September/October 2011
Standards

Proactive versus reactive standards for nuclear plant design

By Jeremy Shook and Mark Burzynski

Today, the U.S. nuclear industry is in the process of designing and licensing a new generation of nuclear power plants with modern, digital instrumentation and control (I&C) safety systems. These systems are being licensed against standards historically based on analog technology. At the same time, other process industries have adopted a newer set of standards for the design of safety instrumented systems (SIS) that reflect advances in I&C technology. While the nuclear industry has struggled in this area, the general process industry has been able to develop and implement standards for safety I&C systems that use various types of digital technology.

The ISA-84 series of standards addresses functional safety of safety instrumented systems through a more proactive approach, as opposed to the U.S. Nuclear Regulatory Commission's (NRC) reactive approach in its regulations. The NRC regulations regarding quality are high level in nature. However, there are other NRC requirements (10 CFR 50 Appendix B) and guidance documents (various regulatory guides, endorsed IEEE standards, and branch technical positions, or BTPs) on software quality management that would apply to a SIS. Take a look at how the two compare and contrast to get a broader perspective of both standards.

ANSI/ISA-84.00.01-2004 Part 1 (IEC 61511-1 MOD), Functional Safety: Safety Instrumented Systems for the Process Industry Sector - Part 1, is the primary standard in the U.S. for the design of SIS, which is based on IEC 61511. This standard is written specifically to deal with the types of technology typically found in I&C systems today, including electrical, electronic, and programmable electronic technology.

The scope includes requirements for the entire life cycle of a SIS, ensuring it can be confidently entrusted to place or maintain the process in a safe state. This starts with overall management of functional safety, going through SIS installation, operation, and decommissioning.

In comparison, the approach in the NRC requirements and guidance is generally a reactive approach, analyzing what is there to see if it is acceptable versus the ISA-84 approach of de:fining defense-in-depth diversity (D3) at the top and flowing it down.

The NRC's BTP 7-14 only addresses safety software and is generally silent on the broader life cycle in which the software must reside. By not addressing the whole system (while still recognizing the role that software plays as ISA-84 does), the remainder of the quality assurance under the NRC rules falls under 10 CFR 50 Appendix B, which is not well coordinated with BTP 7-14.

In contrast, ISA-84 considers the whole system, including sensors, logic solvers, and final elements. In addition, it provides a quality management and safety life-cycle framework for the entire system, while still recognizing the special role software plays. This approach is more integrated with greater assurance the SIS will perform its intended high-quality functions.

NRC requirements regarding D3 are also general in nature. General Design Criteria (GDC) 22 discusses the use of functional diversity to reduce the probability of a complete loss of the protection function. NRC guidance in BTP 7-19 provides more specifics with regard to acceptance criteria for software common cause failures.

ISA-84 deals with D3 proactively in two parts. First, the layers of protection (LOPs) are defined. The safety instrumented functions (SIFs) are defined as a result of the process hazard and risk assessment and are allocated to the various LOPs (i.e., defensive levels using nuclear terminology). In addition, the SIL level associated with each SIF is defined and allocated at the same time. This integrates the activities of the deterministic safety analysis and the probabilistic safety analyses performed in nuclear power plant design. Second, independence of the LOPs is specified and analyzed.

Reliability

NRC requirements regarding reliability include GDC 21 and IEEE Std 603 clauses 4i, 5.1, 5.6.1, and 5.15. While GDC 21 states "the protection system shall be designed for high functional reliability and in-service testability commensurate with the safety functions to be performed," in general, the reliability requirements are qualitative in nature and do not require quantitative reliability goals. Specifically, NRC requirements use the single failure criteria, along with independence between redundant divisions, to provide a certain measure of reliability in the performance of safety functions.

ISA-84 uses a qualitative and a quantitative approach for reliability, using the SIL concept. In this concept, a specific quantitative reliability goal is established for each SIF based on the level of risk reduction required. In addition, clause 11.4 specifies minimum hardware tolerance for a given SIL. It is interesting to note while in some cases SIL 1 functions do not require any tolerance to hardware failures, SIL 4 functions (the level at which many reactor trips and engineered safety features actuations may be specified), would require tolerance to three hardware failures at a minimum.

The primary advantage of the ISA-84 approach is in the treatment of independence. In the NRC approach, reliability is provided by the single failure criteria, which is ensured by redundancy and independence. The challenge in many recent reviews of digital safety I&C designs is how to achieve and demonstrate independence. With the ISA-84 approach, reliability is defined quantitatively with the SIL criteria, along with a qualitative hardware fault tolerance. As such, independence is not a specific requirement, but the degree of independence between redundant elements either simplifies or complicates the reliability analysis, which is the true design objective.

Only two main areas are not specifically discussed in the ISA-84 framework-support system operation (such as electrical, cooling water, and HVAC) and post-accident operation. Both stem from the fundamental difference in nuclear plants from typical process facilities, which is the generation of decay heat after reactor shutdown, and thus the need for continued operation of the SIS after initial accident mitigation.

ABOUT THE AUTHORS

Jeremy Shook is a I&C Engineering Discipline Lead at Areva in Charlotte, N.C. (jeremy.shook@areva.com) Mark Burzynski is a I&C Licensing Manager at Rolls-Royce in Chattanooga, Tenn. (mark.j.burzynski@ds-s.com) This article was edited from a paper entitled, "An Evaluation of ISA84 for Use in the Design and Licensing of Nuclear Power Plants," presented at the 54th ISA POWID Symposium in June 2011. Read the entire paper, attached below.