REINFORCEMENT OF DEFENCE-IN-DEPTH: MODIFICATION PRACTICE AFTER THE FUKUSHIMA NUCLEAR ACCIDENT
5. COMMON CAUSE FAILURE (CCF), INDEPENDENCE AND DIVERSITY
Making the likelihood of an accident with harmful consequences extremely low cannot be achieved without considering vulnerabilities to common cause failures among the consecutive levels of defence, with the goal of eliminating them from the design to a reasonable extent.
A common cause failure is defined as the failure of two or more structures, systems or components due to a single event or cause.
A CCF may be initiated by the propagation of the effects of an external or internal hazard to different SSCs, by the propagation of a failure originating in one system to other systems, or by an unpredictable latent fault in design or manufacturing, or a human error, which causes the coincident failure of several items of equipment, channels or systems when triggered by a specific event. Consequently, physical separation, independence and diversity are generally implemented by designers to decrease the likelihood of failure by common cause. While physical separation and independence are effective in preventing the propagation of the effects of a hazard or the propagation of a failure, diversity is more appropriate for eliminating the effects of latent faults.
The CCFs to be considered in the design can be identified by either probabilistic or deterministic approaches. Even when the deterministic approach is preferred, the likelihood of the combination formed by the initiating event and the common cause failure may nevertheless be taken into account. Moreover, elimination of a CCF is usually not required as long as its consequences do not exceed those accepted for accidents caused by multiple failures. If they are exceeded, a decision should be made to implement complementary safety features that are unlikely to be subject to the same common cause failure.
These principles are generally applied to define the need for complementary safety features to cope with multiple failures in the safety systems.
6. APPLICATION OF THE DEFENCE IN DEPTH STRATEGY IN THE DESIGN OF I&C SYSTEMS
6.1. I&C Architecture
I&C functions necessary to operate the plant during normal operation, or to bring the reactor back to safe conditions in case of an accident, are allocated to and implemented in different I&C systems. As I&C systems are necessary for monitoring and operating the plant in all conditions, they shall be designed according to principles ensuring that the defence in depth concept is correctly reflected at the overall I&C architecture level and is not compromised by failures affecting a single system. According to the general roles allocated to the defence in depth levels, the I&C architecture should comply with the following structure:
• At level 1, I&C functions should aim to prevent deviations from normal operation by keeping the plant parameters within the specified range for normal operation,
• at level 2, I&C functions should aim to detect and control deviations from normal operational states in order to prevent anticipated operational occurrences from escalating to accident conditions,
• at level 3, I&C functions should aim to detect and control design basis accidents to prevent excessive core damage and evolution towards severe accidents,
• at level 4, I&C functions aim to manage the consequences of accidents that result from failure of the third level of defence so as to prevent progression of the accident or to mitigate the consequences of a severe accident by limiting the radioactive release, and
• at level 5, I&C functions aim to support and facilitate decisions with regard to the appropriate off-site emergency measures to be implemented to protect the public in the event of a significant release.
As multiple failures in one or several I&C systems could prevent protection actions from being initiated and accomplished, the quality of each level and appropriate independence and diversity between I&C systems are essential to achieve the overall reliability required by the defence in depth concept. However, as I&C systems do not all have the same safety significance, the reliability expectations allocated to each of them differ. Commonly:
• at level 1, I&C systems should be reliable enough to limit the number of Anticipated Operational Occurrences (AOOs) initiated by their malfunctioning. The target for the total AOO frequency commonly accepted by the Member States is less than one per reactor-year,
• level 2 includes both protection I&C systems designed to prevent anticipated operational occurrences from escalating to accident conditions, and I&C limitation systems designed to limit the number of challenges to the reactor trip. The probability of failure per demand of each of them should take into account the magnitude of the consequences of their failure (e.g. if the consequences exceed the criteria established for design basis accidents, the frequency of occurrence of the sequence should be in the range defined for the design extension category),
• at level 3, I&C systems should be reliable enough that the conditional probability of a transient or accident occurring without response of the I&C functions is low enough not to challenge level 4 I&C functions more often than expected. An order of magnitude for the probability of failure per demand of less than 10^-4 is widely shared by Member States,
• I&C systems at level 4 aim to control the consequences of a core melt accident. The I&C system should have the appropriate reliability to implement its intended functions with confidence, taking into account the low probability of a core melt accident.
Level 4 should also include a complementary I&C system to overcome situations caused by the non-response of the reactor protection system (level 3) when challenged. As the simultaneous failure of these two I&C systems is generally ruled out, vulnerabilities to CCF between them should be eliminated, and the reliability of each of them should be such that this hypothesis holds.
The individual reliability target of I&C system is typically achieved by making appropriate use of:
• Redundancy: redundancy is commonly used in I&C systems to achieve system reliability and availability goals (tolerance to a failure or prevention of spurious actuation), or conformity with the single failure criterion. To be fully effective, independence and/or physical separation of the redundant channels may be necessary.
• Independence: independence is intended to prevent the propagation of failures between redundant channels or from system to system.
• Physical separation: physical separation is intended to prevent common cause failures due to internal hazards.
• Environmental qualification: environmental qualification is intended to protect from global effects of hazards (e.g., environmental conditions, earthquake, electromagnetic interferences).
• Fail safe design: the principle of fail-safe design should be considered and incorporated into the design of the reactor protection system.
• Diversity: diversity is intended to prevent common cause failures due to design, manufacturing, maintenance or other human intervention.
• Testability: I&C systems important to safety shall be designed to permit periodic testing to provide clear evidence of system availability and performance.
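The list above states that redundancy addresses independent failures while diversity addresses common cause failures, and the level 3 target of a probability of failure per demand (PFD) below 10^-4 gives a yardstick. The following added example (not from the original paper, and not a method the paper prescribes) makes that distinction quantitative with the classical beta-factor CCF model: a fraction beta of each channel's failure probability is assumed to be common cause and to fail all redundant channels together, so like-for-like redundancy can never push the PFD below beta times the per-channel failure probability, whereas a diverse backup system that shares no CCF with the primary multiplies the two PFDs. All numerical values (per-channel PFD of 5e-3, beta of 0.05, backup PFD of 1e-2) are constructed for illustration.

```python
# Added example (not from the original paper): beta-factor common cause failure
# (CCF) model for a redundant I&C protection function, with and without a
# diverse, independent backup system. The beta-factor model and every parameter
# value below are assumptions of this example, not figures from the paper.
from math import comb


def vote_failure(n: int, k: int, p: float) -> float:
    """PFD of a k-out-of-n voter whose n channels fail independently with
    probability p each: the voter fails when fewer than k channels survive."""
    return sum(comb(n, j) * (1.0 - p) ** j * p ** (n - j) for j in range(k))


def redundant_pfd(n: int, k: int, p_channel: float, beta: float) -> float:
    """Beta-factor model: a fraction beta of each channel's failure probability
    is common cause and fails every redundant channel at once; the remaining
    (1 - beta) fails channels independently. Redundancy only reduces the
    independent part, so beta * p_channel is a floor for the system PFD."""
    p_ccf = beta * p_channel
    p_ind = (1.0 - beta) * p_channel
    return p_ccf + (1.0 - p_ccf) * vote_failure(n, k, p_ind)


def with_diverse_backup(pfd_primary: float, pfd_backup: float) -> float:
    """A diverse system assumed to share no CCF with the primary: the
    protection function is lost only if both fail on the same demand."""
    return pfd_primary * pfd_backup


def assess(p_channel: float = 5e-3, beta: float = 0.05,
           pfd_backup: float = 1e-2, target: float = 1e-4) -> dict:
    """Compare three architectures of a 2-out-of-3 voted protection function
    against a level-3 PFD target (10^-4 in the text)."""
    independent_only = redundant_pfd(3, 2, p_channel, 0.0)   # CCF ignored
    with_ccf = redundant_pfd(3, 2, p_channel, beta)          # CCF postulated
    plus_diverse = with_diverse_backup(with_ccf, pfd_backup) # diverse backup
    return {
        "2oo3_independent_only": independent_only,
        "2oo3_with_ccf": with_ccf,
        "ccf_floor": beta * p_channel,
        "2oo3_plus_diverse_backup": plus_diverse,
        "meets_target": {
            "2oo3_independent_only": independent_only < target,
            "2oo3_with_ccf": with_ccf < target,
            "2oo3_plus_diverse_backup": plus_diverse < target,
        },
    }


if __name__ == "__main__":
    for name, value in assess().items():
        print(f"{name}: {value}")
```

With the constructed values, the 2-out-of-3 set meets the 10^-4 target only if CCF is ignored; once a 5% common cause fraction is postulated the system PFD is dominated by the CCF floor (2.5e-4) and misses the target regardless of how many like channels are added, while the diverse backup brings the combined PFD to a few times 10^-6. This is the arithmetic behind the statement in 6.2 that postulating a deterministic CCF leads to an independent and diverse I&C system rather than to more redundancy.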
Adequate and proven codes or standards should be used for the design of I&C systems to give confidence that they will be designed, commissioned, maintained and tested according to their safety significance.
6.2. Common cause failure (CCF), independence and diversity
The principles described in Section 5 also apply to I&C systems. Taking into account the number of possible origins of a latent fault², and irrespective of all preventive measures, demonstrating that an I&C system is free of errors is very difficult and may always be disputed. Therefore, postulating a deterministic common cause failure is becoming the best practice. As a consequence, for new builds, the I&C functions necessary to cope with a non-response of the Reactor Protection System implemented at level 3 are expected to be implemented in an independent and diverse I&C system. This diverse I&C system should be of sufficient quality to accomplish its intended safety functions.
The methodologies and rules used for assessing the consequences of multiple failures, and those used to demonstrate the effectiveness of the diverse I&C system, may be less conservative than those usually used for design basis accident analyses. Here again, the Secretariat recognizes that there is a need to harmonize the approach to defining what that less conservative approach could be.
Finally, how far independence and diversity should be implemented should be assessed by performing a defence in depth and diversity analysis of the overall I&C architecture, to verify that independence and diversity have been adequately implemented in the consecutive levels of defence. Particular attention should be paid to verifying the elimination of CCF vulnerabilities that could result in a core melt accident, and the effective independence of the I&C necessary to mitigate the consequences of a core melt accident.
² Errors in the design/manufacturing process, inadequate specification, software errors and data transfer errors, etc.
**European Commission - Joint Research Centre, Institute for Energy and Transport
***European Commission - Joint Research Centre Headquarters, Brussels
Abstract
The design of the safety architecture of innovative nuclear systems, as well as the assessment of existing ones, needs to integrate the constraints related to the safety principles, requirements and objectives. Among these constraints, the compliance of the installation's architecture with the principles of Defence in Depth (DiD), and its different levels, is certainly one of the most structuring. Defence in depth is the key to achieving safety robustness, thereby helping to ensure that nuclear systems do not exhibit any particularly dominant risk vulnerability. To help designers of innovative systems to correctly implement defence in depth, or to assess how well it has been applied to existing reactor systems, the Objective-Provision Tree (OPT) methodology, which is part of the Integrated Safety Assessment Methodology (ISAM) promoted by the Generation IV Risk and Safety Working Group (GIF/RSWG), is suggested as a useful tool to complement the required traditional deterministic and probabilistic safety assessments. The document recalls the content of the OPT method and gives some details for its implementation, including for the systematic identification of the initiating events to be considered in designing the system. This step is essential especially for new systems for which there is not sufficient operational experience to support their design. The interactions with other tools (e.g. Failure Mode and Effect Analyses (FMEA) or other ISAM tools) are also discussed.
1. INTRODUCTION
The design of the safety architecture of innovative nuclear systems, as well as the assessment of existing ones, needs to integrate the constraints related to the safety principles, requirements and objectives. Among these constraints, the compliance of the installation's architecture with the principles of Defence in Depth (DiD), and its different levels, is certainly one of the most structuring.
The safety architecture is defined as the set of provisions, and their articulation, in place to:
• Ensure completion of the tasks allocated to the process in satisfactory safety conditions, i.e. maintaining the parameters representative of the facility's safety within the allowable ranges for the operational criteria (e.g. maximum fuel and coolant pressure and temperature).
• Prevent, as far as feasible, initiators of accidents.
• Detect and control deviations from normal operation.
• In case of abnormal conditions, prevent the degradation of the plant, i.e. prevent exceeding the permissible range for the operational and safety criteria¹, while keeping and/or restoring the facility in a safe condition.
• In case of accident conditions with plant degradation, mitigate the consequences.
In practice, achieving and maintaining a safe condition requires simultaneously satisfying a set of safety functions (SF, cf. §3.2).
¹ The criteria are usually related to categories of situations (i.e. design basis conditions, design extension conditions; cf. the notion of allowable risk space, Farmer curve) rather than to levels of DiD. That said, for the design of provisions implemented within the different levels of defence in depth it is essential to have criteria to be met. The latter, which are expressed both in physical terms and in terms of reliability, shall be connected directly to the allowable ranges of parameters for the different categories of situations.
To help designers of innovative systems to correctly implement defence in depth, or to assess how well it has been applied to existing reactor systems, the Objective-Provision Tree (OPT) methodology, which is part of the ISAM method promoted by the GIF/RSWG, is suggested as a useful tool to complement the required traditional deterministic and probabilistic safety assessments.
2. OBJECTIVE PROVISION TREE: OBJECTIVES AND SCOPE