美国核监管会标准详.docx

美国核监管会标准详.docx

《美国核监管会标准详.docx》由会员分享，可在线阅读，更多相关《美国核监管会标准详.docx（33页珍藏版）》请在冰豆网上搜索。

美国核监管会标准详

IMPLEMENTATION

ExceptinthosecasesinwhichalicenseeproposesorhaspreviouslyestablishedanacceptablealternativemethodforcomplyingwithspecifiedportionsoftheNRC’sregulations,theNRCstaffwillusethemethodsdescribedinthisInterimStaffGuidance（ISG）toevaluatelicenseecompliancewithNRCrequirementsaspresentedinsubmittalsinconnectionwithapplicationsforstandardplantdesigncertificationsandcombinedlicenses.

ThisISGprovidesacceptablemethodsforaddressingHICRcindigitalI&Csystemdesigns.ThisguidanceisconsistentwithcurrentCommissionpolicyondigitalI&CsystemsandisnotintendedtobeasubstituteforNRCregulations,buttoclarifyhowalicenseeorapplicantmaysatisfythoseregulations.

ThisISGalsoclarifiesthecriteriathestaffwillusetoevaluatewhetheranapplicant/licenseedigitalsystemdesignisconsistentwithHICRcguidelines.ThestaffintendstocontinueinteractingwithstakeholderstorefinedigitalI&CISGsandtoupdateassociateguidanceandgeneratenewguidancewhereappropriate.

SCOPE

ThisInterimStaffGuidanceaddressesthedesignandreviewofdigitalsystemsproposedforsafety-relatedserviceinnuclearpowerplants.Theseguidelinesaddressonlyselecteddigitalaspectsofsuchsystems.Suchsystemsarealsosubjecttorequirementsgermanetosafety-relatedsystems,suchasrequirementsforseparation,independence,electricalisolation,seismicqualification,qualityrequirements,etc.citedintheGeneralDesignCriteriaofAppendixAtoPart50ofTitle10oftheCodeofFederalRegulations.AdditionalguidanceapplicabletosuchsystemsisalsoprovidedinvariousotherNRCandindustrydocuments.

Thisguidancespecificallyaddressesissuesrelatedtointeractionsamongsafetydivisionsandbetweensafety-relatedequipmentandequipmentthatisnotsafety-related.Thisguidanceisnotapplicabletointeractionsamongequipmentthatareallinthesamesafetydivisionorthatdonotinvolveanythingthatissafety-related.Thisguidancedoesaddresscertainaspectsofdigitalcontrolsystemsthatarenotsafety-relatedbutwhichmayaffecttheplantconformancetosafetyanalyses（accidentanalyses,transientanalyses,etc.）.

Thisdocumentpresentsguidanceandalsoreferencesrequirements.Intheinterestofmaintainingsimplicityandfocusuponthetechnicalconsiderations,adistinctionisnotalwaysclearlydrawnbetween“guidance”and“requirements.”Insomecases,requirementsaredescribedusingthelanguageofrecommendations（forexample,“should”ratherthan“must”）.Thereaderiscautionedthatthisdocumentdoesnotalteranyexistingrequirements,andthatitistheresponsibilityoftheapplicanttoensurethatallrequirementsaresatisfiedregardlessofhowtheymaybepresentedoraddressedherein.

DEFINITION

Theterm“Highly-IntegratedControlRoom”（HICR）referstoacontrolroominwhichthetraditionalcontrolpanels,withtheirassortedgauges,indicatinglights,controlswitches,annunciators,etc.,arereplacedbycomputer-drivenconsolidatedoperatorinterfaces.InanHICR:

•Theprimarymeansforprovidinginformationtotheplantoperatorisbywayofcomputer-drivendisplayscreensmountedonconsolesoronthecontrolroomwalls.

•Theprimarymeansfortheoperatortocommandtheplantisbywayoftouchscreens,keyboards,pointingdevicesorothercomputer-basedprovisions.

Adigitalworkstationisinessencejustonedevice.Unlikeaconventionalcontrolpanel,thereisnowayforitsmanyfunctionstobeindependentoforseparatedfromoneanother,becausetheyallusethesamedisplayscreen,processingequipment,operatorinterfacedevices,etc.Functionsthatmustbeindependentmustbeimplementedinindependentworkstations.

ThisISGdescribeshowcontrolsandindicationsfromallsafetydivisionscanbecombinedintoasingleintegratedworkstationwhilemaintainingseparation,isolation,andindependenceamongredundantchannels.ThisISGdoesnotalterexistingrequirementsforsafety-relatedcontrolsanddisplaystosupportmanualexecutionofsafetyfunctions.

ORGANIZATION

TaskWorkingGroup（TWG）4hasdeterminedthatHICRciscomprisedoffourbasicareasofinterest:

1.interdivisionalcommunications:

communicationsamongdifferentsafetydivisionsiorbetweenasafetydivisionandanon-safetyentity

2.commandprioritization:

selectionofaparticularcommandtosendtoanactuatorwhenmultipleandconflictingcommandsexist

3.multidivisionalcontrolanddisplaystations:

useofoperatorworkstationsordisplaysthatareassociatedwithmultiplesafetydivisionsand/orwithbothsafetyandnonsafetyfunctions

4.digitalsystemnetworkconfiguration:

thenetworkorotherinterconnectionofdigitalsystemsthatmightaffectplantsafetyorconformancetoplantsafetyanalysisassumptions（interconnectionsamongsafetydivisionsorbetweensafetyandnonsafetydivisionsshouldalsosatisfytheguidanceprovidedforinterdivisionalcommunications）AreasofInterest#1through3areeachaddressedinaseparatesectionbelow.AreaofInterest#4hasimplicationsconcerningeachofthefirstthreeandisincorporatedintothosesectionsasneeded.

RATIONALE

Inordertopreparethisinterimstaffguidance,theStaffprimarilyreliedupon:

（1）10C.F.R.§50.55a（h）,whichinvokesIEEE603-1991;and

（2）RegulatoryGuide1.152,whichendorsesIEEE7-4.3.2-2003（withcomments）.

IEEE603-1991requires,amongotherthings,independenceamongredundantsafetychannelsandredundantsafetysystemstobeindependentofoneanother.IEEE7-4.3.2-2003addressesdigitalcommunications（NOTE:

SomeprovisionsorIEEE7-4.3.2havebeenfoundtonotbesuitableforendorsementbytheNRC.Inaddition,IEEE7-4.3.2iscurrentlyundergoingrevisionandthefinalversionmayormaynotbefoundtobesuitableforendorsementandmayormaynotbeconsistentwiththeguidanceprovidedherein）.

TheguidanceprovidedhereinadherestotheprinciplessetforthinIEEE603-1991andIEEE7-4.3.2-2003bydescribingmeansforensuringindependenceamongredundantsafetychannelswhilepermittingsomedegreeofinterconnectionandcommonalityamongthoseindependentchannels.

REFERENCES

1.10C.F.R.§50.55a（h）

U.S.CodeofFederalRegulations,Part50.55,“Conditionsofconstructionpermits,”Title10,“Energy.”Washington,DC:

U.S.GovernmentPrintingOffice.

2.RegulatoryGuide1.152

NRC（2006）.“CriteriaforDigitalComputersinSafetySystemsofNuclearPowerPlants.”Washington,D.C.:

U.S.NuclearRegulatoryCommission.

3.IEEE603-1991

InstituteofElectricalandElectronicsEngineers（1991）.“IEEEStandardCriteriaforSafetySystemsforNuclearPowerGeneratingStations-Description.”NewYork:

InstituteofElectricalandElectronicsEngineers.

4.IEEE7-4.3.2-2003

InstituteofElectricalandElectronicsEngineers（2003）.“IEEEStandardCriteriaforDigitalComputersinSafetySystemsofNuclearPowerGeneratingStations.”NewYork:

InstituteofElectricalandElectronicsEngineers.

1.INTERDIVISIONALCOMMUNICATIONS

SCOPE

Asusedinthisdocument,interdivisionalcommunicationsincludestransmissionofdataandinformationamongcomponentsindifferentelectricalsafetydivisionsandcommunicationsbetweenasafetydivisionandequipmentthatisnotsafety-related.Itdoesnotincludecommunicationswithinasingledivision.Interdivisionalcommunicationsmaybebidirectionalorunidirectional.

STAFFPOSITION

Bidirectionalcommunicationsamongsafetydivisionsandbetweensafetyandnonsafetyequipmentisacceptableprovidedcertainrestrictionsareenforcedtoensurethattherewillbenoadverseimpactonsafetysystems.

Systemswhichincludecommunicationsamongsafetydivisionsand/orbidirectionalcommunicationsbetweenasafetydivisionandnonsafetyequipmentshouldadheretotheguidancedescribedintheremainderofthissection.Adherencetoeachpointshouldbedemonstratedbytheapplicantandverifiedbythereviewer.Thisverificationshouldincludedetailedreviewofthesystemconfigurationandsoftwarespecifications,andmayalsoinvolveareviewofselectedsoftwarecode.

1.Asafetychannelshouldnotbedependentuponanyinformationorresourceoriginatingorresidingoutsideitsownsafetydivisiontoaccomplishitssafetyfunction.ThisisafundamentalconsequenceoftheindependencerequirementsofIEEE603.Itisrecognizedthatdivisionvotinglogicmustreceiveinputsfrommultiplesafetydivisions.

2.Thesafetyfunctionofeachsafetychannelshouldbeprotectedfromadverseinfluencefromoutsidethedivisionofwhichthatchannelisamember.Informationandsignalsoriginatingoutsidethedivisionmustnotbeabletoinhibitordelaythesafetyfunction.Thisprotectionmustbeimplementedwithintheaffecteddivision（ratherthaninthesourcesoutsidethedivision）,andmustnotitselfbeaffectedbyanyconditionorinformationfromoutsidetheaffecteddivision.Thisprotectionmustbesustaineddespiteanyoperation,malfunction,designerror,communicationerror,orsoftwareerrororcorruptionexistingororiginatingoutsidethedivision.

3.Asafetychannelshouldnotreceiveanycommunicationfromoutsideitsownsafetydivisionunlessthatcommunicationsupportsorenhancestheperformanceofthesafetyfunction.Receiptofinformationthatdoesnotsupportorenhancethesafetyfunctionwouldinvolvetheperformanceoffunctionsthatarenotdirectlyrelatedtothesafetyfunction.Safetysystemsshouldbeassimpleaspossible.Functionsthatarenotnecessaryforsafety,eveniftheyenhancereliability,shouldbeexecutedoutsidethesafetysystem.Asafetysystemdesignedtoperformfunctionsnotdirectlyrelatedtothesafetyfunctionwouldbemorecomplexthanasystemthatperformsthe