Nuclear I&C Design: Design Process and Requirements of Nuclear Instrumentation and Control Systems


Budapest University of Technology and Economics, Faculty of Transportation Engineering and Vehicle Engineering

Department of Control for Transportation and Vehicle Systems

Simplified I&C Safety Life-Cycle

• Requirements from the plant safety design base
• I&C architectural design: assignment of functions to I&C systems
• Safety life cycle of I&C system 1 … I&C system n, each with:
  • system requirements specification
  • …
  • system installation
• Overall integration and commissioning
• Overall operation and maintenance

12/7/2015 Nuclear I&C Systems Safety 2


Safety Standards for Different Fields


IEC Nuclear I&C Standards

IEC No. | MSZ No. | Title
IEC 61226:2009 | MSZ EN 61226:2011 | Nuclear power plants – Instrumentation and control important to safety – Classification of instrumentation and control functions
IEC 61513:2001 | MSZ IEC 61513:2011 | Nuclear power plants – Instrumentation and control for systems important to safety – General requirements for systems
IEC 60987-2:2007 | MSZ EN 60987:2009 | Nuclear power plants – Instrumentation and control important to safety – Hardware design requirements for computer-based systems
IEC 60880-2:2006 | MSZ EN 60880:2010 | Nuclear power plants – Instrumentation and control systems important to safety – Software aspects for computer-based systems performing category A functions
IEC 62138:2004 | MSZ EN 62138:2009 | Nuclear power plants – Instrumentation and control important for safety – Software aspects for computer-based systems performing category B or C functions


IEC Nuclear I&C Standards (continued)

IEC No. | MSZ No. | Title
IEC 61227:2008 | MSZ IEC 61227:2011 | Nuclear power plants – Control rooms – Operator controls
IEC 61225:2005 | MSZ IEC 61225:2011 | Nuclear power plants – Instrumentation and control systems important to safety – Requirements for electrical supplies
IEC 62340:2007 | – | Nuclear power plants – Instrumentation and control systems important to safety – Requirements for coping with common cause failure (CCF)
IEC 60709:2004 | MSZ EN 60709:2011 | Nuclear power plants – Instrumentation and control systems important to safety – Separation
IEC 60780:1998 | MSZ IEC 60780:2011 | Nuclear power plants – Electrical equipment of the safety system – Qualification
IEC 61500:2009 | MSZ IEC 61500:2011 | Nuclear power plants – Instrumentation and control important to safety – Data communication in systems performing category A functions
IEC TR 61000 ser. | MSZ EN 61000 ser. | Electromagnetic compatibility requirements


The Use of IEC Standards in the Design Process

• Requirements from the plant safety design base: IEC 61226 (Classification of I&C functions)
• I&C architectural design, assignment of functions to I&C systems: IEC 61513 (General requirements for systems)
• Design and implementation of the I&C hardware: IEC 60987 (Hardware design requirements)
• Design and implementation of the I&C software:
  • IEC 60880 (Software aspects for computer-based systems performing category A functions)
  • IEC 62138 (Software aspects for computer-based systems performing category B or C functions)


Comparison of Different Classification Systems

Nat. or intl. standard | Systems important to safety: safety | Systems important to safety: safety related | Systems not important to safety
IAEA NS-R-1 | Safety | Safety Related | Systems Not Important to Safety
IEC 61226 (functions) | Category A | Category B, Category C | Unclassified
IEC 61513 (systems) | Class 1 | Class 2, Class 3 | Unclassified
Canada | Category 1 | Category 2, Category 3 | Category 4
France N4 | 1E | 2E, SH | Systems Not Important to Safety
EUR | F1A (Aut.) | F1B (A./M.), F2 | Unclassified
Russian Fed. | Class 2 | Class 3 | Class 4 (N/I. to Safety)
USA and IEEE | SR / Class 1E | (No name assigned) | Non-nuclear Safety
R. of Korea | IC-1 | IC-2 | IC-3


Correlation Between IEC Classes and Categories

Categories of I&C functions important to safety (according to IEC 61226) | Corresponding classes of I&C systems important to safety (according to IEC 61513)
A (B) (C) | 1
B (C) | 2
C | 3

• I&C functions of category A may be implemented in class 1 systems only
• I&C functions of category B may be implemented in class 1 and 2 systems
• I&C functions of category C may be implemented in class 1, 2, and 3 systems


System Architecture

The architecture of the system is constrained by the category of the functions to be implemented within the system and by the defence-in-depth concept.

a) The system may implement functions of the highest category allowed for its class and functions of lower categories:
  1) the design requirements for each subsystem shall not be lower than those required by the function of the highest category implemented by the subsystem;
  2) the design of the system shall ensure that the requirements of the subsystems or equipment of the higher classes are satisfied in case of failure of the equipment of the lower class.

b) The design of the system shall include redundancy and other features necessary to provide tolerance to failure and to accommodate the functions important to safety.
  • The system may also include redundancy to fulfil availability requirements. The need for such redundancies is defined at the level of system design.

c) The design of the system shall satisfy any independence requirements to
  • prevent propagation of failures from systems of lower importance to safety;
  • prevent propagation of failures between redundant trains providing category A functions.

d) The design of class 1 systems shall include sufficient redundancy to meet the single-failure criterion for category A functions during operation and maintenance.
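The category-to-class correlation above and rule a.1 on subsystems are easy to get wrong during function allocation, so here is an added example (my own code, not from the lecture) that checks an allocation against both rules; the Function data class, the function names and the sample allocation are assumptions.

```python
# Added example, not from the lecture slides: the IEC 61226 category to
# IEC 61513 class correlation and rule a) of the "System Architecture" slide
# as a checkable allocation rule. Function names, the Function data class and
# the sample allocation below are my own assumptions.
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Least demanding class that may still host a function of the category.
# Class 1 is the most demanding, so a category may also go into any
# lower-numbered (more demanding) class.
LEAST_DEMANDING_CLASS = {"A": 1, "B": 2, "C": 3}


def allowed_classes(category: str) -> List[int]:
    """Classes in which a function of this category may be implemented:
    A -> [1], B -> [1, 2], C -> [1, 2, 3]."""
    return list(range(1, LEAST_DEMANDING_CLASS[category] + 1))


def may_host(system_class: int, category: str) -> bool:
    """True when a system of system_class may implement this category."""
    return system_class in allowed_classes(category)


@dataclass(frozen=True)
class Function:
    name: str
    category: str  # "A", "B", "C", or "U" for a function not important to safety


def required_class(functions: Iterable[Function]) -> Optional[int]:
    """Class a (sub)system must be designed to, given the functions allocated
    to it: the design requirements must not be lower than those of the highest
    category it implements (rule a.1), i.e. the smallest class number.
    None when nothing important to safety is allocated."""
    classes = [LEAST_DEMANDING_CLASS[f.category] for f in functions
               if f.category in LEAST_DEMANDING_CLASS]
    return min(classes) if classes else None


def allocation_violations(system_class: int, functions: Iterable[Function]) -> List[str]:
    """Functions whose category is not allowed in a system of system_class."""
    return [f"{f.name}: category {f.category} may not be implemented in a class "
            f"{system_class} system (allowed: {allowed_classes(f.category)})"
            for f in functions
            if f.category in LEAST_DEMANDING_CLASS and not may_host(system_class, f.category)]


if __name__ == "__main__":
    # Constructed sample allocation for a system intended to be class 2.
    planned = [Function("power limitation", "B"),
               Function("process monitoring", "C"),
               Function("reactor trip", "A")]  # wrongly allocated to a class 2 system
    print("class required by the allocated functions:", required_class(planned))  # 1
    for problem in allocation_violations(2, planned):
        print("violation:", problem)
```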


Overall Requirements: IEC Class 1

• Single (random) failure criterion
  • robustness with respect to errors
• Low complexity
  • defensive design against CCF
• Deterministic behavior for computer-based systems:
  • cyclic behavior
  • preferably stateless behavior
  • load independent of external conditions
  • static resource allocation
  • guaranteed response times
• Software developed according to stringent nuclear industry standards (e.g. IEC 60880)


Overall Requirements: IEC Class 2

• Controlled complexity
• Confidence based in particular on analysis of the system design
• High quality software
  • IEC 62138 is usually required for new development
  • not necessarily developed according to nuclear industry standards (e.g. pre-developed software)


Overall Requirements: IEC Class 3

• No specific limit for complexity
• Confidence mainly based on:
  • proven application of quality standards
  • global demonstration of fitness
• Specific demonstrations may be required on identified topics


Consistency with System-Level Constraints

• Predictable behavior (Classes 1 & 2):
  • precise specification of component behavior
  • documented conditions of use in the system
• Deterministic behavior (Class 1):
  • static resource allocation
  • static parameterization
  • preferably stateless behavior
  • clear-box (with limited exceptions)
  • proven maximum response time
  • proven robustness against consequences of errors


Specific Design Requirements: Selected Requirements from the Nuclear Safety Code (NSC)


NSC: Safety Level of Plant Functions

Operating state | Description | Event frequency f [1/y]
DBC1 | Normal operation | –
DBC2 | Anticipated operational occurrences | f ≥ 10^-2
DBC3 | Infrequent design basis accidents | 10^-2 > f ≥ 10^-4
DBC4 | Rare design basis accidents | 10^-4 > f ≥ 10^-6

a) F1A level to the safety functions that are required to bring DBC2-4 operating states to a checked condition;

b) F1B level to the safety functions that
  ba) are required to bring the nuclear power plant unit from DBC2-4 operating states to a safe shutdown state and keep it in a safe shutdown state for at least 24 hours,
  bb) replace the F1A functions following their failure, and help to keep the BDB operating states in the DEC1 operating state,
  bc) all normal operating functions, the loss of which may result directly in TA3-4 operating states.


NSC: Safety Level of Plant Functions (continued)

c) F2 level to the safety functions that
  ca) are required after 24 hours following the DBC2-4 operating states to keep the nuclear power plant unit for at least 72 more hours in a safe shutdown state,
  cb) the safety functions taken into consideration in the extension of the design basis,
  cc) are designed to prevent malfunctions not related to the active zone of the nuclear reactor, and
  cd) all normal operating functions, the loss of which may cause DBC2 operating state and directly initiate reactor protection function activation.


Fundamental Safety Functions

„The fundamental safety functions shall be fulfilled in case of DBC1-4 operating conditions. The fundamental safety functions shall be met after DEC1 operational status to the extent necessary for bringing the nuclear reactor to a controlled, safe shutdown state; and following DEC2 plant damage status to the extent necessary for bringing the plant to a safe state after a major accident.” (NSC 3a.2.1.1000)

„Systems shall be designed to fulfill the fundamental safety functions.” (NSC 3a.2.1.1100)

„In order to meet the fundamental safety functions, all safety functions and the systems executing them must be defined for all operating conditions (including normal operation as well) by safety and other analyses.” (NSC 3a.2.1.1200)

„Removal of the residual heat into the final heat sink must be ensured, so that the frequency of the loss of heat removal function is smaller than 10^-7/year.” (NSC 3a.2.1.1300)


Connection with the Plant Design Basis

„The technological function specification of the I&C systems must comply with the following requirements:

a) It identifies the control tasks in accordance with the technological objectives and requirements,

b) Assigns a unique identification code to every control task,

c) Classifies the control tasks into functional safety levels based on the importance to safety of the given task and assigns them to the appropriate level of defense in depth,

d) Specifies the independence criteria related to the functions, including the diversity requirements,

e) Determines the response times for the functions,

f) Defines the safe state or position for every output, which must be set in case of the detected failure of the output,

g) Defines the tasks, which require operator intervention in the DBC1-4 and DEC1 operation conditions of the nuclear power plant in such a way, that the operating personnel are able to perform them,

h) Applies a multi-level, well-structured, formal language description method beside the human language description form,

i) Prescribes an automated system for the formal checking and verification,

j) Contains the information necessary for performing the operator tasks and for monitoring the automatic tasks,

k) Defines the accuracy requirements for the operational limits and for displaying the analog values,

l) Defines the requested reliability requirements, and

m) Specifies simulation methods for the functional assessment and validation of programmable I&C systems classified into safety class ABOS2.” (NSC 3a.4.5.3200)


Single Failure Criterion

„The principle of single failure criterion must be applied in the design process. The possibility of inadvertent operation of the system components must be handled as a possible failure mode. The failure of a passive component must be taken into account unless it can be demonstrated that the failure of the passive component is of very low probability or it has no effect on the given function.” (NSC 3a.3.1.1100)

Compliance with the single failure criterion during the design of the I&C system architecture can be achieved by incorporating the appropriate level of redundancy. The effectiveness of the design solutions applied to fulfill the single failure criterion must be proved by deterministic and probabilistic analyses (e.g. fault tree analysis) (cf. NSC 3a.4.5.4400).

„In point of F1A, F1B and F2 functions the single failure tolerance capability must be maintained continuously. F1A, F1B or F2 function loss must not be allowed even in case of maintenance or manually initiated tests. In case of F1A and F1B functions a single failure must not cause undesired operation either. It must be demonstrated that the applied architecture complies with the reliability requirements.” (NSC 3a.4.5.4400)


Redundancy schemes

• Stand-by redundancy
  • stand-by system does not participate in normal operation
  • cold redundancy
  • failover / switchover
• Forms of redundancy: static, dynamic passive, dynamic active
• Distributed functionality
  • error handling: error detection, fault diagnosis, fault isolation, reconfiguration, graceful degradation
• m-out-of-n redundancy
  • parallel channels (trains)
  • majority voting: the voter is the „hard core”
  • safety orientation: fail-safe intervention, safety > availability


Paks NPP Safety Architecture

• Triple redundancy
  • 2-out-of-3 voting
• Safety orientation
• Self-testing and error detection
• Double diversity
  • functional and signal diversity
• TELEPERM XS platform


Testing, self-tests

„In point of F1A, F1B and F2 functions the single failure tolerance capability must be maintained continuously. F1A, F1B or F2 function loss must not be allowed even in case of maintenance or manually initiated tests. In case of F1A and F1B functions a single failure must not cause undesired operation either. It must be demonstrated that the applied architecture complies with the reliability requirements.” (NSC 3a.4.5.4400)

„All components of the I&C systems classified into safety class ABOS2 and ABOS3 must have an automatic self-diagnostic capability. In case of a failure identified during the self-test a message must be generated for the operator and, if necessary, the outputs of the subsystem must be set to predetermined states that act in the direction of safety according to the requirements in NSC 3a.4.5.3200.” (NSC 3a.4.5.4500)

„Manually initiated automated testing option must be provided for the identification of the failures, which cannot be detected by self-tests in the I&C systems classified into safety class ABOS2 and ABOS3, and for the demonstration of the operability of safety functions. Built-in equipment must be applied for the execution of manually initiable automated testing. The appropriateness of the test cycle time must be verified by safety assessment.” (NSC 3a.4.5.4600)
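The single failure criterion (NSC 3a.4.5.4400), the m-out-of-n voting of the redundancy slides and the safety-oriented reaction to a self-test failure (NSC 3a.4.5.4500) can be checked together on a small voter model. The example below is added here and is not code from the lecture or from any plant platform; the two failure modes, the function names and the policy that a channel with a detected failure votes in the safe direction are my assumptions.

```python
# Added example, not from the slides: a model of an m-out-of-n voted trip
# function used to check the single failure criterion (NSC 3a.4.5.4400) and
# the safety-oriented handling of self-test results (NSC 3a.4.5.4500).
# Function names, the two failure modes and the "detected failure votes for
# trip" policy are my own assumptions.
from itertools import product
from typing import Dict, List, Optional, Sequence, Tuple

TRIP, NO_TRIP = True, False
Failure = Tuple[int, str]  # (channel index, failure mode)


def vote(outputs: Sequence[bool], m: int) -> bool:
    """m-out-of-n voter: actuate when at least m of the n channel outputs demand it."""
    return sum(1 for o in outputs if o) >= m


def channel_output(demand: bool, failure: Optional[str]) -> bool:
    """Output of one channel for the true plant demand and an undetected
    random failure: None (healthy), 'stuck_trip' or 'stuck_no_trip'."""
    if failure == "stuck_trip":
        return TRIP
    if failure == "stuck_no_trip":
        return NO_TRIP
    return demand


def single_failure_report(m: int, n: int) -> Dict[str, List[Failure]]:
    """Enumerate every single undetected channel failure against both plant
    states. 'loss_of_function': a real demand is not actuated (forbidden for
    F1A/F1B/F2). 'spurious': actuation without demand (forbidden for F1A/F1B)."""
    report: Dict[str, List[Failure]] = {"loss_of_function": [], "spurious": []}
    for idx, mode, demand in product(range(n), ("stuck_trip", "stuck_no_trip"), (TRIP, NO_TRIP)):
        failures: List[Optional[str]] = [None] * n
        failures[idx] = mode
        actuated = vote([channel_output(demand, f) for f in failures], m)
        if demand and not actuated:
            report["loss_of_function"].append((idx, mode))
        if not demand and actuated:
            report["spurious"].append((idx, mode))
    return report


def meets_single_failure_criterion(m: int, n: int, spurious_forbidden: bool = True) -> bool:
    """True when no single channel failure loses the function and, for F1A/F1B
    functions, none causes undesired operation either."""
    r = single_failure_report(m, n)
    return not r["loss_of_function"] and (not spurious_forbidden or not r["spurious"])


def vote_with_self_test(outputs: Sequence[bool], healthy: Sequence[bool], m: int) -> bool:
    """Voter fed with self-test status. A channel whose self-test reported a
    failure is set to its predetermined safe-direction state before voting,
    here a TRIP vote (assumption: trip is the safe direction), so a detected
    failure can never mask a demand. A 2oo3 group with one detected failure thus
    degrades to 1oo2 on the remaining channels: safety is kept ahead of availability."""
    effective = [o if ok else TRIP for o, ok in zip(outputs, healthy)]
    return vote(effective, m)


if __name__ == "__main__":
    for m, n in ((1, 1), (1, 2), (2, 2), (2, 3), (2, 4)):
        print(f"{m}oo{n}: F1A/F1B ok={meets_single_failure_criterion(m, n)}, "
              f"F2 ok={meets_single_failure_criterion(m, n, spurious_forbidden=False)}")
    # Channel 0 failed its self-test, the other two see no demand: no spurious trip.
    print(vote_with_self_test([NO_TRIP, NO_TRIP, NO_TRIP], [False, True, True], 2))  # False
    # Channel 0 failed its self-test, channel 1 sees a demand: trip (1oo2 among the healthy).
    print(vote_with_self_test([NO_TRIP, TRIP, NO_TRIP], [False, True, True], 2))  # True
```

The enumeration shows why the Paks 2-out-of-3 scheme satisfies both halves of NSC 3a.4.5.4400 while 1oo2 fails on undesired operation and 2oo2 fails on loss of function.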


4-out-of-2 Protection Architecture

• 1st channel: functionality
• 2nd channel: fault detection, prevention of actuation masking, fail-safe intervention
• 3rd channel: prevention of spurious actuation
• 4th channel: guarantee of safety during maintenance and testing


Redundant distributed I&C in a modern NPP

[Figure: block diagram of the plant I&C. Conventional control panels; SR and NC I&C on SPPA-T2000 (ES 680 Engineering System, OM 690 Process Information and Operating System, DS 670 Diagnosis System, AS 620 / AS 620B Automation System with FUM modules, cabinet bus / Profibus DP, plant bus); Safety and SR I&C on TELEPERM XS (SPACE Engineering System, Reactor Protection System, Reactor Limitation and Control System, AV42 Priority Actuator Control (PAC)); both parts connect through the plant bus and priority actuator control to the field devices (M).]


Defence-in-Depth, CCF

„The architecture of the I&C systems must correspond to the levels of defense in depth. The levels suited with the defense in depth must be separated from each other to the maximum extent reasonably practicable.” (NSC 3a.4.5.4100)

„In case of I&C systems classified into safety class ABOS2 the possibility of common cause failures must be minimized by applying an appropriate level of functional or component-level diversity. The necessary extent of diversity must be derived from the required reliability requirements. It must be demonstrated by analysis that the probability of the common cause failures is sufficiently low when applying the selected solution.” (NSC 3a.4.5.4700)

„In case of commands belonging to different safety levels priority should be given to the command of the higher safety level led to the actuator. The deviation from the above must be verified by an analysis. The safety class of the system component that realizes the priority generation function must be determined based on the safety level of the command belonging to the highest safety level function, which is managed by it.” (NSC 3a.4.5.3000)
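NSC 3a.4.5.3000 is the rule a priority actuator control module (the AV42 PAC in the architecture figure) implements. The following is an added illustration, my own code rather than the lecture's or any vendor's: it resolves commands of different safety levels to one actuator and derives the level the priority module must be classified for. The F1A > F1B > F2 > non-safety ordering follows the slides; the Command/Decision types, the same-level conflict handling and the sample commands are assumptions.

```python
# Added example, not from the slides: a priority actuator control model for
# NSC 3a.4.5.3000, where commands of different safety levels reach the same
# actuator and the higher level must win, plus the rule that the priority
# module is classified by the highest level it manages. The level ordering
# follows the slides; the Command/Decision types, the same-level conflict
# handling and the sample commands are my own assumptions.
from dataclasses import dataclass, field
from typing import List, Optional

LEVEL_RANK = {"F1A": 3, "F1B": 2, "F2": 1, "NS": 0}  # NS = non-safety function


@dataclass(frozen=True)
class Command:
    source: str   # issuing I&C system, e.g. "reactor protection"
    level: str    # safety level of the function issuing the command
    action: str   # requested actuator action, e.g. "CLOSE"


@dataclass
class Decision:
    action: Optional[str]
    winner: Optional[Command]
    overridden: List[Command] = field(default_factory=list)
    conflict: bool = False  # commands of the same, highest level disagree


def resolve_priority(commands: List[Command], safe_position: str) -> Decision:
    """Drive the actuator with the highest-level command present; commands of
    lower levels are overridden. Assumption: if commands of the same highest
    level contradict each other, the predefined safe position of the output
    (NSC 3a.4.5.3200 f) is selected and the conflict is flagged for analysis."""
    if not commands:
        return Decision(action=None, winner=None)
    top = max(LEVEL_RANK[c.level] for c in commands)
    top_cmds = [c for c in commands if LEVEL_RANK[c.level] == top]
    overridden = [c for c in commands if LEVEL_RANK[c.level] < top]
    if len({c.action for c in top_cmds}) > 1:
        return Decision(action=safe_position, winner=None, overridden=overridden, conflict=True)
    return Decision(action=top_cmds[0].action, winner=top_cmds[0], overridden=overridden)


def priority_module_level(commands: List[Command]) -> str:
    """Safety level the priority-generation component must be classified for:
    that of the highest-level command it manages (NSC 3a.4.5.3000)."""
    return max(commands, key=lambda c: LEVEL_RANK[c.level]).level


if __name__ == "__main__":
    # Constructed sample: operational control and the limitation system want
    # the valve open while the reactor protection system (F1A) demands it closed.
    cmds = [Command("operational control", "NS", "OPEN"),
            Command("limitation system", "F1B", "OPEN"),
            Command("reactor protection", "F1A", "CLOSE")]
    d = resolve_priority(cmds, safe_position="CLOSE")
    print(d.action, "from", d.winner.source, "overriding", [c.source for c in d.overridden])
    print("priority module must be classified for level:", priority_module_level(cmds))
```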


Defence-in-Depth, CCF (continued)

The different levels of defense in depth must be realized by separated, independent sub-systems in the I&C system. The extent of the separation between the levels and the method of the applied diversity is determined by the technological function specification of the I&C system. The separated, independent sub-systems must not be affected by each other, they must not use common measurements and must be separated from each other as much as practicable on the intervention level. If the application of a common measurement is inevitable, its necessity and the appropriateness of the measures used to achieve the desired reliability must be analyzed individually. It must be guaranteed (and demonstrated) that any failure of a system classified into a lower safety level cannot affect the functions of systems at a higher safety level.

„In case of systems classified into safety class ABOS2 or ABOS3 the following justificatory analyses must be prepared:
a) Deterministic analysis of the fulfillment of the single failure criterion,
b) Hardware and software failure modes and effects analysis,
c) Function and task analysis for the creation of human-system interface and the determination of the level of automation,
d) Analysis of common cause failure probabilities, particularly the specified design, manufacturing, software and hardware, environmental impact, maintenance problems, the application of the same system or system component in different lines of defense in depth, architecture, separations, sufficient diversity,
e) Probabilistic reliability analysis,
f) Test coverage analysis.” (NSC 3a.4.5.2100)


Diversity Concept

• Signal diversity
• Functional diversity
• Hardware diversity:
  • different data representation;
  • different program execution principle;
  • different architecture.
• Software diversity:
  • different algorithms, logic and program architecture;
  • different timing or order of actions;
  • different operating systems;
  • different programming languages.


Hardware (Equipment) Diversity

• Programmable hardware
  • Digital
    • Microprocessor, microcontroller: MIPS, ARM; VLIW, superscalar
    • Programmable logic device:
      • CPLD (complex programmable logic device)
      • FPGA (field-programmable gate array): SRAM FPGA, Flash FPGA, silicon antifuse FPGA
  • Analog
    • Analog computer
    • FPAA (field-programmable analog array)
  • Hybrid (mixed-signal)
    • Hybrid customizable System-on-Chip


Hybrid Customizable System-on-Chip (cSoC)


Diverse Implementation (on-chip)

Same technology (μP):
• Two-core implementation
• Redundant similar processes
  • same algorithm → code
  • potential for CCF
• Different code/algorithms
  • requires higher speed processors

Diverse (hybrid) technologies:
• MCU/FPGA implementation
• Redundant dissimilar processes
  • same algorithm designed twice
  • HW & SW implemented on the same die
• Different code / algorithms
  • build parallel processing elements


WENRA Defence-in-Depth Concept for New NPPs

| Level of defence in depth | Objective | Essential means | Radiological consequences | Associated plant condition categories |
|---|---|---|---|---|
| Level 1 | Prevention of abnormal operation and failures | Conservative design and high quality in construction and operation | No off-site radiological impact (bounded by regulatory operating limits for discharge) | Normal operation |
| Level 2 | Control of abnormal operation and detection of failures | Control, limiting and protection systems and other surveillance features | No off-site radiological impact (bounded by regulatory operating limits for discharge) | Anticipated operational occurrences |
| Level 3, 3.a | Control of accident to limit radiological releases and prevent escalation to core melt conditions | Reactor protection system, safety systems, accident procedures | No off-site radiological impact or only minor radiological impact | Postulated single initiating events |
| Level 3, 3.b | (same as 3.a) | Additional safety features, accident procedures | No off-site radiological impact or only minor radiological impact | Postulated multiple failure events |
| Level 4 | Control of accidents with core melt to limit off-site releases | Complementary measures and accident management | Off-site radiological impact may imply limited protective measures in area and time | Postulated core melt accidents (short and long term) |
| Level 5 | Mitigation of radiological consequences of significant releases of radioactive material | Off-site emergency response | Off-site radiological impact necessitating protective measures | |


Page 32

Defence-in-Depth levels in I&C architecture


Page 33

Backlash-freeness (non-interference), Connections

„Non-safety functions, or functions assigned to a lower level of functional safety must not be implemented into a subsystem classified into a safety class or into a safety class higher than necessary. If this is not possible, it must be demonstrated by safety assessment that the subsystem performing the function assigned to the lower safety level does not obstruct in any way the execution of functions assigned to a higher safety level.” (NSC 3a.4.5.4200)

„In case of connections between I&C systems classified into different safety classes it must be demonstrated that the system classified into the lower class does not affect the operation of the system classified into the higher class. In case of connections between I&C systems classified into the same safety class it must be demonstrated that the failure of a system does not obstruct the performance of the autonomous safety functions of the other.” (NSC 3a.4.5.4300)

„A system or system component classified into safety class ABOS2 must not communicate with systems outside of the given unit, and can provide data to a system or system component classified into a lower safety class in the same unit only through a physically unidirectional communication.” (NSC 3a.4.5.3700)

Page 34

Possible Separation at a Multi-unit Site

[Figure: network separation at a multi-unit site; only the labels are recoverable from the slide]

Per unit (UNIT 1, UNIT 2) and for the Common systems, three plant levels, each divided by safety class SC2 / SC3 / SC4:
• Level 0: Process interface level
• Level 1: Automation level
• Level 2: Supervision level

Above the plant levels, separated by a DMZ:
• Level 3: Technical management level (Technical information system, Simulator, Core design and modelling, Design tools, Document management system, Emergency Control Centre, Work order system)
• Level 4: Corporate network (HR, email, SAP, …)

12/7/2015 Computer Security at Nuclear Facilities 35
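The connection rules quoted under Backlash-freeness (NSC 3a.4.5.3700 and NSC 3a.4.5.4300) applied to a connection inventory shaped like the multi-unit figure, as an added example that is not part of the lecture: the data model, the system and unit names, and the representation of ABOS classes as integers are assumptions made for this illustration.

```python
"""Added example (not from the lecture): checks an I&C connection inventory against
NSC 3a.4.5.3700 and 3a.4.5.4300 as quoted above; data model and names are assumed.
check_link returns (rule, "VIOLATION" | "DEMONSTRATE", detail) for one connection."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class System:
    name: str
    unit: str            # "UNIT 1", "UNIT 2", "COMMON" as in the figure
    abos: Optional[int]  # 2 = highest safety class, 3, 4; None = unclassified (DMZ ...)

@dataclass(frozen=True)
class Link:
    src: System          # data source
    dst: System          # data sink
    unidirectional: bool # True = physically one-way path (e.g. data diode)

def _rank(s: System) -> int:
    return s.abos if s.abos is not None else 99  # larger number = lower class

def check_link(link: Link) -> Tuple[str, str, str]:
    a, b = link.src, link.dst
    hi, lo = (a, b) if _rank(a) <= _rank(b) else (b, a)
    # 3700: an ABOS2 system must not communicate with systems outside its unit
    if hi.abos == 2 and a.unit != b.unit:
        return ("NSC 3a.4.5.3700", "VIOLATION", f"{hi.name} (ABOS2) leaves its unit to {lo.name}")
    # 3700: ABOS2 may feed a lower class only through a physically one-way path
    if hi.abos == 2 and lo.abos != 2 and (link.src != hi or not link.unidirectional):
        return ("NSC 3a.4.5.3700", "VIOLATION",
                f"{hi.name} (ABOS2) <-> {lo.name}: needs a physically unidirectional path, ABOS2 as source")
    # 4300: every remaining connection still needs a non-interference demonstration
    if _rank(a) != _rank(b):
        return ("NSC 3a.4.5.4300", "DEMONSTRATE", f"show {lo.name} cannot affect {hi.name}")
    return ("NSC 3a.4.5.4300", "DEMONSTRATE",
            f"show a failure of {a.name} or {b.name} does not obstruct the other's safety functions")

def violations(links: List[Link]) -> List[Tuple[str, str, str]]:
    return [f for f in map(check_link, links) if f[1] == "VIOLATION"]

# Constructed sample inventory following the lecture's multi-unit figure
U1_RPS = System("Unit 1 reactor protection", "UNIT 1", 2)
U1_LIM = System("Unit 1 limitation system", "UNIT 1", 3)
U2_RPS = System("Unit 2 reactor protection", "UNIT 2", 2)
TIS = System("Technical information system", "COMMON", None)
SAMPLE_LINKS = [
    Link(U1_RPS, U1_LIM, True),   # allowed: one-way, down-class, same unit
    Link(U1_LIM, U1_RPS, True),   # violation: lower class feeding ABOS2
    Link(U1_RPS, U1_LIM, False),  # violation: two-way path from ABOS2
    Link(U1_RPS, U2_RPS, True),   # violation: leaves the unit
    Link(U1_LIM, TIS, True),      # demonstrate: SC3 -> common system
]
```

A "DEMONSTRATE" result is not a pass: under NSC 3a.4.5.4300 it marks a connection whose non-interference argument must be written into the safety assessment.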

Page 35

Quality Assurance, Independent Review

„Programmed systems performing safety functions —in addition to the general requirements for the programmed systems— must fulfill the following requirements:

a) Hardware and software tools with references, which fulfill the most strict quality assurance standards, are to be used,

b) The entire development process, including the monitoring, testing and commissioning of design changes must be systematically documented and evaluated,

c) To validate the reliability of computer-based systems these systems must be reviewed by experts independent from the designer and the contractor, and furthermore

d) If the required reliability level of a system cannot be validated, the fulfillment of the safety functions assigned to it must be ensured with diverse tools.” (NSC 3a.3.1.1700)

The controllability of the design and manufacturing processes requires simplicity and transparency of the applied methods, manufacturing techniques and V&V methods. To ensure this, priority must be given to typified and structured solutions. Tools and methods that support verification and requirement traceability during both the hardware and the software design and manufacturing phases are preferred.

Page 36

Certification

„The fact that the applied I&C platform is certified as error-free and suitable to use in safety systems of nuclear power plants by a specialized, independent, accredited certification body must be demonstrated with a certificate in case of safety class ABOS2 and safety class ABOS3 systems. In case of programmable I&C systems the certificate must verify the appropriateness of the software and hardware platforms, the development tools and the code generators, as well.” (NSC 3a.4.5.2000)

• The set of standards, on which the certification is based, must be defined in case of installation, modification and refurbishment of safety class ABOS2 and ABOS3 systems

• The certificate issued by the certification body must include consideration of the following:

  • Compliance to the relevant nuclear requirements,

  • Development methods for minimizing the systematic error to an acceptable level,

  • Potential failure states and frequency of their occurrence,

  • Conditions of the application in the required safety class (e.g. configuration rules, environmental requirements, maintenance needs, etc.).

• The appropriate use of hardware and software platforms and the achievement of the expected and specified safety level for the planned life-cycle of the I&C system must also be demonstrated and verified by an independent expert organization

Page 37

Independence (certification)

Independent body:

• Independence (impartiality) is defined based on requirements specified at the certification and inspection bodies.

• An independent body is one that complies with the requirements for the impartial body according to EN ISO/IEC 17065 (“Conformity assessment. Requirements for bodies certifying products, processes and services”):

"No part of the certification body and of the same legal person or persons under its control can:

a) Be the designer, manufacturer, commissioner, distributor or maintainer of the certified product;

b) Be the designer, implementer, operator or maintainer of the certified process;

c) Be the designer, implementer, service provider or maintainer of the certified service;

d) Offer or provide advice to its clients;

e) Offer or provide advice or internal audit services related to the management system to customers in cases where the certification system requires the assessment of the client’s management system."

Page 38

Independence (certification)

Independent expert:

• An independent expert is one who complies with the independence defined by the implicit application of the definition given for the independent body.

• In case of independent experts acting in the field of application of nuclear energy the requirements in Paragraph 19/A (1) and (2) of Act No. CXVI of 1996 on Atomic Energy and its executive decree (Government Decree No. 247/2011 (XI. 25.) on independent experts acting in the field of application of nuclear energy) must be considered.

Certification body:

• A body, which is suitable for product certification activities according to EN ISO/IEC 17065 and has the necessary properties and skills (organizational structure, processes, personnel, etc.).

• In case there are international specialty standards in the given area, the certification activity must be based on them.

• The certification body must realize the inspection (according to EN ISO/IEC 17020 – “General criteria for the operation of various types of bodies performing inspection”) and/or testing laboratory (according to ISO/IEC 17025 – “General requirements for the competence of testing and calibration laboratories”) functions either by itself (of course, in the specialty field identical to the specialty field of the certification) or through the involvement of a body (or bodies), which has monitoring and/or testing properties and skills according to these standards.