| ML20112F370 | |
|---|---|
| Person / Time | |
| Site: | Callaway |
| Issue date: | 02/03/2001 |
| From: | Christopher Hunter NRC/RES/DRA/PRB |
| To: | |
| Hunter C (301) 415-1394 | |
| References | |
| LER 483/01-002, LER 483/02-001 | |
Final Precursor Analysis
Accident Sequence Precursor Program --- Office of Nuclear Regulatory Research
Callaway
Foreign Object Renders the B Essential Service Water Pump Inoperable and Failure of the A Auxiliary Feedwater Pumps Due to Foreign Material in the Condensate Storage Tank
Event Date: 2/3/2001
LERs: 483/01-002 and 483/02-001
ΔCDP = 1x10^-5
August 19, 2004
Condition Summary
During 2001, two conditions occurred involving foreign material that affected safety-related equipment. In February 2001, a foreign object rendered the B essential service water (ESW) pump inoperable for 132 hours. In December 2001, foreign material from the condensate storage tank (CST) caused failure of the A motor-driven auxiliary feedwater (AFW) pump. The condition, a degraded seal on the tank's floating diaphragm, had existed for some time. Additionally, a component cooling water (CCW) pump was inoperable for 21 days due to improper maintenance.
Because the time period for AFW condition overlaps the ESW and CCW conditions, a single condition assessment for all three conditions was performed. (See Attachment 1 for a detailed timeline for these events.)
Event 1- Foreign object renders the B essential service water pump inoperable (LER 483/01-002)
On February 14, 2001, the B ESW pump was started to support performance of a surveillance procedure. Upon starting, the pump experienced low discharge pressure and flow. (The pump's flow and discharge pressure were 4 Mlbm/hr at 80 psi vs. its normal flow and discharge pressure of 7 Mlbm/hr at 140 psi.) The pump was secured and declared inoperable, rendering train B ESW inoperable. Had a loss of offsite power or other event requiring ESW system flow occurred while the B ESW pump was inoperable, safety systems supported by train B ESW, including the B emergency diesel generator, would not have been available to perform their safety function (Refs. 1, 2, and 3).
Cause. Pump inspection revealed a 20-foot-long section of 1.25-inch-diameter reinforced tygon hose wrapped around the rotor assembly in the first stage impeller of the pump casing, blocking a portion of the pump's suction path (Refs. 1, 2, 3, and 4).
Condition duration. At 2:15 p.m. on February 9, 2001, a leak collection rig was installed on the B ESW prelube tank. The rig consisted of a funnel with a 20-foot-long section of tygon hose attached to the funnel. The tygon hose detached from the funnel, fell into the pump bay, and was subsequently drawn into the pump's intake when the pump started. The hose was removed, and the pump was returned to service at 2:31 a.m. on February 15, 2001. The pump was inoperable for a period of 132 hours (from 2:15 p.m. on February 9, 2001, until 2:31 a.m. on February 15, 2001).
Recovery opportunities. Due to the cause of failure (i.e., tygon hose wrapped around the pump rotor assembly), the B ESW pump could not have been recovered in a timely manner during an accident condition.
An alternate source of water can be provided to the train B ESW system from either (1) the train A ESW pump, through a cross-connection, or (2) the train B normal service water (NSW) pump, if the pump has electric power and is operating (i.e., offsite power has not been lost).
To align flow from the train A ESW pump to train B, two locked-closed manual valves must be opened. To align flow from the train B NSW pump to the train B ESW system, operators must override a safety injection signal to the two motor-operated valves isolating the systems and open the valves. Because equipment directly cooled by the train B ESW system or by the train B component cooling water (CCW) system (which is cooled by the train B ESW) could fail before either of these actions could be taken, credit for an alternate source of water was not included in this assessment.
Event 2- Potential unavailability of the auxiliary feedwater pumps due to foreign material in the CST (LER 483/02-001)
On December 3, 2001, both motor-driven AFW pumps were manually started to support a plant shutdown. Both pumps started successfully, but the A pump failed to deliver sufficient pressure or flow. Inspection of the pump revealed that the pump was gas bound due to foreign material from the CST entering the pump (Refs. 5, 6, 7, and 8).
Cause. The cause of the A AFW pump failure was entry of foreign material into the pump's suction. A piece of foam from the CST's floating diaphragm had entered the AFW suction piping and become lodged in the eye of the A AFW pump's first-stage impeller, where it created a localized low pressure area, causing gases to come out of the solution. The gases created voids in the pump's casing, partially air-binding the remaining stages and rendering the pump incapable of developing sufficient discharge pressure and flow.
On January 26, 2002, inspection of the CST revealed damage to a 5-foot section of the diaphragm's foam seal ring. Several pieces of foam, a piece of cloth, and two small rubber pads were found in the tank's sump. Some caulking and two small rubber pads were found on the tank's floor. A 25-inch section of foam was hanging from the diaphragm. Failure of the seal ring on the tank's floating diaphragm was due to low-stress, high-cycle fatigue caused by years of constant nitrogen sparging of the tank (Refs. 6 and 8).
Condition duration. A limited inspection of the CST was performed on October 17, 2000; however, the inspection did not identify degradation of the tank's diaphragm. Therefore, the exact time when portions of the diaphragm's foam ring and fabric detached is not known. The time for the condition assessment is 1 year (8,760 hours) (footnote 1). The period selected for the analysis is from January 27, 2001, to January 26, 2002, the date that degradation of the foam seal ring and foreign material in the CST were discovered.
Prior to its failure to run on December 3, 2001, the A AFW pump was last tested on October 22, 2001. Because there is uncertainty about when foreign material entered the A AFW pump, this analysis conservatively assumes that the debris was in or near the line that it eventually clogged for the entire period (from October 22, 2001, to December 3, 2001), a total of 42 days (1008 hours).
Recovery opportunities. On December 3, 2001, following failure to run the A AFW pump, operators quickly vented the pump. However, the licensee did not declare the pump operable until December 5, 2001, 2 days later.
Footnote 1: The Accident Sequence Precursor Program limits the conditional assessment of risk to a 1-year period.
Other conditions, failures, and unavailable equipment. The licensee identified four instances when train A essential equipment was unavailable during the time period when the B ESW pump was inoperable (Ref. 1). They are as follows:
- For 2 minutes on February 12, 2001, the train A ESW flow to the train A containment coolers was isolated.
- For 4 hours and 42 minutes on February 12, 2001, the air conditioning unit for the train A class 1E electrical equipment room was inoperable.
- For 1 hour and 29 minutes on February 13, 2001, train A of the residual heat removal system was inoperable while hydrazine was being added.
- For 38 minutes on February 13, 2001, the room cooler for the train A safety injection pumps room was inoperable.
A review of licensee event reports and inspection reports for 2001 identified other equipment unavailabilities. They are as follows:
- For less than 4 hours on March 19, 2001, and for about 4.5 hours on June 12, 2001, the turbine-driven AFW pump was inoperable due to a failed steam trap on the turbine's steam supply line, while the drain bypass level valve was removed from service for maintenance (Ref. 9).
- For approximately 21 days (from November 15, 2001, until December 5, 2001), the C CCW pump was inoperable due to improper maintenance (failure to add the proper amount of lubricating oil), resulting in the pump suffering a bearing failure (Ref. 5).
Screening runs were made using the Callaway Rev. 3 simplified plant analysis risk (SPAR) model (Ref. 10) to evaluate the risk significance of these equipment unavailabilities. Except for failure of the C CCW pump, none of the equipment unavailabilities significantly contributed to risk. Therefore, only the failure of the C CCW pump was included in the analysis.
Analysis Results
Importance (footnote 2). The CST seal was assumed to be in a degraded state for the entire 1-year period, increasing the risk of failure for all three of the AFW pumps. The B ESW pump was unavailable for 132 hours of the year duration, the C CCW was unavailable for 504 hours, and the A AFW pump was unavailable for 1008 hours. To assess the overall risk significance of these three failures, the analysis was performed in four parts.
Footnote 2: Since this condition did not involve an actual initiating event, the parameter of interest is the measure of the incremental increase between the conditional probability for the period in which the condition existed and the nominal probability for the same period but with the condition nonexistent and plant equipment available. This incremental increase or importance is determined by subtracting the CDP from the CCDP. This measure is used to assess the risk significance of hardware unavailabilities, especially for those cases where the nominal CDP is high with respect to the incremental increase of the conditional probability caused by the hardware unavailability.
- Part 1 (132 hours) reflects the time period when the B ESW pump was inoperable in addition to the increased failure probability of all three AFW pumps due to debris in the CST.
- Part 2 (504 hours) reflects the time period when the C CCW and A AFW pumps were both inoperable in addition to the increased failure probability of the B motor-driven AFW pump and the turbine-driven AFW pump due to debris in the CST.
- Part 3 (504 hours) reflects the remaining time period when the A AFW pump was inoperable in addition to the increased failure probability of the B motor-driven AFW pump and the turbine-driven AFW pump due to debris in the CST.
- Part 4 (7620 hours) reflects the remaining time during which there was an increased failure probability of all three AFW pumps due to debris in the CST during the 1-year period at which Callaway was at power operations.
(See Attachment 1 for a detailed timeline for this analysis and a description of the time periods for the analysis.) The risk significance is determined by subtracting the nominal core damage probability from the conditional core damage probability:
| | Part 1 | Part 2 | Part 3 | Part 4 | Total |
|---|---|---|---|---|---|
| Conditional core damage probability (CCDP) - point estimate | 4.4E-06 | 2.9E-06 | 2.6E-06 | 3.0E-05 | 4.0E-05 |
| Nominal core damage probability (CDP) - point estimate | 4.2E-07 | 1.6E-06 | 1.6E-06 | 2.4E-05 | 2.8E-05 |
| Importance (CCDP) - point estimate - (CDP) - point estimate | 4.0E-06 | 1.3E-06 | 1.0E-06 | 5.6E-06 | |
| Importance (ΔCDP = CCDP - CDP) - point estimate | | | | | 1.2E-05 |

This is an increase of 1.2E-05 over the nominal CDP for the 1-year period for this condition assessment.
The Accident Sequence Precursor Program acceptance threshold is an importance (ΔCDP) of 1.0E-06, which these integrated events meet.
- Alternate to Part 1 reflects the time period when only the B ESW pump was inoperable for 132 hours.
- Alternate to Part 2 reflects the time period when only the C CCW inoperable in addition to the increased for 504 hours.
- Alternate to Part 4 reflects the time period when there was an increased failure probability of all three AFW pumps due to debris in the CST during the 1-year (8760 hours) period at which Callaway was at power operations.
| | ESW B only | CCW C only | AFW only |
|---|---|---|---|
| Conditional core damage probability (CCDP) - point estimate | 4.2E-06 | 1.8E-06 | 3.4E-05 |
| Nominal core damage probability (CDP) - point estimate | 4.2E-07 | 1.6E-06 | 2.8E-05 |
| Importance (CCDP) - point estimate - (CDP) - point estimate | 4.0E-06 | 1.6E-07 | 6.5E-06 |
Dominant Sequences. The dominant core damage sequence is from part 4 of the analysis. The dominant sequence is a transient (TRANS) sequence (Sequence 19), which contributes 15% to the total importance of all four parts. The events and important component failures in Sequence 19 (shown in Figure 1) include:
- TRANS occurs,
- reactor shutdown succeeds,
- AFW fails to provide sufficient flow,
- main feedwater fails to provide sufficient flow, and
- high-pressure injection (for feed and bleed) is unavailable.
Results Tables.
- The conditional probability of the dominant sequences is shown in Table 1.
- The event tree sequence logic for the dominant sequences is provided in Table 2a.
- Table 2b defines the nomenclature used in Table 2a.
- The conditional cut sets for the dominant sequences for parts 1, 2, 3, and 4 are provided in Tables 3a, 3b, 3c, and 3d respectively.
- Table 4 provides the definitions and probabilities for modified or dominant events.
Modeling Assumptions
Assessment summary. This event was modeled as an at-power condition assessment for 1 year. Rev. 3 of the Callaway SPAR model (Ref. 10) was used for this assessment. During the 1-year period, the B ESW pump was inoperable for 132 hours, and the C CCW pump was inoperable for 504 hours. The A AFW pump was inoperable for 1008 hours and was at an increased risk of failure due to foreign material from the CST for the rest of the condition duration. The other AFW pumps were at an increased risk of failure to run due to foreign material from the CST.
To appropriately model the various component unavailabilities and the degraded seal and foreign material in the CST, the condition assessment was performed in four parts. (See Attachment 1 for a detailed timeline for this analysis, a description of equipment downtimes, and time periods for the analysis.) The discussion below provides the bases for the analysis.
For this analysis, the only failure mode of the AFW pumps being considered is a condition where debris is blocking the pump suction. Actual ingestion of debris into the pump internals is assumed not to be a credible failure mode for this condition. Therefore, recovery of a pump from debris blocking the suction is assumed to be entirely recoverable with the recovery action being the venting of an air-bound pump.
Event and Fault Trees Modifications. The AFW pumps were at an increased risk for failure due to foreign material from the CST. This specific failure was not modeled in the AFW pump fault trees in the base SPAR model; therefore, the AFW-A, AFW-B, and AFW-TDP fault trees were updated to include failures due to debris ingestion in addition to the standard mechanical failure probabilities. The updated fault trees are shown in Figures 2 through 4. To properly model the debris ingestion failure, three new basic events were created for each pump. The new events represented (1) the probability that the pump ingests debris, (2) the probability that the pump fails to run due to debris ingestion, and (3) the probability that the operator fails to recover the pump's failure-to-run due to debris ingestion. The description and base values for each of the new events are as follows:
- Probability that debris is ingested into AFW MDP A (AFW-MDP-DI-1A). Under normal operating conditions there is no debris in the CST. Therefore, there is no opportunity for AFW MDP A to ingest debris. AFW-MDP-DI-1A was set to FALSE in the base case.
- Probability that debris is ingested into AFW MDP B (AFW-MDP-DI-1B). Under normal operating conditions there is no debris in the CST. Therefore, there is no opportunity for AFW MDP B to ingest debris. AFW-MDP-DI-1B was set to FALSE in the base case.
- Probability that AFW MDP A fails-to-run due to ingestion of debris (AFW-MDP-FRD-1A). During the event, AFW MDP A failed to provide sufficient pressure because the pump was gas bound due to foreign material from the CST entering the pump suction. Therefore, failure is assumed if debris blocks the suction of an AFW MDP. MDP-FRD-1A was set to TRUE in the base case.
- Probability that AFW MDP B fails-to-run due to ingestion of debris (AFW-MDP-FRD-1B). During the event, AFW MDP A failed to provide sufficient pressure because the pump was gas bound due to foreign material from the CST entering the pump suction, and since the B AFW pump has the same design and system setup, it is assumed that, given debris ingestion into the pump suction, the B pump would have failed in a similar manner. MDP-FRD-1B was set to TRUE in the base case.
- Probability that debris is ingested into AFW TDP (AFW-TDP-DI). Under normal operating conditions there is no debris in the CST. Therefore, there is no opportunity for AFW MDP B to ingest debris. AFW-TDP-DI was set to FALSE in the base case.
- Probability that AFW TDP fails-to-run due to ingestion of debris (AFW-TDP-FRD). The internal configuration of the TDP is fundamentally different from the internal configuration of the MDPs, and upon analysis of the type and size of the debris, it was determined that the TDP was less susceptible to failure due to debris ingestion as compared to the MDPs. AFW-TDP-FRD was assumed to be 5.0E-02 for the base case.
- Operator fails to recover AFW MDP A failure-to-run due to ingestion of debris (AFW-XHE-XL-MDPFRD-1A). For this analysis, the assumed AFW pump failure mode is debris blocking the pump suction, leading to air-binding in the pump. Therefore, the recovery considered in this event is the operator recovery of an air-bound pump. Using the SPAR Human Error Model (see Attachment 2) to determine the operator nonrecovery probability, AFW-XHE-XL-MDPFRD-1A was set to 5.0E-2 for the base case.
- Operator fails to recover AFW MDP A failure-to-run due to ingestion of debris (dependent value) (AFW-XHE-XL-MDPFRD-1A1). For this analysis, there is an assumed complete dependency between the operator recovery of AFW MDP B and AFW MDP A from debris ingestion failures. Therefore, a project rule was created to substitute the dependent version of AFW-XHE-XL-MDPFRD-1A when it appears in the same cut sets as AFW-XHE-XL-MDP-FRD-1B. Using the SPAR Human Error Model to determine the value of the completely dependent event, AFW-XHE-XL-MDPFRD-1A1 was set to 1.0 for the base case.
- Operator fails to recover AFW MDP B failure-to-run due to ingestion of debris (AFW-XHE-XL-MDPFRD-1B). For this analysis, the assumed AFW pump failure mode is debris blocking the pump suction, leading to air-binding in the pump. Therefore, the recovery considered in this event is the operator recovery of an air-bound pump. Using the SPAR Human Error Model (see Attachment 2) to determine the operator nonrecovery probability, AFW-XHE-XL-MDPFRD-1B was set to 5.0E-2 for the base case.
- Operator fails to recover AFW TDP failure-to-run due to ingestion of debris (AFW-XHE-XL-TDPFRD). For this analysis, the assumed AFW pump failure mode is debris blocking the pump suction, leading to air-binding in the pump. Therefore, the recovery considered in this event is the operator recovery of an air-bound pump. Using the SPAR Human Error Model (see Attachment 2) to determine the operator nonrecovery probability, AFW-XHE-XL-TDPFRD was set to 5.0E-2 for the base case.
- Operator fails to recover AFW TDP failure-to-run due to ingestion of debris (dependent value) (AFW-XHE-XL-TDPFRD1). For this analysis, there is an assumed high dependency between the operator recovery of AFW MDP B and AFW TDP from debris ingestion failures. Therefore, a project rule was created to substitute the dependent version of AFW-XHE-XL-TDPFRD when it appears in the same cut sets as AFW-XHE-XL-MDP-FRD-1B. Using the SPAR Human Error Model (see Attachment 2) to determine the value of the highly dependent event, AFW-XHE-XL-TDPFRD1 was set to 5.3E-1 for the base case.
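The two project rules described above, as an added example (not code from this analysis or from the SPAR model): it substitutes the dependent recovery events into any cut set that also contains AFW-XHE-XL-MDPFRD-1B and compares the product of the debris-related basic events with and without the substitution. The function names and the sample cut sets are constructed for illustration; the event names and values are the ones quoted on this page, and the products exclude the initiating-event frequency and all non-debris events.

```python
from math import prod

# Values quoted on this page. TRUE is represented as 1.0. The debris-ingestion
# (DI) events are FALSE in the base case; 5.0E-1 is the condition-assessment value.
BASIC_EVENTS = {
    "AFW-MDP-DI-1A": 5.0e-1,
    "AFW-MDP-DI-1B": 5.0e-1,
    "AFW-TDP-DI": 5.0e-1,
    "AFW-MDP-FRD-1A": 1.0,           # TRUE
    "AFW-MDP-FRD-1B": 1.0,           # TRUE
    "AFW-TDP-FRD": 5.0e-2,
    "AFW-XHE-XL-MDPFRD-1A": 5.0e-2,  # independent operator non-recovery
    "AFW-XHE-XL-MDPFRD-1B": 5.0e-2,
    "AFW-XHE-XL-TDPFRD": 5.0e-2,
    "AFW-XHE-XL-MDPFRD-1A1": 1.0,    # complete dependency on the MDP B recovery
    "AFW-XHE-XL-TDPFRD1": 5.3e-1,    # high dependency on the MDP B recovery
}

# Project rules: when the trigger event is in a cut set, the independent
# recovery events are replaced by their dependent versions.
TRIGGER = "AFW-XHE-XL-MDPFRD-1B"
SUBSTITUTIONS = {
    "AFW-XHE-XL-MDPFRD-1A": "AFW-XHE-XL-MDPFRD-1A1",
    "AFW-XHE-XL-TDPFRD": "AFW-XHE-XL-TDPFRD1",
}


def apply_project_rules(cut_set):
    """Return the cut set with dependent recovery events substituted."""
    events = frozenset(cut_set)
    if TRIGGER not in events:
        return events  # no second recovery action to depend on
    return frozenset(SUBSTITUTIONS.get(event, event) for event in events)


def cut_set_product(cut_set, values=BASIC_EVENTS):
    """Multiply the basic-event probabilities of one cut set."""
    unknown = sorted(set(cut_set) - set(values))
    if unknown:
        raise KeyError(f"no probability defined for: {unknown}")
    return prod(values[event] for event in cut_set)


def debris_term(cut_set):
    """Return (product without the rules, product with the rules applied)."""
    return cut_set_product(cut_set), cut_set_product(apply_project_rules(cut_set))


# Constructed inputs: debris-related events only, before rule substitution.
TDP_ONLY = {"AFW-TDP-DI", "AFW-TDP-FRD", "AFW-XHE-XL-TDPFRD"}
MDP_B_AND_TDP = TDP_ONLY | {"AFW-MDP-DI-1B", "AFW-XHE-XL-MDPFRD-1B"}
ALL_THREE_PUMPS = MDP_B_AND_TDP | {"AFW-MDP-DI-1A", "AFW-XHE-XL-MDPFRD-1A"}

if __name__ == "__main__":
    for name, cut_set in [("TDP only", TDP_ONLY),
                          ("MDP B + TDP", MDP_B_AND_TDP),
                          ("all three pumps", ALL_THREE_PUMPS)]:
        independent, dependent = debris_term(cut_set)
        print(f"{name:16s} independent={independent:.3e} dependent={dependent:.3e}")
```

Treating the recoveries as independent would understate the two-pump debris term by roughly a factor of ten and the three-pump term by more than two orders of magnitude.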
Basic Event Probability changes. Table 4 provides the basic events that were modified to reflect the event condition being analyzed. The bases for these changes are as follows:
- Probability that debris is ingested into AFW MDP A (AFW-MDP-DI-1A). Based on the pump velocity, the size and number of debris particles, and the pump's operation scenarios, the probability of ingestion of debris into AFW MDP B was assumed to be 5.0E-1 for parts 1 and 3 of the condition assessment. During the event, foreign material from the CST was ingested into the suction of AFW MDP A. Therefore, for this analysis, AFW-MDP-DI-1A was set to TRUE for part 2 of the condition assessment.
- Probability that debris is ingested into AFW MDP B (AFW-MDP-DI-1B). Based on the pump velocity, the size and number of debris particles, and the pump's operation scenarios, the probability of ingestion of debris into AFW MDP B was assumed to be 5.0E-1 for all three parts of the condition assessment.
- Probability that debris is ingested into AFW TDP (AFW-TDP-DI). Based on the pump velocity, the size and number of debris particles, and the pump's operation scenarios, the probability of ingestion of debris into AFW TDP A was assumed to be 5.0E-1 for all three parts of the condition assessment.
- Operator fails to recover AFW MDP A failure-to-run due to ingestion of debris (AFW-XHE-XL-MDPFRD-1A). During the event, when A AFW MDP failed to provide sufficient pressure, the operators responded by quickly venting the pump. However, the licensee did not declare the pump operable until 2 days later. Therefore, for this analysis, AFW MDP A is assumed to be unrecovered. AFW-XHE-XL-MDPFRD-1A was set to TRUE for part 2 of the condition assessment. For parts 1 and 3 of the condition assessment, the failure probability for this event was set to its nominal value.
- Probability of failure of the motor-driven CCW pump (CCW-MDP-FR-P1C). The C CCW pump was assumed to be inoperable for approximately 21 days (from November 15, 2001, until December 5, 2001). (See Attachment 1 for a detailed description of the timeline and period of inoperability.) This event was set to TRUE for part 2 (504 hours) of the condition assessment. For parts 1 and 3 of the condition assessment, the failure probability for this event was set to its nominal value.
- Probability of failure to run of the B ESW pump (ESW-MDP-FS-1B). The B ESW pump was estimated to be inoperable for a period of 132 hours. (See Attachment 1 for a detailed description of the timeline and period of inoperability.) This event was set to TRUE for part 1 (132 hours) of the condition assessment. For parts 2 and 3 of the condition assessment, the failure probability for this event was set to its nominal value.
Equipment supported by train B ESW includes the B emergency diesel generator; train B of the CCW system; and air conditioning units and room coolers for the control room, the Division B Class 1E switchgear room, the train B safety injection pump room, the train B residual heat removal pump room, the train B centrifugal charging pump room, the train B AFW pump room, and the room for CCW pumps B and D. The train B ESW also serves as the backup water source for the B AFW pump. Had a loss of offsite power (or other event resulting in a safety injection signal) occurred while the train B ESW pump was inoperable, this equipment would not have been available to perform its safety function.
Except for the Division B Class 1E switchgear, the Rev. 3 SPAR model explicitly models dependency on ESW (for direct cooling or room cooling) for all of this equipment.
However, because this failure occurred during cold weather months (February 2001), loss of room cooling is assumed to not result in failure of the division 1B ac power 4160 bus (ACP-BAC-LP-NB02).
Sensitivity Analysis. An additional sensitivity analysis was performed to model the reactor trip coinciding with the failure of the A AFW pump due to debris ingestion and the failure of the CCW MDP P1C. This was analyzed as a TRANS initiating event with the components failed. The CCDP of the initiating event analysis was 1.3E-05.
Model Update. Changes to the Rev. 3 SPAR model for Callaway are as follows:
- The model was updated to incorporate changes in the reactor coolant pump (RCP) seal loss-of-coolant accident model (Refs. 11 and 12). These changes account for the high temperature seals that were installed on all RCPs at the time of these events.
- Failure data for the turbine-driven AFW pump were updated, including the fail-to-run lambda and mission time and the fail-to-start probability.
- Failure data for the power-operated relief valves (PORVs) were updated.
These updates are independent of the actual events being analyzed. Bases for the updates are described in the footnotes to Table 4.
References
- 1. Licensee Event Report 483/01-002, Revision 0, Foreign Object Renders B Essential Service Water Pump Inoperable, event date February 14, 2001 (ADAMS Accession No. ML011070538).
- 2. NRC Inspection Report 05000483/2001-02, April 20, 2001 (ADAMS Accession No. ML01100295).
- 3. NRC Inspection Report 05000483/2001-09, June 22, 2001 (ADAMS Accession No. ML011760446).
- 4. NRC Supplemental Inspection Report 05000483/2002-08, April 23, 2002 (ADAMS Accession No. ML0211400981).
- 5. NRC Inspection Report 05000483/2001-06, January 16, 2002 (ADAMS Accession No. ML0201601760).
- 6. Licensee Event Report 483/02-001, Revision 1, Manual Auxiliary Feedwater Actuation and Subsequent Gas Binding of the A Motor Driven Auxiliary Feedwater Pump, December 3, 2001 (ADAMS Accession No. ML020720446).
- 7. Callaway Public Meeting Inspector Notes, February 27, 2002 (ADAMS Accession No. ML020640016).
- 8. NRC Augmented Inspection Team Report 50-483/02-07, March 21, 2002 (ADAMS Accession No. ML0208181770).
- 9. NRC Inspection Report 05000483/2001-03, July 24, 2001 (ADAMS Accession No. ML012050531).
- 10. John A. Schroeder and Scott T. Beck, Standardized Plant Analysis Risk Model for Callaway (ASP PWR B), Revision 3.02, November 2003.
- 11. R. G. Neve, et al., Cost/Benefit Analysis for Generic Issue 23: Reactor Coolant Pump Seal Failure, NUREG/CR-5167, U.S. Nuclear Regulatory Commission, Washington, D.C., April 1991.
- 12. Memorandum from Ashok C. Thadani to William D. Travers, Closeout of Generic Safety Issue 23: Reactor Coolant Pump Seal Failure, U.S. Nuclear Regulatory Commission, Washington, D.C., November 8, 1999.
- 13. Equipment Performance and Information Exchange System (EPIX), Volume 1 - Instructions for Data Entry, Maintenance Rule and Reliability Information Module, INPO 98-001, Institute of Nuclear Power Operations, February 1998.
Table 1. Conditional probabilities associated with the highest probability sequences.

| Part | Event tree name | Sequence no. | Conditional core damage probability (CCDP) | Core damage probability (CDP) | Importance (CCDP - CDP) (note 6) | Percentage contribution (note 7) |
|---|---|---|---|---|---|---|
| Part 1 (note 1) | LOOP | 26-03 | 2.1E-06 | 1.4E-07 | 2.0E-06 | 50.0% |
| | LOOP | 26-16 | 1.1E-06 | 7.5E-08 | 1.0E-06 | 25.0% |
| | Total (all sequences) (note 5) | | 4.4E-06 | 4.2E-07 | 4.0E-06 | |
| Part 2 (note 2) | TRANS | 19 | 3.7E-07 | 3.1E-09 | 3.7E-07 | 28.4% |
| | TRANS | 18 | 2.8E-07 | 4.3E-09 | 2.7E-07 | 21.0% |
| | Total (all sequences) (note 5) | | 2.9E-06 | 1.6E-06 | 1.3E-06 | |
| Part 3 (note 3) | TRANS | 19 | 3.5E-07 | 3.1E-09 | 3.5E-07 | 30.9% |
| | Total (all sequences) (note 5) | | 2.6E-06 | 1.6E-06 | 1.0E-06 | |
| Part 4 (note 4) | TRANS | 19 | 2.3E-06 | 4.7E-08 | 2.2E-06 | 31.4% |
| | LODCB | 10 | 2.1E-06 | 3.6E-07 | 1.8E-06 | 25.7% |
| | TRANS | 18 | 1.6E-06 | 6.5E-08 | 1.5E-06 | 21.4% |
| | Total (all sequences) (note 5) | | 3.0E-05 | 2.4E-05 | 5.6E-06 | |
| Parts 1-4 | Total (all sequences) (note 5) | | 4.0E-05 | 2.8E-05 | 1.2E-05 | |

Note:
- 1. Values for part 1 are point estimates. (File name: GEM 483-02-001 05-04-04 093411 (Part 1).wpd)
- 2. Values for part 2 are point estimates. (File name: GEM 483-02-001 06-17-04 115505 (Part 2).wpd)
- 3. Values for part 3 are point estimates. (File name: GEM 483-02-001 07-01-04 085209 (Part 3).wpd)
- 4. Values for part 4 are point estimates. (File name: GEM 483-02-001 07-01-04 085342 (Part 4).wpd)
- 6. Importance is calculated using the total CCDP and total CDP from all sequences. Sequence level importance measures are not additive.
- 7. Percentage contribution is the ratio of the importance of the sequence in relation to the importance of the part.
Table 2a. Event tree sequence logic for the dominant sequences.

| Event tree name | Sequence no. | Logic (/ denotes success; see Table 2b for top event names) |
|---|---|---|
| TRANS | 19 | /RPS, AFW, MFW, HPI1 |
| LOOP | 26-03 | /RPS, EPS, OEP-30M, /AFW3, /PORV4, /RCPSL, OEP-BD |
| LODCB | 10 | /RPS, AFW, /HPI1, BLEED |
| TRANS | 18 | /RPS, AFW, MFW, /HPI1, BLEED |
| LOOP | 09 | /RPS, /EPS, /AFW2, /PORV3, RCPSL3, HPI2 |
| LOOP | 26-16 | /RPS, EPS, OEP-30M, AFW3 |

Table 2b. Definitions of fault trees listed in Table 2a.

| Fault tree | Definition |
|---|---|
| AFW | AFW IS UNAVAILABLE |
| AFW2 | AFW USING LOOP-FTF FAULT TREE FLAGS |
| AFW3 | AFW IS UNAVAILABLE (USING SBO-FTF FAULT TREE FLAGS) |
| BLEED | FAILURE TO PROVIDE BLEED PORTION OF FEED AND BLEED COOLING |
| EPS | EMERGENCY POWER FAILS |
| HPI1 | HIGH-PRESSURE INJECTION FAILS |
| HPI2 | HPI USING LOOP-FTF FAULT TREE FLAGS |
| MFW | MAIN FEEDWATER IS UNAVAILABLE |
| OEP-30M | OFFSITE POWER RECOVERY WITHIN 30 MINUTES |
| OEP-BD | OFFSITE POWER RECOVERY PRIOR TO BATTERY DEPLETION |
| PORV3 | PORVs/SRVs OPEN DURING LOOP |
| PORV4 | PORVs/SRVs OPEN DURING STATION BLACKOUT |
| RCPSL | REACTOR COOLANT PUMP SEALS FAIL FROM LACK OF COOLING |
| RCPSL3 | RCPSL USING LOOP-FTF FAULT TREE FLAGS |
| RPS | REACTOR PROTECTION SYSTEM FAILS |
Table 3a. Conditional cut sets for dominant sequences (part 1).

| CCDP (note 1) | Percent contribution | Minimal cut sets (note 2) |
|---|---|---|
| Event Tree: LOOP, Sequence 26-03 | | |
| 6.6E-07 | 30.8 | OEP-XHE-NOREC-ST, OEP-XHE-NOREC-BD, ESW-MDP-CF-START |
| 5.5E-07 | 26.4 | OEP-XHE-NOREC-ST, OEP-XHE-NOREC-BD, EPS-DGN-TM-DGA |
| 3.6E-07 | 17.0 | OEP-XHE-NOREC-ST, OEP-XHE-NOREC-BD, EPS-DGN-FS-DGA |
| 2.1E-06 | | Total (all cut sets/this sequence) (note 3) |
| Event Tree: LOOP, Sequence 26-16 | | |
| 1.3E-07 | 11.8 | OEP-XHE-NOREC-ST, AFW-TDP-FR-PAL02, ESW-MDP-CF-START |
| 1.1E-07 | 10.1 | OEP-XHE-NOREC-ST, EPS-DGN-TM-DGA, AFW-TDP-FR-PAL02 |
| 1.1E-06 | | Total (all cut sets/this sequence) (note 3) |
| 4.0E-06 | | Total (all cut sets/all sequences) (note 3) |

Notes:
- 1. Values are point estimates.
- 2. See Table 4 for definitions and probabilities for the basic events.
- 3. Totals include all cut sets (including those not shown in this table).
Table 3b. Conditional cut sets for dominant sequences (part 2).

| CCDP (note 1) | Percent contribution | Minimal cut sets (note 2) |
|---|---|---|
| Event Tree: TRANS, Sequence 19 | | |
| 1.3E-06 | 13.5 | MFW-XHE-ERROR, MFW-SYS-TRIP, AFW-MDP-DI-1B, AFW-XHE-XL-MDPFRD-1B, AFW-TDP-FRD, AFW-TDP-DI, HPI-XHE-XM-FB, AFW-XHE-XL-MDPFRD-1B |
| 3.7E-07 | | Total (all cut sets/this sequence) (note 3) |
| 1.3E-06 | | Total (all cut sets/all sequences) (note 3) |

Notes:
- 1. Values are point estimates.
- 2. See Table 4 for definitions and probabilities for the basic events.
- 3. Totals include all cut sets (including those not shown in this table).
Table 3c. Conditional cut sets for dominant sequences (part 3).

| CCDP (note 1) | Percent contribution | Minimal cut sets (note 2) |
|---|---|---|
| Event Tree: TRANS, Sequence 19 | | |
| 5.0E-08 | 14.5 | MFW-XHE-ERROR, MFW-SYS-TRIP, AFW-MDP-DI-1B, AFW-XHE-XL-MDPFRD-1B, AFW-TDP-FRD, AFW-TDP-DI, HPI-XHE-XM-FB1, AFW-XHE-XL-TDPFRD1 |
| 4.6E-08 | 13.1 | HPI-XHE-XM-FB, MFW-SYS-UNAVAIL, AFW-MDP-DI-1B, AFW-XHE-XL-MDPFRD-1B, AFW-TDP-FRD, AFW-TDP-DI, AFW-XHE-XL-TDPFRD1 |
| 3.6E-08 | 10.4 | MFW-XHE-ERROR, MFW-SYS-TRIP, AFW-TDP-FR-PAL02, AFW-MDP-DI-1B, AFW-XHE-XL-MDPFRD-1B, HPI-XHE-XM-FB1 |
| 3.5E-07 | | Total (all cut sets/this sequence) (note 3) |
| 2.6E-06 | | Total (all cut sets/all sequences) (note 3) |

Notes:
- 1. Values are point estimates.
- 2. See Table 4 for definitions and probabilities for the basic events.
- 3. Totals include all cut sets (including those not shown in this table).
Table 3d. Conditional cut sets for dominant sequences (part 4).

| CCDP (note 1) | Percent contribution | Minimal cut sets (note 2) |
|---|---|---|
| Event Tree: TRANS, Sequence 19 | | |
| 3.8E-07 | 16.9 | MFW-XHE-ERROR, MFW-SYS-TRIP, AFW-MDP-DI-1A, AFW-MDP-DI-1B, AFW-XHE-XL-MDPFRD-1B, AFW-TDP-FRD, AFW-TDP-DI, HPI-XHE-XM-FB1, AFW-XHE-XL-TDPFRD1, AFW-XHE-XL-MDPFRD-1A1 |
| 3.4E-07 | 15.3 | HPI-XHE-XM-FB, MFW-SYS-UNAVAIL, AFW-MDP-DI-1A, AFW-MDP-DI-1B, AFW-XHE-XL-MDPFRD-1B, AFW-TDP-FRD, AFW-TDP-DI, AFW-XHE-XL-TDPFRD1, AFW-XHE-XL-MDPFRD-1A1 |
| 2.7E-07 | 12.1 | MFW-XHE-ERROR, MFW-SYS-TRIP, AFW-TDP-FR-PAL02, AFW-MDP-DI-1A, AFW-MDP-DI-1B, AFW-XHE-XL-MDPFRD-1B, HPI-XHE-XM-FB1, AFW-XHE-XL-MDPFRD-1A1 |
| 2.5E-07 | 10.9 | HPI-XHE-XM-FB, MFW-SYS-UNAVAIL, AFW-TDP-FR-PAL02, AFW-MDP-DI-1A, AFW-MDP-DI-1B, AFW-XHE-XL-MDPFRD-1B, AFW-XHE-XL-MDPFRD-1A1 |
| 2.3E-06 | | Total (all cut sets/this sequence) (note 3) |
| Event Tree: LODCB, Sequence 10 | | |
| 6.1E-07 | 28.4 | AFW-MDP-DI-1B, AFW-XHE-XL-MDPFRD-1B, AFW-TDP-FRD, AFW-TDP-DI, AFW-XHE-XL-TDPFRD1 |
| 4.3E-07 | 20.3 | AFW-TDP-FR-PAL02, AFW-MDP-DI-1B, AFW-XHE-XL-MDPFRD-1B |
| 3.5E-07 | 16.3 | AFW-TDP-TM-PAL02, AFW-MDP-DI-1B, AFW-XHE-XL-MDPFRD-1B |
| 3.1E-07 | 14.7 | AFW-TDP-FS-PAL02, AFW-MDP-DI-1B, AFW-XHE-XL-MDPFRD-1B |
| 2.1E-06 | | Total (all cut sets/this sequence) (note 3) |
| Event Tree: TRANS, Sequence 18 | | |
| 2.2E-07 | 13.7 | MFW-SYS-UNAVAIL, AFW-MDP-DI-1A, AFW-MDP-DI-1B, AFW-XHE-XL-MDPFRD-1B, AFW-TDP-FRD, AFW-TDP-DI, PPR-SRV-CC-PRV1, AFW-XHE-XL-TDPFRD1, AFW-XHE-XL-MDPFRD-1A1 |
| 2.2E-07 | 13.7 | MFW-SYS-UNAVAIL, PPR-SRV-CC-PRV2, AFW-MDP-DI-1A, AFW-MDP-DI-1B, AFW-XHE-XL-MDPFRD-1B, AFW-TDP-FRD, AFW-TDP-DI, AFW-XHE-XL-TDPFRD1, AFW-XHE-XL-MDPFRD-1A1 |
| 1.6E-06 | | Total (all cut sets/this sequence) (note 3) |
| 3.0E-05 | | Total (all cut sets/all sequences) (note 3) |

Notes:
- 1. Values are point estimates.
- 2. See Table 4 for definitions and probabilities for the basic events.
- 3. Totals include all cut sets (including those not shown in this table).
Table 4. Definitions and probabilities for modified or dominant basic events.

| Event name | Description | Probability/frequency | Modified |
|---|---|---|---|
| AFW-MDP-DI-1A | DEBRIS INGESTED IN AFW MDP1A | TRUE | Yes (note 1) |
| AFW-MDP-DI-1B | DEBRIS INGESTED IN AFW MDP1B | 5.0E-001 | Yes (note 2) |
| AFW-MDP-FRD-1A | AFW MOTOR-DRIVEN PUMP 1A FAILS TO RUN (DEBRIS) | TRUE | Yes (note 2) |
| AFW-MDP-FRD-1B | AFW MOTOR-DRIVEN PUMP 1B FAILS TO RUN (DEBRIS) | TRUE | Yes (note 2) |
| AFW-TDP-DI | DEBRIS INGESTED IN AFW TDP | 5.0E-001 | Yes (note 2) |
| AFW-TDP-FR-PAL02 | TURBINE DRIVEN FEED PUMP PAL02 FAILS TO RUN | 9.5E-003 | Yes (note 3) |
| AFW-TDP-FRD | AFW TURBINE-DRIVEN PUMP FAILS TO RUN (DEBRIS) | 5.0E-002 | Yes (note 2) |
| AFW-TDP-FS-PAL02 | TURBINE DRIVEN FEED PUMP PAL02 FAILS TO START | 6.8E-003 | Yes (note 3) |
| AFW-TDP-TM-PAL02 | TURBINE DRIVEN FEED PUMP PAL02 UNAVAILABLE DUE TO TEST AND MAINTENANCE | 7.6E-003 | No |
| AFW-XHE-XL-MDPFRD-1A | OPERATOR FAILS TO RECOVER AFW MDP 1A (DEBRIS INGESTION) | TRUE | Yes (note 1) |
| AFW-XHE-XL-MDPFRD-1A1 | OPERATOR FAILS TO RECOVER AFW MDP 1B (DEBRIS INGESTION) (DEPENDENT) | 1.0 | Yes (note 4) |
| AFW-XHE-XL-MDPFRD-1B | OPERATOR FAILS TO RECOVER AFW MDP 1B (DEBRIS INGESTION) | 5.0E-002 | Yes (note 4) |
| AFW-XHE-XL-TDPFRD | OPERATOR FAILS TO RECOVER AFW TDP (DEBRIS INGESTION) | 5.0E-002 | Yes (note 4) |
| AFW-XHE-XL-TDPFRD1 | OPERATOR FAILS TO RECOVER AFW TDP (DEBRIS INGESTION) (DEPENDENT) | 5.3E-001 | Yes (note 4) |
| CCW-MDP-CF-RUN | CCW PUMPS FAIL FROM COMMON CAUSE TO RUN | 1.3E-002 | Yes (note 5) |
| CCW-MDP-FR-P1C | CCW MDP P1C FAILS TO RUN | TRUE | Yes (note 6) |
| CVC-MDP-TM-P1C | PUMP P1C IS IN TEST OR MAINTENANCE | 2.0E-001 | No |
| EPS-DGN-FS-DGA | DIESEL GENERATOR A FAILS TO START | 2.0E-002 | No |
| EPS-DGN-TM-DGA | DG A UNAVAILABLE DUE TO TEST AND MAINTENANCE | 3.1E-002 | No |
| EPS-DGN-TM-DGB | DG B UNAVAILABLE DUE TO TEST AND MAINTENANCE | 3.1E-002 | No |
| ESW-MDP-CF-START | ESW PUMPS FAIL FROM COMMON CAUSE TO START | 3.6E-002 | Yes (note 5) |
| ESW-MDP-FS-1B | ESW TRAIN B MDP 1B FAILS TO START | TRUE | Yes (note 7) |
| HPI-XHE-XM-FB | OPERATOR FAILS TO INITIATE FEED AND BLEED COOLING | 1.0E-002 | No |
| HPI-XHE-XM-FB1 | OPERATOR FAILS TO INITIATE FEED AND BLEED COOLING | 6.9E-002 | No |
| MFW-SYS-TRIP | MAIN FEEDWATER SYSTEM UNAVAILABLE GIVEN RX TRIP | 8.0E-001 | No |
| MFW-SYS-UNAVAIL | OPERATOR FAILS TO RESTORE MFW FLOW | 2.0E-001 | No |
| MFW-XHE-ERROR | OPERATOR FAILS TO RESTORE MFW FLOW | 4.0E-002 | No |
| OEP-XHE-NOREC-BD | OPERATOR FAILS TO RECOVER OFFSITE POWER BEFORE BATTERY DEPLETION GIVEN THAT POWER IS NOT RECOVERED IN SHORT TERM | 4.9E-002 | No |
| OEP-XHE-NOREC-SL | OPERATOR FAILS TO RECOVER OFFSITE POWER PRIOR TO SEAL LOCA | 2.4E-002 | Yes (note 8) |
| OEP-XHE-NOREC-ST | OPERATOR FAILS TO RECOVER OFFSITE POWER IN SHORT TERM | 5.3E-001 | No |
| PPR-SRV-CC-PRV1 | PORV 1 FAILS TO OPEN ON DEMAND | 6.3E-003 | No |
| PPR-SRV-CC-PRV2 | PORV 2 FAILS TO OPEN ON DEMAND | 6.3E-003 | No |
| PPR-SRV-OO-1 | PORV 1 FAILS TO RECLOSE AFTER OPENING | 2.0E-003 | Yes (note 9) |
| PPR-SRV-OO-2 | PORV 2 FAILS TO RECLOSE AFTER OPENING | 2.0E-003 | Yes (note 9) |
| RCS-MDP-LK-SEALS | RCP SEALS FAIL W/O COOLING AND INJECTION | 2.0E-001 | Yes (note 8) |
| RCS-MDP-LK-SEALS1 | RCP SEALS FAIL W/O COOLING AND INJECTION | 1.9E-001 | No |
| CCW-MDP-FR-04A01 | MOTOR DRIVEN PUMP ALPHA FACTOR 1 FOR 4 TRAINS | 9.72E-01 | Yes (note 10) |
| CCW-MDP-FR-04A02 | MOTOR DRIVEN PUMP ALPHA FACTOR 2 FOR 4 TRAINS | 1.85E-02 | Yes (note 10) |
| CCW-MDP-FR-04A03 | MOTOR DRIVEN PUMP ALPHA FACTOR 3 FOR 4 TRAINS | 7.79E-03 | Yes (note 10) |
| CCW-MDP-FR-04A04 | MOTOR DRIVEN PUMP ALPHA FACTOR 4 FOR 4 TRAINS | 1.36E-03 | Yes (note 10) |
| CCW-MDP-FS-04A01 | MOTOR DRIVEN PUMP ALPHA FACTOR 1 FOR 4 TRAINS | 9.67e-01 | Yes (note 10) |
| CCW-MDP-FS-04A02 | MOTOR DRIVEN PUMP ALPHA FACTOR 2 FOR 4 TRAINS | 1.66E-02 | Yes (note 10) |
| CCW-MDP-FS-04A03 | MOTOR DRIVEN PUMP ALPHA FACTOR 3 FOR 4 TRAINS | 1.35E-02 | Yes (note 10) |
| CCW-MDP-FS-04A04 | MOTOR DRIVEN PUMP ALPHA FACTOR 4 FOR 4 TRAINS | 3.01E-03 | Yes (note 10) |

Notes:
- 1. Basic event changed to reflect event being analyzed (parts 2 and 3).
- 2. Basic event changed to reflect event being analyzed (parts 1 through 4).
- 3. For the turbine-driven AFW pump, the failure rate for failure to run was updated to 1.19E-03/hr and the mission time was reduced from 24 hours to 8 hours. Additionally, the probability of failure to start was updated to 6.8E-03 per demand, based on guidance provided by INEEL. The failure data cover the period of January 1, 1997, through December 31, 2001, from Ref. 13. The failure data are based on unrecovered failures; therefore, operator recovery events associated with recovery of failure to start and failure to run were set to TRUE.
- 4. Operator recovery values were determined using the SPAR Model Human Error worksheet (see Attachment 2).
- 5. Common-cause probability values automatically calculated by GEMS.
- 6. Basic event changed to reflect event being analyzed (part 2).
- 7. Basic event changed to reflect event being analyzed (part 1).
- 8. Model update to incorporate the Rhodes model. Modifications to top events were made in accordance with guidance provided in Refs. 11 and 12. High temperature seals are assumed to be installed on all RCPs. Therefore, RCS-MDP-LK-SEALS was set to 0.20. Based on the Rhodes model, the time available to prevent core damage by restoring ac power and starting high-pressure injection if RCP seals fail is 4 hours (time until core uncovery and battery depletion). To account for increased time to recover electric power, top event OP-SL was updated (basic event OEP-XHE-NOREC-SL).
- 9. NUREG 4550, Vol. 1, Rev 1. Table 8.2.5
- 10. The alpha factors were changed from generic values for motor-driven pumps to alpha factors specific to the CCW pump type (U.S. Nuclear Regulatory Commission, Reactor Operating Experience Results and Databases, http://nrcoe.inel.gov/index.cfm?fuseaction=CCF.showMenu).
[Figure 1. Callaway TRANS event tree. Top events: IE-TRANS (transient), RPS (reactor trip), AFW (auxiliary feedwater), MFW (main feedwater), PORV (PORVs are closed), HPI (high pressure injection), BLEED (bleed path established), SGCOOL (secondary cooling recovered), COOLDOWN (RCS cooldown), RHR (residual heat removal), HPR (high pressure recirc). Figure not reproduced.]

[Figure 2. AFW motor-driven pump A fault tree. Top event: AFW-MDPA, AFW motor driven pump train A is unavailable. Figure not reproduced.]

[Figure 3. AFW motor-driven pump B fault tree. Top event: AFW-MDPB, AFW motor driven pump train B is unavailable. Figure not reproduced.]

[Figure 4. AFW turbine-driven pump fault tree. Top event: AFW-TDP, turbine driven pump train is unavailable. Figure not reproduced.]
Timeline for Events in Condition Assessment

The time period for the condition assessment is 1 year. The period selected for the analysis is from January 27, 2001, to January 26, 2002, the date that degradation of the foam seal ring and foreign material in the condensate storage tank (CST) were discovered. The following is a timeline for events that occurred during the time period, including (1) failure of the B emergency service water (ESW) pump, as described in LER 483/01-002 (Ref. 1) and (2) failure of A motor-driven auxiliary feedwater (AFW) pump due to foreign material from the CST, as described in LER 483/02-001 (Ref. 6).
- February 9, 2001: At 2:15 p.m., a leak collection rig was installed on the B ESW prelube tank. Tygon hose subsequently detached from the leak collection rig and fell into the suction bay for the B ESW pump, effectively rendering the pump inoperable.
- February 14, 2001: At 8:51 a.m., the B ESW pump was manually started, but failed to deliver rated flow and pressure. (The pump's flow and discharge pressure were 4 Mlbm/hr at 80 psi vs. its normal flow and discharge pressure of 7 Mlbm/hr at 140 psi.)
- February 15, 2001: A foreign object (hose) was removed from the B ESW pump and the pump was declared operable at 2:31 a.m.
- March 9, 2001: Reactor scram occurs due to loss of both rod drive motor generators. Plant shut down (reactor not critical) for a total of 47 hours.
- April 7, 2001: Reactor shut down for refueling outage from April 7, 2001, to May 21, 2001. Plant shut down (reactor not critical) for a total of 1,045 hours.
- October 22, 2001: Quarterly test of the A AFW pump.
- November 15, 2001: Improper maintenance on the C component cooling water (CCW) pump results in the pump being inoperable.
- December 3, 2001: During a plant shutdown (to repair generator stator cooling leak), AFW pumps A and B were manually started. Both pumps start, but A pump fails to deliver any flow. Cause not initially known but later discovered to be foam from the CST's floating diaphragm. Plant shut down (reactor not critical) for 77 hours.
- January 26, 2002: Inspection of the CST identifies foreign material (foam pieces from the tank's floating diaphragm in the tank sump).
The following describes bases for the durations of the equipment unavailabilities and degraded conditions, based on the above timeline.
- Condition duration for failed B ESW pump. The B ESW pump is assumed to be failed from the time the leak collection rig was installed on the B ESW prelube tank (at 2:15 p.m. on February 9, 2001) until the time when the pump was returned to service (at 2:31 a.m. on February 15, 2001). The pump was assumed inoperable for a period of 132 hours.
- Condition duration for failed A AFW pump. Prior to its failure to run on December 3, 2001, the A AFW pump was last tested on October 22, 2001. The time from the last successful test until its failure is about 42 days. Because there is uncertainty about when foreign material entered the A AFW pump, rendering it inoperable, it is conservatively assumed that the debris was in or near the line that it eventually clogged for the entire interval (from October 22, 2001, to December 3, 2001), a total of 42 days (1008 hours). (The A AFW pump was vented and declared operable on December 5, 2001. The 2-day time period after the A AFW pump failed until it was returned to service is not added to the condition duration because the reactor was being shut down when the pump failed and entered Mode 3 shortly after the pump failed.)
- Condition duration for degraded condition of the CST. On January 26, 2002, inspection of the CST revealed damage to a 5-foot section of the diaphragm's foam seal ring. Several pieces of foam, a piece of cloth, and four small rubber pads were found in the bottom of the tank. A 25-inch section of foam was hanging from the diaphragm. The material in the bottom of the tank and the degraded portion of the seal ring posed a foreign material risk to the AFW pumps. Prior to the inspection on January 26, 2002, a limited inspection of the tank was performed on October 17, 2000; however, the inspection did not identify degradation of the tank's diaphragm. Therefore, the exact time when portions of the diaphragm's foam ring and fabric detached is not known. The degraded condition is assumed to have existed for at least 1 year (8,760 hours).
- Condition duration for failed C CCW pump. On November 27, 2001, the C CCW pump was started to support planned maintenance of Train B CCW. After about an hour of operation, the pump's drive bearing temperature exceeded the alarm setpoint. The pump was shut down and the A CCW pump (redundant Train A pump) was started. The licensee determined that the high bearing temperature and resultant bearing failure had been caused by a lack of lubricating oil. Preventive maintenance had been performed on the C CCW pump on November 15, 2001. Maintenance personnel had not added the proper amount of oil. The pump was repaired and passed a post-maintenance test on December 5, 2001. The C CCW pump is assumed to be failed from the time of maintenance on November 15, 2001, until it passed testing on December 5, 2001 (a total of 21 days or 504 hours).
To appropriately model the various component unavailabilities and the degraded seal and foreign material in the CST, the condition assessment was performed in four parts. The following describes the time period for each of the three parts that make up the 1-year condition assessment.
- Time period for part 1 of the condition assessment. Part 1 of the condition assessment is 132 hours. This corresponds to the time period from February 9, 2001, to February 15, 2001, when the B ESW pump was unavailable. During this 132-hour time period, (1) the B ESW pump and equipment dependent upon the train B ESW could have failed to perform their safety function and (2) all three of the AFW pumps were operable but at an increased risk of failure due to foreign material in the CST.
- Time period for part 2 of the condition assessment. Part 2 of the condition assessment is 504 hours. Chronologically, the time period for part 2 is assumed to be from November 11, 2001, to December 3, 2001. During this 504-hour time period, (1) the A AFW pump was unavailable, (2) the B AFW pump and the turbine-driven AFW pump were operable but at an increased risk of failure due to foreign material in the CST, and (3) the C CCW pump was unavailable. (Because the time period when the C CCW pump was unavailable corresponds closely to the time period when the A AFW pump was unavailable, the unavailability of the C CCW pump is included in part 2.)
- Time period for part 3 of the condition assessment. Part 3 of the condition assessment is 504 hours. This corresponds to the remaining time that the A AFW pump was unavailable when the C CCW pump was operable (from October 22 until November 11, 2001). Additionally, the B AFW pump and the turbine-driven AFW pump were operable but at an increased risk of failure due to foreign material in the CST.
- Time period for part 4 of the condition assessment. Part 4 of the condition assessment is 7620 hours. This time period includes the periods during the 1-year condition assessment not covered by parts 1, 2, or 3. During this 7620-hour time period, all three AFW pumps were operable but at an increased risk of failure due to foreign material in the CST.
Operator Recovery Modeling

SPAR Model Human Error Worksheet (Page 1 of 3)

Plant: Callaway
Event Name: NA
Task Error Description: Operator fails to recover AFW pump failure-to-run due to ingestion of debris
Events: AFW-XHE-XL-MDPFRD-1A, AFW-XHE-XL-MDPFRD-1B, AFW-XHE-XL-TDPFRD

Does this task contain a significant amount of diagnosis activity? YES ___ NO X
If Yes, use Table 1 below to evaluate the PSFs for the Diagnosis portion of the task before going to Table 2. If No, go directly to Table 2.

Table 1. Diagnosis worksheet.

| PSFs | PSF levels (multiplier for diagnosis) | If non-nominal PSF levels are selected, please note specific reasons in this column |
|---|---|---|
| 1. Available Time | Inadequate (1.0, note a); Barely adequate < 20 m (10); Nominal ≈ 30 m (1); Extra > 60 m (0.1); Expansive > 24 h (0.01) | |
| 2. Stress | Extreme (5); High (2); Nominal (1) | |
| 3. Complexity | Highly (5); Moderately (2); Nominal (1) | |
| 4. Experience/Training | Low (10); Nominal (1); High (0.5) | |
| 5. Procedures | Not available (50); Available, but poor (5); Nominal (1); Diagnostic/symptom oriented (0.5) | |
| 6. Ergonomics | Missing/Misleading (50); Poor (10); Nominal (1); Good (0.5) | |
| 7. Fitness for Duty | Unfit (1.0, note a); Degraded Fitness (5); Nominal (1) | |
| 8. Work Processes | Poor (2); Nominal (1); Good (0.8) | |

- a. Task failure probability is 1.0 regardless of other PSFs.

SPAR Model Human Error Worksheet (Page 2 of 3)

Table 2. Action worksheet.

| PSFs | PSF levels (multiplier for action) | Selected | If non-nominal PSF levels are selected, please note specific reasons in this column |
|---|---|---|---|
| 1. Available Time | Inadequate (1.0, note a); Time available ≈ time required (10); Nominal (1); Available > 5x time required (0.1); Available > 50x time required (0.01) | Time available ≈ time required (10) | Recovery of AFW is needed 30 minutes after failure. |
| 2. Stress | Extreme (5); High (2); Nominal (1) | Extreme (5) | AFW system is needed to prevent core damage. |
| 3. Complexity | Highly (5); Moderately (2); Nominal (1) | Nominal (1) | |
| 4. Experience/Training | Low (3); Nominal (1); High (0.5) | Nominal (1) | |
| 5. Procedures | Not available (50); Available, but poor (5); Nominal (1) | Nominal (1) | |
| 6. Ergonomics | Missing/Misleading (50); Poor (10); Nominal (1); Good (0.5) | Nominal (1) | |
| 7. Fitness for Duty | Unfit (1.0, note a); Degraded Fitness (5); Nominal (1) | Nominal (1) | |
| 8. Work Processes | Poor (2); Nominal (1); Good (0.8) | Nominal (1) | |

- a. Task failure probability is 1.0 regardless of other PSFs.

Table 3. Task failure probability without formal dependence worksheet.

| Task Portion | Nom. Prob. | Time | Stress | Compl. | Exper./Train. | Proced. | Ergon. | Fitness | Work Process | Prob. |
|---|---|---|---|---|---|---|---|---|---|---|
| Diag. | 1.0E-2 | | | | | | | | | na |
| Action | 1.0E-3 | 10 | 5 | 1 | 1 | 1 | 1 | 1 | 1 | 5.0E-2 |
| Total | | | | | | | | | | 5.0E-2 |

SPAR Model Human Error Worksheet (Page 3 of 3)

For all tasks, except the first task in the sequence, use the table and formulae below to calculate the Task Failure Probability With Formal Dependence.

Table 4. Dependency condition worksheet.

| Condition Number | Crew (same or different) | Location (same or different) | Time (close in time or not close in time) | Cues (additional or not additional) | Dependency |
|---|---|---|---|---|---|
| 1 | s | s | c | - | complete |
| 2 | s | s | nc | na | high |
| 3 | s | s | nc | a | moderate |
| 4 | s | d | c | - | high |
| 5 | s | d | nc | na | moderate |
| 6 | s | d | nc | a | low |
| 7 | d | s | c | - | moderate |
| 8 | d | s | nc | na | low |
| 9 | d | s | nc | a | low |
| 10 | d | d | c | - | moderate |
| 11 | d | d | nc | na | low |
| 12 | d | d | nc | a | low |
| 13 | | | | | zero |

Number of Human Action Failures Rule: If this error is the 3rd error in the sequence, then the dependency is at least moderate. If this error is the 4th error in the sequence, then the dependency is at least high. This rule may be ignored only if there is compelling evidence for less dependence with the previous tasks.

Using P = Task Failure Probability Without Formal Dependence (calculated on page 2):

- For Complete Dependence the probability of failure = 1.0
- For High Dependence the probability of failure = (1 + P)/2
- For Moderate Dependence the probability of failure = (1 + 6P)/7
- For Low Dependence the probability of failure = (1 + 19P)/20
- For Zero Dependence the probability of failure = P (selected)

Task Failure Probability With Formal Dependence = (1 + ( * )) / =

Additional Notes:
SPAR Model Human Error Worksheet (Page 1 of 3)

Plant: Callaway
Event Name: NA
Task Error Description: Operator fails to recover AFW TDP pump failure-to-run due to ingestion of debris (highly dependent value)
Event: AFW-XHE-XL-TDPFRD1

Does this task contain a significant amount of diagnosis activity? YES ___ NO X
If Yes, use Table 1 below to evaluate the PSFs for the Diagnosis portion of the task before going to Table 2. If No, go directly to Table 2.

Table 1. Diagnosis worksheet.

| PSFs | PSF levels (multiplier for diagnosis) | If non-nominal PSF levels are selected, please note specific reasons in this column |
|---|---|---|
| 1. Available Time | Inadequate (1.0, note a); Barely adequate < 20 m (10); Nominal ≈ 30 m (1); Extra > 60 m (0.1); Expansive > 24 h (0.01) | |
| 2. Stress | Extreme (5); High (2); Nominal (1) | |
| 3. Complexity | Highly (5); Moderately (2); Nominal (1) | |
| 4. Experience/Training | Low (10); Nominal (1); High (0.5) | |
| 5. Procedures | Not available (50); Available, but poor (5); Nominal (1); Diagnostic/symptom oriented (0.5) | |
| 6. Ergonomics | Missing/Misleading (50); Poor (10); Nominal (1); Good (0.5) | |
| 7. Fitness for Duty | Unfit (1.0, note a); Degraded Fitness (5); Nominal (1) | |
| 8. Work Processes | Poor (2); Nominal (1); Good (0.8) | |

- a. Task failure probability is 1.0 regardless of other PSFs.

SPAR Model Human Error Worksheet (Page 2 of 3)

Table 2. Action worksheet.

| PSFs | PSF levels (multiplier for action) | Selected | If non-nominal PSF levels are selected, please note specific reasons in this column |
|---|---|---|---|
| 1. Available Time | Inadequate (1.0, note a); Time available ≈ time required (10); Nominal (1); Available > 5x time required (0.1); Available > 50x time required (0.01) | Time available ≈ time required (10) | Recovery of AFW is needed 30 minutes after failure. |
| 2. Stress | Extreme (5); High (2); Nominal (1) | Extreme (5) | AFW system is needed to prevent core damage. |
| 3. Complexity | Highly (5); Moderately (2); Nominal (1) | Nominal (1) | |
| 4. Experience/Training | Low (3); Nominal (1); High (0.5) | Nominal (1) | |
| 5. Procedures | Not available (50); Available, but poor (5); Nominal (1) | Nominal (1) | |
| 6. Ergonomics | Missing/Misleading (50); Poor (10); Nominal (1); Good (0.5) | Nominal (1) | |
| 7. Fitness for Duty | Unfit (1.0, note a); Degraded Fitness (5); Nominal (1) | Nominal (1) | |
| 8. Work Processes | Poor (2); Nominal (1); Good (0.8) | Nominal (1) | |

- a. Task failure probability is 1.0 regardless of other PSFs.

Table 3. Task failure probability without formal dependence worksheet.

| Task Portion | Nom. Prob. | Time | Stress | Compl. | Exper./Train. | Proced. | Ergon. | Fitness | Work Process | Prob. |
|---|---|---|---|---|---|---|---|---|---|---|
| Diag. | 1.0E-2 | | | | | | | | | na |
| Action | 1.0E-3 | 10 | 5 | 1 | 1 | 1 | 1 | 1 | 1 | 5.0E-2 |
| Total | | | | | | | | | | 5.0E-2 |

SPAR Model Human Error Worksheet (Page 3 of 3)

For all tasks, except the first task in the sequence, use the table and formulae below to calculate the Task Failure Probability With Formal Dependence.

Table 4. Dependency condition worksheet.

| Condition Number | Crew (same or different) | Location (same or different) | Time (close in time or not close in time) | Cues (additional or not additional) | Dependency | Selected |
|---|---|---|---|---|---|---|
| 1 | s | s | c | - | complete | |
| 2 | s | s | nc | na | high | |
| 3 | s | s | nc | a | moderate | |
| 4 | s | d | c | - | high | X |
| 5 | s | d | nc | na | moderate | |
| 6 | s | d | nc | a | low | |
| 7 | d | s | c | - | moderate | |
| 8 | d | s | nc | na | low | |
| 9 | d | s | nc | a | low | |
| 10 | d | d | c | - | moderate | |
| 11 | d | d | nc | na | low | |
| 12 | d | d | nc | a | low | |
| 13 | | | | | zero | |

Number of Human Action Failures Rule: If this error is the 3rd error in the sequence, then the dependency is at least moderate. If this error is the 4th error in the sequence, then the dependency is at least high. This rule may be ignored only if there is compelling evidence for less dependence with the previous tasks.

Using P = Task Failure Probability Without Formal Dependence (calculated on page 2):

- For Complete Dependence the probability of failure = 1.0
- For High Dependence the probability of failure = (1 + P)/2 (selected)
- For Moderate Dependence the probability of failure = (1 + 6P)/7
- For Low Dependence the probability of failure = (1 + 19P)/20
- For Zero Dependence the probability of failure = P

Task Failure Probability With Formal Dependence = (1 + 5E-02) / 2 = 5.3E-01
LERs 483/01-002 and 483/02-001 SPAR Model Human Error Worksheet (Page 1 of 3)
Plant: Callaway Event Name: NA Task Error
Description:
Operator fails to recover AFW MDP pump failure-to-run due to ingestion of debris (completely dependent value) Event: AFW-XHE-XL-MDPFRD-1A1 Does this task contain a significant amount of diagnosis activity ? YES NO X If Yes, Use Table 1 below to evaluate the PSFs for the Diagnosis portion of the task before going to Table 2. If No, go directly to Table 2.
Table 1. Diagnosis worksheet.
Multiplier If non-nominal PSF levels are selected, please for note specific reasons in this column PSFs PSF Levels Diagnosis
- 1. Available Inadequate 1.0a Time Barely adequate < 20 m 10 Nominal . 30 m 1 Extra > 60 m 0.1 Expansive > 24 h 0.01
- 2. Stress Extreme 5 High 2 Nominal 1
- 3. Complexity Highly 5 Moderately 2 Nominal 1
- 4. Experience/ Low 10 Training Nominal 1 High 0.5
- 5. Procedures Not available 50 Available, but poor 5 Nominal 1 Diagnostic/symptom oriented 0.5
- 6. Ergonomics Missing/Misleading 50 Poor 10 Nominal 1 Good 0.5
- 7. Fitness for Unfit 1.0a Duty Degraded Fitness 5 Nominal 1
- 8. Work Poor 2 Processes Nominal 1 Good 0.8
- a. Task failure probability is 1.0 regardless of other PSFs.
32
LERs 483/01-002 and 483/02-001 SPAR Model Human Error Worksheet (Page 2 of 3)
Table 2. Action worksheet.
| PSFs | PSF Levels | Multiplier for Action | If non-nominal PSF levels are selected, please note specific reasons in this column |
|---|---|---|---|
| 1. Available Time | Inadequate | 1.0 (a) | Recovery of AFW is needed 30 minutes after failure. |
| | Time available ≈ time required | 10 ✓ | |
| | Nominal | 1 | |
| | Available > 5x time required | 0.1 | |
| | Available > 50x time required | 0.01 | |
| 2. Stress | Extreme | 5 ✓ | AFW system is needed to prevent core damage. |
| | High | 2 | |
| | Nominal | 1 | |
| 3. Complexity | Highly | 5 | |
| | Moderately | 2 | |
| | Nominal | 1 ✓ | |
| 4. Experience/Training | Low | 3 | |
| | Nominal | 1 ✓ | |
| | High | 0.5 | |
| 5. Procedures | Not available | 50 | |
| | Available, but poor | 5 | |
| | Nominal | 1 ✓ | |
| 6. Ergonomics | Missing/Misleading | 50 | |
| | Poor | 10 | |
| | Nominal | 1 ✓ | |
| | Good | 0.5 | |
| 7. Fitness for Duty | Unfit | 1.0 (a) | |
| | Degraded Fitness | 5 | |
| | Nominal | 1 ✓ | |
| 8. Work Processes | Poor | 2 | |
| | Nominal | 1 ✓ | |
| | Good | 0.8 | |

a. Task failure probability is 1.0 regardless of other PSFs.
Table 3. Task failure probability without formal dependence worksheet.
| Task Portion | Nom. Prob. | Time | Stress | Compl. | Exper./Train. | Proced. | Ergon. | Fitness | Work Process | Prob. |
|---|---|---|---|---|---|---|---|---|---|---|
| Diag. | 1.0E-2 | na | | | | | | | | |
| Action | 1.0E-3 | 10 | 5 | 1 | 1 | 1 | 1 | 1 | 1 | 5.0E-2 |
| Total | | | | | | | | | | 5.0E-2 |

SPAR Model Human Error Worksheet (Page 3 of 3)
For all tasks, except the first task in the sequence, use the table and formulae below to calculate the Task Failure Probability With Formal Dependence.
Table 4. Dependency condition worksheet.
| Condition Number | Crew (same or different) | Location (same or different) | Time (close in time or not close in time) | Cues (additional or not additional) | Dependency |
|---|---|---|---|---|---|
| 1 ✓ | s | s | c | - | complete |
| 2 | s | s | nc | na | high |
| 3 | s | s | nc | a | moderate |
| 4 | s | d | c | - | high |
| 5 | s | d | nc | na | moderate |
| 6 | s | d | nc | a | low |
| 7 | d | s | c | - | moderate |
| 8 | d | s | nc | na | low |
| 9 | d | s | nc | a | low |
| 10 | d | d | c | - | moderate |
| 11 | d | d | nc | na | low |
| 12 | d | d | nc | a | low |
| 13 | | | | | zero |

Number of Human Action Failures Rule:

- If this error is the 3rd error in the sequence, then the dependency is at least moderate.
- If this error is the 4th error in the sequence, then the dependency is at least high.
- This rule may be ignored only if there is compelling evidence for less dependence with the previous tasks.

Using P = Task Failure Probability Without Formal Dependence (calculated on page 2):

- ✓ For Complete Dependence the probability of failure = 1.0
- For High Dependence the probability of failure = (1 + P)/2
- For Moderate Dependence the probability of failure = (1 + 6P)/7
- For Low Dependence the probability of failure = (1 + 19P)/20
- For Zero Dependence the probability of failure = P

Task Failure Probability With Formal Dependence = 1.0
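The worksheet arithmetic for this event, as an added Python example that is not part of the NRC analysis: it multiplies the nominal probability by the PSF multipliers (Table 3), looks up the Table 4 dependency level with the number-of-failures rule, and applies the dependence formulas. The function names, the cap at 1.0, the treatment of a first task as zero dependence, and applying the 4th-error floor to later errors are assumptions of this example.

```python
from math import prod

CERTAIN = None  # footnote-a level (Inadequate time, Unfit): failure probability is 1.0

def portion_probability(nominal, multipliers):
    """Table 3 row: nominal probability times the eight PSF multipliers."""
    if any(m is CERTAIN for m in multipliers):
        return 1.0
    return min(1.0, nominal * prod(multipliers))  # cap at 1.0 is this example's guard

# Table 4, conditions 1-12. Key: crew (s/d), location (s/d), time (c/nc),
# cues (None when close in time, otherwise "na" or "a").
TABLE_4 = {
    ("s", "s", "c", None): "complete",  ("s", "s", "nc", "na"): "high",
    ("s", "s", "nc", "a"): "moderate",  ("s", "d", "c", None): "high",
    ("s", "d", "nc", "na"): "moderate", ("s", "d", "nc", "a"): "low",
    ("d", "s", "c", None): "moderate",  ("d", "s", "nc", "na"): "low",
    ("d", "s", "nc", "a"): "low",       ("d", "d", "c", None): "moderate",
    ("d", "d", "nc", "na"): "low",      ("d", "d", "nc", "a"): "low",
}
LEVELS = ["zero", "low", "moderate", "high", "complete"]

def dependency_level(crew, location, time, cues=None, error_number=2):
    """Table 4 lookup plus the number-of-failures rule (3rd error: at least
    moderate, 4th error: at least high). Assumption: a first task gets 'zero'."""
    if error_number <= 1:
        return "zero"
    level = TABLE_4[(crew, location, time, cues)]
    floor = "high" if error_number >= 4 else "moderate" if error_number == 3 else "zero"
    return max(level, floor, key=LEVELS.index)

def with_dependence(p, level):
    """Dependence formulas from page 3 of the worksheet."""
    return {"complete": 1.0, "high": (1 + p) / 2, "moderate": (1 + 6 * p) / 7,
            "low": (1 + 19 * p) / 20, "zero": p}[level]

# Values filled in on the worksheet for AFW-XHE-XL-MDPFRD-1A1 (no diagnosis portion).
action = portion_probability(1.0e-3, [10, 5, 1, 1, 1, 1, 1, 1])  # Table 3 action row
level = dependency_level("s", "s", "c")                          # condition 1 is checked
print(f"P = {action:.1E}, dependency = {level}, "
      f"with dependence = {with_dependence(action, level):.1E}")
```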