BSI Standards Publication

Nuclear power plants - Instrumentation and control systems important to safety - Use of Failure Mode and Effects Analysis (FMEA) and related methods to support the justification of systems

PD IEC/TR 62987:2015

National foreword

This Published Document is the UK implementation of IEC/TR 62987:2015. The UK participation in its preparation was entrusted to Technical Committee NCE/8, Reactor instrumentation.

A list of organizations represented on this committee can be obtained on request to its secretary.

This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.

© The British Standards Institution 2015. Published by BSI Standards Limited 2015

ISBN 978 0 580 89868 6
ICS 27.120.20

Compliance with a British Standard cannot confer immunity from legal obligations.

This Published Document was published under the authority of the Standards Policy and Strategy Committee on 30 September 2015.

Amendments/corrigenda issued since publication: Date / Text affected

PUBLISHED DOCUMENT PD IEC/TR 62987:2015

IEC TR 62987 Edition 1.0 2015-09
TECHNICAL REPORT

Nuclear power plants - Instrumentation and control systems important to safety - Use of Failure Mode and Effects Analysis (FMEA) and related methods to support the justification of systems

INTERNATIONAL ELECTROTECHNICAL COMMISSION
ICS 27.120.20 ISBN 978-2-8322-2886-9
Registered trademark of the International Electrotechnical Commission
Warning! Make sure that you obtained this publication from an authorized distributor.
colour inside

PD IEC/TR 62987:2015 / IEC TR 62987:2015 © IEC 2015

CONTENTS

FOREWORD 3
INTRODUCTION 5
1 Scope 7
2 Normative references 7
3 Terms and definitions 8
4 References to FMEA in published standards 8
4.1 General 8
4.2 IEC standards 8
4.2.1 IEC 60812 8
4.2.2 IEC 61513 9
4.2.3 IEC 61226 9
4.3 Other standards 9
4.3.1 General 9
4.3.2 IEEE Std 7-4.3.2-2003 9
4.3.3 ANSI/IEEE Std 352-1987 9
4.3.4 IEEE Std 577-2004 10
5 Scope of application of FMEA 10
5.1 Relationships to other methods 10
5.2 Analysis subjects 10
5.3 Common cause failure 10
6 Examples of applications 11
6.1 General 11
6.2 Replacement items 11
6.3 Survey results 12
7 Industry practice and regulatory relevance 12
7.1 General 12
7.2 France 12
7.2.1 Experience of practice for FMEA records authority (licensing) 12
7.2.2 Board-level FMEA 13
7.2.3 System-level FMEA 14
7.2.4 Subset-level FMEA 15
7.2.5 Tools to support FMEA 16
7.2.6 Current research 17
7.2.7 Dissemination of FMEA practice 17
7.3 United Kingdom 18
7.4 United States 18
8 Conclusions 19
Annex A (informative) Standardized form used in survey 20
Bibliography 21
Figure 1 Safety case studies including FMEAs 13

INTERNATIONAL ELECTROTECHNICAL COMMISSION

NUCLEAR POWER PLANTS - INSTRUMENTATION AND CONTROL SYSTEMS IMPORTANT TO SAFETY - USE OF FAILURE MODE AND EFFECTS ANALYSIS (FMEA) AND RELATED METHODS TO SUPPORT THE JUSTIFICATION OF SYSTEMS

FOREWORD

1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising all national electrotechnical committees (IEC National Committees). The object of IEC is to promote international co-operation on all questions concerning standardization in the electrical and electronic fields. To this end and in addition to other activities, IEC publishes International Standards, Technical Specifications, Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as "IEC Publication(s)"). Their preparation is entrusted to technical committees; any IEC National Committee interested in the subject dealt with may participate in this preparatory work. International, governmental and non-governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely with the International Organization for Standardization (ISO) in accordance with conditions determined by agreement between the two organizations.

2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international consensus of opinion on the relevant subjects since each technical committee has representation from all interested IEC National Committees.

3) IEC Publications have the form of recommendations for international use and are accepted by IEC National Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any misinterpretation by any end user.

4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications transparently to the maximum extent possible in their national and regional publications. Any divergence between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in the latter.

5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any services carried out by independent certification bodies.

6) All users should ensure that they have the latest edition of this publication.

7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and members of its technical committees and IEC National Committees for any personal injury, property damage or other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC Publications.

8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is indispensable for the correct application of this publication.

9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of patent rights. IEC shall not be held responsible for identifying any or all such patent rights.

The main task of IEC technical committees is to prepare International Standards. However, a technical committee may propose the publication of a technical report when it has collected data of a different kind from that which is normally published as an International Standard, for example "state of the art".

IEC TR 62987, which is a technical report, has been prepared by subcommittee 45A: Instrumentation, control and electrical systems of nuclear facilities, of IEC technical committee 45: Nuclear instrumentation.

The text of this technical report is based on the following documents:

Enquiry draft: 45A/1006/DTR
Report on voting: 45A/1028/RVC

Full information on the voting for the approval of this technical report can be found in the report on voting indicated in the above table.

This publication has been drafted in accordance with the ISO/IEC Directives, Part 2.

The committee has decided that the contents of this publication will remain unchanged until the stability date indicated on the IEC website under "http://webstore.iec.ch" in the data related to the specific publication. At this date, the publication will be reconfirmed, withdrawn, replaced by a revised edition, or amended.

A bilingual version of this publication may be issued at a later date.

IMPORTANT: The "colour inside" logo on the cover page of this publication indicates that it contains colours which are considered to be useful for the correct understanding of its contents. Users should therefore print this document using a colour printer.

INTRODUCTION

a) Technical background, main issues and organisation of the Technical Report

Failure mode and effects analysis (FMEA) is a qualitative method of reliability analysis that may be applied to many different types of systems. It is an inductive method of performing system reliability or safety analysis from a low to a high level (IEC 60812).

There is a need to provide guidance on nuclear-specific issues, for example common cause failure and meeting the single failure criteria, when applying failure mode and effects analysis (FMEA) and related methods to instrumentation and control systems important to safety in nuclear power plants.

The information gathered in the development of this technical report was used to determine if the topic can be standardised. If a positive conclusion was reached, the intent was to produce a scope and a first draft CD of a standard. Such a standard would use IEC 60812 as its basis and provide guidance specific to the nuclear industry for implementing IEC 60812. The conclusion in this technical report is that the topic is not yet amenable to standardisation; however, additional development of the topic by the committee would be beneficial and could result in a standard at a later date.

This Technical Report identifies international standards applicable to nuclear power plant instrumentation and control systems that invoke FMEA as a method. It describes the contexts in which the standards invoke FMEA. The Technical Report describes how FMEA and associated methods have been applied to nuclear power plant instrumentation and control systems important to safety and to systems with similar attributes. The examples are followed by descriptions of the response of regulators to the use of FMEA and related methods in regulatory processes. The examples and regulatory experiences are based on a survey of and contributions by participating national committees. A bibliography is provided for further reference.

b) Situation of the current Technical Report in the structure of the IEC SC 45A standard series

IEC TR 62987 as a technical report is a fourth level IEC SC 45A document. For more details on the structure of the IEC SC 45A standard series, see item d) of this introduction.

c) Recommendations and limitations regarding the application of the Technical Report

It is important to note that a technical report is entirely informative in nature. It gathers data collected from different origins and it establishes no requirements.

d) Description of the structure of the IEC SC 45A standard series and relationships with other IEC documents and other bodies documents (IAEA, ISO)

The top-level document of the IEC SC 45A standard series is IEC 61513. It provides general requirements for I

- build fault tree(s) and compute the probability and occurrence frequencies of postulated events previously identified;
- verify that no hardware single failure could cause the loss of the safety function (complemented by the minimal cut (the order) provided by fault trees).

Outputs of FMEA on boards include the list of failures non-detected by the self-test that shall be covered by periodic tests and the board lifetime that leads to recommendation on preventive maintenance.

Figure 1 - Safety case studies including FMEAs (diagram not reproduced; labels recovered from it: Fault-tree analysis (Safety); Probabilities/Frequencies; Availability; MTBF; CCF (Common cause failure); Justification of single failure criterion; Minimal cut-sets; Maintainability; Failure modes (d, nd, i); Preventive maintenance; FMECA + FMES; Reliability and safety studies of boards; Failure modes (d, nd, i, c); Reliability; Lifetime; Undetected failures; Periodic tests; CCF; Described study)

System FMEA feeds different objectives. Its primary purpose is to summarize all the effects that the board (sub-system) failure modes can generate and provide monitoring test coverage. The types of failures and the system effects are used in upper level studies according to their relevance. This study also allows taking into account the fall-back positions, degradation, inhibitions and optional self-tests at the system level in order to build the rationale using fault trees and availability studies with regards to the system safety requirements.

7.2.3 System-level FMEA

The system level FMEA, which has been implemented for PWRs in France, followed the following steps:

- Determination of safety objectives of the protection system from reactor design requirements
- Description of the functional architecture of the system
- Statement of undesirable events of the system
- Identification of the critical paths (1)
- FMEA: description of the principles used for the analysis, definition of information and data used to carry out FMEA, identification of means of detection (with location) for the effects of postulated failures
- Summary of FMEA.

(1) All necessary components directly related to the fulfilment of the safety function carried out.

At that level, hypotheses have to be assumed for describing the limits of that study in terms of:

Analysis method:
- A single failure at a time is analysed (multiple failures are analysed by other types of studies).
- Human errors are excluded.
- Manual operations are excluded.
- Mechanical and electrical interfaces are assumed to be reliable (brackets, screws, nuts, cables, etc.); consequences of their degradation are thus not taken into account.
- Programmable systems have a deterministic behaviour (outputs depend on a finite set of observable input parameters and of a non-degraded state of the system hardware components).
- Catalectic failure is excluded (failure that causes an unexpected, full stop).
- Non-explicit failures are assumed undetected.

Input data: those coming from studies of reliability and safety of the boards that will be used as failure modes of the (sub-)system FMEA.

The FMEA conducted typically encompasses:

- A Functional Analysis, which contains: a description of the functional architecture of the system, and a description of the critical paths, to understand at first the nominal operation of the system and better infer the effects of failures (dysfunctional aspects). A critical path highlights the elements/components directly affecting the safety of the system, and therefore the parts that are particularly important for the analysis.
- A Dysfunctional Analysis, which contains: a description of the methodology, i.e. a description of the principles adopted for that FMEA (for example: analysis of all board failure modes, identifying for each the effect on equipment and the system with respect to monitoring still existing at each level), and a definition of degraded modes in case of inhibition or of a failure detection causing degradation in the voting logics (for example).
- A system(s) FMEA that includes: identification of the means of detection implemented (or to be implemented if necessary) which can be used in that FMEA (location, type, frequency, triggered action). The description of the action upon detection allows for identification and determination of the system behaviour due to sel
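The single-failure propagation and detection bookkeeping that 7.2.3 describes, as an added illustration (this is not code from the Technical Report or from any French licensing study): a toy system-level FMEA pass that takes board failure modes classified as detected ('d') or not detected ('nd'), analyses one failure at a time against k-out-of-n trip voting, and returns both the single-failure-criterion verdict and the list of undetected failures the periodic test programme has to cover. The board names, failure modes, local effects and the 2oo4 voting are constructed assumptions.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class FailureMode:
    """One row of a board-level study, used as input to the system FMEA."""
    board: str       # board / channel the mode belongs to (constructed name)
    mode: str        # failure mode as classified by the board study
    detection: str   # 'd' = detected by self-test, 'nd' = not detected
    effect: str      # local effect on the channel output: 'loss' or 'spurious'

def analyse_single_failure(fm, n_channels=4, k_vote=2):
    """Propagate one failure (single-failure hypothesis: every other channel is
    healthy) through k-out-of-n trip voting; return the system-FMEA row for it."""
    healthy = n_channels - 1
    if fm.effect == "loss":
        # Failed channel never demands a trip: on a real demand only the healthy
        # channels vote, so the safety function survives iff healthy >= k.
        function_available = healthy >= k_vote
        spurious_trip = False
    else:  # 'spurious': the failed channel permanently demands a trip
        function_available = True    # it can only add a trip vote
        spurious_trip = k_vote <= 1  # one stuck vote suffices only for 1ooN
    if fm.detection == "d":
        # Detected by self-test: the channel is inhibited and voting degrades.
        action = f"inhibit {fm.board}; voting degrades to {k_vote}oo{healthy}"
    else:
        # Not detected on line: stays latent until a periodic test finds it.
        action = "none until periodic test"
    return {"board": fm.board, "mode": fm.mode, "detection": fm.detection,
            "function_available": function_available,
            "spurious_trip": spurious_trip, "action_on_detection": action}

def system_fmea(modes, n_channels=4, k_vote=2):
    """One failure at a time over the whole input list (no double failures)."""
    return [analyse_single_failure(fm, n_channels, k_vote) for fm in modes]

def single_failure_criterion_met(rows):
    """True iff no single failure loses the safety function or trips spuriously."""
    return all(r["function_available"] and not r["spurious_trip"] for r in rows)

def undetected_for_periodic_test(rows):
    """Failures the self-test misses: the list handed to the periodic test programme."""
    return [(r["board"], r["mode"]) for r in rows if r["detection"] == "nd"]

# Constructed sample input standing in for the board reliability/safety studies.
BOARD_MODES = [
    FailureMode("acquisition board A1", "ADC frozen at last value", "d", "loss"),
    FailureMode("acquisition board A1", "reference drift out of band", "nd", "loss"),
    FailureMode("logic board L1", "output relay welded open", "nd", "loss"),
    FailureMode("logic board L1", "watchdog forces trip output", "d", "spurious"),
]
```

Running the same input with n_channels=2 makes every 'loss' mode defeat a 2oo2 vote, which is the kind of single-failure violation this analysis is meant to surface before the fault-tree and minimal cut-set work complements it.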