It is possible to IPL the system without Top Secret if it fails at startup.

How is this done exactly? 

Release : 16.0

Component : CA Top Secret for z/OS

TSS being inoperable could fall under 2 scenarios: 

1) TSS was up and then became inoperable. 
While TSS is down, anyone currently signed on (or any batch job currently running)
will continue to process normally since the user's security record is in memory. 
Any new initiations (signons, batch submits, etc), will go by the DOWN control option in TSS. 

Issue TSS MODIFY to see what your DOWN options are currently set to. 

2) An IPL was done and TSS never came up and never could be brought up. 
In this situation, you can start a system without security and use a profile in SYS1.UADS in the 
same way as without RACF. 
If there is a situation where TSS is up and all administrator acids, 
including the MSCA, are suspended/revoked, you can do the following: 
1) Allocate new security files (BDAM and VSAM) with MSCA and password 
(specified in the input parameters when allocating the BDAM security file). 
2) Recycle TSS (temporary shutdown and restart) pointing to the new security files. 
(An IPL is not necessary to pick up a new security file.) 
3) Signon as the MSCA. 
4) Stay signed on as the MSCA and do another temporary shutdown 
and restart of TSS pointing to the old security files. 
5) Use the signed on MSCA password to remove suspends and/or reset 
passwords for the revoked administrators.