
IEC 61226:2009


DOCUMENT INFORMATION

Basic information

Title: Classification of Instrumentation and Control Functions in Nuclear Power Plants
Institution: Unknown
Field: Electrical Engineering
Document type: standards document
Year of publication: 2009
City: Geneva
Pages: 68
Size: 1.16 MB


Structure

  • 5.1 General
  • 5.2 Background
  • 5.3 Description of categories
    • 5.3.1 General
    • 5.3.2 Category A
    • 5.3.3 Category B
    • 5.3.4 Category C
  • 5.4 Assignment criteria
    • 5.4.1 General
    • 5.4.2 Category A
    • 5.4.3 Category B
    • 5.4.4 Category C
  • 6.1 General
  • 6.2 Identification of design basis
  • 6.3 Identification and classification of functions
  • 7.1 General requirements
  • 7.2 Requirements related to functions
    • 7.2.1 Basic requirements
    • 7.2.2 Specific requirements
  • 7.3 Requirements related to I&C systems
    • 7.3.1 Basic requirements
    • 7.3.2 Specific requirements
  • 7.4 Requirements related to equipment
    • 7.4.1 Basic requirements
    • 7.4.2 Specific requirements
  • 7.5 Requirements related to quality aspects
    • 7.5.1 Basic requirements
    • 7.5.2 Specific requirements

Contents

Therefore, it is the intent of this standard to – classify the I&C functions important to safety into categories, depending on their contribution to the prevention and mitigation of post

General

Functions performed by I&C systems are categorized according to their importance to safety, which is assessed from the consequences of failing to perform the function when it is required and from the effects of unintended actuation. The category of a function determines the design and quality requirements placed on the I&C systems and equipment that perform it; these requirements are defined independently of the technology used. Subclause 5.2 gives the background to the classification scheme.

Subclause 5.3 describes the three categories used to classify functions. The categories are based on those originally defined in the first edition of IEC 61226, published in 1993.

Subclause 5.4 gives the assignment criteria for each category.

Clause 6 gives guidance on the classification process.

Clause 7 gives the technical requirements for the three categories. Most of these requirements apply to the systems and equipment that perform the functions; some apply only to the functions themselves.

Annex A gives typical examples of the classification of NPP I&C functions. It is informative only, because the assignment may depend on the reactor type.

LICENSED TO MECON Limited - RANCHI/BANGALORE FOR INTERNAL USE AT THIS LOCATION ONLY, SUPPLIED BY BOOK SUPPLY BUREAU.

Background

Defence in depth is a key principle of the safety design of nuclear power plants: several levels of defence are provided against unsafe conditions, and the prevention of unsafe conditions takes priority over their mitigation. Applying this principle multiplies the number of functions needed for the safe operation of the plant, so the safety significance of each function has to be understood.

The IAEA safety requirements NS-R-1 call for the classification of NPP systems according to their safety significance: all structures, systems and components important to safety, including software for I&C, shall be identified and classified on the basis of their function and their importance to safety, and shall be designed, constructed and maintained so that their quality and reliability are commensurate with that classification.

The IAEA safety guide NS-G-1.3 gives guidance on the classification of systems according to the importance to safety of the functions they perform It introduces time factors such as

– the duration that the I&C system is needed once it has been initiated;

– the time for which alternative actions can be taken;

– the timeliness with which hidden faults can be detected and remedied.

This standard extends the classification strategy of IAEA Safety Guide NS-G-1.3 by giving criteria and methods for assigning the I&C functions of an NPP to three categories, A, B and C, according to their importance to safety. Functions of safety systems are generally assigned to category A or B, safety-related functions to category B or C, and functions with no safety role are not classified.

Safety systems and safety-related I&C systems differ in their importance to safety and are therefore assigned to different safety categories. Some I&C systems have a major impact on safety and need the most careful consideration; others have intermediate, low or negligible safety significance. The level of requirement for the assurance of performance and for the justification of safety therefore varies, which leads to different technical requirements.

A national implementation of this standard may use different names for categories A, B and C. It shall nevertheless follow the principles, criteria and requirements of this standard, and the correspondence with the categories defined here shall be documented.

Description of categories

General

I&C systems are important to the safety of NPPs. The importance to safety of each function depends on its role in achieving or maintaining safety, on the consequences of its failure and on the probability of such a failure. The classification of I&C functions therefore has to be preceded by an initial safety analysis of the NPP design. The severity of the consequences of a failure determines the level of assurance required for the attributes of the system, notably functionality, performance and reliability.


For design, assessment and licensing, safety categories A, B and C are defined, each with an associated set of technical and quality requirements on the properties of the I&C systems, to be applied to the design and implementation of the I&C systems and equipment important to safety.

Category A

Category A denotes the functions that play a principal role in achieving or maintaining NPP safety, by preventing design basis events (DBE) from leading to unacceptable consequences. These functions are needed in particular in the initial phase of a transient, when no alternative action is possible, including the case where latent faults have not yet been revealed. They are required to reach and maintain a non-hazardous stable state. Where manual actions are needed to reach that stable state, the following shall be considered: the availability of redundant and validated sources of information, the adequacy of the grace period for the operators to assess alternative information, and whether the manual actions are the only means of mitigating the sequence of events and keeping the NPP safe.

Category A also denotes functions whose failure could directly lead to accident conditions that may cause unacceptable consequences if they are not mitigated by other category A functions.

Category A functions have high reliability requirements. It may therefore be necessary to limit their functionality and complexity.

Category B

Category B functions complement the category A functions in achieving and maintaining NPP safety. They are needed in particular after a non-hazardous stable state has been reached, to prevent design basis events (DBE) from leading to unacceptable consequences or to mitigate the consequences of a DBE.

The operation of a category B function may avoid the need to initiate a category A function.

Category B functions may enhance or support the performance of category A functions in reducing the consequences of a DBE, and so prevent or limit damage to the plant or equipment and limit the release of hazardous materials.

Category B also denotes functions whose failure may initiate or aggravate a DBE. Because a category A function exists to ultimately prevent or mitigate the consequences of the DBE, the requirements for category B functions may be less stringent than those for category A. This allows category B functions to offer greater functionality than category A functions, both in detecting the need for action and in carrying out the subsequent response.

Category C

Category C denotes functions that play an auxiliary or indirect role in the safety of the NPP. These functions have some safety importance but do not meet the criteria for category A or B. They may contribute to the overall response to a design basis accident (DBA) but are not required for the direct mitigation of its physical consequences. Functions provided for accident management beyond the design basis and for severe accidents also fall in this category (see 5.4.4).

Rapid transients are handled by automatic actions; slower transients can be handled by manual actions after a defined grace period. The grace time is a design requirement that allows for the delays of diagnosis and action, and it depends on human factors. Manual actions may still be taken within the grace period. In some countries, and for older plants, the grace time rather than the non-hazardous stable state may be taken as the limit of category A.


Assignment criteria

General

The criteria that shall be applied for the assignment of functions to categories A, B and C are given below.

If a function does not meet any of the criteria given below, it shall be "non-classified".

In the case of multiple assignment, the final assignment of a function shall be the highest relevant category.

The final assignment of the function may be modified using probabilistic methods, consistently with the principles given in 6.3.

Category A

An I&C function shall be assigned to category A if it meets any of the following criteria:

a) it is required to reach or maintain the non-hazardous stable state, to prevent a DBE from leading to unacceptable consequences, or to mitigate the consequences of a DBE;

b) its failure or spurious actuation would lead to unacceptable consequences unless another category A function exists to prevent them;

c) it provides the information and control capabilities needed for the specific manual actions required to reach the non-hazardous stable state.

Category B

An I&C function shall be assigned to category B if it is not category A and meets any of the following criteria:

a) it is required after the non-hazardous stable state of a DBE has been reached, to prevent unacceptable consequences or to mitigate the consequences of the DBE;

b) it provides the information or control capability needed for manual actions required after the non-hazardous stable state has been reached;

c) its failure during normal operation would initiate a DBE that requires a category A function to act in order to prevent an accident;

d) it significantly reduces the frequency of a DBE, as claimed in the safety analysis;

e) it is a plant process control function that keeps the main process variables within the limits assumed in the safety analysis, where it is the only means of control;

f) it prevents or mitigates a radioactive release or fuel degradation beyond the limits and conditions defined for normal operation;

g) it provides continuous or intermittent testing or monitoring of category A functions to indicate their continued availability for operation and to alert control room staff to their failure, where no alternative means of verification (e.g. periodic tests) exists.

NOTE 1 This refers to functions that are not already covered by the analysis of DBE leading to category A classification.

NOTE 2 Where the monitoring function is the only means of detecting otherwise unrevealed failures, assigning the function to category B ensures that the equipment providing the function is suitably qualified.

Category C

An I&C function shall be assigned to category C if it is not category A or B and meets any of the following criteria:

a) it is a plant process control function that keeps the main process variables within the limits assumed in the safety analysis, other than those covered by 5.4.3 e); where several category C functions are relied on, their sufficiency shall be justified;

NOTE 1 According to national practice, one acceptable application of 5.4.4 a) is the combination of a regulation function with suitable manual actuation based on independent alarms, including a justification of the use of manual action.

b) it prevents or mitigates a minor radioactive release, or minor degradation of fuel, within the NPP design basis;

NOTE 2 A minor release or minor fuel degradation is one that remains within the normal limits and conditions of operation (e.g. discharge limits).

c) it provides continuous or intermittent tests or monitoring of category A and B functions to indicate their continued availability for operation and to alert control room staff to their failure, and is not assigned to category B under 5.4.3 g);

d) it is necessary to reach the probabilistic safety goals, including functions that reduce the expected frequency of a DBE;

e) it reduces the demands on a category A function, as claimed in the safety analysis;

f) it monitors, and takes mitigating action following, internal hazards within the NPP design basis (e.g. fire, flood);

g) it warns personnel, or ensures personnel safety, during or following events that involve or result in a release of radioactivity in the NPP or a risk of radiation exposure;

h) it monitors, and takes mitigating action following, natural events (e.g. seismic disturbance, extreme wind);

i) it is provided for the accident management strategy, to reach and maintain a safe state following beyond design basis accidents;

j) it is provided to minimise the consequences of severe accidents;

k) it provides access control for the NPP.

General

An outline of the procedure is shown in Figure 1.

Special care is needed in the classification of equipment used to implement functions: test features that could interfere with the correct operation of systems or equipment important to safety shall be categorised accordingly, in line with 4.2.6 of IEC 60671.


Identification of design basis

The classification of functions depends strongly on the reactor type (pressurized water reactor, PWR; boiling water reactor, BWR; etc.), on the associated postulated initiating events (PIEs), and on the major design criteria for the redundancy of mechanical and electrical systems. The identification, for each PIE, of the main mitigation functions and of their supporting functions is also a key input to the classification process.

The assessment of the frequency and consequences of the PIEs leads to the identification of the DBEs, which form the design basis of the plant. The specified operational ranges and accident conditions, together with the established radiological limits, are to be reflected in the design features. These individual safety principles contribute collectively to the overall safety approach of the plant.

An integrated overall safety approach is essential to the safety of an NPP. It comprises the identification of the DBEs and the provision of successive physical barriers to keep radioactive exposure within permissible limits. The principles of this approach, together with the major design criteria (redundancy, separation, etc.) of the plant and the identification of the prevention and mitigation functions and their supporting functions, are the main input to the classification process.

The safety significance of each I&C function depends on its role in ensuring the safety of the NPP and on the consequences of its failure to operate when needed. An initial safety analysis of the specific NPP design must therefore be carried out before the I&C functions are classified.

Identification and classification of functions

At an early stage in the design of the NPP, the safety relevant functions shall be identified.

The identification of functions, and their assignment to I&C or to human operators, shall follow IEC 60964. Once identified, each function shall be assigned to a category using the criteria of Clause 5.

The classification of the safety significance of functions should be based primarily on deterministic methods, complemented by probabilistic methods and engineering judgement, taking into account the following factors:

• the safety function(s) to be performed;

• the role of the function in preventing or mitigating postulated initiating events, where PIEs include natural events (e.g. seismic disturbance, flood, extreme wind, lightning) and internal hazards (e.g. fire, internal flood, missiles, release of radioactive or chemical substances from nearby units or industries);

• the role of the function during all operating modes (e.g. start-up, normal operation, refuelling);

• the consequences of failure of the I&C function;

• the effects of spurious actuation of the I&C function;

• the probability that the function important to safety will be required;

• the time following a DBE at which, or during which, it will be required to operate;

• the maintenance, repair and testing strategy.

Early in the design process the specifications are incomplete, so not all functions of the NPP can be identified. The identification and classification of functions must therefore be an iterative process throughout the design phase. Where there is doubt about the category of a function, an explanatory note should accompany the classification.


A function may be involved in several aspects of the requirements specification and meet the criteria of more than one category. In such cases the highest of the assigned categories applies.

As technical requirements such as redundancy and diversity are clarified through the safety analysis and the development of operating procedures, the classification list is updated until a final version is produced. The final list shall be documented and kept under configuration control: it is needed by the plant and I&C designers throughout the life of the NPP and may be requested by the regulatory authorities.


Figure 1 (outline of the classification procedure, rendered as a list):

1 Identification of the design basis:

– major plant characteristics (architecture of plant systems and their redundancy);

– list of PIEs and their likely frequency of occurrence;

– list of preventing and mitigating functions.

2 Initial list of functions including functional requirements.

3 Assignment of category A, B, C or non-classified.

4 Development of detailed system requirements.

5 Identification of detailed I&C subsystems and equipment items.

6 Refinement of assignments, repeating steps 3 to 6 as necessary.

7 Final list of functions and assigned categories.


7 Assignment of technical requirements to categories

General requirements

Technical requirements for each of the categories A, B and C are given in this clause.

The requirements shall be applied, as appropriate, to the specification, design, validation, qualification, manufacturing, installation, operation and maintenance phases of the I&C lifecycle. The technical requirements fall into four groups:

– requirements that apply to the functions, concerning the specification and validation of functionality, performance and reliability;

– requirements that apply to the design of the I&C systems, concerning the system features (redundancy, diversity, testability, separation, etc.) that support the reliability of the functions performed, and the human-machine interface (HMI);

– requirements concerning the equipment features for the assurance of seismic and environmental durability and electromagnetic compatibility;

– requirements associated with quality assurance, verification and maintenance, which apply to functions, systems and equipment.

In most cases these requirements are already detailed in the appropriate codes and standards.

Clause 2 lists the normative references that give the detailed requirements for the I&C safety categories defined here. Table 1 summarises the correlation between the categories and the applicable standards; the main types of requirement for each category are outlined in the text that follows.

Wherever possible, equipment with a documented, proven history of reliable operation in nuclear or other industrial applications should be used.

Requirements related to functions

Basic requirements

Functionality: a clear and comprehensive set of functional requirements and design specifications shall exist. These documents are the reference for the verification of the functions during design, manufacture, installation and service, and for any modification during the lifecycle.

The reliability required of a function in category A, B or C shall be established, either by a quantitative probabilistic assessment of the NPP or by qualitative engineering judgement, and shall be stated in the specification. The performance requirements of the function shall likewise be determined by appropriate analyses, carried out according to approved procedures and documented.

The reliability requirements of functions in different categories may be the same; what differs is the level of assurance that the specified reliability is achieved. Category A demands the highest level of assurance.

There shall be adequate separation between the functions of different categories.


Specific requirements

The design shall follow codes, guides and standards that ensure a high level of functionality for category A functions. Simplicity should be a priority, so that the final functionality can be verified and validated; in particular, unrelated lower category functions (e.g. special display calculations, translation of communication protocols) should not be implemented in category A systems, and should not be handled by safety system software.

The reliability requirements for category A I&C functions shall be specified as indicated in 7.1.

The reliability required of the functions needed to keep the risk of unacceptable consequences acceptably low shall be established first; the reliability requirements of the I&C functions are then derived from it.

The design process must adhere to established codes, guidelines, and standards, or utilize systems and equipment that have a proven track record of successful operation in similar applications.

The design must be evaluated to ensure that systems and equipment are capable of delivering the specified functions across all designated operating conditions, including the most challenging anticipated scenarios in which these functions are necessary.

Requirements related to I&C systems

Basic requirements

To meet the specified reliability, the system design shall include appropriate redundancy, diversity, and spatial, physical and electrical separation. These are the basic requirements for achieving high reliability of the functions performed. Human-machine interface (HMI) requirements apply in addition. For all systems, means of fault detection and repair shall be considered during design and during subsequent modifications.

Reliability and availability assessments shall take into account the periods of repair, testing and maintenance, and the probability of both self-revealed and non-self-revealed failures. The assumptions made in the reliability analysis about these periods shall be verified during operation, and corrective action taken if discrepancies are found.

Specific human factor and HMI requirements shall be included in the design process. They should come from a human factors engineering programme started in the early stages of design.

The system design shall allow on-line and periodic testing during operation. 7.5 gives the requirements for the periodic tests and maintenance needed to preserve the long-term reliability of I&C systems important to safety.

Adequate information and control equipment shall be provided at a location that is physically and electrically separate from the main control room, so that the reactor can be placed and kept in a shutdown state and the essential plant variables monitored if the main control room becomes unavailable.


Specific requirements

An I&C system performing category A functions shall be redundant and shall have sufficient separation that no single internal hazard can disable the redundant parts. No single failure shall prevent the system from performing its intended safety function, including during preventive maintenance, testing, inspection or repair. Compliance with the single failure criterion is required by IAEA Code NS-R-1, 5.34 to 5.39.

NOTE 1 With regard to inappropriate actuations of the I&C, only spurious actuations (single or multiple) that can result from one single failure in I&C subsystems or support systems are generally considered.

Where category A functions are performed by operators, dedicated monitoring and control systems shall be provided, separate from the other monitoring and control systems and designed to meet the required reaction times.

The reliability of I&C systems performing category A functions shall be assessed against the specification, and any discrepancy resolved. The assessment shall take into account common cause failures, including those due to hardware, software and human error during operation, maintenance and repair. Techniques ranging from qualitative engineering judgement to detailed quantitative analysis may be used; the method chosen shall be commensurate with the reliability requirement, a more stringent requirement calling for a more rigorous assessment technique.

The effect of common cause failure on the reliability of redundant systems shall be considered; diversity of independent systems may be needed, on probabilistic grounds, to achieve the required reliability. Where a category A function is performed by several independent systems, these should be class 1 systems. If systems of lower class are used, at least one of them shall meet the class 1 requirements, and a safety justification shall be provided for those that do not, so that their acceptability can be assessed.

NOTE 2 For an individual system specified and designed to the highest quality criteria, a figure of the order of 10^-4 failure/demand may be an appropriate overall limit on the reliability that may be claimed, when all potential sources of failure due to specification, design, manufacture, installation, operating environment and maintenance practices are taken into account. This figure includes the risk of common mode failure in the redundant channels of the system, and applies to the whole system, from the sensors through the processing to the outputs to the actuated equipment. Claims of better reliability than this are not precluded, but need special justification taking into account all of the factors mentioned. Alternatively, independent I&C systems important to safety with an acceptable level of diversity may be used.

Testing may require suppression of output signals, or the provision of bypass facilities

Where bypass facilities are provided, their integrity shall be justified so that they cannot prevent the system from performing its safety functions; for instance, their use may be restricted to one train of a redundant system at any one time.

In some implementations, additional redundancy has to be provided to allow routine testing during plant operation. This is the case in particular when an active channel cannot be tested at power, so that tests during operation are needed to maintain the reliability of the function. It is not necessary to add redundancy to the whole system for this purpose.

The power supply shall be backed-up by auxiliary power sources

For category A systems, a formal system failure analysis, for example a failure modes and effects analysis (FMEA), shall be carried out to identify the vulnerability of the system to component failures and to assess the effectiveness of the design provisions for detecting those failures and limiting their consequences.

Where a system has built-in self-test features, their effectiveness shall be assessed as part of the reliability analysis. If the failure analysis shows that some failures would not be detected by the self-tests, proof tests shall be established to reveal them. The interval of these proof tests shall be based on the expected frequency of the undetected failures and on the reliability required of the function.

In the absence of reliability data, the test interval should be determined by comparison with similar systems. As experience is gained, the test interval for the function shall be reassessed.
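As an added worked example, not from the standard: the proof-test interval asked for above can be derived from the required reliability and from the rate of dangerous failures the self-test does not reveal. The block below uses the simplified low-demand average probability-of-failure-on-demand (PFD) formulas of IEC 61508-6 (an assumption of this example; IEC 61226 itself prescribes no formula), with constructed failure rates, and also shows why the ceiling of about 10^-4 per demand in Note 2 of 7.3.2 is hard to beat with redundancy alone: the common-cause term dominates the redundant (1oo2) result.

```python
"""Proof-test interval derived from a reliability target (added worked example).

Not part of IEC 61226.  It uses the widely used simplified low-demand formulas
(as in IEC 61508-6) for the average probability of failure on demand (PFD):
  1oo1:  PFD ~= lambda_DU * T / 2
  1oo2:  PFD ~= (1 - beta)^2 * lambda_DU^2 * T^2 / 3  +  beta * lambda_DU * T / 2
where lambda_DU is the rate of dangerous failures NOT revealed by self-test (per hour),
T the proof-test interval (hours) and beta the common-cause fraction.  Failures
revealed by self-test are assumed to be repaired quickly and are neglected.
All numeric values below are constructed for illustration.
"""

HOURS_PER_YEAR = 8760.0


def undetected_rate(lam_d, diagnostic_coverage):
    """Dangerous failures the built-in self-test misses (the 'undetected' share)."""
    return (1.0 - diagnostic_coverage) * lam_d


def pfd_1oo1(lam_du, T):
    """Single channel: an undetected failure lies hidden, on average, for T/2."""
    return lam_du * T / 2.0


def pfd_1oo2(lam_du, T, beta):
    """Two redundant channels, one sufficient: independent double failure plus a
    common-cause term that no amount of redundancy removes."""
    independent = ((1.0 - beta) * lam_du) ** 2 * T ** 2 / 3.0
    common_cause = beta * lam_du * T / 2.0
    return independent + common_cause


def common_cause_share(lam_du, T, beta):
    """Fraction of the 1oo2 PFD that comes from common-cause failure."""
    return (beta * lam_du * T / 2.0) / pfd_1oo2(lam_du, T, beta)


def max_test_interval(target_pfd, pfd_of_T, upper=10 * HOURS_PER_YEAR):
    """Largest T (hours) for which pfd_of_T(T) <= target_pfd, found by bisection.
    pfd_of_T must be increasing in T, which holds for both models above."""
    if pfd_of_T(upper) <= target_pfd:
        return upper
    lo, hi = 0.0, upper
    for _ in range(200):
        mid = (lo + hi) / 2.0
        if pfd_of_T(mid) <= target_pfd:
            lo = mid
        else:
            hi = mid
    return lo


def needs_special_justification(pfd):
    """Note 2 of 7.3.2: a claim better than about 1e-4 per demand for a single
    system needs special justification."""
    return pfd < 1e-4


if __name__ == "__main__":
    lam_du = undetected_rate(1e-5, 0.9)   # constructed: 1e-5/h dangerous, 90 % self-test coverage
    T, beta, target = HOURS_PER_YEAR, 0.1, 1e-4
    print(f"1oo1, annual proof test: PFD = {pfd_1oo1(lam_du, T):.2e}")
    print(f"1oo2, annual proof test: PFD = {pfd_1oo2(lam_du, T, beta):.2e} "
          f"({common_cause_share(lam_du, T, beta):.0%} from common cause)")
    t1 = max_test_interval(target, lambda t: pfd_1oo1(lam_du, t))
    t2 = max_test_interval(target, lambda t: pfd_1oo2(lam_du, t, beta))
    print(f"interval meeting {target:.0e}: 1oo1 {t1:.0f} h, 1oo2 {t2:.0f} h")
```

With the constructed rates, a single channel needs a proof test every 200 h to stay at 10^-4 per demand, the redundant pair about every 2000 h, and roughly 95 % of the redundant pair's PFD is the common-cause term; shortening the interval further mainly chases that term, which is the point of Note 2 and of the preference for diversity over more of the same redundancy.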

The reliability of systems executing category B I&C functions must be evaluated against specifications. These functions should be achieved through redundant and separated means, unless a valid justification is provided. Justifications may include the system's capability to meet reliability targets without redundancy, the acceptable consequences of a function's failure, or the time available to implement alternative responses in the event of a failure.

The power supply shall be backed-up by auxiliary power sources.

The components employed shall be shown to be of high quality and reliability, and means to ensure that faults can be quickly detected and repaired shall be incorporated.

The main goals of the functional design for control room systems are to ensure operators receive accurate, complete, and timely information about the status of plant equipment and systems during Design Basis Events (DBEs). Additionally, the design aims to reduce the movement required by operators to effectively monitor and control the plant, thereby enhancing operational efficiency and safety.

On-line and/or periodic testing of performance shall include confirmation of the functional capacity of subsystems, especially individual testing of redundant trains.

A system in this category typically does not require redundancy or separation, unless necessary to meet the desired reliability of its functions. Additionally, it may need to be tolerant to both internal and external hazards.

The power supply may be backed-up by auxiliary power sources on a case by case basis.

For systems performing category C functions where redundancy is necessary to achieve the specified reliability, redundancy should be considered as for category B.

Where redundancy is provided, periodic individual testing of the functional capacity of all redundant systems or subsystems shall be included. On-line tests are a means of meeting this requirement.

LICENSED TO MECON Limited - RANCHI/BANGALORE FOR INTERNAL USE AT THIS LOCATION ONLY, SUPPLIED BY BOOK SUPPLY BUREAU.

Requirements related to equipment

Basic requirements

To ensure equipment reliability during and after a postulated initiating event (PIE), it is essential to qualify the equipment against the potential environmental conditions. This qualification can be achieved through various methods, including testing, analysis, or leveraging existing operational data. It is crucial to define the most challenging anticipated environment, such as earthquake conditions, in the requirements specification to guarantee adequate equipment performance.

When functions not initially designed for severe accidents are anticipated to be involved, it is crucial to assess the capabilities of their components. This evaluation ensures that these components can operate effectively under the expected environmental conditions during such incidents.

Specific requirements

To ensure the reliable operation of category A equipment under all expected conditions, it is essential to conduct thorough equipment qualification. Test results must be documented and preserved in the lifetime records of the nuclear power plant (NPP). In the event of any failures during qualification tests, a detailed investigation must be carried out, with the causes and corrective actions clearly documented.

Equipment in category B shall be subject to qualification, to be performed as for category A equipment.

Equipment in category C may need qualification based on its function. A systematic review of the equipment's design should be conducted to ensure it meets the specifications for the most challenging environment in which it will operate.

When dealing with novel equipment or equipment required to function under atypical conditions, such as seismic events or extreme environments, it is essential to establish a set of design rules. These rules should be informed by the experience gained from the specialized design requirements of category A equipment. Additionally, equipment intended for functions classified under criteria 5.4.4 i) and j) must be specifically engineered to withstand the extreme process and environmental conditions identified through analysis. A thorough review is necessary to assess the suitability of using commercially produced equipment for these functions.

Category C equipment may be accepted under standard commercial design criteria, except when specific qualifications are necessary, such as for seismic or fire prevention standards. Additionally, measures must be taken to ensure that overvoltages or electrical noise from category C equipment do not interfere with the functions of category A or B equipment. Any claims regarding operation in abnormal environmental conditions must be substantiated with appropriate documentation.


Requirements related to quality aspects

Basic requirements

Quality assurance is essential throughout the design, manufacture, installation, commissioning, and operation phases to guarantee the optimal performance of systems and equipment.

The objectives of Quality Assurance (QA) include configuration management, change control, and traceability. It is essential to document the design in detail to support the manufacturing, installation, commissioning, and operational phases of the Nuclear Power Plant (NPP), along with the verifications conducted at each stage. Additionally, sufficient documentation must be provided to facilitate future design modifications.

Specialized QA and testing must be conducted for new designs or modifications based on their novelty and complexity. It is essential to document these development activities according to their significance to safety functions.

A QA plan shall be established according to an appropriate code or standard. This shall require specifications of performance and testing to be defined and verified.

Component, module, subsystem, and system testing will be conducted in accordance with the QA plan to ensure satisfactory performance throughout the manufacturing, assembly, and site installation phases, tailored to the specific function category.

Tests shall be carried out on components, modules and subsystems to ensure that, with the manufacturing QA, the functions are fulfilled according to the requirements specification.

Before the nuclear power plant (NPP) begins operations that necessitate the safety functions of the installed instrumentation and control (I&C) system, comprehensive testing of the I&C system alongside the mechanical and fluid systems must be conducted.

The intention of the site tests is the same, regardless of category, but the quality control and documentation requirements vary according to category, as stated hereinafter.

Operational testing is essential to ensure that the hardware components of safety-critical I&C systems remain unaffected by faults. These systems must be designed for effective testing and failure detection. Any identified deficiencies should be rectified following a modification control procedure, with appropriate records maintained. In cases where redundancy is implemented, individual functionality checks of the redundant channels are necessary. The testing interval must be determined to ensure that the assessed failure rate aligns with the reliability analysis requirements.

Where computer equipment is used, a software life cycle quality programme appropriate to the category of the function shall be implemented.

Specific requirements

The QA requirements must align with the IAEA safety standard GS-R-3, ensuring comprehensive documentation that establishes the history of equipment, including design, manufacturing, and operational details. This encompasses all equipment down to the module level, with strict configuration control maintained at the lowest traceable element. Additionally, traceability of lot numbers and materials must be upheld throughout the system, extending to individual modules.


The QA documentation must enable investigators to trace back from hardware or software to the defining specifications, as well as to move forward from any requirement in the specifications to the corresponding implementing components.
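The two requirements above (configuration control and lot traceability down to module level, and a documentation set that can be followed forward from any requirement to the implementing items and backward from any item to its requirement) are a check that can be run mechanically over the QA records. The Python block below is an added example, not from IEC 61226 or any project's tooling: the requirement IDs, configuration items, revisions and lot numbers are constructed sample records, and the record layout is an assumption chosen for the illustration.

```python
"""Bidirectional requirement-to-implementation traceability check.

Added example, not from IEC 61226 or any project's tooling. The requirement
IDs, configuration items, revisions and lot numbers are constructed sample
records. The check answers the two questions the QA documentation must
support: from each requirement, which items implement it (forward), and from
each item, which requirement justifies it (backward). It also flags items
lacking the revision or lot data needed for configuration control.
"""
from dataclasses import dataclass, field


@dataclass
class ConfigItem:
    item_id: str
    kind: str                       # "hardware" or "software"
    revision: str                   # empty string: not under configuration control
    lot: str                        # lot or build number for material traceability
    implements: list = field(default_factory=list)   # requirement IDs this item satisfies


# Constructed requirements (id -> text).
REQUIREMENTS = {
    "REQ-001": "Initiate trip on high pressure within 100 ms",
    "REQ-002": "Run channel self-test at least every 10 s",
    "REQ-003": "Output relay is de-energise-to-trip",
}

# Constructed configuration items down to module level.
ITEMS = [
    ConfigItem("HW-PT-01", "hardware", "B", "L2009-0412", ["REQ-001"]),
    ConfigItem("SW-TRIP-LOGIC", "software", "1.3", "build-77", ["REQ-001", "REQ-002"]),
    ConfigItem("HW-RELAY-K1", "hardware", "A", "", []),                      # no lot, no requirement
    ConfigItem("SW-HMI-PAGE", "software", "2.0", "build-80", ["REQ-009"]),   # refers to an unknown requirement
]


def forward_trace(requirements, items):
    """requirement id -> sorted list of item ids that implement it."""
    trace = {req: [] for req in requirements}
    for item in items:
        for req in item.implements:
            if req in trace:
                trace[req].append(item.item_id)
    return {req: sorted(ids) for req, ids in trace.items()}


def backward_trace(requirements, items):
    """item id -> sorted list of known requirement ids it traces to."""
    return {item.item_id: sorted(r for r in item.implements if r in requirements)
            for item in items}


def check_traceability(requirements, items):
    """Return the findings a QA reviewer would raise, each as a sorted list."""
    fwd = forward_trace(requirements, items)
    bwd = backward_trace(requirements, items)
    return {
        # Forward gap: a specified requirement with no implementing item.
        "unimplemented_requirements": sorted(r for r, ids in fwd.items() if not ids),
        # Backward gap: an item that no valid requirement justifies.
        "orphan_items": sorted(i for i, reqs in bwd.items() if not reqs),
        # A reference to a requirement id that is not in the specification.
        "dangling_references": sorted({r for it in items for r in it.implements
                                       if r not in requirements}),
        # Configuration control needs a revision and a lot at the lowest element.
        "missing_config_data": sorted(it.item_id for it in items
                                      if not it.revision or not it.lot),
    }


if __name__ == "__main__":
    for finding, entries in check_traceability(REQUIREMENTS, ITEMS).items():
        print(f"{finding}: {entries or 'none'}")
```

On the sample records the check reports REQ-003 as specified but unimplemented, HW-RELAY-K1 and SW-HMI-PAGE as items without a justifying requirement, REQ-009 as a reference to nothing in the specification, and HW-RELAY-K1 as lacking lot data. Each of these is a case in which an investigator could not complete the forward or backward trace the paragraph above requires.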

Type testing must be conducted to demonstrate that equipment with the same construction as that intended for installation at the NPP will operate effectively according to design specifications under the expected operating conditions.

Functional testing of components, modules, subsystems and, whenever practicable, complete systems, shall be carried out. These tests shall be witnessed by the licensee, or his representative.

Functional testing can be conducted either at the factory or on-site, with a coordinated approach necessary to ensure comprehensive coverage of all tests. If full coverage of the specified functions cannot be demonstrated, a special justification must be provided.

Site testing will evaluate the ability of installed systems and equipment to meet all specified safety functions with the necessary performance levels, considering variations in operating parameters. This process, known as the site acceptance test (SAT), must be observed by the licensee or their representative.

Online or periodic testing must ensure that the capability to execute all essential safety functions, along with the necessary subsystems, remains intact. Testing intervals should be determined by considering the level of self-monitoring needed to meet the reliability targets for safety-critical instrumentation and control (I&C) systems, while also factoring in the anticipated or observed failure rates of I&C components.

QA requirements must align with IAEA safety standard GS-R-3, ensuring that documentation captures the complete history of equipment, including design, manufacturing, and operational details. While the QA level for category B functions, systems, or equipment may be less stringent than for category A, the QA program should remain consistent with the standards set for category A.

Type testing must be conducted using equipment that is similar in construction to what will be installed at the Nuclear Power Plant (NPP), ensuring that any differences in the equipment do not compromise the validity of the test results.

Functional testing must be completed before operation to demonstrate that the system can achieve each specified function using equipment similar to what will be installed at the nuclear power plant (NPP) This testing may be conducted either on-site or off-site.

SAT testing aims to demonstrate that all specified safety functions of the installed equipment are achievable. Control equipment tests must verify the system's ability to respond accurately to transients and demand changes. Additionally, display and alarm equipment testing should incorporate injection tests of relevant input signals to ensure satisfactory performance.

Systems and equipment performing category C functions may be accepted at a commercial

The licensee may accept that the manufacturer's tests are adequate to demonstrate that the specified performance will be achieved. These tests shall be performed on similar equipment.


Specific type and functional testing should be performed when necessary, but is not generally required.

SATs should be carried out to show that the system achieves the specified safety related functionality and performance.

Periodic testing of performance may be limited to checks at refuelling outages, or at similar shutdown periods, for functions which are not continuously operating.


Table 1 presents a tabular correlation between the categories and the applicable IEC standards, summarizing the main requirements for functions, systems, design and equipment. The relevant IEC standards include IEC 61513, IEC 60964, IEC 60965, IEC 61771, IEC 61772, IEC 61839, and IEC 60709.

Table 1 did not survive extraction as a grid; the column headings and the row content that can be recovered are listed below.

Column headings: functional specification; testability; HMI specification; electromagnetic compatibility (IEC 61000-4, IEC 61000-6-2); QA programme; quality control; FAT, SAT; periodic testing.

Category A: IEC 60812 (failure analysis); codes and standards IEC 60880, IEC 60987, IEC 60780, IEC 60980; high reliability through the single failure criterion and independence, with separation from lower categories; design able to cope with internal common cause failure, with diversification decided case by case; backup power supply; qualification to the postulated environment and to seismic conditions; IAEA GS-R-3; verification on identical equipment; full FAT/SAT; frequent periodic testing.

Category B: IEC 60987, IEC 62138; IEC 60780, IEC 60980; qualification to the environment, including seismic conditions; single failure criterion and separation from lower categories; backup power supply; verification on similar equipment; IAEA GS-R-3; limited SAT; periodic testing.

Category C: redundancy and separation evaluated case by case; normal industrial practice.

Also recovered from the same rows, with the row assignment unclear in the extraction: failure analysis by FMEA.

This annex presents examples of how typical functions and instrumentation and control (I&C) systems are categorized into categories A, B, and C. It is important to recognize that these examples may not be universally applicable to all types of reactors.

The I&C functions designated for category A are crucial for ensuring reactor shutdown and maintaining sub-criticality, isolating containment, providing essential information for operator actions, and facilitating the transport of decay heat to the ultimate heat sink.

Date posted: 17/04/2023, 10:45