Highly Integrated Control Rooms—Digital Communication Systems

Communication between Safety and Nonsafety Systems

With digital I&C technology, judicious communication between redundant safety channels and between safety and nonsafety systems may enhance reliability and safety beyond what could be attained when existing operating nuclear power plants were designed with analog technology. Proposed designs include varying degrees of communication between redundant safety channels and between safety and nonsafety systems to validate signals and ensure high reliability.

Requirement for Unimpaired Safety Function

It should be demonstrated that the provisions for implementing communications among redundant safety channels and between safety and nonsafety systems, and the communication processes and messages themselves, do not impair the proper execution of the associated safety functions through unintended behaviors, inadequately managed failure modes, or any other means or influence. The NRC is developing consolidated guidelines to support staff reviews of proposed communication protocols and systems. Issues such as two-way communication, data density, and communication traffic levels appropriate for safety-related applications need to be addressed in the documentation of the proposed designs.

General Design Criterion 24

In Appendix A to 10 CFR Part 50, General Design Criterion 24 (GDC 24), “Separation of Protection and Control Systems,” states the following requirement:
GDC 24 provisions regarding interconnection of the protection and control systems limit two-way communication between safety and nonsafety systems. Consensus standards indicate that such communication pathways are acceptable as long as
The NRC has approved digital safety systems that use limited two-way communications between safety and nonsafety components to allow safety system reconfigurations while in operating modes specifically designed to accept changes (e.g., test mode for testing a channel and Inop mode for changing setpoints and performing channel maintenance).

Requirement for Independence and Isolation

Some of the new control room designs may apply strategies for integrating safety- and nonsafety-related controls within the same controller or display device. The proposed controls and displays could include extensive two-way communications among safety channels and between safety and nonsafety channels. Applicants should demonstrate that proposed mixed-channel displays and controls, and operation of safety devices by means of nonsafety controls or of controls in other channels, maintain the required independence and isolation of redundant safety systems.

Failure Analysis Techniques and Mitigation Measures

The NRC is developing failure analysis techniques for use in the evaluation of complex digital communication systems proposed for use within and among redundant safety channels and between safety and nonsafety channels. As part of this development, the NRC will use case studies of current technologies to identify scenarios that could challenge a safety system and to identify mitigation measures to address those challenges. The primary objective of this effort is to develop a comprehensive process for confirming that an integrated control room design conforms with 10 CFR 50.55a(h), “Protection and Safety Systems,” and the requirements in associated standards and regulatory criteria for areas such as
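The mode-gated two-way communication described above (nonsafety-originated changes accepted only in test or Inop mode, with the safety function never waiting on the communication path) can be illustrated with a small simulation. This is an added example, not NRC guidance or any vendor's safety-system code: the mode names, message kinds, the per-cycle traffic ceiling and the message stream are all assumptions constructed for illustration.

```python
"""Constructed model of a safety channel that accepts nonsafety-originated
messages only in permissive operating modes. Illustration only; not the
design of any licensed system."""
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    OPERATE = "operate"   # normal operation: only read-only status traffic
    TEST = "test"         # channel under test: test commands accepted
    INOP = "inop"         # channel bypassed for maintenance: setpoint changes accepted


@dataclass
class Message:
    source: str                      # "nonsafety" or "safety" (assumed labels)
    kind: str                        # "status_request", "test" or "setpoint"
    payload: dict = field(default_factory=dict)


@dataclass
class SafetyChannel:
    trip_setpoint: float
    mode: Mode = Mode.OPERATE
    max_msgs_per_cycle: int = 4      # assumed traffic ceiling per scan cycle
    rejected: list = field(default_factory=list)

    # Permissive table (assumed): message kinds accepted from nonsafety per mode.
    PERMISSIVES = {
        Mode.OPERATE: {"status_request"},
        Mode.TEST: {"status_request", "test"},
        Mode.INOP: {"status_request", "setpoint"},
    }

    def trip_logic(self, measured: float) -> bool:
        """The safety function: trip when the measured value exceeds the setpoint.
        It depends only on the channel's own state, never on inbound traffic."""
        return measured > self.trip_setpoint

    def handle_inbound(self, msgs) -> int:
        """Validate nonsafety-originated messages against the current mode and the
        traffic ceiling. Unacceptable messages are dropped and logged, never acted on,
        so the communication path cannot block or alter the safety function."""
        accepted = 0
        for m in msgs:
            if accepted >= self.max_msgs_per_cycle:
                self.rejected.append((m, "traffic ceiling exceeded"))
                continue
            if m.kind not in self.PERMISSIVES[self.mode]:
                self.rejected.append((m, f"not permitted in {self.mode.value} mode"))
                continue
            if m.kind == "setpoint":
                value = m.payload.get("value")
                if not isinstance(value, (int, float)) or value <= 0:
                    self.rejected.append((m, "invalid setpoint value"))
                    continue
                self.trip_setpoint = float(value)
            accepted += 1
        return accepted

    def cycle(self, measured: float, msgs):
        """One scan: the trip decision is computed first, then inbound messages are
        processed, so a flood of messages can never delay the safety function."""
        tripped = self.trip_logic(measured)
        accepted = self.handle_inbound(msgs)
        return tripped, accepted


def demo():
    """Constructed scenario: a nonsafety setpoint change is refused in OPERATE mode,
    accepted in INOP mode, and a burst of status requests is throttled."""
    ch = SafetyChannel(trip_setpoint=100.0)
    change = [Message("nonsafety", "setpoint", {"value": 200.0})]
    tripped_operate, acc_operate = ch.cycle(101.0, change)   # refused, still trips
    ch.mode = Mode.INOP
    tripped_inop, acc_inop = ch.cycle(101.0, change)         # accepted this cycle
    tripped_after, _ = ch.cycle(101.0, [])                   # new setpoint in effect
    ch.mode = Mode.OPERATE
    burst = [Message("nonsafety", "status_request") for _ in range(6)]
    _, acc_burst = ch.cycle(50.0, burst)                     # only 4 of 6 accepted
    return {
        "operate": (tripped_operate, acc_operate),
        "inop": (tripped_inop, acc_inop),
        "after": tripped_after,
        "burst": acc_burst,
        "setpoint": ch.trip_setpoint,
        "rejections": len(ch.rejected),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point the model makes is the one the text requires an applicant to demonstrate: the channel's trip decision is evaluated from its own state before any inbound traffic is touched, so a malformed, mistimed or excessive message from the nonsafety side is logged and dropped rather than delaying or altering the safety function, and a reconfiguration message only takes effect in the mode designed to accept it.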
The regulatory criteria for these requirements are found in Regulatory Guide 1.152, “Criteria for Digital Computers in Safety Systems of Nuclear Power Plants,” which endorses, with exceptions, IEEE 7-4.3.2-2003, “IEEE Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations.”