SUB CHAPTER G.3. F1 CLASSIFIED ... - epr-reactor.co.uk
SUB-CHAPTER: G.3 SECTION : -
PAGE : 1 / 41 UK-EPR
FUNDAMENTAL SAFETY OVERVIEW VOLUME 2: DESIGN AND SAFETY
CHAPTER G: INSTRUMENTATION AND CONTROL
SUB CHAPTER G.3. F1 CLASSIFIED INSTRUMENTATION & CONTROL SYSTEMS
1. PROTECTION SYSTEM (PS [RPS]) ARCHITECTURE
1.0. SAFETY REQUIREMENTS
1.0.1. SAFETY FUNCTIONS
The Protection System contributes to the following safety functions:
- control of reactivity,
- removal of residual heat,
- limitation of radioactive releases at the site boundary to an acceptable level by controlling, after PCC-2, 3, 4 and RCC-A events, automatic reactor trip and the start-up of the safeguard systems.
In addition, the PS [RPS] must contribute to maintaining the Reactor Control System integrity.
1.0.2. FUNCTIONAL CRITERIA
The Protection System must implement the necessary short-term automatic actuation of safety systems which are used to mitigate the consequences of PCC-2, 3 or 4 events. The PS [RPS] must be designed to:
- allow the transients criteria to be met,
- allow the controlled state to be reached.
This system is required to accomplish similar actions in case of RCC-A accidents.
1.0.2.1. Reactivity control
The reactor trip (rod drop), together with the Safety Injection System if needed, must enable the reactor to reach the subcriticality required by the controlled state for accident conditions PCC 2 to 4.
For RCC-A events the PS [RPS] must accomplish all the short-term safety functions allowed by the definition of the transient.
1.0.2.2. Residual Heat Removal
When thermohydraulic conditions require it, the Protection System must enable the actuation of the safety systems (safety injection in the primary coolant, secondary partial cooldown, ASG [EFWS] actuation).
1.0.2.3. Containment of radioactive substances
The Protection System must, in due time, start the systems that prevent exceedance of specified fuel limits after any PCC or RCC-A event.
The Protection System must make it possible to detect the accidental situations that could impair the primary system integrity. In most cases, the reactor trip, associated with safety devices that act by direct pressure limitation, must guarantee this integrity. When there is a risk of brittle fracture of the RPV, the Protection System must limit the build-up of pressure in the RCS.
Furthermore, the containment isolation system must limit to acceptable values the radioactive releases following accidents where integrity of the primary coolant system is lost.
1.0.3. DESIGN REQUIREMENTS
1.0.3.1. Requirements arising from the safety classification
1.0.3.1.1 Safety Classification
The Protection System is safety-classified, according to the classification principles presented in sub-chapter C.2.
1.0.3.1.2 Single failure criterion (active and passive)
The single failure criterion must be applied at the system level.
As a consequence, the PS [RPS] must be made of redundant trains able to perform the safety functions after the loss of one train. The redundant protection channels must be implemented in separate divisions to prevent common cause failure in case of internal or external hazard affecting one division.
Electric decoupling must be provided between redundant trains.
Support functions must be independent to the greatest possible degree. Each redundant train will receive its power from a distinct backed-up power supply.
F1A functions should still be accomplished when the single failure criterion is applied simultaneously with preventive maintenance or periodic test conditions.
1.0.3.1.3 Emergency supplied power
The Protection System must be emergency-supplied by diesel generators, so that its safety function is ensured, even if external power supply is lost.
In addition, the Protection System must be supplied by an uninterruptible power supply at the suitable voltage in order to ensure its safety functions without interruption when external power supply is lost.
1.0.3.1.4 Qualification under operating conditions
The equipment involved in the safety functions of the PS [RPS] must be qualified according to the ambient conditions in which it is required to operate.
Components ensuring an F1 safety function must be qualified according to the rules presented in chapter C.7.
The mechanical classification is not applicable to the Protection System.
The electrical and I&C equipment are classified according to the rules of chapter C.2.
1.0.3.1.6 Seismic classification
The Protection System must be seismic classified, according to the classification principles presented in chapter C.2.
The objective of the dimensioning provisions is to ensure that the safety functions of the systems and components necessary for plant return to safe shutdown state will not be affected by an Increased Safety Earthquake.
1.0.3.2. Other regulatory requirements
1.0.3.2.1 Official texts
The general document “Options de Sûreté du projet de réacteur EPR” (letter DGSNR/SD2/079/2000) applies to the Protection System.
1.0.3.2.2 Basic Safety Rule
The application of the Basic Safety Rules to the EPR is developed in section A.7.
The following Basic Safety Rules are applicable to the EPR Protection System:
II.4.1.a "Safety Classified Electrical Systems Software"
IV.2.b "Requirements for the design, qualification, deployment and operation of safety-classified electrical hardware"
1.0.3.2.3 Technical Guidelines
In addition to the general requirements given in chapter A.1 (General safety approach), requirements applicable to the PS [RPS] are presented in sections A.2.2 (Redundancy and diversity in the safety systems), B.2.2.2 (Computerized safety systems) and G3 (Design of Instrumentation and Control).
1.0.3.2.4 Electrical design rules
Design rules for electrical equipment and specific rules to be applied to instrumentation are provided in the RCC-E.
1.0.3.2.5 Hazards
The Protection System must be protected against risk of common mode failure resulting from internal or external hazards.
1.0.3.2.6 Internal hazards
The PS [RPS] must be protected against internal hazards, according to sub-chapter C.4.
I&C systems and equipment must be designed so that:
- I&C functions necessary to reach the safe state are available, taking into account a single failure and preventive maintenance on the necessary system, in case of an internal failure independent of a PCC-2 to PCC-4 or RRC event;
- F1 I&C functions necessary to control PCC-2 events are available, taking into account a single failure and preventive maintenance on the necessary system, in case of an internal failure leading to a PCC-2 event.
1.0.3.2.7 External hazards
The PS [RPS] must be protected against external hazards, according to sub-chapter C.3.
To ensure protection against airplane crash, two system trains must be installed in a protected building and the remaining two must be geographically separated to limit the consequences of a crash to a single division. The PS [RPS] train in the non-destroyed building division has to be protected from any impact generated by the equipment in the destroyed division.
1.0.4. TESTS
1.0.4.1. Pre-operational tests
Pre-operational tests must prove the adequacy of the design and the performance of the Protection System.
1.0.4.2. Periodic tests and in-service inspection
Long periods of operation with a potentially degraded I&C configuration (accumulation of failures), which might lead to the loss of a safety function, are shortened by periodic testing.
Self-tests and periodic tests must be implemented in F1 functions to detect failures. Test frequencies are calculated from the reliability expected of the tested function.
The PS [RPS] is designed to allow the implementation of the periodic tests.
Layout and design of the Protection System equipment must provide easy access to enable performance of in-service inspections and periodic tests. Suitable techniques have to be applied to reduce the possibilities of inappropriate actions during tests.
1.1. MISSION
The Protection System implements the automatic functions, manual actions and monitoring functions which are F1A classified. The Protection System also implements some parts of the F1B safety classified functions as well as some specific F2 functions.
These F1A functions are used after an initiating event (PCC 2, 3, 4) to reach a controlled state. They mainly comprise:
- automatic actuation of reactor trip,
- automatic control of safeguard systems and related support systems,
- generation of signals for the detection of situations which request operator manual actions,
- actuation of manual F1A I&C functions.
1.2. SUPPORTED FUNCTIONS
1.2.1. AUTOMATIC REACTOR AND TURBINE TRIP FUNCTIONS
Table G.3 TAB 3 lists the Reactor Trip and Turbine Trip functions that can be performed by the Protection System.
1.2.2. SAFEGUARD FUNCTIONS
Table G.3 TAB 4 and TAB 5 list the Safeguard functions that can be performed by the Protection System.
1.2.3. SAFEGUARD SYSTEM SUPPORT FUNCTIONS
Tables G.3 TAB 6 and TAB 7 list the safeguard support systems functions.
1.3. DESIGN BASIS
1.3.1. DESIGN CRITERIA
1.3.1.1. Redundancy
When two I&C F1A classified functions perform contradictory actions on the same component, the one which has priority on the other one is called Non-Unequivocally Safety Oriented (NUSO). All other safety I&C functions are called Unequivocally Safety Oriented (USO).
The F1 part of the Protection System is designed to withstand a single failure even during maintenance or periodic testing. In order to achieve tolerance to a single failure and maintenance, while minimizing the occurrence of spurious actuation, a four-fold redundancy is necessary. In addition, the four redundant protection channels must be implemented in separate divisions to prevent common cause failure in case of an internal hazard in one division (a single failure must be tolerated in addition to an internal hazard).
The degree of redundancy of the functions and associated equipment of the mechanical/fluid system must be preserved in the associated redundant I&C functions (e.g. four medium head safety injection trains also require four dedicated I&C subsystems).
The required level of reliability/availability, in terms of non-actuation on demand, is defined in sub-chapter R.1.
1.3.1.2. Independence
In accordance with RCC-E, three kinds of independence are considered within one I&C system:
- independence between redundancies of the I&C system.
- independence between equipment of different safety classes.
- independence between diverse functions.
In addition to the requirements applying to independence within the Protection System, independence between the Protection System and the other I&C systems is also necessary.
1.3.1.2.1 Independence between the four redundancies of the Protection System
According to RCC-E and to limit the consequences of a single failure to the affected redundant function, the redundant functions and their associated equipment including their support systems (e.g. power supply) must be independent from each other.
This requirement involves the implementation of at least the following measures:
- the redundant equipment of the Protection System must be physically allocated in different divisions.
- specific protection measures must be provided (e.g. protection wall or protection tubing) to achieve divisional separation for measurement points which are located close to each other.
- to prevent the propagation of internal hazard consequences through divisions and limit the effects of a single failure to the affected redundant functions, divisional interconnections must be limited to a minimum.
- when connections between divisionally separated functions are required (e.g. majority voting), the data communication between divisions must be decoupled both electrically (e.g. optic fibre) and physically (e.g. fire barriers).
- erroneous commands and information passing from a disturbed division must be ignored by the undisturbed divisions (e.g. by means of majority voting).
1.3.1.2.2 Independence between equipment of different safety classes
According to RCC-E requirements, equipment of different safety classes within the Protection System must be independent in such a way that a failure occurring in lower class equipment does not impair the functions of the higher class equipment.
This requirement involves the implementation of the following measures (as a minimum):
- for the Protection System, connections between equipment of different safety classes must be minimized (e.g. common use of measurements and components).
- the use of common components must be avoided as far as possible. If not, the common equipment used must be assigned, classified and designed according to the requirements of the higher class.
- Connections between E1 equipment and E2 or NC equipment must be electrically decoupled.
1.3.1.2.3 Independence between diverse functions
When functional diversity is required, a sufficient degree of independence must be achieved.
This requirement involves the implementation of the following design measures:
- instrumentation, process units and cabling for each of the diverse functions must be separated.
- equipment diversity for instrumentation may be implemented when diverse functions use the same process parameter (decision made on a case by case basis).
1.3.1.2.4 Independence between the Protection System and the other I&C systems
Sufficient independence from the other lines of defence must be achieved because the Protection System belongs to the main line of defence.
This requirement involves the respect of the following design measures:
- Provisions must be taken for decoupling the connections between the Protection System and the I&C systems classified F2 or NC, including the case where common information is shared by the Protection System and other I&C systems.
- When a sensor is used for both protection and control functions, its failure must not result in a transient for which the protection function using this sensor is required to act, unless this protection function could still operate despite an additional failure combined with preventive maintenance or a periodic test (single failure criterion). In practice, when a sensor is used both for protection and control functions, all four measurements are sent to the equipment implementing the control functions, and a voting is used to eliminate the faulty signal.
1.3.1.3. Detection of degraded states
Appropriate measures should be taken to detect and identify the occurrence of failures. This is to avoid long periods of operation with a degraded I&C configuration, which might lead to the loss of a function due to an accumulation of failures.
For this reason, self tests and periodic tests of the equipment performing the F1 functions must be implemented to detect any failure that could prevent the F1 function from operating.
1.3.2. AVAILABILITY CRITERIA
1.3.2.1. Spurious actuation upstream from the last voter
For F1A functions, a failure anywhere in the Protection System upstream of the last voter must not generate a spurious command that would lead to a spurious actuation, even during maintenance or periodic test.
1.3.2.2. Spurious actuation downstream from the last voter
For F1A functions, the risk of spurious actuation of the corresponding actuators due to the equipment downstream of the last voter (and including it) must be minimized.
1.3.3. PERFORMANCE
Performance in terms of accuracy and response time is derived from the functional requirements summarised in G.3 TAB 8.
Performance is ensured by the following principles:
1.3.3.1. Distribution of functions
To comply with IEC 60880, Appendix B, individual application functions with different response time magnitudes should not be allocated to the same processing unit.
To reduce the complexity of software, individual application functions should be divided amongst several processing units.
If it appears that for a specific accident two pre-existing signals can initiate the required protection action (functional diversity), the structure of the Protection System has to take this into account in order to provide separated equipment for the implementation of the different initiation channels.
1.3.3.2. Communication
According to RCC-E C5000, the behaviour of the Protection System that supports F1A functions must be deterministic. An I&C system is said to be deterministic if it is possible to establish, by analysing its design, architecture and implementation, with a very high degree of precision and certainty, what it does under all required modes of operation.
Therefore the communication system used in the F1A part of the Protection System must be deterministic.
Some features related to the deterministic behaviour of a system are listed below:
- Pre-determined response time,
- Simple testability and failure diagnosis,
- Simple software validation.
1.3.4. AMBIENT CONDITIONS REQUIREMENTS
1.3.4.1. Normal conditions
The hardware must be able to operate in the ambient conditions given in section I.4.1.
1.3.4.2. Accident conditions
As specified in section G.3.1.0.3.1.4, components performing an F1 safety function are qualified to remain functional under post-accident conditions.
Likewise, components ensuring an F2 function have to be qualified to remain functional under post-accident conditions.
1.3.5. HUMAN-MACHINE INTERFACE REQUIREMENTS
Access to video display units, computers, keyboards, mice, disk or CD-ROM drives, hard disks, printers, etc. related to the Protection System equipment is controlled by physical means such as keys, magnetic or chip cards, etc.
Every time work on one of these devices is stopped, the equipment must be locked.
No immediate access is possible to the Protection System software itself. This means that access is possible only through interface equipment used for testing or configuration or data consultation, and that the interface equipment is connected to the Protection System without requiring the I&C cabinets to be opened. The purpose of this restriction is to limit the overall number of physical accesses required to the electronic modules of the Protection System.
The interface equipment is dedicated to the Protection System. It is connected to the Protection System only. Disconnecting the interface equipment is only possible after unlocking a specific locking device.
Access to the Protection System software is via a screening software module installed within the interface equipment.
The screening module requires:
- the general password,
- the user’s name,
- the user’s personal password,
for any user requesting any type of access.
The user’s personal password is known only to that user. The user can change it at any time, and passwords must be changed with a minimum frequency.
Management of access to the interface equipment allows:
- control of user name and personal password,
- access to necessary areas of the Protection System software according to the user name. It includes read and write authorizations,
- access to a single train,
- control of automatic traces of operations (traces of access and operations when access is granted),
- etc.
The designer organises the Protection System software and hardware to forbid access to software areas other than those needed for testing, configuration and data consultation.
1.4. ARCHITECTURE
1.4.1. STRUCTURE AND COMPOSITION
1.4.1.1. General remarks
The Protection System is designed:
- to minimize the quantity of components (electronic cards, etc.) and the number of network connections,
- to ensure the global response time of function requirements e.g. by limiting network load.
1.4.1.2. Functional structure
For this section refer to figures G.3 FIG 2 and FIG 3.
The Protection System performs four types of F1A functions:
It also performs some F1B functions, which mainly are:
- calculation of the temperature saturation margin,
- some post-accident monitoring, possibly involving information synthesis (redundancy reduction) in divisions 2 and 3,
- monitoring of voted values in the F1A part of the PS [RPS],
- management of alarms related to the PS [RPS],
- management of F1B manual controls acting on PS [RPS] F1A,
- management of F1B manual grouped controls,
- etc …
The following sub-sections apply to the four divisions of the plant and for the four redundancies of the Protection System.
1.4.1.2.1 Sensor(s) and transmitter(s)
Depending on the type of sensor, the I&C cabinets provide the power supply to the detectors, the decoupling modules if necessary, and perform the required conditioning to provide different types of standardized signals that can be used by the A/D converters.
1.4.1.2.2 Measurement data acquisition
- A/D converters:
The Protection System converts analogue measurement signals to digital values.
- Data transmission:
In most cases, after A/D conversion there are no data exchanges between the four redundant elements of the Protection System at this step (see Fig 2). However some specific functions (e.g. power distribution inside the core monitoring function) need to exchange digitalized values between divisions at this level (see Fig 3).
- First level of processing:
Each signal is checked. In case of violation of the measuring range limits, or in case of detection of a fault in the acquisition, the signal is invalidated for processing. Each digitised input is converted to the corresponding physical value of the measurement, which is used by the processing. The results of the digitisation and of the conversion into physical values are also transmitted to other systems (see Tab. 4 and Tab. 5) and to the service equipment.
1.4.1.2.3 Initiation Processing
The first step is the collection of data from the Measurement Data Acquisition of its division, or in some special cases also from the three other divisions (because some functions need the information from all four redundancies; see Data transmission above). The digital data are processed according to the functional requirements.
The last step of the initiation processing is the comparison with a threshold to provide binary information, hereafter called the initiation signal, indicating whether or not the threshold is reached.
In case of detected failure in initiation processing, the initiation signal is invalidated.
1.4.1.2.4 Actuation Processing
Each division collects the redundant initiation signals from the four divisions. These signals are processed by a 2-out-of-4 (2/4) voting logic to provide initiation orders. Different cases exist, as represented in G.3 FIG 5. The 2/4 voting logic is designed to be downgraded in the appropriate way if one or more signals are invalidated.
All the initiation orders generated by the different initiation channels are computed together with the permissive/interlock signals to produce an actuation signal.
The results of the majority voting (i.e. the initiation order) as well as the actuation signal are also transmitted to other systems (see G.3 TAB 2) and to the service equipment.
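The chain described in 1.4.1.2.2 to 1.4.1.2.4, as an added Python model that is not code from the UK-EPR document or its supplier: each division range-checks its measurement and invalidates it on an acquisition fault, compares the physical value with a threshold to form the initiation signal, and the four signals go through a 2/4 vote that degrades when signals are invalidated, after which the permissive gives the actuation signal. The measuring range, threshold, the degradation table (FIG 5 is not reproduced here) and the rule that no order is formed without at least one valid signal are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Illustrative measuring range and trip threshold (assumed values, not from the
# UK-EPR document): a pressure-like parameter in bar, initiation when it is high.
RANGE_MIN = 0.0
RANGE_MAX = 200.0
THRESHOLD = 155.0

# Assumed degradation table for the 2/4 voter (FIG 5 is not reproduced on the
# page): number of valid initiation signals -> number of them that must be set.
DEGRADED_VOTING: Dict[int, int] = {4: 2, 3: 2, 2: 1, 1: 1}


@dataclass(frozen=True)
class Signal:
    """Initiation signal of one division: binary value plus validity flag."""
    value: bool
    valid: bool


def acquire(raw: Optional[float], acquisition_fault: bool = False) -> Tuple[Optional[float], bool]:
    """First level of processing: the signal is invalidated when the measuring
    range is violated or an acquisition fault was detected; otherwise the
    physical value used by the processing is returned with valid=True."""
    if acquisition_fault or raw is None:
        return None, False
    if not RANGE_MIN <= raw <= RANGE_MAX:
        return None, False
    return raw, True


def initiate(value: Optional[float], valid: bool, processing_fault: bool = False) -> Signal:
    """Initiation processing: compare with the threshold. An invalid input or a
    detected failure in the initiation processing invalidates the signal."""
    if not valid or processing_fault or value is None:
        return Signal(value=False, valid=False)
    return Signal(value=value >= THRESHOLD, valid=True)


def vote_2oo4(signals: List[Signal]) -> Optional[bool]:
    """Actuation processing, step 1: 2-out-of-4 voting over the four divisions'
    initiation signals, downgraded according to DEGRADED_VOTING when signals are
    invalidated. Returns the initiation order, or None if no valid signal remains
    (assumption: no order can be formed without at least one valid signal)."""
    if len(signals) != 4:
        raise ValueError("exactly four redundant initiation signals are expected")
    valid = [s for s in signals if s.valid]
    if not valid:
        return None
    needed = DEGRADED_VOTING[len(valid)]
    return sum(1 for s in valid if s.value) >= needed


def actuate(order: Optional[bool], permissive: bool) -> bool:
    """Actuation processing, step 2: the initiation order is combined with the
    permissive/interlock signal to produce the actuation signal."""
    return bool(order) and permissive


def run_channel(readings: List[Optional[float]],
                acquisition_faults: Optional[List[bool]] = None,
                permissive: bool = True) -> Dict[str, object]:
    """Run the chain for the four divisions and return the intermediate results."""
    faults = acquisition_faults or [False] * 4
    signals = [initiate(*acquire(r, f)) for r, f in zip(readings, faults)]
    order = vote_2oo4(signals)
    return {
        "signals": signals,
        "initiation_order": order,
        "actuation": actuate(order, permissive),
    }


if __name__ == "__main__":
    # Constructed sample: division 3 reports an out-of-range value (sensor failure),
    # divisions 1 and 2 exceed the threshold, division 4 is normal. The voter
    # degrades to 2-out-of-3 and still produces the initiation order.
    result = run_channel([160.0, 158.0, 250.0, 120.0])
    print(result["initiation_order"], result["actuation"])
```

A single division exceeding the threshold while the other three are valid and normal does not produce an order, which is the upstream spurious-actuation property of 1.3.2.1; with two valid signals the assumed table falls back to 1-out-of-2 and one set signal suffices.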
1.4.1.2.5 Closed loop control processing
This function is specific to control loop processing (not shown in G.3 FIG 2): the physical parameter that is controlled is acquired by the Measurement Data Acquisition part in the four divisions, then analogue values are sent within the division to units dedicated to closed control loop actuations.
1.4.1.3. Composition
Figures G.3 FIG 3, FIG 4 and FIG 8 illustrate the "Equipment Architecture".
Figure G.3 FIG 6 shows the relation between the "Functional Structure" and the "Equipment Architecture" of the Protection System.
The architecture applies to the four divisions of the plant; it involves the following types of unit:
1.4.1.3.1 Remote Acquisition Units (RAU)
This kind of unit is dedicated to measurement acquisition and transmission of the acquired measurements to units dedicated to processing functions in all divisions. These units ensure the Measurement Data Acquisition role in the functional architecture.
1.4.1.3.2 Acquisition and processing units (APU)
These units are dedicated to the Initiation Processing functional task, but they are also able to perform measurement acquisition functional tasks.
1.4.1.3.3 Actuators Logic Units (ALU)
These units are dedicated to actuation processing.
1.4.1.3.4 Control units (CU)
These units are dedicated to closed loop control processing.
1.4.1.3.5 Functional distribution
The Protection System implements two different kinds of functions:
- three-level functions, which require data exchange between divisions immediately after acquisition.
- two-level functions, which do not require data exchange after acquisition of measurements.
In the case of three-level functions, the functional structure is implemented in the following units:
- measurement data acquisition is performed by the Remote Acquisition Units.
- initiation processing is performed by the Acquisition and Processing Units.
- actuation processing is performed by the Actuators Logic Units.
In the case of two-level functions, the functional structure is implemented in the following units:
- measurement data acquisition is performed by the Acquisition and Processing Units.
- initiation processing is performed by the Acquisition and Processing Units.
- actuation processing is performed by the Actuators Logic Units.
In the case of the NUSO support system function (e.g. load shedding sequence), the whole functional structure described in G.3 FIG 2 is implemented in the APU. For safety and availability reasons, the processing is performed three times, in three APUs of each division (see G.3 FIG 6). The order is then transmitted to PACS through a 2-out-of-3 hard-wired module.
The other support system functions are engineered like classic ESFAS functions (see G.3 FIG 6).
In the case of the closed loop control function, the measurement data acquisition part is ensured by one APU. All the other parts of the functional structure are implemented in the CU (see G.3 FIG 6). The two CUs are organized in master / hot standby devices to pilot the control valve.
1.4.1.3.6 General description
To take advantage of the existence of two signals for a given safety action, the F1A part of the Protection System is organised in two independent subsystems (see G.3 FIG 3).
Sensors are acquired by RAU or APU on subsystem A or B. For some special cases a sensor may be acquired by both subsystems (see G.3 FIG 4).
Actuators can be controlled either by subsystem A, subsystem B, or both (see G.3 FIG 4).
- Reactor Trip:
- is controlled at the ALU level on subsystem A.
- is controlled at the ALU level on subsystem B.
- ESFAS are controlled at the ALU level on subsystem A or B.
- NUSO Support System functions are controlled at the APU level on subsystem A and B.
- USO Support System functions are controlled at the ALU level on subsystem B.
The F1B part of the Protection System is composed of several units dedicated to:
- MCS [SICS] management (called the Panel Interface unit),
- Information transfer management (called Monitoring and Service Interface unit).
The Panel Interfaces (divisions 2 and 3) are connected to the four Monitoring and Service Interface units to permit information synthesis.
Monitoring and Service Interface Units provide the interfaces with the lower-classified equipment devices:
- RCSL interfaces in the four divisions,
- gateways located in divisions 1 and 4,
- service units that support the MMI interface of the PS [RPS] for test, diagnosis and maintenance purposes.
1.4.2. INSTALLATION
To conform to spatial separation requirements, the four trains of the Protection System and the I&C electrical equipment are located within the four safeguard buildings. The Protection System I&C equipment is therefore arranged within the I&C cabinet rooms of safeguard buildings SB1 to SB4.
1.4.3. INTERFACES WITH THE REST OF THE I&C
The Protection System is implemented at level 1 of the automation structure. Its interfaces and relations with other systems of levels 0, 1 and 2 are represented in G.3 FIG 1. The following description refers to this figure.
1.4.3.1. INPUT
The Protection System receives manual control signals from the Process Information and Control System (MCP [PICS]) and the Safety Information and Control System (MCS [SICS]) to reset some actions initiated automatically by the Protection System or to start some protection actions.
The Protection System performs data acquisition (analogue, binary, etc.) of signals issued from instrumentation systems or from limit switch values.
The Protection System exchanges the necessary information for commissioning, maintenance and periodic testing purposes with the Service Centre.
See Table G.3 TAB 1 for an overview of the inputs provided by the other I&C systems.
1.4.3.2. OUTPUT
The Protection System provides information for the Safety Information and Control System (MCS [SICS]) and the Process Information and Control System (MCP [PICS]).
The Protection System provides the Reactor Trip devices with control signals for reactor trip actuation.
The Protection System provides the Priority and Actuator Control System (PACS) with control signals for actuator position changes.
The Protection System provides information for the Reactor Control Surveillance and Limitation System (RCSL), the Process Automation System (PAS) and the Safety Automation System (SAS).
See G.3 TAB 2 for an overview of the destination of the Protection System outputs.
1.5. OPERATION MODES
The Protection System is composed of a set of units (APU, ALU, etc.) in which the main component is a CPU.
The following description concerns the operation modes of a unit.
G.3 FIG 7 gives the details of the operation modes and their interactions.
The operation states of a unit are the following:
Start Up : on start-up of the function processor, multiple steps of an initialization routine are executed. First a low-level boot monitor controls the hardware initialization and triggers comprehensive start-up self-tests. After successful start of the operating system kernel, the INIT module of the runtime environment (RTE) takes over control of the CPU to complete the initialization phase of the RTE. If the initialization should fail, the cyclic operation will not be commenced and the INIT module ends in an endless loop without enabling output signals. After initialization has been successfully completed, the function processor is changed to normal operation.
Cyclic operation : cyclic operation is the normal mode of a function processor. It remains in this status until it is reset, either manually or as a consequence of any exception caused by a random hardware fault or power switch-off. A transition to other operation modes can only be initiated by the Service Unit.
Trace mode : In this mode it is not possible to impact the cyclic operation of a function processor by the Service Unit. The functionality for tracing a specified scope of processed signal data from the Service Unit is already included in this CPU operating mode. Tracing can be initiated for any selected signals belonging to the function diagrams presented on the Service Unit.
Parameterization : A prerequisite for this mode is the release for changing to the parameterization mode. In this mode, the application software (function diagram group modules) continues to be processed in the same way as in the “cyclic operation” mode. The reason for introducing this specific release before changing into the “parameterization mode” is to implement an administrative barrier before some set-points may be changed. A return to normal “cyclic operation” is possible at any time without additional conditions. During operation of the I&C, only the parameters that were previously designed as “changeable during cyclic operation” (e.g. for optimising a close-loop control or adapting parameters in case of a stretch-out operation) can be changed via the Service Unit.
Functional Test : This state is used for troubleshooting. A prerequisite for this mode is the validation for switching to the “function test” mode with respect to:
- plant operating conditions (decision by the shift personnel), and
- the operating modes of the TELEPERM XS system in other initiation trains.
If one processor in another chain is already in functional test mode or is identified not to be in normal operation, then release for switching to test mode of an additional processor is inhibited.
When changing to test mode, cyclic processing of the application functions is stopped.
Processing functions are activated according to test conditions by means of additional control commands sent by the Service Unit:
- activation / deactivation of input / output drivers,
- activation / deactivation of message send and message receive functions,
- activation / deactivation of function diagram module processing,
- preliminary filling of data in input and output buffers,
- tracing of signals.
The “functional test” operating mode is always exited by a processor reset and automatic restart. After a start-up time of about 10 seconds, processing is continued in “cyclic operation” mode.
Diagnosis : A prerequisite for this mode is the release for switching to the “diagnosis” mode. The release depends on the decision by the maintenance shift and the TELEPERM XS systems operating mode in the other initiation trains. In "Diagnosis mode" all of the "Functional Test mode" functions can be performed. The additional function is essentially software loading. In some very exceptional cases, specific test routines can be loaded and run. The “diagnosis” operating mode is always exited by a processor reset followed by an automatic restart.
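The mode transitions and release conditions described above, modelled as an added example (not code from this document or from the TELEPERM XS platform). The class and function names, the `release` flag standing for the administrative release by shift or maintenance personnel, and the treatment of trace and parameterization as "normal operation" for the cross-train interlock are assumptions of this example.

```python
from dataclasses import dataclass, field
from enum import Enum, auto


class Mode(Enum):
    START_UP = auto()
    CYCLIC = auto()            # normal operation
    TRACE = auto()
    PARAMETERIZATION = auto()
    FUNCTIONAL_TEST = auto()
    DIAGNOSIS = auto()
    HALTED = auto()            # INIT module endless loop after a failed initialization


# Modes in which the application software keeps being processed cyclically.
# Counting these three as "normal operation" for the cross-train interlock
# is an assumption of this example.
NORMAL_OPERATION = {Mode.CYCLIC, Mode.TRACE, Mode.PARAMETERIZATION}
# Modes that can only be left by a processor reset and automatic restart.
RESET_ONLY_EXIT = {Mode.FUNCTIONAL_TEST, Mode.DIAGNOSIS}


@dataclass
class Processor:
    train: int
    mode: Mode = Mode.START_UP
    outputs_enabled: bool = False
    processing: bool = False            # application functions processed cyclically
    parameters: dict = field(default_factory=dict)
    # names of the parameters designed as "changeable during cyclic operation"
    changeable: frozenset = frozenset()


class ModeManager:
    """Service-Unit-side decision logic for one set of redundant trains (hypothetical)."""

    def __init__(self, processors):
        self.procs = {p.train: p for p in processors}

    def complete_start_up(self, train, init_ok):
        """Start Up: self-tests and RTE initialization either lead to cyclic
        operation, or leave the INIT module looping with outputs never enabled."""
        p = self.procs[train]
        if p.mode is not Mode.START_UP:
            return False, "not in start-up"
        p.mode = Mode.CYCLIC if init_ok else Mode.HALTED
        p.outputs_enabled = p.processing = init_ok
        return True, p.mode.name

    def reset(self, train):
        """Manual or exception-triggered reset: outputs off, then automatic restart."""
        p = self.procs[train]
        p.mode, p.outputs_enabled, p.processing = Mode.START_UP, False, False
        return True, "restarting"

    def others_all_normal(self, train):
        return all(q.mode in NORMAL_OPERATION
                   for t, q in self.procs.items() if t != train)

    def request(self, train, target, release=False):
        """Mode change requested from the Service Unit for one processor."""
        p = self.procs[train]
        if p.mode in RESET_ONLY_EXIT:
            return False, f"{p.mode.name} is only exited by reset and restart"
        if p.mode not in NORMAL_OPERATION:
            return False, "processor not in cyclic operation"
        if target is Mode.CYCLIC:
            p.mode = Mode.CYCLIC          # possible at any time, no conditions
            return True, "back to cyclic operation"
        if target is Mode.TRACE:
            p.mode = Mode.TRACE           # does not impact cyclic processing
            return True, "tracing enabled"
        if target is Mode.PARAMETERIZATION:
            if not release:               # administrative barrier before set-point changes
                return False, "release for parameterization missing"
            p.mode = Mode.PARAMETERIZATION
            return True, "parameterization enabled"
        if target in RESET_ONLY_EXIT:
            if not release:
                return False, f"release for {target.name} missing"
            if not self.others_all_normal(train):
                return False, "another train is not in normal operation"
            p.mode, p.processing = target, False   # cyclic processing stops
            return True, f"{target.name} entered"
        return False, "unknown target"

    def set_parameter(self, train, name, value):
        """Only parameters designed as changeable may be changed, and only in
        parameterization mode."""
        p = self.procs[train]
        if p.mode is not Mode.PARAMETERIZATION:
            return False, "not in parameterization mode"
        if name not in p.changeable:
            return False, f"{name} is not changeable during cyclic operation"
        p.parameters[name] = value
        return True, "changed"
```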
1.6. TECHNOLOGY USED
The equipment used to implement the Protection System is the TELEPERM XS digital I&C platform.
The digital TELEPERM XS instrumentation and control (I&C) system is intended for applications relevant to safety in nuclear power plants. It was developed for installation in new nuclear power plants as well as for upgrading and retrofitting I&C systems in existing plants.
Outstanding features of TELEPERM XS are the flexible task-oriented architecture which enables economical and space-saving solutions for all types and sizes of nuclear power plants and the advanced concept that guarantees long system life by using interface and communication standards wherever possible and up-to-date methods for engineering and maintenance.
The major advantages of employing digital processors in systems relevant to safety include:
- early detection of faults by cyclic self-monitoring,
- early detection of faults by improved monitoring of peripheral equipment (transducers, peripheral interfaces),
- protection against faulty signals by fault detection measures for serial data transmission,
- increased fault tolerance compared to hard-wired systems through introduction of a signal status for marking faulty signals,
- digital signal processing, unaffected by drift or electromagnetic interference,
- galvanic decoupling by use of optic fibre for serial data transmission,
- automation of plant engineering and documentation, ensuring the best possible consistency and correctness of documentation.
1.7. POWER SUPPLY
The Protection System is supplied with uninterruptible power at the suitable voltage (24 V DC).
Each cabinet is required to be connected to two redundant DC power supplies. The incoming feeders of these power supplies are electrically isolated from each other, using diodes for instance.
During normal operation, both DC power supplies are supported by the Uninterruptible Power Supply (UPS) of the relevant division. In case the UPS of the given division is unavailable, one of the two DC power supplies can be switched to the UPS of the neighbouring division.
To enable standardized signal conditioning, the power supply and signal output of remote measurements is standardized.
1.8. PERIODIC TESTS
The main principles and requirements for periodic testing are listed below:
- the test equipment is independent from the tested equipment,
- "transparency" of periodic tests: for the tested unit, there is no difference between normal operation and periodic testing,
- periodic tests are highly automated,
- the test equipment is NC classified.
2. SAFETY AUTOMATION SYSTEM (SAS) ARCHITECTURE
2.0. SAFETY REQUIREMENTS
The SAS I&C system is subject to the safety requirements applicable to F1B I&C systems, due to the I&C management associated with the F1B safety functions (not performed by the PS [RPS]).
The SAS system ensures the processing of automatic and manual actions, together with the associated monitoring, necessary for the performance of the safety functions detailed below:
2.0.1. SAFETY FUNCTIONS
The SAS contributes to the three basic safety functions (control of radioactivity, residual heat removal, and radioactive substance containment) as part of the management of I&C processing.
With regard to safety analysis, the SAS system performs:
- F1B I&C functions,
- F2 seismic classified I&C functions (F2E).
2.0.2. DESIGN REQUIREMENTS
As part of the F1B functions, whose automation and manual control functions and associated monitoring it ensures, the SAS system must meet the requirements detailed below. These requirements must be met for all the functions managed by the SAS (including the part of the PACS functions processed by SAS equipment, according to 4.0 of this Sub-chapter).
2.0.2.1. Requirements resulting from the functional and mechanical classifications
2.0.2.1.1 Functional classification of the system
The SAS system must be safety-classified, in accordance with the classification indicated in sub-chapter C.2.
2.0.2.1.2 Single failure criterion (active and passive)
The single failure criterion must be applied to the SAS system at the functional level (cf. section C.2.1) by integrating a sufficient degree of redundancy, structure, and adequate provisions.
If periodic tests are possible and are performed (according to the principles defined in sub-chapter C.1 and detailed in section G.3.2.0.2.1.7), then the system must be designed with sufficient redundancy that it can continue to process F1B safety functions even in the event of equipment being unavailable due to testing, and other equipment being assumed unavailable due to application of the single failure criterion (at the level for F1B system functions).
Independence and physical separation: The SAS system is subject to these requirements, which lead to the requirement for physical and electrical independence of the equipment in the four I&C divisions upon which it depends.
2.0.2.1.3 Emergency power supplies
The electrical power supply for the SAS equipment must be backed up by the main diesel sets. Moreover, the power supply must be of the uninterruptible type, guaranteeing the power supply even during switching between normal power and diesel power (i.e. it must ensure that the SAS safety functions can continue without interruption).
The SAS system must be powered from the same division as that of the processes it activates, each division being electrically and physically independent of the three others in a way that eliminates the possibility that a single hazard/failure can affect more than one division.
2.0.2.1.4 Qualification under operating conditions
The SAS equipment must remain operational in post-accident conditions, and must therefore meet the qualification requirements defined in sub-chapter C.7.
Moreover, this equipment must be operational in both normal and extreme environmental conditions applicable to the automation rooms in which it is located. These conditions are defined in section I.4.1.
2.0.2.1.5 Mechanical, electrical, and I&C classifications
The mechanical and electrical classifications do not apply to I&C equipment.
The classification of the SAS I&C equipment is as follows, (in accordance with the principles defined in sub-chapter C.2):
- E1B class for the SAS equipment processing F1B safety functions
- E2 class for the SAS equipment processing F2E safety functions
2.0.2.1.6 Seismic classification
The SAS equipment necessary to process F1B and F2E functions must be seismic class 1 (SC1).
2.0.2.1.7 Periodic testing
The I&C functions managed by the SAS must be tested periodically (as defined in section C.2.1):
- for the I&C processing associated with F1B functions
- for the I&C processing associated with the F2E functions, when these are not in continuous operation.
The SAS system must be designed to allow periodic tests.
2.0.2.1.8 Additional requirements
Not applicable
2.0.2.2. Other regulation requirements
2.0.2.2.1 Basic Safety Rule
The following Basic Safety Rules are applicable to the System:
II.4.1.a "Safety Classified Electrical Systems Software"
II.2.b "Requirements for the design, qualification, deployment and operation of safety-classified electrical hardware"
2.0.2.2.2 Technical Guidelines
The technical guidelines detailed in Chapter C.1 (specifically G 3.4 and G 3.7) must be taken into account in the design of the SAS system.
2.0.2.2.3 EPR-specific texts
The SAS equipment must meet the requirements of RCC-E.
2.0.2.3. Hazards
a) Requirements for which the general installation provisions provide protection of the system against hazards:
The SAS system must be protected against common mode failures which can be generated by internal or external hazards according to the requirements defined in sub-chapters C.3 (external hazards) and C.4 (internal hazards). This leads to the independence (physical and electrical) of each of the four divisions housing the SAS equipment.
b) Requirements for system protection against particular hazards
Not applicable
c) Hazards not relevant to the system
Not applicable
2.0.3. TESTING
After installation, the SAS system must be subject to pre-operational testing to verify that it conforms to the system performance required in the design.
The requirements for periodic testing are set out in section G.3.2.0.2.1.7.
2.1. ROLE
The role of the SAS is to manage the F1B and F2E automated functions, manual controls and associated monitoring required for the nuclear and conventional islands. (F1B and F2E are defined in section G.3.2.0.1)
2.2. FUNCTIONS PROVIDED
The I&C functions processed by the SAS are the following:
- data processing: acquisition and conditioning
- processing of application calculations: closed loop controls, generation of individual and grouped commands (simultaneous or sequential), controls prioritisation, generation of various information intended for other I&C units, etc.
- processing of monitoring signals: Processing of status and fault check-backs, generation of alarms and signalisations.
2.3. DESIGN BASIS
2.3.1. AVAILABILITY REQUIREMENTS
The main availability requirements for the SAS are linked to the reliability and the maintainability of the system i.e.:
- to limit the loss of SAS due to failure of one of its components (mainly by component redundancy)
- to facilitate the maintenance and repair of the SAS to minimise downtime
2.3.2. REQUIRED PERFORMANCE
The SAS is subject to particular performance requirements:
Response time requirements:
o maximum time from the variation of an input (logic or analogue) to transmission to an output interface.
o maximum time from the receipt of a manual command to its transmission to an output interface
These global criteria are applied to the SAS as follows:
- for a manual command, see section G.3.3.3.3
- for an automatic command:
o acquisition of a logic input, calculation of a logic command, and transmission to an output interface.
o acquisition of an analogue input, calculation of a logic or analogue command, and transmission to an output interface.
The SAS must contribute to fulfilling the global criteria described above and in section G.3.3.3.3.
In particular, the two acquisition, processing and transmission actions performed by the SAS must be compatible with the required total response time (including MCS [SICS], SAS and level 0).
Sizing requirements:
o static sizing includes the number of actuators, sensors and functions that the SAS supports.
o dynamic sizing includes sampling and processing times, taking into account the way in which the considered function is processed (periodic or event-triggered).
2.3.3. AMBIENT CONDITIONS
The ambient conditions that the SAS must tolerate are linked to the temperature and relative humidity of the rooms housing this equipment. The environmental characteristics are defined in section I.4.1, for normal and extreme conditions.
2.3.4. HUMAN-MACHINE INTERFACE REQUIREMENTS
No requirements for the SAS.
2.4. ARCHITECTURE
2.4.1. STRUCTURE AND COMPOSITION
The structure and composition of the SAS are dictated by the functional requirements. This set of requirements affects the allocation of Instrumentation & Control processing tasks to the various components within the SAS.
These functional requirements relate to:
- The functional classification of the processing (typically F1B and F2 for SAS), although in certain situations (see below) the SAS could be required to run certain non-classified processes.
- The electrical division (together with the processing cabinet, and associated actuators and sensors)
- The classification of processing to be performed (affecting the choice of input/output card types for example)
- The processing performance requirements (response times, propagation times, accuracy)
- The processing groupings / exclusions which require certain processes to be grouped (due to the requirement to simultaneously shut down all these processes in the event of malfunction of the part of the CC [I&C] system that manages it), or conversely, that certain processing groups need to be managed by different SAS equipment units (due to the requirement to maintain a group of processes despite the loss of others due to a malfunction).
Moreover, the SAS structure takes into account the segmentation of the process being controlled, dictated by the number, geographic siting and type of actuator and sensor interfaces to be managed.
For a given safety function, different combinations are possible, for example:
- 4 x 100%: 1 mechanical train of 4, with its associated I&C, is necessary to fulfil the safety function
- 4 x 50%: 2 mechanical trains of 4, with their associated I&C, are necessary to fulfil the safety function
- 2 x 100%: 1 mechanical train of 2, with its associated I&C, is necessary to fulfil the safety function
In order to prevent an SAS internal failure affecting more than one mechanical train, each mechanical train is controlled by an SAS sub-group in the same division as the mechanical train.
2.4.2. INSTALLATION
The SAS equipment is distributed within the 4 divisions. The equipment is installed in the I&C cabinet rooms of divisions 1 to 4 of the safeguard buildings and in the I&C cabinet rooms of the diesel buildings.
The SAS cabinets are positioned considering:
- consistency with the location and division of the actuators and the sensors managed,
- available space, and
- the electrical supplies of the four divisions.
2.4.3. INTERFACE WITH THE OTHER I&C SYSTEMS
The SAS exchanges information with:
- the HMI, MCS [SICS] and MCP [PICS]: related to plant operation by the operator
- the PAS, RCSL and PS [RPS] systems: related to the plant's automation management
- the instrumentation process: associated with measurement and data acquisition
- the cubicles (electrical boards) and the control devices (electro-positioners, etc): associated with actuator controls
- the “external” systems (I&C cabinets for the diesels, etc): associated with the unit's automation management
2.5. OPERATING CONFIGURATIONS
The configuration of the SAS (from hardware and functional points of view) is independent of the plant situation. Processing allocation depends only on functional criteria and on the allocation principles of the I&C system. The configuration of SAS is, from this point of view, constant.
The SAS configuration only depends on the following principle: in the event of malfunction of an active CPU, the system switches to a redundant standby unit. This principle applies to all the redundant SAS boards (CPU boards and communication management boards).
2.6. TECHNOLOGY
This sub-section will be provided after the standard I&C equipment has been chosen.
2.7. POWER SUPPLY
Within each division, SAS is supplied at 230 V AC, by a dual emergency power supply. The first power supply is provided by the main distribution board, the second is provided by the sub-distribution board.
Each mechanical train is controlled by an SAS sub-group located and powered by the same division as the mechanical train.
The voltage required by the SAS cabinets will be regulated internally in cabinets dedicated to their power supply. These power supply cabinets are situated in the same rooms as the SAS cabinets.
2.8. PROVISIONS FOR PERIODIC TESTING
In accordance with RCC-E, F1B safety functions must be periodically tested. F2E functions are also subject to periodic testing when they are not in continuous operation.
The safety function test will allow the verification of the whole control channel, from the sensor (automatic control), or from the MCS [SICS] (manual control), via SAS, up to the change of state of the actuator.
However, if the reconfiguration of the relevant actuator cannot be carried out (for example, during the plant operation), provisions are taken for blocking the control signals during the test, so that the actuator control line can be tested without physically controlling it.
3. ARCHITECTURE OF THE SAFETY INFORMATION AND CONTROL SYSTEM MCS [SICS]
3.0. SAFETY REQUIREMENTS
3.0.1. SAFETY FUNCTIONS
MCS[SICS] contributes to the safety functions supported by the I&C (see section G.1.0.1).
Regarding the safety analysis, the MCS[SICS] provides the operators with sufficient information and controls to reach and maintain the plant at safe shutdown following PCC-2 to PCC-4 type events. The MCS[SICS] is the operating method used for the safety analysis. Therefore, the MCS[SICS] is of Class F1B/E1B.
3.0.2. DESIGN REQUIREMENTS
3.0.2.1. Requirements resulting from the functional and mechanical classifications
3.0.2.1.1 Functional classification of the system
The MCS[SICS] supports different classes of the unit’s I&C functions:
- Not classified
- F2
- F1B
The MCS[SICS] is thus, according to sub-chapters C.2 and G.1, safety-class F1B and must therefore meet the safety requirements listed in the following paragraphs.
3.0.2.1.2 Single failure criterion (active and passive)
a) Functions supported by MCS[SICS]
F1B functions:
The part of the MCS[SICS] which assists in carrying out F1B functions must be designed to meet the single failure criterion, at a functional level, by including sufficient redundancy, a suitable structure, and a suitable set of principles. This part of the MCS[SICS] must therefore remain operational in the event of a combination of a single failure in one of its divisions, and the unavailability of another of its divisions due to maintenance.
The E1B controls and indications of the MCS[SICS] are subject to the requirements of independence and physical and electrical separation between the different I&C divisions on which it depends.
F2 Functions:
The single failure criterion is not applicable to the F2 functions of the MCS[SICS].
NC Functions:
The single failure criterion is not applicable to the NC functions of the MCS[SICS].
In addition, the MCS[SICS] controls are activated by the MCP[PICS]-MCS[SICS] transfer controls, which are independent and separated from the control means, in order to exclude the possibility of a single failure or an internal risk of generating spurious signals and commands.
3.0.2.1.3 Emergency power supplies
The electrical power supply to the MCS[SICS] equipment must be safeguarded by the main diesel sets. Moreover, this power supply must be uninterruptible, guaranteeing a power supply even during switching between normal power and diesel power. In this way, the safety functions performed by the MCS[SICS] can be assured without interruption of service.
The MCS[SICS] equipment must be powered by the same electrical division as the I&C division on which it depends, each division being electrically and physically independent from the others in a way that eliminates the possibility that a single hazard/failure can affect more than one division.
3.0.2.1.4 Qualification under operating conditions
The equipment supporting the MCS[SICS] functions must be qualified for its safety class, according to sub-chapter C.7, and for the normal and extreme environmental conditions under which it would be operating when fulfilling these functions, in accordance with section I.4.1.
3.0.2.1.5 Mechanical, electrical, and I&C classifications
Mechanical classification is not relevant to the MCS[SICS].
Electrical classification is not relevant to the MCS[SICS].
According to sub-chapter G.1 relating to the I&C classification:
- MCS[SICS] equipment ensuring F1B functions must be E1B classified
- MCS[SICS] equipment ensuring F2 functions must be E2 classified
- MCS[SICS] equipment ensuring NC functions must be NC
Hence MCS[SICS] equipment is E1B classified.
3.0.2.1.6 Seismic classification
Due to its F1B classification, the MCS[SICS] system must also belong to seismic class 1 and meet the corresponding requirements, in accordance with the principles in Chapter C.2.
3.0.2.1.7 Periodic testing
Those parts of the MCS[SICS] ensuring F1B functions must be subject to periodic testing.
Those parts of the MCS[SICS] ensuring F2 functions which are not in continuous use must be subject to periodic testing.
Those parts of the MCS[SICS] ensuring F2 functions which are in continuous use and those ensuring NC functions, do not require periodic testing.
3.0.2.2. Other regulation requirements
3.0.2.2.1 Basic Safety Rule
The following Basic Safety Rule is applicable to the system:
IV.2.b "Requirements for the design, qualification, deployment and operation of safety-classified electrical hardware"
3.0.2.2.2 Technical Guidelines
Technical Guidelines (see Chapter C.1) must be taken into account in the design of MCS[SICS].
In particular, G 3.5 of the Technical Guidelines indicates that the MCS[SICS] is a means used for safety assurance.
3.0.2.2.3 EPR-specific texts
The MCS[SICS] equipment must meet the requirements detailed in the RCC-E.
3.0.2.3. Hazards
a) Requirements for which the general installation provisions allow the protection of the system against hazards:
The MCS[SICS] must be protected against common mode failures that could result from internal or external hazards, in accordance with the requirements defined in sub-chapters C.3 (external hazards) and C.4 (internal hazards).
b) Requirements for system protection against particular hazards:
Not applicable
c) Hazards not relevant to the system
Not applicable
3.0.3. TESTS
3.0.3.1. Pre-operational tests
After installation the MCS[SICS] must be subject to pre-operational testing to verify that it complies with the defined design requirements.
3.0.3.2. Monitoring in operation
Not applicable
3.0.3.3. Periodic tests
Those parts of the MCS[SICS] requiring periodic testing according to section G.3.3.0.2.1.7 must be designed so as to allow the testing to be performed.
3.0.4. I&C DESIGN REQUIREMENTS
There are no particular constraints beyond those mentioned in table G.1 TAB 1.
3.1. ROLE
The Safety Information and Control System (MCS[SICS]) is the safety-classified I&C system that provides information and controls necessary to reach and maintain safe shutdown for post-accident operation in the event of unavailability of the MCP[PICS]. The monitoring and control means supported by the MCS[SICS] are not the operating interface preferred by the operating team for monitoring and operating the plant.
Furthermore, the MCS[SICS] is the operating means claimed in the safety analysis of PCC-2 to PCC-4 design conditions. It also contributes to the probabilistic safety evaluation of the plant in so far as it can be used as a diverse source of information.
The main role of the MCS[SICS] is therefore to provide the operators with sufficient controls and information to address the following situations:
- in the event of a short period of unavailability of the MCP[PICS] in normal operation (PCC-1): to monitor and control the plant in a steady power state,
- in the event of a longer period of unavailability of the MCP[PICS] in normal operation (PCC-1): to shut down and keep the plant in a safe state,
- in the event of unavailability of the MCP[PICS] during PCC 2 to 4 design conditions: to monitor the plant and initiate appropriate post-accident functions to reach and maintain safe shutdown conditions.
In the event of fire, if the operating team uses the MCS[SICS], then the fire-fighting functions can also be initiated from the MCS[SICS].
When the MCP[PICS] is available in the Main Control Room, the MCS[SICS] is also active in the following circumstances:
- Periodic testing associated with the MCS[SICS]
- In accident situations, monitoring of the main safety parameters and of the state of the safety systems (information search on a facility diverse from that of the MCP[PICS]).
3.2. FUNCTIONS SUPPORTED
The MCS[SICS] performs the following control and monitoring functions:
- display of process information.
- control functions.
- alarm display and processing.
- analogue data recording.
- interface functions (filtering, data transmission).
- test functions.
3.3. DESIGN PRINCIPLES
3.3.1. SPECIAL PROVISIONS
The particular design provisions that must be taken into account for the MCS[SICS] are as follows:
- the MCS[SICS] must be functionally independent of the MCP[PICS] so that under no circumstances can failure of the MCP[PICS] have consequences on the MCS[SICS].
- When the MCS[SICS] is in service (see State 3 of section G.3.3.5), the MCP[PICS] controls must be deactivated.
- no internal hazard in the main control room resulting in the loss of MCS[SICS] may also result in the loss of the RSS workstations.
- The MCS[SICS] must meet the human-machine interface requirements described in Chapter Q and section G.3.3.3.5.
3.3.2. AVAILABILITY REQUIREMENT
The MCS[SICS] is a diverse back-up to the MCP[PICS].
The monitoring and control means provided by the MCS[SICS] are not normally used by the operators to operate the plant.
3.3.3. REQUIRED PERFORMANCES
The MCS[SICS] is subject to the following performance criteria:
- response time requirements: as for the MCP[PICS] (see section G.4.1.3.2), the MCS[SICS] must meet response time requirements. The use of hardwired links for the transmission of data, without data processing guarantees that the response time is equal to or less than for the MCP[PICS].
- sizing requirements: the MCS[SICS] must support all the conventional control and monitoring devices necessary for the operator to perform the tasks described in section G.3.3.1, without requiring any other means than the MCS[SICS]. Notably, operation from the MCS[SICS] must be possible without the wall-mounted mimic panel.
3.3.4. AMBIENT REQUIREMENTS
As the MCS[SICS] panels are installed in the Main Control Room, the environmental requirements that they have to withstand are those of the MCR.
The conditions are classified into two categories:
- the environmental conditions that the equipment must endure. This includes temperature and relative humidity,
- the contribution of the equipment to the environmental conditions. This includes noise level and dissipated heat.
3.3.5. HUMAN-MACHINE INTERFACE REQUIREMENTS
The arrangement of the MCS[SICS] into panels must meet ergonomic requirements (suitability for operator tasks) and requirements for independence (mainly physical separation) between equipment packages connected to different divisions.
The detailed list of different information and controls that must be provided by the MCS[SICS] is determined by analysing the tasks that must be performed. Information related to the means implemented on the MCS[SICS] can be found in Chapters M and Q.
3.4. ARCHITECTURE
3.4.1. STRUCTURE AND COMPOSITION
The MCS[SICS] consists of a set of conventional controls and displays (push buttons, light indicators, analogue displays, recorders etc.) that are directly connected to the appropriate level in the I&C architecture (PS[RPS], RCSL, SAS or PAS) and arranged on the panels. Due to its nature the MCS[SICS] has no data processing capability and receives information from level 1 systems.
3.4.2. INSTALLATION
The MCS[SICS] panels are installed in the Main Control Room.
3.4.3. INTERFACES WITH THE OTHER I&C SYSTEMS
The MCS[SICS] has two types of interfaces:
- interface with the operator in the control room,
- interface with the automation level (PS[RPS], PAS, SAS)
3.5. OPERATING MODES
The MCP[PICS], in the Main Control Room, is the preferred means of operating the plant. The operating team operates from the MCS[SICS] when insufficient operator workstations are available in the Main Control Room or if the MCP[PICS] is completely unavailable.
In case of the loss of the Main Control Room due to an internal hazard (such as fire), operation by the MCS[SICS] and the MCP[PICS] in the Main Control Room is no longer possible. In that situation, the operating team uses the MCP[PICS] control facilities in the Remote Shutdown Station.
The principles of transfer between the different control facilities are managed by the operating procedures.
Typically the MCS[SICS] modes of operation are as follows:
- State 1: passive state
o MCS[SICS] controls are deactivated.
o information is operational.
- State 2: Intermediate state
o the MCS[SICS] is not in service but periodic tests can be performed
- State 3: active state
o MCS[SICS] is in service, the MCS[SICS] functions are available, the MCP[PICS] controls are deactivated.
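The facility-selection rules of section 3.5 and the three MCS[SICS] states listed above, modelled as an added example. This code is not part of the UK-EPR document and is not an implementation from any EPR I&C system; the facility and state names follow the text, while the function names, the constructed `PlantHmiStatus` inputs and the assumption that a periodic test in progress corresponds to State 2 are assumptions made for the illustration.

```python
"""Added example: control-facility selection (section 3.5) and MCS[SICS]
states, with the section 3.3.1 rule that MCS[SICS] and MCP[PICS] controls
are never enabled together in the Main Control Room."""
from dataclasses import dataclass
from enum import Enum


class SicsState(Enum):
    PASSIVE = 1        # State 1: MCS[SICS] controls deactivated, information operational
    INTERMEDIATE = 2   # State 2: not in service, periodic tests can be performed
    ACTIVE = 3         # State 3: in service, MCP[PICS] controls deactivated


@dataclass(frozen=True)
class PlantHmiStatus:
    """Constructed inputs describing the state of the control facilities (assumed names)."""
    mcr_habitable: bool          # Main Control Room not lost to an internal hazard
    pics_available: bool         # MCP[PICS] usable in the MCR
    pics_workstations: int       # operator workstations currently available in the MCR
    workstations_required: int   # workstations the operating team needs


def select_control_facility(s: PlantHmiStatus) -> str:
    """Return the facility the operating team uses, following section 3.5.

    Loss of the MCR overrides everything (fall back to the RSS); otherwise the
    MCP[PICS] in the MCR is preferred, and the MCS[SICS] is the diverse back-up
    when the MCP[PICS] is unavailable or short of workstations.
    """
    if not s.mcr_habitable:
        # Neither the MCS[SICS] nor the MCP[PICS] in the MCR is usable.
        return "MCP[PICS] in Remote Shutdown Station"
    if s.pics_available and s.pics_workstations >= s.workstations_required:
        return "MCP[PICS] in Main Control Room"
    return "MCS[SICS] in Main Control Room"


def sics_state_for(s: PlantHmiStatus, periodic_test_in_progress: bool = False) -> SicsState:
    """Map the selected facility to an MCS[SICS] state (assumption: a test puts it in State 2)."""
    if select_control_facility(s) == "MCS[SICS] in Main Control Room":
        return SicsState.ACTIVE
    return SicsState.INTERMEDIATE if periodic_test_in_progress else SicsState.PASSIVE


def controls_enabled(state: SicsState) -> dict:
    """Which means are enabled in a given state; the two control sets are mutually exclusive."""
    sics_on = state is SicsState.ACTIVE
    return {
        "MCS[SICS] controls": sics_on,
        "MCP[PICS] controls": not sics_on,
        "MCS[SICS] information": True,   # information display is operational in every state
        "MCS[SICS] periodic test permitted": state is SicsState.INTERMEDIATE,
    }
```

The mutual exclusion in `controls_enabled` is the property a reviewer would check first: in no state are both the MCS[SICS] and the MCP[PICS] controls active, and the MCS[SICS] information display is available whatever the state.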
3.6. TECHNOLOGY
The standard technical solution for the MCS[SICS] is based on the use of conventional technology. The choice of equipment conforming to the requirements stated in this Chapter will be defined following completion of detailed studies.
3.7. POWER SUPPLY
The MCS[SICS] is supplied by 230 V AC sources from 4 divisions in such a way that the loss of an electrical division does not lead to the total loss of the MCS[SICS]. Additional equipment permits adjustment of the voltage of the MCS[SICS] equipment. Each control facility is supplied by its own electrical division, which is backed up by the emergency diesel generator.
The controls and indications for the conventional island are supplied by equipment in the BLNC (unclassified electrical building).
Isolation measures are provided to maintain the electrical separation of the MCS[SICS] equipment of the different divisions.
3.8. PROVISIONS FOR PERIODIC TESTING
The MCS[SICS] must be periodically tested in accordance with section G.3.3.0.2.1.7, and hence the MCS[SICS] configuration (in particular “State 2” described in section G.3.3.5) must allow such testing.
Testing of each of the safety functions that are subject to periodic testing will allow verification of the complete control channel, from the sensor (automatic control), or from the MCS[SICS] (manual control), via the I&C processing equipment, up to the change of state of the actuator.
However, if the actuation of an actuator under test is not acceptable (e.g. during plant operation), then provisions are made to block the control signals during the test, so that the actuator control line can be tested without actually changing the actuator’s state.
4. MANAGEMENT OF PRIORITY AND ACTUATION CONTROL (PACS)
4.0. SAFETY REQUIREMENTS
The PACS is provided to control and monitor each actuator under all plant operating conditions.
In terms of safety, the PACS must ensure the automation functions associated with the control and monitoring of the actuator to achieve the safety function.
The PACS functions are as follows (see detailed functions and their distribution in section G.3.4.2):
- Management of control priority, which splits into two sub functions: One prioritises the commands received by the PAS or SAS, and the other prioritises the commands received by the electrical cubicle powering the actuator
- Control of the switching device
- Monitoring of the actuator
- Essential protection of the components.
The functions are managed by two sets of equipment, as follows:
- PAS (or SAS, according to the function required): Assures one part of the "Management of control priority" function, and the "actuator monitoring" function
- Electrical cubicle: Assures the other part of the "Management of control priority" function and the “Control of the switching device” function and the "Essential protection of components" function.
PACS has the same functional classification level as the actuator it controls (PACS F2 for an F2 actuator, PACS F1B for an F1B actuator, and PACS F1A for an F1A actuator) for functions requiring such classification.
The safety requirements for the PACS apply also to PAS / SAS and to the electrical cubicle, as follows:
- PACS F2: Requirements identical to those defined in Chapter G.4.2.0 "Safety requirements", as well as the PACS functions managed by PAS and those managed by the cubicle (except for the classification requirements detailed in 4.0.2.1.5 and 4.0.2.1.6 of this sub-chapter applicable only to the cubicles),
- PACS F1B: Requirements identical to those defined in 2.0 of this sub-chapter "Safety requirements", as well as PACS functions managed by SAS and those managed by the cubicle (except for the classification requirements detailed in 4.0.2.1.5 and 4.0.2.1.6 of this Sub-chapter applicable only to the cubicles)
- PACS F1A:
o for the PACS functions managed by the PAS (actuator not subject to automation and F1B or F2E controls): requirements defined in Chapter G.4.2.0 “Safety requirements”
o for the PACS functions managed by the SAS (actuator subject to automation and F1B or F2E controls): requirements defined in 2.0 of this Sub-chapter “Safety requirements”
o for the PACS functions managed by the cubicle (F1A functions): given herein (see “Important” below).
- PACS NC (NC actuator): No safety requirements.
Important: for ease of understanding, section 4.0 only defines the safety requirements applicable to the PACS F1A functions which manage the electrical cubicle. The requirements applicable to PACS F2 and F1B are defined elsewhere, as listed above.
4.0.1. SAFETY FUNCTIONS
The PACS is involved in the three basic safety functions (control of reactivity, residual heat removal, and radioactive substance containment) as part of the management of I&C processing associated with the following functions:
- F1A functions
The PACS must support F1A automation functions (for the functions not managed by the PS [RPS]), and hence it is E1A classified.
4.0.2. DESIGN REQUIREMENTS
In terms of the F1A functions for which it manages the automation processing, the PACS must meet the following requirements:
4.0.2.1. Requirements resulting from the functional and mechanical classifications
4.0.2.1.1 Functional classification of the system
The PACS system is safety-classified, in accordance with the classification principles in sub-chapter C.2.
4.0.2.1.2 Single failure criterion (active and passive)
The single failure criterion is applicable to the PACS, to ensure an adequate degree of redundancy.
If periodic tests of the PACS functions are possible and are undertaken (in accordance with the principles defined in sub-chapter C.1 and applied in section G.3.4.8), then the PACS must be provided with sufficient redundancy to ensure that it can continue to process F1A safety functions even if some of the equipment is unavailable due to testing and further equipment is assumed to fail as a result of the application of the single failure criterion.
Independence and physical separation: the PACS is subject to these requirements, which lead to the physical and electrical independence of the equipment of the four I&C divisions on which it depends. The PACS of each actuator must be independent of the other PACS: there is no exchange between them. Provision must be made to isolate different equipment items to ensure the PACS functions and avoid common cause failures. Thus, links between the PS [RPS], PAS, SAS and electrical cubicle are hardwired.
4.0.2.1.3 Emergency power supplies
The I&C power supply which is integrated within the electrical cubicle must be backed up by the main diesel generators. Moreover, this power supply must be uninterruptible, which guarantees a power supply even during switching between normal power and diesel power. In this way, the safety functions performed by the PACS can be assured without interruption of service.
The PACS must be supplied by the same division as the division of the actuator it controls, each division being electrically and physically independent of the three others in a way that eliminates the possibility that a single hazard/failure can affect more than one division.
4.0.2.1.4 Qualification for operating conditions
The PACS equipment must remain operational in post-accident conditions, and therefore must meet the qualification requirements defined in sub-chapter C.7.
Moreover, this equipment must be operational in both the normal and extreme environmental conditions applicable to the electrical rooms in which it is installed. These conditions are defined in section I.4.1.
4.0.2.1.5 Mechanical, electrical, and I&C classifications
Mechanical classification does not apply to the electrical equipment.
The electrical cubicles must meet the following requirements:
- electrical classification, due to their actuator powering function. This classification is as follows, conforming to the principles defined in sub-chapter C.2:
o Class EE1 for a cubicle powering an F1 actuator
o Class EE2 for a cubicle powering an F2 actuator
- an I&C classification, because they are part of the I&C ensuring the automation process of the PACS functions set out in section G.3.4.2. This classification is as follows, in accordance with the principles defined in sub-chapter C.2:
o Class E1A for a cubicle managing an F1A actuator
o Class E1B for a cubicle managing an F1B actuator
o Class E2 for a cubicle managing an F2 actuator.
4.0.2.1.6 Seismic classification
The cubicle must be:
- at seismic class 1 (SC1), when managing F1 or F2E functions
- at seismic class 2 (SC2), when managing F2N functions
4.0.2.1.7 Periodic testing
The F1A I&C functions managed by PACS must be subject to periodic testing (as defined in section C.2.1) and hence the PACS must be designed to allow periodic testing.
4.0.2.1.8 Additional requirements
Not applicable.
4.0.2.2. Other regulation requirements
4.0.2.2.1 Basic Safety Rules
PACS not affected
4.0.2.2.2 Technical Guidelines
Technical Guidelines (see section C.1.2 and more specifically section G.3.7) must be taken into account in the design of the PACS.
4.0.2.2.3 EPR-specific texts
The equipment managing the PACS functions must meet the requirements detailed in the RCC-E.
4.0.2.3. Hazards
a) Requirements for which the general installation provisions allow the protection of the system against hazards:
The PACS must be protected against common mode failures that could be generated by internal or external hazards, according to the requirements defined in sub-chapters C.3 (external hazards) and C.4 (internal hazards). This leads to independence (physical and electrical) between the four divisions housing the PACS equipment.
b) Requirements for system protection against particular hazards
Not applicable
c) Hazards not relevant to the system
Not applicable
4.0.3. TESTS
After installation the PACS must be subject to pre-operational testing to verify that it conforms to the system performance required in the design.
The requirement for periodic testing is explained in section G.3.4.8.
4.1. ROLE
The role of the PACS is to ensure control of the actuator, monitoring of its movement, and protection of the electrical components. It is responsible for:
- in terms of actuator control:
o selection of the highest priority command (in the case of simultaneous commands) from all the commands to which the actuator is subject,
o control of the switching device,
- in terms of actuator monitoring: management of the actuator position and any movement failures (excessive manoeuvre time or inconsistency between the expected and actual position of the actuator),
- in terms of the protection of components: detection of malfunctions that could damage the electrical part of the actuator or its electrical power supply.
4.2. FUNCTIONS PROVIDED
In keeping with the functions defined in section G.3.4.1, the PACS ensures the following four functions:
- Management of control priority: Prioritisation of all commands (automatic and manual) governing the actuator, whatever their origin or function, and selection (in the case of simultaneous commands) of the command having the highest priority. The command selected is sent to the PACS function “control of switching device” (cf. below).
The priority of commands is as follows (highest to lowest priority):
o “Essential protection of components” command (protection against damage to the electrical part of the actuator, or to its electrical connection)
o Disconnection command (following a loss of electrical power)
o Reactor protection command (stop)
o Reactor protection command (go)
o Manual command via local IHM[HMI] (IHM[HMI] which can be connected to the electrical cubicle, permitting a direct command to the cubicle, isolated from the automation). Used in an installation start-up situation, or during operations (command if the automation is unavailable).
o Control of a protection device (coming from the process: e.g. very high temperature of a heating battery)
o Operating command (coming from the process: e.g. tripping of a filling pump on low level)
o Manual command from the Reserve Shutdown Panel
o Manual command via the MCS[SICS]
o Manual command via the MCP[PICS]
- Control of the switching device: control of the device which activates movement of the actuator. The command to be executed is received from the function "Management of control priority".
- Monitoring of the actuator: Management partly of the position of the actuator, and partly of its movement failures. The latter function detects a movement malfunction in the actuator: An abnormally long movement time, and inconsistency between the expected and actual position of the actuator.
- Essential protection of the components: generation of a command resulting from malfunction of the moving part of the actuator (short-circuit or surge, insulation fault, etc.) in order to prevent risk of damage to the actuator or to its electrical power supply. This command is passed to the PACS function "management of control priorities", where it is assigned the highest priority level.
The processing of the PACS functions is organised in the following way:
- The PAS/SAS generates automatic commands outside F1A, and acquires the manual commands issued from the centralised HMI (MCP[PICS] or SDR[RSS] and MCS[SICS]). In the case of simultaneous commands, it selects the highest priority command according to the hierarchy defined above (“management of control priority” function). The selected command is sent to the electrical cubicle. Also, PAS/SAS provides monitoring of the actuator position and generation of movement fault signal ("Actuator monitoring" function).
- The PS [RPS] generates F1A commands (safeguard actions and safeguard support) which are sent to the electrical cubicle
- The electrical cubicle implements the essential protection of the components (“Essential protection of components” function), and receives command(s) issued from the PS [RPS], command selected by the PAS/SAS and commands issued from the local IHM[HMI]. In the event of simultaneous commands, the highest priority command (according to the hierarchy defined above) is selected ("management of control priority" function) and sent to the switching device ("control of switching device" function).
N.B.: The “management of control priority” function is implemented partly by the PAS/SAS and partly by the electrical cubicle.
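The two-stage priority management described above (the PAS/SAS part and the electrical cubicle part), together with the test-blocking provision of sections 3.8 and 4.8, as an added example. This is illustrative code written for this page, not the PACS implementation or any EPR project code; the command names follow the priority list of section 4.2, while the numeric ranks, the split of inputs between the two stages, the function names and the assumption that the disconnection command arrives directly at the cubicle are assumptions of the example.

```python
"""Added example: the PACS 'management of control priority' function split
between the PAS/SAS stage and the electrical cubicle stage (section 4.2)."""
from dataclasses import dataclass
from typing import Iterable, Optional

# Rank 0 is the highest priority; the order is the list in section 4.2.
PRIORITY = [
    "essential protection of components",        # generated inside the cubicle
    "disconnection (loss of electrical power)",  # assumed here to arrive at the cubicle
    "reactor protection (stop)",                 # PS[RPS], F1A, hardwired to the cubicle
    "reactor protection (go)",                   # PS[RPS], F1A, hardwired to the cubicle
    "manual via local HMI",                      # local IHM[HMI] connected to the cubicle
    "protection device control",                 # process-driven, through PAS/SAS
    "operating command",                         # process-driven, through PAS/SAS
    "manual via Reserve Shutdown Panel",         # centralised HMI, through PAS/SAS
    "manual via MCS[SICS]",                      # centralised HMI, through PAS/SAS
    "manual via MCP[PICS]",                      # centralised HMI, through PAS/SAS
]
RANK = {name: i for i, name in enumerate(PRIORITY)}

# Split assumed for the illustration: the automation arbitrates the commands it
# generates or acquires; the others reach the cubicle directly.
PAS_SAS_INPUTS = set(PRIORITY[5:])
CUBICLE_INPUTS = set(PRIORITY[:5])


@dataclass(frozen=True)
class Command:
    kind: str      # one of the PRIORITY names
    action: str    # constructed payload, e.g. "open", "close", "start", "stop"


def select_highest(commands: Iterable[Command], allowed: set) -> Optional[Command]:
    """Pick the highest-priority command among simultaneous ones.

    A command a stage is not meant to receive is rejected rather than ranked:
    a centralised-HMI command must not enter the cubicle except through PAS/SAS.
    """
    chosen = None
    for c in commands:
        if c.kind not in RANK:
            raise ValueError(f"unknown command kind: {c.kind!r}")
        if c.kind not in allowed:
            raise ValueError(f"{c.kind!r} is not an input of this stage")
        if chosen is None or RANK[c.kind] < RANK[chosen.kind]:
            chosen = c
    return chosen


def pas_sas_stage(commands: Iterable[Command]) -> Optional[Command]:
    """First part of 'management of control priority', implemented in PAS/SAS."""
    return select_highest(commands, PAS_SAS_INPUTS)


def reaches_cubicle_directly(kind: str) -> bool:
    """True for the commands that bypass the automation and enter the cubicle."""
    return kind in CUBICLE_INPUTS


def cubicle_stage(direct_commands: Iterable[Command],
                  from_pas_sas: Optional[Command],
                  test_block: bool = False) -> dict:
    """Second part, implemented in the electrical cubicle.

    Returns the selected command and what is sent to the switching device.
    With `test_block` set (periodic test, section 4.8 N.B.) the selection is
    still made and reported, but the switching device is not driven.
    """
    direct = list(direct_commands)
    for c in direct:
        if not reaches_cubicle_directly(c.kind):
            raise ValueError(f"{c.kind!r} may only reach the cubicle via PAS/SAS")
    if from_pas_sas is not None and from_pas_sas.kind not in PAS_SAS_INPUTS:
        raise ValueError("PAS/SAS output must be one of its own inputs")
    candidates = direct + ([from_pas_sas] if from_pas_sas is not None else [])
    chosen = select_highest(candidates, CUBICLE_INPUTS | PAS_SAS_INPUTS)
    return {
        "selected": chosen,
        "to_switching_device": None if (test_block or chosen is None) else chosen.action,
    }


def arbitrate(all_commands: Iterable[Command], test_block: bool = False) -> dict:
    """Route every simultaneous command to its stage and run both stages in order."""
    cmds = list(all_commands)
    for c in cmds:
        if c.kind not in RANK:
            raise ValueError(f"unknown command kind: {c.kind!r}")
    via_automation = [c for c in cmds if c.kind in PAS_SAS_INPUTS]
    direct = [c for c in cmds if c.kind in CUBICLE_INPUTS]
    return cubicle_stage(direct, pas_sas_stage(via_automation), test_block)
```

Two properties worth checking against the text: a PS [RPS] "stop" beats a simultaneous "go", and the cubicle's own essential-protection command beats every PS [RPS] and manual command; the `test_block` path shows how the control line can be exercised end to end while the actuator stays where it is.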
4.3. DESIGN BASIS
4.3.1. AVAILABILITY REQUIREMENTS
The main availability requirements for PACS are linked to the reliability and the maintainability of the equipment performing the functions i.e.:
- Limiting the loss of the PACS due to breakdowns in one of its components (mainly by component redundancy)
- Facilitating the maintenance and repair of the PACS to minimise downtime
4.3.2. REQUIRED PERFORMANCE
The response time of the PACS following a command (including acquisition, processing and execution of the command) coming from the level 1 systems (PS [RPS], SAS, PAS) must not exceed 100 ms.
4.3.3. ENVIRONMENTAL CONDITIONS
The environmental conditions of the equipment managing the PACS functions depend on their location:
I&C cabinets rooms (PACS functions managed by PAS/SAS):
- the temperature and relative humidity characteristics of the air surrounding the PAS/SAS equipment (installed in the I&C cabinets rooms) are specified in Chapter I.4.1, for both normal and extreme conditions.
Electrical switch rooms (PACS functions managed by the electrical cubicle):
- The temperature and relative humidity characteristics of the air surrounding the electrical cubicles (installed in the electrical switch rooms) are specified in Chapter I.4.1, for both normal and extreme conditions.
4.3.4. HUMAN-MACHINE INTERFACE REQUIREMENTS
Not relevant to the PACS.
4.4. ALLOCATION OF PACS FUNCTIONS
4.4.1. STRUCTURE AND COMPOSITION
The four PACS functions are processed partly by PAS automation (or the SAS, according to the required function), and partly by the electrical cubicle (see 4.2 of this Sub-chapter).
The structure and composition of the functions processed by PAS are defined in Chapter G.4.2.4.1.
The structure and composition of the functions processed by SAS are defined in 2.4.1 of this Sub-chapter.
The specification for the functionality of the electrical cubicles is still being developed and will be detailed later.
4.4.2. INSTALLATION
The equipment processing the PACS functions will be installed:
- for PAS and SAS automation: In the I&C cabinets rooms of the division or sector containing the controlled actuator
- For the electrical cubicles: in the electrical switch rooms of the electrical division or sector containing the controlled actuator
4.4.3. INTERFACES WITH THE OTHER I&C SYSTEMS
The PACS functions are managed by a PAS/SAS entity together with an electrical cubicle, which exchange information with:
- the centralised HMIs:
o MCP[PICS]/SDR[RSS]
o MCS[SICS]
- the local IHM[HMI] (IHM[HMI] which can be connected to the electrical cubicle), for initiation of autotests and for control in case of automation malfunction
- the PAS or SAS (for the Instrumentation & Control functions other than those managed by PACS): generation of automatic operating commands, generation of fault information other than movement faults, etc.
- the PS [RPS] (for the management of safety commands)
- the switching device(s) (managing the actuator electrical power supply)
- the process sensors
4.5. OPERATING CONFIGURATIONS
The configuration of PACS (from the point of view of the equipment and function) is independent of the status of the plant. The allocation of processing within the different equipment managing the PACS functions (automation and electrical cubicle) depends only on the functional criteria and the inherent functionality of these two sets of equipment. The PACS configuration does not change.
4.6. TECHNOLOGY
The PACS technology is defined by that of the equipment which processes the functions. The PAS and SAS technology will be detailed once the I&C equipment types are chosen.
Electrical cubicles are used for driving the actuators (low and high voltage): these cubicles are managed by conventional I&C technology (with digital electrical protection for the high-voltage actuator cubicles).
Cubicle design is still in progress. This information will be detailed later.
4.7. POWER SUPPLY
The power supplies for the different equipment which implements the PACS processing functions are as follows:
- PAS automation (or SAS, according to the functional requirements): supplied at 230 V AC via a duplicated diesel-backed power supply (see Chapter G.4.2.7 for details of the PAS power supplies and 2.7 of this Sub-chapter for details of the SAS power supplies). The PAS (or SAS) automation implementing the management of the PACS functions of a given actuator is supplied by the same division or sector as the actuator.
- Electrical cubicles are supplied with:
o power voltage, by a supply which, depending on the functional requirements, is diesel-backed or not,
o control voltage, which supplies the internal instrumentation and control of the cubicle, from two redundant 230 V AC sources. The nature and level of the control voltage will be defined later by the supplier of the switchgear, and will be specified when known.
4.8. PROVISIONS FOR PERIODIC TESTING
In accordance with RCC-E, the F2 functions (on a case-by-case basis), F1B and F1A functions must be periodically tested. In this respect, and as a function of its classification, the PACS (as an element of the actuator control channel) is subject to periodic testing to verify the integrity of the control channel.
This test applies to the overall function, and includes:
- the test initiator (IHM[HMI] manual command or local mechanical action on a sensor, as appropriate)
- the PACS, comprising the automation (PAS or SAS, depending on the functions required) and the electrical cubicle including the switching device(s),
- the actuator, whose movement is verified in a test
N.B.: If a particular actuator cannot be activated (for example while the unit is operating) provisions must be made to ensure the test does not entail an actual actuator movement.
The basic principles for periodic testing are described below:
- to the maximum extent possible, periodic testing must be performed from the Main Control Room if the tests involve an action on the process, or if the tests concern the human-machine interface itself, without necessitating local intervention.
- when a safety system actuator receives commands from several systems (e.g. the PS [RPS] and SAS or PAS), the testing of this actuator must be performed as far as possible from only one of these systems. The testing of commands from other systems must be performed without actual movement of an actuator.
- tests which involve actuator movement, and require the use of an IHM[HMI] to send the commands and to verify the information received, require the participation of personnel. These tests should remain manual (no automatic activation, prior to the mechanical system tests).
G.3 TAB 3: REACTOR TRIP AND TURBINE TRIP FUNCTIONS PERFORMED BY THE PROTECTION SYSTEM (PRELIMINARY LIST)
PROTECTION FUNCTION | PCC | USO/NUSO
REACTOR TRIP (AND TURBINE TRIP)
on Steam Generator pressure drop > Max1 | PCC2/3/4 | USO
on Steam Generator pressure < Min1 | PCC2/3 | USO
on Pressurizer pressure < Min2 | PCC2/3/4 | USO
on Steam Generator level (A) < Min1A | PCC2/3/4 | USO
on Steam Generator level (A) > Max1A | PCC2/3/4 | USO
on Pressurizer pressure > Max2 | PCC2/3 | USO
on Pressurizer level > Max1 | PCC2 | USO
on Steam Generator pressure > Max1 | PCC2/3 | USO
on containment pressure > Max1 | PCC3/4 | USO
on High linear power density | PCC2 | USO
on Low Departure from Nucleate Boiling Ratio (Low DNBR) | PCC2 | USO
on High core power level | PCC2/3 | USO
on Excore high neutron flux rate of change | PCC4 | USO
on Low Reactor Coolant Pumps speed (four RCPs) | PCC2/3 | USO
on Low reactor coolant flow rate (one loop) * | PCC2/4 | USO
on High neutron flux (intermediate range) | PCC2/4 | USO
on Low doubling time (intermediate range) | PCC2/4 | USO
on Low hot leg pressure | PCC2 | USO
G.3 TAB 8: PROTECTION FUNCTIONS ACCURACY AND RESPONSE TIME (PRELIMINARY LIST)
PROTECTION FUNCTION | ACCURACY | RESPONSE TIME
REACTOR TRIP (AND TURBINE TRIP)
on Steam Generator pressure drop > Max1 | 1.5 bar | 500 ms
on Steam Generator pressure < Min1 | 1.5 bar | 500 ms
on Pressurizer pressure < Min2 | 1.5 bar | 500 ms
on Steam Generator level (A) < Min1A | 2% MR | 500 ms
on Steam Generator level (A) > Max1A | 2% MR | 500 ms
on Pressurizer pressure > Max2 | 1.5 bar | 500 ms
on Pressurizer level > Max1 | 2% MR | 500 ms
on Steam Generator pressure > Max1 | 1.5 bar | 500 ms
on containment pressure > Max1 | 0.2 bar | 500 ms
on High linear power density | 8.7% LPD | 500 ms
on Low Departure from Nucleate Boiling Ratio (Low DNBR) | later | 500 ms
on High core power level | later | 500 ms
on Excore high neutron flux rate of change | 2% NP | 300 ms
on Low Reactor Coolant Pumps speed (four RCPs) | 0.1% | 200 ms
on Low reactor coolant flow rate (one loop) * | 3% | 500 ms
on High neutron flux (intermediate range) | 10% | 300 ms
on Low doubling time (intermediate range) | 10% | 300 ms
on Low hot leg pressure | later | later
SIS ACTUATION
on Pressurizer pressure < Min3 | 1.5 bar | 500 ms
on Reactor Coolant System loop level < Min1 | 15 cm | 500 ms
on ΔPsat < Min1 | Later | 500 ms
PARTIAL COOLDOWN
on Safety Injection System signal | See SIS signal | See SIS signal
on Steam Generator level (A) > Max2A | 2% MR | 500 ms
MSIV CLOSURE
on Steam Generator pressure drop > Max1 | 1.5 bar | 500 ms
on Steam Generator pressure < Min1 | 1.5 bar | 500 ms
on Steam Generator level (A) > Max2A if partial cooldown is finished (*) | 2% MR | 500 ms
EFWS ACTUATION
on Steam Generator level (B) < Min2B (*) | 2% MR | 500 ms
on Loss of Offsite Power signal | later | later
Emergency Feedwater System pump overflow protection | 1% | 500 ms
CONTAINMENT ISOLATION
Containment isolation stage 1 on Safety Injection System signal | See SIS signal | See SIS signal
Containment isolation stage 2 on containment pressure > Max2 | 0.2 bar | 500 ms
EFWS ISOLATION
on Steam Generator level (B) > Max1B if Emergency Feedwater System has started (*) | 2% MR | 500 ms
MSRT
Main Steam Relief Train isolation on Steam Generator pressure < Min3 (*) | 1.5 bar | 500 ms
Main Steam Relief Train opening on Steam Generator pressure > Max1 | 1.5 bar | 500 ms
Main Steam Relief Train setpoint increase on Steam Generator level (A) > Max2A if partial cooldown is finished | |
RCP TRIP
Reactor Coolant Pumps trip on ΔP over RCP < Min1 and SIS signal | 3% | 500 ms
LHSI / RHR train isolation on high sump level and/or high SAB pressure | Later | 500 ms
MFW ISOLATION
Main Feedwater low load isolation on Steam Generator pressure drop > Max2 (*) | 1.5 bar | 500 ms
Main Feedwater low load isolation on Steam Generator pressure < Min2 (*) | 1.5 bar | 500 ms
Main Feedwater/Start-up and Shutdown System isolation on Steam Generator level (A) > Max1A | 2% MR | 500 ms
Main Feedwater full load isolation on Reactor Trip signal (*) | See Reactor Trip signal | See Reactor Trip signal
PSV OPENING
1st Pressurizer Safety Valve opening for brittle fracture protection of RPV | later | 500 ms
CVCS ISOLATION
Anti-dilution in shutdown conditions with RCP not in operation | |
Anti-dilution in standard shutdown states conditions | |
Anti-dilution in power conditions | later | later
Shutdown of CVCS charging line on high PZR level | later | later
CCWS
Component Cooling Water System configuration on containment pressure > Max1 | 0.2 bar | 500 ms
DIESEL ACTUATION
Diesel actuation on 10 kV busbar voltage < Min1 | later | later
[Figure: MAIN FEEDWATER / STARTUP AND SHUTDOWN SYSTEM ISOLATION. Division allocation diagram showing the PS divisions (Division 1 to Division 4) and 2/4 voting for the SG1 isolation valves; the diagram itself is not reproduced in this text.]
SG2 MFW / SSS isolation: same as SG1 (replace SG1 by SG2) except the following points:
- div. 2 PS controls SG2 main isolation valve,
- div. 2, 4 PS controls SG2 high and low isolation valves.
[Figure: CLOSED LOOP CONTROL. SG1 MSRCV opening control diagram, with SG1 sensors acquired in Division 1 to Division 4; the diagram itself is not reproduced in this text.]
This diagram applies to SG2, SG3, and SG4 in the following way:
- SG2: MSRCV opening control is implemented in div. 2 PS.
- SG3: MSRCV opening control is implemented in div. 3 PS.
- SG4: MSRCV opening control is implemented in div. 4 PS.