
1 Introduction

PAMS is a safety-important I&C system that provides a series of monitoring information. This information supports the operator's judgments in bringing the NPP to a safe state and maintaining it there. Computer-based equipment offers high reliability, flexibility, and fewer restrictions on the scale of panels. Qualified computers have been extensively adopted by NPPs; they offer high reliability and better maintainability, and they meet the requirements for information sharing and secondary exploitation of data. With computers, conditioning and selecting information according to plant condition is easier, which makes accident management and monitoring more convenient for the operator. Application research on computer-based PAMS should therefore be enhanced.

2 Selections and General Design Requirement for Accident Monitoring Parameters

2.1 Selection of Plant Parameters for Accident Monitoring

Accident monitoring instrumentation needs to provide the necessary information to support operational decisions during implementation of emergency operating procedures (EOPs) and severe accident management guidelines (SAMGs), and needs to be selected with the goal of supporting the emergency response plan decision-making process [2]. Generally, plant parameters for accident monitoring include DBE and DEC parameters to support preventive accident management and mitigating accident management.

Parameters for Design Basis Accidents include [3]:

  • Parameters for providing information essential for the control room operator to take the specific planned manually controlled actions, for which no automatic control is provided, to bring the plant to a safe state;

  • Parameters for providing the assessment of achievement and maintenance of the plant safety functions to the control room operators;

  • Parameters for providing the most direct indication of the integrity of threefold fission product barriers;

  • Parameters for providing the performance of safety systems, auxiliary supporting features and other systems indirectly indicating the safety shutdown state, and for confirming safety system status;

  • Parameters for providing evaluation of the magnitude of the release of radioactive materials through identified meteorological condition.

The accident monitoring parameters for Design Extension Conditions (DEC, including Severe Accidents) need to provide the safety information required to respond appropriately to plant conditions as the accident progresses. This information enables plant operators to make correct decisions.

2.2 General Design Requirement of Instrumentation

Referencing GB/T13627, the types of post-accident monitoring variables are Type A, B, C, D, and E; the types are not mutually exclusive. When a variable belongs to one or more of the five types, it must comply with the highest requirements among those types. Accident monitoring instrumentation implements its functions over the duration required to enable plant operators to respond appropriately to accidents according to guidelines and procedures. The safety classification of the specified accident instrumentation is to comply with GB/T 15474-2010 [4]. The equipment safety classification requirements for the various parameters are listed in Table 1, which gives only the basic requirements of accident monitoring parameters corresponding to equipment of different safety function classifications; taking Type D parameters as an example, the signal can be taken from equipment of safety classification A/B.

Table 1. Requirements of safety Classification of accident monitoring parameters

For Type A, Type B, and Type C variables, the instrument has the highest reliability requirements. The instrument shall be seismically qualified and environmentally qualified for the accident's intended environment at the installed location. Accident monitoring instruments shall satisfy the requirements of single failure, common cause failure, independence and separation, and isolation. Failures of an accident monitoring instrument do not result in information ambiguity that could lead the operator to fail to accomplish a required safety function. The power supply for instrumentation that monitors Type A, Type B, and Type C variables is Class 1E. Control room indication shall be uniquely identified with a characteristic designation so that the operator can easily discern it. At least one of the redundant displays for Type A and Type B accident monitoring variables shall be a spatially dedicated, continuous display. The reliability requirements of Type D parameters are not as high as those of Type A/B/C variables. They are generally implemented with Non-1E equipment that meets the environmental and seismic requirements, and a Non-1E power supply is required. The reliability requirements of Type E variables are the lowest; they are generally realized by NC equipment, without relevant environmental and seismic qualification requirements.

3 Characteristic of PAMS on the Third Generation NPP

3.1 The Characteristic in EPR

In the EPR, the 1E TXS and non-1E TXP DCS platforms are adopted. Although no system standard for PAMS design criteria is used, redundantly configured qualified display systems (QDS) are still used as the man-machine interface of TXS and implement the monitoring of the plant's important safety parameters. Independent severe accident instrumentation should be considered. Two PS QDS and two SA QDS are equipped to display and record the safety-important parameters. At the same time, conventional safety display instruments (ID) are also considered in the safety information and control system (SICS). The safety-important parameters are also processed and displayed by the process information and control system (PICS), via the gateway to the non-1E class TXP platform. The abbreviated structure drawing is shown in Fig. 1.

Fig. 1. The structure abbreviated drawing of PAMS for EPR

The QDS configuration meets the requirements for independence and isolation between channels. The safety-classified signals are acquired and distributed through the Protection Instrumentation Pre-processing System (PIPS) and are then delivered to the protection system (PS, with four channels), which is connected to the QDS via the Message and service interface (MSI). The calculated core thermocouple signal and RPN signal for the core cooling calculation are sent to the PS; these signals are sent directly to the 1E ID via the MSI, and part of the signals from the MSI are sent to the QDS by PI. Parameters that need not be calculated and recorded are sent directly to the 1E ID through PI; otherwise the parameters are delivered to the QDS and/or the 1E ID. A few signals collected from the NC system (such as meteorological and regional radiation monitoring parameters) are displayed in the non-safety PICS.

For the SA QDS, there are two severe accident units (SAU); the interface with PICS is ensured through the Monitoring and service interface units of the PS (PS-MSI) and the gateways of the PS. Part of the signals are acquired from PIPS and SAS [5].

The PS QDS is powered by the 1E AC power supply, which is connected to diesel generators and two hours of UPS for when normal power is lost, and the SA QDS are powered by the SBO diesel and 12 h of UPS [5].

The main characteristic of the accident monitoring system in the EPR is the adoption of dedicated, safety-important, redundant computer-based QDS for data acquisition and processing, indicating an overview of the plant state, showing parameters sorted by safety function, and displaying the trends and records of accident parameters, as shown in Fig. 2. For some continuously displayed F1A function signals, such as valve state, the SICS provides conventional indication devices (ID) for use if the PICS becomes unavailable; differently colored equipment labels distinguish the PAMS parameters. The operator can tell from the QDS display and the alarm whether the data is reliable.

Fig. 2. Illustration of QDS display

3.2 The Characteristic in AP1000

Taking an AP1000 nuclear power plant as an example, the DCS consists of a 1E Common Q platform and a Non-1E Ovation platform. PAMS is performed by part of the reactor protection and safety monitoring system (PMS), the power plant control system (PLS) and the data display and processing system (DDS). The PMS provides signal conditioning, communications, and display functions for Category 1 variables and for Category 2 variables that are energized from the Class 1E uninterruptible power supply system. The PLS and the DDS provide signal conditioning, communications, and display functions for Category 3 variables and for Category 2 variables that are energized from the non-Class 1E uninterruptible power system. The DDS also provides an alternate display of the variables that are displayed by the PMS. The structure of PAMS is shown in Fig. 3.

Fig. 3. The structure abbreviated drawing of PAMS

The accident monitoring system is implemented by the PMS with a redundant configuration. The PMS has four redundant divisions, designated A, B, C, and D; one QDPS subsystem is located in Division B and the other QDPS subsystem is located in Division C. The post-accident monitoring system consists of 1E flat-panel displays (FPD), the identification data processing system (QDPS), and the AF100 internal isolation network [1].

The dedicated sensors are hardwired directly to the QDPS. For the shared sensors, part of the signals are sent to the QDPS directly or via the Bi-stable Processor Logic (BPL). The signals from divisions A and D are communicated over point-to-point HSL with photoelectric isolation from the integration communication processor (ICP) of division A/D to the ICP of HSL B/C, and are then shared with the QDPS on the AF100 network of division B/C.

The QDPS processors perform group control of valves, calculate the subcooling and core cooling conditions, and display the accident monitoring information in FDS for operator command.

The QDPS subsystems are powered from the Class 1E DC and uninterruptible power supply (UPS) system for 72 h after a loss of all AC power (station blackout). After 72 h, the ancillary diesel generators provide power for the QDPS subsystems.

The Non-1E accident monitoring parameters are sent to the DDS from the PLS via the NC plant real-time data network, via which the PLS is connected to the PMS.

4 Comparison and Application Research

4.1 Comparison of Technical Characteristics

On third-generation NPPs, PAMS adopts dedicated safety-important digital display devices combined with a few conventional safety display instruments. Based on the principle of “available with”, the NC system is used to display the state of the plant under normal conditions; if the NC system fails under accident conditions, the safety display devices can be used to monitor the safety status of the NPP. The safety processing and display devices meet the single failure criterion and are redundantly configured. Except for some special monitoring signals, most shared signals are acquired from the safety system through communication isolation and electrical isolation. Robust technologies are used, with different structural configurations, to meet the performance requirements of existing nuclear power plants.

According to the design and technical requirements of PAMS, a comparison of the technical requirements of the accident monitoring systems on third-generation NPPs is shown in Table 2.

Table 2. The technical comparison of PAMS on the third generation NPP

4.2 Application Research

During the Fukushima Daiichi accident in Japan in 2011, the instrumentation provided for accident monitoring proved to be ineffective for a combination of reasons that appeared to include a loss of power, failure of sensors due to environmental conditions, instrument ranges that were not suitable for monitoring plant condition and a lack of alternative data for use in validating instrument readings [2]. All national authorities have strengthened the review of accident monitoring instruments with respect to high requirements for reliability, design criteria and performance criteria, and the application of operator aid equipment. With reference to the design requirements for accident monitoring instruments in IAEA No. NP-T-3.16, the following is suggested for the development of computer-based accident monitoring systems:

  • Two diversified digital platforms, 1E and non-1E, may be adopted for different system structures according to the classification and design requirements of the monitoring parameters. In normal conditions all parameters, including the severe accident parameters, are monitored on the non-1E digital platform. Type A, B, and C parameters with display identification can be displayed by a standalone digital safety display device of redundant configuration. The development of qualified large-screen equipment for continuous and trend parameters should be considered according to the display requirements.

  • Operators need to be provided with information about the reliability, expected limits to operability and survivability of both designated and other available accident monitoring channels, so that they can recognize conditions that may be impairing the reliability of the readings. For each accident monitoring channel, the aid should ideally include information such as instrument tap, sensor, transmitter, signal processing and readout locations, instrument channel range and any provisions available for extending the measurement range, channel uncertainties when exposed to the environmental conditions and plant power source. This information supports the operator in accident handling and evaluation.

  • The advantages of computer equipment in quickly confirming the validity of a digital display signal can be used; for example, the signal can be judged by color marking and alarm in combination with the background of solution, making identification easier for the operator.

  • As a backup to the computer equipment, complete and clear information on the accident instrumentation should be maintained in the emergency procedures and severe accident guidelines.

  • Applications for environment-dependent calibration and extended display range can be developed to address the impact on parameters of the design basis accident environment and the severe accident environment.

  • Using severe accident modeling to establish the necessary parameter ranges, mission times and environmental conditions that equipment needs to withstand provides better analysis for the design of accident monitoring instruments [2].

  • Although the safety classification of instruments for monitoring design extension conditions (including severe accidents) is generally lower, the instruments may be exposed to severe environments for long periods; unless a single channel can be repaired or replaced within an acceptable out-of-service time within the scope of operation, redundancy needs to be considered. Because severe accidents are more likely to be characterized by trend monitoring, setting up a redundant digital display device for severe accident monitoring is considered.


5 Conclusions

With the development of technology, and to meet the higher requirements on PAMS, safety-classified digital equipment will be widely adopted in PAMS. In addition to the permanent monitoring instruments, safety information can be obtained through offline analysis and sampling methods, such as portable instruments. Robots and unmanned aircraft can be used as a means of support in harsh environmental conditions; this is to be developed further.