SSG-39
Design of Instrumentation and Control Systems for Nuclear Power Plants
Footnotes
1. INTERNATIONAL ATOMIC ENERGY AGENCY, Software for Computer Based Systems Important to Safety in Nuclear Power Plants, IAEA Safety Standards Series No. NS-G-1.1, IAEA, Vienna (2000).
2. INTERNATIONAL ATOMIC ENERGY AGENCY, Instrumentation and Control Systems Important to Safety in Nuclear Power Plants, IAEA Safety Standards Series No. NS-G-1.3, IAEA, Vienna (2002).
3. See footnote 1.
4. A draft Safety Guide on the topic of auxiliary systems that will provide recommendations for other support features is currently under development.
5. See footnote 1.
6. See footnote 2.
7. I&C components include hardware, software (such as application software and firmware) and hardware description language.
8. Items for which a configuration baseline is established may include individual components, systems or the overall I&C system. The baseline for any item will cover all of the systems and components that comprise the item.
9. For I&C systems, a combination of qualitative analysis, quantitative analysis and testing is usually needed to verify compliance with reliability requirements.
10. If the design makes use of assumptions about the operating organization’s operational security policies and practices (including policies and practices relating to computer security), these are to be communicated to the user. It might be appropriate to include elements of such descriptions in separate documents, so that their distribution can be more restricted than other system information.
11. The level of reliability and availability might be defined quantitatively or qualitatively, for example, in terms of the supporting requirements referred to above, such as requirements for implementation of specific reliability strategies, requirements for characteristics of the development process or requirements for compliance with specified standards.
12. Examples of design constraints include constraints to support independence or diversity requirements.
13. Interface signals include, for example, inputs and outputs to or from other systems, sensors, actuators and operator interfaces.
14. The design documentation for older systems might be incomplete or inaccurate. Consequently, major modifications to, or replacement of, such systems might require some degree of ‘reverse engineering’ to recreate the original design bases and specifications.
15. Functional requirements define, for example, the transformations of inputs to outputs and the actions to be taken.
16. Reliability and availability limits for systems and components may be specified using probabilistic criteria, deterministic criteria (e.g. compliance with the single failure criterion or specific procedures and verification methods for software) or both.
17. Plant environmental conditions of concern include the normal conditions, abnormal conditions and the extreme conditions that I&C equipment might experience during design basis accidents, internal events or external events. Any interactions across I&C systems, and particularly between components qualified to different degrees, may compromise the requirements for defence in depth if not fully taken into account.
18. Topics to be considered consistently across all I&C systems include, for example, the application of the operational concept of the plant, the application of design standards for the human–machine interface, the constraints on cable routing, grounding practices and the philosophy of alarm management.
19. Strategies for determining reliability requirements might include compliance with the single failure criterion, redundancy, independence between redundant functions, fail-safe design, diversity and verifiability (including analysability and testability). Section 6 describes considerations in implementing strategies to achieve reliability.
20. Typically, safety systems will be organized into redundant divisions in order to comply with the single failure criterion. Systems in a lower safety class might not need to have redundant elements for reasons of safety, but might be redundant to improve their reliability in normal operation.
21. Probabilistic studies include, for example, reliability analysis and probabilistic safety assessment.
22. In probabilistic studies, systems are treated as fully independent by simply taking the product of their individual failure probabilities.
23. Examples include space to attenuate the effects of electromagnetic interference and separation between systems and components qualified to different levels. Environmental qualification, seismic qualification and electromagnetic qualification may also be used by themselves, or in conjunction with physical separation, to protect against the effects of accidents, internal hazards or external hazards.
24. For example, the analysis or test may consider the maximum voltages within the associated circuit, in comparison with the voltages that the safety circuit can tolerate.
25. Wireless systems and devices include, for example, mobile telephones, radio transceivers and wireless data communication networks.
26. For example, test interfaces with the capability of introducing simulated process conditions or electrical signals.
27. Example considerations in determining the location of provisions for testing include:
- Location of sensors such that testing and calibration can be performed at their location;
- Location of test devices and test equipment in areas convenient for the equipment to be tested;
- Plant or administrative features that could make it difficult to bring test equipment to the location of components to be tested, for example, the necessity to move equipment along narrow paths, or in and out of contaminated areas;
- Convenience of the status indication of components and test connections.
28. Evaluation and documentation of the reasons for, root causes of, and actions taken after a failed test are normally necessary before the results of a repeated test can be used to demonstrate operability of the system or component involved. Corrective actions may include maintenance or repair of components, or changes to test procedures. If corrective actions are determined to be unnecessary, the reasons are to be documented.
29. Test equipment may be temporarily connected to plant equipment if the equipment to be tested has facilities specifically designed for the connection of this test equipment. Where temporary connections are required for periodic testing or calibration, the connection and use of such equipment are to be subject to appropriate administrative controls.
30. Such an on-line test will be able to identify specific defects directly when initiated, without the need for making test connections or disturbing the on-line equipment or its operation for more than a limited time.
31. Redundant equipment might be equipment in redundant divisions or redundant equipment within a single division.
32. The safety limits are sometimes given in terms of parameters that are not directly measurable by the I&C system.
33. The margin between the analytical limit and the safety limit takes into account the response time of the instrument channel and the range of transients due to the accident considered.
34. ‘Limiting settings for safety systems’, also called ‘safety system settings’ or ‘limiting safety system settings’, is a legal term in some States. These might be expressed as trip set points, allowable values, or both. IAEA Safety Standards Series No. NS-G-2.2, Operational Limits and Conditions and Operating Procedures for Nuclear Power Plants [29] provides additional guidance on establishing and implementing safety system settings.
35. For new designs or significant modifications, it is advisable to design the plant such that during the first 30 min of a design basis accident, operator actions are not necessary to maintain plant parameters within the established limits.
36. A Safety Guide on design of auxiliary and supporting systems in nuclear power plants is also in preparation.
37. Functions other than principal functions include, for example, functions used to maintain or configure the device and functions that are not needed for the intended application.
38. Associated facilities include other facilities that might be affected by the operation of units of the nuclear power plant (e.g. other units on the same site).
39. Display of information in an easily understood form reduces operator cognitive workload. Designs of the human–machine interface that meet this guidance will, for example, minimize the need for operators to make mental calculations and transformations and to use recall memory.
40. Human physiological characteristics include, for example, visual/auditory perception and biomechanics (reach and motion).
41. Examples of distributed human–machine interface stations include the supplementary control room and other field locations where operator actions are expected to occur.
42. Interface examples include those between the software and the operator, between sensors and actuators, between computer hardware and other software, and between systems.
43. Timing performance includes failure detection and recovery times.
44. Examples of security measures are validity checks and access privileges.
45. The level of reliability and availability might be defined quantitatively or qualitatively, for example in terms of the supporting software requirements referred to in items (a)–(f) of para. 9.11 and the development processes (e.g. compliance with standards).
Tags applicable to this publication
- Publication type: Specific Safety Guide
- Publication number: SSG-39
- Publication year: 2016