White Paper - ICEweb · 2019-05-10

White Paper

Tricon-Based Qualified Safety Parameter Display System (QSPDS) in Nuclear Power Plants

Author: Naresh Desai, Sr. Technical Consultant, Invensys

What’s Inside:
1. Abstract
2. Introduction
3. Major Requirements
4. Tricon-Based QSPDS Architecture
5. Safety Application Software Architecture
6. Operator Screens
7. Summary


1. Abstract

The Triconex® Tricon™ is a Triple Modular Redundant (TMR) digital system for Qualified Safety Parameter Display System (QSPDS) applications in nuclear power plants (NPPs). The QSPDS is a safety-related Class 1E system that must have high reliability and availability (99.99%). The system must operate before, during and after a plant event (such as a loss of coolant accident or a station blackout). Poor reliability of an existing QSPDS is one of the major maintenance issues at NPPs. The Tricon is a high reliability, high availability (99.99%) digital system with no single point of failure. It provides an economical solution to the obsolescence, reliability and availability problems of NPPs, and improves the operational efficiency of the NPP. The Tricon is certified by TÜV (a world recognized, independent safety agency) at International Electrotechnical Commission (IEC) Safety Integrity Level 3 (SIL 3) for use in safety and critical control applications in process control and other industries. The Tricon has also been approved by the U.S. Nuclear Regulatory Commission (NRC) for use in safety-related (Class 1E) and critical control applications in NPPs.

2. Introduction

The QSPDS is a safety-related Class 1E system used to calculate and display Inadequate Core Cooling (ICC) parameters before, during, and after a plant event. The ICC parameters include: reactor vessel temperature and pressure saturation margins, reactor vessel level and core exit temperature. The QSPDS is also known as the Inadequate Core Cooling Monitoring System (ICCMS).

Existing QSPDS systems are old, obsolete or on the verge of becoming obsolete, and hard to maintain because spare parts are unavailable. Staff at NPPs should not spend time trying to keep antiquated safety systems running. The design and architecture of a QSPDS should incorporate high reliability and high availability as inherent attributes. A safety system of this kind allows the plant operator to focus on plant behavior, monitor the field parameters critical to running the plant efficiently, and quickly perform corrective actions when necessary.

Aging safety systems must be replaced with modern digital systems offering high reliability and high availability. New systems must be not only easy to operate and maintain, but easy to upgrade and expand in the future. Most of the QSPDS requirements are common to the various NPPs. A QSPDS must have the capabilities and flexibility to handle common regulatory requirements and vendor-specific requirements for the different NPPs.

3. Major Requirements

Field Interface
• Interface to existing field elements, and new field elements (if necessary), for monitoring the reactor vessel parameters. Field elements include Core Exit Thermocouples (CETs), Heated/Unheated Junction Thermocouples (HJTCs/UJTCs) or reactor vessel level transmitters, the pressurizer pressure transmitter, and Reactor Coolant System (RCS) hot/cold leg temperature and pressure transmitters, wired between the Foxboro field devices and a new Triconex-designed control cabinet. The Triconex-designed control cabinet must be located as close as possible to the chiller unit.

Control, Safety and Test
• There are no control requirements for the QSPDS. Note that some nuclear power plants use HJTCs/UJTCs for reactor vessel water level calculation and may require that the QSPDS include the control for the HJTC heater controller.
• Process the reactor vessel critical inputs, validate the inputs and use the validated inputs to calculate the following safety parameters (inadequate core cooling indicators) for monitoring:
  – Temperature and pressure saturation margins
  – Reactor vessel level
  – Representative and average core exit temperature
• Monitor the QSPDS online diagnostics status
• Transmit the safety parameters, field inputs, alarms and QSPDS status to the safety display system


• Transmit the safety parameters, field inputs, alarms and QSPDS status to the non-1E system (plant computer, data acquisition and display system, or DCS)
• Process operator inputs: individual field input bypass, alarm acknowledgement/reset, setpoints
• Perform online diagnostics and transmit the system status to the safety display system and the non-1E system

Operator Interface
• Easy-to-use operator interface for monitoring and control
• Enhanced visibility of safety parameters in real time
• Allow the operator to set the following parameters: setpoints for the alarms (such as the low vessel liquid level alarm and the saturation margin alarms), bypass for individual input signals, acknowledgement/reset for individual alarms
• Easy navigation between the various operator screens

Communications
• Ability to interface with the existing non-1E system (plant computer, data acquisition and display system, or DCS)
• Redundant, high speed, industry standard communication interfaces and protocols to transfer real-time data (such as safety parameters, field inputs, alarms, and QSPDS status) for monitoring and display, logging and trending for field diagnostics purposes

Reliability, Availability and Maintainability
• High reliability and availability (99.99%) with no single point of failure
• Online diagnostics with over 99.9% coverage
• Online repair
• Easy to maintain, modify and add future enhancements
• Easy to upgrade and expand in the future without affecting existing field elements and wiring

The Tricon satisfies the above requirements for a QSPDS in NPPs. The Tricon-based QSPDS architecture is presented in Figure 1. The QSPDS consists of two separate and independent channels, each with its own field I/O, Tricon system and safety display. This basic architecture can be adapted to satisfy existing plant-specific field element and wiring requirements, additional field element requirements, and communications and display requirements.

4. Tricon-Based QSPDS Architecture

A typical QSPDS consists of:
• Tricon™ TMR system
• TriStation 1131™ application development workstation
• QSPDS safety application software
• Safety parameter display HMI (Human Machine Interface)
• Maintenance/engineering workstation

A brief summary of QSPDS components is provided on the next page.


Tricon System

The Tricon is a TMR architecture based digital safety and control system. The system is certified by TÜV (a world recognized, independent safety agency) at IEC SIL 3 for use in safety and critical control applications in process control and other industries. The Tricon has also been approved by the NRC for use in safety (1E) and critical control applications in NPPs.

The Tricon has three independent channels from the input terminal to the output terminal. Each input is scanned and voted by the three main processors (MPs) and the resultant voted input is provided to the same application running in the three MPs. The outputs from the application running in each MP go to the output modules where they are voted. The resultant voted output for each point goes to the output terminal/field device. The TMR architecture is presented in Figure 2.

The TMR architecture and design allows the Tricon system to perform its intended safety and control functions in the presence of a single hardware fault. In addition, the design allows the Tricon to run in TMR, DUAL or SINGLE mode, thus providing high availability (99.99%).

The built-in online diagnostics provide more than 99.9% fault coverage and isolate a fault to a specific module. The faulted module can be replaced with a new module online without affecting the QSPDS operation. The Tricon combines technology and architecture features to provide safety and control functions with the high reliability and high availability required for the safety and critical control applications in NPPs.
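The voting and mode degradation the three paragraphs above describe, modelled in software as an added example. This is not Invensys or Triconex code: the agreement tolerance, the fault-latching policy and the mode bookkeeping are assumptions for illustration, not Tricon internals. The model votes one input point across three channels, drops from TMR to DUAL to SINGLE as channels are flagged, and shows why DUAL mode can detect a disagreement but not resolve it (with two channels there is no majority to outvote the bad one):

```python
from dataclasses import dataclass, field
from statistics import median
from typing import Optional


@dataclass
class TmrVoter:
    """Votes one input point across three channels (0, 1, 2)."""
    tolerance: float = 2.0                       # assumed analog agreement band, engineering units
    faulted: set = field(default_factory=set)    # channels declared faulted by the diagnostics
    discrepancy: bool = False                    # set when DUAL-mode channels disagree

    def mode(self) -> str:
        return {3: "TMR", 2: "DUAL", 1: "SINGLE"}.get(3 - len(self.faulted), "FAIL")

    def _healthy(self, a, b, c):
        return {i: v for i, v in enumerate((a, b, c))
                if v is not None and i not in self.faulted}

    def vote_analog(self, a: Optional[float], b: Optional[float],
                    c: Optional[float]) -> Optional[float]:
        """Voted analog value, or None when no trustworthy value exists."""
        readings = self._healthy(a, b, c)
        if len(readings) == 3:
            voted = median(readings.values())
            # A channel that deviates from the majority beyond the tolerance is
            # outvoted on this scan and flagged, which degrades the mode to DUAL.
            for i, v in readings.items():
                if abs(v - voted) > self.tolerance:
                    self.faulted.add(i)
            return voted
        if len(readings) == 2:
            v1, v2 = readings.values()
            # Two channels give no majority: they must agree, otherwise the voter
            # cannot tell which is bad and reports a discrepancy instead of a value.
            if abs(v1 - v2) > self.tolerance:
                self.discrepancy = True
                return None
            return (v1 + v2) / 2
        if len(readings) == 1:
            return next(iter(readings.values()))   # SINGLE mode: no voting possible
        return None

    def vote_discrete(self, a: Optional[bool], b: Optional[bool],
                      c: Optional[bool]) -> Optional[bool]:
        """Majority vote on a BOOL point across the healthy channels."""
        bits = list(self._healthy(a, b, c).values())
        if not bits:
            return None
        n_true = sum(bits)
        if len(bits) == 2 and n_true == 1:
            self.discrepancy = True
            return None
        return n_true * 2 > len(bits)


# Constructed scan sequence: channel 2 drifts high on the first scan, then fails open.
SAMPLE_SCANS = [(100.0, 100.5, 130.0), (101.0, 101.4, 55.0), (101.2, 101.1, None)]


def run_scans(scans=SAMPLE_SCANS, tolerance=2.0):
    """Voted value and resulting mode after each scan of the sequence."""
    voter = TmrVoter(tolerance=tolerance)
    return [(voter.vote_analog(*s), voter.mode()) for s in scans]
```

On the first scan channel 2 is outvoted and flagged, so the point is already in DUAL mode when its value is delivered; everything after that relies on the two survivors agreeing, which is why online repair of the faulted module matters for availability.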

The Tricon can be expanded from a single chassis system to a 15 chassis system with a wide variety of I/O and Communications (COM) modules. As shown in Figure 1, most QSPDS systems require a main chassis and an I/O expansion chassis, with enough room for future expansion.

The COM modules provide the Tricon with the ability to interface with the existing plant computer, DCS systems and operator stations. These COM modules provide the redundant, high speed, industry standard communication interfaces and protocols for transferring real-time plant data for control, monitoring, logging and trending for field diagnostics purposes. For a Class 1E application the link across the 1E/non-1E boundary must be outbound only: the safety channel publishes parameters, alarms and status, while operator inputs (bypasses, acknowledgements, setpoints) enter through the qualified safety display, so that no non-1E system has a path to write into the safety application.

The I/O modules allow the Tricon to interface with various types of existing and new field devices. The I/O modules include: Analog Input, Analog Output, Thermocouple Input, Pulse Input, Digital Input, and Digital Output.

Figure 1: Tricon-Based QSPDS Architecture

Figure 2: Tricon TMR Architecture

TriStation 1131 Application Development Workstation

TriStation 1131 is a PC-based safety and critical process control application development workstation that provides a comprehensive set of development, test, monitor, validation, and diagnostic tools for Triconex Programmable Safety Systems (Tricon and Trident). TriStation 1131 is compliant with the IEC 1131-3 International Standard for Programmable Controllers, Part 3: Programming Languages (now designated IEC 61131-3).

TriStation 1131 includes the following major features for application development:
• IEC programming languages: Structured Text (ST) language (textual), Function Block Diagram (FBD) language (graphical), and Ladder Diagram (LD) language (graphical)
• IEC data types: basic data types (BOOL, INT, DINT, REAL, LREAL, DWORD, STRING, TIME, TOD, DATE, and DT) and user-derived data types (ARRAY, STRUCT, CONSTANT, and ENUMERATION)
• Ready-made, thoroughly tested libraries for application development:
  – IEC standard library
  – Triconex library: system status and diagnostics functions, scheduler functions, PID functions, Sequence Of Events (SOE) functions
• User-defined libraries: users can develop, test, and archive their own libraries to be used in different applications
• Easy-to-use Windows-based graphical user interface (GUI)
• A browser-based help system with extensive help for TriStation 1131 operations, library functions, and error messages
• Security features and audit trail
• Built-in application change control and version control
• Emulator for application testing prior to downloading to the Tricon system
• Project execution monitoring and control
• Comment boxes and variable annotation for in-line documentation

The above features allow users to develop and test application software in a systematic and modular fashion.

QSPDS Safety Application Software

Safety application software is developed using the TriStation 1131 workstation and the associated standard IEC and Triconex libraries. See section 5, Safety Application Software Architecture, for more information.

Safety Parameter Display HMI (Human Machine Interface)

The safety parameter display system provides a graphical, easy-to-use operator interface for monitoring the reactor vessel safety parameters, field inputs, and alarms. Standard screens are available for the monitoring of the safety parameters by the operator. The standard screens can be modified and/or additional screens can be easily developed to meet the nuclear plant’s operational requirements. See section 6, Operator Screens.

Maintenance/Engineering Workstation

This is a commercial-off-the-shelf (COTS) ruggedized PC with the Tricon Diagnostic Monitor utility. This utility displays Tricon system and module status by simulating the actual Tricon chassis and slots, so that users can find the exact location (chassis number and slot number) of a module. This workstation may also include the TriStation 1131 application software.

5. Safety Application Software Architecture

The safety application software architecture consists of standard, COTS software modules (programs, functions, and function blocks) developed using TriStation 1131 and the associated libraries. The TriStation 1131 programming facilities, combined with the expertise and experience of the Triconex business unit personnel, make it easy to adapt the software architecture to satisfy any plant-specific QSPDS requirements.

Figure 3 shows the major software modules and their interrelationships. These modules process the field inputs, including scaling and failure detection, and calculate the following Inadequate Core Cooling (ICC) indicators:
• Reactor vessel level
• Average and representative core exit temperature
• Reactor vessel pressure and temperature margin to saturation

Note that Figure 3 shows one of many ways of implementing the safety software functions. A different software implementation may be required for different NPPs, based on plant specific field I/O and safety display requirements.

A brief summary of the software modules is provided below.

Figure 3: Major Software Modules and their Interrelationships

CET Processor

• Input Processor
This function processes the individual CET input. It checks that the input is within the specified valid range and converts the input value to the appropriate engineering units. An out-of-range input is tagged invalid, and an invalid input alarm is generated. An invalid input, or an input bypassed by the operator, is not used in the calculations. The alarms, CET raw input value, and CET scaled value (in engineering units) are transmitted to the safety parameter display (HMI) and the non-1E system.

• Core Exit Temperature Calculator
This function uses the valid CETs and calculates the following parameters:
  – Mean core exit temperature and standard deviation
  – Statistical band to determine the quality of each CET
  – Highest and second highest core exit temperatures in each quadrant, including quality
  – Representative core exit temperature
  – Individual core exit temperature alarms
  – Representative core exit temperature alarm

This function further validates that each CET is within an acceptable statistical range using the mean, standard deviation, number of valid CETs, and acceptable deviation criteria (such as the operator-adjustable tolerance bands). The calculations in Figure 3 are iterated to exclude any invalid or bypassed CETs, so that the reported statistics are computed only over the CETs that passed.
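The input processor and the core exit temperature calculator described above, written as an added example in Python rather than the IEC 61131-3 Structured Text the real application uses. This is not Invensys or Triconex code. The raw-count scaling, the tolerance band, the alarm setpoint, the quadrant map, the definition of the representative CET and the sample readings are all assumptions constructed for illustration; what the example shows is the order of operations the text describes: range-check and scale each input, drop invalid and bypassed points, then iterate the statistical band until the population is stable before deriving the per-quadrant and representative values:

```python
from statistics import mean, pstdev

# Assumed scaling: 4-20 mA thermocouple transmitter read as 4000..20000 raw
# counts (microamps) -> 0..2300 degF. Anything outside the raw range is invalid.
RAW_LO, RAW_HI = 4000, 20000
EU_LO, EU_HI = 0.0, 2300.0
CET_HIGH_SETPOINT = 1200.0     # assumed operator-adjustable alarm setpoint, degF


def process_input(raw, bypassed=False):
    """Range-check and scale one CET. Returns (value_degF, usable, alarm).
    An out-of-range raw value is tagged invalid and alarmed. A bypassed
    input is still scaled for display but is not usable in calculations."""
    if not RAW_LO <= raw <= RAW_HI:
        return None, False, "INVALID_INPUT"
    value = EU_LO + (raw - RAW_LO) * (EU_HI - EU_LO) / (RAW_HI - RAW_LO)
    return value, not bypassed, None


def calculate_cet(cets, quadrant_of, k_sigma=2.0, max_passes=3):
    """cets: {tag: (value_degF, usable)}; quadrant_of: {tag: quadrant}.
    Excludes CETs outside mean +/- k_sigma*stdev, iterating until the
    population is stable, then derives the parameters the text lists."""
    good = {t: v for t, (v, ok) in cets.items() if ok}
    rejected = set()
    for _ in range(max_passes):
        if len(good) < 2:
            break                              # no meaningful statistics
        vals = list(good.values())
        mu, sigma = mean(vals), pstdev(vals)
        out = {t for t, v in good.items() if abs(v - mu) > k_sigma * sigma}
        if not out:
            break
        rejected |= out
        good = {t: v for t, v in good.items() if t not in out}
    vals = list(good.values())
    mu = mean(vals) if vals else None
    sigma = pstdev(vals) if len(vals) >= 2 else None
    by_quad = {}
    for t, v in good.items():
        by_quad.setdefault(quadrant_of[t], []).append((v, t))
    top2 = {q: sorted(lst, reverse=True)[:2] for q, lst in by_quad.items()}
    # Assumption: representative CET = average of each quadrant's highest valid CET.
    rep = mean(lst[0][0] for lst in top2.values()) if top2 else None
    return {
        "mean": mu, "stdev": sigma, "n_valid": len(good), "rejected": rejected,
        "quadrant_top2": top2, "representative": rep,
        "cet_alarms": sorted(t for t, v in good.items() if v > CET_HIGH_SETPOINT),
        "rep_alarm": rep is not None and rep > CET_HIGH_SETPOINT,
    }


# Constructed sample: 12 CETs, three per quadrant. CET03's transmitter has
# failed (raw 0), CET12 is bypassed by the operator, CET09 reads far above
# its neighbours.
SAMPLE_RAW = {"CET01": 8160, "CET02": 8320, "CET03": 0,
              "CET04": 8000, "CET05": 8160, "CET06": 8480,
              "CET07": 8320, "CET08": 8160, "CET09": 10400,
              "CET10": 8000, "CET11": 8320, "CET12": 8480}
BYPASSED = {"CET12"}
QUADRANT_OF = {tag: (i // 3) + 1 for i, tag in enumerate(SAMPLE_RAW)}

PROCESSED = {tag: process_input(raw, tag in BYPASSED) for tag, raw in SAMPLE_RAW.items()}
INPUT_ALARMS = sorted(tag for tag, (_, _, alarm) in PROCESSED.items() if alarm)
RESULT = calculate_cet({tag: (v, ok) for tag, (v, ok, _) in PROCESSED.items()}, QUADRANT_OF)
```

Two points worth noticing: the failed transmitter and the bypassed channel never reach the statistics at all (they are excluded at the input processor, with the failure alarmed), and the high-reading CET09 is removed by the band on the first pass, after which the band is recomputed from the nine survivors so that their quality is judged without the outlier inflating the standard deviation.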

Reactor Vessel Liquid Level Processor

• Input Processor
This function processes the individual HJTC/UJTC input. It checks that the input is within a specified valid range and converts the input value to the appropriate engineering units. An out-of-range input is tagged invalid, and an invalid input alarm is generated. An invalid input, or an input bypassed by the operator, is not used in the calculations. The alarms, raw input value, and scaled value (in engineering units) are transmitted to the safety parameter display (HMI) and the non-1E system.

• Reactor Vessel Liquid Level Calculator
This function calculates the vessel liquid level for a single or split probe reactor configuration using eight HJTC/UJTC input pairs. Each pair has a predetermined liquid level associated with it, depending on the location of the pair in the vessel. The temperature difference between the HJTC and UJTC of a pair indicates whether the pair is covered by liquid or not. If a pair is covered with liquid, the temperature delta stays within the specified (configurable) limit. If the pair is uncovered (no liquid present), the heated junction is no longer cooled and the temperature delta rises above the specified limit.

For a split probe design, head and plenum level alarms are generated when the levels are detected below the specified (configurable) limits.

An invalid or bypassed HJTC is substituted with the next higher HJTC. An invalid or bypassed UJTC is substituted with the next lower UJTC.
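The level calculation and the substitution rule above, as an added example for one probe with eight pairs. This is not Invensys or Triconex code: the pair elevations, the predetermined level each pair indicates, the head/plenum split, the delta-T limit, the alarm limits and the sample readings are constructed assumptions. The substitution directions follow the text (a bad HJTC takes the next higher HJTC, a bad UJTC the next lower UJTC), and a pair that still cannot be formed is treated as not covered, which is the conservative side for a low-level indication:

```python
DELTA_T_LIMIT = 50.0   # assumed configurable limit, degF: larger delta-T means the pair is uncovered
# Assumed probe geometry: pair 0 is lowest in the vessel. Each pair carries the
# predetermined liquid level (% of span) it indicates when covered, and the
# probe region it belongs to in a split-probe design.
PAIR_LEVEL = [5, 17, 29, 41, 53, 65, 77, 90]
REGIONS_SPLIT = {"plenum": [0, 1, 2, 3], "head": [4, 5, 6, 7]}
REGIONS_SINGLE = {"vessel": [0, 1, 2, 3, 4, 5, 6, 7]}
LOW_LEVEL_LIMIT = {"plenum": 20, "head": 60, "vessel": 20}   # assumed configurable alarm limits, %


def substitute(values, index, step):
    """Nearest usable value from index in direction step (+1 = next higher
    pair, -1 = next lower pair); None when nothing usable lies that way."""
    i = index + step
    while 0 <= i < len(values):
        if values[i] is not None:
            return values[i]
        i += step
    return None


def pair_coverage(hjtc, ujtc):
    """Per-pair covered flag (True/False), or None when the pair is unusable."""
    covered = []
    for i in range(len(hjtc)):
        # Text: invalid/bypassed HJTC -> next higher HJTC;
        #       invalid/bypassed UJTC -> next lower UJTC.
        h = hjtc[i] if hjtc[i] is not None else substitute(hjtc, i, +1)
        u = ujtc[i] if ujtc[i] is not None else substitute(ujtc, i, -1)
        covered.append(None if h is None or u is None else (h - u) <= DELTA_T_LIMIT)
    return covered


def vessel_level(hjtc, ujtc, split_probe=True):
    """hjtc/ujtc: eight scaled temperatures (degF) each, None for invalid or
    bypassed inputs. Returns ({region: level %}, covered flags, alarms).
    An unusable pair (None) counts as not covered."""
    covered = pair_coverage(hjtc, ujtc)
    regions = REGIONS_SPLIT if split_probe else REGIONS_SINGLE
    levels, alarms = {}, []
    for region, idx in regions.items():
        # Assumption: region level = predetermined level of the highest covered
        # pair, 0 when no pair in the region is covered.
        cov = [PAIR_LEVEL[i] for i in idx if covered[i]]
        levels[region] = max(cov) if cov else 0
        if levels[region] < LOW_LEVEL_LIMIT[region]:
            alarms.append(region.upper() + "_LEVEL_LOW")
    return levels, covered, sorted(alarms)


# Constructed sample: liquid sits between pairs 4 and 5; HJTC 5 and UJTC 2 are invalid.
SAMPLE_HJTC = [605.0, 606.0, 604.0, 607.0, 610.0, None, 730.0, 735.0]
SAMPLE_UJTC = [600.0, 601.0, None, 602.0, 603.0, 604.0, 605.0, 606.0]
```

With the sample readings, pair 2 is rebuilt from UJTC 1 and pair 5 from HJTC 6, so both still contribute; the plenum region reports 41% and the head region 53%, which trips the head low-level alarm under the assumed limits.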

Saturation Margin Processor

• Input Processor
This function processes the hot/cold leg temperature and pressure inputs of the Reactor Coolant System (RCS) loops. It checks that the input is within a specified valid range and converts the input value to the appropriate engineering units. An out-of-range input is tagged invalid, and an invalid input alarm is generated. An invalid input, or an input bypassed by the operator, is not used in the calculations. The alarms, raw input value, and scaled value (in engineering units) are transmitted to the safety parameter display (HMI) and the non-1E system.

• Temperature Saturation Margin Calculator
This function uses the lowest of the RCS loop pressures and the steam table to calculate the saturation temperature. It then calculates the temperature saturation margins by subtracting the highest of the hot/cold leg temperatures, and separately the representative core exit temperature, from that saturation temperature. If any temperature saturation margin is outside the pre-defined (configurable) range, an alarm is generated and transmitted to the safety parameter display and the non-1E system.


• Pressure Saturation Margin Calculator
This function uses the highest of the RCS loop temperatures and the steam table to calculate the saturation pressure. It also uses the representative core exit temperature and the steam table to calculate a second saturation pressure. It then calculates the pressure saturation margins by subtracting each saturation pressure from the lowest of the hot/cold leg pressures. If any pressure saturation margin is outside the pre-defined (configurable) range, an alarm is generated and transmitted to the safety parameter display and the non-1E system.
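Both saturation margin calculators, as one added example that is not Invensys or Triconex code. The steam table is an abridged water saturation line included only so the block runs offline; a qualified implementation uses the plant's approved table. The loop readings, the representative CET and the alarm limits are constructed assumptions. The example also shows the failure handling a practitioner would want: a reading outside the table yields no margin rather than an extrapolated one, and a calculator with no valid pressure or temperature input produces nothing at all instead of a stale number:

```python
from bisect import bisect_left

# Abridged water saturation line (pressure psia, temperature degF), ascending in
# both columns so it can be interpolated in either direction. Illustrative only:
# a qualified implementation uses the plant's approved steam table.
SAT_TABLE = [(14.7, 212.0), (100.0, 327.8), (500.0, 467.0), (1000.0, 544.6),
             (1500.0, 596.2), (2000.0, 635.8), (2250.0, 652.9), (2500.0, 668.1),
             (3000.0, 695.3)]
P_COL = [p for p, _ in SAT_TABLE]
T_COL = [t for _, t in SAT_TABLE]
T_MARGIN_LOW = 30.0      # assumed configurable alarm limit, degF
P_MARGIN_LOW = 200.0     # assumed configurable alarm limit, psi


def interp(xs, ys, x):
    """Linear interpolation on an ascending table; None outside its range,
    so an implausible input can never produce a margin."""
    if x < xs[0] or x > xs[-1]:
        return None
    j = bisect_left(xs, x)
    if xs[j] == x:
        return ys[j]
    return ys[j - 1] + (ys[j] - ys[j - 1]) * (x - xs[j - 1]) / (xs[j] - xs[j - 1])


def t_sat(p_psia):
    return interp(P_COL, T_COL, p_psia)


def p_sat(t_degf):
    return interp(T_COL, P_COL, t_degf)


def saturation_margins(loop_pressures, loop_temps, rep_cet):
    """loop_pressures / loop_temps: validated RCS loop readings (hot and cold
    leg temperatures together), None for invalid or bypassed inputs.
    Returns the four margins the text describes plus the alarms raised."""
    ps = [p for p in loop_pressures if p is not None]
    ts = [t for t in loop_temps if t is not None]
    if not ps or not ts:
        return None                       # nothing valid to calculate with
    p_low, t_high = min(ps), max(ts)

    def diff(a, b):
        return None if a is None or b is None else a - b

    tsat = t_sat(p_low)                   # lowest loop pressure -> Tsat
    psat_loop = p_sat(t_high)             # highest loop temperature -> Psat
    psat_cet = p_sat(rep_cet) if rep_cet is not None else None
    margins = {
        "t_margin_loop": diff(tsat, t_high),      # Tsat - highest hot/cold leg temperature
        "t_margin_cet": diff(tsat, rep_cet),      # Tsat - representative CET
        "p_margin_loop": diff(p_low, psat_loop),  # lowest loop pressure - Psat(loop temperature)
        "p_margin_cet": diff(p_low, psat_cet),    # lowest loop pressure - Psat(representative CET)
    }
    alarms = [k.upper() + "_LOW" for k, v in margins.items()
              if v is not None and v < (T_MARGIN_LOW if k.startswith("t_") else P_MARGIN_LOW)]
    margins["alarms"] = alarms
    return margins


# Constructed sample: two RCS loops, one pressure input invalid, and the
# representative CET as the CET calculator would supply it.
SAMPLE_PRESSURES = [2235.0, None]
SAMPLE_TEMPS = [615.0, 557.0, 618.0, 555.0]      # hot, cold, hot, cold
SAMPLE_REP_CET = 626.75
MARGINS = saturation_margins(SAMPLE_PRESSURES, SAMPLE_TEMPS, SAMPLE_REP_CET)
```

In the sample the loop-based temperature margin is about 34 degF while the CET-based one is about 25 degF, so only the CET margin trips the assumed 30 degF limit; this is the reason the text computes the margin against the representative core exit temperature separately from the loop temperatures.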

System Diagnostics Processor

This function uses the standard TriStation 1131 library system status functions to collect the following diagnostics and system status information, and transmits the information to the safety parameter display and the non-1E system:

• Chassis status of each chassis in the system
• Module status of each module in each chassis
• System mode: TMR, DUAL, or SINGLE
• System date and time
• Scan time
• System key switch position
• Application major and minor version numbers
• Software runtime errors (such as divide by zero, overflow, and underflow)

The key switch position deserves an alarm of its own rather than only a display field: the switch is the physical control over what TriStation may change in the running controller, so a change of position during operation should be logged and annunciated.

Alarms Processor

This function processes the alarms generated by the above software modules and transmits the alarms to the safety parameter display and the non-1E system. This function also transmits selected alarms (such as low temperature and pressure saturation margins, low vessel liquid level, and system fault) to the annunciator panel.

6. Operator Screens

Standard safety parameter monitoring screens with security levels are available for the safety display system. These standard screens can be modified and/or additional screens can be easily developed to meet nuclear plant operational requirements.



7. Summary

Invensys is a customer-centric company that provides a complete solution to the nuclear industry for safety and critical control. Invensys has installed more than 6,000 safety and critical control systems in plants all over the world, including NPPs.

The Tricon is a high reliability, high availability (99.99%), digital safety and control system with no single point of failure. The built-in features of the Tricon (high reliability, high availability, low maintenance, self-calibration, built-in online diagnostics, online repair, easy to expand and upgrade) help reduce life cycle operations and maintenance costs. The Tricon solves the obsolescence, reliability and availability problems of NPPs, while also improving the overall operational efficiency of the NPP.

Built-in online diagnostics provide more than 99.9% diagnostic coverage, providing a basis to potentially reduce periodic surveillance testing between refueling cycles. Online repair increases availability even further, as systems are not required to be taken offline to perform repairs.

With a Tricon installation, you receive not only proven TMR technology but also the experience and knowledge of the Invensys safety domain experts, who are ready to help you all the way. With Invensys you gain its experience in the design, development, installation, and support of the QSPDS, efficient project execution and integration capabilities, round-the-clock customer support, and customized training for I&C and plant operation personnel.

The Tricon from Invensys will be the last system you will ever install for the QSPDS. Future expansions and upgrades can be completed in just a period of days, not weeks or months. Existing cabinets, term panels, or field wiring do not need to be upgraded. This means you don’t have to perform continuity tests, loop checks, or field recalibrations. The overall result is tremendous cost savings in expansion or upgrades, with less coordination and project management effort.


Invensys, the Invensys logo, ArchestrA, Avantis, Eurotherm, Foxboro, IMServ, InFusion, SimSci-Esscor, Skelta, Triconex, and Wonderware are trademarks of Invensys plc, its subsidiaries or affiliates. All other brands and product names may be the trademarks or service marks of their representative owners.

© 2010 Invensys Systems, Inc. All rights reserved. No part of the material protected by this copyright may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying, recording, broadcasting, or by any information storage and retrieval system, without permission in writing from Invensys Systems, Inc.

Invensys Operations Management • 5601 Granite Parkway III, #1000, Plano, TX 75024 • Tel: (469) 365-6400 • Fax: (469) 365-6401 • iom.invensys.com

Rel. 10/10 PN TR-0117