Diversity, redundancy, segregation and layout of mechanical plant

T/AST/036 - Issue 02

Issue Date:

22-06-2009

Review Date:

22-06-2013

Open Government Status:

Fully Open

Approved By:

A N Hall

1. Purpose and scope

1.1  This Assessment Guide provides additional information to support the points set out in Health and Safety Executive (HSE) Safety Assessment Principles (SAP) for Nuclear facilities (1) addressing diversity, redundancy, segregation and layout of mechanical plant. It contains guidance to advise and inform ND inspectors in the exercise of their professional judgement in reaching regulatory decisions in relation to the assessment of licensee’s safety submissions.

1.2  The Guide applies to all measures that contribute to system reliability in the performance of particular safety functions for applications in both nuclear reactors and nuclear chemical plants.

1.3  The Guide is applicable to both new plants, throughout the design, construction and commissioning phases, and to existing operating and decommissioning plants.  Because of development in safety standards, existing plant may not comply in every respect with the revised SAPs.  Where this is the case ALARP arguments that take account of other factors, such as the age of the plant and projected lifetime, should be considered.

1.4  The Guide does not extend to the detailed design, categorisation, qualification or specification of structures, systems or components (SSCs) particularly in relation to their ability to perform their safety function.  What it does consider is the safety duty identified for safety-related SSCs in the broad terms of their safety functional requirements.

2  Relationship to licence and other relevant legislation

Licence Condition (LC) 14: Safety documentation - The Safety case for the plant, is produced and assessed by the licensee under this condition, which also requires documentation to be submitted to HSE on request. It should make appropriate reference to diversity, redundancy, segregation and layout.

Licence Condition (LC) 15: Periodic review - The adequacy of the safety case, including diversity, redundancy, segregation and layout aspects, should be periodically reviewed by the licensee against the original design intent, the current operating conditions and statutory requirements to ensure that there has been no significant change. It is NII policy that all safety cases should be reviewed at least every 10 years.

Licence Condition (LC) 19: Construction or installation of new plant - Consideration of the requirements, at an early stage in the design for diversity, redundancy, segregation and layout should be the subject of guidance in the licensee's arrangements to ensure that adequate reliability is achievable.

Licence Conditions (LC) 20 and 22: - Modification to plant - Modifications should be assessed by the licensee to ensure that they do not adversely affect the diversity, redundancy, segregation and layout of safety related systems.

Licence Condition (LC) 23 and 24: Operating rules and instructions - These will be required in respect, for example, of the availability of diverse and redundant safety related systems and components.

Licence Condition (LC) 27: Safety mechanisms, devices and circuits - This licence condition requires there to be suitable and sufficient safety mechanisms, devices and circuits, and licensee’s assessment of the requirements for diversity, redundancy, segregation and layout will be important in judging compliance with it.

Licence Condition (LC) 28: Examination, inspection, maintenance and testing - An important consideration under this licence condition is that during examination, inspection, maintenance and testing by the licensee or the licensee’s contractor, there will be the provision of adequately diverse and redundant systems.

Relationship to SAPs, WENRA reference levels and IAEA safety standards addressed

Relevant SAPs

3.1  The following safety assessment principles and supporting information given in brackets are relevant to diversity, redundancy, segregation and layout: EDR.2 and EDR.3 (paragraphs 170 to 174), ESS.18 (paragraph 352), ELO.1, ELO.2 and ELO.4 (paragraphs 205 and 206) and EMC.29 (p48).

3.2  The treatment given to diversity, redundancy, segregation and layout in the SAPs, should not be regarded as necessarily complete.  The specific principles are intended to address issues of general significance throughout the nuclear industry, particularly relating to the adequate provision, in relation to safety applications, of:  i) measures to promote robust design and ii) plant and equipment layout displaying adequate system functional reliability. Additional or related issues not directly addressed in the SAPs may be of equal importance in specific circumstances and these aspects of a thorough nuclear safety assessment may need to be identified and considered by the licensee. Such licensee assessments will need to be carefully considered in regulatory assessments.

WENRA Reference levels

3.3  A review of diversity, redundancy, segregation and layout of mechanical plant against WENRA Reactor Reference Levels are tabulated in Appendix 1.  Other WENRA Reference Levels are not related to the topics in this guide.

IAEA Safety standards

3.4  The subject of diversity, redundancy, segregation and layout of mechanical plant spans a number of IAEA documents.  IAEA documentation that has been drawn upon in the production of this document includes ^[2-6]:

IAEA Requirements NS-R-1 Safety of Nuclear Power Plants: Design.

IAEA Safety Guide NS-G-1.10 Design of Reactor Containment Systems for Nuclear Power Plants.

IAEA Safety Guide NS-G-1.12 Design of the Reactor Core for Nuclear Power Plants.

IAEA Safety Guide NS-G-1.7 Protection against Internal Fires and Explosions in the Design of Nuclear Power Plants.

IAEA Safety Guide NS-G-1.9 Design of the Reactor Coolant System and Associated Systems in Nuclear Power Plants NS-G-1.9.

Advice to inspectors

4.1  It is particularly important in nuclear applications to ensure, so far as is reasonably practicable, that safety related equipment will be capable of performing its safety function with an adequate reliability even when the potential for the occurrence of a number of identified faults and/or hazards is significant.  This objective may be achieved by the adoption of a number of different plant and equipment provisions, together with the use of techniques to demonstrate the adequacy of the specified measures.

4.2  In assessing the fitness for purpose of safety related plant, and particularly the ability to perform a primary safety function, a number of issues relating to redundant and diverse provisions need to be considered.  Safety cases should identify clearly the safety function of all structures, systems and components (SSCs) so that this fit for purpose assessment can be carried out.  A distillation of the more important criteria to judge the acceptability of specific safety related provisions is briefly discussed in the following text, and the technical considerations are more comprehensively covered in Section 5.

Redundancy

4.3  Experience dictates that there are both deterministic and probabilistic arguments for the provision of redundancy in SSCs.  A design which is considered acceptable will display adequate levels of redundancy in plant to ensure that it is fit for purpose and should perform a required safety function.  These characteristics will include final provisions which satisfy the deterministic and probabilistic requirements of a potential nuclear safety system design.

Dependent failure

4.4  A possible threat to redundant plant is that from dependent failure mechanisms.  These have the potential to prevent the performance of a required safety function by simultaneous loss of redundant provisions.  Particular illustrations of this type of failure are common cause failures (CCF) and the subset of common mode failures (CMF), with plant hazards being a potential initiator of each.  The assessor should be satisfied, that the risk from dependent failures has been reduced to a level which is acceptable within the limits set by the documented safety case.  This should include both deterministic and probabilistic considerations where appropriate.

4.5  A further consequence of the dependent failure mechanism is the limit frequently applied to the reliability benefits claimed from multiple redundancies.  System reliability does not generally increase indefinitely with increasing levels of redundancy, and this is primarily due to common origin (cause?) effects.  It should be ensured that excessive benefit is not claimed from multiple redundant systems, and that an appropriate common cause cut-off is applied and justified.

Diversity

4.6  Where redundant plant is at potential risk from common cause failures, one means of reducing the susceptibility of plant to such effects is to employ diverse provisions in separate redundant trains or systems.  For example gas or steam turbine driven pumps could be provided in addition to electric motor driven pumps.  Provision of plant which is both redundant and diverse can increase the likelihood of success in performance of the safety function, and thereby reduce the likelihood of system failure.  A licensee’s provision for safety systems should contain appropriate measures to include diversity within the redundant elements of the particular system, and/or across systems (e.g. primary and secondary protection systems).

Segregation

4.7  In a redundant system and despite diverse provisions, the threat of common cause failures particularly from hazards such as fire may be reduced by system segregation. This is the separation of components by distance or physical barriers, a particular example being provision of principal fire barriers to delineate individual fire zones; such barriers may also serve as barriers to other hazards.  Adequate levels of plant segregation should be present in a licensee’s provisions to maximise the likelihood that a safety function will be performed, despite the occurrence of faults and hazards, possibly in combination.

System independence

4.8  Systems may be subject to spurious operation in addition to operational failures.  These can arise because a given safety system does not possess a sufficient level of independence from other separate systems.  Measures need to be employed by the licensee to ensure that wherever possible a safety system should not be adversely affected by the spurious operation or failure of other systems, especially through any potential for hidden dependency.

Fail-safe design

4.9  Where SSC failure cannot be ruled out on the grounds that its expected frequency is sufficiently low it may be possible to ensure that in the event of a plant failure the performance of the safety function is not prevented.  Where appropriate, it should be ensured that the measures employed by the licensee are such that plant which fails to operate fails to the safe condition, thus not hindering the performance of a safety function.

Essential services

4.10  Where services are necessary to support plant safety, it should be ensured that the standards applied to this plant are consistent with those applied to the system being supported.  This is required so that the fitness for purpose of plant that may be of a lower safety category is unlikely to prevent performance of a safety function by a system of higher safety category.

Equipment outage

4.11  Where nuclear plant is inoperable at any time, attention should be paid to the effect of its unavailability on the capability to perform necessary safety functions and also on its contribution to the risk from the plant.  It should be ensured where practicable, that safety systems and risk levels are not unduly affected by plant unavailability, and where this cannot be established, that specific measures are clearly defined (e.g. as Operating Rules or Instructions) which limit the effect of this on the system contribution to the risk.

Monitoring, inspection, testing and maintenance

4.12  Provision should be made by the licensee to ensure that the level of plant availability necessary to retain its fitness for purpose is achieved.  This is likely to be produced by implementing appropriate maintenance actions, etc. and may be assessed by the effect of such actions on the estimated changes in the contribution to the risk from the plant.  Where plant availability is likely to be affected by these maintenance requirements it should be ensured that specified levels of redundancy, diversity and segregation are not compromised.  This may involve consideration of the requirements of the plant operating rules, technical specifications or maintenance standards.

Layout

4.13  Plant which provides protection against certain faults or hazards should be assessed to ensure that it remains operable and accessible in the event of those faults or hazards occurring.  This is particularly important where safety related plant is collocated with other plant which may not be safety related.  In these circumstances the licensee should justify that the fitness for purpose of safety systems has taken account of the possibility of faults occurring in neighbouring plant and structures, which are not safety related.

5 Technical considerations

General

5.1  In achieving the robust design of safety related equipment, which ensures that nuclear plant remains within the specified safety limits, a primary objective is that the chosen systems demonstrate a defence in depth against all identified challenges to the performance of their safety function. Clearly such requirements are closely linked to the system functional reliability and also the ability of a safety system to perform a safety function in the presence of related SSC failures (reference should be made to T/AST/030 ^[7].  An assessment of the system reliability, possibly against predetermined target levels, or a separate assessment of the sensitivity of the system to the occurrence of a single failure, may suggest the provision of more than the minimum number of equipment items to ensure performance of a particular safety function.  This feature of engineering design forms a primary means of improving functional performance and reliability, and is frequently referred to as redundancy, a term which implies that the performance of a function does not critically depend on the adequacy of any single provision acting alone.

Redundancy

5.2  Engineering redundancy is frequently defined as the provision of more than the minimum number of nominally identical equipment items required to perform a specific safety function.  Such redundant provisions allow a safety function to be satisfied when one or more items (but not all) are unavailable, due to a variety of unspecified potential failure mechanisms (e.g. identified faults or hazards).

5.3  A simple check to ensure a minimum level of redundancy is one particular application of the single failure criterion, which tests the ability to perform a safety function in the presence of the single failure of either a passive or an active component in the safety system.

5.4  Where a system fails to satisfy the single failure criterion in a particular respect, one option for improving the position is to introduce additional systems to promote defence in depth by incorporating redundant items to perform the identical safety function in the event of a failure.

Dependent failure

5.5  Where redundant components are provided which satisfy the single failure criterion, and also the reliability requirements, it is necessary for more than one component to fail to prevent the performance of the system safety function. Increasing the number of redundant components/trains results in a consequential increase in the number of failures required, before the safety function fails to be performed.

5.6  Unfortunately, the provision of increasing amounts of redundant equipment does not lead to safety system reliability increasing indefinitely. The principal reason for an accepted limit to the benefit provided by utilising redundancy in design is the occurrence of failures which have a common origin or other type of common factor. This type of failure is often referred to either as a common cause failure (CCF) or a common mode failure (CMF).

5.7  A CCF is a dependent failure event where approximately simultaneous multiple failures result from a single shared cause (e.g. fire). A CMF is a common cause event where the multiple equipment items fail in the same mode (e.g. failure to reset pumps following maintenance).

5.8  The occurrence of equipment failures which are linked, has led to the study of SSC dependent failure which involves failure of a number of nominally identical items in a related way.

5.9  Multiple failures can occur due to common weaknesses or dependencies shared by components.  Such failures can cause failure of all redundant components in a single protection system or failure of components in more than one system.  Dependent failures can considerably reduce the reliability of the protection systems relative to that expected from consideration of random failure mechanisms acting alone.

5.10  The main types of failure dependencies that can cause potential loss of safety function are:

• Functional dependencies, which arise from shared or common functional features; such as a common electrical power source, a common cooling water system and a shared process fluid.
• Spatial dependencies, which arise from physical features shared by components located in a common location; such as common radiation or chemical conditions, a common environment and common support structures, and vulnerability to leaks of dangerous fluids (high temperature, corrosive or toxic).
• Inherent dependencies, which arise from shared characteristics; such as a common principle of operation or technical embodiment and a common failure mechanism such as mechanical overload or overpressure.
• Human error related dependencies, which arise from human errors affecting some shared or common human process; such as human error in design or manufacture, and operating staff error during operation and maintenance.

5.11  To provide protection against dependent failures, one approach, consisting of three main elements, is as follows:

• Failure dependencies to be identified and measures implemented where practicable in design, construction and operation to eliminate the dependencies or reduce their potential effect.

5.12  Examples of such measures are:

1. The provision of segregation to eliminate spatial dependencies; and
2. The avoidance of functional dependencies by segregation of safety related systems and their support services.

• Provide alternative and independent equipment and so eliminate undue reliance on any single system.  The purpose of this element of the approach is to provide protection against any 'hidden failure dependencies' that may not be identified.
• Approaches and procedures should be implemented to minimise the possibility of failure dependencies arising during design, manufacture, construction and operation, including dependencies due to operator and other human error.

5.13  Certain areas in the plant tend to be natural centres of convergence for equipment or wiring of various degrees of importance to safety.  Examples of such centres may be containment penetrations, motor control centres, cable spreading rooms, equipment rooms, the control rooms and the plant process computers.  Appropriate measures to avoid common cause failures should be provided, as far as reasonably practicable, in such locations where the usual options for defence in depth may not be available.

Diversity

5.14  Engineering diversity is defined as the provision of dissimilar means of achieving the same objective; e.g. the use of features which differ in the physical means of achieving a specific objective or use of different equipment made by different manufacturers.

5.15  Diversity provides one means of protection against some dependent failure mechanisms, by removing common features which may lead to failure dependencies. Diversity particularly provides protection against inherent dependencies and human error related dependencies.

5.16  Diverse provisions should be considered wherever a safety function needs to be satisfied to a reliability that exceeds a limiting value, frequently referred to as the 'common mode' or 'common cause' cut-off value.  Typically, this value may be in the range 1.0E-3 to 1.0E-5 failures per demand for nuclear applications. Acceptance of cut-off values lower than 1.0E-5 should be exceptional and will require a very high level of justification (reference should be made to T/AST/030 ^[7].

5.17  The possibility of the physical collocation or the functional support of diverse systems leading to dependencies which defeat the objective of providing diversity should be addressed in the layout and functional design of the nuclear facility and its systems.

Segregation

5.18  Equipment segregation is the separation of redundant and/or diverse components by distance or by barriers to prevent all or most of the components being damaged, particularly in the event of common hazards.

5.19  Segregation is provided in the design to ensure that internal hazards, such as fire and pressure parts failure, and certain external hazards such as aircraft crash do not damage separate trains of safety equipment to the extent that its functional reliability is unacceptably reduced.

5.20  In the event of a hazard, segregation by physical barriers typically provides redundancy of active components in a modern PWR NPP:
by a factor of 4 using for example quadrant segregation for hot shutdown in the short term
by a factor of 2 using for example half reactor segregation for cold shutdown in the long term.

5.21  Segregation can also be provided by distance, i.e. by separation. This is achieved by locating redundant (e.g. diesel generators) and diverse (e.g. the essential service water system and reserve ultimate heat sink) equipment in separate buildings.

System independence

5.22  Actions or inactions, but not necessarily failures resulting from a single maloperation (failure or spurious action) within one system may propagate to other systems by unidentified or normally hidden interdependencies which may not be revealed by a conventional dependent failure analysis and which can be grouped together as system dependency.

5.23  The reliability of systems may be improved by applying principles similar to the following, thus providing a structured approach to identifying potential system dependency and ensuring system independence in design:

• maintaining system independence among redundant train components
• maintaining system independence between train components and the effects of initiating events, for example, an initiating event should not cause the failure or loss of a safety system or safety function that is required to mitigate that event;
• maintaining appropriate system independence between or among trains, systems or components of different safety categories (see T/AST/008 ^[8]);
• maintaining system independence between items important to safety and those not important to safety.

5.24  System independence can be accomplished in the design of systems by using functional isolation and physical isolation.

Functional isolation

5.25  Functional isolation should be used to reduce the likelihood of adverse interaction between equipment, components and systems of redundant or connected trains resulting from normal, abnormal or spurious operation, or failure of any component in the trains.

Physical isolation

5.26  System design utilising the principles of physical isolation should be used as far as reasonably practicable to increase assurance that system independence will be achieved, particularly in relation to certain common origin events which are not immediately apparent. These principles include:

• separation by geometry (distance, orientation, etc.);
• separation by barriers; or
• separation by a combination thereof.

5.27  The choice of means of separation will depend on the initiating events considered in the design basis. (reference should be made to T/AST/006 ^[9] for Design Basis Accident Analysis).

Fail-safe design

5.28  Where reasonably practicable, the principle of fail-to-safety should be incorporated into the design of SSCs important to safety for nuclear installations i.e. if a system or component should fail, the plant would pass into a safe state without a requirement to initiate any actions.

Essential services

5.29  Services, which are essential to maintain a safe state of the plant may include electricity supplies, cooling water, compressed air or other gases and means of lubrication. Essential services that support equipment forming part of a system important to safety may be regarded as part of the safety related system. Their reliability, redundancy, diversity, independence, provision of features for isolation and for testing of functional capability should be commensurate with the reliability of the system that is supported.

Equipment outages

5.30  In the design of a nuclear installation and its safety systems needed for reliable performance, equipment outages should be taken into account. The impact of the anticipated maintenance, test and repair work on the reliability of each individual safety system should be included in this consideration. If the resultant reliability or availability to perform a safety function is such that the system no longer meets the criteria used for design and operation, the nuclear plant should be placed in a safe state and the component temporarily out of service should be substituted or restored within a specified time.

Monitoring, inspection, testing and maintenance

5.31  To ensure a high reliability of operation in service, the safety related equipment must be kept in a sound condition and at all times it must be available ready for operation on demand. This aspect of functional performance is covered in other TAGs.

5.32  The safety related equipment should be kept in a sound condition by a regular programme of inspection and maintenance; its effectiveness and reliability should be demonstrated by testing, on- or off-load as appropriate; and its availability for operation established by monitoring.

Layout

5.33  The possibility of the physical collocation of redundant systems leading to dependencies which defeat the objective of providing a successful safety function should be considered in deciding the layout of the nuclear installation in general and specific trains/systems in particular.

5.34  It should be established that systems will perform their safety function following any postulated initiating event. The particular layout arrangements which should be employed to ensure this are likely to vary considerably with the specific nuclear installation application and the range of initiating faults considered.

5.35  The plant layout may also affect the extent to which manual intervention requiring local access can be ensured in the event of it being necessary. These aspects of an installation design need to be assessed in relation to the claims made by the licensee regarding access provision during operating and fault conditions.

5.36  In addition to the above, measures should also be taken to ensure that the likelihood of unauthorised access, possibly prejudicial to nuclear safety is acceptable low.

References

1.  Safety Assessment Principles for Nuclear Facilities, 2006 Edition Version 1, HSE 2006.
2.  IAEA - Requirements: Safety of Nuclear Power Plants: Design, NS-R-1, IAEA 2000
3.  IAEA - Safety Guide: Design of Reactor Containment Systems for Nuclear Power Plants NS-G-1.10, 2004
4.  IAEA - Safety Guide: Design of the Reactor Core for Nuclear Power Plants, NS-G-1.12, IAEA 2005
5.  IAEA - Safety Guide: Protection against Internal Fires and Explosions in the Design of Nuclear Power Plants, NS-G-1.7, IAEA 2004
6.  IAEA - Safety Guide: Design of the Reactor Coolant System and Associated Systems in Nuclear Power Plants, NS-G-1.9, IAEA 2004
7.  T/AST/030 Probabilistic Safety Analysis
8.  T/AST/008 Safety categorisation and equipment qualification
9.  T/AST/006 Deterministic safety analysis and the use of engineering principles in safety assessment
10.  T/AST/035 The Limits and Conditions for Nuclear Plant Safety

Appendix 1 Comparison with WENRA reactor reference levels

The following evaluation of WENRA reference levels have been undertaken in respect to
diversity, redundancy, segregation and layout of mechanical plant at nuclear installations.

WENRA Reactor Safety Reference Levels	T/AST/036: Diversity, Redundancy, Segregation and Layout of Mechanical Plant
Appendix E  Design Basis Envelope for Existing Reactors
The reliability of the systems shall be achieved by an appropriate choice of measures including the use of proven components, redundancy, diversity, physical and functional separation and isolation. The means for shutting down the reactor shall consist of at least two diverse systems. 9.9  Each line that penetrates the containment as part of the reactor coolant pressure boundary or that is connected directly to the containment atmosphere shall be automatically and reliably sealable in the event of a design basis accident. These lines shall be fitted with at least two containment isolation valves arranged in series. Isolation valves shall be located as close to the containment as is practicable.	The issues of components, redundancy, diversity, physical and functional separation and isolation are addressed in sections 4.1, 4.2, 4.3, 4.4 and 4.5 with additional information provided in Appendix 2.
10.7  Redundancy and independence designed into the protection systems	This issue is addressed in T/AST/003, Safety Systems.