
Common Cause Failure Analysis

1. Introduction

In order to demonstrate that the risk of a Nuclear Power Plant to the general public is as low as reasonably achievable, a Probabilistic Safety Assessment (PSA) study is carried out. PSA also identifies the dominant contributors to risk and thereby provides a means for design changes/modifications in operating procedures for reduction in risk. The PSA study tries to include all possible accident scenarios and their quantification in terms of core damage frequency and consequences. This is in contrast to the deterministic safety study, wherein a worst case accident scenario is considered and it is shown that engineered safety features are provided to counteract such accident scenarios. A PSA level 1 study is an application of reliability engineering to ensure the reliability and availability of the various reactor systems in order to minimize the overall core damage frequency. Reliability of a system is enhanced by better design practice and by selecting reliable components; further enhancement of reliability is achieved using the redundancy technique. Redundancy means an increase in volume, weight and cost, and reduced maintainability. Moreover, 100% reliability cannot be achieved using the redundancy technique. The limitation is dependent failures, or common cause failures (CCF).

2. Common cause failures

A common cause failure is the result of an event (or events) which, because of dependencies, causes a coincidence of failure states of components in two or more separate channels of a redundancy system, leading to the defined system failing to perform its intended function. The types of events which are identified as common cause failures leading to a system failing to perform its intended function are:

- The coincidence of failures of two or more identical components in separate channels of a redundancy system, due to a common cause.
- The coincidence of failures of two or more different components in separate channels of a redundancy system, due to a common cause.
- The failure of one or more components which results in the coincidence of failures of one or more other components, not necessarily of the same type, as the consequence of some single initial cause.
- The failure of some single component or service which is common to all channels in an otherwise redundant system.

3. CCF Classification

The comprehensive classification scheme developed by SRD UK [2, 3] is shown in Fig 1. It is based on CCF causes, which are attributed to the following:

(a) Engineering design and construction: The common characteristic of the two classes of CCF cause under this heading is that they include management and technical software errors due to the human factors involved in these activities. If these errors are not revealed and corrected prior to the operations stage, they will persist as an actual or a potential CCF until revealed by some operational procedure, or by a system failure at a time when a demand is made on it to operate.

(b) Operational (procedural and environmental): CCF can be introduced by the activities which are associated with the interfaces between the system and the various types of operations staff involved.

Events of failures due to CCF of selected components observed in field cases are shown in Figs 2, 3, 4 and 5.

Fig 1: CCF Classification scheme (tree diagram; its labels are reproduced below)

CCF Causes
- Engineering (E)
  - Design (ED): Functional Deficiencies (EDF); Realization faults (EDR)
  - Construction (EC): Manufacture (ECM); Installation & Commissioning (ECI)
- Operations (O)
  - Procedural (OP): Maintenance & Test (OPM); Operation (OPO)
  - Environmental (OE): Normal Extremes (OEN); Energetic Events (OEE)

Lower-level causes named under the engineering branches (not assigned to sub-branches here): hazard undetectable, inadequate standards, inadequate control, inadequate instrumentation, inadequate components, design errors, design limitations, operational deficiencies, channel dependency, common operation and protection components, inadequate quality control, inadequate inspection, inadequate testing, inadequate testing & commissioning.

Lower-level causes named under the procedural branches: imperfect repair, imperfect testing, imperfect calibration, imperfect procedures, inadequate procedures, inadequate supervision, operator errors, communication error.

Environmental causes: energetic events (fire, flood, weather, earthquake, explosion, missiles, electrical power, radiation, chemical sources) and normal extremes (temperature, pressure, humidity, vibration, acceleration, stress, corrosion, contamination, interference, radiation, static charge).

Fig 2: CCF - Pumps (field event data; figure not reproduced)

Fig 3: CCF - Circuit Breakers (figure not reproduced)

Fig 4: CCF - Diesel Generators (figure not reproduced)

Fig 5: CCF - Motor Operated Valves (figure not reproduced)

4. Defences against CCF

It is considered essential that, in the design and operation of safety systems, the general policy must be the prevention of CCF, or at least the minimization of their frequency of occurrence and of their effects upon the system. The degree to which this policy is applied will depend on financial, plant design, operational or other constraints. General awareness by both design and operation staff helps a great deal towards the elimination/minimization of CCFs. Based on the CCF classification, mitigating factors or defences against common cause failures can then be evolved; these factors are given in Fig 6 and Fig 7. The areas of causes where the impact of technical and management defences is felt are also shown in Fig 6.

Fig 6: CCF defences related to their causes (figure not reproduced)

Fig 7: CCF defences related to their causes (figure not reproduced)

5. CCF Modelling

Common cause basic events are events that represent multiple failures of components from shared root causes. The objective is to provide a transition from the fault tree logic model to a model that can be quantified. Different CCF models are available to quantify multiple failure probabilities. The general CCF analysis strategy to be followed is shown in Fig 8. The CCF models are described below.
Fig 8: CCF Analysis Strategy (flow chart, rendered as steps)

1. Develop the system logic.
2. Determine the dependency categories.
3. Identify the components affected. If fewer than two components are affected: no dependency. Otherwise: potential dependency.
4. Are the components in the same cut set? If no: potential dependency not significant. If yes: potentially significant dependency.
5. Are the defences inadequate? If no: dependency not significant. If yes: significant dependency, which is then quantified.

Beta factor model: The beta factor model is a single parameter model; that is, it uses one parameter in addition to the total component failure probability to calculate the CCF probabilities. A fraction ($\beta$) of the component failure rate can be associated with common cause events shared by the other components in that group. According to this model, whenever a common cause event occurs, all components within the common cause component group are assumed to fail:

$Q_I = (1 - \beta)\, Q_t$, $\quad Q_m = \beta\, Q_t$

This implies that $\beta = Q_m / (Q_I + Q_m)$, where $Q_t$ is the total failure probability of one component ($Q_t = Q_I + Q_m$), $Q_I$ is the independent failure probability of the single component, $Q_m$ is the probability of a basic event failure involving $m$ specific components, and $m$ is the maximum number of components in a common cause group. Although historical data collected from the operation of nuclear power plants indicate that common cause events do not always fail all redundant components, experience from using this simple model shows that, in many cases, it gives reasonably accurate (only slightly conservative) results for redundancy levels up to about three or four items. However, beyond such redundancy levels, this model generally yields results that are conservative. In such cases, the beta factor can be modified on the basis of operating experience and the defences provided (partial beta factor model); these factors are shown in Fig 7. When interest centres on the specific contributions from third or higher order trains, more general parametric models are recommended.

Multiple Greek Letter Model: The MGL model is an extension of the beta factor model. The MGL model was the one used most frequently in the International Common Cause Failure Reliability Benchmark Exercise. In this method, other parameters in addition to the $\beta$ factor are introduced to distinguish among common cause events affecting different numbers of components in a higher order redundant system. The MGL parameters consist of the total component failure frequency, the common cause contributions to that component failure, and a set of failure fractions, which are used to quantify the conditional probabilities of all the possible ways in which a common cause failure of a component can be shared with other components in the same group, given that the component failure has occurred. The failure probability of $k$ components, $Q_k$, due to a common cause for a given total failure probability $Q_t$ is given by:

Alpha factor model: The alpha factor model defines common cause failure probabilities from a set of failure fractions and the total failure frequency $Q_t$. In terms of the basic event probabilities, the alpha factor parameters are defined as shown below: $\alpha_k^{(m)}$ is the ratio of the probability of failure events involving any $k$ components to the total probability of all failure events in a group of $m$ components.
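The screening step of the Fig 8 strategy (two or more members of one common cause component group in the same cut set) and the three parametric models above, as an added worked example in Python; this is not code from the article. The cut sets, the component group and all parameter values are constructed. The MGL and alpha-factor expressions used are the standard NUREG/CR-5485 forms for a group of $m$ components, which are assumed here to be the ones the article's unreproduced equations refer to; the beta factor case is the $Q_I$, $Q_m$ relation given above.

```python
"""Added example (not the article's code): Fig 8 cut-set screening plus the
beta-factor, MGL and alpha-factor CCF models. Model equations follow the
standard NUREG/CR-5485 forms; all inputs below are constructed."""
from math import comb, prod


def screen_cut_sets(cut_sets, groups):
    """Fig 8 screening: a minimal cut set is a potentially significant
    dependency when >= 2 members of one common cause component group (CCCG)
    appear in it. Returns {frozenset(cut_set): [names of groups hit]}."""
    flagged = {}
    for cs in cut_sets:
        hits = [name for name, members in groups.items()
                if len(set(cs) & set(members)) >= 2]
        if hits:
            flagged[frozenset(cs)] = hits
    return flagged


def beta_factor(qt, beta, m):
    """Q_k (k = 1..m) for a CCCG of m components: Q_I = (1 - beta) Q_t is the
    independent part, Q_m = beta Q_t fails all m, and no partial events."""
    q = [0.0] * m
    q[0] = (1 - beta) * qt
    q[m - 1] = beta * qt
    return q


def mgl(qt, rhos, m):
    """Multiple Greek Letter model, rhos = [beta, gamma, delta, ...] (m - 1
    values); rho_1 = 1 and rho_{m+1} = 0 by convention.
    Q_k = prod_{i<=k} rho_i * (1 - rho_{k+1}) * Q_t / C(m-1, k-1)"""
    if len(rhos) != m - 1:
        raise ValueError("MGL needs m - 1 parameters")
    rho = [1.0] + list(rhos) + [0.0]        # rho[i] is rho_{i+1}
    return [prod(rho[:k]) * (1 - rho[k]) * qt / comb(m - 1, k - 1)
            for k in range(1, m + 1)]


def alpha_factor(qt, alphas, m, staggered=False):
    """alphas[k-1] = alpha_k^(m): fraction of the group's failure *events*
    that involve exactly k components (they sum to 1).
    Non-staggered testing: Q_k = k alpha_k / (alpha_t C(m-1,k-1)) Q_t with
    alpha_t = sum_k k alpha_k; staggered: Q_k = alpha_k / C(m-1,k-1) Q_t."""
    if len(alphas) != m:
        raise ValueError("alpha-factor needs m parameters")
    alpha_t = sum(k * a for k, a in enumerate(alphas, start=1))
    return [(a if staggered else k * a / alpha_t) * qt / comb(m - 1, k - 1)
            for k, a in enumerate(alphas, start=1)]


def component_total(q):
    """One specific component takes part in C(m-1, k-1) of the size-k events,
    so this sum must give back Q_t for a consistent parameter set."""
    m = len(q)
    return sum(comb(m - 1, k - 1) * qk for k, qk in enumerate(q, start=1))


def two_of_three_failure(q):
    """Rare-event approximation for a 2-out-of-3 system (fails when two or
    more trains fail). After CCF expansion the minimal cut sets are the three
    independent pairs, the three double-CCF events and the triple-CCF event.
    Returns (total, independent part, CCF part)."""
    q1, q2, q3 = q
    independent = 3 * q1 ** 2
    ccf = 3 * q2 + q3
    return independent + ccf, independent, ccf


if __name__ == "__main__":
    groups = {"EDG": ["DG-A", "DG-B", "DG-C"]}            # constructed CCCG
    cut_sets = [("DG-A", "DG-B"), ("DG-A", "PUMP-1"), ("DG-A", "DG-B", "DG-C")]
    print("potentially significant:", screen_cut_sets(cut_sets, groups))
    qt = 1e-3                                               # constructed Q_t
    for name, q in [("beta", beta_factor(qt, 0.1, 3)),
                    ("MGL", mgl(qt, [0.1, 0.5], 3)),
                    ("alpha", alpha_factor(qt, [0.95, 0.03, 0.02], 3))]:
        total, ind, ccf = two_of_three_failure(q)
        print(f"{name:5s} Q_k={q} sum={component_total(q):.3e} "
              f"2oo3={total:.3e} CCF share={ccf / total:.0%}")
```

With $\gamma = 1$ the MGL result collapses to the beta factor result, and `component_total` returning $Q_t$ is the consistency check worth keeping for any parameter set taken from data. With the constructed values the CCF terms account for well over 95% of the 2-out-of-3 failure probability under all three models, which is the dominance of CCF that the conclusions below refer to.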

"he difference between the M@factor parameters and the 'BJ parameters is that the former are system@failure based while the later are component failure based "he M@ factor parameters are thus more directly related to the observable number of events than are the 'BJ parameters Jike 'BJ model, the M@factor model develops common cause failure fre#uencies from a set of failure ratios and the total component failure rate %. CCF data "he modelling of **+ re#uires data on plant events in order to both refine and calibrate the models used Any collection actively will need to collect information on both dependent and independent failures if the models are to be supported "he data collection must include, "he causal mechanism (e g design error, operator error) Applied defences +ailure mode and number of failures &. Conclusions *ommon cause failures have been generally defined and classified according to cause A large body of supporting evidence has been produced and analysed, which indicates that there is a dominace of **+ in system reliability #uantification and that human errors in design and maintenance are the main **+ causes /efences against **+ have been described and related to engineering management, design, manufacture and operation An integrated **+

defensive strategy is re#uired in all aspects of proEect management with the aim of minimi%ing **+ fre#uency **+s are related to the environment that produced the system and also to that in which it operates So that e<isting or future information can be ade#uately applied In any particular redundant system being evaluated for **+, the #uantitative conclusions can only be used as a rough guide &esearch is re#uired to obtain a better understanding of human factors relating to system design and maintenance with a view to generating the capability of assessment and control of human error leading to **+

Acknowledgement: The author is grateful to Dr V V S S Rao and Mr K Durga Rao of Reactor Safety Division, BARC, for their support in the preparation of the article.

References

1. Probabilistic Safety Assessment Guidelines, AERB/SG/O-15, Atomic Energy Regulatory Board, Mumbai, June 2002.
2. G T Edwards and I A Watson, A Study of Common Cause Failures, SRD R 146, Safety and Reliability Directorate, United Kingdom Atomic Energy Authority.
3. P Humphreys and B D Johnston, SRD Dependent Failures Procedures Guide, Safety and Reliability Directorate, United Kingdom Atomic Energy Authority.
4. Enrico Zio, Common Cause Failures: An Analysis Methodology and Examples, April 2002.
5. NUREG/CR-6819.
