Get your priorities right18 December 2019
Managing data transmission in the instrumentation and control system to give priority data directly related to the security function reduces the load on the main channels and improves the speed and reliability of the system. This approach has been successfully applied. Wu Youguang, Ma Quan, Liu Mingming, Zhang Zipeng and Zhang Yu report.
THE DIGITAL SECURITY LEVEL INSTRUMENTATION and control system (DCS) of a nuclear power plant is sometimes known as its ‘nerve centre’. It is important in ensuring the safety of the reactor and personnel because its function includes safe shutdown of the reactor and managing safety facilities under accident conditions to limit the accident consequences.
In this system the data involved in the above functions are directly related to reactor safety and have to be processed first. Data related to display, alarm and maintenance provide secondary information.
In order to improve the response speed and reliability of the security level DCS system, auxiliary function data should not inhibit or delay data required to execute security functions.
In addition, the increasing amount of data processed by the security level DCS, means the load on the main processor is heavy and the processing time is long. Despite improvements in the processing speed and capacity of the security DCS, and in reliability, there remains a risk that in the worst case response time will exceed the requirements.
We have analysed the architecture of the security level DCS and the main and auxiliary data distribution to ensure that the main data of the security function is prioritised. This will improve the response speed and reliability of the security level DCS.
Naspic is a general equipment platform developed by the Nuclear Power Institute of China, based on microprocessor and network communication technology meeting regulations and standards for nuclear power plants, and the system requirements for plants’ safety control and protection system. It can be used to construct a digital security level instrument and control system for different reactor types (such as AP1000, Hualong 1, M310) and different architectures.
The basic architecture diagram of the Naspic platform is shown in Figure 1 (The ECP is an emergency control panel. The BUP is a backup panel.).
The platform includes a field control station, transmission station, safety display station, gateway station and engineer station.
The field control station handles signal acquisition, data processing, logical operation, signal outputs and data communication.
The transmission station manages data interface between the field control station and the safety display station, gateway station and engineer station.
The safety display station is the platform’s man-machine interface, managing safety level process parameters and alarm display, equipment control and reset locking.
The gateway station realizes data interaction between the Naspic platform and external non-security systems.
The engineering station manages configuration, downloading and maintenance.
The instrument and control system of reactor safety level, based on the Naspic platform, provides monitoring for plant deviations from normal operating conditions, and drives security functions to shut down the plant safely and maintain a safe state.
The digital security level DCS architecture of the China Engineering Test Reactor is shown in Figure 2. It has a three-channel redundant structure, which consists of three protection groups (I, II and III) and two logic series (A and B). The signal acquisition and logic processing related to the emergency shutdown system are implemented in three protection groups. The functions of the dedicated safety facility drive system are realised by the protection group and logic series.
Among them, IP, IIP and IIIP represent three redundant protection channels; PIPS-1, PIPS-2 and PIPS-3 represent three redundant protection channels’ preprocessing units; RPC-1, RPC-2 and RPC-3 represent three redundant protection channels’ protection processing units; TU-1, TU-2 and TU-3 represent three redundant protection channels’ signal transmission units; ESFAC-A1 and ESFAC-A2 represent two subgroups of dedicated security facility driver units of logical series A, which carry out 1oo2 decision output; ESFAC-B1 and ESFAC-B2 represent two subgroups of dedicated security facility driver systems of logical series B, which carry out 1oo2 decision output; ACM-A and ACM-B represent priority management units of two logical series; GW-A and GW-B represent the gateway units of two logical series.
In the architecture of a domestic engineering test reactor, each protection group corresponds to one protection group TU transmission station. Each logic series corresponds to one logic series TU transmission station.
Main and auxiliary data distribution
Data used for shutdown and dedicated safety facility driver functions are defined as the main function data, and the related data used to display, alarm and maintain are defined as the auxiliary function data. The main function data must not be adversely affected by the auxiliary function data and the auxiliary function data must not inhibit or delay execution of security functions.
We divide the signals into main and auxiliary data according to the above definition.
The digital security level DCS receives instruction signals from the main control room safety disk and backup disk. The instruction data includes equipment control instructions, which are main function data, and alarm and indication signals, which are auxiliary function data.
The periodic tests are a non-security function, and the periodic test data are auxiliary function data, which do not affect the execution of the security system. Therefore, in the periodic test, the module fault signal, the on/off feedback signal and the successful locking feedback signal are sent to the engineer station and the main control room for alarm and instruction after processing.
The alarm and indication signals are auxiliary function data, which are used to help operators to monitor unit status and help maintenance engineers analyse and locate faults, that includes equipment state feedback, PAMS parameters, process parameters and alarm signals.
Instrument control alarm and maintenance information are auxiliary function data that would occupy lots of the system communication resources. Alarm and indication signals for operator monitoring and maintenance engineers to analyse and locate faults will be sent to NC-DCS and the maintenance engineer station.
Main And Auxiliary Data Distribution Scheme
In the digital security level DCS, the main and auxiliary data are processed in the same main processor, and calculations show that response times for shutdown may breach requirements.
Supplementary data account for 97.62% of the total volume (see table), and the main data only account for 2.38%. The processor that performs protection logic and communication may process lots of auxiliary data, which will require a lot of time to execute. As the processing cycle increases, the response time of the system will increase, so the response time will slow down further and breach limits. To solve this problem and maintain the processing speed and time of the main channel of the shutdown protection and special security function, a transmission unit (TU) is added to each protection group and logic series. It is used to process display, alarm, periodic test and maintenance information transmission functions. It can separate out the auxiliary function data flow, which reduces the tasks and communication traffic in the protection group and logic series, reduces the complexity of software, shortens the response time to execute the protection function and improves the realtime security and reliability of the system.
The structure of main and auxiliary data shunting in digital security DCS is shown in Figure 3.
In the protection group IP (comprising instrument preprocessing unit PIPS-1, protective channel processing unit RPC-1, column A special safety facility drive system subgroup ESFAC-A1, column A priority management unit ACM-A) and logical series A the main data that perform security functions are processed and transmitted first.. Other auxiliary data are exchanged by the transmission unit (TU) and external data information, as are other protection groups.
Separate transmission of different types of signals can ensure that the data processing and transmission of security functions are not affected by non-security functions. The auxiliary function data is distributed by TU, which reduces the load in the main function data transmission channels.
This data distribution system, based on the Naspic platform, has been successfully applied to many projects - an engineering test reactor; the Xiapu fast reactor, the ACP100 small reactor - and it has had good engineering application results.
Comparing with other platforms
The security level DCS platforms in domestic nuclear power plants mainly use other platforms: Mitsubishi’s Meltac-N, Siemens’s TXS , Invensys’s Tricon and Westinghouse’s Common Q.
In these platforms the main safety data and the auxiliary data are all processed in the same processor. These security level platforms do not have TU transmission stations, unlike the Naspic platform. This approach reduces the number of cabinets, but there is a risk that it adds to the load on the main processor and means the response time is relatively long.
Author information: Wu Youguang, Ma Quan, Liu Mingming, Zhang Zipeng & Zhang Yu, Science and Technology on Reactor System Design Technology Laboratory Nuclear Power Institute of China, Chengdu, 610213, China