Use of Diversity in Experimental Reactor Safety Systems

  • Udo Voges
Part of the Dependable Computing and Fault-Tolerant Systems book series (DEPENDABLECOMP, volume 2)


This paper describes two projects which were conducted at the Kernforschungszentrum Karlsruhe. The first was “BPI”, a pilot implementation of parts of a reactor safety shut down system. In this experiment the problem was specified in natural language (German) with heavy use of mathematical notations. Based on this specification three teams prepared in parallel three implementations in three different languages.

The results of this experiment show that not only the errors made by the different teams were different, but also that the error detection capabilities were increased through the use of different teams. Therefore the overall reliability was higher than in a development environment without use of diversity.

The second project consisted of the design of the reactor safety shut down system “MIRA”. Analogue to the triple modular redundant hardware structure of the system, three diverse versions of the application software should be installed. The design of the system as well as the reasons leading to the incorporation of software diversity are presented. It is anticipated that not only errors in those parts which are realized diversely can be tolerated to some extent, but also errors in those parts which are identical in the redundant system.


Fuel Element Fast Breeder Reactor Fault Tree Analysis Software Requirement Specification Reactor Safety 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. [Avižienis 1977]
    A. Avižienis and L. Chen: On the Implementation of N-Version Programming for Software Fault-Tolerance during Program Execution. Proceedings COMP- SAC ’77,1977, pp. 149–155.Google Scholar
  2. [Avižienis 1984]
    A. Avižienis and J.P.J. Kelly: Fault Tolerance by Design Diversity: Concepts and Experiments. IEEE Computer Vol. 17 (August 1984) 8, pp. 67–80.CrossRefGoogle Scholar
  3. [Bishop 1987]
    P.G. Bishop: The PODS Diversity Experiment, this book.Google Scholar
  4. [Boehm 1974]
    B.W. Boehm: Some Steps toward Formal and Automated Aids to Software Requirements Analysis and Design. 2nd IFIP Congress, Stockholm, 1974.Google Scholar
  5. [Eckert 1981]
    K. Eckert and J. Ludewig: ESPRESO-W - Ein Werkzeug für die Spezifikation von Prozeßrechner-Software. In: G. Goos (Ed.) Werkzeuge der Programmiertechnik, Berlin, Springer-Verlag Berlin-Heidelberg-New York 1981, pp. 101–112.CrossRefGoogle Scholar
  6. [Elies 1984]
    V. Elies: A Protocol System as an Extension of the MIRA Reactor Protection System. IAEA-Meeting Saclay, F, 1984.Google Scholar
  7. [EWICS 1981]
    EWICS: Development of Safety Related Software. EWICS TC7 Position Paper No. 268,1981.Google Scholar
  8. [Geiger 1979]
    W. Geiger, L. Gmeiner, H. Trauboth and U. Voges: Program Testing Techniques For Nuclear Reactor Protection Systems. IEEE Computer 12 (August 1979) 8, pp. 10–18.CrossRefGoogle Scholar
  9. [Gmeiner 1978]
    L. Gmeiner: Projektbegleitende Fehleraufzeichnung und -auswertung während der BESS Y-Pilotimplementierung (unpublished 1978).Google Scholar
  10. [Gmeiner 1980]
    L. Gmeiner and U. Voges: Software Diversity in Reactor Protection Systems: An Experiment. Proc. IFAC Workshop SAFECOMP’79, Oxford, Pergamon Press 1980, pp. 75–79.Google Scholar
  11. [IEEE 1984]
    IEEE: Standard for Software Quality Assurance Plans, IEEE Std 730, 1984.Google Scholar
  12. [IFTRAN 1976]
    Structured Programming Preprocessors for FORTRAN. General Research Corporation, Santa Barbara, 1976.Google Scholar
  13. [Jüngst 1976]
    U. Jüngst: Design Features of the Fuel Element Computerized Protection System. IAEA/NPPCI Specialists’ Meeting, München, 1976.Google Scholar
  14. [PHI2]
    PHI2-Programmierhilfe-Makros für strukturierte Programmierung. SIEMENS Programmbeschreibung P71100-J1015-X-X-35.Google Scholar
  15. [RXVP 1985]
    RXVP 80. The Verification and Validation System for FORTRAN. User’s Manual. General Research Corporation, Santa Barbara, 1985.Google Scholar
  16. [Schriefer 1983]
    D. Schriefer, U. Voges and G. Weber: Design and Construction of a Reliable Microcomputer-Based LMFBR Protection System. In: Proceedings of Internat. Workshop on Nuclear Power Plant Control and Instrumentation, IAEA-SM 265, 1983, pp. 355–366.Google Scholar
  17. [Voges 1975]
    U. Voges and W. Ehrenberger: Vorschläge zu Programmierrichtlinien für ein Reaktorschutzsystem. KfK-Ext. 13/75–2, Kernforschungszentrum Karlsruhe, 1975.Google Scholar
  18. [Voges 1980]
    U. Voges, L. Gmeiner and A. von Mayrhauser: SAD AT - An Automated Testing Tool. IEEE Trans. Softw. Eng. SE-6 (May 1980) 3, pp. 286–290.CrossRefGoogle Scholar
  19. [Voges 1982]
    U. Voges, F. Fetsch and L. Gmeiner: Use of Microprocessors in a Safety-Oriented Reactor Shut-Down System. EUROCON ’82, Lyngby, DK, 14–18 June 1982. E. Lauger, J. Moeltoft (Eds.), Reliability in Electrical and Electronic Components and Systems. Amsterdam: North Holland Publ. Co. 1982, pp. 493–497.Google Scholar
  20. [Voges 1983]
    U. Voges and J. R. Taylor: Systematic Software Testing, In: Proceedings of EWICS, Schriftenreihe der Österreichischen Computer-Gesellschaft 21 (1983), pp. 165–183.Google Scholar
  21. [Voges 1985]
    U. Voges: Application of a Fault-Tolerant Microprocessor-Based Core Surveillance System in a German Fast Breeder Reactor. EPRI-Seminar: Power Plant Digital Control and Fault-Tolerant Microcomputers, Scottsdale, AZ, USA, 9–12 April 1985.Google Scholar

Copyright information

© Springer-Verlag/Wien 1988

Authors and Affiliations

  • Udo Voges
    • 1
  1. 1.Kernforschungszentrum Karlsruhe GmbH Institut für Datenverarbeitung in der TechnikKarlsruheDeutschland

Personalised recommendations