Diversity in computerized reactor protection systems

Based on engineering judgement, the most important measures to increase the independency of redundant trains of a computerized safety instrumentation and control system (I&C) in a nuclear power plant are evaluated with respect to practical applications. This paper will contribute to an objective discussion on the necessary and justifiable arrangement of diversity in a computerized safety I&C system. Important conclusions are: verse equipment may be used to control dependent failures only if measures necessary for designing, licensing, and operating a computerized safety I&C system homogeneous in equipment are neither technically nor economically feasible; he considerable large operating experience in France with a non-diverse equipment digital reactor protection system does not call for equipment diversity. Although there are no generally accepted methods, the licensing authority is still required to take into account dependent failures in a probabilistic safety analysis; he frequency of postulated initiating events implies which I&C functionality should be implemented on diverse equipment. Using non-safety I&C equipment in addition to safety I&C equipment is attractive because its necessary unavailability to control an initiating event in teamwork with the safety I&C equipment is estimated to range from 0.01 to 0.1. This can be achieved by operational experience.