Redundancy and the single-failure criterion

“Redundant” means having a second source of power or piece of equipment that acts as a backup in case the first fails to operate properly. . . .

The second piece of equipment replicates the function of the first. This is where designing to the “single-failure criterion” comes into play. Designing against single failures is an aspect of the defense-in-depth design mentality. “Single failure” is defined in Appendix A of 10CFR50, but a more down-to-earth definition is this one found in a report submitted to the NRC in 1977:

In principle, the Single Failure Criterion is straightforward. Simply stated it is a requirement that a system which is designed to carry out a defined safety function (e.g., an Emergency Core Cooling System) must be capable of carrying out its mission in spite of the failure of any single component within the system or in an associated system which supports its operation.

The NRC endorses adhering to this design philosophy throughout the General Design Criteria. For Class-1E electrical systems, this means having two redundant supply trains that are independent of one another. Independence is achieved when the trains are physically separated and electrically isolated from each other.

Physical separation of circuits is achieved “by the use of safety class structures, separation distance, or barriers or any combination thereof.” Electrical isolation is achieved “by the use of separation distance, isolation devices, shielding and wiring techniques, or combinations thereof.” You see these requirements play out in practice when plant procedures and design basis documents require that certain minimum distances be maintained between conduits and cable trays of different voltage levels and quality class (Class 1E vs. non-safety related).

Where cross-tie connections exist between Class-1E electrical buses, they are normally made through two or more Class 1E-rated breakers in series. If only one breaker isolated the two trains, a fault on one train coincident with that single breaker failing to open would let the fault propagate into the other train, and both trains could be taken out of service at once. With two breakers in series, the second breaker clears the fault when the first fails, which is exactly the single failure the criterion requires the design to tolerate.

The same is true for non-safety-related loads that are powered by Class-1E buses. There must be two means of electrical isolation between the 1E bus and the non-safety circuit. That way, a fault on that non-safety circuit couldn’t trip off an entire array of safety-related equipment. Such a massive transient could eventually result in core damage.

If the branch breaker supplying the non-safety circuit failed to open and there were no redundant breaker behind it, the next upstream breaker would be the one to clear the fault. That upstream breaker is likely to be the feeder for an entire bus of safety-related equipment, so the whole bus would be de-energized. The impact would be severe and out of all proportion to the cause, especially when the non-safety load in question is something small and relatively trivial.
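The breaker arrangements in the three paragraphs above can be checked mechanically by enumerating every credible fault together with every single breaker failure and asking which safety buses remain energized. The following Python model is an added example, not material from the original article; the bus, source and breaker names (SRC_A, BUS_A, TIE_BKR_1, BRANCH_BKR_1 and so on) are hypothetical, and the protection behaviour is deliberately simplified: a working breaker adjacent to a faulted zone opens, a breaker that fails to open lets the fault spread to its far side, and a bus counts as lost if it is inside the faulted zone or has no remaining path to a source. It builds the weak design (one tie breaker, one branch breaker) beside the corrected one (two in series of each) and runs the same single-failure sweep over both.

```python
from itertools import chain


class Network:
    """Toy electrical network: nodes are sources, buses and loads; each
    breaker joins two nodes. Names are hypothetical (added example)."""

    def __init__(self):
        self.breakers = {}      # breaker name -> (node_a, node_b)
        self.sources = set()    # nodes that can energize a bus
        self.safety_buses = set()

    def add_breaker(self, name, a, b):
        self.breakers[name] = (a, b)
        return self


def fault_zone(net, fault_node, failed_breaker=None):
    """Spread a fault until protection clears it.

    Returns (zone, opened): the nodes the fault reached and the breakers
    that tripped. A functional breaker touching the zone opens; the one
    breaker named in failed_breaker fails to open and lets the fault
    cross to the node on its other side."""
    zone, opened = {fault_node}, set()
    changed = True
    while changed:
        changed = False
        for name, (a, b) in net.breakers.items():
            if name in opened or (a not in zone and b not in zone):
                continue
            if name == failed_breaker:
                other = b if a in zone else a
                if other not in zone:
                    zone.add(other)
                    changed = True
            else:
                opened.add(name)
                changed = True
    return zone, opened


def energized(net, node, opened, zone):
    """True if node is outside the faulted zone and still reaches a source
    through breakers that did not open."""
    if node in zone:
        return False
    seen, stack = {node}, [node]
    while stack:
        n = stack.pop()
        if n in net.sources:
            return True
        for name, (a, b) in net.breakers.items():
            if name in opened:
                continue
            nxt = b if a == n else a if b == n else None
            if nxt is not None and nxt not in seen and nxt not in zone:
                seen.add(nxt)
                stack.append(nxt)
    return False


def surviving_buses(net, fault_node, failed_breaker=None):
    zone, opened = fault_zone(net, fault_node, failed_breaker)
    return {bus for bus in net.safety_buses if energized(net, bus, opened, zone)}


def single_failure_report(net, fault_nodes):
    """Every fault location x (no failure + each breaker failing to open)."""
    return {(f, failed): surviving_buses(net, f, failed)
            for f in fault_nodes for failed in chain([None], net.breakers)}


def meets_single_failure_criterion(net, fault_nodes):
    """At least one safety train must survive every fault/single-failure pair."""
    return all(len(s) > 0 for s in single_failure_report(net, fault_nodes).values())


def build(tie_breakers, branch_breakers):
    """Two Class 1E trains with a bus cross-tie and one non-safety branch
    off BUS_A; the counts set how many breakers are chained in series."""
    net = Network()
    net.sources = {"SRC_A", "SRC_B"}
    net.safety_buses = {"BUS_A", "BUS_B"}
    net.add_breaker("FDR_A", "SRC_A", "BUS_A").add_breaker("FDR_B", "SRC_B", "BUS_B")
    tie = ["BUS_A"] + [f"TIE_{i}" for i in range(1, tie_breakers)] + ["BUS_B"]
    for i in range(tie_breakers):
        net.add_breaker(f"TIE_BKR_{i + 1}", tie[i], tie[i + 1])
    br = ["BUS_A"] + [f"BRANCH_{i}" for i in range(1, branch_breakers)] + ["NONSAFETY_LOAD"]
    for i in range(branch_breakers):
        net.add_breaker(f"BRANCH_BKR_{i + 1}", br[i], br[i + 1])
    return net


FAULTS = ["BUS_A", "BUS_B", "NONSAFETY_LOAD"]   # constructed fault locations

if __name__ == "__main__":
    for label, net in (("single breakers", build(1, 1)), ("two in series", build(2, 2))):
        print(label, "meets criterion:", meets_single_failure_criterion(net, FAULTS))
        for (f, failed), alive in sorted(single_failure_report(net, FAULTS).items(), key=str):
            if len(alive) < 2:
                print(f"  fault at {f:15} failed {str(failed):13} surviving {sorted(alive)}")
```

Running it shows the two failure modes the text describes: in the single-breaker design, a fault on BUS_A while TIE_BKR_1 fails to open leaves no safety bus energized, and a fault on the non-safety load while BRANCH_BKR_1 fails to open costs all of BUS_A. In the two-in-series design every fault/single-failure pair leaves at least one train (and for the non-safety fault, both trains) energized. The sweep is the same kind of exhaustive "what if exactly one thing fails" enumeration a threat model applies to redundant controls elsewhere.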

The combination of physical separation and electrical isolation also reduces the chance that a fire in one area destroys both divisions of Class-1E power. Defense-in-depth design strategies against fire damage to Class-1E circuits are covered more rigorously in Appendix R to 10CFR50.