ML17285A000

E-Mail: CCF Definition
Person / Time
Site: Nuclear Energy Institute
Issue date: 10/11/2017
From: Fregonese V
Nuclear Energy Institute
To: Mauricio Gutierrez
NRC/OCFO
MGutierrez, 301-415-1925


Text

From: FREGONESE, Victor
To: Gutierrez, Mauricio
Cc: FREGONESE, Victor; HANSON, Jerud; Holonich, Joseph
Subject: [External_Sender] CCF Definition
Date: Wednesday, October 11, 2017 9:47:29 AM

Hi Mauricio.

After much discussion, we have aligned around the IEEE-603-2009 definition. However, our team feels that some explanatory notes are required to be used in conjunction with the definition, within NEI 16-16.

We are proposing to discuss the following definition with the staff during our next meeting in November:

CCF: Loss of function to multiple structures, systems or components due to a shared root cause (IEEE Std. 603-2009).

For this guideline, the following notes apply:

1) Loss of function means a malfunction of multiple SSCs caused by a specific I&C failure source.

2) Shared root cause is limited to I&C failure sources, including single random hardware component failure, an environmental disturbance, a software design defect, and a human error.

During the discussion, we would like to cover the following areas, and how, or if, they were considered during the staff dialogue on the CCF definition. These insights would be very important, as our discussions did cover these areas:

  • Did the staff discuss the distinction between common mode failure and common cause failure?

As an example, the SRM 93-087 uses common mode failure. BTP 7-19 initially used this, and then it was changed to common cause failure. NUREG-6303 uses common mode failure.

NUREG-2122 has 2 separate definitions.

  • Did the staff discuss the coincidence, design defect and trigger elements contained in some of the documents reviewed (for instance IEC 62340)?
  • As the scope of IEEE-603 is limited to safety systems, did the staff discuss if the CCF only applies to multiple, redundant SSCs?
  • Any other observations and insights that may be useful in understanding why the staff picked this particular definition (we will also discuss this)

Documents considered during our review include the ones listed below. I have not listed the year for some of the IEEE standards, as we looked at numerous versions, some of which are endorsed by the NRC, and some of which are not. The proposed IEEE-2009 definition in some cases is the same as the one in other later, IEEE standards. The earlier versions had no definition, or had a different definition.

Definition / Source / Notes

Definition: A CCF is the malfunction of two or more plant components or functions caused by a specific I&C failure source that is shared by those plant components or functions, or is common to those plant components or functions. I&C failure sources of particular concern are a single random hardware component failure, an environmental hazard, and a design defect, any of which can cause a CCF.
Source: NEI 16-16, Draft 2, Section 2.3
Notes: (none)

Definition: Concurrent failures (that is, multiple failures which occur over a time interval during which it is not plausible that the failures would be corrected) of multiple systems, structures or components (SSCs) that occur as a consequence of a single event, cause or activating condition. Malfunctions of multiple SSCs are considered CCFs. A CCF may be a failure of multiple SSCs within a single train system, in redundant divisions of a multi-train system, or in multiple plant systems. Note: I&C components and systems, and in some cases operators are SSCs (in the sense that they manipulate controlled SSCs in response to indications and alarms provided by the I&C components and systems).
Source: EPRI 3002005326, Section 2.1
Notes: (none)

Definition: Failures of equipment or systems that occur as a consequence of the same cause. The term is usually used with reference to redundant equipment or systems or to uses of identical equipment in multiple systems. Common cause failures can occur due to design, operational, environmental, or human factor initiators. Common cause failures in redundant systems compromise safety if the failures are concurrent failures, that is, failures which occur over a time interval during which it is not plausible that the failures would be corrected.
Source: NEI 01-01 (EPRI 103248 Rev 1), Section 2
Notes: Previous version was endorsed via GL 95-02. Endorsed by the NRC via RIS 2002-22.

Definition: Multiple failures attributable to a common cause.
Source: IEEE-352
Notes: (none)

Definition: Multiple failures which are dependent, thereby causing the joint failure probability to increase. The multiple failures are common mode or dependent because they result from a single initiating cause, where "cause" is used in its broadest context.
Source: NUREG-75/014 (WASH-1400), Section 1
Notes: Common-mode failure versus common cause failure.

Definition: Multiple failures which occur because of a single initiating or influencing cause.
Source: NUREG-75/014 (WASH-1400), Section 3.1
Notes: Common-mode failure versus common cause failure.

Definition: A software error is a common mode failure that can simultaneously defeat the functioning of all redundant channels or trains of the protection system, even if the protection system design has minimized the sharing of databases and digital processing equipment.
Source: SECY-91-292
Notes: Defines software error as a common mode failure.

Definition: Failure of two or more structures, systems or components due to a single event or cause.
Source: IAEA SSR2/1, 2012; MDEP DICWG No1
Notes: US NRC participates in MDEP, and document indicates NRC support of positions in the document. This is also identified in NUREG 7007. There is also a slightly different definition in the IAEA safety glossary that the NRC identified in their list. IEC 61513 has the identical definition.

Definition: Loss of function to multiple structures, systems or components due to a shared root cause.
Source: IEEE-379
Notes: The 2000 version of the standard is endorsed by RG 1.153, 1.47, 1.53, and 1.62. Previous versions were not endorsed by the NRC. This is the same as the IEEE 7-4.3.2, Annex G and the IEEE-603 definition.

Definition: Loss of function to multiple structures, systems or components due to a shared root cause.
Source: IEEE 7-4.3.2
Notes: Numerous Reg Guides endorse both the 1993 and 2003 editions. This is the same as the IEEE-379 definition.

Definition: Loss of function to multiple structures, systems or components due to a shared root cause.
Source: IEEE-603
Notes: The 1991 version is incorporated by reference in 10CFR50.55(a)(h). Multiple Reg Guides reference the 1998 version. RG 1.106 references the 2009 version (Motor Operated Valves TOL protection). This definition is the same as the IEEE-379 definition.

Definition: Failure of two or more structures, systems or components due to a single specific event or cause.
NOTE 1 The coincidental failure of two or more structures, systems or components is caused by any latent deficiency from design or manufacturing, from operation or maintenance errors, and which is triggered by any event induced by natural phenomenon, plant process operation or an action caused by man or by any internal event in the I&C system.
NOTE 2 Coincidental failure is interpreted in a way which covers also a sequence of system or component failures when the time interval between the failures is too short to set up repair measures.
Source: IEC 62340-2007
Notes: This is also identified in NUREG 7007.

Definition: A common cause event is the occurrence of an event that results in an unfavorable impact on the performance of two or more components at the same time or in the same time frame due to the same shared cause. When the unfavorable impact includes one or more component failures, the event is referred to as a common cause failure.
Source: EPRI 3002000774, EPRI Guidelines for PRA data analysis
Notes: (none)

Definition: Common-mode failures (CMFs) are causally related failures of redundant or separate equipment.
Source: NUREG-6303
Notes: Uses the term common-mode failure.

Definition: ... because an error in the safety system requirements, design, or implementation could result in a failure in redundant channels of the same safety function (i.e., a common cause failure or CCF).
Source: NUREG-7007, Foreword
Notes: Section 2.1.2 cites IEC 62430 as the basis for describing CCF occurrence.

Definition: A failure of two or more structures, systems, or components as a result of a single shared cause.
Source: NUREG-2122
Notes: Separate definitions for CCF and CMF are provided.

Vic Fregonese
Senior Project Manager
Nuclear Generation Division
Nuclear Energy Institute
1201 F Street, NW, Suite 1100
Washington, DC 20004
www.nei.org
M: 704-953-4544
E: vxf@nei.org

This electronic message transmission contains information from the Nuclear Energy Institute, Inc. The information is intended solely for the use of the addressee and its use by any other person is not authorized. If you are not the intended recipient, you have received this communication in error, and any review, use, disclosure, copying or distribution of the contents of this communication is strictly prohibited. If you have received this electronic transmission in error, please notify the sender immediately by telephone or by electronic mail and permanently delete the original message.

IRS Circular 230 disclosure: To ensure compliance with requirements imposed by the IRS and other taxing authorities, we inform you that any tax advice contained in this communication (including any attachments) is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties that may be imposed on any taxpayer or (ii) promoting, marketing or recommending to another party any transaction or matter addressed herein.
