T/AST/046 App 4
A4.1 A major issue on Sizewell B was justifying the high level of risk reduction provided by the Reactor Protection System (RPS), which comprises the Primary Protection System (PPS) and the Secondary Protection System (SPS). The risk reduction requirement for the RPS was 10^-7 pfd (typically 10^-3 pfd from the PPS combined with 10^-4 pfd from the SPS to give 10^-7 pfd). The justification relied on a claim that the SPS was a simple hardware-based system.
A4.2 Demonstrating that two complex computer-based protection systems are "independent" (i.e. would not tend to fail on the same demands), and hence that the reliability figures for each can be multiplied together, remains an open question despite significant research (e.g. undertaken by City University and Bristol University). Hence, where the required level of risk reduction is greater than the accepted common cause cut-off limit for a single computer-based SS (i.e. 10^-4 pfd for a software-based SS where failure of the SS could potentially lead to very large releases of radioactive material), our current expectation is that ideally a simple hardware-based secondary SS should be provided.
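As an added worked example (not part of T/AST/046 and not ONR's own method), the following Python shows the arithmetic behind the two paragraphs above: the product of the two trains' pfd figures is the combined pfd only if the trains are independent, and the common cause cut-off caps the figure that a single computer-based SS may claim. The 10^-4 pfd cut-off and the 10^-3 / 10^-4 / 10^-7 pfd figures are the ones quoted above; the common-cause term passed to `combined_pfd` is a hypothetical input chosen for illustration, not a figure from the guide.

```python
"""Reliability-claim arithmetic for a two-train reactor protection system.

Added example, not from T/AST/046. It demonstrates two points made in the
guide: (1) a computer-based safety system cannot claim better than the common
cause cut-off of 10^-4 pfd, and (2) multiplying two trains' pfd figures is
only valid if they are independent; any common-cause failure mode that
defeats both trains on the same demand becomes the floor of the combined claim.
"""
import math

# From the guide: cut-off for a single computer-based SS where failure could
# lead to a very large release. Claims better than this are not accepted.
CCF_CUTOFF_PFD = 1e-4


def capped_claim(claimed_pfd: float, computer_based: bool) -> float:
    """Return the pfd that may be claimed for one protection train.

    A computer-based train is capped at the cut-off however good its
    demonstrated reliability; a simple hardware-based train is not subject to
    that cap (its claim is limited only by its own justification).
    """
    if not 0.0 < claimed_pfd <= 1.0:
        raise ValueError("pfd must lie in (0, 1]")
    if computer_based:
        return max(claimed_pfd, CCF_CUTOFF_PFD)
    return claimed_pfd


def combined_pfd(primary_pfd: float, secondary_pfd: float,
                 common_cause_pfd: float = 0.0) -> float:
    """Probability that both trains fail on the same demand.

    For independent trains this is the product of the two figures. A
    common-cause failure mode that takes out both trains at once adds (to
    first order) directly to that product, so it bounds the combined claim
    from below no matter how small each individual claim is.
    common_cause_pfd is an assumed input for illustration.
    """
    if not 0.0 <= common_cause_pfd <= 1.0:
        raise ValueError("common_cause_pfd must lie in [0, 1]")
    return primary_pfd * secondary_pfd + common_cause_pfd


def rps_meets_target(primary_pfd: float, primary_computer_based: bool,
                     secondary_pfd: float, secondary_computer_based: bool,
                     target_pfd: float = 1e-7,
                     common_cause_pfd: float = 0.0) -> bool:
    """Apply the cut-off to each train, combine, and compare with the target.

    math.isclose guards the comparison against floating-point rounding when
    the combined figure lands exactly on the target (e.g. 1e-3 * 1e-4).
    """
    p = capped_claim(primary_pfd, primary_computer_based)
    s = capped_claim(secondary_pfd, secondary_computer_based)
    combined = combined_pfd(p, s, common_cause_pfd)
    return combined <= target_pfd or math.isclose(combined, target_pfd, rel_tol=1e-9)


if __name__ == "__main__":
    # Sizewell B pattern from the guide: computer-based PPS at 1e-3 pfd,
    # simple hardware-based SPS at 1e-4 pfd, assumed independent.
    print("PPS + hardware SPS, independent:",
          rps_meets_target(1e-3, True, 1e-4, False))
    # Two computer-based trains: each claim is capped at 1e-4 regardless of
    # what is demonstrated, so the independent product is 1e-8.
    print("two computer-based trains, independent:",
          rps_meets_target(1e-5, True, 1e-5, True))
    # Same two trains with a hypothetical 1e-6 common-cause term: the CCF
    # term dominates and the 1e-7 target cannot be met by multiplication.
    print("two computer-based trains, CCF 1e-6:",
          rps_meets_target(1e-5, True, 1e-5, True, common_cause_pfd=1e-6))
```

The last case is the practical point of A4.2: once the combined figure is dominated by the common-cause term, improving either train's individual claim does nothing for the RPS as a whole, which is why the guide asks for a demonstration of independence (or a simple hardware-based secondary system) rather than better numbers.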
A4.3 However, ONR would consider the use of two diverse computer-based safety systems to implement a safety function requiring high reliability (e.g. a reactor protection system comprising primary and secondary systems) provided the guidance in SAP ERL.1 paragraph 177 is followed. This "special case" procedure should also be considered where high reliability is required from a combination of a computer-based safety system and a computer-based safety-related system. In this context "high reliability" means a reliability requirement for a safety function that is more demanding (i.e. a lower figure) than the common cause cut-off limit (i.e. 10^-4 pfd/pdfy for a computer-based system important to safety where failure of the system could potentially lead to very large releases of radioactive material). For ease of reference the content of SAP ERL.1 paragraph 177 is repeated below:
“177 Where reliability data is unavailable, the demonstration should be based on a case-by-case analysis and include:
- a comprehensive examination of all the relevant scientific and technical issues;
- a review of precedents set under comparable circumstances in the past;
- an independent third-party assessment in addition to the normal checks and conventional design;
- periodic review of further developments in technical information, precedent and best practice.”
A4.4 Each of the diverse computer-based systems important to safety would need to meet the requirements of SAP ESS.27. With regard to the implementation of SAP ERL.1 in the context of diverse computer-based systems important to safety, the case should include:
A4.5 The section on diversity in the document "Licensing of safety critical software for nuclear reactors. Common position of seven European nuclear regulators and authorised technical support organisations" is particularly relevant (e.g. it provides recommendations on functional diversity, use of current best practice, simplicity of software design, analysis of CCF within the safety demonstration, use of dissimilar means throughout the development lifecycle, and conservative reliability claims).