new regulatory documents with requirements for...

1

UDC 621.039.586

Yu. V. Rozen, M. O. Yastrebenetsky State Scientific and Technical Center for Nuclear and Radiation Safety, Kyiv, Ukraine

New Regulatory Documents with Requirements for Instrumentation and Control Systems Important to NPP Safety

The paper presents information on the new draft regulatory documents developed by SSTC NRS (regulation of the State Nuclear Regulatory Inspectorate of Ukraine and branch standard of the Ministry for Energy and Coal Industry of Ukraine) to replace NP 306.5.02/3.035 “Requirements for Nuclear and Radiation Safety of Instrumentation and Control Systems Important to NPP Safety”.

Keywords: NPP, safety, instrumentation and control systems, seismic resistance category, safety class, regulatory framework, regulation, branch standard, safety function.

Modernization of the existing instrumentation and control systems (I&C systems) is

currently underway at all nuclear power plants of Ukraine in the framework of safety

improvement programs and programs for lifetime extension of operating power units.

Modernization of operating I&C systems and development of new ones involve the use of

modern information technologies, new electronic components, local networks, fiber-optic

data transmission lines, computer-aided diagnostics, display and archiving tools.

Regulation NP 306.5.02/3.035 [1] is used for the development and assessment of all

new and upgraded I&C systems. However, after the issue of this Regulation in 2000, the

following new regulations were introduced in Ukraine: NP 306.2.141 NP [2], NP 306.2.145

[3], NP 306.2.106 [4], etc., as well as new standards of the International Atomic Energy

Agency (IAEA), International Electrotechnical Commission (IEC), International

Organization for Standardization (ISO) and European Committee for Electrotechnical

Standardization (CENELEC). They significantly tightened the requirements for

instrumentation and control systems and their components with regard to safety

classification, electromagnetic compatibility, seismic resistance, equipment certification,

software verification, etc.

2

Some international standards were implemented in Ukraine by issuing relevant state

standards that are identical to international standards (DSTU IEC, DSTU ISO, etc.). The

requirements for I&C and their components are also established in a series of interstate

standards (GOST) and/or in identical state standards of Ukraine (DSTU). However, these

requirements are currently out of date in many respects and contradict not only new

Ukrainian regulations and international standards but also each other.

This necessitated the revision and improvement of the current regulatory framework

taking into account results of the design (modernization, upgrading) and operation of I&C

systems and their components at Ukrainian NPPs, peculiarities of modern information

technologies and world experience accumulated in national and international safety

standards for NPPs.

In compliance with the plan of applied research and development in the field of

nuclear regulation for 2008, approved by SNRIU Chairperson, SSTC NRS revised

NP 306.5.02/3.035 [1], taking into account experience in its application, IAEA

recommendations and proposals of interested Ukrainian organizations and enterprises, and

submitted the draft of new Regulation in March 2010. In considering the proposed draft, the

SNRIU decided that it was necessary to differentiate regulatory requirements (which should

be included in SNRIU regulations) and technical requirements (which should be the subject

of regulation in corresponding branch standards) in the development of the national

regulatory and legal framework of Ukraine in the field of nuclear and radiation safety. It

was meant that such differentiation should contribute to the improvement of regulations and

standards on nuclear and radiation safety and to the adaptation of the national legal

framework to EU legislation. Accordingly, the State Nuclear Regulatory Inspectorate of

Ukraine and the Ministry for Energy and Coal Industry of Ukraine decided, preserving the

total scope and structure of the proposed draft, to differentiate all the requirements for this

draft in the following two regulations:

Regulation “Nuclear and Radiation Safety Requirements for Instrumentation and

Control Systems Important to NPP Safety” (hereinafter - Regulation);

Branch Standard “Instrumentation and Control Systems Important to NPP Safety.

General Technical Requirements” (hereinafter – Branch Standard) requested by the

National Nuclear Utility Energoatom.

3

It was envisaged that the same approach to the differentiation of regulatory

requirements for nuclear and radiation safety and technical requirements ensuring

compliance of supplied products and/or performed work with these regulatory requirements

should be used in the development of other SNRIU regulations and corresponding standards

of lower level.

Development Objectives

The objective of the Regulation is to establish regulatory requirements for design,

manufacture, testing and commissioning of I&C systems and their components: digital I&C

and their independently operating components; independently operating automation

hardware included to I&C and/or digital I&C structure; software, as an integral part of I&C,

digital I&C, and perhaps automation hardware. The compliance with these regulatory

requirements is considered an obligatory condition to ensure the functional safety1 of I&C,

digital I&C, automation hardware and software.

The objective of the Branch Standard is to establish technical requirements to

ensure, at all stages of the I&C life cycle, compliance of safety-important I&C systems and

their components with regulatory requirements set forth in the Regulation.

The documents under development will be used by experts of Energoatom, other

organizations and enterprises, State Nuclear Regulatory Inspectorate of Ukraine and expert

organizations dealing with:

design of new I&C systems and modernization (modification, refurbishment) of

operating safety-important I&C systems at Ukrainian NPPs;

development, manufacture, testing and supply of components (digital I&C,

automation hardware and software) to complete such systems;

installation, adjustment, integration, preliminarily tests of new and upgraded safety-

important I&C systems;

operation (proper use, scheduled maintenance, periodic tests, serviceability

maintenance) and subsequent modernization of I&C systems and/or their components;

safety assessment of I&C systems and their components at all stages of the life cycle. 1 Functional safety is the capability to perform properly all the required safety important functions and to

comply the relevant characteristics under all design-basis operating conditions, operational occurrences and

design-basis accidents. As far as I&C, digital I&C, automation hardware and software are concerned,

functional safety is meant.

4

Development and Agreement of Regulations

The requirements of (Fig. 1):

Standards and rules on nuclear and radiation safety of NPPs in force in Ukraine

[2-9];

International standards on NPP safety [10-23] and similar Ukrainian standards

[24-29];

International industrial standards [30-44] and similar Ukrainian standards [45-57]

that apply to domestic I&C systems and/or their components

were taken into account in the development of the Regulation and Branch Standard.

Both documents were developed by SSTC NRS2, the final drafts of the Regulation

and Branch Standard were submitted to the organizations concerned in 2012.

The first and final drafts of the Regulation and Branch Standard were submitted for

comments to Energoatom and its NPPs, Kharkov and Kyiv Design & Research Institutes

Energoproject, Westron Ltd., Research and Production Corporation Radiy, Severodonetsk

Research and Production Association Impulse, Kharkov Machine-Tool Building Plant and

Kharkov Research Institute of Complex Automation. All organization provided their

comments and proposals on each draft and noted that introduction of the developed

documents would be a timely and necessary step. They pointed out the high scientific and

technical level of development and adequate harmonization with international standards.

The comments and proposals were related to the terminology, classification,

accuracy requirements, immunity to electromagnetic interference and development & test

procedure. All comments and proposals were finalized as summaries of comments and were

considered by the developers of the Regulation and Branch Standard drafts.

2 Besides the authors of this paper, employees of SSTC NRS Kharkiv Subsidiary (O. Butova, S.

Vinogradskaya, V.Gol’drin, A. Klevtsov and S. Trubchaninov), Kirovograd Research and Production

Corporation Radiy (V. Sklyar and А. Yurtsevich), SSTC NRS (V. Kritskii), Severodonetsk Research and

Production Association Impulse (G. Pivovarov), Energoatom (Yu. Gasheva), experts of Ukrainian NPPs,

Design Institutes and other organizations and enterprises that reviewed the drafts and made practical

proposals and recommendations, took part in the development of the Regulation and Branch Standard.

5

General assessments that do not require changes in the text, as well as comments and

proposals that are considered reasonable but cannot be incorporated completely or partially

because this requires a special decision or approval by State Nuclear Regulatory

Inspectorate of Ukraine and/or Energoatom, were considered.

The comments and proposals that indicate mistakes in the text, improve the

statement of specific requirements, set new and clarify current requirements, taking into

account actual conditions and/or experience and do not contradict current regulations and

standards on nuclear and radiation safety and international standards, were accepted.

The comments and proposals that contain reasonable statements that, however,

cannot be taken into account completely or should be reworded were taken into account.

The mistaken or groundless comments or proposals that have no significant

differences with the draft Regulation (Branch Standard), do not belong to the subject of

regulation, do not comply with current Ukrainian regulations standards, do not take into

account or contradict requirements of international standards were rejected.

Each comment (proposal) included in the summary of comments was provided with

a conclusion of the developers and appropriate justification or explanation. The rejected

comments and proposals were included in statements of disagreement along with

explanations. All accepted comments and proposals were incorporated in the final drafts of

Regulation and Branch Standard.

The final drafts of Regulation and Branch Standard were reviewed and agreed by

Energoatom and all NPPs of Ukraine. The final draft of Regulation was agreed upon with

the SNRIU Legal Department and Ministry for Energy and Coal Industry of Ukraine, and is

to be submitted to the Ministry of Justice of Ukraine for registration.

It was proposed to implement the Regulation and Branch Standard simultaneously,

and then NP 306.5.02/3.035 [1] should be canceled. It would be reasonable to revise and, if

necessary, cancel a number of interstate standards on I&C and their components in force in

Ukraine (Table 1).

6

*STATE STANDARD OF UKRAINE IDENTICAL TO THIS INTERNATIONAL STANDARD WAS DEVELOPED

Figure 1. Regulations and Standards with Requirements for Functional Safety of I&C

Systems and Their Components

UKRAINIAN REGULATIONS AND STANDARDS APPLICABLE TO I&C SYSTEMS IMPORTANT

TO NPP SAFETY

REQUIREMENTS FOR

NUCLEAR AND RADIATION SAFETY FOR I&C SYSTEMS

IMPORTANT TO NPP SAFETY

IEC STANDARDS APPLICABLE TO I&C SYSTEMS AND THEIR

COMPONENTS

I&C IMPORTANT TO NPP SAFETY. GENERAL TECHNICAL

REQUIREMENTS UKRAINIAN STANDARDS

IDENTICAL TO INTERNATIONAL

STANDARDS

GENERAL PROVISIONS

BASIC TERMS, DEFINITIONS AND ABBREVIATIONS

CLASSIFICATION

FUNCTIONAL REQUIREMENTS

REQUIREMENTS FOR RELIABILITY OF FUNCTION PERFORMANCE

REQUIREMENTS FOR STABILITY OF FUNCTION PERFORMANCE

REQUIREMENTS FOR

PERFORMANCE QUALITY

REQUIREMENTS FOR INDEPENDENCE OF PERFORMED

FUNCTIONS

REQUIREMENTS FOR SOFTWARE

REQUIREMENTS FOR DATAWARE

REQUIREMENTS FOR DEVELOPMENT

ASSESSMENT AND CONFIRMATION OF COMPLIANCE

REQUIREMENTS FOR OPERATION

7

Table 1. Standards to be revised

Standard Number Title Assessment

GOST 23765-79 NPP Radiation Safety Monitoring Instrumentation. General Technical Requirements for Data Transfer Channel

To be revised taking into account new national and international regulations and standards

GOST 24789-81

Instrumentation Channels of In-core Instrumentation System of Pressurized Water Reactors. General Technical Requirements


GOST 25804.1-83 GOST 25804.2-83 GOST 25804.3-83 GOST 25804.5-83 GOST 25804.6-83 GOST 25804.7-83

Equipment and Instrumentation for NPP Process Control Systems

Does not comply with requirements of new national and international regulations and standards. Should be cancelled in Ukraine

GOST 25804.4-83 GOST 25804.8-83


GOST 26344.0-84 Nuclear Instrumentation for Nuclear Power Plants. Basic Provisions

Does not comply with requirements of new national and international regulations and standards. Should be cancelled in Ukraine

GOST 26635-85 Pressurized Water Reactors.General Requirements for In-core Instrumentation System


GOST 26843-86 Рower Reactors.General Requirements for Control and Protection System


GOST 27445-87 Neutron Flux Monitoring System for Power Reactor Control and Protection. General Technical Requirements


GOST 27452-87 NPP Radiation Safety Monitoring Instrumentation. General Technical Requirements


GOST 29075-91 DSTU GOST 29075

Nuclear Instrumentation for Nuclear Power Plants. General Requirements


Description of Documents

The Regulation includes the following sections3.

General Provisions. This section determines the regulatory framework and

development sources as well as commitment to comply with the regulatory requirements set 3 The Branch Standard has the same structure and its volume is 2.5 times greater than that of the Regulation

(more than 9 printed pages in the Ukrainian version) because of detailed description of each section.

8

forth in the Regulation. In particular, it indicates that new and modernized I&C systems and

their components shall comply with these requirements if there is no SNRIU authorization

to proceed with their installation as of the date this Regulation is implemented. The

Operator (Energoatom), after agreement with the State Nuclear Regulatory Inspectorate of

Ukraine, shall specify the necessity, scope and timeframe for brining I&C systems and/or

their components that have been authorized for installation or are already operated at NPPs

into compliance with the Regulation.

Basic Terms, Definitions and Abbreviations. About 60 main notions that

complement the terms introduced by the regulations and standards [2-9] or make more

specific the available definitions with regard to I&C systems and their components were

defined. In particular, the following terms were defied: verification; basic, complementary,

preset and required function; alarm, emergency and process protection; function category;

system (component) configuration and configuration control; normal operation and limiting

conditions of operation; resistance to external hazards; and independently operating device

were defined. In addition, about 40 terms were defined in the Branch Standard.

Classification. Automatic control functions for processes and equipment are

classified by categories, while I&C and their components are categorized by purpose and

safety class.

Categorization of functions (Category А, В and С) takes into account the

contribution of these functions to safety and to potential consequences caused by failure to

perform the function or by incorrect performance, as recommended in International

Standard IEC 61226 [20] accepted in most European countries.

Category А is set for the functions:

that ensure emergency protection (reactor scram and core subcritical state),

emergency heat removal, prevention (limitation) of radioactive releases beyond the design

limits;

that support operating personnel actions on prevention of emergencies or accidents;

whose failure can cause an emergency or accident if these consequences cannot be

mitigated by any other Category A function;

that detect and/or limit the consequences of hazards (for example, earthquake or fire)

that can cause an emergency or accident.

9

Category B is set for the functions (if do not relate to Category А):

that prevent initiating events that may lead to operational events or detect such

events or limit their negative consequences;

that support operating personnel actions on prevention of operational events or

limitation of their negative consequences;

whose failures under normal operation require initiation of Category A functions to

prevent an emergency or accident;

that keep the main process parameters within set (permissible) limits provided that

failures of these functions necessitate the initiation of Category A functions to prevent an

emergency or accident;

that are intended for automated control of the technical state of systems and

components involved in the performance of Category A functions, for continuous

demonstration of the preparedness of systems and components to perform such functions

and/or for detection of system and component failures and for warning personnel on the

failures.

Category C is set for other safety-important functions. Functions that do not affect

safety are not classified.

I&C classification (Fig. 2) envisages I&C subdivision into:

I&C-U (I&C systems that perform safety functions);

I&C-N (I&C systems that perform normal operation functions);

I&S-NU (I&C systems that combine the above functions).

I&C-U, I&C-NU and those I&C-N whose failures cause operational events or hinder

their mitigation and thus can lead to an emergency are safety-important systems.

Each safety important I&C system should relate to one of the three safety classes,

whose indication combines a number and a letter (as per NP 306.2-141 [2]) specifying the

highest category of the main functions performed by I&C. In this connection, I&C systems

relate to the following safety classes:

2(А), if at least one of the functions performed by I&C relates to Category A;

3(В), if I&C is not involved in performance of Category A functions and at least

one of its functions relates to Category В;

10

3(С), if I&C is not involved in performance of Category A and/or В functions and

at least one of its functions relates to Category С;

4, if none of the functions performed by I&C is classified with by categories (this

I&C is not safety-related).

The safety classes of digital I&C, automation hardware and their components are

established in the same way by highest category of the functions performed.

Functional Requirements. This section governs functions of control safety systems

and normal operation systems, including radiation monitoring systems, in-core

instrumentation systems, post-accident monitoring systems, data transfer systems, and also

functions of the main control room and emergency control room systems and equipment.

General requirements are formulated for the power unit automated process control

system, in compliance with NP 306.2.141 [2], which includes I&C systems that interact

with protection, confining and support safety systems, normal operation systems, process

equipment and operating personnel (Fig. 2).

If one I&C system (digital I&C and automation hardware) combines normal

operation and safety functions, the latter functions should be the priority; failure of any

normal operation function should not affect the performance of safety functions by the

system (component). If one I&C system (digital I&C and automation hardware) combines

functions that relate to different categories, it should not cause incompliance with

requirements that relate to functions of higher category, and any function failure should not

affect the performance and characteristics of higher-category functions performed by this

system (component).

Functions of control safety systems are established for I&C-U and I&C-NU, which

together with protection, confining and support safety systems and/or components should

perform emergency protection functions, emergency heat removal and core and spent fuel

pool decay heat removal, prevention or limitation of radioactive releases in case of

accidents.

Control safety systems should perform their functions in cases when normal

operation systems are not capable to keep process parameters within set operational limits

(for example, as a result of failure) and quick and reliable response to failure to comply with

design limits or safe operation conditions is required.

11

Figure 2. I&C classification by Purpose and Nature of Functions and Safety Impact

Safety Important Systems

I&C-U

Safe

ty S

yste

ms

Nor

mal

Ope

ratio

n Sy

stem

s

Protection

Support

Confining

I&C-NU

Instrumentation

I&C-N

Control

Normal Operation Process Systems

Non-Safety-Related Systems

Instrumentation

I&C-N

Control

Normal Operation Process Systems

I&C Systems Process Systems

12

After I&C-U (I&C-NU) actuation:

personnel intervention should not be required;

all signals should be held on system outputs until complete performance of all

initiated actions;

potential deactivation of signals should be blocked automatically for the time agreed

with SNRIU but not less than for 10 min.

I&C-U (I&C-NU) and their components should remain capable of performing all

functions necessary for safety assurance at any events that may occur under normal

operation, anticipated operational occurrences, emergencies and design-basis accidents.

Failures of components should be automatically detected with subsequent initiation of

actions necessary for safety assurance.

Functions of normal operation systems are established for I&C-N and I&C-NU,

which together with process equipment and operating personnel should automatically

control the electricity production process and prevent operational events:

keep power unit parameters within set limits in case of internal and external hazards

that may occur in each operating state;

receive and generate remote control signals, display the results, support all other

actions of operating personnel in power increase and decrease, reactor scheduled shutdown,

cooldown and refueling;

provide relevant data to personnel monitoring the processes, performance of normal

operation systems and process equipment, physical barriers to the spread of ionizing

radiation and radioactive releases.

In case of an operational event, I&C-N and I&C-NU should perform functions

preventing emergencies:

detect deviations from operating limits and/or normal operation conditions and

initiate actions to eliminate them;

detect hazards (earthquake, fire, radioactive release) and perform automatic actions

to mitigate their consequences (personnel warning, interlocking of mechanisms, fire

suppression control, etc.).

This section also establishes requirements for functions of I&C-N that deal with:

13

automatic control of core neutronic and thermal hydraulic parameters, calculation of

neutron flux and power density field distribution, generation of signals in case of deviation

of core and heat exchanger state indicators from the design values;

automated radiation monitoring inside NPP premises and within NPP territory, in the

controlled and observation areas under all operating states, during and after accidents and in

decommissioning;

generation, output and/or reception and decoding of digital signals transmitted by

electrical and optic fiber cables;

support of personnel in analyzing the causes and sequence of design-basis and

beyond design-basis accidents, in accident management and mitigation of consequences.

Requirements for Reliability of Functions. This section envisages prevention of

and protection from the common-cause failures; compliance with the single failure,

redundancy and diversity principles; prevention of human errors; protection from

unauthorized access; testing.

Common-cause failures are defined as loss of the possibility to perform the required

function as a result of simultaneous failure of two or more redundant parts caused by one

and the same event that may result from a design drawback, fabrication defect, human error

in operation or maintenance, external hazards and dependent failures of I&C (digital I&C)

redundant parts.

To prevent common-cause failures, the Regulation and Branch Standard

requirements that relate to the development (design), assessment and confirmation of

compliance, testing and maintenance should be met. To ensure protection against common-

cause failures, the requirements for compliance with the principles of diversity,

independence, prevention of human errors and resistance (immunity) to external hazards

should be met. These requirements are obligatory for I&C and digital I&C that relate to

safety class 2(А) and recommended for I&C and digital I&C that relate to safety class 3(В)

and 3(С).

Single failure principle envisages that I&C (digital I&C) should perform all required

Category A functions at any initiating event combined with a failure of one (any)

component dependent failures of other components and combined with failures caused by

latent malfunctions and/or possible effect of the initiating event. The principle should be

14

also observed during maintenance and testing of I&C (digital I&C) that perform Category A

functions at operating power units4.

For I&C and digital I&C that relate to safety class 2(А) and 3(В), it is recommended

to observe the single failure principle in relation to Category B functions (it is allowed not

to take into account potential latent malfunctions).

Redundancy principle should be observed for I&C and digital I&C that relate to

safety class 2(А) by using auxiliary features that are redundant to minimally required ones

to perform the Category A functions. For I&C and digital I&C that relate to safety class

2(А) and 3(В), it is recommended to observe the redundancy principle also in relation to the

required Category B functions, and if these functions relate to the control and protection

system, then redundancy is obligatory. The requirements of NP 306.2.145 [3] should be

taken into account for redundancy of the emergency protection system and neutron flux

monitoring system.

Diversity principle is formulated for a group consisting of two or more systems

(I&C, digital I&C) that simultaneously and with inter-redundancy perform safety functions

identical in terms of the objective to be achieved if they, to a certain extent, physically differ

from one another and/or if they differently achieve the required objective. The difference

between the systems determines the type of diversity (design, functional, signal, hardware,

software, subject or any their combination). The diversity allows decreasing the probability

of common-cause failure of several redundant systems.

It is recommended to reasonably observe the diversity principle in the design of

I&C-B that participate in the performance of safety functions and/or in the development of

digital I&C components for such systems. To determine the need for or expediency of

diversity and select an appropriate type (types) of diversity, potential failure causes, their

probability and consequences are analyzed.

Compliance with the diversity principle is obligatory for I&C (digital I&C) that

participate in the emergency protection function and is to be agreed between the I&C

(digital I&C) designer and operator or customer (user) for I&C (digital I&C) involved in the

4 Upon agreement with the State Nuclear Regulatory Inspectorate of Ukraine, the single failure principle may be not observed within a limited period of time required for maintenance, testing or recovery of I&C systems (digital I&C) and/or their redundant parts provided that the probability of the single failure principle for this time does not exceed the minimum allowed value set for Category A functions performed by I&C systems.

15

performance of other safety functions.

Prevention of human errors in power unit control, inspections, maintenance,

reconfiguration and accident management should be ensured by providing personnel with

complete, timely and reliable data on the process parameters, state and performance of I&C

systems and their components, process systems and equipment and on physical barriers to

the spread of ionizing radiation and radioactive releases.

Data on the removal of I&C components that perform Category A and B functions

from service for maintenance, inspections or recovery and subsequent connection should be

transmitted to operating personnel prior and after completion of these actions. Human errors

should also be prevented by ensuring compliance with the requirements established in the

Regulation and the Branch Standard for testing, man-machine interface, software and

operation.

Protection against unauthorized access to the automation hardware, independently

operating components, software, databases and archives for digital I&C should prevent the

possibility of intentional or unintentional removal from service, change of conditions or

output signal and command generation algorithm, change of programs and archive data, and

damage or theft that may jeopardize safety. The MCR personnel should be warned

immediately about any attempt to change programs and/or data of digital I&C that relate to

safety class 2(А), including other I&C or digital I&C, and also on unauthorized use of ECR.

Reliability indicators should be established for:

basic functions performed by I&C, digital I&C and automation hardware;

replacement components of digital I&C and automation hardware.

The mean time to or between failures is the reliability indicator for replacement

components. The mean time between failures or failure rate are the reliability factors for

continuously performed functions. The availability factor and/or failure rate should be

regulated for the functions performed in required conditions or on demand. The reliability

indicators of all components directly involved in the function should be taken into account

in reliability (availability) assessment. Aging and wear of components, common-cause

failures, software failures and human errors should be considered if there are proven

methodologies and initial data that allow numerical evaluation of their impact on reliability.

The mean time to recovery (replacement of a failed component and subsequent

testing of instrumentation reliability) is regulated for digital I&C and automation hardware

16

recovered on-site.

The service life indicated in documentation on I&C, digital I&C and automation

hardware is accepted as the life indicator. The I&C should be upgraded (digital I&C,

automation hardware should be replaced) before their actual life reaches the regulated

period, or a decision should be made and agreed in compliance with the procedure

established in NP 306.5.02/2.068 [58] to continue operation over a new regulated period.

Requirements for Reliability of Function Performance. This section regulates the

capability to perform appropriate functions under certain environmental conditions,

operating media, mechanical (including seismic) and electrical impacts, variation in power

supply parameters and electromagnetic disturbances that may occur in locations of I&C and

automation hardware components:

under normal operation;

under boundary conditions caused by design-basis accidents, operation of powerful

electrical facilities, failures of support systems, abnormal natural phenomena (earthquake,

lightning stroke) or internal events (fire, flooding);

under beyond design-basis accidents.

Environmental resistance is regulated with regard to upper and/or lower temperature

limits and temperature change rate, humidity, atmospheric pressure, γ-radiation absorbed

dose rate and dose absorbed during regulated operation life, and concentration of corrosive

agents and dust.

To verify environmental resistance, test loads are determined on the basis of test data

on operating values of the environmental parameters provided by the operator or customer

and also based on evaluation of possible limits of these parameters, expected frequency of

occurrence and duration. If such data are absent, it is necessary to rely on generic operating

values and limits of environmental parameters indicated in the Branch Standard for the

group of operation conditions to which the automation hardware or independently operating

digital I&C components (hereinafter - equipment) are related.

Mechanical stability (resistance to vibrations and shock loads) is determined for each

independently operating component under test loads indicated by the operator or customer

using test data on actual values of operating mechanical parameters or generic operating

values indicated in the Branch Standard for the group of arrangement conditions to which

this equipment is related.

17

The seismic resistance category (I, II or III) should be established for all

independently operating equipment.

Seismic Category I includes equipment involved in functions to be initiated and/or

performed in case of the safe shutdown earthquake at NPP site (seismic load detection,

emergency reactor shutdown, interlocking of moving mechanisms, etc.) or directly after this

event (maintenance of core subcriticality, emergency core cooldown, residual heat removal,

control of critical parameters, prevention of radioactive releases, post-accident control and

monitoring).

Seismic Category II includes equipment that does not relate to category I if its

failure caused by an earthquake can cause power supply failure. This equipment should

perform all the established functions after seismic impacts caused by the design-basis

earthquake at NPP site.

Seismic Category III includes equipment that does not relate to categories I and II;

seismic resistance requirements are not established for such equipment.

Seismic impacts are simulated in response spectrum tests in compliance with

GOST 30546 [59], taking into account possible response of civil engineering structures to

ground vibrations. The response spectrum is determined by calculation and/or modeling, or

with use of generic values indicated in the Branch Standard that take into account possible

earthquake intensity, equipment height and installation methods.

Immunity to variation in power supply parameters is regulated with regard to long-

term deviations of frequency and voltage; short-term voltage fluctuations and power

interruptions [38, 52]; voltage fluctuations [40, 53]; short-term variation in current

frequency [42, 55].

Immunity to electromagnetic disturbances (see [60, 61]) includes:

electrostatic discharge interference [30, 45];

electromagnetic field radio frequency interference [31, 46];

electrical fast transient/burst interference [32, 47];

current surge interference [33, 48];

conducted disturbances induced by radio frequency fields [34, 49];

power frequency magnetic field interference [35, 62];

pulse magnetic field interference [36, 50];

damped oscillatory magnetic field interference [37, 51];

18

damped oscillatory interference [39];

conductive, common mode disturbances in the frequency range from 0 to 150 kHz

[41, 54];

ground line disturbances [1].

Requirements for Performance Quality. Requirements for accuracy, time

characteristics and man-machine interface are established.

Requirements for accuracy in the measurement of physical quantities that

characterize the processes and equipment state are determined as metrological

characteristics of I&C (digital I&C) instrumentation channels: limits of allowed error in

operating conditions or limits of basic allowed error and complementary errors caused by

change in each affecting factor within its nominal range.

The accuracy of I&C (digital I&C) alarm and/or control instrumentation channels is

characterized by the absolute allowed error in alarm actuation and disabling and/or

generation and disabling of control signals that are established for normal or limiting

operation conditions.

The instrumentation channels should undergo metrological certification prior to I&C

commercial operation. Digital I&C and automation hardware, regulated with regard to

accuracy requirements, should undergo primary calibration after the production and periodic

calibration during operation.

Time characteristics regulate the data input rate and time resolution in data input and

backup, permissible delays of discrete functions, data exchange rate, time of digital I&C

(automation hardware) connection after power supply renewal.

Requirements for Independence. This section establishes independence

requirements for the groups of I&C (digital I&C) redundant channels. Each of the channels

should remain capable of performing required Category A or B (recommended) functions

irrespective of the following:

failure or removal from service of other channels in this group for maintenance, tests

and recovery;

external impacts on other channels in this group that may cause their characteristics

to exceed the set limits.

I&C components that relate to safety class 2(А) or 3(В) should remain capable of

performing required Category A or B functions irrespective of failure or removal from

19

operation of related components in this or another I&C system that relates to lower safety

class.

To ensure independence, the following should be provided:

functional and/or physical separation of I&C components (digital I&C constituents)

that relate to different safety classes;

functional and/or physical separation of the redundant digital I&C systems (within

one I&C) and redundant alarm and control channels (within one digital I&C);

electric isolation of lines that transmit signals from a common source to several

receivers and from several sources to a common receiver;

use of local networks that can exchange data between all other (remaining in

operation) equipment after failure or removal from operation of any connected device.

Functional separation is ensured by a complete set of input data required for each

digital I&C and/or alarm and control channel in the group of inter-redundant digital I&C

(channels) to perform all the required functions.

Physical separation provides for allocating each of these digital I&C systems and/or

instrumentation channels in separate rooms or in separate load-bearing structures, separation

of their cables, use of separate cable trays and penetrations for each system/channel.

Electric isolation provides for galvanic isolation and shielding of feeds and leads.

Isolation quality of each power circuit (electric strength and electrical insulation resistance)

is regulated for operating and limiting conditions.

20

Figure 3. Classification of Functions, Systems and Components in Different Countries

Revision of Regulations

The final revisions of the Regulation and Brand Standard include the lessons learned

from the Fukushima accident. These lessons revealed the need to reassess and establish

stricter requirements for functional safety of I&C systems and their components [63]. These

requirements are intended, in particular, to minimize the risk of hazards, including

earthquakes, and to keep data that may be necessary for accident management and/or for

mitigation of accident consequences.

21

To mitigate the risk of earthquakes:

control and monitoring functions to be performed during and/or immediately after an

earthquake are identified;

classification criteria for seismic resistance and test severity are specified for

equipment involved in these functions, taking into account seismic resistance categories and

equipment arrangement conditions;

requirements for test loads that simulate earthquakes are identified. Methods of

seismic resistance assessment and compliance criteria are clarified.

To mitigate the risk of other hazards:

requirements for functional safety of the instrumentation systems that should detect

such hazards (fire detection and alarm, actuation of automated fire extinguishing) are

established;

measures on fire prevention and protection of independently operating equipment in

case of fire hazards are determined;

requirements for resistance to substances that are released in actuation of the

automated fire extinguishing system are identified.

To store the data on accidents:

requirements for the system for monitoring of radioactive releases within NPP rooms

and territory, controlled and observation areas during operation and after accidents,

including beyond design-basis accidents, are established;

requirements for post-accident monitoring systems that support NPP technical

personnel and safety experts in accident management, mitigation of accident consequences,

analysis of the causes and ways of accident progression (including requirements on data

storage reliability in case of a beyond design-basis accident) are identified.

Differences from Current Requirements NP 306.5.02/3.035 [1]

1. The requirements for I&C systems and their components are divided into

regulatory requirements included in the Regulation and technical requirements detailed by

the Branch Standard in order that this document can be used directly for regulation and

assessment of the functional safety of I&C systems and their components.

22

2. Process control and monitoring functions (performed by combined actions of

control, protection, confining and support systems, process equipment and operating

personnel) and I&C functions are separated.

3. Classification by categories, which take into account the importance of these

functions to safety and complies with the classification accepted in IEC 61226 [20] and

reflected in DSTU IEC 61226 [27], is introduced for process control and monitoring

functions. The categories of I&C functions and functions of their components agree with

the processes in which control and monitoring functions are involved.

4. Safety classification of I&C systems and their components is harmonized with

international standards [64]: the categories of functions were taken as a basis; the number

of safety classes was increased from two to three, as in IEC 61513 [13]; the safety

requirements were differentiated taking into account the categories of functions as

recommended in IEC 60880 [17], IEC 61226 [20], IEC 62138 [22] and in identical State

Standards of Ukraine DSTU ІЕС 60880 [25], DSTU IEC 61226 [27] and

DSTU ІЕС 62138 [29]. At the same time, the consistency with current Ukrainian

classification established in NP 306.2.141 [2] is preserved so as the classified criteria can

be specified and detailed and other classification features can be used (Fig. 3).

5. Requirements of the Regulation and Branch Standard cover all life stages: I&C

design; development of digital I&C, automation hardware and software; equipment

qualification, software verification; acceptance tests of digital I&C and automation

hardware performed by manufacturers; integration of components and I&C tests in

commissioning at NPPs; maintenance, inspections and recovery during operation;

modification and modernization the operating system.

6. Functional requirements for normal operation and safety systems, in-core

instrumentation systems, radiation monitoring system, fire alarm and automated fire

extinguishing system are established.

7. Requirements for emergency and post-accident control (monitoring) systems,

including requirements for backup of the data needed for analysis of accident causes,

accident progression and state of structures, systems and equipment, and requirements for

safety of these data at any impacts that may occur in case of design-basis accidents and

beyond design-basis accidents are specified.

23

8. The classification criteria for seismic resistance and methods for simulation of

seismic loads during tests are clarified. Much more severe seismic resistance requirements

are established. They take into account conservative assessment of the damping coefficient

for civil engineering structures to determine their possible response to ground vibrations.

9. In establishing regulatory requirements for immunity (electromagnetic disturbance

immunity), instead of general assessment of electromagnetic environment, it is proposed

that immunity be analyzed separately for each type of disturbance.

The list of electromagnetic disturbances for which immunity requirements were

established was extended. It additionally includes conductive disturbances induced by radio

frequency fields; damped oscillatory magnetic field interferences; damped oscillatory

interferences; conductive, common mode disturbances in the frequency range from 0 up to

150 kHz; feed voltage fluctuations; short-term variations in supply frequency.

10. Electromagnetic compatibility requirements are specified taking into account

new international standards [30-43] and state standards of Ukraine [45-56, 62]. Stricter

requirements are set for tests of Safety Class 2(А) and 3(В) in comparison with these

standards.

11. Contemporary tendencies in the use of the Field Programmable Logical Devices

(FPLDs) and technology for their development and implementation were taken into account

for safety functions.

12. Requirements for software protection from unwanted and unsafe interference and

from unauthorized change through external computer networks and/or transient carriers

(these requirements should be further detailed taking into account IAEA efforts and new

IEC standards pertaining to the protection against cyber threats) are provided for.

13. Configuration management requirements that allow (at any time) identification

and recording of distinctive features and connections of all elements, whose combination

determines the actual configuration of I&C and digital I&C at the relevant life stage are

included.

24

GND 306.7.013.088–2004. Methodology on State Supervision of Quality Management System in Nuclear Facility Operation GND 306.6.01/1.075–2003. Procedure for Review and Agreement of Product Technical Specifications KND 306.302–96. Requirements for Contents of Safety Analysis Reports for WWER NPPs in Licensing of Commissioning ND 306.711–96. Lifetime Extension for I&C Related to the Safety Important Systems. General Requirements for Work Procedure and Contents SOU-N YaЕК 1.005:2007. Automated Radiation Monitoring Systems at NPPs with WWER. General Technical Requirements SOU-N MPЕ 40.1.35.109:2005. Technical Requirements for Microprocessor-based Protections and Interlocks STP 0.03.069:2007. Metrology. Process Control and Instrumentation Systems. Pilot Model. Metrological Certification Procedure STP 0.03.050–2009. Certification of NPP Equipment and Technical Devices

Fig. 4. Hierarchical Pyramid of Ukrainian Regulations Related to I&C systems and Their

Components Important to Safety

Conclusions

The advances in information technologies, electronic components, local-area

networks, computerized diagnostics, display and archiving tools that serve as the basis for

developing new I&C systems and upgrading the existing ones designed for automation of

nuclear installations have necessitated regular updating of the regulatory framework

governing the functional safety of these systems and their components. Two new revisions

of the standard that relates to the instrumentation and control systems important to NPP

safety (IAEA NS-G-1.3 [13] and IAEA DS-431 [15]), two revisions of international

standard IEC 61513 [21] establishing general requirements for functional safety of such

LAWS OF UKRAINE AND INTERNATIONAL AGREEMENTS

RESOLUTIONS OF THE PRESIDENT AND THE CABINET OF MINISTERS OF UKRAINE

REGULATIONS OF THE STATE REGULATORY BODIES OF UKRAINE

GUIDELINES OF THE STATE REGULATORY BODIES OF UKRAINE

INTERSTATE AND STATE STANDARDS BRANCH REGULATIONS OF THE MINISTRY FOR ENERGY AND COAL INDUSTRY OF UKRAINE REGULATIONS OF THE OPERATOR

25

systems, and three revisions of standard IEC 61226 [20] that relates to the classification of

NPP I&C were issued after NP 306.5.02/3.035 [1] was put into effect in March 2000.

Meanwhile, Ukrainian experts gained substantial experience in design, development,

manufacture and assessment of the functional safety of I&C systems and their components

at Ukrainian NPPs [65]. Under these circumstances, it was recognized that Regulation NP

306.5.02/3.035 [1] should be revised and a new Branch Standard with requirements

harmonized with the latest revisions of international standards should be developed.

The development and implementation of the Regulation and Branch Standard will

contribute to solving top priority issues related to the prevention of nuclear accidents at

Ukrainian NPPs and to the safety of personnel, the public and the environment.

The application of new regulations will improve understanding between experts

involved in the development (modernization), implementation and operation of I&C

systems important to safety, as well as with the State Nuclear Regulatory Inspectorate of

Ukraine, licensing these activities, and with its expert organizations.

The harmonization with international standards will enable export of systems and

components designed and produced in compliance with the Regulation and Branch

Standard, allow extensive use of advanced international experience in regulation and safety

assessment of I&C systems and their components, and facilitate the of the national legal

framework to legislation of the European Union.

The developed Regulation “Nuclear and Radiation Safety Requirements for I&C

Systems Important to NPP Safety” (NP 306.2.XXX-2014) and associated Branch Standard

“Instrumentation and Control Systems Important to NPP Safety. General Technical

Requirements” (SOU N YaEK X.00X:2014) will be included in the hierarchical pyramid of

nuclear and radiation safety regulations (Fig. 4) developed by the SNRIU.

The revision of Guideline GND 306.7.02/2.041 [66], which sets requirements for the

structure and contents of safety justification documents for I&C systems and their

components at all life stages and describes the procedure for assessment of compliance with

these requirements, is a top priority too. The assessment is carried out by the SNRIU in

licensing of the development (modernization) of I&C systems at Ukrainian NPPs. The

revision is to be aimed at bringing the document into compliance with the new Regulation

and Branch Standard and harmonizing it with IEC 61513 [21] and other IEC standards, in

which the completeness and quality of technical documentation are regarded as very

26

important aspects ensuring the functional safety of I&C systems, automation hardware and

digital I&C.

References

1. NP 306.5.02/3.035-2000. Requirements for Nuclear and Radiation Safety of Instrumentation

and Control Systems Important to NPP Safety. (Rus)

2. NP 306.2.141-2008. General Safety Provisions for Nuclear Power Plants. (Ukr)

3. NP306.2.145-2008. Nuclear Safety Rules for Reactors of Nuclear Power Plants with PWR.

(Ukr)

4. NP 306.2.106-2005. Requirements for Modification of Nuclear Installations and Procedure

for Safety Assessment. (Ukr)

5. NP 306.5.02/2.068-2003. Requirements for Procedure and Contents of Lifetime Extension

Measures for Instrumentation and Control Systems Important to NPP Safety. (Ukr)

6. NP 306.5.02/3.017-99. Requirements for Quality Assurance Program at All Stages of NPP

Lifecycle. (Rus)

7. NP 306.5.02/3.076-2003. Requirements for Arrangement and Procedure of NPP

Commissioning. (Ukr)

8. NAPB 03.005-2002 (VBN V.1.1-034-03.307-2003). Fire Protection. Fire Safety Regulations

for Design of Nuclear Power Plants with WWER. (Ukr)

9. PNAE G-5-006-87. Seismic Design Rules for Nuclear Power Plants. (Rus)

10. IAEA SSR-2/2-2011. Safety of Nuclear Power Plants: Commissioning and Operation. Specific

Safety Requirements.

11. IAEA SSR-2/1 2012. Safety of Nuclear Power Plants: Design. Specific Safety.

12. IAEA NS-G-1.1:2000. Software for Computer Based Systems Important to Safety in Nuclear

Power Plants. Safety Guide.

13. IAEA NS-G-1.3:2002. Instrumentation and Control Systems Important to Safety in Nuclear

Power Plants. Safety Guide.

14. IAEA NS-G-2.3:2001. Modifications to Nuclear Power Plants. Safety Guide.

15. IAEA DS-431. Design of Instrumentation and Control Systems for Nuclear Power Plants.

Draft Safety Guide.

16. IEC 60780:1998. Nuclear Power Plants — Electrical Equipment of the Safety Systems —

Qualification.

17. IEC 60880:2006. Nuclear Power Plants — Instrumentation and Control Systems Important to

Safety — Software Aspects for Computer-Based Systems Performing Category A Functions.

27

18. IEC 60980:2007. Recommended Practice for Seismic Qualification of Electrical Equipment

for Nuclear Power Plants.

19. IEC 60987:2007. Nuclear Power Plants — Instrumentation and Control Important to Safety.

Programmed Digital Computers Important to Safety for Nuclear Power Plants.


Safety — Classification. Ed. 3.0.

21. IEC 61513:2011. Nuclear Power Plants — Instrumentation and Control Important to

Safety — General Requirements for Systems.

22. IEC 62138:2005. Nuclear Power Plants — Instrumentation and Control Important for Safety.

Software Aspects for Computer-Based Systems Performing Category B or C Functions.


Safety - Requirements for Coping with Common Cause Failure (CCF).

24. DSTU ІЕС 60780:2007. Nuclear Power Plants. Electric Equipment of the Safety Systems.

Qualification (ІEC 60780:1998, ІDT). (Ukr)

25. DSTU ІЕС 60880:2008. Nuclear Power Plants. Instrumentation and Control Systems

Important to Safety. Software Aspects of Computer-Based Systems Performing Category A

Functions (ІEC 60880:2006, ІDT). (Ukr)


Important to Safety. Requirements for Design of Hardware for Computer-Based Systems

(ІEC 60987:2007, ІDT). (Ukr)


Important to Safety. Classification of Instrumentation and Control Functions

(ІEC 61226:2005, ІDT). (Ukr)


Important to Safety. General Requirements for Systems (ІEC 61513:2001, ІDT). (Ukr)


Important to Safety. Software Aspects for Computer-Based Systems Performing Category B

or C Functions (ІEC 62138:2004, ІDT). (Ukr)

30. IEC 61000-4-2:2001. Electromagnetic Compatibility (EMC) — Part 4-2: Testing and

Measurement Techniques — Electrostatic Discharge Immunity Test.


Measurement Techniques - Radiated, Radio-Frequency, Electromagnetic Field Immunity.


Measurement Techniques — Electrical Fast Transient / Burst Immunity Test. Basic EMS

Publication.

28


Measurement Techniques — Surge Immunity Test.


Measurement Techniques - Immunity to Conducted Disturbances, Induced by Radio-

Frequency Fields.


Measurement Techniques - Power Frequency Magnetic Field Immunity Test.


Measurement Techniques - Pulse Magnetic Field Immunity Test.


Measurement Techniques - Damped Oscillatory Magnetic Field Immunity.


Measurement Techniques — Voltage Dips, Short Interruptions and Voltage Variations

Immunity Tests.


Measurement Techniques - Oscillatory Waves Immunity Test.


Measurement Techniques - Voltage Fluctuation Immunity Test.


Measurement Techniques - Test for Immunity to Conducted, Common Mode Disturbances in

the Frequency Range 0 Hz to 150 kHz.


Measurement Techniques — Variation of Power Frequency, Immunity Test.

43. CISPR 22:2006. Information Technology Equipment — Radio Disturbance Characteristics —

Limits and Methods of Measurement.

44. ISO 9001-2000. Quality Management Systems — Requirements.

45. DSTU ІЕС 61000-4-2:2008. Electromagnetic Compatibility (EMC) — Part 4-2. Testing and

Measurement Techniques. Electrostatic Discharge Immunity Test (ІEC 61000-4-2:2001,

ІDT). (Ukr)


Measurement Techniques — Radiated, Radio-Frequency, Electromagnetic Field Immunity

(ІEC 61000-4-3:2006, ІDT). (Ukr)


Measurement Techniques - Electrical Fast Transient / Burst Immunity Test (ІEC 61000-4-

4:2004, ІDT). (Ukr)

29

48. DSTU ІЕС 61000-4-5:2008. Electromagnetic Compatibility (EMC) — Part 4-5: Testing and

Measurement Techniques — Surge Immunity Test (ІEC 61000-4-5:2005, ІDT). (Ukr)


Measurement Techniques — Immunity to Conducted Disturbances, Induced by Radio-

Frequency Fields (ІEC 61000-4-6:2006, ІDT). (Ukr)


Measurement Techniques — Pulse Magnetic Field Immunity Test (ІEC 61000-4-9:2001,

ІDT). (Ukr)

51. DSTU ІЕС 61000-4-10:2008. Electromagnetic Compatibility (EMC) — Part 4-10: Testing

and Measurement Techniques — Damped Oscillatory Magnetic Field Immunity. (ІEC 61000-

4-10:2001, ІDT). (Ukr)


and Measurement Techniques — Voltage Dips, Short Interruptions and Voltage Variations

Immunity Tests (ІEC 61000-4-11:2004, ІDT). (Ukr)


and Measurement Techniques - Voltage Fluctuation Immunity Test (ІEC 61000-4-14:2002,

ІDT). (Ukr)


and Measurement Techniques — Test for Immunity to Conducted, Common Mode

Disturbances in the Frequency Range 0 Hz to 150 kHz (ІEC 61000-4-16:2002, ІDT). (Ukr)


and Measurement Techniques — Variation of Power Frequency, Immunity Test (ІEC 61000-

4-28:2002, ІDT). (Ukr)

56. DSTU CISPR 22:2007. Information Technology Equipment — Radio Disturbance

Characteristics — Limits and Methods of Measurement (CISPR 22:2006, ІDT). (Ukr)

57. DSTU ISO 9001 2009. Quality Management Systems — Requirements (ISO 9001:2008,

IDT). (Ukr)

58. NP 306.5.02/2.068-2003. Requirements for Order and Contents of Lifetime Extension

Measures for Instrumentation and Control Systems Important to NPP Safety. (Rus)

59. GOST 30546.1-98. General Requirements for Machines, Devices and Secondary Technical

Equipment and Methods to Calculate Seismic Resistance of Complex Structures. (Rus)

60. Yu. Rozen. Electromagnetic Compatibility of Instrumentation and Control System

Components (1): Rules for Regulation and Assessment of Noise Immunity. Nuclear and

Radiation Safety, 2007, No. 2. – P. 9-26. (Rus)

30

61. Yu. Rozen. Electromagnetic Compatibility of Instrumentation and Control System

Components (2): Electromagnetic Noise Immunity. Nuclear and Radiation Safety, 2008, No.

4. – P. 58-76. (Rus)

62. DSTU 2465-94. Electromagnetic Compatibility of Technical Measures. Power Frequency

Magnetic Field Immunity Test. Technical Requirements and Test Methods. (Ukr)

63. M. Yastrebenetsky, Yu. Rozen, G. Gromov, V. Inyushev, A. Nosovsky, M. Gashev,

B. Stolyarchuk. Requirements for Instrumentation and Control Systems of Ukrainian NPPs

Following Analysis of the Fukushima-1 Accident // Nuclear and Radiation Safety. —

2011. — No. 4. — P. 3—10. (Rus)

64. M. Yastrebenetsky, Yu. Rozen. About Safety Classification of Instrumentation and Control

Systems and Their Components // Nuclear and Radiation Safety. — 2004. — No. 4. —

P. 13—33. (Rus)

65. M. Yastrebenetsky, Yu. Rosen, S. Vinogradskaya, G. Jonhson, V. Eliseev, A. Siora, V. Skliar,

L. Spector, V. Kharchenko. Nuclear reactors control and protection systems / Ed.

M. Yastrebenetsky. — Kiev: Osnova-Print, 2011. — 768. — (Nuclear power plants safety).

(Rus)

66. GND 306.7.02/2.041-2000. Methodology for Assessing Compliance of Instrumentation and

Control Systems Important to Safety of Nuclear Power Plants with Nuclear and Radiation

Safety Requirements. (Ukr)