Paradoxes

Redundancy with systems or components of different principles may force a designer to adopt a second system simply because it has a different principle, even though it is not as reliable, as rapid, or as safe as a second system of the same principle would be.

For example, two reactivity control systems provided according to Criterion 26 might comprise a group of normal absorber rods together with a poison injection system with speed, distribution, and effectiveness problems. This system would not be as safe as two rod systems, especially if they use different drive mechanisms. However, in the two rod system case, the designer would have to ensure that no common mode failure (such as a core distortion) were possible.

The principle of requiring an engineered safety feature to operate after a fault, even in the event of an active component failure at any time, has been extended to requiring an engineered safety feature to operate after a fault even in the event of a passive component failure (see Section 3.3.2).

Thus, for example, an emergency cooling system which goes into operation after a pump failure must subsequently be able to withstand a failure of an active component (a valve, or even part of its own pump) or a failure of a passive component (a circuit, a pipe wall, or an electromagnetic pump component). This is an extension of the original active component failure criterion of the 1967 set.

So far it is not suggested that the engineered safety features must withstand both an active and a passive failure after the original fault. However, one of the paradoxes of criteria is that they grow. It is important to strike a balance between the maintenance of safety and an unreasonable limitation on the design. Overredundancy results in complex systems which are often less amenable to maintenance and are possibly less safe than the simpler, less redundant system which is easier to design and test. For safe design it is important not to rely on redundancy as a cure-all.
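The two trade-offs argued above (a second system of a different principle versus two systems of the same principle exposed to common mode failure, and the diminishing return of adding further identical trains) can be put into numbers with a beta-factor reliability model. The following is an added worked example, not part of the original text; the beta-factor model is the standard common-cause treatment from probabilistic risk assessment, and every numeric value (per-train unavailability `q`, common-cause fraction `beta`, the diverse train's unavailability) is a constructed assumption chosen only to illustrate the shape of the argument.

```python
"""Added example: beta-factor model of the redundancy-versus-diversity paradox.

Assumptions (constructed, not from the source text):
  q     per-train unavailability on demand
  beta  fraction of a train's failures that are common-cause, i.e. that
        defeat every identical train at once (core distortion is the
        page's example of such a mechanism)
A diverse second system is modelled as independent of the first (beta = 0)
but with a worse unavailability of its own.
"""


def one_of_n_unavailability(q, beta, n):
    """Probability that all n identical trains fail on demand (1-out-of-n success).

    The system is lost if the common-cause event occurs (probability beta*q)
    or, failing that, if every train fails independently, each with
    probability (1-beta)*q.  The two are combined as a union of events.
    """
    if not (0.0 <= q <= 1.0) or not (0.0 <= beta <= 1.0) or n < 1:
        raise ValueError("q and beta must lie in [0, 1] and n must be >= 1")
    ccf = beta * q                    # one event takes out all trains
    independent = (1.0 - beta) * q    # per-train independent failure
    return 1.0 - (1.0 - ccf) * (1.0 - independent ** n)


def diverse_unavailability(q_first, q_second):
    """Two systems of different principle, assumed to share no failure cause."""
    return q_first * q_second


def breakeven_beta(q_same, q_diverse, tol=1e-12):
    """Common-cause fraction at which two identical trains (each q_same) become
    no better than one such train backed by an independent but less reliable
    diverse system (q_diverse).  Found by bisection, since unavailability is
    monotone increasing in beta.  Returns None in the degenerate case where
    identical trains never lose.
    """
    target = diverse_unavailability(q_same, q_diverse)
    if one_of_n_unavailability(q_same, 1.0, 2) <= target:
        return None
    lo, hi = 0.0, 1.0
    while hi - lo > tol:
        mid = (lo + hi) / 2.0
        if one_of_n_unavailability(q_same, mid, 2) < target:
            lo = mid
        else:
            hi = mid
    return hi


def redundancy_gain_table(q, beta, max_trains=4):
    """Unavailability of 1-out-of-n for n = 1..max_trains.  With beta > 0 the
    curve flattens at about beta*q: further identical trains buy nothing,
    which is the 'redundancy is not a cure-all' point of the text."""
    return {n: one_of_n_unavailability(q, beta, n) for n in range(1, max_trains + 1)}


if __name__ == "__main__":
    q_rod, q_poison = 1e-3, 1e-2          # constructed: poison injection ten times worse
    print("two identical rod systems, no common cause :",
          one_of_n_unavailability(q_rod, 0.0, 2))
    print("rod system + diverse poison system         :",
          diverse_unavailability(q_rod, q_poison))
    print("break-even common-cause fraction beta      :",
          breakeven_beta(q_rod, q_poison))
    for n, u in redundancy_gain_table(q_rod, 0.05).items():
        print(f"1-out-of-{n} identical trains, beta=0.05      : {u:.3e}")
```

Read the output in the order of the text: with no common mode failure, two identical systems beat the diverse pair by an order of magnitude, which is the author's point that the different-principle system is adopted for its principle and not for its reliability. But the identical pair loses as soon as the common-cause fraction exceeds the break-even value (under 1 percent for these constructed numbers), which is why the two-rod designer must demonstrate that no common mode failure is possible. The final table shows the unavailability floor at about `beta*q`: a third or fourth identical train changes almost nothing while adding the complexity the last paragraph warns against.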