Failure Mode Recovery. The system should be designed so that it is capable of completely recovering from plant power loss without manual intervention. System software necessary for computer reboot and operation should be stored in nonvolatile memory.
Operator Workstations. Operator workstations should have access to the communications bus so that if one goes out of service, another can assume the functions of the disabled unit. In general, response time from the completion of a user inquiry to the completion of the resulting display should be 2 seconds. The availability of an easy-to-use graphical interface makes plant operation safer and more economical. Graphics displays should be user-configurable. Designers should consider using high-resolution workstations, the ability of the workstations to be scaled, and color vector graphics that are configured with a computer-aided design (CAD)-type drawing package.
System Diagnostics. Consideration should be given to providing self-diagnostics on all circuits (to the smallest replaceable plug-in module or component) and reporting failures to the operator workstations to indicate the source of the failure.
Real Time Database. The database should be hierarchical in structure to match the controller database. Capability to exchange data with standard third-party applications should be provided.
Data Historian. For trending purposes, the designer should consider use of a data historian capable of recording both process and system events and off-loading the records to permanent storage or other computer systems. Data compression algorithms may be used to minimize long-term storage.
4.2.10 Acceptance Tests. Various system hardware and software acceptance tests should be performed and documented both at the vendor's shop and at the site