IEC 62340: Coping with Common Cause Failure in Nuclear I&C Systems

Requirements for nuclear power plant instrumentation and control systems to defend against common cause failure (CCF).

IEC 62340 provides requirements for nuclear power plant instrumentation and control (I&C) systems important to safety to cope with Common Cause Failure (CCF). As nuclear safety depends on redundant I&C architectures, CCF represents a critical vulnerability that can simultaneously disable multiple redundant channels. This standard establishes the design principles, architectural requirements, and verification measures to reduce the likelihood of CCF to an acceptably low level.

CCF is the single most significant threat to redundant safety systems. A latent design fault incorporated in all redundant channels can defeat redundancy entirely, making defence against CCF a fundamental safety imperative for nuclear I&C.

Understanding Common Cause Failure in Nuclear I&C

A Common Cause Failure is defined as the failure of two or more structures, systems, or components due to a single specific event or cause. For I&C systems performing category A functions (the highest safety classification per IEC 61226), the standard requires systematic defences against CCF. The key insight is that redundant channels designed identically share identical vulnerabilities. A latent fault—whether from specification errors, design flaws, manufacturing defects, or maintenance mistakes—can remain undetected until triggered by a specific signal trajectory or environmental condition.

CCF Mechanism | Description | Primary Defence
Specification faults | Errors in requirements propagating through all channels | Functional validation, diversity
Environmental stress | Seismic, EMI, or temperature extremes exceeding limits | Physical separation, derating, qualification
Design faults | Systematic hardware/software design errors | Diverse design, independent verification
Maintenance errors | Faults during calibration, repair, or modification | Strict procedures, independent inspection
Failure propagation | Corrupted data spreading between channels | Communication isolation, fibre optics

Architectural Strategy: Defence-in-Depth and Diversity

The standard mandates an I&C architecture comprising at least two independent systems performing category A functions. This is not merely redundancy—it requires diversity. Diversity means achieving the same safety objective through different means: different technologies (e.g., hard-wired analogue vs. digital), different algorithms (e.g., pressure-based trip vs. temperature-based trip), or different design teams and toolchains.

Functional diversity is specifically emphasised: for example, having trip activation on both pressure and temperature limits, so that a single instrumentation fault cannot defeat both protection channels. The independent I&C systems must possess three characteristics: (a) one system’s performance is unaffected by the other’s operation or failure; (b) systems are unaffected by the effects of postulated initiating events; and (c) adequate robustness against common external influences (earthquake, EMI) is assured by design.

The defence-in-depth approach means that even if one I&C system suffers a CCF, a diverse backup system with different design, technology, and operational principles can still perform the required safety function. This layered defence is the cornerstone of nuclear safety I&C architecture.
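The following simulation is an added illustration of the redundancy-versus-diversity point above (and of the FAQ answer on the same question); it is not code from the standard or from any plant vendor. The set-points, the 0.25 kPa scaling, the 16-bit register and the resulting latent fault are all constructed for the example.

```python
"""Constructed simulation: identical redundancy fails under a CCF, while a
functionally diverse second system still trips. Values are illustrative."""
from dataclasses import dataclass

PRESSURE_TRIP_KPA = 16200.0   # constructed set-point, pressure-based trip
TEMP_TRIP_C = 340.0           # constructed set-point, temperature-based trip
COUNTS_PER_KPA = 4            # hypothetical scaling: 0.25 kPa per raw count
REGISTER_MODULUS = 1 << 16    # scaled reading is held in a 16-bit register

@dataclass(frozen=True)
class Sample:
    pressure_kpa: float
    temp_c: float

def pressure_channel(s: Sample) -> bool:
    """Hypothetical digital pressure channel with a latent design fault: the
    scaled reading wraps above 16383.75 kPa. The fault is invisible at normal
    pressure and even at a mild overpressure; only the severe transient the
    trip exists for triggers it (a specific signal trajectory, as in the text)."""
    raw = int(round(s.pressure_kpa * COUNTS_PER_KPA)) % REGISTER_MODULUS
    return raw / COUNTS_PER_KPA > PRESSURE_TRIP_KPA

def temperature_channel(s: Sample) -> bool:
    """Functionally diverse channel: different parameter and algorithm, so it
    cannot share the pressure channel's latent fault."""
    return s.temp_c > TEMP_TRIP_C

def vote_2oo4(votes: list) -> bool:
    """Two-out-of-four voting as used in a redundant protection system."""
    if len(votes) != 4:
        raise ValueError("2oo4 logic needs exactly four channel votes")
    return sum(votes) >= 2

def redundant_only(s: Sample) -> bool:
    """Four redundant channels of identical design: all carry the same fault."""
    return vote_2oo4([pressure_channel(s) for _ in range(4)])

def diverse_architecture(s: Sample) -> bool:
    """Two independent systems for the category A trip function: the redundant
    pressure system plus a diverse temperature-based system. Either may
    actuate the trip, so a CCF in one system does not defeat the function."""
    return redundant_only(s) or vote_2oo4([temperature_channel(s) for _ in range(4)])

if __name__ == "__main__":
    for name, s in [("normal", Sample(15500.0, 310.0)),
                    ("mild overpressure", Sample(16300.0, 330.0)),
                    ("severe transient", Sample(17000.0, 345.0))]:
        print(f"{name:18s} redundant-only={redundant_only(s)}  diverse={diverse_architecture(s)}")
```

On the severe transient all four identical channels mis-read the pressure at the same instant, so 2oo4 voting cannot help; the diverse temperature system is what actually trips the plant.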

Design Measures for Independence and Fault Tolerance

IEC 62340 prescribes detailed design measures to prevent coincidental failure of I&C systems. These include electrical isolation between redundant channels, physical separation to prevent propagation of effects (fire, flooding, missile impact), communication independence to prevent corrupted data from propagating between systems, and fail-safe design principles so that systems respond to specified faults in a predefined safe manner.

For digital I&C systems specifically, the standard addresses the risk of latent software faults. All computer-based systems performing category A functions must incorporate fault tolerance mechanisms, including self-diagnostic features, diversity in software implementation, and defence against failure propagation via communication links. The standard also requires that I&C systems be designed to tolerate postulated latent software faults without causing system failure.
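As an added example of the communication-independence and fail-safe measures described above (not code from the standard or any I&C vendor), the hypothetical channel below bases its trip decision solely on its own sensor, treats an implausible reading as a demand for the safe state, and validates every frame from the other system before letting it affect anything, and then only an alarm flag. The frame layout, CRC choice and sensor range are constructed assumptions.

```python
"""Constructed example: a receiving I&C channel whose safety function cannot be
corrupted by data arriving over a link from another system."""
import struct
import zlib
from typing import Optional, Tuple

FRAME_LEN = 10  # 16-bit sequence number, 32-bit float, 32-bit CRC (assumed layout)

def encode_frame(seq: int, value_kpa: float) -> bytes:
    """Build a status frame as the sending system would (hypothetical format)."""
    payload = struct.pack(">Hf", seq, value_kpa)
    return payload + struct.pack(">I", zlib.crc32(payload))

def decode_frame(frame: Optional[bytes], expected_seq: int) -> Tuple[bool, Optional[int], Optional[float]]:
    """Return (ok, seq, value). Any length, integrity or sequence failure gives
    ok=False, and the caller must never use the value in that case."""
    if frame is None or len(frame) != FRAME_LEN:
        return False, None, None
    payload, crc = frame[:6], struct.unpack(">I", frame[6:])[0]
    if zlib.crc32(payload) != crc:
        return False, None, None
    seq, value = struct.unpack(">Hf", payload)
    if seq != expected_seq:          # stale, replayed or missing frame
        return False, seq, None
    return True, seq, value

class IsolatedChannel:
    """Trip channel of system B. The link from system A is information only:
    whatever arrives, or fails to arrive, can only raise an alarm flag."""
    def __init__(self, trip_kpa: float = 16200.0, sensor_range=(0.0, 20000.0)):
        self.trip_kpa = trip_kpa            # constructed set-point
        self.sensor_range = sensor_range    # constructed plausibility limits
        self.expected_seq = 0
        self.link_alarm = False

    def evaluate(self, local_kpa: float, link_frame: Optional[bytes]) -> bool:
        lo, hi = self.sensor_range
        if lo <= local_kpa <= hi:            # self-diagnostic on the local sensor
            trip = local_kpa > self.trip_kpa
        else:                                # implausible reading: predefined safe response
            trip = True
        ok, seq, _ = decode_frame(link_frame, self.expected_seq)
        if ok:
            self.expected_seq = (seq + 1) % 65536
        self.link_alarm = not ok             # the only effect the link can have
        return trip
```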

Demonstrating that any individual I&C system is completely fault-free is not possible. Therefore, the standard’s strategy is to accept that latent faults may exist and focus on preventing their coincidental activation across redundant channels through diversity and independence.

Requirements for Maintenance and Lifecycle Management

The standard recognises that maintenance activities are a significant source of CCF risk. Requirements include: avoidance of failure propagation via maintenance activities, assurance of physical separation during maintenance, verification of compatibility between replaced and existing system components, and the maintenance of independence during system modifications. Special attention is given to the risk of introducing latent faults during set-point changes, spare-part upgrades, or software version updates.

For existing plants undergoing I&C modernisation, the standard acknowledges that only a subset of requirements may be applicable. Any requirements not implemented must be justified on a case-by-case basis through an overall safety assessment, comparing the consequences of not following the standard against the safety benefits of the upgrade as a whole.

Frequently Asked Questions

Q: How does IEC 62340 relate to IEC 61513?
A: IEC 62340 is a second-level document in the SC 45A standards series, supplementing IEC 61513 with specific requirements for CCF. IEC 61513 provides the general requirements for I&C systems important to safety.
Q: What is the difference between redundancy and diversity?
A: Redundancy uses identical channels for reliability; diversity uses different approaches (technology, algorithm, design team) to achieve the same safety function. Diversity is specifically intended as a defence against CCF, since diverse systems are unlikely to share the same latent faults.
Q: Does the standard apply to existing nuclear power plants?
A: Yes, but with flexibility. For existing plants, a subset of requirements may be applicable, and deviations should be justified by a plant-specific safety assessment.
Q: What role does software play in CCF defence?
A: Software is a major concern because all software faults are design faults (software does not wear out). Latent software faults may exist in all redundant channels identically, making diversity in software design and implementation critical for CCF defence.
