Nuclear · MIL-STD-882E / IEEE 603

Reactor Fails to SCRAM — Fault Tree

A worked nuclear-safety fault tree for failure of the reactor emergency shutdown (SCRAM) function. Aligned to MIL-STD-882E, IEEE Std 603 and the single-failure criterion of 10 CFR 50 Appendix A General Design Criterion 17. Target probability: < 10⁻⁵ per demand.

MIL-STD-882E IEEE Std 603 10 CFR 50 App. A 19 nodes · AND top

Open in FTA Studio → Download .json Embed ↗

The scenario

SCRAM is the rapid, automatic insertion of control rods into a reactor core in response to an Anticipated Operational Occurrence (AOO) or accident-class transient. The top event of this fault tree is failure of the reactor protection system to achieve sub-critical shutdown on demand — known in the IAEA literature as ATWS (Anticipated Transient Without SCRAM). It is a primary contributor to core-damage frequency in PRA studies.

Top event and decomposition

The top gate is an AND: ATWS requires that the primary SCRAM mechanism AND its diverse backup AND the residual heat-removal capability all fail to compensate. The structure embodies defence in depth.

Control-rod insertion failure — modelled as the AND of mechanical drive failure, electromagnetic latch failure, and gravity-insertion path obstruction. Each leaf has a per-demand probability calibrated to industry operating experience.
Reactor Protection System (RPS) logic failure — modelled with the canonical 2-out-of-4 sensor voting structure that nuclear architectures use, plus the AND of trip-breaker failure on each train.
Diverse Actuation System (DAS) / ECCS failure — independent backup to the primary RPS, modelled with separate λ data and exhaustive common-cause analysis (alpha-factor model).

Common-cause is the dominant contributor at this probability floor — dependent failures across redundant trains usually outweigh independent random failure by an order of magnitude or more.

Standards alignment

This template is the deductive backbone of the Level-1 PRA / IPE that NRC inspectors expect under 10 CFR 50.65 (Maintenance Rule) and the licensing safety analysis required under 10 CFR 50.34. The single-failure criterion of GDC 17 maps onto the AND-of-redundant-trains structure; the ATWS rule (10 CFR 50.62) maps onto the diverse-backup branch.

Standards covered MIL-STD-882E (System safety), IEEE Std 603 (Safety systems for nuclear power generating stations), IEEE Std 7-4.3.2 (Software for Class 1E systems), 10 CFR 50 Appendix A GDC 17 / 21 / 23, NUREG-0492 (FTA handbook).

Use this template

Open in FTA Studio, replace generic per-demand probabilities with your plant-specific operating experience and Bayesian-updated estimates, refine the alpha-factor CCF parameters from NUREG/CR-6268, and export the FTA report as part of the PRA documentation submitted to the regulator.

Reactor Fails to SCRAM — Fault Tree

The scenario

Top event and decomposition

Standards alignment

Use this template

Related