Diversity and Defense in Depth in Digital Instrumentation and Controls
Each safety system in an NRC-licensed nuclear plant or other facility must operate regardless of failures from within or outside the safety system. The NRC regulations establishing this requirement are found in Title 10, Part 50, "Domestic Licensing of Production and Utilization Facilities," of the Code of Federal Regulations (10 CFR Part 50).
General Design Criteria for Diversity and Defense in Depth
In particular, General Design Criterion (GDC) 21, "Protection System Reliability and Testability," in 10 CFR Part 50 requires in part that "…(1) no single failure results in the loss of the protection system…." In addition, GDC 22, "Protection System Independence," requires that
[t]he protection system shall be designed to assure that the effects of natural phenomena, and of normal operating, maintenance, testing, and postulated accident conditions on redundant channels do not result in loss of the protection function, or shall be demonstrated to be acceptable on some other defined basis. Design techniques, such as functional diversity or diversity in component design and principles of operation, shall be used to the extent practical to prevent loss of the protection function.
These GDCs mandate diverse design features to minimize the possibility of a common-cause failure (CCF) that could result in the loss of a protection function. Nuclear power plant safety system designs rely on three design principles to compensate for failures that could degrade safety system reliability, specifically
- functional defense in depth,
- functional diversity, and
- system diversity.
Ensuring Against Common-Cause Failure
Industry experience with digital I&C systems has shown that reliance upon quality assurance processes alone has not been adequately effective at preventing CCFs, even in high-integrity digital systems. Unanticipated CCFs are more likely in digital systems than in analog systems. Therefore, it is also more important to ensure that digital technology is applied in a manner that addresses functional defense in depth, functional diversity, and system diversity features. Additionally, it is necessary to confirm that CCF vulnerabilities are not introduced when a system is modified.
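As an added illustration of the three design principles above (not part of the NRC text), the following Python model contrasts redundancy alone with functional diversity and system diversity when a common-cause failure removes every channel of one design family; the design names, setpoints and plant values are constructed assumptions, not plant data.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable

# Constructed plant state for a postulated overpressure/overtemperature event (assumption, not real data).
@dataclass(frozen=True)
class PlantState:
    pressure_psi: float
    temperature_f: float

@dataclass(frozen=True)
class Channel:
    design: str       # hypothetical design family; channels sharing a design share its latent defects
    parameter: str    # "pressure" or "temperature" (functional diversity = different parameters)
    setpoint: float   # channel trips when the monitored value reaches this

    def trips(self, state: PlantState, ccf_designs: frozenset) -> bool:
        # A common-cause failure disables every channel of the affected design at once
        if self.design in ccf_designs:
            return False
        value = state.pressure_psi if self.parameter == "pressure" else state.temperature_f
        return value >= self.setpoint

def protection_function_actuates(channels: Iterable[Channel], state: PlantState,
                                 ccf_designs: frozenset = frozenset(), k: int = 2) -> bool:
    """k-out-of-N coincidence vote within each monitored parameter; any parameter's vote actuates."""
    votes = defaultdict(int)
    for ch in channels:
        if ch.trips(state, ccf_designs):
            votes[ch.parameter] += 1
    return any(n >= k for n in votes.values())

EVENT = PlantState(pressure_psi=2400.0, temperature_f=650.0)  # constructed: both setpoints exceeded

# Redundancy only: four identical pressure channels of one design
REDUNDANT_ONLY = [Channel("A", "pressure", 2385.0)] * 4
# Functional diversity: pressure channels (design A) plus independent temperature channels (design B)
FUNCTIONALLY_DIVERSE = [Channel("A", "pressure", 2385.0)] * 3 + [Channel("B", "temperature", 620.0)] * 3
# System diversity: the same pressure function implemented in two different design families
SYSTEM_DIVERSE = [Channel("A", "pressure", 2385.0)] * 2 + [Channel("C", "pressure", 2385.0)] * 2

def scenarios() -> dict:
    ccf_a = frozenset({"A"})
    return {
        "redundant_only_no_ccf": protection_function_actuates(REDUNDANT_ONLY, EVENT),
        "redundant_only_ccf_A": protection_function_actuates(REDUNDANT_ONLY, EVENT, ccf_a),
        "functionally_diverse_ccf_A": protection_function_actuates(FUNCTIONALLY_DIVERSE, EVENT, ccf_a),
        "functionally_diverse_ccf_A_and_B": protection_function_actuates(FUNCTIONALLY_DIVERSE, EVENT, frozenset({"A", "B"})),
        "system_diverse_ccf_A": protection_function_actuates(SYSTEM_DIVERSE, EVENT, ccf_a),
    }

if __name__ == "__main__":
    for name, actuated in scenarios().items():
        print(f"{name:35s} actuates={actuated}")
```

The redundant-only configuration loses the protection function entirely under a single design-family CCF, while either diversity principle preserves it; a CCF spanning both design families still defeats the diverse configuration, which is why diversity must be established across independent designs and re-verified after modifications.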