IEC 61226 Classification of I&C Functions Important to Safety in Nuclear Power Plants

💡 Core Insight: IEC 61226 establishes a classification framework for instrumentation and control (I&C) functions important to safety in nuclear power plants. Functions are categorized into classes A, B, and C according to their safety significance, with each class mapped to specific design, qualification, and independence requirements. It is a foundational document for graded I&C system design in nuclear installations.

1. Classification System and Definitions

IEC 61226 divides I&C functions into three categories based on their safety significance, each mapped to a specific set of design criteria and evaluation requirements:

  • Class A Functions: Those necessary to perform safety functions whose failure could significantly worsen the consequences of a design-basis accident. These demand the highest reliability levels and typically employ fully type-tested, independently verified hardwired or diverse digital logic (e.g., reactor protection systems).
  • Class B Functions: Those necessary for safety function execution whose failure would not lead to an unacceptable worsening of consequences, or those supporting Class A functions without directly performing safety actions.
  • Class C Functions: Those that contribute to safety but are not within the scope of safety function execution, or those used for post-accident monitoring and assessment whose failure would not significantly impact safety.

⚠ Design Note: Classification is not static. The same function may carry different safety significance under different operating modes. For example, residual heat removal I&C control may have a different classification during normal shutdown than under post-accident conditions. Designers must determine the most stringent classification for each function based on comprehensive safety analysis.

2. Design and Qualification Requirements by Class

IEC 61226 specifies differentiated design and qualification requirements for each I&C function class, covering independence, diversity, fail-safe behavior, software V&V level, and seismic qualification.

| Attribute | Class A | Class B | Class C |
|---|---|---|---|
| Independence | Fully isolated from others | Isolated from A, may share with C | No mandatory isolation |
| Diversity | Required (e.g., diverse backup) | Recommended | Not required |
| Fail-Safe | Mandatory | Recommended | Not mandatory |
| Software V&V | Highest (IEC 60880) | Medium (IEC 62138) | Conventional (IEC 62671) |
| Seismic Qualification | SSE level | SSE level | OBE or none |
| EMC Level | Highest immunity | High immunity | Industrial grade |
| Quality Assurance | QA1 | QA2 | QA3 |

Class A function software must follow IEC 60880, requiring formal methods, structured development, and comprehensive independent verification and validation (IV&V). Class B software follows IEC 62138, while Class C software may follow IEC 62671.

✅ Best Practice: Develop a comprehensive Function Classification Matrix covering all plant I&C functions, with each entry specifying its class, associated safety division, equipment, and software V&V requirements. This matrix serves both as a design-stage guide and as a configuration management tool for operational changes.

3. Independence Implementation and Common-Cause Failure Defense

Independence is a core requirement of the classification system. Class A functions must be both physically and electrically isolated from all other categories (B, C) and non-safety functions. Shared signal sources, communication networks, power supplies, grounding systems, and physical installation space must all be treated according to the highest class present.

Common-cause failure (CCF) defense is another key focus. For Class A functions, IEC 61226 requires diversity — employing different technical principles or design approaches to realize the same safety function. A typical example is a reactor protection system using both a microprocessor-based digital protection system and a solid-state or relay-logic diverse actuation system (DAS) as backup.

The standard also addresses classification in platform-based I&C designs. If the same I&C platform handles both Class A and B/C functions, the overall platform qualification must meet Class A requirements, and a thorough CCF analysis must demonstrate that a platform-level common-cause failure cannot disable all safety functions simultaneously.
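
The classification matrix from section 2, the most-stringent-mode rule from section 1 and the shared-resource rule above can be checked mechanically. The sketch below is an added example, not part of IEC 61226 or of the original article; the function names, operating modes and resource identifiers are constructed for illustration.

```python
from collections import defaultdict

# Stringency order from the article: A is most stringent, then B, then C.
RANK = {"A": 3, "B": 2, "C": 1}

# Constructed sample matrix: functions, modes and resource ids are hypothetical.
MATRIX = [
    {"function": "reactor_trip", "modes": {"power": "A", "shutdown": "A"},
     "resources": {"psu-div1", "net-safety-1"}},
    {"function": "rhr_control",
     "modes": {"normal_shutdown": "B", "post_accident": "A"},
     "resources": {"psu-div2", "net-safety-2"}},
    {"function": "feedwater_backup_ctrl", "modes": {"power": "B"},
     "resources": {"psu-div3", "net-plant"}},
    {"function": "post_accident_monitoring", "modes": {"post_accident": "C"},
     "resources": {"psu-div3", "net-plant", "net-safety-2"}},
]

def governing_class(entry):
    """Most stringent class the function carries in any operating mode."""
    return max(entry["modes"].values(), key=RANK.__getitem__)

def review(matrix):
    """Return (governing class per function, required class per shared
    resource, independence findings as (resource, functions) tuples)."""
    governing = {e["function"]: governing_class(e) for e in matrix}
    users = defaultdict(list)
    for e in matrix:
        for r in e["resources"]:
            users[r].append(e["function"])
    resource_class, findings = {}, []
    for r, funcs in sorted(users.items()):
        classes = {governing[f] for f in funcs}
        # Shared resources are treated according to the highest class present.
        resource_class[r] = max(classes, key=RANK.__getitem__)
        # Table rule: A is isolated from B and C; B may share only with C.
        if "A" in classes and len(classes) > 1:
            findings.append((r, sorted(funcs)))
    return governing, resource_class, findings

if __name__ == "__main__":
    governing, resource_class, findings = review(MATRIX)
    for r, funcs in findings:
        print(f"independence finding: {r} shared by {funcs} "
              f"(must be treated as Class {resource_class[r]})")
```

A finding here is a prompt for the formal independence and CCF analysis, not a verdict: the shared resource either has to be separated or the whole path has to meet the higher class.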

🔴 Critical Warning: A common misunderstanding equates “safety class” exclusively with “Class A.” In fact, Class B and C functions are also “important to safety” and contribute to overall plant safety. Inappropriately downgrading a Class B or C function to non-safety status may lead to underestimation of uncertainty in safety analysis. Classification decisions must follow a formal safety classification review and be documented.

4. Frequently Asked Questions

Q1: How does IEC 61226 relate to IAEA NS-G-1.3?

A: IEC 61226 provides the technical elaboration of the classification principles outlined in IAEA NS-G-1.3. The IAEA guide establishes the framework, while IEC 61226 specifies concrete design and qualification technical requirements.

Q2: How is software classification handled in digital I&C platforms?

A: The I&C function classification determines the applicable software V&V standard: IEC 60880 for Class A (formal specification, full coverage testing), IEC 62138 for Class B, and IEC 62671 for Class C. A single platform may host multiple software classes provided isolation and CCF analysis requirements are satisfied.

Q3: Does classification apply to online modifications (e.g., parameter changes)?

A: Yes. Any modification affecting a classified function — software parameter changes, hardware replacement, or logic modification — must follow the change management process corresponding to the original classification, without unauthorized downgrading.

Q4: How should a system containing both Class A and Class C functions be treated?

A: The system as a whole should satisfy Class A requirements (highest-class principle), unless adequate independence can be demonstrated between Class A and Class C portions — separate processors, independent communication channels, and independent power supplies — with CCF analysis showing no credible failure path to Class A functions.

© 2026 TNLab. All rights reserved. This article is for professional engineering reference.
