C systems and is not intended to be a substitute for NRC regulations, but to clarify how a licensee or applicant may satisfy those regulations.
This ISG also clarifies the criteria the staff will use to evaluate whether an applicant/licensee digital system design is consistent with HICR guidelines. The staff intends to continue interacting with stakeholders to refine digital I&C ISGs and to update associated guidance and generate new guidance where appropriate.
SCOPE
This Interim Staff Guidance addresses the design and review of digital systems proposed for safety-related service in nuclear power plants. These guidelines address only selected digital aspects of such systems. Such systems are also subject to requirements germane to safety-related systems, such as requirements for separation, independence, electrical isolation, seismic qualification, quality requirements, etc., cited in the General Design Criteria of Appendix A to Part 50 of Title 10 of the Code of Federal Regulations. Additional guidance applicable to such systems is also provided in various other NRC and industry documents.
This guidance specifically addresses issues related to interactions among safety divisions and between safety-related equipment and equipment that is not safety-related. This guidance is not applicable to interactions among equipment that are all in the same safety division or that do not involve anything that is safety-related. This guidance does address certain aspects of digital control systems that are not safety-related but which may affect the plant conformance to safety analyses (accident analyses, transient analyses, etc.).
This document presents guidance and also references requirements. In the interest of maintaining simplicity and focus upon the technical considerations, a distinction is not always clearly drawn between “guidance” and “requirements.” In some cases, requirements are described using the language of recommendations (for example, “should” rather than “must”). The reader is cautioned that this document does not alter any existing requirements, and that it is the responsibility of the applicant to ensure that all requirements are satisfied regardless of how they may be presented or addressed herein.
DEFINITION
The term “Highly-Integrated Control Room” (HICR) refers to a control room in which the traditional control panels, with their assorted gauges, indicating lights, control switches, annunciators, etc., are replaced by computer-driven consolidated operator interfaces. In an HICR:
• The primary means for providing information to the plant operator is by way of computer-driven display screens mounted on consoles or on the control room walls.
• The primary means for the operator to command the plant is by way of touch screens, keyboards, pointing devices or other computer-based provisions.
A digital workstation is in essence just one device. Unlike a conventional control panel, there is no way for its many functions to be independent of or separated from one another, because they all use the same display screen, processing equipment, operator interface devices, etc. Functions that must be independent must be implemented in independent workstations.
This ISG describes how controls and indications from all safety divisions can be combined into a single integrated workstation while maintaining separation, isolation, and independence among redundant channels. This ISG does not alter existing requirements for safety-related controls and displays to support manual execution of safety functions.
ORGANIZATION
Task Working Group (TWG) 4 has determined that HICR is comprised of four basic areas of interest:
1. interdivisional communications:
communications among different safety divisions or between a safety division and a non-safety entity
2. command prioritization:
selection of a particular command to send to an actuator when multiple and conflicting commands exist
3. multidivisional control and display stations:
use of operator workstations or displays that are associated with multiple safety divisions and/or with both safety and nonsafety functions
4. digital system network configuration:
the network or other interconnection of digital systems that might affect plant safety or conformance to plant safety analysis assumptions (interconnections among safety divisions or between safety and nonsafety divisions should also satisfy the guidance provided for interdivisional communications)
Areas of Interest #1 through 3 are each addressed in a separate section below. Area of Interest #4 has implications concerning each of the first three and is incorporated into those sections as needed.
RATIONALE
In order to prepare this interim staff guidance, the Staff primarily relied upon:
(1) 10 C.F.R. § 50.55a(h), which invokes IEEE 603-1991; and
(2) Regulatory Guide 1.152, which endorses IEEE 7-4.3.2-2003 (with comments).
IEEE 603-1991 requires, among other things, that redundant safety channels and redundant safety systems be independent of one another. IEEE 7-4.3.2-2003 addresses digital communications (NOTE: Some provisions of IEEE 7-4.3.2 have been found to not be suitable for endorsement by the NRC. In addition, IEEE 7-4.3.2 is currently undergoing revision and the final version may or may not be found to be suitable for endorsement and may or may not be consistent with the guidance provided herein).
The guidance provided herein adheres to the principles set forth in IEEE 603-1991 and IEEE 7-4.3.2-2003 by describing means for ensuring independence among redundant safety channels while permitting some degree of interconnection and commonality among those independent channels.
REFERENCES
1. 10 C.F.R. § 50.55a(h)
U.S. Code of Federal Regulations, Part 50.55, “Conditions of construction permits,” Title 10, “Energy.” Washington, DC: U.S. Government Printing Office.
2. Regulatory Guide 1.152
NRC (2006). “Criteria for Digital Computers in Safety Systems of Nuclear Power Plants.” Washington, D.C.: U.S. Nuclear Regulatory Commission.
3. IEEE 603-1991
Institute of Electrical and Electronics Engineers (1991). “IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations - Description.” New York: Institute of Electrical and Electronics Engineers.
4. IEEE 7-4.3.2-2003
Institute of Electrical and Electronics Engineers (2003). “IEEE Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations.” New York: Institute of Electrical and Electronics Engineers.
1. INTERDIVISIONAL COMMUNICATIONS
As used in this document, interdivisional communications includes transmission of data and information among components in different electrical safety divisions and communications between a safety division and equipment that is not safety-related. It does not include communications within a single division. Interdivisional communications may be bidirectional or unidirectional.
STAFF POSITION
Bidirectional communications among safety divisions and between safety and nonsafety equipment is acceptable provided certain restrictions are enforced to ensure that there will be no adverse impact on safety systems.
Systems which include communications among safety divisions and/or bidirectional communications between a safety division and nonsafety equipment should adhere to the guidance described in the remainder of this section. Adherence to each point should be demonstrated by the applicant and verified by the reviewer. This verification should include detailed review of the system configuration and software specifications, and may also involve a review of selected software code.
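The following is an added illustration, not part of the ISG and not any vendor's code, of how the positions listed below can be realized inside a receiving division: a 2-out-of-4 trip voter whose own vote uses only its division's sensor, and which validates the votes received from the other three divisions within the division itself, treating any missing, corrupted or stale vote as a trip vote so that a fault originating outside the division cannot inhibit or delay the safety function. The message layout, CRC, setpoint and staleness limit are constructed assumptions, and treating an invalid vote as a trip is one conservative design choice rather than something the ISG prescribes.

```python
# Added illustration (assumptions throughout): one safety division's 2oo4 trip voter.
# Position 1: the division's own trip decision depends only on its own sensor.
# Position 2: votes received from other divisions are validated *here*, in the
# receiving division, and anything missing, malformed, corrupted or stale is
# counted as a trip vote, so outside faults can never inhibit or delay the trip.
import struct
import zlib

TRIP_SETPOINT = 2250.0        # constructed setpoint (e.g. psig); assumption
MAX_AGE_CYCLES = 3            # a vote older than this many cycles is stale; assumption
MSG = struct.Struct("<BIB")   # constructed wire format: division id, cycle counter, trip flag
VALID_DIVISIONS = (1, 2, 3, 4)

def own_vote(pressure: float) -> bool:
    """Division-local trip decision: uses nothing from outside the division."""
    return pressure >= TRIP_SETPOINT

def encode_vote(division: int, cycle: int, trip: bool) -> bytes:
    """Build a vote message: body followed by a CRC32 over the body."""
    body = MSG.pack(division, cycle, int(trip))
    return body + struct.pack("<I", zlib.crc32(body))

def decode_vote(raw, now_cycle: int) -> bool:
    """Validate a received vote. Any doubt resolves to True (trip), i.e. fail-safe."""
    if raw is None or len(raw) != MSG.size + 4:
        return True                               # missing or wrong length
    body, crc = raw[:MSG.size], raw[MSG.size:]
    if zlib.crc32(body) != struct.unpack("<I", crc)[0]:
        return True                               # corrupted in transit
    division, cycle, flag = MSG.unpack(body)
    if division not in VALID_DIVISIONS:
        return True                               # unknown source
    if cycle > now_cycle or now_cycle - cycle > MAX_AGE_CYCLES:
        return True                               # stale or implausible counter
    return bool(flag)

def vote_2oo4(pressure: float, received, now_cycle: int) -> bool:
    """Trip if at least two of the four votes (own + three received) say trip."""
    votes = [own_vote(pressure)] + [decode_vote(r, now_cycle) for r in received]
    return sum(votes) >= 2
```

Because invalid input from outside the division can only add trip votes, a flood of garbage, a stalled link or a wrong-length frame degrades toward a spurious trip, never toward a blocked one.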
1. A safety channel should not be dependent upon any information or resource originating or residing outside its own safety division to accomplish its safety function. This is a fundamental consequence of the independence requirements of IEEE 603. It is recognized that division voting logic must receive inputs from multiple safety divisions.
2. The safety function of each safety channel should be protected from adverse influence from outside the division of which that channel is a member. Information and signals originating outside the division must not be able to inhibit or delay the safety function. This protection must be implemented within the affected division (rather than in the sources outside the division), and must not itself be affected by any condition or information from outside the affected division. This protection must be sustained despite any operation, malfunction, design error, communication error, or software error or corruption existing or originating outside the division.
3. A safety channel should not receive any communication from outside its own safety division unless that communication supports or enhances the performance of the safety function. Receipt of information that does not support or enhance the safety function would involve the performance of functions that are not directly related to the safety function. Safety systems should be as simple as possible. Functions that are not necessary for safety, even if they enhance reliability, should be executed outside the safety system. A safety system designed to perform functions not directly related to the safety function would be more complex than a system that performs the