
International Atomic Energy Agency IWG-NPPCI-84/1

INTERNATIONAL WORKING GROUP ON NUCLEAR POWER PLANT CONTROL AND INSTRUMENTATION

BACKFITTING FOR NUCLEAR POWER PLANT CONTROL AND INSTRUMENTATION

PROCEEDINGS OF A SPECIALISTS' MEETING ORGANIZED BY THE INTERNATIONAL ATOMIC ENERGY AGENCY IN CO-OPERATION WITH THE ATOMINSTITUT DER OSTERREICHISCHEN HOCHSCHULEN AND HELD IN VIENNA, 25-27 APRIL 1984

INTERNATIONAL ATOMIC ENERGY AGENCY, VIENNA, 1985


BACKFITTING FOR NUCLEAR POWER PLANT CONTROL AND INSTRUMENTATION, IAEA, VIENNA, 1985, IWG-NPPCI-84/1

Printed by the IAEA in Austria January 1985

FOREWORD

A Specialists' Meeting on Backfitting for Nuclear Power Plant Control and Instrumentation was proposed by the IAEA Working Group on Nuclear Power Plant Control and Instrumentation at its meeting in Munich in October 1982.

Requirements for backfitting existing control equipment arise as the safety criteria and licensing requirements become stricter, as new technological innovations find application and as the industry learns new lessons from events in operating plants.

The IAEA Working Group on Nuclear Power Plant Control and Instrumentation keeps the problem of backfitting as a task of permanent interest. But this Specialists' Meeting was the first to devote itself exclusively to this problem and the first where the problem has been discussed in a complex manner.

As the experience in backfitting of control equipment is of interest both for designers and users, these two sides have been invited to the meeting.

A Specialists' Meeting, held in Vienna, Austria, from 25 to 27 April 1984, was hosted by the Atominstitut der Oesterreichischen Hochschulen (The Atomic Institute of Austrian Universities). 77 delegates from 20 countries participated in the meeting and 26 papers were presented. A visit to the Zwentendorf Nuclear Station was also included in the meeting programme.

CONTENTS

Welcoming address

Summary
Summary of Session 1
Session 2
Session 3
Session 4
Session 5

IMPROVEMENT OF RELIABILITY OF C&I SYSTEMS (Session 1)

I&C related aspects during backfitting of a special heat removal system (UNS) for a BWR at Brunsbuettel
    P. Fasko (Switzerland)
Improvement on reliability of control system in PWR plant
    S. Taguchi, T. Mizumoto, Y. Hirose, J. Kashiwai, L Takami, M. Shono, Y. Roji, S. Kizaki (Japan)
Experiences in the development of an Emergency Response Facility (ERF) system for a nuclear power plant
    A. Seisdedos, M.A. Sanchez-Fornie (Spain)
Seismic evaluation of electrical and instrumentation systems. Backfit actions being carried out at Trino Vercellese nuclear power plant
    M. Torlai, A. Aquino (Italy)

IMPROVEMENT OF RELIABILITY OF C&I SYSTEMS (cont'd) (Session 2)

Review of instrumentation and control system backfitting in Loviisa nuclear power station in Finland
    /. Ekman (Finland)
Backfitting of the nuclear plant VI power control system
    C. Karpeta, J. Rubek, P. Stirsky (Czechoslovakia)
I&C upgrades resulting from the systematic evaluation program carried out at the Central Nuclear Jose Cabrera
    J.C. Humphrey (Spain)
Retrofitting of an improved stack monitoring system in Rajasthan atomic power station
    K. Natarajan (India)
Improvement of nuclear power plant monitor and control equipment. Computer application backfitting
    H. Hayakawa, A. Kawamura, O. Suto, Y. Kinoshita, Y. Toda (Japan)

EXTENSION AND NEW CONCEPTS OF C&I SYSTEMS (Session 3)

Extensions and renovations of reactor protection systems
    K. Hellmerichs (Federal Republic of Germany)
Automatic detection and analysis of nuclear plant malfunctions
    R. Bruschi, P. Di Porto, R. Pallottelli (Italy)
Review of safety related control room function research based on experience from nuclear power plants in Finland
    K. Juslin, B. Wahlström, E. Rinttila (Finland)
Modifications needed to operate PWR's plants in G. Mode
    J.P. Stainman (France)
Backfitting possibilities of process instrumentation during planning, construction or operation of nuclear power plants
    G.E. Kaiser, R.R. Schemmel (Federal Republic of Germany), H.D. Warren (United States of America)
Question of automation of periodical slow process in nuclear power stations
    S. Berta (Hungary)
Neutron monitoring system for BWR's. Experience and developments
    W. Harfst (Federal Republic of Germany)

BACKFITTING OF COMPUTER SYSTEMS (Session 4)

Replacement strategy for obsolete plant computers
    J.P. Schaefer (Federal Republic of Germany)
Role of computers in CANDU safety systems
    G.A. Hepburn, R.S. Gilbert, N.M. Ichiyen (Canada)
The replacement gag vibration monitoring system for Hinkley Point 'B' power station
    T. Bagwell, M.F.G. Morrish (United Kingdom)
On design measures required to ensure high-quality services of unit computers in nuclear power stations
    /. Valko (Hungary)
A digital, decentralized power station control system with BUS-Transmission facilitates the problem of backfitting
    G.E. Kaiser, R.R. Schemmel (Federal Republic of Germany)

SPECIAL SYSTEMS AND PROCEDURES DUE TO NEW REQUIREMENTS (Session 5)

Comparison of control systems applied to the handling of radioactive reactor components
    C. Robinson, E.G. Harris, P.C. Dyer, J.G.B. Williams (United Kingdom)
Backfitting of research reactors
    R. Delrue, Th. iXoesen (Belgium)
Influence of regulatory requirements for nuclear power plants on the backfitting of Austrian research reactors
    H. Böck, J. Hammer, A. Nedelik, H. Weiss (Austria)
Assessment and inspection tasks of the Spanish regulatory body staff regarding I&C and related systems backfitting in old plants
    R. Cid Campo, /./. Villadoniga (Spain)
Backfitting in Rossendorf research reactor control and instrumentation system
    / Klebau, S. Seidler (German Democratic Republic)

Closing session. Chairman's remarks on the meeting
List of participants

WELCOMING ADDRESS

H.J. LAUE
International Atomic Energy Agency
Vienna

Mr. Chairman, Ladies and Gentlemen,

It is my pleasure to welcome you on behalf of the International Atomic Energy Agency to this Specialists' Meeting on Backfitting in Nuclear Power Plant Control and Instrumentation.

The meeting is being held within the framework of the programme of the International Working Group on Nuclear Power Plant Control and Instrumentation and is convened with the support of the Atominstitut der Oesterreichischen Universitaten (the Atomic Institute of Austrian Universities).

This is, as far as we know, the first time that the problem of backfitting of control and instrumentation equipment in nuclear power plants is the subject of an international meeting. This is rather surprising if one regards the three generations of control systems that we have seen in the last some 20 years.

The first generation I would state as typical for the situation in the middle of the 1960s. The control and instrumentation systems were then really adaptations of systems in fossil-fired plants. But there was recognition of the need to reduce the errors in measurements, together with speeding up the response of the automatic protection systems. Also safety considerations combined with the application of transistor equipment led to, e.g., the use of 3-out-of-4 logic, which permitted reduction of the spurious trip rate.

Already at this time the introduction of new control systems raised man-machine interface problems which we should have recognized earlier.

The next generation of control and instrumentation systems was developed in the middle of the seventies through the evolution of electronics with a fairly stable pattern of hardwired digital systems.

Microprocessors and other digital techniques, like integrated circuits, demanded introduction of a new element - the software, which can fail as other system components. This led to the necessity of validation of software, a problem which, of course, still is with us in a new dimension due to the immense increase in complexity.

Stricter safety requirements in the wake of the TMI-2 accident along with application of new technological designs and feedback of operating experience are features of new designs which are now emerging in a third generation.

These rapid developments fundamentally changing C and I concepts and technology thus took place within 20 years and are continuing. Plants representing the first generation are still in operation and may indeed have reached only a bit more than half of their technical lifetimes. It is thus rather curious that backfitting has not been raised as an urgent problem much earlier.

One of the dominant aspects of control system backfitting is now the very high speed in the development and introduction of computer technology which bring continuous changes into the design of plant control systems.

Backfitting of control systems means nowadays also the introduction of new instruments and also systems for incident diagnosis, for example, incorporation of loose parts monitoring and early failure diagnosis systems.

This is by no means a complete list of the questions which you will be discussing but it shows the complexity of the problem of which now an increasing number of plant designers and operators, as shown by the unusually large interest in this specialists' meeting. You are 80 participants from 19 countries which is remarkable for a meeting of this type.

We note that both designers and users are represented and that should help to bring about a particularly useful discussion.

Concluding, I wish to express our gratitude to the Government and authorities of Austria for the offer to host the meeting in this Institute and for all arrangements which have been made to ensure a productive and successful meeting; to Mr. Nedelik, who, as the Austrian representative to the International Working Group on Nuclear Power Plant Control and Instrumentation suggested to hold this meeting here; and to Mr. Bock and his colleagues, who have spared no effort in the organization of the meeting, the administrative chores to make our stay here a rewarding and also pleasant one.

And to all of you I wish a successful and productive meeting.


SUMMARY

Safety and economy of nuclear power plants is based on the reliable operation of all plant components including control systems and related instrumentation. The aim of the meeting was a detailed discussion of methodologies, major considerations and criteria used in identifying weak points of control equipment and corresponding ways of technical solution of that problem.

The meeting programme included 26 papers handling the following topics:

- Improvement of reliability of C&I systems;
- Extension and new concepts of C&I systems;
- Backfitting of computer systems;
- Special systems and procedures due to new requirements.

Following are short summaries by session chairmen on each topic.


SUMMARY OF SESSIONS

Session 1

IMPROVEMENT OF RELIABILITY OF C&I SYSTEMS

G.E. KAISER, Federal Republic of Germany

The four presentations of the first session gave a broad spectrum of reasons for backfitting C&I devices of NPP's.

P. Fasko presented with his paper "I&C related aspects during backfitting of a special heat removal system (UNS) for a BWR at Brunsbüttel" I&C related problems and solutions, when a special emergency heat removal system is installed in an existing plant. I&C interfaces between UNS and the existing plant had not to impair safety functions in the plant. This was realized by planning the electrical power supply and by measuring by means of transmitters which belong to the UNS but which are physically situated in the reactor building. The EMC design was subject of very careful considerations.

Due to the different construction, planning and manufacturing dates of equipment and software for the existing plant and the new safety systems, a series of C&I related operational items have to be considered.

Three further presentations treated of backfitting measures and changes in the C&I system itself (not induced by changes in the process system):

The failure of the control system is the primary cause of unscheduled shutdown experienced at PWRs in Japan. (Failure of feedwater control 5 times/52 reactor years, failure of rod control 3 times/52 reactor years.) Including reactor trips by failures of all the components of the plant there was an average of 0.8 failures/reactor year.

As S. Taguchi explained, operating experiences were analyzed in a systematical way and critical equipments were identified, using failure mode and effects analysis. Shutdown probabilities were estimated by means of fault tree analysis (FTA). As a result, the control system's reliability was increased and with it the plant reliability by backfitting redundant design. The plant unavailability according to the FTA decreased from 10"*• to 10~* 1/reactor year ("Improvement on reliability of control system in PWR plant").

The presentation "Experiences in the development of an Emergency Response Facility (ERF) system for a nuclear power plant" by A. Seisdedos F. de Pino and M.A. Sanchez-Fornie pointed out, that requirements for additional auxiliary equipment and systems and new experiences of operating plants (TMI-2) can require a new technique of C&I of an existing plant. At the example of a 974 MWe BWR by G.E. the engineering development steps for realizing a new operator information system for accident conditions, added to the existing, relay-based C&I system, were explained. A Safety Parameter Display System aims to enhance operator capability to understand plant conditions and interact in situations that require human intervention. Functions to be realized by the system are:

- critical plant parameter display
- emergency response guidelines displays
- analog trend displays.

The computer system is not safety related, but most of the 1700 analog and binary input signals come from safety-related systems.

The paper "Seismic evaluation of electrical and instrumentation systems. Backfit actions being carried out at TRINO Vercellese nuclear power plant" by M. Torlai and A. Aquino presented a special program for the seismic qualification of the electrical and instrumentation safety related systems at an existing plant. Seismic loads had not been considered in the original design of the plant.

Based on the requirements and recommendations from the current criteria for new plants (Rev. 2 of Standard Review Plan Section 3.10 and Reg. Guide 1.100), equipment was seismically qualified by analysis and/or laboratory test. Analysis alone was acceptable only if the necessary functional capability of the equipment was assured by its structural integrity. When the test method was utilized, the equipment was mounted on a shake table and subjected to certain types of excitation corresponding to a test response spectrum which envelopes the required response spectra.

Cable raceways are passive components for which only a structural integrity evaluation was required. Cabinets, control boards and valves are active components and therefore an operability evaluation was required as well.

The results:

Cable trays system: No modifications were required for trays and few improvements were necessary for supports

Cabinets and control boards: New anchorages for almost every piece of equipment examined

Modifications for MCC's drawers and for cabinets with doors.

No spring/damping systems were necessary to support cabinets. Relays, whose functionality is required during the shaking event will be substituted or qualified.

Session 2

IMPROVEMENT OF RELIABILITY OF C&I SYSTEMS (cont'd)

J. FURET, France

The second session was also devoted to improvement of reliability of control and instrumentation system. Five papers have been distributed but four only have been presented.

Mr EKMAN from Finland describes the review of backfitting work concerning instrumentation and control of V.V.E.R. 440 MWe PWR nuclear power plant of Loviisa. The two units are quite new and their operation is quite satisfactory if we consider the load factor. The main reason of the backfitting is based on "striger safety" to bring into account the TMI lessons and following partly the N.C.R R.G 197. We have noticed that if a lot of additional post accident monitoring equipment have been installed, little backfitting has been done in the main control room from the human factors point of view. We hope that the results of the studies made on simulators for filtering alarms during transients will be implemented on the computer plant. We know that this helpful improvement for operators is the solution of an old and difficult problem which we have heard since many years.

Mr HUMPHREY from Westinghouse Nuclear Espanola Company has presented the results of the systematic evaluation programme carried out at the Jose CABRERA Nuclear Power Plant well known by the name of ZORITA. This plant is quite old, it is also an interesting plant because it is a PWR with only one loop. I suppose that the first design of the control and instrumentation has been made at the beginning of the years 60. Mr HUMPHREY has pointed out that to conduct with efficiency the evaluation programme and to manage the improvements the full participation of the owner's plant operating and maintenance staff is needed. It is easy to agree and to understand this point of view. We have noticed that for such a plant the implementation schedule is quite long and that the technical problems raised by the review based on NCR Safety Philosophy and Regulatory Guide are not easy to solve. Even the lack of space for the implemented equipment is a difficult problem. And the effort made by the utility to upgrade the safety of one of their first nuclear power plant has to be underlined.

Mr NATARAJAN from India has presented an example of the improvements made on the RAJASTHAN nuclear power plant, where two CANDU units are running since many years. One has been manufactured by CANADA and the second by INDIA. India has a deep experience of the operation of this kind of plants and it is important to notice how the improvements made were conducted. The detailed description of the improvement made on the stack monitoring system given by Mr NATARAJAN shows the way to conduct the evaluation and the study and to select the solution which makes the better compromise between the need of the plant safety and the means and the resources of the country where the plant is sited.

Mr SUTO has presented a large scope of improvements proposed by TOSHIBA for its BWR plants based on the use of computers applications. The results of some "application experiences" were also presented. It seems that the spectrum of the well known PODIA system has been enlarged by automatic refuelling, TOSREX and ARTREX systems. I was surprised to hear from Mr SUTO that even the design of these systems has also taken into consideration the next backfitting phase. It would be interesting to know the opinions of the utilities on this point. For me, it is difficult to imagine more functions using computer applications than those presented in the paper.

Many kinds of improvements of instrumentation and control systems have been presented in this session. But the major part of them concerns the primary side of the plant. I suspect that the improvement described in Czechoslovakia paper concerns more the secondary side of the plant. And so we regret that our colleagues of Czechoslovakia were not able to present their paper.

The main reasons of backfitting in NPP control and instrumentation are based not only on new safety requirements but also on the experience of the operation of the plant just after start up and on the fast speed of technological innovations in the field of electronic components. These technical innovations may solve very often problems raised by improvements of availability and safety of the plant but also by reduction of personnel radiation doses.

My feeling hearing the papers of this session and of the others is that the increase of availability and safety and the decrease of personnel radiation doses are the keywords of backfitting in NPP control and instrumentation and they are also the keywords of the future development of NPP.

Session 3

EXTENSION AND NEW CONCEPTS OF C&I SYSTEMS

H. ROGGENBAUER, Austria

In this session there were 7 papers. They were dealing with all kinds of I&C installations necessary to meet new requirements coming from operation experience. Some of the papers are treating the relevant problems from the view point of the vendor, some from the view point of the utilities and some from the research point of view; hence this session gave certainly a good section. Especially the RPS experienced increased requirements for different reasons, for example the consequences from the TMI accident, counter measures against external events, etc. But also old I&C systems have to be replaced. Different problems related to adaptation of new systems to the already existing ones were shown.

A number of new concepts and systems have been developed which are to be integrated in order to increase the availability and the safety. To test new concepts simulators turned out to be very useful.

One important aspect is also the consideration of modern control rooms taking into account ergonomical perceptions. NPPs are to an increasing extent used for load follow and frequency control. To do this improved operator aids by computers and improved control by using grey rods are necessary.

With improved or newly developed instruments accuracy can also be increased allowing for optimal operation margins. As an example the measurement of the saturation temperature can be mentioned here.

But also I&C systems for slow processes, like slow chemical processes, fluid wastage, etc. are to be considered further.

Finally the utilisation of new technology, like microprocessors, fiber optics, etc. are to be considered for integration.

Session 4

BACKFITTING OF COMPUTER SYSTEMS

G.A. HEPBURN, Canada

Three of the papers addressed the general problem of backfitting or replacing computer systems in operating plants, while the other two dealt with specific retrofit applications.

While obsolescence of existing equipment was cited as a major reason for requiring computer system replacement, this alone does not seem to have become an insuperable problem. The main reason for backfitting computers seems to be to take advantage of new technology to greatly improve the man-machine interface.

Most of the systems described used a distributed architecture, with multiplexed information being transferred on serial data links. The modular nature of the resulting systems eased the backfitting problem, since only the wiring of the data acquisition equipment required a plant shutdown. Since this wiring is local, there need not be a major disruption due to major rewiring in a central location, or addition of long new cable tray runs.

Session 5

SPECIAL SYSTEMS AND PROCEDURES DUE TO NEW REQUIREMENTS

D. WELBOURNE, United Kingdom

The first paper from Mr. C. Robinson of NNC, Great Britain is on a computer control application. It describes the backfitting of an irradiated fuel handling facility with dual control by PLC units, to Hinkley B AGR in Great Britain. The problem of software integrity is of increasing significance, and the verification and validation techniques described were comprehensive and thorough.

It was of great interest to hear that the software was diverse in the two processors used for control. Many of us are concerned to apply computers for reactor safety functions and it is of great importance to build on what we have learnt. Canada is clearly able to teach some of us here, but it is interesting to hear of the developments which have been achieved in UK. An area where computer manufacturers could be interested is the possibility of a fail to safe computer module, demonstrated in a full and comprehensive way by a proper analysis of its failure mechanisms and its self-check facilities. Such a module could find wide application where reactor protection or the control of active processes was involved.

An interesting paper was presented by S. Herin, on renovating C&I systems and cooling systems on research reactors in Turkey and in Iraq. The pictures he showed were of great interest. The problems of old, leaky reactor tanks, cooling systems, which are inadequate by today's standards, and out of date instrumentation without spares were clearly described and their resolution and the consequent significant improvements in safety are of major importance to everyone, both as engineers and as members of the public.

In the area of licensing for backfitting in Austria, Herr Nedelik gave a most interesting review of the problems for low power reactor, and this was further explored by Sr. Villadoniga in his paper on licensing of backfits to early Spanish power reactors. It is perhaps surprising that there is a shortage of clear criteria for backfitting, and perhaps there is scope for IAEA or IEC work on the minimum standards for such backfitting. The USA NRC regulatory guides are an excellent basis but in some senses are often narrow minded, and Sr. Villadoniga gave a glimpse of the breadth of view needed by a licensing authority.

Guidelines seem to be needed covering, for example, the following major points:

- at least 2 trains of cooling for the reactor
- at least 2 trains of emergency power supply
- at least 2 shutdown parameters for faults
- some sort of fail-to-safe argument on protection equipment
- at least 2/3 shutdown on flux and other key parameters
- a source of emergency power must be guaranteed before any reactor operation is permitted
- a degree of segregation and of separation must exist
- an assurance of earthquake and fire hazard withstand

The absence of attention to fire hazards during this conference is of some concern, since the Brown's Ferry report is of almost greater importance than TMI. It is to be hoped that backfitting programs take proper account of the hazard of fire to cables which might totally destroy control and coolant facilities for the reactor.

Finally an interesting paper was given by Herr Klebau on the design and prototype construction of a computer system which clearly does far more than he had time to explain. It is hoped to apply this to a low power reactor used for isotope production and for irradiation work. The automation of such small reactor facilities is clearly an important area for backfitting, and it is interesting to hear of the advances his organisation has made. There was not time after the presentation for him to describe the software quality assurance measures and languages, but the level of testing he outlined on what is understood to be an assembly code system with some Fortran gives assurance of a high quality product appropriate for the automation he envisages.

Overall, these papers gave a most interesting overview with appropriate detail of the problems of backfitting and licensing for various reactors.

I&C RELATED ASPECTS DURING BACKF1TTING OF A SPECIAL HEAT REMOVAL SYSTEM (UNS) FOR A BWR AT BRUNSBUETTEL

P. FASKO Motor Columbus, Consulting Engineers Inc., Session 1 Baden, Switzerland

IMPROVEMENT OF RELIABILITY OF C&I SYSTEMS 1 INTRODUCTION Chairman The BWR at Brunsbifttel (KKB, 770 MWe), north of the G.E. KAISER Federal Republic of Germany (ERG), went Into commercial operation in 1976. In 1976 the Bundeaminiater dec Inneren (BMI) of the PRG (federal responsibility for superior safety aspects of NPP's) asked for the implementation of a special emergen­ cy heat removal system (UnabhJfngiges Notstandssystem - UNS) for the NPP Brunsbiittel (KKB). The goal of this backfittlng is to cope with events which were not postu­ lated in the original design of the plant and, to further reduce the residual risk. Tht Hamburgliche Electricltitiwerke AG (HEW), as owner of the NPP Brunsbiittel (KKB), charged 1979 Kraftwerk Union AG (KNU) with the design, erection and commissioning of the UNS. Moto.—Columbus Consulting Engineers Inc. (HC ING) was entrusted by the Sosialmlnlster des Landes Schleswig-Holstein (state responsibility for nuclear safety) to perform all necessary detailed safety assess­ ment and quality assurance supervision during the various phases of planning, construction and erection up to com­ missioning according to paragraph 20 of the German Atomic Law, After completion of the detailed planning and the corres­ ponding safety assessment, the authorities granted the construction and operation license for the UNS beginning November 1982. Site construction of the new buildings be­ gan just afterwards. A major backfitting outage of the NPP Brunsbiittel (KKB) lasted until Mid 1983, which was used to perform the main electromechanical as well as structural modifications in X the existing plant to accommodate the planned connection DCS. UNS-INSTRUMENTATION AND CONTROL SYSTEMS to be de- to the UNS. Signed (as applicable) according to KTA 3501 (the German standard for reactor protection systems and The commissioning date of the UNS is scheduled for the monitoring of engineered safeguards) refueling period in 198S. DC6. 
UNS-HBAT SINK INDEPENDENT PROM EXISTING PLANT 2 DESIGN BASIS OP UNS DC7. UNS-ELECTRIC POWER SYSTEMS INDEPENDENT PROM EXIS­ TING PLANT DCS. UNS INDEPENDENT FROM OPERATIONAL SYSTEMS For the above-mentioned special heat removal system (UNS) for the NPP Brunsbuttel (KKB) no directly applicable DC9. It is permitted to APPLY PROVISIONALS in order to safety rules or criteria were available which would des­ fulfill long-term safety goals cribe the specific requirements for the UNS. DC10. The UNS is to be DESIGNED TO WITHSTAND EXTERNAL In the course of planning and safety assessment the safe­ EVENTS according to current requirements if a ty goals of the UNS vere defined as following: reduction of the residual risk is achieved If an initiating event leads to functional incapacity or DC11. The UNS is to be DESIGNED TO WITHSTAND SABOTAGE destruction of vital (physical protection) - components DC12. SUFFICIENT INSTRUMENTATION SHALL BE PROVIDED in the - systems outside of the reactor building UNS control room to monitor the achievement of - structures long-term safety goals the UNS shall provide the following tasks: 1. plant shut-down 3 BRIEF DESCRIPTION OF THE UNS 2. remove decay heat 3. avoid gross activity releases. The UNS design shall fulfill 2 principles: The technical solution to fulfill the above-mentioned criteria consists of: - not impair existing safety functions - contribute to reduction of residual risk - low pressure injection system which takes water out of the suppression pool, cools it and feeds it back to the To achieve these safety goals the following design cri­ reactor pressure vessel via the piping of the core in­ teria were set up: jection system (active components 2 x 100 %) DCt. If SCRAN and CONTAINMENT ISOLATION not fail-safe - the service water system (active components 2 x 100 I) then UNS shall provide also these functions which dumps the heat to the atmosphere via a wet cell type cooler with 2x8 ventilators DC2. 
MANUAL ACTIONS are permitted only 10 hours and longer after the occurrence of an initiating event - various ventilation systems (partially 2 x 100 %> for the controlled and noncontrolled areas with recirculat­ DC3. Function of existing SAFETY SYSTEMS must not be im­ ing possibilities paired by the UNS - various service and communication systems OC4. The UNS is required to meet the SINGLE FAILURE CRITERION for active components - diesel-backed electrical power systems 2 % 100 t

No UNS SYSTEM-REDUNDANCY for passive components is - independent process control systems for the UNS/ in­ required cluding a control room in the UNS building The components and systems of the UNS will be installed in a few cases

Diagram 2: UNS Electrical Power Supply
Diagram 3: UNS Instrumentation and Control

4 I & C SPECIFIC PROBLEMS AND SOLUTIONS

4.1 I & C INTERFACES BETWEEN UNS AND EXISTING PLANT

Especially DC3 (no impairment of safety functions in the existing plant) required a very thorough analysis of all interfaces:

This interface turned out to be of low importance because electrical power for the UNS is only supplied during standby from the existing plant. In case of an UNS-relevant event the electrical power connection is cut (2 switches in series) and the two electrical trains of the UNS (redundancy A and B) are supplied each by a 1.2 MW diesel generator.

b) Instrumentation

All parameters from the existing plant (e. g. reactor pressure, RPV-level), which are required to initiate the UNS safety functions, or which are required to monitor the proper performance of the UNS, are measured by the means of transmitters which belong to the UNS, which are electrically powered from the UNS, but which are physically situated in the reactor building. These UNS transmitters (e. g. pressure, level, flow) tap the pressure transmission piping of transmitters in the existing plant - that is the instrumentation interface for the respective measurements.

In order to meet best DC3 additional pressure transmission piping was kept as short as possible, and the location of the UNS transmitters was carefully evaluated with respect to redundancy requirements of the existing plant, as well as the UNS.

c) Control

In the case of motor-driven isolation valves, which are to be actuated and powered from the existing plant as well as from the UNS, special switch over units are built in as interfaces, which are actuated either by
- the existing plant
- or the existing plant and the UNS (with priority)
- or the UNS alone.

In the case of fail-safe operated check valves (e. g. containment isolation of steam lines) the interface component is a relay. It can be actuated from the UNS, and thus disconnects the fail-safe circuit, which means actuation either by the existing plant or the UNS.

These interfaces are equipped with remote manual testing facilities.

4.2 ELECTROMAGNETIC COMPATIBILITY (EMC)

Due to the distance between UNS-building and existing plant the question of proper EMC design was subject of very careful considerations and evaluations.

EMC of the UNS in connection with the existing plant is designed such that lightning would not impair the UNS or the existing plant, nor lead to a false actuation.

All other EMC aspects are considered to be sufficiently covered with this approach.

The following lightning stroke data correspond well with the currently accepted data in the FRG.

Lightning data         negative stroke      positive stroke
                       (all structures)     (structures >100 m height)
rise time [µs]         1                    50
decay time [µs]        50                   500
peak current [kA]      100                  500
steepness [kA/µs]      100                  15

In order to achieve a sufficient low level of differential voltage between the respective earth points of the UNS and existing plant the iron reinforcement of the existing plant is connected electrically via the underground UNS conduit (across non conducting expansion joints of the conduit) to the iron reinforcement of the UNS building. In addition to this, and in particular to reduce the induced voltage between the conductors of a cable, a special shielded cable for all I & C connections between UNS and existing plant is applied.

These passive EMC measures are complemented by active measures: All I & C connections between UNS and existing plant are equipped with isolation devices. Thus it can be expected that electromagnetic disturbances especially due to lightning will be no problem for operation or safety of the plant.

4.3 GRADATION OF SET POINTS

As certain safety functions (e. g. automatic depressurization, low pressure core injection, isolation of main steam lines) are performed from the existing plant as well as from the UNS (in parallel) it was desirable to guarantee that the safety systems would be started in a defined sequence (existing plant before UNS).

Due to tolerances in the instrumentation chains and in the time delay units between existing plant and UNS it was necessary to gradate the respective set points. This could be solved in a satisfying way.

4.4 OPERATIONAL CONSEQUENCES

Due to the different construction, planning and manufacturing dates of equipment and software for the existing plant and the UNS, a series of specific items are to be looked after.

The utility personnel has to operate, maintain, repair and understand:
- different types of I & C equipment for the same function
- different ways of presentation in the logic and circuit diagrams
- different layout of the control rooms.

The solution for this will be a thorough training program for the personnel and well-defined non misunderstandable instructions in the operational manuals.

5 CONCLUSIONS

We think that the special heat removal system UNS for NPP Brunsbuttel will contribute to reduce the residual risk (that is the risk which is left if one assumes the occurrence of events beyond the design basis) and we made the experience - up to now (beginning of the electrical installation) - and also expect for the future that I & C is not and will not be a problem area for backfitting the UNS.

We would like to point out that I & C was not the cause for backfitting the UNS, I & C just helps to perform the proper function of the UNS. This also, because the utility has been performing a sort of ongoing backfitting of the instrumentation in the recent years.

Diagram No. 1: KKB UNS Primary and Service Water System (03.84) [diagram not reproduced; labelled elements: wet cell cooler (approx. 30 MWth) with 2x8 ventilators, containment, reactor pressure vessel, main steam, feedwater, low pressure injection system of existing plant, reactor building, service water system, UNS service water pool, UNS service water pumps, heat exchanger (diesel, ventilation), UNS primary pumps]

Diagram No. 2: KKB UNS Electrical Power Supply (03.84) [diagram not reproduced; labelled elements: redundancy "A" and redundancy "B", 10 kV connection to existing plant for stand by power supply, diesel generators, 0.4 kV buses, primary and service water pumps, 220 V DC, 24 V DC I & C power supply, 220 V AC]

Diagram No. 3: KKB UNS Instrumentation and Control [diagram not reproduced; it shows the instrumentation and signal processing for actuation of the UNS in redundancies A and B, lines 1 to 3 each. Labelled elements: transmitter (sensing and transmitting), indication and registration, alarm, isolation amplifier, comparator (analog/binary), signal processing unit, signal exchange between redundancies A/B, logic operations, impulse generator and impulse receiver, 2 out of 3 voting units, manual interaction, automatic control level, testing, priorities, actuation of UNS]

Studies made of Japanese PWR operating experiences have revealed that failures in the control system are the primary causes of unscheduled shutdowns. An attempt has, therefore, been made to improve the reliability of the control system in order to raise the plant reliability. The followings are the procedures applied to solve the issue; study of operating experiences, fault tree analysis and failure mode and effects analysis.

Improvement measures are developed for the control system whose failure threatens to cause the plant trip during the plant life. These systems are the main feedwater control system, rod control system, pressurizer control system and main steam control system in the primary control system.

As a result, the plant unavailability is expected to be reduced significantly by applying the improvements. The improvements are applied to the plants under construction and the operating plants in co-operation with utilities and vendors.

Study of Operating Experiences
A survey is made of both Japanese and the US PWRs' operating records to identify shutdown experiences caused by the failure of the control system.

FMEA
To screen out less reliable components whose failure are likely to cause plant trip, Failure Mode and Effects Analysis (FMEA) is done.

FTA
Shutdown probabilities are estimated by means of Fault Tree Analysis (FTA).

Examination of Improvement measures
Various countermeasures are examined for the components which are found less reliable. In addition, the reduction in shutdown probability expected to be achieved by the each improvement measures is estimated by analyzing the fault tree.

The following are mainly the description about the improvement of reliability of the primary control system.

II. STUDY OF OPERATING EXPERIENCES

Experiences at PWRs operating in Japan

Figure-1 shows percentage contributions of failed components/systems which are identified from operating records as the outright cause of unscheduled shutdown. It is apparent from the figure that 30% of the shutdowns are attributable to the control system.

Figure-1 Contribution of Failed Components to Unscheduled Shutdown on PWRs - Japan [bar chart not reproduced; vertical axis in %]

Experiences at PWRs operating in the United States

NUREG-0200 1/ was surveyed to identify unscheduled shutdowns experienced at PWRs designed by Westinghouse. A survey of Nuclear Power Experiences (NPE) 2/ was also made. It turned out that the main feedwater control and the rod control system are less reliable among the primary control system. Failure distribution of components which are calculated from the experienced records are found to be similar to those obtained from the Japanese records. (Figure-2)

Figure-2 Failure Distribution of Components Constituting the Control System - NPE Data [chart not reproduced]

3. These results suggest that the control system should be examined whether to cause shutdown or not by their constituent components' failures and that improved measures should be studied for the control system.

III. FAILURE MODE AND EFFECTS ANALYSIS

Figure-3 shows a work sheet used in FMEA. The following are the explanation of the work sheet.

1) Component identification
The name of each component used in the system under review is filled.

2) Failure mode
Failure mode is specified for each component. The following are typical failure modes:
Control valve and Solenoid valve: full-open, or full-close
Sensor, Controller, Converter and Positioner: high output or low output
Switch, Relay, and Comparator: fail to actuate or spurious actuation

3) Effects on the control system
For each component, effects on the performance of the control system associated with its failure are assessed and described.

4) Effects on the plant
For each component, effects on the plant operation associated with its failure are assessed and described.

5) Plant event
Plant events initiated by the failure are described in accordance with time-sequence.

6) Time period
The time elapsed from the initiation of failure to the plant trip is described.

7) Information available for operator
Information available on the main control board during the event, e.g., annunciator, indicator, and other display, is described.

8) Operator action
Expected operator's action is described.

9) Method of failure detection
Read out information necessary for the operator to diagnose the failure is described.

10) Failure rate
The failure rate of each component is assessed and filled in. Domestic experiences data, hardware manufacturers' data, IEEE Standard 500 3/, WASH-1400 4/, and MIL-HDBK-217C 5/ are consulted.

11) Improvement measures
Candidate measures for improving the component whose failure causes plant trip, or whose failure is hardly detected are described.

IV. FAULT TREE ANALYSIS

The probability of plant trip caused by a component failure is evaluated by FTA using the result of FMEA. A typical fault tree for the main feedwater control system is shown in Figure-4.

During the course of evaluating the probability, recovery by operators are taken into considerations.

ANS-58.8 6/ was referred to the determining operator's recovery factors. Plant shutdown probability obtained from FTA is presented in Figure-5.

Probabilities of the main feedwater control system and the rod control system dominates more than a half of the total plant shutdown probability. This tendency is also seen in operating experiences.

The reason for the significant contribution from these two systems could be the rapid transient caused by their failure and a large number of components in these systems.

Figure-3 Typical FMEA Documentation [work sheet not reproduced in full. Name of system: Feedwater Control (A loop). Columns: component identification, failure mode, effect on system, effect on plant, event chart (plant event, time, information for operator, operator action), method of failure detection, failure rate, improvement measure.
Entry shown: I/P converter, positioner and booster relay for main feedwater control valve 3FCV-468. Failure mode: low output. Effect on system: loss of feedwater flow. Effect on plant: R.T. Plant events: 1. 3FCV-468 closed; 2. loss of feedwater flow; 3. decrease of SG water level; 4. R.T. by low water level and feedwater flow < steam flow. Time: 12 sec. Information for operator: FW < SF ANN, water level deviation ANN, low water level ANN. Method of failure detection: direct method of failure detection is not available. Failure rate: listed per hour for I/P, positioner and booster relay. Improvement measures: installation of valve lift meter to monitor valve lift and controller output on main control board; installation of redundant I/P, positioner.
Notes on the sheet: SF, FW = 1,600 t/h = 0.444 t/sec = 0.578 m3/sec; downcomer cross-sectional area = 10 m2; speed of water level = 1.58 %/sec; 44 % to 25 % in 12 sec. ANN: Annunciator. Pneumatic control devices are located outside the control room.]

Figure-4 Fault Tree for the Main Feedwater Control System [fault tree not reproduced. Top event: R.T. by SG low water level and feedwater flow < steam flow. Intermediate events: loss of feedwater flow; FWC valve closed in A loop, B loop or C loop; closing signal to FWC valve; low output signal during manual control (with operator recovery); low output signal during automatic control; low output signal of controller; failure of pneumatic control for FWC valve; loss of control air source; air vent from FWC valve actuator; low output of booster relay. Legend: event symbols for basic event, secondary event and house event (operating condition); gate symbols for "and" gate, "or" gate, "inhibit" gate and "transfer" gate (transfer in / transfer out). FWC valve: feedwater control valve. Probabilities are annotated on the tree per reactor year (/R.Y.).]

Figure-5 Reliability of Control Systems [bar chart not reproduced; values per reactor year for each control system, comparing experienced data, FTA before improvement and FTA after improvement]

V. EXAMINATION OF IMPROVEMENT MEASURES

One of the criteria for determining the application of improvement measures is the cost evaluation. If the cost necessary for implementing the improvement measure is lower than the cost for running an alternative power station during the plant shutdown, this countermeasure is acceptable.

These improvement measures that are applied or are going to be applied to the plant under construction and the operating plants are shown in Table-1. Figure-5 indicates that the plant unavailability is expected to be reduced significantly to less than 10~*/R.Y. for each control systems.

Table-I Summary of the Improvement for the primary control system

Control System          Improvement
Feedwater Control       o Redundant system with automatic transfer for pneumatic subcontrol system of control valve
                        o Mode change from normal energized to normal de-energized for the isolation solenoid of control valve
                        o Backup system with a µ-computer for analog control system
Rod Control             o Double holding by stationary and movable gripper coil of control rod drive mechanism
Pressurizer Control     o Redundant pressure sensor
                        o Manual close switch for spray valve
Main Steam Control      o 2 out of 3 logic for relief valve quick open circuit
                        o Fault detection by plant computer for steam dump actuation circuit

Among them, the improvement measures for the main feedwater control system and the control rods drive mechanism-control system (CRDM-CS) are to be described in detail.

Backup System for the Main Feedwater Control System

The conceptual architecture of the backup system is shown in Figure-6. A feature of this backup system is that the micro-computer is utilized for diagnosis and the backup of the analog control system.

1) Objectives of the backup system

The objectives of the backup system are the realization of the detection of component failures, and automatic transfer to the backup control system without significant transient.

The backup systems are provided for the following:

(1) analog control subsystem - PI controller, function generator, and filter
(2) sensors - feedwater flow, steam flow, SG water level, and turbine first stage pressure
(3) pneumatic control subsystem - pneumatic control section of the main feedwater control valve (positioner, I/P converter, and booster relay)

Figure-6 Backup System for Feedwater Control System [block diagram not reproduced. Legend: FW1, FW2: feedwater flow 1 and 2; SF1, SF2: steam flow 1 and 2; SF3: steam flow from other loops; TP1, TP2: turbine first stage pressure 1 and 2; SGL1, SGL2: SG water level 1 and 2; SGL3: SG water level from protection system; REF: reference signal; DEV: deviation signal; SG water level program; µ-computer; >: high selector; PI: PI controller; I/P: electric/pneumatic converter; P/P: pneumatic positioner; B/R: booster relay; pneumatic control diagnosis; feedwater control valve]

2) Backup Systems

The analog control subsystem, sensors and pneumatic control subsystem are provided with backup systems. When the diagnostic logic identifies a failure in these systems, it generates the switchover signal to transfer the function to a backup system automatically.

(1) Backup system for the analog control subsystem
The analog control system is backed up by a micro-computerized diagnostic system which simulates the function of the analog control subsystem.

(2) Backup system for the sensors
Two (2) sensors continuously monitor the same process variables. If the sensor used for control is failed, it is backed up by the remaining one.

(3) Backup system for the pneumatic control subsystem
Redundant electrical pneumatic converter (I/P), positioner (P/P) and booster relay (BS) are installed as backup for the pneumatic control subsystem. One channel is operating the control function, and another is in standby. When the former fails, the control function is transferred to the latter backup system automatically.

3) The following considerations are taken into account when designing the diagnostic system.

(1) The diagnostic system shall not be affected by either fluctuations in process variables or electrical noise. This is done by determining thresholds for difference signals described below in such a way that they bring about neither frequent occurrence of false diagnosis nor large fluctuations in process.

(2) The diagnostic logic for the analog control subsystem, sensors, and pneumatic control subsystem are independent.

4) Diagnosis for the analog control subsystem

The basic functions of the diagnosis for the analog control subsystem are as follows:

(1) The computer (backup system) simulates control function done by the analog control subsystem. Difference between the analog control subsystem output and the computer output is monitored.

(2) Differences between the following process variables are monitored. This monitoring is assigned to the analog base hardware, not to the computer.
(a) difference between the feedwater flow and the steam flow
(b) difference between SG water level and SG water level reference

(3) The analog control subsystem is regarded as failed when the difference signals defined above (4)-(1) and (2) exceed predetermined thresholds coincidently.

Other means to improve accuracy of the diagnosis is described below:

(4) Improvement of simulation accuracy
There is a problem that the computer continues to accumulate the input error and it brings difference between the analog control subsystem output and the computer output. To eliminate this problem, the computer is tracking the analog control output with a certain time delay.

(5) Monitor the outputs of two analog controllers
Outputs of the water level controller and the flow controller are monitored to increase accuracy of diagnosis.

(6) Coincidence of polarity
The analog control system is regarded as failed only when polarities of deviations in the control system outputs and differences in the process variables are coincident each other.

For example, the low output failure of the analog control system is shown in Figure-7.

Figure-7 A Diagnostic Logic for Analog Control Subsystem [logic diagram not reproduced. Inputs, each compared against a set point ε: computer output minus analog control output; steam flow minus feedwater flow; SG water level reference minus SG water level. Output: low failure of analog control subsystem]

5) Diagnosis for the sensors

This diagnostic system is for the feedwater flow, steam flow, SG water level and turbine first stage pressure.

(1) Redundant sensors are installed for the same variable. The difference between the two (2) sensors is monitored.

(2) The difference between the sensor and the following reference signal is monitored.
. Feedwater flow - steam flow in the same loop
. Steam flow - steam flow in the other loop
. SG water level - SG water level in the same loop that is used only in the protection system
. Turbine first stage pressure - The low output is regarded as failed, so that there is no reference signal.

(3) The sensor is regarded as failed when the difference signals defined above (5)-(1) and (2) exceed predetermined thresholds coincidently.

(4) The diagnostic logic is blocked during the plant transient. This is done, because the reference signals are not in steady condition.

A diagnostic logic for the feedwater flow is presented in Figure-8.

Figure-8 A Diagnostic Logic for Feedwater Flow [logic diagram not reproduced. Inputs, each compared against a set point ε: feedwater flow 1 minus feedwater reference; feedwater flow 1 minus feedwater flow 2. Blocking input: signal of the plant transient. Output: high failure of feedwater flow 1]

6) Diagnosis for the pneumatic control subsystem

This diagnostic system is for the pneumatic control subsystem of the main feedwater control valve. The positioner, I/P converter and booster relay are subject to this diagnosis.

(1) The difference between the controller output and the valve lift is monitored.

(2) Differences between the feedwater flow and steam flow, and between SG water level and SG water level reference are also monitored.

(3) The failure of the pneumatic control subsystem is regarded as failed when the difference signals defined above (6)-(1) and (2) exceed predetermined thresholds coincidently.

(4) When the main feedwater control valve is closed by an isolation signal initiated under SG high water level condition, this diagnostic logic is blocked.

The logic for diagnosis is presented in Figure-9.

Figure-9 Diagnostic Logic for Pneumatic Control Subsystem [logic diagram not reproduced. Inputs for high failure, each compared against a set point ε: SG water level minus SG water level reference; feedwater flow minus steam flow; valve lift minus controller output. Inputs for low failure: SG water level reference minus SG water level; steam flow minus feedwater flow; controller output minus valve lift. Blocking input: main feedwater control valve isolation signal. Output: high or low failure of valve]
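The coincidence logic of items 4) and 5) above (Figure-7 and Figure-8), written out as an added Python example that is not from the original paper. Signal names, units and every set point value are assumptions; the "high" branch of the analog-control check and the "low" branch of the sensor check mirror the single case the paper illustrates for each.

```python
"""Coincidence-based failure diagnosis for one feedwater control loop.

Added illustration: field names, units and set points are hypothetical.
"""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class LoopSample:
    fw_flow_1: float     # feedwater flow, sensor used for control (t/h)
    fw_flow_2: float     # feedwater flow, redundant sensor (t/h)
    steam_flow: float    # steam flow in the same loop (t/h)
    sg_level: float      # SG water level (%)
    sg_level_ref: float  # SG water level reference (%)
    analog_out: float    # analog control subsystem output (%)
    computer_out: float  # micro-computer simulation of that output (%)
    transient: bool      # signal of the plant transient


@dataclass(frozen=True)
class SetPoints:
    """Thresholds (epsilon in the figures); the values are assumptions."""
    ctrl: float = 5.0     # controller output difference (%)
    flow: float = 80.0    # feedwater/steam flow difference (t/h)
    level: float = 3.0    # level deviation from reference (%)
    sensor: float = 60.0  # difference between redundant sensors (t/h)


def all_exceed(pairs) -> bool:
    """True only if every signed difference exceeds its own threshold."""
    return all(diff > limit for diff, limit in pairs)


def diagnose_analog_control(s: LoopSample, sp: SetPoints = SetPoints()) -> Optional[str]:
    """Item 4): failed only if all differences exceed with the same polarity."""
    low = [(s.computer_out - s.analog_out, sp.ctrl),
           (s.steam_flow - s.fw_flow_1, sp.flow),
           (s.sg_level_ref - s.sg_level, sp.level)]
    if all_exceed(low):
        return "low"
    if all_exceed([(-diff, limit) for diff, limit in low]):
        return "high"
    return None


def diagnose_fw_sensor(s: LoopSample, sp: SetPoints = SetPoints()) -> Optional[str]:
    """Item 5): feedwater flow sensor 1 against sensor 2 and the steam flow."""
    if s.transient:  # reference signals are not steady, logic is blocked
        return None
    high = [(s.fw_flow_1 - s.fw_flow_2, sp.sensor),
            (s.fw_flow_1 - s.steam_flow, sp.flow)]
    if all_exceed(high):
        return "high"
    if all_exceed([(-diff, limit) for diff, limit in high]):
        return "low"
    return None


def feedwater_flow_for_control(s: LoopSample, sp: SetPoints = SetPoints()) -> float:
    """Switch over to the remaining sensor when sensor 1 is diagnosed failed."""
    return s.fw_flow_2 if diagnose_fw_sensor(s, sp) else s.fw_flow_1


# Constructed samples (not plant data).
NORMAL = LoopSample(fw_flow_1=1600.0, fw_flow_2=1598.0, steam_flow=1600.0,
                    sg_level=44.0, sg_level_ref=44.0,
                    analog_out=50.0, computer_out=50.5, transient=False)
# Controller output collapses; flow and level follow with the same polarity.
CONTROLLER_LOW = replace(NORMAL, analog_out=20.0, fw_flow_1=1300.0,
                         fw_flow_2=1302.0, sg_level=38.0)
# Only the simulation disagrees with the controller; the process is steady.
SIMULATION_DRIFT = replace(NORMAL, computer_out=80.0)
# Controller looks low but the process deviates in the opposite direction.
POLARITY_MISMATCH = replace(NORMAL, analog_out=20.0, fw_flow_1=1900.0,
                            fw_flow_2=1900.0, sg_level=50.0)
# Sensor 1 reads high while sensor 2 and the steam flow agree.
SENSOR_HIGH = replace(NORMAL, fw_flow_1=1900.0)
SENSOR_HIGH_IN_TRANSIENT = replace(SENSOR_HIGH, transient=True)

if __name__ == "__main__":
    for name in ("NORMAL", "CONTROLLER_LOW", "SIMULATION_DRIFT",
                 "POLARITY_MISMATCH", "SENSOR_HIGH", "SENSOR_HIGH_IN_TRANSIENT"):
        s = globals()[name]
        print(name, diagnose_analog_control(s), diagnose_fw_sensor(s),
              feedwater_flow_for_control(s))
```

The SIMULATION_DRIFT and POLARITY_MISMATCH samples show why a single exceeded threshold does not trigger a switchover.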

7) Validation

The improvement measures have been shown to have proper functions through a validation test using prototype equipment and the plant simulator.

2. Improvement Measures for CRDM-CS

Associated with each rod is a drive mechanism that contains a group of three coils: a stationary gripper coil, a movable gripper coil, and a lift coil. In the hold position, only the stationary gripper is energized to grasp all rods. When rods are in selected mode and being inserted or withdrawn, all these three coils are energized. However, the movable gripper coil is energized only for rods which are in selected mode. Rods which are not in selected mode are held by the stationary gripper only, and will therefore drop when failures of the stationary gripper coil control circuits or power fuses occur. Rods which are in selected mode may slip in this case, because it takes time before the movable gripper coil is energized to grasp the rods. It is evident from the above discussion that unavailability of CRDM-CS can be reduced when the mechanism at the holding position is improved. This is done by grasping rods at holding position with both stationary and movable grippers regardless of the selection modes.

This countermeasure can prevent the following: drops of rods in non-selected mode, and slips of rods in selected mode. The conceptual circuit of the improvement measure is shown in Figure 10 and 11.

This improvement measure has been shown to be able to provide the proper functions through a validation test using the prototype equipment and the control rod drive mechanism.

Figure-10 CRDM-CS before improvement [circuit diagram not reproduced; labelled elements: control signals, group selection circuit, control circuits, power bus, group 1 and group 2, control-rod drive shaft. S B: Shutdown Bank; C B: Control Bank]

Figure-11 CRDM-CS after Improvement [circuit diagram not reproduced; labelled elements: control signals, group selection circuit, control circuits, power bus, group 1 and group 2, SG coil, MG coil, shutdown bank, control bank, control-rod drive shaft]

VI. CONCLUSION

As measures to reduce unavailability caused by the failure in the control system, backup systems for the main feedwater control system and the double holding mechanism by a stationary and movable gripper coil for CRDM-CS are developed.

These improvement measures are applied or are going to be applied to the plants under construction and the operating plant in co-operation with utilities and vendors. The plant unavailability is expected to be reduced significantly by applying the improvements.

As a method to screen out components whose failures will cause a plant shutdown, FMEA technique is used. Failure probabilities estimated by FTA are found to be very similar to ones calculated from operating records so these results are regarded as credible.

REFERENCES

1/ NUREG-0020 (NRC Operating Units Status Reports)
2/ Nuclear Power Experience (NPE)
3/ IEEE Standard-500 (IEEE Guide to the Collection and Presentation of Electric, Electronic, and Sensing Component Reliability Data for Nuclear Power Generating Stations)
4/ WASH-1400 (Reactor Safety Study, An Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants)
5/ MIL-HDBK-217C (Military Handbook: Reliability Prediction of Electronic Component)
6/ ANS-58.8 (Time Response Design Criteria for Safety-related Operator Actions)

EXPERIENCES IN THE DEVELOPMENT OF AN EMERGENCY RESPONSE FACILITY (ERF) SYSTEM FOR A NUCLEAR POWER PLANT

A. SEISDEDOS
Empresarios Agrupados, S.A., Madrid

M.A. SANCHEZ-FORNIE
Hidroelectrica Española, S.A., Madrid

Spain

Abstract

The TMI-2 accident gave rise to a series of new requirements with which Nuclear Power Plants must comply and amongst which the implementation of emergency response facilities, particularly the SPDS, has received special attention. This paper covers the experience and problems encountered in the developing of the engineering necessary for the detailed definition of the ERF in a Nuclear Power Plant in the commercial operation phase. Also, a real example is provided for the case of a plant in the last phase of construction and installation. This will serve to illustrate each of the topics covered.

INTRODUCTION

Perhaps one of the main concepts derived from the TMI accident five (5) years ago was the need to improve the conventional design of the power plant's control facilities. While the human engineering factors combined with an in-depth use of reliable electronics was experiencing success in some other areas like air transportation, the major part of the power plant's control was still under the inertia of the relay-based concept.

The long construction and installation cycle of a nuclear power plant is in fact making it worse. Ten years are more than enough to confirm the obsolescence of control equipment whose use was decided based on old and well proved experience. Moreover, the increasing regulatory process, both in view of the main objective for plant safety and in view of the requirement for additional auxiliary equipment and systems, ends within the relay-based concept of very large control rooms which may present obstacles for the objective of a clearer and easier operator function.

In an attempt to address the resolution of this compromise, some new requirements have been produced, especially in the United States. For construction, testing and operation of nuclear facilities, Spanish law requests compliance with the technical requirements imposed on other facilities of the same type, the so-called "reference plant". Our example, the Cofrentes Nuclear Power Plant owned by HIDROELECTRICA ESPAÑOLA, equipped with one boiling water reactor by General Electric, with 974 MWe, located in the Spanish province of Valencia, which will serve to illustrate the generic concepts to be addressed, has a U.S. reference plant and is therefore greatly affected by the development of the U.S. nuclear regulatory process.

One of the most important new requirements is the implementation of the Emergency Response Facilities.

As is already known, the main purpose of these facilities is to provide information, in a way which is easy to understand, on the state and development of the Plant and the evolution of the environmental conditions, in the event that they become abnormal or even accidental. Moreover, they must provide means to help control room personnel and to assess emergency actuation methods.

Several levels of compliance with the existing standards and guides should, of course, be requested depending on the different stages of construction-installation and operation.

It should be emphasized that, for the above-mentioned Cofrentes example, plant safety relies on the conventional panels while all the backfitting performed in the emergency response area is considered as auxiliary help, which follows the recommendations of the standards and guides.

This paper presents the criteria which, in our opinion, should be followed in order to design an Emergency Response Facility within a nuclear plant during the commercial operation phase. Even if, in Cofrentes, an ERF was designed and introduced in the very last stages of its installation, a major portion of the experience described hereinafter is applicable and, therefore, the example can be considered as valid.

The paper covers the topics of basic, detailed and interface design. Each of them will be commented on in the light of the Cofrentes example, with a brief description of the actual experience achieved.

I. BASIC DESIGN

The first step in the definition of basic engineering is called by us DEVELOPMENT OF AN "ERF" SYSTEM "conceptual design". It must contain the following points. FOR A NUCLEAR POWER PLANT 1.1 ESTABLISHMENT OF FUNCTIONS TO BE PROVIDED By THE SYSTEM

In order to aid the operators in emergency control of the Plant under accident conditions, the functions to be defined can vary from a selected few to a large quantity.

The variations depend on many factors such as the type of existing operator aids, the Plant construction status, available free space to locate the displays taking into account the human engineering factors, etc. The functions must be studied on a case-by-case basis in order to achieve the implementation of the system in a feasible and practical way, but in compliance with the spirit of the existing standards and guides.

The minimum functions to be included in the System are those related to the Safety Parameter Display System which aims to enhance operator capability to understand plant conditions and interact in situations that require human intervention. These functions will serve as a very important aid to control room personnel during abnormal conditions in determining the safety status of the plant and in assessing whether abnormal conditions require corrective operator action. Based on this idea, the minimum functions should be:

- Critical Plant Parameter Display, which is intended to display the minimum set of plant parameters in a single primary display format to quickly assess the safety status of the Plant.

- Emergency Response Guideline displays which provide Plant operators with the "symptoms" of the Plant condition for input and follow-up of procedures developed from the Emergency Response Guidelines and obtaining the required actions in response to observed symptoms for safe control and shutdown during an accident.

- Analog Trend Displays for showing the variations of variables versus time and one variable versus another with a time history for each displayed variable. Moreover, the two-dimensional limit set out in the Emergency Procedures (such as the Heat Capacity Limit Curve) will serve to assist operators and obviate the need to perform calculations to determine margins when the time may be at a premium.

With these basic functions, the system may also be designed for recalling additional data on secondary display formats (or second level displays), serving as an additional aid to control room personnel in following the evolution of either Critical Plant Parameters or in the performance of symptom-oriented emergency procedures. These second level displays may be presented by mimic and/or system status presentations with different access mechanisms.

In addition, and for the TSC, event reconstruction and analysis functions may be specified to be performed by display and plotting systems from which the user can obtain all the necessary transient data for that purpose.

In mid-1981, and after publication of the first guides (NUREG 696, Regulatory Guide 1.97, Rev. 2, etc.) and standards, we considered the need for including in our Cofrentes Plant a system which, combining the limitations imposed by the project status at that time with the available state of the art, would comply with the new requirements and also enhance aids for the operator and the overall operations control and management.

On slide number 1, you can see a general view of the main control room at Cofrentes. It was taken in February this year when preoperational testing was essentially completed. All of you are familiar with this absolutely conventional concept of the design. It is well proven, easily maintainable and even all our operators liked it, because all of them have spent quite a long time in similar rooms at the thermal units, and a person always likes things with which he is familiar. However, the addition of systems and controls to the original design in 197S made operator action more and more complex, thus imposing separation from the objective of keeping it simple. At that point, and again confirming that plant safety did not require it, we decided to provide the operator with such a considerable aid.

Besides a human engineering study, of which one of the results was the multicolour aspect on the front panel after a functional grouping, as you can see on slide number 2, it was decided to design and procure a new computer system that would provide:

- Responses to emergencies, including the above-described functions for SPDS and TSC

- Aids to control non-emergency but complex situations, including such functions as system process diagram displays, alarm monitoring, etc.

- Capability to be used as the main processor of the data to be analyzed during nuclear testing

- Capability to be expanded in the future to include some functions not needed at present, and even to relieve the old process computer of its present necessity

You can also observe on the upper half of the slide a result of the implementation of this system. The two CRT's above the main control panel, in the control rod area, will indicate the selected displays without distracting the operator's attention from the main panel instruments.

1.2 DETERMINATION OF NECESSARY INPUTS TO BE INTRODUCED INTO THE SYSTEM TO PROVIDE THE REQUIRED FUNCTIONS

The purpose of this task is to obtain a rough estimate of the number and type of signals which will be processed by the system. This will permit the specification of a modular data acquisition system.

A typical problem encountered in Plants in operation or nearing operation is to have an instrumentation design which was not intended to provide the inputs required by the system, as well as other problems such as cable tray saturation, available penetrations, and so on.

This involves the consideration of specifying a data acquisition system physically distributed so that the signal can be taken from the original points or areas for better and easier implementation.

Moreover, since most of the inputs required come from safety-related systems, and the computer system for Emergency Response Facilities is not safety-related, the data acquisition system must be qualified to guarantee that, under emergency conditions, the circuit from which the input is taken is not degraded.

The modularization of the data acquisition system is very important due to the increase which the preliminary assigned number of inputs will surely suffer. In Cofrentes, we started considering 900 signals and we now have around 1,700, taking into account both analog and digital signals. Of course, this meant that we had to modify the previous quantities of electronic modules ordered for the data acquisition system.

When we get to the detailed design, we will indicate the number of new instruments needed, as well as the problems found to actually get some signals from existing instruments without impairing their function.

1.3 PREPARATION OF THE PURCHASE SPECIFICATION

The next step is the preparation of Technical Specifications for purchasing different equipment items.

The most important Specification involved in ERF is related to the computer system required, which must include all the hardware and software necessary, in accordance with the conceptual design mentioned before. There are, of course, other Specifications, such as communication and power supply systems which must be provided.

The computer hardware for the ERF System must be a real-time system where fast response and resolution are very important characteristics to be accomplished in addition to the basic requirements of redundancy and availability.

Since the basic purpose of the system is to provide concise displays of plant parameters to aid the control room and Technical Support Center operators to rapidly and reliably determine the Safety Status of the plant, the CRT's display systems must be of high precision and resolution so that the information shown to the operator is clear, unambiguous and validated where possible.

After an in-depth analysis of existing standards, guides and studies related to the ERF, the system must be configured with the following peripherals:

- A minimum of two CRT display units in the Control Room for the SPDS purposes, each with their own associated operator's console

- Two or three CRT display units in the Technical Support Center, also with their individual operator's console. If there are three CRT's, two (2) of them will have the same functionability as two SPDS CRT's and the third would be used for specific functions assigned to the TSC.

If the Emergency Operations Facility (EOF) is implemented, two CRT display units should be specified for that facility in order to supply the same information as the Control Room related to Plant Safety status and meteorological and radiological information on the Plant area.

With regard to printers/plotters, hard-copies and similar devices, the quantities to be specified depend on the specific analysis and reconstruction event functions considered. At least one printer/plotter and one hard-copy per facility must be included, although two printers/plotters in the TSC could be considered.

In relation to the functions, the system must be specified according to the definition made in the conceptual design described before.

At the time of preparing the Cofrentes ERF specification, the number of CRT units was not so clear and the peripheral unit quantities were left to the advice of the bidder; of course, a minimum was indicated. Rather than tell you about that preliminary status, it would serve our purpose better to briefly describe the actual configuration of the system which was determined by an in-depth review and analysis with the selected bidder, General Electric Co.

[Figure: system block diagram showing analog and digital inputs, input modules and multiplexers.]

As may be seen, the signals go to analog and digital input modules which condition them before being sent to the multiplexers.

For every eight (8) analog or digital input modules, there is a multiplexer which multiplexes the signals before sending them to the formatters.

Each multiplexer has two output ports through which the same information is sent to the formatter of each computer. In this way, the information is input to each computer in a redundant manner.

The computer system is constituted by two DEC VAX 11/780 connected through DECnet communication lines.

Each computer has different functions assigned to it. One is called the TRA (Transient Recording and Analysis) and the other the RTAD (Real-Time Analysis and Display).

To support the functions assigned to each subsystem, and in addition to the various auxiliary memory elements, tapes, etc., the following peripherals are provided for the presentation and handling of information.

Control Room:

- Two black and white TV programmer terminals
- Four high resolution CRT's in colour with associated keyboards
- One Video Hard Copier with the possibility to function as a printer and hard-copy
- One Printer/Plotter

Technical Support Center:

- One B & W programmer terminal
- Two colour CRT's with associated keyboards
- One hard-copier identical to that in the Control Room

1.4 EQUIPMENT ARRANGEMENTS

Once the number of computer subsystem elements are defined, a compromise has to be made among requested space, distance to the control room and, of course, available space.

The arrangement of the data acquisition subsystem elements depends largely on its modularization and once this is decided, there should be no major problems. As the majority of the signals are normally taken from the control room, the provision of a number of cabinets is recommended to house the electronic DAS modules.

In Cofrentes, we had to modify the arrangement of the process computer CPU's and associated equipment so as to leave enough free space to accommodate the new elements. The result was a highly densified TSC, but located conveniently close to the main control room. We had no problems finding a place for the DAS cabinets inside the control room and a minor modification was made on the original process computer console to allocate an ERF console.

In the following slides (numbers 3, 4 and 5), you can see the actual Cofrentes TSC. A minimum amount of maintenance space has been left for the different equipment items and the main console is oriented to the technical staff meeting table.

Here (slide number 6) you have the console dedicated to emergency response information in the control room. Combined with the CRT's on the upper side of the main panel as we saw at the beginning, it represents a powerful instrument for aiding the operator. Alongside, you see the old process computer's CRT's which offer the normal functions of performance calculation, alarm monitoring, etc.

In the next slide (number 7), you can see the DAS cabinets arranged around the wall in the control room. This made their location easier, since there was not much spare space at the time it was decided to adopt the ERF. All internal maintenance can be performed from the front.

2. DETAILED DESIGN

2.1 INPUT LIST

The first step in the preparation of the input list consists of determining the signals which should be included in the system. Evidently, the necessity for a certain signal is directly related with the purpose for which it is intended and the function in which it will intervene.

Both for the functions mentioned previously and for others whose implementation is required, the standards relating to the subject may be taken as a basis, together with various complementary studies which exist (NSAC). However, the specific study for the Plant in question should be fundamentally used, since all the guidelines and standards cover only generally the signals to be sent to the ERF. In this sense, we could say that the spirit of the standard indicates, in addition to the SPDS functions, the advisability of supervising overall operation and availability of the various Plant systems and equipment as second level displays.

Once the study has been prepared determining the signals to be considered in the system, the way in which each of them will be obtained has to be analysed. Here, we have found different cases which in turn require different solutions and which we have attempted to synthesize as follows.

Firstly, the existence of an instrument or contact has to be verified at the point from which a signal is required. Here we have the first group of signals which requires a new instrument.

This group may have magnitudes, although normally small, for which the addition of new instruments, such as thermocouples or pressure elements, may be practically impossible due to the advanced status of construction or to the fact that the Plant is in operation. Conceptually identical measurements have to be found for which an instrument exists or, in the worst case, not include the signal in the system. A typical example of this first group of signals is that which is relative to digital signals coming from valves, whether manual or automatic, but for which there is no limit switch to permit monitoring of the position of the valve.

Secondly, for the signals we require and for which an instrument exists, the use they have and from where they may be obtained have to be determined. Thus, there will be a group of signals which may be taken directly from the reserves of existing instrumentation in the form of free output from the electronic cabinet circuits. If these free outputs are isolated from other possible uses, they may be taken directly or, otherwise, they will have to be isolated either in the cabinets themselves or in the ERF data acquisition system.

Next, a group of signals will have to be obtained which exist in the Plant for other uses and for which no available output exists to the ERF. A study will have to be made on this group of signals with regard to the possibility of duplicating the signal by adding electronic circuits.

This solution which, in theory, is the best and simplest, has the disadvantage of possible inability to add new circuits, since there may not be enough spare space and, also, the existing circuits would have to be internally rewired. Another possible solution would be to obtain signals from the voltage and in parallel with existing signals.

Safety-related signals will have to be isolated, whether or not there are free outputs either in the electronic cabinets or in the ERF data acquisition equipment.

Once the signals to be included in the ERF system and the means of obtaining each one have been determined, they must be listed in detail indicating all the characteristics associated to each one in order to generate the system data base.

In the generation of the data base, all the fields which allow full definition of both analog and digital signals must be considered.

One aspect of certain importance is to verify and ensure that the ranges of the different measurements are as required by applicable standards in order to obtain information with the intended range and precision.

In Cofrentes we had to include the following additional instruments:

- Three (3) pressure transmitters
- Fourteen (14) RTD's
- Thirty-four (34) thermocouples (only two of which were new; the rest were provided using the same thermowell and changing the existing single thermocouple into a double thermocouple)
- Forty (40) position limit switches

The above does not include the temporary instrumentation needed to collect data during nuclear and startup testing, principally accelerometers, lanyard potentiometers and strain gauges.

2.2 DEVELOPMENT AND IMPLEMENTATION OF FUNCTIONS

Given the specific characteristics of the Emergency Response System, the development and implementation of the different functions assigned thereto require an exhaustive knowledge of the intent of applicable standards with regard to the type of information to be presented in the various peripherals. Particular emphasis should be given to the design of the screen displays since these constitute the primary and primordial element in man-machine communication. The configuration of the displays should be carried out taking into consideration, amongst other factors, good human engineering principles.

The tasks associated with the implementation of functions basically consist of the definition and detailed development of each format in which information is presented, on both CRT's and printers. In the development process, the function characteristics, means of access and, above all, the relation with the inputs intervening in the function and the algorithms relating these inputs for the desired presentation, must be established in great detail for each of the functions planned.

All of the above should be documented with sufficient clarity and detail so that no possible confusion may arise.

In the case of Cofrentes, and mainly due to the very limited time schedule, we decided to adopt the functions and displays offered by the GE standard software. However, the ability to introduce additional function and, in short, to modify the software is being granted through an intensive training plan.

The present software is designed to easily accept the modification or addition of displays on an interactive mode.

2.3 INTERFACE DETAIL DESIGN

In addition to the ERF computerized system itself, there is a group of activities related therewith which are of vital importance for the full integration of the system in the Plant.

a. Provision of space or rearrangement of existing spare space to locate Technical Support Center equipment and service areas.

The implementation of the ERF will probably imply a study and, possibly, a new approach to other aspects, such as civil work, air conditioning, cable feedthroughs, etc.

All of this should be carried out with the idea of a practical and possible implementation in accordance with the spirit of the standards.

The arrangement of the ERF in Cofrentes has been commented before. At this point, it should be added that the previous design of ventilation and air conditioning ducting had to be modified to evacuate the heat load of the ERF computer equipment. Fortunately, the fans were designed with a sufficient conservative margin.

b. Wiring and Wire Running Design

As the major portion of the signals are within the control room, this part of the interface design receives great attention. Divisional separation and cable tray filling must be the main criterion in addition, of course, to protection against electromagnetic interference depending on the signal levels within the DAS. The use of fibre optic cable, which does not suffer this problem, also presents advantages in the very high data transmission capability.

In Cofrentes, the DAS is connected from the multiplexers to the computer via fibre optic cable. This demonstrated great advantages over coaxial cable, especially during the installation period and taking into account the DAS cabinets in other locations, at a distance from the control room. As fibre optics have only an average capability to withstand radiation levels, this required some peculiar wire running to avoid certain areas; however, the flexibility and size of the cable proved to be very useful in almost full cable trays and conduits and, in fact, for any application in plants in or nearing operation.

Slide number 8 shows the use of fibre optic cable connecting into the computer system formatters and coming from the multiplexers.

The use of trays in the cable spreading rooms above and below the control room presented no major problem and only a few cases required dedicated conduits which had not been provided previously.

c. Power Supplies

This is an area which requires the dedication of very special attention since it is obviously fundamental to overall ERF reliability. In the event that spare batteries are not available, the power consumption is large enough to require a major space allocation to house those necessary for the uninterruptible power supply (UPS). Special care should be taken in coordinating the self-protection of each piece of ERF equipment with the protection of the motor control center from which it is supplied, and with each of the UPS outputs.

In the case of Cofrentes, we have established a UPS with two (2) 35 KVA redundant trains and have had enough spare capability on the non-essential batteries.

d. Communications

Sufficient means of transmitting information between the TSC, EOF and the control room should be provided and, naturally, its functional capability demonstrated in several postulated accident situations.

CONCLUSION

In this paper, we have attempted to present a number of general considerations together with the experience obtained in implementing an ERF at Cofrentes Nuclear Power Plant in design and installation activities.

Certain recommendations and experiences have been indicated in various specific areas. However, the most important experience has not yet been mentioned.

The ERF is not a piece of equipment in the conventional sense, which is designed, installed and operated to perform a limited and specific function. It is, rather, an incredibly powerful instrument offering the functions originally requested and many more which may be decided at a later date. Its power stems from the fact that it is applying one of the most advanced technologies. Initially, it may be considered too large an investment to resolve a regulatory requirement; however, when increased use demonstrates its potential applicability, not only for the direct operational group at the plant but also, perhaps, for management and engineering staff at the central offices (since it is possible to install a connected console at a very great distance from the Plant), the assurance of a rapid pay-off will generally be accepted.

SEISMIC EVALUATION OF ELECTRICAL AND INSTRUMENTATION SYSTEMS. BACKFIT ACTIONS BEING CARRIED OUT AT TRINO VERCELLESE NUCLEAR POWER PLANT

M. TORLAI
Nucleare Italiana Reattori Avanzati S.p.A. (NIRA)
Genoa

A. AQUINO
Centro Termica e Nucleare,
Ente Nazionale per l'Energia Elettrica (ENEL),
Milan

Italy

Abstract

A special program has been set up for the seismic qualification of the electrical and instrumentation safety related systems at Trino Vercellese nuclear power plant. The intent of this paper is to describe the problems connected to the seismic qualification of operating plants and to present a viable and cost effective approach to the solution. An example of a practical application is included. It shows how the operability of the equipment following a seismic event can be demonstrated based on a similarity method.

1. INTRODUCTION

Trino Vercellese power plant, owned by ENEL (the Italian National Utility), is equipped with a Westinghouse 4-loop, 825 MWt PWR. The design of the plant goes back to the years right before 1960 and the plant went into commercial operation on January 1, 1965. Trino is therefore a nuclear power plant of the first generation, and for many aspects to be considered a prototype. For some years it was also the largest PWR in operation in the world.

Seismic loads were not considered in the original design of the plant. After ten years of commercial operation the plant design was reviewed and a report "on the plant condition and on the plant operation status" had to be submitted to ENEA (the Italian Licensing Authority).

At this stage ENEA requested ENEL to evaluate the capability of the plant to withstand the effects of a postulated seismic event.

For this purpose ENEL and NIRA (Nucleare Italiana Reattori Avanzati, Westinghouse NSSS licensee) set up a program with Westinghouse supervision that mainly consisted of the following steps:

- Identification of systems to be analyzed
- Definition of the evaluation methodology and acceptance criteria
- Plant walk-through and data collection
- Perform the analysis and evaluate the results
- Definition of necessary modifications including feasibility study
- Preliminary design of individual modifications

In addition to these activities ENEL, in collaboration with a civil consultant, performed the following tasks:

- Investigate the historical seismicity and the geological characteristics of the Trino site in order to define the reference SSE (Safe Shutdown Earthquake)
- Perform structural evaluation of the plant's buildings in order to define the structural modifications for seismic adequacy
- Develop the resulting ARS (Amplified Response Spectra) required for the subsequent systems and components analysis and evaluation.

2. SYSTEMS CONSIDERED FOR THE SEISMIC QUALIFICATION

The systems and components, which are essential to bring and maintain the plant in a cold safe shut down status, were analyzed.

This safety status was defined as the capability to maintain the following plant functions:

- core and reactor vessel internal structural integrity (control rod insertion and cooling geometry preservation)
- core subcriticality
- RCS pressure integrity
- core residual heat removal
- RCS pressure control and overpressure protection
- RCS water inventory
- safety related auxiliary cooling
- spent fuel pit integrity
- essential instrument air
- plant status monitoring
- power supply to safety related equipments.

The systems or parts thereof necessary to secure the above mentioned functions were analyzed.

The following is a list of the main systems:

- Reactor coolant (RCS pressure boundary)
- Charging and volume control
- Emergency core cooling (only lines that were not seismically qualified in previous programs)
- Decay heat removal
- Main steam, main feedwater, steam generator blowdown (lines to the isolation valves)
- Auxiliary feedwater
- Component cooling
- Neutron shield
- Spent fuel pit (piping connected to pit)
- Service and raw water
- Essential instrument air
- Containment spray
- Electrical power supply to the required systems and components
- Instrument and control (for support of the required systems)

For each of the above systems both piping and mechanical components (pumps, valves, tanks, heat-exchangers) with the associated supports were analyzed in order to evaluate the structural adequacy to sustain the seismic loads.

Particularly for the Reactor coolant system a 3-dimensional finite elements dynamic model was prepared including primary coolant piping and all primary components (reactor pressure vessel, steam generators, primary coolant pumps and pressurizer).

The result of the analysis, performed by a response spectrum technique, indicated that some modifications to the primary pumps and steam generators supports were required.

Very sophisticated analysis for the reactor pressure vessel was performed using a 3-D finite elements non-linear model including reactor pressure vessel itself, internals, core and control rod drive mechanism.

The non-linearity is a consequence of the existing gaps between RPV and internals and core.

A synthesized time history acceleration, derived from the response spectra at vessel supports location, was applied to the model simultaneously in 3 orthogonal directions.

The analysis demonstrated that the structural integrity of the RPV and reactor internals will be maintained following SSE.

Another main scope of this analysis was to prove the CRDS (Control Rod Drive System) operability.

The results of the evaluation successfully demonstrated that the control rods will perform their design function (insertion) during the SSE event.

3. ELECTRICAL AND INSTRUMENTATION SYSTEMS

3.1. Background

The current criteria and methods of compliance for new plants are contained in Revision 2 of Standard Review Plan Section 3.10, "Seismic and Dynamic Qualification of Mechanical and Electrical Equipment", and Regulatory Guide 1.100, "Seismic Qualification of Electric Equipment for Nuclear Power Plants", which, with some exceptions, basically endorses IEEE Standard Equipment for Nuclear Power Generating Stations.

Based on the requirements and recommendations from these current criteria and methods, equipment is seismically qualified today by analysis and/or laboratory test. Analysis alone is acceptable only if the necessary functional capability of the equipment is assured by its structural integrity. Otherwise, some testing is required. Seismic input motion to equipment is specified by required response spectra or by time histories.

When the test method is utilized, the equipment is mounted on a shake table and subjected to certain types of excitation corresponding to a test response spectrum which envelopes the required response spectra. The equipment should be tested in the operating condition. For equipment too large to fit on a shake table, a combined analysis and test procedure is adopted.

3.2. Approach description

It is recognized that it may not be practical to qualify operating plant equipment using current seismic qualification criteria and methods due to excessive plant down time, difficulties in shipping irradiated equipment to a test laboratory and in acquiring identical old vintage equipment for laboratory testing.

For the above reasons a special program has been set up for the seismic qualification of electrical and instrumentation systems based on the following approach:

a) Structural integrity evaluation: To demonstrate the capability of passive components to withstand the SSE effects and to make a first step towards the seismic qualification of active components.

b) Operability evaluation: Requested for active components only.

This approach is in accordance with the methodology used by U.S. Utilities involved in the same kind of activities.

The electrical and instrumentation safety related equipment and systems considered were:

- cable raceways (conduits and cable trays system)
- electrical and instrumentation cabinets and control boards
- pneumatic and motor operated valves.

Cable raceways are passive components for which only a structural integrity evaluation is required.

On the other hand cabinets, control boards and valves are active components and therefore an operability evaluation is required as well.

The usefulness of the structural analysis is limited by the fact that it does not give any indication about the operability of the component being analyzed.

Therefore to demonstrate the operability it would be necessary to subject the component to a test on a shaking table with all the problems already described.

In order to by-pass this problem, a method based on similarities has been developed; it will be described in para 5. This method can demonstrate both the structural integrity of the components and their operability.

The example given in para 6 will show the validity of the method based on similarity for what concerns the structural analysis.

4. STRUCTURAL INTEGRITY EVALUATION

The floor response spectra used for the structural evaluation were obtained with a dynamic analysis of the various buildings using a ground excitation according to Reg. Guide 1.60 (ZPA 0,1 g).

The structural evaluation of the mentioned items was carried out according to the following methodology:

1) Cable trays and conduits:
a. Plant walk-down for cable and runs identification.
b. Support, trays and conduit data collection.
c. Establishment of a set of criteria and requirements to be satisfied.
d. Static equivalent plus finite element model analysis.

2) Electrical and instrumentation cabinets and control boards
a. Equipment identification.
b. Establishment of a set of criteria and requirements to be satisfied.

2) Electrical and instrumentation cabinets and control boards

The main objective of the analysis was the evaluation of anchorages capability in order to avoid the sliding and overturning of cabinets containing safety related components. This is in accordance to what has been carried out by the U.S. utilities involved in the SEP (Systematic Evaluation Program).
A further objective of the analysis was to ensure proper c. Structural analysis including anchorages. anchorages for mobile parts or components (like drawers) 3) Pneumatic and motor operated valves in order to avoid damages to safety related equipment. a. Valves identification. The results showed the need for the following: b. Frequency determination. - New anchorages for almost every piece of equipment c. Body and actuator analysis. examined; d. Comparison with the allowable limits. - Some anchorages for the drawers of 2 MCC stacks; - New and stronger latches for equipment with doors, 1) Cable trays and conduits 3) Pneumatic and motor operated valves The criteria used for the cable trays evaluation consisted The scope of valve evaluation was comprised of more than in verifying that the SSE induced effects on the raceway one hundred valves in piping systems under consideration. system will not produce any fracture capable of compromi­ The valve qualification was performed by first grouping sing the cables electrical performances. similar type of valves to minimize the number of analyses. A static equivalent analysis has been developed and used Valves which are deemed to result in the representative as a calculation method for typical configurations and conservative estimate of stress conditions were previously grouped into homogeneous classes. analyzed. The remaining cases have been analyzed using finite I The seismic evaluation of valve assembly structural element models. I integrity included the natural frequency determination and A "spacing table" methodology was applied to the :ondu't the stress evaluation of critical valve sections. Critical system. sections/locations considered In this analysis were the 7% of critical damping was used in the analysis. yoke frame section located at approximately yoke/bonnet This value, in accordance with many tests conducted in interface and the bonnet. U.S. 
laboratories (1), (2), is considered very conservati­ ve due to the damping effects associated to the friction The yoke/bonnet bolts were also evaluated for seismic dissipation among the cables. loads. The calculated stresses compared with the allowable limits The results of the above evaluation were: of ASHE Sect. Ill showed all the valves to be seiswically - conduit system: a check of the existing supports has acceptable. been done based on the spacing tables obtained from the analysis. 5. OPERABILITY EVALUATION - cable trays system: no modifications are required for As mentioned before, the current criteria applicable to new trays and few improvements are necessary for supports. plants require some laboratory tests to demonstrate the The results were found in accordance with data collected capability of the safety related equipment to perform their in U.S. fossil power plants that experienced actual functions. earthquakes (3) even stronger than the Trino postulated Due to the absence of specific criteria for operating plants a SSE. pratical and cost effective approach has been developed by the Some typical configurations are presented in figure 1. SQUG (Seismic Qualification Utilities Croup). The Seismic Qualification Utility Group, consisting of 18 no further analysis besides the studies conducted for the utilities, was formed in September, 1981 to develop an structural integrity evaluation: alternative for resolving the seismic qualification issue (•). some bounding spectra obtained from actual strong earth­ Utilities believed at the outset that equipment used in nuclear quakes experienced worldwide are to be compared with the and fossil power plants is designee* and installed to meet postulated response spectra of the equipment under rugged service conditions and, as such, is inherently capable consideration; of surviving seismic events. 
other recommendations must be followed to demonstrate the Early after the formation of the SQUG, a pilot program was equipment operability. conducted to establish the similarity of equipment at nuclear power plants with equipment at other commercial facilities, and then to collect and evaluate* data on that equipment performance at selected commercial facilities after having experienced 6. APPLICATION EXAMPLE substantial earthquakes. The following is to show how the two methods were used for the The Group's seismic consultant Earthquake Engineering (EQE, seismic qualification of two MCC cabinets and compare the Inc.) performed walkdowns of selected nuclear plants as well as results. commercial generating facilities and substations, and from the The equipment considered (fig. 2) is located in the spreading results the Group selected seven categories of equipment for room area in the auxiliary building at mt 138,80 elevation, 4 further study and evaluation. The equipment for the pilot meters above grade. program included: MCC identification Motor Control Centers TAG NUMBER: MCC-1B2E-1A, MCC-12B2E-1A Low Voltage Switchgear (up to 480 V) MODEL: MULTITROL Metal Clad Switchgear (2 to 4 Kv) MANUFACTURER: MAGRINI - ITALY Motor Operated Valves VOLTAGE: 380 V A.C. 3 ph. - Air Operated Valves VINTAGE: 1970 - Horizontal Pumps Vertical Pumps In May of 1983, a Senior Seismic Review and Advisory Panel (SSRAP) was formed consisting of experts in seismic matters and 6.1. Analytical evaluation selected jointly by the NRC and the SQUG. This pear panel met A finite element model of the structure was developed in order several times in the course of its review of the utilities' to reach the following results: data and evaluations, and met with representatives of manu­ cabinets first natural frequency determination to comply factures as well as other industry groups (such as the AIF). 
with SSRAP's criteria At its recent meeting on December IS, 1983 with NRC and the compare the conclusions of the analysis with the results utility representatives, the SSRAP documented its findings and obtained from the application of the method suggested by established some criteria applicable to operating equipment. SQUG. The SSRAP report (4), now endorsed by NRC, agreed that when the equipment is properly anchored and with certain other caveats, Figure 3 shows the structural assembly of one MCC stack and it has inherent seismic ruggedness and a demonstrated capabili­ figure 4 the finite element model used to perform the analysis. ty to withstand substantial seismic events without damage; The results of the analysis were: hence, further seismic qualification is not necessary. Natural frequency: 23 Hz The verification of the seismic adequacy of the seven classes All of the structural components of the model showed a of equipment at the nuclear power plant according to the stress within the allowable limits. recommeniations expressed by SSRAP is quite simple and requires However it has been necessary to design a proper anchorage since the equipment was just resting on the floor. (*) ENEL is a member of SQUG and NTRA partecipates at SQUG Meetings. Evaluation with the alternative method 6.3. Conclusion

The evaluation of the seismic adequacy of MCC according to the We have shown that thu analytical and the alternative method criteria given by the SSRAP report requires the following proposed by SQUG lead to the same conclusion for what concerns activities: the structural analysis of the components. Compare the actual horizontal floor response spectrum with Moreover the SQUQ method la capable of demonstrating the the recommended bounding spectrum for that equipment operability of active components following a seismic event. The actual spectrum at the equipment base must be less We can therefore conclude that the method proposed by the SQUG than the bounding spectrum at and above the equipment is a viable approach to the seismic qualification of operating natural frequency. plants. Fig. 5 shows how this requirement is largely satisfied. Note that th> actual floor response spectrum damping value is 4% of critical damping. This is more conservative than the b% damping required by REFERENCES the SSRAP method. (1) Seismic testing of electric cable support systems,by Paul Provide the adequate anchorage of the cabinet Koss - Bechtel Power Corporation. As mentioned before a new anchorage has been designed for the cabinets. (2) Shaking table testing for seismic evaluation of electrical raceway systems. - The maximum cutout dimension for cabinet sheating must be URS/John A.Blume 4 Associates, Engineers. 6" wide x 13" high As shown in figure 2 this requirement is widely satisfied. (3) Program for the development of an alternative approach to The externally mounted equipment weight must be less than seismic equipment qualification 100 lb i by P.Vanev, S.Swan - EQE inc. None of the above equipment are present on the cabinets. 
I (4) Use of past earthquake experience data to show seismic - All internal sub-assembly must be securely attached to the ruggedness of certain classes of equipment in nuclear cabinets wich contain them Based on engineering Judgement the MCC'a drawers were power plants. Senior Seismic Review e Advisory Panel (SSRAP). found not properly anchored against horizontal seismic loads. Some flat bars were designed to avoid sliding of the drawers during the seismic event. For maintenance purposes the flat bars can be removed.

- Adjacent assemblies (cabinets) must be structurally interconnected This requirement is also satisfied. Since the requirements established in the SSRAP report were satisfied we can conclude that: The equipment has an inherent seismic ruggedness and has a demonstrated capability to withstand substan­ tial seismic motion without structural damage. The functionality after a strong shaking has also been demonstrated. J ul

[Plot: BOUNDING SPECTRUM and ACTUAL SPECTRUM versus FREQUENCY (HZ)]

FIG. 5.
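The screening steps listed under "Evaluation with the alternative method" can be expressed as a checklist evaluation; the following Python sketch is an added example, not code from the paper, SQUG or SSRAP. The spectrum ordinates and the cutout size are constructed sample values (the paper shows the spectra only as Fig. 5), and all function and field names are hypothetical; only the 23 Hz natural frequency, the 6" x 13" cutout limit and the 100 lb limit come from the text.

```python
from bisect import bisect_left
from dataclasses import dataclass, replace


def interp(spectrum, f):
    """Linear interpolation in a spectrum given as sorted (freq_hz, accel_g) pairs."""
    freqs = [p[0] for p in spectrum]
    if f <= freqs[0]:
        return spectrum[0][1]
    if f >= freqs[-1]:
        return spectrum[-1][1]
    i = bisect_left(freqs, f)
    (f0, a0), (f1, a1) = spectrum[i - 1], spectrum[i]
    return a0 + (a1 - a0) * (f - f0) / (f1 - f0)


def worst_margin(actual, bounding, natural_freq_hz):
    """Smallest (bounding - actual) at and above the natural frequency.

    Both curves are piecewise linear, so the minimum difference lies at a
    breakpoint of either curve or at the natural frequency itself.
    """
    f_top = min(actual[-1][0], bounding[-1][0])
    points = {natural_freq_hz}
    points |= {f for f, _ in actual + bounding if natural_freq_hz <= f <= f_top}
    return min(interp(bounding, f) - interp(actual, f) for f in points)


@dataclass
class Cabinet:
    tag: str
    natural_freq_hz: float
    anchored: bool
    largest_cutout_in: tuple       # (width, height) in inches
    external_weight_lb: float      # externally mounted equipment
    internals_secured: bool        # drawers and sub-assemblies restrained
    interconnected: bool           # tied to adjacent cabinets


def screen(cab, actual, bounding):
    """Return the list of screening criteria the cabinet does not meet."""
    failed = []
    if worst_margin(actual, bounding, cab.natural_freq_hz) <= 0:
        failed.append("spectrum")
    if not cab.anchored:
        failed.append("anchorage")
    width, height = cab.largest_cutout_in
    if width > 6 or height > 13:
        failed.append("cutout")
    if cab.external_weight_lb >= 100:
        failed.append("external weight")
    if not cab.internals_secured:
        failed.append("internal sub-assemblies")
    if not cab.interconnected:
        failed.append("interconnection")
    return failed


# Constructed sample spectra (freq Hz, acceleration g); not read from Fig. 5.
BOUNDING = [(2, 0.6), (4, 1.2), (8, 1.2), (16, 0.8), (33, 0.5)]
ACTUAL = [(2, 0.2), (4, 0.45), (8, 0.45), (16, 0.3), (33, 0.21)]
# Constructed variant that exceeds the bounding spectrum only near 4 Hz.
ACTUAL_LOW_PEAK = [(2, 0.9), (4, 1.5), (8, 0.45), (16, 0.3), (33, 0.21)]

# MCC as found: resting on the floor, drawers not restrained.
AS_FOUND = Cabinet("MCC-1B2E-1A", 23.0, False, (4, 10), 0.0, False, True)
# Same cabinet after the new anchorage and the drawer flat bars.
BACKFITTED = replace(AS_FOUND, anchored=True, internals_secured=True)

if __name__ == "__main__":
    print("as found  :", screen(AS_FOUND, ACTUAL, BOUNDING))
    print("backfitted:", screen(BACKFITTED, ACTUAL, BOUNDING))
```

Because the comparison applies only at and above the natural frequency, the low-frequency exceedance in `ACTUAL_LOW_PEAK` does not fail a 23 Hz cabinet but would fail one with a 3 Hz natural frequency.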

SI 62 REVIEW OF INSTRUMENTATION AND CONTROL SYSTEM BACKFITTING IN LOVIISA NUCLEAR POWER STATION IN FINLAND

I. EKMAN Imatran VoimaOy, Helsinki, Finland

Session 2 Abstract

Loviisa nuclear power station consists of two 440 MWe IMPROVEMENT OF RELIABILITY OF C&I SYSTEMS (cont'd) PWR units. Loviisa 1, the first nuclear power plant in Finland, started commercial operation in 1977 and Loviisa 2 in 1981. In general the instrumentation and Chairman control systems of the plant have performed well and the general design solutions have been satisfactory. In spite of this after the start-up of the plant a J. FURET lot of backfitting work of instrumentation and control systems has been carried out. Major contribution of the backfitting work is due to the fact that safety requirements become stricter as new technological innovations find application and as lessons are learnt from experience with operating plants.

Especially the lessons learnt from TMI-2 have influenced Loviisa instrumentation and control system i backfitting. Only a minor part of the backfitting work has been the changing of components that have turned out to be unrealiable or correcting design deficiencies. The paper gives an overview of the backfitting work of the instrumentation and control systems of Loviisa plant and some examples of adopted solutions are described in more detail. New measurements for accident monitoring are described. A description is given concerning changes that have been made or that are planned to the plant protection system. The environmental qualification of safety celated equipment located inside containment has been assessed. Work in the field of man-machine communication is discussed. On-line surveillance system of plant main components is described. I 2 INTRODUCTION POST ACCIDENT MONITORING Loviisa is a twin-unit nuclear power station located After the TMI-accldent special attention was focused on the southern coast of Finland. Lovilsa 1, the to post accident monitoring capabilities in nuclear first nuclear power plant in Finland, started power plants. Among the lessons learnt from the commercial operation in 1977 and Loviisa 2 in 1981. accident was that more and better information should Each unit has a capacity of 440 MWe and a Soviet-made be provided to the operators during and following an reactor of the type WER 440 and two Soviet-made accident in order to come to right conclusions. It turbines. The owner of the plant, Imatran Voima Oy was also noticed that many important measurements (IVO), participated actively in the planning and where out of scale during the accident. The USNRC construction of the plants and it was responsible issued fairly soon after the accident a new revision a.o. instrumentation and control (I k C) engineering. 
of Regulatory Guide 1.97 "Inst umentation for Light- The major part of the instrumentation and control Water-Cooled Nuclear Power Plants to Assess Plant and systems of the plants where supplied from western Environs Conditions During and Following an Accident. countries, mainly from Germany (FRG). This guide introduced new specific requirements on post accident monitoring instrumentation. An Both units have performed well as the load factors assessment was made how the uxisting instrumentation of 1983 90 % and 86 % show. In general also the of Loviisa plant fulfilled these new requirements. As instrumentation and control systems of the plant have a result new measurements with extended ranges have performed well and the general design solutions have been and will be added to the plant. been satisfactory in regard both to economy and to safety. The safety solutions represented well the As an example the existing containment pressure state of art of the day. measurements were supplemented with two redundant wide range measurement channels with the range In spite of this after the start-up of the plant a extending four times the design overpressure of the lot of backfitting work of instrumentation and containment. control systems has been carried out. This work employs roughly 5 persons in our I & C engineering It was also noticed that the requirements for the office. Major contribution of the backfitting work is range and redundancy of containment floor and sump due to the fact that safety requirements become water level measurements were not met. Two redundant stricter as new technological innovations find capacitive level measurements were Installed. application and as lessons are learnt from experience with operating plants. The requirements for the ranges of radiation monitoring equipment where much stricter than the Especially the lessons learnt from TMI-2 have practice of the day. To meet these new requirements influenced Loviisa I & C system backfitting. 
Only a the plant radiation monitoring system was minor part of the backfitting work has been the supplemented with a.o. the following extended range changing of components that have turned out to be measurements unreliable or correcting design deficiences. Containment radiation was measured up to In this presentation an overview is given of the 300 R/h. Two new monitors for each units backfitting work of the instrumentation and control were installed with range 1-10 R/h. systems of Loviisa plants and some examples of adopted solutions are described in more detail. The The noble gas activity of the plant vent following themes are discussed stack was measured up to 1 Ci/m . A new monitor for each unit was installed post accident monitoring extending the range up to lu Ci/m . protection system modifications environmental qualification After TMI the possibility of a hydrogen explosion control room and man machine communication that could break the containment became an issue. In on-line surveillance system for plant main the case of Loviisa it was given as a new design tt components. basis that 75 % of the zirconium in the reactor would react with water forming hydrogen. The hydrogen In this display operators can with a pushbutton behaviour in the containment was studied with select also other parameters e.g. each individual hot computer codes, and as a result of thes? studies it leg temperature etc. The displays are shown in figure was decided that a hydrogen burning system using 2. As to the core exit temperatures the maximum glow-plugs in the containment is implemented and that absolute value of the 24 channels is continuously the existing removable hydrogen monitoring system shown in the control room panel. Furthermore there is shall be replaced by a new fixed one with range up to a selection display where a selected channel or 10 %. The system chosen for this task uses so called average value can be monitored. 
The saturation margin diffusion probes which are located within is also calculated for the maximum core exit containment. The measuring principle of the diffusion temperature and when it is zero an alarm is given probes is catalytic burning of hydrogen in a detector indicating that boiling occurs in the reactor and chamber whose temperature is measured with a when it shows superheating another alarm is given. resistance sensor. This resistance is measured using This alarm is an indication of coolant level reaching compensation resistance sensor in an inactive chamber the of the coce. The saturation margin derived with a Wheatstone bridge connection. The electronics from coce exit temperature is also shown in the of the system for signal conditioning ace located in selection display.The system provides also othec electronics rooms outside containment. alarms and features like a possibility to manually disregard certain input values. During the TMI-event, in spite of many indications, operators were unaware of the actual cooling In addition to the system described above the conditions of the reactor coce. This has put emphasis saturation margin will also be calculated by the on providing improved monitoring instrumentation to process computer of the plant using the same give a clear indication of inadequate core cooling measurements as inputs. The values are displayed on conditions to the operators. In this area it was the CRTs of the process computer. decided that for Loviisa plant a system for saturation margin and, core exit temperature The saturation margin monitoring system is vecy monitoring will be implemented and installed in the useful in the early stage of an accident but in a two next revisions of the units. phase stage reactor vessel liquid level indication would be helpful for the operators to be well aware The system calculates the saturation margin using of the situation. 
As mentioned above the core exit reactor coolant system pressure and hot leg temperature superheat alarm would give information of temperature as inputs and it monitors core exit the level at one elevation. We have been assessing temperature in 24 points. The range for saturation different possibilities lu measure the level. The margin is from 100*C subcooling to 20*C superheat heated junction thermocouple level sensors have been and the range for core exit temperature extends to under a closer look and turned out to be feasible. 12S0'C. However no decision of installing any reactor vessel level measurement system has yet been made. Figure 1 shows schematically the principle of the system. The existing reactor coolant pressure measurements (4 redundant + 1 narrow scale,) hot leg 3 temperature measurements (one in each loop) and core PROCTECTION SVSTEH MODIFICATIONS exit thermocouples (24 out of 210) are used as inputs to the system. These inputs are led to a calculation unit which converts the input signals into digital In Loviisa plant there are two systems for reactor form and processes the signals digitally. The system protection calculates from the pressure input the corresponding saturation temperature and compares it with the Reactor trip actuation system delivered by measured hot leg temperature. The difference is the Soviet reactor supplier. continuously shown in the control room panel. The system also calculates the corresponding saturation Engineered safety features actuation system pressure from the hot leg temperatures, compares it which is of German (FRG) origin. with measured pressure and the difference is shown in The reactor trip actuation system consists of two another display in the control room panel. channels each employing three measurements per parameter with two out of three selection. The logic injection pumps or opening of pressurizer safety is implemented with relay techniques with fail-safe valves and their being stuck open. 
To decrease the characteristics. After some modifications in the probability of such rapid cooidown transients some power supply of the system and after changing some modifications to the protection systems have been components that turned out to be unreliable the planned, but the decision whether they are equipment has performed satisfactorily. implemented has not yet been made. The engineered safety features actuation system To diminish the cooldown by the four redundant hlgn consists of four redundant channels with 2 out of 4 pressure safety Injection pumps it has been suggested selection logic for measurements. The logic is that a change-over automatic feature Is made tw the implemented with so called dynamic pulse logic protection system. In the existing system all the techniques. The equipment has performed well. pumps are started when safety injection signal is initiated. According to the proposed scheme only 2 The redundant channels of the system are separated pumps will start and each pump has a spare pump in physically and electrically to diminish the stand-by and the latter are started if the former probability of common mode failures. The effects of pumps fail in their safety function (if the pumps fires in different locations in the plant have been don't start, if they stop or if the line is not reviewed and as a result of these assessments fire open). barriers between redundant channels have been strengthened. In the case of steam line breaks the existing protection system closes the steam line isolation The TMI-event has influenced also the protection valves and thus isolates the leak when the steam systems of Loviisa plant. Some of the process collector pressure decreasing rate is high or whan criteria for actuating protection functions were the pressure difference between steam collector and modified. For example the high pressure safety steam generator is high. 
These signals operate only injection was formerly actuated only on low when the steam line breaks are very large. Their pressurizer level. In a situation like at THI wheu safety function is in large st«am line breaks to the coolant leaked through the pressuriier relief prevent excessive cooling of the reactor coolant in line this signal would not work. A new signal for order to avoid uncontrolled reactor criticality. A high pressure safety injection was added to the new protection signal has been proposed for steam system. Now the high pressure safety injection is line isolation to protect the reactor pressure vessel also actuated when reactor coolant system pressure against thermal shocks in the case of intermediate decreases below a preset limit. The signal can be size leak in the steam lines. The proposed signal manually bypassed when steam line pressure is below is: "Low steam collector pressure" AND "Keactor a preset limit. coolant pressure higher than a present limit" AND "Low pressurizer level". If there is a leak in the A minor TMI induced modification was the lowering of steam line the steam collector pressure drops which the set point of reactor trip on high reactor coolant accounts the first part of the signal. For start-up pressure to get a larger margin for pressurizer and shut-down this signal is inhibited by the latter safety valve operation. two, the last one indicating abnormal cooling. As one result of an analysis concerning certain An example of a cooldown transient is the case when feedwater line breaks a reactor trip signal actuated turbine operates on higher power than the power on low steam generator level was added. generated in the reactor. This was studied after an event in Loviisa where control rods dropped into the Recently extensive analysis work has been carried out core because of a power supply failure without any concerning pressurized thermal shock on the reactor trip signal. 
In this case the turbines would not have pressure vessel and the reactor coolant system tripped automatically early enough. Fortunately the pressure boundary. Rapid cooldown of the reactor operator tripped the turbines almost instantaneously. coolant system has a strong impact on the strenght of To cope with this situation automatically a new the steel that has become brittle due to radiation. signal for turbine power limitation and turbine trip The rapid cooldown may be caused e.g. by leaks in the is planned which is actuated when pressurizer level, secondary side, by operation of high pressure safety which is an indirect indication of reactor power, deviates excessively from a reference signal formed result of tests simulating hydrogen burning in the 66 the from turbine power. containment junction boxes made of polycarbonate have been replaced by cable splices with shrink sleeve in When analyzing the capabilities of proposed new such locations where, according to the containment protection signals like the ones mentioned above the hydrogen analyses, the environmental conditions are full-scale training simulator has turned out to be a worst during hydrogen fires. valuable tool. The qualification for LOCA environment ( + hydrogen A problem related to protection and safety systems is fire) is not an easy task and a lot of work remains a tendency of certain valves that their torque switch to be done in this field all over the world and in signal will appear momentarily when the valve Loviisa, too. This is why we are very satisfied with actuator recieves an "open" signal. This torque the solution adopted during Loviisa plant design that switch signal prevents the opening of the valve. When all pressure and differential pressure transmitters collecting failure data in the plant it was noticed are located outside containment. 
that about half of all safety related failures in the plant mechanical components were these stuck valve failures. These failures were typically found during periodical tests of safety and protection systems. After thorough studies one of the solutions to the problem was the following.

When the valve is at closed position the travel switch signal "closed" is on and stays on when opening the valve until the valve stem has moved over the switch set point. It was decided that the open-direction torque switch signal is bypassed when the "closed" travel switch signal is on and the bypass is removed when the "closed" travel switch signal disappears. This logic was easily implemented by adding one or two diodes in the valve actuator terminal box. This modification has been done to those valves that have caused most trouble in this respect. The number of stuck valve failures in the plant has decreased and this solution has had a significant contribution to this decrease.

4 ENVIRONMENTAL QUALIFICATION

When the instrumentation and control equipment were specified and purchased for Loviisa plant the environmental qualification of equipment for accident conditions was not well established. After TMI also this subject has been reviewed. The I & C equipment located inside containment which are needed during and following an accident were identified and their environmental endurance has been assessed. A lot of tests have been carried out. As a result of these studies some equipment has been or will be replaced. For example part of the control cabling has been replaced by cables with Flamtrol insulation. As a

The measurement pipes penetrate the containment and they are equipped with check valves which eliminate leaks outside containment.

5 CONTROL ROOM AND MAN-MACHINE COMMUNICATION

The main control room lay-out is shown in figure 3. The most important controls and indicators are located in the control console as well as the CRTs of the process computers. Also the panels contain control push-buttons and indicators. The CRTs of the computer show alarm print-outs, process diagrams, trend curves etc. and they have a dominant role in plant supervision. In the panels and partly in the console the controls and indicators are located within mimic diagrams.

The main control room of Loviisa has turned out to be very satisfactory from the human factors point of view. Hence very little backfitting work has been done in this field.

One of the most essential problems in the field of man-machine communication is that at big disturbances too much and needless process information, especially alarms, is presented to the operators so that it is hard to utilize the essential information. As an R & D project IVO has examined a method of suppressing unnecessary alarms. The method adopted is cause-consequence analysis of alarms based on typical plant transients which have occurred in Loviisa plant. Alarm logic was designed for those case transients and validated by the full-scale training simulator of the Loviisa plant. The method used is quite simple compared with e.g. examination of all alarm messages existing in the alarm system. The very promising results indicate that even more than a half of all alarms occurring at big process transients can be suppressed from display without losing any necessary process information. An example of the results is shown in figure 4. As a result of the experiments this type of alarm logic has been designed into the Loviisa process computer but not yet implemented.

A major backfitting work in the future will be the replacement of the process computer. Although the current computer has performed well this must be done because the equipment technology is obsolete and difficulties to get spare parts are foreseen. This project is now in a preplanning stage.

6 ON-LINE SURVEILLANCE SYSTEM OF PLANT MAIN COMPONENTS

The fast development of microelectronics has made it possible to construct systems by which the condition of power plant components can be surveyed on-line. The decrease of the prices of such systems on one hand and the increase in size of the power plant components on the other hand is leading to a situation that the system will pay back its price if a single failure of the components or a needless outage can be prevented.

Also the safety of the plant is enhanced by surveillance systems especially in the case of primary circuit vibration and loose parts monitoring. For these reasons after the start-up of Loviisa 1 systems for main component surveillance were installed evolving into a surveillance system of today which is shown in figure 5.

The surveillance system can be divided into two operational levels. On the first level the so called primary systems continuously measure the vibrations of the plant main components, i.e. turbines, primary coolant pumps (PCPs) and the primary coolant system, and warn immediately if the vibrations exceed the preset levels. The primary systems are analog measurement devices and capable only of very limited signal processing.

The second level consists of a computer-based analyzing system connected to the primary systems and also to some process measurements through a 2/32-channel multiplexer. The heart of the analyzing system consists of a PDP 11/35 computer and a two-channel measurement unit with analog-to-digital converters. The analyzing system is capable of carrying out sophisticated spectral and statistical analyses of the measurement signals.

The main surveillance methods used by the system are

- noise measurements
- measurements of mechanical vibrations
- impact measurements.

By the noise measurements process variables (neutron flux, temperatures, pressures) are measured in frequency range 1 mHz to 100 Hz. For example reactor core pendulum movement can be monitored by measuring the noise of out-core neutron flux signals.

Mechanical vibrations are measured in frequency range 10 Hz - 10 kHz in order to survey the condition of the turbines and primary coolant pumps.

Impact measurements are used for detecting loose particles in the primary circuit. The monitoring system uses the resonant frequency of the accelerometers (28 kHz).

7 CONCLUSIONS

In the case of Loviisa nuclear power station we have learnt that the work in the I&C engineering office is not finished when a nuclear power plant is started. In order to keep up with the evolving requirements for nuclear safety and technological innovations a lot of backfitting work must be done continuously. In this work the Finnish safety authorities have played an important role in pushing us to work hard for enhancing the safety of the plant. The backfitting work of Loviisa plant has by no means been unbeneficial. It has enhanced the safety and economy of the plant and it has given us valuable experience to tackle instrumentation and control systems also at future power plants.

Fig. 3 Layout of Loviisa main control room (labels: panels for the primary circuit and the secondary circuit, operators' desk, shift supervisor, safety system panels, disturbance annunciation and alarms)

[Figure 2 panel titles: Saturation margin monitoring; Core exit temperature monitoring. Instrument labels: SATURATION MARGIN; CORE EXIT T °C; SELECTION DISPLAY 1; SELECTION DISPLAY 2.]
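The torque-switch bypass described in the stuck-valve passage of the Loviisa paper above trades protection for availability only while the "closed" travel switch signal is on, and that can be checked against stroke data. The Python sketch below is an added example, not code or data from the paper or the plant; the 5 % travel-switch set point, the three stroke profiles and all names are constructed assumptions.

```python
from dataclasses import dataclass

# Assumed value: stem travel (% of full stroke) up to which the "closed"
# travel switch signal stays on. The paper gives no figure for the set point.
CLOSED_SWITCH_SETPOINT_PCT = 5.0
# Torque is expressed in % of the open-direction torque switch setting,
# so the torque switch operates at 100.
TORQUE_SWITCH_PCT = 100.0


@dataclass
class StrokeResult:
    outcome: str                 # "OPEN", "TRIPPED" or "STALLED"
    travel_pct: float            # stem position where the stroke ended
    peak_bypassed_torque: float  # highest torque applied while the switch was bypassed


def open_stroke(profile, bypass_fitted):
    """Evaluate one opening stroke.

    profile: (travel_pct, torque_pct) samples in time order.
    bypass_fitted: True for the modified logic, False for the original logic.
    """
    peak_bypassed = 0.0
    for travel, torque in profile:
        closed_signal = travel <= CLOSED_SWITCH_SETPOINT_PCT
        torque_signal = torque >= TORQUE_SWITCH_PCT
        # Modified logic: the torque switch is ignored while "closed" is on.
        bypassed = bypass_fitted and closed_signal
        if bypassed:
            peak_bypassed = max(peak_bypassed, torque)
        if torque_signal and not bypassed:
            return StrokeResult("TRIPPED", travel, peak_bypassed)
    final_travel = profile[-1][0]
    # No trip occurred: the valve either reached the open end or never got there.
    outcome = "OPEN" if final_travel >= 100 else "STALLED"
    return StrokeResult(outcome, final_travel, peak_bypassed)


# Constructed stroke profiles: (travel %, torque % of the switch setting).
STICKY_SEAT = [(0, 135), (2, 120), (4, 70), (6, 45), (50, 40), (100, 40)]
MID_STROKE_OBSTRUCTION = [(0, 60), (4, 45), (6, 40), (50, 125), (100, 40)]
SEIZED_ON_SEAT = [(0, 140), (0, 140), (0, 140)]  # stem never leaves the seat


def compare(profile):
    """Return (original logic result, modified logic result) for one profile."""
    return open_stroke(profile, False), open_stroke(profile, True)


if __name__ == "__main__":
    for name, profile in (("sticky seat", STICKY_SEAT),
                          ("mid-stroke obstruction", MID_STROKE_OBSTRUCTION),
                          ("seized on seat", SEIZED_ON_SEAT)):
        original, modified = compare(profile)
        print(f"{name}: original={original} modified={modified}")
```

The seized-on-seat case shows what a review of such a bypass has to cover: while the "closed" signal never clears, the torque switch never acts, so the peak bypassed torque is the figure to compare with the actuator and stem ratings.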

FIGURE 2 Saturation margin and core exit temperature monitoring. Control room display instruments.

Labels in the figure: Saturation margin < 0; Saturation margin < MIN; Core exit T superheat; Core exit T saturation.

Key to the figure:
1 Information windows showing which variable is displayed in selection display or which channel is switched off
2 Display selection
3 Channel switch off
4 Permanent display showing one variable
5 Selectable display showing the selected variable

[Figure 4 plot labels: LIGHT ALARM SUPPRESSION; HEAVY ALARM SUPPRESSION; Alarms; 1. priority; 2. priority; time/min.]

[Figure 5 block labels: NPS LOVIISA 1; NPS LOVIISA 2; POWER PLANT PROCESS AND NORMAL INSTRUMENTATION; ON-LINE SURVEILLANCE SYSTEM; PRIMARY MONITORING SYSTEMS; ANALYSING SYSTEM.]

Figure 4 Average alarm accumulation in the simulator runs of a large transient. The ruled areas indicate the number of active alarms.

Figure 5 Schematic diagram of the surveillance system

BACKFITTING OF THE NUCLEAR PLANT V1 POWER CONTROL SYSTEM

C. KARPETA, J. RUBEK, P. STIRSKY
Power Research Institute (EGÚ), Prague, Běchovice, Czechoslovakia

Abstract

The paper deals with some aspects of implementation of modifications into the Czechoslovak nuclear plant V1 control system as called for on the basis of experience gained during the first period of the plant operation. Brief description of the plant power control system and its main functions is given. Some deficiencies in the system performance during abnormal conditions are outlined and measures taken to overcome them are presented.

1. INTRODUCTION

In the field of nuclear energy Czechoslovakia has embarked on construction of plants equipped with Soviet pressurized water reactors of the VVER type. Design and construction of these plants is carried out in close co-operation with the Soviet Union. Czechoslovak industry delivers majority of both primary and secondary circuit components while the Soviet contractor delivers fuel, main circulating pumps for the primary coolant and a number of special equipment and devices. Furthermore, the Soviet contractor is in charge of nuclear safety of the plants.

At present, two VVER 440 MW units are successfully operated at the plant V1 at Jaslovské Bohunice. As far as the power control system of these units is concerned Soviet-made instrumentation and control systems are employed mainly in the primary loop while Czechoslovak instrumentation and control systems prevail in the secondary loop. Operational experience acquired at the plant V1 gives evidence that the main tasks of the power control systems of these units are accomplished satisfactorily. Certain deficiency has been observed within the water level control system in steam generators in the case of a main coolant pump outage. Operator's manual intervention is needed under these conditions in order to maintain the water level at the demanded value.

More serious economic consequences originated from insufficient co-operation between the reactor power controller and the turbine power controllers in the case of a turbine trip. Such an event resulted in substantial drop of both the primary and secondary circuit pressure and, as a rule, led to reactor trip. In order to overcome this shortcoming some modifications for the Czechoslovak turbine controller have been suggested. They have been thoroughly tested by extensive simulation studies carried out with the plant dynamics model. On-site verification has been performed during start-up of the plant second unit. After implementation in both units of the V1 plant they proved to be a significant contribution to the plant operational performance.

2. DESCRIPTION OF THE POWER CONTROL SYSTEM

The power control system of the plant V1 unit is a complex multidimensional regulating system which controls generation of power in the reactor, its transferring to the turbines and its feeding to the grid. If the system is to be described in a block manner it consists of the following controllers. In the secondary circuit we have the turbine power controller, pressure controller in the main steam header, the controller of the by-pass station to the turbine condenser, the controller of the steam relief station to the atmosphere, and the water level controller in the steam generator. In the primary circuit we have the reactor integral power controller, the coolant pressure controller, and the water level controller in the pressurizer. Since there are six primary coolant circulating pumps, six steam generators, two turbines and two steam relief stations to the atmosphere at a VVER 440 unit, a number of the above mentioned controllers is, in effect, present at multiples.

From the functional point of view the individual controllers of the unit's power control system can be characterized as follows.

The reactor power controller is a Soviet-made multi-purpose device with type marking ARM 4. The main tasks of this controller are summarized below:

- automatic adjustment of the reactor integral power in correspondence with the power of both turbogenerators. Steam pressure in the main steam header is taken as a variable which characterizes the balance of the reactor and turbogenerators power. This variable is to be maintained at the demanded value of 4.414 MPa with ± 0.05 MPa dead-zone;
- automatic stabilization of the reactor integral power at a demanded value with a dead-zone of ± 2 %;
- automatic reduction of the reactor integral power in the case of an outage of one or two primary coolant circulating pumps /by 25 or 50 per cent of the actual value at the instant of outage/.

These tasks are carried out by the ARM 4 device in one of the following modes of operation which can be switched on/off either manually or automatically:

- operational mode R, in which pressure in the main steam header is controlled by changing the reactor power;
- operational mode SRs, in which the reactor power is regulated at a demanded constant value;
- operational mode SRn, in which the output of the reactor power controller is disconnected from the control rod drives as long as the steam pressure deviation from the demanded value does not exceed 0.245 MPa. If it does, the ARM 4 is automatically switched to the R mode, in which it remains until a manual intervention of the operator.

From hardware point of view the ARM 4 controller consists of two parts: a part for processing analogue signals /implementation of control laws, etc./ and a part for processing discrete information /switching of operational modes, signalization, interface to the reactor protection system, etc./. As a whole it is a two-channel redundant device which employs the "2-out-of-2" logic /in the case of a primary coolant pump failure it is switched to "1-out-of-2"/. As far as dynamic behaviour is concerned ARM 4 is a complex nonlinear controller with varying structure. Derivation of its transfer functions at different operational modes is presented in detail in [1].

Turbine controller

Each of the two 220 MW steam turbines is equipped with the electrohydraulic regulating system TVER-01 delivered by the turbines manufacturer, i.e., SKODA Works. The main functions of TVER are as follows:

- control of the turbine which means either controlling the turbine power or controlling steam pressure in the main steam header. Both controls are exercised by the turbine control valves. It is augmented by a protection system against excessive pressure increase/drop before the turbine;
- control of the by-pass station to the turbine condenser which means controlling of steam pressure in the main steam header by control valves of the by-pass station. This control is active in the case of a significant increase of steam pressure, e.g., during a turbine trip.

System TVER consists of a hydraulic part /conventional components for controlling turbine revolutions and by-pass station valve opening/ and an electronic part /electronic components for measuring and evaluation purposes, electronic units for implementation of individual control laws/. Interconnection between the electronic and hydraulic parts is provided by a turbine operating device and electro-hydraulic converters. The individual controllers of the TVER system can be, in general, characterized as PI controllers with constraints imposed upon the output signal.

When the TVER system is operated in the turbine power control mode corrective signals derived from grid frequency, pressure in the condenser and pressure in the main steam header are fed into the block for forming the turbine power demanded value. Furthermore, the demanded power and its rate of change are limited to pre-set values. Turbine controller can be switched from turbine power regulating mode to the steam pressure regulating mode only under the conditions that the ARM 4 controller is not set to the R mode and the pressure sensing devices are functioning correctly.

The by-pass station control system is activated when pressure in the main steam header exceeds the value of $p + \Delta p_1 + \Delta p_2$, where $p$ is the demanded value, $\Delta p_1$ is an auxiliary signal employed to shift regulation range of the by-pass station above the regulation range of the pressure control by means of reactor power adjustment and $\Delta p_2$ represents a dead-zone. In the case of a turbine trip a derivative signal, transformed by a first-order lag system, is added to the controller output signal to reduce the pressure overshoot under these abnormal conditions.

Each of the six steam generators is equipped with a separate water level controller. The input to such a controller consists of three signals, namely deviation from the demanded value, flow rate of the generated steam and flow rate of the feedwater. The manipulated variable is the opening of the control valve in the feedline to the steam generator. The control loop is implemented with modules of the Soviet-made impulse control system KASKAD. Its dynamics can approximately be considered as a PI control law.

Control of the steam relief stations to the atmosphere

There are two steam relief stations to the atmosphere at each unit of the V1 plant. They are located at both ends of the main steam headers and they are rated for a steam flow of 200 tons per hour. Each station is furnished with its own controller which is made up of KASKAD modules. The controller starts to operate when pressure in the header exceeds the value of 4.91 MPa and controls it by a P control law to the demanded value of 4.61 MPa. The station closes at the pressure level of 4.51 MPa.

Primary coolant pressure control

The nominal value of the primary coolant pressure is 12.26 MPa. The variables which are employed to affect the coolant pressure are as follows: electric heating of coolant in the pressurizer, spraying by water taken from the cold leg of the primary circuit and opening of the pressurizer relief valve. The individual control loops are made active/inactive at pre-set values of the primary coolant pressure.

Water level control in the pressurizer

This control system is to maintain the primary coolant volume at a constant value. The input variable is deviation of the actual water level in the pressurizer from its demanded value, the manipulated variables are control valves' opening in the makeup and letdown lines.

3. SYSTEM PERFORMANCE DURING ABNORMAL CONDITIONS AND THE SUGGESTED CORRECTIVE MODIFICATIONS

Czechoslovak VVER 440 MW units differ from units of the same type operated in other countries in that the turbine regulator is of Czechoslovak origin. Both units of the V1 plant work at basic load mode employing constant secondary pressure control strategy. Under normal operating conditions the turbine controller TVER is run at the power control mode while the reactor controller ARM 4 is set to the SRn mode in which the output of the controller is disconnected from the control rod drives. A change in the unit's power is accomplished by manually setting a new demanded value for the TVER. The ARM controller is manually switched to the R mode in which it controls the pressure in the main steam header by adjusting the reactor power. After the transient is over the ARM is manually switched back to the SRn mode.

In the first period of operation of the V1 plant's unit No 1 a kind of incorrectness in co-operation between the reactor and turbine controllers was occurring during a transient caused by outage of one of the two turbines - see [2]. The reactor controller ARM 4 tended to decrease the reactor power not only in the mode R on the basis of an increase in the steam pressure in the main steam header but also in the mode SRs on the basis of a trip of two main primary coolant pumps /two primary coolant pumps get power supply for a limited time from the home consumption generator associated with the tripped turbine; therefore, a trip signal is created whenever their power goes lower than a pre-set value/. High overshoots in steam pressure were also caused by relatively slow opening of the by-pass stations to condenser. All this resulted in the reactor power diminishing on completion of the transient to a level of about 25 to 30 per cent of its nominal value. Delayed closing of the control valves of the by-pass stations to condenser led to fast steam pressure decrease and undershoot in the course of the transient. Low values of steam pressure combined with substantial lowering of the reactor power caused considerable decrease of the primary coolant mean temperature and unacceptable drop in the primary coolant pressure. This led to reactor trip by the so-called protection signal of the 2-nd order. Since the decreasing steam pressure in the main steam header was approaching the trip setting for the second turbine this would also result in the reactor shut down.

If the unit's power control system is to minimize the deviations in reactor coolant pressure and temperature it is necessary that the reactor power be lowered to a level corresponding to the power of the running turbine and the steam pressure deviations be made as small as possible. This can be accomplished by proper tuning of the reactor controller, the turbine controller and the by-pass station controller while observing all safety requirements relevant to such an anticipated operational occurrence.

Extensive simulation studies, carried out with an overall plant dynamics mathematical model - see [3], led to a conclusion that reactor power reduction which is out of proportion to the turbines' power reduction can be prevented by excluding or, at least, limiting operation of the reactor power controller at mode R. This can be arranged for by ensuring that the maximum deviation of the steam pressure will not exceed the value of 0.245 MPa at which the ARM 4 controller is automatically switched to the R mode.

On the basis of results acquired from simulation it has been suggested that the time of opening of the by-pass stations' shut valves be made shorter /approximately 11 s/, a derivative signal of the form of decreasing exponential function with the time constant of about 11 s be added to the input to the actuating device of the by-pass stations' control valves and the gain of the proportional channel of the PI pressure controller by means of the by-pass stations be substantially increased. The derivative signal, which is generated at the instant of a turbine trip, has been shaped in such a way that short-term but full opening of the control valves of the by-pass station of the tripped turbine be accomplished. The gain of the proportional channel of the controller has been tuned to a value which causes instantaneous full opening of the control valves providing the steam pressure deviation from the demanded value is 0.245 MPa. The value of the controller's integral channel gain has been diminished to prevent undershoot in the steam pressure. The new value makes the time of full opening of the control valves under the command of only the integral channel of the controller of about 110 s in the case of steam pressure deviation also of 0.245 MPa. All these modifications could be implemented by minor changes in the turbine controller.

Simulation studies, which have been carried out to test the above mentioned modifications, indicated that satisfactory transients initiated by a turbine trip can be arrived at in the unit's whole power range. During a transient at nominal power the primary coolant pressure builds up to maximum value of 12.45 MPa. In the further course of the transient it falls down to the lowest value of 11.51 MPa while triggering of the reactor protection of the so-called 2-nd order takes place at the value of 11.27 MPa. Primary coolant temperature at the input to the reactor reaches maximum value of 272.2°C while that at the output from the reactor does not exceed the value of 302.8°C. The minimum values have been as follows: 264.1°C and 285°C. Let us mention at this point that nominal values of these temperatures are 270°C and 300°C, respectively. The reactor power has been reduced to 47 per cent of its nominal value. During transients initiated by a turbine trip at lower levels of the unit's power the maximum deviations in the primary coolant pressure and temperature as well as in the steam pressure in the main steam header are smaller. Implementation of the derivative signal affects favourably the transients also in the case of switching-off the unit's breaker when the turbines' power is reduced to the home consumption level. Since the derivative signal causes full opening of the by-pass stations' control valves independently of the turbine power value preceding the trip its application would result in temporary steam pressure decrease in the case of a turbine trip at lower loads of the unit. This disadvantageous effect is compensated for by a higher gain adjustment in the proportional channel of the controller of the by-pass station to turbine condenser.

The described modifications do not cause excessive cooling down of the primary coolant in the case of reactor trip by the so-called protection of the 1-st order, either. After shut down of the reactor the corrective signals derived from steam pressure in the main steam header are decreasing the demanded value of the turbine power which, in its turn, causes a reduction of the turbine power proportional to the steam pressure drop. At steam pressure of 4.02 MPa the first turbine is tripped by its quick-acting isolating valve, at 3.82 MPa the second turbine's trip follows. Therefore, the derivative signal which speeds up opening of the control valves of the by-pass stations, is generated. As a result of these actions the steam pressure does not fall down below 3.8 MPa.

Another problem which had to be resolved concerned improving the turbine controller performance in abnormal conditions leading to negative deviations in the steam pressure at the main steam header - see [4]. When the turbine controller dead-zone of ± 0.06 MPa is surpassed the corrective signals from the steam pressure affect the turbine power demanded value which has been set by the operator. While this corrector network is in active mode the turbine controller operates as a proportional regulator of steam pressure. For this reason steady-state negative deviation of steam pressure from its nominal value occurs under abnormal conditions such as primary coolant pumps outage, turbine trip, etc. It is the operator's task to bring back the steam pressure to its demanded value by manual setting of the turbine power demanded value to a level which corresponds to the actual reactor power value and, afterwards, switch on the turbine controller to automatic mode. Since these operations are time consuming they put additional load upon the operators which is inconvenient especially under abnormal conditions. Relatively simple modification of the turbine controller has been suggested on the basis of simulation studies which provides for automatic varying of the turbine power demanded value in such a way that the negative pressure deviations be compensated.

4. CONCLUSIONS

The results of simulation studies carried out for the purpose of improving the performance of the plant V1 power control system revealed that structure and setting of the reactor power control loop, the turbine control system and the control system of the by-pass stations to turbine condenser have substantial influence upon the capability of these systems to keep the plant variables within the limits set by the safety analysis. In the case that some control systems are delivered as nearly an integral part of individual plant's components developed and manufactured by different manufacturers deficiencies in co-operation between these controllers are likely to occur. The experience gained from the efforts to correct these deficiencies after the plant V1 went operational is that in order to cope with such a task in the presence of "boundary condition" set by the plant's routine operational procedures and a limited number of the control systems' adjustable parameters simulation studies, carried out with a detailed and validated mathematical model of both the plant's and its control systems' dynamics, seem to be inevitable. These studies provide for better insight into the correlations between the parameters' settings and the quality of plant control under the conditions of complying with all safety requirements. Furthermore, the number of on-site tests for verification of the proposed modifications can be minimized.

REFERENCES

[1] Rubek, J. et al., VVER 440 Power Plant Control Systems' Dynamics /in Czech/, EGÚ Report No. 11 14 1 30, 1980

[2] Rtfdzi, S., Dynamic Behaviour of a VVER Plant; Realisation of Dynamic Experiments /in Slovak/, EGÚ Report No. 11 07 1 04, 1979

[3] Bednarik, K., Rubek, J., Stirsky, P., Impact of Turbine Trips upon Plant V1 Reactor /in Czech/, Conf. on Phys. and Thermal Aspects of VVER Core Safe Operation, Prague, 1980

[4] Karpeta, C. et al., Nonlinear Model of VVER Plant Components /in Czech/, EGÚ Report No. 21 03 12 10, 1981.

I&C UPGRADES RESULTING FROM THE SYSTEMATIC PLANT REVIEW EVALUATION PROGRAM CARRIED OUT AT THE CENTRAL NUCLEAR JOSE CABRERA

J.C. HUMPHREY
Westinghouse Nuclear Espanola, Madrid, Spain

Central Nuclear José Cabrera, also known as Zorita, is a 160 MWe nuclear power plant owned and operated by UNION ELECTRICA-FENOSA, S.A. The plant was supplied by Westinghouse Electric Corporation and commissioned in 1968. It features a unique one loop Pressurized Water Reactor design.

Following the requirement issued by the Nuclear Regulatory Commission in late 1977, to perform evaluations of operating plants in the USA licensed before 1972, the Spanish Licensing Authorities requested C.N. Jose Cabrera to carry out a similar review of their plant. The main objectives were to reassess the safety adequacy of the operating systems, provide a documented comparison of the plant design versus present day criteria and establish a rationale for departures. Another important objective was to provide prompt identification of any significant deficiency.

Within this frame, in Autumn 1979, UNION ELECTRICA-FENOSA decided to contract the original vendor, Westinghouse, to perform a plant specific evaluation based on the NRC's Systematic Evaluation program, the TMI Action Plan and address any plant specific concerns arising from the review. The review, known as phase 1 of the C.N. Jose Cabrera Systematic Evaluation Program, was completed and documented by April 1980.

Data retrieval from the plant was therefore a first step towards plant diagnostic, analysis of the results and identification of points requiring immediate attention, known as short term items.

In a second stage, called phase 2, a number of modifications were defined as required in areas of Fluid, Auxiliary and Electrical systems and to their corresponding supporting I&C systems, bearing considerable impact on general plant and control room layout aspects. As part of the review program, the plant's Instrumentation and Control Systems were evaluated in depth, both from the viewpoint of safety adequacy of their design as well as that of comparison between their design criteria and current codes and standards. The review concluded that most of the non conformances lay in the general areas of common mode failures whilst the functional aspects of the reactor protection system and safeguards actuation systems represented adequate levels of plant protection. The design phase therefore centered around developing the modifications required to eliminate or greatly reduce the risk of common mode failures, such as providing redundant vital power supply systems, protecting cable raceways or providing new cable routings and new cables for essential circuits or considering prevention of external hazards, such as improvements to both passive and active fire protection systems, etc.

FUNCTIONAL REQUIREMENTS

As a result of the review, new functional requirements for the plant reactor protection and control systems were issued by the design review team. These requirements determined that the existing reactor protection system was functionally adequate and that the introduction of redundant vital power supplies to the existing redundant protection instrumentation channels and protection logic were considered sufficient to improve its reliability. No changes were determined as necessary to the normal plant control systems.

The requirements for the Engineered Safeguards Actuation system however, modified the existing ones in order to address

a) New functional requirements determined by the new requirements imposed on the safeguards fluid systems and the modifications resulting thereof.

b) Meeting current Codes and Standards in terms of providing diversity in the automatic initiation of safeguards and manual actuation at the various system levels.

As a direct result of the modifications to the Fluid systems and the introduction of a large number of new safeguards components, the ESFAS required expansion of its output capacity to drive all the safeguards components and also, to incorporate different stages of actuation logic, whether it be initiation of safety injection, phase A or phase B containment isolation, initiation of emergency feedwater, etc.

The concern for making the safeguards systems common mode failure proof, which formed the basis of the plant upgrade, particularly in the electrical systems area, required the ESFAS system to meet single failure criteria by providing redundant, physically and electrically separated systems as well as adapting it to the new configuration of the electrical power distribution systems. The designers had furthermore to consider the excellent record of C.N. Jose Cabrera and therefore, any modifications introduced had to maintain the existing plant availability whilst at the same time increasing the reliability of the system.

ENGINEERED SAFEGUARDS ACTUATION SYSTEM

With the design concepts and functional requirements in hand, a rapid conclusion was that it was neither practical nor cost effective to try modifying the existing system in order to meet the latest requirements. On one hand, the fact that it was dispersed throughout the Main Control Board and other Control room panels and on the other, the limited space available meant that it would be extremely difficult to meet current separation criteria and that no assurances could be given as to the final functional integrity of the modified system. This immediately led the designers together with the utility's plant staff to consider replacing its major part with a new, fully structured system. This new system would be physically located elsewhere, thus resolving aspects of redundancy, physical and electrical separation, cabling and cable pulling in one instance, whilst ensuring, on receipt of the hardware, having a fully tested and qualified system which would contribute to reduce the erection and plant recommissioning time.

The configuration for the ESFAS system would therefore be as follows. As for the Reactor Protection System, one part, the process instrumentation channels, would be retained and supplemented with new instrumentation, whilst the second one, the logic and actuation system, would be totally replaced with a new one.

In the existing system, automatic actuation of the Emergency Core Cooling System was achieved by means of a combination logic of two out of three low pressurizer pressure signals derived from bistables in the three redundant pressurizer pressure process protection instrumentation channels. In order to introduce diversity of automatic actuation as dictated by the new functional requirements, additional process plant signals were required. As in other Westinghouse plants, containment pressure was selected as a back up parameter to pressurizer pressure. This not only allowed diverse actuation but also permitted automatic initiation at another level of safeguards actuation namely, containment isolation. Three new containment pressure channels are being provided to achieve automatic actuation on two out of three logic as well as providing readouts in the Control Room.

The installation of this instrumentation which needs to meet current separation criteria requires three new mechanical
On one hand, the fact that it was dispersed current separation criteria requires three new mechanical containment penetrations, since the sensing elements consist of a features are being incorporated into the system design such as pressure belows sensor located inside containment which provides a improved on line test facilities and outputs for plant operator pressure signal through a sealed capillary to an electronic OP information. transmitter located outside containment, for this purpose, existing electrical spare penetrations are being replaced by tailor made A further modification has been introduced both to minimize mechanical penetrations. the cabling impact and to reduce the amount of hardware required and therefore make the proposed system more cost effective. A second modification introduced by the new functional requirements was the introduction of manual initiation at system The existing system consisted of two trains of actuation with level. This is being provided at the main control board and at the operation of either of logic actuating both trains of Safeguards panel in order to allow operator to actuate safeguards in safeguards components. To retain this feature whilst at the same anticipation to the actuation by the automatic system or in the time meeting separation criteria would have required each train to unlikely event of its failure. double the capacity of its output section in separate compartments with as many interconnections between trains as components to be The new logic and actuation system proposed was divided into actuated as well as providing separate isolation relays in both three sections: trains. The proposed system contemplates the actuation of one train of safeguards only from its corresponding train of actuation logic. 
The first one, the input section, receives signals from the A reliability study was performed demonstrating that with the process instrumentation bistables indicating that initiation of improvements introduced at the level of the actuation logic, safeguards is required and provides three levels of se.^o^ution effectively making the logic redundant, the proposed system corresponding to the three protection grade instrumentation channels maintains the same order of reliability. the plant is designed with. The combination logic is performed in a second separate section, where different actuation signals are POST ACCIDENT MONITORING INSTRIMENTATION derived to drive the safeguards components through relay contacts located in yet another section, the output section. For consistency with the upgrades brought to the Safeguards Systems and bearing in mind the TMI Action Plan and the publication The maintenance aspects considered, together with the need to by the NIC of revision 2 to Regulatory Guide 1.97 "Instrumentation ensure compatibility with the existing retained systems such as for light water cooled nuclear power plants to assess plant and process instrumentation protection system bistables, reactor environs during and following and accident" in Dec. I960 led to the protection system and safeguards components gave strong arguments in reassesment of the plant instrumentation available to the operator. favor of retaining the original plant design concept and maintaining This instrumentation is of paramount importance to enable plant the use of relay technology and hard wired logic rather than solid operators to correctly diagnose an accident and take corrective state or microprocessor based technology. This has proven the most actions to minimize its consequences. Again, this task was to be difficult decision making process where, development cost for this very plant specific and acceptable under cost benefit terms. 
The plant specific hardware and manufacturing lead times more than first priority was therefore to identify what consisted in a minimum 79 anything, favored the relay based design. However additional set of variables that an operator required for accident diagnostic and subsequent mitigation. The basis was established as that physical and electrical separation, new instrument locations were provided by the plant emergency operating instructions, revised to sought. This implied designing new impulse line layouts, new adapt them to the moditications introduced in the safeguards systems. cabling and its routing, providing new containment penetration inserts, etc. The benefits were that there were only minor impacts A set of 21 variables was identified. Besides providing on existing and retained plant I*C, but again, the lack of space information to the operator to make his initial diagnostic, the PAM created the major problem. instrumentation system has to provide him with continous and unambiguous information of critical plant parameters and allow him In order to support the new field mounted sensors and provide to perform the manual actions dictated by the operation aspects of the readouts in the Control Room, new signal processing electronics the safeguards systems per his established procedures. were needed. To cope with the full set of PAMs variables to be

The WM instrumentation must therefore survive the environment provided, new IfcC cabinets were required which had also to comply tiiat any of its components may be subjected to, during and after an with current criteria. Three class IE protection grade cabinets are accident, and cilso be single failure proof and thr ere fore being supplied. redundant. Also the trend of change of the parameters measured could be of interest for determining progress, or the taking of correc- ive actions, and therefore required that these parameters be recorded in order to ease data retrieval. NEW INSTRIMENTATJON AND CONTROL SYSTEMS

Once the requirements were defined, it was found that only a Apart from the fully dedicated set of instrumented PAMs limited number of the instrumentation available at the plant met variables, considerable additional i*C was required as a result of these and that ii. some instances the parameters specified were not the modifications to the fluid systems. Since new operational being measured at all. It was therefore apparent that extensive features were introduced in these and, given the requirements foe modifications were necessary. redundancy or corresponding protection or control grade basis, a fourth control grade IfcC Cabinet was required and is being supplied. Firstly, new qualified redundant field mounted sensors were required. Since a number of variables selected for PW's were already used is part of the existing plant protection The total IfcC system thus defined was therefore integrated, instrumentation system and that in some instances, different ranges providing the process instrumentation required for: to those existing were being specified, in order not to disturb normal plant operation, changing the periodic test procedures or a) Diverse safeguards initiation, modifying the maintenance and calibrations being carried out by b) Post Accident Monitoring, plant staff since 1968, it was decided not to replace existing c) Monitoring and performing process control and sensors but rather to supplement them with new additional ones. interlock functions of modified systems, in full compliance with current codes and standards and providing This also made it possible to address and comply with the state of the art process instrumentation, identical to that class IE requirements inherent to their design. Therefore to ensure installed in the latest Westinghouse supplied plants in Spain. 
CtNEKAL PLANT AND CONTROL M3GM LAYOUT motor control centers from which both existing and new safeguards components are operated and also to A number of difficulties in the area of general plant and more create new cable spreading room for power circuits. specifically, control room layout became apparent to the designers early in the process. b) As part of the modifications required to meet Control Boom habitability requirements, the large existing As opposed to more modern plants, C.N. Jose Cabrera did not Control Boom Heating, Ventilation and Air feature specific dedicated areas to electrical or I(C equipment. Conditioning Uhit, needed to be replaced by a new Equipment, mostly electrical switcngear, was concentrated in redundant and qualified system. Hie existing unit different areas common to secondary plant systems. The control room was located next to the Control Room and it was was small, with panels in two straight lines separated by an access therefore decided to remove it and locate the new corridor, The main control board panels incorporated all the ISC system on the roof of the auxiliary building, systems*, electronic modules, power supplies, readouts, protection therefore making room available for two rows of and safeguards logic and output relays, etc. typical of a standard process instrumentation and safeguards relay cabinets with their associated system of cable trays 1965 vintage industrial plant design. The cable access to the underneath them. control board panels and the cable spreading room underneath the control room were also highly congested.

As it has been shown, the development of the design concepts This has permited the correct layout of IfcC rack mounted had also led to considerably large pieces of hardware being required equipment,, separate from medium voltage switchgear in a controlled for the plant upgrade. Consequently there was an evident problem of environment and in accordance with its structured system basis. making additional space available and making the best use of it. Also the layout proposed addresses not only cable access and separation requirements but allows periodic testing and carrying out The problem of lack of space has been solved by; maintenance in a suitable .

a) Converting part of the existing auxiliary building A further problem, far more complex, was the need to into an electrical building, vacating three floors integrate the new equipment in the existing control board panels and previously used foe chemistry labs, I(C calibration rework the wiring inside them. (DC power supply system two train test benches and maintenance equipment storage, split, introduction of three vital instrumentation power mechanical workshops and administration offices and distribution busses, new control switches, etc..) The problem was transferring them to new premises built outside the aggravated by the fact that the panel layouts had to be human main plant. This has allowed the carrying out of factored and that the operators were intimately familiar with their extensive civil work modifications, including a new control board, many of them having operated the plant since its intermediate floor, which now provide separate and commisioning and therefore understandably reluctant to modify its clear cut areas where it has been possible to install layout in anyway. the new Class IE electrical switchgear trains and This will be achieved by careful consideration of the new required to carry out the final design and to the lead times for features introduced in the operations of the various systems. New equipment manufacture and delivery. panels, for new systems such as HVAC, Fire Protection, Diesel Generator Chit and its auxiliary systems have been introduced and The first outage started when the plant shutdown in October located in the control room. Trie main conttol board will be 82. By that date, the design of what was then called phase 3A was extended on one end to house the controls for the new electrical almost complete and hardware had been ,xirchased and was being distribution power systems. Because of the extensive modifications delivered to the plant. 
Some of this hardware was built required in the area of safeguards and the physical impossibility to specifically for C.N. Jose Cabrera whilst some equipment was add the new safeguards functions whilst maintaining a rational obtained from other utilities with delayed nuclear power plants operational layout, it was decided that the complete safeguards under construction. A further proolem was that whatever was panel would be totally replaced by a new one. The new panel would installed in that pnase was to be integrated in the final provide a proper layout of plant safeguards systems manual controls configuration of the pi int upgrade, the design for which was still and integrate the post accident monitoring instrumentation not complete. Therefore, a number of decisions were made only on readouts. Similar arguments to those considered for the safeguards sound engineering judgement ai«. anticipating to the further extent activation system contributed towards this decision namely. possible, the ultimate plant layout configuration, as far as location of components such as valves, piping systems, ventilation a) meeting current codes ami standards, air ducts etc. was concerned and which was still at a conceptual b) providing a fully wired up and tested panel, design stage. It was also apparent that some temporary solutions c) reducing plant downtime in an area which is bound to had to be envisaged and that it would eventually be necessary to be the critical path in the upgrade implementation replace or recable what was being implemented. 
and plant recomissioning schedule, From a systems viewpoint, the modifications carried out in IMPLQOITATIDN SCHEDULE phase 3A, mainly those relative to the Emergency Core Cooling System, the two train split of the Electrical Power Systems, A point not apparent so far in this paper is in what manner including the installation of a Diesel Generator Unit and its have tlte implementation of the various modifications been carried auxiliary systems, and part of the heating, ventilation and control out and scheduled. This, needless to say, has constituted one of room air filtering and air conditioning systems, required providing the major challenges of the whole upgrade program. their associated IfcC features. Two llC cabinets housing the supporting instrumentation were supplied and installed, with the

The license issued by the Spanish Consejo de Sxjuridad knowledge that they would have to be recabled internally when Nuclear in August 81 to permit operation of the plant on its eventually part of the final ISC plant configuration. eleventh fuel cycle committed the utility, UEFSA, to initiate a program to design and implement the modifications. After extensive The number of additional components such as new valves, negotiations with the CSN, it was agreed that the implementation introduced in the BCCS, required expansion of the existing activities were to be divided in two parts to be performed at the safeguards actuation system, as opposed to the solution ultimately scheduled annual plant refuelling outages, mainly due to the time envisaged for it and described earlier. The safeguards panel was also modified on a temporary basis by utilizing some free panel this engineering team directly interfaces with the owner's plant space luckily available next to it, ind adding all the new manual opera ;ing and maintenance staff on a continous basis. In fact, many controls and instrumentation readouts. aspects of the upgrade incorporate features introduced by the plant staff resulting from their full participation and close follow of The plant was ready for start up by the end of July 1983 but the design activities. for reasons beyond the scope of this paper was not allowed to start until th«» end of November last year. Finally, but certainly of no lesser importance, is the close cooperation required between all the parties involved in the design The [iiose 3B implementation phase in the IbC area is and implementation activities. This includes working with an presently intended to start in February 1985 when the plant shuts Architect Engineer who is responsbile for the detailed engineering down after having operated on a streched out cycle, in order to activities and has the lead design responsibility of the allow for final detailed design and equipment delivery. 
It is modifications to some plant systems under a previously agreed scope expected to complete the upgrade in a six month period. split.

LESSOB LEARNED

The experience gained in Phase 3A has taught some vitally important lessons and confirmed the soundness of some decisions made Ije forehand.

The first lesson is that when dealing with a wide number of issues the most resource effective way to carry them out has to be in an integrated fashion.

This has required setting up a small dedicated and experienced multidiscipline engineering task force to carry out the basic engineering under a strong project management. The same team is also responsible for close follow and scheduling of the implementation aspects and therefore must be located near or at the plant itself.

Another oovioos lesson is that in depth knowledge of the plant is essential both from a systems and systems layout viewpoint as well as from its operating experience. cor this reason, and because the results of the final upgrade must be considered in terms of cost effectiveness and plant operation, it is imperative that C.N.JOSE CABRERA CONFIGURATION OF PLANT ISC SYSTEMS

MANUAL NEW ACTUATION PROTECTION NEW SAFEGUARDS & PAMS PANEL NEW CLASS CABINETS IE SENSORS

PROT SET I 11no8v VA C e"505 PROT SET 118 V AC II -a II e BUSH AUTOMATIC ACTUATION III PROT SET 118V AC III TRAIN A ©• BUSTO" ,125 V DC *G~ TRAIN A MANUAL SFGDS EXISTING IN, VRESETI COMPONENTS SENSORS D EXISTING PROTECTION •ft WSTRUMENlAnON II

^US J REACTOR III PROTECTION SYSTEM )te* TRAIN B ,125 V DC *G" US IT INSTRUMENTATION REACTOR TRIP TOTS NEW l&C 118 VAC SYSTEM BREAKERS NEW ESFAS RACKS CABINET G BUS1U
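The two-out-of-three coincidence logic and the diverse containment pressure parameter described in the Engineered Safeguards Actuation System section can be checked against the single failure criterion by enumeration. The following is an added example, not code or logic diagrams from the paper; the function names are hypothetical, and combining the two parameters with OR for safety injection and driving containment isolation from containment pressure alone are assumptions made for the illustration.

```python
"""Added illustration: 2-out-of-3 voting, single failures and diversity."""

def one_out_of_three(bistables):
    return sum(bistables) >= 1

def two_out_of_three(bistables):
    return sum(bistables) >= 2

def three_out_of_three(bistables):
    return sum(bistables) >= 3

# Every single bistable failure: (channel index, state the output is stuck at).
SINGLE_FAULTS = [(ch, stuck) for ch in range(3) for stuck in (True, False)]

def with_fault(bistables, fault):
    """Return the three bistable outputs with one channel stuck."""
    ch, stuck = fault
    return tuple(stuck if i == ch else b for i, b in enumerate(bistables))

def single_failure_report(vote):
    """List the single faults that defeat a voting scheme.

    missed   : faults that block actuation while all channels demand it
    spurious : faults that actuate while no channel demands it
    """
    missed = [f for f in SINGLE_FAULTS
              if not vote(with_fault((True, True, True), f))]
    spurious = [f for f in SINGLE_FAULTS
                if vote(with_fault((False, False, False), f))]
    return missed, spurious

def existing_logic(przr_low):
    """Existing system: 2/3 low pressurizer pressure only."""
    return two_out_of_three(przr_low)

def esfas_train(przr_low, cont_high, manual_si=False, manual_ci=False):
    """One train of the upgraded logic (assumed combination, see lead-in)."""
    cont_vote = two_out_of_three(cont_high)
    return {
        "safety_injection": two_out_of_three(przr_low) or cont_vote or manual_si,
        "containment_isolation": cont_vote or manual_ci,
    }

def common_mode_case():
    """All three pressurizer bistables fail to trip during a real demand.

    Returns (existing system actuates?, upgraded system actuates?).
    """
    przr_low = (False, False, False)   # common mode failure of one parameter
    cont_high = (True, True, True)     # diverse parameter still responds
    upgraded = esfas_train(przr_low, cont_high)["safety_injection"]
    return existing_logic(przr_low), upgraded

if __name__ == "__main__":
    for vote in (one_out_of_three, two_out_of_three, three_out_of_three):
        print(vote.__name__, single_failure_report(vote))
    print("common mode (existing, upgraded):", common_mode_case())
```

Only the two-out-of-three scheme survives every single stuck bistable in both directions, and only the diverse parameter covers the loss of all three channels of one measurement.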

RETROFITTING OF AN IMPROVED STACK MONITORING SYSTEM IN RAJASTHAN ATOMIC POWER STATION

R. NATARAJAN
Power Projects Engineering Division,
Department of Atomic Energy,
Bombay, India

1. INTRODUCTION

In compliance to the requirements of safety in nuclear power plant operation, all radioactive releases from an NPP through the ventilation system are monitored to ensure that releases into the environment are well within limits set by competent authorities and that proper records of such releases are maintained. It is normal practice that exhaust air from all the potentially active areas of the plant are routed to the atmosphere at an elevated level through a stack. The radioactivities present in the exhaust are dependent upon the type of nuclear installation and its design and the various processes of operation. To meet the regulatory requirements, provisions must exist in the system to measure all radionuclides so released. Also, when the levels of the activities released exceed predetermined levels, early warning to the operator by suitable annunciation in the control room should be provided. It is also essential to isolate the system and bottle it up, should this become necessary, in the unlikely event of an uncontrolled release of radioactivity.

The Rajasthan Atomic Power Station comprises of two units of Pressurised Heavy Water Reactors. The first unit went critical in 1972 and the second in 1980. In the original design, there was no integrated system to monitor all the relevant parameters in the ventilation exhaust at the point of release from the stack. The common exhaust duct combining the exhaust from the two reactor buildings and the Service Building had a duct mounted monitor to measure gross gamma activity. The exhaust duct from each reactor building was provided with particulate and iodine monitoring installations. Tritium was monitored individually at the exhaust of RB-1 and RB-2 as part of a sequential tritium-in-air monitoring system. Although these systems satisfied, in a collective way, the requirements of regulatory provisions, deficiencies of the installed systems were realised in the course of operation of the two units and the need for a dedicated system with improved design and installed close to the point of release, was felt. This paper describes the provisions of the new system and retrofitting of the same in the operating reactor.

2. DESCRIPTION OF THE SYSTEM AS EXISTED PRIOR TO MODIFICATION

The gaseous activity released was measured by a wide range logarithmic gross gamma monitor with a Sodium Iodide scintillator-photo-multiplier assembly used as the detector for the gamma activity. The detector assembly is provided with lead shielding to minimise background contribution and mounted so as to face the centre of the combined ventilation exhaust duct in the Service Building leading to the stack. An alarm circuit provided annunciation for high activity release rates.

Different probes installed individually in the Reactor Building exhaust ducts, provided samples for particulate and iodine monitoring. Filtering technique was employed to give an enhanced signal to noise ratio. The particulate filter assembly was viewed by a thin-walled, end-window GM tube. The gross particulate beta activity, processed by a discriminator and logarithmic count-rate meter, was recorded in a strip-chart recorder. Charcoal impregnated filter, having an efficiency of 99% for iodine retention was used for iodine monitoring. The filter was faced by a Sodium Iodide (Thallium activated) scintillation detector-photo multiplier-assembly and surrounded by a lead housing to provide shielding from ambient activity. A single channel analyser was set for the 364 keV peak of Iodine-131 activity. The output of the single channel analyser was fed to a logarithmic count-rate meter, alarm circuit and a recorder.

Tritium was measured by means of a 40 litre compensated ionization chamber, through which the sample air was drawn. The beta activity was measured as current from the ionization chamber using a DC amplifier.

3. DEFICIENCIES OF THE OLD SYSTEM

The system equipments were located at various places in the ventilation equipment room. Hence, the interference to the measured parameter in an instrument from the various activity laden ventilation ducts in the neighbourhood was significant and varying. Because of the individual handling of the various radioactive parameters, a number of sampling points in the ducts had to be provided and sample pumping systems installed. Isokinetic probes were not employed for sampling in the ventilation ducts. The correlation between the quantity actually released through the stack and the quantity measured at the point of the probe installation was uncertain because of the length of duct and the tunnel between the stack and the ventilation equipment room. Substantial amount of tubing was involved and considerable maintenance efforts were required to keep the various pumping systems operational. Availability of space and additional cost were restraints for providing complete redundancy for all the pumping systems.

While the installed system for noble gas monitoring provided information on the instantaneous dose rate at the point of location, which was to be correlated to the instantaneous release rate from the stack, the integrated activity released over a day would have to be estimated from a knowledge of the ventilation flow rate record and the gamma activity dose rate record. This was a time consuming process. Besides, because of the wide range and logarithmic scale used, good measurement sensitivity could not be achieved at normal release rates.

The simple iodine monitoring system installed proved inadequate to meet the actual requirements under the practical conditions encountered in the plant. In spite of the preferential collection of iodine in the filter, a finite air volume could not be avoided in the filter detector assembly which gave rise to a high background due to Compton scatter of other predominant gamma activities in the exhaust air and consequent contribution to the Iodine Channel. In addition, the estimation of the release rate of activity at any time, based on the logarithmic count-rate meter record curve was not a quick and convenient process. In the early stages after the installation of a new filter, the activity is predominantly due to Argon-41 in air. During the later stages, the combined count-rate due to Argon and Iodine is high. Under both conditions, the statistical errors involved set practical limits to the measurement of, in a small interval of time, the instantaneous release rates.

The tritium monitoring system performance was also impaired whenever there was Argon-41 activity in reactor areas. During operation, RAPS developed leaks in the thermal shield cooling system and the resulting high Argon-41 activity, though within prescribed Technical Specification limits, made the operation of the iodine monitoring and the tritium monitoring systems very difficult. In fact, the tritium monitoring system could not provide any meaningful information to be of any practical use while the Iodine Monitoring System could only provide a rough indication of much higher than normal releases.

Estimation of gross iodine and tritium activities released over a day could still be computed accurately for the purpose of compliance to Technical Specifications by counting of the iodine filter in a laboratory counting set up for iodine and by means of a bubbler system for tritium. Nevertheless, compliance to ALARA principle and efficient Man-Rem expenditure management during maintenance activities dictated the need for improved sensitivities in the measuring systems and continuous indication of release rates, even under possible high ambient Argon-41 activity conditions. The advantages of a centralised stack monitoring system to simultaneously monitor the identified parameters, namely Argon-41, particulates, Iodine and tritium also became apparent. Substantial effort was hence spent on the improvement in the measuring techniques and circuitry for the individual systems and new designs evolved. A scheme was conceived to locate centrally all the improved equipments in a specially constructed activity monitoring room close to the stack.

4. DESIGN CONSIDERATIONS FOR DEVELOPMENT OF INDIVIDUAL SYSTEMS

4.1 Inert Gas Activity Monitoring:

A new stack inert gas activity release monitor was designed to measure and indicate continuously the rate of release of the gaseous activity, primarily Argon-41, through the stack and also to compute and register the cumulative activity released over a period.

While the subsequent nuclear power stations in India are being designed for zero discharge of gaseous activities through the stack, each reactor of RAPS is designed to discharge a nominal activity of about 60 curies per day and could actually be much higher. The major contribution to the activity comes from the thermal shield cooling system. This is a closed system with air as the coolant having a 2% bleed flow of about 34 cubic metres per minute to the stack. The specific Argon-41 activity in the system is estimated to be 1.2 x 10⁻³ microcurie per ml of air, which gives the above release of activity. In view of this steady release, the objective for the stack inert gas monitoring system was set to detect this release as its lower limit. Actually the system is designed to detect about 1 curie per hour release rate. The technical specification limit for short term releases of about 25,000 Ci per day is taken as the upper limit of the range.

The schematic diagram, shown in Fig. 1, explains the function of the monitor. The air is drawn through a gas chamber, consisting of two concentric aluminium cylinders. A metal walled GM tube is located in the inner cylinder to detect the gross gamma activity. The signal is fed to a dual range linear count-rate meter. The two ranges are calibrated by introducing air with known Argon-41 concentration and by adjusting the count-rate meter to give full scale outputs corresponding to (i) 10⁻⁵ microcurie/ml and (ii) 10⁻² microcurie per ml. When the count-rate exceeds 95% FS in the low range, the range is automatically switched over to the high range. Similarly, when the count-rate falls below 5% in high range, it switches over to the low range. Separate adjustable alarm circuit is provided to give alarm when the count rate exceeds any pre-set value.

The above activity signal, along with another signal provided by a turbine type air flow meter located in the tunnel leading to the stack, form the two input signals to a multiplier. The flow meter gives full scale signal corresponding to the maximum air flow rate of 10⁵ m³ per hour. The output of the multiplier represents the activity release rate from the stack. This is fed to an operational amplifier type integrator with a capacitor in the feed back.

The build up of voltage across the capacitor is compared with a set reference signal. The comparator output discharges the integrator capacitor and feeds an advancing pulse to the mechanical register. The reference voltage is adjusted so as to correspond one count in the register to one curie of activity released through the stack. Thus the reading on the mechanical register gives directly the cumulative activity released through the stack in curies.

4.2 Iodine Monitoring:

The iodine activity release in RAPS, during normal operation, was observed to be very small, usually less than 1 millicurie per day. DAC level of iodine-in-air activity being of the order of 1 picocurie per litre of air, the target for development is set as the ability of detect this concentration of iodine activity in air under the prevailing ambient Argon-41 activity conditions, with a reasonable accuracy. The measurement time should also be small, so as to be able to observe any increasing iodine concentration promptly. The

… minutes and n … the maximum percentage error in measuring an activity concentration of about 1 DAC (pico curie per litre of air), with an argon background of about 1000 counts per minute is estimated to be 34% over a period of a day (t = 24 x 60 minutes). The error is reduced to 23% if the background count rate C is not present. The response time is 64 minutes (mn)

In the developed system, in addition to the single channel analyser set to detect the 364 keV peak of Iodine-131, two additional single channel analysers are used for background correction. The two analysers are set, one above and the other below the Iodine-131 channel to cover a small portion in the valley on either side of the Iodine-131 peak in the gamma

An efficiency of 3% is realized in practice, for the counting set-up. With a sample flow rate of 50 litres per minute and a stack flow rate of 10⁵ m³ per hour, K1 is estimated to be having a value of 2. The value of K1 will vary with changes in any of the associated parameters.

The release rate at any time is obtained by finding the slope of the count-rate versus time curve at that time. A more relevant parameter is the specific concentration of iodine activity in exhaust air. If C is the count rate at any time, and C" the count-rate after an interval of T minutes the concentration of Iodine activity is given by

C" - C x 1 . x 100 x 1 microcurie/litre
T x 60 3.7 x 1£

… obtain the activity release rate. Thus, the activity release rate data is updated every m minutes.

Alarm provisions are made to indicate higher than normal release rate and high integrated release. A very high alarm on the integrated release is also provided to indicate the need for changing the filter.

It may be noted that, in case of a sudden increase in the release rate of iodine activity, while the response time for the new value to be indicated is (m.n) minutes, the trend of change is indicated at intervals of m minutes.

Provisions are made at the front of the processor unit to set the various instrument constants K1, K2, m and n and alarm settings for release rate and integrated release by means of thumb-wheel switches. This enables adjustment to optimum operation depending on response time and accuracy needed, observed sample and stack air flow rate etc. A four digit LED display enables read out of the set instrument constant alarm settings activating the release rate or the integrated release by selection. A printer with a unique char- drive mechanism forms part of the equipment and provides a permanent record of the data on activity released.

4.3 Tritium-in-air Monitor:

The development work was mainly focussed on detection of tritium-in-air in presence of a fairly strong and varying Argon-41 activity. The following three different approaches seemed promising and were experimentally evaluated.

i) Use of proportional flow counters
ii) Use of Tritium-in-Water Monitors
iii) Twin Ion Chamber approach.

A commercially available tritium-in-air monitor, based upon a proportional flow counter using beta particle range discrimination and anticoincidence technique, was imported for evaluation under conditions prevailing in RAPS. While this system had a fast response and good sensitivity, this approach was given up after some preliminary trials due to the following reasons:

i) Non-availability of Methane, which is the recommended counting gas, in India. The trials had to be performed with natural gas in the place of methane and the performance was not found to be satisfactory.
ii) Settlement of dust and moisture inside the chambers leading to a high memory and
iii) Problems arising out of the very high voltage required for operation.

A tritium-in-water monitor, based on a flow cell packed with thin plastic scintillator films, was developed in BARC. A tritium-in-air monitoring system was built based on this monitor and extraction of water from the air sample. This gave very encouraging results from the point of view of sensitivity and discrimination against Argon-41 activity. However, this approach also had to be abandoned as the response time, mainly due to the process of extraction of water from the air sample, was found to be unacceptably high. It was hence decided to make improvements on the currently employed system, based on a 40 litre ionization chamber.

The basic concept of the proposed system is shown in Figure 4. This method consists of dividing the air sample into two streams and then passing one air stream through an ion chamber which gives a current output proportional to (tritium + noble gas) activity. The other air stream is first passed through a dryer unit, where most of the moisture in air is removed, and then through another identical ion chamber. As most of tritium activity-in-air is expected to be present as HTO in the range of concentration of interest, output current of the second ion chamber is expected to be proportional only to the noble gas activity in air. The difference of these two outputs represents the tritium activity. The success of this technique depends upon how well the small difference of two large and varying quantities can be measured. This is achieved by introducing a fairly large time constant in the signal processing electronics to substantially reduce fluctuations in signals representing the ion chamber outputs. During preliminary experiments done at RAPS with a system as shown in Figs. 4 & 5, a tritium activity of 5 DAC could be reliably detected, when present along with Argon-41 activity equivalent to about 3000 DAC of tritium activity. Work is in progress towards the development of a single integrated chamber with two compartments, similar to a compensated chamber, with air inlets and outlets provided for both the compartments, to facilitate implementation of the above concept. A suitable activity integrator for measuring the total activity released, as described in Section 5-1, is proposed to be added after a satisfactory monitoring system is evolved and perfected.
The trials had to be performed be reliably detected, when present along with Argon-41 activity with natural gas in the place of methane and the per­ equivalent to about 3000 DAC of tritium activity. Work is In formance was not found to be satisfactory. progress towards the development of a single integrated chamber 11) Settlement of dust and moisture inside the chambers with two compartments, similar to a compensated chanber, with air in" ets and outlets provided for both the compartments,to facilitate leading to a high memory and implementation of the above concept. A suitable activity integ­ Hi) Problems arising out of the very high voltage rator for measuring the total activity released, as described required for operation. in Section 5-1, is proposed to be added after a satisfactory monitoring system is evolved and perfected.
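The twin ion chamber scheme described above, as an added simulation that is not from the original paper: it shows why a large time constant is needed to resolve 5 DAC of tritium against about 3000 DAC-equivalent of varying Argon-41. The 5 and 3000 DAC figures are from the text; the noise level, sampling interval, time constant, Argon-41 profile, complete HTO removal by the dryer and identical chambers are assumptions.

```python
import math
import random
import statistics

ARGON_DAC_EQUIV = 3000.0  # Argon-41 level from the text, in tritium-equivalent DAC
TRITIUM_DAC = 5.0         # tritium level from the text, in DAC
NOISE_SIGMA = 20.0        # ASSUMED per-sample fluctuation of each chamber output
DT_S = 1.0                # ASSUMED sampling interval in seconds
TAU_S = 1000.0            # ASSUMED time constant of the signal processing


def argon_level(t_s):
    """Constructed noble-gas profile: +/-15 % swing with a one-hour period."""
    return ARGON_DAC_EQUIV * (1.0 + 0.15 * math.sin(2.0 * math.pi * t_s / 3600.0))


def filtered_sigma(tau_s, sigma=NOISE_SIGMA, dt_s=DT_S):
    """Steady-state standard deviation of the filtered difference signal.

    A first-order low-pass filter with coefficient alpha = dt/tau scales the
    variance of uncorrelated noise by alpha / (2 - alpha); the difference of
    two independent chambers carries twice the single-chamber variance.
    """
    alpha = dt_s / tau_s
    return math.sqrt(2.0) * sigma * math.sqrt(alpha / (2.0 - alpha))


def simulate(tritium_dac, n_samples=20000, tau_s=TAU_S, seed=1):
    """Return (std of the raw difference, filtered difference at the end)."""
    rng = random.Random(seed)
    alpha = DT_S / tau_s
    filt_wet = filt_dry = None
    raw_diff = []
    for k in range(n_samples):
        noble = argon_level(k * DT_S)
        # Chamber 1 sees undried air: tritium (as HTO) plus noble gas.
        wet = tritium_dac + noble + rng.gauss(0.0, NOISE_SIGMA)
        # Chamber 2 sees dried air: noble gas only (ASSUMES full HTO removal).
        dry = noble + rng.gauss(0.0, NOISE_SIGMA)
        raw_diff.append(wet - dry)
        if filt_wet is None:
            filt_wet, filt_dry = wet, dry
        else:
            # Identical filters on both channels, so the common Argon-41
            # swing cancels in the difference.
            filt_wet += alpha * (wet - filt_wet)
            filt_dry += alpha * (dry - filt_dry)
    return statistics.pstdev(raw_diff), filt_wet - filt_dry


if __name__ == "__main__":
    raw_std, estimate = simulate(TRITIUM_DAC)
    print(f"raw difference scatter   : {raw_std:6.2f} DAC")
    print(f"filtered tritium estimate: {estimate:6.2f} DAC")
    for tau in (10.0, 100.0, 1000.0):
        print(f"tau = {tau:6.0f} s -> residual scatter {filtered_sigma(tau):5.2f} DAC")
```

The price of the large time constant is response time: the filtered output needs several time constants to settle after a step change.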

5. COMPLETE DESCRIPTION OF THE SYSTEM

While a multinozzle probe to cover a central region and four surrounding quadrants of the circular cross section of the stack is planned to be installed in stations under construction, backfitting of such an assembly in the stack of RAPS was not found feasible. Hence, a single penetration was made in the stack wall at an elevation approximately half the height of the stack and a tube is embedded to extend to the centre of the circular stack cross section. Stainless steel tube is used in view of its low plating factor for iodine. The sample flow rate is adjusted to provide for isokinetic sampling. The tubing run extends to an adjacent, specially constructed, activity monitoring room. The equipment for pumping the sample air flow and the other radiation monitoring systems are located in this room. Local air-conditioners are provided to control the ambient temperature of the room to provide for satisfactory functioning of the instruments.

Since pre-filtering is required prior to monitoring of iodine activity in order to remove the Radon Thoron progeny products, which may interfere with iodine monitoring, the particulate monitor is arranged to be first in the scheme, followed by the iodine, gross gamma and tritium monitoring systems. The complete system is shown in Figure 6. A completely redundant system of instruments is also provided so that uninterrupted operation is possible, even during maintenance of the equipment or during periods of change of filter for the iodine or particulate monitoring system.

The automatic air-sampling system and the building ventilation isolation logic are not linked with the stack monitoring system in RAPS. These are already provided at the Reactor Building exhausts separately for Unit-1 and Unit-2, based on triplicated duct-mounted gross gamma monitors. However, provision is made in the stack Activity Monitoring room to collect an air sample from the sampled air flow as and when desired, for laboratory analysis. Manual action from the control room, based on the information and alarm provided in the control room from the stack activity monitoring system, is deemed to be adequate.

6. CONCLUSION

The problems encountered in the measurement of inert gas activities, iodine activity and tritium activity released through the stack in RAPS are described and the considerations for the development of improved instruments outlined. The new approach provides for better accuracy of measurement of all the relevant radioactive parameters in the stack at one centralised place. The construction work in the station for the newly conceived stack activity monitoring system is completed and the earlier equipment used is installed in the room temporarily. Development prototypes of the stack inert gas monitoring system and iodine monitoring system as described in Section 5 are made and evaluated. Fabrication of new equipment for retrofitting in RAPS is in progress and this will replace the equipment temporarily installed in the station.

Thanks are due to S/Shri Ch. Surendar of PPED and T. Subbaratnam of BARC for their helpful suggestions and S/Shri A.R. Gore and P. Kumar of PPED for assistance in the preparation of this paper. The help rendered by the Control Systems Group of M/s Electronics Corporation of India Ltd., Hyderabad and M/s Situ Electro Instruments, Bombay in the development of prototypes as per our requirements is gratefully acknowledged.

FIG. 1 SCHEMATIC OF INERT GAS ACTIVITY MONITORING SYSTEM

FIG. 2 IODINE MONITOR ELECTRONICS UNIT BLOCK DIAGRAM

FIG. 4 TRITIUM IN AIR MONITORING - SCHEMATIC

FIG. 3 PARTICULATE MONITOR ELECTRONICS UNIT BLOCK DIAGRAM

FIG. 5 TRITIUM IN AIR MONITOR ELECTRONICS BLOCK DIAGRAM

FIG. 6 STACK ACTIVITY MONITORING SYSTEM FLOW DIAGRAM

IMPROVEMENT OF NUCLEAR POWER PLANT MONITOR AND CONTROL EQUIPMENT

Computer application backfitting

H. HAYAKAWA, A. KAWAMURA
Control and Electrical Engineering Department, Nuclear Energy Group, Toshiba Corporation, Tokyo

O. SUTO, Y. KINOSHITA, Y. TODA
Power Generation Control Systems Department, Fuchu Works, Toshiba Corporation, Tokyo

Japan

Abstract

This paper describes the application of advanced computer technology to existing Japanese Boiling Water Reactor (BWR) nuclear power plants for backfitting. First we review the background and the objectives of backfitting. Then the features of backfitting, such as the restrictions and constraints imposed by the existing equipment, are discussed, and we describe how to overcome these restrictions by introducing new technology such as highly efficient data transmission using multiplexing and compact, space-saving computer systems.

The role of the computer system in a reliable NPS is described, drawing on a wide spectrum of Toshiba's backfitting computer system application experience.

1. Introduction

About a decade has passed since the start of nuclear power plant commercial operation in Japan, and the control and instrumentation systems of the earlier plants are now entering a stage in which system deterioration demands a larger amount of maintenance work to keep these plants operating properly and safely. On the other hand, technology in the electronics field has experienced a very large advance during these ten years and is still growing very rapidly.

Computer systems and C&I systems are no exception to this trend, and some of the significant technology changes are: development of fast and highly integrated VLSI chips, realizing enhanced hardware capability and large memory capacity; optical data transmission highways utilizing multiplexing techniques, which allow high quality and high rate data transmission using much less cabling than before; development of high resolution color CRTs, enhancing plant monitoring through intuitive and integrated plant information displayed on them; intelligent high speed data acquisition systems; and development of software production techniques, which enable more powerful, complex and flexible software to be implemented, matching the increase in needs or requirements for the software functions. These two factors, system deterioration and technology advancement, combined with the sharp increase in functional requirements regarding plant status monitoring and control during these few years, have accelerated the computer application backfitting plans.

In this paper our experiences in nuclear power plant computer system backfitting and the role of computer systems in nuclear power plants are presented.

In chapter 2 the status and the problems of the existing plants are described. For realizing a reliable nuclear power station, the objectives of backfitting, the way of backfitting and its philosophy are given in chapter 3.

In chapter 4 the role of the computer system in a reliable NPS is described and our application systems can be found. The relation between the objectives of backfitting, technology and application systems is summarized in chapter 5.

2. Background

Recently the technology in the electronics field has experienced a very large advance during these ten years and is still growing very rapidly. Studies on human engineering are achieving useful results in man-machine interface, control room arrangement and alarming philosophy, such as categorized alarms and the use of color coding. Progress in automatic control theory and application systems has achieved automatic turbine start-up and shut-down in BWR plants.

After the TMI incident, the requirements on plant safety and operationability are increasing. New plants which have been recently designed can use the above new technology and satisfy the safety and operationability requirements.

However, it is not easy for the existing commercial plants and the plants under construction to satisfy the safety and operationability requirements stimulated by the TMI incident; they have many problems because they are old plants:

a. There are many manual operations
b. Lack of TMI countermeasure functions
c. Man-machine interface is not so good
d. Obsolete computers and control and instruments
e. Low plant availability because of long outage time

In such a situation backfitting is the key to upgrading the existing old plants and to having a more reliable nuclear power station.

3. Backfitting (to have more reliable NPS)

3.1 Objectives

The objective of backfitting an NPS is to have a more reliable NPS, and to improve the following factors:

a. Reliability
b. Availability
c. Safety
d. Maintainability
e. Operationability

The big differences between a newly constructed plant and backfitting of an old plant are the following:

a. The new plant can achieve the above objectives by the original design.
b. The old plant should achieve the above objectives through backfitting.

This is the feature and difficulty of backfitting.

3.2 How to realize

Several methods for realizing backfitting can be used, such as replacement of obsolete systems, introducing new systems, introducing new technology and upgrading of functions.

Application of computer technology, which has experienced great progress in recent years, has been one of the most powerful methods for fulfilment of the objectives given above.

But the difficulties lie in the interfacing between the new system and the old one; namely, the new system should fit the existing interfaces of the old system.

Restrictions and constraints imposed by the existing equipment, such as the necessity of cabling for additional monitor and control process inputs and outputs and the problems of available space, power supply and air conditioning, are the features of backfitting.

An important point is the fact that the backfitting work must be done during the periodical plant maintenance outage period.

This means that high level system engineering is needed for scheduling.

3.2.1 What to be considered

What is to be considered for backfitting derives from the features of backfitting to the existing plant mentioned above.

The following principal subjects are to be considered before backfitting.

(1) To make maximum use of existing facilities, interfaces, cables and sensors, minimizing the need for new buildings, walls etc.

(2) To provide a reliable computer facility, with reliable support systems (Uninterruptible Power Supply, Heating, Ventilating and Air Conditioning).

(3) To consider the technique or method for minimizing the work of alteration of existing panels and benchboards in order to take new inputs for the new systems.

(4) To keep system reliability high by adopting a factory combination test with the plant dynamics stimulator or such kind of tools, because at site the validation and verification test time and checkable items are very limited.

(5) To consider the next backfitting phase.

a. The life cycle of the NPS is over 30 years but that of the C&I system is about 10 years.
b. New technology makes the computer system smaller; more functions will be added in the same space as the previous computer system in the next backfitting.

3.2.2 Available Technology

New technology can make the nuclear power station more reliable, more available, safer, and easier to operate and to maintain.

Available and useful technology for backfitting is the following.

(1) Computer technology
a. Hardware innovation
b. Software engineering
c. Advanced peripherals

(2) Human Engineering

(3) Redundant System

(4) Robotics (Automation)

(5) Multiplexing Technology and Optical Fiber

In the computer hardware field, development of high speed and highly integrated VLSI (Very Large Scale Integrated Circuit) chips has realized enhancement of the space factor; that is, a spatially smaller computer can realize more enhanced functions than the old one. VLSI technology also brings larger memory capacity, which can store much more data and process it quickly. When backfitting new functions to an obsolete computer system, a new computer system which has sufficient capability to add new functions to the current functions can be installed in the area where the old one was.

Peripheral equipment of computer systems has also been developed. Using a CRT (Cathode Ray Tube) to display important parameters with a mimic piping diagram can improve the operator's monitoring of plant operation. The voice announcing device, which can speak preset phrases on demand of the computer, can inform operators who would not give attention to the information of the computer system through typewriter or CRT that, for example, the plant is suffering from an anomalous event.

In the computer software field, development of software engineering can realize more powerful, complex and flexible software to be implemented with high reliability, matching the increase in needs or requirements for the computer software functions.

On the other hand, the progress of human engineering has enhanced operator's monitoring ability through intuitive and could reduce operator's misoperations and misunderstandings. A CRT display that takes human factors well into account can let operators grasp the plant status easily and accurately.

Also, robotics and automation technology is useful for backfitting because it can replace conventional manual operation with newly sophisticated computerized automatic operation, and it can free the operators from simple repetitive work and reduce dosage.

Another innovation can be found in multiplexing and optical fiber. Optical fiber has many advantages, such as that it can reduce cabling space drastically and it is free from electromagnetic noise. This means that optical fiber is a powerful tool for backfitting.

4. Role of computer system in reliable NPS

The computer system is the key component for backfitting to have a more reliable NPS.

4.1 Role of computer system

Computer systems consist of high technology such as hardware technology, software technology and application software, and have achieved important roles in NPS as follows:

(1) Automation
Computer systems can replace manual operations with automatic operations.

(2) Bulk data gathering, editing, recording and analyzing capability
One feature of the computer is to be able to handle and process bulk data very quickly and accurately.

(3) Repetition of same simple (or complex) work
The computer can repeat the same action or processing any number of times accurately; this means simple repetitive operation can be replaced by the computer system. The computer does not make mistakes as humans do.

(4) Man-machine interface
Computer systems with advanced peripherals such as color graphic display, voice guidance and touch screen board improve the man-machine interface and reduce the operator's burden in grasping the entire plant status.

(5) Intelligency (value added of the computer)
The computer system can judge, act and process information. This is the most important feature of the system.

4.2 Application systems

The roles of the computer are described in the above section; in this section more detailed roles are discussed with a concrete computer application system.

For example, the automatic refueling machine is a computerized system which can refuel and shuffle automatically according to the preset procedure. The conventional machine without computer is driven by an operator who rides on the refueling machine above the reactor core. The automation function, which is one of the main roles of the computer, removes the operator from the radioactive environment and can refuel and shuffle rapidly and accurately. The time saving for refueling is sixty-five percent of manual, the manpower saving is fifty percent, and the radiation exposure is reduced to sixteen percent. Also, no misoperation has been realized. As refueling and shuffling is on the critical path of the plant outage schedule, the automatic refueling machine can shorten the plant outage time and can improve availability of the plant.

A typical example is discussed above; other application systems featuring computers are listed in Table 1. The relation between application systems and benefits is shown in Fig. 1. As shown, introduction of a computerized system brings many improvements. The DMS, for example, improves reliability, safety and operationability of the plant.

5. Conclusion

In summary, computer application systems for backfitting are described, and Fig. 2 shows the relationship of the objectives of backfitting, application computer systems and available technology.

Computer technology is growing at a rapid speed, especially in application software. Recently research and development on artificial intelligence and knowledge base systems is being carried out.

Application computer systems for NPS using artificial intelligence and knowledge base software will make NPS more reliable; for example, a high level plant diagnostic and operator guidance function with learning capability would help the plant operator very much.

In such a next backfitting stage, "more intelligency" and robotics will be introduced to the existing plants, and it will make NPS more reliable.

References

1. M. ICoh, et al., "Application of process computers and colour CRT displays in the plant control room of a BWR", Nuclear power experience, Vol. 4, IAEA-CN-42/297, 1983, pp. 329-342.

2. R. Yoshioka, et al., "Reactor operation and management", Toshiba Review, No. 120, 1979, pp. 10-13.

3. K. Niki, et al., "Development of computerized radioactive waste disposal system for BWR nuclear power plants", IEEE Transactions on Nuclear Science, Vol. NS-30, No. 1, Feb. 1983, pp. 842-846.

4. K. Hara, et al., "Automatic refueling platform system and automatic CRD remote handling system", IEEE Transactions on Nuclear Science, Vol. NS-30, No. 1, Feb. 1983, pp. 851-855.

5. A. Kawamura, "Toshiba new data acquisition and display system", presented at 6th international fair and technical meetings of nuclear industries Nuclex 81 in Basel, Switzerland, 1981.

6. T. Okada, et al., "Ultrahigh performance minicomputer, TOSBAC series 7/70", Toshiba Review, No. 128, 1980, pp. 29-34.

Table 1 Backfitting Systems (1)
Table 1 Backfitting Systems (2)

Methods Methods Backfitting Conventional Backfitting Conventional System Function System Function system system system system

DMS , Mimic display . Hardwired Computer Automatic Automatic refueling (Display & , Alarm message display logic CRT Refueling operation Manual Computer Monitoring . Detection of anomalous . Conven- Multiplexing Machine (Direct Digital operation operation System) conditions at the tional Control) non-scheduled shut- process Operation according down computer to the preset data . Stand-by Monitoring of ESS . Predetection of plant TOSREX . Data strings record­ abnormal condition (Toshiba dynamic ing before and after none . Computer analysis and the preset event (or pen . Printer RECording . Manual data record­ recorder) . CRT SPDS Minimum set of safety None Computer System) ing (Safety Para­ parameter display CRT meter Display Mimic display Optical fiber Cistern) Alarm message display (option) ARTREX (All Rod Timing . Measurement, re­ . Pen . Micro RECording cording and recorder processor System) checking appropriate­ . CRT Radioactive Mimic display ness of all rod Waste Disposal Alarm message display Hardwired Computer scram time Control & logic CRT Monitoring Detection of anomalous . Manual Sequence conditions at the operation controller IDT . CRT format genera­ non-scheduled shut-down (Intelligent tion by man-machine none . Desk with Automatically Display conversation CRT display of the Terminal) . On line data operating parameters display from the host computer (MODEM interface) Condensate Automatic operation Demineralizer Automatic regenera­ Hardwired Computer Automatic tion of the resin logic CRT Control Mimic display Manual Optical data Alarm and operation highway Monitoring Touch sensitive screen in

Fig. 1 Application systems (DMS, SPDS, R/W system, CON-DEMI system, automatic refueling, TOSREX, ARTREX, IDT) and objectives (reliability, availability, safety, operationability, maintainability)

Fig. 2 Scope of computer application backfitting in nuclear power plants.

EXTENSIONS AND RENOVATIONS OF REACTOR PROTECTION SYSTEMS

K. HELLMERICHS
Kraftwerk Union AG, Erlangen, Federal Republic of Germany

Session 3

EXTENSION AND NEW CONCEPTS OF C&I SYSTEMS

Chairman
H. ROGGENBAUER

Abstract

Increased requirements by the authorities as to the design of reactor protection systems have in recent years affected not only plants under construction, but have also resulted in partly extensive extensions and renovations. While working on the extensions and renovations a lot of problems arose:

- far-reaching performance of the newest guidelines and rules in spite of old plant concepts;
- partly higher degree of redundancy requirements of the new systems in contrast to the present systems;
- use of present safeguard systems for new accident countermeasures;
- designation of priorities between present and new functions, especially in view of the fault behaviour of present systems;
- adaptation of the new I&C equipment to the present signalisation, operation and information arrangements under consideration of the present operational philosophy;
- spatial incorporation of new equipment;
- construction as to time without extending the planned refuelling phases.

Because the KWU has planned and constructed such alterations in nearly 10 plants, a lot of experience has been gathered.

The development of the pressurized water reactors (PWR) as well as of the boiling water reactors (BWR) from the first commercial operating plants till today shows a continuity in the development of accident considerations and in the structure of the safety systems. Therefore the efforts to accommodate the plants with older status to the actual status at the time could be successful.

In recent years a lot of extensions and renovations of reactor protection systems have been planned or constructed, respectively will be designed, in which the Kraftwerk Union is participating especially in those plants which it constructed itself, with extensive lay-out performance and deliveries.

A review of these activities is shown in Fig. 1, in which you can find the PWR and BWR plants constructed by Kraftwerk Union and which are under operation since now.

A global impression of the scope of the extensions is derivable from the number of additional reactor protection cabinets.

But also in relationship with planned extensions of safety countermeasures in nuclear power plants of other manufacturers a lot of design performances have been realized, e.g. for the NPP Beznau and Muhleberg in Switzerland.

After this common overview of these activities in connection with extensions and renovations of reactor protection systems, in the following special problems shall be discussed using the example of PWRs.

At the beginning I would like to give you a definition of the reactor protection system, as it is in use in Germany. The important safety-related lay-out fundamentals for the reactor protection system are stated in detail in the KTA rule 3501, which complies with many international guidelines. In this rule the following definition is met:

"The reactor protection system is a system which monitors and processes the values of process variables relevant to the safety of the nuclear power plant and the environment in order to detect incidents and to initiate protective actions so that the condition of the nuclear power plant is kept within safe limits."

The reactor protection system includes, according to German interpretations, equipment for actuation of reactor trip and engineered safeguards (see Fig. 2). The important engineered safeguards for PWR are

- the residual heat removal
- the containment isolation
- the extra borating
- the emergency feedwater supply
- the relief station
- the emergency power supply

Since the reactor trip actuation is done by a lot of initiation criteria in older plants too, the backfitting measures refer mainly to engineered safeguard systems.

In the following Fig. 3 reasons are listed for extensions and renovations of reactor protection systems.

From technological views the following aspects led to extensions of reactor protection systems

- extended accident considerations referring to the TMI accident
- extended accident considerations referring to steam generator heating tube leakages
- erection of additional emergency systems against external events

and as a clear aspect of instrumentation and control devices

- renovation of old reactor protection equipment

The consequences of the 3 technological aspects on the safeguard systems are shown in detail in Fig. 5.

As a consequence of the TMI accident mainly the following measures were executed

- automatic cool-down of the primary coolant with 100 K/h via the main steam relief station
- automatic isolation of the accumulators
- additional feedwater supply of the steam generator by emergency feed systems.

To improve the accident countermeasures in case of steam generator heating tube leakages the following countermeasures were extended, which additionally are effective for accidents by external events:

- automatic controlled partial cool-down via the main steam relief station, that means analog control of the main steam pressure on a value below the set point of the main steam safety valves with the task to hinder a repeated actuation of the safety valves
- isolation of a fail-opened safety valve with the consequence of steam generator heating tube leakage and release of radioactivity to the environment.

These countermeasures will be actuated by accidents following external events to avoid steam generator heating tube leakages.

The additional countermeasures for external events such as

- emergency feedwater supply
- emergency power supply

replace safeguard systems which are not secured against external events, but these systems will be additional redundancy for internal accidents.

The improvements referring to the main steam relief station and the accumulators are an automation of formerly manual measures.

These problems shall be discussed in more detail by the example of KKU (NPP Unterweser), especially illustrated by considerations of external events and the main steam relief station.

The original layout during the construction of the plant provided no special systems to control accidents by external events. Correspondingly the actuation of the 1 x 50 1 safeguard system was done by a four-fold redundant reactor protection system A (signed with the redundancies A1 to A4 in Fig. 6) which was located in the switch gear building.

A main steam isolation, which was necessary for some internal accidents, was actuated by the reactor protection system A (redundancies A1 and A2 of steam generator 1). The secondary side heat removal was realized by the safety valve of the relief station, because the relief control valve and the relief gate valve were closed by main steam isolation signals from the reactor protection system. As a long time measure the gate valve had to be opened by manual command and the control valve actuated for controlled pressure limitation.

In a second layout phase, which was still realized during the plant construction, an additional emergency feed system for protection against accidents by external events was erected, which includes a second independent reactor protection system B, consisting of the redundancies B1 and B2 (Fig. 7).

This system was erected with spatial separation from the reactor protection system A, so that in the case of an external event only one of the two systems could be destroyed. Because the systems inside the reactor building and the relief station could not be destroyed by external events, the heat removal could be done by emergency feed and the relief station.

For main steam isolation by the reactor protection system B in the case of external events the main steam isolation valve received additional solenoid valves and additional control commands B1 and B2 from system B. Besides, the control valve received an additional gate valve with the control command B1 from system B. The heat removal after main steam isolation was ensured by the safety valve.

According to these technological advices it was possible to erect 2 independent reactor protection systems.

The glance into the technological modifications in relationship to extensions which was given in the first part of the lecture was necessary for a better discussion of the problems of I+C extensions and modifications, which mainly refer to structures and organisation of reactor protection systems. First of all the extensions of existing reactor protection systems, respectively the erection of additional reactor protection systems, were a result of extended automation of accident countermeasures in the actuation level. An extension of the initiation level for existing countermeasures was realized only in exceptional cases and can be realized as a backfitting measure without special problems, because there is no influence on structures and organisation of reactor protection systems.

Modifications and extensions only refer to reactor protection equipment, but not to switch gears and safeguard components.

But extensions in this field lead to problems relative to the erection of additional equipment, because the collaboration of old and new systems, in the safeguard systems as well as in the safety I+C systems, has to be perfect and necessitates priorities. These problems are shown in Fig. M.

In the following cases the erection of independent reactor protection systems is possible:

- if for the additional countermeasure an independent safeguard system or independent safeguard components are foreseen. In the design phase it should be considered to use no components for new countermeasures which already receive commands from an existent reactor protection system.
- if this is not possible it should be preferred to have the same direction for the commands of the existent and the new reactor protection system. In these cases only I+C problems in collaborating of the commands of two different equipments could arise, but a special priority control is not necessary.

If such a solution is not possible, and it is necessary to control a component by the existent respectively by newly erected reactor protection systems into opposite positions, the erection of new equipment is only possible if there are determined clear priorities.

The greatest requirements arise if countermeasures against external events have to be erected but commands of an existent reactor protection system have to operate on the same component. If the existent reactor protection system is remaining in that area which can be destroyed by external events, the regulation of the priorities is necessary in that way that the commands of the reactor protection system which is located in an area secured against external events have the higher priority.

If such a priority is inadmissible for internal accidents, there remains no other possibility than to renovate this countermeasure in the new reactor protection system in the secured area to have a protection against spurious initiation.

The consequence of this transfer is that the degree of redundancy of the new reactor protection system is at minimum the same as that of the existent system. This can result in a lot of consequences in the design of the additional reactor protection system, because all requirements for the existent system have to be fulfilled by the new system too, although the requirements for the new additional countermeasures are smaller.

The above explanations showed that the technological concept is very important for the problems and solutions of the design of extensions and modifications of reactor protection systems. At the end let me make some remarks about special I+C views.

As already mentioned before, for some backfitting solutions it is necessary to build priorities between separate reactor protection systems and to have a protection against spurious initiation. For these aspects KWU developed special electronic circuits.

In a second pnase of KKu-backfitting which will be designed The organization of additional safety related I • C is shown at time, improvements of accident countermeasures against in Fig. 9 steam generator heating tube leakages shall be provided. It is postulated that in the case of steam generator heating Priority modules are attached to the control interface of pumps tune leakage in coincidence with loss of power supply a safety and valves, which connect signals with different priorities valve of the relief station remains in the open position from various reactor protection system or other safety related (see Fig. 8). I + C equipment. For control of this accident an additional gate valve in the Additionaly they allow manual commands either from the main steampipe to the safety valve is foreseen, which shall be control room or an emergency control room, depending on a closed in the case of an open remaining safety valve. selection switch.

The pressure limitation will be done by the relief control The priority modules insure that for example in case of external valve, with an analog controller which will be actuated by events the necessary countermeasures from a secured reactor high steam pressure and control the steam pressure to a protection system and necessarily following up manual commands valve below the setpoint of the safety valve. from the emergency control room :an be executed without in­ This contermeasure originally is necessary for an internal fluences of the destroyed parts of the plant. event. Because of spurious signals from the reactor protection Manual interventions into the reactor protection system, for system can influence countermeasures for external events in example commands for bridgings or memory reset are secured a not tolerable manner it is necessary to place this equipment against spurious signals by a special coded release. This into a building secured against external events. Therefore the release Is a binary coded signal which cannot be fail reactor protection system C with the redundancies CI ... Ct actuated by external events with a very high probability. is foreseen for this KKU-backfitting phase. So the reactor protection system C is an integrated system which fulfills An other advantage of ;he organaization of I+C backfitting tasks for accidents initiated by internal and external events. measures shown in Fig. 9 is, that the erection and the start up of the additional equipment can be done during normal plant operation. Only the insertion of the existant reactor protection and normal operational commands in) o the prepared de­ coupling and signal accommodation interface is necessary Kniiwwtm Unton during shut down phases. This cari be executed in a very short time, for instance during refueling. date of KM) scope of KUU plants RPS-cablnets Short interupticns of normal operation should be one main c (Missioning Layout aspect for extensions and renovations. 
KHO 1968 * 16 Obrlghela KKS Stade 1972 - KCB 1973 * 7 As conclusion it can be confirmed that extensions and Oorssele (Netherlands) renovations of reactor protection systems require the Blblis A / 0 197* -76 * 7 clearification cf a lot of problems which can lead GKN 1 1976 « 1 to very different solutions, but which depend In a great Neckarwesthela manner on technological improvements and postulated Z KKU 1978 X20 conditions of the accident philosophic. Untemeser KKU Gdsgen (Switzerland) 1979 - Experiences with plants which started again for a longer time with important extensions and renovations show KK6/BAG Grafenrhelnfeld 1981 - that backfitting measures can be executed in short shut down phases and with positive consequences for the MM Huroassen 1972 » IS following plant operation. KKB Brunsbtlttel 1976 a 20 • KKI Isar 1977 » 1 KXP 1 Phillppsburg 1979 -

Scope of RPS extensions by KMI Flo. 1
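The priority handling and coded release described in the Kraftwerk Union paper above can be illustrated with the following added example, which is not KWU's circuit and not code from the paper. The source names, the ranking below the secured reactor protection system, the 8-bit release pattern and the function names are assumptions made for the illustration.

```python
from typing import Dict, Iterable, Optional, Tuple

# Assumed ranking, highest first. The paper states only that the reactor
# protection system located in the secured area must have the higher priority;
# the position of manual and operational commands is an assumption.
PRIORITY = ("rps_secured", "rps_existing", "manual", "operational")

RELEASE_CODE = 0b10110100  # constructed 8-bit pattern for the coded release


def release_valid(word: int) -> bool:
    """Accept the coded release only as the exact binary pattern, so a line
    stuck at all zeros, all ones or a single set bit enables nothing."""
    return word == RELEASE_CODE


def resolve(commands: Dict[str, str],
            manual: Optional[Tuple[str, str]] = None,
            selector: str = "main",
            bridged: Iterable[str] = (),
            release_word: int = 0) -> Optional[str]:
    """Return the command ('open', 'close' or None) passed to the component.

    commands:     active source -> 'open' or 'close'
    manual:       (control_room, command) or None
    selector:     control room whose manual commands are accepted
    bridged:      protection sources the operator asks to bridge
    release_word: value seen on the coded release input
    """
    active = dict(commands)
    # Manual commands count only from the control room chosen by the switch.
    if manual is not None and manual[0] == selector:
        active["manual"] = manual[1]
    # A bridging is honoured only together with a valid coded release.
    if release_valid(release_word):
        for source in bridged:
            active.pop(source, None)
    # The highest ranked active source decides; opposite commands from
    # lower ranked sources are ignored.
    for source in PRIORITY:
        if source in active:
            return active[source]
    return None


if __name__ == "__main__":
    # Constructed case: the existing system in the unsecured area spuriously
    # demands 'open' while the secured system demands 'close'.
    print(resolve({"rps_existing": "open", "rps_secured": "close"}))
    # Constructed case: release line stuck at all ones, bridging is refused.
    print(resolve({"rps_secured": "close"}, manual=("emergency", "open"),
                  selector="emergency", bridged=("rps_secured",),
                  release_word=0xFF))
```
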

[Text of Fig. 2:]

Technological aspects

- extended considerations of accidents as a consequence of the TMI accident
- extended considerations of accidents with regard to the steam generator heating tube leakage
- erection of additional systems for countermeasures against accidents by external events

I+C aspects

- replacement of old I+C systems by new ones with better reliability and test comfort

RPS = Reactor Protection System

Fig. 2. Reasons for Extensions and Renovations of Reactor Protection Systems

[Fig. 3. Technological Reasons of Reactor Protection Extensions. Columns: TMI consequences; steam generator heating tube leakage; external events; improvements. Entries: main steam relief station (automatic cool down of the primary coolant with 100 K/h; automatic partial cool down, steam pressure control to a value below the safety valve set point; isolation of a faulty opened safety valve; automation of formerly manual countermeasures); accumulators (automatic isolation of the accumulators); emergency feed of steam generators (additional feed system; higher degree of redundancy for internal incidents); emergency power supply (additional power supply systems)]

problem                                      consequence

control of independent systems               erection of independent reactor protection
control of independent components            systems is possible
control of common components
into the same direction

control of common components                 erection of independent reactor protection
into opposite direction                      systems is only possible, if there are clear
                                             priorities between the reactor protection systems

spurious initiation is inadmissible          security against spurious initiations by
(e.g. as consequence of external events)     erection inside of secured areas

Fig. 4. Cooperation of existing and additional Reactor Protection Systems

[Fig. 6. Atmospheric Relief Station, Variant 1]

[Fig. 7. Atmospheric Relief Station, Variant 2]

[Fig. 8. Atmospheric Relief Station, Variant 3]

[Kraftwerk Union block diagram of existing and additional I+C; labels: existent control for normal operation; existent reactor protection system; additional reactor protection systems; additional control for manual operation; decoupling and signal accommodation (against spurious signals)]

AUTOMATIC DETECTION AND ANALYSIS OF NUCLEAR PLANT MALFUNCTIONS

R. BRUSCHI, P. DI PORTO, R. PALLOTTELLI Simulator Service, Comitato Nazionale per la Ricerca e per lo sviluppo dell'Energia Nucleare (ENEA), Rome, Italy

Abstract

In this paper a system is proposed which dynamically performs the detection and analysis of malfunctions in a nuclear plant. The proposed method was developed and implemented on a Reactor Simulator, instead of on a real one, thus allowing a wide range of tests. For all variables under control, a simulation module was identified and implemented on the reactor on-line computer. In the malfunction identification phase all modules run separately, processing plant input variables and producing their output variable in Real-Time; continuous comparison of the computed variables with plant variables allows malfunction detection. At this moment the second phase can occur: when a malfunction is detected, all modules are connected, except the module simulating the wrong variable, and a fast simulation is carried on, to analyse the consequences.

Introduction

Malfunction Detection "Diagnostic"

Each module runs in Real-Time, following the scheme of fig. 2. It works in a completely independent way, by processing only plant variables (with the exception of the output feedback). Malfunction fast detection is carried out by comparing plant variables with those computed by the model, following the scheme of fig. 3.

Modules and plant operate with the same input variables; for this reason a computed variable will disagree with the corresponding real variable when the plant transfer function is modified, that is when a malfunction occurs.

Several techniques have been tested to validate the difference between computed and real variables. The flow-chart of fig. 4 shows the selected method. With this method a malfunction is detected not only by observing the differences between computed and plant variables, but also by analysing their derivatives, in order to avoid false alarms. In Fig. 5 the flow-chart of Diagnostic is shown.

Malfunction Analysis "Previsional"

When a malfunction is detected through the difference between real and computed variables, as shown before, the "Previsional" phase can apply. It can run both automatically and under operator's request. In the predictive phase the same simulation modules, as in "Diagnostic", are used, but with two important differences.

- Modules are connected as shown in fig. 6. In this way, on the plant computer a Simulator is realized, which starts from the Initial Condi

Data will be presented as follows. In normal conditions - "Diagnostic" - all controlled variables are shown, with their plant and computed values, in blue colour. When a malfunction is detected by "Compare", the wrong variable values become green, and, after a confirmation time, they become red. At this moment "Previsional" starts running. On the video +, - and = signs will appear under the controlled variables, as a first trend indication. On operator request PTIME prevision values will also be printed.

The proposed methods were implemented and tested on a Nuclear Reactor Simulator, instead of on a real plant; the PEC Reactor Simulator was utilized. PEC (Prova Elementi di Combustibile - Test of Fuel Elements) is a 120 MWth experimental Fast Breeder Reactor under construction by the Italian Atomic Organization (ENEA).

The PEC Simulator is characterized by:

- Principal Operator Console exact replica;
- Plant represented by a mathematical model of 400 differential equations, with 50 msec minimal integration step;
- Package implemented on SEL 32/77 system;
- Multipurpose instructor desk;
- Foxboro FOX 2/30 on-line computer.

Implementing and testing the proposed techniques on a Simulator instead of on a real plant allows us to apply and verify them in any possible malfunction. Their validity on the real plant must obviously be verified, but it will depend essentially on the reliability of the Simulator itself.

Let us conclude by presenting an example. Fig. 8 shows the controlled variables in a steady state condition, with the following meaning (see fig. 9):

WRI1    PRIMARY INLET FLOW RATE NORTH
WRI2    PRIMARY INLET FLOW RATE SOUTH
WRO1    PRIMARY OUTLET FLOW RATE NORTH
WRO2    PRIMARY OUTLET FLOW RATE SOUTH
WXP1    IHX PRIMARY FLOW RATE NORTH
WXP2    IHX PRIMARY FLOW RATE SOUTH
WEP     EMERGENCY CIRCUIT PRIM. FLOW RATE
AHV     REACTOR VESSEL COOLANT LEVEL
AHCV    COMPONENTS VESSEL COOLANT LEVEL
AHX1    NORTH IHX COOLANT LEVEL
AHX2    SOUTH IHX COOLANT LEVEL
VRP1    NORTH PRIMARY PUMP VELOCITY
VRP2    SOUTH PRIMARY PUMP VELOCITY
ASS1    NORTH PRIMARY PUMP ABSORPTION
ASS2    SOUTH PRIMARY PUMP ABSORPTION
TCV     COMPONENTS VESSEL COOLANT TEMPERATURE
TXPO1   NORTH IHX OUTLET COOLANT TEMP. PRIMARY
TXPO2   SOUTH IHX OUTLET COOLANT TEMP. PRIMARY
TXSO1   NORTH IHX OUTLET COOLANT TEMP. SECONDARY
TXSO2   SOUTH IHX OUTLET COOLANT TEMP. SECONDARY

Assume a supply fault in a primary cooling circuit pump (see fig. 9). It will be detected by "Diagnostic" and signaled both by the difference between plant and computed variable of the pump velocity, and by a colour change on the screen. "Previsional" will then furnish the data of fig. 10, which can be compared with those of fig. 8 to estimate consequences. Reliability of "Previsional" can be verified by comparison with the evolution of real variables recorded in fig. 11.
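The "Diagnostic" and "Compare" steps described above can be demonstrated with the following added example, which is not code from the paper: each controlled variable has its own module fed with plant inputs, and the residual between plant and computed value drives the blue, green and red display states. The first-order module, the thresholds, the use of a residual rate limit as the derivative test, and the constructed pump signals are assumptions; the 50 msec step, the variable names and the 117.0 steady-state pump velocity are taken from the text.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

DT = 0.05  # s; the 50 msec integration step quoted for the PEC simulator


@dataclass
class Module:
    """Simulation module for one controlled variable (assumed first-order lag)."""
    gain: float
    tau: float
    y: float

    def step(self, u: float) -> float:
        # Explicit Euler step of y' = (gain * u - y) / tau
        self.y += DT * (self.gain * u - self.y) / self.tau
        return self.y


@dataclass
class Compare:
    """Residual check with a derivative test and a confirmation time."""
    eps: float             # residual magnitude that counts as disagreement
    max_rate: float        # fastest residual change the process can produce
    confirm_samples: int   # samples a disagreement must persist to turn red
    prev_r: float = 0.0
    count: int = 0

    def update(self, plant_value: float, computed_value: float) -> str:
        r = plant_value - computed_value
        rate = abs(r - self.prev_r) / DT
        self.prev_r = r
        # A jump faster than the process allows is treated as a bad sample,
        # not as a malfunction; this is the assumed use of the derivative.
        if abs(r) > self.eps and rate <= self.max_rate:
            self.count += 1
        else:
            self.count = 0
        if self.count == 0:
            return "blue"
        return "red" if self.count >= self.confirm_samples else "green"


def run_diagnostic(max_rate: float = 20.0, steps: int = 400,
                   fault_at: int = 200, spike_at: int = 80) -> Dict[str, List[str]]:
    """Run both pump-velocity modules beside a constructed plant signal and
    return the display colour of each variable at every sample."""
    nominal = 117.0  # steady-state VRP1 / VRP2 value listed for fig. 8
    names = ("VRP1", "VRP2")
    plant = {n: Module(nominal, 2.0, nominal) for n in names}
    model = {n: Module(nominal, 2.0, nominal) for n in names}
    checks = {n: Compare(1.0, max_rate, 20) for n in names}
    history: Dict[str, List[str]] = {n: [] for n in names}
    for k in range(steps):
        if k == fault_at:
            # Constructed supply fault: the plant transfer function changes,
            # the module keeps the nominal one and sees the same input.
            plant["VRP1"].gain = 0.9 * nominal
        for n in names:
            measured = plant[n].step(1.0)
            if n == "VRP1" and k == spike_at:
                measured += 5.0  # constructed one-sample instrumentation spike
            computed = model[n].step(1.0)
            history[n].append(checks[n].update(measured, computed))
    return history


def first(colours: List[str], colour: str) -> Optional[int]:
    """Index of the first sample shown in the given colour, or None."""
    return next((k for k, c in enumerate(colours) if c == colour), None)


if __name__ == "__main__":
    h = run_diagnostic()
    print("VRP1 green at sample", first(h["VRP1"], "green"),
          "red at sample", first(h["VRP1"], "red"))
```

With the rate test disabled (`max_rate=float("inf")`) the spike alone already turns VRP1 green for one sample, which is the kind of false indication the derivative analysis is meant to suppress.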

[Fig. 1: block diagram; labels: REAL-TIME CLOCK, ACTIVATION, DIAGNOSTIC, PREVISIONAL, COMMON AREA, CRT, OPERATOR KEYB.]

[Figs. 2 and 3: schemes of a module and of the comparison between plant and model; labels: PLANT VARIABLES, PLANT TRANSF. FUNCTIONS, MODEL TRANSF. FUNCTIONS, Var C1 ... Var Cn]

[Figs. 4 and 5: flow-charts of the selected comparison method and of DIAGNOSTIC; labels: READ PLANT VAR., MODULE 1 ... MODULE N, CALL COMPARE, MALFUNCTION, UPDATE VIDEO, CALL PREVISIONAL, REAL-TIME SYNCHR., STOP]

[Figs. 6 and 7: module connection and flow-chart of PREVISIONAL; labels: START, SET PREVISION-TIME, K = 1, MALF. VARIABLE, EXTRAPOLATION, MODULE(K) RUNNING, K = K+1, VARIABLES OUTPUT, STOP]

Fig. 8. STEADY STATE VALUES

WRI1     WRI2     WRO1     WRO2     WXP1     WXP2     WEP
314.4    314.4    314.4    314.4    314.4    314.4    20.2

AHV      AHCV     AHX1     AHX2
-3.213   -3.970   -3.356   -3.356

VRP1     VRP2     ASS1     ASS2
117.0    117.0    150.0    230.0

TCV      TXPO1    TXPO2    TXSO1    TXSO2
399.4    399.2    399.7    495.7    493.9

Fig. 10. PREVISION FOR 3 MIN. REQUESTED BY DIAGNOSTIC

WRI1     WRI2     WRO1     WRO2     WXP1     WXP2     WEP
289.7    327.0    308.3    308.3    308.6    308.6    70.3

AHV      AHCV     AHX1     AHX2
-3.222   -3.963   -3.337   -3.337

VRP1     VRP2     ASS1     ASS2
112.9    116.9    231.8    230.1

TCV      TXPO1    TXPO2    TXSO1    TXSO2
398.3    397.8    398.4    493.3    493.7


REVIEW OF SAFETY RELATED CONTROL ROOM FUNCTION RESEARCH BASED ON EXPERIENCE FROM NUCLEAR POWER PLANTS IN FINLAND

K. JUSLIN, B. WAHLSTRÖM
Technical Research Centre of Finland, Espoo

E. RINTTILÄ
Imatran Voima Oy, Helsinki

Finland

Abstract

A comprehensive human engineering research programme was established in the second half of the 1970's at the Technical Research Centre of Finland (VTT). The research is performed in cooperation with the utility companies Imatran Voima Oy (IVO) and Teollisuuden Voima Oy (TVO) and includes topics such as Handling of alarm information, Disturbance analysis systems, Assessment of control rooms and Validation of safety parameter display systems. Reference is also made to the Finnish contribution to the OECD Halden Reactor Project (Halden) and the Nordic Liaison Committee for Atomic Energy (NKA) research projects. In this paper feasible realisation alternatives of safety related control room functions are discussed on the basis of experience from the nuclear power plants in Finland, which at present are equipped with extensive process computer systems. A proposal for future power plant information systems is described. It is intended that this proposal will serve as the basis for future computer systems at nuclear power plants in Finland.

INTRODUCTION

There are two PWR and two BWR power plants in Finland. The PWR plants are operated by the utility company Imatran Voima Oy (IVO) and the BWR plants are operated by Teollisuuden Voima Oy (TVO). The units are operated as base load units and the refuelling periods are allocated to the summer. The PWR plants have been in operation since 1977 and 1980, and the BWR plants since 1978 and 1980. Investigations have been made regarding the feasibility of a fifth nuclear power plant.

THE REPLACEMENT OF PRESENT BLOCK COMPUTERS

The plants are equipped with both conventional instrumentation and extensive process computer systems. The computer systems include process diagram displays, trend curves, and event and alarm annunciation. They have no safety related functions. The control rooms are equipped with conventional instrumentation for control of safe shut-down, which is duplicated to emergency control places.

In fact it is possible to operate the plants without the process computers, but in the daily work of the operators they are a valuable source of information. The information is more easily and in more condensed form obtained from the VDU's than from the conventional process oriented mimics.

The centralized block computers include the process computers, the front end computers, and dedicated computer systems. To ensure high availability, watch dogs for automatic switching-over to stand-by equipment are used. The main reason to change the block computers is related to the maintenance problems. The vendors are not always supporting their old computer versions with spare parts. Further, neither hardware maintenance nor programming courses are arranged. The teaching of new personnel will rely on the utility companies themselves.

The PWR plant computers were designed in the late 1960's and their limited capacity is nowadays almost fully utilized. Larger software extensions are impossible without a replacement of the computers.

The prospective replacements of the block computers will primarily be performed so that there will be as little as possible changes in the operator interface. The existing functions are transferred to the new computer installations. Provision will of course be made for additions and future development of the functions.

The BWR plant process computers may be replaced by new versions of the same vendor systems. The programs, which mainly are written in high level language, can be copied to the new systems. Only small modifications are needed.

Regarding the PWR computer systems, the replacement will cover most of the systems. The intention is not to touch the wirings from process to data concentrators. All the computer functions have to be reprogrammed in high level language, which is the main effort.

The increased performance of the new process computers enables a staged introduction of new functions, which had not been possible to realize to the same extent with the old computers. On the other hand the present functions are so versatile that there is no immediate need for large updating. For instance the features of NUREG 0696 regarding display of certain safety related parameters and their trend curves are easily accomplished by the present systems.

For the PWR plants some filtering of the alarms by suppression of unnecessary signals has been suggested and could be realized even with the present computer installation.

It is felt that it is important that the presentation of information is consistent in all displays and reports of the process computer system. In all operation situations, including severe disturbances, the operator should be able to work with the same familiar tool. All displays should form an integrated system. For instance a safety parameter display system on a separate computer system is not preferred. A future endeavour to make the process information data base available outside the control room in a technical support center is more convenient to realize with an integrated computer system. The process computers and the front end computers should be from the same vendor and programmable in high level language. The computers should use a standard well tested operational system with possibilities to add more processors in future if more computational capacity is needed. The data concentrators need not be programmable but they could be 1E qualified to simplify possible later connections of safety related signals.

POWER PLANT INFORMATION SYSTEM

The following proposed features are intended for future power plant information systems, but could be included also in present or renewed systems if they are considered feasible.

The display units

The video display units include the following features:

- fully graphic (all pixels addressable),
- more than 16 selectable colours,
- large displays,
- high resolution (1000*800 pixels),
- no flickering,
- a set of hardware graphic functions is included to ensure fast time responses,
- touch-screen capabilities,
- function keyboards.

Display units are needed also outside the control room, especially easily movable plug in units.

The display formats

Basically the present process and instrumentation diagrams, selectable trend curves and alarm list formats can be displayed. Some supplementary features are included in the process diagrams as shown in figure 1 /1/:

- important events and functions, main variables from the plant and neighbouring systems could be collected in standard portions of the display to minimize the need to change pages,
- active plant protection signals, loss of supply voltage with names of supply, and similar signals could be displayed where they cause consequences,
- failed functioning of controllers and automatics might be displayed correspondingly,
- the severity of critical safety functions could be illustrated and reference could be made to relevant help pages or paper documents,
- also critical availability functions could be presented,
- the complexity of the display could normally be reduced by suppressing unnecessary details, which could be recalled by operator or by certain events.

Other useful display formats are diagrams of controls, automatics and interlocks with on line updated analog and digital signal values.

To the display could be included a set of operational instructions with easy methods to find information on a specific subject and to change pages.

The trend curves could be extended with dotted predictions made by an on-line simulator and with an updating rate of several minutes. Possible deviations from the predicted values are caused by operator manual actions or faults in instrumentation or process equipment. Instead of simulation also static reference curves stored from previous similar situations, as for instance a turbine trip, could be used.

Less important alarms should be normally suppressed from the alarm list if they are a simple consequence of other alarms. But on request it should be possible to display all alarms or all alarms related to a specified sub-system.

The present chronological event reports on printer should be possible to get on the display too. Possibility to replay should be arranged by snapshots. Other required reports are:

- report of effective operational restrictions due to safety requirements; the operational restrictions could also be displayed on xy-plots of the process state,
- report of deviations from a named operational plant state. The predefined plant states include for instance valve positions and permitted limits for measured process values.

The use of colours

The main intention of the use of colours is to present the state of a component. Peaceful pastel colours should be used for process components in normal state of operation and the colours should be consistent with the process component type. In figure 2 a proposal for the use of colours is shown. Brown indicates that a component is in maintenance. Yellow indicates warning and half intensity yellow indicates recommended support to return the failed availability. Red indicates alarm and pink indicates support to return a safe state.

Calling the displays

A hierarchical display system is needed. The display hierarchy should be flexible to soften the dividing up of the process into different displays and to get a more parallel way of presenting the process. In figure 3 a display structure developed at VTT is shown. It comprises three process levels and an additional help level. The first level includes

- safety displays,
- alarm displays,
- availability displays with help displays of operational limits,
- preplanned procedures,
- maintenance procedures,
- economy displays.

The second level includes

- main process diagrams,
- shut down and start up displays,
- historical trend data.

The third level includes process subsystem displays with a help level of

- dynamic displays of availability, controllers, interlocks, automatics and electricity feed,
- subsystem start up and shut down,
- measuring values and identification codes.

It is possible to call up a display by symbol or number or by the use of the hierarchy structure

- forward or backward at same level,
- up or down in hierarchy,
- return to top level or to previous display.

Off line operations

The stand by computer could be used to make several off line operations. The interactive computer aided functions of database updating, display design, core calculation, statistical report generating, and operator guide updating should not require deeper knowledge of the computer systems.

The data base can be updated, signals added and removed, and definitions can be changed. The process signal definitions include the following data:

- identification and short definition,
- hardware and common addresses,
- scaling parameters and alarm limits for analog signals,
- required history definitions,
- status word including maintenance information,
- time when last updated by the data concentrator.

There should be efficient tools to build and update display formats. Special function keyboards or touch screen keyboards with predefined process symbols can be used. Simple procedures to link process signals to the display formats should be provided.

Slow motion replay of event log and scanning of selected events are usable features. Easy means to define procedures for on line generation of special purpose logs with selected variables and collection times should be included.

Performance calculation programs for reactor and plant, and possible simulation programs are run on the stand by computer.

Time responses

The following maximum time responses and resolution intervals are recommended:

- generation time for a new display 2 s and of previous display 1 s,
- updating of display information 1 s,
- resolution time for digital signals within 5 ms,
- analog data updating rates from 10 Hz to 0.1 Hz,
- alarm displays 2 s.

Provisions for expert systems

The expert system is an example of future operator support systems. Provisions should be made for gradual construction and increasing use of a knowledge base for an expert system interface. The expert system could support the decision making of the operators by a sequence like the following in a specific situation:

- making the diagnostics,
- searching for different corrective alternatives,
- trying those alternatives on a plant or subprocess simulator working faster than real time,
- checking that the operational goals are fulfilled,
- making recommendations of operation or sequence of operations available to the operator,
- presenting the criteria why the presented alternative was chosen.

In complicated dynamic processes plain logical evaluation of causes and consequences is difficult to make without the help of a dynamic simulator.

RECENT RESEARCH PROJECTS

VTT has participated in the Nordic cooperation funded by the Nordic Liaison Committee for Atomic Energy (NKA) /2/.

The construction of the NORS simulator sited in Halden has been a joint effort by Oy Nokia Electronics, IVO, the OECD Halden Reactor Project and VTT /3/.

Experimental validation of a SPDS concept has been performed in a joint project between Combustion Engineering Inc., HALDEN, IVO and VTT /4/.

A control room design review has been made in cooperation with TVO and VTT. A pilot assessment study was carried out applying NUREG-0700 and NUREG-0801 when appropriate. The NUREG-0700 checklist is not directly applicable to the Finnish situation and is merely directed to an assessment of details than of the overall function structure of the control room /5/.

The possibilities of reducing the alarm information have been examined in cooperation with IVO and VTT /6/.

In a VTT funded project on graphical information presentation and in several cooperation projects between VTT and the utility companies the role of visual information in comprehending the essential dynamics of the process has been studied /7/.

/1/ Kautto A.M.T., How to illustrate the information of a complex process via displays, NKA/LIT workshop on artificial intelligence in control of complex systems, Denmark, Risø, April 1983.

/2/ Wahlström B., Rasmussen J., A Nordic cooperation in the field of human factors in nuclear power plants, IAEA, International conference on nuclear power experience, Austria, Vienna, Sept. 1982.

/3/ Karppinen J., Stocka E., The large scale research simulator NORS for man machine systems development, IFAC workshop on modeling and control of electrical power plants, Italy, Como, Sept. 1983.

/4/ Wahlström B., Smidt Olsen H., Rinttilä E., Meijer C.M., Experimental validation of an operator support system using a training simulator, IAEA, International symposium on operational safety of nuclear power plants, Austria, Vienna, 1984.

/5/ Norros L., Ranta J., Wahlström B., Assessment of control rooms of nuclear power plants, Technical Research Centre of Finland, Research Reports 184, Espoo, 1983.

/6/ Kukko T., Rinttilä E., Hakkonen L., Reduction of alarm messages in nuclear power plant control room, IAEA specialists meeting on systems and methods for aiding normal and abnormal conditions, Hungary, Balatonaliga, October 1983.

/7/ Kautto A., Norros L., Ranta J., Wahlström B., Visual information in improving the acquisition of process feeling, IFAC/IFIP Symposium on new techniques in ergonomics, France, Valenciennes, 1983.

[Figure 1, areas of the display: NAME OF DISPLAY; connection to the preceding (sub)system; key variables of the displayed (sub)system; connection to the next (sub)system; failed automatics and cause of failure; safety functions; control area; subsystem area; function for use for components, controllers and automatics. Marked items: the location of the present display; the location of a disturbance in terms of safety/availability and warning/alarm; displayed when relevant; displayed on request]

Figure 1. The structure of a process diagram display.

Colour                   Purpose

bright blue              steam phase and components
dark blue                water phase and components
violet                   components in electrical system
bright green             normal dynamical information for steam
dark green               normal dynamical information for water
blue green               normal dynamical information for electricity
yellow                   warning (availability)
red                      alarm (safety)
half intensity yellow    support to return the failed availability
pink                     support to return the process to safe state
brown                    component in maintenance
half intensity brown     fixed text

Figure 2. The use of colours on the displays.

121 First process. Safety, preplanned maintain­ ttvtl l critical alarms availability economy J procedures ability Sub-goals functions

Help level bad data prognosis

historical ta

Third process level Subsystems

Help display level

inter­ identifica­ shut-down start up availability Jl_ controllers measuring tion codes dynamical dynamical locks values of a of a dynamical dynamical statical dynamical subsys '-•» subsystem

Figure 3. The hierarchical display system structure.

MODIFICATIONS NEEDED TO OPERATE PWR's PLANTS IN G MODE

J.P. STAINMAN
Service de la production thermique,
Electricité de France,
Paris, France

Abstract

The production of electricity from PWR nuclear plants represents ?? % of the total production of electricity in France for 198?, and 68 % of the electricity produced by thermal power plants (127 TWh over 187 TWh).

These data show clearly that the French PWR plants do not work in "base mode" any more but have to fit production with consumption, in other words to assume the frequency control.

To participate permanently to the load follow and frequency control, it appeared that some improvements in the field of pressurizer level and pressure control were necessary as well as in the field of operator aids computer.

It should be noted that these improvements are useful even without taking into account the constraints due to load follow and frequency control, because of the mechanical stress in the CVCS piping for instance. Some additional tests are planned to better identify this specific problem.

The need of a more flexible operating mode than the one given by the initial system (black control rods), significantly reduced in 1973 due to the application of the ECCS criterion, led EDF and Framatome to develop a new operating mode (G mode) allowing a faster power escalation (5 % PN/mn) whatever the fuel burn-up.

This new operating mode improves significantly also the flexibility of operation when the frequency control is needed, and helps a lot the operators in such cases. All the 900 MWe nuclear plants will be able to operate in "G mode" before the end of 1984.

The 1300 MWe P.P., of which Paluel 1, the first of a kind, will be synchronised in 1984, are equipped to be operated in "G mode" from the initial start up. Their capabilities have been improved, keeping the same level of safety, in comparison with the 900 MWe plants in changing fundamentally the reactor protection system. Regarding the 900 MWe plants, the reactor protection system is based on the limits of power distribution; concerning the 1300 MWe plants a sophisticated instrumentation (very precise neutron detectors, control rods position measurement, SPUD) allows the immediate calculation of physical parameters such as DNBR or FQ. The precise knowledge of all margins, in real time, allows to operate the plants in better conditions.

INTRODUCTION

Electricity production of a nuclear origin in France has been substantially increased over the last few years, representing 50 % of total national electricity production for all sources, and 66 % of total production by thermal means, in 1983.

The PWR power stations, originally operated as base stations, are now required to make an active contribution to real-time adjustment of the production-consumption balance. In 1983, nuclear production exceeded demand for some 1200 hours, and 700 load adjustment cycles were executed for all units in service. We anticipate that the total will reach 2500 hours in 1984, and could rise to more than 5000 hours in 1986.

Participation in daily load matching and frequency-power adjustment made it necessary to undertake a certain number of complementary supporting studies. Furthermore, it has been necessary to make certain improvements to the installations, principally in the field of regulations of pressure and pressuriser level, and assistance in operation. It should also be noted that improvements to the regulation systems are beneficial, quite independently from the constraints resulting from participation in load adjustment action. These improvements make it possible to achieve a marked reduction in the constraints to which certain zones of the NSSS are subjected (charging line connection on the primary circuit, and spray and surge pressuriser lines).

At the time of boiler design, the selected control mode (A-mode), using highly absorbent control rod clusters ("black" clusters), made it possible to achieve the fastest power gradients. The resultant flux distortion could be substantial, but remained compatible with contemporary safety criteria.

The appearance of the ECCS criterion in 1973 reduced the authorised operating range considerably, which led to reduce the manoeuvrability of the PWR units. This became insufficient to allow optimum operation of French production resources, as soon as the major share of total production was obtained from nuclear sources.

EDF consequently requested FRAMATOME to develop a control mode offering better performance, and to provide for adaptation of this mode to the boilers then being built. This led to the birth of G-mode, using control rod clusters with less absorbent characteristics ("grey" clusters), and the corresponding operating device ("DMA" increased manoeuvrability device). These are now fully operational, and in service on two units for more than a year. Generalisation to all 900 MW reactors will be implemented before the end of 1984. It should be noted that this device is incorporated as original equipment in the 1300 MW units, the first of which (PALUEL 1) will be coupled to the grid this year.

We shall now examine the following points, in the order indicated :

- grid requirements, defining the degree of flexibility which the nuclear boilers must provide,

- modifications applied for the purpose of participation in daily load matching and frequency-power adjustment, using the original control mode (A-mode),

- modifications applied for the purpose of improving boiler operational flexibility (G-mode and DMA device).

II - PERFORMANCE REQUIRED FROM NUCLEAR BOILERS

Examination of the forecast daily load curves enables us to define representative load modulation programmes, which can be required of the nuclear units, to achieve an approximate production-consumption balance. This relates essentially to variable amplitude and duration night load adjustment, accompanied by a second modulation cycle during the afternoon, on the last days of each week.

The load variation rate required for economic management of production resources is approximately 1 to 2 % of nominal power per minute.

Furthermore, the production units must also participate, in real-time, in precision adjustment of the production-consumption balance :

- primary frequency-power adjustment makes it possible to ensure the existence and stability of a balanced state for the complete interconnected European grid, more or less instantaneously as a result of automatic action. A margin of at least 2.5 % of power off-take must be left to the automatic control system,

- secondary frequency-power adjustment, also referred to as remote adjustment, because managed by a single control system for the complete national grid. The state of balance provided by the primary function is adjusted to 50 Hz, ensuring compliance with interconnection programmes.

The power output by the production units participating in this task can vary automatically within a pre-defined range, on either side of the value set by the operator.

The adjustment half-range required for each unit is between 3 and 5 % nominal power, and the normal maximum resultant load variation rate is 1 % nominal power per minute.

When the margins allocated to the remote adjustment system have been fully absorbed, it may be necessary to reconstitute these margins by real-time correction of the operating programme established for certain production units. In the event of major difficulties in grid operation, the load variation rate required may approach 3 % of nominal power per minute.

III - MODIFICATIONS APPLIED FOR PARTICIPATION BY NUCLEAR UNITS WITH A-MODE CONTROL, IN DAILY LOAD MATCHING AND FREQUENCY-POWER ADJUSTMENT

3.1. ACHIEVABLE PERFORMANCE AND OPERATING CONSTRAINTS

a) Load following

When reactor power variations occur, the reactivity balance is modified by the power effect, the action of which is instantaneous, and the xenon effect, the action of which is progressive.

These variations must be compensated at all times, by action on the control rod clusters and/or soluble boron, as also on the temperature of the moderator.

Temperature variations can only be authorised within certain tight limits, in order to restrict resultant mechanical stresses. The use of the control rod clusters is highly limited, in order to comply with safety criteria. In the case of the A-mode control involving the use of highly absorbent "black" clusters, the use of these clusters is limited in practice to the control of axial power distribution.

The greater part of reactivity adjustment must therefore be obtained, in the event of high amplitude load variations of the load matching type, by action on the soluble boron :

- boration during load reduction to compensate the power effect,

- dilution during the low-power steady period, to compensate xenon evolution,

- dilution during the load escalation period, again to compensate the power effect.

The dilution efficiency decreases in the opposite way with fuel burning, so that the maximum possible load escalation rate decreases between the start and the end of fuel cycle from about 2 to 0.3 % PN/mn. The capacity for fast power return is limited to about 20 % of nominal power.

Experience shows that the PWR units are perfectly capable of modulating output to meet grid requirements, within the performance limits authorised by the original control mode (A-mode). These limits are nevertheless insufficient to meet optimum cost requirements.

Furthermore, it should be noted that load matching operations require manipulation of a let down orifice, to match dilution flow to actual need. This produces substantial thermal stresses on the charging line connection on the primary circuit. As a result of regenerative heat exchanger design, which is planned to replace in due course, as a consequence of insufficient exchange characteristics, operation of a let down orifice produces a temperature variation of about 40 °C on the connection under static conditions, this variation increasing by an additional 30 to 70 °C under transient conditions.

Stress calculations made during the design phase only authorise a limited number of fluctuations during NSSS lifetime, and operation in the load matching mode under the original conditions could lead to stresses exceeding the limits of design values.

b) Frequency-power adjustment

Power variations result from automatic action, and adjustment of reactivity by modification of the soluble boron concentration level, which requires operator action, cannot be envisaged. Experience shows that the ΔIref ± 5 % control rule is just compatible with operation in the adjustment mode, using a remote adjustment participation half-range corresponding to 3 to 4 % of nominal power during the first third of the fuel cycle, then increased to 5 % PN during the following operating time.

If we consider the impact of adjustment on the mechanical performance of the primary circuit, fluctuations in reactor power induce fluctuations in pressuriser level. These can lead to fluctuations in load output in the primary circuit. As has already been mentioned, these cause temperature fluctuations in the hot water reinjected into the primary circuit, increasing the thermal stresses applied to the charging line connection on the primary circuit. It is essential for most of the fluctuations to remain below a threshold value of 20 °C, this being the temperature used for event accounting.

3.2. MODIFICATIONS APPLIED

a) Control of pressuriser level

Modifications have therefore been applied to pressuriser level control. The modifications involved are as follows :

- anticipated action on charging flow in the event of detection of a let down flow variation, without waiting for variation of pressuriser level. This action makes it possible to achieve marked transient attenuation if a let down orifice is operated,

- reduced level controller gain for small level variations,

- improved definition of the pressuriser level set point. The average primary temperature used to define the level set-point does not correspond strictly to constant mass operation, as the cold circuit and hot circuit volumes are different. The absence of correction can therefore lead to modifications of charging flow which are not normally necessary.

The efficiency of these modifications has been demonstrated by tests carried out on different PWR units. Where these modifications have not been applied, the inservice behavior of the charging line connection on the primary circuit cannot be guaranteed for the full lifetime of the unit, even in the absence of participation in adjustment action. Furthermore, these modifications make it possible to envisage extension of the average primary temperature control dead-range, without unacceptable resultant stresses on the primary circuit. Temperature fluctuations are reduced from 25 °C to about 5 °C for an enlarged dead-range of a factor 2.

This arrangement would make it possible to improve possibilities for participating in frequency adjustment operations at the beginning of fuel cycle, and would also increase operating comfort.

b) Computer-assisted control

The performance of a PWR unit in the load matching mode is conditioned, as we have already seen, by the execution of boration or dilution operations selected by the operator. Inaccurate estimation of the quantities to be injected, or injection times, can result in limiting performance to a level below that achievable, which is already insufficient as we have seen.

Consequently it is planned to equip the 900 and 1300 MWe PWR units with a computer-assisted control capability.

A system of this type is already in service on the two FESSENHEIM units, and generalisation to all units will be implemented in the near future.

An axial neutron calculation model is used for permanent irradiation, xenon and iodine axial distribution calculation, by acquisition of essential parameters characterising reactor core status. It is then possible to carry out forecasting simulation at any time. The system provides for interactive conversation between the operator, who describes the load variation programme which he wishes to implement, and the model, which defines the sequence of boration and dilution operations to be executed (injection volumes and times). The criteria adopted ensure strict compliance with technical operating specifications, better control of power distribution, and minimum production of liquid waste.

IV - MODIFICATIONS APPLIED FOR THE PURPOSE OF IMPROVING OPERATIONAL FLEXIBILITY : G-MODE AND DMA DEVICE

4.1. FUNCTIONAL DESCRIPTION

G-mode was designed to allow compensation of reactivity variations resulting only from power effect, using the control rod clusters. In order to minimise perturbation of axial and radial power distribution, and ensure compliance with safety criteria, the clusters used ("grey" clusters) have a neutron absorbent efficiency below that of conventional "black" clusters. The two types have 8 and 24 absorber pencils respectively.

Insertion of the clusters is slaved to operating power, so as to provide strict power effect compensation. This arrangement makes it possible to obtain return to full power at a maximum rate of 5 % of nominal power per minute whatever the degree of fuel burn-up.

Four groups of rod clusters are used, inserted in an overlapped configuration so that axial offset remains as constant as possible, at all power levels. Cluster groups with increasing neutron absorbent efficiency are used for this purpose. The two first groups are respectively composed by 4 and 8 "grey" clusters, and the two others by 8 "black" clusters.

All groups are extracted at nominal power, and insertion of the "black" clusters only starts below 60 % of nominal power. The insertion law of control groups must be updated at periodical intervals during the fuel cycle.

Boron is only used to compensate slow reactivity variations due to xenon effect, and fuel burning.

An independent temperature monitoring system controls a group of 8 "black" clusters (group R) which is used to realize fine reactivity adjustment, and assists the power control groups in the case of fast transients. Furthermore, it is used to control axial power, within certain limits. An operating range is allocated, the height of which is restricted in order to reduce impact on power distribution. It is dimensioned to compensate xenon level variations resulting from operation in the frequency adjustment mode. The temperature control system also compensates the effects of frequency control, when amplitude is less than 2,3 % of nominal power, which is not applied to the power control system in order to minimise loads applied to the adjustment cluster control mechanisms.

On the other hand, remote control is applied in full to the power control system.

As with A-mode, compliance with the LOCA limit makes it necessary to hold the operating point inside a predetermined power/axial power difference range. Compliance with the limits of this range is ensured by an automatic control system, which reduces turbine load when necessary.

4.2. MODIFICATIONS APPLIED

While awaiting completion of development of this new control mode, the PWR units were equipped with "grey" clusters for the future G-mode, these clusters being used for the shutdown function. The units were later equipped with a cluster control device, providing for operation in A or G-mode. The change over and requalification request a 2 days outage. The interest of this device was that it prepared the PWR units for G-mode operation, while awaiting test results obtained on a first unit and authorisation from the safety authorities.

Adaptation of initial equipment mainly consists on the addition of a sixth static power supply in order to move clusters (ESP). As a matter of fact, six sub-groups, representing 24 control clusters, can be operated simultaneously.

The power compensation cluster setpoint is generated and tested by a specific logic (DMA logic). Highly sophisticated hardware is used for this purpose.

The principle of this control system, based on the precise position of the clusters, and the existence of a direct interface between turbine and reactor power, has led to significant amplification of functional requirements relating to the accuracy and reliability of the electrical signals involved.

Experiments were carried out with a boration/dilution automatic control device during G-mode operating tests. The strategy applied does not involve any anticipated action, this being particularly suitable for G-mode, as the boron is only used for compensation of effects whose kinetic evolution is relatively slow. The control strategy developed, backed up by experience, assigns a ΔI control function to the temperature control group (group R).

The (ΔI - ΔIref)/group "R" position range can thus be broken down into three zones : boration, dilution and neutral zone. Range limits are constantly updated according to operating power level.

The automatic control device executes necessary operations directly, taking due account of special operating conditions which can require specific action (blockage, time delay and modulated actions). This system makes the operator free of responsibility for frequent boration or dilution operations, accompanying the load matching function. The operator is thus available to supervise general operation of the PWR unit, and this eliminates the random factors inherent in human intervention.

4.3. PRACTICAL OPERATING EXPERIENCE

After 15 months operation using G-mode, the operating balance is apparently in line with forecasts, from the point of view of control, equipment stresses and waste production. In particular, it has been possible to verify manoeuvrability, which is significantly better than that of A-mode :

- load escalation can be achieved at a rate of 5 % of nominal power per minute, whatever the degree of fuel burning. This performance should be compared with that of conventional power stations, for which the figure is about 1,7 % of nominal power per minute,

- the PWR units are capable of participating in the frequency adjustment function, with a remote control half-range corresponding to 5 % of nominal power, without operator intervention.

The task of the operator during load matching operations is consequently alleviated, as power distribution control is now partially intrinsic.

The addition of the boration/dilution automatic control device should make it possible to obtain fully automatic control of the unit during load variations.

Thus the performance level of NSSS and turbine become now quite the same. This operational flexibility now allows any real-time modification of the load programme for the nuclear stations, enabling the operation responsible people to achieve optimum management of the generation-transmission system.

BACKFITTING POSSIBILITIES OF PROCESS INSTRUMENTATION DURING PLANNING, CONSTRUCTION OR OPERATION OF NUCLEAR POWER PLANTS

G.E. KAISER, R.R. SCHEMMEL
Brown, Boveri & Cie, AG, Brown Boveri Reaktor GmbH, Mannheim, Federal Republic of Germany

H.D. WARREN
Babcock & Wilcox Co., Lynchburg, Virginia, United States of America

1 Introduction

The necessity for backfitting existing C & I equipment in nuclear power plants arises as a result of new licensing requirements being imposed or through a need for improved performance as experience with operating plants becomes available.

These changes arise either because additional process variables need to be monitored; improved sensors need to be installed (to increase safety or operating margin); more directly sense the processes; or to address concerns in signal conditioning, control algorithms, control system strategy, or safety system design.

This paper discusses examples of backfitting experiences on existing plants and some being developed for future improvements.

2 Example of Improving Plant Operating Margin for PWR Mülheim-Kärlich Plant

Every secondary side heat balance core power estimate utilises feedwater mass flow as a parameter. This is normally implemented through a complete analog measurement string which accepts a Venturi differential signal, along with pressure and temperature, and then through a function generator or calculating module produces a signal proportional to mass flow:

* " CVenturi/

This requires a number of modules and is limited in accuracy to ±2 %. Modifying the data acquisition method so that the Δp, P and T signals are measured directly, and the mass flow digitally determined, provides a measurement more than twice as accurate. This method reduces the uncertainty in determining core power from a secondary side heat balance from 1,8 % to 0,8 % of full power.

In Germany the primary side enthalpy difference is normally determined with thermocouples which sense absolute temperature. On the Mülheim-Kärlich plant a differential temperature measurement was backfitted utilizing RTDs with one differential temperature transmitter. With this new measurement the uncertainty in the primary side heat balance was reduced from ±5 % to 1,2 %. Figure 1 presents the resultant improvements accomplished with these two backfitting changes.

3 An Example of a Backfitting Requirement in an HTR

During construction of THTR 300 (a gas cooled graphite moderated high temperature reactor power plant in Germany) a mass flow measurement in the primary system was required in an IAEA Safety Guide DB quality. This meant the measurement had to be direct and the measuring channels had to be designed in a redundant way. The six helium coolant circulators had already been fabricated, but not yet installed, when it became necessary to design a flow measurement. The circulators and their motors are under helium atmosphere within the prestressed concrete reactor vessel (PCRV) with the nominal operating conditions

- coolant temperature T = 245 °C
- pressure p = 40 bar
- the total design mass flow of one of the six circulators is q = 8,2 kg/s = 29550 kg/h
- the volume flow is qn = 165 574 m³/h.

The problem was to locate a position within the primary system, where the whole mass flow passed, and to install a retrofittable measurement technique. A position was found in the radiation shield plugs between the core and the circulators. Each of them has an inner ring-formed input channel and an output channel divided into six sectors along an outer ring.

Pitot tubes could not be used because of unknown streaming and pollution by graphite. Therefore the six output channel sectors were modified to include classical Venturi tubes with a characteristic of opening m = (d/D)² = 0,595 to produce a Δp of 38 mbar at design flow (Figure 2).

Because the circulators were not yet installed it was possible to calibrate the venturies with forced air flow. In order to obtain a similar to operational Reynolds number, the calibration mass flow exceeded the mass flow in operation. In-place testing during later start-up testing confirmed that the measurement met the design goals.

In this way in a rather late state of plant construction 6 x 2 x 3 Venturi tubes could be provided to satisfy all requirements, which were put to reactor safety system sensors: two measuring systems with three tubes at each circulator.

4 An Example of PWR Possibility for Future Backfitting - Saturation Temperature Detector (STD)

With the experience gained from the TMI-2 accident it became clear it was necessary to better monitor the thermodynamic state of the primary system coolant in a PWR.

Although inadequate core cooling exists only when the core is actually (partially) uncovered, a risk arises if there is no longer a saturation margin and the reactor coolant enters into a two-phase condition with natural circulation interrupted.

Since then many measurement concepts have been proposed to measure the appropriate system parameters such as approach to saturation (subcooling margin). Although instrumentation has already been backfitted into operating plants, or the design for plants under construction, this state of the art instrumentation is indirect and inaccurate in such a way that operators must ambiguously infer existing system conditions.

In response to this a new saturation temperature detector has been developed with an accuracy and sensitivity to unambiguously indicate to the operator if he is approaching a condition of a risk of inadequate core cooling.

The saturation temperature of a PWR to date is not directly measured but determined from a pressure measurement. Inaccuracies in the pressure measurement, along with the comparison to an existing primary temperature measurement, can introduce errors in determining margin to saturation of up to 8 K under normal conditions, and of 10 K up to 30 K under accident conditions (see Figure 3).

The saturation temperature detector (STD) described in [1] and [2] provides a means to directly measure the saturation temperature of a system, independent of its thermodynamic state, and determine margin to saturation with a measurement uncertainty of less than a few degrees.

Inside a small pressure vessel (Figure 4), which is connected to the reactor coolant via a pressure sensing line, the medium (primary system water) is heated to near saturation by means of heater in order that the vessel remains full but within the margin to saturation measurable by a Steam Water Interface Detector [1, 3] (SWID). The heater power is controlled to maintain an equilibrium between heat input and heat losses while maintaining the system (STD) slightly subcooled.

The SWID used for this purpose distinguishes (the medium at its location) between steam, subcooled water, and saturated water. In addition the SWID directly measures the subcooling margin (within the STD) when less than 5 K subcooled. The temperature which is measured in the water volume of this pressure vessel (by means of a resistance temperature detector) is, after correction with the SWID signal, the saturation temperature (Tsat) of the reactor coolant at the corresponding pressure (P).

To control the STD to maintain a full and nearly saturated system under steady state, the SWID detector is installed at a certain distance above the heater. As shown in Figure 4 heating energy is controlled in such a way that it just compensates for the heat loss through thermal radiation off the surface of the pressure vessel. If the STD is overly subcooled, full heater power is provided until a saturation margin of only a few K exists. With this condition the heater energy is automatically reduced to the necessary equilibrium level. In this operating mode the heater power is dependent upon pressure and margin to saturation. With stationary reactor coolant pressure and with the heater energized the water level will remain full. If the pressure in the primary system drops significantly the water level decreases as the water flashes due to the enthalpy change and evaporation due to heat input from the walls.

In the event of rapid pressure transients (or anytime a steam/water mixture is detected) the heater is turned off, and the pressure vessel radiates off heat and becomes cooler. The steam bubble then becomes smaller, the pressure drops, cold coolant from the pressure line is admitted and the water level rises. As soon as the steam/water detector indicates subcooling, the heater is again turned on. The detector is designed so that for all design transients the water level remains above the SWID, and the indicated temperature, after correction through the SWID signal for the few degrees subcooling, will be the exact system saturation temperature.

Through analyses and bench testing the STD design has been optimized for

- SWID setpoints along with heater power and control logic
- geometry to optimize phase separation during fast pressure decreasing transients
- water inventory to metal mass ratio
- water inventory to SWID elevation
- insulation thickness
- measurement of saturation temperature.

The STD is an excellent candidate for future backfitting because

- the simplicity of design makes it less expensive than existing margin-to-saturation systems
- it can easily be installed (similar to a pressure transmitter)
- the improved accuracy provides a measurement which can be used as the:
  - basis for shutting off or starting RC pumps or regulating HP injection flow
  - safety system initiations based upon loss of subcooling margin
  - basis for determining secondary side saturation temperature (from superheated steam pressure) for comparison to primary temperature to distinguish overcooling and overheating transients.

5 An Example of Expanded Applications for Incore Instrumentation

5.1 State of the Art

A probable area for backfitting in the future involves a more extended use of incore detectors for protection, control, and monitoring. Fixed self-powered incore detector systems have been developed which, with the large data base [3] now available, can be utilized, through software or hardware backfitting, to improve the plant operating margins.
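The heater control and read-out rules of the saturation temperature detector described above, written out as a small state machine. This is an added example, not code from the paper or from the STD designers; the 3 K target margin, the pressure-rate threshold, the handling of saturated-water and steam readings, the sample readings and all names are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Medium(Enum):
    """What the SWID reports at its elevation inside the STD vessel."""
    SUBCOOLED_WATER = "subcooled water"
    SATURATED_WATER = "saturated water"
    STEAM = "steam"


class Heater(Enum):
    FULL = "full power"
    EQUILIBRIUM = "equilibrium power"  # just balances the vessel heat losses
    OFF = "off"


SWID_RANGE_K = 5.0         # from the text: SWID resolves subcooling below 5 K
TARGET_MARGIN_K = 3.0      # assumption standing in for "only a few K"
FAST_DROP_BAR_PER_S = 0.5  # assumption: rate treated as a rapid transient


@dataclass
class Reading:
    medium: Medium
    subcooling_k: Optional[float]  # SWID subcooling; None when above its range
    rtd_temp_c: float              # RTD in the water volume of the vessel
    dp_dt_bar_s: float             # pressure rate seen on the sensing line


def heater_command(r: Reading, previous: Heater) -> Heater:
    """Return the heater mode for one reading, following the described rules."""
    # Rapid pressure drop or steam at the SWID: heater off, vessel cools down.
    if r.medium is Medium.STEAM or r.dp_dt_bar_s <= -FAST_DROP_BAR_PER_S:
        return Heater.OFF
    if r.medium is Medium.SATURATED_WATER:
        # Assumption: no margin left, so power is never raised; after a trip
        # the heater returns only once the SWID indicates subcooling again.
        return Heater.OFF if previous is Heater.OFF else Heater.EQUILIBRIUM
    # Subcooled water from here on.
    if r.subcooling_k is None or r.subcooling_k > TARGET_MARGIN_K:
        return Heater.FULL      # overly subcooled: full heater power
    return Heater.EQUILIBRIUM   # within a few K: hold the equilibrium level


def saturation_temperature(r: Reading) -> Optional[float]:
    """RTD temperature corrected with the SWID subcooling, or None if invalid."""
    if r.medium is Medium.SATURATED_WATER:
        return r.rtd_temp_c
    if (r.medium is Medium.SUBCOOLED_WATER and r.subcooling_k is not None
            and 0.0 <= r.subcooling_k <= SWID_RANGE_K):
        return r.rtd_temp_c + r.subcooling_k
    return None  # SWID out of range, or steam at the SWID: no valid read-out


def margin_to_saturation(t_sat_c: Optional[float],
                         t_primary_c: float) -> Optional[float]:
    """Subcooling margin of the reactor coolant against the STD read-out."""
    return None if t_sat_c is None else t_sat_c - t_primary_c


def run(readings: List[Reading]) -> List[Tuple[Heater, Optional[float]]]:
    """Step the controller over a sequence of readings (assumed cold start)."""
    state = Heater.FULL
    trace = []
    for r in readings:
        state = heater_command(r, state)
        trace.append((state, saturation_temperature(r)))
    return trace


# Constructed readings: heat-up, steady state, depressurisation, recovery.
SCENARIO = [
    Reading(Medium.SUBCOOLED_WATER, None, 300.0, 0.0),
    Reading(Medium.SUBCOOLED_WATER, 4.0, 340.0, 0.0),
    Reading(Medium.SUBCOOLED_WATER, 2.0, 342.5, 0.0),
    Reading(Medium.STEAM, None, 335.0, -1.0),
    Reading(Medium.SATURATED_WATER, None, 330.0, -0.1),
    Reading(Medium.SUBCOOLED_WATER, 1.5, 327.0, 0.0),
]

if __name__ == "__main__":
    for heater, t_sat in run(SCENARIO):
        print(f"{heater.value:18s} Tsat = {t_sat}")
```
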

Self-powered neutron detectors (SPNDs) that have rhodium (Rh) emitters are used in many pressurized water reactors as power shape monitors. The SPND signal is normalized to reactor power by comparison to a calculated thermal reactor power using indirect measurements and heat balance methods. A typical reactor has SPNDs positioned throughout the core to measure such quantities as quadrant power tilt, axial power imbalance, and the total distribution of power within the core.

The signal-to-flux proportionality factor changes with increasing exposure, because the sensitivities of the SPNDs to neutrons decrease with exposure. After correction for background, the signal from a Rh detector is further corrected for this sensitivity depletion and the Rh detector signals are then proportional to local neutron flux densities at the emitter locations.

The neutron sensitivity of a Rh detector operation as part of an incore monitoring system in a PWR is continuously corrected for depletion by a plant on-line computer. The correction is based upon empirical data that defines sensitivity as a function of electric charge released from the detector (which is a function of integrated neutron exposure to the detector). The accuracy of the correction is directly related to the accuracy of the empirical data (once normalized). Existing depletion data on B + W detectors permit using the Rh detectors for over 7 years [4].

5.2 Reactor Power Verification

The large data base (over 350 detectors in a B + W plant) and years of experience enable an excellent correlation of the corrected Rh-SPND signal to core power and therefore extended applications.

Several B + W plants have been backfitted with plant computer software changes to use the SPND incore calculated core power as an independent means of long term thermal reactor power verification. A generic problem in many plants is long term degradation of the feedwater flow Venturi, resulting in a false high estimate of core power through heat balance methods (from 1 to 5 %, see Figure 5). Utilization of the independent SPND method can prevent this resultant reduction in maximum allowable power operation.

By backfitting a system utilizing the direct prompt-delayed incore monitoring of core power, instead of monitoring indirectly with out-of-core neutron detectors, operating margin power peaking penalties (through estimations and observability limitations) can be greatly reduced (see Figure 6).

5.3 Power Limit Control System

To date protection and control system measurements have utilized only prompt responding out-of-core detectors.

A B & W design being built by BBR in Germany uses SPND incore detectors in a Power Limit Control System which was backfitted into the design of the Mülheim-Kärlich plant. The system was designed after a licensing requirement to improve plant safety by spatially monitoring the core power density distribution to effect local protection through a power reduction when local flux profile setpoints (ECCS and DNBR initial condition limits for kW/m and power peaking) are exceeded.

Using the incore detectors greatly reduces the observability limitation and allows monitoring axial power distribution limits and DNBR power peaking limits more directly. At 17 different radially spaced fuel assembly locations (center and four per quadrant), and 7 different axially separated core elevations, the local power, axial offset, and azimuthal imbalance limits are monitored by SPNDs with a unique setpoint for each monitoring location. Calibration data for the detectors are provided from the on-line computer. Along with reactor power from the out-of-core detectors, and the primary system pressure, temperature and flow, the appropriate location setpoints and margin are determined through the following algorithm:

Setpoints:

SP (J, L) - ^ • DLISP (J, L)

Where:

SP (J, L)     Setpoint for LDBS string J at level L
LHR           Limiting heat rate determined from (0, P, f, P)
MHR           Measured heat rate from calibrated SPNDs
DLISP (J, L)  Segment power for LDBS string J level L

Margin:

M (J, L) =

Where:

M (J, L)       Margin for LDBS string J, Level L
DLISP' (J, L)  Segment power for LDBS string J, Level L.

Fig. 1: Improvements in the uncertainty in calculating Reactor Power with different heat balance methods. (Plot against Reactor Power (%).)

Primary Side:
- Q (T): primary side heat balance from absolute temperature (RTD) and measured flow
- Q (ΔT): primary side heat balance from direct temperature (RTD) difference and calibrated flow

Secondary Side:
- Q (m): secondary side heat balance from measured feedwater flow
- Qsec (ΔP): secondary side heat balance from measured venturi ΔP, P and T

Fig. 2: Backfitted differential pressure measurement (Venturi tube) in the radiation shield plug of a helium coolant circulation in a HTR. (Labels: coolant inlet; coolant outlet to the core; outlet to the circulator.)

Fig. 3: Saturation Temperature Detector (STD) and typical Subcooling Meter (from P and T): measurement error comparison. (Range of typical subcooling margin uncertainties against primary system pressure / bar, for STD (Tsat) combined with TC in primary system (T from separate transmitters, ΔT calculated) and for STD (Tsat) combined with RTD in primary system (direct ΔT measurement).)

Fig. 4: Operating Principle for the Saturation Temperature Detector (STD): a) Principle, b) SWID/Heater Control Logic.

Estimate of RPS Power Peaking Penalties

Penalty                                  Traditional RPS   Prompt Incore RPS
Xenon Transient                          5%                0-5%
Rod Bow, Densification, Manufacturing    5%                5%
Fuel Burnup Distribution                 5%                0%
Measurement Uncertainty                  8%                8%
Model Uncertainty                        7%                2%
Observability Limitations                15%               5-15%
Total Margin Loss                        45%               20-35%

Net Gain: 10-25%

FIG. 6.

Fig. 5: Error in heat balance and resultant influence on power level operation of a typical PWR plant. (Plotted against operating time over a number of fuel cycles.)
1 Plant instrumentation indicated power: calibrated by core power estimate from secondary side heat balance or primary side with recalibrated flow signal (based upon secondary side).
2 Actual core power and estimate from SPND's.

FIG. 7.a Margin Comparison (traditional RPS and incore RPS).

FIG. 7.b
A - Allowed operating region using out-of-core detectors
B - Allowed operating region using prompt in-cores
Result: Operating flexibility (load follow); Faster return to full power; Capacity factor

QUESTION OF AUTOMATION OF PERIODICAL SLOW PROCESS IN NUCLEAR POWER STATIONS

S. BERTA
Eroterv, Hungary

In Hungary one 440 MW PWR unit is in service and the second one is under commissioning. Two units have one background complex. A further two PWR units are being built, and of course another background complex. In PWR technology these background technological processes ensure safe and contamination-free operation. Their task is to prevent the escape of noxious, chemical or radioactive by-products. The main technological parts of the background complex:

- Fuel cell resting
- Four different water filtering systems
- Hydrogen contact burners
- Two gas filtering systems
- Fluid wastage and contaminated resin handling
- Preparation of chemical solutions

The aim of this article is to study the possibilities of automation of the background complex.

1. Characteristic features of processes in background technology

- Slow chemical procedures
- Periodical operation
- The connections among main technological processes are exactly determined
- Characteristic topological structures:
  - line
  - branch
  - loop
- The process itself or its elements are duplicated, in some cases multiplied.

Conventional control theory was applied in the design of the first background complex. According to conventional power station practice, most of the valves were hand operated; only a minority of them and the pumps had remote control. The operation of valves in contaminated areas could be done from a safe place by cardan shafts. The instrumentation was adapted to the structure of operation.

Advantages:
- On-site connection with the technology, simple and safe operation.

Disadvantages:
- The completion of different technological routes is slow, and needs great practice, high attention and survey. The lack of any of these can cause false operation and sometimes accidents. Many skilled workers are required.

New requirements

- On-line connection between the technology and the control room
- Interlockings for preventing false operations
- Exact data logging, computation
- In case of disturbance nobody has to risk his health.

The proposed solution was the application of Hungarian-made microprocessor process control systems:

- For the organisation of remote control and technological limit values a Programming Logic Controller /PLC/ was suggested
- For the operator communication and data logging, closed-loop control, and for computation, a SAM 85 system with a display monitor and printer configuration was suggested
- For registration and integration functions control board instruments were suggested.

- determining the minimum number of remote controlled valves
- fitting of the instrumentation to the requirements of on-line connection
- analysis of closed-loop control
- selection and specification of elements taking part in the automation procedure.

6. Iteration for finding the optimum. This procedure requires cooperation among members taking part in the realization of the project.

7. Decision. The decision was against automation of the total background complex. There is a general aversion to microprocessor systems. Everybody appreciates the advantages but there is no experience in the following cases:

- the behaviour of the operator when there is a breakdown of the electronic system
- the operators lose the on-site connection with the equipment, they will be lazy and will be bored
- ensurance of spare components during the whole life of the system
- nearly everybody has one or two bad experiences with the repair of home electronic equipment. This is the question of reliability.

8. Compromise

A part of the background complex technology is located in a separate building. This part is nearly 30 % of the whole. In this separate building there is a local control room, subordinated to the central one.

The compromise decision was to adapt the same configuration of the PLC and SAM 85 microprocessor systems to this part of the technology. The aim is to get experience and practice in the use of microprocessor systems in nuclear power stations.

…ledge on how to organize such systems, and how to apply them to other nuclear power station technology.

W. HAR1 ST
Kraftwerk Union AG, Offenbach, Federal Republic of Germany

1 Introduction

I will speak about experience and developments of the KWU-Neutron Monitoring System for Boiling Water Reactors. Let me first give you a short introduction to the Neutron Monitoring System:

The neutron flux density is a measure of the power generated in a reactor by nuclear fission. In boiling water reactors the neutron flux density is usually measured by means of incore detectors.

A traversing incore probe (TIP) system is used to monitor the power distribution and to calibrate the incore detectors.

As the neutron flux density varies over approximately 11 decades between shut-down and full power this range cannot be covered by a single monitoring system and is therefore subdivided into three overlapping partial ranges, namely the

- Source Range (SRM)
- Intermediate Range (IRM) and the
- Power Range (LPRM)

The detectors of the Neutron Monitoring System are housed in assemblies extending into the reactor core at water gap intersections between core modules.

Figure 1 shows the radial distribution of the assemblies of the Neutron Monitoring System of a KWU-1300 MWe BWR. The circles show the position of the LPRM assemblies, the triangles the position of the SRM and the squares the position of the IRM.

The main functions of the Neutron Monitoring System are:

- Monitoring the neutron flux density at all reactor operating conditions
- Determining the total power generated by fission
- Monitoring the spatial power density distribution in the reactor core

FIG. 1. Radial Arrangement of the Assemblies. BWR Neutron Measuring Ranges.

2 Operating Experience of the LPRM MNK61 and MBK61

KWU manufactures MNK61 (non-breeder detectors) and MBK61 (breeder detectors) LPRM's for use in dry and wet tubes. Assemblies with KWU-LPRM's are in operation in all German and some foreign BWR's.

Some main features of the LPRM MNK61 and MBK61 are

- Miniature fission chamber
- MBK61 with regenerative Uranium layer
- Integrated mineral insulated metal sheath cable
- Argon fill gas
- Signal level from 1500 µA to 50 µA

Figure 2 shows a schematic drawing of the LPRM MNK61 and MBK61. Specialities of these KWU-detectors are

- Fissile layer on anode
- Hollow anode for improved linearity
- Gas seal between detector and cable
- Cable filled with Argon

FIG. 2. Schematic Outline of a Detector (key features).

For several years KWU has analysed the performance of the installed LPRM's. Characteristic data such as

- I/V curves
- 100 V/200 V gradient
- MSV/DC ratio
- sensitivities
- individual neutron exposure

are recorded on-site.

Off-site evaluations of these data yield:

- individual burn up
- end of life determination
- failure identification
- failure rates

An example of results obtained is given in Figure 3. This figure shows the relative sensitivity of the 4 LPRM's of one assembly versus the individual time integrated neutron flux density (fluence) at the position of the detectors. The curves can be fitted to exponential functions which characterize the burn up of the uranium layer. The individual burn up depends on the axial posi-

This is a strong argument to use LPRM's in dry tubes where single detectors can be exchanged.

From plots such as Figure 3 also failures of the detectors - e.g. broken metal-to-ceramic seals - can be identified. For these detectors a step in the calibration curves would be observed.

FIG. 3. Time-dependence of LPRM sensitivity (curves for the LPRM A, B, C and D positions; horizontal axis: Full Power Years (FPY)).

Operational Record of LPRM MNK61 and MBK61

Number of Power Plants                    11
Total Number of Detectors                 1285
Number of non-Breeder-Detectors           1245
Number of Breeder-Detectors               36
Number of Detectors in Wet Assemblies     1252
Number of Detectors in Dry Assemblies     36
Total Operating Time (FPD)                26384 *)
Failure Rate (10^-6 h^-1)                 1.08

*) 36 Detectors more than 4 FPY

FIG. 4.

The aim of these activities is to assure the quality of the LPRM's and to advise the customers when burned up LPRM's should be replaced.

The operational experience shows very low failure rates. This can be seen from the statistics shown in Figure 4. The total number of KWU-LPRM's installed is 1285 and the failure rate is of the order of 10^-6 h^-1. There are MNK61 in the KKW Würgassen in operation for a period of nearly 6 full power years. This means for the breeder detectors MBK61, which are of identical design as the MNK61, that from the mechanical point of view they could really reach their theoretically predicted life time of about 10 years.

3 Automatical Calibration System of the LPRM's

Because of the burn up of the uranium layers the LPRM's are recalibrated nearly every month. Up to now this recalibration is done by the operators. It requires some time and errors cannot always be excluded. To quote some numbers: To recalibrate 192 LPRM's of a KWU-1300 MWe BWR 3 men are at work for a day.

In order to reduce these activities KWU has developed an automatical recalibration system incorporating microprocessors and EAROMS.

The system consists of a central computer (Figure 10). This computer receives the calibration data and alphanumeric strings for identification of the detectors from the surveillance computer of the plant. The computer transfers the data to microprocessors in the redundancies which recalibrate the LPRM one by one.

FIG. 10. Schematic outline of the Automatic Calibration System (surveillance computer; calibration computer with printer and floppy disc; address and data bus system; a microprocessor in each of Redundancy 1, 2 and 3 for the APRM and LPRM channels).

The advantage of the new system is:

- Faster recalibration
- More exact recalibration
- Shorter recalibration intervals by calibration with precalculated calibration factors and therefore
- Increase of margins to the power limits

Another feature of the automatic recalibration system is this: The characteristic data of the installed LPRM's I mentioned before can also be measured automatically. Further on-site evaluation is possible. As an example of such measurements let me show you I/V-curves of the LPRM of an assembly obtained (Figure 11).

4 KWU-Gamma Sensitive Traversing Incore Probe (TIP) for BWR

4.1 Reasons to Replace Neutron-TIP's by Gamma-TIP's

As mentioned in my introduction the TIP-system serves two main purposes, first to provide calibration of the LPRM and second to obtain detailed 3-dimensional power distributions. Up to recently thermal neutron-sensitive TIP's were used.

Power distributions determined by neutron-TIP's often show asymmetries, which are not really properties of the power distributions. I will demonstrate this with Figure 5. A schematic comparison of the thermal neutron flux and the gamma flux is shown. Note the large neutron flux gradients and the small gamma flux gradients in the water gap between fuel elements.

FIG. 5. Comparison of thermal neutron flux and gamma flux in the water gap between fuel elements.

Rather, due to geometrical tolerances or small detector displacements in the water gaps between fuel elements, signal misinterpretations result from the large neutron flux gradients. Since gamma flux gradients are smaller, information from gamma-TIP's is less subject to such errors. These differences led to the development of Gamma-TIP's.

« 0.5 4.2 Design of the Gamma-TIP

The design of the KWU-gamma-TIP is the same as the former neutron-TIP or as the LPRM MNK61 I mentioned before. The only difference is that in the case of the gamma-TIP no electrode is coated by uranium. So this detector is insensitive to neutrons. To get a suitable sensitivity the gas pressure in the chamber is increased from 1 bar to 20 bar argon. The signal level at 100 % of full power is of the order of 500 µAmps to 100 µAmps.

4.3 Results with the Gamma-TIP in Service

Gamma-TIP's have now been installed in all German BWR's. Figure 6 shows an example of signal curves measured in the same instrumentation tube with a neutron and a gamma-TIP at identical conditions. Since the two detector signals depend differently in particular on the void fraction, correspondingly different results are obtained.

FIG. 6. Comparison of gamma-TIP-signal G and neutron-TIP-signal N at identical conditions (horizontal axis: axial core height, from lower core edge to upper core edge).

Evaluation of the data taking the respective transfer correlations into account leads to the same power distribution (Figure 7).

FIG. 7. Comparison of power distribution derived from gamma-TIP-signal G and neutron-TIP-signal N (horizontal axis: axial core height, from lower core edge to upper core edge).

The improvements achieved by gamma TIP's (Table I) show in particular that pseudo hot channels deduced from neutron-TIP measurements are absent in the gamma-TIP data.

FIG. 7. - lower costs Table I: Achieved Improvement with Camma-TIP - simple change from source range to intermediate range monitoring KKU KKB KKP t - LOCA proof system from source range to power range N G N G N G reactor power 41.6} 95.*» < 99.71 The main features of the KWU-wlde range Neutron Monitor concept are: coolant flow 35.7 * 112.4 * 101.5 t 3 radial hot- 1.53 1.39 1.13 1.34 1.39 1.30 channel factor - Neutron flux range to be covered will be 1 x 10 nv to 1 ^ -9 1.5 x 10 J nv or approx. 10 t to 10 % full power - The former intermediate range detector WSK61 is used, The KUU-gamma-TIP is a suitable system to determine the 3-dlmen only the preamplifier ia changed sional power distribution in a BWR more accurately and operates - Preamplifier with output Ted into a counting- and an in accordance with theoretical predictions. The margins to U.* MSV-channel power limits are increased. - No change of the insertion and retraction drive system with flexible drive tube - Class IE System 5 Combined Source Range and Intermediate LOCA- and selsalc-proo." Range Monitoring System from start-up to full power - Minimum impact of retrofit into existing plants As mentioned before the Neutron Monitoring System has to cover

a very wide dynamic ran6e of about 11 decades of neutron flux density from start-up to full power. An established technique Figure 8 shows a block diagram of the electronics of the wide is that the start-up range is covered by two sub-systems: the range monitor channel. The only alteration to the former Source-/ source and the intermediate range system. Intermediate-Range-System Is the change of the preamplifier. Especially the electronics in the cabinets are the same. A wide range start-up system which combines the function of the source and intermediate range system is developed by KWU and in the test phase. A single miniature fission chamber is used for pulse mode (SNM-channel) as well as for variance mode measure­ Figure 9 shows the measured response of the counting and HSV ment (IBM-channel). outputs of the preamplifier versus neutron flux density. The overlapping area between counting- and MSV-channel Is about 2 The advantages of the wide range system are: decades.

- smaller number of in-core assemblies, reactor vessel pene­ trations and preamplifiers than with separate systems 144 Percent Full Power

Control Room

Reoc lor l»g Aote Building Mtttr Period* I with Meter Oitc/iMlnoto' 0 0

Combined Linear Pream- MSV plilier Chanel -0

Schematic outline of the Wide Range Monitoring System

T 1 1 1 1 1 1 1 i i »' 10* JO* 10* 10' 10f 10* t0w »" Ww 10" 10K FIG, 8. True Neutron Flux Density INV) •• e» Response of the Wide Range Monitoring System FIG. 9.

6 Summary

KWU has made improvements on all parts of the Neutron Monitoring System of BWR's. These improvements allow the plant operation to be optimized and lead to higher flexibility and availability of BWR's.

Session 4

BACKFITTING OF COMPUTER SYSTEMS

Chairman
G.A. HEPBURN

REPLACEMENT STRATEGY FOR OBSOLETE PLANT COMPUTERS

J.P. SCHAEFER
Kraftwerk Union AG, Erlangen, Federal Republic of Germany

Abstract

The plant computers of the first generation of larger nuclear power plants are reaching the end of their useful life time with respect to the hardware. The software would be no reason for a system exchange but new tasks for the supervisory computer system, availability questions of maintenance personnel and spare parts and the demand for improved operating procedures for the computer users have stimulated the considerations on how to exchange a computer system in a nuclear power plant without extending plant outage times due to exchange works. In the Federal Republic of Germany the planning phase of such backfitting projects is well under way, some projects are about to be implemented. The base for these backfitting projects is a modular supervisory computer concept which has been designated for the new line of KWU PWR's. The main characteristic of this computer system is the splitting of the system into a data acquisition level and a data processing level. This principle allows an extension of the processing level or even repeated replacements of the processing computers. With the existing computer system still in operation the new system can be installed in a step-by-step procedure. As soon as the first of the redundant process computers of the data processing level is in operation and the data link to the data acquisition computers is established the old computer system can be taken out of service. Then the back-up processing computer can be commissioned to complete the new system.

The first generation of nuclear power plants in the power range 300 to 1300 Megawatts has now attained an operating time of about 10 years, that is to say about 15 years have passed since the original plant computer systems were designed or put into service.

The owners of these plants are at the point of having to decide what to do with these systems, as the computers are nearing the end of their useful lifespan.

Exhibit 1 >Evolution of systems<

The plants equipped with the first generation of SIEMENS process control computers are - as far as KWU plants are concerned - four BWR's and nine PWR's.

Fortunately we can state that the computer systems in these plants are still operating according to their specifications and in most of the cases are maintained by the computer manufacturers under long term service contracts. Nevertheless there are reasons to consider the replacement of the existing systems by a new installation.

Exhibit 2 >Reasons<

When thinking of a system replacement one certainly does not only want to maintain the functions of the "old" system. One also wishes to consider the implementation of new tasks.

Exhibit 3 >New Tasks<

The basis of our new computer systems for backfitting projects is the system concept for the plant supervisory computer system for KWU's new line of PWR's of the 1300 MW range. The main design consideration is the splitting up of the system into a data acquisition level and a data processing level. The acquisition level consists of small single purpose computers which monitor the many binary and analog input points, label each event with the real time and transmit these data to the processing level. The acquisition computers are, as far as possible, to be arranged according to the building sections of the switchgear building. The processing-level computers should generally consist of two redundant computers in order to increase the system availability.

Exhibit 4 >Modular concept<

The most important aspect of a replacement strategy is to manage the activities in such a way that

- continuous availability of the plant computer functions is guaranteed (in KWU plants these functions include the on-line evaluation of core physics data)
- the system replacement must be carried out during the normal plant shut down periods.

To ensure this "bumpless" transfer an overlapping phase of the functions of the "old" and the new system cannot be avoided.

Exhibit 5 >Replacement Sequence<

After the successful system exchange at least the alarm annunciation and measured value display will be on colour CRT's.

Exhibit 6 >Alarm display on a CRT<

As an option plant parameters can be displayed in a graphic form, which is a very powerful tool to provide for a highly condensed medium for control room personnel information.

Exhibit 7 >Main Plant Systems<

About 1000 process signals are compiled in the overall layout shown on exhibit 7. The actual system exchange has to be prepared very carefully in order to keep the transient phase as short as possible.

Exhibit 8 >Replacement preparation<

Before preparing a firm offer to replace a computer system a study on the requirements and procedures should be prepared. As most of the German Federal States only permit the start up of a nuclear power plant with the supervisory computer system being available, this study here has to be made very carefully. A detailed schedule of events has to be prepared in order to make sure that plant shutdown times are used as efficiently as possible.

Up to now this presentation has only shown the aspects of the replacement strategies for the supervisory computer system. Backfitting projects can also include a variety of computers and components; e.g. independent, single task computers and computer components which can be connected or should be integrated into a new design of the plant computer system.

Exhibit 9 >Additional computers<

Exhibit 1: Replacement of Plant Computers - Evolution of Systems (timeline from 1970 to 1990 of the process computer generations installed in the BWR's and PWR's).

Exhibit 2: Replacement of Plant Computers - Reasons

Operational
- Hardware capacity reached
- Enhanced display of process information desired
- Enhanced procedures for control functions desired
- Modern (modular) software
- Software handling (replacement of punched cards)

Computer Manufacturers
- Spare parts availability
- Service personnel availability

Authorities, Additional Requirements
- Redundant Alarm and Switching log
- Long term storage of process data

Exhibit 3: Replacement of Plant Computers - New Tasks

Video Display Units
- Alarms
- Measured values
- Graphic Displays / Curves
- Operating points diagrams

Analysis functions
- Disturbance analysis
- Symptom oriented displays
- Emergency situation management

Long Term Data Storage
- Alarm
- Measured values

High Speed Analog Data Acquisition

Data Interfaces to other Computers

Exhibit 4: Replacement of Plant Computers - Modular Concept (diagram: two processing computers and two acquisition computers with their peripheral units; process signals, binary and analog, enter at the acquisition level).

Exhibit 5: Replacement of Plant Computers - Replacement Sequence (diagram: Phases 1 to 4).

Exhibit 6: Replacement of Plant Computers - Alarm Display on a VDU (sample alarm annunciation page).

Exhibit 7: Replacement of Plant Computers - Main Plant Systems.

Evaluation of present Status

vnlch functions have to oe Maintained ? •nlcn ne» tasks are to be considered ? Signals / Signal connections existing 7 Requirements of government authorities ? Rooms / cllMtlc conditions ? scheduled plant shutdok.t tlaes 7

Selection of the new System - which generation of computers Is available 7 Hardware Software - system Integration 7 Control rooa Computer rooa

- Salvaging of prograas - are net systeas to be Integrated ? e.g. eaergency syitems

Time of replacement ( Longer ) Standstill phases of the unit

Preparation of connections, partly erection (step-by-step) commissioning

w Replacement of KIU-VZS 17 2/U Scfimttl Plant computers Replacement preparation Aero ball systea control coaputer

Core Siaulator

Control rod control coaputer |"""" *|

Fuel eleaent handling coaputer

Reactor protection systea aonltorlng coaputer I1"" " "i

Hardware testing Performance check Annunciation

High speed scanning of analog points and, storage and evaluation (platting)

Site protection E=J

Personal radiation dosls supervision

Envlronaent protection

Coaputer based operating aanual

Slide: Replacement of Plant Computers - Additional Computers

ROLE OF COMPUTERS IN CANDU SAFETY SYSTEMS

G.A. HEPBURN, R.S. GILBERT, N.M. ICHIYEN
Atomic Energy of Canada Limited,
Mississauga, Ontario, Canada

Abstract

Small digital computers are playing an expanding role in the safety systems of CANDU nuclear generating stations, both as active components in the trip logic, and as monitoring and testing systems. The paper describes three recent applications:

(i) A programmable controller was retro-fitted to Bruce "A" Nuclear Generating Station to handle trip setpoint modification as a function of booster rod insertion.

(ii) A centralized monitoring computer to monitor both shutdown systems and the Emergency Coolant Injection system, is currently being retro-fitted to Bruce "A".

(iii) The implementation of process trips on the CANDU 600 design using microcomputers. While not truly a retrofit, this feature was added very late in the design cycle to increase the margin against spurious trips, and has now seen about 4 unit-years of service at three separate sites.

Committed future applications of computers in special safety systems are also described.

Introduction:

Plant computers have always been a feature of the CANDU design. Five generations of CANDU reactors have seen successively greater levels of computerization, with the result that all major control functions are now completely computerized (1). Until relatively recently, however, the Special Safety Systems were implemented using conventional analog circuitry and discrete logic.

Our highly successful experience with computer control has led both designers and plant owners to consider the use of programmable devices in the Special Safety Systems. As will be seen, we are now engineering the fourth generation in the application of computers to shutdown systems. The first three generations were retrofits to existing plants. Since each generation did not have to wait for a new plant design for its implementation, evolution has been quite rapid in nuclear industry terms. Design work on the first application started about seven years ago.

CANDU Special Safety Systems - a brief overview:

A short description of these systems will enable the reader to better understand the environment in which the computer systems operate.

All recent CANDU reactors have four Special Safety Systems - two totally independent Shutdown Systems, an Emergency Coolant Injection System (ECI), and the Containment System. The instrumentation for each of these systems is independent of that of the others, and is itself divided into three fully independent channels. Typically, activation of a system requires two of its three channels to be in the tripped state. Testing is carried out one channel at a time. As part of the shutdown system test procedure, the channel under test is set in a tripped state, meaning that a trip on either of the remaining channels will trip the reactor.

Shutdown System 1 (SDS1) operates by dropping shutoff rods into the core under gravity. Shutdown System 2 (SDS2) injects a liquid poison into the heavy water moderator, except on Pickering 'A', which uses moderator dump.

Both shutdown systems are designed to detect the full set of design basis accidents. They employ self-powered in-core detectors to monitor neutron overpower (NOP), ion chambers to detect high rate of change of power, and a variety of process measurements.

Evolution of Computers in CANDU Safety Systems:

The four applications to be discussed here are, in order of project inception:

- NOP Setpoint Conditioning at Bruce 'A'
- Safety System Monitoring at Bruce 'A' and 'B'
- Computerization of process trips on the CANDU 600
- Full computerization of all shutdown system functions on Darlington

The remainder of this section will discuss the functional aspects of each system, and reasons behind their introduction.

Bruce 'A' NOP Setpoint Conditioning:

Bruce 'A' is a 4 x 760MW station on Lake Huron, Ontario. The first unit became critical in 1976. The Bruce 'A' design employs sixteen enriched uranium booster rods to aid restart following a reactor trip. During the design process, the second shutdown system requirements became much more stringent than was initially assumed. The system changed from being a backup defence to cover failures in SDS1, with trip setpoints substantially less conservative than those of SDS1, to being a fully capable parallel shutdown system. Unfortunately, the reactor construction was too far advanced to permit the inclusion of enough in-core detectors on SDS2 to provide sufficiently detailed flux measurements under all configurations of inserted booster rods to permit operation at full power with boosters inserted. Thus the initial license did not permit the use of boosters. This resulted in a very short decision and action time following a reactor trip, and consequently led to unnecessarily large production losses.

Subsequently, we were able to show that safe operation with normal NOP setpoints was possible with up to two booster rods inserted, while reduction of the NOP trip setpoints permitted safe operation with greater numbers of boosters in core.

This led to a requirement to lower NOP setpoints as a function of the number of boosters in core. The general requirement became obvious quite some time before the detailed analysis was complete, and this in turn led to the decision to implement the logic on a programmable controller - the first application of a programmable digital device in a Canadian (and possibly any) reactor shutdown system.

The function of the device is quite simple. The NOP setpoints are reduced in three steps as a function of the number of boosters in core. Inserted boosters are read by the programmable controller as digital inputs. The counts of inserted boosters at which each setpoint reduction takes place can be set by Gray-coded thumbwheel switches. Setpoint reduction is achieved by switching in additional bias voltages to the summing junction of the analog comparator amplifier whose output breaks the trip chain. There is one programmable controller in each channel of SDS2.

Safety System Monitoring at Bruce 'A' and 'B':

The primary reason for introducing these systems was to provide concise NOP margin to trip information on SDS1 and SDS2. The control room instrumentation of these shutdown systems is conventional, using edge reading meters. At Bruce 'A', for example, neutron overpower is detected using 51 in-core flux detectors, each of which has its own meter in the control room. These detectors are distributed among the six shutdown system channels. A channel will trip if any one of its detectors exceeds the trip setpoint. The margin to trip is typically 8% full power.

When operating at high power, close operator attention is required to avoid reactor trips due to drifting instrumentation, perturbations induced during refuelling, or single channel trips when another channel has been placed in a tripped condition during testing. It was clear that the operator's task could be facilitated if the neutron overpower detector readings were presented more clearly. A computer based display system was chosen as it provides the greatest flexibility in display format and alarm annunciation capability. Since all major control functions are already computerized, the operators are already familiar with the use of such displays.

The use of the plant control computers was considered for this monitoring function, but was rejected because, conceptually, this might be looked upon as compromising the separation between the control and shutdown systems.

The same computer system also monitors the Emergency Coolant Injection (ECI) system. The objective here was somewhat different. Bruce 'A' is being retrofitted with an upgraded ECI system, which, for testing purposes, employs a large number of remote controlled isolating valves, allowing each portion of the system to be tested without causing an injection. If the operator should leave one of these valves in the wrong position, the system could be left in an unavailable condition. The monitor computer warns the operator of system unavailability and abnormal situations, based on inspection of 150 analog and tiOO digital inputs. Since the entire ECI system has been redesigned on Bruce 'A', introduction of the monitor computer did not pose any particular retrofit problems.

The configuration of the monitor computer system is shown in Figure 1. Since the multiplexers are connected directly into the existing instrument loops in the safety systems, separation between safety system channels had to be maintained. This was achieved by placing a data multiplexer in each channel, and communicating the information to a central monitor computer over one-way fibre optic links. The multiplexers send the information "blind". There are no control signals going from the monitor computer to the multiplexer, so channelization of the Safety System is not affected.

Similar monitor computers have also been incorporated in the Bruce 'B' design, the first unit of which will go critical this summer. Here, shutdown system monitoring was extended to cover process trips. On Bruce 'A', this was avoided, since additional instrumentation would have been required to monitor trip setpoints, greatly complicating the retrofit operation. Normally, we do not operate close to the process trip setpoints. The main reason for monitoring these parameters is to detect instrument failures promptly.

Computerized Trips on the CANDU 600:

On the CANDU 600 design, it became apparent as the licensing analysis progressed, that we would have to depart from our previous approach of tripping when a single process variable exceeded a fixed setpoint. Setpoints would have to become a function of reactor power, and some trip parameters would require somewhat complex conditioning logic, if the units were to be capable of their designed power output without compromising ease of operation. An example of the type of setpoint variation required is shown in Figure 2. This figure also shows the manner in which the setpoint function was modified in a subsequent software revision. To accommodate expected design changes arising from licensing analysis and commissioning experience, there was a need for easy adaptability of the shutdown system logic. Once again, the application called for a computer.

Since design and construction of the shutdown systems was already quite far advanced (about 15 months before criticality), the new system had to be integrated into the conventional relay logic/analog comparator system, and additional space for equipment was very restricted. After considering the various alternatives - an expanded conventional system, a custom designed analog system employing extensive microcircuitry, and a digital system - the decision was taken to use computers. By computerizing the comparison and conditioning logic for all process trips, we were able to make enough space available for the new equipment. The computers replace conventional analog comparators, and are therefore referred to as "Programmable Digital Comparators", or PDC's. Since such significant application of computers in shutdown systems was novel, we were required to use two computers in each shutdown system channel, the various process trips being divided between the two machines PDC1 and PDC2. The resulting configuration is as shown in Figure 3. Note the integration with existing analog equipment used for the neutronic trips. From the operator's point of view, the system implementation still looks conventional. The first reactor to go critical with these computerized shutdown systems was Lepreau 1, in New Brunswick, on July 25th, 1982. The systems are also in use now on Gentilly 2, in Quebec, and on Wolsung 1, in Korea.

Darlington Computerized Shutdown Systems:

Since the shutdown systems on Darlington 'A'

interactive CRT for this purpose. During shutdown system tests, the computer performs each step, then returns to the operator and requests his permission to proceed with the next step. There are numerous advantages to this approach:

- The potential for error is greatly reduced, since the computer is much better suited to performing repetitive tasks than is a human operator.
- An accurate log of the test is kept.
- Tests can be quickly aborted if another channel gets close to tripping.
- A large number of dedicated test controls are eliminated from the control panels.

The test sequences are written in a simple, specially designed interpretive language, and can be written and modified by non-programmers. The system can therefore be readily applied to reactors of various types. We expect that this computer aided test feature will be the source of future retrofit business.

Design and Installation Information:

This section provides some technical information on the types of equipment used in the various installations, and on the qualification requirements, and any particular problems encountered in integrating the systems into the existing plant designs.

Bruce 'A' NOP Setpoint Conditioning:

The programmable controllers used were Texas Instruments 5TIs. These units are programmed using Boolean Logic equations. Despite the simplicity of the function, we were only just able to fit the logic into the machine's 1000 step memory. This came as a bit of a surprise

The only parts of the system whose installation impacts the existing plant are the multiplexers, which are located in the shutdown system instrument rooms. The equipment was installed on Bruce 'A' unit 4 while the unit was at power, and final connections to the existing shutdown system loops will be made in April 1984, during a one month outage for installation of the new ECI system.

A problem was encountered during the design phase where two signals (parameter value and setpoint) were being monitored in a single 4-20mA

Bibliography:

(1) "Computers' Key Role in CANDU Control" - N.M. Ichiyen and M. Yanofsky, Nuclear Engineering International, August 1980.

(2) "Computers in CANDU Special Safety Systems" - N.M. Ichiyen, IAEA Meeting on Nuclear Power Plant Control and Instrumentation, Munich, Germany, 1982.
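The booster-dependent NOP setpoint reduction and the two-out-of-three channel voting described in the paper above, as an added Python sketch that is not the 5TI ladder logic or any AECL code. The thumbwheel thresholds, the setpoint and bias values, the detector readings, the channel labels and all function names are constructed assumptions; only the sixteen boosters, the three reduction steps, the Gray-coded thumbwheels and the voting rules come from the text.

```python
BOOSTER_RODS = 16                            # sixteen booster rods (from the paper)
THUMBWHEELS_GRAY = (0b0010, 0b0101, 0b1111)  # constructed: thresholds 3, 6, 10
NORMAL_SETPOINT = 110.0                      # constructed, % full power
STEP_BIAS = (4.0, 4.0, 4.0)                  # constructed bias switched in per step


def gray_to_int(gray):
    """Decode a reflected-binary Gray code (assumed thumbwheel encoding)."""
    value = 0
    while gray:
        value ^= gray
        gray >>= 1
    return value


def setpoint_steps(inserted, thumbwheels_gray=THUMBWHEELS_GRAY):
    """How many of the three reduction steps the booster count calls for."""
    thresholds = [gray_to_int(g) for g in thumbwheels_gray]
    if len(thresholds) != 3 or thresholds != sorted(thresholds):
        raise ValueError("expected three ascending thumbwheel thresholds")
    return sum(inserted >= t for t in thresholds)


def nop_setpoint(booster_inputs):
    """Trip setpoint for one channel, given its 16 booster digital inputs."""
    if len(booster_inputs) != BOOSTER_RODS:
        raise ValueError("one digital input per booster rod is required")
    inserted = sum(bool(b) for b in booster_inputs)
    # Each step switches one more bias into the comparator, lowering the setpoint.
    return NORMAL_SETPOINT - sum(STEP_BIAS[:setpoint_steps(inserted)])


def channel_tripped(detectors, setpoint, under_test=False):
    """A channel trips if any detector exceeds the setpoint, or if it is on test."""
    return under_test or any(reading > setpoint for reading in detectors)


def reactor_trip(channel_states):
    """Two of the three channels must be tripped to activate the system."""
    if len(channel_states) != 3:
        raise ValueError("a shutdown system has three channels")
    return sum(bool(s) for s in channel_states) >= 2


def boosters(n):
    """Digital inputs with n boosters inserted."""
    return [True] * n + [False] * (BOOSTER_RODS - n)


def demo():
    # Constructed detector readings (% full power) for three channels.
    readings = {"D": [101.0, 111.0], "E": [100.0, 102.0], "F": [99.0, 103.0]}
    cases = (("2 boosters", 2, None), ("2 boosters, E under test", 2, "E"),
             ("4 boosters", 4, None), ("7 boosters", 7, None))
    out = {}
    for label, n, on_test in cases:
        sp = nop_setpoint(boosters(n))
        states = [channel_tripped(r, sp, under_test=(ch == on_test))
                  for ch, r in readings.items()]
        out[label] = (sp, states, reactor_trip(states))
    return out


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The same high reading in one channel leaves the reactor running in normal operation but trips it while another channel is on test, which is the spurious-trip exposure the margin-to-trip displays were introduced to manage.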

FIGURE 1 BRUCE 'A' MONITOR COMPUTER CONFIGURATION

FIGURE 2 CANDU 600 PRESSURIZER LOW LEVEL SETPOINT (M) VS REACTOR POWER

FIGURE 3 CANDU 600 SHUTDOWN SYSTEM UTILIZING PDC'S

FIGURE 4 DARLINGTON 'A' SHUTDOWN SYSTEM PANELS

FIGURE 5 DARLINGTON 'A' SHUTDOWN SYSTEM COMPUTER CONFIGURATION - ONE SHUTDOWN SYSTEM SHOWN

FIGURE 6b BRUCE 'A' SINGLE CHANNEL NOP MARGIN-TO-TRIP DISPLAY

FIGURE 6a BRUCE 'A' NOP MARGIN-TO-TRIP DISPLAY - ALL CHANNELS

THE REPLACEMENT GAG VIBRATION MONITORING SYSTEM FOR HINKLEY POINT 'B' POWER STATION

T. BAGWELL
Hinkley Point 'B' Power Station,
Central Electricity Generating Board (CEGB)

M.F.G. MORRISH
Engineering Department,
CEGB South West Region,
Barnwood, Gloucester
United Kingdom

Abstract

The original computerised system for monitoring the vibration of gags in each reactor channel of the Hinkley Point 'B' AGR Power Station did not meet the specification for a more stringent safety requirement. This paper describes the replacement of that original single processor system with an enhanced dual processor/multiple scanner computer system used to satisfy this new safety and reliability need. The specification and installation of the new hardware and software are discussed, and some of the problems encountered and their solutions are highlighted.

1. INTRODUCTION

Hinkley Point B Power Station is one of the first generation Advanced Gas-cooled Reactors (AGR) built by the Central Electricity Generating Board (CEGB). It has two reactors

In order to overcome the problem, all fuel stringers were removed from the reactor and the gags modified. However it was important to continue to maintain a close surveillance thereafter in order to demonstrate high integrity during the life of the gag units.

Monitoring of gag vibration was implemented by a single computer/scanner system for some 6 years, but due to a requirement for improved reliability and availability, the initial system has been replaced by a dual computer/multi scanner system. This paper considers the background to the original system, its subsequent replacement, and discusses some of the problems encountered and their solutions.

2. INITIAL SYSTEMS

2.1 INITIAL MONITORING SYSTEM.

When the redesigned gags were reloaded with their fuel stringers into the reactor, it was decided to fit each stand pipe with an accelerometer so that any vibration could be monitored. The 308 accelerometer signals from each reactor were fed to individual charge amplifiers and were then monitored audibly on a regular basis by an engineer. Whilst this system did work it suffered several major drawbacks. The decision as to whether a gag was clashing was purely subjective and relied on the discretion of the engineer. Also, to monitor all 616 channels took a long time and could only practicably be carried out weekly. Meanwhile, Berkeley Nuclear Laboratories (BNL), a CEGB research division, were investigating better ways of deciding if a gag was vibrating, and eventually arrived at a method of sampling the amplitude of the vibration readings from each channel.

To decide if a gag is vibrating abnormally, all 308 signals from each reactor are scanned sequentially, each channel being scanned at a frequency of 4KHz for a set number of scans. For each channel, the amplitude data from these scans is collated into a 1024 element histogram. A statistical analysis is then performed to find the number of scanned readings that fall outside four times the standard deviation of the histogram. When this number exceeds a predefined limit, it is assumed that the gag could be vibrating abnormally.

2.2 INITIAL COMPUTER MONITORING SYSTEM.
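The histogram test described in 2.1, together with the rescan and clearing rules the paper gives in its application software section (90,000 scans per channel, a limit of 60 readings outside four standard deviations, three consecutive clean half-hourly rescans), as an added Python sketch that is not the station's CUTLASS code. The voltage-to-bin mapping, the simulated accelerometer signal and every class and function name are assumptions made for the example.

```python
import math
import random

BINS = 1024          # histogram elements per channel (from the paper)
SCANS = 90_000       # samples taken at 4 kHz in one channel scan (from the paper)
SIGMA_MULT = 4.0     # readings beyond this many standard deviations are counted
TAIL_LIMIT = 60      # more than this many outlying readings means "vibrating"
CLEAR_PERIODS = 3    # consecutive clean half-hourly rescans needed to clear


def adc_code(volts, v_min=-5.0, v_max=5.0):
    """Assumed mapping of the -5..+5 V charge-amplifier output onto the bins."""
    idx = int((volts - v_min) / (v_max - v_min) * BINS)
    return min(max(idx, 0), BINS - 1)          # clamp at the rails


def build_histogram(samples):
    hist = [0] * BINS
    for v in samples:
        hist[adc_code(v)] += 1
    return hist


def tail_count(hist, k=SIGMA_MULT):
    """Number of readings lying more than k standard deviations from the mean."""
    n = sum(hist)
    if n == 0:
        raise ValueError("no readings in histogram")
    mean = sum(i * c for i, c in enumerate(hist)) / n
    sigma = math.sqrt(sum(c * (i - mean) ** 2 for i, c in enumerate(hist)) / n)
    return sum(c for i, c in enumerate(hist) if abs(i - mean) > k * sigma)


class SimulatedAccelerometer:
    """Constructed signal: Gaussian noise, plus sparse impacts while clashing."""

    def __init__(self, seed, noise_v=0.2, impact_v=3.0, impact_rate=0.003):
        self.rng = random.Random(seed)
        self.noise_v, self.impact_v, self.impact_rate = noise_v, impact_v, impact_rate
        self.clashing = False

    def scan(self, n=SCANS):
        out = []
        for _ in range(n):
            v = self.rng.gauss(0.0, self.noise_v)
            if self.clashing and self.rng.random() < self.impact_rate:
                v += self.rng.choice((-1.0, 1.0)) * self.impact_v
            out.append(v)
        return out


class ChannelMonitor:
    """Alarm state for one channel: confirm by rescan, clear after clean rescans."""

    def __init__(self, scan):
        self.scan = scan            # callable returning one scan's samples
        self.in_alarm = False
        self.clean_run = 0

    def _tail(self):
        return tail_count(build_histogram(self.scan()))

    def background_scan(self):
        """Sequential scan; a high count is only alarmed if a rescan agrees."""
        if not self.in_alarm and self._tail() > TAIL_LIMIT and self._tail() > TAIL_LIMIT:
            self.in_alarm, self.clean_run = True, 0
        return self.in_alarm

    def half_hourly_scan(self):
        """Rescan of an alarmed channel; any dirty scan restarts the clean count."""
        if self.in_alarm:
            self.clean_run = self.clean_run + 1 if self._tail() < TAIL_LIMIT else 0
            if self.clean_run >= CLEAR_PERIODS:
                self.in_alarm = False
        return self.in_alarm


def demo():
    acc = SimulatedAccelerometer(seed=1984)
    mon = ChannelMonitor(acc.scan)
    log = [mon.background_scan()]                       # quiet gag
    acc.clashing = True
    log.append(mon.background_scan())                   # confirmed on rescan
    acc.clashing = False                                # gag position adjusted
    log += [mon.half_hourly_scan() for _ in range(3)]   # three clean periods
    return log


if __name__ == "__main__":
    print(demo())
```

Because the impacts themselves widen the standard deviation, the test responds to sparse, large excursions rather than to a uniform rise in noise level, which is why the count of outlying readings and not the standard deviation is the alarmed quantity.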

3. BASIS FOR REPLACEMENT SYSTEM

3.1 NEW SAFETY CASE.

If a gag unit were to fail, the severe vibration causing the gag failure would undoubtedly also cause the failure of the two channel gas outlet thermocouples for that channel. The double thermocouple failure was accepted as the safety case for detecting failed gags. The computer system was used as a means of investigating the vibration characteristics of the gags. At the time the performance and reliability of the system was not thought adequate for use in the safety argument.

It was recognised that a double thermocouple failure could occur from causes other than severe gag vibration. In practice a number of such dual failures did occur, and it became desirable to revise the safety case. Improvements in the reliability and performance of the existing computer monitoring system had been made since early start-up and it was consequently possible to make a new safety case based upon a gag vibration monitoring system being the primary means of detecting gag failure.

3.2 NEW HARDWARE SYSTEM.

The new safety case only allowed a six hour break in gag vibration monitoring before a reactor shutdown was necessary. The existing system only had one computer and single scanners monitoring both reactors, with no backup systems. Therefore an upgrade of the system was required to provide a better availability if forced reactor outages were to be avoided. Problems had also been experienced with the scanners and charge amplifiers sited in the cable flats adjacent to the Reactors. In this location they were subject to very high temperatures

To complement the new hardware being installed, new software would be needed. The CEGB had developed a new national standard software language for on-line applications, CUTLASS, and this was to be the first use of this language at a nuclear site.

3.4 PROJECT TIME SCALE.

The time scale set for the project was that the Reactor 4 system should be changed from the old to the new system during the biennial outage in early 1983. The contract was placed in mid 1982 and the hardware arrived on site at the end of December 1982. The final system was commissioned on R4 ready for the reactor returning to load in mid May 1983. The Reactor 3 system is being changed during 1984.

4. HARDWARE SPECIFICATION

4.1 GENERAL

Fig. 1 shows schematically the arrangement of the original scheme. The accelerometer signals for each reactor were fed via charge amplifiers to individual scanner systems, located in the cable flats adjacent to the reactors. Data was then transferred along separate dual 22 way highways to a common processor two floors below. A graphics display terminal was used to provide histogram plots for an individual channel on request and two printers provided a hard copy of the alarms raised with statistical data. These peripherals were in the Station Computer room adjacent to the central control room (CCR). The Gag Vibration alarms were taken into the Station Computer system and displayed to the operator with the other Station alarms.

In the proposed system all the equipment, with the exception of the CCR printers, was to be located in a room adjacent to the cable flats, a dual scanning arrangement was proposed, with each Reactor having identical systems. Separate processors for each Reactor were to be provided with identical peripheral devices. The design had enough redundancy to meet the higher level of availability required and to meet a mean time to repair of less than 6 hours. Alarms were still handled by the Station Computer.

4.2 HARDWARE FEATURES SPECIFIED

The essential hardware features specified for each of the two systems were:-

4.2.1 Computer Peripherals

a) One monochrome graphics display terminal with keyboard

b) One system load facility

c) One panel mounting printer for use in CCR

The scanning system was required to monitor 610 analogue inputs comprising two separate systems each of 320 inputs. Each channel was to be sampled for a period of time (approximately 23 secs) whilst it is scanned at 4KHz to provide data for online analysis. A switchable input low pass filter of 1, 2 and 4KHz was specified for use on all inputs. The 4KHz filter is currently used.

A minimum of 8 digital output signals was required.

4.2.2 Control Computers

a) One 16 bit central processor

b) Memory - 128K words

c) Battery backup for entire memory - 10 minutes

d) Programmable Clock

e) Watchdog Facility

4.2.3 Cabling

The contract included all the cabling within the equipment cubicles except the inputs from the charge amplifiers.

The anti-microphonic radio frequency cable required to extend the existing accelerometer cables to the relocated charge amplifiers was subject to a separate 'supply only' contract. The miniature coaxial cable was required to have a characteristic impedance of 50 ohms, an overall diameter of approximately 2mm and a nominal capacitance of approximately 100pF per metre.

5. DESCRIPTION OF HARDWARE

Fig. 2 is a simplified diagram to show the basic flow of data in the system. The output from the accelerometers is taken to individual charge amplifiers whose output is in the range +5 to -5V. A new channel is selected by each of the scanning systems approximately every 30 seconds and then that channel scanned at 4KHz for 23 seconds by the ADC card. Computer interfaces are provided to drive local and remote printers, graphics display terminals, the Station Computer digital inputs, a magnetic tape software loading facility and a system console. Fig. 3 shows the final arrangement of the hardware used.

5.1 COMPUTER PERIPHERALS

5.1.1 Graphics Visual Display Unit

The Graphic Terminal is a video text terminal and a Graphics Processor in one package. It has outputs for both an external colour monitor and hard copies of the displays. The device is operated at a data rate of V.SKbaud due to software restrictions.

5.1.2 Cartridge Tape Drive Unit

The dual drive unit is used to load the application and diagnostic software into the computer system. The device is operated with a data rate of 9.6Kbaud.

5.1.3 Panel Mount Printer

This is a 18 column thermal printer which is operated at a data rate of 300 baud via a 20mA current loop.

5.1.4 Free Standing Logging Printer

This printer was part of the existing monitor system and is operated at a data rate of 300 baud.

5.1.5 Typewriter Terminal

It is operated at a data rate of 300 baud and is used as the system console.

5.2 COMPUTER SYSTEM

A brief description of the computer cards, in the order they are located, is as follows:-

a) Processor Card
This card carries the main processor plus a floating point option and memory management unit. The card also contains a Watchdog, Crystal Clock, Bootstrap and single serial I/O port. The latter two facilities are disabled.

The Processor Carrier Card has two switches on the front facing section, one for enabling the clock and watchdog facilities and the other for the halt, run and initialise functions.

b) Memory Card
This card contains 128K by 18 bits.

c) Analogue to Digital Conversion Card
This card version can multiplex 8 fully differential inputs into a high speed "sample and hold" amplifier. This then supplies a 12 bit analogue to digital (A/D) converter with a conversion rate set to 4KHz using the potentiometer on the card. The input voltage range was set to -5 to +5 Volts and a software programmable gain option used.

d) Relay Output Card.
There are 20 relay changeover contacts available on this card but only 10 are used to generate both conventional and Station computer alarms.

e) Quad Serial Line Card - 20mA.
This card contains four independent serial lines and is used to interface to the R3 and R4 scanner systems, the panel and free standing printers using a 20mA current loop standard.

f) Quad Serial Line Card - RS 232.
This Quad Serial Line card is configured to the RS 232 standard. The card is used to drive the magnetic cartridge tape unit, the display terminal and the console. A port is configured as a communication line, but not used.

g) Bootstrap Card
This card carries the CUTLASS bootstrap software on four EPROMs.

The Relay output and 20mA current loop cards incorporate onboard microprocessor intelligence which provides self-diagnostic checking. Indication of card failure is provided on the front of the cards, via LEDs. A card failure also causes an interrupt to the processor card which is used by the watchdog software procedure to operate the watchdog contact.

5.2.2 Scanners

Each of the four 320 channel scanning systems comprises a 64 channel master scanner plus four 64 channel slave units. No measurement modules are required in the scanners, as the Analogue/Digital function is provided by the ADC card.

5.3 ACCELEROMETERS AND CHARGE AMPLIFIERS

These are retained from the existing system. The output range of the charge amplifiers is +5V to -5V and the low impedance outputs fed to scanners on both systems. A separate audio facility has been retained and is mounted below the charge amplifiers. It is not intended to use the audio facility for normal operations.

5.4 ACCELEROMETER CABLING

A separate contract was awarded to provide the miniature coaxial cables and connectors to extend the existing cabling to the new equipment room. Each of the 610 cables had to be extended by approximately 100 metres. An interface connecting board using 'through' sockets was designed and built by Station staff.

6. SOFTWARE SPECIFICATION

When the decision had been made to use CUTLASS for the new system, the latest available version was release ?.'*•. This had been running in many installations for some time and most of the initial problems associated with it had been corrected.

It was decided at an early stage to make the software identical in both computer systems (R3 and R4) to avoid any problems when modifying the programs. From the operators' viewpoint the new system had to appear similar to that being replaced, only minor improvements being added at their request.

Within the CUTLASS software structure there are several different "subsets" to perform varying functions (eg a VDU subset, a DDC subset etc). Although a VDU terminal was being used in the new GVM system, it was not thought necessary to use the VDU subset for the one format required, as the VDU subset would incur a large resident software overhead. It was thus decided to use only the General Purpose subset and to drive the VDU with special WRITE statements, and to use special statements for scanning and digital outputs.

Also special software "driver" modules were needed to augment the standard CUTLASS release. These were for:-

- Serial line card.
- Relay output card.
- ADC high speed data acquisition card.
- Code for a system Watchdog.

7. APPLICATION SOFTWARE

7.1 BASIC PRINCIPLES

Fig. 4 shows the basic principles involved in the data acquisition. To decide if a gag is vibrating, the output from each accelerometer is scanned at 4 KHz for 90,000 scans. For each scan, the amplitude is measured and a count is recorded in a 1024 element array to represent this amplitude. Over the period of approximately 23 seconds that each channel is scanned, this array is filled, most of the counts being recorded around the centre elements, and tailing off to zero at the end elements. When scanning is completed, a statistical analysis is done of the results in the array, and a figure for the standard deviation calculated. The counts stored in the elements falling outside four times this standard deviation are totalled, and if this exceeds 60 then the gag is assumed to be vibrating excessively.

Each channel is scanned in this way in sequential order and any channel found in alarm is immediately scanned again and if the alarm condition persists, it is indicated to the control room operator by a digital output to the main station computer system. The advised operator action is to open the gag one inch, which should sufficiently alter the gas flow to stop the gag vibrating. To check the alarmed channels, they are then scanned in the same way on a half hourly basis until they are below the alarm level for three successive half-hourly periods. Other suspect channels can be forced into a half-hourly monitor by the operator. A facility exists to cancel channels with known hardware faults to stop them being scanned.

At each shift changeover a summary of channels alarmed, monitored and cancelled is output to the operator via a printer in the control room.

7.2 SOFTWARE FUNCTIONS

The application software is required to carry out the following actions:-

a) Sequentially scan all channels in a background scan for 90,000 samples on each channel. To analyse the results of these scans to check for high vibration.

b) Any channel found to have a high vibration, scan again and if the vibration persists, alarm the control room operator and log the details on the printers in the control room and GVM computer room.

c) For any channel found in alarm, repeatedly scan that channel every 30 minutes, and log the results, until the counts outside 4 standard deviations have been less than 60 for three consecutive 30 minute periods.

d) Maintain the alarm "Gag Vibration High" to the station computer whilst there is any channel in alarm, but reset and reflash the alarm for any subsequent channel that should go into alarm.

e) For any channel found to have a hardware fault, scan again and if the fault persists, log the results and alarm to control room operator.

f) Store the results of any alarmed or faulty channel in one of 5 cyclic buffers so that subsequently a histogram may be drawn if requested.

g) Provide an interface via a VDU to allow restricted changes to the system. The maintenance engineer "logs on" before each action, and the engineer's initials are checked and remembered.

h) Allow requests for channels to be "monitored", ie scanned every 30 minutes and the results of the scan printed. These channels will remain "monitored" until "released" from this facility.

i) Allow channels to be "cancelled" from any scanning if they are found to be faulty. These "cancelled" channels can then be "included" back into the main scan.

j) Print a summary of "alarmed", "monitored" and "cancelled" channels at each shift changeover.

k) Display the currently scanned channel identity, on request.

l) Display, on request, the initials of the engineer who performed the last action on a particular channel.

m) Draw a histogram and print the statistics of a requested channel. If this channel has recently been in alarm or faulty, and its results are stored in one of the buffers, the histogram will be drawn from these results. If a second request is then made on this channel, or the results are not stored, then the channel will be scanned for the required 90,000 times and the histogram drawn from these results.

n) Allow the results of scanning to be suppressed if a reactor is not at power, or is being scanned by the other computer system.

o) When the results are suppressed as in n), allow repeated scanning of one channel to be requested for hardware maintenance, alarms from these scans to be suppressed.

p) At the end of each scan cycle, to scan a test signal and check that the results are within predetermined limits.

7.3 DESCRIPTION OF TASK BREAKDOWN.

The basic philosophy of CUTLASS is that the system be broken down into a scheme and task structure. The application code is divided into several "schemes" for security, ease of coding and testing. Each of these schemes is then further split into "tasks" which deal with particular functions of the system. It is the tasks that are clock-connected at set time intervals. Fig. 5 shows diagrammatically the scheme interaction.

In this system there are two main schemes (R3MAIN and R4MAIN) that deal with the main scanning of the channels. They decide which is the next channel to be scanned, wait for that scanning, and then process the results of the scan. The next channel decision depends on whether it is an ordinary background scan, a half-hourly alarm scan, a repeat scan, or whether there is an outstanding histogram request. It deals with the scan results according to the reason for scanning. These schemes also activate alarms to the Station computer and set up messages to the printers.

To initiate scanning of a channel, the above two schemes set up markers to allow the SCAN scheme to run. This scheme in turn sets markers to the SELECT scheme that does the relay selection of the requested channels and passes control back to SCAN on completion. SCAN then initiates the 23 second scan at 4KHz on the R3 and R4 channels selected and when this has completed, control is finally passed back to the two main schemes.

Another scheme GAGVT125 deals with the operator interface via the VDU terminal. It accepts requests, checks their validity, and then acts on them, usually by setting markers that other schemes use.

MESSAGE is the scheme that outputs messages to both printers. Other schemes set markers for this one to check, and when one is found set, the messages are printed.

ALMSUMM sets a marker every 30 minutes to allow the alarm scan to occur if needed. It also prints out a summary of alarmed, cancelled and monitored channels at every shift changeover.

HIST is the scheme that deals with drawing a histogram of the results from a channel scanned by the main scheme.

FIDO is the watchdog scheme. It monitors the running of all other schemes via global data flags and should one fail (global set "bad") it will operate the watchdog relay to warn of the failure. This scheme also updates the date and time on the VDU.

Hinkley Point made it impractical to use the new GVM processor as a target and thus an identical backplane was purchased and the appropriate cards installed in it to make a replica of the final system. This was located next to the Host and a suitable set of peripherals connected to the target to enable the software development to take place.

The method of building a complete system was to first run the Target Construction program on the Host to build a suitable target software framework. This was then loaded down the serial line to the target, followed by appropriate User and Global directories. The various schemes were then compiled and down line loaded one at a time to the Target. When all had been loaded, a complete Target image was then saved back up the serial line onto a disk file. This saved disk file was finally dumped onto a tape cassette to be loaded eventually into the running system.

8.2 SOFTWARE WALK THROUGH.

Once the initial application software had been written, it was agreed that it would be useful as part of the Quality Assurance if a "walk through" of the coding were to be done. This involved the programmer explaining his code, line by line, to other computer experts. This exercise showed up several problems, and minor improvements were also incorporated as a result.

8.3 INDIVIDUAL SCHEME CHECKS.

7.4 PRIORITIES AND RUN TIMES. As the scheme and task coding was completed, checks were made on the program logic and operation using the replica Target computer. As To allow correct interactions of tasks within the system, each is far as possible this was carried out using dummy data items before given a priority and a run time. Tasks can be either run continuously, final Installation In the new system. or they can be clock connected to run at set time intervals. Once all the schemes had been tested in this way, they were 7.5 OPERATOR DRIVING INSTRUCTIONS combined into a complete target image and loaded to the main target. The first part of the test schedule was to teat each scheme on Its own Although all alarms are raised to the main control room desk and to ensure that each functioned correctly. This testing wade use of operator, it is the shirt computer engineer that actually uses the GVM the system console to set and check Global data items. These tests system via the VDU terminal. To aid him in the operation or the approximatey repeated those already done on the replica Target. system, an booklet has been compiled containing useful information about the software. This Includes Instructions Tor loading in the 8.4 TASK PRIORITIES AND RUN TIMES. system rrom cassette, relay information, failure messages and details of the available test programs. An initial estimate of task run times was made and priorities assigned on a task Importance basis. Once more than one task was COMMISSIONING enabled, it was found necessary to adjust these run times and priorities to avoid scheme time-outs. 8.1 SOFTWARE DEVELOPMENT. 8.5 SCHEME CHECKS WITH SIMULATED INPUTS. The development of the software for the GVM system followed normal CUTLASS techniques. 
That is, the Initial input of coding was done via Once it was proved that the schemes worked in isolation, the whole a Host computer system, and then to run the CUTLASS compiler, the Host system was activated, but with no outside plant connected. An has to be connected to a Target computer. The location of the Host at electronic signal generator had been produced by BNL which provided an input that could simulate the various vibrations emanating froa a 9. PROBLEHS ENCOUNTERED DURING THE PROJECT standpipe. The controls could be set to simulate a normal channel, a vibrating channel or one with a hardware fault. This signal was 9.1 GENERAL connected to a number of charge amplifier inputs for test purposes. a aau-tooth waveform generator was also connected to selected channels. The project being centred around a hardware only contract, with With these signals connected, tests were made to ensure the expected CEGB software, did lead to a number or probleas. Contrtbutary factors results appeared on the correct channels. were that it was the first tiae that this design of equipment had been used in the Region. 8.6 TOTAL SJSTEM TESTS. The probleas are summarised below under separate hardware and On the coapletion of the above tests, the cables fro* the software headings although in aany cases they are inter-related. acceleroaeters were connected to the charge amplifiers and the system run in its final plant state. As at this tiae the reactor was not at 9.2 HARDWARE power, every channel appeared as a Low Input fault and this was used initially to check that every channel was being scanned. The BNL test a) Serial Port on Processor Carrier Card - In this design the port box was connected to selected channels to provide alara conditions for is used for the systea console. The port is set to Interrupt with a those channels, some channels were put into Monitor and soae Cancelled. 
level * prority, but because It is the physically closest device to fie Checks were again made to ensure that channels were scanned in the processor it can effectively achieve the highest priority. This Is correct order. The plant cables were then reinstated and the system because it is capable of accepting, and not passing on, the processor's left to run uninterrupted in its final form for 200 hours to ensure interrupt acknowledge signal. The systea design required a priority there were no probleas. structure with the high speed ADC at the highest priority. A design modification was made which allowed this port to be isolated. A spare 8.7 HARDWARE port on the RS232 serial line card was used as the console device.

8.7.t Coaputer Hardware b) High Speed Data Acquisition Systea - A DMA card was supplied for use with the ADC card. During initial CUTLASS software tests It The design concept was that the coaputer hardware would be was discovered that the DMA card was not processor compatible, and thus coaaissioned at Works, and on Site, using CUTLASS software. However was removed from the systea. this was not possible, due to the unavailability of software drivers. The original scheae used separate ADCs for each scanner system. Tests were conducted to deteraine the optlaua aethod or obtaining the data The contractors software testa were very basic and allowed from two scanners. It was concluded that the best solution was to use acceptance and delivery of the hardware to site. However they did not two channels on one ADC to handle both scanners, as it provided the check the real tiae operation of the aystea. Hardware deficiencies fastest overall conversion tiae and provided a siapler hardware were subsequently found when the CUTLASS software was available and arrangement. This resulted in the additional provision of an initial coaaissioning software checks were being carried out on site. interconnection module for the scanner output cables.

8.7.2 Hiring and Cabling Commissioning c) Scanners - During the site coaaissioning trials, In-service failures occurred in the scanners. One aaster and one slave scanner Special coaaissioning application software programs were written unit became faulty and were replaced. In the saae period three clock to facilitate the coaaissioning of the cable continuity and cubicle PC8s were found faulty. All faulty units were returned for analysis wiring. These allowed continuity to be checked froa the existing and repair. There have been no reported faults in the eleven months of termination area in the cable flats, through the new coaxial cables, operation since these failures. These events did highlight a relocated charge amplifiers, cubicle wiring, scanner systea and finally maintenance problem with the scanner interconnecting leads. These were the data acquisition systea. An electrical noise signal was connected too short to allow single units to be removed and replaced, and have in turn to each channel in the cable flats and the channel to be thus been lengthened. aonitored was selected via the coaputer display terainal keyboard. A printout was given on the systea printer indicating the channel d) Battery Backup - Provision was made in the contract for battery selected, together with the results or the statisical analysis on the backup which was successfully tested at Works and Site. This facility data collected. These results were used as test records to demonstrate is not at present used. In the future it is planned to incorporate that all channels were successfully checked for continuity. this facility into the scheme. e) Display Terminal Graphics Speed - The display terminal used was a) Printer Disconnection - The scanners and the 2 printers are found to be slow in graphics mode. The maximum rate it could be driven driven from the quad serial line card via current loops. There has reliably In an unformatted mode was 2.4Kbaud. 
Under these conditions to be a continuous current path through all 4 aerial outputs or elsi; It was taking some 60 seconds to plot the histogram required. A driver a card "fault" occurs, which in turn activates the watchdog, with XON and XOFF features was available very late in the project and Problems arose if a printer was disconnected for maintenance without incorporated. This allowed the terminal to be driven at a maximum of first shorting out its serial line input. To overcome this, 4.8Kbaud, with a histogram plot time of approximately MO seconds. shorting switches were fitted across these devices so that they can be disconnected without affecting the system. 9.? SOFTWARE. b) Additional Test Channel - The normal scanning of the system a) Task activation - The initial idea for the application software covers channels 1 to 308 for reactor channels with channel ?09 beln? was to try to duplicate the layout or the existing SVEPSPEED system, a test signal checked at the completion of each reactor scan cycle. but It became obvious that this form of software layout was not If a hardware fault occurs, one method of locating the possible feasible as SUEPSPEED used the facility of activating one job from fault is to substitute parts of a good channel signal path for the another. component thought to be faulty. This could, for example. Involve exchanging a good channel's charge amplifier for the suspect one by cross connecting the cabling. Whilst this method does work, it does its CUTLASS (Version 2.3) tasks have to be clock-connected, or else involve disturbing a good channel signal. It was thus arranged to run continuously, the problems of task Interaction soon became clear. use channel 310 as an additional test channel that could be scanned Some of the functions of the system were obviouly suited to clock repeatedly or via a histogram request, but would be ignored by the connection, eg half-hourly alarm scan or shift change-over summary normal scanning sequence. 
The hardware In this input chain could prints, but others would have run more efficiently If they could have then be substituted for the suspect items. been activated aa soon as they were required. This particularly applied to drawing histograms etc. These sorts of tasks have had to be run at set time intervals and they then check to see if relevant c) Additional Diagnostic Software - Whilst many of the possible markers are set to know whether to perform their allotted code, or Just harware faults are flagged by comprehensive failure messages, exit to try again later. requests were made for additional diagnostic programs. These were incorporated into the main system tape dump, but are not normally b) Task timing - Clock-connection caused many problems with task enabled. To run these programs It is necessary to disable all the timing. A task ha3 to finish performing its function by the time the normally running schemes and to then enable the required next clock-connection occurs, otherwise the task is timed out. Thus, diagnostics. These Include facilities to selectively scan one for example, if it takes 40 seconds to draw a histogram on the VDU, channel and print out the results, a test of the relay output that task cannot be connected at more than, say, every 45 seconds. selection, a cyclic selection test of all channel relays on both R3 and R4 scanners, and a printer test. c) Driver testing - Several problems were experienced with the Initial versions of the special drivers. Even though these drivers had 11. CONCLUSIONS been tested in Isolation at RHQ using simple test programs, when they were Incorporated into the main application code, problems showed up. The initial reason for installing this replacement g»g vibration Once the cause of the errors had been pin pointed, they were soon monitoring system was to provide a more secure system that would corrected. satisfy a new safety requirement. The equipment Installed has completely met this requirement. 10. 
EXPERIENCE WITH THE OPERATIONAL SYSTEM Host of the problems encountered during the project derived from the fact that this was the first use of a new software language on a When Reactor * was returned to load at the end of its outage, the nuclear site, and also with this particular manufacturer's equipment. new GVM system was activated to monitor the gags. It was discovered In a system such as this, where the user supplies the software, it is that several Inputs were giving hardware faults and these were stongly recommended that a complete version of the software be corrected. Host of the faults appeared to be caused by mechanical available prior to works acceptance tests, and that the manufacturer Is damage during pile cap work In the outage, but since these have been made aware of the method by which his hardware is to be driven by that repaired, the system has functioned well. Some minor problems have software. Test demonstrations with the manufacturer's own software are been encountered and the necessary actions taken to correct them. Insufficient. These have Included :- The 'software walkthrough' technique, whereby the programs were explained to a group, proved to be advantageous and highlighted several probleaa which could then be rectified before the aystea was tested.

CHARM AMPUFIBI CHMCC AMPLIFIER 1 During the year that the new systea has been in service monitor ng ACCCLCROMfTf RS ' cuaiaf CUBIC Lt ACCELEROMCTERS Reactor

R4 PIUE CAP The authors would like to thank the Station Manager, Hinkley Point a) PILE CAP Power Station and the Director of Engineering, South Western Region, CEGB, for permission to publish this paper. Rill LEVEL CARLE FLATS SCANNER SCANNER CUIICIC CUIICIE
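The alarm sequence of section 7.2, items b) to d), together with the half-hourly clearing rule of item c), as an added Python example (it is not the CUTLASS application code). The class and function names, the scripted outlier counts and the use of the same limit of 60 counts to raise an alarm are assumptions; the paper states only the clearing rule.

```python
from dataclasses import dataclass

CLEAR_LIMIT = 60    # paper: counts must be "less than 60" in a monitoring scan
CLEAR_PERIODS = 3   # paper: "three consecutive 30 minute periods"
ALARM_LIMIT = 60    # ASSUMPTION: same count limit is used to declare high vibration


@dataclass
class Channel:
    number: int
    in_alarm: bool = False
    quiet_periods: int = 0


class GagMonitor:
    """Hypothetical model of the per-channel alarm life cycle."""

    def __init__(self, scan):
        self.scan = scan              # callable: channel number -> count of outlying samples
        self.channels = {}
        self.log = []                 # stands in for the control room and GVM room printers
        self.station_alarm = False    # "Gag Vibration High" output to the station computer
        self.reflashes = 0

    def background_scan(self, number):
        ch = self.channels.setdefault(number, Channel(number))
        if ch.in_alarm:
            return "monitored"        # ASSUMPTION: alarmed channels are left to the half-hourly scan
        if self.scan(number) < ALARM_LIMIT:
            return "normal"
        count = self.scan(number)     # item b): scan again before alarming
        if count < ALARM_LIMIT:
            return "transient"
        ch.in_alarm, ch.quiet_periods = True, 0
        if self.station_alarm:
            self.reflashes += 1       # item d): reset and reflash for a further channel
        self.station_alarm = True
        self.log.append(("ALARM", number, count))
        return "alarm"

    def half_hourly_scan(self):
        for ch in self.channels.values():
            if not ch.in_alarm:
                continue
            count = self.scan(ch.number)
            self.log.append(("MONITOR", ch.number, count))
            # a single noisy period restarts the count of quiet periods
            ch.quiet_periods = ch.quiet_periods + 1 if count < CLEAR_LIMIT else 0
            if ch.quiet_periods >= CLEAR_PERIODS:
                ch.in_alarm = False
                self.log.append(("CLEARED", ch.number, count))
        # item d): the station alarm is held while any channel remains in alarm
        self.station_alarm = any(c.in_alarm for c in self.channels.values())
        return self.station_alarm


def demo():
    # Constructed outlier counts, consumed in scan order for each channel.
    script = {12: [150, 140, 90, 30, 20, 70, 10, 15, 5],
              40: [200, 10],
              77: [300, 280, 5, 5, 5]}
    monitor = GagMonitor(lambda n: script[n].pop(0))
    statuses = [monitor.background_scan(12), monitor.background_scan(40)]
    history = [monitor.half_hourly_scan()]
    statuses.append(monitor.background_scan(77))
    history += [monitor.half_hourly_scan() for _ in range(6)]
    return statuses, history, monitor


if __name__ == "__main__":
    statuses, history, monitor = demo()
    print(statuses, history, monitor.reflashes)
    for entry in monitor.log:
        print(entry)
```

Channel 12 in the constructed data has one noisy period after two quiet ones, so its count of quiet periods restarts and the station alarm is held for three further half-hourly scans.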

FIG.1. ORIGINAL GAG VIBRATION MONITORING SCHEME.

FIG.2. FLOW OF DATA IN THE SCHEME.

FIG.3. FINAL HARDWARE ARRANGEMENT.

FIG.4. BASIC SCANNING PRINCIPLES. (Panels: voltage signal from accelerometer charge amplifier; computer scan of a single channel, 23 secs; computer scan and analysis of successive channels; integer array resulting from scan of one channel, element 1 to element 1024.)

GAGVT125 (visual display) - Accepts requests from operator for system actions, checks their validity and carries out the action. Outputs messages where appropriate.

SUMMARY - Prints summary of alarmed, monitored and cancelled channels at each shift change over.

ALARM - Initiates alarm scan every 30 minutes.

MESSAGE - Outputs alarms, system messages and statistics generated in any scheme.

R3MAIN, R4MAIN - Decides which is next channel to be scanned, and acts on the results of that scan. Raises alarms to the Station computer if channel in alarm or faulty.

HISTR3 - Draws histogram for R3.

HISTR4 - Draws histogram for R4.

SCAN - Scans the R3 and R4 channel at 4 kHz.

FIDO - Interfaces with all schemes via global data items to ensure all are functioning. Activates

SELECT - Operates the scanner relays of the selected R3 and R4 channel to be scanned.

FIG. 5. SOFTWARE INTERACTION
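A small model of the clock-connected marker polling described in sections 7.3 and 9.3 and shown in Fig. 5, as an added Python example that is not CUTLASS code. The task name, the one-second simulation step, the 5-second FIDO interval and the rule that a timed-out task sets its global flag "bad" are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass
class Task:
    name: str
    period: int               # clock-connection interval in seconds
    run_time: int             # seconds of work when its marker is found set
    marker_set_at: int = -1   # -1 means the marker is clear
    busy_until: int = 0
    flag: str = "good"        # global data item read by the watchdog scheme


def simulate(tasks, requests, horizon, fido_period=5):
    """Run the task set second by second.

    requests maps a time to the name of the task whose marker is set then
    (constructed operator requests). Returns the start latency of each served
    request and the time the watchdog relay operated, or None.
    """
    by_name = {t.name: t for t in tasks}
    latencies, relay_at = [], None
    for now in range(horizon):
        if now in requests:
            by_name[requests[now]].marker_set_at = now
        for task in tasks:
            if now % task.period:
                continue                  # not this task's clock tick
            if now < task.busy_until:
                task.flag = "bad"         # still running at the next connection: timed out
            elif task.marker_set_at >= 0:
                latencies.append((task.name, now - task.marker_set_at))
                task.marker_set_at = -1
                task.busy_until = now + task.run_time
            # marker clear: exit and try again at the next tick
        if relay_at is None and now % fido_period == 0:
            if any(t.flag == "bad" for t in tasks):
                relay_at = now            # watchdog relay operated
    return latencies, relay_at


def demo():
    request = {50: "HIST"}   # constructed: operator asks for a histogram at t = 50 s
    # 40 s of drawing connected every 45 s: slow to start, but never timed out.
    ok = simulate([Task("HIST", period=45, run_time=40)], request, horizon=300)
    # The same work connected every 30 s starts sooner but overruns its next tick.
    bad = simulate([Task("HIST", period=30, run_time=40)], request, horizon=300)
    return ok, bad


if __name__ == "__main__":
    print(demo())
```

With the 45-second connection the request waits 40 seconds before drawing starts; with the 30-second connection it starts after 10 seconds but the task is still running at the next tick, which is the time-out case of section 9.3 b).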

3 ON DESIGN MEASURES REQUIRED TO ENSURE HIGH-QUALITY Interface elements of the process control system, their SERVICES OF UNIT COMPUTERS IN NUCLEAR POWER STATIONS probable service life and determining role in fulfilment of functions. I VALKO Solutions for efficient service life and their restrictions. Erolerv, Hungary Necessity and practical realization of control system recon­ struction. The activity has to be planned and taken into account in advance. Control devices are designed for a fraction of the service life of process equipment. 1. Ageing of process controlling computer systems Organisation of the control system with a view to future Moral and physical ageing of computer systems in general reconstruction. The retention of the "hardest" components and in process control. Factors of physical ageing. - i.e. those of the longest service life. The impact of Modification of the control task by unit-specific factors "planned steady computer system development" strategy on recognizable during a longer period; consideration of the control system and corresponding parallel measures taken the a.m. factors by hardware and software means and their in the latter. Probable control system solutions and their limits. Labour decreasing during operation and concentration convergence towards process interfaces of unit computers. of control. Decentralized organisation. Decentralization and BUS orga­ Impact of new measuring techniques. Mora] ageing of spare nization. BUS organization structures; different levels parts. Substitution of IC-s by compatible new circuits of control and corrupting systems. and their utilization problems. Modification of the assortment of mechanical interface elements, the accumul­ NPS unit stillstands resulting of technology and their pro­ ation of spare parts is economically not feasible. bable length. Activities within the primary circuit, possi­ 2. Computing devices in the control system bilities and necessities. Existing discrepancies. 
Power pro­ duction and its availability as well as the relation of Control system equipment consists of easily replaceable the aforementioned factors to the reliability of control. "soft" hardware and of "hard" hardware requiring the replacing of mechanical interface and of cabling. Hardness of hardware and process interfaces . Soft hard­ Efficiency of existing equipment. Elasticity and task ware and cards; solutions for the application of modules "hardness". Hard and variable software. Quality of the containing components of different life duration. fulfilment of tasks. With units not duly typified the for­ The NPS control system is generally the hardest hardware mulation of the task reflects the state of the art and means factor. Some aspects of the efficient service life of of realization of a 6-7 years earlier period. Ageing curve NPS control systems. The control system has to fulfil is steeper than exponential. In an unfavourable case the functional and availability requirements. Outline of formulated task is insufficient and obsolete already at factors influencing availability. the moment of commissioning. 3. Ageing of unit computers "total substitution" and methods of its realization. Possibilities of strategy selection. Ageing features of components of computerized systems with a view to the structure of process computers. Summary

Ageing groups: - printers and hard-copy devices The author analyses the ageing process of NPS unit computers - displays and its influencing factors resulting of the control and - magnetic discs and tapes computing system, by using the strategies of "planned steady - central computing devices development" and of "total substitution". He tries to lay - analogue process peripheries down requirements for designing. The impact of probable - digital process peripheries development trends is investigated, considering also the control system, as a whole. An attempt is made to determine Physical wear and moral ageing of different devices. Ageing "hard" and "soft" hardware and software components. of software. Consequences of software development and un­ changed staff required for obsolete software. Ageing acceler­ ating effects of local software activity and measures to be taken for its restriction.

Strategy of planned steady development and of total sub­ stitution and their comparison. Conditions for the use of the strategy of planned steady development: structure, hardware specifications, BUS and interface specifications and their realization in the field of software handling, and other factors. Possibilities and limits of the application of planned steady unit computer development strategy. Available and actual time of realization. Possibilities of application of the total substitution strategy, its relations with control system reconstruction. Required implementation time and methods. Possibilities of total reconstruction and time schedules for its realization.

4. Design considering ageing

Purpose and time-scheduling of the reconstruction of computing devices. Advantages and steps of the planned steady development strategy. Characteristic features of the necessity of A DIGITAL. DECENTRALIZED POWER STATION CONTROL SYSTEM By the use of microprocessors and bus transmission methods, dedicated control subsystems, with digital WITH BUS-TRANSMISSION FACILITATES stored program processing methods, can be designed THE PROBLEM OF BACKFITTING decentrally and hierarchically. TJie digital tuchriitjues thereby used enable new service and diagnosis methods to be realized. Because of the dynamic method of oper­ G.E. KAISER. R.R. SCHEMMEL ation* i.e. continuous monitoring, and automatic data validation conditions are created which enable dis­ Brown, Boveri & Cie, AG, Brown Boveri Reaktor GmbH, turbances in the whole plant to be identified accord­ Mannheim, ing to location, type and time of occurrence by inte­ grated diagnosis. This results in largely increased Federal Republic of Germany plant availability and improved overall plant opera­ tion. Instead of allocating each measured signal and each instruction a separate wire, all signals and instruc­ tions are transmitted serially via a data bus, accord­ ing to a time multiplexed procedure. By doing this, Intcoduct ion large quantities of cable are saved. Backfitting measures in the plant C & 1 system nay 1 System Overview have their origin in changes or additional installation of process The power station process control system PKOCUcJTROL P equipment (which may also affect the C ( I sys­ covers all tasks, which are required for complete tem) or may be confined to process controli the C & I system itself. 
signal conditioning transmission These changes arise while additional process variables monitoring might be monitored by new sensors, which must be in­ - sequencing control stalled at the interface between process and C & I analog control system (see other paper) or new requirements concern­ protection ing signal conditioning, control algorithms, failure communication of control system strategy need to be realized (see this paper). PRQCONTROL P features a decentralized hierarchical structure and has been designed around digital stored A digital, decentralized C & 1 System with BUS-Trans- program techniques. The information exchange between mission the process control components is made via the bus oriented data transmission and distribution systems. Current NPP control equipment technology is essential­ All signals - measured values and instructions - are ly characterized by the transmission of information in scanned and transmitted serially via a dual channel parallel using individual cables, and utilizes hard­ remote bus system. wired techniques for the processing of information, (see right-hand side of Figure 1). figure 2 shows the control system configuration. Each signal is connected from its originating location with Progress in the area of semiconductor development a process station. Process stations can be mounted characterized by micro-processors and LSI-circuits, anywhere in the plant, so that only short cable runs has opened up new possibilities for the solution of are necessary between transmitter and station, or they the control tasks. The new power station control sys­ can be mounted in a centralized location, such as the tem PROCONTROL P utilizes these possibilities - see Electronics Room for example. The input signal is then left-hand side of figure 1. converted into a digital signal and is passed to the bus. Figure 3 shows a pcuc«ss station in a U00 MW plant. 
In the hard wired programming technique the sequential The blue cables come from the seniors, the yellow one control and analog control tasks are realised by hard­ is the bus. ware modules together with the associated project spe­ cific wiring. In the PRGCONTROL V stored program tech­ The stat ions can contain input, output and processing nique the project specific wiring is replaced by a devices in any nix. All stations are connected with project specific structuring. The necessary functions each other by a remote or a local bus. All signals are for the process control tasks are available in the transmitted via the remote bus to all stations which form of Standard Function Modules (Firmware). Proceed­ are connected to the bus. In each station the signals ing from function plans these standard functions are are distributed, if necessary, to all devices where structured by the means of the connection definitions they are required for processing or signalling or as and their parameters. The input of this data is in instructions cor example. plain language statements which are familiar to engi­ neers. Programming knowledge is not required. The reiaote bus coupler ensures thct the stations are connected non-reactively to the bus. The distr ibutor The communication between the operators and the con­ station coordinates the distribution of data. The re­ trol system is designed as a system which is hierar­ mote bus consists of two independent channels. Each chical with relation to its abilities and equipinon' . station is connected non-reactively to the two chan­ The principal item of this process-control communica­ nels of a remote bus line - channel A and channel B. tions system is a central operating desk. Via this The principle of dual channelling is carried out con­ desk it is possible to communicate with the whole of sequently in the distributor stations. Each transmis­ the process control system. 
All devices, structures, sion channel has its own distributor station. parameters etc. can be accessed from here, i. e. they can be displayed and modified with simultaneous auto­ The transmission security of the PROCONTROL P remote matic documentation. Among others, the following mode bus system exceeds the maximum class according to of operation are possible: IEC TC 57, A maximum of 8 remote bus lines can lead from the distributor station into the individual plant simulation of signal statuses areas in a star configuration. Each remote bus line separation of defective signals can be up to 1500 m long. The system is designed in remote adjustment of parameters such a way that the remote bus lines and the remote signal tracing (including device internal signals) bus couplers can be planned, installed and commis­ structuring of sequential control and analog sioned without the exact position and layout of the control individual stations being previously known. These graphical display of process control functional stations can be subsequently connected to the remote details. bus coupler via direct connections up to 50 m long (see Pig. 3). Communication with the process control system is very simple, being based on dialog techniques via the Figure If shows an application example of a 600 MW colour CRT units. lignite power station. Four redundant remote bus lines lead (in separate channels each) from the electronics The capability to display disturbances which occur room into the field. Sensors ans transducers comprise within the process control system (as opposed to pro­ a total of approximately 2500. cess disturbances) is an additional important feature of the process control communication system. The basis The stations can be planned, installed and commis­ for this is the decentrally designed hierarchically sioned independently of one another and of the remote structured diagnostic system of PROCONTROL P. bus lines. The data transmission systeiu is event-oriented. 
Signal changes are transferred immediately. Even with a large number of events the reaction time is less than 10 ms.

Addressing and Direction of Transmission

Each signal to be transmitted must be identified with an exclusive address. A signal can only have one point of origin; it can however be used at several locations. In PROCONTROL P each signal to be transmitted is addressed according to its originating location, i.e. its source (source location address).

Data sinks, like output or processing devices, keep an address list, in which the signals are detailed, which the device has to receive and evaluate. The signal connection is produced by inputting the required source address. The address list is stored in a programmable semiconductor memory (PROM) and thus easily amendable.

The data transmission with source addressing is, in principle, comparable with radio. The receiver is tuned on the transmitter; many receivers or data sinks can listen simultaneously. The system is simple and additional sinks may be added without repercussions on the data sources.

Example of a NPP

A typical example of backfitting a C & I system in a nuclear power plant is the following:

In the 900 MW NPP Tihange 2 the central control room and the three independent emergency shut down rooms are linked together with three bus systems (see Fig. 5). 870 criteria and 190 commands (all in a binary manner) are transmitted.

The bus system has the task,

- to transmit the positions of switchgear and valves of the safety system from the emergency shut down rooms to the control rooms and
- to give commands from the control room to the emergency rooms for safety-related and normal operational systems of the plant.

The application of the bus system made it possible to fulfil the subsequent requirement of the licensing authority for linking the three emergency rooms between control room and safety related process systems in a non-reactive and redundant way. This could be realized very quickly and without major construction work on site (no cabling!).

Galvanic separation between the safety process systems is realized in the emergency rooms and also between the control room and the safety process systems. IEEE-Standards and NRC Regulatory Guides are satisfied (i.e. IEEE 308, 323, 344, 4K> NRC 1.69 and 1.100).

Advantages in Backfitting Requirements

- New connections between the process and all monitoring, protection or control locations are made only by software modification. No cabling is needed. Each signal to be transmitted is identified by exclusive address and it can be used at several locations. Additional cabling or analog signal conditioning modules are not required and significant space is saved in already crowded control rooms.

- Maintenance and modification of existing systems is difficult because of the limitation on spare parts. State of the art equipment is microprocessor based and more readily available and cost effective than outdated analog modules.

- The tasks of superordinated analog control or sequential control (which could be the sequential control of a function group) are carried out by micro-processor devices, which can communicate via the bus system. These devices receive input values, process them according to predefined programs and then output the resulting values and the positioning instructions to the bus system. Backfitting in the system can be considered in the user program memory at a later date. The number of devices is not affected and another device type is not required. Changes of algorithms in a control loop and of sequential control functions during backfitting are realised by changing a PROM.

- Backfitting operations concerning damping and signal-to-noise ratio in the signal transmission path can be realized without expensive and time-consuming hardware operations by a non-linear adaptive filter.

- Process computer system together with the display system are used for high level information processing and display tasks. These systems allow the use of standard display formats as well as user tailored graphic display formats to aid in the overall control of the process. All backfitting tasks concerning man/process communication can therefore be realized in a very simple manner only by changing software.

- Error indicators from the C & I system, such as measuring range overstep, can be presented to the operator in an ergonomically optimal way. Backfitting whose origin lies in changing ergonomic topics can also be realized in a flexible way.

Fig. 1: Current equipment technology and digital BUS transmitting technology

Fig. 2: System configuration of PROCONTROL P

[Figure: application example, lignite power station]

Figure 7 - Central control room with main and auxiliary control consoles

Session S

SPECIAL SYSTEMS AND PROCEDURES DUE TO NEW REQUIREMENTS

Chairman
D. WELBOURNE

COMPARISON OF CONTROL SYSTEMS APPLIED TO THE HANDLING OF RADIOACTIVE REACTOR COMPONENTS

C. ROBINSON
National Nuclear Corporation Ltd, Warrington, Cheshire

E.G. HARRIS, P.C. DYER
Strachan & Henshaw Limited, Bristol

J.G.B. WILLIAMS
South Western Region, Central Electricity Generating Board (CEGB), Bristol

United Kingdom

Abstract

The first generation of nuclear power stations have individual reactors each incorporating complete facilities for servicing components and refuelling. In the later designs, each power station has two reactors which are connected by a central block. This central block contains one set of facilities to service both reactors, but to improve the station capability, some of these are to be replicated.

The central block incorporates a hoist well which was used during construction for the accessing of complete components. On completion of this work, the physical size of the hoist well is such as to permit the incorporation of additional facilities if these are shown to be operationally and economically desirable. Since a number of years of power operation has elapsed, the advantages of back-fitting to existing fuel-handling facilities has been illustrated.

Since the mechanical arrangements and operating procedures are substantially similar for both the original and new handling facilities, the paper will illustrate the control systems provided for each.

The configuration of the system is arranged to have two channels of control which complies with the current standard requirements in the United Kingdom. These requirements are more stringent than when the existing facility was designed and constructed, as described in the relevant sections of the paper. The new system has been designed and is being manufactured to comply with the Central Electricity Generating Board standard for nuclear fuel route interlock and control systems.

1 Introduction

The existing discharge fuel route for the two advanced gas cooled reactors at Hinkley Point 'B' Power Station comprises a series of individual 'in-line' facilities common to both reactors. The breakdown or outage of any will affect the total refuelling capability; hence, the length of time before such a breakdown or outage affects the refuelling rate will be very short.

Based on operational experience to date it is estimated that a major outage on the fuel dismantling facility will be required at approximately seven year intervals throughout the life of the power station. This is to enable the replacement of non-metallic components which are expected to deteriorate in service due to the high levels of irradiation within this facility.

The facility, known as the irradiated fuel dismantling cell, has operated satisfactorily since the station was commissioned in the 1970's, but because of the implications stated above, a new fuel dismantling and other 'in-line' facilities have been or are being constructed.

One of the facilities at present under construction is known as the stringer dismantling cell, and this cell will be capable of performing routine dismantling of fuel stringers and will supplement the existing irradiated fuel dismantling cell.

This cell, although being constructed on similar lines to the existing facility, has one major difference, and that is the introduction of programmable logic controllers to perform the control and interlock functions. On the existing facility these functions are carried out by electro-magnetic relay logic.

The control and interlock system is based on a Central Electricity Generating Board Generation Development and Construction Division standard entitled "Principles of Nuclear Fuel Route Interlock and Control Systems". This standard has been updated (1980) to take into account the use of programmable logic controllers. The standard has been produced to ensure that safety and reliability are given paramount consideration in the design of all nuclear fuel route control systems, and outlines essential design parameters to achieve the minimum desired integrity of the control systems.

The above stated standard specifies that the design of interlocks shall incorporate the level of diversity and/or redundancy necessary to meet the required integrity(s).

As a guide, a system of interlocks rated as Class B must provide a minimum integrity equal to 10~* failures per annum and to protect against the following stated hazards:-

(i) severe damage to fuel or plant which can be repaired but would result in plant shut-down for a long period.

(ii) release of radioactive material likely to lead to doses off-site greater than 1/100 ERL.

(iii) A release of coolant which cannot be isolated and/or could cause temperature and toxicity hazards.

(iv) High radiation dose rate likely to lead to a radiation exposure above the annual limit.

The new facility is being constructed in what was the old hoist well of the services block which interconnects the two reactors. (A new hoist well has been constructed for operational purposes). The original hoist well is of a size that, during the initial construction of the Power Station, large permanent plant items were introduced as complete assemblies, hence, there is adequate space to construct the new facility without any interruption to the normal operation of any of the existing plant.

There are however, three existing plant items that will connect with the new facility, either electrically or mechanically - the fuelling machine; gas blowdown plant; irradiated fuel cooling storage pond. Therefore, the back-fitting at these plants can, by careful preparation of the interfaces, be implemented during a very short time-scale.

2 Existing Facility

(i) General

An irradiated fuel assembly, Fig 1, can be removed from the reactor by the fuelling machine whilst the latter continues to operate. This means that the machine contains carbon dioxide at pressure (design value 685 psig) and temperature (design value 250°C). Initially, the assembly is placed in a pressurised decay storage tube and thence, after a suitable period, to the unpressurised facility, Fig 2.

(ii) Operation

The facility, Fig 2, is provided for the following operations

(a) dismantling of the irradiated fuel assembly.

(b) discharging the individual fuel elements into the storage pond prior to despatch to the reprocessing plant.

(c) changing one, or more individual fuel elements in the event of failure, and the subsequent re-assembly prior to restoration in the reactor.

... fuelling machine; the hoist room; the filter room, and the actual control desk. In addition, the desk incorporates the functioning of both the electrical and mechanical control stations which are installed adjacent to the viewing window.

The principal control station for the required functions is the desk mounted outside the upper cell, and this has over one hundred devices for initiating and controlling the operations, indicating the state of the equipment, displaying alarms and annunciating protection systems. It is organised into the four principal functions that are required for the complete operations to be carried out in the facility; fuel cooling; fuelling machine; actual dismantling of the assembly; disposal of components.

It is apparent that there must, of necessity, be a large amount of inter-communication between the individual control stations whilst inserting and withdrawing a fuel assembly and during the actual dismantling procedure. Also, a considerable number of protective devices are fitted to safeguard personnel and the equipment in the event of either electrical or mechanical failure. The interlocks are categorised according to their function, for example: protection of personnel; control of the loading and unloading of an assembly; prevention of damage to equipment; ensuring the correct routing of disposable items. To achieve a high level of reliability whilst at the same time maintaining equipment availability, many devices are replicated.

All the control, indication, interlocking and alarm functions are performed using electro-magnetic relays and contactors, ... the terminals and arranged for wall mounting. (This arrangement was dictated by the structure and layout of the cell).

The facility is designed for operation as a single channel control and interlocking system, which means essentially one switch and one controlling feature for each of the control requirements. This being the level of integrity and reliability required at the time of design and manufacture.

The control system is designed on the then prevailing fail-safe philosophy which demanded normally closed contacts going open to stop drives or motions, and normally open contacts closing, to provide a signal for interlocking purposes or indication of a position being reached.

The facility and its control system is still fully functional and has operated without major repair or modification since installation, apart from specified routine inspection and maintenance procedures.

3 New Facility

(i) General

To avoid having to shut down the complete power station in the event of major remedial work being necessary on the existing facility a completely new facility is to be provided. Functionally this new facility is similar but quite separate to that already in existence and for various reasons, the design has evolved in a different manner. The facility consists of upper and lower cells, as shown in Figs 3 and 4, the control equipment being situated in the areas of the manipulators outside the shielded viewing windows. Since the original dismantling facility was designed some fifteen years ago, advances in technology and changes in the specifications for interlock and protective circuitry have been incorporated into the design of the new facility and its associated equipment.

As described in section 2 (iii) of this paper, the original facility's control system is composed of a large number of electro-magnetic relays and contactors. With the development of reliable programmable logic controllers it is intended that these devices will be used to supervise and control all the individual operations and steps necessary to perform the functions listed in section 2 (ii). Since a programmable controller is physically smaller than the equivalent relay system this is, in the context of the new dismantling facility, a considerable advantage, since space is restricted.

Control Philosophy

(a) General

The complete system consists of the programmable logic controllers, motor control centres, motors, actuators, control devices, sensors, limit switches, alarms and indicators, control desks and interface equipment; generally as shown in Fig 7.

The principal operator interfaces with the programmable controllers are the push-buttons and plant status/alarm indicators in the upper and lower cell control areas and in existing items of plant in the power station, namely the fuelling machine, reactor coolant gas blowdown plant, and the inlets to the storage pond and debris vault.

(b) Programmable logic controllers (p.l.c's)

In general, the normal sequence of operations will be supervised and regulated by two identical p.l.c's operating in parallel, and two additional p.l.c's are used to control the cooling system. The p.l.c's are of modular construction and incorporate facilities for entering, storing and executing pre-determined sequence programs for the plant operation. However, to provide reliable interlock routes the p.l.c's will operate independently, each incorporating the required number and types of inputs (analogue and digital) and outputs. All the plant sensors and actuators will provide inputs to the p.l.c's, and those sensors associated with a particular drive mechanism which has been duplicated will provide a separate, but identical form of input to each of the p.l.c's. Since the p.l.c's have identical programs for each function, both of the activating outputs will be presented simultaneously, subject only to transition times. The system is arranged so that parity checking takes place on each individual input and the interlock voting between dual outputs. Also, operational checking between each p.l.c is provided by connecting the final output drive signals from each p.l.c. into ports on the complementary p.l.c. The complete p.l.c. system will annunciate alarms and disable outputs in the event of the following faults occurring;

an unauthorised post-commissioning program change, or
loss of power supply.

Because of the form of operation of the dismantling facility it is necessary to provide remote and analogue input/output features and to have the capability for handling arithmetic functions.

The actual physical arrangement of the p.l.c system is a processor cubicle containing the two p.l.c's and local input/output bases, generally as shown in Fig 6, with two remote input/output cubicles elsewhere, along with remote bases in the motor control centre and the upper and lower cell control panels.

The p.l.c's will operate from a 110V, 50 Hz supply; the inputs will, in general, operate at 48V d.c. as will the outputs to indicators, whilst the outputs to contactors and solenoid valves will operate at 110V a.c.

Each p.l.c system is provided with plug-in facilities for the connection of a portable visual display unit to assist in the diagnosis of faults, maintenance and programming purposes. The keyboard on the display unit is fitted with a temporary removable overlay for maintenance or re-programming operations. Once a security key is removed from the p.l.c., the mode of operation is unalterable; this security is in the form of passwords which are attached to the programming mode. A maintenance mode of operation is incorporated in each p.l.c. system which is completely independent of normal operations and has restricted access.

The sequence of the controls for the operations in the facility are governed by electrical interlock circuits derived from the individual plant items. Two types of interlock are used, and defined as:-

sequence interlocks which relate to the condition of the facility prior to activating a drive or other function.

drive interlocks which relate to the condition of a particular drive, or function, prior to it being activated.

A considerable amount of effort has been expended in producing high quality software for the p.l.c's. Following the compilation of the schedule of operations, flow charts have been prepared for each of the routines to be performed in the facility; finally, using these flow charts, ladder diagrams have been produced, and at all stages cross-checking has taken place by personnel not involved with the preparation of any of the foregoing documentation.

As stated in section 2 (iii) of this paper, there are nearly seventeen hundred individual steps that can be performed in the facility, therefore it is apparent that the use of p.l.c's has considerably simplified the overall physical arrangements in the new facility.

(c) Motor control centres

For the complete operation of the facility the control centres contain the starters for all the necessary drives and actuators. In general, all the starters consist of fuse-switches and two separate pairs of reversing contactors, these latter being installed in separate compartments. The centres also contain remote input/output bases associated with the p.l.c's. For maintenance purposes the starters and valve solenoids are each capable of manual operation, independent of the normal operating sequence.

(d) Control desks

Both the upper and lower control desks are situated in front of the shielded viewing windows at their respective levels in the facility.

The following functions are provided on each:

upper control desk
37 control functions
24 visual indications
8 visual alarms

lower control desk
5 control functions
13 visual indications

(e) Control system

The new facility control system is microprocessor based, and in accordance with the specified requirements for the plant is arranged as a two channel system. Each channel consists of a main processor plus remote input/output bases with two signal sources for each defined function; and this is achieved as follows.

The system configuration, namely two channels of control, is arranged to comply with current UK standards. These are more stringent since the existing facility was built, hence the requirement now for two channels.

The system has been designed to meet the interlocking requirements of the user specification number 0DCD194 with the particular hazard integrity conforming to the present requirements, namely Category 'B'.

Each processor has a signal input count of approximately two hundred and fifty (250), plus five (5) analogue input signals and an output count of approximately eighty (80) plus one (1) analogue output module.

There are a further fifty six (56) inputs and ninety six (96) outputs plus three (3) analogue output modules for the control desks.

The majority of input modules are 48v dc with the exception of those for particular applications such as 15v dc for the encoders and 4 - 20 mA or 0 - 10v for analogue signals.

The output modules provide for outputs of 110v ac, 48v dc, TTL and analogue. In addition to these, the system provides WORD input and output modules which consist of eight lines multiplexed; these operate at TTL levels (five (5) volts dc) and are used for communication between the two main processors.

Typical 48v dc inputs are from plant operated switches and other voltage free contact signalling devices and 15v dc input modules are for use with encoder type inputs. Analogue inputs are sourced from another processor and are used for mechanical equipment position information; also analogue inputs from the load monitoring devices in various parts of the facility are provided.

Outputs at 48v dc are used for alarms, indication, small dc solenoids and interface relays whilst the 110v ac outputs energise final drive contactors. TTL outputs are for LED displays with analogue outputs being used for analogue type meters and/or indicators and also for an operational speed control feature for the main platform drive.

The processor user memory is programmed using a VPU (Video Programming Unit) which provides programming function keys together with a visual display giving the operator prompt messages as well as the system software configuration. The application software is initially loaded in battery backed RAM to enable it to be verified and/or modified during works tests on the equipment and the possible changes during the subsequent site commissioning. The final applications program in RAM is then transferred to EPROM which is the final format used during the active operations of the facility. This particular arrangement gives a non-volatile memory and is unalterable by the operator. Thus the program can only be modified by special equipment and authorised personnel. During the operation of loading to EPROM the program is also loaded to tape or floppy disk for storage if required.

The programming unit (VPU) can be used during commissioning to monitor program events in real time. The individual signal operations are displayed on the VPU and this information can be used to aid fault finding.

Within the controller suite the interlock requirements of both channels are kept separate by using separate processors and separate programs. This is necessary as the integrity of a single processor is not sufficiently high to allow that processor to control both channels.

The processors are programmed to carry out system response; to monitor that within a time window the drive output correctly responds to the processor output signal, and further checks that the drive has achieved its objective within a pre-determined time.

Programs within the processors are sub-divided into:-

operating routines, which drive outputs and contain the interlocks.
sequence routines, which supervise and schedule the operating routines.
checking routines, which test the conditions of inputs and outputs.
alarm routines, which monitor and display fault conditions.

The system uses diverse sensors wherever practicable to achieve the required interlock integrity. Where it is not practicable to use diverse sensors, simple redundancy with high integrity actuation is used to achieve the required level. All sensors are wired into the processors as changeover contacts to enable a regular complement check to be executed on each, thus providing a check and confirmation of the satisfactory operation of that particular sensor. The processors will also carry out a parity check on all multi-channel inputs and outputs. The sensors connected to the processors will switch the +48v dc, sourced from within the controller suite.

The class of interlock is then achieved by using two channels of input sensor and drive outputs.

All sensor permissive signals connected into the processors are at a logic 1 level and all permissive signals transmitted by the processors to other equipment, or to separate parts of the same equipment which are external to the processor, are also at a logic 1 level.

The remote input/output bases are plant mounted, that is, in the control desks; motor control centre; local to groups of plant sensors. As the remote input/output bases use a serial link communication to the main processor this enables a reduction to be made in main run cabling together with termination boxes which, in turn, reduce the number of connections and terminations to be made during installation, thereby improving reliability.

The sensors used in the facility are primarily mechanically operated limit switches with some auxiliary systems for specific functions such as load monitoring; height or position control; radiation monitoring based on electronic systems. The load monitoring is connected as an analogue input to the processors and used for various control and interlock functions, whereas height and position signals are connected as digital inputs and processed as a binary count.

The diversity of signal generation is achieved, where possible, by using different types and/or manufacturer of signal sensors; for example:- for height control there are two different types of encoders, one being absolute, the other incremental, each encoder being connected to a different channel. For a typical actuator operated drive, discrete limit switches are used which are operated by the final operating shaft, as are separate limit switches, these latter being integral with the actuator drive - the switches being connected to separate processor channels.

The signals from operator desk mounted controls such as pushbuttons and controllers are connected to one channel only via a remote input/output base and then, using the communications link between main processors, transferred to the second processor.

The use of a processor based system for control purposes has enabled standard operational features such as indicator lamp testing, alarm testing and general plant monitoring to be included for operational and maintenance facilities, all of which are software based rather than hard wired as in relay logic systems.

The new plant facility is required to interface with other existing facilities such as the fuelling machine, gas blowdown system and the fuel storage pond. The specific functions of these are:-

The fuelling machine is used to transport irradiated fuel from storage tubes to the dismantling facility(s).

The gas blowdown and cooling system depressurises the refuelling machine and controls assembly cooling.

The storage pond receives the individual fuel elements from this, or the original, facility for storage and final off-site despatch for re-processing.

All the interfacing output signals are arranged to have volt-free contacts via output relays which are mounted within the controller suite. The interfacing input signals are arranged as volt-free contacts within their respective facility control cubicles to switch the new facility's 48v dc signals.

To achieve final switching of heavy current devices, such as motors, actuators etc, a motor control centre is provided, fully compartmented and arranged to provide suitably rated dual contactors to achieve the reliability and integrity figures in line with the specified requirements. The two contactors for any particular drive are operated independently and simultaneously by their respective processor. Also a signal indicating the contactor operated condition is provided as an input to the processor - this being used for parity checking.

Two of the compartments are used for special functions and contain the equipment necessary to provide d.c. regenerative type drives. These drives are used for the grab hoist and platform functions, which are operationally required to achieve a high level of speed and position control. Independently adjustable controls are provided for acceleration and deceleration together with controls for current limit, overload and maximum and minimum speed settings. Outputs from these drive units are provided for remote diagnostic monitoring and are used in the main processors for control and indication/alarm purposes.

To achieve the required speed and position control, the units have regenerative power converters consisting of two, 3 phase fully-controlled thyristor bridges, connected in anti-parallel, one always being suppressed whilst the other conducts. These converters are used to control the speed and torque in either direction, for both the driving and braking modes.

The platform drive unit, see Fig 3, is also supplied with a 0 - 10v dc analogue signal, derived from the main processor, to provide operationally defined speed control. This enables speed matching to be achieved between the platform and the refuelling machine during dual mode operation, for the safe handling of the irradiated fuel stringer.

4 Conclusions

This paper has illustrated the advantages of utilising processors over 'hard-wired' relay systems for the control and interlock functions of irradiated fuel dismantling. Also, practical as well as technical benefit is apparent since the manufacturing of the processor system is simplified and, as stated, the space requirements are considerably reduced.

5 List of Figures

1 Basic arrangement of fuel stringer.
2 Simplified arrangement of existing dismantling facility.
3 Isometric view of upper cell.
4 Isometric view of lower cell.
5 Typical cubicle arrangement - existing facility (relay/contactor system)
6 Arrangement of cubicle - new facility (p.l.c system)
7 Basic block schematic diagram of complete system.

6 Acknowledgements

This paper is published by permission of the managements of:-

National Nuclear Corporation Ltd, Warrington, Cheshire, England.
Strachan & Henshaw Ltd, Ashton, Bristol, England.
Central Electricity Generating Board, South Western Region, Bristol, England.
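The two-channel interlock scheme described in the paper above (changeover-contact complement check, parity check between the channel outputs, outputs disabled on an unauthorised program change or loss of supply), as an added Python model that is not code from the paper or the plant. The tag names, the SHA-256 digest comparison used to detect a program change, and the series arrangement of the two contactors are assumptions made for the illustration; the sample program image and sensor states are constructed.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Changeover:
    """A sensor wired as a changeover contact; the processor reads both poles."""
    no: bool  # normally-open pole: logic 1 when the permissive is made
    nc: bool  # normally-closed pole: must always be the complement of `no`

    def healthy(self) -> bool:
        # Complement check: a broken wire or welded contact leaves both poles
        # in the same state, which a single-pole input could not reveal.
        return self.no != self.nc

    def permissive(self) -> bool:
        # A sensor that fails the complement check never grants a permissive.
        return self.healthy() and self.no


def digest(program: bytes) -> str:
    return hashlib.sha256(program).hexdigest()


class Channel:
    """One processor channel with its own sensors and its own program image."""

    def __init__(self, name: str, program: bytes, commissioned_digest: str):
        self.name = name
        self.program = program
        self.commissioned_digest = commissioned_digest
        self.powered = True

    def evaluate(self, sensors: dict[str, Changeover],
                 required: list[str]) -> tuple[bool, list[str]]:
        """Return (drive output, alarms) for one drive on this channel."""
        alarms = []
        if not self.powered:
            alarms.append(f"{self.name}: loss of power supply")
        # Assumption: a program change is detected by comparing a digest with
        # the value recorded at commissioning; the paper does not say how.
        if digest(self.program) != self.commissioned_digest:
            alarms.append(f"{self.name}: unauthorised program change")
        for tag in required:
            if not sensors[tag].healthy():
                alarms.append(f"{self.name}: complement check failed on {tag}")
        # Any alarm disables the output; otherwise every permissive must be 1.
        output = not alarms and all(sensors[t].permissive() for t in required)
        return output, alarms


def two_channel_drive(ch_a, sens_a, ch_b, sens_b, required):
    """Combine both channels: each processor operates its own contactor."""
    out_a, alarms_a = ch_a.evaluate(sens_a, required)
    out_b, alarms_b = ch_b.evaluate(sens_b, required)
    alarms = alarms_a + alarms_b
    # Parity check: each channel sees the other's final output. A real system
    # would allow for transition times before alarming.
    if out_a != out_b:
        alarms.append("parity check: channel outputs disagree")
    # Assumption: the two contactors are in series, so both must close.
    energised = out_a and out_b and not alarms
    return energised, alarms


LADDER = b"constructed program image v1"            # constructed sample
REQUIRED = ["grab_raised", "shield_valve_closed"]   # hypothetical tag names


def scenario(fault: str = "none"):
    """Build two healthy channels, inject one constructed fault, evaluate."""
    ref = digest(LADDER)
    ch_a, ch_b = Channel("A", LADDER, ref), Channel("B", LADDER, ref)
    sens_a = {t: Changeover(no=True, nc=False) for t in REQUIRED}
    sens_b = {t: Changeover(no=True, nc=False) for t in REQUIRED}
    if fault == "stuck_contact":        # both poles read 1 on channel B
        sens_b["grab_raised"] = Changeover(no=True, nc=True)
    elif fault == "program_change":     # image differs from commissioning
        ch_a.program = LADDER + b" patched"
    elif fault == "power_loss":
        ch_b.powered = False
    elif fault == "sensor_disagree":    # healthy sensors, different states
        sens_b["shield_valve_closed"] = Changeover(no=False, nc=True)
    return two_channel_drive(ch_a, sens_a, ch_b, sens_b, REQUIRED)


if __name__ == "__main__":
    for f in ("none", "stuck_contact", "program_change",
              "power_loss", "sensor_disagree"):
        print(f, scenario(f))
```

In the "sensor_disagree" case neither channel has an internal fault, yet the drive stays de-energised and the parity check is the only alarm, which is the situation the cross-connection of final outputs between processors is there to catch.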

FIG 1 BASIC ARRANGEMENT OF FUEL STRINGER

FIG 2 SIMPLIFIED ARRANGEMENT OF EXISTING DISMANTLING FACILITY

FIG 3 ISOMETRIC VIEW OF UPPER CELL

Drawing labels: master/slave manipulators; cell lighting cartridges; end fitting removal drive; debris latch drive; pond latch drive; pond latch emergency drive; debris tube vault shield valve drive

FIG 4 ISOMETRIC VIEW OF LOWER CELL

FIG 5 TYPICAL CUBICLE ARRANGEMENT - EXISTING FACILITY (RELAY/CONTACTOR SYSTEM)

FIG 6 ARRANGEMENT OF CUBICLE - NEW FACILITY (P.L.C. SYSTEM)

FIG 7 BASIC BLOCK SCHEMATIC DIAGRAM OF COMPLETE SYSTEM

BACKFITTING OF RESEARCH REACTORS*

R. DELRUE, Th. NOESEN
Belgonucleaire, Brussels, Belgium

* Presented by S. HERIN

1. INTRODUCTION

Numerous nuclear centres operate research reactors with nominal thermal powers ranging from several hundred kW to the range of 5 to 10 MW. Many of these reactors, of various origins, are from 10 to 20 years old and may require adapting or modernizing to raise their power level or to repair worn parts, or simply to replace parts that have become obsolete following the development of new technologies.

Two of Belgonucleaire's recent achievements in the field of backfitting are the Turkish TR1 and TR2 reactors and the Iraqi IRT 5000 reactor. The main aspects of these projects are described below.

2. THE TURKISH TR 1 AND TR 2 REACTORS

In 1977, the Turkish Atomic Energy Commission (TAEK) decided to enlarge the existing AMF type 1 MWt TR1 reactor facilities at the Cekmece Centre for Nuclear Studies and Training (CNAEM) located 40 km away from Istanbul. The plant has been modified to include a second reactor of 5 MWt power in the same pool.

Three specific fields were covered:

a) core structure for the TR2 reactor with the exception of the already existing fuel and control rods.
The scope pertained mainly to the design and construction of
  • the support unit for the core, control rods and neutron chambers
  • the support unit for the control rod drives
  • a set of tools for handling the various core components
  • a mobile platform above the pool to permit handling.

b) cooling and purification circuits for both the TR1 and TR2 reactors.
The scope covered specifically the design and construction of
  • a new stainless steel lining for the pool to replace the old ceramic lining
  • new primary and secondary loops for the existing TR1 and the new TR2 reactors, including the atmospheric cooling towers
  • circuits to measure the N16 level and for the detection of cladding rupture (DRG)

c) instrumentation and control for the TR2 reactor.
The scope pertained mainly to the supply of the nuclear and thermodynamic instrumentation channels, i.e.
- neutron channels with their detectors
  • 3 safety channels working in a 2 out of 3 logic
  • 1 control channel allowing manual and automatic operation. The automatic operation mode is equipped with a fast and a slow correction loop. The fast correction loop takes the neutron flux into account. The slow correction loop is based on thermal power correction or on N16 correction.
- temperature, pressure, flow and level instrumentation adapted to the new reactor, mainly
  • core inlet and outlet temperature
  • warm layer temperature
  • pool temperature
  • heat exchanger temperatures
  • core differential pressure
  • primary and secondary flowrates
  • pool level
- health physics equipment, mainly
  • Jl gamma channels in the reactor rooms
  • 3 gas activity monitoring channels
  • 3 dust monitoring channels
  • 2 DRG channels
  • 3 fast neutron channels
- * control rod drives
- all systems pertaining to interlocks, displays, alarms and emergency shut-down of the reactor.
- a new control room equipped with 13 panels and a control desk for the new TR2 instrumentation and control equipment; spare room has been provided for the existing TR1 control equipment intended to be transferred there at a later stage.

Fuel was loaded into TR2 at the very beginning of December 1981, the reactor reached criticality for the first time on December iU, 1981 and reached its nominal 5 MWt power level on October 5, 1982.

3. THE IRAQI IRT 5000 REACTOR

In February 1982, BELGONUCLEAIRE, through its subsidiary, Belgatom, was entrusted with the task of replacing and modernizing the instrumentation equipment of the IRT 5000 reactor at the Tuwaitha Nuclear Energy Centre located 30 km away from Baghdad, in Iraq.

The contract covered:

- dismantling of the existing instrumentation system

- design, construction, installation and start-up of the new system dimensioned so as to allow the reactor to operate at a 5 MWt power level.

The entire new system uses the existing measuring chambers and control rod drives, some existing cables and in line instruments. In addition, the new equipment is designed to meet the various operating criteria of the original plant.

Specifically, the following equipment has been supplied:

- Start-up, safety and operating neutron channels compatible with the existing cables and detectors. A total of 9 channels were concerned.
  • 2 channels (log power + period) for the period measurement and protection
  • 1 channel for the linear flux recording
  • 1 channel for the period controller.
  These four channels are connected to four existing mobile ionization chambers automatically lifted as function of the flux.
  • Another linear channel uses a fixed ionization chamber and performs flux control. Combined with a demand signal from the "power demand potentiometer" it generates the error signal used to drive automatically the control rod.
  • Two other linear flux channels, connected to a fixed ionization chamber, are used as safety channels inducing a reactor shutdown by overpower.
  • A third log power + period safety channel using also an existing fixed ionization chamber provides safety actions for neutron flux level and period.
  • Finally the last fixed ionization chamber is connected to a linear amplifier the output of which is sent to a frequency converter providing a sound at a frequency directly tied to the neutron flux level, thus warning the operator of any change of power.

- Temperature, pressure, flow and level instrumentation necessary to meet the conditions imposed by the existing equipment.

- Health physics equipment to survey the reactor hall and the existing ventilation system, mainly 5 gas and aerosol monitoring systems connected to the existing ventilation ducts or stack.

- All systems pertaining to interlocks, displays, alarms and emergency shut-down of the reactor.

- Numerous panels and a control desk for the existing control room, a public address system and an insulation test circuit to survey the existing low voltage circuits.

The contract has been signed in February 1982 and the provisional acceptance has been signed by the customer in November 1983. As the old system dismantling started only in May 1983, the reactor has been shut down for less than 6 months.

That very short time is mainly due to

- very good collaboration with the customer who gave us all the required detailed information concerning the old system and the interfaces with parts of the system which were not replaced

- good preparation of the paper work before the dismantling of the old system

- use of connectors instead of classical terminals, allowing connections and complete tests in the workshop

- easy start up of the new system with a staff of personnel using the new system exactly the way it used the old one, the "man-reactor" relation being as close as possible to the old one.

4. CONCLUSIONS

The backfitting of research reactors covers a variety of activities:

- Instrumentation and control. Control systems have developed rapidly and many reactor operators wish to replace obsolete equipment by new systems.

- Pool liners. Some pools are lined internally with ceramic tiles. These may become pervious with time necessitating replacement, e.g. by a new stainless steel liner.

- Heat removal system. Deficiencies can occur in one or more of the cooling system components. Upgrading may require modifications of the system such as addition of primary loops, introduction of deactivation tanks, pump replacement.

Recent experience in such work has shown that renewal, backfitting and upgrading of an existing reactor is economically attractive since the related costs and delivery lags are substantially lower than those required to install a new research reactor.

INFLUENCE OF REGULATORY REQUIREMENTS FOR NUCLEAR POWER PLANTS ON THE BACKFITTING OF AUSTRIAN RESEARCH REACTORS

H. BOCK, J. HAMMER
Atominstitut der Österreichischen Universitäten, Vienna

A. NEDELIK
Österreichisches Forschungszentrum Seibersdorf, Vienna

H. WEISS
Technische Universität Graz, Graz

Austria

1. GENERAL CONSIDERATIONS

In general, both the rules and recommendations for research reactors and the regulatory requirements for nuclear power plants (NPP) have substantial influence on the backfitting of research reactors. This is especially true for cases where research reactor facilities are in the stage of final licensing or renewal of the operation license. However, the main impacts on backfitting in control systems and instrumentation of research reactors usually result from regulatory requirements for NPP; in Austria especially from the licensing procedure of the Zwentendorf NPP.

Generally there are several areas of influence:

A. Administrative procedures
- diagnosis of faults and plant disturbances and counteractions to be taken; for instance included in the operation manual
- repetitive testing procedures
- maintenance and repair procedures for safety related instrumentation
- emergency plan
- facility reporting
- documentation.

B. Backfitting in hardware
- separation of safety actuation systems and operation systems
- redundant and diversified instrumentation
- emergency instrumentation and control panel
- continuous measurement and registration of safety related data, e.g. data of radioactive effluents
- emergency cooling system
- emergency power supply.

C. Design considerations
- earthquake, fire and air plane crash evaluations.

From the philosophy of redundant and diversified instrumentation, which plays an important role in NPP instrumentation due to safety and availability considerations, only the latter is being applied to research reactors to some extent. Redundant instrumentation is usually only required where safety related instrumentation channels are not "fail-safe". Separation of safety actuation systems and operation systems is strongly aspired to but is still not demanded as it is in NPP.

During the early stage of research reactor operation main emphasis was put on reactivity accident considerations. The reactor was considered to be a potential source of power excursions. Since then experience in both research reactor and NPP operation has shown that these fears need not be taken as seriously as initially assumed, and more consideration was focused on thermal-hydraulic aspects. This resulted in severe evaluation of the loss-of-coolant accident with the possible consequences, e.g. release of radioactivity from the reactor facility.

In NPP continuous measurement and registration of liquid, gaseous or airborne radioactive effluents is mandatory independently of normal or abnormal plant operation or shut down condition. This enables the plant operator to demonstrate that the permissible limits for radioactive release have not been exceeded at any time. Though the radioactive inventory is much less in research reactors, generally the same philosophy is applied today to them as to NPP, resulting in backfitting of adequate instrumentation not only for emergency and post accidental conditions but also for reactor shut-down.

Emergency power supply for shut-down heat removal and other purposes is not necessary in many research reactors, however it is generally demanded for the instrumentation for measurement of radioactive effluents.

The situation in backfitting of the Austrian research reactors is distinguished by the fact that all three operating facilities, namely

ASTRA - a 12 MW pool reactor at Seibersdorf
TRIGA MARK II - a 250 kW pool reactor in Vienna
SAR - a 10 kW Argonaut reactor in Graz

had been operating for several years on temporary permits only, since the legal base on which the licensing of these reactors is performed - i.e. the Austrian Health Physics Act of 1969 - had been issued much later than reactor operation had started.

The three facilities had to undergo individually a final operating licensing procedure. This process involves a considerable amount of backfitting both in hardware and in certain administrative operating procedures.

Due to the absence of national codes and safety criteria for research reactors the regulatory authorities used in many cases the internationally accepted standards for nuclear power reactors as a guidance - of course in a modified form to make them applicable in each specific case. Although the basic differences in reactor size and risk potential were taken into account, this nevertheless placed a heavy burden on the licensee. Costly tests and calculations were required in some instances to demonstrate the adequacy of originally installed or modified equipment. In other cases proposed changes in the reactor systems originating from improved techniques and new safety philosophies were accepted by the reactor operator without discussion. In this connection it should be recalled that the operators of research reactors are faced with problems unique to these facilities: reactor experiments, especially of the in-core type, require a large amount of flexibility and a continuous up-dating of safety assessments.

In this context only a selection of I&C related backfitting activities of more general interest will be presented.

2. ASTRA REACTOR

2.1 Safety systems/Postulated initiating events

In addition to the original design basis events (like reactivity disturbances, coolant accidents, etc.) a set of external influences (earthquake, fire, air plane crash ...) as well as internal failures within a portion of the safety system itself had to be considered and analysed.

As compared with a nuclear power plant all safety assessments are facilitated by the lower risk potential of a research reactor as well as the essential fact that no active heat-removal systems are required for the shut-down reactor and the isolated reactor pool.

Moreover the requirements of reactor availability are much less stringent for a research reactor; therefore it is possible to use simple, "trip-happy" logic in the safety systems.

2.2 Safety systems/Design characteristics

The original reactor protection system was designed according to the fail-safe principle; however (with exception of the neutron flux safety channels) no redundancy or majority voting logic existed. There was no clear separation of safety actuation systems and operation systems.

The new requirements called for additional signal paths in order to have at least two independent (and if possible diverse) ways of identifying each individual initiating event (Fig. 1).

Necessarily several new instrumentation channels for water level, differential pressure, low voltage etc. had to be installed. Although all safety related equipment is designed to assume a "safe state" when de-energized, continuous monitoring was required for important instrument channels (e.g. lower limit settings for radiation protection channels, signal comparators for redundant channels etc.).

The original design of the ASTRA instrumentation and control systems included a series of by-pass switches. The operator could disable some of the scram criteria in order to have greater flexibility for experiments. All of these switches had to be removed.

The principle of independence between safety system components and non-safety components made it necessary to install a new decay-heat-removal system because the existing emergency cooling pump had been identical with the main pump of the water purification system. The protection system logic could be simplified accordingly.

2.3 Condition limitation

For the safety related I&C systems of nuclear power plants special devices are introduced to limit the value of process variables to ensure that the initial conditions for the analysis of design basis events are always met.

In an analogous manner a reactor shut-down limit for coolant temperature had to be installed. A temperature of 50 °C had been used as initial condition for thermohydraulic core calculations and this assures steady state operation of the fuel below onset of nucleate boiling.

2.4 Emergency instrumentation and control panel

The requirement that neither radiation accidents nor possible earthquake damages should interrupt the flow of information from the reactor to the operator made it necessary to install a control panel outside of the reactor building.

Here a number of selected safety variables are indicated and registered (emergency instrumentation). Signals coming from the reactor control room are decoupled by isolation amplifiers.

The emergency instrumentation can be powered by 3 different diesel-generator sets as well as by a battery-converter set.

Several safety actions (scram, pool isolation etc.) can be manually initiated from the same panel.

For the purpose of minimizing the effect of external influences, it was decided to remove the emergency ventilation system (consisting of a battery-operated blower, a charcoal absorber and a set of absolute filters) from its original location and re-install it in an earthquake-protected area. All intermeshing with the normal containment ventilation system was avoided; the actuation logic could be considerably improved.

2.5 Automatic pool isolation

The probability of occurrence of a loss-of-coolant accident could be substantially decreased by the addition of a pair of battery-operated valves in the primary cooling circuit, located directly at the concrete wall of the reactor pool.

These valves are part of the safety actuation system. They are automatically closed in case of a.c. power failure or in case of low water level in the pool.

2.6 Effluent monitoring and registration

To ensure continuous information and documentation of radioactive effluents, the stack monitors and the iodine and aerosol sampling filter equipment have to meet the criteria for external influences as applied to the emergency instrumentation.

2.7 Emergency power supply

The regulatory authorities decided that the principle of multiple and independent power supply for safety related systems had to be extended to the physical separation of the power generating equipment. According to this philosophy it was not sufficient to have 3 different diesel-generator sets available because they are installed in a common building of the power station.

Safety relevant equipment is now (normally) supplied with electrical energy from the power station. Alternatively it can be powered from a (geographically separated) stationary battery or from a small local diesel-generator set.

Operation of the reactor is only permitted if at least one of these stand-by power supplies is operable.

2.8 Administrative procedures

Like in a nuclear power station all repair work and maintenance activities in connection with safety related equipment, their commencement and their termination are subject to approval by the reactor management. The procedure is formalized and has to be documented.

Quality assurance for replacement parts is regulated in a similar manner.

Drawings, log books, operational records and data have to be filed according to a documentation system originally developed for the Zwentendorf Nuclear Power Station.

3. TRIGA MARK II REACTOR

3.1 Background

The TRIGA Mark II reactor has been in operation since 1962 and has a similar fate as the ASTRA reactor. However due to the status of the Atominstitute (the reactor is operated by the Federal Ministry of Science and Research) the licensing process is not yet completed, although many backfitting installations have been carried out in various reactor systems during the last 5 years.

3.2 Reactor instrumentation

The instrumentation of the TRIGA reactor installed in 1968 consists of four nuclear channels (start-up, lin., log., and safety channel) and of several temperature measuring channels controlling fuel and water temperature. Although this instrumentation has proved to be reliable for many years some instrumentational backfitting was performed. The main installations were an uninterrupted power supply to the reactor instrumentation, to the data logging system and to the area monitoring system. This is performed by a 110 V battery system designed for a 12 hour power supply in combination with a 5 kVA DC/AC converter. A data logging system was installed collecting all data on an hourly basis in routine operation and storing alarm data immediately. Presently these data are printed but in the future they will be stored on magnetic tape.

In addition to the original instrumentation a few more alarm criteria for the reactor surveillance were installed, such as an additional "very low pool water level" alarm, a highly sensitive activity monitor in the secondary cooling system, a continuously working aerosol monitor above the pool water and a low pressure indicator of the reactor building atmosphere. All signals are displayed in the reactor control room.

3.3 Ventilation system

The old concept of the noble gas monitoring system consisted of 2 GM-detector bundles in each of the two ventilation channels. This system has been upgraded with new instruments, and aerosol and iodine collectors have been added in each ventilation channel. Furthermore the blowers have been modified to allow emergency ventilation in addition to full blower capacity. In an emergency case the reactor hall atmosphere will be purged by low capacity ventilation through absolute filters and the air released to the atmosphere will be monitored by the installed detectors.

3.4 Fire protection and surveillance system

As the Atominstitute has been designed in the late fifties, a modification of the laboratories in view of fire protection and security was necessary. Therefore new fire proof doors and windows have been installed in the reactor hall and further installations will be done in the institute's building together with an electronic fire and smoke alarm system. A surveillance system was also installed in sensitive areas of the reactor hall.

3.5 Additional requirements

In respect to previous procedures the re-inspection frequency of instruments, systems and components has been increased considerably, requiring additional manpower and money; both factors are very scarce in almost every research institute. Therefore money and manpower had to be diverted from the various departments of the Institute at the cost of basic and applied research.

The backfitting procedures are presently not finished (i.e. the primary reactor cooling circuit will be renewed), but most of the safety experts' requirements have already been fulfilled, therefore the licensing procedure is expected to be terminated without further backfitting requirements.

4. ARGONAUT REACTOR GRAZ

The licensing of the 13 kW Argonaut Reactor at Graz has been completed in spring 1983.

In this case backfitting requirements have been mainly limited to additional regulations for operating procedures. Only minor hardware changes have been required, such as additional radiation monitors, improved fire protection etc.

The existing safety analysis has been extended to external influences (e.g. earthquake).

5. SUMMARY

In general the licensing and backfitting activities have once more demonstrated the fact that safety assessment of a research reactor is by no means just a scaled-down version of a nuclear power plant licensing procedure.

Naturally the risk potential is much lower, however, the very nature of research calls for much more flexibility in operation, for temporary installations and for experimental methods which cannot be covered by detailed regulations in advance.

Therefore the application of nuclear power reactor criteria to such facilities has to be considered with extreme caution. If NPP standards are applicable at all, they have to be carefully interpreted in each individual case.

It is interesting to compare the original reactor safety reports with their modern versions: emphasis has shifted from reactivity accident calculations to thermal-hydraulic considerations, to better instrumentation (both in quality and quantity) and to more effort in reducing, measuring and documenting all radioactive effluents. This tendency is also reflected in most of the backfitting requirements.

In summary, the result of the lengthy licensing and backfitting process is certainly a considerable improvement in performance and safety of the Austrian research reactors.

Fig. 1 ASTRA Safety System, lay-out diagram (simplified). Initiating events shown: uncontr. reactivity insertion, power control failure, low flow, core by-passed, loss of coolant, high pressure in reactor hall, electr. power failure.

Safety actions shown in Fig. 1: alarm, scram, rod insertion, pool isolation/cl. valves, emerg. cooling/start, emerg. ventilation, em. power supply. The legend marks the 'backfitting' additions.

ASSESSMENT AND INSPECTION TASKS OF THE SPANISH REGULATORY BODY STAFF REGARDING I&C AND RELATED SYSTEMS BACKFITTING IN OLD PLANTS

R. CID CAMPO, J.I. VILLADONIGA
Consejo de Seguridad Nuclear, Madrid, Spain

1. INTRODUCTION

The purpose of this presentation is to provide a summary of the assessment and inspection tasks performed by the technical reviewers of the Consejo de Seguridad Nuclear on the backfitting of Instrumentation & Control and related Systems, carried out on the oldest two plants in Spain: Jose Cabrera and Santa Maria de Garoña.

The actions taken up to this time to improve the safety of these installations are discussed, together with the expected actions in the near future. However, the paper mainly deals with the review difficulties associated with the assessment of old plants against current criteria, among others:

• The lack of specific criteria for backfitting; standard criteria are normally too prescriptive.
• Extensive backfits will normally require the shutdown of the plant; therefore, to reduce shutdown time it is necessary to review information not totally final, and normally changing.
• Integration of backfits extending to more than a shutdown period is difficult, since in the initial stages detailed information about the final situation to be achieved might not exist. Integration of different backfits is even more difficult.

In this respect the different review approaches used for the above mentioned plants are analyzed, comparing them with those used in other countries.

The potential benefits of the use of advanced methods, such as probabilistic risk assessment (PRA), in reaching backfitting decisions are appraised, describing the scope of the PRA required for Santa Maria de Garoña.

2. BACKFITS AT JOSE CABRERA

Jose Cabrera Nuclear Power Plant, hereafter JC NPP, is a Westinghouse PWR that started commercial operation in 1968.

The chronology of recent backfits in JC NPP is characterized by three distinct phases:

Phase I. Includes the identification and definition of the topics to be reviewed. Topics from the U.S. Nuclear Regulatory Commission (NRC) Systematic Evaluation Program (SEP), from TMI action plans and specific topics of JC NPP were included. It was prepared by Westinghouse and independently reviewed by NUS Corporation. This information was presented to the Consejo de Seguridad Nuclear (CSN) in April, 1981.

Phase II. Includes the design of an integrated solution. The utility entrusted the preparation to Westinghouse and Empresarios Agrupados, a Spanish architect-engineer. The first conceptual solution was presented to the CSN in January 1982. The CSN basically approved the solution, expressing its disagreement with the duration of the program. The utility presented a so called reconfigurated solution shortening the time spans for the execution of the plan, a solution that was agreed upon by the CSN.

Phase III. Includes the detailed engineering design and implementation of the modifications. The execution of this phase was divided in 2 intervals, Phases 3A and 3B, leaving the implementation effort to the refueling outages.

The principal modifications of I&C and electrical systems during phase 3A were fundamentally directed towards the electrical distribution system, including:

• The incorporation of new on-site emergency power sources through the installation of a new line from Zorita Hydraulic station (4400 KVA) and the installation of a new diesel generator (2750 KVA).
• The achievement of cross-alimentation capability of the 3 KV plant buses from the exterior supplies (lines of 220 and 46 KV).
• The creation of two separate trains of internal electrical energy distribution (electrical separation of the 3 KV and 380 V a.c. buses).
• The modification of the d.c. supplies, incorporating a second battery and new battery chargers, assigning redundant chargers to different trains, providing electrical separation between both.

With relation to the Instrumentation and Control systems, the incorporated modifications during phase 3A were not substantial changes, being fundamentally directed to the incorporation of the process instrumentation and controls of the new systems installed during this phase (Ventilation Systems, Diesel Generator) and of the improvements in existing systems (ECCS ..).

According to the information recently sent by the utility to the CSN, the scope of the predicted modifications for phase 3B basically includes:

(A) Electrical Systems:

• Total modification of the vital a.c. supplies (to vital instrumentation). The present system with only one bus fed by an inverter will be substituted by three buses, fed by three inverters, that will allow an independent supply of each instrumentation channel (Reactor protection system and Post-accident instrumentation).
• In addition to the implemented modifications in phase 3A on the on-site electrical distribution system, the 3 KV and 380 V a.c. buses will be split to separate safety and non-safety loads and physical separation of redundant components will be achieved.
• Further improvements of d.c. power supplies through the substitution of the old batteries by other new ones that fulfil current criteria, the incorporation of two new chargers, and the separation between safety and non-safety loads.

(B) Instrumentation and Control:

• Incorporation, in the reactor protection system, of three new cabinets of process instrumentation corresponding to the different channels of the Reactor protection system, including new actuation signals of the Engineered Safeguards Systems.
• Substitution of the Engineered Safeguards Initiation System cabinets by two new cabinets of redundant relays that incorporate the actuation logic of both existing and new systems.
• Post-accident information system.

The methodology used to review these backfits starts with the comparison of the present design against current criteria. Once the deviations are identified with respect to the said criteria, the following alternatives are considered:

- The deviation does not have impact on safety. No action is required.
- The deviation may be offset by modification of procedures or enlarging the inspection program. No physical modifications are required.
- Physical modifications are required.

The selection of one of the above alternatives is based on engineering judgement, taking into account factors like the restrictions of the original design, the operational experience, the homogeneity of the modifications as a whole... etc. This judgement is the most difficult task of the regulatory body.

Although during phase 3A electrical systems have been substantially improved there are some aspects that will require further review in phase 3B, for instance:

• The clear identification of components required to mitigate accident conditions and to achieve the safe shutdown of the plant, in order to provide them with adequate electrical power supplies.
• The interaction between the normal and emergency electrical supplies when they feed safety and non-safety loads during normal operation, and how the transference is achieved in emergency conditions.
• Safe shutdown capability. Physical separation of electrical equipment, cable trays containing redundant cables.. etc.

In relation to I&C Systems phase 3A did not include substantial changes. We have not received a detailed proposal for phase 3B yet.

During phase 3A we only supervised the modifications incorporated into the plant, since the permit to proceed with the modification was granted based on a conceptual report that did not establish the detailed modifications to implement in phases 3A and 3B. The review of phase 3A has been a difficult task because:

• There was a lack of specific criteria to be met.
• It was difficult to have an integrated view of the modifications since what we knew of phase 3B was very preliminary and conceptual.
• The information provided to the CSN staff kept changing continuously.
• There was no clearly stated logic in the selection of the modifications from an accident analysis point of view.

The area where our contribution to plant safety has been more important was the preoperational tests of the new or improved systems, among them:

• The testing of the emergency power supply systems (Zorita Hydraulic Station and the Diesel Generator).
• The automatic transfer among different sources of electrical power (normal, crossed, Zorita hydraulic and D.G.).
• The testing of the new batteries and battery-chargers.
• The verification of electrical separation between trains.

It is expected that phase 3B will provide a comprehensive, well documented and integrated basis to allow the CSN staff a thorough review of the final situation of the plant from a safety point of view. Meanwhile there is no doubt that the modifications of phase 3A have substantially improved the safety of the plant.

3. BACKFITS AT SANTA MARIA DE GAROÑA

Santa Maria de Garoña Nuclear Power Plant, hereafter SMG NPP, is a General Electric Boiling Water Reactor, BWR/3 with a Mark I containment, that started commercial operation in 1971.

Throughout the years some important modifications have been implemented, among them:

• A new offgas system was installed (1975).
• Three new safety/relief valves and one safety valve were installed to increase the pressure relieving capacity (1975-76).
• Many piping-vessel safe-ends were replaced (1974, 77, 80).
• The recirculation discharge valve by-pass line was removed (1980).
• New fire detection equipment was installed (1979).
• The Scram Discharge Volume (SDV) was modified following the requirements of NRC I&E Bulletin 80-17, including new SDV water level sensors, modification of SDV vents and drains, new SDV vent and drain valves closure time, surveillance requirements.. etc.
• Five jet-pump beams were replaced (1979, 82).
• Fuel pool capacity was increased (1982).
• New suppression pool supports were installed to sustain dynamic loads (1982).
• Following TMI lessons learned and action plan many modifications were implemented, including: new valve position indication system, new post-accident sampling station, accident monitoring instrumentation, new emergency support centers.. etc.

In many instances, instead of physical modifications being implemented, changes in technical specifications or procedures were. However since the plant had not undergone a comprehensive review, in February 1982 the Consejo de Seguridad Nuclear required the utility to start a major review, classifying the topics to deal with in 3 categories:

A. Those topics that have already been implemented in U.S. operating plants similar to SMG NPP.
B. Those topics that require modifications already identified but still not implemented.
C. Those topics requiring further review.

In October 1982 the utility proposed to perform the review within four years, giving priority to items already started.

In July 1983 the CSN required the performance of the review according to the following scope and schedule:

(1) Actions to be performed before the XII cycle of operation.
• To complete the work in topics previously identified.
• To improve electrical panels anchorage.

Requirements for Isolation of High- and Low-pressure Systems, RHR System Interlock Requirements, Containment Isolation System, Containment Leak Testing, Emergency Core Cooling System (ECCS) Actuation System, Testing of Reactor Trip System and Engineered Safety Features... etc.

(3) Actions to be performed during the refueling outage before Cycle Xul.
• To complete the work in the topics previously identified.
• To install the modifications resulting from the control room
design review, and related to the Safety Information Oi'olay • To by-pass or justify MOVs thermal overload protection. System. • To improve Reactor Coolant System Leak Detection. • To prepare Safety Evaluation Reports regarding: Flooding potential • To review and define modifications to improve safe shutdown and protection requirements, Ultimate Heat Sink requirements, lnter_ capability. nally generated Missiles, Effects of Pipe Breaks on Structures • To perform battery discharge tests. Systems and Components Inside Containment, Seismic Design Conside • To improve battery room ventilation and battery protection. rations, Appendix K-Electrical Instrumentation and Control Re-reviews, • To protect water intake equipment form pipe ruptures. Isolation of Reactor Protection System from Nonsafety Systems • To complete supports installation of Safety and Relief valve dis_ Including Qualification of Isolation Devices, Electrical Penetrations charge pipings. of Reactor Containment, Review of Several Accident Analysis ..etc. • To improve control room haoitability. • To complete the studies regarding Environmental Qualification of Safety Equipment. • To prepare a report discussing the operational experience of the • to complete the modifications regarding the Mark I torus. plant from March 1971 to August 1983. t To update the Technical Specifications according to the General • To propose the scope and procedures to perform a Probabilistic Risk Electric Standard Technical Specifications. Assessment (Level One) to have further arguments regarding the need The approach used by the CSN staff to review and approve backfits is of the modifications to be implemented during the refueling outage basically taken from that established by the U.S. Nuclear Regulatory previous to Cyc'e XIII. Commission (NRC) Systematic Evaluation Program (SEP), and is as follows: (2) Actions to be performed before the 30th of June 1984. 
(1) The topic is identified, on its own merits or based on the identification • To complete the work in topics previously identified. in other countries, mainly the U.S. • To update emergency procedures acording to GE Technical Guidelines. (2) The utility prepares a SAR, analyzing the present design against • To prepare Safety Evaluation Reports (SARs) regarding: Hydrologic current regulatory criteria. In this regard, it is important to say description of the site, Classification of Structures, Components that due to a lack of national criteria, the criteria of the country and Systems ( Seisiric and Quality ), Wind Loadings, Turbine Missiles, of origen of the reactor are used. Therefore, for reactors like SMG Piping and Safe-enlIntegrity, Residual Heat Removal System Reliability, NPP coming from the U.S., the NRC rules, regulations, guides and Stan Residual Heat Removal System (RHR) Heat Exchanger Tube Failures, dards are applicable. (3) In those cases were deviations a<-e found, a judgement of the safety The current acceptable characteristics of the RCPB Leakage Detection inportance is necessary. Apart from qualitative criteria, in the review System are set up in Regulatory Guide 1.46 and are shown in Table 1 comparing of SMG NPP, Probabilistic Ris;. Assessment (PRA> will be used to judc,e them with the SMG NPP system characteristics. Due to the plant age there are the merits of the possible backfits, as is discussed later. Due to many deficiencies, however, not all of them are worth being corrected. establishes schedules it is very difficult to consider all the back Bearing in minu ..nat current criteria are established to be used in the fitting decisions *" »o integrated way. plants design stage, they ~e too prescriptive for backfitting.

(4) Once the decision regarding the need of an specific backfit is reached, Since the schedule of the program covers several years, and the the utility proposes a design modification. decision was taken to review and complete the actions in many topics before completing all the reviews, the following modifications were proposed by (5) The design modification is reviewed and a certain design is agreed the utility. upon. On many ocasions, due to the rush to restart the plant as soon as posible, the utility as well as a final design has most of the new components before approval by the Consejo de Seguridad Nuclear(CSN) is grantea.

(6) The implementation of the modification and any testing required is supervised by the CSN staff. Normally the technical reviewers are supposed to follow the problems from begining to end, covering all the assessment and inspection aspects. A great deal of effort is spent, reviewing testing procedures and supervising the tests to assure that their scope, acceptance criteria and execution are adequate.

Since the goal of this paper is the description of the CSN staff experience working on backfits in old plants, we will go through one of the topics, as an example, analyzing the problems encountered in each step of the process described above.

At SMG NPP the Reactor Coolant Pressure Boundary (RCPB) Leak Detection System ( in case of leaks to the contaiment ) consisted of: — Level and discharge flow measurements in floor and equipment drain sumps. — Monitoring of the condensate flow rate from air coolers. — Monitoring of airborne gaseous and particulate radioactivity, (using the Post-Accident-Sanpling Station)

The need to review this topic against current criteria was identified by the U.S. NRC SEP, therefore the utility was asked to prepare a SAR and to propose the modifications deemed necessary. 215 Table 1 SENSITIVITY AND SEISM1CALLY ON-LINE OETECTION METHODS THAT SHOULD BE EXISTING METHODS RESPONSE TIME QUALIFIED (SSE) (2) FUNCT. TESTING EMPLOYED. (R.G. 1.45) SMG NPP R.G.1.45 SMG. R.G.1.45 SMG. R.G.1.45 SMG.

3) ? SUMP LEVEL AND FLOW MONITORING. Yes. 1 gpm 1 gpin OBE< yes yes 1 hour 2 hours & AIRBORNE PARTICULATE RADIOACTIVITY Yes(1) 1 gpni . Yes No yes yes MONITORING. 1 hour >8 hours

MONITORING OF CONDENSATE FLOW RATE Yes 1 gpin 1 gpin OBE No yes no FROM AIR COOLERS 1 hour J hour or MONITORING OF AIRBORNE GASEOUS Yes"* 1 gpm OBE No yes yjs RADIOACTIVITY 1 hour >8 hours

(1) PASS. Post Accident Sampling Station (2) SSE. Safe Shutdown Earthquake (3) OBE. Operating Basis Earthquake - A decrease in the level span between start and stop of the sump Moreover, it imposes a similar rush in the regulatory body to review the pumps together with the installation of a timer to measure time SAR, supervise the installation, review the testing procedures, attend between starts and an alarm actuated when measured leak rate is the test execution, and assure that adequate operational procedures exist. more than ) gpu m the last hour. It is difficult to perform such an aumount of work carefully. However, the - The redesign of the pipe collecting air i-uolers condensate to fact that the utility has done everything quickly makes a thorough review assure that it will remain functional when subject to the Safe by the regulatory body staff to assure correctness very important. Another Shutdown Earthquake. drawback of short schedules is that the CSN staff spent considerable tune and effort reviewing preliminary information that later on, was substantially Here the problem of integration appears. Dealing with backfitting changed. schedules, there are two possible approaches: (1) to perform the review and implementation topic by topic, (2) to perform all the reviews first, The utility proposal was accepted by the CSN staff wro performed deciding in an integrated way,at the end,about all the backfits that may an inspection to assure correct implementation and to attend the pre-opera be necessary. The first approach has the advantage that the plant impro tional testing of the modification. veneres are achieved early in tine, but makes any integration effort almost inposible. In the RCP8 leakage detection system example, it was At any rate the most important thing, the gist of any backfitting decided that a sensitivity of 1 gpn in one hour was enough, however, decision is the understanding of the safety importance of the modification. 
the review of the pipe break inside containment topic, scheduled for Both scope and schedule of the modifications should be based on a a later stage, will probably lead to an increase in sensitivity , and comprehensive analysis of the importance of the proposed modifications therefore new modifications in the same system. Based on our experience for the sar'ety of the plant. The use of appropriate metnods to jujge to date, it appears that the best approach is the one used by the NRC that importance is esential to achieve cost ef:tive backfitting in its SEP,leaving the integrated assessment of all topic deviations decisions. The tool used, is normally engineering judgement. However, in to the end except when the deviations Are so important that require the case of SMG NPP the CSN has required the performance of a Level 1 imediate action. PRA to have additional basis for decisions before most of t e backfittings are implemented. The scope of the PRA will be a level 1 as defined in Since the resolution of the RCP8 leakage detection system topic NUREG-2.300 "PRA procedures guide". The study is aimed to determine the was required to permit tne startup of the plant after the 1983 refueling most significant contributors to the "risk" of the plant, not to obtain outage, the utility rushed to decide about the modifications, their final bottom line numbers. The licensee must participate actively in the design, the aquisition of new equipment, and even the implementation before execution of the study involving personnel directly related with the the CSN staff had the oporLunity to review the SAR. This situation may plant operations. In this way the »tudy will gain in accuracy and the cause the utility substantial economical losses in case the regulatory personnel will improve his knowledge of the strengths and weaknesses of body considers later on that the proposed modifications are unaceptable. the plant.
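The sump-pump modification proposed for the RCPB leakage detection topic in Section 3 (a smaller level span, a timer between pump starts, an alarm above 1 gpm) can be worked through numerically. The Python sketch below is an added illustration, not code from the plant or from the paper; the span volumes (120 and 30 gallons), the leakage profile and the instantaneous pump-down are assumptions chosen to show why reducing the span shortens the response time.

```python
from typing import List, Optional, Tuple

ALARM_SETPOINT_GPM = 1.0  # from the text: alarm when the leak rate exceeds 1 gpm

# Constructed leakage profile (assumption): 0.25 gpm of background leakage,
# stepping to 2.0 gpm at t = 400 min. Times in minutes, rates in gpm.
LEAK_ONSET_MIN = 400.0
LEAK_PROFILE: List[Tuple[float, float]] = [(0.0, 0.25), (LEAK_ONSET_MIN, 2.0)]


def pump_start_times(inflow: List[Tuple[float, float]], span_gal: float,
                     end_min: float) -> List[float]:
    """Event-driven sump model returning the pump start times in minutes.

    inflow   -- piecewise-constant leakage [(t_min, gpm), ...], sorted,
                first segment starting at t = 0
    span_gal -- volume between the pump-stop and pump-start levels
    The sump starts empty and pump-down is treated as instantaneous.
    """
    starts: List[float] = []
    t, vol, seg = 0.0, 0.0, 0
    while t < end_min:
        rate = inflow[seg][1]
        seg_end = inflow[seg + 1][0] if seg + 1 < len(inflow) else end_min
        seg_end = min(seg_end, end_min)
        time_to_fill = (span_gal - vol) / rate if rate > 0 else float("inf")
        if t + time_to_fill <= seg_end:
            # Start level reached inside this segment: pump empties the span.
            t += time_to_fill
            vol = 0.0
            starts.append(t)
        else:
            # Segment ends first: carry the partial volume into the next one.
            vol += rate * (seg_end - t)
            t = seg_end
            seg = min(seg + 1, len(inflow) - 1)
    return starts


def interval_rates(starts: List[float], span_gal: float) -> List[Tuple[float, float]]:
    """Leak rate seen by the timer: span volume / time between two starts."""
    rates = []
    for prev, cur in zip(starts, starts[1:]):
        if cur > prev:
            rates.append((cur, span_gal / (cur - prev)))
    return rates


def first_alarm(starts: List[float], span_gal: float,
                setpoint_gpm: float = ALARM_SETPOINT_GPM) -> Optional[float]:
    """Time of the first pump start whose measured rate exceeds the setpoint."""
    for t, gpm in interval_rates(starts, span_gal):
        if gpm > setpoint_gpm:
            return t
    return None


def response_time_min(span_gal: float, end_min: float = 600.0) -> Optional[float]:
    """Minutes from leak onset to alarm for the constructed profile."""
    alarm = first_alarm(pump_start_times(LEAK_PROFILE, span_gal, end_min), span_gal)
    return None if alarm is None else alarm - LEAK_ONSET_MIN


if __name__ == "__main__":
    for span in (120.0, 30.0):  # hypothetical "before" and "after" spans
        starts = pump_start_times(LEAK_PROFILE, span, 600.0)
        print(f"span {span:5.0f} gal: rates {interval_rates(starts, span)}")
        print(f"  alarm {response_time_min(span)} min after leak onset")
```

With the larger span the first clean measurement arrives 70 minutes after the leak begins; with the smaller span the interval that straddles the onset reads 0.6 gpm and stays silent, and the alarm follows one cycle later, 25 minutes after onset.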

4. CONCLUSIONS

Based on our experience working on backfits of the two oldest plants in Spain, we believe that:

(1) Reaching backfitting decisions is one of the most difficult tasks being performed by a regulatory body.
(2) Any backfitting decision should be preceded by a thorough review of the safety importance of the situation the backfit is aimed to correct.
(3) Backfitting decisions should be reached in an integrated way. A complete review of the plant should be performed to put each backfit in perspective. PRA may be a useful tool to achieve it.
(4) Except when there is an immediate need of corrective actions, backfitting schedules should be long enough to allow appropriate review by all involved parties.

BACKFITTING IN ROSSENDORF RESEARCH REACTOR CONTROL AND INSTRUMENTATION SYSTEM

J. KLEBAU, S. SEIDLER
Central Institute for Nuclear Research, Academy of Sciences, Rossendorf, German Democratic Republic

Abstract

The paper generally describes a decentralized Hierarchical Informational System (HIS) which has been developed for backfitting in the Rossendorf Research Reactor (RFR) control and instrumentation system. The RFR was put into operation in 1957 and reconstructed from 2 MW up to a thermal power of 10 MW at the end of the sixties. Backfitting is planned by use of an advanced computerized control system for the next years. Main tasks of HIS are: process monitoring, online disturbance analysis, technical diagnosis, direct digital control and use of a special industrial robot for discharging of irradiated materials out of the reactor. Experiences obtained by HIS during a test period will be presented.

1. INTRODUCTION

Experiences have shown that nuclear reactor control and instrumentation (C & I) equipment will have to be replaced once if not twice during the reactor life-time. Factors influencing this are:

- renewal of rapidly obsolescing C & I equipment as a result of the fast pace of technological development in electronics and computer technique
- backfitting requirements which arise from major improvements that must be incorporated, changes in operating tasks or due to regulatory requirements following the international trends in safety demands.

In the last years in the field of NPP the amount of applications of digital informational systems increased. But they are mainly used to survey the operation state of the plant. However, these systems based on the so called "centralized concept" were not capable of meeting the requirements of reliability and economy, so that they couldn't be used as control systems.

Relating to this, the use of microcomputer systems seems to be connected with some advantages. And with respect to the increasing capability those informational systems are suitable to realize control of higher order, like optimization, adaption and learning.

To get experiences in designing and developing of computerized control systems, a Hierarchical Informational System (HIS) for surveillance and control of the Rossendorf Research Reactor (RFR) has been developed.

2. REQUIREMENTS AND AUTOMATION TASKS

The RFR is a light water moderated and light water cooled reactor of tank type, which became critical in 1957. Its thermal power was raised in two steps, at first from 2 to 5 MW, then from 5 to 10 MW at the end of the sixties /1/. During the first years the reactor was used in general for research work in nuclear and reactor physics, but since a few years the main task of the reactor has become the production of radioactive isotopes. The annual volume of this production may be characterized by the number of about 40000 packages representing an approximate value of several millions of Dollars. Together with the voluminous production of neutron doped silicon this needs more than 6000 loading respectively unloading operations by the reactor staff.

As to backfitting requirements for the RFR C & I system, the following demands have to be taken into consideration:

- automation of loading technique for material to be irradiated. Special aims in connection with steadily increasing production are the decrease of body burden by radioactive radiation and the reduction of the reactor staff.
- preparation for an operating regime with alternating reactor power
- improvement in man-machine communication both during normal and abnormal situation

To meet all requirements mentioned above a lot of automation tasks has to be solved:

- process monitoring, which includes acquisition, preprocessing, monitoring and logging of data
- technical diagnosis, that means elaborating of methods for online disturbance analysis and noise analysis
- process control, e.g. in the sense of direct digital control and reactor start-up and shut-down procedures
- use of a special industrial robot for loading operation with material to be irradiated in the reactor

3. GENERAL STRUCTURE OF THE SYSTEM

Because the computerized informational system HIS especially has been developed to meet the backfitting requirements of the RFR, it has some features which are different from those of systems installed at NPP's. Some of those distinctions are:

- much lower number of process inputs and outputs
- shorter distance between process and computer system
- solving different problems (research work in reactor physics)

But nevertheless the HIS enables the reactor staff to get experiences with such a system and it also may be considered as a pilot system for developing and testing of methods and programs later used in NPP's /2/.

The tasks discussed in the preceding chapter in general have autonomous characteristics, but they are very closely linked by the process. Thus a decentralized hierarchical system, shown in fig. 1, seems to be the best solution to meet all the requirements mentioned above. The system consists of various basic units which are situated nearby the technological process and linked with the main computer via a serial bus, the so called IFLS interface /3/. The basic units (ursadat 5000) are connected to the technological process. Each unit consists of a microcomputer Robotron K 1520 and several process I/O modules. It is primarily used for data acquisition and preprocessing procedures, but furthermore other tasks can be performed too.

The main computer (Robotron K 1600) generally has two functions:

- operating management problems in the system including the man-machine-communication
- solving of real-time tasks with high demand in processing time and memory

The performance of the whole system essentially will be affected by the exchange of information within the system. The requirements to the link software realizing the IFLS mainly were deduced as well from experience obtained by earlier computer application in NPP's /4/ as from actual tasks at the RFR. The following demands were significant for developing of the IFLS program:

- good real-time behaviour of the complete system
- high reliability of data transmission
- simple handling of user programs by the employer
- low demand of memory and operation time

Thus the data are transmitted via the bus by a frame with limited length. Besides the data, a frame contains several information for control and check and is limited by synchron characters. The structure of the frame is based on the ISO-HDLC standard, but IFLS has its own function codes performing the real-time demands of process control better than the HDLC-procedure.

As the result of distributing the control problems on two computer levels, the majority of transmission requests comes from the upper level. For that reason the main computer permanently operates as a master station, whereas the basic units only have the slave position on the bus.

The IFLS interface may be realized as well as an electric cable or a fiber optic line.

4. TESTING THE HIS AT THE RFR

To test all the features of the new system a special version of HIS has been installed nearby the RFR some years before backfitting of control and instrumentation system has to be realized. The investigations have to be split into:

- test of the system, which means performance and availability of the hardware (K 1620/K 1630, ursadat 5000) and software modules (operating system, IFLS)
- online test of the system at the RFR, whereas the reactor operator has been integrated into solving this task.

The following problems had to be solved:

. process monitoring, including data acquisition and preprocessing on the basic units and monitoring and logging of data by means of the main computer
. on line disturbance analysis program "SAAP 2" for dialog oriented cause-consequence analysis (realized on K 1620) /5/
. developing of a special noise analysis monitor for early accident recognition of main aggregates, e.g. pumps, by means of analyzing the stochastic part of signals, for detection of nuclear boiling and for detection of loose parts in the primary circuit /6/
. direct digital control of reactor power realized as a cascade of neutron flux, nitrogen activity and primary circuit temperature regulators. The use of adaptive algorithm is planned.
. program for optimal reactor shut down. Fig. 2 shows the general solution of xenon-poisoning limitation by means of the shut down control program (realized on ursadat 5000), which is based on the Pontrjagin Maximum Principle /7/. During normal reactor operation, every 6 minutes the shut down control program is calculating as well the reactivity effect of xenon-poisoning from xenon and iodine concentration as the shut down control parameters, which are being stored and displayed as a help for the operator.
. development, design and installation of a special industrial robot for manipulation and monitoring the complete cycle of loading and unloading of material into the irradiation channels within the core /8/. Further steps will be automatic object identification and using of a special communication language.
. preparation of reactor instrumentation (nuclear and technological sensors) for data acquisition by a process computer, e.g. electrical isolation between instrumentation and computer.

5. CONCLUSION

Up to now the decentralized hierarchical system HIS has been tested at the Rossendorf Research Reactor RFR on a large scale. After finishing the investigations spoken about it will be decided how the system may be used for meeting the backfitting requirements of the Control and Instrumentation system.

Simultaneously experiences and results obtained by developing and testing the HIS have been used in the field of designing and projecting of new concepts for NPP Control and Instrumentation systems.

REFERENCES

/1/ Hieronymus, H.: 25 Jahre Rossendorfer Forschungsreaktor RFR - Rückblick, gegenwärtiger Stand und künftige Pläne. Kernenergie 25 (1982), 455

/2/ Baldeweg, F.; Enkelmann, W.; Klebau, J.: Überwachung und Kontrolle des Rossendorfer Forschungsreaktors mit einem mikrorechnerorientierten Automatisierungssystem. Kernenergie 25 (1982) 200

/3/ Enkelmann, W.: Eine Softwarelösung zur Kopplung der V. ursadat 5000 mit einem Rechner K 1620/K 1630 im Prozeßrechnersystem A 6401/A 6492. msr 25 (1982) H. 9

/4/ Seidler, S.; Hoyer, 3.: Investigation on the Reliability of a Special Process Computerized Instrumentation at a Nuclear Power Plant. IAEA/NPPCI Specialists' Meeting on "Experience from Quality Assurance and Control of Nuclear Power Plant Control and Instrumentation Systems", Vienna, September 25-27, 1979

/5/ Lindner, A.; Baldeweg, F.; Fiedler, U.: The Disturbance Analysis System SAAP-2. IAEA/NPPCI Specialists' Meeting on "Systems and Methods for Aiding Nuclear Power Plant Operators During Normal and Abnormal Conditions", Balatonfoldvar, Hungary, 4-6 October 1983

/6/ Giera, H.-O.; Grebner, A. et al.: Integration of noise diagnostics into the control and safety system of a NPP. IAEA Specialists' Meeting on "Early Diagnosis of Failures in primary system components of NPP", Prag, CSSR, 21-25 Juni 1982

/7/ Baldeweg, F.; Gate, 3.; Stoingroerier, C.: Reactor start-up and shut-down by means of a digital hierarchical decentralized informational system. Digital computer applications to process control, 6th IFAC/IFIP Conference, Dusseldorf, October 14-17, 1980

/8/ Faulstich, K.; Baldeweg, F.; Franke, K.: Ein Beladeroboter für Bestrahlungsgut am Rossendorfer Forschungsreaktor. Kernenergie 25 (1982) 461

[Fig. 1. Hierarchical Informational System (HIS), general structure: main computer Robotron K 1620/K 1630 (computer communication, process communication); serial bus (IFLS); basic units ursadat 5000 (Robotron K 1520); technological process (RFR).]

[Figure 2. Shut-down control at the Rossendorf Research Reactor: reactivity versus time t (h) for a reactor shut-down from stationary power due to a disturbance. Curves: xenon reactivity without shut-down control; reactivity reserve of the reactor; with the shut-down control program, the xenon reactivity after shut-down does not exceed the reactivity reserve.]

CLOSING SESSION

CHAIRMAN'S REMARKS ON THE MEETING

W. BASTL
Federal Republic of Germany

After the presentation of the session summaries by the chairmen let me express some personal views and remarks on backfitting of I+C in nuclear power plants. Getting away from the subdivision of this subject according to the session topics, I found roughly speaking two main groups of backfitting measures:

- the classical group, e.g. backfitting of real obsolete components and systems
- the vast field where backfitting leads to improvements of the present situation of the plant.

As to the classical backfitting, the most important role is certainly played by the measures which are to be taken due to updated or new regulatory requirements. Along this line we heard about

- seismic evaluations of I+C
- implementation of emergency response facilities
- updating of research reactor instrumentation.

The second group is strongly dominated by all types of process computers. Either the obsolete computer system is replaced - and of course mostly by a more powerful system with a variety of new tasks - or the new instrumentation or control system is at least based upon process devices, mostly micro-computers. We recall presentations concerning

- automatic sensor calibration
- monitoring-computers for ECC and shut-down systems
- emergency control room signal transmission
- automation of auxiliary systems frequency and load falling control
- controls for fuel handling.

As we have seen, introducing new process computer systems most of the time changed completely the overall data handling and data processing, which means one could very easily produce all types of information combinations, high level information (using mathematical correlations) and, by means of CRTs or maybe liquid crystal displays, all kinds of visualization to the operator.

This situation shows already the limitation of backfitting. Providing a new kind and organisation of information to the operator means at least three things

- proper implementation in the traditional surrounding of the control room
- training to the new situation
- updating if not rewriting the operator's manual (the old manual is strongly linked to the traditional way of information presentation)

In this context I would have liked to see some analysis of the trade-off of information improvement. It seems to me the hardware-part might be by far the less expensive one. A good idea to improve implementation of new information systems could be to make more extensive use of simulators, this means to analyse various options or configurations on the simulator.

Fortunately, there is also another type of new information systems, which cause less problems when applied as a backfitting tool. Diagnosis systems like loose parts monitoring or vibration monitoring make use of computerization in order to perform on-line spectral or statistical analysis; but loose parts localization or vibration analysis is done not too frequently, so that information in the control room itself is not a necessity.

After all that one may have the impression I was summarizing a process computer meeting, but looking at the type of presentations and its percentage these were really the key-papers. I also hope the meeting was representative for the actual situation.

On the other hand we have to bear in mind that I+C has to consider the complete chain sensor - signal processing - actuating device. Therefore, I would like to raise the question: aren't we once again improving the middle-part of the chain, though there are certainly various unsolved problems regarding hardware- and software reliability, which was not a subject of our meeting. Signal condensation by means of view graphs, diagrams, etc. certainly very often makes it impossible to figure out if the input-signals are correct. E.g. let us remind survey diagrams, which sometimes are fed with up to thousand sensor signals. There is no doubt that highly reliable sensors and on-line validation of sensor signals is essential for efficient application of computerized information systems. A lot of R+D-work is going on in the field, e.g. digital sensors, smart sensors. Therefore, I would like to have a specialists' meeting on sensors in the near future. And in order to close the chain I also propose a specialists' meeting on actuating devices, because it seems to me an area where availability can be still improved.

As a whole, our meeting has shown clearly the various technical problems of I+C backfitting. There were just a few papers discussing the analyses to be performed in order to achieve optimal technical solutions. It was stressed again and again that this was a very difficult task, and that the suitable methodology is still missing. This situation holds for the "classical" backfitting and moreover for optimization purposes. Reliability and risk analysis methods can be only partially applied, because I+C is essentially linked to the operator, and in the area of man-machine no sufficient data are available. There was only little discussion on the economical efficiency of backfitting measures. I consider cost-benefit considerations on backfitting a very important aspect, which has to be thoroughly considered and which will gain more and more importance with the growing life time of nuclear power plants. Let me close in saying, I+C was always the most flexible part of the plant systems. Now it is evidently becoming even more flexible, which is a danger but also a chance. It is a great challenge for all of us to use this chance to the benefit of the availability of nuclear power plants.

In closing the session I should like to thank the lecturers for their interesting talks, the audience for valuable comments and the chairmen for excellent guidance through the sessions. On behalf of all of us my very special thanks are to our hosts, the Atominstitut, Dr. Bock and his kind assistants, for providing us with excellent facilities and for the great hospitality. Last not least we thank the IAEA for providing another opportunity to hold a specialists' meeting on I+C, which I believe proved to be very successful, and we thank our scientific secretary, Mr. Sitnikov. I should like to point out that he has supported the IWG-NPPCI for several years with great enthusiasm and high efficiency and that he is now going to leave us for his home town Moscow. We do wish him the best for his future career.

LIST OF PARTICIPANTS

ARGENTINA
Huber, H. Comision Nacional de Energia Atomica, Avda Libertador 8250, 8250 Buenos-Aires

AUSTRIA
Bock, H. Atominstitut der Oesterreichischen Universitäten, Schüttelstrasse 115, A-1020 Vienna
Dworzak, F. Austrian Research Centre Seibersdorf, Lenaugasse 10, A-1082 Vienna
Hammer, J. Atominstitut der Oesterreichischen Universitäten, Schüttelstrasse 115,
Konig, H. Austrian Research Centre Seibersdorf, Institut für Reaktorsicherheit, Lenaugasse 10, A-1082 Vienna
Nedelik, A. Austrian Research Centre Seibersdorf, Lenaugasse 10, A-1082 Vienna
Oppolzer, H. Austrian Research Centre Seibersdorf, Lenaugasse 10, A-1082 Vienna
Roggenbauer, H. Austrian Research Centre Seibersdorf, Lenaugasse 10, A-1082 Vienna
Saringer, G. Bundesministerium für Gesundheit und Umweltschutz, Vienna
Weiss, H. Technische Universität Graz, Graz

BELGIUM
Baudelet, C. Association Vincotte, B-1640 Rhode-Saint-Genese
Finne, C. ELECTROBEL, Place du Trone 1, B-1000 Brussels
Herin, S. Plant Instrumentation and Control Section, Belgonucleaire, Rue du Champ de Mars 25, B-1050 Brussels
Van Reijen, M.C. Commission of the European Communities, Direction générale de la science, de la recherche et du développement, Rue de la Loi 200, B-1049 Brussels
Schucyser, J. CEN/SCK, Boeretang, 200, B-2400 Mol
Vuylsteke, E. Soci

CANADA
Hepburn, G.A. Atomic Energy of Canada Ltd., CANDU Operations, Sheridan Park Research Community, Mississauga, Ontario L5K 1B2

CZECHOSLOVAKIA
Stirsky, P. Power Research Institute, Partisanska 7a, Prague 7

FINLAND
Ekman, I. Imatran Voima Oy, P.O. Box 138, SF-00101 Helsinki
Juslin, K. Technical Research Centre of Finland, Vuorimiehentie 5, SF-02150 Espoo
Lucander, A. Teollisuuden Voima Oy, Fredrikinkatu 51-53, SF-00100 Helsinki

FRANCE
Becquevort, J.L. Société Merlin-Gérin, F-38050 Grenoble Cedex
Buisson, J. DEIN/SAI, Centre d'études nucléaires de Saclay, F-91191 Gif-sur-Yvette Cedex
Burel, J.P. Merlin-Gérin, F-38050 Grenoble Cedex
Dallland, K. CEA/OAS, B.P. 6, F-92260 Fontenay-aux-Roses
Depuis, M. Merlin-Gérin, F-38050 Grenoble Cedex
turec, J. Département d'Instrumentation nucléaire, DEIN/SME, Centre d'études nucléaires de Saclay, F-91191 Gif-sur-Yvette Cedex
Lienart, P. Electricité de France, Service de la production thermique, 3, rue de Messine, F-75384 Paris Cedex 08
Stelnaaa, J.f- Electricité de France, Service de la production thermique, 3, rue de Messine, F-75384 Paris Cedex 08

GERMAN DEMOCRATIC REPUBLIC
Croît, G. Kombinat Automatisierungsanlagenbau, Institut für Elektro-Anlagen, Strasse der Befreiung 1, DDR-1136 Berlin
Klebau, J. Zentralinstitut für Kernforschung, Rossendorf, DDR-8051 Dresden

GERMANY, FEDERAL REPUBLIC OF
Bastl, W. Gesellschaft für Reaktorsicherheit, D-8046 Garching
Harfst, U. Kraftwerk Union AG, Reaktoren, Hammerbacherstrasse 12+14, Postfach 3220, D-8520 Erlangen
Hellmeilchs, K. Kraftwerk Union AG, Reaktoren, Hammerbacherstrasse 12+14, Postfach 3220, D-8520 Erlangen
Kaiser, G.E. BBC Mannheim, Dept. GK/ir, Postfach 351, D-6800 Mannheim 1
Schaefer, J.P. Kraftwerk Union AG, Hammerbacherstrasse 12+14, Postfach 3220, D-8520 Erlangen
Wendling, R.D. Bundesministerium des Inneren - RI5, Graurheindorfer Strasse 198, D-5300 Bonn 1

HUNGARY
Berta, S. EROTERV
Raszl, K. TRANSELEKTRO, POB 377, H-1394 Budapest
Rosta, M. Company for Electroautomatics
Takács, L. Company for Electroautomatics
ValkS, I. Design Institute for Power Systems and Stations, EROTERV

INDIA
Natarajan, K. Government of India, Department of Atomic Energy, Bombay

ITALY
Aquino, A. ENEL CTN, Ente Nazionale per l'Energia Elettrica, Viale Cardano, 10, Milano
Bruschi, R. ENEA, S.P. Anguillarese, 301, C.R.E. Casaccia - Roma
Curzio, G. Universita degli Studi di Pisa, Dipartimento di Costruzioni Meccaniche e Nucleari, Via Diotisalvi, 2-1, I-56100 Pisa
Grimaldi, C. Comitato Nazionale per l'Energia Nucleare, Directorate for Safety, Via Vitaliano Brancati 48, I-00144 Rome
La Prato, E. Comitato Nazionale per l'Energia Nucleare, Viale Regina Margherita 125, I-00198 Rome
Torlai, M. AREA Impianti Elettrici e Strumentazione, Direzione Ingegneria Generale, NIRA S.p.A., Largo Renzo Tasselli, Via dei Pescatori, 35, I-16129 Genova
Viano, CD. ENEA-NIRA, Genova

JAPAN
Suto, O. Fuchu Works of Toshiba Corporation, 13-12, Mita 3-Chome, Minato-Ku, Tokyo, 108
Taguchi, S. Nuclear Engineering Division, Mitsubishi Atomic Power Industries, Inc., 2-4-1 Shibakoen Minato-Ku, Tokyo 105

KOREA, REPUBLIC OF
Chang Sang Hak
Song Ung Rok

THE NETHERLANDS
Daatselaar, C.J. Ministry of Social Affairs and Employment, P.O. Box 69, NL-2270 MA Voorburg
Kroon, J.P. Provinciale Zeeuwse Energie My, Kernenergiecentrale Borssele, Postbus 48, NL-4330 AA Middelburg
Visser, B.J. Ministry Social Affairs and Development, NL-2273 Kit Voorburg
Vriese, A. Provinciale Zeeuwse Energie My, Kernenergiecentrale Borssele, Postbus 48, NL-4330 AA Middelburg

SWEDEN
Fosrman, T. Swedish State Power Board, Forsmarksverken, S-740 70 Oesthammar
Gröndalen, O. Sydkraft AB, S-217 01 Malmö

SWITZERLAND
Bollok, L. Centrale Nucléaire de Leibstadt SA, Division Electrotechnique, CH-4351 Leibstadt
Fasko, P. Nuclear Safety I, Motor Columbus, Baden
Gfeller, J. Centrale nucléaire de Beznau, CH-5312 Döttingen
Lengweiler, K. Centrale nucléaire de Gösgen-Däniken, Case postale 55, CH-4658 Däniken
Turrian, A. Division principale de la sécurité des installations nucléaires, CH-5303 Würenlingen

SPAIN
Bu rond t, E. Fuerzas Eléctricas
Seisdedos, A. Eptisa-Ghesa-Tecnicas Reunidas, S.A., Empresarios Agrupados, Magallanes, 3, Madrid-15
Humphrey, J.C. Westinghouse Nuclear Española (WENESP), Agustín de Foxa, 29, Madrid-16
Lumbreras, A. Westinghouse Nuclear Española (WENESP), Agustín de Foxa, 29, Madrid-16
Garcia, J. Union Eléctrica Fenosa (UE-FENOSA), Capitán Haya, 53, Madrid-16
Sanchez-Fornié, M. Hidroelectrica Española, S.A., Hermosilla 3, Apdo. «58 (C), Madrid 1
Villadoniga, J.I. Systems Analysis Section, Consejo de Seguridad Nuclear (CSN), Paseo de la Castellana, 135, Madrid-16

UNITED KINGDOM
Bagwell, T. Central Electricity Generating Board, Barnett Way, Barnwood, Gloucester GL4 7RS
Cundy, D.R. UK Atomic Energy Research Establishment, Harwell, Didcot, Oxfordshire OX11 0RA
Morrish, H.F.G. Central Electricity Generating Board, Barnett Way, Barnwood, Gloucester GL4 7RS
Robinson, C. National Nuclear Corporation Ltd., Warrington Road, Risley, Warrington, Cheshire WA3 6BZ
Welbourne, D. National Nuclear Corporation Ltd., Cambridge Road, Whetstone, Leicester LE8 3LH
Welch, R.R. Central Electricity Generating Board, Barnett Way, Barnwood, Gloucester GL4 7RS
Williams, J.G.B. CEGB Severnside, Southwestern Region, Bristol

YUGOSLAVIA
Teodosic, V. Electrical Engineering Faculty, University of Belgrade, Belgrade

INTERNATIONAL ATOMIC ENERGY AGENCY
Wagramerstrasse 5, P.O. Box 100, Vienna, Austria
Konstantinov, L.V.
Laue, H.J.
Novak, S.
Sitnikov, C.