SUB CHAPTER G.4 F2 CLASSIFIED AND NON CLASSIFIED ...epr-reactor.co.uk/ssmod/liblocal/docs/V3/Volume...


SUB-CHAPTER : G.4 SECTION : -

PAGE : 1 / 24 UK-EPR

FUNDAMENTAL SAFETY OVERVIEW VOLUME 2: DESIGN AND SAFETY

CHAPTER G: INSTRUMENTATION AND CONTROL

SUB CHAPTER G.4 F2 CLASSIFIED AND NON CLASSIFIED INSTRUMENTATION AND CONTROL SYSTEMS

1. ARCHITECTURE OF THE PROCESS INFORMATION AND CONTROL SYSTEM (MCP [PICS])

1.0. SAFETY REQUIREMENTS

1.0.1. Safety functions

The way the Process Information and Control System (MCP[PICS]) contributes to the safety functions supported by the I&C is described in section G.1.0.1 (see F2 functions). With regard to safety analysis, the MCP[PICS] provides the operators with sufficient information and control means to operate and monitor the plant in normal operation conditions - PCC-1 (within specified operational limits and conditions) and also in RCC-A and RCC-B situations. Hence the MCP[PICS] performs certain F2 and NC functions.

Moreover the MCP[PICS] is the preferred controlling and monitoring system used to optimise operation in PCC-2 to PCC-4 conditions (see Chapter M for more details).

1.0.2. Design Requirements

1.0.2.1. Requirements resulting from functional and mechanical classification

1.0.2.1.1. Functional classification of the system

The MCP[PICS] performs F2 and NC operating and monitoring functions. According to the classification described in sub-chapter C.2, the MCP[PICS] shall be F2/NC safety classified.

The MCP[PICS] is the preferred operating and monitoring system used to optimise operation in PCC-2 to PCC-4 conditions; thus:

- operator workstation equipment and architecture of the computerised human machine interface in the Main Control Room must meet the requirements applicable to F1B systems,

- the corresponding software must meet the related qualification requirements,

- means must be implemented (outside of the MCP[PICS]) for the detection and annunciation of failures of the MCP[PICS] processing units, and these means must meet the requirements applicable to F1B functions and equipment.

1.0.2.1.2. Single failure criterion (active and passive)

The single failure criterion is not required for the F2 functions of the MCP[PICS]. Due to the F1B requirements related to the operator workstation equipment and the architecture of the computerised human machine interface in the control room, the single failure criterion must be met by the architecture of this sub-set of MCP[PICS] equipment.

1.0.2.1.3. Emergency power supply

Because of the F2 safety classification of the MCP[PICS], the requirements for the emergency power supply of the MCP[PICS] equipment are defined on a case-by-case basis.

Due to the F1B requirements related to the operator workstation equipment and the architecture of the computerised human machine interface in the control room, the power supply of the associated equipment must, at least, be backed up by the main diesel units. In addition, this power supply must be uninterruptible during all possible operating modes and corresponding transients.

1.0.2.1.4. Qualification under operating conditions

The MCP[PICS] equipment must be qualified according to its safety class, and must therefore meet the qualification requirements (integrity, availability, etc.) defined in sub-chapter C.7 under normal and extreme environmental conditions to which it may be subject (see section I.4.1).

1.0.2.1.5. Mechanical, electrical, I&C classification

Mechanical and electrical classification does not apply to I&C equipment.

According to sub-chapter G.1 on I&C classification:

- parts of the MCP[PICS] equipment (through the application of the F1B requirements to the operator workstations equipment and architecture of the computerised human machine interface in the control room) must be E1B classified,

- the remainder of the MCP[PICS] equipment:

- that ensures F2 functions must be E2 classified,

- that ensures NC functions does not need to be classified.

1.0.2.1.6. Seismic classification

Parts of the MCP[PICS] equipment must be seismic class 1 (SC1):

• due to the F1B requirements related to the operator workstation equipment and architecture of the computerised human machine interface in the control room;

• due to the defence-in-depth concept: given that the workstations of the remote shutdown station (RSS) are identical to those of the main control room, it has been decided to apply a seismic classification requirement for the control and monitoring functions of the remote shutdown station of the EPR (printing and storage functions – if required for the remote shutdown station – are not included).

Other MCP[PICS] equipment must be seismic class 2 (SC2), meaning that it will not degrade seismic class 1 equipment in case of a seismic event.

1.0.2.1.7. Periodic testing

The MCP[PICS] equipment that performs F2 functions is subject to periodic tests if it is not in continuous operation.

1.0.2.2. Other regulation requirements

1.0.2.2.1. Basic safety rules

The MCP[PICS] is not concerned.

1.0.2.2.2. Technical Guidelines

The Technical Guidelines described in Chapter C.1 must be taken into account for the design of the MCP[PICS].

1.0.2.2.3. EPR specific texts

The MCP[PICS] must meet the requirements of RCC-E.

1.0.2.3. Hazards

a) Requirements for protection of the system against hazards:

The MCP[PICS] must be protected against common mode failures that can result from internal or external hazards by meeting the requirements defined in Chapter C.3 (external hazards) and Chapter C.4 (internal hazards).

b) System protection requirements against specific hazards:

Not applicable.

c) Hazards that do not concern the system:

Not applicable.

1.0.2.4. Tests

1.0.2.4.1. Pre-operational tests

The MCP[PICS] must be subject to pre-operational tests to check that, after installation, the system performance complies with the design requirements.

1.0.2.4.2. Monitoring during operation

The F1B classified means implemented to detect and annunciate potential failures of MCP[PICS] processing units enable monitoring of the correct operation of MCP[PICS] processing units in the control room.

1.0.2.4.3. Periodic tests

No periodic test is required for the NC functions.

The F2 functions that are not in continuous operation must be periodically tested. Thus, the SDR[RSS] must be designed so that periodic tests can be performed.

1.0.3. I&C design requirements

There are no specific constraints except those mentioned in table G.1 TAB1.

1.1. ROLE

The Process Information and Control System (MCP[PICS]) is the I&C system that enables the computerised operation of the plant. It includes:

- the operator workstations and the Plant Overview Panel (POP) installed in the Main Control Room (MCR);

- the operator workstations installed in the Remote Shutdown Station (SDR[RSS]);

- the operator workstation installed in the Technical Support Centre (TSC) for supervision;

- the basic operator workstations (with fewer screens) that can be installed in addition to the computerised operating means in particular plant situations (e.g. commissioning) or for specific activities (e.g. maintenance).

In addition, the MCP[PICS] records significant events that occur in the plant and provides the interface with the non real-time applications (also called level 3 applications).

The main function of the MCP[PICS] is to provide the operators with controls, information and operating guides that are fully appropriate to their tasks, in any plant situation. As this function entails an interaction with operators, the MCP[PICS] Human-Machine Interface must comply with ergonomic criteria to take into account the cognitive and physiological aptitudes of the operators.

1.2. PERFORMED FUNCTIONS

In order to meet the objective described in the previous section, the PICS must ensure the following features:

- Display functions:

- displaying graphical images, operating guides, alarm sheets, technical sheets and lists,

- allowing navigation through the different images,

- allowing selection of an item if the operator has to interact with it,

- updating images (colour, shape of objects etc.) according to the process state,

- plotting curves,

- printing various images or lists.

- Instrumentation and Control functions:

- sending commands to actuators via the I&C systems,

- retrieving command feedback,

- presenting data to the operator.

- Alarm functions:

- warning the operators as soon as an alarm occurs,

- managing the list of the alarms,

- providing access to the alarm sheets.

- Processing functions

- managing the data base(s),

- initiating processing in case of change of state,

- providing processed information if needed (situations, alarms, synthetic information etc.).

- Interface functions:

- retrieving and filtering data from the process via the automation level,

- sending data to the process via the automation level.

- Archiving function:

- archiving logic and analogue data,

- retrieving archived data.

- Administrative and maintenance functions

- providing help for maintenance,

- providing help with inserting functioning data,

- providing help for analysis (logging, periodic test data analysis etc.),

- ensuring security tasks (e.g. operator access etc.),

- self monitoring.

These features are sufficient to ensure that shift teams will benefit from the results of the Human Factors program described in Chapter Q. In addition, particular attention is paid to the design of the interface and the working environment as detailed in section G.4.1.3.4 in this sub-chapter.

1.3. DESIGN PRINCIPLES

1.3.1. Availability requirements

The main objectives for MCP[PICS] architecture are availability, flexibility and maintainability. In particular this means that the MCP[PICS] must be sufficiently flexible and redundant to:

- prevent most losses of MCP[PICS] due to the failure of one piece of equipment,

- allow redistribution of the working area (screens, operating workstations etc.) when some pieces of equipment (screen, computer etc.) are unavailable,

- make maintenance and repair easier to minimize the period of unavailability of MCP[PICS],

- allow connection of additional components (reduced MCP[PICS] workstation) during specific phases (e.g. commissioning, maintenance).

1.3.2. Required performances

The MCP[PICS] is subject to particular performance requirements:

• Response time requirements, which ensure that the MCP[PICS] is able to provide the necessary level of information in the required time in all plant situations.

Global criteria concern the following topics:

- maximum time between a variation occurring at level 0 (sensors level) and the update of the corresponding information on screen,

- maximum time between operator action and its transmission to the actuator,

- time needed for the operator to obtain information he asked for.

These global criteria are adapted to the MCP[PICS] as follows:

- for a manual operation (from the action of the operator to transmission to level 1) taking into account the HMI response time, the accuracy of the transmitted value and the communication time,

- for a feedback from a manual operation (from level 1 output to screen update) taking into account the response time for the visualisation, the accuracy of the displayed value and the communication time,

- for the visualisation of a sensor’s value (from level 1 output to screen updating) taking into account the response time for the visualization, the accuracy of the displayed value and the communication time.

• sizing requirements:

- static sizing includes the number of actuators, sensors etc. that the MCP[PICS] must support and the number of images, animated objects, procedure pages, alarm sheets etc. that must be provided by the computerised operating means,

- dynamic sizing specifies the number of state changes or analogue variations within a fixed interval of time that the MCP[PICS] must be able to process.

Values for the different criteria listed above will be defined in detailed studies. They depend mainly on ergonomic criteria (e.g. response time for visualization or feedback; type of information and its organisation for static sizing), or on functional studies.

1.3.3. Environmental Requirements

The environmental requirements depend on the location of the equipment (MCR or SDR[RSS] or I&C rooms).

They are classified into two categories:

- the environmental conditions that the equipment must withstand. This includes temperature and relative humidity of the room.

- the impact of the equipment on local environmental conditions. This category includes noise level and dissipated heat.

For the particular case of graphical equipment, some particular environmental conditions such as lighting must be considered from an ergonomic point of view. The provisions that must be made are determined as part of the Human Factors approach (section Q.2 for details of requirements for a suitable working environment and section Q.4 for environmental requirements).

1.3.4. Human machine interface

Concerning the Human Factors approach, the MCP[PICS] plays two roles:

- the MCP[PICS] must provide features necessary for complying with good Human Factor Engineering principles (e.g. information treatments, type of supported information, organization of information, layout of information, navigation means, alarm system, operating guides mechanisms etc.),

- the MCP[PICS] must provide a working environment for the operators with an interface that meets state-of-the-art ergonomic criteria (organisation of the different means in the MCR, workstation layout, dialogue means, communications means etc.).

These requirements are taken into account considering section Q.2.

1.4. ARCHITECTURE

1.4.1. Structure and composition

The MCP[PICS] implements the following main typical resources (software and/or hardware):

• graphical interfaces for the Human-Machine Interface,

• network interfaces for data exchange between resources,

• real time data bases (process and computed data, and their attributes, Man-Machine Interface data),

• archiving and printing facilities,

• operating systems,

• application software.

These resources are typically distributed amongst the following equipment:

• control workstations in the main control room and in the remote shutdown station (operators),

• monitoring workstations in the main control room and in the technical support centre,

• a plant overview panel (POP) incorporating large screens in the main control room,

• temporary simplified workstations for use during specific phases (e.g. commissioning) or specific tasks,

• a set of computers, either associated to the workstations or, when needed, centralized and installed in the I&C rooms (divisions 1 and 4),

• printing stations,

• archiving equipment,

• interfaces with engineering tools,

• interfaces with other applications (level 3),

• networks for exchange of data between MCP[PICS] and level 1 or 3 systems.

Operator workstations (control or monitoring workstations) consist of standardized screens driven by computers with their associated control devices (mice, keyboards, etc.).

Operator workstations (control or monitoring workstations) in the MCR and in the SDR[RSS] are based on the same equipment and provide similar functionality. Any monitoring workstation can be configured on-line to become a control workstation that can be used in the event of total loss of a control workstation. This flexibility is governed by procedures.

The number of workstations, their detailed composition (e.g. number of screens), their organization in the MCR, SDR[RSS] or TSC, are determined by the Human Factors Engineering program (see section Q.2).

The Plant Overview Panel (POP) is an integral part of the MCP[PICS]; therefore it is subject to the same functional classification (i.e. F2/NC) and could be considered as an operator workstation configured for monitoring the plant. Therefore simultaneous failure of POP and MCP[PICS] must be considered, especially for MCS[SICS] design (see sub-chapter Q.4).

The I&C functions performed by the MCP[PICS] (see section G.4.1.2) are distributed amongst the various packages of equipment to satisfy safety and availability requirements:

- F2 functions are implemented in E2 equipment or groups of equipment; the non safety-classified functions are preferably processed by non-safety classified equipment;

- MCP[PICS] and MCS[SICS] components are sufficiently different in technology to minimise the risk of common mode failure. This measure is complemented by appropriate installation measures (see sub-chapter G.1);

- the processing equipment needed to control and monitor the plant from the SDR[RSS] workstations is installed in the I&C rooms of divisions 1 and 4, outside the MCR (in a different fire compartment to the MCR) so that they cannot be lost simultaneously with the MCR,

- MCP[PICS] architecture (at least the part implementing the F2 function) is fault-tolerant, i.e., it implements sufficient redundancy and independence so that none of the most probable failures should result in the loss of HMI functions.

1.4.2. Installation

The MCP[PICS] graphical equipment is typically installed as follows:

- In the main control room (MCR):

- two control workstations,

- two monitoring workstations,

- basic operator workstations with a reduced number of screens, some of which may be temporary (e.g. for the first start-up),

- plant overview panel (POP),

- printers.

- In the Remote Shutdown System (SDR[RSS]):

- two control workstations (when the SDR[RSS] is active, or otherwise monitoring workstations),

- one basic operator workstation with a reduced number of screens configured in supervision mode,

- printers.

- In the technical support centre (TSC):

- one monitoring workstation,

- printers.

1.4.3. Interfaces with the other I&C systems

The MCP[PICS] has 3 types of interfaces:

- the interface with the automation level (PS[RPS]/SAS/PAS/RCSL),

- the interface with the engineering and maintenance tools (of MCP[PICS]),

- the interface with level 3 applications.

1.5. OPERATING MODES

The MCP[PICS] has the following different operating configurations:

- The standard configuration of the MCP[PICS] is:

- all control and monitoring workstations of the MCR are working,

- the plant overview panel is operational,

- the workstations of the SDR[RSS] are in monitoring mode,

- TSC workstations are not operational except in a situation where a support team is needed (in this situation, the workstation is in monitoring mode).

- Non critical failure of MCP[PICS] equipment: in this configuration, a part of the MCP[PICS] has failed but sufficient means are still available to allow a redistribution of the working area and the use of the MCP[PICS] to control and monitor the plant. Typical situations are as follows:

- loss of non graphical equipment: the redistribution of the process resources or interface resources is in most cases done automatically by the system (e.g. through redundancy mechanisms) with no impact on operator tasks,

- loss of a screen of an operator workstation: as the screens of an operator workstation are standardized, the operator redistributes his tasks to the remaining screens,

- loss of a control workstation: a monitoring workstation can be configured into a control workstation to replace the unusable one,

- loss of a part of the POP: the POP consists of four large wall-mounted screens. This allows redistribution of the content of the POP on the remaining screens in the event of failure of a POP screen,

- loss of the POP: the POP is not required to control or monitor the plant so that a loss of the POP doesn’t lead to the loss of the PICS.

In addition to these potential events, special attention is paid to the maintenance and repair tasks in order to reduce the time needed to replace or repair the component that has failed.

- Unavailability of the MCP[PICS]: in the event of loss of MCP[PICS] or the shutdown of the MCP[PICS] for maintenance purposes, the shift team switches to the MCS[SICS]. This transfer is governed by procedures. For the I&C, those procedures stipulate particular actions to prevent spurious control signals being generated by the MCP[PICS].

- Unavailability of the MCR: in the event of loss of the MCR due to an internal hazard (e.g. fire), the MCS[SICS] and the equipment of the MCP[PICS] located in the MCR are no longer available. In this situation, the shift team moves to the SDR[RSS]. As for the previous configuration, particular actions must be taken to prevent spurious control signals being generated from the MCR. The configuration of the MCP[PICS] is as follows:

- SDR[RSS] workstations are operational and configured to control mode.

- MCR workstations are unusable and any control signals that they could generate are blocked.

Further details are given in Chapter Q.

The different configurations (particularly the difference between unavailability of the MCP[PICS] and non critical failure of components) are determined on the basis of the minimum amount of equipment required to operate the plant with the MCP[PICS] (minimum number of screens needed to operate the plant from a control workstation, minimum number of control and monitoring workstations to operate the plant etc.). These limits depend on the way the different pieces of equipment are used, therefore they are mainly determined by the Human Factors engineering program.

1.6. TECHNOLOGY

This information will be provided when the digital system for the standard I&C has been selected.

1.7. POWER SUPPLY

Those parts of the MCP[PICS] located outside the MCR are electrically powered by divisions 1 and 4 so that a single failure in the power supply does not lead to the total loss of MCP[PICS]. The power supply for the operator workstations in the MCR is from divisions 1 to 4 so that the impact on the MCR equipment of loss of power from any one division is minimised.

1.8. PROVISIONS FOR PERIODIC TESTING

Periodic tests are only performed on equipment installed in the SDR[RSS]. Periodic tests will be performed by verifying that the SDR[RSS] operates correctly.

2. ARCHITECTURE OF THE PROCESS AUTOMATION SYSTEM (PAS)

2.0. SAFETY REQUIREMENTS

The Process Automation System (PAS) is subject to safety requirements applicable to the F2 I&C systems, because it implements functions that are F2 safety classified.

The PAS processes automatic and manual actions and the related monitoring required to fulfil the safety functions described below.

2.0.1. Safety functions

The PAS participates in the three basic safety functions (reactivity control, residual heat removal and confinement of radioactive substances) by implementing:

- Safety classified F2 non-seismic classified functions (F2N),

- Non-safety classified functions (NC).

The management of seismic classified F2 functions (F2E) is dedicated to the SAS (see section G.3.2.0.1).

2.0.2. Design requirements

Since the PAS implements automatic and manual controls and the related monitoring of F2 functions, it must fulfil the requirements described below. These requirements must be met for all the automatic functions managed by the PAS (including the part of the PACS functions processed by the PAS equipment - see Chapter G.3.4.0.1).

2.0.2.1. Requirements resulting from functional and mechanical classification

2.0.2.1.1. Functional classification of the system

The PAS must be F2/NC safety classified, according to the classification described in Chapter C.2.

2.0.2.1.2. Single failure criterion (active and passive)

The single failure criterion does not apply to the PAS (as it does not implement F1 functions).

The PAS shall meet the following requirements related to independence and physical separation:

- If the PAS is used to back up an F1A system (e.g. ATWS) it must be physically separated from the PS[RPS],

- If PAS F2 processing is used to reduce the consequences of internal or external hazards, its operation must not be affected (in an unacceptable manner) by this hazard.

2.0.2.1.3. Emergency power supply

The requirement for emergency power supply to PAS equipment must be defined on a case-by-case basis. If required, the power supply must be backed up by the main diesel units. In addition, this power supply must be “uninterruptible” to ensure the power supply even during the switchover from normal power supply to diesel power supply.

The PAS must be supplied with power by the same division / board as the process it controls.

2.0.2.1.4. Qualification under operating conditions

The PAS equipment must remain operational in post-accident conditions, and must therefore meet the qualification requirements defined in sub-chapter C.7.

In addition, the equipment must be operational in the normal and extreme environmental conditions of the plant rooms in which it is installed. These conditions are defined in section I.4.1.

2.0.2.1.5. Mechanical, electrical, I&C classification

Mechanical and electrical classification does not apply to I&C equipment.

The I&C classification of the PAS equipment must be as follows, according to the principles defined in Chapter C.2:

- E2 class for PAS equipment that processes F2N safety functions,

- Non-safety classified (NC) for PAS equipment that processes non-safety classified functions.

2.0.2.1.6. Seismic classification

The PAS equipment installed in the same rooms as Seismic Class 1 (SC1) equipment must be Seismic Class 2 (SC2) classified i.e. it will not degrade seismic class 1 equipment in the event of a seismic event.

2.0.2.1.7. Periodic testing

F2 processing managed by the PAS system that is not required in continuous operation is subject to periodic testing of the safety function which it manages (except in specific cases specified in Chapter C.4).

For these F2 functions, the PAS must be designed to allow the periodic tests to be performed.

2.0.2.1.8. Additional requirement

Not applicable


2.0.2.2. Other regulation requirements

2.0.2.2.1. Basic safety rules

The PAS is not concerned.

2.0.2.2.2. Technical Guidelines

The Technical Guidelines in Chapter C.1 (specifically paragraphs G3.4 and G3.7) must be taken into account in the design of the PAS.

2.0.2.2.3. EPR specific texts

The PAS must meet the requirements of RCC-E.

2.0.2.3. Hazards

a) Requirements for protection against hazards:

The PAS system manages the automatic control and monitoring functions designed to reduce the consequences of an internal or external hazard. These functions must remain operational during a hazard, and thus must not be affected (to an unacceptable extent) by the hazard itself or by its consequences. For these functions, an analysis is performed on a case-by-case basis to define the measures to be implemented (redundancy, separation, independence) to protect the PAS equipment against hazards.

b) System protection requirements against particular hazards

Not applicable

c) Hazards that do not concern the system:

Not applicable

2.0.3. Tests

The PAS must be subject to pre-operational tests to check that, after installation, the system performance complies with the design requirements.

The requirements associated with the periodic tests are given in section G.4.2.0.2.1.7.

2.1. ROLE

The role of the PAS is to manage the required F2N and NC instrumentation and control functions (defined in 2.0.1 of this Sub-chapter) of the nuclear and conventional islands and the site.

2.2. PERFORMED FUNCTIONS

The PAS performs the following instrumentation and control functions:


- data processing: acquisition, processing and transmission for use,

- processing of application calculations: regulating controls, generating individual and grouped commands (simultaneous or sequential), prioritisation of control commands, generating diverse information to be sent to other instrumentation and control units, etc.

- survey processing: processing of state and default report, alarms and signals elaboration.

2.3. DESIGN BASIS

2.3.1. Availability requirements

The main requirements for PAS availability are linked to the reliability and maintainability:

- prevention of failure of the PAS due to the failure of a single piece of equipment (by redundancy for example), in most circumstances,

- facilitation of maintenance and repair so as to minimize the duration of unavailability of the PAS.

2.3.2. Required performances

The PAS is subject to performance requirements:

- Response time requirements:

• Maximum time between the variation of an input (logic or analogue) and the transmission to the output interface,

• Maximum time between the reception of a manual command and the transmission to the output interface.

These global criteria are adapted to the PAS as follows:

• for manual commands see section G.4.1

• for automatic commands:

- acquisition of a logic input, calculation of a logic command, and transmission to an output interface.

- acquisition of an analogue input, calculation of a logic or analogue command, and transmission to an output interface.

The PAS contributes to fulfilling the global criteria described above and in section G.4.1 (i.e. required performance of the MCP[PICS]).

In particular, the transmission and processing functions performed by the PAS must be compatible with the required total response times (including MCP[PICS], PAS and level 0).


- Sizing requirements. These include:

• static sizing includes the number of input / outputs (actuators, sensors, etc.) that the PAS has to process,

• dynamic sizing includes processing times, taking into account the program execution type (periodic or event-driven).

2.3.3. Ambient Conditions

The environmental conditions that the PAS equipment must withstand depend on the temperature and relative humidity in the rooms where the equipment is located. These environmental features (normal and extreme) are described in section I.4.1.

2.3.4. Human machine interface

Not applicable

2.4. ARCHITECTURE

2.4.1. Structure and composition

The main features that have an influence on the PAS architecture are expressed in the "functional requirements" (issued from process engineering).

The functional requirements deal with:

- the functional class of the processing (F2 or NC for PAS),

- the electrical division or train (corresponding to that of the process, actuators and sensors, to be managed),

- the type of processing to be carried out (the choice of the type of input/output cards can depend on that, for example),

- the performance required of the processing unit (response time, propagation time, accuracy),

- the grouping / separation of processing. These relate to the requirement for certain processing functions to be grouped (to prevent simultaneous loss of these processing functions if the part of the I&C system that controls them does not operate correctly), or conversely, that certain processing functions are controlled by different PAS hardware units (to ensure that a group of processing functions remains operable in the event of loss of others due to system failure).

The structure of the part of the PAS that processes the manual and automatic actuations mainly depends on the actuators and sensors (number and location).

The basic structure of the PAS depends on the number of trains available to perform a given function. For a function and initiating event, there are different possible combinations e.g.:


- 1 x 100 %: 1 mechanical train with its associated I&C is necessary to fulfil the function.

- 4 x 50 %: 2 out-of-four mechanical trains with their associated I&C are necessary to fulfil the function.

- 2 x 100 %: 1 out-of-two mechanical train with its associated I&C is necessary to fulfil the function.

In order to prevent any internal hazard from impacting more than one mechanical train, each mechanical train is controlled by a sub-system of the PAS located in the same division as the mechanical train.
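The separation rule above can be checked mechanically. The following Python example is added here for illustration and is not part of the UK-EPR documentation: it evaluates the three train configurations against a hazard confined to one division, once with each PAS sub-system co-located with its train (the rule in the text) and once with a constructed counter-example in which every sub-system sits in division 1. Layout names, function names and the assumption that train i is installed in division i are hypothetical.

```python
# Added illustration: failure-domain check for the train layouts in 2.4.1.
# Layout names, helper names and the "centralised" counter-example are
# assumptions, not taken from the UK-EPR documentation.

# (number of mechanical trains, trains needed to fulfil the function)
CONFIGS = {"1 x 100 %": (1, 1), "4 x 50 %": (4, 2), "2 x 100 %": (2, 1)}


def colocated_layout(n_trains):
    """Rule from the text: train i and its PAS sub-system both sit in division i."""
    return {t: {"train_div": t, "pas_div": t} for t in range(1, n_trains + 1)}


def centralised_layout(n_trains):
    """Constructed counter-example: every PAS sub-system placed in division 1."""
    return {t: {"train_div": t, "pas_div": 1} for t in range(1, n_trains + 1)}


def trains_lost(layout, failed_division):
    """Trains unavailable after a hazard confined to one division.

    A train is lost if the hazard hits its own division or the division
    hosting the PAS sub-system that controls it.
    """
    return sorted(
        t for t, loc in layout.items()
        if failed_division in (loc["train_div"], loc["pas_div"])
    )


def analyse(layout, required):
    """Return (max trains lost by one hazard, divisions whose loss defeats the function)."""
    divisions = sorted({d for loc in layout.values() for d in loc.values()})
    worst = 0
    defeating = []
    for div in divisions:
        lost = trains_lost(layout, div)
        worst = max(worst, len(lost))
        if len(layout) - len(lost) < required:
            defeating.append(div)
    return worst, defeating


def report():
    """Analyse every configuration under both layouts."""
    rows = {}
    for name, (n, required) in CONFIGS.items():
        rows[name] = {
            "colocated": analyse(colocated_layout(n), required),
            "centralised": analyse(centralised_layout(n), required),
        }
    return rows


if __name__ == "__main__":
    for name, result in report().items():
        print(name, result)
```

With co-location, a single-division hazard never removes more than one train, so only the 1 x 100 % configuration (which has no spare train) can lose its function; with the centralised counter-example, the loss of division 1 defeats every configuration.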

2.4.2. Installation

The PAS equipment is distributed into the 4 divisions. It is installed in the I&C cabinet rooms of divisions 1 to 4 of the electrical buildings for the nuclear island, in the I&C cabinet rooms of the 2 sections for the conventional island, and in the I&C cabinet rooms in the site buildings for the site-specific systems.

The PAS cabinets are distributed in consideration of:

- consistency with the localization of actuated electrical or mechanical equipment and sensors,

- consistency with the electrical power supply of the division or busbar,

- available space.

2.4.3. Interfaces with other I&C systems

The PAS exchanges information with:

- The process instrumentation: exchanges linked to the acquisition of measurements and states,

- The IHMs [HMIs]: MCP/SDR [PICS/RSP], and MCS [SICS]: exchanges linked to the operator control,

- The RCSL, PS [RPS], and SAS: exchanges associated with the management of the plant unit’s process control,

- the cubicles (electrical boards) and the controllers (electro-positioners etc.): exchanges linked to the actuators’ control,

- “external” systems (turbine I&C cabinets, etc.): exchanges linked to the management of the plant unit’s process control.


2.5. OPERATING MODES

The configuration (for both hardware and functions) of the PAS (see section G.2.1.4) is independent from the plant situation. Processing allocation only depends on functional criteria and processing allocation principles of the I&C system. The configuration of the PAS is, from this point of view, constant.

The configuration of the PAS only changes in the event of malfunction of an active CPU board: in this case the system switches to the redundant standby board. This principle applies to any redundant card of the PAS (CPU cards and communication management cards).

2.6. TECHNOLOGY

This information will be provided when the digital system for the standard I&C has been selected.

2.7. POWER SUPPLY

Within each division, the PAS is 230V AC powered.

If there is an emergency power supply functional requirement (defined on a case-by-case basis), the PAS then receives a duplicate power supply; the first power supply is provided by the main distribution switchboard and the second is provided by the sub distribution switchboard.

Each mechanical train is controlled by a sub-system of the PAS located in, and electrically supplied by, the same division as the mechanical train.

The voltage levels required for I&C cubicles or associated process are generated internally in the I&C cubicles or in converter cubicles. These converter cubicles are located in the I&C cabinet rooms.

2.8. PROVISIONS FOR PERIODIC TESTING

No periodic test is required for the NC functions.

According to section G.1.0.3.1.7, periodic tests are required for the F2 functions that are not in continuous operation (such as risk reduction functions) to ensure their availability on demand.

Test procedures:

As far as possible, a given part of PAS is tested together with the actuators that it controls. The test verifies the complete command channel, from the sensor (automatic command), or from the PICS (manual command) up to the actuator change of state.

If the actuation of an actuator cannot be accepted (e.g. during operation of the plant), provisions are taken to block the command signals in the drive control while the test is in progress.


3. ARCHITECTURE OF THE REACTOR CONTROL, SURVEILLANCE AND LIMITATION SYSTEM (RCSL)

3.0. SAFETY REQUIREMENTS

3.0.1. Safety function

The Reactor Control, Surveillance and Limitation system (RCSL) must participate in the following safety functions:

• Reactivity control;

• Residual heat removal.

3.0.2. Functional criteria

The RCSL provides automatic control, Limiting Conditions of Operation (LCO) and limitation functions for core parameters.

It monitors the core physical parameters and initiates a partial reactor trip if needed.

3.0.3. Design requirements

3.0.3.1. Requirements issued from safety classification

3.0.3.1.1. Safety classification

The RCSL system must be safety classified according to the principles specified in sub-chapter C.2.1.

3.0.3.1.2. Single failure criterion (active)

Not applicable.

3.0.3.1.3. Emergency power supply

Not applicable.

3.0.3.1.4. Qualification under operating conditions

Components ensuring an F2 safety function must be qualified to remain functional under post-accident conditions.

The resulting requirements for components (integrity, operability, functional capacity etc.) are presented in sub-chapter C.7.


3.0.3.1.5. Classification of mechanical, electrical and I&C equipment

The mechanical classification does not apply to the RCSL system.

The electrical classification of the system must be EE2.

The I&C classification of the system must be as follows, according to the classification principles presented in Chapter C.2:

- Class E2 for the F2 part,

- Class NC for the rest of the system.

3.0.3.1.6. Seismic classification

The RCSL system does not need to be seismically classified.

3.0.3.2. Other regulation requirements

3.0.3.2.1. Official texts

The general document “Options de Sûreté du projet de réacteur EPR” (DSIN letter 079/2000) applies to the RCSL.

3.0.3.2.2. Basic safety rules

The application of the Basic Safety Rule is developed in sub-chapter A.7.

3.0.3.2.3. Technical Guidelines

The applicable Technical Guidelines are given in Chapter C.1. In addition to the general requirements of paragraph A.1 (general safety approach), requirements applicable to the RCSL system are included in paragraph G.3 (design of the instrumentation and control) and paragraph C.2.1 (single failure requirement).

3.0.3.2.4. Rules of electrical design

The design rules for electrical equipment as well as the specific rules to be applied to the I&C are provided in the RCC-E.

3.0.3.3. Internal and external hazards

• Internal hazards

No requirement.

• External hazards

No requirement.


3.0.4. Tests

Pre-operational tests must prove the design adequacy and performance of the RCSL.

The F2 functions which are not continuously in operation must be tested periodically.

3.1. ROLE

The RCSL system contributes to the normal operation of the plant (PCC1) and controls and monitors the core parameters.

3.2. SUPPORTED FUNCTIONS

As defined in section G.2.1.3.2, the RCSL system performs F2 and NC I&C functions to control and monitor operations related to the core. These include:

- core control functions,

- core related LCO functions,

- core related limitation functions,

- core related operator aid functions.

A list of the typical application functions related to each type of application function performed by the RCSL system is given in G.4 TAB 2.

3.3. DESIGN BASIS

3.3.1. Required performance

Response time (processing and actuation levels): less than 500 ms.

3.3.2. Ambient conditions

See section I.4.1.

3.3.3. Human machine interface

The Human-Machine Interface must provide I&C staff with the following functions:

- commissioning and maintenance related functions.

- configuration related functions.


3.4. ARCHITECTURE

3.4.1. Structure and composition

The RCSL system consists of two parts:

- a redundant part;

- a non-redundant distributed part.

Description:

A summary description of the RCSL is provided in G.4 TAB1.

Redundancy of the processing units:

There is a pair of processing units distributed in divisions 1 and 4. In this pair, one processing unit is the master and the other is on stand-by. Between the units, redundancy is managed with an L2 connection and a hardwired connection.

Redundancy of the interface to PAS and level 2:

Each channel of redundancy consists of the following units:

- a gateway.

- a switch.

3.4.2. Installation

The RCSL actuation level is arranged within safeguard buildings 1 and 4. In order to reduce the amount of cabling, it could be installed together with the corresponding power electronic modules cabinets within the switchgear room.

The RCSL processing level is also arranged within I&C cabinet rooms of safeguard buildings 1 and 4.

The service unit is installed in the I&C Service Centre.

3.4.3. Interfaces with other I&C systems

The RCSL system is a part of level 1 of the I&C architecture.

The RCSL system receives:

• from the Process Automation System (PAS):

- process parameters.

• from the Protection System (PS[RP]):

- process parameters.


• from the Control Rod Drive Mechanisms (CRDMs):

- state/status of the Control Rod Drive Mechanisms.

• from the Process Information and Control System (MCP[PICS]):

- manual commands on automatic regulations.

- change of control rod sequence.

- setpoints.

The RCSL system provides:

• the Process Automation System (PAS) with:

- commands and setpoints.

• the Control Rod Drive Mechanisms (CRDMs) with:

- regulation signals that control the currents in the coils.

• the Process Information and Control System (MCP[PICS]) with:

- process parameters.

- preprocessed alarms.

- state/status of the Control Rod Drive Mechanisms.

- state/status of the automatic controls.

- status of RCSL (self-surveillance).

3.5. OPERATING MODES

The RCSL system has three operating modes:

- normal mode (automatic or manual).

- de-energized state (power supply off).

- degraded mode.

See G.4 FIG 2.

3.6. TECHNOLOGY USED

The equipment used to implement the RCSL system is the digital I&C platform TELEPERM XS.


3.7. POWER SUPPLY

The RCSL system is supplied by a non-interruptible power supply at the appropriate voltage (24 VDC).

Each cabinet is connected to two DC power supplies. The incoming feeders of these power supplies are energetically isolated from each other (e.g. using diodes). During normal operation both DC power supplies are supported by the Uninterruptible Power Supply (UPS) of the relevant division. In the event of unavailability of the UPS of the given division, one of the two DC power supplies can be switched to the UPS of the neighbouring division.

3.8. PROVISIONS FOR MAINTENANCE AND I&C TESTS

The service unit is used for maintenance and I&C tests.


G.4 TAB 1: DESCRIPTION OF THE RCSL SYSTEM

| Unit | Redundancy and safety classification | Location (division) | Description |
|---|---|---|---|
| Processing Unit (PR) | Redundant: one master/hot stand-by pair. E2 | 1 and 4 | Performs: voting/selection of input data (if necessary); automation controls (closed loop controls, open loop controls, combinational controls); priority management between the different commands dedicated to the rods; alarms elaboration |
| Rod control units (RCU) | Non redundant. E2 | Distributed in div. 1 and 4 according to the location of the RCCAs | Performs: management of the cycles of coil current according to the order received from the PR units; elaboration of a report of good or wrong execution of insertion/withdrawal orders. The RCUs also acquire reactor trip demands from the four divisions of RPS via hardwired connections; the trip is performed if at least 2/4 of the input signals are on. |
| Internal RCSL network | Two-fold redundant. E2 | 1 and 4 | To allow the exchanges of data between the PR units and the remote I/O modules. |
| Remote I/O modules | Two-fold redundant. E2 | 1 and 4 | To allow the exchanges of data between the PR units and the RCUs. |
| Monitoring and service interface | Non redundant. NC | 1 | Performs: monitoring of the PR units and the rod control units |
| Gateway | Two-fold redundant. E2 | 1 and 4 | Performs the interface between: RCSL and PAS; RCSL and MCP[PICS] |
| Switch | Two-fold redundant. E2 | 1 and 4 | Allows communication between several units. |
| Service unit | Non redundant. NC | 1 | Performs: testing and diagnosis functions. |


G.4 TAB 2: TYPICAL APPLICATION FUNCTIONS PERFORMED BY THE RCSL SYSTEM

Types of application functions (columns): Control functions, LCO surveillance functions, Limitation functions

Typical application functions (rows):

- Closed loop control: X

- Open loop control: X X X

- Combinatory control: X

- Alarm elaboration: X X X

- CRDM control: X X X

- Priority management: Not specific to a type of application function


G.4 FIG 1: PRELIMINARY BOUNDARIES OF THE RCSL SYSTEM


G.4 FIG 2: OPERATING MODES

[Figure: diagram of the RCSL operating modes: De-energized state, Normal mode, Degraded mode]