CORDEL Defence-in-Depth and Diversity: Challenges Related to I&C Architecture
April 2018
Inconsistencies in the definitions of terms, attributes, assessment methodologies, and scope associated with the concepts of ‘defence-in-depth’ and ‘diversity’ can lead to significant challenges in design, licensing and cost of nuclear power plants. The differences between these definitions were first investigated in Safety Classification for I&C Systems in Nuclear Power Plants: Comparison of Definitions of Key Concepts and are expanded upon in this report.
The concept of ‘diversity’ in particular has changed as concern over common cause failure (CCF) in digital instrumentation and control (I&C) systems has become more prevalent. This has in turn affected the development of I&C design for the main line of defence (e.g. protection system).
Previously, redundancy and separation of structures and components – such as the use of identical equipment in four-fold and three-fold redundant safety divisions – were an acceptable approach to demonstrating diversity. However, as a result of conservative assumptions associated with digital I&C concerns, digital CCF has come to replace redundancy as the main driver for designing diverse digital protection systems.
This report is organized as follows:
- A review of the terms and definitions associated with defence-in-depth and diversity used by different organizations.
- Outline of the challenges in defining ‘defence-in-depth’ and ‘diversity’.
- Analysis of the challenges related to the application of defence-in-depth and diversity, for example during the upgrading of existing nuclear plants or the implementation of regulatory guidance.
- Recommendations of potential solutions.
Its main recommendations are:
- To avoid conflating the terms ‘defence in depth’ and ‘diversity’ into a single term ‘defence-in-depth and diversity’ and to also abandon the use of the abbreviation ‘D3’. Both ‘defence-in-depth’ and ‘diversity’ should be considered as separate, though related, concepts.
- To discontinue using the term ‘echelons of defence’, which may cause confusion, and to instead refer to ‘levels of defence’, which is used by the International Atomic Energy Agency (IAEA).
- To continue working towards quantifying the attributes relating to ‘defence-in-depth’ and ‘diversity’ so that analysis completion criteria can be identified and agreed to.