The single failure criterion is also used in the context of category B functions; in that case, however, the possibility of hidden operability failures is usually not considered.

Observance of Redundancy Principle

Observance of the determined reliability criteria and of the single failure criterion for category A functions is provided by redundancy (application of additional means and/or possibilities beyond those minimally required for function performance). Redundancy supposes the presence of several identical and different components forming redundant channels of an I&C system (or SHC), each of which may perform a required function independently of the technical state of the other channels. Redundancy is also provided for power supply, data sources and receivers, and connecting lines used for transmission of signals and messages between I&C systems, SHCs or channels taking part in performance of category A functions, especially those to which access is impossible during power unit operation (for example, those placed inside the containment).

The redundancy approach is selected in such a way that improving the reliability of performance of required functions is not accompanied by an increase in the probability of faulty actions, that is, an acceptable relation between the probabilities of failures of the “nonoperation” and “false operation” types is provided. Efficiency of redundancy is provided by:
• Observance of the independence principle for power supply of redundant channels, data sources and receivers, and connecting lines.
• Continuous automatic monitoring of the technical state of redundant channels and diagnostics of operability failures on the level of removable component parts of each
• Operability recovery by operative replacement of a failed removable part of a redundant channel without taking other channels out of operation.

Redundancy of the emergency reactor protection (ERP) function is performed in the following way:
• In the structure of the ERP system, at least two independent SHCs are provided, and in each SHC not less than three independent redundant channels.
• Power supply of each channel is provided through two inputs from different sources of reliable supply.
• Each channel has a complete set of input signals and generates an output signal by any of the specified conditions of initiating protective actions.
• In case of disconnection failure of one channel (without taking out of operation the whole SHC), at the output of this channel a trip signal should be automatically
• Each SHC should initiate protective actions by channel trip signals according to a logic condition selected by the results of safety analysis (minimum: “two-out-of-three”).
• A command initiating protective actions should be transferred from each SHC to the actuating system through at least two lines.
• The actuating system should execute the specified protective actions by a command obtained from any SHC.
• An SHC taken out of operation should not, under any conditions, issue commands initiating protective actions or prevent the actuating system from executing commands obtained from another SHC.
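The following Python sketch is an added example, not taken from the book. It models the ERP voting rules listed above (a failed channel outputs a trip, each SHC votes “two-out-of-three”, the actuating system acts on a command from any SHC in operation) and shows how the choice of k in k-out-of-n logic trades “nonoperation” against “false operation”. The function names, state labels and per-channel probabilities are assumptions made for illustration, and channel failures are assumed independent.

```python
from math import comb

def shc_trips(channels, k=2):
    """One SHC's vote. Each channel state is 'normal', 'trip' or 'failed'.
    A channel with a detected failure outputs a trip signal automatically."""
    votes = sum(1 for state in channels if state in ("trip", "failed"))
    return votes >= k

def erp_actuates(shcs, k=2):
    """shcs: list of (in_service, channels). The actuating system acts on a
    command from any SHC; an SHC taken out of operation issues no command
    and does not block the others."""
    return any(in_service and shc_trips(channels, k)
               for in_service, channels in shcs)

def at_least(m, n, p):
    """P(at least m of n independent channels are in a state of probability p)."""
    return sum(comb(n, i) * p**i * (1 - p)**(n - i) for i in range(m, n + 1))

def failure_probs(k, n, p_miss, p_spurious):
    """(P 'nonoperation', P 'false operation') of one k-out-of-n SHC.
    p_miss: a channel silently fails to trip on demand (undetected failure).
    p_spurious: a channel outputs a trip with no demand."""
    return at_least(n - k + 1, n, p_miss), at_least(k, n, p_spurious)

if __name__ == "__main__":
    # Constructed per-channel probabilities, for illustration only.
    for k in (1, 2, 3):
        miss, false_op = failure_probs(k, 3, 0.01, 0.01)
        print(f"{k}-out-of-3: nonoperation={miss:.6f} false operation={false_op:.6f}")
```

With these constructed inputs, one-out-of-three minimises nonoperation at the cost of frequent false operation, three-out-of-three does the reverse, and two-out-of-three keeps both probabilities low.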