NA by Utsch, Frank R.
Calhoun: The NPS Institutional Archive
Theses and Dissertations Thesis Collection
1976





COMPUTER LOGIC REDUNDANCY IN











The Pennsylvania State University
The Graduate School
Department of Nuclear Engineering
Computer Logic Redundancy in Nuclear





Submitted in Partial Fulfillment
of the Requirements




M. A. Schultz, Professor of
Nuclear Engineering
Warren F. Witzig, Head of the






The author wishes to express his deepest appre-
ciation and sincere thanks to Professor M. A. Schultz for
his guidance, assistance and advice in the course of this






TABLE OF CONTENTS
LIST OF TABLES iv
LIST OF FIGURES v
I. INTRODUCTION 1
II. ANALYSIS OF BABCOCK-241 NSS SAFETY SHUTDOWN SYSTEM 5
III. BACKGROUND OF LOW LEVEL LOGIC REDUNDANCY IN COMPUTER SYSTEMS 27
IV. VARIATIONS OF BABCOCK-241 NSS SAFETY SHUTDOWN SYSTEM 35
V. NUMERICAL ANALYSIS OF MODIFIED SAFETY SHUTDOWN SYSTEMS 43
VI. SUMMARY AND CONCLUSIONS 47
BIBLIOGRAPHY 53
APPENDIX I - Failure Rate Data 56
APPENDIX II - Failure Rates Used in Analysis 59





LIST OF TABLES
Table Page
1 Legend for Reliability Block Diagrams 11
2 Failure Rates Used in Analysis 21
3 Unreliability of Voters and Voter-Switches with Powered Standby Channels 28




LIST OF FIGURES
Figure Page
1 Fail-to-Danger Reliability Diagram for Babcock-241 NSS Automatic Safety Shutdown System
2 False Scram Reliability Diagram for Babcock-241 NSS Automatic Safety Shutdown System 17
3 Reliability Diagram Main and Secondary Power SCR's 19
4 Babcock-241 NSS Automatic Safety Shutdown System Failure Probability vs. Repair Time Interval 25
5 Life Stages of a THISS-2 Voter-Switch 32
6 Fail-to-Danger Reliability Diagram for Automatic Safety Shutdown System with three-out-of-five Voter Device 36
7 False Scram Reliability Diagram for Automatic Safety Shutdown System with three-out-of-five Voter Device 37
8 Fail-to-Danger Reliability Diagram for Automatic Safety Shutdown System with THISS-2 Voter-Switch 38
9 False Scram Reliability Diagram for Automatic Safety Shutdown System with THISS-2 Voter-Switch 39
10 Life Stages of a THISS-2 Voter-Switch with Two Undetected Failures 41
11 Automatic Safety Shutdown System Failure Probability with three-out-of-five Voter Device vs. Repair Time Interval 44
12 Automatic Safety Shutdown System Failure Probability with THISS-2 Voter-Switch vs. Repair Time Interval 45
13 False Scram Failure Probability of Automatic
14 Automatic Safety Shutdown Systems Failure Probability for Overpower Accident vs. Repair Time Interval 48
15 Automatic Safety Shutdown Systems Failure Probability for Loss of Coolant Accident vs. Repair Time Interval 49
16 False Scram Failure Probability of Automatic Safety Shutdown Systems vs. Repair Time Interval 50

I. INTRODUCTION
Present day reactor safety shutdown circuits and engineered safe-
guard circuits are highly reliable. Yet public pressure continues to
provide impetus to make them even more reliable. The present high
reliability is obtained primarily through the use of on-line testing
of redundant coincident circuits. Safety shutdown systems of new
nuclear power plants will also employ either functional or equipment
diversity in some form to further increase the reliability. These
techniques have now increased the circuit reliability to the extent
where further improvement in circuit reliability is masked by the
limitations imposed by extrinsic common mode faults. Progress is also
being made in this area as designers and architect engineers begin to
employ separation criteria and standards for cabling and equipment,
and become more conscious of the need to take extreme precautions to
insure the independence of individual safety channels.
A new element, however, is beginning to appear in advanced safety
system designs. This is the use of the computer to create alarms,
setbacks or scrams from derived variables (references 1 to 4). Variables and functions
such as power vs. flow, departure from nucleate boiling, local power
density, etc. can all be calculated and used as advanced safety trips
that will enable maximum core utilization. In addition, future
projections of input safety variables indicate the use of possibly
hundreds of in-core signals, which can be handled efficiently only by
computer techniques.
The problem now arises as to the reliability of the computer.
This problem can be split into two parts, hardware reliability

and software reliability. With the continual decline in prices of
computer hardware over the last several years, the projections call
for the use of redundant calculators or computers to again increase
the reliability through the use of on-line repair. References 1 to 4
indicate designing in two-out-of-three or two-out-of-four computers to
be used as simple hardware components.
The software situation is more complex in that it is most diffi-
cult to prove that the software will first be able to respond properly
to every safety situation, and secondly, that the software which must
be used to test the hardware provides complete and thorough tests.
Considerable, if not all, software problems may be eliminated through
the use of small dedicated microcomputers that perform only specific
functions and receive their instructions through fixed read only
memories.
To obtain high reliability for the computers and the system still
calls for relatively high frequency periodic test and maintenance.
Self-checking schemes are possible, but these again usually increase
the required software. So it appears that some manual maintenance
would be required to test and repair the computer, as well as its
adjacent components in the system.
The introduction of people via the maintenance and repair process
then raises again the spectre of the common mode faults. A study of
the causes of plant outages in 1973 indicated that operator
error was the cause of 18% of all forced outages. By far the largest
proportion of these errors were in some way related to a test and
maintenance operation. So it appears as though worthwhile gains in
availability might be possible if the high reliability of the safety

systems could be maintained by some scheme that increased the
maintenance interval and lessened the dependence upon people.
An adjacent problem was faced by NASA in the development of a
computer for on-board use for deep space probes. Here the mission
length was to be ten years or more and obviously direct human mainte-
nance was impossible. Initial studies were begun in 1961 that led to
the ultimate development of the STAR (Self-Testing and Repairing)
computer. This computer was a fault tolerant design, and employed
several forms of advanced redundancy, some of which were at a logic
system level.
It is these advanced forms of computer logic redundancy which
will be investigated in this paper for their potential use in nuclear
safety circuits. Prior to this step, a reliability analysis of an
advanced safety system employing conventional logic redundancy is
required. This will serve as a standard for comparison purposes to
determine if these advanced forms of computer logic redundancy do
indeed result in substantial increases in either system reliability
or availability over a system employing conventional logic redundancy.
As previously indicated, a number of vendors have begun employing
the use of computers or mini-computers (calculating modules) in their
advanced safety system designs to create alarms, setbacks or scrams from
derived variables. In the United States, Combustion Engineering (CE)
(reference 3) and Babcock and Wilcox (B&W) (reference 4) have submitted
proposals for advanced nuclear steam supply systems to the Nuclear
Regulatory Commission (NRC).
redundancy at the channel logic level. The CE design relies heavily
on the use of relays in the various logic circuits in the system.

Conversely, the B&W design utilizes solid state technology in
the logic circuits and in many other components as well. Thus, since
the general trend appears to be in the solid state direction and the
use of integrated circuits is on the increase, the B&W design was
chosen as the standard against which identical safety systems employing
computer logic redundancy would be compared.

II. ANALYSIS OF BABCOCK-241 NSS
SAFETY SHUTDOWN SYSTEM
Babcock and Wilcox have prepared reference 4, referred to as
Babcock-241 NSS, as a step towards standardization of a new nuclear
steam system in accordance with the "reference system" option set
forth in the AEC standardization statement of 5 March 1973. The major
design features of all the safety related instrumentation and control
systems are similar to those of the Washington Public Power Supply
System (WPPSS) Nuclear Project No. 1 (WNP-1) Plant with a number of
differences. There are two principal differences:
1. The Babcock-241 NSS utilizes a Plant Protection System (PPS)
which comprises the Reactor Protection System (RPS) and the Engineered
Safety Features Actuation System (ESFAS). The logic of the ESFAS has
been changed from a two-out-of-three logic to a "one-out-of-two taken
twice" logic.
2. The Babcock-241 NSS utilizes a computer (calculating module)
to create alarms, setbacks or scrams from derived variables.
The RPS is described in section 7.2 and the RPS logic is shown
in Figure 7.2-1 of reference 4. The Control Rod Drive Control System
(CRDCS) trip portion of the ESFAS is described in section 7.4 and illus-
trated in Figure 7.7-4, also in reference 4. The reader is referred to
reference 4 for a detailed discussion of the RPS and CRDCS. A brief
summary is provided here.
The RPS is a redundant four-channel system in which the four
protection channels are brought together in identical two-out-of-four
logic networks in the reactor trip modules. A trip in any two of the
four protection channels initiates a trip of all four logic networks.

Each of the reactor trip modules controls a CRDCS trip device.
Thus, a trip in any two of the four protection channels initiates a
trip of all the CRDCS trip devices. The power trip devices, however,
are arranged in a "one-out-of-two taken twice" logic system.
Before any reliability analysis can be performed, the system to
be analyzed must be explicitly defined and what is meant by a failure
must be clearly specified.
In this study the action of the safety shutdown system can be one
of two functions: either the safety system shuts down the reactor
when a situation arises that requires reactor shutdown, or the safety
system does not shut down the reactor when nothing is wrong.
Because the reliabilities encountered are often very close to
1.0, it is more convenient to talk in terms of failure probabilities.
In this context, failure probability is defined to be "the probability
that a system, subsystem or component will suffer a defined failure
in a specified period of time."
In this study the system to be analyzed includes all the sensing
instruments and their associated equipment that monitor plant para-
meters, the protection system logic, the devices that provide shutdown
signals to the control rods and all power supplies for the components
listed above. The system does not include the control portion of the
CRDCS which positions the reactor control rods or the latching mech-
anisms which hold the control rods in place ready for a free-fall
gravity trip. Schematically, this is the system represented by
Figures 7.2-1 and 7.7-4 of reference 4.
It is also necessary to specify the type of accident being
analyzed because each sensor is only designed to protect against

certain accidents. For example, the ion chambers will not protect
against a loss of coolant accident.
The method of analysis used in this study is identical to the
method employed in reference 9. Four basic steps are followed and
are summarized below:
1. The system is qualitatively analyzed, component by component,
for types of failures that can occur and what effect these failures
have on the system.
2. A reliability block diagram is constructed.
3. Failure rate data or estimates are obtained.
4. Numerical calculations are performed to determine a failure
probability for the repair interval specified.
As previously indicated, this study will look at the safety
shutdown system from two failure probability viewpoints: fail-to-danger
failure probability (safety shutdown system failure); and
false scram failure probability of the shutdown system. Additionally,
the fail-to-danger failure probability will be broken down into two
specific accidents: loss of coolant and overpower.
With the types of failure probabilities now specified, steps 1
and 2 listed above can be executed. Each component of Figure 7.2-1
and the CRDCS trip portion of Figure 7.7-4, both of reference 4, was
analyzed for its applicability to that type of failure and a relia-
bility block diagram was formed. Figure 1 shows the resulting
reliability block diagram for the fail-to-danger failure probability,
while Figure 2 is the reliability diagram obtained for the false
scram failure probability. It is pointed out that the logic combina-
tions 1/m and 1/n on Figure 1 are general expressions, and the exact

Figure 1. Fail-to-Danger Reliability Diagram for Babcock-241
NSS Automatic Safety Shutdown System
configuration is determined by the accident specified. This will be
discussed in greater detail further on in the analysis.
As previously described, the RPS consists of four identical
protection channels which are redundant and independent. When combined
in the system's logic, they automatically trip the reactor to protect
the core and the coolant system. Each channel is served by its own
independent sensors. Each sensor supplies an input signal to one or
more signal processing strings in the RPS channel. Each signal proces-
sing string terminates in a bistable which electronically compares the
processed signal with trip setpoints. All bistable trip outputs are
connected in series. In the normal, untripped state the output asso-
ciated with each bistable will be closed, thereby sending a constant
signal to the Channel Trip Memory (CTM). Referring to Figure 1 and
Table 1, a brief description of each trip initiating circuit for the
fail-to-danger failure probability is presented:
1. High and low reactor coolant pressure trip - Each channel
monitors the reactor coolant pressure. The signal from the pressure
transmitter (RCPX) is processed and fed to a buffer amplifier (B1).
The signal is then sent to both the high and low pressure bistables
(HPBS, LPBS). If the pressure signal exceeds the high pressure trip
setpoint or is lower than the low pressure trip setpoint, the appropriate
bistable will trip causing the channel to trip.
2. High and low pressurizer level trip - Each RPS channel also
monitors the pressurizer level. The signal from the differential
pressure (level) transmitter (dPLX) is processed and fed to a buffer
amplifier (B2). The signal is then sent to the high and low

















































Table 1. Legend for Reliability Block Diagrams (partial)
High RC Pressure Bistable
High Pressurizer Level Bistable
Low RC Pressure Bistable
Low Pressurizer Level Bistable
Module Interlock
Main Motor Return Gate Drive
Main 440V Power Supply
Secondary 440V Power Supply
Secondary 440V Power Supply SCR's
Solid State Switch
Test Circuit
24V DC Power Supply (SCR's)
exceeds the high level trip setpoint or is lower than the low level
trip setpoint, the appropriate bistable will trip causing the channel
to trip.
3. High outlet temperature trip - Each channel monitors the
temperature of both RC outlet loops. The signal from each resistance
temperature detector (RTD3, RTD4) is sent to separate matched bridge
networks (BU3, BU4) and fed to a signal converter (SC) which also acts
as an isolation device. The loop A and loop B outlet temperature
signals are then sent to separate high temperature bistables (HABS,
HBBS). If the temperature signal exceeds the high temperature trip
setpoint, the bistable will trip causing the channel to trip.
4. Overpower trip - Each channel also monitors the flux in a
quadrant of the core. Signals from each half of a two section, out-of-
core, uncompensated ion chamber (ICH, ICL) are sent to separate linear
amplifiers (LA). The signals proportional to the neutron flux in the
top and bottom halves of the core are then summed in a summing
amplifier (SA) which also acts as an isolation device. The total
power signal is then sent to the overpower bistable (OPBS). If the
total power signal exceeds the overpower trip setpoint, the bistable
trips causing the channel to trip.
5. Power/Flow trip - Each RPS channel monitors the total RC flow.
A differential pressure transmitter (dPFX) measures the pressure drop
across the core and provides a signal, proportional to the flow
squared, to a square root extractor (SQX). The signal from the
extractor is then sent to an amplifier (AMP) to produce a total flow
signal. The amplifier also acts as a scaling amplifier and isolation
device. The scaled total flow signal is then sent to the power/flow

bistable (PFBS). The total reactor power signal discussed in item 4
is also sent to the power/flow bistable. If the total power signal
exceeds the total reactor coolant flow signal scaled by the power-to-
flow ratio trip, the power/flow bistable will trip causing the channel
to trip.
6. Calculating module trip - The calculating module (CM)
provides the offset, low DNBR and power/ΔT (used only during startup)
trip functions. The calculating module utilizes analog and digital
signals processed by the RPS instrumentation channels as input. The
input signals used by the module are:
a. The reactor coolant pressure signal from the buffer
amplifier used by the high and low pressure trip bistables discussed
in item 1.
b. The two reactor coolant inlet temperatures monitored
by RTDs (RTD1, RTD2). The signals from each RTD are sent to a
separate matched bridge network (BU1, BU2) and fed to a signal
converter (SC) which acts as an isolation device.
c. The two reactor coolant outlet temperature signals from
the signal converter used by the high temperature trip bistables
discussed in item 3 above.
d. The neutron flux signal in the bottom half of the core
is subtracted from the flux signal for the top half of the core in a
difference amplifier (DFA). The imbalance signal is then input to
the calculating module.
e. The total power signal from the summing amplifier (SA)
discussed in item 4.

The calculating module then provides the following trip signals to
the calculating module bistable (CMBS):
a. Offset trip - This trip prevents the core from operating
with axial power distributions that could cause the local linear heat
rate to exceed the kW/ft safety limit. The offset trip lines are
intended to provide offset protection for only the power levels that
can be reached without activating the overpower trip or the power/flow
trip bistables.
b. Low DNBR trip - The low DNBR trip prevents the reactor
from operating in a steady-state condition below the minimum allowable
DNBR.
c. Power/ΔT (Startup) trip - If the total reactor power
signal exceeds a preset value and the differential temperature across
the reactor core (ΔT) is less than a preset value, the calculating
module provides a trip signal to the bistable.
Any one of these trip signals will trip the bistable which in turn will
trip the channel.
In the event there is a trip of one of the discussed bistables,
the signal to the Channel Trip Memory (CTM) in that channel will be
interrupted. The channel trip memory can only be reset through use
of a reset switch (RS) by deliberate operator action once the trip
condition has cleared. The channel trip memory will then send a con-
stant trip signal to a line driver (LD) which is isolated from the
trip memory by a photo-transistor isolation device (PTID). At this
point on the reliability diagram, the four channels are brought together
in four two-out-of-four logic voter devices. Since voter devices are

not perfect devices, the voter can be regarded as two series elements
consisting of a perfect logic circuit in series with the actual
components used in the formation of the logic (reference 22). Each logic network
is separated from a solid state switch (SSSW) by a photo SCR isolation
device (PSCR). The switch provides 120 volt AC power to the under-
voltage coils on the main and secondary 440 volt power circuit
breakers (CBA, CBB) and to the electronic type relay coils in the
main and secondary SCR circuits. For a reactor shutdown, both solid
state switches in each channel are required to be switched off, thereby
cutting power to the circuit breaker coils or the SCR circuit electronic
type relay coils.
As previously indicated, the power trip devices are arranged in
a "one-out-of-two taken twice" logic system. This arrangement has
circuit breaker A and the main SCR circuit linked in series, while
circuit breaker B and the secondary SCR circuit are in series. Thus
for a reactor shutdown, one power trip device from each series must
be tripped.
Figure 2 depicts the false scram reliability diagram. In this
diagram, all sensors and their signal processing strings are connected
in series since a failure of one component can cause the channel to
trip. The remaining portions of the system after the Channel Trip
Memory (CTM) are identical to that previously discussed, except for
the logic combinations and the inclusion of the vital buses (VBA, VBB,
VBC, VBD), the 440 volt power supplies (MPS, SPS) and the step down
transformers (XMFR). The logic required at the channel level is three-
out-of-four since at least three channels in a non-tripped state are

Figure 2. False Scram Reliability Diagram for Babcock-241
NSS Automatic Safety Shutdown System

required for continued reactor operation. The logic required at the
solid state switch level (SSSW) is one-out-of-two, since one non-tripped
switch supplying 120 volt AC power to either the circuit breaker under-
voltage coils or SCR circuit electronic type relay coils is required
for reactor operation.
The power trip devices (CBA, CBB, MSCR, SSCR) are arranged in a
"one-out-of-two taken twice" logic in the fail-to-danger reliability
diagram. In the false scram reliability diagram, a "two-out-of-two
taken once" logic is required. This means that either the power train
with circuit breaker A (CBA) and the main SCR circuit (MSCR) in series
or the power train with circuit breaker B (CBB) and secondary SCR
circuit (SSCR) in series is required for reactor operation.
Figure 3 gives a detailed reliability diagram for the blocks
labeled MSCR and SSCR on Figures 1 and 2. Figure 3a is for the fail-
to-danger failure, while Figure 3b is for the false scram failure.
These figures depict the second method of interruption of power to the
control rod drive mechanisms (CRDM), the first being the previously
discussed circuit breakers. In this method the gate control signals
to the silicon controlled rectifiers (SCRs) in each of the nine CRDM
group power supplies and the motor return power supply are interrupted.
The trip devices are ten electronic type relays connected with their
coils in parallel (RLY1 through RLY10). Contacts of these relays
serve to remove the gate control signals passing through the optical
encoder (OPEC) and gate drive (GD) to the SCRs in each power supply.
Because the power supplies have redundant halves, two sets of ten

Figure 3. Reliability Diagram Main and Secondary Power SCR's
state only if the associated trip channel is energized. For the
configuration depicted in Figure 3a, interruption of only one relay
out of the ten shown is required. Conversely, Figure 3b indicates that
all ten relay configurations must work to prevent a false trip signal
from being propagated further on in the shutdown system. It should
be noted that for purposes of this study, the ganged manual trip
switches (SI and S2) shown on Figure 7.2-1 of reference 4 have been
neglected since the area of interest is in the automatic shutdown
circuit. In a more extensive reliability analysis of the system,
these switches would be taken into account along with the failure
rate associated with the human operator (references 5, 8).
With the reliability block diagrams now formulated for the
specified failure probabilities, failure rates for each component
on these diagrams can be assigned. Based upon the data accumulated
in Appendix I and justified in Appendix II, Table 2 assigns the
failure rates to the components of Figures 1-3 (identified in Table 1)
for the specific failure.
Two components remain to have failure rates assigned, the OR
gates and the voter device. For these components a failure rate can
be calculated from the formulas of MIL-HDBK-217B, reference 10. The
failure rate is calculated from the expression given on page 2.1.1-1
$\lambda_p = \pi_L \pi_Q (C_1 \pi_T + C_2 \pi_E)$ (1)
where
$\lambda_p$ is the device failure rate in failures/10^6 hrs,





Table 2. Failure Rates Used in Analysis
Component / Failure Rate (failures/10^6 hrs.): Fail-to-Danger, False Scram
AMP, B1, B2, DFA, GD, LA, LD, MRGD, SA, SQX
BU1, BU2, BU3, BU4
CBA, CBB
CM
CTM, HPBS, HZBS, HABS, HBBS, LPBS, LZBS, OPBS,
MPS, SPS, VBA, VBB, VBC, VBD
RCPX
$\pi_Q$ is the quality factor,
$\pi_T$ is the temperature acceleration factor,
$\pi_L$ and $\pi_E$ are the learning and application environment factors, and
$C_1$, $C_2$ are the circuit complexity factors. All of the factors
are available in tabular form in reference 10 and the following values
are assigned:
$\pi_L$ = 1.0 (Table 2.1.5-2)
$\pi_Q$ = 10 (Table 2.1.5-1)
$\pi_T$ = 0.545 (Table 2.1.5-4 at 60°C $T_J$)
$\pi_E$ = 1.0 (Table 2.1.5-3)
For the OR gate, the values for $C_1$ and $C_2$ are 0.0013 and 0.0039
respectively. For the voter device (in the proposed Babcock-241 NSS
design this is a two-out-of-four logic device containing seven gates),
$C_1$ and $C_2$ are assigned the values 0.0048 and 0.0078 respectively.
These values are obtained from Table 2.1.5-5 of reference 10.
Using these values and equation (1), failure rates for the OR gate
(ORG) and voter device (VD) are calculated to be 5 x 10^-8 failures/hr.
and 1.0416 x 10^-7 failures/hr. respectively.
With failure rates assigned to each component in Figures 1-3,
step four of the method of analysis, the numerical calculation of a
failure probability for the automatic safety shutdown system, can be
performed. Prior to this though, a number of additional assumptions




1. Failures are statistically independent and no common mode
situations exist. In general this is not true, but for purposes of
this study, this is assumed.
2. Any voter or voter-switch can be regarded as a series element
in the reliability block diagrams.
3. Channels are identical.
4. Channels are either good or bad. There is no intermediate
state.
5. The hazard rates (instantaneous failure rates) associated
with the components and channels are constant, which gives rise to
the exponential distribution for all subsequent reliability calculations.
Using conventional reliability analysis procedures for independent
processes, the component blocks on the reliability diagrams
can be combined until a failure probability for the system defined is
found as a function of some specified time interval. The reference
to a specified period of time is extremely important. Reactor protec-
tion systems are periodically tested, inspected and repaired. If one
can assume that all failures are instantaneously corrected at the
end of the test interval, then that interval is also the repair
interval over which the reliability calculations are made. Thus,
for this study the test and repair interval is assumed to be the
same and is referred to as the "repair interval" (reference 9). For plug-in
type electronic circuit boards this is a reasonable assumption.
As indicated earlier, the fail-to-danger failure probability
is being analyzed for two types of accidents: loss of coolant and
overpower. Each accident will have a different logic combination in

the 1/m and 1/n logic circles shown on Figure 1. This is because
each sensor is only designed to protect against certain accidents.
In the loss of coolant accident the 1/m logic becomes 1/1 since
only the input from the reactor containment (RC) pressure detector
train is utilized by the calculating module. The 1/n logic becomes
1/3 since only the inputs from the low pressurizer level bistable, low
RC pressure bistable, and the calculating module bistable trains are
involved. All other bistable trains are not associated with this
accident.
Similarly, the logic for the overpower accident assumes the
following form: the 1/m logic becomes 1/4 with both ion chamber
trains and the two RTD trains associated with the coolant outlet
temperature involved. The 1/n logic becomes 1/5 with the power/flow
bistable, overpower bistable, both coolant outlet temperature RTD
bistables, and the calculating module bistable trains participating.
Again, all other components not associated with this accident are
neglected. With these substitutions, a fail-to-danger failure
probability for the automatic system for the two accidents as a
function of repair interval time can be determined.
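Equation (1), the exponential-distribution assumption and the block-diagram reduction with the accident-specific 1/m and 1/n logic described above, worked through in Python as an added example (not code from the thesis). The OR-gate and voter rates reproduce the text's values; every other entry in RATES is a constructed stand-in for the Table 2 data, and the four voters of Figure 1 are collapsed into a single two-out-of-four stage.

```python
"""Reliability arithmetic of the kind used in the thesis's analysis.
Added example: apart from the OR gate, voter and ion chamber, the
component failure rates below are constructed, not the thesis's values."""
import math


def mil_hdbk_217b_rate(c1, c2, pi_l=1.0, pi_q=10.0, pi_t=0.545, pi_e=1.0):
    """Equation (1): lambda_p = pi_L * pi_Q * (C1*pi_T + C2*pi_E), which the
    handbook gives in failures per 10^6 hours; returned in failures per hour.
    The defaults are the factor values the text takes from reference 10."""
    per_million_hours = pi_l * pi_q * (c1 * pi_t + c2 * pi_e)
    return per_million_hours * 1e-6


# Complexity factors quoted in the text (Table 2.1.5-5 of reference 10).
RATE_ORG = mil_hdbk_217b_rate(0.0013, 0.0039)  # OR gate: 4.6e-8 /h, rounded to 5e-8 in the text
RATE_VD = mil_hdbk_217b_rate(0.0048, 0.0078)   # two-out-of-four voter device: 1.0416e-7 /h


def unreliability(rate, t):
    """Assumption 5 (constant hazard rate): F(t) = 1 - exp(-lambda*t) over a
    repair interval of t hours, every failure being corrected at its end."""
    return 1.0 - math.exp(-rate * t)


def series(*fails):
    """Series blocks: the string works only if every block works."""
    return 1.0 - math.prod(1.0 - f for f in fails)


def one_of(*fails):
    """One-out-of-m logic over possibly different blocks: fails only if all fail."""
    return math.prod(fails)


def k_out_of_n(k, n, f):
    """k-out-of-n logic over n identical, independent blocks (assumptions 1, 3, 4)
    of failure probability f: the arrangement fails when fewer than k work."""
    p = 1.0 - f
    return sum(math.comb(n, j) * p ** j * f ** (n - j) for j in range(k))


# Constructed failure rates in failures/hour. Only the ion chamber (50e-6,
# quoted in the text) and the ORG/VD rates above come from the page; the
# rest stand in for the Table 2 values, which are not reproduced here.
RATES = {
    "ICH": 50e-6, "LA": 2e-6, "SA": 1e-6, "RTD": 5e-6, "BU": 1e-6, "SC": 1e-6,
    "OPBS": 2e-6, "HABS": 2e-6, "CTM": 2e-6, "PTID": 0.5e-6, "LD": 1e-6,
    "PSCR": 0.5e-6, "SSSW": 1e-6, "CB": 5e-6, "SCR": 5e-6,
}


def stage_probs(t):
    """Block failure probabilities for one repair interval t, plus the
    composite trains used by both diagrams. Simplification: the four voters
    of Figure 1 are collapsed into one two-out-of-four stage."""
    F = {name: unreliability(rate, t) for name, rate in RATES.items()}
    F["VD"] = unreliability(RATE_VD, t)
    F["ic_train"] = series(F["ICH"], F["LA"], F["SA"])   # ion chamber train
    F["rtd_train"] = series(F["RTD"], F["BU"], F["SC"])  # outlet RTD train
    F["trip_path"] = series(F["PSCR"], F["SSSW"])        # voter output to trip device
    return F


def overpower_fail_to_danger(t):
    """Fail-to-danger, overpower accident: 1/m = 1/4 over the two ion chamber
    and two RTD trains, 1/n over three of the five bistables the text lists
    (PFBS and CMBS omitted), channels in two-out-of-four, then the
    'one-out-of-two taken twice' power trip devices."""
    F = stage_probs(t)
    sensors = one_of(F["ic_train"], F["ic_train"], F["rtd_train"], F["rtd_train"])
    bistables = one_of(F["OPBS"], F["HABS"], F["HABS"])
    channel = series(sensors, bistables, F["CTM"], F["PTID"], F["LD"])
    logic = series(k_out_of_n(2, 4, channel), F["VD"])
    cb_path = series(F["trip_path"], F["CB"])
    scr_path = series(F["trip_path"], F["SCR"])
    pair_a = one_of(cb_path, scr_path)  # CBA or the main SCR circuit must trip
    pair_b = one_of(cb_path, scr_path)  # CBB or the secondary SCR circuit must trip
    return series(logic, pair_a, pair_b)


def false_scram(t):
    """False scram: every train is in series (any failure trips the channel),
    three untripped channels out of four are required, and either power
    train (breaker and SCR circuit in series) keeps the rods energized."""
    F = stage_probs(t)
    channel = series(F["ic_train"], F["ic_train"], F["rtd_train"], F["rtd_train"],
                     F["OPBS"], F["HABS"], F["HABS"], F["CTM"], F["PTID"], F["LD"])
    logic = series(k_out_of_n(3, 4, channel), F["VD"])
    train = series(F["trip_path"], F["CB"], F["trip_path"], F["SCR"])
    return series(logic, one_of(train, train))


def failure_vs_repair_interval(intervals=(10, 100, 1000, 10000)):
    """Rows of (repair interval in hours, fail-to-danger, false scram)."""
    return [(t, overpower_fail_to_danger(t), false_scram(t)) for t in intervals]


if __name__ == "__main__":
    for t, ftd, fs in failure_vs_repair_interval():
        print(f"{t:6d} h  fail-to-danger {ftd:.3e}  false scram {fs:.3e}")
```

With the constructed rates the false-scram column climbs by orders of magnitude between 100 and 1000 hours while the fail-to-danger column stays small, the qualitative shape the text describes for Figure 4; the numbers themselves are not the thesis's.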
The results of the calculations for the fail-to-danger and
false scram failure probabilities are presented in Figure 4. The
false scram curve indicates a marked increase in the failure probabil-
ity for a repair interval between 100 and 1000 hours. This is due to
the fact that at low time intervals (<100 hours), the components in a
channel with high failure rates such as the ion chambers (λ = 50 x 10^-6

Figure 4. Babcock-241 NSS Automatic Safety Shutdown System Failure
Probability vs. Repair Time Interval (curves: Loss of Coolant Accident,
Overpower Accident; abscissa: Repair Interval-Hours)
remaining components contribute little. As the time interval increases,
however, these components with low failure rates begin to play an
increasingly important role in the reliability of the system. Thus,
to decrease the false scram failure probability to an acceptable value
at high time intervals would require ultra-reliable components.
Conversely, the two accident curves show no abrupt increase in
their fail-to-danger failure probabilities over the repair intervals
considered. As before the components with high failure rates dominate
the reliability calculations at low time intervals. However, due to
the logic combination unique to each type of accident specified, the
failure probabilities are almost identical. So, in spite of the
fact that the bistable trains used in the overpower accident contain
a considerable number of high failure rate items, because of the
combinational logic used for the accident, the failure probability
is comparable to that of an accident employing different bistable
trains with low failure rate components.

III. BACKGROUND OF LOW LEVEL LOGIC
REDUNDANCY IN COMPUTER SYSTEMS
In this section, computer system fault masking logic redundant
circuits are investigated for potential use in nuclear safety circuits.
Not all circuits or devices investigated in the computer field are
evaluated in this study; only those with the highest system reliability
potential.
Bazovsky has shown that the highest reliability is obtained in
redundant systems when the redundancy is at the lowest possible level.
In computer systems this implies that the redundancy should be at
least at the logic element level. Numerous investigators over the
past 15 years have developed and analyzed several forms of computer
and logic redundancy, and the reliabilities of the various
configurations have been summarized by Dennis (reference 22).
Table 3 made from the Dennis summary and using his notation
indicates the various types of redundancy that have been studied in
the space and computer industries. The configurations A to H are
of increasing order of reliability and complexity. Most of the higher
letter configurations have not been employed in nuclear safety shutdown
circuits, but variations of Type C redundancy are commonly found.
For later comparison purposes, a more detailed description of
the Type H voter-switch, the potentially highest reliability configura-
23
tion, is now presented. This system is credited to Goldberg and
is sometimes referred to in the literature as a THISS (TMR/Hybrid/
24
Single/Single) voter-switch . TMR refers to triple modular redundant
incremental reliability gain as a function of the number of spares in
the THISS configuration has been shown [16, 17] to rapidly decrease beyond
two spare channels, and it is the operation of a THISS-2, a two spare
combination, that will be examined. Figure 5 shows a possible life
cycle of the system. Here originally channels A, B, and C are working
and channels D and E are unconnected standby spares, and at this time
may be either powered or unpowered. Figure 5 first assumes that
channel C has failed. Actually any one of the original working
channels may fail and the system will degenerate into a THISS-1. The
next failure causes deterioration into the simple TMR arrangement
(THISS-0) which is still triple voting. In other words, even after
two failures the system still votes two-out-of-three. The THISS system
will survive two more failures, but will no longer have the desired
voting capability. Single channel operation only is provided after
the spares are used up. The reason for switching from an effective
three channel operation to a one channel system, rather than a two
channel system, is because the single channel has a higher reliability.
If two channels are used in a two-out-of-two configuration there simply
would be twice as many components involved as in the single channel
and given the same component failure rates, the reliability must
be reduced. A one-out-of-two configuration is unsuitable in that
there is the problem of knowing which channel is correct in the event
of a failure. As is, the single channel can no longer rely on simple
comparison diagnostics to determine proper switching operation, but

Figure 5. Life Stages of a THISS-2 Voter-Switch (diagram not reproduced; surviving labels: "No Spares, A has failed - Non-voting single channel", "Life Stage 4", "1 Spare, B has failed - Non-voting single channel", "Life Stage 5", "No Spares, E has failed")

With any form of hard-wired working majority voters all channels
obviously must be powered. However, when switchable standby channels
are employed they may be either powered or unpowered. The principal
difference is in the failure rate. Powered channel failure rates are
generally higher than unpowered ones, with references 25 and 26
indicating that λ_unpowered (λ_up) is of the order of 10 to 30% of
λ_powered (λ_p). The approximate unreliabilities indicated in Table 3
are for channels including spares fully powered. For the THISS-2
circuit having a perfect switching circuit this condition leads to
the unreliability of f where f is the unreliability of a single
channel. Dennis further shows that if λ_up for a channel is 0 in the
unpowered standby situation, then the THISS-2 system unreliability
would only be reduced to 9/40 f. And for λ_up between 0 and λ_p one
might use linear interpolation without serious error.
The reliability of the switch is crucial in all standby redundancy
situations. In computer terms this reliability is sometimes called
coverage. There coverage is defined as the probability, given that a
fault has occurred, that the fault will be detected in time to prevent
the loss of significant information or function [22, 24]. For the
relatively slow nuclear service, coverage may be considered simply as
switch reliability, and uncoverage as switch unreliability or failure
probability.
Reference 24 indicates the extreme sensitivity of the THISS-2
logic system to uncoverage. An approximate formula is developed
(for λt < 0.4) that indicates that the system unreliability

(equation (2) not legible in the scan)

where
F = the system unreliability,
f = the original channel unreliability, and
f = the uncoverage, or switch unreliability.
It can be seen that the switch must be highly reliable in order
for the overall redundant system to achieve its promised reliability.
The second term of equation (2), as previously indicated, represents
the unpowered, perfect switch, system reliability. In order for the
first term not to dominate, f must be on the order of f^4, calling
for the switch to have extreme reliability, especially if the original
channel reliability is high. Fortunately the switch can be a relatively
simple solid state integrated circuit. Two generic types of switching
may be employed. The first may be considered to be a brute force
solution using only discrete logic elements, whereas the second solution
employs the technique of logic through memory [27-30]. Integrated circuits
of this sort may be carefully built and inspected to have failure rates
between λ = 10^-8 to 10^-9/hr [10, 31]. Hence considerable improvement in
system reliability may be obtained over single complex channels
employing process detectors, analog networks, A to D converters, and
finally a micro-processor, all effectively connected in series, if
these types of voter-switches can be used as low level logic elements.

IV. RECONFIGURATION OF BABCOCK-241 NSS
SAFETY SHUTDOWN SYSTEM
In order to evaluate the failure probability of a safety shutdown
system containing one of the higher lettered voters/voter-switches
listed in Table 3, Figures 1 and 2 must be modified to include a fifth
channel and power interruption device.
The fifth channel to be added will be designated channel E and is
identical to the first four channels (A, B, C, and D) shown on Figures
1 and 2. In addition, a third source of 440V power, designated TPS,
must be added and is connected to both the main and secondary 440V power
supply circuits shown on Figure 7.7-4 of reference 4. The power trip
device associated with this third 440V power supply is assumed to be a
circuit breaker which is labeled CBE.
At this point, the voter or voter-switch to be included in the
modified reliability block diagrams must be chosen. For comparison
purposes with the two-out-of-four system, a three-out-of-five voter
and the THISS-2 voter-switch previously discussed are chosen.
Figures 6 through 9 are the resultant reliability diagrams for the
fail-to-danger and false scram failure probabilities.
Figures 6 and 7 are, respectively, the reliability diagrams for
the three-out-of-five voter fail-to-danger and false scram failure
modes. Figures 8 and 9 are, respectively, the fail-to-danger and
false scram reliability diagrams for the THISS-2 voter-switch.
Figure 8 requires some additional discussion. As indicated on
the reliability diagram, the THISS-2 voter-switch is a four-out-of-five

Figure 6. Fail-to-Danger Reliability Diagram for Automatic Safety Shutdown System with Three-out-of-Five Voter Device (diagram not reproduced)

Figure 7. False Scram Reliability Diagram for Automatic Safety Shutdown System with Three-out-of-Five Voter Device (diagram not reproduced)

Figure 8. Fail-to-Danger Reliability Diagram for Automatic Safety Shutdown System with THISS-2 Voter-Switch (diagram not reproduced)

Figure 9. False Scram Reliability Diagram for Automatic Safety Shutdown System with THISS-2 Voter-Switch (diagram not reproduced)

tolerate only at most one undetected failure and still operate in a
safe manner. Two undetected failures will cause the voter-switch to
switch out the wrong channel, in this instance the channel which has
detected a dangerous condition. This comes about because switching
is caused by the output of a difference detector. If any input to the
switch is different than the output, then the differing channel is
switched out. At this point the voter-switch has unwittingly incapaci-
tated itself when needed if two previously undetected faults have
existed. Even if the voter-switch switches in the standby channels
one at a time, the two undetected failures cannot be overridden by
the new channels. In fact, the switched in channels will be rejected
as they are switched in, eventually leaving the safety system with a
non-voting single channel containing an undetected failure as the only
channel. This is best represented by Figure 10 which illustrates
this key point against the THISS-2 voter-switch. For the false scram
failure this problem does not exist. The voter-switch works exactly
as discussed in section III and depicted in Figure 5.
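The fail-to-danger trap just described, and the difference-detector behaviour of section III, as an added simulation (this is not the thesis' own code; the stuck-at fault model, the scan-by-scan timeline and the use of channel letters A to E are this example's assumptions):

```python
"""Behavioural model of the THISS-2 voter-switch of sections III and IV.

Three channels vote two-out-of-three while two spares wait in standby.  A
difference detector drives the switch: any active channel whose reading
differs from the voted output is switched out and a spare takes its place.
When the spares are gone the arrangement drops from TMR to a non-voting
single channel.  Fault model, timeline and channel names are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

TRIP, NO_TRIP = 1, 0


@dataclass
class Channel:
    name: str
    stuck_at: Optional[int] = None  # None = healthy; 0 or 1 = output frozen

    def read(self, plant_condition: int) -> int:
        return plant_condition if self.stuck_at is None else self.stuck_at


@dataclass
class ThissSwitch:
    active: List[Channel]
    spares: List[Channel]
    log: List[str] = field(default_factory=list)

    def stage(self) -> str:
        if len(self.active) >= 3:
            return f"THISS-{len(self.spares)}"  # THISS-0 is plain TMR
        return "non-voting single channel"

    def _vote(self, plant_condition: int) -> int:
        readings = [c.read(plant_condition) for c in self.active]
        if len(readings) >= 3:
            return TRIP if 2 * sum(readings) > len(readings) else NO_TRIP
        return readings[0]  # single channel: no vote, its word is final

    def scan(self, plant_condition: int) -> int:
        """One scan: vote, then let the difference detector reconfigure
        until every active channel agrees with the output."""
        while True:
            out = self._vote(plant_condition)
            if len(self.active) < 3:
                return out  # no voting left, so no difference detection either
            odd = [c for c in self.active if c.read(plant_condition) != out]
            if not odd:
                return out
            culprit = odd[0]
            self.active.remove(culprit)
            if self.spares:
                fresh = self.spares.pop(0)
                self.active.append(fresh)
                self.log.append(f"{culprit.name} out, {fresh.name} in -> {self.stage()}")
            else:
                # No spare left: a two-out-of-two pair is rejected (section III),
                # so keep one channel that agreed with the vote and stop voting.
                keeper = self.active[0]
                self.active = [keeper]
                self.log.append(f"{culprit.name} out, {keeper.name} alone -> {self.stage()}")


def build_switch() -> Tuple[ThissSwitch, Dict[str, Channel]]:
    chans = {n: Channel(n) for n in "ABCDE"}
    sw = ThissSwitch(active=[chans["A"], chans["B"], chans["C"]],
                     spares=[chans["D"], chans["E"]])
    return sw, chans


def run(timeline: List[Tuple[Dict[str, int], int]]) -> dict:
    """timeline: per scan, the faults injected just before it and the true
    plant condition during it.  Returns outputs and final configuration."""
    sw, chans = build_switch()
    outputs = []
    for faults, condition in timeline:
        for name, value in faults.items():
            chans[name].stuck_at = value
        outputs.append(sw.scan(condition))
    return {"outputs": outputs, "stage": sw.stage(),
            "active": [c.name for c in sw.active], "log": sw.log}


# Constructed scenario 1 (fail-to-danger): two channels fail stuck at NO_TRIP
# during normal operation.  Nothing reveals them, because healthy channels
# also read NO_TRIP.  On a real demand the lone dissenter is the healthy
# channel, and so is each spare that replaces it.
FAIL_TO_DANGER = [({"A": NO_TRIP}, NO_TRIP), ({"B": NO_TRIP}, NO_TRIP), ({}, TRIP)]

# Constructed scenario 2 (false scram): channels fail stuck at TRIP one at a
# time.  Each disagrees with the output on the scan it appears and is switched
# out at once, so a later genuine demand still gets through.
FALSE_SCRAM = [({"A": TRIP}, NO_TRIP), ({"B": TRIP}, NO_TRIP), ({}, TRIP)]

if __name__ == "__main__":
    for label, timeline in (("fail-to-danger", FAIL_TO_DANGER), ("false scram", FALSE_SCRAM)):
        result = run(timeline)
        print(label, result["outputs"], result["stage"], result["active"], result["log"])
```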
Even though the logic has been changed at the channel voting
level, the "one-out-of-two taken twice" feature of the CRDCS trip
portion of the ESFAS of the original safety system has been retained.
A modified expression for the logic at the point where blocks CBA,
MSCR and CBE and CBB, SSCR and CBE come together is required, however.
A truth table is constructed with a reliability expression written
from the results. For the fail-to-danger failure mode the truth

Figure 10. Life Stages of a THISS-2 Voter-Switch (diagram not reproduced; surviving labels: "1 Spare, Good Channel C Switched Out", "Life Stage 3", "1 = Trip Signal"; the fail-to-danger truth table and expressions that follow it are not legible in the scan)

Similarly, the truth table for the false scram failure gives rise to
the failure probability expressions for Q_A (not legible in the scan).

V. NUMERICAL ANALYSIS OF MODIFIED
SAFETY SHUTDOWN SYSTEMS
The numerical analysis procedure necessary to determine a failure
probability value for the reliability diagrams shown as Figures 6, 7,
8 and 9 is identical to that in section II. Failure rates are
assigned to each component block on the reliability diagrams using the
values listed in Table 2. Equations (3), (4), (5) and (6) are used
for the modified CRDCS trip trains. For the voter/voter-switch in
each reliability diagram, a failure rate is calculated using equation
(1) of section II with the exception that the three-out-of-five voter
contains 11 gates and the THISS-2 voter-switch is assumed to be
equivalent to 100 gates. From Table 2.1.5-5 of reference 10, C_1 and
C_2 for the three-out-of-five voter are assigned the values 0.0065 and
0.0092 respectively. Table 2.1.5-7 of reference 10 assigns the
values of 0.030 and 0.020 to C_1 and C_2, respectively, for the THISS-2
voter-switch. Using the values assigned in section II to the other
variables in equation (1), failure rates for the three-out-of-five
voter and THISS-2 voter-switch are computed to be 1.27425 x 10
failures/hr and 3.5805 x 10 failures/hr, respectively.
The results of the numerical analysis of the safety shutdown
systems are presented in Figures 11, 12 and 13. Figure 11 is for
the fail-to-danger failure probability for the three-out-of-five
voter device while Figure 12 is the fail-to-danger failure probability
for the THISS-2 voter-switch (in this particular analysis a four-out-of-
five voter). Figure 13 gives the results for a false scram failure

Figure 11. Automatic Safety Shutdown System Failure Probability with Three-out-of-Five Voter (plot not reproduced; legend: Loss of Coolant Accident, Overpower Accident; x-axis: Repair Interval-Hours)


Figure 12. Automatic Safety Shutdown System Failure ... (plot not reproduced; x-axis: Repair Interval-Hours)


Figure 13. False Scram Failure Probability of Automatic ... (plot not reproduced; legend: Three-out-of-Five Logic, THISS-2 Logic; x-axis: Repair Interval-Hours)

VI. SUMMARY AND CONCLUSIONS
Three safety shutdown systems have been analyzed in this study:
1. The original Babcock-241 NSS safety shutdown system utilizing
a two-out-of-four channel voter device,
2. A modified Babcock-241 NSS safety system employing a three-out-
of-five channel voter device and modified CRDCS trip train, and
3. A second modified form of the Babcock safety system; this
system utilizing a THISS-2 voter-switch with modified CRDCS trip train.
For comparison purposes the results presented previously in
Figure 4 and Figures 11, 12 and 13 are combined, with the results
displayed on Figures 14, 15 and 16.
Figure 14 is the failure probability of the automatic safety
shutdown systems for an overpower accident as a function of the repair
time interval. The figure indicates that the original two-out-of-four
channel voter logic of the Babcock-241 NSS safety system is slightly
superior to the two modified systems for all repair time intervals
considered. The two modified systems show little difference between
each other, although at time intervals greater than 10^3 hours the
THISS-2 voter-switch, in this instance a four-out-of-five voter,
begins to have a slightly higher failure probability.
Likewise, in Figure 15 the same results exist for the loss of
coolant accident. The two-out-of-four channel voter logic system is
slightly superior to the two modified systems and little difference
exists between these two modified systems except at repair time
intervals greater than 10^3 hours. Once again the THISS-2 voter-switch

Figure 14. Automatic Safety Shutdown Systems Failure ... (plot not reproduced; legend: Two-out-of-Four Logic, Three-out-of-Five Logic, THISS-2 Logic; x-axis: Repair Interval-Hours)


Figure 15. Automatic Safety Shutdown Systems Failure Probability for Loss of Coolant Accident (plot not reproduced; x-axis: Repair Interval-Hours)


Figure 16. False Scram Failure Probability of Automatic ... (plot not reproduced; legend: Two-out-of-Four Logic, Three-out-of-Five Logic, THISS-2 Logic; x-axis: Repair Interval-Hours)

Therefore, for a fail-to-danger failure mode, Figures 14 and 15
show no advantage in using computer logic redundancy in safety shutdown
circuits. It must be borne in mind, though, that the THISS-2 voter-
switch is limited here to being a four-out-of-five voter. This is
due to its limitation of being able to tolerate only one undetected
failure.
In Figure 16 the advantage of using computer logic redundancy
in the safety systems is clearly indicated. As is evident from the
figure, a marked decrease in the false scram probability is achieved
by using a three-out-of-five voter or THISS-2 voter-switch, especially
the voter-switch at repair time intervals approaching 10^4 hours. An
improvement on the order of 200 is noted for the THISS-2 voter-switch
as compared to the two-out-of-four and three-out-of-five logic at
10^4 hours.
In summary, the THISS-2 voter-switch does and does not offer an
advantage in its use in an automatic safety shutdown circuit. For a
fail-to-danger failure mode no real advantage is presented for the
additional circuit complexity. For the false scram mode a marked
improvement in the false scram failure probability is obtainable.
In reality this improvement in the false scram failure probability
is not an increase in the automatic system reliability. It is,
however, an increase in the availability of the reactor, which is
highly desirable since unwarranted outages are extremely costly to a
utility. If the problem with the THISS-2 voter-switch in dealing
with its tolerance of undetected failures can be overcome, extreme
reliability of the automatic safety shutdown systems, as demanded by
the public, can be achieved along with an increase in the availability




1. Schallopp, B. Protection System Developments and Trends in the Federal Republic of Germany. Nuclear Safety, Vol. 15, No. 4, p. 409, July-August 1974.
2. Welbourne, D. Computers for Reactor Safety Systems. Nuclear Engineering International, p. 945, November 1974.
3. System 80, Preliminary Safety Analysis Report, CESSAR, Standard Nuclear Steam System Supply, Section 7, Instrumentation and Controls. Combustion Engineering Company, 1974.
4. Babcock 241, Safety Analysis Report. B-SAR-241, Standard Nuclear Steam System, Section 7, Instrumentation and Control. Babcock and Wilcox Company, 1974.
5. Thompson, D., et al. Summary of Abnormal Occurrences Reported to the Atomic Energy Commission During 1973. OOE-OS-001. USAEC Office of Operations Evaluation, May 1974.
6. Avizienis, A., et al. The STAR (Self-Testing and Repairing) Computer: An Investigation of the Theory and Practice of Fault-Tolerant Computer Design. IEEE Transactions on Computers, Vol. C-20, No. 11, p. 1312, November 1971.
7. Washington Public Power Supply System, WPPSS Nuclear Project No. 1, Preliminary Safety Analysis Report, Vol. 4, Sec. 7, October 15, 1973. DOCKET-50460-5.
8. Reactor Safety Study. An Assessment of Accident Risks in U.S.
9. Howard, R. S. A Reliability Analysis of Five Reactor Protection Systems Using a Monte Carlo Technique. M.S. Thesis, The Pennsylvania State University, June 1971.
10. Military Standardization Handbook. Reliability Prediction of Electronic Equipment. MIL-HDBK-217B. Department of Defense, September 1974.
11. ARINC Research Corp. Reliability Engineering. Prentice-Hall, New Jersey, 1964.
12. Shooman, M. L. Probabilistic Reliability: An Engineering Approach. McGraw-Hill, Inc., New York, 1968.
13. Bourne, A. J. and A. E. Green. Reliability Technology. Wiley-Interscience, New York, 1972.
14. Mazzilli, F., et al. RADC Reliability Notebook, Vol. I, Technical Report No. RADC-TR-67-108 (National Technical Information Service No. AD-845304), November 1968.
15. Bazovsky, I. Reliability Theory and Practice. Prentice-Hall, New Jersey, 1961.
16. Taylor, D. S. Reliability and Comparative Analysis of Two Standby System Configurations. IEEE Transactions on Reliability, Vol. R-22, No. 1, p. 13, April 1973.
17. Mathur, F. P. and A. Avizienis. Reliability Analysis and Architecture of a Hybrid-Redundant Digital System: Generalized Triple Modular Redundancy with Self Repair. 1970 Spring Joint Computer Conference. AFIPS Conference Proc., Vol. 36, p. 375, Montvale, New Jersey, AFIPS Press, 1970.
18. Koczella, L. J. A Three-Failure-Tolerant Computer System. IEEE Transactions on Computers, Vol. C-20, p. 1389, November 1971.
19. Ball, M., and F. Hardie. Majority Voter Design Considerations for a TMR Computer. Computer Design, p. 100, April 1969.
20. Brown, W. G., et al. Improvement of Electronic-Computer Reliability Through the Use of Redundancy. IRE Transactions on Electronic Computers, p. 407, September 1961.
21. Mathur, F. P. Reliability Modeling and Analysis of Ultrareliable Fault-Tolerant Digital Systems. IEEE Transactions on Computers, p. 1376, November 1971.
22. Dennis, N. G. Reliability Analysis of Combined Voting and Standby Redundancies. IEEE Transactions on Reliability, Vol. R-23, No. 2, p. 66, June 1974.
23. Goldberg, J. Network Schemes for Combined Fault Masking and Replacement. Working paper presented at the workshop on the organization of reliable automata, Pacific Palisades, California, February 1966. Obtainable from J. Goldberg, Stanford Research Institute, Menlo Park, California, 94025.
24. Dennis, N. G. THISS Voter-Switch Analysis. Proc. Inst. Elec. Eng. (London), Vol. 120, p. 954, September 1973.
25. Bouricius, W. G., et al. Reliability Modeling for Fault-Tolerant Computers. IEEE Trans. Comput., Vol. C-20, p. 1306, November 1971.
26. Mathur, F. P. Reliability Modeling Analysis and Prediction of Ultra-Reliable Fault-Tolerant Digital Systems. 1971 Int. Symp. Digest Fault-Tolerant Computing, p. 79, Computer Society IEEE.
27. Davidow, W. The Rationale of Logic from Semiconductor Memory.
28. Thurber, K. and R. Berg. Universal Logic Modules Implemented Using LSI Memory Techniques. 1971 Fall Joint Computer Conference. AFIPS Conference Proceedings, Vol. 39, p. 177.
29. Lowenschuss, D. Universal LSI Package for Implementing Control Logic Functions. Comp. Design, Vol. 9, p. 67, September 1970.
30. Lapidus, G. Electronic Memories I: Especially Useful as Control Components. Control Eng., Vol. 18, p. 71, October 1971.
31. Peatie, G., et al. Elements of Semiconductor-Device Reliability. Proceedings of IEEE, Vol. 62, p. 149, February 1974.
32. Balfanz, H. P. Failure Rate Compilation. USAEC Report AEC-tr-7564, W. J. Grimes and Company, December 1973.
33. Government-Industry Data Exchange Program. Summaries of Failure



Failure rate data used in this study is collected from a variety
of sources [8, 9, 13, 32, 33]. The following table lists the failure rates
found in the literature and where possible, a range of values is given
to indicate the uncertainty of the values.
Table 4
Selected Failure Rate Data
Failure Rate (failures per 10^6 hours)
Component, High, Mean, Low, Reference
(only the following entries are legible in the scan)
Line, Gate Driver
Logic (Voter) Device
Power Supply - Instrument
Signal Converter 357 53.5
Square Root Extractor 20
Switches
Fails to function 3
Shorts 1
Low power applications
Transformer
* see Appendix II

Failure Rates Used in Analysis
The purpose of this appendix is to assign a failure rate to the
various components in this study and justify the value assigned.
Observation of Appendix I indicates a wide range of values existing
for some of the components. Data in Appendix I is taken from five
sources [8, 9, 13, 32, 33]. No one source is considered more reliable than
the others, although more consideration is given to reference 8 due
to its origin. Each source is used to complement the others and point
out the uncertainty that exists today. It should be noted that
references 8, 32 and 33 obtain their data from the same basic sources
(FARADA, MIL-HDBK-217A, etc.). In some instances values for particular
components could not be located and an intuitive approach is employed
in assigning a failure rate. This approach assigns a value for an
analogous or similar component or circuit. It is further assumed
that since the Babcock and Wilcox design is at the present time a
proposal, when a plant is actually built, integrated circuits will
be used in a large number of components and thus these components
will have lower failure rates than listed in Table 4 in Appendix I.
Finally, the value for the voter/voter-switch is computed using the
procedure outlined in reference 10.
All types of amplifiers in this study are assigned the same
failure rate. The value assigned is 5 x 10^-6 failures per hour based




Bridge completion units are used to convert the signals from
the RTD's to current signals. A failure rate of 1 x 10^-6 failures
per hour is used in this study based on the premise of integrated
circuits being used.
Buffers are used to isolate certain portions of the RPS and as
such are isolation amplifiers. A value of 5 x 10^-6 failures per hour
is therefore assigned to this component.
A number of values for circuit breakers can be found in the
literature (see reference 32 for a listing). A value of 1 x 10^-6
failures per hour for premature transfer is assigned. Additionally,
a value of 1 x 10^-3 failures per demand is assigned for failures to
operate.
A value of 35 x 10^-6 failures per hour is given in reference 32
for a dP flow transmitter. Reference 8 also gives a value for instru-
mentation but also includes amplification, annunciators, transducers,
etc. in the value. It is felt for purposes of this study that to
break the system down into greater detail is more advantageous.
A wide range of failure rates for ion chambers is found to exist.
A value of 50 x 10^-6 failures per hour is arbitrarily assigned to the
ion chambers.
References 9 and 32 are in agreement on a value for a dP level
transducer. A value of 15 x 10^-6 failures per hour is assigned to
this component.
Reference 33 gives a median value of 22 x 10^-6 failures per hour
for a line driver. For purposes of this study however, it is assumed

5 x 10^-6 failures per hour is assigned. Additionally, a gate drive
is assumed to be similar to a line driver and is assigned the same
failure rate.
All types of instrument power supplies are considered to be the
same type of device and are arbitrarily assigned a value of 10 x 10^-6
failures per hour. The vital bus and rod group power supplies are
assigned a value of 0.5 x 10^-6 failures per hour.
References 9 and 32 give failure rate values for a pressure
transducer. Using these references, a value of 25 x 10^-6 failures
per hour is assigned.
Three different failure rates are assigned to relays depending
upon the failure mode. A value of 0.1 x 10^-6 failures per hour is
assigned to a normally closed (NC) contact which opens, a value of
0.3 x 10^-6 failures per hour to a normally open (NO) contact which
fails to close and a value of 0.01 x 10^-6 failures per hour for a
short across a NC/NO contact.
References 9, 13 and 32 are in close agreement on a failure rate
for an RTD. A value of 15 x 10^-6 failures per hour is assigned.
Values of 1 x 10^-6 and 3 x 10^-6 failures per hour are arbitrarily
assigned to an SCR which shorts or opens.
Based upon the data found in reference 2, a value of 20 x 10^-6
failures per hour is assigned to the signal converter.
For the purposes of this study, a square root extractor is assumed
to be similar to a differential amplifier and is accordingly assigned
a value of 5 x 10^-6 failures per hour.
Values of 1 x 10 failures per demand for a manual switch for a
failure to transfer and 0.1 x 10^-6 failures per hour for switch
contacts shorting are assigned.
All solid state devices are assumed to be similar for purposes
of assigning failure rates. The following failure rates are therefore
assigned:
High power application (circuits involving currents of
1 ampere or above and/or voltage of 28 volts and above):
Fails to function: 3 x 10^-6 failures per hour
Shorts: 1 x 10^-6 failures per hour
Low power application:
Fails to function: 1 x 10^-6 failures per hour
Shorts: 0.1 x 10^-6 failures per hour.
Considered to be solid state items in this analysis are the bistable
elements, the channel trip memory circuit, and all photo (optical) isola-
tion devices. The calculating module is also considered to be solid
state (low power) but is assumed to be five times as complex as the
previously mentioned devices, and therefore has a failure rate five
times as great.
Finally, transformers are assigned the value 1 x 10^-6 failures





A truth table approach is used to determine the logic expressions
for the modified reliability diagrams using a three-out-of-five voter
and the THISS-2 voter-switch.
The truth table associated with the fail-to-danger failure
probability is

(table not legible in the scan; final row 1 1 1 1)

where 0 = false
1 = true.
To warrant a 1 in the T column indicates that the safety system will
trip the reactor. Out of eight possible trip combinations, five will
trip the reactor. The resulting reliability expression is therefore
R_ACE = (sum of five product terms, not legible in the scan) (III-1)
A similar expression exists for the CBB, SSCR, CBE combination. Using the
relation R = 1-Q and making note of the fact that R_E = R_A, which in
turn means Q_E = Q_A,
equation (III-1) can be simplified to the failure probability form

(simplified equation not legible in the scan)

Once again, a similar expression exists for Q'_B.
An identical procedure is followed for the false scram failure

(table not legible in the scan; final row 1 1 1 1)

gives rise to the reliability expression
R_ACE = (sum of three product terms, not legible in the scan) (III-3)
Here, only three combinations out of eight will not result in a false
scram. Again using the relation R = 1-Q and R_E = R_A, equation (III-3) can
