The UK EPR digital I&C system

This architecture was submitted to the UK safety authorities in the frame of the Generic Design Assessment, accepted in principle in 2010, and received Design Acceptance Certification in December 2012.

The I&C architecture comprises all of the automation and safety systems for nuclear power plant safe operation by allowing continuous monitoring and control of the plant parameters.

The I&C architecture basically comprises sensors to transform physical data into electrical signals, and programmable controllers to process these signals, provide actuator control and monitoring, and means of control used by the plant operators. The overall design of the I&C system and associated equipment must comply with process, nuclear safety and operational requirements.

The design of a NPP relies on different safety levels for systems, structures and components, in compliance with general IAEA guides and in line with the local regulations. For I&C functions, this safety categorization is complemented by additional design requirements applicable to the I&C system class associated to an I&C function-specific category based on IEC61226.

The structure of the EPR™ instrumentation and control system is characterized by three main levels of organisation:

• Level 0 corresponds to sensors and actuators
• Level 1 carries out the automation functions: it comprises the reactor control and protection systems, the turbo-generator control and protection system, and the system performing all other automation functions (plant control and protection)
• Level 2 carries out functions related to the human-machine interface that allow the plant to be operated and monitored. The I&C level 2 systems are principally located in the main control room (MCR) and remote shutdown station (RSS). These systems can be broken down into two distinct groupings; computerised and conventional systems. There are two level 2 computerised systems; the process information and central system (PICS) and the protection system (PS) operation terminal (PSOT) and one level 2 conventional system: the safety information and control system (SICS). Plant operations generally take place on PICS, direct control of PS takes place on PSOT and a diverse and non-computerised SICS is used when PICS or PSOT is unavailable.

The data exchanges between the level 1 I&C systems and the PICS take place over the plant network. The plant network crosses the divisions and extends through the nuclear island safeguard and electrical buildings, the effluent treatment building, the diesel buildings and the electrical building on the conventional island. The plant network is Class 3 with a SC1 seismic requirement and, for availability reasons, is designed to withstand a single failure as well as internal hazards within a division.

I&C functions and equipment are categorized depending on their importance to safety. I&C functions are thus implemented using components with the appropriate quality level for their safety class.

The concept of "Defence-in-Depth and Diversity" (DiD) ensures the effectiveness of the protective barriers by identifying the threats to their integrity and by providing successive lines of defence to protect them from failure. The I&C architecture relies on three main lines of defence:

• Preventive line, whose goal is to control the main plant parameters within their expected operating range and control potential deviations. It includes hazards protection
• Main line of protection (class 1 I&C safety features, called safe path I&C safety features, providing a back up in case of loss of the Protection System) used to prevent core melt functions to protect against hazards
• Risk reduction line used to prevent core melt in case of common cause failure of digital I&C systems preventing the main line of protection to operate and mitigate the consequences of severe accidents with a dedicated I&C system.

The preventive line includes:

• Process Automation System (PAS), whose main role is the monitoring and control of the plant in all normal operating conditions. In addition, the PAS performs sufficient monitoring and control of sub-functions related to risk reduction
• Reactor Control, Surveillance and Limitation System (RCSL) that processes Category B, Category C and non-categorised I&C functions related to core control and monitoring, including core control functions and the automatic limiting conditions of operation (LCO) functions and limitation functions for core parameters and for the reactor coolant circuit requiring control rod actuation
• The turbine generator I&C system.

The main line of protection includes:

• A Reactor Protection System (PS) that monitors the safety parameters in all plant condition categories, and for all initiating events, enables the automatic Category A protection and safety I&C functions, the automatic Category A control I&C functions of the safety support systems and the manual Category A I&C functions
• Safety Automation System (SAS) whose main functions include: post-accident management I&C functions (manual and automatic) necessary to bring the plant from the controlled state to the safe shutdown state after an initiating event (Category B), Category A & B I&C functions preventing significant radioactive release including those that are the diverse line of protection in the main line of defence, as well as other actions.

The risk reduction line includes:

• Non-Computerised Safety System (NCSS) that provides protection and control in case of total loss of computerised I&C functions (that is, those performed by systems based on the SPPA-T2000 and TELEPERM?XS (TXS) platforms)
• Severe Accident I&C system that provides the necessary commands and information in the event of a severe accident coupled with, or due to, a Loss of Off-site Power (LOOP), loss of Emergency Diesel Generators (EDG) and Ultimate Diesel Generators (UDG).

Redundancy, separation, diversity

The EPR™ I&C systems and equipment comply with the principles of redundancy, diversity and separation applied in the design of the EPR™ reactor safety-related systems. For example the Safety Injection System and the Emergency Feedwater System, which each consist of four redundant and independent trains, also have four redundant and independent I&C channels.

The EPR reactor system uses three technical platforms: the AREVA TXS platform, the Siemens SPPA-T2000 digital I&C system, and the AREVA UNICORN platform for the non-computerised safety system.

Each safety and safety-related I&C system is designed to be able to satisfactorily fulfil its functions even if one of its channels is not available due to a failure and a second one is unavailable for preventive maintenance reasons.

The level of availability of the I&C systems performing safety functions is specified so as to comply with the probabilistic safety targets adopted in the EPR™ reactor design.

Common cause failure is taken into account in the design of the I&C architecture, from the sensors level up to the human-machine interfaces for the operators. The design also deals with the main and diverse backup means to cope with CCF of the modern computerized operators' workstations.

In short, the UK EPR I&C architecture offers:

• A quadruple-redundant digital safety I&C
• Diverse digital I&C systems to cope with a complete failure of the Protection System (PS)
• A non-computerized safety system.

For example, the RCSL and PS are both implemented on the TXS platform, and both systems act upon the control rods. The RCSL acts upon the control rods in normal operation and is designed to support the limitation functions in order to avoid demands for protection action. The PS trips the reactor if protection limits are reached. If a common cause failure of the RCSL and PS were to occur, it could lead to an Anticipated Transient Without Scram (ATWS), as both systems could fail to send the signal to insert control rods when necessary. In this case, the SAS, which is implemented on the SPPA-T2000 platform, would recover the situation and enable the controlled state to be reached.

The reactor trip equipment and the boration systems (the Safety Injection System and the Extra Boration System) are initiated by multiple I&C signals. The implementation of these I&C functions and signals in the I&C systems depends on which line of defence the function and signal belong to. The reactor trip equipment and the boration systems are both actuated by the same I&C system (PS / TXS platform) as they belong to the main line of defence. However, because the reactor trip, SIS initiation and EBS initiation are also required in the diverse line of protection within the main line of defence, which protects against RRC-A multiple failure events, they can also be actuated by the diverse SAS (SPPA-T2000). Therefore, in the event of unavailability of the PS, the Reactor Trip, SIS and EBS functions would still be available.

The main NCSS automatic functions are reactor and turbine trip, main feedwater isolation and emergency feedwater system actuation. These actions leave the plant in a stable steady-state condition. Other automatic functions such as reactor cooling pump trip, component cooling water system isolation, or chemical and volume control system (CVCS) isolation take care of specific dominant events and sequences.

Non-Computerized Safety System

Following the requirements from the UK regulators to ensure a complete independence of the organization for the design of the digital safety I&C platform and the non-computerized system, AREVA decided together with EDF in 2012 to launch the development of a new safety platform via its subsidiary AREVA TA located in Aix-en-Provence, France. AREVA TA has a long experience in designing digital and non-computerized safety I&C for the purpose of propulsion and research reactors. This new platform will be primarily developed for the UK EPR reactor and be further extended to address the larger world market.

The safety modules are designed as simple components, such as discrete elements (transistors, transformers), TTL logic gates or operational amplifiers, and the logic is performed with the already-proven and fail-safe Magnetic Dynamic Logic technology. This technology uses dynamic signals combined together through magnetic transformers. When the plant and its safety systems are operating normally, the signals received by the NCSS are always dynamic. In case of malfunction, the signal(s) will become static and the output of the NCSS will be driven to 0, automatically indicating to the plant operators that an action is required on the concerned safety systems. With this design, any failure mode of the electronic components of the modules can be demonstrated to lead to a zero-level output. This intrinsic safety feature is based on transformers and transistors, combined with a dynamic clock signal. Using transformers also ensures electrical isolation between inputs and outputs, which is needed to avoid fault propagation in safety systems. AREVA has a long and solid experience with this technology; it has been designing and installing this type of modules on nuclear propulsion and research reactors since the late 1970s.

Photo: Hinkley Point C EPR, courtesy EDF Energy