database and analysis system: event data collection,power industry. the ccf data effort consists of...

106
NUREG/CR-6268, Rev. 1 INL/EXT-07-12969 Common-Cause Failure Database and Analysis System: Event Data Collection, Classification, and Coding Idaho National Laboratory U.S. Nuclear Regulatory Commission Office of Nuclear Regulatory Research Washington, DC 20555-0001

Upload: others

Post on 11-Jun-2020

3 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

NUREG/CR-6268, Rev. 1INL/EXT-07-12969

Common-Cause FailureDatabase and AnalysisSystem: Event Data Collection,Classification, and Coding

Idaho National Laboratory

U.S. Nuclear Regulatory CommissionOffice of Nuclear Regulatory ResearchWashington, DC 20555-0001

Page 2: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

AVAILABILITY OF REFERENCE MATERIALSIN NRC PUBLICATIONS

NRC Reference Material

As of November 1999, you may electronically accessNUREG-series publications and other NRC records atNRC's Public Electronic Reading Room athttp://www.nrc..ov/readincq-rm.html. Publicly releasedrecords include, to name a few, NUREG-seriespublications; Federal Register notices; applicant,licensee, and vendor documents and correspondence;NRC correspondence and internal memoranda;bulletins and information notices; inspection andinvestigative reports; licensee event reports; andCommission papers and their attachments.

NRC publications in the NUREG series, NRCregulations, and Title 10, Energy, in the Code ofFederal Regulations may also be purchased from oneof these two sources.1. The Superintendent of Documents

U.S. Government Printing OfficeMail Stop SSOPWashington, DC 20402-0001Internet: bookstore.gpo.govTelephone: 202-512-1800Fax: 202-512-2250

2. The National Technical Information ServiceSpringfield, VA 22161-0002www.ntis.gov1-800-553-6847 or, locally, 703-605-6000

A single copy of each NRC draft report for comment isavailable free, to the extent of supply, upon writtenrequest as follows:Address: U.S. Nuclear Regulatory Commission

Office of AdministrationMail, Distribution and Messenger TeamWashington, DC 20555-0001

E-mail: [email protected]: 301-415-2289

Some publications in the NUREG series that areposted at NRC's Web site addresshttp:l/www.nrc.qov/readinq-rm/doc-collections/nureas

Non-NRC Reference Material

Documents available from public and special technicallibraries include all open literature items, such asbooks, journal articles, and transactions, FederalRegister notices, Federal and State legislation, andcongressional reports. Such documents as theses,dissertations, foreign reports and translations, andnon-NRC conference proceedings may be purchasedfrom their sponsoring organization.

Copies of industry codes and standards used in asubstantive manner in the NRC regulatory process aremaintained at-

The NRC Technical LibraryTwo White Flint North11545 Rockville PikeRockville, MD 20852-2738

These standards are available in the library forreference use by the public. Codes and standards areusually copyrighted and may be purchased from theoriginating organization or, if they are AmericanNational Standards, from-

American National Standards Institute11 West 42nd StreetNew York, NY 10036-8002www.ansi.org212-642-4900

Legally binding regulatory requirements are statedonly in laws; NRC regulations; licenses, includingtechnical specifications; or orders, not inNUREG-series publications. The views expressedin contractor-prepared publications in this series arenot necessarily those of the NRC.

The NUREG series comprises (1) technical andadministrative reports and books prepared by thestaff (NUREG-XXXX) or agency contractors(NUREG/CR-XXXX), (2) proceedings ofconferences (NUREG/CP-XXXX), (3) reportsresulting from international agreements(NUREG/IA-XXXX), (4) brochures(NUREG/BR-XXXX), and (5) compilations of legaldecisions and orders of the Commission and Atomicand Safety Licensing Boards and of Directors'decisions under Section 2.206 of NRC's regulations(NUREG-0750).

are updated periodically and may differ from the lastprinted version. Although references to material foundon a Web site bear the date the material was accessed,the material available on the date cited maysubsequently be removed from the site.

DISCLAIMER: This report was prepared as an account of work sponsored by an agency of the U.S. Government.Neither the U.S. Government nor any agency thereof, nor any employee, makes any warranty, expressed orimplied, or assumes any legal liability or responsibility for any third party's use, or the results of such use, of anyinformation, apparatus, product, or process disclosed in this publication, or represents that its use by such thirdparty would not infringe privately owned rights.

Page 3: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

NUREG/CR-6268, Rev. 1INL/EXT-07-12969

Common-Cause FailureDatabase and AnalysisSystem: Event Data Collection,Classification, and Coding

Manuscript Completed: August 2007Date Published: September 2007

Prepared byT.E. Wierman/INLD.M. Rasmuson/NRCA. Mosleh/Univ. of MD

Idaho National LaboratoryRisk and Reliability Assessment DepartmentP.O. Box 1625Idaho Falls, ID 83415-3850

Department of Materials and Nuclear EngineeringUniversity of MarylandCollege Park, MD 20742-2115

A.D. Salomon, NRC Project Manager

Prepared forDivision of Risk Assessment and Special ProjectsOffice of Nuclear Regulatory ResearchU.S. Nuclear Regulatory CommissionWashington, DC 20555-0001NRC Job Code Y6546

Page 4: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events
Page 5: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

ABSTRACT

This report on the Common-Cause Failure Database and Analysis Systempresents an overview of common-cause failure (CCF) analysis methods for use inthe U.S. commercial nuclear power industry. Idaho National Laboratory staffidentify equipment failures that contribute to CCF events through searches ofLicensee Event Reports, Nuclear Plant Reliability Data System failure reports,and Equipment Performance and Information Exchange failure reports. The staffthen enter the event information into a personal computer-based data analysissystem (CCF system). This report summarizes how data are gathered, evaluated,and coded into the CCF system, and describes the process for using the data toestimate probabilistic risk assessment common-cause failure parameters.

iii

Page 6: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events
Page 7: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

FOREWORD

This report presents guidance for collecting, classifying, and coding common-cause failure (CCF)events. It updates NUREG/CR-6268, "Common-Cause Failure Database and Analysis System," publishedin 1998. The U.S. Nuclear Regulatory Commission's (NRC's) Office of Nuclear Regulatory Research(RES) and the Idaho National Laboratory (INL) maintain a CCF database for the U.S. commeicial nuclearpower industry. The CCF data effort consists of CCF event identification, CCF event coding and CCFparameter estimation.

CCF events are component failures that satisfy four criteria: (1) two or more individualcomponents fail, are degraded (including failures during demand or in-service testing), or havedeficiencies that would result in component failures if a demand signal had been received;(2) components fail within a selected period of time such that success of the probabilistic risk assessment(PRA) mission would be uncertain; (3) components fail because of a single shared cause and couplingmechanism; and (4) components fail within the established component boundary.

The NRC draws from three data sources to select equipment failure reports for CCF eventidentification: (1) the Nuclear Plant Reliability Data System (NPRDS), which contains component failureinformation from 1980 through 1996; (2) the Equipment Performance and Information Exchange (EPIX)System, which contains component failure information since 1997; and (3) Licensee Event Reports(LERs). RES and INL data analysts review failure data to identify independent and CCF events.

The CCF data collection and analysis activity consists of CCF event identification, event coding,and loading the CCF events into a software system to estimate CCF parameters. The CCF eventidentification process includes reviewing failure data to identify independent and CCF events. The dataanalyst uses the guidance in this report to code the CCF events consistently and accurately. The dataanalysts then load the CCF events into the CCF database. The events are stored in a format that allowsPRA analysts to review the events and develop an understanding of how they occurred and to estimateCCF parameters and their uncertainties.

The CCF database not only stores the CCF event descriptions but also event counts andinformation associated with the events. It also automates the estimation of CCF parameters. NRC riskanalysts and senior reactor analysts use these CCF parameters estimates in Standardized Plant AnalysisRisk models, reliability studies, and other PRA regulatory activities. The NRC staff also use CCF insightsin inspection activities. The industry uses the CCF parameter estimates in their probabilistic safetyassessments.

Farouk Eltawila, DirectorDivision of Risk Assessment

and Special ApplicationsOffice of Nuclear Regulatory Research

V

Page 8: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events
Page 9: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

CONTENTS

A b stra c t ....................................................................................................................................................... iii

F o rew o rd ....................................................................................................................................................... v

Executive Summ ary .................................................................................................................................... xi

Abbreviations .............................................................................................................................................. xv

1. Introduction ............................................................................................................................................. 1

2. Definition of Comm on-Cause Failures .............................................................................................. 5

2.1 Intrinsic Dependency ............................ I ....... ................................................................................. 5

2.2 Extrinsic Dependency ................................................................................................ : .................... 6

3. CCF Event Classification ........................................................................................................................ 9

3.1 Failure Causes ................................................................................................................................ 9

3.2 Coupling Factors .......................................................................................................................... 113.2.1 Quality Based ...................................................................... ........... ............................. 113.2.2 Design Based .................................................................................................... .... 123.2.3 M aintenance Based ..................................................................................................... 123.2.4 Operation Based ................................... I ................................................. 133.2.5 Environm ent Based ..................................................................................................... 14

3.3 Defense M echanism s .............................................................. : ..................................................... 14

4. The CCF Data Analysis Process ....................................................................................................... 17

4.1 Identification of Analysis Boundaries ..................................................................................... 17

4..2 Data Collection ............................................................................................................................. 18

4.3 Event Analysis ............................................................................................................................ 18

4.4 Data Loading ................................................................................................................................ 19

4.5 Quality Assurance ................................ ........................................................................................ 19

5. Event Coding Guidance ........................................................................................................................ 21

5.1 CCF Event Coding ....................................................................................................................... 215.1.1 Event Nam e ..................................................................................................................... 215.1.2 Plant Nam e ...................................................................................................................... 215.1.3 Power Level ..................................................................................................................... 215.1.4 Event Title ....................................................................................................................... 215 .1 .5 S y stem ............................................................................................................................. 2 15.1.6 Proxim ate Cause .............................................................................................................. 21

vii

Page 10: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

5.1.7 Timing Factor .................................................................................................................. 245.1.8 Component ...................................................................................................................... 265.1.9 Sub-Component and Piece-Part ....................................................................................... 285.1.10 Shock Type ...................................................................................................................... 285.1.11 CCF Event Operational Status .................................................................................. 285.1.12 CCF Event Detection Operational Status ......... ......................................................... 285.1.13 Failure Mode ............................................................ 285.1.14 Coupling Factor ........................................................................................................... 285.1.15 Event Type ................................................................... I .................................................. 285.1.16 Failure M ode Applicability ....................................................................................... 365.1.17 Shared Cause Factor .......................................... I ....................... ...... 365.1.18 CCF Event Level ................................................ 375.1.19 Comm on-cause Component Group ............................................................................ 375.1.20 M ultiple Unit ............................................................................................ 385.1.21 Defense M echanism .................................... I ............................................................ 385.1.22 Safety Function: .............................................................................................................. 385.1.23 Component Degradation Values .................................................. ................................... 395.1.24 Use ..................................................................................................... ............ 395.1.25 Date ........................................................................................................... 395.1.26 Comm ents ...................................................................................... * ...... ............ 395.1.27 Narrative .......................................................................................................................... 405.1.28 Insights Description ................................................................................................... 40

5.2 Independent Failure Coding .................................................................................................... 405 .2 .1 S y stem ............................................................................................................................. 4 05.2.2 Component ...................................................................................................................... 405.2.3 Sub-Component and Piece-Part ................................................................................. 405.2.4 Failure M ode .................................................................................................................... 405.2.5 Safety Function ................................................................................................................ 405.2.6 Component Degradation Values ................................................................................. 405.2.7 Number of Failures ..................................................................................................... 405.2.8 Event Type ...................................................................................................................... 405.2.9 Detection M ethod .................................................... ; .................................................. 415.2.10 Comments .............................................................. 41

6. Event Coding Examples ........................................................................................................................ 43

6.1 Coding Example 1: BW R Safety-Relief Valve Corrosion Bonding ....................................... 44

6.2 Coding Example 2: Low-Suction Pressure Trips on AFW Pumps .......................................... 46

6.3 Coding Example 3: Loss of Power to Safety Injection Valves ................................................... 48

6.4 Coding Example 4: Excessive Packing Leaks .......................................................................... 50

6.5 Coding Example 5: Start Relay on Auxiliary Feedwater Pumps ............................................ 52

6.6 Coding Example 6: Aging/W ear ............................................................................................. 54

7. Quantitative Analysis Of Comm on-cause Failure Events .............................................................. 57

7.1 Event Impact Vector ..................................................................................................................... 57

7.2 Generic Impact Vector Assessment .............. ........................................................................... 597.2.1 Case 1: Events Involving Degraded Component States ...................... 59

viii

Page 11: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

7.2.2 Case 2: Events Involving Failures Distributed in Time ............................................ 597.2.3 Case 3: Events Involving Uncertainty about Shared Cause .................... 627.2.4 Cases Involving Degraded States, Time Delay, and Uncertain Shared Cause ........... 62

7.3 Specializing Impact Vectors for Plant Specific Analyses ....................................................... 627.3.1 Adjustment Based on Qualitative Differences ............................................................ 637.3.2 Adjustment for Quantitative Difference ..................................................................... 64

.7.4 Estimation of CCF Event Frequencies from Impact Vectors ............................................... 68

7.5 CCF Basic Event Equation Development ................................................................................ 707.5.1 Any-k-of-m Combinations ......................................................................................... 707.5.2 Specific Failure Criterion ................................................................................................ 717.5.3 One-Out-of-Two-Twice Logic .................................................................................. 717.5.4 CCF Basic Event Probability Equations ................................. 71

7.6 Treatment of Uncertainties ....................................................................................................... 71

8. CCF Parameter Estimation .................................................................................................................. 75

8 .1 D atabase S earch ............................................................................................................................ 76

8 .2 D ata A n aly sis ............................................................................................................................... 76

8.3 Estimation of CCF Parameters ................................................................................................ 77

9 . G lo ssary ................................. ....................................................... . ..................................................... 79

10 . R eferen ces ............................................................................................................................................. 8 3

FIGURES

Figure ES-1. CCF data analysis process ..................................................................................................... xii

Figure 1-1. CCF data analysis process .................................................................................................... 3

Figure 3-1. Proximate failure causes hierarchy ................................................ .. ............................ 10

Figure 3-2. Categories for coupling factors ................................................................................................. 11

Figure 7-1. Example of the assessment of impact vectors involving multiple interpretation of event ....... 58

Figure 7-2. Schematic representation of the role of shared cause factor and root cause strengthinformation of different classes of events ....................................................................................... 65

Figure 7-3. Example of a specific failure criterion ................................................................................ 72

Figure 7-4. Example of a one-out-of-two-twice logic failure criterion for a 2-out-of-4 system ............ 72

Figure 8-1. Parameter estimation example ............................................................................................. 78

ix

Page 12: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

TABLES

Table 3-1. Defense mechanisms ................................................................................ 15

Table 5-1. CCF system codes ...................................................................................................................... 22

Table 5-2. Proximate cause codes .............................................................................................................. 23

Table 5-3. Component codes ....................................................................................................................... 27

Table 5-4. Component group, sub-component, and piece-part listing ................................................... 29

Table 5-5. Operating mode codes ................................................................................................................ 34

Table 5-6. Detection codes ........................................................................................................................... 34

Table 5-7. Failure mode codes .................................................................................................................... 34

Table 5-8. Coupling factors .................................................... : .................................................................... 35

Table 5-9. CCF event types ......................................................................................................................... 35

Table 5-10. CCF event levels........................................................................................... 5 ............................ 37

Table 5-11. Defense codes .......................................................................................................................... 38

Table 5-12. Safety function codes ........................................................................................................ 38

Table 7-1. Impact vector assessment for various degrees of component degradations ................. ; ............. 60

Table 7-2. Suggested values for r, and r2 . . . . . . . . ... .. . . . .. . . .. . . .. . . .. . . . .. . . .. . . . .. . . 64

Table 7-3. Formulas for mapping down event impact vectors .............................. 67

Table 7-4. Formulas for upward mapping of events classified as non-lethal shocks ............................. 69

Table 7-5. Failure criteria and basic event equation table ..................................................................... 73

X

Page 13: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

EXECUTIVE SUMMARY

This report presents guidance for collecting, classifying, and coding common-cause failure (CCF)events. It updates NUREG/CR-6268, "Common-Cause Failure Database and Analysis System," publishedin 1998. The U.S. Nuclear Regulatory Commission's (NRC's) Office of Nuclear Regulatory Research(RES) and the Idaho National Laboratory (INL) maintain a CCF database for the U.S. commercial nuclearpower industry. The CCF data effort consists of CCF event identification, CCF event coding, and CCFparameter estimation.

A CCF event consists of component failures that meet four criteria: (1) two or more individualcomponents fail, are degraded (including failures during demand or in-service testing), or havedeficiencies that would result in component failures if a demand signal had been received, (2) componentsfail within a selected period of time such that success of the probabilistic risk assessment (PRA) missionwould be uncertain, (3) components fail because of a single shared cause and coupling mechanism, and(4) components fail within the established component boundary.

Three data sources are used to select equipment failure reports to be reviewed for CCF eventidentification: (1) the Nuclear Plant Reliability Data System (NPRDS), which contains component failureinformation from 1980 through 1996; (2) the Equipment Performance and Information Exchange (EPIX),which contains component failure information since 1997; and (3) LER Search, which contains LicenseeEvent Reports (LERs). All events that meet the above criteria are identified as CCF events and areincluded in the CCF database. The database contains CCFs beginning in 1980 and is continuouslyupdated to remain current.

The CCF material has been updated to include the coding guidance applicable to EPIX. It alsocontains corrections and changes that have been made to the data collection and coding process.Figure ES-1 shows the steps of the data analysis process. They are the following: collection of sourcedata, identification of CCF events, coding of CCF events, database quality assurance, data analysis, andparameter estimation.

The initial step in the process is to identify the boundaries of the analysis, including the plantsystems and components to be analyzed and operational event boundaries. The system and componentcombinations that have been selected for analysis are those addressed in PRA modeling for which CCFparameters are needed.

The next step is to perform searches for events using available data sources. The sources ofcomponent failure data most readily available to the NRC were the NPRDS failure reports, which havebeen replaced by EPIX failure reports, and LERs. For the first data searches, sophisticated algorithmswere developed to locate and pre-process event data from NPRDS and LERs to compile potential CCFevents. The current updates are of much smaller scope. Routine searches are performed that filter EPIXdata to obtain failure reports for components of interest to the CCF study. All LERs submitted bylicensees are reviewed for events applicable to the CCF program as well as other ongoing programs at theINL pertaining to plant performance indicators, system reliability studies, and initiating event studies.

Data analysts read the LER and EPIX report narratives of events to determine the system,component, failure mode, degree of degradation, and plant status. Event records that either have no failureor do not involve a component included in the CCF study are not considered. The LER events are thencompared to EPIX events to eliminate any duplication of events.

xi

Page 14: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

Figure ES-1. CCF data analysis process.

All of the data analysis takes place external to the CCF database so that unreviewed data are notreleased. The data-loading step adds qualified data to the CCF database. After the CCF events have beenreviewed, comments resolved, and duplicate events removed, the CCF and independent events are loadedinto the CCF database.

Once the independent event count and CCF event information have been entered into the CCFdatabase and quality assurance verification has been completed, the next step is the estimation of CCFparameters using the CCF software system. The parameter estimation software developed for this projectuses the impact vector method based on physical characteristics of the event. These characteristics includecomponent degradation parameter, timing factor, and shared cause factor. In addition, the software allowsthe user to modify the generic event impact factors. for plant-specific applications, including mapping theimpact vectors to account for differences in common-cause component group (CCCG) size between theplant in which the event occurred and the plant for which the data are being modified. Other softwarefeatures include parameter estimations for both Alpha Factor and Multiple Greek Letter models.

xii

Page 15: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

In May 1998, the NRC published NUREG/CR-5497, "Common-Cause Failure ParameterEstimations." In September 2003, the NRC started publishing the common-causeparameter estimationson the NRC web site. The parameter estimations file contains the same information, but is updated on ayearly basis. The web page containing the common-cause parameter estimations downloadable file ishttp://nrcoe.inel.gov/results/.

* Uncertainties exist in the development of a statistical database from CCF event reports. Theseuncertainties can be categorized as follows:

* Uncertainty because of lack of sufficient information in the event reports for unambiguous eventclassification and impact vector assessment

* Uncertainty in translating event characteristics to numerical parameters for impact vectorassessment

" Uncertainty in determining the applicability of an event to a specific plant design and operatingcharacteristics.

The guidelines provided in this report help to reduce the uncertainties by providing a reasonablelevel of accuracy and consistency and to reduce analyst-to-analyst variability.

xiii

Page 16: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events
Page 17: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

ABBREVIATIONS

AFW auxiliary feed water

BE basic eventBWR boiling water reactors

CCCG common-cause component groupCCF common-cause failureCCW component cooling waterCST condensate storage tank

EDG emergency diesel generatorEPIX Equipment Performance and Information Exchange

HPCI high-pressure coolant injection

INL Idaho National LaboratoryIPE individual plant examination

LER Licensee Event Report

MGL Multiple Greek Letter (model).MOV motor operated valve

NPRDS Nuclear Plant Reliability Data SystemNRC Nuclear Regulatory Commission

PRA probabilistic risk assessmentPWR pressurized water reactors

RCIC reactor core isolation coolingRES NRC's Office of Nuclear Regulatory ResearchRHR residual heat removalRPS reactor protection system

SRV safety relief valve

xv

Page 18: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events
Page 19: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

Common-Cause Failure Database and Analysis

System: Event Data Collection, Classification, andCoding

1. INTRODUCTION

A general conclusion from probabilistic riskassessments (PRAs) of commercial nuclearpower plants is that common-causefailuresa(CCFs) are significant contributors to theunavailability of safety systems. A CCF eventconsists of component failures that meet thefollowing four criteria: (1) two or moreindividual components fail, are degraded(including failures during demand or in-servicetesting), or have deficiencies that would result incomponent failures if a demand signal had beenreceived, (2) components fail within a selectedperiod of time such that success of theprobabilistic risk assessment (PRA) missionwould be uncertain, (3) components fail becauseof a single shared cause mechanism andcoupling mechanism, and (4) components failwithin the established component boundary.

Efforts in past years to improveunderstanding and modeling of CCF events haveproduced several models, procedures, computercodes, and databases. Some efforts havecollected limited amounts of data for use in CCFanalyses. Most of these efforts used operationalexperience data prior to 1984. Until recently,lack of CCF event data was a major problem,though significant progress was made with thepublication of "Classification and Analysis ofReactor Operating Experience InvolvingDependent Events," EPRI NP-3967 (Ref. 1).Two known deficiencies of EPRI NP-3967 arethe limited timeframe for the study and the lackof details regarding independent events. In theareas of data classification, analysis, and modelparameter estimation, the detailed procedures of"Procedures for Treating Common-cause

Failures in Safety and Reliability Studies,"NUREG/CR-4780, Volumes I and 2 (Ref. 2),and "Procedure for Analysis of Common-causeFailures in Probabilistic Safety Analysis,"NUREG/CR-5801 (Ref. 3), have been viewed astoo time consuming, despite wide acceptance ofthe basic approach.

In response to these deficiencies, the IdahoNational Laboratory (INL) staff and the U. S.Nuclear Regulatory Commission's (NRC's)Division of Risk Assessment and SpecialProjects have developed a CCF data collectionand analysis system that includes a method foridentifying CCF events, coding and classifyingthose events for use in CCF studies, and storingand analyzing the data. The system is based, inpart, on previous CCF methods and models andis designed to run on a personal computer. Thedata collection effort added a substantial numberof CCF events for use in CCF analyses abovethe previous industry efforts to collect CCF data.The generic data generated from these paststudies have been divided by component type,with no allowance given for differences thatmight exist between systems. The current datacollection effort has separated the data bysystem. The principal products of this CCF datacollection and analysis system (CCF system)project are the method for identifying andclassifying CCF events, the CCF databasecontaining both CCF events and, independentfailure counts, and the CCF parameterestimation software. The computer softwareproduced for this project uses the impact vectormethod introduced in Reference 2 and furtherrefined in Reference 3.

a. Glossary terms are italicized at first use in the text.

1

Page 20: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

Three data sources are used to selectequipment failure reports to be reviewed forCCF event identification: the Nuclear PlantReliability Data System (NPRDS), whichcontained component failure information prior to1997; the Equipment Performance andInformation Exchange (EPIX), which containscomponent failure information since 1997; andLER Search, which contains Licensee EventReports (LERs). All events that meet the abovecriteria are identified as CCF events and areincluded in the CCF database. The databasecontains CCFs beginning in 1980 and iscontinuously updated to remain current. In 1997,the NRC published NUREG/CR-6268,"Common-Cause Failure Database and AnalysisSystem" (Refs. .4, 5, 6, and 7). Volume 1presented an overview of the data collection andclassification process. Volume 2 containedbackground information for the coders. Thecoding guidelines were presented in Volume 3.Volume 4 was the user's'guide for the softwaresystem.

In May 1998, the NRC publishedNUREG/CR-5497, "Common-Cause FailureParameter Estimations" (Ref. 8). In September2003, the NRC started publishing the common-cause parameter estimations on the NRC website. The parameter estimations file contains thesame information, but is updated on a yearlybasis. The web page containing the common-cause parameter estimations downiloadable file ishttp://nrcoe.inel.gov/results/'

This report is.an update ofNUREG/CR-6268 and combines Volumes 1, 2,and 3. The material has been updated to includethe coding guidance applicable to EPIX. It alsocontains corrections and changes that have beenmade to the data collection and coding process.Figure 1-1 shows the steps in the data analysisprocess: collection of source data, identificationof CCF events, coding of CCF events, databasequality assurance, data analysis, and parameterestimation.

Section 2 of this report presents thedefinition of common-cause failures. Section 3contains the description of the basic concepts forcoding the CCF events. Section 4 provides anoverview of the CCF data analysis process. Thedetailed coding guidance is presented inSection 5, and Section 6 contains examples ofcoded events. Section 7 provides an overview ofthe quantification process. CCF parameterestimation is contained in Section 8. Section 9 isa glossary. Section 10 lists the references.

2

Page 21: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

Figure 1-1. CCF data analysis process.

3

Page 22: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events
Page 23: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

2. DEFINITION OF COMMON-CAUSE FAILURES

The definition of a CCF is closely tied to anunderstanding of the nature and significance ofdependent events. Therefore, a definition of adependent event is provided here. To simplifythe presentation, consider two failure events, Aand B.

Events A and B are said to be dependentevents if

P[Ar)B]= P[B f A]P[A]

P[AIB]P[B]

P[A]P[B]

(2-1)

where P[X] denotes the probability of event X.

In the presence of dependencies, often, butnot always, P(A fl B) > P(A)P(B). Therefore, ifA and B represent failure of safety functions, theactual probability of both failures will be higherthan the expected probability, if that probabilityis calculated based on the assumption ofindependence. In cases where the systemsprovide multiple layers of defense against totalsystem or functional failure, the presence ofdependence may translate into a reduced safetymargin and over-estimation of the reliabilitylevel.

Dependencies that result in dependentfailures can be classified in many ways. Aclassification useful in relating operational datato reliability characteristics of systems is offeredbelow. In this classification, dependencies arefirst categorized based on whether they stemfrom intended intrinsic functional and physicalcharacteristics of the system or are caused byexternal factors and unintended characteristics.Therefore, the dependence is either intrinsic orextrinsic to the system.

2.1 Intrinsic Dependency

An intrinsic dependency refers to caseswhere the functional status of one component is

affected by the functional status of anothercomponent. These types of dependenciesnormally stem from the way the system isdesigned to perform its intended function. Thereare several sub-classes of intrinsic dependenciesdepending on the type of influence thatcomponents have on each other. The sub-classifications are

* Functional Requirement Dependency. Afunctional requirement dependency refers tothe cases where the functional status ofcomponent A determines the functionalrequirements of component B. Possiblecases include

B is not needed when A works

- B is not needed when A fails

B is needed when A works

B is needed when A fails.

Functional requirement dependency alsoincludes cases where component B isrequired to perform its function in excess ofits design because of the failure of A.

" Functional Input Dependency. A functionalinput dependency (or functionalunavailability) refers to cases where thefunctional status of B depends on thefunctional status of A. For example, A mustwork for B to work. In other words, B isfunctionally unavailable as long as A is notworking. An example is the dependence of apump on electric power. Loss of electricpower makes the pump unavailable. Onceelectric power becomes available, the pumpwill also be operable.

" Cascade Failure. A cascade failure refers tothe cases where failure of A leads to failureof B, a cascading effect within a design. Anexample is a valve on a pump suction linethat fails to open. The valve failure causesthe pump to fail when a start signal isgenerated because of flashing in the suction

5

Page 24: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

line from a lack of flow. Because the pumpmay be physically damaged, even if thevalve is made operable, the pump wouldremain inoperable.

Through the above dependencies, othertypes of intrinsic dependencies are created. Ashared equipment dependency, when severalcomponents are functionally dependent on thesame component, is one such type. An exampleof shared equipment dependency is if both B andC are functionally dependent on A operating,then B and C have a shared equipmentdependency.

Known intrinsic dependencies should be,and often are, modeled explicitly in the logicmodel (e.g., fault tree) of the system.

2.2 Extrinsic Dependency

Extrinsic dependency refers to cases wherethe dependency or coupling is not inherent orintended in the functional characteristics of thesystem. The source and mechanism of suchdependencies are often external to the system.Examples of extrinsic dependencies are

* Physical/Environmental. Physical/environmental dependency is caused by

. common environmental factors such asharsh or abnormal environments created bya component. For example, high vibrationinduced by A causes B to fail.

Human Interaction. Human interactiondependency is caused by man-machineinteraction (e.g., multiple componentfailures from the same maintenance error).

In nuclear power plant risk and reliabilitystudies, a large number of extrinsicdependencies are treated through modeling ofthe phenomenology and the physical processesinvolved. Examples are fire and earthquakeevents, which are physical/environmentdependencies. Nevertheless, there are a largenumber of extrinsic mechanisms that areunpredictable (or misunderstood) and cannot bemodeled. In many cases, even when themechanisms are well understood, it is not cost-

effective to model the effects explicitly. In thesecases, the combined probabilistic effect ofdependencies is treated parametrically. Thismeans that these types of events are treatedtogether as one group known as common CCFs.

Viewed in this fashion, CCF events areinseparable from the class of dependent failures.The distinction is based on the level of treatmentand choice of modeling approach in reliabilityanalysis.

In the past 25 years, several definitions ofcommon-cause failures have been suggested inliterature. Some definitions are broad andessentially cover the entire set of dependentfailures. Other definitions focus on dependentevents in the context of a particular application,such as PRA. NUREG/CR-4780 (Ref. 2) definesCCFs as a subset of dependent failures in whichtwo or more component fault states exist at thesame time, or within a short interval, because ofa shared cause. Consistent with current practicesin reliability analysis systems modeling,Reference 2 excludes failure or unavailability ofother components as a shared cause of a CCFevent. This is particularly true where the failureof one component cascades down to thecomponents being analyzed. This exclusion isbased on the premise that functionaldependencies are modeled explicitly in the logicmodels.

According to Reference 2, CCFs result fromthe coexistence of two main factors: (1) asusceptibility for components to fail or becomeunavailable because of a particular root cause,or (2) a coupling factor or mechanism thatcreates the condition for multiple components tobe affected by the same cause. An example istwo pressure relief valves that failed to openbecause the setpoints were set too high. Thesetpoint oversight was human error. Overall,each component failed because of itssusceptibility to the conditions created by theroot cause and the role of coupling factors thatcreated the conditions common to severalcomponents. Defenses against root causesimprove the reliability of each component, butdo not necessarily reduce the fraction of totalfailures that occur because of a common-cause.

6

Page 25: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

The susceptibility of a system of components todependent failures compared with independentfailures is determined by coupling factors.

Characterization of CCF events, in terms ofthese main factors, enables effective engineeringassessment of the CCF phenomenon.Characterization identifies plant vulnerabilitiesto CCFs and establishes a basis for the defensesagainst them. It is equally effective in theevaluation and classification of operational dataand quantitative analysis of CCF frequencies.

The NUREG/CR-4780 (Ref. 2) definition ofCCFs-in terms of root cause, coupling factor,and the timing of failures--expresses (explicitlyor implicitly) the main features of CCFs formost, applications. The concept of a shared causeof malfunction or change in component state isthe key aspect of a CCF event. The use of theword "shared" implicitly includes the concept of

coupling factor or mechanism. In addition, thereference to a time interval between failuresacknowledges the reliability significance ofthese events. Multiple component failures from ashared cause, but without affecting missionrequirements, in a period required forperformance are of little or no significance froma reliability point of view. It is the correlation offailure times and their simultaneity in referenceto the specified mission time that carries theirreliability significance. Often when the samecause is acting on multiple components, failuretimes are also closely correlated. It should bementioned that the term "common-mode failure"which was used in the early literature and is stillused by some practitioners is more indicative ofthe most common symptom of CCF (i.e., failureof multiple components). As such, it is not aprecise term for communicating the maincharacter of CCF events.

7

Page 26: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events
Page 27: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

3. CCF EVENT CLASSIFICATION

A classification system for the mainelements of CCF events (specifically the failurecause, coupling factor, and defense) is providedin the following sections, including a codingsystem for each of these elements.

3.1 Failure Causes

In the context of the present discussion, thecause of a failure event is a condition orcombination of conditions to which a change inthe state of a component can be attributed. It isrecognized that the description of a failure interms of a single causeis often too simplistic.For example, for some purposes it may beadequate to identify that a pump failed becauseof high humidity. However, to develop acomplete understanding of the potential formultiple failures, it is necessary to identify whythe humidity was high and why it affected thepump (i.e., it is necessary to identify the ultimatereason for the failure). There are many differentpaths by which the ultimate reason for failurecould be reached. The sequence of events thatconstitute a failure path, or failure mechanism, isnot necessarily simple. As an aid to consideringfailure mechanisms, NUREG/CR-5460 (Ref. 9)introduces the following concepts.

A proximate cause associated with acomponent failure event is a characterization ofthe condition that is readily identifiable ashaving led to the failure. In the pump exampleabove, humidity could be identified as theproximate cause. The proximate cause is usuallyeasy to identify and is adequate for identifyingand classifying CCF events. However, theproximate cause can be regarded as a symptomof the failure cause and does not necessarilyprovide a complete understanding of what led tothat failed condition. As such, the proximatecause may not be the most usefulcharacterization of failure events for thepurposes of identifying appropriate correctiveactions.

To expand the description of the causalchain of conditions resulting in a failure, it is

useful to introduce the concepts of conditioningevents and trigger events. These concepts aid in'a systematic review of event data and are usefulin analyzing component failures. For a singleevent, however, it is not always necessary toconsider both concepts.

A conditioning event is an event thatpredisposes a component to fail or increases itssusceptibility to fail. A conditioning event doesnot cause a failure. In the pump example, aconditioning event could have been the failure ofmaintenance personnel to seal the pump controlcabinet properly after maintenance. The effect ofthe conditioning event is latent but contributes tothe failure mechanism. A trigger event activatesa failure or initiates the transition to the failedstate. The trigger event is important whether thefailure is revealed at the time the trigger eventoccurs or not. A steam leak that led to highhumidity in a room (and subsequent pumpfailure) would be considered a trigger event. Atrigger event is therefore a dynamic feature ofthe failure mechanism. A trigger event,particularly in the case of CCF events, is usuallyan external event relative to the components inquestion. It is not always necessary or possibleto define conditioning and trigger events for afailure. However, the concepts are useful in thatthey focus on immediate and subsidiary causesthat increase susceptibility to failure given theappropriate ensuing conditions.

The root cause is the basic reason whycomponents fail. Correction of a root cause canprevent recurrence. The identification of rootcause, therefore, can be tied to theimplementation of defenses. The root cause maybe determined to be the trigger event or theconditioning event. Often, failure investigationsdo not determine the root causes of failures eventhough this determination is crucial for judgingdefense adequacy. Additionally, the utilityfailure reports (LERs, EPIX reports, andNPRDS reports) often do not identify the actualroot cause. Therefore, the failure cause codedinto the CCF database is usually the proximatecause.

9

Page 28: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

Causes are grouped into seven categories,which are then subdivided to provide a means ofrecording more detailed information whenavailable. This failure cause classificationscheme can be used for either the root or the

proximate cause. The specific CCF databasefailure cause codes are identified inSection 5.1.6. The major failure cause categoriesare shown in Figure 3-1.

FAILURE CAUSE

I- Design/Construction/Ma nufacture

D esign Error- Manufacturing Error

Installation/Construction Error,

Design Modification Error

-Operations/Human Error

- ccidental Action

Inadequate/Incorrect ProcedureFailure to Follow Procedure

Inadquate TrainingInadequate Maintenance

- External Environment

Design/Construction/Manufacture Inadequacy.Encompasses actions and decisions taken duringdesign, manufacture, or installation of components bothbefore and after the plant is operational.

Operations/Human Error (Plant Staff Error).Represents causes related to errors of omission andcommission on the part of plant staff. An example is afailure to follow the correct procedure. This categoryincludes accidental actions and failure to followprocedures for construction, modification, operation,maintenance, calibration, and testing. It also includesambiguity, incompleteness, or error in procedures foroperation and maintenance of equipment. This includesinadequacy in construction, modification, administrative,operational, maintenance, test, and calibrationprocedures.

External Environment. Represents causes related to aharsh external environment that is not within componentdesign specifications. Specific mechanisms includeelectromagnetic interference, fire/ smoke, impact loads,moisture (sprays, floods, etc.), radiation, abnormally highor low temperature, and acts of nature.

Internal to Component. Associated with themalfunctioning of something internal to the component.Internal causes result from phenomena such as normalwear or other intrinsic failure mechanisms. It includes theinfluence of the internal environment of a component.Specific mechanisms include erosion/ corrosion,vibration, internal contamination, fatigue, and wear-out/end of life.

State of Other Component. The component isfunctionally unavailable because of failure of asupporting component or system. For example, an airsupply line to a valve breaks or a fuse in a control circuitblows. CCF events exclude those events that havedependencies that would reasonably be expected to bemodeled in an individual plant examination or PRA.

Unknown. Used when the cause of the component statecannot be identified.

Other. Used when the cause cannot be attributed to anyof the previous cause categories. This category is mostfrequently used for cases of setpoint drift.

- Fire/Smoke-Humid ity/Moisture.

- High/Low Temperature

-Electromagnetic Field-- Radiation-- Bio-organisms

-Contamination/Dust/Dirt

-Acts of Nature- Wind- Flood- Lightning- Snow/Ice

- Internal to Component

Normal WearInternal EnvironmentEarly Failure

- State of Other ComponentSupporting SystemInter-connection

- Unknown

- Other

Figure 3-1. Proximate failure causes hierarchy.

10

Page 29: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

3.2 Coupling Factors

As described earlier, for failures to originatefrom the same cause and be classified as a CCF,the conditions for the trigger or conditioningevents have to affect multiple componentssimultaneously. Simultaneity, in this context,refers to failures that occur close enough in timeto lead to the inability of multiple components toperform their intended safety function for a PRAmission. The condition or mechanism throughwhich failures of multiple components arecoupled is termed the coupling factor. Thecoupling factor is a characteristic of a group ofcomponents or piece-parts that identifies them assusceptible to the same causal mechanisms of-,failure. Such factors include similarity in design,location, environment, mission, operation,maintenance, and test procedures.

The report "On Quantitative Analysis ofCommon-cause Failure Data for Plant-SpecificProbabilistic Safety Assessments" (Ref. 10)presents a coupling factor classification system,which is used as a systematic and consistentmethod for classifying coupling factors ofmultiple component unavailability. A modifiedversion of this classification system is used inthe analysis of operational data and in evaluatingplant-specific defenses against multiple failures.The coupling factor classification formatconsists of five major classes:

* Quality based

• Design based/

* Maintenance based

* Operation based

* Environment based.

These five classes are divided into subcategoriesto provide more detail for important parametersand attributes (see Figure 3-2). The multi-layered coding approach acknowledges thatoften during classification only major categoriesare identified because event descriptions do nothave enough detail to allow distinction ofsubcategories. Details of the database coding

system and coding guidance for coupling factorsare contained'in Section 5.1.14.

Coupling Factors

Hardware Quality

Design Based

K Componmi PMS)vlC.rllCofgurtion

Maintenance• Sch.,hle

Prmwcdr

Staff

Operational

Staff

Environmental

Internal1.1-1~

Figure 3-2. Categories for coupling factors.

3.2.1 Quality Based

Quality coupling factors refer tocharacteristics introduced as common elementsfor the quality of the hardware and include thefollowing:

* Manufacturing Attributes. Refers to thesame manufacturing staff, quality controlprocedure, manufacturing method, andmaterial.

Example: Two diesel generators failed dueto failed roll pins on the exhaust damperlinkage. The roll pins failed due to temper-embrittlement that resulted from the roll pinmanufacturing process.

* Construction/Installation Attributes (bothinitial and later modifications). Refers to thesame construction/installation staff,construction/installation procedure,

11

Page 30: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

construction/installation testing/verificationprocedure, and construction/installationschedule.

Example: A reactor core isolation cooling(RCIC) turbine tripped on high exhaustpressure immediately after starting. Acommon reference jumper between thespeed ramp generator and the electronicgovernor module was missing. It was alsomissing from the high-pressure coolantinjection (HPCI) turbine.

3.2.2 Design Based

Design coupling factors result from commoncharacteristics among components determined atthe hardware design level. There are two groupsof design-related hardware couplings: systemlevel and component level. System-levelcoupling factors include features of the systemor groups of components external to, thecomponents that can cause propagation offailures to multiple components. Component-level coupling factors represent features withinthe boundary of each component. The followingare coupling factors in the design category:

* System Layout/Configuration. Refers to thearrangement of components to form asystem.

Example: Two motor-driven auxiliaryfeedwater (AFW) pumps lost suctionbecause of air trapped in the supply headerthat provides condensate flow between thecondensate storage tank (CST) and the hotwells. The two failed pumps took suctionfrom the top of the header, while theturbine-driven pump (which took suctionfrom the side of the header) was unaffected.A vent was installed on the condensaterejection line.

Example: Two containment spray pumpsfailed to meet differential pressurerequirements because of air binding at thepump suction. These failures resulted from asystem piping design error.

* Component Internal Parts. Refers tocharacteristics that could lead to severalcomponents failing because of the failure ofsimilar internal parts or sub-components.This category is used when investigating theroot cause of component failures and whenthe investigation is limited to identifying thesub-components or piece-part at fault, ratherthan the root cause of failure of the piece-part.

Example: On two occasions, both the HPCIand RCIC pumps tripped during tests. Thecause was failed Teflon rupture discs. Thediscs were inadequate for their intendedpurpose.

Example: During normal operations, it wasfound that two AFW pump turbinesexperienced speed oscillations; in one case,the turbine tripped. Both oscillationproblems were researched and it wasdetermined that the buffer springs on thegovernor were the wrong size. The springswere removed and replaced with the correctsprings.

3.2.3 Maintenance Based

The maintenance based coupling factorspropagate a failure mechanism from identicalmaintenance program characteristics amongseveral components. The categories ofmaintenance based coupling factors are

Maintenance/Test/Calibration Schedule.Refers to the maintenance/test/calibrationactivities on multiple components beingperformed simultaneously or sequentiallyduring the same event.

Example: A number of breakers in the ACpower system failed to close due to dirt andforeign material accumulation in breakerrelays. Existing maintenance and testingrequirements allowed the relays to beinoperable and not detected as inoperableuntil the breakers were called on to operate.The maintenance requirements or cleaningschedules had not been established oridentified as being necessary.

12

Page 31: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

" Maintenance/Test/Calibration Procedures.Refers to propagation of errors throughprocedural errors and operator interpretationof procedural steps. It is recognized that fornon-diverse equipment, it is impractical todevelop and implement diverse procedures.

Example: During surveillance testing, two offive electromagnetic relief valves in theautomatic depressurization system failed tooperate per design. A leak path around athreaded retainer prevented the valves fromventing the lower chamber and subsequentlyopening. The maintenance procedures wererevised to seal weld the retainers. The valveswere bench tested to ensure operabilitybefore installation.

* Maintenance/Test/Calibration Staff. Refersto the same maintenance/test/calibrationteam being in charge of maintainingmultiple systems/components.

Example: Component cooling water (CCW)pump C sounded a high bearing temperaturealarm. The pump bearing had rotated,blocking oil flow to the bearing. Theapparent cause was pump/motormisalignment. During repairs, pumps A andB maintained CCW flow. Eleven days later,pump. B sounded a high bearing temperaturealarm. Again, bearing failure was due topump/motor misalignment.

3.2.4 Operation Based

The operation based coupling factorspropagate a failure mechanism from identicaloperational characteristics among severalcomponents. The categories of operation basedcoupling factors are

Operating Procedure. Refers to the caseswhen operation of all (functionally orphysically) identical components isgoverned by the same operating procedures.Consequently, any deficiency in theprocedures could affect these components asshown in the first example. Sometimes, a setof procedures or a combination of procedureand human action act as the proximate cause

and coupling factor, as seen in the secondexample. In other cases, a commonprocedure results in failure or multiplefailures of multiple trains as demonstratedby the third example.

Example: Two AFW pumps failed todevelop the proper flow output. It wasdetermined that the manual governor speedcontrol knobs had been placed in the wrongposition because of an error in theprocedure.

Example: The RCIC turbine tripped on highexhaust pressure during a test. The RCICturbine exhaust stop check valve was foundclosed and locked. The stop check valve onthe exhaust of the HPCI turbine was alsofound closed, but not locked. One otherRCIC valve was found locked closed thatshould have been locked open, but this valvehad no effect on RCIC operability. Mis-positioning the valves was due to operatorerror and an incomplete procedure.

Example: Due to procedure and personnelerrors, the nitrogen for the air-operatedvalves on two trains of the AFW system wasincorrectly aligned causing a loss of thenitrogen supply. The procedures wererevised to increase surveillance and clearlydelineate the nitrogen bottle valve alignmentrequirements.

Operating Staff. Refers to the events thatresult if the same operator (team ofoperators) is assigned to operate all trains ofa system, increasing the probability thatoperator errors will affect multiplecomponents simultaneously.

Example: All .of the emergency servicewater pumps were found in the trippedcondition. The trips were the result of anemergency engine shutdown device beingtripped. The operations personnel did notrecognize that the trip devices had to bereset following testing. The procedures wereenhanced to include information that is moredetailed and the operator training wasenhanced on operating the trip devices.

13

Page 32: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

3.2.5 Environment Based

The environment based coupling factorspropagate a failure mechanism via identicalexternal or internal environmentalcharacteristics. These coupling factors are

* External Environment. Refers to allredundant systems/components exposed tothe same external environmental stresses(e.g., flood, fire, high humidity, andearthquake). The impact of several of theseenvironmental stresses is normally modeledexplicitly in current PRAs (by analyzing thephenomena involved and incorporating theirimpact into the plant/system models). Otherenvironmental causes such as high humidityand temperature fluctuations are typicallyconsidered in CCF analysis and treatedparametrically.

Example: "A service water system leak on aninlet pipe caused the AFW pump motors tobe sprayed with water. The pumps weresubsequently declared inoperable until themotors could be repaired.

* Internal Environment. Refers tocommonality of multiple components interms of the medium of their operation suchas internal fluids (water, lube oil, gas, etc.).

Example: Three of four service water pumpsfailed because of wear causing a high pumpvibration. The ocean is the suction sourcefor the pumps, and the failures were causedby excessive quantities of abrasive particlesin the water. The pumps were replaced.

3.3 Defense Mechanisms

To understand a defense strategy against aCCF event, it is necessary to understand thatdefending against a CCF event is no differentthan defending against an independent failurethat has a single root cause, except that morethan one failure has occurred and the failures arerelated through a coupling mechanism. Thedefense mechanisms for the CCF system arefunctional barrier, physical barrier, monitoringand awareness, maintenance staffing and

scheduling, component identification, diversity,no practical defense, and unknown. Thesedefenses are constructed primarily based ondefending against the CCF coupling factors. Asummary of the defenses is provided in Table3-1.

There are three methods of defense against aCCF: (1) defend against the failure proximatecause, (2) defend against the CCF couplingfactor, or (3) defend against both items 1 and 2.A defense strategy against proximate causestypically includes design control, use ofqualified equipment, testing and preventivemaintenance programs, procedure review,personnel training, quality control, redundancy,diversity, and barriers. When a defense strategyis developed using protection against aproximate cause as a basis, the number ofindividual failures may decrease. During a CCFanalysis, a defense based on the proximate causemay be difficult to assess particularly when aroot cause analysis is not performed on eachfailure and those that are performed are notcomplete. However, given that a defensestrategy is established based on reducing thenumber of failures by addressing proximatecauses, it is reasonable to postulate that if fewercomponent failures occur, fewer CCF eventswould occur. The above approach does notaddress the way that failures are coupled.Therefore, CCF events can occur but at a lowerfrequency.

If a defense strategy is developed usingprotection against a coupling factor as a basis,the relationship between the failures iseliminated. During a CCF analysis, defensebased on the coupling factor is easier to assessbecause the coupling mechanism betweenfailures is more readily apparent and thereforeeasier to interrupt. For coupling factors, adefense strategy typically includes diversity(functional, equipment, and staff), barriers, andstaggered testing and maintenance. With thisdefense strategy, component failures may occurthat may not be related to any other failures.

A defense strategy addressing both theproximate cause and coupling factor is the mostcomprehensive.

14

Page 33: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

Table 3-1. Defense mechanisms.

Defense Mechanism Description

Physical Barrier A physical restriction, barrier, or separation could have

prevented a CCF. An example would be installation of awatertight door to preclude flooding of an equipment room.

Moi~itriiiý)/Awarriess-In~esy~ed or-chiomponent dresign ange.O~erwonld ffall ' undcrtlsr. o7 .Y*~

a- caeg r ev444t .44

Maintenance Staffing and Scheduling A maintenance program modification could have prevented aCCF. This would include modifications such as staggeredtesting and maintenance/operation staff diversity.

C~omilpoi'iinetgIdenet s icatn4omprovemeits in, componen. dentificatin, especally between.enth.. . - t entlt s m a system an smiar systems mu

:;."";,•:'• , .. :.•":".;",;• ;,:.': ,:•,-...;r,,..•) =:s, i:denti fcation,ý,bar'co'*ding, ýand color -;codm~ig:,; ...,. •... .o> .D iversity A modification to diversity could have prevented a CCF. This

includes diversity in equipment, types of equipment,procedures, equipment functions, manufacturers, suppliers,

. 4personnel, etc.

Unknown Adequate deitail is not provided on the cause and coupling

factor for a CCF event to make an adequate defensemechanism identification.

15

Page 34: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events
Page 35: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

4. THE CCF DATA ANALYSIS PROCESS

The CCF data analysis process consists ofsix activities: identification of analysisboundaries, data collection, failure eventanalysis and data coding, independent qualityassurance verification, and CCF parameterestimation. Most of these activities are discussedin the following sections. Data coding isdiscussed in Section 5; CCF parameterestimation is discussed in Section 8. Figure 1-1shows the major steps in the CCF data analysisprocess.

4.1 Identification of AnalysisBoundaries

The initial step in the process is to identifythe boundaries of the analysis, including theplant systems and components to be analyzedand operational event boundaries. The systemand component combinations that have beenselected for analysis are those addressed in PRAmodeling for which CCF parameters are needed.

The data in the CCF database was codedbased on predefined component boundaries thatmay include numerous sub-components.Component boundaries were defined before thedata review so that each data analyst canconsistently identify failure reports that shouldbe included within a single component analysis.Examples of multiple sub-components within acomponent boundary include the actuator, valve,and power supply circuit breaker in a motor-operated valve (MOV) component; the turbineand pump for a turbine-driven pump component;and the engine, generator, starting/control air,and output breaker for an emergency dieselgenerator (EDG) component. Systems currentlyincludedin the CCF database and the boundariesfor these components are described in detail inSection 5.1.5 of this report.

The system success criteria were identifiedby defining system and componentfailuremodes. These are descriptions of how the systemand components within the system are requiredto operate and accomplish their safety or PRA-specific mission. The failure modes defined

were those that correspond primarily to the onesused in PRAs. For example, the safety functionof a pump is to start on specific demand criteriaand then run for a given length of time (missiontime). Pump failure to start includes events suchas the motor circuit breaker not racked in orfailure to achieve rated pressure and flow. Pumpfailure to run events include failures such aserratic speed control, lubrication systemproblems, or high vibration that may preventoperation for the full duration of mission time.Analysts determine the failure modes for boththe CCF events and the independent failures.The applicable failure modes for eachcomponent are defined in Section 5.1.13 of thisreport.

The component and system combinationsare referred to as a common-cause componentgroup (CCCG). The number of components in aCCCG is referred to as the size of the group, theCCCG size, or the redundancy level. EachCCCG (e.g., EDGs, AFW air-operated valves[AOVs]) is unique in the application of systemand component boundaries, definition of failure,and the applicable failure modes. Beforereviewing the failure records for identification ofCCF events, it is necessary to understand thesystem configuration at each plant.Understanding the configuration enables theanalyst to properly interpret the event anddetermine the impact of the reported failure onthe system and component operability withrespect to the PRA mission. The systemconfigurations were determined using plantdrawings, information in the plant final safetyanalysis reports, "Overview and Comparison ofU.S. Commercial Nuclear Power Plants"(Ref. 11), and other available sources. Thesystem configuration analysis consists ofidentifying the number of trains involved, thenumber of each type of component (CCCG), andcomponent configuration.

Before performing any data searches anddownloads, the analysts established the CCCGboundaries and defined the applicable failuremodes to ensure that the data were properlycollected and consistently analyzed. For

17

Page 36: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

example, the AFW pump boundary includes thedriver (motor and circuit breaker or turbine andturbine governor) and the mechanical portion ofthe pump. Examples of possible failure eventsfor each component set were given to the dataanalyst to assist in determining the applicabilityof the reported failure event to the CCF study.When a licensee reported degradation of acomponent, the analyst had to determine theeffect of the degradation on the actualoperability of the component. For example,failure of one indicator light on a valve positionindicator was determined not to be a failure ofthe valve. Conversely, an incorrectly positionedpump circuit breaker that would have preventeda successful pump start was considered a failure,although the deficiency was identified before anactual demand.

4.2 Data Collection

After identifying the analysis boundaries,the next step is to perform searches for eventsusing available data sources. The sources ofcomponent failure data most readily available tothe NRC were the NPRDS failure reports, whichwere replaced by EPIX failure reports, andLERs. For the first data searches, sophisticatedalgorithms were developed to locate and pre-process event data from NPRDS and LERs tocompile potential CCF events. The currentupdates are of much smaller scope. Routinesearches are performed that filter EPIX data toobtain failure reports for components of interestto the CCF study. All LERs submitted bylicensees are reviewed for events applicable tothe CCF program as well as other ongoing-programs at the INL pertaining to plantperformance indicators, system reliabilitystudies, and initiating event studies.

The NPRDS and EPIX reports containdetailed information about the failure of a singlecomponent; thus, they must be considered bygroups of two or more records with specificcharacteristics to constitute CCF events.Conversely, LERs contain information aboutmore complex plant events, and, because of thereporting criteria, often contain informationabout simultaneous failures in a single report.

4.3 Event Analysis

Once the event data are collected, dataanalysts read the LER and the NPRDS or EPIXreport narratives of events to determine thesystem, component, failure mode, degree ofdegradation, and plant status. Event records thateither have no failure or do not involve acomponent included in the CCF study aremarked either NOF (no failure) or NIS (not inscope). The LER events are then compared toNPRDS or EPIX events to eliminate anyduplication of events.

Once each failure record is categorized, allvalid data are grouped by plant, system,component, failure mode, and failure date. The.grouping is to assist the analyst in identifyingNPRDS/EPIX/LER failure reports that occurwithin a specified time interval and may beassociated with a CCF event.

The failure date for each report is comparedto the failure date for all other failure reports atthat plant to determine whether the failure datefor one or more reports falls within the PRAmission time or the testing interval (plus theallowed 25%), as applicable per the method ofdetection. All reports within the applicableperiod are considered a possible CCF event andare grouped together for narrative screening.More discussion of this timing factor is inSection 5.1.7.

As part of the data grouping, two filters areapplied to failure data to identify failure reportsthat do not fit the CCF event definition. If thereis only one failure in the data set, then it is codedas an independent failure. If all failures in agroup involve the same component, they are allcoded as independent failures because theremust be failures of at least two differentcomponents to qualify as a CCF event. Inaddition, for the specified period, only onefailure of each component in the CCCG iscounted for a CCF event; otherwise, countingmultiple failures of one or more components inthe CCCG would make the event appear to bemore severe. For example, if two MOVs withina CCCG size of six each failed three times andsix failures were counted in the CCF event, it

18

Page 37: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

would appear that the CCF event involvedfailure of all valves in the group. However, inthis example it may be acceptable to classify thesix failures into more than one CCF event,depending on the timing of the failures for eachvalve.

Groups of failures are identified as CCFevents if they meet the following criteria:

1. Two or more similar components have failedor are degraded. The failures occurred ondemand, during testing, or in situationswhere the equipment would have failed hadit been called upon to operate.

2. The period of the failures is within or nearthe PRA mission time. For standbyequipment, the time interval is assumed tobe the surveillance testing interval plus 25%.

3:,jThe failures share a single cause and arelinked by a coupling mechanism.

4. The equipment failures are not caused by thefailure of equipment outside the establishedcomponent boundary, such as cooling wateror AC power. These failures are dependentbut are not CCF events.

Failure of shared equipment (e.g., commoncooling water or AC power systems) is notconsidered a CCF event because these events areusually modeled explicitly in the reliability logicmodels. Another convention adopted in theinitial effort of this project is that similar failureswithin a short time interval in different powerplants of a multiple unit power plant site are notconsidered a CCF event. This is because anindividual plant design typically does not rely onuse of systems from another unit. Exceptions tothis are the EDGs and ultimate heat sinks. Incases where similar failures (e.g., all four EDGsat a two-unit site with the same defective design)are detected at multiple plants, a CCF event is.entered into the database for each unit affected.

After all CCF events have been identified,they are entered into the CCF database.Section 5.1 describes the criteria for coding

events into the CCF database. Independentfailure events are coded into the independentfailure database and counted because they areused in the overall CCF parameter estimation, asdescribed in Section 5.2. Independent failureevent data must be provided by system,component, failure mode, and docket. Thisinformation is determined for each independentfailure identified during the review of theNPRDS, EPIX, and LER data. The NPRDS andEPIX failure reports and LERs for all eventscollected in the data searches are stored forquality assurance tractability.

4.4 Data Loading

All of the data analysis takes place externalto the CCF database so that un-reviewed data arenot released. The data-loading step addsqualified data to the CCF database. After theCCF events have been reviewed, commentsresolved, and duplicate events removed, theCCF and independent events are loaded into theCCF database.

4.5 Quality Assurance

The primary goal of CCF quality assuranceis to ensure consistency and accuracy in the dataanalysis and CCF event coding. The major stepsof CCF analysis (data handling, screening, andcoding activities) are based on engineeringjudgment, which all have a potential for error.The quality assurance process for CCF dataincludes (1) INL coding and review by PRAqualified data analysts and (2) independentquality assurance verification by a subcontractornot at the 1NL. A second INL data analystevaluates every coded CCF event to ensureproper identification of the C(F event,verification of coding accuracy, andconsideration of appropriate PRA concepts. Thetwo data analysts resolve any differencesbetween the first and second coding before dataacceptance. During failure data analysis toidentify CCF events, a large number of failurereports are downloaded and reviewed. To ensurethat the failure report review is auditable andthat the findings can be reproduced, all data for

19

Page 38: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

each system/component study are maintained.Included are

* All NPRDS failure records

" All EPIX failure records

* All LERs

" Coding disposition of each record (e.g.,CCF, independent, or no failure)

* Quality assurance comments.

20

Page 39: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

5. EVENT CODING GUIDANCE

This section provides guidance for theanalyst for both CCF events and independentevents.

5.1 CCF Event Coding

This sub-section describes the informationcoded into each CCF event data field andpresents associated codes for most fields.Sample CCF coding forms are provided inSection 6, with several coding examples.

5.1.1 Event Name

The event name is a unique character stringused to identify each CCF event. The format is

S-DDD-YY-####-FM

where

S - source document where the CCF eventwas identified (N represents NPRDS, Lrepresents LER, and E represents EPIX)

DDD - plant's docket number

YY ý year of the event

#### -sequential four digit event numberassigned by the CCF systemadministrator

FM two-character code for the failure modeof the event.

Detailed guidance regarding failure modesapplicable to systems and components and acomplete list of failure mode codes is containedin Section 5.1.13.

5.1.2 Plant Name

The plant name is the name of the nuclearpower plant where the CCF event occurred. Thefull name is entered when the data are loadedinto the database.

5.1.3 Power Level

The power field contains the plant powerlevel at the time of the CCF event as apercentage of full power. For CCF eventsidentified from NPRDS or EPIX, thisinformation is not always available and the fieldmay be left blank. At least two NPRDS or EPIXrecords are required to define a CCF event. Ifthe power level identified for both failures isconflicting, the power reported for the first eventis used. For CCF events identified from LERs,the power level is given in Block 10 on the LERform; this number may be changed ifinformation within the LER contradicts it. If it isknown that the event occurred at power but theactual power level is not given, 100% is used.

5.1.4 Event Title

The title field provides a 60-character spacefor a title or short description of the event.

5.1.5 System

System codes identify groups of componentsthat work together to perform a specificfunction. The system code used in event codingrepresents the group that includes the failedcomponents. The system codes are listed inTable 5-1.

5.1.6 Proximate Cause

The proximate cause field identifies thereason the components failed. Most failurereports address an immediate cause and anunderlying cause. The appropriate code is theone representing the common-cause or, if alllevels of causes are common, the most readilyidentifiable or proximate cause. The proximatecause codes and their descriptions are shown inTable 5-2. A detailed discussion of failurecauses is contained in Section 3.1 of this report.

21

Page 40: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

Table 5-1. CCF system codes.

Code System Descriptioný,, P ~Der scriputionl.

AFW Auxiliary feedwater

JCSS: - Cntqjhtietjti~apt&".'systenrý,

CVR Containment vacuum reliefDP DC - . .- --

EPS Emergency power system

ESW vEmergicese ia- ser-vice ýwater 7 ¼ -

HCI High-pressure coolant injection (BWR)

HCS ýH -e spray,,<HiglPurescore. o'-2-- 4., - .

HPI High-pressure safety injection (PWR)

IS- isolatiP&5coden 1 '5-2 ~--,.

LCS Low-pressure core spray

s generator and steam lines at aaPWR anda the boile

RCI Reactor core isolation cooling

RC S Reactor~cdoant'system <-

RHR Residual heat removal (this includes the low pressure coolant injection and the low pressureinjection systems in both BWRs and PWRs)

;':SDC Shutdown cooling system (only used for the stand-alone shutdown cooling system in someBWRs)

a. BWR =boiling water reactor, PWR =pressurized water reactor.

22

Page 41: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

Table 5-2. Proximate cause codes.

Code Cause Description

DC Constnfictionin' stalHation erroP' :A mitui ointlaion4 error was rnade-during die'original

-or inad equiacy ý. or moiiaio. sjtalatio: ',i ihchd u'in' icretc4inn

r

or, friciht oied ngeit&ati n, incorrct component or.

ni.,

. 4- .'

ater al~ s' C -0ýpcfcto ot'inc4

4' 4'4"von~ or

DE Design error or inadequacy A design error was mnade

DM iddri e'~o o A man"Uffactuir•l eror war~s inaui during, comp~onent' rianufacturej,

HA Accidental action A human error (during the performance of an activity) resulted in

(unintentional or undesired an unintentional or undesired action

human errors)

lID- W'ron-,, ioeduý'Nl 6 w ed7

4 4 4 -"J t'~'"

7'4-''"47"

HP ailre to folo pocdres'' procedure was, fllowed'4

HP Filue tofolow poceure The correct procedure was not followed; applies to

" Calibration/test staff

" Construct ion/test staff

" Maintenance staff

* Operations staff

* Other plant staff

IT-T ' inadequate training Tann~j dqae.'.'.~~'~~:~

IC Internal to component, The cause of the failure is the result of a failure internal to the

piece-part component that failed; applies to

* Erosion/corrosion

* Equipment fatigue

* Wear out/end of life

& Internal contamination

I'L Amnbient environmeta stress Tecueo tefiue sti'euto nevrnetl

.. ' ondition'i I0COM from teI-oati'oni of the cmoneh , applies to

'4 " " Chetnucal reactio'n:'IS'~'.

e- ,*ElIectromagnetic inte-rTer-ence ''

4'.,' '4, '

' ~' * Fire/smoke.'

fimpact loads '

Mois ure (pa loec

-: Acts of nature(ý ig

44 e~praur~(anormal

low)o

4 '4,4 ' V' 0 Viration l'oads. (excludin setismicevns

23

Page 42: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

Table 5-2. (continued).

Code Cause Description

OT Other (stated cause does niot fit The cause of the failure is provided but it does not meet any oneother categories) of the descniptions

P' -InadiauateprocedUre~ >-1liTh cauisep ofthe. failure is the~result of an inadoquatp, procedure; :

Calibra~tion/test pro6cduieAdmmIst ativc'

M ainitenance;

* ~ ' .~.p~eratioinaf>

-~ ~ ~~I ,Crsritii'idfication

* , -~ ... ~ tlherjK~

QI Setpoint dnift The cause of the failure is the result of setpoirnt drift

'QP State of other coiijiPon~ert Tecueof the failureiste'fs i' acnpobiIi~tt o-iscacvil thcntponerit'thatvfaileds

U Unknowxn The cause of the failure is not known

5.1.7 Timing Factor

This is a measure of how close in timemultiple failures occurred. In general, the goal ofthe timing factor is to assign a weighting factorto the CCF event based on the time betweenindividual failures. The acceptable input for thisfield is a decimal number from 0.1 to- 1.0.

The definition of timing factor is presentedin two parts based on whether failures areannounced or unannounced. The two classes offailures are the following:

Announced (Overt) Failures. Failures wereannounced, inspected for, or monitoredbefore a demand or failure. It includesfailures of operating components and self-revealing failures of components in standbystate (e.g., low cooling water flow, low tanklevel, low oil level, or high exhausttemperature). If any of these conditionsoccurs during scheduled testing, theUnannounced or Latent failure class isappropriate. Announced failures anddegradations are usually detectedimmediately (e.g., an operating pump alarmsand is shut down by procedure during a non-

test demand). Thus, the probability of failureis related to a mission time. Hence, theassignment of a value for the timing factorshould be related to the mission time.

Unannounced (Latent) Failures. Coversfailures of components in a standby statethat are not announced but are subsequentlydetected by testing or a valid demand (e.g.,pump does not start on demand, EDG failsto produce required voltage on a test,residual heat removal [RHR] pump exhibitslow suction pressure-during a test, or a valvefails to completely open on a demand).Unannounced failures occur in equipmentthat is demanded without a prior indicationof failure (e.g., standby safety pumps, valvesbeing opened). Failure probabilities for suchcomponents are usually estimated by thenumber of failures and number of demands.Here, the assignment of a value should bebased on the opportunity for a demand todetect the component degradations. Twobasic means of detection are validoperational demands and surveillancetesting.

24

Page 43: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

As a simple but conservative rule for CCFevents containing more than two components,the maximum value of timing factor values foreach pair of consecutive componentdegradations in the event should be assigned tothe event.

5.1.7.1 Announced Failures. For announcedfailures, the timing factor is based on a time-based model. Thus, the timing factor is assignedvalues based upon a PRA mission time (theperiod of time the component is usually requiredto perform its function in a PRA or individualplant examination [WPE], usually 24 hours). Thefollowing classifications may be used for twoconsecutive degradations of two componentscontained in a CCF event:

" High (1.0): The component events areseparated by no more than the PRA missiontime.

" Medium (0.5): The component events didnot occur within the PRA mission time andtwo times the PRA mission time.

" Low (0.1): The component events areseparated by more than two times the PRAmission time and less than three times thePRA mission time.

* Not CCF: More than three times the PRAmission time or during the interval betweenthe component events, the component(which was detected, failed, or degradedlater) has undergone maintenance, overhaul,or other action that can be regarded as arenewal event for the failure mechanisms.(Note: In this case, the event is not classifiedas a CCF event.)

The specification of the time intervals based onthe PRA mission time indicates that there wasone success between failures for "medium"events and two successes between failures for"low" events.

5.1.7.2 Unannounced Failures.Unannounced failures are related to two(redundant) component degradations (failureevents) occurring and being detected during a

demand situation. In the following, the term"challenge" means an opportunity to detect theconsidered failure mechanism with highprobability. Test and demand events are theprimary challenges. The following classificationis for two consecutive failures/degradations oftwo components that are members of a CCFevent:

High (1.0): During the time interval betweenthe degradation events of components 1 and2, there was no successful challenge tocomponent 2. For example

- Two RHR pumps are tested and bothfail to run for the required period oftime. The tests are performed within thesame surveillance cycle. (Success ofother RHR pumps does not impact thetiming of the two recorded failures.)

- Two AFW MOVs fail to open during avalid operational demand. The demandsare not separated by a valid success ofone of the two MOVs before failure.(Success of another MOV does notprovide a valid challenge.)

Medium (0.5): During the time intervalbetween the degradation events ofcomponents 1 and 2, there was one and onlyone successful challenge of component 2.For example

The EDGs were tested during testingcycle 1. One failure of the "A" EDG isrecorded. (No failure records are foundfor the other EDGs.) In the next testingcycle, one failure of the "B" EDG isrecorded.

The AFW pumps are all demandedduring a scram event. The "A" AFWpump fails to start. Later, anotherdemand is made of the AFW system.The "B" AFW pump fails to start. Thisset of circumstances may lead theanalyst to code a CCF event with a"medium" timing factor if the analystbelieves that no other successfuldemands of the AFW system occurredbetween these two recorded events. Thiswill mostly fall on the calendar time

25

Page 44: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

between the events. Very short times(< day, < week, etc.) may warrant thiscategory.

Low (0.1): During the time interval betweenthe degradation events of components 1 and2, there were two and only two successfulchallenges of component 2. For example

- The EDGs were tested during testingcycle 1. One failure of the "A" EDG isrecorded. (No failure records are foundfor the other EDGs.) In the next testingcycle, no failures of the EDGs arerecorded. In the third testing cycle, onefailure of the "B" EDG is recorded.

- The AFW pumps are all demandedduring a scram event. The "A" AFWpump fails to start. Later, anotherdemand is made of the AFW system inwhich no failures are recorded. Later,another demand is made of the AFWsystem. The "B" AFW pump fails tostart. This set of circumstances may leadthe analyst to code a CCF event with a"low" timing factor if the analystbelieves that no other successfuldemands of the AFW system occurredbetween these three recorded events.This will mostly fall on the calendartime between the events. Very shorttimes (< day, < week, eic.) may warrantthis category.

Not CCF: During the interval between thedegradation events of components 1 and 2,there were more than two successfulchallenges of component 2. (Note: In thiscase, the event is not classified as a CCFevent.)

If the component time histories are notknown in detail regarding actual test andmaintenance timing and real demands, anassumed pattern can be used based on testinterval and scheme of possible test staggering,time-based maintenance pattern, and typicalpattern of demands. In practice, the analyst willhave to have a very strong sense that somethingis going on. For example, the failure mechanismis very likely to occur within very few demands.The more successes between failures required,

the more likely the analyst is to record the eventsas a CCF event.

The above classification scheme isindependent of the type of testing scheme (e.g.,staggered, sequential) and technicalspecifications considerations (testing redundantcomponents when a component failure isdetected). The key discriminating factor is thespacing Of failures and opportunities to detectfailures of the two components.

The majority of safety-related systems andcomponents considered for CCF event analysisare normally in a standby condition. Thisimplies that most system operation occursduring testing, which is when a large portion ofthe failures are discovered. The inservice testingrequirements of 10 CFR 50.55a and thecontainment penetration leakage testingrequirements of 10 CFR 50, Appendix J, governmost safety-related component testing (Refs. 12and 13). Licensees are allowed to extend thetesting interval by up to 25% to allow forscheduling. Testing intervals for eachcomponent set are considered individually. Forexample, EDGs have monthly testingrequirements that are specified in the technicalspecifications. Considering the 25% extension, itis recommended that 39 days be used for EDGfailure report grouping.

In addition, for most standby safety systemcomponents, technical specifications andlimiting conditions-of operation require thatwhen a test or other source reveals that acomponent is inoperable, the other similarredundant components must be tested. If it isnoted that the first failure triggers testing of theother components, then the-next cycle mayassume a success in between the failures.

5.1.8 Component

The component field describes theequipment that experienced the CCF event. Thecodes reflect operational system componentsthat are normally modeled in a PRA. Table 5-3provides a listing of available component codesand component descriptions.

26

Page 45: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

Table 5-3. Component codes.Code Component Description

BAT Battery Provides DC power

CB2 Reactor protection trip Provides electrical power connection between power source andcircuit breakers load, or opens on electrical fault or demand

i3?:•,7,• 6,9*-,VACcircut ,bvreal ers rdne etweenpnowe~rsource, aiind•:

CB4 4160 V AC circuit Provides electrical power connection between power source andbreakers load, or opens on electrical fault or demand

C~ 4•: •.d480V A crcuit-brakers-o ,,irov.ie eleetncal.,power. connection between power source.ando>-

CB7 DC distribution circuit Provides electrical power connection between power source andbreakers load, or opens on electrical fault or demand

cB8f7K& 12k• esVe eiftcal-'po'wrconnec&tinbetween power§source annd

CKB Vacuum breaker check Closes or opens to isolate or permit flow on specific differentialvalve • pressure

CK iWceckyalve- Asols'' orUW01:S 'St - ,Closes or opens tioate :rpermt fl ow ospectidfferent ia;._ pressore .i ,K .!',-'.[;< ," -' K. ": :,'6' - .

•CKV Check valve Closes or opens to isolate or permit flow on specific differentialpressure

EDG ~",'l-I lEaree:desel:: •:.•••'.`•`P~ds elcbc poowcr.wWtli Iaidese. epngreTv-.-dq *.•'`:• •::...

HSV Hydraulically operated Hydraulically operated main steam isolation valvemain steam isolation valve

HTtHrta Ifsoif6i'1 fl6ý,;.44,`c`ntains pr~o&&s. fluid>MDP Motor-driven pump Pump with an electrical driverMOV6 ! M6o t oroperated valve, - s oatesw er.orp s flowon ndeand , ,operatebY nmotor

water ~-' 'oerat2jK L , -

MSV Main Steam Isolation Air- or gas-operated main steam isolation valveValve

WAV, i prtd~av ~ ~~'C~ibslgo wae'r -thog pump nimuni..fiow Tecirculation-,?recirculation -.- Iiie½

RVA Relief valve, air or Provides process system pressure relief, operated by valve operatornitrogen operated

•E e'eti&ae solenoid'ie Prodes process: sys't~emypressure relief-opera d byva' ve operator.

RVH Relief valve, hydraulic Provides process system pressure relief, operated by valve operatoroperator

RVM eh e o ,Prodsrocess system pressure relief operated by.valve operator

STR Strainer, main pump Filters debris in main piping linesuction or discharge

SVV•.. Safety valve. -: .u • ,;Provides;process, system pressurerelief operated bsystem

TAV Air operated valve, steam Controls flow of steam to pump turbineTMY #M~tor.-.perated valve,.~: • Isolates or pe-mits steam= low, topump'turbinez; ,oerated. by motor'

;Q ... steam ,' :. : '. - . 9 operator .' ,, • :...

27

Page 46: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

5.1.9 Sub-Component and Piece-Part

The sub-component and piece-part fieldsfurther identify which parts of the componentfailed. The list of sub-components and piece-parts, is shown in Table 5-4.

5.1.10 Shock Type

This field describes the relationship of onecomponent failure to another. The allowablecodes are L (lethal) or NL (non-lethal). Givenone failure, a lethal shock type means that allother components in the CCCG will always failas well, independent of the group size. Thecoding of a shock type as lethal requires that theshared cause factor = 1.0, the timing factor= 1.0 and all components in the group failed,and all p-values = 1.0. A non-lethal shock typemeans the cause of failure may affect allcomponents in a CCCG or a subset of the CCCGwithin the PRA mission time.

5.1.11 CCF Event Operational Status

The CCF event operational status fieldindicates when the CCF event occurred or couldoccur. Allowable codes for this field areprovided in Table 5-5.

5.1.12 CCF Event Detection OperationalStatus

This field is used to indicate the plantoperational status when the CCF event wasdetected. Table 5-6 provides the allowablecodes.

5.1.13 Failure Mode

The failure mode field describes whichfunction the components did not perform. Propercoding of the failure mode is essential becausethe CCF events are sorted by failure mode forparameter estimations. The failure mode codesare shown in Table 5-7, along with a shortdiscussion of each failure mode code. The tableidentifies the applicable component for each

failure mode because some failure modesdepend on the component being coded. Theboundary identification includes specificguidance on the use of failure modes and PRAconsiderations for the system and component ofinterest.

It is possible for a component to fail inmultiple ways; therefore, a CCF event may havemultiple failure modes. In these cases, only onefailure mode code is entered with an eventrecord. To track multiple failure modes, a CCFrecord is created for each failure mode. Anexample is a loss of lubrication event for apump. In most cases, the pump would start andoperate. However, because the pump wouldeventually seize and fail, the failure mode isfailure to run. Another pump may suffer acatastrophic loss of lubrication that prevents asuccessful start and the failure mode would befailure to start. Two CCF records would beentered into the database, with the failure modeapplicability of 0.5 for each event.

5.1.14 Coupling Factor

The coupling factor field describes themechanism that ties multiple componentstogether resulting in susceptibility to the same-shared cause to create the CCF. The allowablecodes and their descriptions are presented inTable 5-8. A detailed discussion of couplingfactors is contained in Section 3.2 of this report.

5.1.15 Event Type

The event type field indicates which eventsshould be included in the parameter estimation.Some dependent events are explicitly modeledin other areas of a PRA while some CCF eventsare not modeled in a PRA because they do notcontribute significantly to plant risk. Other CCFevents need to be considered as CCF events inPRA analysis. The allowable codes and theirdescriptions are given in Table 5-9.

28

Page 47: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

TAV.*"` Acc umulator check valves

RAVY' "'"u ress regu ator,,.

... ,.nstrmentar

Sinstr-umentation.-& control

Gasketl ig

-Air,solenoid valvestemn

Valve ' Stem.

'~''~ 4 alve body

BAT BAT Lead acid batteries Cell

Lithium batteries Cell

CAbarircuit breaker

.... s. . .{4-. :..None,Various

Ukown"

B piChargerg hlter n modul

CB7 L~-imitswtr

Vntumnarious cnto

AuSilicon Tintctier

' '. ~ 4Power mnodule-

~~ ~ Norie-.

ar;f G odule"-F.47i~g'Fi 1nmo-dule-<

~<,..,.; Votage regulating-modu Ce'1

...........'Current l imiter -module

Conarol module

.elam d

FusctmNne re ay

DC breaker'-'- *-- .t-aous;

BKR C132 4160 Vac, Mechanical assembly

C133 480 Vac UV trip assembly

C134 6.9 kVac Stabs/connectors

C135 Spring charging motor

C136 Overcurrent relay

CB37 Limit switch

CR8 .Latch assembly

Instrumentation & controlClosing coil

Auxiliary contactorArc chute

RelayFuse

29

Page 48: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

Table 5-4. (continued).Component Group Component Sub-Component/Type Piece-Part

Main contactsDC distribution Control switch

Mechanical assemblyOvercurrent relay

RPS trip breakers Shunt tripWires/connectors/board

UV trip assemblyUnknown

Spring

Mechanical assemblyLatch assembly

Auxiliary contactorClosing coil

Relay

CA- ing :pin

A 9sCKSes *>'gUnk I,--.,

VACs.!fi rSteni:in!t vc•:<

Sef•.int a.y.G st/ent nutESea att&edisk

BraerScat7. Packing

Hnge pisll beanngousingDisk

- None' A-

Closure springDiska ati-rotation device'

Disk.nugstudpin,Disk stonp

'Gasked/seal(Jisllaeostud

HTge an

EDG Battery BatteryBreaker Logic circuit

RelaySwitch

Cooling MiscellaneousValve.

Heat exchangerPumpPiping

Engine PipingValve

TurbochargerShaftPiston

MiscellaneousGovernorFuel rack

Fuel nozzlesBearingSensors

Exhaust Valve

30

Page 49: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

Table 5-4. (continued).Component Group Component Sub-Component/Type Piece-Part

Fuel oil Fuel rackStrainer

TankValvePump

MiscellaneousPiping

Generator CasingGenerator excitation

Load sequencerLogic circuit

Power resistorRelayRotor

Voltage regulatorInstrumentation & control Instrumentation

FuseGovernor

Load sequencerMiscellaneous

PipingRelay

SensorsValve

Voltage regulatorGenerator excitation

Lube Oil TankCheck valve

Heat exchangerStarting Valve

StrainerMiscellaneous

MotorHTX -Heatexcl-an erk

- LShelllbaffles,S Tib6'/ ubeshet

MOV MOV Actuator Torque switchTMV Breaker

TransmissionCircuitMotor

Limit switchValve Body

DiskPacking

Stem'. MSV -- tto 4.. : , ,. , Stem i v

HSV - - - "I'ntrumenitation'&cotl-- .Limit'switch .S,-? :<;"' . - :7 ,, :-: ,,! ,: ,:9 ,; :>.:~ ;:? :':: " : 3 .• .: -; > :•" ' ~ i :••,{i:•..' !:" .:'" :' :' ': < ':':.".<,n '; " 5:, . •: •2 '.• :' : t'./ :•: b • "• ': '-: " :" : ., " ? ,• "? v - " .• ': •:•on e2 .•

31

Page 50: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

Table 5-4. (continued).

Unknow

• •,;r. g@

'Actuator stanc no

Accurnulat'r chei

Hiydraulic piloi

AiDrPpingotya

~ CylinderFuse~

Hydraulic cylilHydraulic Oi1~

Actuator guide

OVave., Seat/disk-Stuffing~bk

Unknowr

~... .~Poppet pilot asý* Padcking/lubr

r~ ~ Valve hod

P PMP Discharge Check val)NMP . PipingTDP RecircMOT Valve

Driver BearingSupportsPiping

Packing/sealsMotor

LubricationBreaker

Instrumentation & controlPacking

CouplingShaft

Plunger/cylinderPacking/seals

BearingImpeller/wear rings

Lubrication

Pump

32

Page 51: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

Table 5-4. (continued).Component Group Component Sub-Component/Type Piece-Part

CasingBreaker

Suction ValveTank

StrainerPiping

Instrumentation & controlBooster pump

SVuator Sackin'RVE~' ~~' Accumiulat.6r chckyalves~RVI{47 Wires

'SVV Unknown -

Str usg/fiutingshoes

TrSt ollari

Teavlssets/o rngs

Valve stemn- None,

sfLmt ',itches~ ~ffinstrumentaition & control,

~~Fuse' Diaphiragm.ý

~ ~J~-:~ ~> ~ B ~ :oosterv, ve

Valve Noz lermgs

'U ~ '~-Valve, roke,s' av tein

2-P~cicdgGu6ide bus..ib l.

"Valve seat/diskSTR SRS Strainer Various

SRK Backflush regulatorDrive couplingFilters/screens

Shear pmnStrainer adjustment shoes

Strainer basketThrust collar

Traveline screens

33

Page 52: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

Table 5-5. Operating mode codes.

Code Description

OP The CCF event could occur only during a power operation condition

SD [Fhe.,CCF. en ol cu'ydrn sudw vrt~~odto

Table 5-6. Detection codes.Code DescriptionD ~ ~~~~~s ... •: ,•i vn a etected during'lant shuitdown... •, .... , ,D Thebvet w"'

O The event was detected during power operations

Table 5-7. Failure mode codes.

Code Description Component Discussion

cirut eaer f- WVA66'--btopen on de~ma dr•CC K Fai:?.El to openi %:>': •ptet. V~:.alve .•A•circuit breaker 6r.valverdoe-otpeodmnd

-'n. " ..n-A V 616se . ... -

FR Fail to run Pump, EDGs The component fails to continue running at ratedconditions after reaching rated conditions

F a il to s ta rt -.. o.-df iPu m p ,E D C s ,, . . • , 4 , I1 i e s ta or ea c ti ,a te d

FX Fail to stop Pump, EDGs The component fails to stop operating£,-C.

ughvo-ageb~:.c~o~n

NO No voltage/ Battery, charger A device, such as a battery or instrument, fails toamperage output provide an output signal

ýý, flow/plugged<:ý-ý.-ýHa-ec ;er L>!ý f jw-6rfure-:o fa fea~excger,- ~ .~AP- sffa-4 r. sfrha-bec..~ý,,'f ýuig&p

00 Fail to close Circuit breaker, valve A component fails to close within the required(normally open) amount of time

S .' Spurous Circuit breaker;,valve'-,'dvidcetrtnps tob an•.unmtend positionib&ausefma~n~ cause (loose ' jgý

actioi ' ,

VR Fail to remain Valve A valve is leaking internally past the valve seat,closed (detectable with detectable system effect, including leakage inleakage) excess of technical specification or safety analysis

limits; if evidence exists that the valve didn't closefully initially, the 00 code is used

34

Page 53: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

Table 5-8. Coupling factors.

Code Description DiscussionEE J. eet Oi

El Environment, internal The internal environment couples component failuresenvironment/working medium

DP tHardware- dem aa .co componentfb Týrýeifý,6fpýhe,safr &jna~ trnlpngu~~~pfiejd d'nv

(itra alrts) :.

HDSC Hardware design, system Component failures are coupled by design features within theconfiguration (physical system in which they are locatedappearance)

HQC- Hardwýare q--ýu-a-1iit y ia rs-aecuiedyf ~,*s. .istallation/,onstruction (initial: `on toifeaturesi.fronm itiaal, itaton,construction,

or modifictioi n or subs

HQMM Hardware quality, Component failures are coupled by hardware qualitymanufacturing deficiencies from the manufacturing processc~~le mamtenancetet cmesareupe(ymamtenance and(test-

OMTP Operational, maintenance/test Component failures are coupled by the same maintenance orprocedure test procedure

OMT.S •Operatiotinh.ma•itenance/rest) v- di m nnfailures`are-cqupedOby(maiteha estatUfV- ;e .

OOOP Operational, operation Component failures are coupled by operations proceduresprocedure

OOOS. perationa, 6prtoi "A ffa .Componen 'taiftiies ar,c pd b~o~ais taf pefsonnei~000~ero a,,pr io C,'idain

Table 5-9. CCF event types.Code Description DiscussionCCF x:•.``CCF •estimatinoh .::-: Eevenits:hat'atr•egenfer~alc~nstd~dErapphicableto PRA CGCRFparametncA?;

'AW hp svstemnbecaiise6

c fifEXP Explicitly Events that are modeled explicitly in system analyses include events caused

modeled by failure of support systems, cascade failures from system configuration,and certain types of operator actions. For example, a failure in the EngineeredSafety Feature Actuation System caused the AFW pumps failure to start. Thistype of failure would be modeled as part of the Engineered Safety FeatureActuation System PRA model.

.. .:n.ii--ic'.-•'- a trmg,d g cns'ai siaiur tadot not.e.....- ipacfo fi'ysterii p tf6nin iif ~id th s:a-erfotgeneraily -ih'iilded iif-PRA

-ode'.(g c knp .Wsepoint slightly ousiae.of ecncaspifatolimts,-pac ig.,ak thjat were iiisignifcn)i

35

Page 54: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

5.1.16 Failure Mode Applicability

Failure mode applicability represents thepercentage of specific failure modes for multiplecomponent failures involved in the CCF event.This is a weighting factor for parameterestimation for a CCF event involving multiplefailure modes. Failure mode applicability is adecimal number from 0.0 to 1.0. If there is onlyone failure mode for multiple failure events, thefailure mode applicability is 1.0 because onlyone failure mode resulted from all componentfailures. If there is more than one failure modeassigned to a single CCF event, the sum offailure mode applicabilities is equal to 1.0.Failure mode applicabilities for a multiplefailure mode event is a percentage of failuresaffected by each failure mode. For example, iftwo pumps fail to start and one fails to run, thefailure mode applicabilities are assigned 0.67and 0.33, respectively.

5.1.17 Shared Cause Factor

By definition, a CCF event must result froma single, shared cause of failure. However, theevent reports may not provide sufficientinformation to determine whether the multiplefailures result from the same cause or differentcauses. Because of this, the analyst sometimesmust make a subjective assessment about thepotential of a shared cause. The shared causefactor allows the analyst to express a degree ofassurance about the multiple failures, resultingfrom the same cause. The acceptable input forthis field is a decimal number from 0.1 to 1.0.To ensure consistency in the coding, 0.1, 0.5,and 1.0 are used. Guidance and examples areprovided in the following:

1.0 Used when the analyst believes that thecause of the multiple failures is the same,often resulting in the samefailure/degradation mechanism and affectingthe same piece-parts in each of thecomponents. The corrective action(s) takenfor each of the components involved in theevent is (are) also typically the same. Thefollowing illustrates an event with a sharedcause factor of 1.0:

"Three turbine-driven steam-supply checkvalves failed to open. Investigation revealedsimilar internal damage to all three valves.The failures for each valve were due tosteam system flow oscillations causing thevalve discs to hammer against the seat. Theoscillations were ultimately attributed toinadequate design. The valve internals werereplaced, and a design review is beingconducted to identify ways of reducingflow-induced oscillations."

Statements in the event report that indicatethe same cause, failure mechanism, orfailure symptoms are usually goodindicators of a shared cause of failure. Thisis true even if little information isprovidedabout the exact nature of the problem.Statements such as "investigation revealedsimilar damage to all three redundantvalves," "loose screws found in five circuitbreakers," and "several air-operated valvesmalfunctions because of moisture in the airsupply," indicate a shared cause factor equalto 1.0.

Any information available that is not in theevent narrative (the NPRDS or EPIX failurereport or the LER abstract) is included in theComments field.

0.5 This value is used when the eventdescription does not directly indicate thatmultiple failures resulted from the samecause, involved the same failure mechanism,or affected the same piece-parts, but there isevidence that the underlying root cause ofthe multiple failures is the same. Thefollowing example illustrates a shared causefactor equal to 0.5:

"Binding was observed in two check valves.Wear of the hinge pin/pin bearing issuspected to have caused the binding of thevalve disc, resulting in failure of the firstvalve. The hinge pins were binding in thesecond valve due to misalignment. Furtherinvestigation of the second valve failurerevealed inadequate repair/maintenanceinstructions from the vendor andengineering department."

36

Page 55: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

The event description presents two differentcauses of failure (wear and misalignment)for these valves. Therefore, these failurescould be considered independent. However,it is clear that there is a programmaticdeficiency associated with repair andmaintenance of these valves. It is possible,for example, that the inadequate instructionsfrom the vendor and engineering departmentresulted in the first valve being misalignedand the misalignment caused abnormal orexcessive wear. It is also possible that theevent descriptions were written by differentmechanics and the difference in the causedescription is simply a difference in theirwriting styles (one focused on the actualcause [misalignment], the other on thesymptom [wear]). In either case, both valveswould have failed because of misalignment,making this a CCF.

•;0.1I This value is used when the eventdescription indicates that the multiplefailures resulted from different causes,involved different failure mechanisms, oraffected different piece-parts, but there isstill some evidence that the underlying rootcause of the multiple failures is the same.The following examples illustrate a sharedcause factor equal to 0. 1:

"Water was found in the lubricating oil forthe motor of the RHR 'D' pump. The sourceof the water was a loose fitting at the motorcooling coil. The fitting was replaced."

"A severe seal water leak was observed atthe RHR 'B' pump. The source of this leakwas a missing ferrule in the seal water linepurge fitting. The ferrule was possibly leftout during a previous pump seal repair. Anew pump seal fitting ferrule was installed."

These events involved different pump sub-components (motor cooling and seal water)and the specific causes of failure aredifferent (loose fitting and missing ferrule).These are indications that the failures areindependent. However, it can also bespeculated that the utility has programmaticdeficiencies -(e.g., inadequate training andprocedures) regarding water pipingconnections and fittings, particularly if therehas been a history of similar events. If so,the root cause of the problem is lack oftraining, inadequate procedures, etc., makingthe cause of the multiple failures the same.Since this hypothesis is highly speculative,the shared cause factor is small.

5.1.18 CCF Event Level

The CCF event level field indicates whetherevents impact overall system operation or onlyaffect specific components within the system.The allowable codes for this field and theirdescriptions are provided in Table 5-10.

5.1.19 Common-cause ComponentGroup

This field indicates the size of thepopulation that can be exposed to a CCF. Theacceptable values for this field are integers from2 to 16 with at least two being required to meetCCF event definition; If there are more than 16components, 16 should be entered in the CCCGfield and additional information should beincluded in the event comments. Each CCFevent needs to be considered before assigningthe CCCG. Some failures will not affect allsimilar components in the system, so theappropriate CCCG is the number of componentssusceptible to that specific failure event.

Table 5-10. CCF event levels.Code Description Discussion

SYS System Level

iThie ECCey.t, i•acomponent level failure(e.g., a CCF:event~that caused two.}:v;alve iinlegifrain of a three-train system to.fail;iin~tt ekample, :thftrains;

weeavaila bleThe CCF event is a system functional level failure (e.g., a CCF event thatresulted in the failure of two trains of a three-train system)

37

Page 56: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

5.1.20 Multiple Unit 5.1.21 Defense Mechanism

This field is to indicate if the CCF eventaffects more than one power plant at a single site("Y" or "N"). Very few events will be coded Y;most are for the EDGs. A CCF event will becoded for each unit, and both will have multi-unit = Y. Some licensees check operability ofcomponents at a second unit once they havefound failures at one unit.

This field describes the actions a licenseecan take to eliminate the coupling factor andprevent the CCF event firom recurring. Thedefense mechanism selection is based on anassessment of the coupling factor between thefailures. The allowable defense mechanisms areprovided in Table 5-11.

Table 5-11. Defense codes.Code Description DiscussionD,,D s."; Increased diyersityouldhavde prevented aýCCF,;this includes diversity* i

-=• .,:,,, :•:,•.•.,,,..•• .:•.•.p •,.e quipmenL, ty,t es of equipment, ro e ues,,.eqUipment, funictions,- .... •...:.

+mandufacturers, supiers,, pprsotnel;,etc;.jIFSB Functional A decoupling of a CCF event could have been accomplished if the

equipment barrier (functional and/or physical interconnections) had beenmodified

IDE, l'i Cmponent.If the comp6nentidenticatiniihad been modified byearly-a ~O hCCF elefltiould' hae ben, revetld''rlyml...- identiirati 0• iittei•igqipnenta ,:eVebneen

iviaintenthn e ýttlcais,, are ibett e'eulpmendentýifiecath ono1 o io ge tc,:MAI Maintenance staffing A maintenance program modification could have prevented a CCF; the

and scheduling modification includes items such as staggered testing andmaintenance/operation staff diversity

MON ,Monitor"'ing/''..areness.,.... , ,ireasd momtormg,:surveillance, ... "persofinel traiig" :could" have"

NON No practical defense No practical defense could be identifiedP B K P.h.y s¢ia1barri pl bi ' e s epIarti n dla e..pev ented.a CCFUKN Unknown Sufficient detail is not provided to make adequate defense mechanism

identification

5.1.22 Safety Function

The safety function field represents theobserved failure mode as it pertains to the safety

function of the component as installed in thesystem. The allowable codes and theirdescriptions are given in Table 5-12.

Table 5-12. Safety function codes.Code Description Discussion

Fii-safey< 11> an efind its 'iife.

NFS Non-fail-safe Normal safety function was impaired

K Ui:k2 wn:U ,Saf etyunction caiot bedeiiiiin,,•

38

Page 57: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

5.1.23 Component Degradation Values

The component degradation value fieldindicates the extent of each component failure asa probability that the degree of degradationwould have led to failure during systemoperation. If the shock type is "lethal," allcomponents in the CCCG will have adegradation value equal to 1.0. The allowablevalues are decimal numbers from 0.0 to 1.0.There must be as many p-values as the numberof components listed in the CCCG field. If somecomponents are not degraded, their p-values arecoded as 0.0, indicating no degradation. Apotential failure (e.g., a design flaw that wouldhave resulted in failure) will be coded as theactual degradation on the parallel failedcomponent only if it is certain that thedegradation would have occurred. For example,a wiring discrepancy that would have preventeda pump start is coded as p = 1.0 because it is

•certain the pump would not have started and it isa complete failure. If the CCF event onlyaffected two of three pumps, P3 = 0.0. Codingguidance for different values follows:

1.0 The component has completely failed andwill not perform its specific function. Forexample, if a pump will not start, thepump has completely failed, anddegradation is complete.

0.5 The component is capable of performingsome portion of the safety function and isonly partially degraded. For example, highbearing temperatures on a pump will notcompletely disable a pump but willincrease the potential for failing within theduration of the PRA mission.

0.1 The component is only slightly degradedbut component safety function isimpacted. An example would be a safetyvalve with setpoint drift in excess oftechnical specification but still within thebounds of the plant safety analyses. Thisalso includes incipient failures wheresome degradation or a degradationmechanism has become apparent, has notyet impacted component function, but hascaused failures in other components. For

example, casing bolt failures fromcorrosion lead to a pump failure. Thecause of the corrosion ii determined to beincorrect bolt material. Other pumps in theCCCG that had not failed would beconsidered degraded if they had theincorrect bolts installed, even if notseverely corroded, and the failures wouldbe considered incipient.

0.01 The component was Considered inoperablein the failure report; however, the failurewas so slight that failure did not seriouslyaffect component function. An examplewould be a pump packing leak that wouldnot prevent the pump from performing itsfunction.

0.0 The component did not fail.

5.1.24 Use

The use field is marked with an X if thecomponent applies to the parameter estimationanalysis.

5.1.25 Date

This is the failure occurrence date or thedate it was detected if the actual failure date isunknown. The format of the date field isYYYY/MM/DD.

5.1.26 Comments

This field contains the analyst's commentsand assumptions on coding decisions. Forexample, if there were two different failuremodes for two failures within the CCF event, thesecond failure mode would be discussed here,even though an additional record was created forthe second failure mode. Coder assumptionsabout the applicability of an event to the CCFdatabase are discussed here, as are assumptionsabout the CCCG or any other data field. ForCCF events identified from LERs, the LERnumber is referenced here. A number is listedfor NPRDS and EPIX as well; this is internal tothe INL data tracking system and does not referto anything specific in the NPRDS database.

39

Page 58: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

5.1.27 Narrative

LER abstracts and NPRDS failure reportnarratives are in this field. EPIX narratives aretoo lengthy to replicate in the Narrative field.The analyst will paraphrase the event in thisfield.

5.1.28 Insights Description

The analyst will compose a short butinformative description of the event. Thisdescription will then be used to populate theevent description tables in the Insights Studies.The description will be in sentence structure andwill use correct grammar and spelling.

5.2 Independent Failure Coding

During the initial analysis of the failureevents, all failures from both NPRDS/EPDIfailure reports and LER text are characterizedand counted as though they are independentfailures. Common dependencies are determinedlater.

Five pieces of information, discussed below,are recorded for each failure: failure mode,system, component, number of failures, andp-value. The NPRDS or EPIX data set iscompared to the LER data set to ensure that

4'independent failures are not counted more thanonce. Once independent failure count data aredeveloped, the independent event count data areentered into the CCF database for use in theparameter estimations.

5.2.1 System

The system code identifies the power plantsystem, which includes the individual failedcomponents. Table 5-1 provides the systemcodes.

5.2.2 Component

The component code describes theequipment that experienced the failure. Thiscode corresponds to the component code for thecomponent analyzed for CCF events. The codesare intended to be operational system

components and not piece-parts. The codes aredefined in Table 5-3.

5.2.3 Sub-Component and Piece-Part

The sub-component and piece-part fieldsfurther identify which parts of the componentfailed. The appropriate sub-components andpiece-parts are listed in Table 5-4.

5.2.4 Failure Mode

The failure mode describes the function thecomponent did not perform. The codes aredefined in Table 5-7.

5.2.5 Safety Function

The safety function field represents theobserved failure mode as it pertains to the safetyfunction of the component as installed in thesystem. If the normal safety function wasimpaired, the code will be Non-Fail-Safe (NFS).If the component failed and performed its safetyfunction, the code will be Fail-Safe (FS). If itcannot be determined, the event shall be code asUnknown (UKN).

5.2.6 Component Degradation Values

This is the same as the CCF componentdegradation value, discussed in theSection 5.1.23, but applied here to singlefailures.

5.2.7 Number of Failures

This is the number of failures discussed in asingle report for each combination of system,component, and failure mode. An NPRDS orEPIX record generally reports only one failurefor one component. LERs, however, can reportseveral failures of either the same componenttype or multiple component types in a singleLER.

5.2.8 Event Type

The appropriate event types are as follows:

* Independent (IND): The event is a validfailure event for the CCF study.

40

Page 59: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

Common-cause Failure (CCF): The eventeither contains multiple failures that qualifyas-a CCF or the event is one of a set ofevents that are part of a CCF event.

* No Failure (NOF): The event is not a validfailure.

" Not in Study (NIS): The event describes thefailure of a component that is not in the listof components for which data is beingcollected.

" Duplicate Event (DUP): The eventdocument is a duplicate record of acomponent failure. This usually occurs whenan LER has been written for a failure that isalso recorded in NPRDS or EPIX. Byconvention, the EPIX or NPRDS eventshould be the one selected as a duplicate.

5.2.9 Detection Method

This field denotes the circumstances underwhich the failure was detected. Four categoriesare provided:

Discovered during Surveillance. Theseevents are detected during the performanceof scheduled surveillance tests. In somecases, the surveillance test is performed toensure that previous maintenance wasperformed correctly; these are not countedas valid failures because the component hasnot yet been declared operable.

" Discovered during Inspection. Theinspection detection method includesalarms, walk downs, observation, etc.

* Discovered during a Demand. Componentdemand means that the component wasstarted, opened, closed, or operated foreither normal plant operations or in responseto a safety signal. Spurious demands areincluded in this category.

" Discovered during Maintenance.Maintenance activities generally detectlatent conditions. The analyst must ensurethat the failure is not detected before thecomponent is declared operable.

5.2.10 Comments

The comments memo field is provided sothe analyst can paraphrase the event and recordobservations about the coding.

41

Page 60: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events
Page 61: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

6. EVENT CODING EXAMPLES

This section contains six examples of codedevents. Sample coding forms are also shown:

1. Boiling water reactor (BWR) safety reliefvalve corrosion bonding

2. Low-suction pressure trips on AFW pumps

3. Loss of power to safety injection valves

4. Excessive packing leaks

5. Start relay on AFW pumps

6. Aging/wear.

43

Page 62: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

6.1 Coding Example 1: BWR Safety-Relief Valve Corrosion Bonding

Testing of the main steam safety relief valves (SRVs) revealed twelve of the fourteen valves failed tolift within technical specification acceptance limits because of corrosion bonding of the pilot seat anddisk. Setpoint drift is caused by (potentially) numerous and often indeterminate random variables. Valvefailures from corrosion bonding of the seat and disk are specifically design-related failures involvingmaterial selection, operating conditions, and system design. The following codes were assigned:

System

Proximate cause

Timing factor

Component

Shock type

CCF event operational status

CCF event detectionoperational status

Failure mode

Coupling factor

CCF event type

Failure mode applicability

= BWR main steam system (MSS).

= DC (construction/installation error or inadequacy) because the corrosionbonding phenomena is related to the material selection for the pilot valve seatand disk.

= 1.0 because all valves failed during the same test.

= RVA (relief valve, air)

= NL (non-lethal) because the prevalent failure mechanism did not affect allcomponents.

= BO because this event can occur in operation or shutdown.

= D because the event can only be detected during shutdown.

= CC (fail to open) because the setpoints were significantly out of tolerance(high) from corrosion bonding of the pilot seat and disk. Technicalspecification tolerance is +/- 1%. The valves lifted in the range of 3% to 9%above the allowable tolerance.

= HDCP (Hardware Design: Component Parts) because the failures are linkedby the same valve designs.

= CCF because this type of event is considered during a CCF parameterestimation.

= 1.0 because there is only one failure mode that is appropriate for this eventand all valves failed in this mode.

= 1•.0 because the failure mechanism is the same for all valves.

SYS because the majority of the SRVs failed.

14 because there are fourteen SRVs.

N because the event only affected Limerick 1

FSB because design modifications could have prevented the CCF event.

"X" for all 14 events because they all apply to the parameter estimationanalysis.

0.1 for SRVs numbers 1-12, which were slightly degraded, and 0.0 for SRVnumbers 13 and 14, which were unaffected.

Shared cause factor

CCF event level

CCCG

Multiple unit

Defense mechanism

Use field

Degradation factor

44

Page 63: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

Name

Title

System

Compon

Failure I\

FMA

CCCG

E-352-(

Twelve of F

)0-0366-CC Plant Limerick 1

ourteen SRVs Failed High Due to Corrosion Bonding

Power 0

MSS Cause DC

ent RVA Shock Type NL Op. Status BO

4ode CC Coupling Factor HDCP

1.0 Shared Cause Factor 1.0

14 Multiple Units N

Timing Factor

Det. Status

Event Type

Event Level

Defense Mech.

1.0

D

CCF

SYS

FSB

1

2

3

4

5

6

7

8

Usex

x

x

x

x

x

x

x

P0.1

0.1

0.1

0.1

0.1

0.1

0.1

0.1

Date04/04/00

04/04/00

04/04/00

04/04/00

04/04/00

04/04/00

04/04/00

04/04/00

Component Degradation Values

Time Use P

9 X 0.1

10 X 0.1

S11 X 0.1

12 X 0.1

13 X 0.0

14 X 0.0

15

16

Date04/04/00

04/04/00

04/04/00

04/04/00

Time

Comments:

The cause was attributed to corrosion bonding of the pilot seat and disk. 12/14 SRVs fail to openwithin technical specification tolerance. As-found lifts ranged 3.6 to 9.7% above the required setpoint.

45

Page 64: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

6.2 Coding Example 2: Low-Suction Pressure Trips on AFW Pumps

During surveillance testing, two of three AFW pumps tripped on low-suction pressure. It wasdetermined that the trips were the result of momentary drops in suction pressure as the pumps werestarted. The pump vendor felt that the trips were not needed and should be removed. The trips wereoriginally designed and installed to protect the pumps, and the low-pressure trips were not considered tohave a safety-related function. The following codes were assigned:

System

Proximate cause

Timing factor

Component

Shock type

CCF event operational status

CCF event detectionoperational status

Failure mode

Coupling factor

CCF event type

Failure mode applicability

Shared cause factor

CCF event level

SCCCG

Multiple unit

Defense mechanism

Use

Degradation factor

= The AFW system.

= DE (design error or inadequacy). The failure is the result of a design error becausethe trip circuits were erroneously installed and the design not adjusted.

= 1.0 because both pumps failed closely in time.

= MDP (motor-driven pump). The component boundary is pumps including thesuction lines and control circuitry. With the low-suction pressure trips in operation,the pumps were considered failed because they tripped. The component is MDPbecause the LER indicates that only the motor-driven pumps were affected.

= NL (non-lethal). The shared cause factor is applicable to the entire componentpopulation. However, the failures were random and not consistent.

= BO because the condition could have been noted during shutdown or operation.

= 0 because the event was detected during testing at power.

= FR (fail to run) because the pump would not run long enough to fulfill its safetyfunction, even though it actuated and started.

- HDCP (Hardware Design: Component Part [Internal Parts: Ease of Maintenance &Operation])) because it is a design error in the component part.

= CCF because this type of event is considered during a CCF parameter estimation.

- 1.0 because there is only one failure mode and it is applicable to both failures.

- 1.0 because the failures of both pumps are of the same design and installation.

= SYS because two parallel pumps failed.

= 2 because at this plant there are two motor-driven pumps in the AFW system withlow suction pressure trips. The LER indicates that only the motor-driven pumpswere affected, so the turbine-driven pump is not included.

= N because the event only affected Millstone 3.

= FSB (functional physical barrier) because the shared cause factor is the systemdesign.

= "X" for the two failures that occurred because they both apply to the parameter.

= 0.5 for both events because both motor-driven pumps would perform their functionintermittently and therefore are partially degraded.

46

Page 65: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

Name

Title

System

L-423-87-0047-FR Plant Millstone 3 Power 100

Both Motor-Driven Aux. Feedwater Pumps Tripped due to Suction Pressure Fluctuations

AFW

Component MDP Shock Type

Failure Mode FR

FMA 1.0

CCCG 2

Cause DE

NL Op. Status BO

Coupling Factor HDCP

Shared Cause Factor 1.0

Multiple Units N

Timing Factor

Det. Status

Event Type

Event Level

Defense Mech.

1.0

0

CCF

SYS

FSB

Component Degradation ValuesTime Use

1

2

3

4

5

6

7

8

Usex

X

P0.5

0.5

Date01/27/87

01/27/87

P Date9

10

11

12

13

14

1516

Time

Comments:

Both motor-driven auxiliary feedwater pumps tripped due to fluctuations in suction pressure.. This tripfunction was not safety-related so it was removed. The turbine driven pump was not affected.

47

Page 66: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

6.3 Coding Example 3: Loss of Power to Safety Injection Valves

An overload condition resulted in loss of power to a load center that supplied two safety injectionvalves. The following codes were assigned:

System = The HPI system.

Proximate cause = QP (state of other component) because the state of the injection valves arecaused by another component failure.

Timing factor 1.0 because both injection valves failed simultaneously.

Component = MOV and the boundary includes the circuit breaker.

Shock type NL (non-lethal) because the prevalent failure mechanism did not affect allcomponents and trains.

The CCF event operational = OP because this event can only occur during an operational condition.status

CCF event detectionoperational status

Failure mode

Coupling factor

CCF event type

• Failure mode applicability

Shared cause factor

CCF event level

CCCG

Multiple units

Defense mechanism

Use

Degradation factor

O because the event was detected at operation.

CC (fail to open) because the injection valves are normally closed and failedto open because of not receiving an actuation signal.

HDSC (hardware design, system configuration) because the electrical sourceis shared by the two components.

EXP (explicitly modeled) because this type of event is explicitly modeled inPRA in combination with electric power. Coding this event in this mannerwill allow the analyst the ability to develop PRA specific parameter.estimations.

= 1.0 because there is only one failure mode that is appropriate for this eventand both valves failed in this mode.

= 1.0 because the failure of both injection valves is closely linked because ofshared equipment dependence.

= COM (component level) because this event affected only one train.

= 6 because there are six injection valves, two on each train.

= N because the event only affects San Onofre 1

= FSB (functional/physical barrier) because a decoupling of the CCF eventcould have accomplished if functional barriers were administered.

= "X" for all six events because they all apply to the parameter estimationanalysis.

= 1.0 for the two failed injection valves and 0.0 for the unaffected injectionvalves in the other trains.

48

Page 67: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

Name

Title

System

Componi

Failure N\

FMA

CCCG

L-206-8:

Loss of Powe

5-0556-CC Plant San Onofre 1 Power

er to MCC Caused Loss of High Pressure Safety Injection Valves

92

HPI Cause QP Timing Factor

ent MOV Shock Type NL Op. Status OP Det. Status

4ode CC. Coupling Factor HDSC Event Type

1.0 Shared Cause Factor 1.0 Event Level

6 Multiple Units N Defense Mech.

1.0

ý0

EXP

COM

FSB

1

2

3

4

5

6

7

8

Usex

x

x

x

x

x

P1.0

1.0

0.0

0.0

0.0

0.0

Date06/16/85

06/16/85

Component Degradation ValuesTime Use P Date

9

10

11

12

13

14

15

16

Time

Comments:

An overload condition on the motor control center, caused by a faulty vacuum pump breaker, resulted*in the loss of power to 2 HPSI valves.

49

Page 68: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

6.4 Coding Example 4: Excessive Packing Leaks

The packing in two pumps failed because of normal wear and aging. The leakage was reported by thelicensee as "excessive." The following codes were assigned:

System = AFW system.

Proximate cause

Timing factor

Component

Shock type

CCF event operational status

CCF event detectionoperational status

Failure mode

Coupling factor

CCF event type

Failure mode applicability

Shared cause factor

CCF event level

CCCG

Multiple units

= IC (internal to the component, piece-part) The failure resulted from wear-out.

= 0.1 because the failures occurred more than a month apart.

= PMP (pump). With the pump packing failing, the pumps failed. Although onlythe motor-driven pumps were affected in this event, there's no indication thatturbine-driven pumps are not susceptible to the same causal factors.

NL (non-lethal) because failures are loosely coupled and not likely to affect theentire component population.

= BO because the CCF event can occur during operating or shutdown conditions.

= 0 because it was detected while the plant was at power.

= FR (fail to run) because the pumps would start but would not continue tooperate.

= OMTC (Operational: Maintenance/Test Schedule) because it is assumed thatmore frequent maintenance would have replaced the packing before it leaked.

= CCF because this type of event is included in a PRA system model. The reportindicated that the leakage was excessive, and would impact pump operation. Aleak not indicated to be "excessive" would be considered "INS."

= 1.0 because there is only one failure mode and it applies to both failures.

= 0.5 because the failure of both pumps is linked by maintenance schedules. It isuncertain if more frequent maintenance may eliminate the coupling betweenthese components with respect to this cause.

= COM because this is a component-level type failure because parallel pumpswere degraded, but multiple trains were not disabled simultaneously.

= 3 because there are three pumps.

= N because the event only affected San Onofre 1.

= MAI because the shared cause factor is operating and maintenance schedule,where a change in the maintenance staffing or scheduling may have preventedthe CCF event.

= "X" for three events, two that occurred and one that did not occur (one pumpdid not fail).

= 0.1 for the two failures, because these failures did not significantly affect theoperation of the pumps. A degradation factor of 0.0 was assigned to the pumpthat did not fail.

Defense mechanism

Use

Degradation factor

50

Page 69: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

Name

Title

System

Compon

Failure I•

FMA

CCCG

N-206-

Both Motor-

90-0050-FR Plant San Onofre 1 I

-Driven Auxiliary Feedwater Pumps had Excessive Leakage

Power 100

AFW Cause IC Timing Factor

ent PMP Shock Type NL Op. Status BO Det. Status

4ode FR Coupling Factor OMTC Event Type

1.0 Shared Cause Factor 0.5 Event Level

3 Multiple Units N Defense Mech.

0.1

0

CCF

COM

MAI

1

2

3

4

5

6

7

8

Usex

X

X

P

0.1

0.1

0.0

Date04/24/90

07/03/90

Component Degradation Values

Time Use P Date

9

10

11

12

13

14

15

16

Time

Comments:

Both motor-driven auxiliary feedwater pumps had excessive packing leakage resulting in degradedsystem operation. The cause of the leakage was determined to be normal wear.

51

Page 70: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

6.5 Coding Example 5: Start Relay on Auxiliary Feedwater Pumps

The circuit breakers on the motor-driven pumps failed to operate properly. In one case, it was unclearwhether or not the breaker had closed and the motor started; in the second case the breaker did not close.Both cases were the result of broken or dirty switch contacts. The following codes were assigned:

System

Proximate cause

Timing factor

Component

Shock type

CCF event operational status

CCF event detectionoperational status

Failure mode

Coupling factor

CCF event type

Failure mode applicability

Shared cause factor

CCF event level

CCCG

Multiple units

Defense mechanism

Use

Degradation factor

= AFW system.

= IE because the failure is the result of an environmental condition external to thecomponent.

= 1.0 because the failures occurred simultaneously.

= MOT (motor). The component boundary is the motor, including the motor,breaker, and control circuit. When the control switches fail, the motors areconsidered failed.

= L (lethal) because the failures are tightly coupled.

= BO because the event can occur during either operating or shutdown conditions.

= D because it was detected during a refueling outage.

= FS (fail to start) because neither motor started.= EE (external environment) because of the shared external environment.

= CCF because this event is considered 'important during a CCF parameterestimation.

= 1.0 because there is only one failure mode and it applies to both failures.1.0 because failure of both motors is linked by a factor that will always affect thecomponents in a similar manner.

= SYS because this is a system type failure.

= 2 because there are two motor-driven pumps.

= N because the event only affected Indian Point 2.

= PBR (physical barrier) because the shared cause factor is an environmental factorwhere separation between the two components could have prevented the CCFevent.

= "X" for both events because they apply to the parameter estimation analysis.

= 1.0 for both failures because the motors did not start.

52

Page 71: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

Name

Title

L-247-84-0001-FS Plant Indian Point 2

Two Auxiliary Feedwater Pumps Failed due to Start Relay Failure

Power 0

System

Component MOT

Failure Mode

FMA

CCCG

ALFW

Shock Type

FS

1.0

2

Cause IE

L Op. Status BO

Coupling Factor EE

Shared Cause Factor 1.0

Multiple Units N

Timing Factor

Det. Status

Event Type

Event Level

Defense Mech.

1.0

D

CCF

SYS

PBR

1

2

3

4

5

6

7

8

Usex

x

P1.0

1.0

Date09/10/84

09/10/84

Component Degradation Values

Time Use P Date

9

10

11

12

13

14

15

16

Time

Comments:

Both motor-driven auxiliary feedwater pumps failed to start on demand. One relay for each pumpmotor had failed due to insulation degradation.

53

Page 72: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

6.6 Coding Example 6: Aging/Wear

The AFW pumps were susceptible to corrosion cracking of their bushings. A different material wasneeded for the shaft sleeves. All four pumps at the two units were affected. A separate 'record was inputfor Unit 2. The following codes were assigned:

System

Proximate cause

Timing factor

Component

Shock type

CCF event operational status

CCF event detectionoperational status

Failure mode

'Coupling factor

CCF event type

Failure mode applicability

Shared cause factor

,'CCF event level

CCCG

Multiple units

Defense rimechanism

Use

Degradation value

= AFW system

= DE (design deficiency). It was determined that the stainless steel materialused for the sleeve material was too hard, which resulted in higher stress-related corrosion susceptibility.

= 1.0 because the degraded condition existed in all components simultaneously.

= PMP (pump). The component boundary is the pump, including the pumpshaft.

= L (lethal) because the failure is applicable to the entire population.

= BO because the event can occur in operation or shutdown mode.

= D because detection occurred and'is most likely to occur when the plant isshut down.

= FR (fail to run) because it is assumed that the pump shaft will fail duringstress loading when the pump is running. This would disable the pump fromcontinuing to deliver discharge pressure after it had been successfully started.

= (HDCP) hardware/design of the component (HDCP). All components usedthe same material.

= CCF because it would not typically be modeled explicitly in a PRA andshould be included in an estimation of the CCF basic event (BE) for the AFWpump.

= 1.0 because there is only one failure mode and it is applicable to both failuresand potential failures in the record.

= 1.0 because a design error in the manufacturing process will closely tie thecomponents together.

= Component level failure since other trains were available for AFW.

= 2 because there are two pumps affected by this event at each unit.

= Y because the event also affected South Texas 2.

= DIV (diversity). This defense mechanism states that an increase in thediversity of the pumps could have prevented a similar CCF.

= "X" for both components because they both apply to the analysis.

= 1.0 for one of the pumps because it failed. The other pumps contained thesame material that failed. One of the three remaining pumps at the two unitswas inspected and revealed that similar cracking to the sleeve shaft hadoccurred; therefore, the second degradation value was assigned 0.1 to indicatepotential cracking and failure of the pump.

54

Page 73: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

Name

Title

System

Compon

Failure

FMA

CCCG

L-498-.

Stress Corrc

88-0048-FR Plant South Texas 1 P

sion Cracking/Hydrogen Embrittlement of AFP Shaft Sleeve

ower 0

AFW Cause DE,

ent PMP Shock Type NL Op. Status BO

Aode FR Coupling Factor HDCP

1.0 Shared Cause Factor 1.0

2 Multiple Units Y

Timing Factor

Det. Status

Event Type

Event Level

Defense Mech.

1.0

D

CCF

COM

DIV

1

2

3

4

5

6

7

8

Use

xx

P1.0

-0.1

Date

02/28/88

05/12/88

Component Degradation Values

Time Use P Date9

10

11

12

13

14

15

16

Time

Comments:

An AFW pump failed its performance test because of internal damage, including a split in the shaftsleeve. A second pump, used as a replacement for the first one, also had the same damage. The causewas determined to be stress corrosion cracking/hydrogen embrittlement of the sleeve material. Allpumps at both units were considered affected and the sleeve material in all pumps was replaced.

55

Page 74: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events
Page 75: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

7. QUANTITATIVE ANALYSIS OF COMMON-CAUSE FAILUREEVENTS

Because of the rarity of common-causeevents and the limited experience base forindividual plants, the quantity of data for CCFanalysis and plant-specific assessment of theirfrequencies is statistically insignificant. Toovercome this difficulty, Reference 2 proposescreating plant-specific data through screeningand evaluating generic data for plant-specificcharacteristics. Two techniques were presentedin Reference 2 to facilitate the estimation ofplant-specific CCF frequencies from genericindustry experience. One technique proposedusing an "event impact vector" to classifygeneric events according to the level of impactof common-cause events and the associateduncertainties in numerical terms. The secondwas impact vector specialization in whichgeneric event impact vectors were modified toreflect the likelihood of the occurrence of theevent in the plant of interest and the degree of itspotential impact. These techniques would be anassessment of the differences between theoriginal plant and the plant being analyzed(target plant) for susceptibility to various CCFevents.

7.1 Event Impact Vector

An impact vector is a numericalrepresentation of a CCF event. According toReference 2, for a component group of size m,the impact vector has m+J elements. The (k+])element,. denoted by Fk, equals 1 if failure ofexactly k components occurred, and 0 otherwise.Note that one and only one Fk equals 1; theothers equal zero. For example, consider acomponent group of size 2. Possible impactvectors are the following:

[1, 0, 0] No components failed.

[0, 1, 0] One and only one component failed.

[0, 0, 1] Two components failed due to ashared cause.

A model such as the impact vector describedabove would be a sufficient numericalrepresentation of the event if no sources ofuncertainty existed in classifying the event as aCCF from the information available in the eventreport. However, many event descriptions lacksufficient detail. For example, the exact status ofcomponents is not known, and the causes andcoupling factors associated with the failures aredifficult to identify. Therefore, the classificationof the event, including the assessment of itsimpact vector, may require establishing severalhypotheses with each representing a differentinterpretation of the event.

Consider the event depicted in Figure 7-1,which affects a component group of size 3. It isnot clear whether two or three components areaffected by a shared cause. Thus, twohypotheses related to the number of failedcomponents are formulated: (1) two of the threecomponents failed, and (2) three of the threecomponents failed. The impact vector forhypothesis I is

Il = [0, 0, 1, 0]

and the impact vector for hypothesis 2 is

1ý2 [0, 0, 0, 1].

The analyst assigns a weight (or probability) tothe first hypothesis equal to 0.9, and a weight of0.1 to hypothesis 2. That is, he believes thatthere is a 90% chance that hypothesis I is trueand only a 10% chance that hypothesis 2 is true.To use these in a CCF analysis, the average orweighted impact vector is calculated. Theweighted impact vector for this example is

0.91, + 0.1i = [0, 0, 0.9, 0.1] (7-1)

57

Page 76: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

Event Description: Main Yankee, August 1977. Plant at power. Twodiesel generators failed to run due to pluggedradiators. The third unit radiator was also plugged.

Failure Mode: Fail to Run

Common-cause Component Group Size: 3

Elements of Impact VectorHypothesis Probability

Fo F, F 2 F 3

"Twoftthrecm nntfi 0"~.9: " 0~ 10All three components fail 0.1 0 0 0 1

13~.~~~..verge Inapacteco(I)0

Figure 7-1. Example of the assessment of impact vectors involving multiple interpretation of event.

The average impact vector for a set of Nhypotheses is obtained by

N

I W'I'(7-2)

where

N = number of hypotheses

wi = weight or probability of hypothesis I

1i = impact vector.

The average impact vector is given by

consider a component group of size 2. Supposethat it is clear from the information that twocomponents failed, but judging whether thefailures were independent or not is hard becauseof the lack of information in the event report.Thus, there are two hypotheses for this case: (1)the two failures were due to a shared cause, and(2) the two failures were independent. Theimpact vector for hypothesis 1 is [0, 0, 1]. Forhypothesis 2, the analyst postulates independentfailures of two components. Therefore, twoimpact vectors exist for this hypothesis---one foreach component-because two componentsfailed independently. Both are equal to [0, 1, 0].If the weight for hypothesis 1 is 0.6 and 0.4 forhypothesis 2, the average impact vector equals

0.6 [0, 0, 1] + 0.4 [0, 1, 0] + 0.4 [0, 1, 0] (7-4)[0, 0.8, 0.6]

The probabilities for the hypotheses(relating to degree of impact of causes andcoupling factors in the event being classified)are assessed by the analyst. As an aid to theanalyst and to improve consistency and qualityof results, some guidelines for assessing the

(7-3)

Some events occur where judging whethermultiple failures occurred because of a sharedcause or whether the failures are due to randomor independent causes is difficult. In such cases,the analyst again develops hypotheses andassigns probabilities to each. For example,

58

Page 77: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

impact vectors are provided below. Theproposed methods do not eliminate the need forthe analyst to make subjective judgments.Rather, they provide guidance and techniques todevelop the impact vectors from specificfeatures of the events that can be characterizedby numerical values more consistently.

7.2 Generic Impact VectorAssessment

For an event to be classified as a CCF, morethan one component must fail simultaneouslybecause of a shared cause. Simultaneity andfailure are defined with respect to certainperformance criteria. For such events, the impactvector is uniquely and unambiguously defined asdescribed in the previous section.

For many events, assigning a single impactcategory (i.e., Fk = 1 for some k) is not possible.This was also illustrated in the previous section.Such cases generally involve one or both of thefollowing factors (Refs. 3, 10, and 14):

1. Characteristics of the event may not matchthe criteria for the event to be assigned aunique impact vector. An example is anevent involving two components in adegraded state owing to a known sharedcause and coupling factor. The event doesnot meet the criteria of "failed componentstate" to be classified as a full CCF.

2. Critical information about individual failuresinvolved in the CCF event may be lacking(e.g., the number of components affected,their functional state, and root causes of theevent).

In general, three event types require multiple'

hypotheses:

1. Events involving degraded component states

2. Events involving multiple componentfailures closely related in time but notsimultaneously

3. Events involving multiple failures for whichthe presence of a shared cause cannot be

* established with certainty.

There are also events that involve combinationsof these cases. The event types are discussedseparately.

7.2.1 Case 1: Events InvolvingDegraded Component States

For events in this category, the analyst needsto assess the severity of degradation for eachcomponent in the event using componentperformance criteria as a reference (i.e., typicalPRA component success criteria). In otherwords, given a degraded state, the analystassesses the probability that the degree ofdegradation would have led to failure during atypical system mission as defined in PRAs. Thisis called the component degradation value. It isdenoted by pk and takes values in the range of0< Pk < 1 (see Section 5.1.23 for recommendedvalues).

The values of the different elements of theaverage event impact vector can be calculatedbased on the possible combinations of failuresexpected if the component degradation value isviewed as probability of failure. Table 7-1shows how the various elements of the averageimpact vector may be calculated for componentsgroups of sizes 2, 3, and 4. This technique doesnot require the formulation of multiplehypotheses, but it uses the information about thedegraded component states to obtain the averageimpact vector.

7.2.2 Case 2: Events Involving FailuresDistributed in Time

In this case, the presence of a shared causefor the component states is determined but thecomponent states (failure, degraded, etc.) do notoccur or are not detected simultaneously. Ratherthey are recorded at different but closelycorrelated times (or test cycles). In this case, aprobability q can be assigned that reflects thedegree the events (component degradations)represent a CCF event during the mission timeof interest (e.g., typical PRA mission times).

59

Page 78: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

Table 7-1. Impact vector assessment for various degrees of component degradations.

ComponentGroup Size Elements of the Impact Vector

Fo F1 F2 F 3 F 4

2 (1O-ft 2)(I ~7-pI~2) :PIP2

3 (1 3p0(1-p2) p1(1-p2)(1-p3) PP2(l-P3) PIP2P3+ P2(1IP)(1-P3) + PIpN(I-P2)

~<(l-p3)(l~+r( i( 3( 4 i~lp)lp)+PPP( 3+ p3(1-P2)(1-P0 + P2p3(1P-P )

n) ++ P2 P 00 pP30pP( P3P)I ::iGP4( + • ) 1 P2)4 ýP3

Specific guidelines for assigning values of q arecontained in Section 5.1.7. The values used inassigning q are in part based on the probabilityof failures given a successive number of trialsusing a binomial distribution.

The values for q are impacted by operationalcharacteristics. For operating components,assigning the time delay probability, q isstraightforward, and it is based solely on thereported time of the failures. There is noassumption about the time of failure or whetherthe multiple failures or degraded states occurredat the same time. For standby components, thesituation is more complex. If redundantcomponents fail from a shared cause and atconsecutive tests separated in time, there isevidence that the same mechanism is at work(some "randomizing" effect is also taking place,which on other occasions may not be soeffective at decoupling failure time). If failuresoccur more than one test apart, then therandomizing effect is stronger. To account forthe randomizing effect, consideration is given tothe strategies and frequency. However, teststrategies for generic events are usually notknown to the analyst; therefore, conservativeassumptions may be made based on thefollowing two approaches.

7.2.2.1 Standby Failure Rate ModelApproach. If non-staggered testing is adopted,it is possible for the components to failimmediately following the test; in this case, thelatent CCF state could exist for the test interval.However, the average time a latent CCF statecould exist is half the test interval.

For staggered testing, the situation is morecomplex. While the tests will be conducted onindividual components at intervalscorresponding to the same interval (TI) asdiscussed above (usually determined bytechnical specifications), there will be a test onsome component at intervals of T/rm where m isthe redundancy level of the system. Thus, evenif there were no immediate testing of redundantcomponents following a revealed failure, therewould be evidence of a CCF within an intervalTj/m. Thus, the average exposure time to anunrevealed CCF should be less in staggeredtesting cases. Because test intervals varybetween plants and systems for like components,some average values may have to be assumed.Test intervals must be determined for eachindividual system/ component combination. Forexample, a month is appropriate for dieselgenerators in U.S. plants, but is too short formost other components.

60

Page 79: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

7. 2. 2. 2 Probability of Failure on DemandModel Approach. For standby systems wherea CCF is considered for failure on demand, thevalue chosen for probability q depends on thenumber of tests (challenges) of the secondcomponent between its failure and the failure ofthe first component (assuming a two componentsystem to illustrate the point). To.clarifyterminology, it is instructive to discuss teststrategies. With a non-staggered testing regime,components are usually tested sequentially butwithin a short time. If the first componentworks, there may be no CCF. However, if thefirst fails, the subsequent test performed on thesecond will reveal if there is a CCF. In the caseof staggered testing, there are two extremes: theredundant component is tested immediatelyupon failure of the component being tested, or itis tested on the next scheduled test. If the secondcomponent fails on the first challenge afterfailure of the first component, the event isinterpreted as CCF with q = 1.0.

Using the binomial concept, if the failuresare separated by one successful challenge then apoint estimate for the probability of failure ofthe second component given the failure of thefirst one is 1/2 (one failure in two challenges). Inthis case, the event is interpreted as a CCF withq = 0.5. If the failures were separated by two

-`%successful challenges, then following the sameline of reasoning, a point estimate for q wouldbe 1/3. However, it is felt that this value isconservative. A more realistic value is q = 0.1.Failures separated by more than two successfulchallenges can be assumed independent.Because generic failure reports usually do notprovide the number of successful challengesbetween demands, the Probability of Failure onDemand Model was not used for coding thetiming factor of events in the NRC CCFdatabase.

7.2.2.3 Average Impact VectorCalculation. Regardless of how q isdetermined, the impact vector for thesesituations is obtained from two sets of impactvectors: one representing the common-causehypothesis with probability q and anotherrepresenting the hypothesis of independentevents. The probability q is the probability that

on a real demand, the mechanisms would haveled to a CCF.

As an example, if two of three componentsfail because of a shared cause but at differenttimes, then the set of impact vectors will be thefollowing:

For common-cause failure

ICC = q [0,0,1,0]

= [0,0,q,O]

(7-5)

For independent failure of component 1

I,, = -q) [0, 1,0,0]= [0, 1l-q, 0, 0]

(7-6)

For independent failure of component 2

IC (I-q) [0,1)0,0]

= [0, l-q, 0, 0]

(7-7)

The average impact vector for this specificcase is

I = [0,2(l-q), ... , q, ... , 0] (7-8)

Generally, for an event involving a timedelay failure of k components in a system of mredundant components, there are k+l impactvectors as follows:

ICCF = [0, 0,...q, ... ,0] (7-9)

where q is the k+1 element of the vector,

I,, = [0, l-q, 0,..., 0] for component 1, (7-10)

IC = [0, l--q, 0 ... , 0] for component k.

The average impact vector in this case is

I = [0, k(l-q), ..., q, ..., 0] (7-11)

where q is the k+] element of the vector.

61

Page 80: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

7.2.3 Case 3: Events InvolvingUncertainty about Shared Cause

Uncertainty because of insufficientinformation regarding component states andfailure times can be folded in the componentdegradation parameters, Pi, and timing factor, q,respectively. Uncertainty stemming frominability to determine whether the multiplefailures were due to a shared cause deserves aparameter of its own because it relates to animportant and distinct element of CCF events(i.e., the coupling factor). For this reason, aparameter called the "shared cause factor," c, isintroduced as the analyst's degree of confidenceabout the presence of a shared cause in theevent. The values of c may range from 0 < c <1(see Section 5.1.17 for recommended values).

The effect of this factor on the event impactvector can be obtained similarly to the timing'factor, q. More specifically, the following set ofequations can be used after replacing q with c.

ICCF = [0, 0, ... , c, ... , 0] (7-12)

where c is the k+1 element of the vector,

/•, = [0, (l-c), 0 ... , 0] for component 1,

I = [0, (l-c), 0, ... , 0] for component k.

The average impact vector in this case is

vector as if the events did not involve any timedelay or uncertainty about shared cause, and -

then modifying the resulting impact vector toreflect separation of failures or degraded statesin time and or cause. The resulting set of impactvectors is given by

ICCF = [cqFo, cqF1,..., cqF,,],

Ic, = [(l-cq)(1-P,), (I--cq)Ph, 0, ..., 0]

(7-14)

for component 1,

I'c = [(l-cq)(l-Pm), (l-cq)Pm,, 0, ..., 0]

where

Pi = degree of degradation of the ith component

Fi = calculated from Pi according to therelations in Table 7-1 for m = 2, 3, and 4,or similar ones for m > 4.

The average impact vector is obtained by addinglCCF and the I, values.

Note that the product of cq represents anoverall measure of coupling strength. Thedecomposition of this measure, in terms of c andq, is merely an aid to the analyst's subjectiveassessment of the strength~based on differentmanifestations of the degree of couplingpresence. As can be seen from Equation (7-14),the quantity modifying the impact vectors forshared cause strength is cq, which could bereplaced by a single parameter.

7.3 Specializing Impact Vectorsfor Plant Specific Analyses

The discussions to this point have addressedusing industry data to perform generic analyses.According to Reference 2, modification to theoriginal impact vector for application to plant-specific analyses requires a two-step adjustmentof the original impact vector to account forqualitative and quantitative differences betweenthe original and target systems. Thesemodifications are discussed separately.

I = [0, kJ(1-c) .... c,..., 0] (7-13)

where c is the k+1 element of the vector.

7.2.4 Cases Involving Degraded States,Time Delay, and Uncertain SharedCause

In cases where the event involves degraded* states, time delay, and uncertainty aboutpresence of a shared cause, the impact vectorcan be obtained by first developing the impact

62

Page 81: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

7.3.1 Adjustment Based on QualitativeDifferences

In this step, the following question isaddressed: Considering design, environmental,and operational characteristics of the originaland target systems, could the same event occurin a target system? In other words, is the systemthat is being analyzed vulnerable to the cause(s)and coupling factor(s) of historic events?

In answering, the analyst must rely onknowledge of the target system, specificcomponent design, and characteristics of thesystem in which they operate. In addition, theanalyst uses information -contained in the eventreports to decide which characteristics of thetarget system are similar to those of the originalsystems and which are different. Thisinformation helps the analyst determine theapplicability of an event. Because there aremany possibilities, no specific guidelines areprovided here.

Generally, if the cause or couplingmechanism of an event cannot exist in thesystem being analyzed, the event is screenedout; otherwise, it is retained for furtherconsideration in the data specialization step.Here it is recognized that the analyst may beuncertain whether the event is applicable based.on the available information. According toReference 2, in this situation, the analyst canmultiply the original impact vector by an eventapplicability factor r (0 < r < 1), which issubjectively assessed and is a measure ofapplicability of the cause and coupling factor ofthe event to the target system. The r number is ameasure of the physical, operational, andenvironmental differences between the originaland the target system, as well as the analyst'suncertainty as to whether such differences exist.The modified application-specific impact vectoris then written as

The r factor may be written as the product oftwo factors rl and r2, which are measures ofapplicability of the root cause and couplingfactor of the event, respectively (Refs. 3, 10, and14). The "strength" of a root cause manifestsitself in the degree to which each of thecomponents is affected. Therefore, on thearbitrary scale of zero to one, a root cause ofzero strength results in no failure. The likelihoodof a failure increases as the root cause strengthmoves toward one. In contrast, the couplingfactor strength represents the degree to whichmultiple failures share a common-cause.Coupling strength of zero means failures areindependent, while CCFs are characterized by acoupling strength of one. The role of these twofactors in creating various types of events isshown schematically in the diagram ofFigure 7-2.

Estimates of rl and r2 are the analyst'sassessment of the quality of target systemdefenses against the root cause and couplingfactor of the event as compared with the originalsystem. Again, this requires subjectivejudgment, which is often a difficult task becauseof lack of sufficient information, particularlyconcerning the original system. In such cases, itis recommended that the analyst compare thetarget system against an "average" system. Thevalues listed in Table 7-2 are suggested valuesfor rj and r2.

Another issue which influences the applicabilityfactor and is often encountered in data analysisis what to do with events that have led tomodifications and improvements to the system.It is frequently argued that given a modificationto correct a root cause of an event, the eventshould be screened from the database because itis not expected to occur. In contrast, some arguethat the events observed in the past are merelyrealizations of a class of failures, and that theevidence for the frequency of occurrence of thatclass should not be removed. It is also arguedthat modifications do not always lead toimprovements, at least not immediately, becauseof the potential for introduction of new problemsand failure mechanisms.

Ir =r* (7-15)

63

Page 82: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

Table 7-2. Suggested values for r, and r2.

Strength of Target Plant Defenses Compared Applicability Factor

with Original/Average Plant Root Cause Coupling(ri) (r2)

C6 mptefDefcnse 00,.._ 0.0 .

Superor Defense 01.1. 0.1

Motderatel'.Betterefense,, .05 -, 0.5:O

Weaker or No Defense 1.0 1.0

Both sides of this debate have valid points.The essential issue is how much credit can begiven to a design improvement. As an approach,the success rate of past design changes (toremove failure causes) can be considered. Thiscan be done by reviewing the operatingexperience for a specific class of componentsand systems over several years to ascertain thechange in the ratio of design-related failurenumbers to the total number of failures. Theslope of change can be used as an effectivemeasure of design improvements and as aweight for database events that have led todesign changes. This weighting can be used asan estimator for the values of rl and r2. Dataneed to be collected and classified with this inmind because the level of detail contained incurrent data compilations does not support thistype of estimation.

7.3.2 Adjustment for QuantitativeDifference

7.3.2.1 Exposed Population versusComponent Group Size. There is adifference between the concepts of exposedpopulation and the CCCG size. The exposedpopulation is a data analysis concept and CCCGsize is a modeling concept. An example of thedifference is provided in the context of theReactor Protection System (RPS).

Pressurized water reactor (PWR) plantscontain up to 40 bistables in the RPS. The actualnumber of bistables in a particular plantrepresents the exposed population and remainsthe same for a given plant. For a given scramscenario, one or more bistables are required tofunction in each channel. The CCCG size is thenumber of bistables required per channel timesthe number of channels. This varies as thenumber of modeled scram parameters change,depending upon the channel design. Therefore, itis possible to have events with in-plant ipopulations of up to 24 components; modeledevents have a CCCG from two to the exposedpopulation. In the case of a maintenance event,one channel's worth of components is removedfrom the CCCG.

An impact vector represents a CCF in aspecific group of components of exposedpopulation size m. A collection of impactvectors used to calculate the CCF BE probabilityfor a particular component may contain impactvectors of many different exposed populationsizes (i.e., events that occur in different plants ordifferent systems). In this case, the impactvectors are mapped to the CCCG size of interest.

64

Page 83: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

1 .0

- - -- - - - -- - - - - - - -i IS 'i I

- I II-- --------' It I

II I I

SI I I I I

I .III I I

I LI I I

- - -- - - - - -- - - - - - - - - - - - - - - - - -i - - - - - -

W eak Commo n C ause Failure

- I I I I I

II I I I I

0.10.1

S h a red C a s e S tr e ngth

Figure 7-2. Schematic representation of the role of shared cause factor and root cause strengthinformation of different classes of events.

110

7.3.Z2 Mapping of Data. The level impact ofthe event on the target system is analyzedbecause of the difference that may exist betweenthe level of exposed populations in the targetand original systems. Depending on whether thetarget system size (i.e., the number of similarcomponents in the system, typically the level ofexposed population), is larger, equal, or smallerthan the original system, the impact vector mustbe "mapped up," kept unchanged, or "mappeddown." Reference 2 provides mapping rules forthe following cases:

Mapping Up. Mapping up is done when thecomponent group size in the original systemis smaller than in the system being analyzed(target system).

Mapping Down. Mapping down is donewhen the component group size in theoriginal system is larger than in the systembeing analyzed (target system).

The parameter p in Equation (7-16) is called*the mapping up parameter. It is the probabilitythat the non-lethal shock or cause would havefailed a single component added to the system.One method for estimating p is given by thefollowing equation (Ref. 15):

65

Page 84: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

'i(i -1)f(7-16)

(m - 1)- i(f,.)i=1

where

m = the number of elements in the group(CCCG)

f = the ith element of the generic impactvector.

This method works well when the systemsizes are close to one another (e.g., mappingfrom size 2 to size 3 or 4) or when at least one ofthe component degradation values is less than1.0. When all of the component degradationvalues are equal to 1.0, p is also equal to 1.0.When used in the mapping up equations for theRPS data, this method tends to overestimate the'probability that components added to a systemwill exhibit the same lethal shock-like behavior.Examination of trends in the unmapped RPSdata shows that as the number of components ina system increases, the likelihood of lethalbehavior in that group of components decreasesrapidly. Based on these observed trends andempirical studies, a maximum value of 0.85 wasestablished for p.

7.3.Z 3 Mapping Techniques. A completeset of formulas for mapping down data fromsystems having four, three, or two componentsto a system having fewer components ispresented in Table 7-3. In this table, Fk(m)

represents the kth element of the average impactvector in a system (or component group) ofsize m. The formulas show how to obtain theelements of the impact vector for smaller sizesystems when the elements of the impact vectorof a larger system are known.

It is evident from the information presentedabove that downward mapping is"deterministic"; that is, given an impact vectorfor a system having more components than thesystem being analyzed, the impact vector for thesame size system can be calculated withoutintroducing new uncertainties. Mapping up,

however, (see Ref. 2, Volume 2), is notdeterministic.

To reduce the uncertainty inherent inupward mapping of impact vectors, use is madeof a concept that is the basis of the binomialfailure rate common-cause model (Ref. 1). Theconcept is that all events can be classified intoone of three categories:

* Independent Events. Causal events that acton components singly and independently.

* Non-lethal Shocks. Causal events that act onthe system as a whole with some chance thatany number of components within thesystem can fail. Alternatively, non-lethalshocks can occur when a causal event actsonly on a subset of the components in thesystem.

* Lethal Shocks. Causal events that fail all thecomponents in the system.

When enough is known about the cause of agiven event (i.e.,, root cause and couplingmechanism), it can usually be classified in oneof the above categories. If, in the course ofupward mapping, each event can be identified asbelonging to one of the above categories, theuncertainty associated with upward mapping canbe reduced (but not eliminated). To categorizean event, the analyst needs to understand thenature of the cause. Random, independentfailures (category 1) are usually due to internalor external causes. Lethal shocks can often beidentified as impacting all components present.Design errors and procedural errors areexamples of causes that could result in lethalshocks. The remaining causes are externalcauses that have an uncertain impact on eachcomponent and can be either lethal or non-lethal.

If an event is identified as either anindependent event or lethal shock, the impactvectors can be mapped upward deterministically.It is in the case of non-lethal shocks that anadded element of uncertainty is introduced inmapping upward. How each event is handled issummarized below.

66

Page 85: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

Table 7-3. Formulas for mapping down event impact.vectors.

Size of System Ma

5 46)6', **r I ') .... ....f- (6) (4)' (6)- - (% 6)-

56 f~i(i)~ ( fi4-=2/5) f•(l+(25) 3

f= =(1/3)f t(516) _ f1 .f/5)f 4 (l+f 5 ,

6)f5 .: f,

f1(3)=(3/5)f1 (5 )+(3/5)f 2(S)4+(3/1 O)f3 (

5)

f-(3)= (f(((1/10f()(/ )f(5 -(5

fi(3)-,{3/4)fi. 4(i2 ;~K

JýV i(2) 1 - (4) ýf4l (4)+(-2/3)f, (1/2

,ý,O -6; ýji (4)_ýý+n +f4(4)

J,

44

f, (2)=(2/3 )fl(3 )+(2/3 )f2(3)

f2(2)=( 1 /3 )f2(3)+f3(3)

+f4 j4)

f, / <f ('+2/)2'' )

......... ~-

Page 86: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

7.3.2.4 Mapping up Independent Events.Because the number of independent events in thedatabase is proportional to the number ofcomponents in the system, in the case ofindependent events, it can be shown that Fg(l)and F,(k) (the number of independent events insystems with sizes I and k, respectively) arerelated by the following equation:

Ft I) t= (I/k) Fi(k) (7-17)

7.3.2.5 Mapping up Lethal Shocks. Bydefinition, a lethal shock fails the redundantcomponents present within a common-causegroup. The underlying assumption in thefollowing formula for upward mapping ofimpact vectors involving lethal shock is that thelethal shock rate acting on the system is constantand independent of system size. From thisassumption follows the relationship

lethal shock (i.e., all Pi = 1.0, the timing factorequals 1.0 and the shared cause factor equals1.0). For this case, p given by Equation (7-16)equals 1. Thus, Equation (7-16) treats non-lethalshock complete failure events as lethal shockevents. Examination of the complete CCF eventsshows that this is overly conservative becausethe number of complete CCF events decreases asthe CCCG size/increases. Empirical studiesshow that using a value of p = 0.5 is a goodchoice for the non-lethal shock complete CCFevents.

By using this model, the uncertaintyinherent in mapping up impact vectors isreduced to the uncertainty in estimating theparameter p, which is the probability that thenon-lethal shock or cause would have failed asingle hypothetical component added to thesystem.

7.4 Estimation of CCF EventFrequencies from ImpactVectors

Once the impact vectors for all the events inthe database are assessed for the system beinganalyzed, the number of events in each impactcategory can be calculated by adding thecorresponding elements of the impact vectors.That is,

WFj (7-18)

Hence, for lethal shocks, the impact vectoris mapped directly. The probability thatjcomponents in a system of] components havefailed because of a lethal shock is mappeddirectly to the probability of failing all 1components in an I component system.

7;3.2.6 Mapping up Non-lethal Shocks.Non-lethal shock failures are viewed as theresult of a non-lethal shock that acts on thesystem at a rate that is independent of systemsize. For each shock, the quantity p is theconditional probability of each componentfailure (given a shock). The process of mappinga non-lethal shock that occurs in aone-component system up to a four-componentsystem is illustrated in Reference 2. Table 7-4includes formulas to cover all upward mappingpossibilities with system sizes up to four. In thelimiting cases of p = 0 and p = 1, the formulas inTable 7-4 become identical to the equations formapping up independent events and theequations for mapping up lethal shocks,respectively.

A special case occurs when a completecommon-cause failure event involves a non-

nk = T3k~ (7-19)

where

nk = total number of BEs involving failureof k similar components

m = number of elements in the group(CCCG)

Fk (i) = the kth element of the average impactvector for event I.

68

Page 87: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

Table 7-4. Formulas for upward mapping of events classified as non-lethal shocks.

Size of System Mapping To (Number2 .3 4

f 3(2) '(0(/2)( 1:3 -p.f3 0() ff 4 =( ) (21

=p(l ff4 =5 f+

ff(=f, 3 f f, p +2p(1-p)f( 2

22 f4(4)a p2 f2(2 )

..0

001N_

f20/Of

6f

mP(!

f, ' 5)=10ý (I'ItLpYtl

15 )-5p-o-of (1)

5- P

(6) 1 f 1, =0Pf'

)f2(

5')=(9I2)p( I _P) 2f1 (2)+( 1 -P)3f2 (2)f3 (

5 ')(7/2)p2(1 -P)ft(2)+3p( I-P)2f2(2f4(5)=P3fj( 2)+3 P2(j_ P)f2

2)

f5 (5)=P3

f2 (2)

f1(t`=3( I p)4 f1)2)

f,(6)-7p( 1 _p) 3 f1 (2)+(1 _P) 4 f2(

2 )

43(1)-8p2( I P)2f1()+4p( l-p)3f2 (2 )

f (5)-(5/4)( I -P)f 1 (41

f,(5)=pf1(4)+( I -P)f2 (4 )

fj(5)=Pf2(4)+(j I P)f3 (4 )

f4(5)_~Pf3(

4)+( I P)f4 (4

f5(5)=Pf4(

4)

f.(6)=(3/2)( I -P)2f1 (4 )

f4(6)_P2f2(

4)+2p( I -P)f3 (4)+( 1 _P)2f( 4 )

f5(6=P~f3(4+2p( I -p)f4(4)I

*.5:

Page 88: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

In order to provide estimates of theprobability of a common-cause event involvingk specific components in a CCCG of size m, amodel needed to be selected from among theavailable models. The available models includedthe Basic Parameter model, the Beta model, theMultiple Greek Letter (MGL) model, and theAlpha Factor model.

The parametric Alpha Factor model waschosen because it is (1) a multi-parameter modelthat can handle any redundancy level, (2) basedon ratios of failure rates that make theassessment of its parameters easier when nostatistical data are available, and (3) a simplerstatistical model and produces more accuratepoint estimates as well as uncertaintydistributions compared to other parametricmodels that have the abovetwo properties.

Event statistics are used to develop estimatesof CCF model parameters. The Alpha Factormodel estimates CCF frequencies from a set ofratios of failures and the total component failurerate. The parameters of the model are

QT - The total failure frequency of eachcomponent (includes independent andcommon-cause events)

ak =."The fraction of the total frequency of

failure events that occur in the systeminvolving the failure of k components in asystem of m components because of acommon-cause

7.5 CCF Basic Event EquationDevelopment

With the alpha factors calculated for thetarget component, the next step is to develop theBE equation. The CCF BE equation depends onthe failure criterion and the number of redundantcomponents in the system. The most basicfailure criterion is that any k of m componentsfail and the function of the system ofcomponents fails (e.g., three of four (3/4) pumpsfail to start, meaning that two of the four pumpsare sufficient). Other criteria typically used insystems that are more complicated includespecific failure criteria (e.g., three of fourchannels and two out of two components to faila channel) and a special case of specific logic,one-out-of-two-twice failure criteria.

7.5.1 Any-k-of-m Combinations

The form of the CCF BE equation for any kout of m components failing is given byfollowing equation for staggered testing:

m CtQCCF=QTZ aiQT .ma

i=k m li i=k 1

(7-22)where

QCCF = the failure probability of k and

greater than k components due to CCF

QT = the random failure rate (total)

m the number of total rods in thecomponent group

k = the failure criteria for a number of rodfailures in the component group

a, = the ratio of i and only i CCFs to totalfailures.

m

k=1 (7-20)

The parameters of the Alpha Factor modelcan be estimated using the following maximumlikelihood estimators:

Snk

Snjj=

(7-21)

70

Page 89: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

7.5.2 Specific Failure Criterion

In terms of the Alpha Factor model, the BEprobability for a specific k failures out of asystem of m components (assuming a staggeredtesting scheme) is shown in the followingequation:

BECCF m QT ( Ci-1)! aM)i=k (m -- )!

where(7-23)

Ci -= number of combinations of k componentfailures that will fail the system.

A specific failure criterion is represented bythe Ci term in Equation (7-23). An example of aspecific failure criterion is shown in Figure 7-3.This example applies to the 6/8 bistable CCF

,event used in some RPS fault trees. In thisexample, the failure criterion is described inshorthand as 6/8. This is based on specificcriteria of failure of two of two components tofail a channel and failure of at least three of fourchannels to fail the system or function. Some ofthe combinations of six component failures willfail three channels (e.g., those combinationswhere two failures are in each of threechannels). Some combinations of six will fail

"only two channels (e.g., those combinations thathave less than two failures in a channel). Thevalid failure combinations are counted and thesum becomes the Ci term in the BE equation.When a channel is taken out of service formaintenance, it is placed in a non-tripped status.The criteria then become two of two componentsand two or more of the remaining threechannels. This maintenance event is described inshorthand as 4/6 18.

7.5.3 One-Out-of-Two-Twice Logic

In one-out-of-two-twice logic,Equation (7-23) is used again but the counting ofthe Ci term is based ona different system. Anexample of this failure criterion is shown inFigure 7-4. This example applies to the two offour reactor trip breaker CCF events used insome RPS fault trees. In this example, the failure

criterion is described in shorthand as 2/4. This isbased on failure of two of two components tofail a channel and failure of one of two channelsto fail a train. Some of the combinations of fourcomponent failures will fail two channels but notrains (e.g., those combinations where twofailures are in each of two trains). Somecombinations of four will fail an entire train (anexample is shown in the failure side ofFigure 7-4). The valid failure combinations arecounted and the sum becomes the Ci term inEquation (7-23). When a component is taken outof service for maintenance, it is placed in a non-tripped (bypassed) status: The possiblecombinations are counted with the componentalways failed. This maintenance event isdescribed in shorthand as 1/3 14.

7.5.4 CCF Basic Event ProbabilityEquations

Table 7-5 shows some CCF BE probabilityequations used in various fault trees. All of theequations are based on staggered testing.

7.6 Treatment of Uncertainties

From earlier discussions, it is evident thatthere are potentially significant uncertainties inthe development of a statistical database fromCCF event reports. These uncertainties can becategorized as follows:

* Uncertainty because of lack of sufficientinformation in the event reports forunambiguous event classification and impactvector assessment

* Uncertainty in translating eventcharacteristics to numerical parameters forimpact vector assessment

* Uncertainty in determining the applicabilityof an event to a specific plant design andoperating characteristics.

71

Page 90: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

,IMF~Components

Channels

6 of 8 failure criterion2 of 2 components to fail channel

3 of 4 channels to fail system INote: Black ellipses => failure

White ellipses =>.success

Figure 7-3. Example of a specific failure criterion.

ComponentsChannels

Trains

2 of 4 failure criterion,one-of-two-twice logic

2 of 2 components to fail channel

Specific I of 2 channels to failtrain (system)

ME=

Note: Black ellipses => failure

White ellipses => success

Figure 7-4. Example of a one-out-of-two-twice logic failure criterion for a 2-out-of-4 system.

72

Page 91: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

Table 7-5. Failure criteria and basic event equation table.

Failure Criteria

Channel Componentor Train (within channel Shorthand

aLevel or train) Criterion Basic Event Probability Equations1/2 2/2'4C 342

3/4 1/1 3/4 c (ct4+ 4/3 aX3)* QT

3/4+ 1/ 2/1 4 ~(x 4,+.4la4./ )*QT3/4 2/2 6/8 d (Ca8 + 8a7/7 + 4a 6/21).* QT

(/2s 8ci'/ 12ct5 35 + 3cc35*Q6/6 1/1 6/6 c (X6)* QT

a. Shorthand criteria with the form x/y Iz are maintenance events involving one channel or train taken out of servicedue to maintenance.

b. This criterion is based on the one-out-of-two logic described in Section 7.5.3.

c. This criterion is based on the any-k-of-m logic described in Section 7.5.1.

d.. This criterion is based on the specific failure criterion described in Section 7.5.2.

In these cases, significant amounts of judgmentare required. Analysts are likely to havedifferent interpretations of the events and makedifferent assumptions about what is missingfrom both the event reports and physical andoperational descriptions of the plants involved.This is true although specific guidelines havebeen provided in this report to ensure, as aminimum, a reasonable level of accuracy andconsistency and to reduce analyst-to-analystvariability. Nevertheless, the potential for majorvariability in the results exist.

It is essential that the uncertainties in theestimated CCF probabilities be assessed. Thisrequires a systematic procedure to capture themagnitude of variability in the estimated impactvectors. Similarly, potential incompleteness andbiases in the raw data (event reports) should beconsidered and their magnitude estimated.Finally, statistical techniques should be appliedto measure the effect of uncertainties on thedistribution of CCF frequencies.

The method described in Section 7.4develops statistical evidence needed forparameter estimation by averaging event impactvectors over multiple hypotheses and

corresponding probabilities. The averagingprocedure leads, as described in Reference 2, toan underestimation of uncertainties whileproducing nearly exact mean values.Reference 2 proposed a formal uncertaintyanalysis method to account for the impact of themultiple-hypothesis approach to dataclassification.

Limited exercise with typical data sets(Ref. 16) has indicated the difference betweenthe results of the formal approach and thosebased on average impact vectors is notsignificant. This is particularly true whencompared with the impact of other sources ofuncertainty, such as plant-to-plant and analyst-to-analyst variability of impact vector values.The computational complexity and relativelysmall impact of the formal method add to theappeal of the average impact vector approach asthe method of choice implemented in the CCFsoftware.

Certain formal and rigorous methods forhandling uncertainties in CCF frequencies as afunction of analyst uncertainty in the impactvector assessment have been suggested andapplied to a small data sample. These methods,

73

Page 92: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

however, tend to be tedious for large databases.A rough approximation of the range ofuncertainty in CCF frequency estimates can bedeveloped through ad-hoc techniques, such asbounding of the uncertainties. For example, theanalyst assesses the impact vectors"optimistically" (tends to judge events"independent" when in doubt) and then assessesthe impact vectors "pessimistically" (tends tojudge events as common-cause). Distributions ofCCF frequency are then developed from thestatistics obtained from each of the two sets ofimpact vectors according to the methodsdescribed in Reference 2. These distributions arecombined to obtain the overall range ofuncertainty in the CCF frequency estimate.

Among the models available, the fulluncertainty treatment is only provided for theAlpha Factor model. This is because thesampling model on which the Alpha Factormodel can be based is simple and can bejustified with very few assumptions regarding

the process used to generate the data. (This isnot the case, however, for the MGL model.) Thestatistical uncertainty distribution of the AlphaFactor model parameters can be developed usingBayesian techniques as described inReference 2.

Both the homogeneous and non-homogeneous models are available in the CCFsoftware. The non-homogeneous option can beused to develop generic and global assessmentof the ranges of CCF parameters across theindustry. It can also be used as a priordistribution in plant-specific estimations. Forthis use, the data from the plant being analyzedshould be excluded from the non-homogeneousdatabase. The resulting distribution from thisprocedure is expected to be wider than thedistribution obtained based on the non-homogeneous assumption.

74

Page 93: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

8. CCF PARAMETER ESTIMATION

After independent event count and CCFevent information have been entered into theCCF database and quality assurance verificationcompleted, the next step is the estimation ofCCF parameters using the software developedfor performing quantifications. The parameterestimation software developed for this projectuses the impact vector method described inReference 2; the approach introduced inReference 3 is used to evaluate the event impactvector based on physical characteristics of theevent. These physical characteristics includecomponent degradation parameter, timing factor,'and shared cause factor. In addition, the softwareallows the user to modify the generic eventimpact factors for plant-specific applications,including mapping the impact vectors to accountfor differences in CCCG size between the plantin which the event occurred and the plant forwhich the data'are being modified. Othersoftware features include parameter estimationsfor both Alpha Factor and MGL models.

The CCF database system was developed forthe personal computer. It contains the CCFevents in a searchable database and options toestimate CCF parameters. It provides a numberof capabilities to users with different interestsand levels of expertise in CCF event-analysis.The parameter estimation process is a three-stepprocess: (1) search the CCF database to obtainthe events of interest, usually sorted by system,component, and failure mode, (2) analyze thedata from the search, and (3) estimate the CCFparameters. Mechanics of using the software toperform parameter estimations is contained inthe CCF database software help file. The CCFsystem has two main options, allowing users toperform either generic analyses or plant-specific-analyses of CCF events included in the database.

Generic analysis uses data pooled frommultiple plants. Generic analysis of CCF eventsin the database includes a qualitative analysis ofcauses and severity of CCF events and aquantification of generic CCF parameters (AlphaFactor and MGL models). These can be used inrisk and reliability studies or other applications

such as trending of industry performance withrespect to a single class of failures.

Plant-specific analysis allows users tospecialize (modify) the CCF events in thedatabase for application to a specific plant byconsidering design and operational differencesbetween the plant where the event occurred andthe plant of interest (target plant), and toestimate CCF parameters that reflect the specificfeatures of the plant being studied. This isrecommended in Reference 2 as the preferredapproach for plant-specific analyses.

Flexibility is built into the CCF system toenable the PRA analyst to add or remove CCFevents from a set of data (application) providedby the database search capability in recognitionthat a precise definition of a CCF may vary fromone PRA study to another. The events in thedatabase, therefore, include more events thanthose that might be appropriate for use in a givenPRA or other studies.

The classification of events (both CCFs andindependent failure data) represents the bestjudgment of experienced analysts who haveapplied a set of carefully designed rules toensure consistency and minimize subjectivity.The PRA analyst, however, can modify variousattributes of the events in a copy of the database,leaving the original database intact as areference point. This type of modificationrequires a relatively high degree of experienceand is not expected to be the primary applicationof the CCF system.

While in the CCF system, an analyst maysearch CCF database to obtain information onvarious aspects of the CCF data, such as thedistribution of proximate causes (collectively orcomponent by component). The software allowsthe user to specify. a subset of the attributes ofthe events as the search criteria to obtain asubset of the database having those attributes,This enables the user to develop a statistical basefor the study of generic differences amongdifferent classes of plants or systems, as well as

75

Page 94: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

a trend of CCF events by plant or across theindustry.

8.1 Database Search

The CCF events that have been entered intothe database cover a large range of systems andcomponents and vary in importance from a PRAperspective. Searches for CCF events to beincluded in parameter estimations can bestructured to prevent inclusion of eventsirrelevant to an individual study. For example,before searching for AFW pump events (whichinclude either motor-driven pump CCF events,turbine-driven pump CCF events, or CCF eventsthat include both pump types), the analyst mustdecide to include either all pump types(searching for motors, turbines, and pumps) oronly one pump type and then search the CCFdatabase accordingly.

Using the" search option, the PRA analystcan select the data fields of interest (system,component, failure mode, shared cause factor,cause, type, etc.), search the database based onthe coded event information entered in thosefields, and identify the events whose fields meetthe specified search criteria. For example, tosearch the database for the AFW pumps that failto start on demand and the events that areimportant from a PRA perspective, the searchcriteria would specify

* System code for AFW

* Component code for motor-driven pumps;turbine-driven pumps; motors, turbines, andpumps

* Failure mode of failure to start

" Event type of CCF.

Following the search, the events are saved in anapplication for analysis. The search criteria arealso saved in each user's profile. When new dataare distributed to users, the applications can beupdated to include new data without having torecreate the search criteria.

8.2 Data Analysis,

Once the analyst selects the events to beincluded in the analysis, the CCF databasesystem performs all calculations for theparameter estimations. Because of the relativerarity of CCF events in operational experience,CCF events from similar plants can be pooledtogether to obtain enough data for use inreliability and risk studies; these are the"generic" estimations. The analysis uses CCFdata that involve degradations as well as thoseinvolving total failures. The data from anysearch can be saved for future reference and canbe used with either the generic or plant-specificsoftware options.

All CCF event data saved from a search canbe reviewed for applicability for specific studies.Some events may be coded in a manner thatdoes not reflect the PRA analyst's perception ofthe events. Each event can be reviewed to givethe analyst an opportunity to modify or delete acopy of the event from consideration in thespecific application. The data fields that can bemodified are component degradation level,timing factor, shared cause factor, and averageimpact vector. The software system defaults tonot modifying the data. Once the PRA analysthas determined and entered the data imodifications, the software calculates theaverage impact vector for the selected set ofCCF events. During sensitivity studies, theaverage impact vector values can be changedand saved for calculating parameter estimates.

Additionally, the PRA analyst may want toanalyze the CCF data for applicability to aparticular plant using the plant-specific option.In this case, some data may not be applicablebecause of a difference in plant configuration orin shared cause factors between the originalevent and the target plant. As in the genericoption, event data can be modified or an eventmay be deleted from the analysis. The fields thatcan be modified are cause, shock type,component degradation level, shared causefactor, map up factor, event type, timing factor,shared cause factor, average impact vector, andapplication-specific impact vector. Once theanalyst has determined and entered the

76

Page 95: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

applicability of an event, the software calculatesthe specific impact vector. Similar to the averageimpact vector values, the specific impact vectorvalues can be modified and stored for use inparameter estimations.

8.3 Estimation of CCFParameters

After event data are prepared for parameterestimation, the final analytical step is to performthe parameter estimation using either of the twodifferent quantification methods (generic orspecific). In both options, a CCF parametricmodel is selected (Alpha Factor, MGL, or both)and the calculations are performed.

The output of the parameter estimations isdisplayed in several ways: tabular, graphically,or electronically for transfer to other softwareapplications. Uncertainty calculations are alsoprovided. Figure 8-1 displays an example ofoutput from the CCF system showing summaryresults of an EDG analysis, including genericestimates of the CCF frequency parameters forthe failure-to-start mode.

The parameter estimation software uses theimpact vector approach. Reference 2 discussesthe use of event impact vectors. Using theassessments from the event coding, this methodclassifies the individual CCF events according tothe level of their impact on the overall CCFeffect on the PRA study and the associateduncertainties in numerical terms. These impactvectors represent the certainty that each event isa CCF event. They are based on the componentdegradation factor, timing factor, and sharedcause factor. Once the individual event impactvectors are determined, the average impactvector for the CCCG of interest (e.g., EDGs) iscalculated. The independent event counts areincluded in the CCF database and are sorted bysystem, component, failure mode, source (LER,

NPRDS, or EPIX), and docket. The user has theoption of modifying the independent event valueif there is uncertainty about the number providedor if there are additional assumptions orinformation to be used in the analysis.

The generic analysis option of the CCFsoftware performs an estimation of CCFparameters from pooled plant data, which can beused in risk and reliability studies, or otherapplications such as trending of industryperformance with respect to specific types offailures. CCF data are used in the AccidentSequence Precursor Program, safety systemreliability studies, Standardized Plant AnalysisRisk models, and for resolution of NRC genericissues.

The plant-specific analysis option of theCCF software allows the analyst to modify eventcoding to adjust CCF event data for design oroperational differences between the plant wherethe actual CCF event occurred and the plant towhich the data are applied. The software allowsthe analyst to review each event and modifyvarious attributes of the event or delete the eventfrom consideration in parameter estimations.Two adjustment factors, the cause applicabilityfactor and the shared cause factor applicability,can be used to reflect the analyst's interpretationof the differences between the two plants. Thechanges are saved in a copy of the database forthe particular application for later use, while thedata in the original database are not changed. Aswith the generic estimations, the analyst may usethe independent events that are in the CCFdatabase by individual plant or the analyst maychoose another value based on knowledge of thetarget plant. Additionally, the software includesthe capability to adjust the size of the CCCG(using mapping factors) so that an event thatoccurred at a plant with n similar componentsmay be applied to a plant that has m suchcomponents.

77

Page 96: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

Special Quantification Report

Application: EDG-FS Unadjusted Independent Events: .76;4

Component: EDG Total Common-cause Events: 55Failure Modte: FS Average Event CCCG: 2.83

Adjusted Ind.CCCG Size Events Count Summary Alpha Factors MGL Factors

` 52-2 96 " n, '30.08~2 a 6328 ' 1Bt 8E00'~2 18:0860'a 3. 16E'-00'2' ,Bt ' 3lE~

3 784.45 n, 24.0867 al 0.9620172. 1-Beta 9.62E-001

n2 17.2720 a 2 2.05E-002 Beta 3.79E-002

n3 14.6510 at3 1.74E-002 Gamma 4.58E-001

Figure 8-1. Parameter estimation example.

78

Page 97: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

9., GLOSSARY

Alpha Factor.' The fraction of the totalfrequency of failure events that occur in thesystem involving the failure of k componentsin a system of m components due to acommon-cause.

Application: A particular set of CCF eventsselected from the CCF database for use in aspecific study.

Available: Describes a component that iscapable of performing its function accordingto a specified success criterion. (Note:available is not the same as availability.)

Average Impact Vector: An average over theimpact vectors for different hypothesesregarding the number of components failedin an event.

Basic Event: An event in a reliability logicmodel that represents the state in which acomponent or group of components isunavailable and does not require furtherdevelopment in terms of contributing causes.

Common-cause Event: A dependent failure inwhich two or more component fault statesexist simultaneously, or within, a short timeinterval, and are a direct result of a sharedcause.

Common-cause Basic Event: In systemmodeling, a basic event that represents theunavailability of a specific set of componentsbecause of shared causes that are notexplicitly represented in the system logicmodel as other basic events.

Common-cause Component Group: A group ofusually similar components (in mission,manufacturer, maintenance, environment,etc.) that are considered to have a highpotential for failure because of the samecause or causes.

Common-cause Failure Model: The basis forquantifying the frequency of common-causeevents. Examples include the Beta Factor,

Alpha Factor, Basic Parameter, and BinomialFailure Rate models.

Complete Common-cause Failure: A common-cause failure in which all redundantcomponents are failed simultaneously as adirect result of a shared cause (i.e., thecomponent degradation value equals 1.0 forall components and both the timing factorand the shared cause factor are equal to 1.0).

Component: An element of plant hardwaredesigned to provide a particular function.

Component Boundary: Encompasses the set ofpiece-parts that are considered to form thecomponent.

Component Degradation Value (p): Theassessed probability (0.0 : p < 1.0) that afunctionally or physically degradedcomponent would fail to complete themission.

Component State: The component statusconcerning its intended function. Twogeneral categories of component states aredefined as available and unavailable.

Coupling Factor.- The condition or mechanismthrough which failures of multiplecomponents are coupled.

Failure: Describes a component not capable ofperforming its specified operation accordingto a success criterion.

Functionally Unavailable: Describes acomponent that is capable of operation, butthe function normally provided by thecomponent is unavailable because of lack ofproper input, lack of support function from asource outside the component (i.e., motivepower, actuation signal), maintenance,testing, improper interference of a person,etc.

Degraded: Describes a component in such astate that it exhibits reduced performance but

79

Page 98: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

insufficient degradation to declare thecomponent unavailable according to thespecified success criterion.

Date: The date of the failure event or date -thefailure was discovered.

Defense: Any operational, maintenance, anddesign measures taken to diminish thefrequency and/or consequences of CCFs.

Dependent Events: Two or more basic events, Aand B, are statistically dependent if, andonly if,

P[A rn B] = P[B I A]P[A] = P[A I B]P[B] P[A]P[B]

where P[X] denotes the probability of-'event X.

Event: The occurrence of a component state or agroup of component states.

Exposed Population: The set of componentswithin the plant that are potentially affectedby the CCF under consideration.

Failure Mechanism: The history describing theevents and influences leading to a givenfailure.

Failure Mode: A description of componentfailure in terms of the component functionthat was actually or potentially unavailable.

Failure Mode Applicability: The analyst'sdetermined probability that the specifiedcomponent failure mode for a given event isappropriate to the particular application.

Impact, Vector: An assessment of the impact anevent would have on a common-causecomponent group. The impact is usuallymeasured as the number of failedcomponents out of a set of similarcomponents in the common-causecomponent group.

Incipient: Describes a component in a conditionthat, if left un-remedied, could ultimatelylead to a degraded or unavailable state.

Independent Events: Two basic events, A and B,are statistically independent if, and onlyif,

P[A r B] = P[AJP[B]

where P[X] denotes the probability ofevent X.

Mapping: The impact vector of an event must be"mapped up" or "mapped down" when theexposed population of the target plant ishigher or lower than that of the original plantthat experienced the CCF. The result ofmapping an impact vector is an adjustedimpact vector applicable to the target plant.

Mapping Down Factor: A factor used to adjustthe impact vector of an event when the.exposed population of the target plant islower than that of the original plant thatexperienced the CCF.

Mapping Up Factor: A factor used to adjust theimpact vector of an event when the exposedpopulation of the target plant is higher thanthat of the original plant that experienced theCCF.

Multiple Greek Letter: For a system of mredundant components and for each givenfailure mode, m different parameters aredefined. Each parameter represents theconditional probability that the common-cause of a component failure will be sharedby n or more additional components.

p-value: A probability that indicates a measureof statistical significance. The smaller the p-value, the greater the significance. A p-valueof less than 0.05 is generally consideredstatistically significant.

Potential Common-cause Failure: Anycommon-cause event in which at least onecomponent degradation value is less than 1.0.

Potentially Unavailable: Describes a componentthat is capable of performing its functionaccording to a success criterion but anincipient or degraded condition exists. (Note:

80

Page 99: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

Potentially unavailable is not synonymouswith hypothetical.)

Mission Time: The time period (usually in hours)that a component is generally required tosuccessfully operate to mitigate an eventwhen modeled in a PRA or IPE. Most PRAmission times are assumed to be 24 hours.

Proximate Cause: A characterization of thecondition that is readily identified as leadingto failure of the component. It mightalternatively be characterized as a symptom.

Reliability Logic Model: A logical representationof the combinations of component states thatcould lead to system failure. A fault tree is anexample of a system logic model.

Root Cause: The most basic reason for acomponent failure, which, if corrected, couldprevent recurrence. The identified root causemay vary depending on the particulardefensive strategy adopted against the failuremechanism.

Shared Cause Factor (c): A number that reflectsthe analyst's uncertainty (0.0 < c:< 1.0)about the existence of coupling among thefailures of two or more components (i.e.,whether a shared cause of failure can beclearly identified).

Shared Cause Mechanism: A set of causes andfactors characterizing why and how a failureis systematically induced in severalcomponents.

Shock: A shock is an event that occurs at arandom point in time and acts on the system(i.e., all the components in the systemsimultaneously). There are two kinds ofshocks distinguished by the potential impactof the shock event: lethal and non-lethal.

System: The entity that encompasses aninteracting collection of components toprovide a particular function or functions.

Timing Factor (q): The probability(0.0 '< q < 1.0) that two or more componentfailures (or degraded states) separated in timerepresent a CCF. This can be viewed as anindication of the strength-of-coupling insynchronizing failure times.

Unavailable: Describes a component that isunable to perform its intended functionaccording to a stated success criterion. Twosubsets of unavailable states are failure andfunctionally unavailable.

81

Page 100: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events
Page 101: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

10. REFERENCES

1. Fleming, K. N., and A. Mosleh, "Classification and Analysis of Reactor Operating ExperienceInvolving Dependent Events," EPRI NP-3967, June 1985.

2. U.S. Nuclear Regulatory Commission, "Procedures for Treating Common-cause Failures inSafety and Reliability Studies," NUREG/CR-4780, Volume 1, January 1988, and Volume 2,January 1989.

3. U.S. Nuclear Regulatory Commission, "Procedure for Analysis of Common-cause Failures inProbabilistic Safety Analysis," NUREG/CR-5801 (SAND91-7087), April 1993.

4 U.S. Nuclear Regulatory Commission, "Common-Cause Failure Database and Analysis System:Overview," NUREG/CR-6268 (INEEL/EXT-97-00696), Volume 1, June 1988.

5 U.S. Nuclear Regulatory Commission, "Common-Cause Failure Database and Analysis System:Event Definition and Classification," NUREG/CR-6268 (INEEL/EXT-97-00696), Volume 2,June 1998.

6 U.S. Nuclear Regulatory Commission, "Common-Cause Failure Database and Analysis System.-Data Collection and Event. Coding," NUREG/CR-6268 (INEEL/EXT-97-00696), Volume 3, June1998.

7 U.S. Nuclear Regulatory Commission, "Common-Cause Failure Database and Analysis System:Software Reference Manual," NUREG/CR-6268 (INEEL/EXT-97-00696), Volume 4, June 1998.

8. U.S. Nuclear Regulatory Commission, "Common-Cause Failure Parameter Estimations,"NUREG/CR-5497 (INEEL/EXT-97-01328), October 1998.

9. U.S. Nuclear Regulatory Commission, "A Cause-Defense Approach to the Understanding andAnalysis of Common-cause Failures," NUREG/CR-5460 (SAND 89-2368), March 1990.

10. Mosleh, A., et al., "On Quantitative Analysis of Common-cause Failure Data for Plant-SpecificProbabilistic Safety Assessments," UMNE-92-004, University of Maryland Nuclear Engineering,prepared for the U.S. Nuclear Regulatory Commission, August 1992..

11. U.S. Nuclear Regulatory Commission, "Overview and Comparison of.U.S. Commercial NuclearPower Plants,." NUREG/CR-5640 (SAIC 89/1541), September 1990.

12. US. Code of Federal Regulations, Subpart 55a, "Codes and Standards," Part 50, "DomesticLicensing of Production and Utilization Facilities," Chapter 1, Title 10, "Energy."

13. U.S. Code of Federal Regulations, Appendix J, "Primary Reactor Containment Leakage Testingfor Water-Cooled Power Reactors," Part 50, "Domestic Licensing of Production and UtilizationFacilities," Chapter I, Title 10, "Energy."

14. Mosleh, A., G. Parry, and A. F. Zikria, "An Approach to the Analysis of Common-cause FailureData for Plant-Specific Application," Nuclear Engineering and Design, 150:25-47, 1994.

Page 102: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

15. Kvam, P., "Estimation Techniques for Common-cause Failure Data with Different System Sizes,"Technometrics, 38(4):382-388, 1996.

16. Siu, N., and A. Mosleh, "Treating Data Uncertainties in Common-cause Failure Analysis,"Nuclear Technology, 84:265-281, 1989.

84

Page 103: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

NRC FORM 335 U.S. NUCLEAR REGULATORY COMMISSION 1. REPORT NUMBER(9-2004) (Assigned by NRC, Add Vol., Supp., Rev.,NRCMD 3.7 and Addendum Numbers, If any.)

BIBLIOGRAPHIC DATA SHEET(See instructions on the reverse) NUREG/CR-6268, Rev. 1

2. TITLE AND SUBTITLE 3. DATE REPORT PUBLISHED

Common-Cause Failure Database and Analysis System: Event Data Collection, Classification, MONTH YEAR

and Coding September 2007

4. FIN OR GRANT NUMBER

Y65465. AUTHOR(S) 6. TYPE OF REPORT

T,E. Wierman, INL; D.M. Rasmuson, NRC; A. Mosleh, University of Maryland Technical

7. PERIOD COVERED (Inclusive Dates)

NA8. PERFORMING ORGANIZATION - NAME AND ADDRESS (If NRC, pruvide Division, Office or Region, U.S. Nuclear Regulatory Commission, and mailing address; if contractor,

provide name and mailing address.)

Idaho National Laboratory, Risk & Reliability Assessment, P.O. Box 1625, Idaho Falls ID 84315-3850University of Maryland, 2181 Glenn L. Martin Hall, College Park, MD 20742

9. SPONSORING ORGANIZATION - NAME AND ADDRESS (If NRC, type Saeas above",; if contractor, provide NRC Division, Office or Region, U.S. Nuclear Regulatory Commission,arnd mailing address.)

.Division of Risk Assessment and Special Projects

Office of Nulcear Regulatory ResearchU.S. Nuclear Regulatory CommissionWashington, D.C. 20555-0001

10. SUPPLEMENTARY NOTES

-A.D. Salomon. Proiect Manaaerf J

11: ABSTRACT (200 words or less)

This report on the Common Cause Failure Database and Analysis System presents an overview of common cause failure(CCF) analysis methods for use in the U.S. commercial nuclear power industry. Idaho National Laboratory staff identifyequipment failures that contribute to CCF events through searches of Licensee Event Reports, Nuclear Plant Reliability DataSystem failure reports, and Equipment Performance and Information Exchange failure reports. The staff then enter the eventinformation into a personal computer-based data analysis system (CCF system). This report summarizes how data aregathered, evaluated, and coded into the CCF system, and describes the process for using the data to estimate probabilistic riskassessment common cause failure parameters.

12. KEY WORDS/DESCRIPTORS (List words or phrases that will assist researchers in locating the report.) 13. AVAILABILITY STATEMENT

common-cause failure, CCF, shared cause, proximate cause, timing factor, dependent failure, Unlimiteddata collection 14. SECURITY CLASSIFICATION

(This Page)

Unclassified(This Report)

Unclassified15. NUMBER OF PAGES

16. PRICE

NRC FORM 335 (9-2004) PRINTED ON RECYCLED PAPER:

Page 104: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

Federal Recycling Program

Page 105: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events
Page 106: Database and Analysis System: Event Data Collection,power industry. The CCF data effort consists of CCF event identification, CCF event coding and CCF parameter estimation. CCF events

NUREG/CR-6268, Rev. 1 COMMON-CAUSE FAILURE DATABASE AND ANALYSISSYSTEM: EVENT DATA COLLECTION, CLASSIFICATION, AND CODING

SEPTEMBER 2007

UNITED STATESNUCLEAR REGULATORY COMMISSION

WASHINGTON, DC 20555-0001

OFFICIAL BUSINESS