Risk implications of digital reactor protection system operating experience

Abstract: This paper summarizes an in-depth review of US nuclear operating experience with the first generation of digital reactor protection systems. The accumulated operating experience from 1984 to 2006 on these first-generation digital reactor protection system functions exceeds 1.27 million hours (about 145.5 years). A review of failure event reports identified 141 specific events associated with these systems at seven US nuclear power plants. Twenty-six of these events involved some type of common-cause failure mechanism (predominantly redundant sensors or channels being out of calibration), which temporarily degraded redundant portions of the overall trip function. Most of these failures were found not to be unique to digital systems. Six of the common-cause failure events were more severe: incorrect addressable constant data sets were systematically loaded into all redundant computer channels as a result of personnel errors, so the redundancy offered no protection. One of these events involved a latent software design change error introduced during a software update, which would have prevented proper operation given an unlikely event in which three out of four sensors of one type failed. Based on this review of digital system operating experience, a series of risk assessment calculations was performed to evaluate the safety significance of the observed failure events. From the insights gained in this work, it is possible to develop a framework for establishing digital reactor protection system reliability requirements that can be related back to regulatory safety goal objectives and operating experience.
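The abstract's central observation, that errors loaded into every redundant channel at once defeat redundancy in a way independent channel faults do not, can be made concrete with a small calculation. The Python below is an added illustration written for this page; it is not from the paper and does not reproduce the paper's risk assessment method. It evaluates a k-out-of-n voting trip function exactly (binomial sum) and represents common-cause coupling with the standard beta-factor model, in which a fraction beta of each channel's unavailability is assumed to fail all channels together. The 2-out-of-4 logic, the per-channel unavailability of 1e-2 and the beta values are assumed for illustration only.

```python
"""Added illustration (not from the paper): independent versus common-cause
failure in a redundant k-out-of-n trip function.

The trip function actuates when at least k of n channels demand a trip, so it
fails on demand when fewer than k channels are healthy. Common-cause coupling
uses the beta-factor model: a fraction beta of each channel's unavailability q
fails all n channels together. All numeric parameters are assumed values.
"""
from math import comb


def independent_failure(n: int, k: int, q: float) -> float:
    """P(trip function fails on demand) with independent channel failures.

    Needs k healthy channels, so it fails when at least n - k + 1 channels
    have failed. Exact binomial sum over the failing counts.
    """
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    if not 0.0 <= q <= 1.0:
        raise ValueError("q must be a probability")
    min_failed = n - k + 1
    return sum(comb(n, j) * q**j * (1 - q) ** (n - j)
               for j in range(min_failed, n + 1))


def beta_factor_failure(n: int, k: int, q: float, beta: float) -> float:
    """P(trip function fails on demand) with beta-factor common-cause coupling.

    q_ccf = beta * q       : a shared fault takes out all n channels at once
    q_ind = (1 - beta) * q : a channel fails on its own
    Failure = CCF occurs, or no CCF and enough independent failures.
    beta = 0 recovers the independent case; beta = 1 means every channel
    failure is shared, which is what loading the same wrong constant set into
    all redundant channels amounts to.
    """
    if not 0.0 <= beta <= 1.0:
        raise ValueError("beta must be in [0, 1]")
    q_ccf = beta * q
    q_ind = (1 - beta) * q
    return q_ccf + (1 - q_ccf) * independent_failure(n, k, q_ind)


def redundancy_credit(n: int, k: int, q: float, beta: float) -> float:
    """Factor by which redundancy lowers unavailability versus one channel.

    A single channel has unavailability q; q / P(fail) shows how much of the
    redundancy benefit survives the coupling fraction beta.
    """
    return q / beta_factor_failure(n, k, q, beta)


if __name__ == "__main__":
    # Assumed: 2-out-of-4 trip logic, per-channel unavailability 1e-2.
    n, k, q = 4, 2, 1e-2
    print(f"{'beta':>6} {'P(fail to trip)':>16} {'redundancy credit':>18}")
    for beta in (0.0, 0.01, 0.1, 1.0):
        p = beta_factor_failure(n, k, q, beta)
        print(f"{beta:>6.2f} {p:>16.3e} {redundancy_credit(n, k, q, beta):>17.1f}x")
```

With these assumed inputs, purely independent failures give a 2-out-of-4 function roughly 2500 times the reliability of one channel, but a coupling fraction of only 1 percent cuts that credit to under 100, and a systematic error present in all channels (beta = 1) removes it entirely. That is the quantitative reason the six systematic data-load events in the abstract matter more than the larger number of single-channel calibration faults, and why a reliability framework for digital protection systems has to bound the common-cause term rather than only the per-channel one.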