Upload
others
View
2
Download
0
Embed Size (px)
Citation preview
Nuclear I&C DesignDesign Process and Requirements of Nuclear
Instrumentation and Control Systems
Budapest University of Technology and EconomicsFaculty of Transportation Engineering and Vehicle Engineering
Department of Control for Transportation and Vehicle Systems
Simplified I&C Safety Life-Cycle
Requirements from the plant safety design base
I&C Architectural designAssignment of functions
to I&C systems
Safety life cycleof I&C system 1
• System requirements specification• …• System installation
Overall operation and maintenance
Safety life cycleof I&C system n
• System requirements specification• …• System installation
Overall integration and commissioning
12/7/2015 Nuclear I&C Systems Safety 2
Budapest University of Technology and EconomicsFaculty of Transportation Engineering and Vehicle Engineering
Department of Control for Transportation and Vehicle Systems
Safety Standards for Different Fields
Budapest University of Technology and EconomicsFaculty of Transportation Engineering and Vehicle Engineering
Department of Control for Transportation and Vehicle Systems
IEC Nuclear I&C Standards
IEC No. MSZ No. Title
IEC 61226:2009 MSZ EN 61226:2011 Nuclear power plants - Instrumentation and control important to safety - Classification of instrumentation and control functions
IEC 61513:2001 MSZ IEC 61513:2011 Nuclear power plants – Instrumentation and control for systems important to safety – General requirements for systems
IEC 60987-2:2007 MSZ EN 60987:2009 Nuclear power plants – Instrumentation and control important to safety – Hardware design requirements for computer-based systems
IEC 60880-2:2006 MSZ EN 60880:2010 Nuclear power plants – Instrumentation and control systems important to safety – Software aspects for computer-based systems performing category A functions
IEC 62138:2004 MSZ EN 62138:2009 Nuclear power plants – Instrumentation and control important for safety – Software aspects for computer-based systems performing category B or C functions
2015.12.07. Nuclear I&C Systems Safety 4
Budapest University of Technology and EconomicsFaculty of Transportation Engineering and Vehicle Engineering
Department of Control for Transportation and Vehicle Systems
IEC Nuclear I&C Standards
IEC No. MSZ No. Title
IEC 61227:2008 MSZ IEC 61227:2011 Nuclear power plants - Control rooms - Operator controls
IEC 61225:2005 MSZ IEC 61225:2011 Nuclear power plants - Instrumentation and control systems important to safety - Requirements for electrical supplies
IEC 62340:2007 Nuclear power plants – Instrumentation and control systems important to safety – Requirements for coping with common cause failure (CCF)
IEC 60709:2004 MSZ EN 60709:2011 Nuclear power plants - Instrumentation and control systems important to safety - Separation
IEC 60780:1998 MSZ IEC 60780:2011 Nuclear power plants - Electrical equipment of the safety system - Qualification
IEC 61500:2009 MSZ IEC 61500:2011 Nuclear power plants - Instrumentation and control important to safety - Data communication in systems performing category A functions
IEC TR 61000 ser. MSZ EN 61000 ser. Electromagnetic compatibility requirements
2015.12.07. Nuclear I&C Systems Safety 5
Budapest University of Technology and EconomicsFaculty of Transportation Engineering and Vehicle Engineering
Department of Control for Transportation and Vehicle Systems
The Use of IEC Standards in the Design Process
Requirements from the plant safety design base
IEC 61226: Classification of I&C functions
I&C Architectural designAssignment of functions to I&C systems
IEC 61513: General requirements for systems
Design and Implementation
of the I&C Hardware
IEC 60987: Hardware design requirements
Design and Implementation of the I&C Software
IEC 60880: Software aspects for computer-
based systems performing category A functions
IEC 62138: Software aspects for computer-
based systems performing category B or C functions
2015.12.07. Nuclear I&C Systems Safety 6
Budapest University of Technology and EconomicsFaculty of Transportation Engineering and Vehicle Engineering
Department of Control for Transportation and Vehicle Systems
Comparison of Different Classification Systems
Nat. or intl.standard Classification of the importance to safety
IAEA NS-R-1Systems Important to Safety Systems Not
Important to SafetySafety Safety Related
IEC 61226FunctionsSystems
Systems Important to Safety
UnclassifiedCategory AClass 1
Category BClass 2
Category CClass 3
Canada Category 1 Category 2 Category 3 Category 4
France N4 1E 2E SHImportant to
SafetySystems Not
Important to Safety
EUR F1A (Aut.) F1B (A./M.) F2 Unclassified
Russian Fed. Class 2 Class 3 Class 4 (N/I. to Safety)
USA and IEEE
Systems Important to SafetyNon-nuclear Safety
SR / Class 1E (No name assigned)
R. of Korea IC-1 IC-2 IC-3
2015.12.07. Nuclear I&C Systems Safety 7
Budapest University of Technology and EconomicsFaculty of Transportation Engineering and Vehicle Engineering
Department of Control for Transportation and Vehicle Systems
Correlation Between IEC Classes and Categories
Categories of I&C functions important to safety
(according to IEC 61226)
Corresponding classes of I&C systems important to safety
(according to IEC 61513)
A (B) (C) 1
B (C) 2
C 3
2015.12.07. Nuclear I&C Systems Safety 8
• I&C functions of category A may be implemented in class 1 systems only
• I&C functions of category B may be implemented in class 1 and 2 systems
• I&C functions of category C may be implemented in class 1, 2, and 3 systems
Budapest University of Technology and EconomicsFaculty of Transportation Engineering and Vehicle Engineering
Department of Control for Transportation and Vehicle Systems
System Architecture
The architecture of the system is constrained by the category of functions to be implemented within the system and the defence in-depth concept.
a) The system may implement functions of the highest category allowed for its class and functions of lower categories:1) the design requirements for each subsystem shall not be lower than those required by the
function of the highest category implemented by the subsystem;
2) the design of the system shall ensure that the requirements of the subsystems or equipment of the higher classes are satisfied in case of failure of the equipment of the lower class.
b) The design of the system shall include redundancy and other features necessary to provide tolerance to failure and to accommodate the functions important to safety.• The system may also include redundancy to fulfil availability requirements. The need for such
redundancies is defined at the level of system design.
c) The design of the system shall satisfy any independence requirements to• prevent propagation of failures from systems of lower importance to safety;
• prevent propagation of failures between redundant trains providing category A functions.
d) The design of class 1 systems shall include sufficient redundancy to meet the single-failure criterion for category A functions during operation and maintenance.
Budapest University of Technology and EconomicsFaculty of Transportation Engineering and Vehicle Engineering
Department of Control for Transportation and Vehicle Systems
Overall Requirements: IEC Class 1
• Single (random) failure criterion• robustness with respect to errors
• Low complexity• defensive design against CCF
• Deterministic behavior for computer-based systems:• cyclic behavior• preferably stateless behavior• load independent of external conditions• static resource allocation• guaranteed response times
• Software developed according to stringent nuclear industry standards (e.g. IEC 60880)
2015.12.07. Nuclear I&C Systems Safety 10
Budapest University of Technology and EconomicsFaculty of Transportation Engineering and Vehicle Engineering
Department of Control for Transportation and Vehicle Systems
Overall Requirements - Class 2
• Controlled complexity
• Confidence based in particular on analysis of system design
• High quality software• IEC 61238 is usually required for new development
• not necessarily developed according to nuclear industry standards (e.g. pre-developed software)
2015.12.07. Nuclear I&C Systems Safety 11
Budapest University of Technology and EconomicsFaculty of Transportation Engineering and Vehicle Engineering
Department of Control for Transportation and Vehicle Systems
Overall Requirements - Class 3
• No specific limit for complexity
• Confidence mainly based on: • proven application of quality standards
• global demonstration of fitness
• Specific demonstrations may be required on identified topics
2015.12.07. Nuclear I&C Systems Safety 12
Budapest University of Technology and EconomicsFaculty of Transportation Engineering and Vehicle Engineering
Department of Control for Transportation and Vehicle Systems
Consistency with System-Level Constraints
• Predictable behavior (Classes 1 & 2):• precise specification of component behavior
• documented conditions of use in system
• Deterministic behavior (Class 1):• static resource allocation
• static parameterization
• preferably stateless behavior
• clear-box (with limited exceptions)
• proven maximum response time
• proven robustness against consequences of errors
2015.12.07. Nuclear I&C Systems Safety 13
Budapest University of Technology and EconomicsFaculty of Transportation Engineering and Vehicle Engineering
Department of Control for Transportation and Vehicle Systems
Specific Design RequirementsSelected Requirements from the Nuclear Safety Code
Budapest University of Technology and EconomicsFaculty of Transportation Engineering and Vehicle Engineering
Department of Control for Transportation and Vehicle Systems
NSC: Safety Level of Plant Functions
Operating state Description Event frequency (f [1/y])
DBC1 Normal operation -
DBC2 Anticipated operational occurrences f ≥ 10-2
DBC3 Infrequent design basis accidents 10-2 > f ≥10-4
DBC4 Rare design basis accidents 10-4 > f ≥ 10-6
12/7/2015 Nuclear I&C Systems Safety 15
a) F1A level to the safety functions that are required to bring DBC2-4 operating states to a checked condition;
b) F1B level to the safety functions that
ba) are required to bring the nuclear power plant unit from DBC2-4 operating states to a safe shutdown state and keep it in a safe shutdown state for at least 24 hours,
bb) replace the F1A functions following their failure, and help to keep the BDB operating states in the DEC1 operating state,
bc) all normal operating functions, the loss of which may result directly in TA3-4 operating states.
Budapest University of Technology and EconomicsFaculty of Transportation Engineering and Vehicle Engineering
Department of Control for Transportation and Vehicle Systems
NSC: Safety Level of Plant Functions
c) F2 level to the safety functions thatca) are required after 24 hours following the DBC2-4
operating states to keep the nuclear power plant unit for at least 72 more hours in a safe shutdown state,
cb) the safety functions taken into consideration in the extension of the design basis,
cc) are designed to prevent malfunctions not related to the active zone of the nuclear reactor, and
cd) all normal operating functions, the loss of which may cause DBC2 operating state and directly initiate reactor protection function activation.
2015.12.07. Nuclear I&C Systems Safety 16
Budapest University of Technology and EconomicsFaculty of Transportation Engineering and Vehicle Engineering
Department of Control for Transportation and Vehicle Systems
Fundamental Safety Functions
„The fundamental safety functions shall be fulfilled in case of DBC1-4 operating conditions. The fundamental safety functions shall be met after DEC1 operational status to the extent necessary for bringing the nuclear reactor to a controlled, safe shutdown state; and following DEC2 plant damage status to the extent necessary for bringing the plant to a safe state after a major accident.” (NSC 3a.2.1.1000)
„Systems shall be designed to fulfill the fundamental safety functions.”(NSC 3a.2.1.1100)
„In order to meet the fundamental safety functions, all safety functions and the systems executing them must be defined for all operating conditions —including normal operation as well— by safety and other analyzes.” (NSC 3a.2.1.1200)
„Removal of the residual heat into the final heat sink must be ensured, so that the frequency of the loss of heat removal function is smaller than 10-7/year.” (NSC 3a.2.1.1300)
Budapest University of Technology and EconomicsFaculty of Transportation Engineering and Vehicle Engineering
Department of Control for Transportation and Vehicle Systems
Connection with the Plant Design Basis
„The technological function specification of the I&C systems must comply with the following requirements:
a) It identifies the control tasks in accordance with the technological objectives and requirements,
b) Assigns a unique identification code to every control task,
c) Classifies the control tasks into functional safety levels based on the importance to safety of the given task and assigns them to the appropriate level of defense in depth,
d) Specifies the independence criteria related to the functions, including the diversity requirements,
e) Determines the response times for the functions,
f) Defines the safe state or position for every output, which must be set in case of the detected failure of the output,
g) Defines the tasks, which require operator intervention in the DBC1-4 and DEC1 operation conditions of the nuclear power plant in such a way, that the operating personnel are able to perform them,
h) Applies a multi-level, well-structured, formal language description method beside the human language description form,
i) Prescribes an automated system for the formal checking and verification,
j) Contains the information necessary for performing the operator tasks and for monitoring the automatic tasks,
k) Defines the accuracy requirements for the operational limits and for displaying the analog values,
l) Defines the requested reliability requirements, and
m) Specifies simulation methods for the functional assessment and validation of programmable I&C systems classified into safety class ABOS2.” (NSC 3a.4.5.3200)
Budapest University of Technology and EconomicsFaculty of Transportation Engineering and Vehicle Engineering
Department of Control for Transportation and Vehicle Systems
Single Failure Criterion
„The principle of single failure criterion must be applied in the design process. Thepossibility of inadvertent operation of the system components must be handled as apossible failure mode. The failure of a passive component must be taken into account unless it can be demonstrated that the failure of the passive component is of very low probability or it has no effect on the given function.” (NSC 3a.3.1.1100)
The compliance with the principle of the single failure criterion during the designprocess of the I&C system architecture can be achieved by incorporating the appropriate level of redundancy. The effectiveness of the design solutions applied to fulfill the single failure criterion must be proved by deterministic and probabilistic analyses (e.g. fault tree analysis) (cf. NSC 3a.4.5.4400).
„In point of F1A, F1B and F2 functions the single failure tolerance capability must bemaintained continuously. F1A, F1B or F2 function loss must not be allowed even incase of maintenance or manually initiated tests. In case of F1A and F1B functions asingle failure must not cause undesired operation either. It must be demonstrated that the applied architecture complies with the reliability requirements.” (NSC 3a.4.5.4400)
Budapest University of Technology and EconomicsFaculty of Transportation Engineering and Vehicle Engineering
Department of Control for Transportation and Vehicle Systems
Redundancy schemes
• Stand-by redundancy
• Stand-by system does not participate in normal operation
• Cold redundancy
• Failover / switchover
static dynamic passive dynamic active
• Distributed functionality
• Error handling
• Error detection
• Fault diagnosis
• Fault isolation
• Reconfiguration
• Graceful degradation
• m-out-of-n redundancy
• Parallel channels (trains)
• Majority voting• Voter is „hard core”
• Safety orientation• Fail-safe intervention
• Safety > availability
Budapest University of Technology and EconomicsFaculty of Transportation Engineering and Vehicle Engineering
Department of Control for Transportation and Vehicle Systems
Paks NPP Safety Architecture
• Triple Redundancy• 2-out-of-3 voting
• Safety orientation
• Self-testing and error detection
• Double Diversity• Functional and signal
diversity
• TELEPERM XS Platform
Budapest University of Technology and EconomicsFaculty of Transportation Engineering and Vehicle Engineering
Department of Control for Transportation and Vehicle Systems
Testing, self-tests
„In point of F1A, F1B and F2 functions the single failure tolerance capability must bemaintained continuously. F1A, F1B or F2 function loss must not be allowed even in case of maintenance or manually initiated tests. In case of F1A and F1B functions a single failure must not cause undesired operation either. It must be demonstrated that the applied architecture complies with the reliability requirements.” (NSC 3a.4.5.4400)
„All components of the I&C systems classified into safety class ABOS2 and ABOS3 must have an automatic self-diagnostic capability. In case of a failure identified during the self-test a message must be generated for the operator and - if necessary – the outputs of the subsystem must be set to predetermined states that acts in the direction of safety according to the requirements in NSC 3a.4.5.3200.” (NSC 3a.4.5.4500)
„Manually initiated automated testing option must be provided for the identification ofthe failures, which cannot be detected by self-tests in the I&C systems classified intosafety class ABOS2 and ABOS3, and for the demonstration of the operability of safetyfunctions. Built-in equipment must be applied for the execution of manually initiableautomated testing. The appropriateness of the test cycle time must be verified by safetyassessment.” (NSC 3a.4.5.4600)
Budapest University of Technology and EconomicsFaculty of Transportation Engineering and Vehicle Engineering
Department of Control for Transportation and Vehicle Systems
4-out-of-2 Protection Architecture
• 1st channel• Functionality
• 2nd channel• Fault detection
• Prevention of actuation masking
• Fail-safe intervention
• 3rd channel• Prevention of
spurious actuation
• 4th channel• Guarantee of
safety during maintenance and testing
Budapest University of Technology and EconomicsFaculty of Transportation Engineering and Vehicle Engineering
Department of Control for Transportation and Vehicle Systems
Redundant distributed I&C in a modern NPP
M M
Conventional control panels
SR and NC I&C SPPA-T2000
ES 680
Engineering System
Process Information and Operating System
OM 690 DS 670
Diagnosis System
Reactor Protection System
Reactor Limitation and Control System
AV42
Priority Actuator Control
Plant Bus ~ ~
~
Automation System
AS 620
SPACE
Engineering System
~ ~
Safety and SR I&C TELEPERM XS
PAC
FUM
Profibus DP
SPPA-T2000
AP
U
cabinet bus/
Profibus DP
plant bus
AS 620B
… FUM
M M M M
PAC
. . .
Budapest University of Technology and EconomicsFaculty of Transportation Engineering and Vehicle Engineering
Department of Control for Transportation and Vehicle Systems
Defence-in-Depth, CCF
„The architecture of the I&C systems must correspond to the levels of defense in depth. The levels suited with the defense in depth must be separated from each other to the maximum extent reasonably practicable.” (NSC 3a.4.5.4100)
„In case of I&C systems classified into safety class ABOS2 the possibility of common cause failures must be minimized by applying an appropriate level of functional or component-level diversity. The necessary extent of diversity must be derived from the required reliability requirements. It must be demonstrated by analysis that the probability of the common cause failures is sufficiently low when applying the selected solution.” (NSC 3a.4.5.4700)
„In case of commands belonging to different safety levels priority should be given to the command of the higher safety level led to the actuator. The deviation from the above must be verified by an analysis. The safety class of the system component that realizes the priority generation function must be determined based on the safety level of the command belonging to the highest safety level function, which is managed by it.” (NSC 3a.4.5.3000)
Budapest University of Technology and EconomicsFaculty of Transportation Engineering and Vehicle Engineering
Department of Control for Transportation and Vehicle Systems
Defence-in-Depth, CCF
The different levels of defense in depth must be realized by separated, independent sub-systems in the I&C system. The extent of the separation between the levels and the method of the applied diversity is determined by the technological function specification of the I&C system. The separated, independent sub-systems must not be affected by each other, they must not use common measurements and must be separated from each other as much as practicable on the intervention level. If the application of a common measurement is inevitable, its necessity and the appropriateness of the measures used to achieve the desired reliability must be analyzed individually. It must be guaranteed (and demonstrated) that any failure of a system classified into a lower safety level cannot affect the functions of systems at a higher safety level.
„In case of systems classified into safety class ABOS2 or ABOS3 the following justificatory analyzes must be prepared:a) Deterministic analysis of the fulfillment of the single failure criterion,b) Hardware and software failure modes and effects analysis,c) Function and task analysis for the creation of human-system interface and the
determination of the level of automation,d) Analysis of common cause failure probabilities, particularly the specified design,
manufacturing, software and hardware, environmental impact, maintenance problems, the application of the same system or system component in different lines of defense in depth, architecture, separations, sufficient diversity,
e) Probabilistic reliability analysis,f) Test coverage analysis.” (NSC 3a.4.5.2100)
Budapest University of Technology and EconomicsFaculty of Transportation Engineering and Vehicle Engineering
Department of Control for Transportation and Vehicle Systems
Diversity Concept
• Signal diversity• Functional diversity• Hardware diversity:
• Different data representation;• Different program execution
principle;• Different architecture.
• Software diversity:• Different algorithms, logic and
program architecture; • Different timing or order of
actions;• Different operating systems;• Different programming
languages.
Budapest University of Technology and EconomicsFaculty of Transportation Engineering and Vehicle Engineering
Department of Control for Transportation and Vehicle Systems
Hardware (Equipment) Diversity
Programmable Hardware
Digital
Microprocessor, Microcontroller
MIPS, ARM
VLIW, Superscalar
Programmable Logic Device
CPLD, Complex programmable
logic device
FPGA, Field-programmable
gate array
SRAM FPGA
Flash FPGA
Silicon antifuse FPGA
Analog
Analog Computer
FPAA, Field-programmable
analog array
Hybrid (mixed-signal)
Hybrid Customizable
System-on-Chip
Budapest University of Technology and EconomicsFaculty of Transportation Engineering and Vehicle Engineering
Department of Control for Transportation and Vehicle Systems
Hybrid Customizable System-on-Chip (cSoC)
Budapest University of Technology and EconomicsFaculty of Transportation Engineering and Vehicle Engineering
Department of Control for Transportation and Vehicle Systems
Diverse Implementation (on-chip)
Same technology (μP)
• Two-core implementation
• Redundant Similar Processes
• Same algorithm → code
• Potential for CCF
• Different code/algorithms
• Requires higher speed processors
Diverse (Hybrid) technologies
• MCU/FPGA implementation
• Redundant Dissimilar Processes
• Same algorithm designed twice
• HW & SW implemented on same die
• Different code / algorithms
• Build parallel processing elements
Budapest University of Technology and EconomicsFaculty of Transportation Engineering and Vehicle Engineering
Department of Control for Transportation and Vehicle Systems
WENRA Defence-in-Depth Concept for New NPPs
Levels of defence indepth Objective Essential means
Radiological consequences
Associated plantcondition categories
Level 1Prevention of abnormal operation and failures
Conservative design and high quality in construction and operation
No off-site radiological impact (bounded by regulatory operating limits for discharge)
Normal operation
Level 2Control of abnormal operation and detection of failures
Control, limiting and protection systems and other surveillance features
Anticipated operational occurrences
Level 3
3.a Control of accident to limit radiological releases and prevent escalation to core melt conditions
Reactor protection system, safety systems, accident procedures
No off-site radiological impact or only minor radiological impact
Postulated single initiating events
3.bAdditional safety features, accident procedures
Postulated multiple failure events
Level 4Control of accidents with core melt to limit off-site releases
Complementary measures and accident management
Off-site radiologicalimpact may imply limited protective measures in area and time
Postulated core melt accidents (short and long term)
Level 5
Mitigation of radiological consequences of significant releases of radioactive material
Off-site emergency response
Off site radiological impact necessitating protective measures
07/12/2015 Nuclear I&C Systems Safety 32
Budapest University of Technology and EconomicsFaculty of Transportation Engineering and Vehicle Engineering
Department of Control for Transportation and Vehicle Systems
Defence-in-Depth levels in I&C architecture
2015.12.07. Mátraháza 2015. 33
Budapest University of Technology and EconomicsFaculty of Transportation Engineering and Vehicle Engineering
Department of Control for Transportation and Vehicle Systems
Backlash-freeness, Connections
„Non-safety functions, or functions assigned to a lower level of functional safety must not be implemented into a subsystem classified into a safety class or into a safety class higher than necessary. If this is not possible, it must be demonstrated by safety assessment that the subsystem performing the function assigned to the lower safety level does not obstruct in any way the execution of functions assigned to a higher safety level.” (NSC 3a.4.5.4200)
„In case of connections between I&C systems classified into different safety classes itmust be demonstrated that the system classified into the lower class does not affect the operation of the system classified into the higher class. In case of connections between I&C systems classified into the same safety class it must demonstrated that the failure of a system does not obstruct the performance of the autonomous safety functions of the other.” (NSC 3a.4.5.4300)
„A system or system component classified into safety class ABOS2 must notcommunicate with systems outside of the given unit, and can provide data to a system or system component classified into a lower safety class in the same unit only through a physically unidirectional communication.” (NSC 3a.4.5.3700)
Budapest University of Technology and EconomicsFaculty of Transportation Engineering and Vehicle Engineering
Department of Control for Transportation and Vehicle Systems
Possible Separation at a Multi-unit Site
Level 0 Level 0 Level 0
Level 1Level 1Level 1
Level 2Level 2Level 2
Process interface levelProcess interface levelProcess interface level
Automation levelAutomation levelAutomation level
Supervision levelSupervision levelSupervision level
SC2SC3SC4
Common systemsUNIT 2UNIT 1
DMZ
Technical management level
Corporate network
Level 3
Level 4HR emailSAP …
Technical information system
Simulator Core design and modelling
Design tools
Document management system
Emergency Control Centre
Work order system
SC2SC3SC4
SC2SC3SC4
SC2SC3SC4
SC2SC3SC4
SC2SC3SC4
SC2SC3SC4
SC2SC3SC4
SC2SC3SC4
12/7/2015 Computer Security at Nuclear Facilities 35
Budapest University of Technology and EconomicsFaculty of Transportation Engineering and Vehicle Engineering
Department of Control for Transportation and Vehicle Systems
Quality Assurance, Independent Review
„Programmed systems performing safety functions —in addition to the generalrequirements for the programmed systems— must fulfill the following requirements:a) Hardware and software tools with references, which fulfill the most strict quality
assurance standards, are to be used,b) The entire development process, including the monitoring, testing and commissioning
of design changes must be systematically documented and evaluated,c) To validate the reliability of computer-based systems these systems must be reviewed
by experts independent from the designer and the contractor, and furthermored) If the required reliability level of a system cannot be validated, the fulfillment of the
safety functions assigned to it must be ensured with diverse tools.” (NSC 3a.3.1.1700)
The controllability of the design and manufacturing processes require the simplicity andtransparency of the applied methods, manufacturing techniques and V&V methods. Toensure this, priority must be given to typified and structured solutions. It is preferred that such tools and methods are used, which support verification and requirement traceability during both hardware and software design and manufacturing phases.
Budapest University of Technology and EconomicsFaculty of Transportation Engineering and Vehicle Engineering
Department of Control for Transportation and Vehicle Systems
Certification
„The fact that the applied I&C platform is certified as error-free and suitable to use in safety systems of nuclear power plants by a specialized, independent, accredited certification body must be demonstrated with a certificate in case of safety class ABOS2 and safety class ABOS3 systems. In case of programmable I&C systems the certificate must verify the appropriateness of the software and hardware platforms, the development tools and the code generators, as well.” (NSC 3a.4.5.2000)
• The set of standards, on which the certification is based, must be defined in case of installation, modification and refurbishment of safety class ABOS2 and ABOS3 systems
• The certificate issued by the certification body must include consideration of the following:
• Compliance to the relevant nuclear requirements,
• Development methods for minimizing the systematic error to an acceptable level,
• Potential failure states and frequency of their occurrence,
• Conditions of the application in the required safety class (e.g. configuration rules, environmental requirements, maintenance needs, etc.).
• The appropriate use of hardware and software platforms and the achievement of the expected and specified safety level for the planned life-cycle of the I&C system must also be demonstrated and verified by an independent expert organization
Budapest University of Technology and EconomicsFaculty of Transportation Engineering and Vehicle Engineering
Department of Control for Transportation and Vehicle Systems
Independence (certification)
Independent body:
• Independence (impartiality) is defined based on requirements specified at the certification and inspection bodies.
• An independent body is one that complies with the requirements for the impartial body according to EN ISO/IEC 17065 (“Conformity assessment. Requirements for bodies certifying products, processes and services”) :
"No part of the certification body and of the same legal person or persons under its control can:
a) Be the designer, manufacturer, commissioner, distributor or maintainer of thecertified product;
b) Be the designer, implementer, operator or maintainer of the certified process;
c) Be the designer, implementer, service provider or maintainer of the certifiedservice;
d) Offer or provide advice to its clients;
e) Offer or provide advice or internal audit services related to the managementsystem to customers in cases where the certification system requires theassessment of the client’s management system."
Budapest University of Technology and EconomicsFaculty of Transportation Engineering and Vehicle Engineering
Department of Control for Transportation and Vehicle Systems
Independence (certification)
Independent expert:
• An independent expert is one who complies with the independence defined by the implicit application of the definition given for the independent body.
• In case of independent experts acting in the field of application of nuclear energy the requirements in Paragraph 19/A (1) and (2) of Act No. CXVI of 1996 on Atomic Energy and its executive decree (Government Decree No. 247/2011 (XI. 25.) on independent experts acting in the field of application of nuclear energy) must be considered.
Certification body:
• A body, which is suitable for product certification activities according to EN ISO/IEC 17065 and has the necessary properties and skills (organizational structure, processes, personnel, etc.).
• In case there are international specialty standards in the given area, the certification activity must be based on them.
• The certification body must realize the inspection (according to EN ISO/IEC 17020 – “General criteria for the operation of various types of bodies performing inspection”) and/or testing laboratory (according to ISO/IEC 17025 – “General requirements for the competence of testing and calibration laboratories”) functions either by itself (of course, in the specialty field identical to the specialty field of the certification) or through the involvement of a body (or bodies), which has monitoring and/or testing properties and skills according to these standards.