IEEE 497:2010 pdf download

IEEE Standard Criteria for Accident Monitoring Instrumentation for Nuclear Power Generating Stations
6.2 Common cause failure

Design of Type A, Type B, and Type C instrumentation shall address common cause failures, as described in IEEE Std 379 and IEEE Std 603, consistent with the plant’s LBD.
For instrumentation using computers, guidance to address common cause failures can be found in IEEE Std 7-4.3.2. In addition, design of instrumentation using digital sensors, data acquisition, or display equipment for Type A, Type B, and Type C variables, shall address concerns over the possibility that the use of software could result in a common cause failure. Common cause failures for the instrumentation channels shall be addressed at the variable level. The use of identical software in redundant instrumentation channels is acceptable provided one of the following design features can be demonstrated:
⎯ Channel diversity exists using components not subject to a software common cause failure.
⎯ Defense-in-depth exists against the consequences of a software common cause failure.

If neither channel diversity nor defense-in-depth can be shown, then a diverse design is required. Examples of how a diverse design may be accomplished include the following:
⎯ Two diverse display channels are used and both meet the same design criteria applicable to the variable.
⎯ Two redundant (but not diverse) display channels are used and a third diverse processing and display segment is used. In this case, the diverse channel segment does not need to meet the design criteria of Type A, Type B, and Type C variables (e.g., a plant computer display).

System interaction between accident monitoring computer-based instrumentation systems and other systems that may be served by the data acquisition and display system shall be considered as part of the common cause failure evaluation.
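The following screen is an added illustration, not text or code from IEEE 497 (the standard states criteria, not an algorithm). It models one variable's instrument channels as records carrying a software identity and a "meets Type A/B/C criteria" flag, then removes each software identity in turn and reports what survives. That is the "at the variable level" question of 6.2: does any single software common cause failure leave the variable with no qualified channel, or with only a non-qualified diverse segment such as a plant computer display? The channel names, software identities and the three sample configurations are constructed for the example.

```python
"""Single-software common cause failure (CCF) screen for one monitored variable.

Added example: a simplified model of the software CCF concern in IEEE 497 6.2.
Every software identity present in the channel set is failed in turn, and the
surviving channels decide the verdict.  All names below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Channel:
    name: str
    software: Optional[str]  # software identity; None means no software (hard-wired/analog)
    qualified: bool          # True if the channel meets the Type A/B/C design criteria


def surviving(channels: List[Channel], failed_software: str) -> List[Channel]:
    """Channels still available once every channel running `failed_software` has failed."""
    return [c for c in channels if c.software != failed_software]


def software_ids(channels: List[Channel]) -> List[str]:
    """Distinct software identities present in the channel set (hard-wired channels excluded)."""
    return sorted({c.software for c in channels if c.software is not None})


def ccf_screen(channels: List[Channel]) -> Tuple[str, List[str]]:
    """Screen a variable's channel set against a single software CCF.

    Verdicts (worst case over all software identities):
      'diverse-qualified'   -- a qualified channel survives every single software CCF
      'diverse-fallback'    -- some CCF leaves only non-qualified diverse segment(s)
                               (the "plant computer display" pattern of 6.2)
      'single-software-ccf' -- some CCF removes every channel for the variable
    """
    findings: List[str] = []
    verdict = "diverse-qualified"
    for sw in software_ids(channels):
        left = surviving(channels, sw)
        names = [c.name for c in left]
        if not left:
            findings.append(f"{sw}: CCF removes every channel for this variable")
            verdict = "single-software-ccf"
        elif not any(c.qualified for c in left):
            findings.append(f"{sw}: only non-qualified segment(s) remain: {names}")
            if verdict != "single-software-ccf":
                verdict = "diverse-fallback"
        else:
            findings.append(f"{sw}: qualified channel(s) remain: {names}")
    return verdict, findings


# Constructed sample configurations for one hypothetical variable.
# Two redundant channels on identical software and nothing else: one fault takes both.
CONFIG_SHARED = [
    Channel("Display-A", "DisplaySW-v1", qualified=True),
    Channel("Display-B", "DisplaySW-v1", qualified=True),
]
# First 6.2 example: two diverse display channels, both meeting the criteria.
CONFIG_DIVERSE_PAIR = [
    Channel("Display-A", "VendorX-SW", qualified=True),
    Channel("Display-B", "VendorY-SW", qualified=True),
]
# Second 6.2 example: two redundant channels plus a diverse, non-qualified segment.
CONFIG_REDUNDANT_PLUS_FALLBACK = [
    Channel("Display-A", "DisplaySW-v1", qualified=True),
    Channel("Display-B", "DisplaySW-v1", qualified=True),
    Channel("PlantComputer", "PlantComputer-SW", qualified=False),
]

if __name__ == "__main__":
    for label, cfg in [("shared", CONFIG_SHARED),
                       ("diverse pair", CONFIG_DIVERSE_PAIR),
                       ("redundant + fallback", CONFIG_REDUNDANT_PLUS_FALLBACK)]:
        verdict, findings = ccf_screen(cfg)
        print(f"{label}: {verdict}")
        for f in findings:
            print("   ", f)
```

The screen only covers the software identity dimension; whether a "diverse-fallback" verdict is acceptable still depends on the defense-in-depth argument the plant's LBD makes for the non-qualified segment, and the system-interaction review called for in 6.2 (other systems served by the same data acquisition and display equipment) is outside this model.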
6.3 Independence and separation

The accident monitoring instrument channels for Type A, Type B, and Type C variables shall be independent and physically separated in accordance with the following criteria:
a) Instrumentation shall be physically separated from non-safety system equipment and circuits so that a failure in, or spurious action by, non-safety system equipment and circuits will not prevent the accident monitoring equipment from meeting the requirements of this standard.
b) Redundant segments shall be independent of, and physically separated from, each other to the degree necessary to retain the capability of accomplishing the accident monitoring function during and following any design basis event requiring that function. This shall also include data communication independence requirements of IEEE Std 7-4.3.2.
c) Accident monitoring equipment required to monitor a specific design basis event should be independent of, and physically separated from, the effects of the design basis event to the extent practical to retain the capability to meet the requirements of this standard.
d) Separation shall meet the requirements of IEEE Std 384.
