Reconfiguration of the I&C System
system, which rule out any reconfiguration without the required approval and without warning the operating personnel, are specified.
The operating personnel in the main control room are immediately warned when a system, SHC or channel becomes unable to perform its safety functions; at the same time, the relevant outputs of the safety I&C system are automatically set to a pre-specified logical state, determined and justified during the safety analysis, chosen so as to minimize the negative influence of the detected failure on the safety of the power unit.
Where the actions of the I&C system specified by the design for one operating or standby mode of the power unit could prevent its transfer to another mode, system reconfiguration is provided, for example the deliberate blocking of individual commands whose issue and execution become unnecessary and undesirable in the new mode (in the international standard IAEA, 2002, such blocks are called “operational bypasses”).
In the safety I&C system, operational bypasses are possible only after an authorized transfer of the SHC into a special mode and only for a limited period of time. Data on the SHC commands whose issue is locked by bypasses are archived and displayed in the main control room. Once the locking of a given command is no longer necessary, the initial system configuration is restored (the operational bypass fixed on the corresponding SHC output is disconnected).
Reconfiguration of the safety I&C system or of a normal operation system may also be required on detection of a sensor failure, a break in a connecting line, an unreliable received signal or message, etc., if the detected failure cannot be repaired promptly. In such cases an operational bypass is implemented by temporarily modifying the data processing algorithm so that information from the affected SHC input is no longer used.
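As an added illustration (not part of the source text and not any vendor's or regulator's code), the following Python model ties the preceding paragraphs together: a detected channel failure raises an immediate alarm and forces that channel's contribution to a pre-analysed safe state; an operational bypass can be set only in an authorized special mode, only for a limited time, and every set and clear is archived for display; a sensor-failure bypass removes one input from the processing algorithm rather than waiting for repair. The channel names, the one-hour bypass limit, the 2-out-of-3 voting logic and the choice of "actuate" as the safe state are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Assumption: the safety analysis fixed "actuate" (True) as the safe output state for this command.
SAFE_STATE = True
MAX_BYPASS_SECONDS = 3600.0   # assumed limit on how long an operational bypass may stay set
VOTES_NEEDED = 2              # assumed 2-out-of-3 majority logic


@dataclass
class Channel:
    name: str
    available: bool = True        # False once self-diagnostics detect a failure
    input_bypassed: bool = False  # sensor-failure bypass: this input is excluded from the vote


@dataclass
class SafetyGroup:
    channels: list
    special_mode: bool = False                     # authorized mode in which operational bypasses are allowed
    bypasses: dict = field(default_factory=dict)   # command -> model-clock time at which the bypass expires
    archive: list = field(default_factory=list)    # records that would be displayed in the main control room
    alarms: list = field(default_factory=list)     # immediate warnings to the operating personnel

    def _get(self, name: str) -> Channel:
        return next(ch for ch in self.channels if ch.name == name)

    def report_failure(self, name: str) -> None:
        """A detected channel failure: warn the operators at once; the channel's
        vote is forced to SAFE_STATE in evaluate()."""
        self._get(name).available = False
        self.alarms.append(f"channel {name} unavailable for safety function")

    def enter_special_mode(self, authorized: bool) -> bool:
        self.special_mode = authorized
        return authorized

    def set_operational_bypass(self, command: str, now: float, duration: float) -> bool:
        """Lock the issue of a command: only in the special mode, only for a limited time, always archived."""
        if not self.special_mode or not 0 < duration <= MAX_BYPASS_SECONDS:
            return False
        self.bypasses[command] = now + duration
        self.archive.append(("bypass_set", command, now, now + duration))
        return True

    def clear_operational_bypass(self, command: str, now: float) -> bool:
        """Restore the initial configuration once the lock is no longer needed."""
        if command not in self.bypasses:
            return False
        del self.bypasses[command]
        self.archive.append(("bypass_cleared", command, now))
        return True

    def bypass_sensor_input(self, name: str) -> None:
        """Sensor-failure bypass: drop this input from the processing algorithm instead of waiting for repair."""
        self._get(name).input_bypassed = True
        self.archive.append(("input_bypassed", name))

    def evaluate(self, command: str, inputs: dict, now: float) -> bool:
        """Compute the command output. Expired bypasses are cleared first; a locked
        command is never issued; a failed channel votes SAFE_STATE; a bypassed
        input is left out, so 2-out-of-3 degrades to 2-out-of-2."""
        for cmd, expiry in list(self.bypasses.items()):
            if now >= expiry:
                self.clear_operational_bypass(cmd, now)
        if command in self.bypasses:
            return False
        votes = []
        for ch in self.channels:
            if ch.input_bypassed:
                continue
            votes.append(SAFE_STATE if not ch.available else inputs[ch.name])
        return sum(votes) >= VOTES_NEEDED


def demo() -> dict:
    """Constructed walk-through of the three reconfiguration cases; returns the observable results."""
    g = SafetyGroup([Channel("A"), Channel("B"), Channel("C")])
    out = {}
    out["normal"] = g.evaluate("trip", {"A": True, "B": True, "C": False}, now=0.0)
    out["refused_without_mode"] = g.set_operational_bypass("trip", now=0.0, duration=100.0)
    g.enter_special_mode(True)
    out["refused_too_long"] = g.set_operational_bypass("trip", now=0.0, duration=MAX_BYPASS_SECONDS + 1)
    out["accepted"] = g.set_operational_bypass("trip", now=0.0, duration=100.0)
    out["locked"] = g.evaluate("trip", {"A": True, "B": True, "C": True}, now=10.0)
    out["after_expiry"] = g.evaluate("trip", {"A": True, "B": True, "C": True}, now=200.0)
    g.report_failure("A")
    out["failed_channel_biases_safe"] = g.evaluate("trip", {"A": False, "B": True, "C": False}, now=300.0)
    g.bypass_sensor_input("C")
    out["degraded_2oo2"] = g.evaluate("trip", {"A": False, "B": False, "C": True}, now=400.0)
    out["archive_len"] = len(g.archive)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two points the model makes visible are that the bypass is time-bounded by construction (an expired lock is cleared on the next evaluation, not left in place until someone remembers it) and that every change of configuration leaves an archive record, which is what the control-room display and any later review of the test period rely on.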
Reconfiguration of the I&C system can also become necessary for some tests performed during maintenance. Implementation of such changes (installation of “maintenance bypasses”) requires measures that rule out falsification of test results while the bypasses are installed and that ensure the absence of errors after the initial system configuration is restored (bypasses disconnected) at the final stage of maintenance (IAEA, 2002). In particular, procedures for sequentially deactivating the redundant channels of a safety control system and/or redundant SHC, contained in the
RELIABILITY OF I&C FUNCTIONS EXECUTION
Coping with Common Cause Failures
For safety I&C systems and SHC of safety class 2(A), measures are taken to cope with common cause failures, that is, the simultaneous failure, from one and the same cause, of two or more elements in different redundant parts, which could result in the failure of an I&C function of category A (failures are considered simultaneous when the interval between them is insufficient to restore the operability of the I&C system or SHC after each of them). For I&C systems and SHC of safety classes 3(B) and 3(C), requirements for coping with common cause failures are recommended.
The following are considered common cause failures:
• Occurrence of undetected (hidden) errors, which may be introduced during the design, development of hardware and software, production, delivery, assembly, integration, adjustment, maintenance and/or recovery of the I&C system.
• Interference between components of the I&C system or SHC through shared parts of the input, output, power supply or ground circuits