美国核监管会标准

IMPLEMENTATION Except in those cases in which a licensee proposes or has previously established an acceptable alternative method for complying with specified portions of the NRC s regulations the NRC staff will use the methods described in this Interim Staff Guidance ISG to evaluate licensee compliance with NRC requirements as presented in submittals in connection with applications for standard plant design certifications and combined licenses This ISG provides acceptable methods for addressing HICRc in digital I and 2 Regulatory Guide 1 152 which endorses IEEE 7 4 3 2 2003 with comments IEEE 603 1991 requires among other things independence among redundant safety channels and redundant safety systems to be independent of one another IEEE 7 4 3 2 2003 addresses digital communications NOTE Some provisions or IEEE 7 4 3 2 have been found to not be suitable for endorsement by the NRC In addition IEEE7 4 3 2 is currently undergoing revision and the final version may or may not be found to be suitable for endorsement and may or may not be consistent with the guidance provided herein 安全性或电厂安全分析 假设的一致性 在安全部门之间或安全 和互连非安全部门也应满足规定的内部指导通信 一到三点 均在 单独区域分开讨论 第四点和 前三点皆有关联 需要时和前三部 分一起讨论 Rational 为了准备这次临时人员指导方案 方案主要是依据 1 0 C F R 50 55a h 它调用 IEEE 603 1991 和 2 监督管理指南 1 152 即支持 IEEE 7 4 3 2 2003 评论 IEEE 603 1991 要求 冗余安全通道相互独立和冗余安全系统之间 是相互独立的 IEEE7 4 3 2 2003 地址数字通信 注 一些规定或 IEEE 7 4 3 2 被发现不适合由 NRC 撰写 此外 IEEE7 4 3 2 目前 正在修订和最终版本可能会或可能不会被发现是不适用及可能会 或可能不会与指导规定一致 The guidance provided herein adheres to the principles set forth in IEEE 603 1991 and IEEE 7 4 3 2 2003 by describing means for ensuring independence among redundant safety channels while permitting some degree of interconnection and commonality among those independent channels REFERENCES 1 10 C F R 50 55a h U S Code of Federal Regulations Part 50 55 Conditions of construction permits Title 10 Energy Washington DC U S Government Printing Office 2 Regulatory Guide 1 152 NRC 2006 Criteria for Digital Computers in Safety Systems of Nuclear Power Plants Washington D C U S Nuclear Regulatory Commission 3 IEEE 603 1991 Institute of Electrical and Electronics Engineers 1991 IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations Description New York Institute of Electrical and Electronics Engineers 本指导在 IEEE 603 1991 和 IEEE 7 4 3 2 2003 基础上 描述保证 冗余安全信道间的独立性而允许一定程度的互连和通用性的独立 通道之间的原则 Reference 1 10 C F R 50 55a h U S Code of Federal Regulations Part 50 55 Conditions of construction permits Title 10 Energy Washington DC U S Government Printing Office 2 Regulatory Guide 1 152 NRC 2006 Criteria for Digital Computers in Safety Systems of Nuclear Power Plants Washington D C U S Nuclear Regulatory Commission 3 IEEE 603 1991 Institute of Electrical and Electronics Engineers 1991 IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations Description New York Institute of Electrical and Electronics Engineers 4 IEEE 7 4 3 2 2003 4 IEEE 7 4 3 2 2003 Institute of Electrical and Electronics Engineers 2003 IEEE Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations New York Institute of Electrical and Electronics Engineers 1 INTERDIVISIONAL COMMUNICATIONS SCOPE As used in this document interdivisional communications includes transmission of data and information among components in different electrical safety divisions and communications between a safety division and equipment that is not safety related It does not include communications within a single division Interdivisional communications may be bidirectional or unidirectional STAFF POSITION Bidirectional communications among safety divisions and between safety and nonsafety equipment is acceptable provided certain restrictions are enforced to ensure that there will be no adverse impact on safety systems Systems which include communications among safety divisions and or bidirectional communications between a safety division and nonsafety Institute of Electrical and Electronics Engineers 2003 IEEE Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations New York Institute of Electrical and Electronics Engineers Interdivisional communication Scope 范围 内部间的通信 包括不同的电气安全组件之间数据和消息传递 和安全部门和非安全相关的设备之间的通信 它不包括在一个单 一的部门内部沟通 区域间的通信可以是双向或单向的 Staff position 对安全部门间双向通信和安全和非安全设备之间双向通信提供了 一定的可接受的限制 确保不会对安全系统存在不良影响 系统中 安全部门间的通信和 或安全部门和非安全设备之间的双 向通信应遵守以下所描述的指导 坚持每一点被申请人所证明和 被评审验证 此验证应包括详细的系统配置审查和软件规格 还 equipment should adhere to the guidance described in the remainder of this section Adherence to each point should be demonstrated by the applicant and verified by the reviewer This verification should include detailed review of the system configuration and software specifications and may also involve a review of selected software code 1 A safety channel should not be dependent upon any information or resource originating or residing outside its own safety division to accomplish its safety function This is a fundamental consequence of the independence requirements of IEEE603 It is recognized that division voting logic must receive inputs from multiple safety divisions 2 The safety function of each safety channel should be protected from adverse influence from outside the division of which that channel is a member Information and signals originating outside the division must not be able to inhibit or delay the safety function This protection must be implemented within the affected division rather than in the sources outside the division and must not itself be affected by any condition or information from outside the affected division This protection must be sustained despite any operation malfunction design error communication error or software error or corruption existing or originating outside the division 可能涉及特定的软件代码审查 1 一个安全通道不应依赖其安全分区以外的信息或资源实现其安 全功能 这是 IEEE603 所要求独立的最基本结果 还有公认的是 分区投票逻辑信息必须从多个安全部门接收输入 2 每一个安全通道的安全功能应防止通道外部的不利的影响 安全区以外的信息和信号源必须不能抑制或延缓安全功能 这种 保护必须在受影响的部门实现 而非区域以外 受影响区自身 必须不受本身之外的信息和状况所影响 不管区域外任何操作如 故障 设计错误 通信错误 或软件错误 安全保护措施必须持 续有效 3 A safety channel should not receive any communication from outside its own safety division unless that communication supports or enhances the performance of the safety function Receipt of information that does not support or enhance the safety function would involve the performance of functions that are not directly related to the safety function Safety systems should be as simple as possible Functions that are not necessary for safety even if they enhance reliability should be executed outside the safety system A safety system designed to perform functions not directly related to the safety function would be more complex than a system that performs the same safety function but is not designed to perform other functions The more complex system would increase the likelihood of failures and software errors Such a complex design therefore should be avoided within the safety system For example comparison of readings from sensors in different divisions may provide useful information concerning the behavior of the sensors for example On Line Monitoring Such a function executed within a safety system however could also result in unacceptable influence of one division over another or could involve functions not directly related to the safety functions and should not be executed within the safety system Receipt of information from outside the division and the performance of functions not directly related to the safety function if used should be justified It should be demonstrated that the added system software complexity associated with the performance of functions not directly related to the safety function and with the receipt 3 安全通道不应得到其自身以外任何通信影响 除非该通信支持 或增强的安全功能的性能 接受不支持或增强的安全功能的信息 会影响不是与安全相关的 功能的性能 安全系统应该尽可能的简单 不是负责安全功能的 功能模块 即使他们能提高系统的可靠性 都应在安全系统外运 行 设计用来执行安全的功能但是不直接与安全相关安全系统 比直接安全相关的安全系统复杂 这不久叫做设计失败么 更 复杂的系统会增加故障和软件错误的可能性 这样一个复杂失败 的设计 应避免出现在安全系统中 例如 不同部门传感器的读 数的对比可能会给相关传感器的行为提供有用的信息 例如 在 线监测 这种功能不应在安全系统内执行 可能会给其他部门 带来不可接受的影响 或可能影响不直接与安全相关的功能 接受区域外的信息 和不直接与安全功能相关的功能的表现 如 果被使用 应是合理的功能 需要证明的是 即使增加与安全功 能 非直接相关的功能 及其接受支持这些功能的信息性能表现 相关系统 或者软件的复杂性也不会显著地增加软件代码的长度 或者是编码错误 其中包括影响多个功能区域的错误 申请人 必须在他的申请书里证明他定义的 显著 是恰当的 of information in support of those functions does not significantly increase the likelihood of software specification or coding errors including errors that would affect more than one division The applicant should justify the definition of significantly used in the demonstration 4 The communication process itself should be carried out by a communications processorii separate from the processor that executes the safety function so that communications errors and malfunctions will not interfere with the execution of the safety function The communication and function processors should operate asynchronously sharing information only by means of dual ported memory or some other shared memory resource that is dedicated exclusively to this exchange of information The function processor the communications processor and the shared memory along with all supporting circuits and software are all considered to be safety related and must be designed qualified fabricated etc in accordance with 10 C F R Part 50 Appendix A and B Access to the shared memory should be controlled in such a manner that the function processor has priority access to the shared memory to complete the safety function in a deterministic manner For example if the communication processor is accessing the shared memory at a time when the function processor needs to access it the function processor should gain access within a timeframe that does not impact the loop cycle time assumed in the plant safety analyses If the shared memory cannot support unrestricted simultaneous access by both processors then the access 4 通信过程应该用通信处理器处理 而通信处理器与安全功能的 处理器相互分开 这样通信错误和故障不会影响安全功能 通信 功能的处理器异步操作 只有通过特定信息交流双端口存储器或 其他共享存储资源方式通信 功能处理器 通信处理器 和共享 内存 以及所有的配套电路和软件 都被认为是与安全相关的 而且必须是按照 10 C F R Part 50 Appendix A and B 标准设计 检 测 调试等 访问共享内存应该以这样的规则 控制安全功能的 处理器访问内存的有优先权 例如 如果通信处理器访问共享内 存的时候 安全功能的处理器需要访问它 功能处理器应该不影 响循环时间在电厂的安全分析的时候获得访问权 如果共享内存 区无法支持两个处理器无限制的同时访问 那么应该设置安全功 能处理器总是优先使用内存 安全功能的电路和程序逻辑 应确保 安全功能将在安全分析时间内运行 并将顺利完成 没有因为安 全功能处理器无法获得共享内存而存在堆积的数据 controls should be configured such that the function processor always has precedence The safety function circuits and program logic should ensure that the safety function will be performed within the timeframe established in the safety analysis and will be completed successfully without data from the shared memory in the event that the function processor is unable to gain access to the shared memory 5 The cycle time for the safety function processor should be determined in consideration of the longest possible completion time for each access to the shared memory This longest possible completion time should include the response time of the memory itself and of the circuits associated with it and should also include the longest possible delay in access to the memory by the function processor assuming worst case conditions for the transfer of access from the communications processor to the function processor Failure of the system to meet the limiting cycle time should be detected and alarmed 6 The safety function processor should perform no communication handshaking and should not accept interrupts from outside its own safety division 7 Only predefined data sets should be used by the receiving system Unrecognized messages and data should be identified and dispositioned by the receiving system in accordance with the pre specified design requirements Data from unrecognized messages 5 安全功能处理器的周期应该考虑处理器获得内存使用权可能的 最长时间 这个最长可能完成时间应该包括 存储器本身和它相 关电路的响应时间 应该也包括各种可能存在的最糟糕情况下处 理器获得内存的最长时延 在限制的周期时间能系统的失败应该 是可以被检测和报警的 6 安全功能的处理器应该不执行通信握手 不应该接受自己安全 部门以外的中断 7 只有按照预先设定数据才能被接收系统使用 不确认的消息不 经过安全功能处理器执行安全逻辑检验的数据是禁止使用的 报 文格式和协议应预先确定 每个消息都应该有同样的消息字段的 结构和序列 包括报文识别 状态 数据位 等 must not be used within the safety logic executed by the safety function processor Message format and protocol should be pre determined Every message should have the same message field structure and sequence including message identification status information data bits etc in the same locations in every message Every datum should be included in every transmit cycle whether it has changed since the previous transmission or not to ensure deterministic system behavior 8 Data exchanged between redundant safety divisions or between safety and nonsafety divisions should be processed in a manner that does not adversely affect the safety function of the sending divisions the receiving divisions or any other independent divisions 9 Incoming message data should be stored in fixed predetermined locations in the shared memory and in the memory associated with the function processor These memory locations should not be used for any other purpose The memory locations should be allocated such that input data and output data are segregated from each other in separate memory devices or in separate pre specified physical areas within a memory device 10 Safety division software should be protected from alteration while the safety division is in operation On line changes to safety system software should be prevented by hardwired interlocks or by physical disconnection of maintenance and monitoring equipment A 每个数据应包括在每个传输周期内 是否已从以前的传输或没有 改变 以确保确定性系统的行为 8 冗余安全部门之间或安全和非安全部门之间数据传递 应以 不影响的安全系统的发送部门 接收部门 或任何其他区域的安 全性 9 接受的信息数据将存储在与安全处理器相关的固定的共享内存 预定地址中 这些内存地址不应被用于任何其他目的 存储器地 址应这样分配 输入数据和输出数据都是分开存储在不同的存储 设备 或在单独的预先指定的存储装置内的物理地址内 10 安全部门在操作时安全部门的软件应防止变更 系统安全软件 在线的改变应该可以通过硬联锁 或者维修和监视设备物理切断 阻止 一个工作站 如工程师或程序员站 只有通过本指南中所 workstation e g engineer or programmer station may alter addressable constants setpoints parameters and other settings associated with a safety function only by way of the dual processor shared memory scheme described in this guidance or when the associated channel is inoperable Such a workstation should be physically restricted from making changes in more than one division at a time The restriction should be by means of physical cable disconnect or by means of keylock switch that either physically opens the data transmission circuit or interrupts the connection by means of hardwired logic Hardwired logic as used here refers to circuitry that physically interrupts the flow of information such as an electronic AND gate circuit that does not use software or firmware with one input controlled by the hardware switch and the other connected to the information source the information appears at the output of the gate only when the switch is in a position that applies a TRUE or 1 at the input to which it is connected Provisions that rely on software to effect the disconnection are not acceptable It is noted that software may be used in the safety system or in the workstation to accommodate the effects of the open circuit or for status logging or other purposes 11 Provisions for interdivisional communication should explicitly preclude the ability to send software instructions to a safety function processor unless all safety functions associated with that processor are either bypassed or otherwise not in service The progress of a safety function processor through its instruction sequence should not be 描述的双处理器 共享存储器方案或者是相关通道不可操作时 才 可能会改变寻址常数 设定值 安全相关的其他设定值 这种工 作站应该被物理上的限制多个区域同时作出改变 限制应该是通 过物理线路断开 或者是通过钥匙锁定开关实现物理上断开传输 回路或中断硬连线逻辑连接 硬线逻辑 用在这里是指物理上 切断电路信息流通 如 一个硬件控制输入开关与信息源电子相与 的门电路 不使用软件或固件 信息出现在输出门只有当开关 是在一个位置 只有开关输入一个 真 或 1 信息才会输出 依靠软件断开连接的规定是不可接受的 值得注意的是 软件也 是可用于安全系统或工作站适应影响的开路或状态记录或其他用 途 11 区域间通信的规则 除非所有的安全功能处理器是被忽略或 是不可用 否则应明确排除发送安全软件指令到安全处理器的能 力 安全处理器的处理指令的进程 不应该被任何器区域以外的信 affected by any message from outside its division For example a received message should not be able to direct the processor to execute a subroutine or branch to a new instruction sequence 12 Communication faults should not adversely affect the performance of required safety functions in any way Faults including communication faults originating in nonsafety equipment do not constitute single failures as described in the single failure criterion of 10 C F R Part 50 Appendix A Examples of credible communication faults include but are not limited to the following Messages may be corrupted due to errors in communications processors errors introduced in buffer interfaces errors introduced in the transmission media or from interference or electrical noise Messages may be repeated at an incorrect point in time Messages may be sent in the incorrect sequence Messages may be lost which includes both failures to receive an uncorrupted message or to acknowledge receipt of a message Messages may be delayed beyond their permitted arrival time window for several reasons including errors in the transmission medium congested transmission lines interference or by delay in 息影响 例如 被接收到的消息是不能直接让处理器执行一个子 程序或分到一个新的指令序列 12 通信故障无论如何都不能影响所要求的安全功能的性能 按照 10 C F R Part 50 Appendix A 所描述的 故障 包括通信故障 源于非安全设备 不构成 单一故障 可靠通信故障的例子包 括但不限于以下 由于通信处理器错误 缓冲接口引入错误 传输媒介引入的错误 或从干扰或电气噪声引入错误 信息可能已被损坏 消息可能在一个不正确的节点重复 消息不按正确的顺序发送 消息可能会丢失 包括没有接受到完整的消息或没有得到确认收 到的消息 消息可能会延迟超过允许的到达时间窗口数的原因包括 传输中 的错误 拥挤的传输线 干扰 或通过发送缓冲的消息延迟 通信介质中可能被注入意料之外或者是来源不明的消息 sending buffered messages Messages may be inserted into the communication medium from unexpected or unknown sources Messages may be sent to the wrong destination which could treat the message as a valid message Messages may be longer than the receiving buffer resulting in buffer overflow and memory corruption Messages may contain data that is outside the expected range Messages may appear valid but data may be placed in incorrect locations within the message Messages may occur at a high rate that degrades or causes the system to fail i e broadcast storm Message headers or addresses may be corrupted 13 Vitaliii communications such as the sharing of channel trip decisions for the purpose of voting should include provisions for ensuring that received messages are correct and are correctly understood Such communications should employ error detecting or error correcting coding along with