Chapter Instrumentation and Control Overview

CHAPTER 7 — INSTRUMENTATION AND CONTROL

7-1

7ChapterInstrumentation and Control

OverviewThe ABWR instrumentation and control (I&C) designfeatures system redundancy, fault tolerant operation,and self-diagnostics while the system is in operation.This is made possible by the extensive use of advanceddigital technologies. The ABWR I&C Systemrepresents the largest system change from previousBWR designs.

Previous BWRs used hard wired point-to-point controlroom to field monitoring and control systems;essentially there was one wire per function or~30-50,000 wires coming from the field to the cablespreading room and then control room. The ABWR,instead, is designed with a three-layer I&C systemthat uses extensive multiplexing and fiber optics. Thethree layers are:

• Remote Multiplexer Units (RMUs) in the field.This equipment generally handles 300-400 signalsper RMU and interfaces the I&C system with thenormal field signals and actuators.

• A computer/controller layer. This layer has all ofthe dual and triple redundant controllers thatoperate the plant and a networked computersystem - there is no single process computer.

• A display, control and alarm/annunciator layer.This layer is basically all the screens, peripheralsand alarms in the control room and forms the I&Cinterface to the operator.

The instrumentation of the ABWR is generally associatedwith the control of the reactor, control of the balance ofplant (BOP), an extensive alarm system, prevention ofthe operation of the plant under unsafe and potentiallyunsafe conditions, monitoring of process fluids and

gases, and monitoring of theperformance of the plant.

Design goals of the I&C Systeminclude:

• Minimize reactor trips/systemunavailability due to human errorsor single active componentfailures.

• Design any systems necessary forpower generation (except theelectrical system) to be single-failure proof for both control andtrips.

• Achieve a one-in-fifty-year or lessfailure rate for I&C.

• Computerize operator aids andnormal/emergency procedures toreduce “manual” data processingand centralize human engineeredoperator interface to minimizeoperator burden.

• Provide for most I&C equipmentcommunication and displayprotocols to follow internationallyrecognized standards.

• Use standardized modularequipment and extensive self-diagnostics/fault identification tominimize operation andmaintenance costs and reduce theburden on the maintenance staff.

• Achieve a high degree of plantautomation.


7-2

• Provide automatic load-followingcapability over the 50-100% powerrange.

Digital Measurement andControl

A standardized set of microprocessor-based instrument modules is used toimplement most ABWR monitoringand control functions. Thestandardized Digital MeasurementControllers (DMCs) and RemoteMultiplexer Units (RMU) exploit themany advantages of digitaltechnology, including self-test,automatic calibration, user interactivefront panels, standardization of theman-machine interface and, wherepossible, use of common circuit cards.These features reduce calibration,adjustment, diagnostic and repair timeand reduce spare circuit card inventoryrequirements, as well as reduce controlroom instrument volume. As a result,system availability is improved due tothe enhanced reliability and reducedmean time to repair.

The DMC chassis, RMU chassis andMan-Machine Interface (MMI)chassis are standard for all similarABWR applications; only modular,plug-in interchangeable, circuit boardsdiffer between systems. Functionalfeatures provided in the I&C designinclude:

• Sensor signal processing.

• Redundant sensor power suppliesto meet the requirements of allsensors.

• Functional microcomputersimplementing data transfers, self-test functions and communications.

• High speed parallel data bus for communicationbetween the functional microcomputer and othermodules.

• Trip and analog outputs driving external relays,actuators, logic circuits, meters, and recorders.

• Redundant power supplies for the electronics.

• Fiber optic and other interfaces, allowing the DMCand MMI units to communicate directly with plantmultiplexing networks.

• Menu-driven front panel for operator/technicianinterface.

Multiplexing

The Multiplexing System provides redundant anddistributed control and instrumentation datacommunications networks to support the monitoringand control of interfacing plant systems. The systemcontains an Essential Multiplexing System (EMS) anda Non-Essential Multiplexing System (NEMS) forsafety and non-safety/BOP systems, respectively. Thesystem provides all electrical devices and circuitry(such as multiplexing units, bus controllers, formattersand data buses) between sensors, display devices,controllers and actuators which are defined andprovided by other plant systems. The multiplexingsystem also includes the associated data acquisitionand communication software required to support itsfunction of plant-wide data and control distribution.As shown on Figure 7-1, digital technology andmultiplexed fiber optic signal transmission technologyhave been combined in the ABWR design to integratecontrol and data acquisition for both the Reactor andTurbine Buildings.

Signals from various plant process sensors provideinput to RMUs located near the sensors. The RMUsdigitize input signals and multiplex the signals via fiberoptic cables to the control room. There the signals aresent to the various computers, controllers and displaydevices as needed. The process is bidirectional in thatsignals from the operator or plant controllers are puton the network and directed to the various actuatorsfor control action.


7-3

The EMS has four control data networks (each ofwhich is redundant), one per division with the NEMSbeing a control data network with dual redundancy.Whether EMS or NEMS, redundancy is such that asingle cable can be lost or any RMU fail withoutaffecting the operation of the remainder of the system.

Finally, each RMU is itself single-failure proof downto a small number of signals; all single failures areself-diagnosed. The RMUs are located throughout theplant in 1E and non-1E areas to keep plant wiring asshort as possible.

Digital ProtectionSystemApplicationsAdvanced Safety SystemsDesign

The Reactor Protection System (RPS),Neutron Monitoring System (NMS)and Leak Detection and IsolationSystem (LDI) are four-channel, while

Figure 7-1. ABWR Integrated Multiplexing System Architecture

PLANTUNITLEVEL

SYSTEMLEVEL

MULTIPLEX *

PLANT COMPUTERCONTROL ROOM

LOCALLEVEL

SENSOR/ACTUATORLEVEL

* REPRESENTS ONE OF FOUR SAFETY DIVISIONS INDICATES CONVENTIONAL HARDWIRED CABLES

MUXFIELDUNIT

MUX

CONTROLLER

MUXFIELDUNIT

MUX

CONTROLLER

MUXFIELDUNIT

MUX

CONTROLLER

MUXFIELDUNIT

MUX

CONTROLLER

MUXFIELDUNIT

MUX

MOTORCONTROL

LOADDRIVERS

(TYPICAL)

MUXFIELDUNIT

MUX

SAFETYSYSTEM LOGICAND CONTROL

FAULT-TOLERANT

CONTROLLER


7-4

the ECCS are three-mechanicaldivisions actuated by two-out-of-fourlogic from four-channel sensor input.NMS is described in Chapter 6.

Safety System Logic andControl

Safety System Logic and Control(SSLC) and the associated EMSequipment is divided into fourdivisions. Each division is physicallyand electrically separated from theother divisions. Communicationsbetween divisions, as withcommunications with the NEMS,process computer, and control roominstruments, is via fiber optic cablewhich provides complete electricalisolation and prevents spreading ofelectrical faults between safety systemdivisions and between safety and non-safety-related equipment.Communication between safetydivisions and nonessential equipmentis through “Data Gateways” whichallow information to flow in only onedirection.

Some control signals bypass the EMSwhen the signal design requirementsare such that processing the signalthrough the EMS would cause theestablished design requirements(signal processing speed) to beexceeded.

The SSLC also controls the automaticactuation and operation of thefollowing systems during emergencyoperation:

• High Pressure Core Flooder.• Reactor Core Isolation Cooling.• Residual Heat Removal.• Automatic Depressurization.• Emergency Diesel Generators.

• Reactor Building Service Water/Ultimate HeatSink.

• Reactor Building Cooling Water.

Standby Liquid Control System (SLCS) and StandbyGas Treatment System (SGTS) logic are separate fromSSLC.

Reactor Protection System

The Reactor Protection System (RPS) is the overallcomplex of instrument channels, trip logic, tripactuators and scram logic circuitry that initiate rapidinsertion of control rods (scram) to shut down thereactor if monitored system variables exceedpreestablished limits. This action avoids fuel damage,limits system pressure and thus restricts the release ofradioactive material. The RPS also establishes reactoroperating modes and provides status and controlsignals to other systems and annunciators. Toaccomplish its overall function, the RPS interfaces withthe Essential Multiplexing System, NeutronMonitoring System, Process Radiation MonitoringSystem, Control Rod Drive System, Rod Control andInformation System, Reactor Recirculation ControlSystem, Process Computer System, Leak Detectionand Isolation System, Nuclear Boiler System andassociated plant systems and equipment.

The RPS overrides all operator actions and processcontrols and is based on a fail-safe design philosophythat allows appropriate protective action by providingreliable single-failure-proof capability to automaticallyor manually initiate a reactor scram while maintainingprotection against unnecessary scrams resulting fromsingle failures. This is accomplished through thecombination of fail-safe equipment design andredundant two-out-of-four logic arrangement thatautomatically reconfigures to a two-out-of-three logicif a channel fails or is bypassed. Manual RPS actions(scrams) are hard wired and always available to theoperator.

Leak Detection and Isolation System

The Leak Detection and Isolation System (LDI) is afour-channel system consisting of temperature,pressure, flow and fission-product sensors with


7-5

associated instrumentation, alarm, and isolationfunctions. This system detects and annunciates leakageand provides signals to close containment isolationvalves, as required, in the following systems:

• Main Steamlines.• Reactor Water Cleanup System.• Residual Heat Removal System.• Reactor Core Isolation Cooling System.• Feedwater System.• Emergency Core Cooling Systems.• Other miscellaneous systems.

Small leaks are generally detected by monitoring theair cooler condensate flow, radiation levels, equipmentspace temperature, and drain sump fill-up and pump-out rates. Large leaks are also detected by changes inreactor water level, drywell pressure, and changes inflow rates in process lines.

Manual isolation control switches are provided topermit the operator to manually initiate (at the systemlevel) isolation from the control room. In addition,each MSIV is provided with a separate manual controlswitch in the control room which is independent ofthe automatic and manual leak detection isolationlogic.

Fault-Tolerant ProcessControl SystemsThe entire ABWR control system necessary for powergeneration is made up of a network of triple redundantand dual redundant Fault Tolerant Digital Controllers(FTDCs). Single controllers are used where thefunction is not important to power generation. Ingeneral, the key ABWR boiler control systems suchas the feedwater control, recirculation flow control,turbine control, automatic power regulator and reactorpressure regulator systems are based on the triplicated,microprocessor-based FTDC. The remainingimportant BOP control systems are based on dualredundant FTDCs. Each FTDC includes two or three

identical processing channels, whichreceive all the redundant processsensors inputs and perform the systemcontrol calculations in parallel.

For triple redundant process control,all FTDCs are active simultaneouslyand each provides an output to theNEMS network to the RMUs wherethe outputs are two-out-of-three voted(mid-value voting on continuousoutput signals (e.g., valve positiondemand) and two-out-of-three votingon discrete outputs (e.g., pump trip).Thus, the FTDC design eliminatesplant trips due to single failures ofcontrol system components.

For dual redundant process control,one FTDC is active and the other is in“hot standby”; only one processor at atime provides an output to the NEMSnetwork and to the RMUs but the otherFTDC is “live” and can automaticallyand bumplessly assume command ifthe primary FTDC fails.

All important control signals aretypically measured with threeindependent transducers (andoccasionally measured with two);these input signals are delivered to allcontrollers by the NEMS and validatedbefore control action is taken. Thisscheme and the controller redundancyeliminates plant trips due to singlefailures of control system components.

The FTDC hardware for all two orthree process control systems isidentical. Only the imbeddedapplication firmware and the quantityand types of input and output modulesdeviate between the systems. TheFTDC architecture includes:


7-6

• Two or three identical processingchannels, each of which containsthe hardware and firmwarenecessary to control the system.

• Dual multiplexing interface unitsper controller for communicationto the redundant Non-EssentialMultiplexing System.

• Interprocessor communicationlinks between processing channelsto exchange data in order toprevent divergence of outputs andto monitor processor failures.

• Redundant power supplies.

• Signal processing techniquesapplied to validate the redundantinput signals for use in controlcomputations.

• A portable Technician InterfaceUnit (TIU) to provide a menu-driven system which allows thetechnician to inject test signals,perform troubleshooting andcalibrate process parameters.

The fault-tolerant architecture of theFTDC design provides assurance thatno single active component failurewithin the sensing, control, orcommunication equipment can resultin loss of system function or plantpower generation. The dual andtriplicated design also provides on-linerepair capability to allow repair and/or replacement of a faulty componentwithout disrupting any important plantprocess.

Automatic Power RegulatorSystem

The primary objective of theAutomatic Power Regulator System(APR) is to control reactor powerduring normal power generation by

appropriate commands to change rod positions, or thechange reactor recirculation flow. Either thermalpower or gross generator electrical power can becontrolled/demanded by the operator. Alternatively,the operator can engage a pre-programmed daily load-following schedule. The APR System always followsa predefined “trajectory” on the power/flow map forany mode of power operation.

The APR System also has the ability to pull the reactorcritical and heat it to rated temperature and pressurefrom either a cold or hot standby condition. The APRSystem can also bring the reactor down to coldshutdown conditions. For either heatups or cooldowns,the reactor temperature rate is controlled to within TechSpec limits by the APR commands to the SteamBypass and Pressure Control System (SBPC) andRCIS.

The APR System consists of triply redundant processcontrollers; these receive information from the variousplant sensors and issue commands to the RCIS toposition control rods, to the RFC System to changereactor coolant recirculation flow, and to the SBPCSystem to set pressure.

The APR System generally controls the nuclear controlsystems and works in parallel (but not synchronously)with the Power Generation Control System functionof the plant Process Computer System; the lattersystem controls most other automation functions. Thenormal mode of operation of the APR System isautomatic but if any abnormal plant condition isdetected or if the downstream controllers receiving theAPR commands fail or are switched to manual, theAPR will automatically cease control operations,switch all downstream controllers to manual, andalarms will be activated to alert the operator. A failureof the APR System will not prevent manual controlsof reactor power, nor will it prevent safe shutdown ofthe reactor.

Feedwater Control System

The Feedwater Control System (FWC) automaticallycontrols the flow of feedwater into the reactor pressurevessel to maintain the water within the vessel at normal


7-7

and predetermined levels for all modes of reactoroperation, including heatup and shutdown. Theoperator can control reactor level between therequirements of the steam separators (this includeslimiting carryover, which affects turbine performance,and carryunder, which affects RIP operation).

A fault-tolerant triplicated, digital controller using aconventional three-element control scheme, providescontrol signals to adjustable speed drives (ASDs) forthe feedwater pump motors, to accomplish the controlfunction.

The FWC System may operate in either single- orthree-element control modes. At feedwater and steamflow rates below 25% of rated when the steam flowmeasurement is outside of the required accuracy orbelow scale, the FWC System utilizes only water levelmeasurement in the single-element control mode.

When steam flow is negligible, as during heatup andcooldown, the FWC System automatically controlsboth the Reactor Water Cleanup (RWCU) Systemdump valve and the feedwater low flow control valveto control reactor level in the single element mode inorder to counter the effects of density changes duringheatup and purge flows into the reactor. At higher flowrates, the FWC System in three-element control modeuses water level, main steamline flow, main feedwaterline flow, and feedpump suction flow measurementsfor water level control.

Steam Bypass and Pressure Control SystemThe Steam Bypass and Pressure Control System(SBPC) is a triply redundant process control system:in Manual, the operator can adjust bypass valveposition and provide reactor pressure setpointdemands; in Automatic, these functions are providedby the APR. Only the operator can switch the SBPCSystem to Automatic, but either the operator or theAPR can switch the SBPC System to Manual.

Unlike previous BWRs, reactor pressure and notturbine inlet pressure is controlled by the SBPCSystem. In normal power generation, reactor pressureis controlled by automatically positioning the turbine

control valves - the pressure controlsignal “passes through” the SBPCSystem to the turbine control system.During modes of operation where theturbine is off-line, flow limited, trippedor under control of its speed/acceleration control system duringturbine roll or coastdown, reactorpressure is controlled by the bypassvalves which pass steam directly to themain condenser under the control ofthe pressure regulator. Steam is alsoautomatically bypassed to thecondenser whenever the reactorsteaming rate exceeds the flowpermitted to pass to the turbinegenerator. With a full bypass designoption, the turbine bypass system hasthe capability to shed up to 100% ofthe turbine-generator rated loadwithout reactor trip or operation ofSRVs. For all these modes ofoperation, the pressure regulationsystem provides main turbine controlvalve and bypass valve flow demandsso as to maintain a nearly constantreactor pressure; it also indirectly(through the APR) provides demandsto the recirculation system tooptionally aid in maintenance of gridfrequency.

Recirculation Flow ControlSystem

The Recirculation Flow Control (RFC)System is a triply redundant processcontrol system: in Manual, the operatorcan adjust individual or gang RIPspeeds or demand a specific core flow;in Automatic, these functions areprovided by the APR. Only theoperator can switch the RFC Systemto Automatic, but either the operatoror the APR can switch the RFC Systemto Manual.


7-8

The RFC System consists of threeredundant process controllers,adjustable speed drives (ASDs),switches, sensors, and alarm devicesprovided for operational manipulationof the ten RIPs and the surveillance ofassociated equipment. The solid-stateASDs provide variable voltage,variable frequency electrical power tothe RIP induction motors. In responseto either the plant operator or the APRor, optionally, grid frequencydemands, the RFC System adjusts theASD power supply output to vary RIPspeed, core flow and reactor power.Extremely rapid reactor powerchanges can be achieved either bymanual operation or by automaticoperation from ~65-100% reactorpower.

The objective of the RFC System is tocontrol reactor power level, over alimited range, by controlling the flowrate of the coolant flow through thereactor. To change the coolant flowrate through the core, the speed of theRIPs is adjusted, either together in thegang mode or individually bycommands from the RFC System tothe ASDs controllers of the individualRIPs. The RIPs can be driven tooperate anywhere between 30 to 100%of rated speed with the variablevoltage, variable frequency powersource supplied by the ASDs. Due tothe low rotating inertia of the RIPs,which are coupled with the solid-stateASDs, the RIP can respond quickly toload transients and operator demands.

Turbine Control System

The Turbine Control System is aredundant process control system: inManual, the operator can adjust theturbine load set; in Automatic, this

function is provided by the APR. Only the operatorcan switch the turbine controller to Automatic, buteither the operator or the APR can switch the turbinecontroller to Manual.

The turbine generator uses a digital monitoring andcontrol system which, in coordination with the turbineSBPC System, controls the turbine speed, load, andflow for startup and normal operations. The controlsystem operates the turbine stop valves, control valves,and combined intermediate valves. The turbine controlsystem also provides automation functions likesequencing the appropriate turbine support systemsand controlling turbine roll, synchronization of themain generator and initial loading.

Non-redundant turbine-generator supervisoryinstrumentation is provided for operational analysisand malfunction diagnosis. Automatic controlfunctions are programmed to protect the turbine-generator from overspeed and to trip it; the trip logicfor all but bearing vibration is at least two-out-of-threelogic.

Other Control Functions

The following control functions are dual redundant.The software functions are deliberately spread throughmany controllers to facilitate verification andvalidation (V&V), quality assurance and initialconstruction setup.

Power Generation Control System: The PowerGeneration Control System (PGCS) is a subset of theprocess computer function implemented as a dualredundant controller. The APR System providesautomation of the reactor control functions and thePGCS provides other Nuclear Island and BOPautomation functions by providing the setpoints oflower level controllers and commands to various BOPequipment for normal plant startup, shutdown, andpower range operations.

The PGCS works in parallel but is not synchronouswith the APR System; one of the design features ofthe PGCS is that it contains no control algorithms butinstead issues only supervisorial commands to the BOP


7-9

controllers and systems which otherwise remainresponsible for their own availability and operation.PGCS contains the algorithms for the automatedcontrol sequences associated with plant startup,shutdown, and power range operations.

The plant operator interfaces with the PGCS througha series of breakpoint controls to initiate automatedsequences from the operator control console. Ingeneral, plant automation is broken down into logicalsteps and sequences like heatup or turbine roll whichthe operator can initiate and which then proceed tocompletion and halt until the operator initiates the nextsequence. For selected operations that are notautomated or that are contained within 1E systems,the system prompts the operator to perform suchoperations. A semiautomatic mode is also providedwhere the PGCS provides only guidance messages tothe operator but does not actually operate plantequipment.

Rod Control and Information System: The RodControl and Information System (RCIS) is a dualredundant process control system: in Manual, theoperator can select and position the control rodsmanually, either one at a time or in a gang mode. Ifthe RCIS is in Semi-Automatic mode, the operatorneeds to only give permission to start and stop controlrod motion and the RCIS will insert or withdraw thecontrol rods following a predefined control rodsequence. If the RCIS is in Automatic mode, itresponds to commands for rod insertion or withdrawalfrom the APR; this will also follow a predefinedcontrol rod sequence. Only the operator can switchthe RCIS controllers to Automatic, but either theoperator or the APR can switch the RCIS to Manual.

The RCIS provides the means by which control rodsare positioned from the control room for powercontrol. The RCIS controls changes in the corereactivity, power, and power shape via the FMCRDmechanisms which move the neutron absorbingcontrol rods within the core. For normal powergeneration, the control rods are moved by their electricmotors in relatively fine steps; for reactor scrams, thecontrol rods are inserted both hydraulically andelectrically. For operation in the normal gang

movement mode, one gang of controlrods can be manipulated at a time. Thesystem includes the logic that restrictscontrol rod movement (rod block)under certain conditions as a backupto procedural controls.

The RCIS contains as a subsystem, theATLM (automatic thermal limitmonitor), which provides an on-linemeasurement of plant thermal limitsfrom the LPRMs and periodic processcomputer updates. The ATLM willautomatically block rod motion if itdetects operation near Tech Specthermal limits.

Another RCIS subsystem is the RodWorth Minimizer (RWM) Subsystem,which forces compliance to the definedcontrol rod sequencing rules byindependently issuing rod blocksshould a high worth rod patterndevelop.

The RCIS and the scram timing panelalso support automatic measurementof control rod Tech Spec scram speedsfor either planned or unplannedscrams.

Process Radiation MonitoringSystem: The Process RadiationMonitoring System (PRM) monitorsand controls radioactivity in processand effluent streams and activatesappropriate alarms, isolations, andcontrols. The PRM System indicatesand records radiation levels associatedwith selected plant liquid and gaseousprocess streams and effluent pathsleading to the environment. Alleffluents from the plant, which arepotentially radioactive, are monitoredboth locally and in the control room.These include the following:


7-10

• Main steamline tunnel area.• Reactor Building ventilation

exhaust (including fuel handlingarea).

• Control Building air intake supply.• Drywell sumps liquid discharge.• Radwaste liquid discharge.• Offgas discharge (pretreated and

post-treated).• Gland steam condenser offgas

discharge.• Plant stack discharge.• Turbine Building vent exhaust.• Radwaste Building ventilation

exhaust.

Area Radiation Monitoring System:The Area Radiation Monitoring(ARM) System provides operatingpersonnel with a record and indication,in the main control room, of gammaradiation levels at selected locationswithin the various plant buildings andgives warning of excessive gammaradiation levels in areas where nuclearfuel is stored or handled.

The ARM System consists of gamma-sensitive detectors, digital radiationmonitors, auxiliary units, and localaudible warning devices. Systemrecording, like all process functions,is done by the process computer. Thedetector signals are digitized andmultiplexed for transmission to theradiation monitors and to the maincontrol room. Each local monitor hastwo adjustable trip circuits for alarminitiation. Auxiliary units are providedin local areas for radiation indicationand for initiating the sonic alarms onabnormal levels. Radiation detectorsare located in various areas of the plantto provide early detection and warningfor personnel protection.

Containment Atmospheric Monitoring System: TheContainment Atmospheric Monitoring (CAM) Systemmeasures alarms and records radiation levels and thehydrogen and oxygen concentration in the primarycontainment under post-accident conditions. It isautomatically put in service upon detection of LOCAconditions.

The CAM System provides normal plant shutdownand post-accident monitoring for gross gammaradiation and hydrogen/oxygen concentration levelsin both drywell and suppression chamber. The CAMSystem consists of two divisions which are redundantlydesigned so that failure of any single element will notinterfere with the system operation. Electricalseparation is maintained between the redundantdivisions. All components used for safety-relatedfunctions are qualified for the environment in whichthey are located. The system can be actuated manuallyby the operator, or automatically initiated by a LOCAsignal (high drywell pressure or low reactor waterlevel). The CAM System does not actuate nor interfacewith any other safety-related systems.

Process Computer: On-line networked computers areprovided to monitor and log process variables andmake certain analytical computations. The processcomputer cabinets are really several redundantcomputer functions that may, in fact, be severalphysical computers. These functions include:

• Most non-1E display support.• Core three-dimensional power monitoring (3D

Monicore).• Balance-of-plant (BOP) performance calculations.• Sequence of events.• Manual and automatic logging.

Remote Shutdown System: In the event that thecontrol room becomes inaccessible, the reactor canbe brought from power range operation to coldshutdown conditions by use of controls and equipmentthat are available outside the control room. Manualtransfer devices are provided which override controloutputs from the main control room and transfercontrols to remote shutdown control. Control signals


7-11

(but not process signals, since they interface with fieldRMUs and not the control room) are interrupted bythe transfer switches. All necessary power supplycircuits are also transferred to other sources. Operationof the transfer switches causes an alarm in the maincontrol room; outside the main control room, accessto the remote shutdown control panels isadministratively and procedurally controlled. TheRemote Shutdown System (RSS) functions ahead ofthe plant multiplexing system: all controls andindications are hard wired and will function regardlessof the status of the multiplexing system.

Instrumentation and controls on the remote shutdownpanels include the following:

• Controls and indications for operation of oneHPCF loop to control reactor water level.

• Controls and indications for operation of two RHRloops to support shutdown cooling once reactorpressure has been reduced, and suppression poolcooling to control suppression pool temperaturewhich may rise due to SRV operation.

• Controls to operate three SRVs for maintainingand reducing reactor pressure.

• Indications of reactor vessel water level andpressure, and suppression pool temperature andlevel.

• Controls and indications for operation of theRBCW and RBSW Systems.

• Controls and indications for electrical powerdistribution.

• Controls for manually starting and stopping twoof the emergency diesel generators.

Main Control RoomThe key elements of the ABWR main control room(MCR) design (Figure 7-2) are (1) the compact maincontrol console (MCC) for primary operator controland monitoring functions, and (2) the integrated wide

display panel, which presents anoverview of the plant status that isclearly visible to the entire operatingcrew. Each of the units incorporatesadvanced man-machine interfacetechnologies to achieve enhancedoperability and improved reliability.Human factors engineering principleshave been incorporated into the designof the MCR panels and into the overallMCR arrangement.

Total plant control is achieved from theMain Control Console (MCC) for allphases of operation. The consoledesign incorporates touch-screencathode ray tubes (CRTs), flat paneldisplay devices, and a limited numberof hard switches as the primaryoperator interface devices. The CRTsand flat panel displays are driven bythe Plant Computer System (PCS). Themain control console has a low profileso that the operators can perform theirduties from a seated position.

The Wide Display Panel (WDP)provides summary information onplant status parameters and key alarmsto the operators, supervisors and othertechnical support personnel in theMCR. The WDP is locatedimmediately in front of the operatorswhen they are at their normal workstation seated at the main controlconsole. This WDP includes a fixedmimic display, an approximately100-inch large variable display, top-level plant alarms, detailed systemlevel alarms, and touch-control flatpanel displays. The WDP incorporatesthe Safety Parameter Display System(SPDS) as part of the plant statussummary information.


7-12

The MCR also includes a supervisors’console which has CRTs formonitoring plant status. Thesupervisors’ console is set backdirectly behind the operators in aposition which ensures that a clearview of all operating activities isavailable to the supervisors.

Main Control ConsoleThe Main Control Console (MCC)provides the displays and controlsnecessary to maintain and operate theplant during normal, abnormal, andemergency conditions. This console is

used in conjunction with the information provided onthe vertical surface of the Wide Display Panel.

The MCC comprises the work stations for the twocontrol room plant operators, and is configured suchthat the operators are provided with controls andmonitoring information necessary to perform assignedtasks and allows the operators to view all of the WDPfrom their seated position at the MCC. The console isconfigured in a truncated “V” shape. The normal plantcontrol and monitoring functions are performed in thecentral area of the console, while the safety-relatedNuclear Steam Supply (NSS) functions are located onthe left-hand side and the balance-of-plant (BOP)functions are located on the right-hand side.

Figure 7-2. ABWR Main Control Room

Alarmindicator

Wide displaypanels

Fixed mimicdisplay

Variabledisplay

Flatdisplay

Flatdisplay

CRT Hard switchpanels

Main controlconsole


7-13

A primary means for operator control and monitoringis provided by the color-graphic, touch-screen CRTsmounted on the MCC. The CRT displays are drivenby the Process Computer. There are many types ofdisplay formats which can be shown on the CRTs,including summary plant status displays, trend plots,system status formats, alarm summaries, plantoperating procedure guidance displays, and plantautomation guidance displays. Although each CRT isassigned a default display for a given operatingcondition, the operators have the flexibility to selectany display on each of the seven touch-screen CRTs.This multi-redundant display capability ensurescontinued normal plant operation in the event of afailure of one or more of the CRTs.

The system status displays provide information onindividual plant systems. The touch screens on theCRTs provide direct control for nonsafety-relatedsystems at the system component level. Theapplication of this touch screen capability for controlof nonsafety systems, along with the incorporation ofautomated plant operation features, was a major factorin reducing the size of the MCC to its present compactdimensions.

The alarm summary displays on the MCC CRTssupport the operators’ decision-making process. Thepresentation of alarms employs optimizationtechniques designed to prioritize alarms and filter orsuppress nuisance alarms which require no specificoperator action. An example of this alarm processingwould be the suppression of the audible alarmsassociated with the Reactor Protection System duringthe period of a reactor scram.

The ABWR MCC also provides flat panel displays(e.g., electroluminescent, plasma, or liquid crystaldisplays) for extended monitoring and controlcapability. These touch-control flat panel displays aredriven by microprocessor-based controllers which arecompletely diverse from the controllers. This diversityof displays and controls in the console design enablescontinued plant operation even in the unlikely eventof a total loss of all CRTs.

The flat panel display devices are usedto support both safety and nonsafetysystem monitoring and controlfunctions. The flat panel displayswhich are used as safety-systeminterfaces are fully qualified to Class1E standards. The safety-related flatdisplays are located on the left side ofthe MCC. For control and monitoringof the three redundant and independentdivisions of the Emergency CoreCooling System (ECCS) and reactorprimary containment heat removal,two flat panel display devices areprovided in each of those divisions.One flat panel display is typically usedfor monitoring and the other is usedfor control. Flat panel displays formonitoring and control of majornonsafety systems are also located onthe MCC.

In addition to the touch-screen CRTsand flat panel display devicesdescribed above, the MCC is equippedwith dedicated, “hard” switcheslocated on the horizontal desk surfacesof the console. Some of these hardswitches are the sequence mastercontrol push-button switches used forinitiating automation sequences fornormal plant operations and forchanging system operating modes.Other hard switches are hard-wireddirectly to the actuated equipment (forabsolute assurance of function) andprovide backup capability for initiatingsafety system functions and key plantprotection features, such as manualscram, SLCS initiation and turbine tripfunctions.

A limited number of dedicatedoperator interfaces are provided in thecenter of the MCC for key systemssuch as the Rod Control and


7-14

Information System. These dedicatedinterfaces contain hard switches andindicators to provide quick andconvenient access to key systeminterfaces under all plant conditions.

Wide Display Panel

The Wide Display Panel (WDP) is alarge vertical board which providesinformation on overall plant statuswith real-time data during all phasesof plant operation. The informationpresented on the WDP is clearlyvisible from the Main ControlConsole, the supervisors’ console, andother positions in the control roomwhere support personnel may bestationed. The WDP provides a fixedmimic display, a large (~100-inchdiagonal) variable display. Spatiallydedicated alarm windows for critical,plant-level alarms are also provided onthe left-hand side WDP. Spatially-dedicated detailed system level alarmsare located above their respectivesystems on the fixed-mimic display. Atthe base of the WDP, there are multipleflat display devices for individualsystem surveillance, monitoring andcontrol.

The fixed mimic display is arrangedon two, adjacent, upright panels whichcomprise the center and right-handsections of the WDP. The two panelsare driven by independentmicroprocessor-based controllers. Thecenter panel is seismically qualifiedand is driven by safety-related, Class1E microprocessors. Information onthis panel includes the critical plantparameters required for a safetyparameter display system and Type Apost-accident monitoring indications.Specific information displayed on thispanel includes the status of the core

cooling systems, reactor pressure vessel and coreparameters, containment and radiation parameters, andthe status of safety-related equipment. The informationdisplayed completely satisfies the requirement forsafety parameter and post-accident monitoring withoutthe need for any other display equipment. The rightpanel of the fixed mimic display contains informationon the BOP power generation cycle, such as thecondensate and feedwater system, turbine/generator,and power transmission systems.

Also, within the area of the fixed mimic display,dedicated alarm windows are provided for important,plant-level alarms that affect plant availability or safety.Examples of the plant-level alarms include high reactorpressure, low reactor water level and high suppressionpool temperature.

The large variable display is located on the rightupright panel of the Wide Display Panel. The basicpurpose of the large variable display is to provideinformation on important plant process parameterswhich supplements the overview information on thefixed mimic display. The information presented on thelarge variable display can be changed, depending onthe plant operating conditions and the needs of theoperating crew. Any display format available on theMCC CRTs can also be displayed on the large variabledisplay. Examples of the full color graphic displaysthat can be shown on the variable display are thevarious CRT display formats which would be selectedunder plant emergency conditions.

Closed circuit TVs are provided which allow remoteobservation of equipment and operations in areas thatare not normally accessible and of other criticalactivities such as fuel handling and maintenance tasks.Communication between the control room crew andother areas of the plant is enhanced with this visualfeedback capability. These closed circuit TVs havehigh definition with color capability.

The touch-control flat displays located at the base ofthe WDP provide the capability for surveillance ofsystems and equipment during normal plant operation.In addition, these devices can be used for control and


7-15

monitoring of plant systems during maintenance andrefueling outages and during periods when a portionof the MCC may be taken out of service formaintenance. These flat displays are driven bymicroprocessor-based controllers which are separatefrom the plant Process Computer System.

Plant AutomationThe ABWR design incorporates extensive automationof the operator actions which are required during anormal plant startup, shutdown and power rangemaneuvers. The automation features adopted for theABWR provide for enhanced operability andimproved capacity factor relative to conventionalBWR designs. However, the extent of automationimplemented in the ABWR has been carefully selectedto ensure that the primary control of plant operationsremains with the operators. The operators remain fullycognizant of the plant status and can intervene in theoperation at any time, if necessary.

The ABWR automation design provides for threedistinct automation modes: Automatic, Semi-Automatic, and Manual. In the Automatic mode, theoperator initiates automated sequences of operationfrom the MCC. Periodic breakpoints are inserted inthe automated sequence which require operatorverification of plant status and manual actuation of abreakpoint control push-button to allow the automatedsequence to continue. When a change in the status ofa safety system is required, automatic prompts areprovided to the operator and the automation issuspended until the operator manually completes thenecessary safety system status change.

In the Semi-Automatic mode of operation, theprogression of normal plant operations is monitoredand automated prompts and guidance are provided tothe operator; however, all actual control actions mustbe performed manually by the operator. In the Manualmode of operation, no automated operator guidance

or prompts are provided. The operatorcan completely stop an automaticoperation at any time by selecting theManual mode of operation.

OperationThe ABWR control room designprovides the capability for a singleoperator to perform all required controland monitoring functions duringnormal plant operations as well asunder emergency plant conditions.One-man operation is possible due toimplementation of several key designfeatures: (1) the Wide Display Panelfor overall plant monitoring; (2) plant-level automation; (3) system-levelautomation; (4) the compact MCCdesign; and (5) implementation ofoperator guidance functions whichdisplay appropriate operatingsequences on the main control panelCRTs. The role of the operator willprimarily be one of monitoring thestatus of individual systems and theoverall plant and the progress ofautomation sequences, rather than thetraditional role of monitoring andcontrolling individual systemequipment. However, to foster a teamapproach in plant operation and tomaintain operator vigilance, theoperating staff organization for thereference ABWR control room designis based upon having two operatorsnormally stationed at the controlconsole.

During emergency plant operations,plant-level automation is automaticallysuspended, but system levelautomation is available. One operator


7-16

would be responsible for the NSSsystems and the other for the BOPsystems, with the supervisorsproviding direction and guidance.Again, system-level automation allows

for simplified execution of both the safety andnonsafety system operations. In lieu of system-levelautomation, direct manual control of individual systemequipment is available on the touch-screen CRTs andflat displays.

Click navigation buttons below to go to

PreviousChapter

NextChapter

Table of Contents

Chapter Instrumentation and Control Overview

Documents