•I• Plant •nntrnl System AP1000 Probabilistic Risk AssessmentWhile this may be a conservative...
Transcript of •I• Plant •nntrnl System AP1000 Probabilistic Risk AssessmentWhile this may be a conservative...
CHAPTER 28
PLANT CONTROL SYSTEM
28.1 System Analysis Description
This chapter evaluates the reliability of the plant control system (PLS). Specifically, the analyses presented in this chapter assess the availability of the plant control system to provide the nonsafety-related functions necessary to control the plant during normal operation and to maintain the plant in a desired condition. Included in the assessed functions are the plant control system capability to control associated nonsafety components in the plant that are operated automatically and remotely from the main control room or remote shutdown workstation, and the plant control system capability to monitor the plant functions during and following an accident. In particular, the assessed functions of the plant control system include the availability of the system to:
" Automatically initiate the operation of appropriate systems to provide regulation of the reactor and other key components in response to load changes, and maximize margins to plant safety limits and the plant's transient performance
" Sense accident conditions and initiate the operation of associated mitigating systems and components
A description of the plant control system is provided in Chapter 7 of the APIO00 Design Control Document (DCD).
The AP1000 instrumentation and control architecture contains the following three major components: 1) protection and safety monitoring system (PMS), 2) plant control system, and 3) diverse actuation system (DAS). This chapter focuses on the assessment of the plant control system. The protection and safety monitoring system and diverse actuation system are discussed in Chapters 26 and 27, respectively.
Because of the rapid changes that are taking place in the digital computer and graphic display technologies employed in a modem human system interface, design certification of the AP1000 focuses upon the process used to design and implement instrumentation and control (I&C) systems for the AP1000, rather than on the specific implementation.
AP1000 DCD Chapter 7 has been written to permit the use of current (at the time of construction) commercial off-the-shelf hardware and software for the control system. The AP1000 PRA is based on one possible control system configuration designed to meet the requirements of DCD Chapter 7. The I&C functional requirements and the degree of redundancy modeled in the PRA are representative of the expected final I&C design.
The scope of the system analyses includes the following equipment:
"* Control cabinets "* Logic cabinets "* Signal selector cabinets
AP1000 Probabilistic Risk Assessment•I•_ Plant •nntrnl System
28-1 Revision 1
28. Plant Control System AP1000 Probabilistic Risk Assessment
"* Sensors "* Operator controls "* Main control room multiplexers and remote shutdown workstation multiplexers
Note that an assessment of the rod control system, while not included in the plant control system scope, is also developed in this chapter.
The analysis of the plant control system is divided into the following functional groups:
"* Control
- Automatic - Sensors through output driver modules - Manual - Control inputs through output driver modules
" Indication - Qualified data processing system (QDPS), data display and processing system (DDS), and diverse actuation system (DAS) (These systems, although not included formally in the plant control system, are evaluated to form a generic indication model in this chapter.)
The following paragraphs discuss the general approach taken for the modeling of each of the functional groupings.
Control
As part of the system trees, developed in the other chapters of this document, an actuation signal is typically needed as one of the inputs to a system tree to model the complete control of a component. For each of these required actuation signals, an I&C subtree is developed to model the unavailability of the plant control system to provide the actuation signal upon demand. There are 62 I&C subtrees that are developed in this chapter to support that purpose. The assigned systems/functions that they support in the models are as follows:
"* Compressed and instrument air system (CAS) "* Containment cooling system (CCS) "* Condenser system (CDS) "* Chemical volume and control system (CVS - pumps only) "* Main ac power system (ECS) "* Main feedwater system (MFS) * Main steam system (MSS) "* Normal residual heat removal system (RNS) "* Rod cluster control system (RCCS) "* Startup feedwater system (SFW) "• Service water system (SWS) "* Turbine building closed cooling water system (TCS) "* Hydrogen control system (VLS) "* Chilled water system (VWS)
A detailed description of the I&C subtree development is presented later in this chapter.
Revision 128-2
Indication
Wherever manual action is credited in the assessment of the plant control system, the availability of the systems that collect and provide appropriate information to be displayed as indications to the operator are modeled. A conservative simplified model is applied generically to the plant control system assessments to bound the availability of the indication functions. That model is developed as follows:
There are three basic paths that are assumed to be normally available to provide indication to the operator. These are:
* Data display and processing system * Qualified data processing system * Diverse actuation system
The unavailability of each of these systems to provide a particular indication is assigned at 1.OE-02 failures/demand. While it is expected that the actual unavailability of each of these systems to provide indication would be substantially better than the assigned value, there is not a total overlap of indication functions provided across all systems, and the conservative assigned value reflects the consideration of that limitation. These values are also consistent with the assigned unavailability of 1.OE-02 failures/demand for the diverse actuation system in general. While this may be a conservative assignment, it is assumed that each of the systems is capable of providing the essential indications required for the plant control system functions being modeled at that assigned rate. Therefore, failure of all three systems must occur before total loss of indication to the operator is achieved. This gives a total unavailability for the combinational loss of all indication systems of 1.OE-06 failures/demand. Due to diversity between the systems, the contribution of common mode failure is minimized in this evaluation and, hence, does not have a dominant contribution in this model.
The application of the result in the plant control system models is achieved by implementing a node representing the failure of all indication, which has the resultant contribution of 1.OE-06, wherever a manual action is credited. It should be noted that wherever the "failure of all indication" node is applied, a failure node representing the common mode failure of the associated instrumentation, namely sensors, is also applied. This is done to reflect the fact that the sensors, although independent, are conservatively expected to be of the same type. Therefore, they are susceptible to a common mode failure that could inhibit the availability of an accurate indication across all systems. This, too, is considered conservative because multiple queues are usually available to the operator as indications relating to the various plant parameters being monitored. The models of the plant control system generally only consider the most direct sensor/queue path and do not credit alternate paths.
28.1.1 Analysis of Support Systems
Power Distribution
The incorporation of the ac power distribution scheme for the plant control system in the analysis can be divided into the same functional groups previously mentioned.
28. Plant Control System -. AP1000 Probabilistic Risk Assessment
28-3 Revision I
AP1000 Probabilistic Risk Assessment
" Control - Loss of power to the modules that support the control functions leads to a default state that generally results in a "stay-as-is" state for the plant control system. In addition, due to the complexity of determining appropriate default states for each plant scenario that could be modeled, a conservative modeling approach has been taken which assumes that power is required for proper processing of information and final control signal actuation. Therefore, modeling of the potential for the loss of power is included in the plant control system fault trees. Credit is taken for the multiple trains of power that are available, some of which are backed by plant batteries.
" Indication - Loss of power is assumed to cause the loss of the associated indication path under consideration. The contribution due to loss of power is included in the bounding 1.OE-02 unavailability assigned to each system in the indication model. Loss of power does not result in a high contribution due to the redundant, battery-backed busses that are available.
Table 28-4 provides a detailed list of the power supporting systems.
Equipment Cooling
Loss of cooling to the plant control system cabinets, which could eventually lead to elevated cabinet temperatures, is detected by cabinet temperature sensors that are continuously monitored by the system. On detection of high cabinet temperature, the system assumes a predefined default state. Generally, that state is stay-as-is for the plant control system. To conservatively model the possibility for failure of this mechanism, the contribution for failure of the cabinet fan unit has been included in the modeling of each cabinet subsystem. Also, conditional probabilities given fan failure, and the coincident failure of the circuits that detect the high temperature, have been included as contributions to unavailability in the models.
28.1.2 Analysis of Instrumentation
The field signals are wired directly from the sensor, transmitter, switch, relay contact, or external systems to the plant control system input/output (1/0) termination boards. Assignment of the sensors and input groups to each of the plant control system fault tree models is performed on a function-by-function basis in the analyses. Where multiple sensors are used as inputs to a function and no redundancy or combinational logic is used, all sensors are conservatively assumed to be able to fail the function independently. Table 28-11 shows the sensor types that are used in the analyses.
28.1.3 Test and Maintenance Assumptions
Table 28-5 provides a detailed list of plant control system components testing frequency. Table 28-6 provides a description of the maintenance assumptions.
Automatic Testing
Automatic testing is used to test the signal selector cabinet subsystems. This analysis assumes that the automatic tester sequence will be initiated quarterly for the signal selector cabinet and that by operation, an equivalent quarterly time between tests for the remainder of the plant
Revision 1
28. Plant Control System
28--4
control system hardware can be conservatively assigned. This is because by normal, daily operation of the plant control system, testing of those functions is implicitly performed. This
is achieved two ways: 1) a plant control system demand is initiated by the operator and no
action or different action is implemented by the plant control system and, hence, is
observable to the operator, and 2) a plant control system change in demand or control state
occurs spuriously, which would also be detectable to the operator. There is the possibility that
a plant control system control channel could undetectably fail in an "stay as-is" state and then
manifest itself when a change in plant state is demanded, either automatically or manually. In
either case, the downtime before the state change demand occurs would not count against the
system in the analysis because the "as-is" state would match the current desired state of the
plant. Once the state change demand is received, however, the downtime is counted because
the system would then be failing on demand. In each of these cases, the time to diagnose the failure as being caused by failure of the plant control system could extend the "time to restore
function" of the plant control system beyond the assumed four-hour repair time assumed for
the plant control system hardware, given detectable failures. This additional time is more than
conservatively covered in assuming a quarterly time for detection for these faults. Note that the automatic testing requires manual initiation to enable it to perform its automated testing
sequence. This test frequency is used in the analysis availability equations to define the
mission time and/or downtime, given failure for the systems under consideration.
Self-Diagnostic Testing
Automatic self-diagnostic testing is performed during all modes of plant operation. This
testing is designed to provide early detection of hardware malfunctions. It is performed continuously. This type of diagnostic testing includes tests such as processor checks,
programmable read-only memory block check sums, read/write tests of random access memory, check sums of static random access memory data, check sums of shared memory
blocks, and data link transmission error detection. Extensive, detailed failure modes and
effects analyses (FMEAs) and functional block analyses (FBAs) have been performed on the plant control system modules to determine the effectiveness of these self-tests. In general, the results indicate that approximately 90 to 99 percent of the faults that could occur will be
detected by the diagnostics and will cause the system to assume a default state. These results
are also incorporated into the unavailability equations as the percentages of faults that are detectable and/or fail-safe.
Additional test and maintenance assumptions for each of the plant control system functions are described in this chapter.
Control
The plant control system hardware is internally tested on a continuous basis through the
application of on-line diagnostics and is functionally tested quarterly to demonstrate operability of all plant control system functions.
28-5 Revision 1
APIO00 Probabilistic Risk Assessment9R Plant (?nntrnl ,•v•tpm
Revision I28-5
28. lantContol SstemAP1000 Probabilistic Risk Assessment
Indication
By providing the basic indication functions for the plant, effective testing of the various indication paths is performed during each use of the indications available. Through comparison of the redundant displays, confirmation of correct processing and display can be assumed to be obtained on a continuous basis.
28.2 Performance During Accident Conditions
This section discusses the success criteria for the plant control system assessments following different initiating events. The plant control system provides automatic and manual actuation signals for the systems or functions that have been listed earlier. Each of the initiating events generates an appropriate control demand or actuation to mitigate plant damage. Table 28-1 lists the fault trees names created in modeling the plant control system I&C
system. The success criteria for each of these fault trees are described in Table 28-2.
28.3 Initiating Event Review
This section addresses the following two issues: 1) initiating events that impact the availability of the plant control system, and 2) initiating events that can be generated due to the failure of the plant control system.
28.3.1 Initiating Events Impacting the Plant Control System
Control
There are no initiating events that will impact the availability of the plant control system.
Indication
There are no initiating events that will impact the availability of the indication functions supported by the plant control system.
28.3.2 Initiating Event due to Loss of the Plant Control System
Control
Plant control system failure could lead to the failure to actuate or control plant systems. Failure of the plant control system could result in a spurious unplanned change in the state of plant components. This is possible if any one or combinations of the following cabinets fail: control cabinets, logic cabinets, signal selector cabinets, multiplexing cabinets, and communication subsystems. In the case of communications subsystems or signal selector cabinet failure, the manual actuation of the components is still possible by the plant control system. However, failure of logic cabinets or control cabinets can stop the ability of the plant control system to control both automatic and manual actuation of components. This is because the manual signals pass through the logic and control cabinets.
Revision 1
I
28. Plant Control System
28-6
Indication
The indication functions of the plant control system have no direct control over plant component actuation and cannot cause an initiating event by the plant control system. Only by failure to indicate correctly, coupled with failure of all other sources of display, failure of the associated operator action, and failure of the protection systems, is it possible to generate the condition for an initiating event originating from the plant control system indication functions.
28.4 System Logic Model Development
This section presents the logic models used for the quantification of system performance during various conditions. Each model depicts the system, given an initiating event. The top event logic for each model is defined by the success criteria, which are directly related to the initiator.
28.4.1 Assumptions and Boundary Conditions
The following assumptions and boundary conditions apply to the assessment of the plant control system:
a. The level of detail modeled for the plant control system is limited to the circuit board or line replaceable unit level.
b. Wiring and cables are available. Typically, failures of this equipment are experienced at the termination junctions of the transmitting and receiving boards, and the failure rates for wiring are typically much lower than the transmitting and receiving hardware. The effects of these failures are incorporated into the assessed performance of the associated circuits boards. In addition, the level of complexity, coding, and dynamic signaling techniques used in the transmission of data (such as deadman timers and on-line diagnostics) throughout the system force any failures of this type to become uniquely detectable. The effect of these failures is bounded by the performance of the transmitting and receiving circuitry.
c. The automatic tester subsystem is not analyzed in this evaluation, and the communication subsystem, although part of the protection and safety monitoring system, is analyzed for the part that is used for transmitting signals from the protection and safety monitoring system to the plant control system.
d. The self-diagnostic test is conservatively assumed to be automatically completed every five minutes, with an effectiveness in excess of 90 percent for all components that are monitored within the system. The actual effectiveness assigned is dependent on the module under consideration and the function that module is performing. Each value is
used in the availability equations that form the basic event data base numbers.
e. A mean time to repair (MTTR) for the I&C components is four hours for the components located in accessible areas during the plant normal operation.
AP1000 Probabilistic Risk Assessment
Revision I28-7
28. Plant Control System
f. No contribution due to random software failure is considered, because software failure falls solely under the category of common mode design failures. Appropriate nodes reflecting the common mode software failure of individual software implementations, as well as common mode failure of all software implementations within the system, are included in the modeling. Development of the software common mode models is discussed later in this chapter.
g. Cards connected directly to computer busses are capable of causing the busses to fail.
h. Pressure transmitters are used to measure pressure, level, or flow parameters.
" The first type of pressure transmitter, used to continuously interface with the reactor pressure and high temperature, measures the following parameters:
- Pressurizer (PZR) pressure - Pressurizer water level - Steam generator (SG) narrow-range and wide-range water level - Steam generator steam line pressure - Startup feedwater flow - Reactor coolant pump (RCP) flow
Common cause failures associated with these transmitters are named CCX-XMTR and/or CCX-XMTR195, as defined in Table 28-9.
"* The second type of pressure transmitter, which interfaces with high pressure and/or high temperature following an accident, measures the containment pressure. Common cause failures associated with these transmitters are named CCX-XMTR1.
" The third type of pressure transmitter senses a system pressure (that is, no stringent operating conditions). These transmitters (generally measuring pressure or flow) are used to start a standby loop (such as service water) on the failure of the normally operating one. Common cause failures (CCFs) associated with these transmitters are named CCX-TRNSM.
" A fourth type of pressure transmitter measures in-containment refueling water storage tank (IRWST) low water level. These transmitters sense very low pressure and normal temperature, except during passive residual heat removal (PRHR) actuation. Common cause failures associated with these transmitters are named IWX-XMTR.
i. The automatic testing performed by the automatic tester subsystem comprehensively tests all associated boards and is performed every three months. A manual starting of the automatic tester subsystem is required.
j. The sensors and the field contacts are powered by the same bus of the plant control system, that is, by the Non-lE, 120-vac uninterruptible power supply (UPS).
Revision 1
AP1000 Probabilistic Risk Assessment
28-8
k. For the plant control system, when a component can be manually actuated at system level as well as component level, the failure of the common part of the chain (such as the logic cabinet) is modeled to reflect that singularity and is integrated with the individual input and output circuits required.
1. Instrument line plugging during plant normal operation is assumed undetectable until variations in plant conditions occur. Given that a plugged line occurs, the sensor/transmitters continue to record the same value as before the plugging occurred. It is assumed that the operator performs a "channel check" every 24 hours. This consists of reading and comparing the values of the same parameter coming from the four divisional sensor/transmitters.
If a large variation on the plant conditions (such as pressure and level) occurs, the sensor/transmitter connected with the plugged instrument line records a value different from the others. This alerts the operator to the degradation of the sensor/transmitter, which is put into a bypass state until the next refueling. This potential downtime is reflected in the development of the sensor unavailabilities.
m. The power source of 120 vac is modeled in all the trees because a power failure is assumed to cause a "stay-as-is" state for the plant control system and may require power for proper operation.
n. The implementation of the I&C subtrees is determined by combining the success criteria (as described in the chapters for which the subtrees are developed), the instrument lists, and information regarding the modeled function (as described in the process block diagrams) listed in Section 28.6.
o. The loss-of-cooling assembly does not affect the board's performance, but failure of the heating, ventilation, and air conditioning (HVAC) fan units has been conservatively included in the modeling of the systems.
p. In case of a blackout, one out of two subsystems of control cabinets and logic cabinets is inoperable. It is assumed in the analysis that the second subsystem works correctly because it is supplied by an uninterruptible power supply.
q. Where many (more than three) independent, diverse sensor measurements are available as inputs for the processing of a particular functional operation, a conservative 1.01E-06 failures/demand rate is assigned to represent the unavailability contribution due to failure of all the associated input sensors.
28.4.2 Fault Tree Models
The plant control system fault tree models included in this section are comprised of I&C subtrees generically labeled as:
SYS-IC - Failure of the plant control system to provide automatic and/or manual actuation signals to plant equipment, incorporating the appropriate parts of the plant control system engineered safety features I&C. There are 62 plant control system I&C
,-,AP1000 Probabilistic Risk Assessment28. Plant Control System
28-9 Revision I
28. Plant Control System AP1000 Probabilistic Risk Assessment
subtrees, each of which are detailed in Table 28-2. Note that for each of the 62 I&C subtrees, a list of their associated subtrees is provided. These trees, when linked together according to batch-run files, form the individual I&C subtrees. This is described in detail in the following.
The fault trees for the plant control system I&C subtrees and their associated subtrees can be found in Appendix E.
The fault tree analysis results provide quantitative values of the total system unavailability and the importance of specific components to that total. Table 28-1 provides a brief description of the fault trees modeled. Table 28-2 provides the success criteria summaries for these fault trees. The event file for these trees is listed in Table 28-10.
28.4.3 Description of I&C Subtree Development
The I&C subtrees are developed in a modular fashion that facilitates the construction, assembly, and review of the various I&C subtree functions required for the analysis. To illustrate, the application of this method, the CAS-ICI I&C subtree is used. The trees required to construct the CAS-IC1 I&C subtree are listed in the first column of the second entry in Table 28-2, I&C Subtree Success Criteria. They are (with description):
* CAS-ICOl: top Tree of CAS-ICI - Failure to actuate compressor B and VOOlB
* ElICASO0: failure control cabinet subsystem 1 analog input modules
* ElOCASO1: failure control cabinet subsystem 1 analog output modules
* E2ICAS01: failure control cabinet subsystem 2 analog input modules
* E2OCASO1: failure control cabinet subsystem 2 analog output modules
* EPICAS01: failure logic cabinet digital input modules
* EPOCAS01: failure logic cabinet output driver modules
* MA1CASOl: failure manual action (human error)
* SllCASO0: failure of plant control system sensor group 1
* SIICAS01: failure of plant control system sensor group 1 for indication (common cause failure)
* APLLL09: failure of plant control system logic cabinet 9 (auto-non-signal selector cabinet input)
* APLCC02: failure of plant control system control cabinet 2 (autonon-signal selector cabinet input)
* MPLL09: failure of plant control system logic cabinet 9 (manual)
28-10 Revision 1
A discussion of the assembly of these trees is presented in detail. The following paragraphs describe the naming conventions that are used for the tree types. Note that each of the tree names contains a three-character system designator (e.g., CAS) and other unique identifiers. For the top tree, the naming convention is as follows:
SYS-ICXX
where
SYS = the three-character system designator
XX = the two-digit number representing a unique individual I&C subtree number within each system
Exceptions to this convention are as follows:
The "-" is sometimes replaced by a B or P to signify a blackout or loss-of-offsite power (LOOP) tree, respectively.
The XX is sometimes made up of characters and/or numbers (e.g., 01, Al, 99) to accommodate the organization of the I&C subtrees.
The three-character system designators addressed in the PLS are:
CAS CVS MSS SFW VLS
CCS ECS RCS SWS VWS
CDS MFW RNS TCS
There are two general types of supporting trees. These are cabinet trees and I&C specific trees, the majority of which support the cabinet trees. For the plant control system cabinet trees, the naming convention is as follows:
APLIPC(Y) where Y = B, P, or Y for blackout, LOOP, or yearly frequency analysis, respectively
Note that the APL stands for automatic plant control system, and the IPC indicates the input cabinetry. These cabinet trees are not used for manual actuation.
QPLXYY(Z) where Q = A for automatic actuation and M for manual actuation
and X = C or L to indicate control cabinet versus logic cabinet, respectively
28-11
Revision 1
28. Plant Control System ,AP1000 Probabilistic Risk Assessment
28-11 Revision I
AP1000 Probabilistic Risk Assessment
and YY = 01 through 03 for control cabinets, and 01 through OD (hexadecimal notation) for logic cabinets, to indicate which cabinet of a certain type is being used
and Z = B, P, or Y for blackout, LOOP, or yearly frequency analysis, respectively
Note: PL stands for plant control system.
The list of plant control system cabinet trees is as follows:
" Automatic plant control system input cabinets (transient, blackout, LOOP):
APLIPC APLIPCB APLIPCP
" Automatic plant control system control cabinets - signal selector cabinet inputs (transient, blackout, LOOP):
APLC01 APLC01B APLCO1P
APLC03 APLC03B APLC03P
" Automatic plant control system logic cabinets - signal selector cabinet inputs (transient, blackout, LOOP):
APLL01 APLL01B APLLO1P
APLLOD APLLODB APLLODP
" Automatic plant control system control cabinets - non-signal selector cabinet inputs (transient, blackout, LOOP):
APLCCO1 APLCC01B APLCCO1P
APLCC03 APLCC03B APLCC03P
" Automatic plant control system logic cabinets - non-signal selector cabinet input (transient, blackout, LOOP):
APLLL01 APLLL01B APLLL01P
APLLLOD APLLLODB APLLLODP
" Manual plant control system control cabinets (transient, blackout, LOOP):
MPLCO1 MPLC01B MPLCO1P
MPLC03 MPLC03B MPLC03P
Revision 1
28. Plant Control System
28-12
* Manual plant control system logic cabinets (transient, blackout, LOOP):
MPLLO1 MPLLO1B MPLLO1P
MPLLOD MPLLODB MPLLODP
Tables 28-12 and 28-13 show the assignment of the various plant systems to each of the plant control system cabinets.
For the I&C-specific support trees, the following naming convention is applied:
XXXSYSNN
where
XXX = tree type, where the types with descriptions are as follows:
"* EPO: failure of plant control system logic cabinet output driver modules
"* EPI: failure of plant control system logic cabinet digital input modules
"* MALI failure of manual action (human error)
"* S 11: failure of plant control system sensor group 1 (division 1 or single sensor)
"* S12: failure of plant control system sensor group 2 (division 2)
"* S13: failure of plant control system sensor group 3 (division 3)
" S 14: failure of plant control system sensor group 4 (division 4)
"* S3D: failure of diverse actuation system sensor groups (common cause failure)
"* SC 1: failure of plant control system sensor groups (common cause failure)
"* SII: failure of plant control system sensors used for indication (common cause failure)
" Eli: failure of plant control system control cabinet subsystem 1 analog input modules
" E21: failure of plant control system control cabinet subsystem 2 analog input modules
"* E10: failure of plant control system control cabinet subsystem 1 analog output modules
28-13
Revision 1
AP1000 Probabilistic Risk Assessment
28-13 Revision I
E20: failure of plant control system control cabinet subsystem 2 analog output modules
and SYS = the system designator, where the systems are as follows:
CAS CCS CDS CVS ECS MFW MSS RCS RNS SFW SWS TCS VLS VWS
and NN = the number of the I&C subtree within each system application, where NN is made up of characters and/or numbers (e.g., 01, Al, 99) to accommodate the organization of the I&C subtrees.
To construct an I&C subtree, a top tree is first generated. For this example, to generate the CAS-ICI I&C subtree, the top tree, CAS-ICOl, is developed. When fully developed, linked, and quantified, the output of the CAS-ICO0 top tree is named to correspond with the I&C subtree name, CAS-ICI, to support linking and quantification of the calling system trees.
The logic of the CAS-ICOl top tree shows that both automatic and manual actuations must fail to cause total actuation failure. Note that the top branch is composed of two contributory elements: failure of automatic and manual plant control and common mode software failure of all boards-CCX-SFTW. Failure of either element causes failure of the actuation. The plant control branch is composed of two elements: failure of automatic plant control and failure of manual plant control-SUB-MPLL09, both of which must fail to cause total failure of the actuation. The SUB prefix in SUB-MPLL09 indicates that the MPLL09 cabinet tree will be linked into this tree. From previously, the MPLL09 cabinet tree represents failure of the plant control system manual logic cabinet 9 actuation. Expansion of the MPLL09 tree is discussed in the following.
The automatic branch of CAS-IC01 shows that either the logic control (logic cabinet) or control group (control cabinet) actuation paths can fail to cause total failure of the automatic actuation for this case. The plant control system automatic actuation failure branch calls SUB-APLLL09 and SUB-APLCC02 for the logic cabinet and control cabinet, respectively. From previously, the APLLL09 cabinet tree represents failure of the automatic plant control system logic cabinet 9-non-selector signal cabinet input, and the APLCC02 cabinet tree represents failure of the automatic plant control system control cabinet 2. Expansion of the APLLL09 and APLCC02 trees are discussed in the following. Simplified versions of the files that perform the naming and linking of the trees are shown in Table 28-3.
At this point in the discussion, top tree CAS-ICO0 and its immediate subtrees that are called have been addressed. This can be represented as follows, where indentation indicates called subtrees, and <= indicates the renaming of the application specific output file for linking as a generic name. (Called trees with no <= indicate that the called name is a specific rather than a generic call. Therefore, the called name is exactly the same as the supporting tree name, and no renaming is required.)
Revision 1
28. Plant Control System AP1000 Probabilistic Risk Assessment
28-14
CAS-IC1 <= CAS-ICO0 MPLL09 APLLL09 APLCC02
The MPLL09 tree models the logic of the manual MUX and logic cabinets. Using the same format as presented before, the subtrees that are called from the MPLL09 tree are as follows:
MPLL09 EPO ESFOPER CCXSNRS2 EDlEAll ED1EA2
EPOCASO0 MA1CASO0 SI1CASO0
Note: The MPLL09 tree always calls EDlEAll and EDlEA2, but the actual tree used for the EPO, ESFOPER, and CCXSNRS2 trees are dependent on the application; hence, EPOCAS01, MAlCASOl, and SI1CASOl are assigned, respectively, in this case.
The APLLL09 tree models the logic of the automatic plant control system logic cabinets. The subtrees that are called from the APLLL09 tree are as follows:
APLLL09 EPO EPI1 PLSENSOR ED1EA11 ED1EA2
EPOCASO1 EPICAS01 S11CASO0
Note: The APLLL09 tree always calls EDlEAl1 and ED1EA2, but the actual trees used for the EPO, EPI1, and PLSENSOR trees are dependent on the application; hence, EPOCAS01, EPICASO1, and S I1CASO0 are assigned, respectively, in this case.
The APLCC02 tree models the logic of the automatic plant control system control cabinets. The subtrees that are called from the APLCC02 tree are as follows:
APLCC02 EAOI EAO2 EAI1 EAI2 PLSENSOR ED1EAl1 ED 1EA2
EIOCAS01 E2OCAS01 EIICAS01 E2ICASOI SllCASOI
28-15
Revision I
28. Plant Control System AP1000 Probabilistic Risk Assessment
28-15 Revision 1
AP1000 Probabilistic Risk Assessment
Note: The APLCC02 tree always calls ED1EAll and ED1EA2, but the actual trees used for the EAO1, EOA2, EAI1, EAI2, and PLSENSOR trees are dependent on the application; hence, ElOCASO1, E2OCASO1, ElICAS01, E2ICAS01, and S11CASOI are assigned, respectively, in this case.
Combining the information shown previously, the full CAS-IC1 tree is then expanded as follows:
CAS-ICI <= CAS-IC01 MPLL09
EPO <= EPOCASO1 ESFOPER <= MAICAS01 CCXSNRS2 <= SIICAS01ED1EAll ED 1EA2 APLLL09 EPO EPIl PLSENSOR ED1EAl1 EDlEA2
APLCC02 EAO1 EAO2 EAI1 EAI2 PLSENSOR ED1EA11 ED1EA2
EPOCASO1 EPICASO1 S11CASOI
ElOCASO1 E2OCASO1 EIlCASO0 E2ICAS01 SlCASO1
By using this modular fault tree-linking methodology, trees that are called by many I&C subtree functions (such as the cabinet trees) can be created and reviewed once, and then configured in the overall I&C subtree linking along with the appropriate supporting input trees as many times as required. This removes the need for the same tree to be explicitly modeled repeatedly in multiple trees.
The linking of the I&C subtrees is performed automatically using a set of batch-run files to execute the running, renaming, and linking of the trees. Simplified versions of those files are shown in Table 28-3 to facilitate review of the I&C subtrees.
28.4.4 Human Interactions
Generally, human interactions are modeled in the plant control system fault trees where operator action is needed to initiate a manual control demand or actuation. Note that for the I&C subtrees in high only manual action and no automatic action is credited, the human interactions are generally modeled in the calling system level trees and not in the I&C
Revision 1
28. Plant Control System
28-16
subtrees. This is done to facilitate the correct development of the logic in those system level
trees. Table 28-8 lists a summary of the human errors included as basic events in the
two reactor trip system fault trees. Note that the details on the calculation of human errors are
discussed in Chapter 30.
28.5 Discussion of Methodology
The following subsections present the methods that have been applied in this analysis. These
are fault tree analysis (FTA), by which the system level results are calculated; data
manipulation, in which the individual part failure rates are obtained and processed for use in
the fault tree analyses as unavailabilities and failure probabilities; and common mode failure
analysis, in which the contributions of common faults across redundant portions of the design are calculated.
28.5.1 Fault Tree Analysis
The availability and reliability of the plant control system I&C systems are demonstrated
using the fault tree analysis methodology. The fault tree analysis method uses a quantified
logic diagram showing the various paths of failures and combinations of failures that can lead
to an undesired event for the system being studied. The fault tree analysis determines the probability of occurrence of each part as well as the logical sum of the probabilities, which is
the probability of failure of the undesired event of the system as a whole. The fault tree
analysis methodology applied is consistent with the specification for reliability assessments in ANSMIIEEE-352-1987.
The following paragraphs discuss the key fault tree analysis modeling and quantification methods used in the analyses. The first portion of the discussion is applicable to the spurious
failure-rate-per-year calculations, and the latter portion of the discussion applies to the fault
tree analyses that are performed to produce unavailability or failure-upon-demand results.
28.5.2 Unavailability
For the plant control system I&C analyses, the application of the fault tree analyses for the
failure-on-demand cases is performed using the standard fault tree analysis unavailability application, where ORed events effectively sum the event unavailabilities, and ANDed events have their respective unavailabilities multiplied. The result from the fault tree analyses directly produces the final unavailabilities, and no further processing is performed. This is the standard method used for evaluation of fault tree analyses to give system level unavailabilities.
28.5.3 Common Cause Failures
Several common cause failures within the plant control system are considered credible and accounted for explicitly during construction of the fault trees. Mainly two common cause failures are identified: hardware common cause failures due to the use of the same type of
boards for many subsystems and software common cause failures.
28-17
Revision 1
9• Plo• I•nntrnl .•Iv•tpm
Revision I28-17
The hardware common cause failure evaluations are based on the multiple greek letter method (MGL), which uses beta, gamma, and delta factors to represent the conditional probabilities of second-, third-, and fourth-order failures, respectively, due to common cause. These factors are then applied to the random hardware failure probabilities to produce the common cause failure probabilities. Both common cause failures of components within a system and common cause failures of components across systems are addressed. It should be noted that the method used in calculating the multiple greek letter factors for the hardware common cause failure includes a substantial contribution due to the inclusion of software in the design. This inclusion is deliberately left in the analysis as an added measure of conservatism when considering the potential impacts of software failures on the system, in addition to the contributions for software common mode failure described in the following.
The software common cause failure evaluations are based on a model that incorporates a number of factors that can affect the development and implementation of the software modules. This model yields a resultant software common mode unavailability of l.lE-05 failures/demand for any particular software module, and a software common mode unavailability of 1.2E-06 failures/demand for software failures that would manifest themselves across all types of software modules, derived from the same basic design program, in all applications.
The supporting common cause failures used in the analyses are presented in Table 28-9. The
data files used for quantification are included in Chapter 32.
28.5.4 Data Manipulation
This section discusses how individual component unavailabilities and probabilities of failure are computed for input into the logic in the fault trees.
The data used in this analysis are computed based upon the following generic formulas for computing component unavailability:
Unavailability: A = (MTTR)/(MT/F + MTTR) MTTF = mean time to failure MTTR = mean time to repair
These simple formulas are enhanced to correctly model the board utilization for multiple channel boards and the fault tolerance of the component using the following factors:
" ADJ - The adjust factor is used to adjust the component failure rate based on the percentage of the component's hardware needed to perform the function modeled. For example, the failure rate for a four-channel input module that uses only one channel to perform the required function is adjusted appropriately with the ADJ factor to account for the fact that only failures of the channel used and any hardware that is common to all of the channels can affect the required function performed by the module.
" FD - The fail-danger factor is used to apportion failures that are undetectable or result in the nondefault or undesired state. This factor is derived from the results of the failure modes and effects analyses and functional block analyses. .-
I
28. Plant Control System AP1000 Probabilistic Risk Assessment
28-18 Revision 1
The following discussion explains the data manipulations performed for the data sets used in quantifying failure-upon-demand plant control system configurations. The component unavailability is computed as follows:
AT = 1 - (MTTF/ADJ)/((MTTF/ADJ) + FD*T/2 + MTTR)
In this case, the mean time to failure is only adjusted by the adjust term, since both fail-safe and fail-danger terms are being considered. The fail-danger term, though, is used in adding additional downtime experienced by the system due to undetected failures. In this case, the average amount of downtime experience due to undetected failures is computed by apportioning the mission time (T)-divided-by-two term by the percentage of failures that can result in the nonsafe and undetectable state.
Failure probabilities calculated in this section are shown in Table 28-7.
28-19 Revision 1
AP1000 Probabilistic Risk Assessment
Revision I28-19
AP1000 Probabilistic Risk Assessment
Revision I
Table 28-1
LIST OF SYSTEM FAULT TREES
Fault Tree Name Description
SYS-IC Failure of the I&C systems to provide automatic and/or manual actuation signals to plant equipment, incorporating the appropriate parts of the plant control system and diverse actuation system.
28. Plant Control System
28-20
28. Plant Control Svstem AlO rbblsi ikAssmn
Table 28-2 (Sheet 1 of 22)
FAULT TREE SUCCESS CRITERIA SUMMARY
Components System Required to
Event Success Initial Mission Change Initiating Operator Fault Tree Description Configuration Status Time Status Signals Actions
AS01 Failure to actuate Accurately accept All 24 hours Actuate output As defined in As defined in
SI ICAS01 compressor B and inputs, process channels driver modules Chapter 30, Chapter 30,
SI1CASO0CAS VOO1B (loop) information, and operational Table 30-2 Table 30-2
-ICIP actuate control
CASPIC01 signals
EIICAS01 ElOCAS01 E2ICAS01 E2OCASOI EPICAS01 EPOCAS01 MA1C APLLL09P APLCC02P MPLL09P
CAS-ICI Failure to actuate Accurately accept All 24 hours Actuate output As defined in As defined in
CAS-IC01 compressor B and inputs, process channels driver modules Chapter 30, Chapter 30,
EIICAS01 V001B information, and operational Table 30-2 Table 30-2
ElOCAS01 actuate control
E2ICAS01 signals
E2OCAS01 EPICAS01 EPOCAS01 MAICAS01 Sl1CAS01 SI1CAS01 APLLL09 APLCC02 MPLL09
CAS-IC2P Failure to control Accurately accept All 24 hours Actuate output As defined in As defined in
CASPIC02 compressor A inputs, process channels driver modules Chapter 30, Chapter 30,
ElICAS02 (loop) information, and operational Table 30-2 Table 30-2
E1OCAS02 actuate control
E2ICAS02 signals
E2OCAS02 EPICAS02 EPOCAS02 S11CAS02 APL.,09P
APLCC02P
28-21
Revision 1
AP1000 Probabilistic Risk Assessment
Revision I28-21
28. Plant Control System
Table 28-2 (Sheet 2 of 22)
FAULT TREE SUCCESS CRITERIA SUMMARY
Components System Required to
Event Success Initial Mission Change Initiating Operator Fault Tree Description Configuration Status Time Status Signals Actions
CAS-IC2 Failure to control Accurately accept All 24 hours Actuate output As defined in As defined in
CASCAS-IC02 compressor A inputs, process channels driver modules Chapter 30, Chapter 30,
EIICAS02 information, and operational Table 30-2 Table 30-2
ElOCAS02 actuate control
E2ICAS02 signals
E2OCAS02 EPICAS02 EPOCAS02 SIICAS02 APLLL09 APLCC02
CAS-IC3P Failure to control Accurately accept All 24 hours Actuate output As defined in As defined in
CASPIC03 compressor B inputs, process channels driver modules Chapter 30, Chapter 30,
EIICAS03 (loop) information, and operational Table 30-2 Table 30-2
EIOCAS03 actuate control
E2ICAS03 signals
E2OCAS03 EPICAS03 EPOCAS03 SIICAS03 APLLL09P APLCC02P
CAS-IC3 Failure to control Accurately accept All 24 hours Actuate output As defined in As defined in
CAS-IC03 compressor B inputs, process channels driver modules Chapter 30, Chapter 30,
ElICAS03 information, and operational Table 30-2 Table 30-2
EIOCAS03 actuate control
E2ICAS03 signals
E2OCAS03 EPICAS03 EPOCAS03 S 11CAS03 APLLL09 APLCC02
Revision 1
AP1000 Probabilistic Risk Assessment
28-22
Table 28-2 (Sheet 3 of 22)
FAULT TREE SUCCESS CRITERIA SUMMARY
Components System Required to
Event Success Initial Mission Change Initiating Operator Fault Tree Description Configuration Status Time Status Signals Actions
CAS-IC4P Failure to actuate Accurately accept All 24 hours Actuate output As defined in As defined in
CASPIC04 compressor A inputs, process channels driver modules Chapter 30, Chapter 30,
EIICAS04 (loop) information, and operational Table 30-2 Table 30-2
EIOCAS04 actuate control
E2ICAS04 signals
E2OCAS04 EPICAS04 EPOCAS04 MAICAS04 SllCAS04 SIICAS04 APLLL09P APLCC02P MPLL09P
CAS-IC5 Failure to control Accurately accept All 24 hours Actuate output As defined in As defined in
CAS-IC05 compressor A inputs, process channels driver modules Chapter 30, Chapter 30,
ElICAS05 (yearly) information, and operational Table 30-2 Table 30-2
ElOCAS05 actuate control
E2ICAS05 signals
E2OCAS05 EPICAS05 EPOCAS05 SIICAS05 APLLL09Y APLCC02Y
CCS-IC1 Failure to actuate Accurately accept All 24 hours Actuate output As defined in As defined in
CCS-IC01 standby pump inputs, process channels driver modules Chapter 19, Chapter 19,
EIICCS01 sub-loop B information, and operational Table 19-2 Table 19-2
EIOCCS01 actuate control
E2ICCS01 signals
E2OCCSOI EPICCS01 EPOCCS01 MA1CCS01 S1ICCS01 SIlCCS0l APLLL01 APLCCO1 MPLL01
28-23
Revision 1
28. Plant Control System AP1000 Probabilistic Risk Assessment
28-23 Revision I
28. Plant Control System AP1000 Probabilistic Risk Assessment
Table 28-2 (Sheet 4 of 22)
FAULT TREE SUCCESS CRITERIA SUMMARY
Components System Required to
Event Success Initial Mission Change Initiating Operator Fault Tree Description Configuration Status Time Status Signals Actions
CCS-IC2P Failure to actuate Accurately accept All 24 hours Actuate output As defined in As defined in
CCSPIC02 pump sub-loop A inputs, process channels driver modules Chapter 19, Chapter 19, (loop) information, and operational Table 19-2 Table 19-2
actuate control EIOCCS02 signals E2ICCS02 E2OCCS02 EPICCS02 EPOCCS02 MA1CCS02 S1ICCS02 SIICCS02 APLLLOIP APLCCO1P MPLLO1P
CCS-IC3P Failure to actuate Accurately accept All 24 hours Actuate output As defined in As defined in
CCSPIC03 standby pump inputs, process channels dnver modules Chapter 19, Chapter 19, sub-loop B (loop) information, and operational Table 19-2 Table 19-2
actuate control EIOCCS03 signals E2ICCS03 E2OCCS03 EPICCS03 EPOCCS03 MA1CCS03 SIICCS03 SI1CCS03 APLLL01P APLCCO1P MPLLOIP
Revision 1
28. Plant Control System AP1000 Probabilistic Risk Assessment
28-24
Table 28-2 (Sheet 5 of 22)
FAULT TREE SUCCESS CRITERIA SUMMARY
Components System Required to
Event Success Initial Mission Change Initiating Operator Fault Tree Description Configuration Status Time Status Signals Actions
CCS-IC3 Failure to actuate Accurately accept All 24 hours Actuate output As defined in As defined in
CCSIC03 standby pump inputs, process channels driver modules Chapter 19, Chapter 19, sub-loop B information, and operational Table 19-2 Table 19-2
actuate control EIOCCS03 signals E2ICCS03 E2OCCS03 EPICCS03 EPOCCS03 MAlCCS03 S11CCS03 SIICCS03 APLLL01 APLCC01 MPLL01
CDS-ICl Failure to start Accurately accept All 24 hours Actuate output As defined in As defined in CDS pump B inputs, process channels driver modules Chapter 16, Chapter 16,
CDS-C (automatic) information, and operational Table 16-2 Table 16-2 actuate control
EIOCDS01 signals E2ICDS01 E2OCDSO1 EPICDSO1 EPOCDSO1 SI1CDSOI APLCC03 APLLLOD
CDS-IC2 Failure to control Accurately accept All 24 hours Actuate output As defined in As defined in air-operated valve inputs, process channels driver modules Chapter 16, Chapter 16,
CDS02 V022 information, and operational Table 16-2 Table 16-2 actuate control
EIOCDS02 signals E2ICDS02 E2OCDS02 EPICDS02 EPOCDS02 S 11CDS02 APLCC03 APLLLOD
28-25
Revision 1
28. Plant Control System APIO00 Probabilistic Risk Assessment
28-25 Revision I
Table 28-2 (Sheet 6 of 22)
FAULT TREE SUCCESS CRITERIA SUMMARY
Components System Required to
Event Success Initial Mission Change Initiating Operator Fault Tree Description Configuration Status Time Status Signals Actions
CDS-IC3 Failure to control Accurately accept All 24 hours Actuate output As defined in As defined in air-operated valve inputs, process channels driver modules Chapter 16, Chapter 16, CDS-1C03 V2 al 62 Tbe1
EICDS3 V025 information, and operational Table 16-2 Table 16-2 actuate control
EIOCDS03 signals E2ICDS03 E2OCDS03 EPICDS03 EPOCDS03 S11CDS03 APLCC03 APLLLOD
CVS-IC1 Failure to start Accurately accept All 24 hours Actuate output As defined in As defined in CVS pump A inputs, process channels driver modules Chapter 17, Chapter 17, CVS-IC01
EPOCVSOI (manual) information, and operational Table 17-2 Table 17-2 actuate control
MAICVS01 signals SI1CVS01 MPLL03
CVS-IC2 Failure to start Accurately accept All 24 hours Actuate output As defined in As defined in CVS pump B inputs, process channels driver modules Chapter 17, Chapter 17, CVS-IC02
EPOCVS02 (manual) information, and operational Table 17-2 Table 17-2 actuate control
MAICVS02 signals SI1CVS02 MPLL03
CVS-IC3 Failure to start Accurately accept All 24 hours Actuate output As defined in As defined in CVS pump A inputs, process channels driver modules Chapter 17, Chapter 17, CVS-IC03
EPOCVS03 (automatic) information, and operational Table 17-2 Table 17-2 actuate control
MAICVS03 signals S IICVS03 S12CVS03 S13CVS03 S14CVS03 SCICVS03 APLIPC APLL03
Revision 1
\ *1
28. Plant Control System AP1000 Probabilistic Risk Assessment
28-26
28. Plant Control System AP1000 Probabilistic Risk Assessment
Table 28-2 (Sheet 7 of 22)
FAULT TREE SUCCESS CRITERIA SUMMARY
Components System Required to
Event Success Initial Mission Change Initiating Operator Fault Tree Description Configuration Status Time Status Signals Actions
CVS-1C9 Failure to trip CVS Accurately accept All 24 hours Actuate output As defined in As defined in
pump inputs, process channels driver modules Chapter 17, Chapter 17, CVS-SC09 information, and operational Table 17-2 Table 17-2
EPOCVS09 actuate control MAICVS09 signals S I1CVS09 S 12CVS09 S13CVS09 S14CVS09 SC1CVS09 SI1CVS09 APLIPC APLL03 MPLL03
CVS-IClO Failure to trip Accurately accept All 24 hours Actuate output As defined in As defined in
CVS4Clo startup feedwater inputs, process channels driver modules Chapter 17, Chapter 17,
EPOCVS10 pump information, and operational Table 17-2 Table 17-2 actuate control
MA1CVS10 signals
SlICVS10 S12CVSIO S13CVSIO S14CVS10 SCICVS10 SI1CVSl0 APLIPC APLL03 MPLL03
CVS-ICl 1 Failure to alarm Accurately accept All 24 hours Actuate output As defined in As defined in
low boric acid tank inputs, process channels driver modules Chapter 17, Chapter 17, CVS-ICll level information, and operational Table 17-2 Table 17-2
actuate control
signals
28-27
Revision 1
,AP1000 Probabilistic Risk Assessment28. Plant Control System
28-27 Revision 1
sAP1000 Probabilistic Risk Assess ent
Table 28-2 (Sheet 8 of 22)
FAULT TREE SUCCESS CRITERIA SUMMARY
Components System Required
Event Success Initial Mission to Change Initiating Operator Fault Tree Description Configuration Status Time Status Signals Actions
ECS-ICIB Failure to start Accurately accept All 24 hours Actuate output As defined in As defined in diesel generator-1 inputs, process channels driver modules Chapter 24, Chapter 24,
ECSB 1 (blackout) information, and operational Table 24-2 Table 24-2 E 11ECS01
actuate control EIOECSOI signals E2IECS01 E2OECS01 ECSBIC01 EPIECS01 EPOECS01 MA1ECS01 SIlECS01 SIIECS01 APLLL05B APLCCO1B MPLL05B
ECS-IC2B Failure to start Accurately accept All 24 hours Actuate output As defined in As defined in diesel generator-2 inputs, process channels driver modules Chapter 24, Chapter 24, ECSBIC02
ElIECS02 (blackout) information, and operational Table 24-2 Table 24-2 actuate control
EIOECS02 signals E2IECS02 E2OECS02 ECSBIC02 EPIECS02 EPOECS02 MAIECS02 S 11ECS02 SIIECS02 APLLL05B APLCCO1B MPLL05B
Revision 1
28. Plant Control System
-- 1/
28-28
I)Q IDln* d- .f-1 Q vc*P P0 rbblstcRs Assmn
Table 28-2 (Sheet 9 of 22)
FAULT TREE SUCCESS CRITERIA SUMMARY
Components
System Required to
Event Success Initial Mission Change Initiating Operator
Fault Tree Description Configuration Status Time Status Signals Actions
ECS-IC3B Failure to open Accurately accept All 24 hours Actuate output As defined in As defined in
motor generator inputs, process channels driver modules Chapter 24, Chapter 24, ECSBIC03 breaker (blackout) information, and operational Table 24-2 Table 24-2
EIOECS03 actuate control
E21ECS03 signals E2IECS03 E2OECS03
ECSBIC03 EPIECS03 EPOECS03 MAIECS03 SlIlECS03 SIIECS03 APLLL05B APLCC01B
MPLL05B
ECS-IC4B Failure to open Accurately accept All 24 hours Actuate output As defined in As defined in
motor generator inputs, process channels driver modules Chapter 24, Chapter 24, ECSBIC04 breaker (blackout) information, and operational Table 24-2 Table 24-2
ElIECS04 actuate control
E21ECS04 signals E20ECS04 E2OECS04
ECSBIC04 EPIECS04 EPOECS04 MAIECS04 Si1ECS04 SI1ECS04 APLLL05B APLCCO1B
MPLL05B
MFW-IC1 Failure to control Accurately accept All 24 hours Actuate output As defined in As defined in main feedwater inputs, process channels driver modules Chapter 16, Chapter 16,
MEW-IC0I air-operated valve information, and operational Table 16-2 Table 16-2
E1IMFWOI V250A actuate control
E21MFWOI (automatic) signals
E2IMFW 1 E2OMFW01 SILMFW01 APLCC03 ______________
28-29
Revision 1
AP1000 Probabilistic Risk Assessment95/ DI•**• ll",*nf*-nl .•wcl•m
Revision I28-29
2nAP100 Probabilistic Risk Assessment
Table 28-2 (Sheet 10 of 22)
FAULT TREE SUCCESS CRITERIA SUMMARY
Components System Required to
Event Success Initial Mission Change Initiating Operator Fault Tree Description Configuration Status Time Status Signals Actions
MFW-1C2 Failure to control Accurately accept All 24 hours Actuate output As defined in As defined in main feedwater inputs, process channels driver modules Chapter 16, Chapter 16, MFW-1C02 air-operated valve information, and operational Table 16-2 Table 16-2 V250B actuate control
ElQMFW02 (automatic) signals E2IMFW02 E2OMFW02 S 11MFW02 APLCC03
MSS-IC1 Failure to open Accurately accept All 24 hours Actuate output As defined in As defined in
MSSICO1 eight air-operated inputs, process channels driver modules Chapter 16, Chapter 16, valves MSS V001 information, and operational Table 16-2 Table 16-2 EPQMSS01 to 008 (automatic) actuate control MA1MSSOI signals
S12MSSO1 S12MSS01
S13MSSOI S14MSSO1 SC1MSS01 APLIPC APLLOA
MSS-IC2 Failure to open Accurately accept All 24 hours Actuate output As defined in As defined in one-out-of-four inputs, process channels driver modules Chapter 16, Chapter 16,
EPOMSS02 AOVs MSS V001, information, and operational Table 16-2 Table 16-2 MAIMSS02 V003, V005, and actuate control
SAIMSS02 V007 (manual) signals SI1lMSS02
MPLLOA
PLS-RODS Failure to step in Accurately accept All 24 hours Controlled Manual ATWrods (manual) inputs, process channels stepping in of action to MANOI (in
information, and operational rods on cause demand tree RTLOC)
actuate control demand signal signal signals through rod control system
IRevision 1
28. Plant Control System
28-30
Table 28-2 (Sheet 11 of 22)
FAULT TREE SUCCESS CRITERIA SUMMARY
Components System Required to
Event Success Initial Mission Change Initiating Operator
Fault Tree Description Configuration Status Time Status Signals Actions
RNS-1C3 Failure to actuate Accurately accept All 24 hours Actuate output As defined in As defined in
RNS pump 01A inputs, process channels drivers Chapter 17, Chapter 17, EPORNS03 information, and operational Table 17-2 Table 17-2
actuate control RNS-IC03 signals
SIIRNS03
RNS-IC3P Failure to actuate Accurately accept All 24 hours Actuate output As defined in As defined in
RNS pump 01A: inputs, process channels drivers Chapter 17, Chapter 17, EPORNS03 Loss of offsite information, and operational Table 17-2 Table 17-2 MA1RNS03
RNS-IC3 power case actuate control
S11RNS03 signals
RNS-IC5 Failure to actuate Accurately accept All 24 hours Actuate output As defined in As defined in
RNS pump 01B inputs, process channels drivers Chapter 17, Chapter 17, EPORNS05 information, and operational Table 17-2 Table 17-2
MA1RNS05 actuate control
RNS-IC05 signals SIIRNS05
RNS-IC5P Failure to actuate Accurately accept All 24 hours Actuate output As defined in As defined in RNS pump 01B: inputs, process channels drivers Chapter 17, Chapter 17,
EPORNS05 Loss of offsite information, and operational Table 17-2 Table 17-2 MA1RNS05
RNS-C05 power case actuate control
SIIRNS0505 signals
28-3 1
Revision 1
28. Plant Control System AP1000 Probabilistic Risk Assessment
28-31 Revision I
Table 28-2 (Sheet 12 of 22)
FAULT TREE SUCCESS CRITERIA SUMMARY
Components System Required to
Event Success Initial Mission Change Initiating Operator Fault Tree Description Configuration Status Time Status Signals Actions
SFW-IC1 Failure to start Accurately accept All 24 hours Actuate output As defined in As defined in feedwater pump A inputs, process channels driver modules Chapter 16, Chapter 16, SFLLOB and open motor- information, and operational Table 16-2 Table 16-2
APLLO operated valve actuate control APLC V013A signals APLCC03
MPLLOB MAlSFW01 SI I SFW01 S13SFWO1 Sl1SFW01 S12SFWOI S14SFWOI MINSFW01 SCISFW01 ElOSFW01 EIISFW01 E2OSFWO1 E2ISFW01 S31SFW01 EPOSFW01
SFW-ICIP Failure to start Accurately accept All 24 hours Actuate output As defined in As defined in
SFWPICOI feedwater pump A inputs, process channels driver modules Chapter 16, Chapter 16, and open motor- information, and operational Table 16-2 Table 16-2
EIOSFW01 operated valve actuate control E21SEW01 V013A (loop) signals E2ISFW01 E2OSFW01
EPOSFW01 MAISFW01 SllSFW01 S12SFWO1 S13SFWOI S 14SFWO1 S31SFWOI SC1SFW01 SI1SFW01 APLIPCP APLLOBP APLCC03P MPLLOBP
Revision 1
28. Plant Control System AP1000 Probabilistic Risk Assessment
28-32
28. Plant Control System AP1000 Probabilistic Risk Assessment
Table 28-2 (Sheet 13 of 22)
FAULT TREE SUCCESS CRITERIA SUMMARY
Components
System Required to Event Success Initial Mission Change Initiating Operator
Fault Tree Description Configuration Status Time Status Signals Actions
SFW-IC2P Failure to start Accurately accept All 24 hours Actuate output As defined in As defined in feedwater pump B inputs, process channels driver modules Chapter 16, Chapter 16,
SFW02 and open motor- information, and operational Table 16-2 Table 16-2 EIOSFW02 operated valve actuate control E21SFW02 V013B (loop) signals E2ISFW02 E2OSFW02
EPOSFW02 MAISFW02 SI ISFW02 S12SFW02 S 13SFW02 S14SFW02 S31SFW02 SC1SFW02 SFWPIC02 SIISFW02 APLIPCP APLLOBP APLCC03P MPLLOBP
SFW-IC2 Failure to start Accurately accept All 24 hours Actuate output As defined in As defined in feedwater pump B inputs, process channels driver modules Chapter 16, Chapter 16, SFW-IC02 and open motor- information, and operational Table 16-2 Table 16-2
EIOSFW02 operated valve actuate control
E2OSFWO2 V013B signals E2ISFW02 E2OSFW02
EPOSFW02 MAISFW02 SIISFW02 S12SFW02 S13SFW02 S14SFW02 S31SFW02 SC1SFW02 SIISFW02 APLIPC APLLOB APLCC03 MPLLOB
Revision 1
28. Plant Control System AP1000 Probabilistic Risk Assessment
28-33
AP1000 Probabilistic Risk Assessment
Table 28-2 (Sheet 14 of 22)
FAULT TREE SUCCESS CRITERIA SUMMARY
Components System Required to
Event Success Initial Mission Change Initiating Operator Fault Tree Description Configuration Status Time Status Signals Actions
SFW-IC3 Failure to open Accurately accept All 24 hours Actuate output As defined in As defined in
SFWIC03 motor-operated inputs, process channels driver modules Chapter 16, Chapter 16, valve V010 information, and operational Table 16-2 Table 16-2
EIOSFW03 (automatic) actuate control E21SFW03 signals E2ISFW03 E2OSFW03
EPISFW03 EPOSFW03 SIISFW03 APLCC03 APLLLOB
SFW-IC4P Failure to control Accurately accept All 24 hours Actuate output As defined in As defined in
SFWPICO4 startup feedwater inputs, process channels driver modules Chapter 16, Chapter 16, air-operated valve information, and operational Table 16-2 Table 16-2 V255A actuate control
E20SFW04 (automatic) signals S1ISFW04 S 12SFW04 S13SFW04 S14SFW04 SCISFW04 APLIPCP APLC03P
SFW-IC4 Failure to control Accurately accept All 24 hours Actuate output As defined in As defined in
SFW-C04 startup feedwater inputs, process channels driver modules Chapter 16, Chapter 16, air-operated valve information, and operational Table 16-2 Table 16-2 V255A actuate control
E20SFW04 (automatic) signals SIISFW04 S12SFW04 S13SFW04 S14SFW04 SC1SFW04 APLIPC APLC03
28-34
Revision 1
28. Plant Control System
28-34 Revision 1
28. Plant Control System APlOOD Probabilistic Risk Assessment
Table 28-2 (Sheet 15 of 22)
FAULT TREE SUCCESS CRITERIA SUMMARY
Components System Required to
Event Success Initial Mission Change Initiating Operator
Fault Tree Description Configuration Status Time Status Signals Actions
SFW-IC5P Failure to control Accurately accept All 24 hours Actuate output As defined in As defined in
SFWPIC05 startup feedwater inputs, process channels driver modules Chapter 16, Chapter 16,
ElWPIC05 air-operated valve information, and operational Table 16-2 Table 16-2 E20SFW05 255B (loop) actuate control E2OSFW05 signals S 11SFW04
S12SFW04 S 13SOFW04 S14SFW04 SCISFW04 APLIPCP APLC03P
SFW-IC5 Failure to control Accurately accept All 24 hours Actuate output As defined in As defined in
SFW4CO5 startup feedwater inputs, process channels driver modules Chapter 16, Chapter 16,
air-operated valve information, and operational Table 16-2 Table 16-2 E20SFW05 255B (automatic) actuate control
E2OSFW05 signals SI 11SFW04
S12SFW04 S13SFW04 S14SFW04 SClSFW04 APLIPC APLC03
SFW-IC6P Failure to control Accurately accept All 24 hours Actuate output As defined in As defined in
startup feedwater inputs, process channels driver modules Chapter 16, Chapter 16, EIOSIC06 V067A (loop) information, and operational Table 16-2 Table 16-2
E 10SFW06 actuate control E2OSFW06 signals SlISFW04 S12SFWO4 S 13SFW04 S 14SFW04 SCISFW04 "APLIPCP APLC03P
28-35
Revision 1
28. Plant Control System AP1000 Probabilistic Risk Assessment
28-35 Revision I
AP1000 Probabilistic Risk Assessment
Table 28-2 (Sheet 16 of 22)
FAULT TREE SUCCESS CRITERIA SUMMARY
Components System Required to
Event Success Initial Mission Change Initiating Operator Fault Tree Description Configuration Status Time Status Signals Actions
SFW-IC6 Failure to control Accurately accept All 24 hours Actuate output As defined in As defined in
SFW-C06 startup feedwater inputs, process channels driver modules Chapter 16, Chapter 16, V067A information, and operational Table 16-2 Table 16-2
E20SFW06 (automatic) actuate control SlISFW04 signals S12SFW04 S 12SFW04
S 13SFW04 S14SFW04 SCISFW04 APLIPC APLC03
SFW-IC7P Failure to control Accurately accept All 24 hours Actuate output As defined in As defined in
SFWPIC07 startup feedwater inputs, process channels driver modules Chapter 16, Chapter 16, V067B (loop) information, and operational Table 16-2 Table 16-2
actuate control E20SFW07 signals SI ISFW04 S12SFW04 S13SFW04 S14SFW04 SCISFW04 APLIPCP APLC03P
SFW-IC7 Failure to control Accurately accept All 24 hours Actuate output As defined in As defined in
SFW-IC07 startup feedwater inputs, process channels driver modules Chapter 16, Chapter 16, V067B information, and operational Table 16-2 Table 16-2
E20SFW7 (automatic) actuate control E2OSIFW07
SIISFW04 signals
S12SFW04 S13SFW04 S 14SFW04 SCISFW04 APLIPC APLC03
28-36
Revision 1
28. Plant Control System
28-36 Revision 1
Table 28-2 (Sheet 17 of 22)
FAULT TREE SUCCESS CRITERIA SUMMARY
Components System Required to
Event Success Initial Mission Change Initiating Operator Fault Tree Description Configuration Status Time Status Signals Actions
SFW-IC8P Failure to open Accurately accept All 24 hours Actuate output As defined in As defined in
SFWPIC08 motor-operated inputs, process channels driver modules Chapter 16, Chapter 16, valve V028 information, and operational Table 16-2 Table 16-2
ElISFW08 (automatic) (loop) actuate control E21SFW08 signals E2ISFW08 E2OSFW08
EPISFW08 EPOSFW08 S 1ISFW08 APLCC03P APLLLOBP
SFW-IC8 Failure to open Accurately accept All 24 hours Actuate output As defined in As defined in
motor-operated inputs, process channels driver modules Chapter 16, Chapter 16, ElI-1W08 valve V028 information, and operational Table 16-2 Table 16-2 E1ISFW08
(automatic) actuate control E1OSFWO8 signals E2ISFW0O8
E2OSFW08 EPISFW08 EPOSFW08 SlISFW08 APLCC03 APLLLOB
SWS-ICI Failure to actuate Accurately accept All 24 hours Actuate output As defined in As defined in air-operated valve inputs, process channels driver modules Chapter 22, Chapter 22,
SWSOI V006A (yearly) information, and operational Table 22-2 Table 22-2
actuate control E10SWS01 signals E2ISWSOI E2OSWSO1 EPISWS01 EPOSWS01 MA1SWS01 SllSWSOl SC1SWS01 SI1SWS01
APLLL07Y APLCC02Y MPLL07Y
28. Plant Control System AP1000 Probabilistic Risk Assessment
28-37 Revision I
APlO00 Probabilistic Risk Assessment
Table 28-2 (Sheet 18 of 22)
FAULT TREE SUCCESS CRITERIA SUMMARY
Components
System Required to Event Success Initial Mission Change Initiating Operator
Fault Tree Description Configuration Status Time Status Signals Actions
SWS-IC2 Failure to actuate Accurately accept All 24 hours Actuate output As defined in As defined in
SWS-IC02 standby pump inputs, process channels dnver modules Chapter 22, Chapter 22,
EIISWS02 sub-loop B information, and operational Table 22-2 Table 22-2 actuate control EIOSWS02 signals
E2ISWS2 E2OSWS02 EPISWS02 EPOSWS02 MA1SWS02 SIISWS02 SC1SWS02 SIISWS02 APLLL07 APLCC02 MPLL07
SWS-IC3 Failure to actuate Accurately accept All 24 hours Actuate output As defined in As defined in
SWSIC03 standby pump inputs, process channels driver modules Chapter 22, Chapter 22, sub-loop B (loop) information, and operational Table 22-2 Table 22-2
E Wactuate control EIOSWS03 signals E2ISWS03 E2OSWS03 EPISWS03 EPOSWS03 MAISWS03 S11SWS03 SC1SWS03 SIISWS03 APLLL07P APLCC02P MPLL07P
Revision 1
1- --
28. Plant Control System
28-38
28 Plant Control Svstem A10 rbblsi ikAssmn
Table 28-2 (Sheet 19 of 22)
FAULT TREE SUCCESS CRITERIA SUMMARY
Components System Required to
Event Success Initial Mission Change Initiating Operator
Fault Tree Description Configuration Status Time Status Signals Actions
SWS-IC4 Failure to actuate Accurately accept All 24 hours Actuate output As defined in As defined in
standby pump inputs, process channels driver modules Chapter 22, Chapter 22,
SWS04 sub-loop B information, and operational Table 22-2 Table 22-2 E 11SWS04 actuate control ElOSWS04 signals E2ISWS04 E20SWS04 EPISWS04 EPOSWS04 MAISWS04 S 11SWS04 SClSWS04 SIISWS04 APLLL07 APLCC02 MPLL07
SWS-IC5 Failure to actuate Accurately accept All 24 hours Actuate output As defined in As defined in
pump sub-loop A inputs, process channels driver modules Chapter 22, Chapter 22, SWS-SC05 (loop) information, and operational Table 22-2 Table 22-2
EIISWS05 actuate control EIOSWS05 signals E2ISWS05 E2OSWS05 EPISWS05 EPOSWS05 MAl SWS05 SIISWS05 SC1SWS05 S11SWS05 APLLL07P APLCC02P MPLL07P
28-39
Revision 1
AP1000 Probabilistic Risk Assessment
Revision 128-39
Table 28-2 (Sheet 20 of 22)
FAULT TREE SUCCESS CRITERIA SUMMARY
Components System Required to
Event Success Initial Mission Change Initiating Operator Fault Tree Description Configuration Status Time Status Signals Actions
SWS-IC6 Failure to actuate Accurately accept All 24 hours Actuate output As defined in As defined in cool tower blower inputs, process channels driver modules Chapter 22, Chapter 22,
SWS06 fans (loop) information, and operational Table 22-2 Table 22-2 ElISWS06
actuate control E1OSWS06 ElOSWS06signals E2ISWS06 E2OSWS06 EPISWS06 EPOSWS06 MAISWS06 SIISWS06 SC1SWS06 SIISWS06 APLLL07P APLCC02P MPLL07P
SWS-IC7 Failure to actuate Accurately accept All 24 hours Actuate output As defined in As defined in cool tower blower inputs, process channels driver modules Chapter 22, Chapter 22,
SWS-IC07 fans (loop) information, and operational Table 22-2 Table 22-2 SEIlSWS07 actuate control EIOSWS07 signals E2ISWS07 E2OSWS07 EPISWS07 EPOSWS07 MAISWS07 SIISWS07 SCI SWS07 SI1SWS07 APLLL07P APLCC02P MPLL07P
Revision I
28. Plant Control System AP1000 Probabilistic Risk Assessment
28-40
AP1000 Probabilistic Risk Assessment
Table 28-2 (Sheet 21 of 22)
FAULT TREE SUCCESS CRITERIA SUMMARY
Components System Required to
Event Success Initial Mission Change Initiating Operator
Fault Tree Description Configuration Status Time Status Signals Actions
SWS-IC8 Failure to open Accurately accept All 24 hours Actuate output As defined in As defined in
MOV 037B upon inputs, process channels drivers chapter 22, chapter 22, ElISWS08 loss of offsite information, and operational Table 22-2 Table 22-2
E2ISWS08 power actuate control
E20SWSOS signals
EPISWS08 EPOSWS08 MAISWS08 S11SWS08 SCISWS08 SIlSWS08 APLCC02P APLLLO7P SWS-IC08
TCS-ICl Failure to start Accurately accept All 24 hours Actuate output As defined in As defined in
standby turbine inputs, process channels driver modules Chapter 16, Chapter 16, TCS-IC01 cold-leg information, and operational Table 16-2 Table 16-2
EIlTCS01 circulating water actuate control
El21TCSl system pump B signals
E2ITCS01 E2OTCS01
MAlTCS0l EPITCS01 EPOTCS01 SllTCS0l SI1TCS0l APLCC02 APLLL06 MPLL06
28-41
Revision 1
'78 Plant Control S stem9R Plnnf Cnnfrnl .•v•tpm
Revision 128-41
sAP1000 Probabilistic Risk Assessment
Table 28-2 (Sheet 22 of 22)
Revision 1
FAULT TREE SUCCESS CRITERIA SUMMARY
Components System Required to
Event Success Initial Mission Change Initiating Operator Fault Tree Description Configuration Status Time Status Signals Actions
VLS-IC1 Failure to actuate Accurately accept All 24 hours Actuate output As defined in As defined in H2 ignitors inputs, process channels driver modules Chapter 18, Chapter 18, VLS-IC0 1
EPOVLSO1 information, and operational Table 18-2 Table 18-2 actuate control
MA1VLS01 signals SIlVLS01 MPLL03
VWS-IC1 Failure to actuate Accurately accept All 24 hours Actuate output As defined in As defined in H2 ignitors inputs, process channels driver modules Chapter 18, Chapter 18, VWS-IC01
EPOVWSO information, and operational Table 18-2 Table 18-2 actuate control
MAlVWS01 signals SIlVWS01 MPLL02
I
28. Plant Control Systemn
28-42
28-43
Revision 1
28-43
AP1000 Probabilistic Risk Assessment
Table 28-3 (Sheet 1 of 9)
PLS I&C SUBTREE CONSTRUCTIONS
Subtree Name Tree Naming and Linking
CAS-IC1 Rename: EPICAS01 EPI1 MAlCAS01 ESFOPER SIICAS01 CCXSNRS2 SlICAS01 PLSENSOR ElOCAS01 EAO1 ElICAS01 EAI1 E2OCASOI EAO2 E2ICAS01 EAI2 EPOCAS01 EPO APLLL09 APLCC02 MPLL09 CAS-IC01
CAS-IC2 Rename: EPICAS02 EPI1 S11CAS02 PLSENSOR E1OCAS02 EAO1 ElICAS02 EAI1 E2OCAS02 EAO2 E2ICAS02 EAI2 EPOCAS02 EPO APLLL09 APLCC02 CAS-IC02
CAS-IC5 Rename: EPICAS05 EPI1 S11CAS05 PLSENSOR E1OCAS05 EA01 EIICAS05 EAI1 E2OCAS05 EAO2 E2ICAS05 EAI2 EPOCAS05 EPO APLLL09Y APLCC02Y CAS-IC05
Revision 1
28. Plant Control System AP1000 Probabilistic Risk Assessment
/
Table 28-3 (Sheet 2 of 9)
PLS I&C SUBTREE CONSTRUCTIONS
Subtree Name
CCS-IC1
Tree Naming and Linking
Rename: EPICCS01 MA1CCS01 SIICCS01 SllCCS01 E1OCCS01 ElICCS01 E2OCCSO1 E2ICCSOI EPOCCS01 APLLL01 APLCC01 MPLL01 CCS-ICO1
EPII ESFOPER CCXSNRS2 PLSENSOR EAO 1 EAI1 EAO2 EA12 EPO
CDS-IC1 Rename: S11CDS01 PLSENSOR E1OCDS01 EAO1 EPOCDS01 EPO EPICDS01 EPI1 E2OCDSO1 EAO2 EIICDS01 EAI1 E2ICDS0l EAI2 APLCC03 APLLLOD CDS-IC01
CDS-IC2 Rename: SI1CDS02 PLSENSOR E1OCDS02 EAO1
EPOCDS02 EPO EPICDS02 EPI1 E2OCDS02 EAO2
EIICDS02 EAI1 E2ICDS02 EAI2 APLCC03 APLLLOD
CDS-IC02
CVS-IC1 Rename: MA1CVS01 ESFOPER SIlCVS01 CCXSNRS2 EPOCVS01 EPO MPLL03 CVS-IC01
Revision 1
I
28. Plant Control System AP1000 Probabilistic Risk Assessment
28-44
28. Plant Control System AP1000 Probabilistic Risk Assessment
Table 28-3 (Sheet 3 of 9)
PLS I&C SUBTREE CONSTRUCTIONS
Subtree Name Tree Naming and Linking
CVS-IC3 Rename: MA1CVS03 ESFOPER SClCVS03 CCXSNRS1 SlICVS03 SENS1 S 12CVS03 SENS2 S13CVS03 SENS3 S14CVS03 SENS4 EPOCVS03 EPO APLIPC APLL03 CVS-IC03
CVS-IC9 Rename: S13CVS09 SENS3 MAlCVS09 ESFOPER SIICVS09 CCXSNRS2 SC1CVS09 CCXSNRS1 S1ICVS09 SENSI S 12CVS09 SENS2 S14CVS09 SENS4 EPOCVS09 EPO APLIPC APLL03 MPLL03 CVS-IC09
CVS-IC10 Rename: S13CVS1O SENS3 MA1CVS10 ESFOPER SI1CVS10 CCXSNRS2 SCiCVS10 CCXSNRS1 SllCVS10 SENS1 S 12CVS 10 SENS2 S 14CVS 10 SENS4 EPOCVS10 EPO APLIPC APLL03 MPLL03 cVS-Ic10
CVS-IC1 1 Rename: CCXSNRS2 CVS-IC 11
28-45
Revision 1
28. Plant Control System AP1000 Probabilistic Risk Assessment
28-45 Revision 1
AP1000 Probabilistic Risk Assessment
Table 28-3 (Sheet 4 of 9)
PLS I&C SUBTREE CONSTRUCTIONS
Subtree Name Tree Naming and Linking
ECS-ICIB Rename: MAIECS01 ESFOPER EPOECS01 EPO EPIECS01 EPI1 SI1ECS01 CCXSNRS2 E1OECS01 EAO1 EIlECS01 EAI1 E2OECSOI EAO2 E2IECS01 EAI2 S1IECS01 PLSENSOR MPLL05B ECSBIC01
ECS-IC3B Rename: MAlECS03 ESFOPER EPIECS03 EPI1 SI1ECS03 CCXSNRS2 E1OECS03 EAO1 EIIECS03 EAI1 E2OECS03 EAO2 E2IECS03 EAI2 SI1ECS03 PLSENSOR EPOECS03 EPO APLLL05B APLCCO1B
MPLL05B ECSBIC03
MFW-IC1 Rename: S11MFW01 PLSENSOR E10MFW01 EAO1 E1IMFW01 EAI1 E2OMFWO1 EAO2 E2IMFWO1 EAI2 APLCC03 MFW-IC01
MSS-ICI Rename: EPOMSS01 EPO MAIMSSO1 ESFOPER SC1MSS01 CCXSNRS1 SllMSS01 SENS1 S12MSSO1 SENS2 S13MSSO1 SENS3 S14MSSO1 SENS4
APLIPC APLLOA MSS-IC01
Revision 1
'-C-,
28. Plant Control System
28-46
Table 28-3 (Sheet 5 of 9)
PLS I&C SUBTREE CONSTRUCTIONS
Subtree Name Tree Naming and Linking
MSS-1C2 Rename: MAlMSS02 ESFOPER SI1MSS02 CCXSNRS2 EPOMSS02 EPO MPLLOA MSS-IC02
PLS-RODS ROD-IC01
RNS-1C3 Rename: EPORNS03 EPO MAlRNS03 ESFOPER SI1RNS03 CCXSNR52 MPLL04 -
RNS-IC03
SFW-IC1 Rename: MA1SFW01 ESFOPER SI1SFW01 CCXSNRS2 S13SFWOI SENS3 SllSFW0l SENSI S12SFW01 SENS2 S14SFWOI SENS4 SC1SFW01 CCXSNRSI E1OSFW01 EAO1 EIlSFW01 EAI1 E2OSFW01 EAO2 E2ISFW01 EAI2 S31SFW01 PLSENSOR EPOSFW01 EPO APLIPC APLLOB APLCC03 MPLLOB SFW-IC01
SFW-IC3 Rename: S11 SFW03 PLSENSOR E1OSFW03 EAO1 EPISFW03 EPI1 E2OSFW03 EAO2 EIlSFW03 EAI1 E2ISFW03 EAI2 EPOSFW03 EPO APLCC03 APLLLOB SFW-IC03
28-47
Revision 1
28. Plant Control System AP1000 Probabilistic Risk Assessment
28-47 Revision I
Table 28-3 (Sheet 6 of 9)
PLS I&C SUBTREE CONSTRUCTIONS
Subtree Name Tree Naming and Linking
SFW-IC4 Rename: S13SFW04 SENS3 S11SFW04 SENSI S12SFW04 SENS2 S14SFW04 SENS4 SCISFW04 CCXSNRSI EIOSFW04 EAO1 E2OSFW04 EAO2 APLIPC APLC03 SFW-IC04
SFW-IC6 Rename: S13SFW06 SENS3 S11SFW06 SENSI S12SFW06 SENS2 S14SFW06 SENS4 SC1SFW06 CCXSNRS1 E1OSFW06 EAOI E2OSFW06 EAO2 APLIPC APLC03 SFW-IC06
SFW-IC8 Rename: S11SFW08 PLSENSOR E1OSFW08 EAO1 EPISFW08 EPI1 E2OSFW08 EAO2 EIISFW08 EAHI1 E2ISFW08 EAI2 EPOSFW08 EPO APLCC03 APLLLOB SFW-IC08
N-,
Revision 1
28. Plant Control System APIO00 Probabilistic Risk Assessment
28-.48
28. Plant Control System AP1000 Probabilistic Risk Assessment
SFW-IC1A
Table 28-3 (Sheet 7 of 9)
PLS I&C SUBTREE CONSTRUCTIONS
Tree Naming and LinkingSubtree Name
ESFOPER CCXSNRS2 SENS3 SENS1 SENS2 SENS4 CCXSNRS1 EAO1 EAM1 EAO2 EAI2 PLSENSOR EPO
EPI1 ESFOPER CCXSNRS2 PLSENSOR CCXSNRS 1 EA01 EAI1 EAO2 EA12 EPO
SWS-Ic1
Rename:
Rename:
MAlSFW01 SI1SFW01
S13SFWO1 SllSFW01 S12SFW01 S14SFW01 SC1SFW0l ElOSFW01 ElISFW01 E2OSFWO1 E2ISFWOI S31SFWOI EPOSFW01 APLIPC APLLOB APLCC03 SFW-IC1A
EPISWS01 MA1SWS01 SI1SwS01 SllSwS01 SC1SWS01 ElOSWS01 EIISWS01 E2OSWS01 E2ISWS01 EPOSWS01 APLLL07Y APLCC02Y MPLL07Y SWS-Ico1
28-49
Revision 1
Revision I
28. Plant Control System AP1000 Probabilistic Risk Assessment
28-49
AP1000 Probabilistic Risk Assessment
Table 28-3 (Sheet 8 of 9)
PLS I&C SUBTREE CONSTRUCTIONS
Subtree Name
SWS-IC2
SWS-IC5
SWS-IC6
Tree Naming and Linking
Rename:
-I.
Rename:
+
Rename:
EPISWS02 MAISWS02 SI1SWS02 S 1I SWS02 SCISWS02 EIOSWS02 EIlISWS02 E2OSWS02 E2ISWS02 EPOSWS02 APLLL07 APLCC02 MPLL07 SWS-IC02
EPISWS05 MAlSWS05 SIISWS05 SIISWS05 SC1SWS05 EIOSWS05 EIlISWS05 E20SWS05 E2ISWS05 EPOSWS05 APLLL07P APLCC02P MPLL07P SWS-IC05
EPISWS06 MA1SWS06 SI1SWS06 SIISWS06 SClSWS06 ElOSWS06 EIISWS06 E2OSWS06 E21SWS06 EPOSWS06 APLLL07P APLCC02P MPLL07P SWS-IC06
EPII ESFOPER CCXSNRS2 PLSENSOR CCXSNRS 1 EAO1 EAI1 EAO2 EAI2 EPO
EPI 1 ESFOPER CCXSNRS2 PLSENSOR CCXSNRS1 EAO1 EAI1 EAO2 EAI2 EPO
EPI1 ESFOPER CCXSNRS2 PLSENSOR CCXSNRS 1 EAO1 EAI1 EAO2 EAI2 EPO
Revision 1
28. Plant Control System
28-50
API000 Probabilistic Risk Assessment
28-51
Revision 1
Table 28-3 (Sheet 9 of 9)
PLS I&C SUBTREE CONSTRUCTIONS
Subtree Name Tree Naming and Linking
TCS-IC1 Rename: E1ITCS01 EAI1 E1OTCS01 EAO1 E2ITCS0l EAI2 E2OTCSO1 EAO2 EPITCS01 EPII EPOTCS01 EPO MA1TCS01 ESFOPER S11TCSO1 PLSENSOR SI1TCS01 CCXSNRS2 APLCC02 APLLL06 MPLL06 TCS-IC01
VLS-IC1 Rename: EPOVLS01 EPO MA1VLS01 ESFOPER SI1VLS0l DASSIND S11VLS01 CCXSNRS2 MPLL03 VLS-IC01
VWS-IC1 Rename: MA1VWS01 ESFOPER SI1VWS01 CCXSNRS2 EPOVWS01 EPO MPLL02 VWS-Ico1
'•R Pln•f I•nfrn| .•v,=fpm
Revision I28-51
28. lantContol SstemAP1000 Probabilistic Risk Asse~ssment
Table 28-4 (Sheet 1 of 2)
PLS DEPENDENCY MATRIX
120 vac
Distribution Distribution Plant Control System Cabinets Panel EDS1 EA1 Panel EDS1 EA2
Logic Cabinets
Subsystem I
/O x x
Processing X
Subsystem 2
1/O X X
Processing x
ILC Output Driver Modules X X
Control Cabinets
Subsystem 1
1/0 X X
Processing X
Subsystem 2
1/0 X X
Processing x
Communication Subsystem
All Cards X
Revision I
28. Plant Control System
28-52
Table 28-4 (Sheet 2 of 2)
PLS DEPENDENCY MATRIX
120 vac
Distribution Distribution
Plant Control System Cabinets Panel EDS1 EA1 Panel EDS1 EA2
Control MUX
Subsystem 1
All Cards X
Subsystem 2
All Cards X
Note: For the logic cabinets, the apportioning of each card to the power remain the same, except for the different distribution panels used, i.e.:
Distr. Panel EDSI EAl becomes Distr. Panel EDS2 EA1 Distr. Panel EDS1 EA2 becomes Distr. Panel EDS2 EA2, etc.
28-5 3 Revision 1
AP1000 Probabilistic Risk Assessment
Revision I28-53
28. Plant Control System AP1000 Probabilistic Risk Assessment
Assumed Effect on Automatic Mechanical Quarterly
Modulating On-Line Tester Component Functional Test Subsystem/ Devices Diagnostic Subsystem Surveillance Test Based on
Card (24 hrs) (5 min) (Quarterly) (Quarterly) Operation
IPC Comms X X
ILC X X
ICC X X
SSC x x
Control MUX X X
Table 28-6
COMPONENT MAINTENANCE ASSUMPTIONS
Revision 1
Table 28-5
PLS COMPONENTS TEST ASSUMPTIONS
No scheduled outage for maintenance is assumed for the plant control system. The outage for repair is accounted for together with the numerical evaluation of the cards unavailabilities.
28. Plant Control System AP1000 Probabilistic Risk Assessment
28-54
28. Plant Control System APlOOO Probabilistic Risk Assessment
Table 28-7 (Sheet 1 of 3)
FAILURE PROBABILITIES CALCULATED IN THIS SECTIONSIMON.DAT Failure
Line Number Event ID Description Probability
010 ALL-IND-FAIL Generic indication failure probability 1.00E-06
037 CCX-PMS-SENSORS CCF of PMS transmitters 4.04E-08
617 ###030##SA Logic group processing failure on demand 1.16E-03
618 ###030##BA Logic group processing spurious failure 8.01E-06
619 CCX-###03 CCF of the logic group processing 9.69E-05
620 CCX-###EHO CCF of MUX transmitters 4.03E-06
621 CCX-P##MOD1 CCF of output logic I/Os 1.41E-04
622 CCX-P##MOD1-SW Software CCF of output logic I/Os 1.10E-05
623 CCX-P##MOD2 CCF of actuation logic groups 3.04E-04
624 CCX-P##MOD2-SW Software CCF of actuation logic groups 1.10E-05
625 CCX-P##MOD4 CCF of MUX logic groups 4.98E-05
626 CCX-P##MOD4-SW Software CCF of MUX logic groups 1.10E-05
627 CCX-P##MOD5 CCF of modulating groups 6.98E-05
628 CCX-P##MOD5-SW Software CCF of modulating groups 1.10E-05
629 CCX-P##MOD3 CCF of input logic groups 1.03E-04
630 CCX-P##MOD3-SW Software CCF of input logic groups 1.10E-05
631 CCX-P##MOD6 CCF of signal selector groups - logic and I/Os 2.53E-04
632 CCX-P##MOD6-SW Software CCF of signal selector groups - logic 1.1 OE-05 and I/Os
634 P##MOD1# Failure of output logic group # 1/0 2.09E-03
635 PL#MOD5# Failure of modulating logic or 1/O group # 8.74E-04
636 P##MOD4# Failure of MUX logic group # 6.35E-04
639 P##MOD3# Failure of input group # 5.02E-03
647 ###EP####SA Failure of the power interface board 1.7 1E-04
648 ###EA####SA Failure of the analog input board 2.51E-04
650 ###TP###RY Pressure transmitter yearly failure 5.23E-03
28-55
Revision 1
AP1000 Probabilistic Risk Assessment28. Plant Control System
28-55 Revision 1
AP1000 Probabilistic Risk Assessment
.1
Table 28-7 (Sheet 2 of 3)
FAILURE PROBABILITIES CALCULATED IN THIS SECTION
SIMON.DAT Failure Line Number Event ID Description Probability
651 ###TF###RI Flow transmitter failure 5.23E-03
655 ###TL###UF Level transmitter failure 5.23E-03
656 IWX-XMTR CCF of IRWST & Boric Acid Tank Level 4.78E-04 transmitters
657 ###EU###SA Failure of the analog output board 6.42E-05
659 ###VS###UF Failure of level switch 1.00E-03
660 ###OR###SP Failure of orifice - plugged 7.22E-03
661 ###TE###UF Failure of temperature element 3.06E-03
667 CCX-EAI CCF of the analog input boards 1.27E-05
668 CCX-EAO CCF of the analog output boards 3.23E-06
669 CCX-EP-SA CCF of the power interface output boards 8.62E-06
670 CCX-EPI CCF of the power interface input boards 1.00E-10
671 CCX-LS-FA CCF of the limit switches 5.37E-06
672 CCX-MFI CCF of the main feed isolation signal sensors 1.00E-06
673 CCX-ORY-SP CCF of orifice-plugged* 1.01E-20
674 CCX-PRHR CCF of PRHR actuation signal sensors 1.00E-06
675 CCX-RM-UF CCF of radiation monitors 7.58E-05
676 CCX-S-SIG-SENS CCF of the S-signal sensors 1.00E-06
678 CCX-TRNSM CCF of pressure, flow transmitters (low) pressure 4.78E-04
679 CCX-TT-UF CCF of temperature transmitters 1.17E-04
680 CCX-TT1-UF CCF of temperature transmitters following an 1.17E-04 accident
681 CMX-VS-FA CCF of CMT level switches 3.84E-05
682 CCX-XMTR CCF of pressure or level transmitters (higher 4.78E-04 pressure)
* This basic event has been accounted for in each of the appropriate sensor common cause failure basic events (IWX-XMTR, CCX-TRNSM, CCX-XMTR, CCX-XMTR1, and CCX-XMTR195).
Revision 1
28. Plant Control System
28-56
28. Plant Control System APlOOO Probabilistic Risk Assessment
Table 28-7 (Sheet 3 of 3)
FAILURE PROBABILITIES CALCULATED IN THIS SECTION
SIMON.DAT Failure Line Number Event ID Description Probability
683 CCX-XMTR1 CCF of pressure transmitters following an 4.788E-04 accident
684 CCX-XMTR195 CCF of pressurizer level sensors 4.78E-04
686 EC#RE27BGA Failure of the undervoltage relay 4.36E-03
687 ###TP###RI Failure of pressure transmitter 5.23E-03
690 P##EH0##SA Failure of MUX transmitter to group # 8.00E-05
691 PLSMOD6# Failure of signal selector logic group # 3.46E-03
693 PM#MOD2# Failure of actuation logic group # 4.07E-03
696 P##XSO0ASA Failure of output logic group selector 8.OOE-05
699 CMT-SENS-FAIL CMT signal sensors 1.001E-06
701 DUMMY Logical zero 1.00E-10
702 S-SIG-SENS#-FAIL S-signal sensor failure 1.00E-06
703 VLX-ANLYZ CCF of the H2 analyzers 7.58E-05
706 CCX-CMT-SENS CCF of CMT signal sensors 1.OOE-06
707 ###TP###UF Failure of pressure transmitter 5.23E-03
711 DG#-LOGIC Diesel sequencing logic 5.00E-03
712 ROD-CTRL-SYS Rod control system failure to step in rods 6.60E-04
959 CCX-SFTW Software CCF among all boards 1.20E-06
28-5 7 Revision 1
AP1O00 Probabilistic Risk Assessment28. Plant Control System
Revision I28-57
28. Plant Control System APlOOG Probabilistic Risk Assessment
Table 28-8 (Sheet 1 of 2)
OPERATOR ACTIONS AND SYSTEM MISPOSITION ANALYSIS SUMMARY
Identifier Description
ADN-MAN01 Operator fails to actuate ADS before core damage
ADN-REC01 Operator fails to complete ADS actuation after core damage
ATW-MAN01 Operator fails to step in control rods via PLS within one minute after an ATWS
ATW-MAN03 Operator fails to recognize need and fails to trip reactor via PMS within one minute after an ATWS
ATW-MAN05 Operator fails to recognize need and fails to trip reactor via PMS within seven minutes after an ATWS
CAN-MAN01 Operator fails to recognize need and fails to actuate standby CAS compressor
CMN-RECO1 Operator fails to actuate CMT after core damage
CIA-MAN01 Operator fails to recognize need and fails to isolate failed SG after a main steam line break
CIC-MAN01 Operator fails to recognize need and fails to isolate CMT given core damage after a LOCA
CMN-MANO0 Operator fails to actuate CMT during a LOCA
FWN-MAN02 Operator fails to start SFW pumps after a loss of main feedwater during a transient
HPM-MANO1 Operator fails to recognize need for high-pressure decay heat removal after a loss of main feedwater
LPM-MANO0 Operator fails to recognize need for RCS depressurization during SBLOCA
LPM-MAN02 Operator fails to recognize need for RCS depressurization during MBLOCA
LPM-MAN03 Operator fails to recognize need for RCS depressurization given only DAS indication during SBLOCA
LPM-MAN04 Operator fails to recognize need for RCS depressurization given only DAS indication during MBLOCA
LPM-RECOI Operator fails to recognize need for RCS depressurization during SBLOCA with PRHR failure, CMT success
PCN-MANO1 Operator fails to recognize need and fails to actuate PCS AOVs
RCN-MAN01 Operator fails to trip the four RCPs
REC-MANDAS Operator fails to actuate manual DAS ESF functions
REN-MAN02 Operator fails to recognize need and fails to open recirculation valves during accidents
Revision 1
28. Plant Control System APIO00 Probabilistic Risk Assessment
28-58
28. Plant Control System AP1000 Probabilistic Risk Assessment
28-59
Revision 1
Table 28-8 (Sheet 2 of 2)
OPERATOR ACTIONS AND SYSTEM MISPOSITION ANALYSIS SUMMARY
Identifier Description
REN-MAN03 Operator fails to recognize need and fails to open recirculation valves after core damage
SGHL-MAN01 Operator fails to recognize need and fails to trip CVS pump and isolate SFW to failed SG after a SGTR
SWN-MAN01 Operator fails to recognize need and fails to open AOV on motor strainer line during accidents
SWN-MANO1N Operator fails to recognize need and fails to open AOV on motor strainer line during normal operation
SWN-MAN02 Operator fails to recognize need and fails to start standby SWS pump during an accident
SWN-MAN02N Operator fails to recognize need and fails to start standby SWS pump during normal operation
TCB-MAN01 Operator fails to recognize need and fails to start standby TCS pump
VLN-MAN01 Operator fails to recognize need and fails to start hydrogen control system
VWN-MAN01 Operator fails recognize need and fails to align standby chiller during a LOCA
ZON-MAN01 Operator fails to recognize need and fails to start standby diesel generator during LOSP
AIP1000 Probabilistic Risk Assessment28. Plant Control System
28-59 Revision I
AP1000 Probabilistic Risk Assessment
Table 28-9 (Sheet I of 2)
COMMON CAUSE FAILURE ANALYSIS SUMMARY
Event Name Description
CCX-CMT-SENS CCF of CMT signal sensors
CCX-EAO CCF of the analog output board
CCX-EP-SA CCF of the power interface output board (PLS)
CCX-EP-SAM CCF of the power interface output board (PMS)
CCX-EPI CCF of the power interface input board
CCX-IN-LOGIC-SW Software CCF of input logic groups
CCX-INPUT-LOGIC CCF of input logic groups
CCX-LS-FA CCF of the limit switches
CCX-MFI CCF of main feed isolation signal sensors
CCX-###03 CCF of the logic group processing
CCX-4##EHO CCF of mux transmitters
CCX-P##MOD1 CCF of output logic I/Os
CCX-P##MOD 1-SW Software CCF of output logic I/Os
CCX-PL#MOD5 CCF of modulating control groups-output logic I/Os
CCX-PL#MOD5-SW Software CCF of modulating control groups
CCX-P##MOD4 CCF of MUX logic groups
CCX-P##MOD4-SW Software CCF of MUX logic groups
CCX-PL#MOD3 CCF of input logic groups (communications subsystem of PMS IPCs)
CCX-PL#MOD3-SW Software CCF of input logic groups (communications subsystem of PMS IPCs)
CCX-PL#MOD6 CCF of signal selector groups-logic and I/Os
CCX-PL#MOD6-SW Software CCF of signal selector groups-logic and I/Os
CCX-P##MOD2 CCF of actuation logic groups
CCX-P##MOD2-SW Software CCF of actuation logic groups
CCX-PRHR CCF of PRHR actuation signal sensors
CCX-RM-UF CCF of radiation monitors
CCX-S-SIG-SENS CCF of the S-signal sensors
Revision 1
28. Plant Control System
28-60
Table 28-9 (Sheet 2 of 2)
COMMON CAUSE FAILURE ANALYSIS SUMMARY
Event Name Description
CCX-SFTW Software CCF among all boards (both PLS and PMS)
CCX-TRNSM CCF of pressure and flow transmitters (low system pressure)
CCX-TT-UF CCF of temperature transmitters
CCX-TT1-UF CCF of temperature transmitters following accident
CMX-VS-FA CCF of CMT level switches
CCX-XMTR1 CCF of pressure transmitters following accident
CCX-XMTR195 CCF of pressurizer level transmitters
IWX-XMTR CCF of IRWST and boric acid tank level transmitters
VLX-ANLYZ CCF failure of the H2 analyzers
28-61
Revision 1
iAPIO00 Probabilistic Risk Assessment
Revision I28-61
28. Plant Control System AP1000 Probabilistic Risk Assegcment
Table 28-10 (Sheet 1 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
trnvn W•TT TTnt' MflflP'•'FT -,."N. mu, flflt Vfilflutkt. SOURCEUt TIME
EP SPURIOUS FAILURE OF THE POWERADAEP001ABA
ADAEP001ASA
ADAEP002ABA
ADAEP002ASA
ADAEP003ABA
ADAEP003ASA
ADAEP0041BA
ADAEP0041SA
ADAEP0042BA
ADAEP0042SA
ADAEP004A1SA
ADAEP004A2SA
ADAEP004CISA
INTERFACE BOARD (###EP####BA)
FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
SPURIOUS FAILURE OF THE POWER INTERFACE BOARD (###EP####BA)
FAILURE OF THE POWER INTERFACE
BOARD (###EP####SA)
SPURIOUS FAILURE OF THE POWER INTERFACE BOARD (###EP####BA)
FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
SPURIOUS FAILURE OF THE POWER INTERFACE BOARD (###EP####BA)
FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
SPURIOUS FAILURE OF THE POWER INTERFACE BOARD (###EP####BA)
FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
EP FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
9.150E-07
1.710E-04
9.150E-07
1.710E-04
9. 150E-07
1.710E-04
9.150E-07
1.710E-04
9. 150E-07
1.710E-04
1.710E-04
1.710E-04
0.00OE+00
0.000E+00
0.00EE+00
O.OOOE+00
O.OOOE+00
O.OOOE+00
O.OOOE+00
O.OOOE+00
0.OOOE+00
o.OOOE+00
O.OOOE+00
0.OOOE+00
PMS
PMS
PMS
PMS
PmS
PMS
PMS
PMS
PmS
PMS
PMS
PMS
1.710E-04 O.OOOE+00 PMS
O.000E+00
O.OOOE+00
0.00OE+00
O.OOOE+00
0.OOOE+00
0.00OE+00
0.OOOE+00
O0000E+00
0. 000E00
0.OOOE+00
0.000E+00
O.OOOE+00
rm Tnr•
0.000E+00 1.71E-04 0.00E+00
28-62
(j
EP
EP
EP
EP
EP
EP
EP
EP
EP
EP
EP
QRevision 1
AP1000 Probabilistic Risk Assessment
m•lf• PROBABILITY
9.15E-07
1.71E-04
9.15E-07
1.71E-04
9.15E-07
1.71E-04
9.15E-07
1.71E-04
9.15E-07
1.71E-04
1.71E-04
1.71E-04
VARIANCE
o.00E+00
O.00E+00
O.00E+00
o.00E+00
o.00E+00
o.OOE+00
o.00E+00
o.O0E+00
o.00E+00
o.OOE+00
o.00E+00
0.00E+00
K28. Plant Control System
K.AP1000 Probabilistic Risk Assessment
Table 28-10 (Sheet 2 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
"I - cn"Dýr MTMV DDnMhMTT.Trr'V 11hOTh"OV FT IDENT k-%JLlr rA.Lijunz Muým Irart fl7�rPt' �TtDTtW1Ct' CflTTflrr
ADAEP004C2SA
ADAEP011ABA
ADAEP011ASA
ADAEP012ABA
ADAEP012ASA
ADAEP013ABA
ADAEP013ASA
ADBEP001BBA
ADBEP001BSA
ADBEP002BBA
ADBEP002BSA
ADBEP003BBA
ADBEP003BSA
EP FAILURE OF THE POWER INTERFACE
EP
EP
EP
EP
EP
EP
EP
EP
EP
EP
EP
BOARD (###EP####SA)
SPURIOUS FAILURE OF THE POWER INTERFACE BOARD (###EP####BA)
FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
SPURIOUS FAILURE OF THE POWER INTERFACE BOARD (###EP####BA)
FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
SPURIOUS FAILURE OF THE POWER INTERFACE BOARD (###EP####BA)
FAILURE OF THE POWER INTERFACE
BOARD (###EP####SA)
SPURIOUS FAILURE OF THE POWER INTERFACE BOARD (###EP####BA)
FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
SPURIOUS FAILURE OF THE POWER INTERFACE BOARD (###EP####BA)
FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
SPURIOUS FAILURE OF THE POWER INTERFACE BOARD (###EP####BA)
EP FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
1.710E-04
9.150E-07
1.710E-04
9.150E-07
1.710E-04
9.150E-07
1.710E-04
9.150E-07
1.710E-04
9.150E-07
1.710E-04
9.150E-07
0.000E+00
0.000E+00
O.OOOE+00
0.000E+00
0.000E+00
0.000E+00
0.000E+00
0.000E+00
0.00OE+00
0.000E+00
0.000E+00
0.000E+00
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
1.710E-04 0.000E+00 PMS
0.OOOE+00 1.71E-04 0.00E+00
0.000E+00
0.000E+00
0.000E+00
0.000E+00
0.000E+00
0.000E+00
0.000E+00
0.000E+00
0.000E+00
0.000E+00
0.000E+00
9.15E-07
1.71E-04
9.15E-07
1.71E-04
9.15E-07
1.71E-04
9.15E-07
1.71E-04
9.15E-07
1.71E-04
9.15E-07
0.00E+00
0.00E+00
0.00E+00
0.00E+00
0.00E+00
O.OOE+00
0.00E+00
0.00E+00
0.00E+00
O.OO+00
0.00E+00
0.000E+00 1.71E-04 0.00E+00
28-63
Revision 1
'1'TMP DD•nhTT.T'PV ¶?�flT M�7flP
Revision I
28. Plant Control System
28-63
28. Plant Control System AP1000 Probabilistic Risk Asceccmnt~n
Table 28-10 (Sheet 3 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
FT IDENT
ADBEP0041BA
ADBEP0041SA
ADBEP0042BA
ADBEP0042SA
ADBEP004B1SA
ADBEP004B2SA
ADBEP004D1SA
ADBEP004D2SA
ADBEP011BBA
ADBEP011BSA
ADBEP012BBA
ADBEP012BSA
ADBEP013BBA
COMP FAILURE MODE
EP SPURIOUS FAILURE OF THE POWER
EP
EP
EP
EP
EP
EP
EP
EP
EP
EP
EP
INTERFACE BOARD (###EP####BA)
FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
SPURIOUS FAILURE OF THE POWER INTERFACE BOARD (###EP####BA)
FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
SPURIOUS FAILURE OF THE POWER INTERFACE BOARD (###EP####BA)
FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
SPURIOUS FAILURE OF THE POWER INTERFACE BOARD (###EP####BA)
FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
EP SPURIOUS FAILURE OF THE POWER INTERFACE BOARD (###EP####BA)
PATE RATE TAR TAtJCP EnrTRCE
9.150E-07
1.710E-04
9. 150E-07
1.710E-04
1.710E-04
1.710E-04
1.710E-04
1.710E-04
9. 150E-07
1.710E-04
9.150E-07
1.710E-04
0. OOOE+00
0.OOOE+00
O.OOOE+00
0. 000E+00
O .OOOE+00
0. 00E+00
0 OOOE+00
0 OOOE+00
O .OOOE+00
0.OOOE+00
0 .OOOE+00
0.OOOE+00
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
9.150E-07 0.OOOE+00 PMS
ST MR
0.OOOE+00
0.00OE+00
0.OOOE+00
0.OOOE+00
0.OOOE÷00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
FAIL RATE VARIANCE SOURCE TIME
0.OOOE+00 9.15E-07 0.OOE+00
28-64
(/
Revision 1
(
~A10 .................. Ris Assessment
PROBABILITY
9.15E-07
1.71E-04
9.15E-07
1.71E-04
1.71E-04
1.71E-04
1.71E-04
1.71E-04
9.15E-07
1.71E-04
9.15E-07
1.71E-04
VARIANCE
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
O.OOE+00
O.OOE+00
O.OOE+00
O.OOE+00
(28. Plant Control System
(.
AP1000 Probabilistic Risk Assessment
Table 28-10 (Sheet 4 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
COMP FAILURE MODE FAIL RATE VARIANCE SOURCE TIME
ADBEP013BSA
ADCEP002ASA
ADCEP0041BA
ADCEP0041SA
ADCEP0042BA
ADCEP0042SA
ADCEP004A1SA
ADCEP004A2SA
ADCEP004C1SA
ADCEP004C2SA
ADCEP012ASA
ADDEP002BSA
ADDEP0041BA
EP FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
EP FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
EP SPURIOUS FAILURE OF THE POWER INTERFACE BOARD (###EP####BA)
EP FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
EP SPURIOUS FAILURE OF THE POWER
INTERFACE BOARD (###EP####BA)
EP FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
EP FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
EP FAILURE OF THE POWER INTERFACE BOARD C###EP####SA)
EP FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
EP FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
EP FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
EP FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
EP SPURIOUS FAILURE OF THE POWER INTERFACE BOARD (###EP####BA)
1.710E-04
1.710E-04
9. 150E-07
1.710E-04
9.150E-07
1.710E-04
1.710E-04
1.710E-04
1.710E-04
1.710E-04
1.710E-04
1.710E-04
9.150E-07
0.OOOE+00
o.OOOE+00
0.OOOE+00
o.OOOE+00
0. OOOE+00
o.OOOE+00
0.OOOE+00
0.OOOE+00
O.OOOE+00
o.OOOE+00
o.OOOE+00
0.00OE+00
0.OOOE+00
0.000E+00 1.71E-04 O.OOE+00PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
1.71E-04
9. 15E-07
1.71E-04
9.15E-07
1.71E-04
1.71E-04
1.71E-04
1.71E-04
1.71E-04
1.71E-04
1.71E-04
9.15E-07
0.00E+00
0.00E÷00
0. OOE+00
o.00E+00
0.OOE+00
o.00E+00
0.00E+00
0.OOE+00
0.OOE+00
0.00E+00
0.00E+00
0.00E+00
28-65
Revision 1
FT IDENT PROBABILITY VARIANCE
0.00OE+00
o.OOOE+00
0.OOOE+00
o.OOOE+00
0.00OE+00
o.OOOE+00
0.00OE+00
0.000E+00
0.o00E+00
o.OOOE+00
0.000E+00
0.000E+00
28-65 Revision 1
28. Plant Control SystemAPi 1011 Probabilitto W-IC A.-ccwn
Table 28-10 (Sheet 5 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
FT IDENT
ADDEP0041SA
ADDEP0042BA
ADDEP0042SA
ADDEP004BISA
ADDEP004B2SA
ADDEP004DiSA
ADDEP004D2SA
ADDEP012BSA
ADN-MAN01
ADN-REC01
ALL-IND-FAIL
CA2EAPS002A1SA
CA2EAPS002A2SA
COMP FAILURE MODE
EP FAILURE OF THE POWER INTERFACE
EP
EP
EP
EP
EP
EP
EP
xx
xx
EA
EA
BOARD (###EP####SA)
SPURIOUS FAILURE OF THE POWER INTERFACE BOARD (###EP####BA)
FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
PROBABILITY FOR SUB- BASIC EVE NTS
PROBABILITY FOR SUB- BASIC EVE NTS
GENERIC INDICATION FAILURE PRO BABILITY
FAILURE OF THE ANALOG INPUT BO ARD (###EA####SA)
FAILURE OF THE ANALOG INPUT BO ARD (###EA####SA)
PATTL RATE •T• VATbMP.nrT•r m•=+rTMr
1.710E-04
9.150E-07
1.710E-04
1.710E-04
1.710E-04
1.710E-04
1.710E-04
1.710E-04
1.OOOE-01
1.OOOE-01
1.OOOE-06
2.510E-04
2 .510E-04
0.OOOE+00
0.OOOE+00
0. OOOE+00
0 OOOE+00
0. OOOE+00
0 OOOE+00
0 OOOE+00
0 OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
SUB
SUB
PMS
PMS
PMS
0.OOOE+00
0.OOOE+00
0.00OE+00
0.OOOE+00
0. OOOE+00
0.00OE+00
0.00OE+00
0.OOOE+00
0.000E+00
0.OOOE+00
0.00OE+00
0.OOOE+00
0.000E+00
28-66
FAIL RATE VARIANCE SOURrr MTMV
Revision 1
((N
PROBABILITY
1.71E-04
9.15E-07
1.71E-04
1.71E-04
1.71E-04
1.71E-04
1.71E-04
1.71E-04
1.O0E-01
1.00E-01
1.00E-06
2.51E-04
2.51E-04
VARIANCE
0.00E+00
0.OOE+00
0 OOE+00
0.00E+00
0.00E+00
0. 00E+00
0. 00E00
0 OOE+00
0.OOE÷00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
(28. Plant Control System
( (IAPlO00 Probabilistic Risk Assessment
Table 28-10 (Sheet 6 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
CO•MP FATTITRE MODE FAIL RATE VARIANCE SOURCE TIME
EA FAILURE OF THE ANALOG INPUT BOCA2EAPS002B1SA
CA2EAPS002B2SA
CA9EP001BSA
CA9EPCMPASA
CA9EPCMPBSA
CAN-MAN01
CANTP011RI
CClEATF1011SA
CClEATF1012SA
CC1EPSBPASA
CC1EPSBPBSA
CCB-MAN01
CCNTF101RI
ARD (###EA####SA)
FAILURE OF THE ANALOG INPUT BO ARD (###EA####SA)
FAILURE OF THE POWER INTERFACE BOARD (###EP##*#SA)
FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
PROBABILITY FOR SUB- BASIC EVE NTS
FAILURE OF PRESSURE TRANSMITTE R (###TP###RI)
FAILURE OF THE ANALOG INPUT BO ARD (###EA####SA)
FAILURE OF THE ANALOG INPUT BO ARD (###EA####SA)
FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
PROBABILITY FOR SUB- BASIC EVE NTS
FLOW TRANSMITTER FAILURE (###T F###RI)
2.510E-04
2.510E-04
1.710E-04
1.710E-04
1.710E-04
1.OOOE-01
5.230E-03
2.510E-04
2.510E-04
1.710E-04
1.710E-04
1.OCOE-01
5.230E-03
0. 00OE+00
o.OOOE+00
0.000E+00
0.000E+00
0. 000E+00
0.000E+00
o.OOOE+00
o.OOOE+00
0.OOOE+00
o.OOOE+00
o.OOOE+00
0.OOOE+00
o.aooE+00
PMS
PMS
PMS
PMS
PMS
SUB
PMS
PMS
PMS
PMS
PMS
SUB
PMS
O.OOOE+00 2.51E-04 0.00E+00
0.OOOE+00
o.000E+00
o.000E+00
0.OOOE+00
0.00OE+00
0 . OOOE+00
o.OOOE+00
0.OOOE+00
0.OOOE+00
0.00OE+00
0. OOOE+00
0.OOUE+00
2. 51E-04
1.71E-04
1.71E-04
1.71E-04
1. OOE-01
5.23E-03
2.51E-04
2.51E-04
1.71E-04
1.71E-04
1. OOE-01
5.23E-03
0.00E+00
0.OOE+00
0.OOE+00
O.OOE+00
0.00E+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.00E+00
0.OOE+00
28-67
Revision 1
PT TDrFh'T PROBABILITY VARIANCE
EA
EP
EP
EP
xx
TP
EA
EA
EP
EP
xx
TF
Revision 1
FT IDENT COMP FAILURE MODE
28-67
28. Plant Control System APIO00 Probabilistic Risk Assecgmant
Table 28-10 (Sheet 7 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
- - --.- -- *-~ AnA, rr~nnnD~cI VARll'IANCE.COMP FATTTI•R MC•fl T�ATr. PA'P� �Y�DT�?(Tr� �C�rTDf.t'
CCX-CMT-SENS
CCX-EAI
CCX-EAO
CCX-EP-SA
CCX-EP-SAM
CCX-EPI
CCX-IN-LOGIC-SW
CCX-INPUT-LOGIC
CCX-LS-FA
CCX-MFI
CCX-ORY-SP
CCX-PL103
CCX-PLIEH0
-- CCF OF CMT SIGNAL SENSORS (CCX -CMT-SENS)
CCF OF THE ANALOG INPUT BOARDS (CCX-EAI)
CCF OF THE ANALOG OUTPUT BOARD S (CCX-EAO)
CCF OF THE POWER INTERFACE OUT PUT BOARD (CCX-EP-SA)
CCF OF THE POWER INTERFACE OUT PUT BOARD (CCX-EP-SA)
CCF OF THE POWER INTERFACE INP UT BOARD (CCX-EPI)
SOFTWARE CCF OF INPUT LOGIC GR OUPS (CCX-PL#MOD3-SW, -IN-LOGI C-SW)
CCF OF INPUT LOGIC GROUPS (CCX -PL#MOD3, -INPUT-LOGIC)
LS CCF OF THE LIMIT SWITCHES (CCX -LS-FA)
CCF OF MAIN FEED ISOLATION SIG NAL SENSORS (SGS04) (CCX-MFI)
OR CCF OF ORIFICE - PLUGGED (CCXORY-SP)
CCF OF THE LOGIC GROUP PROCESS ING (CCX-###03)
CCF OF MUX TRANSMITTERS (CCX-# ##EHO)
1.OOOE-06
1.270E-05
3 .230E-06
8. 620E-06
8.620E-06
1.OOOE-20
1.100E-05
1.030E-04
5.370E-06
1.000E-06
1.00OE-20
9.690E-05
4.030E-06
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0. OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0 OOOE+00
0.OOOE+00
0.OOOE+00 1.OOE-06 0.OOE+00PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
1.27E-05
3 .23E-06
8. 62E-06
8. 62E-06
1.00E-20
1. lOE-05
1.03E-04
5.37E-06
1. OOE-06
1.OOE-20
9. 69E-05
4.03E-06
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0. OOE+00
0. OOE+00
0 OOE+00
0.OOE+00
0 OOE+00
0.OOE+00
0 OOE+00
28-68
(
FT TDENT
0 OOOE+00
0.OOOE+00
0 OOOE+00
0 OOOE+00
0 OOOE+00
0 OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
(Revision 1
AP1000 Probabilistic Risk Assess ent
(28. Plant Control System
( (
AP1000 Probabilistic Risk Assessment
Table 28-10 (Sheet 8 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
COMP FAILURE MODE FAIL RATE VARIANCE SOURCE TIME PROBABILITY VARIANCE
CCX-PL1MOD1
CCX-PLIMODI-SW
CCX-PLIMOD5
CCX-PL1MOD5-SW
CCX-PL203
CCX-PL2EH0
CCX-PL2MOD1
CCX-PL2MOD1-SW
CCX-PL2MOD5
CCX-PL2MOD5-SW
CCX-PL303
CCX-PL3EHO
CCX-PL3MOD1
-- CCF OF OUTPUT LOGIC I/Os (CCXP##MOD1)
SOFTWARE CCF OF OUTPUT LOGIC I
/Os (CCX-P##MOD1)
CCF OF MODULATING GROUPS - OUT PUT LOGIC I/Os (CCX-PL#MOD5)
SOFTWARE CCF OF MODULATING GRO UPS (CCX-PL#MOD5-SW)
CCF OF THE LOGIC GROUP PROCESS ING (CCX-###03)
CCF OF MUX TRANSMITTERS (CCX-# ##EHO)
CCF OF OUTPUT LOGIC I/Os (CCXP##MODI)
SOFTWARE CCF OF OUTPUT LOGIC I /Os (CCX-P##MOD1)
CCF OF MODULATING GROUPS - OUT PUT LOGIC I/Os (CCX-PL#MOD5)
SOFTWARE CCF OF MODULATING GRO
UPS (CCX-PL#MOD5-SW)
CCF OF THE LOGIC GROUP PROCESS ING (CCX-###03)
CCF OF MUX TRANSMITTERS (CCX-# ##EHO)
CCF OF OUTPUT LOGIC I/Os (CCXP##MOD1)
1.410E-04
1.100E-05
6.980E-05
1.100E-05
9. 690E-05
4.030E-06
1.410E-04
1.100E-05
6.980E-05
1.100E-05
9.690E-05
4.030E-06
1.410E-04
O.OOOE+00
O.OOOE+00
o.OOOE+00
0.OOOE+00
o.OOOE+00
0.OOOE+00
o.OOOE+00
o.OOOE+00
O.OO0E+00
o.OOOE+00
0.000E+00
o.OOOE+00
o.OOOE+00
0.000E+00 1.41E-04 O.COE+00PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
1.10E-05
6.98E-05
1.10E-05
9 . 69E-05
4.03E-06
1.41E-04
1.10E-05
6.98E-05
1.10E-05
9.69E-05
4.03E-06
1.41E-04
O.OOE+00
O.00E+00
O.00E+00
0.OOE+00
O.00E+00
0.00E+00
0.00E+00
O.OOE+00
O.OOE+00
O.OOE+00
0.00E+00
O.OOE+00
28-69
Revision 1
FT IDENT
0. 00OE+00
. 000E+00
o .OOOE+00
o. 000E+00
o. 000E+00
o. 000E+00
0.000E+00
0. 000E+00
o.000E+00
0.000E+00
0. OOOE+00
0.000E+00
28-69 Revision 1
28. Plant Control System APl000 Probabilistic Risk Assessment
Table 28-10 (Sheet 9 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
FT IDENT
CCX-PL3MOD1-SW
CCX-PL3MOD5
CCX-PL3MOD5-SW
CCX-PL403
CCX-PL4EHO
CCX-PL4MODI
CCX-PL4MODI-SW
CCX-PL503
CCX-PL5EHO
CCX-PL5MOD1
CCX-PL5MODI-SW
CCX-PL603
CCX-PL6EHO
COMP FAILURE MODE
-- SOFTWARE CCF OF OUTPUT LOGIC I lOs (CCX-P##MOD1)
CCF OF MODULATING GROUPS - OUT PUT LOGIC I/Os (CCX-PL#MOD5)
SOFTWARE CCF OF MODULATING GRO UPS (CCX-PL#MOD5-SW)
CCF OF THE LOGIC GROUP PROCESS ING (CCX-###03)
CCF OF MUX TRANSMITTERS (CCX-# ##EH0)
CCF OF OUTPUT LOGIC I/Os (CCXP##MOD1)
SOFTWARE CCF OF OUTPUT LOGIC I /Os (CCX-P##MOD1)
CCF OF THE LOGIC GROUP PROCESS ING (CCX-###03)
CCF OF MUX TRANSMITTERS (CCX-# ##EHO)
CCF OF OUTPUT LOGIC I/Os (CCXP##MOD1)
SOFTWARE CCF OF OUTPUT LOGIC I /Os (CCX-P##MOD1)
CCF OF THE LOGIC GROUP PROCESS ING (CCX-###03)
CCF OF MUX TRANSMITTERS (CCX-# ##EHO)
WATT. RA'TE VAR TAN('F •(OTIWr' '• PTME
1.100E-05
6.9 80E-05
1.100E-05
9.690E-05
4.030E-06
1.410E-04
1.100E-05
9.690E-05
4.030E-06
1.410E-04
1.100E-05
9.690E-05
4. 030E-06
0 OOOE+00
0.OOOE+00
0. 00OE+00
0.OOOE+00
0 OOOE+00
0 OOOE+00
0.OOOE+00
0. 00E+00
0 OOOE+00
0 OOOE+00
0 OOOE+00
0 OOOE+00
0 OOOE+00
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
0.OOOE+00
0.OOOE+00
0.000E+00
0.00OE+00
0.00OE+00
0. 00OE+00
0.00OE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
O.OOOE+00
28-70
FT IDENT COMP FAILURE MODE FAIL RATE VARIANCE SOURCE TIME
Revision 1
(
AP1000 Probabilistic Risk Assess ent
PROBABILITY
1.10E-05
6.98E-05
1.10E-05
9.69E-05
4. 03E-06
1. 41E-04
1. 10E-05
9. 69E-05
4. 03E-06
1. 41E-04
1.10E-05
9.69E-05
4.03E-06
VARIANCE
o .OOE+00
o .OOE+00
o .OOE+00
o .OOE+00
0.OOE+00
o .OOE+00
o .OOE+00
0 OOE+00
o .OOE+00
o .OOE+00
o .OOE+00
o .OOE+00
o .OOE+00
(2R. Plant Control Svstem
( (AP1O00 Probabilistic Risk Assessment
Table 28-10 (Sheet 10 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
COMP FAILURE MODE FAIL RATE VARIANCE SOURCE TIME PROBABILITY VARIANCE
CCX-PL6MOD1
CCX-PL6MOD1-SW
CCX-PL703
CCX-PL7EH0
CCX-PL7MOD1
CCX-PL7MOD1-SW
CCX-PL803
CCX-PL8EHO
CCX-PL8MOD1
CCX-PL8MOD1-SW
CCX-PL903
CCX-PL9EHO
CCX-PL9MOD1
-- CCF OF OUTPUT LOGIC I/Os (CCXP##MOD1)
SOFTWARE CCF OF OUTPUT LOGIC I
/Os (CCX-P##MOD1)
CCF OF THE LOGIC GROUP PROCESS ING (CCX-###03)
CCF OF MUX TRANSMITTERS (CCX-# ##EHO)
CCF OF OUTPUT LOGIC I/Os (CCXP##MOD1)
SOFTWARE CCF OF OUTPUT LOGIC I /Os (CCX-P##MODI)
CCF OF THE LOGIC GROUP PROCESS ING (CCX-###03)
CCF OF MUX TRANSMITTERS (CCX-# ##EHO)
CCF OF OUTPUT LOGIC I/Os (CCXP##MOD1)
SOFTWARE CCF OF OUTPUT LOGIC I /Os (CCX-P##MOD1)
CCF OF THE LOGIC GROUP PROCESS ING (CCX-###03)
CCF OF MUX TRANSMITTERS (CCX-# ##EHO)
CCF OF OUTPUT LOGIC I/Os (CCXP##MOD1)
1.410E-04
1.100E-05
9.690E-05
4.030E-06
1.410E-04
1.100E-05
9. 690E-05
4.030E-06
1.410E-04
1.100E-05
9. 690E-05
4.030E-06
1.410E-04
0.00OE+00
o.OOOE+00
o.OOOE+00
0.000E+00
0.000E+00
0.OOOE+00
0.OOOE+00
O.OOOE+00
0.00OE+00
0.000E÷00
o.000E+00
o0.000E+00 O.OOOE+00
O .OOOE+00
O.000E+00 1.41E-04 O.OOE+00PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
1.10E-05
9.69E-05
4.03E-06
1.41E-04
1.10E-05
9.69E-05
4.03E-06
1.41E-04
1.10E-05
9. 69E-05
4.03E-06
1.41E-04
O.OOE+00
0.00E+00
0.OOE+00
O.OOE+00
O.OOE+O0
O.OOE±OO
0.OOE+00
0.00E+00
O.OOE+O0
O.OOE+00
O.OOE+O0
O.OOE+00
28-7 1
Revision 1
WT TflFNT•
0. 000E+00
O.OOOE+00
0.00OE+00
0.00OE+00
0.00OE+00
o.OOOE+00
o.OOOE+00
o.OOOE+00
0.000E+00
0.00OE+00
o.000E+00
O. 00E+00
Revision I
28 Plant Control Svstem
FT IDENT COMP FAILURE MODE
28-71
28. Plant Control System AP1000 Probabilistic Risk As��m�nt
Table 28-10 (Sheet 11 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
FT IDENT
CCX-PL9MOD1-SW
CCX-PLA03
CCX-PLAEHO
CCX-PLAMOD1
CCX-PLAMOD1-SW
CCX-PLB03
CCX-PLBEHO
CCX-PLBMOD1
CCX-PLBMOD1-SW
CCX-PLC03
CCX-PLCEHO
CCX-PLCMOD1
CCX-PLCMOD1-SW
COMP FAILURE MODE
-- SOFTWARE CCF OF OUTPUT LOGIC I /Os (CCX-P##MOD1)
CCF OF THE LOGIC GROUP PROCESS ING (CCX-###03)
CCF OF MUX TRANSMITTERS (CCX-# ##EHO)
CCF OF OUTPUT LOGIC I/Os (CCXP##MOD1)
SOFTWARE CCF OF OUTPUT LOGIC I /Os (CCX-P##MOD1)
CCF OF THE LOGIC GROUP PROCESS ING (CCX-###03)
CCF OF MUX TRANSMITTERS (CCX-# ##EHO)
CCF OF OUTPUT LOGIC I/Os (CCXP##MOD1)
SOFTWARE CCF OF OUTPUT LOGIC I /Os (CCX-P##MOD1)
CCF OF THE LOGIC GROUP PROCESS ING (CCX-###03)
CCF OF MUX TRANSMITTERS (CCX-# ##EHO)
CCF OF OUTPUT LOGIC I/Os (CCXP##MOD1)
SOFTWARE CCF OF OUTPUT LOGIC I /Os (CCX-P##MOD1)
FAIL RATE VARIANCFE S•O1RCFV
1.100E-05
9. 690E-05
4.030E-06
1.410E-04
1.100E-05
9.690E-05
4 .030E-06
1.410E-04
1.100E-05
9.690E-05
4.030E-06
1.410E-04
0.00OE+00
0.OOOE+00
0.00OE+00
0.OOOE+00
0.00EE+00
0.0OOE+00
0.OOOE+00
0. OOOE+00
0.OOOE+00
O.O00E+00
0. OOOE+00
0.0OOE+00
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
1.100E-05 0.OOOE+00 PMS
TTM1V
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.00OE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
O.OOOE+00
O.OOOE+00
O.OOOE+00
O.OOOE+00
FAIL RATE VARIANCE SOURCE TIME
0.OOOE+00 1.10E-05 0.OOE+00
28-72
( Revision 1
AP1000 Probabilistic Risk Assess ent
PROBABILITY
1.10E-05
9.69E-05
4.03E-06
1.41E-04
1.10E-05
9.69E-05
4.03E-06
1.41E-04
1.10E-05
9.69E-05
4.03E-06
1.41E-04
VARIANCE
0.00E+00
0.OOE+00
0.OOE+00
0.00E+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
(28. Plant Control System
((r
AP1000 Probabilistic Risk Assessment
Table 28-10 (Sheet 12 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
COMP FAILURE MODE FAIL RATE VARIANCE SOURCE TIME PROBABILITY VARIANCE
CCX-PLD03
CCX-PLDEH0
CCX-PLDMOD1
CCX-PLDMOD1-SW
CCX-PLMMOD4
CCX-PLMMOD4-SW
CCX-PLMOD3
CCX-PLMOD3-SW
CCX-PLSMOD6
CCX-PLSMOD6-SW
CCX-PMA030
CCX-PMAEHO
9. 690E-05
4.030E-06
1.410E-04
1.100E-05
4.980E-05
1. 100E-05
1.030E-04
1.100E-05
2. 530E-04
1.100E-05
9.690E-05
4.030E-06
0.000E+00
o.OOOE+00
o.OO0E+00
0.OOOE+00
o.OO0E+00
0.OOOE+00
0.000E+00
0.OO0E+00
0.000E+00
o.OOOE+00
0.000E+00
0.00OE+00
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
0.000E+00 9.69E-05 0.OOE+00-- CCF OF THE LOGIC GROUP PROCESS ING (CCX-###03)
CCF OF MUX TRANSMITTERS (CCX-# ##EHO)
CCF OF OUTPUT LOGIC I/Os (CCXP##MODI)
SOFTWARE CCF OF OUTPUT LOGIC I 10s (CCX-P##MOD1)
CCF OF MUX LOGIC GROUPS (CCX-P ##MOD4)
SOFTWARE CCF OF MUX LOGIC GROU PS (CCX-P##MOD4-SW)
CCF OF INPUT LOGIC GROUPS (CCX -PL#MOD3, -INPUT-LOGIC)
SOFTWARE CCF OF INPUT LOGIC GR
OUPS (CCX-PL#MOD3-SW, -IN-LOGI C-SW)
CCF OF SIGNAL SELECTOR GROUPS - LOGIC AND I/Os (CCX-PL#MOD6)
SOFTWARE CCF OF SIGNAL SELECTO R GROUPS - LOGIC AND I/Os (CCX
-PL#MOD6-SW)
CCF OF THE LOGIC GROUP PROCESS ING (CCX-###03)
CCF OF MUX TRANSMITTERS (CCX-# ##EHO)
4.03E-06
1.41E-04
1.10E-05
4.98E-05
1.10E-05
1.03E-04
1.10E-05
2.53E-04
1.10E-05
9.69E-05
4.03E-06
0.00E+00
0.OOE+00
O.OOE+00
O.OOE+00
O.OOE+00
o.O0E+00
O.OOE+00
O.OOE+00
o. OE+00
0.OOE+00
0.OOE+00
28-73
Revision 1
FT IDENT
o.OOOE+00
0.OOOE+00
0.OOOE÷00
0.00OE+00
o.OOOE+00
o.OOOE+00
0.OOOE+00
o.OOOE+00
0.OOOE+00
0.OOOE+00
0.00OE+00
28-73 Revision 1
28. Plant Control System AP1000 P~robabilistic Risk Assessment
Table 28-10 (Sheet 13 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
F'I' TTWi:N'
CCX-PMAMOD1
CCX-PMAMOD1-SW
CCX-PMAMOD2
CCX-PMAMOD2-SW
CCX-PMAMOD4
CCX-PMAMOD4-SW
CCX-PMB030
CCX-PMBEHO
CCX-PMBMODI
CCX-PMBMOD1-SW
CCX-PMBMOD2
CCX-PMBMOD2-SW
CCX-PMBMOD4
tY•M P F'ATT,TIRIF MflTlS!
-- CCF OF OUTPUT LOGIC I/Os (CCXP##MOD1)
SOFTWARE CCF OF OUTPUT LOGIC I /Os (CCX-P##MOD1)
CCF OF ACTUATION LOGIC GROUPS (CCX-P##MOD2)
SOFTWARE CCF OF ACTUATION LOGI C GROUPS (CCX-P##MOD2-SW)
CCF OF MUX LOGIC GROUPS (CCX-P ##MOD4)
SOFTWARE CCF OF MUX LOGIC GROU PS (CCX-P##MOD4-SW)
CCF OF THE LOGIC GROUP PROCESS ING (CCX-###03)
CCF OF MUX TRANSMITTERS (CCX-# ##EH0)
CCF OF OUTPUT LOGIC I/Os (CCXP##MOD1)
SOFTWARE CCF OF OUTPUT LOGIC I /Os (CCX-P##MOD1)
CCF OF ACTUATION LOGIC GROUPS (CCX-P##MOD2)
SOFTWARE CCF OF ACTUATION LOGI C GROUPS (CCX-P##MOD2-SW)
CCF OF MUX LOGIC GROUPS (CCX-P ##MOD4)
fl�mQ \,ADTANTr'P CflTTOflP mTur
1.410E-04
1.100E-05
3.040E-04
1 100E-05
4.980E-05
1.100E-05
9.690E-05
4. 030E-06
1 .410E-04
1. 100E-05
3 040E-04
1. 100E-05
4. 980E-05
0.OOOE+00
0 OOOE+00
0 OOOE+00
0. 00OE+00
0.OOOE+00
0 OOOE+00
0. 00OE+00
0.00OE+00
0.OOOE+00
0.00OE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
0.00OE+00
0.OOOE+00
0.OOOE+00
0. OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.000E+00
28-74
(Q
FT IDENT COMP FAILURE MODE WATTý DAMW 111- - -T-V MT-
Revision 1
K(
AP1000 Probabilistic Risk Assessment
PROBABILITY
1.41E-04
1.10E-05
3. 04E-04
1. 10E-05
4. 98E-05
1.10E-05
9. 69E-05
4. 03E-06
1 .41E-04
1.10E-05
3. 04E-04
1. 10E-05
4. 98E-05
VARIANCE
0. 00E+00
0 OOE+00
0.OOE+00
0 OOE+00
0 OOE+00
0 OOE+00
0 OOE+00
0 OOE+00
0 OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
(28. Plant Control Svstem
( (AP1000 Probabilistic Risk Assessment
Table 28-10 (Sheet 14 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
E7�TI �7�rM� �7�DT?�W� CC�TTDf'� �TM1�r-r jtIDN %..U±± rn~aunr. £'Jxn~nnJJ~.,,
CCX-PMBMOD4-SW
CCX-PMC030
CCX-PMCEH0
CCX-PMCMOD1
CCX-PMCMOD1-SW
CCX-PMCMOD2
CCX-PMCMOD2-SW
CCX-PMCMOD4
CCX-PMCMOD4-SW
CCX-PMD030
CCX-PMDEHO
CCX-PMDMOD1
CCX-PMDMOD1-SW
-- SOFTWARE CCF OF MUX LOGIC GROU PS (CCX-P##MOD4-SW)
CCF OF THE LOGIC GROUP PROCESS
ING (CCX-###03)
CCF OF MUX TRANSMITTERS (CCX-# ##EHO)
CCF OF OUTPUT LOGIC I/Os (CCXP##MOD1)
SOFTWARE CCF OF OUTPUT LOGIC I /Os (CCX-P##MOD1)
CCF OF ACTUATION LOGIC GROUPS (CCX-P##MOD2)
SOFTWARE CCF OF ACTUATION LOGI C GROUPS (CCX-P##MOD2-SW)
CCF OF MUX LOGIC GROUPS (CCX-P ##MOD4)
SOFTWARE CCF OF MUX LOGIC GROU
PS (CCX-P##MOD4-SW)
CCF OF THE LOGIC GROUP PROCESS ING (CCX-###03)
CCF OF MUX TRANSMITTERS (CCX-# ##EHO)
CCF OF OUTPUT LOGIC I/Os (CCXP##MOD1)
SOFTWARE CCF OF OUTPUT LOGIC I
/Os (CCX-P##MOD1)
1.100E-05
9.690E-05
4.030E-06
1.410E-04
1.100E-05
3. 040E-04
1.100E-05
4. 980E-05
1.100E-05
9.690E-05
4.030E-06
1.410E-04
1.100E-05
o.OOOE+00
0.OOOE+00
o.OOOE+00
o.OOOE+00
o.OOOE+00
0.00OE+00
0.OOOE+00
0.00OE+00
O.OOOE+00
O.OOOE+00
0. OOOE+00
O.O00OE+O0
0. OOOE+O0
O.OOOE+00 1.10E-05PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
9. 69E-05
4.03E-06
1.41E-04
1.10E-05
3.04E-04
1.10E-05
4.98E-05
1.10E-05
9. 69E-05
4.03E-06
1.41E-04
1.10E-05
28-75
Revision 1
O.OOOE+00
O.OOOE+00
o.OOOE+00
0.000E+00
O .OOOE+OO
0.000E+00
O.000E+00
0. 000E+00
O.000E+00
0.000E+00
0 .000E+00
o.OOE+00
0.OOE+00
0.OOE+00
o.OOE+00
0.OOE+00
o.OOE+00
O.OOE+00
o.OOE+00
0.OOE+00
O.OOE+00
0.OOE+00
0.OOE+00
o.OOE+00
Revision 1
28. Plant Control Svstem
•'•l•[rJ • 7• "rT TT• •'i I•.•,T.•.• •D•TTT•V
28-75
28. Plant Control SystemAP1 000 Probabilistic Risk Ass --cpf
Table 28-10 (Sheet 15 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
FT IDFNT
CCX-PMDMOD2
CCX-PMDMOD2-SW
CCX-PMDMOD4
CCX-PMDMOD4-SW
CCX-PMXMOD1-SW
CCX-PMXMOD2-SW
CCX-PMXMOD4-SW
CCX-PRHR
CCX-RM-UF
CCX-S-SIG-SENS
CCX-SFTW
CCX-SFTWS
CCX-TRNSM
flOMP F•A T TIrn Mflfl.
-- CCF OF ACTUATION LOGIC GROUPS (CCX-P##MOD2)
SOFTWARE CCF OF ACTUATION LOGI C GROUPS (CCX-P##MOD2-SW)
CCF OF MUX LOGIC GROUPS (CCX-P ##MOD4)
SOFTWARE CCF OF MUX LOGIC GROU PS (CCX-P##MOD4-SW)
SOFTWARE CCF OF OUTPUT LOGIC I 1Os (CCX-P##MOD1)
SOFTWARE CCF OF ACTUATION LOGI C GROUPS (CCX-P##MOD2-SW)
SOFTWARE CCF OF MUX LOGIC GROU PS (CCX-P##MOD4-SW)
CCF OF PRHR ACTUATION SIGNAL S ENSORS (SGS06) (CCX-PRHR)
RM CCF OF READIATION MONITIRS (CC X-RM-UF)
CCF OF THE S-SIGNAL SENSORS (C CX-S-SIG-SENS)
SOFTWARE CCF AMONG ALL BOARDS (CCX-SFTW)
SPURIOUS CCF OF SOFTWARE (CCXSFTWS)
CCF OF PRESSURE TRANSMITTER LO W PZR (CCX-TRNSM)
t�ATT. DAm� ,IADT7U<Tr't' Cflrlflfle mr�,r.
3.040E-04
1.100E-05
4.980E-05
1. 100E-05
1.100E-05
1. 100E-05
1. 100E-05
1.OOOE-06
7.580E-05
1.OOOE-06
1.200E-06
3.000E-08
0.000E+00
0.000E+00
0.000E+00
0. OOOE+00
0.000E+00
0.OOOE+00
0. OOOE+00
0. OOOE+00
0.000E+00
0.OOOE+00
0.OOOE+00
0. OOOE+00
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
0.00OE+00
0 OOOE+00
0. 00OE+00
0. 000E+00
0.OOOE+00
0.OOOE+00
0. 000E+00
0.OOOE+00
0. OOOE+00
0.000E+00
0.OOOE+00
0.OOOE+00
4.780E-04 0.OOOE+00 PMS 0.OOOE+00
.- ý -1. FT IDENT COMP FAILURE MODE FATTý DAMV - T- -
2.01E-04 0.00E+00
28-76
(1iRevision 1
(
PROBABILITY
3.04E-04
1.1OE-05
4.98E-05
1.10E-05
1.1OE-05
1.10E-05
1.10E-05
1.OOE-06
7.58E-05
1.OOE-06
1.20E-06
3.OOE-08
VARIANCE
o.OOE+00
o.OOE+00
0.0OE+00
o.OOE+00
0.OOE+00
o.OOE+00
o.OOE+00
o.OOE+00
o.OOE+00
O.OOE+00
o.OOE+00
o.OOE+00
2
28. Plant Control System
(
Table 28-10 (Sheet 16 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
r'nMp P"A T T ImP M•fl FAIL RATE VARIANCE SOURCE TIME
CCX-TT-UF
CCX-TT1-UF
CCX-VS-FA
CCX-XMTR
CCX-XMTR1
CCX-XMTR195
CD3EA0101SA
CD3EA0102SA
CD3EA0221SA
CD3EA0222SA
CD3EA0251SA
CD3EA0252SA
CD3EA0281SA
-- CCF OF TEMPERATURE TRANSMITTER
S (CCX-TT-UF)
TT CCF OF TEMPERATURE TRANSMITTER S FOLLOWING ACCIDENT (CCX-TT1
UF)
VS CCF OF CMT LEVEL SWITCHES (CMX -VS-FA)
CCF OF PRESSURE TRANSMITTERS CCX-XMTR)
CCF OF PRESSURE TRANSMITTERS F OLLOWING ACCIDENT (CCX-XMTR1)
CCF OF PRESSURIZER LRVRL SENSO RS (CCX-XMTR195)
EA FAILURE OF THE ANALOG INPUT BO ARD (###EA####SA)
EA FAILURE OF THE ANALOG INPUT BO ARD (###EA####SA)
EA FAILURE OF THE ANALOG INPUT BO ARD (###EA####SA)
EA FAILURE OF THE ANALOG INPUT BO ARD (###EA####SA)
EA FAILURE OF THE ANALOG INPUT BO
ARD (###EA####SA)
EA FAILURE OF THE ANALOG INPUT BO ARD (###EA####SA)
EA FAILURE OF THE ANALOG INPUT BO ARD (###EA####SA)
1.170E-04
1.170E-04
3.840E-05
4.780E-04
4.780E-04
4.780E-04
2.510E-04
2.510E-04
2. 510E-04
2.510E-04
2.510E-04
2.510E-04
2.510E-04
O.OOOE+00
0.00OE+00
0.OOOE+00
0.000E+00
O.000E+00
o.000E+00
0.OOOE+00
0.00OE+00
o.OOOE+00
0.OOOE+00
0.000E+00
o.000E+00
0.000E+00
0.000E+00 1.17E-04 0.OOE+00
0.OOOE+00 1.17E-04 0.OOE+00
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
3.84E-05
4.78E-04
4.78E-04
4.78E-04
2 .51E-04
2.51E-04
2.51E-04
2 . 51E-04
2. 51E-04
2.51E-04
2.51E-04
0.OOE+00
o.OOE+00
0.00E+00
0. OOE+00
o.OOE+00
0.00E+00
O.OOE+O0
0.OOE+00
0.00E+00
0. 00E+00
0.00E+00
28-77
Revision 1
rm TflriYP
C
AP1000 Probabilistic Risk Assessment
PROBABILITY VARIANCE
o.000E+00
0.000E+00
o.OOOE+00
0.000E+00
0.00OE+00
0.OOOE+00
o.000E+00
0.00OE+00
0.000E+00
o.000E+00
0.000E+00
Revision I
FT IDENT COMP FAILURE MODE FAIL RATE VARIANCE SOURCE TIME
28-77
28. Plant Control SystemAPI1000 Probabilistic Risk Assesscment
Table 28-10 (Sheet 17 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
COMP FAILURE MODE
EA FAILURE OF THE ANALOG INPUT BOARD (###EA####SA)
FAILURE OF THE ANALOG INPUT BO ARD (###EA####SA)
FAILURE OF THE ANALOG INPUT BO ARD (###EA####SA)
FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
FLOW TRANSMITTER FAILURE (###T F###RI)
PROBABILITY FOR SUB- BASIC EVE NTS
FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
CD3EA0282SA
CD3EACPB1SA
CD3EACPB2SA
CDDEP022SA
CDDEP025SA
CDDEPCPBSA
CDNTF01BRI
CIA-MAN01
CIAEP003SA
CIAEP004SA
CIAEP014SA
CIBEP004SA
CIBEP006SA
PATT. NATF VAR TMJC' ••nrIWfl mTMP
2. 510E-04
2.510E-04
2 .510E-04
1.710E-04
1.710E-04
1.710E-04
5 .230E-03
1. OOOE-01
1.710E-04
1.710E-04
1.710E-04
1.710E-04
0.00OE+00
O.OOOE+00
0.000E+00
0.OOOE+00
0.000E+00
0. OOOE+00
0.OOOE+00
0.OOOE+00
O.000E+00
0.00OE+00
0.000E+00
O.000E+00
PMS
PMS
PMS
PMS
PMS
PMS
PMS
SUB
PMS
PMS
PMS
PMS
0 OOOE+00
0.000E+00
0 OOOE+00
0. 000E+00
0 OOOE+00
0 OOOE+00
0. 000E+00
0.OOOE+00
0. OOOE+00
0.000E+00
0.000E+00
0.000E+00
0.000OE+00
1.710E-04 O.000E+00 PMS 0.OOOE+00
FT IDENTCOMP FAILURE MODE FAIL RATE VARIANCE SOURCE TImv
EP FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
K
1.71E-04 0.00E+00
28-78
CRevision 1
K.
PROBABILITY
2.51E-04
2.51E-04
2.51E-04
1.71E-04
1.71E-04
1.71E-04
5.23E-03
1.00E-01
1.71E-04
1.71E-04
1.71E-04
1.71E-04
VARIANCE
0.00E+00
0.OOE+00
0.OOE+00
0.00E+00
0.OOE+00
0.O0E+00
0.00E+00
0.00E+00
0.00E+00
0.0OE+00
0.OOE+00
0.00E+00
C 28. Plant Control System
(
Table 28-10 (Sheet 18 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
COMP FAILURE MODE FAIL RATE VARIANCE SOURCE TIME
CIC-MAN01
CICEP009SA
CICEP055SA
CIDEP010SA
CIDEP057SA
CMAEP014ASA
CMBEP014BSA
CMCEP015ASA
CMDEP015BSA
CMN-MAN01
CMN-REC01
CMT-SENS1-FAIL
CMT-SENS2-FAIL
XX PROBABILITY FOR SUB-
EP
EP
EP
EP
EP
EP
EP
EP
XX
XX
NTS
FAILURE OF THE POWER BOARD (###EP####SA)
FAILURE OF THE POWER BOARD (###EP####SA)
FAILURE OF THE POWER BOARD (###EP####SA)
FAILURE OF THE POWER BOARD (###EP####SA)
FAILURE OF THE POWER BOARD (###EP####SA)
FAILURE OF THE POWER BOARD (###EP####SA)
FAILURE OF THE POWER BOARD (###EP####SA)
FAILURE OF THE POWER BOARD (###EP####SA)
PROBABILITY FOR SUBNTS
BASIC EVE
INTERFACE
INTERFACE
INTERFACE
INTERFACE
INTERFACE
INTERFACE
INTERFACE
INTERFACE
BASIC EVE
PROBABILITY FOR SUB- BASIC EVE NTS
CMT SIGNAL SENSORS (CMT-SENS-F AIL)
CMT SIGNAL SENSORS (CMT-SENS-F AIL)
1.000E-01
1.710E-04
1.710E-04
1.710E-04
1.710E-04
1.710E-04
1.710E-04
1.710E-04
1.710E-04
1.OOOE-01
1.OCQE-01
1.00OE-06
0.000E+00
0. 00OE+00
0. OOOE+00
0.000E+00
0.000E+00
0.000E+00
0.000E+00
0.000E+00
0.000E+00
0.000E+00
0. OOOE+00
0.OOOE+00
SUB
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
SUB
SUB
PMS
1.000E-06 0.000E+00 PMS
0.OOOE+00 1.OOE-01 0.OOE+00
O.000E+00
o.OOOE+00
O.000E+00
o.000E+00
o.000E+00
o.000E+00
o.000E+00
0.000E+00
0.000E+00
0.000E+00
0.000E+00
1.71E-04
1.71E-04
1.71E-04
1.71E-04
1.71E-04
1. 71E-04
1.71E-04
1.71E-04
1.00E-01
1.OOE-01
1.OOE-06
O.00E+00
0.OOE+00
0. OOE+00
0.0OE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOOE+00 1.00E-06 0.OOE+00
28-79 Revision 1
FT I DENIT
AP100Prbabliti Rsk ssssenAP1000 Probabilistic Risk Assessment
PROBABILITY VARIANCEFT IDENT
28-79 Revision I
28. Plant Control System AP1000 Probabilistic Risk Assessment
Table 28-10 (Sheet 19 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
COMP FAILURE MODE AIT., RATE WAR T A?'JC' ECTIWPC TTM•
CMT-SENS3-FAIL
CMT-SENS4-FAIL
CMX-VS-FA
CV3EPCPASA
CV3EPCPBSA
CV3EPCVPSA
CV3EPSFPSA
CVAEP067SA
CVAEP084SA
CVBEP081SA
CVCEP091SA
CVDEP090SA
DAS
-- CMT SIGNAL SENSORS (CMT-SENS-F AIL)
CMT SIGNAL SENSORS (CMT-SENS-F AIL)
VS CCF OF CMT LEVEL SWITCHES (CMX -VS-FA)
EP FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
EP FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
EP FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
EP FAILURE OF THE POWER INTERFACE
BOARD (###EP####SA)
EP FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
EP FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
EP FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
EP FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
EP FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
-- UNAVAILABILITY GOAL FOR DIVERS E ACTUATION SYSTEM (DAS)
1.OOOE-06
1.000E-06
3.840E-05
1.710E-04
1.710E-04
1.710E-04
1.710E-04
1.710E-04
1.710E-04
1.710E-04
1.710E-04
1.710E-04
0. 00OE+00
0.OOOE+00
0.OOOE+00
0. OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0. OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0. OOOE+00
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
1.OOOE-02 0.OOOE+00 DAS
0 OOOE+00
0 .OOOE+00
0 OOOE+00
0 00 E+00
0. OOOE+00
0 000E+00
0.OOOE+00
0 OOOE+00
0.OOOE+00
0. 00OE+00
0 OOOE+00
0 OOOE+00
1. OOE-06
1.OOE-06
3.84E-05
1. 71E-04
1.71E-04
1.71E-04
1.71E-04
1.71E-04
1.71E-04
1.71E-04
1.71E-04
1.71E-04
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0. OOE+00
0.OOE+00
0.00E+00
0.OOE+00
0.OOE+00
O.OOE+00
O.OOE+00
0.OOOE+00 1.OOE-02 0.OOE+00
28-80
FT IDENT DDflUIARTT.TmV
KRevision 1
Q.
AP1000 Probabilistic Risk Assess ent
COMP FAILURE MODE FAIL RATE VARIANCE SOURCE TIME DUnU1.TTT11
C28. Plant Control System AP1000 Probabilistic Risk Assessment
Table 28-10 (Sheet 20 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
ti~~~~~~~~~~~~ - -ti~ 1U- -rf±jft 'u1 nJ llL nf.r-%~l.L-Dvflftn-TT.TmV Iy71flrTA1'F
DG1-LOGIC
DG2-LOGIC
DUMMY
EC1EA67B1SA
EC1EA67B2SA
EClRE27BGA
ECIREDGiGA
EC1REDG2GA
EC5EPDGISA
EC5EPDG2SA
EC5EPMGB1SA
FWN-MAN02
FWN-MAN03
-- DIESEL SEQUENCING LOGIC (DG#-L OGIC)
-- DIESEL SEQUENCING LOGIC (DG#-L OGIC)
-- LOGICAL ZERO (DUMMY)
EA FAILURE OF THE ANALOG INPUT BO
ARD (###EA####SA)
EA FAILURE OF THE ANALOG INPUT BO ARD (###EA####SA)
RE FAILURE OF THE UNDER VOLTAGE R
ELAY (EC#RE27BGA)
RE FAILURE OF THE UNDER VOLTAGE R ELAY (EC#RE27BGA)
RE FAILURE OF THE UNDER VOLTAGE R ELAY (EC#RE27BGA)
EP FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
EP FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
EP FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
XX PROBABILITY FOR SUB- BASIC EVE NTS
XX PROBABILITY FOR SUB- BASIC EVE NTS
5.OOOE-03
5.OOOE-03
1.00OE-20
2.510E-04
2.510E-04
4.360E-03
4.360E-03
4.360E-03
1.710E-04
1.710E-04
1.710E-04
1.OOOE-01
1.00CE-01
O.000E+00
0.000E+00
0.000E+00
0.000E+00
0.00OE+00
0.000E+00
0.00OE+00
0.00OE+00
0.000E+00
0.00EE+00
o.000E+00
o -OOOE+00
0.000E+00
0.OOOE+00 5.OOE-03 0.OOE+00PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
SUB
SUB-
5. OOE-03
1.OOE-20
2.51E-04
2.51E-04
4.36E-03
4.36E-03
4.36E-03
1.71E-04
1.71E-04
1.71E-04
1.OCE-01
1.OOE-01
0.00E+00
0.OOE+00
o.00E+00
0.OOE+00
0.OOE+00
0. 00E+00
0.OOE+00
0. OOE+00
o.00E+00
o.OOE+00
o.OOE+00
o.OOE+00
28-81
Revision 1
0.OOOE+00
0.00OE+00
0.00OE+00
0.OOOE+00
0.00OE+00
o.OOOE+00
0.OOOE+00
o.OOOE+00
o.OOOE+00
0.00OE+00
0.000E+00
o.OOOE+00
I,
28. Plant Control Svstem
28-81 Revision 1
28. Plant Control System APlOOD Probabilistic RMiC Asc~ment
Table 28-10 (Sheet 21 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
COMP FAILURE MODE
XX PROBABILITY FOR SUB-NTS
FAILURE OF THE POWER BOARD (###EP####SA)
FAILURE OF THE POWER BOARD (###EP####SA)
FAILURE OF THE POWER BOARD (###EP####SA)
FAILURE OF THE POWER BOARD (###EP####SA)
FAILURE OF THE POWER BOARD (###EP####SA)
FAILURE OF THE POWER BOARD (###EP####SA)
FAILURE OF THE POWER BOARD (###EP####SA)
FAILURE OF THE POWER BOARD (###EP####SA)
FAILURE OF THE POWER BOARD (###EP####SA)
FAIL RATE VARIANCE SOURCE TTMF.
BASIC EVE
INTERFACE
INTERFACE
INTERFACE
INTERFACE
INTERFACE
INTERFACE
INTERFACE
INTERFACE
INTERFACE
HPM-MAN01
IRAEP117ASA
IRBEP117BSA
IRBEP123ASA
IRBEP123BSA
IRBEP125ASA
IRBEP125BSA
IRCEP1I8ASA
IRDEP118BSA
IRDEP120ASA
IRDEP12OBSA
IWlTLO45UF
IW2TLO46UF
1. OOOE-01
1.710E-04
1 .710E-04
1 .710E-04
1. 710E-04
1. 710E-04
1 .710E-04
1.710E-04
1. 710E-04
1 .710E-04
1. 710E-04
5.230E-03
5.230E-03
O.OOOE+00
0.00OE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
O.OOOE+00
0.OOOE+00
O.OOOE+00
0.OOOE+00
SUB
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
0.00OE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0. 000E+00
0.OOOE+00
28-82
(N
FT IDENT
EP
EP
EP
EP
EP
EP
EP
EP
EP
EP
TL
TL
FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
LEVEL TRANSMITTER FAILURE (### TL###UF)
LEVEL TRANSMITTER FAILURE (### TL###UF)
FAIL RATE VARIANCE SOURCE TIME
Revision 1
Q
AP1000 Probabilistic Risk Assessment
PROBABILITY
1.OCE-01
1.71E-04
1.71E-04
1.71E-04
1.71E-04
1.71E-04
1.71E-04
1.71E-04
1.71E-04
1.71E-04
1.71E-04
5.23E-03
5.23E-03
VARIANCE
0.OOE+00
0.00E+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.00E+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
(28. Plant Control System
(AP1000 Probabilistic Risk Assessment
Table 28-10 (Sheet 22 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
COMP FAILURE MODE FAIL RATE VARIANCE SOURCE TIME
IW3TLO47UF
IW4TL048UF
IWN-MAN01
IWX-XMTR
LPM-MAN01
LPM-MAN02
LPM-MAN03
LPM-MAN04
LPM-MAN07
LPM-MAN08
LPM-REC01
MDAS
MF3EA250A1SA
5.230E-03
5.230E-03
1.OOOE-01
4.780E-04
1.000E-01
1.000E-01
1.000E-01
1.000E-01
1.000E-01
1.OOOE-01
1.000E-01
1.000E-02
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.000E+00
0.OOOE*00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0. OOOE+00
0.00OE+00
PMS
PMS
SUB
PMS
SUB
SUB
SUB
SUB
SUB
SUB
SUB-
0.OOOE+00 5.23E-03 O.OOE+00
0.00OE+00
0.OOOE+00
0.00OE+00
0.00OE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.00OE+00
0.00OE+00
5.23E-03
1.OOE-01
4.78E-04
1.OOE-01
1.OOE-01
1 .OOE-01
1.OOE-01
1.OOE-01
1.OOE-01
1.OOE-01
1. OE-02
TL LEVEL TRANSMITTER FAILURE (### TL###UF)
TL LEVEL TRANSMITTER FAILURE (### TL###UF)
XX PROBABILITY FOR SUB- BASIC EVE NTS
-- CCF OF PRESSURE TRANSMITTER (I WX-XMTR)
XX PROBABILITY FOR SUB- BASIC EVE NTS
XX PROBABILITY FOR SUB- BASIC EVE NTS
XX PROBABILITY FOR SUB- BASIC EVE NTS
XX PROBABILITY FOR SUB- BASIC EVE NTS
XX PROBABILITY FOR SUB- BASIC EVE NTS
XX PROBABILITY FOR SUB- BASIC EVE NTS
XX PROBABILITY FOR SUB- BASIC EVE NTS
-- UNAVAILABILITY GOAL FOR MANUAL
DIVERSE ACTUATION SYSTEM (MDAS)
EA FAILURE OF THE ANALOG INPUT BO ARD (###EA####SA)
0.OOE+00
0.OOE+00
0. OOE+00
0.OOE+00
0.OOE+00
0 OOE+00
0 OOE+00
0 OOE+00
0.OOE+00
0 OOE+00
0. OOE+00
O .OOE+00
28-83
Revision 1
FT IDENT PROBABILITY VARIANCE
2.510E-04 0.OOOE+00 PMS 0.OOOE+00 2.51E-04
Revision 1
FT IDENT
28-83
28. Plant Control System API000 Probabilistic Risk Assessment
Table 28-10 (Sheet 23 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
r'r TflFI?
MF3EA25OA2SA
MF3EA250B1SA
MF3EA25OB2SA
MF3EU250A1SA
MF3EU25OA2SA
MF3EU250B1SA
MF3EU25OB2SA
MSAEPSD1SA
MSAEPSD2SA
MSAEPSD3SA
MSAEPSD4SA
MSAEPSD5SA
MSAEPSD6SA
CflMP :A T T,Trnr• MfltW.
EA FAILURE OF THE ANALOG INPUT BOARD (###EA####SA)
FAILURE OF THE ANALOG INPUT BO ARD (###EA####SA)
FAILURE OF THE ANALOG INPUT BO ARD (###EA####SA)
FAILURE OF THE ANALOG OUTPUT B OARD (###EU###SA)
FAILURE OF THE ANALOG OUTPUT B OARD (###EU###SA)
FAILURE OF THE ANALOG OUTPUT B OARD (###EU###SA)
FAILURE OF THE ANALOG OUTPUT B OARD (###EU###SA)
FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
EP FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
rATT. flAT1 X7AP TA•Trr CflT TPC • ; TMP
2.510E-04
2.510E-04
2 510E-04
6.420E-05
6.420E-05
6.420E-05
6.420E-05
1.710E-04
1.710E-04
1.710E-04
1.710E-04
1.710E-04
0 OOOE+00
0 OOOE+00
0 OOOE+00
0 OOOE+00
0 OOOE+00
0 OOOE+00
0. 000E+00
0 00 E+00
0 OOOE+00
0.OOOE+00
0.OOOE+00
0 OOOE+00
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOEt00
0.00OE+00
0. OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
1.710E-04 0.OOOE+00 PMS 0.OOOE+00
FT IDENT COMP FAILURE MODE FAIL RATE VARIANCE SOURCE TIME
1.71E-04 0.OOE+00
28-84
C.Revision 1
,.
PROBABILITY
2. 51E-04
2. 51E-04
2. 51E-04
6.42E-05
6.42E-05
6 .42E-05
6.42E-05
1. 71E-04
1. 71E-04
1.71E-04
1. 71E-04
1. 71E-04
VARIANCE
0. OOE+00
0. OOE+00
0.OOE+00
0 OOE+00
0. 00E+00
0. 00E+00
0 OOE+00
0 OOE+00
0.00E+00
0 OOE+00
0. 00E+00
0 OOE+00
C,
K,
28. Plant Control System AP1000 Probabilistic Risk Assessment
Table 28-10 (Sheet 24 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
COMP FAILURE MODE FAIL RATE VARIANCE SOURCE TIME
MSAEPSD7SA
MSAEPSD8SA
PCITP005UF
PC2TP006UF
PC3TP007UF
PC4TP008UF
PCAEP001ASA
PCBEPO01BSA
PCN-MAN01
PLI0301ASA
PLI0301BSA
PL10302ASA
PL10302BSA
EP FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
EP FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
TP FAILURE OF PRESSURE TRANSMITTE R (###TP###UF)
TP FAILURE OF PRESSURE TRANSMITTE R (###TP###UF)
TP FAILURE OF PRESSURE TRANSMITTE R (###TP###UF)
TP FAILURE OF PRESSURE TRANSMITTE R (###TP###UF)
EP FAILURE OF THE POWER INTERFACE
BOARD (###EP####SA)
EP FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
XX PROBABILITY FOR SUB- BASIC EVE NTS
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
1.710E-04
1.710E-04
5.230E-03
5.230E-03
5.230E-03
5.230E-03
1.710E-04
1.710E-04
1. 000E-01
1.160E-03
1.160E-03
1.160E-03
1.160E-03
o .OOOE+00
0. 000E+00
O.000E+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
o0. OOOE+00
O.000E+00 0.000E+i00
O.OOOE+00
0. OOOE+00
0.000E+00
0. OOOE+00
0.000E+00
0.000E+00 1.71E-04 O.OOE+00PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
SUB
PMS
PMS
PMS
PMS
1.71E-04
5.23E-03
5.23E-03
5.23E-03
5.23E-03
1.71E-04
1.71E-04
1.OOE-01
1. 16E-03
1.16E-03
1.16E-03
1. 16E-03
0.OOE+00
0.00E+00
0.OOE+00
0.OOE+00
0.OOE+00
0.00E+00
0.OOE+00
0.OOE+00
0.00E+00
0.00E+00
0.00E+00
0.00E+00
28-85
Revision 1
FT IDThJT PROBABILITY VARIANCE
0.000E+00
0. 000E+00
0. 000E+00
0. 00OE+00
0.OOOE+00
0. 00OE+00
0. 000E+00
0.00OE+00
0.00OE+00
0.OOOE+00
0.00OE+00
0.OOOE+00
Revision I
FT IDENT COMP FAILURE MODE
28-85
28. Plant Control System AP1000 Probabilistic Risk Assessment
Table 28-10 (Sheet 25 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
COMP FAILURE MODE
PLIEHOAISA
PL1EH0A2SA
PLIMODi1
PLlMOD12
PLlMOD51
PLlMOD52
PL1XS00ASA
PL20301ASA
PL20301BSA
PL20302ASA
PL20302BSA
PL2EHOAlSA
PL2EHOA2SA
FAIL RATE VARIANCE SOURCE TIME
EH FAILURE OF MUX TRANSMITTER FAI LURE TO GROUP ## (P##EHO##SA)
EH FAILURE OF MUX TRANSMITTER FAI LURE TO GROUP ## (P##EHO##SA)
FAILURE OF OUTPUT LOGIC GROUP # I/O (P##MOD1#)
FAILURE OF OUTPUT LOGIC GROUP # I/O (P##MODl#)
FAILURE OF MODULATING LOGIC OR I/O GROUP # (PL#MOD5#)
FAILURE OF MODULATING LOGIC OR I/O GROUP # (PL#MOD5#)
XS FAILURE OF OUTPUT LOGIC GROUP SELECTOR (P##XSOOASA)
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
EH FAILURE OF MUX TRANSMITTER FAI LURE TO GROUP ## (P##EHO##SA)
EH FAILURE OF MUX TRANSMITTER FAI LURE TO GROUP ## (P##EHO##SA)
8.OOOE-05
8.OOOE-05
2.090E-03
2.090E-03
8.740E-04
8.740E-04
8.000E-05
1.160E-03
1.160E-03
1.160E-03
1.160E-03
8.000E-05
8.000E-05
0.OOOE+00
0. OOOE+00
0.OOOE+00
0. 00OE+00
0.000E+00
0.00OE+00
0. OOOE+00
0.OCOE+00
0.000E+00
o.OOOE+00
o.OOOE+00
0. 000E+00
0.OOOE+00
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
28-86
(
FT IDENT
O.OOOE+00
0.OOOE+00
0.00OE+00
0. OOOE+00
o.OOOE+00
o.OOOE+00
o.OOOE+00
o.OOOE+00
o.OOOE+00
0.OOOE+00
0.OOOE+00
0 . OOOE+00
O.000E+00
FAIL RATE VARIANCE SOURCE TIME
Revision 1
( K.K,
PROBABILITY
8.00E-05
8.OOE-05
2.09E-03
2.09E-03
8.74E-04
8. 74E-04
8.O0E-05
1.16E-03
1.16E-03
1.16E-03
1.16E-03
8.OOE-05
8.OOE-05
VARIANCE
0.00E+00
0.00E+00
0.00E+00
0.00E+00
0.00E+00
o.00E+00
0.OOE+00
o.OOE+00
o.OOE+00
o.OOE+00
o.00E+00
o.OOE+00
o.00E+00
(2
28. Plant Control System AP1000 Probabilistic Risk Assessment
Table 28-10 (Sheet 26 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
COMP FAILURE MODE FAIL RATE VARIANCE SOURCE TIME PROBABILITY VARIANCE
PL2MOD11
PL2MOD12
PL2MOD51
PL2MOD52
PL2XSOOASA
PL30301ASA
PL30301BSA
PL30302ASA
PL30302BSA
PL3EHOA1SA
PL3EHOA2SA
PL3MOD11
PL3MOD12
-- FAILURE OF OUTPUT LOGIC GROUP
# I/O (P##MOD1#)
FAILURE OF OUTPUT LOGIC GROUP
# I/O (P##MOD1#)
FAILURE OF MODULATING LOGIC OR I/O GROUP # (PL#MOD5#)
FAILURE OF MODULATING LOGIC OR I/O GROUP # (PL#MOD5#)
XS FAILURE OF OUTPUT LOGIC GROUP SELECTOR (P##XSOOASA)
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
EH FAILURE OF MUX TRANSMITTER FAI LURE TO GROUP ## (P##EHO##SA)
EH FAILURE OF MUX TRANSMITTER FAI LURE TO GROUP ## (P##EH0##SA)
FAILURE OF OUTPUT LOGIC GROUP # I/O (P##MOD1#)
FAILURE OF OUTPUT LOGIC GROUP # I/O (P##MOD1#)
2.090E-03
2.090E:03
8.740E-04
8.740E-04
8.OOOE-05
1.160E-03
1. 160E-03
1.160E-03
1.160E-03
8.000E-05
8.000E-05
2.090E-03
2.090E-03
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.00OE+00
0.O0OE+00
0.OOOE+00
0.OOOE+00
o.OOOE+00
0.OOOE+00
0.OOOE+00
o .OOOE+00
0.OOOE+00 2.09E-03 0.OOE+00PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
2.09E-03
8.74E-04
8.74E-04
8.OOE-05
1.16E-03
1. 16E-03
1.16E-03
1. 16E-03
8.00E-05
8.OOE-05
2.09E-03
2.09E-03
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
o.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.0OE+00
28-87
Revision 1
FT IDENT
C
o.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.00OE+00
0.OOOE+00
0.00OE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
O.OOOE+00
28-87 Revision 1
28. Plant Control System AP1000 Probabilistic Risk Assessment
Table 28-10 (Sheet 27 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
COMP FAILURE MODE
PL3MOD51
PL3MOD52
PL3XSOOASA
PL40301ASA
PL40301BSA
PL40302ASA
PL40302BSA
PL4EHOA1SA
PL4EHOA2SA
PL4MOD11
PL4MOD12
PL4XSO0ASA
PL50301ASA
FAIL RATE VARIANCE SOURCE TIME
-- FAILURE OF MODULATING LOGIC OR I/O GROUP # (PL#MOD5#)
FAILURE OF MODULATING LOGIC OR I/O GROUP # (PL#MOD5#)
XS FAILURE OF OUTPUT LOGIC GROUP SELECTOR (P##XSOOASA)
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
EH FAILURE OF MUX TRANSMITTER FAI LURE TO GROUP ## (P##EHO##SA)
EH FAILURE OF MUX TRANSMITTER FAI LURE TO GROUP ## (P##EHO##SA)
FAILURE OF OUTPUT LOGIC GROUP # I/O (P##MODI#)
FAILURE OF OUTPUT LOGIC GROUP # I/O (P##MODI#)
XS FAILURE OF OUTPUT LOGIC GROUP SELECTOR (P##XS0OASA)
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
8.740E-04
8.740E-04
8.OOOE-05
1.160E-03
1.160E-03
1.160E-03
1.160E-03
8.OOOE-05
8.000E-05
2.090E-03
2.090E-03
8. OOOE-05
1. 160E-03
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0. 00OE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0. OOOE+00
0.00OE+00
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
28-88
C
FT IDENT
0.OOOE+00
0.000E+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0. OOOE+00
0.00OE+00
0.00OE+00
0.OOOE+00
0.OOOE+00
0. 00OE+00
0.OOOE+00
FAIL RATE VARIANCE SOURCE TIME
Revision 1
(KI,
PROBABILITY
8.74E-04
8.74E-04
8.OOE-05
1.16E-03
1.16E-03
1.16E-03
1.16E-03
8.OOE-05
8.OOE-05
2.09E-03
2.09E-03
8.OOE-05
1.16E-03
VARIANCE
o. 00E+00
0.00E+00
o .OOE+00
o .OOE+00
0 .00E+00
o. 00E+00
o .OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.00E+00
o.00E+00
o.00E+00
(28. Plant Control System
( ("
AP1000 Probabilistic Risk Assessment
Table 28-10 (Sheet 28 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
COMP FAILURE MODE FAIL RATE VARIANCE SOURCE TIME
PL50301BSA
PL50302ASA
PL50302BSA
PL5EHOA1SA
PL5EHOA2SA
PL5MOD11
PL5MOD12
PL5XS0OASA
PL60301ASA
PL60301BSA
PL60302ASA
PL60302BSA
PL6EHOA1SA
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
EH FAILURE OF MUX TRANSMITTER FAI LURE TO GROUP ## (P##EHO##SA)
EH FAILURE OF MUX TRANSMITTER FAI LURE TO GROUP ## (P##EHO##SA)
FAILURE OF OUTPUT LOGIC GROUP # I/O (P##MOD1#)
FAILURE OF OUTPUT LOGIC GROUP # I/O (P##MOD1#)
XS FAILURE OF OUTPUT LOGIC GROUP SELECTOR (P##XS00ASA)
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
EH FAILURE OF MUX TRANSMITTER FAI LURE TO GROUP ## (P##EHO##SA)
1.160E-03
1.160E-03
1. 160E-03
8.000E-05
8.000E-05
2.090E-03
2.090E-03
8.OOOE-05
1.160E-03
1.160E-03
1. 160E-03
1.160E-03
8.000E-05
O.OOOE+00
O.000E+00
O.OOOE+00
O.OOOE+00
O.000E+00
0.00OE+00
0.OOOEE+00
0.00OE+00
O.OOOE+00
O.OOOE+00
O.OOOE+00
O.O00OE+O0
O.O00OE+O0
O.OOOE÷00 1.16E-03 0.00E+00PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
1. 16E-03
1.16E-03
8.00E-05
8.00E-05
2.09E-03
2.09E-03
8. OOE-05
1. 16E-03
1. 16E-03
1.16E-03
1. 16E-03
8. OOE-05
O.OOE+00
0.OOE+00
0.OOE+00
O.OOE+00
0.OOE+00
0.00E+00
0.00E+00
0.00E+00
O.OOE+00
0.OOE+00
O.OOE+00
0.00E+00
28-89
Revision 1
FT IDENT PROBABILITY VARIANCE
0.000E+00
0.OOOE+00
0. 000E+00
0.000E+00
0. OOOE+00 0. 000OE+00
0.000E+00
O.O 0E+00
O.OOOE+00
O.OOOE+00
O.OOOE+00
0.000E+00
0.000E+00
28-89 Revision 1
28. Plant Control System AP1000 Probabilistic Risk Assessment
Table 28-10 (Sheet 29 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
COMP FAILURE MODE
PL6EHOA2SA
PL6MOD11
PL6MOD12
PL6XSOOASA
PL70301ASA
PL70301BSA
PL70302ASA
PL70302BSA
PL7EHOAISA
PL7EHOA2SA
PL7MOD11
PL7MOD12
PL7XSOOASA
FATL RATE VAPTANCF. flOTTIfl TTMF
EH FAILURE OF MUX TRANSMITTER FAI LURE TO GROUP ## (P##EHO##SA)
FAILURE OF OUTPUT LOGIC GROUP # I/O (P##MOD1I)
FAILURE OF OUTPUT LOGIC GROUP # I/O (P##MOD1#)
XS FAILURE OF OUTPUT LOGIC GROUP SELECTOR (P##XSOOASA)
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
EH FAILURE OF MUX TRANSMITTER FAI LURE TO GROUP ## (P##EHO##SA)
EH FAILURE OF MUX TRANSMITTER FAI LURE TO GROUP ## (P##EHO##SA)
FAILURE OF OUTPUT LOGIC GROUP # I/O (P##MOD1#)
FAILURE OF OUTPUT LOGIC GROUP # I/O (P##MOD1#)
XS FAILURE OF OUTPUT LOGIC GROUP SELECTOR (P##XSOOASA)
8.OOOE-05
2.090E-03
2.090E-03
8. OOOE-05
1.160E-03
1.160E-03
1.160E-03
1.160E-03
8.OOOE-05
8.OOOE-05
2.090E-03
2.090E-03
8.OOOE-05
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0. OOOE+00
0.OOOE+00
0.000E+00
0.OOOE+00
0.000E+00
0.OOOE+00
0. OOOE+00
0. OOOE+00
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
28-90
C./
FT IDENT
0 OOOE+00
0 OOOE+00
0. 00OE+00
0. 00OE+00
0. 00E+00
0 OOOE+00
0 00 E+00
0 OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
COMP FAILURE MODE FAIL RATE VARIANCE SOURCE TIME
Revision I
CL.
PROBABILITY
8.O0E-05
2.09E-03
2.09E-03
8.OOE-05
1.16E-03
1.16E-03
1.16E-03
1.16E-03
8.00E-05
8.OOE-05
2.09E-03
2.09E-03
8.OOE-05
VARIANCE
0.OOE+00
0.00E+00
0.00E+00
0.00E+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
(28. Plant Control System AP1000 Probabilistic Risk Assessment
Table 28-10 (Sheet 30 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
rflMr WA•TTTIflP. Mflfl WATT. PA'PTT UAflTAtSflW �nrrnrw 'T'TMW
PL80301ASA
PL80301BSA
PL80302ASA
PL80302BSA
PL8EHOA1SA
PL8EHOA2SA
PL8MOD11
PL8MOD12
PL8XSO0ASA
PL90301ASA
PL90301BSA
PL90302ASA
PL90302BSA
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
EH FAILURE OF MUX TRANSMITTER FAI LURE TO GROUP ## (P##EHO##SA)
EH FAILURE OF MUX TRANSMITTER FAI LURE TO GROUP ## (P##EHO##SA)
FAILURE OF OUTPUT LOGIC GROUP # I/O (P##MOD1#)
FAILURE OF OUTPUT LOGIC GROUP # I/O (P##MOD1#)
XS FAILURE OF OUTPUT LOGIC GROUP SELECTOR (P##XSOOASA)
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
1.160E-03
1.160E-03
1.160E-03
1.160E-03
8.OOOE-05
8. OOOE-05
2.090E-03
2. 090E-03
8.000E-05
1. 160E-03
1. 160E-03
1. 160E-03
1. 160E-03
0.OOOE+00
0. OOOE+00
0.OOOE+00
0.00OE+00
0. OOOE+00
0.OOOE+00
0.00OE+00
0 OOOE+00
0 OOOE+00
0 OOOE+00
0. 000E+00
0 00. OE00
0 OOOE+00
0.OOOE+00 1.16E-03 0.00E+00PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
1.16E-03
1.16E-03
1.16E-03
8.00E-05
8.00E-05
2.09E-03
2.09E-03
8.OOE-05
1.16E-03
1.16E-03
1.16E-03
1.16E-03
0 OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
28-91
Revision 1
fl' TfF-t•l'P DPP PP• z• 1 T T.T '1'V ¶7�PT �W'P
0.000E+00
0.00OE+00
0.00OE+00
0.000E+00
0.000E+00
0.00OE+00
0.000E+00
0.00OE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.00OE+00
FT IDENT COMP FAILURE MODE FAIL RATE VARIANCE SOURCE TIME XTAT) T hm"t,
28-91 Revision I
28. Plant Control System AP1000 Probabilistic Risk Assessment
Table 28-10 (Sheet 31 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
COMP FAILURE MODE
PL9EHOA1SA
PL9EHOA2SA
PL9MOD1I
PL9MOD12
PL9XSOOASA
PLA0301ASA
PLA0301BSA
PLA0302ASA
PLA0302BSA
PLAEHOA1SA
PLAEHOA2SA
PLAMODI1
PLAMOD12
FAIL RATE VARIANCE 5•OIIrCF. TTMF
EH FAILURE OF MUX TRANSMITTER FAI LURE TO GROUP ## (P##EH0##SA)
EH FAILURE OF MUX TRANSMITTER FAI LURE TO GROUP ## (P##EH0##SA)
FAILURE OF OUTPUT LOGIC GROUP # I/0 (P##MOD1#)
FAILURE OF OUTPUT LOGIC GROUP # I/O (P##MOD1#)
XS FAILURE OF OUTPUT LOGIC GROUP SELECTOR (P##XSOOASA)
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
EH FAILURE OF MUX TRANSMITTER FAI LURE TO GROUP ## (P##EHO##SA)
EH FAILURE OF MUX TRANSMITTER FAI LURE TO GROUP ## (P##EHO##SA)
FAILURE OF OUTPUT LOGIC GROUP # I/O (P##MODl#)
FAILURE OF OUTPUT LOGIC GROUP # I/O (P##MOD1#)
8. OOOE-05
8.OOOE-05
2.090E-03
2.090E-03
8.OOOE-05
1.160E-03
1.160E-03
1.160E-03
1.160E-03
8.000E-05
8.OOOE-05
2. 090E-03
2.090E-03
0.00OE+00
0.00OE+00
0. OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
28-92
(.
FT IDENT
0 OOOE+00
0. OOOE+00
0 OOOE+00
0. 00OE+00
0 OOOE+00
0 OOOE+00
0 OOOE+00
0. OOOE+00
0.OOOE+00
0. OOOE+00
0.OOOE+00
0.OOOE+00
0. OOOE+00
FAIL RATE VARIANCE SOURCE TIME
Revision 1
(KI
PROBABILITY
8.OOE-05
8.OOE-05
2.09E-03
2.09E-03
8.00E-05
1.16E-03
1.16E-03
1.16E-03
1.16E-03
8.0OE-05
8.OOE-05
2.09E-03
2.09E-03
VARIANCE
0.00E+00
0.00E+00
0.OOE+00
0.00E+00
0.OOE+00
0.OOE+00
0. OOE+00
0 OOE+00
0.OOE+00
0. 00E+00
0 OOE+00
0 OOE+00
0 OOE+00
(28. Plant Control System AP1000 Probabilistic Risk Assessment
Table 28-10 (Sheet 32 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
COMP FAILURE MODE FAIL RATE VARIANCE SOURCE TIME
PLAMOD31
PLAXSOOASA
PLB0301ASA
PLB0301BSA
PLB0302ASA
PLB0302BSA
PLBEHOA1SA
PLBEHOA2SA
PLBMOD11
PLBMOD12
PLBMOD32
PLBXSOOASA
PLC0301ASA
5.020E-03
8.000E-05
1. 160E-03
1.160E-03
1.160E-03
1. 160E-03
8. 000E-05
8.000E-05
2.090E-03
2.090E-03
5.020E-03
8.OOOE-05
0.000E+00
0.000E+00
0.00OE+00
0.000E+00
0.000E+00
0.00OE+00
0.OOOE+00
0.000E+00
0.00OE+00
O.OOOE+00
0.000E+00
0.000E+00
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
-- FAILURE OF INPUT GROUP # (P##M OD3#)
XS FAILURE OF OUTPUT LOGIC GROUP SELECTOR (P##XSO0ASA)
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
EH FAILURE OF MUX TRANSMITTER FAI LURE TO GROUP ## (P##EHO##SA)
EH FAILURE OF MUX TRANSMITTER FAI LURE TO GROUP ## (P##EH0##SA)
FAILURE OF OUTPUT LOGIC GROUP # I/O (P##MODI#)
FAILURE OF OUTPUT LOGIC GROUP # I/O (P##MOD1#)
FAILURE OF INPUT GROUP # (P##M OD3#)
XS FAILURE OF OUTPUT LOGIC GROUP SELECTOR (P##XSO0ASA)
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
0.000E+00 5.02E-03 0.OOE+00
O.OOOE+00
0.OOOE+00
0.OOOE+00
0.000E+00
O.OOOE+00
0.OOOE+00
0. OOOE+00
O.000E+00
0.OOOE+00
0. 000E+00
O.OOOE+00
8.00E-05
1.16E-03
1.16E-03
1.16E-03
1. 16E-03
8.OOE-05
8.00E-05
2.09E-03
2.09E-03
5.02E-03
8.OOE-05
0.OOE+00
O.OOE+00
0.OOE+00
0.OOE+00
O.OOE+00
0.OOE+00
0.OOE+00
O.OOE+00
0.OOE+00
0.OOE+00
O.OOE+O0
0.OOOE+00 1.16E-03 O.00E+00
28-93
Revision 1
FT IDENT PROBABILITY VARIANCE
1.160E-03 0.OOOE+00 PMS
<i
28-93 Revision I
28. Plant Control System AP1000 Probabilistic Risk Assessment
Table 28-10 (Sheet 33 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
COMP FAILURE MODE
PLC0301BSA
PLC0302ASA
PLC0302BSA
PLCEHOA1SA
PLCEHOA2SA
PLCMOD11
PLCMOD12
PLCMOD33
PLCXSOOASA
PLD0301ASA
PLD0301BSA
PLD0302ASA
PLD0302BSA
FAIL RATE VARIANCE SOURCE TIME
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
EH FAILURE OF MUX TRANSMITTER FAI LURE TO GROUP ## (P##EH0##SA)
EH FAILURE OF MUX TRANSMITTER FAI LURE TO GROUP ## (P##EH0##SA)
FAILURE OF OUTPUT LOGIC GROUP # I/O (P##MOD1#)
FAILURE OF OUTPUT LOGIC GROUP # I/O (P##MOD1#)
FAILURE OF INPUT GROUP # (P##M OD3#)
XS FAILURE OF OUTPUT LOGIC GROUP SELECTOR (P##XSOOASA)
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
1.160E-03
1.160E-03
1.160E-03
8.OOOE-05
8.OOOE-05
2.090E-03
2.090E-03
5.020E-03
8.OOOE-05
1.160E-03
1.160E-03
1.160E-03
1.160E-03
0. 00OE+00
0 OOOE+00
0 OOOE+00
0. 00OE+00
0. OOOE+00
0. OOOE+00
0o.00E+00
0.00OE+00
0.00OE+00
0.00OE+00
0.00OE+00
0.00OE+00
0.OOOE+00
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
28-94
FT IDENT
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.00OE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.000E+00
0.00OE+00
0.OOOE+00
0.OOOE+00
0.00OE+00
0.00OE+00
Revision I
( (
AP1000 Probabilistic Risk Assessment
PROBABILITY
1. 16E-03
1. 16E-03
1. 16E-03
8. 00E-05
8.OOE-05
2. 09E-03
2. 09E-03
5. 02E-03
8. OOE-05
1.16E-03
1. 16E-03
1.16E-03
1. 16E-03
VARIANCE
0.OOE+00
0 OOE+00
0 OOE+00
0 OOE+00
0 OOE+00
0. 00E+00
0.OOE+00
0 OOE+00
0 OOE+00
0 OOE+00
0 OOE+00
0 OOE+00
0.OOE+00
(28. Plant Control System
(
K CAP1000 Probabilistic Risk Assessment
Table 28-10 (Sheet 34 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
COMP FAILURE MODE FAIL RATE VARIANCE SOURCE TIME
PLDEHOAISA
PLDEHOA2SA
PLDMOD11
PLDMOD12
PLDMOD34
PLDXS00ASA
PLMMOD41
PLMMOD42
PLSMOD61
PLSMOD62
PMA0301ABA
PMA0301ASA
PMA0301BBA
EH FAILURE OF MUX TRANSMITTER FAI LURE TO GROUP ## (P##EHO##SA)
EH FAILURE OF MUX TRANSMITTER FAI LURE TO GROUP ## (P##EH0##SA)
FAILURE OF OUTPUT LOGIC GROUP # I/O (P##MOD1#)
FAILURE OF OUTPUT LOGIC GROUP # I/O (P##MOD1#)
FAILURE OF INPUT GROUP # (P##M OD3#)
XS FAILURE OF OUTPUT LOGIC GROUP SELECTOR (P##XSOOASA)
FAILURE OF MUX LOGIC GROUP #( P##MOD4#)
FAILURE OF MUX LOGIC GROUP #( P##MOD4#)
FAILURE OF SIGNAL SELECTOR LOG IC GROUP # (PLSMOD6#)
FAILURE OF SIGNAL SELECTOR LOG IC GROUP # (PLSMOD6#)
03 LOGIC GROUP PROCESSING SPURIOU S FAILURE (###030##BA)
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
03 LOGIC GROUP PROCESSING SPURIOU S FAILURE (###030##BA)
8.OOOE-05
8.000E-05
2.090E-03
2 .090E-03
5.020E-03
8.000E-05
6.350E-04
6.350E-04
3.460E-03
3 .460E-03
8.010E-06
1.160E-03
8.010E-06
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.00OE+00
0.00OE+00
0.000E+00
0.OOOE+00
0.00OE+00
0.OOOE+00
0.00OE+00
0.OOOE+00
0.00OE+00
0.OOOE+00
0.OOOE+00 8.OOE-05 0.OOE+00PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
8. OOE-05
2. 09E-03
2. 09E-03
5.02E-03
8.00E-05
6.35E-04
6. 35E-04
3 .46E-03
3 .46E-03
8.01E-06
1. 16E-03
8. O1E-06
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0 OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
28-95
Revision 1
FT IDENT PROBABILITY VARIANCE
0.OOOE+00
0.00OE+00
0.OOOE+00
0.00OE+00
0.00OE+00
0.00OE+00
0.00OE+00
0.00OE+00
0.00OE+00
0.00OE+00
0.00OE+00
O.OOOE+00
28-95 Revision 1
28. Plant Control System AP1000 Probabilistic Risk Assessment
Table 28-10 (Sheet 35 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
COMP FAILURE MODE
PMA0301BSA
PMA0302ABA
PMA0302ASA
PMA0302BBA
PMA0302BSA
PMAEHOA1SA
PMAEHOA2SA
PMAMOD11
PMAMOD12
PMAMOD21
PMAMOD22
PMAMOD31
PMAMOD41
FAIL RATE VARIANCE SOURCE TIME
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
03 LOGIC GROUP PROCESSING SPURIOU S FAILURE (###030##BA)
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
03 LOGIC GROUP PROCESSING SPURIOU S FAILURE (###030##BA)
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
EH FAILURE OF MUX TRANSMITTER FAI LURE TO GROUP ## (P##EHO##SA)
EH FAILURE OF MUX TRANSMITTER FAI LURE TO GROUP ## (P##EHO##SA)
FAILURE OF OUTPUT LOGIC GROUP # I/O (P##MODI#)
FAILURE OF OUTPUT LOGIC GROUP # I/O (P#iMODI#)
FAILURE OF ACTUATION LOGIC GRO UP # (PM#MOD2#)
FAILURE OF ACTUATION LOGIC GRO UP # (PM#MOD2#)
FAILURE OF INPUT GROUP # (P##M OD3#)
FAILURE OF MUX LOGIC GROUP #i
P##MOD4#)
1. 160E-03
8.010E-06
1.160E-03
8.010E-06
1.160E-03
8.000E-05
8.OOOE-05
2. 090E-03
2. 090E-03
4.070E-03
4. 070E-03
5.020E-03
6.350E-04
O.000E+00
0.OOOE+00
0.000E+00
0.00OE+00
0 OOOE+00
O.OOOE+00
O .OOOE+00
0. 00OE+00
0 OOOE+00
O .OOOE+00
0. 000E+00
0 OOOE+00
0 OOOE+00
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
28-96
(
FT IDENT
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.000E+00
0.OOOE+00
0.OOOE+00
0. OOOE+00
0. OOOE+00
0.00OE+00
0.OOOE+00
0.00OE+00
0.OOOE+00
0. 000E+00
PROBABILITY
1.16E-03
8.01E-06
1.16E-03
8.01E-06
1.16E-03
8.00E-05
8. OOE-05
2 .09E-03
2.09E-03
4. 07E-03
4 .07E-03
5. 02E-03
6. 35E-04
VARIANCE
0.00E+00
0.00E+00
0.00E+00
0.00E+00
o.OOE+00
0 OOE+00
0.OOE+00
0.OOE+00
0.00E+00
0. 00E+00
0. 00E+00
0 OOE+00
o. 00E+00
Revision 1
( \,
(
28. Plant Control System
(AP1000 Probabilistic Risk Assessment
Table 28-10 (Sheet 36 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
PMAMOD42
PMAMSD11
PMAMSD12
PMAMSD21
PMAMSD22
PMAMSD31
PMAXS00ABA
PMAXS00ASA
PMB0301ABA
PMB0301ASA
PMB0301BBA
PMB0301BSA
PMB0302ABA
-- FAILURE OF MUX LOGIC GROUP # P##MOD4#)
SPURIOUS FAILURE OF OUTPUT LOG IC GROUP # I/O (PM#MSD1#)
SPURIOUS FAILURE OF OUTPUT LOG IC GROUP # I/O (PM#MSDI#)
SPURIOUS FAILURE OF ACTUATION LOGIC GROUP # (PM#MSD2#)
SPURIOUS FAILURE OF ACTUATION LOGIC GROUP # (PM#MSD2#)
SPURIOUS FAILURE OF INPUT GROU P # (PM#MSD3#)
XS SPURIOUS FAILURE OF OUTPUT LOG IC GROUP SELECTOR (P##XSOOABA)
XS FAILURE OF OUTPUT LOGIC GROUP SELECTOR (P##XSOOASA)
03 LOGIC GROUP PROCESSING SPURIOU S FAILURE (###030##BA)
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
03 LOGIC GROUP PROCESSING SPURIOU S FAILURE (###030##BA)
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
03 LOGIC GROUP PROCESSING SPURIOU S FAILURE (###030##BA)
6.350E-04
8.400E-06
8.400E-06
2.040E-05
2.040E-05
2.740E-05
1.000E-10
8.000E-05
8.010E-06
1. 160E-03
8.010E-06
1.160E-03
8.010E-06
0.00OE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.00OE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.000E+00
0.OOOE+00
0.OOOE+00
0.000E+00
O.000E+00
0.OOOE+00 6.35E-04 0.00E+00PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
8.40E-06
8.40E-06
2.04E-05
2 . 04E-05
2 .74E-05
1.OOE-10
8.00E-05
8.01E-06
1. 16E-03
8.01E-06
1.16E-03
8. 01E-06
0.OOE+00
0. OOE+00
0.OOE+00
0.OOE+00
0. OOE+00
0.00±E00
0.00E+00
0.00E+00
0. OOE+00
0.OOE+00
0.00E+00
o.00E+00
28-97
Revision 1
DfllWrI TT.TmV 1.7?VDT MCTf'�
0.OOOE+00
0.00OE÷00
0.00OE+00
0.000E+00
0.000E+00
0.000E+00
0.000E÷00
0.000E+00
0.OOOE+00
0.OOOE+00
0.000E+00
0.000±E00
Revision I
ýnun VATT"DV UnnV DOnnhnTT.TMV VATT- DAMP ITAOTANTOV C!n"vrlr IPTMV A I A D T L'•m T T• "C•.Tr•
28-97
28. Plant Control System APlO0O Probabilistic Risk Assessment
Table 28-10 (Sheet 37 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
COMP FAILURE MODE
PMB0302ASA
PMB0302BBA
PMB0302BSA
PMBEHOA1SA
PMBEHOA2SA
PMBMOD11
PMBMOD12
PMBMOD21
PMBMOD22
PMBMOD32
PMBMOD41
PMBMOD42
PMBMSD11
FAIL RATE VARIANCE SOUIRCE TIME
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
03 LOGIC GROUP PROCESSING SPURIOU S FAILURE (###030##BA)
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
EH FAILURE OF MUX TRANSMITTER FAI LURE TO GROUP ## (P##EHO##SA)
EH FAILURE OF MUX TRANSMITTER FAI LURE TO GROUP ## (P##EHO##SA)
FAILURE OF OUTPUT LOGIC GROUP # I/O (P##MOD1#)
FAILURE OF OUTPUT LOGIC GROUP # I/O (P##MODI#)
FAILURE OF ACTUATION LOGIC GRO UP # (PM#MOD2#)
FAILURE OF ACTUATION LOGIC GRO UP # (PM#MOD2#)
FAILURE OF INPUT GROUP # (P##M OD3#)
FAILURE OF MUX LOGIC GROUP #( P##MOD4#)
FAILURE OF MUX LOGIC GROUP #I
P##MOD4#)
SPURIOUS FAILURE OF OUTPUT LOG IC GROUP # I/0 (PM#MSD1I#)
1.160E-03
8.010E-06
1.160E-03
8.OOOE-05
8.000E-05
2 .090E-03
2.090E-03
4.070E-03
4. 070E-03
5 .020E-03
6.350E-04
6. 350E-04
8.400E-06
0.OOOE+00
0.OOOE+00
0.000E+00
0.000E+00
0.000E+00
0.OOOE+00
0.000E+00
0.000E+00
0.00OE+00
0.000E+00
0.000E+00
0.000E+00
0.000E+00
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
28-98
(.
FT IDENT
O.000E+00
O.OOOE+00
0. OOOE+00
0.000E+00
0.OOOE+00
O.000E+00
O.000E+00
0.OOOE+00
0.000E+00
0.000E+00
O.000E+00
O.OOOE+00
0.000E+00
FAIL RATE VARIANCE SOURCE TIME
Revision 1
CC
AP1000 Probabilistic Risk Assess ent
PROBABILITY
1. 16E-03
8. 01E-06
1. 16E-03
8. OOE-05
8. OOE-05
2. 09E-03
2. 09E-03
4 .07E-03
4.07E-03
5.02E-03
6.35E-04
6.35E-04
8.40E-06
VARIANCE
o. 00E+00
0.00E+00
o. 00E+00
0 OOE+00
0 OOE+00
o. 00E+00
o. 00E+00
0.00E+00
O.00E+00
O.OOE+O0
O.OOE+00
O.OOE+00
O.OOE+00
(28. Plant Control System
CAP1000 Probabilistic Risk Assessment
Table 28-10 (Sheet 38 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
('('Un t'aTTTot )AATht. �?�TT. D�m� ¶7T�('�' enrtDr'� mTM�
PMBMSD12
PMBMSD21
PMBMSD22
PMBMSD32
PMBXS0OABA
PMBXSOOASA
PMC0301ABA
PMC0301ASA
PMC0301BBA
PMC0301BSA
PMC0302ABA
PMC0302ASA
PMC0302BBA
-- SPURIOUS FAILURE OF OUTPUT LOG IC GROUP # I/O (PM#MSD1#)
SPURIOUS FAILURE OF ACTUATION LOGIC GROUP # (PM#MSD2#)
SPURIOUS FAILURE OF ACTUATION LOGIC GROUP # (PM#MSD2#)
SPURIOUS FAILURE OF INPUT GROU P # (PM#MSD3#)
XS SPURIOUS FAILURE OF OUTPUT LOG IC GROUP SELECTOR (P##XS0OABA)
XS FAILURE OF OUTPUT LOGIC GROUP SELECTOR (P##XS00ASA)
03 LOGIC GROUP PROCESSING SPURIOU S FAILURE (###030##BA)
03 LOGIC GROUP PROCESSING FAILURE
UPON DEMAND (###030##SA)
03 LOGIC GROUP PROCESSING SPURIOU S FAILURE (###030##BA)
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
03 LOGIC GROUP PROCESSING SPURIOU S FAILURE (###030##BA)
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
03 LOGIC GROUP PROCESSING SPURIOU S FAILURE (###030##BA)
8.400E-06
2.040E-05
2.040E-05
2.740E-05
1.OOOE-10
8. OOOE-05
8.010E-06
1.160E-03
8.01OE-06
1.160E-03
8.010E-06
1.160E-03
8.010E-06
0.OOOE+00
0.OOOE+00
0.00OE+00
0.OOOE+00
0. 000E÷~00
0.00OE+00
o.OOOE+00
0. OOOE+00
0. 00OE+00
0.OOOE+00
0.OOOE+00
0. OOOE+00
0 OOOE+00
0.OOOE+00 8.40E-06 0.OOE+00PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
2.04E-05
2.04E-05
2.74E-05
1.OOE-10
8.OOE-05
8. 01E-06
1. 16E-03
8.01E-06
1. 16E-03
8.01E-06
1. 16E-03
8.01E-06
0.OOE+00
0.OOE+00
0.OOE+00
o.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
O.OOE+00
O.OOE+00
O.OOE+00
28-99
Revision 1
DDfl7ITTTT'V
0.OOOE+00
0.O0OE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.00OE+00
0.OOOE+00
0. OOOE+00
0.OOOE+00
0.00OE+00
0.OOOE+00
r I IV-NA - -T".v -nnv VATT VNMV A17%VT71?17rV CnTTDrlr TIMM PROBABILITY 17ARTANr-L-"•rn T 'r% "L"eK'Fel•
28-99 Revision 1
28. Plant Control System AP1000 Probabilistic Risk Assessment
Table 28-10 (Sheet 39 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
CON? FAILURE MODE
PMC0302BSA
PMCEHOA1SA
PMCEHOA2SA
PMCMOD11
PMCMOD12
PMCMOD21
PMCMOD22
PMCMOD33
PMCMOD41
PMCMOD42
PMCMSD11
PMCMSD12
PMCMSD21
FAIL' RATF. VA1 TA?(CW S•lTIflflF 'TT MP
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
EH FAILURE OF MUX TRANSMITTER FAI LURE TO GROUP ## (P##EHO##SA)
EH FAILURE OF MUX TRANSMITTER FAI LURE TO GROUP ## (P##EHO##SA)
FAILURE OF OUTPUT LOGIC GROUP # I/O (P##MODl#)
FAILURE OF OUTPUT LOGIC GROUP # I/O (P##MODI#)
FAILURE OF ACTUATION LOGIC GRO UP # (PM#MOD2#)
FAILURE OF ACTUATION LOGIC GRO UP # (PM#MOD2#)
FAILURE OF INPUT GROUP # (P##M OD3#)
FAILURE OF MUX LOGIC GROUP #( P##MOD4#)
FAILURE OF MUX LOGIC GROUP #( P##MOD4#)
SPURIOUS FAILURE OF OUTPUT LOG IC GROUP # I/O (PM#MSD1#)
SPURIOUS FAILURE OF OUTPUT LOG IC GROUP # I/O (PM#MSD1#)
SPURIOUS FAILURE OF ACTUATION LOGIC GROUP # (PM#MSD2#)
1.160E-03
8.OOOE-05
8.OOOE-05
2.090E-03
2.090E-03
4.070E-03
4.070E-03
5.020E-03
6.350E-04
6.350E-04
8.400E-06
8.400E-06
2.040E-05
0. 00OE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0. 00OE+00
0.OOOE+00
0.OOOE+00
0. 00OE+00
0. OOOE+00
0. OOOE+00
0.00OE+00
0.OOOE+00
0.OOOE+00
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
28-100
FT IDENT
0. 000E+00
0.00OE+00
0. 00OE+00
0 OOOE+00
O .OOOE+00
0.OOOE+00
0 OOOE+00
O .OOOE+00
0.OOOE+00
O.OOOE+O0
0. 000E+00
O.000E+00
O .000+00
COMP FAILURE MODE FAIL RATE VARIANCE SOURCE TIME
Revision I
( (N
PROBABILITY
1.16E-03
8.00E-05
8.OCE-05
2.09E-03
2.09E-03
4.07E-03
4.07E-03
5.02E-03
6.35E-04
6.35E-04
8.40E-06
8.40E-06
2.04E-05
VARIANCE
0.OOE+00
0.OOE+00
0.OOE+00
0.00E+00
0.00E+00
0.OOE+00
0.00E+00
0.OOE+00
0.00E+00
O.OOE+00
0.OOE+00
0.OOE+00
0.00E+00
C28. Plant Control System
( (J
AP1000 Probabilistic Risk Assessment
Table 28-10 (Sheet 40 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
COMP FAILURE MODE FAIL RATE VARIANCE SOURCE TIME PROBABILITY VARIANCE
PMCMSD22
PMCMSD33
PMCXSOOABA
PMCXSOOASA
PMD0301ABA
PMD0301ASA
PMD0301BBA
PMD0301BSA
PMD0302ABA
PMD0302ASA
PMD0302BBA
PMD0302BSA
PMDEHOA1SA
2.040E-05
2.740E-05
1.OOOE-10
8. OOOE-05
8.010E-06
1.160E-03
8. O1OE-06
1.160E-03
8. O1OE-06
1.160E-03
8.010E-06
1.160E-03
8. OOOE-05
0.00OE+00
0.OOOE+00
0.00OE+00
0.OOOE+00
0.00OE+00
o.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.00OE+00
0.OOOE+00
o.OOOE+00
o.OOOE+00
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
0.OOOE+00 2.04E-05 0.OOE+00-- SPURIOUS FAILURE OF ACTUATION LOGIC GROUP # (PM#MSD2#)
SPURIOUS FAILURE OF INPUT GROU P # (PM#MSD3#)
XS SPURIOUS FAILURE OF OUTPUT LOG IC GROUP SELECTOR (P##XSOOABA)
XS FAILURE OF OUTPUT LOGIC GROUP
SELECTOR (P##XSOOASA)
03 LOGIC GROUP PROCESSING SPURIOU S FAILURE (###030##BA)
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
03 LOGIC GROUP PROCESSING SPURIOU S FAILURE (###030##BA)
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
03 LOGIC GROUP PROCESSING SPURIOU S FAILURE (###030##BA)
03 LOGIC GROUP PROCESSING FAILURE
UPON DEMAND (###030##SA)
03 LOGIC GROUP PROCESSING SPURIOU S FAILURE (###030##BA)
03 LOGIC GROUP PROCESSING FAILURE UPON DEMAND (###030##SA)
EH FAILURE OF MUX TRANSMITTER FAI LURE TO GROUP ## (P##EHO##SA)
2.74E-05
1.O0E-10
8.00E-05
8. 01E-06
1. 16E-03
8. 01E-06
1.16E-03
8. 01E-06
1.16E-03
8.01E-06
1.16E-03
8.00E-05
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0. OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
28-101
Revision 1
FT IDENT
0.OOOE+00
0.00OE+00
0.00OE+00
0.OOOE+00
0.00OE+00
0.000E+00
0.0O0E+00
0.00OE+00
O.O00E+00
0.00OE+00
0.0OOE+00
0.00OE+00
28-101 Revision 1
28. Plant Control System AP1000 Probabilistic Risk Assessment
Table 28-10 (Sheet 41 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
COMP FAILURE MODE
PMDEHOA2SA
PMDMOD11
PMDMOD12
PMDMOD21
PMDMOD22
PMDMOD34
PMDMOD41
PMDMOD42
PMDMSDII
PMDMSD12
PMDMSD21
PMDMSD22
PMDMSD34
FAIL RATE VARIANCE SOURCE TIME
EH FAILURE OF MUX TRANSMITTER FAI LURE TO GROUP ## (P##EHO##SA)
FAILURE OF OUTPUT LOGIC GROUP # I/O (P##MODI#)
FAILURE OF OUTPUT LOGIC GROUP # I/O (P##MODI#)
FAILURE OF ACTUATION LOGIC GRO UP # (PM#MOD2#)
FAILURE OF ACTUATION LOGIC GRO UP # (PMtMOD2#)
FAILURE OF INPUT GROUP # (P##M OD3#)
FAILURE OF MUX LOGIC GROUP #I P##MOD4#)
FAILURE OF MUX LOGIC GROUP #I P##MOD4#)
SPURIOUS FAILURE OF OUTPUT LOG IC GROUP # I/O (PM#MSD1I#)
SPURIOUS FAILURE OF OUTPUT LOG IC GROUP # I/O (PM#MSD1I#)
SPURIOUS FAILURE OF ACTUATION LOGIC GROUP # (PM#MSD2#)
SPURIOUS FAILURE OF ACTUATION LOGIC GROUP # (PM#MSD2#)
SPURIOUS FAILURE OF INPUT GROU P # (PM#MSD3#)
8.OOOE-05
2. 090E-03
2.090E-03
4.070E-03
4.070E-03
5. 020E-03
6. 350E-04
6.350E-04
8.400E-06
8. 400E-06
2.040E-05
2.040E-05
2 .740E-05
0.OOOE+00
0.OOOE+00
0.000E+00
0. 000E+00
0.000E+00
0 OOOE+00
0 OOOE+00
0 .000E+00
0. 000E+00
0 OOOE+00
0. OOOE+00
0 OOOE+00
0 OOOE+00
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
28-102
C
FT IDENT
0.000E+00
0.000E+00
0.000E+00
0.000E+00
0.OOOE+00
0.000E+00
0.000E+00
0.000E+00
0.OOOE+00
0.000E+00
0.000E+00
0.000E+00
0.OOOE+00
Revision 1
(N.,(
AP1000 Probabilistic Risk Assessment
PROBABILITY
8.OOE-05
2.09E-03
2.09E-03
4.07E-03
4.07E-03
5. 02E-03
6.35E-04
6.35E-04
8.40E-06
8.40E-06
2.04E-05
2. 04E-05
2. 74E-05
VARIANCE
0.OOE+00
o.OOE+00
o.OOE+00
0.OOE+00
0.00E+00
o .OE+00
o .00E+00
0. 00E+00
o .OOE+00
0.OOE+00
0.00E+00
0.OOE+00
o. 00E+00
28. Plant Control System AP1000 Probabilistic Risk Assessment
Table 28-10 (Sheet 42 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
FT IDENT COMP FAILURE MODE FAIL RATE VARIANCE SOURCE TIME PROBABILITY VARIANCE
PMDXSOOABA XS SPURIOUS FAILURE OF OUTPUT LOG 1.000E-10 O.OOOE+00 PMS O.OOOE+00 1.OOE-10 O.OOE+00 IC GROUP SELECTOR (P##XSCOABA)
PMDXSOOASA XS FAILURE OF OUTPUT LOGIC GROUP 8.OOOE-05 O.OOOE+00 PMS O.OOOE+00 8.OOE-05 0.OOE+00 SELECTOR (P##XSOOASA)
PRCEP101SA EP FAILURE OF THE POWER INTERFACE 1.710E-04 0.OOCE+00 PMS 0.OOOE+00 1.71E-04 0.OOE+00 BOARD (###EP####SA)
PRCEP108SA EP FAILURE OF THE POWER INTERFACE 1.710E-04 0.000E+00 PMS 0.OOOE+00 1.71E-04 0.OOE+00 BOARD (###EP####SA)
PRDEP101SA EP FAILURE OF THE POWER INTERFACE 1.710E-04 0.OOOE+00 PMS 0.OOOE+00 1.71E-04 0.OOE+00 BOARD (###EP####SA)
PRDEP108SA EP FAILURE OF THE POWER INTERFACE 1.710E-04 0.OOOE+00 PMS 0.OOOE+00 1.71E-04 0.OOE+00 BOARD (###EP####SA)
PRN-MAN01 XX PROBABILITY FOR SUB- BASIC EVE 1.OOOE-01 0.OOOE+00 SUB- O.OOOE+00 1.00E-01 0.OOE+00 NTS
PRN-MAN02 XX PROBABILITY FOR SUB- BASIC EVE 1.OOOE-01 0.OOOE+00 SUB- 0.COOE+00 1.OOE-01 0.OOE+00 NTS
PXAVS011BA VS SPURIOUS FAILURE OF LEVEL SWIT 2.320E-06 0.OOOE+00 PMS O.OOOE+00 2.32E-06 0.OOE+00 CH (###VS###BA)
PXAVS011UF VS FAILURE OF LEVEL SWITCH (###VS 1.OOOE-03 0.OOOE+00 PMS 0.OOOE+00 1.OOE-03 0.OOE+00 ###UF)
PXAVS013BA VS SPURIOUS FAILURE OF LEVEL SWIT 2.320E-06 0.000E+00 PMS 0.OOOE+00 2.32E-06 0.00E+00 CH (###VS###BA)
PXAVS013UF VS FAILURE OF LEVEL SWITCH (###VS 1.000E-03 0.OOOE+00 PMS 0.OOOE+00 1.00E-03 0.00E+00 ###UF)
PXAVS015BA VS SPURIOUS FAILURE OF LEVEL SWIT 2.320E-06 0.000E+00 PMS 0.OOOE+00 2.32E-06 0.00E+00 CH (###VS###BA)
28-103 Revision 1
28. Plant Control System API000 Probabilistic Risk Assessment
Table 28-10 (Sheet 43 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
COMP FAILURE MODE
PXAVS015UF
PXAVS017BA
PXAVS017UF
PXBVS012BA
PXBVS012UF
PXBVS014BA
PXBVS014UF
PXBVS016BA
PXBVS016UF
PXBVS018BA
PXBVS018UF
RClOR195SP
RCITLI95UF
FAIL RATE VARIANCE SO[uRCE TIME
VS FAILURE OF LEVEL ###UF)
VS SPURIOUS FAILURE CH (###VS###BA)
VS FAILURE OF LEVEL ###UF)
VS SPURIOUS FAILURE CH (###VS###BA)
VS FAILURE OF LEVEL ###UF)
VS SPURIOUS FAILURE CH (###VS###BA)
VS FAILURE OF LEVEL ###UF)
VS SPURIOUS FAILURE CH (###VS###BA)
VS FAILURE OF LEVEL ##UUF)
VS SPURIOUS FAILURE CH (###VS###BA)
VS FAILURE OF LEVEL ###UF)
OR FAILURE OF ORIFI( ###OR###SP)
TL LEVEL TRANSMITTEJ TL###UF)
FT IDENT
SWITCH (###VS
OF LEVEL SWIT
SWITCH (###VS
OF LEVEL SWIT
SWITCH (###VS
OF LEVEL SWIT
SWITCH (###VS
OF LEVEL SWIT
SWITCH (###VS
OF LEVEL SWIT
SWITCH (###VS
CE - PLUGGED (
R FAILURE (###
1.OOOE-03
2 .320E-06
1.000E-03
2.320E-06
1. OOOE-03
2.320E-06
1.OOOE-03
2.320E-06
1.OOOE-03
2.320E-06
1. OOOE-03
7 .220E-03
5.230E-03
0.000E+00
0.000E+00
0.000E+00
0.000E+00
0.OOOE+00
0.OOOE+00
0.00OE+00
0.000E+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
0 OOOE+00
0 OOOE+00
0 OOOE+00
0. OOOEi-00
0. 00OE+00
0 OOOE+00
0. 00E+00
0. OOOE+00
0 OOOE+00
0 OOOE+00
0. OOOE+00
0 OOOE+00
0. OOOE+00
COMP FAILURE MODE FAIL RATE VARIANCE SOURCE TIME
Revision I
C28-104
K.
PROBABILITY
1.OOE-03
2.32E-06
1.OOE-03
2.32E-06
1.OOE-03
2.32E-06
1.OOE-03
2.32E-06
1.OOE-03
2.32E-06
1.OOE-03
7.22E-03
5.23E-03
VARIANCE
0.OOE+00
0.0OE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.0OE+00
0.OOE+00
0 OOE+00
(' (728. Plant Control System
(7AP1000 Probabilistic Risk Assessment
Table 28-10 (Sheet 44 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
COMP FAILURE MODE FAIL RATE VARIANCE SOuIRCE TIME
RC20R196SP
RC2TLl96UF
RC30RI97SP
RC3TL197UF
RC40RI98SP
RC4TL198UF
RCATE211UF
RCATE212UF
RCATE213UF
RCATE214UF
RCATE215UF
RCATE221UF
RCATE225UF
OR FAILURE OF ORIFICE - PLUGGED ###OR###SP)
TL LEVEL TRANSMITTER FAILURE (### TL###UF)
OR FAILURE OF ORIFICE - PLUGGED ###OR###SP)
TL LEVEL TRANSMITTER FAILURE (### TL###UF)
OR FAILURE OF ORIFICE - PLUGGED ###OR###SP)
TL LEVEL TRANSMITTER FAILURE (### TL###UF)
TE FAILURE OF TEMPERATURE ELEMENT (###TE###UF)
TE FAILURE OF TEMPERATURE ELEMENT C###TE###UF)
TE FAILURE OF TEMPERATURE ELEMENT (###TE###UF)
TE FAILURE OF TEMPERATURE ELEMENT ###TE###UF
TE FAILURE OF TEMPERATURE ELEMENT (###TE###UF)
TE FAILURE OF TEMPERATURE ELEMENT (###TE###UF)
TE FAILURE OF TEMPERATURE ELEMENT (###TE###UF)
7.220E-03
5.230E-03
7.220E-03
5.230E-03
7.220E-03
5.230E-03
3. 060E-03
3 .060E-03
3. 060E-03
3. 060E-03
3.060E-03
3.060E-03
3.060E-03
o.OOOE+00
o.OCOE+00
O.OOOE+00
o.OOOE+00
o.OOOE+00
0.OOOE+00
O.OOOE+00
0. OOE+00
0.000E+00
o.OOOE+00
o.OOOE+00
0.OOOE+00
o.OOOE+00
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
28- 105
Revision 1
FT IDENT 1• RORA T T,T TV" VYARTAN'
O.OOOE+00 7.22E-03 O.OOE+00
O.OOOE+00 5.23E-03 O.OOE+00
O.OOOE+00 7.22E-03 O.OOE+00
O.OOOE+00 5.23E-03 O.OOE+00
O.OOOE+00 7.22E-03 O.OOE+00
O.OOOE+00 5.23E-03 O.OOE+00
O.OOOE+00 3.06E-03 O.OOE+00
O.OOOE+00 3.06E-03 O.OOE+00
O.OOOE+00 3.06E-03 O.OOE+00
O.OOOE+00 3.06E-03 O.OOE÷00
O.OOOE+00 3.06E-03 O.OOE+00
O.OOOE+00 3.06E-03 O.OOE+00
O.OOOE+00 3.06E-03 O.OOE+00
FT IDENT COMP FAILURE MODE FAIL RATE VARIANCE SOURCE TIME PROBABILITY VARIANCE
28-105 Revision I
28. Plant Control System AP1000 Probabilistic Risk Assessment
Table 28-10 (Sheet 45 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
COMP FAILURE MODE
TE FAILURE OF TEMPERATURE (###TE###UF)
TE FAILURE OF TEMPERATURE (###TE###UF)
TE FAILURE OF TEMPERATURE (###TE###UF)
TE FAILURE OF TEMPERATURE (###TE###UF)
TE FAILURE OF TEMPERATURE (###TE###UF)
TE FAILURE OF TEMPERATURE (###TE###UF)
TE FAILURE OF TEMPERATURE (###TE###UF)
TE FAILURE OF TEMPERATURE (###TE###UF)
TE FAILURE OF TEMPERATURE
(###TE###UF)
TE FAILURE OF TEMPERATURE (###TE###UF)
TE FAILURE OF TEMPERATURE (###TE###UF)
TE FAILURE OF TEMPERATURE
(###TE###UF)
FAIL RATE VARIANCE SOURCE TIME
ELEMENT
ELEMENT
ELEMENT
ELEMENT
ELEMENT
ELEMENT
ELEMENT
ELEMENT
ELEMENT
ELEMENT
ELEMENT
ELEMENT
RCBTE211UF
RCBTE212UF
RCBTE216UF
RCBTE222UF
RCBTE226UF
RCCTE213UF
RCCTE217UF
RCCTE223UF
RCCTE227UF
RCDTE214UF
RCDTE218UF
RCDTE224UF
RCDTE228UF
3. 060E-03
3. 060E-03
3.060E-03
3.060E-03
3.060E-03
3.060E-03
3. 060E-03
3. 060E-03
3.060E-03
3.060E-03
3. 060E-03
3.060E-03
o.OOOE+00
o.OOOE+00
0. OOOE+00
o.OOOE+00
o.OOOE+00
0.OOOE+00
0.OOOE+00
0. OOOE+00
o.OOOE+00
o.OOOE+00
0 . OOOE+00
O . OOOE+O0
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
3.060E-03 O.OOOE+00 PMS
o.OOOE+00
0.00OE+00
0.OOOE+00
0.OOOE+00
o.OOOE+00
0.OOOE+00
o.OOOE+00
o.OOOE+00
0.00OE+00
O.OOOE+O0
0.00OE+00
o.OOOE+00
FT IDENT PROBABILITY
3.06E-03
3.06E-03
3.06E-03
3.06E-03
3.06E-03
3.06E-03
3.06E-03
3.06E-03
3.06E-03
3.06E-03
3.06E-03
3.06E-03
O.OOOE+00 3.06E-03 O.OOE+00
28-106
VARIANCE
o.OOE+00
o.OOE+00
0.OOE+00
O.OOE+00
O.OOE+O0
O.OOE+O0
o.OOE+00
o.OOE+00
o.OOE+00
O.OOE+00
o.OOE+00
O.OOE+00
TE FAILURE OF TEMPERATURE ELEMENT (###TE###UF)
K'
Revision 1
K
( (i 28. Plant Control System AP1000 Probabilistic Risk Assessment
Table 28-10 (Sheet 46 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
FT IDENT COMP FAILURE MODE FAIL RATE VARIANCE SOURCE TIME PROBABILITY VARIANCE
RCN-MAN01 XX PROBABILITY FOR SUB- BASIC EVE 1.OOOE-01 O.OOOE+00 SUB- O.OOOE+00 1.OOE-01 O.OOE+00
NTS
RCNTP191UF TP FAILURE OF PRESSURE TRANSMITTE 5.230E-03 O.OOOE+00 PMS O.OOOE+00 5.23E-03 O.OOE+00
R (###TP###UF)
RCNTP192UF TP FAILURE OF PRESSURE TRANSMITTE 5.230E-03 O.OOOE+00 PMS O.OOOE+00 5.23E-03 O.OOE+00
R (###TP###UF)
RCNTP193UF TP FAILURE OF PRESSURE TRANSMITTE 5.230E-03 O.OOOE+00 PMS O.OOOE+00 5.23E-03 O.OOE+00
R (###TP###UF)
RCNTP194UF TP FAILURE OF PRESSURE TRANSMITTE 5.230E-03 O.OOOE+00 PMS O.OOOE+00 5.23E-03 O.OOE+00 R (###TP###UF)
RCNTP195UF TP FAILURE OF PRESSURE TRANSMITTE 5.230E-03 O.OOOE+00 PMS O.OOOE+00 5.23E-03 O.OOE+00 R (###TP###UF)
RCNTP196UF TP FAILURE OF PRESSURE TRANSMITTE 5.230E-03 0.OOOE+00 PMS O.OOOE+00 5.23E-03 O.OOE+00
R (###TP###UF)
RCNTP197UF TP FAILURE OF PRESSURE TRANSMITTE 5.230E-03 O.OOOE+00 PMS O.OOOE+00 5.23E-03 O.OOE+00 R (###TP###UF)
RCNTP198UF TP FAILURE OF PRESSURE TRANSMITTE 5.230E-03 O.OOOE+00 PMS O.OOOE+00 5.23E-03 O.OOE+00 R (###TP###UF)
REC-MANDAS XX PROBABILITY FOR SUB- BASIC EVE 1.OOOE-01 O.OOOE+00 SUB- O.OOOE+00 1.OOE-01 O.OOE+00
NTS
REN-MAN02 XX PROBABILITY FOR SUB- BASIC EVE 1.OOOE-01 O.OOOE+00 SUB- O.OOOE+00 1.00E-01 O.OOE+00 NTS
REN-MAN03 XX PROBABILITY FOR SUB- BASIC EVE 1.OOOE-01 O.OOOE+00 SUB- O.OOOE+00 1.OOE-01 O.OOE+00 NTS
REN-MAN04 XX PROBABILITY FOR SUB- BASIC EVE 1.OOOE-01 O.OOOE+00 SUB- O.OOOE+00 1.OOE-01 O.OOE+00 NTS
Revision 128-107
28. Plant Control System AP1000 Probabilistic Risk Assessment
Table 28-10 (Sheet 47 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
"rm TfnlVMT
RNAEP01ASA
RNAEP01BSA
RNAEP022SA
RNAEPRNPSA
RNBEP011SA
RNDEP023SA
ROD-CTRL-SYS
RPAEP051SA
RPAEP053SA
RPBEP052SA
RPBEP054SA
RPCEP061SA
RPCEP063SA
C'fMP rATT.TI• Mnnr
EP FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
EP FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
EP FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
EP FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
EP FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
EP FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
-- ROD CONTROL SYSTEM FAILURE TO STEP IN RODS (ROD-CTRL-SYS)
EP FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
EP FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
EP FAILURE OF THE POWER INTERFACE
BOARD (###EP####SA)
EP FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
EP FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
EP FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
rAfT. DAq'r IIAPTANTC'P CflTiDfllT m�ur
1.710E-04
1.710E-04
1.710E-04
1. 710E-04
1.710E-04
1.710E-04
6. 600E-04
1.710E-04
1.710E-04
1.710E-04
1.710E-04
1.710E-04
1.710E-04
0. 000E00
0. 000E+00
0. 000E+00
0. OOOE+00
0. 000E+00
0 OOOE+00
0. 000E+00
0. 000E+00
0 OOOE+00
0. 000E+00
0.000E+00
0. 000E+00
0.000E+00
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
0.000E+00
0.000E+00
0.000E+00
0.OOOE+00
0.OOOE*00
0.000E+00
0.000E+00
0.000E+00
0.000E÷00
0.000E+00
0.000E+00
0.000E+00
0.000E+00
28-108
(
FT IDENT COMP FAILURE MODE FAIL RATE 11 AD T A NTf'V QnTIDýv MTMV
Revision 1
PROBABILITY
1. 71E-04
1. 71E-04
1. 71E-04
1. 71E-04
1. 71E-04
1 .71E-04
6. 60E-04
1 .71E-04
1. 71E-04
1. 71E-04
1. 71E-04
1. 71E-04
1. 71E-04
VARIANCE
o .OOE+00
o .OOE+00
o .OOE+00
o .OOE+00
o .OOE+00
o .OOE+00
o .OOE+00
o .OOE+00
o .OOE+00
o .OOE+00
0.OOE+00
o .OOE+00
o .OOE+00
t/
(
28. Plant Control System
(AP1000 Probabilistic Risk Assessment
Table 28-10 (Sheet 48 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
COMP FAILURE MODE FAIL RATE VARIANCE SOURCE TIME PROBABILITY VARIANCE
RPDEP062SA
RPDEP064SA
S-SIG-SENSi-FAIL
S-SIG-SENS2-FAIL
S-SIG-SENS3-FAIL
S-SIG-SENS4-FAIL
SDAS
SF3EU067A1SA
SF3EU067A2SA
SF3EU067B1SA
SF3EU067B2SA
SF3EU255A1SA
SF3EU255A2SA
EP FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
EP FAILURE OF THE POWER INTERFACE
BOARD (###EP####SA)
S-SIGNAL SENSOR FAILURE (S-SIG -SENS#-FAIL)
S-SIGNAL SENSOR FAILURE (S-SIG -SENS#-FAIL)
S-SIGNAL SENSOR FAILURE (S-SIG -SENS#-FAIL)
S-SIGNAL SENSOR FAILURE (S-SIG -SENS#-FAIL)
SPURIOUS FAILURE OF DAS (1.OOE -00) PMS (SDAS)
EU FAILURE OF THE ANALOG OUTPUT B OARD (###EU###SA)
EU FAILURE OF THE ANALOG OUTPUT B OARD (###EU###SA)
EU FAILURE OF THE ANALOG OUTPUT B OARD (###EU###SA)
EU FAILURE OF THE ANALOG OUTPUT B OARD (###EU###SA)
EU FAILURE OF THE ANALOG OUTPUT B OARD (###EU###SA)
EU FAILURE OF THE ANALOG OUTPUT B OARD (###EU###SA)
1.710E-04
1.710E-04
1.OOOE-06
1.OOOE-06
1.00OE-06
1.OOOE-06
1.OOOE-08
6.420E-05
6.420E-05
6.420E-05
6.420E-05
6.420E-05
6.420E-05
o.OOOE+00
0.OOOE+00
0.OOOE+00
o.OOOE+00
o.OOOE+00
0. OOOE+00
o.OOOE+00
0.00OE+00
0.00OE+00
0.OOOE+00
o.000E+00
0.000E+00
0. 00OE+00
0.OOOE+00 1.71E-04 0.OOE+00PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
1.71E-04
1.O0E-06
1.OOE-06
1.OOE-06
1.O0E-06
1.OOE-08
6.42E-05
6.42E-05
6.42E-05
6.42E-05
6.42E-05
6.42E-05
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
28-109
Revision 1
FT IDENT
0.000E+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.000E+00
0.00OE+00
o.000E+00
0.OOOEE+00
0.00OE+00
0.OOOE+00
0.000E+00
28-109 Revision 1
28. Plant Control System APIOO0 Proabailistic Risk Assp•cmpnt
Table 28-10 (Sheet 49 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
FT IDENT
SF3EU255B1SA
SF3EU255B2SA
SFBEATF50B1SA
SFBEATF50B2SA
SFBEATF51B1SA
SFBEATF51B2SA
SFBEP010SA
SFBEP013ASA
SFBEP013BSA
SFBEP028SA
SFBEPSFPASA
SFBEPSFPBSA
COMP FAILURE MODE
EU FAILURE OF THE ANALOG OUTPUT B
EU
EA
EA
EA
EA
EP
EP
EP
EP
EP
EP
OARD (###EU###SA)
FAILURE OF THE ANALOG OUTPUT B OARD (###EU###SA)
FAILURE OF THE ANALOG INPUT BO ARD (###EA####SA)
FAILURE OF THE ANALOG INPUT BO ARD (###EA####SA)
FAILURE OF THE ANALOG INPUT BO ARD (###EA####SA)
FAILURE OF THE ANALOG INPUT BO ARD (###EA####SA)
FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
WATT. WATF \IAPTATK!CW•T cnTrrnrr
6.420E-05
6.420E-05
2.510E-04
2.510E-04
2 .510E-04
2.510E-04
1.710E-04
1.710E-04
1.710E-04
1.710E-04
1.710E-04
1.710E-04
O.OOOE+00
0 . OOOE+00
0. 000E+00
o .OOOE+00
0. 00E+00
o. 000E00
o .OOOE+00
0.000E+00
0. OOOE+00
0.OOOE+00
0 .OOOE+00
o.OOOE+00
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
OR FAILURE OF ORIFICE - PLUGGED ###OR###SP)
7.220E-03 0.OOOE+00 PMS 0.OOOE+00 7.22E-03 0.OOE+00
28-110
((¾
o.000E+00
0.000E+00
0.000E+00
0. 000E+00
0.000E+00
o.OOOE+00
o.000E+00
o.000E+00
o.OOOE+00
o.OOOE+00
o.OOOE+00
o.OOOE+00
COMP FAILURE MODE FAIL RATE VARIANCE cOURCE IPTMV
SG1ORO01SP
Revision 1
Q
~~A 10 ...... ........... Ris Assess entl
•TM• PROBABILITY
6.42E-05
6.42E-05
2.51E-04
2.51E-04
2. 51E-04
2. 51E-04
1. 71E-04
1. 71E-04
1. 71E-04
1. 71E-04
1.71E-04
1.71E-04
VARIANCE
0. 00E+00
o .OOE+00
o .OOE+00
o .OE+00
0 OOE+00
o .OOE+00
o .OOE+00
o .OOE+00
o .OOE+00
o.OOE+00
O.OOE+0O
o. OOE+0O
( 28. Plant Control System API000 Probabilistic Risk Assessment
Table 28-10 (Sheet 50 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
COMP FAILURE MODE FAIL RATE VARIANCE SOURCE TIME
OR FAILURE OF ORIFICE - PLUGGED###OR###SP)
FAILURE OF ORIFICE ###OR###SP)
FAILURE OF ORIFICE ###OR###SP)
FAILURE OF ORIFICE ###OR###SP)
FAILURE OF ORIFICE ###OR###SP)
FAILURE OF ORIFICE ###OR###SP)
FAILURE OF ORIFICE ###OR###SP)
FAILURE OF ORIFICE ###OR###SP)
FAILURE OF ORIFICE ###OR###SP)
FAILURE OF ORIFICE ###OR###SP)
PLUGGED
PLUGGED
PLUGGED
PLUGGED
PLUGGED
PLUGGED
PLUGGED
PLUGGED
PLUGGED
SGIOR002SP
SG1ORO03SP
SG1OR004SP
SGIORO11SP
SG1ORO12SP
SG1ORO15SP
SG1ORO16SP
SG1OR030SP
SG1OR031SP
SGIOR032SP
SG1OR033SP
SGlTF055ARI
SGlTF055BRI TF FLOW TRANSMITTER FAILURE (###T F###RI)
7.220E-03
7.220E-03
7 .220E-03
7.220E-03
7.220E-03
7.220E-03
7.220E-03
7.220E-03
7.220E-03
7.220E-03
7.220E-03
5.230E-03
0.000E+00
o.OOOE+00
0.000E+00
0.000E+00
0.00OE+00
0.000E+00
O.OOOE+00
O.OOOE+00
o.OOOE+00
O.OOOE+00
0.00OE+00
0.OOOE+00
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
5.230E-03 O.000E+00 PMS
0.000E+00 7.22E-03 0.00E+00
0.00OE+00
O.OOOE+00
0.000E+00
0.OOOE+00
0.000E+00
0.000+E00
O.OOOE+00
O.OOOE+00
0.000E+00
0.000E+00
O0.00E+00
7.22E-03
7.22E-03
7.22E-03
7.22E-03
7.22E-03
7.22E-03
7.22E-03
7.22E-03
7.22E-03
7.22E-03
5.23E-03
0.OOE+00
o.00E+00
O.OOE+00
O.OOE+00
O.00E+00
O.OOE+00
O.OOE+00
O.OOE+00
O.00E+00
O.OOE+00
o.OOE+00
0.000E+00 5.23E-03 0.OOE+00
28-111
Revision 1
FT IDENT PROBABILITY VARIANCE
OR
OR
OR
OR
OR
OR
OR
OR
OR
OR
TF
FAILURE OF ORIFICE - PLUGGED ###OR###SP)
FLOW TRANSMITTER FAILURE (###T F###RI)
FT IDENT
28-111 Revision 1
28. Plant Control System APIOOO Probabilistic Risk Assess•ment
Table 28-10 (Sheet 51 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
COMP FAILURE MODE
SGITF51ARI
SGITF51BUF
SGITL001UF
SGlTLO02UF
SGITLO03UF
SGlTLO04UF
SGITL011UF
SGlTLO12UF
SGITLO15UF
SGlTLO16UF
SGlTP030UF
SG1TP031UF
SGlTP032UF
FAIL RATE VARIANCE SOEIRCE. TTMF
5.230E-03
5.230E-03
5.230E-03
5.230E-03
5.230E-03
5.230E-03
5.230E-03
5.230E-03
5.230E-03
5.230E-03
5.230E-03
5.230E-03
o.OOOE+00
0.OOOE+00
o.OOOE+00
o.OOOE+00
0. 000E-00
0. OOOE+00
o.OOOE+00
0 . OOOE+00
o.OOOE+00
0. OOOE+00
0. 0dE+00
o.000E+00
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
TF FLOW TRANSMITTER FAILURE (###T F###RI)
TF FLOW TRANSMITTER FAILURE (###T F###RI)
TL LEVEL TRANSMITTER FAILURE (### TL###UF)
TL LEVEL TRANSMITTER FAILURE (### TL###UF)
TL LEVEL TRANSMITTER FAILURE (### TL###UF)
TL LEVEL TRANSMITTER FAILURE (### TL###UF)
TL LEVEL TRANSMITTER FAILURE (### TL###UF)
TL LEVEL TRANSMITTER FAILURE (### TL###UF)
TL LEVEL TRANSMITTER FAILURE (### TL###UF)
TL LEVEL TRANSMITTER FAILURE (### TL###UF)
TP FAILURE OF PRESSURE TRANSMITTE R (###TP###UF)
TP FAILURE OF PRESSURE TRANSMITTE R (###TP###UF)
TP FAILURE OF PRESSURE TRANSMITTE R (###TP###UF)
0.00OE+00
o.OOOE+00
o.OOOE+00
0.OOOE+00
o.OOOE+00
O.OOOE+00
0.000E+00
o.000E+00
0.OOOE+00
0.00OE+00
FT IDENTFAIL RATE VARIANCE SOURCE TIME
0.000E+00 5.23E-03 0.OOE+00
28-112
C'
5.230E-03 0.000E+00 PMS
(Revision 1
(.
AP1000 Probabilistic Risk Assessment
PROBABILITY
5.23E-03
5.23E-03
5.23E-03
5.23E-03
5.23E-03
5.23E-03
5.23E-03
5.23E-03
5.23E-03
5.23E-03
5.23E-03
5.23E-03
VARIANCE
o.OOE+00
0.00E+00
0.OOE+00
o.OOE+00
O.OOE+00
o.OOE+00
O.OOE+00
0.OOE+00
o.OOE+00
o.OOE+00
0.OOE+00
o.OOE+00
28. Plant Control System AP1000 Probabilistic Risk Assessment
Table 28-10 (Sheet 52 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
FT IDENT COMP FAILURE MODE FAIL RATE VARIANCE SOURCE TIME PROBABILITY VARIANCE
SGlTP033UF TP FAILURE OF PRESSURE TRANSMITTE 5.230E-03 C.OOOE+00 PMS 0.OOOE+00 5.23E-03 0.OOE+00 R (###TP###UF)
SG2OROO5SP OR FAILURE OF ORIFICE - PLUGGED 7.220E-03 0.OOOE+00 PMS 0.OOOE+00 7.22E-03 0.00E+00 ###OR###SP)
SG2ORO06SP OR FAILURE OF ORIFICE - PLUGGED 7.220E-03 0.OOOE+00 PMS O.OOOE+00 7.22E-03 O.COE+00
###OR###SP)
SG2ORO07SP OR FAILURE OF ORIFICE - PLUGGED 7.220E-03 O.OCOE+00 PMS 0.OOOE+00 7.22E-03 0.OOE+00 ###OR###SP)
SG2OROO8SP OR FAILURE OF ORIFICE - PLUGGED 7.220E-03 0.OOOE+00 PMS O.OOOE+00 7.22E-03 0.OOE+00 ###OR###SP)
SG2ORO13SP OR FAILURE OF ORIFICE - PLUGGED 7.220E-03 0.OOOE+00 PMS 0.OOOE+00 7.22E-03 0.OOE+00 ###OR###SP)
SG2ORO14SP OR FAILURE OF ORIFICE - PLUGGED 7.220E-03 0.OOOE+00 PMS O.OOOE+00 7.22E-03 0.OOE+00 ###OR###SP)
SG2ORO17SP OR FAILURE OF ORIFICE - PLUGGED 7.220E-03 0.OOOE+00 PMS 0.OOOE+00 7.22E-03 0.00E+00 ###OR###SP)
SG20R018SP OR FAILURE OF ORIFICE - PLUGGED 7.220E-03 0.000E+00 PMS 0.000E+00 7.22E-03 0.00E+00 ###OR###SP)
SG20R034SP OR FAILURE OF ORIFICE - PLUGGED 7.220E-03 0.000E+00 PMS 0.000E+00 7.22E-03 0.00E+00
###OR###SP)
SG20R035SP OR FAILURE OF ORIFICE - PLUGGED 7.220E-03 0.000E+00 PMS 0.000E+00 7.22E-03 0.00E+00 ###OR###SP)
SG2ORO36SP OR FAILURE OF ORIFICE - PLUGGED 7.220E-03 0.000E+00 PMS 0.OOOE+00 7.22E-03 0.00E+00 ###OR###SP)
SG20R037SP OR FAILURE OF ORIFICE - PLUGGED 7.220E-03 0.000E+00 PMS 0.000E+00 7.22E-03 0.00E+00 ###OR###SP)
Revision 128-113
28. Plant Control System AP1000 Probabilistic Risk Assessment
Table 28-10 (Sheet 53 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
CORP FAITTJIRF ROF'
TF FLOW TRANSMITTER FAILURE (###TSG2TF056ARI
SG2TF056BRI
SG2TF50ARI
SG2TF50BUF
SG2TLO05UF
SG2TLO06UF
SG2TLO07UF
SG2TL008UF
SG2TLO13UF
SG2TLO14UF
SG2TLO17UF
SG2TLO18UF
SG2TP034UF
F'ATT. OATP! X7APTAMCT? QflrTWflT' mTM1�
5.230E-03
5.230E-03
5.230E-03
5.230E-03
5 .230E-03
5.230E-03
5.230E-03
5.230E-03
5.230E-03
5.230E-03
5.230E-03
5.230E-03
5.230E-03
0.000E+00
0. OOOE+00
0.OOOE+00
0.OOOE+00
0.00OE+00
0.000E+00
0.OOOE+00
0.OOOE+00
0.00OE+00
0.00OE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
28-114
FT IDENT
F###RI)
FLOW TRANSMITTER FAILURE (###T F###RI)
FLOW TRANSMITTER FAILURE (###T F###RI)
FLOW TRANSMITTER FAILURE (###T F###RI)
LEVEL TRANSMITTER FAILURE (### TL###UF)
LEVEL TRANSMITTER FAILURE (### TL###UF)
LEVEL TRANSMITTER FAILURE (### TL###UF)
LEVEL TRANSMITTER FAILURE (### TL###UF)
LEVEL TRANSMITTER FAILURE (### TL###UF)
LEVEL TRANSMITTER FAILURE (### TL###UF)
LEVEL TRANSMITTER FAILURE (### TL###UF)
LEVEL TRANSMITTER FAILURE (### TL###UF)
FAILURE OF PRESSURE TRANSMITTE R (###TP###UF)
FT IDENT COMP FAILURE MODE FAIL RATE VARIANrv Qn"ur'ý 11-
Revision 1
(1
PROBABILITY
5.23E-03
5.23E-03
5.23E-03
5.23E-03
5.23E-03
5.23E-03
5.23E-03
5.23E-03
5.23E-03
5.23E-03
5.23E-03
5.23E-03
5.23E-03
VARIANCE
o.00E+00
0.OOE+00
0.OOE+00
0.00E+00
0.OOE+00
0.OOE+00
0 OOE+00
o .OOE+00
0. 00E+00
0. OOE+00
0 OOE+00
0. OOE+00
0. OOE+00
(1128. Plant Control System
Ki (AP1000 Probabilistic Risk Assessment
Table 28-10 (Sheet 54 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
CflMP FATTTT•R Mfll WFATT. 'RATWR XAR TAM]CW WflTT'RC T"RrTMF
TP FAILURE OF PRESSURE TRANSMITTER (###TP###UF)
FAILURE OF PRESSURE TRANSMITTE R (###TP###UF)
FAILURE OF PRESSURE TRANSMITTE R (###TP###UF)
FAILURE OF THE POWER INTERFACE
SG2TP035UF
SG2TP036UF
SG2TP037UF
SGAEP027BSA
SGAEP040BSA
SGAEP057BSA
SGAEP074BSA
SGAEP075BSA
SGBEP027BSA
SGBEP040BSA
SGBEP057BSA
SGBEP074BSA
SGBEP075BSA
TP
TP
EP
EP
EP
EP
EP
EP
EP
EP
EP
EP
5.230E-03
5.230E-03
5.230E-03
1.710E-04
1.710E-04
1.710E-04
1.710E-04
1.710E-04
1.710E-04
1.710E-04
1.710E-04
1.710E-04
1.710E-04
0.00OE+00
0. 000E+00
0.000E+00
0.000E+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0. OOE+00
0.000E+00
0.000E+00
O.000E+00
0.OOOE+00
o.OOOE+00
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
PMS
0.OOOE+00 5.23E-03 O.OOE+00
0.00OE+00
O.OOOE+00
0.00OE+00
O.OOOE+00
0.00OE+00
0.OOOE+00
O.O00OE+O0
O.OOOE+00
O.OOOE+00
0.OOOE+00
O.OOOE+00
a.OOOE+00
5.23E-03
5.23E-03
1.71E-04
1. 71E-04
1. 71E-04
1.71E-04
1.71E-04
1.71E-04
1. 71E-04
1.71E-04
1 .71E-04
1.71E-04
O. 00E+00
O .OOE00
O.OOE+00
0 OOE+00
0 OOE+00
O .OOE+00
O.OOE+00
0.OOE+00
0.OOE+00
O.OOE+00
0.OOE+00
O.OOE+00
28-1 15
Revision 1
WT TflN 'Pnflfl •,lT T.TTrV ¶JAfl T h1J�F
BOARD (###EP####SA)
FAILURE OF THE POWER BOARD C###EP####SA)
FAILURE OF THE POWER BOARD (###EP####SA)
FAILURE OF THE POWER BOARD (###EP####SA)
FAILURE OF THE POWER BOARD (###EP####SA)
FAILURE OF THE POWER BOARD (###EP####SA)
FAILURE OF THE POWER BOARD (###EP####SA)
FAILURE OF THE POWER BOARD (###EP####SA)
FAILURE OF THE POWER BOARD (###EP####SA)
FAILURE OF THE POWER BOARD (###EP####SA)
INTERFACE
INTERFACE
INTERFACE
INTERFACE
INTERFACE
INTERFACE
INTERFACE
INTERFACE
INTERFACE
FT IDENT COMP FAILURE MODE FAIL RATE VARIANCE SOURCE TIME PROBABILITY VARIANCE
28-115 Revision 1
28. Plant Control System AP1000 Probabilistic Risk Assessment
Table 28-10 (Sheet 55 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
('fMD •ATT.TTW• MflI
EP FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
SGCEP040BSA
SGCEP25OBSA
SGDEP040BSA
SGDEP250BSA
SGHL-MAN01
SUB-AESIPC
SUB-AESIPCB
SUB-AESIPCP
SUB-AESOUTA
SUB-AESOUTAB
SUB-AESOUTAP
SUB-AESOUTB
SUB-AESOUTBB
FAILURE OF THE POWER BOARD (###EP####SA)
FAILURE OF THE POWER BOARD (###EP####SA)
FAILURE OF THE POWER BOARD (###EP####SA)
PROBABILITY FOR SUBNTS
PROBABILITY FOR SUBNTS
PROBABILITY FOR SUBNTS
PROBABILITY FOR SUBNTS
PROBABILITY FOR SUBNTS
PROBABILITY FOR SUBNTS
PROBABILITY FOR SUBNTS
PROBABILITY FOR SUBNTS
PROBABILITY FOR SUBNTS
INTERFACE
INTERFACE
INTERFACE
BASIC EVE
BASIC EVE
BASIC EVE
BASIC EVE
BASIC EVE
BASIC EVE
BASIC EVE
BASIC EVE
BASIC EVE
"• ,T T. D, pam' , ¶TMP, '1•I Q(VlTD t"! 'PaTM•
1.710E-04
1.710E-04
1.710E-04
1.710E-04
1.OOOE-01
1.OOOE-01
1.OOOE-01
1.OOOE-01
1.OOOE-01
1. OOOE-01
1.OOOE-01
1. OOOE-01
1.OOOE-01
0.00OE+00
0.00OE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
PMS
PMS
PMS
PMS
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB-
0 OOOE+00
0 OOOE+00
0. OOOE+00
0 OOOE+00
0. 000E+00
0.OOOE+00
0. OOOE+00
0. OOOE+00
0. OOOE+00
0. OOOE+00
0. OOOE+00
0. OOOE+00
0. OOOE+00
28-116
•"1 TflVP
EP
EP
EP
xx
xx
xx
xx
xx
xx
xx
xx
xx
FT IDENT COMP FAILURE MODE VhTT. DATL' 17ADTAMOV Cn"DOV MTMV
Revision 1
Q
PROBABILITY
1.71E-04
1.71E-04
1.71E-04
1.71E-04
1.00E-01
1.00E-01
1.OOE-01
1.O0E-01
1.OOE-01
1.00E-01
1.OOE-01
1.OOE-01
1.OOE-01
VARIANCE
O.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
O.OOE+00
0.OOE+00
U.00E+00
(28. Plant Control System
(AP1000 Probabilistic Risk Assessment
Table 28-10 (Sheet 56 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
COMP FAILURE MODE FAIL RATE VARIANCE SOURCE TIME
SUB-AESOUTBP
SUB-AESOUTC
SUB-AESOUTCB
SUB-AESOUTCP
SUB-AESOUTD
SUB-AESOUTDB
SUB-AESOUTDP
SUB-APLC03
SUB-APLC03P
SUB-APLCC01
SUB-APLCC01B
SUB-APLCCO1P
SUB-APLCC02
XX PROBABILITY FORNTS
XX PROBABILITY NTS
XX PROBABILITY NTS
XX PROBABILITY NTS
XX PROBABILITY NTS
XX PROBABILITY NTS
XX PROBABILITY NTS
XX PROBABILITY NTS
XX PROBABILITY NTS
XX PROBABILITY NTS
XX PROBABILITY NTS
XX PROBABILITY NTS
XX PROBABILITY NTS
FOR
FOR
FOR
FOR
FOR
FOR
FOR
FOR
FOR
FOR
FOR
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB-
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
EVE
EVE
EVE
EVE
EVE
EVE
EVE
EVE
EVE
EVE
EVE
EVE
FOR SUB- BASIC EVE
1.OOOE-01
1.OOOE-01
1.OOOE-01
1.OOOE-01
1.OOOE-01
1.OOOE-01
1.OOOE-01
1.OOOE-01
1.OOOE-01
1.OOOE-01
1.OOOE-01
1.000E-01
O.OOOE+00
0.OOOE+00
o.OOOE+00
0. OOOE+00
o.OOOE+00
o.OOOE+00
0.00OE+00
o.OOOE+00
o.000E+00
o.000E+00
0. OOOE+00
0.000E+00
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB-
1.000E-01 0.000E+00 SUB-
o.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
o.000E+00
0.00OE+00
o.OOOE+00
O.000E+00
0. OOOE+OO
O.OOOE+O0 0. 000E+00
O.O00E+O0
O.O00OE+00
O.OOOE+00
1.OOE-01 O.OOE+00
1.OOE-01
1.OOE-01
1.OOE-01
1.00E-01
1.O0E-01
1.OQE-01
1.00E-01
1.OOE-01
1.OOE-01
1.OOE-01
1.OOE-01
1.OOE-01
0.OOE+O0
0.OOE+00
0.OOE+0O
0.OOE+00
o .OOE+00
O.OOE+OO
0.OOE+00
o.OOE+00
o.OOE+00
0.OOE+00
0.OOE+O0
0.OOE+00
Revision 1
FT IDENT PROBABILITY VARIANCE
(
28-117
28. Plant Control System AP1000 Probabilistic Risk Assessment
Table 28-10 (Sheet 57 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
COMP FAILURE MODE
XX PROBABILITY FOR SUB-NTS
SUB-APLCC02P
SUB-APLCC02Y
SUB-APLCC03
SUB-APLCC03P
SUB-APLIPC
SUB-APLIPCB
SUB-APLIPCP
SUB-APLL03
SUB-APLLOA
SUB-APLLOB
SUB-APLLOBP
SUB-APLLL01
SUB-APLLL01P
PROBABILITY NTS
PROBABILITY NTS
PROBABILITY NTS
PROBABILITY NTS
PROBABILITY NTS
PROBABILITY NTS
PROBABILITY NTS
PROBABILITY NTS
PROBABILITY NTS
PROBABILITY NTS
PROBABILITY NTS
PROBABILITY NTS
FOR SUB
FOR SUB
FOR SUB
FOR SUB
FOR SUB-
Xx
Xx
Xx
Xx
Xx
XX
XX
XX
Xx
xx
Xx
xx
SUB
SUB
SUB
SUB
SUB
SUB
SUB-
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
EVE
EVE
EVE
EVE
EVE
EVE
EVE
EVE
EVE
EVE
EVE
EVE
EVE
FAIL RATE VARIANCE SOURCE TIME
1.OOOE-01
1.OOOE-01
1.OOOE-01
1.00OE-01
1.000E-01
1.OOOE-01
1.OOOE-01
1.000E-01
1.OOOE-01
1.000E-01
1.0 00E-01
1.OOOE-01
1.000E-01
1,000E-01
0 OOOE+00
0.000E+00
0. OOOE00
0 OOOE+00
0 OOOE+00
0 OOOE+00
0.00OE+00
0.OOOE+00
0.OOOE+00
0,00OE+00
0.OOOE+00
0.OOOE+00
0.00OE+00
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB-
0.OOOE+00
0.000E+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
O.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.000E+00
28-118
(K(I"
FT IDENT
FOR
FOR
FOR
FOR
FOR
FOR
FOR
PROBABILITY
1.00E-01
1.00E-01
1.OOE-01
1.O0E-01
1.OQE-01
1.00E-01
1.00E-01
1.OCE-01
1.OCE-01
1.00E-01
1.00E-01
1.OOE-01
1.OOE-01
VARIANCE
O.OOE+00
O.OOE+00
o.OOE+00
O.00E+00
O.00E+00
0.OOE+00
0.00E+00
O.OOE+00
O.00E+00
0.OOE+00
o.00E+00
0.00E+00
O.OOE+00
Revision 1
C
( (28. Plant Control System
(AP1000 Probabilistic Risk Assessment
Table 28-10 (Sheet 58 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
CflMP FATT.tTPr MflflW rATr. RATF VARTA•fF •Tr•rr TTMF
XX PROBABILITY FORSUB-APLLL05B
SUB-APLLL06
SUB-APLLL07
SUB-APLLL07P
SUB-APLLL07Y
SUB-APLLL09
SUB-APLLL09P
SUB-APLLL09Y
SUB-APLLLOB
SUB-APLLLOBP
SUB-APLLLOD
SUB-APOADS83
SUB-BPOADS83
NTS
PROBABILITY NTS
PROBABILITY NTS
PROBABILITY NTS
PROBABILITY NTS
PROBABILITY NTS
PROBABILITY NTS
PROBABILITY NTS
PROBABILITY NTS
PROBABILITY NTS
PROBABILITY NTS
PROBABILITY NTS
PROBABILITY NTS
FOR
FOR
FOR
FOR
FOR
FOR
FOR
FOR
FOR
FOR
FOR
FOR
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB-
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
EVE
EVE
EVE
EVE
EVE
EVE
EVE
EVE
EVE
EVE
EVE
EVE
EVE
1.000E-01
1.0ODE-01
1. 00CE-01
1.CODE-01
1.CODE-01
1.OOE-01
1.OOOE-01
1.OC0E-01
1.O00E-01
1.CODE-01
1.0O0E-01
1.O00E-01
1.COOE-01
o.OOOE+00
0.0O0E+00
0.00E+÷00
0.000E+00
C.000E+00
o.000E+00
0.OO0E+00
0.000E+00
C.000E+00
o.000E+00
O.OOOE+C0
O.OD0E+O0
0.0O0E+00
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB-
O.OOE+00 1.00E-01 0.OE+00
0. 00E+00
0. 00E+00
.COOE+00
0. OOOE+00
o .00E+00
o .00E+00
0.O0OE+00
0.0O0E+00
0.000E+00
0. 000E+00
0.000E+00
0.CO0E+00
1.ODE-01
1.ODE-01
1.OOE-01
1.ODE-01
1.C0E-01
1.COE-01
1. OE-01
1.ODE-01
1. OE-01
1. 00E-01
1. OE-01
1. OE-01
C.00E+00
O.OOE+00
O.OOE+00
O.00E+00
0.00OE+00
O.COE+00
0. OE+00
0.C0E+00
C.OOE+00
0.OOE+00
C.00E+00
C.00E+00
28-1 19
Revision 1
FT TflFMT Pfl nl a nTT, T V lflflTAT'Jflr
xx
XX
xx
XX
xx
XX
XX
xx
XX
XX
XX
XX
Revision 1
FT IDENT COMP FAILURE MODE FAIL RATE VARIANCE SOURCE TIME PROBABILITY VARIANCE
28-119
28. Plant Control System AP1000 Probabilistic Risk Assessment
Table 28-10 (Sheet 59 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
FT IDENT
SUB-CCXSNRS1
SUB-CCXSNRS2
SUB-CPOADS83
SUB-DASSENS
SUB-DASSIND
SUB-DPOADS83
SUB-EAI1
SUB-EAI2
SUB-EA0I
SUB-EAO2
SUB-EDlEA1l
SUB-EDlEA1IB
SUB-EDlEA1iP
COMP FAILURE MODE
XX PROBABILITY FOR SUB-
XX
XX
XX
Xx
XX
XX
XX
XX
XX
XX
XX
Xx
NTS
PROBABILITY FOR SUBNTS
PROBABILITY FOR SUBNTS
PROBABILITY FOR SUBNTS
PROBABILITY FOR SUBNTS
PROBABILITY FOR SUBNTS
PROBABILITY FOR SUBNTS
PROBABILITY FOR SUBNTS
PROBABILITY FOR SUBNTS
PROBABILITY FOR SUBNTS
PROBABILITY FOR SUBNTS
PROBABILITY FOR SUBNTS
PROBABILITY FOR SUBNTS
FAIL RATE VARIANCE SOURCE TIME
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
EVE
EVE
EVE
EVE
EVE
EVE
EVE
EVE
EVE
EVE
EVE
EVE
EVE
1.OOOE-01
1.OOOE-01
1.OOOE-01
1.OOOE-01
1.OOOE-01
1.000E-01
1.000E-01
1.000E-01
1.000E-01
1.OOOE-01
1.OOOE-01
1.OOOE-01
1.000E-01
0.OOOE+00
0. 00OE+00
0. 00OE+00
0 OOOE+00
0 OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.00OE+00
0.OOOE+00
0.00OE+00
0.OOOE+00
0.OOOE+00
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB-
0. OOOE+00
0.000E+00
O.000E+00
O.OOOE+00
0. OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0 .OOOE+00
0 .OOOE+00
O.000E+00
O.OOOE+00
28-120
,
PROBABILITY
1. 00E-01
1. 00E-01
1.00E-01
1. OOE-01
1. OOE-01
1. 00E-01
1. 00E-01
1. 00E-01
1. 00E-01
1. 00E-01
1. 00E-01
1. 00E-01
1. 00E-01
VARIANCE
0.OOE+00
0. 00E+00
. 00E+00
o. 00E+00
0.00E+00
0.00E+00
o. 00E+00
. 00E+00
O.00E+00
. 00E+00
. 00E+00
o. 00E+00
o. 0E+00
Revision 1
/ (28. Plant Control System
(AP1000 Probabilistic Risk Assessment
Table 28-10 (Sheet 60 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
SUB-ED1EA2
SUB-ED1EA2P
SUB-ED2EAI1
SUB-ED2EA11B
SUB-ED2EA11P
SUB-ED2EA2
SUB-ED2EA2P
SUB-ED32HR
SUB-ED3EAI
SUB-ED3EAII
SUB-ED3EA1IB
SUB-ED3EA11P
SUB-ED3EA11Y
XX PROBABILITY FOR SUB-NTS
PROBABILITY FOR SUBNTS
PROBABILITY FOR SUBNTS
PROBABILITY FOR SUBNTS
PROBABILITY FOR SUBNTS
PROBABILITY FOR SUBNTS
PROBABILITY FOR SUBNTS
PROBABILITY FOR SUBNTS
PROBABILITY FOR SUBNTS
PROBABILITY FOR SUBNTS
PROBABILITY FOR SUBNTS
PROBABILITY FOR SUBNTS
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
EVE
EVE
EVE
EVE
EVE
EVE
EVE
EVE
EVE
EVE
EVE
EVE
XX PROBABILITY FOR SUB- BASIC EVE NTS
1.OOOE-01
1.000E-01
1.OOOE-01
1.OOOE-01
1.OOOE-01
1.OOOE-01
1.OOOE-01
1.000E-01
1.000E-01
1.OOOE-01
1.OOOE-01
1.000E-01
0.00OE+00
0.00OE+00
0.OOOE+00
0.OOOE+00
0. OOOE+00
o.OOOE+00
0.OOOE+00
O.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.000E+00
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB-
0.00OE+00
0.000E+00
o.000E+00
0.00OE+00
0.00OE+00
0.00OE+00
o.OOOE+00
0.OOOE+00
0.0OOE+00
0.00OE+00
0.00OE+00
O.OOOE+00
1.OOOE-01 0.OOOE+00 SUB- U.000E+00
1.OOE-01 0.OOE+00
1.OOE-01
1.00E-01
1. OOE-01
1. OOE-01
1. 00E-01
1. OOE-01
1. OOE-01
1. OOE-01
1. 00E-01
1. 00E-01
1.OOE-01
0.00E+00
0. 00E+00
0.00E+00
0. 00E+00
0.00E+00
o OOE+00
o 00E+00
o OOE+00
0. 00E+00
0. 00E+00
0.00E+00
1.00E-01 0.00E+00
Revision 1
•"'9 T T•'•m �MP �TT.TTP� MflrY�FT IDENT COMP FAILURE MODE FAIT. DhMV X771DThNjt1W c4n"Dýv MTUV
28-121
28. Plant Control System AP1000 Probabilistic Risk Assessment
Table 28-10 (Sheet 61 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
COMP FAILURE MODE
XX PROBABILITY FOR SUB-SUB-ED3EA1B
SUB-ED3EA1P
SUB-ED3EA2
SUB-ED3EA2P
SUB-ED3EA2Y
SUB-EPIl
SUB-EPO
SUB-ESFOPER
SUB-IDAEA1
SUB-IDAEA1B
SUB-IDAEA1P
SUB-IDAEA2
SUB-IDAEA2P
FOR SUB-
FOR
FOR
FOR
FOR
FOR
FOR
FOR
FOR
FOR
FOR
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB-
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
EVE
EVE
EVE
EVE
EVE
EVE
EVE
EVE
EVE
EVE
EVE
EVE
XX PROBABILITY NTS
XX PROBABILITY NTS
XX PROBABILITY NTS
XX PROBABILITY NTS
XX PROBABILITY NTS
XX PROBABILITY NTS
XX PROBABILITY hTS
XX PROBABILITY NTS
XX PROBABILITY NTS
XX PROBABILITY NTS
XX PROBABILITY NTS
XX PROBABILITY NTS
FAIL RATE VARIANCE SOURCE TIME
1.OOOE-01
1.00OE-01
1.000E-01
1.00OE-01
1.00OE-01
1.OOOE-01
1.OOOE-01
1.OOOE-01
1.000E-01
1 .OOOE-01
1.00OE-01
1.OOOE-01
1.OOOE-01
O.OOOE+00
O.OOOE+00
O.000E+00
O.OOOE+00
O.OOOE+00
O.OOOE+00
O.OOOE+00
0.00OE+00
0. OOOE+00
O.OOOE+00
O.O0OE+0O
O.OOOE+00
O.OOOE+00
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB-
O.OOOE+00
O.O00E+0O
O.OOOE+0O
O.0OOE+0O
O .0OOE+0O
O .00OE+0O
O .0OE+0O
O .O00E+0O
O .O00E+0O
O .OOOE+0O
O .OOOE+00
O .0OOE+0O
O .0OOE+0O
28-122
FT IDENT
FOR SUB- BASIC EVE
PROBABILITY
1.OOE-01
1.OOE-01
1.OQE-01
1.OOE-01
1.OOE-01
1.OOE-01
1.OOE-01
1.OOE-01
1.OOE-01
1.OOE-01
1.OOE-01
1.OOE-01
1.00E-01
VARIANCE
O.OOE+00
O.OOE+00
O.OOE+00
0.OOE+00
O.OOE+00
O.OOE+00
O.OOE+00
O.OOE+00
O.OOE+00
O.OOE+00
O.OOE+00
O.OOE+00
O.OOE+00
Revision 1
K
28. Plant Control System
Table 28-10 (Sheet 62 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
CPCMP V•TTTW• M(NTh VATT, TWATRD ,' UTD•1•C'i •'lT C'i ,. T TMR
XX PROBABILITY FORNTS
PROBABILITY FOR NTS
PROBABILITY FOR NTS
PROBABILITY FOR NTS
PROBABILITY FOR NTS
PROBABILITY FOR NTS
PROBABILITY FOR NTS
PROBABILITY FOR NTS
PROBABILITY FOR NTS
PROBABILITY FOR NTS
PROBABILITY FOR NTS
PROBABILITY FOR NTS
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB-
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
EVE
EVE
EVE
EVE
EVE
EVE
EVE
EVE
EVE
EVE
EVE
EVE
SUB-IDBEA1
SUB-IDBEA1B
SUB-IDBEAIP
SUB-IDBEA2
SUB-IDBEA2P
SUB-IDBEA3
SUB-IDBEA3B
SUB-IDBEA3P
SUB-IDCEAI
SUB-IDCEA1B
SUB-IDCEA1P
SUB-IDCEA2
SUB-IDCEA2P
1.000E-01
1.OOOE-01
1.OOOE-01
1.OOOE-01
1.000E-01
1.OOOE-01
1.OOOE-01
1.OOOE-01
1.OOOE-01
1. 00E-01
1.OOOE-01
1.000E-01
o.OOOE+00
o.OOOE+00
o.OOOE+00
o.OOOE+00
o.OOOE+00
o.OOOE+00
0.OOOE+00
o.OOOE+00
o.OOOE+00
0.OOOE+00
o.OOOE+00
0.OOOE+00
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB-
o.OOOE+00
0.00OE+00
o.OOOE+00
o.OOOE+00
0.OOOE+00
0.OOOE+00
o.OOOE+00
O.O00OE+O0
o.OOOE+00
o.OOOE+00
O.O00OE+00
O.O00OE+O0
1.OOOE-01 0.OOOE+00 SUB- 0.OOOE+00
1.OOE-01 O.OOE+00
1.OOE-01
1.OOE-01
1. OOE-01
1. OOE-01
1. 00E-01
1. OE-01
1. 00E-01
1. 00E-01
1. 00E-01
1 OOE-01
1.OOE-01
O.OOE+00
0.00E+00
0.OOE+00
O.OOE+00
o.OOE+00
o.OOE+00
o.OOE+00
o.OOE+00
0.OOE+00
O.OOE+00
0.OOE+00
1.OOE-01 O.OOE+00
28-123
Revision 1
T~qT Tfl~g1Tr
(
A P1000 Probabilistic Risk Assessment
P�T�TT.TTV
XX PROBABILITY FOR SUB- BASIC EVE NTS
xx
xx
XX
XX
xx
xx
XX
XX
XX
xx
xx
FT IDENT COMP FAILURE MODE FAIL RATE VARIANCE SOURCE TIME PROBABILITY VARIANCEV•WT•NOV
28-123 Revision I
28. Plant Control System AP1000 Probabilistic Risk Assessment
Table 28-10 (Sheet 63 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
cnwP WATT.TTRF M~nnr
XX PROBABILITY FOR SUB-SUB-IDCEA3
SUB-IDCEA3B
SUB-IDCEA3P
SUB-IDDEAI
SUB-IDDEA1B
SUB-IDDEAIP
SUB-IDDEA2
SUB-IDDEA2P
SUB-MESOUTA
SUB-MESOUTAB
SUB-MESOUTAP
SUB-MESOUTB
SUB-MESOUTBB
NTS
PROBABILITY FOR NTS
PROBABILITY FOR NTS
PROBABILITY FOR NTS
PROBABILITY FOR NTS
PROBABILITY FOR NTS
PROBABILITY FOR NTS
PROBABILITY FOR NTS
PROBABILITY FOR NTS
PROBABILITY FOR NTS
PROBABILITY FOR NTS
PROBABILITY FOR NTS
PROBABILITY FOR NTS
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB-
WATT. RATR \?APTAMr'W CflTTPC'P '1'TMr
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
EVE
EVE
EVE
EVE
EVE
EVE
EVE
EVE
EVE
EVE
EVE
EVE
EVE
1.000E-01
1.OOOE-01
1.000E-01
1. 000E-01
1. 000E-01
1.000E-01
1.OOOE-01
1.OOOE-01
1.000E-01
1.OOOE-01
1.000E-01
1.000E-01
1.OOOE-01
0.000E+00
0. 000E+00
O.000E+00
0.000E+00
0 OOOE+00
0. 000E+00
0. 000E00
0.000E+00
0.000+E00
O.OOOE+00
0.000E+00
0. 000E+00
0 000E+00
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB-
0.000E+00
0.000E+00
0.000E+00
0. 000E+00
0.000E+00
O.000E+00
0.000E+00
O.000E+00
0.000E+00
0.000E+00
0.000E+00
0. 000E+00
0.000E+00
28-124
(,
FT TflF'r••
XX
XX
XX
XX
XX
XX
XX
XX
XX
XX
XX
XX
FT IDENT COMP FAILURE MODE FAIL RATE VARIANCE Qn"Vr-ý MTMV
Revision 1
(
PROBABILITY
1.OOE-01
1.OOE-01
1.OOE-01
1.OOE-01
1 .00E-01
1.OOE-01
1. OE-01
1.OOE-01
1. OOE-01
1. OE-01
1.OOE-01
1.OOE-01
1. OOE-01
VARIANCE
0 OOE+00
0 OOE+00
0 OOE+00
0.00E+00
0.OOE+00
0. 00E+00
0 OOE+00
0 OOE+00
0 OOE+00
0.OOE÷00
0. 00E+00
0 OOE+00
0 OOE+00
/
(28. Plant Control System
(AP1000 Probabilistic Risk Assessment
Table 28-10 (Sheet 64 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
COMP FAILURE MODE FAIL RATE VARIANCE SOURCE TIME PROBABILITY VARIANCE
XX PROBABILITY FOR SUB-SUB-MESOUTBP
SUB-MESOUTC
SUB-MESOUTCB
SUB-MESOUTCP
SUB-MESOUTD
SUB-MESOUTDB
SUB-MESOUTDP
SUB-MPLL01
SUB-MPLL01P
SUB-MPLL02
SUB-MPLL03
SUB-MPLL04
SUB-MPLL04P
NTS
PROBABILITY FOR SUBNTS
PROBABILITY FOR SUBNTS
PROBABILITY FOR SUBNTS
PROBABILITY FOR SUBNTS
PROBABILITY FOR SUBNTS
PROBABILITY FOR SUBNTS
PROBABILITY FOR SUBNTS
PROBABILITY FOR SUBNTS
PROBABILITY FOR SUBNTS
PROBABILITY FOR SUBNTS
PROBABILITY FOR SUBNTS
PROBABILITY FOR SUBNTS
BASIC EVE
BASIC EVE
BASIC EVE
BASIC EVE
BASIC EVE
BASIC EVE
BASIC EVE
BASIC EVE
BASIC EVE
BASIC EVE
BASIC EVE
BASIC EVE
BASIC EVE
1.OOOE-01
1.000E-01
1.000E-01
1.OOOE-01
1.OOOE-01
1.000E-01
1.000E-01
1. 00OE-01
1. 00E-01
1. 000E-01
1. 000E-01
1.000E-01
1.OOOE-01
0.OOOE+00
0.OOOE+00
0.000E+00
0.000E+00
0.OOOE+00
0.OOOE+00
0.00OE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0. 000E+00
0.000E+00
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB-
0.000E+00
0.OOOE+00
0.OOOE+00
0.000E+00
0.00OE+00
0.OOOE+00
0.00OE+00
0.00OE+00
0.00OE÷00
0.OOOE+00
0.OOOE+00
0.00OE+00
0.00OE+00
1.OOE-01 0.OOE+00
1. OOE-01
1. OOE-01
1.00E-01
1.OOE-01
1. OOE-01
1. OOE-01
1. OOE-01
1.O0E-01
1.OOE-01
1.OOE-01
1.OOE-01
1.OOE-01
0.OOE+00
0.00E+00
0.OOE+00
0.0OE+00
0.OOE+00
0.OOE+00
O.OOE+00
.0 OE+00
0 OOE+00
0.OOE+00
0.OOE+00
O.OOE+00
Revision 1
FT IDENT
XX
XX
XX
Xx
xx
xx
xx
XX
xx
xx
XX
xx
FT IDENT COMP FAILURE MODE PROBABILITY VARIANCE
28-125
28. Plant Control System AP1000 Probabilistic Risk Assessment
Table 28-10 (Sheet 65 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
FT IDENT
SUB-MPLL05B
SUB-MPLL06
SUB-MPLL07
SUB-MPLL07P
SUB-MPLL07Y
SUB-MPLL09
SUB-MPLL09P
SUB-MPLLOA
SUB-MPLLOB
SUB-MPLLOBP
SUB-PLSENSOR
SUB-SENS1
COMP FAILURE MODE
XX PROBABILITY FORNTS
PROBABILITY NTS
PROBABILITY NTS
PROBABILITY NTS
PROBABILITY NTS
PROBABILITY NTS
PROBABILITY NTS
PROBABILITY NTS
PROBABILITY NTS
PROBABILITY NTS
PROBABILITY NTS
PROBABILITY NTS
FOR
FOR
FOR
FOR
FOR
FOR
FOR
FOR
FOR
FOR
FOR
FAIL RATE VARIANCE SOURCE
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB-
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
BASIC
EVE
EVE
EVE
EVE
EVE
EVE
EVE
EVE
EVE
EVE
EVE
EVE
1.OOOE-01
1.00OE-01
1.OOOE-01
1.000E-01
1.OOOE-01
1.OOOE-01
1. OOOE-01
1.OOOE-01
1.0O0E-01
1.OOOE-01
1.OOOE-01
1.OOOE-01
0. OOOE+00
0. OOOE+00
0.OOOE+00
0.00OE+00
0.OOOE+00
0.OOOE+00
0. 000E+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB
SUB-
XX PROBABILITY FOR NTS
SUB- BASIC EVE 1.OOOE-01 0.OOOE+00 SUB- 0.OOE+00 1.00E-01 0.OOE+00
28-126
TIME
0 OOOE+00
0 OOOE+00
0. 00OE+00
0 OOOE+00
0. OOOE+00
0 OOOE+00
0 OOOE+00
0.00OE+00
0.OOOE+00
0. OOOE+00
0.OOOE+00
0.000E+00
SUB-SENS2
Revision 1
Q.
AP1000 Probabilistic Risk Assess ent
PROBABILITY
1.00E-01
1.OOE-01
1.00E-01
1.00E-01
1.OOE-01
1.OOE-01
1.00E-01
1.00E-01
1.00E-01
1.00E-01
1.OOE-01
1.OOE-01
VARIANCE
0.OOE+00
0.00E+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.OOE+00
0.00E+00
(28. Plant Control System
C (AP1000 Probabilistic Risk Assessment
Table 28-10 (Sheet 66 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
rOMP F'A TTTrnFT MOB F FATT, T• A'1' UATAU T rhT ~C•TTP(•'P FTM1•
XX PROBABILITY FOR SUB- BASIC EVESUB-SENS3
SUB-SENS4
SUB-SESIPC
SUB-SESOUTA
SUB-SESOUTB
SUB-SESOUTC
SUB-SESOUTD
SW2EAPD02A1SA
SW2EAPD02A2SA
SW2EAPF0011SA
SW2EAPF0012SA
SW7EP006ASA
SW7EPCTFASA
NTS
PROBABILITY FOR SUB- BASIC EVE NTS
PROBABILITY FOR SUB- BASIC EVE NTS
PROBABILITY FOR SUB- BASIC EVE NTS
PROBABILITY FOR SUB- BASIC EVE NTS
PROBABILITY FOR SUB- BASIC EVE NTS
PROBABILITY FOR SUB- BASIC EVE NTS
FAILURE OF THE ANALOG INPUT BO ARD (###EA####SA)
FAILURE OF THE ANALOG INPUT BO ARD (###EA####SA)
FAILURE OF THE ANALOG INPUT BO ARD (###EA####SA)
FAILURE OF THE ANALOG INPUT BO ARD (###EA####SA)
FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
1.000E-01
1.000E-01
1.000E-01
1.OOOE-01
1.OOOE-01
1.OOOE-01
1.OOOE-01
2 .510E-04
2.510E-04
2. 510E-04
2.510E-04
1.710E-04
1.710E-04
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0. OOOE+00
0.OOOE+00
0.OOOE+00
SUB
SUB
SUB
SUB
SUB
SUB
SUB
PMS
PMS
PMS
PMS
PMS
PMS
0.00OE+00
0.000E+00
0.OOOE+00
0.000E+00
0.OOOE+00
0.OOOE+00
0.00OE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.00OE+00
0.OOOE+00
1.OOE-01 0.00E+00
1. OOE-01
1. OOE-01
1. OOE-01
1. OOE-01
1.00E-01
1 .OOE-01
2 .51E-04
2 51E-04
2. 51E-04
2. 51E-04
1.71E-04
1. 71E-04
0.OOE+00
0.OOE+00
0 OOE+00
0. 00E+00
0 OOE+00
0. 00E+00
0. 00E+00
0 OOE+00
0 OOE+00
0 OOE+00
0 OOE+00
0.OOE+00
28-127
Revision 1
FT TfDl-NT 0Dn•T T.TMPV I rR T 7WT
XX
XX
XX
XX
XX
XX
EA
EA
EA
EA
EP
EP
FT IDENT COMP FAILURE MODE FAIL RATE VARIANCE SOURCE TIME
28-127 Revision 1
28. Plant Control System AP1000 Probabilistic Risk Assessment
Table 28-10 (Sheet 67 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
FT IDENT
SW7EPCTFBSA
SW7EPSBPASA
SW7EPSBPBSA
SW7EPV037BSA
SWATP002RY
SWB-MAN02
SWB-MAN02N
SWN-MAN01
SWN-MANOiN
SWNTP001RI
TC2EATCSP1SA
TC2EATCSP2SA
TC6EPTCPBSA
COMP FAILURE MODE
EP FAILURE OF THE POWER INTERFACEBOARD (###EP####SA)
FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
PRESSURE TRANSMITTER YEARLY FA ILURE (###TP###RY)
PROBABILITY FOR SUB- BASIC EVE NTS
PROBABILITY FOR SUB- BASIC EVE NTS
PROBABILITY FOR SUB- BASIC EVE NTS
PROBABILITY FOR SUB- BASIC EVE NTS
FAILURE OF PRESSURE TRANSMITTE R (###TP###RI)
FAILURE OF THE ANALOG INPUT BO ARD (###EA####SA)
FAILURE OF THE ANALOG INPUT BO ARD (###EA####SA)
FAILURE OF THE POWER INTERFACE BOARD (###EP####SA)
FAIL RATE VARIANCE SOURCE TIME
1.710E-04
1.710E-04
1.710E-04
1.710E-04
5.230E-03
1.000E-01
1.OOOE-01
1.OOOE-01
1.OOOE-01
5.230E-03
2.510E-04
2. 510E-04
1.710E-04
0. 000E+00
0 OOOE+00
O .OOOE+00
0.OOOE+00
0 OOOE+00
0.000E+00
0.OOOE+00
0.OOOE+00
0.000E+00
0.OOOE+00
0.000E+00
0.OOOE+00
0.000E+00
PMS
PMS
PMS
PMS
PMS
SUB
SUB
SUB
SUB
PMS
PMS
PMS
PMS
O.OOOE+00
O.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
O.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
0.OOOE+00
28-128
PROBABILITY
1.71E-04
1.71E-04
1.71E-04
1.71E-04
5.23E-03
1.OOE-01
1.OOE-01
1.OOE-01
1.OOE-01
5.23E-03
2.51E-04
2.51E-04
1.71E-04
VARIANCE
0.OOE+00
0 OOE+00
0.OOE+00
o .OOE+00
0.OOE+00
o .OOE+00
o .OOE+00
o. 00E+00
0.OOE+00
0.OOE+00
o.OOE+00
0.00E+00
o.OOE+00
Revision 1
(
( (28. Plant Control System
(AP1000 Probabilistic Risk Assessment
Table 28-10 (Sheet 68 of 68)
FAULT TREE BASIC EVENTS FOR I&C SUBSYSTEM
FAILURE MODE FAIL RATE VARIANCE SOURCE TIME
PROBABILITY FOR SUB- BASIC EVE 1.OOOE-01 0.OOOE+00 SUB- 0.0OOE+00 NTS
FLOW TRANSMITTER FAILURE (###T 5.230E-03 O.OOOE+00 PMS 0.OOOE+00 F###RI)
FLOW TRANSMITTER FAILURE (###T 5.230E-03 O.OOOE+00 PMS O.OOOE+00 F###RI)
PROBABILITY FOR SUB- BASIC EVE 1.OOOE-01 0.OOOE+00 SUB- 0.OOOE+00 NTS
PROBABILITY FOR SUB- BASIC EVE 1.OOOE-01 0.OOOE+00 SUB- 0.OOOE+00 NTS
FAILURE OF THE POWER INTERFACE 1.710E-04 0.OOOE+00 PMS O.OOOE+00 BOARD (###EP####SA)
PROBABILITY FOR SUB- BASIC EVE 1.OOOE-01 0.OOOE+00 SUB- 0.OOOE+00 NTS
PROBABILITY FOR SUB- BASIC EVE 1.OOOE-01 0.000E+00 SUB- 0.OOOE+00 NTS
28-129
Revision 1
FT IDENT
TCB-MAN01
TCNTF109ARI
TCNTF109BRI
VLN-MAN01
VLX-ANLYZ
VW2EPTRBSA
VWN-MAN01
ZON-MAN01
COMP
xx
TF
TF
xx
xx
EP
xx
xx
PROBABILITY
1.OOE-01
5.23E-03
5.23E-03
1.OOE-01
1.COE-01
1.71E-04
1.00E-01
1.00E-01
VARIANCE
0.OOE+00
o.OOE+00
o.OOE+00
O.OOE+0O
O.OOE+00
o.OOE+00
0.OOE+00
0.OOE+00
28-129 Revision 1
Table 28-11 (Sheet I of 3)
ASSUMED LIST OF I&C INSTRUMENTATION
Parameter Channel Sensor Instr. Lines
SG-1 Narrow-Range Level 1 SGITLOOlUF SG1OROOSP 2 SGlTLO02UF SG10RO02SP 3 SG1TLO03UF SG1ORO03SP 4 SG1TLO04UF SG1ORO04SP
SG-2 Narrow-Range Level 1 SG2TLO05UF SG2ORO05SP 2 SG2TLO06UF SG2ORO06SP 3 SG2TLO07UF SG2ORO07SP 4 SG2TLO08UF SG2ORO08SP
SG-l Startup Feedwater Flow I SGITF055ARI 2 SG1TF055BRI
SG-2 Startup Feedwater Flow 1 SG2TF056ARI 2 SG2TF056BRI
SG-1 Wide-Range Level 1 SGITL01lUF SGIOR011SP 2 SGlTLO12UF SGIOR012SP 3 SGITLO15UF SG1ORO15SP 4 SGlTLO16UF SGIOR016SP
SG-2 Wide-Range Level 1 SG2TLO13UF SG2ORO13SP 2 SG2TLO14UF SG2ORO14SP 3 SG2TLO17UF SG2ORO17SP 4 SG2TLO18UF SG2ORO18SP
CMT-A Level Switch 1 PXAVSO11UF 2 PXAVS013UF 3 PXAVS015UF 4 PXAVS017UF
CMT-B Level Switch 1 PXBVS012UF 2 PXBVS014UF 3 PXBVS016UF 4 PXBVS018UF
CMT Signal 1 CMT-SENS 1-FAIL 2 CMT-SENS2-FAIL 3 CMT-SENS3-FAIL 4 CMT-SENS4-FAIL
Safety Injection Signal 1 S-SIG-SENS 1-FAIL 2 S-SIG-SENS2-FAIL 3 S-SIG-SENS3-FAIL 4 S-SIG-SENS4-FAIL
28-130
Revision 1
28. Plant Control System AP1O00 Probabilistic Risk Assessment
28-130 Revision I
28. Plant Control System AP1000 Probabilistic Risk Assessment
Table 28-11 (Sheet 2 of 3)
ASSUMED LIST OF I&C INSTRUMENTATION
Parameter Channel Sensor Instr. Lines
Condensate Pump Flow CDNTFO1BRI
SG-1 Feedwater Wide-Range SG2TF50ARI Flow
SG-2 Feedwater Wide-Range SGITF51ARI Flow
SG-1 Steam Line Pressure 1 SGlTP030UF SG1OR030SP 2 SGITP031UF SG1OR031SP 3 SG1TP032UF SGIOR032SP 4 SGITP033UF SGIOR033SP
SG-2 Steam Line Pressure I SG2TP034UF SG2ORO34SP 2 SG2TP035UF SG2ORO35SP 3 SG2TP036UF SG2ORO36SP 4 SG2TP037UF SG2ORO37SP
SG-l Feedwater Narrow-Range SG2TF50BUF Flow
SG-2 Feedwater Narrow-Range SGlTF51BUF Flow
Containment Pressure I PC1TP005UF 2 PC2TP006UF 3 PC3TP007UF 4 PC4TP008UF
Pressure Level 1 RCITLI95UF RC1OR195SP 2 RC2TL196UF RC2OR196SP 3 RC3TL197UF RC3OR197SP 4 RC4TL198UF RC4OR198SP
Differential Pressure Transmitter SWATP002RY
Pressure Transmitter SWNTPOO1RI
Undervoltage Relay EC 1RE27B GA
In-Containment Refueling Water 1 IW1TLO45UF Storage Tank Level 2 IW2TLO46LTF
3 IW3TLO47UF 4 IW4TLO48UF
Component Cooling Water CCNTF101RI System Pump Discharge Flow
28-131
Revision 1
•AP1000 Probabilistic Risk Assessment28. Plant Control System 11
28-131 Revision I
AP1000 Probabilistic Risk Assessment
Table 28-11 (Sheet 3 of 3)
ASSUMED LIST OF I&C INSTRUMENTATION
Parameter Channel Sensor Instr. Lines
Instrument Air Pressure Signal CANTP011RI
Diesel Generator 1 Undervoltage ECIREDGIGA Relay
Diesel Generator 2 Undervoltage EC1REDG2GA Relay
Heat Exchanger ME01A Flow TCNTF109ARI
Heat Exchanger MEO1B Flow TCNTF109BRI
Reactor Coolant Pump 1A 1 RCATE21 lUF Bearing Water Temperature 2 RCATE212UF
3 RCATE213UF 4 RCATE214UF
Reactor Coolant Pump 1B 1 RCATE215UF Beanng Water Temperature 2 RCATE216UF
3 RCATE217UF 4 RCATE218UF
Reactor Coolant Pump 2A 1 RCATE221UF Bearing Water Temperature 2 RCATE222UF
3 RCATE223UF 4 RCATE224UF
Reactor Coolant Pump 2B 1 RCATE225UF Bearing Water Temperature 2 RCATE226UF
3 RCATE227UF 4 RCATE228UF
Pressurizer Pressure 1 RCNTP191UF RCNTP195UF 2 RCNTP192UF RCNTP196UF 3 RCNTP193UF RCNTP197UF 4 RCNTP194UF RCNTP198UF
Revision 1
28. Plant Control System
28-132
28. Plant Control System AP1000 Probabilistic Risk Assessment
Table 28-12
ASSIGNMENTS OF PLANT SYSTEMS TO LOGIC CABINETS
CLC 1 Component cooling water system (CCS)
CLC 2 Central chilled water system (VWS)
CLC 3 Chemical and volume control system (CVS)
CLC 4 Normal residual heat removal (RNS)
CLC 5 Diesel generators Starting sequences, main generator breaker, switchgear breakers
CLC 6 Turbine building closed cooling water system (TCS)
CLC 7 Service water system (SWS)
CLC 8 Circulating water system (CWS)
CLC 9 Compressed and instrument air system (CAS)
CLC A Steam dump valves function
CLC B Startup feedwater system (FWS)
CLC C Main feedwater system (FWS)
CLC D Condensate system (CDS)
28-133
Revision 1
28. Plant Control System AP1000 Probabilistic Risk Assessment
28-133 Revision 1
AP1000 Probabilistic Risk Assessment
Control Group 1
Table 28-13
ASSIGNMENTS OF PLANT SYSTEMS TO THE CONTROL GROUP CABINETS
Pressurizer Pressure and Level Control Reactor Coolant Level and Flow Control Component Cooling Water System Central Chilled Water System Chemical and Volume Control System Normal Residual Heat Removal Diesel Generators Starting Sequences, Main Generator Breaker, Switchgear Breakers
Turbine Building Closed Cooling Water System Service Water System Circulating Water System Main Steam System (MSS) Compressed And Instrument Air System Steam Dump Valves Function
Main and Startup Feedwater System Condensate System Feedwater Control Valves Function Feedwater Pump Speed Function
Control Group 2
Revision 1
28. Plant Control System
J
28-134
CHAPTER 29
COMMON-CAUSE ANALYSIS
29.1 Introduction
Dependent and common-cause failures (CCF) defeat the redundancy incorporated into the design to improve the availability of some plant functions, such as coolant injection. A dependent, or a common-cause failure arises from some causes that fail more than one system or more than one train of a system simultaneously or within the surveillance time interval.
The methodology described in Attachment 29A is applied to consider the different types of dependent failures, with particular emphasis on common-cause failures. Common-cause failures are those failures in which fault states exist in two or more components at the same time, or within a short interval, and are direct results of shared causes.
Common-cause parameters for the Multiple-Greek Letter (MGL) method are taken from the Electric Power Research Institute (EPRI) Advanced Light Water Reactor Utility Requirements Document (Reference 29-1).
The common-cause basic events are defined in the system fault trees and are tabulated in each system chapter. The failure probabilities of these basic events are calculated and are given in Sections 29.4 and 29.5, except for instrumentation and control common-cause failures that are calculated in their respective system chapters. Table 29-2 summarizes the common-cause failure probabilities calculated in this section.
29.2 Dependent Failures
In the AP1000 Probabilistic Risk Assessment (PRA), the following dependent failures are analyzed:
"* Sequence functional dependencies, "* Intersystem dependencies, "* Dependencies due to human actions, "* Inter-component dependencies (common cause).
Sequence Functional Dependencies
The sequence functional dependencies indicate the effects of the status of one system or safety function on the success or failure of another. These dependencies are explicitly accounted for in the event tree analysis.
Additionally, a set of common-cause initiating events are identified that not only result in a plant transient or accident, but also in failure or degradation of systems required to operate following the initiating event. One group of these events includes those associated with total or partial failure of support systems, such as loss of turbine closed cooling water system, loss of component cooling water system, loss of service water system, loss of compressed air system, and loss of one high voltage AC electrical bus. The dependencies
29. Common-Cause Analysis AP1000 Probabilistic Risk Assessment
29-1 Revision 1
introduced as a result of these initiating events are addressed by constructing specific event trees for each event.
Intersystem Dependencies
In the APlOO0 plant design, most of the safety-related systems are essentially passive systems with substantially reduced dependency on auxiliary systems. However, the dependency on dc power for these systems and the dependency on other auxiliaries for the non-safety-related systems are carefully analyzed in the probabilistic risk assessment.
Intersystem dependencies include both hard-wired dependencies (such as through electric power and cooling water) and functional dependencies (such as ambient cooling and adequate net-positive suction head). These are incorporated explicitly in the different system fault trees using the same basic event name or subtree name (SUB-XXXXXX) to identify the same component failure mode or the same supporting system failure mode.
Some auxiliary systems require supporting systems to operate correctly. Therefore, the redundant systems or components could have dependencies due to the supporting systems.
A systems dependency matrix, provided in Support Systems Analysis summarizes these interdependencies. These dependencies are incorporated explicitly in the different system fault trees using the same basic event name.
Human Action Dependencies
Dependencies due to human actions or diagnostic errors, which might affect the manual actuation of redundant systems, are explicitly modeled as separate events in the fault trees. Other dependencies due to human actions, such as incorrect calibration of sensors or instruments, which might affect the annual actuation of redundant systems, are explicitly modeled as separate events in the fault trees.
Dependencies of the operator actions that affect multiple systems are analyzed in the Human Reliability Analysis, where the human interactions are treated for consideration in the fault tree/event tree quantification. The Human Reliability Analysis is discussed in Chapter 30.
Inter-Component Dependencies (Common-Cause Failures)
Inter-component dependencies, also called common-cause failures, are root-cause events leading directly to multiple component outages from the shared causes. Common-cause failures are significant because they can lead to simultaneous (or nearly simultaneous; that is, within the mission time) failure of redundant components. Therefore, they can prevent the maximum theoretical gain in reliability being achieved from adding redundant components/trains. Common-cause failures arise because the components are susceptible to the same failure causes. However, there may also need to be some triggering events or preconditioning that leads to the simultaneous failures.
Revision 1
29. Common-Cause Analysis APIO00 Probabilistic Risk Assessment
29-2
AP1000 Probabilistic Risk Assessment
There are three basic groups of common-cause failures, as discussed in the following paragraphs.
1. DesignlManufacturing/Construction/Installation Inadequacy, or Internal Causes
This root-cause event generally affects similar components. It encompasses actions and decisions made during design, manufacturing, or installation of components - both before and after the plant is operational. Also included in this category is the malfunctioning of something internal to the component as a result of normal wear out or other intrinsic failure, and the influence of the normal ambient environment of the component. However, diversification in design, quality assurance during the manufacturing process, and good plant management practices can provide significant defense against these potential common-cause failures.
2. Abnormal Environmental Stress
Abnormal environmental stress includes causes related to a harsh environment that is not within component specific design criteria. These root-cause events affect equipment in the same location that is also sensitive to the same harsh environment.
This potential is significantly reduced if there are defenses in place to reduce the susceptibility of the redundant components to the effect of the trigger event. For example, locating the components of redundant trains of a safety system in different rooms reduces their susceptibility to failure from factors in the internal environment.
For components located in a harsh environment, such as inside primary containment, a specific qualification program can adequately reduce the susceptibility to this type of common-cause failure.
Common-cause failures due to harsh environmental conditions are recognized to be negligible in the AP1O00 design. In fact, safety components located outside the containment, such as the automatic logic and the dc electrical power, are located in divisional areas. Environmental conditions, more severe than those predicted by the designers for equipment qualification, occurring simultaneously in more than one divisional area are unlikely. Potential for common-cause failure is to be identified only for components located inside the primary containment. However, the expected frequency of encountering a severe harsh environment is small because of the requirement of considering the severe accident conditions. The design and operational defenses lead to screening out the occurrence of these events.
3. Maintenance or Operation Errors
Maintenance or operation errors affect equipment operated according to the same procedures. However, good management practices and well-conducted testing and maintenance programs provide significant defense against these potential common-cause failures.
Revision 1
29. Common-Cause Analysis
29-3
AP1000 Probabilistic Risk Assessment
29.3 Common-Cause Analysis
The methodology described in Attachment 29A is used for common-cause failure analysis. The following steps are performed:
1. Identification of the common-cause component groups. These are a group of similar components that are considered to have a high potential for failure due to the same cause. The identification is based on a qualitative screening analysis within each system and among different redundant systems performing the same function.
2. Identification of design or operational defenses to reduce the susceptibility to root-cause and to coupling mechanisms that provide the bases to screen out a component from the common-cause component group or to provide the bases for a quantitative evaluation. Quantification of the common-cause component groups not screened out is performed by using data derived from the Electric Power Research Institute (EPRI) Requirements Document (Reference 29-1).
3. Identify inter-component dependencies, also called common-cause failures, due to shared root cause of failures. These dependencies are modeled and quantified in Table 29-2.
The analysis is performed looking for potential common-cause failures within each system and, later, when the event tree sequences are identified, for the potential common-cause failures among the several systems called upon during each event tree sequence.
29.3.1 Assumptions
Basic assumptions used to perform the present, common-cause failure analysis are the following:
1. Common-cause failures of heat exchangers (HXs) belonging to different systems to plug or leak are not considered because the water characteristics and system operation conditions (pressure, temperature, and flow) are different for heat exchangers used in different systems. Furthermore, within the same system, one heat exchanger is in operation and the other is in standby. Therefore, it is unlikely to have more than one heat exchanger fail at the same time.
2. Common-cause failures for plugging of orifices or strainers belonging to different systems or to different loops of the same system (with one normally operating and the other in standby) are evaluated and are not included for the same reasons as described previously for heat exchangers. The only exception is for strainers, which treat water in different conditions during an accident (such as sump strainers). In this particular case, an analysis is performed as needed.
3. Several common-cause failures affecting only electrical components are disregarded due to their negligible failure probability (1E-5/d and less) and because they are always connected through an "AND" gate (in the fault tree) with random failures or other common-cause failures. A typical example is circuit breakers spuriously opening for
Revision 1
29. Common-Cause Analysis
29-4
which the common-cause failure (from Table 29-1), evaluated as 0.05 x 6E-7/hr x 24 hr = 7.2E-07 per demand, is always connected through an "AND" gate with other random or common-cause failures. Therefore the failure probability is negligible. The evaluation of components that were disregarded is included in Table 29-1.
4. Common-cause failures of electrical busses are also disregarded because different types of busses are used according to the different voltages. Furthermore, the common-cause failure unavailability (from Table 29-1), evaluated as 0.05 x 2E-7/hr x 24 hr = 2.4E-07 per demand, is negligible with respect to other failures. In addition, the performance and environmental conditions during an accident should be similar to those during normal operation. Therefore, it is unlikely that failures such as spurious openings or bus malfunctions not detected during one or two years would occur during the accident. The evaluation of components that were disregarded is included in Table 29-1.
5. No catastrophic tank common-cause failure among systems is assumed credible because of the differences in operating fluid pressure, tank size, and volume. Only common-cause failures within the same systems are considered credible, such as within the core makeup tank (CMT).
6. Common-cause failures of standby components (such as pumps and check valves) that operate when a normally operating component fails are not taken into account as potential common-cause failures within the system. They are always combined with random or common-cause failures of normally running equipment. Therefore, the total failure has a negligible probability to occur. In addition, these common-cause failures are not considered among different systems because:
- The standby component is called at different times and probably at different plant conditions during the progress of the accident.
- Generally, there are some differences among the components.
Therefore, the failure to start standby pumps and the failure to open check valves on standby loops are not considered as potential common-cause failures within and among systems.
7. Plugging due to loose parts on accumulators, core makeup tanks, or the passive residual heat removal (PRHR) system are not accounted as susceptible to common-cause failures. The plugging mechanism is related to the maintenance procedures. Different maintenance crews and different access times for system maintenance allow this common-mode failure event to be disregarded, because it is negligible even within the same system.
8. Plugging is assumed credible only within the in-containment refueling water storage tank (IRWST) during the gravity injection phase, where the two injection lines take water from the same pool. There is a probability of the plugging of both protective suction screens in a short time.
29-5
Revision 1
AP1000 Probabilistic Risk Assessment29. Common-Cause Analysis
Revision I29-5
9. The IRWST injection system consists of four high-pressure (HP) explosive valves (EV). The IRWST recirculation system consists of two HP EVs and two low-pressure (LP) EVs. For this analysis, these valves are grouped into one common-cause failure group of six HP EVs and one common-cause failure group of 2 LP EVs.
In order to fail both injection lines, all EVs on the injection lines must fail. But, when four of the HP EVs fail due to common cause, it is assumed that all of the HP EVs will fail due to common cause. Therefore, when analyzing the failure of two IRWST injection lines, common-cause failure of 6 out of 6 HP EVs is used.
10. When calculating independent failure probabilities, it is assumed that the component will fail at the midpoint of the testing frequency. Therefore, when converting an hourly failure probability to a per demand failure probability, a time interval of "testing frequency"/2 shall be used.
29.3.2 Analysis of Potential Common-Cause Failures within the Systems
Each system analysis section contains a summary table for common-cause failure basic events modeled in that section. The probabilities of these basic events are calculated and or summarized in Table 29-2. The equations used to determine the QK/QT values are shown in Table 29-3.
29.3.3 Analysis of Potential Common-Cause Failures among Several Systems
An evaluation of potential intersystem common cause failures determined that one such failure does exist. The intersystem common cause failure is failure of the operating train's motor-driven pump to continue to run for the component cooling water, chilled water, and turbine building closed cooling water systems. This event (CCX-PM-ER) probability is summarized in Table 29-2.
29.4 Calculations For Component Groups
For some components identified by the common-cause analyst as having potential importance to the total risk, a detailed analysis is performed and reported in the following subsections. In addition, the Multiple-Greek Letter method is applied to those components.
The susceptible components that have a detailed analysis are:
A. DC batteries B. Reactor trip breakers C. Explosive valves on the Automatic Depressurization System D. Air-operated valves (AOVs) on the core makeup tanks (CMTs) E. Motor-operated valves on the Automatic Depressurization System
Common-cause failures of IRWST valves are calculated in Section 29.5.
29. Common-Cause Analysis AP1000 Probabilistic Risk Assessment
29-6 Revision 1
29.4.1 DC Batteries
A description of the onsite dc power system is provided in Chapters 22 and 23.
Eight batteries are used to supply the four Class 1E electrical divisions. Four batteries are used to supply the non-Class 1E switchboards.
Each of the Class 1E electrical divisions B and C is supplied by one battery for 24 hours of operation and another one for 72 hours of operation. This results in a total of 4 batteries.
Class 1E electrical divisions, A and D, are supplied by one battery each. Both batteries are sized to operate for 24 hours.
Each of the four non-Class 1E switchgear buses is powered by its own battery. Each battery is
sized to operate for 2 hours.
Two different analyses have been performed:
Al - Common-cause failure of batteries on Class 1E, and A2 - Common-cause failure of batteries on non-Class lE.
Al - Common-cause failure of batteries on Class 1E
This calculation is made for a single train of two batteries in parallel, where the failure is defined as both batteries in the train fail.
From Reference 29-1, the common-cause parameters for a three-battery system are:
S= 4.2E-2 ,y= 4.3E-1
It is assumed that the same parameters are applicable for a group of eight batteries.
The common-cause multipliers obtained, using equations from Table 29-3, are:
Q2/QT = 3.4E-3, Q3/QT = ... = Q7/QT = 0,
Qs/QT = 1.8E-2.
The independent failure is:
QT = 2E-6/hr x 2190 hr/2 = 2.2E-3/d.
Only the global common-cause failure affecting all the batteries, and one combination with common-cause failure of two batteries have numerical contribution with respect to the others.
29-7
Revision 1
29. Common-Cause Analysis 'AP1000 Probabilistic Risk Assessment
Revision 129-7
AP1000 Probabilistic Risk Assessment
Therefore, the common-cause failure of batteries that provide output on demand, named CCX-BY-PN, is evaluated as:
CCX-BY-PN = Q2/QT x QT + Qd/QT x QT.
The value is:
CCX-BY-PN = 4.7E-5/d.
A2 - Common-cause failure of batteries on non-Class 1E
This system has only four batteries; one in each train. However, two of them may be connected in some cases. For this reason the common-cause failure is calculated to include a two-out-of-two common-cause failure also.
From Reference 29-1, the common-cause parameters for a three-battery system are:
P = 4.2E-2, and y = 4.3E-1.
It is assumed that the same parameters are applicable for a group of four batteries.
The common-cause multipliers obtained, using equations from Table 29-3, are:
Q2/QT = 7.980E-3, Q3/QT = 0, Qn/QT = 1.806E-2.
The independent failure is:
QT = 2E-6/hr x 2190 hr/2 = 2.20E-3/d.
Only the global common-cause failure affecting all four batteries, and one combination with common-cause failure of two batteries have numerical contribution with respect to the others.
Therefore, the common-cause failure of batteries that provide output on demand, named CCX-BY-PN1, is evaluated as:
CCX-BY-PN1 = Q2/QT X QT + Q4SQT X QT.
The value is:
CCX-BY-PN1 = 5.703E-5/d - 5.7E-5/d.
29.4.2 Reactor Trip Breakers
There are four redundant protection sets with each protection set controlling the tripping of two circuit breakers in the reactor trip switchgear (eight breakers total). The reactor trip is obtained when two-out-of-four protection sets deliver a trip signal to the breakers.
Revision 1
29. Common-Cause Analysis
29-8
From Reference 29-1, the common-cause parameters for a four reactor trip breaker system are:
P3= 0.2, y = 0.3,
85= 1.0.
It is assumed that the same parameters are applicable for a group of eight breakers.
The common-cause multipliers obtained, using equations from Table 29-3, are:
Q2/QT = 2E-2, Q3/QT = ... = Q/QT = 0,
Q8/QT = 6E-2.
The independent failure is:
QT = 3E-3/d.
The contribution to the common-cause failure caused by combinations of two and two and four breakers have a negligible contribution with respect to the global common-cause failure of all breakers. Therefore, the common-cause failure of reactor trip breakers to remain closed, named RCX-RB-FA, is evaluated as:
RCX-RB-FA = Q8/QT x QT
The value is:
RCX-RB-FA = 1.8E-4/d.
29.4.3 Automatic Depressurization System Explosive Valves
There are four explosive valves (EVs) on the fourth stage of the Automatic Depressurization System. The evaluated success criterion is that at least two-out-of-four explosive valves open.
From Reference 29-1, the common-cause failure parameters for a group of four components are:
I3= 1E-l, =5E-1,
5= 9E-1.
The common-cause multipliers obtained, using equations from Table 29-3, are:
Q2/QT = 1.7E-2, QJ/QT = 1.7E-3, Q4/QT = 4.5E-2.
Revision 129-9
AP1000 Probabilistic Risk Assessment29. Common-Cause Analysis
The independent failure is:
Qr = 5.8 E4/d.
Four combinations of three-out-of-four and global failure of four are assessed to contribute to the numerical evaluation with respect to the others.
ADX-EV-SA = 4 x Q3/QT x QT + Qg/Q- X Qr.
The value is:
ADX-EV-SA = 3.0 E-05 /d.
The common-cause failure of six combinations of two-out-of-four valves is assessed.
ADX-EV-SA2 = 6 x Q2/Qrx QT.
The value is:
ADX-EV-SA2 = 5.90 E-05 /d.
29.4.4 Air-Operated Valves in Core Makeup Tanks
Two different analyses have been performed:
D 1- Failure to open air-operated valves in both core makeup tanks, and D2 - Failure to open air-operated valves in one core makeup tank (either is broken).
D1 - AOVs in Both CMTs
The failure of both the core makeup tanks occurs when all of the four air-operated valves fail to open. From Reference 29-1, the common-cause failure parameters for a group of four air-operated valves are:
P3 = 7.8E-2, y = 0.93, 8 = 0.77.
The common-cause multipliers obtained, using equations from Table 29-3, are:
Q2IQT = 1.8E-3, Q3/QT = 5.6E-3, Q4/Qr = 5.6E-2.
The independent failure is:
QT = 1E-6/hr x 2190 hr/2 = 1.1E-3/d.
29-10
Revision 1
29. Common-Cause Analysis AP1000 Probabilistic Risk Assessment
-.._t'
Revision 129-10
The combinations of two-out-of-four and three-out-of-four valves are assessed to have a negligible contribution with respect to the global common-cause failure. Therefore, the common cause of check valves to open, leading to the failure of both core
makeup tanks, named CCX-AV-LA, is evaluated as:
CCX-AV-LA = Q4/QT x QT.
Its value is:
CCX-AV-LA = 6.2E - 5/d.
D2 - Air-Operated Valve in One Core Makeup Tank
In the event of a break in one core makeup tank line, only one core makeup tank is available, and no passive residual heat removal is requested. Therefore, conservatively a group of only two air-operated valves is considered. The common-cause failure for a group of two valves are:
P = 8.8E-2.
The common-cause multiplier obtained, using equations from Table 29-3, are:
Q2/QT = 8.8E-2.
The independent failure is:
Qr = 1E-6/hr x 2190 hr/2 = 1.09E-3/d.
Therefore, the common-cause failure of the air-operated valves on one line of core makeup tank to open, named CMX-AV-LA, is evaluated as:
CMX-AV-LA = Q2/QT x QT.
The value is:
CMX-AV-LA = 9.6E-5/d.
29.4.5 Automatic Depressurization System Motor-Operated Valves
There are different failure criteria for spurious opening of Automatic Depressurization System motor-operated valves considered in this analysis, according to consequences contributing to the large or medium LOCA initiating event. Criteria for failure of valves to open are considered in this analysis.
El - Medium LOCA: Either line of the ist stage, both lines of the 1' stage or any line of the 2 nd or 3rd stage,
29-Il
Revision 1
AP1000 Probabilistic Risk Assessment29. Common-Cause Analysis
29-11 Revision 1
E2 - Large LOCA: Any lines of the 4"h stage or any two lines of the 1t, 2 d , and 3rd stage
that have a combined diameter greater than 9 inches.
E3 - Fail to open: ADS motor-operated valves fail to open.
From Reference 29-1, the common-cause failure parameters for a group of four motoroperated valves are:
P = 1.7E-2, y = 4.4E-1, 8 = 2.6E-1.
It is assumed that the same parameters are applicable for a group of twelve motor-operated valves.
The common-cause multipliers obtained, using equations from Table 29-3, are:
Q2/QT = 8.655E-4, Q}QT = 1.006E-4, QgQT = ... = Qll/ QT = O, Q12/QT = 1.945E-3.
The independent failure is:
QT = 5E-9/hr x 8760 hr/2 = 2.19E-5/d.
Independent failures generally include failures such as hardware failure and signal failure, etc. The independent failure from Reference 29-1 is 1.4E-07/hr. This value was deemed unnecessarily conservative. Thus, the value of 5.OE-09/hr was chosen to represent independent hardware failure. The fault trees using this failure rate also include a basic event for signal failure, etc.
El - Contribution to Medium LOCA
The number of combinations with common-cause failure of two motor-operated valves that lead to the failure of 1 out of 2 lines of the 1 t stage is 2. The number of combinations with common-cause failure of three motor-operated valves that lead to the failure of 1 out of 2 lines of the 1"t stage is 20. The other combinations of two and three valves are assessed to have a negligible contribution.
Therefore, the common-cause failure of Automatic Depressurization System motor-operated valves to remain closed with consequences contributing to the medium LOCA event, named ADX-MV1-EB, is evaluated as:
ADX-MV 1-EB = 2 x Q2/QT x Qr + 20 x Q3/QT x QT.
The value is:
ADX-MV1-EB = 8.20E-8/d.
29. Common-Cause Analysis APIO00 Probabilistic Risk Assessment
29-12 Revision 1
The number of combinations with common-cause failure of two motor-operated valves that lead to the failure of 1 out of 4 lines of the 2 "d & 3rd stage is 4. The number of combinations with common-cause failure of three motor-operated valves that lead to the failure of 1 out of 4 lines of the 2 nd & 3d stage is 40. The other combination of two and three valves are assessed to have a negligible contribution.
Therefore, the common-cause failure of Automatic Depressurization System motor-operated valves to remain closed with consequences contributing to the medium LOCA event, named ADX-MV2-EB, is evaluated as:
ADX-MV2-EB = 4 x Q2/QT x QT + 40 x Q3/Q" x QT.
The value is:
ADX-MV2-EB = 1.64E-7/d.
E2 - Contribution to Large LOCA
The combinations with common-cause failure of two and three motor-operated valves are assessed to have a negligible contribution with respect to the global common-cause failure. Therefore, the common-cause failure of Automatic Depressurization System motor-operated valves to remain closed with consequences contributing to the large LOCA event, named ADX-MV3-EB, is evaluated as:
ADX-MV3-EB = Q12/QT x QT.
The value is:
ADX-MV3-EB = 4.26E-8 /d.
E3 - Motor-operated Valves Failure to Open
From Reference 29-1, the common-cause failure parameters for a group of four motoroperated valves to fail to operate are:
= 4.9E-2, y = 9.OE-l,
= 7.8E-1.
It is assumed that the same parameters are applicable for a group of eight motor-operated valves. The common-cause multipliers obtained, using equations from Table 29-3, are:
Q2/QT = 7.00E-4, Q3/QT = 4.62E-4, Q 4/QT = ... = Q7/QT = 0, Q8/QT = 3.44E-2.
Revision 1
29. Common-Cause Analysis AP1000 Probabilistic Risk Assessment
29-13
AP1000 Probabilistic Risk Assessment
The independent failure is:
QT = 1.OE-05/hr. x 4380 hr/2 = 2.19E-02/demand.
The common-cause failures of the motor-operated valves of the Automatic Depressurization System first, second, and third stage to operate is evaluated as:
ADX-MV-GO = Q8IQr X QT.
The value is:
ADX-MV-GO = 7.48E-04/d.
It is required that at least two lines of the Automatic Depressurization System stages 2 and 3 open in order to have success. There are 32 combinations of motor-operated valve failure that will cause Automatic Depressurization System stages 2 and 3 to fail. The common-cause failures of 32 combinations of three stage 2 and stage 3 motor-operated valves to fail to operate is evaluated as:
ADX-MV3-GO = 32 x QVQT x QT.
The value is:
ADX-MV3-GO = 3.24E-04/d.
29.4.6 Common-Cause Failure for IRWST Valves
29.4.6.1 Definitions
In this section, the common-cause failure probabilities for various missions of the IRWST injection, recirculation, and sump flooding are calculated. The common-cause failures are associated with the 16 valves shown in Figure 29-1. These valves are classified for common-cause failure modeling as follows:
4 High pressure explosive valves for injection (EV)
4 Injection check valves (CV)
2 Recirculation check valves (CV) (different from injection CVs)
2 Recirculation/sump flooding motor operated valves (MOV)
2 High pressure explosive valves for recirculation/sump flooding (EV)
2 Low pressure explosive valves for recirculation/sump flooding (EV)
16 Valves
29-14
Revision 1
29. Common-Cause Analysis
29-14 Revision 1
AP1000 Probabilistic Risk Assessment
There are five distinct missions of the IRWST injection, recirculation, sump flooding, as represented by the following five fault trees:
1. IW2AB
2. IWlA
3. RECIRC
4. IWF
5. RECIRCI
IRWST injection into the reactor coolant system through 1 out of 2 check valve/squib valve paths (with 1 check valve and 1 squib valve per path) in I out of 2 gravity injection lines.
IRWST injection into the reactor coolant system through I out of 2 check valve/squib valve paths (with 1 check valve and 1 squib valve per path) in 1 out of 1 gravity injection lines.
Flow from containment sump (via opening of either the squib valve flow path or the check valve/squib valve flow path) to the RCS (via the opening of either check valve/squib valve flow path) through 1 out of 4 gravity-injection/recirculation lines.
Sump flooding through 1 of 2 lines of the two recirculation trains with 1 MOV and 1 EV per path following core damage.
Flow from containment sump (via opening of either the squib valve flow path or the check valve/squib valve flow path) to the RCS (via the opening of either check 4 gravity injection lines, given the success of IRWST/gravity and failure of containment isolation.
In the next sections, common-cause failure basic events associated with the above missions are defined, and their failure probabilities are calculated.
29.4.6.2 Common-Cause Failure Models
In this section, the common-cause failure (CCF) models for the different missions defined in the previous section are modeled. The common-cause failure basic events are also defined. The probabilities of these basic events are calculated in the next section.
IW2AB
CCF of 6 HP injection EVs = 6 of 6 EVs* = IWX-EV-SA CCF of 4 injection CVs = 4 of 4 CVs = IWX-CV-AO
(1) (2)
Other common-cause failure combinations are of much lower probability, since they contain products of failures; thus they are not modeled.
*See Assumption 9 in Section 29.3.1.
Revision I
29. Common-Cause Analysis
29-15
AP1000 Probabilistic Risk Assessment
IWIA
The common-cause failures defined for IW2AB will fail this mission. Moreover, two other common-cause failures will also fail this mission. These are given below.
CCF of 6 HP EVs = 6 of 6 EVs* = IWX-EV-SA (1) CCF of 4 injection CVs = 4 of 4 CVs = IWX-CV-AO (2) CCF of 2 injection CVs = 2 of 4 CVs (V122A, 124A) = IWX-CVl-AO (3) CCF of 2 injection EVs = 2 of 6 EVs (123A, A125A) = IWX-EV1-SA (4)
*See Assumption 9 in Section 29.3.1
RECIRC
Failure of 2 of 2 low pressure EVs with failure of 2 of 6 high pressure EVs (V120A/B) will fail the whole system. Combinations of CV/EV/MOV common-cause failures that have a lower probability are not modeled.
CCF of 2 HP EVs = CCF of 6/6 HP EVs = LWX-EV-SA (1) CCF of 2 HP EVs = CCF of 2/6 HP EVs (V120A/B) = IWX-EV2-SA (6) CCF of 2 HP EVs = CCF of 3/6 HP EVs = IWX-EV3-SA (7) CCF of 2 LP EVs = 2/2 LP EVs (1 18A, 118B) = IWX-EV4-SA (8)
IWF '
Failure of two recirculation lines will fail the system. This includes common-cause failure of 2 LP recirculation EVs and common-cause failure of 2 recirculation motor-operated valves (MOVs).
CCF of 2 MOVs = 2/2 MOVs (1 17A, 117B) = IWX-MV-GO (5) CCF of 2 LP EVs = 2/2 LP EVs (118A, 118B) = IWX-EV4-SA (8)
RECIRCI
Failure of 2 of 2 low pressure EVs, with failure of 2 HP EVs (V120 A/B) will fail the whole system. If containment isolation fails, failure of 3 of 4 recirculation EVs will fail the system. Combinations of CV/EV/MOV common-cause failures have a lower probability, and are not modeled.
CCF of 2 HP EVs = CCF of 6/6 HP EVs = IWX-EV-SA (1) CCF of 2 HP EVs = CCF of 2/6 HP EVs (V120A/B) = IWX-EV2-SA (6) CCF of 2 HP EVs = CCF of 3/6 HP EVs = IWX-EV3-SA (7) CCF of 2 LP EVs = 2/2 LP EVs (118A, 11 8B) = IWX-EV4-SA (8)
Revision 1
29. Common-Cause Analysis
29-16
AP1000 Probabilistic Risk Assessment
29.4.6.3 Common-Cause Failure Calculations
In section 29.4.6.2, eight common-cause failures basic events are defined. In this section, their common-cause failure probabilities are calculated. These basic events are:
IWX-EV-SA IWX-CV-AO IWX-CV 1-AO IWX-EV 1-SA IWX-MV-GO IWX-EV2-SA IWX-EV3-SA IWX-EV4-SA
CCF of 6/6 IRWST (HP) EVs. CCF of 4/4 IRWST injection CVs. CCF of 2/4 (V 122A, 124A) IRWST injection CVs. CCF of 2/6 IRWST injection (HP) EVs (V123A, V125A). CCF of 2/2 sump recirculation MOVs. CCF of 2/6 (HP) sump recirculation EVs (V120A/B). CCF of 4 combinations of 3/6 IRWST (HP) EVs. CCF of 2/2 sump recirculation (LP) EVs.
The random failure probabilities and common-cause failure data for the three types of valves are as follows:
Basic Event
Random Failure
Probability (Ur.)
IWX-CV-AO 2.OOE-07
IWX-CV1-AO 2.00E-07
IWX-EV-SA N/A
IWX-EV3-SA N/A
IWX-EV1-SA N/A
IWX-EV2-SA N/A
IWX-EV4-SA N/A
IWX-MV-GO 1.OOE-05
29.5
Random Failure
Probability
1.75E-03 /d.
1.75E-03 /d.
5.80E-04 /d.
5.80E-04 /d.
5.80E-04 /d.
5.80E-04 /d.
5.80E-04 /d.
8.76E-02 /d.
CCF Combinations Grouping of Failures
CommonCause
MultiplierCCF
Probability
1 1.70E-02 3.OOE-05 /d.
I 3.47E-04 6.07E-07/ d.
4/4
2/4
6/6
3/6
2/6
2/6
2/2
2/2
1 0.045 2.60E-05 /d.
4 0.0005 1.16E-06 /d.
1 0.01
1 0.01
1 0.1
1 0.05
5.80E-06 /d.
5.80E-06 /d.
5.80E-05 /d.
4.40E-03 /d.
Results
In each system analysis, the common-cause basic events needed are defined and are reported in a table. These basic events are analyzed and their probabilities of failure are calculated and reported in this section.
The common-cause failure probabilities are given in Table 29-2. These probabilities are either calculated in the table, or are reported and referenced in the table.
References
29-1 "Advanced Light Water Reactor Requirements Document," Vol. III, Appendix A to Chapter 1, "PRA Key Assumptions and Ground Rules," EPRI Rev. 5&6, 12/93.
Revision 1
1. 2. 3. 4. 5. 6. 7. 8.
Master Data Bank Location
051
105
860
062
862
862
861
061
29.6
29. Common-Cause Analysis
29-17
Table 29-1
ELECTRICAL COMPONENTS WITH LOW CCF RATE
Mean (1) (d =
demand Error I.D. Simon File Mission CCF Component Failure Mode hr = hour) Factor Code Line # Time (hr) p(2) Rate
Circuit Breaker Spurious open 6.OE-7/hr 3 -- CB---RQ 515 24 0.05 7.2E-7/d (>4 kV)
Circuit Breaker Spurious open 5.OE-7/hr 3 -- CR---RQ 495 24 0.05 6.OE-6/d (<600 V)
Relay Contacts fail to 1.OE-4/d 10 ---RE---CA 561 0.05 5.OE-6/d (electromechanical) operate (open or 1.OE-6/hr
close) Operate spuriously to 10 ---RE---DQ 563 24 0.05 1.2E-6/d de-energize state
Electrical Failure during 2.OE-7/hr 5 ---BS---LF 531 24 0.05 2.4E-7/d Buswork operation
Transformer High voltage: failure 1.2E-6/hr 3 ---TR---HF 541 24 0.05 1.4E-6/d to continue operating
Fuse Spurious opening 5.OE-7/hr 10 ---FU---RQ 521 24 0.05 6.OE-7/d
Relay Spurious operation 2.OE-7/hr 10 ---RS--AA 986 24 0.05 2.4E-7/d
Notes: 1. Value from AP600 PRA 2. Beta factor from Reference 29-1.
29-18
Revision 1
29-18
AP1000 Probabilistic Risk Assessment29. Common-Cause Analysis
Revision 1
29. Common-Cause Analysis AP1000 Probabilistic Risk Assessment
Table 29-2 (Sheet 1 of 5)
COMMON-CAUSE FAILURE CALCULATIONS
Basic Event Identifier Description Failure Probability MDB Comments
ACX-CV-GO Accumulator check valves V028A/B 2E-7/hr x (17520/2) x 2.9E-2 = 49 or V029A/B fail to open 5.1E-5/d
ACX-TK-AF Both accumulator tanks fail 1 E-7/hr x 24 x 5E-2 = 1.2E-7/d 50
ADX-EV-SA ADS EVs of fourth stage fail to open 3.OE-5/d 46 29.4.3
ADX-EV-SA2 6 combinations of 2/4 ADS EVs fail to 5.9E-05/d 40 29.4.3 open
ADX-MV-GO ADS MOVs of first, second, third 7.48E-4/d 45 29.4.5/1E3 stages fail to open
ADX-MV3-GO 32 combinations of 3 stage 2 & 3 3.24E-4/d 35 29.4.5/1E3 MOVs failure to open
ADX-MV1-EB ADS MOVs fail remain closed - 8.2E-8/d 435 29.4.5/E1 medium LOCA
ADX-MV2-EB ADS MOVs fail remain closed - 1.64E-7/d 436 29.4.5/El medium LOCA
ADX-MV3-EB ADS MOVs fail remain closed - large 4.26E-8/d 437 29.4.5/E2 LOCA
CAX-CM-ER CAS air compressors fail to run 1E-4/hr x 24 x 5E-2 =l.2E-4/d 80
CCX-AV-LA CMT AOVs fail to operate to 6.2E-5/d 41 29.4.4/D1 de-energized position
CCX-BC-SA Battery chargers on IDS fail to 7E-6/hr x 24 x 5E-2 = 8.4E-6/d 848 IDS continue operating
CCX-BC-SA1 Battery chargers on EDS fail to 7E-6/hr x 24 x 5E-2 = 8.4E-6/d 848 EDS continue operating
CCX-BL-ER Tower blower fans fail to continue 1E-5/hr x 24 x 5E-2 = 1.2E-5/d 44 VWS operating
CCX-BY-PN Battery on IDS fail to operate 4.7E-5/d 849 29.4.1/Al
CCX-BY-PNI Battery on EDS fail to operate 5.7E-5/d 850 29.4.1/A2
CCX-HE-AF CCS HXs leak or plug 1E-6/hr x 24 x 5E-2 = 1.2E-6/d 434
CCX-IV-XR Inverters 125 vdc/120 vac on IDS fail 2E-5/hr x 24 x 5E-2 = 2.4E-5/d 846 IDS to continue operating
29-19
Revision I
'AP1000 Probabilistic Risk Assessment29. Common-Cause Analysis
Revision I29-19
29. Common-Cause Analysis APlOOO Probabilistic Risk Assessment
Table 29-2 (Sheet 2 of 5)
COMMON-CAUSE FAILURE CALCULATIONS
Basic Event Identifier Description Failure Probability MDB Comments
CCX-IV-XR1 Inverters 125 vdc/120 vac on EDS fail 2E-5/hr x 24 x 5E-2 = 2.4E-5/d 846 EDS to continue operating
CCX-PM-ER Motor-driven pumps fail to run 2.5E-5/hr x 24 x 2.3E-2 = 42 Intersys 1.4E-5/d CCS, TCS,
VWS
CCX-RE-TA Static transfer switches on 120 vac 2.5E-6/hr x 24 x 5E-2 = 3E-6/d 847 IDS IDS fail to transfer
CCX-RE-TA1 Static transfer switches on 120 vac 2.5E-6/hr x 24 x 5E-2 = 3E-6/d 847 EDS EDS fail to transfer
CDX-AV-AA CCF Condensate System AOVs 1E-6/hr x 24 x 8.8E-2 = 2.1E-6/d 74 V022&V025 -spurious closure
CDX-PM-ER Condensate pumps POIA/B fail to run 2.5E-5/hr x 24 x 9.9E-3 = 73 5.9E-6/d
CIX-AV-LA Containment isolation AOVs fail to 1E-6/hr x (17520/2) x 8.8E-2 = 95 operate to de-energized position 7.7E-4/d
CMX-AV-LA AOVs in one CMT line fail to open 9.6E-5/d 103 29.4.4/1D2
CMX-CV-GO CMT check valves VO16A/B and 2E-7/hr x (17520/2) x 2.9E-2 = 47 V017A/B fail to open 5.1E-5/d
CMX-TK-AF CMT tanks 002 A/B failure 1 E-7/hr x 24 x 5E-2 = 1.2E-7/d 48
CVX-MV-GC2 CVS MOVs (V090/091) (SGHL Fr) 1E-5/hr x 17520/2 x 5E-2 = 36 fail to close 4.4E-3/d
CVX-PM-ER CVS P01A/B fail to run 2.5E-5/hr x 24 x 6.2E-2 = 53 3.7E-5/d
CWX-PM-ER CWS pumps fail to run 2.5E-5/hr x 24 x 2.3E-2 = 78 1.4E-5/d
ECX-CB-GC 6.9 kV circuit breakers fail to close 8.3E-7/hr x (17520/2) x 0.1 = 841 7.3E-4/d
ECX-CB-GO 6.9 kV circuit breakers fail to open 4.8E-7/hr x (17520/2) x 0.1 = 844 4.2E-4/d
FWX-AV-AA MFW modulated AOV-V25OA/B 1E-6/hr x 24 x 8.8E-2 = 2. 1E-6/d 65 spurious closure
Revision 1
29. Common-Cause Analysis AP1000 Probabilistic Risk Assessment
29-20
29. Common-Cause Analysis AP1000 Probabilistic Risk Assessment
Table 29-2 (Sheet 3 of 5)
COMMON-CAUSE FAILURE CALCULATIONS
Basic Event Identifier Description Failure Probability MDB Comments
FWX-CV2-GO SFW check valves V012 A/B fail to 2E-7/hr x 2190/2 x 2.9 E-2 = 71 open 6.4E-06/d
FWX-HV-AA CCF of MFW isolation valves V057 1.0E-6/hr x 24 x 5E-2 = 1.2E-6/d 55 A/B - spurious closure
FWX-MV2-GO SFW MOV-013A/B fail to open 1E-5/hr x (2190/2) x 5E-2 = 69 5.5E-4/d
FWX-PM-ER Main FW pumps or booster pumps fail 2.5E-5/hr x 24 x 9.9E-3 = 64 to run 5.9E-6/d
FWX-PM2-ER SFW pumps P03A/B fail to run 2.5E-5/hr x 24 x 9.9E-3 = 68 5.9E-6/d
FWX-PM2-FS SFW pumps P03A/B fail to start 5E-6/hr x (2190/2) x 9.8E-2 = 67 5.4E-4/d
IWX-CV-AO CCF of 4 of 4 check valves in IRWST 3.0E-5/d 51 29.4.6 injection trains.
IWX-CV1-AO CCF of 2/4 check valves in one 6.07E-7/d 105 29.4.6 IRWST injection train (V122A & 124A).
IWX-EV-SA CCF of 6/6 IRWST HP EVs 2.6 E-05/d 860 29.4.6
IWX-EV1-SA CCF of 2/6 HP EVs (V123A and 5.80E-06/d 862 29.4.6 125A)
IWX-EV2-SA CCF of 2/6 HP EVs (V120A and 5.80E-06/d 862 29.4.6 120B)
IWX-EV3-SA CCF of 3/6 HP EVs 1.16 E-06/d 62 29.4.6
IWX-EV4-SA CCF of 2/2 LP EVs (V118A and 5.80E-05/d 861 29.4.6 V118B)
IWX-FL-GP CCF of IRWST strainers plugging 1E-5/hr x 24 x 5E-2 = 1.2E-5/d 99 during operation
IWX-MV-GO CCF of MOVs in both recirculation 4.4E-3/d 61 29.4.6 trains
IWX-PLUG CCF of orifices in IRWST injection 8.3E-8/hr x (17520/2) x 0.1 = 108 -OR-SP lines plugging 7.3E-5/d
29-21
Revision 1
AP1000 Probabilistic Risk Assessment29. Common-Cause Analysis
29-21 Revision I
29. Common-Cause Analysis AP1000 Probabilistic Risk Assessment
Table 29-2 (Sheet 4 of 5)
COMMON-CAUSE FAILURE CALCULATIONS
Basic Event Identifier Description Failure Probability MDB Comments
IWX-MTRLW MOVs on recirculation line fail to 5E-9/hr x 24 x 7.7E-2 = 9.2E-9/d 958 -MV-RP remain open
MSX-AV2-FA CCF of steam dump valves (2 out of 2 3E-6/hr x 17520/2 x 8.8E-2 = 63 fail to open) 2.3 1E-3/d
MSX-AV4-FA CCF of steam dump valves (2 out of 4 4 x 3E-6/hr x 17520/2 x 75 fail to open) 1.90E-03 = 2.00E-4/d
PCX-AV-LA PCS AOV-V001 A/B fail to open 1E-6/hr x (2190/2) x 8.8E-2 = 84 9.6E-5/d
PRX-HR-ML CCF of PRHR HXs leak 1E-7/hr x 24 x 5E-2 = 1. 2E-7/d 52
PXX-AV-LA AOVs fall to operate to de-energized 1E-6/d x 2190/2 x 8.8E-2 = 58 position 9.6E-5/d
PXX-AV-LAI Failure of IRWST gutter AOVs to See calculation for PXX-AV-LA 58 operate to de-energized position
RCX-RB-FA Reactor trip breakers fail to open 1.8E-4/d N/A 29.4.2
REX-FL-GP CCF of IRWST recirculation sump 1 E-5/hr x 24 x 5E-2 = 1.2E-5/d 99 strainers plugging during recirculation
RNS-HE-CCF CCF of 2/2 RNS heat exchangers See TCX-HE-AF 34
RNX-CV-GO NRHR check valves 2E-7/hr x (17520/2) x 2.9E-2 = 59 V0l5A/V015B/V0l7A/V017B fail to 5.1 E-5/d open
RNX-KV-GO NRHR stop check valves V007A/B 5.6E-6/hr x 2190/2 x 0.1 = 60 fail to open 6.1E-4/d
RNX-KV1-GO NRHR stop check valves V007A/B 5.6E-6/hr x 17520/2 x 0.1 = 4.9 870 fail to open E-03/d
RNX-PM-ER NRHR pumps PO1A/B fail to run 2.5E-5/hr x 24 x 2.6E-2 = 1.6E-5 57
RPX-CB-GO 6.9 kV circuit breakers fail to open 4.8E-07 x (17520/2) x 0.10 = 844 4.2 E-04/d
RNX-PM-FS NRHR pumps POIA/B fail to start 5E-6/hr x (2190/2) x 0.14 = 56 7.7E-4/d
SGX-AV-FA CCF of SFW AOV-255A/B on 3E-6/hr x 24 x 8.8E-2 = 6.3E-6/d 70 discharge lines A/B to operate properly
Revision 1
29. Common-Cause Analysis AP1000 Probabilistic Risk Assessment
29-22
29. Common-Cause Analysis APi 000 Probabilistic Risk Assessment
29-23
Revision 1
Table 29-2 (Sheet 5 of 5)
COMMON-CAUSE FAILURE CALCULATIONS
Basic Event Identifier Description Failure Probability MDB Comments
SGX-MV-RP CCF of SFW MOVs 067A/B to 1.4E-07/hr x 2190/2 x 5E-2 = 72 remain open 7.67E-6/d
SWX-PM-ER SWS pumps fail to run 2.51E-5/hr x 24 x 2.3E-2 = 76 1.4 E-5/d
TCX-HE-AF TCS HXs leak or plug 1E-6/hr x 24 x 5E-2 =1. 2E-6/d 43
VLX-HI-SA CCF hydrogen igniters fail to operate 3.6E-7/hr x 17520/2 x 0.1 853 3.2E-4/d
VWX-RF-ER CCF to run of chillers 1.0 E-5/hr x 24 x 5E-2 = 116 1.2E-5/d
VWX-TK-AF CCF of chilled water high capacity air 1E-7/hr x 24 x 5E-2 = 1.2E-7/d 83 separator tanks MV03/5/7 (catastrophic failure)
ZOX-BL-ES CCF of fans to start (monthly tested) 6E-4/d x 0.1 = 6E-5/d 824
ZOX-BL-ER CCF of fans to run for 2.5 hrs IE-5/hr x 2.5 x 5E-2 = 1.3E-6/d 825
ZOX-DG-DR CCF of DGs to run for 2.5 hours 2.4E-3/hr x 2.5 x 7.3E-2 = 4.4E- 842 4/d
ZOX-DG-DS CCF of DGs to start 1.4E-2/d x 2E-2 = 2.8E-4/d 843
ZOX-FL-GP CCF of DG filters to plug 1E-5/hr x 2.5 x 5E-2 = 1.3E-6/d 832
ZOX-PD-ER CCF of DG engine-driven fuel pumps 1E-3/hr x 2.5 x 5E-2 = 1.3E-4/d 829 to run for 2.5 hrs (four pumps per DG) I
ZOX-PD-ES CCF of DG engine-driven fuel pumps 2E-2/d x 0.1 = 2E-3/d 830 to start (four pumps per DG)
29. Common-Cause Analysis AP1000 Probabilistic Risk Assessment
29-23 Revision I
AP1000 Probabilistic Risk Assessment
Notes: M represents the number of components in the analysis group. Subscript K represents the number of failed components. Qr is the component independent failure.
Revision 1
Table 29-3
SIMPLIFICATION OF QK/QT EQUATIONS
M Q1 Q2 Q3 Q4 Qs Q6 Q7 Qs Q9 Q10 Qn Q12
1 1 ....
2 1-J3 [3 -
3 1-13 (1/2)13(1-),) 13v -
4 1-13 (1/3)0l(1-/) (1/3 )13y(1- 8 ) 13y8 -
5 1-f3 (1/4)fl(1-y) (1/6)fly(1-8) 0 13y8 -
6 1-fl (1/5)03(1-y) (1/10)fly(1-8) 0 0 ly58 -
7 1-f3 (1/6 )fl(1-y) (1/15)p3y(l-8) 0 0 0 1ly6 -
8 1-fl (1/7)J3(1-y) (1/21)fly(I-8) 0 0 0 0 fly8 -
9 1-fl (1/8)f3(1-y) (1/2 8 )fly(1-8) 0 0 0 0 0 ly58 -
10 1-fl (1/9)f3(1-y) (1/3 6 )PAy(l- 8 ) 0 0 0 0 0 0 f7y8 -
11 1-fl (1110)f3(1-y) (1/45)f3y(1-8) 0 0 0 0 0 0 0 oys8 -
12 1-fl (1/11)[3(1-y) (1/55)fly(1-8) 0 0 0 0 0 0 0 0 fly5
29. Common-Cause Analysis
29-24
29. Common-Cause Analysis AP1000 Probabilistic Risk Assessment
l117A
TO AND -< FROM SUMPd IN~
FROM SUMP
119A 120A
122A
123A j
IRST TANK
124A
*f "X,
125A
ItII
122B
123B ItII
TO RCS
HP EVs Injection. CVs Rec. CVs ReciSump MOVs LP EVs
117B
1188 ,f ,Q F TO AND
/ / /FROM SUMP
F-FROM SUMP
1208 1198
124B
S\.J
1258
U1I
TO RCS
123A/B, 125 MB, 120 A/B. 122A/B, 124 A/B. 119 A/B. 117 A/B. 118 A/B. Valves
IRWST Valve Configuration
Revision 1
6 4 2 2 2 16
Figure 29-1
29. Common-Cause Analysis . AP1000 Probabilistic Risk Assessment
29-25
AP1000 Probabilistic Risk Assessment
ATTACHMENT 29A
COMMON-CAUSE ANALYSIS GUIDELINES
29A.1 Introduction
Dependent failures are those failures that defeat the redundancy that is employed in the design to improve the availability of some plant functions such as a coolant injection, etc.
In the absence of dependent failures, separate trains of a redundant system, or diverse methods of providing the same function, are regarded as independent, so that the unavailability of the function is essentially the product of the unavailability of the separate trains or diverse systems.
However, a dependent failure arises from some causes that fail more than one system or more than one train of a system simultaneously, or in a short interval (during the mission time or during two surveillance tests). Thus the effect of dependent failures is to increase the unavailability of the function with respect to the situation of the independence.
This guidebook describes the methodology to consider the different types of dependent failures, with particular emphasis for common-cause failures (CCFs), in which two or more component fault states exist at the same time or in a short time interval and are a direct result of a shared cause.
The methodology is in compliance with the Electric Power Research Institute (EPRI) ALWR Requirements (Reference 29A- 1).
29A.2 Types of Dependencies
The following paragraphs discuss the types of dependencies that should be considered in the present Probabilistic Safety Study (PSS) analysis:
Sequence Functional Dependencies, which indicate the effects of the status of one system or safety function on the success or failure of another.
These dependencies are expected to be addressed in the event tree analysis chapter (Chapter 40).
Particular care should be used to consider the dependencies due to interactions of core-cooling systems and containment systems, where the response of containment or containment systems may impact the ability of the system providing core cooling to continue to operate.
Intersystem Dependencies, including both hard-wired dependencies (e.g., through electric power, cooling water, interlocks, permissive, etc.) and functional dependencies (e.g., ambient cooling, adequate net-positive suction head, etc.). These are incorporated explicitly in the different system fault trees using the same basic event name or the same
29A. Common-Cause Analysis Guidelines
29A-1 Revision I
subtree name (SUB-XXXXXX) to identify the same component failure mode or the same supporting system failure mode.
Furthermore, in the system notebooks, a Dependency Matrix showing the dependencies among the frontline and supporting systems will be reported.
* Inter-component Dependencies, also called common-cause failures, due to shared root causes of failures. These dependencies shall be modeled and quantified using the methodology described in the following Sections 29A.3, 29A.4, 29A.5 and 29A.6.
* Dependencies due to Human Actions, such as incorrect calibration of sensors or instruments, or such as diagnostic error which might affect the manual actuation of redundant systems are explicitly modeled as separate events in the fault trees and are evaluated in human reliability analysis.
29A.3 Common-Cause Failures Definition
The multiple dependent failures, whose root causes are not modeled explicitly in the plant model, are defined as common-cause failures. The common-cause events are treated using the parametric common-cause models discussed in Section 29A.6.
In particular, in the present analysis, it is assumed that sequence functional dependencies, intersystem dependencies, and most of the dependencies due to human actions, such as plant staff errors of omission and commission (i.e., failure to follow a correct procedure, or incorrect calibration of instruments, or failure to restore components to service after test or maintenance) are addressed explicitly in the plant model, where they are included as separate events.
It is further assumed that common-cause initiating events are explicitly addressed under external events (e.g., earthquake) and specific internal events. Therefore, only root-cause events leading directly to multiple component outages from the shared cause and coming from the following categories are addressed:
"* Design/Manufacturing/Construction Installation Inadequacy, or Internal Causes "* Abnormal Environmental Stress "* Maintenance or Operation Actions not explicitly modeled (addressed hereafter).
Design/Manufacturing/Construction/Installation Inadequacy encompasses actions and decisions during design, manufacturing or installation of components both before and after the plant is operational. Also included in this category is the malfunctioning of something internal to the component as a result of normal wear-out or other intrinsic failure and the influence of the normal ambient environment of the component. These root-cause events affect similar components.
Abnormal Environmental Stress includes all causes related to a harsh environment that are not within a component's specific design criteria. Table 29A-1 contains illustrated dependencies coupled by a common environment as derived from NUREG/CR 2300
Revision 1
29A. Common-Cause Analysis Guidelines AP1000 Probabilistic Risk Assessment
29A-2
(Reference 29A-2). This type of root-cause event affects equipment in the same location that is sensitive to the same harsh environment.
Maintenance or Operator Actions affect equipment operated according to the same
procedures. Errors include procedure error, plant staff error and scheduled or unscheduled maintenance.
Only the multiple failures due to root causes that are not explicitly modeled should be
considered in the common-cause failure category. Generally, they are related to operator
errors in sub-components at a level lower than those normally considered in the fault tree
construction. Examples of potential root-cause events leading to common-cause failure are:
"* Use of improper lubrication type which might damage equipment "* Lack of sufficient antifreeze liquid in the diesel radiator during severe cold weather "* Wrong setting of protection device (such as torque switch) if not explicitly modeled
Instead, the failure to restore components to service after their isolation for test and maintenance are explicitly modeled in the fault trees and should not be considered again.
29A.4 Methodology
The methodology described in the EPRI NP-5613 report (Reference 29A-3) on common-cause analysis procedures shall be used.
One of the most important tasks is the identification of the common-cause component groups to be considered in the analysis. The common-cause component group is defined as a group
of (usually similar) components that are considered to have a potential of failing due to the same cause. This identification is based on a qualitative screening analysis within each system and among different redundant systems performing the same function.
This qualitative analysis is based on the fact that common-cause failures, and generally dependent failures, can be thought of as resulting from the coexistence of two factors:
" A susceptibility for components to fail or to be unavailable from a particular root cause of failure
" A coupling mechanism that creates the conditions for multiple components to be affected by the same cause simultaneously or in short time.
The susceptibility to root cause and the coupling mechanisms can be reduced if design or operational defenses are present.
These defenses will provide the bases to screen out a component from the common-cause component group. Section 29A.5 provides a more detailed procedure. Quantification of the common-cause component group, which is not screened out, is needed.
29A-3 Revision 1
APIO00 Probabilistic Risk Assessment
Revision I29A-3
For screening purposes the generic "beta" factors reported in Reference 29A-1 should be used. These beta factors are collected from the common-cause factors presented in Reference 29A-1. The values are derived from the common-cause factors for two-of-two failures.
For the components not listed in the previous sources, a generic "beta" factor value of 0.1 should be used if the number of components that could lead to the failure of the function is low (approximately 5). Otherwise, a value of 4.5E-2 will be used for "failure to operate" and 2.3E-2 for "failure to continue to operate" as derived from the multiplication of values for 0, -, 8 reported in Reference 29A-1 for generic components. Exception is made for microprocessor based components (boards or cards) for which a dedicated analysis is performed and reported in the Protection and Safety Monitoring System analysis and Plant Control System analysis of the PRA.
For the cases in which the analyst desires to investigate the effects of levels of redundancy beyond two-fold, or if the use of a single factor for a common-cause failure of more than two components within a group leads to overestimation of an important sequence frequency, the Multiple-Greek Letter (MGL) approach will be used.
In these cases, the common-cause factors reported in Reference 29A-1 should be used or, in lack of those, an in-depth analysis should be performed according to the methodology reported in Section 3.3 (common-cause modeling and data analysis) of EPRI-5613 (Reference 29A-3). In Section 4 of Reference 29A-3, some examples of application of the methodology are given.
An in-depth analysis, according to Reference 29A-3, should also be performed when the common-cause component group results in a dominant contributor to the plant risk and there are reasons to believe that the data of Reference 29A-1, or the generic beta factor value of 0.1, is too conservative.
29A.5 Common-Cause Failures Calculation Procedure
Two distinct procedures are hereafter described according to whether the common-cause failure evaluation should be performed for common components group within the system or among more systems.
For the passive plants (AP1000), there is a need to consider the common-cause failures also among systems while, for the PRA of the present plants, generally the analysis is limited to intra-system common-cause failure. The reason is that the supporting systems, such as the diesel generators and the service water systems, are traditionally the dominant contributors for the present plant generation because many redundant systems are dependent on them.
Therefore, the common-cause failures of the components of the supporting systems are the dominant contributors, such that the increase of the model complexity by inserting other intersystem common-cause failure for other components might not be worthwhile.
Revision 1
I
29A. Common-Cause Analysis Guidelines AP1000 Probabilistic Risk Assessment
29A-4
The passive systems have very slight dependencies from support systems such that the common-cause failure of other components (e.g., check valves) have the potential for becoming more important.
The common-cause failures within a system are those failures that affect only the components of that system susceptible to the same root cause, considered as completely independent from other plant systems. For this case, the analysis is performed considering the different alignment that the system can assume and identifying all probable common-cause failures.
The common-cause failures among systems are those failures that can affect the components susceptible to the same root cause in different plant systems. For these common-cause failures, the analysis will be performed later in the program when the event tree sequences and, therefore, the front-line systems, called upon to perform the mitigating function, are identified.
In the first phase of the analysis, the system analyst, together with the common-cause failure analyst, must identify only the common-cause failures within the system and model those into the fault tree.
The common-cause failure analyst will provide data for the quantification of these common-cause failures, according to the generic beta factors reported in Reference 29A-1.
Later, the common-cause failure analyst will identify the common-cause failures among the systems and their value, and together with the system analyst, will insert them into the fault trees.
Where a common-cause failure among the systems is discovered to already be considered as a common-cause failure within the system, its identification name will be changed to allow for identifying similarities among more systems using the WLINK3 Code System.
29A.5.1 Procedure for Treatment of Common-Cause Failures Within a System
Before starting a common-cause failure analysis, it is strongly recommended that a table be created which identifies for each system, and for each fault tree performed, the components (and the related failure modes) that are required to change status. This type of table can easily provide all component failures considered in the fault tree models.
Such a table should be provided by each system analyst, as part of a system calculation note, irrespective of the common-cause failure analysis.
The following procedure should be used to model and evaluate common-cause failure within a system:
Step 1: Identification of Common-Cause Component Groups
In this step, important common-cause component groups are identified for inclusion in the system fault tree. A typical component group contains components of the same type which might cause failure of redundant loops of the system by the same failure mode.
AP1000 Probabilistic Risk Assessment
29A-5 Revision I
29A. Common-Cause Analysis Guidelines AP1000 Probabilistic Risk Assessment
Common-cause events for other component groups in a system may be defined if it appears that such an event would be an important contributor to system unavailability. These events may also be defined if the components in the group can be linked to conceivable common-cause failures such as those defined previously (design/manufacturing/construction inadequacy, abnormal environmental stress, etc.).
Common-cause failures due to abnormal environmental stress will be eventually accounted only for components that are located inside the containment. This is because the systems located outside the containment are assumed to be in separate rooms and, therefore, no common environmental conditions can affect them.
The components identified for inclusion in the common-cause failure analysis should not only be of the same type (pumps, valves, etc.), but should also meet all the following conditions:
" Same initial conditions (i.e., normally open, normally closed, energized, de-energized, etc.) and operating characteristics (normally running, standby). One valve that is normally open and another valve which is normally closed should not be included as a common-cause component group.
" Same use or function such as system isolation, flow modulation, parameter sensing, motive force, etc. For example, a check valve in the discharge lines of the safety injection system (e.g., accumulator discharge valves) and a check valve that follows a pump should not be included in the same common-cause component group.
" Same failure mode (failure to open on demand, failure to start on demand, etc.). A normally operating pump that fails to run and a standby pump that fails to start and run should be included in the same common-cause group only for the pump failure to run.
Also, diverse redundant components that have piece parts that are identically redundant, and are not already contained in the common-cause component groups previously identified, should not be assumed to be fully independent. One approach in this case is to break down the component boundaries and identify the common piece parts as a common-cause component group (this could be the case of the electrical motors used in both pumps and fans).
Components affected by maintenance or operator errors (not already explicitly modeled) and operated according to the same procedures might belong to this group. This will be performed only if this event is estimated to be an important contributor. Examples are limit or torque switch setting error, use of improper lubrication, etc.
The analysis should also identify these potential common-cause failures and justify the reason for eventually screening them out (e.g., components already considered negligible compared to other common-cause failures, detection during frequent operation, etc.).
Therefore, a table similar to Table 29A-2, which contains a list of the components activated (as provided by each system analyst), will identify if two or more components within the system can be affected by the same failure mode at the same time.
I
29A-6 Revision I
AP1000 Probabilistic Risk Assessment
Step 2: Quantitative Evaluation
Make a quantitative evaluation of the common-cause failures resulting from the qualitative screening. The evaluation should be performed at the beginning, using the beta factors reported in Reference 29A-1.
Step 3: Replacement of Common-Cause Failure in the Fault Tree and Quantification
Insert the common-cause failures evaluated in the fault tree, and try to understand if more common-cause failures can be coalesced in a module without impairing the identification of possible similarities.
Step 4: Re-quantification (If necessary)
If the common-cause method causes common-cause failures to be dominant contributors to system failure, core damage, or serious release, the data and process should be reevaluated to determine whether any conservatism might be removed.
For the cases in which the use of a single factor for a common-cause failure of more than two components within a group leads to overestimation of an important sequence frequency, the Multiple-Greek Letter (MGL) approach will be used.
In these cases, the common-cause factors reported in Reference 29A-1 should be used or, lacking those, an in-depth analysis should be performed according the methodology reported in Section 3.3 of EPRI NP-5613 (Reference 29A-3).
Step 5: Documentation
Each system notebook will report the common-cause failures considered together with their numerical evaluation and identification code.
29A.5.2 Procedure for Treatment of Common-Cause Failures Among More Systems
To identify potential common-cause failures among different systems, an expert opinion session is used. Fault tree analysts, as well as designers are a part of this session. In this session, the various component groups are discussed to see if they have common-cause potential among different systems, due to:
* Components being identical * Environment "* Test and maintenance related errors "* Other factors
If any common-cause candidates are found, they are documented. Then the failure probabilities for these components are calculated in the section.
29A-7 Revision 1
29A. Common-Cause Analysis Guidelines
29A-7 Revision 1
29A.6 Common-Cause Failure Numerical Evaluation
This section reports how the "beta" factors and the common-cause factors for the MultipleGreek Letter method should be used for a proper numerical evaluation of the common-cause failures.
29A.6.1 Evaluation through Beta Factor Method
The beta factor method assumes that Qr, the total failure probability of the specific component, can be expanded into independent (Q,) and dependent (Qoc) failure contributions:
QT = Qr + Qcc,
where Q, = (1-P) QT, and
QCC= P QT,
where "P3" is the conditional probability that the common cause of a component failure will be shared by one or more additional components. The "P3" value may be taken from Reference 29A-1.
For calculation ease we assume, conservatively, Qr = QT.
The failure probability QT is that taken from the Data Analysis section of the PRA. Therefore, the contribution of Qcc is easily found.
For each common-cause group, a single basic event that accounts for dependent failure should be inserted in the fault tree with each random component failure or, preferably, only one time at a highest level.
As an example, if motor-operated valves A, B, C and D have been identified as a common-cause group for the "failure to open" mode, this failure mode should be considered in the fault tree as follows:
Q, = QT = 4.E-3, as independent failure for each motor-operated valve to open, and
Qcc = 0.05 x 4E-3 = 2.OE-4, as concurrent failure of A, B, C and D due to common causes.
29A.6.2 Evaluation through Multiple-Greek Letter (MGL) Method
The Multiple-Greek Letter method model is an extension of the beta factor model. In this method, others parameters in addition to the beta factor, are introduced to distinguish among common-cause events affecting larger numbers of components in a higher order redundant system.
The Multiple-Greek Letter parameters consist of a set of failure fractions used to quantify the conditional probabilities of all the possible ways a common-cause failure of a component can be shared with other components in the same group, given a component failure has occurred.
Revision 1
I
29A. Common-Cause Analysis Guidelines
29A-8
For a system of "m" redundant components and for each given root cause, "m" different
parameters are defined. For simplification purposes, only the first three parameters are
generally used.
The first three parameters of the Multiple-Greek Letter model are:
P = conditional probability that the common cause of a component failure will be shared
by one or more additional components,
y = conditional probability that the common cause of a component failure that is shared
by one or more components will be shared by two or more components additional to the
first,
5 = conditional probability that the common cause of a component failure that is shared
by two or more components will be shared by three or more components additional to
the first.
Table 29A-3 shows the equations that are used to calculate the probability of a basic event
(Qk where 1 < k < m) involving the failure of four ("in") or fewer specific components.
The failure probability of a component due only to independent causes (therefore, not
common cause) is evaluated as:
Q1 = (1-P) QT that will be approximated at Qr
The meaning of the above common-cause (CC) factors is as follows:
CC Factor 2 of 4 = P3 (l-y)/3
CC Factor 3 of 4 = P3 y (1-8)/3
CC Factor 4 of 4 = P y 8
As example, for the case of four motor-operated valves identified as a common-cause group
for the "failure to open" mode, in the fault tree for each component, the following eight
distinct basic events should be considered:
for MOV "A": QA, QAB, QAC, QAD, QABC, QABD, QACD, QABCD
for MOV "B": QB, QAB, QBC, QBD, QABC, QABD, QBCD, QABCD
for MOV "C": Qc, QAC, QBC, QCD, Q~Ac, QACD, QBCD, QABCD
for MOV "D": QD, QAD, QBD, QCD, QACD, QBCD, QABD, QABCD
29A-9 Revision 1
AP1000 Probabilistic Risk Assessment
Revision I29A-9
the values are:
Q1 = QA = QB = Qc = QD = Qr = 4E-3, as independent basic event, and
Q2 = QAB = QBC = QBD = QAC = (CC Factor 2 of 4) x QT = 1.7E-3 x 4E-3 = 6.8E-6/d,
as common-cause failure of two components failing simultaneously, and
Q3 = QABC = QABD = QBCD = QACD = (CC Factor 3 of 4) x QT = 3.3E-3 x 4E-3 = 1.3E-5/d,
as common-cause failure of three components failing simultaneously, and
Q4 = QABCD = (CC Factor 4 of 4) x QT = 3.4E-2 x 4E-3 = 1.4E-4/d,
as common-cause failure of all four components failing simultaneously.
This method leads to some illogical combinations of events in the resulting system cutsets when more than two components are contained in a common-cause group.
For example, if three components are identified to be in the same common-cause group, cutsets of type QAB and QAC may appear. The definition of QAB and QAC events precludes their occurrence in logic "AND" otherwise, the component A would be supposed to have been failed twice by the same root cause. In general, the contribution of these type of cutsets is considerably smaller than that of cutsets like QABC, and thus the inclusion of this cutset does not make significant numerical difference to the results.
29A.7 References
29A- 1 "Advanced Light Water Reactor Requirements Document," Vol. III, Appendix A to Chapter 1, "PRA Key Assumptions and Ground Rules," EPRI Rev. 5&6, December 1993.
29A-2 NUREG/CR-2300 "PRA Procedure Guide," Volume January 1983
29A-3 EPRI NP-5613 "Procedure for Treating Common-Cause Reliability Studies," January 1988.
1, ANS and IEEE,
Failures in Safety and
Revision 1
I
29A. Common-Cause Analysis Guidelines AP1000 Probabilistic Risk Assessment
29A-10
29A Co mon-Cause Analysis Guidelines A10 rbblsi ikAssmn
Table 29A-1
EXTREME ENVIRONMENTAL CONDITIONS (GENERIC CAUSES OF DEPENDENT FAILURES)
EXCERPTED FROM THE ANS/IEEE PRA PROCEDURES GUIDE (NUREG-2300)
Extreme Condition Environmental
(Generic Cause) Example of Source Channel
I Impact Pipe whip, water hammer, missiles, structural failure, Common location, earthquakes* hydraulic coupling,
common structural base
2 Vibration Machinery in motion, earthquakes Common structural base
3 Temperature Fire*, hghtning*, welding equipment, cooling system Common location,
faults, electrical short circuits ventilation ducts
4 Moisture Condensation, pipe rupture, rainwater*, floods* Common location, ventilation ducts, hydraulic coupling
5 Pressure Explosion, out-of tolerance system changes (pump over- Common location, speed), flow blockage ventilation ducts,
hydraulic coupling
6 Grit Airborne dust, metal fragments generated by moving Common location, parts with inadequate tolerances, crystallized boric acid ventilation ducts from control system
7 Electromagnetic Welding equipment, rotating electrical machinery, Spatial proximity to
interference hghtning*, power supplies, transmission lines source
8 Radiation Neutron sources and charged-particle radiation Spatial proximity to source
9 Corrosion or other Acid, water, or chemical attack Common location,
chemical reaction ventilation ducts, hydraulic coupling
10 Conductive Medium Conductive gases Common location, ventilation ducts
*These events will be covered by the External and/or Internal Events Analysis
29A-1l
Revision 1
AP1000 Probabilistic Risk Assessment
Revision 129A-11I
Table 29A-2
COMMON-CAUSE FAILURES AMONG SYSTEMS
System "A" System "B"
1 Motor-driven Pump:
- fails to start
- fails to run X X
2 Check Valves:
- fails to open X X
- fails to close
3 Air-Operated Valves:
- fails to operate X
Revision 1
I
29A. Common-Cause Analysis Guidelines AP1000 Probabilistic Risk Assessment
29A-12
Table 29A-3
COMMON-CAUSE FAILURE EQUATIONS FOR MGL METHOD
Number of Failed Components (k)
Number of Components in Common-Cause Group (m) 1 2 3 4
2 QT 0(-1) QT -P ..
3 Qr (I-13) QT rP(l-7)/2 QTPY -
4 QT (1-13) QT P3(l-7)/3 QT P 0(l-6)13 QTP Y6
where:
Qr = total failure frequency of the component due to all independent events. This value can be obtained from the Data Analysis Section.
and common
29A-13
Revision 1
29A. Comnmon-Cause Analysis Guidelines AP1000 Probabilistic Risk Assessment
29A-13 Revision I