Risk implications of digital reactor protection systems

This paper summarizes an in-depth review of the US nuclear operating experience with the first generation of digital reactor protection systems. The accumulated operating experience from 1984 through 2006 on these first generation digital reactor protection system functions exceeds 1.27 million hours (~145.5 years). A review of failure event reports identified 141 specific events associated with these systems on seven US nuclear power plants. 26 of these events involved some type of common cause failure mechanism (predominantly redundant sensors/channels being out of calibration) which temporarily rendered redundant portions of the overall trip function degraded. Most of these failures were found not to be unique to digital systems. Six of the common cause failure events were more severe and involved situations where incorrect addressable constant data sets were systematically loaded into all redundant computer channels due to personnel errors. One of these events involved a latent software design change error introduced during a software update which would prevent proper operation given an unlikely event involving failure of 3 out of 4 sensors of one type.