Safety System and Control System Separation Requirements for ACR-1000™ and Operating CANDU^® Reactors

Digital control and safety plus the complete functional and physical separation between control and safety and also between the safety systems have been key long standing principles of CANDU^® nuclear reactor technology. This paper presents a historical evolution of these principles that make CANDU reactors one of the safest technologies in the world today. The original Generation II CANDU 6 reactors started with complete separation of control from safety and the division of safety systems into two groups having strong physical separation such as opposite sides of the reactor or reactor building. Within each group a more moderate distance separation was employed. With the advent of distributed computer technology for control and display functions, key processing equipment is now moved out remote from the control rooms and distributed into channelized field equipment rooms around the reactor building as in the Four-Quadrant concept for ACR-1000™. This new approach is immune to total unavailability of any control room or equipment room due to events such as fire with minimal impact to any of the safety systems regardless of their grouping. In addition to physical separation, appropriate functional partitioning, design rules to avoid communication cross links, and diversity principles are applied to computer based I&C systems as defences against common cause faults.