
Instrumentation and control (3.7.1–3.7.33)

3.6.17. The habitability of control locations under design extension conditions with core melting should be addressed in this section of the safety analysis report. For remote sites, the description should include a demonstration of the habitability of these locations in the case of external hazards exceeding the design basis events combined with internal events.

Systems for the removal and control of fission products

3.6.18. This section should provide relevant information on the systems for the removal and control of fission products (if not already described as a part of the containment systems). The following specific information should be presented to demonstrate the performance capability of these systems:

(a) Considerations of the coolant pH and chemical conditioning in all necessary conditions of system operation;

(b) The effects on filter operability of postulated design basis loads due to fission products;

(c) The effects on filter operability of design basis release mechanisms for fission products.

Other engineered safety features

3.6.19. This section should present relevant information on any other engineered safety features implemented in the plant design that are not covered in any previous sections. Examples include the steam dump to the atmosphere and the backup cooling systems. The list of these systems to be described will depend on the type of plant under consideration. It should be decided whether certain systems (e.g. the auxiliary feedwater system) are described here or in chapter 9 of the safety analysis report, which deals with auxiliary systems in a much broader sense, or in chapter 10, which deals with steam and power conversion systems.

CHAPTER 7: INSTRUMENTATION AND CONTROL

and control systems is provided in IAEA Safety Standards Series No. SSG‑39, Design of Instrumentation and Control Systems for Nuclear Power Plants [30].

3.7.2. This chapter of the safety analysis report should identify the instruments and the associated equipment necessary for operational states and for accident conditions. All the important instrumentation and control components — those important to safety and those not important to safety — should be described in this section.

3.7.3. This chapter of the safety analysis report should also describe the instrumentation and control systems and components that are qualified for their intended function, during their service life and for all plant states.

Design basis, overall architecture and functional allocation of the instrumentation and control system

3.7.4. This section should identify all instrumentation, control and supporting systems, including alarm, communication and display instrumentation, and should specify the functions allocated to each individual system. Furthermore, this section should describe the following:

(a) The overall architecture of the instrumentation and control system;

(b) The design basis for the instrumentation and control system;

(c) Provisions for normal operation and accident conditions;

(d) Safety classification of instrumentation and control systems and equipment;

(e) The strategies for defence in depth and for diversity;

(f) The identification of safety criteria.

General design considerations for instrumentation and control systems

3.7.5. This section should describe how the applicable design criteria are addressed, taking into account the importance of the system to safety, and should include the following:

(a) Quality of components and modules;

(b) Software quality, including its verification, validation and life cycle processes, as applicable, together with the quality of the related safety system;

(c) A description of how the performance requirements of all supported systems are met;

(d) Potential hazards to the system, including inadvertent actuations, and hazards relating to error recovery, self‑testing and surveillance testing;

(e) Design criteria for access control, computer security and other aspects regarding nuclear security that might interfere with design criteria relating to safety;

(f) Redundancy and diversity requirements;

(g) Independence requirements;

(h) Fail‑safe design of the protection systems;

(i) System calibration, testing and surveillance;

(j) Design of bypass and inoperable status indications;

(k) Prevention of a fault propagation path for environmental effects (e.g. high energy electrical faults, lightning) from one redundant portion of a system to another, or from another system to a safety system;

(l) Analysis of the application of the concept of defence in depth and diversity analysis for each potential failure mode, common cause failure (including software) and exposure of the system to internal and external hazards;

(m) The human–machine interface;

(n) Set points;

(o) Hardware and software classification;

(p) Equipment qualification;

(q) Replacement, upgrades and modifications to instrumentation and control systems.

The description of how the ‘security by design’ principle is applied on the basis of a computer security analysis is typically given in a separate document that contains sensitive information (see paras 2.29 and 3.13.29).

Control systems important to safety

3.7.6. This section should provide relevant information on the control system and demonstrate that Requirement 60 of SSR‑2/1 (Rev. 1) [3] is met; that is:

“Appropriate and reliable control systems shall be provided at the nuclear power plant to maintain and limit the relevant process variables within the specified operational ranges.”

Reactor protection system

3.7.7. This section should provide relevant information on the reactor protection system and demonstrate that Requirement 61 of SSR‑2/1 (Rev. 1) [3] is met. In particular, information on the following specific aspects should be provided:

(a) The design bases for each individual reactor trip parameter, with reference to the postulated initiating events whose consequences the trip parameter is credited with mitigating.

(b) The specification of reactor trip system set points, time delays in system operation and uncertainties in measurement, and how these relate to the assumptions made in chapter 15 on safety analysis.

(c) Any interfaces with the actuation system for engineered safety features (including the use of shared signals and parameter measurement channels).

(d) Any interfaces with non‑safety‑related instrumentation, control or display systems, together with the provisions to ensure independence.

(e) The means employed to ensure the separation of redundant reactor trip system channels and the means by which coincidence signals are generated from redundant independent channels.

(f) Provisions for the manual actuation of the reactor trip system from the main control room, the supplementary control room and other emergency response facilities.

(g) In cases in which the actuation logic for the reactor trip is implemented by programmable digital means, a description of the development process that provides for disciplined specification and implementation of design requirements and the verification and validation activities planned to ensure that the final product is suitable for use. Interfaces with nuclear security provisions should be included as applicable (paras 2.29 and 3.13.29 should be taken into account).

(h) Monitoring, inspection, testing and maintenance of system and equipment.

Actuation systems for engineered safety features

3.7.8. This section should provide relevant information on the actuation systems for engineered safety features and demonstrate how Requirement 61 of SSR‑2/1 (Rev. 1) [3] is met. In particular, information on the specific aspects listed in para. 3.7.7 regarding the reactor protection system, as applicable, should be provided here also.

3.7.9. In some plant designs, the actuation systems for reactor trip and the actuation system for engineered safety features are designed as one system. In such cases, it should be demonstrated how the independence of safety systems is ensured, and the strategies to protect against common cause failure within the safety systems should be specified.

Systems required for safe shutdown

3.7.10. This section should describe the instrumentation and control systems required to achieve and maintain a safe state (these systems are described in chapters 5, 9 and 10 of the safety analysis report). This includes instrumentation and control systems used to maintain the reactor core in a subcritical condition and to provide adequate core cooling to achieve and maintain both hot and cold shutdown. A list should be provided of the indications, controls, alarms and displays available in the control room and in the supplementary control room that are used by operating personnel to bring the plant to a safe state, to confirm that a safe state has been reached and is maintained, and to monitor the status of the plant and the trends in key plant parameters.

Information systems important to safety

3.7.11. This section should describe plant information systems important to safety. The information provided should include the following:

(a) A list of the parameters that are measured, the physical locations of the sensors, and the environmental qualification envelope, defined by the most severe operational states or accident conditions and by how long the reliable operation of the sensors is required.

(b) A specification of the parameters that are monitored by the plant computer displays in the control room, in the supplementary control room and in other emergency response facilities. The characteristics of any computer software (e.g. scan frequency, parameter validation and cross‑channel sensor checking) used for filtering, analysis of trends, generation of alarms and long term storage of data should be described. If data processing and storage are performed by multiple computers, the means of achieving the synchronization of the different computer systems should also be described.

3.7.12. This section should also provide relevant information on any other diagnostic and instrumentation systems required for safety, for example any particular system needed for the management of severe accidents, leak detection systems, monitoring systems for vibrations and loose parts, and protective interlock systems that are credited in the safety analyses with preventing damage to safety related equipment and preventing accidents of certain types.

Interlock systems important to safety

3.7.13. This section should describe all other instrumentation systems that include interlock systems important to safety.

3.7.14. This section should describe relevant analyses and considerations of interlocks that prevent overpressurization of low pressure systems, interlocks to prevent overpressurization of the reactor coolant system during low temperature conditions, interlocks to isolate safety systems from non‑safety systems and interlocks to preclude inadvertent interconnections between redundant or diverse safety systems for the purposes of testing or maintenance.

Diverse actuation system

3.7.15. This section should provide a description of the design of the diverse actuation system, including sensors, initiating circuits, bypasses, interlocks, priority actuation logic for automatic and manual control of plant equipment, operator interfaces, and support systems.

3.7.16. This section should provide an assessment of the level of diversity in digital instrumentation and control system architecture, a description of the independence of the safety functions, information on the application of the single failure criterion, a consideration of common cause failure, and the safety classification and qualification requirements. All plant states should be taken into account in the assessment.

Data communication systems

3.7.17. This section should describe all the data communication systems that are part of (or support) the other systems described in this chapter of the safety analysis report, addressing both safety and non‑safety data communication systems.

3.7.18. The information provided should be sufficient to demonstrate that the data communication systems conform to relevant regulatory requirements and associated regulatory guidance and to recommendations in industry codes and standards applicable to data communication systems.

3.7.19. The means of and criteria for determining if a function has failed as a result of a communications failure should also be described.

Instrumentation and control in the main control room

3.7.20. This section should provide a description of the general philosophy followed in the design of the main control room and demonstrate that Requirement 65 of SSR‑2/1 (Rev. 1) [3] is met.

3.7.21. This section should describe how the instrumentation and control systems allow the operating personnel in the control room to initiate or take manual control of each function necessary to control the plant and maintain safety.

3.7.22. This section should provide a description of the main control room layout, with emphasis on the presentation of information from the instrumentation and control in the main control room and the human–machine interface, including the following:

(a) Demonstration that there are sufficient displays in the control room to monitor all functions important to safety;

(b) The means by which the status of the plant is displayed;

(c) The means by which the safety status and trends of the key plant operating parameters are displayed;

(d) The safety classified indications and controls to implement emergency operating procedures and severe accident management guidelines.

3.7.23. This section should describe how the human–machine interface aspects of the design of the main control room conform to the human factors engineering programme described in chapter 18 of the safety analysis report.

3.7.24. The instrumentation and control relating to the habitability of the main control room, the supplementary control room and other emergency response facilities should also be described and should be consistent with the description of the corresponding systems in chapter 6 of the safety analysis report.

Instrumentation and control in supplementary control rooms

3.7.25. This section should provide an appropriate description of the supplementary control room functions and layout and should demonstrate that Requirement 66 of SSR‑2/1 (Rev. 1) [3] is met.

3.7.26. This section should describe how the supplementary control room contains controls, indications, alarms and displays that are sufficient for the operator to bring the plant to a safe state, to confirm that a safe state has been reached and is maintained, and to monitor the status of the plant and the trends in key plant parameters.

3.7.27. This section should describe how the human–machine interface aspects of the design of the supplementary control room conform to the human factors engineering programme described in chapter 18 of the safety analysis report.

3.7.28. The means of physical and electrical isolation between the plant systems and the communication signals routed to the main control room and the supplementary control room should be described in detail to demonstrate that the supplementary control room is redundant and independent of the main control room.

3.7.29. The mechanisms for transferring priority control and communications from the main control room to the supplementary control room should be described so as to demonstrate how this transfer would occur under accident conditions.

Emergency response facilities

3.7.30. This section should describe the instrumentation and control in the emergency response facilities (see paras 3.19.8 and 3.19.9) and should demonstrate that Requirement 67 of SSR‑2/1 (Rev. 1) [3] is met. In particular, it should be shown that information about important plant parameters and the radiological conditions at the plant and in its surroundings, and a means of communication on the site and off the site, are provided to the emergency response facilities.

This should include those facilities provided for plant staff to perform expected tasks for managing the response to an emergency under conditions generated by accidents and hazards, including certain control functions, if applicable.

Automatic control systems not important to safety

3.7.31. This section should describe the automatic control systems not important to safety. It should be demonstrated that postulated failures of these control systems will not degrade the operation of systems important to safety. It should also be demonstrated that the effects of a failure of an automatic control system will not create a condition that exceeds the acceptance criteria or assumptions established for design basis accidents.

Digital instrumentation and control systems

3.7.32. If digital instrumentation and control systems are used, this section should describe the overall scope of their application, including information on the following:

(a) The design qualification of digital systems, including software verification and validation;

(b) Protection against common cause failure;

(c) Functional requirements when implementing a digital protection system;

(d) Qualification and verification of predeveloped software;

(e) Software tools used to support the life cycle development of digital systems;

(f) Digital data communication.

The information provided in this section should demonstrate that Requirement 63 of SSR‑2/1 (Rev. 1) [3] is met. Additionally, information to demonstrate that security measures for digital instrumentation and control systems [31] do not interfere with safety provisions should be provided (see para. 3.13.29).

Hazard analysis for instrumentation and control systems

3.7.33. This section should provide relevant information to demonstrate that the hazard analysis undertaken for instrumentation and control systems considered all plant states and modes of normal operation, including transitions between different modes of normal operation and the failure or non‑availability of instrumentation and control systems.

CHAPTER 8: ELECTRICAL POWER

Description of the electrical power system

3.8.1. This chapter of the safety analysis report should provide relevant information on the electrical power systems. The information provided for individual electrical power systems should follow, to the extent applicable, the structure specified in Appendix II.

3.8.2. This chapter of the safety analysis report should describe how Requirement 68 of SSR‑2/1 (Rev. 1) [3] on withstanding the loss of off‑site power is met. Specific recommendations and guidance regarding the design of electrical power systems are provided in IAEA Safety Standards Series No. SSG‑34, Design of Electrical Power Systems for Nuclear Power Plants [32].

3.8.3. This chapter should provide definitions, design features and classifications of the off‑site power system, the on‑site power system, the standby power system, and the alternate alternating current (AC) and direct current (DC) power systems.

3.8.4. The prioritization of the power supply from the power supply systems described in para. 3.8.3 to the non‑safety loads and to the safety loads, during operational states and in accident conditions, should be described.

3.8.5. This chapter of the safety analysis report should also provide relevant information on how the safety power systems can be supplied (i.e. by either the preferred power supplies or the standby power sources). The description should include the alternate AC power system that supplies the safety power systems in design extension conditions.

General principles and design approach

3.8.6. In addition to the safety design criteria and rules and regulations, information on the following issues specific to electrical systems should be included:

(a) Postulated initiating events considered in the design, together with the functional requirements applicable to the electrical systems under the steady state conditions, short term operation conditions and transient conditions defined in the design basis;

(b) The impact of such events on all the on‑site electrical power systems (AC and DC);

(c) The plant’s capability to continue to fulfil safety functions and to remove decay heat from spent fuel for the period for which the plant is in a station blackout condition (loss of all AC power supplies);

(d) The design for reliability (redundancy, independence, diversity);

(e) The possibility of common cause failures that could render the safety power systems unavailable to fulfil their safety functions when called on, in the design, maintenance, testing and operation of the safety power systems and their support systems;

(f) The specific divisions of the electrical power systems in the plant, including the various system voltages and the designation of parts of the system that are considered essential;

(g) A demonstration of the functional adequacy of the electrical power systems important to safety (including breakers) and assurance that these systems have adequate redundancy, physical separation, independence and testability, in conformance with the design criteria;

(h) A general description of the off‑site power system, which is composed of the transmission system (grid), the switchyard connecting the plant with the grid and its interconnection to other grids, and the connection points to the on‑site electrical system (or switchyard);

(i) The provisions for replacement and upgrades of and modifications to the electrical power systems.

Off‑site power systems

3.8.7. This section should provide information relevant to the plant on the off‑site electrical power systems. It should include a description of the off‑site power systems, with emphasis on features for control and protection (breaker arrangements, manual and automatic disconnect switches) at the interconnection to the on‑site power system.

3.8.8. This section should also describe the design requirements for the off‑site power system (e.g. the switchyard design, the number of circuits to the on‑site power system) — including the design requirements to support the safety function of the system — to provide sufficient reliability, capacity and capability.

3.8.9. This section should describe the design provisions used to protect the plant from off‑site electrical disturbances and to maintain the power supply to in‑plant auxiliaries. Information on grid reliability should also be provided, as should information on design provisions necessary to cope with frequent grid failures.

3.8.10. This section should describe the failure mode and effects analysis for off‑site power system components. In addition, the results of a grid stability analysis (including stability after the main generator trip) should be provided.

On‑site AC power systems

3.8.11. This section should provide relevant information on the AC power system at the plant and its main equipment. It should include a description of the on‑site AC power systems, including the standby AC power systems (diesel or gas turbine driven systems), the generator configuration and the uninterruptible AC power system available for anticipated operational occurrences and accident conditions. Information on the selection of the following should also be included:

(a) Undervoltage (underfrequency and overvoltage) protection set points;

(b) Short circuit protection measures;

(c) Power quality limits;

(d) Equipment size, protection measures and means of coordination.

3.8.12. This section should describe the power requirements for each AC load in the plant, including the following:

(a) The steady state load and the startup kilovolt‑amperes for motor loads;

(b) The nominal voltage and the allowable voltage drop (to achieve full functional capability within the required time period);

(c) The sequence and time necessary to achieve full functional capability for each load;

(d) The nominal frequency and the allowable frequency fluctuation;

(e) The number of divisions and the minimum number of divisions of engineered safety features to be energized simultaneously.

3.8.13. This section should describe the following:

(a) How the on‑site AC power system is engineered to ensure the reliable delivery of emergency power to engineered safety features and uninterruptible AC power system loads.

(b) In the event of a loss of off‑site power, how the standby AC power source is started and safety loads are sequenced to the safety buses without overloading the primary mover, and in time frames consistent with the assumptions presented in chapter 15 on safety analysis.

(c) In design basis accidents with a subsequent loss of off‑site power, how the required safety loads can be sequenced onto the standby AC power source without overloading the primary mover and in time frames consistent with the assumptions presented in chapter 15 on safety analysis.

(d) How uninterruptible AC power is continuously provided to essential safety systems and instrumentation and control systems important to safety, irrespective of the availability of off‑site AC power.

(e) How an alternate AC power supply is provided at the nuclear power plant, if the plant design depends on AC power to bring the plant to a controlled state following loss of off‑site power and on‑site safety standby power sources.

It should also be described how the alternate AC power supply addresses diversity (e.g. that it is not susceptible to the events that caused the loss of on‑site and off‑site power sources) and has sufficient capacity to operate the systems necessary for coping with a station blackout, and how auxiliaries are qualified for their intended use.

(f) The provisions for the protection of AC power systems.