The Electric Power Research Institute (EPRI) is conducting research in cooperation with the Nuclear Energy Institute (NEI) regarding Operating Experience of digital Instrumentation and Control (I&C) systems in US nuclear power plants. The primary objective of this work is to extract insights from US nuclear power plant Operating Experience (OE) reports that can be applied to improve Diversity and Defense in Depth (D3) evaluations and methods for protecting nuclear plants against I&C related Common Cause Failures (CCF) that could disable safety functions and thereby degrade plant safety. Between 1987 and 2007, over 500 OE events involving digital equipment in US nuclear power plants were reported through various channels. OE reports for 324 of these events were found in databases maintained by the Nuclear Regulatory Commission (NRC) and the Institute of Nuclear Power Operations (INPO). A database was prepared for capturing the characteristics of each of the 324 events in terms of when, where, how, and why the event occurred, what steps were taken to correct the deficiency that caused the event, and what defensive measures could have been employed to prevent recurrence of these events. The database also captures the plant system type, its safety classification, and whether or not the event involved a common cause failure. This work has revealed the following results and insights: - 82 of the 324 “digital” events did not actually involve a digital failure. Of these 82 non-digital events, 34 might have been prevented by making full use of digital system fault tolerance features. - 242 of the 324 events did involve failures in digital systems. The leading contributors to the 242 digital failures were hardware failure modes. Software change appears as a corrective action twice as often as it appears as an event root cause. This suggests that software features are being added to avoid recurrence of hardware failures, and that adequately designed software is a strong defensive measure against hardware failure modes, preventing them from propagating into system failures and ultimately plant events. 54 of the 242 digital failures involved a Common Cause Failure (CCF). - 13 of the 54 CCF events affected safety (1E) systems, and only 2 of those were due to Inadequate Software Design. This finding suggests that software related CCFs on 1E systems are no more prevalent than other CCF mechanisms for which adherence to various regulations and standards is considered to provide adequate protection against CCF. This research provides an extensive data set that is being used to investigate many different questions related to failure modes, causes, corrective actions, and other event attributes that can be compared and contrasted to reveal useful insights. Specific considerations in this study included comparison of 1E vs. non-1E systems, active vs. potential CCFs, and possible defensive measures to prevent these events. This paper documents the dominant attributes of the evaluated events and the associated insights that can be used to improve methods for protecting against digital I&C related CCFs, applying a test of reasonable assurance.
A Survey of Defensive Measures for Digital Persecution in the Global South