Common cause failures

from Wikipedia, the free encyclopedia

Common cause failures (also common-cause failure, jointly caused failure, abbreviated GVA; English: common cause failures, CCF) are, in risk analysis, failures of several components or systems that result from a single fault cause or a single event. The failure behaviour of the affected components is therefore statistically dependent.

Types of dependent failures

Failures due to a common cause must first be distinguished from failures of the same type (common mode failures), which are characterised by the same failure sequence (failure mode).

There are three fundamentally different types of failure due to a common cause:

  • Failures due to a common external cause (secondary failures),
  • Failures due to functional dependencies between the components (commanded failures),
  • Failures due to a common cause inherent in the components (GVA).

Secondary failures can be triggered by unexpected environmental conditions such as moisture, vibration or heat that cause several components to fail (an "extrinsic dependency"). If all pumps of a sprinkler system are in the same room, all of them can fail at the same time if the room becomes too hot (e.g. as a result of a fire) or is flooded by a water leak (possible common causes of failure).

Commanded failures occur when several components share control or supply systems (energy supply, ventilation, cooling water) whose failure simultaneously causes the subsequent failure of the supplied components (an "intrinsic / functional input dependency"). (In a detailed fault tree analysis these functional dependencies are represented in the fault tree model and can therefore be assessed explicitly.)
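The following is an added example, not part of the article, showing why a shared supply system must appear in the fault tree model to be assessed explicitly. It is a minimal fault tree evaluator written for this page; the tree shapes, the event names (pump_A, pump_B, power_bus) and the per-demand probabilities are constructed for illustration and do not come from the article or its sources.

```python
from itertools import product

# Fault tree representation used by this example (assumption, not a standard):
# a gate is ("AND", [children]) or ("OR", [children]); a leaf is a string
# naming a basic event. A basic event that appears under more than one gate
# is exactly how a functional dependency (shared supply) becomes visible.


def evaluate(node, state):
    """True if the failure condition of `node` holds for the basic-event state."""
    if isinstance(node, str):
        return state[node]
    gate, children = node
    results = [evaluate(child, state) for child in children]
    return all(results) if gate == "AND" else any(results)


def top_event_probability(tree, basic_probs):
    """Exact top-event probability by enumerating every basic-event state.

    Basic events are assumed independent; the only dependency between
    the redundant branches is the basic event they share.
    """
    names = list(basic_probs)
    total = 0.0
    for bits in product((False, True), repeat=len(names)):
        state = dict(zip(names, bits))
        if evaluate(tree, state):
            weight = 1.0
            for name, failed in state.items():
                weight *= basic_probs[name] if failed else 1.0 - basic_probs[name]
            total += weight
    return total


def minimal_cut_sets(tree, names):
    """All minimal sets of failed basic events that cause the top event.

    A single-element cut set is a single point of failure that defeats
    the redundancy, which is what a commanded failure looks like.
    """
    cuts = []
    for bits in product((False, True), repeat=len(names)):
        state = dict(zip(names, bits))
        if evaluate(tree, state):
            cuts.append(frozenset(n for n, failed in state.items() if failed))
    minimal = [c for c in cuts if not any(other < c for other in cuts)]
    return sorted(minimal, key=lambda c: (len(c), sorted(c)))


# Constructed failure probabilities per demand (not taken from the article)
PROBS = {"pump_A": 1e-2, "pump_B": 1e-2, "power_bus": 1e-3}

# Naive model: both pumps must fail, each for its own reasons; the shared
# power bus is not modelled at all.
NAIVE_TREE = ("AND", ["pump_A", "pump_B"])

# Detailed model: each pump fails if its own hardware fails OR the shared
# bus fails. The bus appears under both branches of the AND gate.
DETAILED_TREE = ("AND", [("OR", ["pump_A", "power_bus"]),
                         ("OR", ["pump_B", "power_bus"])])

if __name__ == "__main__":
    print("naive   :", top_event_probability(NAIVE_TREE, PROBS))
    print("detailed:", top_event_probability(DETAILED_TREE, PROBS))
    print("cut sets:", [sorted(c) for c in minimal_cut_sets(DETAILED_TREE, list(PROBS))])
```

With these constructed numbers the naive tree gives 1.0 × 10⁻⁴ for the loss of both pumps, while the detailed tree gives about 1.1 × 10⁻³, because the single cut set {power_bus} dominates the two-pump cut set {pump_A, pump_B}. Exhaustive enumeration is exponential in the number of basic events and is only meant to make the dependency effect visible on a small tree; real PSA tools work from minimal cut sets instead.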

Failures due to a common cause inherent in several components occur with components of the same type from one manufacturer, especially under the same operating conditions; the same applies to equipment of the same type serving several components. Such failures can be caused by hidden design or manufacturing errors, by incorrect maintenance measures (such as a faulty test concept or a faulty lubricant or cleaning agent) or by the use of the same (faulty) software.

Importance of common cause failures

Failures due to a common cause are of particular importance when they cause an undesired loss of redundancy in safety-relevant subsystems. Great importance must therefore be attached to avoiding this possibility, especially for failures that cause great danger. Examples are the safety systems of nuclear power plants or aircraft.

In probabilistic safety analyses (PSA), and especially in fault tree analysis, the jointly caused failure (GVA) is analysed explicitly (see Chapter 3.3).

Common cause failure strategies

Strategies against common cause failures (GVA) include, for example, spatial separation, the use of diverse software and the use of diverse redundant components, e.g. components connected in parallel from different manufacturers; see diversity (technology).

Shortening the test intervals for redundant components also reduces the probability of a GVA, because for a number of causes (in particular contamination, corrosion, sticking and wear, i.e. GVA events of the category "non-lethal shock") the failures of the components of a redundancy group occur at different times. When the first failure is detected, an impending GVA can be averted by eliminating its cause, since the other components of the redundancy group are still intact.

Models for the quantification of GVA

A "jointly caused failure" (GVA) of a component group arises in principle from two factors: (1) the susceptibility of the components to a certain cause of failure ("root cause") and (2) a mechanism (coupling factor) that creates the conditions for the multiple failure.

Example: two pressure relief valves fail to open in the event of overpressure because their response pressure was set too high (a personnel error / "human error").

The GVA models distinguish two main types of failure behaviour of redundant component groups:

  • Lethal shock: all components of the redundancy group fail due to a common failure cause (the coupling probability of every component is 1).
  • Non-lethal shock: the components of the redundancy group are affected by a common failure mechanism, but the degree of damage to the individual components varies from slight to complete (coupling probabilities from 0 to 1).

Evaluating operating experience to obtain GVA probabilities is unambiguous for "lethal shock" events, i.e. the failure of all components of the redundancy group.

For "non-lethal shock" events, the degree of damage to the individual components must be estimated in the form of a coupling probability ("expert estimate") in order to obtain GVA probabilities. This estimate is usually subject to considerable uncertainty, since it depends on the experience of the expert and, in particular, on the quality of the description of the damage and its cause. Determining and describing the basic cause of the damage ("root cause") is not trivial; it often goes undetected and frequently only becomes apparent when the event recurs. In addition to the statistical spread of the collected data, an interpretation uncertainty is therefore determined, by which the uncertainty factor or scatter factor (K) is widened (K ≥ 4).

Determination of GVA probabilities

The GVA probabilities of the component groups are determined from the number of observed GVA events, the estimated coupling probabilities and the observation times (the operating times of the power plants) of the respective group. In the probabilistic model they represent unavailabilities.

GVA probabilities derived from the operating experience of nuclear power plants are given in Appendix A (Generic GVA probabilities) for various redundancy groups (such as valves, gate valves, heat exchangers, fans, pumps, diesel units, measuring devices, batteries, switches and relays; see the examples in the table below).

Table: GVA probabilities of redundancy groups (2 of 2) and (3 of 3).

Component group (observation time)   GVA events  Failure mode    Test interval  GVA probability 2 of 2  GVA probability 3 of 3
                                                                                (scatter factor)        (scatter factor)
Centrifugal pump (920 years)         8           does not start  monthly        1.2 × 10⁻⁴ (4.0)        8.1 × 10⁻⁵ (4.9)
Diesel generator (326 years)         7           does not start  monthly        2.2 × 10⁻⁴ (4.0)        1.4 × 10⁻⁴ (5.5)
Motor-driven gate valve in the       21          does not open   monthly        1.3 × 10⁻⁴ (4.0)        9.3 × 10⁻⁵ (4.2)
cooling water system (3,950 years)               does not open   yearly         1.7 × 10⁻³ (4.0)        1.2 × 10⁻³ (4.2)
                                     14          does not close  monthly        1.1 × 10⁻⁴ (4.0)        8.2 × 10⁻⁵ (4.2)
                                                 does not close  yearly         1.5 × 10⁻³ (4.0)        1.1 × 10⁻³ (4.2)

The GVA probabilities of the redundancy groups (2 of 2) and (3 of 3) differ only slightly because of the coupling probabilities, i.e. the gain in reliability from a higher degree of redundancy is marginal.

The test interval, on the other hand, has a significantly greater influence, since the majority of GVA events fall into the "non-lethal shock" category, and such a GVA event can already be detected by a test before all components of the redundancy group have failed. The GVA probabilities of groups tested monthly therefore differ from those of groups tested annually by practically an order of magnitude, i.e. the test interval enters the GVA probabilities almost linearly.
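The following is an added worked example, not part of the article and not the model of the cited BfS documents. It puts numbers to three statements above: that shorter test intervals reduce the GVA probability, that the GVA probability follows from observed events, estimated coupling probabilities and the observation time, and that 2-of-2 and 3-of-3 groups differ little while monthly and yearly testing differ by roughly the ratio of the intervals. Two simplifications are assumed here for illustration: an event with coupling probability p is counted as a k-of-k failure with weight p^k, and the unavailability of a periodically tested standby function is taken as failure rate × test interval / 2. The event records, the observation time and the reading of the scatter factor K as a lognormal 90 % interval [p/K, p·K] are constructed assumptions, not data from the article.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class GvaEvent:
    """One observed GVA event of a redundancy group (constructed record).

    coupling is the expert-estimated probability that the common cause
    disabled any one component of the group: 1.0 is a lethal shock,
    a value below 1.0 a non-lethal shock.
    """
    root_cause: str
    coupling: float


def all_k_fail_weight(event: GvaEvent, k: int) -> float:
    # Share of this event that counts as a k-of-k failure. Assumption of
    # this example: given the common cause, each component is hit
    # independently with probability `coupling`, so all k fail with p ** k.
    return event.coupling ** k


def gva_failure_rate(events, observation_years: float, k: int) -> float:
    # Weighted number of k-of-k events per year of group operation
    return sum(all_k_fail_weight(e, k) for e in events) / observation_years


def gva_probability(events, observation_years: float, k: int,
                    test_interval_years: float) -> float:
    # Mean unavailability of a periodically tested standby function,
    # assumed here as rate * tau / 2: an undetected failure persists until
    # the next test and is present for half the interval on average.
    rate = gva_failure_rate(events, observation_years, k)
    return rate * test_interval_years / 2


def scatter_interval(point: float, K: float):
    # Assumed reading of the scatter factor K: 90 % interval of a lognormal
    # distribution with median `point`, i.e. [point / K, point * K]
    return point / K, point * K


# Constructed operating experience for one pump redundancy group. The
# causes mirror the categories named in the article; the numbers are invented.
PUMP_EVENTS = [
    GvaEvent("response set-point set too high after maintenance", 1.0),
    GvaEvent("corroded bearings", 0.5),
    GvaEvent("wrong lubricant used on all pumps", 0.8),
    GvaEvent("contaminated suction line", 0.3),
]
OBSERVATION_YEARS = 400.0
MONTHLY, YEARLY = 1 / 12, 1.0

if __name__ == "__main__":
    for k in (2, 3):
        for name, tau in (("monthly", MONTHLY), ("yearly", YEARLY)):
            p = gva_probability(PUMP_EVENTS, OBSERVATION_YEARS, k, tau)
            lo, hi = scatter_interval(p, 4.0)
            print(f"{k} of {k}, tested {name}: {p:.2e}  (K = 4: {lo:.1e} .. {hi:.1e})")
```

With these constructed events the 3-of-3 probability is about 84 % of the 2-of-2 value, because the lethal-shock event (coupling 1.0) contributes the same weight at every redundancy level; a group whose history contains only lethal shocks would show no difference at all. Under the rate × τ / 2 simplification the monthly and yearly values differ by exactly the factor 12; the article's "almost linearly" reflects that the real evaluation contains further terms that do not scale with the interval.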

Sources

  1. Safety of machines, ZVEI, April 2012.
  2. "Methods for probabilistic safety analysis for nuclear power plants" (PDF; 2.9 MB), Appendix D1: Models for the quantification of GVA, Dec. 1996, BfS-KT-16-97.
  3. DIN EN ISO 12100 Safety of machinery - General principles for design - Risk assessment and risk reduction.
  4. DIN 25424 Fault Tree Analysis, edition 1981-09, Beuth Verlag, Berlin.
  5. Common-Cause Failure Database and Analysis System: Event Data Collection, Classification, and Coding, NUREG/CR-6268, Rev. 1, September 2007 (PDF; 6.64 MB).
  6. Data for the quantification of event sequence diagrams and fault trees, Appendix A: Generic GVA probabilities, pages A1 - A166, March 1997, BfS-KT-18/97.