Academic year: 2021


4. Plant I&C general architecture

I&C is designed and implemented to allow plant operability. Consequently, I&C takes part in the normal operating conditions of the plant unit and in performing the safety functions which, according to a DiD strategy, are:

- Prevent the occurrence of incidental events;

- Deal with incidental events whenever they occur;

- Mitigate the effects of accidental events.

In all these tasks I&C performs automated functions, which trigger actions or continuously control physical parameters of the process, and Human Machine Interface functions, which warn operators, display the plant status and enable operators to perform manual actions on the process.

Like every system operating in a nuclear power plant, "the I&C system" has to satisfy safety and security requirements according to the functions performed by each I&C sub system. Moreover, the I&C design has to take into account the DiD strategy and economic and operational constraints; so the first paragraph deals with the requirements that I&C has to satisfy.

The second paragraph deals with the architecture of "the I&C system", giving a description of the functions performed by each I&C sub system and of how all these sub systems interact and are linked in order to build "the I&C system".

The third paragraph is specific to the digital platform on which the operational I&C functions are performed: the processing and communication chain is briefly inspected together with the structure of the operators' workstation.

4.1. Basic principles/requirements of the I&C design/system

4.1.1. Horizontal structure of the I&C

Data processing for monitoring, automatic and manual plant control, data storage, data display, etc. is performed on a digital, computerized, time-discrete platform (SPPA-T2000 or TXS).

Different horizontal levels can be identified according to the task performed:

- Level 0 I&C: it is the process interface. It performs physical process data acquisition and process variable modification by means of transducers and actuators respectively; this level is interfaced with Level 1 I&C to send and receive control signals;

  o It encompasses mainly transducers and actuators;

- Level 1 I&C: it is the automation level that performs data and logic processing in order to send control actions to Level 0 and deliver information to operators by means of Level 2 systems; Level 1 I&C is interfaced with Level 0 and, by means of Level 2 I&C, with the operators (retrieval and delivery of data);

  o It encompasses mainly automation controllers (both software and hardware implemented);

- Level 2 I&C: it represents the HMI and it displays information about the physical conditions of the processes and the plant state to the operators. It gets pre-processed data from Level 1 I&C and it is interfaced with Level 3 I&C;

  o It encompasses mainly supervision controllers or conventional display and control devices (desktiles);

- Level 3 I&C: it is a level composed of external monitoring or plant management systems. It can be interfaced with Level 0, Level 1 and/or Level 2 to get information, depending on the role performed by the specific Level 3 system.

  o It encompasses specific hardware and software developed for a given purpose or application.

4.1.2. Functional safety principles

Generally speaking, I&C systems (hardware and software) are designed to implement the plant functions that need to be performed to assure its correct, economical and safe operation.

In addition to the functions required during plant normal operation (e.g. load following), functions are designed to cope with events that have an influence on reactor safety; these are named safety functions.

These standard events, which are likely to occur during the plant unit lifetime, are traditionally grouped according to their frequency of occurrence. According to the UK EPR™ safety principles they are the following (in ascending order of severity, descending order of probability):

- DBC-1 (note 2): transients related to normal operation with a frequency of occurrence greater than 1 per year;

- DBC-2: Anticipated Operational Occurrences (AOO) with an estimated frequency of occurrence in the range of 10^-2 to 1 per year;

- DBC-3: design basis incidents, characterised by initiating events with an estimated frequency of occurrence in the range of 10^-4 to 10^-2 per year;

- DBC-4: accidents of very low frequency, limiting accidents initiated by events with a frequency of occurrence in the range of 10^-6 to 10^-4 per year;

- DEC-A (note 3): complex sequences, that is events considered with respect to core melt prevention;

- DEC-B: severe accident situations, that is events used to define the provisions to cope with core melt, in which:

  o LOOP DEC-B functions shall remain available for 12 hours after all internal and external power sources have been lost;

  o Non-LOOP DEC-B functions;

- An additional low probability event is also taken into account: the Common Cause Failure (CCF) of the operational I&C cumulated with a DBC-2 to DBC-4 event.

Safety functions are implemented for each of these events.

Note 2: Design Basis Conditions are named Plant Condition Categories in the framework of the UK EPR™.

Note 3: Design Extension Conditions are named Risk Reduction Categories in the framework of the UK EPR™.

4.1.3. Defence in Depth principle

The five DiD levels set out in [2], recalled below, also apply to the I&C system.

- Level 1 is a combination of design, quality assurance and control margins aimed at preventing the occurrence of abnormal operating conditions and failures;

- Level 2 consists in the implementation of protection devices which make it possible to detect and correct the effects of deviations from normal operation or the effects of system failures. This defence level aims at ensuring the integrity of the fuel cladding and of the primary cooling system so as to prevent accidents;

- Level 3 consists of safeguard systems, protection devices and operating procedures which make it possible to control the consequences of accidents;

- Level 4 comprises measures aimed at preserving containment integrity and controlling severe accidents;

- Level 5 includes, in the event of the failure of the previous levels of defence, all measures for protecting the public against the effects of significant radiological discharges.

These principles apply to the I&C in the following way:

- Level 1 is implemented by adequate organization of the I&C design process (quality assurance); this line of defence includes normal operation functions and regulation control functions;

- Level 2 represents the Preventive Line of defence. It is implemented by guaranteeing continuous execution of reactor monitoring functions, continuous operation of control functions and automatically triggered actions aimed at preventing deviations from normal operating conditions in case of failure of operation functions;

- Level 3 represents the Main Line of defence. It implements the detection of accidental/incidental situations and the start-up (manual or automatic) of mitigative counteractions, and terminates sequences within the DBC;

  o Level 3 sub-line: DEC-A functions and functions that deal with the CCF of operational I&C cumulated with a DBC-2 to DBC-4 event; they represent risk reduction measures to deal with Main Line failure.

- Level 4 is the Severe Accident Line of defence. It features the detection and control of the degraded conditions that occur should Level 3 functions fail in their execution (DEC-B);

- Level 5 is out of I&C scope.

4.1.4. Functional safety classification

I&C systems are classified according to the participation in the mitigation of PIEs of the functions they perform. Three safety classes are defined in relation to the three physical states that can be reached after a PIE. The following states apply to the mitigation of DBC-2 to DBC-4 events:

- Controlled state: the core is sub-critical; heat removal is assured on a short-term basis (e.g. via the SGs); the core water inventory is stable; radioactive discharges are acceptable;

- Safe shutdown state: the core is sub-critical; heat removal is assured on a long-term basis; radioactive discharges are acceptable;

- Final state (defined relative to DEC-A events): the core is sub-critical; residual heat removal is assured by primary or secondary systems; radioactive discharges are acceptable.

- Stable state (defined relative to the mitigation of DBC-2 to DBC-4 events cumulated with a CCF of the operational I&C): the core is sub-critical and residual heat removal is assured on a long-term basis.

The corresponding safety categories are A, B, C and Non Categorized (NC).

A safety classification is required to:

- Identify items that are important to safety;

- Divide them into safety classes according to their safety significance;

- Design, construct and maintain them so that their quality and reliability remain commensurate with their safety classification.

- Functional category A applies to:

  o Functions required to reach the non-hazardous stable state, to prevent a DBE from leading to unacceptable consequences, or to mitigate its consequences;

  o Functions whose failure or spurious actuation would lead to unacceptable consequences, and for which no other Category A function exists that prevents the unacceptable consequences;

  o Functions required to provide the information and control capabilities that allow the specified manual actions necessary to reach the non-hazardous stable state (after a DBE).

- Functional category B applies to:

  o All safety functions needed to reach and maintain the safe shutdown state after the controlled state;

  o Plant process control functions operating so that the main process variables are maintained within the limits assumed in the safety analysis, if these control functions are the only means of control of these variables.

- Functional category C applies to:

  o Functions that are not essential to maintain the safe shutdown state but which may be required to maintain it between 24 and 72 hours;

  o Functions used in normal operation to monitor Category A and B functions;

  o Safety functions to reach and maintain the final state after DEC-A event sequences;

  o Functions used to prevent significant discharges after DEC-B sequences;

  o Functions used to monitor process variables considered as initial conditions in the safety analyses, and functions used to monitor the radioactivity level during normal operation.

4.1.4.a. Safety requirements

Deterministic requirements: specific safety requirements correspond to the three safety classes set out in paragraph 4.1.4. These requirements are expressed in dedicated codes [5] issued by the competent body (IEC, the International Electrotechnical Commission). The correspondences are listed in the following table.

Function safety category   Reference code
A                          IEC - Category A (Principal line); IEC - Category A (Diverse line)
B                          IEC - Category B (Principal line); IEC - Category B (Diverse line)
C                          IEC - Category C

I&C equipment quality class   Performed function in safety category   Reference code
1                             A                                       IEC - Class 1
2                             B                                       IEC - Class 2
3                             C                                       IEC - Class 3

Table 2: Safety requirements

Probabilistic requirements: a given safety function should meet probabilistic objectives that are coherent with its safety category. I&C systems involved in safety functions are considered in the plant PSA, and if the objective of a CDF < 10^-5 per reactor-year cannot be met, I&C system availability must be increased by means of redundancy, diversity, physical separation, etc.

Priority management: an actuator may receive orders from different I&C sub systems (chains). In this case a priority order must be defined to manage conflicting orders. The following criteria are from [4]:

- Commands from higher categorized functions have priority over commands from lower categorized or non categorized functions;

- Within Category A, essential component protection has priority over automatic protection, which in turn has priority over manual protection;

- Within the same category (NC, C or B), component and system protections have priority over automatic or manual actions.

4.1.5. Functional (vertical) structure of the I&C

The concepts set out up to this point would be only a theoretical dissertation if they had no practical way of implementation.

For this reason "the I&C system" is made up of different I&C sub systems (see chapter 4.2), designed to host I&C functions according to their category: each function category is analysed according to the safety and defence in depth requirements it shall fulfil, and the right I&C sub system is chosen according to the results of the analysis.

This results in a vertical I&C structure: the task of each I&C level (see §4.1.1) is performed by different I&C systems that have different constructive architectures.

All these sub systems need to be interconnected in order to assure the consistency and coherence of the control action. The way these interconnections are realized and designed defines the overall I&C architecture.

4.1.6. Economical and operative requirements

This category of requirements is laid down in the EUR for LWR [5]. Some of them are listed below.

- It shall be possible to control the plant with 2 operators, and in steady conditions it should be possible to control the plant with one operator;

- The designer shall optimize the use of sensors;

- Closed-loop controls shall be optimized to reduce the activation frequency of the final control elements;

- Neither malfunctions in automatic systems nor operator errors shall lead to damage of components. Thus, in the event of inadmissible conditions, the component protection logic shall take the component concerned out of operation;

- Closed-loop controls shall keep the process parameters and systems within the specified operating range. They should allow manoeuvrability, load following capability and contribution to frequency control. The role of the operator is the supervision of the plant;

- A conventional or screen-based Remote Shutdown Station (RSS) shall be provided only to allow the plant to be brought to, and maintained in, a cold shutdown state in case of unavailability of the MCR;

- A Technical Support Centre (TSC) with screen-based monitoring means similar to those of the supervision area of the MCR shall be provided for use by the technical support team in emergency situations;

- The closed-loop controls shall be grouped functionally according to the main tasks of the energy transformation process (e.g. reactor controls, steam-generator controls, turbine-generator controls, etc.).

4.1.7. Security requirements

In this context security refers only to computer security: the protection of those computer systems, networks and other digital systems that are critical for the safe and secure operation of the plant and for preventing theft, sabotage and other malicious acts.

Requirements in this category are codified in the EUR for LWR [5] and in the IT security guideline [7]; some of them are listed below.

From the IT security guideline:

- Decoupling mechanisms for data flow should be applied at the borders of a zone.

From the EUR:

- Computer security should be enhanced by cross-checking. It should be possible to stave off a possible attack from a person by checking the actions he has taken;

- The "checker" shall not be authorized to modify what he checks;

- Back-up of system configuration, software and data is required for all systems.
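The cross-checking and backup requirements above can be enforced mechanically. The following Python model is an added example written for this page, not code from the plant documentation or from any vendor platform: it models a two-person change-control flow for I&C configuration in which a proposal must be approved by a checker who is not its author, a user holding only the checker role has no way to modify configuration, and every applied change is preceded by a backup whose digest is verified on restore. The role names, the configuration tags and the workflow API are all assumptions made for the example.

```python
import copy
import hashlib
import json

# Constructed baseline configuration for an I&C sub system (tag names are
# hypothetical and not taken from the plant documentation).
BASELINE_CONFIG = {
    "platform": "SPPA-T2000",
    "setpoints": {"SG_LEVEL_HI": 80.0, "SG_LEVEL_LO": 20.0},
    "firmware": "1.4.2",
}


def digest(config):
    """SHA-256 over a canonical JSON serialisation; used to verify backups."""
    return hashlib.sha256(json.dumps(config, sort_keys=True).encode()).hexdigest()


class ChangeControl:
    """Two-person change control for I&C configuration.

    Roles (assumed names): 'author' may propose and apply changes, 'checker'
    may only approve them. A change is applied only after approval by a
    checker who is not its author, so the checker never modifies what he
    checks. Every application is preceded by a verifiable backup.
    """

    def __init__(self, config, roles):
        self.config = copy.deepcopy(config)
        self.roles = roles            # user -> set of role names
        self.proposals = {}           # change id -> proposal record
        self.backups = []             # list of (digest, snapshot)
        self.audit = []               # append-only list of (action, user, ref)
        self._next_id = 1

    def _require(self, user, role):
        if role not in self.roles.get(user, set()):
            raise PermissionError(f"{user} does not hold role {role!r}")

    def propose(self, user, path, new_value):
        self._require(user, "author")
        cid, self._next_id = self._next_id, self._next_id + 1
        self.proposals[cid] = {"author": user, "path": tuple(path),
                               "value": new_value, "checker": None}
        self.audit.append(("propose", user, cid))
        return cid

    def approve(self, user, cid):
        self._require(user, "checker")
        proposal = self.proposals[cid]
        if proposal["author"] == user:
            raise PermissionError("checker must be independent of the author")
        proposal["checker"] = user
        self.audit.append(("approve", user, cid))

    def apply(self, user, cid):
        self._require(user, "author")
        proposal = self.proposals[cid]
        if proposal["checker"] is None:
            raise PermissionError(f"change {cid} has not been cross-checked")
        # Back up the current configuration before touching it.
        self.backups.append((digest(self.config), copy.deepcopy(self.config)))
        node = self.config
        for key in proposal["path"][:-1]:
            node = node[key]
        node[proposal["path"][-1]] = proposal["value"]
        self.audit.append(("apply", user, cid))

    def restore_last_backup(self):
        """Roll back to the most recent backup after verifying its digest."""
        expected, snapshot = self.backups.pop()
        if digest(snapshot) != expected:
            raise ValueError("backup integrity check failed")
        self.config = copy.deepcopy(snapshot)
        self.audit.append(("restore", None, expected))
        return expected


def demo():
    """Exercise the rules on constructed users; returns observable outcomes."""
    roles = {"alice": {"author"}, "bob": {"checker"}, "carol": {"author", "checker"}}
    cc = ChangeControl(BASELINE_CONFIG, roles)
    out = {}
    cid = cc.propose("alice", ("setpoints", "SG_LEVEL_HI"), 82.0)
    try:                              # a pure checker cannot modify anything
        cc.propose("bob", ("setpoints", "SG_LEVEL_LO"), 0.0)
        out["checker_can_modify"] = True
    except PermissionError:
        out["checker_can_modify"] = False
    try:                              # unchecked changes are never applied
        cc.apply("alice", cid)
        out["unchecked_applied"] = True
    except PermissionError:
        out["unchecked_applied"] = False
    own = cc.propose("carol", ("firmware",), "1.5.0")
    try:                              # self-approval is rejected
        cc.approve("carol", own)
        out["self_approval"] = True
    except PermissionError:
        out["self_approval"] = False
    cc.approve("bob", cid)
    cc.apply("alice", cid)
    out["applied_value"] = cc.config["setpoints"]["SG_LEVEL_HI"]
    before = cc.backups[-1][0]
    out["restored_digest_matches"] = cc.restore_last_backup() == before
    out["restored_value"] = cc.config["setpoints"]["SG_LEVEL_HI"]
    return out
```

The audit list is what the EUR cross-check relies on: a reviewer can replay every propose/approve/apply entry against the backups to confirm that no configuration change reached the system without an independent approval.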

4.1.8. Design considerations

Before concluding this section, the various I&C sub systems that will be described in §4.2 are introduced according to the requirements and needs that determine their implementation in the plant I&C system.

These sub systems compose the vertical I&C structure (see §4.1.5) and host different safety and operational functions.

4.1.8.a. Selection of platforms

Requirements for economic operation and for design and maintenance simplification call for a reduced number of platforms supporting a screen-based HMI. Nuclear safety calls for a qualified platform to initiate automatic I&C actions (enabling of functions) to perform accident mitigation. But the qualified platform does not support a state-of-the-art HMI, so two different platforms are needed to satisfy the requirements: one platform for normal operation supporting a screen-based HMI and another one for automatic accident mitigation.

Know-how and previous experience suggest using SPPA-T2000 in the first case and the computerized TXS in the second case.

4.1.8.b. Operation and information level (Level 2 I&C)

These are the HMIs used by the operator to control the plant status and the ongoing processes. The HMI must provide a clear overview of inter-relationships and operating sequences for monitoring and control purposes. Moreover, plant control must be performed in all conditions through the same HMI, and the information, alarms and checks displayed must be consistent and well structured to reduce the probability of human error. This requires dedicated technology, which is implemented in the PICS (see §4.2.1.a). To ensure plant safety in case of failure of this primary device, backup control means must be provided to control the safety parameters and systems required to achieve stabilized plant conditions. This backup is represented by the SICS (see §4.2.1.b).

4.1.8.c. Control and protection level (Level 1 I&C)

Level 1 I&C is also used to implement the different lines of defence (see §4.1.3). For the purpose of cost reduction as well as design and maintenance simplification, the number of sub systems needed to implement the required functions should be as low as possible, but safety requirements and technical constraints increase this number.

4.1.8.c.1. Preventive line

From an economic and safety point of view it would be desirable to implement all functions belonging to the preventive line in the same sub system. But past experience and the constraints of the selected platforms impose the use of the TXS platform for all rod control related I&C functions. So two different sub systems are used to implement preventive line functions.

- All core and control rod related functions (Category B, C, NC) and automatic LCO functions are implemented in the RCSL (see §4.2.2.b) sub system, based on the computerized TXS platform;

- The other functions are implemented in the PAS (see §4.2.2.a) if they are Category C or Not Categorized, or in the SAS (see §4.2.2.c) if they are Category C or B with an SC1 classification. Both PAS and SAS are based on the SPPA-T2000 platform.

4.1.8.c.2. Main line

Safety requirements call for a nuclear qualified system that is able to perform automatic actions in case of an accident. On the other hand, post-accident management requires many manual actions to be performed by the plant operators, and so a screen-based HMI is needed.

Since the same HMI should be used in all plant conditions (for economic reasons as well as to reduce the probability of human error), post-accident management functions have to be implemented on the SPPA-T2000 platform.

As a consequence two I&C sub systems are used to implement the main line:

- the Protection System (PS) (see §4.2.2.d), based on TXS, to implement automatic accident mitigation;

- the SAS, based on SPPA-T2000, to implement post-accident management.

Furthermore, safety requirements (see §4.1.3) call for allocating some of the functions that mitigate DBC-2 to DBC-4 events in case of a CCF of the operational computerized I&C in a different system.

So the Non-Computerized Safety System (NCSS) embeds all functions required to cope with a CCF of the operational I&C cumulated with DBC-2 to DBC-4 events (see §4.2.2.e).

4.1.8.c.3. Severe accident line

Severe Accident I&C (SA I&C) (see §4.2.2.f) is a sub system used to cope with severe accident monitoring and management. It remains available in case of failure of the other I&C sub systems.

- All functions that shall remain available for 12 hours after all internal and external power sources have been lost are implemented in the Severe Accident I&C. Moreover, the related functions are also duplicated on SAS DEC-B in order to be available on PICS as long as it is available;

- All other functions, which are not fully essential beyond 2 hours after all internal and external power sources have been lost (Type 2 DEC-B), are implemented in SAS DEC-B (see §4.2.2.g).

4.1.8.d. Process interface level (Level 0 I&C)

Level 0 I&C represents the interface with the process. This interface consists of a number of parallel operating channels linked to a set of I/O modules.

Moreover, an actuator may receive signals from different I&C sub systems, and the priority of the various signals then has to be evaluated. The Priority Actuation Control System (PACS) (see §4.2.3.b) is the sub system in charge of this. The following rules are used to evaluate the priority of commands:

- Commands from higher categorized functions have priority over commands from lower categorized or non categorized functions;

- Essential component protection has priority over automatic protection, which in turn has priority over manual protection;

- Within the same category (Not Categorized, C or B), component and system protection have priority over automatic or manual actions.

On the other hand, plant parameters acquired and monitored by TXS may need to be delivered to various I&C sub systems. This and other functions are performed by the Protection Instrumentation Preprocessing System (PIPS) (see §4.2.3.a).
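The priority rules listed above (and in §4.1.4.a) amount to an ordering on commands, which the following Python example, added here and not part of the original text or of any PACS implementation, makes explicit. It ranks each command by functional category first and by kind within the category, picks the highest-ranked command for an actuator, and treats equal-priority commands that disagree as an unresolved conflict. The command representation, the sub system names used as sources, and the choice to hold the actuator's current state on an unresolved conflict are assumptions of the example; the page does not specify what PACS does in that case.

```python
from dataclasses import dataclass

# Rank of the functional safety categories (NC = Not Categorized).
CATEGORY_RANK = {"A": 3, "B": 2, "C": 1, "NC": 0}
KINDS = ("component_protection", "automatic", "manual")


@dataclass(frozen=True)
class Command:
    source: str     # issuing I&C sub system, e.g. "PS", "SAS", "PAS"
    category: str   # "A", "B", "C" or "NC"
    kind: str       # one of KINDS
    order: str      # requested actuator state, e.g. "OPEN" or "CLOSE"


def priority(cmd):
    """Priority tuple: category first, then kind within the category."""
    if cmd.category not in CATEGORY_RANK or cmd.kind not in KINDS:
        raise ValueError(f"unknown category or kind in {cmd}")
    if cmd.category == "A":
        # Within A: essential component protection > automatic > manual.
        kind_rank = {"component_protection": 2, "automatic": 1, "manual": 0}[cmd.kind]
    else:
        # Within NC, C or B only component/system protection is ranked above
        # the rest; automatic and manual actions are of equal priority.
        kind_rank = 1 if cmd.kind == "component_protection" else 0
    return (CATEGORY_RANK[cmd.category], kind_rank)


def arbitrate(commands, current_state):
    """Resolve competing commands for one actuator.

    Returns (new_state, winning_command_or_None, unresolved). When the
    highest-priority commands disagree, the actuator holds its current
    state and the conflict is flagged; this tie handling is an assumption,
    the rules above do not specify it.
    """
    if not commands:
        return current_state, None, False
    top = max(priority(c) for c in commands)
    winners = [c for c in commands if priority(c) == top]
    if len({c.order for c in winners}) == 1:
        return winners[0].order, winners[0], False
    return current_state, None, True


def demo():
    """Constructed command sets illustrating each of the three rules."""
    pas_manual = Command("PAS", "NC", "manual", "OPEN")
    sas_auto = Command("SAS", "B", "automatic", "CLOSE")
    ps_auto = Command("PS", "A", "automatic", "OPEN")
    ps_protect = Command("PS", "A", "component_protection", "CLOSE")
    pas_c_manual = Command("PAS", "C", "manual", "OPEN")
    pas_c_auto = Command("PAS", "C", "automatic", "CLOSE")
    return {
        # rule 1: categorized beats non-categorized, A beats B
        "b_beats_nc": arbitrate([pas_manual, sas_auto], "OPEN")[0],
        "a_beats_b": arbitrate([pas_manual, sas_auto, ps_auto], "CLOSE")[0],
        # rule 2: within A, component protection beats automatic protection
        "protection_beats_auto": arbitrate([ps_auto, ps_protect], "OPEN")[0],
        # rule 3: within C, automatic and manual tie -> hold state, flag it
        "c_tie": arbitrate([pas_c_manual, pas_c_auto], "CLOSE"),
        "no_command": arbitrate([], "OPEN"),
    }
```

The flagged tie is the case worth watching in a real priority module: two same-category sources disagreeing is either a design error in function allocation or a sign that one source is misbehaving, and it should be alarmed rather than silently resolved.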

4.2. I&C System general architecture

In this paragraph the sub systems introduced at the end of the previous paragraph are described in more detail.

In summary there are:

- Two sub systems belonging to Level 2 I&C: PICS and SICS;

- Seven plus one sub systems belonging to Level 1 I&C (the automation level): PAS, SAS, RCSL, PS, NCSS, SA I&C, SAS DEC-B and TPCS;

- Two sub systems belonging to Level 0 I&C that manage the interfaces between the process and Level 1 I&C: PIPS and PACS.

All these sub systems compose the plant "I&C System".

4.2.1. Human Machine Interface – Level 2 I&C

The plant is normally operated from the MCR, through the computerized Process, Information and Control System (PICS), by two operators and one shift supervisor. PICS must therefore provide them with adequate information; moreover, the presence of a third operator is envisaged for special plant conditions (e.g. plant start-up), so additional control means have to be provided.

A Plant Overview Panel (POP), made of large screens, provides overview plant information to the operators and the supervisor; the assignment of displays to the screens is managed from the Main Operator Workplace.

Additional information and the required control devices are provided on the three operator workstations of the PICS. These workstations are replicated in the RSS in order to bring the plant to a safe state even if the MCR is not available.

Another system, based on a different technology, is provided as backup for the PICS. This system is the Safety, Information and Control System (SICS). It is made up of conventional control panels and desktiles, and it also hosts the Qualified Display System (QDS).

Switching means between the different HMIs are provided by the Interface Cabinets. They:

- Switch control and monitoring from PICS to SICS;

- Disable control from SPPA-T2000 and enable the NCSS strategy;

- Enable the PICS workstations in the RSS;

- Enable the SA panels for Severe Accident management.

4.2.1.a. Process, Information and Control System – PICS

It is designed to control and monitor the plant in all conditions (normal, DBC and DEC). It accesses information from all Level 1 systems and displays it on the following HMI devices:

- Workstations in the MCR at the operator workplaces, for the shift supervisor and for an auxiliary operator;

- Wall-mounted large screens in the MCR for plant overview (POP);

- Workstations for monitoring and control in the RSS;

- Workstations for monitoring in the TSC;

- Additional workstations in the nuclear auxiliary building;

- Printers and data recorders.

PICS is made up of the following equipment:

- Plant computers (PU) and Server Units (SU), installed in the I&C Computer Rooms of divisions 1 and 4;

- Four plant overview panels (POP);

- Operator workplaces installed in the MCR, RSS and TSC (monitoring only);

- External Units (XU), which provide an interface with Level 3 systems;

- Operating Terminals (OT);

- Archiving system (RAID system).

PICS enables Level 3 I&C systems, via the XU (a server), to retrieve data and/or the master clock; writing from the XU to PICS is not allowed for safety reasons.

PICS is Class 3/SC1 classified.

PICS is implemented with the SPPA-T2000 platform.

4.2.1.b. Safety, Information and Control System – SICS

SICS provides safety classified HMI devices to assure Category A and Category B earthquake-resistant monitoring and control functions to:

- Maintain the plant at steady-state power if the PICS is lost during normal operation, and bring and maintain the plant in the safe shutdown state if the PICS is not recovered;

- Bring and maintain the plant in the safe shutdown state in accident situations (DBC-2 to DBC-4) together with the simultaneous loss of the PICS;

- Bring and maintain the plant in the stable state in accident situations (DBC-2 to DBC-4) with the total loss of SPPA-T2000.

The SICS HMI consists of conventional desktiles hardwired to the Level 1 systems and of some auxiliary panels located behind the operator workplaces. Two of them are specific:

- The Inter-Workstation Console (PIPO), located between the operator workplaces, hosts the trip controls that must be rapidly accessible before switching to the RSS;

- The Inter-Panel Signalisation Panel (PSIS), located in front of the operator workplaces between the POP screens, hosts indicators that must be visible to the operators while they are operating on PICS.

There are also four QDS among the auxiliary panels:

- Two of them are connected to the PS for post-accident information display and recording;

- Two of them are connected to the SA I&C for display and recording of information in case of severe accident. These panels are also called "SA Panels" and are supplied by 12 h batteries since they host Type 1 DEC-B functions (see §4.1.2).

SICS is Class 1 digital equipment.

SICS is implemented with conventional indicators, desktiles and QDS based on TXS technology.

4.2.2. Automation level – Level 1 I&C

The automation level implements all the I&C functions needed to operate the plant in all conditions.

4.2.2.a. Process Automation System – PAS

PAS performs normal operation plant control, monitoring and automation. It consists of a series of automation computers allocated in the four divisions of the plant and in the CI/BOP.

They are connected together, and with SAS and PICS, via the plant bus. PAS is based on the SPPA-T2000 platform.

Transducer measurements are acquired by the PAS via the PIPS if the transducer is shared with systems implemented in TXS, or directly for the other transducers.

PAS also controls actuators, via PACS if an actuator receives signals from various I&C sub systems, or via FUM modules (which are part of PAS) for the other actuators.

PAS is subdivided into three further systems to satisfy separation requirements.

Communication is assured by the plant bus, which allows data exchange between divisions/sections, and by an island bus, which allows data exchange within a division/section.

PAS is also interfaced with TPCS and BOP-specific systems via the plant bus, through a communication module.

PAS is a Class 3 digital system.

4.2.2.b. Rod Control Surveillance and Limitation System – RCSL

RCSL performs the B, C and NC categorized I&C functions related to reactor control and monitoring. They include:

- Core control functions;

- Core automatic LCO and limitation functions;

- Control rod actuation control functions.

RCSL is based on the TXS digital platform and is Class 2 equipment.

Three levels of tasks can be identified in the system: acquisition, processing and actuation.

The acquisition level consists of four redundant Acquisition Units (AU) installed in the four divisions. Transducer signals are acquired by means of the PIPS system.

The processing level has a two-fold redundant structure: it is based on two Control Units (CU) in hot standby, installed in divisions 1 and 4.

The actuation level consists of two pairs of Rod Drive Units that condition the signals from the CU and act on the RodPilot®, which in turn operates the control rods.

A redundant Monitoring and Service Interface (MSI) assures the interface between the CUs and the gateway computers and the service unit (a computer dedicated to the maintenance, testing and diagnosis operations performed on the RCSL system).

The gateway is required to exchange information with the PICS, which is implemented in SPPA-T2000 technology.

Moreover, a hardwired connection is provided between RCSL and SICS.

Figure 1: RCSL simplified architecture

4.2.2.c. Safety Automation System – SAS

SAS is used to implement:

- Category B I&C functions needed to transfer the plant from the controlled state to the safe shutdown state following an incident or an accident;

- I&C functions related to Class 2 support systems that do not change their state in case of an accident;

- Category A and B I&C functions preventing significant radioactive release, including those that constitute the diverse line of protection in the main line of defence;

- Category B I&C functions with an SC1 seismic requirement;

- Category C I&C functions with an SC1 seismic requirement.

Since the principal line functions it hosts are in Category B, SAS equipment is Class 2 equipment (see §4.1.4).

SAS is based on automation computers implementing SPPA-T2000 technology; they are located in the four plant divisions. Two buses are available to SAS: the plant bus for connection with PICS and PAS, and a dedicated bus, redundant with the plant bus, for communication between divisions when the plant bus is assumed unavailable.

As for the PAS, transducer signals are acquired via the PIPS system if the transducer is part of a TXS-based system, or directly in the other cases. Actuators are driven via PACS if they also receive signals from other I&C sub systems, or by the actuating section of the SAS in the other cases.

4.2.2.d. Protection System – PS

PS implements the automatic protection functions in Category A that are required to reach the controlled state after a PIE in DBC-2 to DBC-4. These are:

- Control of fuel reactivity;

- Fuel heat removal;

- Confinement of radioactive material.

PS also hosts the Category A and B manual protection functions required to reach and maintain the safe shutdown state beyond the controlled state after a DBC-2 to DBC-4 event.

Since PS manages Category A functions, it is Class 1 equipment.

The PS is allocated in the four plant divisions with a four-fold redundant structure. Three levels of function computers can be identified: Remote Acquisition Units (RAU) for the acquisition of self-powered neutron detector measurements; Acquisition and Processing Units (APU), which acquire Class 1 transducer measurements from PIPS and measurements from dedicated systems and perform some processing; and Actuator Logic Units (ALU), dedicated to signal voting, actuation management and control loop processing, which send orders to PACS and drive the main trip breakers and trip contactors.

PS is interfaced with PICS via gateway (GW) computers to allow control from the preferred HMI as long as it is available.

PS (Class 1) has a four-fold redundant structure; each redundancy is allocated to a different division. Units can exchange data between divisions. Due to functional requirements each unit is divided into two different sub systems, A and B. The purpose of this architecture is to avoid spurious activation of the system: in fact the reactor trip is driven by both channels of sub systems A or B.

Actuator switchgears and diesel generator activation are driven by both sub systems A and B, while sub system A is in charge of support functions.

MSI assures PS monitoring while PI provides the hardwired interface between PS and SICS desktiles. The link between SICS and PS for Class 1 commands is hardwired and connects the SICS to the ALU of the PS.

Since PS is in charge of automatic accident management actions and the related state of the art technology is TXS, it is implemented in TXS technology.

4.2.2.e. Non-Computerized Safety System – NCSS

NCSS is used in case of total loss of SPPA-T2000 based systems cumulated with DBC-2 to DBC-4 events. The NCSS performs necessary automatic Reactor Trip (RT) and some Engineered Safety Features Actuation System (ESFAS) initiations and also provides manual commands enabling the operators to bring the plant to a non-hazardous stable state and maintain it in that state until the computerised I&C can be recovered.

The NCSS is fourfold redundant for automatic functions; each redundancy is allocated to a different electrical division. Each redundancy contains elements to perform automatic and manual actions.

NCSS cabinets use non-computerised components to process automatic functions. These cabinets exchange information with the 3 other divisions through decoupling devices. The exchanges between divisions are hardwired.

When needed it is linked to the plant I&C by means of selector switches on the SICS: this automatically excludes the SPPA-T2000 from the operational path. The link between SICS and NCSS is hardwired from the SICS desktiles to the NCSS cabinets via Interface Cabinets.

Transducer measurements are acquired via the PIPS sub system, while NCSS initiates Reactor Trip (acting on the Main Trip Breakers), ESFAS actuations (acting on electric switchgear) and Turbine Trip.

The platform used for NCSS is the AREVA TA UNICORN platform based upon non-computerised technology. The safety functions are implemented on modules based on Magnetic Dynamic Logic (MDL) technology with simple components such as discrete elements (transistors, transformers, etc.), TTL logic gates or operational amplifiers.

Figure 2: NCSS simplified architecture

4.2.2.f. Severe Accident I&C – SA I&C

The SA I&C is used to implement the functions that are required to monitor and control the plant following a severe accident (DEC-B) involving a complete loss of power supply. SA I&C hosts LOOP DEC-B functions and so it must be powered by 12 h batteries.

SA I&C consists of two function computers (Severe Accident Units - SAUs) in two different plant divisions that can exchange data. They are linked to the SICS indicators, while the SICS desktile is hardwired to the SA I&C cabinets. The link to PICS is provided via dedicated units.

Since it is the only type of unit of the system, the SAU performs all the tasks necessary for the fulfilment of the SA I&C functions:

̶ Sensor acquisition;

̶ Data processing;

̶ Actuator control.

Moreover some specific instrumentation signals are acquired too.

SA I&C is Class 3 equipment and it is based on TXS technology.

Figure 3: SA I&C simplified architecture

4.2.2.g. Safety Automation System DEC-B – SAS DEC-B

SAS DEC-B embeds the Non-LOOP DEC-B functions that are required to monitor and control the plant after a severe accident and so, like SA I&C, it must be battery powered. This time, according to the category of functions performed by the equipment, battery power must be assured for 2 hours (see §4.1.8.c.3).

It contributes to the following safety functions:

̶ Primary circuit depressurisation;

̶ Hydrogen control (mitigation);

̶ Containment depressurisation and heat removal;

̶ Radiological source term monitoring.

It is based on automation computers of the SPPA-T2000 platform allocated to two different plant divisions and interfaced with PICS, SICS and PAS.

SAS DEC-B is Class 3 equipment.

4.2.2.h. Turbine Protection and Control System – TPCS

This sub system is out of the scope of the Nuclear Island supplier because it is strictly related to the equipment it is going to control (the turbine generator set). It is based on **** proprietary technology and its introduction is due to the different dynamic characteristics of the system: the turbine generator set has a wider bandwidth than the other systems and so a higher sample rate is required of the control system (for SPPA-T2000 it is 100 ms).

TPCS is hardwired to PS, RCSL, SAS and PAS, and has a network interface to PAS via a communication module.

4.2.3. Process interface level – Level 0 I&C

Measurement signals of safety parameters often need to be delivered to different I&C sub systems. Since the measurement is provided by only one transducer it is required that the signal is split as soon as possible in the signal processing chain in order to assure independence between the systems that share that measurement. For this reason signal conditioning and distribution of safety parameters is managed by a dedicated system that is independent from Level 1 I&C.

The same reasoning holds for safety actuators: they may receive orders from different I&C sub systems according to the mode of operation. Moreover, according to the sub system that drives the actuator, some of its component protections may be switched off. This leads to the introduction of an independent system to drive the actuators of safety related components.

4.2.3.a. Protection Instrumentation Pre-processing System – PIPS

PIPS conditions the analogue and binary signals delivered by transducers that are going to be used by PS, RCSL, SA I&C and NCSS (TXS based systems). PIPS also distributes the same signals to PAS, SAS and SAS DEC-B if they need the measurement from that transducer.

It is composed of conditioning modules based on non-computerized TXS technology. There is one module (or more) for every transducer. Modules are installed in the same division as the transducer and the Level 1 sub systems using that signal. Signals are distributed to consumers via hardwired links.

The safety class of a module is the highest one among that of the sub systems using the signal provided by that module.

4.2.3.b. Priority and Actuator Control System – PACS⁴

PACS provides the following four functions:

̶ Management of control priority;

̶ Control of the switching device;

̶ Monitoring of the actuator;

̶ Essential protection of the components.

The four PACS functions are processed partly by PAS automation (or the SAS, according to the required function), and partly by the electrical switchgear unit.

The implementation of the PACS is decentralised. Each actuator has its own dedicated switchgear incorporating priority management functionality as required on a case-by-case basis. Relay based technology is used in the switchgear. No digital technology is used.

The command signals from the SPPA-T2000 systems (SAS, PAS, etc.) are hardwired to dedicated interposing relays in the actuator switchgear, as are the command signals from the PS and the NCSS. The interposing relays ensure that the I&C systems outputs remain isolated from each other.

⁴ From [1].

Where NCSS manual commands are implemented for an actuator, these commands are normally disabled. In the event that the operator selects NCSS mode at the SICS panel (following detection of computerised I&C system failure), a selection relay within the PACS module enables the NCSS manual commands and disables commands from the SAS/PAS.

Information for actuator surveillance is presented to the operators, via a set of volt free relay contacts, through the computerised HMI. This information for all actuators is only collected by the SPPA-T2000 systems and transmitted to the HMI. These relay contacts, used for actuator surveillance, are isolated from any contacts used to implement the PACS priority and command circuits.
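The selection-relay behaviour and the isolated surveillance contacts described above, as an added Python model of one decentralised PACS module (not the EPR's relay logic; the rule that a PS automatic order overrides manual and operational commands is an assumption stated in the code):

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed model of one PACS actuator module: each command source arrives
# on its own interposing relay, NCSS manual commands are normally disabled,
# and the SICS selector switch energises a selection relay that enables the
# NCSS commands and disables the SAS/PAS commands.
OPEN, CLOSE = "OPEN", "CLOSE"


@dataclass
class PacsInputs:
    ps_command: Optional[str] = None      # PS (Class 1) automatic order
    ncss_manual: Optional[str] = None     # NCSS manual command from SICS
    operational: Optional[str] = None     # SAS/PAS (SPPA-T2000) command
    ncss_mode_selected: bool = False      # SICS selector switch position


def pacs_resolve(inp: PacsInputs) -> Tuple[Optional[str], str]:
    """Return (command passed to the switching device, winning source)."""
    # Assumption, not stated on the page: the priority management function
    # lets the PS automatic order override any manual or operational command.
    if inp.ps_command is not None:
        return inp.ps_command, "PS"
    if inp.ncss_mode_selected:
        # Selection relay energised: NCSS contacts closed, SAS/PAS contacts
        # open, so a command from the failed SPPA-T2000 cannot reach the relay.
        if inp.ncss_manual is not None:
            return inp.ncss_manual, "NCSS"
        return None, "none"
    # Normal mode: NCSS manual contacts are open, SAS/PAS commands pass through.
    if inp.operational is not None:
        return inp.operational, "SAS/PAS"
    return None, "none"


@dataclass
class Actuator:
    """Switching device plus the volt-free surveillance contacts: the
    contacts report position only and carry no command."""
    position: str = CLOSE

    def apply(self, command: Optional[str]) -> None:
        if command in (OPEN, CLOSE):
            self.position = command

    def surveillance_contacts(self) -> dict:
        # Read by the SPPA-T2000 systems only and forwarded to the HMI.
        return {"open": self.position == OPEN, "closed": self.position == CLOSE}


def drive(actuator: Actuator, inp: PacsInputs) -> Tuple[str, str]:
    """Resolve priority, apply the command, return (new position, source)."""
    command, source = pacs_resolve(inp)
    actuator.apply(command)
    return actuator.position, source
```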

4.2.3.c. RodPilot®⁵

RodPilot® is the digital control rod drive system which actuates the control rods. The RCSL sends a 4 bit coded hardwired signal to RodPilot® for the actuation of one rod.

Each RodPilot® cabinet manages four rods, except the cabinet managing the central control rod, which only handles this rod. The RodPilot® modules manage the currents in the rod coils, contain the switchgear for the high voltage supply to the rods and perform monitoring tasks.

RodPilot® also acquires reactor trip demands from the four divisions of the PS via hardwired connections; the trip is performed on 2 out of 4 voting.

RodPilot® is Class 2 equipment.
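The 2 out of 4 trip voting used by RodPilot (and performed in the PS ALU, §4.2.2.d), as an added Python model that is not TXS, PS or RodPilot code; it also checks, for a general k-out-of-n voter, the two single-failure properties the fourfold redundant structure is meant to give:

```python
from itertools import product
from typing import Dict, Sequence, Tuple

# Four divisions, as on the page; the voter itself is generic in k and n.
N_DIVISIONS = 4


def vote_k_of_n(demands: Sequence[bool], k: int) -> bool:
    """True when at least k of the n demand signals are asserted."""
    return sum(1 for d in demands if d) >= k


def rodpilot_trip(division_demands: Sequence[bool]) -> bool:
    """RodPilot: reactor trip on 2 out of 4 hardwired PS trip demands."""
    if len(division_demands) != N_DIVISIONS:
        raise ValueError("one trip demand per division expected")
    return vote_k_of_n(division_demands, 2)


def trip_table(k: int = 2, n: int = N_DIVISIONS) -> Dict[Tuple[bool, ...], bool]:
    """Exhaustive truth table of the voter: demand pattern -> trip."""
    return {p: vote_k_of_n(p, k) for p in product((False, True), repeat=n)}


def single_failure_tolerant(k: int, n: int) -> bool:
    """Check the two properties a k-out-of-n trip voter needs:
    - one spurious demand alone never trips (no spurious activation);
    - one division failing silent never blocks a trip the others demand."""
    spurious = [[i == j for j in range(n)] for i in range(n)]  # exactly one demand
    silent = [[i != j for j in range(n)] for i in range(n)]    # all but one demand
    no_spurious_trip = not any(vote_k_of_n(p, k) for p in spurious)
    trips_despite_silent = all(vote_k_of_n(p, k) for p in silent)
    return no_spurious_trip and trips_despite_silent
```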


Figure 4: Overall I&C architecture


4.3. Siemens Power Plant Automation-T2000 – SPPA-T2000⁶

It is now possible to investigate the platform which performs the I&C functions (acquisition, data processing, etc.), that is, what equipment is installed in some of the sub systems described in §4.2 and how this equipment works.

SPPA-T2000 is a distributed control system which provides all instrumentation and control equipment for process automation, monitoring and archiving in power plants.

Figure 5: SPPA-T2000 sub systems

Processor: SUN SPARC
Operating System: SUN Solaris (Unix)
Graphic system: DYNAVIS 2 / X-Windows / OSF-Motif / LabView
Master cycle length: 100 ms

Table 3: SPPA-T2000 basic characteristics

SPPA-T2000 implemented for a nuclear power plant encompasses the following sub systems (see Figure 5):

̶ OM690: Operating and Monitoring, it is a system devoted to interface the plant with the operators in the MCR. It is a window on the process for centralized operation, monitoring, surveillance and control commands acquisition to safely and functionally operate the plant. It is the HMI. Figure 6 and Figure 7 show an example of the windows based graphic. Figure 6 is an example of the Human Machine Interface to control actuators involved in closed loop operation: it allows selection of the operating mode and relative controls (automatic or manual), displaying of the process deviation that is processed by the controller and provides all functions for data analysis. Figure 7 is an example of plant display: with this interface it is possible to have an overview of main variables characteristic of a process.

Figure 6: PI controller interface available on OM


Figure 7: Screenshot of a plant display of the OM

̶ ES680: Engineering System, it is the central engineering tool to configure all the sub systems of the platform. This tool is used to implement user’s software into the platform (function diagrams). It features a graphic user interface and a library of Functional Blocks (FB);

̶ DS670: it is the Diagnostic System; it detects and localizes faults in the equipment of the platform;

̶ AS620: it is the Automation System for process automation based on a Siemens proprietary processor. It acquires measurements and plant status via functional modules, performs the required calculations for open or closed loop control or simply logic evaluation and issues the resulting commands. Moreover it is the interface between the

In the following more detailed information will be given on the AS620 system because it is the heart of automatic regulations (it is here that data are processed and software algorithms are implemented) and because it implements the regulations analyzed in this study.

4.3.1. AS620 – Automation System

AS620 can be classified as a Level 0 and Level 1 I&C system according to the horizontal structure of the I&C (refer to Figure 8). In fact it is composed of:

̶ Functional modules that realize the interface between the process and the automation system (Level 0);

̶ The AP (Automation Processor) that is the processing unit that performs calculations (Level 1).

Figure 8: The I&C horizontal structure

Functional modules are power plant specific modules that embed functions for signal processing (both in acquisition from transducers and in delivery to actuators, either of the digital, binary or analogue type). Each module has two redundant independent bus connections to connect it to the two busses. These lines assure connection of the functional modules to two interface modules (one per busline).

Each interface module has the task to connect the functional modules that perform interface tasks with the physical process to one of the two redundant AP units (processing unit) via a dedicated local bus to the CPU module.

Since functional modules have a double bus connection and two interface modules are installed, there is a redundant connection; this redundancy is managed by the AP processor unit: if one unit is unable to access the bus or it is faulty, processing is switched to the back-up unit. The switchover is bumpless, with no effects on the process, and data integrity is guaranteed.

The resulting architecture is shown in Figure 9.


Figure 9: AS620 Architecture

4.3.1.a. The AP – Automation Processor

HARDWARE DESCRIPTION

The central unit of the AS620 is a redundant AP. In the following only one of the APs will be described.

The AP connects all lower level of the AS620 to the plant bus and hence it allows process control and monitoring from the OM690.

The AP processes the system and equipment protection functions. In addition to basic functions, it uses a wide range of power plant specific function blocks related to open and closed loop control. These blocks are in the ES680 library and allow the generation of the user’s program running on the AS620 sub system. The hardware composing the AP is based on the fault tolerant open loop controller developed by Siemens. The AP is made up of various modules allocated in a rack (refer to Figure 10 and Figure 11). The core module of the AP is the CPU module, namely the CPU ****. It allows the user software to run and it allows exchanging signals with the interface modules via the internal bus.

There are two communication modules that host a Communication Processor:

̶ The first one connects the AP unit to the plant bus, realizing the interface between AS620 and the plant bus;

̶ The other one is used to expand the connectivity of the AS620 if needed.

Digital input/output modules are used for cabinet monitoring.

A power supply module (PS) feeds the unit with required voltages.

Figure 10: AP-S7 structure


Figure 11: Some of the AP-S7 modules in the rack

SOFTWARE DESCRIPTION

AS620 uses the user’s program to implement its automation tasks. The user’s program specifies how to manage data coming from the process and, consequently, how to affect the process by means of control actions. The user can implement the desired software into the AP using the engineering tool ES680, in which basic operations (Boolean operators, algebraic operators, mathematical functions) and power plant specific functions (PID controllers, water properties, correction for mass rates derived from flow rates) are implemented as function blocks.

At each restart the AP initializes the user’s program by one-time routines. Once the user’s program is loaded, it is cyclically executed. AP tasks are open loop control, closed loop control and protection functions, so the function blocks in the program are divided according to the following categories:

̶ Function blocks performing open loop control tasks;

̶ Function blocks performing closed loop control tasks;

̶ Function blocks for protection tasks.

These blocks are processed cyclically each 100 ms or in the free cycle (when the AP has no other tasks to perform). The execution of the blocks is as follows:

̶ Protection tasks: each cycle (100 ms – highest priority);

̶ Closed loop control: each cycle (100 ms);

̶ Open loop control: in the free cycle (lowest priority).


The user’s program runs in the CPU using the AP system software as a basis (a sort of operating system). The AP System Software (AP-SSW) has the following tasks:

̶ Sequence control for the user program with automation tasks in the AP;

̶ Monitoring and open-loop control of the functional modules;

̶ Transfer of commands from the OM690 system to functional modules;

̶ Reading information from the peripheral devices for automation tasks in the AP and visualization of the process statuses by the OM690.

Moreover AP-SSW provides to the user’s program the following interfaces:

̶ Interface for starting up the user program;

̶ Interface for open loop control functions;

̶ Interface for protection functions;

̶ Interface for closed loop control functions;

̶ Interface for connecting auxiliary plant systems via I/O function blocks.


Figure 12: The AP-SSW Organization

(Figure 12 content: AP-SSW restart, which starts up the user’s program and establishes the OM and ES connections; cyclic processing in the free cycle, running the user’s program for open loop tasks (first run) and for open loop control tasks; time controlled call every 100 ms, in which the AP-SSW edits the process image of inputs, runs the user’s program for protection tasks and I/O function blocks, enables the user’s program for closed loop control tasks and edits the process image of outputs; event controlled call for fault function blocks and AP-SSW system errors. Blocks are marked as AP-SSW function blocks or user function blocks.)

Interfaces are provided to allow communication between the AP (and the software running on it) and the higher level operation and monitoring system, the functional modules as well as other AP units installed in the plant. The following mechanisms are used to implement communication with the AP unit and will be described in the rest of the chapter:

̶ Status transfer: transfer of status and process variables from the AP to the OM690;

̶ Operation: setting parameters and values in the AP using the OM690;

̶ Event communication: transfer of alarms of the AP to the OM690 and the DS670, these events have a time code;

̶ Process image processing: data transfer between the AP and the functional (acquisition and actuating) modules via interface modules and other AP units.

AP – OM status transfer

The OM690 uses status transfer to retrieve data from the AP unit distributed in the plant.

Values requested from the AP are then used to update the analogue and digital displays defined in the user’s program. Every time the OM690 needs one or more values it sends a status request to the AP.

Data are transferred via a status connection created in the plant bus (i.e. a data channel established between the AP and the OM690).

Operation

Operation allows OM690 to set operable values (those ones that can be operated by the operator) and parameters of the user’s program into the AP.

An operation connection is established each time the user’s program needs data from the operator via the OM690.

Event communication

Event communication allows receiving value changes or fault statuses from the AP and its subordinate modules. Each event contains a value, the system address of the issuing component, the time and the identification of the event.

Time coded events are of two types:


̶ Signal events: they refer to change of process variables. They are used to implement alarms, warnings and tolerances (threshold overtaking). Signal events are issued by the functional modules;

̶ I&C fault events: they are alarms referring to a fault in the issuer component (hardware or software).

Process image processing

Process image can be described as a memory in the CPU where the image of the physical process is rebuilt, that is in which the value of physical variables of the process is stored.

Connections to the process image are used to transfer data from the AP to the functional modules and vice versa and so, consequently, control the process by means of field actuators.

During process image transfer, the AP-SSW retrieves process data from the master CPU via the local bus and stores them into the process input image (PII). At this point data are available to the user’s program for calculation. The output of the calculations is stored into the process output image (POI) and it is published on the local bus via the master CPU. At this point the interface module passes the POI to the right functional module.

The process image is processed in the 100 ms cycle of the AP and once every 100 ms the master CPU publishes the PAA (the process output image, POI) on the local bus.

The process input images (PII) of the functional modules are updated once every 100 ms before protection processing by the AP.
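An added Python model (not SPPA-T2000 or AP-SSW code) that puts together the 100 ms time-controlled call, the task priorities of §4.3.1.a (protection, then closed loop, with open loop tasks only in the free cycle) and the PII/POI exchange just described; the threshold, controller gains and per-step cost are constructed values:

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

CYCLE_MS = 100            # master cycle length (Table 3)
OPEN_LOOP_STEP_MS = 30    # assumed cost of one open loop step (constructed)
LEVEL_LOW_LOW = 0.30      # assumed protection threshold on a normalised level
LEVEL_SETPOINT = 0.50     # assumed closed loop setpoint


@dataclass
class AutomationProcessor:
    """Toy AP: the user's program blocks are passed in; pii/poi are the
    process input and output images held in the CPU."""
    protection: Callable[[Dict, Dict], None]
    closed_loop: Callable[[Dict, Dict], None]
    open_loop: Callable[[str, Dict, Dict], None]
    pii: Dict = field(default_factory=dict)
    poi: Dict = field(default_factory=dict)
    open_loop_queue: List[str] = field(default_factory=list)

    def time_controlled_call(self, fum_inputs: Dict) -> Dict:
        """One 100 ms call: edit the PII from the functional module values,
        run protection (highest priority), then closed loop, then publish
        the POI on the local bus (returned here)."""
        self.pii = dict(fum_inputs)
        self.protection(self.pii, self.poi)
        self.closed_loop(self.pii, self.poi)
        return dict(self.poi)

    def free_cycle(self, spare_ms: int) -> int:
        """Open loop tasks run only in the time left over in the cycle;
        steps that do not fit wait for a later cycle. Returns steps run."""
        done = 0
        while self.open_loop_queue and spare_ms >= OPEN_LOOP_STEP_MS:
            self.open_loop(self.open_loop_queue.pop(0), self.pii, self.poi)
            spare_ms -= OPEN_LOOP_STEP_MS
            done += 1
        return done


# Constructed "user's program" blocks, one per task category.
def protection_block(pii: Dict, poi: Dict) -> None:
    # Latched trip order: once issued it stays until an explicit reset.
    if pii["level"] < LEVEL_LOW_LOW:
        poi["trip"] = True
    poi.setdefault("trip", False)


def closed_loop_block(pii: Dict, poi: Dict) -> None:
    # PI controller on the level error; output is a valve position in 0..1.
    kp, ki = 2.0, 0.5
    err = LEVEL_SETPOINT - pii["level"]
    integ = poi.get("_integ", 0.0) + err * CYCLE_MS / 1000.0
    poi["_integ"] = integ
    poi["valve"] = min(1.0, max(0.0, 0.5 + kp * err + ki * integ))


def open_loop_block(step: str, pii: Dict, poi: Dict) -> None:
    # Sequence step: emit a binary command towards the functional modules.
    poi.setdefault("commands", []).append(step)


def simulate(levels: List[float], spare_ms: List[int]) -> Tuple[Dict, int]:
    """Run one 100 ms cycle per sample; return (final POI, open loop steps run)."""
    ap = AutomationProcessor(protection_block, closed_loop_block, open_loop_block)
    ap.open_loop_queue = ["start_pump_A", "open_isolation_valve"]
    steps = 0
    for lvl, spare in zip(levels, spare_ms):
        ap.time_controlled_call({"level": lvl})
        steps += ap.free_cycle(spare)
    return ap.poi, steps
```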

The process image can be exchanged not only between the AP and lower level modules but also between different AP units. In this case communication is realized via the plant bus, on which AP↔AP connections are established.

Figure 13: Process image processing

4.3.1.b. Functional Modules: the interface with the process

HARDWARE DESCRIPTION

Functional modules are the interface between the process and the control system. Their main tasks are:

̶ Acquisition, conditioning, processing, distribution and monitoring of signals and sensor supply;

̶ Processing of autonomous automation tasks for individual open or closed loop controllers;

̶ Generation of time coded events;

̶ Monitoring functions.

On the SPPA-T2000 platform, all functional modules have the same basic structure (see Figure 14), but each module has a function specific part in which specific software and the hardware is implemented according to the function performed by the module.

(Figure 13 content: user’s program, PII and POI, AP System Software, two redundant interface modules, FUM.)

Figure 14: Basic structure of a FUM module

Each module features its own processing unit that performs the aforementioned tasks using the module software (firmware) that is stored in an EPROM. This software is cyclically processed.

Depending on module type the function specific part realizes hardware functions and connection between the processor and the process by means of module pins (transducer supply, data I/O, ADC or DAC, etc.).

Bus interface is redundant (one for each interface module): in case of fault on one line, communication is automatically switched to the other line. The fault is signalled and the module can be replaced while the system is on-line. High resistance decoupling assures that short circuits on one busline do not affect the other line or modules connected to that line.

Direct actuator control or direct transducer reading is performed thanks to functional modules: they allow control and measurement display on conventional desktiles.

SOFTWARE DESCRIPTION

The module software is composed of two parts: module independent software (operating system) and module specific software (module logic). The software is stored in an EPROM as firmware.

Operating system consists of a:

̶ Control section;


̶ Diagnostic and monitoring section;

̶ Communication section.

The control section uses uniform call and data interfaces to call up subroutines of the module specific software.

The diagnostic and monitoring section uses dedicated routines to test the functionality of each part of the module. In case of a fault this section issues an alarm and provides information about it. This part also provides functions frequently required by the module logic, such as timers, status requests, etc.

The communication section connects the functional module to the next higher level automation processor. The interface module largely autonomously executes all communication tasks. The communication section handles the entire communication process between the functional module and the interface module, also detecting faults during transmission.

References

[1] UK EPR™ PCSR; on-line release available at www.epr-reactor.co.uk.

[2] IAEA NS-R-1: Safety of Nuclear Power Plants: Design.

[3] SPPA-T2000 User’s manual; on-line release available at www.sppaview.com.

[4] IAEA NS-G-1.3: I&C Systems important to safety in NPP.

[5] EUR rev. C: European Utility Requirements.

[6] IEC 61513: NPP – I&C for systems important to safety – General requirements for systems.

[7] IAEA Nuclear Security Series: Computer security at nuclear facilities.
