U.S. Nuclear Regulatory Commission Standard in Detail (美国核监管会标准详.docx)

IMPLEMENTATION

Except in those cases in which a licensee proposes or has previously established an acceptable alternative method for complying with specified portions of the NRC's regulations, the NRC staff will use the methods described in this Interim Staff Guidance (ISG) to evaluate licensee compliance with NRC requirements as presented in submittals in connection with applications for standard plant design certifications and combined licenses.

This ISG provides acceptable methods for addressing HICRc in digital I&C system designs. This guidance is consistent with current Commission policy on digital I&C systems and is not intended to be a substitute for NRC regulations, but to clarify how a licensee or applicant may satisfy those regulations.

This ISG also clarifies the criteria the staff will use to evaluate whether an applicant/licensee digital system design is consistent with HICRc guidelines. The staff intends to continue interacting with stakeholders to refine digital I&C ISGs and to update associated guidance and generate new guidance where appropriate.

SCOPE

This Interim Staff Guidance addresses the design and review of digital systems proposed for safety-related service in nuclear power plants. These guidelines address only selected digital aspects of such systems. Such systems are also subject to requirements germane to safety-related systems, such as requirements for separation, independence, electrical isolation, seismic qualification, quality requirements, etc. cited in the General Design Criteria of Appendix A to Part 50 of Title 10 of the Code of Federal Regulations. Additional guidance applicable to such systems is also provided in various other NRC and industry documents.

This guidance specifically addresses issues related to interactions among safety divisions and between safety-related equipment and equipment that is not safety-related. This guidance is not applicable to interactions among equipment that are all in the same safety division or that do not involve anything that is safety-related. This guidance does address certain aspects of digital control systems that are not safety-related but which may affect the plant conformance to safety analyses (accident analyses, transient analyses, etc.).

This document presents guidance and also references requirements. In the interest of maintaining simplicity and focus upon the technical considerations, a distinction is not always clearly drawn between “guidance” and “requirements.” In some cases, requirements are described using the language of recommendations (for example, “should” rather than “must”). The reader is cautioned that this document does not alter any existing requirements, and that it is the responsibility of the applicant to ensure that all requirements are satisfied regardless of how they may be presented or addressed herein.

DEFINITION

The term “Highly-Integrated Control Room” (HICR) refers to a control room in which the traditional control panels, with their assorted gauges, indicating lights, control switches, annunciators, etc., are replaced by computer-driven consolidated operator interfaces. In an HICR:

- The primary means for providing information to the plant operator is by way of computer-driven display screens mounted on consoles or on the control room walls.
- The primary means for the operator to command the plant is by way of touch screens, keyboards, pointing devices or other computer-based provisions.

A digital workstation is in essence just one device. Unlike a conventional control panel, there is no way for its many functions to be independent of or separated from one another, because they all use the same display screen, processing equipment, operator interface devices, etc. Functions that must be independent must be implemented in independent workstations.

This ISG describes how controls and indications from all safety divisions can be combined into a single integrated workstation while maintaining separation, isolation, and independence among redundant channels. This ISG does not alter existing requirements for safety-related controls and displays to support manual execution of safety functions.

ORGANIZATION

Task Working Group (TWG) 4 has determined that HICRc is comprised of four basic areas of interest:

1. interdivisional communications: communications among different safety divisions or between a safety division and a non-safety entity
2. command prioritization: selection of a particular command to send to an actuator when multiple and conflicting commands exist
3. multidivisional control and display stations: use of operator workstations or displays that are associated with multiple safety divisions and/or with both safety and nonsafety functions
4. digital system network configuration: the network or other interconnection of digital systems that might affect plant safety or conformance to plant safety analysis assumptions (interconnections among safety divisions or between safety and nonsafety divisions should also satisfy the guidance provided for interdivisional communications)

Areas of Interest #1 through 3 are each addressed in a separate section below. Area of Interest #4 has implications concerning each of the first three and is incorporated into those sections as needed.

RATIONALE

In order to prepare this interim staff guidance, the Staff primarily relied upon: (1) 10 C.F.R. 50.55a(h), which invokes IEEE 603-1991; and (2) Regulatory Guide 1.152, which endorses IEEE 7-4.3.2-2003 (with comments).

IEEE 603-1991 requires, among other things, independence among redundant safety channels and redundant safety systems to be independent of one another. IEEE 7-4.3.2-2003 addresses digital communications (NOTE: Some provisions of IEEE 7-4.3.2 have been found to not be suitable for endorsement by the NRC. In addition, IEEE 7-4.3.2 is currently undergoing revision and the final version may or may not be found to be suitable for endorsement and may or may not be consistent with the guidance provided herein).

The guidance provided herein adheres to the principles set forth in IEEE 603-1991 and IEEE 7-4.3.2-2003 by describing means for ensuring independence among redundant safety channels while permitting some degree of interconnection and commonality among those independent channels.

REFERENCES

1. 10 C.F.R. 50.55a(h): U.S. Code of Federal Regulations, Part 50.55, “Conditions of construction permits,” Title 10, “Energy.” Washington, DC: U.S. Government Printing Office.
2. Regulatory Guide 1.152: NRC (2006). “Criteria for Digital Computers in Safety Systems of Nuclear Power Plants.” Washington, D.C.: U.S. Nuclear Regulatory Commission.
3. IEEE 603-1991: Institute of Electrical and Electronics Engineers (1991). “IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations - Description.” New York: Institute of Electrical and Electronics Engineers.
4. IEEE 7-4.3.2-2003: Institute of Electrical and Electronics Engineers (2003). “IEEE Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations.” New York: Institute of Electrical and Electronics Engineers.

1. INTERDIVISIONAL COMMUNICATIONS

SCOPE

As used in this document, interdivisional communications includes transmission of data and information among components in different electrical safety divisions and communications between a safety division and equipment that is not safety-related. It does not include communications within a single division. Interdivisional communications may be bidirectional or unidirectional.

STAFF POSITION

Bidirectional communications among safety divisions and between safety and nonsafety equipment is acceptable provided certain restrictions are enforced to ensure that there will be no adverse impact on safety systems.

Systems which include communications among safety divisions and/or bidirectional communications between a safety division and nonsafety equipment should adhere to the guidance described in the remainder of this section. Adherence to each point should be demonstrated by the applicant and verified by the reviewer. This verification should include detailed review of the system configuration and software specifications, and may also involve a review of selected software code.

1. A safety channel should not be dependent upon any information or resource originating or residing outside its own safety division to accomplish its safety function. This is a fundamental consequence of the independence requirements of IEEE 603. It is recognized that division voting logic must receive inputs from multiple safety divisions.

2. The safety function of each safety channel should be protected from adverse influence from outside the division of which that channel is a member. Information and signals originating outside the division must not be able to inhibit or delay the safety function. This protection must be implemented within the affected division (rather than in the sources outside the division), and must not itself be affected by any condition or information from outside the affected division. This protection must be sustained despite any operation, malfunction, design error, communication error, or software error or corruption existing or originating outside the division.

3. A safety channel should not receive any communication from outside its own safety division unless that communication supports or enhances the performance of the safety function. Receipt of information that does not support or enhance the safety function would involve the performance of functions that are not directly related to the safety function. Safety systems should be as simple as possible. Functions that are not necessary for safety, even if they enhance reliability, should be executed outside the safety system. A safety system designed to perform functions not directly related to the safety function would be more complex than a system that performs the
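Staff-position points 1 and 2 above can be illustrated with a sketch of one processing cycle of a safety channel; this is an added example, not code from the ISG or from any vendor platform. The message layout, the four-division count, the setpoint, the per-cycle limit and all names (`channel_cycle`, `msg_ok`, `ext_msg_t`) are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define N_DIVISIONS        4     /* assumed number of safety divisions */
#define MAX_MSGS_PER_CYCLE 4     /* fixed bound on inbound work per cycle */
#define TRIP_SETPOINT      1000  /* constructed setpoint, arbitrary units */
#define MSG_PEER_VOTE      1     /* the only inbound message type accepted */

typedef struct { uint8_t src_division, type, vote; } ext_msg_t;

typedef struct {
    bool     trip;                    /* this channel's own trip decision (latched) */
    uint8_t  peer_vote[N_DIVISIONS];  /* last accepted vote per peer, for the voter */
    unsigned accepted, dropped;
} channel_t;

/* Validation runs inside the receiving division and trusts nothing the sender claims. */
static bool msg_ok(const ext_msg_t *m, uint8_t own_div) {
    return m->src_division < N_DIVISIONS && m->src_division != own_div &&
           m->type == MSG_PEER_VOTE && m->vote <= 1;
}

/* One fixed-length cycle of a safety channel. */
void channel_cycle(channel_t *ch, uint8_t own_div, int32_t own_sensor,
                   const ext_msg_t *inbox, size_t n) {
    /* Point 1: the trip decision uses only this division's sensor and is made
       before any outside data is examined. No inbound message can clear it. */
    if (own_sensor >= TRIP_SETPOINT) ch->trip = true;

    /* Point 2: inbound handling is bounded, so a flood cannot stretch the cycle. */
    size_t limit = n < MAX_MSGS_PER_CYCLE ? n : MAX_MSGS_PER_CYCLE;
    for (size_t i = 0; i < limit; i++) {
        if (msg_ok(&inbox[i], own_div)) {
            ch->peer_vote[inbox[i].src_division] = inbox[i].vote;
            ch->accepted++;
        } else {
            ch->dropped++;
        }
    }
    ch->dropped += (unsigned)(n - limit);  /* excess messages are discarded unread */
}

int main(void) {
    /* Constructed flood: six messages, all with an unknown type. */
    ext_msg_t flood[6] = {{1, 9, 0}, {1, 9, 0}, {1, 9, 0}, {1, 9, 0}, {1, 9, 0}, {1, 9, 0}};
    channel_t ch = {0};
    channel_cycle(&ch, 0, 1200, flood, 6);
    return (ch.trip && ch.accepted == 0 && ch.dropped == 6) ? 0 : 1;
}
```

The drop counter gives the reviewer-facing evidence the staff position asks for: rejected traffic is observable inside the division without the trip path ever depending on it.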
