APR1400 man-machine interface system
12 August 2011
A new digital instrumentation and control system has been developed for South Korea’s latest reactor design, the 1400MWe APR1400. The main features of its architecture and safety analysis are reviewed. By Yeong Cheol Shin
The design of the APR1400, an evolutionary advanced light water reactor, was developed by the Korean nuclear industry, under the leadership of Korea Hydro and Nuclear Power Company (KHNP), in the Korean Next Generation Reactor (KNGR) programme completed in 2002. This work included design of the man-machine interface system (MMIS) for the reactor's instrumentation and control (I&C) system.
Shin-Kori 3&4 in southeastern Korea, currently under construction, is the prototype APR1400 reactor; Shin-Ulchin 1&2 in eastern Korea will be the second APR1400 project. Shin-Kori 3&4 and Shin-Ulchin 1&2 have been designed to satisfy the APR1400 standard design requirements that incorporate appropriate requirements from the Korean Utility Requirements Document. The APR1400 design includes improvements derived from the previous Korea Standard Nuclear Plant (KSNP) construction and operation experience.
Previous reactor designs such as the KSNP+ were controlled from a conventional analogue control room with indicators and switches. Microprocessors were used in safety and non-safety control systems, but the use of networks and multi-loop controls was limited. In 2008, however, the Korean Nuclear I&C System (KNICS) programme completed the component design and manufacturing technology of the APR1400 MMIS.
Since 2010, these systems and I&C platforms (including programmable logic controllers and distributed control systems) have been further developed and qualified through the Korean Nu-Tech 2012 R&D programme, which aims to accelerate development of the MMIS, reactor coolant pump and core design to achieve technological self-sufficiency in reactor design by October 2012. The programme is linked to development of the indigenous 1500MWe APR+ reactor, an update of the APR1400.
KHNP worked with the nuclear system designer, Korea Electric Power Corporation Engineering and Construction (KEPCO E&C), to develop the system design of the APR1400 MMIS. The prototype APR1400 MMIS, including programmable logic controllers and a DCS, was implemented by Doosan Heavy Industry. Organizations that supported Doosan with MMIS manufacturing and qualification technology, including prototypes (system hardware and software), were Pohang Steel Company ICT as the safety PLC vendor, Woori Technology as the DCS vendor and the Korea Atomic Energy Research Institute.
Shin-Ulchin 1&2 will be first to incorporate both indigenous MMIS design and manufacturing technology. (Westinghouse Electric Company will supply MMIS manufacturing technology to Shin-Kori 3&4).
Nuclear I&C is shifting rapidly to digital technology because of its potential advantages in realizing better I&C system performance, higher reliability, and the capability for complex functions that were not possible with analogue technology. Digital I&C makes it affordable to implement advanced control algorithms and computerized MMI systems that can compensate for the limitations of human cognitive resources in nuclear power plant operations and maintenance.
However, the complexity of the MMI and of the software inherent in digital I&C can present challenges to plant safety: qualifying digital I&C is more difficult because of the complexity of a highly-automated MMI design and the extremely flexible nature of software. The Korean nuclear safety regulatory agency has therefore established criteria for how the technical issues of digital I&C are to be addressed.
The information processing and presentation capability of digital I&C provides opportunities to make full use of operator capabilities and to avoid challenging operator limitations. High-quality information can be made available to all operators at their own workstations.
The APR1400 I&C is distinguished from KSNP I&C designs by employing fully-digitised systems and data communications, and primarily computer-based Man-Machine Interfaces (MMI). APR1400 MMI advanced design features include (1) a control room layout with compact workstations, (2) a large central display panel, and (3) a safety console with qualified information and control to perform safe shutdown or EOP operation in case of total workstation failure (Figure 1).
The 1979 loss-of-feedwater (LOFW) accident at the US PWR Three Mile Island unit 2 offered many lessons about improving nuclear power plant control room MMI. Post-TMI concerns include reducing operator information overload, improving the human factors of annunciator systems, and monitoring of safety-related information and Engineered Safety Feature (ESF) status. In APR1400, unified and consistent MMIs for the nuclear steam supply system (NSSS), turbogenerator (TG) and balance of plant (BOP) are provided in an integrated fashion to resolve these concerns.
In the centre of the control room are redundant compact workstations. These redundant workstations make plant information, control and procedures available to all of the operators. During dynamic simulations of emergency operations with real KHNP crews for HFE evaluations, there were cases when diagnosis errors by the control room supervisor were detected by another operator. The additional workstations have made a significant improvement in human reliability possible.
The automation of operator tasks that demand excessive operator cognitive resources can contribute to reducing operator workload and errors.
In APR1400, critical safety functions are a post-trip monitoring supplement to the emergency procedures. The safety parameter display system (SPDS) displays violations of these and provides alarms. In the course of an event, the violation of one or more safety function status checks (SFSCs) alerts the control room staff to emerging problems with the ongoing mitigation strategy. Success path monitoring (SPM) algorithms provide alarms and displays of availability and performance for the success paths. APR1400 SPDS functions are integrated into the overall control room design, unlike conventional control rooms where the SPDS is provided separately. Plant information representing critical safety functions is also provided on the large display panel as an integral part of the fixed mimic displays.
The APR1400 computerized procedure system (CPS) is an operator support system. It performs no automatic control actions. Procedure instructions are in the form of a graphic flow chart while maintaining the overall hierarchical structure of APR1400 operating guidelines. The APR1400 CPS displays the procedure not only to the control room supervisor but also to the other operators in the crew. When a crew procedure is executed, all operators involved can follow the supervisor’s procedure either in synchronous mode or in asynchronous mode. In synchronous mode, the system immediately shows the supervisor’s procedure display page transitions and actions on other operators’ displays. This facilitates the simultaneous monitoring of the supervisors’ actions and decisions by other operators. This allows the detection and recovery of operator errors. Sharing the same information provided from a single source eliminates the possibility of an operator acting on incorrect information, and reduces the workload of communicating with colleagues and searching for information on different displays. CPS can monitor plant conditions to alert operators to perform a particular step of a procedure. This can increase the likelihood of performing a critical operator action in time. In asynchronous mode, operators can select their own steps to see, independently of the supervisor’s procedure display. This allows the other operators to see next steps or to implement actions required for the steps to be executed.
Signal validation removes the need for operators to compare multiple redundant sensors to validate a parameter before acting on sensor data. For process parameters that indicate safety functions, process representation values (PRVs) are derived from multiple sensors, both safety-grade sensors and non-safety control sensors.
Reducing safety challenges
Fault tolerance functions of digital I&C reduce the frequency of unintended reactor trips that challenge plant safety. This fault tolerance is implemented at component and system levels as follows:
- The distributed control system is designed in a distributed, redundant, and fault-tolerant architecture to achieve higher reliability than the conventional control system. The DCS redundancy applies to the network, controllers, and input/output (IO) devices. These features will result in fewer failures of single DCS components that cause spurious plant trips.
- For all the process control functions that are critical to power production, that is whose failure can cause unintended reactor trips, sensors are duplicated. These functions include reactor power control, pressurizer level/pressure control, steam generator level control and main steam bypass control. Sensors for process control that do not cause reactor trips are not duplicated. Previously, an operator would manually switch to a healthy sensor when a control sensor for a process control fails. In APR1400, this transition is made automatically by the control system, which consults safety channel sensors to detect the failure of the sensor being used. This feature should reduce spurious plant trips.
- A thorough single-point vulnerability (SPV) analysis was performed on a control element assembly (CEA) control system in the existing KHNP plants and found about 300 SPVs. To prevent CEAs from dropping due to a single failure of microprocessor or power circuitry, redundant features were applied to the power cabinet design. Diagnosis functions have been implemented for fault detection and reconfiguration to backup functions.
- Reactor power cutback system (RPCS) functions have been improved to avoid reactor trip when one CEA is dropped.
- The feedwater control system automatically controls the steam generator water level with the extended range of automation to low power. This is expected to considerably reduce spurious reactor trips caused by operator errors.
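The signal validation and automatic control-sensor failover described above, as an added example in Python; this is not code from the page or from KHNP, KEPCO E&C or Doosan. The PRV algorithm (median reference, deviation band, mean of the accepted readings), the 20 psia deviation limit, the sensor names and the scenario values are assumptions made for illustration; a real PRV algorithm and its limits would come from the plant's signal validation specification.

```python
"""Signal validation (PRV) and automatic control-sensor failover.

Added example, not APR1400/KHNP code. The validation algorithm, the
deviation limit and all sensor names and values are assumptions.
"""
from dataclasses import dataclass, field
from statistics import median
from typing import Optional


@dataclass
class Sensor:
    name: str
    value: Optional[float]  # None models a failed/open loop with no signal


def process_representation_value(sensors, deviation_limit):
    """Derive one validated value (PRV) from redundant sensors.

    Assumed algorithm: the median of all live readings is the reference;
    readings further than deviation_limit from it are rejected; the PRV is
    the mean of the accepted readings. Fewer than two accepted readings
    means the parameter cannot be validated, so the PRV is None.
    Returns (prv, accepted_names, rejected_names).
    """
    live = [s for s in sensors if s.value is not None]
    if len(live) < 2:
        return None, [], [s.name for s in sensors]
    reference = median(s.value for s in live)
    accepted = [s for s in live if abs(s.value - reference) <= deviation_limit]
    accepted_names = [s.name for s in accepted]
    rejected_names = [s.name for s in sensors if s.name not in accepted_names]
    if len(accepted) < 2:
        return None, [], rejected_names
    prv = sum(s.value for s in accepted) / len(accepted)
    return prv, accepted_names, rejected_names


@dataclass
class ControlSensorSelector:
    """Automatic failover between a duplicated pair of control sensors.

    The active sensor is kept unless it has no signal or disagrees with the
    safety-channel PRV by more than deviation_limit; then the controller
    switches to the other sensor and records the event. It does not switch
    back while the new sensor stays healthy, which avoids flapping.
    """
    primary: Sensor
    backup: Sensor
    deviation_limit: float
    active: str = field(init=False)
    events: list = field(default_factory=list)

    def __post_init__(self):
        self.active = self.primary.name

    def select(self, safety_sensors):
        """Return the control value to use, or None if no sensor is usable."""
        prv, _, _ = process_representation_value(safety_sensors, self.deviation_limit)
        # Try the currently active sensor first, then the other one.
        ordered = sorted([self.primary, self.backup], key=lambda s: s.name != self.active)
        for sensor in ordered:
            if sensor.value is None:
                continue
            # Caveat: with no validated PRV the safety channels cannot arbitrate,
            # so a sensor that still has a signal is trusted (assumption here).
            if prv is None or abs(sensor.value - prv) <= self.deviation_limit:
                if sensor.name != self.active:
                    self.events.append(f"switched {self.active} -> {sensor.name}")
                    self.active = sensor.name
                return sensor.value
        self.events.append("no valid control sensor; hold last value and alarm")
        return None


def demo():
    """Constructed pressurizer-pressure scenario; the psia values are illustrative."""
    limit = 20.0
    safety = [Sensor("PT-A", 2250.0), Sensor("PT-B", 2252.0),
              Sensor("PT-C", 2249.0), Sensor("PT-D", 2600.0)]  # PT-D has failed high
    prv, accepted, rejected = process_representation_value(safety, limit)
    ctl = ControlSensorSelector(Sensor("PT-X", 2251.0), Sensor("PT-Y", 2250.0), limit)
    first = ctl.select(safety)      # PT-X in use
    ctl.primary.value = 2100.0      # PT-X drifts low
    second = ctl.select(safety)     # automatic switch to PT-Y
    ctl.primary.value = 2250.5      # PT-X recovers: no switch back
    third = ctl.select(safety)
    return prv, rejected, first, second, third, ctl.active, list(ctl.events)


if __name__ == "__main__":
    print(demo())
```

The caveats the model makes explicit are the ones a reviewer would ask about: when the safety channels cannot produce a validated PRV the controller has nothing to arbitrate with and trusts whichever control sensor still has a signal, and when neither control sensor agrees with the PRV it returns None rather than a number, so the caller must hold its last good output and alarm. A controller that silently carried on with a drifting sensor would defeat the purpose of the check.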
Human factors engineering
Computerized MMI is far more complex than conventional MMI and is more likely to create or allow operational errors if the potential for adverse effects is not appropriately addressed. Human factors engineering (HFE) ensures the quality of the computerized MMI.
The Shin Kori 3&4 MMI resources (displays, alarms, soft controls, computerized procedures and the large display panel) are based on extensive development work performed by the Korean nuclear organizations. The work was conducted during both Phase II of the Korea Next Generation Reactor programme, in which the basic design was developed for a standard safety analysis report (SSAR) for a design certification (DC) licensing application, and in phase III, the first-of-a-kind-engineering (FOAKE) design developed to supplement the SSAR in DC licensing review. These efforts included (1) design development, (2) implementation in a simulator-driven mockup and (3) extensive human factors evaluations of each of the MMI resources used for APR1400. The result is a very specific set of design requirements for each of the MMI resources.
The HFE programme was implemented based on the criteria in the HFE Programme Review Model (NUREG-0711). The programme includes HFE analyses of operating experiences, safety function allocation and operational tasks. Evaluation issues of the computerized control room were identified by HFE experts who had experience in designing and evaluating a computerised control room. These issues were tested in HFE evaluations. Dynamic mockups of preceding plants were used for the evaluations. For the initial suitability evaluation of the workstation control room concept, a partial mockup with one workstation was used. A full-scope mockup with redundant workstations was used for the remaining evaluations. Six iterations of human factors engineering evaluations were performed. The final evaluation is scheduled for 2011 with a full-scope replica simulator that uses the same MMI software as the plant.
To cope with the failure modes of computer-based digital I&C, fault tolerance features such as redundancy, distribution, segmentation and diversity are incorporated to minimize the effect of potential computer failures. The requirements for communication independence are implemented to make sure that safety functions are not influenced by non-safety systems or by other independent channels and trains of the safety system. Defence-in-depth and diversity of design are applied according to the positions in USNRC SECY-93-087 to cope with software common mode failure (CMF) of the safety digital I&C. The MMIS architecture of the APR1400 has two diverse groups: a safety group and a non-safety group (Figure 2).
The MMIS architecture satisfies the independence, separation and diversity requirements as follows:
- The safety systems are functionally, physically and electrically independent from the non-safety systems. Signal transfer among the safety systems is carried out with data links or hardwired connections to maintain reliability.
- Safety systems are channelized and independent from each other to meet the single failure criterion.
- A set of channelized confirmation switches maintains channel independence while allowing redundant safety trains to be actuated from the same soft control device.
- The data communication networks between the safety system and the non-safety system are independent and diverse from each other. The data communication between safety and non-safety systems is designed in such a way that only one-way communication from safety systems to non-safety systems is accepted, so as not to compromise the safety functions.
- In addition, data communication between safety and non-safety systems is uni-directional, allowing communication from safety to non-safety systems through the buffer circuit (as in IEEE 7-4.3.2).
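The receive-only handling that a one-way safety-to-non-safety link forces onto the non-safety side, as an added Python example; this is not APR1400, KHNP or IEEE 7-4.3.2 code. The frame layout, the CRC-32 integrity field, the sequence numbering and the alarm texts are assumptions. The security-relevant point it shows: with no path back through the buffer circuit, the non-safety receiver can neither acknowledge frames nor ask for retransmission, so corrupted, lost, replayed and stale data must be detected on the receiving side and surfaced as data-quality flags to the operator displays.

```python
"""Receive-only handling of a one-way safety-to-non-safety data link.

Added example, not APR1400 or KHNP code. Frame layout, CRC-32 field and
alarm texts are assumptions made for illustration.
"""
import struct
import zlib

MAGIC = b"SAFE"
BODY_FMT = ">4sIHd"         # magic, sequence number, channel id, float64 value
FRAME_FMT = BODY_FMT + "I"  # ... followed by CRC-32 of the body
FRAME_LEN = struct.calcsize(FRAME_FMT)


def encode_frame(seq, channel, value):
    """Build one frame: body followed by a CRC-32 over the body."""
    body = struct.pack(BODY_FMT, MAGIC, seq & 0xFFFFFFFF, channel, value)
    return body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


class SafetySideSender:
    """Safety-side transmitter. It only emits; it never reads the link."""

    def __init__(self):
        self.seq = 0

    def emit(self, channel, value):
        frame = encode_frame(self.seq, channel, value)
        self.seq += 1
        return frame


class NonSafetySideReceiver:
    """Non-safety-side receiver. Deliberately has no transmit method."""

    def __init__(self, stale_after=3):
        self.expected_seq = None  # None until the first good frame
        self.values = {}          # channel -> latest accepted value
        self.quality = {}         # channel -> "good" | "stale"
        self.alarms = []
        self.silent_periods = 0
        self.stale_after = stale_after

    def ingest(self, frame):
        """Validate one frame; return True if its value was accepted."""
        if len(frame) != FRAME_LEN:
            self.alarms.append(f"malformed frame rejected (len {len(frame)})")
            return False
        magic, seq, channel, value, crc = struct.unpack(FRAME_FMT, frame)
        if magic != MAGIC or zlib.crc32(frame[:-4]) & 0xFFFFFFFF != crc:
            self.alarms.append("bad frame rejected (magic/crc)")
            return False
        if self.expected_seq is not None:
            if seq < self.expected_seq:
                # Older than what was already accepted: a replay or reordering.
                self.alarms.append(f"replayed or out-of-order frame rejected (seq {seq})")
                return False
            if seq > self.expected_seq:
                lost = seq - self.expected_seq
                self.alarms.append(
                    f"sequence gap: expected {self.expected_seq}, got {seq} ({lost} frames lost)")
        self.expected_seq = seq + 1
        self.values[channel] = value
        self.quality[channel] = "good"
        self.silent_periods = 0
        return True

    def tick(self):
        """Call once per expected frame period. Sustained silence makes data stale."""
        self.silent_periods += 1
        if self.silent_periods == self.stale_after:
            for channel in self.quality:
                self.quality[channel] = "stale"
            self.alarms.append(
                f"link silent for {self.stale_after} periods; all values marked stale")


def demo():
    """Constructed scenario: one frame lost, one corrupted, one replayed, then silence."""
    tx, rx = SafetySideSender(), NonSafetySideReceiver(stale_after=3)
    f0 = tx.emit(1, 2250.0)
    tx.emit(1, 2251.0)                 # seq 1: lost on the wire
    f2 = tx.emit(2, 55.0)
    f3 = tx.emit(1, 2252.0)
    rx.ingest(f0)
    rx.tick()                          # one period with nothing received
    damaged = bytearray(f2)
    damaged[-5] ^= 0x01                # flip a bit inside the value field
    rx.ingest(bytes(damaged))          # seq 2: fails the CRC
    rx.ingest(f3)                      # seq 3: accepted, gap reported
    rx.ingest(f0)                      # seq 0 again: replay rejected
    for _ in range(3):
        rx.tick()                      # link goes quiet
    return rx


if __name__ == "__main__":
    r = demo()
    print(r.values, r.quality, *r.alarms, sep="\n")
```

The receiver class intentionally exposes no transmit method, the software mirror of a hardware link with no return path, and that property is cheap to assert in a code review or unit test. Note also that a CRC detects transmission errors but is not authentication: anything that can write onto the link can produce a valid CRC, so it is the physical isolation of the safety side through the buffer circuit, not the checksum, that keeps the safety data trustworthy.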
The safety systems are based on a common safety platform which has been dedicated for nuclear use. Safety systems implemented on a common safety platform consist of a plant protection system (PPS) and an engineered safety features component control system (ESF-CCS). Most non-safety systems are implemented in a distributed control system-based standard platform. The DCS supports component-level control, automatic process control, and high-level group control. The non-safety system implemented in a DCS is the process-component control system (P-CCS).
Main control room operations are normally performed on workstations where four redundant sets of non-safety DCS operator interface stations (OIS) and safety soft controls are provided. Non-safety system control is done through DCS soft control while safety system control is done through safety soft control. In case operations cannot be performed from workstations, safety monitoring and safe shutdown are performed on a safety console (SC) where a qualified indication and alarm system (QIAS), safety soft control, and a minimum inventory of dedicated MMI are provided.
Protection against CMF
There are several major I&C systems in the APR1400 related to defence against common mode failures (CMF). The diverse protection system (DPS) design includes reactor trip and auxiliary feedwater actuation. The DPS reactor trip provides a simple and diverse mechanism to significantly decrease the risk of anticipated transient without scram (ATWS) events and assist the mitigation of the effects of a postulated CMF of the safety I&C systems. The DPS is implemented in the non-safety common platform and is powered by a non-class 1E vital bus power system which is independent from the class 1E vital bus power system.
The diverse indication system (DIS) is designed to provide the information necessary to monitor critical safety functions under the CMF of the safety I&C system during a design-basis event (DBE). This information is unavailable in the non-safety information system. For this purpose, the DIS receives field input signals through signal splitters/isolators before they enter the safety I&C systems processor. This system satisfies the diverse indication requirement of the Staff Requirements Memoranda (SRM) of US NRC SECY 93-087 on defense-in-depth and diversity for digital safety systems. It consists of one train of non-safety-related equipment. All DIS equipment is located on the main control room safety console.
Diverse Manual ESF Actuation (DMA) is provided to permit the operator to actuate engineered safety feature systems from the main control room after a postulated CMF of the safety system. The DMA switches bypass all control panel multiplexers, gateways and the ESF-CCS controllers that perform the system-level and component-level actuation logic. The DMA switches for remote manual actuation of the ESF systems are hardwired to the component interface module (CIM) downstream of the ESF-CCS. The CIM is implemented as combinational logic, with no software programming during development.
Assessing CMF protection
The US NRC regulatory position on the defense against CMF is given in a four-point position (see box).
Points 1 and 2 can be satisfied by an evaluation performed for the APR1400 MMIS. The evaluation is performed to show the capability of the APR1400 MMIS design to cope with event initiators with a postulated pre-existing CMF of the safety I&C systems. All automatic responses of systems using the protective software, and the capability for manual actuation using these systems, are conservatively assumed to be disabled. The evaluation uses best-estimate assumptions regarding initial operating conditions and assumes continued operability of the reactor coolant pumps (except for events whose initiator is an RCP failure itself) and of the NSSS control systems. It is also assumed that the DPS provides an automatic reactor trip upon high pressurizer pressure or high containment pressure, and automatic actuation of the auxiliary feedwater system upon low steam generator level. Manual operator action is credited if the action time has been determined based on sufficient information and time for the operator to detect, analyze and act to mitigate the events with the CMF of the safety I&C systems. Safety functions that are not initiated as a result of the postulated CMF, and the plant functions/systems that are not affected by the CMF, are identified during this evaluation.
Operator response is necessary to help mitigate the short-term effects of an event, and to accomplish subsequent recovery actions following each event. Diversity in the plant equipment and software assures that adequate instrumentation and controls remain available for timely diagnosis and mitigation of the design basis events with the postulated CMF of the safety I&C systems.
The evaluation consists of a qualitative DBE assessment and a quantitative safety analysis. The qualitative analysis is to assess the defense-in-depth and diversity capability of the plant design in responding to the design basis events with a concurrent postulated CMF of the safety I&C systems. The qualitative analysis assumes that all automatic responses of the safety I&C systems, and the capability for manual actuation using these systems are precluded. The analysis assumes nominal plant conditions at the initiation of each event and best-estimate responses for the diverse reactor trip and auxiliary feedwater actuation equipment, and for the normal control systems and operator action. The qualitative DBE assessment in the evaluation for Points 1&2 above identifies the availability of those systems and functions based on their diversity, independence and the direct connection to the lowest-level components. Through a qualitative DBE assessment, the events that need quantitative analyses are identified.
The quantitative analyses estimate the results of each event by applying the initial conditions, equipment operability, operator actions and acceptance criteria. The emphasis of the evaluation was to ensure a reasonable ability to cope with the events in a manner that preserves core coolability, prevents excessive RCS or containment overpressure, prevents excessive radiological offsite doses and relies on reasonable operator response times. The criteria for core coolability, RCS pressure, containment pressure, offsite doses and operator action time are chosen to be appropriate for the beyond-design-basis categorization of each event when a concurrent low-probability CMF of the PPS and ESF-CCS is also assumed.
The quantitative evaluation results demonstrate the capability of diverse equipment and a reasonable operator response to provide adequate protection for the events identified in the qualitative DBE assessment.
The DPS satisfies Point 3. Point 4 is satisfied by the control system, the DIS and the DMA switches described above.
APR1400 safety-grade software, including PLC software, was developed in accordance with nuclear code and standards such as IEEE 1074, IEEE 1012, IEEE 828 and so on. All the software lifecycle activity defined in NUREG-0800 was executed for safety systems. The prototype of APR1400 MMIS, including PLC and DCS, implemented by Doosan Heavy Industry, is shown in Figure 1.
The software qualification process is composed of software safety analysis, a software verification and validation (V&V) process, and a software configuration management process. For the software V&V process, plan documents such as a development plan, quality assurance plan, management plan and V&V plan were developed. In the requirements and design phases, safety system requirements and design documents were verified and validated through licensing suitability evaluation, traceability analysis and formal verification. The formal verification process was also used to find missing or poorly-specified requirements in the software design. In the implementation and testing phases, a component test, an integration test and a system test were executed. Each test stage consisted of test plan, test design, test case and test procedure generation, followed by test execution. A safety analysis was performed to explore and identify conditions that are not found by the normal design review and testing process. It is a method of identifying portions of software that have the potential for unacceptable hazards.
A Software Safety Analysis (SSA) process was developed and applied to the lifecycle of the PLC software development. The SSA process uses a hazard and operability study (HAZOP). Software configuration management is an activity that configures the form of a software system (that is, documents, drawings and source code) and systematically manages and controls the modifications resulting from the software development and maintenance.
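A traceability analysis of the kind the V&V process above performs, as an added Python example; it is not taken from the page or from the APR1400 V&V programme. The document identifiers (SRS-, SDD-, TC-), their one-line descriptions and the layout of the matrix are constructed for illustration. The check is bidirectional: requirements that reach no design element or no test case, design elements and tests that trace to nothing (which is how missing or poorly-specified requirements surface), references to identifiers that do not exist, and requirements whose tests fail.

```python
"""Bidirectional requirements traceability check.

Added example; identifiers, descriptions and matrix layout are constructed
and are not the APR1400 V&V artefacts.
"""

# Constructed sample matrix (not real APR1400 documents).
REQUIREMENTS = {
    "SRS-001": "Generate a reactor trip when pressurizer pressure exceeds the high setpoint",
    "SRS-002": "Actuate auxiliary feedwater on low steam generator level",
    "SRS-003": "Transmit channel status to the non-safety network over the one-way link",
    "SRS-004": "Permit bypass of one channel at a time, with annunciation",
}
DESIGN = {          # design element -> requirements it implements
    "SDD-010": ["SRS-001"],
    "SDD-011": ["SRS-002", "SRS-004"],
    "SDD-012": ["SRS-003"],
    "SDD-013": [],  # implements nothing that was specified
}
TESTS = {           # test case -> requirements it verifies, and its outcome
    "TC-100": {"traces": ["SRS-001"], "result": "pass"},
    "TC-101": {"traces": ["SRS-002"], "result": "fail"},
    "TC-102": {"traces": ["SRS-009"], "result": "pass"},  # non-existent requirement
    "TC-103": {"traces": [], "result": "pass"},           # verifies nothing specified
}


def traceability_analysis(requirements, design, tests):
    """Return findings as a dict of sorted lists; all empty means the matrix closes."""
    req_ids = set(requirements)
    implemented = {r for refs in design.values() for r in refs}
    tested = {r for info in tests.values() for r in info["traces"]}
    failing = {r for info in tests.values() if info["result"] != "pass"
               for r in info["traces"] if r in req_ids}
    return {
        # Forward traceability: every requirement must reach design and test.
        "unimplemented": sorted(req_ids - implemented),
        "untested": sorted(req_ids - tested),
        # Backward traceability: every design element and test must come from a
        # requirement; items tracing to nothing point at missing or vague requirements.
        "orphan_design": sorted(d for d, refs in design.items() if not refs),
        "orphan_tests": sorted(t for t, info in tests.items() if not info["traces"]),
        "dangling_refs": sorted((implemented | tested) - req_ids),
        # Verification status of the requirements that are traced.
        "failing": sorted(failing),
    }


def matrix_closes(findings):
    """True only when every finding list is empty."""
    return all(not items for items in findings.values())


def demo():
    return traceability_analysis(REQUIREMENTS, DESIGN, TESTS)


if __name__ == "__main__":
    for kind, items in demo().items():
        print(f"{kind:15s} {items}")
```

Run against the exported matrix in a build pipeline, the analysis can gate a release on matrix_closes(), so a safety requirement with no test cannot slip through; the orphan and dangling lists are the checks that expose requirements the specification never stated.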
The APR1400 PLC was developed under a nuclear plant software qualification process. This is a distinctive practice for improving reliability compared with other class-1E PLCs, which are qualified through commercial off-the-shelf dedication processes such as EPRI TR-106439. A third-party review of the PLC operating system kernel and system tasks was conducted to demonstrate their safety.
The APR1400 MMIS design is now being installed in Shin-Kori 3&4, whose commissioning is about to begin. A configuration management process will be implemented to systematically improve the APR1400 MMIS, especially operational MMI, reflecting operational experiences and feedback from Shin-Kori 3&4, while the safety features of I&C systems and engineering processes will remain embedded in the plant. The APR1400 MMIS is being further developed through the ongoing Advanced Power Reactor Plus (APR+) programme to further improve safety.
USNRC position on CMF protection
1. The applicant shall assess the defence-in-depth and diversity of the proposed instrumentation and control system to demonstrate that vulnerabilities to common-mode failures have adequately been addressed.