IEC 60965:2009

IEC 60965
®
Edition 2.0 2009-07
INTERNATIONAL
STANDARD
NORME
INTERNATIONALE


Nuclear power plants – Control rooms – Supplementary control points for
reactor shutdown without access to the main control room

Centrales nucléaires de puissance – Salles de commande – Points de
commande supplémentaires pour l’arrêt des réacteurs sans accès à la salle de
commande principale (salle de commande de repli)

IEC 60965:2009

---------------------- Page: 1 ----------------------
THIS PUBLICATION IS COPYRIGHT PROTECTED
Copyright © 2009 IEC, Geneva, Switzerland

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by
any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either IEC or
IEC's member National Committee in the country of the requester.
If you have any questions about IEC copyright or have an enquiry about obtaining additional rights to this publication,
please contact the address below or your local IEC member National Committee for further information.

Droits de reproduction réservés. Sauf indication contraire, aucune partie de cette publication ne peut être reproduite
ni utilisée sous quelque forme que ce soit et par aucun procédé, électronique ou mécanique, y compris la photocopie
et les microfilms, sans l'accord écrit de la CEI ou du Comité national de la CEI du pays du demandeur.
Si vous avez des questions sur le copyright de la CEI ou si vous désirez obtenir des droits supplémentaires sur cette
publication, utilisez les coordonnées ci-après ou contactez le Comité national de la CEI de votre pays de résidence.

IEC Central Office
3, rue de Varembé
CH-1211 Geneva 20
Switzerland
Email: inmail@iec.ch
Web: www.iec.ch

About the IEC
The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes
International Standards for all electrical, electronic and related technologies.

About IEC publications
The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the
latest edition, a corrigenda or an amendment might have been published.
ƒ Catalogue of IEC publications: www.iec.ch/searchpub
The IEC on-line Catalogue enables you to search by a variety of criteria (reference number, text, technical committee,…).
It also gives information on projects, withdrawn and replaced publications.
ƒ IEC Just Published: www.iec.ch/online_news/justpub
Stay up to date on all new IEC publications. Just Published details twice a month all new publications released. Available
on-line and also by email.
ƒ Electropedia: www.electropedia.org
The world's leading online dictionary of electronic and electrical terms containing more than 20 000 terms and definitions
in English and French, with equivalent terms in additional languages. Also known as the International Electrotechnical
Vocabulary online.
ƒ Customer Service Centre: www.iec.ch/webstore/custserv
If you wish to give us your feedback on this publication or need further assistance, please visit the Customer Service
Centre FAQ or contact us:
Email: csc@iec.ch
Tel.: +41 22 919 02 11
Fax: +41 22 919 03 00


A propos de la CEI
La Commission Electrotechnique Internationale (CEI) est la première organisation mondiale qui élabore et publie des
normes internationales pour tout ce qui a trait à l'électricité, à l'électronique et aux technologies apparentées.

A propos des publications CEI
Le contenu technique des publications de la CEI est constamment revu. Veuillez vous assurer que vous possédez
l’édition la plus récente, un corrigendum ou amendement peut avoir été publié.
ƒ Catalogue des publications de la CEI: www.iec.ch/searchpub/cur_fut-f.htm
Le Catalogue en-ligne de la CEI vous permet d’effectuer des recherches en utilisant différents critères (numéro de référence,
texte, comité d’études,…). Il donne aussi des informations sur les projets et les publications retirées ou remplacées.
ƒ Just Published CEI: www.iec.ch/online_news/justpub
Restez informé sur les nouvelles publications de la CEI. Just Published détaille deux fois par mois les nouvelles
publications parues. Disponible en-ligne et aussi par email.
ƒ Electropedia: www.electropedia.org
Le premier dictionnaire en ligne au monde de termes électroniques et électriques. Il contient plus de 20 000 termes et
définitions en anglais et en français, ainsi que les termes équivalents dans les langues additionnelles. Egalement appelé
Vocabulaire Electrotechnique International en ligne.
ƒ Service Clients: www.iec.ch/webstore/custserv/custserv_entry-f.htm
Si vous désirez nous donner des commentaires sur cette publication ou si vous avez des questions, visitez le FAQ du
Service clients ou contactez-nous:
Email: csc@iec.ch
Tél.: +41 22 919 02 11
Fax: +41 22 919 03 00

---------------------- Page: 2 ----------------------
IEC 60965
®
Edition 2.0 2009-07
INTERNATIONAL
STANDARD
NORME
INTERNATIONALE


Nuclear power plants – Control rooms – Supplementary control points for
reactor shutdown without access to the main control room

Centrales nucléaires de puissance – Salles de commande – Points de
commande supplémentaires pour l’arrêt des réacteurs sans accès à la salle de
commande principale (salle de commande de repli)
INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
COMMISSION
ELECTROTECHNIQUE
PRICE CODE
INTERNATIONALE
Q
CODE PRIX
ICS 27.120.20 ISBN 978-2-88910-354-6
® Registered trademark of the International Electrotechnical Commission
Marque déposée de la Commission Electrotechnique Internationale

---------------------- Page: 3 ----------------------
– 2 – 60965 © IEC:2009
CONTENTS
FOREWORD.3
INTRODUCTION.5
1 Scope.7
2 Normative references .7
3 Terms and definitions .8
4 Abbreviations .9
5 Design principles.9
5.1 General .9
5.2 Main objectives .9
5.3 Safety principles.10
5.4 Human factors engineering principles.12
6 Design process.12
7 Functional design .13
7.1 General .13
7.2 Human factors.13
7.3 Location and access route.13
7.4 SCP environment .14
7.5 Space and configuration.14
7.6 Information and control equipment .14
7.7 Communication systems.15
7.8 Other equipment.15
8 System verification and validation.15
Bibliography.16

---------------------- Page: 4 ----------------------
60965 © IEC:2009 – 3 –
INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________

NUCLEAR POWER PLANTS –
CONTROL ROOMS –
SUPPLEMENTARY CONTROL POINTS FOR REACTOR SHUTDOWN
WITHOUT ACCESS TO THE MAIN CONTROL ROOM


FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, IEC publishes International Standards, Technical Specifications,
Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC
Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested
in the subject dealt with may participate in this preparatory work. International, governmental and non-
governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely
with the International Organization for Standardization (ISO) in accordance with conditions determined by
agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence
between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in
the latter.
5) IEC provides no marking procedure to indicate its approval and cannot be rendered responsible for any
equipment declared to be in conformity with an IEC Publication.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of
patent rights. IEC shall not be held responsible for identifying any or all such patent rights.
International Standard IEC 60965 has been prepared by subcommittee 45A: Instrumentation
and control of nuclear facilities, of IEC technical committee 45: Nuclear instrumentation.
The text of this standard is based on the following documents:
FDIS Report on voting
45A/749/FDIS 45A/769/RVD

Full information on the voting for the approval of this standard can be found in the report on
voting indicated in the above table.
This second edition cancels and replaces the first edition published in 1989. This edition
constitutes a technical revision.

---------------------- Page: 5 ----------------------
– 4 – 60965 © IEC:2009
The main technical changes with regard to the previous edition are as follows:
• to clarify the definitions and review the requirements.
• to update the reference to new standards published since the first issue, including
IEC 61227, IEC 61771, IEC 61772, IEC 61839, and IEC 62241.
• to align the Standard with the new revisions of IAEA documents NS-R-1 and NS-G-1.3.
This publication has been drafted in accordance with the ISO/IEC Directives, Part 2.
The committee has decided that the contents of this publication will remain unchanged until
the maintenance result date indicated on the IEC web site under "http://webstore.iec.ch" in
the data related to the specific publication. At this date, the publication will be
• reconfirmed,
• withdrawn,
• replaced by a revised edition, or
• amended.

---------------------- Page: 6 ----------------------
60965 © IEC:2009 – 5 –
INTRODUCTION
a) Technical background, main issues and organization of the standard
IEC 60965:1989 was developed to provide requirements relevant to the design of NPP
supplementary control points for reactor shutdown without access to the main control room.
The first edition of IEC 60965 has been used extensively within the nuclear industry. It was
however recognized that recent technical developments especially those which are based on
software technology should be incorporated. It was also recognized that the relationships with
the standard for the main control room (i.e. IEC 60964) and the derivative standards to that
standard (i.e. IEC 61227, IEC 61771, IEC 61772, IEC 61839, and IEC 62241) should be
clarified and conditioned.
This IEC standard specifically focuses on the functional design process of the supplementary
control points of an NPP. It is intended that the standard is used by NPP designers, design
authorities, vendors, utilities, and by licensors.
At the end of the current revision, at the FDIS stage, two further points were identified. These
are: (a) requirements should be included associated with regular testing of the SCP, and (b) a
theoretical assessment is needed of the time available during which the reactor will be safe
but unattended, in order to move from the MCR to the SCP and for the SCP to become
operational. However, since these points were not raised formally by any National Committee,
they are recorded in this introduction for development in the next revision.
b) Situation of the current standard in the structure of the IEC SC 45A standard series
IEC 60965 is the third level IEC SC 45A document tackling the issue of the design of
supplementary control points.
IEC 60965 is to be read in association with IEC 60964 for the design of the main control room
(including the derivative standards mentioned above) which is the appropriate IEC SC 45A
document providing guidance on operator controls, verification and validation of design,
application of visual display units, functional analysis and assignment, and alarm functions
and presentation.
For more details on the structure of the IEC SC 45A standard series, see item d) of this
introduction.
c) Recommendations and limitations regarding the application of this Standard
The purpose of this standard is to provide functional design requirements to be used in the
design of the supplementary control points of a nuclear power plant to meet safety
requirements.
This standard is intended for application to supplementary control points whose conceptual
design is initiated after the publication of this standard. The recommendations of the standard
may be used for refits, upgrades and modifications.
Aspects for which special recommendations have been provided in this Standard, in
accordance with Clauses 6.15 to 6.30 of IAEA NS-G-1.3, are:
• The definition of the MCR and plant design bases for which the supplementary control
points are to be used.
• Access by station staff to the supplementary control points in such emergencies.
• Assurance for the station staff that the environment at the supplementary control points is
safe when they are to be used.

---------------------- Page: 7 ----------------------
– 6 – 60965 © IEC:2009
• Provision of information at the supplementary control points on the state of the reactor
critical functions.
• Transfer of control and indication functions from the main control room to the
supplementary control points in emergencies.
• Independence and separation of the cabling used by the supplementary control points
from that used by the main control room.
• Assurance that a safe shutdown state has been reached using the supplementary control
points.
• Communication facilities between the supplementary control points and to the station
management.
To ensure that the Standard will continue to be relevant in future years, the emphasis has
been placed on issues of principle, rather than specific technologies.
d) Description of the structure of the IEC SC 45A standard series and relationships
with other IEC documents and other bodies documents (IAEA, ISO)
The top-level document of the IEC SC 45A standard series is IEC 61513. It provides general
requirements for I&C systems and equipment that are used to perform functions important to
safety in NPPs. IEC 61513 structures the IEC SC 45A standard series.
IEC 61513 refers directly to other IEC SC 45A standards for general topics related to
categorization of functions and classification of systems, qualification, separation of systems,
defence against common cause failure, software aspects of computer-based systems,
hardware aspects of computer-based systems, and control room design. The standards
referenced directly at this second level should be considered together with IEC 61513 as a
consistent document set.
At a third level, IEC SC 45A standards not directly referenced by IEC 61513 are standards
related to specific equipment, technical methods, or specific activities. Usually these
documents, which make reference to second-level documents for general topics, can be used
on their own.
A fourth level extending the IEC SC 45A standard series, corresponds to the Technical
Reports which are not normative.
IEC 61513 has adopted a presentation format similar to the basic safety publication
IEC 61508 with an overall safety life-cycle framework and a system life-cycle framework and
provides an interpretation of the general requirements of IEC 61508-1, IEC 61508-2 and
IEC 61508-4, for the nuclear application sector. Compliance with IEC 61513 will facilitate
consistency with the requirements of IEC 61508 as they have been interpreted for the nuclear
industry. In this framework IEC 60880 and IEC 62138 correspond to IEC 61508-3 for the
nuclear application sector.
IEC 61513 refers to ISO as well as to IAEA 50-C-QA (now replaced by IAEA GS-R-3) for
topics related to quality assurance (QA).
The IEC SC 45A standards series consistently implements and details the principles and
basic safety aspects provided in the IAEA code on the safety of NPPs and in the IAEA safety
series, in particular the Requirements NS-R-1, establishing safety requirements related to the
design of Nuclear Power Plants, and the Safety Guide NS-G-1.3 dealing with instrumentation
and control systems important to safety in Nuclear Power Plants. The terminology and
definitions used by SC 45A standards are consistent with those used by the IAEA.

---------------------- Page: 8 ----------------------
60965 © IEC:2009 – 7 –
NUCLEAR POWER PLANTS –
CONTROL ROOMS –
SUPPLEMENTARY CONTROL POINTS FOR REACTOR SHUTDOWN
WITHOUT ACCESS TO THE MAIN CONTROL ROOM



1 Scope
This International Standard establishes requirements for the supplementary control points
provided to enable the operating staff of nuclear power plants to shut down the reactor and
maintain the plant in a safe shut-down state in the event that control of the safety functions
can no longer be exercised from the main control room, due to unavailability of the main
control room or its facilities.
The standard also establishes requirements for the selection of functions, the design and
organisation of the human-machine interface, and the procedures which shall be used
systematically to verify and validate the functional design of the supplementary control points.
It is assumed that supplementary control points provided for shutdown operations from
outside the main control room would be unattended during normal plant conditions other than
for periodic testing. The requirements reflect the application of human engineering principles
as they apply to the human-machine interface during such periodic testing and during
abnormal plant conditions.
This standard does not cover special emergency response facilities (e.g. a technical support
centre) or facilities provided for radioactive waste handling. Detailed equipment design is also
outside the scope of the standard.
This standard follows the principles of IAEA Requirements NS-R-1 “Safety of Nuclear Power
Plants: Design” and IAEA Safety Guide NS-G-1.3 “Instrumentation and Control Systems
Important to Safety in Nuclear Power Plants”.
The purpose of this standard is to provide functional design requirements to be used in the
design of the supplementary control points of a nuclear power plant to meet safety
requirements.
This standard is intended for application to supplementary control points whose conceptual
design is initiated after the publication of this standard. If it is desired to apply it to existing
plants or designs, special care must be taken to ensure a consistent design basis. This
relates, for example, to factors such as the consistency between the supplementary control
points and the main control room, the ergonomic approach, the automation level and the
information technology.
2 Normative references
The following referenced documents are indispensable for the application of this document.
For dated references, only the edition cited applies. For undated references, the latest edition
of the referenced document (including any amendments) applies.
IEC 60709, Nuclear power plants – Instrumentation and control systems important to safety –
Separation
IEC 60964, Nuclear power plants – Control rooms – Design

---------------------- Page: 9 ----------------------
– 8 – 60965 © IEC:2009
IEC 61226, Nuclear power plants – Instrumentation and control systems important for safety –
Classification of instrumentation and control functions
IEC 61513, Nuclear power plants – Instrumentation and control for systems important to
safety – General requirements for systems
IEC 61771, Nuclear power plants – Main control room – Verification and validation of design
IAEA NS-R-1:2000, Safety of nuclear power plants: Design
IAEA NS-G-1.3:2002, Instrumentation and Control Systems Important to Safety in Nuclear
Power Plants

3 Terms and definitions
For the purposes of this document, the following terms and definitions apply. For other terms,
refer to the general terminology defined in IEC 60964, IEC 61513 and in the IAEA NUSS
programme, such as Safety Guide NS-G-1.3 or the safety glossary.
3.1
control room staff
a group of plant personnel stationed in the control room, which is responsible for achieving
the plant operational goals by controlling plant through the human-machine interface.
Typically, the control room staff consists of supervisory operators, and operators who actually
monitor plant and plant conditions and manipulate controls, but may also include those staff
members and experts who are authorised to be present in the control room, e.g. during long
lasting event sequences.
[IEC 60964, 3.4]
3.2
local control points (or facilities)
points (or facilities) located outside the control room where local operators perform control
activities
[IEC 60964, 3.17]
3.3
local operators
the operating staff that perform tasks outside the control room
[IEC 60964, 3.18]
3.4
operating staff
plant personnel working on shift to operate the plant. The operating staff includes the control
room staff, maintenance engineers, etc.
[IEC 60964, 3.20]
3.5
supplementary control point
a location from which limited plant control and/or monitoring can be carried out to accomplish
the safety functions identified by the safety analysis as required in the event of a loss of
ability to perform those functions from the main control room. The supplementary control point
may be a special control room, but in many cases comprises a set of control panels and
displays in switchgear rooms or similar areas.

---------------------- Page: 10 ----------------------
60965 © IEC:2009 – 9 –
4 Abbreviations
I&C Instrumentation and Control
LCP Local Control Point
MCR Main Control Room
NPP Nuclear Power Plant
PIE Postulated Initiating Event
SCP Supplementary Control Points, Supplementary Control Point
V&V Verification and Validation
5 Design principles
5.1 General
Clause 6.75 of IAEA NS-R-1 states “Sufficient instrumentation and control equipment shall be
available, preferably at a single location (supplementary control room) that is physically and
electrically separate from the control room, so that the reactor can be placed and maintained
in a shut down state, residual heat can be removed, and the essential plant variables can be
monitored should there be a loss of ability to perform these essential safety functions in the
control room”.
Clauses 6.15 to 6.30 of IAEA NS-G-1.3 provide guidance on the requirements for
supplementary control rooms (‘SCP’ in this standard), including requirements associated with
the following:
• definition of the plant design bases that require use of the SCP (Clauses 6.17, 6.19, 6.20);
• location and configuration of the SCP to promote prompt mobilisation (Clause 6.29);
• qualified access path to the SCP, with hazard indication and suitable countermeasures
along this path (Clauses 6.27, 6.28);
• prevention of unauthorised access to or use of the SCP (Clause 6.21);
• safety functions of the MCR and SCP not affected by the same PIE, and independence of
the circuits associated with the SCP from those of the MCR (Clauses 6.20, 6.23);
• priority of control between the MCR and SCP, and transfer of control from the MCR to the
SCP (Clauses 6.18, 6.20, 6.24);
• manual control in the SCP accomplished by simple actions (Clause 6.22);
• displays and controls in the SCP similar to those in the MCR, to the extent possible
(Clause 6.22);
• consideration of the difference of purpose between the MCR and the SCP (Clause 6.25);
• if long-term use is envisaged, suitable facilities for habitability and workspace for tasks
(Clause 6.30).
5.2 Main objectives
The SCP shall be provided with the means to trip the reactor and bring the plant to a safe
shutdown state and maintain it in that state without access to the MCR. However, the SCP are
not required to perform all the other plant control and monitoring functions which are typically
performed in the MCR. According to the type of NPP and the detailed safety arguments,
provisions to cope with a predefined set of PIE could be integrated in the SCP.
The SCP are required if the conditions within the MCR are no longer within its operational
design bases, and in consequence are such that the MCR is no longer available. Possible
causes include a control room fire, the entry of excess smoke or a dangerous atmosphere to
the MCR, severe damage to the MCR or its cables such that safety functions cannot be
performed, major damage to the control room area, or major failure of control room facilities.

---------------------- Page: 11 ----------------------
– 10 – 60965 © IEC:2009
The design basis PIE and sequences of events for which the SCP are necessary and intended
to be used shall be identified. This shall include identification and justification of the assumed
duration for which the SCP may be required.
Since events leading to unavailability of the MCR are very infrequent, it is anticipated that the
plant safety analysis will demonstrate that such events can only coincide with another
independent event in the plant at an acceptably low frequency; in particular, it is anticipated
that the primary coolant circuit will be intact. However, due account shall be taken of any plant
fault that may occur as a consequence of reactor trip and of any plant faults at shutdown that
are of sufficient frequency to coincide with use of the SCP. In particular, the design of the
SCP shall take account of the possible long-term unavailability of the MCR due to fire or other
reasons.
The criteria for use of the SCP shall be clearly stated in the plant operating procedures.
It shall be possible to determine the complete safety state of the plant from outside the MCR.
This should preferably be from the SCP.
From an operational viewpoint (e.g. to simplify operation and avoid misunderstanding), it is
preferable to have only one SCP. Care shall be taken, however, to meet safety requirements,
particularly requirements for redundancy and independence.
There should be full presentation ability at all SCP of any computer-based information display
and alarm s
...