TECHNICAL REPORTS SERIES No. 239. Nuclear Power Plant Instrumentation and Control: A Guidebook. INTERNATIONAL ATOMIC ENERGY AGENCY, VIENNA, 1984


The following States are Members of the International Atomic Energy Agency:

AFGHANISTAN; ALBANIA; ALGERIA; ARGENTINA; AUSTRALIA; AUSTRIA; BANGLADESH; BELGIUM; BOLIVIA; BRAZIL; BULGARIA; BURMA; BYELORUSSIAN SOVIET SOCIALIST REPUBLIC; CAMEROON; CANADA; CHILE; CHINA; COLOMBIA; COSTA RICA; CUBA; CYPRUS; CZECHOSLOVAKIA; DEMOCRATIC KAMPUCHEA; DEMOCRATIC PEOPLE’S REPUBLIC OF KOREA; DENMARK; DOMINICAN REPUBLIC; ECUADOR; EGYPT; EL SALVADOR; ETHIOPIA; FINLAND; FRANCE; GABON; GERMAN DEMOCRATIC REPUBLIC; GERMANY, FEDERAL REPUBLIC OF; GHANA; GREECE; GUATEMALA; HAITI; HOLY SEE; HUNGARY; ICELAND; INDIA; INDONESIA; IRAN, ISLAMIC REPUBLIC OF; IRAQ; IRELAND; ISRAEL; ITALY; IVORY COAST; JAMAICA; JAPAN; JORDAN; KENYA; KOREA, REPUBLIC OF; KUWAIT; LEBANON; LIBERIA; LIBYAN ARAB JAMAHIRIYA; LIECHTENSTEIN; LUXEMBOURG; MADAGASCAR; MALAYSIA; MALI; MAURITIUS; MEXICO; MONACO; MONGOLIA; MOROCCO; NAMIBIA; NETHERLANDS; NEW ZEALAND; NICARAGUA; NIGER; NIGERIA; NORWAY; PAKISTAN; PANAMA; PARAGUAY; PERU; PHILIPPINES; POLAND; PORTUGAL; QATAR; ROMANIA; SAUDI ARABIA; SENEGAL; SIERRA LEONE; SINGAPORE; SOUTH AFRICA; SPAIN; SRI LANKA; SUDAN; SWEDEN; SWITZERLAND; SYRIAN ARAB REPUBLIC; THAILAND; TUNISIA; TURKEY; UGANDA; UKRAINIAN SOVIET SOCIALIST REPUBLIC; UNION OF SOVIET SOCIALIST REPUBLICS; UNITED ARAB EMIRATES; UNITED KINGDOM OF GREAT BRITAIN AND NORTHERN IRELAND; UNITED REPUBLIC OF TANZANIA; UNITED STATES OF AMERICA; URUGUAY; VENEZUELA; VIET NAM; YUGOSLAVIA; ZAIRE; ZAMBIA

The Agency’s Statute was approved on 23 October 1956 by the Conference on the Statute of the IAEA held at United Nations Headquarters, New York; it entered into force on 29 July 1957. The Headquarters of the Agency are situated in Vienna. Its principal objective is “to accelerate and enlarge the contribution of atomic energy to peace, health and prosperity throughout the world”.

© IAEA, 1984

Permission to reproduce or translate the information contained in this publication may be obtained by writing to the International Atomic Energy Agency, Wagramerstrasse 5, P.O. Box 100, A-1400 Vienna, Austria.

Printed by the IAEA in Austria, October 1984


IAEA, VIENNA, 1984 STI/DOC/10/239

ISBN 92-0-155284-X

FOREWORD

The IAEA has produced over several years a number of publications with the aim of providing guidance in the planning and introduction of nuclear power in a country. As part of this work the International Working Group on Nuclear Power Plant Control and Instrumentation recommended that a guidebook should be prepared to summarize the problems in the field of nuclear power plant control and instrumentation and to give advice in particular to those preparing for their first nuclear power project. The book is closely related to the IAEA’s Nuclear Safety Standards (NUSS) programme as far as the field of instrumentation and control systems is concerned with regard to the safety and operational systems. The terminology and definitions of these documents have been used where applicable.

Though not likely to be decisive, specific considerations of instrumentation and control will be a most important factor in the procurement of a nuclear power system, because of their importance to safety and reliable operation. Because of this and for other reasons, the procurement team must possess sufficient expertise in this area to permit worthwhile and searching exchanges between it and the prospective vendor’s staff.

This guidebook is intended for the instrumentation and control specialists on the procurement team with a basic understanding of the instrumentation and control systems associated with a nuclear power plant.

The purpose of this guidebook is to give a prospective purchaser an account of instrumentation and control problems that may present difficulties during any of the many crucial stages of planning, procurement, commissioning and operations.

The present version of the guidebook is mainly restricted to light-water reactors but information on the CANDU system has been included.

The book is divided into two main parts: since this guidebook is intended mainly for countries embarking on a nuclear power programme, the first section is devoted to the discussion of problems in the area of instrumentation and control systems encountered during the phases of planning, design, procurement, inspection and construction, during commissioning and testing as well as during start-up and commercial operation. These problems are only partly of a technical nature; the main difficulties arise from organization, licensing, and staffing for a nuclear power plant project. So from the point of view of countries embarking on a nuclear power programme the first part may be regarded as the main part of this publication. It is designed to help in recognizing and identifying the difficulties which arise in the course of initiating such a programme. Understanding clearly these numerous and complex problems may be a first step to their solution.

To avoid generalities and a flavour of blandness in the guidebook, the first part gives numbers and preferred or recommended methods. However, each country embarking on a nuclear power programme has its own unique national infrastructure, and evolves solutions accordingly. It is therefore worth while mentioning that the recommendations and numbers given in the first part are by no means universal and only represent problems and their solutions for a given set of circumstances. It is hoped that the contents will provide the reader with food for thought, assist him in problem identification and provide guidelines for solutions.

The second part tries to give the reader an overview of nuclear power plant instrumentation and control philosophies. It does not attempt an evaluation of the different designs and concepts. The contributions of different manufacturers on their concepts are included as an information source in annexes to the guidebook.

The sources for this study are published literature as well as information collected directly from reactor suppliers, utilities and research institutions.

EDITORIAL NOTE

The material in this Guidebook has been edited by the editorial staff of the International Atomic Energy Agency to the extent considered necessary for the reader’s assistance. The views expressed and the general style adopted remain, however, the responsibility of the authors. In addition, the views are not necessarily those of the governments of the nominating Member States or of the nominating organizations.

The use of particular designations of countries or territories does not imply any judgement by the publisher, the IAEA, as to the legal status of such countries or territories, of their authorities and institutions, or of the delimitation of their boundaries.

The mention of specific companies or of their products or brand names does not imply any endorsement or recommendation on the part of the IAEA.

Authors are themselves responsible for obtaining the necessary permission to reproduce copyright material from other sources.

CONTENTS

PART I
INSTRUMENTATION AND CONTROL OF A COUNTRY’S FIRST NUCLEAR POWER PLANT

1. INTRODUCTION

2. ORGANIZATION AND METHODS
2.1. I&C for the Safety Regulatory Authority
2.2. Nuclear licensing and regulation

3. TECHNOLOGY TRANSFER AND NATIONAL PARTICIPATION

4. MANPOWER DEVELOPMENT
4.1. Initial training for professionals (academic plus practical)
4.2. Technician training
4.3. In-house training facilities: the establishment of a nuclear training centre
4.3.1. Specification of objectives
4.3.2. Training the trainers
4.3.3. The syllabus
4.3.4. Planning of laboratories for the training centre
4.4. Role of the IAEA
4.5. Some implementation problems
4.6. Design and Development (D&D) role of the training centre
4.7. Familiarization with plant equipment: utilization of plant spare modules for training
4.8. Preparation of training manuals and lessons
4.9. Career planning: fighting stagnation and attrition

5. NUCLEAR POWER PLANT TRAINING SIMULATOR PROJECT
5.1. Full scope nuclear power plant training simulator
5.2. Current status on use of simulator
5.3. Full scope vis-a-vis generic or basic principles training simulators
5.4. Simulator location and timing
5.5. Execution of the NPPTS project
5.6. Simulator spin-offs

6. VARIOUS PHASES OF PROJECT IMPLEMENTATION
6.1. Planning and pre-project phase
6.2. Project preparation phase
6.3. Project design engineering phase
6.3.1. Manpower requirement for design engineering
6.3.2. Owner/utility involvement
6.3.3. Some considerations in I&C equipment selection and evaluation
6.4. Construction and installation of I&C equipment
6.4.1. Participating organizations
6.4.2. I&C activities and considerations
6.4.2.1. Planning
6.4.2.2. Shipment, storage and pre-installation verification
6.4.2.3. Installation and verification during installation
6.4.2.4. Post-installation verification
6.4.2.5. Pre-commissioning I&C loop checks and control circuit logic checks
6.4.2.6. Modification during installation
6.4.2.7. Handing-over to commissioning
6.5. Commissioning and start-up
6.5.1. Commissioning programme
6.5.1.1. Responsibility and manpower
6.5.1.2. Licensing activities
6.5.1.3. Time schedule
6.5.2. Testing procedures
6.5.3. Commissioning documentation
6.5.3.1. Purpose of commissioning documentation
6.5.3.2. Content of commissioning documentation
6.5.4. Special problems
6.5.5. Pre-operational tests
6.5.5.1. Testing programme
6.5.6. Initial start-up tests
6.5.6.1. Prerequisites
6.5.6.2. Testing programme: fuel loading to criticality
6.5.6.3. Testing programme: power ascension to hand-over
6.5.7. Special regulatory requirements during start-up
6.5.7.1. Special tests
6.5.7.2. Grid considerations
6.5.7.3. Outstanding items
6.5.8. Preparation by the owner for take-over and for commercial operation
6.5.9. Status of the I&C maintenance group at the time of plant hand-over
6.6. Operation and maintenance
6.6.1. I&C maintenance department of the plant
6.6.1.1. ‘First-line’ maintenance activities
6.6.1.2. Preventive maintenance (PM) activities
6.6.1.3. Shop calibration, repair and maintenance (and salvage)
6.6.1.4. Maintenance of equipment history and evaluation
6.6.1.5. Documentation
6.6.1.6. Materials management
6.6.2. I&C training
6.6.3. Technical support: plant performance analysis and modifications

7. SPECIAL TOPICS
7.1. Spare parts inventory
7.2. Spare computer system (SCS)
7.3. Need for design know-how
7.4. D&D simulator

Appendix to Part I: Bibliography and general reading

PART II
OUTLINE OF CURRENT WATER REACTOR INSTRUMENTATION AND CONTROL

8. DESIGN CONCEPTS OF INSTRUMENTATION AND CONTROL FOR CURRENT WATER REACTOR NUCLEAR POWER PLANTS
8.1. General aspects
8.1.1. Design philosophies
8.1.2. Definitions and terminology
8.1.3. Main structures
8.2. Control equipment
8.2.1. Switching logic and on-off open-loop control
8.2.2. Open- and closed-loop control for continuous process variables
8.2.3. Control components
8.3. Automation
8.4. Computers
8.5. Design requirements
8.5.1. Redundancy, physical separation, diversity and failure to safety
8.5.2. Interconnection and independence
8.5.3. Maintainability, repairability and testability
8.5.4. Automatic testing and failure detection
8.5.5. Standardization of design and equipment
8.6. Electric and non-electric power supplies for I&C
8.7. Environmental influences
8.7.1. Fire
8.7.2. Seismic influences
8.7.3. Air conditioning
8.7.4. Electromagnetic interference
8.7.5. Accident conditions
8.7.6. Other external hazards
8.7.7. Security
Bibliography

9. OPERATOR/PLANT COMMUNICATION
9.1. Central control room
9.1.1. Purpose of the control room
9.1.2. Design of the control room
9.1.3. Ergonomic aspects and layout
9.1.4. Equipment inside the control room
9.2. Other control boards
9.2.1. Emergency control room
9.2.2. Local control panels
Bibliography

10. INSTRUMENTATION
Bibliography

11. MAIN CONTROL SYSTEMS
11.1. Basic control concepts of PWR/NPPs
11.2. Reactor power control for a PWR
11.3. Other important PWR control systems
11.3.1. Turbine control
11.3.2. Steam generator
11.3.3. Volume and boron concentration control systems
11.3.4. Reactor pressure control
11.4. Basic control concept of BWR/NPPs
11.4.1. Reactivity parameters in a BWR core
11.4.2. BWR control concepts
11.5. BWR control systems
11.5.1. Pressure and turbine speed control
11.5.2. Control of the vessel’s water level
11.5.3. Core power control
11.5.4. Control rod control
11.5.5. Other control systems
Bibliography

12. SAFETY SYSTEMS AND SAFETY-RELATED SYSTEMS
12.1. Protection system
12.2. Safety actuation systems
12.3. Safety system support features
12.4. Safety-related systems
Bibliography

ANNEX I
INSTRUMENTATION AND CONTROL CONCEPTS FOR CANDU REACTORS: A CANADIAN EXAMPLE

1. INTRODUCTION

2. REACTOR FUNDAMENTALS
2.1. Pressure tube concept
2.2. Natural UO2 and D2O
2.3. Reactivity feedback
2.4. Reactor kinetics
2.5. Xenon feedback

3. OVERALL INSTRUMENTATION AND CONTROL DESIGN PHILOSOPHY
3.1. Defence-in-depth
3.2. Special safety systems
3.3. Reactor regulation
3.4. Electrical power supplies

4. AUTOMATIC CONTROL SYSTEMS
4.1. General
4.2. Overall plant control
4.3. Digital computer systems
4.4. Reactor instrumentation
4.5. Reactor regulating system
4.5.1. Zonal control absorbers
4.5.2. Mechanical control absorbers
4.5.3. Adjusters
4.6. Flux mapping
4.7. Control strategies
4.7.1. Reactor start-up
4.7.2. Normal operation
4.7.3. Power setbacks
4.7.4. Power stepbacks
4.8. System response to disturbances
4.9. Xenon override and load-following capabilities
4.9.1. Xenon override
4.9.2. Load-following capabilities
4.10. Reliability and maintainability

5. REACTOR SAFETY SYSTEMS
5.1. Shutdown System No. 1
5.1.1. General description
5.1.2. Logic
5.1.3. Individual trips
5.2. Shutdown System No. 2
5.3. Emergency coolant injection
5.4. Containment
5.4.1. Dousing system
5.4.2. Containment isolation control

6. CONTROL ROOM DESIGN AND INFORMATION DISPLAY
6.1. Main control areas
6.2. Main control room panels
6.3. Safety-related display instrumentation

7. ON-POWER REFUELLING SYSTEM

8. ELECTRICAL POWER SYSTEMS

9. MISCELLANEOUS INSTRUMENTATION AND CONTROL SYSTEMS
9.1. Radiation protection
9.1.1. General
9.1.2. Fixed and portable area monitoring
9.1.3. Access control
9.1.4. Liquid effluent monitoring
9.1.5. Gaseous monitoring
9.1.6. Containment monitoring
9.1.7. Environmental surveillance
9.2. Fire protection

10. HEAVY-WATER MONITORING
10.1. Heavy-water leak detection
10.2. Process monitoring

11. FAILED FUEL DETECTION SYSTEM

12. LICENSING PHILOSOPHY

Acknowledgements
References

ANNEX II
INSTRUMENTATION AND CONTROL CONCEPTS FOR PWR REACTORS: A FRENCH EXAMPLE

1. GENERAL DESIGN CRITERIA
1.1. Regulations, Codes and Standards
1.1.1. Regulations relative to health physics
1.1.2. Regulations relative to pressure vessels
1.1.3. RCC design and construction rules
1.1.4. Regulations relative to transport
1.2. Operational requirements

2. INSTRUMENTATION AND CONTROL FUNCTION
2.1. General
2.2. Safety-related systems
2.2.1. Protection system
2.2.2. Systems required for safe shutdown
2.2.3. Supporting systems
2.3. Instrumentation and control systems for the normal operation of the nuclear power plant
2.3.1. Instrumentation
2.3.2. Control loop
2.3.3. Logic control
2.3.4. Computer and data-processing system
2.3.5. Alarm processing system

3. INSTRUMENTATION AND CONTROL DESIGN PRINCIPLES AND CHARACTERISTICS
3.1. Protection system and systems required for safe shutdown
3.1.1. General description of the protection system
3.1.2. Design basis of the protection system
3.2. Protection and engineered safety systems performance
3.2.1. Emergency shutdown channels
3.2.2. Engineered safety systems
3.2.3. Post-accident monitoring system
3.3. Performance of the systems designed for ensuring normal operation of the plant
3.3.1. Adjustment to the grid
3.3.2. Principle of the RAMP (Reactor Advanced Manoeuvrability Package)
3.3.3. RAMP control system

4. MAIN EQUIPMENT DESCRIPTION
4.1. Digital integrated protection system (SPIN)
4.1.1. General configuration
4.1.2. Technological choices
4.1.3. Structure of a functional unit
4.1.4. Operation of a functional unit
4.1.5. Assembly of the components forming a UF
4.2. Programmable system for on/off control
4.2.1. Main characteristics
4.2.2. Automation cabinets
4.3. Control system
4.3.1. Micro-Z arrangement: examples
4.4. Computer and data-processing system
4.5. Operator and computer
4.5.1. General
4.5.2. Forecast and load follow-up calculations
4.5.3. In-core calculations
4.5.4. Performance calculations

Page 17: Nuclear Power Plant Instrumentation and Control A Guidebook

ANNEX III
INSTRUMENTATION AND CONTROL CONCEPTS FOR PWR REACTORS: A FEDERAL GERMAN EXAMPLE

1. DESIGN BASIS FOR NUCLEAR POWER PLANTS IN THE FEDERAL REPUBLIC OF GERMANY
1.1. Regulatory requirements
1.2. Operational requirements

2. FEATURES OF KWU NPPs AND I&C SYSTEM
2.1. General remarks
2.2. Special features of the I&C system

3. DESIGN PRINCIPLES OF SAFETY-RELATED REACTOR-LEITTECHNIK
3.1. Operator’s role
3.2. Limitations
3.3. Examples of diversity
3.4. Testability and fault detection capability

4. REACTOR INSTRUMENTATION
4.1. Neutron flux instrumentation
4.1.1. Ex-core
4.1.2. In-core
4.1.3. Aeroball system
4.2. Radiation monitoring
4.2.1. Design
4.2.2. Measurements
4.2.3. Tests
4.2.4. Computer application
4.3. Conventional instrumentation

5. SAFETY SYSTEM
5.1. Reactor protection system (RPS)
5.2. Engineered safety features

6. LIMITATION SYSTEMS
6.1. Survey of limitations
6.2. Reactor power limitation system (REPOL)
6.3. Bank movement limitation system (BEPOL)
6.4. Coolant-pressure, -inventory and -temperature gradient limitation system (PITEL)
6.5. Local power surveillance system (LPS)
6.6. Rod dropping system (RODROP)

7. REACTOR CLOSED-LOOP CONTROLS
7.1. General remarks
7.2. Reactor power control system (survey)

8. CONTROL ROOM DESIGN

9. COMPUTER APPLICATION
9.1. Concept
9.2. Functions

10. OPERATIONAL CHARACTERISTICS
10.1. Load-following capability
10.2. Start-up behaviour
10.3. Anticipated operational events

11. SUPPLEMENT
11.1. Power supply concept
11.2. Quality assurance

ANNEX IV
INSTRUMENTATION AND CONTROL CONCEPTS FOR BWR REACTORS: A JAPANESE EXAMPLE

1. INTRODUCTION

2. DESIGN CRITERIA FOR NUCLEAR POWER PLANTS
2.1. Requirement of standards and guides
2.1.1. Standards and guides
2.1.2. Guides for safety design inspection
2.1.3. Technical provisions and guides
2.2. Requirements for construction and operation
2.2.1. Permission for construction
2.2.2. Requirements for operation
2.2.3. Operation of nuclear power plant

3. DESIGN GUIDES FOR BWR POWER PLANTS
3.1. Safety design criteria
3.1.1. Prevention of major events
3.1.2. Detection of a major event and safe shutdown of the reactor
3.1.3. Plant control after occurrence of a major event
3.2. Operating limits criteria
3.2.1. Operating limits for fuel cladding integrity
3.2.2. Operating limits for the primary reactor coolant system
3.2.3. Limit setpoints of safety systems
3.3. Seismic and environmental conditions criteria
3.3.1. Seismic design criteria
3.3.1.1. Design principles
3.3.1.2. Seismic design criteria for instrumentation and control
3.3.2. Environmental conditions criteria
3.3.2.1. Design principles
3.3.2.2. Environmental conditions criteria for instrumentation and control
3.4. Operating personnel interface
3.4.1. Design principles
3.4.2. Basic considerations regarding the operating personnel interface

4. PROCESS INSTRUMENTATION
4.1. General
4.2. Design conditions for the process instrumentation

5. NUCLEAR INSTRUMENTATION
5.1. Design criteria
5.2. Major facilities

6. REACTOR CONTROL SYSTEM
6.1. General
6.2. Reactor power output control system
6.3. Reactor pressure control and turbine control systems
6.4. Reactor water level control system
6.5. Safety considerations

7. SAFETY AND PROTECTION SYSTEM
7.1. Design criteria
7.2. Emergency reactor shutdown system
7.2.1. Reactor scram conditions
7.2.2. Fail-safe
7.2.3. Tests
7.2.4. Reset
7.3. Backup emergency shutdown system
7.4. Other important safety and protection functions

8. CENTRAL CONTROL ROOM
8.1. General
8.2. Monitoring console panel
8.3. Application of colour CRTs
8.4. Safety considerations

9. PROCESS COMPUTER SYSTEM
9.1. Basic functions of process computer
9.2. System configuration

10. POWER SYSTEM

ANNEX V
INSTRUMENTATION AND CONTROL CONCEPTS FOR PWR REACTORS: A JAPANESE EXAMPLE

1. INTRODUCTION

2. INSTRUMENTATION
2.1. Nuclear instrumentation
2.2. Process instrumentation
2.2.1. Reactor pressure instrumentation
2.2.2. Pressure level instrumentation
2.2.3. Coolant temperature instrumentation
2.2.4. Coolant flow instrumentation
2.2.5. Reactor coolant pump instrumentation
2.2.6. Steam flow instrumentation
2.2.7. Containment pressure instrumentation
2.2.8. Containment water level
2.2.9. Signal transmission, transformation and conditioning
2.3. Rod position instrumentation
2.4. Plant radiation monitoring instrumentation

3. OPERATIONAL SYSTEMS
3.1. Control concepts and plant power control
3.2. Role of boric acid concentration control
3.3. Combined control concept
3.4. Reactor pressure control
3.5. Steam generator level control
3.6. Steam pressure control
3.7. Steam dump control
3.8. Pressurizer water level control
3.9. Rod control system
3.10. Control bank rod insertion monitoring
3.11. Operational characteristics

4. SAFETY SYSTEMS
4.1. Design bases
4.2. Reactor protection system
4.3. Engineered safety features actuation system

5. SAFETY-RELATED SYSTEMS
5.1. Post-accident monitoring (PAM)

6. CONTROL BOARD DESIGN
6.1. Design of conventional control board
6.2. Design of advanced control room

7. PLANT COMPUTERS
7.1. General
7.2. Entire system architecture
7.3. Instruction system
7.4. CRT display system
7.5. Technical support centre (TSC)

8. ADVANCED INSTRUMENTATION AND CONTROL SYSTEMS
8.1. Reactor protection system
8.1.1. Analog section
8.1.2. Logic section
8.2. Reactor control system
8.3. Detectors
8.4. Reactor power monitoring system

ANNEX VI
INSTRUMENTATION AND CONTROL CONCEPTS FOR THE ASEA-ATOM BWR: A SWEDISH EXAMPLE

1. INTRODUCTION

2. SAFETY DESIGN PHILOSOPHY
2.1. Redundancy
2.2. Separation
2.3. Degree of automation
2.4. Protection
2.5. Diversity
2.6. Remote shutdown
2.7. Shutdown outside the control room (remote shutdown)

3. CONTROL ROOM
3.1. Main principles
3.2. Design
3.3. Components

4. REACTOR PROTECTION SYSTEM
4.1. Introduction
4.2. Instrumentation
4.3. RPS logic
4.4. Test and calibration
4.5. Data sheet

5. PLANT CONTROL
5.1. Overview
5.2. Recirculation flow control
5.3. Control rod operation
5.4. Reactor water level control
5.5. Reactor pressure control
5.6. Design
5.7. Data sheet

6. COMPUTER APPLICATION
6.1. Tasks
6.2. Concept
6.3. Data sheet

7. PRIMARY SYSTEM INSTRUMENTATION

8. POWER SUPPLY CONCEPT

9. FUTURE TRENDS

LIST OF PARTICIPANTS

PART I

INSTRUMENTATION AND CONTROL OF A COUNTRY’S FIRST NUCLEAR POWER PLANT

1. INTRODUCTION

The Instrumentation and Control (I&C) of a nuclear power plant (NPP) are the eyes and ears of the operator. If properly planned, designed, constructed and maintained they will present him with correct, appropriate information that will enable him to take judicious action during abnormal operations. They thus form, along with the human operator, the most vital link for the safe, efficient operation of a plant.

Under normal operating conditions, the I&C systems steer the plant for the operator, allowing him time to observe the overall behaviour of the plant, perform calculations and operations of an ancillary nature, etc., at the same time presenting the operator with all the necessary relevant information at his fingertips, allowing him, so to speak, constantly to monitor the pulse of his plant so that he is poised to take corrective action when required.

Despite the importance of I&C to safe, efficient plant operation, it plays a very small role in the selection of a reactor type or a nuclear steam supply system (NSSS) vendor. This can be governed by many other considerations. The I&C specialist may therefore find that he may have little to say in plant selection, though later on — during commissioning and operation — what was selected may greatly affect his work as well as plant operation. The I&C specialists may also find that during the planning and pre-project phases, the activities such as I&C manpower and organizational planning will take a second place to fuel economics, siting, etc.

This situation need not be accepted passively. I&C personnel can and should — right from the beginning — develop an appreciation and knowledge of the equipment and systems and determine whether stated objectives for safe, efficient operation of the plant will be met by the equipment proposed to be supplied. They can also determine whether adequate measures are included in the national programme as well as in the contract agreement with vendors for the requisite transfer of technology that will enable I&C personnel to support the plant during its lifetime.

One purpose of this guidebook is to present the I&C specialists with various considerations and implications so that they can prepare themselves and proffer to their management cogent reasons and measures for I&C planning and organization right from the very inception of the project.

Since it takes a minimum of six to seven years from signing of the contract to commercial operation, this lead time is quite adequate for preparing the I&C personnel for the responsibility of the operation and maintenance of I&C equipment and systems, provided that recruitment and training are started from the planning phase.

One fact that may already be apparent to the reader is that the I&C specialists — more than any other NPP specialists — have to be versatile, as their work is interactive with many areas outside their discipline: with the operation of the plant, with process systems, with health physics and radiation monitoring, and of course with safety. There is a need for the I&C specialist not to confine his learning to I&C equipment and systems only. He should be equally familiar with operating procedures, plant dynamics, and process systems as with I&C systems. This broad base of knowledge will greatly ease his job, and will assist him in communicating with non-I&C personnel in their language rather than in the specialized jargon which tends to be used by computer and I&C personnel.

I&C personnel will find that they have to interpret plant transients or faults (such as a sudden spike in coolant pressure or power output) in terms of specific control equipment behaviour (be it genuine or a result of equipment malfunction). A knowledge of process systems and their operation is therefore invaluable.

The I&C personnel for a country’s first nuclear power plant may be drawn either from nuclear research centres, from process industries (refineries, etc.) or from fossil-fuelled power plants. It may be worth while pointing out some of the special I&C requirements of a nuclear power plant and the spheres of activity of an I&C organization.

The instrumentation and control requirements of a nuclear power plant are far more complex and diverse in nature than those of a conventional plant. There are several reasons for this, some of which are:

(1) The availability of a nuclear power plant is of much greater concern than that of a conventional station because of the nuclear plant’s higher capital cost. The plant availability is totally dependent on the reliable measurement of plant parameters and their control.

(2) Due to non-accessibility of the reactor during plant operation, the state of the reactor and associated systems is required to be displayed in, and manipulated from, a central control room.

(3) Highly reliable redundant safety systems are required to ensure the automatic safe shutdown of the plant to prevent damage to the equipment and personnel.

(4) Since reactors and their instrumentation are experiencing rapid technological advances, the I&C of these systems are being regularly updated. New systems and equipment are being introduced as a result of obsolescence caused by these technological advances, and to provide improved performance and safety.

The following needs are therefore important while planning for I&C support:

(1) Engineers and technicians familiar with the conventional process instrumentation and/or with instrumentation of a research reactor.

(2) Engineers and technicians specifically trained in the I&C of the nuclear power plant being acquired.

(3) Training facilities for providing an understanding of the I&C of a nuclear power plant and imparting skills for repair and maintenance of I&C equipment.

(4) Design knowledge for reviewing, and where necessary, upgrading the performance of I&C equipment and systems. This is essential for modification of systems that do not meet the design intent and safety requirements and for subsequently combating obsolescence in I&C equipment.

(5) Facilities for carrying out periodic in-service inspection of plant equipment.

(6) Ability to carry out major repairs to I&C equipment speedily and effectively without jeopardizing the availability and safety of plant equipment.

(7) Ready availability of spares for the repair and maintenance of I&C equipment throughout the life of the plant and avoidance of loss of production because of lack of availability of spares.

(8) Monitoring the performance of the safety systems.

(9) Capability of generating better specifications for succeeding plants based on experimental data and performance figures of the first plant.

This section of the guidebook attempts to highlight some of the problems encountered in each phase of a NPP project — and presents possible remedies. Although the problems may be of common nature in many non-vendor, developing countries, the solutions proposed are by no means universal. The Guidebook may however assist the countries in problem identification and provide guidelines for solutions.

2. ORGANIZATION AND METHODS

The I&C is only a part of the overall nuclear project framework that will have to be established at national as well as at owner/utility level.

It is necessary to understand the various organizational structures and interrelationships that are possible, and how and where I&C activities fit into this overall scheme.

For a detailed treatment of this subject, the reader is referred to IAEA Code of Practice 50-C-G on Governmental Organization for the Regulation of Nuclear Power Plants (1978), and TRS 200 — Manpower Development for Nuclear Power: a Guidebook — and references therein.

I&C specialists will be required in each organization participating in the project and methods will need to be established in this phase to enable I&C specialists to communicate and even to be shared, and to ensure that rigid boundaries between these organizations are not set up. One suggestion is to establish technical committees based on the various specializations required for a nuclear power programme, e.g. an I&C Technical Committee could be comprised of I&C specialists from all the above organizations. The problem of communication may not be acute in an early stage of project development with only a few people, but later on it can be a major hindrance if there is a lack of proper and timely planning.

2.1. I&C for the Safety Regulatory Authority

Once a government takes a decision to embark on nuclear power, specific programme-oriented activities can be started. Among the most important of these is the nuclear safety regulatory activity and the establishment of a Nuclear Safety Regulatory Authority.

An I&C Technical Committee comprising I&C specialists working in various organizations could serve as the technical arm of the regulatory body to assist it during the early stages where it may not have the necessary technical expertise itself. Consultants from the IAEA or from a country other than the one supplying the nuclear power plant would be especially valuable and necessary for the regulatory body.

In an early phase the work of the regulatory I&C staff may include:

(1) Getting thoroughly familiar with the various I&C standards, such as the Institute of Electrical and Electronics Engineers (IEEE) standards for reactor protection, International Electrotechnical Commission (IEC) and IAEA safety guides and the general design criteria of some of the major NSSS vendors and their application to their reference plants.

(2) Getting familiar with reliability techniques, fault-tree analysis, failure modes and effects, etc., and with the available computer codes.

(3) Dissemination of information, either compiled initially or later internally generated studies and analyses, on design features and operational experience of nuclear power plants.

2.2. Nuclear licensing and regulation

Although there could be considerable I&C expertise available in a country embarking on a nuclear power programme, with a country’s first nuclear power project there may be a total lack of experience in nuclear-safety-related I&C activities. The following is recommended as prerequisite reading for all I&C professionals, especially those involved in nuclear safety regulatory activities:

(1) IAEA Safety Guides, specifically
50-SG-D3: Protection System and Related Features in Nuclear Power Plants
50-SG-D8: Safety-Related Instrumentation and Control Systems for Nuclear Power Plants

(2) Nuclear IEEE Standards (in 2 volumes)

(3) Material¹ from the IAEA training course on nuclear power safety analysis review, held at the Argonne Centre for Educational Affairs in 1978.

The work of an I&C specialist on safety regulatory activities falls into the following categories:

Codes and standards

Adoption and adaptation of codes and standards of the IAEA and/or the vendor country to the nuclear power plant being built specifically, and generally for the nuclear power programme. Interpreting and clarifying these to the owner/utility using specific examples from the nuclear power plant being built. In addition to IAEA Codes of Practice and Safety Guides, of interest to the regulatory I&C specialists are the IEEE and IEC standards and relevant sections of the ASME guides which specify the penetrations and fittings required for transducers such as resistance temperature detectors (RTDs), etc., within the reactor pressure boundary. A detailed list of these standards and guides is contained in the bibliography.

Licensing and safety assessment

The work starts in the pre-project phase with discussions with vendors on the safety aspects of their proposed NSSS types, and explaining to them the specific national requirements. Subsequently I&C specialists participate in the preparation or review of the bid specifications and later in the evaluation of the bids from the safety point of view. Once the contract is signed and the design work starts, participation in the design review process at the design offices of the main supplier can provide extremely valuable knowledge not only of the plant being constructed but also of the various methodologies of the design review process, and knowledge of the process system parameters and design. This will assist in verifying that the design conforms to the applicable criteria and codes.

The I&C specialists in this area of activity will be responsible for reviewing the safety analysis reports and the assessment of applications for construction permits, operating licences, etc. During commercial operation, the I&C specialists would be responsible for reviewing performance reports of the safety systems and of other I&C systems and ensuring that the integrity of the systems as designed is being maintained. They would also review and give approval to any design changes or modifications.

¹ For example, the lectures by YAREMY, E. on “Introduction to Review of I&C Systems” and SCHOLL, R.F., Jr. on “Reactor Trip Systems”.

Inspection and enforcement

These activities ensure the enforcement of standards, rules and regulations, and include investigations of unusual occurrences or any suspected breach of regulations, etc.

Development work and dissemination of information

The dilemma of I&C specialists working in nuclear regulatory activities in a country embarking on its first nuclear power plant is that they have to review and adjudge activities in which they play no participating role, and thus have little opportunity for gaining experience by actually doing things like their counterparts in the utility and the project design engineering group. Furthermore, they may find no technical support within the country, i.e. from independent specialists, consultants or advisory bodies, to advise and assist them.

A clear definition of their authority by the highest management level and by national legislation is vital, and will assist the I&C specialists in obtaining the required information and acceptance by the owner/utility.

This definition of their authority will result in the owner/utility being required to involve the nuclear regulatory personnel at the appropriate times and also explain and clarify to them the reasons for the various decisions and courses of action taken by the owner/utility. This will enable a learning process and a growing in maturity of the I&C safety personnel.

The exercise of authority vested in the regulatory body may bring about compliance and obedience from the owner/utility but will not solve the problem of gaining respect by virtue of superior technical expertise.

It is therefore recommended that the image of the I&C specialists of the regulatory authority (and even of the Safety Division of the plant) as ‘inspectors’ and ‘enforcers’ be tempered with the role of disseminators of information and as sources of advice.

Starting from the project preparation phase, the I&C personnel of the Regulatory Authority could also perform the following work which would enhance their knowledge and also assist the owner/utility:

- preparation of explanatory notes with specific examples of how the codes, standards and design criteria are to be applied to the evaluation of the I&C of the plant systems;

- carrying out analysis and design review studies of the operating power plant;

- developing simplified models and computer programs to analyse and illustrate the dynamics of overall plant control and the major control systems;

- collating, analysing and disseminating information pertaining to experience in the design and operation of nuclear power plants.


The various organizational and work considerations of nuclear licensing and regulation are discussed below:

Advisory services and consultants

The advisory services of an independent agency such as the IAEA can prove invaluable in establishing the programme of the regulatory body and in complementing the regulatory authority personnel by specialists in various disciplines.

Adoption of proven standards and codes

A basis for the safety assessment and licensing of I&C systems must be established in the form of a set of safety criteria, guides and rules.

In a country embarking on a nuclear power programme usually the base of related engineering standards is narrow and nuclear standards are lacking completely. It is usual therefore to adopt another country’s regulatory framework, in most cases that of the main supplier. This tends to save costs because the supplier can use standards familiar to him.

A global adoption, however, can create problems: differences in the state of development of the exporting and the importing country have to be taken into account. Local conditions and characteristics have to be given proper consideration in order to avoid misuse or misunderstanding of adopted standards or codes. Differences in application can arise from varying interpretation of how certain criteria may be satisfied.

In other cases requirements may not be applicable at all (e.g. historical seismic data).

Applying a given set of rules also requires a certain amount of supporting software, such as computer programs, data banks, etc., to enable verification of vendor calculations and data.

Development of national codes and standards

A country initiating a nuclear power programme may not have the experience to develop and codify a complete set of nuclear codes and guides of its own. In fact, even countries having extensive experience in safety practices have not documented in all cases their experience in a form suitable for general use.

To provide a frame of reference for the government, the regulatory body and other relevant organizations of Member States, the IAEA has been preparing a set of Codes of Practice and Safety Guides. These codes and guides are based on current practices and recommendations.

They establish general recommendations and minimum requirements. They do not contain, however, specific standards for design or maintenance of equipment. If a country wishes to use them as part of its own national regulations, this can be achieved by transferring them fully or partly into national codes or guides.

Another way of adjusting regulations to the specific needs of a country is to modify existing codes or their range of application.

Difficulties encountered in combining different codes and standards

Care must be taken in simultaneously using existing codes and standards of different origin as a basis for review work. Using various guides and combining them to form an ‘envelope’ does not necessarily make an optimum safety frame of reference.

Avoiding licensing delays

The following may lead to delays in licensing:

(a) A licensing aspect is not considered from the beginning of the licensing process, e.g.

- fire protection
- building construction (separation, plant layout)
- air crash
- meteorological aspects
- earthquake
- flood
- new industry (explosion danger, air pollution with aggressive effluents)
- man-induced accidents

(b) The regulatory body obtains knowledge of aspects relevant to safety too late and therefore some quality postulations and need for certificates may arise after a certain component has already been manufactured

(c) The material given to the licensing staff needs too much investigation before licensing

(d) The communication possibilities between licensing staff, safety assessors, vendor’s and operator’s personnel are too inefficient (distance, no permission for direct communication, no readiness for direct conferences, language problems)

(e) Too many of those examinations, tests and investigations which are possible during the construction phase are postponed until later.

Another significant reason for prolongation of the project is re-interpretation of regulatory criteria, after the project has started, such as those relating to seismic protection, fire protection, missile protection, plant security, etc.


Changes and additions, especially during the later stages of construction, add greatly to costs and to construction time. Such changes may have a much more significant side-effect on I&C than is apparent at first. Fire barriers, seismic reinforcements, additional equipment redundancies required, etc., affect not only the systems in question but also power supplies, instrumentation, ventilation, cable raceways, additional penetrations of barriers, etc.

Careful, timely consideration of the above points can prevent expensive delays arising from the licensing process.

3. TECHNOLOGY TRANSFER AND NATIONAL PARTICIPATION

Instrumentation and Control is one area of the nuclear power plant where national participation can produce substantial benefits not only for the power plant but for the country as a whole. Instrumentation and Control of a current nuclear power plant is heavily biased towards electronics (very few pneumatic controls are used, other than for the final control elements, i.e. control valves, etc.) and electronics is a very fast-changing technology with a built-in obsolescence factor that is a cause of grave concern for a developing country installing its first nuclear power plant. It expects its instrumentation to last for the lifetime of a plant.

Simplifying somewhat, one may define I&C obsolescence in this context as lack of the support necessary to keep I&C equipment and systems operational. If an instrument recorder cannot be repaired because parts of it are no longer available or/and the manufacturer is not making this type of recorder any more or has gone out of business, this installed recorder (though it may still be functional) has to be considered obsolete because support for it is unavailable. The factors behind this lack of support, i.e. technological improvements that may have allowed bigger, better and cheaper recorders to be made, can be regarded as irrelevant for the owner of the recorder who has already paid for his recorder and is happy with its capability if only he can keep it running.

Thus, if the I&C technological and industrial infrastructure can be geared towards support for the I&C of the plant, i.e. parts, services, components and functional substitution design capability are available within the country, the problem of obsolescence may not arise, a problem which may otherwise result in costly imported replacement equipment plus plant down-time.

The following text and the data in Table I are reproduced from the IAEA Guidebook “Manpower Development for Nuclear Power” (page 216 ff.).

“Items such as instrumentation have high technical difficulties combined with relatively low cost. These, however, involve a high technological content and might have important spin-off effects on the overall industrial development of the country. Therefore special efforts for national participation might be justified.”


TABLE I. NUCLEAR POWER PLANT EQUIPMENT AND COMPONENTS: CONTROL AND INSTRUMENTATION

| Component | Technical difficulty^a | Relative cost^a |
|---|---|---|
| Control room instrumentation | 3 | 3 |
| In-core instrumentation | 4 | 2 |
| On-line computer | 3-4 | 2 |
| Radiation monitoring equipment | 2 | 2 |
| Other instrumentation | 1-2 | 1-2 |

^a Index number: 1 = low; 2 = medium; 3 = high; 4 = very high.

It is recommended that efforts be made for national participation in manufacture of on-line computer systems and development of their application software, in radiation monitoring equipment, control room instrumentation and process instrumentation. This may well require licensing agreements with foreign suppliers.

In order to increase participation of the private sector in these activities, the following incentives may prove to be helpful:

(a) R&D grants for product development,

(b) Assured orders subject to the equipment qualifying for NPP service,

(c) Exemptions from import duties (for components imported to manufacture I&C equipment) and tax holidays on goods and services sold to nuclear power plants,

(d) Assistance by the nuclear research centre(s) in the initial design and development.

Apart from equipment manufacture, I&C system engineering is another area that can provide a major national input. Engineering of a nuclear power plant of a proven concept (i.e. not first of a kind) involves up to three million man-hours, accounting for a total of 10% of the total plant costs. The I&C design (project engineering) efforts, including overall plant control and I&C systems-related safety analysis, etc., can be approximately of the order of 15%, i.e. a total of 450000 man-hours and approximately 1.5% of the total plant cost. To carry out I&C project engineering would require 40-45 experienced engineers.

A country embarking on its first nuclear power plant may not have the necessary experienced personnel to act as the architect-engineer (A-E) for its plant. This does not however mean that a turnkey contract is the only answer. Establishment of a national A-E firm with which any selected foreign A-E or consulting firm would be obliged to work could be recommended


FIG. 1. Establishing the base. [Diagram; the text of its boxes follows.]

EDUCATIONAL

- Manpower development programme
- In-house nuclear training centre
- Training of I&C engineers and technicians
- Establish I&C labs and special 'rigs' at centre for I&C practical training
- Full-scope nuclear power plant training simulator: specification, conceptual and detailed design, construction, commissioning and 'fine-tuning' to the as-built plant
- Spare computer system

D&O simulator for

- Performance
- Concept evaluation
- Man/machine interface
- Develop operator assistance techniques
- Control systems training
- Safety studies

INDUSTRIAL

- Local industrial survey
- Develop purchase standards for local procurement of ancillary I&C hardware such as panels, wire and cables, terminal strips, connectors, lamps, relays, etc.
- Computer systems integration from OEM hardware, software engineering
- Possibility of local fabrication or assembly of process instrumentation, e.g. transmitters, sensors, recorders, controllers, indicators, etc., under licence from one of the recognized process instrumentation manufacturers
- As above, for portable and fixed radiation monitoring instrumentation
- Full-scope nuclear power plant training simulator fabrication
- Engineering service industries


FIG. 2. The established base: a national scenario at the end of the construction phase. [Diagram with three columns, MANPOWER, FACILITIES and ORGANIZATIONS; the text of its boxes follows.]

MANPOWER: PROFESSIONALS

I&C professionals with post-graduate specialized academic training, plus majority with 3 years training at vendor's design offices, now working in

- Safety regulatory activities
- In-house training
- Project management organizations
- Plant maintenance organization
  - seconded to vendor for commissioning
  - manning I&C maintenance
  - drafting, documentation and maintenance of history sheets
- Project engineering design group, also seconded to vendor for commissioning
- Simulator construction and commissioning
- Computer & Controls development group at site with liaison to nuclear research centre and to the industry, developing and testing software on spare computer system

I&C Technical Committee 'operational'

MANPOWER: TECHNICIANS, CRAFTSMEN

I&C technicians trained at the training centre working on

- Construction, equipment installation and precommissioning checks
- Instrument repair and calibration in the instrument shop

Draftsmen maintaining and updating plant I&C documentation

I&C craftsmen trained at site, working on construction and equipment installation

FACILITIES

- I&C labs and class-room training operational at the Training Centre
- Vendor-assisted training for craftsmen, technicians and engineers at plant site
- Computer and Control systems development centre with spare computer system operational
- I&C Shop and Maintenance section operational
- Private or public-sector organizations for computer systems integration (from OEM hardware) established and operational
- Nuclear power plants training simulator operational for operator training and for checkout of commissioning procedures, etc.
- Nuclear research centre providing analytical support for the safety authority and for the project-design engineering group and coordinating any D&D work for the local industry

ORGANIZATIONS

- Safety Regulatory Authority (reviews, inspections)
- In-house Training Centre
- Project Management
- Project Design Engineering Group
- Research Centre
- Plant operating and maintenance organization


FIG. 3. I&C manpower and development. [Chart not reproduced. Time axis in years, starting at year -13, with milestones: decision to embark on nuclear power, Govt approval to embark on nuclear power, letter of intent, contract award, start of construction, start of commissioning, commercial operation; the pre-project phase and the project preparation phase are marked. Quantities plotted: fresh engineering graduates sent for academic studies and practical training abroad; recruitment of key I&C personnel (I&C manager, 3 lead engineers); engineers recruited and trained abroad; engineers retained (assuming 1/3rd attrition) and available at year -6; engineering manpower build-up; build-up of engineers trained locally at in-house training centre, numbers x1, x2 ... depending on extent of desired national participation and requirements for future plants; technicians recruited; technicians retained (assuming 1/3rd attrition); training of technicians at in-house training centre.]


as one viable solution. The establishment of project-engineering services within the country will not only reduce the foreign exchange component, but its establishment is a prerequisite for self-reliance in bid specification, preparation, evaluation, plant construction, commissioning, operation and maintenance support and for local manufacture.

It may be noted that to make this venture a success, an equal number (i.e. the 40-45 engineers mentioned for a nuclear power programme without significant national participation) of additional I&C engineers would be required, as well as about 35—40 draftsmen, as proper transfer of technology needs recipients for the technology.

National participation can be defined, in a narrow sense, as the efforts of a country towards self-reliance, and for a transfer of technology in order to provide assured support for the safe, efficient operation and maintenance of its nuclear power plant over its lifetime. A broader definition could be the development of an educational, technological and industrial infrastructure so as to maximize the local content in the supply of goods and services, and in the performance of activities in the various phases of the nuclear power programme.

Infrastructures will be needed in the educational, technological and industrial sectors. The extent to which they will be developed depends on the policy established for the country’s national involvement.

Figure 1 shows the infrastructure necessary to establish the base for a competent national participation and Figs 2 and 3 show how the established base will have to evolve through a span of six to seven years into a well-functioning, programme-supporting organization which will be able to act with independent and qualified capability. To be effective, the national assets as described in Fig. 2 should be operative by the end of the plant construction phase in order efficiently to cater for the operational problems and maintenance requirements of the NPP.

The educational or manpower development activities shown in Fig. 2 can be considered as prerequisites for the technological and industrial infrastructure building activities and are considered essential if a country decides not to avail itself of the option of an entrepreneur built-and-operated plant (Section 6).

The various infrastructure building activities are examined in the context of I&C and some considerations are listed below:

(1) In the area of manpower development, know-how is best built up by ‘doing’ rather than a pure training attachment to consultants or suppliers, classified under the general head of ‘on-the-job training’ without any specific job responsibilities.

(2) Consultants may be engaged by the owner for assistance in preparation of bid specifications, evaluation of bids, safety assessment and formulation of a detailed manpower development programme. Sometimes, the consultant organization operates separately from the owner/utility engineers, interacting only at the project manager level of the utility. This is not conducive to the owner’s engineers gaining any substantial experience. A far more preferable method would be for the individual engineers of the consultant or architect-engineer (A-E) to work with the owner’s project engineers (and not the project manager), thereby building up the working level of the owner’s manpower through taking responsibility for the recommendations of the consultant or A-E. Each owner’s engineer in a certain area or discipline should have control over the number of hours spent (and therefore payment to be made) by his counterpart engineer(s) in the A-E or consultant organization.

(3) Consultants and architect-engineers participating in the nuclear power project should be encouraged to set up fully fledged design offices in the owner’s country. Where local engineering firms are available or have been specially established, the expatriate firms could be required to work with these local firms.

(4) During the construction and commissioning phases as many as possible of the owner’s I&C personnel should be involved in the work activities. In the contract, a limit could be placed on the number of expatriate supervisory personnel during (say) commissioning. The remaining personnel required would be provided by the owner and seconded to the main supplier/contractor. This puts the onus on both the owner and supplier to take positive steps in this process of transfer of technology, the owner to make sure that he has recruited and trained the requisite number of personnel to place at the disposal of the main contractor, and the main contractor will of necessity ensure that they are utilized productively. The above participation of the owner’s personnel in the work of construction and commissioning has another very important aspect. Knowledge of the physical layout and familiarity with devices, cabling and some special installations, etc., is practically impossible to acquire later on, and this knowledge is invaluable during plant operation. This also applies to participation in planning and carrying out various commissioning and acceptance tests, e.g. plant heat-rate tests, building containment tests, plant base-line measurements, to name a few examples where first-hand knowledge will prove extremely useful. It should be noted that most of this knowledge gained during construction and commissioning may never be fully documented and will reside in the mind of the owner’s personnel. They will be a more valuable commodity than hardware, and efforts have to be made to retain them so that they may transfer their knowledge subsequently to their colleagues through lectures and documentation.

(5) I&C maintenance activity starts from the time I&C hardware arrives on-site. Inspection of the equipment on arrival, its calibration or repair prior to installation, and subsequent calibration and repair continues through to the commissioning phase. The owner should undertake the sole responsibility for I&C maintenance by its personnel right from the very beginning. This single step alone will go a long way to ensure a smooth transfer from contractor to owner.

(6) One of the first steps should be the preparation of a concrete plan for national participation. Terms such as “ensuring self-reliance through maximum national participation” and “vigorous efforts shall be made for a transfer of technology” may be fine as slogans but accomplish little to achieve the objective. This detailed plan should be discussed both with the local industry as well as the main contractors and suppliers, and an item-by-item, device-by-device list prepared with its resource requirement for implementation in terms of manpower and funds. An agreed and perhaps revised plan may emerge, and governmental funding as well as incentives to local industry for this be made available. Since the infrastructure building activities start long before the signing of the contract, funds must be committed and made available for this plan, now evolved for national participation. Without the strong commitment of the government, the owner/utility and of private enterprise, this plan may fall apart no matter how willing the donor organizations; and half-hearted attempts may harm the cause of nuclear power.

(7) While preparing the bid specifications, and during pre-contract discussion with the suppliers, the extent of design engineering and manufacturing know-how required under the plan for transfer of technology should be finalized and included in the contract. Licensing agreements may have to be negotiated not only with the main suppliers but also with the process instrumentation and computer manufacturers. As mentioned earlier, the major emphasis should be in the acquisition of the I&C systems design engineering know-how, especially in the areas where the impact of rapidly changing technology may cause obsolescence. Thus to achieve any degree of self-reliance, the ability of the owner’s I&C engineers to act as architect-engineer can be considered a first priority and funds may have to be set aside for the acquisition of this know-how. The existence of a matching recipient organization is nonetheless imperative, as there have been instances where information acquired, e.g. design documents, drawings, computer codes and analysis, has just lain gathering dust for want of proper utilization because of the lack of a planned programme or a matching recipient.

4. MANPOWER DEVELOPMENT

The success of nuclear power in a country depends on its trained manpower. In the initial years of nuclear power, this meant availability of manpower, with the owner/utility trained to carry out operation and maintenance. With growing experience, as the nuclear industry matured, it was found that, in addition to operation and maintenance, there were other activities for which full responsibility had to be borne by the national organization, and which had to be primarily executed by national manpower, whatever the contracting arrangement (turnkey or equipment-only, etc.). These were considered ‘essential’ activities for national participation. (See the IAEA Guidebook on Manpower Development for Nuclear Power, TRS 200, pp. 197—214.)

All of these ‘essential’ activities, some of which start very early in the project, require a certain minimum of trained manpower without which it may be inadvisable to embark on a nuclear power project.

Most countries embarking on a nuclear power programme want to maximize national participation and transfer of technology so as to achieve eventually self-reliance in their programme. This could be one of the major objectives, along with power generation, for a country.

Manpower requirements will, therefore, further increase, since a transfer of technology needs recipients and not just donors.

As mentioned in Section 3, four to five senior I&C staff must be available who will form the nucleus around which the I&C personnel will be gradually built up.

The lead time of six to seven years from contract award to commercial operation is adequate to develop I&C groups capable of operating, maintaining and providing support design and development services to the nuclear power plant, provided manpower development is initiated from this planning phase.

A total of 100—120 I&C professionals and about twice this number of draftsmen and technicians needs to be recruited and trained during and up to commercial operation. The phase of I&C equipment installation and commissioning provides absolutely invaluable training opportunities and as many persons as possible should be trained during this phase, since they will not only provide support for this power plant but will also enable much greater participation in the project engineering and commissioning of the next plant(s).

The numbers suggested may seem very large for just one discipline but it must be borne in mind that:

(1) The attrition rate may be much higher than expected;

(2) I&C staff will be required in many organizations — in the regulatory authority, in the project team, the design team, the operating team, for the simulator training centre, etc. There should be an adequate number of I&C staff to man these organizations; and

(3) If the number trained does happen to become larger than required for the project, their services could be utilized in other national projects, whereby they still remain a national asset.

Prior to the start of I&C equipment installation, i.e. at the start of the construction phase, training opportunities within the country in the rather high-technology area of Instrumentation and Control may be limited, or non-existent for specific training in I&C of nuclear power plant equipment and systems.

TABLE II. SUGGESTED I&C MANPOWER ORGANIZATION DURING PLANNING AND PRE-PROJECT PHASE

| Area | Number of staff required by consultant/architect-engineer | Number of staff required by owner |
|---|---|---|
| 1. Key I&C personnel to be recruited initially: Manager (planning and project management); Lead Engineer (manpower development); Lead Engineer (national participation, technology transfer, project design engineering, QA/QC); Lead Engineer (regulatory activities) | - | 4 |
| 2. Systems analysis: power systems planning, energy modelling, feasibility studies | 1 | 2 |
| TOTAL | 1 | 6 |

Of the 100-120 I&C professionals suggested above, approximately half the number should be recruited and trained prior to the start of construction.

Thus, during the planning and pre-project phase a start should be made in sending professionals, i.e. young engineering graduates who will later on participate in I&C activities, for specialized studies at educational institutions abroad (if such facilities are not available within the country) in the various sub-disciplines of I&C, such as control engineering, process instrumentation, digital and pulse electronics, computer hardware and software, etc., followed by a one-year on-the-job attachment at nuclear power plants abroad or, if this is not possible, at some modern conventional power plant where the automation level may be comparable.


TABLE III. SUGGESTED I&C MANPOWER ORGANIZATION DURING PROJECT PREPARATION PHASE

| Area | Number of staff required by consultant/architect-engineer | Number of staff required by owner |
|---|---|---|
| 1. Key personnel: I&C Manager (planning and project management); Lead Engineer (manpower development); Lead Engineer(s) (national participation and technology transfer, project design engineering, local fabrication and systems engineering); Lead Engineer (regulatory activities); Lead Engineer (plant simulator) | | 6 |
| 2. Systems analysis | 1 | 2 |
| 3. Manpower training | 1 | 2 |
| 4. Safety regulatory activities: reliability analyses and reviews; performance analysis and reviews; standards adoption and adaptation | 2 | 4 |
| 5. National participation: project design engineering QA/QC; procurement specifications; local fabrication and local systems engineering. The numbers will depend on the range and extent of national participation in design and manufacture. | - | - |
| 6. Preparation of I&C bid specifications and evaluation | 1 | 6 |
| 7. Plant simulator: preparation of specifications; design data collection; control room list of instruments to be simulated, input-output list; specification of simulation computer | 1 | 2 |
| TOTAL | 6 | 22 |


TABLE IV. SUGGESTED NATIONAL I&C MANPOWER ORGANIZATION DURING DESIGN PHASE^a

| Area | Number of staff required by owner’s engineers |
|---|---|
| 1. Control system design and performance analysis | 3 |
| 2. Process instrumentation: nuclear safety support system, turbine generator, balance of plant | 5 |
| 3. Plant computers | 5 |
| 4. Safety systems | 4 |
| 5. Developmental systems and monitoring systems for on-line surveillance and non-destructive testing | 3 |
| TOTAL | 20 |

^a The numbers suggested are not those that would be required for a strong national participation with responsibility for project design engineering, but the optimum for an active participation in design at the vendor’s design offices and for subsequent long-term support of the plant.

Figure 3 also shows a time schedule for the training of the first batch of 50—60 professionals who will serve during the construction of the plant.

This process of post-graduate academic plus practical training may last three years, and it is recommended that at least 50—60 professionals should be sent for training in the various I&C sub-disciplines, in a phased programme of (say) ten persons each year. This practice should continue until year -9, so that there is an influx of professionals with specialized academic training joining the project. The last batch going in year -9 would be back in year -6, i.e. the time suggested in Fig. 3 for the start of construction and now, with the plant under construction, the site or the vendor’s design offices would provide the necessary work and training opportunity.

Assuming an attrition rate of one in three (experience tends to indicate that losses may even be higher), about 40 I&C professionals with 3—6 years’ post-B.Sc. experience would be available (see Fig.3) at the start of construction.

Tables I—VI show the recommended minimum I&C manpower required during the various project phases.


TABLE V. SUGGESTED I&C MANPOWER ORGANIZATION DURING CONSTRUCTION PHASE

Staff to be provided by owner:

| Area | Engineers | Supervisors/Foremen | Technicians |
|---|---|---|---|
| 1. Electrical | | | |
| cabling and wiring installation and check-out | 1 | 1 | 2 |
| equipment installation and check-out | 2 | 2 | 6 |
| 2. Instrumentation | | | |
| tubing and device installation and check-out | 2 | 1 | 10 |
| control wiring, device installation and check-out | 2 | 2 | 10 |
| shop calibration and repairs | 2 | 1 | 10 |
| nuclear electronics devices, installation and check-out | 2 | 1 | 4 |
| 3. Computers: hardware, software development | 5 | 2 | 4 |
| 4. Regulatory Authority QA/QC | 8 | - | |
| TOTAL | 24 | 10 | 46 |

When we talk of manpower it is important to note that we are not just dealing in numbers (as in the Tables mentioned above) but we must look beyond the numbers and consider the importance of

— experienced and motivated personnel
— clearly defined job responsibilities and duties
— guarding against stagnation during slack periods
— opportunities for career development.

It is also important for management to note that, whereas in some of the other disciplines involved in a nuclear power project such as mechanical engineering, civil engineering, electrical engineering, etc., there may be enough


TABLE VI. SUGGESTED I&C MANPOWER ORGANIZATION DURING COMMISSIONING (a)

| Area | Main supplier/contractor: Engr. | Main supplier/contractor: Supervisor | Owner: Engr. | Owner: Supervisor | Owner: Technician |
|---|---|---|---|---|---|
| 1. Electrical system commissioning | 1 | | 3 | 3 | 8 |
| 2. Control and instrumentation | 1 | | | | |
| Electrical and Control Maintenance Manager | | | 1 | | |
| Instrument shop | | | 2 | 2 | 6 |
| Commissioning of process instrumentation | | | 2 | 2 | 4 |
| Commissioning of nuclear instrumentation | | | 2 | 1 | 2 |
| Commissioning of control loops | | | 2 | 2 | 4 |
| Commissioning of monitoring, surveillance and communication systems | | | 1 | 1 | 4 |
| Commissioning of protection and safety activation systems | | | 2 | 1 | 4 |
| Commissioning of reactivity devices and reactor control systems and checking overall plant performance | | | 2 | 2 | 4 |
| 3. Commissioning of computer systems | | | 5 | 2 | 4 |
| 4. Regulatory Authority | | | 8 | - | |
| TOTAL | 2 | | 30 | 16 | 40 |

(a) The numbers indicated represent those who will be participating full-time during the whole commissioning phase. They do not include designers of systems, representatives of the I&C equipment vendors, etc., who may be present for short durations or for special tests. Nor do they include personnel attached for training purposes.


TABLE VII. SUGGESTED (NATIONAL) I&C MANPOWER ORGANIZATION (a) DURING COMMERCIAL OPERATION

Number of staff required:

| Area | Engineers | Supervisors/Foremen | Technicians | Craftsmen |
|---|---|---|---|---|
| 1. Plant staff: electronic and computer (E&C) maintenance department | | | | |
| Electrical and control Maintenance Manager | 1 | - | - | |
| Electrical maintenance (protection and control; switchgear and motors) | 2 | 2 | 8 | 3 |
| Instrument maintenance (first-line maintenance; shop repair and maintenance) | 2 | 1 | 6 | 2 |
| Nuclear instrumentation and NDT support | 2 | 1 | 4 | - |
| Computer systems | 3 | 1 | 4 | - |
| Materials management | - | 1 | - | - |
| Shift maintenance | | 5 | 10 | |
| Subtotal | 10 | 11 | 32 | 5 |
| 2. Training Centre: training in equipment and system principles and skills | | | | |
| Instrumentation; nuclear electronics; electrical; computers | 4 | 4 | 4 | |
| Subtotal | 4 | 4 | 4 | |
| 3. Regulatory Authority | | | | |
| Safety systems evaluation | 4 | - | | |
| I&C systems review | 4 | - | | |
| Subtotal | 8 | | | |
| 4. Technical support (b) | | | | |
| Reactor and overall plant control | 2 | | | |
| Electrical systems | 1 | 1 | 4 | |
| Process instrumentation | 2 | | | |
| Nuclear instrumentation | 1 | | | |
| Computer system | 2 | | | |
| Safety systems and plant performance | 2 | | | |
| Subtotal | 10 | 1 | 4 | |
| TOTAL (c) | 32 | 16 | 40 | 5 |

(a) The numbers suggested do not include trainee engineers and technicians.

(b) This group will carry out performance reviews of the I&C equipment and systems and their impact on the availability of the plant, initiate design changes, carry out the engineering of design improvements and provide support to the plant maintenance staff in the implementation of these modifications. The group will also carry out design studies to evaluate the impact of major conceptual changes in the plant operation and if necessary carry out development work to implement such changes. The group will also be responsible for initiating and developing programmes and systems to ensure that the plant integrity is maintained. This includes development of a programme for periodic inspection of nuclear power plant components, techniques for carrying out such inspection and carrying out design analyses such as failure mode and effect analysis to detect and rectify possible design deficiencies.

In the case of a developing country embarking on its first power plant, this group will form a part of the plant operating organization. As more plants are constructed, this group could form a nucleus of Central Engineering Services (CES) of the utility. In that case, the technical support at the plant could consist of two engineers to collect plant data, and engineer minor design changes and to serve as a liaison to the CES.

(c) The I&C manpower requirement in other organizations concerned with design and manufacture, such as the nuclear research centre or project engineering organization, cannot be precisely defined as it will be dependent upon a nation’s choice as to the range and extent of national participation in fabrication and design engineering, and the plans for immediate construction of more nuclear power plants. A vendor country with a modest programme may have between 150-300 I&C professionals working on R&D and project engineering.

Table VIII shows the I&C manpower requirement for the nuclear power plant training simulator.


FIG. 4. Simulator schedule. [Figure not reproduced: a timeline by year setting the NPPTS activities (planning, preparation of bid specs, contract award, system design phase, implementation phase with construction and software development, testing phase, NPPTS operational) against the NPP milestones (contract award, design, manufacturing, commissioning, commercial operation).]

expertise and experienced manpower available, this may not be the case for I&C involving high technologies (micro-electronics and computers) that may not be present in a country with a relatively weak industrial and technological infrastructure. There may also be a strong competition and demand for I&C specialists, leading to problems not only with recruitment but also in keeping (or, holding onto) the I&C specialists.

Very few universities and educational institutions may be teaching I&C subjects. Thus, most of the I&C personnel — both engineers and technicians — may have to be hired straight from universities and polytechnical institutes and trained, initially at academic institutes abroad, and subsequently at the in-house nuclear training centre established by the owner/utility (see Section 4.3).

Thus the number of I&C engineers and technicians to be trained as recommended in Tables I—VI may appear much larger than one might expect.

TABLE VIII. SUGGESTED (NATIONAL) MANPOWER ORGANIZATION (a) FOR A SIMULATOR PROJECT

Number of staff required:

| Area | Engineers | Supervisors/Foremen | Technicians | Craftsmen |
|---|---|---|---|---|
| Owner/utility also acting as A-E, with a simulator manufacturer or NPP main supplier acting as consultant | | | | |
| 1. Project | | - | - | |
| Project manager | 1 | | | |
| Project engineers | 3 | | | |
| 2. System design | | | | |
| system manager | 1 | | | |
| nuclear physicist | 3 | | | |
| electrical systems modelling | 2 | | | |
| protection systems modelling | 2 | | | |
| process systems modelling (mechanical, electrical, I&C) | 5 | | | |
| control systems modelling | 2 | | | |
| computer systems modelling | 2 | | | |
| 3. Hardware engineering | | 2 | 10 | 2 |
| systems manager | 1 | | | |
| computer engineers | 2 | | | |
| system software engineers | 2 | | | |
| 4. Maintenance | | 1 | 4 | - |
| hardware | 2 | | | |
| software | 2 | | | |
| Local fabricators/subcontractors of control room complex | Not specified | | | |
| TOTAL | 30 | 3 | 14 | 2 |

(a) Does not include training instructor requirement.

A simulator project group from within the I&C professionals should be formed approximately a year before contract award (Fig. 4). Initially manned with three to four I&C personnel, the group can expand to about 15 I&C professionals and professionals from other disciplines (nuclear, process systems, electrical, etc.) and gradually build up to the manning level indicated in Table VII. This number does not include the training instructors who are essential for the successful utilization of the nuclear power plant training system (NPPTS). The initial activities of the group would be:

— Pre-tender discussions with simulator vendors and visits to the various simulator installations.

— Preparation of specification of the NPPTS, also clearly giving the requirement for national participation. The vendor should also be asked to give the requirement of design data to be obtained from the nuclear power plant suppliers.

— Preparation of conceptual design specifications of the simulator and discussions with national manufacturers for their scope of supply.

A simulator is an important component of the nuclear power programme. Section 5 of this guidebook contains more specific information on this subject.

4.1. Initial training for professionals (academic plus practical)

A sound educational base in the I&C sub-disciplines (control engineering, process instrumentation, digital electronics, digital computer technology, computer science and engineering) with a strong emphasis on the applied or practical approach, is an essential prerequisite for an I&C manpower development programme, especially for professionals.

In order to have the requisite number of I&C professionals at the start of project preparation phase (year -10.5) and at the start of construction (year -6), it is suggested that 50-60 young engineering graduates be sent abroad for a three-year programme of specialized studies in the I&C sub-disciplines, followed by practical attachment in nuclear power plants. This programme needs to be started early in the planning phase, with perhaps ten persons being sent each year, so that by the start of construction, this training programme is complete and I&C engineers are available to participate in the design, construction and project management of their own plant.

4.2. Technician training

The next phase in manpower development would be recruitment and training of I&C technicians which would be conducted by I&C key personnel and engineers having recently undergone specialized academic and practical training.

Coinciding with the start of the project preparation phase (year -10.5), a programme of recruitment and training of technicians would be initiated. This will become a continuing activity for the nuclear power programme and the establishment of in-house training facilities, i.e. a nuclear training centre, is recommended. Though called a nuclear training centre, most of the training may well be devoted to development of basic I&C skills. The technician training programme may start with the recruitment of 15 I&C technicians and draftsmen every year.

For I&C activities, it is anticipated that a minimum of 50 foremen (supervisors) and technicians would be required. In addition, 10—15 I&C draftsmen would be necessary. This number may increase to 50 draftsmen, if the country plans to participate to any extent in design engineering and fabrication. It may be noted that training requirements do not cease when the above number is reached. Retraining or training in specialized skills, and above all training the fresh inflow of personnel to compensate for what may be large outflows (attrition) must be catered for, thus making training a continuing process.

As far as the training of I&C technicians is concerned, each country may have to take a decision on the extent of training to be imparted at the nuclear training centre, i.e.

(a) Either recruit electronic/radio/electrical technicians with a three-year post-secondary school diploma from a polytechnic, impart to them the specialized and practical I&C skills, knowledge of I&C equipment, system fundamental training and some nuclear orientation. Such training could last one year; or

(b) Recruit secondary school graduates who have had no electrical/electronic academic and skills training; give them first a basic electronic/electrical course and then the education mentioned in (a) above. Such a course could last three to four years.

Option (b) will greatly increase the burden on the nuclear training centre. If technician training schools (polytechnics) exist in the country, it may be preferable to start with polytechnic graduates and just make up for the curricula deficiencies and provide specialized skills and nuclear orientation.

The decision, which will be taken by each country in the light of prevailing conditions and requirements, will however affect the complexion of the training centre. For the discussions in the next paragraph, on nuclear training centres, option (a) is assumed.

4.3. In-house training facilities: the establishment of a nuclear training centre

When a firm decision has been taken to embark on a nuclear power project, i.e. at the start of the project preparation phase, a well-planned and intensive programme of in-house training should be initiated for the training of both engineers and technicians in I&C fundamentals, nuclear power plant equipment and system principles, specific plant systems and I&C skills.


The training activity must not be considered as a subsidiary activity, and the key person responsible for I&C planning and implementation must consider this as one of his major tasks along with project management and design engineering, etc. This is important, as I&C personnel engaged in project activities may have to devote some of their time to teaching activities and fears of delaying plant start-up have to be countered with arguments for the absolute necessity of training.

Specialized I&C training may also be conducted at the various existing educational or research institutes of the country. But in order to provide nuclear training as well as training in I&C equipment, systems and skills, specially tailored to suit the requirements of a nuclear power programme, a nuclear training centre located at the site is invaluable. It forms the hub of the manpower development activities.

One of the three or four key I&C persons (see Section 2.1) would be assigned the full-time task of planning the I&C training programme and training facilities, assisted by two of the I&C engineers who had been sent for academic and practical training abroad.

Assistance from the IAEA in terms of advice and experts in planning and implementing this training programme would be invaluable. The Agency has acquired a depth of experience in the planning of training courses and can provide the necessary assistance in this area.

The nuclear training centre would have both classroom and laboratory facilities for I&C and other disciplines. One of the first tasks of the nuclear training centre should be to establish special training courses for technicians, and to see to their recruitment.

The various points related to the establishment of such a centre — in the context of I&C — are given below in their order of sequence and priority.

4.3.1. Specification of objectives

It must be decided, for example, whether to impart plant-specific training only or to provide a broader scope of training in I&C fundamentals as well as plant-specific training. These and other questions and the objectives and benefits hoped to be achieved by the training centre therefore should be clearly spelled out. The IAEA can provide invaluable assistance to the I&C planners in evaluating the national requirements determined by them, in drawing up a clear definition of the training needs and evolving a suitable manpower development programme.

Whereas the needs may vary from country to country, one common need is that of providing on-the-job training possibilities within the country so as to prepare the personnel for the performance of essential activities required for the nuclear power programme. The training centre must therefore be clearly capable of providing practical training on the typical I&C equipment of a nuclear power plant.

4.3.2. Training the trainers

Imparting training and planning a training programme is a science in itself. One of the key I&C personnel, it is recommended, should have a background of teaching practical, applied I&C subjects at, say, a polytechnic. A teaching background at a university may not be as suitable, being more academic in nature.

As the technician training programme progresses, a few of the technicians who possess aptitude for teaching may be sent for specialized training at one or more of the existing nuclear training centres under the auspices of the IAEA, and serve later as instructors.

4.3.3. The syllabus

The syllabus would need to cater for the training of both I&C technicians and engineers, with a different depth of understanding. The syllabus can therefore comprise some core courses and various modules. A training programme for technicians and engineers at varying levels of knowledge and experience could therefore be tailored from the various modules. The core course (a prerequisite for all I&C personnel) may comprise:

- radiation protection
- nuclear orientation
- I&C terminology, symbols familiarization with process instruments displays (PIDs), schematics and wiring diagrams, etc.
- I&C systems of the specific plant.

The I&C sub-specialization topics suggested are:

- nuclear electronics
- process instrumentation
- control systems
- computers.

Within each sub-specialization, the courses could be broken up as follows:

- I&C fundamentals: introductory, intermediate and advanced.
- I&C equipment and system principles: introductory, intermediate and advanced.
- I&C skills training: introductory, intermediate and advanced.

The introductory level could be for the initial training of technicians. The intermediate level would be the starting point for professionals and also be the next higher level for technicians, and lastly advanced courses in the various sub-disciplines would be for specific job and responsibility-oriented training.

A typical module on process instrumentation could be:

Fundamentals

— AC and DC amplifiers, power supplies
— measurement fundamentals: units, accuracy, tolerance repeatability

Equipment and system principles

— principles of measurement of flow, temperature, pressure, level, etc.
— transducers, RTDs, thermocouples, differential pressure (d/p) cells, orifices, nozzles
— calculation of pressure suppression, compensation for pressure and temperature
— controllers, retransmitters, square root extractors, pneumo-electric (P/E) and electro-pneumatic (E/P) converters
— recorders and indicators
— final control elements
— typical process instrumentation loops such as three-element boiler feedwater control

Skills

— use of tools and test equipment, e.g. digital voltmeters (DVMs), vacuum tube voltmeters (VTVMs), bridges, calibration test sets for calibration of d/p cells, etc.
— calibration of process instrumentation
— assembly, dismantling and repair
— procedures for removal from service and bringing into service of process instruments.

In many developing countries, professionals may have acquired few skills or little practical training. In such a case it would be very desirable for the engineers to take the introductory level skills training in addition to the intermediate and advanced levels. In the working environment of a nuclear power plant as opposed to, say, a design office, an engineer would command much more respect from his technicians and will be able to give better supervision if he were at least equally adept as they in handling tools and test equipment. Skills training is therefore very important for nuclear power plant engineers, especially early in their career (and indirectly may also help engineers involved in design or safety regulatory activities, since the preferred route to these organizations may be through the nuclear power plant).

4.3.4. Planning of laboratories for the training centre

The planning of laboratories and specification of hardware for the laboratories is the next logical step after the syllabus has been determined. The laboratories and the experiments will therefore form an extension of what is taught in the classroom, amplify the principles taught on the blackboard and provide the trainee with an exposure to the type of hardware he will have to deal with in the plant.

Unfortunately, the equipment for the laboratories is often purchased prior to planning the syllabus, either because detailing the syllabus and laboratory experiments is too cumbersome a job or perhaps because financing under some barter or loan agreement suddenly becomes available, and the hardware is purchased without adequate consideration of how it will be used. This is disastrous and should be avoided at all costs. Even donated equipment can prove to be very expensive in the long run if it does not fulfil the objectives.

Equipment acquisition should be gradual and tied in with the introduction of additional or more specialized courses. As an example, process instrumentation hardware for training, e.g. recorders, controllers, etc., should be purchased only when the plant contract is signed and the type of instrumentation used in the plant known.

This tendency towards premature purchase is not entirely a shortcoming of the I&C personnel, and may be due to the way funds are made available, e.g. with a “now or never” situation, i.e. funds are available only if included in the initial plan for the training centre with very little opportunity for subsequent purchases, or funds are made available at the last minute under a barter or loan agreement and the purchase specifications have to be prepared and delivered within a matter of days. At the management and planning level, this practice should be avoided.

4.4. Role of the IAEA

At this planning stage, where a detailed manpower development programme has to be formulated and its implementation started, a country embarking on a nuclear power programme may need considerable technical and financial assistance. Not much assistance can be obtained, however, from a supplier before a contract has been signed. Nevertheless, the IAEA could assist the country’s engineers in formulating and implementing the manpower development programme by providing experts for planning and teaching, fellowships for the trainers and technical assistance for equipment.


As mentioned earlier, training is a science in itself and the IAEA could assist in providing an insight into the latest and most efficient training techniques.

4.5. Some implementation problems

Training may be talked about a lot but its practice poses problems, especially when it comes to staffing training centres with the best professionals, and sparing specialists from other activities. An IAEA report² mentions that experience from utilities in industrial countries would indicate that a net benefit could be expected even when some 15% of the time of the production personnel was devoted to training and retraining functions. The benefits of training are therefore well-known. Successful implementation is thus mainly a question of the degree of management awareness and commitment to manpower development. The following suggestions may be helpful in attracting the best professionals for teaching:

(a) Just as some utilities require an operating licence as a prerequisite for higher posts, one or two semesters spent at the training centre teaching and preparing lessons may be made a prerequisite for promotion to the next higher grade.

(b) An enforced rotation of all personnel (professionals and foremen/supervisors) regardless of rank, in all organizations associated with the nuclear power programme through the training centre for teaching and preparing lessons for one semester, say, once in three years.

(c) Grant of special pay or qualification allowances to the instructors.

4.6. Design and Development (D&D) role of the training centres

Just as many universities actively engage in research and development side-by-side with teaching activities, nuclear training centres attached to nuclear power plants can play an important Design and Development role. Possible advantages of such an approach are:

(1) It can attract the best professionals, who would otherwise prefer more active roles in commissioning, operation or project engineering, to come and teach at the training centre. They could work on D&D projects at the centre to develop ideas and techniques for which they would otherwise not get the time when engaged in operation or maintenance.

(2) The trainees could, by participating in D&D projects, gain valuable practical experience.

(3) In the initial stages of nuclear power development, the training centre could be made the focal point for technology transfer, an activity which can be considered to complement manpower development.

(4) Once the plant has been operating for two to three years and has reached a stage of maturity, the operating personnel would like some more challenging jobs. The plant management would not like to lose this experienced staff. Working on plant-related D&D projects at the training centre (which would be located at the plant site) may satisfy both requirements and the staff would be immediately available to help in emergencies and for planned shutdowns.

² Technical Committee Meeting on Practical Training in Nuclear and Fuel Cycle Technology under the Auspices of IAEA, 31 March - 2 April 1981, Vienna.

Some I&C-related D&D projects are suggested as follows:

(1) A ‘spare’ computer system is generally considered as a requirement for the support of the on-line computer system (be it for monitoring or control). It can be used as a source of tested spares, for training, for trouble-shooting defective circuit-boards from the on-line computers, and for software development. This ‘spare’ computer system could be transformed into a hybrid computing facility with an analog computer interfaced to it, and used for control systems training, for real-time modelling and simulation of the various systems of the plant — the analysis and study of their dynamic behaviour. If desired, this could evolve into a D&D simulator for carrying out man/machine interface studies and other plant evaluation and safety studies. The computer used for the D&D simulator again may or may not be the ‘spare’ computer system, depending upon the approach evolved by a country. The common feature would be the objective, i.e. development of expertise and national know-how.

(2) Construction of special rigs with provision for demonstrating pressure, temperature and level control, etc. Such rigs could be used for testing and gaining experience on new developments in transducers and other process instrumentation devices.

4.7. Familiarization with plant equipment: utilization of plant spare modules for training

Once the contract for the plant has been signed, and procurement of material is under way, I&C skills could be imparted by utilizing the plant’s spare modules and equipment, such as transmitters, recorders, controllers, etc. The supplier may therefore be requested to supply the spare modules at site as soon as possible.

This approach of using spares for training has some drawbacks. They may be damaged during training and hence consideration should be given to this fact when specifying the spares requirements. If there is enough money available, some additional spare modules may be purchased just for the training function.

In the same way, test equipment and tools similar to the ones used in the instrument shop of the plant can be made available at an early stage, so that initial skills training in the use of tools and test equipment may commence.

4.8. Preparation of training manuals and lessons

The preparation of good lessons and training manuals is perhaps the single most important factor for the success of the manpower development programme.

Some suggestions in this regard are:

(1) The operating team (i.e. the group of people who would eventually be responsible for the operation and maintenance of the plant) could be assigned to write comprehensive training manuals on the plant equipment and systems. This could be made one of their prime responsibilities in the early phases of plant construction, when the activities at the site may be somewhat less important for the operating team and they may be undergoing training at the supplier’s design offices.

(2) I&C specialists in various organizations could be seconded for a sabbatical of one semester to the training centre to prepare lessons in their area of specialization.

(3) Special packaged training material on I&C equipment can be purchased from several sources (the Instrument Society of America (ISA) is one such source) and can serve as a starting point.

(4) The manufacturers of the I&C equipment for the plant may be asked to supply training lessons and manuals. Whilst some of this information may be gratis, the majority is in the form of priced documents. However, if these are requested at the time of purchase of the hardware, manufacturers usually provide them on a no-charge basis.

In conclusion, it will primarily be the responsibility of the permanent teaching staff of the training centre to prepare the training lessons. Preparing these lessons in the form of Programmed Instruction (PI) text may be relatively difficult but in the long run may reduce the teaching load.

4.9. Career planning: fighting stagnation and attrition

For a detailed treatment of this topic, reference may be made to Section 3.5, on Personnel Management, of the IAEA Guidebook on Manpower Development for Nuclear Power, TRS 200. A few additional comments are given below:


(1) There may be periods of inactivity or levelling off in the nuclear power programme of a country. Career development tends to suffer and stagnation may result. Apart from emoluments and perquisites offered to nuclear power plant personnel, the above may be an important factor in loss or attrition in numbers of experienced personnel.

(2) Innovative methods rather than the imposition of restrictive measures may prove to be more fruitful in combating attrition. Possible methods are to establish national training centres with D&D facilities, arranging sabbaticals or placements of personnel at plants under commissioning or at their design offices, etc.

(3) Developing experienced manpower for a nuclear power programme is expensive and time-consuming. Aggressive and positive management methods must also be devised to prevent attrition and stagnation, which tend to negate the efforts expended in manpower development.

5. NUCLEAR POWER PLANT TRAINING SIMULATOR PROJECT

Growing size, complexity and high availability (units have operated continuously for close to one year) make it uneconomical to use the nuclear power plant for the training of an operator. Full-scope nuclear power plant training simulators (NPPTSs) comprising exact replicas of the control room and simulating the dynamic behaviour of the plant with considerable exactitude³, are now standard tools for training and the regulatory authorities of several countries make simulator training a mandatory requirement for the licensing of operators. The authorities also count start-up on a simulator towards the ‘hot start-ups’ on the plant required by an operator for his licence. There is additionally one significant advantage of a NPPTS over the actual plant, for training purposes. The NPPTS can train the operator in the handling of abnormal or accident conditions which would be impossible to perform on the real plant. Other training advantages are given in detail in Section 12. The NPPTS can play a significant part with regard to the commissioning, writing and verification of operating manuals, and training of I&C technologists. A high degree of national participation in the design and manufacture of I&C equipment and systems of a first nuclear power plant may be very difficult to achieve. However, this need not be the case for the construction of a nuclear power plant simulator. The NPPTS project can (and should) be viewed as an excellent vehicle for transfer of I&C technology to a country building its first nuclear power plant. Simulators generally take 30-36 months to construct; their construction can start with the completion of the basic design engineering of the nuclear power plant, i.e. a year or so after contract award, and they are required generally two years before the plant goes into commercial operation. Assuming seven years from contract award to plant commercial operation, it is felt that there is adequate lead-time to allow for national participation in the simulator project and also fulfil the requirement of having the simulator two years before commercial operation commences.

3 See American National Standard ANSI/ANS-3.5/1981 “Nuclear Power Plant Simulators for Use in Operator Training”.

Full-scope nuclear power plant training simulators are now an accepted tool for training of operators. World-wide there are more than 40 full-scope NPPTSs in operation, or under construction. The reasons for their widespread use can be summed up as follows:

(1) The nuclear power plants currently being built, or under operation, are in the 600-1300 MW(e) range. Arranging start-ups (or reactivity manipulations) on these large plants for training of operators has to be kept to an absolute minimum, for economic reasons.

(2) Most plants run on base-load, and transients are few and far between. Little opportunity for training therefore exists, whereas the need for training increases in proportion to the relatively little experience that is gained by the operator, in normal plant operation, in handling transients and abnormal occurrences.

(3) NPPTSs are being constructed that faithfully simulate the plant and therefore allow realistic training to be imparted.

(4) It is not possible to subject the operating plant to abnormal occurrences to provide training of the operator in the handling of safety-related occurrences, which the operator must be capable of handling. A classic example of these would be a loss of coolant accident resulting from (say) a reactor coolant system cold-leg rupture, etc.

(5) The simulator allows a better and properly documented evaluation of the operator response.

(6) A plant transient may be over in a few minutes. It is not possible to ‘replay’ a situation on the actual plant and thus allow the operator to evaluate and judge his actions and ‘retry’; nor does the actual plant allow slow motion or freeze of plant situations to enable him more carefully to observe and correlate plant behaviour. A NPPTS allows all of these features, viz. playback, freeze, snapshot and slower than real-time motion. The simulation can be speeded up so that a better appreciation is developed of slow-acting phenomena such as xenon build-up or xenon oscillations, etc.

On the other hand:

(1) Full-scope nuclear power plant training simulators are expensive. Costs are now in the multi-million dollar range.

(2) NPPTSs are still only a simulation of the plant and cannot provide a complete substitute for actual plant experience.

The two above-mentioned factors can cause the owner/utility also to look at other options, viz:

(1) Purchase a basic principles training simulator (BPTS) which costs about US $1 million, and provides, as the name indicates, training in the basic principles of a reactor type, e.g. BWR or PWR, etc.

(2) Purchase a generic simulator, e.g. the simulator may be a full-scope simulation of an earlier plant which may be the same type but not exactly the same in size or technical features, as the plant currently under construction.

(3) Rent time at one of the NPPTSs at the training centres of the vendor country, to train and retrain operators.

(4) Take no action and hope that the actual plant (being built) will provide sufficient training. This course of action is definitely not recommended.

In the event that an owner/utility decides to acquire a full-scope NPPTS, several contracting arrangements exist:

(1) Purchase a simulator from a manufacturer and later enter into a contract for updating or ‘fine-tuning’ the NPPTS to the plant operating data

(2) Purchase simulator but ‘fine-tune’ the NPPTS oneself

(3) Build the simulator using a simulator manufacturer as a consultant.

The construction schedule of a NPPTS is 30-36 months and therefore it can be operational by the time plant commissioning starts. In addition to operator training it can:

(1) Be used for verification and testing of commissioning procedures

(2) Assist in the preparation of operating manuals and training the operators prior to plant operation,

(3) Help discover anomalies in plant dynamic behaviour prior to commercial operation,

(4) Assist licensing personnel in understanding the plant.

These and other issues are now discussed in more detail.

5.1. Full scope nuclear power plant training simulator

A full-scope nuclear power plant training simulator (NPPTS) is a one-to-one replica of the control room and with precise mathematical models of the plant systems attempts to reproduce the dynamic behaviour of the plant being simulated. In general terms, an operator should see no discernible difference between the behaviour of the simulator and that of his plant. The fidelity of a NPPTS is more specifically described in the American National Standard ANSI/ANS-3.5-1981 “Nuclear Power Plant Simulators for Use in Operator Training”. Some extracts from this standard are reproduced below:


Performance Criteria

Steady State Operation

— The simulator instrument error shall be no greater than that of a comparable meter, transducer and related instrument system of the reference plant.

— Principal mass and energy balances shall be satisfied. The simulator-computed values for steady state, full power, automatic control operation shall not change (drift) by more than ±2% over a 60 minute period.

— The simulator-computed values of critical parameters⁴ shall agree with the reference plant parameters within ±2%, e.g. reactor power, reactor hot- and cold-leg temperatures, feedwater flow, steam pressure, generated electric power, recirculation flow, primary system pressure.

— The calculated values of non-critical parameters pertinent to plant operation, that are included on the simulator control room panels, shall agree with the reference plant to within ±10% or shall not detract from training.

— The response of the simulator resulting from operator action, no operator action, improper operator action, automatic plant controls and inherent operating characteristics shall be realistic to the extent that within the limit of the performance criteria the operator shall not observe a difference between the response of the simulator control room instrumentation and the reference plant.

The above-mentioned simulator standard, though referring specifically in the context of the US NRC regulations 10 CFR Para. 55 to the qualification and requalification of operators, may be considered as general guidelines for any full-scope simulator used for operator training.
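The steady-state limits quoted in the extract (±2% drift over 60 minutes, ±2% agreement for critical parameters, ±10% for other panel parameters) can be checked mechanically against a logged simulator run. The following is an added example, not part of the guidebook or of ANSI/ANS-3.5; the parameter names and sample values are constructed, and measuring drift against the first sample and agreement against the run mean are assumptions of the example.

```python
from dataclasses import dataclass

# Limits quoted in the steady-state criteria above (fractions, not percent).
DRIFT_LIMIT = 0.02        # max change of a computed value over the window
DRIFT_WINDOW_MIN = 60.0   # length of the observation window, minutes
CRITICAL_TOL = 0.02       # agreement with reference plant, critical parameters
NONCRITICAL_TOL = 0.10    # agreement with reference plant, other panel parameters


@dataclass(frozen=True)
class Finding:
    parameter: str
    check: str        # "drift" or "agreement"
    deviation: float  # observed fractional deviation
    limit: float      # limit that was exceeded


def max_drift(series, window_min=DRIFT_WINDOW_MIN):
    """Largest fractional departure from the first sample within the window.

    series is a list of (minutes, value) pairs in time order. Using the first
    sample as the baseline is an assumption of this example.
    """
    if not series:
        raise ValueError("empty series")
    t0, v0 = series[0]
    if series[-1][0] - t0 < window_min:
        raise ValueError("run is shorter than the drift window")
    if v0 == 0:
        raise ValueError("relative drift is undefined for a zero starting value")
    window = [v for t, v in series if t - t0 <= window_min]
    return max(abs(v - v0) for v in window) / abs(v0)


def agreement_error(series, reference_value):
    """Fractional difference between the run's mean value and the plant value."""
    if reference_value == 0:
        raise ValueError("relative error is undefined for a zero reference value")
    mean = sum(v for _, v in series) / len(series)
    return abs(mean - reference_value) / abs(reference_value)


def evaluate(run, reference, critical):
    """Return a Finding for every criterion that a steady-state run fails."""
    findings = []
    for name, series in run.items():
        drift = max_drift(series)
        if drift > DRIFT_LIMIT:
            findings.append(Finding(name, "drift", drift, DRIFT_LIMIT))
        tol = CRITICAL_TOL if name in critical else NONCRITICAL_TOL
        err = agreement_error(series, reference[name])
        if err > tol:
            # For non-critical parameters the extract also accepts a deviation
            # that does "not detract from training"; that is a human judgement,
            # so a finding here means "review", not automatic rejection.
            findings.append(Finding(name, "agreement", err, tol))
    return findings


# Constructed sample data: reference plant values and a simulator run logged
# as (minutes, value) pairs at 15-minute intervals.
REFERENCE = {
    "reactor_power_pct": 100.0,
    "hot_leg_temp_C": 320.0,
    "feedwater_flow_kg_s": 1500.0,
    "lube_oil_temp_C": 50.0,      # non-critical panel parameter
}
CRITICAL = {"reactor_power_pct", "hot_leg_temp_C", "feedwater_flow_kg_s"}
TIMES = [0.0, 15.0, 30.0, 45.0, 60.0]
RUN = {
    "reactor_power_pct": list(zip(TIMES, [100.0, 100.2, 100.1, 99.9, 100.3])),
    "hot_leg_temp_C": list(zip(TIMES, [320.0, 321.0, 323.0, 326.0, 328.0])),
    "feedwater_flow_kg_s": list(zip(TIMES, [1540.0, 1541.0, 1539.0, 1540.0, 1540.0])),
    "lube_oil_temp_C": list(zip(TIMES, [53.0, 53.5, 53.0, 52.5, 53.0])),
}

if __name__ == "__main__":
    for f in evaluate(RUN, REFERENCE, CRITICAL):
        print(f"{f.parameter}: {f.check} {f.deviation:.2%} exceeds {f.limit:.0%}")
```

A percentage tolerance depends on the unit in which a value is displayed (a temperature in °C and the same temperature in K give different fractions), so the check should be run in the units shown on the control room panels.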

Simulators can not only train the operator as to the right responses to specific plant situations but, more important, can develop in him an appreciation of the underlying principles of the plant equipment and systems, and the interrelationships between the behaviour of various plant systems during transients.

In order to achieve the above, however, possessing a simulator is not enough. It must be complemented with classroom training and ‘walk-throughs’ of the plant.

Some of the simulator features are:

(1) Initial conditions: i.e. the capability to provide 20 initialization points (to start the simulator training) corresponding to different plant conditions, e.g. cold start-up, hot start-up, turbine rolling, 25% power, 50% power, etc.

(2) Malfunctions: typically 200-250 malfunctions, resulting in abnormal or emergency conditions, can be introduced. Each type of accident analysed in the plant safety report that results in observable indications on control room instrumentation should be simulated. The plant mathematical models should be such that response to malfunctions is inherent in them, and it should be possible to introduce simultaneous or sequential malfunctions.

(3) Freeze, backtrack and replay: it is possible to stop (or freeze) an ongoing simulation at any point in time, giving the instructor or operator time to explain some detail, and either go ahead or go back to any point in time in the last 30 minutes (back-track) and replay the last 30 minutes of plant simulation in 30-second snapshots (similar to instant replay on television).

(4) Override: an instructor can arbitrarily generate a fault on an instrument (e.g. switching pump to “ON” does not produce desired result) or spurious alarms.

(5) Environment: some simulators also replicate the exact control environment, viz. turbine noise, blow-off, etc.

4 Critical parameters:
1. Those parameters that require direct and continuous observation when the plant is under manual control.
2. Input parameters to plant safety systems.

5.2. Current status on use of simulators

Full-scope nuclear power plant simulators are supplied by at least four manufacturers in three vendor countries. A few countries have built their own simulators. As of June 1980, some 40 PWR/BWR nuclear power plant simulators were in operation or under construction⁵. In addition, full-scope simulators for CANDU PHWRs and FBRs have also been built.

5.3. Full-scope vis-a-vis generic or basic principles training simulators

A basic principles training simulator (BPTS) does not replicate the control room, relying instead on a simplified flow diagram of the plant. It incorporates mathematical models of the plant system comparable to those in a NPPTS and may cost in the range of US $1 million. Whereas it may find limited use in training nuclear engineers in a university or research environment (with no access to a NPPTS) it serves little use for plant-specific operator training.

A generic simulator is a full-scope simulator for which the reference plant⁶ is not the plant being built, but an earlier plant similar in type but not necessarily of the same size.

For a country embarking on a nuclear power programme, the best approach would be to build a full-scope NPPTS referenced to the plant being built.

5 Symposium on Personnel Organization and Qualification in the Equipment and Operation of Nuclear Power Plant, Cologne, June 1980. Gesellschaft fur Reaktorsicherheit Report (Federal Republic of Germany).

6 Reference plant: the specific nuclear power plant from which the simulator control room configuration, system, control arrangement and simulator database are derived.


5.4. Simulator location and timing

The full-scope NPPTS can be located at the plant site at the in-house training centre or at a location away from the plant, where the utility may be planning a central training centre.

Countries which have installed simulators have chosen one or the other approach. Generally, instructors and operators have indicated their preference for the NPPTS to be located at the plant site. This enables simulator training to be complemented by ‘walk-throughs’ of the plant, and also ensures immediate and easy access to the operations staff for retraining.

A full-scope NPPTS can take 30-36 months to construct, i.e. from contract award to acceptance tests, and it is preferable that it be available at the start of plant commissioning, i.e. approximately two years before commercial operation commences. A suggested simulator schedule based on maximum national participation is given in Fig.4.

5.5. Execution of the NPPTS project

The NPPTS for the planned nuclear power plant (NPP) is a project in itself and must be staffed and managed accordingly. Planning for the NPPTS needs to start around year -8, i.e. approximately a year before NPP contract award. The NPP bid specification should include the information that the owner/utility plans to build a simulator and would require database information from the vendors/suppliers. The specifications of the NPPTS are prepared by the owner and it is preferable that the contract for the simulator be awarded around the same time as the plant contract award. The reasons for suggesting this are:

(1) Full-scope NPPTSs can cost between US $6-10 million. It will be relatively easier to arrange financing (and governmental approval) if the NPPTS is included as a part of the total plant package which may cost over $1000 million for a 600 MW(e) plant.

(2) There would be sufficient lead-time in the simulator project to enable national participation.

As mentioned in Section 4, a high degree of national participation in the design and manufacture of I&C equipment and systems of a first nuclear power plant may be difficult to achieve. However, this need not be the case for the design and construction of a nuclear power plant training simulator. The NPPTS project should be viewed as an excellent vehicle for transfer of I&C technology to a country building its first nuclear power plant.

The advantages of maximizing national participation in the simulator project are as follows:

(1) It would help in building up an I&C technological infrastructure in areas vital for subsequent technical support of the plant, viz.

- system modelling and plant dynamics
- control room complex fabrication
- computer technology
- computer real-time programming
- QA and QC practices relating to I&C manufacture
- project engineering and project management know-how.

The engineers participating in simulator design and commissioning will acquire valuable knowledge and experience for NPP project design engineering.

(2) The lead-time available makes the simulator project a little more tolerant of delays that must be expected if national participation and transfer of technology are desired. The nuclear power plant construction and commissioning, on the other hand, is on the critical path; and the same extent of national participation (as can be achieved in a NPPTS project) in the design and fabrication of I&C equipment for a nuclear power plant may either not be possible, or prove to be very expensive, since it can be estimated that one week’s delay in the commercial operation of a 600 MW(e) plant could result in a loss to the utility of a few million dollars in revenue.

(3) With national participation in the NPPTS project, the owner/utility could select the simulation computers to be of the same type or even identical to the plant performance monitoring computers. This would be invaluable in providing technical support for the plant. There is however one constraint in this consideration. Most present-day simulation computers are 32-bit machines, whereas many performance monitoring computers are of 16-bit word length. This situation may however change towards 32-bit word length computer systems being universally employed in performance monitoring systems.

(4) The NPPTS, which is referenced to the plant ‘as-designed’, has to be updated or ‘fine-tuned’ to the actual plant once it goes into commercial operation⁷ so that the simulator can provide as accurate a simulation as possible of the plant. Simulator manufacturers only guarantee performances to match the ‘as-designed’ plant; and ‘fine tuning’ the simulator can be time-consuming and therefore expensive, if the owner does not possess the required experienced simulator personnel and has to contract this work out to the simulator manufacturer.

7 ANSI/ANS-3.5/1981 states that the simulator database must be updated to the actual plant data within 18 months after the plant enters into commercial operation.


It is also necessary to point out some difficulties associated with a high degree of national participation in the NPPTS:

(1) Simulation is still an art rather than an exact science. There are three, possibly four simulator manufacturers world-wide and modelling methods, especially for reactor neutronics, are considered proprietary information.

(2) Real-time simulation as applied to simulators is considerably different from modelling and simulation used in scientific computation or design engineering, and therefore know-how has to be developed.

(3) Similarly, special simulation models are being developed by simulator manufacturers to emulate real-time operating systems offered by computer manufacturers. This may involve considerable additional effort.

(4) A NPPTS project requires a multi-disciplined effort of electronic, mechanical, nuclear and computer engineers, with an excellent practical knowledge of the process as well as a sound theoretical base.

A suitable contracting arrangement is suggested as follows: The owner/utility undertakes to fabricate locally (through a sub-contractor) and install the control room complex, develop the application software (or purchase parts of it under licence from the simulator manufacturer) and integrate the simulator, with the simulator manufacturer in the role of a consultant to the utility. The participation of a simulator manufacturer as a consultant ensures that required outside expertise is available when required.

5.6. Simulator spin-offs

A full-scope nuclear power plant training simulator is probably the most effective (and possibly the only) way of providing training and retraining of operators, and may need no additional justification.

Some additional benefits may accrue as a result of having a NPPTS operational before the commercial operation of the plant:

(1) Verification of plant design: a simulator can be effectively used to confirm behaviour and uncover certain design problems and thus reduce start-up delays. Utilities operating nuclear and fossil-fuelled plants have reported instances where certain design deficiencies came to light during simulator testing.

(2) Development and verification of commissioning procedures: The overall operation of a plant depends upon the satisfactory working of each plant system, which in turn depends much upon how well it is tested during the commissioning phase. A simulator provides a dynamic facility for the development and testing of commissioning procedures. Similarly, various system interactions can be studied on the simulator and provide the owners’ commissioning engineers with an overall ‘feel’ of the expected plant behaviour.


(3) A simulator can be used to study the effect of proposed design changes to the plant before implementation.

(4) After a system is commissioned, the determination of optimum controller settings is usually done by manipulating the processes. This is time-consuming and sometimes undesirable. A simulator can be used to determine proper controller settings for a desired system response.

(5) Smooth plant commissioning and early start-up requires a team effort. A simulator can result in considerable saving by avoiding human interaction problems by demonstrating various systems interactions to the commissioning group.

The initial plant operation is usually marred by diverse problems. If the operating staff is not properly trained, smooth plant operation is delayed. It is of immense value to have an operating staff fully trained and completely familiar with plant operations before the start-up.

The simulators are designed to simulate steady-state, dynamic and transient responses to all changes in plant parameters at all operating power levels. A simulator is perhaps the only device that can cater for all the plant requirements prior to, during and after its construction.

6. VARIOUS PHASES OF PROJECT IMPLEMENTATION

This section briefly describes the phases in the life-cycle of a nuclear power project and summarizes the I&C activities in each phase.

Figure 5 (reproduced from TRS No. 200, Manpower Development for Nuclear Power, p. 18) shows the general schedule of a nuclear power project from which it can be seen that the various activities associated with the project extend over a period of about 14 years.

Fig.6 indicates a workable schedule for the I&C activities to be organized and conducted by the various project groups.

6.1. Planning and pre-project phase

During the pre-project phase the I&C activities will be of an organizational and preparatory nature. In this initial phase of planning for a nuclear power programme, I&C specialists may be inducted at the time when, based on initial studies, final approval has been given by the government to embark on nuclear power. A manager for I&C activities and at least three lead engineers (or at most four) may be recruited. These professionals should have 6-10 years’ experience in I&C. It is suggested that they come from varying backgrounds. It is recommended that the I&C manager come from an automated thermal power plant (of about 200 MW(e)) and have a commissioning and maintenance background with design experience. A post-graduate academic background is desirable. One of the three lead engineers should be from a nuclear research centre with experience in nuclear electronic instrumentation, digital electronics and digital systems, the second one with a background of control engineering modelling and simulation (a PhD in control engineering would be an asset) and process automation, and a third with a combination of the backgrounds mentioned above with relevant experience in practical, applied I&C teaching at a polytechnic abroad. These key people, coming from different sub-disciplines of I&C, will formulate and spearhead the I&C programme for the project lifetime and must be chosen with care for their dynamic qualities, planning capabilities and technical expertise. Recruitment for these key personnel could be done within the country as well as from the country’s nationals working abroad, where it may be easier to find people with the requisite experience. Good I&C professionals are in short supply and the planning of the owner organization must be such as to make it attractive (in terms of salary and perquisites) for such people to join this organization.

[FIG. 5. Schedule for a nuclear power project. Bar chart against years -14 to -1 with rows for: A Pre-project activities; B Project implementation; C Manufacturing; D Plant construction; E Commissioning; F Operation and maintenance.]

[FIG. 6. I&C activities and groups. Chart against years -13 to 0 with rows for: systems analysis and modelling; manpower development; safety regulatory activities; operating team; design team; project group; national participation. Milestones marked: government approval to embark on nuclear power, decision to embark on nuclear power project, letter of intent, contract award, start of construction phase, start of commissioning phase, commercial operation.]

The I&C involvement may be considered to start with this pre-project phase. This could also mark the beginning of nuclear safety regulatory activities. The I&C involvement starts in this phase, with grid studies and their impact on the type of plant control required, viz. load-following or base load, etc.; in the analysis of domestic resources and degree of local industry participation; steps for development of I&C industrial infrastructure; specification and installation of site instrumentation for collecting seismic and meteorological data; with the safety regulatory authority for preliminary evaluation of safety standards and risk assessment formulae published by the IAEA and those in use in the various vendor countries; and above all the work of planning for future I&C activities and the development of requisite manpower.

The initial nucleus of four to five I&C senior professionals will now start to establish the I&C manpower development programme and set up the infrastructures necessary to support the national participation in the I&C activities.

6.2. Project preparation phase

A decision is taken to embark on a nuclear power project. The project now has a name and a project group is established and operational. The first batch of I&C engineers who were sent for three-year academic-cum-practical training are now back (Fig. 1) and ready to participate in this phase along with the four or five I&C senior professionals who had been working in the pre-project phase.

In this guidebook this project preparation phase is considered to span a period of three and a half years. In developing countries, this phase may be more long-drawn-out because of financing. The increasing capital cost of nuclear power (over US $1000 million for a 600 MW(e) plant) is a severe burden for a developing country and a lot of studies and comparisons of conventional versus nuclear plant could be required. Economic as well as safety and availability studies may be needed before a government commits the large funds required. If a viable industrial infrastructure does not exist in the country, efforts on a national level may be undertaken to build such an infrastructure (and this is time-consuming), thereby also reducing the foreign exchange burden of a nuclear power plant.

Activities during the project preparation are listed below.

6.2.1. Pre-tender discussions: These should be held with vendors and include acquiring an understanding of the reference plants, evaluating various reactor types against the national policy for nuclear fuel cycle, local participation and grid conditions, etc.

6.2.2. Review of IAEA, national and other safety standards, codes and criteria; adoption and adaptation of national standards: In many cases the country accepts the regulatory standards of the vendor country in toto. A clear understanding of what those standards mean and a means of checking conformance to those standards are essential. An intermediate approach recommended is the adoption of IAEA codes of practice and safety standards which have been jointly prepared and reflect the consensus of several countries. A list of relevant IAEA Safety Standards (Codes of Practice and Safety Guides) is given in the Appendix at the end of Part I of this book.

6.2.3. Recruitment and training of technicians: Whereas the specialized academic plus practical training of engineers was initiated in the planning phase, the training of technicians was not. The first batch of the specialist I&C engineers would now have returned and one of their major responsibilities would be the recruitment and training of technicians and draftsmen.

6.2.4. Establishment of an in-house training facility: A well-planned and intensive programme of in-house training should be initiated for the training of both engineers and technicians in I&C fundamentals, equipment and system principles, specific plant systems and I&C skills. Training and re-training, either teaching or being taught, should become an integral part of an I&C engineer’s activities during his professional career in nuclear power.

Once the site for the nuclear power plant has been decided, plans for the construction of an in-house training facility should perhaps be the first step towards the successful introduction of nuclear power. There may be arguments for and against locating the nuclear training centre at the plant site. Experience tends to indicate that the training centre and eventually the plant simulator should be located at the site, so that plant orientation and classroom studies can proceed side by side. Details of syllabi and laboratories are given in Section 4, Manpower Development.

6.2.5. National Participation: The detailed mechanics of the decisions taken by government on national participation have to be worked out. Two broad areas are involved:

(a) manufacture of I&C equipment,
(b) extent and areas of I&C in which project design engineering can be done locally.

Incentives for (a) as specified earlier have to be worked out in detail and approved by the competent authority, and licensing agreements with foreign vendors negotiated. For (b) an organizational umbrella, scope of activity and agreement with foreign A-E or consultants need to be worked out. Some considerations in this context are given in Section 3.

6.2.6. Bid evaluation and contract negotiation: The I&C specialists should participate in the bid evaluation and be members of the contract negotiation team. In essence, this whole guidebook is aimed at discussing issues and topics that could assist the owner’s engineers in evaluating the bids and in preparing the specification of requirements for the plant.

6.2.7. Preparation of simulator specification: A full-scope nuclear power plant training simulator is now an accepted tool for training and licensing operation. The responsibility for construction, commissioning, fine-tuning and maintaining the simulator will rest with the I&C personnel. During this phase, the I&C personnel will be required to prepare the specifications of the simulator and include in the specification the extent of national participation desired.

Crucial decisions have to be taken in this project preparation phase, viz. selection of reactor type, supplier, contract arrangement, extent of national participation in project engineering, manufacture, construction, etc. The consequence of these decisions would affect not only the power plant being contracted for, but also the future of nuclear power in the country.

Some considerations in this phase are summarized below.

6.2.8. Familiarization with various reactors: With the approach suggested in Section 6.1 the I&C engineers would have received some practical training at the various nuclear power plants abroad. However, if it is not possible at the planning stage to visit the nuclear power plants, prospective vendors/suppliers may be asked to arrange short visits of two to three months’ duration at nuclear power plants undergoing commissioning or initial operation. Four to six of the I&C group leaders should visit one plant of the main suppliers under consideration. Thus, some first-hand knowledge in the group will be acquired about all the major reactor types and suppliers. The comments of the operating organization on problems encountered, technical and contractual, may be quite revealing and not found in the vendor-supplied descriptions. A word of caution is appropriate here, however. The comments received, especially if adverse, must be accepted judiciously since they may include a bad experience by an individual, which should not prejudice the appraisal of a reactor type or vendor. For the scheme suggested above, a major stumbling block may be the financing of the visits since, with the project funds not yet released, the management must be prepared to make a special effort to get funds for these visits.

Publications such as the IAEA’s “Operating Experience with Nuclear Power Stations in Member States”, which has separate sections on I&C problems of operating nuclear power plants, may prove to be useful for an appreciation of the maintenance problems and design changes pertaining to I&C equipment.

Vendors’ descriptions, design manuals of the reference plants, presentations made by the prospective suppliers and above all constant internal lectures and discussions within the I&C group will assist in acquiring a degree of knowledge prior to preparation of bid specifications.

6.2.9. Preparation of bid specifications and bid evaluation: A consultant is generally required in the preparation of bid specifications. The I&C personnel should prepare their list of considerations, both technical and administrative, for input into the bid specifications. Some considerations are listed below:

6.2.9.1. Adoption of the national voltage and frequency standard for all I&C equipment. Non-compliance with this consideration can result in a high degree of dependence on the vendor for even such small items as lamps for indicating lights, etc., and in subsequent foreign exchange expenditure in buying spares and consumables which otherwise would be easily available from within the country.

6.2.9.2. The plant load-following capability as required by grid conditions should be clearly specified. A certain flexibility in this capability should be sought for, as the grid conditions or utility requirements may undergo considerable unexpected change by the time the plant goes into commercial operation, e.g. initially it may be thought that the nuclear plant would operate as a base-load station and it is therefore designed accordingly. Later on, grid conditions could call for frequency control operation.

6.2.9.3. As a minimum, all conventional I&C equipment such as cable, wires, instrument tubing, cable-trays, lights, motor control centres, small motors, transformers, relays, cubicles, panels, junction boxes, etc., that are manufactured within the country and are being used in various industries and thermal power plants should be clearly defined in the bid specifications as items of local supply. This list should be as clear and as detailed as possible (giving specifications, etc.) and should be discussed in depth with the prospective supplier so as to leave no ambiguity. The owner/utility should however be prepared to accept responsibility for the performance of these items in the event that the plant supplier has reservations as to their use. Simultaneously, the local manufacturers of the equipment should be given the required specifications for their equipment in a nuclear power plant so that they are aware of the QA/QC standards expected of them.


These items, i.e. the conventional bits of I&C hardware, may not sound as glamorous as on-line computers, yet they form a large bulk of I&C supply and can build the industrial infrastructure for an increased scope of supply in future plants.

6.2.9.4. Present-day plants not only tend to employ digital computers as on-line data acquisition, reduction display, and monitoring systems, but also often employ several small microprocessor-based systems for a host of functions, e.g. for the reactor protection system, for the core sub-cooling monitor, acoustic leak monitoring system, etc. In addition, computers are employed in the nuclear power plant simulator and some reactor types use redundant computer systems for plant control.

One of the major advantages of digital computers is their flexibility (from the safety qualification point of view this could be viewed as a disadvantage). Software, i.e. programs, can be modified or added, to suit changing or additional requirements. With the decreasing costs of computer hardware, software forms a major cost component (60–70%) of a system. Developing local capabilities in computer software does not require any heavy capital expenditure or a large complex infrastructure. Consideration may therefore be given to national participation in software engineering. Furthermore, if there is no national computer manufacturing capability to start with, strong consideration should be given to the establishment of a computer systems integration (from original equipment manufacturer (OEM) hardware, initially imported from abroad) capability in the country. One strong reason for suggesting this is the problem of obsolescence. By the time a plant goes into commercial operation, the computer supplied may be obsolete and parts no longer available. Replacement of an on-line computer may be a very expensive proposition, i.e. because of capital cost and plant down-time (see the Appendix at the end of this Section, especially the list of symposia, for further information on this subject).

As mentioned in Section 3, if the I&C technological and industrial infrastructure can be geared towards support for the I&C of the plant, especially computers, the problem of obsolescence may well be surmountable.

The bid specifications and tender documents must again very clearly spell out this requirement. Convincing the reactor supplier to adopt this approach may only be possible if the requisite technological and industrial infrastructure required for software and hardware engineering has been catered for and built up in the planning and project preparation phases. This cannot be precisely termed as manufacture, since manufacture may not be involved, but only system integration.

6.2.10. For the purpose of reviewing the extent of national participation possible, the major instrumentation and control equipment of a plant can be subdivided into the following:


6.2.10.1. Nuclear (i.e. the in-core and ex-core neutron flux) instrumentation. Generally developed by the NSSS supplier or by some special companies that are adopted as a firm supplier for the NSSS. Little chance of national participation.

6.2.10.2. On-line computers. The previous paragraphs cover this area.

6.2.10.3. Control room complex (excluding display and control devices such as indicators, recorders, video-display units, etc.). Here again, many of the NSSS suppliers have specially fabricated control room complexes seismically tested, and national participation is not recommended and may not even be possible. However, some NSSS suppliers may offer various options, totally computer-based or a hybrid.

6.2.10.4. Process instrumentation (i.e. controllers, recorders, indicators, transmitters, re-transmitters, high-low monitors, P/E convertors, etc.). There are perhaps half a dozen major suppliers of process instrumentation for nuclear and thermal power plants, the petrochemical industry, etc. If one of these I&C suppliers has manufacturing facilities, or if licensing agreements can be worked out in advance, the products of this supplier can specifically be requested in the bid specification, and agreement of the NSSS supplier obtained.

6.2.10.5. Control valves. These are special items and some are specifically designed for nuclear service. It is questionable whether national participation is appropriate for these items.

6.2.10.6. Process radiation monitoring. As in the case of process instrumentation, there are not many such equipment suppliers of repute and if any of these has local facilities for manufacture and repair and is otherwise suitable, he may be specified.

6.2.10.7. Chemical and health-physics laboratory instrumentation. Here again the owner/utility could exercise his choice of supplier.

6.2.10.8. Portable radiation instruments. Some nuclear research centres may actually manufacture these instruments. This may be a starting point for a country’s development of capability in nuclear instrumentation.

6.2.10.9. The degree of manual or automatic control required, as well as of local versus remote control must be determined and specified. However, the I&C specialist must be prepared and have cogent reasons for deviating from the standard supply of the NSSS manufacturer.

6.2.10.10. The requirements of ease of maintenance, accessibility during plant operation, the possibility of isolation of a control device and its power supply isolation, etc., must be mentioned in the bid specifications, and the bids carefully evaluated for compliance with these criteria. It may be mentioned that these criteria are generally met in the safety systems and the I&C systems important to safety, but a closer check would be needed in those control loops that are not important to safety but affect plant availability. There have been instances where control power supply wiring has been looped to many instruments, making removal of one instrument for maintenance prone to de-energization of others, which could result in loss of plant availability.

6.2.10.11. It is also suggested that a lot of the minor instrumentation may deserve more careful review. Major instrumentation and control loops get a lot of attention and review both by the designers and the safety reviewers. Minor instrumentation systems as well as the interfaces between the NSSS, TG and BOP sometimes can cause a lot of maintenance problems and plant incapabilities. Unfortunately there is no hard and fast rule as to which specific areas to look for. The I&C engineer and his consultants have to depend upon their experience.

Other areas that need to be evaluated are:

— action on loss of alarm annunciation
— action on loss of plant on-line computers
— separation of control and protection systems
— the lifetimes and duty cycles of all the major I&C equipment.

6.2.10.12. The layout of the I&C shop, its proximity to the control room, the offices and the layout of the computer maintenance area must be specified, keeping in view the possibly unique requirements, e.g. the number of technicians and engineers may be much higher than in the vendor country and therefore necessitate a larger instrument shop. Similarly, instrument repair space, storage space for immediately needed spares and a small area for lectures/training may be another consideration. Once the buildings have been designed, it is well-nigh impossible to expand a cramped instrument shop or improve its ventilation, and this could be a problem throughout the lifetime of the plant.

6.2.10.13. The subject of spare parts supply, procurement and storage is discussed in more detail in Section 7. At the bid specification stage the scope of spare parts can be specified in the documents in terms of a certain sum of money (which could be approximately 25% of the capital cost of the I&C equipment) reserved for the purchase of spares. Spares adequate for two to three years’ commercial operation of the plant should be recommended by the manufacturer and approved by the owner. Spare parts should be specified along with the design of the I&C equipment and module-level spares should be purchased with the main equipment since later on these may either not be available or a higher price may be charged for them. One major item would be the purchase of a spare computer system. Some vendors are now including this in the scope of supply. A rationale for this is given in Section 7.2.

A similar provision of funds may be made for test equipment and tools.

6.2.10.14. The construction and commissioning of the plant provides an invaluable training period. However, training during this phase is best done by doing rather than watching. Assuming specific job responsibilities is probably one of the best ways of learning. The contract should provide for this. One possible way is to limit the number of commissioning engineers of the prime contractor (or the NSSS supplier, as the case may be), the remaining personnel required to be supplied by the owner. The owner must be prepared to accept that the I&C engineers so dedicated for commissioning and construction would be administratively and technically under the control of the prime contractor, since the wearing of two hats would cause unnecessary complications and these engineers can best guard their employer’s interests by fully participating in the duties so assigned them. It is also recommended that the utility/owner should undertake the responsibility of I&C maintenance from the day maintenance activities start at the plant. Thus by the time the plant is ready to be taken over, the owner has I&C engineers and technicians who have had three to five years’ experience in maintaining their plant and have established work procedures and equipment history records. Provision for this must be stipulated in the contract.

6.2.10.15. In the event that a nuclear power plant simulator is ordered for the plant, and it is recommended that this be done (see Section 5), the specifications should include the requirements of design data on the plant from the supplier that would be required by the simulator manufacturer.

6.2.10.16. The contract documents should also specify the requirement of the owner for training of his personnel at the design offices of the supplier in the project engineering of the plant and subsequently at a nuclear power plant as well as at the vendors or the I&C manufacturers. This period of attachment should be for a minimum period of three years to be really effective.

Assistance could also be requested and stipulated in the contract agreement in the augmentation of the in-house training centre.

Since all the I&C personnel may not be able to participate in the training programme at the supplier’s design offices and the works of the I&C vendors, training courses at site by the I&C vendors offered to both engineers and technicians would prove to be extremely useful. The training literature brought by the instructors (transparencies, video tapes, etc.) could be purchased and subsequently used for re-training.

6.2.10.17. The extent of documentation to be supplied, viz. design manuals, software source listings of application programs and system programs, maintenance manuals, drawings, wire and cable-lists, should be clarified with the vendors and the number of copies or ‘masters’ required spelled out in the contract. Seven to nine copies of design manuals and maintenance manuals may well be needed during plant operation and maintenance. The information required in addition to that normally provided by the supplier, and required for the national objectives of transfer of technology and self-reliance, should be discussed with the prospective supplier and agreements reached. The supplier may be more receptive to such arrangements prior to the signing of the contract.

6.2.10.18. The role of the utility’s project staff and the responsibility of the supplier to inform them of the construction details and to satisfy them that the work being carried out is of acceptable quality should be stipulated in the contract, otherwise their role would be limited to that of a spectator and to providing necessary services (communications, power, etc.) for the supplier.

6.2.10.19. The supplier normally provides station performance warranties on major items such as fuel burnup, heat rate, plant output, etc. However, the manufacturers’ warranties on I&C equipment would expire long before commercial operation. The NSSS supplier or main contractor should therefore be asked for material and workmanship warranties for, say, a one-year period after start of commercial operation, on all I&C equipment.

6.2.10.20. Finally a consideration, the lack of which causes considerable strain and ill feeling between the owner and supplier during the post-contract phases, especially in a turnkey contract. This is the request for changes or additions, i.e. items that in the light of experience or additional knowledge, the owner now considers ‘necessary’ but in the view of the supplier are ‘desirable but not essential’ and furthermore not included in the scope of supply. Hard bargaining may ensue. It is therefore imperative that the owner makes an allocation in the initial funding for the contract for such changes. This may be an internal arrangement between the owner/utility and the financing body (the government) and the amount not necessarily known to the supplier. This ‘piggy-bank’ or contingency fund could be of the order of 1–5% of the cost of the capital equipment. If these funds are not available, the owner may find it very difficult to avail himself of any options and improvements, during the project construction phase, where such improvements can be relatively easily implemented. However, caution is necessary in suggesting many and wholesale changes at this stage.

6.2.11. Contract negotiation and choice of supplier: Notwithstanding the contract clauses and specifications, one of the most important aspects to consider, in developing an owner/supplier relationship, is the integrity of the supplier. This depends upon the reputation built up by the supplier for quality and dependability. The relationship between the supplier and owner has to last over the lifetime of the plant and perhaps over the next plants which may be purchased from him, and not just for the duration of the contract, which could last until the start of commercial operation. A mutual respect built up between the owner and supplier, and personal understanding between the project managers of the supplier and owner may well prove more helpful than dozens of clauses inserted into the contract to protect the rights of the owner or supplier. All technical aspects being equal, and financing considerations apart, this single above-mentioned feature should play a very important part in the choice of supplier.

6.3. Project design engineering phase

A certain amount of design engineering is performed by the supplier(s) during the pre-contract phase while preparing the bids. This activity, however, starts in earnest with the signing of the contract. For a single-supplier, turnkey contract, the responsibility for the total plant design rests with the main contractor, who would be the NSSS vendor. In other types of contracts, NSSS, TG and BOP suppliers and architect-engineers (A-E) would share the design activities, with either the owner or the A-E being responsible for the overall plant co-ordination and management.

Another option is suggested that may be attractive for countries that need nuclear power immediately, but have yet to develop a strong educational, technological and industrial infrastructure and cannot afford to wait for the infrastructure to build up before installing a nuclear power plant. In this option a main contractor not only undertakes the responsibility of project implementation but also of operating and maintaining the plant and guaranteeing its safety and availability. This option has not been exercised so far by either an owner or a supplier, but should not be ruled out by countries which have the requisite funding and need nuclear power immediately as a source of energy for their development. Another sub-option within the above could be to use an entrepreneur who may decide to finance the building of a nuclear power plant as a purely commercial venture and supply the utility the electricity on agreed terms.

The above option should be given serious consideration both by the prospective owner/utility in the developing countries as well as the vendor countries and the reactor suppliers.

The owner/utility in urgent need of energy may decide not to avail himself of this ‘entrepreneur/main supplier built and operated’ option for perhaps the following reasons:

(1) A vendor is not available who is prepared to undertake the project on these terms.

(2) Either an entrepreneur is not available, or the owner country is not able to arrange the additional financing that would be required to make use of this option.

(3) Self-reliance, transfer of technology and national participation objectives may preclude consideration of this arrangement.


(4) There may be considerations that this option would lead to a lack of development of safety regulatory activities and to complications as to who will bear the nuclear liability.

In such an event the owner/utility must give very careful consideration to a strong national participation in the project design engineering phase and the preparation for participation in this phase, as this is a phase in which active national participation can significantly enhance the national capability in nuclear power.

There may be arguments for a stronger thrust initially, in local manufacture. It is submitted that this is not entirely possible without active involvement in project design engineering and really can be a consequence of design participation. Furthermore, expertise in the area of bid specifications preparation, evaluation and contract negotiation (and these are activities that can be considered essential for national participation) implies a considerable knowledge of project design engineering.⁸

6.3.1. Manpower requirement for design engineering

As mentioned earlier in Section 3, I&C project design engineering of a nuclear power plant of a proven concept (i.e. not first of a kind) can require approximately 450000 man-hours and the services of 40–65 experienced I&C engineers, accounting for approximately 1.5% of the plant costs. The I&C sub-disciplines or activities, and the approximate manpower required can be classified as follows:

Sub-discipline/activity                                   Number of engineers
1. Performance analysis                                   3-4
2. Major control systems design                           3-4
3. Process instrumentation
   NSSS                                                   10-15
   TG                                                     3-5
   BOP                                                    8-10
4. Plant computers                                        5-10
5. Control room complex                                   2-4
6. Safety systems                                         5-10
7. Developmental systems and monitoring systems
   for on-line surveillance and NDT                       2-4
Total                                                     41-66

8 The above paragraphs should be treated as food for thought rather than as outright recommendations.


The sequence of activities in the I&C project engineering process and the associated manufacturing and site-related activities are listed below:

— preliminary and conceptual design
— licensing documentation
— basic and detailed design
— equipment specifications
— procurement and manufacturing surveillance
— modifications
— erection and commissioning support
— documentation for the plant as built.

6.3.2. Owner/utility involvement

Attachment of the regulatory staff and the owner/utility at the design offices of the supplier during the design phase is imperative, regardless of the type of contract. The duration could be from 2½ to 3½ years. The financing and administrative arrangement must be made in the contract, and the precise function, responsibility and administrative control of the owner’s design team stipulated. The term “as mutually agreed upon from time to time” causes unnecessary complications and therefore a clear definition of the duties and responsibilities of the design team is necessary in the contract. Consideration may also be given to the attachment of the owner’s engineers to the central engineering offices of a utility which implements its own power projects, and which is operating or commissioning a similar plant. Such an attachment would also expose the owner to the methodologies (and organizational requirements) of the design review process, plant testing and acceptance procedures and the requirements of subsequent engineering support during commercial operation.

Prior to his attachment to a specific section or work area, an I&C engineer should undergo an 8–12 week orientation on all the process systems of his plant. The requirements of I&C emanate primarily from the process system parameters and understanding them will greatly benefit him. Another part of the orientation should be the use and interpretation of international, national and company standards, how to document, and the importance of clear documentation, which forms the only means of communication between main supplier, the site and the regulatory authority. This may be labouring a point, but in the nuclear power industry, the need for clear concise documentation cannot be overemphasized, and the I&C engineer of a country embarking on its first nuclear power plant should master the ability to provide this.

In order to provide effective support to the plant after commercial operation has commenced, it is recommended that the I&C engineers acquire working familiarity with the following:


(1) All the control loops of the plant, from the sensor to the final control element, their control actions, interlocks and control ranges. This could be done by preparing steady-state input-output diagrams and simple charts. Some diagrams are shown in Figs 7 and 8. The diagrams shown are for illustration only and bear no reference to any specific plant or control loop. Every I&C engineer may choose to draw these diagrams in the way he prefers.

(2) Understanding and use of fault-tree analysis, failure mode and effect analysis and cause/consequence diagrams.

(3) Specification and selection of instrument devices.

(4) Evaluating loop and system design for conformity to the safety standards.

(5) Analyses of process dynamics and design of complex control systems, their modelling and simulation. Translating results of these analyses into concrete hardware specifications.

(6) Testing and tuning of control loops.

(7) A thorough understanding of the considerations and analyses that have led to a particular I&C design. This is extremely important since, during the lifetime of the plant, modifications or backfitting may be required. It is important to know the original design intent before designing any modifications. Most of the time this design intent or the reason for a particular approach is not very clearly documented.

(8) Computer system software and hardware: It is suggested in Section 6.2.9 under the topic “Preparation of bid specifications and bid evaluation” that strong consideration be given to national participation in software engineering and even computer systems integration. The trend in the modern plant is more and more towards the use of digital computers and the owner’s engineers should participate in (and thus become familiar with) the design of application software and the hardware interfacing of the computer system(s) to the plant. This is extremely necessary as otherwise the owner may have to call for expensive support from the computer supplier and sometimes this may not be available as the computer system(s) supplied may be obsolete. (Although most NSSS suppliers are entering into long-term agreements with computer manufacturers, their effectiveness has yet to be seen.) For national participation in computer systems integration, a large number of computer professionals will be required (and the details of such an organization are outside the scope of this guidebook). Aside from this requirement, five to ten I&C engineers must be trained in computer software and hardware at the design office of the supplier or the computer manufacturer(s).

(9) Evaluating the instrumentation as regards ease of maintenance and repairability.

FIG. 7. Steady-state input/output diagrams. (Panels: transmitter output/controller input, 4 to 20 mA, against the measured variable, say pressure; controller output, 0 to 100%, to the control valve via the I/P converter.)

FIG. 8. Chart for a pressure control loop. 1 lbf/in2 = 6895 Pa. (Pressure axis in lbf/in2, 1000 to 2000, set point 1500; marked levels: relief valve operation, reactor trip setting on high pressure, cold-water spray operation, control band for normal operation, start standby pump, reactor trip on low pressure, emergency injection.)

(10) As mentioned earlier, carefully studying the minor control loops and instruments, and the interfaces between equipment from the various suppliers (if there is more than one).

(11) Evaluating spares requirements. The best time to start evaluating spares requirements is when instrumentation and control equipment is being selected and ordered. The I&C engineers in the design offices of the supplier will have easy access to literature, manuals and relatively easy access to the I&C manufacturers and thus will be able to prepare an economic yet comprehensive list of recommended spare parts. This is their plant and the responsibility for spares is primarily theirs (of more interest to them than to the designer) and they should devote to it the attention it deserves. While evaluating requirements for component spares, one type of component, e.g. an integrated chip (IC) may be used in several types of equipment and this should be standardized, and ordered from a general supplier, or the IC manufacturer. Though time-consuming, this will result in considerable savings, as well as providing the start for the database for the inventory programme required during commercial operation.

The list is by no means complete, and the reader may add to (or delete from) the list based on his experience and requirements.

In conclusion, it may be stated that an in-depth knowledge of the I&C equipment and systems design and of the design intent is essential in order to provide subsequent support to the plant. Generally, vendors may not be prepared to provide the detailed design analyses and codes, etc. needed for the above. It is recommended that these be acquired even if this entails added costs. The subsequent savings will justify this initial expenditure. The minimum number of the owner’s I&C engineers required to participate in the design phase is given in subsection 6.3.1.

6.3.3. Some considerations in I&C equipment selection and evaluation

A host of standards and guides are available, and some pertaining to I&C equipment selection and systems evaluation are listed in the Appendix. Some general guidelines are as follows:

(1) I&C equipment costs are a small fraction of the plant capital equipment costs, yet I&C is perhaps the most conspicuous feature of the plant and one where there is a lot of human interaction. The cost of the I&C equipment, though important, should not form the basis for equipment selection nor for the type and extent of instrumentation provided.


(2) Standardization on a manufacturer, or a few manufacturers: A proliferation of I&C vendors (resulting from preferences of individual designers) is a maintenance engineer’s nightmare, and causes major headaches in subsequent I&C maintenance. Most suppliers keep this requirement in mind. The owner/utility should ensure that a conscious effort is made to limit the number of I&C vendors, especially where project engineering is sub-divided between NSSS, TG and BOP suppliers.

Where possible (i.e. where diversity is not a special requirement), the same applies to homogeneity of equipment, i.e. the same type of limit switches, resistance temperature detectors (RTDs), transmitters and other I&C devices.

(3) The national safety review assessment representatives of the regulatory body should be consulted in this phase. If the I&C equipment selection is done without regard to the safety review aspects, time will be lost and further costs incurred subsequently in adapting to these requirements. The financial burden for this may well have to be borne by the owner, especially if not otherwise stipulated in the contract or after contract completion.

(4) The selection of I&C vendors should be based on their established reputation for quality and long-term support.

(5) Ease of maintenance: guaranteed long-term (ten years) availability of spares; the use of standard, multi-sourced (as opposed to single-source or ‘exotic’) components in the design; support facilities within the country and good documentation and training support are some critical factors in the selection of an I&C vendor.

(6) If the owner wants additional installed spare capacity in the I&C, over and above what the supplier normally provides, this should be catered for at this stage. This can range from additional terminal strips in junction boxes, to extra cable pairs, higher rating of power supplies, to (say) 100% expandability of computer main memory and process I/O capability. Similarly any requirements of additional measurements, test-jacks, test-valves, etc., that the owner may require for performance testing and monitoring during commercial operation should be allowed for at the design stage. If not done at this stage, one may find that the addition of even just a single thermocouple may require a major effort during commercial operation.

It may be worth while adding a general observation. Designers are sensitive persons, as perhaps all creative people are, and do not take easily to criticism or suggestions. (They get a lot of these from the safety reviewers of their own country.) They may therefore be not so receptive to suggestions, no matter how well-meaning, from the owner’s engineers (especially from a non-vendor country), and a considerable amount of tact may therefore need to be exercised by the owner’s engineers.

A participatory role in the design, rather than a ‘supervisory’ or training role, may be a preferred way for the attachment of the owner’s engineers with the design group of the supplier, as this tends to ease matters and personal relationships develop.


6.4. Construction and installation of I&C equipment

The construction and installation of I&C equipment (especially the field-mounted instrumentation) is to some extent dependent on the installation of mechanical equipment and piping, i.e. boilers have to be erected, pumps have to be in place, major piping work done, and most of the heavy equipment in position so that instrument devices are not damaged. This phase can be considered to start around year -4, and to be complete by year -1 to commercial operation, with an 18-24 month period of intensive activity. If three years of training of the I&C engineers at the vendor’s design offices started at year -6.5, this would be in time for them to return to the site to participate in the construction activity.

This phase can be further subdivided into the following phases:

— planning
— pre-installation verification
— installation and verification during installation
— post-installation verification
— modifications
— documentation.

Documentation or its updating is a continuing activity. At the start of this phase, drawings and documentation “approved for construction” are issued; and at the end of the construction phase, drawings, wire-lists, cable and cable-tray routes and other documents have to be revised to reflect the plant ‘as-built’.

Viewed from the outside, the construction and commissioning phases may appear to be one smooth phase. Specific milestones, however, exist where the construction phase of an I&C system, or the I&C of a particular process system, is considered complete (though minor, agreed deficiencies may still exist) and the system or equipment responsibility handed over to the commissioning staff.

In this guidebook, one such milestone is the point where the I&C devices and their logic have been energized and checked for correctness, although their functioning has not been checked at the rated process fluid conditions of temperature, pressure, etc. The work in this phase can then be said to consist of the following.

— central control room prewired panels installation and interconnection
— installation of the monitoring (or control) computers, software installation testing and debugging, connection of the process input-output (I/O) devices
— field panels, junction boxes and cable-tray installation
— laying of tubing and cabling
— checking of devices prior to installation
— device installation
— wiring and interconnection of field devices with central control room
— device removal (where necessary) from field for instrument shop calibration (installation verification)
— wiring, tubing logic and pre-energization checks
— energization checks but, in the case of motor control-circuits without primary circuit energization, and in the case of other control circuits with final control element actuation but with process fluid either absent or not at rated temperature and pressure.

For an ideal transfer of technology, the owner’s personnel and the local work force should perform all the above activities, under expatriate supervising staff of the main contractor.

6.4.1. Participating organizations

The following organizations would be involved in this phase at the site:

Owner/utility and national organizations:

1. Project management organization for planning and project monitoring
2. Construction personnel, seconded to main supplier/prime contractor, who will subsequently maintain the plant
3. Representatives of the regulatory authority
4. ‘In-house’ training organization
5. Project design engineering organization for back-up I&C support and for domestic industrial liaison. The QA/QC functions can rest with this organization, or with project management; the representative of the regulatory authority could work within this organization.

Main supplier/prime contractor:

1. Construction organization
2. Commissioning organization

Each of these organizations will have their I&C personnel, and effective discipline-oriented communication is necessary. An I&C Technical Committee, which would meet regularly, comprised of representatives from each organization, may be one way of communication.


6.4.2. I&C activities and considerations

The various I&C activities in this phase and some of the considerations relating to these activities are given below:

6.4.2.1. Planning

The planning is initially done at the design office of the main supplier and subsequently at site. The installation, inspection and testing activities should be planned and documented as a sequence of operations, and should include a review of all relevant information, for example:

— system/component design specifications
— the latest applicable “approved-for-construction” drawings
— installation specifications
— manufacturers’ instructions
— wiring diagrams and process instant displays (PIDs)
— QA documentation
— procedures and instructions
— compliance with applicable codes and standards.

Detailed planning diagrams (Programme Evaluation and Review Technique (PERT) charts or Critical Path Method (CPM) diagrams) are so complex that computers are needed to assist in their preparation and updating. The I&C engineers in the owner project-management organization (Section 6.4.1) can become involved and participate in this activity if they offer to implement this activity on the ‘spare’ computer system, which should be delivered as early as possible at site, and it can then be used as the ‘house computer’ for computer-aided project-related activities. Other such activities which can be implemented are:

— updating of construction drawings
— computerized wire-lists, sorted by wire number, device, or location
— computerized cable routing lists, etc.

These can form the database for the subsequent updates which would be done during the plant lifetime. It has been sometimes observed that the owner’s interest in having the latest, applicable ‘as-built’ plant documentation ceases when he takes it over. After a few years’ operation, if there is a need to make (say) some wiring changes it is found that the drawings are either not available or sadly out of date. This should be avoided at all costs. Participating in the construction phase in documentation management and setting up a working system for updating will help prevent this.


6.4.2.2. Shipment, storage and pre-installation verification

I&C equipment, compared to mechanical equipment, is neither bulky nor heavy.

All electronic I&C instrumentation and other devices should be air-freighted. The equipment arriving at the airport can sometimes be mercilessly handled. The I&C engineer may find that he may have to arrange for speedy delivery and proper storage of his equipment. The owner will find it very useful, even under a turnkey contract, not to wait until plant hand-over to establish his stores organization, but undertake the responsibility for this activity from the construction phase. The I&C personnel will need to assist the stores personnel in a suitable organization and procedures for proper storage and environmental control of I&C stores. Though not so critical in this phase and therefore often ignored, it may, later in plant operation, come as a rude shock to management to find a rusty RTD in place of a needed spare RTD qualified for nuclear power plant service and then have to wait for six to nine months for the arrival of a replacement.

It is important that all I&C devices received at site undergo inspection. A small area in the stores can be set aside as a laboratory for incoming inspection. This can comprise visual examination for damage during transit, checking that the device model number, range, voltage rating, etc., is as per the specifications, and a more detailed examination such as a three-point calibration to confirm that the factory calibrations have not drifted as a result of shipment and handling. Errors discovered at this time can be rectified promptly and not cause delays which may otherwise result if a deficiency is discovered during subsequent installation, when this activity may be on the critical path. Often, field-mounted devices may be installed in place after a simple operational check so that tubing and wiring connections are completed, and at a later date detailed calibration and functional checks performed.

6.4.2.3. Installation, and verification during installation

(a) Installation activities related to I&C systems:

— mounting and supporting of cable trays, conduits, raceways, instrument racks and panels
— cable pulling, splicing and terminating
— cable and instrument sensing line routing, including maintaining required separation between redundant systems
— tagging or identifying various items
— identification of safety-related equipment (instruments, transmitters, cables, cable trays, conduits, penetrations, sleeves, panels, racks, etc.) should be unambiguous, simple and down to the channel level
— installing electrical and instrumentation penetration assemblies, and assuring the integrity of the containment seals
— installation of cable and instrumentation piping
— installation of protective measures against fire
— calibration and adjusting switch setpoints of instruments.

(b) Verification activities:

The inspection of correct installation includes checking:

— compliance of items with the respective documents, handbooks or records
— levelling and alignment
— proper location, support, and routing of cables and sensing lines: special care should be exercised in proper routing of cables into cable trays; a timely inspection programme should follow the activity
— tightness of connections and fastenings and use of proper tools, in particular to assure compliance to seismic design
— freedom of movement of parts subject to thermal expansion
— accessibility for surveillance and maintenance
— correct polarity
— proper grounding and shielding terminations
— fluid levels and pressures
— absence of leaks
— physical integrity
— identification (labelling)
— circuit fusing
— proper ratings of equipment
— access of cooling air
— cable penetrations (fire protection).

Inspection of correct housekeeping and protective measures is also important:

— protective measures applied for equipment not in operation
— protective measures to prevent damage to I&C equipment already installed (or partially installed) as a result of continuing adjacent mechanical or civil construction
— protection measures to prevent damage as a result of human errors, sabotage, theft
— protective measures to prevent damage to measuring and test equipment during field use.

6.4.2.4. Post-installation verification

The principal inspection activities at this point are to check:

— conformance of the installation with specifications, plans, documents
— good and proper workmanship
— equipment and materials have not been damaged during installation
— all temporary conditions (jumpers, bypass lines, setpoints) clearly identified
— protective measures applied for equipment not in operation. Measures such as covering the instruments with a temporary protective box can prevent their being damaged by adjacent construction work.
— non-conformance items: all errors, modifications, design and field changes still not completed, corrected and approved by the responsible authority should be listed at this point; it should be ascertained that all these items are conveniently documented and characterized as open items.

6.4.2.5. Pre-commissioning I&C loop checks and control circuit logic checks

Once the installation of the devices, the wiring and tubing is complete, loop checks and control circuit logic checks are made to ensure that the circuits are connected and operate as per the drawings. These checks include:

— adjusting of valves by the controller (in the hand position), checking that they open and close as per the logic and that there are no wiring or tubing mistakes. Loss of air and power supply positions are also verified.

— total loop checks: from sensor to final control element, e.g. differential pressure equivalent to 0, 25, 50, 75 and 100% of the measured range is applied through, say, a pneumatic test set or a deadweight tester to the process connection of a level transmitter, and the corresponding position of the final control element checked, with the controller in AUTO mode and at varying setpoints.

— neutron instrumentation (where applicable) is checked in the instrument shop and in situ, using a special rig with a neutron source, etc.

— the process I/O, i.e. digital inputs and analog inputs to the monitoring computer are simulated and the computer actions verified. All program branches and re-entry points are checked in the software. The checking procedure for the computer software and hardware is quite detailed and complex and outside the scope of this guidebook. Test jacks and additional digital-cum-analog check-out panels can considerably ease testing. Some papers presented in the various IAEA Specialists’ Meetings on Nuclear Power Plant Control and Instrumentation (NPPCI) also provide valuable information and references.

A spare computer system identical to the main computer and delivered early at site can prove invaluable for software development and check-out.

— All the interlocks and enabling devices in the various control circuits such as pump-motor circuits or motorized-valve circuits are checked for correct operation.
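The five-point check described in the "total loop checks" item above, worked through for the transmitter half of the loop. This is an added example, not part of the guidebook: it assumes a 4-20 mA transmitter signal and an acceptance limit of 0.5% of span, and the range and readings are constructed.

```python
from dataclasses import dataclass

LIVE_ZERO_MA = 4.0                       # assumption: 4-20 mA signal loop
SPAN_MA = 16.0
TEST_POINTS_PCT = (0, 25, 50, 75, 100)   # test points named in the text

# Constructed as-found readings (test point % -> measured mA) for a
# hypothetical level transmitter ranged 0 to 2500 (units of the test set).
SAMPLE_GOOD = {0: 4.02, 25: 8.01, 50: 12.03, 75: 16.02, 100: 20.04}
SAMPLE_ZERO_SHIFT = {0: 4.16, 25: 8.16, 50: 12.16, 75: 16.16, 100: 20.16}
SAMPLE_NONLINEAR = {0: 4.0, 25: 8.0, 50: 12.2, 75: 16.0, 100: 20.0}
SAMPLE_REVERSED = {0: 20.0, 25: 16.0, 50: 12.0, 75: 8.0, 100: 4.0}


@dataclass
class PointResult:
    pct: int
    applied: float          # input applied by the test set, engineering units
    expected_ma: float
    measured_ma: float
    error_pct_span: float   # signed error as % of the 16 mA span
    ok: bool


def expected_ma(pct):
    """Ideal transmitter output for an input at pct % of range."""
    return LIVE_ZERO_MA + SPAN_MA * pct / 100.0


def evaluate_loop(lrv, urv, readings_ma, tol_pct_span=0.5):
    """Compare as-found readings (dict: pct -> mA) with the ideal line.

    lrv/urv are the lower and upper range values of the transmitter.
    tol_pct_span is an assumed acceptance limit, not a guidebook figure.
    """
    if urv <= lrv:
        raise ValueError("upper range value must exceed lower range value")
    missing = [p for p in TEST_POINTS_PCT if p not in readings_ma]
    if missing:
        raise ValueError(f"no reading recorded for test points {missing}")
    results = []
    for pct in TEST_POINTS_PCT:
        ideal = expected_ma(pct)
        measured = readings_ma[pct]
        err = round((measured - ideal) / SPAN_MA * 100.0, 3)
        applied = lrv + (urv - lrv) * pct / 100.0
        results.append(PointResult(pct, applied, ideal, measured, err,
                                   abs(err) <= tol_pct_span))
    return results


def diagnose(results):
    """Name the dominant fault so the follow-up (rewire or recalibrate) is clear."""
    by_pct = {r.pct: r for r in results}
    # Output falling as the input rises points to a connection or
    # configuration mistake rather than a calibration drift.
    if by_pct[100].measured_ma < by_pct[0].measured_ma:
        return "reversed"
    if all(r.ok for r in results):
        return "pass"
    zero = by_pct[0].error_pct_span
    span = by_pct[100].error_pct_span - zero
    # Deviation of the mid-range points from the line through the end points.
    linearity = max(abs(by_pct[p].error_pct_span - (zero + span * p / 100.0))
                    for p in (25, 50, 75))
    components = {"zero shift": abs(zero), "span error": abs(span),
                  "non-linearity": linearity}
    return max(components, key=components.get)


if __name__ == "__main__":
    for name, data in [("good", SAMPLE_GOOD), ("zero shift", SAMPLE_ZERO_SHIFT),
                       ("non-linear", SAMPLE_NONLINEAR), ("reversed", SAMPLE_REVERSED)]:
        res = evaluate_loop(0.0, 2500.0, data)
        print(name, [r.error_pct_span for r in res], "->", diagnose(res))
```

The results of such a check are also the kind of base-line record the commissioning documentation later relies on.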

There may well be more than 10000 devices in the plant and sometimes they may be checked or calibrated more than once. The experience gained in this phase by an I&C engineer is invaluable and much more than he may acquire during the whole operating lifetime of the plant. This work should not just be left to technicians. During this installation phase, a maintenance engineer or a design engineer is not so burdened with the administrative duties that come when the plant is operating, when he is responsible for maintenance. All the I&C engineers should therefore take this opportunity of working with their own hands and thoroughly learning about their plant.

6.4.2.6. Modification during installation

During installation it always turns out that some modifications are necessary. The reason for these modifications may be:

— incomplete or incorrect planning
— changes in design by reason of the latest findings (safety, availability)
— shipment and delivery problems
— results of verification activities during installation
— results of field changes during installation.

In practice it is a difficult task to keep the modification (installation verification, documentation) in evidence. It is chiefly a communicational and organizational problem. Documentation is essential for this task and, while generally originated by the design, construction or installation teams, it should be closely followed by the QA specialists.

6.4.2.7. Handing-over to commissioning

As the installation checks of the I&C of a particular system are completed, the I&C can be handed over to the commissioning team, and the owner’s I&C engineers may also get involved in the commissioning activities. There may be relatively slack periods where the construction of a particular system is complete and its commissioning is yet to start. These periods can be utilized for some formal training and recapitulation of the activities, with discussions on future commissioning activities.

6.5. Commissioning and start-up

The commissioning phase normally spans a period of 18-24 months and in this phase it is demonstrated that the plant equipment and systems and the plant as a whole operate in accordance with the design assumptions and performance criteria, and satisfy the various contractual clauses regarding heat rate, power rating, load cycling capability, etc. It may be found that the plant may be verified to behave as per design and as per contract, yet other considerations, e.g. grid conditions or a higher temperature of cooling water, etc., may require new conditions to be met. These are also tested and verified in this phase.

Although the nomenclature for the tests performed during this phase may vary (names such as pre-operational, functional, pre-loading, post-loading, start-up, integrated, acceptance tests are employed), these can be divided into two main phases:

(i) Pre-operational tests on components and systems after construction but before fuel is loaded

(ii) Initial start-up tests after fuel loading, including the tests made during ascension at each power level, and plant acceptance tests.

6.5.1. Commissioning programme

A commissioning programme is prepared, indicating the overall scope of activities and also giving details of the following items:

— purpose of the tests
— test sequence and procedure
— technical and administrative provisions
— organizational arrangements
— range and extent of documentation required at each step.

6.5.1.1. Responsibility and manpower

The commissioning phase, if well executed, can be an object lesson in managing and co-ordinating complex activities within a short time-frame and with the possibility of unexpected events. The owner/utility, contract arrangement permitting, should take the overall responsibility for control and co-ordination of all commissioning. This experience will prove valuable in the planning of future maintenance outages and for the next plants.

As mentioned earlier, owner participation can be maximized by stipulating in the contract that the owner will provide the bulk of the commissioning personnel, with a limited number (an exact number needs to be specified) of key specialists from the main supplier/contractor. If, however, the owner is not able to supply the requisite commissioning engineers he may have to end up paying for additional expatriate personnel to complete the work. With proper planning, however, a country embarking on its nuclear power programme should be able to provide the bulk of commissioning personnel.

6.5.1.2. Licensing activities:

It should be clarified in advance in what manner and to what extent the licensing representatives intend to participate in the commissioning phase.


6.5.1.3. Time schedule

A realistic time schedule must be drawn up for the whole commissioning phase and should include options for the case of non-conformance.

6.5.2. Testing procedures:

All commissioning tests should be performed in accordance with written procedures. These procedures should include the following items:

— test objectives
— test methods
— data collection and processing methods
— data evaluation methods
— limiting criteria
— prerequisites (technical and organizational)
— test conditions and test procedures
— acceptance criteria
— list of test equipment (instruments, tools, facilities)
— list of manpower requirements (qualification, responsibility)
— precautions for safety of personnel and equipment
— references, identification, distribution
— a list of information required for documentation
— definition of test completion
— provisions for the case of unexpected results and occurrences.

6.5.3. Commissioning documentation

A complete and clearly arranged documentation of all facts related to commissioning is essential.

6.5.3.1. Purpose of commissioning documentation

— specify all actions necessary for execution and evaluation of testing
— show that licensing and safety assessment requirements have been met
— enable the integration of the many and various documents relating to the commissioning activity into a coherent pattern
— collect base-line data for future reference
— permit communication and information between all involved groups
— show continuity in the commissioning activities
— show that the design intent has been met
— show that modifications have been correctly implemented
— show accordance with quality assurance requirements.


6.5.3.2. Content of commissioning documentation

— commissioning programmes, schedules and reports
— vendor specifications, safety reports
— regulatory body requirements
— modifications of design and construction
— records of deficiencies and corrective actions
— final test reports and completion certificates
— installation completion certificates
— test procedures
— operational limits and conditions
— operating and maintenance instructions
— records for fuel and nuclear materials
— procedures for safety of equipment and personnel.

6.5.4. Special problems

— conservation of already tested items
— provision to assure tested status of a system
— documentation and execution of modifications during installation and testing phase
— co-ordination of a diversity of testing activities (simulations, interactions, damage, personnel planning)
— co-ordination of tests concerning different parts of a system (sensors, electronics, actuators, mechanical components interfaces)
— accuracy analysis of measurement loops
— software review (computer applications)
— relation to safety of subsystems and annunciation systems
— time pressure during commissioning of I&C systems
— electromagnetic disturbances.

6.5.5. Pre-operational tests

These comprise functional tests on individual subsystems, systems or groups of systems before fuel loading.

These tests are aimed at obtaining initial operational data of equipment, some base-line measurements for subsequent in-service inspection, ensuring the compatibility of operation with interfacing systems and verification of the functional performance of these systems with process fluid at (or within measuring range of) pressure and temperature (using non-nuclear heat, i.e. by reactor coolant pump heat in a PWR or PHWR or by a conventional boiler in a BWR).


6.5.5.1. Testing programme

Since I&C is used in nearly all systems of the nuclear power plant the test programmes have to be co-ordinated with the test schedules for the mechanical systems in many cases.

Simulations: For testing the performance of I&C systems the proper operating conditions should be simulated (as far as practicable).

Pre-operational tests of the reactor protection system: a very large number of test activities are involved. These tests should be done when most of the other systems are already tested and no further construction work, especially in the electronic region, is foreseen.

Non-nuclear warm test series: The considerable advantage of realistic test conditions for important systems operating at nominal temperatures and pressure (but with inactive coolant) can be gained from a non-nuclear warm test series with heat being generated by the reactor coolant pumps (PWR) or by a conventional boiler (BWR).

As regards I&C systems the warm test series should be used to concentrate on the following activities:

PWR:

— adjustment and performance tests of the reactor pressure control system and the relief valves
— adjustment and performance of the volume control system
— measurement of heat losses
— calibration of instrumentation.

BWR:

— performance tests of recirculation pump control
— adjustment and performance tests of the pressure relief valves
— calibration of instrumentation.

6.5.6. Initial start-up tests

This phase starts with fuel loading and ends with full power tests and hand-over of the plant. These tests are to confirm that the reactor is in a suitable condition to start up, that all systems and parameters are as expected. It will be shown step by step that the plant is capable of producing the full specified power and that the plant operates in accordance with design. Only I&C-related items are mentioned.

6.5.6.1. Prerequisites:

— the status of all systems required just prior to beginning fuel loading as specified
— completion of inspection of fuel assemblies, reactivity control devices and other absorbers
— nuclear start-up instrumentation properly calibrated and located, functionally checked
— the appropriate reactivity controls operable and in readiness for reactor shutdown by the insertion of negative reactivity
— the reactivity condition of the reactor core as specified
— fuel handling equipment checked
— the status of protection systems, interlocks, mode switch, alarms and radiation protection equipment verified to be as prescribed. The high flux trip points set for a relatively low power level for operable control rods during fuel loading and the alarm and trip setting of other protection set to low values
— radiation monitors, nuclear instrumentation, manual and automatic devices to actuate building evacuation alarm and ventilation control tested and verified to be operable
— approval by the regulatory body before fuel loading commences.

6.5.6.2. Testing programme: fuel loading to criticality

— control rod position indication, protective interlocks and circuitry
— reactor protection system: trip point, logic and operability of trip breakers and valves, and manual trip functions
— calibration and neutron response check of source range monitors. Calibration of intermediate-range neutron flux measuring instrumentation
— mechanical and electrical in-core monitors, including traversing in-core monitors, if installed

6.5.6.3. Testing programme: power ascension to hand-over

The tests are performed at various power levels; only I&C-related items are listed:

— verification of performance of major or principal plant control systems such as average temperature controller, automatic reactor control systems, integrated control system; pressurizer control system, reactor coolant flow control system, main-, auxiliary- and emergency-feedwater control systems; hotwell level control systems; steam pressure control systems; and reactor coolant make-up and let-down control systems.

— neutron and gamma radiation surveys

— determination that adequate overlap of source and intermediate-range neutron instrumentation exists

— dynamic plant response to the design load swings, including step ramp changes, and response to automatic control


— functioning of chemical and radiochemical control systems

— correctness of process and effluent radiation monitoring systems response

— evaluation of core performance: reactor power measurements, verification of calibration of flux and temperature instrumentation

— process computer: comparison of safety-related predicted values with measured values. Verify control room or process computer inputs from process variables, data print-outs, and validate performance calculations performed by the computer. Validate all computer safety functions

— turbine trip

— loss of off-site power

— the dynamic response of the plant to load rejections, including turbine trip

— the dynamic response of the plant for a simulated condition of loss of turbine-generator coincident with loss of off-site power

— the dynamic response of the plant in the case of automatic closure of all main steam line isolation valves. For PWRs the test may be made at a lower power level to demonstrate proper plant response to this transient

— dynamic response of the core and plant to fast load changes initiated by the load control

— capability of plant to control core xenon oscillations

— base-line data for reactor coolant system loose parts monitoring system

— effectiveness of reactor coolant leak detection systems

— operation of failed-fuel detection systems in accordance with predictions.

6.5.7. Special regulatory requirements during start-up

The entire phase of fuel loading, approach to criticality and low-power operation has to be governed by special regulations valid for that phase only.

There are stronger restrictions as well as special permission for test procedures not possible during normal operation.

‘Temporary instrumentation’ (usually additional neutron counting channels) is connected to the reactor protection systems during start-up.

Sometimes the logic criteria for reactor shutdown are made more ‘trip-happy’ (no majority voting of redundant channels).

Other special start-up regulations may be related to the stepwise calibration of power-measuring channels during approach to full power, where the final, absolute calibration is to be made. To compensate for this inaccuracy, regulatory requirements may demand correspondingly lower setting of the reactor power trip level.

The licensing for start-up should entail

— the pre-operational tests, followed by permission to load the core partially

— some special tests for partially loaded core

— permission to load the whole core to zero-power tests


— the zero-power tests, followed by

— tests planned for different power levels and transients, up to the allowed power, followed by

— permission for operation up to the next level of partial power load (power ascension tests).

6.5.7.1. Special tests

Some of the above-mentioned tests would satisfy contractual requirements. However, the following additional acceptance tests which have I&C involvement may also be performed:

— plant heat-rate tests

— plant availability tests

— computer systems availability tests.

6.5.7.2. Grid considerations

In relatively small grids, the performance of tests such as load-rejection from full power, etc., may require special consideration and planning; if the owner is not the utility then even more careful joint planning and discussions would be required.

In addition to the above, from the time the plant is synchronized to the grid, the plant output may vary considerably and the load dispatch centre of the utility has to be kept informed. The ‘visible’ phase of the plant will start with the synchronization of the plant to the grid, and the I&C engineers will need to interact more closely with their counterparts in the utility to ensure a positive acceptance of the nuclear plant. Communication links (carrier, VHF, etc.), if not already established between the plant and load dispatch centre, should be made before this testing starts.

6.5.7.3. Outstanding items

It may be very rare that at plant hand-over all the I&C equipment and systems are functioning as intended, and a number of deficiencies may exist. One of the major remaining jobs of the I&C commissioning or project engineer may be the preparation of clear and concise deficiency lists, their settlement and rectification.

6.5.8. Preparation by the owner for take-over and for commercial operation

A lot has been said earlier about the owner preparing for commercial operation, and the time has now come. The planning can be so well done that this taking-over may go practically unnoticed and the owner’s I&C engineers may already be in position, with functioning departments (as suggested in previous sections) to ensure a smooth transfer. Some owner considerations in the commissioning phase are mentioned below:

(1) A commissioning programme proposed by the vendor may merely comprise the checking of the installed equipment, and its operation against the vendor’s own standards and documentation, and preclude any testing or reviews which would reveal such design inadequacies or omissions as would affect the safety and availability of the plant during commercial operation. The commissioning programme should therefore include all such performance tests as are necessary to confirm that the plant is capable not only of operating safely during normal conditions, but also during abnormal operations and postulated equipment malfunctions.

(2) I&C representatives of the regulatory authority and the owner project organization should carry out reviews, and include in the commissioning programmes tests to ensure (1) above. The review role of the personnel of the regulatory authority and the project organization should be clearly spelled out in the contract. The main contractor would thus be able to incorporate this requirement of the owner into his schedule and also make available all the latest information, i.e. analyses, drawings, specifications, test results, etc., necessary and required by the representatives of the regulatory authority and the commissioning organization. Since this could be a country’s first nuclear power plant, the owner may not possess enough experienced personnel to carry out reviews, and to specify the tests to be performed. Independent consultants knowledgeable in the reactor type being constructed (and preferably from a country other than the vendor’s) may prove to be necessary for this activity. Here again, it is suggested that the responsibility for this work should rest on the shoulders of the owner’s engineers and not on the consultants, i.e. the consultants should act in an advisory capacity to each individual engineer responsible for reviews. This will help ensure that the owner’s engineers will become capable of carrying out reviews independently for their next plant.

(3) Instrumentation and control equipment and systems can be fully commissioned and tested only after the mechanical equipment and systems are installed and commissioned. At that stage there can be a tremendous pressure by the vendor (in his effort to meet contractual deadlines) to commission the control and instrumentation as quickly as possible, thus leaving very little scope for comprehensive performance testing and for the on-the-job ‘hands-on’ training of the owner’s personnel. Unless otherwise agreed to, the vendor, in order to meet contractual deadlines, may try to reduce the scope of commissioning tests or neglect the owner’s requirement to train and familiarize its personnel during this vital commissioning and start-up phase. Therefore, the owner’s requirement of on-the-job ‘hands-on’ training of its personnel during commissioning as well as the scope of the commissioning testing must be decided and agreed upon at the time of contract negotiation. The owner should be prepared to accept possible delays in plant synchronization in order to achieve the above objectives (viz. training and comprehensive testing) so vital for trouble-free commercial operation.

(4) A vendor may face considerable problems in commissioning those systems in which he has little prior experience and which are perhaps designed for the first time for the plant. One possible solution is for the owner to insist on the vendor supplying proven systems which have been demonstrated to work satisfactorily at similar plants. Due to the very rapid pace of technological development in electronics, this may not always be possible. Another approach suggested is that if a nuclear research centre exists within the country, the electronic R&D efforts at the centre could be oriented to provide support for such systems.

Some of these points may appear trite and redundant, and it may be argued that vendors, as a matter of course, take care of them in the design and commissioning phases. However, practices vary a lot between vendor countries and between vendors, and some owners may have to face considerations similar to the ones mentioned above.

6.5.9. Status of the I&C maintenance group at the time of plant hand-over

The following will be available:

— engineers, technicians and draftsmen with several years of installation, commissioning and maintenance experience, and with a thorough familiarity with their plant

— latest ‘as-built’ documentation for the plant with procedures set up for keeping them updated

— vendor maintenance manuals, and where these are inadequate supplementary maintenance manuals written by the I&C engineers

— an operational I&C document update and library section

— all tools and test equipment that are required to maintain the I&C equipment

— adequate spares at the component, circuit-board and subsystem (where necessary) level for (approximately) two years of plant operation

— records of calibration, switch settings, etc., of all devices

— equipment history cards with data of the past 3-4 years’ records of maintenance and repairs

— preventive maintenance (PM) schedules and procedure for performing PM

— a system for maintaining components and spare parts inventory, with a list of future spares and consumables required being in preparation

— training and re-training programme.


6.6. Operation and maintenance

The preparatory phases for the nuclear power plant are now all over and commercial operation is due to begin. If the country has been building the plant with the objective of maximum national participation, the necessary educational, technological and industrial infrastructures will have been established and be capable of providing long-term support to the plant.

Some inadequacies in the infrastructure may however become apparent during the early stages of plant operation and need to be supplemented with outside support. Furthermore, there may be some delays before the budget and foreign exchange allocations are available for purchase of spares, consumables, etc. It would therefore be desirable to enter into an agreement with the vendor country, for the first two to three years of plant operation, for financing of spare parts, training requirements and services.

I&C maintenance covers a host of activities designed to “support”9 an operating power plant; these are described below, as well as the various organizations and their I&C departments, who will work together to provide the I&C support (see Table VI in Section 4).

6.6.1. I&C maintenance department of the plant

The maintenance department of the plant is the front-line department for providing the day-to-day services. Since this guidebook is primarily addressed to I&C personnel, electrical equipment and systems maintenance has not been covered. There is a very close interrelationship of electrical maintenance with I&C. Some large utilities may have strong central electrical repair and maintenance departments which also provide maintenance services at the plant. In other cases the electrical and I&C maintenance is combined under one Electrical & Control (E&C) maintenance department, and this is the way it is depicted in Table VI. Working procedures can be considerably simplified if a combined E&C group exists, especially for shift coverage, where minimum I&C personnel would be needed to provide ‘first-line’ maintenance service.

The activities of the I&C maintenance department will comprise the following.

6.6.1.1. ‘First-line’ maintenance activities

These activities range from a control engineer reviewing, analysing and initiating corrective measures for anomalous behaviour of I&C equipment, at the one end, to relatively minor jobs such as setting right a poorly inking recorder or readjusting a limit switch.

9 The term “support” is meant to encompass all activities, at the plant or external to the plant and to the plant location, that will enable continued operation of the plant at peak safety and availability, throughout its lifetime.


As mentioned in Section 1, it is essential for an I&C engineer to develop a ‘feel’ for the process, and thus be able to spot potential trouble and not just wait for the operations engineer to report a fault. This he can do by reviewing equipment history sheets, records of failures and through preventive maintenance (see 6.6.1.2 below). Another immediate way (which complements the first) is by going to the control room, reading shift logs, looking at and analysing the print-outs and recorder charts, etc., and through discussions with the shift engineer.

The other major activity in this area is carrying out corrective maintenance, i.e. diagnosing or trouble-shooting, replacing faulty modules, recalibrating the equipment in situ and tuning the loop. This requires engineers and technicians possessing intimate familiarity with the overall control loop or control logic as well as an insight into the implications of de-energization or removal of a piece of equipment from service in terms of the safety and availability of the plant. The faulty modules or defective circuit-boards are then further trouble-shot in the shop (or, in the spare computer system, for defective computer boards) and repair done at the board level by component replacement. In most developing countries (and even in developed countries) the concept of ‘throw-away’ maintenance is a luxury that cannot be afforded. Modules or circuit-boards of modern computers using dense packaging (sometimes referred to as field replaceable units) are large and complex and cost in the $ 10 000 range, so board repair is a must. Keeping the mean time-to-repair (MTTR) as short as possible is especially important in systems which directly affect safety and plant availability. Considerable improvement in MTTR can be achieved if spare modules or spare subsystems are kept energized and calibrated ready to be put into service. The time to repair would then merely be that needed to localize the fault to a faulty module or subsystem and replace the unit with a ‘hot’ spare.

This method is particularly useful in the maintenance of on-line computer systems. A spare computer system (SCS) identical to the on-line computer system can provide:

(a) a source of tested spares, even sub-systems, e.g. replacement of disc drive

(b) a test-bed for trouble-shooting defective circuit-boards

(c) software development, debugging, assembly and compilation

(d) engineering, scientific computation, and even the data processing facilities of the plant.

In the case of plants where the on-line computers are employed for plant control, the SCS can also be interfaced with an analog computer, and with a mock-up of the reactor and turbine control consoles to provide a facility for the dynamic testing of the plant control under simulated plant conditions. For plants where the computers are used for data acquisition, analysis reduction and operator presentation, the SCS could be used for evaluating the man/machine interface under anomalous conditions.


A word of caution may be suggested in using the SCS for purposes other than for maintenance. The SCS should remain primarily a maintenance tool and additional functions should not impair its efficacy as an invaluable maintenance aid.

The subject of providing shift coverage, i.e. I&C ‘first-line’ maintenance round the clock, is debatable. Some organizations may just prefer to have their maintenance people on call and when a problem arises call the respective process instrumentation, neutron instrumentation or computer specialist. This may be a convenient or manpower-saving way, especially if a housing complex is adjacent to the plant (probably not so convenient for a control engineer who is called up at night). Other organizations, and this is recommended, require their shift engineer to be knowledgeable enough to supervise such maintenance and provide shift I&C coverage. An experienced senior technician, i.e. a foreman or supervisor, and two technicians are suggested as being adequate on each shift. This should not be a permanent assignment and shift maintenance staff should be rotated through the normal day coverage so that they do not lose touch with their specialization.

6.6.1.2. Preventive maintenance (PM) activities

The planning and implementation of preventive maintenance is one of the primary tasks of the I&C engineers. The planning itself is a dynamic activity where the range and extent of PM is under constant review based on actual experience, and the period between preventive maintenance operations on a device can be modified. Experience may even indicate that PM on that device is not required. Some preventive maintenance is done during normal operation; some is performed during plant shutdowns, scheduled or unscheduled.

During the commissioning phase, the I&C engineers should prepare and implement a plan for preventive maintenance. This is a job of gigantic magnitude where each device and control loop is reviewed along with the manufacturer’s recommendation and procedures prepared for carrying out this preventive maintenance. The plan and procedures for maintenance on safety-related I&C systems and those I&C systems important to safety will need to be reviewed by the plant management and the regulatory authority.

The capability of the I&C personnel

Obviously PM would only be useful if the device or system being maintained is in a better shape after maintenance, and no new faults introduced by PM.

The commitment of the management

This is important since a risk (maybe small) is involved, of causing a plant incapability (outage or derating) while performing PM.

These two factors are interrelated and if absent, the PM system can fall into disuse, and result in more breakdown or emergency maintenance.


6.6.1.3. Shop calibration, repair and maintenance (and salvage)

As mentioned earlier, repair aspects may be of great importance in a developing (or non-vendor) country embarking on a nuclear power programme. Repair of instruments requires a high degree of knowledge and skill in electronics. Also, electromechanical skills are required in repair and adjustment of pneumatic instruments and devices such as teletypes, disc drives, etc. Over the years many unserviceable instruments may tend to accumulate and here good, skilled craftsmen-cum-technicians can manage to salvage a lot of this equipment. It is therefore very desirable to have a few craftsmen with these capabilities. Most of this work is performed in the I&C shop on a workbench and requires different skills and temperament to those of first-line maintenance staff.

The instrument shop also carries out most of the calibration work on the instruments, and should also possess and carefully maintain the test equipment (standard) against which precise calibration can be made not only of the field devices but also for the calibration instruments used for field calibration.

6.6.1.4. Maintenance of equipment history and evaluation

Starting from the time that the I&C equipment is installed, the I&C maintenance department should maintain a file on each device. This history file would have a record of all calibrations performed, the preventive maintenance carried out and the repairs done, including parts replaced. These history files will then build up an invaluable database for the following:

(a) diagnosing of faults, i.e. similar faults may have occurred earlier

(b) determining the interval and extent of preventive maintenance necessary

(c) evaluating the behaviour of devices of a particular make and manufacture as an input to be fed into future plants or even for this plant, if modification or replacement of a frequently malfunctioning device is required

(d) failure rates, which would be an essential input for any safety, reliability or availability analysis

(e) evaluating the future spare parts requirement

(f) evaluating the effectiveness of preventive maintenance.

The I&C engineers and technicians, while filling out details of maintenance carried out, should try to give as much description as possible, clearly documenting the failure symptoms and the repairs carried out, e.g. just simply writing “pressure control not working” and “control repaired, now ok” will not serve any purpose. It is the responsibility of the I&C manager to ensure that the equipment history files are properly documented and maintained.
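The uses of the history file listed above, (c) to (f), can be computed directly once the entries are kept in a structured form; the following is an added example, not part of the guidebook. The record layout, device tags, makes, the six-word threshold for flagging terse entries and the 30-day post-PM window are all assumptions, and the sample data is constructed.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Entry:
    """One line of a device history file (hypothetical layout)."""
    tag: str               # device tag, constructed for this example
    make: str              # make/manufacture of the device
    day: date
    kind: str              # "calibration", "pm" or "repair"
    symptom: str = ""
    action: str = ""
    parts: tuple = ()      # parts replaced during a repair
    repair_hours: float = 0.0


# Constructed sample data: installation dates and history entries.
INSTALLED = {"PT-101": ("MakeA", date(1980, 1, 1)),
             "PT-102": ("MakeA", date(1980, 1, 1)),
             "LT-201": ("MakeB", date(1982, 1, 1))}
AS_OF = date(1983, 1, 1)
HISTORY = [
    Entry("PT-101", "MakeA", date(1981, 3, 10), "repair",
          "output drifts high by 2% of span after warm-up, zero stable",
          "replaced feedback amplifier on board A2, recalibrated 5 points",
          ("amplifier",), 6.0),
    Entry("PT-101", "MakeA", date(1982, 6, 1), "pm"),
    Entry("PT-101", "MakeA", date(1982, 6, 9), "repair",
          "pressure control not working", "control repaired, now ok", (), 2.0),
    Entry("PT-102", "MakeA", date(1982, 9, 20), "repair",
          "output stuck at 4 mA, loop supply measured normal at terminals",
          "replaced output transistor and fuse F1, loop check satisfactory",
          ("transistor", "fuse"), 4.0),
    Entry("LT-201", "MakeB", date(1982, 2, 2), "calibration"),
    Entry("LT-201", "MakeB", date(1982, 11, 5), "repair",
          "intermittent low-level alarm, traced to corroded connector J3",
          "cleaned and re-terminated connector J3, alarm setpoint verified",
          ("connector",), 3.0),
]


def repairs(history):
    return [e for e in history if e.kind == "repair"]


def failure_rate_by_make(history, installed, as_of):
    """Failures per device-year for each make: uses (c) and (d)."""
    years = defaultdict(float)
    for make, since in installed.values():
        years[make] += (as_of - since).days / 365.25
    fails = Counter(e.make for e in repairs(history))
    return {m: fails[m] / y for m, y in years.items() if y > 0}


def mttr_by_make(history):
    """Mean time-to-repair in hours for each make."""
    hours = defaultdict(list)
    for e in repairs(history):
        hours[e.make].append(e.repair_hours)
    return {m: sum(h) / len(h) for m, h in hours.items()}


def parts_consumed(history):
    """Parts replaced so far, an input to the spares estimate: use (e)."""
    return Counter(p for e in repairs(history) for p in e.parts)


def vague_entries(history, min_words=6):
    """Repair entries too terse to help a later diagnosis (heuristic)."""
    return [e for e in repairs(history)
            if len(e.symptom.split()) < min_words
            or len(e.action.split()) < min_words]


def repairs_soon_after_pm(history, window_days=30):
    """Repairs within window_days of PM on the same device: use (f)."""
    last_pm, hits = {}, []
    for e in sorted(history, key=lambda e: e.day):
        if e.kind == "pm":
            last_pm[e.tag] = e.day
        elif e.kind == "repair" and e.tag in last_pm:
            gap = (e.day - last_pm[e.tag]).days
            if gap <= window_days:
                hits.append((e.tag, gap))
    return hits


if __name__ == "__main__":
    print(failure_rate_by_make(HISTORY, INSTALLED, AS_OF))
    print(mttr_by_make(HISTORY))
    print(parts_consumed(HISTORY))
    print([(e.tag, e.day.isoformat()) for e in vague_entries(HISTORY)])
    print(repairs_soon_after_pm(HISTORY))
```

A repair that follows closely on PM is only a prompt for review, since the guidebook's concern is that PM should not introduce new faults; the window and the word threshold should be tuned to the plant's own records.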


6.6.1.5. Documentation

The I&C maintenance department of the plant is also responsible for maintaining and updating the documentation relating to the I&C equipment and systems. This comprises:

(a) System design specifications. These may need to be revised in the event of a design change which alters the system design performance or design criteria.

(b) Equipment design specification. Some changes may affect only the equipment and not the system intent and only the equipment design specification may need to be updated.

(c) Drawings comprising installation drawings, wiring diagrams, schematics, cable and wiring lists, etc.

(d) Computer software listings.

It is vital that all this documentation be kept updated and be available to the work force. Any change must be carefully reflected in all the documentation so that no contradictions exist in it.

In some plants the updating function is performed by the technical support group (section 6.6.3).

6.6.1.6. Materials management

Last but by no means least important is the responsibility of materials management, i.e. specifying spare parts that will be required to keep the I&C equipment operational, inspecting them when they arrive and subsequently at regular intervals and ensuring their proper storage.

6.6.2. I&C training

Training is a continuing activity in a nuclear power programme. It should not merely be considered the preserve of the training centre alone, and I&C specialists in the maintenance and technical departments of the plant, the regulatory authority, etc., must participate. The I&C engineers of the plant who participated in the installation and commissioning must, as a first priority, start training their replacements. Failure to do this may either consign the I&C specialist to a prolonged stay in the plant or, in the event that he is able to leave, result in a vacuum that may not be easily filled. A suggestion given earlier that all professionals should be required to spend (say) one semester every two to three years teaching is one way to ensure an information transfer.

Foremen or senior technicians who participated during commissioning and early operation may make excellent instructors especially if cadre advancement opportunities are also offered (e.g. promotion to officer cadre to compensate for loss of overtime, etc.), as well as opportunities for specialized training in teaching methods (at an established training centre abroad).

If this interaction between training centre and plant is not maintained, the training activity at the centre will tend to become less and less relevant to the operating plant and its usefulness will be drastically curtailed. It is therefore up to the plant management to spare its best and most experienced engineers for teaching, even if it means inconvenience at the plant.

6.6.3. Technical support: plant performance analysis and modifications

The I&C maintenance department provides all the day-to-day support for the plant. It is however also necessary that this be complemented by a group responsible for providing long-term technical support. The activities of the I&C technical support group can consist of:

(1) Performance reviews of the I&C equipment and systems and their impact on the availability of the plant. Some utilities have established the practice of setting up Reliability and Maintainability (R&M) targets for each plant system (the sum of which would be the target plant availability), and then the performance of each system can be adjusted against these targets and improvements or modification suggested on this basis.

(2) Initiate design changes, carry out the engineering of design improvements and provide support to the maintenance department in their implementation.

(3) Carry out design studies to evaluate the impact of major conceptual changes (if required) in the plant operation, and if found necessary and beneficial, carry out the development work to implement such changes.

(4) Initiate, develop or participate in development of systems and programmes to ensure that plant integrity is maintained. This could include development of programmes for periodic in-service inspection of nuclear power plant components, techniques for carrying out such inspection, carrying out design analysis on I&C systems and the I&C of process systems to detect and rectify possible design deficiencies.

Due to the rapid technological advances in electronic equipment and systems, it is generally recognized that the I&C of a plant may require major replacement, to combat (for example) obsolescence. The requirement for improvements and ease in operator communications may be another factor leading to I&C changes. The I&C technical support group must therefore be technically capable of coping with change, not for the sake of change but because of the necessity to keep the plant operating efficiently.


7. SPECIAL TOPICS

Some major I&C-related issues that face nuclear power plants are:

(1) Difficulties in lifetime support for existing I&C equipment and systems. The I&C equipment of a nuclear power plant will most likely have to be replaced or upgraded once if not twice in the plant’s lifetime. This has been experienced in some vendor countries, and factors that contribute are:

(a) the fast pace of technological development in electronics results in rapid obsolescence of I&C equipment, thus resulting in difficulty in supporting the installed equipment, e.g.

— spare parts prices may become exorbitantly high, making it more economical to replace items with a cheaper, more efficient functional equivalent. A typical example of this is the magnetic drum memories supplied with earlier computer systems. The drastic decrease in the cost of bulk memories makes replacement of drum memory with a present-day disc memory much cheaper than refurbishing the drum surface recommended every five years.

— the equipment may no longer be manufactured and spares and technical expertise may just not be available!

(b) backfitting requirements arising as a result of major improvements that must be incorporated, changes in operating environment (e.g. effect of grid requirements on plant, the extent of automation required, etc.) or regulatory requirements. Incidents, some major, some minor, also pinpoint the need for better or more comprehensive instrumentation.

(2) The man/machine interface needs considerable improvement. Control room complexes are undergoing evolution, and strategies are being developed to present the control room operator with clear, unambiguous information at all times. The earlier control rooms were modelled on those in fossil-fuelled power plants. Present-day nuclear power plants, with a much greater emphasis on safety, and the need to mitigate the effect of untoward incidents, require a control room (and thus information presentation) different from those of earlier nuclear power plants.

(3) The use of digital computers in nuclear power plants is on the increase and this will have considerable impact on the operation and maintenance of plants, and their licensing. Computer-based protection systems are being introduced and more countries may see the use of computers for plant control. One aspect of the increasing use of computers is that they are much affected by the fast technological development and may well be obsolete by the time the plant goes into operation. Computer systems software and hardware design must cater for obsolescence and the possibility of replacement.

The I&C specialists of countries embarking on a nuclear power programme will need to examine these issues in the light of their own experience and national environment and evolve solutions to cope with these issues. Some topics that relate to these issues are discussed in this section.

7.1. Spare parts inventory

An adequate spare parts inventory, at sub-assembly, module and component level, is almost indispensable for efficient maintenance of I&C equipment and systems and for staving off obsolescence. It can take several man-years’ effort to evaluate, specify and build up an adequate, yet not lavish, spares inventory. The plant vendors, operating in a technologically developed environment where spares are not such a critical issue, may underestimate the requirement for a plant being installed in a non-vendor country or alternatively suggest service or contract maintenance as an answer. This is one area where the I&C engineers of the owner must themselves take the initiative and carry out the planning, keeping in mind their national infrastructure. The following points may be worth considering in this connection.

(1) Vendors generally tend to specify expensive complete assemblies, thus rapidly consuming the money budgeted for spares, and few or no component spares are ordered.

(2) Spares should be ordered keeping in mind:

(a) the remoteness from the service facilities of the I&C manufacturers

(b) the extreme difficulty in returning any defective equipment to the manufacturer for repairs

(c) the fact that ‘throw-away’ maintenance is not feasible for a developing country and

(d) that component spares may not be available within the country, thus necessitating these to be ordered from abroad.

(3) Spare assemblies and modules should preferably be ordered only for critical systems where down-time has to be kept to a minimum, and where necessary for imparting skills training in the in-house facility. These assemblies and modules should be kept energized and calibrated (and not just stored on the shelf) and their operation tested periodically. Enough component spares should be available to repair these spare assemblies and modules.

(4) It will be simpler and more economical if spares are ordered along with the equipment.

(5) In order to avoid duplication in stocking at the component level, considerable effort could be required by both the vendor and the owner in preparing a consolidated list of components which are common to more than one piece of equipment. It should be ensured that the manufacturer of I&C equipment provides a list of components used in his equipment by generic name and not simply by the manufacturing part number, and as far as possible he should provide data sheets for the components.

(6) If the exercise mentioned in point (5) is carried out, then it would be possible to purchase component spares from component manufacturers or general-purpose suppliers at a fraction of the cost charged by the I&C equipment manufacturers. The I&C equipment manufacturers are generally agreeable to such an arrangement, since it is very troublesome for them to stock and supply, say, half a dozen components of each type. However, care should be taken that the components ordered from general-purpose suppliers meet the reliability standards for a nuclear power plant.

(7) It may be noted that the spares requirements for the initial two to three years of operation may well be as high as 25% of the value of the equipment.

(8) For those critical items of plant equipment which affect the safety and availability of the plant, the spares inventory would need to be built up at component, circuit-board, and module as well as system level.

7.2. Spare computer system (SCS)

A rather special case of spares inventory is the acquisition of a spare computer system identical to the plant on-line performance monitoring computers (or control computers for plants where computers are used for direct digital control). Primarily intended for spares, the SCS can also serve as a design and development and training tool. It can thus serve:

(1) As a source of tested spare circuit-boards and modules. Once the fault on the plant on-line computers has been localized to the board or module, the defective board can be replaced with a ‘hot’ spare from the SCS, thus greatly reducing the repair time.

(2) As a test-bed for trouble-shooting and repairing defective boards. The SCS can be used to trouble-shoot the defective boards, repairing them and checking them for correct operation. Using special programs the repaired board can be cycled many times in a short period of time to ensure its integrity.

(3) For software development. The SCS can be used for developing and debugging application software. Analog and digital check-out panels can be interfaced with the SCS to provide a process input/output capability, to generate interrupts, etc., to enable a thorough check-out of the application software for the plant on-line computers. An off-line data link can enable the tested software to be transferred to the on-line computers.

(4) As an excellent tool for training in computer systems hardware and software. Maintenance engineers, especially those relatively inexperienced, get little opportunity for maintenance training on the on-line computers. An excellent training facility can be built around the SCS, for training of engineers and technicians in computer maintenance.

(5) As a computational tool for plant-based scientific and engineering computation.

(6) As a D&D tool. The SCS can be integrated with an analog computer and a duplicate of the control room information system and the plant control consoles (where computers are used for control) and thus become the nucleus of a D&D simulator (see Section 13.4). Mathematical models developed for the plant systems and incorporated in the SCS analog computer complex can enable performance analysis of the plant dynamics and thereby serve as a training and D&D tool for control engineers, experienced shift managers and safety personnel.

7.3. Need for design know-how

In order to provide effective technical support to the plant over its lifetime, the I&C engineers must know not only the hardware details of their plants, but also have an in-depth knowledge of the I&C equipment, systems design and of the design intent. Some of this can be acquired from information analyses, design reports, etc., supplied by the vendor, but for the most part this knowledge has to be built up from sheer experience, and participation by actually doing and not simply looking on. As mentioned in earlier sections, there is therefore an imperative need for a participative approach in project design engineering, installation and commissioning.

However, once the plant goes into operation, there is a gradual decoupling of the transfer of knowledge from the main supplier to the owner. The owner/utility may have an active programme of building several nuclear power plants, the participation in which can keep the owners’ engineers ‘operational’. Even in this case a certain national design and development infrastructure is required where I&C engineers can evolve and stay prepared for the long-term technical support activities for their power plant. As suggested in Section 4, Manpower Development, there may be considerable advantages in building this I&C design and development infrastructure at the in-house training centre.

One method suggested for building up an I&C design development infrastructure is the establishment of a D&D performance analysis simulator (or simulation centre).

7.4. D&D simulator

A D&D simulator, as opposed to a full-scope NPPTS, or possibly as an adjunct, will primarily be a tool for

(1) comprehension of control systems

(2) nuclear power plant performance analysis, especially plant response to accident conditions

(3) evolving an improved man/machine interface

(4) safety studies and training of safety reviewers

(5) studying the effect of any proposed design changes prior to their implementation in the plant — basically a tool that will evolve with changing needs and serve as a bridge to the next plant(s), i.e. not only provide support for the existing plant, but for the owner; serve to bridge the gap, which may be rather long, between the first plant and the next, and increase the scope of national participation in future plants.

A D&D simulator may be designed to be an adjunct to a full-scope NPPTS and comprise

(1) a high-speed computer complex capable of running more detailed¹⁰ real-time system models of the plant which would enable study of the system dynamic behaviour under postulated accident conditions

(2) a flexible information presentation system which enables studies of the man/machine interface

(3) provisions for accessing process input/output variables of the plant, to allow the simulation models to be updated to represent actual plant behaviour

(4) an analog computer for control engineering work, i.e. development of transfer functions and for initial model development work

(5) a shared global memory with the full-scope NPPTS to allow transfer of system models developed on the D&D simulator to the NPPTS and enable their testing in the overall plant simulation.

The D&D simulator could then allow a study of the issues raised earlier in this section and thus come up with design of I&C systems that are more adaptable to change and can combat obsolescence. Some typical functions that can be envisaged for the D&D simulator are:

(1) Overall systems design and analysis such as studies of plant response to various sequences of events, their likely outcome, including evaluation of stacking of malfunction sequences¹¹ and the development of operating procedures for corrective actions applicable to different accident scenarios.

(2) To develop improved models for the NPPTS.

(3) To assist in tuning of the control loops of the plant during the commissioning phase and in subsequent plant operation.

(4) To evaluate design changes, assess their impact on plant behaviour and enable a demonstration to the safety reviewers and operating personnel prior to implementation in the plant.

(5) Various abnormal transients or abnormal occurrences could be simulated and the performance of the protection systems in meeting the design objectives evaluated.

(6) Simulating hardware, function, or system failures, and evaluating their effect on plant performance.

(7) Detailed system design and analysis of plant components.

(8) Enable study of feedback received from the operating plant, from unusual occurrence reports, etc., and evaluate recommendations contained therein.

¹⁰ That is, more detailed than the models incorporated in the full-scope NPPTS.
¹¹ American National Standard ANSI 3.5-1981 para 3.4.2.

The D&D simulator can form an indispensable tool not only for I&C engineers but for professionals connected with the power programme either in its operation, project engineering design or with the safety regulatory body.

Appendix

BIBLIOGRAPHY AND GENERAL READING

A. IAEA PUBLICATIONS - GENERAL

ROSEN, M., The critical issue of nuclear power plant safety in developing countries, IAEA Bulletin 19 2 (1977).
ROSEN, M., “Upgrading the safety assessment of exported nuclear power plants”, Problems Associated with the Export of Nuclear Power Plants (Proc. Symp. Vienna, 1978), IAEA, Vienna (1978).
SAGANE, R., “Some remarks and advice to purchasers derived from ten years experience in Japan with reference to the characteristics of the nuclear power plant business”, Proc. IAEA Study Group Meeting, Manila, October 1966.
Steps to Nuclear Power: a Guidebook, Technical Reports Series No. 164 (1975).
Economic Evaluation of Bids for Nuclear Power Plants: a Guidebook, Technical Reports Series No. 175 (1976).
Manpower Development for Nuclear Power: a Guidebook, Technical Reports Series No. 200 (1980).
Introduction to Nuclear Power: a Guidebook (in preparation).

B. SYMPOSIA

Nuclear Power Plant Control and Instrumentation 1973 (Proc. Symp. Prague, 1973), IAEA, Vienna (1973).
Nuclear Power Plant Control and Instrumentation 1978 (Proc. Symp. Cannes, 1978), 2 volumes, IAEA, Vienna (1978).

C. SPECIALISTS’ MEETINGS
(International Working Group on Nuclear Power Plant Control and Instrumentation — IWG-NPPCI)

Experience in the Use of Computers in the Operation of Nuclear Power Plants (Brussels, Oct. 1971).
Installation and Commissioning Problems in the Instrumentation of Nuclear Power Plants (Winfrith, Jan. 1972).
Analysis of Measurements to Diagnose Potential Failures (Rome, April 1972).
Reliability Analysis to Control and Instrumentation Systems (Oslo, Nov. 1972).
Non-nuclear Measurements Associated with Vital Functions of the Nuclear Boiler Monitoring and Control System (St. Laurent-des-Eaux, June 1973).
Reactor Protection Systems (Cologne, Oct. 1973).
In-core Instrumentation and Failed Fuel Detection and Location (Toronto, May 1974).
Spatial Control Problems (Studsvik, Oct. 1974).
Nuclear Power Plant Control Room Design (San Francisco, July 1975).
The Core and the Primary Circuit Instrumentation for LMFB Reactors (Risley, Jan. 1976).
Use of Computers for Protection Systems and Automatic Control (Neuherberg, May 1976).
Simulators for Training Nuclear Power Plant Operators and Technical Staff (Studsvik, Oct. 1976).
Nuclear Power Plant Control Problems Associated with Load Following and Network Transients (Cadarache, Jan. 1977).
Software Reliability for Computerized Control & Safety Systems in Nuclear Power Plants (Pittsburgh, July 1977).
The Effect of Regulatory Requirements on Nuclear Power Plant Control and Instrumentation Systems (Madrid, Oct. 1977).
Design of NPPCI Electronic Equipment to Achieve Electromagnetic Compatibility (EMC), (Winfrith, Feb. 1978).
Power Supply Arrangements for Nuclear Power Plants (Stockholm, Sep. 1978).
Control System Commissioning and Dynamic Model Validation (Harrogate, June 1979).
Experience from Quality Assurance and Control of NPPCI Systems (Vienna, Sep. 1979).
Procedures and Systems for Assisting an Operator During Normal and Anomalous Nuclear Power Plant Operation Situations (Munich, Dec. 1979).
Sodium Flow Measurements in Large LMFBR Pipes (FRG, Feb. 1980).
Distributed Systems for Nuclear Power Plants (Chalk River, May 1980).
Acquisition of I&C Technology for Countries Embarking on a Nuclear Power Programme (Madrid, Nov. 1981).

D. IAEA SAFETY SERIES

Design for Safety of Nuclear Power Plants: a Code of Practice, IAEA Safety Series No. 50-C-D, IAEA, Vienna (1978).
Safety Functions and Component Classification for BWR, PWR and PTR: a Safety Guide, IAEA Safety Series No. 50-SG-D1 (1979).
Fire Protection in Nuclear Power Plants: a Safety Guide, IAEA Safety Series No. 50-SG-D2 (1979).
Protection System and Related Features in Nuclear Power Plants: a Safety Guide, IAEA Safety Series No. 50-SG-D3 (1980).
Protection Against Internally Generated Missiles and Their Secondary Effects in Nuclear Power Plants: a Safety Guide, IAEA Safety Series No. 50-SG-D4 (1980).
External Man-induced Events in Relation to Nuclear Power Plant Design: a Safety Guide, IAEA Safety Series No. 50-SG-D5 (1982).
Ultimate Heat Sink and Directly Associated Heat Transport Systems for Nuclear Power Plants: a Safety Guide, IAEA Safety Series No. 50-SG-D6 (1981).
Emergency Power Systems at Nuclear Power Plants: a Safety Guide, IAEA Safety Series No. 50-SG-D7 (1982).
Safety-related Instrumentation and Control Systems for Nuclear Power Plants: a Safety Guide, IAEA Safety Series No. 50-SG-D8 (in preparation).
Design Aspects of Radiation Protection for Nuclear Power Plants: a Safety Guide, IAEA Safety Series No. 50-SG-D9 (in preparation).
Fuel Handling and Storage Systems in Nuclear Power Plants: a Safety Guide, IAEA Safety Series No. 50-SG-D10 (in preparation).
General Design Safety Principles for Nuclear Power Plants: a Safety Guide, IAEA Safety Series No. 50-SG-D11 (in preparation).
Design of the Reactor Containment Systems in Nuclear Power Plants: a Safety Guide, IAEA Safety Series No. 50-SG-D12 (in preparation).
Reactor Cooling Systems in Nuclear Power Plants: a Safety Guide, IAEA Safety Series No. 50-SG-D13 (in preparation).
Design for Reactor Core Safety in Nuclear Power Plants: a Safety Guide, IAEA Safety Series No. 50-SG-D14 (in preparation).

E. AMERICAN NATIONAL STANDARDS INSTITUTE (ANSI) and NUCLEAR REGULATORY COMMISSION (NRC)

Nuclear Power Plant Simulators for Use in Operator Training, American National Standard ANSI/ANS-3.5-1981, American Nuclear Society (1981).
Licensed Operating Reactors (the Gray Book), Nuclear Regulatory Commission Rep. NUREG-0020. Appears monthly.

F. INSTITUTE OF ELECTRICAL AND ELECTRONICS ENGINEERS (IEEE)

Nuclear IEEE Standards, 2 volumes, IEEE, New York (1978).

G. OTHER READING

Nuclear Power Experience. Multi-volume, updated regularly; BWR and PWR (separate books). Section IX deals with Instrumentation and Control. Petroleum Information Corporation, Denver.
HARRER, J.M., BECKERLEY, J.G., Nuclear Power Reactor Instrumentation System Handbook, 2 volumes, US Atomic Energy Commission, TID-25952-P1 and P2, USAEC Technical Information Centre, Springfield, VA (1973).
HARRER, J.M., Nuclear Reactor Control Engineering, Van Nostrand (1963).
SCHULTZ, M.A., Control of Nuclear Reactors and Power Plants, McGraw Hill (1961).
WEBER, T.W., An Introduction to Process Dynamics and Control, Wiley (1973).

PART II

OUTLINE OF CURRENT WATER REACTOR INSTRUMENTATION AND CONTROL

8. DESIGN CONCEPTS OF INSTRUMENTATION AND CONTROL FOR CURRENT WATER REACTOR NUCLEAR POWER PLANTS

8.1. General aspects

8.1.1. Design philosophies

The basic objective of current nuclear power plant operation is the production of electrical power under optimum economic conditions, with the absolute necessity of ensuring safety to the public and the operating staff while keeping harmful effects to the environment below an acceptable level. This entails avoidance of pollution as well as the safe containment of radioactive material under normal and abnormal operating conditions.

These two main objectives — power production and safety — which are common to all nuclear power plants, determine the requirements for I&C systems.

From this common starting point various control philosophies have evolved, resulting in different system structures realized by different designers at different times.

For example, some early concepts favoured a single global plant I&C system, fulfilling functions important for safety as well as operational tasks. Stated benefits of this approach included savings in the amount of instrumentation and continual use of safety-related equipment (in contrast to stand-by safety systems). However, regulatory requirements as well as new trends in design have preferred the concept of independence of protection systems and operation systems. Each of them can be optimized independently for its specific purpose. The safety system has full priority and overrides the other systems. This concept of two clearly separated categories of I&C systems within the plant is at present widely accepted.

In contrast to this binary (‘black and white’) classification of equipment and functions, other philosophies have evolved, stressing the safety aspect of all I&C systems, however, graded by various degrees of importance (i.e. various shades of ‘grey’). The benefit of such ‘grey’ systems is seen in increasing the plant availability by avoiding unnecessary actuation of the safety system.

All these trends and philosophies are naturally closely related to the regulatory environment of the designer. The basic principles underlying a certain instrumentation and control design are not always obvious from the structure of the system or its written description.

The annex to Part 2 illustrates the approach of some of today’s PWR, BWR and PHWR nuclear power plant manufacturers.

8.1.2. Definitions and terminology

Unfortunately the definitions and the terminology in the field of I&C are not always fully consistent.

I&C Systems Important to Safety
  I&C Safety Systems
    Protection System, e.g.
      - Reactor trip I&C
      - Initiation of emergency core cooling
      - etc.
    Safety Actuation Systems, e.g.
      - Actuation of reactor trip systems
      - Actuation of emergency core cooling
      - etc.
    Safety System Support Features, e.g.
      - Emergency power
      - Safety-related equipment lubrication
      - etc.
  Safety-Related I&C Systems, e.g.
    - Limitation systems
    - Radiation monitoring system
    - Fire detection I&C
    - etc.
Non-Safety I&C Systems, e.g.
  - Power regulating system
  - Primary coolant system flow I&C
  - Primary coolant system pressure I&C
  - etc.

FIG. 9. Instrument and control systems.

For example, the term ‘reactor protection system’ is sometimes used to designate only the group of equipment initiating reactor shutdown. Other terms used are safety system, reactor trip system, shutdown system, etc. According to IAEA Safety Guide 50-SG-D3, however, the protection system “encompasses all electrical and mechanical devices and circuitry, from sensors to actuation device input terminals involved in generating the necessary signals associated with the protective function”, thus including commands for reactor shutdown, but also containment isolation, emergency core cooling, etc. This publication in general follows the definitions given in the IAEA Safety Guides (see References).

Figure 9 shows the relationship between the different parts of I&C systems as defined in these documents.

8.1.3. Main structures

A wide variety of different structures and hierarchies of I&C systems exists. Figure 10 may serve to illustrate some of the main features typical for I&C systems. The diagram shows in horizontal sections the hierarchical levels:

— Plant control level. This is the highest ranking section of I&C, usually situated in (or close to) the control room. Functions concerning the overall plant performance and mode of operation are controlled and monitored at this level (e.g. unit control distributes and co-ordinates signals to control subsystems according to external power demand).

FIG. 10. Structure of I&C in a nuclear power plant.

— System control level. Various control systems (open or closed loop) are used to keep all process variables within normal operating values. These systems are subject to intervention from protection or limitation systems if preset limits are exceeded.

— Component control level. At this lowest level only relatively simple logic functions and interlocks are performed, usually in connection with the actuation of single components (starting pumps, motors, etc.).

In the vertical direction the left side of Fig. 10 shows how information and actions of different priority, such as manual control, protection, limitation and other signals, are transmitted to the plant. On the right side, the figure shows how measured information about the process is picked up by the various sensors and flows back to system control level and plant control level. Process signals may of course also be used to initiate simple interlocks and actuations at the component level; they are not shown in the diagram.

Before transmission, the sensor signals are usually converted to standard signal levels (e.g. 4-20 mA, 0-10 V, etc.). For remote transmission of signals the 4-20 mA current signal is more common because of its higher noise immunity. The voltage signals such as 0-10 V are generally used within the control room for recorders and indicators.

8.2. Control equipment

In principle, control equipment design follows the general trends as indicated in Sections 8.3 and 8.4. Classic electromechanical devices are tending to be replaced by semiconductor components and integrated circuits. Equipment of this type is usually less expensive, more compact and well suited for a higher degree of automation.

Trends seem to be moving towards an increasing amount of programmable logic to replace hardwired equipment.

8.2.1. Switching logic and on-off open-loop control

For the major part of power plant control two-state signals (like on-off, open-closed, etc.) are used for

— switching logic
— remote control (actuation of active components, etc.)
— step-by-step processes
— interlocking
— status monitoring.

In modern plants, the switching logic is increasingly based on electronics instead of relays.

Some suppliers offer a few standard electronic modules that can be used for a great variety of control applications.

8.2.2. Open- and closed-loop control for continuous process variables

In a nuclear power plant the number of process variables to be controlled is similar to that in a fossil-fuelled power plant, but redundancy may be applied to a higher degree for safety and reliability reasons. Special precautions are necessary to allow interaction between parallel closed loops.

In some cases computers play a part in control (Section 8.4).

8.2.3. Control components

Some conventional control devices are listed here. Computerized control systems are mentioned in Section 8.4.

The controllers and other electronic devices offered by different vendors are usually identical with equipment for conventional power plants. They vary with respect to signal voltage, supply voltage, combining and governing possibilities, testability, etc.

They include:

— controllers with continuous output (proportional control possibly combined with reset and/or rate action)

— controllers with discontinuous output (usually in connection with an integrating final control element)

— summing or inverting amplifiers

— minimum or maximum selecting devices and other nonlinear devices

— logic units, memories, time-delay units

— limit value monitors.

In most systems of a nuclear power plant the final control elements correspond to those of conventional power plants; some of them have special requirements in the nuclear field (e.g. fast-acting, zero-leakage valves).

Examples of such final control elements are:

— hydraulically actuated valve systems, driven by nonflammable liquid
— valves driven by pressurized water
— process-fluid operated valves
— variable-speed fluid couplings
— synchronous or asynchronous motors with power supplies from frequency converters
— pneumatically actuated valves.

Special nuclear control devices are:

— control rod drive mechanisms
— devices for feeding and bleeding borated water.

These final control elements perform their function as parts of complex control systems.

8.3. Automation

The term automation is applied here to indicate the transfer of actions and decisions from the human operator to process control equipment.

For clarity it should be stated that the level of automation is not necessarily coupled to the degree of computer application for control. Hardwired analog circuits may well perform all complex control modes, although the general trend is directed towards increasing use of digital hardware. Combining conventional control equipment with a process computer leads in many cases to flexible hierarchical systems.

Simple control systems using simple structures undoubtedly have their merits in operation and maintenance, but they may require some overdesign of plant systems and components to achieve adequate margins in component ratings.

In general, automating a nuclear power plant to a very high degree, i.e. largely eliminating the necessity of human intervention under normal conditions (and even in short-term abnormal situations) improves overall reliability of operation. The large number of individual control actions can be significantly reduced by applying function control at system level rather than control on the component level (e.g. start of feedwater system instead of opening valves, starting pumps, etc.).

On the other hand, experience from plant operation seems to indicate that the degree of automation in the realm of non-safety-related systems should not go beyond a certain level. For the sake of flexibility and ease of operation, only frequently used, complex functions should be automated.

It is considered undesirable to have, for example, automatic turbine start-up in a base-load power plant. Some utilities, however, express the opposite opinion: especially those systems which are not often used will benefit from automation, because operators have little chance to get used to them. In all cases the operators must maintain detailed knowledge of their systems and subsystems. Reliance on automatic functions should not lead to deterioration of operator quality.

Any possible savings from the reduced number of plant operations staff achieved by automation may be partly offset by the need for programmers and highly skilled maintenance specialists. Operators are relieved of routine tasks but they still have to perform many more complex functions beyond the capability of the automatic systems. They are also needed to supplement automatic actions of the protection system (which are of rather short-term character) by executing long-term control in the case of operational occurrences or accident conditions.

A high degree of automation puts more weight on the question of equipment standardization. Due to the large number of remotely actuated items of equipment the uniformity and serviceability of components becomes increasingly important.

In some instances automation has been used as a form of last-minute modification to compensate for poor design, usually leading to additional and more complex electronics. In such a case a careful study of the problem may show that cure of the original shortcomings in design (if possible) is the better solution.

An answer to the question of how much automation is optimum cannot be given in general terms. It will depend strongly on the specific situation of the manufacturer (design concept, technology) and of the utility (operational requirements, resources available, standard of personnel). Careful analysis of the individual situation (possibly with the help of consultants) is recommended (see Part 1).

8.4. Computers

The use of digital computers in I&C systems offers many advantages, making them strong competitors to hardwired equipment.

Their capability in acquiring, processing, storing and retrieving large amounts of data as well as their flexibility in adapting to changes or extension of systems is beginning to make them standard equipment in nuclear power plants for off-line applications such as:

— optimum fuel management
— optimum core power distribution and control rod strategies
— calibration and correction factor calculation for in-core detectors (in some cases on-line)
— maintenance management
— system performance analysis.

Regulatory requirements and (to some extent) economic considerations have limited the on-line computer largely to open-loop applications, such as

— data scanning and logging
— sequence-of-events recording
— detection of abnormal plant conditions and their analysis
— information display systems
— sequencing of control rods, indication and recording of their position
— real time calculation of parameters which cannot be measured directly
— core surveillance; this is either done by direct evaluation of in-core instrumentation signals (see Section 8.5) or by core simulation. Special information for the operator includes: spatial distribution of power in the core, DNB ratio, poisoning, fuel burn-up.

The majority of present-day LWRs can be operated at least with reduced control performance and for some time without the support of on-line process computers. Their functions influence more the convenience and economy of operation. On the other hand there are notable closed-loop applications of process computers (e.g. AGR, PHWR, some new designs of LWRs).

An example of direct digital control is the control of CANDU reactors by means of a dual computer configuration. This concept uses one computer as the main controller with the other in hot stand-by.

These computers perform direct digital control of reactor regulation, boiler pressure control and fuelling machine operation. Based on the successful performance of past designs, more control function and logic interlock functions are being added.

FIG. 11. Digital calculating modules in a reactor protection system. (Diagram labels: input signals from sensors; digital calculating modules; limit value monitors; trip bus; trip signals.)

The use of computers in protection systems has been subjected to many investigations and discussions. Several reactor suppliers have conducted extensive development projects in this area.

Basically there are two different lines of approach for the future:

— The hardwired protection system is intended to be replaced by a fully computerized system. The main difficulties of this concept are connected with the licensability of such a complex hardware/software system.

— Only certain portions of the hardwired protection system (functional subgroups or channels for individual safety variables) are replaced by small computers or computing modules dedicated to one special protection function only (e.g. DNB calculations). Thus the ability of the computer to perform calculations can be utilized without sacrificing the structural simplicity of protection system design (Fig. 11).

The second approach, which avoids most of the difficulties of large-scale centralization of safety-relevant functions, seems to be the most prudent way of (gradually) resolving the problems associated with licensing.

Special examples of applications of computing modules in protection systems are given in the Annex to Part 2.

World-wide there are new concepts of computer-based I&C under investigation, development and design. Main characteristics are: distributed systems (microprocessor) with decentralized information processing close to the point of measurement, multiplex systems for data transfer, use of opto-electronics, new control-room concepts, etc. Compared to present-day functions, new I&C systems are expected to perform a variety of additional tasks.

8.5. Design requirements

8.5.1. Redundancy, physical separation, diversity and failure to safety

The high demands on nuclear power plant control and instrumentation reliability and availability require high levels of quality in the system’s structural design and careful selection of the components used. Even then the standards for safety systems (and for certain other I&C systems, which are of high importance for plant availability) can only be met by applying the well-proved principles of redundancy, physical separation, diversity and fail-safe operation.

Redundancy and physical separation. Several instrument channels in parallel are used to measure the same physical variable. Some kind of logic decision, such as majority voting, cross-comparison or elimination of extremes, is applied to the redundant signals before accepting them as being representative for the process variable being measured. Full advantage of this principle is only gained if it is extended to the independence of power supplies and if all equipment of one redundant channel, including cables and instrument lines, is physically separated from the other channels in a systematic manner (separation by distance or barriers, use of isolation amplifiers and decoupling devices, etc.).

Diversity. Another way to increase the reliability of a system (especially to reduce its vulnerability to common-mode failures) is offered by the principle of diversity. This may be by equipment diversity (devices of different design or origin are used for the same function) or by functional diversity (different physical parameters are used as initiating criteria for the same protective action). Whereas functional diversity is a regulatory requirement for protection systems in some countries, some aspects of equipment diversity are still under discussion (increased maintenance and repair problems, fully equivalent yet diverse equipment is not readily available, etc.).

Failure to safety. This concept is widely used, especially for I&C systems important to safety. In principle it makes use of the fact that equipment can be designed with a strong bias towards a certain output signal in case of failure. Since such spurious signals are directed towards initiating shutdown of the plant or other safety actions, they are referred to as ‘failure to safety’ or ‘fail-safe’ modes. A classic example is the design of I&C systems on the principle of de-energization. (A power supply failure does not put such equipment into some undefined state but rather causes it to generate a ‘safe’ signal.)

FIG. 12. Redundancy, diversity and separation. Simplified example for containment isolation in a BWR after steam pipe rupture inside containment. (Figure labels: inner and outer containment isolation valves; L, reactor water level; P, containment pressure; transmitters; limit value monitors; 2 out of 3 majority voting and actuating logic; barrier between redundant subdivisions; isolation device.)

The ultimate effect of such spurious signals, however, may depend on a variety of conditions (refer to Section 12.1 concerning not fully safety-oriented actions). Therefore the term ‘fail-safe’ may give a false impression when applied to the most general situation and should be used with care.

Redundancy and diversity are illustrated in Fig. 12. The example shows how the demand for the protective action ‘initiation of BWR containment isolation’ in the case of the postulated initiating event ‘steam pipe rupture inside containment’ is detected both by the decreasing reactor water level L and by the rising containment pressure P (diversity). Each of these variables is measured by three independent channels (redundancy). Physical separation assures that fire or other external influences will not simultaneously destroy more than one channel. L and P are converted to electrical signals which trigger limit value monitors after having reached preset levels. Each of the resulting logic signals is compared with its redundant neighbouring signals in a logic circuit (majority voting). If at least two of three instrumentation channels (either L or P) have tripped, containment isolation is initiated both by inner and outer isolation valves.
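The containment isolation logic of Fig. 12, together with the majority voting, elimination-of-extremes and failure-to-safety principles of Section 8.5.1, as an added Python example that is not part of the guidebook. The setpoints, units, function names and scenario readings are constructed assumptions.

```python
"""Added example: redundancy, diversity and failure to safety in a trip decision.

Setpoints, units and readings are constructed values, not taken from the guidebook.
"""
import math
from statistics import median
from typing import Dict, Optional, Sequence

# Hypothetical setpoints chosen only for this example.
LEVEL_LOW_SETPOINT_M = 12.0          # reactor water level L: trip when below
PRESSURE_HIGH_SETPOINT_KPA = 115.0   # containment pressure P: trip when above

Signal = Optional[float]  # None models a de-energized or disconnected channel


def is_valid(signal: Signal) -> bool:
    """A channel output is usable only if it is present and finite."""
    return signal is not None and math.isfinite(signal)


def limit_monitor(signal: Signal, setpoint: float, trip_when_low: bool) -> bool:
    """Limit value monitor biased to safety: an invalid signal reads as 'tripped'."""
    if not is_valid(signal):
        return True
    return signal < setpoint if trip_when_low else signal > setpoint


def vote_2oo3(trips: Sequence[bool]) -> bool:
    """2-out-of-3 majority voting over the redundant channels of one variable."""
    if len(trips) != 3:
        raise ValueError("2-out-of-3 voting needs exactly three channels")
    return sum(trips) >= 2


def eliminate_extremes(signals: Sequence[Signal]) -> Optional[float]:
    """Representative value for display or control: median of the valid channels.

    With three valid channels the median discards the highest and lowest
    reading, so one drifting transmitter cannot move the accepted value.
    """
    valid = [s for s in signals if is_valid(s)]
    return median(valid) if valid else None


def containment_isolation(level_m: Sequence[Signal],
                          pressure_kpa: Sequence[Signal]) -> Dict[str, bool]:
    """Isolate if the 2oo3 vote on L or the 2oo3 vote on P demands it (diversity)."""
    level_trip = vote_2oo3(
        [limit_monitor(s, LEVEL_LOW_SETPOINT_M, trip_when_low=True) for s in level_m])
    pressure_trip = vote_2oo3(
        [limit_monitor(s, PRESSURE_HIGH_SETPOINT_KPA, trip_when_low=False)
         for s in pressure_kpa])
    return {"level_trip": level_trip,
            "pressure_trip": pressure_trip,
            "isolate": level_trip or pressure_trip}


# Constructed scenarios: (level channels in m, pressure channels in kPa).
SCENARIOS = {
    "normal operation": ([14.1, 14.0, 14.2], [101.0, 102.0, 101.5]),
    "one level channel de-energized": ([None, 14.0, 14.2], [101.0, 102.0, 101.5]),
    "two level channels de-energized": ([None, None, 14.2], [101.0, 102.0, 101.5]),
    "steam pipe rupture": ([11.5, 11.8, 12.4], [120.0, 118.0, 112.0]),
    "level channels stuck, pressure rising": ([14.0, 14.0, 14.0], [121.0, 119.0, 122.0]),
}

if __name__ == "__main__":
    for name, (level, pressure) in SCENARIOS.items():
        print(f"{name:40s} {containment_isolation(level, pressure)}")
```

The "two level channels de-energized" scenario isolates the containment with no real demand, which is the spurious-signal behaviour behind the text's advice to use the term 'fail-safe' with care. The "level channels stuck" scenario shows the diverse variable P still initiating isolation when all three L channels share a common-mode fault.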

8.5.2. Interconnection and independence

Majority voting or signal comparison circuits always necessitate some form of interconnection between redundant channels. To avoid propagation of failures (electric transients, physical accident consequences) the transmission of signals between redundant channels as well as signal flow from the protection system to the operation system must be through isolation devices. No credible failure at the output of such a decoupling element (e.g. short circuit, open circuit, ground, overvoltage) shall prevent proper functioning of the channel connected to its input. In Fig. 12, a diode symbol is used to indicate such isolation devices.

A special form of designing for channel independence is the application of fire protection criteria (Section 8.7). Quality assurance and careful inspection — especially in the case of modifications after the final I&C installations have been made — must ensure that the original standard of channel and system independence is maintained throughout the lifetime of the plant.

8.5.3. Maintainability, repairability and testability

Systems designed for long and reliable life must also have provisions for facilitating their routine maintenance, testing and repair.

Unfortunately requirements for the design of safety systems are often in conflict with the requirements for optimum maintenance. The problem of equipment diversity with its associated higher demands on the maintenance crew has been mentioned already. Another example is the frequent contradiction between providing effective barriers (fire, radiation, etc.) and the necessity of having good access to equipment for maintenance and repair.

Even optimum design for safety and maintainability can be nullified by poorly co-ordinated installation of different systems.

The capability for testing and calibrating safety-related devices is a standard requirement; the test intervals are usually prescribed in detail. These intervals should be a good compromise between (theoretically derived) demands for frequent testing and practical considerations of wear and probability of human errors. Problems encountered in performing the required tests have often been caused by inadequate design. Inadvertent plant shutdown or component failure could have been avoided in many cases by providing proper test jacks and bypasses in the original installation. However, there must be provisions to ensure that bypasses are removed when returning the system to its original condition.

Means for isolating systems for maintenance without affecting the function of other systems should be an inherent part of good design.

Closely related to repair is the question of spare parts. The increasing complexity of I&C components and the shortage of highly specialized service technicians have favoured the ‘replace-and-throw-away’ concept. In many cases, however, repair of defective components may prove to be the more economic solution (long delivery times, problems of transport and currency, etc.). Although repairability of equipment usually will not be the primary objective of the designer, it can be a very important factor for the user.

8.5.4. Automatic testing and failure detection

The availability of a nuclear power plant can be improved by application of automatic test facilities, thus shortening the test intervals. Such facilities should be considered and — if found appropriate — incorporated into the system as a design feature. No ideal method of automatic testing seems to have evolved so far. Different methods (comparators, pulsed systems, etc.) for testing parts of I&C systems are in use. Computerized methods for automatic testing show promise for the future. Another important item is automatic failure detection (failure monitoring, failure signal processing with computer). This can limit trouble-shooting time and can in addition allow an estimation of system status between inspections. This, however, must be weighed against additional costs and increased complexity of equipment. A cost-effectiveness study should be performed prior to a final decision.

8.5.5. Standardization of design and equipment

Standardization is an important aspect of I&C design, offering obvious advantages in costs, licensing, spare parts management, maintenance, etc.

In the case of safety-related instrumentation, however, contradicting requirements for diversity in design and equipment exist.

Standardization of design should aim at the use of only a limited number of well-proved measurement methods (e.g. differential pressure for flow measurements); standardization of equipment should not only include restriction in the number of types of devices but also - as far as practicable - limitation in the number of measurement ranges and other equipment parameters.

8.6. Electric and non-electric power supplies for I&C

The requirements for redundant sets of safety systems lead to the concept of redundant subdivisions for the power supplies of safety-related I&C systems as well (see IAEA Safety Series No. 50-SG-D7A). Some of the non-safety-related systems are also connected to these supplies due to requirements of plant availability.

FIG. 13. Typical arrangement for I&C power supplies. (Figure legend: charger; converter; decoupling diode; circuit breaker; transfer switch; transformer.)

FIG. 14. An alternative arrangement for I&C power supplies.

FIG. 15. Another typical arrangement for I&C power supplies.

Various concepts for highly reliable I&C power supplies are used. They are usually part of the emergency electric power system. Some typical arrangements are shown in Figs 13—15.

In order to improve availability or to interface an n-channel I&C system with m bus-bars, different kinds of cross-connections between redundant subdivisions are used in existing designs. The system layout must of course be considered as a whole (spatial situation, use of isolating devices, reliable interlocks, etc.). Modern trends, however, indicate a tendency towards a higher degree of independence of redundant subdivisions.

Electric power for I&C systems important to safety is usually supplied from battery-supported DC bus-bars and battery-backed AC supplies (converters), providing non-interruptible voltage to vital AC loads. However, for some of these systems interruptions of several hundreds of milliseconds may occur when changing over from back-up AC to converter or vice-versa.

Voltage levels and frequency differ according to designs and the available mains in the country of construction, e.g. 115 V/60 Hz in the USA, 220 V/50 Hz in Europe.

Usually at least two levels of DC voltage exist:

— a higher level (typically 110 V or 220 V) for the actuation of solenoid valves, for control voltage of circuit breakers and supplying converters;

— a lower level (typically ±24 V) for the supply of electronic cabinets and switching logic.

One particular feature is the provision of an external emergency power feed (e.g. from the police, the military, or the fire department) during long-lasting accidents with loss of power.

For proper performance of I&C systems not only the stationary characteristics, but also the transient behaviour of electric power supplies are important. Transients in frequency, voltage and AC stability may be caused during transitions between plant operation modes, for example in such conditions as:

— Start-up phase. Power for I&C is provided from the grid. The NPP generator takes over NPP loads gradually after its connection to the grid.

— Normal operation. The plant delivers power and supplies its own load, including I&C systems.

— Island operation. The plant is disconnected from the grid, but supplies its own load.

— Emergency shutdown with grid available. Power for NPP loads is supplied from the grid.

— Emergency shutdown without grid power. In this mode on-site generators provide the power for the safety-related loads and support the batteries for those parts of I&C required to keep the reactor in a safe shutdown condition.

— Planned shutdown. The supply of the plant’s loads is gradually transferred from the NPP generator to the grid.

The influence on the I&C system of such transitions has to be kept small by proper design. Verification could be best obtained during power tests when all necessary equipment is available and optimization procedures are implemented. If spurious activations occur, they should be carefully investigated for cause and origin.

The design specifications for I&C equipment are sometimes not quite compatible with the associated power supplies.

In order to ensure compatibility some points need to be closely considered. The DC distribution system is usually very large and overvoltages as well as undervoltages are to be expected. Monitoring units usually sitting at the bus-bars should switch off the chargers when overvoltages or excessive charger ripple occur. The limits depend on the instrumentation system used and, if possible, electronic circuit designs not very sensitive to nominal voltage changes should be employed, because it is very difficult to keep a large DC distribution system within close limits. The data sheets of some instrumentation units give only the static voltage limits, but no data on transients.

The instrumentation and control systems are sometimes composed of units produced by different manufacturers with differing voltage limits as well. It is advisable to check these limits very carefully at the design stage.

The voltage and frequency tolerances of the AC bus-bars and especially the interruption time during the load take-over of the on-site generator are points to be considered when interfacing I&C equipment to the power supplies. Sometimes the quantification of such data can only take place during the final testing stages of a NPP when all loads are installed and a realistic simulation of the transients and interruption times can take place.

It could be of advantage to consider backfitting or enlargement possibilities (usually additional data loggers or computer power) at an early stage and to allow for reserve power from the I&C power supplies. This will avoid future problems such as additional involvement of licensing authorities, additional construction work going on, protection of I&C equipment from such activities, etc.

Another aspect to be considered is overvoltage protection. Overvoltage could be caused in one or more of the following ways:

(1) Overvoltage in the AC bus-bars feeding the charger and coupling capacitively from the primary to the secondary windings of the transformer,

(2) Disconnection of heavy loads,

(3) Blowing of fuses due to short circuits,

(4) Lightning strikes.

In order to limit the impact of overvoltage on the I&C equipment the following points should be considered.

(1) Adequate screening between the primary and secondary windings of the charger transformers should be employed.

(2) Any heavy loads should be placed as near as possible to batteries.

(3) Quick-acting fuses should be employed where possible in order to limit heavy currents.

(4) Overvoltage suppressors should be used in cases where no improvements are expected, e.g. large zener diodes, or varistors, or voltage-stabilizing integrated circuits should be built into the cards of sensitive electronic equipment.

It is also advisable that a fuse-blowing test be undertaken at a stage when the instrumentation and control systems are available at the NPP site; signs of false signals or switching actions should be noted.

The non-electric supplies are the pneumatic and hydraulic supplies. Their fluids must be carefully specified and their supply tightly controlled. Dirt, moisture and lack of fluid capacity would lead to common-mode failures. Oil in capillaries (e.g. for pressure transmission) suffers deterioration from high radiation doses.

8.7. Environmental influences

8.7.1. Fire

In addition to the general guidance given in the IAEA Safety Guide on Fire Protection in Nuclear Power Plants (SG-D2), a variety of more detailed design criteria, guides and recommendations on fire protection with relevance to I&C system design is in existence; many requirements are site-dependent and have to be specified by the authorities.

Protective measures against fire (as well as other external hazards) should be treated as an integral part of the detailed plant specifications and taken into account from the beginning of plant planning. A powerful tool for the protection of vital I&C equipment is the systematic separation of redundant subsystems and the distribution of these systems among different fire zones. Fire zones are separated either by sufficient distance to prevent the spread of fire or by approved fire barriers.

A critical point is the penetration of fire barriers by electrical cables. It is recognized that many serious fires in industry are traceable to the propagation of fire through cable ducts and wall penetrations. Special seals and fire-resistant materials have therefore been developed and should be incorporated in the design.

Fire-extinguishing systems should always be regarded only as a complement to, not a replacement of, structural measures for fire protection.

Advanced power plant designs have made use of the principle of separation very rigorously: components belonging to different (redundant) subdivisions are strictly located in different rooms, the only exceptions being the reactor containment and the control room. But even in these areas physical separation by distance is applied to the extent practicable (although these measures may cause certain inconvenience for service and maintenance).

Rooms containing I&C equipment or cables should be free of combustible substances. The use of plastic materials in these areas should be kept to a practicable minimum (because of flammability and toxic fumes). Cable culverts, cable shafts and cable floors must never be used to house pipes for oil, gas, etc.

To minimize the possibility of starting a fire from overheated cables, all fuses should be carefully dimensioned and selected.

An automatic central fire detection and alarm system should be installed as a subgroup of the total plant instrumentation.

Fixed fire-fighting systems have to be selected according to their tasks and hence detailed knowledge of the situation is required. Generally, however, it is recommended to use automatic water sprinklers for cable channels, culverts, distribution rooms, etc. For rooms with high concentration of electronic equipment (computer room, control room, etc.) manually actuated sprinklers and/or Halon systems are preferable. For relay rooms, cabinets and battery rooms foam systems also may be considered.

8.7.2. Seismic influences

I&C equipment, especially for safety-related purposes (e.g. reactor protection systems), has to be designed to withstand operating basis earthquake (OBE) and safe shutdown earthquake (SSE).

The seismic requirements for I&C are derived from the design basis earthquake, from the floor-response properties (spectra) where I&C is installed.

To determine the seismic performance of I&C equipment two different methods can be followed:

(1) For structures of larger size (cable raceways, cabinets, pressure transducer impulse lines) it is appropriate to calculate the behaviour under stress to verify the performance under seismic load.

(2) For small parts (circuit-boards, racks, electronic components) it is recommended to perform tests on the actual equipment with earthquake-simulating devices (‘shakers’). However, it is a problem to find an adequate testing procedure to simulate the influence of an earthquake realistically.

8.7.3. Air conditioning

Air conditioning as a means of removal of excess heat from I&C safety systems must meet the requirements for safety system support features. However, malfunction or even loss of air conditioning subsystems must also be considered for safety-related and non-safety-related I&C systems.

Especially in regions with tropical climate, high humidity or in the neighbourhood of chemical plants, proper design of ventilation systems (physical separation, redundancy) may be the only way to eliminate a major source of common-mode failures in I&C equipment.

The function of air conditioning must not be jeopardized by backfitting or alterations, such as installation of additional barriers, etc.

8.7.4. Electromagnetic interference

In the hostile electromagnetic environment of a nuclear power plant a source of influence on the I&C systems is electromagnetic interference, which could induce in the worst case a common-mode failure. Problems associated with electromagnetic interference appear usually after completion of equipment installation if proper provisions have not been made during design. Sometimes a troublesome investigation is required to locate the source of such interference, which could be of a transient nature.

The larger transient sources of electromagnetic interference are listed in the following table. For each source is given the peak voltage to be expected and the corresponding disturbing current and its rise time. The main coupling path to instrument circuits is also suggested. The term ‘earth coupling’ is used for electromagnetic coupling from a source of disturbance such as the distribution mains supply through any number of passive resonant circuits (cable sheaths, water pipes, stanchions) to the screens, or cables of instrument systems. More details are given in the bibliography for this section.

In order to cope with such disturbance as given in Table VIII, correct design of instrument circuits is vital, adequate screening enclosures have to be used and the associated cables must have sufficient screening performance. While this is part of the design aspect of instrument systems, the supplier of such equipment can be helped by having his attention drawn at an early stage to specification levels of interference immunity and the ways the instruments are going to be tested.

One source of disturbance of increasing importance is the close radio transmitter (or walkie-talkie). With frequencies up to 960 MHz and an equivalent radiated power of over 5 watts now possible, it is important to test all critical instruments for susceptibility, not at one frequency, but over a wide range from 20 MHz to 1 GHz.

TABLE VIII. TRANSIENT INTERFERENCE SOURCES AND LEVELS

Source | Radiofrequency levels: Potential, Current, Rise time | Coupling path: Direct, Earth
Distribution mains | 400 V, 8 A, 10 ns | X, X
High-voltage mains | 11 kV, 10 ns | X
Relays (unsuppressed) | 800 V, 10 A, 3 ns | X, X
Welding equipment | 400 V, 8 A, 10 ns | X
Lightning strike | 100 kA, 1 µs | X
Close radio transmitter | 5 W, 960 MHz | X
Static discharge | 8 kV, 15 A, 2 ns | X

Other tests have been devised to assess an instrument system’s ability to meet disturbance levels up to those suggested in the table. These tests involve injecting disturbance currents into the unscreened connections to an instrument and also into the screens and earth connections of screened (or shielded) instruments.

If the problems associated with the electromagnetic interference are not tackled at the design stage it is quite difficult to locate and cure them later when the equipment is installed in the NPP.

8.7.5. Accident conditions

All those parts of I&C which are required to perform their functions during and after an accident must be designed and tested to withstand the anticipated environmental conditions (radiation, temperature, mechanical shock, humidity, pressure, etc.).

Specifications of such equipment and its protection barriers must take into consideration the duration of the extreme accident conditions as well as the performance expected from a particular device: e.g. instrumentation required only for trip functions immediately following an accident needs a different type of qualification and protection than equipment needed for long-term post-accident monitoring.

8.7.6. Other external hazards

External hazards other than those treated in the previous section may be grouped into two broad categories:

— natural phenomena (floods, tornadoes, etc.)
— man-made incidents (explosions, release of toxic chemicals, aircraft impacts, etc.).

Protective measures against these hazards are closely related to the plant site. However, some of the basic principles mentioned in the previous sections, i.e. physical separation and structural protection (concrete walls, etc.), may be applied in a similar manner.

In many modern nuclear power plants even the loss of the main control room by destruction would not lead to unacceptable consequences: reactor shutdown and cooldown can be performed from locations outside the control room.

8.7.7. Security

Counteractions against sabotage attempts involving I&C systems could very effectively start with a careful evaluation (or re-evaluation) of the safety systems and the safety-related systems, assuming them to be subjected to subversive acts. This vulnerability analysis should also take employee complicity into consideration.

Realizing that the control room is a critical area in this context, detailed procedures and installations have been foreseen in many nuclear power plants to ensure safe shutdown of the plant even in a situation when the control room is not accessible or is occupied by saboteurs.

BIBLIOGRAPHY

Section 8.1

Nuclear Power Plant Control and Instrumentation (Proc. Symp. Prague, 1973), IAEA, Vienna (1973).

Nuclear Power Plant Control and Instrumentation (Proc. Symp. Cannes, 1978), IAEA, Vienna (1978).

INTERNATIONAL ATOMIC ENERGY AGENCY, Safety-Related Instrumentation and Control Systems: a Safety Guide, Safety Series No. 50-SG-D8, IAEA, Vienna (in preparation).

INTERNATIONAL ATOMIC ENERGY AGENCY, Protection System and Related Features in Nuclear Power Plants: a Safety Guide, Safety Series No. 50-SG-D3, IAEA, Vienna (1980).

Section 8.2

INTERNATIONAL ATOMIC ENERGY AGENCY, Protection System and Related Features in Nuclear Power Plants: a Safety Guide, Safety Series No. 50-SG-D3, IAEA, Vienna (1980).

KRAFT, M., et al., “Electronic equipment of nuclear power plants”, Atomkernenerg. Kerntech. 34 1 (1979) (in German).

Section 8.3

INTERNATIONAL ATOMIC ENERGY AGENCY, Use of Computers for Protection Systems and Automatic Control (Proc. Specialists’ Meeting Munich, May 1976).

INTERNATIONAL ATOMIC ENERGY AGENCY, Protection System and Related Features in Nuclear Power Plants: a Safety Guide, Safety Series No. 50-SG-D3, IAEA, Vienna (1980).

Nuclear Power Plant Control and Instrumentation (Proc. Symp. Cannes, 1978), IAEA, Vienna (1978).

MISSBACH, D., et al., “Automation in nuclear power plants”, Kernenergie 21 3 and 7 (1978), 22 6 (1979).

Section 8.4

INTERNATIONAL ATOMIC ENERGY AGENCY, Procedures and Systems for Assisting an Operator During Normal and Anomalous Nuclear Power Plant Operation Situations (Proc. Specialists’ Meeting Munich, Dec. 1979).

INTERNATIONAL ATOMIC ENERGY AGENCY, Nuclear Power Plant Control and Instrumentation (Proc. Symp. Cannes, 1978), IAEA, Vienna (1978).

OECD HALDEN REACTOR PROJECT, Process Supervision and Control in Nuclear Power Plants (Proc. EHPG Meeting Frederikstad, 1977).

INTERNATIONAL ATOMIC ENERGY AGENCY, Software Reliability for Computerized Control and Safety Systems in Nuclear Power Plants (Proc. Specialists’ Meeting Pittsburgh, July 1977).

INTERNATIONAL ATOMIC ENERGY AGENCY, Distributed Systems for Nuclear Power Plants (Proc. Specialists’ Meeting Chalk River, July 1980).

INTERNATIONAL ATOMIC ENERGY AGENCY, Use of Computers for Protection Systems and Automatic Control (Proc. Specialists’ Meeting Munich, May 1976).

Section 8.5

INTERNATIONAL ATOMIC ENERGY AGENCY, Effect of Regulatory Requirements on Nuclear Power Plant Control and Instrumentation Systems (Proc. Specialists’ Meeting Madrid, Oct. 1977).

INTERNATIONAL ATOMIC ENERGY AGENCY, Protection System and Related Features in Nuclear Power Plants: a Safety Guide, Safety Series No. 50-SG-D3, IAEA, Vienna (1980).

Nuclear Power Plant Control and Instrumentation (Proc. Symp. Cannes, 1978), IAEA, Vienna (1978).

US NUCLEAR REGULATORY COMMISSION, General Design Criterion 13, Instrumentation and Control.

US NUCLEAR REGULATORY COMMISSION, Regulatory Guide 1.118, Periodic Testing of Electric Power and Protection Systems.

US NUCLEAR REGULATORY COMMISSION, Regulatory Guide 1.75, Physical Independence of Electric Systems (1974).

Section 8.6

INTERNATIONAL ATOMIC ENERGY AGENCY/NPPCI, Power Supply Arrangements in Nuclear Power Plants (Proc. Specialists’ Meeting Stockholm, Sep. 1978).

INTERNATIONAL ATOMIC ENERGY AGENCY, Emergency Electrical Power Systems at Nuclear Power Plants: a Safety Guide, Safety Series No. 50-SG-D7A, IAEA, Vienna (in preparation).

Section 8.7

INTERNATIONAL ATOMIC ENERGY AGENCY, Fire Protection in Nuclear Power Plants: a Safety Guide, Safety Series No. 50-SG-D2, IAEA, Vienna (1979).

US NUCLEAR REGULATORY COMMISSION, Regulatory Guide 1.120, Fire Protection Guidelines for Nuclear Power Plants.

INSTITUTE OF ELECTRICAL AND ELECTRONICS ENGINEERS, Standard 344-1975, Recommended Practices for Seismic Qualification of Class IE Equipment for NP Generating Stations.

INTERNATIONAL ATOMIC ENERGY AGENCY, Design of Electronic Equipment to Achieve Electromagnetic Compatibility (Proc. Specialists’ Meeting, Winfrith, Feb/March 1978).

US NUCLEAR REGULATORY COMMISSION, Regulatory Guide 1.97, Instrumentation for LW-Cooled NPP to Assess Plant Conditions During and Following an Accident, USNRC (1977).

US NUCLEAR REGULATORY COMMISSION, Regulatory Guide 1.17, Protection of Nuclear Power Plants Against Industrial Sabotage.

9. OPERATOR/PLANT COMMUNICATION

9.1. Central control room

9.1.1. Purpose of the control room

Each NPP has a central or main control room enabling the operator to monitor the plant and communicate with personnel inside and outside. A single central control room may serve for several plant units, or each unit may have its own control room. Both alternatives have their advantages and drawbacks. The main purpose is to permit the operator to monitor the performance of the plant, to optimize performance during normal conditions and to control it during abnormal ones; to supervise important areas inside and outside the plant; to monitor the status of the systems; and to serve as a communication centre should need arise. Normally the main control room is located centrally in the control building and is surrounded by rooms necessary for housing of electronic equipment, computer systems, DC power supply systems, building ventilation, cable routing, as well as offices, and rooms for personnel, conferences and documentation.

9.1.2. Design of the control room

The main control room has a central location among the buildings, so as to provide optimal access.

Preferably it is surrounded by heavy concrete walls with only one entry, easily controllable, but with several emergency exits consisting of double doors to be opened only from the inside. These are for protection against hazards from inside the control room and against sabotage. It is also desirable to supply the main control room with a special, independent ventilation system.

Another requirement in some countries is to protect the control building against airplane crash. To that end, one can design the concrete roof such that no burning fuel from the airplane can flow through openings into the building. The planning should provide for a minimum number of openings. The main control room and all equipment inside should be earthquake-resistant.

The design of a central control room should also meet requirements for other hazards (e.g. high-pressure steam pipes, high-energy missiles, liquid-gas storage tanks, etc.). The control room should be located above the highest flood level, and penetrations (cable ducts, etc.) from adjacent buildings should be sealed. The necessary cable junction room is usually located beneath the central control room. Cable routing to the control room is preferably via isolated cable trays fulfilling the requirements of fire protection.

Openings for cable entries are sealed and electrical signal lines important to safety are buffered to avoid electronics outside the control room being affected by failures inside it.

The control room should be designed so as to keep the noise level (and other psychological stress factors) inside to a minimum. It should be laid down that only authorized persons may enter the control room.

9.1.3. Ergonomic aspects and layout

The main items to be considered in the layout of a control room are ergonomic aspects, functional aspects, operator task analysis, and information techniques. The main goal is the improvement of man/machine interfaces to reduce the probability of operational errors.

Elementary considerations must be taken into account, such as distinctive functional grouping of control panel elements. Such elements are often used in large arrays. Functional demarcation and accentuation of logical groupings should be used.

The arrangement of functional group control should assure a good overview of the operational status of the plant. These functional areas should be arranged in accordance with the process areas. They can be grouped in alarm fields, group control, subgroup control and indication fields.

Generally a left-to-right order of placement should be applied, following the sequence used to bring the plant up to rated power output.

Within each group some kind of hierarchical labelling should be employed. As a rule a control switch or button should be placed in an unambiguous relationship to any indicator to which it relates. The control operation has to be apparent from the associated control labelling. Problems may be created if controls (handles or knobs) are located in areas which render them vulnerable to inadvertent contact with the operators. Raised protective barriers, position locking controls, guard rails, etc., may improve the situation even in cases where weak points are identified after installation.

Sometimes strip chart recorders in the control room are overloaded with too many parameters to be monitored. This results in illegible print-outs. Installation of a sufficient number of recorders should be part of control room design.

If printers and other computer peripherals are noisy they should be placed in special rooms. Normally the process interface electronics is also located in special rooms.

Safety-related redundant parts inside the main control room should be physically separated, consistent with the existing standards and preferably in totally enclosed cubicles.

A good control room design should also permit maintenance and replacement of any item during normal operation.

Functionally the control room is divided into several areas. All important information should be available at the main control desk. From here instructions can be given. Here also a pushbutton for the emergency shutdown command should be installed. Also, communication devices, pushbuttons for site alarms, e.g. fire, radiation, might be arranged here. Via a TV monitor the operator can watch important areas, such as plant entrances, etc. Necessary operation manuals might be located here as well.

Another control room area is usually entered only to perform special tasks. In this auxiliary area recorders, annunciators and indicator panels are housed.

All desk modules should be linked by fire-resistant cables. The safety-related panels may need to be seismically resistant and provided with fire barriers.

Figure 16 shows an example of a control room concept. Normally dimensions of control desks and panels are based on anthropometric studies.

The critical dimensional factors for the design of a console for a seated operator are the proper height relative to viewing tasks both on a console and in a surrounding control room area, the seat height, depth and knee clearance, ready access to controls, and so on.

The most comfortable viewing angle is 15° below the horizontal. A display unit should therefore be located in the middle of the normal viewing zone and perpendicular to the normal sight line. For a standing operator station the design should ensure control and display location within the reach and visual field of the smallest operator.

It is advisable to use non-reflecting glass inside the control room. The control room should be equipped with a proper lighting system, available also during accident situations, which implies that parts of that system are connected to the power from battery-backed DC systems. A subdued illumination should be preserved to enable the operators to write, and to read and watch data from display apparatus. Mostly a simulated daylight is preferred. The lux level should be adjustable for each control room area. A lux level in the horizontal direction of 450 lux, and in the vertical direction of 100 lux is recommended in some countries. Normally the control room temperature and humidity should be controlled.

9.1.4. Equipment inside the control room

Monitoring of the main plant systems is sometimes carried out via computer displays. Sometimes these display systems are used as back-up presentation for process parameters (curves, bar charts, etc.). New plants use colour CRTs.

Using such display systems makes possible forms of presentation which are not possible using conventional means.

All information can be presented to the operator on request, or automatically at any time when there is a change in the status of the plant or the systems, or when an event occurs. All information can be stored and recalled at any time desired.

The information can be given alphanumerically, or graphically, or combined in a static or dynamic manner. Attention can be drawn to certain details by applying the zoom technique. Parameters can be displayed which are not directly measurable but are derived by a computer. Direct interaction between the operator and the plant via a CRT display unit is possible as well.

Procedures for presentation of only the most necessary information are sometimes applied. However, all information should be available in detail to the operator if he wishes to have it. Advanced control rooms are using an integrated set of computer-based components for operator-oriented plant monitoring and supervision and attempts are being made to optimize the amount of useful information available to help the operator in making correct decisions for plant operation.

It should be possible to record automatically the history of parameter values and normal interactions. The information the operator gets should also give him an early warning of possible accidents. Certain indications of an accident often are only recognized through collective alarms. However, it is also necessary to discover the primary cause.

Indication should also be provided about the status of control systems.

In abnormal or accident situations, the available information should allow a quick appraisal as to whether the safety systems are performing the required safety functions, and for monitoring the long-term course of accidents to assure that conditions are remaining within defined limits. Further, the operator has to be provided with controls to carry out manual control of the plant and respond to malfunctions. When using colour CRTs, several aspects are of importance: colour coding, blinking to attract, screen overload, number of characters that can be taken in at a glance, appropriate formats, etc. The interrelationship of display pages should be clear.

The colour coding of signal lights, indicators, and control devices could be chosen according to existing standards (e.g. DIN 4818/9.65) but should in each case be consistent. When in a group, indicators should always have the same zero indication position. Special care should also be taken to use the right scales. They should not contain too many division marks when only used for check reading. The length of the scale should be long enough for a reliable reading.

A number of different devices are used for communication with the plant. However, new designs for such devices are made so frequently that it is of little use to describe those which are currently available.

The future trend will also go in the direction of applying microcomputers, making it possible locally to monitor and control portions of a nuclear power plant with only summary data transmission to the control room.

9.2. Other control boards

9.2.1. Emergency control room

In some NPPs the scram function and residual heat removal can be performed from a special apparatus room which contains all the necessary indicators and the necessary controls to shut down the plant and to keep it in a safe condition. Since such a room is usually protected against various hazards it enables shutdown even in dangerous situations (e.g. when the central control room is not accessible). Destruction of such an emergency control room does not influence other equipment since it is electrically isolated.

The equipment inside this room usually obtains its supplies (electrical, etc.) from special devices which are also installed inside this emergency control room.

9.2.2. Local control panels

Some NPPs also offer the possibility for manual interaction with the plant outside the control room at various local control stations inside the plant.

Such local control stations or panels include status indications and control facilities, for example for stand-by generators with auxiliary systems and diesel-backed switchgear in the diesel buildings, for motor-operated valves in the electrical equipment rooms in the reactor building, for DC/AC inverters, rectifiers, batteries and miniature circuit breaker distribution units in the control building or other buildings, the compressor motors for the air cooling system, or the water clean-up system.

BIBLIOGRAPHY

INTERNATIONAL ATOMIC ENERGY AGENCY, Control Room Design (Proc. Specialists’ Meeting San Francisco, July 1975).

US CODE OF FEDERAL REGULATIONS, General Design Criteria for Nuclear Power Plants, Title 10, Part 50, Appendix A (1972).

INSTITUTE OF ELECTRICAL AND ELECTRONICS ENGINEERS, Standard P567, Guide for the Use of Control Rooms.

INSTITUTE OF ELECTRICAL AND ELECTRONICS ENGINEERS, Standard P566, Guide for the Design of Display and Control Facilities for Central Control Rooms of Nuclear Generating Stations.

BRITISH STANDARDS INSTITUTE, Recommendations for the Design of Scales and Indexes, Part 1, British Standard 3693 (1964).

DEUTSCHES INSTITUT FÜR NORMUNG, Skalen und Zeiger für elektrische Meßinstrumente, Standard DIN 43802, Blatt 1-6, Berlin (1964).

McCORMICK, E.J., Human Factors Engineering, McGraw Hill, New York (1970).

SVERIGES STANDARDISERINGSKOMMISSION, Reactor Shutdown Without Access to the Control Room, Swedish Standard SEN 36 90 03, Standards Commission, Stockholm.

US NUCLEAR REGULATORY COMMISSION, Handbook of Human Reliability Analysis With Emphasis on Nuclear Power Plant Applications, Rep. NUREG/CR-1278 (1980).

10. INSTRUMENTATION

It is necessary to provide a wide variety of instrumentation in a nuclear power plant, so as to provide plant status and process information. These signals are used as information inputs for the control, status annunciation and activation of systems important to safety and other systems, and to indicate transients and deviations.

The instrumentation of an NPP may be grouped as follows.

Nuclear instrumentation: e.g. neutron flux density and spatial distribution used in reactor power measurement.

Process instrumentation: e.g. reactor pressure, coolant level or pressurizer level, steam flow, coolant temperature, flow and recirculation pump speed, containment pressure, water level and temperature, and component instrumentation, e.g. indicating valve and control rod position.

Process-radiation and site (area) instrumentation: e.g. main steam line, gas effluents and site (area) radiation monitoring.

Special instrumentation: e.g. seismic, monitoring of equipment vibrations, meteorological, hydrogen concentration, water conductivity, failed-fuel detection, boric acid concentration and other.

A large number of components (e.g. transducers), measurement principles and methods are employed.

Closely associated with the nuclear power plant instrumentation is the necessary signal-conditioning transformation and transmission, in order to enable trouble-free interfacing to the amplifiers or instrumentation units (e.g. 0 or 4-20 mA output current proportional to the measured quantity, low-impedance twisted wire lines, analog-to-digital conversion, trigger level realization, connections to sensitive amplifiers via screened cables, avoidance of common-mode voltages, and other special arrangements).

Detailed information about instrumentation systems is beyond the scope of this book. It can be found in the literature, in technical handbooks and in manufacturers’ descriptions.

The realization of the instrumentation has to take into account the prevailing needs and goals of the systems to which the instrumentation belongs, according to whether the system is classified as important to safety, or not.

BIBLIOGRAPHY

HARRER, J.M., BECKERLEY, J.G., Nuclear Power Reactor Instrumentation Systems Handbook, 2 volumes, US Atomic Energy Commission, TID-25952-P1 and P2, USAEC Technical Information Center, Springfield, VA (1973).

INTERNATIONAL ATOMIC ENERGY AGENCY, Protection System and Related Features in Nuclear Power Plants: a Safety Guide, Safety Series No. 50-SG-D3, IAEA, Vienna (1980).

INTERNATIONAL ATOMIC ENERGY AGENCY, Safety-Related Instrumentation and Control Systems: a Safety Guide, Safety Series No. 50-SG-D8, IAEA, Vienna (in preparation).

INTERNATIONAL ELECTROTECHNICAL COMMISSION, General Principles of Nuclear Instrumentation, Publication 231 (1967).

INTERNATIONAL ELECTROTECHNICAL COMMISSION, General Characteristics of Nuclear Reactor Instrumentation, Publication 232 (1966).

INTERNATIONAL ELECTROTECHNICAL COMMISSION, Principles of Instrumentation for Direct Cycle Boiling Water Reactors, Publication 231B (1972).

INTERNATIONAL ELECTROTECHNICAL COMMISSION, Principles of Instrumentation for Pressurized Water Reactors, Publication 231D (1975).

11. MAIN CONTROL SYSTEMS

11.1. Basic control concepts of PWR/NPPs

The elementary diagram of a PWR/NPP is shown in Fig. 17. The power reactor is governed by the reactivity in the core. Reactivity in turn is affected by all variables influencing neutron economy, such as temperature of fuel and coolant or concentration of neutron-absorbing materials in the core (control rods, poisons, etc.).

For practically all important PWR types the fuel temperature coefficient of reactivity is negative, i.e. rising temperature causes increased neutron absorption in ²³⁸U, thus counteracting the increase in power production. The overall temperature coefficient depends on a variety of plant parameters. In general, however, increased reactor power results in higher coolant/moderator temperature and effects a change in reactivity which has a stabilizing influence on the system. This negative feedback is an inherent characteristic and corresponds to a built-in control system (Fig. 18).

FIG. 17. Elementary diagram of PWR/NPP (reactor, steam generator, pumps). Symbols and typical values for some control variables: Pr, reactor pressure (150 bar); Ps, steam pressure (70 bar); Th, outlet coolant temperature from reactor (320°C); Ts, steam temperature (290°C); Tc, inlet coolant temperature to reactor (290°C); constant coolant flow and primary pressure.

FIG. 18. PWR/NPP inherent reactivity feedback (temperature coefficient loop).

FIG. 19. Variations in temperature and pressure with power output (part-load diagram).

The natural stability of a PWR in the course of load change has to be supported by external control loops in order to improve time behaviour as well as to avoid excessive deviations of plant parameters from normal values.

Parameters of special importance are primary coolant temperature and secondary pressure (which in saturated steam generators is directly related to secondary coolant pressure). Primary coolant pressure and flow are assumed to be constant.

Increasing power output from such a system must be accompanied by an increasing temperature difference between primary and secondary coolant, providing the necessary heat flow across the steam generator. Figure 19 shows these variations in a part-load diagram.

External control loops are used to control either one of these variables according to a program. The other variables depend on the characteristics of the plant.

The natural program for a reactor with a negative temperature coefficient is the constant-TAV program (TAV designates the average primary coolant temperature). A change in power demand requires a minimum of control rod motion, due to the self-stabilizing characteristics of the reactor. The volume of primary coolant remains essentially constant and the required size of the pressurizer is at a minimum. These conditions are preferable for the reactor. However, as can be seen from Fig. 20a, the steam pressure has to be varied over a wide range, requiring larger and heavier components in the secondary system.

The other extreme would be represented by a control programme for constant steam pressure with a corresponding rise in average primary coolant temperature (Fig. 20b). Advantages and disadvantages are now reversed: while the secondary side can be optimized, a large range of primary temperatures and corresponding problems of pressurizer dimensioning and coolant volume control have to be considered. More control rod motions are necessary to override the inherent temperature-stabilizing tendencies.

FIG. 20. Programs for PWR control: (a) constant TAV program, (b) constant Ps program.

FIG. 21. Programs for PWR control: (a) TAV - Ps compromise control, (b) power-dependent program.

Both control concepts are in use. Some manufacturers, however, prefer combinations of the two programs. This can be done either by ‘linear mixture’ (Fig. 21a) or by changing from one type of program to the other at certain power levels (Fig. 21b).
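The part-load programs discussed above can be compared numerically. The following Python sketch is an added example, not part of the guidebook: it uses the typical full-power values of Fig. 17 and assumes that, at constant coolant flow, both the core temperature rise (Th - Tc) and the primary-to-secondary difference (TAV - Ts) are proportional to power. The function names, and the choice of constant TAV below the switch-over point in the power-dependent program, are assumptions made for illustration.

```python
"""Steady-state PWR part-load programs (added illustration, simplified model)."""

# Typical full-power values quoted with Fig. 17 of the guidebook.
TH_FULL = 320.0  # reactor outlet coolant temperature, deg C
TC_FULL = 290.0  # reactor inlet coolant temperature, deg C
TS_FULL = 290.0  # steam temperature, deg C

TAV_FULL = (TH_FULL + TC_FULL) / 2.0  # average primary coolant temperature
CORE_RISE_FULL = TH_FULL - TC_FULL    # Th - Tc at 100 % power (constant flow)
SG_DROP_FULL = TAV_FULL - TS_FULL     # TAV - Ts at 100 % power


def _check(fraction, name="power"):
    if not 0.0 <= fraction <= 1.0:
        raise ValueError(f"{name} must be a fraction in [0, 1]")


def _state(power, tav):
    """Derive Th, Tc and Ts from TAV under the linear assumptions above."""
    half_rise = 0.5 * CORE_RISE_FULL * power
    return {
        "power": power,
        "tav": tav,
        "th": tav + half_rise,
        "tc": tav - half_rise,
        # Ts stands in for Ps: saturated steam pressure follows temperature.
        "ts": tav - SG_DROP_FULL * power,
    }


def constant_tav(power):
    """Fig. 20a: TAV held at its full-power value, Ts (and Ps) vary."""
    _check(power)
    return _state(power, TAV_FULL)


def constant_ps(power):
    """Fig. 20b: Ts (and Ps) held constant, TAV rises with power."""
    _check(power)
    return _state(power, TS_FULL + SG_DROP_FULL * power)


def linear_mixture(power, weight):
    """Fig. 21a: weight = 1 is constant TAV, weight = 0 is constant Ps."""
    _check(power)
    _check(weight, "weight")
    tav = (weight * constant_tav(power)["tav"]
           + (1.0 - weight) * constant_ps(power)["tav"])
    return _state(power, tav)


def switched(power, switch_power):
    """Fig. 21b: constant TAV below switch_power, constant Ps above it.

    The order of the two regimes is an assumption of this example.
    """
    _check(power)
    _check(switch_power, "switch_power")
    if power >= switch_power:
        return constant_ps(power)
    # Hold TAV at the value the constant-Ps program has at the switch point,
    # so that the two regimes join without a step.
    return _state(power, TS_FULL + SG_DROP_FULL * switch_power)


def swing(program, steps=20):
    """Range of TAV and Ts between 0 and 100 % power for one program."""
    states = [program(i / steps) for i in range(steps + 1)]
    tav = [s["tav"] for s in states]
    ts = [s["ts"] for s in states]
    return {"tav": max(tav) - min(tav), "ts": max(ts) - min(ts)}


if __name__ == "__main__":
    programs = {
        "constant TAV": constant_tav,
        "constant Ps": constant_ps,
        "mixture w=0.5": lambda p: linear_mixture(p, 0.5),
        "switch at 50 %": lambda p: switched(p, 0.5),
    }
    for name, program in programs.items():
        s = swing(program)
        print(f"{name:15s} TAV swing {s['tav']:5.2f} K, Ts swing {s['ts']:5.2f} K")
```

The swing figures show the trade-off described in the text: whatever temperature range is removed from the primary side reappears on the secondary side, and the combined programs split it between the two.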

FIG. 22. Control loops, ‘turbine-follows-reactor’ type (simplified diagram). Power demand acts mainly on the reactor power control. This control principle is preferably used for low-power operation.

FIG. 23. Control loops, ‘reactor-follows-turbine’ type (simplified diagram). Power demand acts mainly on the turbine control. This control principle is preferably used for high-power operation.

The reactor and turbine-generator are close-coupled systems. Power demand may be imposed either on the reactor (‘turbine-follows-reactor’ or ‘forward control’, Fig. 22, with secondary steam pressure control via turbine and bypass valves) or on the turbine (‘reactor-follows-turbine’ or ‘backward control’, Fig. 23, with reactor power control minimizing the primary coolant temperature deviations). In modern, large power plants the first principle is used mainly during start-up or shutdown, whilst the second principle or a combination of both principles is used during normal operation, i.e. base-load or load-following operation. (Note: the type of control is not necessarily dependent on a certain type of part-load programme.)

Figures 22 and 23 also show the use of neutron flux signals for reactor power control. This is advantageous at low power, when feedback via temperature is small, especially in the forward control mode (at very low power, open-loop control is used). For measures against power distribution tilts local neutron flux signals are used.

More detailed control concepts of different vendors can be found in the annexes.

11.2. Reactor power control for a PWR

As discussed in the preceding section, the reactor power is controlled by reactivity, mainly through the temperature coefficient of reactivity, control rod setting and boron concentration in the coolant.

Control rods in a PWR are inserted into the core from above. They are moved by various types of control rod drives. In the case of emergency shutdown the rods drop under gravity.

To accomplish uniform power density, control rods with part-length absorbers of different construction are used in some control concepts. Complex strategies for optimum control rod programs have been developed (see annexes).

Special consideration has to be given to problems of power distribution tilts caused by xenon oscillations in large cores.

11.3. Other important PWR control systems

11.3.1. Turbine control

Turbine control of a PWR/NPP is in general similar to that of a fossil-fired power plant.

In principle the turbine valves are controlled by load demand of the MW-demand setter to change the steam flow rate. Steam pressure may be used as an additional correction signal.

11.3.2. Steam generator

Typically the steam generator water level is controlled by feedwater and steam flow, similar to level control in conventional boilers.

11.3.3. Volume and boron concentration control systems

The volume control system keeps the primary coolant volume (represented by pressurizer level) near its reference value by varying the ‘let-down’ and the ‘make-up’ flow accordingly. This system is combined with boric acid concentration control. An increase in boron concentration in the primary system is performed by injection of boric acid, whereas demineralized water and low concentration make-up fluid are used to produce the opposite effect.

11.3.4. Reactor pressure control

Pressure in the primary loop is defined by the steam cushion in the pressurizer, a tank connected to the hot leg of one of the primary loops. The pressure of this saturated steam volume can be controlled via the temperature of the water in the pressurizer. This is done by electrical heating or by spraying water from the cold leg of the primary loop into the pressurizer. Outside the range of this control system, automatic relief and safety valves are used for pressure limitation.

11.4. Basic control concept of BWR/NPPs

11.4.1. Reactivity parameters in a BWR core

During normal power operation the reactivity in the BWR core is balanced by the following reactivity parameters:

(a) The excess reactivity of the fissile material when cold
(b) Control rod reactivity
(c) Moderator temperature reactivity
(d) Fuel temperature reactivity
(e) Steam void reactivity
(f) Xenon poisoning reactivity
(g) Burnable absorber reactivity.

(a) Cold excess reactivity

The cold excess reactivity is defined by the reactivity in the core in cold shutdown without xenon and without control rods inserted.

This reactivity is required for balancing negative reactivity contributions from fuel and moderator temperature increase, fission products build-up (poisoning), steam void and fuel depletion.

(b) Control rod reactivity

The control rod reactivity is mainly used to shut down the reactor safely and to start up to power operation. In older BWR plants control rods are also used for compensation of the depletion of the fissile material.

In modern BWRs so-called burnable absorbers are mainly used for this purpose.

(c) Moderator temperature reactivity

By this is understood the reactivity changes due to uniform change in core water and moderator water temperature. At very low temperatures the coefficient is slightly negative for a fresh core and slightly positive for an end-of-cycle core.

It becomes more negative for increasing temperatures because the moderation of neutrons decreases.

The time delay between a neutron power change and the feedback from the moderator temperature is of the order of five to ten seconds.

(d) Fuel temperature reactivity

A fuel temperature increase results in a higher neutron absorption in the fuel (Doppler effect).

Over the whole temperature operating range the fuel temperature coefficient is negative.

The time delay between a neutron power change and the feedback from the fuel temperature is slightly less than for the moderator temperature feedback.

(e) Steam void reactivity

The BWR core contains at power operation a mixture of water and steam. A higher volume of steam-bubbles means a lower moderation of neutrons.

A BWR is optimized to operate with a fairly strong negative void coefficient. As the steam void depends on local power distribution it is an excellent way to stabilize the core against local instabilities.

Time constants between the neutron power and the steam void feedback are of the same order as those for moderator feedback.

(f) Xenon poisoning reactivity

Depending on power level variations the xenon content in the core varies. Xenon is a fission product and a strong neutron absorber.

The time constant between the burnup or build-up of the xenon and changes in core power is of the magnitude of several hours.

(g) Burnable absorber reactivity

The excess reactivity when the fissile material is cold must be high enough to ensure that the reactor can be operated until the next outage for refuelling. The excess reactivity must therefore be sufficient to balance the fissile material burnup.

The introduction of burnable absorbers (BA) in the fuel reduces the maximum core excess reactivity and thus supplements the reactivity control of the control rods.

The negative influence of the BA reactivity will decrease with irradiation and towards the end of the fuel operating cycle practically all the BA will have vanished.

With an advanced design it is possible to have the control rods almost totally out of the core at rated power. In this way the control rod movements during full power operation are minimized.

11.4.2. BWR control concepts

An elementary diagram of a BWR is shown in Fig. 24.

The steam produced by the reactor core is separated from water in the reactor vessel and dried. The steam is transported to the turbine plant. The water is mixed with feedwater from the turbine condenser and recirculated through the core. The pressure of the reactor vessel or the turbine inlet pressure is, with minor exceptions, kept constant at power operation. Pressure control is performed by the turbine governor, which balances steam production and steam flow to the turbine. That means that the turbine accepts the flow generated by the reactor core. This principle is called ‘turbine slave to the reactor’ or ‘turbine follows reactor’.

For fast power control (step response) it is in modern designs possible to vary the reactor pressure within certain limits.

Return water (feedwater) to the vessel and the steam flow produced are balanced against each other in order to maintain constant water level in the reactor vessel.

Most European BWRs are provided with a system for 100% steam bypass to the turbine condenser. If the turbine cannot accept the produced steam flow it is routed directly to the turbine condenser. In such a way it is possible to avoid reactor scram if the turbine is tripped or if the electrical turbine generator load has been switched off suddenly (load rejection). During this last-mentioned mode of operation the reactor pressure is kept constant by the bypass valves. The turbine speed is kept constant by a control system acting on the turbine governor.


FIG.24. Elementary diagram of a BWR and typical values for some plant variables: steam pressure 70 bar; steam temperature 290°C; steam flow 1000 kg/s; feedwater temperature 190°C; recirculation flow 7300 kg/s; generator power 750 MVA.


FIG.25. BWR: operation diagram.


FIG.27. BWR: principle of relief valve control system.

The reactor power is determined by control loops for recirculation water flow or control rods. Variation in the recirculation flow will influence the steam void and hence core reactivity.

As this recirculation flow will determine the core cooling it is not permissible to have certain combinations of water flow and core heat power. For certain earlier reactor types there are also operational limitations because of hydraulic instabilities at low flows and mechanical stress problems for fuel boxes at high flows. The operation diagram is shown in Fig.25.

11.5. BWR control systems

11.5.1. Pressure and turbine speed control

As mentioned previously, the turbine inlet pressure or reactor vessel pressure is kept constant during normal operation by the turbine governor. In order to avoid excess turbine speeds at load rejection a high closing speed rate is required for the governor. If turbine speed is increased, the governor control system is automatically switched from pressure control to turbine speed control. At the same time pressure control is transferred to the steam bypass system. In order to avoid a pressure transient during this switch-over the bypass valves must open rapidly.

Many BWRs are provided with a special pressure control loop for start-up. Pressure increase or decrease is automatically set by a program controller.


FIG.28. BWR: basic design of feedwater control system.

If fast plant power control is required, the constant pressure control concept is abandoned temporarily. The turbine control principle is shown in Fig.26.

If the turbine unit or condenser is not available, reactor steam flow has to be bypassed into the containment water pool (suppression pool).

There are different types of valves, but a good practice is to have two reserved for accurate pressure control. These valves are provided with a pressure control system similar to that for the turbine unit (with the exception of speed control). This control system is automatically switched in. Similar to the turbine governor control there is also a sequence controller for increasing or decreasing the reactor pressure at a preset rate. This principle is shown in Fig.27.

11.5.2. Control of the vessel’s water level

The amount of feedwater returning to the vessel can be changed by controlling the speed of the feedwater pumps or the position of the control valves in the feedwater lines. As the water-level control must be in operation over a wide range of pressure and feedwater flow rates, very often combinations of speed and position control are used.


To minimize thermal transients when cold feedwater is pumped into the hot reactor vessel, special care has to be taken to provide a continuous and not pulsating flow. The feedwater level is determined in the first place by balancing the steam flow and return feedwater. A delayed control signal is obtained by measuring the water level. Very often the required water level is a function of the reactor power or post-scram conditions. Principles are shown in Fig.28.

11.5.3. Core power control

As mentioned previously, recirculation flow control changes the reactor power.

In earlier reactors the total recirculation flow was routed outside the vessel through recirculation pumps. The pump motors were driven by a variable frequency obtained by a motor-generator unit. Other designs use jet pumps inside the vessel and a small amount of recirculation flow is used to control these.

The flow can be varied by pump speed or control valve position control. These pumps or control valves are located outside the vessel. The latest designs include pumps built completely inside the reactor vessel. No recirculation flow is routed outside the vessel. The pump motor is fed by a variable frequency obtained using thyristors.


Different control modes are possible, e.g.:

— constant recirculation flow
— constant power or constant power rate control
— frequency control.

Very often the control system is also provided with stabilizing loops which prevent the reactor power exceeding certain limits.

Should a fast power response be required the flow control and pressure control systems can be connected. For a short period the reactor pressure is decreased until the flow is increased. Figure 29 shows the principles.

11.5.4. Control rod control

Control rods are provided with two control systems:

— for scram
— for power or power distribution control.

Modern designs separate the control systems and also the actuators for these two functions completely.

For reactor scram there is a hydraulic system which inserts the control rods very fast. For power control or power distribution control, motor-driven actuators are used for accurate and slow positioning of the rods.

To date control rods have not been included in a closed-loop concept. Several power plants use computers in the manual control system. Such computers are used to store and set up control rod sequences.

As mentioned earlier there are plants in operation where the rods are completely withdrawn during operation. Such plants require control rod positioning only during start-up and shutdown.

11.5.5. Other control systems

There are other important control systems in a BWR plant. Examples of these are:

— generator voltage control
— feedwater temperature control
— condenser make-up control.

Such control systems are conventional and are similar in design to those in fossil-fired power plants.


12. SAFETY SYSTEMS AND SAFETY-RELATED SYSTEMS

12.1. Protection system

The design basis for the reactor protection system of a particular plant is a set of postulated initiating events which have to be considered in the safety analysis. For each of these events acceptable limits on their consequences have to be established (see IAEA Safety Series No. 50-SG-D3). Thereby the functional requirements for the protection system and the safety actuation systems are defined. Since each initiating event is detected when a certain set of plant variables exceed preset limits the protection system has to be designed for the logical sequence: postulated initiating event — initiating criteria — corresponding safety action. Some of these correlations for a BWR are shown in Fig.30. For example: the postulated initiating event “loss of coolant inside containment” (caused, e.g., by rupture of a main steam line) is indicated by at least two physical variables: reactor water level and containment pressure (see subsection 8.5.1). These variables, those which are primarily affected by this event, are used as initiating criteria for proper safety actions. As shown in Fig.30, reactor shutdown, containment isolation, high- and low-pressure coolant injection and turbine trip are the safety actions counteracting this particular accident. The diagram is a very simplified version. A typical 700 MW(e) BWR has about 20–30 safety variables monitored by 200–300 analog transmitters and about the same number of on/off switches. The protection system provides about 20–30 protective actions.


[Figure 30: diagram for a nuclear power plant (BWR) relating the variables affected, the postulated initiating events and the actions required. Postulated initiating events listed: loss of coolant inside containment; leak in main steam line outside containment; loss of main heat sink; trip of feedwater pumps; suppression-chamber disturbance; unlimited withdrawal of control rods. Signal path: initiating criteria, protection system, safety actuation systems (with safety system support features), safety actions.]

FIG.30. Initiating events and criteria, with the corresponding safety actions for a BWR.

A corresponding example for a PWR is shown in Fig.31. The inputs and outputs of the protection system for a typical set of postulated initiating events are shown in a very simplified manner.

Protective actions may be fully safety-oriented, i.e. the associated safety actuators will bring the plant into a safe condition under all circumstances, even in the case of a faulty actuation. Typical examples are reactor shutdown or start-up of emergency supplies. These should be carefully distinguished from not fully safety-oriented actions. The effect of these actions is dependent on the momentary boundary conditions of plant operation, such as mode of operation (start-up, full power, etc.) as well as plant status (e.g. repair or test of systems). Spurious initiation of not fully safety-oriented actions must never cause damage to the plant (e.g. abrupt pressure relief in a BWR may damage pressure vessel internals) nor must it prevent other protective actions.


[Figure 31: diagram for a nuclear power plant (PWR) relating the variables affected, the postulated initiating events and the actions required. Postulated initiating events listed: major leak in reactor coolant system; leak in main steam line outside containment; leak in main steam line inside containment; trip of several main coolant pumps; trip of feedwater pumps; unlimited withdrawal of control rods. Signal path: initiating criteria, protection system, safety actuation systems (with safety system support features), safety actions.]

FIG.31. Initiating events and criteria, with the corresponding safety actions for a PWR.

A different approach must be used in both cases when ‘fail-safe’ design is to be applied. Special attention has to be paid to faulty actuation of not fully safety-oriented protective actions.

General design principles of the protection system incorporate the well-known concepts of redundancy, diversity, physical segregation and testability. In some cases automatic signal comparison between redundant channels is used.

Because of the importance of the protection system for the safety of the plant all quality requirements for the hardware are high and design tends to be conservative, relying on well-proved equipment and components. Relay systems or dynamic pulse-operated logic (or combinations of both) are usually preferred to other types of bi-stable devices.

The fact that large PWRs have fuel design limits on departure from nucleate boiling ratio (DNBR) and peak linear heat rating emphasizes the need for monitoring these important safety variables even though they are not directly measurable parameters. Both are affected directly by power density.

Early protection systems in PWRs usually derived information about power distribution from an array of ex-core neutron detectors measuring neutron flux at two levels of the core (axial power difference). Based on additional correlations (developed off-line) the most pessimistic power distribution for a given axial difference was used, resulting in some loss of load factor.

Systems of more modern design have introduced improvements by using

— multisection ex-core detectors and/or in-core detectors for better knowledge of power distribution.

— digital calculation of DNBR and local power density. For this purpose dedicated computers (core protection calculators), microprocessor-based systems or digital calculating modules are used by different manufacturers.

In all cases limiting values for the initiation of protective actions are derived from these calculated variables in the same manner as limiting values from directly measured plant variables.

Problems of a similar kind led to the use of in-core neutron detectors in BWRs at a very early stage of their development.

In some countries more extensive use of computers in safety systems is restricted by the problem of licensability. At present there are experiments in various nuclear power plants, where protection system computers are operated open-loop in parallel with conventional hardwired equipment to enable experience to be gained and performance data to be collected.

Computation of plant variables for protection system input (e.g. pressure corrections for level measurements based on differential pressures) is still preferably made by analog computing modules.

12.2. Safety actuation systems

According to the definition of IAEA Safety Series No. 50-SG-D3, the safety actuation systems are the final control elements of the reactor protection system.

In general the structure and the equipment used in the control of safety actuation systems as triggered by the reactor protection system is not very different from other industrial systems actuating electric, electromechanical, hydraulic or pneumatic equipment. Usually some kind of sequence control is employed. There are, however, specific properties of these safety-relevant systems:

— Redundancy. The application of this principle is not only reflected in the multiplicity of subsystems available for a safety task (e.g. 3 × 100% or 4 × 50% emergency power supply capacity) but in many cases also in the internal structure: 1-of-2 or 2-of-3 configurations of power switches, pilot valves, actuators, etc.

— Priority. In fulfilling its safety task, a safety actuation system is given priority over other operational systems. Sequence control is programmed in such a way that protection signals have priority. In certain cases they can even override interlocks for component protection.

— Manual intervention. There are very varied philosophies concerning the role of the operator. Whereas at least one national standard (Safety Standard KTA 3501, see bibliography) allows manual interventions (such as initiation, interruption or resetting) only in well-proved exceptions, IAEA Safety Series No. 50-SG-D3 emphasizes provision of manual back-up for safety actions. These different philosophies are reflected in the degree of automation necessary and the time available to the operator before he must take action.
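The sequence described in 12.1 (initiating criteria, protection system, safety action) and the redundancy and priority properties listed above can be sketched as follows. This is an added example, not code from the guidebook: the setpoints, units, actuator names, the rule that a dead channel votes for a trip, and the rule that either criterion initiates the full action set are assumptions made for illustration.

```python
"""Added example: 2-of-3 voted protection logic with fail-safe channels.

Setpoints, readings, units and all identifiers are constructed for illustration.
"""
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Optional, Sequence, Set, Tuple

Readings = Sequence[Optional[float]]      # three redundant channels; None = dead


@dataclass(frozen=True)
class Criterion:
    setpoint: float
    trip_when_low: bool    # True: trip below setpoint; False: trip above it
    max_spread: float      # allowed deviation from the median of live channels


# Initiating criteria of the loss-of-coolant example (values constructed).
CRITERIA: Dict[str, Criterion] = {
    "reactor_water_level": Criterion(12.0, True, 0.5),
    "containment_pressure": Criterion(1.2, False, 0.1),
}

# Safety actions the text lists for this event, each with a constructed
# (actuator, command) pair. Assumption: either criterion initiates the full set.
LOCA_ACTIONS: Dict[str, Tuple[str, str]] = {
    "reactor_shutdown": ("control_rods", "INSERT"),
    "containment_isolation": ("isolation_valves", "CLOSE"),
    "high_pressure_coolant_injection": ("hp_injection_pumps", "RUN"),
    "low_pressure_coolant_injection": ("lp_injection_pumps", "RUN"),
    "turbine_trip": ("turbine_stop_valves", "CLOSE"),
}


def channel_votes(crit: Criterion, readings: Readings) -> List[bool]:
    """One trip vote per channel; a dead channel votes for the trip (fail-safe)."""
    votes = []
    for value in readings:
        if value is None:
            votes.append(True)
        elif crit.trip_when_low:
            votes.append(value < crit.setpoint)
        else:
            votes.append(value > crit.setpoint)
    return votes


def vote_2_of_3(votes: Sequence[bool]) -> bool:
    """2-of-3 coincidence: a single spurious or dead channel cannot trip alone."""
    if len(votes) != 3:
        raise ValueError("expected exactly three redundant channels")
    return sum(votes) >= 2


def compare_channels(crit: Criterion, readings: Readings) -> List[int]:
    """Channel indices to annunciate: dead, or too far from the live median."""
    live = [v for v in readings if v is not None]
    mid = median(live) if live else 0.0
    return [i for i, v in enumerate(readings)
            if v is None or abs(v - mid) > crit.max_spread]


def evaluate(plant: Dict[str, Readings]) -> Tuple[List[str], Set[str], Dict[str, List[int]]]:
    """Return (tripped criteria, demanded safety actions, suspect channels)."""
    tripped: List[str] = []
    suspects: Dict[str, List[int]] = {}
    for name, crit in CRITERIA.items():
        # A criterion with no measurement at all is treated as three dead channels.
        readings = plant.get(name, (None, None, None))
        if vote_2_of_3(channel_votes(crit, readings)):
            tripped.append(name)
        flagged = compare_channels(crit, readings)
        if flagged:
            suspects[name] = flagged
    demanded = set(LOCA_ACTIONS) if tripped else set()
    return tripped, demanded, suspects


def arbitrate(operational: Dict[str, str], demanded: Set[str]) -> Dict[str, str]:
    """Priority: a protection demand overrides the operational command."""
    final = dict(operational)
    for action in sorted(demanded):
        actuator, command = LOCA_ACTIONS[action]
        final[actuator] = command
    return final


if __name__ == "__main__":
    # Constructed case: level channel 0 dead, channel 1 genuinely low.
    plant = {"reactor_water_level": (None, 11.0, 14.0),
             "containment_pressure": (1.0, 1.0, 1.01)}
    tripped, demanded, suspects = evaluate(plant)
    print(tripped, sorted(demanded), suspects)
    print(arbitrate({"turbine_stop_valves": "OPEN", "feedwater_pump": "RUN"}, demanded))
```

A single spurious or dead channel is annunciated by the comparison step without initiating any action, while two coincident votes (real or fail-safe) initiate the whole action set and override the operational commands.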

Typical safety actuation systems of LWRs include:

— Scram system
— Low-pressure emergency core cooling systems
— Emergency feedwater system (PWR)
— Containment isolation
— Emergency diesel-generators.

12.3. Safety system support features

Safety system support features are defined as the collection of equipment that provides service such as cooling, lubrication and energy supply to the reactor protection system and the safety actuation systems.

To keep up the high standard of quality usually invested in the safety systems it is essential that the auxiliary supplies have comparable reliability and availability. For example, sufficient ventilation and cooling for electronic components must be assured by redundant or stand-by systems. Their design must not violate the physical separation of the redundant main systems or fire barriers, although these requirements may often be in conflict with accessibility and maintenance considerations.

Electrical power to the reactor protection system in current LWRs is supplied from rectifier/battery systems in redundant configuration. Decoupling is achieved by diodes. The batteries provide a non-interruptible power source and act also as a filter between the plant auxiliary power supply and the protection system.

Electrical power to the safety actuation systems in the case of loss of grid is supplied by diesel generator sets with various degrees of redundancy (2 × 100%, 3 × 100%, 4 × 50%, etc.) depending upon the reliability criteria in different countries.


Cable routing, type, dimension and position of fuses should be carefully checked during the design and installation phase to avoid problems of interference and of possible overheating in the case of short circuits or ground connections.

Safety system support features should have automatic switch-over to their reserve systems when malfunctions occur. In any case they should annunciate failures of their function in the main control room.

12.4. Safety-related systems

Limitation systems. The tasks of limitation systems may be considered to range between the normal operating levels and the levels at which the protection system operates. Limitation systems are able to override both manual and automatic control actions in the case of disturbance and to restore plant variables to normal values before protective actions (usually including reactor shutdown) are initiated. For a more detailed description refer to the Appendix.

These systems are not always clearly defined as limitation systems. They may be considered to be part of the protection system or part of the closed-loop control systems.

Alarm annunciation. The large number of plant variables which have to be measured and supervised in a nuclear power plant require a systematic approach in presenting alarms to the operator. It is also necessary to have an alarm log for analysis and documentation.

The present situation is characterized by two competing approaches to the problem:

— The conventional alarm system having typically thousands of alarm points and using sequence-of-events recorders. Solid-state modular systems are widely used for producing audible and visual alarms. Different flashing frequencies and colours may be used; logical grouping of alarms can greatly facilitate the information presentation.

— The computer system. In addition to presenting alarms to the operator the computer is well suited for producing alarm sequence logs even of parameters which are not directly measurable and need some kind of computation.

The full advantage of computers is demonstrated in applications such as core supervision, thermal power and burnup calculations. Based on the information of in-core detectors, it is possible to supervise computed parameters such as MCHFR (minimum critical heat flux ratio) in a BWR, giving the margin to film boiling in critical parts of the core. These computed parameters can be displayed to the operator, possibly together with intended operating levels.


The main problem is to present the enormous amount of information in a manner that will not overload the capability of the human operator. Some form of data reduction is necessary; the use of computers for automatically processing the measured data is advantageous. On the other hand, the use of too much processed information will increase the danger of having important single sensors masked by summarized and averaged data. Moreover, the operator is not ‘coupled’ closely to his process any longer. In fact, in modern power plants the designer has to try to find an optimal compromise between the two extreme methods of data presentation (e.g. categorization of alarms).

Special systems. There is a great variety of special systems covering certain safety-related aspects of operation (both in BWRs and PWRs). A systematic survey of these systems (such as radiation detection equipment, effluent monitoring, instrumentation system for coolant purification and treatment, etc.) is beyond the scope of this book. A few important examples, however, may be mentioned:

— Core motion monitoring. A basic design feature of a PWR is the suspension of the core from an attachment of its container, the core barrel, to the reactor vessel’s head flange. Hydraulic turbulence and mechanical vibrations caused by the cooling system may lead to excitation of motions of the core barrel and consequently of the fuel elements. The changing water gap between core and reactor vessel can be detected by the out-of-core neutron chambers. Analysis of the data in the amplitude and frequency domain has led to detection and repair of improper barrel clamping in at least one practical case. Abnormal motions of other PWR internals (control rods, fuel, core support) have been experimentally identified by similar methods and measuring systems.

— Seismic instrumentation. Systems of this kind used in nuclear power plants consist mainly of triaxial accelerographs, seismic switches and response spectrum recorders. The instrumentation is used to record earthquake intensity and to monitor the plant’s response. This information is used to aid a decision on plant shutdown when the operating basis earthquake is exceeded. Automatic seismic reactor shutdown for commercial power plants is presently still under discussion.

— Measurement of hydrogen concentration in the containment. These measurements may be made continuously or, more usually, by taking samples from the containment area.

— Noise analysis. Basic measurement methods of this type have long been in use. However, the development of neutron noise techniques is specific to reactors and has offered many measurement possibilities otherwise impossible because of the hostile environment inside the reactor. These methods have proved especially beneficial in the detection of excessive vibration and part loosening inside the reactor vessel. In BWRs, problems with jet pumps, with vibration of feedwater spargers and with motion of in-core instrument tubes caused by hydraulic excitation have occurred and have motivated the search for better techniques. Pre-operational test programs should furnish base-line data for detecting developing anomalies in the reactor system later on.

— Post-accident monitoring. Experience has shown that even if safety systems are working properly during the early stages of an accident it is indispensable to have a certain minimum amount of instrumentation available for long periods after the occurrence. Therefore even those parts of the instrumentation not directly associated with the safety of the public but essential for post-accident monitoring should be carefully selected and tested with an eye to assuring minimum damage to the plant.

BIBLIOGRAPHY

KERNTECHNISCHER AUSSCHUSS, Safety Standard KTA 3501, Reactor Protection System and Monitoring of Engineered Safeguards, KTA Cologne (1977) (in German).

INSTITUTE OF ELECTRICAL AND ELECTRONICS ENGINEERS, Standard 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations (also designated ANSI N42.7-1972).

INTERNATIONAL ATOMIC ENERGY AGENCY, Operational Limits and Conditions for Nuclear Power Plants: a Safety Guide, Safety Series No. 50-SG-03, IAEA, Vienna (1979).

INTERNATIONAL ATOMIC ENERGY AGENCY, Use of Computers for Protection Systems and Automatic Control (Proc. Specialists’ Meeting Munich, May 1976).

INTERNATIONAL ATOMIC ENERGY AGENCY, Procedures and Systems for Assisting an Operator During Normal and Anomalous Nuclear Power Plant Operation Situations (Proc. Specialists’ Meeting Munich, Dec. 1979).

INTERNATIONAL ATOMIC ENERGY AGENCY/NPPCI, In-Core Instrumentation and Failed Fuel Detection and Location (Proc. Specialists’ Meeting Mississauga, 1974).

US NUCLEAR REGULATORY COMMISSION, Regulatory Guide 1.47, Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems.

JOLLY, M.C., et al., Principles and practice of reactor safety systems, Nucl. Eng. Int. (Feb. 1976).

ALEITE, W., et al., (Protection) Limitation Systems, ANS/ENS meeting, Knoxville, 1980, CONF-800403 (Vol. 2), available from INIS.

ANNEXES

NATIONAL EXPERIENCE

These annexes were prepared for this guidebook by representatives of the Member States concerned, who were nominated by their respective Authorities to assist the Agency.

It is recognized that there is no typical or average nuclear power reactor, and there are also wide variations in the instrumentation and control concepts and systems that have been developed and that are applied in different countries and by different manufacturers. It is felt that the analysis and evaluation of different instrumentation and control concepts and systems may provide useful guidance. For this purpose, experience of the following companies in the subject area of the Guidebook is presented:

Atomic Energy of Canada Ltd, Canada
Framatome, France
Kraftwerk Union AG, Germany, Federal Republic of
Toshiba Corp., Japan
Hitachi Ltd, Japan
Mitsubishi Atomic Power Industries Inc., Japan
ASEA-ATOM AB, Sweden

The List of Participants contains the names of the authors who prepared the annexes.


ANNEX I

INSTRUMENTATION AND CONTROL CONCEPTS FOR CANDU REACTORS

A CANADIAN EXAMPLE


1. INTRODUCTION

The instrumentation and control systems provided in a CANDU nuclear power plant include all systems required for

— automatic control of the reactor, balance of plant and auxiliary systems
— safe shutdown of reactor and auxiliaries
— on-power refuelling
— control of access to high-radiation areas
— detecting heavy water leaks
— plant-wide monitoring of radioactivity
— fire protection
— failed-fuel detection and location.

The major differences between CANDU control and instrumentation systems and other reactor concepts are in reactor control, safety philosophy, on-power refuelling and the need for heavy-water instrumentation. These are treated in sufficient detail so that Instrumentation and Control (I&C) specialists from countries about to embark on a nuclear programme can compare the CANDU systems to other systems. The other I&C topics listed above are more common to all nuclear power stations and are therefore only briefly discussed.

The systems described herein are being offered as part of the CANDU-PHW¹ 600 MW(e) power reactor design [1] which is being marketed internationally. Changes can be incorporated into the design to conform to the different regulatory standards that exist throughout the world.

2. REACTOR FUNDAMENTALS

2.1. Pressure tube concept

The CANDU-PHW reactor is a heavy-water-moderated, heavy-water-cooled, natural-uranium-fuelled reactor which utilizes the pressure tube concept. The pressure tubes containing the fuel run horizontally through the reactor core as shown in Fig. 1. Pressurized heavy water carries the heat from the fuel to the steam generators.

Each pressure tube is isolated and insulated from the heavy water moderator by a concentric calandria tube and a gas annulus. Consequently the moderator system is operated at low temperature and pressure. The reactivity control and shutdown mechanisms reside in the low-pressure moderator, thus simplifying their design, construction and maintenance and eliminating the possibility of their ejection in an accident situation. As well, this cool moderator can act as a heat sink under certain accident conditions.

¹ CANada Deuterium Uranium, Pressurized Heavy Water.


[Figure 1: schematic with labels for steam pipes, moderator pump and moderator heat exchanger. Legend: light water steam; light water condensate; heavy water coolant; heavy water moderator.]

FIG.1. Steam supply system of a CANDU reactor.


FIG.2. Hot bundle power transient following a break in one reactor inlet header. (Horizontal axis: time, s.)

2.2. Natural UO2 and D2O

The use of natural uranium fuel in an optimized lattice, and heavy water as moderator and coolant, combined with the capability to refuel the reactor while at full power, gives the CANDU reactor its good neutron economy and low excess reactivity. This results in a power reactor with very low fuel costs.

2.3. Reactivity feedback

The only reactivity feedback effects that are of any consequence are the coolant density (or void), fuel temperature and xenon effects. Since the moderator temperature is controlled independently of the primary coolant, it does not contribute any significant reactivity feedback.

The fuel temperature reactivity coefficient is negative and therefore stabilizing whereas the coolant void reactivity coefficient is positive and therefore destabilizing. The sum of these, and lesser reactivity feedback effects, is a power reactivity coefficient that is near zero under normal operating conditions.

2.4. Reactor kinetics

The prompt neutron lifetime in a CANDU lattice is relatively long (= 0 .9 ms) and the delayed neutron fraction (=0 .005) is enhanced by the presence o f photo-

1 5 7

Page 182: Nuclear Power Plant Instrumentation and Control A Guidebook

T IM E A F T E R SH U TD O W N ( H O U R S )

FIG . 3. R e a c to r p o w e r tra n sien t during a sta r t-u p fo llo w in g a 3 0 m in sh u td o w n .

neutrons. These two factors, combined with the subdivision o f the primary coolant circuit into two separate loops, slow down a potential power excursion considerably, as compared to typical light-water reactors [2 ].

Figure 2 shows typical power pulses for the “hottest fuel bundle” due to a Loss-of-Coolant Accident (LOCA) resulting from 20%, 30% and 100% inlet header breaks followed by the action of one of the shutdown systems in the 600 MW(e) CANDU-PHW reactor. The additional energy stored in the fuel during these transients (≈2.6 full power seconds) is more than a factor of 3 below that required to cause fuel damage (≈9 full power seconds). Hence spontaneous fuel breakup is not a safety concern during a LOCA in CANDU-PHW.

2.5. Xenon feedback

A reactor that is unstable due to xenon feedback effects would undergo slow, divergent spatial power oscillations (e.g. side to side or end to end) which, at constant total power, would overheat some fuel. The CANDU-PHW reactor is equipped with a continuous, automatic spatial control system that prevents xenon oscillations and corrects flux distortions due to other causes.

The xenon load at full power is ≈29 mk. When the reactor power is rapidly decreased, the xenon concentration increases over a period of a few hours and then decays. The resulting variation in core reactivity is made up by the movement of zonal control absorbers and, if necessary, the removal of some adjuster rods from the core.

In the event of a shutdown from full power, the adjuster rods have enough reactivity to restart the reactor within ½ hour, before poisoning out. A typical start-up power history, using the 7 banks of adjusters, is shown in Figure 3.

3. OVERALL INSTRUMENTATION AND CONTROL DESIGN PHILOSOPHY

3.1. Defence-in-depth

The CANDU I&C systems are designed for high reliability and availability to meet stringent safety and operational requirements. To achieve these goals a defence-in-depth design philosophy is employed. On the reactor design itself, this takes the form of multiple physical barriers to radioactive release, including the uranium oxide fuel, the fuel sheath, the primary heat transport system, the containment system and the exclusion zone of the site. ‘Defence-in-depth’ manifests itself in the I&C design in such ways as providing diversely functioning systems that can do the same job, procuring components for different systems from different suppliers, using physical separation of systems and components that provide back-up functions to each other and annunciating and correcting minor system upsets before they become major.

The final elements in this ‘defence-in-depth’ approach are the Special Safety Systems that shut down the reactor, provide long-term cooling of the fuel and contain potential releases of radioactivity. There are four Special Safety Systems:

— Shutdown System Number One (SDS-1)
— Shutdown System Number Two (SDS-2)
— Containment System (CS)
— Emergency Coolant Injection (ECI)

3.2. Special safety systems

Each system is completely independent from the others, with its own sensors, logic and actuators. Each system employs triplicated logic, meets the IAEA single-failure criterion, and is designed with built-in features to facilitate on-line testing.


The provision of two shutdown systems, either of which is capable of shutting the reactor down for the entire spectrum of postulated initiating events, is a unique feature of the CANDU I&C design. The two shutdown systems are geometrically and functionally independent of each other, and each is designed such that at least two, generally diverse trips (trips based on functionally different measured variables) are activated by any single process failure.

The Special Safety Systems, in turn, are to the greatest extent possible free from operational connection with any of the process systems, including the Reactor Regulating System.

To provide protection against postulated initiating events of low probability such as fires or local missiles, the plant systems, both process and safety, are divided into two groups.

All Special Safety Systems and associated support services are designed as Group 2 and located in a physically separate area from the normal plant process systems in Group 1. In the event that one group is disabled by a common-mode incident, the following capability is preserved:

— Reactor shutdown
— Decay heat removal
— Preservation of radiation release barrier
— Supply of information required to assess the state of the nuclear steam supply.

Defence against earthquakes is facilitated by seismically qualifying all Group 2 equipment, and the main control room is sufficiently qualified against earthquakes that it is possible for the operator to remain in it after an earthquake. If the main control room were lost for any reason, the essential reactor systems could be regulated from a secondary control area, which is geographically isolated from the main control room.

3.3. Reactor regulation

An essential principle of CANDU I&C philosophy is that major plant control, annunciation and display functions should be computerized. The resulting high degree of automation and improved man/machine interface leave the operator free to concentrate on unusual occurrences, and have the additional advantage during commissioning of facilitating design improvements. A dual computer system concept is employed to provide the required high reliability.

Each computer is capable of complete station control and transfers control automatically either completely, or by function, to the other on detection of a fault. Changeover from one to the other occurs when internal hardware and software self-checking, or an external ‘watchdog timer’, detect a system fault. System faults result in an automatic reloading of memory followed by a computer restart, or a complete transfer of control to the other computer, depending on the severity of the condition detected.


The control functions are designed to be independent of each other, to be immune to single input faults and to ensure that all controlled devices produce their desired outputs. The system depends on redundant information, rationality checks and feedback from the controlled devices. In effect, each function determines for itself if it should continue or relinquish control. A function that relinquishes control produces an alarm for each abnormal condition and turns itself off, leaving its outputs in a safe state. Control of the function automatically transfers to the other computer.

The computer system plays an integral role in the defence-in-depth approach and attempts to intercept system upsets before they become reactor trips. This it does by control algorithms that reduce reactor power when certain variables are outside their acceptable control ranges, thus restoring normal operating conditions without invoking a trip.

3.4. Electrical power supplies

Finally, there is ‘defence-in-depth’ in the electrical power supplies. Each channel of the triplicated safety systems is fed from independent uninterruptible power supplies. Similarly each computer of the dual computer system is fed from a separate independent uninterruptible power supply to avoid loss of control capability due to a common power supply fault.

4. AUTOMATIC CONTROL SYSTEMS

4.1. General

The maximum practical amount of automatic control is incorporated in the CANDU design, to reduce the routine workload of the operating staff. This frees them for high-level monitoring of overall plant status, thereby enhancing operating efficiency.

Two identical, independent digital computers are used for direct digital control, and almost all major control functions are computer controlled. Each computer is capable of complete station control and will transfer control automatically to the other computer on detection of a fault. An availability in excess of 99.8% has been achieved with this system [3].

The control systems are designed to make the plant tolerant to expected and unexpected transients to avoid unnecessary plant outages. A design objective has been to make the intervention of the shutdown systems unnecessary in all cases except real accidents in which public safety is in question.

The loss-of-line to the bulk electrical system and a turbine trip are two transients that the control system must periodically cope with. This it does by rapidly reducing reactor power to about 60% combined with discharging steam to the turbine condenser or to the atmosphere. Following such a transient, the reactor system is capable of sustained operation at any load between 55% and 100% of rated capacity.

FIG. 4. Block diagram of overall plant control. [Figure not reproduced.]

Some CANDU reactors are provided with control equipment for cogeneration — generation of electricity and the provision of process steam to a nearby industrial process.

4.2. Overall plant control

The control of the reactor and its steam loads is accomplished by keeping the boiler steam-drum pressure constant. Two distinct control modes exist for doing this.

— NORMAL is the usual control mode at high power. The turbine load is set to the desired value and the reactor power adjusts automatically to maintain constant steam generator pressure.

— ALTERNATE is the usual control mode at low power (below ≈2%) and during upset conditions. The operator specifies the reactor setpoint and the plant steam loads are adjusted to maintain steam generator pressure.

The main components of the overall plant control loops are shown in Fig. 4, with the control computer programs in a separate box.


The primary functions of the main programs shown are:

(1) Unit Power Regulator - Changes turbine load as demanded by the operator or by the Remote Control Centre, and maintains the desired generator load.

(2) Steam Generator Pressure Controller — In the NORMAL mode it controls boiler pressure by changing the reactor power setpoint. In the ALTERNATE mode it adjusts the plant loads.

(3) Reactor Flux Control — Adjusts the reactor’s reactivity devices to maintain the neutron power specified by the Demand Power Routine.

Most of the other programs in the computer are described separately.

The plant loads are shown in Fig. 4 and include:

(1) Turbine — Normally controlled from the Unit Power Regulator. Hardware unloaders protect the turbine during abnormal conditions.

(2) Condenser Steam Discharge Valves — Normally controlled from the Steam Generator Pressure Controller. Separate hardware logic closes these valves on low condenser vacuum to protect the condenser.

(3) Atmospheric Steam Discharge Valves — Normally controlled from the Steam Generator Pressure Controller.

(4) Process Steam — Controlled from the Steam Generator Pressure Controller in response to flow demands from the external process, or at low flows, in response to pressure control requirements.

4.3. Digital computer systems

Digital computers are used for station control, alarm annunciation and data display. The design of this system has been continually improved from the first direct digital control system in the Douglas Point generating station which went into operation in 1966.

The current station-control and data acquisition uses the dual configuration shown in Fig. 5, consisting of two identical computers, one on hot-stand-by, connected by a data link and a shared display system [4]. No analog backup is needed because the availability of the dual computer system is more than 99.8%.

The high reliability of this dual computer control system results from a combination of highly reliable solid-state hardware and a self-checking system.

Software and hardware faults are detected by internal self-checking plus an external ‘watchdog timer’. Detection of a fault results in individual control tasks being transferred to the other computer. A restart system, that automatically reloads the core memory from the disc memory and restarts the computer, is combined with the fault detection to provide a system practically immune to transient faults.
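The fault handling described here and in Section 3.3, as an added Python example that is not part of the guidebook or of any CANDU software: each control function checks its redundant inputs, relinquishes control to the stand-by computer when fewer than two agree, and loses control on a watchdog timeout. The computer names A and B, the tolerance, the timeout, the safe-output value and all signal values are assumptions made for the illustration.

```python
"""Added illustration (not from the guidebook): per-function transfer of
control between two control computers, driven by self-checks and a watchdog."""
from statistics import median

SAFE_OUTPUT = 0.0        # assumed safe state of a relinquished output
WATCHDOG_TIMEOUT = 2     # assumed: control cycles allowed between watchdog kicks


def rational_value(signals, tolerance):
    """Median of the redundant signals that agree with each other, or None
    when fewer than two agree (the function must then relinquish control)."""
    present = [s for s in signals if s is not None]
    if len(present) < 2:
        return None
    mid = median(present)
    agreeing = [s for s in present if abs(s - mid) <= tolerance]
    return median(agreeing) if len(agreeing) >= 2 else None


class Computer:
    def __init__(self, name):
        self.name = name
        self.running = True      # set False to simulate a stalled program
        self.last_kick = 0

    def kick_watchdog(self, cycle):
        if self.running:
            self.last_kick = cycle

    def watchdog_expired(self, cycle):
        return cycle - self.last_kick > WATCHDOG_TIMEOUT


class DualComputerControl:
    def __init__(self, functions, tolerance):
        self.a, self.b = Computer("A"), Computer("B")
        self.tolerance = tolerance
        self.owner = {f: self.a for f in functions}  # A controls, B is hot stand-by
        self.alarms = []

    def _evaluate(self, computer, cycle, signals):
        """The function's own verdict on one computer: a value, or None.
        A stall stays invisible until the watchdog times out; the timeout
        bounds that detection delay."""
        if computer.watchdog_expired(cycle):
            return None
        return rational_value(signals, self.tolerance)

    def step(self, cycle, inputs):
        """inputs[computer][function] is that computer's list of redundant
        readings. Returns {function: (controlling computer or None, output)}."""
        for c in (self.a, self.b):
            c.kick_watchdog(cycle)
        outputs = {}
        for func, owner in list(self.owner.items()):
            value = None
            if owner is not None:
                value = self._evaluate(owner, cycle, inputs[owner.name][func])
                if value is None:
                    # Relinquish: alarm, then offer the function to the other computer.
                    self.alarms.append((cycle, owner.name, func))
                    other = self.b if owner is self.a else self.a
                    value = self._evaluate(other, cycle, inputs[other.name][func])
                    owner = other if value is not None else None
                    self.owner[func] = owner
            if owner is None:
                outputs[func] = (None, SAFE_OUTPUT)   # function off, output safe
            else:
                outputs[func] = (owner.name, value)
        return outputs


def run_demo():
    """Constructed scenario; signal values are invented for the illustration."""
    ctl = DualComputerControl(["flux_control", "boiler_pressure"], tolerance=1.0)
    good = {"flux_control": [50.0, 50.2, 49.9], "boiler_pressure": [4.6, 4.7, 4.65]}
    one_bad = dict(good, flux_control=[50.0, 99.0, 50.2])    # single input fault
    two_bad = dict(good, flux_control=[50.0, 99.0, None])    # no two inputs agree
    history = []
    history.append(ctl.step(1, {"A": good, "B": good}))
    history.append(ctl.step(2, {"A": one_bad, "B": good}))   # A rides through
    history.append(ctl.step(3, {"A": two_bad, "B": good}))   # flux_control -> B
    ctl.a.running = False                                    # A stalls
    for cycle in (4, 5, 6):                                  # watchdog expires at 6
        history.append(ctl.step(cycle, {"A": good, "B": good}))
    history.append(ctl.step(7, {"A": good, "B": two_bad}))   # nobody can run flux
    return history, ctl.alarms


if __name__ == "__main__":
    for n, out in enumerate(run_demo()[0], start=1):
        print(n, out)
```

In the constructed run, a single bad input leaves control with computer A, two bad inputs move only the affected function to B, and the watchdog timeout moves the remaining function; a function that neither computer can run ends with its output in the safe state.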

An extensive computer-driven alphanumeric/graphics cathode ray tube (CRT) display system provides the operator with alarm annunciation and operating data.


FIG. 5. Configuration of plant computer system. [Figure not reproduced.]

These colour CRTs are a modern replacement for most of the panel instrumentation found in conventional control rooms [5]. Direct-wired window annunciators are provided for group alarms as backup to the computerized alarm system. The operator communicates with the computers through keyboards in various locations in the control room.

4.4. Reactor instrumentation

Separate nuclear instrumentation systems are provided for regulation and safety to measure reactor neutron flux over the full operating range of the reactor. As summarized in Table I, proportional counters, uncompensated ion chambers and self-powered in-core flux detectors are used to give a continuous measurement of reactor power from source level to 150% of full power, i.e. approximately ten decades. A minimum overlap of one decade is provided between successive ranges of nuclear instrumentation.

TABLE I. REACTOR POWER MEASUREMENT SYSTEMS

Neutron flux instrumentation systems, by application (flux mapping; flux regulation; safety systems SDS-1 and SDS-2)

Proportional counters:
— 3 BF3 counters (in-core) for 10⁻¹⁴ to 10⁻⁹ of full power
— 3 BF3 counters (ex-core) for 10⁻¹⁰ to 10⁻⁶ of full power

Ion chambers:
— Flux regulation: 3 at one side of calandria (for bulk flux between 10⁻⁶ and 0.15 of full power)
— SDS-1: 3 at side of calandria (ex-core)
— SDS-2: 3 at opposite side of calandria (ex-core)

Flux detectors:
— Flux mapping: 102 in-core vanadium detectors (used for flux calibration at high power)
— Flux regulation: 28 in-core platinum detectors (used at higher power levels for bulk and spatial control)
— SDS-1: 34 in-core platinum detectors
— SDS-2: 23 in-core platinum detectors

Additional Power Measurement Instrumentation:

(1) Twenty-four resistance temperature devices (RTDs) distributed in the reactor inlet and outlet headers for bulk power calibration below 70% full power.

(2) Four sets of boiler power measurement devices (steam flow meter, feedwater flowmeter, feedwater temperature detector) for bulk power calibration above 50% full power.

Proportional start-up counters are used only during the first criticality or for starting after a very long shutdown. Following high power operation, heavy-water reactors retain a sufficient neutron source to keep the ion chambers on scale even after extensive shutdowns. The start-up counters are therefore not normally required and are removed after start-up.

4.5. Reactor regulating system

The reactor regulating system consists of that part of the overall plant control system that directly controls reactor power — either to an operator-specified setpoint (ALTERNATE mode), or to the power level required to maintain steam generator pressure (NORMAL mode). A block diagram of the reactor regulating system is shown in Fig. 6.

FIG. 6. Block diagram of reactor regulating system. [Figure not reproduced.]

It is designed to satisfy the following requirements:

(1) Provide automatic control of reactor power between 10⁻⁷ full power and full power.

(2) Maintain the neutron flux distribution close to its nominal design shape [6] so that the reactor can operate at full power without violating bundle or channel power limits.

(3) Monitor important plant parameters and reduce reactor power quickly when any of these parameters are out of limits.

(4) Automatically withdraw shutoff rods from the reactor when the trip channels have been reset following a reactor trip on Shutdown System No. 1.

Reactor neutron power is controlled to a given setpoint by means of the reactivity control devices, which for fast control include:

— 14 light-water zonal control absorbers
— 4 mechanical control absorbers, and
— 21 solid adjuster rods.

Long-term negative reactivity is provided by the addition of soluble poison (boron or gadolinium) to the moderator. Boron is used to suppress the excess reactivity in a fresh core, and gadolinium is used following poisoning to compensate for xenon burnout.

4.5.1. Zonal control absorbers

The main method for controlling reactor power is by adjustment of average H₂O level in the 14 independently controllable compartments of the zonal control absorbers. Differential adjustment of levels in individual compartments is used for spatial (zonal) control. Platinum in-core flux detectors provide the neutron flux feedback signals required by the digital control algorithms for regulation of both the bulk and spatial flux. The layout of the various reactivity mechanisms and detectors is shown in Fig. 7.

4.5.2. Mechanical control absorbers

The reactivity range (±3 milli-k) provided by the zonal control absorbers is adequate for most power manoeuvres. However, certain situations require additional negative reactivity that is provided by the 4 mechanical control absorbers (-10 milli-k), normally out of the core (see Fig. 7).

These situations include

— controlled shutdown of the reactor by the regulating system
— ramped power reduction (SETBACK) during upset conditions to allow continued operation at reduced power
— step power reduction (STEPBACK) during certain upset conditions to avoid a Loss-of-Regulation accident and hence actuation of one of the shutdown systems.

Normally the mechanical control absorbers are automatically driven by the control computer; however, they can be manually controlled by the operator.

FIG. 7. Reactivity mechanism layout. [Figure not reproduced.]

4.5.3. Adjusters

The 21 adjuster rods, shown in Fig. 7, have graded absorption and are normally fully inserted in the core for flux shaping. They are withdrawn in symmetrical banks, under the control of the digital control computer, to provide positive reactivity for shimming the zonal control absorbers as well as for xenon override following a shutdown. Their total reactivity worth of 15 milli-k makes it possible to start up the reactor within 30 minutes after shutdown from full power. The adjusters also permit sustained power reductions to 55% of full power. During periods of refuelling incapability the adjusters can keep the plant operating for weeks by compensating for the loss of reactivity of ≈0.31 milli-k per day.

Manual control of the adjusters by the operator is provided.

4.6. Flux mapping

The platinum flux detectors used for spatial control do not accurately represent average zone power as they sense the flux over a small volume, three lattice pitches long. Therefore, a need exists for the accurate measurement of average zone power to calibrate these detectors. This is done with a system of 102 vanadium flux detectors distributed throughout the reactor core. Signals from these detectors are processed by the flux mapping routine in the control computer, to obtain average zone flux estimates. Processing of flux detector signals includes reading, checking for rationality, converting to proper units and correcting for detector burnup. Detector readings that do not pass the rationality check are rejected.

The flux mapping routine also estimates the maximum flux levels in the core and uses this information to initiate a reactor setback if the power is too high in some fuel bundles.

The flux mapping routine also provides a channel power map, as well as estimates of the flux at Regional Overpower Trip (ROPT) detector sites. This gives the operator accurate information on the state of the core.

4.7. Control strategies

4.7.1. Reactor start-up

The triplicated start-up instrumentation listed in Table I is used for the initial approach to reactor criticality or for start-up after a very long shutdown. Each channel of instrumentation is connected to the corresponding channel of SDS-1. The trip and alarm parameters used are high log power, low log power, high log rate and HV power supply voltage.

On the approach to criticality the operator removes boron from the moderator and records the neutron count rate from each of the three instrumentation channels at regular time intervals. Between 10⁻¹⁴ and 10⁻¹⁰ full power the signals are provided by in-core BF3 counters. Once the out-of-core BF3 counters come on scale the instrument channels are switched over to them. Finally, when the ion-chamber system indicates a power level of 10⁻⁶ full power the digital control computer takes control and raises power to the requested setpoint.

FIG. 8. Reactivity limit control diagram. [Figure not reproduced; panels plot zone control average compartment level (% full), adjuster and absorber speed, and zone control valve lift and flow against power error (%).]

4.7.2. Normal operation

During normal operation (above 15% FP) the zonal control absorber program provides signals to the absorber inflow control valves to hold both reactor power and zonal power at their setpoint values. The valve lift and hence flow varies with power error as shown in Fig. 8 (d).

Spatial flux control has lower priority than reactor power control. If individual compartment levels are too high or too low, spatial flux control in those compartments is slowly phased out and the remaining range is reserved for reactor power control. Flux tilt control is also removed below 15% full power where it is not needed.

For certain upset conditions (see Section 4.5.2) the required negative reactivity rates and depths are beyond the capability of the zonal control absorbers. This capability is provided by the insertion of four mechanical control absorbers (MCAs). Inadequate negative reactivity is indicated by high average water level in the zonal control absorbers and/or by high positive power error. These conditions are therefore used in the control computer to initiate MCA in-drive, as shown in Fig.8(b). Under special conditions the use of the MCAs is inhibited, e.g. both shutdown systems not available.

In addition to their normal uses for shaping flux and providing xenon override following a shutdown, the adjusters can be used to assist the zonal control absorbers when more positive reactivity is required. Hence adjuster out-drive is initiated on low average light water level and on excessive negative power error, as shown in Fig. 8(a). Conversely, high water level and positive power error cause adjuster in-drive. The speed of adjuster rods and of the mechanical control absorbers depends on power error as shown in Fig. 8(c).

Finally, the manual addition of gadolinium poison to the moderator is available to the operator as backup to the mechanical control absorbers. The automatic addition of gadolinium poison takes place on high power error (> +10%) combined with positive flux-rate and prevents Loss-of-Regulation accidents due to the slow growth of reactivity in the core.

4.7.3. Power setbacks

Reactor power setbacks are controlled reductions in power when certain plant parameters exceed specified limits. They are automatically initiated by the computer SETBACK routine which drives in the mechanical control absorbers. Plant conditions that initiate setbacks include:

— high local neutron flux
— spatial control off normal
— low de-aerator level
— high boiler pressure
— upsets in moderator temperature or pressure.

4.7.4. Power stepbacks

As part of the ‘defence-in-depth’ philosophy, a STEPBACK routine is provided in the regulating system to correct minor upsets before they become major. For certain upsets the routine initiates fast power reductions by dropping the four mechanical control absorbers into the core. If the stepback condition clears during the gravity fall of rods, the clutches are engaged and the rods caught in mid-flight. Plant upset conditions that initiate reactor stepbacks include:

— reactor trip
— turbine trip
— loss of line
— heat transport pump trip
— high heat transport pump pressure
— high flux power or high flux rate
— low boiler level

To prevent the spurious initiation of stepbacks which could lead to a reactor poison out, the stepback routine is run in both control computers and a stepback is initiated only when both computers call for one.

4.8. System response to disturbances

As mentioned in Section 4.2, the plant operates in one of two modes, NORMAL or ALTERNATE. In the NORMAL mode, boiler pressure is usually controlled by manoeuvring reactor power with help, on occasion, by varying the plant load. An example of this combined action is the rapid turbine runback transient shown in Fig.9 where the steam discharge valves are lifted during the decrease in reactor power.

On a turbine trip, loss-of-line or loss of stator cooling, the reactor is stepped back to 60% power by partially dropping the mechanical control absorbers. As shown in Fig. 10 both the atmospheric and condenser steam discharge valves are initially used to vary the plant load. This is followed by all the steam being bypassed directly to the condenser through the condenser steam discharge valve.

FIG. 9. Normal mode turbine run back at 2.2%·s⁻¹ from 100% full power. [Figure not reproduced; panels: steam flow through condenser steam discharge valves (%) and steam flow through atmospheric steam discharge valves (%), against time (s).]

4.9. Xenon override and load-following capabilities

4.9.1. Xenon override

Figure 11 shows a typical power recovery after a reactor trip. The slow rate of rise from approximately 60% to 100% of full power results from the requirement to prevent any local fuel overrating caused by neutron flux distortions. These flux distortions result from the removal of adjuster rods during start-up. As the excess xenon poison is burned out, adjusters are re-inserted, the flux shape reverts to normal, and reactor power is allowed to increase to 100%.


FIG. 10. Turbine trip from a turbine and reactor power of 100%. [Figure not reproduced; horizontal axis: time (s).]

In the worst case, when a ‘poison out’ is barely averted and all the adjusters are withdrawn for the restart, the return to full power may take up to four hours. If the reactor does poison out, the build-up of xenon-135 prevents reactor start-up for a further 40 hours. Under normal conditions, a ‘poison out’ is averted if the operator brings the reactor up to the poison-prevent level (≈60%) within the poison override time (s30 minutes). If the turbine cannot pick up the load fast enough, the excess steam is temporarily discharged to the condenser.

4.9.2. Load-following capabilities

Reactor power can be suddenly reduced from full power to as low as 55% power and kept there indefinitely without poisoning out. However, the subsequent rate of return to full power is somewhat restricted to avoid local fuel overpowering due to transient flux peaking. Figure 12 shows the estimated fastest possible rates of return to full power at various times following a power reduction to 55% power.

FIG. 11. Start-up after a reactor trip. [Figure not reproduced; horizontal axis: elapsed time (min) after reactor trip, with a change of scale.]

Although the present CANDU reactors are operated as base-load stations there are no technical reasons preventing daily load-cycling. Constraints on power increase rate would be built into the control algorithm.

4.10. Reliability and maintainability

The demand for a highly reliable regulating system is driven by safety and economics. Experience with existing CANDU stations indicates that the Loss-of-Regulation (LOR) target failure rate of 10⁻² (once per 100 years) is achievable.

FIG. 12. Power recovery after a stepback to 55%. [Figure not reproduced.]

The more common regulating system outages requiring maintenance result in a reactor unavailability of ≈20 hours per year. Less than five hours of this is attributed to unavailability of both control computers.

The high reliability of the regulating system and other nuclear systems results from quality control, careful commissioning, system redundancy and fail-safe philosophy.

Maintainability is achieved by:

— modular, plug-in construction of all the instrumentation
— provision of a complete spare channel
— use of standard commercially available detectors, instruments and cables
— provision of test equipment to promote rapid diagnosis of faults
— accessibility of all components for replacement.


5. REACTOR SAFETY SYSTEMS

5.1. Shutdown System No. 1

5.1.1. General description

Shutdown System No. 1 (SDS-1) uses 28 spring-assisted, gravity-drop absorber elements as its basic shutdown mechanism, and is the preferred² method of quickly terminating reactor operation when specified parameters enter an unacceptable range. When any of the nine trip parameters listed in Table II exceed their trip settings, a two-out-of-three ‘general’ logic system senses the requirement for a reactor trip. If a trip is required, the direct-current clutches on the shutoff rods, which are in two groups of 14 each, are de-energized, and the absorber elements drop into the moderator. The redundant logic system fails to a safe condition on loss of AC power.

A simplified block diagram of one channel of SDS-1 is shown in Fig. 13, and a typical trip circuit, including shutoff rod absorber clutch connections, is shown in Fig. 14.

The three trip channels (D, E and F) have completely independent and physically separated power supplies, trip parameter sensors, instrumentation trip logic, and annunciation. Thus no single failure can invalidate a called-for trip action.

When any two of the three channels trip, the shutoff rods are dropped. With the general coincidence logic used, an entire channel trips when any measurement of any parameter reaches its trip setting. This approach makes testing easier and more complete as compared to local coincidence schemes, where testing requires a number of steps.
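The difference between the general coincidence logic described above and a local coincidence scheme, as an added Python example that is not part of the guidebook or of any plant logic. The three setpoints are taken from Table II; the parameter names, the sample readings and the treatment of a missing reading as a trip are assumptions of the illustration.

```python
"""Added illustration (not from the guidebook): general versus local
two-out-of-three coincidence voting for a triplicated trip system."""
from dataclasses import dataclass

CHANNELS = ("D", "E", "F")


@dataclass(frozen=True)
class TripParameter:
    name: str
    setpoint: float

    def exceeded(self, value):
        return value >= self.setpoint


# Three of the high-going trips from Table II, with the setpoints given there.
PARAMETERS = (
    TripParameter("log_rate_pct_per_s", 10.0),   # high rate log neutron power
    TripParameter("ht_pressure_mpa_g", 10.45),   # high heat transport pressure
    TripParameter("rb_pressure_kpa_g", 4.0),     # high reactor building pressure
)

# Constructed normal-operation readings (invented for the illustration).
NORMAL = {"log_rate_pct_per_s": 0.5, "ht_pressure_mpa_g": 9.9, "rb_pressure_kpa_g": 0.1}


def channel_tripped(readings, powered=True):
    """General coincidence: the whole channel trips on ANY parameter.
    Assumption of this sketch: an unpowered channel or a missing reading
    counts as tripped, so that failures move toward the safe state."""
    if not powered:
        return True
    for p in PARAMETERS:
        value = readings.get(p.name)
        if value is None or p.exceeded(value):
            return True
    return False


def general_coincidence(plant, powered=None):
    """Trip when any two of the three channels are tripped."""
    powered = powered or {}
    tripped = [ch for ch in CHANNELS
               if channel_tripped(plant[ch], powered.get(ch, True))]
    return len(tripped) >= 2, tripped


def local_coincidence(plant):
    """Comparison scheme: vote two-out-of-three separately per parameter."""
    for p in PARAMETERS:
        votes = [ch for ch in CHANNELS
                 if plant[ch].get(p.name) is not None
                 and p.exceeded(plant[ch][p.name])]
        if len(votes) >= 2:
            return True, p.name
    return False, None


def scenario(**overrides):
    """Per-channel readings: normal everywhere except the given overrides."""
    return {ch: dict(NORMAL, **overrides.get(ch, {})) for ch in CHANNELS}


def run_cases():
    """Return {case: (general trips?, local trips?)} for constructed cases."""
    cases = {
        "all normal": scenario(),
        "one sensor fails high on D": scenario(D={"ht_pressure_mpa_g": 11.0}),
        "D sees rate, E sees pressure": scenario(
            D={"log_rate_pct_per_s": 12.0}, E={"ht_pressure_mpa_g": 10.5}),
        "E and F see building pressure": scenario(
            E={"rb_pressure_kpa_g": 4.2}, F={"rb_pressure_kpa_g": 5.0}),
    }
    return {name: (general_coincidence(p)[0], local_coincidence(p)[0])
            for name, p in cases.items()}


if __name__ == "__main__":
    for name, result in run_cases().items():
        print(f"{name}: general={result[0]} local={result[1]}")
    print(general_coincidence(scenario(), {"D": False, "E": False}))
```

In the third case the general scheme trips although no single parameter has two channels in agreement; the same property means that a channel held tripped for testing leaves the system one further channel trip away from a shutdown.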

Use is made of light-emitting diodes (LEDs) in the shutoff rod trip network to indicate correct operation of the trip relays when a particular channel of a specific trip parameter is tested (see Fig. 13). Correct operation of a particular relay contact is indicated by lighting of the associated LED, and failure of a relay to re-energize after test is detected by its LED remaining lit.

A facility for testing the drop time of the absorber elements during reactor operation is also provided.

In the main control room a separate instrumentation panel is allocated to SDS-1. On it are mounted

— all the annunciator alarms indicating the state of trip parameters and trip channels,
— the test LEDs and switches,
— the manual drive and test-drop handswitches for the shut-off units, and
— the manual trip button.

² This preference is an economic factor since the use of Shutdown System No. 2, which injects poison into the moderator, results in a reactor ‘poison out’, with attendant unit unavailability to the electrical grid.

TABLE II. TRIP PARAMETERS AND SETPOINTS FOR SHUTDOWN SYSTEM No. 1

| Trip parameter | Detector type | Setpoint | Conditioning parameters |
|---|---|---|---|
| High neutron power | Vertical in-core detectors | Setpoint periodically adjusted to suit various operating-state flux shapes | Set points adjusted by handswitches |
| High rate log neutron power | Ion chambers | 10% per second | " |
| High heat transport pressure | Pressure transmitters | Relief valves - 10.2 MPa (gauge); trip - 10.45 MPa (gauge) | |
| Low gross coolant flow | Differential pressure transmitters | 14 kg/s (approx. 70% of nominal) | Log power >0.3% full power |
| High reactor building pressure | Pressure transmitters | 4 kPa (gauge) | |
| Low pressurizer level | Differential pressure transmitters | Function of reactor power | (1) Signal representative of reactor power from in-core flux detectors; (2) Manual (for maintenance or operation below 5% full power) |
| Low steam generator level | Differential pressure transmitters | Function of reactor power | (1) Manual (used at low powers to allow steam generator maintenance); (2) Setpoint determined by flux detector signals |
| Low heat transport pressure | Pressure transmitters | Function of reactor power | (a) Conditioned on log flux >0.3% full power; (b) Setpoint is function of linear flux |
| Boiler feedline low pressure | Pressure transmitters | 4.0 MPa (abs) | Manual |
| Manual | - | - | - |
| Start-up count rate (initial start-up only) | | | |

FIG.13. Shutdown System No. 1 - block diagram.

All trip parameters are connected through suitable buffers to the sequence-of-events monitor on the main computers for ‘post-event’ analysis.

The unavailability requirement of 10⁻³ or less is met without taking credit for trip signals from more than one trip parameter at a time, even though diversity has been provided. The shutoff system is considered to be available if all except the two most effective absorbers drop when required to do so. The negative reactivity insertion rate for this situation is more than adequate to keep the result of any accident within regulating agency guidelines.

The principle of diversity in the design of the trip system is illustrated in Table III. For each process failure there are at least two effective trip parameters, with the alternate trip parameter being based on a different measurement principle from the primary parameter.

5.1.2. Logic

The trip system makes extensive use of relay logic. Relay trip logic is standard in CANDU stations built during the 1960s and 1970s and has proved highly reliable. In trip systems having simple trip parameters, relay logic leads to a simple, testable, fail-safe design.

FIG.14. Shutdown System No. 1 — typical trip circuit. [Diagram labels: 120 V AC supplies; converters; 90 V DC to Group 'A' rods; clutch coils of the 14 rods in Group 'A'; relays for Group 'A' rods, with contacts D1, D2, E1, E2, F1, F2; TDR contacts; converters for Group 'B' rods. Notes: (1) Group 'A' and 'B' rods have separate power supplies. (2) TDR contacts are for partial drop testing of individual rods.]

TABLE III. SHUTDOWN SYSTEM NO. 1 COVERAGE OF PROCESS FAILURES - PARTIAL LIST

| Process failure | Trip parameters | Alternate trip parameters¹ |
|---|---|---|
| Loss of regulation from high power: | | |
| Fast | High neutron power | High neutron power/high heat transport pressure |
| Slow | High neutron power | High heat transport pressure/manual |
| Loss of regulation from decay power levels | | |
| Pressurized/pumps on: | | |
| Fast | High rate neutron power | High heat transport pressure |
| Slow | High heat transport pressure | High neutron power/manual |
| Pressurized/pumps off: | | |
| Fast | High rate neutron power | Low gross coolant flow |
| Slow | Low gross coolant flow | High heat transport pressure |
| Depressurized/pumps off: | | |
| Fast | High rate neutron power | Low gross coolant flow |
| Slow | Low gross coolant flow | Manual |
| Depressurized/pumps on: | | |
| Fast | High rate neutron power | Low heat transport pressure |
| Slow | Low heat transport pressure | Manual |
| Loss of Class IV | Low gross coolant flow | High heat transport pressure |

The trip systems for later generation CANDU stations combine relay logic with microprocessors called Programmable Digital Comparators (PDCs) for implementation of trip parameters that require extensive conditioning, or those that have setpoints that are functions of reactor power and/or heat transport system pump configuration. The microprocessors are standard field-proven units with read-only memory.

A typical illustration of PDC use is the design shown in Fig. 15 where two are used per instrumentation channel; one for the primary trips requiring a significant degree of conditioning and one for the associated alternate or backup trips.

As operational experience is gained, one PDC per trip channel will be employed. The PDCs replace analog trip comparators used previously for complex trips. Digital outputs controlled by the PDCs drive relays in the channel trip logic, as do other trip parameters.

5.1.3. Individual trips

The various trip parameters are listed in Table II. There are nine automatic trips, a manual trip which allows operator intervention, and a start-up count rate trip, which is in service only for the initial start-up from low source current.

The High Neutron Power trip is based on promptly responding, self-powered platinum flux detectors mounted vertically in the core such that all regions of the core are protected from overpower. These flux detectors are independent of any regulating system or SDS-2 detectors, and are tested by injection of a current at the amplifier inputs, and by checking the insulation resistance of each detector. The detector outputs are displayed in the control room for the purpose of monitoring the signals.

The other neutronic trip, High Rate Log of Neutron Power, is based on three uncompensated ion chambers located in separate housings on different sides of the reactor vessel. Testing is initiated from the control room by driving an adjustable, piston-actuated boral-sleeve shutter which is set to provide the necessary log-rate signals.

The other trip parameters are based on standard process instrumentation transmitters. In all cases, testing can be automatically initiated from the control room, and consists of operating the relevant transmitter instrumentation valves and applying appropriate test pressures.

5.2. Shutdown System No. 2

Shutdown System No. 2 (SDS-2) provides a second method of quickly terminating reactor operation for the same spectrum of postulated initiating events as SDS-1. Provision of two functionally and physically independent shutdown systems, both designed for a very low unavailability, 10⁻³, virtually guarantees shutdown capability under all reactor accident circumstances.

TABLE IV. TRIP PARAMETERS AND SETPOINTS FOR SHUTDOWN SYSTEM NO. 2

| Trip parameter | Detector type | Setpoint | Conditioning parameters |
|---|---|---|---|
| High neutron power | Horizontal in-core detectors | Setpoint periodically adjusted to suit various operating state flux shapes | Setpoints adjusted by handswitches |
| High rate log neutron power | Ion chambers | 25% per second | |
| Low core differential pressure | Differential pressure | 620 kPa | Log >5% full power (normal operation); Log flux >0.3% (handswitch, for long shutdowns) |
| High heat transport system pressure | Pressure transmitters | 11.62 MPa (gauge) | |
| Low steam generator level | Differential pressure transmitter | Function of reactor power | (1) Conditioned on log flux >5% full power; (2) Setpoint determined by flux detector signals |
| Low pressurizer level | Differential pressure transmitter | Function of reactor power | (1) Setpoint conditioned on in-core flux detector signals; (2) Manual (for maintenance) |
| Low heat transport system pressure | Pressure transmitter | Function of reactor power | (1) Conditioned on log flux >0.3% full power; (2) Setpoint is function of linear flux |
| High reactor building pressure | Differential pressure transmitter | 4 kPa (gauge) | |
| Manual | - | - | - |

SDS-2, employing an independent two-out-of-three ‘general’ logic system (a channel of which is shown in Fig. 16), opens fast-acting helium pressure valves to inject gadolinium nitrate ‘poison’ directly into the D2O moderator when any of the eight measured parameters listed in Table IV exceeds its limit.

FIG. 17. Shutdown System No. 2 - schematic.

Six horizontal poison injection nozzles are provided. The basic principles of operation are illustrated in Figs 16 and 17. The actuation of any two trip channels opens valves to establish a path from the high-pressure helium supply tank to the poison tanks, and gadolinium nitrate is forcibly injected into the moderator.

The selection of trip parameters is such that there are again, as with SDS-1, at least two trips for each process failure, and, in general, the alternate trip parameter is based on a different measurement parameter from the primary trip, as illustrated by Table V.

TABLE V. SHUTDOWN SYSTEM NO. 2 COVERAGE OF PROCESS FAILURES - PARTIAL LIST

| Process failure | Trip parameters | Alternate trip parameters |
|---|---|---|
| Loss of regulation from high power: | | |
| Fast | High rate log of neutron power | High neutron power/high heat transport pressure |
| Slow | High neutron power | High heat transport pressure/manual |
| Loss of regulation from decay power levels | | |
| Pressurized/pumps on: | | |
| Fast | High rate log of neutron power | High heat transport pressure |
| Slow | High heat transport pressure | High neutron power/manual |
| Pressurized/pumps off: | | |
| Fast | High rate log of neutron power | High heat transport pressure/low core ΔP |
| Slow | Low core ΔP | High heat transport pressure |
| Depressurized/pumps off: | | |
| Fast | High rate log of neutron power | Low core ΔP |
| Slow | Low core ΔP | Manual |
| Depressurized/pumps on: | | |
| Fast | High rate neutron power | Low heat transport pressure |
| Slow | Low heat transport pressure | Manual |
| Loss of Class IV while at high power | Low core ΔP | High heat transport pressure |

The High Neutron Power Trip is based on a number of promptly responding self-powered platinum flux detectors mounted horizontally in the core. These detectors are separated from any regulating system and SDS-1 detectors by the spatial separation of the assemblies. The detector outputs and trip setpoints are displayed in the control room for monitoring purposes.

The High Rate Log of Neutron Power trip, as for SDS-1, uses uncompensated ion chambers, but the ion chambers and their associated amplifiers are of different manufacture than those of SDS-1 and the ion chambers are located at a different reactor face. Testing is similar to that done in SDS-1, with the use of a piston-actuated boral-sleeve shutter to simulate a rate of change of neutron power.

FIG. 18. Emergency coolant injection system. [Diagram labels: from dousing tank; gas isolation valves; from sump; to primary heat transport system. Legend: ECI = emergency coolant injection; RIH = reactor inlet header; ROH = reactor outlet header; MP = medium pressure; HP = high pressure.]

The other trip parameters are based on standard process instrumentation transmitters. In all cases, testing can be automatically initiated from the control room, and consists of applying appropriate test pressures to the relevant transmitter.

Testing also includes automatically operating the quick operating valves in one trip channel periodically, as well as taking a poison tank out of service to check that its gadolinium nitrate concentration meets requirements.

Indication of a successful channel test is obtained by observing correct operation of the quick acting valves in the control room. The logic processing for SDS-2 is similar to that of SDS-1, and employs a combination of relay and microprocessor technology. However, different designs and suppliers are utilized.

A separate panel in the main control room is allocated solely for SDS-2. As for SDS-1, the panel consolidates all annunciator alarms, test switches, etc., associated with SDS-2.

Connections are also made through suitable isolating buffers to the main computer systems sequence-of-events monitor.

The target unavailability of the system of 10⁻³ is met without taking credit for alternate trips, and with at least 5 of 6 poison tanks available.

5.3. Emergency coolant injection

The emergency coolant injection (ECI) system shown in Fig. 18 is composed of three stages: high pressure, medium pressure and low pressure.

The high-pressure stage uses pressurized nitrogen to inject water into the reactor core from water tanks located outside the reactor building. The medium-pressure stage supplies water from the dousing tank. When this water supply is depleted, the low-pressure stage recovers water that has collected in the reactor building sump and pumps it back into the reactor core via the emergency cooling heat exchanger and the emergency cooling recovery pumps.

The high-pressure injection stage consists of one nitrogen gas tank and two water tanks. The gas tank normally operates at a pressure between 4.1 MPa and 5.5 MPa, whereas the water tanks operate slightly above atmospheric pressure. Two recovery pumps, each capable of supplying 100% of ECI flow, are provided. Each pump is supplied by Class III power and by the emergency power supply system (see Section 8). The heat exchanger in the recovery pump discharge line is designed to maintain the emergency cooling flow at about 50°C at entry to the heat transport system.

Since inadvertent injection of emergency coolant would be economically penalizing, precautions are taken in the logic design to prevent inadvertent initiation of ECI, while still providing the redundancy required to meet the unavailability target of less than 10⁻³. Typical design features are:

(1) All instrumentation and associated control loops used to initiate ECI are triplicated (e.g., low heat transport pressure and high reactor building pressure). The sensors used are dedicated to ECI and are not shared either by other safety systems or other process systems.

(2) Local coincidence is used in the logic to help eliminate spurious trips of the system.

(3) All logic for isolating each of the two separate heat transport loops, during a LOCA, is separate from the logic for other functions.

(4) Redundant valves in parallel are used wherever power-operated valves are required for ECI. Either one opening would be sufficient. Each valve of a pair is fed from an independent power supply and annunciation is made of valve power supply failure.

(5) On-power testing facilities are provided to assure that the target unavailability is met.

FIG. 19. Containment system

FIG.20. Dousing spray header system.

FIG.21. Simplified block diagram of containment automatic isolation control loop. [Diagram labels: building pressure channels; radioactivity channels; OR; isolation logic; typical series isolation valves; to other penetrations; signal to start non-operating local air coolers.]

5.4. Containment

The containment system shown in Fig. 19 comprises a prestressed, post-tensioned concrete containment structure, an automatically initiated dousing system and building air coolers, a filtered air discharge system, access airlocks, and an automatically initiated containment isolation system.

5.4.1. Dousing system

The dousing spray header system is illustrated in Fig.20. Two valves in each of six independent spray headers open on high building pressure to start dousing. The valves in three headers are of one type, from one manufacturer, and the valves in the other three headers are of a second type and from another manufacturer. This results in two independent dousing systems with three spray headers in each.

Twelve independent valve control loops are provided, one for each valve, each with its own sensor of building pressure. The unavailability targets can easily be met because the valves can be tested via the 2-valves-in-series arrangement, plus the fact that only four of the six spray headers are needed for adequate dousing. Any failure of air or power needed to open the valves is immediately annunciated, and a log of position of the valves is available in one of the dual computers.

FIG.22. Control centre layout.

5.4.2. Containment isolation control

The control system for containment isolation continuously monitors the building pressure and radioactivity and automatically closes isolation dampers and valves when limits on either are exceeded. Figure 21 illustrates that a two-out-of-three ‘high’ indication is required to initiate closure.

Two series-connected valves are provided for isolating each penetration, and closing either one effectively ‘bottles up’ the penetration. The conversion of the two-out-of-three measurement to the required one-of-two logic for the valves is also illustrated in Figure 21.
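The single-failure tolerance of this loop can be checked by injecting every combination of component failures and listing the smallest sets that defeat isolation. This is an added example, not the guidebook's own analysis; the component names are hypothetical, and it assumes that a failed sensor channel never reads 'high', that a failed valve stays open, that both valves receive the same close signal, and that the voting logic itself does not fail.

```python
# Added illustration, not from the guidebook: exhaustive fault injection on
# the containment isolation loop as the text describes it.
from itertools import combinations

# Component names are made up for this sketch.
PRESSURE = ("P1", "P2", "P3")   # three building-pressure channels
ACTIVITY = ("R1", "R2", "R3")   # three radioactivity channels
VALVES = ("V1", "V2")           # two series valves on one penetration
COMPONENTS = PRESSURE + ACTIVITY + VALVES


def two_out_of_three(votes):
    """True when at least two of the three channels indicate 'high'."""
    return sum(votes) >= 2


def isolates(failed, pressure_high, activity_high):
    """True if the penetration is bottled up on demand despite `failed` parts.

    Assumed failure modes: a failed channel never indicates 'high' and a
    failed valve stays open.
    """
    p_votes = [pressure_high and ch not in failed for ch in PRESSURE]
    r_votes = [activity_high and ch not in failed for ch in ACTIVITY]
    # Closure is initiated when limits on EITHER measurement are exceeded.
    close_signal = two_out_of_three(p_votes) or two_out_of_three(r_votes)
    # Series valves: closing either one isolates the penetration.
    return close_signal and any(valve not in failed for valve in VALVES)


def minimal_cut_sets(pressure_high, activity_high):
    """Smallest failure combinations that defeat isolation for this demand."""
    if not (pressure_high or activity_high):
        raise ValueError("no isolation demand to evaluate")
    cuts = []
    # Sizes are visited in increasing order, so any failing combination that
    # contains an earlier cut set is not minimal and is skipped.
    for size in range(1, len(COMPONENTS) + 1):
        for combo in combinations(COMPONENTS, size):
            failed = frozenset(combo)
            if isolates(failed, pressure_high, activity_high):
                continue
            if not any(cut <= failed for cut in cuts):
                cuts.append(failed)
    return cuts


def single_failure_tolerant(pressure_high, activity_high):
    """True when no single component failure can prevent isolation."""
    return min(len(c) for c in minimal_cut_sets(pressure_high, activity_high)) >= 2


if __name__ == "__main__":
    for demand in ((True, False), (False, True), (True, True)):
        cuts = minimal_cut_sets(*demand)
        print(f"pressure_high={demand[0]}, activity_high={demand[1]}: "
              f"{len(cuts)} minimal cut sets, smallest size "
              f"{min(len(c) for c in cuts)}")
        for cut in cuts:
            print("   ", sorted(cut))
```

With only one measurement demanding isolation, every minimal cut set has two elements (two channels of that measurement, or both valves); when both measurements are high, the only two-element cut set left is the valve pair.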

6. CONTROL ROOM DESIGN AND INFORMATION DISPLAY

Two major control areas are provided: the main control room and secondary control area. The main control room centralizes all the information and man/machine controls required for safe operation of the plant, including those items required for the Group 2 safety systems previously described in Section 3.

FIG.23. Control panel layout. [Panels PL1 to PL20 and CRTs, with sections labelled: containment; emergency core cooling; fuelling machine and fuel handling control console; Shutdown System No. 2; Shutdown System No. 1; moderator and reactor miscellaneous systems; primary heat transport system; annunciation and digital control computers; reactor regulating system; turbine generator; electrical distribution; switchyard systems; miscellaneous auxiliary systems.]

The secondary control area, which is geographically remote from the main control room, would be used for performing the shutdown and decay heat removal functions associated with Group 2 safety systems, if the main control room became inaccessible.

6.1. Main control area

A typical main control room layout for a two unit station is shown in Fig. 22.

The basic philosophy of design is to display sufficient information to allow the unit to be controlled from the control room. To achieve this goal, all indications and controls essential for operation (start-up, shutdown and normal) are located on the control room panels. Also located there are the controls for any systems requiring attention within 15 minutes of an alarm. For systems not requiring attention within 15 minutes, local control may be provided.

Most information is presented to the operator via the station computer system. However, sufficient conventional display, annunciation and recording of plant variables is included to allow the plant to be properly run in the shutdown condition with both computers out of service.

In case the control room becomes uninhabitable, enough display and control instrumentation is provided in the secondary control area to allow the plant to be shut down and maintained in a safe shutdown condition.

6.2. Main control room panels

As shown in Figs 22 and 23 the control panels form part of the boundary walls of the control room. With the degree of automation provided, the need for operator action at the control panels is infrequent. Therefore, the main control panels have been designed as standup panels with no sitdown console. An exception to this is the fuelling machine console where, despite a high degree of automation, manual intervention is sometimes required. To reduce interference with the rest of the control room, this console is located to one side, out of the main traffic flow.

The panels are laid out on a system basis with the controls for a specific system being located in one bay. Spacing between instruments is kept to a minimum in an attempt to achieve a compact display of information.

In laying out each system, consideration is given to the relative location of the controls based on process function and/or plant location. Mimics of the more complex process and electrical systems are displayed using colour graphic lines to represent the flow paths. There are seven cathode ray tubes (CRTs) with their associated keyboards located on various process panels for system parameter or trend displays (see Fig.23). Two CRTs are mounted in the fuel-handling control console to display fuelling system information.

There are two CRTs located centrally on the unit panel for display of annunciation messages. For the convenience of the control room operators, a CRT is located in their desk, which allows them to view computer-driven graphics or alphanumeric displays of any important plant parameters. Printed copy of CRT display information can be generated on demand.

The CRTs replace many of the meters and recorders normally found on conventional panels. Sufficient redundancy is built into the display system to ensure a high availability comparable to the dual computer controller system itself. The use of computer-driven displays results in less congested panels and allows easier correlation of information. The greater flexibility possible is of considerable use during commissioning and at other times, such as during extended shutdowns, when special display requirements must be met. Furthermore, infrequently used information can be suppressed during normal operation.

A reactor alarm annunciation system consists of small direct-wired window annunciators, two computer-driven CRTs for alarm message presentation, and a facility to provide a printed record of all alarm conditions in chronological order of their occurrence. Alarm windows are illuminated independently of the computers for all alarm conditions that can cause reactor trips, power runbacks, turbine-generator trips, high-voltage breaker trips and other important system upsets.

6.3. Safety-related display instrumentation

Most of the information on the state of the plant is presented to the operator via the two station control computers. This includes the data logging, sequence-of-events functions, displays of plant variables and initiation of most alarms. The computer system is designed to fail safe on dual computer failures by dropping the four mechanical control absorbers and flooding the 14 light-water zone control absorbers. However, when dual computer failures occur, the operator will be deprived of the normal source of most of this information.

Certain plant information must be available to the operator at all times and, therefore, he cannot rely on the computer system for these data. This includes the status of all the safety systems and sufficient information about the status of the plant to enable him to establish the existence, nature and extent of an accident and to allow him to intervene intelligently, where necessary, with manual actions. This objective is achieved by displaying the following information directly on the control room panels:

— Red alarm windows to indicate the trip state of any parameter in any of SDS-1, SDS-2, ECI or CS Special Safety Systems.

— Other alarm windows to indicate abnormalities in the shutdown and safety-related systems, e.g. loss of power, loss of helium pressure.

— The values of each trip parameter in each channel of SDS-1, SDS-2, ECI and CS Special Safety Systems.

— Alarm windows to indicate the existence of single and dual computer failures.

— Process indicators to display information on the status of subsystems required for the operation of the safety systems, and other safety-related systems, e.g. dousing tank and reactor building basement water levels and temperatures.

7. ON-POWER REFUELLING SYSTEM

CANDU reactors rely on semi-continuous, on-power refuelling for close control of core reactivity and efficient utilization of the natural uranium fuel.

The fuel-handling system comprises equipment for storage of new fuel, for fuel changing and for temporary storage of spent fuel. Reactor fuel is changed on a routine basis with the reactor operating at full power.

The flow of fuel through the plant is shown schematically in Fig.24.

FIG.25. Fuel-handling control - block diagram. [Diagram labels: fuel handling equipment ('A' and 'C'); inputs; outputs; termination rack; protective system; computer controller; auto/manual control panels; CRT displays and keyboards; logging printer; control console with 'A' system and 'C' system sections.]

The major steps in the movement of fuel are normally under remote and automatic control from the control room, i.e.

— loading the fuelling machine
— loading and unloading a reactor channel, and
— discharging spent fuel.

One of the two station control computers is used to control the fuel-handling system. In addition, there are separate consoles and control panels in the control room specific to the fuel-handling system. Interconnections between the control system components and the fuel-handling equipment are shown in the block diagram of Fig.25.

Refuelling can be carried out under automatic or manual control. In both modes, certain output commands are routed through a protective logic system that protects against inadvertent operations that could damage the equipment or cause personnel hazards.

Normal control functions are carried out from the automatic section of the refuelling control console and selected data are displayed on a CRT. A printer provides a hard copy of these data when requested. Minimum operator intervention is required during automatic control.

8. ELECTRICAL POWER SYSTEMS

Figure 26 shows the classes of electrical power and their separation into two completely independent groups (one for Group 1 process systems and one for Group 2 safety systems). Each power supply group comprises two or three independent trains, depending on class of power.

Four classes of power are provided for service power and instrumentation loads. Their uses in order of their reliability are:

CLASS I — Uninterruptible direct current (DC) supplies for essential instrumentation, protection and control equipment.

CLASS II — Uninterruptible alternating current (AC) supplies for essential instrumentation, protection and control equipment.

CLASS III — Alternating current (AC) supplies to essential auxiliaries which can tolerate short interruptions required during start-up of the stand-by generators. These essential auxiliaries are necessary for an orderly shutdown of the reactor.

CLASS IV — Normal alternating current (AC) supplies to auxiliaries and equipment which can tolerate long interruptions without affecting personnel and equipment safety. Complete loss of Class IV power will initiate a reactor shutdown.

FIG.26. Electrical power systems. [Diagram labels include 400 kV lines. Notes: (1) Shown for Unit 1. (2) Similar for Unit 2. (3) Switchyard is common for Unit 1 and 2.]

All stand-by generators of the Group 2 power supplies including D/G-3 and D/G-4 are seismically qualified.

Within each separate train, an ‘even, odd’ bus concept is followed to provide ‘dual-bus or better’ reliability at all voltage loads for Class III and IV power. Loads and redundant auxiliaries are connected so that half of any actual process is supplied from an odd bus and the other half from an even bus. The odd and even concept is applied throughout, including the cable tray system, junction boxes, etc., in order to maintain physical separation and so achieve maximum reliability under normal and abnormal conditions.

Class I and II power is triplicated at all needed voltage loads. Each of the three Class I buses is fed from its own rectifier which is in turn connectable to either the odd or even Class III bus (see Fig.26).

Loads of triplicated systems, such as SDS-1 and SDS-2, are connected so as to ensure independent power supplies for each channel of the triplicated system. Independence of the triplicated power supplies is carried right through to separate cable trays, junction boxes, conduits and routing to decrease vulnerability to common-mode faults.

9. MISCELLANEOUS INSTRUMENTATION AND CONTROL SYSTEMS

9.1. Radiation protection

9.1.1. General

Limitation of external and internal radiation exposure to persons at the site boundary and to plant personnel is accomplished by a combination of facilities incorporated into the station, and by adherence to a set of administrative and operating procedures.

Exposure of members of the public is limited by exclusion of all unauthorized persons from the station area, and by preventing any habitation nearer than 1000 metres from the station. The release of all effluents, liquid and gaseous, that might conceivably carry significant radioactivity is monitored and controlled. Active solids are stored in a manner that prevents the release of radioactivity.

The exposure of station personnel to radiation is limited by key interlock control of access to areas of high activity or possible contamination.

9.1 .2 . F ixed and portable area m onitoring

Fixed alarming area gamma monitors are permanently installed in areas of potentially dangerous radiation exposure to detect the occurrence of radiation hazards and to warn personnel of the presence of high fields. Two setpoints are normally provided on these monitors, both of which activate a flashing light and audible alarm in the area being monitored. The lower setpoint indicates equipment failure. The higher setpoint indicates high radiation levels.

Alarms from the area gamma monitors would, in accident cases, be preceded by other indications of impending trouble. The control room, associated air conditioning system and instrument areas are arranged so they can be atmospherically isolated, and could remain in service following any design basis reactor accident, or failure of a main or auxiliary steam or water header.

Portable alarming systems are used in the plant for various maintenance and operations tasks in high fields. These devices are used in-plant to minimize exposure and prevent overexposure.

9.1.3. Access control

Personnel entry to the exclusion zone is restricted to qualified personnel and to those under their escort. There are ‘Access Controlled Areas’ where the radiation hazard is such that entrance may be made only with the knowledge and consent of the control room staff and by using a special key. Visible signals are provided in the control room to indicate which keys are in use.

There are some areas where radiation is directly related to power level. If the access key is not in the keyboard, reactor power cannot be raised. All personnel access doors are equipped with devices to permit escape, irrespective of the status of access locks.

9.1.4. Liquid effluent monitoring

Facilities are provided to collect a sample from each effluent tank for laboratory analysis. The results of the analysis determine whether the effluent needs treatment or can be safely discharged.

Effluent from the liquid waste management system is monitored continuously, the sample being taken at a point upstream of the confluence with the condenser cooling water flow, in order to achieve maximum measurement accuracy.

Continuous samples of the discharge canal water are taken using a pump. These samples are checked for tritium content and for the nature and concentrations of any radionuclides present. Sampling and measurement frequency are determined by the Health Physics group.

9.1.5. Gaseous monitoring

Continuous samples of the effluent are taken and monitored to determine releases of iodine particulates and noble gases. The signal from each of these monitors is recorded in the main control equipment room. A high-level signal is annunciated in the control room. Tritium monitoring is carried out by laboratory analysis of gaseous effluent monitor samples. There is no continuous recording or annunciation of this function.

9.1.6. Containment monitoring

A separate triplicated gross-gamma monitoring system monitors the containment duct activity. A high activity measurement at any two of the three instruments will close the dampers and permit manual operation of the dousing system.

9.1.7. Environmental surveillance

Beyond the site boundary, the Canadian practice has been for government agencies to monitor and sample the environment. In addition, the operators of Canadian plants do some environmental monitoring, both to check the data compiled by the government agencies or others, and to assist in the development of more accurate correlations between station releases and environmental radioactivity levels.

To date, this monitoring has shown that, in general, CANDU plants can meet their operational target of keeping below one per cent of the allowable releases.

9.2. Fire protection

In general, fire detectors are provided for protection of all key areas of the station. The detectors alarm on the fire protection panel and in the main control room. The signals from the fire detectors also cause the ventilation system for the fire zone to go into a ‘fire mode’ of operation.

Various system types, ranging through sprinkling, automatic water deluge, carbon dioxide, Halon 1301 and foam, are used, dependent on the nature of the hazard and the equipment in the area. Automatic Halon 1301 systems are used in such key centres as the Battery and Telecommunication Room, Plant Control Computer Room and Counting Room. Automatic foam protects the fuel tanks for the Class III diesel generators and the auxiliary steam generator.

Hose cabinets and dry-type chemical extinguishers are located throughout the turbine and service buildings. Hose stations have adjustable nozzles, and are located so that two water streams can reach all areas.

10. HEAVY-WATER MONITORING

Heavy water is a major component of the capital cost of CANDU reactors. Consequently, suitable instrumentation is required for quantitative determination of the deuterium concentrations for heavy-water inventory, management and process control. The two analytical approaches used to measure the isotopic concentrations of water over the entire range of D2O concentrations are chemical laboratory analysis of grab samples and on-line monitoring of process streams.

Manual sampling is used on those process streams that are of secondary importance in the overall operation of the reactor. At present, on-line D2O monitoring offers the greatest benefit for those systems capable of leaking heavy water to the environment and those whose D2O concentration is used for process control. For these applications, precise isotopic measurements at the two extremes of the concentration range are needed, i.e. around natural and reactor grade isotopic values.

10.1. Heavy-water leak detection

Although leaks have been minimized so that heavy-water upkeep accounts for less than 5% of the total unit energy cost, the potential for large losses still exists. Rapid response leak detection is provided by two fully automatic heavy-water liquid analysers. These units use infrared spectrometry to measure low concentrations of excess D2O in the various process light-water streams, viz.,

— boiler light water,
— fuelling machine heat exchangers,
— moderator heat exchangers, and
— other process system heat exchangers.

When a high concentration of D2O is detected in any of these streams, an alarm is given in the control room. The station staff then uses the instrument to verify the location and size of the leak. With this analytical data, the decision can be made to either shut down immediately to repair the leak, or wait for a scheduled shutdown.

10.2. Process monitoring

A CANDU reactor normally has two heavy-water upgrading towers, one for moderator D2O and the other for primary coolant D2O. Each tower has two heavy-water liquid analysers. One monitors the low-level effluent from the tower and provides a signal for the automatic control of the tower. The other monitors the upgraded D2O product and isolates the tower if the product is unsatisfactory.

The measured D2O concentrations from these units are recorded and displayed in the control room. Alarms in the control room are also provided to indicate out-of-limit conditions or equipment faults.

11. FAILED FUEL DETECTION SYSTEM

If the zirconium cladding around the UO2 fuel is breached, the failed fuel must be located and removed while the reactor continues to operate at power. The presence of failed fuel in the reactor is determined by the Gaseous Fission Product Monitoring System, shown in Fig.27, which continuously monitors flowing samples of the heat transport system coolant.

The gaseous fission product activity in the sample is detected by a gamma-sensitive spectrometer that is fitted with a high-resolution germanium detector.

FIG.27. Gaseous Fission Product Monitoring System.

A multi-channel analyser is used to determine the difference in the gamma count rates between the sample and the natural background. The gamma energy, above background, for each of four radioisotopes, is sent to the control computers for display and comparison to allowable limits. When these limits are exceeded, indicating a fuel failure, the Failed-Fuel Location System can be used to find the channel with the defective fuel.

The Failed-Fuel Location System, shown in Fig.28, extracts, on demand, a continuous sample from each fuel channel feeder. Coils in these sample lines are arranged in a matrix that is automatically scanned by moving BF3 neutron counters and the results are output on a local printer. A sample that shows a higher delayed neutron count, with respect to other samples, indicates a fuel failure in the corresponding channel. The operator then switches to the manual mode to double check the readings before deciding on channel refuelling. If refuelling is initiated, the Location System is used to identify the faulty fuel bundle pair.

FIG.28. Failed-Fuel Location System.

TABLE VI. AECB GUIDELINES FOR ACCIDENT CONDITIONS

Event                               Maximum frequency   Individual dose limit    Total population dose limit
Single serious process failure (a)  1 in 3 years        0.5 rem (whole body)     10^4 man-rem (whole body)
                                                        3 rem (thyroid)          10^4 rem (thyroid)
Dual failure                        1 in 3000 years     25 rem (whole body)      10^6 man-rem (whole body)
                                                        250 rem (thyroid)        10^6 rem (thyroid)

(a) Serious process failure is defined as any failure of process equipment or procedure which, in the absence of action by the Special Safety Systems, could lead to significant fuel failures or significant release of radioactive material from the station.

The duty cycle of the Failed-Fuel Location System is very low because CANDU fuel bundles currently have a proven reliability of 99.97% [7].
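The comparison described above for the Failed-Fuel Location System (a channel whose delayed neutron count stands out from the other samples, followed by a manual re-check) is sketched below as an added example; it is not part of the guidebook or of any plant software. The channel names, the counts, the median/MAD scoring and the threshold of 5 are assumptions made for illustration.

```python
"""Rank fuel channels by delayed-neutron count relative to the rest of a scan."""
from math import sqrt
from statistics import median

# Constructed sample scans: counts per channel for one pass of the counters.
AUTOMATIC_SCAN = {"A09": 402, "A10": 395, "A11": 410, "B09": 388, "B10": 980,
                  "B11": 405, "C09": 399, "C10": 520, "C11": 392}
MANUAL_SCAN = {"A09": 398, "A10": 401, "A11": 407, "B09": 391, "B10": 1010,
               "B11": 400, "C09": 404, "C10": 415, "C11": 396}


def robust_scores(counts):
    """Return {channel: score} with score = (count - median) / spread.

    The median and the median absolute deviation (MAD) are used so that the
    failed channel itself does not inflate the reference level. The spread is
    never allowed below sqrt(median), the Poisson counting noise, so a scan
    of near-identical counts does not produce a division by zero.
    """
    if len(counts) < 3:
        raise ValueError("need at least three channels to compare")
    if any(c < 0 for c in counts.values()):
        raise ValueError("counts cannot be negative")
    med = median(counts.values())
    mad = median(abs(c - med) for c in counts.values())
    spread = max(1.4826 * mad, sqrt(max(med, 1.0)))
    return {ch: (c - med) / spread for ch, c in counts.items()}


def suspect_channels(counts, threshold=5.0):
    """Channels whose count is well above the others, highest score first."""
    hits = [(ch, s) for ch, s in robust_scores(counts).items() if s >= threshold]
    return sorted(hits, key=lambda item: -item[1])


def confirmed_channels(automatic_scan, manual_scan, threshold=5.0):
    """Channels flagged in the automatic scan and again in the manual re-check."""
    first = {ch for ch, _ in suspect_channels(automatic_scan, threshold)}
    second = {ch for ch, _ in suspect_channels(manual_scan, threshold)}
    return sorted(first & second)


if __name__ == "__main__":
    for channel, score in suspect_channels(AUTOMATIC_SCAN):
        print(f"automatic scan: {channel} score {score:.1f}")
    print("confirmed by manual re-check:",
          confirmed_channels(AUTOMATIC_SCAN, MANUAL_SCAN))
```

In the constructed data, channel C10 is flagged by the automatic scan only and drops out on the re-check, which is the case the manual double check exists for.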

12. LICENSING PHILOSOPHY

The design of CANDU reactors reflects the requirements laid down by the Atomic Energy Control Board of Canada (AECB). The AECB is a Federal Agency that is responsible for the licensing of commercial nuclear reactors in Canada.

The licensing process is the means by which the AECB gains assurance that a nuclear facility will be sited, designed, constructed, commissioned and operated in compliance with safety criteria and requirements established by the AECB.

The central safety criterion is that the risks due to nuclear power production should be much smaller than those due to other methods of energy production. Since the danger to the public would be the accidental releases of radioactivity to the environment, the AECB has set maximum permissible releases that the utilities must meet for operating conditions as well as accident conditions.

The operational target dose at the plant boundary from routine releases is 5 mrem/a. The resulting average exposure to the surrounding public would then be less than 1 mrem/a, which is less than 1% of natural background.

TABLE VII. MATRIX OF COINCIDENT FAILURES

Column headings: Process failures; Shutdown systems 1 or 2; Special safety systems (Emergency coolant injection; Containment)

Fuel and fuel handling
— fuel failures in the core
— fuel failures during fuel handling
X X

Electrical system
— complete and partial loss of Class IV power supply
X X

Reactor control
— reactivity disturbances from wrongful use of reactivity devices at both full and low power
— loss of primary pressure control
X X
— loss of secondary pressure control

Reactor components
— flow blockage in a fuel channel
X X
— failure of heat transport
— failure of heat transport system pump circulation
— loss of shield cooling
— loss of shutdown cooling X
X X
— loss of service water

Coolant systems
— failures in the major pipes of the heat transport system
X X
— feeder failure
— end fitting failure
— pressure tube failure
— steam main failure
— loss of feedwater supply
X
XX

For accident conditions, the AECB guidelines are based on the “single and dual failure” concept. A “single failure” is a serious failure of a single process system. A “dual failure” is a coincident failure of a process system and unavailability of any one of the special safety systems. The AECB guidelines specifying the maximum allowable frequencies and doses for these accidents are summarized in Table VI.

Serious process failures include such incidents as loss-of-regulation and loss-of-coolant accidents. Safety analyses of such events are carried out, as part of the licensing process, to show that the limits of Table VI are not exceeded. Table VII shows a typical matrix of process failures that are analysed. The ‘X’s on this table are failures that need not be considered as they do not change the outcome of the analysis.

ACKNOWLEDGEMENTS

We are indebted to W.R. Cooper, E.M. Hinchley, J.J. Lipsett, G.F. Lynch and E.M. Yaremy for their assistance and advice in the preparation of this document. We would also like to acknowledge the continued encouragement and support of E.O. Moeck and A.J. Stirling during the preparation of this document.

REFERENCES

[1] ATOMIC ENERGY OF CANADA - ENGINEERING COMPANY, CANDU Nuclear Power System, Atomic Energy of Canada Ltd. Rep. TDSI-105 (1981).

[2] KUGLER, G., Distinctive Safety Aspects of the CANDU-PHW Reactor Design, Atomic Energy of Canada Ltd. Rep. AECL-6789 (1980).

[3] PEARSON, A., Nuclear power plant control beyond the 1980s, IEEE Trans. Nucl. Sci. Vol. NS-27, 1 (1980).

[4] ICHIYEN, N.M., YANOFSKY, N., Computers’ key role in CANDU control, Nucl. Eng. Int. (August 1980).

[5] POPOVIC, J.R., ASHWELL, R.E., SMITH, J.E., CRT man-machine communication system in nuclear power stations, IEEE Trans. Nucl. Sci. Vol. NS-26, 1 (1979).

[6] HINCHLEY, E., KUGLER, G., On-line Control of the CANDU-PHW Power Distribution, Atomic Energy of Canada Ltd. Rep. AECL-5045 (1975).

[7] BAZELEY, E.G., HASTINGS, I.J., IVANOFF, N., “CANDU fuel - nineteen years of power reactor experience”, paper presented at the Canada/Mexico Nuclear Symposium on CANDU Fuel, Mexico City, November 1981, Rep. CNS-73, available from INIS.


ANNEX II

INSTRUMENTATION AND CONTROL CONCEPTS FOR PWR REACTORS

A FRENCH EXAMPLE

1. GENERAL DESIGN CRITERIA

1.1. Regulations, Codes and Standards

The following French Regulations, Codes and Standards are applied for the design and construction of FRAMATOME supply.

1.1.1. Regulations relative to health physics

“Decret n° 66-450 du 20 juin 1966 relatif aux principes generaux de protection contre les rayonnements ionisants” (Decree No. 66-450 of June 20, 1966, relative to the general principles of protection against ionizing radiation).

“Decret n° 75-306 du 28 avril 1975 relatif a la protection des travailleurs contre les dangers des rayonnements ionisants dans les installations nucleaires de base” (Decree No. 75-306 of April 28, 1975, relative to the protection of workers against ionizing radiation in nuclear facilities).

1.1.2. Regulations relative to pressure vessels

“Decret du 2 avril 1926 portant reglement sur les appareils a pression de vapeur” (Decree of April 2, 1926, regulating steam pressure vessels).

“Arrete du 23 juillet 1943 relatif a la reglementation des appareils de production, d’emmagasinage ou de mise en oeuvre de gaz comprimes, liquefies ou dissous” (Order of July 23, 1943, relative to the regulations concerning apparatus used in the production, storage and handling of compressed, liquefied or dissolved gases).

“Arrete du 28 janvier 1943 portant reglement sur les appareils a pression de gaz” (Order of January 28, 1943, regulating gas pressure vessels).

Regulations relative to the implementation of the above decrees and orders including the “Arrete du 26 fevrier 1974 portant application de la reglementation des appareils a pression aux chaudieres nucleaires a eau” (Order of February 26, 1974, applying to regulations on pressure vessels for nuclear water reactors).

1.1.3. RCC design and construction rules

The RCC (“Recueil des regles de conception et de construction”) stipulates the rules and practices applied by the French nuclear industry. The RCC covers the applicable requirements contained in French regulations, codes and standards.

The RCC is divided into six main parts:

RCC-P: Regles applicables aux procedes des centrales nucleaires a eau legere pressurisee de 900 MW(e) (Design and Construction Rules for Systems Design of 900 MW(e) PWR Nuclear Power Plants)

RCC-M: Regles de conception et de construction des materiels mecaniques des ilots nucleaires PWR (Design and Construction Rules for Mechanical Components of PWR Nuclear Islands)

RCC-E: Regles de conception et de construction des materiels electriques des ilots nucleaires (Design and Construction Rules for Electrical Equipment of Nuclear Islands)

RCC-G: Regles applicables au genie civil des centrales nucleaires a eau legere pressurisee de 900 MW(e) (Design and Construction Rules for Civil Works of 900 MW(e) PWR Nuclear Power Plants)

RCC-I: Regles applicables a la protection contre l’incendie dans les centrales nucleaires a eau legere pressurisee (Design and Construction Rules for Fire Protection in PWR Nuclear Power Plants)

RCC-C: Regles de conception et de construction applicables aux assemblages de combustible des ilots nucleaires PWR (Design and Construction Rules for Fuel Assemblies of PWR Nuclear Islands).

1.1.4. Regulations relative to transport

In addition, the following international regulations are applied as far as transport is concerned:

— IAEA Regulations for the Safe Transport of Radioactive Materials
— Air transport: IATA (International Air Transport Association)
— Sea transport: IMCO code (International Maritime Code: dangerous goods — Class 7)
— Rail transport: RID (International Regulations for the transport of dangerous materials by railway — Class IV B)
— Road transport: Appendix A, Class IV B of ADR (agreement concerning the international transport of dangerous merchandise by road).

1.2. Operational requirements

The French thermal, hydraulic and nuclear power plants are part of the European interconnected grid. As the installed load of nuclear power plants increases year by year, it has been necessary to abandon designing nuclear power plants to operate only as basic plants.


Because of their importance in the grid, they must necessarily take part, like the other types of plant, in maintaining grid characteristics such as voltage, frequency and power output.

They participate in load follow-up, i.e. in the daily power output programme and also in the remote control which involves grid frequency control (secondary frequency control). Moreover, the reactor intervenes locally in the primary frequency control by participating in the control of the turbine-generator speed. These different interventions, locally as well as at the interconnected grid level, involve requirements relative to the operation of the reactor-turbine unit: fast power rise or drop, house load operation, hot shutdown, cold shutdown, reconnection to the grid, etc. These requirements involve more complex control modes: control rods with different levels of reactivity; more thorough monitoring of core behaviour; DNBR, linear power, axial offset, etc. It should be noted that the protection and engineered safety systems take into account the limit values of these parameters.

2. INSTRUMENTATION AND CONTROL FUNCTION

2.1. General

Instrumentation and control comprises all the means necessary to operate and monitor the plant (i.e. to maintain or modify the status of the functions).

They operate in normal and emergency conditions in order:

— to control all electric actuators
— to maintain the power output of the plant within the desired operating range
— to provide the operator with all the information required for the effective and safe operation of the power plant by means of analog and digital measurements of process parameters
— to control the environment of the power plant to ensure protection of plant personnel against harmful effects of radiation
— to protect systems and equipment when the assigned limits of the physical parameters are exceeded
— to effect a safe shutdown of the power plant in all circumstances
— to mitigate the consequences of an accident by actuation of the engineered safety systems.

The following equipment is used for this purpose:

— instrumentation and analog control systems
— logic control systems
— computer and data-processing system.

2.2. Safety-related systems

The safety-related equipment and systems are those essential for:

— emergency reactor shutdown
— containment isolation
— reactor core cooling
— reactor heat removal
— prevention of significant release of radioactive material to the environment.

These functions are realized by the protection system, the systems required for safe shutdown and the supporting systems.

2.2.1. Protection system

The protection system is designed to initiate the emergency reactor shutdown and engineered safety systems.

It is used to make sure that the safety limits of the reactor coolant system and of the core are not exceeded in the case of control system malfunction or abnormal conditions of the reactor (incidents, accidents).

The design bases used to determine the characteristics of emergency reactor shutdown are:

— maintaining fuel cladding integrity
— maintaining reactor coolant system integrity.

The initiation of the engineered safety systems such as containment isolation or safety injection is used to limit the radiological consequences of accidents.

2.2.2. Systems required for safe shutdown

The systems required for safe shutdown are those which are used for maintaining the reactor core in a subcritical status and for ensuring core decay heat removal from the reactor coolant system, containment heat removal and prevention of significant release of radioactive material to the environment.

2.2.3. Supporting systems

The supporting systems are those required for the correct operation of the systems described above and of their actuators, but which do not directly participate in the safety function, for example, the backup power supply system or electrical premises ventilation.

2.3. Instrumentation and control systems for the normal operation of the nuclear power plant

2.3.1. Instrumentation

2.3.1.1. Nuclear instrumentation system

The main function of the nuclear instrumentation system consists in monitoring the neutron flux and processing the analog signals thus obtained, for use either in the reactor protection system or in the control and display systems.

The nuclear instrumentation system consists of twelve independent channels: four in the source range, four in the intermediate range and four in the power range.

2.3.1.2. Process instrumentation

The functions of the process instrumentation are to provide the operator with the necessary information to take rapid action when required, and to analyse the behaviour of various components following normal or abnormal events.

2.3.1.3. In-core instrumentation system

The in-core instrumentation system yields information on neutron flux distribution and fuel assembly outlet temperatures at selected locations within the reactor core.

The system consists of thermocouples positioned at specific points and of miniature neutron flux detectors which can be inserted on request in the centre and along the entire length of selected fuel assemblies.

In-core instrumentation provides information for calculating coolant enthalpy and specific fuel burnup, and for evaluating coolant flux distribution.

2.3.1.4. Rod position indication system

The control rod position indication system serves as a means of providing information to the operator.

The rod position sensor consists of a primary coil and a series of secondary coils, whose magnetic coupling to the primary coil depends on the position of the grooved rod.

2.3.1.5. Plant radiation monitoring system

(a) Process radiation monitoring system: this continuously monitors the reactor coolant, all plant effluents and the containment atmosphere.


(b) In-plant area radiation monitoring system: this provides indication of radiation levels in different plant areas (12 channels).

2.3.1.6. Fire detection system

Detectors located at fixed points generate an alarm whenever a fire occurs. This allows the operator to actuate the fire protection and smoke extraction systems.

2.3.1.7. Containment deformation measurement

The containment is provided with instruments designed to measure containment deformations during the tensioning of the cables and the acceptance test of the containment, and to check the condition of the building during its life.

2.3.2. Control loops

2.3.2.1. Reactor control system

The reactor control system provides automatic control of the reactor during at-power operation. It generates signals for actuating the control rods and the pressurizer control elements. The chemical and volume control system serves as a secondary reactor control system for the long-term reactivity adjustment by addition or removal of boric acid solution to or from the reactor coolant.

2.3.2.2. Turbine bypass control system

The turbine bypass control system automatically actuates the relief valves of the turbine bypass system in order to create an artificial steam load enabling the NSSS to be kept in normal operation in the case of load reduction, turbine trip, hot shutdown or turbine start-up.

2.3.2.3. Feedwater flow control system

The feedwater flow control system maintains the water level in all steam generators at a programmed value during steady-state operation and within limits required for safe and continuous plant operation during transients. Control of feedwater flow in each steam generator is carried out by operation of the main or bypass valve of the feedwater system and by feedwater pump speed control.

2.3.3. Logic control

Various controls are used:

— centralized manual controls, located in the control room or on the emergency shutdown panel
— local manual controls
— automatic controls
— protection systems.

2.3.4. Computer and data-processing system

See Section 4.4.

2.3.5. Alarm processing system

The alarm processing system warns the operator whenever a fault occurs in any system by energizing a horn and illuminating the relevant fault indicator light.

3. INSTRUMENTATION AND CONTROL DESIGN PRINCIPLES AND CHARACTERISTICS

3.1. Protection system and systems required for safe shutdown

3.1.1. General description of the protection system

The protection system includes all electrical and mechanical equipment involved in the elaboration of signals initiating the emergency reactor shutdown and the engineered safety systems, from the sensors to the actuator input terminals, i.e.:

— process instrumentation sensors
— nuclear instrumentation detectors
— rod position sensors
— measurement data acquisition and digital signal processing cabinets. These programmed units provide signals opening the reactor trip breakers and signals used to initiate the engineered safety systems
— logic safety cabinets. They receive the programmed unit signals, establish logic coincidences and provide signals to the various actuators required to initiate and operate the engineered safety system functions.

3.1.2. Design basis of the protection system

(a) Protective actions

All protective actions are automatic except in those cases where the time between the initiation of a dangerous condition and the required protective action is long enough to allow manual action by the operator. Once initiated, each protective action goes to completion.

(b) Compliance with the single-failure criterion

The protection system is designed with sufficient redundancy to ensure that no single failure results in the loss of a protection function. Failures arising within the system, those occurring in auxiliary supporting systems, and those resulting from outside phenomena have been considered.

(c) Failure detection

In order to allow internal failures to be detected and to verify that system performance is in accordance with the functional requirements, the protection system is designed to be tested periodically during reactor operation. Different parts of the protection system can be tested separately to detect any loss of redundancy.

(d) Protection against common-mode failures

Means have been provided to protect the protection system against common-mode failures in order to minimize the probability of such failures affecting redundant channels. Physical and electrical separation of redundant equipment items is used to limit the consequences of external hazards. Postulated common-mode failures originating within the system are taken into account in the design, primarily by the use of functional diversity (for the signals which initiate protective actions).

(e) Manual initiation of protection functions

Each protective action at the system level can be controlled manually from the control room. The amount of equipment used for manual initiation is kept to a minimum.

(f) Qualification

The various components are subjected to a qualification programme to ensure that the protection system is capable of performing its function during and after any design basis event.

(g) Bypasses

The removal from operation of one channel for testing or maintenance purposes is allowed only when the other channels meet the single-failure criterion. Operational bypasses are indicated in the control room and removed automatically whenever permissive conditions are not met.

(h) Information readout

Data concerning the status of the plant and the status of the protection system channels are precisely and completely displayed in the control room. These displays allow the operator to follow up the protective systems operation and, if needed, to initiate manual actions.
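Items (b) and (g) above can be checked mechanically for a coincidence vote, as in the following added example, which is not taken from the guidebook or from any vendor's logic. It covers the two-of-three vote stated earlier for the containment gamma monitors and, as an assumed case, a two-of-four vote; the channel names, the stuck-output failure model and the two out-of-service modes (output blocked, or output forced to the trip state) are assumptions.

```python
"""Single-failure check for a k-out-of-n trip vote with channels out of service."""
from enum import Enum


class Mode(Enum):
    IN_SERVICE = "in service"  # channel votes according to the plant condition
    BYPASSED = "bypassed"      # assumption: output blocked, never votes for a trip
    TRIPPED = "tripped"        # assumption: output forced to 'trip' while out of service


def votes(modes, demand, stuck=None):
    """Return each channel's vote (True = trip).

    demand -- True when the monitored condition really calls for protective action.
    stuck  -- optional (channel, value): one channel whose output is stuck at value.
    """
    out = {}
    for name, mode in modes.items():
        if mode is Mode.BYPASSED:
            out[name] = False
        elif mode is Mode.TRIPPED:
            out[name] = True
        else:
            out[name] = demand
    if stuck is not None:
        out[stuck[0]] = stuck[1]
    return out


def actuates(channel_votes, k):
    """Coincidence logic: protective action when at least k channels vote trip."""
    return sum(channel_votes.values()) >= k


def single_failure_report(modes, k):
    """Try every single stuck output on the channels that can still vote.

    'missed'   -- channels whose silent failure defeats the trip on a real demand.
    'spurious' -- channels whose false trip alone causes an unwanted actuation.
    """
    live = [name for name, mode in modes.items() if mode is not Mode.BYPASSED]
    missed = [n for n in live if not actuates(votes(modes, True, (n, False)), k)]
    spurious = [n for n in live if actuates(votes(modes, False, (n, True)), k)]
    return {"missed": missed, "spurious": spurious}


def bypass_permitted(modes, k, channel, new_mode=Mode.BYPASSED):
    """Allow taking 'channel' out of service only if the remaining channels
    still deliver the protective action with any one of them failed."""
    if channel not in modes:
        raise KeyError(channel)
    proposed = dict(modes)
    proposed[channel] = new_mode
    if not actuates(votes(proposed, True), k):
        return False  # the vote cannot be reached even with no failure
    return not single_failure_report(proposed, k)["missed"]


if __name__ == "__main__":
    two_of_three = {name: Mode.IN_SERVICE for name in "ABC"}
    two_of_four = {name: Mode.IN_SERVICE for name in "ABCD"}
    print("2oo3, bypass A:", bypass_permitted(two_of_three, 2, "A"))
    print("2oo3, A forced to trip:",
          bypass_permitted(two_of_three, 2, "A", Mode.TRIPPED))
    print("2oo4, bypass A:", bypass_permitted(two_of_four, 2, "A"))
```

With three channels, blocking one output leaves a two-of-two vote that a single silent failure defeats, so the request is refused; forcing the channel to the trip state keeps the protection function at the cost of a spurious actuation on one further false trip.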

3.1.3. Systems required for safe shutdown and supporting systems

The instrumentation and control of these systems includes various control devices in the control room (or at the auxiliary shutdown panel and locally if the control room is unavailable), certain cabinets which provide logic signals to the actuators used to place the reactor in safe shutdown, as well as indicators, recorders, lights and alarms.

In the control room, the operator is provided with all the means necessary to control the plant under normal conditions and to take action to bring it to a safe state after an accident and to maintain it in this state.

The control room is adequately protected to permit access and occupancy during and after accidents.

If the control room is unavailable, equipment is provided at appropriate locations outside the control room. This equipment is:

— designed to ensure prompt hot shutdown of the reactor, including the instrumentation and controls necessary to maintain the reactor in a safe state during hot shutdown, and

— adequate to allow cold shutdown of the reactor.

This equipment includes:

— the auxiliary shutdown panel, located in the electrical premises near the local switchgear panels. It encompasses all controls and readouts needed to bring the reactor to hot shutdown and to maintain it in this state

— local actions (using 380 V or 6.6 kV switchgear, test tap connections and local manual controls) can be used to bring the reactor to cold shutdown and act as a supplement to the auxiliary shutdown panel; time is available for their use.

3.2. Protection and engineered safety systems performance

When abnormal conditions occur in the nuclear steam supply system, protection is ensured by logic circuits which entail different protection and engineered safety actions:

— emergency shutdown

— initiation of auxiliary feedwater system

— steamline isolation

— isolation of normal feedwater lines

— initiation of safety injection system.

FIG. 1. Core monitoring and protection system. (Figure not reproduced; legible labels: LOCA alarm, emergency shutdown caused by low DNBR, low DNBR alarm, maximum linear power.)

3.2.1. Emergency shutdown channels

Two types of core protection are provided to prevent the physical limits of the core (DNB and linear overpower) from being reached:

— Specific protections based on the measurement of only one of the physical parameters which affect the core limit values. Because of the simplicity of these protections, the response time is short, and they are effective in the case of transients leading to a rapid variation of a single parameter (for example, reduction in the reactor coolant flow rate).

— More complex protections used in the case of accidents leading to the variation of several physical parameters (thermal power, coolant temperature, power distribution, etc).

These protection systems use margin calculations with respect to physical limits. From the physical parameter measurements, algorithms calculate two parameters which cannot be measured directly:

— the DNBR (Departure from Nucleate Boiling Ratio)

— the maximum linear power locally produced in the core.

The first parameter is used for determining the margin with respect to the probability of occurrence of the burnout; the second parameter is used for determining the margin with respect to the probability of fuel damage because of an excessive rise in temperature.

The detectors used are:

— primary system temperature detectors

— primary pressure detectors

— rod position indicators for radial power distribution calculation

— multisection ex-core detectors for axial power distribution calculation (6-section detectors)

— coolant pump speed indicators for calculating the flow rate in the core.

Calculations are carried out by microprocessors which can deal with complex algorithms with an acceptable response time (see Fig. 1).

The use of fine measurements of the variables which characterize the core status (actual power distribution) and of sophisticated calculations of the operating limits provides a knowledge of margins of operations as exact as possible, which contributes to good plant operational flexibility (manoeuvrability).


Moreover, this protection system has a monitoring function: it generates alarms when the core is in unfavourable pre-accident conditions, i.e. when the operating conditions are such that the effectiveness of the protection system in the case of an accident requires a corrective action by the operator (low DNBR alarm and LOCA alarm).

3.2.2. Engineered safety systems

The auxiliary feedwater system is designed to cool the reactor in the case of normal feedwater system failure or unavailability.

Steam isolating valves are closed to limit excessive cooling of the primary system and the quantity of steam released in the containment in the case of an SLB.

Normal feedwater line isolation may also be required to limit cooling or steam release, as well as to prevent water from entering the turbine, in the case of a high level in a steam generator.

The safety injection system is designed to provide the primary system with:

— on the one hand, the quantity of water necessary for reactor core cooling in the case of a LOCA,

— on the other hand, the quantity of boric acid necessary to compensate for the reactivity insertion in the case of a cooling accident, for example an SLB.

3.2.3. Post-accident monitoring system

This system is designed, after an accident which requires the automatic initiation of the engineered safety actions, to provide the operator in the control room with data sufficient for post-accident monitoring and control of the plant.

It includes instrument channels which consist of sensors, isolation modules, indicators and recorders.

This system is supplemented by a boiling margin computer which compares the saturation temperature corresponding to the (measured) pressure of the primary system with the temperature at the hottest point on the primary system (measured by thermocouples located at core outlet).

This margin is used by the operator to decide whether the safety injection and the reactor coolant pumps must be stopped or set into operation. It is thus possible to prevent the uncovering of the core while limiting the disadvantages of a sustained operation of these systems.


3.3. Performance of the systems designed for ensuring normal operation of the plant

3.3.1. Adjustment to the grid

The participation of an electric power plant in grid requirements results in output variations which can be broken down as follows:

— daily load follow-up cycles: power is lowered from the rated value to an intermediate power level (for example at a 2% per minute speed) then returned to the rated value.

— primary frequency control: it is performed by the turbine speed controller. These variations induce variations in plant power with an amplitude of approximately 3—4% of the rated power.

— secondary frequency control (remote control): a load control centre takes into account the frequency variations and the energy exchanged with the neighbouring systems to generate a power correction signal remotely sent to the plants. This signal causes ±5% power variations at a maximum 1.5% per minute speed.

— return to full power: following an unexpected grid incident, plants operating at reduced power may be required to return, at a 5% per minute speed, to full-load operation.

— house load operation: in the case of a serious incident on the grid, the latter may no longer be in a position to receive the power generated by the plant. The plant, however, continues to produce energy for its own consumption. The steam produced in excess is sent directly to the condenser through a circuit which bypasses the turbine.

Normal plant operation is guaranteed within certain voltage and frequency limits. Within these limits the plant keeps on producing power. The overshooting of these limits necessarily entails house load operation.

3.3.2. Principle of the RAMP (Reactor Advanced Manoeuvrability Package)

The RAMP uses the control rods to execute the variations in power level. Boron is mainly used to compensate for reactivity changes due to xenon poisoning effect and fuel burnup.

Two types of control rods with distinct functions are moved in the core by the operation of two independent control channels:

— A power control channel controls ‘grey’ rods (they are called grey rods because of the relatively low absorption capability of some of them) divided into four groups. These groups are inserted in sequence from the least absorbing group to the most absorbing group as power decreases. The choice of group worths and of the insertion sequence is made in such a way that axial power distribution is only slightly disturbed, whatever the power level. Thus, the fact that the position of these groups is slaved only to the power level allows the axial distribution to be maintained in a satisfactory condition and the built-in reactivity to be kept sufficient for a fast return to full power.

— A temperature control channel which controls a group of black rods. This channel is used for a fast and fine adjustment of reactivity; the function of this black group (the R bank) mainly consists in compensating for side-effects. Apart from the cases of fast transients, in which it assists the grey groups, it is normally confined within an operating band located in the upper section of the core.

FIG. 2. Power control system: grey rod control. (Figure not reproduced; legible labels: power demand, electric power signal.)

The effect of a power variation on reactivity is normally compensated for by grey rod displacement, but the fact that the position of these rods is open-loop controlled does not allow a fine adjustment to be carried out. Similarly, reactivity variations due to xenon level variations are normally compensated for by the corresponding variation of boron concentration, a perfect compensation, however, being impossible to achieve. The total reactivity balance, which must be zero to ensure reactor criticality, is, thus, automatically adjusted by the R bank.

The R bank position is controlled by boron concentration. The R bank must normally be maintained within its operating band. It is temporarily used to compensate for axial power distribution disturbances which could entail dangerous oscillation (xenon oscillation).

It also compensates for primary control power variations which, except in the case of an incident, have no repercussions in the grey groups, as well as xenon level variations due to the remote control and primary control, to avoid modifying boron dilution or concentration too frequently.

3.3.3. RAMP control system

The grey group control channel is shown in Fig. 2. These groups are positioned as a function of the power required by the grid, on the one hand, in the form of the load follow-up manually displayed by the operator and, on the other hand, in the form of the remote control signal automatically generated in a dispatching centre.

Power demand is converted into position demand through a function generator which sets the position of the various groups, taking into account the insertion sequence. The position setpoint is compared with the measured position of the rods. A positioning error entails the displacement of the rods in accordance with a speed control programme which includes a deadband and hysteresis in order to limit displacements.

In order to distribute demands between both systems of rods, the grey rods are required for the primary frequency control only in the case of an incident on the grid, by means of a deadband which eliminates the impact of normal frequency variations.

FIG. 3. R Bank control. (Figure not reproduced; legible labels: neutron flux, turbine, average temperature (Tav), high pass comparator, average temperature programme, withdrawal, insertion, turbine by-pass system.)

The R bank control channel is represented in Fig.3. It is composed of two parts:

(1) The average temperature channel, which compares the setpoint value, Tref, with the measured average temperature, Tav

(2) The channel which controls the discrepancy between turbine power and nuclear power Qn and allows a fast response to be obtained in the case of fast variations in the load.

As for the grey groups, a speed control programme, which includes a deadband and hysteresis, controls R bank displacements.

4. MAIN EQUIPMENT DESCRIPTION

4.1. Digital integrated protection system (SPIN)

The progress made as regards technology now makes it possible to execute more elaborate protection functions suitable for closer supervision of the phenomena that are to be monitored.

This system is designed to meet the following requirements:

— improve the safety of the plant

— improve its availability

— facilitate installation

— facilitate testing and maintenance.

The main characteristics taken into consideration are:

— the possibility of performing more elaborate processing of monitoring and protection algorithms

— a redundancy of order 4 of the sensors, the instruments and the signal processing system

— the possibility of inhibiting part of the protection system

— the standardization of the equipment

— physical and electrical separation of the redundant assemblies

— the use of multiplexed links

— the automation of tests.

4.1.1. General configuration (Fig. 4)

The SPIN includes:

— four acquisition and processing units for protection (UATP),

— two logic processing units (ULS): one for controlling the engineered safety system A and the other for controlling system B.

FIG. 4. General arrangement of the SPIN. (Figure not reproduced.)

The function of each UATP consists in:

— acquiring all the signals emitted by the sensors associated with this UATP

— carrying out the necessary processing of these signals

— carrying out comparisons with the protection thresholds so as to generate partial tripping data for each elementary function

— transferring these partial tripping data to the other UATPs

— executing logic (2/4) processing of the partial tripping signals from the four UATPs, taking any possible inhibitions into account

— transmitting trip instructions directly to the reactor trip breakers and, via the ULSs, to the engineered safety systems actuators.

Each ULS receives the trip requests sent out by the four UATPs, arranges them according to a 2/4 logic and transmits the instructions to the actuators, after taking into account the manual tripping controls from the control room.

4.1.2. Technological choices (Figs 5 and 6)

The definition of the UATP is based on the use of programmed, digital techniques which only permit monitoring and protection algorithm processing.

An analysis of the possible structures led to the choice of a multiprocessor structure that can be divided into specialized, autonomous sub-assemblies. Each sub-assembly is built around a microprocessor.

This solution has the following advantages:

— distribution of tasks

— operation in parallel making it possible to use standard microprocessors to obtain the required response times

— small programs that are easier to analyse, implement and test

— smaller failure unit.

These sub-assemblies include the functional units (UF) which are assigned to the processing of protection algorithms and the transfer units (UE) which permit communication outside the UATPs, via multiplexed links. In particular, the UEs transmit partial tripping data between UATPs.

All necessary transfers between UFs and UEs are carried out via shared memories.

Due to the simplicity of the functions that the ULSs are required to perform, a wired technique has been chosen. This technique is of the ‘directed failure’ type. In order to avoid untoward tripping, each ULS consists of two identical sub-assemblies and the instructions sent out by the two sub-assemblies are arranged in a 2/2 logic before they are transmitted to the actuators.

FIG. 5. UATP-ULS links and ULS block diagram. (Figure not reproduced; legible labels: UATP 4, ULS A, ULS B, processing, 2/4, manual control for channel A reset to zero, manual control for channel B reset to zero, manual control for grouped actuator test, manual control for putting the system into service.)

FIG. 6. Structure of a UATP. (Figure not reproduced; legible labels: shared memory buses, series links using optical fibres, wire-for-wire on/off outputs, channel A inhibition logic, channel B inhibition logic, alarms, decoupling units (input/output), analog and on/off inputs.)

FIG. 7. Structure of a functional unit (UF). (Figure not reproduced; legible labels: bus for access to shared memories, control, output.)

4.1.3. Structure of a functional unit (Fig. 7)

Each functional unit is built around a microprocessor that executes the digital and logic processing relative to one or several elementary protection functions. A UF consists of input circuits, output circuits, the microprocessor and its associated memories. In addition to its input circuits and its ‘wire-for-wire’ output circuits, the microprocessor has access to shared memories and thus transfers can be carried out outside the UATPs via UEs that manage multiplexed links.

Data are transmitted to the various elements of the UF via buses. Specialized buses are assigned, on the one hand, to inputs/outputs and, on the other hand, to communications with the shared memories.

4.1.3.1. Input circuits

These are used to acquire:

— analog signals emitted by the neutron sensors or by the thermodynamic sensors. Analog/digital conversion is carried out at this level under microprocessor supervision

— pulsed signals issued by the primary pump speed sensors

— numerical quantities transmitted in parallel by the control rod position sensors

— logic signals from the control room or local control devices.

4.1.3.2. Output circuits

These permit wire-for-wire transmission of trip instruction from the protection actuators (reactor trip breakers or engineered safety systems actuators) and of other signals.

4.1.3.3. Microprocessor

This performs the processing and monitors the acquisition of inputs and the transmission of outputs. The program is contained in a REPROM, thus prohibiting any outside intervention. The intermediate computation variables are stored in the read/write RAMs.

Whenever the volume and the complexity of the processing so require, a specialized arithmetic and logic unit is associated with the microprocessor. This unit can be considered as a peripheral device that performs arithmetic operations under the supervision of the microprocessor.

Lastly, the microprocessor has access to the shared memories. The microprocessor of each UF has its own clock and therefore works asynchronously with respect to the microprocessors of the other UFs or of the UEs; this increases the autonomy of the UF and limits the consequences of a failure. Furthermore, each UF has its own specific power supply.

4.1.3.4. Shared memories

These are read/write RAMs accessible to two microprocessors. They enable data to be transferred from a UF to a UE, or inversely.

Since processing is performed asynchronously by the two microprocessors that have access to a memory, this memory acts as an intermediate storage area, and since the accesses are random accesses, overlapping is prevented by a system that is coupled with each shared memory.

In order to simplify the implementation and operation of the shared memories, the two accesses are specialized, one for the input and the other for the output. Therefore, data flow in one direction only.

4.1.4. Operation of a functional unit

Each UF performs its program autonomously. Schematically, a UF carries out the following tasks:

— acquisition of analog, digital and logic inputs

— digital processing of data

— comparison of the results of this processing with a fixed or a computed threshold in order to generate the partial tripping data connected with the corresponding elementary protection function

— storage of these partial tripping data in the corresponding shared memory with a view to transmitting them to the corresponding UFs of the other UATPs via the UE

— reading of the partial tripping data generated by the corresponding UFs of the other UATPs in the corresponding shared memory

— logic 2/4 processing of the partial tripping signals from the four UATPs

— possible transmission of a trip instruction to the reactor trip breakers connected with this UATP or to the ULSs, according to the circumstances.

The digital processing to be performed on the data varies from one UF to the other. In those UFs which process simple protection functions, the signals issued by the sensors are usually compared directly with fixed thresholds. However, in the other UFs, the digital processing is complex; protection against low DNBR, for instance, depends on flow rate, primary temperatures, pressure, primary pump speeds and control rod position.

This protection entails the use of algorithms to determine two parameters which cannot be measured directly: the DNBR and the maximum linear power locally produced in the core. This is one of the considerations that guided the technological choices for the UATPs.


The logic 2/4 function and the inhibition possibilities of a sensor and of its associated instruments involve the following logic processing:

0 inhibition → 2/4 logic

1 inhibition → 2/3 logic

2 inhibitions → 1/2 logic and alarm

3 or 4 inhibitions → emergency shutdown.

This processing ensures that the protection system remains in conformity with the single-failure criterion for all the combinations of inhibitions that can be carried out.
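The inhibition table above, together with the ULS 2/4 and 2/2 arrangement described earlier, written out as a voter and checked exhaustively against a single silent channel failure. This is an added example, not SPIN code: the bitmask encoding, the function names, the rule that an inhibited channel's partial trip is ignored, and the manual trip modelled as an OR input are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added illustration, not SPIN code. Bit i of a mask stands for UATP i+1. */
#define N_UATP   4u
#define ALL_MASK 0x0Fu

typedef enum { LOGIC_2_OF_4, LOGIC_2_OF_3, LOGIC_1_OF_2, LOGIC_FORCED_TRIP } logic_t;

typedef struct {
    logic_t logic;  /* voting logic selected by the number of inhibitions */
    bool    trip;   /* trip instruction issued */
    bool    alarm;  /* degraded-redundancy alarm (2 inhibitions) */
} vote_t;

static unsigned count_bits(unsigned m)
{
    unsigned n = 0;
    for (unsigned i = 0; i < N_UATP; i++)
        n += (m >> i) & 1u;
    return n;
}

/* Vote on partial trips. Assumption: an inhibited channel's partial trip is ignored. */
vote_t uatp_vote(unsigned partial, unsigned inhibited)
{
    unsigned n_inh = count_bits(inhibited & ALL_MASK);
    unsigned votes = count_bits(partial & ~inhibited & ALL_MASK);
    vote_t r = { LOGIC_2_OF_4, false, false };

    switch (n_inh) {
    case 0:  r.logic = LOGIC_2_OF_4; r.trip = votes >= 2; break;
    case 1:  r.logic = LOGIC_2_OF_3; r.trip = votes >= 2; break;
    case 2:  r.logic = LOGIC_1_OF_2; r.trip = votes >= 1; r.alarm = true; break;
    default: r.logic = LOGIC_FORCED_TRIP; r.trip = true; break; /* 3 or 4 inhibitions */
    }
    return r;
}

/* One ULS sub-assembly: 2/4 on the UATP trip requests.
   Assumption: the manual trip from the control room is ORed in. */
bool uls_subassembly(unsigned requests, bool manual_trip)
{
    return manual_trip || count_bits(requests & ALL_MASK) >= 2;
}

/* ULS output: both identical sub-assemblies must agree (2/2) before actuation. */
bool uls_output(bool sub1, bool sub2)
{
    return sub1 && sub2;
}

/* For every inhibition pattern, fail each remaining channel silent in turn while
   all healthy channels demand a trip; the vote must still trip. */
bool survives_single_silent_failure(void)
{
    for (unsigned inh = 0; inh <= ALL_MASK; inh++) {
        unsigned active = ~inh & ALL_MASK;
        for (unsigned f = 0; f < N_UATP; f++) {
            unsigned failed = 1u << f;
            if (!(active & failed))
                continue;
            if (!uatp_vote(active & ~failed, inh).trip)
                return false;
        }
    }
    return true;
}

/* Would one spurious partial trip, on its own, cause a trip under this pattern? */
bool single_spurious_trips(unsigned inhibited)
{
    unsigned active = ~inhibited & ALL_MASK;
    for (unsigned f = 0; f < N_UATP; f++) {
        unsigned one = 1u << f;
        if ((active & one) && uatp_vote(one, inhibited).trip)
            return true;
    }
    return uatp_vote(0u, inhibited).trip; /* forced trip needs no vote at all */
}

int main(void)
{
    static const char *names[] = { "2/4", "2/3", "1/2", "forced trip" };
    for (unsigned inh = 0; inh <= ALL_MASK; inh++) {
        vote_t v = uatp_vote(0u, inh);
        printf("inhibited=0x%X logic=%-11s alarm=%d single-spurious-trips=%d\n",
               inh, names[v.logic], v.alarm, single_spurious_trips(inh));
    }
    printf("single silent failure tolerated for all patterns: %d\n",
           survives_single_silent_failure());
    return 0;
}
```

The output shows the trade the table makes: every inhibition pattern still trips with one silent channel, while from two inhibitions onward a single spurious signal is enough to trip, which is the state the alarm flags.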

The processing sequence of a UF is repeated indefinitely. Since each UF is autonomous, it is possible, by distributing the elementary protection functions among the UFs, to process, on the one hand, simple protections calling for short response times and, on the other hand, more elaborate protections but with longer response times.

Furthermore, each program includes a certain number of self-tests enabling most anomalies in operation to be detected; moreover, a watchdog monitors microprocessor activity.

Lastly, an automatic testing device makes it possible to check periodically that all the protection functions, from the acquisition of the analog signals to the emission of the tripping signals, are working correctly. This testing device injects signals in place of real inputs, collects the processing results and compares them with the anticipated results.

4.1.5. Assembly of the components forming a UF

UFs are made up by assembling standard electronic boards, including:

— the microprocessor board, which comprises a Motorola 6800 microprocessor, the RAMs and the REPROMs, and the clock

— the arithmetic and logic unit board

— the analog input board which carries out the analog/digital conversions

— the digital input boards

— the digital output boards

— the shared memory board

The various boards which form a UF are grouped in a rack. The buses connecting these boards are physically implemented at the rear of the rack. There are, in fact, two separate buses:

— one bus connecting the microprocessor board to the inputs/outputs,

— one bus connecting the microprocessor board to the shared memories.

The difference between one UF and another depends on:

— the programme implemented in the REPROMs

— the number of input/output boards

— whether there is an arithmetic and logic unit or not.

4.2. Programmable system for on/off control

Technological improvements in microelectronics led to the development in France of an advanced programmable system for the first 1300 MW nuclear power plants, meeting the following objectives:

— introduction of automation at a high reliability and availability level,

— progressive implementation in design offices and on sites by operators not specialized in electronics or data processing

— great flexibility permitting the configuration of various systems

— survivability of first failure

— capability of self-diagnosis.

This equipment is characterized by a modular, programmed and multiplexed structure with distributed software.

4.2.1. Main characteristics

The basic structure is a cabinet which includes:

— a process interface unit (inputs/outputs)

— an electronic unit which performs logic data processing and data exchange

— a survey unit in charge of fault localization

— a test and maintenance unit (man/machine communication)

— a display unit, common to several cabinets where the internal faults of the system are displayed.

For reliability and availability purposes, each cabinet can be equipped with a dual structure; the interface block including the 256 input/output modules is unique. In this case, the electronic block is fitted with two redundant structures having access to the interface block. An order shall be transmitted only if requested by the two redundant structures (operation in 2/2 mode). Should a failure occur in one of the two redundant structures, this structure shall automatically be switched off while the operation continues in 1/2 mode with the remaining structure.

Each redundant structure of the electronic blocks is equipped with a set of microprocessors actuating the following functional units (see Fig. 8):

— Interface control unit (UC) managing the interface modules.

— Processing unit consisting of:

Logic processing unit (ULT) implementing programs stored in REPROMs of the program unit (UP);

Logic management unit (ULG) controlling REPROM configuration, undertaking the detection and identification of defects and implementing the starting programs of a cabinet.

— Internal functions control unit (UI) managing and implementing the internal variables and time delays.

— Inter-cabinet exchange control unit (UE) carrying out uni- or bi-directional multiplexed exchanges with other cabinets or with demultiplexing equipment through the connection unit (UB). Each inter-cabinet exchange control unit can transmit or receive a maximum of 1000 data items.

— Unit controlling the exchanges with the centralized plant computer (TCI); this unit transmits to the centralized plant computer only those status changes which appear separated by at least a 50-ms interval.

FIG. 8. Automation cabinet schematic diagram. (Figure not reproduced.)

A supervising unit, common to the two structures, localizes defects and manages the various modes of operation in connection with the logic management units.

A 1300 MW PWR nuclear power plant is equipped with approximately 1000 remote controlled actuators, 2000 logic sensors and position indicators, 600 control devices, 3000 alarm devices and 600 signalling devices; moreover, it has to deal with almost 6000 data items to be transmitted to the plant computer.

4.2.2. Automation cabinets

These cabinets receive logic data from the installation or the control room; they prepare orders for actuators, generate alarm data and send data to the plant computer. Data and control devices corresponding to the same functions are grouped in the same cabinet to reduce wire-for-wire or multiplexed connections between cabinets. About a hundred cabinets are installed in the plant:

— 55 are located in the electrical building, channel A; they deal with the automation relative to channel A safety-related systems and to the systems which are located in the turbine hall and reactor building.

— 25 are located in the electrical building, channel B; they deal with the automation relative to channel B safety-related systems.

— 13 are located in the nuclear auxiliaries building (common to two plants); they deal with the automation relative to nuclear waste systems.

— 3 are located in the pumping station and deal with the automation relative to non-safety-related auxiliary systems (common to two plants), set up in this station.

— 2 are located in each diesel generator building and deal with local diesel generator automation.

— 7 are located in the on-site demineralized water production station.

— 2 are located in the on-site auxiliary boiler building.

All systems managed by these cabinets are controlled and supervised from the control room, except those located in the nuclear auxiliaries building and in the demineralized water production station; the latter are controlled locally and supervised from the control room.

The general rule retained for all automation cabinets is that every control or order and all data from the plant is sent to these cabinets through wire-for-wire connections. Multiplexed links between cabinets are used to convey data acquired or generated in a particular cabinet and used in one or several other cabinets. As far as alarms and signals are concerned, alarms requiring immediate action by the operator are indicated by lights connected wire-for-wire to the cabinet generating these alarms; remaining alarms are transmitted by multiplexed links to the alarm centralizing cabinet and presented on a display CRT. Signals are transmitted through multiplexed links to demultiplexers installed in the control room which control the LEDs.

4.3. Control system

The control systems can be made by means of PID controllers and conventional analog components.

However, as in the digital integrated protection systems (SPIN) and programmable systems for on/off control, distributed individual microprocessors have been widely used in the programmable control systems.

The Micro-Z system, based on distributed microprocessors, allows an algorithm or any algorithm assembly to be performed. The man/machine communication system matches any process, unit arrangement and operating mode. Each element is separate and cannot be disturbed if other elements fail. Time sharing is available for ease of operation.

The Micro-Z system allows supervision via the following functions:

— acquisition, processing, control

— man/machine communication

— communication interface

— configuration and adjustment.

These functions are dealt with below.

(a) Acquisition, processing, control

Acquisition and control

— either through input-output modules, for control data processed separately,

— or through multiplexed acquisition cards for monitoring data (high level or low level analog data or logic data).


Processing and control

Each card of the system includes:

— a µP that performs all control functions in a loop, whatever algorithm sophistication,

— a µP to communicate with the other system elements.

All input/output modules and data processing cards are installed in Micro-Z system cabinets.

(b) Man/machine communication

The selection of an adequate control station depends on the type and size of the installation, the location of the different control rooms, etc. Three designs are available and can be used at the same time.

Conventional control stations

In the case of separate control stations, the operator can take advantage of digital component performance while keeping the conventional way of controlling a plant.

General purpose stations

From a simplified keyboard, up to four stations can be connected to any acquisition, processing or control card of the system.

Video control centre

All control functions can be performed from CRT and keyboard assemblies, particularly monitoring and display of:

— control loops
— mimic diagrams and associated on/off controls
— alarms
— history.

The video control centre can also be provided with:

— a printer,
— an operator’s log,
— a hardcopier.

(c) Communication interface

Connections between the processing and control cards, and the control stations are made through:

— either the concentrator, for the video centre
— or the selector, for the general-purpose stations.


In any case, the controllers operate independently of the correct operation of the digital connections to the video centre. Concentrator and selector are installed in a Micro-Z cabinet. Every bus user is provided with a coupler, which makes it fully independent.

(d) Configuration and adjustment

Processing and control functions are set or modified on the acquisition card ‘configurator’. System control parameters are set by means of a microconsole. Mimic diagrams are programmed on the video centre ‘configurator’.

4.3.1. Micro-Z arrangement — Examples

(a) Process control through separate stations

Suits small-sized plants.

(b) Process control through general-purpose stations and separate stations

Suits small- or medium-sized plants with centralized control from the general-purpose stations and possible transfer to the separate stations.

(c) Process control through video centre and general-purpose station stand-by system

Provides a cheap stand-by system for the video centre, using something simpler than separate stations.

(d) Process control through a double video centre

Man/machine communication and control are possible on a single CRT and keyboard assembly. In this case, video assemblies HDLC are doubled.

(e) Process control through video centre and conventional station stand-by system

Provides the process control system with maximum reliability.

Many more arrangements are possible with the Micro-Z system elements.

4.4. Computer and data-processing system

The computer system ensures the following main functions:

— displaying the process subsystem block diagrams on the dialog screen
— data logging and editing on the log printer of all events detected by the supervision programmes
— supervision of the analog and on/off variables in order to display alarm messages on the control screen
— recording of history which can be edited on a printer on request
— fast trouble-recording intended to follow up turbine parameters (speed, pressure, turbine valve positions) during transients
— particular nuclear function including editing of the reactor core data map and editing of the core data on punched tape or floppy disc.

To ensure the above functions, the computer system proceeds in two phases: data acquisition and data processing.

(1) Data acquisition

The acquisition of analog and on/off variables is by means of micro-programs which function with five acquisition types:

— conventional on/off data acquisition
— nuclear on/off data acquisition
— fast trouble-recording data acquisition
— analog data acquisition
— nuclear flux detector analog data acquisition.

(2) Data processing

Display of the block diagrams:
On operator’s request, polychrome block diagrams of the plant unit subsystems appear on the dialog screen with indication of the current on/off and analog variable status.

Analog variable supervision program:
The supervision of the analog variables is intended to detect the variables exceeding preselected limits.

Alarm display:
Alarms are actuated by logic variable status change.

Data logging:
The data logging function consists in editing a log book on a printer. This log book contains the following events, in chronological order:

— events detected by the supervision program
— events corresponding to operator actions.

Oscillating on/off variable:
The on/off variable status change repeated x times in m minutes causes the automatic inhibition of this variable and displays an alarm.

Fast trouble-recording:
The tachyperturbography function is intended to monitor the turbine control and protection systems during transients.


Recording of history:
The means selected for the history are memorized as they are acquired. There are two history durations:

— 5 minutes for the variables scanned every 5 seconds
— 30 minutes for the variables scanned every 20 or 60 seconds.

Deviation input processing:
A deviation signal is obtained when an action ordered by the operator is not accomplished.

Nuclear function:
The nuclear function concerns the acquisition and processing of the data related to the general features of the NSSS and of the in-core nuclear flux measurements. The computer performs the following calculations:

— in-core nuclear flux detector heterogeneity correction
— calculations per in-core thimble explored:
    average value of the flux in the reference area, active area, and overall active area
    maximum value of the flux in the active area
    axial peaking factor
    axial offset factor
— neutron flux calculations:
    dissipated power
    reference flux
— overall neutron flux parameters:
    overall peaking factor
    overall axial offset factor
    maximum power per unit length
— enthalpy calculation
— radial tilt factors calculation.
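
The oscillating on/off variable rule listed under data processing above (x status changes in m minutes, then automatic inhibition and an alarm) can be implemented as a per-variable sliding window, which keeps a chattering contact from filling the log book. This is an added example, not code from the guidebook or from the system it describes; the tag names, the sample scans, the values x = 5 and m = 2, and the manual release() step are assumptions.

```python
from collections import defaultdict, deque


class OscillationGuard:
    """Inhibit an on/off variable that changes state x times within m minutes."""

    def __init__(self, x_changes, m_minutes):
        self.x_changes = x_changes
        self.window_s = m_minutes * 60
        self.last_state = {}                     # tag -> last state seen
        self.change_times = defaultdict(deque)   # tag -> recent change times (s)
        self.inhibited = set()

    def process(self, t, tag, state):
        """Feed one scan result; return the log records it produces."""
        previous = self.last_state.get(tag)
        self.last_state[tag] = state             # keep tracking even when inhibited
        if previous is None or previous == state:
            return []                            # first scan, or no status change
        if tag in self.inhibited:
            return []                            # changes of an inhibited tag are dropped
        times = self.change_times[tag]
        times.append(t)
        while t - times[0] > self.window_s:      # forget changes older than m minutes
            times.popleft()
        records = [("EVENT", t, tag, state)]
        if len(times) >= self.x_changes:
            self.inhibited.add(tag)
            records.append(("ALARM", t, tag, "oscillating, inhibited"))
        return records

    def release(self, tag):
        """Assumed manual re-enable once the cause has been repaired."""
        self.inhibited.discard(tag)
        self.change_times[tag].clear()


def constructed_scans():
    """Constructed sample input: (time_s, tag, state). Tags are hypothetical."""
    # A contact that toggles on every 10 s scan, and a pump that changes rarely.
    scans = [(t, "VALVE_12_OPEN", (t // 10) % 2) for t in range(0, 90, 10)]
    scans += [(0, "PUMP_3_RUN", 0), (100, "PUMP_3_RUN", 1),
              (400, "PUMP_3_RUN", 0), (700, "PUMP_3_RUN", 1)]
    return sorted(scans)


def run_demo(x_changes=5, m_minutes=2):
    """Run the constructed scans through the guard; return (guard, log)."""
    guard = OscillationGuard(x_changes, m_minutes)
    log = []
    for t, tag, state in constructed_scans():
        log.extend(guard.process(t, tag, state))
    return guard, log


if __name__ == "__main__":
    guard, log = run_demo()
    for record in log:
        print(record)
    print("inhibited:", sorted(guard.inhibited))
```

The inhibited variable's state is still tracked while its changes are suppressed, so the first record after release() reflects a real transition rather than a stale one.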

4.5. Operator aid computer

4.5.1. General

Each plant unit is provided with an on-line data-processing computer which performs acquisition, elementary calculations and presentation of data. An extra plant monitoring computer connected with the data-processing computer ensures the following additional functions:

— forecast and load follow-up calculations
— in-core calculations
— performance calculations
— real-time functions supplementing the computer and data-processing system.


These functions are performed using Fortran language.

The programs of this computer allow the operator to obtain accurate reactor status information, and enable the performance of calculations or the optimization of the reactor control in various conditions such as:

— constant axial offset control
— load follow-up
— return to power after shutdown, etc.

4.5.2. Forecast and load follow-up calculations

Functions

Current status calculations are made every 20 minutes, or on operator’s request, or when power variation exceeds 20% of the value measured during the last run. This is achieved by:

— reading the basic and last run parameters on disc
— real-time data acquisition
— updating the flux, power, xenon, samarium distributions, as well as the burnup ratio
— calculating the reactivity and axial offset
— recording the status on disc and editing it either on console or line printer.

In the case of plant monitoring computer unavailability, the updating of the real-time parameters normally checked by the computer is performed by the operator, who uses the status recorder listing as a check-list to input manually the updated values of the corresponding parameters.

The plant monitoring computer can perform numerous forecast calculations at the operator’s request. Some are done in one step, others are multistep.

One-step calculations include forecasting the effect of changing a parameter, such as power level, rod position, boron concentration, inlet temperature, etc., as a function of control parameters such as: keff, axial offset, reactivity.

Multistep calculations include forecast versus time for:

— load follow-up program
— determination of return-to-full-power capability
— critical boron concentration for start-up in x hours once the control rod bank has allowed instantaneous return to full power
— reactivity evaluation versus time, all rods inserted
— verification of dilution/boration capability.

Input:

Distinctions are made between basic inputs, real-time inputs and operator inputs.


Basic inputs (punched cards or magnetic support) are neutronic and geometric core data used in neutronic calculations. These inputs are updated at the beginning of each cycle until the equilibrium cycle.

Real-time inputs include date and hour (from the computer) and reactor parameters such as:

— rod position
— inlet temperature
— outlet temperature
— power level (from thermal balance or ex-core chambers)
— boron concentration.

Operator inputs include:

— run initiation (actuates real-time data logging)
— initiation of various multistep procedures
— data such as:
    physical parameters of the core burnup
    xenon, samarium worth searches, load follow-up, etc.

Output:

Normal outputs (very short) are performed on screen and/or on line printer on operator’s request:

— operator input, date and hour of run
— parameters such as (real-time data or calculation results):
    burnup
    power level
    boron concentration, water and boric acid flow requirement
    axial offset and axial peaking factor
    pressure and inlet temperature
    xenon, samarium level and worth
— miscellaneous alarm and error messages such as:
    rod cluster insertion or withdrawal limits
    overshooting of the axial offset permitted band
    dilution capability overriding
    calculation error messages.

4.5.3. In-core calculations

This function allows a fast analysis of these parameters to be carried out during testing; it also enables the processing to be performed within the required time (approximately 8 hours) after an incident.

Functions:

The following corrections are made on every flux trace:

— realignment on a known grid position
— noise elimination
— interpolations and extrapolations to complete the trace
— comparison with the nuclear power derived from ex-core measurements.

Once all traces have been introduced:

— calculation of calibration coefficients for each detector based on a reference tube trace obtained by the first detector,

— calibration of the traces with the above coefficients.

From the normalized and calibrated traces, the following calculations are performed:

— average power per fuel assembly
— axial peaking factor and axial offset per assembly
— average axial power distribution
— radial power tilts
— power of hottest fuel rod per assembly
— axial factor of the hottest fuel rod per assembly
— values and positions of maximum axial and radial power factors
— radial and total peaking factors
— comparison with safety limits (LOCA).

In case of limit overriding, message and alarm printing is initiated.

Input:

Distinction is made between basic input and specific input. The basic inputs (read on card or magnetic supports) include:

— theoretical distributions of activity: average power per assembly at various burnups and rod configurations

— co-ordinates of assemblies and instrument channels.

The specific inputs for one map include:

— traces previously processed during the last run
— instrumentation channel monitoring sequence
— control rod position at the beginning and end of calculation
— nuclear power (ex-core chamber measurements)
— date and hour (beginning and end of calculation).

Output:

Output is provided on the line printer with the following indications:

— control rod position
— nuclear power
— date and hour of the beginning and end of calculation.

A plot of the maximum axial power distribution and the corresponding LOCA limit can be provided.

4.5.4. Performance calculations

From the information issued by the conventional part of the plant, the plant monitoring computer can make performance calculations such as:

— feedwater characteristics
— condenser performance
— turbine performance
— moisture separator performance
— feedwater pump performance.

ANNEX III

INSTRUMENTATION AND CONTROL CONCEPTS FOR PWR REACTORS

A FEDERAL GERMAN EXAMPLE


INTRODUCTION

This annex is intended to give a survey of the special features of the Kraftwerk Union AG (KWU) I&C concept for the reactor “Leittechnik” of a PWR nuclear power plant of 600—1300 MW(e). To facilitate its use the paper is divided into two parts:

— Part A gives the main design requirements of the plant and the I&C systems and summarizes features which may differ from other concepts.

— Part B provides an overview with emphasis on special features of the safety-related reactor “Leittechnik”.

The word “Leittechnik” is used because the term “I&C Systems” might be misleading in various countries. In the Federal Republic of Germany “Leittechnik” summarizes all equipment and systems necessary to protect, guide, and supervise a process in a wide sense: sensing, transmission, conversion, signal handling, signal generation, computing, data storage and actuation for protection, limitation (~ redundant limit control), open- and closed-loop control, sequence control, monitoring, surveillance, annunciations, modelling, and the relevant power supplies.

1. DESIGN BASIS FOR NUCLEAR POWER PLANTS IN THE FEDERAL REPUBLIC OF GERMANY

1.1. Regulatory requirements

The framework for nuclear power plant (NPP) design for the Federal Republic of Germany (FRG) is set by governmental licensing requirements. These requirements are formulated in Guidelines by the Reactor Safety Commission and as Standards by the Nuclear Safety Standard Commission (Kerntechnischer Ausschuss, KTA-Regeln). If less severe requirements would be adequate for a special application in a foreign country, the I&C-System could be simplified.

The most important differences to foreign countries’ design requirements are:

— diversity of initiation channels of the Reactor Protection System (RPS) for each serious event in the safety analysis.
— failure criterion which requires the capability to master the simultaneous occurrence of a single failure and a repair at any time (Fig. 1).
— degradation in design requirements for events with less serious consequences (see “limitations”).
— manual intervention as a protective action should be an exception and shall not be needed earlier than 30 minutes after start of an event.


FIG.1. Combinations of failures to be considered. (Legend: Co common-mode failure; Ra random failure; Re repair; Se secondary failure.)

1.2. Operational requirements

The operational requirements for the FRG NPP are prescribed by the utilities, which require quick load change capability including daily load-following operation. The following power ramp rates are demanded: ±10% per min over a span of 30% of rated power, ±5% per min over a span of 60% of rated power. The load change requirements also include the capability of fast start-up after scrams as well as fast power cut-back provisions to avoid scrams after anticipated operational occurrences such as isolation of the plant from the grid (needing only 45% steam dump capacity to condenser) or loss of coolant flow in one coolant loop.

2. FEATURES OF KWU-NPPs AND I&C SYSTEM

2.1. General remarks

KWU is a turnkey supplier as well as an NSSS contractor of NPPs. The NPPs can be equipped with “secured areas” (reactor and emergency feed building, Fig.2) which are protected against external impacts, such as

— earthquake
— airplane crash
— explosion pressure waves
— action of third parties

and with areas for which reduced security is required (e.g. switchgear building, Fig.2).


FIG.2. Installation of the safety features. (Areas shown: reactor building, secured area, unsecured area.)

Legend:
1 reactor vessel
2 steam generator
3 coolant pump
4 protective cylinder
5 annulus air extraction system
6 containment
7 steel concrete canning
8 safety injection pump
9 residual heat removal pump
10 after-cooler
11 borated water tank
12 accumulator
13 intermediate cooler
14 service cooling water pump
15 main steam blowdown valve
16 emergency generator
17 demineralized water tank
18 power diesels
19 fuel pool pump
20 nuclear component cooling pump
21 emergency component cooling pump
22 emergency service coolant water pump
23 extra borating pump
24 scram system

The safety-related I&C systems are installed in four physically separated rooms in the switchgear building as well as in another four rooms in the emergency feed building.

Battery-buffered low voltage (24 V) control circuits are usual. They are protected against excessive voltages by a decoupling concept defining leittechnik islands.

A unique equipment system with clearly defined signal levels is used in the safety-related as well as in the operational leittechnik; a black box technique is used only in closed subsystems such as ventilation.


FIG.3. DC power supply concept. (Diagram labels: sections I to IV; battery; cabinet pair.)

Dynamic pulsed signals (widely used within the protection system and in important parts of the limitation systems) are used instead of static ones, as they provide a higher degree of failure detection.

The enlarged dynamic magnetic core system is used for logic gating to initiate protective actions.

Priority of protection and limitation commands is secured by special priority modules.

Leittechnik cabinets have a twofold power supply:

— 2 × 4 batteries for DC (Fig.3)
— 2 × 4 diesels for AC.

2.2. Special features of the I&C system

Neutron in-core detector signals are used as input to protection limitations. Diverse and fourfold redundant limitations are used in the area between the reactor protection system and the operational closed-loop controls. Thus, a special kind of defence in depth is realized to increase the plant’s overall operational safety. An automatic test computer is used for diagnoses and cyclic tests of the reactor protection system (RPS) and of limitations. The tests are designed to overlap functional processing trains.

A pilot project is being performed to introduce in protection limitations a fourfold redundant computer system for on-line and on-site evaluation of DNBR (using 8 × 3 in-core thermocouples).

NPPs can perform a quick cool-down (100 K/h) using the main steam relief valve and main steam bypass station.

The design comprises distributed computing structures: four process computers for data acquisition and four for data processing and plant surveillance, each installed in a physically separated room (Fig.4).


FIG.4. KWU-KONVOI process computer system. (Block labels: 2 × 4 colour screens; VDU controllers, 1 per 2-4 screens; VDU supply computers 1 and 2; plant models; accident monitoring; data acquisition computers; process elements; sequenced data transfer lines; aeroball system computer; 2000 (2800) analog / 10 000 (16 000) binary signals from plant.)

3. DESIGN PRINCIPLES OF SAFETY-RELATED REACTOR-LEITTECHNIK

The leittechnik design principle can be briefly characterized as a defence in depth (Fig.5).

The idea is to use echelons of defence consisting of redundant or diverse control systems which act progressively as the controlled variable deviates from the desired value. At first, as the variable deviates from normal conditions operational controls take action. Following the action of these operational controls, one or more levels of limitations may intercede prior to the actuation of the protection system as the event grows from a minor operational event to a minor disturbance, and to a significant incident. At each stage the purpose is to terminate the event and return the system to normal operation for minor events and to safety shutdown for the events which become more serious.

The total leittechnik in this design consists of subsystems which fulfil different requirements according to their functions and safety-related importance. Different requirement levels have been introduced in the manner presented in Table I.


FIG.5. The reactor ‘Leittechnik’ concept of defence in depth. (Diagram labels: trip value; progressively graduated echelons of defence; control deadband.)

TABLE I. REQUIREMENT-LEVELS OF LEITTECHNIK IN FRG NUCLEAR POWER PLANTS

Requirement level | Functional requirements | Characteristics | Examples
I | Highest reactor safety | Direct, redundant; simple, diverse; worst-case qualified | Scram-system; ESFAS
II | High reactor safety | Redundant; worst-case qualified | Protection limitations; quick cool-down
III | Normal reactor safety | Normally redundant; not diverse; not worst-case qualified | Condition limitations
IV | Plant safety | Sometimes red., diverse, worst-case qualified | Component-protection
V | Plant availability | (Partially) redundant | Operational limitations; reactor control
VI | Normal system technique | Flexible (language/changes) | Controls; information systems
VII | Component-correlated equipment | Simple; cheap | Ventilation control

(Margin label alongside the levels: progressively graduated measures.)

Graded availability goals could be assigned to the different requirement levels ranging from the highest to the lowest level.

To meet the availability margins, diversity, signal comparison and pulsed signals are used. Mostly, the RPS is designed as a double 2-out-of-3 system, whereas limitations are a single 2-out-of-4 system. Safety-related signals have priority over normal manually given commands or closed-loop control commands.

The operational closed-loop controls consist of only one processing train except for some branches for protection of expensive plant components. Closed-loop controls are optimized with respect to several goals, e.g. minimum tank volume for demineralized water.
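
The failure criterion of Section 1.1 (a single failure plus a repair at any time) can be checked exhaustively against the voting arrangements named above. This is an added example, not part of the guidebook or of the KWU design: it assumes a channel under repair is bypassed and casts no vote, and it models "double 2-out-of-3" as two independent 2-out-of-3 groups whose outputs are ORed, an arrangement the text does not specify.

```python
from itertools import permutations

HEALTHY = "healthy"        # channel reports the true process state
STUCK_TRIP = "stuck_trip"  # single failure, safe direction: always votes trip
STUCK_OK = "stuck_ok"      # single failure, unsafe direction: never votes trip
IN_REPAIR = "in_repair"    # assumption: bypassed for repair, casts no vote

# Each architecture is a list of (m, n) voters whose outputs are ORed.
ARCHITECTURES = {
    "1-out-of-2": [(1, 2)],
    "2-out-of-3": [(2, 3)],
    "2-out-of-4": [(2, 4)],
    # Assumed reading of "double 2-out-of-3": two independent groups, ORed.
    "double 2-out-of-3": [(2, 3), (2, 3)],
}


def channel_votes_trip(state, demand):
    """True if a channel in `state` votes for a trip given the real demand."""
    if state == HEALTHY:
        return demand
    return state == STUCK_TRIP


def system_trips(groups, states, demand):
    """Evaluate the ORed (m, n) voters over a flat list of channel states."""
    start = 0
    for m, n in groups:
        votes = sum(channel_votes_trip(s, demand) for s in states[start:start + n])
        if votes >= m:
            return True
        start += n
    return False


def check_failure_criterion(groups):
    """Try every placement of one repair plus one single failure.

    Counts the cases in which a real demand is missed and the cases in
    which the system trips although there is no demand.
    """
    total = sum(n for _, n in groups)
    result = {"cases": 0, "missed_trips": 0, "spurious_trips": 0}
    for repaired, failed in permutations(range(total), 2):
        for mode in (STUCK_TRIP, STUCK_OK):
            states = [HEALTHY] * total
            states[repaired] = IN_REPAIR
            states[failed] = mode
            result["cases"] += 1
            if not system_trips(groups, states, demand=True):
                result["missed_trips"] += 1
            if system_trips(groups, states, demand=False):
                result["spurious_trips"] += 1
    return result


def survey():
    """Run the check for every architecture in the table above."""
    return {name: check_failure_criterion(g) for name, g in ARCHITECTURES.items()}


if __name__ == "__main__":
    for name, r in survey().items():
        ok = r["missed_trips"] == 0 and r["spurious_trips"] == 0
        print(f"{name:18s} {r}  -> {'meets' if ok else 'fails'} the criterion")
```

Under these assumptions a single 2-out-of-3 group misses the demand whenever the failed channel is stuck in the no-trip state, while 2-out-of-4 always keeps two healthy voters.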

3.1. Operator’s role

In this highly automated leittechnik (Fig.6) with its setting of priorities, diversity and redundancy the operator is considerably relieved from needing to have quick reactions to process performance. In Fig.6 the operator’s role is characterized in the box on the extreme right. In normal operation he is an optimizer of closed-loop controls to adjust variable parameters for anticipated operations.

In emergency situations automatic countermeasures are provided so that the operator need not act before 30 minutes have elapsed. So he can understand what is going on and then he can either select proper strategies to combat the disturbance or wait and call for assistance.

3.2. Limitations

A special feature of this leittechnik concept is the introduction of safety-related ‘grey’ functions between the ones of the protection system (‘black’) and the operational closed-loop controls (‘white’).

Limitations are designed to

— eliminate faults otherwise necessary to be considered in the licensing procedure
— initiate early, diverse and intelligent safety actions instead of tripping
— assure initial conditions assumed in the safety analysis
— reduce the probability of human errors by minimizing occasions for these, thereby giving confidence to the operator
— contribute to more careful treatment of the plant by smoothing transients and acting as a fast backup control
— increase plant flexibility and availability by allowing better and more sophisticated control means to make possible operation much closer to limits.


FIG.6. Leittechnik functions. (Block labels legible in the diagram: (process-) detectors; amplifying; preprocessing; comparing; safety systems; protection/condition; redundant closed-loop control; logic gating; sequential control; voting; open-loop controls; component protection; displaying; documentation; computation; manual control; check; optimizing; alarming; redundancy; diversity; (process-) final control elements.)

3.3. Examples of diversity

Different types of measurements to govern a reactor power increase are:

— via reactor power measurement by temperature rise combined with ex-core neutron flux
— via coolant pressure
— via pressurizer water level.

Different ways to perform reactor shutdown are:

— by control rod dropping
— by the four-channel extra borating system (eight tanks — high pressure).

Different operational closed-loop control methods for reactor power control purposes are:

— coolant average temperature control using control rods
— main steam pressure control using the turbine steam valve.

Examples of diverse signal processing are:

— control rod dropping initiated by the reactor protection system and simultaneously by the control rod dropping system as part of limitations (Section 6.6)
— if the reactor power limitation system is actuated the generator power control will diversely try to set back the plant power level
— if the reactor power limitation system blocks enabling commands for withdrawal of control rods the output of withdrawal commands given from the closed-loop controls is simultaneously suppressed.


3.4. Testability and fault detection capability

In order to keep the unavailability of the RPS and limitations within prescribed limits, functional cyclic tests of the non-pulsed electronic equipment in the four identical system sections are performed by an automatic test device in addition to manual tests. The automatic test device consists of a local resident central test computer on which test programs run and peripheral movable units which will be connected to the relevant electronic equipment for test purposes to transfer test commands of the central computer into system-adapted test signals, to monitor test responses and to give a test-log.

Advantages of automatic testing compared to manual testing are:

— the time for the test is considerably shortened
— completeness and reliability of the test are increased
— a log of the test program and test sequence is automatically given
— lower graded personnel is needed for maintenance.

Besides the automatic test device, additional electronics for diagnoses are provided on the plug-in modules for

— monitoring of safety-related variables such as reactor power, feedwater flow, etc.
— monitoring of synchronous operation of redundant processing trains.

Malfunction recognition signals of in-core power distribution detectors are automatically checked for correctness before further action is taken.

4. REACTOR INSTRUMENTATION

4.1. Neutron flux instrumentation

An overview is given in Fig.7.

4.1.1. Ex-core

These are usually (axial location as in Fig.8)

— 2 source-range channels
— 4 logarithmic intermediate-range channels
— 4 power-range instrumentation channels.

4.1.2. In-core

Continuous measurements of local power are performed by 48 power distribution detectors (PDD). These are self-powered detectors with co-emitters. Eight PDD fingers are located over the core cross-section, each with six detectors axially, non-equidistant (Fig.8).

FIG.7. Overview of neutron instrumentation systems.

4.1.3. Aeroball system

The aeroball system carries small steel balls with vanadium content through thimbles into the core for about 3 min radiation exposure. Thereafter it measures the activation at 28 × 32 spatial points (Fig.8) and evaluates the data by process computer. Results (after 10 min) are used for determination of

— time-discrete 3D power distribution
— hot channel factors and peak power density
— DNBR
— burnup distribution and isotopic composition
— calibration data for PDDs.

4.2. Radiation monitoring

Monitoring functions are: personnel, area, systems, radioactive releases, contamination, environment. A part of the systems monitoring equipment works on the reactor protection system.

FIG.8. Core cross-section. (Diagram labels: control rod banks (D-bank, 1. to 4. bank); active length 390 cm; aeroball system; power distribution detectors; neutron flux measurements: source range, intermediate range, power range.)

4.2.1. Design

The equipment for systems monitoring and for air monitoring is partly centralized in special shielded compartments. Positions of high safety-related importance are equipped redundantly and/or diversely.

4.2.2. Measurements

— beta/gamma-sensitive detectors are evaluated integrally or nuclide-specifically
— special shielding of detectors assures maximum sensitivity
— measuring points are self-testing and failures are annunciated automatically
— power supply: 24 V DC, exceptionally 220 V AC
— analog and binary signals are transmitted to the control room for recording purposes (some also to the emergency control station)
— activity of main steam is monitored continuously by six different measurements per steam line (2 diverse 2-out-of-3 systems per steam line against steam generator U-tube fraction)
— a nuclide-specific measurement for the noble gases at the stack can be delivered if requested: it gives a print-out listing the different noble gas isotopes with both the instantaneously released activities and the ones integrated from history.
— in addition to the equipment for normal operation the stack instrumentation comprises a special high-dose measurement covering a range up to ca. 1000 Ci/h.¹

4.2.3. Tests

Before operation: See Section 11.2.
During operation: Regular tests for diagnoses of transducer performance (using radioactive nuclides and electronic test equipment).

4.2.4. Computer application

— two redundant minicomputers determine the rate of emission of radioactive noble gases (Ci/h)

— analysis and summary for the nuclide-specific measurement of noble gases at the stack (if requested).

4.3. Conventional instrumentation

Instrumentation of high safety-related importance is redundantly/diversely designed. Special features are for instance:

(1) Accident monitoring system: Signals from the normal plant instrumentation as well as from special instrumentation are used and documented on recorders, computer printers and on a PCM documentation unit.

(2) Water level in reactor pressure vessel: This measurement evaluates the temperature difference between a heated and an unheated resistance temperature detector (under immersed conditions: temperature difference is almost zero).

(3) Main coolant temperature: For RPS and control, KWU uses special thermocouples giving quick and exact responses. The detectors are located in specially machined wells giving a 50% response-time of less than two seconds. The accuracy is derived from a resistance thermometer which is located inside the same well as the thermocouples. The plug-connected detectors can be changed easily with the system under pressure and temperature.

¹ 1 Ci = 3.70 × 10¹⁰ Bq.


(4) Other systems: Loose parts monitoring system, vibration monitoring system, and leakage detection system.

(5) Monitoring the thermal stresses in steam turbines: It is important for the operator to know how quickly his turbine can be started up and what changes in load he may make without fear of overstressing the components and thereby causing excessive fatigue. The turbine stress evaluator provides the basis for long-life operation in that it is continuously computing permissible values for changes in operating conditions and displaying the data for the operator's use. The DZ-device is a small one-purpose microcomputer for evaluating the actual degree of metal fatigue following real operating conditions. To be exact, the DZ-computer provides measurement of elastic strength fatigue (D) and long-term fatigue (Z).

5. SAFETY SYSTEM

Functions: to recognize all accidents and to perform countermeasures to mitigate consequences.

Physical design:
— consistent physical separation of the mutually redundant subsystems (Fig.2)
— installation of safety-related equipment so that it is protected against external impacts and can fulfil its function even following these.

Main components:
— reactor protection system and limitations (safety-related limit controls)
— engineered safety features.

5.1. Reactor protection system (RPS)

Functions: recognition of accidents and initiation of countermeasures.

Design: in accordance with
— criteria of the Bundesminister des Inneren (BMI criteria)
— guidelines of the Reaktorsicherheitskommission (RSK guidelines)
— standards of the Kerntechnischer Ausschuss (KTA rules)
which are largely in conformance with those of foreign countries.

Differences to other countries:

— application of these guidelines and rules relates not only to control accidents originating within the NPP but also to accidents caused by external impacts on the NPP.

— single-failure criterion comprises simultaneous occurrence of failures (random, common-cause or consequential) and repair (Fig.1).


FIG.9. Schematic of reactor protection system.

Signal processing (see also Fig.9):
— both acquisition of measured data and the analog processing part are three/fourfold redundant
— the output signals for all protective actions are generated by logic gating in the logic part. Logic gating is accomplished by the dynamic (pulsed) magnetic core system successfully used by KWU in many NPPs.

Protective actions are mainly initiated by 2 × 2-out-of-3 logic. Figure 10 presents the reactor trip values for each accident to be considered. Actuation signals for the engineered safety features are summarized in Fig.11.


5.2. Engineered safety features

Engineered safety features (ESFAS) represent the final elements of the reactor safety system. They include systems for

— reactor shutdown
— extra borating
— emergency core cooling
— containment isolation.

Since engineered safety features (e.g. for reactor shutdown and for extra borating) as final elements are also used by lower-level systems, special priority modules enable graded priority to be given to the reactor protection system, the limitation system and to manual commands.

Components which are necessary to master external impacts are installed in a specially protected emergency feed building (Fig.7). Auxiliary systems providing, for instance, emergency power supply or ventilation of ESFAS are designed under the same conditions as safety systems.

6. LIMITATION SYSTEMS

The very extensive use of limitations in the operational field between the protection system and the closed-loop controls is an important feature of the FRG’s understanding of operational safety. The design of limitations is based on the large-scale implementation of computers but mostly on the high level of experience of a turnkey contractor.

Limitations combine intelligence features of closed-loop controls with the high availability of protection systems. According to Rule KTA 3501 (reactor protection system and monitoring of engineered safeguards) each limitation can be classified from a licensing standpoint as a protection limitation or a condition limitation.

The definition of these is as follows:

Protection limitation actuates protective actions that cause the value of the monitored safety variable to return to the value specified for normal operation. In contrast to the reactor protection system a second initiation criterion is not required for protection limitations. A typical protection limitation is the reactor power density limitation to protect against centre-line melting of fuel. To measure the power density the in-core power distribution detectors are used.

Condition limitation is a device that limits the value of process variables so that the initial conditions for (the analysis of) specified incidents are met. A typical condition limitation is the limitation of integral reactor power as an initial condition for LOCA. For cost- and organization-minimizing purposes both types of limitations are designed identically. This often also simplifies a


FIG.10. Limit values for initiation of reactor trip.


Limit values listed in the figure (voting logic in parentheses):

— Reactor coolant pump speed 1 < min 2 (2 of 3)
— Reactor coolant pump speed 2-4 < min 2 (each 2 of 3)
— Pressurizer level > max 1 (2 of 3)
— Pressurizer level < min 1 (4 × 2 of 3)
— Voltage level control rod bus (2 of 3)
— Activity in main steam line 1 (A) (2 of 3)
— Activity in main steam line 2-4 (A) (each 2 of 3)
— Activity in main steam line 1 (B) (2 of 3)
— Activity in main steam line 2-4 (B) (each 2 of 3)
— Pressure drop, main steam line, SG 1 (2 of 3)
— Pressure drop, main steam line, SG 2-4 (each 2 of 3)
— Pressure drop, SG 1 (2 of 3)
— Pressure drop, SG 2-4 (each 2 of 3)
— Pressure, main steam line, SG 1 (2 of 3)
— Pressure, main steam line, SG 2-4 (each 2 of 3)
— ΔP, Plant Compartment-Atmosphere > max (2 of 3)
— ΔP, Operating Compartment-Atmosphere > max (2 of 3)
— Level, SG 1 (2 of 3)
— Level, SG 2-4 (each 2 of 3)

* reactor trip limit values are only reached if loss of reactor limitation systems is assumed

** depend on amount of damage

SG steam generator
○ directly initiating limit value
▲ "AND" gated limit value
● first initiating limit


FIG.11. Actuation signals for ESFAS.

Disturbances and accidents (column headings):
— faulty opening of all main steam bypass valves
— trip of one reactor coolant pump and loss of control rod dropping function
— large leak in reactor coolant system
— medium leak in reactor coolant system
— small leak in reactor coolant system
— main steam line break behind main steam isolation valve *1
— feedwater line break between main feedwater header and main feed pump pressure slide valve *1
— steam generator U-tube fracture *1
— steam generator U-tube fracture with emergency power *1
— emergency power
— loss of main heat sink
— no closing of a main steam safety valve on demand *1
— destruction by external impacts *4

Actuation signals:

Reactor trip 11 X X X X X X X X X X X X9 X
Shutdown via limitation systems 12 X X
Turbine trip 16 X X X X X X X X X X X X9 X

Containment isolation, general 1 21 X X X X6 X6
Containment isolation, nuclear ventilation 22 X X X X6 XE
Containment isolation, volume control system 23 X X X X6 XS
Containment isolation, nuclear ventilation, delayed 24 X X X X6 XE
Containment isolation, general 2 25 X X X X6 X6

Emergency core cooling preparation 31 X X X X6 XS
Flooding signal 1 32 X X X X6 XE
Sump signal 1 33 X X X
Start high-pressure injection pump 34 X X X X6 X6
Reduction safety injection pump 35 XE X6
Start low-pressure injection pump 36 X X
Shutdown and start-up pump systems OFF 37 xs X5
Flooding signal 2 38 X X X X6 X6
Sump signal 2 39 X X X

Start extra borating system 41 X X X X6 XS X
Reactor coolant isolation 43 X X X X6 XS X
Reactor coolant pump OFF 44 X X X X6 XE X
Open extra borating injection valve 45 X X X X6 X6 X


Open accumulator, cold leg 51 X7 X7 X7
Isolate accumulator, cold leg 52 X8 X8 XB
Open accumulator, hot leg 53 X X X
Isolate accumulator, hot leg 54 X X

Main feedwater pump OFF 61 X X X2 X X
Main feed header isolation, SG 1 62 X3 X X X X3 X XB X6 X3 X X
Main feed header isolation, SG 2-4 62 X3 X X X X3 X X6 X6 X3 X
Low load feed header isolation, SG 1 63 X X2 X X
Low load feed header isolation, SG 2-4 63 X X2
Close main steam isolation valve 65 X X X2 X X X
Close relief valve, SG 1 66 X X X
Close main steam isolation valve for safety valve, SG 1 67 X

Emergency feed diesel, leg 1 ON 71 X3 X3 X X3 X X3/5 X3 X
Emergency feed diesel, leg 2-4 ON 71 X3 X3 X X3 X X3 X3 X3/5 X3 X
Emergency feed generator, leg 1 ON 72 X5 X
Emergency feed generator, leg 2-4 ON 72 X5 X
Emergency feed load, leg 1 OFF 73 X X5 X
Emergency feed load, leg 2-4 OFF 73 X X5 X
Emergency feed line system, leg 1 ON 74 X3 X3 X X3 X X3 X3 X3 X3 X
Emergency feed line system, leg 2-4 ON 74 X3 X3 X X3 X X3 X3 X3 X3 X
Emergency feed line system, leg 1 OFF 75
Emergency feed line system, leg 2-4 OFF 75

Open main steam relief isolation valve, SG 1 81 X X X X X X X X X9 X
Open main steam relief isolation valve, SG 2-4 81 X X X X X X X X X X
Cool-down 100 K/h 83 X X X
Partial cool-down, SG 1 86 X X X X X X9 X
Partial cool-down, SG 2-4 86 X X X X X X X
Emergency power diesels ON 91 X X
Emergency power generator ON 92 X X
Emergency load OFF 93 X X
PE and PJ ON 95 X X X X X X

SG Steam generator
PE Secured service cooling water system
PJ Secured closed cooling water system

*1 for steam generator 1
2 if reactor coolant pressure < 9 bar within 200 s
3 if start-up/shutdown pumps unavailable
*4 dependent on degree of damage
5 if power supply assigned to a section is unavailable
6 if the emergency cooling conditions are fulfilled
7 for a period of up to 500 s
8 at the latest after 500 s
9 actuation before the main steam safety valve is demanded


RPS Reactor Protection System
REPOL Reactor Power Limitation System
LPS Local Power Surveillance System
BAMOL Bank Movement Limitation System
PITEL Coolant Pressure, -Inventory, -Temperature Gradient Limitation System
RODROP Rod Dropping System

FIG.12. Interaction between limitation systems.

new licensing procedure. A transition from a condition limitation to a protection limitation and vice versa is easily achieved. Each limitation consists of four identical (redundant) sections: if, while one section is being tested or repaired, a single failure occurs simultaneously in a second section, the plant keeps running using the remaining two intact sections.

6.1. Survey of limitations

All limitations can be grouped into three main systems according to their functions (see Fig. 12):

— reactor power limitation system (REPOL)
— bank movement limitation system (BAMOL)
— coolant-pressure, -inventory, and -temperature gradient limitation system (PITEL).

The REPOL is supplemented by the local power surveillance system (LPS), which mainly processes the in-core power distribution signals as input to the REPOL, and the rod dropping system (RODROP), which processes output signals from the REPOL to enable control rod dropping.


To carry out the actuation signals of the limitation systems, the control rod actuation system provides the impulse pattern for the control rod drive mechanism to move the control rods, realizes the hierarchy of control rod drive commands, and, in order of increasing priority, actuates (a) closed-loop control commands, (b) manually given commands and (c) limitation commands. This system also processes control rod position measuring signals (analog and digital).

The final element actuation system provides actuation of pumps and valves.

A special four-redundant annunciation system informs the operator about the status of the limitation systems. Information is optically presented on the master information desk in the control room.

6.2. Reactor power limitation system (REPOL)

Each of the four identical REPOL sections consists of several parallel trains, which all receive the same set of four measuring signals taken at different measuring points.

For signal processing, the second largest value of the four input signals in the safety-relevant direction is selected, so as to exclude measuring errors or transducer disturbances. In principle, each processing train concludes with at least three limit value monitors (bi-stables). Corresponding limit value monitors of the four sections are additionally connected to provide synchronism between different sections.

The thresholds of the limit value monitors are set in echelons, thus representing multilevel defence. The binary output signals of the limit value monitors are either directly combined in a priority logic or act on the 'maximum permitted reactor power' (PERM), to initiate REPOL actuation. The 'maximum permitted reactor power' is the most important REPOL signal because the difference between the signal measuring the reactor power and PERM is input to a set of limit value monitors with thresholds increased to enable well-timed REPOL actuations. This realizes the multilevel defence concept within the reactor limitation system as part of the overall Leittechnik defence-in-depth principle to increase the plant's operational safety. If a (time-dependent) runback or setback of the power level is required by REPOL, then the maximum permitted generator power is deduced from the maximum permitted reactor power and causes the closed-loop generator power control to reduce the generator power quickly, directly and smoothly. Otherwise the live steam minimum pressure control would activate the same generator power control, but much more rapidly.

The reactor power limitation system contains the following limitations which actuate if there is a departure from normal operational values of


(1) integral reactor power
(2) coolant temperature
(3) coolant pressure combined with pressurizer level
(4) local reactor power in top core half, e.g. with respect to PCI, DNB, LOCA
(5) local reactor power in bottom core half, e.g. with respect to PCI, LOCA
(6) main coolant pump speed
(7) steam generator feedwater flow
(8) control rod positions, e.g. unintended rod dropping.

Whilst (6), (7) and (8) are dependent functions of (1), functions (2) and (3) are diverse. REPOL actuation signals given to the control rod actuation system are presented in Fig. 13.

The control rod actuation system combines the actuation signals of the four REPOL sections in a 2-out-of-4 voting logic to decide on control rod actuation. Other REPOL actuation signals are transferred to the rod dropping system or to the bank movement limitation system.
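The selection and voting scheme of Section 6.2 can be modelled directly. The following Python model is an added illustration, not code from the guidebook or from KWU; the threshold values, the sample readings and the treatment of a section under test or repair as casting no vote are assumptions made for the example, and the LOW direction generalizes the text's "second largest" rule to variables whose safety-relevant direction is downwards.

```python
from typing import List, Optional, Sequence

HIGH, LOW = "high", "low"  # safety-relevant direction of the monitored variable

# Constructed sample thresholds in % of rated power (not plant values),
# staggered in echelons as described for the limit value monitors.
THRESHOLDS = [103.0, 106.0, 109.0]


def second_extreme(signals: Sequence[float], direction: str = HIGH) -> float:
    """Return the second largest (HIGH) or second smallest (LOW) of four signals.

    One transducer failing towards the safety-relevant direction is discarded,
    so it cannot actuate alone; one failing away from it is outvoted by the
    three healthy readings.
    """
    if len(signals) != 4:
        raise ValueError("expected exactly four measuring signals")
    if direction not in (HIGH, LOW):
        raise ValueError("direction must be HIGH or LOW")
    return sorted(signals, reverse=(direction == HIGH))[1]


def limit_monitors(value: float, thresholds: Sequence[float],
                   direction: str = HIGH) -> List[bool]:
    """One bi-stable per threshold; True means the limit value is reached."""
    if direction == HIGH:
        return [value >= t for t in thresholds]
    return [value <= t for t in thresholds]


def section_output(signals: Sequence[float], thresholds: Sequence[float],
                   direction: str = HIGH) -> List[bool]:
    """Processing train of one section: select the signal, then compare it."""
    return limit_monitors(second_extreme(signals, direction), thresholds, direction)


def vote_2oo4(bits: Sequence[Optional[bool]]) -> bool:
    """2-out-of-4 vote over the four sections.

    None marks a section in test or repair; assumption of this example:
    such a section casts no vote.
    """
    if len(bits) != 4:
        raise ValueError("expected the outputs of exactly four sections")
    return sum(1 for b in bits if b is True) >= 2


def actuation_levels(sections: Sequence[Optional[Sequence[float]]],
                     thresholds: Sequence[float],
                     direction: str = HIGH) -> List[bool]:
    """Voted actuation per threshold level.

    `sections` holds, for each of the four sections, the four signals as that
    section sees them, or None if the section is out of service.
    """
    outputs = [None if s is None else section_output(s, thresholds, direction)
               for s in sections]
    voted = []
    for level in range(len(thresholds)):
        bits = [None if out is None else out[level] for out in outputs]
        voted.append(vote_2oo4(bits))
    return voted


if __name__ == "__main__":
    overpower = [107.0, 107.1, 107.2, 106.8]   # constructed readings
    dead_inputs = [0.0, 0.0, 0.0, 0.0]          # constructed section fault
    # One section in test, one failed, two intact: the vote still actuates.
    print(actuation_levels([None, dead_inputs, overpower, overpower], THRESHOLDS))
```

With one section out of service and a second one failed, the two intact sections still reach the 2-out-of-4 quorum, which is the repair-plus-single-failure case described in Section 6.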

6.3. Bank movement limitation system (BAMOL)

The bank movement limitation system is designed to secure the shutdown reactivity necessary for reactor trips. Instead of the non-measurable shutdown reactivity the minimal required dropping distance of the control rods is supervised. For this purpose each section of the BAMOL gets the positions of all control rods moving in one quadrant of the core cross-section. The control rod positions are measured either in an analog or in a digital way. Disagreement causes reduction of the maximum permitted reactor power in the same REPOL section. For the D-bank, separated limit value monitors with increased thresholds realize the multilevel defence concept. Initiated countermeasures are

— blocking demineralized water injection
— injection of boric acid via the two pipes of the operational injection system
— borating via the four pipes of the extra borating system.

For L-bank, one limit value monitor initiates blocking of both
— demineralized water injection and
— further L-bank insertion.

After scram the withdrawal speed of the L-bank is limited with respect to the reactivity rate per second.

In close connection to the main objective of BAMOL is the concentration limitation of mass-flow injected into the reactor coolant loop. This limitation permits injections into the primary loop only with concentrations higher than the burnup-dependent one of the reactor state ‘subcritical hot’. The limitation is actuated by some modules of REPOL or if the reactor is shut down.


FIG.13. Actuation of reactor power limitations. [Diagram labels: reactor protection measuring signals; loop pressure with sliding limit value; pressurizer; local power surveillance system with bottom and top power density detectors, DNB and local power decrease; coolant temperature measurement; reactor power; primary loop energy; permitted generator power; rod movement control; control rod actuation. Symbols: direct countermeasure; countermeasure via reduction of the permitted reactor power. Actions: L-bank withdrawal block, L+D bank withdrawal block, L-bank insertion block, D-bank insertion command, L-bank insertion command, rod drop, injection by the extra borating system, dilution block.]

To test the operability of the BAMOL even during external impact on the NPP, special electronic equipment is located in the emergency feed building. This electronic device identifies the plant status: power operation or shutdown. During shutdown the operator has to inform this circuitry of his presence in the control room regularly to avoid blocking of demineralized water injection.

6.4. Coolant-pressure, -inventory and -temperature gradient limitation system (PITEL)

The PITEL summarizes condition limitations which limit process variables of the reactor coolant loop but which do not influence reactor power.

With priority, the coolant pressure limitation will maintain reactor coolant pressure at normal operational values, which depend on reactor coolant inlet temperature during normal operation or during intervals of warming up or cooling down the plant.

Furthermore, PITEL assures that the brittle fracture diagram of the reactor vessel is maintained particularly during hydrostatic pressure tests after refuelling.

The coolant inventory limitation will maintain the inventory of the reactor coolant loop during normal operation. To this end, a pressurizer level setpoint is prescribed, dependent on coolant temperature. During the warming-up or cooling-down phase of the primary loop a minimum level is assured. A special module supervises the reactor coolant loop status for filling the pressurizer to enable degassing and hydrostatic pressure testing.

Coolant temperature gradient limitation will limit stress on the reactor vessel caused by temperature changes during intervals of warming up or cooling down the plant.

6.5. Local power surveillance system (LPS)

The local power surveillance system takes measuring signals of the in-core power distribution detectors and checks these signals for measuring errors. The maximum power density values for the top half as well as for the bottom core half are determined. Furthermore, a local power actuation value with respect to DNB is calculated using the measuring signals of power distribution, reactor coolant inlet temperature, coolant pressure and main coolant pump speed. Additionally, rapid local power decreases are detected to initiate measures after unintended control rod trips as well as scheduled rod droppings.

6.6. Rod dropping system (RODROP)

Control rod dropping is a measure of the reactor power limitation system to enable fast setback of reactor power. Therefore, the rod dropping system is classified as part of protection limitations. The central control rod and rod pairs of the D-bank in their actual insertion sequence are used for dropping. The dropping sequence is always identical to one of the four programmed insertion sequences just selected. Furthermore, in case of load rejection or during loss of reactor coolant flow an 'operational' rod dropping subsystem will reduce reactor power to spare the plant and to increase plant availability by avoiding scrams. If scram occurs a dropping command is given to all control rods as well as the command to the reactor protection system. Finally, control rod dropping may be initiated manually in the control room (especially during commissioning tests for each single rod).

7. REACTOR CLOSED-LOOP CONTROLS

7.1. General remarks

Two different principles are applied:
— presetting the plant power level at the reactor
— presetting the plant power level at the turbine generator.


FIG.14. Part-load diagram of the steam generator. [Axis: steam generator power (%).]

ACT Average coolant temperature
L-BAP L-bank position
D-BAP D-bank position
PD Power distribution
CORA Control rod actuation
L PD-control rod bank
D Doppler control rod bank
PDD Power density detector
Pel Electrical power
GEPO Generator power
VALPOS Valve position
SP Speed
MSMINP Main steam minimum pressure
MSMAXP Main steam maximum pressure

FIG.15. Closed-loop controls.


The first principle is used for
— start-up or shutdown
— during limitation actions.

The second principle is used for normal operation including load following. The main objective is to control electric power production as per the chosen physical plant design basis given in the stationary part-load diagram of the steam generator (Fig. 14) taking into account several goals to be optimized, namely, careful treatment of final control elements (e.g. control rod movements should be as small as possible and demineralized water consumption as small as possible) and balanced power distribution.

The closed-loop controls can be partitioned into three sets (Fig. 15):
— controls for state variables of primary and secondary loop (coolant: pressure, pressurizer level, level of the volume control tank, steam generator level, etc.)
— controls concerning plant power (neutron flux, average coolant temperature, control rod position controls, axial power distribution control, generator power)
— operational limitations concerning the water/steam circuit (main steam minimum pressure, main steam maximum pressure, turbine speed).

The reactor power control system differs from the others in using parameters which can be adjusted for anticipated plant operations by the operator in the control room, e.g. constant load, start-up operation, load following.

7.2. Reactor power control system (survey)

Different control loops interacting in cascade (Fig. 16) give priority either to average coolant temperature control or to axial power distribution control (CLC in Fig. 16). Position control-loops for the control rods preserve their efficiency as final control elements with respect to power distribution.

As final control elements boric acid and demineralized water are used for:
— D-bank position control
— automatic compensation of xenon reactivity
— automatic compensation of burnup (first fuel cycle: burnable poisons).

The D-bank, the weak bank, consists of four control rod quadruplets (quads) selectable out of a total of six quads by the operator during plant operation. Four different insertion sequences are programmed (Fig.9) to obtain quite a good radial/azimuthal power distribution in spite of rod insertion. D-quad locations are also chosen within the core cross-section to secure information from the in-core power distribution detectors.

The D-bank is used for
— compensation of Doppler reactivity for control of integral reactor power (Fig. 17)
— L-bank position control.


FIG.16. Schematic of control equipment for reactor power. [Legend entries: average coolant temperature, controller, burnout compensation, power distribution, control loop coupler, D-bank position, L-bank position, power density detector, reactor power, rod drive mechanism, reference value.]

FIG.17. Bank insertion sequence in load-following. [Axis: reactor power (%).]


FIG.18. KWU-KONVOI: main control room. [Front view and side view; labelled areas: Information System, Primary Side Systems, Safety-Related Systems, Main Control Desk, Communication Centre, Ventilation and Radiation Monitoring; space provided for individual utility options such as excess control and supervisory tasks.]

D4 is used only in special cases:
— as the final element of limitations
— if demineralized water is injected shortly after reactor scram is reset.

The L-bank, consisting of all control rods which are not actual D-rods, is the strong bank, used for:
— axial power distribution control
— temporary support of the D-bank for control of integral reactor power.

8. CONTROL ROOM DESIGN

Use is made of a standardized control room concept, with one single control room for each plant unit, a high degree of remote actuation using low voltage technology and push-buttons, and providing a clear arrangement of different plant systems with extensive use of mimic diagrams (Fig. 18). There is a specially designed panel for the protection system.

There are three alarm classes:
— safety alarms (about 10) for manual clearly defined protective actions (after 30 min)
— class-I alarms (about 500) to indicate a safety system failure
— class-II alarms (about 1000) for other failures.

About 30 high-frequency high-resolution full graphic colour VDU-displays are used for the supervision of important plant areas, e.g. core cross-section and representation of all process computer output.

9. COMPUTER APPLICATION

9.1. Concept (Fig.4)

A multiple process computer system with distributed peripheral processors is used. In each of the four sections of the switchgear there is one peripheral processor for:

— acquisition of measuring data (analog and binary)
— adaptation of different signal levels
— data transmission to main processors.

The main processors are of the Siemens 32-bit type 3287. Tasks are:
— plant monitoring
— fault analysis
— operating logs
— logging alarms and measured values.

For pre-evaluation of aeroball data a special Siemens computer is used, compatible with the main process computers. An on-line simulator and a sequential control monitoring computer may optionally be installed.

9.2. Functions

Conventional programs include
— normal recording of process variables and disturbance recording for incident review purposes (analog and binary data, switching, alarms, etc.)
— statistics: frequency of certain states (coming up to certain values, certain switching, etc.).

For reactor physics programs: see Fig. 19.


FIG.19. Reactor physics program system. [Diagram labels: system, theoretical data, primary and secondary loop, input, output, program name.]


FIG.20. Load changes of KWU PWR plants in commissioning tests (15.11.1983). [Axes: magnitude of load changes in % of rated power; in % per minute. Legend: × tests performed in Biblis A.]

FIG.21. Biblis A: multiple start-up procedure to more than 1200 MW(e). [Axis: generator power. Marked events: startup after J 6h of zero power; turbine trip; loss of load to house load; loss to emergency power; loss of load to zero.]


FIG.22. Biblis A: loss of load to house load at 80% rated power.

FIG.23. Biblis A: main coolant pump (3) trip at 80% of full load.


10. OPERATIONAL CHARACTERISTICS

10.1. Load-following capability (Fig.20)

The thick lines in Fig.20, including the dashed one, represent load-change capability as contracted, e.g. 30% of rated power as the magnitude of load change should be obtained with a power ramp of 10% per min.

During commissioning tests the following values were obtained:
— Biblis B: load change of 10% in 10 s
— Stade: load change of c. 63% in about 6 min.

10.2. Start-up behaviour

Multiple start-up procedures from zero power to rated power of more than 1200 MW(e) in short time intervals were demonstrated in commissioning tests at Biblis A (see Fig.21).

10.3. Anticipated operational events

Example 1: plant response to an isolation from the grid (Fig.22), fast power cut-back from full load to house load by automatic rod dropping, avoiding scram: the dropped rod pairs are detected as steps in the reactor power trajectory of Fig.22.

The rod dropping function reduces the necessary main steam bypass capacity to 45% of rated steam flow.

Example 2: loss of reactor coolant flow (Fig.23) is detected via the main coolant pump speed; load rejection to approx. 45% of rated power is achieved by dropping several control rods simultaneously into the core. Automatic controls stabilize the plant at that load. As a backup: reactor trip will be initiated if normal power set-back fails.

11. SUPPLEMENT

11.1. Power supply concept

In each of the four separated rooms (sections) of the switchgear and emergency feed building a battery of 24 V DC rated voltage is installed. The electronic cabinets are grouped into pairs. Each pair is supplied by two different batteries via diodes: one cabinet by the battery of its own section and the other by the battery of another section (Fig.3). Thus, with respect to power supply the sections are cyclically connected, resulting in a double power supply for each cabinet since both voltages are conducted to a common bus-bar via diodes. A special electronic device prepares the power supply for analog signal processing.

The power supply of the control rod drive mechanism (RDM) is provided by four independent rectifiers delivering 220 V DC supported by one battery. The cabinets to actuate the RDM are set up in two separated rooms of the switchgear building. Thus, the RDM-cabinets of each room are supplied by two rectifiers. A common bus-bar connects the RDM-cabinets of both sections.

The alarm system is supplied by a special busbar to keep the alarm system running during loss of power for the other functions.

11.2. Quality assurance

Each electronic device applied in safety-relevant systems has to pass individual tests:

— factory acceptance tests
— suitability tests
— commissioning tests.

Suitability tests are performed in the presence of the licensing authorities. These tests cover design review, worst-case ambient conditions, such as

— temperature 273 K – 343 K
— moisture
— high voltages < 45 V
— shock
— vibration
— short-circuit.

The long-term operability is demonstrated in a 1000 hour continuous test.


ANNEX IV

INSTRUMENTATION AND CONTROL CONCEPTS FOR BWR REACTORS

A JAPANESE EXAMPLE


1. INTRODUCTION

This design guideline is a summary of a design concept for an instrumentation and control system for BWR power plants in Japan. This guideline does not describe the design details of the system, but simply the main I&C features.

The following section covers general design requirements for the instrumentation and control system for nuclear power plants in Japan; Section 3 discusses various specific current requirements for BWR nuclear power plants. Sections 4–10 deal with the concepts and design criteria of instrumentation subsystems.

2. DESIGN CRITERIA FOR NUCLEAR POWER PLANTS

2.1. Requirement of standards and guides

2.1.1. Standards and guides

During the design of a nuclear power plant, the safety design is inspected by the Safety Committee of the Atomic Energy Commission. Construction of the nuclear power plant is not permitted until all the necessary technical standards and guides provided in the inspection have been met.

Figure 1 illustrates the system of standards and guides.

The Basic Law for Nuclear Power Plant is fundamental for the design of the nuclear power plants. The Law for the Electric Industry regulates the construction of the plant, as well as the facilities employed in the plant. The “Regulation for Nuclear Reactors, etc.” was enacted to ensure safety and to utilize atomic energy effectively.

2.1.2. Guides for safety design inspection

The Safety Committee provides the guides for the safety design of nuclear power plants. In the guides, the following areas involve the instrumentation and control system.

(1) Control room: The control room shall function in such a way that the operator can stay there to shut down the nuclear reactor in safety in the event of an accident.

(2) Nuclear reactor shutdown system: Any time the transient reactivity exceeds the allowable operative range, the nuclear reactor shall be shut down in safety.


FIG.1. Standards and guides for the design of a nuclear power plant.

(3) Safety system:

(a) Design shall include redundancy for each system so as not to lose protection owing to the single failure or single erroneous operation of the structural instruments and channels.

(b) The instrumentation and control system shall in principle be provided with an exclusive channel.

(c) Confirmation of the function and testing shall be available during the operation.

(d) Final safety shall be ensured in case of power cut-off or systems isolation, and the like.

2.1.3. Technical provisions and guides

In addition to the standards and guides described above, there are specific technical provisions and guides for nuclear power plant unofficially provided by the Japanese Electric Association in order to supplement the laws. “Design Guides for Safety Systems of Nuclear Power Plants” (JEAG-4604) covers the instrumentation and control system giving the design requirements for safety.

This design guideline also conforms to the US Code of Federal Regulations, Title 10 (10 CFR 50) general design criteria, regulatory guide and standard review plan, and to standards and guides from the Institute of Electrical and Electronics Engineers (IEEE), the Instrument Society of America (ISA), the American National Standards Institute (ANSI) and the American Society of Mechanical Engineers (ASME).

2.2. Requirements for construction and operation

2.2.1. Permission for construction

When permission for building a power reactor is given, after safety design of the reactor has passed inspection, the plans for construction must be sent to the authorities for approval prior to commencement of construction. Building a nuclear power plant may commence once the plan has been accepted. The application should include the items subject to the safety design inspection. Equipment for instrumentation and control, radiation control and the auxiliary facilities are subject to approval.

2.2.2. Requirements for operation

Contractors who undertake the design and construction of nuclear power plants (Toshiba and Hitachi) are responsible for the design and construction contributing to low down-time, and prevention of injuries from radiation during operation over many decades. Human factors must be taken into consideration in the design and construction of the control room. The design should be based on human engineering so as not to cause erroneous operation or misjudgement.

2.2.3. Operation of nuclear power plant

Prior to the actual operation of the nuclear power plant, an inspection is conducted for each function subject to approval. Three steps of prior inspection are applied to commercial nuclear power plants. When the plant has passed the final step of the inspection, commercial operation is allowed. Maintenance and management of the commercial operation should conform to the provisions of the “Regulation for Nuclear Installations and Operations, etc.”. For that purpose security rules might be provided and be accepted by authorities.

3. DESIGN GUIDES FOR BWR POWER PLANTS

3.1. Safety design criteria

The nuclear power plant shall be provided with sufficient assurance that it can be operated, maintained and inspected without undue risk to the health and safety of the public and plant personnel throughout the life of the plant.

Therefore, to guard against major events that could cause undue risk to the health and safety of the public and plant personnel, the following policies shall be followed:

(1) The occurrence of such events shall be prevented or minimized.

(2) Any such occurrence shall be detected as promptly as possible to permit safe shutdown of the plant.

(3) Protective facilities and equipment shall be provided to prevent further consequences.

(4) Adequate plant control shall be maintained after the occurrence.


3.1.1. Prevention of major events

Major events that could cause undue risk to the health and safety of the public and plant personnel include accidents such as a loss-of-coolant accident (LOCA) due to pipe ruptures of the reactor coolant pressure boundary and a release of radioactivity accident due to breaks of piping outside the reactor containment vessel. It is important to minimize the frequency of occurrence of these major events which may result in the release of radioactivity, and the measures to be implemented shall include the following:

(1) The reactor shall be designed so that in the power operating range the prompt inherent nuclear feedback characteristics provide countermeasures to a rapid increase in reactivity.

(2) The reactor shall be designed to assure that the integrity of the reactor coolant pressure boundary can be maintained and that the nuclear and thermal characteristics are suppressed within specified acceptable limits in abnormal transients, so that a serious release of radioactivity may be prevented.

(3) Features shall be incorporated into the design to ensure that even a small release of coolant from the reactor coolant pressure boundary can be readily and reliably sensed, to prevent a major event developing.

3.1.2. Detection of a major event and safe shutdown of the reactor

Measures shall be provided to assure the prompt and reliable sensing of the occurrence of any major event and safe shutdown of the reactor as follows:

(1) The safety and protection system shall be such as to sense promptly the occurrence of any major event and to initiate automatically the emergency core cooling systems and engineered safety features.

(2) The safety and protection system shall be designed to have redundancy and independence, ensuring that no single failure or removal of any component or channel included in the system results in loss of the function, and that the system reaches a safe state if conditions such as loss of energy and disconnection of the system are experienced.

(3) The safety and protection system shall be designed to provide in-service testability for its function of assuring system integrity.

3.1.3. Plant control after occurrence of a major event

The design shall incorporate the following considerations to assure adequate plant control after the occurrence of any major event.

(1) The control room shall be designed to permit access and occupancy by plant operating personnel.


(2) Instrumentation and controls shall be designed to facilitate ready evaluation of accident status and monitoring of plant parameters necessary to enable actions to be taken in response.

(3) Adequate means shall be designed for monitoring the containment vessel atmosphere and radioactivity, effluent discharge paths, radioactivity of the plant environs, etc., to determine accurately the status and degree of any accident.

3.2. Operating limits criteria

There are a variety of operating limits to ensure the integrity of fuel cladding and the primary reactor coolant system and if any one of these limits is exceeded the plant shall be shut down in safety and inspected for the cause. Therefore, adequate limit setpoints shall be provided for safety systems at which protective functions are automatically performed so that no operating limits are exceeded.

These setpoints shall be determined with a reasonable allowance to assure that the operating limits are not exceeded so long as the instruments involved are functioning steadily.

3.2.1. Operating limits for fuel cladding integrity

The limits shall be specified for the minimum critical power ratio (MCPR) and the maximum linear heat generation ratio (MHGR) as control and procedural limitations that assure safe operation of the plant and which are based on the design considerations of the fuel cladding.

3.2.2. Operating limits for the primary reactor coolant system

To assure the integrity of the reactor coolant system, limits shall be specified for the reactor pressure at the low level and that in a cold shutdown mode.

3.2.3. Limit setpoints of safety systems

To activate the necessary safety functions in transients or accidents, to assure the integrity of the fuel cladding and the primary reactor coolant system, trip setpoints shall be defined.

The trip conditions required to assure the integrity of the fuel cladding and the primary reactor coolant system shall include the following:

(1) Scram ........ neutron flux level
(2) APRM, prevention of control rod withdrawal
(3) Scram and containment vessel isolation ........ reactor water level low (L3)
(4) Scram ........ turbine regulating valve rapidly closed
(5) Scram ........ main steam isolation valve closed
(6) Scram ........ reactor pressure high
(7) Scram ........ turbine stop valve closed
(8) Main steam isolation valve closed ........ reactor pressure low
(9) Main steam isolation valve closed ........ reactor water level low (L1)
(10) Main steam isolation valve closed ........ main condenser, vacuum degree low
(11) Low-pressure core spray (LPCS) system and low-pressure coolant injection (LPCI) system, low level initiation ........ reactor water level low (L1)
(12) High-pressure core spray (HPCS) system and reactor core isolation cooling (RCIC) system initiation ........ reactor water level low (L2)
(13) Safety relief valve popping ........ reactor pressure
(14) Shutdown cooling system, isolation valve closed ........ reactor pressure.

3.3. Seismic and environmental conditions criteria

3.3.1. Seismic design criteria

3.3.1.1. Design principles

Nuclear power plant facilities shall have sufficient capability to withstand the effects of any postulated earthquake so that the earthquake will not lead to a major plant accident. Based on this principle, seismic importance classifications shall be defined consistent with the functions of structures, systems and components included in these plant facilities. The types of earthquake to be considered include:

(1) The Limit Earthquake that is considered possible; and

(2) The Strongest Earthquake that might reasonably be expected to occur,

where those plant facilities which must be designed for both types are defined as Class As facilities and those designed for only the latter type are defined as Class A. Thus the seismic importance classifications include the following four classes:

Class As: Those where breaks or ruptures could cause a loss-of-coolant accident (LOCA); those which are necessary to assure the capability to shut down the reactor in an emergency and maintain it in a safe shutdown condition; the facilities to contain and store spent fuels; and the reactor containment vessel.

Class A: Those which are required to assure the protection of the public from radiation hazards in reactor accidents and where loss of the function could cause radiation hazards to the public, except those included in Class As.


Class B: Those which are related to highly radioactive materials, except those in Classes As and A.

Class C: Facilities which are related to radioactive materials but which will not fall into any of the above seismic classes, and those which are not related to any radiation safety functions.

3.3.1.2. Seismic design criteria for instrumentation and controls

Instrumentation and controls shall be classified into Class As, A, B or C as appropriate to their intended functions and provided with sufficient assurance of structural and functional integrity, commensurate with the design seismic force defined for each class.

3.3.2. Environmental conditions criteria

3.3.2.1. Design principles

Nuclear power plant structures, systems, and components shall be designed so as to maintain their specified functions under varying environmental conditions such as pressure, temperature, humidity and radiation effects at the site of installation, associated with normal operation and abnormal transients.

Also, the structures, systems, and components important to safety shall be designed so as to maintain their specified safe functions under varying environmental conditions such as pressure, temperature, humidity and radiation effects at the site of installation, associated with accidents.

3.3.2.2. Environmental conditions criteria for instrumentation and control

Instrumentation and controls shall be designed (including air conditioning facilities, etc.) to maintain specified functions under varying environmental conditions such as pressure, temperature, humidity and radiation effects at the site of installation, associated with normal operation and abnormal transients.

Also, instrumentation and controls mounted on the structures, systems, and components important to safety shall be provided with sufficient assurance of functional integrity to maintain their specified safe functions under varying environmental conditions such as pressure, temperature, humidity and radiation effects associated with accidents, with the following considerations incorporated:

(1) Such instrumentation and controls shall be installed, where practical, outside the reactor building.

(2) If the imposed functions do not permit their installation outside the reactor building, they shall be subject to environment resistance tests and other requirements.


3.4. Operating personnel interface

3.4.1. Design principles

A nuclear power plant has centralized monitoring with the instrumentation and control equipment in its central control room that are necessary to ensure the operation and control of essential plant systems. The central monitoring and control system used by operating personnel shall be designed to facilitate ready monitoring and manipulation of plant systems, relieve the operating personnel from excessive duties and provide high operational reliability.

3.4.2. Basic considerations regarding the operating personnel interface

(1) All information necessary for reliable and safe plant operation shall be correctly provided to the operating personnel under any operational condition of the plant. In other words, when in normal plant operation, all such information as necessary to secure safe and efficient operation shall be made available to the operating personnel and, in emergency conditions, such information as necessary to assure the safe and prompt recovery of the plant shall be provided.

(2) The central control panel is the primary monitoring facility providing a direct interface between the plant processes and operating personnel. The control panel, therefore, shall be designed based on human-factors engineering.

(a) Design and arrangement of the control panel and associated control equipment shall be consistent with the frequency of monitoring and operation, and the degree of emergency and importance.

(b) Identification of system control switches is by graphic system representation.

(c) Identification of control switches and instruments is by shape and colour, according to their importance and functions.

(d) Arrangement and colour identification of alarm indication windows is according to their importance.

(3) For displaying plant operating status, coloured CRTs shall be positively and effectively used, thus concentrating necessary information on a minimum of sets and allowing automatic selection of displays.

(4) The arrangement of the CRTs shall be such that necessary information for plant monitoring and controls may be observed adjacent to the operating area, and its addition shall be reasonably co-ordinated with conventional instruments (hardwired). This arrangement, therefore, permits monitoring of the plant for continued operation with conventional instruments, even if the CRTs should fail.

(5) The CRT screens shall be designed by human-factors engineering to display information using formats readily readable by operating personnel. Data display density, displaying colours, classification of displayed data, etc., shall be fully considered.

(6) The computer and dedicated controls shall be utilized to automate and optimize the operation of plant major systems and relieve the operating personnel from excessive duties. The computer shall execute overall plant control with adequate operational guides and also be used to support the operating personnel to operate plant systems.

(7) The computer system shall be of a highly reliable configuration and designed so that any loss of its function will not affect continued operation of the plant.

4. PROCESS INSTRUMENTATION

4.1. General

For control, protection and supervision capabilities required for the start-up and shutdown of the nuclear reactor, turbine and various auxiliary systems, process instrumentation is used to measure the temperature, pressure, flow and level of water. The instruments are used for the safety system, the control system and other systems to monitor, control, indicate and record.

The following lists typical process instrumentation for reactor and auxiliary systems in a BWR nuclear power plant.

(1) Instrumentation for reactor pressure vessel
Measures the water level, pressure, and vessel wall temperature inside the reactor pressure vessel, and detects leakage from the flange seal of the vessel.

(2) Instrumentation for reactor water recirculation system
Measures the flow of the recirculation water, pressure difference in the recirculation pump, jet pump, and diffuser.

(3) Instrumentation for main steam piping
Measures the flow and pressure of the main steam and pressure in the first stage of the turbine.

(4) Instrumentation for reactor water supply control system
Measures the flow, pressure and temperature of feedwater.

(5) Instrumentation for control rod hydraulic drive system
Detects the location and hydraulic driving of control rods.

(6) Instrumentation for emergency core cooling system
Measures the flow, pressure and temperature of the coolant.

(7) Instrumentation for reactor water purification system
Measures the flow, pressure, temperature and conductivity of the reactor water.

(8) Instrumentation for boric acid solution injection system
Measures the temperature, concentration, injecting quantity and pressure.

(9) Instrumentation for storage vessel
Measures the pressure inside the storage vessel and temperature and level of water inside the pressure suppression vessel.

4.2. Design conditions for the process instrumentation

Other than the design conditions for each system in general, those for instrumentation relating to the safety systems of nuclear power plants are specifically regulated by various guides and criteria. The following are the basic and important conditions.

Criteria for seismic design

This condition is particularly important in Japan.

Design shall be such as not to cause any serious accident or environmental pollution by radioactive contamination in the event of earthquake disaster. Instruments shall be carefully selected and the methods of installation examined in terms of priority for earthquake-proof installation according to the purpose and capability of the instrument, predicted earthquake condition, its magnitude, and capacity of the instrument to provide instrumentation while resisting earthquake. Hard design shall be basically applied to the earthquake-proof instrumentation. If necessary, however, flexible/soft design may be employed.

Criteria for single failure

Each system shall be designed so as to maintain its function any time the accident is brought about via single failure.

That is, a multiple security function must be provided for the system in which the multi-channels are electrically and physically separated in order that the effect of a common phenomenon is not the failure of the system function.

Separation of the control system from the safety system

In order to increase the reliability of the safety system, interaction of the control and safety systems shall be prevented.

Environmental conditions

For the instrumentation relating to the safety system, selection of instruments, locations and the method of installation shall be determined in such a manner that normal function can be maintained under severe conditions of such an accident as a LOCA and/or high energy pipeline break.


Testability

Instrumentation relating to the safety system shall be designed to allow periodic testing that can be executed while operating the reactor, including the test for multi-channels, one by one.

5. NUCLEAR INSTRUMENTATION

The reactor power, ranging from less than a watt to more than a megawatt, from the source range to power range, shall be measured by the use of appropriate neutron flux detectors. All neutron flux detectors shall be provided in in-core locations. This arrangement is provided to allow maximum sensitivity of detectors consistent with the movement of the control rods at start-up, and assure the appropriate measurement of neutron flux in the intermediate power range.

For neutron flux monitoring, three types of monitoring equipment shall be used. They are the movable fission counter tube-type monitor used in the source range, the movable fission chamber-type monitor in the intermediate range, and the small fission chamber-type monitor in the power range.

5.1. Design criteria

The nuclear instrumentation shall be designed to satisfy the following design principles:

(1) The nuclear instrumentation shall cover the three measuring ranges, that is, source range, intermediate range and power range to assure complete power monitoring from a reactor shutdown state to 125% of the rated power, and shall have sufficient overlaps of measurement among these power ranges so that a shift from one power range to another will not cause discontinuity of measurement.

(2) The nuclear instrumentation shall detect any occurrence of excess power generation that could cause damage to the fuel cladding and provide a signal to the safety and protection system so that a reactor scram can be initiated to protect the fuel cladding. Also, above a specified power level, the withdrawal of the control rods shall be prevented by the rod block monitoring system before the specified acceptable fuel design limit is exceeded.

(3) The source-range and intermediate-range monitors shall be designed to monitor the neutron flux level at a shutdown state and during start-up, and the power-range monitor shall be designed to monitor the reactor power and the axial and radial power distributions at power operation.

(4) The number of channels for the intermediate-range monitor and for the power-range monitor shall be greater than that required for the safety and protection system by one or more channels which may be used, by bypassing, for the purpose of maintenance, adjustment and calibration during reactor operation.

(5) The nuclear instrumentation relating to the safety and protection system shall be designed to satisfy the design principles as described in Section 7.

5.2. Major facilities

(1) Source-range monitor (SRM)

Four channels shall be provided for monitoring the neutron flux in the source range. Each channel shall consist of the movable fission counter tube, electric current pulse amplifier, combined circuit for the logarithmic counting rate and reactor period, power supply, indicator, recorder, cables, etc.

Normally, the source-range monitor shall be used to measure the neutron flux multiplication and the reactor period when approaching critical point.

In the source range, the counting rate and reactor period for each channel shall be indicated. With selected channels, the counting rate shall be recorded. During power operation, a reactor scram will not be initiated by the source-range monitor.

(2) Intermediate-range monitor (IRM)

Eight channels shall be provided for monitoring the neutron flux in the intermediate range. Each channel shall consist of the movable fission chamber, voltage amplifier, averaging square circuit, direct current amplifier, power supply, measuring range selector switch, indicator, recorder, cables, etc.

The intermediate-range monitor, when an abnormal power increase occurs due to misoperation by operators or malfunction of equipment, shall provide a reactor scram signal to protect the fuel cladding from damage.

The intermediate range shall be divided into an appropriate number of measuring ranges by the range selector switches and the power levels measured shall be indicated and recorded. The intermediate-range monitor shall include notification alarm for each range to alert personnel of an unsteady condition indicated by the indicator, such as ‘Indication Low’ (except the lowest range), ‘Indication High’ and ‘Inoperable’. An ‘Indication High’ in each range will scram the reactor to provide protection from an excessive rate of power increase. Also, an ‘Indication High’, ‘Indication Low’ or ‘Inoperable’ signal will cause prevention of rod withdrawal.

(3) Power-range monitor (PRM)

The power-range monitor shall consist of the local-power-range monitor and the average-power-range monitor, including 172 (43 X 4) detectors, and also include the traversing in-core instrumentation which is used for the calibration of these monitors and measurement of the axial neutron flux distribution.

(a) Local-power-range monitor (LPRM)

The detector assemblies for the local-power-range monitor shall be distributed to 43 in-core locations with each assembly having four independent detectors in the axial direction with equal spacing, and thus provide 43 X 4 = 172 channels in total. The local-power-range monitor shall consist of the small fission chambers, amplifiers and power indication instruments.

The local-power-range monitor shall perform continuous measurement of local core power levels and provide an alarm notification for an excess power generation.

Indication instruments of the local-power-range monitor shall be distributed over the rod arrangement display panel so as to indicate existence of any high neutron flux by a lighting of the indication lamp of the applicable indicator.

(b) Average-power-range monitor (APRM)

The average-power-range monitor shall consist of multiple units, each of which averages the output signals obtained from the detectors, through their amplifiers, of each pre-grouped local-power-range monitor, including six channels.

The average-power-range monitor shall be capable of measuring, indicating and recording the mean reactor power continuously from a range where an adequate overlap of measurement with the intermediate-range monitor is available to 125% of the rated reactor power.

When the measured mean reactor power exceeds a specified level, the withdrawal of the control rods shall be prevented. The setpoint of this stop signal shall be designed to follow automatically the variation of the recirculation flow rate.

To protect the fuel cladding, the average-power-range monitor shall be designed so that it will provide a reactor scram signal when the mean neutron flux reaches 120% of that of the rated power operation, or when the mean neutron flux corresponding to the heat flux at a transient of neutron flux increment reaches a level that has been automatically set according to the recirculation flow rate.
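How a setpoint that follows the recirculation flow changes the trip behaviour can be seen by stepping one APRM channel through two transients. This is an added example, not taken from the guidebook: the linear setpoint lines and their coefficients, the 6 s first-order lag standing in for "neutron flux corresponding to the heat flux", and the sample readings are assumptions constructed for illustration; only the fixed 120% scram level comes from the text.

```python
"""One APRM channel: LPRM averaging, fixed and flow-referenced setpoints."""
from dataclasses import dataclass
from statistics import fmean

FIXED_SCRAM = 120.0  # % of rated mean neutron flux (from the text)
TAU_S = 6.0          # constructed lag between neutron flux and heat flux, s


@dataclass(frozen=True)
class FlowLine:
    """Setpoint that follows recirculation flow; linear form is an assumption."""
    slope: float   # % power per % rated recirculation flow
    offset: float  # % power at zero flow

    def at(self, flow_pct):
        return self.slope * flow_pct + self.offset


ROD_BLOCK = FlowLine(0.6, 45.0)      # constructed coefficients
THERMAL_SCRAM = FlowLine(0.6, 55.0)  # constructed coefficients


def channel_average(lprm_readings):
    """Mean of the LPRM detector signals grouped into this APRM channel."""
    return fmean(lprm_readings)


def evaluate(flux_pct, heat_flux_pct, flow_pct):
    """Protective actions demanded by one channel at one instant."""
    actions = set()
    if flux_pct >= FIXED_SCRAM:
        actions.add("scram:fixed-120%")
    # The flow-referenced scram level never exceeds the fixed level.
    if heat_flux_pct >= min(THERMAL_SCRAM.at(flow_pct), FIXED_SCRAM):
        actions.add("scram:flow-referenced")
    if flux_pct >= ROD_BLOCK.at(flow_pct):
        actions.add("rod-block")
    return actions


def first_scram(samples, flow_pct, dt=0.5, tau=TAU_S):
    """Step through LPRM samples; return (time_s, reasons) of the first scram.

    The heat-flux equivalent is the averaged flux passed through a
    first-order lag (backward-Euler step), an assumed model.
    """
    heat_flux = channel_average(samples[0])
    for i, readings in enumerate(samples):
        flux = channel_average(readings)
        heat_flux += (flux - heat_flux) * dt / (tau + dt)
        reasons = sorted(a for a in evaluate(flux, heat_flux, flow_pct)
                         if a.startswith("scram"))
        if reasons:
            return i * dt, reasons
    return None


# Constructed traces: four LPRM detectors per sample, % of rated power.
SPIKE = [[100.0] * 4] * 3 + [[125.0] * 4]
SLOW_RISE = [[60.0] * 4] + [[88.0, 92.0, 90.0, 90.0]] * 40

if __name__ == "__main__":
    print("spike at 100% flow     :", first_scram(SPIKE, 100.0))
    print("slow rise at 50% flow  :", first_scram(SLOW_RISE, 50.0))
    print("slow rise at 100% flow :", first_scram(SLOW_RISE, 100.0))
    print("80% power at 50% flow  :", evaluate(80.0, 80.0, 50.0))
```

With these constructed values the slow power rise that scrams the channel at 50% recirculation flow produces no trip at 100% flow, while the fast spike is caught by the fixed 120% level before the lagged signal has moved.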

(c) Traversing in-core probe (TIP) system

The traversing in-core probe system shall be provided to perform calibration of the local-power-range monitor and measurement of the axial neutron flux distribution. For this purpose, the guide tubes used for calibration shall be installed through detector assemblies, each of which shall permit the transfer of an ultrasmall fission chamber through it. The calibration guide tubes extend from the core inside to the calibration guide tube selecting equipment located inside the dry well. The 43 calibration guide tubes shall be in five groups, each group being provided with a detector driving mechanism.

FIG.2. BWR reactor control systems. (* SLRC: Steamline Resonance Compensator.)

(4) Rod block monitor (RBM)

The rod block monitor is a means to prevent withdrawal of the control rods to protect the fuel cladding from damage that may be caused by continuous withdrawal of the control rods due to misoperation.

The monitor shall include two systems, each being capable of averaging outputs from eight detectors, as a maximum, of the local-power-range monitor.

The monitor shall be designed so that a stop signal for preventing further withdrawal of the control rods is originated when the power obtained by any of these monitoring channels, after the withdrawal of the control rod has been started, exceeds a specified level. Also, it shall be designed so that a signal due to inoperability of the rod block monitor may cause a stop signal for prevention of the rod withdrawal.

6. REACTOR CONTROL SYSTEM

6.1. General

A reactor control system consists of a reactor power level control system, a pressure control system and a water level control system, which are interrelated so as to raise the overall capability. Figure 2 shows the loops of these control systems.

The details of each control system are described below.

6.2. Reactor power output control system

Principle of reactor power output control

The reactor power output control system in BWR plants consists of a control rod made of neutron-absorbing materials, rod drive system and recirculation flow control system. The control rod and its drive system maintain a constant desired power level by adjusting the position of the rod inside the core. The recirculation flow control system also controls the reactor power level by changing the recirculation flow to alter the density of the water, a moderating material used to slow down the fission neutrons. This recirculation flow control system is capable of changing the reactor power output rapidly over a wide range while keeping the power distribution in the core constant.


Control rod and drive system

A BWR plant of 11 million kW(e) has 185 control rods installed inside the core. Each control rod is provided with a drive system and hydraulic control system. Rod position is adjusted by drawing out from the top of the core or insertion by means of the hydraulic pressure that is manually remote-controlled in the control room. Only one control rod is operative at a time. When the power output is changed by using a control rod, the changing rate is approximately 2% power level/min. In the event of emergency shutdown of the reactor, as covered in Section 7.1, all control rods are promptly inserted at once (scram) by the reactor trip system.

Recirculation flow control system

Recirculation flow is controlled by a recirculation pump. The pump speed changes according to the change of the power frequency of the induction motor that drives the pump. Thus the recirculation flow is regulated. As shown in Fig. 2, the recirculation flow control system consists of a recirculation pump motor-generator set with a variable frequency generator and drive motor between which a hydraulic coupling is provided. The master controller and speed controller control the motor-generator set speed. This system has the capability to change the reactor power output by approx. 30% power level/min.

6.3. Reactor pressure control and turbine control systems

Principle of the reactor pressure control

When the reactor is in power level operation, the reactor pressure is automatically controlled to be constant. For that purpose, a pressure control unit is provided in the turbine control system, and is used to regulate the turbine inlet steam pressure by opening and closing the turbine steam control valve and turbine bypass valve.

An electric hydraulic control unit is employed to control the turbine. Under normal operation, the pressure control unit keeps the inlet pressure of the turbine constant by adjusting the opening width of the turbine steam control valve. If the revolutions of the turbine are rapidly increased due to the load rejection of the generator, the speed control unit has a priority to close the turbine control valve over the pressure control unit.

Turbine steam bypass system

There are two types of plant, one with turbine bypass valve of 25% capacity of rated flow of the steam and the other with that of 100% capacity. For the normal start-up and shutdown operations, and when the generator rapidly decreases or loses the load, the steam is handled within the range of the bypass capacity.

When a 100% capacity valve is provided in the plant, reactor scram is not necessary; accordingly, the unit can operate even in the case of full load rejection.

6.4. Reactor water level control system

In order to suppress the carry-over of water in the steam to be sent to the turbine and carry-under of steam to the water recirculating to the core, as well as to prevent the core from being exposed, three signals detecting the flow of the feedwater and main steam, and water level inside the reactor pressure vessel are provided. The flow of feedwater is automatically controlled to maintain the specified water level by the signal. In other words, the speed of the reactor water feed pump driven by the steam turbine, or the opening width of the feedwater control valve provided in the outlet of the motor-driven pump can be adjusted by these signals.

6.5. Safety considerations

Principal rules for the control systems

Since the nuclear reactor control system does not belong to the safety system but to the instrumentation and control system, it is independent of the requirements for the safety system. However, in order to augment the reliability of the control system required for increasing the availability of the plant, much multiplicity should be employed in the power source, detectors and control circuits. The requirement for diagnostic capability and maintenance should also be considered in the design.

Load follow-up

For the design of the reactor control system, it is necessary that the primary parameters of the nuclear reactor be maintained within the suitable operating range regardless of possible changes of the operating conditions and load, and of the effect of disturbance under normal operation. Consideration of the combined effect of three elements, that is, the control rod, rod drive system and recirculation flow control system, is also essential to maintain the reactivity change due to the load fluctuation of the reactor, change of xenon concentration or temperature from high to low, and fission. In addition, one more factor necessary for the reactor control system is that the system must definitely and easily detect the power fluctuation of the reactor, if any.

7. SAFETY AND PROTECTION SYSTEM

The safety and protection system shall initiate appropriate safety and protective operations to prevent or suppress adverse conditions endangering reactor integrity, when abnormal transients or malfunctions that could impair the safety of the reactor occur, or when the occurrence of such accidents is anticipated.

This system shall consist of the emergency reactor shutdown system circuit and engineered safety feature circuits for initiating features such as emergency core cooling systems.

7.1. Design criteria

Design principles applied to the safety and protection system shall be as follows:

(1) The safety and protection system shall be capable of sensing abnormal conditions and initiate automatically the operation of the emergency reactor shutdown system to assure that specified acceptable fuel design limits are not exceeded when abnormal transients occur during operation.

(2) The safety and protection system shall be designed to assure that specified acceptable fuel design limits are not exceeded for any single malfunction of the reactor shutdown system, such as accidental withdrawal of the control rods.

(3) The safety and protection system, in accident conditions, shall promptly sense the abnormal conditions and initiate automatically the operation of the emergency reactor shutdown system and engineered safety features.

(4) The safety and protection system shall be designed to incorporate sufficient redundancy and electrical and physical independence to assure that no single failure or removal of any component results in loss of the safety and protection functions.

(5) The safety and protective system shall be designed to fall into a state acceptable in safety consideration (fail-safe or fail-as-is state) if conditions such as disconnection of the system and loss of energy are experienced.

(6) The safety and protection system, where practicable, shall be separated from other general instrumentation and control systems and, if commonly used, it shall not be affected by a failure of any such instrument or control.

(7) The safety and protection system shall be designed to permit periodic testing of its functions during normal operation.

(8) The safety and protection system shall be designed taking into account seismic considerations.

7.2. Emergency reactor shutdown system

The emergency reactor shutdown system shall consist of two channels. Each channel shall include at least two independent trip setpoints for a single measured variable.

The contact of either setpoint shall trip the applicable channel, and a simultaneous trip of both channels shall lead to a reactor scram.

7.2.1. Reactor scram conditions

Reactor scram shall occur in any one of the following conditions:

(a) Reactor pressure high
(b) Reactor water level low
(c) Dry well pressure high
(d) Neutron flux high
(e) Neutron flux measuring instrumentation inoperative
(f) Scram discharge volume water level high
(g) Main steam isolation valve closed
(h) Turbine, main steam stop valve closed
(i) Turbine, main steam control valve fast closed
(j) Main steam line, radioactivity high
(k) Earthquake acceleration large
(l) Manual operation
(m) Mode switch “Shutdown”.

Reactor scram occurs also in the following conditions:

(a) Reactor shutdown system operating circuit, loss of power. The loss of power for the reactor shutdown system operating circuit will lead to a scram due to the fail-safe function described later.

(b) Electrical hydraulic controls, low hydraulic pressure. A pressure drop of the turbine hydraulic controls will cause a fast closure of the turbine main steam stop valve and control valve, leading to a reactor scram.

7.2.2. Fail-safe

Relays associated with the channel trip or reactor scram shall be in a magnetized condition during operation, and a shift to non-magnetized condition of one or more relays shall cause a trip of the channel to which the relays belong.

As most accidental conditions of relays such as loss of power, burnout or short circuiting of coils and disconnection of wiring will return the relays to a non-magnetized condition that leads to a channel trip, the formation of these circuits is considered fail-safe for these accidental conditions.

On the other hand, for accidents such as melting of contacts due to burnout, contrary to the fail-safe nature, the electric current through each contact shall be designed not to exceed 50% of the rated current to prevent the occurrence of such failures.

7.2.3. Tests

The operating circuit of the reactor shutdown system shall be designed to permit, as a rule, the following tests for each channel at one time during reactor operation.

(a) Manual scram pilot valve performance test: Verify adequacy of the logic and performance of the scram pilot valve of each channel by operating the manual scram switch.

(b) Automatic scram pilot valve performance test: Verify adequacy of the logic and performance of the scram pilot valve of each logic circuit by using the keyed test switch.

(c) Detector performance test: Apply a calibration model signal to the detectors through calibration taps of each channel and verify adequacy of the logic and performance of the scram pilot valve.

(d) Single control rod scram performance test: Verify the scram time of each control rod by operating the manual switch.

The first three of these tests can together ensure the independence of each channel.

7.2.4. Reset

When either one of these channels trips and if the cause of the trip of that channel has been eliminated, the tripped channel shall be capable of being manually reset so that the pilot valve may be re-magnetized.
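The two-channel trip logic of Section 7.2, the magnetized-in-operation relays of 7.2.2 and the test and reset rules of 7.2.3 and 7.2.4 can be exercised as a small model that injects every single relay fault and records what the logic does. This is an added example, not part of the guidebook; the pressure values, the fault names and the way a channel test is simulated are assumptions.

```python
from dataclasses import dataclass
from itertools import product
from typing import List, Optional

# Constructed values for one "high" trip variable (reactor pressure, kg/cm2).
SETPOINT, NORMAL, DEMAND = 75.0, 70.0, 80.0
DEENERGIZING = ("loss_of_power", "coil_burnout", "wire_disconnected")
FAULTS = DEENERGIZING + ("welded_contact",)


@dataclass
class TripRelay:
    """Relay held magnetized in operation; dropping out demands a trip."""
    setpoint: float = SETPOINT
    fault: Optional[str] = None

    def magnetized(self, measured: float) -> bool:
        if self.fault == "welded_contact":
            return True            # contact cannot open: the fail-dangerous case
        if self.fault in DEENERGIZING:
            return False           # every other fault drops the relay out
        return measured < self.setpoint


class Channel:
    """One trip channel with two independent setpoint relays (Section 7.2)."""

    def __init__(self, name: str):
        self.name = name
        self.relays: List[TripRelay] = [TripRelay(), TripRelay()]
        self.tripped = False

    def evaluate(self, measured: float) -> bool:
        # Either relay dropping out trips the channel; the trip is latched.
        if not all(r.magnetized(measured) for r in self.relays):
            self.tripped = True
        return self.tripped

    def manual_reset(self, measured: float) -> bool:
        # Section 7.2.4: reset only once the cause of the trip is eliminated.
        if all(r.magnetized(measured) for r in self.relays):
            self.tripped = False
        return not self.tripped


def build_system():
    return {name: Channel(name) for name in ("A", "B")}


def evaluate(system, measured: float) -> str:
    """Return 'scram' (both channels), 'half-scram' (one) or 'none'."""
    tripped = [ch.evaluate(measured) for ch in system.values()]
    return {0: "none", 1: "half-scram", 2: "scram"}[sum(tripped)]


def single_failure_analysis():
    """Inject each single relay fault; record the outcome without and with demand."""
    rows = []
    for ch, idx, fault in product("AB", (0, 1), FAULTS):
        outcome = []
        for measured in (NORMAL, DEMAND):
            system = build_system()
            system[ch].relays[idx].fault = fault
            outcome.append(evaluate(system, measured))
        rows.append((ch, idx, fault, outcome[0], outcome[1]))
    return rows


def welded_pair_outcome():
    """Both contacts of one channel welded: the case Section 7.2.2 designs out
    by limiting contact current to 50% of the rated current."""
    system = build_system()
    for relay in system["A"].relays:
        relay.fault = "welded_contact"
    return evaluate(system, DEMAND)


def channel_test_sequence():
    """Test one channel at a time at power, then reset it (7.2.3 and 7.2.4).
    The test input is modelled as de-energizing one relay (assumption)."""
    system, log = build_system(), []
    for ch in system.values():
        ch.relays[0].fault = "loss_of_power"
        during = evaluate(system, NORMAL)
        refused = not ch.manual_reset(NORMAL)   # cause still present
        ch.relays[0].fault = None
        restored = ch.manual_reset(NORMAL)
        log.append((ch.name, during, refused, restored))
    return log


if __name__ == "__main__":
    for row in single_failure_analysis():
        print(row)
    print("welded pair in channel A on demand:", welded_pair_outcome())
    print(channel_test_sequence())
```

In this model no single relay fault produces a spurious scram or blocks a demanded one; only a common fault on both contacts of one channel defeats the scram, which is why contact welding is treated separately from the de-energizing faults.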

7.3. Backup emergency shutdown system

Two 3-directional, solenoid-operated valves for the backup emergency shutdown function shall be provided in the instrumentation pneumatic system to permit the insertion of control rods when any pilot valve becomes inoperative. This solenoid shall be connected to a direct current source and normally be in the non-magnetized condition. When main trip relays in two channels of the emergency reactor shutdown system operating circuit go into a non-magnetized condition, the two solenoids in the backup emergency shutdown valves shall be magnetized.

If pilot valves are inoperative owing to failure, the backup emergency shutdown valves shall be operated and the control rods will be inserted as a result of there being no supply of air pressure to the scram valve. In such a case, the rod insertion time is normally longer than usual; however, if other control rods are available for immediate insertion, this will be sufficient for emergency shutdown of the reactor without backup emergency shutdown system.

7.4. Other important safety and protection functions

Other important auxiliary protective functions of the safety and protection system shall include the following:

(1) Closure of the main steam isolation valve by a reactor water level low signal.

(2) Closure of the main steam isolation valve by a signal indicating main steam line radiation high, main steam line pressure low, main steam line flow rate high, main steam line tunnel temperature high, or condenser vacuum degree low.

(3) Closure of the normal ventilation system and initiation of the stand-by gas treatment system by a signal indicating dry well pressure high, reactor water level low, or reactor building radioactivity high.

(4) Initiation of the high-pressure core spray system, the low-pressure core spray system and the low-pressure coolant injection system by a signal indicating reactor water level low or dry well pressure high.

(5) Initiation of the automatic depressurization system by a simultaneous indication of the reactor water level being low and drywell pressure high.

(6) Initiation of the high-pressure core spray system and activation of the diesel generator and the emergency diesel generator by a signal indicating reactor water level low or drywell pressure high.

(7) Closure of isolation valves other than the main steam isolation valve by a signal indicating reactor water level low or drywell pressure high.

8. CENTRAL CONTROL ROOM

8.1. General

Structure of the control panel

An exclusive or common central control room is provided for a single nuclear power plant or for two adjacent plants. The monitoring console panel is installed in the central control room and consists of a main panel and subpanels, auxiliary panel, and a terminal board to which the cables from the equipment of the plant are connected. Prefabricated cables are used to tie up each panel. A typical layout for the central control room and connections of the control panels are shown in Fig. 3.


FIG.3. Control room layout and cable connections.

Improvement of central control panel

Based on experience in the operation of more than ten plants and the results of continuous development, a newly developed central control panel is now available for improving monitoring and operating of the plant and its safety. Table I shows the major improvement in the newly developed central control panel.

8.2. Monitoring console panel

Positioning of the control panel

The monitoring console panel is divided into two, i.e. a main panel and subpanels according to the importance, emergency and frequency involved in monitoring. The main panel is placed between the subpanels. The layout of the main panel corresponds to the process flow. Monitoring for normal start-up, shutdown and power operations of the plant, and intensive operations required in the case of emergency can be primarily carried out by the main panel.

Layout of the control panel

Human engineering is a major factor in determining the configuration of the control panel and distribution of devices on the panel. Figure 4 shows how the monitoring console panel and systems on the panel should be placed. Figure 5 shows the desirable procedure for designing the panel layout, in conjunction with operation.

TABLE I. INTEGRATED BWR ADVANCED MAIN CONTROL ROOM PANEL

PURPOSE MEANS

Improving monitoring and operating of plant

* Definition of monitoring section
* Intensive understanding of the condition
* Prevention of erroneous operation
* Prevention of misjudgement

Improving safety in the plant

* Prevention of erroneous operation
* Intensive understanding of the condition

Improving control of plant operation

* Operator console (with CRTs)
* Data record

Separation of main panel and subpanel

* Function distribution based on analysis of importance, emergency and frequency

CRT: power-up of the computer system

* CRT: 10-11 units
* Display pictures for normal monitoring
* Display pictures in the case of an emergency

Easy designation of device

* Form, colour, location

Easy designation of alarm

* Location, colour

Large collection of data

* Expanded input of computer
* High-speed line printer, CRT hard copy

FIG.4. Configuration of main control room panel and system layout.

FIG.5. Desirable procedure for monitoring: layout of the panel surface. (Figure labels: Monitoring and operating sequence; Division identified.)

8.3. Application of colour CRTs

To provide better interface, many colour CRTs are used in the newly developed central control panel. Seven CRTs are provided in the main panel, two in the reactor coolant control panel, and one or two in the operator console. For the CRT display, 140 pictures are available for the plant monitoring under normal condition and in emergencies. The layout and classification of the CRT are shown in Fig. 6.

8.4. Safety considerations

Electrical and physical separation

The devices for the safety system are structured with redundancy so that a single defect of a device does not cause the loss of the entire safety function. These redundant devices are electrically and physically separated to be stand-alone.

FIG.6. CRT arrangement. (Screen functions shown: Parameter Trend; Alarm Monitoring; System Monitoring (FW/C, CUW); System Monitoring (CR and In-core Monitor); Summary Monitoring, Operation Guide, Alarm; System Monitoring (Turbine, Generator); Safety System Monitoring and Surveillance Test Guide. Locations: Unit Supervisory Console; Reactor Core Cooling BB; Operator’s Console. Legend: Display Function and Page Selection Switch; Keyboard; TW Typewriter; HC Hard Copy.)

Resistance against earthquake and non-flammability

The device for the safety system is to be capable of functioning in the event of severe earthquakes, which occur in Japan. Non-flammable materials are to be used for the cables and units in the panel.

9. PROCESS COMPUTER SYSTEM

All instrumentation and controls necessary for the monitoring, operation and control of the nuclear power plant shall be provided in the central control room. Also, a process computer system shall be provided in order to support the operating personnel by supplying various information necessary for operation of the plant.

FIG.7. CRT display: feedwater system (normal). (Display labels: RX PRS, RX LVL, RX DATA, STM FLOW, FDW FLOW, TDRFP, MDRFP.)

FIG.8. CRT display, plant schematic (emergency). (Display labels: RCIC, HPCS, LPCS, RHR, S/R VALVE STATUS.)

FIG.9. CRT display, process trend (emergency). (Trend labels: W/R RX LEVEL (mm), CORE FLOW (t/h), S/C TEMP (°C), H2 CONCENT (%), PCV PRESS (kg/cm2).)

FIG.10. CRT display, post-accident monitor (emergency). (Display labels: S/C TEMP, PRS, S/C LVL.)

9.1. Basic functions of the process computer

The process computer shall be applied to monitoring computations such as core performance calculations and data logging functions, and further used to provide selected and processed information to the operating personnel through coloured CRTs for the improvement of plant operability and monitoring capability. It shall also be used for overall plant control and to provide support for, and reduce the duties of, operating personnel by automating major plant operations.

(1) Core performance calculation and core performance estimate

The computer functions under this paragraph shall include: computational processing of the in-core power distribution, in-core flow rate distribution, fuel linear heat generation, critical power ratio, reactor power, average void ratio, etc.; data acquisition concerning fuel irradiation, etc.; monitoring of in-core neutron flux; and recording of the control rod positions.

Also, it shall forecast the variation of power distribution caused along with the operation of plant systems and have the capability to perform on-line estimation of the in-core power distribution, thermal margin of the fuel assembly, etc. This estimate can provide sufficient assistance for making daily operation plans for load following.

(2) Plant performance computation

The computer shall perform computational processing of the plant performance, on data such as availability of plant, efficiency of turbine generator, performance of feedwater heater and steam separator.

(3) Rod worth minimizer (RWM)

The rod worth minimizer shall be provided to monitor the operating personnel’s manipulation of control rods at a low power condition and prevent accidental formation of such control rod patterns as may cause a high rod worth. In other words, the actual control rod pattern during operation is always compared to those patterns stored in the computer which have been demonstrated to be acceptable as safe and any deviation from the stored and qualified patterns will be prevented. If any deviation should occur, the rods which are out of specified sequence shall be identified for display and verification, and interlocking signals for rod operation shall be originated.
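The comparison the rod worth minimizer performs is an allowlist check: a requested rod move is permitted only if the resulting pattern lies on a stored, qualified sequence, and otherwise the deviating rods are named and the move is interlocked. The sketch below is an added example, not the guidebook's or any vendor's implementation; the rod names, notch positions, sequence layout and low-power threshold are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed data: a qualified withdrawal sequence as ordered steps, each a
# group of rods and the notch position the group is withdrawn to (0 = fully
# inserted). Rod names, notch values and the power threshold are illustrative.
QUALIFIED_SEQUENCE = [
    ({"02-19", "10-27", "18-35"}, 48),
    ({"06-23", "14-31"}, 48),
    ({"02-27", "10-35"}, 12),
]
LOW_POWER_LIMIT = 20.0  # % rated power below which the check is enforced (assumed)
KNOWN_RODS = set().union(*(rods for rods, _ in QUALIFIED_SEQUENCE))


@dataclass(frozen=True)
class Decision:
    permit: bool
    out_of_sequence: Tuple[str, ...]   # rods to display for verification


def out_of_sequence(pattern: Dict[str, int]) -> Tuple[str, ...]:
    """Rods whose position does not fit any point along the qualified sequence."""
    bad = {r for r, pos in pattern.items() if pos > 0 and r not in KNOWN_RODS}
    in_progress_seen = False
    for rods, target in QUALIFIED_SEQUENCE:
        positions = {r: pattern.get(r, 0) for r in rods}
        if in_progress_seen:
            # A later step may not start before the current one is complete.
            bad |= {r for r, pos in positions.items() if pos > 0}
        else:
            bad |= {r for r, pos in positions.items() if pos > target}
            in_progress_seen = any(pos < target for pos in positions.values())
    return tuple(sorted(bad))


def check_move(pattern: Dict[str, int], rod: str, new_pos: int,
               power_pct: float) -> Decision:
    """Evaluate a requested rod move before it is executed."""
    if power_pct >= LOW_POWER_LIMIT:
        return Decision(True, ())            # outside the low-power region
    proposed = dict(pattern)
    proposed[rod] = new_pos
    deviating = out_of_sequence(proposed)
    # Any deviation raises the rod-operation interlock and names the rods.
    return Decision(not deviating, deviating)


if __name__ == "__main__":
    print(check_move({}, "02-19", 48, 5.0))   # first step of the sequence
    print(check_move({}, "06-23", 12, 5.0))   # second-step rod moved too early
```

Because the check evaluates the pattern that would result from the move, an insertion that brings an already deviating pattern back onto the sequence is permitted while further withdrawals stay blocked.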

(4) Data logging, recording and documentation

The computer shall retain trip sequence records that provide useful data for investigating the cause of any scram occurrence and have an event recall function that records specified data at analog input point.

When alarm setpoints with respect to the analog input and calculation items are exceeded, the occurrence of alarms shall be recorded, contact inputs monitored and the variation of status recorded.

Core performance calculation records, plant operation records, daily reports and other necessary documentation shall be provided for use in the plant operation control and fuel control.

FIG.11. Plant automation system. (Legend: ERC - Emergency reactor cooling down system; APC - Automatic power controller; FDWC - Feedwater controller; RFC - Recirculation flow controller; EHC - Electro-hydraulic control system; ASS - Automatic synchronizing system; AVR - Automatic voltage regulator.)

FIG.12. Multi-computer configuration. (Legend: PI/O - Process input output; CRT - Cathode ray tube; DFW - Data freeway; MST - Master station; RST - Remote station; CPU - Central processing unit; MAC - Multi access controller; T/W - Typewriter; C/R - Card reader; L/P - Line printer; M/T - Magnetic tape.)

(5) CRT display and controls

The CRT shall be installed in the central control panel which is the primary interface between the plant and operating personnel in an arrangement that permits overall evaluation of the plant status.

Figure 6 shows a typical arrangement. The CRTs shall be classified according to their intended functions. Specifically, the CRTs located in the middle, i.e. Nos 2 to 6, shall be used in the total monitoring of overall plant. Generally, the CRT screens are classified into those for monitoring normal plant operation and those for monitoring emergency conditions, and collectively shall have a ‘plant status monitoring function’. Figures 6-10 provide examples of CRT screens.

(6) Automated plant system

Major operations, from the start-up of the plant through turbine speed increase, generator coupling, initial loading, power increase after initial loading, power decrease, up to shutdown, shall be under automatic computer surveillance utilizing the dedicated sublooped controls and sequence controls. Figure 11 shows the plant automation system.

The plant start-up-to-shutdown course shall be divided into multiple breakpoints and the operating personnel shall select the breakpoints so that the computer may perform total monitoring of the plant status and operations within these breakpoints and permit the CRT to display the necessary guides to operation, or automatically execute necessary computer controls.

9.2. System configuration (Fig. 12)

The process computer system shall have a system configuration that allows the dispersion of loads and risks utilizing multiple central processing units for improvement of its response and processing capabilities and reliability. The system shall also assure that, if any one of these computer units fails and stops, the function of the halted computer is automatically and promptly backed up by other computers, thus providing a high system reliability.

Input signals to the computer system consist of approximately 1400 as analog inputs and 2600 as digital inputs, where the signals relating to safety systems shall be sufficiently isolated from others that the safety systems will not be adversely affected by processing systems.

10. POWER SYSTEM

Station service power system

The station service power system is designed to prevent a complete power failure of the plant. It supplies power to the auxiliary machinery required to ensure the safety of the reactor system at any time, in normal or accident conditions.

An external power system and emergency station service power system are installed for safety assurance of the reactor system. The external power system is connected to the power system via more than two transmission lines. A multiplex diesel-engine generator system and DC power system are installed as the emergency station service power system.

Structure of station service power system

Figure 13 is a diagram of the station service power system in the latest 1100 MW BWR plants, and the details are described below.

The power is generally supplied to the station auxiliary machinery from the main generator through the station service transformer during normal operation, and through the starting transformer during start-up and shutdown. The structure of the starting transformer together with the adjacent units is shown in Fig. 12.

The station auxiliary machinery is classified into two groups, that is, (a) the machinery relating to the important systems and (b) devices for maintaining safety, such as engineering safety facilities and other general machinery, all of which is connected to the emergency bus and to the general bus or common bus. The power to the station auxiliary machinery is supplied through the high-tension bus and low-tension bus in accordance with the load capacity.

If the auxiliary machinery consists of two machines, these are generally connected separately to the different buses to ensure that power is supplied without failure.

A diesel generator system, consisting of two emergency generators and a generator for the high-pressure core spray system (abbreviated to HPCS system), is provided to operate the auxiliary machinery required for shutdown of the nuclear reactor in safety in the event that an accident such as complete consumption of the cooling material occurs when the external power supply is stopped.

Emergency high-tension bus

There are two emergency bus systems and a HPCS bus system, all of which are electrically and physically separated to supply power independently to the equipment of three emergency systems. The design includes an earthquake-proof structure.

FIG.13. System structure. (Explanation of symbols: Main generator; Diesel-engine generator system; Main transformer; Station transformer; Starting transformer. A-1, A-2, B-1, B-2: General high-tension bus; SA-1, SA-2, SB-1, SB-2: Common high-tension bus; C, D: Emergency high-tension bus; H: HPCS high-tension bus.)

Diesel generator system

A diesel generator system is provided with sufficient capacity to supply power to the engineering safety facilities and system equipment to be operated until the reactor is shut down when the cooling material in the reactor has been completely used up, with external power having failed, or been switched off, at the same time.

DC power system

A typical DC power system in the BWR plants of 1100 MW is shown in Fig. 14. The system consists of a 125 V line for the HPCS system and two lines for the neutron flux motor, and a 250 V line for the normal power source.

FIG.14. Example of DC power set-up. (Diagram labels: 125 V storage batteries A and B; DC 125 V BUS A, BUS B and BUS HPCS; DC ±24 V buses; DC 250 V storage battery and DC 250 V BUS; battery chargers on each line.)

Storage batteries are connected to a static battery charger to which the power is supplied through the emergency low-tension bus. An insulated room with a redundant charging system is to be provided for each battery. The DC power system that supplies the power to the safety system has an earthquake-proof structure.


ANNEX V

INSTRUMENTATION AND CONTROL CONCEPTS FOR PWR REACTORS

A JAPANESE EXAMPLE


1. INTRODUCTION

This document describes the design concepts for instrumentation and control of pressurized water reactors which are in operation, under construction or being planned in Japan.

2. INSTRUMENTATION

2.1. Nuclear instrumentation

Nuclear instrumentation is intended to measure the power of a reactor. With regard to (a) the total power, it initiates protective measures (e.g. scram), and serves the power control system; with regard to (b) power distribution, it initiates protective measures (e.g. power limitation and DNBR limitation), and monitors power distribution (for the control of axial power distribution configuration). With regard to (c) the power changes related to time, it initiates protective measures following changes in power (e.g. protects for rod drop and rod ejection), and monitors the power changes related to time (reactor period).

Since the power which a reactor produces originates from nuclear fission, which produces a variety of fragments, particles and radiations, the measurement of these products will give information on the reactor power. The most direct method is to detect the thermal fission neutron flux density. The neutron detector for continuous measurement is installed outside the reactor vessel to improve the reliability of the measuring system because the in-core temperature, pressure and radiation conditions are severe. The out-of-core neutron flux density covers a span of about 10 decades from the source level to the full power level. This span is generally divided into three ranges:

(a) Source range
(b) Intermediate range (up to 100% power)
(c) Power range (from 1% power upwards).

These measuring ranges overlap and cover the whole span.

Of these, the source range and intermediate range are used only when the reactor is shut down or starting up, and will not be calibrated to the thermal power. The power range monitors the power conditions of the reactor, and so it is calibrated to the thermal power obtained by calculation when the reactor is on power. The power in the upper section and that in the lower section of the core can be measured separately when the reactor is on power. The output of the upper or lower detector is calibrated periodically in order to cater for changes in the patterns of axial power distribution, which depend on the degree of fuel burnup. The calibration is performed by measuring the pattern of in-core neutron flux distribution by moving a small thermal neutron flux detector up and down in the core.


The commonly used detectors have been developed with the following factors taken into consideration: sensitivity, ageing effects, response time, mechanical size, and tolerance to interfering radiations and environmental conditions.

Movable detectors are located inside the core for power distribution monitoring and calibration purposes.

2.2. Process instrumentation

The term ‘process instrumentation’ is normally used for instrumentation which is not essential for safe operation. All the parts of the instrumentation essential for safe operation are considered to conform basically to the Japanese General Design Criteria and to refer partly to the relevant Japanese standards, criteria and codes to complement the national guidelines.

2.2.1. Reactor pressure instrumentation

(a) Objectives

Pressurizer pressure and reactor coolant pressure are provided for substantially direct measurement of the reactor pressure. The former is used for the pressurizer pressure control systems (which actuate the pressurizer heaters, pressurizer sprays and pressurizer relief valves) and for protective actions such as reactor trip and S/I initiation. The latter is used for PAM (post-accident monitoring) and subcool degree indication in a control room and for interlock to pressurizer relief valves and RHR suction valves.

(b) Principles of pressure instrumentation

The pressure-sensing line and the transmitter to obtain reactor pressure, which are in contact with the reactor coolant fluid, are considered to conform to the relevant standards and criteria regarding the reactor coolant pressure boundary, earthquakes, etc., to minimize the probability of reactor coolant release from the sensing line or transmitter.

A diaphragm device is employed as a pressure-sensing element.

2.2.2. Pressurizer level instrumentation

(a) Objective

Pressurizer level is an important process parameter of a PWR and is used for the pressurizer level control system and for protective actions such as reactor trip and S/I initiation.

(b) Principles of pressurizer level instrumentation

The pressurizer level is measured by a transmitter with a diaphragm as a differential pressure-sensing element. To avoid systematic errors due to vapour pressure in the pressurizer, the transmitters are calibrated at the normal operating pressure. The special provisions to avoid the influence of pressure and temperature in the pressurizer are as follows:

(i) A sealed reference leg with pressure-sensing bellows is provided to prevent boiling due to a drop in the pressurizer pressure.
(ii) A condenser chamber is provided upstream of the reference leg to prevent damage to the sensing bellows due to high temperature.

The transmitter has a DP (differential pressure) sensing diaphragm which can resist fairly high static pressure.

2.2.3. Coolant temperature instrumentation

(a) Objective

This process parameter is used for several purposes, some of which are power control (control rod control), thermal power monitoring and initiation of protective actions. The coolant temperature instrumentation contains narrow-range and wide-range temperature measuring devices. The narrow-range RTD is sensed without a thermowell and the wide-range RTD is sensed through a thermowell.

(b) Principles of coolant temperature instrumentation

The narrow-range temperature is required to be measured within a predetermined response time from the RC (reactor coolant) loop. To attain the above response time, the temperature is sensed directly by an RTD without a thermowell from an RTD bypass manifold which eliminates the sensing delay due to a thermowell.

The hot-leg manifold also permits obtaining the average temperature from the RC hot leg by merging three bypass lines which are derived from three scoop connections on an RC loop.

2.2.4. Coolant flow instrumentation

(a) Objective

This is intended to monitor the capability of transferring the core thermal power to the SG (steam generator) and to trip the reactor for protection when the capacity drops below a tolerable limit.

(b) Principles of coolant flow instrumentation

An elbow type flow meter is used for this measurement. This type of flow meter sensing line is introduced from the elbow piping arranged between the SG outlet and the RC pump inlet and registers the differential pressure of the RC fluid flowing on the inside and the outside corners of the elbow piping to the transmitter. This flow meter gives only the relative flow rate calibrated against a rated flow.

The reactor coolant loop has a large diameter and relatively short piping and the permanent pressure loss is limited, thus other types of DP measurement are not suitable.

2.2.5. Reactor coolant pump instrumentation

The RC pump is operated at a constant speed. The RC pump instrumentation measures the vibration of frames and shafts, temperature of bearings, oil pressure of bearings, seal water flow, etc., on the RC pump and has no reactor protection and control function.

2.2.6. Steam flow instrumentation

(a) Objective

This parameter is mainly utilized for the SG level control and protective action.

(b) Principles of live steam flow instrumentation

This flow meter provides relative flow rates calibrated with FW (feedwater) flow rates. It has a diaphragm which receives differential pressure produced between two sensing taps by the continuous pressure loss of the steam piping including the SG flow restrictors, one of which is mounted on the SG body and another of which is mounted on the steam piping situated substantially away from the SG outlet (to obtain sufficient differential pressure to sense).

2.2.7. Containment pressure instrumentation

(a) Objective

Containment pressure is an important parameter for LOCA identification within the containment and for post-accident monitoring.

(b) Principles of containment pressure instrumentation

A sensing device (bellows) is installed inside the CV (containment vessel), whereas the transmitter is mounted outside the CV to avoid deterioration in accuracy due to hostile environments during accident conditions. To ensure the CV pressure boundary, a double CV barrier is attained by the combination of a sensing device (bellows), a pressure impulse line (sealed type) and a receiving device housed in the transmitter.

2.2.8. Containment water level instrumentation

(a) Objective

This is used for CV level monitoring as part of PAMS.

(b) Principle of instrumentation

A differential-pressure type with sealed sensing lines and a diaphragm is used.

2.2.9. Signal transmission, transformation and conditioning

(a) Pneumatic signals

The pneumatic instrumentation is widely used for less important process signal transmissions and for control signal transmissions to air-operated control valves after I/P conversions have been accomplished.

(b) Analog output signals and binary status monitoring

All the transmitters use 4 to 20 mA current signals. Voltage signals are not commonly used for transmitters because of low noise immunity, but they are used for those indicators, recorders, etc., in the control room which have cable routings receiving no harmful noise. To maintain signal diversity, multiconductors are not used for protection process signals, though they are partly used for control room information.

2.3. Rod position instrumentation

Two separate systems are provided to sense and display control rod positions as described below:

(a) Digital rod position indication system (Fig. 1)

The digital rod position indication system measures the actual position of each full-length rod using a detector which consists of 42 discrete coils mounted concentric with the rod drive pressure housing. They magnetically sense the entry and presence of the rod drive shaft through its centreline. The coils are interlaced into two data channels, and are connected with the containment electronics (data A and B) by separate multi-conductor cables. Multiplexing is used to transmit digital position signals from the containment electronics to the control board display unit. The digital position signal is displayed on the main control board by a series of light-emitting diodes (LED) for each control rod.

FIG. 1. Digital rod position detection concept.

The one LED illuminated in the column shows a position for a particular rod. The use of two separate channels of information enables the digital rod position indication system to continue to function (with reduced accuracy) when one channel fails.

Included in the system is a rod-at-the-bottom signal that operates a control room annunciator.

(b) Demand position system

The demand position system counts pulses generated in the rod drive control system to provide a digital read-out of the demanded bank position.
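The interlaced two-channel arrangement described under (a) can be illustrated with a short decoder. This is an added example, not code from the guidebook or from any plant system; it assumes that coils are numbered from the bottom, that even-numbered coils go to data A and odd-numbered coils to data B, and that a healthy reading is an unbroken run of "shaft present" coils from the bottom. All function and class names are hypothetical.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

N_COILS = 42  # from the text: the detector consists of 42 discrete coils


@dataclass(frozen=True)
class RodPosition:
    low: int            # fewest coils the drive shaft can be occupying
    high: int           # most coils the drive shaft can be occupying
    channels_used: str  # "A+B", "A" or "B"

    @property
    def uncertainty(self) -> int:
        """Width of the position band, in coil pitches."""
        return self.high - self.low


def split_channels(coils: Sequence[bool]) -> Tuple[List[bool], List[bool]]:
    """Interlace the stack (assumption: even coils -> data A, odd coils -> data B)."""
    if len(coils) != N_COILS:
        raise ValueError(f"expected {N_COILS} coil states, got {len(coils)}")
    return list(coils[0::2]), list(coils[1::2])


def _engaged(bits: Sequence[bool], name: str) -> int:
    """Count coils sensing the shaft; reject a 'present' coil above an empty one."""
    count = 0
    gap_seen = False
    for bit in bits:
        if bit and gap_seen:
            raise ValueError(f"channel {name}: shaft sensed above an empty coil")
        if bit:
            count += 1
        else:
            gap_seen = True
    return count


def decode(channel_a: Optional[Sequence[bool]],
           channel_b: Optional[Sequence[bool]]) -> RodPosition:
    """Decode the shaft position; pass None for a channel that has failed."""
    if channel_a is None and channel_b is None:
        raise ValueError("both data channels failed: no position available")
    if channel_a is not None and channel_b is not None:
        a = _engaged(channel_a, "A")
        b = _engaged(channel_b, "B")
        # With interlaced coils, A can lead B by at most one coil.
        if a - b not in (0, 1):
            raise ValueError(f"channels disagree: A={a}, B={b}")
        return RodPosition(a + b, a + b, "A+B")
    if channel_a is not None:
        a = _engaged(channel_a, "A")
        # A sees ceil(k/2) coils, so k is 2a-1 or 2a (k = 0 when a = 0).
        return RodPosition(max(2 * a - 1, 0), 2 * a, "A")
    b = _engaged(channel_b, "B")
    # B sees floor(k/2) coils, so k is 2b or 2b+1, capped at the top coil.
    return RodPosition(2 * b, min(2 * b + 1, N_COILS), "B")


def coils_for(shaft_coils: int) -> List[bool]:
    """Constructed sample input: the shaft occupies the lowest `shaft_coils` coils."""
    return [i < shaft_coils for i in range(N_COILS)]


if __name__ == "__main__":
    a, b = split_channels(coils_for(17))
    print(decode(a, b))      # exact position from both channels
    print(decode(a, None))   # data B lost: band of one coil pitch
    print(decode(None, b))   # data A lost: band of one coil pitch
```

With both channels the position is exact to one coil; with either channel lost the decoder still returns a band that contains the true position, which is the "reduced accuracy" behaviour the text describes.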

2.4. Plant radiation monitoring instrumentation

(1) Area radiation monitoring instrumentation

In order to protect the plant personnel from excessive radiation exposure, this instrumentation continuously monitors the radiation level in the relevant area of the plant. It provides early warning of an abnormal condition which could lead to a health hazard.

(2) Process radiation monitoring instrumentation

This continuously measures the radiation level in the relevant process in order to monitor the release of radioactive material from the plant to the environment and the integrity of various process systems. It provides warning of any abnormal condition, thus permitting measures to be taken to mitigate the abnormal condition and limit the radiation release.

(3) Detector assembly

The detector assembly consists of a radiation detector sampler, and a Pb-shield sample collector. Detectors are selected, taking into account the radiological, physical and chemical characteristics of the effluent, from the Geiger-Müller (GM) counter, ionization chamber, NaI(Tl) scintillation detector and plastic scintillation detector.

The detector assemblies are divided, by modes of installation with the effluent streams, into an in-line type and an off-line type. The in-line type is of the mode with the detector assembly installed directly in the effluent stream and the off-line type is of the mode with the detector assembly installed with a radiation sampling line which is prepared from the effluent stream.

(4) Outline of area monitoring instrumentation

The area monitoring instrumentation is capable of monitoring radiation levels at the following locations:

Main control room
Inside containment (near the airlock, and in-core instrumentation area)
Radiochemical laboratory
Charging pump room (A, B and C)
Spent fuel pit area
Sampling room
Drumming station.

The area monitoring detectors are GM counters and the measuring range covers 10⁻¹ to 10⁴ mR/h.

(5) Outline of process monitoring instrumentation

The process monitoring instrumentation consists of the following process monitors:

Vent stack gas monitor, and sampling device (for radioactive iodine, particulate and tritium)
Rad-waste discharge effluent liquid monitor
Containment vessel particulate and gas monitor
Condenser air ejector gas monitor
Auxiliary building airborne monitor
Steam generator blowdown liquid monitor
Component cooling water liquid monitor
Reactor coolant monitor.

(6) Radiation monitoring instrumentation for accident situations

Planning the installation of radiation monitoring instrumentation with an extended range is under way, in order to monitor the conditions of the plant during an accident. The functions of the radiation monitoring instrumentation for accident situations are as follows:

(a) To monitor the radioactive material released from the plant in order to estimate influences on the plant environment during an accident
(b) To estimate the conditions and seriousness of an accident and provide the necessary information on radioactivity for monitoring the progress of an accident
(c) To protect the plant operators from radiation exposure in an accident.

The radiation monitoring instrumentation for accident situations consists of the following:

Vent stack gas monitor
Main steam line monitor
Inside containment high-range area monitor
Reactor coolant monitor
Inside auxiliary building high-range area monitor
Main control room airborne monitor.

3. OPERATIONAL SYSTEMS

3.1. Control concepts and plant power control

PWR plants in Japan have four main control systems: control rod control (reactor power control), SG level control, pressurizer pressure control and pressurizer level control.

FIG. 2. Control rod system.

The control rod control is used for reactor power control (Fig.2). The control rods are moved up and down when a deviation between Tavg (primary power) and Tref formed by the turbine first-stage pressure (secondary power) exceeds the predetermined setpoint.

Reactor power change due to Tavg change is compensated for by introducing the differentiated deviation signal between neutron flux and P1st (power demand) into this system.

3.2. Role of boric acid concentration control

The boron concentration control system (which requires manual action) is used for the relatively long-term and slow core reactivity control, whereas the reactivity control (including reactor trip) responsive to load changes during normal operation is performed by controlling the rod positions.

3.3. Combined control concept

Automatic power control is performed only by control rod control, and boric acid control is manually operated when necessary so that the required rod worth is maintained for safe shutdown and the control rods are kept within the rod position limitations adaptive to CAOC (constant axial offset control) operation.

FIG. 3. Pressurizer pressure control system.

3.4. Reactor pressure control

Reactor pressure control in the PWR is performed by the pressurizer pressure control system (Fig.3). The pressurizer control system provides the capability to maintain or restore the pressurizer pressure to the design pressure following normal operational transients that will induce pressure changes by the control of heaters and spray in the pressurizer.

It also provides steam relief capability by controlling the power relief valves.

3.5. Steam generator level control

The SG level control system is provided to maintain a programmed water level which is a function of turbine load. The SG level control system is equipped with a three-element controller which regulates the feedwater valve by continuously comparing the feedwater flow signal, water level signal, programmed water level and pressure-compensated steam flow signal. In addition, for plants with turbine-driven main feedwater pumps, the feedwater pump speed is varied to maintain a programmed differential pressure between the steam header and feedpump discharge header (Figs 4, 5).

FIG. 4. Feedwater control system. (Block diagram labels: loop ΔT, turbine first-stage pressure, steam generator level, feedwater flow, steam flow, level reference, filters, summing amplifiers, PI controllers; outputs: feedwater by-pass control valve modulate signal and feedwater control valve modulate signal.)

FIG. 5. Feedwater pump speed control system. (Block diagram labels: steam flow loops A, B and C, bias signal, feedwater pump discharge pressure, steam header pressure, adjustable ΔP at no-load setpoint; outputs: motor-driven feedwater pump outlet valve control signal and turbine-driven feedwater pump speed control signal.)

FIG. 6. Steam dump control system. (Block diagram labels: steam header pressure, Lo-Lo Tavg interlock, condenser pressure low, control air supply, turbine by-pass valve control air block.)

3.6. Steam pressure control

Steam pressure is maintained at an equilibrium value determined by heat balance between the heat input to the SG and the turbine steam rate without continuous control during normal operation. Limitation systems, however, are provided to prevent an unfavourable pressure spike caused by sudden turbine load reduction.

3.7. Steam dump control

The automatic steam dump system is provided to accommodate abnormal load rejection and to reduce the effects of the transients imposed upon the reactor coolant system.

If the difference between the reference temperature and the lead/lag compensated average reactor coolant temperature exceeds a predetermined limit, a demand signal will actuate the steam dump to maintain the reactor coolant system (RCS) temperature within the control range (Fig. 6).

3.8. Pressurizer water level control

The pressurizer water level control system provides the capability to establish, maintain and restore the pressurizer water level within the specified limits as a function of the average coolant temperature. It maintains the coolant level in the pressurizer within the prescribed limits by actuating the charging and letdown system, thus controlling the reactor coolant water inventory (Fig.7).

3.9. Rod control system

The rod control system receives rod speed and direction signals from the Tavg control system.

The rod speed demand signal varies over the corresponding range of 3.75 to 45 in. per minute (6 to 72 steps/minute) depending on the input signal level.

Manual control is provided to move a control bank in or out at a prescribed fixed speed. When the turbine load reaches approximately 15% of the rated load, the operator may select the AUTO mode, and the rod motion is then controlled by the reactor control system. In the AUTO mode, the rods are again withdrawn (or inserted) in a predetermined programmed sequence by the automatic programming equipment. The shutdown banks are always in the fully withdrawn position during normal operation, and are moved to this position at a constant speed by manual control prior to criticality. A reactor trip signal causes them to fall by gravity into the core. There are two shutdown banks.

FIG. 7. Pressurizer level control system. (Diagram label: ON-OFF control.)

The control banks are the only rods that can be manipulated under automatic control. Each control bank is divided into two groups to obtain smaller incremental reactivity changes per step. All control rods in a group are electrically parallel so that they move simultaneously. There is individual position indication for each control rod. A variable speed rod drive programmer has the ability to insert small amounts of reactivity at low speeds to accomplish a fine control of reactor coolant average temperature about a small temperature deadband, as well as furnishing control at high speeds.

3.10. Control bank rod insertion monitoring

When the reactor is critical, the normal indication of reactivity status in the core is the position of the control bank in relation to the reactor power (measured by the reactor coolant loop ΔT) and coolant average temperature. These parameters are used to calculate insertion limits for the control banks. Two alarms are provided for each control bank:

(a) The ‘low’ alarm alerts the operator of an approach to the rod insertion limits requiring boron addition by following normal procedures with the chemical and volume control system.

(b) The ‘low-low’ alarm alerts the operator to take immediate action to add boron to the reactor coolant system by any of several alternative methods.

FIG. 8. Control bank rod insertion monitor. (Block diagram labels: demand bank signal, low alarm, low-low alarm; typical of one control bank.)

The purpose of the control bank rod insertion monitor is to give warning to the operator of excessive rod insertion. The insertion limit maintains sufficient core reactivity shutdown margin following a reactor trip and provides a limit on the maximum inserted rod worth in the unlikely event of a hypothetical rod ejection, and limits rod insertion in such a way that acceptable nuclear peaking factors may be maintained.

Figure 8 shows a block diagram representation of the control bank insertion monitor.

3.11. Operational characteristics

(a) Step load change

The plant control system can restore equilibrium conditions, without a trip, following a plus or minus 10% step change in load demand, over the 15 to 100% power range under automatic control.

(b) Loading and unloading

Ramp loading and unloading of 5% per min can be accepted over the 15 to 100% power range under automatic control without tripping the plant.

(c) Load rejection

The plant control system is capable of accepting 50% load reduction from the rated power without a trip. As an option, the plant control system can be designed to accept complete load rejection from the rated power without a trip and to continue producing the power required by the station auxiliary system.

FIG. 9. Reactor control and protection system.

4. SAFETY SYSTEMS

The safety systems generally contain the reactor protection system (RPS) and engineered safeguard features actuation system (ESF) (Fig.9).

The instrumentation systems for the above systems provide automatic protection signals against unsafe and improper reactor operation during steady-state and transient power operations and initiating signals to mitigate the consequences of faulty conditions. They are required to ensure the integrity of the reactor coolant pressure boundary, capability to shut down the reactor and maintain it in a safe shutdown condition and capability to prevent or mitigate the consequences of accidents which could result in potential off-site exposure. These requirements are comparable to the guidelines formulated by Japanese General Design Criteria.

4.1. Design bases

The instrumentation systems are designed to initiate automatically protective action signals whenever a condition monitored reaches a preset level which is determined in the accident analyses. The following are important design bases:

Single-failure criterion
Independence of redundant systems
Seismic and environmental qualification (consideration for common-mode failure), and
Testability.

To preserve the redundancy and to ensure that no single failure will prevent operation of the associated function, physical separation is accomplished for all the redundant instrumentation systems, including the electrical power supply systems.

4.2. Reactor protection system

The reactor protection system consists of two discrete portions of circuitry:

(a) An analog portion consisting of three to four redundant channels per parameter or variable to monitor various plant parameters, and

(b) A digital portion consisting of two logic trains which receive inputs from the analog portion channels and perform the logic necessary to automatically open the reactor trip breakers.
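The single-failure criterion of Section 4.1 can be checked mechanically against the channel and train structure described here. The sketch below is an added example, not taken from the guidebook or from any plant design; it assumes k-out-of-n coincidence voting inside each logic train and that either train alone can open the trip breakers, neither of which the text states, and all names and readings are hypothetical.

```python
from typing import List, Sequence, Tuple

Fault = Tuple[str, str]  # (failed item, failure mode)


def bistables(readings: Sequence[float], setpoint: float) -> List[bool]:
    """Analog portion: each channel trips when its reading reaches the setpoint."""
    return [r >= setpoint for r in readings]


def train_demands_trip(tripped: Sequence[bool], k: int) -> bool:
    """One logic train (assumed k-out-of-n coincidence on the channel bistables)."""
    return sum(tripped) >= k


def reactor_trip(tripped: Sequence[bool], k: int,
                 trains_alive: Tuple[bool, bool] = (True, True)) -> bool:
    """Assumption: either healthy train alone opens the reactor trip breakers."""
    return any(alive and train_demands_trip(tripped, k) for alive in trains_alive)


def with_channel_fault(tripped: Sequence[bool], index: int, mode: str) -> List[bool]:
    """Force one channel's bistable to a fixed state regardless of the process."""
    faulted = list(tripped)
    faulted[index] = (mode == "stuck_tripped")
    return faulted


def single_failure_report(n_channels: int, k: int) -> Tuple[List[Fault], List[Fault]]:
    """Apply every single failure; list those that block a real trip or cause a false one."""
    demand = [True] * n_channels    # process really is beyond the setpoint
    quiet = [False] * n_channels    # process is normal
    missed: List[Fault] = []
    spurious: List[Fault] = []
    for i in range(n_channels):
        for mode in ("stuck_untripped", "stuck_tripped"):
            if not reactor_trip(with_channel_fault(demand, i, mode), k):
                missed.append((f"channel {i}", mode))
            if reactor_trip(with_channel_fault(quiet, i, mode), k):
                spurious.append((f"channel {i}", mode))
    for t in range(2):
        alive = (t != 0, t != 1)    # train t is dead, the other is healthy
        if not reactor_trip(demand, k, alive):
            missed.append((f"train {t}", "dead"))
    return missed, spurious


# Constructed sample: four channels in percent of span, channel 2 failed low.
SAMPLE_READINGS = [97.0, 96.5, 0.0, 98.2]
SAMPLE_SETPOINT = 95.0

if __name__ == "__main__":
    for n, k in ((2, 1), (2, 2), (3, 2), (4, 2)):
        missed, spurious = single_failure_report(n, k)
        print(f"{k}-out-of-{n}: missed={missed} spurious={spurious}")
    print(reactor_trip(bistables(SAMPLE_READINGS, SAMPLE_SETPOINT), k=2))
```

Under these assumptions two channels cannot satisfy both goals at once (1-out-of-2 trips spuriously on one stuck channel, 2-out-of-2 misses a real demand), while three or four channels with 2-out-of-n voting pass every single-failure case.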

4.3. Engineered safety features actuation system

Almost the same concept as for the reactor protection system is applied, except for the method used to actuate the engineered safety features. As described above, fourfold redundancy is provided for the analog portion of ESFAS and twofold redundancy for its logic portion.

Independence of the redundant portions is maintained from the sensors, via the logic cabinets, to the actuators.

5. SAFETY-RELATED SYSTEMS

5.1. Post-accident monitoring (PAM)

A certain minimum amount of indication is provided in the control room to enable the control room personnel to acquire information required during accident situations.

PAM instruments satisfy the requirements of the single-failure criterion, seismic and environmental qualification, etc., so as to enable the personnel to determine the accident conditions with the required accuracy and reliability.

6. CONTROL BOARD DESIGN

The main control board provides operation and control for the important systems within the nuclear steam supply system and the balance of the plant during normal and abnormal situations.

6.1. Design of conventional control board

A large number of board-mounted devices required to operate a nuclear plant are arranged to survey quickly plant parameters on a system basis by partially using mimic diagrams. Special display devices have been incorporated based on human-engineering principles. These functionally arranged displays include: individual rod position indicators arranged to easily check control rods out of alignment; status lights which indicate the status of the protection and safeguard channels, and monitor lights by which the operator can determine the status of vital valves and pumps to facilitate safeguard action.

The graphic colour CRT display system is employed, reducing conventional instrumentation in the control room. Standard displays include status displays, bar charts, trend plots and pictorial displays.

The design considers the optimum arrangement and selection of board-mounted equipment to meet the overall system requirements, and incorporates experience from previous plants. In addition, the evaluation is performed on a full-scale mock-up including CRT display formats.

6.2. Design of advanced control room

The increasing size and complexity of today’s processes, the more stringent requirements of safety, and desire to improve the quality of control and supervision of these processes have resulted in a considerable increase in the information to be presented to the operators. The increasing complexity and necessity of computers for the control, supervision and digestion of process data have motivated considerable efforts in the design of operator interface equipment.

When properly employed, computer-generated visual displays can greatly enhance the operator’s ability to interface with the plant processes, thereby increasing availability and operability of the plant. The advanced control room will optimize the amount of useful information available to the operator to help him make correct decisions regarding plant operation.

In the light of TMI lessons learned and the increasing complexity, an extensive engineering programme is being initiated to improve the following major areas of man/machine interface design for a nuclear power plant control room:

(a) Develop and establish design philosophy and design criteria for panel layout and on-board equipment arrangement

(b) Establish CRT display design guidelines and improve design specifications, and

(c) Verify and design through ‘prototype’ demonstration in conjunction with assumed operator actions to various operational occurrences.

Fundamental functions of the main control room are to ensure:

(a) Safe and efficient operation during normal operation modes, and
(b) Accomplishment of safety status and/or fast recovery from accident conditions during emergency situations.

The primary control console is mainly designated for the former operation and the NSSS auxiliary control panel is designated for the latter situation. The concept will be decided by analysing the operational sequence of typical operating modes using mock-up panels, and is type-tested and evaluated by using a full-scale plant simulator. The advanced control room consists of the following basic control panels:

Primary control console/integrated NSSS BOP control
NSSS auxiliary control panel
T/G auxiliary control panel, and
Supervisor’s console.

The following items are studied and developed in detail:

Functional analysis
Task analysis
Display integration requirements
Information access requirements
Data management requirements
Develop man/machine interface concept
Develop man/machine interface concept evaluation criteria, etc.

Based on the tasks mentioned above, re-evaluation is made of the consoles, displays, display formats, data management, etc., as required.

7. PLANT COMPUTERS

7.1. General

The computer system employed for a nuclear plant control and monitoring system is required to meet the following requirements:

(1) Compactness

(2) Adequate processing capability

(3) High system operating efficiency

(4) High maintainability, and

(5) Extensibility.

7.2. Entire system architecture

To provide such features as the use of common data, facility of backup, and minimization of the influence on other systems of additions, changes and of functions, it is planned to adopt a mode with decentralized functions connecting separate functional computers with high-speed data ways. The composition of the computer system being planned for introduction to a nuclear power plant in its final form is shown in Fig. 10, split by functions:

(1) The input data collecting system

There are some input computers to collect plant inputs according to the object of use, but on some system scales, one device may be used to collect input jointly.

(2) The general plant monitoring system

This is a system to grasp accurately the behaviour of a plant by using memory, check and analysis functions of the computer and is provided with the following functions:

(a) Keeping logs

(b) Calculation of plant performance

(i) Monitoring of the reactor control system

(ii) Monitoring of the plant and calculation

(iii) Analysis of in-core nuclear instrumentation data

(iv) Guidance during load-follow operation

(c) Plant monitoring function

(i) To display the operating conditions and parameters of a system en bloc

(ii) To check the operator’s action during starting-up and shutting-down and to display operation guides.

[Figure: block diagram. Recoverable labels: station system, engineer console, log console, program console, central processing unit (CPU × 2), central processing system, I/O control, abnormal forecasting instruction system, total radiological assessment system, data-way, technical support centre, CRT display system, controllers, auxiliary control board, plant controller, plant instrument, environment, etc.]

FIG. 10. Computer system configuration (example).

[Figure: block diagram. Recoverable labels: process and NIS variables, signal conditioner, bistable, bypass logic, optical fibre coupler, main control board, manual switch, CH. I to CH. IV, 2/4 logic, Train A to Train D, rod control system, MG set, trip breaker.]

FIG. 11. Advanced protection system.

7.3. Instruction system

This is designed to have the data processing function to foresee early abnormal symptoms of the conditions of the plant and equipment, and prevent the occurrence and progress of abnormal phenomena. It is designed to forecast the progress of the plant parameters and support the operation handling in order to facilitate the grasp of transient operating conditions.

(a) Processing and limit check of important input of the plant

(b) Diagnosis, monitoring and confirmation

(d) Determination of the cause of an abnormal situation

(c) Instruction on operational margins

(e) Instruction on the operation guide in abnormal situations (CRT)

(f) Instruction on procedures for starting-up and shutting-down (CRT and VAS)

(g) Confirmation of the plant conditions during abnormal situations, test and normal operation

7.4. CRT display system

The CRT display system provides information processed by the various above-mentioned systems on the main control board, and serves as a monitoring centre. The CRT system is so designed that all the data of the plant are displayed either automatically or by the timing of operator’s requests according to the degree of importance.

Its features are:

To display warnings in intensive forms and in styles easy to recognize and distinguish,

To be flexible in monitoring through functions of moving and zooming of pictures,

To have improved visual recognizability by displaying with Chinese characters, changing sizes of characters, and displaying in fine diagrams, and

To have a capability of backing up the display completely with another CRT in case of failure of any one of the CRT display devices.

7.5. Technical support centre (TSC)

This is designed to give a complete picture of the operating conditions of the plant, without anyone having to enter the control room during an accident. The centre can give instructions to the operators in the control room and can communicate with the outside. For this purpose a special computer system is provided which is capable of displaying important information such as process variables of NSS and BOP, radiation information, plant conditions, etc., and further can give operational instructions to the main control room and communicate with the outside via the communication lines.

8. ADVANCED INSTRUMENTATION AND CONTROL SYSTEMS

The instrumentation and control systems in a nuclear power plant are an important element in meeting various needs for improvement in the operability and safety of the plant (Fig. 11).

On the basis of such recognition, the instrumentation and control system of a nuclear reactor will be improved to accomplish the following:

(a) To preclude the possibility that a single and random failure in the safety and protection system may lead to a plant trip

(b) To preclude the possibility that a single failure in the control system may induce a plant trip.

New technology, especially in the electronics field, will be applied as much as possible and incorporated in the new systems as an important means of system improvement.

8.1. Reactor protection system

8.1.1. Analog section

(a) It will be capable of bypassing a channel when the instrumentation channel is being tested or maintained, by changing all the analog channels to four channels and applying the 2/4 logic base as the trip logic in order to improve the operability during testing and maintenance. (At present, it has a 2/3 logic base, which may be subject to mistrip, as it is switched to the trip mode during test or maintenance.)

(b) A bypass control logic will be applied in order to control the above bypass automatically. This is for the purpose of changing the trip logic from 2/4 to 2/3, and then 1/2, maintaining the multiplicity by permitting only the first channel bypass and changing the second and successive channel bypasses to the trip mode.

(c) In order to avoid a violation in independency among channels which may be caused by complexity brought about by the adoption of the bypass control logic, channel separation will be maintained by applying optical fibre cables in the signal interface.

(d) An automatic test circuit will be provided in the analog circuitry, which will mitigate the operator’s load by shortening the periodic test time.
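The bypass control logic of item (b), and the mistrip exposure of the present 2/3 arrangement noted in item (a), can be followed in a small model. This is an added example, not code from the guidebook; the class, function and channel names are assumptions chosen for illustration.

```python
from enum import Enum


class Mode(Enum):
    NORMAL = "normal"      # channel votes with its own bistable output
    BYPASSED = "bypassed"  # channel is taken out of the vote
    TRIPPED = "tripped"    # channel is forced to the trip state


class ProtectionVoter:
    """Coincidence voter that needs two tripped channels to trip the plant.

    bypass_allowed=True models the bypass control logic described above;
    bypass_allowed=False models a design in which a channel under test is
    always switched to the trip mode.
    """

    VOTES_TO_TRIP = 2

    def __init__(self, channels, bypass_allowed):
        self.modes = {ch: Mode.NORMAL for ch in channels}
        self.bypass_allowed = bypass_allowed

    def take_out_of_service(self, channel):
        """Handle a test/maintenance request and return the mode granted."""
        if self.modes[channel] is not Mode.NORMAL:
            return self.modes[channel]
        bypass_in_use = Mode.BYPASSED in self.modes.values()
        if self.bypass_allowed and not bypass_in_use:
            self.modes[channel] = Mode.BYPASSED   # first request: true bypass
        else:
            self.modes[channel] = Mode.TRIPPED    # later requests: trip mode
        return self.modes[channel]

    def return_to_service(self, channel):
        """Put a channel back into the vote (restore order is an assumption)."""
        self.modes[channel] = Mode.NORMAL

    def effective_logic(self):
        """Return (k, n): k more bistable trips needed out of n voting channels."""
        forced = sum(m is Mode.TRIPPED for m in self.modes.values())
        voting = sum(m is Mode.NORMAL for m in self.modes.values())
        return max(0, self.VOTES_TO_TRIP - forced), voting

    def plant_trip(self, bistables):
        """bistables maps channel name -> True when its bistable has tripped."""
        votes = 0
        for channel, mode in self.modes.items():
            if mode is Mode.TRIPPED:
                votes += 1
            elif mode is Mode.NORMAL and bistables.get(channel, False):
                votes += 1
        return votes >= self.VOTES_TO_TRIP


def spurious_trip_exposure(voter):
    """Channels whose single spurious bistable signal would trip the plant."""
    return [ch for ch, mode in voter.modes.items()
            if mode is Mode.NORMAL and voter.plant_trip({ch: True})]


if __name__ == "__main__":
    new = ProtectionVoter(["I", "II", "III", "IV"], bypass_allowed=True)
    old = ProtectionVoter(["I", "II", "III"], bypass_allowed=False)
    for name, voter in (("2/4 with bypass control", new),
                        ("2/3, test = trip mode", old)):
        granted = voter.take_out_of_service("I")
        print(name, granted.value, voter.effective_logic(),
              "single-signal trip via:", spurious_trip_exposure(voter))
```

With one channel under test the four-channel design still needs two real signals, while the three-channel design with the tested channel in trip mode trips on any single signal from the remaining two.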

8.1.2. Logic section

(a) The logic section of the protection system will be changed from the present two-train systems to the four-train systems, i.e. the actuation logic will be changed from 1/2 to 2/4.

(b) The reactor trip breakers will be changed from the present 1/2 logic to 2/4.

8.2. Reactor control system

(a) A signal selection circuit will be provided to make multiple the input signals and select the most suitable signals in important systems such as the steam generator level control system, etc.

(b) A backup control system of a redundant type will be provided to diagnose abnormality of the above-mentioned control system and switch to the backup control circuit in case of failure of the main control circuit. The above circuit for abnormality diagnosis and backup control will be of DDC mode using the microcomputer.

(c) The continuous control valve of the main feedwater control valve will be of the double switching mode in order to cope with a single failure in the air control section (I/P converter, positioner, etc.) around the valve.

(d) Due to the introduction of the microcomputer in the automatic power control system, a control system to meet future load-following requirements will be developed.

8.3. Detectors

As part of the development of a new protection system, the following are being developed:

(1) The N-16 power monitor and fast response RTD

The N-16 reactor power monitor measures the γ-rays from N-16 generated in proportion to the neutron flux level in the core with the ionization chamber provided on the surface of an RCS pipe. It performs the reactor protection function replacing the present ΔT. The adoption of the N-16 reactor power monitor precludes the use of the bypass loop piping and bypass RTD, which will result in reduction in radiation exposure and equipment cost.

In addition, a fast response RTD will be developed for the measurement of the reactor coolant temperature (cold leg).

(2) An RC pump speedmeter

An RC pump speedmeter has been developed, and the system is of a direct measuring mode replacing the underfrequency/undervoltage detector for the present RC pump; the logic is simplified, the operating margin will be increased and the possibility of false trip will be reduced.

8.4. Reactor power monitoring system

(1) The multi-section out-of-core nuclear instrumentation

At present, the out-of-core power range neutron detector of each channel is divided into two sections, as a means of monitoring the axial power distribution continuously. The power in the upper section and that in the lower section are measured separately and the deviation is used as a parameter of axial power distribution. The multi-section neutron detector which has been developed represents a part of the out-of-core power range neutron detector. It obtains the axial power distribution continuously by interpolating data from each detector and is intended for close monitoring. The adoption of this method will result in improvement in the in-core power distribution monitoring function corresponding to (a) the daily load-follow operation and (b) AFC operation, both of which affect the operational performance of the plant.

(2) The fixed in-core detector (FID)

The planning of installation of plural FIDs is under way. The installation of FIDs will make possible direct continuous detailed monitoring of the three-dimensional power distribution in the core, whereby the operational performance at the load-follow will be improved.

The installation of FIDs in the core will also make possible continuous calibration of out-of-core neutron detectors and also an improvement in the reliability of the out-of-core neutron detectors.

(3) The post-accident neutron detector

Out-of-core nuclear instrumentation viable in post-accident environmental conditions is being developed.

ANNEX VI

INSTRUMENTATION AND CONTROL CONCEPTS FOR THE ASEA-ATOM BWR

A SWEDISH EXAMPLE

1. INTRODUCTION

The steam cycle of a boiling water reactor (BWR) plant (Fig. 1) is straightforward and simple. The steam produced in the reactor core is passed directly to and through the turbine into the condenser. The condensate is cleaned, preheated and returned as feedwater to the reactor.

The steam cycle in a BWR plant resembles in many respects that of conventional thermal plants. The early thermal plants utilized natural coolant circulation. In order to increase the heat rating of the boiler, forced circulation was introduced. Forced recirculation in modern BWRs is used in order to achieve a higher power density in the reactor core.

The core with its in-core neutron flux measurement system is housed in the reactor vessel, which in modern BWRs also contains the steam separators, the steam driers, the feedwater spargers and the recirculation pump impellers. This permits a very compact design of the nuclear steam supply system, with a minimum of large vessel penetrations. Moreover, the compactness of the nuclear steam supply systems allows a compact design of the reactor containment.

The technology for the first ASEA-ATOM BWR systems was developed in the 1960s, independent of any licences from other reactor suppliers. The first BWR power plant in Sweden, the 460 MW(e) Oskarshamn 1, which was supplied by ASEA-ATOM on a turnkey basis, went into operation in the beginning of 1972.

Since then, ASEA-ATOM has supplied or has under construction ten other BWR plants of a size varying between 590 and 1050 MW(e) including two units (690 MW(e)) in Finland.

2. SAFETY DESIGN PHILOSOPHY

2.1. General

The licensing requirements in Sweden are based on the general design requirements set forth by the US Nuclear Regulatory Commission (USNRC) in the Appendices to 10 CFR 50. These US requirements and recommendations are adapted to Swedish and European technology and amended by specific and more stringent requirements, such as the “30 minutes rule” and a postulated reactor pressure vessel rupture.

The adaption of the safety requirements for the instrumentation and control system is outlined below.

[Figure: steam cycle diagram. Recoverable labels: reactor plant, turbine plant, steam reheating, low-pressure turbine, steam separating unit, reactor core (boiling zone), high-pressure feedheaters, generator, condenser, condensate pumps, low-pressure feedheaters, condensate cleanup.]

FIG. 1. BWR 75 steam cycle.

PS = Power Sources

CI = Control & Instrumentation

RPS = Reactor Protection System

SS = Safety Systems

AS = Auxiliary Safety Systems

FIG. 2. Redundancy principles.

2.2. Redundancy

The design concept for the safety of the whole plant, i.e. for control and instrumentation, auxiliary power supply and process systems related to safety, is based on the so-called N-2 principle. All safety-related systems have been divided into four redundant and independent subsystems (channels, subdivisions) of which only two are needed to cope with any design basis accident situation (Fig. 2).

For non-safety-related parts the design goal is that a single component failure should not cause a reactor scram or prevent plant operation. A disturbance in the operation might be acceptable, however.

2.3. Separation

The four redundant parts (subsystems, channels, subdivisions) are separated from each other, both electrically and physically.

The electrical separation implies that when signal exchange between the redundant parts or between safety-related and non-safety-related equipment is necessary, this exchange must go via isolating devices. These devices are barriers against propagation of electric faults and shall have an insulation level of at least 0.5 kV. Such isolating devices are used for both analog and digital signals. The signal levels are typically 0–10 V or 0/48 V.

The physical separation implies that redundant parts of safety-related equipment are installed in separated areas with separate ventilation equipment (Fig. 3). Doors and walls, etc. between such areas are designed to withstand accidents which may occur within the area. Examples of such accidents are fires, flooding, explosion and pipe ruptures.

When this physical separation principle cannot possibly be met, e.g. in the central control room and inside the reactor containment, separation is provided by distance, barriers or other types of mechanical protections.

2.4. Degree of automation

The “30 minutes rule” referred to above requires that actions which are needed within 30 minutes after an accident, to mitigate the consequences of the accident and to prevent releases of radioactive matter to the environment, shall be carried out automatically. This means that manual actions by the operators are not required within a period of at least 30 minutes after an accident.

The systems for presentation of status information and safety evaluation must be designed in such a way that the operator will get a clear and correct view of the situation. (A similar philosophy is adopted also for disturbances which may interrupt power generation or cause major component damage.)

FIG. 3. Physical separation in building layout.

2.5. Protection

In order to meet the requirements related to “degree of automation” above, the control equipment is divided into functional categories:

— normal control in which process values are maintained within operational limits by manual or automatic actions.

— disturbances control in which process values outside the operational limits are annunciated and special control action initiated to keep the plant on line and to avoid component damage.

— protection control in which major components are disconnected or the plant shut down. This is done when continuous operation might impose an environmental risk or might damage economically important items (heat exchangers, bigger pumps).

This division into categories is illustrated in Fig. 4.

[Figure: two columns headed "Philosophy" and "Application". Recoverable labels: industrial safety; reactor (environmental) safety; feedwater control; alarm; alarm, reactor power reduction; reactor scram, feedwater pump trip; reactor scram, start-up of emergency core cooling.]

FIG. 4. Protection philosophy and application.

2.6. Diversity

The protection systems for the reactor must be designed with a certain diversity as regards sensors and actuated equipment.

Based on risk calculations it is required that the capability of shutting down the reactor to subcritical conditions shall be ensured for the most frequent accident situations by at least two electrically and mechanically independent systems.

Diversity in instrumentation on the other hand is required when the accident leads to considerable changes in the ambient conditions of sensors and measuring channels.

2.7. Shutdown outside the control room (remote shutdown)

If the control room should become uninhabitable and/or the control room equipment disturbed, the reactor can be shut down from locations outside the control room (Fig. 5). The equipment for such shutdown procedures is normally not located in any single room. Necessary indicating instruments and communication equipment are installed in an ‘emergency monitoring centre’, and local control stations are provided in the plant buildings, where necessary.

Isolating devices have to be provided for all electric signal connections to the control room to ensure that an accident inside the control room will not disturb the analog or digital circuits outside the control room.

3. CONTROL ROOM

3.1. Main principles

The general layout of the control room is determined by:

— the organization of the operation staff and the responsibility of the individual members

— the tasks of the operators during different types of normal and off-normal modes of plant operation

— the degree of automation in the plant

— safety criteria.

The arrangement and detailed design of the control desks and panels must take into account:

— the design of the process systems

— the interrelationship between process systems

— ergonomic principles

— available components

— operating instructions.

3.2. Design

A typical operator shift in Swedish nuclear power plants is made up of:

— a shift engineer

— a reactor operator

— a turbine operator, who also handles BOP systems

— an electrical switchgear operator

— two technicians.

The central control room has four main sections, shown in Fig. 6, within which each member of the staff can find all the equipment necessary for his tasks.

These four sections, as shown in Fig. 6, are:

(1) The section for operation of the plant auxiliary power systems and the external grid connections.

(2) The section for operation of the reactor plant including safety-related systems.

(3) The section for monitoring the whole plant and supervising the operation of the balance of plant systems.

(4) The section for operation of the turbine plant and generator systems.

In each section control desks and panels are located in accordance with the following principles.

For most of the time the plant is in continuous base-load operation. The operators on duty are occupied by secondary tasks at or near the communication table where communication equipment is installed.

The operational areas are shown in Fig. 7.

Frequent operator actions are normally needed only during start-up from or shutdown to hot shutdown conditions. The equipment for these actions is located on the control desks which are placed very near to the above-mentioned table.

The CRT display equipment for the monitoring and supervision of the overall plant operation is installed in the central part of these desks.

Equipment which is used less frequently, e.g. during cold shutdown procedures or emergency situations, or equipment for service systems which are normally in continuous operation, is located in vertical control panels, placed behind the control desks.

FIG. 6. Control room sections.

FIG. 7. Control room operational areas.

FIG. 8. Section 2, reactor operation desks (ROD): (a) overall view, (b) detail.

The control panels for the safety-related systems are divided into four groups corresponding to the division into four redundant subsystems or subdivisions of the safety-related systems. The control of all safety-related equipment is located with its auxiliary service equipment such as power, air supply, ventilation, diesel generators, fuel supply, etc. The four groups of panels are separated from each other by steel partitions and the cable connections are run downwards into four separated cable rooms. Mimic diagrams are extensively used throughout the main control room.

3.3. Components

The components used in the desks and panels fall into two categories: conventional instruments, displays and switches and computer-based CRT displays.

The conventional components are generally used for information and control of systems where detailed information is necessary for proper operator action. With a few exceptions the computer-based CRT displays are used for ‘overview’ presentation of the conditions in the reactor, in the turbine or in the power plant as a whole.

The conventional components are installed in a modular system with mimic diagrams. These mimic diagrams are process-system-oriented, i.e. all information related to a specific process such as instruments, indicator lamps and switches, is integrated. The modular build-up of the panels makes it possible to alter conveniently or add equipment. The control desk for the reactor incorporates a CRT display with associated pushbuttons for the control rod operation functions (Fig. 8).

Computer-based CRT displays are also located in the control desks for the turbine plant, i.e. CRT displays are located in all control desk sections, the reactor desks, the plant ‘overview’ desks, and the turbine desks (sections 2, 3 and 4).

CRT displays for presentation of important information may also be installed at elevated locations (above the control panels) in such a way that the information can be read anywhere in the control room area.

4. THE REACTOR PROTECTION SYSTEM (RPS)

4.1. Introduction

The main objectives of the reactor protection system are to detect incidents in the reactor plant and to initiate appropriate automatic protective actions when such actions are necessary with regard to nuclear safety. There are a great number of possible incidents with varying demands on counteraction.

Depending on the required actions the different signals are assigned to protection circuits which again are grouped together in three categories:

(1) Shutdown circuits

— Reactor scram (SS)

— Reactor scram backup (RR)

— Refuelling scram (B)

(2) Isolation circuits

— Reactor containment isolation (II)

— Reactor building area A isolation (IA)

— Reactor building area B isolation (IB)

— Turbine building isolation (IM)

(3) Emergency core cooling circuits

— Core coolant injection (RC)

— Vessel depressurization (TB)

The sets of redundant measuring channels for supervising process parameters and indicating incidents are part of the protection circuits together with the various logic circuits for initiation of the needed protective actions.

The reactor scram and refuelling scram circuits will initiate a reactor shutdown by rapid, hydraulic insertion of all control rods.

The reactor scram backup circuit will shut down the reactor by rapid reduction of the recirculation pumps’ speed and insertion of the control rods by means of the electromechanical drives.

The isolation functions imply closing of relevant isolation valves, i.e. the valves adjacent to the reactor containment wall penetration, when pipe breaks or large leakages are detected. If the break or leakage has occurred inside the containment, the containment cooling systems are also started up.

The core coolant injection circuit initiates start of the emergency core cooling systems, i.e. the high-pressure coolant injection (or auxiliary feedwater) system and the low-pressure coolant injection system.

The vessel depressurization is carried out by electrical initiation of valves in the pressure relief system.

The RPS, including the associated auxiliary power supply and instrumentation, is consistently divided into four redundant and separated channels. The process systems initiated by the RPS, and the auxiliary power supply, including the stand-by power diesel generators, are divided up into four redundant and separated parts correspondingly.

In order to reduce the risk of spurious scrams and to increase the power plant availability, trip initiations are in most of the circuits generated in two-out-of-four voters, one in each channel of the circuits. One exception is the core coolant injection circuit, in which the four channels operate independently of each other in a one-out-of-one mode. Initiation of core coolant injection will not lead to a reactor scram, however.

FIG. 9. Reactor protection system design principles.

4.2. Instrumentation

Sets of four redundant measuring channels are connected to the RPS (Fig. 9). Signals from these channels are also used by other control equipment such as:

— closed-loop control systems

— indicators, recorders, computer

— alarm display system.

These other circuits are separated galvanically from the RPS circuits by means of isolating amplifiers or opto isolators to minimize the risk of electrical faults in these circuits affecting the RPS circuit.

The measuring channels connected to the different RPS circuits cover the following:

— reactor primary parameters for the SS and RR circuits

— pipe break or leakage detection by temperature, pressure and water-level room monitors for the isolation circuits

— pipe break or leakage detection monitors and very low reactor water level for the (emergency) core coolant circuits.

Analog measuring channels with electronic limit devices are used as far as practical to facilitate testing and calibration during plant operation.

[Figure: test scheme. Recoverable labels: sensors, electronic limit units, logic check, two-out-of-four logic.]

FIG. 10. Reactor protection system test scheme.

4.3. RPS logic

The logic for the different RPS circuits is quite simple and built up with electronic components. Sensors belonging to the same RPS circuit and redundant group can trip the RPS circuit channel through a common OR circuit. The protection actions are initiated in a 2-out-of-4 logic, one for each subdivision of actuated process systems. Each of these 2-out-of-4 majority circuits is connected to the output of the OR circuits in the four channels. This implies that electric cross-connections between the redundant subdivisions are necessary and a special signal transmission with fibre optics to provide galvanic isolation has been developed.

Reliability calculations have shown that the weakest point in the circuits is the 2-out-of-4 voters, and for this reason these are tested automatically and ‘continuously’.

4.4. Test and calibration

Testing of the system can be carried out in two ways, as illustrated in Fig. 10:

— as a complete system test, including sensors, electronic limit units, OR circuits and individual inputs to the 2-out-of-4 units.

— in a ‘step by step’ procedure where testing is made in overlapping sections, i.e. transducers, limit units, OR circuits, 2-out-of-4 units and initiating circuits to process systems.

Testing of the complete system implies that the reactor will be scrammed and thus the ‘step by step’ procedure is the normal testing procedure.

3 6 7

Page 392: Nuclear Power Plant Instrumentation and Control A Guidebook

Logic Signal exchange

FIG. 11. Reactor protection system: typical 2/4 circuit.

This testing and calibration procedure has been facilitated by the following design features:

— the circuits are easily divided up into sections by means of switches. The switch position is specially indicated in the control room.

— voltage sources and voltage ramp sources for testing of amplifier gain and limit values are installed.

— the status of digital signals and actual setting of limit units are recorded by the plant computer system.

— the normalized (0–10 V DC) analog signals of the four redundant measuring channels for each parameter are continuously compared with each other in the computer. When deviations occur, the computer will initiate an alarm.

— as pointed out above, the 2-out-of-4 units are tested automatically and ‘continuously’.

During testing of one channel, this channel may be bypassed in such a way that the circuit will operate in a 2-out-of-3 mode during the test, i.e. the plant availability will not be affected.

In order to minimize the risk of common-mode failure of redundant channels, testing or calibration of equipment is only allowed to be performed in one channel at a time. A practical recommendation is that testing or maintenance should be carried out within one redundant group or subdivision only during a specific week (see Fig. 11).
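The trip logic and test bypass described above can be modelled in a few lines. This is an added illustration, not code from the Guidebook or from any plant system; the channel labels A to D, the class and function names, and the truth-table check standing in for the automatic voter test are assumptions.

```python
"""2-out-of-4 trip voting with a test bypass (added illustration, not plant code)."""
from itertools import product

CHANNELS = ("A", "B", "C", "D")  # assumed labels for the four redundant channels


class BypassError(Exception):
    """A second channel was put in test while another is still bypassed."""


def channel_trip(limit_units):
    """Common OR circuit: any tripped limit unit trips its channel."""
    return any(limit_units)


class Voter:
    """Majority circuit for one subdivision; sees the OR output of all four channels."""

    def __init__(self):
        self.bypassed = None  # at most one channel may be in test at a time

    def bypass(self, channel):
        if channel not in CHANNELS:
            raise ValueError(f"unknown channel {channel!r}")
        if self.bypassed not in (None, channel):
            raise BypassError(f"channel {self.bypassed} is already in test")
        self.bypassed = channel

    def restore(self):
        self.bypassed = None

    def vote(self, trips):
        """Return True (initiate the protection action) when two active channels trip.

        With no bypass this is 2-out-of-4; with one channel bypassed the same
        threshold applied to the remaining three gives 2-out-of-3.
        """
        active = [c for c in CHANNELS if c != self.bypassed]
        return sum(bool(trips[c]) for c in active) >= 2


def voter_truth_table_ok(vote_fn):
    """Exercise all 16 input patterns and compare with the majority rule.

    Assumed stand-in for the automatic voter test; the page does not
    describe how the real test is built.
    """
    for pattern in product((False, True), repeat=len(CHANNELS)):
        trips = dict(zip(CHANNELS, pattern))
        if vote_fn(trips) != (sum(pattern) >= 2):
            return False
    return True


def demo():
    """Constructed scenario: channel C is in test while A and B see a real trip."""
    voter = Voter()
    voter.bypass("C")
    # Constructed limit-unit states per channel (True = limit exceeded).
    limit_units = {
        "A": [False, True, False],
        "B": [True, False, False],
        "C": [True, True, True],  # injected test signals; must not count
        "D": [False, False, False],
    }
    trips = {c: channel_trip(u) for c, u in limit_units.items()}
    return trips, voter.vote(trips)


if __name__ == "__main__":
    print(demo())
```

Refusing a second bypass is what keeps the logic from degrading below 2-out-of-3 during testing, which is the one-channel-at-a-time rule stated above.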


4.5. Data sheet

RPS circuits: 9
Redundant channels/circuits: 4
Voting principle: two out of four

Total number of measuring channels:

RR 4 × 6
B 4 × 6
SS 4 × 15
II 4 × 7
IA 4 × 10
IB 4 × 10
IM 4 × 20
RC 4 × 4
TB 4 × 2

Types of process parameters:

Shutdown circuits
— neutron flux
— reactor vessel pressure
— core flow
— vessel water level

Isolation circuits
— room temperature
— room pressure (pressure difference)
— room water level
— vessel water level

Emergency core-cooling circuits
— as isolation circuits

5. PLANT CONTROL

5.1. Overview

A BWR plant has four main control systems:

(1) reactor power control by variation of the reactor coolant recirculation flow rate through recirculation pumps speed control.

(2) reactor power control by control rod position adjustments.

(3) reactor vessel water-level control by controlling the feedwater flow rate to the reactor, through feedwater pump speed control or control valve operation.

(4) reactor pressure control by controlling the steam flow rate from the reactor through control of turbine inlet throttle and bypass valves opening, or control of the reactor relief valves to the condensate pool inside the containment.

FIG. 12. Reactor plant control systems. (Figure labels: electric power output and grid frequency; FC: frequency converter; HC: hydraulic coupling; integrated plant control system.)

The function of the system depends on the power plant mode of operation, e.g. start-up or shutdown operations, base load or varying load power operation, transient or incident operations. The most important design features are described below (see Fig. 12).

5.2. Recirculation flow control

The reactor power can be maintained at a constant level, increased or decreased by varying the speed of the recirculation pumps, i.e. by varying the coolant flow rate through the reactor core. The pumps speed control is accomplished by controlling the frequency of the power supply to the squirrel cage, asynchronous pump motors, each motor being supplied by its own thyristor-controlled frequency converters.


The control system for these converters has the following operating modes:

— base-load operation at constant plant power output

— load following at a preselected rate of change of power

— frequency control in which the plant power output is adapted to maintain the grid frequency

— remote control in which changes in power output (within certain limits) can be initiated directly from a dispatch centre

— manual pump speed control

— incident control in which rapid reduction in pump speed is actuated to avoid reactor scram.

5.3. Control rod operation

Reactor power control by control rod operation is mainly used during start-up and shutdown of the reactor. Due to the use of axially and radially distributed burnable absorbers (BA) in the reactor core, the need for control rod operation during normal power operation is very small.

The ASEA-ATOM control rod drives are actuated by two independent systems:

— a hydraulic system for rapid insertion of the control rods (hydraulic scram), and

— an electromechanical drive system for accurate, fine-motion operation of the rods.

The electromechanical drive system permits operation of any individual rod or any group of rods containing four or eight or in special cases 50% of the rods. The first three modes are used at manually initiated control rod manoeuvring during normal plant operation situations, whereas the latter is used in automatic sequences when the reactor power has to be reduced rapidly without scramming the reactor.

The operation of control rods within the reactor core is restricted by nuclear-thermal limitations, and shall be performed in accordance with optimized sequences. These sequences are precalculated for each operating season and stored in the plant computer system. When control rods are to be operated, the operator checks the sequence proposed by the computer and ‘releases’ the manoeuvring to be carried out, via the computer system.

5.4. Reactor water level control

During normal operation at a power level above about 20%, the water level control is achieved by speed control of the feedwater pumps. Below 20% power it is achieved by a combination of pump speed control and positioning of control valves. Switching between these two modes of operation is performed automatically.

In order to minimize thermal cycling problems on reactor vessel nozzles the ‘low power’ feedwater supply enters the reactor through special nozzles of a smaller size. Switching between the normal, ‘high power’ supply nozzles and the smaller ones is also performed automatically.

The feedwater control system is used also during incident situations to avoid reactor scram due to very high or very low water levels by means of fast feedwater control performed by backup circuits.

After a reactor scram, a special control sequence is initiated to smooth out the post-scram conditions in the reactor vessel.

5.5. Reactor pressure control

Depending on the actual operation situation of the plant the pressure control is performed as follows:

— during normal power operation, the turbine governor adjusts the steam inlet throttle valves opening.

— during start-up and shutdown situations, and during periods when the steam demand of the turbine unit is limited, e.g. during so-called house-load operation, the governor actuates the dump valves so that steam is bypassed to the condenser.

— when the turbine condenser is not available the pressure controller in the relief system initiates steam blowdown to the condensation pool inside the reactor containment.

Normally, the reactor pressure is maintained constant at 7 MPa (70 bar). If, however, a rapid increase in electric power output is required, the pressure setpoint may temporarily be reduced a few per cent. During start-up and shutdown situations the pressure increase to or decrease from 7 MPa is governed by a programmed controller.

5.6. Design

One of the design objectives for the control systems has been that a failure in the process instrumentation or in the control circuits is allowed to cause a reduction in plant power output, but should not lead to a reactor scram.

For this reason several redundant measuring channels are used for most of the process parameters with the signals being treated in averaging units. The control circuits are also made with redundant channels with averaging units on the output. This principle is illustrated in Fig. 13.

The reactor power and water-level control systems are built up by three minicomputers in a two-out-of-three averaging set-up. The control rod operation is performed via the process computer system which operates in a one-out-of-two scheme.

FIG. 13. BWR 75: control system design principles. (Figure labels: control room; 2/3; governor valves; reactor power and water level control; pressure control.)

The reactor pressure control equipment consists of redundant channels with conventional electronic components.

In the control desk in the control room, the reactor power, water level and pressure control equipment is actuated and supervised by conventional control switches and instruments. The control rods are operated by means of a computer display and push-buttons. The display will show the control rod positions and also the neutron flux levels during the control rod manoeuvre.

FIG. 14. Reactor control data sheet A. Performance requirements and capabilities: the requirements and capabilities are defined in discrete points, eye-guides are drawn only to aid the comparison. (Legend: BWR 75 capabilities; Nordel requirements. Nordel: Scandinavian grid. Napsic: North American power system intercon committee. Panels: step change tests, power change; power increase from warm, critical reactor, heated steam lines and established condenser vacuum; response rate, normal operation (TVO 1, 79-01-29); load rejection at the Barsebeck nuclear power plant, 100% = 580 MW(e).)

FIG. 15. Reactor control data sheet B. (Load follow in TVO 1, 9–12 Feb. 1979; axes: power output (%) and control rod withdrawal against time, 79-02-10 to 79-02-12.)

5.7. Data sheets

Figures 14 and 15 represent data sheets covering various parameters.

6. COMPUTER APPLICATION

6.1. Tasks

The ASEA-ATOM BWR 75 has been provided with a redundant computer system which has the purpose of assisting the plant operators in controlling and supervising the plant during all plant operation situations.

The main tasks during different situations are the following functions:

(a) During plant start-up or shutting down procedures

— control rod adjustments and presentation of neutron flux level and control rod positions

— display of the reactor operation point

— supervision of the reactor vessel heating or cooling rate

— calculation of reactor core parameters

(b) During normal plant operation

— recording of testing of safety-related equipment

— supervision of safety-related measuring channels

— measuring and recording of opening and closing times for isolation valves or the scram system during testing

— monitoring trends of important plant parameters

— calibration of neutron flux measuring equipment

— monitoring turbine condenser conditions

— bookkeeping and diagnosis of periodical testing, maintenance or repair activities in the plant

(c) During and after disturbances

— indication and sequential recording of all alarms in the control room

— annunciation of less important alarms, which are not indicated on lamp displays

— bookkeeping of thermal transients in process systems

(d) After accidents

— monitoring and display of important safety-related parameters

— monitoring of the function of safety-related systems

— evaluation and recording of plant behaviour immediately before the accident and after the accident

— evaluation and prediction of the long-term behaviour of the plant

— display in a technical support centre.

(e) General functions

— monitoring and display of water conductivity, leakage rates, operation time of motors for pumps and fans

— display of actual values and their trends of analog measuring channels connected to the computer system

— logging

— limit checking of measuring channels.

6.2. Concept

The redundant computer system comprises equipment and functions on different levels.

Data acquisition is performed in a number of processors (20–30) which are located in plant areas near to the process systems. The data acquisition system is managed by front-end computers which communicate with the processors via a serial transmission. The front-end computers, in turn, transmit the data to the main computers for evaluation and diagnosis of the data. Each front-end computer communicates with one of the main computers only.

The man/machine communication processors control the presentation of information from the main computers to displays and recording equipment.

The display equipment consists of a number of CRT display units predominantly located in the control desks. The recording equipment comprises typewriters, curve recorders, and their distributed control units.

The computer system is connected to a core management system, a technical support centre and finally a plant administrative system, by communication links, illustrated in Fig. 16.

FIG. 16. BWR 75 computer design.

6.3. Data sheet

Data acquisition
— analog signals 2500
— digital signals 9500
— remote processors 27
— front-end processors 4

Main computer
— processor units 2
— disc memories 4
— capacity each (Mword) 33
— primary memory (kword) 512
— word length (bits) 16
— typewriters 2
— service terminals 1

Operators — communication
— processor units 2
— primary memory (kword) 512
— word length (bits) 16
— service terminal 1
— colour CRTs 20
— typewriters 4
— copying units 2

7. PRIMARY SYSTEM INSTRUMENTATION

The primary system instrumentation shall provide information for monitoring of the reactor core and the reactor vessel parameters during normal and off-normal plant operation. Figure 17 shows the main items monitored.

The signals from the measuring channels of the primary system instrumentation are used for:

— control room information

— limit checking for alarm initiation and safety logic inputs

— recording by recorders or by the computer

— feedback control systems.

Measurements of parameters which are important for plant operation or accident situations are generally made in four redundant channels. The signals of these redundant channels are continuously supervised by the computer by comparison. A deviating channel signal will initiate an alarm.

FIG. 17. Primary instrumentation.

Apart from the primary sensors, instrumentation lines or cabling, the equipment is located outside the reactor containment.

The instrumentation comprises measuring channels for the following process parameters.

(a) The reactor flux level in the reactor core. The total measuring span is about 12 decades. For practical reasons the measurements are carried out by three subsystems with a more limited measuring span. These subsystems are the source-range monitoring (SRM), used up to criticality, the intermediate-range monitoring (IRM), used up to about 10% power level, and power-range monitoring (PRM), used in the normal power range. The PRM system comprises a large number of local PRM detectors. The signals from these are grouped together in averaging units (APRM). The SRM and IRM measuring channels operate with combined detectors. These detectors are withdrawn from the core region during normal operation to avoid burnup of the detector fissile material.

The LPRM detectors are permanently installed in the core, and the detector burnup is compensated for by adjusting the gain of the amplifiers. The adjustment rate is determined by means of a highly accurate system with movable detectors, the TIP (travelling in-core probe) system.


(b) The reactor vessel pressure, which is measured by two systems. One of these provides accurate measurements of the pressure variations which might occur during normal plant operation. The other covers the whole pressure range from atmospheric pressure to the vessel design pressure, which is necessary during start-up or shutdown procedures or in accident situations.

(c) The reactor vessel material temperature is measured at several locations. The rate of temperature changes of various locations and temperature differences between different parts can be supervised during heating up or cooling down at reactor start-up and shutdown respectively.

(d) The reactor water level is measured by dp (differential pressure) methods. Three subsystems with different spans are used:

— the fine range measurement, covering variations at normal operation

— the coarse range measurement, covering level variations at design basis accidents, and

— the full level range measurement covering filling-up procedures up to the vessel head and accidents outside the design basis.

The signals from the dp transducers are compensated for variations in the reactor vessel water density due to temperature changes of the reactor and for variation of the atmosphere temperature in the containment.

(e) The core coolant flow, which is measured at the inlet of a representative number of fuel assemblies. These inlets are provided with orifices and the differential pressure over these is used to determine the flow. The total core coolant flow is obtained by summing the individual signals.

(f) The temperature of the core coolant, which is measured in the lower plenum, beneath the core.

(g) The recirculation pumps head, which is measured to verify the performance of the internal pumps.

(h) The steam temperature which can be used as a backup supervision of the core cooling.

The design of the individual measuring channels differs from one parameter to another, but most of the channels follow the design principles shown in Fig. 18.

The output signal from the sensors is normally 4–20 mA. In electronic cubicles these current signals are transformed (normalized) to voltage signals (0–10 V DC) and used for signal conditioning and further treatment. The signal conditioning may be square-root extractions for dp measurements or compensation for variation or environmental conditions. The incoming current signals are also checked with regard to cable circuit continuity, out of range signals and short circuits.

Signals to non-safety-related equipment are branched off through isolating amplifiers whereas safety-related limit checking units, and possibly instruments, are connected directly to the 0–10 V DC signal.


Instruments and indicating lamps in the control room are also connected to measuring circuits through isolating devices (see Section 2.7).
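The measuring-channel treatment described in this section (4–20 mA loop checks, normalization to 0–10 V DC, square-root extraction for dp signals, and comparison of the four redundant channels) is sketched below. It is an added illustration, not code from the Guidebook or the plant computer; the fault thresholds, the deviation tolerance, the median as comparison reference and all names are assumptions, since the page gives no numbers or method.

```python
"""4-20 mA loop conditioning and four-channel comparison (added illustration)."""
import math
from statistics import median

# Assumed thresholds in mA; the page gives none.
OPEN_BELOW = 0.5                # practically no current: cable continuity lost
RANGE_LOW, RANGE_HIGH = 3.8, 20.5
SHORT_ABOVE = 22.0              # current driven to the supply limit
DEVIATION_LIMIT_V = 0.2         # assumed tolerance, 2 % of the 10 V span


def check_loop(i_ma):
    """Classify the incoming current before it is used any further."""
    if i_ma < OPEN_BELOW:
        return "open_circuit"
    if i_ma > SHORT_ABOVE:
        return "short_circuit"
    if not RANGE_LOW <= i_ma <= RANGE_HIGH:
        return "out_of_range"
    return "ok"


def normalize(i_ma):
    """Map 4-20 mA onto 0-10 V DC, clamped to the span."""
    volts = (i_ma - 4.0) / 16.0 * 10.0
    return min(10.0, max(0.0, volts))


def sqrt_extract(volts):
    """Square-root extraction for dp flow signals (flow ~ sqrt(dp)), on the 0-10 V scale."""
    return 10.0 * math.sqrt(volts / 10.0)


def supervise(currents_ma, dp_flow=False):
    """Condition the redundant loops of one parameter and compare them.

    Returns (signals, alarms): signals maps each healthy channel to its
    0-10 V value, alarms is a list of (channel, reason) tuples.
    """
    signals, alarms = {}, []
    for channel, i_ma in currents_ma.items():
        status = check_loop(i_ma)
        if status != "ok":
            alarms.append((channel, status))
            continue  # a faulted loop is excluded from the comparison
        volts = normalize(i_ma)
        signals[channel] = sqrt_extract(volts) if dp_flow else volts
    if len(signals) >= 2:
        reference = median(signals.values())  # tolerant of one outlier in three or four
        for channel, volts in signals.items():
            if abs(volts - reference) > DEVIATION_LIMIT_V:
                alarms.append((channel, "deviation"))
    return signals, alarms


def demo():
    """Constructed readings: channel C has a broken cable, channel D has drifted."""
    return supervise({"A": 12.0, "B": 12.1, "C": 0.0, "D": 13.5})


if __name__ == "__main__":
    print(demo())
```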

8. POWER SUPPLY CONCEPT

The four redundant subdivisions of the safety-related control equipment are supplied with power from a corresponding subdivision of the auxiliary power system.

Figure 19 shows the four subdivisions of the safety-related auxiliary power system. These are located in separated parts of the building, i.e. the entire subdivision including stand-by diesel generator, switchgear, and battery systems, is physically separated from the other subdivisions. No electrical cross-connections between the subdivisions exist.

The batteries of the DC systems have ample capacity, since they have conservatively been dimensioned to carry the highest load circuit for a 2 hours’ interruption in battery charging. If the batteries should fail, the switchgear and the connected loads will be supplied directly by the battery chargers. The batteries and chargers have furthermore been divided up into two halves, so that testing and maintenance can be carried out on one half during power operation without disturbing the process.

The battery-backed AC system which is normally supplied from DC/AC static inverters, has a stand-by connection to the diesel-backed low voltage bus-bar. At failures in the inverters the switchgear will automatically be switched over to this stand-by connection.

FIG. 19. BWR 75 power supply concept. (Figure labels: diesel stand-by system; +24 V=; same as A.)

FIG. 20. BWR programmable control system. (Figure labels: control room; plant computer; control computers; distributed process interfaces.)

The power supply for non-safety-related equipment is separated from that for safety-related systems.

Loss of an individual AC bus-bar is not critical in normal plant operation, i.e. it will not directly lead to a plant shutdown. This feature has been verified during the commissioning of recently supplied plants.

Control systems of this new type will be used for the waste-handling plants for the two 1050 MW(e) power plants, Forsmark 3 and Oskarshamn 3, now under construction in Sweden.


These systems are based on a new product generation developed by ASEA including:

— process interface units

— minicomputers for process control

— operator’s display system.

In this product line special attention has been paid to ensure that system design, commissioning, modifications, maintenance and service can be carried out rationally by non-specialists as regards computers.

In the control systems for the two waste-handling plants the basic process control functions are carried out on three levels, as indicated in Fig. 20. For larger process systems one or more of these basic control systems may be connected to a central computer for overview presentation and for diagnostic analyses.

9. FUTURE TRENDS

The control equipment of today is a mixture of conventional electronic equipment and programmable equipment. This is exemplified by the descriptions in Sections 5 and 6. Quite obviously this does not represent the optimal solution as regards design, operation and maintenance of the systems and equipment.

The same mixture of two technologies is also present in the control room. There the two types of systems often operate in parallel, especially for presentation to the operators, and duplicate each other.

There is a general trend toward increased use of computers and programmable control systems. The next generation of control equipment will probably be largely based on programmable equipment. Based on the experience we have today, we strongly believe that this new technology will offer considerable advantages both to the designer and to the operating personnel of the power plants. Taking into account the advantages, the authorities will no doubt accept the new technology, provided that the system design incorporates redundant features to ensure functional reliability.

A prerequisite for this development step is, however, that the computer systems are redesigned, both as regards hardware and software, in such a way that process, service, maintenance, quality assurance and design requirements can be met more easily.

In such programmable equipment all presentation in the control room should go through colour CRT displays. One of the key problems to be solved is how the overview of plant functions shall best be presented to the operators on CRT displays only.


LIST OF PARTICIPANTS

The meetings held in Vienna with the purpose of assisting the IAEA in the preparation of this Guidebook were:

Consultants Meeting 18–20 December 1979

Brazil: Intrator, E. (Comissao Nacional de Energia Nuclear)

Finland: Ruokonen, K. (Imatran Voima Oy)

Pakistan: Hashmi, J.A. (Karachi Nuclear Power Plant)

Consultants Meeting 20–22 May 1980

Austria: Evangelatos, G.; Fasko, P.; Nedelik, A.H.; Oppolzer, H.; Roggenbauer, H. (Osterreichische Studiengesellschaft fur Atomenergie Ges.m.b.H.)

Brazil: Intrator, E. (Comissao Nacional de Energia Nuclear)

Finland: Ruokonen, K. (Imatran Voima Oy)

Germany, Fed. Rep. of: Aleite, W. (Kraftwerk Union AG)

Italy: Lo Prato, E. (Comitato Nazionale per L’Energia Nucleare)

Pakistan: Hashmi, J.A. (Computer Division, Pakistan Institute of Nuclear Science and Technology)

Consultants Meeting 30 March – 1 April 1981

Austria: Evangelatos, G.; Nedelik, A.H.; Oppolzer, H.; Roggenbauer, H. (Osterreichische Studiengesellschaft fur Atomenergie Ges.m.b.H.)


France: Vissariat, P. (Framatome)

Germany, Fed. Rep. of: Fischer, H.D. (Kraftwerk Union AG)

Pakistan: Hashmi, J.A. (Computer Division, Pakistan Institute of Nuclear Science and Technology)

Sweden: Van Gemst, P. (ASEA-ATOM AB)

United Kingdom: Cox, R.J. (United Kingdom Atomic Energy Authority, Atomic Energy Establishment, Winfrith)

IAEA consultants: Evangelatos, G.; Fasko, P.; Nedelik, A.H.; Oppolzer, H.; Roggenbauer, H. (Osterreichische Studiengesellschaft fur Atomenergie Ges.m.b.H.)

IAEA staff members: Grabov, A.; Laue, H.J.; Sitnikov, G.; Skjoldebrand, R. (Division of Nuclear Power)

The reports in the annexes were prepared by:

Canada: Lepp, R.M.; Watkins, L.M. (Atomic Energy of Canada Ltd)

France: Vissariat, P. (Framatome)

Germany, Fed. Rep. of: Aleite, W.; Fischer, H.D. (Kraftwerk Union AG)

Japan (BWR): Itoh, M.; Takumi, K. (Toshiba Corp.; Hitachi Ltd)

Japan (PWR): Izumi, I. (Mitsubishi Atomic Power Industries Inc.)

Sweden: Van Gemst, P. (ASEA-ATOM AB)


INTERNATIONAL ATOMIC ENERGY AGENCY, VIENNA, 1984. SUBJECT GROUP: V, Reactors and Nuclear Power/Reactor Technology. PRICE: Austrian Schillings 780,—