• 20463 Cox Road, Athens, AL 35611
www.esinuclear.com

This Attachment is used as a template for the preparation of Failure Modes and Effects Analysis (FMEA). FMECA (Failure Modes, Effects and Criticality Analysis) is an extension to the FMEA that also includes a means of ranking the severity of the failure modes to allow prioritization of countermeasures.

Note that customer formats may be used instead of this template.

FAILURE MODES AND EFFECTS ANALYSIS (FMEA)

Title

PROJECT NUMBER

xxx

DOCUMENT NUMBER

xxx

REVISION xx

Proprietary Information
The information contained in this document is proprietary and confidential to Engineered Solutions, Inc. for the specific use of {customer name}. No copies shall be transmitted or otherwise disclosed without written permission from Engineered Solutions, Inc.

EP-11, Attachment A Page 1 of 16

Engineered Solutions, Inc.

Failure Modes and Effects Analysis (FMEA)

REVISION LOG

REV. NO. / DATE / DESCRIPTION OF REVISION /
0 / / 

Prepared by: / Date: 
Verified by: / Date: 

Table of Contents

1.0 PURPOSE 4

2.0 REFERENCES 4

3.0 SCOPE OF ANALYSIS 5

3.1 Annotated Drawings [Optional] 5

3.2 Modification Scope – Component List 5

4.0 FAILURE MODES AND EFFECTS ANALYSIS APPROACH 6

4.1 Definitions and Acronyms 6

4.2 Analysis Methodology 7

4.2.1. Events Evaluated for System Effects [Typically Reference the FSAR] 7

4.2.2. xxxx Operating Modes Evaluated for System Effects 7

4.2.3. xxxx Component Failure Modes Evaluated 7

4.2.4. xxxx System Single Failure Criterion 7

4.2.5. xxxx System Level Failure Modes 7

4.2.6. Effects of a Loss of Offsite Power 7

4.2.7. Physical and Electrical Separation 7

4.2.8. Cascading Failures 7

4.2.9. Common Cause Failures 7

4.2.10. Common Mode Software Failure 8

4.2.11. Software/firmware Errors 8

4.2.12. Configuration Settings Errors 8

4.2.13. Instrumentation Evaluated 8

4.2.14. Control Panel Lamps and Meters 8

4.2.15. Application of Operator Error 8

4.2.16. Interface with other systems 8

4.2.17. Beyond Design Basis Events 8

4.3 Assumptions 9

5.0 FMEA (OR FMECA) TABLE FORMAT 9

6.0 CONCLUSIONS 15


1.0 PURPOSE

This report presents a Failure Modes and Effects Analysis (FMEA) for the …..

2.0 REFERENCES

2.1.  Technical Specification and Bases (Amendment 139)

a)  List sections

b) 

c) 

d) 

2.2.  FSAR Sections

a)  List Sections

b) 

c) 

d) 

2.3.  Design Basis Documents (or design criteria)

a)  List documents

b) 

c) 

d) 

2.4.  Specifications

a) 

b) 

2.5.  Drawings

a) 

b) 

c) 

2.6.  Calculations

a) 

b) 

c) 

2.7.  Vendor Manuals:

a) 

b) 

c) 

d) 

2.8.  Standards

a) 

b) 

c) 

d) 

2.9.  Procedures

a) 

b) 

c) 

2.10.  Vendor Qualification Reports

a) 

b) 

c) 

d) 

2.11.  Maintenance and Surveillance Test Instructions

a) 

b) 

c) 

d) 

2.12. 

2.13. 

3.0 SCOPE OF ANALYSIS

This Section defines the components that are within the scope of the xxxx System FMEA. The xxxx Control System drawings were reviewed to define the applicable components. The applicable drawings are attached [optional] to identify those components within the analysis scope.

Describe the modified system.

3.1 Annotated Drawings [Optional]

The following drawings have been annotated to define the boundary of the FMEA. These annotated drawings are attached to this analysis. [May also provide a sketch or reference the drawings]

a) 

b) 

c) 

3.2 Modification Scope – Component List

Describe the scope of the modification. The table below may be used to identify the impacted components.

Component ID / Component Description / Impact of Modification /

4.0 FAILURE MODES AND EFFECTS ANALYSIS APPROACH

This section presents the approach used by the analyst in the preparation of the FMEA of the xxxxx System.

4.1 Definitions and Acronyms

TERMS / ACRONYMS / DESCRIPTION / DEFINITION /

4.2 Analysis Methodology

4.2.1.  Events Evaluated for System Effects [Typically Reference the FSAR]

4.2.2.  xxxx Operating Modes Evaluated for System Effects

4.2.3.  xxxx Component Failure Modes Evaluated

[e.g. valves fail open, fail closed, fail as is. Relays fail de-energized, fail energized]

4.2.4.  xxxx System Single Failure Criterion

The xxxxx system is (or is not) required to be single failure proof. Redundancy is provided by xxxxxxx.

4.2.5.  xxxx System Level Failure Modes


4.2.6.  Effects of a Loss of Offsite Power

The xxxxx system is powered from the xxxxx. The effects of a loss of offsite power are (or are not) considered in this evaluation.

4.2.7.  Physical and Electrical Separation

Physical and electrical separation between the xxxxx system and redundant systems ensures that there are no common cause failures that could impact both systems. Therefore, redundancy and defense in depth for a postulated single failure in the xxxxx system are provided by the xxxxx system to ensure that system functions are performed.

4.2.8.  Cascading Failures

4.2.9.  Common Cause Failures

4.2.10.  Common Mode Software Failure

There is (or is not) a potential for a common mode software failure in the new xxxx digital system that could also impact the redundant systems.

4.2.11.  Software/firmware Errors

Software/firmware errors are considered a failure mechanism of the xxxx system component containing the software/firmware. Therefore, the failure modes of any component containing software/firmware also evaluate the effects of a software/firmware error. Operator error that results in incorrect configuration parameters or jumper settings is considered a failure mechanism that results in a software error.

4.2.12.  Configuration Settings Errors

Configuration settings for the xxxxx may be entered or verified by the xxxx display panel or by connection of a maintenance laptop computer. Connection of this laptop computer would only be made during xxxxx maintenance periods when xxx is not considered operable. Therefore, a failure of the laptop computer impacting the xxxx system during operation is not evaluated.

4.2.13.  Instrumentation Evaluated

Instrumentation is limited to active system components that provide a control function. Not all instrumentation shown on the flow schematic and control drawings is within the scope of the FMEA evaluation [list the excluded instrumentation].

4.2.14.  Control Panel Lamps and Meters

Panel status lamps and meters that only provide indications are evaluated together as a group of components where it is shown that their failure cannot adversely impact the control system function.

4.2.15.  Application of Operator Error

Operator error is considered as an applicable failure mode during xxxx system operation for components that require manual operation. Operator error that results in incorrect configuration parameters or jumper settings is considered a failure mechanism that results in a software error.

4.2.16.  Interface with other systems

xxxxxx.

4.2.17.  Beyond Design Basis Events

xxxxxx.

4.3 Assumptions

Document any assumptions and justification for the assumptions.

4.3.1.  Xxxx

4.3.2.  xxxx

5.0 FMEA (OR FMECA) TABLE FORMAT

FMECA (Failure Modes, Effects and Criticality Analysis) is an extension to a FMEA to include a means of ranking the severity of the failure modes to allow prioritization of countermeasures. This is done by combining the severity measure and frequency of occurrence to produce a metric called criticality.

Criticality analysis should only be performed when known and documented component failure rates are available or can be determined. Subjective or estimated failure rate information should not be used.

5.1.  Item Reference Number – Individual components, and in some instances a group of components, are assigned a reference number in the analysis worksheets (e.g., 1.0, 2.0, 3.0, ...). When more than one failure mode is applicable to a specific component, a secondary level of reference is applied (e.g., 1.1 – fails open, 1.2 – fails closed, 1.3 – fails as is). When the discussion and format of the analysis worksheets (e.g., failure symptoms and local effects, inherent compensating provisions, and effect on the System) are similar or applicable for more than one component failure, the initial discussion is normally referenced in lieu of repeating an identical discussion.

5.2.  Component ID, Description and Function – The name and description of the hardware (equipment, component, or subcomponent) being analyzed in the FMECA. Provide the description of the function of the component. Identify if the item provides an active safety function (e.g. the device must operate to perform its safety function), or if it provides a passive safety function (e.g. the device is not electrically isolated from active safety components and if failed as a short could adversely impact other components). Separate line items should be listed in cases where components must perform multiple functions.

5.3.  Component Safety Classification

Component Safety Classification / IEEE 323 Electrical Classification / Description /
SR - Active (Safety Related) / 1E / Active component must operate for the system to satisfy a safety function during operation.
SR - Associated (Safety Related) / 1E / Component does not have to operate for the system to satisfy a safety function during operation, but is not electrically isolated from SR components.
SR - Passive (Safety Related) / 1E or Mechanical/Structural / Passive component does not have to change state for the system to satisfy a safety function during operation.
Non-SR (Non Safety Related) / Non-1E / The component does not have to operate for the system to satisfy a system safety function during operation. It is electrically isolated from Safety Related 1E components by a separate power supply or 1E fuse such that a failure will not adversely impact any Safety Related 1E components.

5.4.  Failure Mode – A list of each credible failure mode for the component, system, or feature being analyzed (e.g. fails high, fails low, fails as is). In many cases, different failure states should be addressed separately. For example, if a switch could fail either open or closed, these failures will result in different effects on the system, and they should be assessed separately. Multiple operating modes can be listed for each failure mode if the impact of the failure mode is dependent on the operating modes. In some cases, failures can result in different effects under different operating modes, and the FMEA should address all potential effects.

5.5.  Failure Mechanism – List the possible causes of each failure mode for the component, system, or feature being analyzed. Since failure modes may have more than one cause, all probable independent causes for each failure mode should be identified.

5.6.  Failure Effects – This should include the following:

·  Local Effects – the immediate effects of the failure on the component or function being analyzed. Local effects should include whether the failure reduces the reliability or redundancy of the equipment, or otherwise reduces its capabilities.

·  End Effects – the total effect that the failure being analyzed has on system operation, function, or status of the component or function being analyzed. End effects include assessing whether correcting the failure can be accomplished with the equipment on-line.

5.7.  Method of Detection – A description of the manner in which the failure mode can be identified. Where applicable, specific alarms or indicators should be identified where failure modes are automatically detected. In cases where a common set of symptoms occurs for more than one failure mode, detection methods should be sufficiently detailed to identify a unique failure mode. The FMEA table should state whether the postulated failure must be detected through periodic testing, is revealed by an alarm or indication, or is detectable by other means. Where latent failures or compromised material conditions could exist for extended periods of time before they are identified or corrected, the FMEA should consider the possibility of these compromised conditions at the time of other types of failures. For failure modes that can only be identified by detailed tests or equipment troubleshooting methods, a description of the necessary tests should be provided.

5.8.  Compensating Provisions or Mitigating Actions – Identify any actions to mitigate or minimize the potential for the failure (e.g. periodic maintenance, operator rounds, etc.).

5.9.  Remarks – Provide an amplifying discussion and applicable references that are specific to the components (e.g. vendor information).

5.10.  OPTIONAL for FMECA -- Probability of Detection – An estimate of the chance to identify and eliminate the failure before the system safety related functions are affected.

Probability of Detection Ranking / Detection Probability / Criteria: Likelihood of detection during operation /
1 / Certain / Proven detection methods available such that the failure would be detected and initiate the applicable main control room alarm.
2 / Very high / Monitoring of system performance by plant operators using available indications would provide indications of a potential failure.
3 / High / Proven detection methods available such that the failure would be detected during the performance of routine testing (monthly or quarterly) and initiate the applicable main control room alarm.
4 / Moderately high / Monitoring of system performance by plant operators using available indications would provide indications of a potential failure during frequently performed routine testing (monthly or quarterly).
5 / Medium / Monitoring of system performance by plant operators using available indications during operation.
6 / Low / Performance of periodic plant surveillance tests (18 – 24 months) would reveal the failure. Includes verification of software configuration parameters as applicable.
7 / Slight / Performance of system component maintenance and inspections of system components.
8 / Very slight / Performance of infrequent special plant tests. Typically only performed as a type test during first unit installation.
9 / Remote / Re-performance of individual component tests that are typically only performed during the manufacturing process such as routine transformer tests or tests utilizing only unproven or unreliable methods.
10 / Impossible / No known methods of detection available.

5.11.  OPTIONAL for FMECA -- Severity – A classification of the importance of the failure mode on equipment operation.

Severity Class / Severity Level / Consequence to Safety Related Functions or Personnel Safety / Comments /
10 / Catastrophic, time to repair > one week / A failure mode which could immediately result in the failure of the system such that it cannot perform its safety functions, or causes serious damage to the system and its environment and/or personal injury. / Repair parts are not readily available and must be ordered.
9 / Catastrophic, time to repair between 72 hours and one week / A failure mode which could immediately result in the failure of the system such that it cannot perform its safety functions (such as system trip), or causes serious damage to the system and its environment and/or personal injury. / Repair parts available but not on site (assume 2-3 days delivery time) and a maintenance work package is required. Estimated time is 3-6 twelve hour shifts to effect repairs.
8 / Catastrophic, time to repair between 48 and 72 hours / A failure mode which could immediately result in the failure of the system such that it cannot perform its safety functions (such as system trip), or causes serious damage to the system and its environment and/or personal injury. / Repair parts available on site and a maintenance work package is required. Estimated time is 3-6 twelve hour shifts to effect repairs.
7 / Catastrophic, time to repair between 24 and 48 hours / A failure mode which could immediately result in the failure of the system such that it cannot perform its safety functions (such as system trip), or causes serious damage to the system and its environment and/or personal injury. / Repair parts available on site and a maintenance work package is required. Estimated time is 1-3 twelve hour shifts to effect repairs.
6 / Catastrophic, time to repair between 12 and 24 hours / A failure mode which could immediately result in the failure of the system such that it cannot perform its safety functions (such as system trip), or causes serious damage to the system and its environment and/or personal injury. / Repair parts available on site and a maintenance work package is required. Estimated time is less than one shift to effect repairs.
5 / Catastrophic, time to repair < 12 hours / A failure mode which could immediately result in the failure of the system such that it cannot perform its safety functions (such as system trip), or causes serious damage to the system and its environment and/or personal injury. / Repair parts available on site and a maintenance work package is not required (e.g. fuse replacement). Estimated time is less than one shift to effect repairs.
4 / Critical / A failure mode which could potentially degrade system performance or redundancy (such as failure of an automatic start input), but the system can still perform its safety functions with manual operator action assumed during the event and with no appreciable damage to system or personnel injury. / Immediate Action Required
3 / Major / A failure mode which could over time result in the failure of the system such that it cannot perform its safety functions and where operators have time to correct the deficiency. / No Immediate Action Required
2 / Marginal / A failure mode which could potentially degrade system performance or redundancy (such as a cell bypass or loss of a single cooling fan), but the system can still perform its safety functions without any operator action and no appreciable damage to the system or personnel injury. / No Immediate Action Required
1 / Insignificant / A failure mode which does not adversely impact any safety function. However, it could potentially degrade a system component that does not perform any active safety functions (such as a loss of local power indication) and causes no damage to the system or potential for personnel injury. / No Immediate Action Required

5.12.  OPTIONAL for FMECA -- Probability of Occurrence – Component failure rates indicating the probability of a failure derived from a documented source.
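The worked example below is added to this attachment for illustration; it is not part of the EP-11 template and not a tool of Engineered Solutions, Inc. It models one row of the Section 5 table as a Python dataclass, numbers rows the way Section 5.1 describes (N.0 for a single failure mode, N.1, N.2, ... when several apply), checks rows against the Section 5.3, 5.10 and 5.11 scales, and ranks the optional FMECA columns. The class and function names, the sample cooling-water components, the placeholder failure-rate source and the criticality rule (severity class multiplied by the documented failure rate, expressed per million hours) are this example's own assumptions; Section 5 only states that severity and frequency of occurrence are combined. A row whose failure rate has no documented source is deliberately left out of the ranking, following the Section 5 rule that subjective or estimated failure rates are not used for criticality.

```python
# Added example, not part of the EP-11 template. Names, sample rows and the
# severity x failure-rate criticality rule are this example's assumptions.
from dataclasses import dataclass
from typing import Optional

SAFETY_CLASSES = ("SR - Active", "SR - Associated", "SR - Passive", "Non-SR")   # Section 5.3
SEVERITY_LEVEL = {**{c: "Catastrophic" for c in range(5, 11)},
                  4: "Critical", 3: "Major", 2: "Marginal", 1: "Insignificant"}  # Section 5.11
DETECTION_PROBABILITY = {1: "Certain", 2: "Very high", 3: "High", 4: "Moderately high",
                         5: "Medium", 6: "Low", 7: "Slight", 8: "Very slight",
                         9: "Remote", 10: "Impossible"}                          # Section 5.10


@dataclass
class WorksheetItem:
    """One FMEA table row (Sections 5.2 to 5.9) plus the optional FMECA columns."""
    component_id: str
    description: str
    safety_class: str
    failure_mode: str
    failure_mechanism: str
    local_effects: str
    end_effects: str
    detection_method: str
    compensating_provisions: str
    severity: Optional[int] = None                 # Section 5.11 class, 1..10
    detection: Optional[int] = None                # Section 5.10 ranking, 1..10
    failure_rate_per_hour: Optional[float] = None  # Section 5.12
    failure_rate_source: Optional[str] = None      # document the rate was taken from
    ref: str = ""                                  # filled in by assign_references()


def validate(item: WorksheetItem) -> list:
    """Return the format problems found in one row; an empty list means the row is acceptable."""
    problems = []
    if item.safety_class not in SAFETY_CLASSES:
        problems.append(f"{item.component_id}: unknown safety classification {item.safety_class!r}")
    if item.severity is not None and item.severity not in SEVERITY_LEVEL:
        problems.append(f"{item.component_id}: severity class {item.severity} is outside 1..10")
    if item.detection is not None and item.detection not in DETECTION_PROBABILITY:
        problems.append(f"{item.component_id}: detection ranking {item.detection} is outside 1..10")
    if item.failure_rate_per_hour is not None and not item.failure_rate_source:
        problems.append(f"{item.component_id}: failure rate has no documented source")
    return problems


def assign_references(items: list) -> list:
    """Number rows per Section 5.1: one failure mode -> N.0; several -> N.1, N.2, ... in order."""
    components = list(dict.fromkeys(it.component_id for it in items))  # first-seen order
    counters = {cid: 0 for cid in components}
    for it in items:
        n = components.index(it.component_id) + 1
        if sum(1 for x in items if x.component_id == it.component_id) == 1:
            it.ref = f"{n}.0"
        else:
            counters[it.component_id] += 1
            it.ref = f"{n}.{counters[it.component_id]}"
    return items


def criticality(item: WorksheetItem) -> Optional[float]:
    """Assumed rule: severity class x failure rate per million hours.
    Returns None when no documented rate exists, so the row stays FMEA-only."""
    if item.severity is None or item.failure_rate_per_hour is None or not item.failure_rate_source:
        return None
    return round(item.severity * item.failure_rate_per_hour * 1e6, 3)


def prioritize(items: list):
    """Return (rows ranked by criticality, highest first) and (rows with no documented rate)."""
    scored = [(criticality(it), it) for it in items]
    ranked = sorted([p for p in scored if p[0] is not None], key=lambda p: p[0], reverse=True)
    return [it for _, it in ranked], [it for s, it in scored if s is None]


# Constructed sample rows for a hypothetical cooling-water control modification.
SOURCE = "Vendor qualification report [placeholder reference]"
SAMPLE = [
    WorksheetItem("SV-101", "Solenoid valve, cooling water supply", "SR - Active", "Fails closed",
                  "Coil open circuit or loss of DC control power", "Loss of flow from this train",
                  "Redundant train supplies the load", "Low flow alarm in main control room",
                  "Monthly stroke test", severity=4, detection=1,
                  failure_rate_per_hour=2.0e-6, failure_rate_source=SOURCE),
    WorksheetItem("SV-101", "Solenoid valve, cooling water supply", "SR - Active", "Fails open",
                  "Stuck plunger", "Train cannot be isolated at this valve",
                  "Isolation available upstream", "Valve position indication",
                  "Monthly stroke test", severity=2, detection=3,
                  failure_rate_per_hour=1.0e-6, failure_rate_source=SOURCE),
    WorksheetItem("SV-101", "Solenoid valve, cooling water supply", "SR - Active", "Fails as is",
                  "Mechanical binding", "Valve does not respond to demand",
                  "Effect depends on position at time of failure", "Periodic surveillance test",
                  "18 month surveillance", severity=3, detection=6),   # no documented rate
    WorksheetItem("K-12", "Control relay, pump start permissive", "SR - Active", "Fails de-energized",
                  "Coil failure", "Start permissive lost", "Pump can be started manually",
                  "Permissive status lamp", "Operator rounds", severity=4, detection=4,
                  failure_rate_per_hour=5.0e-7, failure_rate_source=SOURCE),
    WorksheetItem("L-3", "Panel status lamp", "Non-SR", "Fails dark", "Lamp burnout",
                  "Loss of local indication only", "No safety function affected",
                  "Lamp test pushbutton", "Operator rounds", severity=1, detection=2,
                  failure_rate_per_hour=1.0e-6, failure_rate_source=SOURCE),
]
# A deliberately malformed row showing what validate() rejects.
BAD_ROW = WorksheetItem("X-1", "Example", "Safety", "Fails", "n/a", "n/a", "n/a", "n/a", "n/a",
                        severity=11, failure_rate_per_hour=1.0e-6)

if __name__ == "__main__":
    for it in assign_references(SAMPLE):
        print(it.ref, it.component_id, it.failure_mode, criticality(it))
    ranked, unranked = prioritize(SAMPLE)
    print("priority order:", [it.ref for it in ranked], "FMEA-only:", [it.ref for it in unranked])
    print("problems:", validate(BAD_ROW))
```

Running the module lists the rows as 1.1, 1.2, 1.3 (the three valve failure modes), 2.0 and 3.0, ranks 1.1 first because the "fails closed" mode has the highest severity class and documented rate, and reports 1.3 as FMEA-only because its failure rate was never sourced. The malformed row is rejected for an unknown safety classification, a severity outside the 1 to 10 scale, and a failure rate with no documented source.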