Iec tr 61838 2001


DOCUMENT INFORMATION

Basic information

Title Use of Probabilistic Safety Assessment for the Classification
Field Instrumentation and Control Functions for Nuclear Power Plants
Type Technical report
Year of publication 2001
Format
Number of pages 88
Size 602,47 KB

Structure

  • 3.1 Definitions (18)
  • 5.1 Introduction (24)
  • 5.2 Use of PSA in the design of future NPPs (26)
    • 5.2.1 Overall scope (26)
    • 5.2.2 Methods (26)
    • 5.2.3 Plant analysis and I&C modelling in PSA (30)
  • 5.3 Benefits of the use of PSA for existing NPPs (30)
  • 6.1 General (32)
  • 6.2 Approach 1: time and reactor state based approach (34)
    • 6.2.1 Use of PSA in conjunction with a functional deterministic method (34)
    • 6.2.2 Classification of functions, systems and equipment (34)
    • 6.2.3 Associated technical requirements (40)
    • 6.2.4 Complementary use of PSA during the iterative process of (40)
  • 6.3 Approach 2: quantitative importance based approach (42)
    • 6.3.1 Quantitative assignment criteria (42)
    • 6.3.2 Quantitative criteria (42)
    • 6.3.3 Category assignment (48)
    • 6.3.4 Classification procedure (48)
    • 6.3.5 Determination of requirements (50)
  • 6.4 Approach 3: consequence and mitigation based approach (50)
    • 6.4.1 Historical probabilistic approach (50)
    • 6.4.2 Current probabilistic target (50)
    • 6.4.3 Safety related system classification (50)
    • 6.4.4 Application of design requirements (54)
    • 6.4.5 Conclusions from approach 3 (54)
  • 6.5 Approach 4: defence-in-depth based approach (56)
    • 6.5.1 Introduction (56)
    • 6.5.2 The classification scheme (58)
    • 6.5.3 Combining the results (60)
  • 3.1 Definitions (19)
  • 5.2 Use of PSA in the design of future NPPs (27)
    • 5.2.1 Overall scope (27)
    • 5.2.2 Methods (27)
    • 5.2.3 Plant analysis and modelling I&C in PSA (31)
  • 5.3 Benefits of the use of PSA for existing NPPs (31)
  • 6.1 General (33)
  • 6.2 Approach 1: time and reactor states based approach (35)
    • 6.2.1 Use of PSA in conjunction with a functional deterministic method (35)
    • 6.2.2 Classification of functions, systems and equipment (35)
    • 6.2.3 Associated technical requirements (41)
    • 6.2.4 Complementary use of PSA alongside the iterative design process (41)
  • 6.3 Approach 2: quantitative importance based approach (43)
    • 6.3.1 Quantitative assignment criteria (43)
    • 6.3.2 Quantitative criteria (43)
    • 6.3.3 Category assignment (49)
    • 6.3.4 Classification procedure (49)
    • 6.3.5 Determination of requirements (51)
  • 6.4 Approach 3: consequence – mitigation based approach (51)
    • 6.4.1 Historical probabilistic approach (51)
    • 6.4.2 Current probabilistic target (51)
    • 6.4.3 Safety related system classification (51)
    • 6.4.4 Application of design requirements (55)
    • 6.4.5 Conclusions from approach 3 (55)
  • 6.5 Approach 4: defence-in-depth based approach (57)
    • 6.5.2 The classification scheme (59)
    • 6.5.3 Combining the results (61)
  • A.1 Scope (62)
    • A.1.1 Background (62)
    • A.1.2 I&C modelling in PSA (62)
  • A.2 Modelling description (64)
    • A.2.1 Global description (64)
    • A.2.2 Sensor part (64)
    • A.2.3 Logic part (66)
    • A.2.4 Actuator part (66)
  • A.3 Quantitative analysis: unavailability values (66)
    • A.3.1 Use of less classified systems for safety functions and PSA modelling (66)
    • A.3.2 Sensor part (66)
    • A.3.3 Specific logic part (68)
    • A.3.4 Non-specific logic part (70)
    • A.3.5 Actuator part (72)
  • A.4 Use of modelling in PSA event trees (72)
    • A.4.1 Taking account of different I&C configurations (72)
    • A.4.2 Importance of the actuators (74)
    • A.4.3 Integration in PSA event trees (76)
  • A.1 Scope (63)
    • A.1.1 Background (63)
    • A.1.2 I&C modelling in PSA (63)
  • A.2 Modelling description (65)
    • A.2.1 Global description (65)
    • A.2.2 Sensor part (65)
    • A.2.3 Logic part (67)
    • A.2.4 Actuator part (67)
  • A.3 Quantitative analysis: unavailability values (67)
    • A.3.1 Use of less classified systems for safety functions and modelling in (67)
    • A.3.2 Sensor part (67)
    • A.3.3 Specific logic part (69)
    • A.3.4 Non-specific logic part (71)
    • A.3.5 Actuator part (73)
  • A.4 Use of modelling in the event trees of PSA (73)
    • A.4.1 Taking account of different I&C configurations (73)
    • A.4.2 Importance of the actuators (75)
    • A.4.3 Integration in PSA event trees (77)

Content

IEC TECHNICAL REPORT TR 61838, First edition 2001-02: Nuclear power plants – Instrumentation and control functions important for safety – Use[.]

Definitions

Diversity refers to the existence of two or more distinct methods of achieving a specified objective. It serves as a safeguard against common mode failures. It can be achieved through physically different systems or through functional diversity, where similar systems meet the same goal in different ways, or during development by separating the design teams from the verification and validation teams.

NOTE This definition is wider than that used by IAEA 50-C-D, which is as follows:

"The existence of redundant components or systems intended to perform an identified function, where such components or systems collectively incorporate one or more attributes that differentiate them.

Examples of these attributes include different operating conditions, different equipment sizes, different manufacturers, different working principles, and types of equipment using different physical methods."

3.1.2 equipment* one or more parts of a system. An item of equipment is a single (and usually removable) element or part of a system.

3.1.3 function* a specific purpose or objective to be accomplished, that can be specified or described without reference to the physical means of achieving it.

Functionality refers to the qualitative indication of the range or domain of functions that a system or item of equipment can perform. A system that can execute a variety of complex functions is said to have high functionality, while a system that can only perform a limited number of simple tasks is said to have reduced functionality.

I&C (French: CC) functions, systems and equipment (FSE) important for safety include: a) FSE whose failure could lead to unacceptable radiation exposure of site personnel or the public; b) FSE that prevent anticipated operational occurrences from leading to significant sequences; c) FSE that mitigate the consequences of failures or malfunctions of structures, systems, or components.

LICENSED TO MECON Limited - RANCHI/BANGALORE FOR INTERNAL USE AT THIS LOCATION ONLY, SUPPLIED BY BOOK SUPPLY BUREAU.

This technical report utilizes specific definitions that align with or are identical to those found in other IEC or IAEA codes and standards, as indicated by an asterisk.

3.1.1 diversity the existence of two or more different ways or means of achieving a specified objective.

Diversity serves as a crucial safeguard against common mode failure, implemented either through distinct systems or through functional diversity, where similar systems fulfil the objective through different functions. It can also be achieved during the development process by using separate design teams alongside independent verification and validation teams.

NOTE This definition is wider than that used by the IAEA 50-C-D, which is as follows:

“The existence of redundant components or systems to perform an identified function, where such components or systems collectively incorporate one or more different attributes.

Examples of such attributes are: different operating conditions, different sizes of equipment, different manufacturers, different working principles and types of equipment that use different physical methods”.

3.1.2 equipment* one or more parts of a system. An item of equipment is a single definable (and usually removable) element or part of a system.

3.1.3 function* a specific purpose or objective to be accomplished, that can be specified or described without reference to the physical means of achieving it

Functionality refers to the qualitative measure of the range of functions that a system or piece of equipment can perform. A system exhibiting a wide array of complex functions is considered to have "high functionality," while a system limited to a few basic functions is categorized as having "low functionality."

I&C FSE important for safety are those whose malfunction could result in excessive radiation exposure of site personnel or the public, those that prevent anticipated operational occurrences from escalating into significant sequences, and those that mitigate the consequences of failures of structures, systems, or components.

3.1.6 NPP safety* the prevention of any unplanned or uncontrolled radioactive release that might injure the health of the NPP operating staff or the public

3.1.7 nuclear safety* the ability of an NPP to avoid or prevent a nuclear accident, that is an uncontrolled criticality of a magnitude that could cause unacceptable damage

3.1.8 on-line* the state of a system that is carrying out its specified functions as required by the NPP design

3.1.9 performance* the effectiveness with which an intended function is performed (e.g. time response, accuracy, sensitivity to parameter changes)

3.1.10 postulated initiating events (PIE)* events that lead to anticipated operational occurrences and accident conditions, their credible effects, causal failures and their credible combinations

Redundancy refers to the presence of elements or systems, whether identical or different, in numbers exceeding the minimum required, so that the failure of one element does not result in the complete loss of the function.

3.1.12 safety function* a specific purpose to be accomplished for safety

The safety systems are essential for ensuring the safe shutdown of the reactor and the removal of heat from the core under all conditions. They are designed to limit the consequences of postulated initiating events and significant sequences.

3.1.14 safety related I&C FSE* I&C FSE important for safety that are not part of the safety systems

3.1.6 NPP safety* the prevention of an unplanned or uncontrolled release of radioactive material that might injure the health of the NPP operating staff or the public

3.1.7 nuclear safety* the ability of an NPP to avoid or prevent a nuclear accident, that is an unplanned or uncontrolled criticality of magnitude that causes damage

3.1.8 on-line* the state of a system that is carrying out its specified functions as required by the NPP design

3.1.9 performance* the effectiveness with which an intended function is performed (e.g. time response, accuracy, sensitivity to parameter changes)

3.1.10 postulated initiating event (PIE)* events that lead to anticipated operational occurrences and accident conditions, their credible causal failure effects and their credible combinations

Redundancy refers to the inclusion of additional identical or diverse elements or systems beyond the minimum requirement, ensuring that the failure of one component does not compromise the overall functionality.

3.1.12 safety function* a specific purpose that must be accomplished for safety

The safety systems are crucial for ensuring the safe shutdown of the reactor and effective heat removal from the core under all conditions. They also play a vital role in limiting the consequences of postulated initiating events and significant sequences.

3.1.14 safety related I&C FSE* those I&C FSE important for safety that are not part of the safety systems

3.1.15 significant sequence* a credible series or set of events that could result in unacceptable consequences, such as:

Unacceptable radioactive release on the site or in the environment can occur in two ways: either as a massive, uncontrolled discharge that exceeds the design basis frequency of the plant, or as releases that fall within the design basis frequency but exceed the specified limits of amplitude and/or frequency.

An unacceptable deterioration of fuel can occur, which may involve damage to the fuel cladding leading to an unacceptable increase in primary coolant activity or compromising the cooling of the fuel itself.

The single failure criterion refers to a set of equipment that can still achieve its intended purpose despite a single random failure occurring at any point within the system. The failures that arise as consequences of this assumed single failure are regarded as an integral part of the single failure.

3.1.17 subsystem* a division of a system that itself has the characteristics of that system

3.1.18 system* a grouping of interconnected elements, assembled for a given objective, to accomplish a specified function

DCC Common cause failure (CCF)

CFD Design basis operating conditions

CFCA Complementary operating conditions and severe accident

FSE Function(s), systems and associated equipment that implement it (them)

AMDE Failure modes and effects analysis (FMEA)

AIEA International Atomic Energy Agency (IAEA)

EPS Probabilistic safety assessment (PSA)

3.1.15 significant sequence* a credible series or set of events that would result in unacceptable consequences such as:

Introduction

The design of a nuclear power plant is mainly based on strict deterministic requirements and on well known and proven defence-in-depth principles.

Probabilistic studies can be conducted to quantitatively assess the relative importance of instrumentation and control functions in the overall safety of a nuclear power plant.

4 Limitations regarding the use of PSA

Probabilistic safety assessment (PSA) technology supports risk-informed decision-making and promotes the efficient allocation of resources to improve the safety of nuclear power plants (NPPs). Despite its advantages, the application of PSA techniques in the design and operational support of NPPs has been constrained by various factors:

• the development and use of probabilistic safety assessment techniques continues to evolve within member nations and its level of acceptance is not consistent.

• incorporating PSA techniques as a classification tool in NPP design requires a PSA to be conducted early in the design phase. This practice is not widely adopted, mainly because the plant design is still evolving and little quantitative data is available at that stage;

• the application of PSA to existing designs often encounters technical limitations that prevent a comprehensive design review based solely on probabilistic data. This is mainly because the PSA results may be inaccurate and not exhaustive, owing to:

• the difficulties related to modelling and quantifying common cause failures, software errors, and human errors,

• the lack or the unavailability of plant specific information,

• the exclusion of operational states other than the full power state,

• the scope limitations of the level of the PSA performed,

• the exclusion of some potential initiating events (e.g fire, flood, earthquake),

• the completeness of the uncertainty analysis.

When designing new systems, the application of PSA results to instrumentation and control (I&C) systems is limited by the designer's inability to specify all necessary I&C functions in detail.

The use of PSA alone is insufficient for developing and classifying I&C safety functions. However, when combined with a qualitative approach grounded in the defence-in-depth principle, PSA is a valuable tool for improving the safety design.

During the design phase of future Nuclear Power Plants (NPPs) and the review of existing designs, Probabilistic Safety Assessment (PSA) should be utilized in conjunction with qualitative methods, as outlined in IEC 61226.

5 The use of PSA: methods and results

The design of an NPP relies on strict deterministic requirements and established defence-in-depth principles. In addition, probabilistic studies can quantitatively assess the significance of the I&C functions for the overall safety of the NPP.

In fact, probabilistic safety studies can be used in two different areas:

• to support the design process of new NPPs by determining the correct classification of the I&C functions, in particular to avoid both over-classification and under-classification of these functions;

• to verify the design and identify the most effective improvements to the I&C systems; the use of probabilistic techniques is particularly suitable in the context of safety reviews of existing NPPs.

In this way, PSA can improve the design of NPPs by focusing effort on the safety functions of greatest significance.

However, the use of PSA is continually evolving and its level of acceptance varies among member states, even though PSA is used in some countries as part of the licensing process.

Use of PSA in the design of future NPPs

Overall scope

PSA may be used in the design phase for the following purposes:

• to identify the reliability of the equipment and systems required to meet the safety targets;

• to complement the qualitative approach in assessing the frequency of initiating events;

• to identify the complex failure sequences to be considered in the design phase;

• to support the definition of technical specifications and emergency procedures;

• to confirm the design phase.

PSA typically allows the assessment of the core damage frequency, the evaluation of the robustness of the containment, and the evaluation of the frequency and magnitude of releases.

In the early design stage, simplified PSA methods are typically used for I&C assessment, in particular to evaluate the adequacy of redundancy and the safeguards against common cause failure in simple redundant systems, and to address potential human errors. Understanding and accounting for uncertainties is also crucial to the assessment and to the subsequent classification. Therefore, special attention must be given to:

• sensitivity studies and the evaluation of the uncertainties in the modelling;

• the quality of the reliability databases used as reference data.

Methods

The probabilistic safety targets for the I&C functions should be consistent with those set for the whole NPP. An example of such targets is given in the IAEA INSAG 3 document.

In fact, probabilistic safety assessments may be used in two areas:

• to support the design process of new NPPs in order to determine the correct classification of the I&C functions, especially to avoid down or upgradings of classification;

• to verify the design and identify the most effective improvements to the I&C systems; the use of probabilistic techniques is especially relevant to safety reviews of existing NPPs.

In this way, probabilistic safety assessments can be used to improve the design of NPPs and focus resources on the provision of I&C functions which have the greatest safety significance.

The use of PSA is evolving among member nations, with varying levels of acceptance; while some countries incorporate PSA into their licensing processes, this practice is not universally adopted.

5.2 Use of PSA in the design of future NPPs

PSA may be used in the design phase with the following purposes:

• to identify the reliability of equipment and systems required to cope with safety targets;

• to complement the qualitative approach in assessing the frequency of initiating events;

• to identify the complex failure sequences to be considered in the design;

• to support the definition of technical specifications and emergency procedures;

Typically, PSA covers the assessment of the core damage frequency, the evaluation of the containment response and the estimation of release frequencies and magnitudes.

Simplified PSA methods for I&C assessment are mainly employed in the early design stages to evaluate the adequacy of redundancy, to identify safeguards against common cause failures in simple redundant systems, and to address the impact of human error. In addition, understanding and incorporating uncertainties is crucial to the safety assessment and the subsequent classification.

Therefore, particular attention must be given to the following points:

• sensitivity studies and the evaluation of the uncertainties in the modelling;

• the quality of the reliability data bases which are used to provide reference data.

Probabilistic safety targets for the I&C functions should be consistent with those set for the overall NPP. An example of such targets is provided in the IAEA INSAG 3 document, as follows:

• the cumulative core damage frequency shall be lower than 10^-5 per reactor year;

• the cumulative frequency of exceeding the limiting release shall be lower than 10^-6 per reactor year;

• sequences involving very large releases with gross failure of the containment shall have a cumulative frequency well below the previous target of

The initiating events considered in the probabilistic studies are mainly the events used to justify the design of a specific plant system or of a specific I&C function.

As a result, designers frequently reason in terms of event families. An event family is a group of elementary events that lead to the same main event. The grouping of elementary events into event families may differ from one plant to another, but the chosen grouping must be clearly defined at the outset of the design process.

During the design phase, it is common to rely on a generic reliability database, because little plant-specific data is available at this early stage. This data should be used with caution, as it may not be validated for the NPP application and environment.

Point values may be used; in this case, sensitivity studies must be carried out to assess the influence of the most critical assumptions and base data on the design.

5.2.2.4 Common cause failure (CCF)

I&C equipment is prone to common cause failures because identical components and techniques are used. These failures can arise from design, manufacturing, operation and maintenance errors, as well as from shared environmental stresses.

For equipment made up of components for which the absence of failures due to design errors, manufacturing defects or environmental stresses can be reasonably demonstrated by testing, experiment or analysis, the probability of common cause failure should be quantified using beta-factor modelling or another suitable equivalent technique.

For equipment made up of components for which the absence of failures due to design errors, manufacturing defects or environmental stresses cannot be demonstrated by testing, experiment or analysis, beta-factor modelling is not applicable. This is particularly the case for programmable electronic and computer-based components.

The common practice for quantifying the reliability of redundant systems that utilize software for critical safety functions involves qualitatively assuming a failure on demand for the corresponding redundant system.

• core damage cumulative frequency shall be lower than 10^-5 per reactor year;

• cumulative frequency of exceeding the limiting release shall be lower than 10^-6 per reactor year;

• sequences involving very large releases with gross failure of containment shall have a cumulative frequency well below the previous target of 10^-6 per reactor year.

The initiating events that will be considered in the probabilistic studies are principally the events used to justify the design of a specific plant system or of a specific I&C function.

A family of events is a collection of elementary events that lead to a single main event. While the grouping of these elementary events may vary from one plant to another, the chosen grouping must be clearly defined at the outset of the design process.

In the design phase, it is common to rely on a generic reliability database because plant-specific data are lacking. This data should be used cautiously, as it may not be validated for the specific application and environment of the NPP.

Point values may be used, in which case sensitivity studies should be carried out to evaluate the influence on the design of the critical assumptions and base data.

I&C equipment can experience common cause failures due to the use of identical components and techniques. These failures may arise from errors in the design, manufacturing, operation and maintenance processes, as well as from shared environmental stresses.
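The beta-factor modelling that 5.2.2.4 calls for, and the comparison against the INSAG 3 core damage target quoted above, can be shown in a few lines. The following is an added example, not code from IEC TR 61838: the per-channel unavailability q, the beta value and the initiating event frequency are constructed illustrations, and the k-out-of-n treatment is the usual generalization of the report's "simple redundant system" case. The point it makes is the one the report makes in words: once beta is non-zero, the common cause term beta*q dominates and extra redundancy no longer buys much.

```python
# Added example (not from IEC TR 61838): beta-factor model for common cause
# failure (CCF) of a k-out-of-n redundant I&C channel set, plus one event-tree
# sequence compared against the INSAG 3 core damage target quoted in the report.
# All numeric inputs below are constructed illustrations, not report data.
from math import comb


def k_out_of_n_unavailability(n: int, k: int, q: float, beta: float) -> float:
    """Unavailability on demand of an n-channel set that needs k working channels.

    Beta-factor split of the per-channel unavailability q:
      independent part  q_ind = (1 - beta) * q
      common cause part q_ccf = beta * q   (fails all n channels together)
    The set fails if at least n-k+1 channels fail independently, or if the
    common cause event occurs; the two events are treated as independent.
    """
    if not (1 <= k <= n) or not (0.0 <= q <= 1.0) or not (0.0 <= beta <= 1.0):
        raise ValueError("need 1 <= k <= n, 0 <= q <= 1 and 0 <= beta <= 1")
    q_ind = (1.0 - beta) * q
    q_ccf = beta * q
    # binomial tail: probability of at least n-k+1 independent channel failures
    p_ind = sum(comb(n, j) * q_ind ** j * (1.0 - q_ind) ** (n - j)
                for j in range(n - k + 1, n + 1))
    return 1.0 - (1.0 - p_ind) * (1.0 - q_ccf)


def sequence_frequency(f_ie: float, branch_unavailabilities) -> float:
    """Frequency of one event-tree sequence: initiating event frequency times
    the unavailability of each mitigating function that fails along the path."""
    f = f_ie
    for q in branch_unavailabilities:
        f *= q
    return f


CORE_DAMAGE_TARGET = 1e-5  # per reactor year, as quoted in the report


def meets_target(frequency: float, target: float = CORE_DAMAGE_TARGET) -> bool:
    """True when a (cumulative or single-sequence) frequency is below the target."""
    return frequency < target


if __name__ == "__main__":
    q_channel, beta = 1e-3, 0.1  # constructed per-channel unavailability and beta
    for n, k in ((2, 1), (4, 2)):
        without_ccf = k_out_of_n_unavailability(n, k, q_channel, 0.0)
        with_ccf = k_out_of_n_unavailability(n, k, q_channel, beta)
        print(f"{k}oo{n}: no CCF {without_ccf:.2e}, beta={beta} -> {with_ccf:.2e}")
    # constructed sequence: initiating event at 0.1/yr, 2oo4 protection I&C fails
    f_seq = sequence_frequency(0.1, [k_out_of_n_unavailability(4, 2, q_channel, beta)])
    print(f"sequence frequency {f_seq:.2e}/yr, meets target: {meets_target(f_seq)}")
```

Running it shows the 2oo4 set dropping from about 4e-9 with beta = 0 to about 1e-4 with beta = 0.1, i.e. the CCF floor, and that a single constructed 0.1/yr sequence through that floor already sits at the whole-plant core damage target, which is why the report insists that CCF be quantified rather than assumed away.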

Plant analysis and I&C modelling in PSA

The model should consist of

Event trees illustrate the sequences of incidents by detailing the progression from an initiating event to a final state, encompassing both the successes and failures of systems, as well as the actions taken by the operator.

• fault trees or equivalent mathematical functions that describe system failures as combinations of basic events (component failures, human errors, etc.).

Event trees and fault trees can be combined in order to identify the combinations of basic events specific to each accident sequence.

A proposal for modelling the instrumentation and control functions for use in PSA is given in annex A.

Benefits of the use of PSA for existing NPPs

For existing NPPs, PSA is widely used during the periodic safety reviews in order to

• highlight and rank the dominant sequences;

• support decisions on the implementation of modifications to the safety systems and the corresponding I&C equipment;

• evaluate the global safety level of the plants.

Possible improvements can be prioritized according to the reduction of risk, considering both probability and consequences. PSA also allows attention to be focused on sequences that may lead to:

• high pressure core melt;

• other dominant sequences, such as those including human errors or equipment failures.

PSA is a very useful tool for evaluating the importance of the I&C functions and estimating the benefit of potential modifications. The designer can thus use the results of

By comparing PSA results with other deterministic studies, the most effective safety improvements can be identified. This allows cost-benefit arguments to be developed on the basis of reliable engineering information and analyses.

Human reliability, that is the likelihood of human error, is a crucial factor in design. Consequently, the evaluation of the probability of human error must be integrated into the PSA. This assessment should take into account both time-independent factors, such as latent errors, and time-dependent factors, such as diagnostic errors.

5.2.3 Plant analysis and modelling I&C in PSA

The plant model should consist of

• event trees that describe the accident sequences in terms of progression from an initiating event to a final state including the successes or failures of systems and operator actions;

• fault trees or the equivalent mathematical functions that describe the system failures as combinations of basic events (component failures, human errors, etc.).

Event trees and fault trees can be combined in order to identify the basic event combinations specific to each accident sequence.

A proposal of modelling instrumentation and control functions for use in PSAs is presented in annex A.

5.3 Benefits of the use of PSA for existing NPPs

For existing NPPs, PSA is widely used during the periodic safety reviews in order to

• highlight and rank the dominant sequences;

• help decide whether to implement modifications to the safety and safety-related I&C systems and equipment;

• evaluate the global safety level of the plants.

The possible improvements can be prioritized according to the reduction of risk (probability and consequences). The PSA also allows attention to be paid to sequences which can lead to

• other dominant sequences, such as those including human errors or equipment failures.

PSA is an essential tool for evaluating the significance of I&C functions and assessing the benefits of potential modifications. Designers can use the PSA results alongside other deterministic studies to identify which enhancements will yield the most significant safety improvements. This approach supports cost-benefit analyses grounded in reliable engineering data and thorough analysis.

6 Utilisation des EPS pour le classement

Généralités

As outlined in clause 4, quantitative risk assessment can enhance the deterministic approach to the classification of I&C functions. It is widely recognized that the development and application of risk assessment techniques, often referred to as probabilistic risk assessment or probabilistic safety assessment, are evolving among member states and have not yet reached a uniform level of acceptance.

The information obtained through the use of PSA can facilitate risk-effective decision making and allow a more efficient use of resources.

PSA methods and technology should not replace the defence-in-depth approach; rather, they should complement the deterministic methods, especially where PSA is recognized and data are available.

For optimal results, PSA should be used during the design phase of a nuclear power plant and its I&C system to confirm the correct classification of the required I&C functions.

PSA can be used in existing nuclear power plants to identify which parts of the I&C system should be modified or enhanced, in order to increase safety and improve the design and operation of the plant and its I&C system. This is particularly relevant for the safety reviews of existing plants.

This clause outlines four distinct approaches to the use of probabilistic methods in nuclear power plant design. The list is not exhaustive; there are many situations in which probabilistic techniques can enhance decision making during the design phase. The report aims to encourage discussion on the optimal application of these probabilistic methods in the development of I&C systems for nuclear plants.

The four approaches are as follows:

Approach 1, see 6.2 – Time and reactor states based approach

This approach was introduced in the European Utility Requirements document for the classification of equipment, in particular I&C equipment.

Approach 2, see 6.3 – Quantitative importance based approach

This approach relies entirely on a probabilistic technique to assess the contribution of each I&C function to the failure sequences of the plant. Consequently, the importance of each I&C function can be quantitatively evaluated. This technique has been implemented in a power plant in the United States as a basis for ongoing risk monitoring.

Approach 3, see 6.4 – Consequence and mitigation based approach

This approach has been used in Canada for the design of CANDU nuclear power plants.

Approach 4, see 6.5 – Defence in depth based approach

This approach focuses on using probabilistic techniques to adjust the classification of I&C functions previously established by an accepted qualitative method. It considers limiting the probabilistic methods to moving the I&C classification by one level, thereby reducing the risk of excessive reliance on probabilistic data based on the generic reliability of components.

This approach has not yet been applied to a classification of the functions of a nuclear power plant.


6 The use of PSA for classification

Quantitative risk assessment serves as a valuable complement to the deterministic classification of Instrumentation and Control (I&C) functions, as outlined in clause 4. The evolution of risk assessment techniques, commonly referred to as probabilistic risk assessment or probabilistic safety assessment, is acknowledged among member nations, although a consistent level of acceptance has yet to be achieved.

The information obtained from the use of PSA technology can lead to the improvement of risk-effective decision making and a more focused and efficient use of resources.

PSA methods and technology should enhance, rather than replace, the defence-in-depth approach. They are particularly effective when used alongside established deterministic methods, especially in scenarios where reliable data are accessible.

For the most effective results, PSA should be used during the design phase of the NPP and its I&C system to confirm the correct classification of the required I&C functions.

PSA can be applied to current Nuclear Power Plants (NPPs) to identify components of the Instrumentation and Control (I&C) system that require modifications or enhancements, ultimately enhancing the safety, design, and operation of both the plant and its I&C system. This approach is especially relevant for conducting safety reviews of existing facilities.

This clause outlines four distinct approaches to utilizing PSA techniques, acknowledging that the list is not exhaustive. There are numerous ways in which probabilistic methods can enhance decision-making in the design of nuclear power plants (NPPs). The report aims to encourage discussion on the optimal application of probabilistic techniques during the design phase of NPP instrumentation and control systems.

The four approaches are as follows:

Approach 1, see 6.2 – Time and reactor states based approach

This has been introduced in the European Utility Requirements document to be used for future NPP to decide how I&C functions should be classified.

Approach 2, see 6.3 – Quantitative importance based approach

This approach is based on a full probabilistic technique to determine the contribution of each I&C function to the fault sequences of the plant, so that the importance of each function can be quantitatively assessed. This technique has been implemented in the USA as a basis for real-time risk monitoring in plants.

Approach 3, see 6.4 – Consequence – mitigation based approach

This approach has been used in Canada for the design of CANDU NPPs.

Approach 4, see 6.5 – Defence in depth based approach

This approach utilizes probabilistic techniques to adjust Instrumentation and Control (I&C) classifications established by traditional qualitative methods. It emphasizes that these probabilistic techniques should be restricted to altering classifications by no more than one level, thereby reducing the risk of excessive dependence on probabilistic data that may rely on generic component reliability information.

The approach has not yet been applied to a classification of functions of NPPs.


6.2 Approach 1: time and reactor states based approach

6.2.1 Use of PSA in conjunction with a functional deterministic method

For the classification of functions, systems and equipment, the designer may proceed in two steps:

• firstly, define and classify the I&C functions using a deterministic approach to meet the safety objectives for the DBC;

• secondly, use the PSA to verify and classify the systems and equipment required to meet the safety objectives in terms of probabilistic safety targets. This step mainly concerns the DEC, which cover a set of accident sequences beyond the design basis conditions.

6.2.2 Classification of functions, systems and equipment

The goal of categorization and classification is to create a rational and justifiable hierarchy in the requirements applied to functions, systems and equipment. This hierarchy must be consistent with the safety function provided, without imposing excessive qualification or quality levels on the equipment.

6.2.2.1 First step: mitigation of postulated initiating events

To achieve the objectives mentioned above, the classification process is based on two parameters:

• the physical state of the reactor;

• the time available to initiate the safety functions.

Two physical states of the plant are considered in the definition of the safety classes, in order to allow a hierarchy of the safety functions and of the associated requirements.

These states correspond to shutdown conditions and are the controlled state and the safe shutdown state.

They are defined as follows:

Controlled state: this state corresponds to the end of the rapid transient. In this situation, plant operation is stabilized with:

• core heat removed with a stable core coolant inventory.

Safe shutdown state: this is the state in which residual power decay is durably ensured. The physical parameters of the plant are in the following situation:

• the core is subcritical,

• activity releases are kept within the limits of the DBC category considered,

• decay heat removal is durably ensured (by a closed cooling chain such as the safety injection system or the reactor shutdown heat removal system).

1) In practice, the core is generally subcritical, but a return to criticality is accepted, only for a few events and for a short period of time.


6.2 Approach 1: time and reactor states based approach

6.2.1 Use of PSA in conjunction with a functional deterministic method

For the classification of functions, systems and equipment, the designer may proceed in two steps:

• firstly, define and classify I&C functions using a deterministic approach to meet the safety goals for each DBC;

• secondly, the Probabilistic Safety Assessment (PSA) is used to verify and categorize the necessary systems and equipment aimed at meeting safety objectives based on probabilistic safety targets. This phase mainly focuses on the Design Extension Conditions (DEC), which encompass a distinct group of accident sequences beyond the established design basis conditions.

6.2.2 Classification of functions, systems and equipment

The goal of safety categorization and classification is to create a logical and justifiable hierarchy of requirements for functions, systems and equipment. These graded requirements should align with the safety significance of the functions while avoiding excessively high standards for quality and equipment qualification.

6.2.2.1 First step: mitigation of postulated initiating events

To achieve the objectives mentioned above, the classification process is based on two considerations:

• the physical state of the reactor;

• the time available to initiate safety functions.

The safety classes of a plant are defined by considering two physical states, which facilitates the establishment of a hierarchy among safety functions and their corresponding requirements.

These states correspond to shutdown conditions and are the controlled state and the safe shutdown state.

They are defined as follows:

Controlled state: this state is the state which puts an end to the rapid transient. In this situation, the plant operation is stabilized with:

• core heat removed with a stable core coolant inventory.

Safe shutdown state: this is a state where residual power decay is durably ensured. Physical plant parameters are in the following situation:

• activity release is within the limits of the corresponding DBC,

• decay heat is durably ensured (by a closed cooling chain such as the safety injection system or the reactor heat removal system).

1) In practice, subcriticality in general but limited re-criticality is accepted for a few events and a short period of time.


Considering these two states, the safety functions needed to mitigate the PIEs are classified according to the moment at which they are required. The study of the typical evolution of PIEs shows that three phases can be distinguished:

• the first is characterized by a rapid evolution of the physical parameters of the reactor, requiring the actuation of automatic safety systems to reach a state in which all parameters are controlled;

• the second is characterized by a slow evolution of the plant parameters, allowing human actions; it ends with the achievement of safe shutdown;

• the third corresponds to the stabilization of all reactor parameters, apart from a slow decrease in the temperature of the equipment used to remove the residual power. Because of the low level of residual power, any equipment failure would lead to a very slow change of the physical parameters. Under these conditions, the time available for local actions becomes longer, allowing more extensive interventions.

Safety functions can be categorized according to whether they are required in the first, second or third phase of reactor stabilization. It is also possible to assign different requirements to these categories, since the possibilities of recovering the mitigation means improve significantly during the second phase and even more so in the third phase.

From the safety point of view, the safe shutdown state must be maintained without time limit.

It is reasonable to allow some flexibility for the safety-related systems (SRS) required to maintain safe shutdown beyond a certain duration, as this time is sufficient to restore internal systems or to make additional external arrangements. Therefore, it is proposed to relax the requirements for the SRS necessary to maintain safe shutdown after 24 hours (phase 3) and to accept the use of unclassified SRS after 72 hours, based on the possibility of implementing additional measures during this period.

This approach leads to the following definition of the categories of I&C functions:

• category A: all the safety FSE needed after a PIE to reach the controlled state;

• category B: all the safety FSE (not already classified A) needed from the controlled state to reach the safe shutdown state and to maintain it until 24 hours after the initiating event;

• category C: all the additional safety FSE needed to maintain safe shutdown from 24 hours up to 72 hours after the initiating event. After this period, the use of non-classified systems is permitted, provided that safe shutdown is achieved.

The schematic representation in 6.2.2.3 shows that the classification is deterministic: categories A and B are defined for the FSE required to reach the safe shutdown state after a PIE under design basis conditions.

6.2.2.2 Second step: probabilistic basis for the mitigation of DEC and the prevention of events

The classification process can be enhanced by using PSA results to meet the probabilistic safety objectives. PSA should be used to identify the complex sequences that require the design of additional or modified systems, as well as the implementation of new or revised operating procedures. The safety functions needed to reach and maintain a final state in these complex sequences are classified in category C, on the basis of the PSA results, if they are required to meet the overall probabilistic safety goals.


The safety functions needed to mitigate the postulated initiating events (PIEs) are categorized based on the timing of their required operation. An analysis of typical PIE evolutions reveals three distinct time periods for these safety functions:

• the first one is characterized by a rapid evolution of the physical parameters of the reactor, requiring the actuation of automatic safety systems to reach the controlled state, in which all parameters remain within safe limits;

• the second one is characterized by a slow evolution of the plant parameters, thus allowing human actions to be taken; it ends in the achievement of the safe shutdown;

• the third one corresponds to the stabilization of all plant parameters, with only a slow reduction in the temperature of the equipment responsible for removing the residual heat. Due to the low residual heat level, any equipment failure would lead to a gradual change in the physical parameters. This extends the time available for local actions and facilitates external interventions.

Safety functions can be classified based on whether they are required during the first, second or third time period. Different requirements can be assigned to these categories, since the possibilities of recovering the mitigation means improve in the second period and even more so in the third.

6.2.3 Associated technical requirements

Certain general technical requirements shall be applied to the design of the I&C functions in each of the above categories. For example:

• consideration of the single failure criterion;

• the need for an emergency electrical supply;

• the need for physical separation between the functional trains of a system;

• the need for automatic actuation.

These are summarized in their most general form in table 2.

Table 2 – General technical requirements for the I&C function categories

Requirement                   Category A     Category B     Category C
Single failure criterion      YES            YES 1)         NO 2)
Emergency electrical supply   YES            YES            NO 3)
Physical separation           YES            YES 1)         NO
Automatic actuation           Until 30 min   Until 30 min   NO 4)

1) Possible use of functional diversification with appropriate criteria for that diversification.

2) Redundancy may be required in the case of inaccessible equipment or, if necessary, to meet the probabilistic targets, or for certain hazards.

3) Yes for those functions which require an electrical supply of high reliability in the applicable conditions.

4) There may be exceptions for certain DEC.

Other requirements relating to the systems must also be applied, as illustrated in table 3.

Table 3 – Further requirements on the systems design

Requirement                   Category A   Category B   Category C
Design code                   YES          YES          YES 1)
Quality assurance             YES          YES          YES
Periodic tests                YES          YES          YES
Data base for reliability     YES          YES          IF USED IN PSA
Qualification                 YES          YES          IF NECESSARY
Seismic qualification         YES          YES          NO

1) A design code is required, but not necessarily a nuclear code.

6.2.4 Complementary use of PSA in the iterative design process

As indicated in 6.2.1, PSA is used during the design phase to complement the deterministic methods. This practice ensures a well-balanced and optimized design, providing reasonable assurance that the design will meet the overall safety objectives of the plant.


There are certain general technical requirements which shall be applied to the design of I&C functions in each of the above categories. For example:

• the need to consider the single failure criterion;

• the need for emergency electrical supply;

• the need for physical separation between functional trains in a system;

• the need for automatic actuation.

These are summarized in their most general application in table 2.

Table 2 – General technical requirements for the I&C function categories

Requirement                   Category A     Category B     Category C
Single failure criterion      YES            YES 1)         NO 2)
Emergency electrical supply   YES            YES            NO 3)
Physical separation           YES            YES 1)         NO
Automatic actuation           Until 30 min   Until 30 min   NO 4)

1) Possible use of functional diversification with appropriate criteria for that diversification.

2) Redundancy may be required for the case of equipment which is inaccessible or, if required, to meet probabilistic targets, or for certain hazards.

3) Yes for those functions which require electrical supply of high reliability in the relevant conditions.

4) For certain DEC, there may be exceptions.

Further requirements on the systems design must also be applied, as illustrated in table 3.

Table 3 – Further requirements on the systems design

Requirement                   Category A   Category B   Category C
Design code                   YES          YES          YES 1)
Quality assurance             YES          YES          YES
Periodic tests                YES          YES          YES
Data base for reliability     YES          YES          IF USED IN PSA
Qualification                 YES          YES          IF NECESSARY
Seismic qualification         YES          YES          NO

1) A design code is required but not necessarily a nuclear code.

6.2.4 Complementary use of PSA alongside the iterative design process

In the design phase, PSA is utilized to enhance the deterministic methods, leading to a balanced and optimized design. This approach ensures reasonable assurance that the design aligns with the overall safety objectives of the plant.


PSA can be conducted during the design phase of new nuclear power plants as well as for the safety reviews of existing facilities. Several PSAs may be required to fully optimize the design, each performed at a different level:

• a first, preliminary one early in the design, to check roughly that the probabilistic safety objectives can be met;

• a finer one during the detailed design, to determine the complex sequences that require the implementation of additional measures;

• a last one, at the design stage, to make a final check of the overall design.

During the operational lifespan of the power plant, it is essential to conduct a Probabilistic Safety Assessment (PSA) for each safety review to ensure that the probabilistic safety objectives continue to be met.

6.3 Approach 2: quantitative importance based approach

6.3.1 Quantitative assignment criteria

To establish the importance for safety of each I&C function, a set of criteria must be determined. An example of these criteria is based on work conducted in the United States, using a quantitative analysis of the risk contribution through cut set theory to obtain a coherent mathematical approach. In certain instances, a function may be assigned to several categories because of its contribution to various event sequences. In such cases, the final assignment of these functions should be the highest applicable category.

6.3.2 Quantitative criteria

6.3.2.1 Quantitative risk expressions for nuclear power plants

When a quantitative risk assessment of a nuclear power plant is performed, one or more of the following risk expressions may be developed, depending on the level of the PSA performed:

• core melt (or core damage) frequency (level 1 PSA);

• radiological release frequency and associated source terms (level 2 PSA);

• health effects, measured in terms of latent and/or acute fatalities (level 3 PSA).


Probabilistic Safety Assessments (PSA) can be conducted during the design phase of new nuclear power plants and during safety reviews of existing facilities. Multiple PSAs may be required to thoroughly optimize the design, with each assessment performed at a different level:

• a first preliminary one early in the design to check roughly that the probabilistic safety targets can be met;

• a more detailed one during the detailed design to determine the complex sequences that require additional measures;

• a last one, at the design stage to make a final check of the overall design.

Then, during the lifetime of the plant, PSA should be performed for each safety review to confirm that the probabilistic safety objectives are always met.

6.3 Approach 2: quantitative importance based approach

The significance of instrumentation and control (I&C) functions for safety can be evaluated by examining the potential consequences of their failure, including non-operation when needed or unintended actuation. The assessment should begin with the postulated initiating events (PIEs) defined in the nuclear power plant's (NPP) design basis. A comprehensive analysis of all the significant event sequences is essential to identify the key functions that the I&C systems must fulfil.

The functions performed by I&C systems and equipment can be used to classify each FSE into one of the categories defined in IEC 61226: A, B, C or unclassified. An unclassified assignment is made if the FSE is not significant to safety.

I&C FSE falling within the boundary of the safety system as defined in IAEA Safety Guide 50-SG-D8 are generally to be assigned to category A. I&C FSE defined as safety related in that guide are generally assigned to category B or C (and occasionally category A).

6.3.1 Quantitative assignment criteria

To establish the safety significance of each Instrumentation and Control (I&C) function, it is essential to define a set of criteria. An example of these criteria, derived from work conducted in the USA, uses a quantitative analysis of the risk contribution through cut set theory, providing a consistent mathematical framework. Occasionally, a function may belong to several categories due to its involvement in various event sequences; in such instances, the function should ultimately be assigned to the highest relevant category.

6.3.2 Quantitative criteria

6.3.2.1 Quantitative risk expressions for NPPs

When a quantitative risk assessment is performed, on a NPP one or more of the following risk expressions may be developed depending upon the level of the PSA performed:

• core melt (or core damage) frequency (level 1 PSA);

• radiological release frequency and associated source terms (level 2 PSA);

• health effects measured in terms of latent and/or acute fatalities (level 3 PSA).


In general, the basic requirement for a level 1 Probabilistic Safety Assessment (PSA) is the formulation of a Boolean expression representing core damage. This expression is derived from the Boolean union of all the accident sequences in the event trees that lead to core damage.

This expression is typically formulated as the Boolean union of all the minimal cut sets that contribute, above a certain threshold, to one or more significant accident sequences. In other words, core damage can be expressed in terms of the occurrence frequencies of all the postulated initiating events (PIEs) and of the probabilities of each possible sequence resulting from an individual PIE. The core damage frequency is then:

$$C(t) = \sum_{i=1}^{n_i} C_{f,i}(t)\, P(U_i), \qquad U_i = \bigcup_{k} E_{i,k} \tag{1}$$

where

C(t) is the sum of the frequencies at which the initiating events cause core damage;

E_{i,k} is the event that minimal cut set "k" occurs, given that PIE "i" occurs, i.e. the FSE are in a critical state when the initiating event occurs;

U_i is the Boolean union of the minimal cut sets containing PIE "i"; n_i is the number of PIEs;

C_{f,i}(t) is the occurrence frequency of PIE "i".

The above expression can be evaluated provided that:

• the FSE are reasonably reliable (i.e. the probability that two or more minimal cut sets occur simultaneously is small);

• the individual events making up the minimal cut sets (i.e. the basic events) can be considered independent;

• the conditional probability of failure per unit time "λ" is a sufficiently accurate approximation of the failure frequency.

In this case, expression (1) becomes:

2) The core damage frequency is chosen as an example of a risk measure for which the importance of the contributions to safety can be determined for the FSE. However, the importance approach to safety evaluation is general and can be used in a similar way for any top event occurrence frequency (such as release frequencies and health effects, which can be expressed as a Boolean union of the associated minimal cut sets).


For a level 1 Probabilistic Safety Assessment (PSA), the basic requirement is a Boolean expression representing core damage, derived from the Boolean union of all the accident sequences identified in the event trees. This expression is typically formulated as the Boolean union of all the minimal cut sets that contribute, above a certain threshold, to one or more significant accident sequences. In other words, core damage can be expressed in terms of the occurrence frequencies of all the postulated initiating events (PIEs) and the probabilities of each possible sequence resulting from an individual PIE. The core damage frequency is then:

$$C(t) = \sum_{i=1}^{n_i} C_{f,i}(t)\, P(U_i), \qquad U_i = \bigcup_{k} E_{i,k} \tag{1}$$

where

C(t) is the sum of the frequencies at which the initiating events cause core damage;

E_{i,k} is the event that minimal cut set "k" containing PIE "i" occurs, i.e. the FSE are in a critical state when the initiating event occurs;

U_i is the Boolean union of the minimal cut sets containing PIE "i"; n_i is the number of PIEs;

C_{f,i}(t) is the occurrence (failure) frequency of PIE "i".

The above expression can be evaluated provided that

• the FSEs are reasonably reliable (i.e. the probability of two or more minimal cut sets occurring simultaneously is small);

• the individual events making up the cut sets (i.e. basic events) can be considered to be independent;

• the conditional probability of failure per unit time "λ" is a satisfactorily accurate approximation for the failure frequency.

In this case, expression (1) becomes:

2) Core damage frequency is chosen as the example risk measure for which importance to safety contributions can be determined for the FSE However, the importance approach to safety evaluation is a general one and can be employed in a similar fashion for any top event occurrence frequency (such as release frequencies and health effect which can be expressed as a Boolean union of underlying minimal cut sets).

$$C(t) \approx \sum_{i=1}^{n_i} C_{f,i}(t) \left( \sum_{j:\, i \in K_j} \ \prod_{l \in K_j,\ l \neq i} q_l \right) \tag{2}$$

where

j is the index domain for the minimal cut sets;

K_j is the j-th minimal cut set;

∈ means "belongs to";

q is the probability of an event;

l is the index domain for the relevant (basic) events, the initiating event being accounted for by C_{f,i}(t);

i is the index domain for the PIEs;

n_i is the number of PIEs in all the minimal cut sets.

Note that the term in parentheses in expression (2) is a first-order approximation of the unavailability due to the critical state of the FSE associated with the PIE: it is the sum of the probabilities of the minimal cut sets containing the PIE. Expression (2) is generally accurate enough for most risk calculations and can therefore be used to determine the importance of the contribution of the minimal cut sets to the overall core damage frequency.

6.3.2.2 Importance for safety evaluation

The importance for safety of the FSE can be assessed through weighting functions that evaluate the contribution of each basic event to the overall core damage frequency. Developing an importance expression for a function, together with its associated systems and equipment, involves three steps: first, defining a new core damage top event as the Boolean union of the minimal cut sets containing the PIE or the relevant event; second, using expression (2) to calculate the occurrence frequency of this new top event (for PIE importance expressions, a single initiating event is used); and third, dividing the resulting occurrence frequency by the core damage frequency.

Expressed mathematically, the importance for safety of the basic events (or of the FSE they constitute), weighted by the core damage frequency, is:

$$I = \frac{\text{frequency of the Boolean union of the minimal cut sets containing the events of interest}}{\text{frequency of occurrence of the top event, } C(t)}$$

The importance for safety is thus the relative contribution of the minimal cut sets (containing the initiating event or the relevant event) to the total core damage frequency. In many risk assessment cases, C(t) can be treated as a constant, or represented as such, depending on the accuracy required to establish a reasonable ordering of importance. Note that the numerator in this ranking model is a linear function of the failure frequency of the initiating events. For the relevant events, the numerator is a linear function of the unavailability of these events. Conceptually, the importance of the relevant events (or pivotal events) is a constituent measure of importance, provided that these events do not by themselves trigger the occurrence of the top event (in this case, core damage).

LICENSED TO MECON Limited - RANCHI/BANGALORE FOR INTERNAL USE AT THIS LOCATION ONLY, SUPPLIED BY BOOK SUPPLY BUREAU.

where

j is the index domain for the minimal cut sets;

K_j is the j-th minimal cut set;

∈ means "belongs to";

q is the probability of an event;

l is the index domain for the PIEs;

i is the index over the PIEs, which appears in the term C_{f,i}(t);

n_i is the total number of PIEs present in all minimal cut sets.

6.3.3 Assignment to a category

Based on the importance derived from the previous analysis, the instrumentation and control FSE can be classified according to a scale of significance. A logarithmic scale appears to be the most suitable, although other scales may also be used. For instance, it is appropriate that:

• an I&C FSE be assigned to category A if its calculated importance is 1,0 > I ≥ 0,01;

• an I&C FSE be assigned to category B if its calculated importance is 0,01 > I ≥ 0,001;

• an I&C FSE be assigned to category C if its calculated importance is 0,001 > I ≥ 0,0001.

6.3.4 Classification procedure

Using the method outlined in section 6.3, I&C functions can be ranked according to their importance. Most phases of nuclear power plant design involve iterative cycles during which design options are evaluated. During these cycles, the I&C requirements are gradually refined, and the importance of individual functions for safety changes accordingly. This procedure is outlined below.

6.3.4.1 Identification of the design basis

One of the main inputs to the ranking of the functions, systems and equipment (FSE) is the type of nuclear power plant and reactor (PWR, BWR or other reactor types), together with the associated postulated initiating events (PIE) and the main design criteria on the redundancy of mechanical and electrical systems and equipment. Another essential input is the identification, for each PIE, of the main mitigation FSE and of their supporting FSE.

The assignment of FSE to categories depends on their role in the prevention and mitigation of PIEs. The classification process must consider the role of the FSE across the various operating modes and plant conditions, such as start-up, normal operation and refuelling, recognising that an FSE may be significant only in specific operating modes. It must also take into account PIEs caused by natural events such as seismic disturbances, floods, extreme winds and lightning, as well as hazards such as fires, internal flooding, missiles and radioactive releases from nearby nuclear plants.

6.3.4.2 Identification and classification of FSE

In the early design phase of a nuclear power plant, it is essential to identify the safety-related functions. The identification of these functions, and their assignment either to I&C FSE or to human operators, should be carried out in accordance with IEC 60964. Following this initial identification of the FSE, a category should be assigned to each FSE.

It will not be possible to identify all FSE in detail at an early stage of the design process, since the characteristics of the nuclear power plant have not yet been fully defined. The identification and classification of the FSE must therefore continue iteratively throughout the design phase.

Where the initial assignment of an FSE to a category is uncertain, an explanatory note should be added to the classification. The functions performed by each I&C system should be analysed to identify the sub-FSE within each FSE and to assign the appropriate category to each sub-FSE.

Individual FSE may be involved in implementing several aspects of the requirements specification, which can lead to their assignment to more than one category. In cases of multiple assignment, the final designation of each FSE and of all its sub-FSE must be the highest applicable category.


Based on the analysis, instrumentation and control FSE can be categorized according to a logarithmic scale of importance, which has proven to be the most suitable method, although alternative scales may also be considered.

• an I&C FSE should be assigned to category A if its calculated importance is 1,0 > I ≥ 0,01;

• an I&C FSE should be assigned to category B if its calculated importance is 0,01 > I ≥ 0,001;

• an I&C FSE should be assigned to category C if its calculated importance is 0,001 > I ≥ 0,0001.

The classification of I&C functions based on their importance is achieved through the method outlined in section 6.3. Throughout the various design phases of a nuclear power plant (NPP), iterative cycles occur as different design options are evaluated. During these cycles, the I&C requirements are continuously refined, and the importance of individual functions for safety shifts accordingly. This process is detailed in the following sections.

A main input to the FSE categorization process is the nature of the NPP and the reactor type (such as PWR, BWR or other reactor types), together with the associated postulated initiating events (PIEs) and the main design criteria on redundancy of mechanical and electrical systems and equipment. A further essential input is the identification, for each PIE, of the main mitigating FSE and their supporting FSE.

The assignment of FSE to categories depends upon their role in preventing or mitigating PIEs.

The categorization process must take into account the role of the FSE in preventing and mitigating PIEs across the various operating modes and plant conditions, including start-up, normal operation and refuelling, recognising that an FSE may play a crucial role only in specific operating modes. It must also address PIEs triggered by natural events such as seismic disturbances, floods, extreme winds and lightning, as well as hazards such as fire, internal flooding, missiles and radioactive releases from nearby sources.

6.3.4.2 Identification and categorization of FSE

In the early design phase of a nuclear power plant (NPP), it is crucial to identify the safety-related functions. This identification, together with the assignment of these functions either to I&C FSE or to human operators, should follow the guidelines of IEC 60964. Following this initial identification of FSE, a category should be assigned to each FSE.

Identifying all FSE in detail in the early design stages of an NPP is not possible, because the plant characteristics are not yet fully defined. The identification and categorization of FSE must therefore be an iterative process throughout the design phase. If there is uncertainty in categorizing an FSE, an explanatory note should accompany the classification. In addition, the functions performed by each I&C system should be reviewed to identify sub-FSE and assign the correct category to each of them.

Individual FSE may be assigned to several categories because they implement several aspects of the requirements specification. In cases of multiple assignment, each FSE and all of its sub-FSE must ultimately be assigned to the highest applicable category.
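The ranking of 6.3.2.2 and the categorization rules of 6.3.3 and 6.3.4.2, as an added worked example that is not part of IEC TR 61838. It uses constructed PIE frequencies, basic-event unavailabilities and minimal cut sets (all hypothetical sample values), the first-order approximation of the core damage frequency C(t) as the sum of cut set frequencies, and the "highest applicable category" rule for an FSE made up of several sub-FSE.

```python
"""Added example, not from IEC TR 61838: first-order importance ranking of I&C FSE."""
from math import prod

PIE_FREQ = {"LOOP": 3e-2, "SLOCA": 2e-3}  # constructed sample values, per reactor-year
UNAVAIL = {                                 # constructed basic-event unavailabilities
    "DG_A": 1e-2, "DG_B": 1e-2, "AFW_start": 1e-4, "RPS_trip": 1e-6,
    "ECCS_actuation": 5e-4, "PORV_indication": 5e-5, "ops_recovery": 5e-2,
    "turbine_bypass_ind": 1e-6,
}
CUT_SETS = [                                # constructed minimal cut sets: (PIE, basic events)
    ("LOOP", ("DG_A", "DG_B")), ("LOOP", ("AFW_start",)), ("LOOP", ("RPS_trip",)),
    ("LOOP", ("DG_A", "turbine_bypass_ind")),
    ("SLOCA", ("ECCS_actuation",)), ("SLOCA", ("RPS_trip",)),
    ("SLOCA", ("PORV_indication", "ops_recovery")),
]
# Logarithmic scale of 6.3.3: a category applies when lower <= I < upper.
CATEGORIES = [("A", 1e-2, 1.0), ("B", 1e-3, 1e-2), ("C", 1e-4, 1e-3)]
# Hypothetical I&C FSE and the basic events (sub-FSE) implementing them.
FSE_EVENTS = {
    "Reactor trip": ["RPS_trip"], "Emergency feedwater actuation": ["AFW_start"],
    "Diesel generator sequencing": ["DG_A", "DG_B"], "ECCS actuation": ["ECCS_actuation"],
    "Safety parameter display": ["PORV_indication", "turbine_bypass_ind"],
}

def cut_set_frequency(pie, events):
    return PIE_FREQ[pie] * prod(UNAVAIL[e] for e in events)

def core_damage_frequency():
    # First-order (rare-event) approximation of C(t): sum of the cut set frequencies.
    return sum(cut_set_frequency(p, ev) for p, ev in CUT_SETS)

def importance(item):
    """I = frequency of the union of cut sets containing `item` (a PIE or basic event) / C(t)."""
    hits = [(p, ev) for p, ev in CUT_SETS if item == p or item in ev]
    return sum(cut_set_frequency(p, ev) for p, ev in hits) / core_damage_frequency()

def category(imp):
    for name, low, high in CATEGORIES:
        if low <= imp < high:
            return name
    return None  # below the category C threshold: no safety category from this ranking

def categorize_fse(events):
    """Multiple assignment (6.3.4.2): the FSE takes the highest category of its sub-FSE."""
    order = {"A": 0, "B": 1, "C": 2, None: 3}
    return min((category(importance(e)) for e in events), key=order.__getitem__)

if __name__ == "__main__":
    for fse, events in FSE_EVENTS.items():
        print(f"{fse:32s} -> {categorize_fse(events)}")
```

Because every constructed cut set contains exactly one PIE, the PIE importances sum to 1 under the first-order approximation, which is a useful sanity check on a cut set list.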


As the requirements for redundancy, diversity and other technical aspects of the FSE are defined more precisely through the ongoing safety analysis and the development of operating procedures, the ranking list is refined and reviewed to produce a final version. This final list should be included in the documentation required for obtaining and maintaining the operating licence of the nuclear power plant.

6.3.5 Determination of requirements

The specific technical and quality requirements for FSE assigned to categories A, B and C using the probabilistic approach described above are given in IEC 61226.


Use of PSA in the design of future NPPs

Approach 1: time and reactor states based approach

Approach 2: quantitative importance based approach

Approach 3: consequence – mitigation based approach

Approach 4: defence-in-depth based approach


Scope

Modelling description

Quantitative analysis: unavailability values

Use of modelling in the event trees of PSA

Posted: 17/04/2023, 11:45
