Credible failure mode

The above criteria are used to accept/reject failure mode hypotheses. The result of this selection process is a list of credible failure modes that is passed to the subsequent step, the failure mode injection campaign. 

Failure mode describes how the component can fail. All credible failure modes and their causes should be listed. Since a failure mode may have more than one cause, all probable independent causes for each failure mode should be identified and described. Three failure mode causes are shown in the sample worksheet. Some engineers will create a separate failure cause column tied to each failure mode so that causes are more easily tracked. Here, the two are combined for ease of understanding. Typical failure modes (conditions) that should be considered are... 

A credible failure mode is a failure mode resulting from the failure of either a single component, or the combination of multiple components, which has a reasonable probability of occurring during the systems life cycle. A credible failure mode is an identified potential failure that is reasonable and realistic based on the best information available. System safety should consider all credible failure modes when conducting an HA to identify system hazards. 

FMEA is an analysis tool for evaluating the effect(s) of potential failure modes of subsystems, assemblies, components, or functions. It is primarily a reliability tool to identify credible failure modes that would adversely affect overall system reliability. FMEA has the capability to include failure rates for each failure mode, in order to achieve a quantitative analysis. Additionally, the FMEA can be extended to evaluate failure modes that may result in an undesired system state, such as a system hazard, and thereby also be used for HA. 

FMEA is used to assist analysts to perform hazard analyses and it is regarded as a supplement rather than a replacement for hazard analyses. Safety analysts can use FMEA to verify that all safety critical hardware has been addressed in the hazard analyses. The FMEA for hardware systems is an important technique for evaluating the design and documenting the review process. All credible failure modes and their resultant effects at the component and system levels are identified and documented. Items that meet defined criteria are identified as critical items and are placed on the Critical Item List (CEL). Each entry of the CIL is then evaluated to see if design changes can be implemented so that the item can be deleted from the CIL. Items that cannot be deleted from the CIL must be accepted by the programme/project, based on the rationale for acceptance of the risk. The analysis follows a well-deflned sequence of steps that encompass (1) failure mode, (2) failure effects, (3) causes, (4) detectability, (S) corrective or preventive actions, and (6) rationale for acceptance. 

Technology advances in electronics such as process control instrumentation systems, computer capabilities, programmable logic controllers, and the use of independent PC s (personal computers) at field locations for special dedicated functions present new challenges to incident investigation. Some of the advances are so rapid that the team may not have the internal expertise to determine failure scenarios, sequences, and modes. The suppliers and manufacturers of these high-tech devices are sometimes the only source of credible information on failure modes of these devices. 

Reliance on outside expertise may be the most feasible option for some of these issues. The incident investigation team may act as facilitators and advisors in a similar mode to a PHA (process hazard analysis) study. The outside expert would supply the failure mode information on which possible failures are credible. 

The above criteria form a sort of a checklist to be followed while formulating the failure hypotheses for a component. The criteria C1-C4 protect against omissions but cannot be solely used as a tool to identify valid failure hypotheses. Application of C1-C4 can force us to consider a large number of possible failure modes, disregarding their credibility. To provide for a more focused set of failure modes we apply additional criteria that provide for early rejection of incredible failure modes. Those that withstand this selection are passed to the subsequent analysis step. 

The choice between the above interpretations depends on the judgment of the analysts/designer and is beyond the OF-FMEA method. The criteria used to support such decision include availability of the resources for redesign, availability of candidate components to replace a given one, and the assessment of the credibility of the considered failure mode. 

It is required that the structural integrity and the safe shutdown functions of the neutron control assemblies are maintained for the OBE and SSE events. At the OBE level, the neutron control assemblies must be able to perform their safety function. Additionally, the ability to perform their power generation function during and after the earthquake should also be oiaintained. Their operation must be unaffected by any credible misalignment of the core control channels due to core deflections as a result of the seismic disturbance. A maximum misalignment of 7.6 cm (3 in) is allowed. At the SSE level, the neutron control assemblies must retain their safety function during and after the earthquake. The failure modes which could cause the seismic requirements not to be satisfied are identified as follows ... 

It is important to understand that this is not a model of all possible system failures or all possible causes, but rather, a model of particular system failure modes and their constituent faults that lead to the top event. Not all system or component failures are listed, only the ones leading to the top event. Like the other safety analysis techniques discussed previously, only credible faults are assessed. The faults can be events associated with component hardware failures, software glitches, human errors, and environmental conditions—in short, any of the elements that make up the complete system. 

For each failure mode, assess the failure s effects. Usually, engineers assess the worst credible case with consequence severity and probability of occurrence, if possible. 

Failure modes/faults - initiating events in terms of radioactive safety are modelled as credible (foreseeable) faults during normal operating processes for both at power and shutdown phases ... 

A fault tree (FT) covers a particular Mlure mode given by the top event. Consequently, it does not cover the total feilure space of the system. It includes those fiiults which contribute to a given failure mode. Usually, only those contributing faults which are most credible according to the analyst s assessment are included. The basic semantic notion of FT is that of event. The following classification of events is applied. 

These functions are the basis for the Functional Hazard Assessment (FHA), for the identification of possible hazards. In workshops with experts - to combine technical, domain and safety know-how - various techniques are applied. This includes brainstorming, use of historical data and functional failure modes and effects analysis to identrfy possible failure modes, their operational effects and the respective severity of the worst credible outcome. Based on the safety-relevant failure modes, potential hazards are determined and respective risks are allocated according to the risk matrix. The FHA leads to derivation of top level hazards. 

There are other ways to describe safety. The simplest approach would be to use a scale for scoring the safety of a failure mode. While this may be easy for safety aggregation to produce an average indicator about system safety, it could not capture uncertainty inherent in safety assessment and thereby the credibility of such assessment may become questionable. Unfortunately, several well known multiple criteria decision analysis methods, which could be used for safety synthesis, can only be implemented using certain types of scores. This will be discussed in detail in the next section. 

Each identified hazard is allocated severity classification according to the defined safety criteria. Accident severity categories are defined to provide a qualitative measure of the consequences resulting from personnel error, environmental conditions, design inadequacies, procedural deficiencies or system, sub-system or component failures. The severity is the worst credible consequence of a hazard (i.e. the worst accident) and is independent of random or systemic failure modes. 

Review of planned operation of process, especially the possibility of upsets, modes of failure, unexpec ted delays, redundancy of equipment and instrumentation, critical instruments and controls, and worst-credible-case scenarios... 

Robustness. (Arguments and evidence should be available which show that all credible modes of failure have been covered, including software failures, interface failures, power-loss and restoration, failures of linked equipment, and breaks in communication links.),... 

In the Seventies huge efforts have been made to provide the nuclear and chemical engineers with a credible set of data on pressure vessels failure frequencies and modes. In an article by Bush (1988), the historical studies, conducted in previous decades at three major industrial countries, USA, UK and Germany, are reviewed and compared in a critical way. In the review eight national studies on pressure vessels are reported in detail. In each study, 10.000 to 100.000 pieces of equipment were observed for ten years and more. Those studies consider, as a whole, 3 million years-vessel (both fired and unfired) with some 8.600 minor faults and 155 major events. In following decades the world of pressure equipment changed dramatically, because the new steels alloys introduced in the years, the new certification rules introduced by the PED Directive in 1998, the new design and production techniques, the new inspection and maintenance... 

---