SAFETY P R A C TIC E S - gnssn - International Atomic Energy Agency

More documents

Recommendations

Info

This publication is no longer validPlease see http://www-ns.iaea.org/standards/RedundancyThe design of the EPS must be adapted to the redundancy concept of the othersafety systems. This means in simple applications that the number of divisions in theEPS is the same as the number of divisions of safety systems it supplies. Examplesare:— 2 X 100% divisions of safety systems powered by 2 X 100% divisions of theEPS. This form of redundancy takes into account the single failure criterion.— 3 X 100% divisions of safety systems powered by 3 x 100% divisions of theEPS. This form of redundancy covers the combination of single failure, asabove, and simultaneous outage of one division — either in the EPS or thepowered safety systems — for maintenance.Another form of redundancy, which gives similar results to the example above,is a 4 X 50% division redundancy.Some components may not be connected to a single redundancy division. Suchcomponents, for example, are those which can be connected to either redundant division(e.g. spare converter). In other cases it is necessary to have redundant componentswithin one fluid system (e.g. redundant containment isolation valves) whichwould therefore have to be powered from different divisions of the EPS to meet thesingle failure criterion. In these cases the reviewer must verify that the redundantcomponents are physically separated by a sufficient distance and that appropriateisolation devices are incorporated.Basis for acceptanceCode, paras 329-336.Safety Guide 50-SG-D7, paras 307, 308, 401.Assessment questions(1) Is the redundancy such that for on-site power operation of the EPS, power canbe supplied to systems and components important to safety assuming unavailabilityof off-site power from the grid and a single failure within the EPS?(2) Is the number of divisions which are considered independent at least as largeas the largest number of functionally independent safety related system divisionswhich have to be supplied by the EPS?(3) What provisions are incorporated to permit the outage of one redundant divisionfor maintenance purposes without unacceptable increase of systemunavailability?(4) Has a quantitative outage time analysis identified the permissible outage periodfor one division?10
This publication is no longer validPlease see http://www-ns.iaea.org/standards/(5) Is a maintenance and test plan available which is consistent with the permissibleoutage periods?(6) Is the redundancy of the I&C system consistent with the redundancy of theEPS?3.2.3. Independence and physical separationBasis for acceptanceCode, paras 340-342, 345.Safety Guide 50-SG-D7, paras 309, 402-407.Assessment questions(1) Are the redundant divisions of the EPS, including control, instrumentation andprotection systems, sufficiently separated and independent from each other,both physically and electrically, to minimize the probability of common causefailures?(2) Are the redundant divisions housed in separate enclosures so as to protect themagainst the effects of all postulated initiating events considered in the designbasis, e.g. fire, chemical explosion, missiles and pipe ruptures?(3) Will the components of the redundant division of the EPS be qualified to withstandthe effects of environmental conditions identified for their locations, e.g.earthquakes, radiation, heat and humidity?(4) Are the vital supporting systems for a division of the EPS arranged so that afailure of such a system will not affect more than one redundant division, e.g.one switchgear room ventilation circuit for each division? Are the vitalsupporting systems designed to the same criteria as for those safety systemsand equipment that they support?(5) Are interconnections between redundant divisions of the EPS, where these arenecessary, made such that no single failure in an interconnection will causeredundant divisions to be connected? For example, where loads are arrangedto be supplied from either of two redundant divisions independently, is interlockingbetween the two divisions sufficient to ensure that no single failure inthe connection will cause the redundant divisions to be connected? Have theinterconnections been designed to avoid the propagation of failures or faultsin such loads to both divisions?(6) Is the EPS sufficiently independent with respect to the normal power suppliesthat no single failure will prevent the separation of the normal power suppliesand the connection of an adequate stand-by power supply to the EPS when itis required?11
Page 3: This publication is no longer valid
Page 9 and 10: This publication is no longer valid
Page 19: This publication is no longer valid
Page 70 and 71:
This publication is no longer valid
Page 72 and 73:
Page 74 and 75:
Page 76 and 77:
Page 78 and 79:
Page 80 and 81:
Page 82 and 83:
Page 84 and 85:
Page 86 and 87:
Page 88 and 89:
Page 90 and 91:
Page 92 and 93:
Page 94 and 95:
Page 96 and 97:
Page 98 and 99:
92-05131This publication is no long
Page 100:
show all

SAFETY P R A C TIC E S - gnssn - International Atomic Energy Agency

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?