EN 60709-2010 en Nuclear power plants - Instrumentation and control systems important to safety - Separation《核电站 对安全重要的仪器和控制系统 隔离》.pdf

1、BRITISH STANDARDBS EN 60709:2010 Nuclear power plants Instrumentation and control systems important to safety SeparationICS 27.120.20 g49g50g3g38g50g51g60g44g49g42g3g58g44g55g43g50g56g55g3g37g54g44g3g51g40g53g48g44g54g54g44g50g49g3g40g59g38g40g51g55g3g36g54g3g51g40g53g48g44g55g55g40g39g3g37g60g3g38g

2、50g51g60g53g44g42g43g55g3g47g36g58National forewordThis British Standard is the UK implementation of EN 60709:2010. It is identical to IEC 60709:2004. It supersedes BS IEC 60709:2004, which is withdrawn.The UK participation in its preparation was entrusted to Technical Committee NCE/8, Reactor instr

3、umentation.A list of organizations represented on this committee can be obtained on request to its secretary.This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.Compliance with a British Standard cannot confer imm

4、unity from legal obligations.BS EN 60709:2010This British Standard was published under the authority of the Standards Policy andStrategy Committee on 10 November 2004 BSI 2010Amendments/corrigenda issued since publicationDate Comments 31 August 2010 This corrigendum renumbers BS IEC 60709:2004 as BS

5、 EN 60709:2010ISBN 978 0 580 68113 4EUROPEAN STANDARD EN 60709 NORME EUROPENNE EUROPISCHE NORM May 2010 CENELEC European Committee for Electrotechnical Standardization Comit Europen de Normalisation Electrotechnique Europisches Komitee fr Elektrotechnische Normung Management Centre: Avenue Marnix 17

6、, B - 1000 Brussels 2010 CENELEC - All rights of exploitation in any form and by any means reserved worldwide for CENELEC members. Ref. No. EN 60709:2010 E ICS 27.120.20 English version Nuclear power plants - Instrumentation and control systems important to safety - Separation (IEC 60709:2004) Centr

7、ales nuclaires de puissance - Systmes dinstrumentation et de contrle commande importants pour la sret - Sparation (CEI 60709:2004) Kernkraftwerke - Leittechnische Systeme mit sicherheitstechnischer Bedeutung - Physikalische und elektrische Trennung (IEC 60709:2004) This European Standard was approve

8、d by CENELEC on 2010-05-01. CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such nationa

9、l standards may be obtained on application to the Central Secretariat or to any CENELEC member. This European Standard exists in three official versions (English, French, German). A version in any other language made by translation under the responsibility of a CENELEC member into its own language a

10、nd notified to the Central Secretariat has the same status as the official versions. CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,

11、Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland and the United Kingdom. Foreword The text of the International Standard IEC 60709:2004, prepared by SC 45A, Instrumentation and control of nuclear facilities, of I

12、EC TC 45, Nuclear instrumentation, was submitted to the CENELEC formal vote for acceptance as a European Standard and was approved by CENELEC as EN 60709 on 2010-05-01. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CEN and CENEL

13、EC shall not be held responsible for identifying any or all such patent rights. The following dates were fixed: latest date by which the EN has to be implemented at national level by publication of an identical national standard or by endorsement (dop) 2011-05-01 latest date by which the national st

14、andards conflicting with the EN have to be withdrawn (dow) 2013-05-01 Annex ZA has been added by CENELEC. As stated in the nuclear safety Directive 2009/71/EURATOM, Chapter 1, Article 2, item 2, Member States are not prevented from taking more stringent safety measures in the subject-matter covered

15、by the Directive, in compliance with Community law. In a similar manner, this European Standard does not prevent Member States from taking more stringent nuclear safety measures in the subject-matter covered by this European Standard.” _ Endorsement notice The text of the International Standard IEC

16、60709:2004 was approved by CENELEC as a European Standard without any modification. 2BS EN 60709:2010EN 60709:2010 (E)CONTENTS INTRODUCTION. 4 1 Scope. 7 2 Normative references . 7 3 Terms and definitions . 8 4 General principles for separation within I in Clause 5, to establish design basis criteri

17、a for I in Clause 6, to give requirements to be fulfilled for cabling separation within an I this subset is to be identified at the beginning of any project. Where independence is required by general safety standards such as IAEA safety guides or IEC 61513, one aspect of achieving this independence

18、is physical separation between the systems and their equipment that perform functions important to safety. This standard defines the assessments needed and the technical requirements to be met for I between systems of the same safety category; between redundant safety groups of the same I from syste

19、ms of lower category to systems of higher category and in some specific cases from systems of higher category to systems of lower category. The types of possible failure-initiating events contained in the following subclauses shall be taken into consideration (i.e. identified, documented and justifi

20、ed). Adequate provisions shall be made in the I the major weaknesses of existing I the existing separation, or feasible improvements of separation, shall be evaluated through a systematic methodology, recognising particular strengths or alternatives to the requirements of this standard; an alternati

21、ve set of separation rules may be established, recognising and justifying existing conditions proven through records of plant operation; alternative technologies shall be presented and evaluated in the case of special plant situations; e.g. through use of barriers, optical cabling, distribution of t

22、he I identification of subsystems, which can be separated without the need of intermediate interfaces; suitability of the existing separation to the new I cable routing limits and an evaluation of the needs coming from new technologies for special cable trays for fibre optic cables, bus cables and r

23、equirements for separation. Guidance for the decision on upgrading and modernisation of I b) barriers when used between redundant systems or cables shall have a fire rating commensurate with the fire hazard protection requirements. 5.2 Environmental conditions during and after accidents I b) open ci

24、rcuits; c) application of the maximum a.c. or d.c. potential that could reasonably occur, considering potentials and sources available in both the category A and non-category A systems; d) electromagnetic and electrostatic interference. The properties of an isolation device shall include tolerance o

25、f and isolation for the electrical surges and spikes defined in IEC 61000-6-5; tolerance and isolation for EMI to IEC 61000-6-5; simple barriers between close or adjacent terminals or contact groups on relay equipment used for electrical isolation; prevention of transmission of excessively high or d

26、amaging voltages. In this context, an assessment should be done of the maximum voltage that could be envisaged under normal and faulted conditions, and its potential effects on the equipment important to safety when applied to the isolation device terminals of the circuit of lesser importance to saf

27、ety. Precautions should also be taken to minimise the possibility that failure in a non-category A system causes spurious or premature actuation of a category A function. 5.3.3 Actuation priority Where plant equipment that is controlled by a category A system is also controlled by signals from a low

28、er category system, isolation devices shall be provided which ensure priority of the category A system actions over those of the lower category system. Failures of, or normal actions by, the lower category system shall not interfere with the category A functions under plant conditions requiring succ

29、ess of those category A functions. The priority isolation devices shall be categorised as part of the category A system. Failures and mal-operations in the non-category A systems shall cause no change in response, drift, accuracy, sensitivity to noise, or other characteristics of the category A syst

30、em which might impair the ability of the system to perform its safety functions. Where signals are extracted from category B or C systems for use in lower category systems, isolation devices may not be required; however, good engineering practices should be followed to prevent the propagation of fau

31、lts. In cases where systems performing category B functions need to take on the aspects of category A systems due to the functions performed, isolation shall be applied. Fibre optic communications provide a very effective means of achieving electrical isolation, and should be applied wherever practi

32、cal. 14BS EN 60709:2010EN 60709:2010 (E)5.4 Independence from control systems The use of category A system signals in control systems (regardless of category) requires precautions beyond those required when category A system signals are used only for monitoring or protection purposes. A sensor failu

33、re could cause a control system measured value outside the demand tolerance, and a consequent unsafe control action, while preventing detection of the unsafe condition by the protection system. The protection system and the control system shall be designed so that a postulated single failure includi

34、ng consequential failures concerning signals transferred between these two systems cannot cause an accident or transient requiring safety action and, at the same time, cause unacceptable degradation of the category A system. For the case where a single random failure, and any consequential failures,

35、 within the category A system could cause a control system action that results in a condition requiring safety action, then the category A system should be capable of providing this action even when degraded by a second random failure. Provisions shall be included so that this requirement can still

36、be met if a component or assembly is by-passed or removed from service for any reason including test or maintenance purposes. Acceptable provisions will depend on the type of reactor and on the possible failures. They include reducing the required majority voting coincidence when sensor failure or e

37、quipment faults are detected, removing the control signals taken from the redundant components or assemblies when the signals are determined to not represent the true process condition, initiating a safety action from the safety logic assembly, thus putting the plant in a state no longer adversely i

38、mpacted by the control system action, providing protection by use of different physical parameters. A one from two voted protection system providing control signals will require justification by trade-off arguments (see 4.7), even if effective bypasses and high sensor and equipment reliability with

39、proof testing is claimed. A two from three voted system can meet the requirements with fail-safe equipment and automatic detection of failed sensors if suitable bypass facilities are used during maintenance. Where it can be shown that, due to the original event, the simultaneous failure of redundant

40、 safety monitoring assemblies is unlikely, safety monitoring assemblies which compare signals may be provided. These safety monitoring assemblies shall provide an indication, alarm or safety action signal or make the logic more restrictive when one signal deviates excessively from other redundant si

41、gnals of the same plant condition or parameter. The safety monitoring assemblies which perform the comparison shall be provided with adequate isolation to prevent interaction between redundant channels. An example of this involves sending all sensor values to each redundant safety system channel. Ea

42、ch channel then compares the values to detect out-of-line or abnormal values. Each channel may then vote all sensors values, or detect the most adverse sensor in each channel for the voted action. The sensors which are detected as faulty should be alarmed and the values may be made available for dis

43、play. 15BS EN 60709:2010EN 60709:2010 (E)6 Requirements for cabling separation 6.1 General requirement Redundant portions of category A systems shall be designed and installed in such a way that the single events specified in all subclauses of Clause 4 cannot result in a failure of the category A fu

44、nction. Redundant portions of category B systems shall be designed and installed in such a way that the single events specified in 4.2 and 4.3 cannot result in a failure of the category B function. Treatment of failure initiating events specified in 4.4 and 4.5 to category B systems shall be on a ca

45、se by case basis as discussed in the general principles (Clause 4). The items in the following subclauses shall be taken into account. 6.2 Separation Separation shall be achieved by safety structures, barriers or physical distance or by any combination of these methods. 6.2.1 Separation of redundant

46、 cables inside the I any given route, tray, conduit, duct, vertical duct or penetration shall carry or contain only cables of the same redundant group; for the I for plant failure and external failure events (see 4.4 and 4.5), such as fire or structure collapse, greater physical separation including

47、 barriers and/or safety structures shall be applied. 6.2.2 Lesser separation distances Lesser separation distances than those specified in 6.2.1 may be established by analysis of the proposed cable installation. The analysis should be based on tests performed to determine the flame retardant charact

48、eristics of the proposed cable installation considering features such as insulation and jacket materials, raceway fill, raceway types, and arrangements. For lesser separation distances in hazardous areas, the degree of hazards (such as size of the fire or pipe break) and mitigating measures (such as

49、 sprinklers) should be considered. 16BS EN 60709:2010EN 60709:2010 (E)6.2.3 Associated circuits When functions are classified according to the requirements of IEC 61226, it will often be the case that a given system or set of equipment will perform functions of different categories. Also, certain functions of a lower category may have a very close relationship to category A functions, for example process monitoring based on the same measurements as safety functions. The requirements stated earlier in this document g