
NP-026-16. Requirements for safety-related control systems of nuclear power plants

Approved by
Order of the Federal Environmental, Industrial and Nuclear Supervision Service
No. 483 dated 16.11.2016

 

FEDERAL RULES AND REGULATIONS IN THE FIELD OF ATOMIC ENERGY USE
"REQUIREMENTS FOR SAFETY-RELATED CONTROL SYSTEMS OF NUCLEAR POWER PLANTS"
(NP-026-16)

 

I. Purpose and scope

 

1. These Federal rules and regulations in the field of atomic energy use "Requirements for safety-related control systems of nuclear power plants" (NP-026-16) (hereinafter - the Rules) are developed in accordance with Federal Law No. 170-FZ dated 21 November 1995 "On atomic energy use" (Collected Acts of the Russian Federation, 1995, N 48, art. 4552; 1997, N 7, art. 808; 2001, N 29, art. 2949; 2002, N 1, art. 2; N 13, art. 1180; 2003, N 46, art. 4436; 2004, N 35, art. 3607; 2006, N 52, art. 5498; 2007, N 7, art. 834; N 49, art. 6079; 2008, N 29, art. 3418; N 30, art. 3616; 2009, N 1, art. 17; N 52, art. 6450; 2011, N 29, art. 4281; N 30, art. 4590, art. 4596; N 45, art. 6333; N 48, art. 6732; N 49, art. 7025; 2012, N 26, art. 3446; 2013, N 27, art. 3451; 2016, N 14, art. 1904; N 15, art. 2066; N 27, art. 4289), Decree of the Government of the Russian Federation No. 1511 dated 1 December 1997 "On approval of the Regulation on development and approval of Federal rules and regulations in the field of atomic energy use" (Collected Acts of the Russian Federation, 1997, N 49, art. 5600; 1999, N 27, art. 3380; 2000, N 28, art. 2981; 2002, N 4, art. 325; N 44, art. 4392; 2003, N 40, art. 3899; 2005, N 23, art. 2278; 2006, N 50, art. 5346; 2007, N 14, art. 1692; N 46, art. 5583; 2008, N 15, art. 1549; 2012, N 51, art. 7203).

2. The requirements of these Rules shall apply to the full extent to power units of nuclear power plants that are being designed.

3. Operating conditions for the power units of existing nuclear power plants, as well as for nuclear power plant power units under construction whose construction licenses were issued prior to entry of these Rules into effect, shall be brought into compliance with these Rules with simultaneous introduction of changes to the construction or operation license conditions.

4. The list of abbreviations used is given in Appendix 1, and terms and definitions are given in Appendix 2 to these Rules.

 

II. General requirements for safety-related control systems

 

5. Configuration and functions of the safety-related control systems shall be defined in the NPP design documentation (hereinafter - the NPP design) in compliance with the requirements of federal rules and regulations in the field of atomic energy use. The following safety-related control systems shall be provided for each NPP power unit:

SR NOCS;

CSS;

control systems belonging to safety-related special-purpose hardware for beyond design basis accident management.

Safety-related normal operation control systems perform the functions referred to the first and the second levels of defense-in-depth; control safety systems perform the functions referred to the third level of defense-in-depth; control systems belonging to safety-related special-purpose hardware for beyond design basis accident management perform the functions referred to the fourth level of defense-in-depth.

6. The requirements for each safety-related control system shall be specified in the terms of reference for development of this system included into the NPP design. Compliance with the requirements specified in the terms of reference for the relevant system development and the requirements of the NPP design shall be confirmed in the SAR for each safety-related control system.

7. All components of safety-related control systems shall be assigned to functional groups in the NPP design.

8. One of the categories - A, B or C - shall be assigned in the NPP design to the control and information functions performed by the functional groups.

9. Category A shall be assigned to the following control and information functions:

performed by the CSS (including emergency protection of the reactor, control of the emergency core cooling systems, control of the localizing safety systems);

intended to provide the NPP personnel with information and the control possibilities necessary in case of any initiating event of a design basis accident in order to perform any actions aimed to achieve controlled safe state of the NPP.

10. Category B shall be assigned to the following control and information functions:

control of the systems maintaining the reactor in sub-critical state after actuation of the reactor emergency protection;

control of the systems for heat removal from the shut-down reactor and the fuel pool (or other spent nuclear fuel storage facilities);

functions whose failure to perform under normal NPP operation conditions requires performance of a control or information function of category A in order to prevent a pre-accident situation or accident;

intended to provide the NPP personnel with information and (or) control possibilities necessary to perform any actions aimed to limit the accident consequences after achievement of the NPP controlled safe state;

intended to provide the NPP personnel with information in relation to compliance with the safe operation limits and conditions as well as information on performance of safety functions in case of accidents.

11. Category C shall be assigned to the following control and information functions:

control of the NPP process within the operation limits and prevention of any deviations from the safe operation limits;

detection of dangerous events (fires, flooding) and (or) limitation of their impact on the NPP safety (for example control of fire extinguishing systems, localization of flooding);

performed by the control systems belonging to safety-related special-purpose hardware for beyond design basis accident management;

radiological control.

12. In case several classification criteria specified in par. 9-11 of these Rules may be applied to a control or information function at the same time, it shall be assigned the higher category from among those defined by these criteria; in this case category A shall be considered the highest.

13. Organizations performing their activities at any stage of the SR CS life cycle shall carry out these activities in accordance with the quality assurance programs developed in these organizations.

14. Verification shall be performed in relation to the results of activities at all stages of the SR CS life cycle. All non-conformities detected in the course of verification shall be documented and eliminated.

15. Requirements for reliable performance of control and information functions by safety-related control systems shall be specified in the NPP design.

Compliance with the reliability requirements specified in the NPP design shall be confirmed by calculations of the reliability parameters for each control and information function (in particular with due regard for the operation experience); in this case the possibility for any apparent and hidden failures (including software errors and failures of diagnostic devices), common cause failures, human errors as well as frequency of maintenance, testing (verification) and repair shall be taken into account.

16. Criteria and the procedure for assessment of limit state for safety-related control system components as well as data on their specified lifetime shall be provided in the NPP design.

17. Consequences of any failures of the SR CS components (including common cause failures in particular due to software errors) shall be analyzed in the NPP design, and measures aimed to ensure the NPP safety in case of the above-mentioned failures shall be provided.

18. Safe operation conditions, the disabling procedure, performance of periodic inspections, testing and the procedure for activation of the system components (channels), the requirements for the scope and frequency of maintenance and repair, the size and qualification of the maintenance personnel shall be specified and substantiated in the NPP design for each safety-related control system.

19. The NPP design shall provide for generation of the signal for the NPP personnel upon disabling of any SR CS channels (components) or functional groups.

20. The NPP design shall provide for continuous automatic monitoring (self-diagnostics) of operability for safety-related control systems. In addition, periodic verification of safety-related control systems shall be provided in order to detect any hidden failures not revealed by continuous automatic monitoring during operation.

21. Safety-related control systems shall include archiving and display means (with the regularity substantiated in the NPP design) for diagnostic information on the technical condition of the SR CS components and adjacent systems, including data on any failures detected in the course of continuous automatic monitoring during operation, in the cases prescribed in the NPP design.

22. All information at the NPP power unit shall be recorded in the time-standard system.

23. The NPP design for safety-related control systems shall provide measures aimed to ensure that performance of any control or information function and (or) failure to perform any control or information function of lower category would not result in failure to perform any control or information function of higher category.

24. In case any control or information function is performed with involvement of the NPP personnel, it shall be demonstrated in the NPP design that the conditions necessary for the NPP personnel to perform this control or information function are created. Measures aimed to reduce the probability of human errors shall be specified and substantiated in the NPP design.

25. Functional groups performing control or information functions of category A shall comply with the principles of redundancy, independence and diversity. Selection of diversity type (types) shall be based on the analysis of potential causes of failures to perform any control or information function of the functional group and the expected consequences. In case any programmable digital devices are used within the functional group performing any control or information function of category A several diversity types shall be applied in order to comply with the principle of diversity.

26. Functional groups performing control or information functions of category B shall comply with the principles of redundancy, independence and diversity. The need to apply or not to apply the principles of independence, redundancy and diversity shall be substantiated in the NPP design.

27. Compliance assessment (in the form of testing) shall be provided in order to confirm capability of the SR CS components to perform their control and information functions.

28. Each channel in a group of mutually redundant SR CS channels engaged in performance of the same control (information) function of category A shall be capable of performing its control (information) function regardless of:

inoperability (in particular due to disabling, testing, maintenance) of other channels belonging to this group of channels;

loss of operability in the signal and data transmission line between the channels of this group;

impact of any external natural and human-induced factors on other channels of this group as well as impacts of design basis accidents.

 

III. Requirements for safety-related normal operation systems

 

29. The NPP design shall provide for automatic and (or) automated control of the process equipment of safety-related normal operation systems through the use of SR NOCSs.

30. The NPP design shall provide for transmission of control actions from the SR NOCSs to the controlled objects in case of any deviations from the preset NPP process parameters defining the safe operation limits (neutron and thermal power of the RP, pressure and temperature of the primary circuit coolant, etc.). The above-mentioned control actions shall be aimed to return the controlled parameters to the values established for normal operation and shall be transmitted to the controlled object prior to initiation of protective actions by the control safety systems.

31. The following shall be defined and substantiated in the NPP design for safety-related normal operation systems:

protection actuation conditions;

conditions for actuation of interlocks;

process control algorithms;

the range of controlled parameters necessary for control (including automated one);

the number of measuring channels sufficient for performance of control and information functions by the SR NOCS;

automated control algorithms and criteria based on the set of parameter values from different measuring channels;

the parameter monitoring mode (continuous and periodic, the parameter monitoring frequency shall be substantiated);

parameters controlled in the mode of indication, direct measurement and processing of the measurement result through the use of software.

32. Protections and interlocks implemented within the SR NOCS shall be arranged with the possibility to disable these protections and interlocks and to activate them under the conditions prescribed in the NPP design.

33. The NPP design shall provide for automated verification of the protections implemented by the SR NOCS.

34. The activated algorithm of any protection performed by the SR NOCS shall be executed without interruption until completion of this algorithm, regardless of any changes in the initiating condition which caused actuation of the protection. Acceptability of any deviations from this requirement shall be substantiated in the NPP design.

35. Cancellation of the initiation command for any protection performed by the SR NOCS after completion of the protection algorithm shall be performed with adherence to any administrative and technical measures prescribed in the NPP design in order to prevent erroneous cancellation of the command (in case the NPP design provides for such cancellation performed by the NPP personnel).

 

IV. Requirements for control safety systems

 

36. Control safety systems shall ensure automatic and automated control of safety systems within the scope established and substantiated in the NPP design.

37. Automatic actuation of the SS process equipment shall be performed upon commands from the control safety systems in case of occurrence of any conditions specified and substantiated in the NPP design.

38. Automated actuation of the SS process equipment shall be arranged from the MCR as well as (in case of the MCR control failure) from the ECR.

39. The following shall be defined and substantiated in the NPP design for control safety systems:

conditions for automatic start (actuation) of safety systems;

SS control algorithms.

40. Control safety systems shall be designed so as to prevent any intervention of the NPP personnel in the safety system operation within 10-30 minutes after their automatic actuation, except for intervention related to the NPP personnel's actions stipulated by the NPP operation process regulations, operation manuals, emergency operating procedures and beyond design basis accident management guidelines.

41. Control safety systems performing the emergency protection function shall comply with the requirements specified in the nuclear safety rules for the NPP RP.

42. Automatic control commands for safety systems generated by the CSS shall have the highest priority compared to all other control commands.

43. The time for recovery of the CSS channel operability after any failure of the channel shall be defined in the NPP design with regard to each function performed by this channel.

44. Prior to activation of the CSS channels tests shall be performed in order to verify performance of all functions specified in the NPP design by the CSS channels.

 

V. Requirements for the control systems belonging to safety-related special-purpose hardware for beyond design basis accident management

 

45. The scope of control performed by the control systems belonging to safety-related special-purpose hardware for beyond design basis accident management shall be sufficient to define the state of the basic NPP safety functions under the beyond design basis conditions (including severe ones) and also for the NPP personnel to perform any actions for beyond design basis accident management (including severe ones).

46. Sufficiency of the NPP control scope performed by the control systems belonging to safety-related special-purpose hardware for beyond design basis accident management (including the list of controlled parameters, the measurement range and accuracy, response time, independent operation duration) shall be substantiated in the NPP design.

47. Display of the controlled RP and NPP parameters by the control systems belonging to safety-related special-purpose hardware for beyond design basis accident management shall be ensured within the entire duration of the accident and the post-accident period.

48. Sufficiency of the engineering features provided in the control systems belonging to safety-related special-purpose hardware for beyond design basis accident management at a multi-unit NPP in case of a simultaneous beyond design basis (particularly severe) accident at all NPP power units shall be demonstrated in the design of these systems.

49. Power supply of the components of control systems belonging to safety-related special-purpose hardware for beyond design basis accident management shall be arranged so that these systems retain their operability within the time period substantiated in the NPP design in case of any failure of normal operation power supply sources as well as of the second group emergency power supply sources of the emergency power supply system.

50. The NPP design shall provide for all reasonably achievable measures aimed to ensure independence of the control systems belonging to safety-related special-purpose hardware for beyond design basis accident management from normal operation control systems and control safety systems.

 

VI. Requirements for human-machine interface

 

51. Systems ensuring provision of reliable information on the state of safety-related NPP systems and components to the NPP personnel shall be arranged within safety-related control systems.

52. It should be demonstrated in the NPP design that the human-machine interface ensures minimization of erroneous actions of the NPP personnel in the course of the NPP control.

53. The list of the NPP parameters to be controlled from the MCR shall be sufficient to provide unambiguous information to the NPP personnel in relation to compliance with the NPP safe operation limits, occurrence of any conditions for SS actuation as well as on automatic actuation and functioning of safety systems. The list of the NPP parameters to be controlled from the MCR and the ECR shall be justified in the NPP design and presented in the NPP SAR.

54. Safety-related control systems implementing protections shall include alarm systems for the protection actuation. Where a multi-channel structure is used to implement a protection, warning of the NPP personnel on actuation of individual channels shall be provided.

55. Designations (including acronyms and abbreviations) used in the safety-related control systems for controlled objects, process parameters of safety-related systems, state parameters of safety-related control systems and their components shall not require usage of any additional reference documentation by the NPP personnel in order to understand the above-mentioned designations.

 

VII. Requirements for the SR CS interface with adjacent systems

 

56. The following shall be defined and substantiated in the NPP design for each safety-related control system:

the list of systems this safety-related control system should interact with (adjacent systems) in each NPP normal operation mode as well as in case of abnormal operation of NPP;

data that this safety-related control system shall receive from each adjacent system and (or) transmit to each adjacent system;

the required frequency, time for updating of the input and output data and the conditions initiating such update;

priority of the commands from adjacent systems;

methods for presentation of the input and output data in the adjacent systems;

data transmission (receiving) interface.

57. Absence of any errors in the course of data interchange between the safety-related control system and its adjacent systems shall be checked automatically during operation of this safety-related control system and periodically in the course of the NPP operation according to the procedure established in the NPP design.

58. The following shall be defined in the NPP design for the purpose of the SR CS integration with adjacent systems:

rooms for the equipment of the safety-related control system;

layout limitations in relation to the safety-related control system location at the NPP;

types of interfaces between the safety-related control system and the adjacent systems;

means for detection of any errors and malfunctions in the interfaces and communication lines.

59. The following shall be performed for the purpose of the SR CS integration with adjacent systems:

testing of the safety-related control system and the adjacent systems in order to confirm compliance of their functioning with the NPP design requirements;

verification of analogue and digital exchange signals between the safety-related control system and the adjacent systems in order to confirm that signal values and logical states prescribed in the NPP design are provided during performance of control and information functions referred to categories A, B and C.

60. Information exchange between the safety-related control system and non-safety-related normal operation systems shall be unidirectional (from the safety-related control system to the non-safety-related normal operation systems) via the gateways included in the safety-related control system.

 

VIII. Requirements for protection of safety-related control systems against unauthorized access

 

61. Protection of safety-related control system components including communication lines and data against any unauthorized access shall be ensured at the NPP.

62. The objects to be protected against unauthorized access include:

means used to change setpoints of protections, interlocks, warning and emergency alarms and settings of the controllers;

switching components for connection of external (in relation to the safety-related control system) circuits;

replaceable elements inside the SR CS components;

manual controls (for example power supply circuit breakers, operation mode switches, means for disabling of the SR CS channels, etc.);

manual data entry and retrieval means (for example keyboards);

media and software on any media.

The particular list of objects subject to protection against unauthorized access shall be specified and substantiated in the NPP design.

63. Measures shall be provided for safety-related control systems engaged in performance of control or information functions of categories A or B in order to prevent unauthorized access inside the SR CS components, to ensure protection against any program and data modification particularly from adjacent systems and also immediate warning of the NPP personnel in case of any unauthorized access. The NPP design shall provide for administrative and technical measures in order to restrict access to the SR CS components.

 

IX. Requirements for maintenance of operability of safety-related control systems in the course of operation

 

Changes of power supply parameters

 

64. Safety-related control systems shall maintain their operability under permissible changes of power supply parameters: voltage and frequency changes, power supply interruptions. Permissible values of power supply parameter changes shall be defined in the NPP design.

Permissible changes of power supply parameters for safety-related control systems must not lead to any errors in performance of control or information functions by the safety-related control systems, data loss in memory, spurious output signals and any malfunctions of the safety-related control systems requiring intervention of the NPP personnel.

65. The NPP design shall provide for storage of the information on the position of valves controlled by any safety-related control system in this control system after loss of the valve drive power supply.

66. In the absence of power supply for the SR CS sensors, any signals from these sensors used in the safety-related control system shall be treated as invalid by this system.

67. Safety-related control systems shall be tested for stability under any changes of power supply parameters. Test impacts in the course of the above-mentioned testing shall be determined based on the input data specified in the NPP design with regard to any potential changes of parameters for the auxiliary power supply network of the NPP. Parameters of electrical impacts simulated in the course of testing shall be defined based on the experimental and (or) calculation data on actual or expected values of these parameters in all rooms where the safety-related control system is installed.

68. Unless it is substantiated in the NPP design that no power supply loss for the SR CS components can lead to inability of this safety-related control system to perform any control or information functions of categories A and B, additional internal uninterruptible power supply sources shall be provided for this safety-related control system. The above-mentioned power supply sources shall be subject to operability verification with the frequency substantiated in the NPP design.

 

Impact of the environment

 

69. Operability of the components of each safety-related control system shall be retained under the environmental conditions typical for normal operation of the NPP (without any exposure time limitations) as well as for abnormal operation of NPP including accidents (within the time period exceeding or equal to the expected maximum duration of impact) when functioning of this safety-related control system is necessary.

70. Environmental conditions under which the safety-related control systems shall retain their operability shall be specified in the NPP design. The above-mentioned conditions shall include:

nominal (operating) values, permissible upper and lower limits of the ambient temperature;

ambient temperature change rate;

nominal and maximum humidity;

nominal and maximum barometric pressure;

absorbed dose rate limits of ionizing γ-radiation and absorbed dose within the specified service life (for the SR CS components located in the controlled access area);

concentration limits for corrosive and other chemical agents;

dust concentration limits;

time limit of external impact within which the safety-related control system shall retain its operability.

71. Safety-related control systems shall be resistant to mechanical impacts characterized by the sinusoidal vibration and mechanical shock parameters and also parameters of seismic impacts specified in the NPP design.

 

Electromagnetic compatibility

 

72. Requirements for electromagnetic compatibility shall be established in the NPP design including the following:

requirements for resistance of the safety-related control systems to the impact of electromagnetic conditions (interference) from the power supply grid, the grounding circuit, the signal and command transmission circuits, communication lines, local networks as well as via the room space (hereinafter - noise immunity);

limitation of any potential adverse impact of the safety-related control system components on other systems (components) via common or electrically connected circuits as well as via the room space due to electromagnetic processes in the course of actuation, operation, malfunctions and (or) disabling of the safety-related control systems (hereinafter - noise emission).

73. When defining noise immunity requirements for the safety-related control systems in the NPP design the types of potential interference, intensity of each type of interference and quality criteria for functioning of the above-mentioned systems in the course of noise immunity testing shall be specified.

74. Noise immunity requirements for the safety-related control systems shall be specified in the NPP design for the following types of interference:

static discharges on the casing, controls and outer cable shields;

microsecond pulse interference in the power supply circuits;

nanosecond pulse interference from external sources to the information circuits and power supply circuits;

emitted radio frequency interference;

dynamic power supply voltage changes;

power frequency magnetic fields;

pulse magnetic fields;

short-term sinusoidal interference in the protective and signal grounding circuits;

microsecond pulse interference in the protective and signal grounding circuits.

75. The NPP design shall establish the requirements for safety-related control systems with regard to permissible noise emission particularly to the power supply and grounding circuits.

76. Noise emission tests shall be performed for safety-related control systems. Testing conditions including configuration of equipment and connection lines in the course of testing shall be as close to the design conditions as possible. Use of any additional grounding and noise reduction devices not provided in the NPP design in the course of testing is not permitted.

77. Noise emission testing of safety-related control systems shall be performed, and the electromagnetic environment shall be checked, in the course of the NPP power unit commissioning and also after refurbishment of the safety-related control systems and adjacent systems, directly at the operation site upon the request of the operating organization.

78. Sufficiency of the provided electromagnetic protection measures shall be substantiated in the NPP design.

 

X. Requirements for compliance assessment for the components of safety-related control systems

 

79. Components of safety-related control systems supplied to the NPP shall be subject to assessment for compliance with the requirements of federal rules and regulations in the field of atomic energy use included into the terms of reference for development of these systems prior to commencement of their operation.

80. Compliance assessment for the SR CS components shall be performed in the form of acceptance and in the form of testing according to the requirements of federal rules and regulations in the field of atomic energy use for compliance assessment of equipment, component parts, materials and semi-finished products supplied to nuclear facilities. Operability of the above-mentioned components within the design service life under the conditions specified in the NPP design shall be assessed subsequent to the results of these tests.

81. Compliance assessment for the SR CS components shall include:

determination of requirements for these components (in accordance with par. 79 of these Rules);

obtaining of data on actual properties and characteristics of these components (by testing);

comparison of the actual properties and characteristics of these components with the established requirements;

making decision on compliance or non-compliance of each component with the established requirements.

 

XI. Requirements for testing of safety-related control systems

 

82. Prior to commencement of operation the following shall be performed for each safety-related control system:

independent and integrated testing of the system components and acceptance testing of the system outside the NPP in order to make the decision on the possibility for the SR CS supply to the NPP site;

commissioning works and independent testing at the NPP site;

integrated testing of the system at the NPP site;

trial operation of the system;

acceptance testing of the system.

83. Independent testing of the SR CS components and integrated testing of the system shall be performed outside the NPP (for example at the testing site provided by the system manufacturer (supplier)) in accordance with the testing programs approved by the operating organization.

Acceptance testing of the SR CS components shall be performed before the system is supplied to the NPP. In case of split supply of the SR CS equipment to the NPP, acceptance testing of the system may be performed after delivery of the system equipment to the NPP, in accordance with a separate resolution approved by the operating organization.

84. Independent testing of the safety-related control systems at the NPP shall be performed in order to check and adjust all components of the system and to determine the readiness of the system for integrated testing. Integrated testing of the safety-related control systems shall be performed in order to check and adjust the joint functioning of the system components. Integrated testing of the safety-related control systems shall confirm that each control or information function of the system is performed in accordance with the requirements of the design (terms of reference). Readiness of the safety-related control system for trial operation shall be determined based on the results of integrated testing.

85. Trial operation of the safety-related control system shall be performed by the NPP personnel in order to confirm actual quantitative and qualitative characteristics of the system and their compliance with the requirements established in the technical design (terms of reference) for the system development, to assess the NPP personnel preparedness for operation of the system and to assess and update the operation documentation.

86. Acceptance testing shall be performed in order to determine compliance of the safety-related control system with the technical design (terms of reference), to assess the quality of trial operation and to make the decision on whether the system can be accepted for operation.

87. The operating organization shall appoint a commission to perform acceptance testing of the safety-related control system, with participation of the NPP (system) designer and the system manufacturer (supplier).

88. At the NPP power unit commissioning stages the safety-related control systems shall be tested for stability of the automatic control circuits according to the programs providing for real initiating signals with impact on the controlled objects.

89. Information on the results of the SR CS testing performed prior to commencement of the system operation shall be included into the NPP SAR.

90. Safety-related control systems shall be checked for correct functioning in the course of operation.

 

XII. Requirements for operation and refurbishment of

safety-related control systems

 

91. Prior to commencement of operation of a newly developed or refurbished safety-related control system the necessary amendments shall be introduced to the NPP operation documentation.

92. Information on the service equipment kit as well as on the SPTA set used for installation, maintenance and restoration of the system components shall be specified for each safety-related control system in the NPP operation documentation. The list of service equipment and SPTA shall be determined and substantiated in the NPP design.

93. Operability of any safety-related control system and its components shall be restored by replacing faulty replaceable component parts with operable ones from the SPTA set. Faulty components that have no replaceable component parts shall be replaced completely. After the replacement, a functional check of the relevant safety-related control system shall be performed, as well as calibration of those measuring channels and alarm systems whose characteristics could have been affected by the replacement.

94. Safety-related control systems shall be operated in accordance with the operation guidelines for these systems and also in accordance with the process regulations for the NPP power unit operation.

95. In-process and scheduled maintenance of the components shall be performed during operation of safety-related control systems.

96. Technical condition of safety-related control systems shall be checked regularly in the course of scheduled maintenance and of scheduled preventive repair of the NPP power unit. Regular checks shall cover the system components for which no continuous automatic verification (diagnostics) is provided, as well as those characteristics of the above-mentioned systems that cannot be monitored automatically.

97. Compatibility of the newly installed equipment with the equipment remaining in operation shall be ensured in the course of refurbishment for safety-related control systems and their components.

98. Assessment of the residual lifetime of the equipment, and the measures aimed at extending the design service life of the safety-related control systems and their components, shall be performed within the framework of the lifetime management program for the NPP equipment.

 

 

 

 

 

Appendix 1

to federal rules and regulations

in the field of atomic energy use

"Requirements for safety-related

control systems of nuclear power plants"

approved by Order of the Federal

Environmental, Industrial

and Nuclear Supervision Service

dated 16 November 2016 No. 483

 

ABBREVIATIONS

 

NPP - Nuclear Power Plant

MCR - Main Control Room

SPTA - Spare Parts, Tools and Accessories

SAR - Safety Analysis Report

SW - Software

ECR - Emergency Control Room

RP - Reactor Plant

SS - Safety System

CSS – Control Safety System

SR CS - Safety-Related Control System

SR NOCS - Safety-Related Normal Operation Control System

 

 

 

 

 

Appendix 2

to federal rules and regulations

in the field of atomic energy use

"Requirements for safety-related

control systems of nuclear power plants"

approved by Order of the Federal

Environmental, Industrial

and Nuclear Supervision Service

dated 16 November 2016 No. 483

 

TERMS AND DEFINITIONS

 

The following terms and their definitions are used for the purposes of these rules.

 

1. Automated NPP control - control performed with involvement of the personnel through the use of the safety-related control system (systems).

2. Automatic control - control performed by the safety-related control system (systems) without any involvement of the personnel.

3. Firmware devices - programmable digital devices where the software is an integral (inseparable) part of the hardware (a processor containing a microcode may serve as an example of a firmware device).

4. Interlock - a control function aimed to prevent or to stop any actions of the personnel, a safety-related control system or a controlled object.

5. Activation of the protection (interlock) - the set of operations provided in the NPP design and specified in the operation documentation which brings the safety-related control system into the state when the protection (interlock) will be actuated upon occurrence of the conditions requiring its operation in accordance with the NPP design.

6. Verification - confirmation, on the basis of objective evidence, that the result of any activity at any life cycle stage of the safety-related NPP control system has been obtained in accordance with the requirements for this system at this stage of the system life cycle.

7. Disabling of the protection (interlock) - the set of operations provided in the NPP design and specified in the operation documentation which brings the safety-related control system into the state when the protection (interlock) will not be actuated upon occurrence of the conditions requiring its operation in accordance with the NPP design.

8. Life cycle of the safety-related control system - the set of development stages passed by the safety-related control system within the period of its existence including the following stages: development of the terms of reference, design, manufacturing, testing, acceptance, installation, adjustment and operation.

9. Protection - a control function aimed to prevent:

damages, failures, breakage of the protected equipment or components of control systems;

operation of any faulty equipment or components of control systems;

undesirable control actions of the personnel.

10. Measuring channel (control channel) - a functionally separated part of the system performing the complete function from reception of the measured value to obtaining the measurement result.

11. Human-machine interface - the set of technical measures prescribed in the NPP design in order to provide the required information and opportunities for the NPP operator to control and monitor the NPP systems and components.

12. Information function - the set of actions of safety-related control systems (functional group) aimed to achieve a certain purpose defined in the NPP design documentation (except for the auxiliary actions of the above-mentioned systems (functional group)) and providing information to the NPP personnel with regard to the state and characteristics (parameters) of the NPP systems, components or the entire NPP without direct control of any object.

13. Channel (of the system, functional group) - a part of a system (functional group) performing the system (functional group) function within the scope defined in the NPP design.

14. Integrated testing of the safety-related control system - testing of the safety-related control system in its operation modes provided in the NPP design for normal operation conditions and any NPP operational occurrences.

15. Controlled safe state of the nuclear power plant - the NPP state which can be maintained for an unlimited period of time and in which all basic NPP safety functions specified in the General Safety Provisions for Nuclear Power Plants are ensured.

16. Unauthorized access - access to any NPP system equipment (components) not permitted in accordance with the established procedure.

17. Trial operation of the safety-related control system - operation of a safety-related control system at the NPP in order to determine actual characteristics of the safety-related control system, to confirm their compliance with the design documentation requirements and to assess preparedness of the NPP personnel for operation of the safety-related control system.

18. Acceptance testing of the safety-related control system - testing performed after trial operation of the safety-related control system at the NPP in order to determine compliance of the system with the technical design (terms of reference) and to assess the trial operation quality.

19. Programmable digital devices - components of control systems with the use of software (including firmware devices).

20. Time-standard system - precise synchronization of clocks for all computation nodes within safety-related control systems of the NPP.

21. Special-purpose hardware for beyond design basis accident management - control systems (components) provided in the NPP design for management of beyond design basis accidents.

22. Control system - a NPP system performing control of any object (objects) in accordance with the preset aims, criteria and limitations.

23. Safety-related control system - a control system classified as safety-related in accordance with its impact on the NPP safety.

24. Control function - a set of actions of safety-related control systems (functional group) aimed to achieve a certain purpose defined in the NPP design documentation and performing control of any object (NPP system or component) in accordance with the preset aims, criteria and limitations.

25. Control safety systems (components) - systems (components) intended to initiate actions of safety systems and to assure control and monitoring thereof during performance of the prescribed functions.

26. Normal operation control systems (components) - systems (components) intended to initiate actions of normal operation systems and to assure control and monitoring thereof during performance of the prescribed functions.

27. Functional group - a set of the SR CS components performing a control or information function within the scope defined in the NPP design.

 

 

 

 

