U.S. Department of Energy, Office of Scientific and Technical Information (OSTI.GOV)

Title: Graded approach for assessing digital system failure susceptibilities - 305

Resource type: Conference
OSTI ID: 23035407
Authors: [1]; [2]
  1. Electric Power Research Institute, 3420 Hillview Ave., Palo Alto, CA 94304 (United States)
  2. Applied Reliability Engineering, Inc., 3428 Balboa St., San Francisco, CA 94121 (United States)

Owner/operators of nuclear plants must be able to identify and assess susceptibilities to digital system failures and unintended behaviors that could lead to plant system malfunctions, including common-cause failures (CCFs) of multiple controlled components that may impact overall plant safety. Nuclear plant designers and regulators often assess and manage potential failure modes by assuming the failure occurs and showing by analysis that the results are acceptable. In 2016 EPRI published a guideline on Methods for Assuring Safety and Dependability when Applying Digital Instrumentation and Control Systems (EPRI 3002005326), which takes a more holistic approach: it considers digital system failure modes from the perspective of their impact on plant risk and includes a graded approach based on safety significance. This paper describes that graded approach. The methodology in EPRI 3002005326 systematically identifies potential I and C vulnerabilities that could lead to significant malfunctions of controlled components and systems, including CCFs, and discusses in detail methods to protect against them. It considers both preventive measures that reduce the likelihood of failures, and plant systems and features that mitigate the effects of component failures and misbehaviors. Coping analysis is then performed as appropriate to provide additional assurance of protection. The safety-significance-based graded approach is an important feature in that it helps users focus attention on overall plant safety, including potentially risk-significant scenarios that might not be considered in traditional safety analyses. The purpose is to help the user ensure that I and C modifications that could potentially be safety significant are treated appropriately, while not wasting valuable resources on excessive protection against changes that have little or no impact on safety.
The graded approach allows the design engineer to tailor the rigor of the preventive, limiting, and mitigative measures commensurate with the effect the I and C modification has on overall plant safety. The graded approach focuses on safety significance impact, which is effectively a qualitative measure of the potential change in safety (or risk) caused by a proposed I and C modification, as compared to the I and C being replaced. Safety significance impact should not be confused with importance to safety or risk significance: an upgrade to safety-related and/or risk-significant I and C systems may have little or no safety significance impact, and vice versa. The approach considers three factors that influence the safety significance impact of a proposed I and C modification: context, likelihood of failure, and consequences of failure. The most significant of the three factors is context, meaning what the I and C is connected to, both directly and indirectly, including its potential effects on plant systems that respond to transients or accidents. The graded approach is particularly helpful in assessing potential CCFs resulting from digital I and C failures, and shows why the most problematic CCFs will be those that can affect multiple plant systems. (authors)

Research Organization:
American Nuclear Society - ANS, 555 North Kensington Avenue, La Grange Park, IL 60526 (United States)
Resource Relation:
Conference: NPIC and HIMIT 2017: 10th International Conference on Nuclear Plant Instrumentation, Control, and Human-Machine Interface Technologies, San Francisco, CA (United States), 11-15 Jun 2017; Other Information: Country of input: France; 4 refs.; available from American Nuclear Society - ANS, 555 North Kensington Avenue, La Grange Park, IL 60526 (United States)
Country of Publication:
United States
Language:
English