Abstract

In technical facilities, for example in nuclear power plants, redundant systems are used to prevent random failures from disabling the complete system function. Although this redundancy concept is adequate to cope with random failures in single redundancies, its applicability is limited in the case of multiple failures arising from a systematic failure cause to which all redundancies are subject because of their identical features. Some general considerations have been formulated to rule out the occurrence of such common mode failure (CMF) in redundant systems under certain circumstances. CMF means that in more than one redundancy the systematic failure cause is activated at the same time, or within the same frame of time (e.g. during the mission time for an accident). A distinction must therefore be made between the systematic cause and the actual occurrence of CMF: a latently existing systematic cause does not necessarily lead to simultaneous failure; it must be activated and is therefore only the prerequisite for CMF. A systematic cause results in simultaneous failure if
• the systematic cause is activated by specific circumstances associated with the accident: a triggering effect to which the redundancies are subjected because of their identical features, or
• previous failures have accumulated undetected before the accident and now appear on demand because of the accident.
For exclusion of CMF, both the exclusion of a triggering effect and the exclusion of accumulation are necessary. A trigger can be excluded if the components are not affected by the accident at all, or are not subjected to any ‘abnormal’ operation. Accumulation can be ruled out by self-annunciation. From this a matrix for excluding CMF-susceptibility has been derived.
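The exclusion rule in the abstract has two independent routes to CMF (a trigger during the accident, or failures accumulated beforehand), so CMF is excluded only when both routes are closed. The following Python is an added illustration of that reasoning, not the paper's own matrix: the field names, the sample redundancies and the 2x2 layout are constructed here from the abstract's wording.

```python
"""Worked illustration of the CMF-exclusion reasoning summarised in the abstract.

Rule as stated on the page:
  - a trigger is excluded if the component is not affected by the accident at
    all, or is affected but not driven into 'abnormal' operation;
  - accumulation of undetected failures is excluded by self-annunciation;
  - CMF is excluded only if BOTH the trigger and accumulation are excluded.
All names and sample data below are constructed for this example.
"""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Redundancy:
    name: str
    affected_by_accident: bool   # accident conditions reach the component at all
    abnormal_operation: bool     # the accident demands operation outside the normal envelope
    self_annunciating: bool      # a fault announces itself (alarm, fail-safe state) when it occurs


def trigger_excluded(r: Redundancy) -> bool:
    """Trigger route closed: accident does not touch the component, or asks nothing abnormal of it."""
    return (not r.affected_by_accident) or (not r.abnormal_operation)


def accumulation_excluded(r: Redundancy) -> bool:
    """Accumulation route closed: every failure reveals itself, so none can pile up undetected."""
    return r.self_annunciating


def cmf_susceptible(r: Redundancy) -> bool:
    """Either open route is enough for CMF; exclusion needs both routes closed."""
    return not (trigger_excluded(r) and accumulation_excluded(r))


def exclusion_matrix() -> dict:
    """The 2x2 matrix over the two criteria, keyed (trigger_excluded, accumulation_excluded).
    Exactly one cell, (True, True), yields an exclusion verdict."""
    return {
        (t, a): ("excluded" if (t and a) else "susceptible")
        for t, a in product((True, False), repeat=2)
    }


def assess(redundancies) -> dict:
    """Map each redundancy to its verdict under the matrix."""
    return {r.name: ("susceptible" if cmf_susceptible(r) else "excluded") for r in redundancies}


# Constructed sample set covering the interesting cells of the matrix.
SAMPLE_REDUNDANCIES = (
    # affected and driven abnormally, faults silent: both routes open
    Redundancy("pump_train_A", True, True, False),
    # affected and driven abnormally, but self-annunciating: trigger route still open
    Redundancy("pump_train_B", True, True, True),
    # untouched by the accident, but silent faults can accumulate and appear on demand
    Redundancy("isolated_sensor", False, False, False),
    # affected only within normal operation and self-annunciating: both routes closed
    Redundancy("monitored_relay", True, False, True),
)

if __name__ == "__main__":
    for (t, a), verdict in exclusion_matrix().items():
        print(f"trigger_excluded={t!s:5} accumulation_excluded={a!s:5} -> {verdict}")
    for name, verdict in assess(SAMPLE_REDUNDANCIES).items():
        print(f"{name:16} -> {verdict}")
```

Only `monitored_relay` lands in the single excluded cell; `isolated_sensor` shows why closing the trigger route alone is not enough, which is the point the abstract makes about accumulation.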
