Professional Documents
Culture Documents
Safety Classification For Iandc Systems in Npps
Safety Classification For Iandc Systems in Npps
Safety Classification For Iandc Systems in Npps
Foreword 1
Executive summary 3
1. Introduction 4
1.1 Background 4
1.2 Objective 4
1.3 From process design to I&C design 4
6. References 16
Annex 2: D
ICTF actions for “Safety Classification for I&C systems in 26
nuclear power plants”
Foreword
The Digital Instrumentation & Control Task Force (DICTF) of the CORDEL
WG was set up in 2013 to investigate key issues in digital I&C related to the
licensing of new nuclear power plants, and to collaborate with the International
Electrotechnical Commission (IEC) and the Multinational Design Evaluation
Programme (MDEP) Digital Instrumentation and Control Working Group
(DICWG).
On the basis of an internal survey, the CORDEL DICTF has identified four main
issues:
• Safety Classification for I&C systems in Nuclear Power Plant’s
• Defense in Depth and Diversity (D3)1.
• Field-Programmable Gate Arrays (FPGA): criteria for acceptance
• Reliability predictions
These are discussed in more detail in CORDEL DICTF 2014-2016 Outlook [12].
This first report on Safety Classification for I&C in Nuclear Power Plants
describes the current status in classification of I&C systems, identifies key
causes for difficulties as well as potential solutions. It is important to note that
safety classification of systems and components is a multidisciplinary issue,
and this document aims to be used as a basis for exchange between those
disciplines.
1
Originally referred to as: diversity and
common cause failure (CCF)
1
List of acronyms
Definitions
Unless otherwise stated, terminology used is defined according to the IAEA
Safety Glossary [5].
2
Executive summary
3
1 Introduction
4
As a consequence of these two The process for identifying and
features there is not always a direct organizing the I&C system to achieve
link between the I&C function and the the necessary mechanical and
classification of the supported system. information system functions in a
way that provides for economical
Reactivity control using control rods design, reliable operation, and
in a typical pressurized water reactor defence against common cause
is one example. The mechanical failure is called the ‘I&C architectural
designers provide control rods design’. Such a process must be
that have two modes of operation: applied to every plant function that
a normal mode which can either is controlled by the overall I&C
withdraw or insert rods and in which system. Safety classification of I&C
the speed of movement is limited by systems and components results
the rate at which the rod drive motor from consideration of the combined
can move; and an ‘emergency’ mode mechanical functions, reactor
which cannot withdraw rods but can control functions, and I&C system
release them from the drive system architectural design.
so that they drop by gravity to shut
down the reactor. The mechanical According to IEC 61513, the
system is classified as a safety design of the I&C architecture shall
system because if the rods move in divide the entire I&C into sufficient
any other way than that commanded systems and equipment to meet the
by the control system, a reactivity requirements on:
accident might occur. • Independence of the functions in
different lines of defence.
The reactor designers require that • Adequate separation of the
the control rod and I&C systems act systems of different classes.
together to provide a capability to:
• Fulfilment of the constraints on
• Withdraw and insert the control the physical separation and
rods by operator command during electrical isolation arising from
normal operation. the environmental and layout
• Withdraw and insert control rods constraints, hazard analysis, and
under automatic control during constraints from start-up activities,
normal operation. testing, maintenance and operation.
• Automatically release the control
rods if conditions requiring reactor The elaboration of the I&C
shutdown occur. architecture and the design of
individual I&C systems within this
• Automatically release the control architecture will result in identification
rods using diverse means if of additional I&C-specific FSE, which
conditions requiring reactor also must be safety classified.
shutdown occur.
• Release the control rods by manual These requirements are based on
command of the operator. the need for the I&C to provide
appropriate operation of mechanical
Each of these functions has a components in all operational plant
different degree of safety significance states and accident conditions.
and potential to fail. One I&C system
could perform all of these functions, Annex 1 describes the different plant
but to provide for defence-in-depth, states. Alongside the different plant
the functions are allocated among states the sequence of events is of
several I&C systems. importance.
5
2 Generic approach for
I&C safety classification
Requirement 22 of IAEA No. SSR-2/1 of safety systems include:
[1] states: protection systems, safety
All items important to safety shall be actuation systems and safety
identified and shall be classified on system support features such as
the basis of their function and their power supply and HVAC.
safety significance. • Safety-related I&C systems. I&C
systems important to safety that
According to IAEA NS-G-1.3 [2] I&C are not safety systems. Examples
systems are divided broadly into two of safety-related I&C systems
classes: those performing functions include: the reactor control and
that are important to safety and those limitation system, the human-
performing functions that are not machine interface (HMI) panel,
important to safety (see Figure 1). and radiation monitoring systems.
(Where the radiation monitoring
As defined in NS-G-1.3 an item system provides an input to the
important to safety is an item that safety system it would be safety
is part of a safety group or whose classified.)
malfunction or failure could lead
to radiation exposure of the site This allocation specifies the baseline
personnel or members of the public. for the classification of the safety I&C
functions.
I&C systems important to safety
are identified on the basis of their IAEA SSR-2/1 [1] also specifies the
necessary I&C safety functions and following main safety classification
the definition of systems that perform criteria:
certain combinations of these 5.34. The method for classifying
functions. The systems important the safety significance of items
to safety are based on the following important to safety shall be based
fundamental safety functions that are primarily on deterministic methods
required for all plant states (SSR-2/1 complemented, where appropriate,
– requirement 4): by probabilistic methods, with due
• Control of reactivity. account taken of factors such as:
• Removal of heat from the reactor a. The safety function(s) to be
and from the fuel store. performed by the item;
• Confinement of radioactive b. The consequences of failure to
materials, shielding against perform a safety function;
radiation and control of planned c. The frequency with which the
radioactive releases, as well as item will be called upon to
limitation of accidental radioactive perform a safety function;
releases. d. The time following a postulated
initiating event at which, or the
Within the class ‘I&C systems period for which, the item will be
important to safety’, two main called upon to perform a safety
subdivisions are made as follows: function.
• I&C safety systems. Systems
provided to ensure the safe 5.35. The design shall be such as to
shutdown of the reactor or ensure that any interference between
residual heat removal, or to limit items important to safety will be
the consequences of anticipated prevented, and in particular that any
operational occurrences and failure of items important to safety in
design basis accidents. Examples a system in a lower safety class will
6
Plant equipment
not propagate to a system in a higher The IEC 61838 technical report (see the SSR 2/1 safety classification
safety class. Section 2.2.3) proposes methods for requirements described above. The
using probabilistic risk assessment general approach is to provide a
5.36. Equipment that performs to support the safety classification structure and method for identifying
multiple functions shall be classified process. and classifying structures,
in a safety class that is consistent systems, and components (SSCs)
with the most important function It should be noted that – in important to safety on the basis
performed by the equipment. accordance with IEC 61226 [8] – IEC of their functions and safety
61513 [7] distinguishes between the significance. According SSG-30,
Depending on the nation, different categorization of I&C functions and safety classification identifies and
codes and standards describe the classification of I&C systems. classifies those SSCs that are
different means for classifying IEC 61513 states: “The terms needed to protect people and the
I&C systems and for establishing ‘categorization’ and ‘classification’ environment from harmful effects
requirements for functions, systems, are sometimes synonymously used, of ionizing radiation, based on
equipment, and quality of I&C. even in IEC 61226. For the purpose their roles in preventing accidents,
At the top level of international of clarity in this standard, the term or limiting the radiological
standards the IAEA safety standards ‘categorization’ is reserved for the consequences of accidents. The
reflect an international consensus functions and the term ‘classification’ scope is not limited to I&C.
on what constitutes a high level of for the systems.”
safety for protecting people and the SSG-30 specifies the top-down
environment from harmful effects For discussions that apply to both process for safety classification
of ionizing radiation. The IEC takes classification and categorization, the including the link to the safety design
these standards as reference term ‘safety classification’ represents basis. The process distinguishes
requirements and recommendations. both. between the identification of functions
IAEA SSG-30 [3] and IEC 61226 [8] necessary to fulfil the main safety
establish the generic criteria and objectives in all plant states and the
methods to be used to assign the
2.1 IAEA SSG-30, identification of the design provisions
I&C functions of a nuclear power Safety Classification of necessary to prevent accidents.
plant to safety categories. Structures, Systems and
Based on the main criteria defined
Components in Nuclear
For the CORDEL Digital I&C Task by SSR-2/1, IAEA SSG-30 identifies
Force (DICTF), the focus is on the Power Plants three different safety classes of SSC
international standards which are IAEA SSG-30 [3] provides (1, 2 and 3) and describes generically
described in Sections 2.1 and 2.2. recommendations on how to meet the rules for classification.
7
At the time of drafting this report, Table 1: Correlation between classes of I&C systems and categories of I&C
the IAEA is preparing a dedicated functions (IEC 61513 [7])
TECDOC to provide guidance on
how an organization can establish a Categories of I&C functions Corresponding classes of I&C
comprehensive safety classification important to safety systems important to safety
of SSCs compliant with the IAEA A (B) (C) 1
recommendations. B (C) 2
C 3
2.2 IEC standards
2.2.1 IEC 61226 (IEC Level 2
document) IEC standards are also being a comprehensive explanation of
adopted as harmonized standards the relation between I&C functions
IEC 61226 [8]2 is an international
by other certifying bodies, thus and I&C systems, the scope of the
standard that responds to the IAEA
IEC standards are becoming nuclear plant process design phase
SSR-2/1 [1] ‘safety classification’
more important than in the past. and I&C design phase regarding
requirement 22.3
Nevertheless, depending on the safety classification.
region, national standards are still
It introduces time factors such as:
in place and in most cases the 2.2.3 IEC TR 61838 (IEC Level 4
• The duration that the I&C system is responsible authority will keep its document)
needed once it has been initiated. existing codes and standards, which The IEC 61838 [10] technical
• The time for which alternative the vendor has to consider in the report, Use of Probabilistic Safety
actions can be taken. specific project life cycle. Assessment for the Classification of
• The timeliness by which hidden Functions, provides a survey of some
faults can be detected and The classification according IEC of the methods by which probabilistic
remedied. 61226 is focused on the I&C process risk assessment results can be used
functions. The current version does to establish ‘risk-based’ classification
This standard extends the not include the requirements to criteria, so as to allow functions,
classification strategy presented classify electrical systems, but this systems and equipment (FSEs) to
in the IAEA Safety Guide SSR-2/1, might be considered in the next be placed within the four categories
and establishes the criteria and edition. established within IEC 61226.
methods to be used to assign the
I&C functions of a nuclear plant to 2.2.2 IEC 61513 (IEC Level 1 The safety principles and the
one of three categories, A, B and document) usefulness of a risk-based approach
C, depending on their importance IEC 61513 [7] introduces the concept to classification are discussed
to safety, or to an unclassified of a safety life cycle for the overall and a description of four different
category for functions with no direct I&C architecture and a safety life approaches is presented. Two of
safety role. cycle for the individual systems. these approaches are applied to a
Section 5.4.2 of IEC 61513 (Design practical example and the results
The aim of this standard is to: of the I&C architecture) specifies compared as a means to evaluate
• Classify the I&C functions important the correlation between classes of the robustness and generality of the
to safety into categories, depending I&C systems and categories of I&C risk-based approach.
on their contribution to the prevention functions (see Table 1).
and mitigation of postulated initiating
events (PIE), and to develop
2.3 Comparison of I&C
Annex B of IEC 61513 includes
requirements that are consistent with informative data on Categorization classification
the importance to safety of each of of functions and classification Table 2 shows the different safety
these categories. of systems. The current version classification schemes used by
• Assign specification and design identifies differences between the the main international standards
requirements to I&C systems IAEA and IEC which are now obsolete organizations, the MDEP member
and equipment concerned which due to release of IAEA SSG-30. states and two countries that are not
perform the classified functions. Annex B of IEC 61513 also includes members of MDEP.
8
Table 2: System safety classifications4
Organizations or
Safety Classification of I&C Functions and Systems in nuclear plants
Countries
Main international standard organizations
Systems Important to Safety
IAEA NS-G-1.3
Safety Safety-related
Safety Systems not important to
Function Safety category 2 Safety category 3 safety
category 1
IAEA SSG-30
System Safety class 1 Safety class 2 Safety class 3
Systems Important to Safety
I&C function Category A Category B Category C Non-classified
IEC 61226
I&C system Class 1 Class 2 Class 3
Systems Important to Safety
IEEE Non-safety-related
Safety-related 5
Safety level of
NS
EUR6 functions / I&C F1A F1B F2
(non-safety)
systems
MDEP member states
Canada Category 1 Category 2 Category 3 Category 4
India IA IB IC NINS
Switzerland 1 2 3 Non-classified
2
IEC 61226 (3rd edition) is currently under revision and should be read in association with the IAEA guides and IEC 61513.
3
previously IAEA NS-R-1 5.1
4
Such a table gives only a qualitative mapping between the various classification systems.
5
IEEE/NRC does not have a name for items that are important to safety, but not classed as ‘safety-related’.
6
EUR is being revised to follow the SSG-30 principles.
9
3 Causes of classification
difficulties
This Section describes the primary the Finnish safety categories and IEC
difficulties that the DICTF identified safety categories are inconsistent
for the process of safety classification with each other, it is unclear whether
of I&C functions. To date, the DICTF a SC3 categorized function should be
has identified the following difficulties: realized by a Category B (Class 2) or
• Inconsistency between international by a Category C (Class 3) qualified
standards and local regulations. system.
10
especially for topics of main interest Note: IEC 61838 [10] proposes • Communication system (telephone,
(key words). in Section 8.2.1.4 that the level of plant communication system).
requirements should be linked to the • Access control (I&C rooms, I&C
The following key words frequently selected category. For key words cabinets, manual actions).
cause trouble in interpretation of such as ‘single failure criterion’,
• Lighting.
requirements: ‘emergency electrical supply’ or
• Defence-in-depth and diversity ‘physical separation’ a suggestion
The support service systems
(assignment of different I&C is given if required, depending on
have different levels of potential to
systems and provision of diversity the safety category. But, generally
affect the safe operation of the I&C
within and between systems to standards avoid specific criteria and
systems. The HVAC and power
reduce the likelihood that common give instead more generic phrases
supply support service systems are
cause failures within the I&C such as ‘sufficient’, ‘appropriate’,
usually essential to ensure safety
system will cause failure of reactor etc.. The DICTF should assess
during normal operation9.
safety functions). to what extent criteria should
• Separation (physical separation/ be introduced into codes and
The failure of these support service
electrical isolation/functional standards.
systems can directly impact on the
independence/independence of Category A functions (operability of
communication). For associated DICTF action items
the protection system). According to
see Annex 2.
• Redundancy (level of required IEC 61226 [8] Section 5.3.3:
redundancy e.g. N+1/N+2).
• Reliability/availability (limits for 3.3 Incomplete rules for Category B also denotes functions
digital I&C systems). categorization of ‘other whose failure could initiate a DBE
• Spurious activation (inadvertent I&C functions’ or worsen the severity of a DBE.
actuation of I&C functions). Because of the presence of a
The existing codes and standards
Category A function to provide the
for safety classification are focused
Depending on the key word, slightly ultimate prevention of or mitigation
on the I&C functions required to
different meanings are given in of the consequences of a DBE, the
monitor and operate the main
regulatory documents and standards. safety requirements for the Category
process variables. As I&C is widely
B function need not be as high as
spread in nuclear plants, rules
As long as there is no harmonized those for the Category A function.”
and regulations are also required
understanding for such top level
to categorize functions important
wording, discussions will arise for The I&C functions of these support
to safety outside of this focus
every upcoming project. service systems should be at least
(‘other I&C functions’). Criteria for
Category B according to IEC 61226.
the categorization of ‘other I&C
Example: ‘separation’
functions’ discussed below are
Codes and standards do not specify Section 5.2 of IEC 61226 refers to
currently not well documented.
in detail what level of ‘separation’ IAEA NS-G-1.3 to introduce time
is required (acceptance criteria) for factors such as:
3.3.1 I&C functions for support
safety-related applications. • The duration that the I&C system is
service systems
needed once it has been initiated.
For the architecture and system For securing safe operation of the
safety-relevant I&C systems the • The time for which alternative
design it is necessary to set up the
following support service systems are actions can be taken.
design based on design constraints.
Inconsistent requirements could lead required: • The timeliness by which hidden
to late design modifications in the • Power supply (including auxiliary faults can be detected and
project life cycle. power sources). remedied.
• HVAC (heating, ventilation and air
IEC 61226 edition 3.0 from 2009 [8] These time factors could have a
conditioning).
uses the term ‘non-hazardous stable significant role in establishing the
state’. This term is subject to different • Fire/smoke detection. safety class of the I&C system
interpretations depending on local • Extinguishing system (e.g. CO2 performing such support system
practice. extinguishing system). functions.
11
Example: I&C support service of SSCs (i.e., mean down time10)
system – HVAC justification of a minimized down time
The categorization of the I&C of SSCs should support the safety
HVAC functions leads frequently to classification and design decisions
misunderstandings because of the lack regarding redundancy/diversity/etc.
of guidance. The HVAC support service
system functions are very important for For associated DICTF action items
the safe operation of I&C. see Annex 2.
12
For the I&C systems of DiD Level common cause failures (CCFs) within that analysis of design extension
1, 2, 3a, the scope and allocation the digital protection system might conditions for the plant is carried
of process and safety functions are result in unacceptable consequences out. According to IEC 62340 [9]
quite clear. for certain combinations of CCFs the design of the I&C architecture
and PIEs. When this situation is should tolerate CCF for that subset
The need to install dedicated systems encountered, a DAS is often provided of DBEs which are to be expected
for DiD Level 3b and 4 is fairly recent to back up the protection system. at a frequency that is higher than
and the existing requirements for a specified limit based on this
those I&C systems differ between There is general agreement that a analysis. Table 2 of Annex 1 gives
codes and standards (national and DAS may effectively mitigate the a correlation between the design
international). consequences of specific PIEs in extended conditions DEC-B and
conjunction with postulated CCFs DEC-C to the DiD Level 3b based
The requirements for a DiD Level 3b of a protection system. There are, on the probabilistic frequency
I&C system are mostly based on the however, different approaches of the protection system CCF in
discussion of the postulated common to safety classification, the use combination with the postulated
cause failure of the DiD Level 3a of digital DASs to back up digital design basis events. These DAS
realized by a digital I&C system protection systems, and use of I&C functions could be realized
platform. Consequently, a so-called manual actuation to mitigate the by duplication of the function with
diverse actuation system (DAS) is consequences of protection system the same or graded thresholds for
required for the DiD Level 3b. CCF. actuation or by equivalent functions
with differences in its logic.
To ensure adequate independence I&C system classification of DAS
between DiD Level 3a and 3b or Some regulatory authorities expect Use of manual actions for diverse
between Level 3 and 4, several that DASs will be classified as safety actuation
aspects must be taken into account: systems whereas others allow Generally, manual actuation may be
• Diversity. them to be systems of lower safety accepted as a diverse backup for the
classification. Depending on the protection system but the conditions
• Physical separation – structural or regulatory authority, the expected under which manual actuation
by distance. level of safety classification is based may be acceptable vary. Accepted
• Functional isolation. upon the reliability claims made for practices include12:
• However, depending on when a the DAS. • When the action is not needed in
system is assigned to level 3b or less than 30 minutes and analysis
level 4, the requirements for a DAS Technology used for DAS of human factors has confirmed
may be very different in regard to: In some cases, the regulatory that a proper decision can be taken
authorities expect that DASs will be and implemented within that time.
• Scope of functions.
hardwired systems. The use of digital
• Type of I&C platform (hardware • When action is not needed in less
systems is discouraged, but not
versus software). than 20 minutes.
prohibited by regulatory authorities.
• Safety classification. Other regulatory authorities allow the • Engineered safety feature
use of digital systems if adequate actuation, but not reactor trip.
This leads to some of the diversity is demonstrated. • No restriction on manual action.
inconsistencies between regulators
that are described below. Scope of I&C functions to be While the above illustrates the range
realized by DAS of practices among regulatory
Diverse actuation systems11 For the design of the DAS, the authorities, a regulator may take a
When digital systems are used identification of functions to be different approach based upon the
to implement protection system realized by the diverse I&C system specific situation proposed.
functions, it is not uncommon for is essential. Codes and standards
the analysis described in paragraph include different approaches for this For associated DICTF action items
4.32 of IAEA SSG-39 [4] to find that topic. IAEA SSR-2/1 [1] requests see Annex 2.
13
4 Differences between
IAEA SSG-30 and
IEC 61226
IAEA SSG-30 should be seen as the interpretation of the requirements
top-level document specifying the by the vendors and utilities in the
general constraints for the safety realisation of the overall I&C in the
classification of SSCs in nuclear power nuclear power plant.
plants. IEC 61226 should further
elaborate the specific requirements Unfortunately, the classification
for the implementation of SSG-30 as it given by IEC 61226 is not valid for
applies to I&C functions. all countries. As shown in Table 2,
different classifications for safety
IAEA SSG-30 provides categories are in place.
recommendations and guidance
on how to meet the requirements, Neither document gives more
but does not provide criteria for than a limited discussion of the
judgement on details. IEC 61226 difficulties identified in Section 5.
goes further and provides categories The CORDEL DICTF should develop
that should be assigned to functions bridges between the needs from
important to safety. Never-the- vendors and utilities to the standards
less, this approach still requires organizations.
14
5 Promoting consistency
between codes and
standards for I&C
safety classification
IAEA SSG-30 was officially released the World Nuclear Association and
in 2014. The IAEA is now working on working groups A3 and A7 of the IEC
a dedicated TECDOC describing the SC 45A has been initiated.
objectives of SSG-30. At the time of
drafting this report, a request for a Since the formation of the DICTF,
close relationship with IAEA has been regular exchange meetings with the
initiated for further exchange. MDEP DICWG have taken place,
where the topic ‘Safety Classification
For IEC 61226 the situation is for I&C systems in Nuclear Power
different. Since the 2009 revision of Plant has been presented. Further
IEC 61226, several changes occurred exchange shall be performed after
in IAEA documents, mainly on SSR publication of this report.
2/1, SSG-30, and SSG-39 as well
as IEC publications including IEC For associated DICTF action items
61513. A category D liaison between see Annex 2.
15
References
[2] IAEA Safety Guide No. NS-G-1.3, Instrumentation and Control Systems
Important to Safety in Nuclear Power Plants, International Atomic Energy
Agency, STI/PUB/1116, March 2002
[4] IAEA Specific Safety Guide No. SSG-39, Design of Instrumentation and
Control Systems for Nuclear Power Plants, (under Revision Draft Safety
Guide DS431 -supersedes NS-G-1.1 and NS-G-1.3), International Atomic
Energy Agency, Draft M step 10 2014-03-21
[5] IAEA Safety Glossary, Terminology Used in Nuclear Safety and Radiation
Protection 2007 Edition, International Atomic Energy Agency, June 2007
[9] IEC 62340:2007, Requirements for coping with common cause failure
(CCF), International Electrotechnical Commission, 2007-12
16
Annex 1 Plant states –
sequence of events
The classification of structures, systems and components (SSC) is closely
linked to the plant states and the postulated initiating event which are required
to be considered in the design of a NPP for safe plant operation. This annex
has the intention to get a common understanding regarding topics concerning
plant states and sequence of events.
Both IAEA and IEC documents uses the term ‘plant state’ for two different
subjects. On the one hand the term is used to identify the events to be
considered for plant operation (like Normal Operation, Anticipated operation
occurrences) on the other hand the term is used as status of the plant to
be reached after an event has occurred (regarding physical conditions like
temperature, pressure, radiation, etc.).
Table 1: Plant states – according to IAEA SSR 2/1 [A] / IEC 61226 (Ed.4 Draft)
17
18
Table 2: Correlation between DiD levels and allocation of events/PIEs
WENRA
Control of accidents with core
DiD Level 4
melt to limit offsite releases
Mitigation
DiD Level 5
of radi.
DBC-1 DBC-2 DBC-3 DBC-4 DEC-A DEC-B
Design Base
Reduction of risk and prevention Reduction of risk and control of core
Conditions / Limiting accidents
Transients related to Anticipated operational of core meltdown meltdown
Design Extension Infrequent accidents
normal operation occurrences (higher (lower
Conditions
frequency) frequency)
Each event in this Each PIE in this category No individual PIE in this PIEs in this category are PIEs in this category are not considered to be sufficiently credible to include
category is expected should be expected to category is expected to considered to be possible but as design basis events but are nevertheless considered in the design
to occur frequently occur one or a few times occur during the plant are believed to be excluded process inorder to ensure radioactive releases are kept within acceptable
or regularly during during plant lifetime lifetime, but one or a few by the design. Nevertheless, limits should they occur.
operation PIE within this category they are considered on order
Frequency
should be expected to understand the radiological
during plant lifetime consequences of limiting
accidents
CDF<10-5/a;LRF<
f>1/a f<10- 10-2/a<f10-3/a f<10-3/a 10-4/a<f<10-6/a
5*10-7/a
II. Plant states - Time and reactor states based
approach
In Table 1 the different type of plant states are identified for the accident
conditions (AC) which form the starting point for the next sequence of events.
Figure 1 provides a generic process after initiation of a PIE. In case the safety
I&C detect that plant parameter deviate from normal conditions, the safety I&C
shall immediately initiated dedicated measure(s) to actuate SSCs. For events
with high severity to the plant, the primary target is to reach controlled state,
realized automatically by rector trip and ESFAS functions of the protection
system. The controlled state is not a solid state for the plant but depending on
the plant design it provides alternatives regarding time and measures to bring
the plant to safe state. Depending on the complexity and the time behaviour
measures could be realized by I&C safety actuation system or by manual
means from the main control room. Safe state is equal to a maintainable state
in which the plant could be kept over long period. Plant parameter needs to be
monitored and residual heat removal system to be controlled.
The time between the initiation of a postulated event and the achievement of
reaching the subsequent events (’controlled state’ and ‘safe state’) is of high
importance.
The time frame between the PIE and the ‘actuation of process & safety
systems’ correspond to the response time requirement for the safety I&C
plus the required response time of the electrical and mechanical SSCs. This
sequence of events shall be (mostly) realized by automatic functions.
Afterwards, depending on the new situation inside the plant (corresponding to
the level of PIE), the plant could be either return to normal operation state or
managed to ensure further on the fundamental safety principles.
19
Postulated
Anticipated Operational Occurrency (AOO)
Initiating Event
Design Base Accident (DBA)
(PIE)
Recognize plant
parameter deviations Safety I&C
Safety I&C
Initiate specified
(incl. the electrical &
measures
mechanical systems)
Actuation of
Process &
Safety Systems
Safety I&C
Maintenance / Operator / Manage the systems to
(incl. the electrical &
Repair of PIE Maintenance Team reach Controlled State
mechanical systems)
Operator /
Maintenance Team
Legend
Safe State
Event Action SSC Staff
20
The need of operator actions in the early phase of the PIE sequence shall be
minimized. The required realization (automatically/manually) of subsequent
actions depends on the complexity and time duration required for response.
Based on the recommended time frame to reach the controlled state, the
instrumentation and control for the required process and safety functionality
shall be realized either automatically or manually.
Regarding the application of manual safety actions the IAEA SSG-39 [C]
provides in paragraph 7.18 to 7.26 more detailed requests which should be
taken considered in the safety and process design.
IEC has drafted in 2009 a technical report concerning the ‘Use of Probabilistic
Safety Assessment for the classification of functions’ – IEC 61838 [F]. This
technical report proposes indicative the correlation between the state of the
reactor, the timescale and the “group of PIEs” (DBCs, DECs, Internal hazards).
Table 3 is based on the Table 1 (Classification of I&C FSE†) of IEC 61838 [F].
Table 3: Time and reactor states approach for safety classification – IEC 61838 [F]
†
FSE – Function(s) and the associated systems
and equipment that implement it (them)
21
III. Assignment of safety categories based on plant
states/severity of consequences
The current version of IAEA SSG-30 [B] identifies the relationship between
functions credited in the analysis of postulated initiating events and safety
categories (see Table 4).
22
IV. Definitions of plant states
The following definitions are specified by IAEA. Both IAEA SSR 2/1 [A] and
IAEA SSG-30 [B] identifies plant states. The wording is slightly different but with
the same intention.
IEC 61226 [D]/IEC 61838 [F] uses the term ‘non-hazardous stable state’ for the
controlled state and ‘safe shutdown state’ for safe state.
23
V. References
[A] Specific Safety Requirements No. SSR-2/1, Safety of Nuclear Power
Plants: Design, International Atomic Energy Agency, STI/PUB/1534,
January 2012
[C] IAEA Specific Safety Guide No. SSG-39, Design of Instrumentation and
Control Systems for Nuclear Power Plants, (under Revision Draft Safety
Guide DS431 -supersedes NS-G-1.1 and NS-G-1.3), International Atomic
Energy Agency, Draft M step 10 2014-03-21
[G] American National Standards Institute N18.2, Nuclear Safety Criteria for
the Design of Stationary PWR Plants, 1973.
24
Annex 2 DICTF actions for
“Safety Classification
for I&C Systems in
Nuclear Power Plants”
Section 3.1 - Inconsistencies between international standards and
local regulations
PP-DICTF- Each participant in the DICTF shall provide DICTF
001_AI-1 experience and feedback on inconsistencies secretariat
in safety classification between international
standards and local regulations.
PP-DICTF- The DICTF will encourage the MDEP DICWG DICTF
001_AI-2 to make a more detailed analysis of safety chairman
classification requirements among its
membership (based on the results of AI-1).
25
Section 3.4 - Criteria for diverse backup systems
PP-DICTF- The DICTF will provide a report on identifying Safety
001_AI-8 the different statements of IAEA, IEC, MDEP and Classification
WENRA, including the topic DiD Level 3b (the list Topic leader
will be published on the CORDEL DICTF section (J. Pickelmann)
of the World Nuclear Association members
website).
26
World Nuclear Association +44 (0)20 7451 1520
Tower House www.world-nuclear.org
10 Southampton Street info@world-nuclear.org
London WC2E 7HA
United Kingdom
Safety Classification for I&C Systems in Nuclear Power Plants - Current Status & Difficulties
© 2015 World Nuclear Association. Registered in England and Wales, company number 01215741