Trip Monitor Customization and Implementation Guideline

Technical Report

10427354
Trip Monitor Customization and Implementation Guideline

1009112

Final Report, January 2004

EPRI Project Manager
F. Rahn

EPRI • 3412 Hillview Avenue, Palo Alto, California 94304 • PO Box 10412, Palo Alto, California 94303 • USA
800.313.3774 • 650.855.2121 • askepri@epri.com • www.epri.com

DISCLAIMER OF WARRANTIES AND LIMITATION OF LIABILITIES
THIS DOCUMENT WAS PREPARED BY THE ORGANIZATION(S) NAMED BELOW AS AN
ACCOUNT OF WORK SPONSORED OR COSPONSORED BY THE ELECTRIC POWER RESEARCH
INSTITUTE, INC. (EPRI). NEITHER EPRI, ANY MEMBER OF EPRI, ANY COSPONSOR, THE
ORGANIZATION(S) BELOW, NOR ANY PERSON ACTING ON BEHALF OF ANY OF THEM:

(A) MAKES ANY WARRANTY OR REPRESENTATION WHATSOEVER, EXPRESS OR IMPLIED, (I)
WITH RESPECT TO THE USE OF ANY INFORMATION, APPARATUS, METHOD, PROCESS, OR
SIMILAR ITEM DISCLOSED IN THIS DOCUMENT, INCLUDING MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE, OR (II) THAT SUCH USE DOES NOT INFRINGE ON OR
INTERFERE WITH PRIVATELY OWNED RIGHTS, INCLUDING ANY PARTY'S INTELLECTUAL
PROPERTY, OR (III) THAT THIS DOCUMENT IS SUITABLE TO ANY PARTICULAR USER'S
CIRCUMSTANCE; OR

(B) ASSUMES RESPONSIBILITY FOR ANY DAMAGES OR OTHER LIABILITY WHATSOEVER
(INCLUDING ANY CONSEQUENTIAL DAMAGES, EVEN IF EPRI OR ANY EPRI REPRESENTATIVE
HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES) RESULTING FROM YOUR
SELECTION OR USE OF THIS DOCUMENT OR ANY INFORMATION, APPARATUS, METHOD,
PROCESS, OR SIMILAR ITEM DISCLOSED IN THIS DOCUMENT.

ORGANIZATION(S) THAT PREPARED THIS DOCUMENT

Data Systems and Solutions

ORDERING INFORMATION
Requests for copies of this report should be directed to EPRI Orders and Conferences, 1355 Willow
Way, Suite 278, Concord, CA 94520, (800) 313-3774, press 2 or internally x5379, (925) 609-9169,
(925) 609-1310 (fax).

Electric Power Research Institute and EPRI are registered service marks of the Electric Power
Research Institute, Inc. EPRI. ELECTRIFY THE WORLD is a service mark of the Electric Power
Research Institute, Inc.

Copyright © 2004 Electric Power Research Institute, Inc. All rights reserved.

CITATIONS

This report was prepared by

Data Systems and Solutions
4290 El Camino Real
Los Altos, CA 94022

Principal Investigators
K. Canavan
G. Hannaman

This report describes research sponsored by EPRI.

The report is a corporate document that should be cited in the literature in the following manner:

Trip Monitor Customization and Implementation Guideline, EPRI, Palo Alto, CA: 2004.
1009112.

REPORT SUMMARY

Trip monitors are valuable tools for keeping track of the status of nuclear power plants based on
components that are in and out of service during operation. Lessons learned from early trip
monitors and improvement in software capabilities have led to trip and derate models that can be
more focused and therefore less costly to implement. This document describes a method for
quantifying the trip and derate conditions for a simplified monitoring system and Generation
Risk Model.

Background
Regulated energy providers have a regulated rate of return on investments and make resource
allocation decisions based mainly on safety risk. Economically, costs, not revenues, affect
decisions. In a market-driven industry, treatment of both business and safety risks is crucial for
success. Plants need tools to assist management in making decisions involving the operation and
maintenance of equipment whose failure can cause reactor trips or down-power events and
impact productivity and revenues. Development of asset management and life cycle management
methods and software requires a model for quantifying the decrease in plant generation caused
by system and component failures. Trip monitoring provides a necessary input to such a model.

Objectives
• To provide nuclear plants with a simplified generic trip modeling method as an approach for
the construction of a plant-specific trip model that includes down-power
• To provide plants the output of the generic trip model in a form and with the required content
for use as an availability model within generation risk assessment (GRA) tools.

Approach
The researchers used their expertise in probabilistic risk assessment (PRA) to develop a
simplified trip modeling process and, working with a pilot utility, developed a trip monitor. The
researchers summarized the lessons learned during this process to help future model building.
They used the model they developed as input for building a framework for demonstrating a
generation risk model (GRM). The trip model developed in this project can be viewed as a
module of a GRM. The GRM, in turn, is an important module of a future nuclear asset
management tool for analyzing the effects of equipment reliability and availability on plant value
and resource allocation decision-making.

Results
The trip model framework consists of the generic “top logic” of an event tree and two detailed
demonstration system availability models for PWR designs. The generic top logic will provide a
logic structure that defines the scope of systems to be modeled in a trip model. This logic
structure facilitates the calculation of plant trip frequency based on current plant configuration
and conditions. A plant’s PRA staff can customize the framework provided in the report to fit
plant-specific systems and meet the plant’s needs. The report also describes how the trip model
can be used as a module of a risk-informed asset value model or to predict future lost power
generation for value optimization in equipment life cycle management (LCM) planning.

EPRI Perspective
The example provided in this report was developed in partnership with a Westinghouse four-loop
plant. Most plants can supply comparable information from documentation developed for other
activities.

Keywords
Trip monitors
Probabilistic risk assessment
Life cycle management
Generation risk model

CONTENTS

1 INTRODUCTION ................................................................................................................. 1-1

2 OVERVIEW OF SIMPLIFIED TRIP MONITOR .................................................................... 2-1


2.1 Computer Screen Interface ....................................................................................... 2-1
2.2 Trip Model Top Logic ................................................................................................ 2-1
2.3 Detailed System Models............................................................................................ 2-2
2.4 Interface With Other Tools ........................................................................................ 2-3
2.4.1 Life Cycle Management .................................................................................... 2-4
2.4.2 Grid reliability Model ......................................................................................... 2-5

3 DEFINITIONS AND TERMS ................................................................................................ 3-1

4 TRIP MONITOR INTERFACE.............................................................................................. 4-1


4.1 Organization of the Top Computer Screen ................................................................ 4-1
4.2 Secondary System Detail Screens............................................................................ 4-3
4.3 Relationship to components within a segment........................................................... 4-4
4.4 Setting up a new condition........................................................................................ 4-5

5 TOP LOGIC DEVELOPMENT ............................................................................................. 5-1


5.1 Basic structure of top logic and links to system models ............................................. 5-1
5.1.1 Top Logic.......................................................................................................... 5-1
5.1.2 Link to Detailed System Analysis ...................................................................... 5-2
5.1.2.1 Intermediate Logic......................................................................................... 5-3
5.1.2.2 Basic events.................................................................................................. 5-3
5.1.2.3 Component data............................................................................................ 5-3
5.1.3 Prioritizing systems by trip potential.................................................................. 5-4
5.1.3.1 Maintenance Rule Classification.................................................................... 5-4
5.1.3.2 Questions for Assessing Trip Potential .......................................................... 5-6
5.1.3.3 Frequency of occurrence............................................................................... 5-6

5.2 Scenarios for trip and derate top events.................................................................... 5-7
5.2.1 Immediate trip or derate following component failure........................................ 5-8
5.2.2 Delayed shutdown following a component failure ............................................. 5-8
5.2.3 Reduced control margin following a component failure ..................................... 5-8
5.2.4 Technical Specification when exceeding a time limit for SSC repair ................. 5-8
5.2.5 Component failure generates a trip signal (ESFAS).......................................... 5-9
5.2.6 Safety System failure causes a trip................................................................... 5-9
5.3 Data on trips and derates .......................................................................................... 5-9
5.4 Organizing Top Logic for Trips and Derates ............................................................5-12

6 DETAILED MODELING OF SYSTEMS ............................................................................... 6-1


6.1 Selecting Key Systems.............................................................................................. 6-1
6.2 Modeling assumptions and conditions....................................................................... 6-1
6.3 Guidelines for Detailed modeling............................................................................... 6-2
6.3.1 Development of System Simplified Schematics ................................................ 6-2
6.3.2 System Dependencies...................................................................................... 6-2
6.3.3 Determining the method of system failure modeling ......................................... 6-3
6.3.4 Fault Tree Development ................................................................................... 6-3
6.3.4.1 Top Event...................................................................................................... 6-4
6.3.4.2 Logical Gates ................................................................................................ 6-5
6.3.4.3 Developed Events ......................................................................................... 6-5
6.3.4.4 Basic Events ................................................................................................. 6-6
6.3.4.4.1 Active components................................................................................. 6-6
6.3.4.4.2 Passive components.............................................................................. 6-6
6.3.4.4.3 Subtle Interaction Failures ..................................................................... 6-7
6.4 Basic events from a list ............................................................................................. 6-7
6.5 Using PRA Models as a Starting Point.................................................................6-10
6.5.1 Identify the key scenarios that lead to a trip within the key systems.................6-10
6.5.1.1 System review to identify PRA logic and models ..........................................6-10
6.5.1.2 Use the PRA model and database where appropriate ..................................6-11
6.5.2 Modifying the PRA models ..............................................................................6-11
6.6 Fault Tree Quantification ..........................................................................................6-12
6.6.1 Component Operational Failures .....................................................................6-12
6.6.2 Demand Failure of a Standby Component .......................................................6-12
6.6.3 Unavailability Of A Standby Component ..........................................................6-13

6.7 Developing system segment boundaries for trip and derate conditions ....................6-13
6.7.1 Determination of System Boundaries...............................................................6-13
6.7.2 Defining List of Components by Systems ........................................................6-13
6.8 Example system modeling details for trip fault tree...................................................6-14
6.8.1 Circulating water system CW...........................................................................6-14
6.8.1.1 Key Assumptions in PRA model ...................................................................6-14
6.8.1.2 CW PRA fault tree applicability to trip monitor ..............................................6-14
6.8.2 Condenser Vacuum pump ...................................................................................6-15
6.8.2.1 Key assumptions ..........................................................................................6-15
6.8.2.2 Applicability to Trip monitor...........................................................................6-15
6.8.2.3 Condenser Vacuum Faults ...........................................................................6-15
6.8.3 Electro-hydraulic control (EH) ..........................................................................6-15
6.8.3.1 System description .......................................................................................6-15
6.8.3.2 Key components and redundancies in the system........................................6-16
6.8.4 Condensate System (CO)................................................................................6-17
6.8.4.1 System description .......................................................................................6-17
6.8.4.2 Key components and redundancies..............................................................6-17
6.9 Lessons from Modeling ............................................................................................6-19
6.9.1 Modeling Segment Boundaries........................................................................6-19
6.9.2 Priority of inputs...............................................................................................6-19
6.9.3 Evaluate each system for impact on trip and derate ........................................6-20
6.9.4 Calibration of the trip monitor...........................................................................6-20

7 REFERENCES .................................................................................................................... 7-1

LIST OF FIGURES

Figure 4-1 Top-level screen .................................................................................................... 4-3


Figure 4-2 Secondary components in the top screen .............................................................. 4-4
Figure 4-3 Condensate system ............................................................................................... 4-5
Figure 4-4 Use of a list to select a component outage............................................................. 4-6
Figure 4-5 Direct selection of components for outage ............................................................. 4-7
Figure 5-1 Basic layout of Top Logic and connection to Detailed System models ................... 5-2
Figure 5-2 Types of system level trips that lead to a plant trip ................................................. 5-7
Figure 6-1 Top logic expansion to the MR functional criteria ................................................... 6-5
Figure 6-2 Expansion of EH1 to the Basic event level ............................................................. 6-6
Figure 6-3 Using the Pick list to take out an EH system component........................................ 6-9
Figure 6-4 Trip monitor interface with layout of the EH critical components............................. 6-9
Figure 6-5 Impact of taking a component out of service .........................................................6-10

LIST OF TABLES

Table 5-1 List of Systems with an identified potential for causing a plant trip .......................... 5-5
Table 5-2 Causes of load reduction or trip in PWRs ................................................................ 5-7
Table 5-3 Relative cause ranking of outage and derates for US PWRs from NERC...............5-10
Table 5-4 Listing of systems to be modeled in the top logic....................................................5-11
Table 5-5 Descriptions of potential trip causes by function in each system from Ref 2 ...........5-13
Table 6-1 Example components from the PM databases ........................................................ 6-8

1 INTRODUCTION

Trip monitors are valuable tools for keeping track of the plant status based on components that
are in and out of service during operation. This promotes better decision making when
prioritizing and selecting components to maintain while online to avoid trips and minimize
potential power reductions or derates. The early trip monitors proved resource
intensive to build and implement. The lessons learned from the early trip monitors and the
improvement in software capabilities have resulted in the ability to build trip and derate models
that can be more focused and therefore less costly to implement. The focused approach builds
the trip and derate model in a top-down manner so that the models can be useful even though
some of the detailed system models are not developed to the same level of refinement. If
justified by benefit and cost, the simplified trip and derate model can be improved as new
situations arise and a wider range of systems that are much less likely to trigger a trip or
derate are included and further refined.

This document addresses the processes for developing the model that quantifies the trip and
derate conditions for a simplified monitoring system and Generation Risk Model. The idea is to
develop a prioritized process that addresses the important systems that can lead to a trip or derate
condition in detail, while the less important systems are modeled with less refinement. An
iterative process can then be used to refine the models based on plant specific needs and benefit-
cost.

The model is also used to support other assessments that support decision-making. For
example, the base model provides input information for performing life cycle management
(LCM) assessments. The LCMs use the frequency of a component failure and associated
impacts on the plant to develop an outage frequency and plant restoration time. Then changes to
the component reliability and plant restoration strategy can be used to evaluate alternate LCMs
for the component.

The example provided in this report was developed in partnership with a pilot plant. The pilot
plant is a Westinghouse four-loop plant. The information used is typically available from most
plants as developed for other activities and requirements for documentation.

2 OVERVIEW OF SIMPLIFIED TRIP MONITOR

The key elements needed to produce a simplified trip monitor are (1) the interface screen, (2) the
top logic of the plant systems, and (3) the detailed system models. The simplified trip and derate
model can operate with trial values for failure rate data that can be applied at the system, train,
segment or basic component level. The main use of the simplified trip and derate monitor is as a
decision support tool for plant operators to gauge the risk of trip and derate when selecting
components for maintenance and testing while at full power. The results of the trip monitor may
also be used as inputs to other analysis activities such as support for grid power flow analysis,
nuclear asset management (NAM), or life cycle cost (LCC) analysis and evaluation.

2.1 Computer Screen Interface

The first element for trip and derate monitor development is to lay out the information interface
to the operator or other users. This process helps define the global systems to be considered and
the risk measurement scales. The screen development and updates are iterative with the
development of the top logic and detailed system models.

In this guideline the modeling approach uses the EOOS software to produce the main interface
screens. Other interface tools can also be used to implement the process. However, the key
interface objective is to define the indicators to be monitored. In this example, the indicators
chosen are frequencies of trip and derate. The interface is then connected to the supporting files
and databases, which is performed within the EOOS software.

2.2 Trip Model Top Logic

The second element for trip monitor development is to develop a top logic model that includes
selected systems whose failure can cause a plant trip or derate. The top logic model serves to
connect the screen interface with the causes of trip within a system, and to the detailed modeling
within the system. The top logic modeling is iterative with both the screen interface and the
detailed modeling.

Iterations between the top logic and detailed systems typically take place in the upper portion of
the detailed system logic models, which is termed intermediate logic. Iterations between the top
logic and screen take place within the EOOS software.

Information for developing the top logic can be found in the plant maintenance rule
documentation, which typically provides an assessment of each system’s potential to cause a trip
or derate. The maintenance rule initially addressed safety components, but has been extended to
all systems that can cause a trip or derate of the plant.

The listing of the systems that can cause trips should be prioritized so that the detailed modeling
can address the most likely systems to cause trips or derates in the order of importance. This
provides a road map for the systems to evaluate next. Information to support the prioritization
can include plant or industry data on trip causes, scenarios identified in the maintenance rule by
function, or categories for trip in the PSA. Some judgment is needed to prioritize the list
according to the needs of the plant.

In the example, the top logic model is developed within the EOOS/CAFTA software modules
(although other fault tree modeling software can be used). Development of the top logic model
makes use of the best plant information available. Identification and review of existing
information can help structure the way the top logic is developed. In the customization example,
the maintenance rule (MR) database, the plant-specific preventive maintenance (PM) database,
and other information were used to support the top logic fault tree model. The objective is to
develop a model that becomes active and useful using the minimal amount of resources while
still capturing the key contributors to trip and derate. Therefore, the historical key contributors
to power reductions and trips, both for the nuclear industry and for the specific plant, were
identified by review of various databases. In the example, the MR information provided success
functions for each system in the plant, and the hardware required for each function was listed in
the PM database.

The trip monitor finally incorporated 50 of the 114 systems addressed in the MR database. The
listing includes non-safety equipment that is important to production. The priorities were on
systems that had clear means of causing rapid trips and power reductions through failure of a
component or components in the system. The lower priority systems were those that did not
appear in the trip experience databases or whose functions for trip were less direct (e.g.,
technical specification required, operator judgment based on signal information, and loss of the
ability to withstand internal and external transients).

Additional considerations for top logic were (1) grouping by the cause of trip (e.g., turbine trip)
for possible calibrations with the database information, and (2) expanding the systems to
functional success criteria (e.g., provide manual and automatic regulation of turbine control
system, in operation in modes 1-3), which are listed in the plant specific MR document. The
resulting functional events then become system level inputs, which can be used to support logic
differences between systems and components leading to the trip and derate top events.

2.3 Detailed System Models

The third key element for a simplified trip monitor is the detailed systems assessment and
modeling. The role of the systems analysis is to make the monitor responsive to realistic plant
behavior, and consider the special protections in the plant to avoid trip and derate conditions
even though some equipment is out of service. The process for developing the detailed system
logic and incorporating it into the trip monitor uses fault tree methods and software such as
CAFTA and EOOS, but other codes may be used as well. This portion of the analysis
determines how conservatively or realistically the trip monitor behaves by incorporating
intermediate logic models that recognize redundancies within the system and link the component,
train, or segment information to the top logic.

Modeling of plant trip and outage for components in each system is reflected at different levels
of detail. They are represented as basic events, simple or detailed fault trees, and updated cutset
evaluations. The models of each system are integrated through EOOS to include the level of
detail necessary to describe different possible impacts on the trip frequency and outage duration.
New plant configurations (e.g., conditions with components or trains out for service while the
plant is at full power) can be modeled to evaluate the change in predicted outage frequency. The
results are presented in a status panel.

The component or lowest level basic event in the model can be assigned trial values for the
failure probability, or detailed failure rate assessments can be made to support the probability
quantification.

There are two approaches for providing the inputs to the system models. The first is to
incorporate the system components into the model through OR gates via a database, if this
information is available. The database approach connects the systems to the specific databases.
It provides for a rapid startup of the model; however, it is conservative because it does not
consider the key system redundancies that protect the plant from a derate or trip. The second is
to examine the systems in detail to understand where key redundancies do exist and then develop
the appropriate logic model adjustments by including system-specific AND gates. This logic
element is called “intermediate logic.”¹ Within this approach the fault tree models can draw
upon existing PRA fault trees, if applicable. If the PRA fault trees are used as starting points,
some adjustments are needed to make them applicable. Removing dependent information such
as CCF, out for maintenance, and support systems will require changes to gate names for
compatibility with the PRA models.

For systems with known redundancies, but without an existing fault tree model, the database
connections to the trip monitor can be improved by building intermediate logic models of the
system. The models can address the redundancies and connect to the grouped components
within the train or segment. New fault trees are built from the lists of the system components,
review of the drawings and discussion of the operation to identify the redundancies that apply to
trip and derate.
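The two input approaches described in this section can be compared side by side in a small fault tree evaluator. The following is an added example written for this guideline; it is not code from the report or from the EOOS or CAFTA tools, and the system labels (CO, CW, EH), component names and trial failure probabilities it uses are constructed for illustration only. It builds the same top event twice: once with the database approach (every listed component under an OR gate) and once with intermediate logic that credits the redundant pump pairs through AND gates, then evaluates both for the base configuration and for a configuration with one condensate pump taken out of service.

```python
import math
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Union

# Constructed trial values (not plant data): probability that the component
# fails during the evaluation window the monitor is asked about.
TRIAL_VALUES = {
    "CO_PUMP_A": 0.10, "CO_PUMP_B": 0.10,   # redundant condensate pumps
    "CO_HEADER": 0.02,                      # single condensate discharge header
    "CW_TRAIN":  0.05,                      # circulating water, one segment
    "EH_PUMP_1": 0.20, "EH_PUMP_2": 0.20,   # redundant electro-hydraulic pumps
}


@dataclass
class BasicEvent:
    """Lowest-level event: a component failure with a trial probability."""
    name: str
    p: float
    out_of_service: bool = False

    def value(self) -> float:
        # A component taken out for maintenance is treated as already failed,
        # which is how a new plant configuration is entered into the monitor.
        return 1.0 if self.out_of_service else self.p


@dataclass
class Gate:
    """AND gate = redundancy (all inputs must fail); OR gate = any input fails."""
    name: str
    kind: str
    inputs: List["Node"]

    def value(self) -> float:
        vals = [n.value() for n in self.inputs]
        if self.kind == "AND":
            return math.prod(vals)                      # independent events assumed
        if self.kind == "OR":
            return 1.0 - math.prod(1.0 - v for v in vals)
        raise ValueError(f"unknown gate kind {self.kind!r}")


Node = Union[BasicEvent, Gate]
TreeBuilder = Callable[[Dict[str, BasicEvent]], Gate]


def make_events() -> Dict[str, BasicEvent]:
    return {name: BasicEvent(name, p) for name, p in TRIAL_VALUES.items()}


def database_tree(ev: Dict[str, BasicEvent]) -> Gate:
    """Database approach: every listed component feeds the trip top event via OR."""
    return Gate("PLANT_TRIP", "OR", list(ev.values()))


def intermediate_logic_tree(ev: Dict[str, BasicEvent]) -> Gate:
    """Top logic (OR of system-level trips) over intermediate logic that
    credits the redundant pump pairs with AND gates."""
    co = Gate("CO_TRIP", "OR", [
        Gate("CO_BOTH_PUMPS", "AND", [ev["CO_PUMP_A"], ev["CO_PUMP_B"]]),
        ev["CO_HEADER"],
    ])
    cw = Gate("CW_TRIP", "OR", [ev["CW_TRAIN"]])
    eh = Gate("EH_TRIP", "AND", [ev["EH_PUMP_1"], ev["EH_PUMP_2"]])
    return Gate("PLANT_TRIP", "OR", [co, cw, eh])


def trip_probability(build: TreeBuilder, out_of_service: Iterable[str] = ()) -> float:
    """Evaluate the top event for a configuration with the named components out."""
    ev = make_events()
    for name in out_of_service:
        ev[name].out_of_service = True
    return build(ev).value()


def status_band(p: float) -> str:
    """Constructed status-panel thresholds; a plant would calibrate its own scale."""
    if p < 0.05:
        return "GREEN"
    if p < 0.15:
        return "YELLOW"
    return "RED"


if __name__ == "__main__":
    for label, build in (("database OR-only", database_tree),
                         ("intermediate logic", intermediate_logic_tree)):
        for out in ((), ("CO_PUMP_A",)):
            p = trip_probability(build, out)
            print(f"{label:19s} out={list(out)!s:15s} P(trip)={p:.4f} {status_band(p)}")
```

Run as-is, the OR-only tree reports a much higher baseline and reads P(trip) = 1.0 the moment a single pump is tagged out, whereas the intermediate-logic tree credits the remaining pump and moves the indicator one band rather than to certainty. That difference is the conservatism of the database approach described in the text, and it is why the intermediate logic matters most for the trip tree and less for the derate tree.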

2.4 Interface With Other Tools

Since trip monitors are valuable tools for keeping track of the combination of SSC failures that
can cause a reduction in power generation, they become valuable inputs to other types of
assessments. Two examples are discussed below. Life cycle management studies can benefit
from models that can be used to predict future plant power production when considering the
failure rate of SSCs and their impact on plant power production. Likewise, grid stability
assessments with up-to-date estimates of the plant trip probability can help grid power
controllers provide adequate spinning reserve to meet requirements for electrical blackout
protection. Use of such models and analysis promotes better decision making when prioritizing
decisions involving investments and cost of power delivery.

¹ Intermediate logic is the important upper level of the detailed system logic where train and segment level events
are placed into either AND or OR gates to the top events of trip and derate developed in the top logic. The
intermediate logic includes forms of redundancy (e.g., AND gates) that account for operational factors and segment
or train redundancy that protect against a full trip. In the case of the derate tree there is less need for this
intermediate logic, because each component failure generally results in a direct derate; there are some exceptions, of
course.

2.4.1 Life Cycle Management

A key objective of Life Cycle Management (LCM) is the development of a complete life cycle
approach for the maintenance of each system, structure, and component (SSC) important to plant
operation and safety to optimize its value to the plant. Broadly, this involves management
decisions about SSCs during design, operation, and decommissioning of a facility. With the
plants currently in the operational phase, LCM addresses preventive and corrective maintenance
inspection schedules (including SSC replacement/refurbishment) and/or redesign, with the benefit-
cost ratio in mind.

Cost optimization could be achieved if maintenance on any item in the plant could be performed
“just in time”. In this way the maximum reliability and availability of each SSC would be
obtained at the minimum maintenance cost. However, there can be significant uncertainty in
the estimate of an SSC failure rate and thus in its predicted time of failure. The contributors to this
uncertainty include the type of failure, the time between inspections at which the health of the SSC
is monitored, the uncertainty in the ability of a measuring system to detect impending failure, the
impact of reduced SSC margin to failure on overall plant operation, and uncertainty in the
stressors the SSC will see during an inspection cycle.

In the case of large nuclear power generating stations, the cost of interrupted generation due to a
trip amounts to on the order of 1 million dollars per day in lost revenue. During normal
operation the fixed costs amount to 30 to 40% of the revenue; thus huge savings accrue from
avoiding a plant trip. Also, the cost of repair or replacement of most components is small with
respect to the cost of lost generation. Plant operators therefore have significant incentive to avoid
unplanned trips and lengthy outages for SSC maintenance and repair.

To overcome uncertainties in the failure probability of SSCs that can cause a trip or render a
safety system unavailable, plant operators often take the approach of frequent inspections, with
full refurbishment if anything is found wrong. Frequent inspections are built into most technical
specifications for safety equipment. In the case of balance of plant equipment there is more
flexibility in inspection and repair approaches. Calling for frequent SSC inspections that
require the plant to be taken off line is clearly not an optimal approach from a cost viewpoint,
especially if failure of SSCs can be predicted more accurately and the priority of a component
can be understood by knowing the potential impact of its failure and of its replacement or repair
on generation.

LCM during the operational phase of a plant can benefit from improved prediction of the effect
of equipment outages on plant productivity. The trip model developed here provides the key
element, the frequency of combined SSC failures, as input to a Generation Risk Model (GRM) that
can provide estimates of the potential for lost megawatt hours when the plant is generating less
than full power and is under SSC repair.

The details of a GRM are discussed in a companion report [12].

2.4.2 Grid Reliability Model

With the shift to competitive power supplies, the nation's electrical grid is the key element
permitting the flow of electricity from a power source to a load center. From the grid reliability
perspective the loads and generation sources must be in continuous balance, consistent with
constraints imposed by the physical transmission network and the physics of electricity.² This
requires metering, control systems, computing, and telecommunication systems to monitor loads
and generation, and to avoid transmission bottlenecks by balancing the generation output to match
the load. Control is primarily by adjusting the generation output and by opening and closing
breakers to add or remove transmission lines from service and slightly adjust the voltage level.
Thus, every action on the grid affects all the other actions on the grid.

Knowledge of an increased trip or derate potential would therefore assist grid planners in
increasing the spinning reserve and in verifying the ability to reroute power flow should a large
generator trip off line. The trip and derate indicators can thus provide grid flow modelers with a
probability value that represents the potential for internal plant faults that either cause the plant to
trip or limit the ability of the plant to adjust to small grid instabilities.

² Electricity flows at the speed of light, requiring instantaneous control actions (within small fractions of a second).

3
DEFINITIONS AND TERMS

Accident mitigating systems - front-line systems and their associated support systems.

Accident sequence - a representation, in terms of an initiating event followed by a combination of
system, function and operator failures or successes, of an accident that can lead to undesired
consequences, with a specified end state (e.g., derate, trip, core damage or large early release).

Active component - a component whose parts move and whose functioning depends on proper
operation of another system or component (e.g., control device, power source, etc.).

Aging (noun) - general process in which characteristics of an SSC gradually change with time or
use

Aging assessment - evaluation of appropriate information for determining the effects of aging on
the current and future ability of SSCs to function within acceptance criteria

Aging degradation - aging effects that could impair the ability of an SSC to function within
acceptance criteria

Examples: reductions in diameter from wear of a rotating shaft, loss in material strength
from fatigue or thermal aging, swell of potting compounds, and loss of dielectric strength
or insulation cracking

Aging effects - net changes in characteristics of an SSC that occur with time or use and are due
to aging mechanisms

Examples: negative effects -- see aging degradation; positive effects -- increase in
concrete strength from curing; reduced vibration from wear-in of rotating machinery

Aging management - engineering, operations, and maintenance actions to control within
acceptable limits aging degradation and wearout of SSCs

Examples of engineering actions: design, qualification, and failure analysis.

Examples of operations actions: surveillance, carrying out operational procedures within
specified limits, and performing environmental measurements


Aging mechanism - specific process that gradually changes characteristics of an SSC with time or
use

Examples: curing, wear, fatigue, creep, erosion, microbiological fouling, corrosion,
embrittlement, and chemical or biological reactions

Basic event - an event at the lowest level in a fault tree that is logically independent of other events

Boolean expression - a mathematical expression that presents, by means of logical statements,
the set of failures resulting in a trip or derate.

Characteristic - property or attribute of an SSC (such as shape; dimension; weight; condition
indicator; functional indicator; performance; or mechanical, chemical, or electrical property)

Common cause failure (CCF) - the failure of a number of components that is a result of a single
specific event (failure of associated component (system), human error, internal or external
impact)

Component - an identifiable element in terms of equipment, devices, pipes, cables,
constructions, and other elements designated to perform specific functions solely or as a part of the
system, and considered as a design structural element when performing reliability and safety
analysis.

Condition - surrounding physical state or influence that can affect an SSC; also, the state or level
of characteristics of an SSC that can affect its ability to perform a design function

Condition indicator - characteristic that can be observed, measured, or trended to infer or directly
indicate the current and future ability of an SSC to function within acceptance criteria

Condition monitoring - observation, measurement, and evaluation of condition or functional
indicators with respect to some independent parameter (usually time or cycles) to indicate the
past and current ability of an SSC to function within acceptance criteria (operational assessment
uses the observations to predict future ability of the SSC to function within the acceptance
criteria).

Conditional Probability of Trip (CPT) - a performance factor that accounts for failure to reach a
derate state, instead losing all generation; it depends on control systems and operators to avoid
a full trip and is a plant-specific factor for each system.

Control and monitoring systems - those designed to control and monitor normal operation
systems.

Control safety systems - those designed to actuate and control safety systems functioning.

Cut set - a sequence of component failures and/or human errors that results in non-performance
of a safety function.


Developed event - a complex event that is the result of logical interactions of a number of basic
events and/or other developed events.

Event tree - a logical model that expresses in graphic form the different ways an accident
sequence can develop for the initiating event group being considered, depending on the
accomplishment or failure of safety functions and on the success or failure of personnel actions
necessary for prevention of core damage.

Failure - an event of disrupting the operating conditions of a component, system train, structure, or
whole system.

Failure criterion - failure to meet the functional success criterion

Fault tree - a logical model presenting in diagram form the various failure combinations resulting
in safety function non-performance.

Front-line systems - those normal operation systems or protective safety systems which are
directly involved in safety function performance necessary for prevention of core damage

Generation Risk Model - combines the results of a trip/derate model and the repair/recovery
models to estimate the future energy production lost due to failures of SSCs.

Life Cycle Management - a long-range plan for SSCs important to plant safety and operation
that includes preventive maintenance, replacement, refurbishment and/or redesign to optimize
the SSCs' contribution to plant value.

Logical operators - operators describing logical interactions of fault tree elements.

Minimal cut set (of the system) - a failure cut set that contains the minimal number of component
failures and/or human errors. Any smaller combination of these events does not result in system failure.

Normal operation systems - those designated for normal operation.

Passive component - passive components or structures are those that perform an intended
function without moving parts or without a change in configuration or properties. For example, a
passive component does not depend on the functioning of an active component (e.g., control
component, power source, etc.).

Periodic maintenance - form of preventive maintenance consisting of servicing, parts
replacement, surveillance, or testing at predetermined intervals of calendar time, operating time,
or number of cycles

Planned maintenance - form of preventive maintenance consisting of refurbishment or
replacement that is scheduled and performed prior to failure of an SSC


Plant Availability Model - a logic model for evaluating, for any future time period, the probability
of generation loss and the likelihood and repair time (unit down times) associated with a trip or
derate.

Post-maintenance testing - testing after maintenance to verify that maintenance was performed
correctly and that the SSC can function within acceptance criteria

Pre-service conditions - actual physical states or influences on an SSC prior to initial operation
(e.g., fabrication, storage, transportation, installation, and pre-operational testing)

Preventive maintenance - actions that detect, preclude, or mitigate degradation of a functional
SSC to sustain or extend its useful life by controlling degradation and failures to an acceptable
level; there are three types of preventive maintenance: periodic, predictive, and planned

Protection safety system - those process systems designed for preventing or limiting damage to
fuel, fuel cladding, and equipment and pipes containing radioactive products.

Qualified life - period for which an SSC has been demonstrated, through testing, analysis, or
experience, to be capable of functioning within acceptance criteria during specified operating
conditions while retaining the ability to perform its safety functions in a design basis accident or
earthquake

Quantification - calculation of fault tree elements' reliability parameters, total system
unavailability and/or accident sequence probability.

Remaining life - actual period from a stated time to retirement of an SSC

Repair - actions to return a failed SSC to an acceptable condition

Replacement - removal of an undegraded, degraded, or failed SSC or a part thereof and
installation of another in its place that can function within the original acceptance criteria

Retirement - final withdrawal from service of an SSC

Rework - correction of inadequately performed fabrication, installation, or maintenance

Root cause - fundamental reason(s) for an observed condition of an SSC that if corrected
prevents recurrence of the condition

Safety function - a specific purpose and the actions for its accomplishment aimed at accident
prevention or limiting the consequences of the accident

Safety systems - those designed to perform safety functions.

Segment - the boundary of components within a system whose failures have a common impact
on the train or system. All components within the segment are logically connected by an OR
gate.


Service conditions - actual physical states or influences during the service life of an SSC,
including operating conditions (normal and error-induced), design basis event conditions, and
post design basis event conditions

Service life - actual period from initial operation to retirement of an SSC

Servicing - routine actions (including cleaning, adjustment, calibration, and replacement of
consumables) that sustain or extend the useful life of an SSC

Simultaneous effects - combined effects from stressors acting simultaneously

SSC - Those systems, structures, and components whose failure or derate leads to a loss of
electrical power production

Stressor - agent or stimulus that stems from pre-service and service conditions and can produce
immediate or aging degradation of an SSC

Examples: heat, radiation, humidity, steam, chemicals, pressure, vibration, seismic motion,
electrical cycling, and mechanical cycling

Subtle failure - a failure that cannot be identified during plant normal operation or scheduled
tests, and can appear in some abnormal conditions

Success criterion - the minimum number of trains or components of mitigating systems
needed in order to accomplish a safety function to prevent core damage for an initiating event
being considered.

Support systems - normal operation systems, control and monitoring systems, control safety
systems, and support safety systems that are required for the front-line system successful
operation.

Surveillance - observation or measurement of condition or functional indicators to verify that an
SSC currently can function within acceptance criteria

Surveillance requirements - test, calibration, or inspection to assure that the necessary quality of
systems and components is maintained, that facility operation will be within the safety limits,
and that the limiting conditions of operation will be met [10 CFR 50.36] (use only when specific
regulatory and legal connotations are called for)

Surveillance testing - synonym for surveillance, surveillance requirements, and testing (use only
when specific regulatory and legal connotations are called for)

Synergistic effects - portion of changes in characteristics of an SSC produced solely by the
interaction of stressors acting simultaneously, as distinguished from changes produced by
superposition from each stressor acting independently

System - a set of components designed to perform specified functions.

System train - a part of a system designed to perform the system function within a design-specified scope.


Testing - observation or measurement of condition indicators under controlled conditions to
verify that an SSC currently conforms to acceptance criteria

Time in service - time from initial operation of an SSC to a stated time

Top event - an element of fault tree that designates the system or plant failure conditions of
interest

Train - the elements of a system that can operate independently from parallel elements required
to achieve the same function.

Trip Model - a logic model such as a fault tree with a component database for evaluating
frequency of trip and derates given a specified plant configuration

Wearout - failure produced by an aging mechanism

4
TRIP MONITOR INTERFACE

The trip monitor interface provides the means for operators to supply current system
configuration information to the model and to visually obtain information on the trip and
derate potential associated with the plant configuration. Hypothetical changes to the system
configuration can be assessed to evaluate the trip and derate potential before taking the action
during operation. The trip model provides the system status in terms of the trip and derate
probabilities for the current plant configuration. The interface between the trip monitor and the
GRM can be in terms of each SSC importance value or in terms of accident sequence
combinations for a specified plant configuration. The trip monitor interface screen permits
systems to be represented as blocks with drill-downs to lower level trains and components. The
control elements permit the identification of key components within each system and the ability
to set a specific plant configuration for evaluation.

4.1 Organization of the Top Computer Screen

In the example below the top screen was developed using the EOOS software package, although
other software packages can also be used. Three steps were used to develop the interface.

First is development of the top screen system gauges. This step benefits from having top logic
tree names and knowledge of the scales to be developed. A software wizard (software help in
the form of a step by step process for identifying files and selections that are inputs to the trip
and derate monitor) helps organize the files to be used in this process. In the example, CAFTA
and Cutset files were used to support the initial startup of the screens.

The second step is to provide an operator status panel layout of the major plant systems. This
portion of the screen provides a means for the operator to select systems to take out of service.
Sublevel expansions of the systems into trains or segments, where redundancies for trip and
derate are found, can be used to link the components. This was accomplished using the drawing
tools within EOOS and the demonstration plant information. Several options for the operator status
panel layout can be considered. One option is to develop the layout according to the approximate
layout of the systems on the plant panels. This has the advantage of being familiar to the
operator. Another possible layout is to define the blocks according to the process flow from
inputs to outputs, or according to P&IDs. The advantage of this approach is that it is very
easy to follow and is similar to a reliability block diagram. The supporting sub-trees can easily
be connected.

The operator status panel can also include other features such as alarm panels and technical
specifications. The demonstration model includes alarm panels based on the materials available
from the pilot plant. While it is a simple job to copy pictures of the alarm panel layout into the
EOOS software, it requires some engineering time to link each alarm to the failures of the
equipment in the fault tree or pick list. If the alarm panel information were linked to the trip and
derate monitor, it would give operators a quick check on the importance of the alarm.

Technical specification conditions can also be linked to the fault trees to alert operators when
removal of a combination of components triggers a technical specification time window. This
would help the operators identify technical specification issues prior to a planned repair or taking
equipment out of service for repair. Both the technical specification and alarm panels can be
added later, since neither is essential for a simplified trip and derate model. They provide
some ideas of where the model can grow in the future.

The third step is to provide a database of components that can cause trips organized by system.
This database provides a pick list of components to remove or place back into service. The PM
database was very useful in this process, which required reconnection of specific fields within
the database to match the pick list requirements.

Although the interface screen can be started without existing fault trees, the screen hookups to
fault trees are a key activity for making the trip and derate scales operate properly. This is done
during the detailed modeling element development. Detailed modeling development can benefit
from the use of the existing PRA fault trees as a starting point. The main drawback is the need to
adjust the trees to account for trip and derate conditions. If one starts with no detailed system
fault trees, a top logic model should be available to interface with the pick list and the system
layout diagrams. The fault tree can be solved using estimated failure probabilities for each
component to produce an ordered listing of “cutsets.” These cutsets provide the probability of
trip or derate with all components in service. Using the cutset file for this activity eliminates the
need for re-solving the fault tree each time a change is made. The EOOS software provides the
means to link the cutset results to the scales for trip and derate, or to choose fault tree
requantification each time.

Figure 4-1 shows the resulting top screen for the simplified trip and derate monitor. An operator
status panel is provided on the lower part of the top screen. The interface screen development
is iterated with the other elements of the derate model. These iterations include adjustments to the
color ranges, expansion of the operator status panel, and interactions with the fault tree models.


Figure 4-1
Top-level screen

The example systems were selected by addressing the systems expected to cause trips and
derates in the secondary plant. The initial systems involve the turbine-generator, and the
feedwater and condensate systems. Other systems can be added and should be addressed in
the priority of their trip and derate likelihood.

4.2 Secondary System Detail Screens

Secondary screens provide additional detail to a block in the initial operator status screen. By
clicking on the “Secondary Plant” block the key secondary systems are displayed. The intent of
the secondary screen is to provide the key elements of the secondary system in a layout that is
similar to the control room configuration or as a process flow diagram. The example below
shows key elements in larger blocks and the key supporting elements in smaller blocks. The
screens parallel the top logic breakdown of systems into functional trains or segments where
redundancy exists. The detail for each system can be developed on its own, thus building up the
trip monitor to more detail over time beginning with a single top block as shown in Figure 4-2.


Figure 4-2
Secondary components in the top screen

4.3 Relationship to components within a segment

For each system within the secondary plant a detailed block diagram can be developed. By
clicking on the triangle in the condenser segment, the lower screen provides a detailed summary
of the key redundancies within the condensate system in block diagram form. The screen in
Figure 4-3 parallels the development of intermediate logic in the detailed modeling element. In
the example the screen is laid out to match flow into and out of the system. A component known
to be out of service is shown in the activity block. It has a minor impact on the trip and derate
levels, because it is associated with the bypass control on low suction pressure. By itself it has
no impact on full power operation; however, if a condensate pump trips and the bypass
system is not available, it is expected that the plant will trip on low feedwater suction pressure.
If the bypass works, then it is expected that a derate to about 50% would occur. Comparing
Figure 4-2 with Figure 4-3 shows that there is a small increase in the trip probability if the
bypass valve becomes unavailable.


Figure 4-3
Condensate system

4.4 Setting up a new condition

Any component can be placed in or out of service by selecting it from a list of components or
from the detail of the bypass system. Figure 4-4 below shows how any component associated
with the CO (condensate) system can be selected from a pick list.


Figure 4-4
Use of a list to select a component outage

The database supporting this system provides a link between names in the fault tree and tags that
can be recognized by plant operators. Figure 4-5 shows how basic events in the fault tree can be
selected by clicking on the block diagram; in this case, feedwater heater segments are selected.
The result is that the plant is most likely derated but not tripped.


Figure 4-5
Direct selection of components for outage

5
TOP LOGIC DEVELOPMENT

Guidance on the process for development of the top logic information behind the main screens is
based on using the CAFTA and EOOS software.

5.1 Basic structure of top logic and links to system models

The top logic modeling includes identification of each system that can cause a trip or derate.
Top logic is expanded to include intermediate logic and basic events at a high preliminary level
or connect to detailed models.

5.1.1 Top Logic

As shown in Figure 5-1 below, the top block includes inputs from all systems that can cause trips,
connected by OR gates. Thus, if a system function is lost the plant is assumed to trip. The top
logic can include additional layers to match the databases as to the type of trip or to address
sub-functions within the system. This permits the user to calibrate the model by comparison with
the existing databases for system impact on trip and derate conditions.


[Figure 5-1 diagram, recovered text: Trip (top event); Top Logic; System Template and Detailed
System Assessment with single-, dual-, or triple-train redundancy; Intermediate Logic selection,
with Train A and Train B and a performance factor; Modules; Components; Component failure
data (screening estimate; failure rate / repair time). Module selections: pump (motor, pump
casing, breaker, snubber, etc.); valves (operator, body, instrumentation, etc.); electrical (cable
trays, raceways, etc.); piping and appurtenances, snubbers, etc.; structural.]

Figure 5-1
Basic layout of Top Logic and connection to Detailed System models

In the customization example, the systems that could cause a trip or derate were identified
through the Maintenance Rule (MR) database, the plant-specific preventive maintenance (PM)
database, review of historical records for contributors to power reductions and trips, and other
information sources.

The systems included in the trip monitor finally incorporated 50 systems out of the 114
addressed in the MR database. The priorities were on systems that had clear means of causing
rapid trips and power reductions through failure of a component or components in the system.
The lower priority systems were those that did not appear in the trip experience databases, or
whose functions for trip were less direct (e.g., technical specification required, operator judgment
based on signal information, and loss of the ability to withstand internal and external transients).

Additional considerations for top logic were (1) grouping by the cause of trip (e.g., turbine trip)
for possible calibrations with the database information, and (2) expanding the systems to
functional success criteria (e.g., provide manual and automatic regulation of the turbine control
system, in operation in modes 1-3), which are listed in the plant-specific MR document. The
resulting functional events then become top events for the detailed system models.

5.1.2 Link to Detailed System Analysis

Figure 5-1 implies that iterations between the top logic and the detailed system analysis are
expected. Such iterations between the top logic and the screen take place within the EOOS
software.


5.1.2.1 Intermediate Logic

The intermediate logic level addresses differences between trip and derate conditions. This
is where the redundancies and the conditional probability of trip (CPT) are considered in the
modeling. This modeling segment includes the AND gates that apply to trip conditions and the OR
gates for the derate model. The level of detail here goes to the train and segment boundaries where
redundancies can be modeled. The train and segment boundaries should include all components
needed to make the segment available. In principle this includes all piping, valves, pumps,
motors, breakers, control systems, protection circuits, and cables leading to the segment-specific
function. There should be no additional redundancies within the segment or train, as all
components go into OR gates. When more than one AND gate applies to a component, care must
be taken to ensure that the model is working properly.

The intermediate logic supports modeling of both explicit and subtle redundancies within the
system. Inputs to the intermediate logic should have as a minimum segments or trains that group
lists of the components whose failure can cause the same impact on trip or derate. This type of
information can be found in the PM database.

5.1.2.2 Basic events

Basic events or modules should be identified for all components that can be put into an OR gate.
The modules can be broken into an organizational structure. Figure 5-1 groups the components
into categories for the convenience of identification and possible modeling applications.

The priority of component inputs should be:

• Internal failure of active components
• Internal failure of passive electrical
• Internal failure of passive mechanical

The fault tree structure at this point can be organized as a database or as fault tree logic. The lowest
level of input includes basic components whose failure causes loss of the train or segment
function via binary logic. The component level in the fault tree can be linked to a listing of
components joined by an OR gate or to a single basic event. In either case the failure of
any component produces the same condition.

Although such detail is not required for the simplified trip monitor, a refinement is to more
precisely address the specific failure modes for each component. This will more accurately
capture the condition causing an immediate trip or derate, as distinct from finding an unavailable
component during maintenance inspections (e.g., a valve that transfers open rather than one stuck in a
closed position) as a trip cause.

5.1.2.3 Component data

Figure 5-1 also indicates how the component failure data link to the top logic. The component or
lowest level basic event in the model can be assigned a screening value for the failure
probability. The screening value can be based on the analyst's judgment during initial set up and
then refined later with more accurate data or models. The basic unit for a trip monitor is events
per year. If fault trees from other sources such as the PRA are used, the units can be adjusted by
including a factor in the database or the logic model. Detailed failure rate assessments for a
component can be made after the basic model is working, to support more accurate
probability quantification. The trip monitor can function with screening values, but users
should not rely on the probability values.
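The following is an added example, not code from the report or from CAFTA or EOOS, that works the condensate case of Section 4.3 through the top logic structure described in Sections 5.1.1 to 5.1.2.3: segments as OR groups of components, train redundancy as AND gates, the CPT carried as a plant-specific basic event, the tree solved once into an ordered minimal cut set list, and pick-list outages applied as failed components against that list. All component names, tree structure and screening values are constructed for illustration.

```python
from dataclasses import dataclass
from itertools import product
from typing import FrozenSet, List, Set, Tuple

# Added example (not code from the report, CAFTA or EOOS). Component names,
# tree structure and screening values below are constructed for illustration.

@dataclass(frozen=True)
class Basic:
    """Basic event: a component failure (or the plant-specific CPT factor)."""
    name: str

@dataclass(frozen=True)
class Gate:
    kind: str                  # "AND" (redundancy, trip) or "OR" (segment / derate)
    inputs: Tuple[object, ...]

def OR(*inputs) -> Gate:
    return Gate("OR", inputs)

def AND(*inputs) -> Gate:
    return Gate("AND", inputs)

def cut_sets(node) -> Set[FrozenSet[str]]:
    """Solve a tree once into minimal cut sets (the report's 'cutset file')."""
    if isinstance(node, Basic):
        return {frozenset([node.name])}
    parts = [cut_sets(child) for child in node.inputs]
    if node.kind == "OR":
        raw = set().union(*parts)
    else:  # AND: take one cut set from every input and merge them
        raw = {frozenset().union(*combo) for combo in product(*parts)}
    # minimal cut sets only: drop any set that strictly contains another
    return {s for s in raw if not any(other < s for other in raw)}

def cut_set_probability(cs: FrozenSet[str], q, out_of_service) -> float:
    """A component taken out of service via the pick list is failed (p = 1)."""
    p = 1.0
    for name in cs:
        p *= 1.0 if name in out_of_service else q[name]
    return p

def top_probability(mcs, q, out_of_service) -> float:
    """Minimal cut set upper bound: 1 - prod(1 - P(cut set))."""
    survive = 1.0
    for cs in mcs:
        survive *= 1.0 - cut_set_probability(cs, q, out_of_service)
    return 1.0 - survive

def ranked_cut_sets(mcs, q, out_of_service) -> List[Tuple[float, Tuple[str, ...]]]:
    """Ordered cutset listing for the current configuration, largest first."""
    rows = [(cut_set_probability(cs, q, out_of_service), tuple(sorted(cs))) for cs in mcs]
    return sorted(rows, key=lambda row: (-row[0], row[1]))

def build_demo_model():
    """Condensate example of Section 4.3 plus one direct-trip and one derate-only input."""
    # Constructed screening values: annual failure probability per basic event.
    q = {"EH-CTRL": 0.05, "CO-PA-MTR": 0.02, "CO-PA-BKR": 0.01, "CO-PB-MTR": 0.02,
         "CO-PB-BKR": 0.01, "CO-BYP-VLV": 0.03, "CO-CPT": 0.10, "FW-HTR": 0.04}
    b = {name: Basic(name) for name in q}
    seg_a = OR(b["CO-PA-MTR"], b["CO-PA-BKR"])   # condensate pump A segment
    seg_b = OR(b["CO-PB-MTR"], b["CO-PB-BKR"])   # condensate pump B segment
    any_pump = OR(seg_a, seg_b)                  # loss of either pump
    trip = OR(
        b["EH-CTRL"],                            # turbine control failure: direct trip
        AND(seg_a, seg_b),                       # both pumps lost: trip
        AND(any_pump, OR(b["CO-BYP-VLV"], b["CO-CPT"])),  # one pump lost, bypass fails or CPT
    )
    derate = OR(b["FW-HTR"], any_pump)           # feedwater heater or any pump loss: derate
    return trip, derate, q

def evaluate(out_of_service: FrozenSet[str] = frozenset()) -> dict:
    """Trip and derate potential for a plant configuration, as the monitor scales show it."""
    trip, derate, q = build_demo_model()
    trip_mcs, derate_mcs = cut_sets(trip), cut_sets(derate)
    return {
        "trip": top_probability(trip_mcs, q, out_of_service),
        "derate": top_probability(derate_mcs, q, out_of_service),
        "trip_cutsets": ranked_cut_sets(trip_mcs, q, out_of_service),
        "n_trip_cutsets": len(trip_mcs),
    }

if __name__ == "__main__":
    cases = [("all in service", set()), ("bypass valve out", {"CO-BYP-VLV"}),
             ("pump A motor out", {"CO-PA-MTR"})]
    for label, oos in cases:
        r = evaluate(frozenset(oos))
        print(f"{label:17s} trip={r['trip']:.4f} derate={r['derate']:.4f} "
              f"top cutset={r['trip_cutsets'][0][1]}")
```

Taking the bypass valve out of service raises the trip value without changing the derate value, and taking a pump motor out drives the derate value to 1 while the largest trip cut set becomes the single remaining CPT event, which is the behaviour Figures 4-2 to 4-5 describe.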

5.1.3 Prioritizing systems by trip potential

As a starting point for developing the top logic one can select the Maintenance Rule Functions
listing [2] to help identify those plant specific systems that are generally covered by statistical
estimates in the PSAs, but whose potential for causing a trip has not been modeled in a clear
enough manner to build an accurate trip monitor.

5.1.3.1 Maintenance Rule Classification

The maintenance rule classification system includes five classification boundaries that are
addressed as yes/no conditions for each system.

M1 - Safety-related structures, systems, or components (These are typically in PSAs)

M2 - Nonsafety related structures, systems, or components that are relied upon to mitigate
accidents or transients (In level 2 PSA or HRA)

M3 - Nonsafety related structures, systems, or components that are used in plant emergency
operating procedures (EOPs) (HRA and In level 1 & 2 PSAs)

M4 - Nonsafety related structures, systems, or components whose failure could prevent safety-
related structures, systems, and components from fulfilling their safety-related function (In level
1 & 2 PSAs)

M5 - Nonsafety related structures, systems, or components whose failure could cause a reactor
scram or actuation of a safety-related system. (Generally grouped into statistical estimates of
trip, but not modeled in the PRA with enough detail to examine impact on trip frequency.)

Yes answers to question 5 help identify the maintenance interactions where modeling is needed
to address a potential trip or derate. All systems with at least one element of the MR evaluation
answered yes for question 5 were selected for the top logic. The list of systems with a yes
for question 5 is shown in Table 5-1. This reduces the number of systems in the Maintenance
Rule from 114 to 34.

Since Table 5-1 does not include safety systems whose component failure might also produce a
trip, a reexamination of the systems identified 16 additional safety systems whose component
failures might produce a trip or derate. Thus, 50 systems are included in the example
assessment.


Table 5-1
List of Systems with an identified potential for causing a plant trip

No.  Identified Trip Causes  Symbol  System name
1 3 AF Auxiliary Feedwater
2 1 CC Component Cooling Water
3 4 CI Instrument Air
4 3 CO Condensate
5 1 CP Condensate Polishing
6 1 CR Reactor Rod Control and Indication
7 2 CV Condenser Vacuum & Water Box Priming
8 2 CW Circulating Water
9 1 ECI Electrical Control Inverters
10 1 ECP Electrical Control Panels
11 5 EH Turbine Electro-hydraulic Control
12 1 EP Electric Power 345 kV & 138 kV
13 1 EPA Electric Power 6.9 kV Switchgear
14 1 EPS Electrical Power Panels
15 2 ES Safe Shutdown Protection
16 3 EX Extraction Steam
17 1 FW Steam Generator Feedwater
18 1 GE Generator and Exciter
19 1 GG Generator Gas Cooling
20 2 GS Turbine Gland Steam and Drains
21 2 GS1 Turbine Gland Seal
22 4 HD Turbine Heater Drains
23 2 IG Instrumentation Grounding
24 2 LO Main Turbine Lube Oil
25 1 MS Main Steam, Reheat, and Steam Dump
26 1 PR Generator Primary Water
27 3 RC Reactor Coolant
28 1 RM Radiation Monitoring
29 2 SO Generator Seal Oil
30 20 SY Switchyard Equipment
31 6 TA Turbine (High & Low)
32 1 TW Turbine Plant Cooling
33 1 VAT Turbine Building HVAC
34 1 XI Westinghouse Process Instruments


5.1.3.2 Questions for Assessing Trip Potential

Top logic development benefits from a review of trips and derates. The objective is to select and
incorporate first those systems that represent the largest contributors to system outage. To help
set the priorities for systems in the top logic model, five additional examinations are made:

1. What is the relative trip frequency contribution for the system?

2. Can internal system failures produce an ESFAS trip signal?

3. Is the system a standby system?

4. Is the system already modeled in the PRA?

5. Can a safety system cause an immediate derate or trip?

Information from the MR, the PM database, the experience base and discussions with the engineers
provides answers to these questions.

5.1.3.3 Frequency of occurrence

A means of prioritizing the systems is to examine the frequency of occurrence. The evaluation
of question 1 requires the review of trip causes from industry and plant experience. Such work
has been accomplished by the authors of Reference [3], who provide a table of trip causes that
can be ranked by frequency of occurrence, as shown in Table 5-2. Column 2 is the relative
frequency of various events based on industry information. An assumption is that the industry
averages can be matched to an individual plant by adjusting the turbine trip frequency. There are
some uncertainties in doing this: system boundaries may have different names, the ratios
may be somewhat different, and event naming can differ between plants. Also, for rare events
the occurrence of one event at one plant can significantly impact the moving average of a
particular initiating event for the plant group over a five-year averaging period. Thus, there is a
dynamic element to the statistical estimates of a component failure leading to a loss of production.
Even with these uncertainties, it is expected that on the order of 90% of the trip causes can be
identified and related to specific systems and hardware. The top fault tree representation is shown
in Figure 5-2.


Table 5-2
Causes of load reduction or trip in PWRs

Description  Relative Freq.  Priority
Turbine Trip  1  1
Feedwater Partial Loss  0.9  2
Loss of primary flow  0.2  3
Loss of Main Transformer  0.07  4
Feedwater Total Loss  0.05  5
Feedwater Excessive  0.04  6
Loss of Condenser Vacuum  0.015  7
Reactor Trip  -  8
Power reduction  -  9
Other (multiple causes)  -  10

Figure 5-2
Types of system level trips that lead to a plant trip

[Fault tree figure: top event "Plant trip" (gate TRIPCAUSE) with inputs Turbine Trip (%TT),
Loss of primary flow (%LPF), Loss Feedwater (%LFW), Loss of Main Transformer (%LMTFMR),
Loss of Condenser Vacuum (%LCV), Reactor trip (%RT), and Support Functions (SUPF).]

5.2 Scenarios for trip and derate top events

The way that a plant enters into a trip or derate depends on the component and the plant
response. The simplified trip monitor includes two categories for measuring loss of generation,
trip and derate. This requires two top events, because the top logic and intermediate logic for
these cases differ. Some component failures cause only a trip and not a derate, others cause a
derate with almost no chance of trip, and other component failures can lead to either trip or
derate with about the same likelihood.

Magnitude of derates can vary from very small power reductions of a few percent to more than
50% of the power level. Differentiation of power loss on derate is not a requirement for the
simplified trip monitor because in most cases the operators can estimate the power loss by
viewing the component that is lost. The components involved should provide a qualitative


indication of the derate level to the operators based on their training and experience. For
example, a 50% derate on loss of a condensate pump, and a 4% derate on loss of the feedwater
heaters in one train. In updated versions of the trip monitor the level of derate can be addressed
more explicitly by converting the top event for derate into tops for separate derate level groupings.

The development of top logic takes into account these differences by first considering
simplifying assumptions, component failure types, and trip scenarios.

5.2.1 Immediate trip or derate following component failure

A scenario for both top events is that the trip or derate occurs immediately following failure of
the component. An example is loss of oil to the turbine bearing. This is the highest priority trip
scenario for the simplified trip monitor. This type requires spinning reserve to avoid a loss of the
grid.

5.2.2 Delayed shutdown following a component failure

Delayed shutdowns can occur to repair failed equipment even though the failure did not trigger a
shutdown. Typically, repair of these component failures is grouped until a shutdown is required
for other reasons. In the databases it is not always clear how the outage time is applied to such
components. An example is loss of reheater flow, which causes a reduction in power initially,
but can be repaired only by shutting the plant down. The timing of this type of shutdown can be
controlled and, while important to LCM, is not as important to the grid system because the planner
can prepare for the loss of the generation in advance. This scenario is not a high priority for the
simplified trip monitor, and can be addressed as the system is developed.

5.2.3 Reduced control margin following a component failure

This type of shutdown occurs when a transient occurs that exceeds the reduced capability of the
plant systems to cope with the magnitude of the transient. Example cases occur when control
systems are degraded or control valves are limited and create a reduced potential to withstand
transients from both internal and external causes. It is possible to provide some warning about
these events if it is known that the plant can’t handle load following. This scenario is not a high
priority for the simplified trip monitor, and can be addressed as the system is developed.

5.2.4 Technical Specification shutdown when a time limit for SSC repair is exceeded

This scenario occurs when a system is in standby. If a system is in standby during normal
operation, and discovery of its failure starts a technical specification time limit, then
the system was added to the listing in Table 5-1. This type of shutdown occurs when a failed
component can't be repaired within the time limit. In some cases the plant manager is permitted to
extend the allowed time to avoid a shutdown. It is a very rare cause of shutdown. Advance
warning of the shutdown can be provided. This scenario is not a high priority for the simplified
trip monitor, and can be addressed as the system is developed.


5.2.5 Component failure generates a trip signal (ESFAS)

Another form of trip is caused by systems that trigger an ESFAS signal that either leads the
operator to trip the plant or causes an automatic trip. Scenarios for this occurrence were
identified in Reference [2]. Systems were added to the list in Table 5-1 when they could generate
a trip signal upon which the operators decide when to initiate the trip. This scenario is not a high
priority for the simplified trip monitor, and can be addressed as the system is developed.

5.2.6 Safety System failure causes a trip

If the system was already considered in the PRA and the logic from the PRA was appropriate for
trip then it was included in the trip/derate monitor trees by asking the question, “Can a safety
system cause an immediate derate or trip?” If yes, then the system is included in the listing and
modeled in the top logic. This scenario is not a high priority for the simplified trip monitor, and
can be addressed as the system is developed.

5.3 Data on trips and derates

A source of data for categorizing the type of trip is the GADS database maintained by the North
American Electric Reliability Council (NERC) [6]. Plant availability reports can be generated
by a class of units (fossil-steam, nuclear, etc.), grouped by size (turbine nameplate rating), and,
in some cases, primary fuel. There are several report formats defined, including the top 25
individual cause codes over the last five years. Table 5-3 uses the information in Reference [6] to
rank the cause codes from different groupings of PWR plant sizes (400 to 799 MWe, 800 to
999 MWe, and 1000 MWe and above). The older plants are in the smaller plant sizes and the
newer plants are in the 1000 MWe and above group. The table focuses on specific systems and
components. It therefore excludes planned outage/derate causes such as thermal derating,
normal refueling, core coastdown, end-of-life reactivity restrictions, investigation of possible
safety problems, total unit performance testing, major turbine overhaul, reactor overhaul, and
other safety problems that were also provided in the database material for Table 5-3. The "Ave
MWH per outage or derate" column in Table 5-3 provides information about the outage duration
in terms of lost MWH attributed to the cause code. It is clear that some of the cases are primarily
related to derates and short outages rather than trips. For example, in the case of MSIVs, the
testing requirements in BWRs require small power reductions, whereas in PWRs the tests are
not required as part of the containment boundary.

The relative occurrence frequency column in Table 5-3 was developed to correlate more closely
with the initiating event frequencies considered in risk studies.

The values in the table match Reference [6] when a normalization factor of 11.25 is applied. The
cause codes are assigned by judgment of the plant personnel, and there might be some double
counting of events where more than two outage causes are shared by the same event.

The next step is to use a top logic structure that combines each system capable of causing a trip
or derate with OR gates into derate and trip fault tree tops that represent the combinations of SSC
failures that can lead to a power reduction. Plant personnel who developed the MR functions

5-9
10427354
Top Logic Development

and PM databases qualitatively performed the screening of systems. The caution here is that the
basis for classifying the components in this way does not clearly indicate the impact of
redundancies or different failure modes, only that the component could qualitatively cause a trip
or derate.

Table 5-3
Relative cause ranking of outage and derates for US PWRs from NERC

System/Component Description  Relative occurrences /unit-yr  Ave MWH per outage or derate  Ave age of plants in group
Main Steam Isolation Valves (BWR & PWR) 1.755 1,336 14.93
Steam Generator Chemistry (Ex Feedwater) 1.000 1,192 14.93
Other Steam Generator Problems 0.580 4,499 14.93
Turbine Moisture Separator/Reheater 0.178 13,157 14.93
Condenser Tube and Water Box Cleaning 0.147 2,935 28.4
Condenser Tube Leaks 0.059 16,700 22.74
Main Transformer 0.055 22,204 14.93
Reactor Coolant/ Recirculating Pumps 0.053 71,453 22.74
Steam Generator Feedwater Nozzles 0.036 73,903 19.64
Feedwater Pump 0.031 11,711 28.4
Feedwater Regulating (Boiler Level Control) Valve 0.028 46,706 14.93
Control Rod Drive Controls 0.023 17,110 28.4
Reactor Coolant/Recirculating Pump Motor 0.022 58,279 22.74
Other Reactor Coolant Valves 0.022 75,421 22.74
Heater Drain Piping 0.022 430,278 22.74
Reactor Control System / Integrated Control System 0.021 48,636 19.64
Other High Pressure Heater Problems 0.020 19,268 28.4
Reactor Coolant System Piping 0.018 76,005 22.74
Steam Generator Tube Leaks 0.015 172,022 14.93
Reactor Vessel Flanges and Seals 0.014 100,218 28.4
Turbine Hydraulic System Pipes and Valves 0.012 111,926 14.93
Emergency Diesel Generators (Inc. Actuating System) 0.012 357,954 19.64
Other Steam Generator Internals Problems 0.010 732,201 19.64
Power Operated Relief and Safety/Relief Valves 0.009 417,658 22.74
Auxiliary Feedwater Piping 0.009 347,552 28.4
DC Safety System Power Supplies 0.008 100,045 14.93
Other High Pressure Injection Problems 0.006 229,019 22.74
Circuit Breakers 0.006 829,267 14.93
Control Rod Magnetic Jack Drives 0.005 97,025 28.4
Control Rod Assemblies Other Than Drive 0.005 58,405 28.4
Hydrogen Coolers 0.004 438,609 14.93
Nuclear Service Water Valves 0.004 251,746 22.74
Pressurizer 0.003 171,093 28.4
Extraction Steam Piping 0.003 248,740 28.4
Motors for Low Pressure Pumps 0.001 562,252 22.74


Table 5-4
Listing of systems to be modeled in the top logic

#  Symbol  Maintenance Rule (MR) system description  # Trip Causes  Trains in Mode Run
1 TA Turbine (High & Low) 6 2 of 3
2 EH Turbine Electrohydraulic Control 5 1 of 1 and 1 of 3
3 FW Steam Generator Feedwater 1 2 of 2
4 CO Condensate 3 2 of 2
5 SY Switchyard Equipment 20 2 of 2
6 GS Turbine Gland Steam and Drains 2 2 of 2
7 SO Generator Seal Oil 2 2 of 2
8 GS Turbine Gland Seal 2 2 of 2
9 CV Condenser Vacuum & Water Box Priming 2 1 of 3 & 1 of 2
10 EX Extraction Steam 3 2 of 2
11 LO Main Turbine Lube Oil 2 2 of 2
12 GG Generator Gas Cooling 1 6 of 8
13 GE Generator and Exciter 1 1 of 1
14 EPS Electrical Power Panels 1 1 of 2?
15 MS Main Steam, Reheat, and Steam Dump 1 4 of 4
16 HA Hydrogen Air - Generator 4 6 of 8
17 HD Turbine Heater Drains 4 2 of 2
18 CP Condensate Polishing 1 4 of 5
19 IG Instrumentation Grounding 2
20 RC Reactor Coolant 3 4 of 4
21 TW Turbine Plant Cooling 1 1 of 2
22 CI Instrument Air 4 1 of 3
23 VAT Turbine Building HVAC 1
24 AF Auxiliary Feedwater 3
25 PS Process Plant Sampling 0
26 CW Circulating Water 2 3 of 4
27 XI Westinghouse Process Instruments 1
28 ECI Electrical Control Inverters 1
29 ECP Electrical Control Panels 1
30 CT Containment Spray 0
31 PR Generator Primary Water 1 1 of 1
32 EPA Electric Power 6.9 kV Switchgear 1 4 of 4
33 CR Reactor Rod Control and Indication 1
34 CC Component Cooling Water 1 1 of 2
35 EP Electric Power 345 kV & 138 kV 1 1 of 2
36 AM Containment Atmosphere Monitor 0
37 RM Radiation Monitoring 1
38 VAR Control Room HVAC 0
39 VAA Auxiliary Building HVAC 0
40 SI Safety Injection 0
41 NI Nuclear Instrumentation 0
42 VAH Containment Hydrogen Purge 0
43 CH Safety Chilled Water 0
44 CS Chemical and Volume Control System 0
45 CZ Containment Isolation 0
46 DD Demineralized Water 0
47 EPB Electric Power 480v 0
48 RH Residual Heat Removal 0
49 SW Station Service Water 0 1 of 2 plus cross connect
50 ES/RPS Eng. Safeguards Actuation Sys./Reactor Protection Sys. 0


5.4 Organizing Top Logic for Trips and Derates

The basic top logic model as a minimum must include each system whose component failures
can cause a trip or derate.

Another level of detail is to include the functional categories from the maintenance rule. This
helps keep track of the specific functions associated with each system and supports intermediate
logic modeling; it is not required for development of the trip monitor. This information is found
in Reference [2], and repeated in Table 5-5.

Finally, the breakdown of the top events into the type of trip can be used to verify that the
quantitative values in the model match the statistics available from sources such as the
GADS database and others.


Table 5-5
Descriptions of potential trip causes by function in each system from Reference [2]

Symbol | Maintenance Rule (MR) system description | Reason for including: addresses functional causes and failure of the trip system itself.

TA | Turbine (High & Low) | Convert thermal energy in the form of steam to mechanical energy & transmit to the generator, in operation in modes 1-3 (modes 2 & 3 only if the main steam isolation valves are open). Provide: (1) ability to isolate Turbine Steam Supply upon trip signal, (2) necessary controls, signals, and instrumentation to operate and monitor the Turbine in a controlled fashion, (3) manual and automatic regulation of Turbine Control System, (4) protection of the turbine from abnormal operating conditions, (5) on-line testing of protective components, (6) reactor protection/ESFAS signals to SSPS, (7) Non-Class 1E instrument signals for indicating and alarming system parameters, in operation in modes 1-6.

EH | Turbine Electro-hydraulic Control | Position the turbine valves to achieve the desired turbine-generator loading, provide manual and automatic regulation of turbine control system, provide ability for on-line testing of protective components, provide input signal to RPS for anticipatory trip, in operation in modes 1-3.

FW | Steam Generator Feedwater | Provide heated feedwater at desired temperature and flow rate, in operation in modes 1 & 2.

CO | Condensate | Provide manual/automatic regulation of hotwell level and system flow to maintain FW pump suction, maintain sufficient vacuum, and condense exhaust steam from low pressure turbine, FW pump turbines and the Steam Dump System, in operation in modes 1-5.

SY | Switchyard Equipment | Provide two physically independent circuits between the offsite transmission network and the onsite Class 1E distribution, in operation in modes 1, 2, 3 and 4, and provide electrical power from the main unit transformers to the grid, in operation in mode 1.

IG | Instrumentation Grounding | Provide single point grounding system to reduce noise and interference, and provide a path to ground to prevent lightning strikes from affecting plant operations, in modes 1-6.

GS | Turbine Gland Steam and Drains | Provide an adequate supply of steam to the main and feedwater pump turbine seals at startup, shutdown and low load conditions, and provide pressure boundary / relief compliance with applicable requirements and functional needs, in operation in modes 1-5.

SO | Generator Seal Oil | Maintain H2 pressure in generator and supply temperature regulated seal oil to shaft seals, in operation in modes 1-6.

GS1 | Turbine Gland Seal | Provide an adequate supply of steam to the main and feedwater pump turbine seals at startup, shutdown and low load conditions, and provide pressure boundary / relief compliance with applicable requirements and functional needs, in operation in modes 1-5.

CV | Condenser Vacuum & Water Box Priming | Provide the removal of the non-condensable gases from the steam side of the main and auxiliary condensers and maintain vacuum, and a vacuum breaker arrangement for the main and auxiliary condenser shells as an alternative means of initiating turbine trips, in operation in modes 1-5.

CI | Instrument Air | Provide clean plant air at the required pressure and desired humidity, in operation in modes 1-6.

HD | Turbine Heater Drains | Return saturated water from extraction steam and MSRs to feedwater and condensate systems for efficiency, and provide a portion of flow to the feedwater pumps, in operation in modes 1-4.

EX | Extraction Steam | Provide pressure boundary / relief in compliance with applicable requirements and functional needs, in operation in modes 1-3. Isolate the turbine from the feedwater heaters and provide automatic isolation of the Auxiliary Steam system in the event of a high-energy line break through closure of valves ½-LV-2035, in standby in modes 1-3.

LO | Main Turbine Lube Oil | Provide turbine lube oil and actuating fluid to various components at the desired temperature, purity, and pressure, in operation, and provide turbine trip signals under abnormal conditions, in standby in modes 1-4.

GG | Generator Gas Cooling | Cool and maintain proper casing pressure, in operation in modes 1 & 2.

TW | Turbine Plant Cooling | Remove heat from Turbine Gen Aux Systems & various secondary plant systems in modes 1-5.

VAT | Turbine Building HVAC | Provide heat removal for various turbine-building areas, in operation in modes 1-6.

GE | Generator and Exciter | Produce reliable electric power, in operation in modes 1 & 2. This includes voltage regulation, isophase bus and associated cooling.

EPS | Electrical Power Panels | Provide low voltage electrical power for operation and control of non-class 1E loads within acceptable design limits, in operation in modes 1-6.

MS | Main Steam, Reheat, and Steam Dump | Provide adequate supply of steam for reheating service in the MSRs, for the main feedwater pump and the main turbine, in operation in modes 1-3. Provide isolation of steam flow (MSIVs, ARVs and steam dump valves) from steam generator, in standby in modes 1-4. Provide, via the Steam Generator Atmospheric relief valves, removal of heat from the NSSS when the condenser is not available and during abnormal conditions, in standby in modes 1-4. Provide, via the Main Steam Dump Valves, an artificial steam load for the steam generators to dissipate or regulate heat during abnormal conditions, in standby in modes 1-4. Provide reactor protection/ESFAS signals to SSPS, in operation in modes 1-3. Provide steam generator level and turbine pressure signals to AMSAC, in operation in mode 1 (above 40% power).

CP | Condensate Polishing | Provide a flow path from the Condensate System to the Feedwater System, in operation in modes 1-6.

RC | Reactor Coolant | Provide intermediate heat removal capability from the reactor core to the steam generators and from the steam generators to the secondary side, in normal operation in modes 1-4. Maintain pressure boundary integrity to enable decay heat removal in compliance with applicable NEI 97-06 limits and prevent significant offsite releases, in operation in modes 1-6 (requirements for SG tubes). Provide pressure relief (PORVs and safeties), in standby in modes 1-5. Provide Reactor Coolant System pressure control and depressurization, in operation in modes 1-4. Convert process signals to analog and digital signals (N16), in operation in modes 1-6. Provide reactor protection functions (N16), in operation in modes 1-3.

AF | Auxiliary Feedwater | Provide feedwater flow to the steam generators when the main feedwater system is unavailable, in operation in modes 1-6.

CW | Circulating Water | Provide screened cooling water for sufficient heat removal capacity during partial and full load operation as well as during a turbine trip followed by activation of the steam dumps to the condenser, and provide automatic trip of the circulating water pumps on failure of any main condenser expansion joint, in operation in modes 1-6.

ES | Safe Shutdown Protection | Provide a non-safety related backup system (AMSAC) to the Reactor Trip and ESF Actuation System for initiating feedwater flow in the event of an anticipated transient, in standby in mode 1.

CC | Component Cooling Water | Provide RCP cooling, in operation in modes 1-4; could cause a plant trip or ESF actuation.

CR | Reactor Rod Control and Indication | Raise and lower control and shutdown rods, in operation in modes 1-4.

ECI | Electrical Control Inverters | Provide reliable regulated non-1E 118 VAC electric instrumentation power, in operation in modes 1-6. Under Mel Review.

ECP | Electrical Control Panels | Control Panel circuit (fuses, circuit breakers, etc.) protection, control, termination, etc., in operation in modes 1-6.

EP | Electric Power 345 kV & 138 kV | Provide electrical power for non-safety related plant loads and to the switchyard, in operation in modes 1-6.

EPA | Electric Power 6.9 kV Switchgear | Provide electrical power for non-safety related plant loads, in operation in modes 1-6.

PR | Generator Primary Water | Provide sufficient cooling water to absorb the heat from the generator stator winding, rotor winding, terminal bushings & phase connectors & dissipate the heat to the TPCW System, in operation in modes 1 & 2.

XI | Westinghouse Process Instruments | Provide reliable electrical power (cabinet power supplies) for the Westinghouse 7300 System. Provide miscellaneous electrical/electronic functions of a non-specific nature. Provide reactor protection/ESFAS signals to SSPS. System in operation in modes 1-6.

RM | Radiation Monitoring | Provide wide range gas monitoring for detection of noble gas releases through the plant vent stacks for post-accident monitoring. Initiate closure of the gas release valve upon detection of high radiation, in operation in modes 1-6.

6
DETAILED MODELING OF SYSTEMS

The third key element for a simplified trip monitor is the detailed systems assessment and
modeling. Detailed modeling is reflected in EOOS through the incorporation of fault trees,
updated cutset evaluations and the addition of detailed operator status panels. This integrates the
information from the plant into a simplified model that can be used to assess the plant conditions.
This modeling element is the key to a successful trip monitor. The examples below are based on
the CAFTA and EOOS software, but other codes may be used as well. This portion of the
analysis determines how conservatively or realistically the trip monitor operates, by incorporating
intermediate logic models that recognize redundancies within the system and link the
component, train, or segment information to the top logic.

6.1 Selecting Key Systems

The objective of the simplified trip monitor is to rapidly establish a working system that will
capture the key issues associated with the trip and derate causes. For this demonstration the
Condensate and Electro-hydraulic Control systems were selected as initial models, with the
Feedwater and Turbine (High & Low Pressure control) as the demonstration systems. The basis
of the selection was that these are important systems from the trip cause viewpoint, they are not
modeled in detail in PRA studies, and information was available for these systems. Additional
system detail can be added to replace any high-level top logic models as the trip monitor model
is improved.

6.2 Modeling assumptions and conditions

1. Those systems addressed in the maintenance rule file [2] that are identified as a potential
cause of trip are selected as systems for the top logic model.

2. The reference plant is a four loop Westinghouse design, where local naming conventions
apply to the systems and to the components in the systems.

3. The priority of the systems analyzed is based on addressing the largest contributors in the
first grouping that are not fully addressed in the PRA.

4. The largest contributor grouping by trip cause can be found from descriptions of events and
statistics compiled to evaluate the various causes of trips, and previous work in trip monitor
development.

5. The top logic model has several layers that help in organizing the model. The type of trip
experienced provides a top down way of including statistical results maintained at the level

6-1
10427354
Detailed Modeling of Systems

of turbine trip, feedwater trip, etc. Another level is a list of sub functions under each system
developed during the maintenance rule. Redundancies within a system are typically modeled
in this intermediate logic area.

6. The outage scenario model should concentrate on immediate trips or power reductions.
   Subsequent planned outages to repair damaged equipment are not seen as an equivalent
   threat to grid stability as the immediate power reductions, but are needed when considering
   life cycle costs.

7. The use of OR gates is expected for all sublevel systems, because operator actions that
restore power are addressed by taking components in and out of service at the trip monitor
interface.

6.3 Guidelines for Detailed modeling

General guidance to follow concerning the inclusion of component failures in the fault tree
models consists of the following analysis elements.

6.3.1 Development of System Simplified Schematics

Usually the plant system drawings contain considerably more information than is required for
system modeling. To assist the system analysis, a simplified system schematic is developed on
the basis of full-sized plant schematics. It includes solely the components to be included in the
model. The schematic can be in the form of a drawing or block diagram.

The requirements for simplified schematics are the same as for full-sized plant schematics. The
identifier used to label each component on the schematic is the plant Equipment ID number. In
addition, the position of each component in the normal operation mode has to be shown on the
simplified schematics.

The following rules are applied for the development of simplified schematics:

6.3.2 System Dependencies

Usually a system has interconnections with other systems via electric supply, cooling water,
heating and ventilation, transported substance, shared components, control signals, etc. The
information characterizing these dependencies is prepared during the course of the systems
analysis data collection stage. In the case of the trip monitor the support systems can be treated
separately. If components are not treated elsewhere, then they should be included in the
segment or train in the block diagram. The support systems can be treated as separate systems
with their own internal redundancies. This step and the use of primarily OR gates eliminate
the need for explicit dependency modeling in the case of a trip or derate monitor.

6-2
10427354
Detailed Modeling of Systems

6.3.3 Determining the method of system failure modeling

The final target of system analysis is a system model with the top event for trip causes (e.g.,
rapid trip, delayed trip, loss of control margin, immediate loss of power with a trip and technical
specification required trip), and for derates causes (e.g., immediate power reduction, potential for
a power reduction, delayed power reduction). In the simplified trip monitor the success criteria
are simply no trip or no power reduction. The top event is true if the success criteria are not met.
This can be modeled by two methods:

The system failure (or train failure, or failure of part of the system) may be modeled as single
developed event if all the inputs can be modeled through an OR gate. This can also be termed a
module and then any equipment in the system can be linked to this basic event or fault tree.

If there are redundancies that prevent a single element from causing a trip, then intermediate logic
using fault tree methods should be developed to address the system redundancies. If the
redundancies are not addressed, the trip monitor will be overly conservative and signal a trip
whenever any piece of equipment is removed.

The level of fault tree detail is determined during system analysis and for a simplified trip
monitor should consider how the PRA has been modeled, operating experience with equipment
out of service, and other potential uses of the information as outlined by the project goals. Less
important are quality of initial data, and comprehensiveness of component failure database.

6.3.4 Fault Tree Development

The fault tree development and quantification for the demonstration model was carried out using
the CAFTA code. The rules described below are oriented towards the use of relevant features of
CAFTA.

A fault tree consists of the following basic components:

Fault tree elements must have a unique name; the CAFTA software will identify identical names
with different logic input before quantification. For example, if the results of the PRA are to be
used for some elements of the trip monitor, but are adjusted by removing the common cause,
human errors, and out for maintenance and support systems, then using the same gate names in
the trip model could cause conflicts if the models are run together as fault trees. One way to
address this is by developing separate cutset files for each top event with direct input data.

Guidance for the naming scheme for fault tree elements is provided in Appendix E.

At least one fault tree is required for each monitored plant condition (e.g., Trip and Derate).
While the same components are in both trees, the logic for causing the top event to be true can be
very different. Thus, the gate names leading from the basic events to the top event need to be
changed (i.e., a D added to the derate names). This permits the use of alternate logic (e.g., AND
gates versus OR gates), different equipment models (e.g., feedwater heaters and bypass for the
derate top event, and redundant EH pumps for the trip tree), and different performance factors.

Fault tree construction is guided by the definition of the top event, which is found in the top logic
tree. After the definition of the top event, the fault tree is developed by deductively determining
the cause of the previous fault continually approaching finer resolution until the limit of
resolution is reached. The limit of resolution is reached when the fault tree development below a
gate consists only of basic events that feed only into an OR gate. Thus, the initial assumption

6.3.4.1 Top Event

The top event means that either a trip or a derate occurs if the combination of components taken
out of service causes the top event to be true. A secondary consideration is how close the
probability is to 1.0. The colors indicate how close the system is to failure if the multiple
components are taken out of service but the top event might not have occurred yet.

For each system fault tree, the top event definition is determined from the system success criteria
defined by examination of the system functions (See Table 5-5). The top event shown in Figure
6-1 is derived by converting the system functional requirement for the system into a statement of
system failure. If, for example, the functional requirements for the EH system during in
operation in modes 1-3 are:

(1) Position the turbine valves to achieve the desired turbine - generator loading,

(2) Provide manual operation of turbine control system,

(3) Provide Automatic regulation of turbine control system,

(4) Provide ability for on-line testing of protective components,

(5) Provide input signal to RPS for anticipatory trip.

For these functions the top events would be “Failure to prevent trip” and “Failure to prevent
derate,” given a component failure in the system. The maintenance rule document and PM
database identify components that could cause loss of each function. However, the estimate of
how they enter into the cause of trip or derate is by qualitative judgment, and should be carefully
examined to validate the “scenario for trip or derate.”

For support systems, the top event is determined by the performance requirements of the
supported system. For example, in developing the fault tree for Instrument Air (CI) the top event
function is to provide clean plant air at the required pressure and desired humidity, in operation
in modes 1-6. A modeling approach is to note that the system can operate on one air compressor
if the demand is low, and since storage tank capacity is in the system the active components can
be modeled in a 1 of 2 logic for both trip and derate.

Figure 6-1 (gate structure recovered from the figure text; page references are transfers to other pages of the model)

Top event: Turbine Trip [%TT]
  Turbine control [TURBCNT]
    Turbine (High & Low) [TA]
      TA1  Inadvertent isolation of turbine steam supply upon false trigger signal
      TA2  Failure to manually control turbine
      TA3  Failure of automatic regulation of turbine control system
      TA4  Failure of turbine protection system
      TA5  Failure of on-line testing of protective components
      TA6  False reactor protection/ESFAS signals from turbine systems
    Turbine Electrohydraulic Control [EH]
      EH1  Failure to position turbine valves to match turbine - generator loading
      EH2  Failure of manual regulation of turbine control system
      EH3  Failure of automatic regulation of turbine control system
      EH4  Failure during on-line testing of protective components
      EH5  False input signal to anticipatory RPS trip
  Turbine Internals [GST] (Page 2)
  Turbine support [TURBSP] (Page 3)
  Generator [GEN] (Page 4)
  Main Steam, Reheat, and Steam Dump [MS] (Page 5)

Figure 6-1
Top logic expansion to the MR functional criteria

6.3.4.2 Logical Gates

Logical gates describe the logical interactions between events in a fault tree. While many
specialized gates are available in CAFTA, the key gates needed for the simplified trip monitor are
OR, AND, and X of M. As more complex models are considered, additional gates can be
considered.

6.3.4.3 Developed Events

A developed event is an expansion of the Top Event into intermediate events that address
combinations of AND and OR logic, and break the system components into trains or segments
connected by an OR gate. Each system may have its own pattern due to the specific nature of the
functional requirements and logical interactions between basic events and/or other developed
events.

Developed events can be modeled in the following cases:

The usage of developed events is desired for visual clarity and easy verification.

For easier modeling, a system is usually divided into a number of subsystems (see Figure 5-1).
Figure 6-2 shows the link to basic events, and the addition of a performance factor.

Figure 6-2 (gate structure recovered from the figure text; page references are transfers to other pages of the model)

EH1P  Failure to control turbine generator load via valve control (Page 12)
  Inputs:
  EH1    Failure to position turbine valves to match turbine - generator loading
  EH1PF  Performance factor for manual turbine control adjustments, 5.00E-01

EH1 inputs:
  MSG005T  Steam flow through HP-2 admission valve reduced due to control failure
  MSG004T  Steam flow through HP-3 admission valve reduced due to control failure
  MSG003T  Steam flow through HP-1 admission valve reduced due to control failure
  MSG002T  Steam flow through HP-4 admission valve reduced due to control failure
  MSG001A  Main turbine trip fluid component failures (Page 21, Page 22)

Basic events below the MSG gates, 4.00E-03 each:
  MSXVH2431AFF  Hydraulic stop valve UV-2431A isolates due to trip signal failures
  MSXVH2431BFF  Hydraulic control valve UV-2431B closes due to control signal failures
  MSXVH2430AFF  Hydraulic stop valve UV-2430A isolates due to trip signal failures
  MSXVH2430BFF  Hydraulic control valve UV-2430B closes due to control signal failures
  MSXVH2429AFF  Hydraulic stop valve UV-2429A isolates due to trip signal failures
  MSXVH2429BFF  Hydraulic control valve UV-2429B closes due to control signal failures

Figure 6-2
Expansion of EH1 to the Basic event level

The basic events or higher-level logic gates can act as nodes for linking additional components to
the trip monitor logic in EOOS when the components are listed in a database and linked to the
monitor via a pick list. This assumes that the response to a failure is the same as the logic at the
linked basic event or gate.

6.3.4.4 Basic Events

A basic event is the lowest level in the fault tree and is logically independent of other events. The
types of basic event component failures to include in the fault tree when a trip or derate scenario
is defined are:

6.3.4.4.1 Active components

Operating (pumps, casings, motors, breakers, etc.)

Switching components (valves: operator, body, instrumentation, controls)

Electrical (control systems, protection systems, cable, trays, junctions, fuses, etc.)

6.3.4.4.2 Passive components

Piping (Lengths, relief system, snubbers, elbows and appurtenances, etc.)

Structural (Walls, support beams, anchors, etc.)

6.3.4.4.3 Subtle Interaction Failures

Conditional probability of failure given a component fails (operator control actions)

Backup components that protect from trip or derate (measured conditions that trigger an action)

When a component fails and challenges a trip that is subsequently avoided when a backup
system changes state, it should be modeled in the fault tree to represent the likelihood that the
plant stays on line. For example, if low suction pressure appears at the Feedwater Pump Suction,
then bypass of the polishers to restore suction pressure should be included.

Consider a performance factor for trains or systems where by experience it can be shown that
operators can prevent a trip or derate through operational controls. For example, if two of three
EH pumps are lost the turbine admission valves can be operated manually keeping the plant
online (at full power).

For a simplified trip monitor only the component failures should be considered. Thus, Test and
Maintenance Unavailabilities, Human Errors, and Common Cause Failures should not be
considered. It is possible that some House Events, and Subtle Failures may need to be modeled
to account for special situations.

6.4 Basic events from a list

In the cases where failure of components leads to the same outcome from the logic standpoint, it
is convenient to link them to a point in the fault tree where they have the same impact on trip and
derate as the other components. Table 6-1 provides a listing of the components identified as causes of trips
for the EH1 function of positioning the turbine control valves to match generator demand. The
identification of each component as a cause of trip or derate is also listed. From this list the
components can be associated with both the trip and derate trees, just the derate tree, or just the
trip tree.

Figure 6-3 shows the use of a pick list to take a component out of service from the listing. These
components connect to the EH1 gate in the fault tree. Figure 6-4 shows an operator screen for monitoring
the trip and derate conditions. Note that the EH system key components that provide
redundancy are shown as blocks. The input to each block can include a component or a module
with a list of components.

When a pump component is taken out of service, the trip monitor goes to about a 0.5 chance of a
trip as shown in Figure 6-5. This is the performance factor associated with manual control of the
turbine control valves. The derate monitor is not impacted because there is no need to change
power when addressing hydraulic fluid flow issues if the pressure is constant.
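The gate logic discussed above can be exercised with the small evaluator below: the OR-only module versus explicit redundancy of Section 6.3.3, the EH1 expansion with its 0.5 performance factor from Figure 6-2, and the pick-list behaviour of Section 6.4 where a component taken out of service drives its basic event to certainty. This is an added example written for this guideline, not code from the report, CAFTA or EOOS. The tree it builds is an assumed simplification of Figure 6-2: the six valve events carry the 4.00E-03 value shown in the figure, while the EHPUMP_A/B/C names and their 1.0E-02 failure probability are constructed, and the valves-only derate tree EH1D is likewise an assumption.

```python
"""Small fault tree evaluator for trip/derate monitor logic (added example,
not the report's or CAFTA's code). Gates: OR, AND and K-of-N; a component
taken out of service is treated as certainly failed (probability 1.0)."""
from dataclasses import dataclass
from itertools import combinations
from math import prod
from typing import List, Set, Union


@dataclass
class Basic:
    """Basic event: a component failure with its nominal probability."""
    name: str
    p: float


@dataclass
class Gate:
    """Logic gate. kind is 'OR', 'AND' or 'KOFN'; a KOFN gate is true when
    at least k of its inputs are true."""
    name: str
    kind: str
    inputs: List[Union["Gate", Basic]]
    k: int = 0


def evaluate(node: Union[Gate, Basic], out_of_service: Set[str]) -> float:
    """Probability that node is true. Inputs are treated as independent and
    every basic event is assumed to appear only once in the tree (a shared
    event would need cut-set or BDD evaluation instead)."""
    if isinstance(node, Basic):
        return 1.0 if node.name in out_of_service else node.p
    ps = [evaluate(n, out_of_service) for n in node.inputs]
    if node.kind == "OR":
        return 1.0 - prod(1.0 - p for p in ps)
    if node.kind == "AND":
        return prod(ps)
    if node.kind == "KOFN":
        # Sum over every way that exactly j inputs (j >= k) are true.
        n = len(ps)
        total = 0.0
        for j in range(node.k, n + 1):
            for true_idx in combinations(range(n), j):
                total += prod(ps[i] if i in true_idx else 1.0 - ps[i]
                              for i in range(n))
        return total
    raise ValueError(f"unknown gate kind: {node.kind}")


VALVE_TAGS = ("2431A", "2431B", "2430A", "2430B", "2429A", "2429B")


def valve_events() -> List[Basic]:
    """Stop/control valve failure events of Figure 6-2, 4.00E-03 each."""
    return [Basic(f"MSXVH{tag}FF", 4.0e-3) for tag in VALVE_TAGS]


def build_trip_tree(pump_logic: str) -> Gate:
    """EH1P trip logic, an assumed simplification of Figure 6-2: EH1 is an OR
    of the valve events and a pump segment; EH1P ANDs EH1 with the 0.5
    performance factor for manual turbine control. Pump names and the
    1.0E-02 pump failure probability are constructed for illustration."""
    pumps = [Basic(f"EHPUMP_{x}", 1.0e-2) for x in "ABC"]
    if pump_logic == "OR":
        # Conservative module: losing any one pump makes EH1 true.
        pump_gate = Gate("EHPUMPS", "OR", pumps)
    else:
        # Redundancy credited: EH1 needs two of the three pumps lost.
        pump_gate = Gate("EHPUMPS", "KOFN", pumps, k=2)
    eh1 = Gate("EH1", "OR", valve_events() + [pump_gate])
    eh1pf = Basic("EH1PF", 0.5)
    return Gate("EH1P", "AND", [eh1, eh1pf])


def build_derate_tree() -> Gate:
    """Assumed derate tree: the gate name carries the 'D' suffix described in
    6.3.4, and the pump segment is not an input because hydraulic fluid flow
    issues do not require a power change (Section 6.4)."""
    return Gate("EH1D", "OR", valve_events())


def trip_reading(pump_logic: str, out_of_service: Set[str]) -> float:
    """Trip monitor value for a pump model and an out-of-service list."""
    return evaluate(build_trip_tree(pump_logic), out_of_service)


def derate_reading(out_of_service: Set[str]) -> float:
    """Derate monitor value for an out-of-service list."""
    return evaluate(build_derate_tree(), out_of_service)


if __name__ == "__main__":
    for logic in ("OR", "KOFN"):
        for oos in (set(), {"EHPUMP_A"}, {"EHPUMP_A", "EHPUMP_B"}):
            print(f"{logic:4s} out={sorted(oos) or '-'} "
                  f"trip={trip_reading(logic, oos):.4f} "
                  f"derate={derate_reading(oos):.4f}")
```

With the OR-only pump module, taking a single pump out of service drives EH1 to 1.0 and the monitor reads the 0.5 performance factor, as described for Figure 6-5; with the 2-of-3 gate the same outage leaves the reading near its baseline and only a second pump outage reaches 0.5. The derate tree is unchanged by the pump outage because the pump segment is not among its inputs. The evaluator's independence assumption is the reason the text recommends separate cutset files when PRA gates are shared between trees.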

Table 6-1
Example components from the PM databases
TAG_ID DESCRIPTION Trip Derate
CP1-EHFLTG-01 ELECTRO HYDRAULIC CONTROL FLUID FULLERS EARTH FILTER 1-01 1 0
CP1-EHFLTG-02 ELECTRO HYDRAULIC CONTROL FLUID MECHANICAL FILTER 1-02 1 0
CPX-CBFURP-01 CONTROL FLUID FILTER X-01 1 0
1C2/11/BKR TURBINE TRIP TEST CABINET (CHAN I) 1-CV-13 SUPPLY BREAKER 1 1
1C3/4/BKR TURBINE TRIP TEST CABINET (CHAN II) 1-CV-14 SUPPLY BREAKER 1 1
1-SE10C001 UNIT 1 TURBINE HYDRAULIC SPEED GOVERNOR 1 1
1-SE10C002 UNIT 1 TURBINE REFERENCE SPEED SETTER 1 1
1-SE10C003 UNIT 1 TURBINE STARTING AND LOAD LIMITING DEVICE 1 1
1-SE10C005 TURBINE CONTROL FLUID ELECTRO HYDRAULIC CONVERTER 1-SE10C005 1 1
1-P-6590 U1 TURBINE TRIP FLUID PRESSURE LOOP 1 1
1-P-6591 U1 TURBINE TRIP FLUID PRESSURE LOOP 1 1
1-P-6592 U1 TURBINE TRIP FLUID PRESSURE LOOP 1 1
1-SD10P008 U1 MAIN CONDENSER LOW VACUUM ELECTRIC TRIP PRESSURE LOOP 1 1
1-SD10P008 U1 MAIN CONDENSER LOW VACUUM ELECTRIC TRIP PRESSURE TRANSMITTER 008 1 1
1-SJ21P011 ELECTRO HYDRAULIC CONTROL FLUID PUMP 1-A HP AUTO TRIP PRESS LOOP 1 1
1-SJ21P011 ELECTRO HYDRAULIC CONTROL FLUID PUMP 1-A HP AUTO TRIP PRESS SW 011 1 1
1-SJ21P012 ELECTRO HYDRAULIC CONTROL FLUID PUMP 1-B HP AUTO TRIP PRESS 1 1
1-SJ21P012 ELECTRO HYDRAULIC CONTROL FLUID PUMP 1-B HP AUTO TRIP PRESS SW 012 1 1
1-SJ21P013 ELECTRO HYDRAULIC CONTROL FLUID PUMP 1-C HP AUTO TRIP PRESS SW 013 1 1
1-SJ21P014 ELECTRO HYDRAULIC CONTROL FLUID PUMP 1-A HP AUTO TRIP PRESS LOOP 1 1
1-SJ21P014 ELECTRO HYDRAULIC CONTROL FLUID PUMP 1-A HP AUTO TRIP PRESS SW 014 1 1
1-SJ21P015 ELECTRO HYDRAULIC CONTROL FLUID PUMP 1-B HP AUTO TRIP PRESS 1 1
1-SJ21P015 ELECTRO HYDRAULIC CONTROL FLUID PUMP 1-B HP AUTO TRIP PRESS SW 015 1 1
1-SJ21P016 ELECTRO HYDRAULIC CONTROL FLUID PUMP 1-C HP AUTO TRIP PRESS LOOP 1 1
1-SJ21P016 ELECTRO HYDRAULIC CONTROL FLUID PUMP 1-C HP AUTO TRIP PRESS SW 016 1 1
1-SJ22S001S01 TURB CTRL FLUID EH CONV 1-01 AUX SEL FLUID LOAD SHEDDING SOL VLV SO 1 1
1-SJ22S002S01 TURB CTRL FLUID EH CONV 1-02 AUX SEL FLUID LOAD SHEDDING SOL VLV SO 1 1
1-SJ24S041S01 SOL VLV TRIP FLUID 1 1
1-SJ24S042S01 SOL VLV TRIP FLUID 1 1
1-JC01 ELECTRO HYDRAULIC CONTROLLER CABINET 1-01 1 1
1-JC02 ELECTRO HYDRAULIC CONTROLLER CABINET 1-02 1 1
1-JC21 TURBINE STRESS EVALUATOR/SPEED TARGET UNIT CABINET 1-21 1 1
1-JC71 TURBINE TRIP SYSTEM CABINET 1-71 1 1
1-PIS-6590 U1 TURBINE TRIP FLUID PRESSURE INDICATING SWITCH 6590 1 1
1-PIS-6591 U1 TURBINE TRIP FLUID PRESSURE INDICATING SWITCH 6591 1 1
1-PIS-6592 U1 TURBINE TRIP FLUID PRESSURE INDICATING SWITCH 6592 1 1
1-SJ21P011E01 ELECTRO HYDRAULIC CONTROL FLUID PUMP 1-A HP AUTO TRIP PRESS SW 011 1 1
1-SJ21P012E01 ELECTRO HYDRAULIC CONTROL FLUID PUMP 1-B HP AUTO TRIP PRESS SW 012 1 1
1-SJ21P013E01 ELECTRO HYDRAULIC CONTROL FLUID PUMP 1-C HP AUTO TRIP PRESS SW 013 1 1
1-SJ21P014E01 ELECTRO HYDRAULIC CONTROL FLUID PUMP 1-A HP AUTO TRIP PRESS SW 014 1 1
1-SJ21P015E01 ELECTRO HYDRAULIC CONTROL FLUID PUMP 1-B HP AUTO TRIP PRESS SW 015 1 1
1-SJ21P016E01 ELECTRO HYDRAULIC CONTROL FLUID PUMP 1-C HP AUTO TRIP PRESS SW 016 1 1
1-SJ24K004 UNIT 1 CONDENSER LOW VACUUM TURBINE TRIP DEVICE 1 1
1-SJ24K001 U1 TURBINE OVERSPEED TRIP TEST DEVICE 1 1
1-SE10C005T07 U1 EHC FLUID CONV 10C005 PILOT VLV 1 1
1-SJ22S002 TURB CTRL FLUID EH CONV 1-02 AUX SEC FLUID LOAD SHEDDING SOL VLV 1 1
1-SJ24S041 U1 TURB AUX TRIP FLUID RMT TRIP VLV 041 1 1
1-SJ24S042 U1 TURB AUX TRIP FLUID RMT TRIP VLV 042 1 1
1-SD10P007F01 U1 MN CNDSR LO VAC ELEC TRIP PRESS XMTR 007 1 1
1-SD10P008F01 U1 MN CNDSR LO VAC ELEC TRIP PRESS XMTR 008 1 1
1-SJ10D015M ELECTRO HYDRAULIC CONTROL FLUID PUMP 2-A MOTOR 0 1
1-SJ10D016M ELECTRO HYDRAULIC CONTROL FLUID PUMP 2-B MOTOR 0 1
1-SJ10D017M ELECTRO HYDRAULIC CONTROL FLUID PUMP 2-C MOTOR 0 1
1-SJ10D015 ELECTRO HYDRAULIC CONTROL FLUID PUMP 2-A 0 1
1-SJ10D016 ELECTRO HYDRAULIC CONTROL FLUID PUMP 2-B 0 1
1-SJ10D017 ELECTRO HYDRAULIC CONTROL FLUID PUMP 2-C 0 1

Figure 6-3
Using the Pick list to take out an EH system component

Figure 6-4
Trip monitor interface with layout of the EH critical components

Figure 6-5
Impact of taking a component out of service

6.5 Using PRA Models as a Starting Point

If using PRA fault trees, the following items should be deleted because they are not likely to
cause an immediate trip and require excessive detail when taking components in and out of
service: CCF events, plugged normally open valves, and maintenance unavailability.
This also requires renaming the gates to handle the new inputs. Maintenance unavailability is
addressed in EOOS by taking the component out of service. If it were not possible to remove a
component without tripping or derating the plant, then the plant would trip anyway; therefore
such a system is redundant. A caution is that removal of these components below the module
level requires renaming of the module, if the PRA model and trip monitors are run at the same
time.

6.5.1 Identify the key scenarios that lead to a trip within the key systems

Review the generic industry trip history and prioritize the listing of systems that can
contribute to an outage or derate. Systems that contribute to trip and derate can be identified
from the GADS database. Other resources within the plant include the Maintenance Rule and
PM database.

6.5.1.1 System review to identify PRA logic and models

System reviews can rely on a variety of sources to identify the PRA logic and models for use in
the monitor. Information sources include the system description, training material and
maintenance rule reports.

• Examples are fully running systems that also might be used during plant cool down following
a trip (Condensate, Feedwater, Transformers and electrical systems, and support systems
such as cooling water systems, air supply and battery systems).
• Examples with the same equipment but much different (and lower probability) failure modes are
the relief valves, the isolation valves, and protective trip circuits.
• Examples that are not are Auxiliary Feedwater, Safety Injection, Containment Spray, etc.

Identify trains and segments in the system where redundancy protection from trip or derate
applies. Note that many failure models may not apply. The logic for safety may not apply;
switch all logic to OR gates for the derate model.

6.5.1.2 Use the PRA model and database where appropriate

Verify that failure scenarios developed in the MR PM database are considered in the models.
While some scenarios for trip or derate are clear many others are not and must be investigated.
If components causing trip are not in the PRA model, then supplement the basic PRA fault tree
as needed.

Consider the role of internal component failures

Consider the combinations with other systems

Identify elements of redundancy within the system that prevent trip or derate. It is expected that
below the train level the lists of components can be used as input to an OR gate to represent
the impact of the component on the output.

6.5.2 Modifying the PRA models

In the PRA models the support system failures are sent to multiple system trees to accurately
model the interaction between the support system and the front line system. This is not needed
for simplified trip derate monitor, because the impact of the loss of a support system can be
treated directly as an impact on the power level or trip likelihood. For example, a simple
scenario can be developed to identify the effect of component cooling on trip (i.e., loss of
cooling to the charging pumps leads to failure of the charging pumps and then a trip because
plant is not able to balance the primary pressure and level in response to small transients). Thus,
loss of components in the cooling water system for charging pumps becomes a trip cause. Only
one direct input of a basic event from the cooling water system in the trip tree is sufficient to
model this system, and the links to other trees are unnecessary.

This greatly simplifies the overall tree by avoiding the logical loops that typically appear in the
PRA models (e.g., electric power depends on operating diesel generators and starting diesel
generators depends on having electrical power available, thus the sequence of events is important). By
considering components only and removing the support systems, logical loops can be eliminated
a priori during the modeling process.

6.6 Fault Tree Quantification

Quantification is the calculation of fault tree element reliability parameters, total system
unavailability and/or accident sequence probability. Each basic and developed event in the fault
tree must be quantified to take advantage of the trip and derate scales used. Event quantification
depends on the component status during operation. For example, mainline components can be
normally operating or in standby mode. If they are in test or maintenance mode, then the trip
monitor would indicate a derate condition if the plant needed to reduce power (for example,
during monthly testing of the turbine admission valves). The quantification method is also dependent
upon the availability and detail of component operating history data. The CAFTA code can be
used for quantification. The quantification method is defined when inputting basic event data
into the code.

Two types of contributions to component unavailability are assessed in the simplified trip
monitor since the maintenance unavailability is addressed by taking equipment out of service.

6.6.1 Component Operational Failures

For the trip and derate monitor the most important type of failure is when an operating
component fails while performing its mission during normal operation. To compute this failure
probability a variety of methods in the CAFTA formulation selection can be used. This includes
the estimate of the probability of failure over a year (e.g., P = λt, which is an approximation of
P = 1 - e^(-λt)). This is conservative and accurate to within ~5% if P < 0.1. For higher probabilities,
the exponential can be used.

Table 6-1 summarizes both the component unavailability and component operational failure
probabilities.

6.6.2 Demand Failure of a Standby Component

The unavailability of a standby component due to its failure in a latent mode may appear in some
cases for the trip monitor (e.g., condensate bypass valve (AKA slam dunk valve) operation
following low feedwater suction pressure, standby air ejector pump following a decrease in
condenser vacuum, and use of alternate manual control when turbine admission valve controls
are degraded). The failure probability can be determined by one of the following three
expressions:

For standby components that are periodically tested where plant-specific data is available, the
average failure unavailability is calculated as P = λt/2.

When using generic data to represent component unavailability for electrical equipment (i.e.,
relays, circuit breakers, switches, etc.), the demand failure probability, Qd should be used.
Failure of an operator to perform a certain function as in the performance factor can also be
modeled using a demand failure probability, Qd.

Occasionally a situation is discovered where a standby component is never tested or maintained
during the plant lifetime. In this case, a point wise unavailability of the component that
corresponds to the current operating time of the plant should be computed.
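The formulas of Sections 6.6.1 and 6.6.2 (P = λt against the exponential 1 - e^(-λt), the ~5% rule at P < 0.1, P = λt/2 for a periodically tested standby component, and the point-wise unavailability of a never-tested component) are collected in the following added example. It is not code from the report or from CAFTA; the rate and time values used in the `__main__` block are constructed for illustration, not data from the report.

```python
"""Basic event quantification formulas of Section 6.6 (added example, not the
report's or CAFTA's code). Rates are per hour and times are in hours."""
from math import exp
from typing import Dict


def running_failure_prob(lam: float, t: float, linear: bool = False) -> float:
    """Failure probability of an operating component over mission time t.
    Exact: P = 1 - exp(-lam*t). The linear form P = lam*t over-estimates and
    is therefore the conservative choice."""
    return lam * t if linear else 1.0 - exp(-lam * t)


def linear_overestimate(lam: float, t: float) -> float:
    """Relative error of P = lam*t against the exponential:
    (lam*t) / (1 - exp(-lam*t)) - 1."""
    return lam * t / running_failure_prob(lam, t) - 1.0


def choose_formula(lam: float, t: float, threshold: float = 0.1) -> str:
    """Section 6.6.1 rule of thumb: lam*t while P < 0.1, else the exponential."""
    return "linear" if lam * t < threshold else "exponential"


def standby_unavailability(lam: float, test_interval: float) -> float:
    """Average unavailability of a periodically tested standby component,
    P = lam*t/2 with t the test interval (Section 6.6.2)."""
    return lam * test_interval / 2.0


def untested_unavailability(lam: float, operating_time: float) -> float:
    """Point-wise unavailability at the plant's current operating time T for
    a standby component never tested or maintained: 1 - exp(-lam*T)."""
    return 1.0 - exp(-lam * operating_time)


def error_table(products=(0.01, 0.05, 0.1, 0.3, 0.5, 1.0)) -> Dict[float, float]:
    """Relative over-estimate of the linear form for several values of lam*t."""
    return {x: linear_overestimate(x, 1.0) for x in products}


if __name__ == "__main__":
    # Constructed illustration values, not data from the report.
    lam, mission = 1.0e-5, 8760.0  # per hour, one year of operation
    print("one year linear:", running_failure_prob(lam, mission, linear=True))
    print("one year exact: ", running_failure_prob(lam, mission))
    print("rule of thumb:  ", choose_formula(lam, mission))
    for x, err in error_table().items():
        print(f"lam*t={x:<5} over-estimate={err:6.1%}")
    print("standby, 720 h test interval:", standby_unavailability(1.0e-5, 720.0))
    print("never tested, 1e5 h:", untested_unavailability(1.0e-6, 1.0e5))
```

At λt = 0.1 the linear form over-estimates by about 5.1%, which is the boundary the text quotes; at λt = 0.5 the over-estimate is already above 25%, so a monitor that keeps the linear form for high-probability events will read noticeably more pessimistic than the exponential.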

6.6.3 Unavailability Of A Standby Component

The impact of component outages on system reliability is identical to the impact of component
failures, with the exception that the reliability of outages may be different from the reliability of
failures. Since the trip monitor takes components out of service there is no need to count this
twice in the model.

It is recommended to quantify the fault tree in the following sequence: first quantify parts of the fault
tree (developed events), then the main system fault tree as a whole by gradually merging the
additional systems. This facilitates the verification of the fault tree and the identification of logic errors.
The analyst should review the cut sets generated in the fault tree evaluations for mutually
exclusive events. Mutually exclusive events are events which cannot both occur within the same
cut set.
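The cut set review described above can be mechanised for small trees. The following added example (not code from the report or from CAFTA) generates the minimal cut sets of an OR/AND tree bottom-up and then screens out any cut set that contains a pair of mutually exclusive events. The tree it uses is a constructed illustration of the seasonal condenser evacuation pump lineup of Section 6.8.2, with WINTER and SUMMER as house events that cannot both be true; the CEV basic event names are constructed, and the shared developed event for CEV2 is deliberately written so that it leaks a summer-only branch into the winter logic, the kind of modeling error the review is meant to catch.

```python
"""Minimal cut set generation and screening of mutually exclusive events
(added example, not the report's or CAFTA's code). A tree is encoded as
nested tuples: ("OR", child, ...), ("AND", child, ...) or a basic event name."""
from itertools import product
from typing import FrozenSet, Iterable, Set, Tuple, Union

Node = Union[str, Tuple]
CutSets = Set[FrozenSet[str]]


def minimize(sets: Iterable[FrozenSet[str]]) -> CutSets:
    """Keep only minimal cut sets: drop any set that strictly contains another."""
    sets = set(sets)
    return {s for s in sets if not any(o < s for o in sets)}


def cut_sets(node: Node) -> CutSets:
    """Minimal cut sets of a coherent OR/AND tree, built bottom-up:
    OR unions its children's cut sets, AND takes every cross-product."""
    if isinstance(node, str):
        return {frozenset([node])}
    kind, *children = node
    child_sets = [cut_sets(c) for c in children]
    if kind == "OR":
        return minimize(set().union(*child_sets))
    if kind == "AND":
        return minimize(frozenset().union(*combo) for combo in product(*child_sets))
    raise ValueError(f"unknown gate kind: {kind}")


def screen_mutually_exclusive(sets: CutSets, exclusive_pairs) -> CutSets:
    """Drop cut sets containing two events that cannot both occur, which is
    the review step of Section 6.6.3."""
    pairs = [frozenset(p) for p in exclusive_pairs]
    return {s for s in sets if not any(p <= s for p in pairs)}


def cev_trip_tree() -> Node:
    """Constructed illustration of the CEV lineup of Section 6.8.2: the house
    events WINTER/SUMMER select which pumps run. The shared developed event
    for CEV2 unavailability carries a summer-only branch, so under the winter
    branch it yields a cut set containing both season house events."""
    cev2_unavail = ("OR", "CEV2_FTS", ("AND", "SUMMER", "CEV2_SECURED"))
    winter = ("AND", "WINTER", "CEV1_FAIL", "CEV3_FAIL", cev2_unavail)
    summer = ("AND", "SUMMER", "CEV1_FAIL", "CEV3_FTS", cev2_unavail)
    return ("OR", winter, summer)


def cev_cut_sets(screen: bool) -> CutSets:
    """Cut sets of the constructed CEV tree, optionally screened for the
    mutually exclusive WINTER/SUMMER pair."""
    sets = cut_sets(cev_trip_tree())
    if screen:
        return screen_mutually_exclusive(sets, [("WINTER", "SUMMER")])
    return sets


if __name__ == "__main__":
    for label, sets in (("raw", cev_cut_sets(False)), ("screened", cev_cut_sets(True))):
        print(f"{label}: {len(sets)} minimal cut sets")
        for s in sorted(sets, key=sorted):
            print("  ", " * ".join(sorted(s)))
```

The raw tree yields four minimal cut sets, one of which contains both WINTER and SUMMER and survives minimization because no smaller cut set is contained in it; the screening step is what removes it. Running the screen before quantifying the top event avoids crediting a contribution from a scenario that cannot exist.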

6.7 Developing system segment boundaries for trip and derate conditions

6.7.1 Determination of System Boundaries

A clear definition of the system boundary is necessary to consider all components that belong to
each system. Components important to system failure need only be included once in the trees.
Care must be exercised to avoid having multiple components for the same component
failures in different systems. The next section provides rules for establishing system boundaries.

6.7.2 Defining List of Components by Systems

Fault trees should be developed down to a level defined by the trip and derate functional logic
and availability of appropriate failure data. All system components do not have equal
significance for the purpose of satisfying trip avoidance success criteria. Thus, not all
components should be considered in the scope of the system analysis. System reviews are used to
identify redundancies and differentiate between the trips and derate models.

6.8 Example system modeling details for trip fault tree

6.8.1 Circulating water system CW

6.8.1.1 Key Assumptions in PRA model

The PRA fault tree model for the Circulating Water System considers the functions of providing
adequate cooling to the Main Condenser, and providing adequate cooling to the other loads.
Major assumptions and judgments incorporated in this model include the following. No less
than two (2) Circulating Water Pumps and their associated trains must operate in order to
provide adequate cooling capacity for the steam dump system and the “other loads”. Based on
the flow rate requirement of these two (2) pumps, no less than four (4) traveling screens must
operate correctly when demanded. The model accounts for winter and summer operation.

Failure of the traveling screens is modeled as one Basic Event, CWINTAKEFN, CW INTAKE
BAY CLOGGED (TRAVELING SCREENS REQUIRED), with a probability of 1E-4 based on
the plant engineer’s comment of a low probability of screen clogging. Under the worst
conditions, it is expected that only the top section would clog, but the lower section would be
available. A fault exposure time of 8 hours is assumed for using the screen back washing pumps.

6.8.1.2 CW PRA fault tree applicability to trip monitor

The CW fault tree is applied to the Trip monitor by using the following assumptions and
judgments: During operation at 100% power the CW system must supply 3 of 4 pumps (one is
standby) to maintain power level. Loss of one pump reduces the power to about 66% and loss of
two pumps to 33%. If the backup can be brought on line the system can be restored to 100%
power.

The failure modes are generally correct for this tree since both cases apply to the loss of a system
under operation. The tree was stripped of common cause failures, external initiating events and
other causes of loss of condenser vacuum (e.g., vacuum pumps because they are treated
separately in the MR breakdown) so that only failures of the internal system components would
apply to the trip monitor and derate trees.

An issue is that the component listing for the PRA doesn’t match the DP-Tag numbers set up by
the maintenance rule. The PRA model logic applies, but the name will be different from the one
CPSES operators use in the MR tag system.

The traveling screens are put in CO3 as single input, but could be modeled more explicitly to
account for power reductions.

6.8.2 Condenser Vacuum pump

6.8.2.1 Key assumptions

There are two basic modes of operation for this system depending on the season - summer and
winter. This model specifically accounts for these differences by having 2/3 CEVs initially
operating for the winter, and 1/3 CEVs in the summer. Condenser Evacuation pump 2 is
modeled to always be in standby. CEV 3 is running during winter (for chemistry purposes), and
secured in the summer. To simplify the modeling, the Fault Exposure Time (FET) for CEV 3 is
left in the segment for winter operation, although the pump is operating. This FET is required in
the summer. The impact is negligible on the system unavailability.

During operation at 100% power the CEV system must supply 1 of 3 pumps (two are in standby)
to maintain vacuum. If vacuum increases, the second and third pumps are started for winter
conditions. Loss of the running pump without backup is assumed to cause a trip. If the backup
can be brought on line the system can be restored to 100% power.

6.8.2.2 Applicability to Trip monitor

The failure modes are generally correct for this tree since both cases apply to the loss of a system
under operation. This CW sub tree was extracted and placed under CV1. It was stripped of
common cause failures, external initiating events and other causes of loss of condenser vacuum
(e.g., condenser seal failures) so that only failures of the internal system components would
apply.

6.8.2.3 Condenser Vacuum Faults

This considers mechanical leaks in the system and matches the assumptions of the PRA model.

6.8.3 Electro-hydraulic control (EH)

6.8.3.1 System description

The Turbine Control System is required for the speed and load control of the turbine. In
addition, the turbine trip system (TTS) and Extended Turbine Protection (ETP) are required for
immediate automatic or manual shut down of the turbine in the event of exceeding certain
operational limits such as speed, vacuum, shaft displacement and vibration.

The functional requirements of the Turbine Control System at power are:

1. To control the turbine speed by changing turbine admission valve positions, thereby helping to
maintain synchronization of the generator (very fast responses are controlled by the exciter, ~
0.02 to 2.0 seconds; admission valve control, ~ 1.0 to 100 seconds; and the heat generation
system, ~ 1 minute and longer).

2. To control the load and respond to rapid load changes according to the requirements of the
grid or the plant.

3. To change the load to electrical phase angle influence, when required by the grid control
requirements.

4. To respond to conditions requiring a limit in the generator load, when required by either
internal plant conditions or changes in the grid.

5. To control the steam pressure at the turbine generator, and maintain desired conditions for
the BOP and NSS.

6. To prevent overspeeding of the turbine in the event of load loss from full power, and allow
continued operation at no load or auxiliary load with a minimum residual speed deviation.

7. To provide input signals to the Reactor Protection System for an anticipatory reactor trip on
turbine trip.

   a. To shut down the turbine in the event of exceeding certain operational values,
   thereby protecting the turbine and minimizing the probability of turbine missiles.

   b. To allow the remote resetting of the hydraulic trip devices.

8. The functional requirements of the EHC fluid supply system are to supply control fluid to the
turbine control system, the TTS, the ATT and the steam valve actuators.

6.8.3.2 Key components and redundancies in the system

Two electro-hydraulic converters are required for the control of the MCVs and the LP-control
valves. At normal operation both work in parallel, but only one can control the turbine over the
full speed/load range. A manually operated mechanical hydraulic controller is a back-up system.
Thus, trip involves a performance factor, and failure of the system leads to trip but not derate.

The ATT is required as a combined mechanical/electrical system for the testing of the hydraulic
trip devices (overspeed, thrust bearing, vacuum and trip solenoids) and the testing of all stop and
control valves during operation of the turbine. This can be done at power with a small derate
penalty. Errors in testing can lead to a trip.

During start-up and load changing operations two 50% AC motor driven control fluid pumps are
required to supply the control and trip system of the turbine with low pressure and the steam
valve actuators with high pressure control fluid. During operation it is assumed that one pump is
sufficient to maintain the valve positions based on operational experience. A third 50% pump is
on standby if one of the running pumps fails. This is modeled as a one-of-three failure of the
pumps, but the trip probability is high if two pumps are out.

Hydraulic control systems have to maintain strict tolerances to achieve a high level of
performance. While very fast acting, they are subject to degradation by dirt and use flammable
materials as the non-compressible fluid. Therefore, the control fluid must be constantly
conditioned and filtered. It is assumed that the loss of filtering for time periods of several days is
permitted without a trip. Filtering uses the following equipment:

1. A conditioning unit consisting of an AC motor driven circulating pump, an earth filter and a
mechanical filter

2. A mechanical duplex filter for high-pressure control fluid in each supply unit for the
actuators of the steam valves

3. A mechanical double plate type filter for each low-pressure control fluid supply line to the
hydraulic turbine control rack

4. A mechanical basket-type filter for the fluid return to the control fluid tank

Hydraulic accumulators are required in the low-pressure and high-pressure control fluid systems
as devices for the storage of pressure energy. They support maintaining a certain system
pressure during brief periods of high demand (e.g., sudden turbine load changes) and absorb
pressure peaks and oscillations. Thus, loss of the accumulators reduces the margin for control
actions and load following. Rupture of an accumulator would cause loss of the system pressure
and a trip.

Two 100% coolers are required to cool the control fluid to operational temperature. Loss of
cooling would lead to a delayed trip.

6.8.4 Condensate System (CO)

6.8.4.1 System description

The functional requirements of the Condensate System are to collect condensed steam from the
Main and Steam Generator FWP Turbines, Low Pressure Feedwater Heaters, and miscellaneous
drains during normal plant operation and to supply approximately two thirds of the feedwater
flow to the Steam Generator FWPs suction.

6.8.4.2 Key components and redundancies

The main condenser is required to function effectively at all turbine loads and perform the
following functions:

1. Condense steam released to the condenser by the turbine exhaust during normal plant
operation and by the steam dump system during transient operating conditions. Loss of this
function causes plant trip.

2. To deaerate the condensate. Loss of this function causes plant trip (See Condenser vacuum
pumps above).

6-17
10427354
Detailed Modeling of Systems

3. To accept drains from the feedwater heaters, gravity drains from the auxiliary condenser and
other miscellaneous sources. Interruptions of drain can lead to derate if bypassed or trip if
not.

4. To accept a total heat load of approximately 7.754 x 10^9 Btu/hr with a circulating water flow
of 1.03 x 10^6 gpm. Loss of circulating water will trip the plant; this system is treated
separately.

Auxiliary Condensers

Two auxiliary condensers provide a heat sink for the Steam Generator FWP Turbines exhaust
steam. One auxiliary condenser is provided for each Steam Generator FWP Turbine. The plant
can operate with one condenser out of service; the transient to reach this condition has a very
high chance of tripping the plant.

Condensate Storage Tank

The Condensate Storage Tank is designed to store condensate for the Auxiliary Feedwater and
Condensate Systems. The Condensate Storage Tank provides makeup water to the condenser
hotwell when required. It provides sufficient volume to maintain secondary side inventory
during normal operation and transient conditions. If it is isolated or its level is low, the ability to
manage transients is lost, which could lead to a trip.

Condensate Pumps

Two motor-driven, constant-speed, vertical, canned-type condensate pumps are required. Each
is required to be capable of delivering approximately 65 percent of the total condensate flow.
Normally the condensate pumps are required to supply 50 percent of full load condensate flow.
The pumps draw condensate from the two main condenser hot wells via a common suction
header, which cross-connects the two condenser shells, minimizing level differences between the
two hot wells. The condensate pump(s) must provide sufficient suction pressure to the Steam
Generator FWPs while, at the same time, provide pump head flow characteristics compatible
with the heater drain pumps head flow characteristics for stable drain system operation at all load
points. It is assumed that if one pump is lost during operation the bypass valve must operate to
help avoid a trip. A performance factor is needed, as this is a very difficult manual control
operation.

Low Pressure Feedwater Heaters Numbers 03 through 06, A and B

There are no specific general mechanical equipment requirements for the low pressure feedwater
heaters except for design temperature and pressure; however, bypass of these heat exchangers
results in a 4 to 8% reduction in plant power output, so they contribute to derate but not trip.

Key valve - Emergency Low Pressure Heater Bypass Control Valve (PV-2286)

The low-pressure heater bypass pressure control valve opens in the event of 2 out of 3 coincident
low steam generator FWP suction pressure signals or receipt of 2 out of 3 coincident high-pressure
signals across the auxiliary gland steam condenser when turbine power is greater than 15
percent. The valve bypasses the condensate polishing system and both trains of low-pressure
feedwater heaters and discharges into the common 30-inch steam generator FWP suction header.
The valve is fail-open, piston operated, and capable of fully positioning within 2.5 seconds of
receiving an actuation signal. The fast timing is required to maintain the FWP suction pressure.
This valve provides a redundancy to the condensate pumps for avoiding a full trip, with a derate
to about 50% power. If it fails as is, then loss of either condensate pump causes a full trip.

6.9 Lessons from Modeling

6.9.1 Modeling Segment Boundaries

The segment boundaries should include all components needed to make the segment available.
This permits integration of many items with the same impact on the results from a pick list. In
principle, trips and derates can be caused by failures in piping, valves, pumps, motors, breakers,
control systems, protection circuits, and cables leading to the segment-specific function. Use
tagging labels in MR and PM databases to identify the system and individual components.

Air and electrical supplies are independent systems treated on their own, so the system
dependencies are removed. It is a conservative assumption to simplify the modeling and can be
reviewed later and adjusted by including either an explicit model or a performance factor where
judgment can be used to estimate the likelihood of not tripping given failure of components in
the segment.

Listed components included in the MR and PM database system listing can be assumed to have
no significant redundancies within the segment or train they are linked to (e.g., all equipment goes
into OR gates).

Failures of the components are modeled with binary logic. Thus the train or segment function is
lost if any component within the segment fails. Binary logic supports the in-service, out of
service conditions.

Thus, the simplified trip model is based on layers of fault tree sections to focus on those systems,
trains, and components that are likely to cause an outage or derate. Systems with little
redundancy can be addressed as a module consisting of all the components within it. When any
component within the system is taken out of service the whole system is assumed to be out of
service. This remains a conservative assumption that over predicts the likelihood of trip. If this
gives a distorted picture of the system impact then a performance basic event (logic with an
AND gate at the train or segment level) can be used to incorporate plant knowledge about ability
to avoid trip or derate conditions given a failure.

6.9.2 Priority of inputs

1. Internal failure of active components (e.g., pumps, motors, control systems, control loops and
control valves). These are the most likely to cause failure and trip.

2. Internal failure of passive electrical components (e.g., breakers, fuses, cable, protection circuits, and
transformers). Can be considered as part of the system boundary, if it simplifies the logic
model. Can be represented as one block in the fault tree.

3. Internal failure of passive mechanical components (relief valves, manual valves, check valves, and pipes).
Can be represented as one block in the fault tree.

4. Small support lines, sampling lines, information only instruments. Can be represented as one
block in the fault tree.

6.9.3 Evaluate each system for impact on trip and derate

The impact of each system on the results is first assumed to come through an OR gate. This is an
overly conservative assumption, but it permits quick start-up of the trip monitor. Then, when
assessing the impact of the components on the output by binary logic, the plant will trip when any
component is removed. Thus, the intermediate logic must be adjusted to more accurately reflect
the plant operation. This is done by introducing AND gates in the existing model, and by adding
a conditional probability of trip that represents the difference in likelihood between a trip
and a derate given the failed segment or train combination. Identification of these factors takes
time with plant personnel and review of drawings, system information and training material.

6.9.4 Calibration of the trip monitor

Ideally the models would be calibrated on average failure rates for each component. Since
individual components have large uncertainties in the failure rate, generic data based on pooled
sources of similar equipment have been used to develop failure rates for PRA. Thus, where
possible, in the initial start-up of the model the PRA data provide a valuable starting point.
However, care must be taken in applying these data to the monitoring systems, because the
mission time in the PRA is much shorter than the mission time for a plant refueling cycle. A
factor can be used to balance the calibration of trees developed under different mission times.
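The segment logic of 6.9.1 and 6.9.3 and the mission-time factor of 6.9.4, worked through in Python as an added example that is not part of the EPRI report: it models the condensate pump and PV-2286 bypass segment from 6.8.4.2 with binary in-service/out-of-service pump states, an AND-gated performance factor for the manual control action, and a constant-failure-rate rescaling from PRA mission time to refueling-cycle mission time. All probabilities and times are assumed, illustrative values.

```python
import math
from itertools import product

# Added example, not from the EPRI report. Illustrative values only.
# Binary logic (6.9.1): a pump out of service counts as failed with
# probability 1; a performance factor (6.9.3) is AND-gated with the
# bypass valve so that a single pump loss splits into derate and trip.


def or_gate(probs):
    """Segment with no internal redundancy: any component failure fails it."""
    p_ok = 1.0
    for p in probs:
        p_ok *= 1.0 - p
    return 1.0 - p_ok


def condensate_outcomes(in_service, p_pump, q_valve_fails, f_perf):
    """Return (p_trip, p_derate) per cycle for the two condensate pumps.

    in_service    : (bool, bool); an out-of-service pump is treated as failed
    p_pump        : per-cycle failure probability of one running pump (assumed)
    q_valve_fails : probability PV-2286 fails as-is on demand (assumed)
    f_perf        : performance factor, chance the manual control action
                    fails even though the valve opened (assumed)
    """
    p_trip = p_derate = 0.0
    fail_p = [p_pump if s else 1.0 for s in in_service]
    for fails in product([False, True], repeat=2):
        p_state = 1.0
        for failed, p in zip(fails, fail_p):
            p_state *= p if failed else 1.0 - p
        running = fails.count(False)
        if running == 2:
            continue                          # full condensate flow, no effect
        if running == 0:
            p_trip += p_state                 # both pumps lost: full trip
            continue
        # one pump lost: valve must open AND operator action must succeed
        p_avoid = (1.0 - q_valve_fails) * (1.0 - f_perf)
        p_derate += p_state * p_avoid         # derate to about 50% power
        p_trip += p_state * (1.0 - p_avoid)
    return p_trip, p_derate


def rescale_mission_time(p_pra, t_pra_h, t_cycle_h):
    """6.9.4: rescale a PRA failure probability quoted for a short mission
    time to the trip-monitor mission time, assuming a constant failure rate."""
    lam = -math.log(1.0 - p_pra) / t_pra_h    # failure rate per hour
    return 1.0 - math.exp(-lam * t_cycle_h)


if __name__ == "__main__":
    print(condensate_outcomes((True, True), 0.05, 0.10, 0.30))
    print(condensate_outcomes((True, False), 0.05, 0.10, 0.30))
    print(rescale_mission_time(0.001, 24.0, 18 * 30 * 24.0))
```

Taking one pump out of service moves most of the remaining probability mass from "no effect" into derate and trip, which is the conservative over-prediction the text describes before a performance factor is tuned.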

When building new models, engineering judgment can be used to apply data by first studying
existing databases such as GADS, and then considering order-of-magnitude groupings for systems
and components on a probability per year of causing an outage if the component fails. This
provides a first rough approximation for starting the model.

The next step is to calibrate the model for the key systems when testing to verify that the logic
correctly addresses the major components in the system. As the system is updated with plant
specific data the calibration ranges can be adjusted accordingly. Furthermore, new detailed
systems can be added that address less likely trip and derate scenarios to replace the listing of
components through the OR gate with a better model of the system interactions.

As the initial simplified trip monitor is put into use, separating development work from application
use keeps the configuration under control. Then, when updating the model, a new version can be
installed that takes account of the comments from the model users. With more time in use the models
will become more refined and accurately reflect the plant susceptibility to derate and trip.
© 2004 Electric Power Research Institute (EPRI), Inc. All rights reserved. Electric Power Research Institute and EPRI are registered service marks of the Electric Power Research Institute, Inc. EPRI. ELECTRIFY THE WORLD is a service mark of the Electric Power Research Institute, Inc.
