ADVANCED SEMINAR ON COMMON CAUSE FAILURE ANALYSIS IN PROBABILISTIC ~AFETY ASSESSMENT o~~ooro- -COUR9~9 ON RELIABll..ITY AND RISK ANALYSIS A series devoted to the publication of courses and educational seminars given at the Joint Research Centre, Ispra Establishment, as part of its education and training program. Published for the Commission of the European Communities, Directorate-General Telecommunications, Information Industries and Innovation, Scientific and Technical Communications Service. The publisher will accept continuation orders for this series which may be cancelled at any time and which provide for automatic billing and shipping of each title in the series upon publication. Please write for details. ADVANCED SEMINAR ON COMMON CAUSE FAILURE ANALYSIS IN PROBABILISTIC SAFETY ASSESSMENT Proceedings of the ISPRA Course held at the Joint Research Centre, Ispra, Italy, 16-19 November 1987 Edited by ANIELLO AMENDOLA Commission o/the European Communities, Joint Research Centre, Ispra Establishment, Ispra, Italy SPRINGER-SCIENCE+BUSINESS MEDIA, B.V. Library of Congress Cataloging in Publication Data Advanced Sefi 1nar on Co.aon Cause F=a 11 ure Ana 1y s 1 s 1n Probab 11 15t 1 t S.fety Assessoent (1987 Iopra. Italy) Advanced Sel1nar an COliilon Causl! Fa l1ure Ana 1 ys 1s 1n Probab 111 5t le Safety Assess,.ent : proceedlngs of the ISPRA tourse held It the Joint Researeh Centre. Iopra. It.ly. 16-19 Nov •• ber 1987 I edtted by Anlel10 Alendola. p. CI. -- (ISPRA taurses on rel1ab111ty and rlsk analys1s) Bibliography, p. Includes index. ISBN 978-90-481-4045-9 ISBN 978-94-017-0629-2 (eBook) DOI 10.1007/978-94-017-0629-2 1. Systelll fallures (Englneerlng)--Congresses. 2. Rel1abtllty (Eng 1n aer lng )--Congresses. 3. PrObab 111t lBs--Congresses. 1. Araendola. Anlello. 1939- II. CO"III1ss1on of the European Coml1lun 1t ies. .Jo 1n t Researcr. Centre. Ispra Estab 1, shlllent. III. Tltle. IV. Ser1es. TA169.5.A34 1987 620· .00452--de20 89-8000 ISBN 978-90-481-4045-9 Commission of the European Communities _ 'oinl R=oh C",.e "",. (V""e), II.!y Publication arrangements by Commission of the European Communities, Directorate-General Telecommunications, Information Industries and Innovation, Scientific and Teclmical Communications Service, Luxembourg EUR 11760 © 1989 Springer Science+Business Media Dordrecht Originally published by Kluwer Academic Publishers in 1989 All Rights Reserved No part of the material protected by this copyright notice may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying, recording or by any information storage and retrieval system, without written permis sion from the copyright owner. TABLE OF CONTENTS Foreword vii Introduction (A. Amendola) Treatment of Common Cause Failures. The Nordic Perspective / (S. Hirschberg) 9 Classification of Multiple Related Failures (A. Amendola) 31 Design Defences against Multiple Related Failures (P. Humphreys) 47 Design-Related Defensive Measures against Dependent Failures - ABB ATOM's Approach (S. Hirschberg and L. I. Tiren) 71 Design Defences against Common Cause/Multiple Related Failure (P. Doerre and R. Schilling) 101 Measures Taken at Design Level to Counter Common Cause Failures. A Few Comments Concerning the Approach of EDF (T. Meslin) 107 Analysis Procedures for Identification of MRF's (P. Humphreys) 113 Dependent Failure Modelling by Fault Tree Technique (S. Contini) 131 Treatment of Multiple Related Failures by MARKOV Method (J. Cantarella) 145 Parametric Models for Common Cause Failures Analysis (K. N. Fleming) 159 Estimation of Parameters of Common Cause Failure Models (A. Mosleh) 175 Pitfalls in Common Cause Failure Data Evaluation (P. Doerre) 205 Experience and Results of the CCF-RBE (A. Poucet) 221 Analysis of CCF-DATA-Identification. The Experience from the Nordic Benchmark (K. E. Petersen) 235 Some Comments on CCF-Quantification. The Experience from the Nordic Benchmark (K. Porn) 243 Analysis of Common Cause Failures Based on Operating Experience: Possible Approaches and Results (T. Meslin) 257 Multiple Related Failures from the Nordic Operating Experience (K. U. Pulkkinen) 277 The Use of Abnormal Event Data from Nucleat Power Reactors for Dependent Failure Analysis (H. W. Kalfsbeek) 289 MRF's from the Analysis of Component Data (P. Humphreys, A. M. Games, N. J. Holloway) 303 Index 343 -vi- FOREWORD There is today a wide range of pubLications avaiLabLe on the theory of reLiabiLity and the technique of ProbabiListic Safety AnaLysis (PSA). To pLace this work properLy in this context, we must recaLL a basic concept underLying both theory and technique, that of redundancy. ReLiabiLity is something which can be designed into a system, by the introduction of redundancy at appropriate points. John Von Neumann's historic paper of 1952 'ProbabiListic Logics and the Synthesis of ReLiabLe Organisms from UnreLiabLe Components" has served as inspiration for aLL subsequent work on systems reLiabiLity. This paper sings the praises of redundancy as a means of designing reLiabiLity into systems, or, to use Von Neumann's words, of minimising error. Redundancy, then, is a fundamentaL characteristic which a designer seeks to buiLd in by using appropriate structuraL characteristics of the 'modeL" or representation which he uses for his work. But any modeL is estabLished through a process of de Limination and decomposition. FirstLy, a "Universe of Discourse" is delineated; its component eLements are then separated out; and moreover in a probabiListic framework for each eLement each possibLe state is defined and assigned an appropriate possibiLity measure caLLed probability. This process of deLimitation and decomposition is at the root of many probLems of modern technoLogy - divergence between the modeL and reaLity, disagreements among experts, and the consequent reLuctance on the part of the pubLic to trust the experts. But the fact is that some such process is necessary; it is the essence of modern scientific method, and as such is the basis of our modern industriaL civi Lization. In my opinion, the reLuctance among poLitico-technicaL circLes to accept and understand the vaLue of ProbabiListic Safety AnaLysis stems from the fact that a PSA has to carry this method of deLimitation and decomposition to the extreme. But we must remember that nonetheLess the PSA methodoLogy succeeds in capturing and modeLLing a Larger and more consistent segment of reaLity than any previous method of safety anaLysis. -vii- In the cases we are considering, this analysis can throw up fictitious redundancies, redundancies which appear in the model but are not reflected in reality. The solution to the problem of Common Cause Failure, Common Mode Failures, of dependencies, is in essence to avoid creating fictitious redundancies in a model, or at least to eliminate them in subsequent elaboration of the model. I must emphasise that this problem lies upstream of any mathematical manipulation of the model; it is a problem of representation of reality. Any solutions will therefore be closely linked to the reality being modelled and the type of model chosen. The importance of this book lies in its overall approach to this problem. It starts from the well-known decomposition methodology, based on familiar Boolean two value logic, of fault tree analysis. It then goes on to demonstrate, by the use of many concrete examples, how this process can be guided, refined, and corrected by successive approximations, in order to arrive at a model which is both technically correct and practically useful. This work is full of practical guidance and useful heuristics indeed, it turns out that many so-called rules should be seen as useful heuristics! These offer considerable help in the specific tasks faced by the analyst trying to model a complex system. The book also represents an important, if not unique, synthesis of experience and collection of field data. Altogether, we have here an extremely useful review of the '~tate of the art" for anyone involved in the technical work of establishing a PSA, as well as a cultural achievement which will appeal to those interested in evaluating the methodology of probabilistic representation of complex systems. Dr. Giuseppe Volta Commission of the European Communities Joint Research Centre - Ispra Site Director of the Institute for Systems Engineering -~- INTRODUCTION A. Amendola CEC-JRC Institute for Systems Engineering Systems Engineering and Reliability Division 21020 Ispra (Va) - Italy For reliability assessments, complex systems are normally decomposed into the number of their constituting items. These do not coincide with the "hardware" components only. Indeed, a physical system necessarily interacts with human operators according to control, emergency, repair and maintenance procedures, technical specifications, etc. So that such "software" elements and human operators are further constituents of the system. At a higher system level, even other factors such as the conceptual design or the overall organizational management of the macrosystem, of which the physical system is a part, can be considered as further generalized components interacting with the physical system. After the necessary decomposition a major problem for correct modelling and assessment is the reconstruction of the actual dependency structures among the items after having identified them and made them explicit: this is the only way of achieving a model as close as possible to the real system. The assumption of "independence" of the items and that of purely random failure processes are very helpful because of the easy probabilistic calculations they make possible, but, of course, they are very far from reality. Even when, by a well structured analysis procedure, functional links among the different items have been identified, dependency structures provoked by less perceivable "software" elements, or by events occurring outside the physical boundary of the operating systems (for instance events which occurred during the conceptual design or the manufacturing) can become dramatically evident at a certain time of system operation and only under particular demands. The unavoidable existence of more or less hidden dependency structures is the limiting factor which impedes a system to achieve unlimited reliability. The assignment of probabilities for failures provoked by dependencies, which can only be hypothesized from statistical evidence on systems different from those under investigation, is the crucial problem of any risk assessment project. The awareness of this problem, the need to implement adequate defences in a system against the occurrence of common cause failures A.Amendola (ed.), Advanced Seminar on Common Cause Failure Analysis in Probabilistic Safety Assessment, 1-7. © 1989 ECSC, EEC, EAEC, Brussels and Luxembourg. (as such dependency structures are being usually labelled) have encouraged several proposals for analysis procedures and mathematical models as well as significant international collaborative projects. Already in November 1975 a Task Force on Problems of Rare Events in the Reliability Analysis of Nuclear Power Plants has been set up on the basis of a recommendation of CSNI (the Committee on the Safety of Nuclear Installations of the Nuclear Energy Agency of the OECD). A subsequent CSNI Research Group placed emphasis on protective systems for nuclear reactors and elaborated a classification system (1) for common mode failures (terminology problems are discussed elsewhere in the book (2» especially directed towards defences against CCFs. Further insights from the CSNI project and from UKAEA-SRS researchers in the field came from the Watson Review in 1981 (3). In the meantime a number of probabilistic models were proposed: Fleming's model based on the ratio of CCF to total failure rate (4), the shock model by Apostolakis (5), the common load by Mankamo (6), the multivariate model by Vesely (7) and the binomial failure rate model by Atwood (8), which were followed by other models described elsewhere in the book. Together with these statistical parameter models to predict CCF rates, several procedures have been proposed to identify CCF events and to include them into the system logical diagrams (see a non exhaustive but relevant literature list at Refs.(9-l9». Also some data on Diesel generators (20) and pumps (21) have been estimated and published since then. Despite this significant theoretical effort, after the Wash 1400, that used a boundary model for including CCFs, the CCF problem was for many years either ignored in practice (the first NPP PSAs did not include CCFs) or poorly approached. This was indeed evidenced in Europe by the first Systems Reliability Benchmark Exercise (S-RBE) (22) and in the USA by the identified need to agree on a consistent classification system (23) as a basis for establishing an adequate data base of CCF occurrences. Furthermore, problems connected with sound statistical estimation procedures were identified and originated discussions which continued even in recent papers (24-29). The S-RBE project was aimed at assessing the complete procedure of a reliability evaluation of a complex system by starting from the basic documentation and familiarization with the reference system. This was the EDF Auxiliary Feedwater System of the Paluel Unit. It was constituted by two redundant trains, each one again with a double and diverse redundancy (motor-driven and turbo-driven pumps). Therefore, it presented interesting challenges to the expert teams involved in a CCF analysis. Participation in the exercise included representatives of major partners involved in NPP safety assessment in Europe, i.e. authorities, vendors, utilities and research institutes from EEC member countries and Sweden. S-RBE included both a structured qualitative analysis and reliability modelling and evaluation; furthermore, it was subdivided into several phases in order to separate the effects of the different contributors upon the overall spread of the results. During all -2-