ML19324C057

Forwards Draft Ansi/Ans 15.20, Criteria for Reactor & Safety Sys for Research Reactors, for Comment by 891124
Person / Time
Issue date: 11/02/1989
From: Michaels T
Office of Nuclear Reactor Regulation
To: Newberry S
Office of Nuclear Reactor Regulation
References
NUDOCS 8911130288


Text

November 2, 1989

MEMORANDUM FOR: Scott Newberry, Chief
                Instrumentation and Control Systems Branch
                Division of Engineering and Systems Technology

FROM:           Theodore S. Michaels, Senior Project Manager
                Non-Power Reactor, Decommissioning and Environmental Project Directorate
                Division of Reactor Projects - III, IV, V and Special Projects

SUBJECT:        REVIEW OF DRAFT ANSI/ANS 15.20 - CRITERIA FOR THE REACTOR AND SAFETY SYSTEMS FOR RESEARCH REACTORS

A Working Group has been formed to rewrite ANS 15.15 - Criteria for the Reactor Safety Systems of Research Reactors (1978:R86), which will be withdrawn when the new standard, ANS 15.20, is ready for approval. The new standard will include digital control systems.

A draft "strawman" has been developed for review (Enclosure 1). Also enclosed are draft inputs to go into the standard under the Hardware and Software sections (Enclosures 2 & 3). Your assistance is requested in reviewing these sections and the draft of ANS 15.20 (Enclosure 1).

Your comments/concurrence are requested by November 24, 1989.

If you will be unable to meet this date, please notify me at x21102 within 10 days of the date of this memorandum.

Original signed by:

Theodore S. Michaels, Senior Project Manager
Non-Power Reactor, Decommissioning and Environmental Project Directorate
Division of Reactor Projects - III, IV, V and Special Projects

Enclosures: As stated

cc:

A. Adams

DISTRIBUTION:
File
PDNP r/f
WTravers
TMichaels
[TM M2 SNEWBERRY]

PDNP:PM
TMichaels:dmj
11/  /89

UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555

November 2, 1989


DRAFT ANSI/ANS 15.20
November 1989

Criteria for the Reactor and Safety Systems for Research Reactors

FOREWORD

(This foreword is not a part of American National Standard Criteria for the Control and Safety Systems of Research Reactors, ANSI/ANS-15.20-19XX)

The American Nuclear Society Standards Secretariat established subcommittee ANS-15 in the fall of 1970 with the task of preparing a standard on the operation of research reactors. In January 1972 this charter was expanded to the multiple tasks of preparing all standards for research reactors. To implement this enlarged responsibility, a number of subcommittee working groups have been established to develop standards for consideration and complementary action by subcommittee ANS-15.

In 1978, a standard dealing with reactor safety systems at research reactors was published; ANSI/ANS-15.15-1978, "Criteria for the Reactor Safety Systems of Research Reactors." In 1987, subcommittee ANS-15 decided that the standard should be revised in light of the advent and use of computer technology in research reactors which could potentially affect the relationship of control and safety systems associated with research reactors. Accordingly, a new working group, ANS-15.15, was established in the fall of 1987 under the chairmanship of Dr. Robert C. Nelson of the United States Air Force with the task of developing an updated standard for control and safety systems at research reactors. The final work group draft was completed and reviewed by ANS-15 on ______. The standard was approved by ANS-15 on ______ and presented for processing by N-17 on ______. The standard has been redesignated as ANSI/ANS-15.20-19XX, "Criteria for the Reactor Safety Systems for Research Reactors."

The membership of ANS-15.20 at the time of completion of the revised standard was:

Robert C. Nelson, Chairman, United States Air Force
John Bernard, Massachusetts Institute of Technology
Bill Hyde, General Atomics
Robert Walston, U.S. Department of Energy
Junaid Razvi, General Atomics
Frank DiMeglio, Rhode Island Atomic Energy Commission
Phil Middleton, MIDCO Inc.
______, Sandia National Laboratories
______, Los Alamos National Laboratory
______, Nuclear Regulatory Commission

Several of the requirements of this standard are based on the collective judgment and experience of the work group as applied to this class of reactors. The composition of the work group offers a broad spectrum of expertise in research reactor operation, control, and safety system development and engineering. They represent a wide variety of research reactors, large and small, and come from universities, national laboratories, government, and private industry. Therefore, the requirements specified in the standard represent a reasonable and responsible approach to the design of control and safety systems for research reactors.

In preparing this standard, the intent has been to specify objectives which:

a. Describe a systematic approach to establishing requirements for the control system of a new research reactor which is commensurate with the risks involved.

b. Describe a systematic approach to establishing requirements for the Reactor Safety System (RSS) of a new research reactor which is commensurate with the risks involved.

c. Ensure that important items such as safety interlocks are given proper attention with the greatest degree of latitude given the designer that safety permits.

In this process of creating standards against the background of established and varied practices in many operating facilities, it is important to consider that

a. It is not intended that the standard be used as a demand model for backfitting purposes.

b. It should be a vital aid for existing and new owner-agency.

c. It should be helpful for the facility undergoing change/modification.

d. Its thoughtful use by industry should ease the burden of regulatory agencies.

The family of standards and task assignments include:

ANS-15.1  Development of Technical Specifications for Research Reactors
ANS-15.2  Quality Control for Plate-Type Uranium-Aluminum Fuel Elements
ANS-15.4  Selection and Training of Personnel for Research Reactors
ANS-15.7  Research Reactor Site Evaluation
ANS-15.8  Quality Assurance Program Requirements for Research Reactors
ANS-15.10 Decommissioning of Research Reactors

ANS-15.11 Radiological Protection of Research Reactor Facilities
ANS-15.14 Physical Security for Research Reactors
ANS-15.16 Emergency Planning for Research Reactors
ANS-15.17 Fire Protection Criteria for Research Reactors
ANS-15.19 Shipment and Receipt of Special Nuclear Material (SNM) by Research Reactor Facilities
ANS-15.20 Criteria for the Reactor Safety Systems for Research Reactors

The membership of Subcommittee ANS-15 at the time of its approval of this standard was:

W. J. Richards, Chairman, McClellan Air Force Base
L. C. Brinkerhoff, U.S. Department of Energy
W. J. Brynda, Brookhaven National Laboratory
B. L. Corbett, ORNL, Martin Marietta Energy Systems, Inc.
A. F. DiMeglio, R. I. Nuclear Science Center
J. P. Farrar, University of Virginia
D. E. Feltz, Texas A & M University
T. F. Luera, Sandia National Laboratory
C. W. Nelson, University of Arizona
R. C. Nelson, United States Air Force
D. P. Pruett, Argonne National Laboratory - West
T. M. Raby, U.S. National Institute of Standards and Technology
E. Roybal, U.S. Department of Energy
L. S. Rubenstein, U.S. Nuclear Regulatory Commission
R. R. Walston, U.S. Department of Energy

M. H. Voth, Pennsylvania State University
W. L. Whittemore, General Atomics

The American National Standards Committee N-17 Research Reactors, Reactor Physics, and Radiation Shielding had the following membership at the time it reviewed and approved this standard:

R. S. Carter, Chairman
T. M. Raby, Secretary

Organization                                   Representative
American College of Radiology                  M. M. Ter Pogossian
American Institute of Chemical Engineers       D. Duffey
American Nuclear Society                       R. S. Carter
American Physical Society                      H. Goldstein
American Public Health Association             W. A. Holt
Health Physics Society                         S. H. Brown
                                               A. C. Johnson (Alt)
National Institute of Standards & Technology   T. M. Raby
U. S. Department of Energy                     P. B. Hemming
                                               J. W. Levellen (Alt)
U. S. Nuclear Regulatory Commission            L. I. Kopp (ANS-10)
                                               L. S. Rubenstein
McClellan Air Force Base                       W. J. Richards (ANS-15)
ORNL, Martin Marietta Energy Systems, Inc.     D. K. Trubey (ANS-6)
Union Carbide Corp (retired)                   A. D. Callihan (ANS-1)
U. S. Army, White Sands Missile Range          A. DeLaFaz (ANS-14)
Individual Members                             J. D. Buchanan
                                               W. L. Whittemore
                                               R. E. Carter
                                               J. E. Olhoeft
                                               A. Weitzberg

Criteria for the Control and Safety Systems of Research Reactors

1. SCOPE

This standard documents the criteria from which design requirements are established for the reactor safety system of an individual research reactor.

2. PURPOSE

This standard is intended to serve the research reactor community for establishing criteria for control and safety systems. Its application should be in lieu of ad hoc application of part or all of any similar standards for power reactors.

3. DEFINITIONS

The following terms are defined in order to establish their usage in this standard and to document the meaning of terms used frequently in the community. The definitions of several terms (such as Safety Limit, Limiting Safety System Setting, Engineered Safety Feature, Safety Analysis Report, and Restricted Area) are not included because they are generally well known or are readily available in other documents such as Title 10, Code of Federal Regulations, Part 20, "Standards for Protection Against Radiation;" Title 10, Code of Federal Regulations, Part 50, "Licensing of Production and Utilization Facilities;" and American National Standard for the Development of Technical Specifications for Research Reactors.

bypass. The deliberate inhibition of the capability to provide a protective action; for example, the application of a short circuit across the contacts of a low-flow trip relay either in order to perform a test of the channel or to operate in a natural convection mode.

credible. A postulated event or condition is considered credible unless it has been shown to have a probability of occurrence that is so infinitesimal that there is virtually no chance that it will occur. (Usually taken to be an event probability > 10^-4.)

Design Basis Event (DBE). Anticipated operational occurrence (such as the loss of coolant flow or a reactivity excursion) which is used to determine the specific design requirements for the reactor safety system.

negligible-risk research reactor. A research reactor for which, in the postulated event of the complete failure of the reactor safety system coincident with the occurrence of the most adverse Design Basis Event, the radiological consequences with respect to Public Health and Safety would be negligible. Negligible radiological consequences are taken to be an exposure/release of radioactivity, in one day due to an accident, in a quantity which would not exceed the limit permitted to be released over a year due to routine operations. Specifically, the consequences could not exceed:

(1) the exposure of the whole body* of an individual in an unrestricted area to 0.5 rem of radiation or the exposure of "any other organ" of such an individual to 1.5 rem of radiation; or

(2) the exposure of the whole body* of an individual located at an allowed position in a restricted area of the reactor facility to 5 rem of radiation or the exposure of "any other organ" of such individual to 15 rem of radiation; or

(3) the release of radioactive materials in concentrations at a point where a member of the public could be located which, if averaged over a period of 24 hours, would exceed 365 times the limits specified for such materials in Title 10, Code of Federal Regulations, Part 20, Appendix B, "Concentrations in Air and Water above Natural Background," Table II.

operable. Capable of performing the intended function (providing the protective action when required) in an acceptable manner.

protective action. The initiation of a signal or the operation of equipment within the reactor safety system in response to a variable or condition of the reactor facility having reached a limit specified in the Design Basis.

(1) At the protective instrument channel level, protective action is the generation and transmission of a trip signal indicating that a reactor variable has reached the specified limit.

(2) At the protective instrument subsystem level, protective action is the generation and transmission of a trip signal indicating that the decision has been made that a Design Basis Event has occurred.

* The "whole body" value shall also apply to the active blood-forming organs, gonads, fetuses, and lenses of eyes.

Note: Protective action at this level would lead to the operation of the safety shutdown equipment.

(3) At the protective instrument system level, protective action is the generation and transmission of the command signal for the safety shutdown equipment to operate.

(4) At the reactor safety system level, protective action is the operation of sufficient equipment to immediately shut down the reactor.

protective instrument channel. That combination of discrete modules and interconnections necessary to sense one reactor variable related to a Design Basis Event and to initiate and transmit a protective signal if and when that variable reaches the specified limit.

protective instrument subsystem. The combination of protective instrument channels and any decision logic units (e.g., two-out-of-three) necessary to determine that one of the Design Basis Events has occurred and to transmit the necessary protective signals.

shall, should, and may. The word "shall" is used to denote a requirement; the word "should" to denote a recommendation; and the word "may" to denote permission, neither a requirement nor a recommendation.

unsafe failure. Any malfunction such that the unit (i.e., module, channel, subsystem, system, or piece of equipment) is no longer operable. A malfunction which results in the immediate execution of the protective action of the unit is not an unsafe failure.

4. DESIGN BASIS

The reactor control system (RCS) and reactor safety system (RSS) shall have a documented design basis, which shall be kept available to facilitate a determination of the adequacy of the RCS and RSS design, including design changes. Appropriate sections of the safety analysis report may serve this purpose.

4.1 CONTROL SYSTEM.

4.2 SAFETY SYSTEM.

For each mode of operation of the research reactor, the design basis shall address and discuss in appropriate detail at least the following items:

(1) Each Design Basis Event for which the RSS must function; the limits of allowable facility conditions for each event.

(2) The decision criteria for determining which events have consequences capable of transcending the RSS and therefore are to be accommodated by either safety interlocks or engineered safety features.

(3) Safety interlocks to be provided and the specific function of each.

(4) Those protective actions which must be automatic; those which may be solely manual.

(5) The reactor variables to be monitored to detect the occurrence of each Design Basis Event; for those variables that have spatial dependence, the minimum number and locations of sensors needed for safety purposes.

(6) The limiting values of the setpoints at which protective actions must be initiated; requirements to change setpoints to accommodate different modes of operation of the reactor.

(7) The protective instrument subsystem intended to monitor the reactor variables associated with each Design Basis Event; the number of channels required in each subsystem; the required separation between both the units of and interconnections for redundant channels; any required decision logic.

(8) Minimum performance requirements for each protective instrument subsystem including such items as range, accuracy, and response time.

(9) The required characteristics of the safety shutdown equipment including such items as response time and interface with the protective instrument system.

(10) The ranges of external conditions (both steady-state and transient; normal, abnormal, and accident cases) throughout which the RSS must remain operable.

Note: External conditions include such items as the supply power, temperature, humidity, vibration, radiation, fire, explosion, earthquake, flood, lightning, missiles, and wind.

(11) The conditions having the potential for functional degradation of the RSS and for which provisions must be incorporated to retain the capability for protective actions.

(12) Bypass capability needed for any part of the RSS; the permissive conditions associated with the use of each bypass; and related special precautions.

(13) Any design reliability goals for the RSS; the need for test provisions during reactor operations; objectives, methods, and acceptance limits; recommended intervals for checks, tests, and calibrations.

(14) Beyond those normally provided, any quality assurance requirements needed to accommodate any unusual or unique aspects of the design of the RSS.

(15) The administrative controls necessary to satisfy the requirements of this standard in conjunction with the physical features of the RSS.

5. DESIGN CRITERIA

5.1 SINGLE FAILURE

5.1.1 Statement of the Criterion: The reactor safety system (RSS) design shall provide a level of reliability and redundancy such that the RSS can, as a minimum, perform the required protective actions in the presence of any single failure within the RSS concurrent with:

(1) the occurrence of all failures caused by the single failure and
(2) all failures caused by the Design Basis Event.

Specifically the protective actions required are:

(a) those for each safety interlock.
(b) the intended automatic detection of each Design Basis Event and the immediate execution of the safety shutdown of the reactor.
(c) the manual execution of safety shutdown of the reactor.

5.1.2 Application: Except as provided below, the single failure criterion stated above shall be applied to the design of the RSS for each research reactor.

(1) A probabilistic assessment of the RSS may be used to eliminate certain postulated failures from consideration on the basis that such failures are shown not to be credible.

(2) For negligible-risk research reactors, compliance with the single failure criterion for protective actions (a) and (b) of 5.1.1 is not mandatory.

(3) For pulse reactors, compliance with the single failure criterion for protective action (b) in 5.1.1 is not mandatory for those portions of the RSS which function only for reactivity excursion-type events. A pulse reactor is a reactor that has been specially designed with an inherent shutdown mechanism sufficient to allow the reactor to accept large reactivity insertions without exceeding any safety limit.

(4) If trustworthy failure rate data are available, reliability analysis may be used to demonstrate that the RSS satisfies such sufficient reliability goals that exemption from compliance with the single failure criterion for protective actions (a) and (b) in 5.1.1 is justified. The minimum level of reliability considered generally acceptable for this purpose is that equivalent to 95% confidence that operation without the needed protective action for a Design Basis Event will occur no more often than once in the operating life of the research reactor and 95% confidence that such a failure of the RSS will be detected prior to or during the startup for the next day of operation.

(5) As an alternative to compliance with the single failure criterion for protective actions (a) and (b) in 5.1.1, the RSS may include methods that promptly detect unsafe failures and alert the reactor operator, provided that:

(a) the composite reliability of the basic portion of the RSS and its associated fault detection method is comparable to that which would be attained by direct compliance.
(b) the fault detection methods do not introduce credible common failure modes.
(c) written administrative controls are provided which include appropriate specific actions to be taken when a failure is detected.
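The reliability goal in 5.1.2(4) is stated in words only. The following Python is an added illustration written for this page (it is not part of the draft and is not a method the working group endorses) of how that goal can be turned into a number to compare against failure rate data. It assumes, as its own modelling choice, that missed protective actions over the reactor's operating life follow a Poisson distribution with mean equal to the per-demand failure probability times the number of Design Basis Event challenges; the 30-year, 20-challenges-per-year figures in the usage are constructed, not from the draft.

```python
"""Quantitative reading of the 5.1.2(4) reliability goal (added example).

Assumption of this example (the draft states no model): the number X of
missed protective actions over the operating life is Poisson with mean
mu = p * n_demands, where p is the per-demand probability that the needed
protective action is not performed and n_demands is the number of DBE
challenges expected over the life. "95% confidence that a missed action
occurs no more often than once in the operating life" is then read as
P(X <= 1) = exp(-mu) * (1 + mu) >= 0.95.
"""
import math

CONFIDENCE = 0.95  # the 95% figure quoted in 5.1.2(4)


def prob_at_most_one_failure(mu: float) -> float:
    """P(X <= 1) for a Poisson variable with mean mu."""
    return math.exp(-mu) * (1.0 + mu)


def max_mean_failures(confidence: float = CONFIDENCE) -> float:
    """Largest mu for which P(X <= 1) >= confidence, found by bisection.

    P(X <= 1) decreases strictly with mu, so the bracket [0, 10] is safe:
    mu = 0 gives probability 1, mu = 10 gives well under 0.95.
    """
    lo, hi = 0.0, 10.0
    for _ in range(100):
        mid = 0.5 * (lo + hi)
        if prob_at_most_one_failure(mid) >= confidence:
            lo = mid
        else:
            hi = mid
    return lo


def max_per_demand_failure_probability(n_demands: int,
                                       confidence: float = CONFIDENCE) -> float:
    """Per-demand failure probability p that just meets the goal for n_demands."""
    return max_mean_failures(confidence) / n_demands


def detection_goal_met(detection_probability: float,
                       confidence: float = CONFIDENCE) -> bool:
    """Second half of 5.1.2(4): an RSS failure must be detected prior to or
    during the next startup with 95% confidence. With a per-failure detection
    probability from the surveillance programme this is a direct comparison."""
    return detection_probability >= confidence


def meets_reliability_goal(p_fail_per_demand: float, n_demands: int,
                           p_detect: float) -> bool:
    """Both halves of the 5.1.2(4) goal under the Poisson assumption."""
    mu = p_fail_per_demand * n_demands
    return (prob_at_most_one_failure(mu) >= CONFIDENCE
            and detection_goal_met(p_detect))


if __name__ == "__main__":
    mu_max = max_mean_failures()
    print(f"max mean missed actions over life: {mu_max:.4f}")
    # Constructed scenario: 30 operating years, 20 DBE challenges per year.
    n = 30 * 20
    print(f"max per-demand failure probability for {n} demands: "
          f"{max_per_demand_failure_probability(n):.2e}")
    print("meets goal:", meets_reliability_goal(1e-4, n, 0.99))
```

The bisection gives a mean of about 0.355 missed actions over the life; dividing by the expected number of challenges gives the per-demand failure probability the failure rate data must support, which is what 5.1.2(4) asks the reliability analysis to demonstrate before the single failure criterion can be waived.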

5.2 REDUNDANCY.

The following types of redundancy shall be considered. To the extent advantageous and practical, the indicated order of preference shall be incorporated:

(1) Functional diversity - monitoring different reactor variables related to the Design Basis Event.
(2) Equipment diversity - monitoring the same reactor variable using equipment with different principles of operation.
(3) Simple redundancy - monitoring the same reactor variable using duplicate equipment.

5.3 INDEPENDENCE.

Where the application of the single failure criterion is mandatory, the following are also required.

5.3.1 Redundant channels and subsystems shall be physically separated from each other either by suitable barriers or by distances sufficient to accommodate the external conditions detailed in the design basis.

5.3.2 Where signals from redundant units are necessarily brought together, such as at the inputs of logic units, the RSS shall include sufficient isolation to prevent an unsafe failure in one unit from causing an unsafe failure in a redundant unit.

5.3.3 Attention shall be given to the situation where a credible single failure could both initiate a Design Basis Event and cause the loss of the corresponding protective action at the channel or subsystem level. One such situation is where a control system input signal is derived from a protective instrument channel (a neutron-level channel, for example). For any such situation, additional redundancy shall be provided to the extent necessary to assure that loss of protective action at the system level is not credible. The additional units shall themselves satisfy 5.1.2 along with the other requirements of this standard.

5.4 FAIL-SAFE DESIGN.

A design objective shall be that no malfunction within the system, caused solely by the variations of external conditions within the ranges detailed in the design basis, will result in an unsafe failure.
5.5 SETPOINTS.

The RSS shall include physical features that assure that the proper setpoints are automatically made active or include features that facilitate administrative controls to verify the proper setpoints, or both, when the operating mode of the reactor is changed.

5.6 MANUAL INITIATION.

Simple and direct means shall be provided for the reactor operator to immediately activate the safety shutdown equipment.

5.7 BYPASSES.

5.7.1 The design of the RCS and RSS shall provide bypass capability only where necessary to accommodate essential functions such as: changes in the operating mode of the reactor or periodic testing which must be conducted during reactor operation.

5.7.2 Bypass of manual initiation provisions of the RSS shall not be allowed.

5.7.3 The RSS shall include features which either physically provide for or facilitate administrative controls to:

(1) prevent unauthorized use of bypasses,
(2) limit the types and number of simultaneous bypasses for each mode of operation to that shown to be acceptable in the design basis, and
(3) prevent bypasses being inadvertently left active.

5.7.4 The initiation of any bypass during operation shall be immediately announced both audibly and visually. Thereafter, continuous indication of each active bypass shall be provided in the normal and immediate field of vision of the reactor operator.

5.7.5 Bypasses of a part of the RSS to perform periodic testing during reactor operation shall be allowed only when the remainder of the RSS satisfies 5.1.2 and 5.3.4.

For one-out-of-two portions of the RSS: when a bypass is necessary for a brief time to perform periodic testing, compliance with 5.1.2 is not mandatory if the reliability of the portion remaining active has been shown to be acceptable. For example, the time permitted for the bypass has been shown to be so brief that the probability that the active portion might fail during the bypass time is commensurate with the probability that the one-out-of-two system might fail during the normal operating time between tests.

5.8 COMPLETION OF PROTECTIVE ACTIONS.

5.8.1 Each channel shall indicate in a distinctive manner when it is in the tripped state.

5.8.2 Once tripped, the RSS shall remain in the tripped state at the system level and shall indicate the protective instrument subsystem initiating the shutdown until deliberate action is taken by the reactor operator. The manual reset mechanism shall not be capable of preventing the initiation of protective action. The manual reset mechanism for the RSS shall be physically and electrically separate from mechanisms for any acknowledgement and reset for alarms that are not part of the RSS.

5.9 SURVEILLANCE.

5.9.1 The RSS shall include capability for periodic checks, tests and calibrations.

5.9.2 In the event that the disabling of a channel (for example, by the disconnection of a detector) is necessary to conduct a surveillance activity, the RSS shall include either features which physically assure that operability is restored before allowing any operation of the reactor for which the operability is required or features which facilitate administrative controls which specifically accomplish the same function; for example, a prestart instrument checklist.
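Sections 5.7 (bypasses), 5.8 (completion of protective actions) and 5.9.2 (restoration of operability before startup) together describe a small state machine: bounded, authorised, announced bypasses; a trip that latches at the system level and remembers its initiating subsystem; a reset that is separate from alarm acknowledgement and cannot prevent initiation; and a startup permissive tied to channel operability. The Python below is an added example written for this page that exercises those rules together; it is not code from the draft or from any facility, and the mode names, bypass names, per-mode limits and time values are constructed stand-ins for what a design basis (4.2, items 12 and 13) would specify.

```python
"""Bypass accounting and trip latching for a reactor safety system.

Added example for this page, modelled on 5.7, 5.8 and 5.9.2 of the draft; it
is not code from the draft or from any facility. The mode names, bypass names,
per-mode limits and time values are constructed stand-ins for what a real
design basis (4.2, items 12 and 13) would specify.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed design-basis table (5.7.3(2)): bypasses each operating mode may
# use and how many may be active at the same time.
DESIGN_BASIS_BYPASSES = {
    "forced_convection": {"allowed": {"period_trip", "high_temp_trip"}, "max_active": 1},
    "natural_convection": {"allowed": {"low_flow_trip"}, "max_active": 1},
}
MANUAL_INITIATION = "manual_scram"   # 5.7.2: bypass of manual initiation is never allowed


@dataclass
class ReactorSafetySystem:
    mode: str
    tripped: bool = False
    initiating_subsystem: Optional[str] = None            # 5.8.2 indication
    bypasses: dict = field(default_factory=dict)          # name -> permitted expiry time
    announcements: list = field(default_factory=list)     # ("audible"|"visual", text), 5.7.4
    alarm_acknowledged: bool = False                      # non-RSS alarm state

    def request_bypass(self, name, key_authorised, now, max_duration):
        """5.7.3: refuse unauthorised, off-design-basis, excess or unbounded bypasses."""
        if name == MANUAL_INITIATION:
            return "refused: manual initiation cannot be bypassed (5.7.2)"
        if not key_authorised:
            return "refused: unauthorised (5.7.3(1))"
        basis = DESIGN_BASIS_BYPASSES[self.mode]
        if name not in basis["allowed"]:
            return f"refused: {name} not permitted in mode {self.mode} (5.7.3(2))"
        if len(self.active_bypasses(now)) >= basis["max_active"]:
            return "refused: simultaneous bypass limit reached (5.7.3(2))"
        self.bypasses[name] = now + max_duration          # 5.7.3(3): bounded lifetime
        self.announcements.append(("audible", f"bypass {name} active"))  # 5.7.4
        self.announcements.append(("visual", f"bypass {name} active"))
        return "granted"

    def active_bypasses(self, now):
        """5.7.4: the set to be shown continuously to the operator."""
        return {n for n, expiry in self.bypasses.items() if expiry > now}

    def overdue_bypasses(self, now):
        """5.7.3(3): bypasses still set after their permitted time."""
        return {n for n, expiry in self.bypasses.items() if expiry <= now}

    def subsystem_trip(self, subsystem, now):
        """Protective action from a subsystem; an active bypass inhibits it."""
        if subsystem in self.active_bypasses(now):
            return False
        self._latch(subsystem)
        return True

    def manual_scram(self):
        """5.6 and 5.7.2: direct, and never bypassed."""
        self._latch(MANUAL_INITIATION)
        return True

    def _latch(self, source):
        if not self.tripped:
            self.tripped = True
            self.initiating_subsystem = source            # 5.8.2: held until deliberate reset

    def acknowledge_alarm(self):
        """Acknowledgement of a non-RSS alarm: separate from the RSS reset (5.8.2)."""
        self.alarm_acknowledged = True
        return self.tripped                               # trip state untouched

    def reset(self, subsystems_still_demanding):
        """5.8.2: deliberate operator reset. It must not prevent initiation, so the
        RSS stays tripped while any subsystem still demands protective action."""
        if subsystems_still_demanding:
            return False
        self.tripped = False
        self.initiating_subsystem = None
        return True

    def startup_permitted(self, channel_operable):
        """5.9.2: every required channel restored to operable before startup."""
        return not self.tripped and all(channel_operable.values())


if __name__ == "__main__":
    rss = ReactorSafetySystem(mode="forced_convection")
    print(rss.request_bypass("period_trip", key_authorised=True, now=0, max_duration=10))
    print(rss.subsystem_trip("period_trip", now=5), rss.overdue_bypasses(now=12))
    print(rss.subsystem_trip("period_trip", now=12), rss.initiating_subsystem)
```

The expiry time attached to each bypass is one way of meeting 5.7.3(3): once the permitted time has passed, the bypass no longer inhibits the trip and shows up in `overdue_bypasses`, so a bypass left in place by mistake both stops masking the protective action and becomes visible to the operator.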

5.9.3 Where on-line periodic testing is necessary, such testing shall not reduce the capability of the RSS below that required by 5.7.5.

5.10 ACCESS CONTROL.

5.10.1 The RSS shall include physical provisions, such as a keyswitch, to prevent the unauthorized use of the reactor controls.

5.10.2 The RSS shall include physical means, such as recessed screwdriver adjustments or protective covers, to limit access to setpoint and calibration adjustments to the extent necessary to prevent inadvertent misadjustments.

5.11 CLASSIFICATION AND IDENTIFICATION

5.11.1 Any unit that is used both to perform protective actions of the RSS and nonsafety actions shall be classified as part of the RSS.

5.11.2 All RSS equipment, including interconnections, shall be physically marked in a manner that is obvious and is distinctively indicative of RSS equipment. When components or modules are mounted within assemblies that are clearly marked as being part of the RSS, the marking of individual components or modules is not required.

5.11.3 RSS features on drawings, design change documents, etc. shall be distinctively identified. All RSS drawings shall be kept current.

6. QUALITY ASSURANCE.

6.1 The quality assurance requirements for the RSS are to be satisfied through the overall quality assurance program approved for the reactor facility.

6.2 The quality of components and modules shall be commensurate with the degree of their safety importance and any reliability goals of the RSS. Where the use of one-of-a-kind or unproven designs becomes necessary, such cases are to be identified and supported by special quality assurance measures.

7. HARDWARE.

8. SOFTWARE.

9. REFERENCES.

HARDWARE

Issues that shall be reviewed for hardware are as follow:

a. Environmental and Seismic Qualification

The hardware should be built and designed to withstand the environmental and seismic background in which the system will operate.

b. Electromagnetic Interference (EMI) Environment

Provisions for precluding or minimizing EMI should be provided. Features such as optical isolation, shielding, bypass filters and signal conditioners should be provided.

c. Power Supplies

The power supplies for the system should be buffered to reduce the possible impact of minor power line fluctuations. Random access memories should be backed up by battery power. Scram circuits should scram when power is lost to them and self-diagnostic circuits should scram the reactor when fault conditions are detected.

d. Failure Modes and Effects

Probability risk assessment techniques may be used to predict failure to scram for various failure modes. Failure modes such as the following should be considered:

1) Physical system failure (wire breaks, shorts, ground fault circuits)
2) Limiting Safety System Setting failure (failure to detect)
3) System operable failure (loss of monitoring)
4) Computer/manual control failure (automatic and manual scram).

SOFTWARE

An approved verification and validation (V&V) plan for the development or use of standard software which performs a safety function shall be provided. ANSI/IEEE-ANS-7-4.3.2-1982, "Application Criteria for Programmable Digital Computer Systems in Safety Systems of Nuclear Power Generating Stations," is an appropriate standard for use in V&V of research reactor software except as noted below in Section d.

V&V plan

Verification and validation (V&V) are two separate but related activities that follow the development of software. Verification determines whether the requirements of one phase of the development cycle have been consistently, correctly, and completely transformed (fulfill the requirements) to the subsequent phase of the cycle. Validation [...] to ensure that performance conforms to the requirements of the specification. [...] prone to human errors of omission, commission and interpretation. [...] for an independent verifier to work in parallel with, but independent of, the development team to ensure that human errors do not hinder the production of safety software that is reliable and testable.

In executing V&V, certain principles have proven over time to be ve[...] in software development programs. [...] reference base for applying the applicable criteria for software evaluations of Class 1E safety systems.

a. Well defined systems requirements expressed in a we[...] that are to be performed by the digital safety system. The primary specification for the software provides the foundation for not only sou[...] development but also of effective verification and validation activities. The individual requirements in the specification for any software system describe how the software is to behave in any circumstance. The specification must be reliable and testable. A reliable specification exhibits the following characteristics:

Correct - Each requirement of the safety function has been stated correctly.
Complete - All of the requirements for the safety function are included.
Consistent - The requirements are complementary and do not contradict each other.
Feasible - The requirements can be satisfied with available technology.
Maintainability - The requirements will be satisfied for the lifetime of the equipment.
Accuracy - The requirements include the acceptable bounds of [...]

b. A development methodology to guide the production of software.

c. Comprehensive testing procedures should be developed which validate the specific functions that the digital control system and its software are to perform. The organization that tests these functions shall acknowledge that each of these functions has been tested.

d. A key ingredient in an effective V&V process is the independence of the V&V team from the development organization. The level of independence shall be such that the V&V team shall at least report to a different supervisor than the development organization. This requirement differs from the requirements of Section 4 of Supplement 3S-1 of NQA-1-1979 referred to in ANSI/IEEE-ANS-7-4.3.2-1982 in Section 7.1. In Supplement 3S-1 the V&V team and the development team can report to the same supervisor.
