Common mode failure influence

There is now an increasing awareness of the potential for common mode failures arising from shortcomings or defects both in plant design and in subsequent manufacture, installation and operation. There is no agreed mathematical method of calculating a value for the limiting effect of common mode failure on system reliability. There is, however, agreement that systems with identical redundant channels should not be assumed to be capable of achieving reliabilities better than about 10^-4 to 10^-5 failures per demand. This limitation is applied even where random failure rate data for the individual channels would indicate a lower failure probability.

The design safety guidelines issued by the CEGB specify a protection system reliability of better than 10^-4 failures per demand for faults which are postulated to occur at frequencies of 10^-3 per year or greater. Since a single system of identical redundant channels cannot be credited beyond the common mode limit, meeting these stringent requirements has required the specification of two diverse protection systems, each with four-way redundancy. For the PWR it was decided to base one system on multiple distributed microprocessors with digital processing, and the other on the well proven Laddic guard lines with analogue trip amplifiers as used on existing magnox and AGR stations.

The microprocessor system does employ core logic for the guard line voting, but the two systems are sufficiently different in design and hardware to avoid common mode effects.

The two systems are referred to respectively as the primary protection system (PPS) and the secondary protection system (SPS).

The safety case for the station is made on the basis that the PPS and SPS each independently provide protection for all frequent faults (frequency of 10^-3 per year or greater). The PPS provides protection for all faults (frequent and infrequent) that are within the station design basis, and two independent parameters are generally available to detect each fault.
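The argument in the preceding paragraphs (redundancy alone cannot be credited below the common mode limit, so the guideline is met with two diverse systems) can be made concrete with a small reliability calculation. The following is an added illustration, not a calculation from the CEGB guidelines or from the station safety case: it evaluates a k-out-of-n voting arrangement of identical channels, shows how a beta-factor common cause term (an assumed model, chosen here only because it is simple) swamps the independent-failure figure, applies the 10^-4 per demand limit the text describes for identical redundant channels, and combines two diverse systems assumed independent of each other. The per-channel figures and the beta value are constructed inputs, not plant data.

```python
from math import comb

# Limit the text gives for a single system of identical redundant channels.
COMMON_MODE_LIMIT_PFD = 1e-4
# CEGB guideline values quoted in the text.
GUIDELINE_PFD = 1e-4            # failures per demand
FREQUENT_FAULT_FREQ = 1e-3      # per year; faults at or above this are "frequent"


def pfd_koon_independent(q, k, n):
    """Probability of failure on demand of k-out-of-n voting logic built from
    n identical, statistically independent channels, each with per-demand
    failure probability q. The logic fails to trip when at least n-k+1
    channels fail, so sum the binomial tail from j = n-k+1 to n."""
    return sum(comb(n, j) * q**j * (1 - q) ** (n - j) for j in range(n - k + 1, n + 1))


def pfd_with_common_cause(q, k, n, beta):
    """Beta-factor model (an assumption for illustration, not a CEGB method):
    a fraction beta of each channel's failures is a common cause failure that
    takes out every channel at once; the remainder is treated as independent."""
    q_independent = (1 - beta) * q
    return pfd_koon_independent(q_independent, k, n) + beta * q


def creditable_pfd(computed_pfd, limit=COMMON_MODE_LIMIT_PFD):
    """Apply the limitation described in the text: however good the random
    failure arithmetic looks, identical redundant channels are not credited
    with a probability of failure on demand better than the limit."""
    return max(computed_pfd, limit)


def meets_guideline(system_pfd, fault_freq_per_year):
    """Guideline check for one protection system: frequent faults require
    better than 10^-4 failures per demand."""
    if fault_freq_per_year >= FREQUENT_FAULT_FREQ:
        return system_pfd < GUIDELINE_PFD
    return True


def unprotected_fault_frequency(fault_freq_per_year, pfd_pps, pfd_sps):
    """Frequency of the fault going unprotected when two diverse systems,
    assumed independent of one another, both fail on the same demand."""
    return fault_freq_per_year * pfd_pps * pfd_sps


if __name__ == "__main__":
    q = 1e-2      # constructed per-channel failure probability on demand
    k, n = 2, 4   # 2-out-of-4 voting, four-way redundancy as in the text
    independent = pfd_koon_independent(q, k, n)
    with_ccf = pfd_with_common_cause(q, k, n, beta=0.1)
    print(f"2oo4 independent channels : {independent:.3e} per demand")
    print(f"2oo4 with 10% beta factor : {with_ccf:.3e} per demand")
    print(f"creditable for one system : {creditable_pfd(independent):.1e} per demand")
    # Each diverse system is credited at the common mode limit; the pair is
    # then treated as independent, which is the point of the diverse design.
    pps = sps = creditable_pfd(independent)
    print(f"unprotected frequency for a 1e-3/yr fault: "
          f"{unprotected_fault_frequency(FREQUENT_FAULT_FREQ, pps, sps):.1e} per year")
```

The independent-channel figure (about 4e-6 per demand for 2-out-of-4 at q = 1e-2) is far better than the guideline, but a 10% common cause fraction alone contributes 1e-3 per demand, which is why the text refuses to credit a single system beyond about 10^-4. Note that `creditable_pfd` applies only to one system of identical channels; the product in `unprotected_fault_frequency` relies on the PPS and SPS being diverse enough to treat as independent, which is the design claim made in the text, not something the arithmetic proves.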

11.1.6 System design

The primary and secondary protection systems have measurements of almost identical parameters from which to generate reactor trip and ESF action. The instrumentation used for the measurements in each system is chosen to be as diverse as practicable within the limitations of the transducers available.

An example listing of the parameters that are measured for trip protection purposes for the two systems is given in Table 2.17.

The primary protection is implemented with microprocessors and is therefore able to provide for an extensive range of parameters and functions with complex logic. The use of microprocessors permits protection to be derived using algorithms that assess limiting core conditions as a function of control rod positions and operating power level. This protection could not have been provided by analogue-based equipment without excessive complexity.