Defense against common mode failures in protection system design

1997 
The introduction of digital instrumentation and control into reactor safety systems creates a heightened concern about common-mode failure. This paper discusses the concern and methods to cope with it. Common-mode failures have been a "fact of life" in existing systems. The informal introduction of defense-in-depth and diversity (D-in-D&D), coupled with the fact that hardware common-mode failures are often distributed in time, has allowed systems to deal with past common-mode failures. However, identical software operating in identical redundant systems presents the potential for simultaneous failure. Consequently, the use of digital systems raises the concern about common-mode failure to a new level. A more methodical approach to mitigating common-mode failure is needed to address these concerns. Purposeful introduction of D-in-D&D has been used as a defense against common-mode failure in reactor protection systems. At least two diverse systems are provided to mitigate any potential initiating event. Additionally, diverse displays and controls are provided to allow the operator to monitor plant status and manually initiate engineered safety features. A special form of common-mode failure analysis called "defense-in-depth and diversity analysis" has been developed to identify possible common-mode failure vulnerabilities in digital systems. An overview of this analysis technique is provided.
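The abstract's central point is that redundancy alone does not help against a software fault that every redundant channel shares, while diversity (different software within a system, or a second, diverse system) restores a margin. The following model, added here as an illustration and not taken from the paper, makes that concrete with exact enumeration. It assumes a simplified worst case: each channel's hardware fails to trip independently with probability `p_hw`, each software version independently harbours a demand-triggered fault with probability `p_sw`, and such a fault disables every channel running that version on the same demand. The configurations, trip logic and probabilities are constructed for illustration.

```python
"""Added example (not from the paper): probability of failure on demand (PFD)
for k-out-of-n reactor protection channels, comparing identical software
against diverse software and a second diverse system. All numbers are
constructed; the fault model is the simplified worst case described above."""
from itertools import product

# A configuration is a list of systems; each system is (k, [sw_version per channel]).
# The plant is protected if at least one system trips (>= k of its channels trip).
IDENTICAL = [(2, ["A", "A", "A", "A"])]               # one 2-of-4 system, one software build
DIVERSE_CHANNELS = [(2, ["A", "A", "B", "B"])]        # one 2-of-4 system, two software builds
DIVERSE_SYSTEMS = [(2, ["A"] * 4), (2, ["B"] * 4)]    # D-in-D&D: two 2-of-4 systems, diverse software


def pfd(systems, p_hw, p_sw):
    """Exact probability that no system trips on demand.

    p_hw: independent probability that one channel's hardware fails to trip.
    p_sw: probability that a software version carries a fault that the demand
          triggers; the fault then disables every channel running that version
          simultaneously (the common-mode case the paper is concerned with).
    """
    versions = sorted({v for _, chans in systems for v in chans})
    n_chans = sum(len(chans) for _, chans in systems)
    total = 0.0
    for sw_state in product([False, True], repeat=len(versions)):
        faulty = {v for v, f in zip(versions, sw_state) if f}
        p_sw_state = 1.0
        for f in sw_state:
            p_sw_state *= p_sw if f else (1.0 - p_sw)
        for hw_state in product([False, True], repeat=n_chans):
            p_hw_state = 1.0
            for h in hw_state:
                p_hw_state *= p_hw if h else (1.0 - p_hw)
            # Walk the channels in order and count trips per system.
            idx = 0
            any_trip = False
            for k, chans in systems:
                trips = 0
                for v in chans:
                    hw_failed = hw_state[idx]
                    idx += 1
                    if not hw_failed and v not in faulty:
                        trips += 1
                if trips >= k:
                    any_trip = True
            if not any_trip:
                total += p_sw_state * p_hw_state
    return total


def compare(p_hw=0.05, p_sw=0.01):
    """Return PFD for the three constructed configurations at the given rates."""
    return {
        "identical software, 2-of-4": pfd(IDENTICAL, p_hw, p_sw),
        "diverse software within 2-of-4": pfd(DIVERSE_CHANNELS, p_hw, p_sw),
        "two diverse 2-of-4 systems": pfd(DIVERSE_SYSTEMS, p_hw, p_sw),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:34s} PFD = {value:.6f}")
```

With the constructed rates, the identical-software system's PFD is dominated by `p_sw` itself (the redundant channels add nothing against the shared fault), splitting the channels across two builds cuts it by roughly a factor of four, and a second diverse system brings it down to the square of the single-system value. The model deliberately ignores hardware common-mode effects and assumes the two software builds fail independently, which is exactly the assumption a defense-in-depth and diversity analysis has to justify.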