
- IAEA safety standards
- Objective
- Structure
- Relationship to other standards
- 2. Management systems for I&C design
- 2.8. The management systems for development of I&C systems should comply with the recommendations of Safety Guides GS-G-3.1, Ref. [5] and GS-G-3.5, Ref. [6].
- Generic management system processes
- Configuration management
- 2.15. All I&C configuration items and their associated configuration documents should be designated, given a unique identification, and placed under configuration control.
- 2.31. Insights gained from probabilistic safety assessments (PSAs) should be considered in the design of I&C systems.
- Documentation
- 2.33. Before I&C systems are declared operable their documentation should be complete and should reflect the as-built configuration.
- 2.34. I&C documentation should:
- 2.36. I&C documents should be grouped according to their primary or secondary role in the design process.
- 2.38. Documentation for I&C systems and components should, as a minimum, cover the following topics:
- 3. Design bases
- Inputs to I&C design bases
- Identification of I&C functions
- 3.4. The required functions of the I&C systems should be determined as part of the nuclear power plant design process.
- Content of I&C design bases
- 3.7. The overall I&C system architecture and each I&C system should have a design basis.
- 3.9. The I&C systems required for the safety of the plant should be identified systematically.
- 3.10. I&C system design bases should specify the following:
- 3.12. In addition to the above, the design basis for the reactor protection system should specify the following:
- Variables and states that must be displayed so that the operators can confirm the operation of protective system functions;
- 4. Guidance for overall I&C system architectural design
- 4.3. The overall I&C architecture should:
- 4.4. The inputs to the overall I&C architecture design process should refer to the plant safety design basis documents, which should provide the following information:
- Defence in depth
- 4.28. When diverse I&C systems are provided to meet requirements for defence in depth, the diverse systems should not both be subject to the same errors in design or fabrication.
- 5. Safety classification of I&C functions, systems, and equipment
- 6. Life cycle activities
- Process implementation
- Verification that the effects of automatic control system failures will not exceed the acceptance criteria established for anticipated operational occurrences.
- 6.58. The I&C architecture should be designed to fully satisfy the system requirements, including system interfaces and non-functional requirements (e.g., performance and reliability).
- 6.109. The benefits of changes should be weighed against potential negative safety consequences and this assessment documented as part of the justification for the changes.
- Design for reliability
- Single failure criterion
- 7.10. Each safety group should perform all actions required to respond to a PIE in the presence of:
- 7.15. Non-compliance with the single failure criterion should be exceptional and clearly justified in the safety analysis.
- 7.19. I&C systems should be redundant to the degree needed to meet design basis reliability requirements.
- Independence
- 7.27. When isolation devices are used between systems of different safety importance, they should be a part of the system of higher importance.
- 7.29. The adequacy of design features provided to meet the independence recommendations should be justified.
- Physical separation
- 7.31. Items that are part of safety systems should be physically separated from items of lower safety classification.
- 7.32. Redundant items of safety systems should be physically separated from each other.
- Electrical isolation
- Diversity
- 7.49. The decision to use diversity or not to use diversity should be justified.
- 7.50. Where diversity is provided to cope with CCF, several types of diversity should be used.
- 7.51. Where diversity is provided, the choice of the types of diversity used should be justified.
- Failure modes
- 7.57. The failure modes of I&C components should be known and documented.
- 7.60. Failures of I&C components should be detectable by periodic testing or self-revealed by alarm or anomalous indication.
- 7.73. Analysis that is part of the evidence of equipment qualification should include a justification of the methods, theories and assumptions used.
- 7.75. Traceability should be established between each installed system and component important to safety and the applicable evidence of qualification.
- Suitability and correctness
- 7.81. The equipment qualification program should demonstrate that the as-built I&C systems and installed components correctly implement the qualified design.
- 7.90. Environmental qualification of safety components that must operate in harsh environments should include type testing.
- 7.102. Detailed EMC requirements should be determined for safety systems and components, and their compliance with the requirements demonstrated.
- 7.105. Equipment and systems, including associated cables, should be designed and installed to withstand the electromagnetic environment in which they are located.
- 7.109. Limits on radiated and conducted electromagnetic emissions should be established for all plant equipment.
- 7.112. The equipment qualification program should show that electromagnetic emissions of plant equipment are within the defined limits.
- 7.114. Instrumentation cables should have twisting and shielding sufficient to minimize electromagnetic and electrostatic interference.
- Design to cope with ageing
- 7.119. Ageing mechanisms that could significantly affect I&C components, and means for following the effects of these mechanisms, should be identified during design.
- 7.122. Maintenance programs should include activities to identify any trend towards degradation (ageing) that could result in the loss of operability of equipment.
- Control of access to systems important to safety
- 7.130. Access to equipment in I&C systems should be limited to prevent unauthorized access and to reduce the possibility of error.
- Testing and testability during operation
- Test provisions
- 7.150. Arrangements for testing should neither compromise the independence of safety systems nor introduce the potential for common cause failures.
- Test interfaces
- 7.153. Provisions for testing I&C systems and components should:
- 7.154. Where equipment to be tested is located in hazardous areas, facilities should be provided to allow testing from outside the hazardous area.
- 7.164. The test program should define processes for periodic tests and calibration of systems that:
- Individually test each sensor, to the extent practicable.
- 7.165. In addition to the recommendations of paragraph 7.164, the processes defined for periodic tests and calibration of safety systems should:
- Independently confirm the functional and performance requirements of each channel of sense, command, execute, and support functions;
- Include as much of the function under test as practical (including sensors and actuators) without jeopardizing continued normal plant operation;
- Maintainability
- 7.169. The design of I&C systems should include maintenance plans for all systems and components.
- Setpoints
- 7.185. Trip setpoints used to initiate safety actions should be selected to ensure that required mitigating actions occur before the monitored variable reaches the analytical limit.
- Operational identification of items important to safety
- 7.186. A consistent and coherent method of naming and identifying all I&C components should be determined and followed throughout the design, installation and operation phases of the plant.
- 7.190. I&C components in the plant should be marked with their identifying information.
- 8.4. To the extent practicable, the plant conditions of concern should be monitored by direct measurement rather than being inferred from indirect measurements.
- 8.17. Means should also be provided to manually initiate the mechanical safety systems and the individual components necessary to initiate and control performance of their safety functions.
- Digital computer systems and digital equipment
- 8.68. Specific skilled staff should be available during operation to allow controlled software and configuration data changes to be made when necessary to computer based systems.
- 8.91. Data received and data transmitted should be stored in separate, pre-determined memory locations.
- 8.154. Tools should be used to support all aspects of the I&C life cycle where benefits result through their use and where tools are available.
- 8.173. Confirmation of the suitability and correctness of industrial digital devices for their intended functions should produce evidence:
- V&V at each stage of development for the final product;
- 9.4. The I&C system should allow the operator in the control room to initiate or take manual control of each function necessary to control the plant and maintain safety.
- 9.21. Instrumentation performing the functions given in 9.20 items a, b, and c should be classified as safety systems.
- 9.32. The main control room, the supplementary control room, and the Emergency Control Centre should have at least two diverse communications links with:
- 9.42. The Human System Interface (HMI) design should retain positive features and avoid HFE issues and problems of previous designs.
- 9.57. Where HMI stations are distributed, plant staff should have means to access these different locations in a safe and timely manner.
- 10.4. Development of software for systems should follow a previously defined life cycle, be duly documented and include thorough verification and validation. (See Chapter 6.)
- 10.49. Coding rules should be prescribed and adherence verified.
- 10.72. Verification should include the following techniques:
- Software tools
- Glossary
- Annex I Defence in depth in I&C systems
- Annex II Traceability to previous I&C safety guides
- Annex III Bibliography of supporting international standards
6.58. The I&c architecture should be designed to fully satisfy the system requirements, including system interfaces and non-functional requirements (e.G., performance and reliability).
6.59. The design should be analyzed to ensure that requirements not essential for the functions important to safety do not impact these functions (see paragraph 6.41).
6.60. Design of the overall I&C architecture is covered by the discussion of system architecture in Chapter 4.
6.61. The HMI design of an I&C system should be justified by analyses with considerations for:
Defining information needs (including considerations for defining a subset of indications and controls required to address accident and post accident conditions);
Defining control needs and allocation;
Including human error in safety analysis (i.e. Human Reliability Analysis);
Defining user roles and responsibilities and other staffing requirements; and
Task processes, time constraints, and the flow of staff and information, as established through analysis (i.e. task analysis).
6.62. The considerations in paragraph 6.61 are normally activities of the Human Factors Engineering life cycle. The outputs of these activities are inputs to the I&C life cycles as illustrated in Figure 2.
I&C system integration plan
6.63. A documented traceability analysis should demonstrate that the system integration plan is complete with respect to the system design specification.
6.64. In particular, the traceability analysis should document that system integration activities cover: the full ranges of inputs and outputs (including out-of-range values for interface signals), exceptions handling, timing related requirements, and robustness tests to demonstrate that the system responds safely to all possible interface and load conditions.
6.65. The system integration plan should be verified to check that all integration interfaces (such as hardware–software or software module to module) will be challenged.
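The traceability analysis of paragraphs 6.63 to 6.65 can be made mechanical: list every interface signal of the design specification, list every integration test case with the kind of challenge it applies, and report each signal that is not challenged in every required way, together with test cases that trace to nothing in the specification. The following is an added example, not text or code from the IAEA guide; the signal names, ranges, deadlines, test identifiers and the set of required test kinds are constructed for illustration.

```python
"""Traceability analysis of a system integration plan against the system
design specification (paragraphs 6.63 to 6.65). Added example, not part of
the IAEA guide; the specification, the plan and all names are constructed."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class InterfaceSignal:
    """One external or module-to-module interface signal from the design spec."""
    name: str
    low: float            # lower end of the specified range
    high: float           # upper end of the specified range
    deadline_ms: int      # required response time for this signal


@dataclass(frozen=True)
class TestCase:
    ident: str
    signal: str           # signal the case stimulates
    kind: str             # one of REQUIRED_KINDS


# Every interface must be challenged in each of these ways (para 6.64):
# nominal range, out-of-range values, exception handling, timing, and load.
REQUIRED_KINDS = ("nominal", "out_of_range", "exception", "timing", "load")


def traceability_gaps(spec: List[InterfaceSignal],
                      plan: List[TestCase]) -> Dict[str, List[str]]:
    """Return, for each specified signal, the kinds of integration test the
    plan does not provide. An empty dict means the plan is complete with
    respect to the specification. Test cases naming a signal that is not in
    the specification are listed under the key '<unspecified>'."""
    covered: Dict[str, set] = {s.name: set() for s in spec}
    orphans: List[str] = []
    for tc in plan:
        if tc.signal in covered:
            covered[tc.signal].add(tc.kind)
        else:
            orphans.append(tc.ident)
    gaps = {name: [k for k in REQUIRED_KINDS if k not in kinds]
            for name, kinds in covered.items()
            if any(k not in kinds for k in REQUIRED_KINDS)}
    if orphans:
        gaps["<unspecified>"] = orphans
    return gaps


def out_of_range_stimuli(sig: InterfaceSignal) -> List[float]:
    """Stimulus values an out_of_range case should inject for a signal:
    just outside each end of the range, far outside it, and the non-numeric
    values a failed transmitter or a corrupted frame can produce."""
    span = sig.high - sig.low
    return [sig.low - 0.01 * span, sig.high + 0.01 * span,
            sig.low - 10 * span, sig.high + 10 * span,
            float("nan"), float("inf"), float("-inf")]


# Constructed design specification: two protection-system inputs.
SPEC = [
    InterfaceSignal("PZR_PRESSURE_kPa", 0.0, 20000.0, deadline_ms=100),
    InterfaceSignal("SG_LEVEL_pct", 0.0, 100.0, deadline_ms=200),
]

# Constructed integration plan: pressure is fully challenged, level is not,
# and one case traces to a signal the specification does not define.
PLAN = [
    TestCase("IT-01", "PZR_PRESSURE_kPa", "nominal"),
    TestCase("IT-02", "PZR_PRESSURE_kPa", "out_of_range"),
    TestCase("IT-03", "PZR_PRESSURE_kPa", "exception"),
    TestCase("IT-04", "PZR_PRESSURE_kPa", "timing"),
    TestCase("IT-05", "PZR_PRESSURE_kPa", "load"),
    TestCase("IT-06", "SG_LEVEL_pct", "nominal"),
    TestCase("IT-07", "SG_LEVEL_pct", "timing"),
    TestCase("IT-08", "RCP_SPEED_rpm", "nominal"),
]

if __name__ == "__main__":
    for signal, missing in traceability_gaps(SPEC, PLAN).items():
        print(f"{signal}: missing {missing}")
    print(out_of_range_stimuli(SPEC[1]))
```

Run on the constructed plan, the analysis reports that SG_LEVEL_pct lacks out-of-range, exception and load cases and that IT-08 traces to nothing in the specification; both findings are the kind of gap paragraph 6.64 asks the documented analysis to expose before integration testing starts.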
Detailed system design and implementation
6.66. Requirements should be met by the detailed system design.
System integration
6.67. System integration should check and document that the interface requirements between the various components of the system are satisfied, and that the components and subsystems operate as designed in the integrated system to enable the system to meet its specified requirements.
6.68. This is essentially a clear-box process (i.e., undertaken with an understanding of the structure and behaviour of the system and components).
6.69. Integration testing should be performed according to the provisions of a system integration plan.
6.70. Only the current version of verified modules (hardware and software) should be submitted to system integration.
6.71. It is advisable to use software tools to control the issue of modules for assembly into system components, and to control the build used for validation and for on-site use in operation, so that traceability can be established between installed components and validated components.
6.72. For safety systems, the team designing and undertaking the system integration tests should be independent of the designers and developers.
6.73. Technical communication between the test team and the designers should be recorded.
6.74. All changes to approved test procedures should be recorded and subjected to re-approval.
System validation
6.75. Validation should demonstrate and document that the I&C system complies with its functional and non-functional requirements.
6.76. This is essentially a black-box process (i.e., undertaken solely on the basis of the system’s external behaviour).
6.77. Validation testing should be performed according to the provisions of a system validation plan.
6.78. Test documentation should be sufficient to enable the testing process to be repeated with confidence of achieving the same results.
6.79. The system operation and maintenance manuals should be validated, as far as possible, in this phase.
6.80. The system subjected to validation testing should be fully representative of the final configuration of the I&C system at the site, and its software should be identical to the software that will be installed.
6.81. The team designing the system validation tests should be independent of the designers and developers.
6.82. Technical communication between the test team and the designers should be recorded.
6.83. All changes to approved test procedures should be recorded and subjected to re-approval.
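Paragraphs 6.70 and 6.71 (issue only current verified module versions; tool-controlled builds with traceability to installed components) and paragraph 6.80 (the validated software is identical to the installed software) are served by one mechanism: a manifest that records the version and content hash of every module in the validated build, and a check that the site installation matches it. The following is an added example, not text or code from the IAEA guide; the module register, module names, version strings, build identifier and module contents are constructed.

```python
"""Issue control of verified modules and traceability between the validated
build and the installed software (paragraphs 6.70, 6.71 and 6.80). Added
example, not part of the IAEA guide; the register, names, versions, build
identifier and module contents are constructed."""
import hashlib
import json
from typing import Dict, List, Tuple

# Module register kept by the configuration management tool: verified
# versions in order of issue, the last entry being the current one (constructed).
VERIFIED: Dict[str, Tuple[str, ...]] = {
    "rps_logic": ("1.2", "1.3"),
    "io_driver": ("2.0",),
}


def issue_for_integration(requested: Dict[str, str]) -> List[str]:
    """Para 6.70: only the current verified version of a module may be issued
    to system integration. Returns the reasons for refusal; an empty list
    means every requested version may be issued."""
    problems = []
    for name, version in requested.items():
        history = VERIFIED.get(name)
        if history is None:
            problems.append(f"{name}: no verified version on record")
        elif version != history[-1]:
            problems.append(f"{name} {version}: not the current verified version ({history[-1]})")
    return problems


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(modules: Dict[str, Tuple[str, bytes]], build_id: str) -> dict:
    """Para 6.71: record the version and content hash of every module
    assembled into the build that is submitted to validation."""
    return {
        "build_id": build_id,
        "modules": {name: {"version": version, "sha256": sha256_hex(blob)}
                    for name, (version, blob) in modules.items()},
    }


def manifest_digest(manifest: dict) -> str:
    """Digest of the canonical manifest. This is the value that is signed and
    placed under configuration control, so that the manifest itself cannot
    be swapped along with the modules it describes."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return sha256_hex(canonical.encode())


def check_installation(manifest: dict, installed: Dict[str, bytes]) -> List[str]:
    """Para 6.80: the installed software must be identical to the validated
    build. Returns findings; an empty list means every module matches and
    nothing is missing or extra."""
    findings = []
    expected = manifest["modules"]
    for name, record in expected.items():
        if name not in installed:
            findings.append(f"{name}: missing from installation")
        elif sha256_hex(installed[name]) != record["sha256"]:
            findings.append(f"{name}: content differs from validated build {manifest['build_id']}")
    for name in installed:
        if name not in expected:
            findings.append(f"{name}: not part of validated build")
    return findings


# Constructed module contents standing in for compiled binaries.
MODULES: Dict[str, Tuple[str, bytes]] = {
    "rps_logic": ("1.3", b"trip when pressurizer pressure > 16500 kPa\n"),
    "io_driver": ("2.0", b"sample analogue channels 0-7 every 10 ms\n"),
}
INSTALLED_OK = {name: blob for name, (_, blob) in MODULES.items()}
# A site installation whose trip logic differs from what was validated.
INSTALLED_BAD = dict(INSTALLED_OK, rps_logic=b"trip when pressurizer pressure > 17000 kPa\n")

if __name__ == "__main__":
    print(issue_for_integration({"rps_logic": "1.2", "io_driver": "2.0"}))
    manifest = build_manifest(MODULES, "RPS-B3-2024-07")
    print(manifest_digest(manifest))
    print(check_installation(manifest, INSTALLED_OK))
    print(check_installation(manifest, INSTALLED_BAD))
```

The hash comparison detects any module that was rebuilt, patched or replaced between validation and installation, but only if the manifest used for the comparison is the one produced at validation; keeping the manifest digest in the signed configuration record is what closes that gap.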
Installation and commissioning
6.84. The I&C system should be installed in the plant in accordance with the approved design.
6.85. Commissioning should be performed in accordance with the guidance of IAEA NS-G-2.9, Ref. [22].
6.86. The following paragraphs discuss considerations in implementing the guidance of NS-G-2.9, Ref. [22] for I&C systems.
6.87. Commissioning should progressively integrate the I&C system with the other components and other plant items, and verify that they are in accordance with design assumptions and that they meet the performance criteria.
6.88. Testing within the plant environment is an important part of the commissioning.
6.89. In particular, modes of operation and interaction between the I&C system and the plant which could not be readily tested at the validation stage should be tested then.
6.90. Equipment receipt inspection, pre-commissioning, or commissioning tests should verify that the system has not suffered damage during transportation.
6.91. Commissioning should give particular attention to verification of external system interfaces and to the confirmation of correct performance with the interfacing equipment.
6.92. During the commissioning period software-based I&C systems should be operated for an extended time under operation, testing and maintenance conditions that are as representative of the in-service conditions as possible.
6.93. The validation of operation and maintenance manuals should be completed in this phase.
6.94. The team designing the commissioning tests should be independent of the designers of the I&C system and those who specified the I&C system functions and performance.
Operation
6.95. Maintenance and surveillance of I&C systems should be performed in accordance with the guidance of IAEA NS-G-2.6, Ref. [20].
6.96. NS-G-2.6, Ref. [20] provides guidance on planning, organizational aspects, and implementation of maintenance and surveillance, including calibration, of I&C systems.
6.97. The following paragraphs discuss considerations in implementing the guidance of NS-G-2.6, Ref. [20] for I&C systems.
6.98. Modification of parameters that might require variation during the operation of the plant (such as trip settings and calibration constants) should be undertaken using facilities that have been shown to be fit for the purpose.
6.99. Human performance monitoring of the operation and maintenance of the I&C system should be performed to document operating experience that may identify modifications to be considered for implementation.
Modifications
6.100. Upgrade and modification of I&C systems should be performed in accordance with the guidance of IAEA NS-G-2.3, Ref. [18].
6.101. NS-G-2.3, Ref. [18] provides guidance on planning, organizational aspects, implementation, training, and documentation of plant modifications.
6.102. Development of the modification or upgrade of I&C systems should follow a defined life cycle.
6.103. The complexity of the life cycle process needed for modifications is related to the complexity and safety significance of the modification.
6.104. The life cycle for even the simplest changes should include at least the phases of the individual system life cycle shown in Figure 2.
6.105. For a simple change, many of these elements will be simple. Normally, such life cycles are defined in plant modification procedures. For modifications that involve changes to overall I&C system architecture or interactions between individual systems it will be necessary to also implement elements of the overall I&C system life cycle.
6.106. When an I&C system is modified or is part of an upgrade, the level of rigour applied in justifying and executing the change should be established based upon its role and function in ensuring the safety of the nuclear power plant, in association with the existing systems and any of them that will remain in operation after the work. This also applies to changes to software tools.
6.107. Change control procedures should be in place, including appropriate procedures and organizational structures for the review and approval of the safety aspects of the modification.
6.108. The design of I&C upgrades and modifications should consider:
The limitations due to the physical characteristics of the installed plant, which effectively restrict the design options for I&C systems;
The possible need to maintain consistency between the design of replacement equipment and existing I&C equipment to, for example, reduce the complexity of the overall operator interface and maintenance tasks of the plant; and
Practical considerations with respect to the equipment or technology commercially available when required by the project programme, and the prospects for securing support of such equipment and technology by manufacturers or third parties for the installed life of the equipment.