IEEE 379:2014 pdf free download – IEEE Standard for Application of the Single-Failure Criterion to Nuclear Power Generating Station Safety Systems

02-13-2022 comment

5.4 Design basis events
A design basis event that results in the need for safety functions may cause consequential failures of system components, modules, or channels. In order to provide protection from these failures, the safety equipment is designed, qualified and installed to provide protection from such anticipated challenges. An analysis shall be performed to determine the consequences of safety system failures resulting from design basis events. For a system to meet the single-failure criterion, it shall be shown that the required safety function can be performed in the presence of these event-caused failures, all identifiable nondetectable failures, and any other single failure.
5.5 Common-cause failures
The requirement for a safety system to function in the presence of common-cause failures (CCFs) is beyond the scope of the application of single-failure criterion and, therefore, this standard. However, it is important to screen out the potential CCFs when performing a single-failure analysis. As part of evaluating the overall reliability of safety systems, IEEE Std 352 extends the qualitative analysis beyond that which is done for failure modes and effects analysis (FMEA), or fault tree analysis, by considering CCFs. Therefore, an extended qualitative analysis described in IEEE Std 352 should be used to identify and screen out common-cause failure mechanisms not normally considered in an analysis of independent component failures.
Common-cause failures not subject to single-failure analysis include causative factors from external environmental effects (e.g., voltage, frequency, radiation, temperature, humidity, pressure, vibration, and electromagnetic interference). Also, equipment qualification and quality assurance programs are intended to afford protection from external environmental effects, design deficiencies, and manufacturing errors. Personnel training; proper control room design; and operating, maintenance, and surveillance procedures are intended to afford protection from maintenance and operator errors. Finally, for digital safety systems, vulnerabilities to CCFs are assessed via the diversity and defense-in-depth associated with the safety system. IEEE Std 352 includes these causative factors contributing to CCFs and the possible preventative measures used to screen out these potential CCFs. The screening process is shown in Figure 1. Other failures may be identified that do not have preventative measures. These failures should be treated as single failures and should be included in the single-failure analysis.
Digital safety system vulnerabilities to CCFs are assessed via the diversity and defense-in-depth associated with the safety system. Guidance on using diversity and defense-in-depth to address CCFs in digital computers is provided in IEEE Std 7-4.3.2.
6.3.2 Interconnections between redundant channels
Interconnections between redundant channels (through devices such as data loggers and test circuitry) are areas where independence could be lost. These interconnections shall be analyzed to assure that no single failure can cause the loss of a safety function. The means for isolating the redundant channels shall be analyzed for single failures that will lead to loss of a safety function.
6.3.3 System logic
The system logic is of particular importance in the single-failure analysis since it is here that redundant channels and redundant actuator circuits may be brought together. The analysis shall verify that no single failure in the system logic will cause failure in the channels or actuation circuits that would then cause loss of the safety function.
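The analyses required in 6.3.2 and 6.3.3 can be sketched as an enumeration of single failures over a system model. The following Python is an added illustration, not part of the standard: the four-channel, two-out-of-four architecture, the shared data logger, the isolators, the logic trains and all names are assumptions constructed for the example, and each component is given a single failure mode.

```python
CHANNELS = ("A", "B", "C", "D")  # constructed example: four redundant channels


def safety_function_ok(failed, isolated, trains):
    """True if a trip demand still actuates with the components in `failed` failed.

    Assumed model: 2-out-of-4 voting, one data logger wired to every channel,
    and any one surviving logic train is able to actuate.
    """
    dead = {c for c in CHANNELS if f"ch{c}" in failed}
    for c in CHANNELS:
        # A failed isolator takes down only the channel it belongs to.
        if isolated and f"iso{c}" in failed:
            dead.add(c)
        # Without isolators, a logger fault propagates into every channel.
        if not isolated and "logger" in failed:
            dead.add(c)
    votes = len(CHANNELS) - len(dead)
    live_trains = [t for t in trains if t not in failed]
    return votes >= 2 and bool(live_trains)


def single_failure_analysis(isolated, trains):
    """Return every component whose failure alone defeats the safety function."""
    components = [f"ch{c}" for c in CHANNELS] + ["logger"] + list(trains)
    if isolated:
        components += [f"iso{c}" for c in CHANNELS]
    return [c for c in components
            if not safety_function_ok({c}, isolated, trains)]


if __name__ == "__main__":
    designs = {
        "no isolation, one logic train": (False, ("logicX",)),
        "isolated, one logic train": (True, ("logicX",)),
        "isolated, two logic trains": (True, ("logicX", "logicY")),
    }
    for name, (isolated, trains) in designs.items():
        print(name, "->", single_failure_analysis(isolated, trains) or "none")
```

An empty result means no single modelled failure defeats the function; the model does not cover common-cause failures or the event-caused and nondetectable failures that 5.4 requires to be assumed alongside the single failure.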
6.3.4 Actuation devices
Those actuators designed to fail in a preferred mode upon loss of power shall be analyzed to assure that no single failure can cause a loss of a safety function. For example, failures that cause power to be maintained incorrectly on the actuator system terminals (or air pressure to be unintentionally maintained to the actuator) or cause mechanical binding preventing movement to the preferred position shall be analyzed.
Those actuators designed to apply power when protective action is required shall be analyzed to assure that no single open circuit, short circuit, or loss of power can cause loss of a safety function.
The complete actuator system, which can encompass pneumatic, mechanical, electrical, electronic, and hydraulic parts, shall be analyzed for failures that might affect the ability of the system to meet the single-failure criterion. Particular attention shall be directed to assuring that failures in mechanical portions of actuators do not cause electrical failures in redundant equipment, and that electrical failures do not cause mechanical failures in redundant equipment.
