.383E-008 UNITY, AFW-MDP-MA-FW3B, DCP-BAT-LP-BAT1A,
PROB-W2D6, DR-MT, DURATION-D6, H-4KV-REC-W2,
FREQ-4KV
216 96.0 0.0 1.383E-008 UNITY, AFW-MDP-MA-FW3B, RHR-MDP-FR-B24HR,
PROB-W2D6, DR-MT, DURATION-D6, H-4KV-REC-W2,
FREQ-4KV
217 96.0 0.0 1.383E-008 UNITY, AFW-MDP-MA-FW3B, CCW-MDP-FR-CCP1B,
PROB-W2D6, DR-MT, DURATION-D6, H-4KV-REC-W2,
FREQ-4KV
218 96.1 0.0 1.366E-008 UNITY, LPI-MDP-FS-SI1B, PROB-W1D6, DR-MT,
DURATION-D6, FREQ-SI, A-SIW1-XHE-R-3
219 96.2 0.0 1.366E-008 UNITY, LPR-MOV-FT-1860B, PROB-W1D6, DR-MT,
DURATION-D6, FREQ-SI, A-SIW1-XHE-R-3
220 96.2 0.0 1.366E-008 UNITY, ACP-BAC-ST-4KV1H, ACP-INV-NO-UPSA2,
PROB-W1D6, DR-MT, DURATION-D6, FREQ-SI
221 96.3 0.0 1.366E-008 UNITY, ACP-BAC-ST-1J1-2, ACP-INV-NO-UPSB1,
PROB-W1D6, DR-MT, DURATION-D6, FREQ-SI
222 96.4 0.0 1.366E-008 UNITY, ACP-BAC-ST-4KV1J, ACP-INV-NO-UPSB1,
PROB-W1D6, DR-MT, DURATION-D6, FREQ-SI
223 96.4 0.0 1.366E-008 UNITY, ACP-BAC-ST-1J1, ACP-INV-NO-UPSB1,
PROB-W1D6, DR-MT, DURATION-D6, FREQ-SI

224 96.5 0.0 1.363E-008 UNITY, ACP-INV-NO-UPSA2, AFW-MDP-MA-FW3B,
PROB-W2D6, DR-MT, DURATION-D6, FREQ-L3, NRAC262,
PROB-1HFAILEDL3
225 96.6 0.0 1.341E-008 UNITY, REFUEL, DURATION-R6, PZR-SV-REMOVEDW3,
PROB-W3R6, FREQ-RHR5, D-R5W3-XHE
226 96.6 0.0 1.335E-008 UNITY, REFUEL, DURATION-R6, PZR-SV-REMOVEDW3,
PROB-W3R6, FREQ-SR, D-SRW3-XHE
227 96.7 0.0 1.330E-008 UNITY, AFW-MDP-MA-FW3B, RHR-MDP-FS-RHR1B,
PROB-W2D6, DR-MT, DURATION-D6, FREQ-L2, NRAC262,
PROB-1HFAILEDL2
228 96.8 0.0 1.330E-008 UNITY, AFW-MDP-MA-FW3B, CCW-MDP-FS-CCP1B,
PROB-W2D6, DR-MT, DURATION-D6, FREQ-L2, NRAC262,
PROB-1HFAILEDL2
229 96.8 0.0 1.328E-008 UNITY, REFUEL, DURATION-R6, PZR-SV-REMOVEDW3,
PROB-W3R6, FREQ-4KV, D-4KW3-XHE
230 96.9 0.0 1.318E-008 UNITY, DCP-BDC-ST-BUS1B, FREQ-RHR3, PROB-W1D6,
DR-MT, DURATION-D6
231 97.0 0.0 1.318E-008 UNITY, ACP-BAC-ST-1J1, FREQ-RHR3, PROB-W1D6,
DR-MT, DURATION-D6
232 97.0 0.0 1.318E-008 UNITY, ACP-BAC-ST-4KV1J, FREQ-RHR3, PROB-W1D6,
DR-MT, DURATION-D6
233 97.1 0.0 1.318E-008 UNITY, ACP-BAC-ST-1J1-2, FREQ-RHR3, PROB-W1D6,
DR-MT, DURATION-D6
234 97.2 0.0 1.318E-008 UNITY, ACP-BAC-ST-4KV1H, FREQ-RHR3, PROB-W1D6,
DR-MT, DURATION-D6
235 97.2 0.0 1.318E-008 UNITY, ACP-BAC-ST-4801J, FREQ-RHR3, PROB-W1D6,
DR-MT, DURATION-D6
236 97.3 0.0 1.313E-008 UNITY, CCW-LF-RHE2A, CCW-LF-RHE2B, PROB-W1D6,
LPR-CCF-PG-SUMP1, DR-MT, DURATION-D6, FREQ-SI
237 97.4 0.0 1.306E-008 UNITY, REFUEL, DURATION-R6, /PZR-SV-REMOVEDW3,
PROB-W3R6, FREQ-L1, D-L1W3-XHE
238 97.4 0.0 1.293E-008 UNITY, DCP-BAT-LP-BAT1B, PROB-RHR2A,
CCW-LF-RHE2A, ACP-BCH-MA-UPSB1,
ACP-BCH-MA-UPSB2, DR-MT, PROB-W1D6A
239 97.5 0.0 1.267E-008 UNITY, ACP-BAC-ST-1H1, ACP-INV-NO-UPSA2,
CPC-MDP-MA-SW10B, PROB-W1D6, DR-MT, DURATION-D6,
FREQ-SI
240 97.5 0.0 1.248E-008 UNITY, ACP-BAC-ST-4KV1H, AFW-MDP-MA-FW3B,
CCW-LF-RHE2B, PROB-W2D6, DR-MT, DURATION-D6,
FREQ-SI

241 97.6 0.0 1.242E-008 UNITY, DCP-BAT-LP-BAT1B, FREQ-CCW,
ACP-BCH-MA-UPSB1, ACP-BCH-MA-UPSB2,
H-CCW-REC-W1, PROB-W1D6, DR-MT, DURATION-D6
242 97.7 0.0 1.227E-008 UNITY, ACP-BAC-ST-4KV1H, ACP-INV-NO-UPSA2,
AFW-MDP-MA-FW3B, REFUEL, PROB-RHR2A,
/PZR-SV-REMOVEDW2, PROB-W2R6A
243 97.7 0.0 1.222E-008 UNITY, ACP-BAC-ST-1H1, CPC-MDP-MA-SW10B,
FREQ-RHR3, PROB-W1D6, DR-MT, DURATION-D6
244 97.8 0.0 1.222E-008 UNITY, LOOPISOLATED2R6, REFUEL, PROB-RHR2A,
RWT-TNK-LF-RWST, /PZR-SV-REMOVEDW2, PROB-W2R6A
245 97.9 0.0 1.221E-008 UNITY, REFUEL, DURATION-R6, PROB-W1R6,
/PZR-SV-REMOVEDW1, FREQ-L1, D-L1W1-XHE
246 97.9 0.0 1.203E-008 UNITY, LPR-MOV-FT-1862B, PROB-RHR2A,
SAS-CPS-FR-1SAC1, IAS-CPS-FS-IAC-1, DR-MT,
PROB-W1D6A
247 98.0 0.0 1.203E-008 UNITY, LPR-MOV-FT-1862B, PROB-RHR2A,
SAS-CPS-FR-2SAC1, IAS-CPS-FS-IAC-1, DR-MT,
PROB-W1D6A
248 98.0 0.0 1.195E-008 UNITY, LPI-MDP-FS-SI1B, RHR-MDP-FS-RHR1B,
PROB-W1D6, DR-MT, DURATION-D6, H-SI-REC-W1,
FREQ-SI
249 98.1 0.0 1.195E-008 UNITY, LPR-MOV-FT-1860B, RHR-MDP-FS-RHR1B,
PROB-W1D6, DR-MT, DURATION-D6, H-SI-REC-W1,
FREQ-SI
250 98.2 0.0 1.171E-008 UNITY, ACP-INV-NO-UPSB1, MSS-AOV-FC-101B,
PROB-W3D6, DR-MT, DURATION-D6, FREQ-L2, NRAC346,
/PROB-1HFAILEDL2, 2EH1L2
251 98.2 0.0 1.171E-008 UNITY, ACP-INV-NO-UPSB1, MSS-AOV-FC-101A,
PROB-W3D6, DR-MT, DURATION-D6, FREQ-L2, NRAC346,
/PROB-1HFAILEDL2, 2EH1L2
252 98.3 0.0 1.139E-008 UNITY, RHR-ASF-PG-1605, PROB-W1D6,
LPR-CCF-PG-SUMP1, DR-MT, DURATION-D6, FREQ-SI
253 98.3 0.0 1.129E-008 UNITY, PROB-W1D6, DR-MT, DURATION-D6,
A-SIW1-XHE-C-18, H-SI-REC-W1, FREQ-SI,
A-SIW1-XHE-R-12
254 98.4 0.0 1.128E-008 UNITY, REFUEL, FREQ-CCW, LPR-MOV-FT-1862B,
DURATION-R6, H-CCW-REC-W1, PROB-W1R6,
LOOPISOLATED1R6, /PZR-SV-REMOVEDW1
255 98.4 0.0 1.120E-008 UNITY, HPR-MDP-FR-A18HR, OSR-TRA-MA, ISR-TRA-MA,
FREQ-RHR3, PROB-W1D6, DR-MT, DURATION-D6

256 98.5 0.0 1.115E-008 UNITY, CCW-LF-RHE2B, PROB-W1D6,
LPR-CCF-PG-SUMP1, DR-MT, DURATION-D6,
H-VB-REC-W1, FREQ-VB
257 98.5 0.0 1.112E-008 UNITY, LPI-CCF-FS-SI1AB, CCW-LF-RHE2B,
PROB-W1D6, DR-MT, DURATION-D6, H-SI-REC-W1,
FREQ-SI
258 98.6 0.0 1.110E-008 UNITY, REFUEL, DURATION-R6, /PZR-SV-REMOVEDW2,
PROB-W2R6, D-VBW2-XHE, FREQ-VB
259 98.7 0.0 1.093E-008 UNITY, ACP-INV-NO-UPSA2, MSS-AOV-FC-101A,
MSS-NRV-MA-101A, PROB-W2D6, DR-MT, DURATION-D6,
H-4KV-REC-W2, FREQ-4KV
260 98.7 0.0 1.093E-008 UNITY, ACP-INV-NO-UPSA2, MSS-AOV-FC-101B,
MSS-NRV-MA-101B, PROB-W2D6, DR-MT, DURATION-D6,
H-4KV-REC-W2, FREQ-4KV
261 98.8 0.0 1.092E-008 UNITY, PROB-W4D6, DR-MT, DURATION-D6, FREQ-L1,
D-L1W4-XHE
262 98.8 0.0 1.090E-008 UNITY, ACP-INV-NO-UPSA2, REFUEL, DURATION-R6,
PROB-W1R6, LOOPISOLATED1R6, /PZR-SV-REMOVEDW1,
H-4KV-REC-W1, FREQ-4KV
263 98.9 0.0 1.084E-008 UNITY, LPR-MOV-FT-1862B, PROB-RHR2A,
CCW-LF-RHE2A, CCW-LF-RHE2B, DR-MT, PROB-W1D6A
264 98.9 0.0 1.077E-008 UNITY, FREQ-CCW, LPR-CKV-FT-CV47, H-CCW-REC-W1,
PROB-W1D6, DR-MT, DURATION-D6
265 99.0 0.0 1.077E-008 UNITY, LPI-CKV-FT-CV50, FREQ-CCW, H-CCW-REC-W1,
PROB-W1D6, DR-MT, DURATION-D6
266 99.0 0.0 1.071E-008 UNITY, ACP-BAC-ST-4KV1H, AFW-MDP-MA-FW3B,
FREQ-CCW, H-CCW-REC-W2, PROB-W2D6, DR-MT,
DURATION-D6
267 99.1 0.0 1.071E-008 UNITY, REFUEL, PROB-RHR2A, PZR-SV-REMOVEDW3,
D-RAW3-XHE, PROB-W3R6A
268 99.1 0.0 1.070E-008 UNITY, REFUEL, /PZR-SV-REMOVEDW4, PROB-W4R10,
FRAC-POS10, DURATION-R10, D-SIW4-XHE, FREQ-SI
269 99.2 0.0 1.065E-008 UNITY, LPI-MDP-FS-SI1B, PROB-W1D6, DR-MT,
DURATION-D6, FREQ-L1, A-L1W1-XHE-R-4
270 99.2 0.0 1.065E-008 UNITY, LPR-MOV-FT-1860B, PROB-W1D6, DR-MT,
DURATION-D6, FREQ-L1, A-L1W1-XHE-R-4
271 99.3 0.0 1.055E-008 UNITY, LPI-MDP-FS-SI1B, CCW-LF-RHE2B, PROB-W1D6,
FREQ-RHR4, DR-MT, DURATION-D6
272 99.3 0.0 1.055E-008 UNITY, LPR-MOV-FT-1860B, CCW-LF-RHE2B,
PROB-W1D6, FREQ-RHR4, DR-MT, DURATION-D6

273 99.4 0.0 1.044E-008 UNITY, ACP-INV-NO-UPSB1, LOOPISOLATED2R6,
REFUEL, DURATION-R6, /PZR-SV-REMOVEDW2,
PROB-W2R6, FREQ-L3, NRAC262, /PROB-1HFAILEDL3
274 99.5 0.0 1.039E-008 UNITY, LOSP, OEP-DGN-FS-DG01, PROB-W2D6,
FREQ-RHR5, DR-MT, DURATION-D6
275 99.5 0.0 1.030E-008 UNITY, LOSP, OEP-DGN-FS-DG01, PROB-W2D6, DR-MT,
DURATION-D6, FREQ-4KV
276 99.6 0.0 1.028E-008 UNITY, LPR-MOV-FT-1862B, PROB-W1D6, DR-MT,
DURATION-D6, H-VB-REC-W1, FREQ-VB,
A-VBW1-XHE-R-12
277 99.6 0.0 1.014E-008 UNITY, CCW-MDP-FR-CCP1B, LOOPISOLATED2R6,
REFUEL, DURATION-R6, /PZR-SV-REMOVEDW2,
PROB-W2R6, H-4KV-REC-W2, FREQ-4KV
278 99.7 0.0 1.014E-008 UNITY, LOOPISOLATED2R6, REFUEL,
RHR-MDP-FR-B24HR, DURATION-R6,
/PZR-SV-REMOVEDW2, PROB-W2R6, H-4KV-REC-W2,
FREQ-4KV
279 99.7 0.0 1.014E-008 UNITY, LOOPISOLATED2R6, DCP-BAT-LP-BAT1A,
REFUEL, DURATION-R6, /PZR-SV-REMOVEDW2,
PROB-W2R6, H-4KV-REC-W2, FREQ-4KV
280 99.8 0.0 1.009E-008 UNITY, DCP-BDC-ST-BUS1B, PROB-RHR2A,
CCW-LF-RHE2A, DR-MT, PROB-W1D6A
281 99.8 0.0 1.009E-008 UNITY, ACP-BAC-ST-4KV1H, PROB-RHR2A,
CCW-LF-RHE2B, DR-MT, PROB-W1D6A
282 99.9 0.0 1.009E-008 UNITY, ACP-BAC-ST-4KV1J, PROB-RHR2A,
CCW-LF-RHE2A, DR-MT, PROB-W1D6A
283 99.9 0.0 1.007E-008 UNITY, LOSP, PROB-RHR2A, DR-MT, PROB-W1D6A,
LPR-CCF-PG-SUMP1
284 100.0 0.0 1.000E-008 UNITY, ACP-INV-NO-UPSB1, REFUEL,
/PZR-SV-REMOVEDW4, PROB-W4R10, FRAC-POS10,
DURATION-R10, FREQ-L3, NRAC455,
/PROB-1HFAILEDL3

Table 10-50

Dominant Core Damage Cutsets After Recovery Actions

Family->RHRMODEL End State ->CD


Mincut Upper Bound -> 3.466E-006 This Partition -> 3.466E-006

Cut % % Cut
No. Total Set Frequency Cut Sets

1 6.3 6.3 2.203E-007 UNITY, PROB-W2D6, DR-MT, DURATION-D6, FREQ-L1,
D-L1W2-XHE, /NRAC262
2 12.3 5.9 2.074E-007 UNITY, PROB-W3D6, DR-MT, DURATION-D6, FREQ-L1,
D-L1W3-XHE, /NRAC346
3 17.2 4.9 1.697E-007 UNITY, PROB-W2D6, DR-MT, DURATION-D6,
D-SIW2-XHE, FREQ-SI
4 21.4 4.2 1.464E-007 UNITY, FREQ-RHR3, PROB-W1D6, DR-MT, DURATION-D6,
LPR-CCF-PG-SUMP1, R-A3W1D6-XHE-C
5 25.6 4.2 1.460E-007 UNITY, PROB-W3D6, DR-MT, DURATION-D6,
D-SIW3-XHE, FREQ-SI
6 29.2 3.5 1.237E-007 UNITY, PROB-W1D6, DR-MT, DURATION-D6, FREQ-L1,
D-L1W1-XHE, /NRAC200
7 32.7 3.5 1.216E-007 UNITY, REFUEL, DURATION-R6, /PZR-SV-REMOVEDW2,
PROB-W2R6, FREQ-L1, D-L1W2-XHE, /NRAC262
8 35.8 3.1 1.077E-007 UNITY, FREQ-CCW, H-CCW-REC-W1, PROB-W1D6,
LPR-CCF-PG-SUMP1, DR-MT, DURATION-D6,
R-W1D6-XHE-C-A3
9 38.5 2.7 9.522E-008 UNITY, REFUEL, DURATION-R6, PZR-SV-REMOVEDW3,
PROB-W3R6, FREQ-L1, D-L1W3-XHE, /NRAC346
10 41.3 2.7 9.370E-008 UNITY, REFUEL, DURATION-R6, /PZR-SV-REMOVEDW2,
PROB-W2R6, D-SIW2-XHE, FREQ-SI
11 43.9 2.6 9.040E-008 UNITY, PROB-RHR2A, DR-MT, D-RAW1-XHE,
PROB-W1D6A
12 46.4 2.5 8.729E-008 UNITY, PROB-W1D6, DR-MT, DURATION-D6,
D-SIW1-XHE, FREQ-SI
13 48.6 2.2 7.739E-008 UNITY, PROB-W2D6, DR-MT, DURATION-D6, FREQ-L1,
NRAC262, D-L1W2-XHE
14 50.7 2.1 7.380E-008 UNITY, PROB-W1D6, DR-MT, DURATION-D6, FREQ-B1,
NRAC200, A-B1W1-XHE-2CH-8
15 52.7 1.9 6.703E-008 UNITY, REFUEL, DURATION-R6, PZR-SV-REMOVEDW3,
PROB-W3R6, D-SIW3-XHE, FREQ-SI
16 54.4 1.6 5.822E-008 UNITY, PROB-W1D6, DR-MT, DURATION-D6, FREQ-L1,
NRAC200, D-L1W1-XHE
17 55.9 1.5 5.413E-008 UNITY, ACP-INV-NO-UPSA2, PROB-W1D6, DR-MT,
DURATION-D6, H-4KV-REC-W1, FREQ-4KV,
R-W1D6-XHE-C-A3
18 57.5 1.5 5.383E-008 UNITY, PROB-W2D6, DR-MT, DURATION-D6, FREQ-L2,
D-L2W2-XHE, /NRAC262
19 58.9 1.4 5.068E-008 UNITY, PROB-W3D6, DR-MT, DURATION-D6, FREQ-L2,
D-L2W3-XHE, /NRAC346
20 60.3 1.4 4.864E-008 UNITY, PROB-W3D6, DR-MT, DURATION-D6, FREQ-L1,
NRAC346, D-L1W3-XHE

21 61.7 1.3 4.746E-008 UNITY, PROB-W2D6, DR-MT, DURATION-D6, FREQ-B2,
NRAC262, R-B2W2-2
22 63.0 1.3 4.501E-008 UNITY, PROB-RHR2A, DR-MT, D-RAW2-XHE,
PROB-W2D6A
23 64.3 1.2 4.393E-008 UNITY, LPI-MDP-FS-SI1B, FREQ-RHR3, PROB-W1D6,
DR-MT, DURATION-D6, R-A3W1D6-XHE-C
24 65.5 1.2 4.273E-008 UNITY, REFUEL, DURATION-R6, /PZR-SV-REMOVEDW2,
PROB-W2R6, FREQ-L1, NRAC262, D-L1W2-XHE
25 66.7 1.1 4.068E-008 UNITY, REFUEL, /PZR-SV-REMOVEDW4, PROB-W4R10,
FRAC-POS10, DURATION-R10, FREQ-B2, NRAC455
26 67.8 1.1 3.912E-008 UNITY, REFUEL, /PZR-SV-REMOVEDW4, PROB-W4R10,
FRAC-POS10, DURATION-R10, FREQ-L1, D-L1W4-XHE,
/NRAC455
27 68.8 1.0 3.628E-008 UNITY, PROB-W1D6, DR-MT, DURATION-D6, FREQ-B2,
NRAC200
28 69.8 0.9 3.394E-008 UNITY, PROB-W2D6, FREQ-RHR5, DR-MT, DURATION-D6
D-R5W2-XHE
29 70.8 0.9 3.381E-008 UNITY, PROB-W2D6, DR-MT, DURATION-D6, FREQ-SR,
D-SRW2-XHE
30 71.8 0.9 3.362E-008 UNITY, PROB-W2D6, DR-MT, DURATION-D6, FREQ-4KV,
D-4KW2-XHE
31 72.7 0.9 3.297E-008 UNITY, REFUEL, PROB-RHR2A, /PZR-SV-REMOVEDW2,
D-RAW2-XHE, PROB-W2R6A
32 73.7 0.9 3.274E-008 UNITY, PROB-W1D6, DR-MT, DURATION-D6, FREQ-L3,
NRAC200, A-L3W1-XHE-CW-4
33 74.6 0.9 3.231E-008 UNITY, FREQ-CCW, LPI-MDP-FS-SI1B, H-CCW-REC-W1,
PROB-W1D6, DR-MT, DURATION-D6, R-W1D6-XHE-C-A3
34 75.5 0.8 2.972E-008 UNITY, REFUEL, DURATION-R6,/PZR-SV-REMOVEDW2,
PROB-W2R6, FREQ-L2, D-L2W2-XHE, /NRAC262
35 76.3 0.8 2.949E-008 UNITY, REFUEL, DURATION-R6, FREQ-RHR3,
PROB-W1R6, LOOPISOLATED1R6, /PZR-SV-REMOVEDW1,
LPR-CCF-PG-SUMP1
36 77.1 0.8 2.919E-008 UNITY, PROB-W3D6, FREQ-RHR5, DR-MT, DURATION-D6
D-R5W3-XHE
37 78.0 0.8 2.912E-008 UNITY, PROB-W2D6, DR-MT, DURATION-D6, FREQ-B1,
NRAC262, D-B1W2-XHE
38 78.8 0.8 2.908E-008 UNITY, PROB-W3D6, DR-MT, DURATION-D6, FREQ-SR,
D-SRW3-XHE
39 79.7 0.8 2.892E-008 UNITY, PROB-W3D6, DR-MT, DURATION-D6, FREQ-4KV,
D-4KW3-XHE

40 80.4 0.7 2.620E-008 UNITY, REFUEL, DURATION-R6, /PZR-SV-REMOVEDW2,
PROB-W2R6, FREQ-B2, NRAC262, R-B2W2-2
41 81.1 0.7 2.517E-008 UNITY, CCW-LF-RHE2B, PROB-W1D6, DR-MT,
DURATION-D6, H-4KV-REC-W1, FREQ-4KV,
R-W1D6-XHE-C-A3
42 81.9 0.7 2.471E-008 UNITY, CCW-LF-RHE2B, PROB-W1D6,
LPR-CCF-PG-SUMP1, DR-MT, DURATION-D6,
H-SI-REC-W1, FREQ-SI, R-W1D6-XHE-C-A3

Table 10-50 (continued)

43 82.5 0.6 2.327E-008 UNITY, REFUEL, DURATION-R6, PZR-SV-REMOVEDW3,
PROB-W3R6, FREQ-L2, D-L2W3-XHE, /NRAC346
44 83.2 0.6 2.234E-008 UNITY, REFUEL, DURATION-R6, PZR-SV-REMOVEDW3,
PROB-W3R6, FREQ-L1, NRAC346, D-L1W3-XHE
45 83.8 0.6 2.169E-008 UNITY, REFUEL, FREQ-CCW, DURATION-R6,
H-CCW-REC-W1, PROB-W1R6, LOOPISOLATED1R6,
/PZR-SV-REMOVEDW1, LPR-CCF-PG-SUMP1
46 84.4 0.6 2.127E-008 UNITY, PROB-W3D6, DR-MT, DURATION-D6, FREQ-B2,
NRAC346, R-B2W3-2
47 85.0 0.6 2.109E-008 UNITY, LOOPISOLATED2R6, REFUEL, DURATION-R6,
FREQ-RHR3, /PZR-SV-REMOVEDW2, PROB-W2R6,
A-R3W2-XHE-X, LPR-CCF-PG-SUMP2
48 85.6 0.6 2.082E-008 UNITY, PROB-RHR2A, DR-MT, D-RAW3-XHE,
PROB-W3D6A
49 86.2 0.5 2.010E-008 UNITY, PROB-W2D6, DR-MT, DURATION-D6,
D-VBW2-XHE, FREQ-VB
50 86.7 0.5 1.891E-008 UNITY, PROB-W2D6, DR-MT, DURATION-D6, FREQ-L2,
NRAC262, D-L2W2-XHE
51 87.3 0.5 1.874E-008 UNITY, REFUEL, DURATION-R6,/PZR-SV-REMOVEDW2,
PROB-W2R6, FREQ-RHR5, D-R5W2-XHE
52 87.8 0.5 1.867E-008 UNITY, REFUEL, DURATION-R6,/PZR-SV-REMOVEDW2,
PROB-W2R6, FREQ-SR, D-SRW2-XHE
53 88.4 0.5 1.856E-008 UNITY, REFUEL, DURATION-R6,/PZR-SV-REMOVEDW2,
PROB-W2R6, FREQ-4KV, D-4KW2-XHE
54 88.9 0.5 1.830E-008 UNITY, CON-VFC-RP-COREM, OSR-TRA-MA, ISR-TRA-MA,
FREQ-RHR3, PROB-W1D6, DR-MT, DURATION-D6,
R-A3W1D6-XHE-C
55 89.4 0.5 1.830E-008 UNITY, PROB-W3D6, DR-MT, DURATION-D6, FREQ-B1,
NRAC346, D-B1W3-XHE
56 89.9 0.5 1.794E-008 UNITY, PROB-W1D6, DR-MT, DURATION-D6, FREQ-L2,
D-L2W1-XHE, /NRAC200

57 90.4 0.5 1.746E-008 UNITY, PROB-W1D6, FREQ-RHR5, DR-MT, DURATION-D6,
D-R5W1-XHE
58 90.9 0.5 1.729E-008 UNITY, PROB-W1D6, DR-MT, DURATION-D6, FREQ-4KV,
D-4KW1-XHE
59 91.4 0.5 1.729E-008 UNITY, PROB-W3D6, DR-MT, DURATION-D6,
D-VBW3-XHE, FREQ-VB
60 91.9 0.4 1.677E-008 UNITY, PROB-W1D6, DR-MT, DURATION-D6, FREQ-B1,
NRAC200, A-B1W1-XHE-CW-8
61 92.4 0.4 1.676E-008 UNITY, REFUEL, PZR-SV-REMOVEDW4, PROB-W4R10,
FRAC-POS10, DURATION-R10, FREQ-L1, D-L1W4-XHE,
/NRAC455
62 92.9 0.4 1.608E-008 UNITY, REFUEL, DURATION-R6,/PZR-SV-REMOVEDW2,
PROB-W2R6, FREQ-B1, NRAC262, D-B1W2-XHE
63 93.3 0.4 1.598E-008 UNITY, PROB-W1D6, DR-MT, DURATION-D6,
D-VBW1-XHE, FREQ-VB
64 93.8 0.4 1.532E-008 UNITY, DCP-BAT-LP-BAT1B, ACP-BCH-MA-UPSB1,
ACP-BCH-MA-UPSB2, PROB-W1D6, DR-MT, DURATION-D6,
H-SI-REC-W1, FREQ-SI, R-W1D6-XHE-C-A3


65 94.2 0.4 1.464E-008 UNITY, FREQ-RHR3, PROB-W1D6, A-R3W1-XHE-C-8,
DR-MT, DURATION-D6, R-A3W1D6-XHE-C
66 94.6 0.3 1.346E-008 UNITY, CON-VFC-RP-COREM, FREQ-CCW, OSR-TRA-MA,
ISR-TRA-MA, H-CCW-REC-W1, PROB-W1D6, DR-MT,
DURATION-D6, R-W1D6-XHE-C-A3
67 95.0 0.3 1.341E-008 UNITY, REFUEL, DURATION-R6, PZR-SV-REMOVEDW3,
PROB-W3R6, FREQ-RHR5, D-R5W3-XHE
68 95.3 0.3 1.335E-008 UNITY, REFUEL, DURATION-R6, PZR-SV-REMOVEDW3,
PROB-W3R6, FREQ-SR, D-SRW3-XHE
69 95.7 0.3 1.328E-008 UNITY, REFUEL, DURATION-R6, PZR-SV-REMOVEDW3,
PROB-W3R6, FREQ-4KV, D-4KW3-XHE
70 96.1 0.3 1.261E-008 UNITY, ACP-INV-NO-UPSA2, LOOPISOLATED2R6,
REFUEL, DURATION-R6, /PZR-SV-REMOVEDW2,
PROB-W2R6, H-4KV-REC-W2, FREQ-4KV,
R-W2D6-XHE-C-A9
71 96.4 0.3 1.195E-008 UNITY, ACP-BAC-ST-4KV1J, PROB-W1D6, DR-MT,
DURATION-D6, H-SI-REC-W1, FREQ-SI,
R-W1D6-XHE-C-A3
72 96.8 0.3 1.195E-008 UNITY, DCP-BDC-ST-BUS1B, PROB-W1D6, DR-MT,
DURATION-D6, H-SI-REC-W1, FREQ-SI,
R-W1D6-XHE-C-A3

73 97.1 0.3 1.189E-008 UNITY, PROB-W3D6, DR-MT, DURATION-D6, FREQ-L2,
NRAC346, D-L2W3-XHE
74 97.5 0.3 1.150E-008 UNITY, PROB-W1D6, DR-MT, DURATION-D6,
H-4KV-REC-W1, FREQ-4KV, A-4KW1-XHE-R-12,
R-W1D6-XHE-C-A3
75 97.8 0.3 1.129E-008 UNITY, PROB-W1D6, LPR-CCF-PG-SUMP1, DR-MT,
DURATION-D6, H-SI-REC-W1, FREQ-SI,
A-SIW1-XHE-R-12, R-W1D6-XHE-C-A3
76 98.1 0.3 1.110E-008 UNITY, REFUEL, DURATION-R6,/PZR-SV-REMOVEDW2,
PROB-W2R6, D-VBW2-XHE, FREQ-VB
77 98.4 0.3 1.090E-008 UNITY, ACP-INV-NO-UPSA2, REFUEL, DURATION-R6,
PROB-W1R6, LOOPISOLATED1R6, /PZR-SV-REMOVEDW1,
H-4KV-REC-W1, FREQ-4KV
78 98.7 0.3 1.077E-008 UNITY, FREQ-CCW, H-CCW-REC-W1, PROB-W1D6,
A-CCW1-XHE-C-9, DR-MT, DURATION-D6,
R-W1D6-XHE-C-A3
79 99.0 0.3 1.071E-008 UNITY, REFUEL, PROB-RHR2A, PZR-SV-REMOVEDW3,
D-RAW3-XHE, PROB-W3R6A
80 99.3 0.3 1.070E-008 UNITY, REFUEL,/PZR-SV-REMOVEDW4, PROB-W4R10,
FRAC-POS10, DURATION-R10, FREQ-SI, D-SIW4-XHE
81 99.7 0.3 1.058E-008 UNITY, REFUEL, DURATION-R6,/PZR-SV-REMOVEDW3,
PROB-W3R6, FREQ-L1, D-L1W3-XHE, /NRAC346
82 100.0 0.3 1.044E-008 UNITY, REFUEL, DURATION-R6, /PZR-SV-REMOVEDW2,
PROB-W2R6, FREQ-L2, NRAC262, D-L2W2-XHE

Table 10-51

Recovery Actions and Their Applicability to the Event Tree Sequences (Loss of RHR and Loss of Instrument Air)

Basic Event Name Recovery Rules Calculation of Basic Applicable Sequences Notes
Event Probability

R-A1W1D6-XHE-C LPR-MOV-FT-1862B + LPR-CCF-FT-862AB 0.9 * 4.3E-03 * 0.1 RAW1D6 #4,#7 Manually close the MOV or use
+0.1 * 0.1 RBW1D6 #4 #7 reflux cooling with 2 SGs
=1.04E-02 R3W1D6 #3
R4W1D6 #4 1. All W1D6 sequences with failure
R5W1D6 #4 of recirculation (Those sequences
ARW1D6 #5 without failure of recirc will not
meet the rule)

R-A2W1D6-XHE-C LPR-MOV-FT-1860B + LPR-CCF-FT-860AB SAME RAW1D6 #4,#7 Manually Open the MOV or use
RBW1D6 #4 #7 reflux cooling with 2 SGs
R3W1D6 #3
R4W1D6 #4 1. All W1D6 sequences with failure
R5W1D6 #4 of recirculation (Those sequences
ARW1D6 #5 without failure of recirc will not
meet the rule)

R-A3W1D6-XHE-C All W1D6 cutsets except those meeting A1 or 0.1 RAW1D6 #4,#7 Use reflux cooling with 2 SGs
A2. RBW1D6 #4 #7
R3W1D6 #3 1. All W1D6 cutsets that do not meet
R4W1D6 #4 A1 or A2.
R5W1D6 #4
ARW1D6 #5

R-A4W1D6-XHE-C Covered by A3 0.1 RAW1D6 #4,#7 Use reflux cooling with 2 SGs
RBW1D6 #4 #7
R3W1D6 #3 1. All W1D6 sequences with failure
R4W1D6 #4 of recirculation.
R5W1D6 #4
ARW1D6 #5 2. Covered by A3.
R-A5W1D6-XHE-C Covered by A3 0.1 RAW1D6 #4,#7 Use reflux cooling with 2 SGs
RBW1D6 #4 #7
R3W1D6 #3 1. All W1D6 sequences with failure
R4W1D6 #4 of recirculation.
R5W1D6 #4
ARW1D6 #5 2. Covered by A3.

R-A6W1D6-XHE-C Covered by A3 0.1 RAW1D6 #4,#7 Use reflux cooling with 2 SGs
RBW1D6 #4 #7
R3W1D6 #3 1. All W1D6 sequences with
R4W1D6 #4 failure of recirculation.
R5W1D6 #4
ARW1D6 #5 2. Covered by A3.
Table 10-51 (continued)

Basic Event Name Recovery Rules Calculation of Basic Applicable Sequences Notes
Event Probability

R-A7W2R6-XHE-C ACP-BAC-ST-4KV1H * 3.2E-03 + 1.91E-02 (U2 RAW2R6 #4 #9 Use of U2 charging pump and
/AFW-MDP-MA-FW3B charging) #12 #17 RWST
+ ACP-BAC-ST-1H1 * =2.23E-02 RAW2D6 #5 #9
CPC-MDP-MA-SW10B * RBW2R6 #4 #9 #12 1. All W2 sequences with failure of
/AFW-MDP-MA-FW3B #17 recirculation EXCEPT those covered
+ CPC-MDP-MA-SW10B * RBW2D6 #5 #9 by E1 (AFW-MDP-MA-3B).
/AFW-MDP-MA-FW3B * ACP-TFM-NO-1H1 R3W2R6 #3 #8
+ ACP-CRB-CO-14H15 * R3W2D6 #4 2. The recovery action is possible
CPC-MDP-MA-SW10B * R4W2R6 #4 #9 when unit 1 charging pumps or their
/AFW-MDP-MA-FW3B R4W2D6 #5 support system are not available.
+ ACP-CRB-CO-15H7 * R5W2R6 #4 #9
CPC-MDP-MA-SW10B * R5W2D6 #5 3. Use of unit 2 charging pump was
/AFW-MDP-MA-FW3B ARW2R6 #5 #10 not taken credit in the logic model.
+ ACP-BAC-ST-1H1-1 * ARW2D6 #6
CPC-MDP-MA-SW10B *
/AFW-MDP-MA-FW3B
+ ACP-BAC-MA-1H1 *
CPC-MDP-MA-SW10B *
/AFW-MDP-MA-FW3B
+ CPC-MDP-MA-SW10B *
/AFW-MDP-MA-FW3B *
CPC-MDP-FR-SW10A
+ ACP-CRB-CO-14H14 *
CPC-MDP-MA-SW10B *
/AFW-MDP-MA-FW3B
+ ACP-BAC-ST-1H1 * CPC-MDP-FS-SW10B
* /AFW-MDP-MA-FW3B
+ ACP-BAC-MA-1H1-1 *
CPC-MDP-MA-SW10B *
/AFW-MDP-MA-FW3B

Table 10-51 (continued)

Basic Event Name Recovery Rules Calculation of Basic Applicable Sequences Notes
Event Probability
R-A8W1R6-XHE-C LPR-MOV-FT-1862B + LPR-MOV-FT-1850B 4.4E-03 + 0.1 RAW1R6 #4 #9 Manually open or close MOV.
+ LPR-MOV-CCF-862AB + LPR-CCF-FT- =1.00E-01 #12 #17
860AB RBW1R6 #4 #9 #12 1.A11 W1R6.W2R6, W2D6 sequences
#17 with failure of recirculation.
R3W1R6 #3 #8
R4W1R6 #4 #9
R5W1R6 #4 #9
ARW1R6 #5 #10
RAW2R6 #4 #9
#12 #17
RAW2D6 #5 #9
RBW2R6 #4 #9 #12
#17
RBW2D6 #5 #9
R3W2R6 #3 #8
R3W2D6 #4
R4W2R6 #4 #9
R4W2D6 #5
R5W2R6 #4 #9
R5W2D6 #5
ARW2R6 #5 #10
ARW2D6 #6

R-C1W1D6A-XHE-R CPC-MDP-FR-SW10A * 1/24=4.17E-2 RAW1R6 #14 #18 Use more realistic mission time for
CPC-MDP-MA-SW10B * LPI-MDP-FS-SI1B RAW1D6 #8 SW10A in providing makeup
RAW2R6 #14 #18
RAW2D6 #10 1. All RHR2A and RHR2B
RAW3R6 #10 #12 sequences with failure to makeup
RAW3D6 #8 and failure to feed and spill.
RAW3R10 #10 #12
RAW4R6 #11 #14
RAW4D6 #8
RAW4R10 #11 #14
RBW1R6 #14 #18
RBW1D6 #8
RBW2R6 #14 #18
RBW2D6 #10
RBW3R6 #10 #12
RBW3D6 #8
RBW3R10 #10 #12
RBW4R6 #10 #12
RBW4D6 #8
RBW4R10 #10 #12
Table 10-51 (continued)

Basic Event Name Recovery Rules Calculation of Basic Applicable Sequences Notes
Event Probability

R-C2W2D6A-XHE-R CPC-MDP-FR-SW10A * 1/24=4.17E-2 SAME SAME
CPC-MDP-MA-SW10B * LPI-CCF-FS-SI1AB
R-C2W3D6A-XHE-R covered by C1 or C2 1/24=4.17E-2 SAME SAME

R-C3W4D6A-XHE-R covered by C1 or C2 1/24=4.17E-2 SAME SAME

R-D1W2R6-XHE-C ISR-TRA-MA * OSR-TRA-MA 3.2E-03 RAW2R6 #4 #9 Use of U2 charging pump and
#12 #17 RWST
RAW2D6 #5 #9
RBW2R6 #4 #9 #12 1. All W2 sequences with failure of
#17 recirculation.
RBW2D6 #5 #9
R3W2R6 #3 #8 2. This recovery action is covered by
R3W2D6 #4 A7 event, except the cutsets
R4W2R6 #4 #9 involving maintenance of
R4W2D6 #5 recirculation spray trains.
R5W2R6 #4 #9
R5W2D6 #5 3.The only recovery rule entered
ARW2R6 #5 #10 involves maintenance of recirculation
ARW2D6 #6 spray trains.
Table 10-51 (continued)

Basic Event Name Recovery Rules Calculation of Basic Applicable Sequences Notes
Event Probability
R-E1W2D6-XHE-C AFW-MDP-MA-FW3B 1E-04 + 7.33E-03(LSW1) RAW1R6 #4 #9 Use of U2 AFW to support reflux
= 7.43E-03 #12 #17 cooling (use of U2 charging and
RBW1R6 #4 #9 #12 RWST also possible)
#17
R3W1R6 #3 #8 1. All W1R6, W2R6 and W2D6
R4W1R6 #4 #9 sequences with recir failed and MA-
R5W1R6 #4 #9 FW3B.
ARW1R6 #5 #10
RAW2R6 #4 #9
#12 #17
RAW2D6 #5 #9
RBW2R6 #4 #9 #12
#17
RBW2D6 #5 #9
R3W2R6 #3 #8
R3W2D6 #4
R4W2R6 #4 #9
R4W2D6 #5
R5W2R6 #4 #9
R5W2D6 #5
ARW2R6 #5 #10
ARW2D6 #6

R-F1W1D6-XHE-C Covered by A3 0.1 RAW1D6 #4, #7 Use reflux cooling with 2 SGs
RBW1D6 #4 #7
R3W1D6 #3 1. All W1D6 sequences with failure
R4W1D6 #4 #9 to recirc.
R5W1D6 #4
RBW1D6 #4 #7 2. This is covered by A3.
ARW1D6 #5

R-G1W2DR6-XHE-C covered by E1 1E-04 + 7.33E-03(LSW1) Practically the same Use of U2 AFW to support reflux
= 7.43E-03 as E1. cooling (use of U2 charging and
RWST also possible)

1. This is the same as E1. The
operator can use Unit 2 AFW or
charging. AFW is modeled.
Table 10-51 (continued)

Basic Event Name Recovery Rules Calculation of Basic Applicable Sequences Notes
Event Probability

R-H1W1DR6-XHE-R RWT-TNK-LF-RWST 1.2E-03 (HEP for A- RAW1R6 #14 #18 Use of RWST to provide short term
RAW1-XHE-R) RAW1D6 #8 makeup in order to restore RHR
RAW2R6 #14 #18
RAW2D6 #10 1. All RHR2A and RHR2B
RAW3R6 #10 #12 sequences.
RAW3D6 #8
RAW3R10 #10 #12 2. The HEP is based on restoring
RAW4R6 #11 #14 RHR.(A-RAW1D6-XHE-R)
RAW4D6 #8
RAW4R10 #11 #14
RBW1R6 #14 #18
RBW1D6 #8
RBW2R6 #14 #18
RBW2D6 #10
RBW3R6 #10 #12
RBW3D6 #8
RBW3R10 #10 #12
RBW4R6 #10 #12
RBW4D6 #8
RBW4R10 #10 #12

Table 10-52

Recovery Actions and Their Applicability to the Loss of Support System Event Trees

Basic Event Name Recovery Rules Calculation of Basic Event Applicable Sequences Notes
Probability
R-W1D6-XHE-C-A1 LPR-MOV-FT-1862B + LPR- 0.9 * 4.3E-03 * 0.1 4KW1D6-#4,#8 Manually close the MOV or use reflux
CCF-FT-862AB +0.1 * 0.1 VBW1D6-#4,#8 cooling with 2 SGs
=1.04E-02 SIW1D6-#4,#8 1. All W1D6 sequences with failure of
CCW1D6-#4 recirculation.
R-W1D6-XHE-C-A2 LPR-MOV-FT-1860B + same 4KW1D6-#4,#8 Manually open the MOV or use reflux
LPR-CCF-FT-860AB VBW1D6-#4,#8 cooling with 2 SGs
SIW1D6-#4,#8 1. All W1D6 sequences with failure of
CCW1D6-#4 recirculation.
R-W1D6-XHE-C-A3 1. All W1D6 cutsets that do not .1 4KW1D6-#4,#5,#8,#9 Use reflux cooling with 2 SGs
meet A1, A2 and A10 and not VBW1D6-#4,#5,#8,#9 1. All W1D6 cutsets that do not meet A1
due to failure to diagnose. SIW1D6-#4,#5,#8,#9 or A2 and not due to failure to diagnose.
CCW1D6-#4,#5
2. SGA-DRAINED-R + 2. All W1R6, W2D6, and W2R6
SGB-DRAINED-R + 4KW1R6-#10,#19 sequences with "S" top event Failed and
SGC-DRAINED-R VBW1R6-#10,#19 "SG*-DRAINED-R" that are not
SIW1R6-#10,#19 otherwise recoverable.
CCW1R6-#10
4KW2D6-#6,#11
VBW2D6-#6,#11
SIW2D6-#6,#11
CCW2D6-#6
4KW2R6-#10,#19
VBW2R6-#10,#19
SIW2R6-#10,#19
CCW2R6-#10
R-W1D6-XHE-C-A4 Covered by A3 .1 Covered by A3 Use reflux cooling with 2 SGs
1. Covered by A3
R-W1D6-XHE-C-A5 Covered by A3 .1 Covered by A3 Use reflux cooling with 2 SGs
1. Covered by A3
Table 10-52 (continued)

Basic Event Name Recovery Rules Calculation of Basic Event Applicable Sequences Notes
Probability
R-W2D6-XHE-C-A9 All except those meeting 3.2E-03 + 1.91E-02 4KW2D6-#05,#10,#11? Use of Unit 2 charging pump and RWST
E1(AFW-MDP-MA-FW3B) = 2.23E-02 VBW2D6-#05,#10 1. All W2D6 and W2R6 sequences with
SIW2D6-#05,#10 failure to recirculate except those
CCW2D6-#5 covered by E1 (AFW-MDP-MA-3B)
4KW2R6-#04,#09,#13,#18
VBW2R6-#04,#09,#13,#18
SIW2R6-#04,#08,#13,#18
CCW2R6-#4,#9
R-W1D6-XHE-C-A10 A-CCW1-XHE-C-9 1. CCW1D6 - 4 Not recoverable
R-W1R6-XHE-C-A11 (LPR-MOV-FT-1862B + LPR- 4.31E-03 + 0.1 4KW1R6-#04,#09,#13,#18 Manually open or close the MOV
CCF-FT-862AB + = 1.04E-01 VBW1R6-#04,#09,#13,#18 1. All W1R6 sequences with failure to
LPR-MOV-FT-1860B + SIW1R6-#04,#09,#13,#18 recirculate and not covered by E1.
LPR-CCF-FT-860AB) * /AFW- CCW1R6-#04,#09
MDP-MA-FW3B
R-W1R6-XHE-C-A12 ACP-INV-NO-UPSA2 * 1.0 4KW1R6 - 18,19 Not recoverable(in my judgment)
LOOPISOLATED1R6
R-B1W2/W3/D6/R6-XHE-D D-4KW2-XHE 1.0 4KW2D6/R6 Not recoverable
D-4KW3-XHE 4KW3D6/R6
R-W2D6-XHE-C-D2 Covered by A9. 3.2E-03 + 1.91E-02 Covered by A9. Use of Unit 2 charging pump and
= 2.23E-02 RWST(same as A9)
1. All W2D6 and W2R6 sequences with
failure to recirculate except those
covered by E1 (AFW-MDP-MA-3B)
R-D3W2R6-XHE-C Covered by A9. 3.2E-03 + 1.91E-02 Covered by A9. Use of Unit 2 charging pump and
= 2.23E-02 RWST(same as A9)
1. All W2D6 and W2R6 sequences with
failure to recirculate except those
covered by E1 (AFW-MDP-MA-3B)

Table 10-52 (continued)

Basic Event Name Recovery Rules Calculation of Basic Event Applicable Sequences Notes
Probability
R-W2D6-XHE-C-E1 AFW-MDP-MA-FW3B 1.20E-04 + 7.33E-03 4KW1R6-#04,#09,#13,#18 Use of U2 AFW to support reflux
= 7.45E-03 VBW1R6-#04,#09,#13,#18 cooling(use of U2 charging and RWST
SIW1R6-#04,#09,#13,#18 also possible)
CCW1R6-#04,#09 1. All W1R6(charging not sufficient),
4KW2D6-#05,#10 W2R6 and W2D6 sequences with
VBW2D6-#05,#10 recirculation failed.
SIW2D6-#05,#10
CCW2D6-#5
4KW2R6-#04,#09,#13,#18
VBW2R6-#04,#09,#13,#18
SIW2R6-#04,#08,#13,#18
CCW2R6-#4,#9 2. All sequences not otherwise
recoverable.
4KW3D6-#5
4KW4D6-#9
SIW3D6-#5
4KW1R6-#10,#19
VBW1R6-#10,#19
SIW1R6-#10,#19
CCW1R6-#10
4KW2D6-#6,#11
VBW2D6-#6,#11
SIW2D6-#6,#11
CCW2D6-#6
4KW2R6-#10,#19
VBW2R6-#10,#19
SIW2R6-#10,#19
CCW2R6-#10
R-W2D6-XHE-C-E2 Covered by E1. 1.20E-04 + 7.33E-03 Covered by E1. Use of U2 AFW to support reflux
= 7.45E-03 cooling (use of U2 charging and RWST
also possible)
1. Covered by E1.
R-W2D6-XHE-C-G1 Covered by E1. 1.20E-04 + 7.33E-03 Covered by E1. Use of U2 AFW to support reflux
= 7.45E-03 cooling (use of U2 charging and RWST
also possible)
1. Covered by E1.
Table 10-52 (continued)

Basic Event Name Recovery Rules Calculation of Basic Event Applicable Sequences Notes
Probability
R-W2R6-XHE-C-G2 Covered by E1. 1.20E-04 + 7.33E-03 Covered by E1. Use of U2 AFW to support reflux
= 7.45E-03 cooling (use of U2 charging and RWST
also possible)
1. Covered by E1.
R-W2D6-XHE-C-G3 Covered by E1. 1.20E-04 + 7.33E-03 Covered by E1. Use of U2 AFW to support reflux
= 7.45E-03 cooling (use of U2 charging and RWST
also possible)
1. Covered by E1.
R-W2R6-XHE-C-G4 Covered by A9. 3.2E-03 + 1.91E-02 Covered by A9. Use of Unit 2 charging pump and
= 2.23E-02 RWST(same as A9)
1. All W2D6 and W2R6 sequences with
failure to recirculate except those
covered by E1 (AFW-MDP-MA-3B)
R-W2D6/R6-XHE-C-G5 Covered by E1. 1.20E-04 + 7.33E-03 Covered by E1. Use of U2 AFW to support reflux
= 7.45E-03 cooling (use of U2 charging and RWST
also possible)
1. Covered by E1.
R-W1D6/R6-XHE-C-G6 Covered by E1. 1.20E-04 + 7.33E-03 Covered by E1. Use of U2 AFW to support reflux
= 7.45E-03 cooling (use of U2 charging and RWST
also possible)
1. Covered by E1.
Table 10-53

Time To Recovery of Failed Diesel Generator

Time Following Operator Response Probability Density


0-5 minutes .05
5-15 minutes .10
15-30 minutes .10
30-60 minutes .05
1-2 hours .13
2-4 hours .12
4-8 hours .25
8-24 hours .10
24-72 hours .07
3-7 days .025
> 7 days .005
Table 10-54

Calculation of η Parameters in Windows 1-4

                                           W1                                  W2
                                           Time(hr)  NRAC¹   DG²     η³        Time(hr)  NRAC    DG      η
Original Evaluation                        2.0       0.32    N/A     N/A       2.62      0.26    N/A     N/A
Action 1 only, η₁                          12        0.034   0.175   0.0186    16.1      0.02    0.15    0.0115
Action 1&2,                                22        0.012   0.113   0.0042    26.1      N/A     N/A     N/A
Action 2 only,                             12        0.034   0.175   0.0186    12.6      0.03    0.175   0.0202
Action 1 only, but with gravity feed, η₁′  6.3       0.09    0.325   0.91      9.1       0.05    0.194   0.0373

¹ NRAC = Probability of non-recovery of offsite power in designated time
² DG = Probability of non-recovery of emergency diesel generator in designated time
³ η = η₁ or η₁η₂ for the designated combination of recovery actions
Table 10-54 (continued)

Calculation of η Parameters in Windows 1-4

                                           W3                                  W4
                                           Time(hr)  NRAC⁴   DG⁵     η⁶        Time(hr)  NRAC    DG      η
Original Evaluation                        3.46      0.19    N/A     N/A       4.55      0.14    N/A     N/A
Action 1 only, η₁                          22.5      0.011   0.1125  0.0065    43        N/A     N/A     N/A
Action 1&2,                                32.5      N/A     N/A     N/A       53        N/A     N/A     N/A
Action 2 only,                             13.5      0.03    0.1625  0.0257    14.6      0.02    0.16    0.0229
Action 1 only, but with gravity feed, η₁′  15.5      0.02    0.15    0.0158    N/A       N/A     N/A     N/A

⁴ NRAC = Probability of non-recovery of offsite power in designated time
⁵ DG = Probability of non-recovery of emergency diesel generator in designated time
⁶ η = η₁ or η₁η₂ for the designated combination of recovery actions
Table 10-55
p₂ for LOSP Categories and Windows 1-4

     W1    W2    W3    W4
L1   0     0     0     0
L2   0     0     0     0
L3   0     0     0     0
B1   .55   .36   .11   .11
B2   N/A   .42   .29   .19

Table 10-56
p₃ for LOSP Categories

     p₃
L1   1.0
L2   0.1
L3   0.1
B1   0.1
B2   1.0

Table 10-57

LOSP Recovery Actions, Parameters (η₁, η₁′, η₂, p₂ and p₃) and Total Probabilities

η₁ η₁η₂ p₂ p₃ TOTAL

R-B1W1-123-C-C 0.0186 4.22-3 0.55 0.1 1.04-2

R-B1W1-13-C-C 0.0186 0.0186 0 0.1 1.86-3

R-B1W1-3-C 1 1 0 0.1 0.1

R-B1W2-123-C-A 0.0115 0 0.36 0.1 4.14-3

R-B1W2-13-C-C 0.0115 0.0115 0 0.1 1.15-3

R-B1W2-23-A 1 0.0202 0.36 0.1 0.361

R-B1W2-23-AC 1 0.0202 0.36 0.1 0.361

R-B1W3-1-G 0.0158 0.0158 0 1.0 1.58-2

R-B1W3-13-G-C 0.0158 0.0158 0 0.1 1.58-3

R-B1W3-23-A 1 0.0257 0.11 0.1 0.112

R-B1W3-23-AC 1 0.0257 0.11 0.1 0.112

R-B2W2-2 1 0.0202 0.42 1.0 0.432

R-B2W3-1-G 0.0158 0.0158 0 1.0 1.58-2

R-B2W3-2 1 0.0257 0.29 1.0 0.308

R-B2W4-2 1 0.0229 0.19 1.0 0.209

R-L1W1-1-C 0.0186 0.0186 0 1.0 1.86-2

R-L2W1-1-C 0.0186 0.0186 0 1.0 1.86-2

R-L2W1-1-C-F 0.0186 0.0186 0 1.0 1.86-2

R-L2W1-123-C-A 0.0186 4.22-3 0 0.1 4.22-4

R-L2W1-123-C-C 0.0186 4.22-3 0 0.1 4.22-4

R-L2W1-13-C-C 0.0186 0.0186 0 0.1 1.86-3


Table 10-57 (continued)

η₁ η₁η₂ p₂ p₃ TOTAL

R-L2W1-13-C-C-F 0.0186 0.0186 0 0.1 1.86-3

R-L2W2-123-C-A 0.0115 0 0 0.1 0

R-L2W2-123-C-A-F 0.0115 0 0 0.1 0


R-L2W2-123-C-C 0.0115 0 0 0.1 0

R-L2W2-123-C-C-F 0.0115 0 0 0.1 0

R-L2W2-13-C-C 0.0115 0.0115 0 0.1 1.15-3

R-L2W2-13-C-C-F 0.0115 0.0115 0 0.1 1.15-3

R-L2W2-13-G-C 0.0373 0.0373 0 0.1 3.73-3

R-L2W2-13-G-C-F 0.0373 0.0373 0 0.1 3.73-3

R-L2W2-3-C 1 1 0 0.1 0.1

R-L2W3-123-C-A-F 6.51-3 0 0 0.1 0

R-L2W3-123-C-C-F 6.51-3 0 0 0.1 0

R-L2W3-13-C-C-F 6.51-3 6.51-3 0 0.1 6.51-4

R-L2W4-13-C-C-F 0 0 0 0.1 0

R-L3W1-1-C 0.0186 0.0186 0 1.0 1.86-2

R-L3W1-1-C-F 0.0186 0.0186 0 1.0 1.86-2

R-L3W1-13-C-C 0.0186 0.0186 0 0.1 1.86-3

R-L3W1-13-C-C-F 0.0186 0.0186 0 0.1 1.86-3

R-L3W2-123-C-A 0.0115 0 0 0.1 0

R-L3W2-123-C-A-F 0.0115 0 0 0.1 0

R-L3W2-123-C-C 0.0115 0 0 0.1 0

R-L3W2-123-C-C-F 0.0115 0 0 0.1 0


Table 10-57 (continued)

η₁ η₁η₂ p₂ p₃ TOTAL

R-L3W2-13-C-C 0.0115 0.0115 0 0.1 1.15-3

R-L3W2-13-C-C-F 0.0115 0.0115 0 0.1 1.15-3

R-L3W2-13-G-C 0.0373 0.0373 0 0.1 3.73-3

R-L3W2-23-A 1 0.0202 0 0.1 2.02-3

R-L3W2-23-A-F 1 0.0202 0 0.1 2.02-3

R-L3W3-123-C-A-F 6.51-3 0 0 0.1 0

R-L3W3-123-C-C-F 6.51-3 0 0 0.1 0

R-L3W3-13-C-C-F 6.51-3 6.51-3 0 0.1 6.51-4

R-L3W3-23-A-F 1 0.0257 0 0.1 2.57-3

R-L3W4-13-C-C-F 0 0 0 0.1 0

Table 10-58

Recovery Actions Sequence Rules for LOSP Sequences

RHRMODEL, B1W1D6,2-3=
DES A1 LPR-MOV-FT-1862B
IF LPR-MOV-FT-1862B
THEN R-A1W1D6-XHE-C.
DES A2 LPR-MOV-FT-1860B
IF LPR-MOV-FT-1860B
THEN R-A2W1D6-XHE-C.
DES A1 LPR-CCF-FT-862AB
IF LPR-CCF-FT-862AB
THEN R-A1W1D6-XHE-C.
DES A2 LPR-CCF-FT-860AB
IF LPR-CCF-FT-860AB
THEN R-A2W1D6-XHE-C.
DES A3 CREDIT REFLUX IN W1D6 (INCLUDE A4-A6)
IF NOT LPR-MOV-FT-1862B * NOT LPR-MOV-FT-1860B * NOT LPR-CCF-FT-862AB *
NOT LPR-CCF-FT-860AB * NOT D-R3W1-XHE
THEN R-A3W1D6-XHE-C.
DES /NRAC200
IF DURATION-D6
THEN A-CCW3-XHE-S1-7.
~EOS
RHRMODEL, B1W1D6,3=
DES/XXX
IF NOT XXX
THEN R-B1W1-13-C-C.
~EOS
RHRMODEL, B1W1D6,4=
DES /D-B1W1-XHENOT A-B1W1-XHE-2CH-8NOT A-B1W1-XHE-CW-8 *
IF NOT D-B1W1-XHE * NOT A-B1W1-XHE-2CH-8 * NOT A-B1W1-XHE-CW-8 *
NOT HPI-CKV-00-267U2 * NOT HPI-CKV-00-276U2
THEN R-B1W1-3-C.
~EOS
RHRMODEL, B1W1R6, 8=
DES/XXX
IF NOT XXX
THEN R-B1W1-123-C-C.
~EOS
RHRMODEL, B1W2D6,2-4=
DES Use U2 AFW to Support Reflux Cooling
IF ACP-BAC-ST-4KV1H = AFW-MDP-MA-FW3B = PROB-W2D6 = DR-MT = DURATION-D6 =
FREQ-B1
THEN R-E1W2D6-XHE-C.
DES /NRAC262
IF DURATION-D6
THEN A-CCW3-XHE-S1-7.
~EOS
RHRMODEL, B1W2D6,4=
DES/XXX
IF NOT XXX
THEN R-B1W2-123-C-A.
~EOS
RHRMODEL, B1W2D6,5=
DES /D-B1W2-XHENOT A-B1W2-XHE-2CH-8NOT A-B1W2-XHE-CW-8 *
IF NOT D-B1W2-XHE * NOT A-B1W2-XHE-2CH-8 * NOT A-B1W2-XHE-CW-8 *
NOT HPI-CKV-00-267U2 * NOT HPI-CKV-00-276U2
THEN R-B1W2-23-AC.
DES /D-B1W2-XHE * NOT R-B1W2-23-AC
IF NOT D-B1W2-XHE * NOT R-B1W2-23-AC
THEN R-B1W2-23-A.
~EOS
RHRMODEL, B1W2R6, 3=
DES/XXX
IF NOT XXX
THEN R-B1W2-13-C-C.
~EOS
RHRMODEL, B1W2R6, 8=
DES/XXX
IF NOT XXX
THEN R-B1W2-123-C-A.
~EOS
RHRMODEL, B1W2R6, 9=
DES /D-B1W2-XHENOT A-B1W2-XHE-2CH-8NOT A-B1W2-XHE-CW-8 *
IF NOT D-B1W2-XHE * NOT A-B1W2-XHE-2CH-8 * NOT A-B1W2-XHE-CW-8 *
NOT HPI-CKV-00-267U2 * NOT HPI-CKV-00-276U2
THEN R-B1W2-23-AC.
DES /D-B1W2-XHE * NOT R-B1W2-23-AC
IF NOT D-B1W2-XHE * NOT R-B1W2-23-AC
THEN R-B1W2-23-A.
^EOS
RHRMODEL, B1W3D6,5=
DES /D-B1W3-XHENOT A-B1W3-XHE-CW-8NOT A-B1W3-XHE-2CH-8 *
IF NOT D-B1W3-XHE * NOT A-B1W3-XHE-CW-8 * NOT A-B1W3-XHE-2CH-8 *
NOT HPI-CKV-00-267U2 * NOT HPI-CKV-00-276U2
THEN R-B1W3-23-AC.
DES /D-B1W3-XHE * NOT R-B1W3-23-AC
IF NOT D-B1W3-XHE * NOT R-B1W3-23-AC
THEN R-B1W3-23-A.
~EOS
RHRMODEL, B1W3R6, 5=
DES /D-B1W3-XHENOT A-B1W3-XHE-2CH-4NOT A-B1W3-XHE-CW-4 *
IF NOT D-B1W3-XHE * NOT A-B1W3-XHE-2CH-4 * NOT A-B1W3-XHE-CW-4 *
NOT HPI-CKV-00-267U2 * NOT HPI-CKV-00-276U2
THEN R-B1W3-13-G-C.
DES /D-B1W3-XHE * NOT R-B1W3-13-G-C
IF NOT D-B1W3-XHE * NOT R-B1W3-13-G-C
THEN R-B1W3-1-G.
~EOS
RHRMODEL, B2W1D6,2-3=
DES /nrac200
IF FREQ-B2
THEN A-CCW3-XHE-S1-7.
~EOS
RHRMODEL, B2W2D6,3=
DES/XXX
IF NOT XXX
THEN R-B2W2-2.
~EOS
RHRMODEL, B2W2R6, 6=
DES/XXX
IF NOT XXX
THEN R-B2W2-2.
~EOS
RHRMODEL, B2W3D6,3=
DES/XXX
IF NOT XXX
THEN R-B2W3-2.
~EOS
RHRMODEL, B2W3R6, 3=
DES/XXX
IF NOT XXX
THEN R-B2W3-1-G.
~EOS
RHRMODEL, B2W4D6,3=
DES/XXX
IF NOT XXX
THEN R-B2W4-2.
~EOS
RHRMODEL, L1W1D6, 4=
DES A1 LPR-MOV-FT-1862B
IF LPR-MOV-FT-1862B
THEN R-A1W1D6-XHE-C.
DES A2 LPR-MOV-FT-1860B
IF LPR-MOV-FT-1860B
THEN R-A2W1D6-XHE-C.
DES A1 LPR-CCF-FT-862AB
IF LPR-CCF-FT-862AB
THEN R-A1W1D6-XHE-C.
DES A2 LPR-CCF-FT-860AB
IF LPR-CCF-FT-860AB
THEN R-A2W1D6-XHE-C.
DES A3 CREDIT REFLUX IN W1D6 (INCLUDE A4-A6)
IF NOT LPR-MOV-FT-1862B * NOT LPR-MOV-FT-1860B * NOT LPR-CCF-FT-862AB *
NOT LPR-CCF-FT-860AB * NOT D-R3W1-XHE
THEN R-A3W1D6-XHE-C.
DES/NRAC200 L1W1D6
IF FREQ-L1
THEN A-CCW3-XHE-S1-7.
~EOS
RHRMODEL, L1W1D6, 5=
DES/NRAC200 L1W1D6
IF FREQ-L1
THEN A-CCW3-XHE-S1-7.
~EOS
RHRMODEL, L1W1D6, 7=
DES /A-L1W1-XHE-C-17 * NOT D-L1W1-XHE
IF NOT A-L1W1-XHE-C-17 * NOT D-L1W1-XHE
THEN R-L1W1-1-C.
~EOS
RHRMODEL, L1W1R6, 06=
DES /NRAC200 L1W1R6
IF FREQ-L1
THEN A-CCW3-XHE-S1-7.
~EOS
RHRMODEL, L1W1R6, 13=
DES /NRAC200 L1W1R6
IF FREQ-L1
THEN A-CCW3-XHE-S1-7.
~EOS
RHRMODEL, L1W1R6, 14=
DES /NRAC200 L1W1R6
IF FREQ-L1
THEN A-CCW3-XHE-S1-7.
~EOS
RHRMODEL, L1W2D6, 05=
DES/NRAC262 L1W2D6
IF FREQ-L1
THEN A-CCW3-XHE-S1-7.
~EOS
RHRMODEL, L1W2D6, 06=
DES/NRAC262 L1W2D6
IF FREQ-L1
THEN A-CCW3-XHE-S1-7.
~EOS
RHRMODEL, L1W2R6, 06=
DES /nrac262
IF FREQ-L1
THEN A-CCW3-XHE-S1-7.
~EOS
RHRMODEL, L1W2R6, 13=
DES /NRAC262 L1W2R6
IF FREQ-L1
THEN A-CCW3-XHE-S1-7.
~EOS
RHRMODEL, L1W2R6, 14=
DES /NRAC262
IF FREQ-L1
THEN A-CCW3-XHE-S1-7.
~EOS
RHRMODEL, L1W3D6,5=
DES/NRAC346 L1W3D6
IF FREQ-L1
THEN A-CCW3-XHE-S2-7.
~EOS
RHRMODEL, L1W3R10, 05=
DES/NRAC346 L1W3R10
IF FREQ-L1
THEN A-CCW3-XHE-S2-7.
~EOS
RHRMODEL, L1W3R10,10=
DES/NRAC346 L1W3R10
IF FREQ-L1
THEN A-CCW3-XHE-S2-7.
~EOS
RHRMODEL, L1W3R6, 05=
DES /NRAC346 L1W3R6
IF FREQ-L1
THEN A-CCW3-XHE-S2-7.
~EOS
RHRMODEL, L1W3R6,10=
DES /NRAC346 L1W3R6
IF FREQ-L1
THEN A-CCW3-XHE-S2-7.
~EOS
RHRMODEL, L1W4D6, 5=
DES/NRAC455 L1W4D6
IF FREQ-L1
THEN A-CCW3-XHE-S2-7.
~EOS
RHRMODEL, L1W4R10, 05=
DES/NRAC455 L1W4R10
IF FREQ-L1
THEN A-CCW3-XHE-S2-7.
~EOS
RHRMODEL, L1W4R10, 10=
DES/NRAC455 L1W4R10
IF FREQ-L1
THEN A-CCW3-XHE-S2-7.
~EOS
RHRMODEL, L1W4R6, 05=
DES /NRAC455 L1W4R6
IF FREQ-L1
THEN A-CCW3-XHE-S2-7.
~EOS
RHRMODEL, L1W4R6, 10=
DES/NRAC455 L1W4R6
IF FREQ-L1
THEN A-CCW3-XHE-S2-7.
~EOS
RHRMODEL, L2W1D6, 4=
DES A1 LPR-MOV-FT-1862B
IF LPR-MOV-FT-1862B
THEN R-A1W1D6-XHE-C.
DES A2 LPR-MOV-FT-1860B
IF LPR-MOV-FT-1860B
THEN R-A2W1D6-XHE-C.
DES A1 LPR-CCF-FT-862AB
IF LPR-CCF-FT-862AB
THEN R-A1W1D6-XHE-C.
DES A2 LPR-CCF-FT-860AB
IF LPR-CCF-FT-860AB
THEN R-A2W1D6-XHE-C.
DES A3 CREDIT REFLUX IN W1D6 (INCLUDE A4-A6)
IF NOT LPR-MOV-FT-1862B * NOT LPR-MOV-FT-1860B * NOT LPR-CCF-FT-862AB *
NOT LPR-CCF-FT-860AB * NOT D-R3W1-XHE
THEN R-A3W1D6-XHE-C.
DES/NRAC200 L2W1D6
IF FREQ-L2
THEN A-CCW3-XHE-S1-7.
~EOS
RHRMODEL, L2W1D6, 5=
DES/NRAC200 L2W1D6
IF FREQ-L2
THEN A-CCW3-XHE-S1-7.
~EOS
RHRMODEL, L2W1D6, 7=
DES /LPR-CCF-PG-SUMP1NOTLPI-MDP-FS-SI1BNOT A-L2W1-XHE-C-17 *
IF NOT LPR-CCF-PG-SUMP1 * NOT LPI-MDP-FS-SI1B * NOT A-L2W1-XHE-C-17 *
NOT CON-VFC-RP-COREM * NOT 2EH1L2 * NOT SWS-XHE-AP12 *
NOT A-L2W1-XHE-FH-18 * NOT A-L2W1-XHE-FL-18 * NOT D-L2W1-XHE
THEN R-L2W1-13-C-C.
DES /D-L2W1-XHE * NOT R-L2W1-13-C-C
IF NOT D-L2W1-XHE * NOT R-L2W1-13-C-C
THEN R-L2W1-1-C.
~EOS
RHRMODEL, L2W1D6, 8=
DES /D-L2W1-XHE * NOT PORV-PATH-CLSD *
IF NOT D-L2W1-XHE * NOT PORV-PATH-CLSD * A-L2W1-XHE-FL-18
THEN R-L2W1-1-C-F.
DES /D-L2W1-XHE * NOT PORV-PATH-CLSD *
IF NOT D-L2W1-XHE * NOT PORV-PATH-CLSD * LPI-MDP-FS-SI1B
THEN R-L2W1-1-C-F.
DES /D-L2W1-XHE * NOT PORV-PATH-CLSD *
IF NOT D-L2W1-XHE * NOT PORV-PATH-CLSD * DCP-BDC-ST-BUS1B
THEN R-L2W1-1-C-F.
DES /D-L2W1-XHE * NOT PORV-PATH-CLSD * NOT R-L2W1-1-C
IF NOT D-L2W1-XHE * NOT PORV-PATH-CLSD * NOT R-L2W1-1-C
THEN R-L2W1-13-C-C-F.
~EOS
RHRMODEL, L2W1R6,14=
DES/NRAC200 L2W1R6
IF FREQ-L2
THEN A-CCW3-XHE-S1-7.
~EOS
RHRMODEL, L2W1R6, 17=
DES AFW-MDP-MA-FW3B * PROB-1HFAILEDL2 * NOT D-L2W1-XHE
IF AFW-MDP-MA-FW3B * PROB-1HFAILEDL2 * NOT D-L2W1-XHE
THEN R-L2W1-123-C-A.
DES AFW-MDP-MA-FW3A * /PROB-1HFAILEDL2 * NOT D-L2W1-XHE
IF AFW-MDP-MA-FW3A * PROB-1HFAILEDL2 * NOT D-L2W1-XHE
THEN R-L2W1-123-C-A.
DES /R-L2W1-123-C-A * NOT D-L2W1-XHENOT MSS-AOV-FC-101A *
IF NOT R-L2W1-123-C-A * NOT D-L2W1-XHE * NOT MSS-AOV-FC-101A *
NOT MSS-AOV-FC-101B * NOT MSS-AOV-FC-101C * NOT MSS-AOV-MA-101A *
NOT MSS-AOV-MA-101B * NOT MSS-AOV-MA-101C * NOT LOOPISOLATED1R6 *
NOT SGA-DRAINED-R * NOT SGB-DRAINED-R * NOT SGC-DRAINED-R *
NOT A-L2W1-XHE-S1-17 * NOT SOLAIR-COMP * NOT FIRE-PUMP *
NOT SAS-CPS-FR-1SAC1 * NOT SAS-CPS-FR-2SAC1 * NOT IAS-CPS-FS-IAC-1 *
NOT IAS-CPS-FR-IAC-1
THEN R-L2W1-123-C-C.
DES /R-L2W1-123-C-A * NOT D-L2W1-XHE * NOT R-L2W1-123-C-C
IF NOT R-L2W1-123-C-A * NOT D-L2W1-XHE * NOT R-L2W1-123-C-C
THEN R-L2W1-13-C-C.
~EOS
RHRMODEL, L2W2D6,05=
DES/NRAC262 L2W2D6
IF FREQ-L2
THEN A-CCW3-XHE-S1-7.
~EOS
RHRMODEL, L2W2D6, 06=
DES/NRAC262 L2W2D6
IF FREQ-L2
THEN A-CCW3-XHE-S1-7.
~EOS
RHRMODEL, L2W2D6, 09=
DES AFW-MDP-MA-FW3B + AFW-MDP-MA-FW3A + AFW-MDP-FS-FW3A +
IF AFW-MDP-MA-FW3B + AFW-MDP-MA-FW3A + AFW-MDP-FS-FW3A + AFW-MDP-FS-FW3B +
AFW-MOV-MA-151A + AFW-MOV-MA-151B + AFW-MOV-MA-151C + AFW-MOV-MA-151D +
AFW-MOV-MA-151E + AFW-MOV-MA-151F + AFW-MOV-FT-151A + AFW-MOV-FT-151B +
AFW-MOV-FT-151C + AFW-MOV-FT-151D + AFW-MOV-FT-151E + AFW-MOV-FT-151F
THEN R-L2W2-123-C-A.
DES /R-L2W2-123-C-A * NOT D-L2W2-XHENOT MSS-AOV-FC-101A *
IF NOT R-L2W2-123-C-A * NOT D-L2W2-XHE * NOT MSS-AOV-FC-101A *
NOT MSS-AOV-FC-101B * NOT MSS-AOV-FC-101C * NOT MSS-AOV-MA-101A *
NOT MSS-AOV-MA-101B * NOT MSS-AOV-MA-101C * NOT LOOPISOLATED2D6 *
NOT SGA-DRAINED-R * NOT SGB-DRAINED-R * NOT SGC-DRAINED-R *
NOT A-L2W2-XHE-S1-17 * NOT SOLAIR-COMP * NOT FIRE-PUMP *
NOT SAS-CPS-FR-1SAC1 * NOT SAS-CPS-FR-2SAC1 * NOT IAS-CPS-FS-IAC-1 *
NOT IAS-CPS-FR-IAC-1 * NOT SGS-DRAINED-CSD * NOT A-L2-XHE-S *
NOT MSS-AOV-FT-101A * NOT MSS-AOV-FT-101B * NOT MSS-AOV-FT-101C *
NOT ISR-TRA-MA * NOT OSR-TRA-MA * NOT LPR-CCF-PG-SUMP2 *
NOT IAS-CCF-LF-INAIR
THEN R-L2W2-123-C-C.
DES AFW-CCF-FS-FW3AB + AFW-CKV-00-CV142 + A-L2W2-XHE-SF-17
IF AFW-CCF-FS-FW3AB + AFW-CKV-00-CV142 + A-L2W2-XHE-SF-17
THEN R-L2W2-123-C-C.
DES A-L2W2-XHE-X
IF A-L2W2-XHE-X
THEN R-L2W2-3-C.
DES /R-L2W2-123-C-A * NOT D-L2W2-XHE * NOT R-L2W2-123-C-C *
IF NOT R-L2W2-123-C-A * NOT D-L2W2-XHE * NOT R-L2W2-123-C-C *
NOT ISR-TRA-MA * NOT OSR-TRA-MA * NOT LPR-CCF-PG-SUMP2 * NOT R-L2W2-3-C
THEN R-L2W2-13-C-C.
~EOS
RHRMODEL, L2W2D6,10=
DES AFW-MDP-MA-FW3B + AFW-MDP-MA-FW3A + AFW-MDP-FS-FW3A +
IF AFW-MDP-MA-FW3B + AFW-MDP-MA-FW3A + AFW-MDP-FS-FW3A + AFW-MDP-FS-FW3B +
AFW-MOV-MA-151A + AFW-MOV-MA-151B + AFW-MOV-MA-151C + AFW-MOV-MA-151D +
AFW-MOV-MA-151E + AFW-MOV-MA-151F + AFW-MOV-FT-151A + AFW-MOV-FT-151B +
AFW-MOV-FT-151C + AFW-MOV-FT-151D + AFW-MOV-FT-151E + AFW-MOV-FT-151F
THEN R-L2W2-123-C-A-F.
DES DCP-BDC-ST-BUS1B
IF DCP-BDC-ST-BUS1B
THEN R-L2W2-123-C-A-F.
DES LPI-MDP-FS-SI1B * AFW-MDP-MA-FW3B
IF LPI-MDP-FS-SI1B * AFW-MDP-MA-FW3B
THEN R-L2W2-123-C-A-F.
DES A-L2W2-XHE-FL-18 * AFW-MDP-MA-FW3B
IF A-L2W2-XHE-FL-18 * AFW-MDP-MA-FW3B
THEN R-L2W2-123-C-A-F.
DES LPI-MDP-FS-SI1B * AFW-MDP-FS-FW3B
IF LPI-MDP-FS-SI1B * AFW-MDP-FS-FW3B
THEN R-L2W2-123-C-A-F.
DES A-L2W2-XHE-FL-18 * AFW-MDP-FS-FW3B
IF A-L2W2-XHE-FL-18 * AFW-MDP-FS-FW3B
THEN R-L2W2-123-C-A-F.
DES /R-L2W2-123-C-A-F * NOT D-L2W2-XHE * NOT MSS-AOV-FC-101A *
IF NOT R-L2W2-123-C-A-F * NOT D-L2W2-XHE * NOT MSS-AOV-FC-101A *
NOT MSS-AOV-FC-101B * NOT MSS-AOV-FC-101C * NOT MSS-AOV-MA-101A *
NOT MSS-AOV-MA-101B * NOT MSS-AOV-MA-101C * NOT LOOPISOLATED2D6 *
NOT SGA-DRAINED-R * NOT SGB-DRAINED-R * NOT SGC-DRAINED-R *
NOT A-L2W2-XHE-S1-17 * NOT SOLAIR-COMP * NOT FIRE-PUMP *
NOT SAS-CPS-FR-1SAC1 * NOT SAS-CPS-FR-2SAC1 * NOT IAS-CPS-FS-IAC-1 *
NOT IAS-CPS-FR-IAC-1 * NOT SGS-DRAINED-CSD * NOT A-L2-XHE-S *
NOT MSS-AOV-FT-101A * NOT MSS-AOV-FT-101B * NOT MSS-AOV-FT-101C *
NOT IAS-CCF-LF-INAIR * NOT PORV-PATH-CLSD * NOT DCP-BDC-ST-BUS1B *
NOT LPI-MDP-FS-SI1B * NOT A-L2W2-XHE-FL-18
THEN R-L2W2-123-C-C-F.
DES AFW-CCF-FS-FW3AB + AFW-CKV-00-CV142 + A-L2W2-XHE-SF-17
IF AFW-CCF-FS-FW3AB + AFW-CKV-00-CV142 + A-L2W2-XHE-SF-17
THEN R-L2W2-123-C-C-F.
DES /R-L2W2-123-C-A-F * NOT D-L2W2-XHE * NOT R-L2W2-123-C-C-F *
IF NOT R-L2W2-123-C-A-F * NOT D-L2W2-XHE * NOT R-L2W2-123-C-C-F *
NOT PORV-PATH-CLSD * NOT DCP-BDC-ST-BUS1B * NOT LPI-MDP-FS-SI1B *
NOT A-L2W2-XHE-FL-18
THEN R-L2W2-13-C-C-F.
DES LPI-MDP-FS-SI1B * NOT R-L2W2-123-C-A-F
IF LPI-MDP-FS-SI1B * NOT R-L2W2-123-C-A-F
THEN R-L2W2-13-C-C-F.
DES A-L2W2-XHE-FL-18 * NOT R-L2W2-123-C-A-F
IF A-L2W2-XHE-FL-18 * NOT R-L2W2-123-C-A-F
THEN R-L2W2-13-C-C-F.
~EOS
RHRMODEL, L2W2R6, 06=
DES/NRAC262 L2W2R6
IF FREQ-L2
THEN A-CCW3-XHE-S1-7.
~EOS
RHRMODEL, L2W2R6,13=
DES/NRAC262 L2W2R6
IF FREQ-L2
THEN A-CCW3-XHE-S1-7.
~EOS
RHRMODEL, L2W2R6, 14=
DES/NRAC262 L2W2R6
IF FREQ-L2
THEN A-CCW3-XHE-S1-7.
~EOS
RHRMODEL, L2W2R6, 17=
DES AFW-MDP-MA-FW3B + AFW-MDP-MA-FW3A + AFW-MDP-FS-FW3A +
IF AFW-MDP-MA-FW3B + AFW-MDP-MA-FW3A + AFW-MDP-FS-FW3A + AFW-MDP-FS-FW3B +
AFW-MOV-MA-151A + AFW-MOV-MA-151B + AFW-MOV-MA-151C + AFW-MOV-MA-151D +
AFW-MOV-MA-151E + AFW-MOV-MA-151F + AFW-MOV-FT-151A + AFW-MOV-FT-151B +
AFW-MOV-FT-151C + AFW-MOV-FT-151D + AFW-MOV-FT-151E + AFW-MOV-FT-151F
THEN R-L2W2-123-C-A.
DES /R-L2W2-123-C-A * NOT D-L2W2-XHE * NOT MSS-AOV-FC-101A *
IF NOT R-L2W2-123-C-A * NOT D-L2W2-XHE * NOT MSS-AOV-FC-101A *
NOT MSS-AOV-FC-101B * NOT MSS-AOV-FC-101C * NOT MSS-AOV-MA-101A *
NOT MSS-AOV-MA-101B * NOT MSS-AOV-MA-101C * NOT LOOPISOLATED2R6 *
NOT SGA-DRAINED-R * NOT SGB-DRAINED-R * NOT SGC-DRAINED-R *
NOT A-L2W2-XHE-S1-17 * NOT SOLAIR-COMP * NOT FIRE-PUMP *
NOT SAS-CPS-FR-1SAC1 * NOT SAS-CPS-FR-2SAC1 * NOT IAS-CPS-FS-IAC-1 *
NOT IAS-CPS-FR-IAC-1 * NOT SGS-DRAINED-CSD * NOT A-L2-XHE-S *
NOT MSS-AOV-FT-101A * NOT MSS-AOV-FT-101B * NOT MSS-AOV-FT-101C *
NOT ISR-TRA-MA * NOT OSR-TRA-MA * NOT LPR-CCF-PG-SUMP2 *
NOT IAS-CCF-LF-INAIR
THEN R-L2W2-123-C-C.
DES AFW-CCF-FS-FW3AB + AFW-CKV-00-CV142 + A-L2W2-XHE-SF-17
IF AFW-CCF-FS-FW3AB + AFW-CKV-00-CV142 + A-L2W2-XHE-SF-17
THEN R-L2W2-123-C-C.
DES A-L2W2-XHE-X
IF A-L2W2-XHE-X
THEN R-L2W2-13-G-C.
DES /R-L2W2-123-C-A * NOT D-L2W2-XHE * NOT R-L2W2-123-C-C *
IF NOT R-L2W2-123-C-A * NOT D-L2W2-XHE * NOT R-L2W2-123-C-C *
NOT ISR-TRA-MA * NOT OSR-TRA-MA * NOT LPR-CCF-PG-SUMP2 * NOT R-L2W2-13-G-C
THEN R-L2W2-13-C-C.
~EOS
RHRMODEL, L2W2R6, 18=
DES AFW-MDP-MA-FW3B + AFW-MDP-MA-FW3A + AFW-MDP-FS-FW3A +
IF AFW-MDP-MA-FW3B + AFW-MDP-MA-FW3A + AFW-MDP-FS-FW3A + AFW-MDP-FS-FW3B +
AFW-MOV-MA-151A + AFW-MOV-MA-151B + AFW-MOV-MA-151C + AFW-MOV-MA-151D +
AFW-MOV-MA-151E + AFW-MOV-MA-151F + AFW-MOV-FT-151A + AFW-MOV-FT-151B +
AFW-MOV-FT-151C + AFW-MOV-FT-151D + AFW-MOV-FT-151E + AFW-MOV-FT-151F
THEN R-L2W2-123-C-A-F.
DES DCP-BDC-ST-BUS1B
IF DCP-BDC-ST-BUS1B
THEN R-L2W2-123-C-A-F.
DES LPI-MDP-FS-SI1B * AFW-MDP-MA-FW3B
IF LPI-MDP-FS-SI1B * AFW-MDP-MA-FW3B
THEN R-L2W2-123-C-A-F.
DES A-L2W2-XHE-FL-18 * AFW-MDP-MA-FW3B
IF A-L2W2-XHE-FL-18 * AFW-MDP-MA-FW3B
THEN R-L2W2-123-C-A-F.
DES LPI-MDP-FS-SI1B * AFW-MDP-FS-FW3B
IF LPI-MDP-FS-SI1B * AFW-MDP-FS-FW3B
THEN R-L2W2-123-C-A-F.
DES A-L2W2-XHE-FL-18 * AFW-MDP-FS-FW3B
IF A-L2W2-XHE-FL-18 * AFW-MDP-FS-FW3B
THEN R-L2W2-123-C-A-F.
DES /R-L2W2-123-C-A-F * NOT D-L2W2-XHE * NOT MSS-AOV-FC-101A *
IF NOT R-L2W2-123-C-A-F * NOT D-L2W2-XHE * NOT MSS-AOV-FC-101A *
NOT MSS-AOV-FC-101B * NOT MSS-AOV-FC-101C * NOT MSS-AOV-MA-101A *
NOT MSS-AOV-MA-101B * NOT MSS-AOV-MA-101C * NOT LOOPISOLATED2R6 *
NOT SGA-DRAINED-R * NOT SGB-DRAINED-R * NOT SGC-DRAINED-R *
NOT A-L2W2-XHE-S1-17 * NOT SOLAIR-COMP * NOT FIRE-PUMP *
NOT SAS-CPS-FR-1SAC1 * NOT SAS-CPS-FR-2SAC1 * NOT IAS-CPS-FS-IAC-1 *
NOT IAS-CPS-FR-IAC-1 * NOT SGS-DRAINED-CSD * NOT A-L2-XHE-S *
NOT MSS-AOV-FT-101A * NOT MSS-AOV-FT-101B * NOT MSS-AOV-FT-101C *
NOT IAS-CCF-LF-INAIR * NOT PORV-PATH-CLSD * NOT DCP-BDC-ST-BUS1B *
NOT LPI-MDP-FS-SI1B * NOT A-L2W2-XHE-FL-18
THEN R-L2W2-123-C-C-F.
DES AFW-CCF-FS-FW3AB + AFW-CKV-00-CV142 + A-L2W2-XHE-SF-17
IF AFW-CCF-FS-FW3AB + AFW-CKV-00-CV142 + A-L2W2-XHE-SF-17
THEN R-L2W2-123-C-C-F.
DES A-L2W2-XHE-X
IF A-L2W2-XHE-X
THEN R-L2W2-13-G-C-F.
DES /R-L2W2-123-C-A-F * NOT D-L2W2-XHE * NOT R-L2W2-123-C-C-F *
IF NOT R-L2W2-123-C-A-F * NOT D-L2W2-XHE * NOT R-L2W2-123-C-C-F *
NOT PORV-PATH-CLSD * NOT DCP-BDC-ST-BUS1B * NOT LPI-MDP-FS-SI1B *
NOT A-L2W2-XHE-FL-18 * NOT R-L2W2-13-G-C-F
THEN R-L2W2-13-C-C-F.
DES LPI-MDP-FS-SI1B * NOT R-L2W2-123-C-A-F
IF LPI-MDP-FS-SI1B * NOT R-L2W2-123-C-A-F
THEN R-L2W2-13-C-C-F.
DES A-L2W2-XHE-FL-18 * NOT R-L2W2-123-C-A-F
IF A-L2W2-XHE-FL-18 * NOT R-L2W2-123-C-A-F
THEN R-L2W2-13-C-C-F.
~EOS
RHRMODEL, L2W3D6, 5=
DES/NRAC346 L2W3D6
IF FREQ-L2
THEN A-CCW3-XHE-S2-7.
~EOS
RHRMODEL, L2W3D6, 8=
DES AFW-MDP-MA-FW3B + AFW-MDP-MA-FW3A + AFW-MDP-FS-FW3A +
IF AFW-MDP-MA-FW3B + AFW-MDP-MA-FW3A + AFW-MDP-FS-FW3A + AFW-MDP-FS-FW3B +
AFW-MOV-MA-151A + AFW-MOV-MA-151B + AFW-MOV-MA-151C + AFW-MOV-MA-151D +
AFW-MOV-MA-151E + AFW-MOV-MA-151F + AFW-MOV-FT-151A + AFW-MOV-FT-151B +
AFW-MOV-FT-151C + AFW-MOV-FT-151D + AFW-MOV-FT-151E + AFW-MOV-FT-151F
THEN R-L2W3-123-C-A-F.
DES DCP-BDC-ST-BUS1B
IF DCP-BDC-ST-BUS1B
THEN R-L2W3-123-C-A-F.
DES LPI-MDP-FS-SI1B * AFW-MDP-MA-FW3B
IF LPI-MDP-FS-SI1B * AFW-MDP-MA-FW3B
THEN R-L2W3-123-C-A-F.
DES A-L2W3-XHE-FL-12 * AFW-MDP-MA-FW3B
IF A-L2W3-XHE-FL-12 * AFW-MDP-MA-FW3B
THEN R-L2W3-123-C-A-F.
DES LPI-MDP-FS-SI1B * AFW-MDP-FS-FW3B
IF LPI-MDP-FS-SI1B * AFW-MDP-FS-FW3B
THEN R-L2W3-123-C-A-F.
DES A-L2W3-XHE-FL-12 * AFW-MDP-FS-FW3B
IF A-L2W3-XHE-FL-12 * AFW-MDP-FS-FW3B
THEN R-L2W3-123-C-A-F.
DES /R-L2W3-123-C-A-F * NOT D-L2W3-XHE * NOT MSS-AOV-FC-101A *
IF NOT R-L2W3-123-C-A-F * NOT D-L2W3-XHE * NOT MSS-AOV-FC-101A *
NOT MSS-AOV-FC-101B * NOT MSS-AOV-FC-101C * NOT MSS-AOV-MA-101A *
NOT MSS-AOV-MA-101B * NOT MSS-AOV-MA-101C * NOT LOOPISOLATED3D6 *
NOT SGA-DRAINED-R * NOT SGB-DRAINED-R * NOT SGC-DRAINED-R *
NOT A-L2W3-XHE-S1-8 * NOT SOLAIR-COMP * NOT FIRE-PUMP *
NOT SAS-CPS-FR-1SAC1 * NOT SAS-CPS-FR-2SAC1 * NOT IAS-CPS-FS-IAC-1 *
NOT IAS-CPS-FR-IAC-1 * NOT SGS-DRAINED-CSD * NOT A-L2-XHE-S *
NOT MSS-AOV-FT-101A * NOT MSS-AOV-FT-101B * NOT MSS-AOV-FT-101C *
NOT IAS-CCF-LF-INAIR * NOT PORV-PATH-CLSD * NOT DCP-BDC-ST-BUS1B *
NOT LPI-MDP-FS-SI1B * NOT A-L2W3-XHE-FL-12
THEN R-L2W3-123-C-C-F.
DES AFW-CCF-FS-FW3AB + AFW-CKV-00-CV142 + A-L2W3-XHE-SF-8
IF AFW-CCF-FS-FW3AB + AFW-CKV-00-CV142 + A-L2W3-XHE-SF-8
THEN R-L2W3-123-C-C-F.
DES /R-L2W3-123-C-A-F * NOT D-L2W3-XHE * NOT R-L2W3-123-C-C-F *
IF NOT R-L2W3-123-C-A-F * NOT D-L2W3-XHE * NOT R-L2W3-123-C-C-F *
NOT PORV-PATH-CLSD * NOT DCP-BDC-ST-BUS1B * NOT LPI-MDP-FS-SI1B *
NOT A-L2W3-XHE-FL-12
THEN R-L2W3-13-C-C-F.
DES LPI-MDP-FS-SI1B * NOT R-L2W3-123-C-A-F
IF LPI-MDP-FS-SI1B * NOT R-L2W3-123-C-A-F
THEN R-L2W3-13-C-C-F.
DES A-L2W3-XHE-FL-12 * NOT R-L2W3-123-C-A-F
IF A-L2W3-XHE-FL-12 * NOT R-L2W3-123-C-A-F
THEN R-L2W3-13-C-C-F.
~EOS
RHRMODEL, L2W3R10, 05=
DES/NRAC346 L2W3R10
IF FREQ-L2
THEN A-CCW3-XHE-S2-7.
~EOS
RHRMODEL, L2W3R10, 10=
DES/NRAC346 L2W3R10
IF FREQ-L2
THEN A-CCW3-XHE-S2-7.
~EOS
RHRMODEL, L2W3R6, 05=
DES/NRAC346 L2W3R6
IF FREQ-L2
THEN A-CCW3-XHE-S2-7.
~EOS
RHRMODEL, L2W3R6, 08=
DES /D-L2W3-XHE
IF NOT D-L2W3-XHE
THEN R-L2W3-13-C-C-F.
~EOS
RHRMODEL, L2W3R6, 10=
DES/NRAC346 L2W3R6
IF FREQ-L2
THEN A-CCW3-XHE-S2-7.
~EOS
RHRMODEL, L2W4D6, 5=
DES/NRAC455 L2W4D6
IF FREQ-L2
THEN A-CCW3-XHE-S2-7.
~EOS
RHRMODEL, L2W4R10, 05=
DES/NRAC455 L2W4R10
IF FREQ-L2
THEN A-CCW3-XHE-S2-7.
~EOS
RHRMODEL, L2W4R10, 08=
DES /D-L2W4-XHE
IF NOT D-L2W4-XHE
THEN R-L2W4-13-C-C-F.
~EOS
RHRMODEL, L2W4R10, 10=
DES/NRAC455 L2W4R10
IF FREQ-L2
THEN A-CCW3-XHE-S2-7.
~EOS
RHRMODEL, L2W4R10, 12=
DES /D-L2W4-XHE
IF NOT D-L2W4-XHE
THEN R-L2W4-13-C-C-F.
~EOS
RHRMODEL, L2W4R6, 05=
DES/NRAC455 L2W4R6
IF FREQ-L2
THEN A-CCW3-XHE-S2-7.
~EOS
RHRMODEL, L2W4R6, 10=
DES/NRAC455 L2W4R6
IF FREQ-L2
THEN A-CCW3-XHE-S2-7.
~EOS
RHRMODEL, L3W1D6, 4=
DES/NRAC200 L3W1D6
IF FREQ-L3
THEN A-CCW3-XHE-S1-7.
~EOS
RHRMODEL, L3W1D6, 5=
DES/NRAC200 L3W1D6
IF FREQ-L3
THEN A-CCW3-XHE-S1-7.
~EOS
RHRMODEL, L3W1D6, 7=
DES /LPR-CCF-PG-SUMP1 * NOT LPI-MDP-FS-SI1B * NOT A-L3W1-XHE-C-17 *
IF NOT LPR-CCF-PG-SUMP1 * NOT LPI-MDP-FS-SI1B * NOT A-L3W1-XHE-C-17 *
NOT CON-VFC-RP-COREM * NOT 2EH1L3 * NOT SWS-XHE-AP12 *
NOT A-L3W1-XHE-FH-18 * NOT A-L3W1-XHE-FL-18 * NOT D-L3W1-XHE *
NOT ISR-TRA-MA * NOT OSR-TRA-MA * NOT A-L3W1-XHE-CW-4
THEN R-L3W1-13-C-C.
DES /D-L3W1-XHE * NOT R-L3W1-13-C-C * NOT A-L3W1-XHE-CW-4
IF NOT D-L3W1-XHE * NOT R-L3W1-13-C-C * NOT A-L3W1-XHE-CW-4
THEN R-L3W1-1-C.
~EOS
RHRMODEL, L3W1D6, 8=
DES /D-L3W1-XHE * NOT PORV-PATH-CLSD *
IF NOT D-L3W1-XHE * NOT PORV-PATH-CLSD * NOT A-L3W1-XHE-CW-4 *
A-L3W1-XHE-FL-18
THEN R-L3W1-1-C-F.
DES /D-L3W1-XHE * NOT PORV-PATH-CLSD *
IF NOT D-L3W1-XHE * NOT PORV-PATH-CLSD * NOT A-L3W1-XHE-CW-4 * LPI-MDP-FS-SI1B
THEN R-L3W1-1-C-F.
DES /D-L3W1-XHE * NOT PORV-PATH-CLSD *
IF NOT D-L3W1-XHE * NOT PORV-PATH-CLSD * NOT A-L3W1-XHE-CW-4 *
DCP-BDC-ST-BUS1B
THEN R-L3W1-1-C-F.
DES /D-L3W1-XHE * NOT PORV-PATH-CLSD * NOT R-L3W1-1-C-F
IF NOT D-L3W1-XHE * NOT PORV-PATH-CLSD * NOT R-L3W1-1-C-F *
NOT A-L3W1-XHE-CW-4
THEN R-L3W1-13-C-C-F.
~EOS
RHRMODEL, L3W1R6, 14=
DES/NRAC200 L3W1R6
IF FREQ-L3
THEN A-CCW3-XHE-S1-7.
~EOS
RHRMODEL, L3W2D6, 06=
DES/NRAC262 L3W2D6
IF FREQ-L3
THEN A-CCW3-XHE-S1-7.
~EOS
RHRMODEL, L3W2D6, 09=
DES AFW-MDP-MA-FW3B * A-L3W2-XHE-CW-4
IF AFW-MDP-MA-FW3B * A-L3W2-XHE-CW-4
THEN R-L3W2-23-A.
DES AFW-MDP-FS-FW3B * A-L3W2-XHE-CW-4
IF AFW-MDP-FS-FW3B * A-L3W2-XHE-CW-4
THEN R-L3W2-23-A
DES AFW-MDP-MA-FW3B * NOT A-L3W2-XHE-CW-4
IF AFW-MDP-MA-FW3B * NOT A-L3W2-XHE-CW-4
THEN R-L3W2-123-C-A.
DES AFW-MDP-FS-FW3B * NOT A-L3W2-XHE-CW-4
IF AFW-MDP-FS-FW3B * NOT A-L3W2-XHE-CW-4
THEN R-L3W2-123-C-A.
DES /R-L3W2-123-C-A * NOT D-L3W2-XHE * NOT MSS-AOV-FC-101A *
IF NOT R-L3W2-123-C-A * NOT D-L3W2-XHE * NOT MSS-AOV-FC-101A *
NOT MSS-AOV-FC-101B * NOT MSS-AOV-FC-101C * NOT MSS-AOV-MA-101A *
NOT MSS-AOV-MA-101B * NOT MSS-AOV-MA-101C * NOT LOOPISOLATED2R6 *
NOT SGA-DRAINED-R * NOT SGB-DRAINED-R * NOT SGC-DRAINED-R *
NOT A-L3W2-XHE-S1-17 * NOT SOLAIR-COMP * NOT FIRE-PUMP *
NOT SAS-CPS-FR-1SAC1 * NOT SAS-CPS-FR-2SAC1 * NOT IAS-CPS-FS-IAC-1 *
NOT IAS-CPS-FR-IAC-1 * NOT SGS-DRAINED-CSD * NOT A-L3-XHE-S *
NOT MSS-AOV-FT-101A * NOT MSS-AOV-FT-101B * NOT MSS-AOV-FT-101C *
NOT ISR-TRA-MA * NOT OSR-TRA-MA * NOT LPR-CCF-PG-SUMP2 *
NOT IAS-CCF-LF-INAIR * NOT A-L3W2-XHE-CW-4
THEN R-L3W2-123-C-C.
DES AFW-CCF-FS-FW3AB + AFW-CKV-00-CV142 + A-L3W2-XHE-SF-17
IF AFW-CCF-FS-FW3AB + AFW-CKV-00-CV142 + A-L3W2-XHE-SF-17
THEN R-L3W2-123-C-C.
DES A-L3W2-XHE-X
IF A-L3W2-XHE-X * NOT A-L3W2-XHE-CW-4
THEN R-L3W2-13-C-C.
DES /R-L3W2-123-C-A * NOT D-L3W2-XHE * NOT R-L3W2-123-C-C *
IF NOT R-L3W2-123-C-A * NOT D-L3W2-XHE * NOT R-L3W2-123-C-C *
NOT ISR-TRA-MA * NOT OSR-TRA-MA * NOT LPR-CCF-PG-SUMP2 *
NOT R-L3W2-13-C-C * NOT A-L3W2-XHE-CW-4
THEN R-L3W2-13-C-C.
~EOS
RHRMODEL, L3W2D6,10=
DES AFW-MDP-MA-FW3B * A-L3W2-XHE-CW-4
IF AFW-MDP-MA-FW3B * A-L3W2-XHE-CW-4
THEN R-L3W2-23-A-F.
DES AFW-MDP-FS-FW3B * A-L3W2-XHE-CW-4
IF AFW-MDP-FS-FW3B * A-L3W2-XHE-CW-4
THEN R-L3W2-23-A-F.
DES AFW-MDP-MA-FW3B * NOT A-L3W2-XHE-CW-4
IF AFW-MDP-MA-FW3B * NOT A-L3W2-XHE-CW-4
THEN R-L3W2-123-C-A-F.
DES AFW-MDP-FS-FW3B * NOT A-L3W2-XHE-CW-4
IF AFW-MDP-FS-FW3B * NOT A-L3W2-XHE-CW-4
THEN R-L3W2-123-C-A-F.
DES A-L3W2-XHE-FL-18 * AFW-MDP-MA-FW3B
IF A-L3W2-XHE-FL-18 * AFW-MDP-MA-FW3B
THEN R-L3W2-123-C-A-F.
DES /R-L3W2-123-C-A-F * NOT D-L3W2-XHE * NOT MSS-AOV-FC-101A *
IF NOT R-L3W2-123-C-A-F * NOT D-L3W2-XHE * NOT MSS-AOV-FC-101A *
NOT MSS-AOV-FC-101B * NOT MSS-AOV-FC-101C * NOT MSS-AOV-MA-101A *
NOT MSS-AOV-MA-101B * NOT MSS-AOV-MA-101C * NOT LOOPISOLATED2D6 *
NOT SGA-DRAINED-R * NOT SGB-DRAINED-R * NOT SGC-DRAINED-R *
NOT A-L3W2-XHE-S1-17 * NOT SOLAIR-COMP * NOT FIRE-PUMP *
NOT SAS-CPS-FR-1SAC1 * NOT SAS-CPS-FR-2SAC1 * NOT IAS-CPS-FS-IAC-1 *
NOT IAS-CPS-FR-IAC-1 * NOT SGS-DRAINED-CSD * NOT A-L3-XHE-S *
NOT MSS-AOV-FT-101A * NOT MSS-AOV-FT-101B * NOT MSS-AOV-FT-101C *
NOT IAS-CCF-LF-INAIR * NOT PORV-PATH-CLSD * NOT DCP-BDC-ST-BUS1B *
NOT LPI-MDP-FS-SI1B * NOT A-L3W2-XHE-FL-18 * NOT A-L3W2-XHE-CW-4
THEN R-L3W2-123-C-C-F.
DES /R-L3W2-123-C-A-F * NOT D-L3W2-XHE * NOT R-L3W2-123-C-C-F *
IF NOT R-L3W2-123-C-A-F * NOT D-L3W2-XHE * NOT R-L3W2-123-C-C-F *
NOT PORV-PATH-CLSD * NOT DCP-BDC-ST-BUS1B * NOT LPI-MDP-FS-SI1B *
NOT A-L3W2-XHE-FL-18 * NOT A-L3W2-XHE-CW-4
THEN R-L3W2-13-C-C-F.
~EOS
RHRMODEL, L3W2R6, 06=
DES/NRAC262 L3W2R6
IF FREQ-L3
THEN A-CCW3-XHE-S1-7.
~EOS
RHRMODEL, L3W2R6, 14=
DES/NRAC262 L3W2R6
IF FREQ-L3
THEN A-CCW3-XHE-S1-7.
~EOS
RHRMODEL, L3W2R6, 17=
DES AFW-MDP-MA-FW3B * A-L3W2-XHE-CW-4
IF AFW-MDP-MA-FW3B * A-L3W2-XHE-CW-4
THEN R-L3W2-23-A
DES AFW-MDP-FS-FW3B * A-L3W2-XHE-CW-4
IF AFW-MDP-FS-FW3B * A-L3W2-XHE-CW-4
THEN R-L3W2-23-A
DES AFW-MDP-MA-FW3B * NOT A-L3W2-XHE-CW-4
IF AFW-MDP-MA-FW3B * NOT A-L3W2-XHE-CW-4
THEN R-L3W2-123-C-A
DES AFW-MDP-FS-FW3B * NOT A-L3W2-XHE-CW-4
IF AFW-MDP-FS-FW3B * NOT A-L3W2-XHE-CW-4
THEN R-L3W2-123-C-A
DES /R-L3W2-123-C-A * NOT D-L3W2-XHE * NOT MSS-AOV-FC-101A *
IF NOT R-L3W2-123-C-A * NOT D-L3W2-XHE * NOT MSS-AOV-FC-101A *
NOT MSS-AOV-FC-101B * NOT MSS-AOV-FC-101C * NOT MSS-AOV-MA-101A *
NOT MSS-AOV-MA-101B * NOT MSS-AOV-MA-101C * NOT LOOPISOLATED2R6 *
NOT SGA-DRAINED-R * NOT SGB-DRAINED-R * NOT SGC-DRAINED-R *
NOT A-L3W2-XHE-S1-17 * NOT SOLAIR-COMP * NOT FIRE-PUMP *
NOT SAS-CPS-FR-1SAC1 * NOT SAS-CPS-FR-2SAC1 * NOT IAS-CPS-FS-IAC-1 *
NOT IAS-CPS-FR-IAC-1 * NOT SGS-DRAINED-CSD * NOT A-L3-XHE-S *
NOT MSS-AOV-FT-101A * NOT MSS-AOV-FT-101B * NOT MSS-AOV-FT-101C *
NOT ISR-TRA-MA * NOT OSR-TRA-MA * NOT LPR-CCF-PG-SUMP2 *
NOT IAS-CCF-LF-INAIR * NOT A-L3W2-XHE-CW-4 * NOT A-L3W2-XHE-FL-18
THEN R-L3W2-123-C-C.
DES /R-L3W2-123-C-A * NOT D-L3W2-XHE * NOT R-L3W2-123-C-C *
IF NOT R-L3W2-123-C-A * NOT D-L3W2-XHE * NOT R-L3W2-123-C-C *
NOT ISR-TRA-MA * NOT OSR-TRA-MA * NOT LPR-CCF-PG-SUMP2 *
NOT A-L3W2-XHE-CW-4 * NOT A-L3W2-XHE-FL-18
THEN R-L3W2-13-C-C.
~EOS
RHRMODEL, L3W2R6, 18=
DES AFW-MDP-MA-FW3B * A-L3W2-XHE-CW-4
IF AFW-MDP-MA-FW3B * A-L3W2-XHE-CW-4
THEN R-L3W2-23-A-F.
DES AFW-MDP-FS-FW3B * A-L3W2-XHE-CW-4
IF AFW-MDP-FS-FW3B * A-L3W2-XHE-CW-4
THEN R-L3W2-23-A-F.
DES AFW-MDP-MA-FW3B * NOT A-L3W2-XHE-CW-4
IF AFW-MDP-MA-FW3B * NOT A-L3W2-XHE-CW-4
THEN R-L3W2-123-C-A-F.
DES AFW-MDP-FS-FW3B * NOT A-L3W2-XHE-CW-4
IF AFW-MDP-FS-FW3B * NOT A-L3W2-XHE-CW-4
THEN R-L3W2-123-C-A-F.
DES A-L3W2-XHE-FL-18 * AFW-MDP-MA-FW3B
IF A-L3W2-XHE-FL-18 * AFW-MDP-MA-FW3B
THEN R-L3W2-123-C-A-F.
DES /R-L3W2-123-C-A-F * NOT D-L3W2-XHE * NOT MSS-AOV-FC-101A *
IF NOT R-L3W2-123-C-A-F * NOT D-L3W2-XHE * NOT MSS-AOV-FC-101A *
NOT MSS-AOV-FC-101B * NOT MSS-AOV-FC-101C * NOT MSS-AOV-MA-101A *
NOT MSS-AOV-MA-101B * NOT MSS-AOV-MA-101C * NOT LOOPISOLATED2R6 *
NOT SGA-DRAINED-R * NOT SGB-DRAINED-R * NOT SGC-DRAINED-R *
NOT A-L3W2-XHE-S1-17 * NOT SOLAIR-COMP * NOT FIRE-PUMP *
NOT SAS-CPS-FR-1SAC1 * NOT SAS-CPS-FR-2SAC1 * NOT IAS-CPS-FS-IAC-1 *
NOT IAS-CPS-FR-IAC-1 * NOT SGS-DRAINED-CSD * NOT A-L3-XHE-S *
NOT MSS-AOV-FT-101A * NOT MSS-AOV-FT-101B * NOT MSS-AOV-FT-101C *
NOT IAS-CCF-LF-INAIR * NOT PORV-PATH-CLSD * NOT DCP-BDC-ST-BUS1B *
NOT LPI-MDP-FS-SI1B * NOT A-L3W2-XHE-FL-18 * NOT A-L3W2-XHE-CW-4
THEN R-L3W2-123-C-C-F.
DES /R-L3W2-123-C-A-F * NOT D-L3W2-XHE * NOT R-L3W2-123-C-C-F *
IF NOT R-L3W2-123-C-A-F * NOT D-L3W2-XHE * NOT R-L3W2-123-C-C-F *
NOT PORV-PATH-CLSD * NOT DCP-BDC-ST-BUS1B * NOT LPI-MDP-FS-SI1B *
NOT A-L3W2-XHE-FL-18 * NOT A-L3W2-XHE-CW-4
THEN R-L3W2-13-C-C-F.
~EOS
RHRMODEL, L3W3D6, 5=
DES/NRAC346 L3W3D6
IF FREQ-L3
THEN A-CCW3-XHE-S2-7.
~EOS
RHRMODEL, L3W3D6, 8=
DES AFW-MDP-MA-FW3B * A-L3W3-XHE-CW-4
IF AFW-MDP-MA-FW3B * A-L3W3-XHE-CW-4
THEN R-L3W3-23-A-F.
DES AFW-MDP-FS-FW3B * A-L3W3-XHE-CW-4
IF AFW-MDP-FS-FW3B * A-L3W3-XHE-CW-4
THEN R-L3W3-23-A-F.
DES AFW-MDP-MA-FW3B * NOT A-L3W3-XHE-CW-4
IF AFW-MDP-MA-FW3B * NOT A-L3W3-XHE-CW-4
THEN R-L3W3-123-C-A-F.
DES AFW-MDP-FS-FW3B * NOT A-L3W3-XHE-CW-4
IF AFW-MDP-FS-FW3B * NOT A-L3W3-XHE-CW-4
THEN R-L3W3-123-C-A-F.
DES A-L3W3-XHE-FL-12 * AFW-MDP-MA-FW3B
IF A-L3W3-XHE-FL-12 * AFW-MDP-MA-FW3B
THEN R-L3W3-123-C-A-F.
DES /R-L3W3-123-C-A-F * NOT D-L3W3-XHE * NOT MSS-AOV-FC-101A *
IF NOT R-L3W3-123-C-A-F * NOT D-L3W3-XHE * NOT MSS-AOV-FC-101A *
NOT MSS-AOV-FC-101B * NOT MSS-AOV-FC-101C * NOT MSS-AOV-MA-101A *
NOT MSS-AOV-MA-101B * NOT MSS-AOV-MA-101C * NOT LOOPISOLATED3D6 *
NOT SGA-DRAINED-R * NOT SGB-DRAINED-R * NOT SGC-DRAINED-R *
NOT A-L3W3-XHE-S1-12 * NOT SOLAIR-COMP * NOT FIRE-PUMP *
NOT SAS-CPS-FR-1SAC1 * NOT SAS-CPS-FR-2SAC1 * NOT IAS-CPS-FS-IAC-1 *
NOT IAS-CPS-FR-IAC-1 * NOT SGS-DRAINED-CSD * NOT A-L3-XHE-S *
NOT MSS-AOV-FT-101A * NOT MSS-AOV-FT-101B * NOT MSS-AOV-FT-101C *
NOT IAS-CCF-LF-INAIR * NOT PORV-PATH-CLSD * NOT DCP-BDC-ST-BUS1B *
NOT LPI-MDP-FS-SI1B * NOT A-L3W3-XHE-FL-12 * NOT A-L3W3-XHE-CW-4
THEN R-L3W3-123-C-C-F.
DES /R-L3W3-123-C-A-F * NOT D-L3W3-XHE * NOT R-L3W3-123-C-C-F *
IF NOT R-L3W3-123-C-A-F * NOT D-L3W3-XHE * NOT R-L3W3-123-C-C-F *
NOT PORV-PATH-CLSD * NOT DCP-BDC-ST-BUS1B * NOT LPI-MDP-FS-SI1B *
NOT A-L3W3-XHE-FL-12 * NOT A-L3W3-XHE-CW-4
THEN R-L3W3-13-C-C-F.
~EOS
RHRMODEL, L3W3R10, 05=
DES/NRAC346 L3W3R10
IF FREQ-L3
THEN A-CCW3-XHE-S2-7.
~EOS
RHRMODEL, L3W3R6, 05=
DES/NRAC346 L3W3R6
IF FREQ-L3
THEN A-CCW3-XHE-S2-7.
~EOS
RHRMODEL, L3W3R6, 08=
DES /D-L3W3-XHE * NOT A-L3W3-XHE-CW-4
IF NOT D-L3W3-XHE * NOT A-L3W3-XHE-CW-4
THEN R-L3W3-13-C-C-F.
~EOS
RHRMODEL, L3W3R6, 10=
DES/NRAC346 L3W3R6
IF FREQ-L3
THEN A-CCW3-XHE-S2-7.
~EOS
RHRMODEL, L3W4D6, 5=
DES /nrac455
IF DURATION-D6
THEN A-CCW3-XHE-S2-7.
~EOS
RHRMODEL, L3W4R10, 05=
DES /NRAC455 L3W4R10
IF FREQ-L3
THEN A-CCW3-XHE-S2-7.
~EOS
RHRMODEL, L3W4R10, 10=
DES/NRAC455 L3W4R10
IF FREQ-L3
THEN A-CCW3-XHE-S2-7.
~EOS
RHRMODEL, L3W4R10, 12=
DES /D-L3W4-XHE * NOT A-L3W4-XHE-CW-5
IF NOT D-L3W4-XHE * NOT A-L3W4-XHE-CW-5
THEN R-L3W4-13-C-C-F.

Table 10-59

Summary of Results-Core Damage Frequency by Initiating Event and Plant Operational States

| Initiating Event | IE Frequency | Core Damage Frequency (per year), R6 | R10 | D6 | Total |
|---|---|---|---|---|---|
| 1. Loss of RHR | | | | | |
| RHR2A-Over Draining | 1.62E-02/Demand | 1.75E-7 | 5.26E-8 | 2.57E-7 | 4.85E-7 |
| RHR2B-Failure to Maintain Level | 1.22E-05/hr | 2.08E-08 | 2.04E-8 | 2.91E-8 | 7.03E-8 |
| RHR3-Non-Recoverable Loss of RHR | 7.29E-06/hr | 1.54E-7 | 8.39E-9 | 2.99E-7 | 4.62E-7 |
| RHR4-Non-Recoverable Loss of Operating Train of RHR | 4.09E-06/hr | 7.57E-9 | 1.19E-9 | 2.32E-8 | 3.19E-8 |
| RHR5-Recoverable Loss of RHR | 2.12E-05/hr | 3.96E-8 | 4.06E-09 | 9.25E-8 | 1.36E-7 |
| 2. LOOP-Loss of Offsite Power | 6.96E-06/hr | | | | |
| L1-Both 1H and 1J Energized | 6.20E-06/hr | 3.26E-7 | 6.96E-8 | 7.56E-7 | 1.15E-6 |
| L2-1H and 2H energized, not 1J | 7.37E-07/hr | 1.04E-7 | 1.30E-8 | 1.68E-7 | 2.85E-7 |
| L3-1H energized, not 1J, unit 2 blackout | 3.81E-08/hr | 4.24E-8 | 1.26E-8 | 9.87E-8 | 1.54E-7 |
| B1-Unit 1 Black Out | 1.95E-08/hr | 4.75E-8 | 1.08E-8 | 1.70E-7 | 2.29E-7 |
| B2-2 Unit Blackout | 3.17E-09/hr | 3.76E-8 | 4.20E-8 | 1.09E-7 | 1.88E-7 |
| 3. 4KV-Loss of 4kv Bus | 2.10E-05/hr | 1.41E-7 | 1.87E-8 | 2.40E-7 | 3.99E-7 |
| 4. VITAL-Loss of Vital Bus | 5.58E-06/hr | 2.75E-8 | 5.12E-9 | 7.29E-8 | 1.06E-7 |
| 5. AIR-Loss of Outside Instrument Air | 2.12E-6/hr | 7.90E-10 | - | 3.16E-9 | 3.95E-9 |
| 6. CCW-Loss of CCW | 3.76E-06/hr | 6.29E-8 | 1.14E-10 | 2.06E-7 | 2.69E-7 |
| 7. SWGR-Loss of Emergency Switchgear Room Cooling | 1.81E-08/hr | 3.58E-8 | 1.19E-8 | 7.40E-8 | 1.22E-7 |
| 8. ESFAS-Inadvertent Safety Feature Actuation | 1.06E-04/hr | 2.72E-7 | 2.73E-8 | 6.76E-7 | 9.75E-7 |
| 9. Dilute-Boron Dilution (CDF) | 2.00E-07/hr | | | | 6.8E-08 |
| TOTAL | | 1.49E-6 | 2.98E-7 | 3.27E-6 | 5.06E-6* |

* Not including boron dilution


Table 10-60
Core Damage Frequency As a Function of the Time Windows and POSs (per year)

| Time Window | R6 | R10 | D6 | Total |
|---|---|---|---|---|
| Window 1 (13hr-75hr) | 3.16E-07(4.04E-08)* | - | 1.56E-06(1.74E-07)* | 1.88E-06(2.14E-07)* |
| Window 2 (75hr-240hr) | 7.71E-07(1.06E-07)* | - | 9.65E-07(6.88E-08)* | 1.74E-06(1.75E-07)* |
| Window 3 (240-768hr) | 4.03E-07(3.54E-08)* | 1.70E-08(1.14E-09)* | 7.02E-07(2.41E-08)* | 1.12E-06(6.06E-08)* |
| Window 4 (> 768 hr) | 1.03E-08(<1.0E-10)* | 2.89E-07(5.36E-08)* | 2.68E-08(5.78E-10)* | 3.26E-07(5.41E-08)* |
| TOTAL | 1.49E-06(1.82E-07)* | 3.06E-07(5.47E-08)* | 3.25E-06(2.67E-07)* | 5.06E-06(5.04E-07)* |

* The numbers in parentheses are the contributions of over-draining events.

Table 10-61
Fraction of a Year That the Plant is in a Time Window of a POS

| Time Window | R6 | R10 | D6 | Total |
|---|---|---|---|---|
| Window 1 (13hr-75hr) | 2.77E-02% | - | 0.41% | 0.44% |
| Window 2 (75hr-240hr) | 0.88% | - | 1.52% | 2.4% |
| Window 3 (240-768hr) | 0.67% | 2.43E-02% | 1.31% | 2.00% |
| Window 4 (> 768hr) | 5.50E-02% | 1.50% | 0.25% | 1.81% |
| TOTAL | 1.63% | 1.52% | 3.49% | 6.64% |

Table 10-62
Conditional Core Damage Frequency As a Function of the Time Windows and POSs (per year)

| Time Window | R6 | R10 | D6 | Total |
|---|---|---|---|---|
| Window 1 (13hr-75hr) | 9.96E-04(1.16E-06)* | - | 3.37E-04(4.68E-07)* | 3.77E-04(5.27E-07)* |
| Window 2 (75hr-240hr) | 7.55E-05(2.52E-07)* | - | 5.90E-05(1.26E-07)* | 7.25E-05(1.81E-07)* |
| Window 3 (240-768hr) | 5.49E-05(2.46E-07)* | 6.54E-05(1.73E-7)* | 5.18E-05(9.56E-08)* | 5.60E-05(1.51E-07)* |
| Window 4 (> 768hr) | 1.87E-05( - )* | 1.57E-05(1.82E-7)* | 1.05E-05(1.85E-08)* | 1.80E-05(1.66E-07)* |
| TOTAL | 8.09E-05(3.03E-07)* | 1.65E-05(1.82E-07)* | 8.55E-05(2.23E-07)* | 7.62E-05(2.40E-07)* |

* Conditional core damage probability due to an over-draining event, given that mid-loop is reached in the
time window.

11 PLANT DAMAGE STATE ANALYSIS
Plant damage state analysis was performed using the following approach:

Discussion with level-2/3 staff

After a total of 2186 core damage cutsets above the 1.00E-10 per year truncation limit
were generated, the scenarios depicted by the dominant cutsets were discussed with level-2/3 staff. This allows
a common understanding of the level-1 scenarios and permits the level-2/3 effort to proceed accordingly. It
was found that 82 cutsets above the frequency of 1.00E-08 per year, listed in Tables 10-50, constitute only
71% of the total core damage frequency and 409 cutsets above 1.00E-09 per year constitute 89% of the total.
It was decided to include all cutsets above 1.00E-10 per year in the plant damage state analysis.

Development of 7 letter designator for plant damage states

By a joint effort of the level 1, 2, and 3 staff, a
list of 7 questions was developed. Those 82 cutsets above 1.00E-08 per year were evaluated based on the
questions. Depending on the answer to each of the questions, a letter is assigned to the cutset. Table 11-1
lists the questions and the associated letters. An important consideration of the level-2 analysis is the
possibility of preventing vessel breach given that core damage has occurred. This corresponds to what
happened in the Three Mile Island accident, in which the release to the environment was very limited. Table 11-2
shows the assignment of the plant damage states to the first 82 cutsets.

The following discusses the assignment of answers to the questions listed in Table 11-1.

1. Time Window-The time window in which the accident represented by the core damage cutset occurs can
be easily determined by the basic event names used.

2. AC Power- This question determines whether or not recovery of offsite power after core damage can
prevent further degradation of the condition. If core damage is caused by loss of offsite power, then it may
be possible to re-establish injection after offsite power is recovered.

Y: If AC power is available in the cutset, then recovery of offsite power would not be beneficial.
U: This answer is used when the initiating event is a loss of emergency switchgear room cooling and cooling
is not recovered. For such cutsets, the loss of power is not recoverable and vessel breach is unavoidable.
B: If the cutset represents a station blackout, then recovery of offsite power should restore power to the
equipment that can be used to prevent vessel breach. Recovery of offsite power is characterized by the
recovery curve given in chapter 4.
F: If the cutset involves a loss of the 4KV Bus, then restoring power to the bus should restore power to the
equipment needed to prevent vessel breach. The recovery of 4KV bus is characterized by a different recovery
curve than that of offsite power.

3. Human Error-If the core damage is the result of human error, then with more time available after core
damage and additional alarms as a result of core damage, it is possible that the operators could recover from
the error and initiate safety injection to prevent vessel breach. The type of human errors can be easily
identified by the names of the human error events used.

4. RCS Status at onset of Core Damage-Based on the thermal hydraulic analysis of chapter 5, the RCS
pressure could reach 600 psi if core damage occurs in time window 1 with only 1 PORV open to relieve system
pressure. This is a condition for potential direct containment heating (DCH) to take place. Therefore, for
those window 1 cutsets in which the pressurizer safety valves are not removed, a letter "G" is assigned. For
these cutsets, only 2 PORVs are potentially available to relieve the pressure. By judgment, we estimated that
during mid-loop operation there is a probability of 0.05 that one of the PORVs is closed. This is the
probability that the condition for DCH exists for the cutsets.

5. ECCS Status-This question determines the cause of failure of the ECCS, which in turn determines the
possibility of restoring safety injection to prevent vessel breach.

U: Hardware failure is the reason that ECCS is not available. Therefore, it is
impossible to establish safety injection.
R: If the cause is either human error, loss of offsite power, or loss of 4KV bus, the recovery from
these would permit safety injection to prevent vessel breach.
C: This letter is never used.

6. Recirculation Spray Status-The operation of recirculation spray systems can reduce the release inside the
containment. Therefore, its operability is questioned. Unavailability of recirculation spray is determined by
a set of basic events that were identified by reviewing the cutsets involving loss of recirculation spray. The
set is used in the rules to assign the "U" letter to this question.

7. RWST Status-The availability of RWST inventory determines the possibility of safety injection to prevent
vessel breach. The RWST is injected in those event tree sequences in which failure occurs in the recirculation
phase, gravity feed is successful, or use of unit 2 charging pump is successful. Otherwise, RWST inventory
is available.

Development of Rules of PDS Assignment

In manually assigning PDSs to the first 82 cutsets, the patterns or
rules for the assignment were identified. The rules were implemented using a database software, REFLEX,
to automatically assign the PDSs to all the cutsets. An ASCII file containing all the core damage cutsets was
created using the IRRAS code and imported into the REFLEX database. The results of the assignment were
verified to ensure that the assignments for the first 82 cutsets agree with the results of manual assignment.
A total of 48 different PDSs were obtained. They are listed in Table 11-3.

Performance of uncertainty analysis of the PDSs

Uncertainty analyses of the PDSs were performed in two
ways. First, uncertainty analysis of each PDS was performed using the IRRAS code with 10,000 Latin
Hypercube Sampling (LHS) samples. The results of the analysis are shown in Table 11-3. Then, a "group"
analysis of all 48 PDSs was performed using 1,000 LHS samples. In the "group" analysis, the same samples
for a basic event that appears in many PDSs were used in those PDSs. This allows the uncertainty analysis
to account for the fact that the PDSs share many basic events. An ASCII file containing the values of the
samples of the basic events and the calculated values of the PDSs using these basic event values was created.
This file is used in the uncertainty analysis of the overall risks.
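
The "group" analysis described above, as an added illustration (not code from the report or from IRRAS): Latin hypercube samples are drawn once per basic event and reused in every PDS, and the result is compared with sampling each PDS on its own. The basic event names, medians, error factors, cutsets and the lognormal distributions are constructed assumptions.

```python
import math
import random
from statistics import NormalDist

STD_NORMAL = NormalDist()
Z95 = STD_NORMAL.inv_cdf(0.95)  # about 1.645

# Constructed basic events (hypothetical, not from the report): lognormal,
# given as (median, error factor) with error factor = 95th percentile / median.
BASIC_EVENTS = {
    "BE-SHARED": (1.0e-3, 10.0),  # appears in both PDSs below
    "BE-A": (2.0e-2, 3.0),
    "BE-B": (5.0e-2, 3.0),
    "BE-C": (1.0e-6, 5.0),
}

# Constructed PDSs: a list of cutsets, each cutset a tuple of basic events.
PDS_CUTSETS = {
    "PDS-1": [("BE-SHARED", "BE-A")],
    "PDS-2": [("BE-SHARED", "BE-B"), ("BE-C",)],
}


def lhs_probabilities(n, rng):
    """One uniform draw inside each of n equal-probability strata, shuffled."""
    probs = [min(max((i + rng.random()) / n, 1e-12), 1 - 1e-12) for i in range(n)]
    rng.shuffle(probs)
    return probs


def lhs_lognormal(n, median, error_factor, rng):
    """n Latin hypercube samples of one lognormal basic event."""
    sigma = math.log(error_factor) / Z95
    return [median * math.exp(sigma * STD_NORMAL.inv_cdf(p))
            for p in lhs_probabilities(n, rng)]


def sample_basic_events(n, rng):
    return {name: lhs_lognormal(n, med, ef, rng)
            for name, (med, ef) in BASIC_EVENTS.items()}


def pds_frequency(cutsets, samples, k):
    """Rare-event approximation: sum of cutset products for sample k."""
    return sum(math.prod(samples[be][k] for be in cs) for cs in cutsets)


def group_analysis(n, seed):
    """Shared samples: in sample k every PDS sees the same basic event values."""
    samples = sample_basic_events(n, random.Random(seed))
    return {pds: [pds_frequency(cs, samples, k) for k in range(n)]
            for pds, cs in PDS_CUTSETS.items()}


def separate_analysis(n, seed):
    """Each PDS sampled on its own: a shared basic event gets unrelated values."""
    rng = random.Random(seed)
    out = {}
    for pds, cs in PDS_CUTSETS.items():
        samples = sample_basic_events(n, rng)
        out[pds] = [pds_frequency(cs, samples, k) for k in range(n)]
    return out


def log_correlation(xs, ys):
    """Pearson correlation of the logarithms of two sample vectors."""
    lx = [math.log(x) for x in xs]
    ly = [math.log(y) for y in ys]
    mx, my = sum(lx) / len(lx), sum(ly) / len(ly)
    cov = sum((a - mx) * (b - my) for a, b in zip(lx, ly))
    return cov / math.sqrt(sum((a - mx) ** 2 for a in lx)
                           * sum((b - my) ** 2 for b in ly))


if __name__ == "__main__":
    grouped = group_analysis(1000, seed=1)
    separate = separate_analysis(1000, seed=1)
    print("log-correlation PDS-1 vs PDS-2, group analysis:   ",
          round(log_correlation(grouped["PDS-1"], grouped["PDS-2"]), 2))
    print("log-correlation PDS-1 vs PDS-2, separate analyses:",
          round(log_correlation(separate["PDS-1"], separate["PDS-2"]), 2))
```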


Table 11-1 PDS Definition


1. Time of Accident Initiation
1: Window 1
2: Window 2
3: Window 3
4: Window 4

2. AC Power
Y: Available
U: Non-recoverable blackout (FREQ-SR)
B: Blackout (recoverable by recovery of offsite power)
F: Loss of 4KV Bus (its own recovery curve)

3. Human Error
N: No human error or non-recoverable human error
D: Diagnosis error
A: Action error

4. RCS Status at Onset of Core Damage


L: Low pressure
G: 5% probability that pressure is high

5. ECCS Status
U: Hardware failure
R: Recoverable if human error, LOSP, or 4KV is recovered
C: Failure of recirculation

6. Recirculation Spray Status


R: recoverable
U: not recoverable

7. RWST Status
Y: Injected
R: Not injected but recoverable
N: Not injected and not recoverable


Table 11-2
Plant Damage State Assignment of the Dominant Cutsets

1 2YDLRRR 2.20E-07
2 3YDLRRR 2.07E-07
3 2YDLRRR 1.70E-07
4 1YNGCUY 1.46E-07
5 3YDLRRR 1.46E-07
6 1YDGRRR 1.24E-07
7 2YDLRRR 1.22E-07
8 1YNGCUY 1.08E-07
9 3YDLRRR 9.52E-08
10 2YDLRRR 9.37E-08
11 1YDGRRR 9.04E-08
12 1YDGRRR 8.73E-08
13 2YDLRRR 7.74E-08
14 1BNGRRR 7.38E-08
15 3YDLRRR 6.70E-08
16 1YDGRRR 5.82E-08
17 1FNGRRY 5.41E-08
18 2YDLRRR 5.38E-08
19 3YDLRRR 5.29E-08
20 3YDLRRR 5.07E-08
21 3YDLRRR 4.86E-08
22 2BNLRRR 4.75E-08
23 1YNGCYY 4.39E-08
24 2YDLRRR 4.27E-08
25 4BNLRRR 4.07E-08
26 4YDLRRR 3.91E-08
27 1BNGRRR 3.63E-08
28 2YDLRRR 3.39E-08


29 2UDLRUR 3.38E-08

30 2YDLRRR 3.36E-08

31 2YDLRRR 3.30E-08

32 1BNGRRR 3.27E-08

33 1YNGCYY 3.23E-08
34 2YDLRRR 2.97E-08
35 1YNGCUY 2.95E-08
36 3YDLRRR 2.92E-08
37 2YDLRRR 2.91E-08
38 3UDLRUR 2.91E-08

39 3YDLRRR 2.89E-08
40 2BNLRRR 2.62E-08
41 1FNGRRY 2.52E-08
42 1YNGCUY 2.47E-08
43 3YDLRRR 2.33E-08
44 3YDLRRR 2.23E-08
45 1YNGCUY 2.17E-08
46 3BNLRRR 2.13E-08
47 2YALRUY 2.11E-08

48 2YDLRRR 2.01E-08
49 2YDLRRR 1.89E-08
50 2YDLRRR 1.87E-08
51 2UDLRUR 1.87E-08
52 2YDLRRR 1.86E-08
53 1YNGCUY 1.83E-08
54 3YDLRRR 1.83E-08
55 1YDGRRR 1.79E-08

56 1YDGRRR 1.75E-08


57 1YDGRRR 1.73E-08

58 3YDLRRR 1.73E-08

59 1BNGRRR 1.68E-08
60 4YDLRRR 1.68E-08
61 2YDLRRR 1.61E-08
62 1YDGRRR 1.60E-08
63 1YNGCYY 1.53E-08
64 1YAGCRY 1.46E-08
65 1YNGCUY 1.35E-08
66 3YDLRRR 1.34E-08
67 3UDLRUR 1.34E-08
68 3YDLRRR 1.33E-08
69 2YDLRRR 1.29E-08
70 2FALRRY 1.26E-08
71 1YNGCYY 1.19E-08
72 1YNGCYY 1.19E-08
73 3YDLRRR 1.19E-08
74 1FNGRRY 1.15E-08
75 1YNGCUY 1.13E-08
76 2YDLRRR 1.11E-08
77 1FNGRRY 1.09E-08
78 1YAGCRY 1.08E-08
79 3YDLRRR 1.07E-08
80 4YDLRRR 1.07E-08
81 3YDLRRR 1.06E-08
82 2YDLRRR 1.04E-08

Table 11-3

Results of Uncertainty Analysis of Plant Damage States

PDS MEAN 5% MEDIAN 95%

1 1BNGCRY 2.95E-09 5.90E-11 7.48E-10 1.11E-08

2 1BNGRRR 1.71E-07 4.07E-09 4.40E-08 6.35E-07

3 1BNLCRY 1.43E-10 3.93E-13 1.40E-11 4.70E-10

4 1FAGRRY 9.07E-09 1.39E-10 2.12E-09 3.31E-08

5 1FNGRRR 4.78E-10 6.02E-12 9.57E-11 1.73E-09

6 1FNGRRY 1.25E-07 2.69E-09 3.43E-08 4.62E-07

7 1UAGCUY 1.89E-10 1.27E-12 2.92E-11 7.31E-10

8 1UDGUUR 8.29E-09 7.73E-12 4.40E-10 2.51E-08

9 1UDLCUY 6.08E-10 8.79E-13 4.23E-11 1.86E-09

10 1YAGCRY 8.11E-08 4.12E-09 2.84E-08 2.76E-07

11 1YAGCUY 2.12E-08 5.18E-10 5.48E-09 7.93E-08

12 1YAGRRR 2.75E-09 1.46E-10 1.04E-09 9.32E-09

13 1YDGRRR 4.64E-07 1.22E-08 1.19E-07 1.68E-06

14 1YNGCUY 5.41E-07 1.29E-08 1.28E-07 1.96E-06

15 1YNGCYY 3.15E-07 1.90E-08 1.08E-07 1.01E-06

16 1YNGUUR 1.49E-09 2.67E-11 3.54E-10 5.50E-09

17 1YNGUYR 8.84E-09 6.17E-10 3.93E-09 3.03E-08

18 1YNLCUY 2.22E-09 2.91E-12 1.30E-10 6.00E-09

19 1YNLCYY 7.02E-10 2.15E-12 7.03E-11 2.45E-09

20 2BNLCRY 3.34E-08 9.03E-10 9.76E-09 1.18E-07

21 2BNLCUY 2.99E-09 1.12E-11 4.46E-10 1.09E-08

22 2BNLRR 1.05E-07 4.01E-09 3.57E-08 3.75E-07

23 2FALRRR 1.46E-08 2.44E-10 3.57E-09 5.48E-08

24 2FALRRY 4.31E-08 1.17E-09 1.41E-08 1.62E-07

25 2FNLRRR 2.75E-08 7.12E-10 8.11E-09 9.97E-08

26 2UALRUY 1.17E-10 1.26E-12 2.40E-11 4.19E-10

27 2UDLRUR 5.12E-08 1.08E-10 4.21E-09 1.68E-07

28 2YALRRR 7.30E-09 4.48E-10 3.08E-09 2.58E-08

29 2YALRRY 8.72E-09 5.40E-10 3.78E-09 3.02E-08

30 2YALRUR 1.50E-08 8.43E-10 5.81E-09 5.20E-08

31 2YALRUY 4.93E-08 2.05E-09 1.61E-08 1.85E-07

32 2YALRYR 7.06E-08 1.14E-08 4.11E-08 2.06E-07

33 2YDLRRR 1.08E-06 3.10E-08 2.80E-07 3.62E-06

34 2YNLCUY 4.84E-08 1.12E-09 1.28E-08 1.59E-07

35 2YNLCYY 1.94E-08 1.39E-09 8.11E-09 6.61E-08

36 3BDLRRR 2.39E-10 2.31E-13 1.30E-11 6.68E-10

37 3BNLRRR 4.18E-08 1.65E-09 1.38E-08 1.40E-07

38 3UDLRUR 4.24E-08 9.48E-11 3.49E-09 1.34E-07

39 3YALRRR 5.31E-09 4.18E-10 2.41E-09 1.80E-08

40 3YALRUR 2.55E-08 1.53E-09 1.05E-08 8.64E-08

41 3YALRYR 4.38E-08 6.96E-09 2.57E-08 1.30E-07

42 3YDLRRR 9.15E-07 2.51E-08 2.42E-07 3.19E-06

43 4BNLRRR 5.81E-08 7.00E-10 8.98E-09 1.96E-07

44 4UDLRUR 1.16E-08 1.47E-11 6.35E-10 3.37E-08

45 4YALRRR 2.75E-09 1.37E-11 3.86E-10 9.32E-09

46 4YALRUR 2.28E-08 3.76E-10 4.85E-09 7.55E-08

47 4YALRYR 8.06E-08 3.34E-09 2.95E-08 2.54E-07

48 4YDLRRR 1.28E-07 1.42E-09 1.81E-08 3.85E-07

12 UNCERTAINTY AND SENSITIVITY ANALYSIS
This chapter discusses the sources of uncertainty in this study and briefly summarizes how they are treated
(Table 12-1). The discussions address the uncertainty analysis of mid-loop operation only. Chapters 4 and
6 contain analyses of initiating events and fault trees that cover the 15 POSs defined for low power and
shutdown conditions. Section 12.1 discusses the sources of uncertainty, in particular, the modeling uncertainty,
i.e., due to the assumptions made in the model. Section 12.2 discusses the uncertainty in the parameters used
in the analysis. Section 12.3 discusses the propagation of uncertainty. The results of the uncertainty analysis
are described in Section 12.4.

12.1 Sources and Treatment of Uncertainty


Two types of uncertainty were addressed in this study, parameter uncertainty and modeling uncertainty. The
parameters used in the model, e.g., frequency of outage types, frequency of initiating events, duration of POSs,
hardware failure rates, and human error probabilities are represented by various probabilistic distributions.
Section 12.2 discusses the assessment of parameter uncertainty in more detail. Modeling uncertainty addresses
the uncertainty in the assumptions used in the model. Different assumptions can lead to different logic
models. The following is a discussion of the various modeling issues and how they were treated in this study.

Success Criteria - Success criteria were determined by reviewing various existing studies [1-7] and making a
supporting thermal hydraulic analysis based on the Surry-specific design. Chapter 5 gives details of this effort.

The determination of success criteria for shutdown conditions is complicated by the changing levels of decay
heat. This was accounted for by defining 4 time windows after shutdown, each with its own set of success
criteria. In general, whenever the success criteria for one system or mitigating function changes, a new time
window must be defined and significantly more than 4 time windows are needed. The use of 4 time windows
is a trade-off between the accuracy of the model and the level of effort involved. We believe that 4 time
windows adequately represent a much larger set of time windows.

In developing the time window approach, we recognized that the procedure for loss of RHR, AP-27.00 [8], is
conservative in the success criteria for reflux cooling and feed-and-spill, and does not include all possible
methods of establishing recirculation; these are the areas in which the model of this study deviated from the
abnormal procedure. The following describes how these issues were treated.

Reflux cooling - In AP 27.00, the number of steam generators needed for reflux cooling is given as a function
of the decay heat, e.g., 3 SGs are needed for the first 75 hours after shutdown. The number is based on the
thermal hydraulic considerations of Virginia Power NE technical report 865 [7]. From our review of studies [1-4]
on reflux cooling, and unpublished BNL calculations, one steam generator should be sufficient although the
abnormal procedure states 3 would be needed. The issue is how much credit should be given to reflux cooling
when insufficient SGs are available, based on the procedure. In this study, the conservative success criteria
of the procedure are used in the logic model, and whenever reflux cooling is failed due to insufficient SGs, a
recovery action is entered with a failure probability of 0.1.

Feed-and-spill - In AP 27.00 [8] and its supporting study [7], the number of pumps and PORVs needed for this
operation was determined from the flow from RWST needed to maintain the sub-cooling capacity and shut-off
head of the pumps, and the relieving capability of the PORVs. For example, during the first 129 hours after
shutdown, 2 charging pumps and 2 PORVs would be needed. Such success criteria were derived from the
requirement of maintaining sub-cooling. This requirement is more stringent than what is needed for
feed-and-bleed in an accident that occurs during full power operations. An alternative to feed-and-spill, namely
feed-and-steam (discussed in reference [7]), is much less demanding in terms of the needed flow. However, it is
not the recommended method because of the difficulty in maintaining level, and potential for
overpressurization. In this study, a success criterion of 1 charging pump and 1 PORV is used, based on the
understanding that this is sufficient to prevent core damage.

Recirculation - AP 27.00 [8] instructs the operators to establish high-pressure recirculation by using the low
pressure injection pump to take suction from the containment sump, and discharge to the suction of the high
pressure injection system. This requires that a low head injection pump and a charging pump be available. In the
fault-tree model for recirculation, two alternative methods are also modeled: low-pressure feed-and-steam
by taking suction from the containment sump, and low-pressure feed-and-spill by taking suction from the sump
and using spray recirculation. For both, only low head injection is needed. The feed-and-steam mode requires
that the safety valves are removed to give an adequate vent path, and does not require cooling of the sump
water. The feed-and-spill operation requires operation of the spray recirculation systems to cool the water
in the sump, thereby establishing sub-cooling in the reactor vessel.

Changing Plant Configuration - Due to the activities taking place during shutdown, the plant's configuration
changes in time, which, in turn, affects the likelihood of accident initiating events and the plant's ability to
mitigate the accidents. In general, at any time, the plant could be in a different configuration. In this study,
the constantly changing plant configuration is approximated by a few discrete configurations, by introducing
different outage types, POSs, and time windows. Chapter 3 discusses the differences among the outage types,
POSs and time windows that are reflected in the different basic events and different event trees. Chapter 9
discusses the estimation of some of the basic event probabilities that vary with outage types, POSs, and time
windows. The following is a description of the basic events and how they are varied.

1. Initiating event frequency - The initiating events are assumed to occur with constant rates independent of
the outage type or POS. The conditional probability that an IE occurs in a POS is the product of the rate
and the duration of the POS. The initiating event frequency is the frequency of the POS times this conditional
probability. The frequency that it occurs in a given time window of a given POS of a given outage type is the
frequency that the initiating event occurs in the POS times the conditional probability of the time window of
the given POS.

2. Loop isolation probability - Isolation of the loops makes it impossible to establish reflux cooling. Its
probability was estimated by judgment, using information gathered by reviewing the log books for outages, and
an outage plan for a refueling outage. It was estimated as a function of the outage types, and time windows.

3. Removal of pressurizer safety valves - The fraction of time that the safety valves are removed in a given
time window of a given POS in a given outage type was estimated by judgment using information gathered
by reviewing log books for outages, and an outage plan for a refueling outage. With the safety valves
removed, it is possible to use gravity feed from the RWST, and impossible to use reflux cooling due to loss
through the opening.

4. Maintenance unavailabilities - Maintenance unavailability was estimated as a function of the POSs of a
refueling outage by reviewing the log books for 3 refueling outages. The data was collected for the time
period when the plant was at mid-loop. Due to insufficient information, maintenance unavailability is assumed
to be independent of the time windows. It also is assumed that the data collected for a refueling outage is
applicable to a drained maintenance outage.

Changing plant practices and information - It has been BNL's observation that the plant is aware of the
potential safety concerns of reduced inventory operations and is constantly improving its practice regarding
such operations. This concern is reflected in the improvement in the operating procedures and abnormal
procedures used during shutdown as well as changes in plant practice. The most significant practice started
in the refueling outage of unit one in 1992, during which mid-loop operation was totally avoided; this appears
to be the new plant policy. Another way of reducing the risk due to reduced inventory operation is to perform
it while the fuel in the core is removed during refueling.

To limit the changes in the model developed in this study to account for the changes in plant practice and
information, it was decided that the study would use the procedures and other plant information available as
of April 30, 1993. Regarding the plant's policy of avoiding mid-loop operation, it was decided that this study
would use the data collected from past outages prior to the unit 1 refueling outage of 1992 when mid-loop
operation was avoided. As a result, the estimated core-damage frequency of this study is expected to be an
overestimate of that of the current plant.

Operator Response - The operator's actions modeled in this study were identified while developing the event
trees, which involved reviewing the relevant abnormal and emergency procedures, talking through the accident
scenarios, and discussing them with plant personnel. Chapter 7 gives details of the scenario development.
The operator's responses to various accidents are, in most cases, identified in the applicable procedures. For
example, abnormal procedures for loss of RHR [8], loss of instrument air [9], and loss of offsite power [10] provide
guidance on what to do in case of these losses during shutdown. The latter two procedures are not written
specifically for shutdown conditions. In case of a station blackout, the procedure, 1-ECA-0.0 [11], written with
power operation in mind, does not address shutdown conditions. Therefore, only the relevant steps in the
procedure are applicable. Similarly, for other initiating events, such as loss of component cooling, spurious
safety injection, and loss of a vital bus, there is no specific procedure for shutdown, and the knowledge of the
operators about the relevant steps of the procedures for power operations becomes very important. As
discussed under success criteria, some of the operator's actions modeled in this study are not explicitly spelled
out in the existing plant procedures, and some recovery actions modeled are extensions of the existing
procedures.

The operator actions needed to mitigate an accident are included in the high-level fault trees that model
different methods of mitigating the accident, e.g., feed-and-spill operation. The model typically contains two
human error events and one transfer to the fault tree for hardware failures. One human error event
represents failure of the operator to diagnose, so that the correct actions cannot be decided upon; the other
represents failure to carry out the action after successful diagnosis. Human error probabilities were quantified
using the failure likelihood index method that involves assessing weights and scores on various performance-
shaping factors, and calibration using the HEPs from existing studies.

12.2 Parameter Uncertainty


The following is a discussion of the assessment of the uncertainty associated with the parameters used in this
study.

Initiating Event Frequency - The initiating event frequency was estimated by using the two-stage Bayesian
analysis. In the first stage, data from the population of reactors was collected and used to derive a population
variability curve. This curve was then used as the prior distribution of the second stage in which the Surry-
specific data was used as the evidence. The only exception is the initiating event of loss of emergency
switch-gear room cooling, for which a fault tree was used to derive a point estimate of the initiating event
frequency, and an error factor of 4 was estimated by propagating the uncertainty of parameters used in the
fault tree.

Hardware Failure Data - The hardware failure data was taken from the NUREG-1150 study for Surry. In
some cases, new failure events were added to the system models using information and data from the IPE of
Surry. To account for the state of knowledge uncertainty, similar events were assigned the same "correlation
class" as defined in the IRRAS computer code [12]. In propagating uncertainty, a single sample is taken from
one correlation class and used for all events in the same class. Table 12-2 lists the failure data associated with
each correlation class.

Maintenance Unavailability - The assessment of maintenance unavailability is documented in chapter 9 in more
detail; basically, it was accomplished by reviewing the outage log books for 3 refueling outages. The fraction
of time that equipment is out of service in a given POS is used as maintenance unavailability. Just like other
parameters discussed under changing plant practice, such use of an averaged parameter represents an
approximation of the real-time dependent behavior of the plant. The accuracy of the approximation has to
be assessed by performing sensitivity calculations.

The uncertainty of the maintenance unavailabilities was derived by judgement using the following rules:

1. If the mean is small, a lognormal distribution with some EF is assumed.


2. If the mean is close to 1, a uniform distribution is assumed. If the mean is larger than 0.5, the upper
bound is set to 1. If the mean is lower than 0.5, the upper bound is set to twice the mean.

Human Error Probability - The quantification of HEPs is documented in chapter 8. Chapter 10 documents
the quantification of the recovery actions that consist of hardware failures and human errors. Similar to the
failure events for hardware failures, the human error events, that represent similar operator actions and were
estimated to have the same HEPs, were assigned the same correlation class. The following guidelines were
used in assigning the error factors for the HEPs:

1) Action(A) and Recovery(R) events:

Mean of Distribution        Error Factor
mean <= 1E-03               5
1E-03 < mean <= 0.1         3
0.1 < mean                  2

2) Diagnosis(D) events:
Error factor = 20.

Recovery from Initiating Events - All the experienced loss of RHR events throughout the population
terminated successfully before core damage occurs. To account for this fact, in some of the event trees, a top
event is used representing recovery from the initiating event. The probability that the initiating event is
recovered before bulk boiling takes place in the RCS is estimated from the respective "recovery curves",
derived by using the experienced recovery times in a Bayesian analysis. Appendix D provides more detail of
the recovery curves. The error factor of the non-recovery probability was assumed to be 3.

12.3 Uncertainty Analysis Results

The uncertainty of total core damage frequency was assessed using the IRRAS computer code [12] using 10,000
LHS samples. The basic event uncertainty data is given in appendix G. Table 12-3 lists the results of the
uncertainty analysis.
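
The correlation-class sampling described under Hardware Failure Data, combined with Latin hypercube sampling (LHS), can be sketched as follows. This is an added example, not code from the report or from IRRAS: the two-diesel cutset list and event names are constructed, the means and error factors are the Table 12-2 entries for correlation classes 38 and 39, and it assumes lognormal distributions with the error factor taken as the ratio of the 95th percentile to the median. The error factor of the result is computed as sqrt(95th/5th), which is consistent with the values in Table 12-3 (sqrt(1.54E-05/4.76E-07) = 5.69).

```python
import math
import random
from statistics import NormalDist, fmean

STD_NORMAL = NormalDist()
Z95 = STD_NORMAL.inv_cdf(0.95)  # about 1.645

# (mean, error factor) per correlation class, copied from Table 12-2.
CLASSES = {
    39: (2.2e-02, 3.0),   # DG Fails to Start
    38: (1.2e-02, 10.0),  # DG Fails to Run (6 hrs)
}

# Constructed two-diesel model (assumption, not a fault tree from the report):
# each basic event is mapped to its correlation class.
EVENT_CLASS = {"DG1-FTS": 39, "DG2-FTS": 39, "DG1-FTR": 38, "DG2-FTR": 38}
CUTSETS = [
    ("DG1-FTS", "DG2-FTS"),
    ("DG1-FTS", "DG2-FTR"),
    ("DG1-FTR", "DG2-FTS"),
    ("DG1-FTR", "DG2-FTR"),
]


def lognormal_params(mean_value, error_factor):
    """Return (mu, sigma) of ln X from the mean and EF = 95th percentile / median."""
    sigma = math.log(error_factor) / Z95
    mu = math.log(mean_value) - 0.5 * sigma ** 2
    return mu, sigma


def mean_of_square(mean_value, error_factor):
    """Exact E[X^2]: the mean of a cutset of two events that share one sample."""
    _, sigma = lognormal_params(mean_value, error_factor)
    return mean_value ** 2 * math.exp(sigma ** 2)


def lhs_column(mu, sigma, n, rng):
    """One LHS column: one draw from each of n equal-probability strata, shuffled."""
    values = []
    for i in range(n):
        u = min(max((i + rng.random()) / n, 1e-12), 1.0 - 1e-12)
        z = STD_NORMAL.inv_cdf(u)
        values.append(min(1.0, math.exp(mu + sigma * z)))  # probabilities cap at 1
    rng.shuffle(values)
    return values


def propagate(n=10_000, seed=1, correlated=True):
    """Propagate parameter uncertainty through the cutsets (rare-event sum).

    correlated=True  : one column per correlation class, shared by its events.
    correlated=False : one column per event (state-of-knowledge correlation ignored).
    """
    rng = random.Random(seed)
    columns = {}
    for event, cc in EVENT_CLASS.items():
        key = cc if correlated else event
        if key not in columns:
            columns[key] = lhs_column(*lognormal_params(*CLASSES[cc]), n, rng)

    totals = []
    for k in range(n):
        total = 0.0
        for cutset in CUTSETS:
            product = 1.0
            for event in cutset:
                key = EVENT_CLASS[event] if correlated else event
                product *= columns[key][k]
            total += product
        totals.append(total)

    totals.sort()
    p05, p50, p95 = totals[int(0.05 * n)], totals[n // 2], totals[int(0.95 * n)]
    return {"mean": fmean(totals), "p05": p05, "p50": p50, "p95": p95,
            "error_factor": math.sqrt(p95 / p05)}


if __name__ == "__main__":
    for label, flag in (("correlated", True), ("independent", False)):
        result = propagate(correlated=flag)
        print(label, {name: f"{value:.3g}" for name, value in result.items()})
```

Sharing one sample within a class roughly doubles the mean of this constructed model relative to independent sampling, because a cutset of two same-class events averages to E[X^2] rather than E[X]^2.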


12.4 References:

1. Naff, S.A., et al., "Thermal Hydraulic Processes During Reduced Inventory Operation with Loss of
Residual Heat Removal," Idaho National Engineering Laboratory, NUREG/CR-5855, April 1992.
2. Fletcher, C.D., et al., "Thermal-Hydraulic Processes Involved in Loss of Residual Heat Removal During
Mid-Loop Operation," EGG-East-9337, Idaho National Engineering Laboratory, October 1990.
3. Wald, L.W. and W.C. Arcieri, "Evaluation of the Loss of Residual Heat Removal Systems in Pressurized
Water Reactors," Idaho National Engineering Laboratory, NUREG/CR-5820, May 1992.
4. Audreycheck, T.S., et al., "Loss of RHRs Cooling while the RCS is partially filled," WCAP-11916,
Westinghouse Electric Corporation, July 1988.
5. "Loss of Residual Heat Removal System," NUREG-1269, U.S. Nuclear Regulatory Commission, June
1987.
6. "Loss of Vital AC Power and the Residual Heat Removal System During Mid-Loop Operations at Vogtle
Unit 1 on March 20, 1990," NUREG-1410, U.S. Nuclear Regulatory Commission, June 1990.
7. "Background and Guidance for Ensuring Adequate Backup Decay Heat Removal Following Loss of
RHR Surry and North Anna Power Stations," Nuclear Analysis and Fuel Nuclear Engineering Services,
Virginia Power, NE Technical Report No. 865, Revision 1, June 1992.
8. "Loss of Decay Heat Removal Capability," Virginia Power Surry Power Station, Abnormal Procedure
1-AP-27.00, Revision 4, February 15, 1993.
9. "Non-Recoverable Loss of Instrument Air," Virginia Power Surry Power Station, Abnormal Procedure
AP 1-40.00, Revision 3, December 19, 1991.
10. "Station Blackout," Virginia Power Surry Power Station, Abnormal Procedure 1-AP 10.00, Revision 7,
July 2, 1992.
11. "Loss of All AC Power," Virginia Power Surry Power Station, Emergency Contingency Action, Rev. 6,
April 27, 1992.
12. Russell, K., et al., "Integrated Reliability and Risk Analysis System," Version NEWS (a test
version), developed by Idaho National Engineering Laboratory.


Table 12-1

Sources and Treatment of Uncertainty

Source of Uncertainty: Success Criteria
  Description:
    a. Insufficient understanding of thermal hydraulic behavior
    b. Conservatism in Virginia Power Procedure
    c. Changing success criteria with decay heat
  Treatment:
    a. Performance of supporting analysis, review of existing studies
    b. Relaxed success criteria in some cases
    c. Time window approach allows window dependent success criteria

Source of Uncertainty: Changing Plant Configuration
  Description:
    Ability to mitigate an accident depends on the plant configuration. For example:
    1. SGs in wet lay-up ensures that SG inventory is initially sufficient for reflux cooling,
    2. RCS loops isolation or PZR SVs removal makes reflux cooling impossible, and
    3. PZR SVs removal makes gravity feed from RWST possible.
  Treatment:
    Used basic events whose probabilities vary with outage types, POSs, and time windows. The
    probabilities were estimated by reviewing past plant outage experience, outage plans, and
    operating procedures.

Source of Uncertainty: Changing Plant Practice
  Description:
    a. Procedures and other plant information
    b. Virginia Power avoided going to mid-loop in the most recent refueling outages
  Treatment:
    a. Used what is available to BNL as of April 30, 1993.
    b. Used past plant experience prior to this change.

Source of Uncertainty: Operator Response
  Description:
    a. Lack of abnormal or emergency procedure for the specific scenarios
    b. Extension of the existing procedures
  Treatment:
    Used procedures that contain relevant instructions to the operators.
    Discussions with plant personnel.

Source of Uncertainty: Parameter Uncertainty

  1. Initiating Event Frequency
     Treatment: Two-stage Bayesian Analysis

  2. Hardware Failure Data
     Treatment: Used data from NUREG-1150 and IPE

  3. Maintenance Unavailability
     Description:
       a. High maintenance unavailability of component
       b. Changing component status with time
     Treatment:
       a. Mean values were estimated using plant data. Uncertainty parameters were assigned by
          judgment.
       b. Use of average unavailability instead of time dependent unavailability

  4. Recovery of Initiating Event
     Description: Actual incidents during shutdown always ended before core damage occurs.
     Treatment: Use of recovery curves derived from Bayesian analysis for loss of offsite power,
     and loss of support systems

Table 12-2

Failure Data Associated with the Correlation Classes

CC* Description Mean Error Factor
1 No signal from CLCS train 1.6E-03 5
2 No actuation signal for AFW 6.0E-04 5
3 No actuation Signal to CPC Pump 3.2E-04 5
4 SG PORV Blocked 1.5E-01 3
5 AOV Fails to Open 1.0E-03 3
6 AOV Leaks 2.4E-05 3
7 AOV transfers closed 7.5E-07 3
8 AOV Spuriously Opens 2.4E-06 10
9 AOV plugged 4.0E-05 3
10 Flow Orifice Plugged 3.0E-04 3
11 Bus Failure 9.0E-05 5
12 Battery Failure 7.2E-04 3
13 Beta Factor for AFW MDPs 5.6E-02 3
14 HPI MDP CCF 8.4E-04 5
15 MOV CCF 2.6E-04 13
16 CPC TCV CCF 1.0E-04 5
17 Beta Factor for DGs 3.8E-02 3
18 Beta Factor for 3 DGs 1.8E-02 3
20 Beta Factor for LPI Pumps 1.5E-01 3
21 Beta Factor for SRV 7.0E-02 3
24 Beta Factor for MOV 8.8E-02 3
25 AFW CCF 1.0E-5 30
26 Compressor CCF 2.7E-05 10
27 Containment Sump Plugged 5.0E-05 100
30 Mis-calibration of Signals 3.0E-04 10
31 Check Valve Fails on Demand 1.0E-04 3
32 Back Flow through Check Valve 2.0E-03 3

33 Back Flow through CHK VLV 1.0E-03 3
34 Breaker Spuriously Opens 2.9E-05 3
35 DG Breaker Fails to Close 3.0E-03 10
37 DG Fails to Run (1 hr) 2.0E-03 10
38 DG Fails to Run (6 hrs) 1.2E-02 10
39 DG Fails to Start 2.2E-02 3
41 CCW HTX Leaks 7.2E-05 10
43 CCW HTX Plugged 1.4E-04 10
44 Inverter Failure 4.0E-02 3
45 CPC MDP Fail to Run (24 hrs) 3.8E-03 3
47 CPC MDP Fails to Run (6 hrs) 9.6E-04 3
47A CPC MDP Fails to Run (24 hrs) 3.84E-03 3
49 HPI MDP Fails to Run (24 hrs) 1.6E-03 2.9
50 MDP Fails to Run (18 hrs) 1.2E-03 2.9
51 HPI MDP Fails to Run (12 hrs) 8.0E-04 2.9
52 HPI MDP Fails to Run 4.0E-04 2.9
55 MDP Fails to Run (1 hr) 3.0E-05 10
57 MDP Fails to Run 7.2E-04 10
58 LPI MDP Fails to Run (18 hrs) 5.4E-04 3
59 LPI MDP Fails to Run (21 hrs) 6.3E-04 3
60 MDP Fails to Run (6 hrs) 1.8E-04 10
61 MDP Fails to Start 6.3E-03 3
62 CPC MDP Fails to Start 8.0E-03 3.5
63 HPI MDP Fails to Start 4.0E-03 3.5
64 ISR MDP Fails to Start 3.3E-02 3.8
65 MDP Fails to Start 3.0E-03 10
66 AFW Pump Maintenance 2.0E-3 10
68 MOV Fails to Close 5.2E-03 10

69 MOV Fails on Demand 3.0E-03 10
70 SWS MOV Maintenance 2.0E-04 10
71 MOV Plugged 6.6E-04 3
72 MOV Plugged 6.5E-04 3
73 MOV Plugged 4.4E-04 3
74 MOV Plugged 4.0E-5 3
75 Flow Diversion to Unit 2 1.5E-04 3
77 Rectifier Failure 4.0E-4 3
78 PORV Fails to Open 1.0E-03 3
79 PORV Fails to Re-close 3.0E-02 10
80 RV Spuriously Opens 9.36E-05 10
81 Strainer Plugged (1 hr) 3.0E-05 10
82 Strainer Plugged (3 hrs) 9.0E-05 10
83 Strainer Plugged (6 hrs) 1.8E-04 10
85 Strainer Plugged (24 hrs) 7.2E-04 10
86 TOP Fails to Run 5.0E-03 10
87 TOP Fails to Run 3.0E-02 10
89 TOP Fails to Start 1.1E-02 10
91 Transformer Failure 4.0E-05 3
93 Tank Insufficient Inventory 1.0E-06 3
94 Containment Failure Induced LPI Failure 2.0E-02 3
133 Manual Valve Plugged (standby) 4.4E-04 3
134 Manual Valve Plugged (during operation) 4.0E-5 10
135 Manual Valve Plugged 8.4E-06 3
136 Manual Valve Left Open 3.0E-03 10
193 SRV Fails to Open 1.0E-03 3
196 MOV Plugged 1.095E-04 3
198 Manual Valve Plugged 3.65E-05 3

201 Manual Valve Fails to Open 1.0E-04 3
202 Compressor Fails to Run 4.8E-3 10
203 Compressor Fails to Start 8.0E-02 3
301 AOV CCF 1.0E-04 3
302 CHK CCF 1.0E-05 10
304 NRV Plugged 6.0E-04 3
303 Battery CCF 5.8E-06 3
305 MOV CCF 2.6E-04 3
306 LPI MDP CCF to Start 4.5E-04 3
307 SG Drained 2.3E-02 5
801 Inverter Maintenance 2.0E-4 3
802 SG PORV Maintenance 5.0E-02 5
804 Recirculation Spray Maintenance U(0,0.5)
903 AFW MOV Maintenance 1.0E-03 10
IPEO Fan Motor Fails to Start 3.9E-03 3
IPE Air Handling Unit Maintenance 3.75E-03 3
IPE1 Bus Maintenance 7.27E-06 3
IPE2 MDP Fails to Run 1.08E-02 3
IPE3 RHR Pump Seal Cooler Failure 1.86E-02 3
IPE4 RV Spuriously Opens 9.33E-05 3
IPE5 Motor Operated Damper Fails to Operate 1.09E-02 3
IPE6 AOV Opens Spuriously 1.2E-05 3
IPE7 Air Handling Unit Failure 3.4E-05 10
IPE8 Chiller Fails to Run 3.6E-03 10
IPE9 Evaporative Condenser Fails to Run 3.6E-03 10

* CC: Correlation Class

Table 12-3

Result of the Uncertainty Analysis for Total Core Damage Frequency (per year)

Point Estimate 4.88E-06


Mean 4.86E-06
5th Percentile 4.76E-07
50th Percentile 2.14E-06
95th Percentile 1.54E-05
Error Factor 5.69

12-13 NUREG/CR-6144
Kiyoharu Abe Ephraim Asculai
Dept. of Reactor Safety Research Division of Nuclear Safety
Nuclear Safety Research Center Wagramestrasse, 5
Tokai Research Establishment P.O. Box 100
JAERI A-1400 Wien
Tokai-mura, Naga-gun AUSTRIA
Ibaraki-ken,
JAPAN
Vladimar Asmolov
Head, Nuclear Safety Department
Sarbes Acharya I. V. Kurchatov Institute
Department of Energy of Atomic Enegry
NS-1/F0RS Moscow, 123181
Washington, DC 20585 RUSSIA

Dr. Ulvi Adalioglu J. de Assuncao


Cekmece Nukleer Arastraima ve Cabinete de Proteccao e
Egitim Merekezi Seguranca Nuclear
P.K. 1 Ministerio da Indusstria
Havaalani/ISTANBUL Ave. de Republica 45-6
TURKEY 1000 Lisbon
PORTUGAL

Dr. Eng. Kiyoto Aizawa


Senior Engineer H.P. Balfanz, Head
Reactor Eng. Dev. Department Institute of Probabilistic
PNC Safety Analysis
9-13, Chome, Akasaka TUV Nord
Minato-K, Tokyo Grosse Bahnstrasse 31
JAPAN D-22525 Hamburg 54
GERMANY
Harry Alter
Manager Applied Tech Pat Baranowsky
Nuclear Systems Tech USNRC- AEOD/TPAB
NE-4S MS: T-4A9
US DOE
Washington, DC 20585
Robert A. Bari, Deputy Chairman
Dept of Nuclear Energy
R.M. Andrews Bldg 197C
Nuclear Installations Xnsp. Brookhaven National Laboratory
St. Peters House Upton, NY 11973
Balliol Raod, Bootle
Merseyside L20 31Z
UNITED KINGDOM Librarian
Technical Information Section
Battelle Pacific Northwest Lab
George Apostolakis P. O. Box 999
UCLA Richland, WA 99352
Boelter Hall, Room 5532
Los Angeles, CA 90024-1597
Dr. John Baum
Dept of Nuclear Energy
Director of Reactor Engineering Radiological Sciences Div
Argonne National Laboratory Bldg 703 M
9700 S Cass Ave Brookhaven N a t i o n a l L a b o r a t o r y
Bldg 208 Upton, NY 11973
Argonne, IL 60439

Dist-1
Eric Beckjord Dennis Bley
USNRC-RES/DO Buttonwood Consulting
MS: T-10F12 17291 Buttonwood St.
Fountain Valley, CA 92708
Robert Bernero
USNRC-NMSS/DO Roger Blond
MS: T-8A23 Booz-Allen & Hamilton
4330 East West Highway
Bethesda, MD 20814
Andrea Besi
Institute for Systems Engineering
and Informatics M. P. Bonn
CEC Joint Research Centre Division 6449
CP N 1 Sandia National Laboratories
1-21020 Ispra (Varese) Albuquerque, NM 87185
ITALY
Dr. Mario Bonaca
John Bickel Manager, Reactor Engineering
Idaho National Engineering Lab. Northeast Utilities
EG&G MS: 3850 P.O. Box 270
P.O. Box 1625 Hartford, Conn. 06141
Idaho Falls, ID 83415
Robert B. Borsum
Vicki Bier Nuclear Power Division
Dept. of Industrial Engineering B & W Nuclear Tech
University of Wisconsin-Madison 1700 Rockville Pike
1513 University Avenue, Room 389 Suite 525
Wisconsin, WI 53706 Rockville, MD 20852

Scott Bigelow Stephen Boult


S-CUBED Electrowatt Engineering Services
2501 Yale SE, Suite 300 (UK) Ltd.
Albuquerque, NM 87106 Grandford House
16 Carfax, Horsham
West. Sussex RH12 IUP
Prof. Dr. Dr.-Ing. E. H. Adolf ENGLAND
Birkhofer
Gesellschaft fur Anlagen und
Reaktorsicherheit (GRS) mbH Gary Boyd
Forschungsgelande Safety & Reliability Optimization
D-8046 Garching Services
Federal Republic of Germany 9724 Kingston Pike, Suite 102
Knoxville, TN 37922
David Black
American Electric Power Brookhaven National Laboratory (2)
1 Riverside Plaza Attn: Lev Neymotin
Columbus, OH 43215 Arthur Tingle
Building 130
Upton, NY 11973
Harold Blackman
Idaho National Engineering Lab.
EG&G MS: 3850 David M. Brown
P.O. Box 1625 Paul C. Rizzo Associates, Inc.
Idaho Falls, ID 83415-3850 300 Oxford Drive
Monroeville, PA 15146-2347

Dist-2
Tom D. Brown A. L. Camp
Sandia National Laboratories Division 6412
Dept. 6413 MS: 0748
P.O. Box 5800 Sandia National Laboratories
Albuquerque, NM 87185 Albuquerque, NM 87185-0748

Robert J. Budnitz John Forbes Campbel


Future Resources Associates, Inc. HM Superintending Inspector
2039 Shattuck Avenue, Suite 402 Health & Safety Executive
Berkeley, CA 94704 St. Peter's House
Balliol Road
Bootle L20 31Z
Gary Burdick UNITED KINGDOM
USNRC-RES/SAIB
MS: T-10F13
Leonel Canelas
New University of Lisbon
Arthur Buslik Quinta de Torre
USNRC-RES/PRAB 2825 Monte de Caparica
MS: T-9F31 PORTUGAL

Edward Butcher Harold Careway


USNRC-NRR/SPSB General Electric Co., M/C 754
MS: O-10E4 175 Curtner Ave.
San Jose, CA 95129
Technical Library
B&W Nuclear Service Co D. D. Carlson
P. O. Box 10935 Division 6411
Lynchburg, VA 24506 Sandia National Laboratories
Albuquerque, NM 87185
Stefaan Caeymaex
Safety & Systems Section Jose E. De Carlos
Nuclear Generation Dept. CSN International Coordinator
TRACTEBEL Consejo de Seguridad Nuclear
Avenue Ariane 7 Calle Justo Dorado 11
B-1200 Bruxelles 28040 Madrid
BELGIUM SPAIN

Leonard Callan, Administrator Annick Carnino


U.S. Nuclear Regulatory Commission International Atomic Energy Agency
Harris Tower and Pavilion Wagramerstrasse 5, P.O. Box 100
611 Ryan Plaza Drive, Suite 400 A-1400 Vienna
Arlington, TX 76011-8064 AUSTRIA

J. Calvo S. Chakraborty
Division of PSA & Human Factors Swiss Federal Nuclear Safety
Consejo de Seguridad Nuclear Inspectorate
Calle Justo Dorado, 11 Hauptabteilung fur die Sicherheit
28040 Madrid der Kernanlagen
SPAIN CH-5232 Villigen-HSK
SWITZERLAND
Erulappa Chelliah
USNRC-RES/PRAB
MS: T-9F31

Mike Cheok S. Daggupaty
NUS Environment Canada
910 Clopper Road 4905 Dufferin Street
Gaithersburg, MD 20878 Downsview
Ontario, M3H ST4
CANADA
Nilesh Chokshi
USNRC-RES/SSEB
MS: T-10L1 Louise Dahlerup
Inspectorate of Nuclear Inst.
Danish Civil Defense &
T. L. Chu Emergency Planning Agency
Brookhaven National Laboratory 16, Datavej
Department of Nuclear Energy DK-3460 Birkerod
Bldg. 130 DENMARK
Upton, NY 11973
John Darby
Peter Cooper SEA, Inc.
SRD/AEA Technology 6100 Uptown Blvd. NE
Wigshaw Lane Albuquerque, NM 87110
Culcheth
Cheshire WA3 4NE
England Gerald Davidson
Fauske and Associates, Inc.
16 W 070 West 83rd Street
Susan E. Cooper Burr Ridge, IL 60521
Science Applications Int'l. Corp.
11251 Roger Bacon Drive
Reston, VA 22090 Peter Davis
PRD Consulting
P.O. Box 2046
Michael Corradini Sheridan, WY 82801
University of Wisconsin
1500 Johnson Drive
Madison, WI 53706 P. De Gelder
Secretary, BELGIAN NUCLEAR
SOCIETY (BNS)
E.R. Corran A V Nuclear
ANSTO Research Establishment Avenue du Roi 157
Lucas Heights Research Labs. B-1060 Brussels
Private Mail Bag 1 BELGIUM
Manai, NSW 2234
AUSTRALIA
Lennart Devell
Studsvik Nuclear
Massimo Cozzone Studsvik Energiteknik AB
A.N.P.A. S-611 82 Nykoping
Via V. Brancati, 48 SWEDEN
1-00144 Rome
ITALY
J. Devooght
Service de la Metrologie Nucl
George Crane University Libre de Bruxelles
1570 E. Hobble Creek Dr. Faculte des Sciees Appliqu.
Springville, Utah 84663 50 Avenue F-D Roosevelt
Bruxelles 5
BELGIUM
Mark Cunningham
USNRC-RES/PRAB
MS: T-9F31

0. Diederick John Flack
Commonwealth Edison Co. USNRC-RES/SAIB
LaSalle County Station MS: T-10F13
RR1, Box 220
2601 North 21st Rd.
Marsielles, IL 61341 Karl Fleming
Pickard, Lowe & Garrick
2260 University Drive
Chuck Dobbe Newport Beach, CA 92660
Idaho National Engineering Lab.
EG&G MS: 3840
P.O. Box 1625 Terry Foppe
Idaho Falls, ID 83415 Safety Analysis Engineering
Rocky Flats Plant
Energy Systems Group
Mary Drouin Rockwell International Corp
USNRC-RES\SAIB P.O. Box 464
MS: T-10F13 Golden, CO 80401

Duke Power Co. (2) R H. Gauger


Attn: Duncan Brewer Manager-Reliability Engr
Steve Deskevich A/E Div
422 South Church Street Holmes & Narver Inc.
Charlotte, NC 28242 R Roanne Circle
Irvine, CA 92714
Bill Eakin
Northeast Utilities Robert Gobel
Box 270 Clark University
Hartford, CT 06141 Center for Technology, Environment
and Development
950 Main St.
Stewart D. Ebneter Worcester, MA 01610-1477
USNRC
101 Marietta St., Suite 2900
Atlanta, GA 30323-0199 Paul Govaerts
Studiecentrum voor Kernenergie
(SCK/CEN)
Adel A. El-Bassioni Boeretang, 200
USNRC-NRR/PRAB B-2400 Mol
MS: O-10E4 BELGIUM

ENEA/DISP (2) Mr. Gubler


Attn: Alvaro Valeri International Atomic Energy Agency
Alfredo Bottino NENS/SAD B0842
Via Vitaliano Brancati, 48 Wagramerstrasse 5, P.O. Box 100
00144 Roma EUR A-1140 Vienna
ITALY AUSTRIA

Walter P. Engel Paul M. Haas, President


PRA6 MGR Analysis & Reg Matter Concord Associates, Inc.
NB-60 725 Pellissippi Parkway
CRYCITY Suite 101, Box 6
US DOE Knoxville, TN 37933
Washington, DC 20585

F. T. Harper Steven Hodge
Division 6413 Oak Ridge National Laboratories
MS: 0748 P. O. Box Y
Sandia National Laboratories Oak Ridge, TN 37831
Albuquerque, NM 87185-0748
Gary Holahan
Dr. U. Hauptmanns USNRC-AEOD/OSP
Gesellschaft Fur Anlagen und MS: T-4A9
Reaktorsicherheit (GRS) mgH
Schwertnergasse 1
D-5000 Köln 1 N.J. Holloway
GERMANY A72.1
Atomic Weapons Establishment
Ademaston
Sharif Heger Reading RG7 4PR
UNM Chemical and Nuclear UNITED KINGDOM
Engineering Department
Farris Engineering, Room 209
Albuquerque, NM 87131 Griff Holmes
Westinghouse Electric Co.
Energy Center East
Jon C. Helton Bldg. 371
Dept. of Mathematics P.O. Box 355
Arizona State University Pittsburgh, PA 15230
Tempa, AZ 85287
William Hopkins
Dr. P. M. Herttrich Bechtel Power Corporation
Gesellschaft fur Anlagen und 15740 Shady Grove Road
Reaktorsicherheit (GRS) mbH Gaithersburg, MD 20877
Schwertnergasse 1
5000 Köln 1
GERMANY Dean Houston
USNRC-ACRS
MS: P-315
Dr. D.J. Higson
Radiological Safety Bureau
Australian Nuclear Science & Der-Yu Hsia
Technology Organisation Institute of Nuclear Energy Research
P.O. Box 153 Lung-Tan 325
Roseberry, NSW 2018 TAIWAN
AUSTRALIA
Alejandro Huerta-Bahena
Dr. Mitsumasa Hirano National Commission on Nuclear
Deputy General Manager Safety and Safeguards (CNSNS)
Institute of Nuclear Safety Insurgentes Sur N. 1776
NUPEC C. P. 04230 Mexico, D. F.
3-6-2, Toranomon, Minato-ku MEXICO
Tokyo 108
JAPAN
Peter Humphreys
US Atomic Energy Authority
Dr. S. Hirschberg Wigshaw Lane, Culcheth
Paul Scherrer Institute Warrington, Cheshire
Vurenlingen and Villigen UNITED KINGDOM, WA3 4NE
CH-5232 Villigen PSI
SWITZERLAND

W. Huntington Dr. H. Kalfsbeek
Commonwealth Edison Co. DG/XII/D/1
LaSalle County Station Commission of the European
RR1, Box 220 Communities
2601 North 21st Rd. Rue de la Loi, 200
Marsielles, IL 61341 B-1049 Brussels
BELGIUM

J.S. Hyslop
USNRC-RES/PRAB Yoshio Kano
MS: T-9F31 General Mngr. & Sr. Engineer
Systems Analysis Section
O-arai Engineer. Centr, PNC
Idaho National Engineering Lab. (2) Higashi-Ibaraki-gun
Attn: Doug Brownson Ibaraki-Ken, 133-13
Darrel Knudson JAPAN
EG&G MS: 3840
P.O. Box 1625
Idaho Falls, ID 83415 William Kastenberg
UCLA
Boelter Hall, Room 5532
Idaho National Engineering Lab. (2) Los Angeles, CA 90024
Attn: Art Rood
Mike Abbott
EG&G MS: 2110 Barry Kaufer
P.O. Box 1625 OECD/NEA
Idaho Falls, ID 83415 "Le Seine St. Germain" 12
Boulevard des lies
92130 Issy-les-Moulineaux
Hanspeter Isaak FRANCE
Abteilung Strahlenschutz
Hauptabteilung fur die Sicherheit
der Kernanlagen (HSK) Paul Kayser
CH-5303 Wurenlingen Division de la Radioprotection
SWITZERLAND Avenue des Archiducs, 1
L-1135 Luxembourg-Belair
LUXEMBOURG
Brian Ives
UNC Nuclear Industries
P. O. Box 490 Ken Keith
Richland, WA 99352 TVA
W 20 D 201
400 West Summit Hill
Kamiar Jamili Knoxville, TN 37092
DP-62/FTN
Department of Energy
Washington, D.C. 20585 G. Neale Kelly
Commission of the European
Communities
Robert Jones Joint Research Centre
USNRC-NRR/DSSA Rue de la Loi 200
MS: 0-8E1 B-1049 Brussels
BELGIUM

Edward Jordan
USNRC-AEOD/DO John Kelly
MS: T-4D18 Sandia National Laboratories
P. O. Box 5800
MS 0742
Albuquerque, NM 87185

Knolls Atomic Power Laboratory (2) Dr. J.M. Lanore
Attn: Ken McDonough CEA/IPSN/DAS
Dominic Sciaudone Centre d'Etudes Nucléaires de
Box 1072 Fontenay-aux-Roses
Schenectady, NY 12301 B.P. n° 6
92265 Fontenay-aux-Roses CEDEX
FRANCE
Dr. K. Koberlein
Gesellschaft fur
Reaktorsicherheit mbH Jose A. Lantaron
Forschungsgelande Consejo de Seguridad Nuclear
D-8046 Garching Sub. Analisis y Evaluaciones
GERMANY Calle Justo Dorado, 11
28040 Madrid
SPAIN
Alan Kolaczkowski
Science Applications International
Corporation Josette Larchier-Boulanger
2109 Air Park Rd. S. E. Electricte de France
Albuquerque, NM 87106 Direction des Etudes Et Recherches
30, Rue de Conde
75006 Paris
Jim Kolanowski FRANCE
Commonwealth Edison Co.
35 1st National West
Chicago, IL 60690 H. Larsen
Head of Department
Riso National Laboratory
John G. Kollas P.O. Box 49
Institute of Nuclear Technology and DK-4000 Roskilde
Radiation Protection DENMARK
N.R.C.P.S. "Demokritos"

P.O. Box 60228


GR-153 10 Aghia Paraskevi Lawrence Livermore Nat'l Lab. (4)
Attiki Attn: George Greenly
GREECE Marvin Dickerson
Rolf Lange
Sandra Brereton
S. Kondo Livermore, CA 94550
Department of Nuclear Engineering
Facility of Engineering
University of Tokyo Shengdar Lee
3-1, Hongo 7, Bunkyo-ku Yankee Atomic Electric Company
Tokyo 580 Main St.
JAPAN Boston, MA. 17407

D. Lamy B.T.F. Liwaang


CEN/SCK Dept. of Plant Safety Assessment
Dept. Scientific Irradiation Swedish Nuclear Power Inspec.
Experiment & Study BR2 P.O. Box 27106
Boeretang, 200 S-10252 Stockholm
B-2400 Mol SWEDEN
BELGIUM
Peter Lohnberg
Expresswork International, Inc.
1740 Technology Drive
San Jose, CA 95110

Steven M. Long Hideo Matsuzuru
USNRC-NRR/SPSB Tokai Research Establishment
MS: O-10E4 Tokai-mur
Maka-gun
Ibaraki-ken, 319-11
D. Eugenio Gil Lopez JAPAN
Consejo de Seguridad Nuclear
Calle Justo Dorado, 11
28040 Madrid Jim Mayberry
SPAIN Ebasco Services
60 Chubb Ave.
Lyndhurst, NJ 07071
Los Alamos National Laboratory (2)
Attn: Kent Sasser
N-6, K-557 Andrew S. McClymont
Los Alamos, NM 87545 IT-Delian Corporation
1340 Saratoga-Sunnyvale Rd.
Suite 206
Christiana H. Lui San Jose, CA 95129
USNRC-RES/PRAB
MS: T-9F31
Michael McKay
Los Alamos National Laboratory
John Luke A-l, MS F600 Services
Florida Power & Light P.O. Box 1663
P.O. Box 14000 Los Alamos, NM 87545
Juno Beach, FL 33408
Zen Mendoza
Daniel Manesse SAIC
ISPN 5150 El Camino Real
Boite Postale n° 6 Suite C3 1
92265 Fontenay-aux-Roses CEDEX Los Altos, CA 94022
FRANCE
Dr. J. Mertens
Fred Mann Division of Risk Analysis &
Westinghouse Hanford Co. Reactor Technology
WIA-53 Institute of Safety Research
P.O. Box 1970 Research Centre Julich (KFA)
Richland, WA 99352 D-52425 Julich
GERMANY

Nadia Soido Falcao Martins


Comissao Nacional de Energia Nuclear Jim Meyer
R General Severianao 90 S/408-1 Scientech
Rio de Janeiro 11821 Parklawn Dr.
BRAZIL Suite 100
Rockville, MD 20852

Harry F. Martz
Analysis and Assessment Division Joe Minarick
Los Alamos National Laboratory Science Applications Int'l Corp.
Los Alamos, NM 87545 301 Laboratory Road
P.O. Box 2501
Oak Ridge, TN 37830
Herbert Massin
Commonwealth Edison Co.
35 1st National West
Chicago, IL 60690

Jose I. Calvo Molms, Head Ken O'Brien
Division of P.S.A. and Human Factors University of Wisconsin
Consejo de Seguridad Nuclear Nuclear Engineering Dept.
Calle Justo Dorado, 11 153 Engineering Research Blvd.
28040 Madrid Madison, WI 53706
SPAIN
Theresa Oh
Ken Muramatsu INEL Tech Library
Risk Analysis Laboratory EG&G MS: 2300
Japan Atomic Energy Research P. O. Box 1625
Institute Idaho Falls, ID 83415-2300
Tokai-mura, Naka-gun
Ibaraki-ken, 319-11, Tokyo
JAPAN N. R. Ortiz, Director
Nuclear Energy Technology
Division 6400
Joseph A. Murphy Sandia National Laboratories
Division of Safety Issue Resolution Albuquerque, NM 87185
U.S. Nuclear Regulatory Commission
MS: T-10E50
Washington, DC 20555 Robert Ostmeyer
U.S. Department of Energy
Rocky Flats Area Office
Kenneth G. Murphy, Jr. P. O. Box 928
US Department of Energy Golden, CO 80402
19901 Germantown Rd.
Germantown, MD 20545
Robert Palla
USNRC-NRR/SPSB
Shankaran Nair MS: O-10E4
Central Electricity
Generating Board
Berkeley Nuclear Laboratories Gareth Parry
Berkeley NUS Corporation
Gloucestershire CL13 9PB 910 Clopper Rd.
UNITED KINGDOM Gaithersburg, MD 20878

Ray Ng Vern Peterson


NEI Building T886B
1776 Eye St. N EG&G Rocky Flats
Suite 300 P.O. Box 464
Washington, DC 20006-2496 Golden, CO 80402

G. Niederauer G. Petrangeli
Los Alamos National Laboratory ENEA Nuclear Energy ALT Disp
P. O. Box 1663 Via V. Brancati, 48
MSK 575 00144 Rome
Los Alamos, NM 87545 ITALY

Oak Ridge National Laboratory (2) Ing. Jose Antonio Becerra Perez
Attn: Steve Fisher Comision Nacional De Seguridad
Sherrel Greene Nuclear Y Salvaguardias
MS-8057 Insurgentes Sur 1806
P.O. Box 2009 01030 Mexico, D. F.
Oak Ridge, TN 37831 MEXICO

William T. Pratt M. Roch
Brookhaven National Laboratory Manager of Design, Nuclear
Building 130 Department
Upton, NY 11973 TRACTEBEL
Avenue Ariane 7
B-1200 Bruxelles
Urho Pulkkinen BELGIUM
Technical Research Centre of
Finland A.E. Rogers
Laboratory of Electrical & General Electric Co
Automation Engineering 175 Curtner Ave
Otakaari 7B, 02150 Espoo 15 MC-489
FINLAND San Jose, CA 95125

Blake Putney Judy Rollstin


Science Applications GRAM Inc
International Corporation 8500 Menual Blvd. NE
5150 El Camino Real, Suite C31 Albuquerque, NM 87112
Los Altos, Ca 94022

Marc Rothschild
Dr. V. M. Raina Halliburton NUS
Project Manager-Risk Assessment 1303 S. Central Ave.
Ontario Hydro Hll Gl Suite 202
700 University Ave. Kent, WA 98032
Toronto, Ontario M5G 1X6
CANADA
Christopher Ryder
USNRC-RES/PRAB
William Raisin MS: T-9F31
NEI
1726 M. St. NW
Suite 904 Takashi Sato, Deputy Manager
Washington, DC 20036 Nuclear Safety Engineering Section
Reactor Design Engineering Dept.
Nuclear Energy Group, Toshiba Corp.
Ann Ramey-Smith Isogo Engineering Center
USNRC-RES/PRAB 8, Shinsugita-cho, Isogo-ku,
MS: T-9F31 Yokohama 235, JAPAN

Dale Rasmuson Martin Sattison


USNRC-AEOD/TPAB Idaho National Engineering Lab.
MS: T-4A9 P. O. Box 1625
Idaho Falls, ID 83415

John Ridgely
USNRC-RES/SAIB Dr. U. Schmocker
MS: T-10F13 Hauptabteilung fur die
Sicherheit der Kernanlagen
CH-5232 Villigen HSK
Richard Robinson (2) SWITZERLAND
USNRC-RES/PRAB
MS: T-9F31
A.J. Seebregts
ECN Nuclear Energy
Westerduinweg, 3
Postbus 1
NL-1755 Petten ZG
THE NETHERLANDS

Dr. S. Serra Stone & Webster Engineering Corp
Ente Naxionale per I'Energia Technical Information Center
Electtrica (ENEL) A. Hosford
via G.B. Martini 3 245 Summer Street
1-00198 Rome 245/01
ITALY Boston, MA 02210

H. Shapiro Dennis Strenge


Licensing & Risk Branch Pacific Northwest Laboratory
Atomic Energy of Canada Ltd. RTO/ 125
Sheridan Park Research Comm. P.O. Box 999
Mississauga, Ontario L5K 1B2 Richland, WA 99352
CANADA
Technadyne Engineer. Consultants (3)
Nathan O. Siu Attn: David Chanin
Center for Reliability and Risk Jeffery Foster
Assessment Walt Murfin
Idaho National Engineering Lab. Suite A225
EG&G MS: 3850 8500 Menual Blvd. N
P.O. Box 1625 Albuquerque, NM 87112
Idaho Falls, ID 83415-3855

Ashok Thadani
E. Soederman USNRC-NRR/ADT
ES-Konsult AB MS: 0-12G18
Energy and Safety
P.O. Box 3096
S-16103 Bromma T. G. Theofanous
SWEDEN University of California, S. B.
Department of Chemical and Nuclear
Engineering
Desmond Stack Santa Barbara, CA 93106
Los Alamos National Laboratory
Group Q-6, Mail Stop K556
Los Alamos, NM 87545 Catherine Thompson
USNRC-RES/SAIB
MS: T-10F13
Jao Van de Steen
KEMA Laboratories
Utrechtseweg, 310 Soren Thykier-Nielsen
Postbus 9035 Riso National Laboratory
NL 800 ET Arnhem Postbox 49
THE NETHERLANDS DK4000 Roskile
DENMARK

Eli Stern
Israel AEC Licensing Div. R. Toossi
P.O. Box 7061 Physical Research, Inc.
Tel-Aviv 61070 25500 Hawthorn Blvd.
ISRAEL Torrance, CA 90505

Dr. Egil Stokke Ennio Traine


Advisory Group ENEL
OECD Halden Reactor Project Via Vialiano, 48
P.O. Box 173 00144 Rome
N-1751 Halden ITALY
NORWAY

Ulf Tveten
Environmental Physics Section Seppo Vuori
Institutt for Energiteknikk Technical Research Centre of Finland
Postboks 40 Nuclear Engineering Laboratory
N-2007 Kjeller Lonnrotinkatu 37
NORWAY P.O. Box 169
Sf-00181 Helsinki 18
FINLAND
DS Department of Energy
Energy Library
Room G 034 /GTN Dr. Ian B. Wall
AD-622.1 81 Irving Avenue
Washington, DC 20585 Atherton, CA 94027

US Department of Energy Edward Warman


NS-50 (GTN) Stone & Webster Engineering Corp.
NS-10.1 P.O. Box 2325
S-161 Boston, MA 02107
Washington, DC 20585

J.E. Werner
U.S. Environmental Reactor Research & Techn Division
Protection Agency (2) DS DOE Idaho Operations
Attn: Allen Richardson MS: 1219
Joe Logsdon 850 Energy Drive
Office of Radiation Programs
Idaho Falls, ID 83401-1563
Environmental Analysis Division
Washington, DC 20460
Dr. Wolfgang Werner
Safety Assessment Consulting GmbH
Harold VanderMolen Veilchenweg 8
USNRC-RES/PRAB D 83254 Breitbrunn
MS: T-9F31 GERMANY

Dr. A. Valeri Westinghouse Electric Corp


A.N.P.A. Technical Library
Via Vitaliano Brancati, 48 P. O. Box 355
1-00144 Rome East 209
ITALY Pittsburgh, PA 15230

Magiel F. Versteeg Westinghouse Electric Corp


Ministry of Social Affairs NTD
and Employment Central File Nuclear Safety
P.O. Box 90804 P. O. Box 355
2509 LV Den Haag 408 1-A
THE NETHERLANDS Pittsburgh, PA 15230

Martin Virgilio Westinghouse Electric Company (3)


USNRC-NRR/DSSA Attn: John Lacovin
MS: 0-8E2 Burt Morris
Griff Holmes
Energy Center East, Bldg. 371
R. Virolainen, (Chairman PWG5) P.O. Box 355
Systems Integ. Off. (STUK) Pittsburgh, PA 15230
P.O. Box 268
Kumpulanite 7
SF-60101 Helsinki
FINLAND

Westinghouse Savannah River Co. (2)
Attn: Kevin O'Kula
Jackie East
Safety Technology Section
1991 S. Centennial Ave., Bldg. 1
Aiken, SC 29803

Donnie Whitehead
Department 6412, MS: 0747
Sandia National Laboratories
P.O. Box 5800
Albuquerque, NM 87185-0747

Keith Woodard
PLG, Inc.
7315 Wisconsin Ave.
Suite 620 East
Bethesda, MD 20814-3209

John Wreathall
John Wreathall & Co.
4157 MacDuff Way
Dubin, OH 43017

M. K. Yeung
University of Hong Kong
Mechanical Engineering Dept.
Polfulam
HONG KONG

Bob Youngblood
Brookhaven National Laboratory
Department of Nuclear Energy
Bldg. 130
Upton, NY 11973

Carlo Zaffiro
A.N.P.A.
Directorate for Nuclear
Via Vitaliano Brancate, 48
1-00144 Rome
ITALY

Dr. X. Zikidis
Greek Atomic Energy Comm.
N.R.C.P.S. "Demokritos"
GR-153 10 Agia Paraskevi
Attiki
GREECE

NRC FORM 335 (2-89)
U.S. NUCLEAR REGULATORY COMMISSION

BIBLIOGRAPHIC DATA SHEET
(See instructions on the reverse)

1. REPORT NUMBER (Assigned by NRC. Add Vol., Supp., Rev., and Addendum Numbers, if any.)
NUREG/CR-6144
BNL-NUREG-52399
Vol. 2, Part IB

2. TITLE AND SUBTITLE
Evaluation of Potential Severe Accidents During Low Power and Shutdown Operations at Surry, Unit 1: Analysis of Core Damage Frequency from Internal Events During Mid-loop Operations-Main Report (Chapters 7-12)

3. DATE REPORT PUBLISHED (MONTH, YEAR)
June 1994

4. FIN OR GRANT NUMBER
L1922

5. AUTHOR(S)
T.L. Chu, Z. Musicki, P. Kohut, D. Bley, J. Yang, B. Holmes, G. Bozoki, C.J. Hsu, D.J. Diamond, D. Johnson, J. Lin, R.F. Su, V. Dang, D. Ilberg, S.M. Wong, N. Siu

6. TYPE OF REPORT

7. PERIOD COVERED (Inclusive Dates)

8. PERFORMING ORGANIZATION — NAME AND ADDRESS (If NRC, provide Division, Office or Region, U.S. Nuclear Regulatory Commission, and mailing address; if contractor, provide name and mailing address.)
Brookhaven National Laboratory, Upton, NY 11973
PLG Inc., 4590 McArthur Blvd., Newport Bch., CA 92660-2027
AEA Technology, Winfrith, Dorchester, Dorset, England, DT2 8DH
MIT, Cambridge, MA 02139 (N. Siu currently at EG&G, Idaho Falls, ID 84315)
Soreq Nuclear Research Center, Yavne 70600, Israel

9. SPONSORING ORGANIZATION — NAME AND ADDRESS (If NRC, type "Same as above"; if contractor, provide NRC Division, Office or Region, U.S. Nuclear Regulatory Commission, and mailing address.)
Division of Safety Issue Resolution
Office of Nuclear Regulatory Research
U.S. Nuclear Regulatory Commission
Washington, DC 20555-0001

10. SUPPLEMENTARY NOTES

11. ABSTRACT (200 words or less)
During 1989, the Nuclear Regulatory Commission (NRC) initiated an extensive program to carefully examine the potential risks during low power and shutdown operations. The program includes two parallel projects being performed by Brookhaven National Laboratory (BNL) and Sandia National Laboratories (SNL). Two plants, Surry (pressurized water reactor) and Grand Gulf (boiling water reactor), were selected as the plants to be studied. The objectives of the program are to assess the risks of severe accidents initiated during plant operational states other than full power operation and to compare the estimated core damage frequencies, important accident sequences and other qualitative and quantitative results with those accidents initiated during full power operation as assessed in NUREG-1150. The objective of this report is to document the approach utilized in the Surry plant and discuss the results obtained. A parallel report for the Grand Gulf plant is prepared by SNL. This study shows that the core-damage frequency during mid-loop operation at the Surry plant is comparable to that of power operation. We recognize that there is very large uncertainty in the human error probabilities in this study. This study identified that only a few procedures are available for mitigating accidents that may occur during shutdown. Procedures written specifically for shutdown accidents would be useful.

12. KEYWORDS/DESCRIPTORS (List words or phrases that will assist researchers in locating the report.)
Surry-1 Reactor-Reactor Shutdown; Surry-1 Reactor-Risk Assessment; Surry-2 Reactor-Reactor Shutdown; Surry-2 Reactor-Risk Assessment; Failure Mode Analysis, Reactor Accidents, Reactor Core Disruption, Reactor Start-up, RHR Systems, Systems Analysis, Thermodynamics, Sandia National Laboratories

13. AVAILABILITY STATEMENT
Unlimited

14. SECURITY CLASSIFICATION
(This Page) Unclassified
(This Report) Unclassified

15. NUMBER OF PAGES

16. PRICE
