ML19323B959

Criteria for Safety-Related Electrical Equipment for Nuclear Power Generating Stations
ML19323B959
Person / Time
Site: Crane
Issue date: 07/03/1974
From: BABCOCK & WILCOX CO.
To:
Shared Package: ML19323B958
References: TASK-TF, TASK-TMR, NUDOCS 8005140457


Text


Revision 0 - May u, we:


CRITERIA FOR SAFETY RELATED ELECTRICAL EQUIPMENT FOR NUCLEAR POWER GENERATING STATIONS

1. Scope

These criteria establish minimum requirements for the safety-related functional performance and reliability of electrical equipment for stationary nuclear reactors producing steam for electric power generation. For purposes of these criteria, the nuclear power generating station safety related electrical equipment encompasses the following:

Safety Class 1 Electrical Equipment would apply to any electrical equipment contained in an electrical system the failure of which could cause an ANS Condition III or Condition IV loss of reactor coolant.

There is no electrical equipment in Safety Class 1 and, thus, requirements for Safety Class 1 Electrical Equipment have not been developed.

Safety Class 2 Electrical Equipment applies to the electrical equipment:

a. That is required to perform these safety system functions: shut down the reactor, isolate the reactor containment, cool the reactor core, cool the reactor containment, maintain hydrogen inside the reactor containment to within acceptable limits, and maintain radioactivity inside or outside the reactor containment to within acceptable limits.

b. That is provided in the way of interlocks to prevent an operator error which could lead to a Condition III or IV accident.

c. That is required to maintain the plant in a safe and secure shutdown condition.

d. That is required to enable the operator to take manual action essential to safety during the course of an accident or during post accident control.

e. That is required to remove decay heat from spent fuel.

f. That is required to provide and distribute energy for the functions of Items a through e above.

Safety Class 3 Electrical Equipment applies to the electrical equipment not in Safety Class 2:

a. That is required to verify that plant operating conditions are within limits assumed for the safety analysis of the plant.

b. That is required to indicate the status of safety system bypasses that are not automatically removed as part of the safety system operation.

c. That is required to monitor radioactive effluents to assure that release rates and total releases are within limits established for plant operation.

2. Definitions

The definitions in this section establish the meanings of words in the context of their use in these criteria.

Electrical Equipment. Electrical equipment applies to electric motors, electric generators, and other equipment which employs electro-mechanical principles such as control rod drive mechanisms, circuit breakers, and other hardware. It applies also to electrical and electronic devices and pneumatic and hydraulic instrumentation and actuators necessary to the functioning of instrumentation or actuator systems.

Safety System. A safety system in these criteria is any system performing the functions listed in the Scope under Safety Class 2 item (a).

Safety Related Electrical Equipment. Safety related electrical equipment is equipment in safety classes as defined above.

Components. Items from which the system is assembled (for example, resistors, capacitors, wires, connectors, transistors, tubes, switches, springs, etc.).

Module. Any assembly of interconnected components which constitutes an identifiable device, instrument, or piece of equipment. A module can be disconnected, removed as a unit, and replaced with a spare. It has definable performance characteristics which permit it to be tested as a unit. A module could be a card or other subassembly of a larger device, provided it meets the requirements of this definition.

Channel. An arrangement of components and modules as required to generate a single information signal to monitor a generating station condition or to generate a single signal to actuate safety related equipment when required by a generating station condition.

System. The word system refers to an assembly of electric and mechanical devices and circuitry (including sensors) involved in performing a particular safety function.

Train. A train of equipment refers to a portion of a system which is capable of independently performing a safety function at some fraction of the capability of the entire system. Redundant trains may be provided in order that the portion of a system which remains operable following the failure of one train will in all cases be sufficient to maintain applicable nuclear safety limits.

Type Tests. Tests made on one or more units to verify adequacy of design.

3. Requirements

Protection Systems are considered to be Safety Class 2 electrical equipment. The design requirements for Protection Systems are given in IEEE Standard 279-1971 "Criteria for Protection Systems for Nuclear Power Generating Stations".

The requirements which follow apply to Safety Class 2 and Safety Class 3 electrical equipment other than the Protection Systems.

3.1 General Functional Requirement. The nuclear power generating station safety related electrical equipment shall, with precision and reliability, perform its safety related functions. This requirement applies for the full range of environmental and plant conditions under which the equipment has a safety function.

3.2 Single Failure Criterion. No single failure shall prevent any safety related electrical system (or combination of electrical systems) from performing its (or their) minimum safety related function.

For Safety Class 3 electrical systems, the single failure criterion need not be met provided the plant can be put into a condition where the equipment lost as a result of the failure is not required. However, the reliability of the system design should minimize forced restrictions in plant operation due to a failure.

For Safety Class 3 electrical systems, identified postulated single failures which could result in the loss of a safety function shall be detectable. A postulated failure mode can be made detectable by the use of appropriate alarms or by providing means for periodic testing. If alarms are used to meet this criterion, the equipment and each status alarm related to that equipment must be separate to the extent required to assure that a postulated failure cannot cause failure of both the system and the related alarm. For information systems, failures can also be made detectable by the use of redundant channels to monitor the same parameter or by the use of one channel to monitor one parameter and an appropriate backup channel to monitor another functionally equivalent parameter. In these cases, a failure can be detected by comparing one channel display against a second channel display.

A single failure includes such events as the shorting or open-circuiting of interconnecting signal or power cables. It also includes single credible malfunctions or events that cause a number of consequential component, module, or channel failures. For example, the overheating of an amplifier module is a single failure even though several transistor failures result. Mechanical damage to a mode switch would be a single failure although several channels might become involved.

3.3 Quality of Components and Modules. Components and modules shall be of a quality that is consistent with minimum maintenance requirements and low failure rates. Quality levels shall be achieved through the specification of requirements known to promote high quality, such as requirements for design, for the derating of components, for manufacturing, quality control, inspection, calibration, and test.

3.4 Equipment Qualification. Type test data or reasonable engineering extrapolation based on test data shall be available to verify that safety related equipment shall meet, on a continuing basis, the safety performance requirements. Safety Class 3 equipment need not be qualified for accident environments or for seismic events provided that the plant can be put into a condition where the equipment is not required following either an accident or seismic event.

3.5 Safety System Integrity. All Safety Class 2 equipment shall be designed to maintain functional capability under extremes of conditions (as applicable) relating to environment, energy supply, accidents, and seismic events. Safety Class 3 equipment need not be designed to maintain functional capability following an accident or seismic event provided that the plant can be put into a condition where the equipment is not required following either an accident or seismic event.

3.6 System Redundant Channel or Train Independence. Redundant channels or trains of Safety Class 2 equipment that provide the same safety function shall be independent and physically separated to accomplish decoupling of the effects of unsafe environmental factors, electric transients, and physical accident consequences, and to reduce the likelihood of interactions between redundant channels or trains of equipment during maintenance operations or in the event of a malfunction in one redundant channel or train.

For Safety Class 3 systems where the requirements of Section 3.2 are met by the use of redundant channels or trains of equipment, the redundant channels or trains that provide the same safety function shall be electrically independent to accomplish decoupling of the effects of electric transients and to reduce the likelihood of interaction between redundant channels or trains during maintenance operations or in the event of equipment malfunction. Redundant channels or trains of Safety Class 3 equipment need not be physically separated provided the plant can be put into a condition where the equipment is not required should all redundant channels or trains be physically damaged.

In lieu of providing independent and redundant channels or trains for the performance of one safety function, an appropriate backup may be provided by another system which performs an equivalent safety function. The system used to provide the safety function and its functionally equivalent backup system should be separate and independent to the same extent as required for redundant channels above.

3.7 Interfaces Between Equipment of One Safety Class and That of a Lower Safety Class.

3.7.1 Classification of Equipment. Equipment shall be classified in a Safety Class consistent with its most important function related to nuclear safety.

3.7.2 Isolation Devices. The transmission of signals or power from Safety Class 2 equipment to equipment of a lower safety class (including non nuclear safety equipment) shall be through isolation devices which shall be classified as Safety Class 2 and designed to the criteria applicable to Safety Class 2 equipment. No credible failure at the output of an isolation device shall prevent the equipment in Safety Class 2 from meeting the minimum performance requirements. Examples of credible failures include short circuits, open circuits, grounds, and the application of the maximum credible ac or dc potential. A failure in an isolation device is evaluated in the same manner as a failure of other equipment in Safety Class 2.

The transmission of signals or power from Safety Class 3 equipment to non nuclear safety equipment need be through isolation devices only if the isolation is required to meet the criteria of Section 3.2.

3.7.3 Physical Interaction Between Equipment in Different Safety Classes. The physical location of Safety Class 2 and 3 equipment and non nuclear safety equipment must be such that any physical interaction between equipment in a lower safety class (including non nuclear safety equipment) and equipment in a higher safety class shall not prevent the equipment in the higher safety class from meeting the minimum performance requirements. The effects of physical interaction on Safety Class 2 equipment must include any interaction resulting from applicable accidents and from seismic events. The effects of physical interaction on Safety Class 3 equipment need not include interaction resulting from accidents or seismic events provided that the plant can be put into a condition where the equipment is not required following an accident or seismic event.

3.7.4 Single Random Failure. Where a single random failure can cause a condition requiring the use of safety related equipment and can also prevent proper performance of one or more channels or trains of safety related equipment, the remaining safety related equipment shall be capable of performing the minimum required functions even when degraded by a second random failure.

3.8 Derivation of System Inputs. To the extent feasible and practical, inputs to safety related equipment shall be derived from signals that are direct measures of the desired variables.

3.9 Power Source. Safety Class 2 equipment shall be capable of operation independent of off-site power availability unless a documented design basis is prepared demonstrating that operability without off-site power is unnecessary. Safety Class 3 equipment need not be capable of operating independent of off-site power availability if the plant can be put in a condition where the equipment is not required, following a loss of off-site power.

3.10 Capability of Sensor Checks. Means shall be provided for checking, with a high degree of confidence, the operational availability during reactor operation of each sensor to provide input for any safety related electrical equipment. This may be accomplished in various ways, for example:

1. by varying the monitored variable; or

2. by introducing and varying, as appropriate, a substitute input to the sensor of the same nature as the measured variable; or

3. by cross-checking between channels that bear a known relationship to each other and that have readouts available.

3.11 Capability for Test and Calibration. Capability shall be provided for testing and calibrating safety related electrical equipment. For equipment where the required interval between testing will be less than the normal time interval between generating station shutdowns, there shall, to the maximum extent possible, be capability for testing during power operation.

3.12 Safety Equipment Bypass or Removal from Operation. Safety Class 2 equipment shall be arranged in systems such that one channel or train of equipment can be maintained, and when required, tested or calibrated during power operation without interfering with plant operations. Safety related equipment arranged in two redundant channels or trains is permitted to violate the single failure criterion during bypass of one channel or train provided that acceptable reliability of operation can be otherwise demonstrated. The bypass time interval allowed for a maintenance operation will be specified in the plant Technical Specifications.

Safety Class 3 equipment need not be provided with sufficient redundancy to permit bypass and maintenance of one channel or train during power operation provided the plant can be brought to a condition where the Safety Class 3 equipment is not needed should bypass and maintenance be required.

3.13 Access to Means for Bypassing. The design shall permit the administrative control of the means for manually bypassing safety related equipment.

3.14 Access to Setpoint Adjustments, Calibration and Test Points. The design shall permit the administrative control of access to all setpoint adjustments, equipment calibration adjustments, and test points.

3.15 Identification of Redundant Safety Equipment Trains. Safety Class 2 redundant equipment channels or trains shall be identified down to the channel or train level. Safety Class 3 redundant equipment channels or trains shall be identified down to the channel or train level if for the particular equipment involved the design basis requires physical separation of the redundant channels or trains. This identification shall distinguish between redundant portions of the safety class system. In the installed equipment, components or modules mounted in assemblies that are clearly identified as being in a safety class do not themselves require identification.

3.16 Information Readout. One of the channels used to monitor each parameter providing the information required to perform the function listed in the Scope under Safety Class 2 item (d) shall be recorded to provide a historical record of the behavior of the parameter. The equipment used to record information need not be redundant nor meet the single failure criterion. A failure of the recording equipment should not negate the operability of the remaining portion of the information channel.

3.17 Repair of Safety Related Equipment. Safety related equipment shall be designed to facilitate the recognition, location, replacement, repair, or adjustment of malfunctioning components or modules.

Criteria for Electric Equipment Safety Classes

| | Single Failure (System Requirement) | Detectability of Postulated Failures (System Requirement) | Electrical Separation (System Requirement) | Physical Separation (System Requirement) | Seismic Qualification (Equipment Requirement) |
|---|---|---|---|---|---|
| Safety Class II | Yes | Yes | Yes | Yes | Yes |
| Safety Class III | No, provided the plant can be put into a condition where the equipment lost as a result of the failure is not required. | Yes | Yes, where redundancy or diversity is used to meet the failure criteria. | No, provided the plant can be put into a condition where the equipment is not required should it be physically damaged. | No, provided the plant can be put into a condition where the equipment is not required following a seismic event. |

| | Accident Environment Qualification (Equipment Requirement) | Quality Assurance (Equipment Requirement) | Independent of Off-Site Power (System Requirement) | Color Coded Redundancy (System Requirement) |
|---|---|---|---|---|
| Safety Class II | For any accident during which equipment is required. | Yes | Yes, unless reason for not is documented in design basis. | Yes |
| Safety Class III | No, provided the plant can be put into a condition where the equipment is not required following an accident. | Yes | No, provided the plant can be put into a condition where the equipment is not required following a loss of offsite power. | No, unless physical separation of redundant or diverse channels or trains is required. |