Big Chemical Encyclopedia


Performance of safety functions

The safety functions executed on the controllers have been exclusively implemented using the Siemens S7 Distributed Safety Program tools. The main advantage of this approach is the availability to the programmer of a library of functional objects tested and certified to safety integrity level (SIL) 3 (according to IEC 61508). The safety program can only be implemented by the combination of these certified functional blocks. [Pg.456]

Two types of objects have been used to produce the LASS software: the safety matrix and the certified functional blocks. [Pg.456]

The SIL 3 certified functional blocks from the S7 library are instantiated and interconnected to create new blocks, which will be used in the program. However, the interconnection logic should be exhaustively tested in order to detect interconnection or design errors that would lead to an unsafe behavior of the system. Each functional block has been tested and certified SIL 3 by the German body TÜV. This is made possible by the fact that each functional block performs simple functions, as required by an interlock system. Conversely, complex mathematical operations are not permitted or possible in this type of environment. [Pg.457]
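The passage above draws a line between blocks that are trusted individually and the project-specific wiring between them, which is not. The following Python model, an added example that is not from the page or from Siemens, makes that concrete: a small interlock is composed from stand-in primitives (AND, OR, NOT, 2oo3 voter) treated as certified, and the composed logic is checked against an independent specification over every one of the 2^n input vectors, which is feasible precisely because the blocks only perform simple functions. The five input names, the permissive specification and the miswired variant are constructed for illustration.

```python
"""Exhaustive test of an interlock built from individually trusted function blocks.

Added example, not from the page or from Siemens. Each primitive block is treated
as certified; only the wiring between blocks is under test, so the composed logic
is compared with an independent specification over every input combination.
The block names, the five inputs and the interlock specification are constructed.
"""
from itertools import product
from typing import Callable, Dict, List

State = Dict[str, bool]


# Stand-ins for library blocks that are trusted in isolation.
def f_and(a: bool, b: bool) -> bool:
    return a and b


def f_or(a: bool, b: bool) -> bool:
    return a or b


def f_not(a: bool) -> bool:
    return not a


def f_2oo3(a: bool, b: bool, c: bool) -> bool:
    return int(a) + int(b) + int(c) >= 2


# Process inputs (constructed). The output is a de-energise-to-trip permissive:
# True = run allowed, False = trip.
INPUTS = ("pt_high_1", "pt_high_2", "pt_high_3", "maint_bypass", "estop")


def spec(s: State) -> bool:
    """Independent specification, written without reference to the block wiring:
    run is permitted only if no emergency stop is active, and either the maintenance
    bypass is set or fewer than two of three pressure transmitters read high."""
    high = (int(s["pt_high_1"]) + int(s["pt_high_2"]) + int(s["pt_high_3"])) >= 2
    return (not s["estop"]) and (s["maint_bypass"] or not high)


def interlock_correct(s: State) -> bool:
    """Intended interconnection of the certified blocks."""
    high = f_2oo3(s["pt_high_1"], s["pt_high_2"], s["pt_high_3"])
    pressure_ok = f_or(s["maint_bypass"], f_not(high))
    return f_and(f_not(s["estop"]), pressure_ok)


def interlock_miswired(s: State) -> bool:
    """Same certified blocks, one wiring error: the bypass is ORed at the output,
    so it also defeats the emergency stop. No block is faulty; only the wiring is."""
    high = f_2oo3(s["pt_high_1"], s["pt_high_2"], s["pt_high_3"])
    pressure_ok = f_not(high)
    return f_or(s["maint_bypass"], f_and(f_not(s["estop"]), pressure_ok))


def all_states() -> List[State]:
    """Every input vector: 2**len(INPUTS) combinations."""
    return [dict(zip(INPUTS, bits))
            for bits in product((False, True), repeat=len(INPUTS))]


def exhaustive_check(impl: Callable[[State], bool]) -> Dict[str, List[State]]:
    """Classify every disagreement between an implementation and the spec.

    'unsafe': implementation permits running where the spec trips.
    'spurious': implementation trips where the spec permits (nuisance trip;
    an availability problem rather than a safety one).
    """
    unsafe: List[State] = []
    spurious: List[State] = []
    for s in all_states():
        got, want = impl(s), spec(s)
        if got and not want:
            unsafe.append(s)
        elif want and not got:
            spurious.append(s)
    return {"unsafe": unsafe, "spurious": spurious}


if __name__ == "__main__":
    for name, impl in (("correct", interlock_correct), ("miswired", interlock_miswired)):
        r = exhaustive_check(impl)
        print(f"{name}: {len(r['unsafe'])} unsafe, {len(r['spurious'])} spurious "
              f"out of {len(all_states())} vectors")
```

The miswired variant fails only in the unsafe direction, and only on the vectors where both the bypass and the emergency stop are active, which is exactly the class of interconnection error that block-level certification cannot catch and that exhaustive testing of the composed logic does.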


SSCs which are relied on to remain functional following a design basis accident to ensure the continued performance of safety functions, or whose failure could prevent safety related SSCs from performing their safety related functions ... [Pg.4]

A small Boiling Water Reactor (BWR) design concept has been developed at GE which maximizes the use of BWR design, technology and operating experience. Modest innovations are included to simplify the performance of safety functions. These, as well as other system simplifications, and a reduced power rating less than 600 MW(e) can reduce total costs and speed construction. [Pg.160]

No moving mechanical parts are provided in the RAPID. The LEMs, LIMs and LRMs are passive systems that are driven by natural phenomena, such as volume expansion of lithium-6 and meltdown of the freeze seal. The reactor will be equipped with flow meter(s) and thermocouple(s) to monitor the primary flow rate and core outlet temperature; however, this instrumentation is only to monitor the reactor and has nothing to do with the performance of safety functions. Fig. XVI-8. [Pg.479]

This issue is directly related to the performance of safety functions by protection systems and other safety systems. [Pg.188]

Long term resolution to this issue will be achieved through the maintenance rule which requires 1) assessment of overall effect of out-of-service equipment on performance of safety functions and 2) balancing of component monitoring or preventive maintenance against system unavailability. [Pg.304]

Maximum authorized unavailability limits for operation of the research reactor shall be established for certain safety systems or components to ensure the required reliability in the performance of safety functions. The following measures shall be used, if necessary in combination, to achieve and maintain the required reliability, in accordance with the importance of the safety functions to be performed by the SSCs. Consideration shall be given to software systems as well as to hardware systems. [Pg.46]

Challenges: generalized mechanisms, processes or circumstances (conditions) that may have an impact on the intended performance of safety functions. Challenges are caused by a set of mechanisms having consequences that are similar in nature. [Pg.2]

Mechanisms: specific reasons, processes or situations whose consequences might create challenges to the performance of safety functions. [Pg.2]

This section describes the ageing mechanisms that can affect BWR RPVIs and evaluates the potential significance of the effects of these mechanisms on the continued performance of safety functions of the RPVIs throughout the plant service life. [Pg.50]


Function event trees include primarily the engineered safety features of the plant, but other systems provide necessary support functions. For example, electric power system failure could reduce the effectiveness of the RCS heat-removal function after a transient or small LOCA. Therefore, EP should be included among the systems that perform this safety function. Support systems such as component-cooling water and electric power do not perform safety functions directly. However, they significantly contribute to the unavailability of a system or group of systems that perform safety functions. It is necessary, therefore, to identify support systems for each front-line system and include them in the system analysis. [Pg.115]

Non-1E units shall be clearly separated from 1E units. Nevertheless, non-1E units may have to exchange data with 1E units. SPINLINE 3 makes it possible, thanks to the safety properties of the NERVIA network. These properties ensure that non-1E units can never prevent 1E units from performing their safety function. [Pg.29]

The first step in the acceptance process is the identification of the environment within which the pre-developed software will have to work. This environment is determined by the system-level safety function as described in the system requirements specification. The interface and performance requirements, as well as the safety category, should also be contained in the system requirements specification. This means that during the establishment of the plant safety design base a risk and hazards analysis has been performed which rendered the categories of safety functions to be implemented by pre-developed software. This risk and hazard analysis, in spite of being out of the scope of I&C engineering, has been taken as the first of four acceptance criteria that should be applied to pre-developed software independently of its safety category. [Pg.57]

The requirements for hazard and risk assessment are specified only in terms of the results of the task. This means that an organization may use any technique that it considers to be effective, provided it results in a clear description of safety functions and associated levels of performance. [Pg.26]

As stated above, the hazard and risk assessment and allocation may be concurrent activities, or allocation may in some circumstances take place prior to hazard and risk assessment. Decisions on the allocation of safety functions to safety layers are often taken on the basis of what has been found to be practicable by the user organization. Established industry good practice should also be taken into account. Decisions will then be taken on the safety instrumented systems, assuming credit for the other safety layers. For example, where relief valves have been installed and these have been designed and installed according to industry codes, it may then be decided that these are adequate on their own to achieve adequate risk reduction. Safety instrumented systems would then only limit pressure where the size or performance of the relief valve(s) was insufficient for the application or release to the atmosphere is to be prevented. [Pg.29]

It is required that the structural integrity and the safe shutdown functions of the neutron control assemblies are maintained for the OBE and SSE events. At the OBE level, the neutron control assemblies must be able to perform their safety function. Additionally, the ability to perform their power generation function during and after the earthquake should also be maintained. Their operation must be unaffected by any credible misalignment of the core control channels due to core deflections as a result of the seismic disturbance. A maximum misalignment of 7.6 cm (3 in) is allowed. At the SSE level, the neutron control assemblies must retain their safety function during and after the earthquake. The failure modes which could cause the seismic requirements not to be satisfied are identified as follows ... [Pg.173]

In addition, ex post social control in the form of various liability laws provides an independent basis for shaping industrial safety performance by posing the threat of liability when, for example, a company's behavior fails to meet a requisite standard of care and causes harm, or incurs harmful results which may lead to strict or no-fault liability under a prevailing legal doctrine. Although actual liability in either case necessarily requires the occurrence of harm and proof of causation, the threat of such liability may be sufficient to deter a company and others in its industrial sector from negligent or inferior performance of safety management functions, or cause them to reduce or eliminate hazardous aspects of their activities. ... [Pg.36]

In order to return to the performance of safety-sensitive functions, a driver must ... [Pg.81]

Stand down means a driver is temporarily removed from the performance of safety-sensitive functions based only on a report from a laboratory to the medical review officer (MRO) of a confirmed positive, adulterated, or substituted drug test. The removal of the driver from safety-sensitive functions happens before the MRO has completed verification of the test result. [Pg.94]

When following this chart without an exception, the designer must use two transmitters for SIL 2 and trip if either transmitter indicates a trip. When designing a SIL 3 SIF without an exception, the designer must use three transmitters or three valves, each capable of performing the safety function. [Pg.106]

Solution: The design has a hardware fault tolerance of 1, since one instrument can fail and the SIF can still perform the safety function. The SFF is between 60% and 90%; therefore the design qualifies for SIL 2. [Pg.110]
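The two passages above (the voting rule of thumb and the worked HFT/SFF solution) are instances of the architectural constraints of IEC 61508-2. The Python below is an added example, not from the page or from any vendor tool: it computes the safe failure fraction from a device's failure-rate split, derives hardware fault tolerance from an MooN voting arrangement, and looks up the highest SIL the Route 1H tables permit. It generalises the page's single case to both device types and all four SFF bands. The table values are reproduced from memory of IEC 61508-2 Tables 2 and 3 and must be checked against the standard before use; the page's solution (HFT 1, SFF in 60-90%, SIL 2) matches the Type B column, so Type B is assumed for the transmitters, and the failure-rate figures are constructed.

```python
"""Architectural-constraint check for a safety instrumented function (SIF) subsystem.

Added example, not from the page or any vendor tool. Computes SFF from a device's
failure-rate split, HFT from MooN voting, and the highest SIL the IEC 61508-2
Route 1H tables allow. Table values are recalled from IEC 61508-2 Tables 2 and 3
(assumption: verify against the standard); failure rates below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict

FIT = 1e-9  # failures per hour; 1 FIT = 1e-9 /h


@dataclass(frozen=True)
class FailureRates:
    """Failure-rate split of one device (any consistent unit, e.g. FIT)."""
    safe_detected: float
    safe_undetected: float
    dangerous_detected: float
    dangerous_undetected: float

    def total(self) -> float:
        return (self.safe_detected + self.safe_undetected
                + self.dangerous_detected + self.dangerous_undetected)

    def sff(self) -> float:
        """SFF = (lambda_total - lambda_DU) / lambda_total: everything except
        dangerous undetected failures counts as 'safe'."""
        return (self.total() - self.dangerous_undetected) / self.total()


# Highest SIL claimable, indexed by device type, SFF band, then HFT (0, 1, 2).
# 0 means not allowed at any SIL. Type A: simple devices with fully defined failure
# modes (relays, valves); Type B: complex devices (smart transmitters, logic
# solvers). Assumed values recalled from IEC 61508-2 Tables 2 and 3.
MAX_SIL = {
    "A": {"<60%": {0: 1, 1: 2, 2: 3},
          "60-90%": {0: 2, 1: 3, 2: 4},
          "90-99%": {0: 3, 1: 4, 2: 4},
          ">=99%": {0: 3, 1: 4, 2: 4}},
    "B": {"<60%": {0: 0, 1: 1, 2: 2},
          "60-90%": {0: 1, 1: 2, 2: 3},
          "90-99%": {0: 2, 1: 3, 2: 4},
          ">=99%": {0: 3, 1: 4, 2: 4}},
}


def sff_band(sff: float) -> str:
    """Map an SFF value onto the four bands used by the tables."""
    if sff < 0.60:
        return "<60%"
    if sff < 0.90:
        return "60-90%"
    if sff < 0.99:
        return "90-99%"
    return ">=99%"


def hft_from_voting(voting: str) -> int:
    """HFT of an MooN arrangement for the safety action: N - M channels may fail
    dangerously and the function is still performed. 1oo2 trips on either channel
    (HFT 1); 2oo2 needs both channels to trip, so its HFT is 0."""
    m = re.fullmatch(r"(\d+)oo(\d+)", voting)
    if not m:
        raise ValueError(f"expected MooN, got {voting!r}")
    need, have = int(m.group(1)), int(m.group(2))
    if not 1 <= need <= have:
        raise ValueError(f"invalid voting {voting!r}")
    return have - need


def max_sil(sff: float, hft: int, device_type: str) -> int:
    """Highest SIL the architectural constraints allow; the tables stop at HFT 2."""
    return MAX_SIL[device_type][sff_band(sff)][min(hft, 2)]


def check_subsystem(rates: FailureRates, voting: str, device_type: str,
                    target_sil: int) -> Dict[str, object]:
    """Evaluate one SIF subsystem (e.g. the sensor group) against a target SIL."""
    sff = rates.sff()
    hft = hft_from_voting(voting)
    allowed = max_sil(sff, hft, device_type)
    return {"sff": round(sff, 3), "sff_band": sff_band(sff), "hft": hft,
            "max_sil": allowed, "meets_target": allowed >= target_sil}


if __name__ == "__main__":
    # Constructed smart-transmitter figures giving SFF = 62.5% (the page's 60-90% band).
    tx = FailureRates(safe_detected=100 * FIT, safe_undetected=100 * FIT,
                      dangerous_detected=300 * FIT, dangerous_undetected=300 * FIT)
    for voting in ("1oo1", "1oo2", "2oo3", "1oo3"):
        print(voting, check_subsystem(tx, voting, "B", target_sil=2))
```

With these constructed rates a single Type B transmitter (1oo1, HFT 0) is capped at SIL 1, 1oo2 or 2oo3 (HFT 1) reaches SIL 2 as in the page's solution, and SIL 3 needs HFT 2 (1oo3) unless the SFF is raised into the 90-99% band by better diagnostics; the same device set rated as Type A would claim one SIL higher at each HFT, which is why the device classification must be justified, not assumed.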

Sharing of Structures, Systems, and Components. Safety class structures, systems, and components shall not be shared among nuclear facilities unless it can be shown that such sharing will not impair their ability to perform their safety functions, including, in the event of an accident in one nuclear facility, an orderly shutdown and cooldown of the remaining nuclear reactor facilities. [Pg.9]

A single failure of a passive component (assuming active components function properly), results in a loss of the capability of the system to perform its safety functions. [Pg.39]

Safety class structures, systems, and components should be designed to withstand the effects of natural phenomena, without loss of capability to perform their safety functions. [Pg.41]

Components may be withdrawn from service for repair, periodic maintenance or testing. For the systems they belong to, the SFC is not applicable during this limited time period. During this period, the combined frequency of postulated initiating event and loss of safety function, or the effect on the system's capability to perform its safety function, shall be demonstrated to be insignificantly low. [Pg.332]

The portions of the HCF that are below grade are not subject to winds or tornadoes, with the exception of the roll-up door entrance at the southwest corner of the facility, which faces west. This entrance performs no safety function and has no performance requirement. The above-grade HCF structures would be subjected to winds. Recommended wind speeds for performance category 1 or 2 structures are specified in DOE-STD-1020-94 as 78 miles per hour for Albuquerque. [Pg.58]

DOE Order 420.1, Facility Safety, requires the detailed application of that order's requirements to be guided by safety analyses that establish the identification and functions of safety (safety class and safety significant) structures, systems, and components (SSCs) for a facility and establish the significance of safety functions performed by those SSCs. It specifies that nuclear facilities shall be designed with the objective of providing multiple layers of protection to prevent or mitigate the unintended release of radioactive materials to the environment. The safety analyses must consider facility hazards, natural phenomena hazards, and external man-induced hazards. Paragraph 4.4.1 requires safety analyses for hazardous facilities to include the ability of SSCs and personnel to perform their intended safety functions under the effects of natural phenomena. DOE O 420.1 (DOE 1995) incorporates requirements from the cancelled DOE Orders 5480.28, 5480.7A, and 6430.1A (DOE 1993). [Pg.74]





© 2024 chempedia.info