7/25/2019 13 Embedded Nuclear Safety-Critical Systems
1/69
Budapest University of Technology and Economics
Department of Measurement and Information Systems
Embedded Safety-Critical Systems in
Nuclear Power Plants
Brief Comparison of IEC 61508 and the
Design of Systems Important to Safety
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
2/69
Nuclear Power Generation
Introduction to Nuclear Energy and Nuclear Power Plants
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
3/69
Nuclear Power Is it even necessary?
Fossil fuel power plantso burn carbon fuels such coal, oil or gas to generate steam driving large
turbines that produce electricity
o non-renewable fuel: oil depletes soon, gas next, carbon later
o they produce large amounts carbon dioxide, which causes climate change
o they increase background radiation
Large hydro power plantso water from the dams flows through turbines to generate electricityo no greenhouse gas emissions
o impact on the ecology around the dam
o the number of sites suitable for new dams is limited
Other renewables
o wind, solar and small scale hydro produce electricity with no greenhouse gasemissions
o higher cost than other forms of generation, often requiring subsidies
o they do not produce electricity predictably or consistently
o they have to be backed up by other forms of electricity generation
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
4/69
The Two Types of Nuclear Energy Production
4
Fission
Energy yield from
nuclear fission
Fusion
Energy yield from
nuclear fusion
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
5/69
Comparison of Fission and Fusion
Fission Fusion
Mechanism splitting of a large atom into two
or more smaller ones
fusing of two or more lighter atoms
into a larger one
Conditions criticality (prompt subcriticality),
moderator, and coolant
high density, high temperature
(plasma), precise control
Energy produced much greater than conventional 3 or 4 times greater than fission
Byproducts highly radioactive isotopes, long
decay time, large residual heat
some helium and tritium (short half-
life, very low decay energy)
Nuclear waste byproducts, structural materials structural materials (lower half-life)
Fuel 235U (0.72%), 232Th, possibly 238U 2H (deuterium) and 3H (tritium)
Advantages no greenhouse emissions,
economical, highly concentrated
fuel, intrinsically safe
no greenhouse emissions, very low
amount of waste, abundant fuel,
intrinsically safe, low risk
Disadvantages high risk, radioactive waste commercial application is far away
5
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
6/69
Controllability of Nuclear Fission
Effective neutron multiplication factor (k) is theaverage number of neutrons from one fission to
cause another fissiono k < 1 (subcriticality): the system cannot sustain a chain
reaction
o k = 1 (criticality): every fission causes an average ofone more fission, leading to a constant fission (and
power) levelo k > 1 (supercriticality): the number of fission reactions
increases exponentially
Delayed neutronsare created by the radioactivedecay of some of the fission fragments
o The fraction of delayed neutrons is called o Typically less than 1% of all the neutrons
in the chain reaction are delayed
1 k < 1/(1-) is the delayed criticality region,where all nuclear power reactors operate
6
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
7/69
Inherent Safety of Nuclear Power Plants
Reactivityis an expression of the departure from criticality:
= (k - 1)/ko when the reactor is critical, = 0
o when the reactor is subcritical, < 0
The temperature coefficient (of reactivity) is a measure of
the change in reactivity (resulting in a change in power) bya change in temperature of the reactor components or thereactor coolant
The void coefficient (of reactivity) is a measure of thechange in reactivity as voids (typically steam bubbles) formin the reactor moderator or coolant
Most existing nuclear reactors have negative temperatureand void coefficients in all states of operation
7
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
8/69
(A Few) Types of Nuclear Reactors
NuclearReactors
ThermalReactors
Graphite-
moderatedreactors
Gas-cooledreactors
Water-cooledreactors
RBMK
Water-moderated
reactors
Heavy-water
reactors
CANDU
Light-water-reactors
BWR
PWRLight-element-
moderatedreactors
FastNeutronReactors
Generation IVreactors
8
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
9/69
Nuclear Reactor History and Generations
Generation II: class of commercial reactors built up to the end of the 1990s
Generation III: development of Gen. II designs, improved fuel technology, superiorthermal efficiency, passive safety systems, and standardized design
Generation IV: nuclear reactor designs currently being researched, not expected tobe available for commercial construction before 2030
9
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
10/69
Gen. II Water Moderated Reactor Types
Pressurized Water Reactor (PWR)
Cooled and moderated by high-pressure liquid water,primary and secondary loops
Boiling Water Reactor (BWR)
Higher thermal efficiency, simpler design (single loop),
potentially more stable and safe (?)
Pressurized Heavy Water Reactor (PHWR)
Heavy-water-cooled and -moderated pressurized-
water reactors, fuel in tubes, efficient but expensive
High Power Channel Reactor (RBMK)
Water cooled with a graphite moderator, fuel in tubes,cheap, large and powerful reactor but unstable
10
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
11/69
Common Light Water Moderated Reactors
11
P
ressurizedW
R
BoilingWR
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
12/69
Overview of a PWR nuclear power plant
12
Primary circuit
Reactor vessel
Pressurizer
Secondary Circuit
Steam GeneratorControl Rods
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
13/69
Risk of Nuclear Installations
Using the Terms of the Functional Safety Concept
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
14/69
Functional Safety Concept: Risk
Risk based approach for determining the target
failure measureo Risk is a measure of the probabilityand consequence
of a specified hazardous event occurring
o There is no such thing as Zero Risk A safety-related system both
o implements the required safety functions necessary to
achievea safe state for the EUC or
to maintaina safe state for the EUC
o is intended to achieve the necessary safety integrity
for the required safety functions
14
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
15/69
Consequence: Effects of Ionizing Radiation
Natural radiation
o Internal radiation: 40K
o External radiation
Background radiation
TENORM
o artificially increased
background radiation
15
Hats
100%
Ksz b Dzis
0%
Kockzat
Dzis
m=5*10-2/S v
Deterministic effect Stochastic effect
Artificial radiation
o Medical diagnosis and
treatment
o Industrial radiation sources
o Nuclear tests
o Nuclear waste
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
16/69
The Risk Assessment Framework
The three main stages of Risk Assessment are:
1. Establish the tolerable risk criteria with respect to
the frequency (or probability) of the hazardous event
and its specific consequences
2. Assess the risks associated with theequipment under control
3. Determine the necessary risk reduction needed to
meet the risk acceptance criteria this will determine the Safety Integrity Level of the safety-
related systems and external risk reduction facilities
16
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
17/69
Example Risk Bands for Tolerability of Hazards
17
Remote Unlikely Possible Probable
Significant
Major
Catastr
ophic
Consequence
Frequency (per year)10-4 10-3 10
-210-1 1
Zone 3
Tolerable
Risk Region
Zone 1
UnacceptableRisk Region
Zone 2
TransitionalRisk Region
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
18/69
Tolerable Risk of Nuclear Installations
Design BasisAccidents
Beyond DesignBasis Accidents
SevereAccidents
AnticipatedOperational
Occurrences
Design BasisAccidents
Beyond DesignBasis Accidents
NormalOperation
AnticipatedOperational
Occurrences
Design BasisAccidents
19
Probability of occurrence (in decreasing order)
Severityofcons
equence
100 10-4
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
19/69
Operational States and Transients of NPPs
Normal Operational State
o
most probable, most frequent state Operational Transients aka.
Anticipated Operational Occurrences (AOO)
o highly probable operational occurrences, having a minor effect
o
good chance of multiple AOOs during operational life-time Design Basis Accidents
o improbable accidents, these are included in the Design Basis
Beyond Design Basis AccidentsSevere Accidents
o extremely improbable accidentso the Design Basis of most existing units does not include BDBAs
o this is changing, many former BDBAs became DBAs in the caseof Generation III and Generation IV nuclear units
20
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
20/69
Classification of Events & Operating Conditions
21
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
21/69
Definition of Safety
Central concepts: Hazard,risk and safety
Safety
Harm
Risk
Hazard
Functional
safety
Combination of the probabilityof occurrenceof harm and the
severityof that harmTolerable risk: Risk which is
accepted in a given context
(based on the values of society)
Residual risk: Risk remaining after
protective measures have been taken
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
22/69
Postulated Initiating Events
A postulated initiating event (PIE) is an identified
event that leads to an anticipated operationaloccurrence (AOO) or accident condition and itsconsequential failure effects.
o All safety analysis, deterministic or probabilistic, begins
with definition of a set of PIEs PIEs may be defined from various sources:
o Formal analytical techniques, such as
Failure modes and effects analysis (FMEA), or
Hazards and operability analysis (HAZOP)o PIE lists developed for other, similar plants
o Operating experience with other plants
o Engineering judgement
23
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
23/69
Classification of PIEs
According to origin:
Internal eventso are those PIEs that arise
due to failures of systems, structures, or components within theplant, or
due to internal human error, ando provide a challenge to internal safety systems.
External events
o are those PIEs that arise from
conditions external to the plant, such as natural phenomena or off-site human-caused events and
o provide a challenge to safety equipment and/or to plantintegrity.
24
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
24/69
The Design Basis
The design basis specifies the necessary
capabilities of the plant to cope with a specifiedrange of operational states and design basisaccidents within the defined radiologicalprotection requirements
The design basis includes
o the specification for normal operation,
o plant states created by the PIEs,
o the safety classification,o important assumptions and,
o in some cases, the particular methods of analysis.
25
d f f l
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
25/69
Identification of Internal Initiating Events
Proper operation depends on maintaining the correct
balance betweeno power production in the core
o transport of energy in the reactor cooling system (RCS)
o removal of energy from the RCS, and
o production of electrical energy
Thus, PIE categories may include:
o change in heat removal from the RCS
o change in coolant flow rate
o change in reactor coolant inventory, including pipe breaks
o reactivity and power distribution anomalies
o release of radioactive material from a component or system
26
d f f l
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
26/69
Identification of Internal Initiating Events
Consider failures (including partial failures or malfunctions)of safety systems and components, as well as non-safetysystems and components that impact safety function
Consider consequences of human error:
o Faulty maintenance
o Incorrect settings or calibrations
o Incorrect operator actions
Include fires, explosions, floods which could cause failure ofsafety equipment
Some events from outside the plant may be analyzed asinternal events because of the nature of their impact
o Loss of off-site power
o Loss of component cooling water
27
Id ifi i f l I i i i
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
27/69
Identification of External Initiating Events
External events can lead to an internal initiating event
and failure of safety systems that provide protection. Naturally occurring events:
o Earthquakes
o
Fireso Floods and other high water events
o Volcanic eruptions
o Extremes of temperature, rainfall, snowfall, wind velocity
Human-caused events:
o Aircraft crashes
o External fires, explosions, and hazardous material releases
28
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
28/69
Nuclear Accidents
The Three Most Prominent Accidents in the History ofNuclear Power Generation, and Lessons Learned
M i T f N l R A id
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
29/69
Main Types of Nuclear Reactor Accidents
Accident initiated by sudden reactivity increase (e.g.control rod ejection) that causes reactor runawayo RIAReactivity Initiated Accident
o the nuclear chain reaction becomes uncontrollable prompt supercritical reactor
Accident initiated by insufficient cooling (e.g. due toloss of coolant)o the efficiency of heat removal from the core drops
o the reactor core cooling is lost
that can cause damage to the fuel claddingo LOCALoss of Coolant Accident
o LOFALoss of Flow Accident
o LOHALoss of Heat Sink Accident
30
R ti it I iti t d A id t
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
30/69
Reactivity Initiated Accident
31
L f C l t A id t LB LOCA
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
31/69
Loss of Coolant AccidentLB LOCA
32
I t ti l N l E t S l (INES)
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
32/69
International Nuclear Event Scale (INES)
Level 7: Major accident
Level 6: Serious accident
Level 5: Accident with wider consequences
Level 4: Accident with local consequences
Level 3: Serious incident
Level 2: Incident
Level 1: Anomaly
Level 0: Deviation (No Safety Significance)
33
D t il d E l f th INES S l
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
33/69
Details and Examples of the INES Scale
INES Level
Level 7: Majoraccident
Level 6: Seriousaccident
Level 5: Accidentwith wider
consequences
People andEnvironment
Major release ofradioactive material
Widespread effects
Significant release ofradioactive material
Limited release ofradioactive material
Several deaths
Radiological
Barriers andControl
Severe reactor coredamage
Significant releasewithin installation
Example
Chernobyl accident(Soviet Union),26 April 1986
Fukushima accident
Kyshtym disaster atMayak
(Soviet Union),29 September 1957
Three Mile Islandaccident
(United States),28 March 1979
34
Th Mil I l d A id t
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
34/69
Three Mile Island Accident
In 1979 at Three Mile Island nuclear power plant in USA a cooling
malfunction caused part of the core to melt in the #2 reactor
o A relatively minor malfunction in the secondary cooling circuit caused the
temperature in the primary coolant to rise
o This in turn caused the reactor to shut down automatically
o A relief valve failed to close, but instrumentation did not reveal the fact
o So much of the primary coolant drained away that the residual decay heat in
the reactor core was not removed
o The core suffered severe damage as a result
o The operators were unable to diagnose or respond properly to the
unplanned automatic shutdown of the reactor
o Deficient control room instrumentation and inadequate emergency response
training proved to be root causes of the accident
Some radioactive gas was released a couple of days after the accident,
but not enough to cause any dose above background levels
There were no injuries or adverse health effects from the TMI accident
35
Th Mil I l d A id t
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
35/69
Three Mile Island Accident
36
Ch b l A id t
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
36/69
Chernobyl Accident
The Chernobyl accident in 1986 was the result of a flawed reactor design thatwas operated with inadequately trained personnelo
The crew wanted to perform a test to determine how long turbines would spin andsupply power to the main circulating pumps following a loss of main electrical powersupply
o A series of operator actions, including the disabling of automatic shutdownmechanisms, preceded the attempted test
o By the time that the operator moved to shut down the reactor, the reactor was in anextremely unstable condition
o A peculiarity of the design of the control rods caused a dramatic power surge as theywere inserted into the reactor
The RBMK reactor can possess a positive void coefficient
o The interaction of very hot fuel with the cooling water led to fuel fragmentation
o Intense steam generation then spread throughout the whole core causing a steamexplosion and releasing fission products to the atmosphere
o A second explosion threw out fragments from the fuel channels and hot graphite The resulting steam explosion and fires released at least 5% of the radioactive
reactor core into the atmosphere
Two Chernobyl plant workers died on the night of the accident, and a further 28people died within a few weeks as a result of acute radiation poisoning
37
Chernobyl Accident
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
37/69
Chernobyl Accident
38
Fukushima Accident
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
38/69
Fukushima Accident
Following a major earthquake, a 15-metre tsunami disabled the power supply
and cooling of three Fukushima Daiichi reactors, causing a nuclear accident on
11 March 2011o The reactors proved robust seismically, but vulnerable to the tsunami
o This disabled 12 of 13 back-up generators on site and also the heat exchangers for
dumping reactor waste heat and decay heat to the sea
o The three units lost the ability to maintain proper reactor cooling and water
circulation functions, all three cores largely melted in the first three days Rated 7 on the INES scale, due to high radioactive releases over days 4 to 6
After two weeks the three reactors (units 1-3) were stable with water addition
but no proper heat sink for removal of decay heat from fuel
By July they were being cooled with recycled water from the new treatment
plant, and official 'cold shutdown condition' was announced in mid-December Apart from cooling, the basic ongoing task was to prevent release of radioactive
materials, particularly in contaminated water leaked from the three units
There have been no deaths or cases of radiation sickness from the nuclear
accident, but over 100,000 people had to be evacuated from their homes
39
Fukushima Accident
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
39/69
Fukushima Accident
40
Safety Relative to Other Energy Sources
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
40/69
Safety Relative to Other Energy Sources
Fuel
Immediate fatalities
1970-92 Who?
Normalized to
1/TWy* electricity
Coal 6400 workers 342
Natural gas 1200 workers & public 85
Hydro 4000 public 883
Nuclear 31 workers 8
41
Comparison of accident statistics in primary energy production
(Electricity generation accounts for about 40% of total primary energy)
Deaths from energy-related accidents per unit of electricity
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
41/69
Safety of Nuclear Power Plants
Overview of the Basic Concepts of Nuclear Safety
Characteristics of Nuclear Power Plants
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
42/69
Characteristics of Nuclear Power Plants
They contain a large amount of radioactive
material Employees need to be protected from radiation
even in normal operation
The release of radioactive contaminants must beprevented even in accident conditions!
Plans must exist to handle the problems if
radioactive contaminants are still released Residual (decay) heat removal (heat from the
decay of fission products) is of high importance
43
Safety Goals of Nuclear Power Plants
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
43/69
Safety Goals of Nuclear Power Plants
Normal operational state: intrinsically safe
o environmentally safe: no release of contaminantso intrinsic safety: negative void coefficient
But
Potentially hazardouso possibility of severe consequences due to an incident
o design flaws and incompetence can lead to accidents
Aim: avoidance of accidentso design and build a safe nuclear power plant
o safe operation and maintenance of the NPP
44
Safety of Nuclear Power Plants
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
44/69
Safety of Nuclear Power Plants
Nuclear power plants and its safety systems and
technical equipment must be designed so that thesafety of the environment is guaranteed even if an
accident occurs
Modern nuclear power plants satisfy these criteria
Periodic safety audits are required to
o assess the effectiveness of the safety management system
o and identify opportunities for improvements
The licensing authority permits the startup, operation
or maintenance of a nuclear power plants only if the
guaranteed safety of the reactor is proven
45
Safety of Nuclear Power Plants
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
45/69
Safety of Nuclear Power Plants
Nuclear safety has three objectives:
1. to ensure that nuclear facilities operate normally andwithout an excessive riskof operating staff and the
environment being exposed to radiation from the
radioactive materials contained in the facility
2. to prevent incidents, and3. to limit the consequences of any incidents that might occur
Aim: to guarantee in every possible operational and
accident conditions (above a certain occurrence
frequency and consequence, i.e. risk) that the
radioactive material from the active zone be
contained in the reactor building
46
The Basic Principles of Nuclear Safety
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
46/69
The Basic Principles of Nuclear Safety
Nuclear safety uses two basic strategies to
prevent releases of radioactive materials:o the provision of leak tight safety barriers
o the concept of defense-in-depth
applies to both the design and the operation of the facility despite the fact that measures are taken to avoid accidents,
it is assumed that accidents may still occur
systems are therefore designed and installed
to combat them and to ensure that their consequences are limited to a level that is
acceptable for both the public and the environment
47
Five Layers of Safety Barriers in NPPs
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
47/69
Five Layers of Safety Barriers in NPPs
1st layer is the inert, ceramic
quality of the uranium oxide 2nd layer is the air tight
zirconium alloy of the fuel rod
3rd layer is the reactor
pressure vessel made of steel 4th layer is the pressure
resistant, air tight
containment building
5th layer is the reactor
building or a second outer
containment building
48
Pressure Resistant Air Tight Containment
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
48/69
Pressure Resistant, Air Tight Containment
49
Structure of the Paks NPP and Safety Barriers
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
49/69
Structure of the Paks NPP and Safety Barriers
50
Main Systems Shown in the Previous Figure
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
50/69
Main Systems Shown in the Previous Figure
1. Reactor vessel
2. Steam generator3. Refuelling machine
4. Cooling pond
5. Radiation shield6. Supplementary
feedwater system
7. Reactor
8. Localization tower
9. Bubbler trays
10. Deaerator
11. Aerator12. Turbine
13. Condenser
14. Turbine hall15. Degasser feedwater tank
16. Feedwater pre-heater
17. Turbine hall overhead
18. Control and instrument
room
51
Levels of Defence in Depth
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
51/69
Levels of Defence in Depth
Level 1: Mitigation of radiological consequences of significant releases of
radioactive materials
Level 2: Control of severe plant conditions, including prevention of
accident progression and mitigation of the consequences of severe
accidents
Level 3: Control of accidents within the design basis
Level 4: Control of abnormal operation and detection of failuresLevel 5: Prevention of abnormal operation and failures
Conservative design and high quality in construction and operation
Control, limiting and protection systems and other surveillance
featuresEngineered safety features and accident procedures
Complementary measures and accident management
Off-site emergency response
52
Design Limits Design Basis Accidents
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
52/69
Design Limits Design Basis Accidents
The design limits prescribe that for any DBA:
o the fuel cladding temperature must not exceed 1200Co the local fuel cladding oxidation must not exceed 18%
of the initial wall thickness
o
the mass of Zr converted into ZrO2must not exceed1% of the total mass of cladding
o the whole body dose to a member of the staff must
not exceed 50 mSv
o critical organ (i.e., thyroid) dose to a member of thestaff must not exceed 300 mSv
53
Safety Functions
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
53/69
Safety Functions
To ensure safety
o in operational stateso in and following a design basis accident, and
o (to the extent practicable) on the occurrence ofselected BDBAs
The following fundamental safety functions shallbe performed:
1. control of the reactivity
2. removal of heat from the core3. confinement of radioactive materials and control of
operational discharges, as well as limitation ofaccidental releases
55
Main Safety Systems in Nuclear Power Plants
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
54/69
Main Safety Systems in Nuclear Power Plants
Reactor Protection System (RPS)
o Control Rods
o
Safety Injection/Standby Liquid Control Emergency Core Cooling System
o High Pressure Coolant Injection System (HPCI)
o Depressurization System (ADS)
o Low Pressure Coolant Injection System (LPCI)
o Core spray and Containment Spray System
o Isolation Cooling System
Emergency Electrical Systems
o Diesel Generators
o Motor Generator Flywheels
o Batteries
Containment Systemso Fuel Cladding
o Reactor Vessel
o Primary and Secondary Containment
Ventilation and Radiation Protection
56
Emergency Core Cooling System
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
55/69
Emergency Core Cooling System
1. Reactor
2. Steam Generator
3. Main Cooling Pump
4. Primary Pipe Rupture
5. Hidroaccumulator
6. Low Pressure CoolantInjection System Vessel
7. Low Pressure CoolantInjection System Pump
8. High Pressure CoolantInjection System Vessel
9. High Pressure CoolantInjection System Pump
10. Pressurizer
57
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
56/69
Instrumentation and control forsystems important to safety
Safety Life-cycle of I&C Systems in Nuclear Installations
Nuclear Standards: Differences from IEC 61508
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
57/69
Nuclear Standards: Differences from IEC 61508
Deterministic approach
o Safety function are classified into categories according to theirimpact on plant safety
o Systems are classified into categories according to the safetyfunctions they provide
o Requirements are assigned to categories
Requirements are drawn from the plant safety design base
Requirements are tipically deterministic
o Design for reliability
Single failure criterion
Redundancy Diversity
o Independence
o Avoidance of Common Cause Failures
59
Safety Classification of Nuclear I&C Systems
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
58/69
Safety Classification of Nuclear I&C Systems
60
Source: IAEA TECDOC-1066, Specification Requirements for Upgrades Using Digital I&C. January 1999.
The safety classification of nuclear systems is country and authority
dependant. The requirements for the design and operation of
systems important to safety, however, are similar.
Examples of I&C Systems Important to Safety
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
59/69
Examples of I&C Systems Important to Safety
61
IAEA Standards
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
60/69
IAEA Standards
International Atomic Energy Agency
IAEA Safety Standards Series No. NS-R-1(2000),Safety of Nuclear Power Plants: Design
(Requirements)
IAEA Safety Standards Series No. NS-G-1.3(2002),Instrumentation and Control Systems Important
to Safety in Nuclear Power Plants (Safety Guide)
IAEA Safety Standards Series No. NS-G-1.1(2000),Software for Computer Based Systems Important
to Safety in Nuclear Power Plants (Safety Guide)
62
IEC Nuclear Standards
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
61/69
IEC Nuclear Standards
International Electrotechnical Commission IEC 61226:2009, Nuclear power plants - Instrumentation and control
important to safety - Classification of instrumentation and controlfunctions IEC 61513:2001, Nuclear power plantsInstrumentation and control for
systems important to safetyGeneral requirements for systems IEC 60987-2:2007, Nuclear power plantsInstrumentation and control
important to safetyHardware design requirements for computer-basedsystems
IEC 60880-2:2006, Nuclear power plantsInstrumentation and controlsystems important to safetySoftware aspects for computer-basedsystems performing category A functions
IEC 62138:2004, Nuclear power plantsInstrumentation and control
important for safetySoftware aspects for computer-based systemsperforming category B or C functions
IEC 62340:2007, Nuclear power plantsInstrumentation and controlsystems important to safetyRequirements for coping with commoncause failure (CCF)
63
Correlation Between IEC Classes and Categories
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
62/69
Correlation Between IEC Classes and Categories
Categories of I&C functions
important to safety
(according to IEC 61226)
Corresponding classes of I&C
systems important to safety
(according to IEC 61513)
A (B) (C) 1
B (C) 2
C 3
64
I&C functions of category A may be implemented in class 1 systems only I&C functions of category B may be implemented in class 1 and 2 systems
I&C functions of category C may be implemented in class 1, 2, and 3
systems
The Use of Standards in the Design Process
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
63/69
The Use of Standards in the Design Process
Requirements from the plant safety design base
IEC 61226: Classification of I&C functions
I&C Architectural design
Assignment of functions to I&C systemsIEC 61513: General requirements for systems
Design andImplementation
of the I&C Hardware
IEC 60987: Hardware
design requirements
Design and Implementationof the I&C Software
IEC 60880: Softwareaspects for computer-
based systems performingcategory A functions
IEC 62138: Softwareaspects for computer-
based systems performingcategory B or C functions
65
Simplified Safety Life-Cycle
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
64/69
Simplified Safety Life Cycle
66
Requirements from the plant safety design base
I&C Architectural designAssignment of functions
to I&C systems
Safety life cycleof I&C system 1
System requirements specification
System installation
Overall operation and maintenance
Safety life cycleof I&C system n
System requirements specification
System installation
Overall integration and commissioning
Assessment of Components
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
65/69
p
Objective: contribute to confidence that system
conforms to safety requirements Stringency of assessment depends on:
o safety class of system
o how component is usedo consequences of component errors and failures
o intrinsic component properties (e.g., complexity)
Overall Requirements - Class 1
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
66/69
q
Low complexity
Deterministic behavior for computer-based systems:o cyclic behavior
o preferably stateless behavior
o load independent of external conditions
o static resource allocation
o guaranteed response times
o single (random) failure criterion
o robustness with respect to errors
Software developed according to stringent nuclear
industry standards (e.g., IEC 60880)
Overall Requirements - Class 2
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
67/69
q
Controlled complexity
Confidence based in particular on analysis ofsystem design
High quality software, not necessarily developed
according to nuclear industry standards
Overall Requirements - Class 3
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
68/69
q
No specific limit for complexity
Confidence mainly based on:o proven application of quality standards
o global demonstration of fitness
Specific demonstrations may be required onidentified topics
Consistency with System Level Constraints
7/25/2019 13 Embedded Nuclear Safety-Critical Systems
69/69
y y
Predictable behavior (Classes 1 & 2):
o precise specification of component behavioro documented conditions of use in system
Deterministic behavior (Class 1):
o static resource allocationo static parameterization
o preferably stateless behavior
o clear-box (with limited exceptions)o proven maximum response time
o proven robustness against consequences of errors