IEC TR 62987:2015 – Nuclear Power Plants – Use of FMEA for I&C Systems Important to Safety

Published: September 2015 | Edition: 1.0 | Category: Technical Report | SC 45A: Instrumentation and Control of Nuclear Facilities

💡 Key Insight: This technical report investigates whether FMEA methodology for nuclear I&C systems is ready for formal standardization. The conclusion reveals that while FMEA is widely used across the nuclear industry, the topic is not yet amenable to standardization due to diverse national regulatory approaches and varying implementation practices. However, the report provides valuable foundational work toward a future standard.

1. FMEA in the Nuclear I&C Context

Failure Mode and Effects Analysis (FMEA) is a qualitative, inductive reliability analysis method that systematically examines potential failure modes of components and their effects on system operation. In nuclear power plants (NPPs), FMEA plays a crucial role in the safety justification of instrumentation and control (I&C) systems that perform functions important to safety. IEC TR 62987 complements the general FMEA procedure defined in IEC 60812 by addressing nuclear-specific issues.

The report identifies that FMEA is referenced by several key nuclear standards including IEC 61513 (general requirements for NPP I&C systems), IEC 61226 (classification of I&C functions), and IEEE standards 7-4.3.2, 352, and 577. Each standard invokes FMEA in different contexts, ranging from design validation to reliability analysis and safety case development.

Nuclear-Specific Challenge: Standard FMEA methodology must be extended for nuclear applications to address common cause failure (CCF) — a critical concern where a single event or condition can cause multiple redundant components to fail simultaneously, defeating the purpose of defence-in-depth. The report emphasizes that CCF analysis requires additional techniques beyond conventional FMEA, including diversity analysis and postulated CCF initiator evaluation.

2. Industry Practice and Regulatory Perspectives

2.1 International Survey Results

Based on a comprehensive survey of participating national committees, the report documents current FMEA practices across different countries. The survey results reveal significant variation in how FMEA is applied, documented, and reviewed across jurisdictions:

| Country | Regulatory Stance | FMEA Application Level | Key Practices |
|---|---|---|---|
| France | FMEA records required as part of safety case | Board, system, and subset levels | Multi-level FMEA approach; dedicated tools; strong regulatory review |
| United Kingdom | FMEA used in safety case justification | System and component levels | Integrated with probabilistic safety assessment (PSA) |
| United States | FMEA referenced in IEEE standards | Design and operational phases | Focus on single failure criterion and CCF analysis |

2.2 French Multi-Level FMEA Practice

The French experience, documented in detail within the report, illustrates a particularly mature application of FMEA methodology. French practice applies FMEA at three distinct levels:

  • Board-level FMEA: Analyzes failure modes of printed circuit boards and electronic modules, focusing on component-level failures and their effects on board outputs.
  • System-level FMEA: Examines the interaction between subsystems, including cabling, power supplies, communication links, and the effects of board-level failures on system behavior.
  • Subset-level FMEA: Addresses the functional subsets within the overall I&C architecture, evaluating how failures propagate through the system hierarchy and affect safety functions.

Engineering Insight: The French experience demonstrates that FMEA effectiveness depends heavily on the quality of the analysis team’s knowledge of the system design, operating conditions, and failure mechanisms. Dedicated software tools (e.g., Alta-Sim, Risk Spectrum) are used to manage the complexity of multi-level FMEA, maintain traceability, and support regulatory review. Current research in France is exploring methods to quantify FMEA results and integrate them with probabilistic safety assessment.

3. Scope, Limitations and Future Standardization

3.1 Applicability and Limitations of FMEA

The report provides a balanced assessment of FMEA strengths and limitations for nuclear applications. FMEA is particularly effective for:

  • Identifying single-point failures in system design
  • Evaluating the effects of component failures on safety functions
  • Supporting the demonstration of compliance with the single failure criterion
  • Providing input to test and maintenance program development
  • Documenting the rationale for system design decisions

However, FMEA has important limitations that must be recognized:

  • It is less effective for analyzing complex interactions between multiple simultaneous failures
  • It does not inherently address Common Cause Failure (CCF) — supplementary methods are needed
  • The quality of results depends heavily on the expertise of the analysis team
  • It can become unwieldy for very large or highly redundant systems
  • It is a qualitative method and does not directly provide probability or frequency estimates
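
The two lists above can be seen side by side in a small worked example, added here and not taken from IEC TR 62987 or from this article. It runs a single-failure FMEA over a constructed 2-out-of-3 channel architecture, then evaluates a postulated CCF group separately. The channel layout, component names, shared power supply and CCF group are all assumptions made for illustration.

```python
# Constructed architecture (assumption, not from the report): three redundant
# measurement channels feed a 2-out-of-3 voter; channels A and B share psu_1.
CHANNELS = {
    "A": ["sensor_A", "adc_A", "psu_1"],
    "B": ["sensor_B", "adc_B", "psu_1"],
    "C": ["sensor_C", "adc_C", "psu_2"],
}
VOTES_REQUIRED = 2

# Postulated CCF initiators (constructed): components assumed to fail together.
CCF_GROUPS = {"identical ADC firmware": {"adc_A", "adc_B", "adc_C"}}


def function_available(failed):
    """True if enough channels stay healthy for the voter to act."""
    healthy = [ch for ch, parts in CHANNELS.items() if not failed & set(parts)]
    return len(healthy) >= VOTES_REQUIRED


def single_failure_fmea():
    """One worksheet row per component, failure mode 'loss of output'."""
    components = sorted({c for parts in CHANNELS.values() for c in parts})
    rows = []
    for comp in components:
        rows.append({
            "component": comp,
            "channels_lost": sorted(ch for ch, p in CHANNELS.items() if comp in p),
            "safety_function_kept": function_available({comp}),
        })
    return rows


def single_point_failures():
    """Components whose lone failure violates the single failure criterion."""
    return [r["component"] for r in single_failure_fmea()
            if not r["safety_function_kept"]]


def ccf_findings():
    """Postulated CCF groups that defeat the redundancy outright."""
    return [name for name, group in CCF_GROUPS.items()
            if not function_available(group)]


if __name__ == "__main__":
    for row in single_failure_fmea():
        print(row)
    print("single-point failures:", single_point_failures())
    print("CCF groups defeating the function:", ccf_findings())
```

The single-failure pass flags the shared power supply, while each ADC passes individually; only the separate CCF evaluation shows that identical ADC firmware would take out all three channels at once.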

3.2 Path to Standardization

IEC TR 62987 concludes that while FMEA methodology is well-established and widely used in the nuclear industry, the diversity of national regulatory requirements and implementation practices precludes immediate standardization. However, the report identifies the following areas as candidates for future standardization work:

| Area | Current Status | Standardization Potential |
|---|---|---|
| Terminology harmonization | Multiple conflicting definitions exist across standards | High |
| CCF analysis methodology | Various approaches used, no consensus on best practice | Medium |
| FMEA documentation format | Country-specific formats with limited cross-recognition | Medium |
| Quantification techniques | Research stage, limited operational experience | Low (near term) |
| Digital I&C specific guidance | Software FMEA methods under development | Medium |

🚨 Regulatory Significance: The report highlights that FMEA findings are often central to nuclear licensing decisions. In France, for example, FMEA records are formally reviewed by the regulatory authority (ASN) as part of the safety case evaluation. Therefore, the rigor, completeness, and traceability of FMEA documentation are not merely technical considerations but have direct regulatory and legal implications for plant operators.

Frequently Asked Questions

Q1: How does FMEA differ from Fault Tree Analysis (FTA) in nuclear applications?

FMEA is an inductive (bottom-up) method that starts with component failures and examines their effects on the system. FTA is a deductive (top-down) method that starts with a top-level undesired event and identifies combinations of failures that could cause it. Both methods are complementary and are often used together in nuclear safety analysis.

Q2: Is FMEA applicable to software-based I&C systems?

Yes, but with important caveats. Software FMEA requires adaptation because software does not “fail” in the same way as hardware. Software FMEA typically focuses on requirements errors, design flaws, and interface issues rather than physical failure modes. The report acknowledges that FMEA methods for digital I&C are still an area of active development.

Q3: What is the relationship between FMEA and the single failure criterion?

FMEA is a primary tool for demonstrating compliance with the single failure criterion, which requires that a safety system must be capable of performing its safety function despite any single component failure. FMEA systematically identifies potential single failures and verifies that redundant or backup components can maintain the required safety function.

Q4: Why has a formal FMEA standard for nuclear not yet been developed?

The report found that national regulatory approaches differ significantly, making consensus on a single standardized approach difficult. Additionally, the rapid evolution of digital I&C technology and analysis methods suggests that the field is not yet mature enough for formal standardization. The technical report serves as a foundation for future standardization efforts.

© 2026 TNLab. All rights reserved. This article is for informational purposes and does not constitute professional engineering advice.
