Redundancy

The relation between redundancy and reliability, which is treated in Chap. 11, is discussed here only on a large scale. The minimum addition in providing a dual or backup computer control system is adding another central processor; further duplication of equipment then depends on plant-design concepts, such as whether or not the reactor will be operable if the computer fails. Also to be considered is duplication of critical functions by independent hardware. Analog and manual backup are examples.¹⁵

Table 8.2 shows some of the reasons for having or not having redundant computers. The use of a nonredundant system is usually justified by the requirement that the reactor and processes be capable of at least steady-state operation if the computer fails. This implies either extensive analog backup control or a plant small enough to be
influenced plant designers to allow shutdown in case of total control-system failure if redundancy is used.¹⁶

Restating the above: if a high plant factor is important, then frequent shutdown cannot be tolerated and a redundant control system is required. This is the predominant reason for dual computers. A second reason, especially applicable to prototype facilities, is the importance of maintaining continuity of plant operating data, a criterion that applies to pure data-acquisition equipment as well as to control systems. A third justification is that a standby computer can be used for off-line program preparation and data processing but can be automatically interrupted when the unit is called into service to replace the operating computer.

It has become common to design nuclear power stations with two complete reactor–generator units operating independently. At first sight it seems that reliable computer control could be effected by placing a control system on each reactor unit and using the computers as backup for each other, at least for the essential control functions. Although this configuration has been given much consideration, few, if any, such systems have been built. Both computers would have to be larger, peripheral switching to one or the other would be difficult, and developing the complex switching programs would be very costly. The result is that dual plants usually have three computers, one as standby for an operating system on each reactor unit.¹⁷

The basic justifications for the triple control system are the same as for redundancy in general: the importance of reliability, as it affects plant factor, and the convenience of having a standby for off-line programming.

The final objective of redundancy is to improve plant availability or, in project terms, to ensure that the system will permit attaining the target plant factor. The immediate objective is to make the control system more reliable. However, a precise estimate of the reliability of a redundant computer system cannot be made because the reliabilities of the constituent parts—processor, peripherals, interfaces, and displays—are not precisely known. So it is not surprising that past and present justifications for replicating components are commonly based on judgment and inference from statistically inadequate data on past operating experience. This state of affairs will prevail until reactor power plants with computer control are commonplace, at which time the need for stringent justification will be far less.

Table 8.3—Cost-Comparison Chart

Item                      Number required                      Cost, $
----------------------------------------------------------------------
Analog System
  Panels                                                        20,000
  Meters                  500                                   10,000
  Recorders               12 (multipoint)                       50,000
  Annunciators            4000 (points)                        240,000
  Control hardware*                                            260,000
  Data logger             4000 (points)                        420,000
  Spare parts                                                  100,000
  Total                                                     $1,100,000

Computer System
  Central processors      2                                    150,000
  Process input/output    4000 (points)                        450,000
  Mass storage            Drums, disk, and magnetic tapes      125,000
  Operator input/output   Printers, typers, and consoles        75,000
  Displays                Cathode-ray tubes and interfaces     100,000
  Spare parts                                                   25,000
  Programming                                                  350,000
  Total                                                     $1,275,000

*Only for those functions which the digital system would perform.