Types of diversity

Paragraph 6.60 of Ref. [2] provides an overview of the different types of diversity:

— Design diversity;

— Signal diversity;

— Equipment diversity;

— Functional diversity;

— Diversity in the development process;

— Logic diversity.

Following the analysis described in Section 3.4, the adequate types of diversity can be selected for the design of a DAS. This selection will consider the strong points and potentially negative consequences of each type of diversification.

The analysis considers not only that a certain type of diversification mitigates against certain types of faults which could potentially lead to coincident CCF of multiple systems, it also evaluates the

likelihood of particular types of faults existing in multiple components within the overall design and considers, if such faults did exist, their potential to give rise to multiple coincident failures (i.e. CCF):

— If postulated systematic faults are sensitive to a common triggering event;

— If there are credible barriers to prevent fault-propagation;

— If rapid development of multiple failures can be excluded.

Errors and deficiencies to which diversity is expected to reduce the vulnerability are as follows:

— Errors in the functional requirements;

— Design errors: incorrect specification or implementation of software algorithms; incorrect coding;

— Inadequate specification of hardware boards and electrical circuitry;

— Manufacturing errors: systematic errors in the manufacturing of electronic components;

electronic boards, cabinet wiring, and plant level cabling;

— Maintenance errors: triggering system failures by erroneous maintenance actions.

It has to be noted that addressing these errors may lead to very different design solutions. While some of the items given may be addressed by adequate robustness / simplicity of the characteristics of the reactor protection system, others may be considered as critical and need to be addressed by diversity in the DAS. This means that the defined set of criteria for diversification allows for a certain range of approaches. The finally selected design of the DAS is reviewed to confirm that certain types of failures of the primary protection system due to systematic deficiencies can either be excluded, have acceptable consequences or are managed by the DAS.

The following subsections provide a discussion of types of diversification aspects and their relative strength and side effects.

3.6.2. Design diversity

Design diversity is achieved using different design approaches to solve the same problem or a similar problem. It can be considered as an overarching approach which includes several of the other types of diversification. Design diversity comprises the use of different architectures and different technologies. Use of different technologies for the reactor protection system and the DAS would be the strongest form of design diversity.

Globally, it provides defences against systematic faults intrinsic to the design of an I&C system itself.

It is effective:

— To resolve issues created by errors in the design concept;

— To avoid common implementation errors (for hardware and software);

— To minimize common errors in sizing of allocated resources.

By itself, it may be less effective in other areas, for example:

— To mitigate common maintenance errors (as different maintenance approaches / procedures are enforced);

— To correct errors in the functional requirements for the I&C systems.

3.6.3. Signal diversity

Signal diversity is achieved by systems in which a safety action may be initiated based upon different plant parameters. It is a powerful approach to mitigate faults outside the technology of the I&C system and also implementation errors in the I&C system itself, as it enforces different types of sensors,

different algorithms and thus different exposure of the software execution to signal trajectories. Signal diversity is effective:

— To reduce issues due to errors in the specification of functional requirements;

— To address certain implementation errors (e.g. in the implementation of functional algorithms);

— To address design or specification errors of the related sensors / transmitters;

— To address certain maintenance errors (because different signals imply different setpoints and thresholds to be maintained separately).

Independently from the DAS, signal diversity is traditionally applied to some level already in the reactor protection systems in many plant designs, e.g. in subsystems of the reactor protection system.

Consequently for plant designs with a DAS, it may be convenient to assign one of the diverse signals to the DAS.

Signal diversity solutions may add additional hardware and associated mechanical connections and failure points. The maintenance associated with the additional hardware adds cost and personnel radiation exposure.

3.6.4. Equipment diversity

Equipment diversity is achieved by hardware that employs different technological characteristics, e.g.

analogue equipment versus programmable digital equipment, solid state equipment versus electromagnetic equipment, or computer based equipment versus programmable logic equipment.

Equipment diversity can also be implemented within a single technology, e.g. software-based technology, relying on central processing unit types of different designs, with different instruction sets.

A different aspect of equipment diversity is manufacturing diversity.

Equipment diversity may thus be seen as a special approach of ‘design diversity’. It is effective in similar areas and also:

— To address systematic manufacturing faults;

— To enforce diversity in software components (as far as these are tailored for a given hardware type / family, programming because the central processing unit is by nature different from programmable logic equipment, so that common implementation errors are excluded).

Equipment diversity is not effective to address errors in the specification of functional requirements (as essentially the implementation aspects are addressed).

3.6.5. Functional diversity

Functional diversity is achieved by systems that take different actions to achieve the same safety outcome.

It is very effective to resolve issues due to errors in the specification of functional requirements and to address certain implementation errors (e.g. in the implementation of functional algorithms) and certain maintenance errors. Functional diversity is typically implemented together with signal diversity.

3.6.6. Diversity in the development process

Diversity in the development process can be achieved by using different design organizations, different management teams, different design and development teams, and different implementation and testing teams [2]. Generally, it is not considered a diversification approach on its own. It will be considered as complementary to other diversification approaches (e.g. functional diversity, signal diversity, design diversity, equipment diversity).

It is beneficial to further reduce risk of errors in the implementation of diverse systems. When equipment diversity is chosen as the approach for a DAS, it could be an adequate practice to impose also a certain diversity in the development process, e.g. through selection of a dedicated, independent design team. However, the efficiency of the approach does not have to be overestimated, unless there are also restrictions on the complexity of the design, or other diversification elements. This is because experience shows that designers tend to make similar errors, and simplicity will help to reduce the likelihood of errors.

‘Diversity’ for the verification and validation team seems to be consensus, as practically all standards for computer based safety systems impose adequate independence for the verification and validation teams, to ensure an independent, unbiased view on the development results.

3.6.7. Logic diversity

Paragraph 6.60 of Ref. [2] states logic diversity is “achieved by use of different software or hardware description languages, different algorithms, different timings of logical functions, and different sequencing of logical functions.” Logic diversity is similar to design diversity and equipment diversity where errors are dealt with at the implementation level of the logic and at the coding level. It is an option when hardware diversity is not imposed, and signal diversity / functional diversity do not exist.

Logic diversity is efficient to address assumed errors in the use of a given tool set to produce functionally equivalent algorithms that are different in implementation.