SUB CHAPTER G.3. F1 CLASSIFIED ... - epr-reactor.co.uk


SUB-CHAPTER: G.3 SECTION : -

PAGE : 1 / 41 UK-EPR

FUNDAMENTAL SAFETY OVERVIEW VOLUME 2: DESIGN AND SAFETY

CHAPTER G: INSTRUMENTATION AND CONTROL

SUB CHAPTER G.3. F1 CLASSIFIED INSTRUMENTATION & CONTROL SYSTEMS

1. PROTECTION SYSTEM (PS [RPS]) ARCHITECTURE

1.0. SAFETY REQUIREMENTS

1.0.1. SAFETY FUNCTIONS

The Protection System contributes to the following safety functions:

- control of reactivity,

- removal of residual heat,

- limitation of radioactive releases at the site boundary to an acceptable level

by controlling, after PCC-2, 3, 4 and RCC-A events, automatic reactor trip and the start-up of the safeguard systems.

In addition, the PS [RPS] must contribute to maintaining the Reactor Control System integrity.

1.0.2. FUNCTIONAL CRITERIA

The Protection System must implement the necessary short-term automatic actuation of safety systems which are used to mitigate the consequences of PCC-2, 3 or 4 events. The PS [RPS] must be designed to:

- allow the transient criteria to be met,

- allow the controlled state to be reached.

This system is required to accomplish similar actions in case of RCC-A accidents.

1.0.2.1. Reactivity control

The reactor trip (rod drop), together with the Safety Injection System if needed, must enable the reactor to reach the subcriticality required by the controlled state for accident conditions PCC 2 to 4.

For RCC-A events the PS [RPS] must accomplish all the short-term safety functions allowed by the definition of the transient.


1.0.2.2. Residual Heat Removal

When thermohydraulic conditions require it, the Protection System must enable the actuation of the safety systems (safety injection in the primary coolant, secondary partial cooldown, ASG [EFWS] actuation).

1.0.2.3. Containment of radioactive substances

The Protection System must, in due time, start the systems that prevent exceedance of specified fuel limits after any PCC or RCC-A event.

The Protection System must make it possible to detect the accidental situations that could impair the primary system integrity. In most cases, the reactor trip, associated with safety devices that act by direct pressure limitation, must guarantee this integrity. When there is a risk of brittle fracture of the RPV, the Protection System must limit the build-up of pressure in the RCS.

Furthermore, the containment isolation system must limit to acceptable values the radioactive releases following accidents where integrity of the primary coolant system is lost.

1.0.3. DESIGN REQUIREMENTS

1.0.3.1. Requirements arising from the safety classification

1.0.3.1.1 Safety Classification

The Protection System is safety-classified, according to the classification principles presented in sub-chapter C.2.

1.0.3.1.2 Single failure criterion (active and passive)

The single failure criterion must be applied at the system level.

As a consequence, the PS [RPS] must be made of redundant trains able to perform the safety functions after the loss of one train. The redundant protection channels must be implemented in separate divisions to prevent common cause failure in case of internal or external hazard affecting one division.

Electric decoupling must be provided between redundant trains.

Support functions must be independent to the greatest possible degree. Each redundant train will receive its power from a distinct backed-up power supply.

F1A functions should be accomplished even when the single failure criterion is applied simultaneously with preventive maintenance or periodic test conditions.

1.0.3.1.3 Emergency supplied power

The Protection System must be emergency-supplied by diesel generators, so that its safety function is ensured, even if external power supply is lost.


In addition, the Protection System must be supplied by an uninterruptible power supply at the suitable voltage in order to ensure its safety functions without interruption when external power supply is lost.

1.0.3.1.4 Qualification under operating conditions

The equipment involved in the safety functions of the PS [RPS] must be qualified for the ambient conditions in which it is required to operate.

Components ensuring an F1 safety function must be qualified according to the rules presented in chapter C.7.

1.0.3.1.5 Mechanical, Electrical, I&C Classifications

The mechanical classification is not applicable to the Protection System.

The electrical and I&C equipment are classified according to the rules of chapter C.2.

1.0.3.1.6 Seismic classification

The Protection System must be seismic classified, according to the classification principles presented in chapter C.2.

The objective of the dimensioning provisions is to ensure that the safety functions of the systems and components necessary for plant return to safe shutdown state will not be affected by an Increased Safety Earthquake.

1.0.3.2. Other regulatory requirements

1.0.3.2.1 Official texts

The general document “Options de Sûreté du projet de réacteur EPR” (letter DGSNR/SD2/079/2000) applies to the Protection System.

1.0.3.2.2 Basic Safety Rule

The application of the Basic Safety Rules to the EPR is developed in section A.7.

The following Basic Safety Rules are applicable to the EPR Protection System:

II.4.1.a "Safety Classified Electrical Systems Software"

IV.2.b "Requirements for the design, qualification, deployment and operation of safety-classified electrical hardware"

1.0.3.2.3 Technical Guidelines

In addition to the general requirements given in chapter A.1 (General safety approach), requirements applicable to the PS [RPS] are presented in sections A.2.2 (Redundancy and diversity in the safety systems), B.2.2.2 (Computerized safety systems) and G3 (Design of Instrumentation and Control).


1.0.3.2.4 Electrical design rules

Design rules for electrical equipment and specific rules to be applied to instrumentation are provided in the RCC-E.

1.0.3.2.5 Hazards

The Protection System must be protected against risk of common mode failure resulting from internal or external hazards.

1.0.3.2.6 Internal hazards

The PS [RPS] must be protected against internal hazards, according to sub-chapter C.4.

I&C systems and equipment must be designed so that:

- I&C functions necessary to reach the safe state are available, taking into account a single failure and preventive maintenance on the necessary system, in case of internal failure independent from a PCC-2 to PCC-4 or RRC event;

- F1 I&C functions necessary to control PCC-2 events are available, taking into account a single failure and preventive maintenance on the necessary system, in case of internal failure leading to a PCC-2 event.

1.0.3.2.7 External hazards

The PS [RPS] must be protected against external hazards, according to sub-chapter C.3.

To ensure protection against airplane crash, two system trains must be installed in a protected building and the remaining two must be geographically separated to limit the consequences of a crash to a single division. The PS [RPS] train in the non-destroyed building division has to be protected from any impact generated by the equipment in the destroyed division.

1.0.4. TESTS

1.0.4.1. Pre-operational tests

Pre-operational tests must prove the adequacy of the design and the performance of the Protection System.

1.0.4.2. Periodic tests and in-service inspection

Long periods of operation with a potentially degraded I&C configuration (accumulation of failures), which might lead to the loss of a safety function, are shortened by periodic testing.

Self-tests and periodic tests must be implemented in F1 functions to detect failures. Test frequencies are calculated from the reliability expected of the tested function.

The PS [RPS] is designed to allow the implementation of the periodic tests.

Layout and design of the Protection System equipment must provide easy access to enable performance of in-service inspections and periodic tests. Suitable techniques have to be applied to reduce the possibilities of inappropriate actions during tests.


1.1. MISSION

The Protection System implements the automatic functions, manual actions and monitoring functions which are F1A classified. The Protection System also implements some parts of the F1B safety classified functions as well as some specific F2 functions.

These F1A functions are used after an initiating event (PCC 2, 3, 4) to reach a controlled state. They mainly comprise:

- automatic actuation of reactor trip,

- automatic control of safeguard systems and related support systems,

- generation of signals for the detection of situations which request operator manual actions,

- actuation of manual F1A I&C functions.

1.2. SUPPORTED FUNCTIONS

1.2.1. AUTOMATIC REACTOR AND TURBINE TRIP FUNCTIONS

Table G.3 TAB 3 lists the Reactor Trip and Turbine Trip functions that can be performed by the Protection System.

1.2.2. SAFEGUARD FUNCTIONS

Table G.3 TAB 4 and TAB 5 list the Safeguard functions that can be performed by the Protection System.

1.2.3. SAFEGUARD SYSTEM SUPPORT FUNCTIONS

Tables G.3 TAB 6 and TAB 7 list the safeguard support systems functions.

1.3. DESIGN BASIS

1.3.1. DESIGN CRITERIA

1.3.1.1. Redundancy

When two F1A classified I&C functions perform contradictory actions on the same component, the one which has priority over the other is called Non-Unequivocally Safety Oriented (NUSO). All other safety I&C functions are called Unequivocally Safety Oriented (USO).


The F1 part of the Protection System is designed to withstand single failure even during maintenance or periodic testing. In order to achieve tolerance to single failure and maintenance, while minimizing the occurrence of spurious actuation, a four-fold redundancy is necessary. In addition, the four redundant protection channels must be implemented in separated divisions to prevent common cause failure in case of an internal hazard in one division (a single failure must be tolerated in addition to an internal hazard).

The degree of redundancy of the mechanical/fluid system functions and their associated equipment must be preserved in the associated redundant I&C functions (e.g. four medium head safety injection trains also require four dedicated I&C subsystems).

The current level of reliability/availability, in terms of non-actuation on demand, is defined in sub-chapter R.1.

1.3.1.2. Independence

In accordance with RCC-E, three kinds of independence are considered in one I&C system:

- independence between redundancies of the I&C system.

- independence between equipment of different safety classes.

- independence between diverse functions.

In addition to the requirements applying to independence within the Protection System, independence between the Protection System and the other I&C systems is also necessary.

1.3.1.2.1 Independence between the four redundancies of the Protection System

According to RCC-E and to limit the consequences of a single failure to the affected redundant function, the redundant functions and their associated equipment including their support systems (e.g. power supply) must be independent from each other.

This requirement involves the implementation of at least the following measures:

- the redundant equipment of the Protection System must be physically allocated in different divisions.

- specific protection measures must be provided (e.g. protection wall or protection tubing) to achieve divisional separation for measurement points which are located near to each other.

- to prevent the propagation of internal hazard consequences through divisions and limit the effects of a single failure to the affected redundant functions, divisional interconnections must be limited to a minimum.

- when the connections between divisional separated functions are required (e.g. majority voting), the data communication between divisions must be decoupled both electrically (e.g. optic fibre) and physically (e.g. fire barriers).

- erroneous commands and information passing from a disturbed division must be ignored by the undisturbed divisions (e.g. by means of majority voting).


1.3.1.2.2 Independence between equipment of different safety classes

According to RCC-E requirements, equipment of different safety classes within the Protection System must be independent in such a way that a failure occurring in lower class equipment does not impair the functions of the higher class equipment.

This requirement involves the implementation of the following measures (as a minimum):

- for the Protection System, connections between equipment of different safety classes must be minimized (e.g. common use of measurements and components).

- the use of common components must be avoided as far as possible. If not, the common equipment used must be assigned, classified and designed according to the requirements of the higher class.

- Connections between E1 equipment and E2 or NC equipment must be electrically decoupled.

1.3.1.2.3 Independence between diverse functions

When functional diversity is required, a sufficient degree of independence must be achieved.

This requirement involves the implementation of the following design measures:

- instrumentation, process units and cabling for each of the diverse functions must be separated.

- equipment diversity for instrumentation may be implemented when diverse functions make use of the same process parameter (decision made on a case by case basis).

1.3.1.2.4 Independence between the Protection System and the other I&C systems

A sufficient independence to the other lines of defence must be achieved because the Protection System belongs to the main line of defence.

This requirement involves compliance with the following design measures:

- Provisions must be taken for decoupling the connections between the Protection System and the I&C systems F2 classified or NC. If common information is shared by the Protection System and other I&C systems, provisions must be taken for decoupling the connections.

- When a sensor is used for both protection and control functions, its failure must not result in a transient for which the protection function using this sensor is required to act, unless this protection function could still operate despite an additional failure combined with preventive maintenance or a periodic test (single failure criterion). In practice, when a sensor is used both for protection and control functions, all four measurements are sent to the equipment implementing the control functions, and a voting logic is used to eliminate the faulty signal.


1.3.1.3. Detection of degraded states

Appropriate measures should be taken to detect and identify the occurrence of failures, in order to avoid long periods of operation with a degraded I&C configuration which might lead to the loss of a function due to an accumulation of failures.

For this reason, self tests and periodic tests of the equipment performing the F1 functions must be implemented to detect any failure that could prevent the F1 function from operating.

1.3.2. AVAILABILITY CRITERIA

1.3.2.1. Spurious actuation upstream from the last voter

For F1A functions, a failure anywhere in the Protection System upstream of the last voter must not generate a spurious command that would lead to a spurious actuation, even during maintenance or periodic test.

1.3.2.2. Spurious actuation downstream from the last voter

For F1A functions, the risk of spurious actuation of the corresponding actuators due to the equipment downstream of the last voter (the voter itself included) must be minimized.

1.3.3. PERFORMANCE

Performance in terms of accuracy and response time is derived from the functional requirements summarised in G.3 TAB 8.

Performance is ensured by the following principles:

1.3.3.1. Distribution of functions

To comply with IEC 60880, Appendix B, individual application functions with different response time magnitudes should not be allocated to the same processing unit.

To reduce the complexity of software, individual application functions should be divided amongst several processing units.

If it appears that for a specific accident two pre-existing signals can initiate the required protection action (functional diversity), the structure of the Protection System has to take this into account in order to provide separated equipment for the implementation of the different initiation channels.

1.3.3.2. Communication

According to RCCE C5000, the behaviour of the Protection System that supports F1A functions must be deterministic. An I&C system is said to be deterministic if it is possible to establish, by analysing its design, architecture and implementation, with a very high degree of precision and certainty, what it does under all required modes of operation.

Therefore the communication system used in the F1A part of the Protection System must be deterministic.

Some features related to the deterministic behaviour of a system are listed below:


- Pre-determined response time,

- Simple testability and failure diagnosis,

- Simple software validation.

1.3.4. AMBIENT CONDITIONS REQUIREMENTS

1.3.4.1. Normal conditions

The hardware must be able to operate in the ambient conditions given in section I.4.1.

1.3.4.2. Accident conditions

As specified in section G.3.1.0.3.1.4, components performing an F1 safety function are qualified to remain functional under the post-accident conditions.

Likewise, components ensuring an F2 function have to be qualified to remain functional under the post-accident conditions.

1.3.5. HUMAN-MACHINE INTERFACE REQUIREMENTS

Access to video display units, computers, keyboards, mice, disk or CD-ROM drives, hard disks, printers, etc. related to the Protection System equipment is controlled by physical means such as keys, magnetic or chip cards, etc.

Every time work on one of these devices is stopped, the equipment must be locked.

No immediate access is possible to the Protection System software itself. This means that access is possible only through interface equipment used for testing or configuration or data consultation, and that the interface equipment is connected to the Protection System without requiring the I&C cabinets to be opened. The purpose of this restriction is to limit the overall number of physical accesses required to the electronic modules of the Protection System.

The interface equipment is dedicated to the Protection System. It is connected to the Protection System only. Disconnecting the interface equipment is only possible after unlocking a specific locking device.

Access to the Protection System software is via a screening software module installed within the interface equipment.

The screening module requires:

- the general password,

- the user’s name,

- the user’s personal password,

for any user requesting any type of access.

The user’s personal password is only known by that user. He can change his password whenever he wishes, and passwords must be changed with a minimum frequency.


Management of access to the interface equipment allows:

- control of user name and personal password,

- access to necessary areas of the Protection System software according to the user name. It includes read and write authorizations,

- access to a single train,

- control of automatic traces of operations (traces of access and operations when access is granted),

- etc.

The designer organises the Protection System software and the hardware to forbid access to other software areas than those needed for testing, configuration and data consultation.
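The screening module and the access management described above, as an added Python model (not the vendor's code). The page fixes the three credentials, the per-user read/write areas, the single-train restriction, the automatic trace and a minimum password change frequency; the salted PBKDF2 storage, the 90-day limit, the reason strings and the sample user are assumptions.

```python
"""Model of the Protection System screening module (added illustration).
Assumed here: password storage as salted PBKDF2, a 90-day change limit and
a day counter in place of real dates; the policy itself follows the page."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

MAX_PASSWORD_AGE_DAYS = 90   # assumed value for the "minimum change frequency"


def _digest(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the stored credentials do not reveal the passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class User:
    name: str
    salt: bytes
    digest: bytes
    train: int                                  # the single train this user may reach
    areas: dict = field(default_factory=dict)   # software area -> {"read", "write"}
    password_changed_day: int = 0


@dataclass
class ScreeningModule:
    general_salt: bytes
    general_digest: bytes
    users: dict = field(default_factory=dict)
    trace: list = field(default_factory=list)   # automatic trace of every request

    @classmethod
    def create(cls, general_password: str) -> "ScreeningModule":
        salt = os.urandom(16)
        return cls(salt, _digest(general_password, salt))

    def add_user(self, name: str, password: str, train: int, areas: dict, today: int) -> None:
        salt = os.urandom(16)
        self.users[name] = User(name, salt, _digest(password, salt), train, areas, today)

    def request_access(self, general_password: str, name: str, personal_password: str,
                       train: int, area: str, mode: str, today: int) -> bool:
        """Grant only if all three credentials match, the personal password is
        not stale, the train is the user's single train and the mode is
        authorised for that area. Every decision, granted or refused, is traced."""
        user = self.users.get(name)
        general_ok = hmac.compare_digest(self.general_digest,
                                         _digest(general_password, self.general_salt))
        if user is None:
            reason = "unknown user"
        elif not hmac.compare_digest(user.digest, _digest(personal_password, user.salt)):
            reason = "bad personal password"
        elif not general_ok:
            reason = "bad general password"
        elif today - user.password_changed_day > MAX_PASSWORD_AGE_DAYS:
            reason = "personal password expired"
        elif train != user.train:
            reason = "train not allocated to user"
        elif mode not in user.areas.get(area, set()):
            reason = "area/mode not authorised"
        else:
            reason = "granted"
        self.trace.append((today, name, train, area, mode, reason))
        return reason == "granted"

    def change_password(self, name: str, old: str, new: str, today: int) -> bool:
        """Only the user can change the personal password; the change date is
        recorded so that the minimum change frequency can be enforced."""
        user = self.users.get(name)
        ok = user is not None and hmac.compare_digest(user.digest, _digest(old, user.salt))
        if ok:
            user.salt = os.urandom(16)
            user.digest = _digest(new, user.salt)
            user.password_changed_day = today
        self.trace.append((today, name, user.train if user else None, "-",
                           "password change", "granted" if ok else "refused"))
        return ok


if __name__ == "__main__":
    # Constructed sample: one technician allocated to train 2 who may read and
    # write the configuration area but only read the data area.
    m = ScreeningModule.create("general-secret")
    m.add_user("tech1", "personal-1", 2, {"config": {"read", "write"}, "data": {"read"}}, today=0)
    print(m.request_access("general-secret", "tech1", "personal-1", 2, "config", "write", 10))
    print(m.request_access("general-secret", "tech1", "personal-1", 3, "config", "write", 10))
    for entry in m.trace:
        print(entry)
```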

1.4. ARCHITECTURE

1.4.1. STRUCTURE AND COMPOSITION

1.4.1.1. General remarks

The Protection System is designed:

- to minimize the quantity of components (electronic cards, etc.) and the number of network connections,

- to ensure the global response time of function requirements e.g. by limiting network load.

1.4.1.2. Functional structure

For this section refer to figures G.3 FIG 2 and FIG 3.

The Protection System performs four types of F1A functions:

- automatic actuation of the reactor trip,

- automatic control of the ESFAS,

- control of the safety support systems,

- management of F1A manual controls (for instance the reactor trip manual control).

It also performs some F1B functions, which mainly are:

- calculation of the temperature saturation margin,

- some post-accident monitoring, possibly involving information synthesis (redundancy reduction) in division 2 and 3,


- monitoring of voted values in the F1A part of the PS [RPS],

- management of alarms related to the PS [RPS],

- management of F1B manual controls acting on PS [RPS] F1A,

- management of F1B manual grouped controls,

- etc …

The following sub-sections apply to the four divisions of the plant and for the four redundancies of the Protection System.

1.4.1.2.1 Sensor(s) and transmitter(s)

Depending on the type of sensor, the I&C cabinets provide the power supply to the detectors, the decoupling modules if necessary, and perform the required conditioning to provide different types of standardized signals that can be used by the A/D converters.

1.4.1.2.2 Measurement data acquisition

- A/D converters:

The Protection System converts analogue measurement signals to digital values.

- Data transmission:

In most cases, after A/D conversion there are no data exchanges between the four redundant elements of the Protection System at this step (see Fig 2). However some specific functions (e.g. power distribution inside the core monitoring function) need to exchange digitalized values between divisions at this level (see Fig 3).

- First level of processing:

Each signal is checked. In case of violation of the measuring range limits or in case of detection of a fault in the acquisition, the signal is invalidated for processing. Each digitalized input is computed to get the corresponding physical value of the measurement which is used by the processing. The results of the digitalization and the conversion into physical values are also transmitted to other systems (see Tab. 4 and Tab. 5) and to the service equipment.

1.4.1.2.3 Initiation Processing

The first step is the collection of data from the Measurement Data Acquisition of its division, or in some special cases also from the three other divisions (because some functions need the information from all four redundancies - see Data transmission above). The digital data are processed according to the functional requirements.

The last step of the initiation processing is the comparison with a threshold to provide binary information, hereafter called the initiation signal, indicating whether or not the threshold is reached.


In case of detected failure in initiation processing, the initiation signal is invalidated.

1.4.1.2.4 Actuation Processing

Each division collects the redundant initiation signals from the four divisions. These signals are computed in a 2/4 voting logic to provide initiation orders. Different cases exist as represented in G.3 FIG 5. Such 2/4 voting logic is designed to be downgraded in the appropriate way if one or more signals are invalidated.

All the initiation orders generated by the different initiation channels are computed together with the permissive/interlock signals to produce an actuation signal.

The results of the majority voting (i.e. the initiation order) as well as the actuation signal are also transmitted to other systems (see G.3 TAB 2) and to the service equipment.
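The acquisition, initiation and actuation steps above, including the degradation of the 2/4 vote when signals are invalidated and the control-side vote on a shared sensor from section 1.3.1.2.4, modelled as an added Python example (not code from the EPR project or its I&C vendor). The degradation table, the sense of the threshold comparison, the median selection and the sample values are assumptions, marked in the comments.

```python
"""Model of one safety action through the functional structure on this page
(added illustration). Assumed here: the 2/4 degradation table, 'threshold
reached' meaning value >= threshold, median selection on the control side."""
from statistics import median
from typing import Optional, Sequence

Measurement = Optional[float]   # None means "invalidated for processing"
Initiation = Optional[bool]     # None means the initiation signal is invalid


def acquire(raw: float, lo: float, hi: float, fault: bool = False) -> Measurement:
    """First level of processing: a value outside the measuring range or a
    detected acquisition fault invalidates the signal for downstream use."""
    if fault or not (lo <= raw <= hi):
        return None
    return raw


def initiation_signal(value: Measurement, threshold: float,
                      processing_fault: bool = False) -> Initiation:
    """Initiation processing: binary comparison with a threshold. An invalid
    input or a detected failure in the processing invalidates the result."""
    if value is None or processing_fault:
        return None
    return value >= threshold


# Assumed degradation table: with fewer valid signals the vote moves from
# 2oo4 to 2oo3, then 1oo2, then 1oo1. The page only says the logic is
# "downgraded in the appropriate way", so treat this as one possible policy.
VOTES_REQUIRED = {4: 2, 3: 2, 2: 1, 1: 1}


def vote_2oo4(signals: Sequence[Initiation]) -> bool:
    """Actuation processing: majority vote over the four divisions' initiation
    signals. Invalidated signals are ignored, so a single disturbed division
    cannot force an order on its own; the required count degrades with the
    number of valid signals. Returns the initiation order."""
    if len(signals) != 4:
        raise ValueError("one initiation signal per division is expected")
    valid = [s for s in signals if s is not None]
    if not valid:
        return False
    return sum(valid) >= VOTES_REQUIRED[len(valid)]


def actuation_signal(initiation_orders: Sequence[bool], permissive: bool) -> bool:
    """Combine the initiation orders of the different initiation channels with
    the permissive/interlock signal (assumed: any channel's order actuates,
    provided the permissive allows it)."""
    return permissive and any(initiation_orders)


def control_value(measurements: Sequence[Measurement]) -> Measurement:
    """Control-side use of a sensor shared with protection: all four
    measurements are voted so that one faulty value does not drive the control
    function. Assumed vote: median of the valid measurements."""
    valid = [m for m in measurements if m is not None]
    if len(valid) < 2:
        return None
    return median(valid)


def division_cycle(raw_by_division, lo, hi, threshold, permissive):
    """One cycle for a single safety action: acquire in each division, derive
    the initiation signals, vote them, then gate the order by the permissive."""
    signals = [initiation_signal(acquire(raw, lo, hi), threshold) for raw in raw_by_division]
    order = vote_2oo4(signals)
    return signals, order, actuation_signal([order], permissive)


if __name__ == "__main__":
    # Constructed scenario: pressure in bar, range 0..200, threshold 175.
    # Division 3's transmitter reads out of range and is invalidated; divisions
    # 1 and 2 see the threshold reached, so the degraded 2oo3 vote gives an order.
    print(division_cycle([176.0, 178.0, 250.0, 170.0], 0.0, 200.0, 175.0, True))
```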

1.4.1.2.5 Closed loop control processing

This function is specific to control loop processing (not shown in G.3 FIG 2): the physical parameter that is controlled is acquired by the Measurement Data Acquisition part in the four divisions, then analogue values are sent within the division to units dedicated to closed control loop actuations.

1.4.1.3. Composition

Figures G.3 FIG 3, FIG 4 and FIG 8 illustrate the "Equipment Architecture".

Figure G.3 FIG 6 shows the relation between the "Functional Structure" and the "Equipment Architecture" of the Protection System.

The architecture applies to the four divisions of the plant: it involves the following types of unit ...

1.4.1.3.1 Remote Acquisition Units (RAU)

This kind of unit is dedicated to measurement acquisition and transmission of the acquired measurements to units dedicated to processing functions in all divisions. These units ensure the Measurement Data Acquisition role in the functional architecture.

1.4.1.3.2 Acquisition and processing units (APU)

These units are dedicated to the Initiation Processing functional task, but they are also able to perform measurement acquisition functional tasks.

1.4.1.3.3 Actuators Logic Units (ALU)

These units are dedicated to actuation processing.

1.4.1.3.4 Control units (CU)

These units are dedicated to closed loop control processing.


1.4.1.3.5 Functional distribution

The Protection System implements two different kinds of functions:

- three-level functions, which require data exchange between divisions immediately after acquisition.

- two-level functions, which do not require data exchange after acquisition of measurements.

In the case of three-level functions, the functional structure is implemented in the following units:

- Measurement Data Acquisition is performed by the Acquisition Unit.

- Initiation Processing is performed by the Acquisition and Processing Units.

- Actuation Processing is performed by the Actuators Logic Units.

In the case of two-level functions, the functional structure is implemented in the following units:

- Measurement Data Acquisition is performed by the Acquisition and Processing Units.

- Initiation Processing is performed by the Acquisition and Processing Units.

- Actuation Processing is performed by the Actuators Logic Units.

In the case of the NUSO support system function (e.g. load shedding sequence), all the functional structure described in the G.3 FIG 2 is implemented in the APU. For safety and availability reasons, processing is realised three times in three APU of each division (see G.3 FIG 6). An order is then transmitted to PACS through a 2 out of 3 hard wired module.

The other support system functions are engineered like classic ESFAS functions (see G.3 FIG 6).

In the case of the closed loop control function, the measurement data acquisition part is ensured by one APU. All the other parts of the functional structure are implemented in the CU (see G.3 FIG 6). The two CUs are organized in master / hot standby devices to pilot the control valve.

1.4.1.3.6 General description

To take advantage of the existence of two signals for a given safety action, the F1A part of the protection system is organised in two independent subsystems (see G.3 FIG 3).

Sensors are acquired by RAU or APU on subsystem A or B. For some special cases a sensor may be acquired by both subsystems (see G.3 FIG 4).

Actuators can be controlled either by subsystem A, subsystem B, or both (see G.3 FIG 4).

- Reactor Trip:

  - is controlled at the ALU level on subsystem A,

  - is controlled at the ALU level on subsystem B.

- ESFAS are controlled at the ALU level on subsystem A or B.


- NUSO Support System functions are controlled at the APU level on subsystem A and B.

- USO Support System functions are controlled at the ALU level on subsystem B.

The F1B part of the Protection System is composed of several units dedicated to:

- MCS [SICS] management (called the Panel Interface unit),

- Information transfer management (called Monitoring and Service Interface unit).

The Panel Interfaces (divisions 2 and 3) are connected to the four Monitoring and Service Interface units to permit information synthesis.

Monitoring and Service Interface Units provide the interfaces with the lower-classified equipment devices:

- RCSL interfaces in the four divisions,

- gateways located in divisions 1 and 4,

- service units that support the MMI interface of PS [RPS] for test, diagnosis and maintenance purpose.

1.4.2. INSTALLATION

To conform with spatial separation requirements, the four trains of the Protection System and the I&C electrical equipment are located within the four safeguard buildings. The Protection System I&C equipment is therefore arranged within the I&C cabinet rooms of safeguard buildings SB1 to SB4.

1.4.3. INTERFACES WITH THE REST OF THE I&C

The Protection System is implemented at level 1 of the automation structure. Its interfaces and relations with other systems of levels 0, 1 and 2 are represented in G.3 FIG 1. The following description refers to this figure.

1.4.3.1. INPUT

The Protection System receives manual control signals from the Process Information and Control System (MCP [PICS]) and the Safety Information and Control System (MCS [SICS]) to reset some actions initiated automatically by the Protection System or to start some protection actions.

The Protection System performs data acquisition (analogue, binary, etc.) of signals issued from instrumentation systems or from limit switches.

The Protection System exchanges the necessary information for commissioning, maintenance and periodic testing purposes with the Service Centre.

See Table G.3 TAB 1 for an overview of the inputs provided by the other I&C systems.

1.4.3.2. OUTPUT

The Protection System provides information for the Safety Information and Control System (MCS [SICS]) and the Process Information and Control System (MCP [PICS]).

The Protection System provides the Reactor Trip devices with control signals for reactor trip actuation.

The Protection System provides the Priority and Actuator Control System (PACS) with control signals for actuator position changes.

The Protection System provides information for the Reactor Control Surveillance and Limitation System (RCSL), the Process Automation System (PAS) and the Safety Automation System (SAS).

See G.3 TAB 2 for an overview of the destination of the Protection System outputs.

1.5. OPERATION MODES

The Protection System is composed of a set of units (APU, ALU, etc.) in which the main component is a CPU.

The following description concerns the operation modes of a unit.

G.3 FIG 7 gives the details of the operation modes and their interactions.

The operation states of a unit are the following:

Start Up : on start-up of the function processor, several steps of an initialization routine are executed. First, a low-level boot monitor controls the hardware initialization and triggers comprehensive start-up self-tests. After the operating system kernel has started successfully, the INIT module of the runtime environment (RTE) takes control of the CPU to complete the initialization phase of the RTE. If initialization fails, cyclic operation is not commenced and the INIT module ends in an endless loop without enabling output signals. After initialization has been completed successfully, the function processor changes to normal operation.

Cyclic operation : cyclic operation is the normal mode of a function processor. It remains in this state until it is reset, either manually or as a consequence of an exception caused by a random hardware fault or power switch-off. A transition to other operation modes can only be initiated by the Service Unit.

Trace mode : In this mode it is not possible to impact the cyclic operation of a function processor by the Service Unit. The functionality for tracing a specified scope of processed signal data from the Service Unit is already included in this CPU operating mode. Tracing can be initiated for any selected signals belonging to the function diagrams presented on the Service Unit.

Parameterization : A prerequisite for this mode is the release for changing to the parameterization mode. In this mode, the application software (function diagram group modules) continues to be processed in the same way as in the “cyclic operation” mode. The reason for introducing this specific release before changing into the “parameterization mode” is to implement an administrative barrier before some set-points may be changed. A return to normal “cyclic operation” is possible at any time without additional conditions. During operation of the I&C, only the parameters that were previously designed as “changeable during cyclic operation” (e.g. for optimising a close-loop control or adapting parameters in case of a stretch-out operation) can be changed via the Service Unit.

Functional Test : This state is used for troubleshooting. A prerequisite for this mode is the validation for switching to the “function test” mode with respect to:

- plant operating conditions (decision by the shift personnel), and

- the operating modes of the TELEPERM XS system in the other initiation trains.

If one processor in another chain is already in functional test mode or is identified as not being in normal operation, then the release for switching an additional processor to test mode is inhibited.

When changing to test mode, cyclic processing of the application functions is stopped.

Processing functions are activated according to test conditions by means of additional control commands sent by the Service Unit:

- activation / deactivation of input / output drivers,

- activation / deactivation of message send and message receive functions,

- activation / deactivation of function diagram module processing,

- preliminary filling of data in input and output buffers,

- tracing of signals.

The “functional test” operating mode is always exited by a processor reset and automatic restart. After a start-up time of about 10 seconds, processing is continued in “cyclic operation” mode.

Diagnosis : A prerequisite for this mode is the release for switching to the “diagnosis” mode. The release depends on the decision by the maintenance shift and the TELEPERM XS systems operating mode in the other initiation trains. In "Diagnosis mode" all of the "Functional Test mode" functions can be performed. The additional function is essentially software loading. In some very exceptional cases, specific test routines can be loaded and run. The “diagnosis” operating mode is always exited by a processor reset followed by an automatic restart.
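The operating modes of section 1.5, with the release prerequisites and the cross-train inhibit for the functional test and diagnosis modes, modelled as an added Python example (not code from the UK-EPR documentation or from the TELEPERM XS platform). The class names, the `release` flag standing for the shift or maintenance personnel decision, the treatment of parameterization as "not normal operation" for the interlock, and the parameter names are assumptions of this example.

```python
# Operation modes of a function processor (section 1.5). Added example, not code
# from the UK-EPR documentation or the TELEPERM XS platform: class names, the
# `release` flag (shift / maintenance decision) and parameter names are assumptions.
from enum import Enum, auto


class Mode(Enum):
    START_UP = auto()
    INIT_FAILED = auto()      # INIT module loops forever, outputs never enabled
    CYCLIC = auto()           # normal operation
    TRACE = auto()
    PARAMETERIZATION = auto()
    FUNCTIONAL_TEST = auto()
    DIAGNOSIS = auto()


class ReleaseDenied(Exception):
    """Administrative release missing or cross-train interlock active."""


class FunctionProcessor:
    # Modes counted as "normal operation" by the interlock; excluding
    # parameterization is a conservative assumption of this example.
    NORMAL = (Mode.CYCLIC, Mode.TRACE)

    def __init__(self, train, parameters, changeable):
        self.train, self.mode, self.outputs_enabled = train, Mode.START_UP, False
        self.parameters = dict(parameters)
        self.changeable = frozenset(changeable)  # "changeable during cyclic operation"

    def start_up(self, self_tests_ok=True):
        """Boot monitor and self-tests, kernel start, then the RTE INIT module."""
        self.mode, self.outputs_enabled = Mode.START_UP, False
        if self_tests_ok:
            self.mode, self.outputs_enabled = Mode.CYCLIC, True
        else:
            self.mode = Mode.INIT_FAILED  # cyclic operation is never commenced
        return self.mode

    def request_mode(self, new_mode, other_trains, release=False):
        """Mode change requested by the Service Unit, the only possible initiator."""
        if self.mode is not Mode.CYCLIC:
            raise ReleaseDenied(f"train {self.train} is not in cyclic operation")
        if new_mode is Mode.PARAMETERIZATION:
            if not release:               # administrative barrier before set-point changes
                raise ReleaseDenied("parameterization needs a release")
        elif new_mode in (Mode.FUNCTIONAL_TEST, Mode.DIAGNOSIS):
            if not release:               # shift / maintenance personnel decision
                raise ReleaseDenied(f"{new_mode.name} needs a release")
            for other in other_trains:    # inhibit: another train under test / abnormal
                if other.mode not in self.NORMAL:
                    raise ReleaseDenied(f"train {other.train} is in {other.mode.name}")
        elif new_mode is not Mode.TRACE:  # tracing cannot impact cyclic operation
            raise ValueError(f"{new_mode.name} cannot be requested")
        self.mode = new_mode
        return self.mode

    def change_parameter(self, name, value):
        """Set-point change via the Service Unit, parameterization mode only."""
        if self.mode is not Mode.PARAMETERIZATION:
            raise ReleaseDenied("set-points change only in parameterization mode")
        if name not in self.changeable:
            raise ReleaseDenied(f"{name} is not changeable during cyclic operation")
        self.parameters[name] = value
        return value

    def leave(self):
        """Trace / parameterization return to cyclic; test / diagnosis reset and restart."""
        if self.mode in (Mode.TRACE, Mode.PARAMETERIZATION):
            self.mode = Mode.CYCLIC
            return self.mode
        if self.mode in (Mode.FUNCTIONAL_TEST, Mode.DIAGNOSIS):
            return self.start_up()        # about 10 s later: cyclic operation
        raise ValueError(f"nothing to leave from {self.mode.name}")


def scenario():
    """Four redundant trains; returns {step: outcome} for each Service Unit request."""
    params = {"trip_setpoint": 1.0, "filter_constant": 0.5}   # constructed values
    t1, t2, t3, t4 = [FunctionProcessor(n, params, {"filter_constant"}) for n in (1, 2, 3, 4)]
    for t in (t1, t2, t3, t4):
        t.start_up()
    out = {}

    def attempt(step, fn):
        try:
            result = fn()
            out[step] = result.name if isinstance(result, Mode) else result
        except ReleaseDenied:
            out[step] = "denied"

    test = Mode.FUNCTIONAL_TEST
    attempt("t1 test", lambda: t1.request_mode(test, [t2, t3, t4], release=True))
    attempt("t2 test while t1 tests", lambda: t2.request_mode(test, [t1, t3, t4], release=True))
    attempt("t1 leaves test", t1.leave)
    attempt("t2 test afterwards", lambda: t2.request_mode(test, [t1, t3, t4], release=True))
    attempt("t3 param without release", lambda: t3.request_mode(Mode.PARAMETERIZATION, []))
    attempt("t3 param", lambda: t3.request_mode(Mode.PARAMETERIZATION, [], release=True))
    attempt("t3 changeable set-point", lambda: t3.change_parameter("filter_constant", 0.7))
    attempt("t3 fixed set-point", lambda: t3.change_parameter("trip_setpoint", 2.0))
    attempt("t4 init failure", lambda: t4.start_up(self_tests_ok=False))
    return out
```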

1.6. TECHNOLOGY USED

The equipment used to implement the Protection System is the TELEPERM XS digital I&C platform.

The digital TELEPERM XS instrumentation and control (I&C) system is intended for applications relevant to safety in nuclear power plants. It was developed for installation in new nuclear power plants as well as for upgrading and retrofitting I&C systems in existing plants.

Outstanding features of TELEPERM XS are the flexible task-oriented architecture which enables economical and space-saving solutions for all types and sizes of nuclear power plants and the advanced concept that guarantees long system life by using interface and communication standards wherever possible and up-to-date methods for engineering and maintenance.

The major advantages of employing digital processors in systems relevant to safety include:

- early detection of faults by cyclic self-monitoring,

- early detection of faults by improved monitoring of peripheral equipment (transducers, peripheral interfaces),

- protection against faulty signals by fault detection measures for serial data transmission,

- increased fault tolerance compared to hard-wired systems through introduction of a signal status for marking faulty signals,

- digital signal processing, unaffected by drift or electromagnetic interference,

- galvanic decoupling by use of optic fibre for serial data transmission,

- automation of plant engineering and documentation, ensuring the best possible consistency and correctness of documentation.

1.7. POWER SUPPLY

The Protection System is supplied with uninterruptible power at the suitable voltage (24 V DC).

Each cabinet is required to be connected to two redundant DC power supplies. The incoming feeders of these power supplies are electrically decoupled from each other, for instance by means of diodes.

During normal operation, both DC power supplies are supported by the Uninterruptible Power Supply (UPS) of the relevant division. In case the UPS of the given division is unavailable, one of the two DC power supplies can be switched to the UPS of the neighbouring division.

To enable standardized signal conditioning, the power supply and signal output of remote measurements are standardized.

1.8. PERIODIC TESTS

The main principles and requirements for periodic testing are listed below:

- the test equipment is independent from the tested equipment,

- "transparency" of periodic tests: for the tested unit, there is no difference between normal operation and periodic testing,

- periodic tests are highly automated,

- the test equipment is NC classified.

2. SAFETY AUTOMATION SYSTEM (SAS) ARCHITECTURE

2.0. SAFETY REQUIREMENTS

The SAS I&C system is subject to the safety requirements applicable to F1B I&C systems, due to the I&C management associated with the F1B safety functions (not performed by the PS [RPS]).

The SAS system ensures the processing of automatic and manual actions, together with the associated monitoring, necessary for the performance of the safety functions detailed below:

2.0.1. SAFETY FUNCTIONS

The SAS contributes to the three basic safety functions (control of reactivity, residual heat removal, and radioactive substance containment) as part of the management of I&C processing.

With regard to safety analysis, the SAS system performs:

- F1B I&C functions,

- F2 seismic classified I&C functions (F2E).

2.0.2. DESIGN REQUIREMENTS

As part of the F1B functions, whose automation and manual control functions and associated monitoring it ensures, the SAS system must meet the requirements detailed below. These requirements must be met for all the functions managed by the SAS (including the part of the PACS functions processed by SAS equipment, according to 4.0 of this Sub-chapter).

2.0.2.1. Requirements resulting from the functional and mechanical classifications

2.0.2.1.1 Functional classification of the system

The SAS system must be safety-classified, in accordance with the classification indicated in sub-chapter C.2.

2.0.2.1.2 Single failure criterion (active and passive)

The single failure criterion must be applied to the SAS system at the functional level (cf. section C.2.1) by integrating a sufficient degree of redundancy, structure, and adequate provisions.

If periodic tests are possible and are performed (according to the principles defined in sub-chapter C.1 and detailed in section G.3.2.0.2.1.7), then the system must be designed with sufficient redundancy that it can continue to process F1B safety functions even in the event of equipment being unavailable due to testing, and other equipment being assumed unavailable due to application of the single failure criterion (at the level for F1B system functions).

Independence and physical separation: The SAS system is subject to these requirements, which lead to the requirement for physical and electrical independence of the equipment in the four I&C divisions upon which it depends.

2.0.2.1.3 Emergency power supplies

The electrical power supply for the SAS equipment must be backed up by the main diesel sets. Moreover, the power supply must be of the uninterruptible type, guaranteeing the power supply even during switching between normal power and diesel power, i.e. it must ensure that the SAS safety functions can continue without interruption.

The SAS system must be powered from the same division as that of the processes it activates, each division being electrically and physically independent of the three others in a way that eliminates the possibility that a single hazard/failure can affect more than one division.

2.0.2.1.4 Qualification under operating conditions

The SAS equipment must remain operational in post-accident conditions, and must therefore meet the qualification requirements defined in sub-chapter C.7.

Moreover, this equipment must be operational in both normal and extreme environmental conditions applicable to the automation rooms in which it is located. These conditions are defined in section I.4.1.

2.0.2.1.5 Mechanical, electrical, and I&C classifications

The mechanical and electrical classifications do not apply to I&C equipment.

The classification of the SAS I&C equipment is as follows (in accordance with the principles defined in sub-chapter C.2):

- E1B class for the SAS equipment processing F1B safety functions

- E2 class for the SAS equipment processing F2E safety functions

2.0.2.1.6 Seismic classification

The SAS equipment necessary to process F1B and F2E functions must be seismic class 1 (SC1).

2.0.2.1.7 Periodic testing

The I&C functions managed by the SAS must be tested periodically (as defined in section C.2.1):

- for the I&C processing associated with F1B functions

- for the I&C processing associated with the F2E functions, when these are not in continuous operation.

The SAS system must be designed to allow periodic tests.

2.0.2.1.8 Additional requirements

Not applicable

2.0.2.2. Other regulation requirements

2.0.2.2.1 Basic Safety Rule

The following Basic Safety Rules are applicable to the System:

II.4.1.a "Safety Classified Electrical Systems Software"

II.2.b "Requirements for the design, qualification, deployment and operation of safety-classified electrical hardware"

2.0.2.2.2 Technical Guidelines

The technical guidelines detailed in Chapter C.1 (specifically G 3.4 and G 3.7) must be taken into account in the design of the SAS system.

2.0.2.2.3 EPR-specific texts

The SAS equipment must meet the requirements of RCC-E.

2.0.2.3. Hazards

a) Requirements for which the general installation provisions provide protection of the system against hazards:

The SAS system must be protected against common mode failures which can be generated by internal or external hazards according to the requirements defined in sub-chapters C.3 (external hazards) and C.4 (internal hazards). This leads to the independence (physical and electrical) of each of the four divisions housing the SAS equipment.

b) Requirements for system protection against particular hazards

Not applicable

c) Hazards not relevant to the system

Not applicable

2.0.3. TESTING

After installation, the SAS system must be subject to pre-operational testing to verify that it conforms to the system performance required in the design.

The requirements for periodic testing are set out in section G.3.2.0.2.1.7.

2.1. ROLE

The role of the SAS is to manage the F1B and F2E automated functions, manual controls and associated monitoring required for the nuclear and conventional islands. (F1B and F2E are defined in section G.3.2.0.1)

2.2. FUNCTIONS PROVIDED

The I&C functions processed by the SAS are the following:

- data processing: acquisition and conditioning

- processing of application calculations: closed loop controls, generation of individual and grouped commands (simultaneous or sequential), controls prioritisation, generation of various information intended for other I&C units, etc.

- processing of monitoring signals: processing of status and fault check-backs, generation of alarms and signalling.

2.3. DESIGN BASIS

2.3.1. AVAILABILITY REQUIREMENTS

The main availability requirements for the SAS are linked to the reliability and the maintainability of the system, i.e.:

- to limit the loss of SAS due to failure of one of its components (mainly by component redundancy)

- to facilitate the maintenance and repair of the SAS to minimise downtime

2.3.2. REQUIRED PERFORMANCE

The SAS is subject to particular performance requirements:

Response time requirements:

  - maximum time from the variation of an input (logic or analogue) to its transmission to an output interface,

  - maximum time from the receipt of a manual command to its transmission to an output interface.

These global criteria are applied to the SAS as follows:

- for a manual command, see section G.3.3.3.3

- for an automatic command:

  - acquisition of a logic input, calculation of a logic command, and transmission to an output interface,

  - acquisition of an analogue input, calculation of a logic or analogue command, and transmission to an output interface.

The SAS must contribute to fulfilling the global criteria described above and in section G.3.3.3.3.

In particular, the two acquisition, processing and transmission actions performed by the SAS must be compatible with the required total response time (including MCS [SICS], SAS and level 0).

Sizing requirements:

  - static sizing includes the number of actuators, sensors and functions that the SAS supports,

  - dynamic sizing includes sampling and processing times, taking into account the way in which the considered function is processed (periodic or event-triggered).

2.3.3. AMBIENT CONDITIONS

The ambient conditions that the SAS must tolerate are linked to the temperature and relative humidity of the rooms housing this equipment. The environmental characteristics are defined in section I.4.1, for normal and extreme conditions.

2.3.4. HUMAN-MACHINE INTERFACE REQUIREMENTS

No requirements for the SAS.

2.4. ARCHITECTURE

2.4.1. STRUCTURE AND COMPOSITION

The structure and composition of the SAS are dictated by the functional requirements. This set of requirements affects the allocation of Instrumentation & Control processing tasks to the various components within the SAS.

These functional requirements relate to:

- The functional classification of the processing (typically F1B and F2 for the SAS), although in certain situations (see below) the SAS could be required to run certain non-classified processes.

- The electrical division (together with the processing cabinet, and associated actuators and sensors)

- The classification of processing to be performed (affecting the choice of input/output card types for example)

- The processing performance requirements (response times, propagation times, accuracy)

- The processing groupings / exclusions which require certain processes to be grouped (due to the requirement to simultaneously shut down all these processes in the event of malfunction of the part of the CC [I&C] system that manages it), or conversely, that certain processing groups need to be managed by different SAS equipment units (due to the requirement to maintain a group of processes despite the loss of others due to a malfunction).

Moreover, the SAS structure takes into account the segmentation of the process being controlled, dictated by the number, geographic siting and type of actuator and sensor interfaces to be managed.

For a given safety function, different combinations are possible, for example:

- 4 x 100%: 1 mechanical train of 4, with its associated I&C, is necessary to fulfil the safety function

- 4 x 50%: 2 mechanical trains of 4, with their associated I&C, are necessary to fulfil the safety function

- 2 x 100%: 1 mechanical train of 2, with its associated I&C, is necessary to fulfil the safety function

In order to prevent an SAS internal failure affecting more than one mechanical train, each mechanical train is controlled by an SAS sub-group in the same division as the mechanical train.
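A worked check of the redundancy rule in 2.0.2.1.2 (one train unavailable for periodic testing plus one more assumed lost under the single failure criterion) against the three train combinations listed above, as an added Python example that is not code from the UK-EPR documentation. It relies on the division mapping just stated (each mechanical train is controlled only by the SAS sub-group of its own division); the function names and the numbering of divisions 1..N are assumptions.

```python
# Redundancy check for the SAS train combinations of 2.4.1 under the rule of
# 2.0.2.1.2. Added example, not code from the UK-EPR documentation; function
# names and the division numbering 1..N are assumptions of this example.
from itertools import product
from math import ceil


def trains_required(capacity_pct):
    """Trains needed to deliver 100% of the safety function (2 for a 4 x 50% set)."""
    return ceil(100 / capacity_pct)


def available_trains(n_trains, lost_divisions):
    """Trains still able to act when the given divisions are lost (under test,
    single failure or SAS sub-group malfunction). A loss in division k removes
    train k only, because no SAS sub-group controls a train of another division."""
    lost = {d for d in lost_divisions if 1 <= d <= n_trains}
    return n_trains - len(lost)


def fulfilled(n_trains, capacity_pct, lost_divisions):
    """True when the remaining trains can still perform the safety function."""
    return available_trains(n_trains, lost_divisions) >= trains_required(capacity_pct)


def sfc_with_testing(n_trains, capacity_pct):
    """Enumerate every (division under test, failed division) pair, including the
    case where both hit the same division, and return
    (fulfilled in every case, worst-case number of available trains)."""
    need = trains_required(capacity_pct)
    worst = n_trains
    for test_div, failed_div in product(range(1, n_trains + 1), repeat=2):
        worst = min(worst, available_trains(n_trains, {test_div, failed_div}))
    return worst >= need, worst


# The three combinations given in 2.4.1: (number of trains, capacity per train).
COMBINATIONS = {"4 x 100%": (4, 100), "4 x 50%": (4, 50), "2 x 100%": (2, 100)}


def check_all():
    """Apply the test-plus-single-failure rule to every listed combination."""
    return {name: sfc_with_testing(n, pct) for name, (n, pct) in COMBINATIONS.items()}


if __name__ == "__main__":
    for name, (ok, worst) in check_all().items():
        print(f"{name}: worst case {worst} train(s) left -> {'fulfilled' if ok else 'not fulfilled'}")
```

With one train under test and an independent single failure, the 2 x 100% arrangement has no train left, whereas the two 4-train arrangements keep exactly the two trains the worst case needs; the same-division case (test and failure in one division) costs a single train, which is why the worst case is always the two-division one.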

2.4.2. INSTALLATION

The SAS equipment is distributed within the 4 divisions. The equipment is installed in the I&C cabinet rooms of divisions 1 to 4 of the safeguard buildings and in the I&C cabinet rooms of the diesel buildings.

The SAS cabinets are positioned considering:

- consistency with the location and division of the actuators and the sensors managed,

- available space, and

- the electrical supplies of the four divisions.

2.4.3. INTERFACE WITH THE OTHER I&C SYSTEMS

The SAS exchanges information with:

- the HMI, MCS [SICS] and MCP [PICS]: related to plant operation by the operator

- the PAS, RCSL and PS [RPS] systems: related to the plant's automation management

- the instrumentation process: associated with measurement and data acquisition

- the cubicles (electrical boards) and the control devices (electro-positioners, etc): associated with actuator controls

- the “external” systems (I&C cabinets for the diesels, etc): associated with the unit's automation management

2.5. OPERATING CONFIGURATIONS

The configuration of the SAS (from hardware and functional points of view) is independent of the plant situation. Processing allocation depends only on functional criteria and on the allocation principles of the I&C system. The configuration of SAS is, from this point of view, constant.

The SAS configuration only depends on the following principle: in the event of malfunction of an active CPU, the system switches to a redundant standby unit. This principle applies to all the redundant SAS boards (CPU boards and communication management boards).

2.6. TECHNOLOGY

This sub-section will be provided after the standard I&C equipment has been chosen.

2.7. POWER SUPPLY

Within each division, SAS is supplied at 230 V AC, by a dual emergency power supply. The first power supply is provided by the main distribution board, the second is provided by the sub-distribution board.

Each mechanical train is controlled by an SAS sub-group located and powered by the same division as the mechanical train.

The voltage required by the SAS cabinets will be regulated internally in cabinets dedicated to their power supply. These power supply cabinets are situated in the same rooms as the SAS cabinets.

2.8. PROVISIONS FOR PERIODIC TESTING

In accordance with RCC-E, F1B safety functions must be periodically tested. F2E functions are also subject to periodic testing when they are not in continuous operation.

The safety function test will allow the verification of the whole control channel, from the sensor (automatic control), or from the MCS [SICS] (manual control), via SAS, up to the change of state of the actuator.

However, if the reconfiguration of the relevant actuator cannot be carried out (for example, during the plant operation), provisions are taken for blocking the control signals during the test, so that the actuator control line can be tested without physically controlling it.

3. ARCHITECTURE OF THE SAFETY INFORMATION AND CONTROL SYSTEM MCS [SICS]

3.0. SAFETY REQUIREMENTS

3.0.1. SAFETY FUNCTIONS

MCS[SICS] contributes to the safety functions supported by the I&C (see section G.1.0.1).

Regarding the safety analysis, the MCS[SICS] provides the operators with sufficient information and controls to reach and maintain the plant at safe shutdown following PCC-2 to PCC-4 type events. The MCS[SICS] is the operating method used for the safety analysis. Therefore, the MCS[SICS] is of Class F1B/E1B.

3.0.2. DESIGN REQUIREMENTS

3.0.2.1. Requirements resulting from the functional and mechanical classifications

3.0.2.1.1 Functional classification of the system

The MCS[SICS] supports different classes of the unit’s I&C functions:

- Not classified

- F2

- F1B

The MCS[SICS] is thus, according to sub-chapters C.2 and G.1, safety-class F1B and must therefore meet the safety requirements listed in the following paragraphs.

3.0.2.1.2 Single failure criterion (active and passive)

a) Functions supported by MCS[SICS]

F1B functions:

The part of the MCS[SICS] which assists in carrying out F1B functions must be designed to meet the single failure criterion, at a functional level, by including sufficient redundancy, a suitable structure, and a suitable set of principles. This part of the MCS[SICS] must therefore remain operational in the event of a combination of a single failure in one of its divisions and the unavailability of another of its divisions due to maintenance.

The E1B controls and indications of the MCS[SICS] are subject to the requirements of independence and physical and electrical separation between the different I&C divisions on which it depends.

F2 Functions:

The single failure criterion is not applicable to the F2 functions of the MCS[SICS].

NC Functions:

The single failure criterion is not applicable to the NC functions of the MCS[SICS].

In addition, the MCS[SICS] controls are activated by the MCP[PICS]-MCS[SICS] transfer controls, which are independent and separated from the control means, in order to exclude the possibility of a single failure or an internal risk of generating spurious signals and commands.

3.0.2.1.3 Emergency power supplies

The electrical power supply to the MCS[SICS] equipment must be safeguarded by the main diesel sets. Moreover, this power supply must be uninterruptible, guaranteeing a power supply even during switching between normal power and diesel power. In this way, the safety functions performed by the MCS[SICS] can be assured without interruption of service.

The MCS[SICS] equipment must be powered by the same electrical division as the I&C division on which it depends, each division being electrically and physically independent from the others in a way that eliminates the possibility that a single hazard/failure can affect more than one division.

3.0.2.1.4 Qualification under operating conditions

The equipment supporting the MCS[SICS] functions must be qualified for their safety class, according to sub-chapter C.7, and for the normal and extreme environmental conditions under which it would be operating when fulfilling these functions, in accordance with section I.4.1.

3.0.2.1.5 Mechanical, electrical, and I&C classifications

Mechanical classification is not relevant to the MCS[SICS].

Electrical classification is not relevant to the MCS[SICS].

According to sub-chapter G.1 relating to the I&C classification:

- MCS[SICS] equipment ensuring F1B functions must be E1B classified

- MCS[SICS] equipment ensuring F2 functions must be E2 classified

- MCS[SICS] equipment ensuring NC functions must be NC

Hence MCS[SICS] equipment is E1B classified.

3.0.2.1.6 Seismic classification

Due to its F1B classification, the MCS[SICS] system must also belong to seismic class 1 and meet the corresponding requirements, in accordance with the principles in Chapter C.2.

3.0.2.1.7 Periodic testing

Those parts of the MCS[SICS] ensuring F1B functions must be subject to periodic testing.

Those parts of the MCS[SICS] ensuring F2 functions which are not in continuous use must be subject to periodic testing.

Those parts of the MCS[SICS] ensuring F2 functions which are in continuous use, and those ensuring NC functions, do not require periodic testing.

3.0.2.2. Other regulation requirements

3.0.2.2.1 Basic Safety Rule

The following Basic Safety Rule is applicable to the system:

IV.2.b "Requirements for the design, qualification, deployment and operation of safety-classified electrical hardware"

3.0.2.2.2 Technical Guidelines

Technical Guidelines (see Chapter C.1) must be taken into account in the design of MCS[SICS].

In particular, G 3.5 of the Technical Guidelines indicates that the MCS[SICS] is a means used for safety assurance.

3.0.2.2.3 EPR-specific texts

The MCS[SICS] equipment must meet the requirements detailed in the RCC-E.

3.0.2.3. Hazards

a) Requirements for which the general installation provisions allow the protection of the system against hazards:

The MCS[SICS] must be protected against common mode failures that could result from internal or external hazards, in accordance with the requirements defined in sub-chapters C.3 (external hazards) and C.4 (internal hazards).

b) Requirements for system protection against particular hazards:

Not applicable

c) Hazards not relevant to the system

Not applicable

3.0.3. TESTS

3.0.3.1. Pre-operational tests

After installation the MCS[SICS] must be subject to pre-operational testing to verify that it complies with the defined design requirements.

3.0.3.2. Monitoring in operation

Not applicable

3.0.3.3. Periodic tests

Those parts of the MCS[SICS] requiring periodic testing according to section G.3.3.0.2.1.7 must be designed so as to allow the testing to be performed.

3.0.4. I&C DESIGN REQUIREMENTS

There are no particular constraints beyond those mentioned in table G.1 TAB 1.

3.1. ROLE

The Safety Information and Control System (MCS[SICS]) is the safety-classified I&C system that provides information and controls necessary to reach and maintain safe shutdown for post-accident operation in the event of unavailability of the MCP[PICS]. The monitoring and control means supported by the MCS[SICS] are not the operating interface preferred by the operating team for monitoring and operating the plant.

Furthermore, the MCS[SICS] is the operating means claimed in the safety analysis of PCC-2 to PCC-4 design conditions. It also contributes to the probabilistic safety evaluation of the plant insofar as it can be used as a diverse source of information.

The main role of the MCS[SICS] is therefore to provide the operators with sufficient controls and information to address the following situations:

- in the event of a short period of unavailability of the MCP[PICS] in normal operation (PCC-1): to monitor and control the plant in a steady power state,

- in the event of a longer period of unavailability of the MCP[PICS] in normal operation (PCC-1): to shutdown and keep the plant in a safe state,

- in the event of unavailability of the MCP[PICS] during PCC 2 to 4 design conditions: to monitor the plant and initiate appropriate post-accident functions to reach and maintain safe shutdown conditions.

In the event of fire, if the operating team uses the MCS[SICS], then the fire-fighting functions can also be initiated from the MCS[SICS].

When the MCP[PICS] is available in the Main Control Room, the MCS[SICS] is also active in the following circumstances:

- Periodic testing associated with the MCS[SICS]

- In accident situations, monitoring of the main safety parameters and of the state of the safety systems (information search on a facility diverse from that of the MCP[PICS]).

3.2. FUNCTIONS SUPPORTED

The MCS[SICS] performs the following control and monitoring functions:

- display of process information.

- control functions.

- alarm display and processing.

- analogue data recording.

- interface functions (filtering, data transmission).


- test functions.

3.3. DESIGN PRINCIPLES

3.3.1. SPECIAL PROVISIONS

The particular design provisions that must be taken into account for the MCS[SICS] are as follows:

- the MCS[SICS] must be functionally independent of the MCP[PICS] so that under no circumstances can failure of the MCP[PICS] have consequences on the MCS[SICS].

- When the MCS[SICS] is in service (see State 3 of section G.3.3.5), the MCP[PICS] controls must be deactivated.

- no internal hazard in the main control room resulting in the loss of MCS[SICS] may also result in the loss of the RSS workstations.

- The MCS[SICS] must meet the human-machine interface requirements described in Chapter Q and section G.3.3.3.5.

3.3.2. AVAILABILITY REQUIREMENT

The MCS[SICS] is a diverse back-up to the MCP[PICS].

The monitoring and control means provided by the MCS[SICS] are not normally used by the operators to operate the plant.

3.3.3. REQUIRED PERFORMANCES

The MCS[SICS] is subject to the following performance criteria:

- response time requirements: as for the MCP[PICS] (see section G.4.1.3.2), the MCS[SICS] must meet response time requirements. The use of hardwired links for the transmission of data, without data processing, guarantees that the response time is equal to or less than that of the MCP[PICS].

- sizing requirements: the MCS[SICS] must support all the conventional control and monitoring devices necessary for the operator to perform the tasks described in section G.3.3.1, without requiring any other means than the MCS[SICS]. Notably, operation from the MCS[SICS] must be possible without the wall-mounted mimic panel.

3.3.4. AMBIENT REQUIREMENTS

As the MCS[SICS] panels are installed in the Main Control Room, the environmental requirements they have to withstand are those of the MCR.

The conditions are classified into two categories:


- the environmental conditions that the equipment must endure. This includes temperature and relative humidity,

- the contribution of the equipment to the environmental conditions. This includes noise level and dissipated heat.

3.3.5. HUMAN-MACHINE INTERFACE REQUIREMENTS

The arrangement of the MCS[SICS] into panels must meet ergonomic requirements (suitability for operator tasks) and requirements for independence (mainly physical separation) between equipment packages connected to different divisions.

The detailed list of different information and controls that must be provided by the MCS[SICS] is determined by analysing the tasks that must be performed. Information related to the means implemented on the MCS[SICS] can be found in Chapters M and Q.

3.4. ARCHITECTURE

3.4.1. STRUCTURE AND COMPOSITION

The MCS[SICS] consists of a set of conventional controls and displays (push buttons, light indicators, analogue displays, recorders etc.) that are directly connected to the appropriate level in the I&C architecture (PS[RPS], RCSL, SAS or PAS) and arranged on the panels. Due to its nature the MCS[SICS] has no data processing capability and receives information from level 1 systems.

3.4.2. INSTALLATION

The MCS[SICS] panels are installed in the Main Control Room.

3.4.3. INTERFACES WITH THE OTHER I&C SYSTEMS

The MCS[SICS] has two types of interfaces:

- interface with the operator in the control room,

- interface with the automation level (PS[RPS], PAS, SAS)

3.5. OPERATING MODES

The MCP[PICS], in the Main Control Room, is the preferred means of operating the plant. The operating team operates from the MCS[SICS] when insufficient operator workstations are available in the Main Control Room or when the MCP[PICS] is completely unavailable.

In case of the loss of the Main Control Room due to an internal hazard (such as fire), operation from either the MCS[SICS] or the MCP[PICS] in the Main Control Room is no longer possible. In that situation, the operating team uses the MCP[PICS] control facilities in the Remote Shutdown Station.


The principles of transfer between the different control facilities are managed by the operating procedures.

Typically the MCS[SICS] modes of operation are as follows:

- State 1: passive state

o MCS[SICS] controls are deactivated.

o Information is operational.

- State 2: intermediate state

o The MCS[SICS] is not in service, but periodic tests can be performed.

- State 3: active state

o The MCS[SICS] is in service, the MCS[SICS] functions are available, and the MCP[PICS] controls are deactivated.

3.6. TECHNOLOGY

The standard technical solution for the MCS[SICS] is based on the use of conventional technology. The choice of equipment conforming to the requirements stated in this Chapter will be defined following completion of detailed studies.

3.7. POWER SUPPLY

The MCS[SICS] is supplied by 230 V AC sources from 4 divisions in such a way that the loss of an electrical division does not lead to the total loss of the MCS[SICS]. Additional equipment permits adjustment of the voltage of the MCS[SICS] equipment. Each control facility is supplied by its own electrical division which is backed-up by the emergency diesel generator.

The controls and indications for the conventional island are supplied by equipment in the BLNC (unclassified electrical building).

Isolation measures are provided to maintain the electrical separation of the MCS[SICS] equipment of the different divisions.

3.8. PROVISIONS FOR PERIODIC TESTING

The MCS[SICS] must be periodically tested in accordance with section G.3.3.0.2.1.7, and hence the MCS[SICS] configuration (in particular "State 2" described in section G.3.3.5) must allow such testing.

Testing of each of the safety functions that are subject to periodic testing will allow verification of the complete control channel, from the sensor (automatic control), or from the MCS[SICS] (manual control), via the I&C processing equipment, up to the change of state of the actuator.


However, if the actuation of an actuator under test is not acceptable (e.g. during plant operation), then provisions are made to block the control signals during the test, so that the actuator control line can be tested without actually changing the actuator’s state.

4. MANAGEMENT OF PRIORITY AND ACTUATION CONTROL (PACS)

4.0. SAFETY REQUIREMENTS

The PACS is provided to control and monitor each actuator under all plant operating conditions.

In terms of safety, the PACS must ensure the automation functions associated with the control and monitoring of the actuator to achieve the safety function.

The PACS functions are as follows (see detailed functions and their distribution in section G.3.4.2):

- Management of control priority, which splits into two sub functions: One prioritises the commands received by the PAS or SAS, and the other prioritises the commands received by the electrical cubicle powering the actuator

- Control of the switching device

- Monitoring of the actuator

- Essential protection of the components.

The functions are managed by two sets of equipment, as follows:

- PAS (or SAS, according to the function required): Assures one part of the "Management of control priority" function, and the "actuator monitoring" function

- Electrical cubicle: Assures the other part of the "Management of control priority" function and the “Control of the switching device” function and the "Essential protection of components" function.

PACS has the same functional classification level as the actuator it controls (PACS F2 for an F2 actuator, PACS F1B for an F1B actuator, and PACS F1A for an F1A actuator) for functions requiring such classification.

The safety requirements for the PACS apply also to PAS / SAS and to the electrical cubicle, as follows:

- PACS F2: Requirements identical to those defined in Chapter G.4.2.0 "Safety requirements", as well as the PACS functions managed by PAS and those managed by the cubicle (except for the classification requirements detailed in 4.0.2.1.5 and 4.0.2.1.6 of this sub-chapter applicable only to the cubicles),


- PACS F1B: Requirements identical to those defined in 2.0 of this sub-chapter "Safety requirements", as well as PACS functions managed by SAS and those managed by the cubicle (except for the classification requirements detailed in 4.0.2.1.5 and 4.0.2.1.6 of this Sub-chapter applicable only to the cubicles)

- PACS F1A:

o for the PACS functions managed by the PAS ( actuator not subject to automation and F1B or F2E controls): requirements defined in Chapter G.4.2.0 “Safety requirements”

o for the PACS functions managed by the SAS ( actuator subject to automation and F1B or F2E controls): requirements defined in 2.0 of this Sub-chapter “Safety requirements”

o for the PACS functions managed by the cubicle (F1A functions): given herein (see “Important” below).

- PACS NC (NC actuator): No safety requirements.

Important: for ease of understanding, section 4.0 only defines the safety requirements applicable to the PACS F1A functions which manage the electrical cubicle. The requirements applicable to PACS F2 and F1B are defined elsewhere, as indicated above.

4.0.1. SAFETY FUNCTIONS

The PACS is involved in the three basic safety functions (control of reactivity, residual heat removal, and radioactive substance containment) as part of the management of I&C processing associated with the following functions:

- F1A functions

The PACS must support F1A automation functions (for the functions not managed by the PS [RPS]), and hence it is E1A classified.

4.0.2. DESIGN REQUIREMENTS

In terms of the F1A functions for which it manages the automation processing, the PACS must meet the following requirements:

4.0.2.1. Requirements resulting from the functional and mechanical classifications

4.0.2.1.1 Functional classification of the system

The PACS system is safety-classified, in accordance with the classification principles in sub-chapter C.2.

4.0.2.1.2 Single failure criterion (active and passive)

The single failure criterion is applicable to the PACS, to ensure an adequate degree of redundancy.


If periodic tests of the PACS functions are possible and are undertaken (in accordance with the principles defined in sub-chapter C.1 and applied in section G.3.4.8), then the PACS must be provided with sufficient redundancy to ensure that it can continue to process F1A safety functions even if some of the equipment is unavailable due to testing and further equipment is assumed to fail as a result of the application of the single failure criterion.

Independence and physical separation: the PACS is subject to these requirements, which lead to the physical and electrical independence of the equipment of the four I&C divisions on which it depends. Each PACS actuator must be independent of the other PACS: there is no exchange between them. Provision must be made to isolate different equipment items to ensure the PACS functions and avoid common cause failures. Thus, links between the PS [RPS], PAS, SAS and electrical cubicle are hardwired.

4.0.2.1.3 Emergency power supplies

The I&C power supply integrated within the electrical cubicle must be backed up by the main diesel generators. Moreover, this power supply must be uninterruptible, which guarantees a power supply even during switching between normal power and diesel power. In this way, the safety functions performed by the PACS can be assured without interruption of service.

The PACS must be supplied by the same division as the division of the actuator it controls, each division being electrically and physically independent of the three others in a way that eliminates the possibility that a single hazard/failure can affect more than one division.

4.0.2.1.4 Qualification for operating conditions

The PACS equipment must remain operational in post-accident conditions, and therefore must meet the qualification requirements defined in sub-chapter C.7.

Moreover, this equipment must be operational in both the normal and extreme environmental conditions applicable to the electrical rooms in which they are installed. These conditions are defined in section I.4.1.

4.0.2.1.5 Mechanical, electrical, and I&C classifications

Mechanical classification does not apply to the electrical equipment.

The electrical cubicles must meet the following requirements:

- electrical classification, due to their actuator powering function. This classification is as follows, conforming to the principles defined in sub-chapter C.2:

o Class EE1 for a cubicle powering an F1 actuator

o Class EE2 for a cubicle powering an F2 actuator

- an I&C classification, because they are part of the I&C ensuring the automation process of the PACS functions set out in section G.3.4.2. This classification is as follows, in accordance with the principles defined in sub-chapter C.2:

o Class E1A for a cubicle managing an F1A actuator

o Class E1B for a cubicle managing an F1B actuator


o Class E2 for a cubicle managing an F2 actuator.

4.0.2.1.6 Seismic classification

The cubicle must be:

- at seismic class 1 (SC1), when managing F1 or F2E functions

- at seismic class 2 (SC2), when managing F2N functions

4.0.2.1.7 Periodic testing

The F1A I&C functions managed by PACS must be subject to periodic testing (as defined in section C.2.1) and hence the PACS must be designed to allow periodic testing.

4.0.2.1.8 Additional requirements

Not applicable.

4.0.2.2. Other regulation requirements

4.0.2.2.1 Basic Safety Rules

PACS not affected

4.0.2.2.2 Technical Guidelines

Technical Guidelines (see section C.1.2 and more specifically section G 3.7) must be taken into account in the design of the PACS.

4.0.2.2.3 EPR-specific texts

The equipment managing the PACS functions must meet the requirements detailed in the RCC-E.

4.0.2.3. Hazards

a) Requirements for which the general installation provisions allow the protection of the system against hazards:

The PACS must be protected against common mode failures that could be generated by internal or external hazards, according to the requirements defined in sub-chapters C.3 (external hazards) and C.4 (internal hazards). This leads to independence (physical and electrical) between the four divisions housing the PACS equipment.

b) Requirements for system protection against particular hazards

Not applicable

c) Hazards not relevant to the system


Not applicable

4.0.3. TESTS

After installation the PACS must be subject to pre-operational testing to verify that it conforms to the system performance required in the design.

The requirement for periodic testing is explained in section G.3.4.8.

4.1. ROLE

The role of the PACS is to ensure control of the actuator, monitoring of its movement, and protection of the electrical components. It is responsible for:

- in terms of actuator control:

o selection of the highest priority command (in the case of simultaneous commands) from all the commands to which the actuator is subject,

o control of the switching device.

- in terms of actuator monitoring: management of the actuator position and any movement failures (excessive manoeuvre time or inconsistency between the expected and actual position of the actuator).

- in terms of the protection of components: detection of malfunctions that could damage the electrical part of the actuator or its electrical power supply.

4.2. FUNCTIONS PROVIDED

In keeping with the functions defined in section G.3.4.1, the PACS ensures the following four functions:

- Management of control priority: Prioritisation of all commands (automatic and manual) governing the actuator, whatever their origin or function, and selection (in the case of simultaneous commands) of the command having the highest priority. The command selected is sent to the PACS function “control of switching device” (cf. below).

The priority of commands is as follows (highest to lowest priority):

- “Essential protection of components” command (protection against damage to the electrical part of the actuator, or to its electrical connection)

- Disconnection command (following a loss of electrical power)

- Reactor protection command (stop)

- Reactor protection command (go)


- Manual command via local IHM[HMI] (IHM[HMI] which can be connected to the electrical cubicle permitting a direct command to the cubicle, isolated from the automation). Used in an installation start-up situation, or during operations (command if the automation is unavailable).

- Control of a protection device (coming from the process: e.g. Very high temperature of a heating battery)

- Operating command (coming from the process: e.g. Tripping of a filling pump on low level)

- Manual command from the Reserve Shutdown Panel

- Manual command via the MCS[SICS]

- Manual command via the MCP[PICS]

- Control of the switching device: control of the device which activates movement of the actuator. This function receives the command selected by the function "Management of control priority".

- Monitoring of the actuator: management partly of the position of the actuator, and partly of its movement failures. The latter function detects a movement malfunction in the actuator: an abnormally long movement time, or an inconsistency between the expected and actual position of the actuator.

- Essential protection of the components: generation of a command resulting from a malfunction of the moving part of the actuator (short-circuit or surge, isolation fault, etc.) in order to prevent risk of damage to the actuator or to its electrical power supply. This command is passed to the PACS function "management of control priorities", where it is assigned the highest priority level.

The processing of the PACS functions is organised in the following way:

- The PAS/SAS generates automatic commands outside F1A, and acquires the manual commands issued from the centralised HMI (MCP[PICS] or SDR[RSS] and MCS[SICS]). In the case of simultaneous commands, it selects the highest priority command according to the hierarchy defined above (“management of control priority” function). The selected command is sent to the electrical cubicle. Also, PAS/SAS provides monitoring of the actuator position and generation of movement fault signal ("Actuator monitoring" function).

- The PS [RPS] generates F1A commands (safeguard actions and safeguard support) which are sent to the electrical cubicle

- The electrical cubicle implements the essential protection of the components (“Essential protection of components” function), and receives command(s) issued from the PS [RPS], command selected by the PAS/SAS and commands issued from the local IHM[HMI]. In the event of simultaneous commands, the highest priority command (according to the hierarchy defined above) is selected ("management of control priority" function) and sent to the switching device ("control of switching device" function).

N.B.: The “management of control priority” function is implemented partly by the PAS/SAS and partly by the electrical cubicle.
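The two-stage arbitration and the actuator monitoring described above, as an added Python model that is not part of the UK-EPR documentation: the ordering of sources follows the hierarchy listed in this section, while the allocation of the "disconnection" command to the cubicle stage, the "stop"/"go" action vocabulary and the position and timing values are assumptions constructed for the example.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Iterable, List, Optional, Tuple


class Source(IntEnum):
    """Command origins in PACS priority order (lower value = higher priority)."""
    ESSENTIAL_PROTECTION = 0   # electrical fault on the actuator or its supply (cubicle-internal)
    DISCONNECTION = 1          # following a loss of electrical power
    RPS_STOP = 2               # PS [RPS] protection command, "stop"
    RPS_GO = 3                 # PS [RPS] protection command, "go"
    LOCAL_HMI = 4              # local IHM[HMI] wired directly to the cubicle
    PROCESS_PROTECTION = 5     # protection device fed by the process
    PROCESS_OPERATING = 6      # operating command fed by the process
    RSS_MANUAL = 7             # manual command from the Reserve Shutdown Panel
    SICS_MANUAL = 8            # manual command via the MCS[SICS]
    PICS_MANUAL = 9            # manual command via the MCP[PICS]


@dataclass(frozen=True)
class Command:
    source: Source
    action: str  # "stop" or "go" (constructed vocabulary, not the document's)


# Which stage acquires which sources. PAS/SAS handles automatic non-F1A commands and the
# centralised manual commands; the cubicle handles the rest. Placing DISCONNECTION in the
# cubicle stage is an assumption (the document does not state where it is acquired).
PAS_SAS_SOURCES = frozenset({Source.PROCESS_PROTECTION, Source.PROCESS_OPERATING,
                             Source.RSS_MANUAL, Source.SICS_MANUAL, Source.PICS_MANUAL})
CUBICLE_SOURCES = frozenset({Source.ESSENTIAL_PROTECTION, Source.DISCONNECTION,
                             Source.RPS_STOP, Source.RPS_GO, Source.LOCAL_HMI})


def select_highest(cmds: Iterable[Command]) -> Optional[Command]:
    """'Management of control priority': the highest-priority command among simultaneous ones."""
    cmds = list(cmds)
    return min(cmds, key=lambda c: c.source) if cmds else None


def pas_sas_stage(cmds: Iterable[Command]) -> Optional[Command]:
    """Stage 1 (PAS/SAS): arbitrates only the sources it acquires; PS [RPS] commands bypass it."""
    return select_highest(c for c in cmds if c.source in PAS_SAS_SOURCES)


def cubicle_stage(cmds: Iterable[Command], pas_sas_selected: Optional[Command],
                  test_inhibit: bool = False) -> Tuple[Optional[Command], Optional[str]]:
    """Stage 2 (electrical cubicle): final arbitration and 'control of the switching device'.

    Returns (selected command, order sent to the switching device). With test_inhibit
    set, the control line is exercised up to the selection but no order is forwarded,
    so the actuator does not move during a periodic test (section G.3.4.8 N.B.).
    """
    candidates: List[Command] = [c for c in cmds if c.source in CUBICLE_SOURCES]
    if pas_sas_selected is not None:
        candidates.append(pas_sas_selected)
    selected = select_highest(candidates)
    if selected is None or test_inhibit:
        return selected, None
    return selected, selected.action


def pacs_arbitrate(cmds: Iterable[Command],
                   test_inhibit: bool = False) -> Tuple[Optional[Command], Optional[str]]:
    """Full PACS path: PAS/SAS pre-selection, then cubicle selection and switching order."""
    cmds = list(cmds)
    return cubicle_stage(cmds, pas_sas_stage(cmds), test_inhibit)


def actuator_fault(expected_position: str, actual_position: str,
                   manoeuvre_time_s: float, max_time_s: float) -> Optional[str]:
    """'Monitoring of the actuator': the two movement failures named in section G.3.4.1."""
    if manoeuvre_time_s > max_time_s:
        return "excessive manoeuvre time"
    if expected_position != actual_position:
        return "position inconsistency"
    return None


if __name__ == "__main__":
    # Constructed scenario: operator 'go' from MCP[PICS] while the PS [RPS] orders 'stop'.
    simultaneous = [Command(Source.PICS_MANUAL, "go"), Command(Source.RPS_STOP, "stop")]
    print(pacs_arbitrate(simultaneous))                      # RPS_STOP wins -> 'stop'
    print(pacs_arbitrate(simultaneous, test_inhibit=True))   # selected, but no order sent
    print(actuator_fault("open", "closed", 1.0, 5.0))        # position inconsistency
```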


4.3. DESIGN BASIS

4.3.1. AVAILABILITY REQUIREMENTS

The main availability requirements for PACS are linked to the reliability and the maintainability of the equipment performing the functions, i.e.:

- Limiting the loss of the PACS due to breakdowns in one of its components (mainly by component redundancy)

- Facilitating the maintenance and repair of the PACS to minimise downtime

4.3.2. REQUIRED PERFORMANCE

The response time of the PACS following a command (including acquisition, processing and execution of the command) coming from the level 1 systems (PS [RPS], SAS, PAS) must not exceed 100 ms.

4.3.3. ENVIRONMENTAL CONDITIONS

The environmental conditions of the equipment managing the PACS functions depend on their location:

I&C cabinets rooms (PACS functions managed by PAS/SAS):

- the temperature and relative humidity characteristics of the air surrounding the PAS/SAS equipment (installed in the I&C cabinets rooms) are specified in Chapter I.4.1, for both normal and extreme conditions.

Electrical switch rooms (PACS functions managed by the electrical cubicle):

- The temperature and relative humidity characteristics of the air surrounding the electrical cubicles (installed in the electrical switch rooms) are specified in Chapter I.4.1, for both normal and extreme conditions.

4.3.4. HUMAN-MACHINE INTERFACE REQUIREMENTS

Not relevant to the PACS.

4.4. ALLOCATION OF PACS FUNCTIONS

4.4.1. STRUCTURE AND COMPOSITION

The four PACS functions are processed partly by PAS automation (or the SAS, according to the required function), and partly by the electrical cubicle (see 4.2 of this Sub-chapter).

The structure and composition of the functions processed by PAS are defined in Chapter G.4.2.4.1.

The structure and composition of the functions processed by SAS are defined in 2.4.1 of this Sub-chapter.


The specification for the functionality of the electrical cubicles is still being developed and will be detailed later.

4.4.2. INSTALLATION

The equipment processing the PACS functions will be installed:

- for PAS and SAS automation: In the I&C cabinets rooms of the division or sector containing the controlled actuator

- For the electrical cubicles: in the electrical switch rooms of the electrical division or sector containing the controlled actuator

4.4.3. INTERFACES WITH THE OTHER I&C SYSTEMS

The PACS functions are managed by a PAS/SAS entity together with an electrical cubicle, which exchanges information with:

- the centralised HMIs:

o MCP[PICS]/SDR[RSS]

o MCS[SICS]

- the local IHM[HMI] (IHM[HMI] which can be connected to the electrical cubicle), in terms of initiation of autotest, and control in case of automation malfunction

- the PAS or SAS (for the Instrumentation & Control functions other than those managed by PACS: generation of automatic operating commands, generation of fault information other than movement faults, etc.)

- the PS [RPS] (for the management of safety commands)

- the switching device(s) (managing the actuator electrical power supply)

- the process sensors

4.5. OPERATING CONFIGURATIONS

The configuration of PACS (from the point of view of the equipment and function) is independent of the status of the plant. The allocation of processing within the different equipment managing the PACS functions (automation and electrical cubicle) depends only on the functional criteria and the inherent functionality of these two sets of equipment. The PACS configuration does not change.

4.6. TECHNOLOGY

The PACS technology is defined by that of the equipment which processes the functions. The PAS and SAS technology will be detailed once the I&C equipment types are chosen.


Electrical cubicles are used for driving the actuators (low and high voltage): these cubicles are managed by conventional I&C technology (with digital electrical protection for the high-voltage actuator cubicles).

Cubicle design is still in progress. This information will be detailed later.

4.7. POWER SUPPLY

The power supplies for the different equipment which implements the PACS processing functions are as follows:

- PAS automation (or SAS, according to the functional requirements): Supplied at 230 V AC, via a duplicated diesel-backed power supply (see Chapter G.4.2.7 for details of the PAS power supplies and 2.7 of this Sub-chapter for details of the SAS power supplies). The PAS (or SAS) automation implementing the management of the PACS functions of a given actuator is supplied by the same division or sector as that of the actuator.

- Electrical cubicles are supplied with:

o power voltage, by a supply which, depending on the functional requirements, is diesel-backed or not

o control voltage, which supplies the internal instrumentation and control of the cubicle, by a supply from two redundant 230 V AC sources. The nature and level of the control voltage will be defined later by the supplier of the switchgear, and will be specified when known.

4.8. PROVISIONS FOR PERIODIC TESTING

In accordance with RCC-E, the F2 functions (on a case-by-case basis), F1B and F1A functions must be periodically tested. In this respect, and as a function of its classification, the PACS (as an element of the actuator control channel) is subject to periodic testing to verify the integrity of the control channel.

This test applies to the overall function, and includes:

- the test initiator (IHM[HMI] manual command or local mechanical action on a sensor, as appropriate)

- the PACS, comprising the automation (PAS or SAS, depending on the functions required) and the electrical cubicle including the switching device(s)

- the actuator, whose movement is verified in a test

N.B.: If a particular actuator cannot be activated (for example while the unit is operating) provisions must be made to ensure the test does not entail an actual actuator movement.

The basic principles for periodic testing are described below:


- to the maximum extent possible, periodic testing must be performed from the Main Control Room if the tests involve an action on the process, or if the tests concern the human-machine interface itself, without necessitating local intervention.

- when a safety system actuator receives commands from several systems (e.g. the PS [RPS] and SAS or PAS), the testing of this actuator must be performed as far as possible from only one of these systems. The testing of commands from other systems must be performed without actual movement of an actuator.

- tests which involve actuator movement, and require the use of an IHM[HMI] to send the commands and to verify the information received, require the participation of personnel. These tests should remain manual (no automatic activation, prior to the mechanical system tests).


G.3 TAB 1: PROTECTION SYSTEM INPUTS PROVIDED BY OTHER INSTRUMENTATION & CONTROL SYSTEMS

Input source | Data type | Connection type
PAS | None. | /
RCSL | None. | /
SAS | Some signals are sent by SAS (to be confirmed). | Hardwired
MCP[PICS] | Reset of automatic protection actions. Global initiation of the main protection actions. Manual actuation of permissive signals. | Network
MCS[SICS] | Reset of automatic protection actions. Manual initiation of automatic protection actions. Manual actuation of permissive signals. Initiation of manual F1A actions. | Hardwired
Service Centre | Simulation order. Parameter setting. Manual initiation of periodic testing. | Network


G.3 TAB 2: DESTINATION OF THE PROTECTION SYSTEM OUTPUTS

Destination | Data type | Connection type
PAS | Process parameters (analogue & binary) in case of shared instrumentation. Status of automatic actions (e.g. reactor trip, start of SIS). | Network
RCSL | Process parameters (analogue & binary) in case of shared instrumentation. Commands to automatic controls. Status of automatic actions (e.g. reactor trip, start of SIS). | Network
SAS | Process parameters (analogue & binary) in case of shared instrumentation. Commands to automatic controls (e.g. for main diesels). | Hardwired
Reactor Trip Devices | Trip breakers and trip contactors orders. | Hardwired
PACS | Actuation orders. Inhibition for periodic testing. | Hardwired
MCP[PICS] | Process parameters. Alarm signals. State of the automatic actions. Status of PS [RPS] (self-monitoring). | Network
MCS[SICS] | Process parameters. Alarm signals for F1A manual actions (if any). State of the automatic actions. Status of PS [RPS] (self-monitoring). | Hardwired
Service Centre | State / status of I&C components. Feedback of the PS [RPS] periodic tests. Feedback of modifications. | Network

SUB-CHAPTER: G.3 SECTION : - TABLE : 3 PAGE : 1 / 1

G.3 TAB 3: REACTOR TRIP AND TURBINE TRIP FUNCTIONS PERFORMED BY THE PROTECTION SYSTEM (PRELIMINARY LIST)

PROTECTION FUNCTION | PCC | USO/NUSO

REACTOR TRIP (AND TURBINE TRIP)
on Steam Generator pressure drop > Max1 | PCC2/3/4 | USO
on Steam Generator pressure < Min1 | PCC2/3 | USO
on Pressurizer pressure < Min2 | PCC2/3/4 | USO
on Steam Generator level (A) < Min1A | PCC2/3/4 | USO
on Steam Generator level (A) > Max1A | PCC2/3/4 | USO
on Pressurizer pressure > Max2 | PCC2/3 | USO
on Pressurizer level > Max1 | PCC2 | USO
on Steam Generator pressure > Max1 | PCC2/3 | USO
on containment pressure > Max1 | PCC3/4 | USO
on High linear power density | PCC2 | USO
on Low Departure from Nucleate Boiling Ratio (Low DNBR) | PCC2 | USO
on High core power level | PCC2/3 | USO
on Excore high neutron flux rate of change | PCC4 | USO
on Low Reactor Coolant Pumps speed (four RCPs) | PCC2/3 | USO
on Low reactor coolant flow rate (one loop) * | PCC2/4 | USO
on High neutron flux (intermediate range) | PCC2/4 | USO
on Low doubling time (intermediate range) | PCC2/4 | USO
on Low hot leg pressure | PCC2 | USO

SUB-CHAPTER: G.3 SECTION : - TABLE : 4 PAGE : 1 / 2

G.3 TAB 4: SAFEGUARD FUNCTIONS PERFORMED BY THE PROTECTION SYSTEM (PRELIMINARY LIST)

PROTECTION FUNCTION | PCC | USO/NUSO

SIS ACTUATION
on Pressurizer pressure < Min3 | PCC2/3/4 | USO
on Reactor Coolant System loop level < Min1 | PCC3/4 | USO
on ΔPsat < Min1 | PCC3/4 | USO

PARTIAL COOLDOWN
on Safety Injection System signal | PCC2/3/4 | USO
on Steam Generator level (A) > Max2A | PCC3/4 | USO

MSIV CLOSURE
on Steam Generator pressure drop > Max1 | PCC2/3/4, RRC-A | USO
on Steam Generator pressure < Min1 | PCC2/3 | USO
on Steam Generator level (A) > Max2A if partial cooldown is finished (*) | PCC3/4 | USO

EFWS ACTUATION
on Steam Generator level (B) < Min2B (*) | PCC2/3/4 | USO
on Loss of Offsite Power signal | |

CONTAINMENT ISOLATION
Containment isolation stage 1 on Safety Injection System signal | PCC2/3/4 | USO
Containment isolation stage 2 on containment pressure > Max2 | PCC3/4 | USO

EFWS ISOLATION
on Steam Generator level (B) > Max1B if Emergency Feedwater System has started (*) | PCC3/4 | NUSO

MSRT
Main Steam Relief Train isolation on Steam Generator pressure < Min3 (*) | PCC2 | NUSO
Main Steam Relief Train opening on Steam Generator pressure > Max1 | PCC2/3 | USO
Main Steam Relief Train setpoint increase on Steam Generator level (A) > Max2A if partial cooldown is finished | PCC3/4 | USO

RCP TRIP
Reactor Coolant Pumps trip on ΔP over RCP < Min1 and SIS signal | PCC3/4 | USO

(*) : Action related to one steam generator

SUB-CHAPTER: G.3 SECTION : - TABLE : 4 PAGE : 2 / 2

G.3 TAB 4: SAFEGUARD FUNCTIONS PERFORMED BY THE PROTECTION SYSTEM (PRELIMINARY LIST) (continued)

PROTECTION FUNCTION | PCC | USO/NUSO

LHSI/RHR TRAIN ISOLATION
LHSI/RHR train isolation on high sump level and/or high SAB pressure | PCC4 | NUSO

MFW ISOLATION
Main Feedwater low load isolation on Steam Generator pressure drop > Max2 (*) | PCC2/3/4, RRC-A | USO
Main Feedwater low load isolation on Steam Generator pressure < Min2 (*) | PCC2/3 | USO
Main Feedwater/Start-up and Shutdown System isolation on Steam Generator level (A) > Max1A | PCC2/3/4 | USO
Main Feedwater full load isolation on Reactor Trip signal | PCC2/3/4 | USO

PSV OPENING
1st Pressurizer Safety Valve opening for brittle fracture protection of RPV | PCC2 | USO

CVCS ISOLATION
Anti-dilution in shutdown conditions with RCP not in operation | PCC2 | USO
Anti-dilution in standard shutdown states conditions | PCC2 | USO
Anti-dilution in power conditions | PCC2 | USO
Shutdown of CVCS charging line on high PZR level | PCC2 | USO

F1A ALARM (operator action)
High neutron flux (source range) | PCC2 | USO

(*) : action related to one steam generator

SUB-CHAPTER: G.3 SECTION : - TABLE : 5 PAGE : 1 / 1

G.3 TAB 5: SAFEGUARD SYSTEMS CONTROL FUNCTIONS PERFORMED BY THE PROTECTION SYSTEM (PRELIMINARY LIST)

PROTECTION FUNCTION | PCC | USO/NUSO

MSRT
MSRT control function (Closed loop control) | PCC2/3/4 | USO

EFWS
Emergency Feedwater System pump overflow protection | PCC2/3/4 | USO

SUB-CHAPTER: G.3 SECTION : - TABLE : 6 PAGE : 1 / 1

G.3 TAB 6: SAFEGUARD SUPPORT SYSTEMS ACTUATION FUNCTIONS PERFORMED BY THE PROTECTION SYSTEM (PRELIMINARY LIST)

PROTECTION FUNCTION | PCC | USO/NUSO

CCWS
Component Cooling Water System configuration on containment pressure > Max1 | PCC3 | USO

DIESEL ACTUATION
Diesel actuation on 10 kV busbar voltage < Min1 | PCC2/3 | USO

SUB-CHAPTER: G.3 SECTION : - TABLE : 7 PAGE : 1 / 1

G.3 TAB 7: SAFEGUARD SUPPORT SYSTEMS CONTROL FUNCTIONS PERFORMED BY THE PROTECTION SYSTEM (PRELIMINARY LIST)

PROTECTION FUNCTION | PCC | USO/NUSO

DIESEL ACTUATION
Diesel load shedding sequence | PCC2/3 | NUSO

SUB-CHAPTER: G.3 SECTION : - TABLE : 8 PAGE : 1 / 3

G.3 TAB 8: PROTECTION FUNCTIONS ACCURACY AND RESPONSE TIME (PRELIMINARY LIST)

PROTECTION FUNCTION | ACCURACY | RESPONSE TIME

REACTOR TRIP (AND TURBINE TRIP)
on Steam Generator pressure drop > Max1 | 1.5 bar | 500 ms
on Steam Generator pressure < Min1 | 1.5 bar | 500 ms
on Pressurizer pressure < Min2 | 1.5 bar | 500 ms
on Steam Generator level (A) < Min1A | 2% MR | 500 ms
on Steam Generator level (A) > Max1A | 2% MR | 500 ms
on Pressurizer pressure > Max2 | 1.5 bar | 500 ms
on Pressurizer level > Max1 | 2% MR | 500 ms
on Steam Generator pressure > Max1 | 1.5 bar | 500 ms
on containment pressure > Max1 | 0.2 bar | 500 ms
on High linear power density | 8.7% LPD | 500 ms
on Low Departure from Nucleate Boiling Ratio (Low DNBR) | later | 500 ms
on High core power level | later | 500 ms
on Excore high neutron flux rate of change | 2% NP | 300 ms
on Low Reactor Coolant Pumps speed (four RCPs) | 0.1% | 200 ms
on Low reactor coolant flow rate (one loop) * | 3% | 500 ms
on High neutron flux (intermediate range) | 10% | 300 ms
on Low doubling time (intermediate range) | 10% | 300 ms
on Low hot leg pressure | later | later

SUB-CHAPTER: G.3 SECTION : - TABLE : 8 PAGE : 2 / 3

G.3 TAB 8: PROTECTION FUNCTIONS ACCURACY AND RESPONSE TIME (PRELIMINARY LIST) (continued)

PROTECTION FUNCTION | ACCURACY | RESPONSE TIME

SIS ACTUATION
on Pressurizer pressure < Min3 | 1.5 bar | 500 ms
on Reactor Coolant System loop level < Min1 | 15 cm | 500 ms
on ΔPsat < Min1 | later | 500 ms

PARTIAL COOLDOWN
on Safety Injection System signal | See SIS signal | See SIS signal
on Steam Generator level (A) > Max2A | 2% MR | 500 ms

MSIV CLOSURE
on Steam Generator pressure drop > Max1 | 1.5 bar | 500 ms
on Steam Generator pressure < Min1 | 1.5 bar | 500 ms
on Steam Generator level (A) > Max2A if partial cooldown is finished (*) | 2% MR | 500 ms

EFWS ACTUATION
on Steam Generator level (B) < Min2B (*) | 2% MR | 500 ms
on Loss of Offsite Power signal | later | later
Emergency Feedwater System pump overflow protection | 1% | 500 ms

CONTAINMENT ISOLATION
Containment isolation stage 1 on Safety Injection System signal | See SIS signal | See SIS signal
Containment isolation stage 2 on containment pressure > Max2 | 0.2 bar | 500 ms

EFWS ISOLATION
on Steam Generator level (B) > Max1B if Emergency Feedwater System has started (*) | 2% MR | 500 ms

MSRT
Main Steam Relief Train isolation on Steam Generator pressure < Min3 (*) | 1.5 bar | 500 ms
Main Steam Relief Train opening on Steam Generator pressure > Max1 | 1.5 bar | 500 ms
Main Steam Relief Train setpoint increase on Steam Generator level (A) > Max2A if partial cooldown is finished | 2% MR | 500 ms

(*) : Action related to one steam generator

SUB-CHAPTER: G.3 SECTION : - TABLE : 8 PAGE : 3 / 3

G.3 TAB 8: PROTECTION FUNCTIONS ACCURACY AND RESPONSE TIME (PRELIMINARY LIST) (continued)

PROTECTION FUNCTION | ACCURACY | RESPONSE TIME

RCP TRIP
Reactor Coolant Pumps trip on ΔP over RCP < Min1 and SIS signal | 3% | 500 ms

LHSI/RHR TRAIN ISOLATION
LHSI / RHR train isolation on high sump level and/or high SAB pressure | later | 500 ms

MFW ISOLATION
Main Feedwater low load isolation on Steam Generator pressure drop > Max2 (*) | 1.5 bar | 500 ms
Main Feedwater low load isolation on Steam Generator pressure < Min2 (*) | 1.5 bar | 500 ms
Main Feedwater/Start-up and Shutdown System isolation on Steam Generator level (A) > Max1A | 2% MR | 500 ms
Main Feedwater full load isolation on Reactor Trip signal (*) | See Reactor Trip signal | See Reactor Trip signal

PSV OPENING
1st Pressurizer Safety Valve opening for brittle fracture protection of RPV | later | 500 ms

CVCS ISOLATION
Anti-dilution in shutdown conditions with RCP not in operation / in standard shutdown states conditions / in power conditions | later | later
Shutdown of CVCS charging line on high PZR level | later | later

CCWS
Component Cooling Water System configuration on containment pressure > Max1 | 0.2 bar | 500 ms

DIESEL ACTUATION
Diesel actuation on 10 kV busbar voltage < Min1 | later | later

(*) : Action related to one steam generator

SUB-CHAPTER: G.3 SECTION : - FIGURE : 1 PAGE : 1 / 1

G.3 FIG 1: INTERFACES AND RELATIONS BETWEEN THE PROTECTION SYSTEM AND THE OTHER SYSTEMS OF LEVELS 0, 1 AND 2

[Figure: block diagram with the PS at the centre and its interfaces to SAS, PAS, RCSL, PACS, the Service Centre, PICS and SICS, the Instrumentation Systems and the Reactor Trip Actuators, arranged over level 0, level 1 and level 2.]

This figure only deals with the Protection System. The interconnections between other I&C systems do not appear.

This figure is purely functional. No indication is given regarding the hardware of the connections (network, hardwired, ...).

SUB-CHAPTER: G.3 SECTION : - FIGURE : 2 PAGE : 1 / 1

G.3 FIG 2: GENERAL FUNCTIONAL STRUCTURE (DIVISION 1) OF THE PROTECTION SYSTEM (PS [RPS])

General functional structure for reactor trip (RT) or ESFAS actuation

[Figure: signal chain of division 1. Sensor(s) and Transmitter(s) -> Measurement Data Acquisition (A/D conversion) -> Initiation Processing (Processing, Voting, Logic, ...) -> Actuation processing (Reactor Trip Logic, or Actuator Logic / Actuator Control Logic) -> Reactor Trip Devices or PACS -> Actuators. A function may be fed by Signal A and Signal B (if any). At each processing stage division 1 exchanges data with Div. 2, Div. 3 and Div. 4.]

* : This kind of exchange is only needed for some few specific functions.

Note: voting is only performed on the SPND measurements.

SUB-CHAPTER: G.3 SECTION : - FIGURE : 3 PAGE : 1 / 1

G.3 FIG 3: EQUIPMENT ARCHITECTURE OF THE F1A PART OF THE PROTECTION SYSTEM (PS [RPS])

[Figure: four divisions (DIVISION 1 to DIVISION 4), each split into Sub-System A and Sub-System B. Each division contains APUs (some fed by RAUs), ALUs for ESFAS and for TRIP, a CU for Closed Loop Control and a Support System Control unit.]

Legend:
APU : Acquisition & Processing Unit (F1A)
ALU : Actuation Logic Unit (F1A)
RAU : Remote Acquisition Unit (F1A)
CU : Control Unit (F1A)

SUB-CHAPTER: G.3 SECTION : - FIGURE : 4 PAGE : 1 / 1

G.3 FIG 4: EQUIPMENT INTERFACES OF THE PROTECTION SYSTEM (PS [RPS])

[Figure: interface patterns.
INPUTS: Single Sensor -> APU (or APU / RAU); Single Sensor split over 2 Acquisition Units of the same Sub-System (through an MSD); Single Sensor split over 2 Sub-Systems (Sub-System A and Sub-System B, through an MSD).
OUTPUTS: Reactor Trip: the ALUs of Sub-System A and Sub-System B are combined through & and 1 (AND / OR) gates towards the Reactor Trip Devices. ESFAS and Support System Actuation: ALUs towards PACS through a 1 (OR) gate, from the same Sub-System or, for some few actuators (*), from the other Sub-System. Support System Control: APUs with a 2/3 vote towards PACS. Closed Loop Control: CU of Sub-System B with a Hot Standby control device towards PACS.]

Legend:
APU : Acquisition & Processing Unit (F1A)
RAU : Remote Acquisition Unit (F1A)
ALU : Actuator Logic Unit (F1A)
CU : Control Unit (F1A)
MSD : Measurement Signal Dispatching (F1A)
* : only for some few actuators

SUB-CHAPTER: G.3 SECTION : - FIGURE : 5 PAGE : 1 / 14

G.3 FIG 5: ACTUATION PROCESSING

SI ACTUATION

[Figure: Division 1 to Division 4. Each division exchanges its partial signal with the other three divisions (Div. 2, 3, 4 for Division 1; Div. 1, 3, 4 for Division 2; Div. 1, 2, 4 for Division 3; Div. 1, 2, 3 for Division 4) and performs a 2/4 vote; the output of division i actuates SI train i.]

SUB-CHAPTER: G.3 SECTION : - FIGURE : 5 PAGE : 2 / 14

MAIN STEAM ISOLATION VALVE CLOSURE

[Figure: Division 1 to Division 4, each exchanging its partial signal with the other three divisions and performing a 2/4 vote; the output of division i drives Solenoid valve pilot n° i of all MSIVs.]

Closure of MSIV if (1 and 2) or (3 and 4) open.
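The 2/4 arrangement drawn on the FIG 5 pages (one voter per division, fed by its own partial signal and the three received from the other divisions, each driving its own actuator train) and the pilot-solenoid rule stated for the MSIVs can be checked mechanically. The following Python model is an added example and not part of the UK-EPR submission or its PS [RPS] software; it assumes a plain majority vote over Boolean partial signals and treats a division whose outputs are inhibited (periodic testing, as listed in TAB 2) or lost as driving nothing. It enumerates every single-division failure against two properties: a genuine demand must still close the valve, and a single spurious channel must not.

```python
"""2-out-of-4 actuation model for the arrangement drawn in G.3 FIG 5.

Added example: a hypothetical model, not the UK-EPR PS [RPS] software.
Partial signals are Booleans; a division whose output is inhibited or
lost drives nothing.
"""
from itertools import combinations

DIVISIONS = (1, 2, 3, 4)


def vote_m_out_of_n(signals, m):
    """M-out-of-N vote: True when at least m of the partial signals are asserted."""
    return sum(1 for s in signals.values() if s) >= m


def division_outputs(partial, m=2, inhibited=()):
    """One voter per division, as on every FIG 5 page: each division votes over
    its own partial signal plus the three received from the other divisions and
    drives the actuator train assigned to it (SI train i, MSIV pilot n° i, ...).
    A division in `inhibited` (outputs inhibited for periodic testing, or a lost
    division) drives nothing, whatever the vote says."""
    trip = vote_m_out_of_n(partial, m)
    return {d: (trip and d not in inhibited) for d in DIVISIONS}


def msiv_closes(pilot_open):
    """Hardware rule stated on FIG 5 page 2: pilot n° i is driven by division i
    and the MSIV closes if (1 and 2) or (3 and 4) are open."""
    return (pilot_open[1] and pilot_open[2]) or (pilot_open[3] and pilot_open[4])


def msiv_response(partial, inhibited=()):
    """End to end: partial signals -> per-division 2/4 vote -> pilots -> valve."""
    return msiv_closes(division_outputs(partial, 2, inhibited))


def check_single_failures():
    """Enumerate every single-division failure.

    Returns (unsafe, spurious): divisions whose single failure makes a genuine
    demand fail to close the valve, and divisions whose single spurious partial
    signal closes it without a demand. Both lists are empty when the
    single-failure criterion holds for this arrangement.
    """
    demand = {d: True for d in DIVISIONS}   # every channel sees the event
    quiet = {d: False for d in DIVISIONS}   # no event anywhere
    unsafe, spurious = [], []
    for d in DIVISIONS:
        missed_channel = {**demand, d: False}   # one channel stuck low on demand
        lost_division = msiv_response(demand, inhibited=(d,))
        if not msiv_response(missed_channel) or not lost_division:
            unsafe.append(d)
        if msiv_response({**quiet, d: True}):   # one channel spuriously high
            spurious.append(d)
    return unsafe, spurious


def blocking_pairs():
    """Pairs of divisions whose simultaneous loss defeats the (1 and 2) or
    (3 and 4) pilot rule although the 2/4 vote itself still trips. A double
    failure, outside the single-failure criterion, but worth knowing before
    inhibiting two divisions at once for periodic testing."""
    demand = {d: True for d in DIVISIONS}
    return [p for p in combinations(DIVISIONS, 2)
            if not msiv_response(demand, inhibited=p)]


if __name__ == "__main__":
    print("single failures (unsafe, spurious):", check_single_failures())
    print("division pairs that block closure if both are lost:", blocking_pairs())
```

Run stand-alone, the block reports no single failure on either property and the four cross-pair combinations (1,3), (1,4), (2,3), (2,4) as the only double losses that block closure: losing both divisions of one pilot pair still leaves the other pair. The same `vote_m_out_of_n` with `m=2` over three inputs models the 2/3 support-system vote shown in FIG 4 and FIG 6.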

SUB-CHAPTER: G.3 SECTION : - FIGURE : 5 PAGE : 3 / 14

EFWS (SG 1) ACTUATION

[Figure: the four SG1 sensors (one per division) are acquired in Division 1 to Division 4; Division 1 receives the SG1 signals of Div. 2, 3, 4, performs the 2/4 vote and orders SG1 EFWS actuation.]

This diagram applies to SG2, SG3 and SG4 in the same way, with SGi EFWS actuation ordered by division i.

SUB-CHAPTER: G.3 SECTION : - FIGURE : 5 PAGE : 4 / 14

CONTAINMENT ISOLATION Stage 1 / Stage 2

[Figure: Division 1 to Division 4, each exchanging its partial signal with the other three divisions and performing a 2/4 vote; the output of division i drives the actuators powered by division i.]

Containment isolation power supplies principle: see 8.1 - Fig. 3.

SUB-CHAPTER: G.3 SECTION : - FIGURE : 5 PAGE : 5 / 14

SG1 EMERGENCY FEEDWATER SYSTEM ISOLATION

[Figure: the four SG1 sensors (one per division) are acquired in Division 1 to Division 4; Division 1 receives the SG1 signals of Div. 2, 3, 4, performs the 2/4 vote and orders SG1 EFWS isolation.]

This diagram applies to SG2, SG3 and SG4 in the same way, with SGi EFWS isolation ordered by division i.

SUB-CHAPTER: G.3 SECTION : - FIGURE : 5 PAGE : 6 / 14

REACTOR COOLANT PUMPS TRIP

[Figure: Division 1 to Division 4, each exchanging its partial signal with the other three divisions and performing a 2/4 vote; two of the divisions each trip RCP n° 1 and RCP n° 2, the other two each trip RCP n° 3 and RCP n° 4.]

SUB-CHAPTER: G.3 SECTION : - FIGURE : 5 PAGE : 7 / 14

MAIN FEEDWATER / STARTUP AND SHUTDOWN SYSTEM ISOLATION

[Figure: the four SG1 sensors (one per division) are acquired and exchanged between divisions; 2/4 votes are performed in Div. 1 and Div. 3. Div. 1 PS controls the SG1 main isolation valve; div. 1 and div. 3 PS control the SG1 high and low isolations.]

SG2 MFW / SSS isolation: same as SG1 (replace SG1 by SG2) except the following points:
- div. 2 PS controls the SG2 main isolation valve,
- div. 2 and div. 4 PS control the SG2 high and low isolation valves.

SG3 MFW / SSS isolation: same as SG1 (replace SG1 by SG3).

SG4 MFW / SSS isolation: same as SG2 (replace SG2 by SG4).

SUB-CHAPTER: G.3 SECTION : - FIGURE : 5 PAGE : 8 / 14

MAIN FEEDWATER HIGH LOAD ISOLATION ON REACTOR TRIP

[Figure: Division 1 to Division 4, each exchanging its partial signal with the other three divisions and performing a 2/4 vote; two of the divisions each isolate the SG1, SG3 MFW high load system, the other two each isolate the SG2, SG4 MFW high load system.]

SUB-CHAPTER: G.3 SECTION : - FIGURE : 5 PAGE : 9 / 14

CVCS ISOLATION / IRWST BORATION

[Figure: acquisition (Acq.) in each of the four divisions, the acquired signals being exchanged between divisions; 2/4 votes are performed in Division 1 and Division 4, each ordering CVCS Isolation / IRWST Boration.]

SUB-CHAPTER: G.3 SECTION : - FIGURE : 5 PAGE : 10 / 14

DIESEL ACTUATION AND LOAD SHEDDING

[Figure: Division 1 to Division 4; Diesel 1 actuation and load shedding are ordered by div. 1 on a 2/3 vote.]

This diagram applies to Diesel 2, 3 and 4 in the same way, with Diesel i actuation controlled by div. i.

SUB-CHAPTER: G.3 SECTION : - FIGURE : 5 PAGE : 11 / 14

CCWS CONFIGURATION

[Figure: Division 1 to Division 4, each exchanging its partial signal with the other three divisions and performing a 2/4 vote; the division outputs are "Cooling and Isolation" for two of the divisions and "Cooling" for the other two.]

SUB-CHAPTER: G.3 SECTION : - FIGURE : 5 PAGE : 12 / 14

REACTOR TRIP 2 LEVELS FUNCTIONS

[Figure: Division 1 to Division 4, each exchanging its partial trip signal with the other three divisions and performing a 2/4 vote; each division's output orders Reactor Trip.]

SUB-CHAPTER: G.3 SECTION : - FIGURE : 5 PAGE : 13 / 14

REACTOR TRIP 3 LEVELS FUNCTIONS

[Figure: Division 1 to Division 4. Acquisition (Acq.) in each division, the acquired signals being exchanged between divisions and voted 2/4 at acquisition level; the resulting partial trip signals are again exchanged between divisions and voted 2/4; each division's output orders Reactor Trip.]

SUB-CHAPTER: G.3 SECTION : - FIGURE : 5 PAGE : 14 / 14

CLOSED LOOP CONTROL

[Figure: the four SG1 sensors (one per division) are acquired (Acq.) in Division 1 to Division 4; the signals of Div. 2, 3, 4 are sent to Div. 1, where the Closed Loop Control for SG1 MSRCV opening control is implemented.]

This diagram applies to SG2, SG3 and SG4 in the following way:
- SG2: MSRCV opening control is implemented in div. 2 PS.
- SG3: MSRCV opening control is implemented in div. 3 PS.
- SG4: MSRCV opening control is implemented in div. 4 PS.

SUB-CHAPTER: G.3 SECTION : - FIGURE : 6 PAGE : 1 / 5

G.3 FIG 6: RELATION BETWEEN FUNCTIONAL STRUCTURE AND EQUIPMENT ARCHITECTURE.

Reactor Trip 2 levels function

[Figure: 1st cycle time: A/D conversion and Processing, Threshold, Logic ... in the APU, with exchange to and from Div. 2, Div. 3, Div. 4. 2nd cycle time: Processing, Voting, Logic ... (Reactor Trip Logic) in the ALUs. Signal A and Signal B are combined through & and 1 (AND / OR) gates, together with the signal coming from another Reactor Trip Function in the other Sub-System, towards the Reactor Trip Devices.]

SUB-CHAPTER: G.3 SECTION : - FIGURE : 6 PAGE : 2 / 5

RELATION BETWEEN FUNCTIONAL STRUCTURE AND EQUIPMENT ARCHITECTURE.

Reactor Trip 3 levels function

[Figure: 1st cycle time: A/D conversion in the RAUs. 2nd cycle time: Processing, Voting, Threshold, Logic ... in the APU. 3rd cycle time: Processing, Voting, Logic ... (Reactor Trip Logic) in the ALUs. Exchanges with Div. 2, Div. 3, Div. 4 take place at each level. Signal A and Signal B are combined through & and 1 (AND / OR) gates, together with the signal coming from another Reactor Trip Function in the other Sub-System, towards the Reactor Trip Devices.]

SUB-CHAPTER: G.3 SECTION : - FIGURE : 6 PAGE : 3 / 5

RELATION BETWEEN FUNCTIONAL STRUCTURE AND EQUIPMENT ARCHITECTURE.

ESFAS

[Figure: 1st cycle time: A/D conversion and Processing, Threshold, Logic ... in the APU, with exchange to and from Div. 2, Div. 3, Div. 4. 2nd cycle time: Processing, Voting, Logic ... (Actuator Logic) in the ALUs, whose outputs are combined through a 1 (OR) gate towards PACS.]

SUB-CHAPTER: G.3 SECTION : - FIGURE : 6 PAGE : 4 / 5

RELATION BETWEEN FUNCTIONAL STRUCTURE AND EQUIPMENT ARCHITECTURE.

Support System function

[Figure: 1st cycle time: A/D conversion and Processing, Voting, Logic ... (Actuator Logic) in the APUs; three APUs feed a 2/3 vote towards PACS.]

SUB-CHAPTER: G.3 SECTION : - FIGURE : 6 PAGE : 5 / 5

RELATION BETWEEN FUNCTIONAL STRUCTURE AND EQUIPMENT ARCHITECTURE.

Closed Loop Control function

[Figure: 1st cycle time: A/D conversion and Processing, Logic ... in the APU, with exchange to and from Div. 2, Div. 3, Div. 4. 2nd cycle time: Processing, Voting, Logic ... (Actuator Logic) in the CU. The CU output and a Hot Standby control device (Diversity B) are combined through a 1 (OR) gate towards PACS.]

SUB-CHAPTER: G.3 SECTION : - FIGURE : 7 PAGE : 1 / 1

G.3 FIG 7: OPERATION MODES

[Figure: state diagram of the PS [RPS] operation modes: Power Off, Start Up (Autotest), Cyclic Operation, Outputs inhibited, Tracing / Test, Param, Diagnosis. Power Off is left by Manu (switch on) and entered by Manu (switch off); Start Up (Autotest) leads automatically (Auto) to Cyclic Operation; the other modes are entered by Manu (manual) commands and left by Reset.]

Reset : Manu or Hardware failure detection or Power off.

SUB-CHAPTER: G.3 SECTION : - FIGURE : 8 PAGE : 1 / 1

G.3 FIG 8: INFORMATION STREAM BETWEEN THE DIFFERENT PARTS OF THE PS [RPS]

[Figure: Division 1 to Division 4, each holding the F1A, F1B and F2 parts of the PS and an NC part, with GW (gateway) blocks towards SICS, PICS and PAS / SAS. Three kinds of links are drawn: information stream external to the given classified part of the PS, information stream internal to the given classified part of the PS, and hard-wired information exchange.]

The grey-tinted parts of the picture do not belong to the PS.

This picture only gives the information stream between the different parts of the PS. It gives no information about the number of networks or the topology.

Sensors and actuators are not shown.

The interface with RCSL is not shown.