KTA 3501 (1985-06) Reactor Protection System and ... 3501 Page 3 KTA SAFETY STANDARD June 1985...


Safety Standards of the Nuclear Safety Standards Commission (KTA)

KTA 3501 (1985-06) Reactor Protection System and Monitoring Equipment of the Safety System (Reaktorschutzsystem und Überwachungseinrichtungen des Sicherheitssystems)

The previous version of this safety standard was issued in 1978-08

If there is any doubt regarding the information contained in this translation, the German wording shall apply.

Editor: Gesellschaft für Reaktorsicherheit (GRS) mbH, Schwertnergasse 1, D-5000 Köln 1, F.R.G. Phone (0221) 20 68-0, Teletex 2214 123 grs d


KTA 3501 Page 3

KTA SAFETY STANDARD

June 1985

Reactor Protection System and Monitoring Equipment of the Safety System

KTA 3501

Previous versions of this safety standard: 1977-03 (BAnz No. 107 of June 11, 1977)

Contents

Nuclear Safety Standards Commission (KTA) ..... 1
Comments by the Editor ..... 4
Basic Principles ..... 5
1 Scope ..... 5
2 Definitions ..... 5
3 Determination of Required Functions of the Reactor Protection System ..... 10
3.1 Basic Requirements ..... 10
3.2 Chains of Events and Consequential Effects ..... 10
3.3 Initial Plant Condition ..... 10
3.4 Detection of Incidents ..... 10
4 Design Principles for the Reactor Protection ..... 10
4.1 Basic Requirements ..... 10
4.2 Failure-Inducing Events ..... 10
4.3 Design Against Failure-Inducing Events Outside of the Nuclear Power Plant ..... 11
4.4 Combination of Failures ..... 11
4.5 Initiation of Protective Actions ..... 16
4.6 Redundancy and Independence ..... 16
4.7 Separation of the Reactor Protection System from other Systems ..... 16
4.8 Operation of the Reactor Protection System during Maintenance Tasks ..... 17
4.9 Coordination of the Reactor Protection System and Active Safety System Equipment ..... 17
4.10 Monitoring Readiness and Capability for Testing ..... 17
4.11 Protective Limitations ..... 18
4.12 Functional Group Control of the Reactor Protection System ..... 18
4.13 Determining the Limit Values for the Initiation of Protective Actions ..... 18
4.14 Manual Actions ..... 18
5 Design of the Reactor Protection System ..... 18
5.1 Equipment Quality ..... 18
5.2 Environmental Effects ..... 19
5.3 Spatial Layout Separation of Redundant Systems ..... 19
5.4 Mechanical Construction ..... 20
5.5 Construction of Protection System Subunits ..... 20
5.6 Circuitry ..... 21
6 Equipment Protection ..... 21
7 Limitations of Process Variables ..... 22
8 Ventilation Systems for Cooling the Reactor Protection ..... 22
9 Electrical Power ..... 22
10 Alarms ..... 22
10.1 General ..... 22
10.2 Class S Alarm Equipment ..... 22
10.3 Class I Alarm Equipment ..... 23
11 Tests and Inspections ..... 23
11.1 Tests and Inspections of the Reactor Protection System and of the Equipment of Class S Alarms ..... 23
11.2 Tests and Inspections of the Equipment for Class I Alarms ..... 24
12 Compilation of Information on the Reactor Protection System Required in the Licensing and Supervisory Procedure ..... 24
Appendix A Regulations Referred to in this Safety Standard ..... 24

PLEASE NOTE: Only the original German version of this safety standard represents the joint resolution of the 50-member Nuclear Safety Standards Commission (Kerntechnischer Ausschuss, KTA). The German version was made public in the Bundesanzeiger (BAnz) of January 23, 2013. Copies may be ordered through the Wolters Kluwer Deutschland GmbH, Postfach 2352, 56513 Neuwied, Germany (Telefax +49 (0) 2631 801-2223, E-Mail: [email protected]).

All questions regarding this English translation should please be directed to:

KTA-Geschaeftsstelle c/o BfS, Willy-Brandt-Str. 5, 38226 Salzgitter, Germany


KTA 3501 Page 4

Comments by the Editor:

Taking into account the meaning and usage of auxiliary verbs in the German language, in this translation the following agreements are effective:

shall indicates a mandatory requirement,

shall basically is used in the case of mandatory requirements to which specific exceptions (and only those!) are permitted. It is a requirement of the KTA that these exceptions - other than those in the case of shall normally - are specified in the text of the safety standard,

shall normally indicates a requirement to which exceptions are allowed. However, exceptions used shall be substantiated during the licensing procedure,

should indicates a recommendation or an example of good practice,

may indicates an acceptable or permissible method within the scope of this safety standard.


KTA 3501 Page 5

Basic Principles

(1) KTA Safety Standards have the purpose of specifying safety-related requirements by the adherence of which the precautions required according to the state of the art regarding dangers from the construction and operation of the nuclear facility are taken (Sec. 7 para. 2 Nr. 3 Atomic Energy Act), thus achieving, in particular, the protective goals of the Atomic Energy Act and the Radiological Protection Ordinance.

(2) Based on Criteria 2.1 "Quality Assurance", 2.2 "Testability", 5.1 "Monitoring and Alarm Equipment" and 6.1 "Reactor Protection System" of the Safety Criteria for Nuclear Power Plants by the Federal Minister of Interior, this safety standard specifies the requirements of the reactor protection system and of the monitoring equipment of the safety system.

(3) This safety standard is supplemented by the safety standards KTA 3503 "Type Testing of Electrical Modules of the Reactor Protection System", KTA 3504 "Electrical Drives of the Safety System", KTA 3505 "Type Testing of Measuring Transmitters and Transducers of the Reactor Protection System", KTA 3506 "System Test of the Electrotechnical Equipment of the Safety System" and KTA 3507 "Factory Tests on Electrotechnical Modules, Equipment and System Components of the Safety System".

(4) The electrical power supply of the safety system, in addition to Section 9, is also treated in the safety standards KTA 3701 through KTA 3705.

(5) The requirements regarding the ventilation equipment for cooling the reactor protection system, in addition to Section 8, are also treated in KTA 3601 "Ventilation and Air Filtration Systems in Nuclear Power Plants".

(6) The requirements regarding the "demonstration of durability of electrical equipment under incident conditions" are being treated in safety standard KTA 3706. The results of this standardization work are closely related to KTA 3503 and KTA 3505 (see (3) above).

(7) The general requirements regarding quality assurance according to KTA 1401 also apply.

(8) This safety standard is based on the assumption that the requirements of conventional regulations and standards (e.g., Accident Prevention Regulations, DIN-Standards, VDE-Regulations) are met if other nuclear power plant specific requirements are not specified.

1 Scope

(1) This safety standard applies to the reactor protection system and to the monitoring equipment of the safety system of stationary nuclear power plants.

(2) This safety standard specifies requirements for the design, equipment quality, installation and testing of the reactor safety system and its components. It comprises a summary of design criteria, the requirements regarding quality and quality assurance and the requirements regarding the functional capability of the reactor protection system.

(3) This safety standard specifies the basic requirements regarding the recording equipment, the alarm equipment for class I alarms, as well as the limitations of process variables and the equipment protection devices whose signals have priority over the signals of the reactor protection system. Detailed design requirements regarding this equipment are not part of this safety standard.

(4) Not part of the scope of this safety standard are:

a) those parts of the controls required only during specified normal operation, the operational interlocks, the operational limitations and the equipment for class II alarms,

b) the devices of the equipment protection whose signals do not have priority over the signals of the reactor protection system. Note: Requirements for this equipment are specified in the safety standards KTA 3504 and KTA 3705.

c) the electrical drives, the power cables, the switchgear connections including the control circuitry. Note: Requirements for this equipment are specified in the safety standards KTA 3701 through KTA 3705.

2 Definitions

The following words are defined in this safety standard and are given here in alphabetical order:

active safety system equipment (49)
actuation signals (11)
binary monitor (58)
class I alarm (21)
class II alarm (22)
class S alarm (20)
coincidence logic (31)
common-mode failure (10)
comparator (56)
computing circuit (34)
control level (53)
critical load test (24)
equipment diversity (23)
equipment protection (1)
erroneous initiation (17)
failure (9)
fault (55)
full protective action (46)
functional group control (19)
incident (54)
individual drive control (16)
initiation channel (3)
initiation channel group (4)
initiation criterion (5)
initiation level (2)
initiation signal (6)
limitation of process variable (61)
limit signal (25)
limit value monitor (26)
limit value of the limit value monitor (27)
logic gating (30)
logic level (29)
maintenance (28)
non-equivalence monitor (8)
non-interaction (37)
operational interlock (15)
operational limitation (13)
operational system (14)
partial protective action (42)
part of the safety system equipment (51)
passive safety equipment (49)
priority control (57)
process variable (32)
protection bypass (44)
protection system subunit (45)
protective action (38)
protective action, not definitely safety-oriented (40)
protective action, safety-oriented (39)
protective limitation (41)
protective subsystem (43)
random failure (60)
reactor protection system (33)
redundancy (35)
redundancy group (36)
response delay (7)
safety margin (48)
safety system (50)
safety variable (52)
secondary failure (18)
self-monitoring (47)
specified normal operation (12)
works inspector (59)

KTA 3501 Page 6

(1) Equipment protection The equipment protection is a device allocated to a component and designed such that it should protect it against operating conditions for which the component is not designed and intended.

(2) Initiation level The initiation level is that part of the reactor protection system encompassing all initiation channel groups.

(3) Initiation channel The initiation channel is a device required for monitoring and conditioning process variables and for the creation of an initiation signal. An initiation channel comprises all equipment beginning with the sensor and ending at the output of a limit value monitor.

(4) Initiation channel group The initiation channel group is a system of several initiation channels for the redundant monitoring of process variables and the creation of redundant initiation signals.

(5) Initiation criterion The initiation criterion is that condition under which a protective action is initiated.

(6) Initiation signal The initiation signal is the output signal of an initiation channel and the input signal into the logic level.

(7) Response delay The response delay is the sum of those characteristics of a system that determine the delay between the onset of the input signal and the output of the output signal.

(8) Non-equivalence monitor The non-equivalence monitor is a device for monitoring binary circuit outputs for the unambiguity of their output signals (e.g. interrupted and shorted circuits).

(9) Failure A failure is the break-down of a component in such a way that it no longer is able to perform one or more design requirements.

(10) Common-mode failure

The common-mode failure is the failure of components due to the same cause.

Note: The common-mode failure can be caused by, e.g., wrong design, faults in a production series, incorrect operation, flooding or fire in the plant.

(11) Actuation signal The actuation signal is an output signal of the logic level or of the control level which initiates protective actions.

(12) Specified normal operation

a) Operating processes for which the plant, assuming the functional condition of all systems (unperturbed condition), is intended and suited (normal operation);

b) Operating processes which occur in the event of malfunctions in parts of the plant or in systems (perturbed condition), in so far as safety-related reasons do not stand against continued operation (abnormal operation);

c) Maintenance procedures (inspections, servicing, repair).

(13) Operational limitation The operational limitation is a device that limits process variables to specified values in order to increase plant availability.

(14) Operational system The operational system comprises all devices, circuit systems and auxiliary systems necessary only for specified normal operation.

(15) Operational interlock The operational interlock is a device for the operational control or operational protection of components and systems.

(16) Individual drive controls The individual drive controls are the controlling device for the individual drive.

Note: This safety standard specifies the requirements for the individual drive controls of the reactor protection system (including the coupling relays). The requirements for the subsequent control circuitry are specified in safety standard KTA 3705.

(17) Erroneous initiation The erroneous initiation is the initiation of a signal that was not warranted by the plant condition.

(18) Secondary failure (cascading failure) The secondary failure is the failure (indirectly) caused by an incident or by a failure inducing event.

(19) Functional group control The functional group control is an automatic control device for functionally related parts of a specific process, where the mutual actuation of the drives with their individual controls is required for a proper proceeding of the process.

Note: This safety standard specifies requirements only for the functional group controls of the reactor protection system.


KTA 3501 Page 7

(20) Class S alarm The class S alarm (safety-hazard alarm) is a signal of a safety subsystem; when it occurs, the operating personnel is required to initiate a protective action within a prescribed time period.

(21) Class I alarm The class I alarm is a signal that indicates to the operating personnel that a fault exists in the safety system.

(22) Class II alarm The class II alarm is a signal that indicates to the operating personnel that a fault exists in the operational system.

(23) Equipment diversity The equipment diversity is the use of redundant equipment of different design or working principle.

(24) Critical load test The critical load test is a test in which the behavior of the equipment is determined for the most unfavorable combination of operating and ambient conditions for which the equipment is designed.

(25) Limit signal The limit signal is the output signal of a limit value monitor.

(26) Limit value monitor (bistable trip unit) The limit value monitor is a device which compares the value of a safety variable with a fixed or variable limit value. As the value passes above or below the limit value, the output signal changes abruptly.

(27) Limit value of a limit value monitor The limit value of a limit value monitor is the value (trip set point) preset in the limit value monitor.

(28) Maintenance The maintenance comprises all measures for preserving and restoring the required condition as well as measures for evaluating the actual condition. Maintenance is subdivided into repair, servicing and inspection.

(29) Logic level The logic level is that part of the reactor protection system in which the initiation signals are combined and the evaluation of initiation criteria is carried out.

(30) Logic gating The logic gating is a method by which several binary signals are combined to obtain a single output.

Note: Logic gatings are, e.g., AND, OR.

(31) Coincidence logic The coincidence logic is a method by which redundant signals are combined in such a way that its output is more reliable than the individual signal inputs.

Note: A coincidence logic is, e.g., a two-out-of-three coincidence.
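As an added illustration (this is not part of KTA 3501 and not the standard's own material), the following Python models a limit value monitor per definition (26) feeding an m-out-of-n coincidence logic per definition (31), and works through why a two-out-of-three vote is more reliable than any single initiation channel for both failure directions: an erroneous initiation (17) and a failure to initiate on demand. The function names, the pressure values and the per-channel probabilities are constructed for this example; the probability arithmetic assumes independent random failures (60) and therefore says nothing about common-mode failures (10), which the standard treats separately.

```python
from math import comb


def limit_value_monitor(safety_variable: float, limit_value: float) -> bool:
    """Limit value monitor (bistable trip unit): the output changes abruptly
    as the safety variable passes above the preset limit value (trip set point)."""
    return safety_variable > limit_value


def safety_margin(limit_value: float, hazard_limit: float) -> float:
    """Difference between the trip set point and the hazard limit value
    established in the incident analysis (definition 48)."""
    return hazard_limit - limit_value


def m_out_of_n(signals, m: int) -> bool:
    """General coincidence logic: output set when at least m of the n
    redundant initiation signals are set. Two-out-of-three is m=2, n=3."""
    return sum(1 for s in signals if s) >= m


def two_out_of_three(a: bool, b: bool, c: bool) -> bool:
    return m_out_of_n((a, b, c), 2)


def vote_from_measurements(measurements, limit_value: float, m: int = 2) -> bool:
    """Initiation channel group feeding the logic level: each channel's measured
    safety variable passes its own limit value monitor, and the resulting
    initiation signals are combined by m-out-of-n coincidence logic."""
    signals = [limit_value_monitor(x, limit_value) for x in measurements]
    return m_out_of_n(signals, m)


def prob_vote_output(p: float, m: int, n: int) -> float:
    """Probability that an m-out-of-n vote outputs 'set' when each of the n
    channels independently outputs 'set' with probability p (binomial tail:
    sum over k = m..n of C(n,k) * p^k * (1-p)^(n-k)).
    With p = per-channel probability of an erroneous initiation this is the
    spurious-actuation probability of the group."""
    return sum(comb(n, k) * p ** k * (1 - p) ** (n - k) for k in range(m, n + 1))


def compare_voting_schemes(p_spurious: float, p_missed: float) -> dict:
    """For a single channel and for 1oo3, 2oo3, 3oo3 return
    (spurious-actuation probability, failure-to-actuate probability).
    An m-out-of-n vote fails to actuate when at least n-m+1 channels
    fail to initiate, hence the second binomial tail starts at n-m+1."""
    rows = {"1oo1": (p_spurious, p_missed)}
    n = 3
    for m in (1, 2, 3):
        rows[f"{m}oo{n}"] = (
            prob_vote_output(p_spurious, m, n),
            prob_vote_output(p_missed, n - m + 1, n),
        )
    return rows


if __name__ == "__main__":
    # Constructed sample: three redundant pressure channels (bar), trip set
    # point 160 bar, hazard limit 175 bar from an assumed incident analysis.
    LIMIT, HAZARD = 160.0, 175.0
    print("safety margin:", safety_margin(LIMIT, HAZARD), "bar")
    # Genuine demand with one channel open-circuit (reads 0): 2oo3 still actuates.
    print("demand, one channel dead:", vote_from_measurements([163.0, 164.5, 0.0], LIMIT))
    # One channel reading high at normal plant pressure: no spurious actuation.
    print("one channel failed high:", vote_from_measurements([161.0, 150.0, 151.0], LIMIT))
    for name, (sp, ms) in compare_voting_schemes(0.01, 0.01).items():
        print(f"{name}: spurious={sp:.3g}  missed={ms:.3g}")
```

With a constructed 1 % per-channel probability in each direction, 2oo3 lowers both the spurious-actuation and the failure-to-actuate probability to about 3e-4, whereas 1oo3 trades a much lower failure-to-actuate probability (1e-6) for a higher spurious rate (about 3e-2) and 3oo3 does the reverse; that is the sense in which the voted output is "more reliable than the individual signal inputs" in definition (31).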

(32) Process variable The process variable is a chemical or physical quantity of the process that can be measured directly.

(33) Reactor protection system The reactor protection system is that part of the safety system which monitors and processes the values of process variables relevant to the safety of the nuclear power plant and the environment in order to prevent unallowable loads and to detect incidents and which initiates protective actions such that the condition of the nuclear power plant is kept within safe limits.

Note: The number and type of the process variables to be controlled by the reactor protection system and the resulting safety variables, the specifications of their limit values and of the number and type of the protective actions are specified on the basis of the incident analysis. The reactor protection system is part of the safety system of a nu-clear power plant and comprises all devices and equipment for the monitoring of process variables, for the treatment of signals, the logic level and those parts of the controls of the individual drives required for the actuation of protective actions, and the functional group controls.

(34) Computing circuit The computing circuit is a device which calculates from the values of one or more process variables a safety variable that is not directly measurable.

Note: A computing circuit is, e.g., the circuit for determining the reactor period from the neutron flux, or the departure-from-nucleate-boiling from pressure and temperature.

(35) Redundancy The redundancy is the existence of more functionable technical means than are necessary for fulfilling the required functions.

Note: In this safety standard, the requirement for redundancy is considered satisfied if technical means of the same type are employed.

(36) Redundancy group The redundancy group is the aggregate of devices having a certain correlation while keeping up a sufficient independence of devices that are redundant to each other.

(37) Non-interaction

The non-interaction of a device is its characteristic that input signals of the device are not impermissibly affected by faults at its output.

Note: Faults can be, e.g., short circuit, overvoltage, short-to-ground, open circuit.

(38) Protective action The protective action is the actuation or operation of active safety system equipment that are needed to influence the course of incidents and to mitigate damaging effects.

(39) Protective action, safety-oriented The safety-oriented protective action is a protective action which, in the event of its erroneous actuation, will not prevent another protective action.

Note: The reactor fast shut-down is, in this sense, a safety-oriented protective action.

(40) Protective action, not definitely safety-oriented The not definitely safety-oriented protective action is a protective action which, in the event of its erroneous actuation, might prevent other protective actions.

(41) Protective limitation The protective limitation is a device which actuates such protective actions that cause the value of the monitored safety variable to be returned to a value at which specified normal operation can be continued.


KTA 3501 Page 8

(42) Partial protective action The partial protective action is the actuation or the operation of one or of several redundant components of one part of an active safety system equipment that are needed to influence the course of incidents and to mitigate damaging effects.

(43) Protective subsystem The protective subsystem is that part of the reactor protection system which is needed for actuating a partial protective action.

Note: A protective subsystem is, e.g., that part of the reactor protection system that is required for the start-up of one of a number of redundant pumps.

(44) Protection bypass The protection bypass is a measure by which a function of the reactor protection system is modified in relation to the operational condition. The protection bypasses are effected in the logic level or at the control level. Examples of protection bypasses are: control rod removal prohibitions in case the minimum level of the neutron flux density is not reached in the start-up range or in the fixed measuring ranges of the multiple range channels; bypasses of initiation criteria.

(45) Protection system subunit The protection system subunit is a part of the reactor protection system which, on account of its principle of operation, forms a unit.

Note: Examples are the initiation level, logic level, control level.

(46) Full protective action The full protective action is the actuation or operation of an active safety system equipment which, by itself fulfills the required safety function.

Note: An example is the reactor fast shutdown.

(47) Self-monitoring Self-monitoring is the characteristic of components or systems to automatically make their failure detectable.

(48) Safety margin The safety margin is the difference between the limit value preset in the limit value monitor and the hazard limit value established in the incident analysis.

(49) Active safety system equipment The active safety system equipment is a technical device of the safety system which performs protective actions.

Note: Active safety system equipment are, e.g., equipment for shutting down the reactor, for residual heat removal and for the isolation of the containment vessel penetrations.

Safety system equipment that perform their safety function without control elements or without mechanical actuators (e.g., core coolant confinement system, containment vessel, shielding) are referred to as passive safety system equipment.

(50) Safety system The safety system is the entirety of all technical equipment of the nuclear power plant that have the purpose to protect the plant from impermissible loadings and, in case of incidents, to contain their effects on the operating personnel, the environment and the plant within specified limits.

(51) Part of the safety system equipment A part of the safety system equipment is that which is required for accomplishing a partial protective action.

(52) Safety variable The safety variable is a value derived from one or more process variables which characterizes the safety of the plant and is required for the actuation of protective actions.

(53) Control level

The control level is a protection system subunit in which actuation signals of the logic level are adapted to the circuit-technological requirements of the active safety system equipment.

(54) Incident An incident is a chain of events upon whose occurrence the operation of the plant or the activity cannot be continued for safety-related reasons and which was considered in the plant design or for which activities precautionary protective measures were installed.

Note: In the case of plants in accordance with Sec. 7 Atomic Energy Act, "incident" is understood to be a chain of events upon whose occurrence the operation of the plant cannot be continued for safety reasons and which was considered in the plant design.

(55) Fault The fault is the irregular behavior of a subassembly, a component or a system.

(56) Comparator The comparator is a device which compares the values of two safety variables or of two process variables with each other and which delivers a binary signal in case of a specified deviation.

(57) Priority control The priority control is a control unit which causes a control signal to be treated with priority over one or more other control signals.

(58) Binary monitor The binary monitor is a binary measuring device which converts a process variable directly into a binary output signal without intermediate processing in a limit value monitor.

Note: An example for a binary monitor is a pressure monitor.

(59) Works inspector The works inspector is an expert authorized by the manufacturer who is independent of the fabrication in the manufacturing plant.

(60) Random failure The random failure is a failure which occurs statistically independent of failures of other devices of the same type.

(61) Limitation of process variables The limitation of process variables is a device that limits the values of process variables such that the initial conditions of specified incidents which have to be considered are met.

Note: An example is the limitation of the reactor power to such a level as was assumed to be the initial condition for the analysis of the loss-of-coolant incident.


Figure 2-1: Example of the Correlation of terms Regarding the Functional Design of the Reactor Protection System


3 Determination of Required Functions of the Reactor Protection System

3.1 Basic Requirements

To determine the functions which the reactor protection system has to fulfill, the chains of events specified in Section 3.2 shall be analyzed. The analysis of the chains of events shall be carried out using analytical procedures, experimental methods or plausibility considerations. The bases for all assumptions made in the analysis shall be specified. The result of the analysis must supply all requirements for the design of the reactor protection system. In this analysis, the effects of erroneous actuations in accordance with Section 4.4.4 shall be considered.

Note: The probability of certain chains of events can be reduced by technical means outside of the reactor protection system to such an extent that these events do not need to be taken into account in the design of the reactor protection system and of the active safety system equipment.

3.2 Chains of Events and Consequential Effects

(1) Chains of events of the following types shall be considered:
a) Chains of events involving the release of unallowable thermal energy in the reactor,
b) Chains of events involving the impairment of heat removal from the reactor,
c) Chains of events involving the release of radioactivity.

Note: The chains of events according to items a, b or c can partly be caused by external events. The preface to the Incident Guidelines shall, in particular, be considered.

(2) In this context the effects of the releases specified below are not tolerable if these releases exceed specified values or if they can indirectly trigger chains of events with similar consequences:
a) release of radioactive materials or thermal energy from the fuel elements into the coolant,
b) release of radioactive materials or thermal energy from the core coolant pressure boundary into the containment,
c) release of radioactive materials from the containment into the environment,
d) release of toxic, combustible or explosive materials.

(3) In addition to the chains of events specified above, those faults shall be considered that restrict or cancel the proper functioning of the active safety system equipment.

3.3 Initial Plant Condition

Normal operation shall be assumed as the initial plant condition for the analysis of chains of events. In each case the most probable operating condition of the plant shall be chosen in view of the effects of an event. In addition, analyses based on the most unfavourable initial condition shall be made. These initial conditions are determined on the basis of quasi-steady-state operating conditions plus possible deviations from the required values of process variables which affect the respective operating parameters, superposed by one quasi-steady-state deviation of a process variable due to a single random failure within the measuring or control system as a whole.

3.4 Detection of Incidents

(1) In the analysis of chains of events, representative safety variables shall be selected for the detection of incidents.

(2) For each incident to be controlled by the reactor protection system at least two physically different initiation criteria should be employed (see Section 4.5.2 (1)). A separate analysis of chains of events in accordance with Section 3.1 shall be carried out for each initiation criterion.

(3) The procedure of the protective actions shall be analyzed for the first and second initiation criterion considering the response delay and the accuracy of the initiation channels; the effect upon the sequence of the incidents shall be described.

(4) If the same process variables are used for operation and control and for reactor protection, analyses of faults in monitoring the process variable shall be carried out considering Sections 3.4 (1) and (2).

Note: In these analyses it is considered that, due to a common-mode failure, all similar devices of one manufacturer in the signal channels will fail simultaneously and with the same effect.

These analyses are not required if, due to the use of diverse measuring devices for operation and control on the one hand and for the reactor protection system on the other, a common-mode failure of these measuring devices need not be assumed.

4 Design Principles for the Reactor Protection

4.1 Basic Requirements

(1) It shall be demonstrated that the reactor protection system together with the active and passive safety system equipment is designed, manufactured and operated such that intolerable effects are prevented from occurring. Here, the failure-inducing events in accordance with Section 4.2 shall be assumed to occur simultaneously with, but independently of, the incident.

(2) The failures resulting from these failure-inducing events shall be combined in accordance with Section 4.4 if they cannot be prevented from occurring by technical means.

Note: It is permitted to present this demonstration collectively for all components of the safety system.

4.2 Failure-Inducing Events

4.2.1 Failure-Inducing Events within the Reactor Protection System

Failure-inducing events within the reactor protection system shall be considered; these are, for instance,
a) failures due to short circuits, open circuits, shorts to ground, changes in voltage and frequency, mechanical failures or fires,
b) several failures in accordance with item a) occurring simultaneously or in rapid succession of each other and having a common cause (e.g., manufacturing defects, design defects, drift) within the system itself,
c) human error in the operation and servicing of the reactor protection system.

4.2.3 Failure-Inducing Events in the Nuclear Power Plant

Failure-inducing events in the nuclear power plant that are within the framework of the "single-failure concept" shall be considered.


Note: The single-failure concept is dealt with in "Interpretations of the Safety Criteria for Nuclear Power Plants, Single-Failure Concept".

Examples of failure-inducing events in the nuclear power plant are fires, flooding, pipe whip, debris from a failed component, and mechanical jet effects of media such as steam, water, liquid metal, gas and oil.

4.3 Design Against Failure-Inducing Events Outside of the Nuclear Power Plant

It shall be demonstrated that sufficient protective measures are taken against events like floods, lightning, storms and earthquakes such that these events will not impermissibly influence the functioning of the reactor protection system.

4.4 Combination of Failures

4.4.1 Basic Assumptions

(1) The following failures shall be considered:
a) random failure,
b) common-mode failure,
c) secondary failure,
d) maintenance (inspection, servicing, repair).

(2) It shall be demonstrated that the reactor protection system in cooperation with the active and passive safety system equipment is able to control, in addition to the incident,
a) one random failure,
b) and one common-mode failure (if it cannot be precluded in accordance with (5) below),
c) and secondary failures.

(3) During specified normal operation of the nuclear power plant the failure combinations according to Figure 4-1 shall be controlled, whereby, in the case of maintenance (I), it need not be assumed that the common-mode failure (S) and the random failure will occur simultaneously within a time period of 100 h. Maintenance begins with the time of detecting the failure.

(4) The random failure and maintenance shall be assumed only once within the entirety of the components of the safety system equipment required for controlling the incident.

(5) The effects of common-mode failures within the reactor protection system shall be analyzed. Depending upon the result of these analyses, additional measures shall be taken to reduce the probability of occurrence of common-mode failures or to mitigate their effects.

Note: The probability of occurrence of common-mode failures can be reduced, e.g. by the selection of suitable equipment, test cycles or critical load tests, to an extent such that these common-mode failures need no longer be considered in the failure combination in accordance with Section 4.4.1 (2). To reduce their effects, additional measures outside of the reactor protection system may be required.

4.4.2 Full Protective Action

The initiation of the full protective action shall be ensured in all cases of the basic assumptions in accordance with Section 4.4.1.

Note: Examples that fulfill these requirements are shown in Figures 4-2 through 4-7. Figure 4-2 shows the unperturbed operation and Figures 4-3 through 4-7 various failure combinations. Only those failures are considered that impair the safety. In this context, only those full protective actions are considered that are definitely safety-oriented full protective actions, e.g. reactor scram.

Figure 4-1: Failure combinations to be considered


Figure 4-2: One possible schematic for the initiation of a reactor scram due to a reactivity disturbance. The reactor scram is initiated on account of initiation criteria derived from two different process variables, e.g., neutron flux density and pressure; secondary failures in monitoring the process variable are precluded.

Figure 4-3: Due to maintenance or due to failure of one initiation channel resulting from a single random failure, one initiation channel of initiation-channel group A is inoperable. The incident is covered at least by initiation-channel group A (2-out-of-2) and initiation channel group B (2-out-of-3).


Figure 4-4: During the repair of an initiation channel in initiation channel group A, a random failure occurs in initiation channel group B. The incident is covered by initiation channel group A (2-out-of-2) and by channel group B (2-out-of-2).

Figure 4-5: During the repair of one initiation channel in initiation channel group A, a random failure occurs in another initiation channel of the same initiation channel group. The incident is covered by initiation channel group B (2-out-of-3).


Figure 4-6: During the repair of an initiation channel in channel group A, a common-mode failure occurs in initiation channel group B. The incident is covered by initiation channel group A.

Figure 4-7: During the repair of one initiation channel in initiation channel group A, a common-mode failure occurs in the same initiation channel group. The incident is covered by initiation channel group B.
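The failure combinations of Figures 4-3 through 4-7 can be checked mechanically. The following Python model is an added illustration and not part of KTA 3501; it assumes (as the figure captions suggest but do not state explicitly) three channels per initiation-channel group with 2-out-of-3 coincidence logic, that a channel under maintenance or hit by a safety-impairing random failure simply drops out of the vote (so 2-out-of-3 degrades to 2-out-of-2), that a common-mode failure takes out every channel of one group, and that the full protective action is initiated when either initiation-channel group initiates. Beyond the five figures it enumerates every placement of one maintenance task plus one random failure or one common-mode failure, and shows that a single 2-out-of-3 group on its own would not survive the combination of Figure 4-5, which is why Section 3.4 (2) calls for two initiation criteria.

```python
from itertools import product

OK, MAINT, FAIL = "ok", "maintenance", "failed"
N_CHANNELS = 3   # channels per initiation-channel group (assumed from the figures)
K_VOTE = 2       # 2-out-of-3 coincidence logic as in Figures 4-3 through 4-7


def group_initiates(channels, incident=True):
    """k-out-of-n coincidence vote over one initiation-channel group.

    Only operational channels that see the incident count. A channel under
    maintenance or hit by a safety-impairing random failure is excluded, so
    2-out-of-3 degrades to 2-out-of-2, and with two channels lost the group
    can no longer initiate at all.
    """
    seeing_incident = sum(1 for state in channels if state == OK and incident)
    return seeing_incident >= K_VOTE


def action_initiated(groups, incident=True):
    """Full protective action (e.g. scram): any initiation-channel group suffices.

    Groups A and B are two physically different initiation criteria in the
    sense of Section 3.4 (2), so their outputs are combined by OR.
    """
    return any(group_initiates(g, incident) for g in groups)


def apply_failures(groups, maint=None, random_fail=None, cmf=None):
    """Return a copy of `groups` with one failure combination applied.

    maint, random_fail: (group_index, channel_index) of the affected channel.
    cmf: index of the group whose channels all fail together (common mode).
    """
    out = [list(g) for g in groups]
    if maint is not None:
        out[maint[0]][maint[1]] = MAINT
    if random_fail is not None:
        out[random_fail[0]][random_fail[1]] = FAIL
    if cmf is not None:
        out[cmf] = [FAIL] * N_CHANNELS
    return out


def healthy(n_groups=2):
    """Unperturbed operation as in Figure 4-2: every channel sound."""
    return [[OK] * N_CHANNELS for _ in range(n_groups)]


def figure_cases():
    """The failure combinations of Figures 4-3 through 4-7 (group A = 0, B = 1)."""
    return {
        "4-3": apply_failures(healthy(), maint=(0, 0)),
        "4-4": apply_failures(healthy(), maint=(0, 0), random_fail=(1, 0)),
        "4-5": apply_failures(healthy(), maint=(0, 0), random_fail=(0, 1)),
        "4-6": apply_failures(healthy(), maint=(0, 0), cmf=1),
        "4-7": apply_failures(healthy(), maint=(0, 0), cmf=0),
    }


def uncovered_combinations(n_groups=2):
    """Enumerate the combinations Section 4.4.1 (2) to (4) requires to be
    controlled, i.e. one maintenance task plus either one random failure or one
    common-mode failure, placed anywhere, and return those that would leave the
    protective action un-initiated. An empty list means every one is covered."""
    positions = [(g, c) for g in range(n_groups) for c in range(N_CHANNELS)]
    uncovered = []
    for m, r in product(positions, positions):
        if m != r and not action_initiated(
                apply_failures(healthy(n_groups), maint=m, random_fail=r)):
            uncovered.append(("maintenance", m, "random", r))
    for m, g in product(positions, range(n_groups)):
        if not action_initiated(apply_failures(healthy(n_groups), maint=m, cmf=g)):
            uncovered.append(("maintenance", m, "cmf", g))
    return uncovered


if __name__ == "__main__":
    for fig, groups in figure_cases().items():
        print(f"Figure {fig}: {groups} -> initiated={action_initiated(groups)}")
    print("two criteria, uncovered:", uncovered_combinations(2))
    print("one criterion, uncovered:", uncovered_combinations(1))
```

The one combination this model cannot cover is maintenance, a random failure and a common-mode failure all at once; that is exactly the triple which Section 4.4.1 (3) excludes from the maintenance case by the 100 h window, and the design argument rests on that exclusion being enforced by repair times, not on the logic.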


Figure 4-8: This schematic shows a possible layout for the initiation of a fourfold redundant, 50% part of the safety system equipment due to an incident where only a single safety variable is available and where secondary failures in monitoring the process variable (e.g., a break in the differential pressure line) must be assumed as physically possible and as not being initiation-oriented. The devices for monitoring the process variable up to and including the signal transmitters in the initiation channel groups are of diverse types (device type a, device type b).

Figure 4-9: In case of the most unfavourable combination of failures, the system described in Figure 4-8 may develop as follows: During the repair of one initiation channel in initiation channel group A2, a common-mode failure occurs in the device type a. Additionally, one initiation channel group A2 becomes inoperative due to a secondary failure. The incident is sufficiently covered by actuating two of the 50% protective subsystems.


4.4.3 Partial Protective Actions

4.4.3.1 Definitely Safety-Oriented Partial Protective Actions

The initiation of definitely safety-oriented partial protective actions shall, in consideration of the basic assumptions according to Section 4.4.1, be ensured such that the partial protective actions which remain as a result of the assumed combinations of failures will fulfill the required safety related functions.

Note: Figures 4-8 and 4-9 show examples that fulfill these requirements; only those failures are considered that impair the safety.

4.4.3.2 Not Definitely Safety-Oriented Partial Protective Actions

Note: The partial protective actions considered in this context are those which, in the case of their erroneous actuation, can prevent other protective actions.

(1) The initiation of not definitely safety-oriented partial protective actions shall, in consideration of the basic assumptions according to Section 4.4.1, be ensured such that the partial protective actions which remain as a result of the assumed combinations of failures will fulfill the required safety related functions.

(2) In the case of an erroneous actuation of not definitely safety-oriented partial protective actions due to a random failure it shall be ensured that, even during a maintenance task in the safety system, the required safety related tasks of the safety system are fulfilled by the remaining protective actions.

(3) With regard to the erroneous actuations of not definitely safety-oriented partial protective actions due to random failures, the requirements of Section 4.4.1 (5) shall be met.

Note: In designing this part of the reactor protection system, special attention shall be paid to actuation-oriented failures, because erroneous actuations can unallowably reduce the effectiveness of the safety system.

4.4.4 Erroneous Actuation of Protective Actions

Erroneous actuations of protective actions shall be prevented under consideration of the basic assumptions according to Section 4.4.1 if they lead to failures that go beyond the consequences of the incidents to be considered. Even a maintenance case in the safety system with random failures in the reactor protection system including consequential failures may not lead to incidents with damaging effects.

4.5 Initiation of Protective Actions

4.5.1 Establishing Safety Variables

A safety variable should be derived from only one process variable (see Section 5.5.1.2).

4.5.2 Establishing Initiation Criteria

(1) The initiation criteria for the detection of an incident should be derived from different kinds of process variables.

Note: This serves to compensate for uncertainties in the analysis of the course of the incident and to control common-mode failures in the monitoring of process variables.

(2) If the requirements according to Section 4.5.2 (1) cannot be met or cannot be realized by reasonable technical means then the use of diverse measuring techniques or diverse measuring devices in the respective initiation channel groups as well as shortened test cycles or equivalent measures shall be employed in the monitoring of process variables.

4.5.3 Degree of Automation

The reactor protection system should automatically initiate protective actions. Manual measures such as initiation, interruption or resetting of protective actions shall be provided for only in substantiated exceptions. The safety system shall be designed such that necessary manual initiations of protective actions for controlling incidents are not required before a time span of 30 minutes.

Note: In the case of actuations of protective actions that are required for controlling extremely seldom events, exceptions are allowed if they are well substantiated (e.g., external events during refueling).

4.5.4 Records

The initiation signals of the reactor protection system and other alarms from the active safety system equipment shall be recorded in chronological order. These records should be produced by automatically recording the alarms, e.g., by using fault-recorders or incident sequence logs. Signals not related to the incident may also be contained in the alarm logs as long as visual clarity is not impaired.

4.6 Redundancy and Independence

(1) The reactor protection system shall be constructed redundantly in order to be able to cope with failure-inducing events within the reactor protection system itself.

(2) Redundancy groups must be independent of each other to such a degree that, upon failure of redundancy groups due to a failure-inducing event in accordance with Section 4.2, the remaining redundancy groups are sufficient to control the incident.

(3) At the junction points of several redundancy groups of the reactor protection system, the independence of the different redundancy groups shall be ensured by means of decoupling (junction points exist, e.g., at the comparators, the coincidence logics, and the averaging logics). The decoupling devices must separate the redundancy groups from each other such that no interaction effects occur.

(4) Redundantly duplicated devices should be spatially separated from each other as a protection against failure-inducing events within the reactor protection system and within the nuclear power plant. Spatial separation is not necessary if these events cannot hinder the initiation of protective actions and can only lead to the initiation of definitely safety-oriented protective actions.

4.7 Separation of the Reactor Protection System from other Systems

(1) Components of the reactor protection system may be used for tasks of the operating system.

(2) The reactor protection system shall be independent of operational systems to such an extent that the reactor protection system remains operable during specified normal operation and during failure-inducing events in the operational system.

(3) If signals of the reactor protection system are used for data processing outside of the reactor protection system, e.g., signals routed to chart recorders and display devices, then these signals shall be decoupled such that no interaction effects occur.

(4) Where common measuring devices are used for control and for reactor protection, it must be demonstrated that the failure of these measuring devices either does not lead to incidents or that the respective incidents are detected in accordance with Sections 3.4 (1) and (2), 4.5.1 and 4.5.2.

(5) The control of active safety system equipment by the reactor protection system shall be designed such that the signal for actuating the protective actions has priority over operational control signals unless otherwise provided for in Section 6.

(6) The reactor protection system shall be designed against, or decoupled from, overvoltages to be considered. The decoupling elements shall be designed for an a.c. or d.c. voltage of 220 V. The plant specific voltage tolerances shall be considered.

4.8 Operation of the Reactor Protection System during Maintenance Tasks

(1) In case of maintenance tasks in the reactor protection system, the reactor shall be immediately brought into a safe condition if, as a result of a random failure including consequential failures, the functioning part of the safety system is no longer able to fulfill its safety functions.

Note: The transfer into a safe condition can be brought about, e.g., by immediate repair or by controlled shut-down of the nuclear power plant. Preference shall be given to an immediate repair if the repair can be completed faster than the controlled shut-down.

(2) The reactor protection system may need to be adapted to the operation of the nuclear power plant in case of maintenance tasks in the operational system, e.g., repair of a primary coolant pump. If a manual adaptation is planned for, it shall be possible to carry it out at pre-arranged locations.

(3) After a switching procedure it shall be checked if it was effected correctly.

(4) Complete equipment and circuit documentation shall be on hand for rapid and accurate location and repair of failures.

(5) The maintenance tasks shall be carried out by personnel authorized for this work.

(6) Only such spare parts which are service proved or whose quality is proven to comply with the requirements specified for the type test, may be used in repair procedures. If, in exceptional cases, novel or modified components are installed, then tests in accordance with Section 11.1.1.2 shall be carried out.

(7) Failures and their causes identified during maintenance tasks, as well as the method of repair, shall be documented.

4.9 Coordination of the Reactor Protection System and Active Safety System Equipment

(1) The reactor protection system shall be designed such that it is not the determining factor in the unavailability of the safety system.

(2) The reactor protection system shall be designed such that the degree of redundancy of the active safety system equipment given by their subdivision into safety relevant subsystems is maintained.

Note: A mutual monitoring of process variables is allowed for the control of redundant safety system equipment if the requirements according to Section 4.4 are met.

(3) The process engineering of the nuclear power plant shall be such as to avoid not definitely safety-oriented protective actions. The reasons for required not definitely safety-oriented protective actions shall be presented.

4.10 Monitoring Readiness and Capability for Testing

4.10.1 Monitoring Readiness

(1) A display shall be provided for, giving a survey of the condition of the components of the reactor protection system and the active safety system equipment including their power and auxiliary media supplies.

(2) The reactor protection system should be designed to be self-monitoring.

Note: Self-monitoring can be accomplished by, e.g., comparison of signals in redundant channels, non-equivalence monitoring, or systems operating dynamically.

The non-self-monitoring parts of the reactor protection system and of the active safety system equipment shall be equipped with devices that permit a regular and complete testing during shut-down phases and, as far as required for reliability reasons, also during normal operation.

(3) Failures detected in the reactor protection system shall allow for an exact localisation.

Note: Locating measures are, e.g., optical alarms in the control room, on the cabinet rows, the cabinets themselves and the plug-in units (see Section 10).
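As an added illustration of the comparator monitoring of redundant analog channels named above (and under item j of the note to Section 4.14), the following Python sketch is not part of the standard. It assumes a median reference over the channels not yet flagged, a tolerance band and a debounce count (both values invented here), and a constructed trace of three pressure channels in which one channel drifts. It also handles the case the note does not mention: once fewer than three sound channels remain, a deviation can still be detected but no longer attributed to one channel, so the comparator raises a group-level alarm instead of guessing.

```python
from statistics import median

TOLERANCE = 2.0   # admissible deviation from the reference, % of span (assumed value)
DEBOUNCE = 3      # consecutive out-of-band samples before a channel is flagged (assumed)


class ChannelComparator:
    """Comparator over redundant analog measuring channels.

    Each sample is compared against the median of the channels not yet flagged;
    a channel that stays outside the tolerance band for `debounce` samples is
    located as failed and logged, which is the localisation Section 4.10.1 (3)
    asks for. This is an added sketch, not a circuit from the standard.
    """

    def __init__(self, n_channels, tolerance=TOLERANCE, debounce=DEBOUNCE):
        self.n = n_channels
        self.tolerance = tolerance
        self.debounce = debounce
        self.counters = [0] * n_channels
        self.flagged = set()     # channels already located as failed
        self.events = []         # (sample_no, kind, channel) for the alarm log

    def step(self, sample_no, values):
        """Feed one simultaneous sample of all channels."""
        if len(values) != self.n:
            raise ValueError("one value per channel expected")
        good = [i for i in range(self.n) if i not in self.flagged]
        if len(good) < 3:
            # With fewer than three sound channels a deviation is still
            # detectable but cannot be attributed to one channel: raise a
            # group-level alarm rather than guess which one is wrong.
            if len(good) == 2 and abs(values[good[0]] - values[good[1]]) > self.tolerance:
                self.events.append((sample_no, "deviation-not-localizable", None))
            return
        ref = median(values[i] for i in good)
        for i in good:
            if abs(values[i] - ref) > self.tolerance:
                self.counters[i] += 1
            else:
                self.counters[i] = 0
            if self.counters[i] >= self.debounce:
                self.flagged.add(i)
                self.events.append((sample_no, "channel-deviation", i))


def run_constructed_trace():
    """Constructed trace (not measured data): three redundant pressure channels
    in % of span; channel 1 starts drifting upward at sample 4, and at sample 8
    a second channel departs after the first has already been taken out."""
    trace = [
        (50.1, 49.9, 50.0), (50.0, 50.2, 49.8), (50.2, 50.0, 50.1),
        (49.9, 50.1, 50.0), (50.0, 53.0, 50.1), (50.1, 54.5, 49.9),
        (50.0, 56.0, 50.0), (50.2, 57.5, 50.1), (50.0, 58.0, 55.5),
    ]
    comparator = ChannelComparator(n_channels=3)
    for sample_no, values in enumerate(trace):
        comparator.step(sample_no, values)
    return comparator.events


if __name__ == "__main__":
    for event in run_constructed_trace():
        print(event)
```

The debounce keeps a single noisy sample from taking a channel out of the vote, and the reference is recomputed over sound channels only so that an already located failure cannot drag the median and cause a second, false localisation.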

4.10.2 Capability for Testing the Reactor Protection System

(1) The reactor protection system shall be designed such that tests can be carried out during specified normal operation without unallowable reduction of plant safety. The independence of the redundancy groups shall be maintained during testing. A simultaneous testing of redundant subsystems shall be prevented if the functional capability of the reactor protection system is impaired.

Note: Administrative measures are permitted for achieving this goal.

(2) The reactor protection system shall be designed such that in a preoperational test and during the shut-down phase of the plant complete tests can be carried out to check individual equipment and subassemblies for deviation from design tolerances and the protective subsystems and the entire reactor protection system for correct operation.

(3) During power operation of the plant, it shall be possible to carry out tests that verify correct operation of [protective system] subunits. By testing the [protective system] subunits, it must be possible to demonstrate the correct operation of the entire reactor protection system. It shall be possible to perform partial tests in an overlapping fashion.

Note: To meet this requirement, devices shall be built into the reactor protection system which allow for the injection of simulation signals (via test sockets or test switches and the like) as well as for determining the results of these tests (by the display of status indicators or of continuously measured variables).

(4) The reactor protection system shall be designed and operated such that functional tests can be performed from central test locations (e.g., from test panels).

(5) In the case that automatic testing equipment is employed for testing the functional capability of the reactor protection system (fixed-circuit or RAM-programmable testing equipment; RAM: random access memory), the following conditions shall be met:


a) The test results should be automatically recorded.
b) The test record should contain the test sequence and a fault log.
c) The test equipment should test for proper coupling to the device to be tested.
d) The test equipment should perform the test without manual intervention after being connected to the devices to be tested and the test procedure being initiated.
e) The quality of automatic tests shall correspond at least to the quality of comparable manual tests.

4.11 Protective Limitations

(1) A protective limitation is acceptable if the incident analysis reveals that, due to the possibility of only minimal damaging effects, a limitation is a sufficient measure.

(2) Protective limitations shall be designed in accordance with this standard except that two initiation criteria are not required.

(3) The following is valid for the local protection of the core: if a second protective action is superimposed on the protective action initiated by the protective limitation, and if this second protective action controls the incident at a higher, still permissible damage level, then multiple sensing of the same process variable at the same location need not be carried out for the protective limitation.

4.12 Functional Group Controls of the Reactor Protection System

(1) If functional group controls are used in the reactor protection system, they shall be designed such that the step sequences required with regard to process engineering are adhered to, considering the time period for switching and startup of the active safety system equipment.

(2) Functional group controls of the reactor protection system should not be employed for operational tasks. An operational task is permitted if the operational function is identical with the safety function.

(3) Separate process engineering systems of the safety system should be controlled by separate functional group controls of the reactor-protection system. This applies, for instance, to the high-pressure and low-pressure emergency core cooling systems.

4.13 Determining the Limit Values for the Initiation of Protective Actions

(1) The limit values shall be determined by analyses under consideration of operational transients, incident dynamics, measuring errors and the response delay of the reactor protection system and the corresponding active safety system equipment.

(2) The limit values shall be specified together with the safety margin.

4.14 Manual Actions

(1) In the case that manual actions are required for the operation and maintenance of the reactor protection system, faults due to mistakes and negligence shall be prevented
a) preferably, by circuit design of the system,
b) by alarm equipment of the safety system,
c) by administrative instructions for operation and maintenance.

Note: Proper measures in this regard are, e.g.,
a) redundant construction of the reactor protection system,
b) decoupling of the reactor protection system from the operating system,
c) priority of reactor protection signals over testing signals,
d) interlocks for preventing the simultaneous testing of redundant devices,
e) employment of self-monitoring systems,
f) [permanent] installation of testing equipment,
g) minimizing, through proper system design, the number of on-site tests that cannot be performed by testing equipment,
h) unambiguous system and component markings,
i) status indication of active safety components of the safety system,
j) monitoring analog measuring channels by comparators,
k) alarm equipment for the detection and location of failures,
l) insertion monitoring of electronic modules,
m) securing the operating position of components by lead seals or other mechanical measures,
n) unambiguous specifications for the operation of the reactor protection system,
o) performance of maintenance tasks on the reactor protection system by qualified personnel in accordance with written instructions,
p) monitoring the execution of maintenance tasks on the reactor protection system and its documentation,
r) clear arrangement of the components of the safety system.

(2) Manual actions in the reactor protection system by unauthorized personnel shall be rendered difficult
a) preferably, by technical means,
b) by administrative means.

Note: Effective measures are, e.g.,
a) spatial separation of redundant components,
b) monitored access barriers to buildings, rooms and cabinets,
c) administrative procedures for authorizing and monitoring the access to components of the reactor protection system.

(3) Measures for making manual actions difficult shall be such as not to unwarrantably hinder required operating and maintenance procedures by authorized personnel.

5 Design of the Reactor Protection System

5.1 Equipment Quality

5.1.1 Demonstration of Suitability of Service Proved Equipment

(1) Service proved equipment and components should be employed.

(2) The demonstration of service proveness should be carried out by statistical analysis of service records on the basis of the operational characteristics specified in the data sheet and of the operating conditions.

(3) Regarding the service proveness, supplementary tests in accordance with Section 11.1.1.1 shall be carried out if the operational conditions exceed the operational characteristics specified in the data sheet or if they were not covered by the demonstration of service proveness. Certain characteristics of the equipment may, in coordination with the authorized expert (under Sec. 20 Atomic Energy Act), be demonstrated analytically.


5.1.2 Demonstration of Suitability for Newly Developed or Modified Equipment

Newly developed or modified equipment shall be subjected to tests in accordance with Section 11.1.1.2.

5.1.3 Quality Planning in the Circuit Design of Newly Developed or Modified Equipment

(1) The circuit concept shall be simple, clear and functional.

(2) Proven and reliable components and circuits should be employed; operational experience shall be taken into account.

(3) The equipment shall be designed such that a test for equipment operation can be carried out without modification of the wiring.

(4) The equipment shall be designed for the environmental effects referred to in Section 5.2.

(5) The equipment shall satisfy the requirements of the reactor protection system with regard to static and dynamic characteristics.

Note: This relates, e.g., to stability, accuracy, signal-to-noise ratio, drift, hysteresis, response time, reproducibility.

5.1.4 Reliability and Quality Testing

(1) Data regarding the reliability of the equipment types shall be presented based on, e.g., statistical methods, failure effect analyses, critical load tests or the evaluation of operating experience.

(2) The required equipment quality of production lots shall be verified within the framework of the factory tests on representative random samples that are subjected to operating loads and critical loads.

(3) The quality assurance system for ensuring the equipment quality shall be demonstrated.

Note: Requirements for the quality assurance system are given in KTA 1401.

5.2 Environmental Effects

5.2.1 Load Conditions during Specified Normal Operation

(1) All components of the reactor protection system, e.g., sensors, measuring transmitters, wiring, penetrations, shall withstand the environmental and operational conditions at the place of installation. Their functioning shall, in particular, not be unallowably impaired by: a) mechanical loading (e.g., vibrations), b) influences of the measuring medium, c) temperature, pressure, moisture and radiation, d) chemical effects.

Note: For instance, in the case of resistance thermometers, the self-heating due to the measuring current and the heating due to radiation absorption shall not lead to unallowable measuring errors. In the case of thermocouples, the following effects shall not lead to unallowable measuring errors:
- structural change of the cladding tube due to neutron irradiation,
- change of the ceramic insulating material due to neutron and gamma irradiation,
- structural change of the thermocouple conductors due to thermal neutrons,
- heating of the thermocouple due to gamma and thermal radiation.

(2) Initiation channels shall be constructed such that noise voltages induced galvanically, inductively or capacitively will neither prevent the initiation of protective actions nor cause erroneous actuations.

Note: Examples of suitable measures against galvanically induced noise voltages are single-point grounding (sensors insulated from the housing, or measuring transducers with galvanic isolation) and a separate power supply. Examples of measures against inductively induced noise voltages are twisting of wires, magnetic shielding by running the sensor cables in steel conduits, electric shielding by running the sensor cables in conductive tubes, and sufficient distance of the sensor cables from other cables capable of influencing them (power cables). Examples of suitable measures against capacitively induced noise voltages are electric shielding, running of sensor cables in conductive tubes, and the use of coaxial or triaxial cables in the case of small currents.

5.2.2 Stresses during Leakage Rate Tests of the Reactor Containment Vessel

The equipment, cables and cable connections installed inside the containment vessel should be capable of withstanding the stresses arising from leakage rate tests. If in exceptional cases this is not possible, they shall be removed prior to, or shall be protected against, stresses from the leakage rate tests. After leakage rate tests, in-service inspections in accordance with KTA 3506 are required.

5.2.3 Stresses during incidents

(1) Components of the reactor protection system which must survive incidents because they are still required after the incident, e.g., for residual heat removal, shall be designed and constructed such that the components (sensors, components of the signal path and supply line including cables and penetrations) will withstand the respective conditions during incidents and their effects, and such that the quantities to be measured are monitored continuously throughout the entire design range.

Note: For example, temperatures and pressures, steam or water caused by an incident at electric penetrations, equipment and distribution boxes, as well as thermal stresses at material interfaces due to incident temperatures, shall not unallowably affect the functional capability.

(2) Parts of the reactor protection system which are required only for initiating the necessary protective action at the onset of an incident and can then become inoperative shall be proven to be designed such that the components will withstand the respective incident conditions, e.g., radiation, temperature, pressure and moisture, until the required protective action has been initiated, and such that their failure will not unallowably affect the components of the reactor protection system required for controlling the incident.

5.3 Spatial Layout, Separation of Redundant Systems

5.3.1 Overall System

(1) Redundant equipment of the reactor protection system shall be grouped together and separated sufficiently from other redundancies such that a single failure-inducing event in accordance with Section 4.2 cannot lead to the failure of an unallowable number of redundant equipment.

(2) If a spatial separation is not possible, adequate mechanical protection shall be provided, e.g., installation behind protective walls or in bunkers. A mechanical protection or the installation in separate cabinets is not required if a damage will not prevent actuation of protective actions or can only lead to the erroneous actuation of definitely safety-oriented protective actions.

5.3.2 Cables

(1) Cables of redundant equipment of the reactor protection system shall be spatially separated in accordance with Section 5.3.1 or shall be routed such that they are physically protected from each other.

(2) Signals of redundant equipment shall not be fed through one and the same cable, local cable distributor box or cable penetration.

(3) A non-protected routing of cables of the reactor protection system is permitted only if an unintentional mechanical damage is impossible during specified normal operation. In all other cases cables must be physically protected, e.g., by conduits or sheet steel covers.

(4) Cables of the reactor protection system shall be either routed spatially separated or physically protected from components constituting a hazard to them, e.g., pipes.

(5) Signal transmission cables and power supply cables of redundant sensor and control equipment of the reactor protection system should be routed to the signal processing modules without use of a central cable distributor.
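The separation rules of Sections 5.3.1 and 5.3.2 lend themselves to a mechanical check over a cable schedule. The following Python script is an added example and is not part of KTA 3501 nor a tool of any plant or vendor: it flags every cable, local distributor box or penetration carrying signals of more than one redundancy group (Section 5.3.2 (2)), and every room whose loss would fail more redundancy groups than the plant can tolerate (Section 5.3.1 (1)). The schedule, its identifiers, the field names and the tolerated number of lost groups are all constructed for the illustration.

```python
"""Separation check over a constructed cable schedule of redundant RPS signals.

Added example; not part of KTA 3501.  Two requirements become checks:
Section 5.3.2 (2), no shared cable / distributor box / penetration between
redundancy groups, and Section 5.3.1 (1), one failure-inducing event (here
the loss of one room) may not fail more groups than tolerated.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Sequence, Set, Tuple


class Signal(NamedTuple):
    name: str          # measuring point and redundancy, e.g. "PT-001 R1" (assumed naming)
    group: str         # redundancy group
    cable: str
    distributor: str   # local cable distributor box
    penetration: str   # containment cable penetration
    room: str          # installation room; its loss is one failure-inducing event


# Constructed schedule: one pressure and one temperature measurement, each in
# three redundancies.  It contains one violation of each kind on purpose.
SCHEDULE: List[Signal] = [
    Signal("PT-001 R1", "R1", "C-101", "DB-11", "PEN-1", "UJA01"),
    Signal("PT-001 R2", "R2", "C-102", "DB-12", "PEN-2", "UJA02"),
    Signal("PT-001 R3", "R3", "C-103", "DB-13", "PEN-2", "UJA03"),  # shares PEN-2 with R2
    Signal("TE-002 R1", "R1", "C-201", "DB-11", "PEN-1", "UJA01"),
    Signal("TE-002 R2", "R2", "C-202", "DB-12", "PEN-3", "UJA02"),
    Signal("TE-002 R3", "R3", "C-203", "DB-13", "PEN-4", "UJA02"),  # R3 installed in the R2 room
]


def shared_resource_violations(signals: Sequence[Signal]) -> List[str]:
    """Section 5.3.2 (2): a cable, distributor box or penetration that carries
    signals of more than one redundancy group is a violation."""
    users: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for s in signals:
        for kind in ("cable", "distributor", "penetration"):
            users[(kind, getattr(s, kind))].add(s.group)
    return sorted(
        f"{kind} {ident} shared by groups {','.join(sorted(groups))}"
        for (kind, ident), groups in users.items() if len(groups) > 1
    )


def room_loss_violations(signals: Sequence[Signal], max_groups_lost: int) -> List[str]:
    """Section 5.3.1 (1): the loss of one room may take out at most
    `max_groups_lost` redundancy groups.  An m-out-of-n coincidence still
    actuates with m surviving groups, so n - m is the largest tolerable value;
    the plant-specific basic assumptions (Section 4.4.1) may require less."""
    by_room: Dict[str, Set[str]] = defaultdict(set)
    for s in signals:
        by_room[s.room].add(s.group)
    return sorted(
        f"room {room} holds groups {','.join(sorted(groups))} (at most {max_groups_lost} may be lost)"
        for room, groups in by_room.items() if len(groups) > max_groups_lost
    )


def check_schedule(signals: Sequence[Signal], max_groups_lost: int) -> List[str]:
    """All findings for a schedule; an empty list means both checks pass."""
    return shared_resource_violations(signals) + room_loss_violations(signals, max_groups_lost)


if __name__ == "__main__":
    # 2-out-of-3 layout: losing one group in a single event is tolerated.
    for finding in check_schedule(SCHEDULE, max_groups_lost=1):
        print(finding)
```

The room check is deliberately parametrised rather than derived from the coincidence logic alone, because Section 4.4.1 may add a single failure or a maintenance outage on top of the failure-inducing event; the reviewer supplies the number the plant analysis tolerates.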

5.3.3 Differential Pressure Lines

(1) The requirements of Section 5.3.1 shall apply to differential pressure lines.

(2) Separate nozzles should be provided for redundant measuring devices at a single measuring location, e.g., a common throttle device. Common nozzles are permitted if the requirements of Section 4.4 are met.

(3) An unintentional closing of shutoff valves in differential pressure lines shall be prevented; e.g., hand wheels shall be removed. Automatic shutoff devices should not be installed.

5.4 Mechanical Construction

5.4.1 Connectors and Connections

(1) Screw and plug-in connections shall be secured such that inadvertent disconnections are not possible, or that the disconnected condition is automatically indicated by an alarm.

(2) A sufficient gap shall be left between connections of different equipment belonging to the same redundancy group such that an accidental bypass of an actuation or an erroneous actuation is prevented; otherwise, equivalent measures shall be taken.

5.4.2 Markings

(1) Equipment of the reactor protection system shall be clearly and unambiguously marked.

(2) Cables of the reactor protection system shall be clearly and unambiguously marked at both ends.

(3) In the case of modular systems, the locations and the modules assigned to these locations shall be clearly and unambiguously marked.

5.4.3 Adjustment Devices

(1) Wherever equipment requires readjustment during operation, permanently installed adjustment devices shall be provided.

(2) All adjustment devices on equipment of the reactor protection system shall be positioned or secured such that an alteration of the adjustment by unauthorized personnel is made as difficult as possible. A change of the setting of its own accord, e.g., through vibrations, shall be made impossible.

5.4.4 Maintenance

(1) All devices of the reactor protection system should be positioned such that they are easily accessible for maintenance tasks.

(2) To facilitate and speed up maintenance tasks and to reduce the radiation exposure of maintenance personnel, systems with easily exchangeable equipment should be used.

Note: For example, the electrical connections of equipment positioned close to the reactor should be of the plug-in type.

5.5 Construction of Protection System Subunits

5.5.1 Initiation Channels

5.5.1.1 Comparison of Sensor Signals

In the initiation channel, instruments should be used that permit a continuous comparison of sensor signals.

5.5.1.2 Analog Initiation Channels

The safety variable should be a continuous function of the process variable. If a direct measurement of the safety variable is not possible (e.g., DNB ratio) or if the use of a direct measuring technique is technically not reasonable, computing circuits may be used, e.g., flow measurements using an orifice together with a square-root extracting signal transducer.

5.5.1.3 Digital Initiation Channels

If digital initiation channels are used in the reactor protection system, these shall be designed in accordance with the requirements of Section 5.5.1.2.

5.5.1.4 Limit Value Monitors and Comparators

(1) Self-monitoring limit value monitors should be used. In the case of electronic limit value monitors, the limit value itself (reference voltage) should be monitored.

Note: A self-monitoring of the comparators is not required.

(2) Limit value monitors and comparators should have an adjustable switching-hysteresis and should not be equipped with seal-in circuits.

(3) The limit value shall be adjustable with sufficient accuracy (resolution) right at the unit. It should be possible to check the limit value during operation without having to change its setting.

(4) Under consideration of the accuracy and hysteresis of the limit value monitor, the measuring range of the initiation channel shall be set such that a sufficient distance is maintained from the end-points of the measuring range.

(5) The response of a limit value monitor and comparator shall be indicated on the unit itself and in the control room.


5.5.1.5 Binary Monitors

Binary monitors should be used only where an analog measuring device cannot be realized in a quality required for the reactor protection. The contacts shall be monitored by suitable control circuits (non-equivalence monitoring, wire breakage monitoring).

5.5.1.6 Limit Switches

(1) Limit switches should be used for the generation of initiation signals only where an analog measuring device cannot be realized in a quality required for the reactor protection.

(2) If initiation signals are to be created by limit switches that do not possess positively actuated contacts, then, if a second initiation criterion is not available, the requirements of Section 4.5.2 (2) shall be met. The contacts shall be monitored by suitable control circuits (non-equivalence monitoring).

(3) The actuating devices of redundant limit switches, e.g., spindles, pushrods, cams, switching bars, should be constructed separately for each redundant limit switch.

5.5.2 Logic Level

(1) The trip channels parallel to each other in the logic level that are responsible for the fast shut-down of the reactor shall belong to different redundancy groups. Their outputs should be combined at least twofold in a coincidence logic. The output signals of each of the coincidence logics shall lead to an actuation.

(2) For the actuation of each of a number of parallel partial protective actions, a separate trip channel shall be provided. Each of these parallel trip channels shall belong to a different redundancy group.
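The interplay of Section 5.5.1.4 (a limit value monitor with adjustable switching hysteresis and no seal-in) and Section 5.5.2 (trip channels of different redundancy groups combined in a coincidence logic) is easiest to see in a small model. The Python below is an added example, not part of KTA 3501 and not any vendor's protection logic: three channels in redundancy groups R1 to R3 each run a hysteresis limit monitor, and an m-out-of-n coincidence evaluates their trips. The same m-out-of-n function is what Section 6 later calls a 2-out-of-2 or 2-out-of-3 evaluation logic. Limit value, hysteresis and the two sample signal series are constructed.

```python
"""Limit value monitors with hysteresis feeding an m-out-of-n coincidence logic.

Added example; not part of KTA 3501.  Sections 5.5.1.4 and 5.5.2 are the
requirements being illustrated; the limit value 100.0, the hysteresis 2.0
and the sample series (arbitrary units) are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class LimitValueMonitor:
    """Upper limit value monitor (Section 5.5.1.4).

    The output trips when the signal exceeds `limit` and drops out only
    when the signal has fallen below `limit - hysteresis`.  There is no
    seal-in circuit: the output follows the process variable and resets
    by itself once the signal is back inside the permitted band.
    """
    limit: float
    hysteresis: float
    tripped: bool = False

    def evaluate(self, value: float) -> bool:
        if not self.tripped and value > self.limit:
            self.tripped = True
        elif self.tripped and value < self.limit - self.hysteresis:
            self.tripped = False
        return self.tripped


def coincidence(trips: Dict[str, bool], m: int) -> bool:
    """m-out-of-n coincidence over the trip signals of n redundancy groups.

    Each key is one redundancy group (Section 5.5.2 (1)).  The actuation is
    demanded when at least m groups trip, so for m >= 2 a single failed
    channel can neither cause an actuation by itself nor, for m <= n - 1,
    prevent it (it only costs one vote).
    """
    if not 1 <= m <= len(trips):
        raise ValueError("m must lie between 1 and the number of groups")
    return sum(1 for t in trips.values() if t) >= m


def run_channels(monitors: Dict[str, LimitValueMonitor],
                 samples: Dict[str, List[float]],
                 m: int) -> List[bool]:
    """Feed one sample series per redundancy group through its monitor and
    evaluate the coincidence logic at every time step."""
    steps = len(next(iter(samples.values())))
    actuation = []
    for i in range(steps):
        trips = {g: monitors[g].evaluate(samples[g][i]) for g in monitors}
        actuation.append(coincidence(trips, m))
    return actuation


def demo() -> Dict[str, List[bool]]:
    """Two constructed single-failure scenarios for a 2-out-of-3 evaluation."""
    def fresh() -> Dict[str, LimitValueMonitor]:
        return {g: LimitValueMonitor(limit=100.0, hysteresis=2.0)
                for g in ("R1", "R2", "R3")}

    # Channel R3 has failed high (stuck at 150) while the process stays at 90:
    # the single failure must not lead to an erroneous actuation.
    failed_high = {"R1": [90.0, 90.0, 90.0],
                   "R2": [90.0, 90.0, 90.0],
                   "R3": [150.0, 150.0, 150.0]}
    # Channel R3 has failed low (stuck at 0) while the process exceeds the limit:
    # the single failure must not prevent the actuation.
    failed_low = {"R1": [90.0, 101.0, 105.0],
                  "R2": [90.0, 101.0, 105.0],
                  "R3": [0.0, 0.0, 0.0]}
    return {"failed_high": run_channels(fresh(), failed_high, m=2),
            "failed_low": run_channels(fresh(), failed_low, m=2)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: actuation per step = {result}")
```

The hysteresis band is what keeps a signal hovering at the limit from chattering the trip output, which is why Section 5.5.1.4 (4) asks for the measuring range to keep clear of its end-points: a monitor whose reset point lies outside the range could never drop out.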

5.5.3 Priority Controls

(1) The priority of the signals from the reactor protection system over those from the operating controls shall be ensured. Signals of the operating controls and of the reactor protection system should be combined only in the control level, which comes after the logic level. The signals of the operating controls shall be decoupled from the signals of the reactor protection system.

(2) The priority controls shall be constructed to be separate in accordance with the individual trains. Signal connections between different trains are not permitted after the priority formation.

(3) In the case that, on account of the analysis of the chain of events in accordance with Section 3.1, protective actions for controlling the incident are designed to be manually actuated, the possibilities for manual intervention should not be realized in the control level but rather in the logic level of the reactor protection system.

(4) The combination of the signals of different safety related significance should occur in the control level according to priorities.

5.5.4 Individual Drive Controls

(1) The individual drive controls for a process engineering system shall be constructed to be separate in accordance with the individual trains and without intermeshing.

Note: It is assumed that the process engineering system is itself constructed in different trains.

(2) The time period that a control signal is sustained, including the permitted tolerances, shall be chosen such that the minimum time period required by the switching devices is adhered to.

(3) Coupling elements, e.g., interposing relays, shall safely function within the limits of the input and output voltages.

(4) In the case that control signals are transformed to different voltages and frequencies by coupling elements, e.g., interposing relays, the inputs and outputs of the coupling elements shall be reliably isolated from each other.

(5) The coupling elements, e.g., interposing relays, shall be designed and positioned such that no unallowable mechanical, thermal or electrical loading conditions will be caused in them by switching procedures in the switchgear.

5.5.5 Interlocks

(1) In the case of only one initiation criterion for the detection of an incident, the protection bypass of this initiation criterion shall be designed in accordance with Section 4.5.2.

(2) In the case of redundantly constructed initiation channels, the devices for switching or transferring measuring ranges shall be redundantly constructed.

Note: Three initiation channels require, e.g., three switching or transferring devices. The switching may be carried out manually or automatically.

(3) The switching and transfer actions regarding measuring ranges as well as the protection bypasses shall be cancelled automatically if the enabling conditions do not exist anymore.

5.6 Circuitry

The circuitry of the equipment of the reactor protection system shall be designed such that a definite sequence of operation is ensured. Component characteristics such as reaction time (Eigenzeit), tolerances, drift and incident behavior shall not unallowably influence the time-dependent sequence of the control signals.

6 Equipment Protection

(1) When a piece of equipment is demanded by the reactor protection system, the equipment protection should not become effective. This does not apply if consequential failures could be caused that impair the safety of the reactor facility more than a failure of the equipment. The suppression of the equipment protection shall be effected by the reactor protection system.

(2) Devices of the equipment protection whose signals have priority over signals of the reactor protection system shall be designed to such reliability that they do not determine the unavailability of the equipment and that erroneous actuations are reliably avoided. A common-mode failure in a device of the equipment protection shall not initiate protective actions with consequences according to Section 4.4.4 and shall not prevent full protective actions. These devices of the equipment protection shall shut off the equipment by a 2-out-of-2 or 2-out-of-3 evaluation logic when limit values are exceeded. A device of the equipment protection whose signals have priority over signals of the reactor protection system need not have a multichannel design if it is demonstrated that failures are improbable to such an extent that an erroneous shutdown of the equipment caused by this failure need not be considered.

(3) Devices of the equipment protection whose signals have priority over the signals of the reactor protection system shall be correlated to the train of the equipment to be protected and shall be designed in accordance with the requirements of Section 5.

(4) Devices for the manual override in the equipment protection shall be designed such that unauthorized interventions are made difficult.
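Sections 5.5.3 and 6 together define an ordering of signals in the control level: the reactor protection system outranks the operating controls, the equipment protection is suppressed while the reactor protection system demands the equipment, and only an equipment protection that has been justified to keep priority may still shut the equipment off, and then only through a 2-out-of-2 or 2-out-of-3 evaluation. The Python below is an added example of that priority formation for one train; it is not part of KTA 3501 and not any plant's control-level logic. The input structure, the command words "ON", "OFF" and "HOLD", and the choice to give every equipment protection device a 2-out-of-n evaluation (the standard requires it only for those with priority) are assumptions of the model.

```python
"""Priority formation in the control level of one train.

Added example; not part of KTA 3501.  Models Section 5.5.3 (priority of the
reactor protection system, combination only in the control level, trains
kept separate) and Section 6 (suppression of the equipment protection by the
RPS demand; justified equipment protection shuts off via 2-out-of-n).
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class TrainInputs:
    """Signals arriving at the control level of one train (assumed structure)."""
    rps_demand: bool             # logic-level output: the RPS demands the equipment, modelled as "ON"
    operational: Optional[str]   # "on", "off" or None from the operating controls
    ep_channels: Sequence[bool]  # limit value monitors of the equipment protection (2 or 3)
    ep_priority_over_rps: bool   # Section 6 (2): equipment protection justified to override the RPS


def equipment_protection_trip(channels: Sequence[bool], m: int = 2) -> bool:
    """Section 6 (2): shut-off by a 2-out-of-2 or 2-out-of-3 evaluation, so a
    single failed channel cannot cause an erroneous shutdown of the equipment."""
    if len(channels) not in (2, 3):
        raise ValueError("equipment protection evaluation needs 2 or 3 channels")
    return sum(1 for c in channels if c) >= m


def control_level(inp: TrainInputs) -> str:
    """Priority formation for one train; returns the drive command."""
    ep_trip = equipment_protection_trip(inp.ep_channels)
    if inp.rps_demand:
        if ep_trip and inp.ep_priority_over_rps:
            # Section 6 (1), second sentence: a consequential failure would be
            # worse than losing the equipment, so the justified equipment
            # protection keeps priority and shuts the equipment off.
            return "OFF"
        # Section 6 (1): the RPS demand suppresses the equipment protection;
        # Section 5.5.3 (1): the RPS has priority over the operating controls.
        return "ON"
    if ep_trip:
        return "OFF"
    # No protection signal present: the operating controls act.
    return {"on": "ON", "off": "OFF", None: "HOLD"}[inp.operational]


def resolve_trains(trains: Sequence[TrainInputs]) -> List[str]:
    """Section 5.5.3 (2): every train is resolved on its own; no signal of one
    train enters the priority formation of another."""
    return [control_level(t) for t in trains]


if __name__ == "__main__":
    # Constructed situation: train 1 is demanded by the RPS while the operator
    # has ordered it off; train 2 is idle with the operator's "off" standing.
    print(resolve_trains([
        TrainInputs(rps_demand=True, operational="off", ep_channels=(False, False, False), ep_priority_over_rps=False),
        TrainInputs(rps_demand=False, operational="off", ep_channels=(False, False, False), ep_priority_over_rps=False),
    ]))
```

Two points of the model are worth noticing when reviewing real priority modules: the suppression in the first branch is decided by the reactor protection demand itself, as Section 6 (1) requires, not by a separate operator switch; and a single tripped equipment protection channel never changes the command, which is the property Section 6 (2) demands of a device allowed to override the reactor protection system.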

7 Limitations of Process Variables

(1) The initiation signals of the limitations of process variables shall be automatically recorded.

(2) The limitations of process variables shall be constructed redundantly and shall be decoupled for non-interaction from each other and from the operating system.

(3) They should not be able to be deactivated except for the sake of testing.

(4) The limitation of process variables shall have priority over operational controls.

(5) Detected failures shall be signaled by class I alarms and in such a way that they can definitely be localized.

(6) It shall be possible to test them for functional capability during specified normal operation without unallowable reduction in the safety of the plant.

(7) It shall be possible to test for a deviation of the limitation value from the design-base value.

(8) The limitation values including the safety margins shall be specified under consideration of the measurement errors.

(9) The quality of the equipment shall be demonstrated.

(10) The equipment shall meet the requirements of the environmental and operating conditions.

(11) The mechanical construction shall correspond to the reactor protection system in accordance with Section 5.4.

(12) The initiation channels shall be equipped with a continuous measurement value comparator.

(13) The limitations of process variables shall be subjected to preoperational and commissioning tests as well as in-service inspections.

8 Ventilation Systems for Cooling the Reactor Protection System

(1) The spatial accommodation of the equipment of the reactor protection system shall be such that it is ensured that the room temperature allowed for the reactor protection system is not exceeded upon failure of the entire ventilation system; otherwise, ventilation systems shall be provided that are designed in accordance with (2) and (3) of this section.

Note: For example equipment which is not relevant to safety may be shut off to maintain the permissible room temperature.

(2) The ventilation system for the reactor protection system including the respective cooling circuits shall be constructed redundantly such that the equipment of the reactor protection system is properly cooled and the reactor protection system is ensured to remain in functioning order even in the event of a random failure in the reactor protection system or of a failure-inducing event in accordance with Section 4.2.2.

Note: A simultaneous occurrence of the failure-inducing events according to Section 4.2 need not be assumed.

(3) Equipment of the reactor protection system that requires cooling shall be provided with ventilation systems that are connected to the emergency power supply.

(4) In deviation from the requirements of (2) and (3), equipment of the reactor protection system which is located in plant component rooms or measuring-transducer rooms may be cooled by the general ventilation systems of the restricted-access area due to its comparatively negligible heat development, provided that the requirements in accordance with (1) are met.

9 Electrical Power

(1) Equipment of the reactor protection system that requires electrical power shall be supplied from a non-interruptible emergency power supply with battery power storage operating in parallel to a rectifier facility. The corresponding emergency power supply system is subject to the requirements of KTA 3701.1. Power supply equipment inside the reactor protection system shall comply with the requirements of Sections 5.1 and 11.1 of KTA 3501.

(2) The power supply equipment of the reactor protection system shall be redundantly constructed such that the reactor protection system is sufficiently supplied even upon occurrence of a failure-inducing event in accordance with Section 4.2 under consideration of the basic assumptions in accordance with Section 4.4.1.

(3) The power supply equipment shall be redundantly constructed such that, even in case of a failure of a subsystem of the supply equipment, the power requirements of the reactor protection system are met.

(4) The equipment of the electrical power supply and of the reactor protection system shall be matched to each other with respect to their characteristics, e.g., voltage, power, current, frequency, capacity.

(5) The capacity of each battery, on the assumption that the power requirement of a train is supplied from only this battery, shall be designed such that the supply can be kept up for at least 30 minutes without the voltage at a component of the reactor protection system falling below the allowed minimum voltage.

10 Alarms

10.1 General

The following classes shall be distinguished in the design of alarm equipment: a) class S alarms (safety hazard alarms), b) class I alarms, c) class II alarms.

10.2 Class S Alarm Equipment

10.2.1 Application

Manual initiation of protective actions is permitted provided the requirements according to Section 4.5.3 are met and the time-span between detection of the incident and initiation of the protective action is sufficiently large. The countermeasures that are to be initiated following class S alarms (safety hazard alarms) shall be unambiguously correlated to the respective alarms; the class S alarms, the respective countermeasures and the time-span available for their initiation, the expected displays and checkback signals shall be specified in writing as a definite instruction to the operating personnel.


10.2.2 Design

(1) Class S alarms shall signal the hazard condition by visual and acoustical means.

(2) Class S alarm equipment and the visual and acoustical alarm facility shall be designed such that, in the event of an incident, an incident alarm is given even if a random failure occurs in the class S alarm facility.

(3) Class S alarm equipment shall be constructed to be redundant and independent of each other and shall be able to be tested during specified normal operation. Signals may be decoupled from that part of the reactor protection system that is used for the automatic actuation of protective actions. This shall not lead to any interactions.

(4) Class S alarms shall be displayed as distinctly different from the class I and class II alarms.

(5) Class S alarms shall be stored [buffered].

(6) The visual alarms of the class S alarms shall, within the framework of the concept of the control room, be spatially grouped together.

(7) The visual alarms of the class S alarms shall be designed such that the alarm condition is continuously indicated, e.g., as registered, acknowledged or cancelled.

(8) The visual alarms of the class S alarms shall be supplied from a non-interruptible emergency power supply with battery power storage operating in parallel to a rectifier facility.

(9) It shall be ensured by lettering, illumination and unambiguous wording that class S alarms are recognizable.

(10) Visual alarms of the class S alarms should be designed for a sufficient operating life and shall be able to be tested at all times using built-in testing devices.

10.3 Class I Alarm Equipment

10.3.1 Application

The reactor protection system and the active safety system equipment shall be equipped with class I alarms for alerting the operating personnel to eliminate the respective fault.

Note: This class encompasses, e.g., in the case of the reactor protection system the collective alarm "limit value monitor triggered", in the case of the emergency feed-water supply the alarm "demineralized water supply tank level too low", in the case of actuator drives the collective alarm "faulted position operating-readiness".

10.3.2 Design

(1) Class I alarms must indicate the hazard condition by visual and acoustical means.

(2) Class I alarms shall be differently displayed from class II alarms, such that they can be distinguished from each other.

(3) The individual alarms of functionally related components may be combined into collective alarms if the origin of the individual alarms can be localized. In this case the individual alarms need not belong to class I.

(4) Visual class I alarms which functionally belong together should be spatially grouped together and located where, within the control room concept, they are best suited with respect to the process controls.

(5) The visual class I alarms shall be designed such that the state of the alarm is continuously indicated, e.g., as registered, acknowledged or cancelled.

(6) The class I alarm facility, including the individual alarms combined into collective alarms, shall be supplied from a non-interruptible emergency power supply with battery power storage operating in parallel to a rectifier facility.

(7) The recognizability of the class I alarms shall be ensured by proper lettering, illumination and unambiguity in the wording.

(8) Visual class I alarm facilities should be designed for a sufficient service life and shall be able to be tested at all times using built-in testing devices.

11 Tests and Inspections

11.1 Tests and Inspections of the Reactor Protection System and of the Equipment of Class S Alarms

11.1.1 Qualification Tests of the Equipment Types

11.1.1.1 Supplementary Type Tests for Service-Proved Equipment

(1) In the case of service-proved equipment, supplementary type tests shall be carried out to demonstrate certain characteristics not yet certified in accordance with Section 5.1.1.

(2) The documents for the theoretical part of the type tests should be prepared by the manufacturer. These documents should be checked by the authorized expert (under Sec. 20 Atomic Energy Act). The testing program for the practical part of the type tests should be prepared by the manufacturer and agreed upon by the authorized expert (under Sec. 20 Atomic Energy Act). The practical tests should be carried out by the works inspector.

(3) In the case of modules of the reactor protection system and of the protection limitations, the type tests shall be carried out in accordance with KTA 3503.

(4) In the case of sensors and measuring transducers of the reactor protection system and of the protection limitations the type tests shall be carried out in accordance with KTA 3505.

11.1.1.2 Demonstration of Suitability

The plant-specific suitability of service-proved equipment in accordance with Section 5.1.1 (2) or of type-tested equipment in accordance with Sections 11.1.1.1 or 11.1.1.2 shall be demonstrated during the procedure at the design review by comparing the characteristics of the equipment with the requirements in accordance with Sections 4, 5 and, in the case of equipment for class S alarms, 10.2.

Note: The demonstration of suitability can lead to the result that, in addition to the type test in accordance with Sections 11.1.1.1 or 11.1.1.2, further practical or theoretical tests are required.

11.1.2 Factory Tests

The correct manufacturing of the electrotechnical modules, equipment and system parts of the safety system shall be demonstrated by a factory test.

Note: Requirements regarding the factory tests are dealt with in safety standard KTA 3507.

11.1.3 System Tests

The system tests shall be performed in accordance with KTA 3506.


11.2 Tests and Inspections of the Equipment for Class I Alarms

(1) Equipment for class I alarms shall be subjected to factory tests.

Note: Requirements regarding the factory tests are dealt with in safety standard KTA 3507.

(2) Equipment for class I alarms shall be subjected to a system test in accordance with KTA 3506.

12 Compilation of Information on the Reactor Protection System Required in the Licensing and Supervisory Procedure

The documents on the reactor protection system that are required for review in the nuclear licensing and supervisory procedure are specified in the "Compilation of Information Required for Review in the Nuclear Licensing and Supervisory Procedure for Nuclear Power Plants (ZPI)" ratified by the States Committee on Nuclear Energy on Sep. 7, 1982 and made public by the Federal Minister of the Interior on Oct. 20, 1982.

Appendix A

Regulations Referred to in this Safety Standard

(Regulations referred to in this safety standard are valid only in the versions cited below. Regulations which are referred to within these regulations are valid only in the version that was valid when the latter regulations were established or issued.)

Atomic Energy Act Act on the Peaceful Use of Nuclear Energy and the Protection Against its Hazards (Atomic Energy Act - Atomgesetz), made public on Oct. 31, 1976 (BGBl. I, page 3053), last modified on Aug. 20, 1980 (BGBl. I, page 1556)

Incident Guidelines 1983-10 Guidelines for the Assessment of the Design of Nuclear Power Plants with Pressurized Water Reactors against Incidents pursuant to Section 28(3) of the Radiological Protection Ordinance, made public on Oct. 18, 1983 (BAnz No. 245a of Dec. 31, 1983)

Single Failure Concept 1983-03 Interpretations regarding Safety Criteria for Nuclear Power Plants, Single Failure Concept; Basics for Applying the Single Failure Criterion, made public on May 10, 1984 (GMBl. No. 13, page 208)

ZPI 1982-10 Compilation of Information Required for Review Purposes under the Licensing and Supervisory Procedures for Nuclear Power Plants, made public on Oct. 20, 1982 (BAnz No. 6a of Jan. 11, 1983)

KTA 3503 1982-06 Type Testing of Electrical Modules for the Reactor Protection System

KTA 3505 1984-11 Type Testing of Measuring Transmitters and Transducers of the Reactor Protection System

KTA 3506 1984-11 System Tests of the Instrumentation and Control Equipment of the Safety System in Nuclear Power Plants

KTA 3701.1 1978-06 General Requirements for the Electrical Power Supply of the Safety System in Nuclear Power Plants; Part 1; Single-Unit Plants