ML17285A000

E-Mail: CCF Definition
Site: Nuclear Energy Institute
Issue date: 10/11/2017
From: Fregonese V, Nuclear Energy Institute
To: Mauricio Gutierrez, NRC/OCFO (MGutierrez, 301-415-1925)


Text

From: FREGONESE, Victor
To: Gutierrez, Mauricio
Cc: FREGONESE, Victor; HANSON, Jerud; Holonich, Joseph
Subject: [External_Sender] CCF Definition
Date: Wednesday, October 11, 2017 9:47:29 AM

Hi Mauricio.

After much discussion, we have aligned around the IEEE-603-2009 definition. However, our team feels that some explanatory notes are required to be used in conjunction with the definition, within NEI 16-16.

We are proposing to discuss the following definition with the staff during our next meeting in November:

CCF: Loss of function to multiple structures, systems or components due to a shared root cause (IEEE Std. 603-2009).

For this guideline, the following notes apply:

1) Loss of function means a malfunction of multiple SSCs caused by a specific I&C failure source.

2) Shared root cause is limited to I&C failure sources, including single random hardware component failure, an environmental disturbance, a software design defect, and a human error.

During the discussion, we would like to cover the following areas, and how, or if, they were considered during the staff dialogue on the CCF definition. These insights would be very important, as our discussions did cover these areas:

  • Did the staff discuss the distinction between common mode failure and common cause failure?

As an example, the SRM 93-087 uses common mode failure. BTP 7-19 initially used this, and then it was changed to common cause failure. NUREG-6303 uses common mode failure.

NUREG-2122 has 2 separate definitions.

  • Did the staff discuss the coincidence, design defect and trigger elements contained in some of the documents reviewed (for instance IEC 62340)?
  • As the scope of IEEE-603 is limited to safety systems, did the staff discuss if the CCF only applies to multiple, redundant SSCs?
  • Any other observations and insights that may be useful in understanding why the staff picked this particular definition (we will also discuss this)

Documents considered during our review include the ones listed below. I have not listed the year for some of the IEEE standards, as we looked at numerous versions, some of which are endorsed by the NRC, and some of which are not. The proposed IEEE-2009 definition in some cases is the same as the one in other later, IEEE standards. The earlier versions had no definition, or had a different definition.

Definition / Source / Notes

Definition: A CCF is the malfunction of two or more plant components or functions caused by a specific I&C failure source that is shared by those plant components or functions, or is common to those plant components or functions. I&C failure sources of particular concern are a single random hardware component failure, an environmental hazard, and a design defect, any of which can cause a CCF.
Source: NEI 16-16, Draft 2, Section 2.3

Definition: Concurrent failures (that is, multiple failures which occur over a time interval during which it is not plausible that the failures would be corrected) of multiple systems, structures or components (SSCs) that occur as a consequence of a single event, cause or activating condition. Malfunctions of multiple SSCs are considered CCFs. A CCF may be a failure of multiple SSCs within a single train system, in redundant divisions of a multi-train system, or in multiple plant systems. Note: I&C components and systems, and in some cases operators are SSCs (in the sense that they manipulate controlled SSCs in response to indications and alarms provided by the I&C components and systems).
Source: EPRI, 3002005326, Section 2.1

Definition: Failures of equipment or systems that occur as a consequence of the same cause. The term is usually used with reference to redundant equipment or systems or to uses of identical equipment in multiple systems. Common cause failures can occur due to design, operational, environmental, or human factor initiators. Common cause failures in redundant systems compromise safety if the failures are concurrent failures, that is, failures which occur over a time interval during which it is not plausible that the failures would be corrected.
Source: NEI 01-01 (EPRI 103248 Rev 1), Section 2
Notes: Previous version was endorsed via GL 95-02. Endorsed by the NRC via RIS 2002-22.

Definition: Multiple failures attributable to a common cause.
Source: IEEE-352

Definition: Multiple failures which are dependent, thereby causing the joint failure probability to increase. The multiple failures are common mode or dependent because they result from a single initiating cause, where "cause" is used in its broadest context.
Source: NUREG-75/014 (WASH-1400), Section 1
Notes: Common-mode failure versus common cause failure.

Definition: Multiple failures which occur because of a single initiating or influencing cause.
Source: NUREG-75/014 (WASH-1400), Section 3.1
Notes: Common-mode failure versus common cause failure.

Definition: A software error is a common mode failure that can simultaneously defeat the functioning of all redundant channels or trains of the protection system, even if the protection system design has minimized the sharing of databases and digital processing equipment.
Source: SECY-91-292
Notes: Defines software error as a common mode failure.

Definition: Failure of two or more structures, systems or components due to a single event or cause.
Source: IAEA SSR2/1, 2012; MDEP DICWG No1
Notes: US NRC participates in MDEP, and document indicates NRC support of positions in the document. This is also identified in NUREG 7007. There is also a slightly different definition in the IAEA safety glossary that the NRC identified in their list. IEC 61513 has the identical definition.

Definition: Loss of function to multiple structures, systems or components due to a shared root cause.
Source: IEEE-379
Notes: The 2000 version of the standard is endorsed by RG 1.153, 1.47, 1.53, and 1.62. Previous versions were not endorsed by the NRC. This is the same as the IEEE 7-4.3.2, Annex G and the IEEE-603 definition.

Definition: Loss of function to multiple structures, systems or components due to a shared root cause.
Source: IEEE 7-4.3.2
Notes: Numerous Reg Guides endorse both the 1993 and 2003 editions. This is the same as the IEEE-379 definition.

Definition: Loss of function to multiple structures, systems or components due to a shared root cause.
Source: IEEE-603
Notes: The 1991 version is incorporated by reference in 10CFR50.55(a)(h). Multiple Reg Guides reference the 1998 version. RG 1.106 references the 2009 version (Motor Operated Valves TOL protection). This definition is the same as the IEEE-379 definition.

Definition: Failure of two or more structures, systems or components due to a single specific event or cause. NOTE 1: The coincidental failure of two or more structures, systems or components is caused by any latent deficiency from design or manufacturing, from operation or maintenance errors, and which is triggered by any event induced by natural phenomenon, plant process operation or an action caused by man or by any internal event in the I&C system. NOTE 2: Coincidental failure is interpreted in a way which covers also a sequence of system or component failures when the time interval between the failures is too short to set up repair measures.
Source: IEC 62340-2007
Notes: This is also identified in NUREG 7007.

Definition: A common cause event is the occurrence of an event that results in an unfavorable impact on the performance of two or more components at the same time or in the same time frame due to the same shared cause. When the unfavorable impact includes one or more component failures, the event is referred to as a common cause failure.
Source: EPRI 3002000774, EPRI Guidelines for PRA data analysis

Definition: Common-mode failures (CMFs) are causally related failures of redundant or separate equipment.
Source: NUREG-6303
Notes: Uses the term common-mode failure.

Definition: ...because an error in the safety system requirements, design, or implementation could result in a failure in redundant channels of the same safety function (i.e., a common cause failure or CCF).
Source: NUREG-7007, Foreword
Notes: Section 2.1.2 cites IEC 62430 as the basis for describing CCF occurrence.

Definition: A failure of two or more structures, systems, or components as a result of a single shared cause.
Source: NUREG-2122
Notes: Separate definitions for CCF and CMF are provided.

Vic Fregonese
Senior Project Manager, Nuclear Generation Division
Nuclear Energy Institute
1201 F Street, NW, Suite 1100
Washington, DC 20004
www.nei.org
M: 704-953-4544
E: vxf@nei.org
