
Embedded Safety-Critical Systems in Nuclear Power Plants

Brief Comparison of IEC 61508 and the Design of Systems Important to Safety

Budapest University of Technology and Economics
Department of Measurement and Information Systems

Nuclear Power Generation


Introduction to Nuclear Energy and Nuclear Power Plants

Nuclear Power: Is it even necessary?

Fossil fuel power plants
o burn carbon fuels such as coal, oil or gas to generate steam driving large
turbines that produce electricity
o non-renewable fuel: oil depletes soon, gas next, coal later
o they produce large amounts of carbon dioxide, which causes climate change
o they increase background radiation

Large hydro power plants
o water from the dams flows through turbines to generate electricity
o no greenhouse gas emissions
o impact on the ecology around the dam
o the number of sites suitable for new dams is limited

Other renewables
o wind, solar and small scale hydro produce electricity with no greenhouse gas
emissions
o higher cost than other forms of generation, often requiring subsidies
o they do not produce electricity predictably or consistently
o they have to be backed up by other forms of electricity generation

The Two Types of Nuclear Energy Production

[Figure: energy yield from nuclear fission and energy yield from nuclear fusion]

Comparison of Fission and Fusion

| | Fission | Fusion |
|---|---|---|
| Mechanism | splitting of a large atom into two or more smaller ones | fusing of two or more lighter atoms into a larger one |
| Conditions | criticality (prompt subcriticality), moderator, and coolant | high density, high temperature (plasma), precise control |
| Energy produced | much greater than conventional | 3 or 4 times greater than fission |
| Byproducts | highly radioactive isotopes, long decay time, large residual heat | some helium and tritium (short half-life, very low decay energy) |
| Nuclear waste | byproducts, structural materials | structural materials (lower half-life) |
| Fuel | 235U (0.72%), 232Th, possibly 238U | 2H (deuterium) and 3H (tritium) |
| Advantages | no greenhouse emissions, economical, highly concentrated fuel, intrinsically safe | no greenhouse emissions, very low amount of waste, abundant fuel, intrinsically safe, low risk |
| Disadvantages | high risk, radioactive waste | commercial application is far away |

Controllability of Nuclear Fission

The effective neutron multiplication factor (k) is the average number of
neutrons from one fission that go on to cause another fission
o k < 1 (subcriticality): the system cannot sustain a chain reaction
o k = 1 (criticality): every fission causes an average of one more fission,
leading to a constant fission (and power) level
o k > 1 (supercriticality): the number of fission reactions increases
exponentially

Delayed neutrons are created by the radioactive decay of some of the fission
fragments
o The fraction of delayed neutrons is called β
o Typically less than 1% of all the neutrons in the chain reaction are delayed

1 ≤ k < 1/(1-β) is the delayed criticality region, where all nuclear power
reactors operate

Inherent Safety of Nuclear Power Plants

Reactivity (ρ) is an expression of the departure from criticality:
ρ = (k - 1)/k
o when the reactor is critical, ρ = 0
o when the reactor is subcritical, ρ < 0

The temperature coefficient (of reactivity) is a measure of the change in
reactivity (resulting in a change in power) caused by a change in temperature
of the reactor components or the reactor coolant
The void coefficient (of reactivity) is a measure of the change in reactivity
as voids (typically steam bubbles) form in the reactor moderator or coolant
Most existing nuclear reactors have negative temperature and void coefficients
in all states of operation
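The criticality regimes of the previous slide (k, the delayed-neutron fraction β and the bound 1/(1-β)), the reactivity ρ = (k-1)/k and the effect of a negative temperature coefficient, worked through as an added C example. This is not code from the lecture: the linear feedback model, the heat and cooling constants and the numeric values chosen for k, β and the coefficient α_T are constructed assumptions used only to make the self-limiting behaviour visible.

```c
#include <stdio.h>

/* Added example (not from the lecture): criticality regimes from k and beta,
   reactivity rho = (k-1)/k, and a toy negative-temperature-coefficient feedback
   loop. Every numeric constant below is a constructed assumption. */

typedef enum {
    SUBCRITICAL,          /* k < 1: the chain reaction dies out */
    DELAYED_CRITICAL,     /* 1 <= k < 1/(1-beta): controllable, delayed neutrons needed */
    PROMPT_SUPERCRITICAL  /* k >= 1/(1-beta): prompt neutrons alone sustain growth */
} regime_t;

/* Reactivity as defined on the slide: rho = (k - 1) / k. */
double reactivity(double k) { return (k - 1.0) / k; }

/* Inverse of that definition: k = 1 / (1 - rho). */
double k_from_reactivity(double rho) { return 1.0 / (1.0 - rho); }

/* Upper bound of the delayed criticality region, 1/(1-beta). */
double prompt_critical_k(double beta) { return 1.0 / (1.0 - beta); }

regime_t regime(double k, double beta) {
    if (k < 1.0) return SUBCRITICAL;
    if (k < prompt_critical_k(beta)) return DELAYED_CRITICAL;
    return PROMPT_SUPERCRITICAL;
}

/* Assumed linear feedback model: reactivity shifts by alpha_t per kelvin of
   core temperature rise; alpha_t < 0 is the negative temperature coefficient. */
double reactivity_with_feedback(double rho0, double alpha_t, double dT) {
    return rho0 + alpha_t * dT;
}

/* Toy generation-by-generation excursion. The neutron population is multiplied
   by k each generation; the core temperature rise grows by heat * population
   and relaxes back at rate cool (constructed units). Returns the population
   after n generations. With alpha_t < 0 the excursion self-limits where the
   feedback drives rho back to zero; with alpha_t = 0 it grows geometrically. */
double simulate_excursion(double k0, double alpha_t, double heat, double cool, int n) {
    double rho0 = reactivity(k0);
    double population = 1.0;
    double dT = 0.0;
    for (int g = 0; g < n; g++) {
        double rho = reactivity_with_feedback(rho0, alpha_t, dT);
        population *= k_from_reactivity(rho);
        dT += heat * population - cool * dT;
    }
    return population;
}

/* Equilibrium the model settles to: rho = 0 when dT = -rho0/alpha_t, and dT
   is stationary when population = cool * dT / heat. */
double equilibrium_population(double k0, double alpha_t, double heat, double cool) {
    double dT_eq = -reactivity(k0) / alpha_t;
    return cool * dT_eq / heat;
}

int main(void) {
    const double beta = 0.0065;   /* constructed: delayed fraction below 1%, as the slide states */
    double ks[] = { 0.99, 1.001, 1.005, 1.01 };
    for (int i = 0; i < 4; i++) {
        printf("k = %.3f  rho = %+.5f  regime = %d\n",
               ks[i], reactivity(ks[i]), (int)regime(ks[i], beta));
    }
    printf("prompt critical at k = %.5f\n", prompt_critical_k(beta));
    printf("no feedback, 1000 generations: %.3f\n",
           simulate_excursion(1.001, 0.0, 1e-3, 1e-2, 1000));
    printf("negative coefficient, 100000 generations: %.3f (equilibrium %.3f)\n",
           simulate_excursion(1.001, -1e-5, 1e-3, 1e-2, 100000),
           equilibrium_population(1.001, -1e-5, 1e-3, 1e-2));
    return 0;
}
```

With α_T = 0 the population after 1000 generations is simply 1.001^1000 ≈ 2.717; with α_T < 0 the same initial reactivity is cancelled by the temperature rise and the population settles near the equilibrium of roughly 999 instead of growing without bound, which is the inherent-safety argument of the slide in miniature.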

(A Few) Types of Nuclear Reactors

[Figure: classification tree of nuclear reactor types. Labels: Nuclear
Reactors; Thermal Reactors (Graphite-moderated reactors, Water-cooled reactors,
RBMK; Heavy-water reactors, CANDU; Water-moderated reactors, Light-water
reactors: BWR, PWR; Light-element-moderated reactors); Fast Neutron Reactors;
Gas-cooled reactors; Generation IV reactors]

Nuclear Reactor History and Generations

Generation II: class of commercial reactors built up to the end of the 1990s
Generation III: development of Gen. II designs, improved fuel technology, superior
thermal efficiency, passive safety systems, and standardized design
Generation IV: nuclear reactor designs currently being researched, not expected to
be available for commercial construction before 2030

Gen. II Water Moderated Reactor Types

Pressurized Water Reactor (PWR)
Cooled and moderated by high-pressure liquid water, primary and secondary loops
Boiling Water Reactor (BWR)
Higher thermal efficiency, simpler design (single loop), potentially more
stable and safe (?)
Pressurized Heavy Water Reactor (PHWR)
Heavy-water-cooled and -moderated pressurized-water reactors, fuel in tubes,
efficient but expensive
High Power Channel Reactor (RBMK)
Water cooled with a graphite moderator, fuel in tubes, cheap, large and
powerful reactor but unstable

Common Light Water Moderated Reactors

[Figure: schematics of a Boiling Water Reactor (BWR) and a Pressurized Water
Reactor (PWR)]

Overview of a PWR nuclear power plant

[Figure: PWR plant schematic with labels: reactor vessel, control rods,
pressurizer, steam generator, primary circuit, secondary circuit]

Risk of Nuclear Installations


Using the Terms of the Functional Safety Concept

Functional Safety Concept: Risk

Risk-based approach for determining the target failure measure
o Risk is a measure of the probability and consequence of a specified
hazardous event occurring
o There is no such thing as zero risk

A safety-related system both
o implements the required safety functions necessary to achieve a safe state
for the EUC (equipment under control) or to maintain a safe state for the EUC,
and
o is intended to achieve the necessary safety integrity for the required
safety functions

Consequence: Effects of Ionizing Radiation

[Figure: effect versus dose. Stochastic effect: risk rises linearly with dose
with no threshold, slope m = 5×10^-2 /Sv. Deterministic effect: no effect below
a threshold dose, rising to 100% above it.]

Natural radiation
o Internal radiation: 40K
o External radiation

Artificial radiation
o Medical diagnosis and treatment
o Industrial radiation sources
o Nuclear tests
o Nuclear waste

Background radiation
o TENORM: artificially increased background radiation

The Risk Assessment Framework

The three main stages of Risk Assessment are:
1. Establish the tolerable risk criteria with respect to the frequency (or
probability) of the hazardous event and its specific consequences
2. Assess the risks associated with the equipment under control
3. Determine the necessary risk reduction needed to meet the risk acceptance
criteria; this will determine the Safety Integrity Level of the safety-related
systems and external risk reduction facilities

Example Risk Bands for Tolerability of Hazards

[Figure: risk matrix of frequency (per year: Remote 10^-4, Unlikely 10^-3,
Possible 10^-2, Probable 10^-1) against severity of consequence (Significant,
Major, Catastrophic), divided into Zone 1: Unacceptable Risk Region, Zone 2:
Transitional Risk Region, Zone 3: Tolerable Risk Region]
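The three stages of the risk assessment framework carried through for one hazardous event, as an added C example that is not part of the lecture: stage 1 sets a tolerable frequency per consequence severity, stage 2 supplies the assessed unmitigated frequency, stage 3 derives the required risk reduction factor and the Safety Integrity Level it implies. The severities and frequency decades follow the risk band figure; the tolerable-frequency values, the one-decade width assumed for the transitional zone and the sample events are constructed assumptions. The SIL bands are the IEC 61508-1 low-demand PFDavg bands.

```c
#include <stdio.h>

/* Added example (not from the lecture): the three-stage risk assessment
   framework applied to one hazardous event. Tolerable frequencies and the
   transitional band width are constructed assumptions; the SIL bands are the
   IEC 61508-1 low-demand-mode PFDavg bands. */

typedef enum { SIGNIFICANT = 0, MAJOR = 1, CATASTROPHIC = 2 } severity_t;
/* zone numbers as in the risk band figure */
typedef enum { UNACCEPTABLE = 1, TRANSITIONAL = 2, TOLERABLE = 3 } zone_t;

/* Stage 1 (assumed): tolerable frequency of the hazardous event per year,
   one value per consequence severity. */
static const double TOLERABLE_FREQ_PER_YEAR[3] = { 1e-2, 1e-3, 1e-4 };

/* Assumed: the transitional region spans one decade above the tolerable
   frequency; anything above that is unacceptable. */
static const double TRANSITIONAL_BAND = 10.0;

zone_t risk_zone(double freq_per_year, severity_t sev) {
    double tol = TOLERABLE_FREQ_PER_YEAR[sev];
    if (freq_per_year <= tol) return TOLERABLE;
    if (freq_per_year <= tol * TRANSITIONAL_BAND) return TRANSITIONAL;
    return UNACCEPTABLE;
}

/* Stage 3: required risk reduction factor = unmitigated frequency / tolerable
   frequency (1.0 when no reduction is needed). */
double required_rrf(double unmitigated_freq_per_year, severity_t sev) {
    double tol = TOLERABLE_FREQ_PER_YEAR[sev];
    return unmitigated_freq_per_year <= tol ? 1.0 : unmitigated_freq_per_year / tol;
}

/* Target average probability of failure on demand for the safety function. */
double target_pfd(double rrf) { return 1.0 / rrf; }

/* SIL from PFDavg (IEC 61508-1, low demand mode):
   SIL 1: 1e-2 <= PFD < 1e-1, SIL 2: 1e-3 <= PFD < 1e-2,
   SIL 3: 1e-4 <= PFD < 1e-3, SIL 4: 1e-5 <= PFD < 1e-4.
   Returns 0 when the required reduction is below the SIL 1 range and -1 when
   it exceeds what a single SIL 4 function may claim. */
int sil_for_pfd(double pfd) {
    if (pfd >= 1e-1) return 0;
    if (pfd >= 1e-2) return 1;
    if (pfd >= 1e-3) return 2;
    if (pfd >= 1e-4) return 3;
    if (pfd >= 1e-5) return 4;
    return -1;
}

int required_sil(double unmitigated_freq_per_year, severity_t sev) {
    return sil_for_pfd(target_pfd(required_rrf(unmitigated_freq_per_year, sev)));
}

int main(void) {
    /* constructed sample events: name, assessed unmitigated frequency, severity */
    struct { const char *name; double freq; severity_t sev; } events[] = {
        { "minor coolant leak",                  5e-3, SIGNIFICANT },
        { "minor leak, poorly maintained plant", 5e-2, SIGNIFICANT },
        { "loss of feedwater, cladding damage",  2e-1, MAJOR },
        { "large break LOCA, core damage",       5e-1, CATASTROPHIC },
        { "frequent demand, catastrophic",       30.0, CATASTROPHIC },
    };
    for (int i = 0; i < 5; i++) {
        printf("%-36s zone %d  RRF %9.1f  SIL %d\n", events[i].name,
               (int)risk_zone(events[i].freq, events[i].sev),
               required_rrf(events[i].freq, events[i].sev),
               required_sil(events[i].freq, events[i].sev));
    }
    return 0;
}
```

The last sample event shows the caveat a practitioner watches for: when the required reduction exceeds the SIL 4 band, one safety function cannot claim it and the design must add independent layers or reduce the initiating frequency, which is exactly the move from a single safety-related system to the defence-in-depth layering discussed later in the deck.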

Tolerable Risk of Nuclear Installations

[Figure: severity of consequence against probability of occurrence (in
decreasing order, 10^0 down to 10^-4): Normal Operation, Anticipated
Operational Occurrences, Design Basis Accidents, Beyond Design Basis
Accidents, Severe Accidents]

Operational States and Transients of NPPs

Normal Operational State
o most probable, most frequent state

Operational Transients, a.k.a. Anticipated Operational Occurrences (AOO)
o highly probable operational occurrences, having a minor effect
o good chance of multiple AOOs during the operational lifetime

Design Basis Accidents
o improbable accidents; these are included in the Design Basis

Beyond Design Basis Accidents / Severe Accidents
o extremely improbable accidents
o the Design Basis of most existing units does not include BDBAs
o this is changing: many former BDBAs became DBAs in the case of Generation III
and Generation IV nuclear units

Classification of Events & Operating Conditions


Definition of Safety

Central concepts: Hazard, Harm, Risk, Safety, Functional safety
Risk: combination of the probability of occurrence of harm and the severity
of that harm
Tolerable risk: risk which is accepted in a given context (based on the values
of society)
Residual risk: risk remaining after protective measures have been taken

[Figure: relationship between the concepts Hazard, Harm, Risk, Safety and
Functional safety]

Postulated Initiating Events

A postulated initiating event (PIE) is an identified event that leads to an
anticipated operational occurrence (AOO) or accident condition and its
consequential failure effects.
o All safety analysis, deterministic or probabilistic, begins with the
definition of a set of PIEs

PIEs may be defined from various sources:
o Formal analytical techniques, such as Failure modes and effects analysis
(FMEA), or Hazards and operability analysis (HAZOP)
o PIE lists developed for other, similar plants
o Operating experience with other plants
o Engineering judgement

Classification of PIEs

According to origin:
Internal events
o are those PIEs that arise due to failures of systems, structures, or
components within the plant, or due to internal human error, and
o provide a challenge to internal safety systems.

External events
o are those PIEs that arise from conditions external to the plant, such as
natural phenomena or off-site human-caused events, and
o provide a challenge to safety equipment and/or to plant integrity.

The Design Basis

The design basis specifies the necessary capabilities of the plant to cope
with a specified range of operational states and design basis accidents within
the defined radiological protection requirements
The design basis includes
o the specification for normal operation,
o plant states created by the PIEs,
o the safety classification,
o important assumptions, and
o in some cases, the particular methods of analysis.

Identification of Internal Initiating Events

Proper operation depends on maintaining the correct balance between
o power production in the core
o transport of energy in the reactor cooling system (RCS)
o removal of energy from the RCS, and
o production of electrical energy

Thus, PIE categories may include:
o change in heat removal from the RCS
o change in coolant flow rate
o change in reactor coolant inventory, including pipe breaks
o reactivity and power distribution anomalies
o release of radioactive material from a component or system

Identification of Internal Initiating Events

Consider failures (including partial failures or malfunctions) of safety
systems and components, as well as non-safety systems and components that
impact a safety function
Consider consequences of human error:
o Faulty maintenance
o Incorrect settings or calibrations
o Incorrect operator actions

Include fires, explosions and floods which could cause failure of safety
equipment
Some events from outside the plant may be analyzed as internal events because
of the nature of their impact
o Loss of off-site power
o Loss of component cooling water

Identification of External Initiating Events


External events can lead to an internal initiating event
and failure of safety systems that provide protection.
Naturally occurring events:
o Earthquakes
o Fires
o Floods and other high water events
o Volcanic eruptions
o Extremes of temperature, rainfall, snowfall, wind velocity

Human-caused events:
o Aircraft crashes
o External fires, explosions, and hazardous material releases

Nuclear Accidents
The Three Most Prominent Accidents in the History of
Nuclear Power Generation, and Lessons Learned

Main Types of Nuclear Reactor Accidents

Accident initiated by a sudden reactivity increase (e.g. control rod ejection)
that causes reactor runaway
o RIA: Reactivity Initiated Accident
o the nuclear chain reaction becomes uncontrollable (prompt supercritical
reactor)

Accident initiated by insufficient cooling (e.g. due to loss of coolant)
o the efficiency of heat removal from the core drops
o the reactor core cooling is lost, which can cause damage to the fuel cladding
o LOCA: Loss of Coolant Accident
o LOFA: Loss of Flow Accident
o LOHA: Loss of Heat Sink Accident

Reactivity Initiated Accident

[Figure: reactivity initiated accident]

Loss of Coolant Accident (LB LOCA)

[Figure: large break loss of coolant accident]

International Nuclear Event Scale (INES)

Level 7: Major accident
Level 6: Serious accident
Level 5: Accident with wider consequences
Level 4: Accident with local consequences
Level 3: Serious incident
Level 2: Incident
Level 1: Anomaly
Level 0: Deviation (No Safety Significance)

Details and Examples of the INES Scale

| INES Level | People and Environment | Radiological Barriers and Control | Example |
|---|---|---|---|
| Level 7: Major accident | Major release of radioactive material; widespread effects | | Chernobyl accident (Soviet Union), 26 April 1986; Fukushima accident |
| Level 6: Serious accident | Significant release of radioactive material | | Kyshtym disaster at Mayak (Soviet Union), 29 September 1957 |
| Level 5: Accident with wider consequences | Limited release of radioactive material; several deaths | Severe reactor core damage; significant release within installation | Three Mile Island accident (United States), 28 March 1979 |

Three Mile Island Accident

In 1979, at the Three Mile Island nuclear power plant in the USA, a cooling
malfunction caused part of the core of the #2 reactor to melt
o A relatively minor malfunction in the secondary cooling circuit caused the
temperature in the primary coolant to rise
o This in turn caused the reactor to shut down automatically
o A relief valve failed to close, but the instrumentation did not reveal the
fact
o So much of the primary coolant drained away that the residual decay heat in
the reactor core was not removed
o The core suffered severe damage as a result
o The operators were unable to diagnose or respond properly to the unplanned
automatic shutdown of the reactor
o Deficient control room instrumentation and inadequate emergency response
training proved to be root causes of the accident

Some radioactive gas was released a couple of days after the accident, but not
enough to cause any dose above background levels
There were no injuries or adverse health effects from the TMI accident

Three Mile Island Accident

[Figure: Three Mile Island accident]

Chernobyl Accident

The Chernobyl accident in 1986 was the result of a flawed reactor design that
was operated with inadequately trained personnel
o The crew wanted to perform a test to determine how long the turbines would
spin and supply power to the main circulating pumps following a loss of the
main electrical power supply
o A series of operator actions, including the disabling of automatic shutdown
mechanisms, preceded the attempted test
o By the time the operator moved to shut down the reactor, the reactor was in
an extremely unstable condition
o A peculiarity of the design of the control rods caused a dramatic power surge
as they were inserted into the reactor (the RBMK reactor can possess a positive
void coefficient)
o The interaction of very hot fuel with the cooling water led to fuel
fragmentation
o Intense steam generation then spread throughout the whole core, causing a
steam explosion and releasing fission products to the atmosphere
o A second explosion threw out fragments from the fuel channels and hot
graphite

The resulting steam explosion and fires released at least 5% of the radioactive
reactor core into the atmosphere
Two Chernobyl plant workers died on the night of the accident, and a further 28
people died within a few weeks as a result of acute radiation poisoning

Chernobyl Accident

[Figure: Chernobyl accident]

Fukushima Accident

Following a major earthquake, a 15-metre tsunami disabled the power supply and
cooling of three Fukushima Daiichi reactors, causing a nuclear accident on
11 March 2011
o The reactors proved robust seismically, but vulnerable to the tsunami
o The tsunami disabled 12 of the 13 back-up generators on site and also the
heat exchangers for dumping reactor waste heat and decay heat to the sea
o The three units lost the ability to maintain proper reactor cooling and water
circulation functions; all three cores largely melted in the first three days

Rated 7 on the INES scale, due to high radioactive releases over days 4 to 6
After two weeks the three reactors (units 1-3) were stable with water addition,
but there was no proper heat sink for removal of decay heat from the fuel
By July they were being cooled with recycled water from the new treatment
plant, and an official 'cold shutdown condition' was announced in mid-December
Apart from cooling, the basic ongoing task was to prevent the release of
radioactive materials, particularly in contaminated water leaked from the three
units
There have been no deaths or cases of radiation sickness from the nuclear
accident, but over 100,000 people had to be evacuated from their homes

Fukushima Accident

[Figure: Fukushima accident]

Safety Relative to Other Energy Sources

Deaths from energy-related accidents per unit of electricity

Comparison of accident statistics in primary energy production
(Electricity generation accounts for about 40% of total primary energy)

| Fuel | Immediate fatalities 1970-92 | Who? | Normalized to 1/TWy* electricity |
|---|---|---|---|
| Coal | 6400 | workers | 342 |
| Natural gas | 1200 | workers & public | 85 |
| Hydro | 4000 | public | 883 |
| Nuclear | 31 | workers | |

Safety of Nuclear Power Plants


Overview of the Basic Concepts of Nuclear Safety

Characteristics of Nuclear Power Plants

They contain a large amount of radioactive material
Employees need to be protected from radiation even in normal operation
The release of radioactive contaminants must be prevented even in accident
conditions!
Plans must exist to handle the problems if radioactive contaminants are still
released
Residual (decay) heat removal (heat from the decay of fission products) is of
high importance

Safety Goals of Nuclear Power Plants

Normal operational state: intrinsically safe
o environmentally safe: no release of contaminants
o intrinsic safety: negative void coefficient

But: potentially hazardous
o possibility of severe consequences due to an incident
o design flaws and incompetence can lead to accidents

Aim: avoidance of accidents
o design and build a safe nuclear power plant
o safe operation and maintenance of the NPP

Safety of Nuclear Power Plants

Nuclear power plants and their safety systems and technical equipment must be
designed so that the safety of the environment is guaranteed even if an
accident occurs
Modern nuclear power plants satisfy these criteria
Periodic safety audits are required to
o assess the effectiveness of the safety management system
o and identify opportunities for improvement

The licensing authority permits the startup, operation or maintenance of a
nuclear power plant only if the guaranteed safety of the reactor is proven

Safety of Nuclear Power Plants

Nuclear safety has three objectives:
1. to ensure that nuclear facilities operate normally and without an excessive
risk of operating staff and the environment being exposed to radiation from
the radioactive materials contained in the facility
2. to prevent incidents, and
3. to limit the consequences of any incidents that might occur

Aim: to guarantee in all possible operational and accident conditions (above a
certain occurrence frequency and consequence, i.e. risk) that the radioactive
material from the active zone is contained in the reactor building

The Basic Principles of Nuclear Safety

Nuclear safety uses two basic strategies to prevent releases of radioactive
materials:
o the provision of leak-tight safety barriers
o the concept of defense-in-depth, which applies to both the design and the
operation of the facility: despite the fact that measures are taken to avoid
accidents, it is assumed that accidents may still occur; systems are therefore
designed and installed to combat them and to ensure that their consequences
are limited to a level that is acceptable for both the public and the
environment

Five Layers of Safety Barriers in NPPs

1st layer: the inert, ceramic quality of the uranium oxide
2nd layer: the air-tight zirconium alloy of the fuel rod
3rd layer: the reactor pressure vessel made of steel
4th layer: the pressure-resistant, air-tight containment building
5th layer: the reactor building or a second outer containment building

Pressure Resistant, Air Tight Containment

[Figure: pressure resistant, air tight containment building]

Structure of the Paks NPP and Safety Barriers

[Figure: cross-section of the Paks NPP; the numbered systems are listed on the
next slide]

Main Systems Shown in the Previous Figure

1. Reactor vessel
2. Steam generator
3. Refuelling machine
4. Cooling pond
5. Radiation shield
6. Supplementary feedwater system
7. Reactor
8. Localization tower
9. Bubbler trays
10. Deaerator
11. Aerator
12. Turbine
13. Condenser
14. Turbine hall
15. Degasser feedwater tank
16. Feedwater pre-heater
17. Turbine hall overhead
18. Control and instrument room

Levels of Defence in Depth

| Level | Objective | Essential means |
|---|---|---|
| Level 1 | Prevention of abnormal operation and failures | Conservative design and high quality in construction and operation |
| Level 2 | Control of abnormal operation and detection of failures | Control, limiting and protection systems and other surveillance features |
| Level 3 | Control of accidents within the design basis | Engineered safety features and accident procedures |
| Level 4 | Control of severe plant conditions, including prevention of accident progression and mitigation of the consequences of severe accidents | Complementary measures and accident management |
| Level 5 | Mitigation of radiological consequences of significant releases of radioactive materials | Off-site emergency response |

Design Limits for Design Basis Accidents

The design limits prescribe that for any DBA:
o the fuel cladding temperature must not exceed 1200 °C
o the local fuel cladding oxidation must not exceed 18% of the initial wall
thickness
o the mass of Zr converted into ZrO2 must not exceed 1% of the total mass of
cladding
o the whole body dose to a member of the staff must not exceed 50 mSv
o the critical organ (i.e., thyroid) dose to a member of the staff must not
exceed 300 mSv

Safety Functions

To ensure safety
o in operational states
o in and following a design basis accident, and
o (to the extent practicable) on the occurrence of selected BDBAs

the following fundamental safety functions shall be performed:
1. control of the reactivity
2. removal of heat from the core
3. confinement of radioactive materials and control of operational discharges,
as well as limitation of accidental releases

Main Safety Systems in Nuclear Power Plants

Reactor Protection System (RPS)
o Control Rods
o Safety Injection / Standby Liquid Control

Emergency Core Cooling System
o High Pressure Coolant Injection System (HPCI)
o Automatic Depressurization System (ADS)
o Low Pressure Coolant Injection System (LPCI)
o Core Spray and Containment Spray System
o Isolation Cooling System

Emergency Electrical Systems
o Diesel Generators
o Motor Generator Flywheels
o Batteries

Containment Systems
o Fuel Cladding
o Reactor Vessel
o Primary and Secondary Containment

Ventilation and Radiation Protection

Emergency Core Cooling System

[Figure: ECCS schematic with the following numbered components]
1. Reactor
2. Steam Generator
3. Main Cooling Pump
4. Primary Pipe Rupture
5. Hydroaccumulator
6. Low Pressure Coolant Injection System Vessel
7. Low Pressure Coolant Injection System Pump
8. High Pressure Coolant Injection System Vessel
9. High Pressure Coolant Injection System Pump
10. Pressurizer

Instrumentation and Control for Systems Important to Safety

Safety Life-cycle of I&C Systems in Nuclear Installations

Nuclear Standards: Differences from IEC 61508

Deterministic approach
o Safety functions are classified into categories according to their impact on
plant safety
o Systems are classified into classes according to the safety functions they
provide
o Requirements are assigned to categories and classes
Requirements are drawn from the plant safety design basis

Requirements are typically deterministic
o Design for reliability: single failure criterion, redundancy, diversity
o Independence
o Avoidance of Common Cause Failures

Safety Classification of Nuclear I&C Systems

The safety classification of nuclear systems is country and authority
dependent. The requirements for the design and operation of systems important
to safety, however, are similar.

Source: IAEA TECDOC-1066, Specification Requirements for Upgrades Using Digital I&C. January 1999.

Examples of I&C Systems Important to Safety

[Figure: examples of I&C systems important to safety]

IAEA Standards

International Atomic Energy Agency
IAEA Safety Standards Series No. NS-R-1 (2000), Safety of Nuclear Power Plants:
Design (Requirements)
IAEA Safety Standards Series No. NS-G-1.3 (2002), Instrumentation and Control
Systems Important to Safety in Nuclear Power Plants (Safety Guide)
IAEA Safety Standards Series No. NS-G-1.1 (2000), Software for Computer Based
Systems Important to Safety in Nuclear Power Plants (Safety Guide)

IEC Nuclear Standards

International Electrotechnical Commission
IEC 61226:2009, Nuclear power plants - Instrumentation and control important to
safety - Classification of instrumentation and control functions
IEC 61513:2001, Nuclear power plants - Instrumentation and control for systems
important to safety - General requirements for systems
IEC 60987-2:2007, Nuclear power plants - Instrumentation and control important
to safety - Hardware design requirements for computer-based systems
IEC 60880-2:2006, Nuclear power plants - Instrumentation and control systems
important to safety - Software aspects for computer-based systems performing
category A functions
IEC 62138:2004, Nuclear power plants - Instrumentation and control important
for safety - Software aspects for computer-based systems performing category B
or C functions
IEC 62340:2007, Nuclear power plants - Instrumentation and control systems
important to safety - Requirements for coping with common cause failure (CCF)

Correlation Between IEC Classes and Categories

[Figure: categories of I&C functions important to safety (A, B, C, according
to IEC 61226) mapped to the corresponding classes of I&C systems important to
safety (1, 2, 3, according to IEC 61513)]

I&C functions of category A may be implemented in class 1 systems only
I&C functions of category B may be implemented in class 1 and 2 systems
I&C functions of category C may be implemented in class 1, 2, and 3 systems

The Use of Standards in the Design Process

Requirements from the plant safety design basis
o IEC 61226: Classification of I&C functions
I&C architectural design
o Assignment of functions to I&C systems
o IEC 61513: General requirements for systems
Design and implementation of the I&C hardware
o IEC 60987: Hardware design requirements
Design and implementation of the I&C software
o IEC 60880: Software aspects for computer-based systems performing category A
functions
o IEC 62138: Software aspects for computer-based systems performing category B
or C functions

Simplified Safety Life-Cycle

[Figure: life-cycle flow]
Requirements from the plant safety design basis
I&C architectural design: assignment of functions to I&C systems
Safety life cycle of I&C system 1 ... safety life cycle of I&C system n (in
parallel), each running from system requirements specification to system
installation
Overall integration and commissioning
Overall operation and maintenance

Assessment of Components
Objective: contribute to confidence that system
conforms to safety requirements
Stringency of assessment depends on:
o safety class of system
o how component is used
o consequences of component errors and failures
o intrinsic component properties (e.g., complexity)

Overall Requirements - Class 1

Low complexity
Deterministic behavior for computer-based systems:
o cyclic behavior
o preferably stateless behavior
o load independent of external conditions
o static resource allocation
o guaranteed response times
o single (random) failure criterion
o robustness with respect to errors

Software developed according to stringent nuclear industry standards
(e.g., IEC 60880)

Overall Requirements - Class 2

Controlled complexity
Confidence based in particular on analysis of the system design
High quality software, not necessarily developed according to nuclear industry
standards

Overall Requirements - Class 3

No specific limit for complexity
Confidence mainly based on:
o proven application of quality standards
o global demonstration of fitness

Specific demonstrations may be required on identified topics

Consistency with System Level Constraints

Predictable behavior (Classes 1 & 2):
o precise specification of component behavior
o documented conditions of use in the system

Deterministic behavior (Class 1):
o static resource allocation
o static parameterization
o preferably stateless behavior
o clear-box (with limited exceptions)
o proven maximum response time
o proven robustness against consequences of errors
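The Class 1 constraints listed here and on the "Overall Requirements - Class 1" slide (cyclic, stateless, static resource allocation, proven maximum response time, single failure criterion, robustness against errors), together with the redundancy and single-failure points of the "Nuclear Standards: Differences from IEC 61508" slide, shown in one added C example. It is not code from any real reactor protection system: the channel count, the raw range limits, the trip setpoint and the fail-safe treatment of an invalid channel are constructed assumptions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Added example (not from any real reactor protection system): one scan of a
   Class 1 style trip function written to the constraints on the slides.
   - static allocation: fixed-size arrays, no heap, no recursion
   - cyclic and stateless: the output depends only on this cycle's inputs
   - bounded response time: the only loop runs exactly N_CHANNELS times
   - single failure criterion: 2-out-of-3 voting over redundant channels
   - robustness: out-of-range samples are rejected and treated fail-safe
   Channel count, range limits and setpoint are constructed assumptions. */

#define N_CHANNELS      3U      /* redundant measurement channels */
#define VOTE_THRESHOLD  2U      /* 2oo3 */
#define RAW_MIN         100U    /* below this: open circuit / invalid sample */
#define RAW_MAX         4095U   /* above this: out of range / invalid sample */
#define TRIP_SETPOINT   4000U   /* constructed raw-count trip setpoint */

typedef struct {
    uint16_t raw[N_CHANNELS];   /* one sample per channel for this cycle */
} scan_input_t;

typedef struct {
    bool    trip;               /* protective action demanded this cycle */
    uint8_t valid_channels;     /* channels that passed the range check */
    uint8_t trip_votes;         /* votes for trip, including failed channels */
} scan_output_t;

/* A sample outside [RAW_MIN, RAW_MAX] means the channel has failed. */
static bool channel_valid(uint16_t raw) {
    return raw >= RAW_MIN && raw <= RAW_MAX;
}

/* One cyclic scan. A failed channel votes "trip" (assumed fail-safe policy):
   a single failed channel then neither trips the plant on its own (1 vote < 2)
   nor masks a genuine demand seen by the two healthy channels. */
scan_output_t protection_scan(const scan_input_t *in) {
    scan_output_t out = { false, 0U, 0U };
    for (size_t i = 0U; i < N_CHANNELS; i++) {
        if (!channel_valid(in->raw[i])) {
            out.trip_votes++;
            continue;
        }
        out.valid_channels++;
        if (in->raw[i] >= TRIP_SETPOINT) {
            out.trip_votes++;
        }
    }
    out.trip = (out.trip_votes >= VOTE_THRESHOLD);
    return out;
}

/* Thin wrapper so a caller (or test) can evaluate one cycle from three samples. */
bool trip_demanded(uint16_t a, uint16_t b, uint16_t c) {
    scan_input_t in = { { a, b, c } };
    return protection_scan(&in).trip;
}

int main(void) {
    /* constructed scan sequence: normal; one channel failed low; genuine demand
       with one channel failed; all channels failed */
    static const scan_input_t cycles[4] = {
        { { 3000U, 3010U, 2990U } },
        { {   50U, 3010U, 2990U } },
        { {   50U, 4050U, 4080U } },
        { {   50U,   50U,   50U } },
    };
    for (size_t c = 0U; c < 4U; c++) {
        scan_output_t out = protection_scan(&cycles[c]);
        printf("cycle %zu: valid=%u votes=%u trip=%s\n", c,
               out.valid_channels, out.trip_votes, out.trip ? "yes" : "no");
    }
    return 0;
}
```

The scan has no retained state and no data-dependent loop bound, so its worst-case execution time can be established by inspection, which is what the "proven maximum response time" and "preferably stateless behavior" items ask for; the last constructed cycle shows the robustness choice, where losing every channel produces a trip rather than a silent loss of the protection function.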
