1、raising standards worldwideNO COPYING WITHOUT BSI PERMISSION EXCEPT AS PERMITTED BY COPYRIGHT LAWBSI Standards PublicationNuclear power plants Instrumentation and controlimportant to safety Data communication in systems performing category A functionsBS EN 61500:2011National forewordThis British Sta
2、ndard is the UK implementation of EN 61500:2011.The UK participation in its preparation was entrusted to Technical CommitteeNCE/8, Reactor instrumentation.A list of organizations represented on this committee can be obtained onrequest to its secretary.This publication does not purport to include all
3、 the necessary provisions of acontract. Users are responsible for its correct application. BSI 2011ISBN 978 0 580 70693 6ICS 27.120.20Compliance with a British Standard cannot confer immunity fromlegal obligations.This British Standard was published under the authority of the StandardsPolicy and Str
4、ategy Committee on 31 January 2010Amendments/corrigenda issued since publicationBRITISH STANDARDBS EN 61500:2011Date Text affected31 October 2011 This corrigendum renumbers BS IEC 61500:2009 as BS EN 61500:2011It supersedes BS IEC 61500:2009, which is withdrawn.EUROPEAN STANDARD EN 61500 NORME EUROP
5、ENNE EUROPISCHE NORM August 2011 CENELEC European Committee for Electrotechnical Standardization Comit Europen de Normalisation Electrotechnique Europisches Komitee fr Elektrotechnische Normung Management Centre: Avenue Marnix 17, B - 1000 Brussels 2011 CENELEC - All rights of exploitation in any fo
6、rm and by any means reserved worldwide for CENELEC members. Ref. No. EN 61500:2011 E ICS 27.120.20 English version Nuclear power plants - Instrumentation and control important to safety - Data communication in systems performing category A functions (IEC 61500:2009) Centrales nuclaires de puissance
7、- Instrumentation et contrle-commande importants pour la sret - Communication de donnes dans les systmes ralisant des fonctions de catgorie A (CEI 61500:2009) Kernkraftwerke - Leittechnik mit sicherheitstechnischer Bedeutung - Datenkommunikation in Systemen, die Kategorie-A-Funktionen ausfhren (IEC
8、61500:2009) This European Standard was approved by CENELEC on 2011-08-08. CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibl
9、iographical references concerning such national standards may be obtained on application to the Central Secretariat or to any CENELEC member. This European Standard exists in three official versions (English, French, German). A version in any other language made by translation under the responsibili
10、ty of a CENELEC member into its own language and notified to the Central Secretariat has the same status as the official versions. CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic, Denmark, Estonia, Finland, France, Germa
11、ny, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland and the United Kingdom. Foreword The text of the International Standard IEC 61500:2009, prepared by SC 45A, Instrumen
12、tation and control of nuclear facilities, of IEC TC 45, Nuclear instrumentation, was submitted to the formal vote and was approved by CENELEC as EN 61500 on 2011-08-08 without any modification. Attention is drawn to the possibility that some of the elements of this document may be the subject of pat
13、ent rights. CEN and CENELEC shall not be held responsible for identifying any or all such patent rights. The following dates were fixed: latest date by which the EN has to be implemented at national level by publication of an identical national standard or by endorsement (dop) 2012-08-08 latest date
14、 by which the national standards conflicting with the EN have to be withdrawn (dow) 2014-08-08 As stated in the nuclear safety directive 2009/71/EURATOM, Chapter 1, Article 2, item 2, Member States are not prevented from taking more stringent safety measures in the subject-matter covered by the Dire
15、ctive, in compliance with Community law. In a similar manner, this European standard does not prevent Member States from taking more stringent nuclear safety measures in the subject-matter covered by this standard. Annex ZA has been added by CENELEC. _ Endorsement notice The text of the Internationa
16、l Standard IEC 61500:2009 was approved by CENELEC as a European Standard without any modification. In the official version, for Bibliography, the following notes have to be added for the standards indicated: IEC 60068 series NOTE Harmonized in EN 60068 series (not modified). IEC 60721 series NOTE Ha
17、rmonized in EN 60721 series (not modified). IEC 60964 NOTE Harmonized as EN 60964. IEC 60965 NOTE Harmonized as EN 60965. IEC 61158-3-19 NOTE Harmonized as EN 61158-3-19. IEC 61508-1 NOTE Harmonized as EN 61508-1. IEC 61508-2 NOTE Harmonized as EN 61508-2. IEC 61508-3 NOTE Harmonized as EN 61508-3.
18、IEC 61508-4 NOTE Harmonized as EN 61508-4. IEC 61784-3 NOTE Harmonized as EN 61784-3. IEC 62138 NOTE Harmonized as EN 62138. _ BS EN 61500:2011 EN 61500:2011 (E) 2 Annex ZA (normative) Normative references to international publications with their corresponding European publications The following ref
19、erenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. NOTE When an international publication has been modified by common
20、 modifications, indicated by (mod), the relevant EN/HD applies. Publication Year Title EN/HD Year IEC 60709 - Nuclear power plants - Instrumentation and control systems important to safety - Separation EN 60709 - IEC 60780 1998 Nuclear power plants - Electrical equipment of the safety system - Quali
21、fication - - IEC 60880 2006 Nuclear power plants - Instrumentation and control systems important to safety - Software aspects for computer-based systems performing category A functions EN 60880 2009 IEC 60980 - Recommended practices for seismic qualification of electrical equipment of the safety sys
22、tem for nuclear generating stations - - IEC 60987 (mod) 2007 Nuclear power plants - Instrumentation and control important to safety - Hardware design requirements for computer-based systems EN 60987 2009 IEC 61000 Series Electromagnetic compatibility (EMC) EN 61000 Series IEC 61226 - Nuclear power p
23、lants - Instrumentation and control important to safety - Classification of instrumentation and control functions EN 61226 - IEC 61513 - Nuclear power plants - Instrumentation and control for systems important to safety - General requirements for systems - - IEC 62340 2007 Nuclear power plants - Ins
24、trumentation and control systems important to safety - Requirements for coping with common cause failure (CCF) EN 62340 2010 IAEA Safety guide NS-G-1.3 2002 Instrumentation and control systems important to safety in nuclear power plants - - BS EN 61500:2011 EN 61500:2011 (E) 3 CONTENTS INTRODUCTION.
25、1 Scope.2 Normative references .3 Terms and definitions 4 Symbols and abbreviations5 General requirements5.1 Principles of selection of data communication techniques and equipment.5.2 Functional requirements . 5.3 Performance requirements 105.4 Failure detection .105.5 Communication within division.
26、105.6 Interfaces to systems of lower importance to safety.106 Physical separation and isolation116.1 Electrical isolation . 11 6.2 Physical separation .11 7 Functional independence11 8 Reliability .12 8.1 Self-supervision and failure mitigation .128.1.1 Communication error detection 128.1.2 Response
27、 to failure .128.2 Test.128.3 Prevention of failures (including CCF) .139 Qualification .1310 Maintenance and modification 14Bibliography15BS EN 61500:2011 EN 61500:2011 (E) 4 577.89999INTRODUCTION a) Technical background, main issues and organization of the standard The equipment for data communica
28、tion of on-line plant data can simplify the hardwired cables connecting distributed systems for instrumentation, control, protection and monitoring needed for safe Nuclear Power Plants operation. Such communication systems can have advantages over direct cables, for electrical isolation, for reducti
29、on of cable fire loads or other reasons. In a distributed computer based system, communication equipment is an essential part of the system. Data communication is usually essential for implementing I use of industrial standard protocols with added safety layers; use of protocols where higher protoco
30、l layers implementing unsafe or not needed functionality are removed or replaced by ones with reduced and safe functionality. The hardware and the software shall be qualified, see Clause 9. 5.2 Functional requirements Generally each data communication channel is part of an overall system providing s
31、ervices of information gathering and presentation, control or protection of the nuclear power plant. Equipment providing cyclic data over a communication channel shall not depend on the receipt of acknowledge messages from the receiver for continued operation. Communication channels shall not be all
32、ocated dynamically during the run time of the system but shall be statically allocated and predefined by design. All messages of application software shall be transmitted periodically within a pre-defined variation of cycle time. Messages should have fixed length predefined by design. The communicat
33、ion system shall enable messages from instruments or other outstation equipment using a communications channel to be sent and received within a specified time frame, together with data integrity status information (if implemented). The data communication network topology and media access control sha
34、ll be designed and implemented to avoid CCF of independent systems or subsystems (see 8.3). BS EN 61500:2011 EN 61500:2011 (E) 9 Data may be distributed via data communication to redundant systems to enable continued operation if one system is damaged. The security threats arising from the use of da
35、ta communication shall be taken into consideration within the scope of the security plans according to IEC 61513. 5.3 Performance requirements Data communication channels shall provide sufficient performance to ensure that any message sent from any communication node is received by the intended dest
36、ination node in a timely manner. Data communication shall meet the requirements of the functions. The mechanisms and protocols used shall guarantee that any delay which may occur during communication or during access to the communication equipment is known and bounded by design. Communication channe
37、ls shall be verified to meet the specified real time response requirements of the Category A functions to be performed, under credible worst-case conditions. The required real time response and the worst-case conditions shall be justified by analysis. Deterministic communications shall be used so th
38、at communications load does not vary, irrespective of plant conditions. Where communication equipment is used for manual plant control and indication through a control room, the time from operating the physical switch or soft control until the confirmation of the action by indication of the changed
39、state in the control room should be assessed under all potential circumstances including worst case conditions. 5.4 Failure detection Hardware failures of Communication equipment shall be detected and reported. Detected failures of the communication equipment that result in unacceptable degradation
40、of the nuclear safety functions of the I such soft errors should not lead to the shutdown of a channel, but these errors should be logged by the system. 8.2 Test The relevant testing requirements of IEC 60987, Clause 10, shall apply to class 1 communication channels. Also, the relevant subclauses 7.
41、10 (testability), 7.11 (operational bypasses) and 7.12 (control of access to protection systems equipment) of IAEA safety guide No. NS-G-1.3 shall apply to communication channels of systems performing category A functions. BS EN 61500:2011 EN 61500:2011 (E) 12 The performance of data communication f
42、unctions shall be verified before equipment is placed in full operational service. The following aspects of system functionality shall be covered: a) transmission error handling, b) correct operation when under the maximum data transfer rates. IEC 60880 and IEC 60987 require that the data communicat
43、ion system shall have self-test capabilities (see 8.1). Additional periodic tests as a supplement to self-tests should be possible during the lifetime of the equipment as required to reduce the probability of unrevealed hardware failures compromising the performance of category A functions, e.g. 1)
44、alteration of the state or value of input signals, and monitoring of the alteration at the receiving equipment; 2) interruption of transmission, and confirmation that the receiving equipment will detect this and take correct actions. NOTE Nuclear safety considerations may make such testing undesirab
45、le at power operation. The communication equipment shall be qualified for operational use by functional testing in accordance with 4.79 to 4.96 of IAEA safety guide No. NS-G-1.3. Testing of the equipment modules shall be performed during factory tests or on-site commissioning tests, or evidence of p
46、revious type testing in accordance with 5.3 of IEC 60780 shall be provided. 8.3 Prevention of failures (including CCF) Data communication equipment could be affected by conditions which cause several redundant parts of the system to fail at the same time. In order to eliminate or minimize the possib
47、ility of simultaneous failures of several modules by hazards which a system is required to survive, consideration shall be given to the following potential hazards: seismic disturbance or other relevant external hazards; fire, smoke or flooding in equipment or cable areas; loss of environmental cont
48、rol, heating and ventilation; excessive radiation or other factors external to the equipment, and factors internal to the equipment itself. The cable trays which contain the cables for data communication between separated redundancies/trains shall be designed and separated in accordance with the req
49、uirements of IEC 60709, so that possible hazards are limited and the required fault tolerance for the overall I&C system is met. Data communication shall be designed to prevent failure propagation, e.g. by transfer of corrupted data (see IEC 62340, 7.4). The potential failures taken into account and the claimed features to prevent or mitigate these failures shall be analyzed and documented. NOTE Requirements for coping with common cause failures are given in IEC 62340. 9 Qualification Class 1 commun
