IEEE Std 379: IEEE Standard for Application of the Single-Failure Criterion to Nuclear Power Generating Station Safety Systems
The safety systems shall perform all required safety functions for a design basis event in the presence of the following:
- Any single detectable failure within the safety systems, concurrent with all identifiable but nondetectable failures
- All failures caused by the single failure
- All failures and spurious system actions that cause, or are caused by, the design basis event requiring the safety function
The single failure could occur prior to, or at any time during, the design basis event for which the safety system is required to function.
5.1 Independence and redundancy
The principle of independence is basic to the effective utilization of the single-failure criterion. The design of a safety system shall be such that no single failure of a component will interfere with the proper operation of an independent redundant component or system.
5.2 Nondetectable failure
The detectability of failures is implicit in the application of the single-failure criterion. Detectability is a function of the system design and the specified tests. A failure that cannot be detected through periodic testing or revealed by an alarm or anomalous indication is nondetectable. An objective in an analysis of safety systems is to identify nondetectable failures. Nondetectable failures should be identified by performing an evaluation of the safety system design that includes postulated component-level failures and evaluating the effects of these failures, including the ability to detect them. Some designs include redundant components to mitigate the effects of a failure, to improve system availability, or to support maintenance without impacting system availability. When evaluating the effects of a failure in such a configuration, care shall be taken to identify components whose failure will not be revealed by periodic test, alarm, or anomalous indication.
When nondetectable failures are identified, one of the following courses of action shall be taken:
- Preferred course: The system or the test scheme shall be redesigned to make the failure detectable.
- Alternative course: When analyzing the effect of each single failure, all identified nondetectable failures shall be assumed to have occurred.
5.3 Cascaded failures
Whenever the design is such that additional failures could be expected from the occurrence of a single failure, these cascaded failures shall be included in the single-failure analysis.
5.4 Design basis events
A design basis event that results in the need for safety functions may cause consequential failures of system components, modules, or channels. In order to provide protection from these failures, the safety equipment is designed, qualified, and installed to provide protection from such anticipated challenges. An analysis shall be performed to determine the consequences of safety system failures resulting from design basis events. For a system to meet the single-failure criterion, it shall be shown that the required safety function can be performed in the presence of these event-caused failures, all identifiable nondetectable failures, and any other single failure.
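As an added illustration (not text or code from IEEE Std 379), the following Python model applies the rules of 5.2 through 5.4 to a constructed 2-out-of-4 trip logic whose channels share power supplies: identified nondetectable failures are assumed failed (alternative course), supply failures cascade into the channels they feed, and the design basis event disables one channel. The channel names, supply names, cascade map and failure assumptions are all constructed for this example.

```python
"""Single-failure analysis of a constructed 2-out-of-4 trip logic.
Rules applied: nondetectable failures assumed occurred (5.2, alternative
course), cascaded failures added (5.3), event-caused failures added (5.4)."""
from typing import Callable, Dict, Iterable, Set

CHANNELS = {"A", "B", "C", "D"}
# Constructed plant: one supply feeds channels A and B, another feeds C and D.
COMPONENTS = CHANNELS | {"PS_AB", "PS_CD"}
# 5.3: loss of a supply cascades into every channel it feeds.
CASCADE: Dict[str, Set[str]] = {"PS_AB": {"A", "B"}, "PS_CD": {"C", "D"}}


def trip_2oo4(failed: Set[str]) -> bool:
    """Safety function: the trip is performed if at least 2 channels survive."""
    return len(CHANNELS - failed) >= 2


def propagate(failed: Iterable[str], cascade: Dict[str, Set[str]]) -> Set[str]:
    """Transitive closure of cascaded failures (5.3)."""
    out, stack = set(failed), list(failed)
    while stack:
        for g in cascade.get(stack.pop(), ()):
            if g not in out:
                out.add(g)
                stack.append(g)
    return out


def single_failure_analysis(components: Set[str], nondetectable: Set[str],
                            event_caused: Set[str], cascade: Dict[str, Set[str]],
                            function_ok: Callable[[Set[str]], bool]) -> Dict[str, bool]:
    """Map each postulated single failure to whether the safety function is
    still performed, with the baseline (5.2 alternative course + 5.4) failed."""
    baseline = propagate(nondetectable | event_caused, cascade)
    return {c: function_ok(propagate(baseline | {c}, cascade))
            for c in sorted(components - baseline)}  # baseline items already failed


def meets_criterion(results: Dict[str, bool]) -> bool:
    """The criterion is met only if every single failure leaves the function intact."""
    return all(results.values())


if __name__ == "__main__":
    # Constructed: channel D has a failure no periodic test reveals, and the
    # design basis event (a pipe break) disables channel C's sensor.
    r = single_failure_analysis(COMPONENTS, {"D"}, {"C"}, CASCADE, trip_2oo4)
    print(r, meets_criterion(r))
```

Making channel D's failure detectable (the preferred course) still leaves the shared supply PS_AB as a failing single failure, which is the lack of independence 5.1 warns about.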
5.5 Common-cause failures
The requirement for a safety system to function in the presence of common-cause failures (CCFs) is beyond the scope of the application of the single-failure criterion and, therefore, of this standard. However, it is important to screen out potential CCFs when performing a single-failure analysis. As part of evaluating the overall reliability of safety systems, IEEE Std 352 extends the qualitative analysis beyond that which is done for failure modes and effects analysis (FMEA) or fault tree analysis by considering CCFs. Therefore, the extended qualitative analysis described in IEEE Std 352 should be used to identify and screen out common-cause failure mechanisms not normally considered in an analysis of independent component failures. Common-cause failures not subject to single-failure analysis include causative factors from external environmental effects (e.g., voltage, frequency, radiation, temperature, humidity, pressure, vibration, and electromagnetic interference). Also, equipment qualification and quality assurance programs are intended to afford protection from external environmental effects, design deficiencies, and manufacturing errors.
Personnel training; proper control room design; and operating, maintenance, and surveillance procedures are intended to afford protection from maintenance and operator errors. IEEE Std 352 includes these causative factors contributing to CCFs and the possible preventative measures used to screen out these potential CCFs. The screening process is shown in Figure 1. Other failures may be identified that do not have preventative measures. These failures should be treated as single failures and should be included in the single-failure analysis. Digital safety system vulnerabilities to CCFs are assessed via the diversity and defense-in-depth associated with the safety system. Guidance on using diversity and defense-in-depth to address CCFs in digital computers is provided in IEEE Std 7-4.3.2.