The document describes the instrumentation and control systems for the AP1000 nuclear power plant. It discusses the protection and safety monitoring system which initiates protective functions like reactor trip and engineered safety features to mitigate design basis events. The chapter focuses on the process used to design digital I&C systems rather than specific implementations due to rapid technology changes. It can use the Common Q or Eagle hardware and retains functional requirements from the certified AP600 design. Safety systems are discussed along with the four divisions of redundant instrumentation.
Safety of machinery - Application of standard EN ISO 13849-1 (dnunez1984)
This document provides an overview and comparison of two machinery safety standards: EN 62061 and EN ISO 13849-1. It outlines the basic procedures for complying with machinery directives, including performing a risk assessment. EN 62061 focuses on functional safety for electrical/electronic control systems, using Safety Integrity Levels (SILs). EN ISO 13849-1 applies to all machinery and determines Performance Levels (PLs) based on factors like categories and probability of failure. The document provides details on how each standard specifies safety parameters and calculations for achieving the required safety level.
@Station is an Integrated Control and Protection system designed for the operation of transmission and distribution substations. The system incorporates the latest technology in the field of substation automation to provide its users with innovative solutions to their requirements.
Rockwell Automation provides tools throughout each phase of the Safety Life Cycle to simplify safety system development and improve compliance. These include Safety Automation Builder for designing safety systems, Safety Functions with complete documented solutions, and SISTEMA for evaluating safety components. Additional tools help with system design, programming, diagnostics, and determining return on investment from safety improvements.
Yokogawa Safety Instrumented System - ProSafe-RS (Amit Sharma)
1) The document describes Yokogawa's ProSafe-RS safety instrumented system, which integrates with their CENTUM distributed control system for improved plant safety, reliability, and performance.
2) ProSafe-RS achieves a high safety integrity level through a modular, dual-redundant architecture in every module and communication path. It offers flexibility in configuration and scalability up to 1500 I/O points.
3) The integrated ProSafe-RS and CENTUM systems provide a unified operator environment, remote engineering capabilities, and asset management through a single network, delivering operational excellence and safety excellence.
This document describes a microcontroller-based timer project. It provides background on the company Future Robotix, which designs embedded systems using microcontrollers like the AVR and MCS51 families. Embedded systems are integral computer systems found in devices like cell phones, cars, and medical equipment. The project uses an 8051 microcontroller as the control unit and interfaces it with switches and a buzzer. The microcontroller counts down the time and triggers the buzzer when the timer expires. Keil software is used for programming the 8051 microcontroller.
1) Previously at the Spallation Neutron Source (SNS), different alarm handling approaches were used that did not integrate well. To address this, a soft-IOC based alarm handler was developed that runs in Linux processes to better integrate alarms.
2) The new alarm handler was built using scripts to generate EPICS databases, display screens, and configuration from XML files for standard Linux soft-IOCs. This allows alarm summaries and controls to be incorporated into display screens.
3) The soft-IOC based alarm handler is now used across multiple systems at SNS, handling over 10,000 process variables and 700 alarm summaries. Operators use the integrated alarm displays and controls daily.
SCADA systems are used to control geographically dispersed assets where centralized monitoring and control are important. They integrate data acquisition from field sites with transmission systems and HMIs to provide centralized monitoring of numerous inputs and outputs from a single location in real time. SCADA systems typically consist of MTUs at a control center, communication equipment between the control center and field sites, and RTUs or PLCs at field sites that perform local control and sensor monitoring.
The document provides an introduction to programmable logic controllers (PLCs). It begins by stating the objectives of understanding PLC terminology, history, functions, advantages, and basic programming. It then explains what a PLC is and discusses its terminology, historical background, functions, advantages, basic components and instructions. Specific topics covered include the evolution of PLCs since 1968; their uses in various industries; how they can replace hard-wired relay systems; and how programming PLCs involves using ladder logic diagrams to represent circuits.
Yokogawa UGS Solution for System Integration with Third Party (Amit Sharma)
The document introduces the Unified Gateway Station (UGS) developed by Yokogawa to achieve a unified operation environment across different controllers. The UGS connects external controllers like STARDOM's FCN/FCJ autonomous controllers and third-party controllers to CENTUM VP. It converts control protocols and allows process data, alarms, and system monitoring of external controllers on CENTUM VP screens. The UGS supports various protocols, handles a large number of tags and controllers, and improves engineering efficiency through import functions. This provides operators with a single environment to monitor all plant controllers.
This document provides a user guide for an IP66/NEMA 4X rated variable speed drive for controlling AC motors. It discusses safety information and warnings, describes the drive's environmental and electrical characteristics, and lists its optional components. The guide contains information to help ensure the drive is properly installed and commissioned according to regulations.
A control system uses feedback to regulate its output based on inputs. A programmable logic controller (PLC) is a specialized computer used to automate industrial processes. There are two main types of PLCs: compact PLCs that have fixed modules within a single case, and modular PLCs that allow expansion through independent modules. A control system consists of a plant or process, controller, inputs, outputs, and disturbances; and can operate in an open loop without feedback or a closed loop that regulates output based on feedback.
Practical Alarm Management for Engineers and Technicians (Living Online)
The manual focuses on simple and practical information for personnel ranging from operators all the way up to supervisors, engineers and managers.
FOR MORE INFORMATION: http://www.idc-online.com/content/practical-alarm-management-engineers-and-technicians-26?id=8
This document provides an overview of programmable controllers, including what they are, how they work, and the different types. It defines programmable controllers as miniature industrial computers that contain hardware and software to perform control functions. The two main sections are the central processing unit (CPU) and input/output interface. The CPU controls all activity by reading inputs, executing programs stored in memory, and writing outputs. Common types are programmable logic controllers (PLCs), PC-based controls, and programmable automation controllers (PACs). Choosing the right controller depends on factors like the application, number of inputs/outputs, environmental conditions, and compatibility with existing systems.
Siemens,
Siemens Automation Equipment Catalog, Automation Equipment Catalog
Siemens Accessories Catalog, Accessories Catalog,
Siemens Catalog, Catalog,
https://www.dienhathe.com,
Details of other Siemens products at https://dienhathe.com
See more Siemens catalogs at https://dienhathe.info
To request a quote for Siemens products, please call: 0907.764.966
This document provides an overview of embedded systems and real-time systems. It discusses embedded software characteristics including responsiveness in real-time. Common architectural patterns for embedded systems like observe and react, environmental control, and process pipeline are described. The document also covers timing analysis, real-time operating systems components, and non-stop system components to ensure continuous operation.
The document provides an overview of industrial control systems (ICS), including common components like distributed control systems (DCS), programmable logic controllers (PLCs), supervisory control and data acquisition (SCADA) systems, and human-machine interfaces (HMIs). It also discusses common industrial protocols like Modbus and vulnerabilities in ICS that have been exploited by malware like Stuxnet. The document uses diagrams and examples to illustrate how these systems work and how an attacker could potentially interact with a PLC to simulate an emergency shutdown.
The document discusses the structure and operation of computer systems. It covers topics like I/O structure, storage hierarchy, hardware protection mechanisms, and general system architecture. Interrupts are used to transfer control from user programs to the operating system kernel to handle events like I/O completion or timer interrupts. The memory is divided into protected regions for the kernel and user programs through the use of base and limit registers. System calls provide a mechanism for user programs to request services from the operating system kernel like performing I/O.
This document provides an introduction to functional safety for machinery. It defines functional safety and explains that it involves ensuring automatic actions occur to reach a safe state. The document discusses relevant functional safety standards like ISO 13849 and IEC 61508. It also examines functional safety concepts like risk assessments, safety integrity levels, safety elements involving structure, reliability, diagnostics and systematic capability. The document uses an example safety circuit diagram to demonstrate functional safety concepts like input channel fault detection.
This document provides an overview of automation and programmable logic controllers (PLCs). It discusses the introduction of automation, its advantages and disadvantages. It then discusses PLCs in detail, including their history, architecture, programming languages used, and applications. The key points are:
1) Automation uses control systems like computers to reduce human intervention in industrial processes. It increases productivity and quality while reducing costs.
2) PLCs were developed to replace relay control systems. They have a CPU, memory, input/output modules and power supply. Ladder logic, function block diagrams and structured text are common programming languages.
3) PLCs are used widely in industrial automation to control devices like
The document provides reference information on the structure and functions of CPU 41x modules used in Siemens S7-400 programmable logic controllers. It describes the controls, indicators, memory, interfaces, parameters, and operating modes of the CPU modules. Specifically, it covers the CPU's role as a PROFINET controller and device, capabilities for multicomputing and direct communication, and diagnostics features. The document is intended as a technical reference for qualified personnel working with S7-400 automation systems.
CETPA INFOTECH PVT LTD is one of the IT education and training service provider brands of India, working in three main domains: IT training services, software and embedded product development, and consulting services.
SYBSC IT SEM IV EMBEDDED SYSTEMS UNIT II Embedded Systems Peripherals (Arti Parab Academics)
This document discusses techniques for testing non-volatile memory devices like ROM and hybrid devices that cannot be overwritten. It describes using checksums and cyclic redundancy checks (CRC) to test the validity of data stored in these memory devices. Checksums involve computing and storing a value based on the data, then recomputing and comparing it to the original to check for errors. CRC is a more advanced checksum algorithm designed to detect common data errors. The document also discusses the control and status registers that interface processors with peripheral devices, the benefits of developing device drivers, the components of a device driver, and the use of watchdog timers to protect against software hangs.
The document discusses the differences between distributed control systems (DCS) and programmable logic controllers (PLC) and provides guidance on selecting the best automation solution. It outlines seven key questions to consider regarding the manufacturing process, value of the product, system requirements, and operator needs. By evaluating these factors, manufacturers can determine whether a DCS, PLC, or hybrid system best meets their specific application needs. The convergence of DCS and PLC technologies has made the selection process more complex, requiring a clear understanding of engineering, operational and maintenance requirements.
This document provides an overview of key concepts from IEC/EN 61508, the international standard for functional safety of electrical, electronic, and programmable electronic safety-related systems. It introduces safety life cycles, risk assessment, safety integrity levels (SIL), probability of failure calculations, and different system architectures. The document contains examples to illustrate these concepts and clarify technical terms defined in the standard.
This document provides an overview of functional safety. It begins with definitions of functional safety and discusses relevant standards like IEC 61508. It then explains the functional safety lifecycle and certification process. This includes performing a hazard and risk analysis, defining safety requirements, and conducting audits. Examples of functional safety products are also provided. The document discusses how functional safety applies to electrical and programmable electronic safety systems and their role in risk reduction. It outlines approaches to achieve hardware safety integrity through techniques like redundancy, detection, and reliability.
protectionsettings-120425102109-phpapp01.ppt (Thien Phan Bản)
The document discusses power system protection settings. It describes the functions of protective relays and equipment protection, and the information required to calculate protection settings. The protection settings process involves calculating settings, checking them, and implementing them. Protective relays use functional elements like protection, control, and timing elements. Distance, overcurrent, and directional protection elements are described.
protectionsettings-120425102109-phpapp01.ppt (Thien Phan Bản)
The document discusses power system protection settings. It describes the functions of protective relays and equipment protection, and the information required to calculate protection settings. The protection settings process involves calculating settings, checking them, and implementing them. Protective relays use functional elements, and have operating characteristics like overcurrent, directional, and distance protection. Settings must coordinate protection across the system.
VigilantPlant | excellence in Safety & Availability (Yokogawa)
The document discusses how an integrated safety solution from Yokogawa can provide both high availability and safety. A Yokogawa solution integrates certified field devices like the EJX pressure transmitter, ProSafe-RS safety controller, and SVI II digital positioner. This allows for automatic diagnostics and partial stroke testing that minimize downtime. An example compares a Yokogawa integrated solution to an ad-hoc alternative, finding the integrated solution doubles safety availability, triples safety integrity, and extends valve proof testing intervals by 10 times, while also having lower lifecycle costs.
This document discusses power system protection settings. It begins by introducing the functions of protective relays and the information needed to calculate settings, such as line parameters, transformer parameters, fault studies results, and CT and VT ratios. It then describes the protection settings process and functional elements of protective relays. The document discusses the operating characteristics of overcurrent, directional, and distance protection elements. It explains concepts like current grading, time grading, and directional elements as they relate to achieving selectivity in protection schemes. Finally, it provides more details on distance protection principles and operating characteristics.
This document explains Safety Integrity Levels (SIL) which are used to quantify safety requirements for Safety Instrumented Systems. It discusses what SIL is, the four SIL levels and their required reliability, how SIL ratings are determined through a risk assessment process, and how hazards are protected against through a layered approach. The document also outlines the SIL life cycle including design, realization, and operation phases, how equipment failures can occur, and how a Safety Instrumented Function's performance is quantified through its Probability of Failure on Demand. It provides information on how components like actuators can be certified as "suitable for use" at a given SIL level and the role of proof and diagnostic testing.
Proposed Algorithm for Surveillance ApplicationsEditor IJCATR
Technological systems are vulnerable to faults. In many fault situations, the system operation has to be stopped to avoid
damage to machinery and humans. As a consequence, the detection and the handling of faults play an increasing role in modern
technology, where many highly automated components interact in a complex way such that a fault in a single component may cause
the malfunction of the whole system. This work introduces the main ideas of fault diagnosis and fault-tolerant control under the optics
of various research work done in this area. It presents the Arduino technology in both hardware and software sides. The purpose of this
paper is to propose a diagnostic algorithm based on this technology. A case study is proposed for this setting. Moreover, we explained
and discussed the result of our algorithm.
This document discusses Safety Integrity Level (SIL) and how it is used to quantify safety in industrial processes. It provides background on the development of international safety standards and defines key terms like SIL, Safety Instrumented Functions (SIF), Probability of Failure on Demand (PFD), and Safe Failure Fraction (SFF). The document explains how hazards analysis is used to determine target SIL levels for safety systems and instrumentation. It also outlines methods for evaluating SIL, including Failure Modes and Effects Analysis (FMEDA) and proven in use testing. Overall, the document provides a comprehensive overview of applying SIL standards to ensure safety in industrial control systems.
The document discusses power system protection and introduces some key concepts:
- Protection aims to protect people, the power system from instability, and system assets from damage. It acts in alert or emergency states to return the system to normal.
- Selectivity, reliability, speed, adaptation to changing conditions, and backup protection are main requirements. Selectivity means only faulted parts are isolated without impacting healthy parts. Reliability involves high security, dependability, and mean time to failure. Protection must quickly and accurately detect and isolate faults.
- Protection functions are implemented in intelligent electronic devices (IEDs) that supervise the system, make trip decisions, and signal circuit breakers based on sensor measurements via serial communication standards
This document discusses the key system components of an embedded firmware design, including the reset circuit, brown-out protection circuit, oscillator unit, real-time clock (RTC), and watchdog timer. It describes the purpose and functioning of each component. The reset circuit ensures the system starts from a known state on power up. The brown-out protection circuit prevents unexpected behavior if the supply voltage drops too low. The oscillator unit generates the processor clock signal. The RTC keeps track of time even without power. The watchdog timer monitors firmware execution and resets the processor if execution hangs.
Design & Fabrication of Electro-Pneumatic Gantry Type Sorting RobotIRJET Journal
This document describes the design and fabrication of an electro-pneumatic gantry type sorting robot. The robot uses sensors like proximity sensors and photoelectric sensors connected to a programmable logic controller (PLC) to sort objects on a conveyor belt based on their properties. A human machine interface (HMI) is used to monitor and control the sorting process. Pneumatic cylinders and solenoid valves controlled by the PLC move a gantry system to pick and place objects into different trays for sorting. Calculations are provided on the required forces and selection of components like the conveyor motor and pneumatic cylinders. The PLC controls the sorting process and sequencing of the robot through ladder logic programming.
The document provides information about the structure, operation, and control of power systems. It discusses:
1) The typical structure of power systems including generation, transmission, and distribution systems organized into interconnected regional grids and pools.
2) SCADA and EMS systems which monitor power system parameters, send real-time data to control centers, and support functions like generation control, scheduling, forecasting, and contingency analysis to guide optimal system operation.
3) Key aspects of power system operation and control including load frequency control, automatic voltage control, state estimation, and flexible AC transmission systems which maintain system stability and security through monitoring and automated response.
FAULT DETECTION AND DIAGNOSIS OF INDUCTION MACHINE WITH ON-LINE PARAMETER PR...Sheikh R Manihar Ahmed
1. The document discusses a fault detection and diagnosis system for induction machines. It includes a microcontroller, sensors, ADC, and LCD display.
2. The system works by setting threshold values for parameters like temperature and current. It then continuously monitors these parameters and compares them to the thresholds.
3. If a parameter exceeds its threshold, the system isolates the specific fault, displays it on the LCD, and triggers an alarm. The user can acknowledge the fault to stop the alarm.
This document provides an introduction to functional safety and an overview of IEC 61508, an international standard on functional safety. It defines functional safety as safety that depends on a system operating correctly in response to inputs. Functional safety is achieved through safety functions performed by safety-related systems. IEC 61508 provides a framework for achieving functional safety in electrical, electronic, and programmable electronic systems by defining safety integrity levels and requiring safety lifecycle activities like hazard and risk analysis. The standard can be applied directly or serve as the basis for other functional safety standards.
The document discusses burner management systems (BMS) and how programmable electronic systems (PES) can be used for burner control while ensuring safety. It outlines several key requirements for PES-based BMS to be certified, including using redundant safety-related PES, obtaining independent safety certification, and the designer demonstrating proper development and testing practices. The document also describes various safety features that can be designed into BMS, such as input/output monitoring, guarded outputs, processor watchdog timers, and power monitoring. It discusses architectures for safety programmable logic controllers (PLCs) including 1oo1D (one out of one with diagnostics) and 1oo2D (one out of two with diagnostics).
The document discusses burner management systems (BMS) and the importance of safety in their design and operation. It notes that BMS use programmable electronic systems like PLCs to control burners safely. However, these systems can fail in dangerous and undetectable ways. Therefore, international standards require safety features like input checking, output monitoring, watchdog circuits, and alarming to be designed into BMS to mitigate risks from failures. The document provides examples of how output monitoring, guarded outputs, and processor protection like watchdog timers can be implemented in typical PLC-based BMS.
Power system operation involves optimizing and coordinating generation, transmission, and distribution of electricity in a reliable, quality, and economical manner. This requires a load dispatch center to control operations in real-time. Protection systems are also important to monitor power systems and protect equipment from faults. The key components of a protection system include relays, communication systems, voltage/current sensors, backup power supplies, and control circuitry. Protection systems are designed to quickly and selectively isolate faults while maintaining reliability. Redundancy and independence between protection devices enhances dependability and security.
This document discusses power system protection settings and provides information on calculating protection settings. It covers the functions of protective relays and equipment protection, the required information for setting calculations such as line parameters and fault studies, and the process of calculating, checking, and implementing protection settings. The goal is to set protections to operate dependably, securely, and selectively during faults while meeting clearance time requirements.
7. Instrumentation and Controls AP1000 Design Control Document
Tier 2 Material 7.1-1 Revision 14
CHAPTER 7
INSTRUMENTATION AND CONTROLS
7.1 Introduction
The instrumentation and control systems presented in this chapter provide protection against
unsafe reactor operation during steady-state and transient power operations. They initiate selected
protective functions to mitigate the consequences of design basis events. This chapter relates the
functional performance requirements, design bases, system descriptions, and safety evaluations for
those systems. The safety evaluations show that the systems can be designed and built to conform
to the applicable criteria, codes, and standards concerned with the safe generation of nuclear
power.
Because of the rapid changes that are taking place in the digital computer and graphic display
technologies employed in a modern human system interface, design certification of the AP1000
focuses upon the process used to design and implement instrumentation and control systems for
the AP1000, rather than on the specific implementation. The design specifics provided here are
included as an example for illustration.
DCD Chapter 7 for the AP1000 has been written to permit the use of either the Eagle protection
system hardware described in the AP600 DCD or the Common Qualified Platform (Common Q)
described in References 8 and 13 and accepted in References 11, 14, and 16. The I&C functional
requirements of the AP600, which has received Design Certification, have been retained to the
maximum extent compatible with the Common Q hardware and software and the Eagle hardware
and software.
The terminology used for Chapter 7 is intended to be independent of any product, but when this is
not possible, Common Q terminology is used.
This chapter also discusses the instrumentation portions of the safety-related systems which
function to achieve the system responses assumed in the accident analysis, and those needed to
shut down the plant. Section 7.1 describes the AP1000 instrumentation and control architecture,
with specific emphasis on the protection and safety monitoring system. The plant control system is
discussed briefly. Other systems are discussed in more detail in relevant sections or chapters.
Section 7.2 discusses the reactor trip function, and Section 7.3 addresses the engineered safety
features (ESF). Systems required for safe shutdown are discussed in Section 7.4 in support of
other chapters. Safety-related display instrumentation is discussed in Section 7.5 and interlocks
important to safety are presented in Section 7.6. Control systems and the diverse actuation system
are discussed in Section 7.7.
Definitions
Terminology used in this chapter reflects an interdisciplinary approach to safety-related systems
similar to that proposed in IEEE 603 (Reference 1).
Safety System – The aggregate of electrical and mechanical equipment necessary to mitigate the
consequences of design basis events.
Protection and Safety Monitoring System – The aggregate of electrical and mechanical
equipment which senses generating station conditions and generates the signals to actuate reactor
trip and ESF, and which provides the equipment necessary to monitor plant safety-related
functions during and following designated events.
Protective Function – Any one of the functions necessary to mitigate the consequences of a
design basis event. Protective functions are initiated by the protection and safety monitoring
system logic and will be accomplished by the trip and actuation subsystems. Examples of
protective functions are reactor trip and engineered safety features (such as valve alignment and
containment isolation).
Actuated Equipment – The assembly of prime movers and driven equipment used to accomplish
a protective function (such as solenoids, shutdown rods, and valves).
Actuation Device – A component that directly controls the motive power for actuated equipment
(such as circuit breakers, relays, and pilot valves).
Division – One of the four redundant segments of the safety system. A division includes its
associated sensors, field wiring, cabinets, and electronics used to generate one of the redundant
actuation signals for a protective function. It also includes the power source and actuation signals.
Channel – One of the several separate and redundant measurements of a single variable used by
the protection and safety monitoring system in generating the signal to initiate a protective
function. A channel can lose its identity when it is combined with other inputs in a division.
Degree of Redundancy – The number of redundant channels monitoring a single variable, or the
number of redundant divisions which can initiate a given protective function or accomplish a
given protective function. Redundancy is used to maintain protection capability when the
safety-related system is degraded by a single random failure.
System-Level Actuation – Actuation of a sufficient number of actuation devices to effect a
protective function.
Component-Level Actuation – Actuation of a single actuation device (component).
7.1.1 The AP1000 Instrumentation and Control Architecture
Figure 7.1-1 illustrates the instrumentation and control architecture for the AP1000. The figure
shows two major sections separated by the real-time data network.
The lower portion of the figure includes the plant protection, control, and monitoring functions. At
the left is the protection and safety monitoring system. It performs the reactor trip functions, the
engineered safety features (ESF) actuation functions, and the Qualified Data Processing (QDPS)
functions. The I&C equipment performing reactor trip and ESF actuation functions, their related
sensors, and the reactor trip switchgear are, for the most part, four-way redundant. This
redundancy permits the use of bypass logic so that a division or individual channel out of service
can be accommodated by the operating portions of the protection system reverting to a
two-out-of-three logic from a two-out-of-four logic.
The ESF coincidence logic performs system-level logic calculations, such as initiation of the
passive residual heat removal system. It receives inputs from the plant protection subsystem
bistables and the main control room.
The ESF actuation subsystems provide the capability for on-off control of individual safety-related
plant loads. They receive inputs from the ESF coincidence logic, remote shutdown workstation
and the main control room.
The plant control system performs nonsafety-related instrumentation and control functions using
both discrete (on/off) and modulating (analog) type actuation devices.
The nonsafety-related real-time data network, which horizontally divides Figure 7.1-1, is a high
speed, redundant communications network that links systems of importance to the operator.
Safety-related systems are connected to the network through gateways and qualified isolation
devices so that the safety-related functions are not compromised by failures elsewhere. Plant
protection, control, and monitoring systems feed real-time data into the network for use by the
control room and the data display and processing system.
The upper portion of the figure depicts the control rooms and data display and processing system.
The main control room is implemented as a set of compact operator consoles featuring color
graphic displays and soft control input devices. The graphics are supported by a set of graphics
workstations that take their input from the real-time data network. An advanced alarm system,
implemented in a similar technology, is also provided.
The data display and processing (plant computer) system is implemented in a distributed
architecture. The working elements of the distributed computer system are graphics workstations,
although their graphics capability is secondary to their computing performance. The distributed
computer system obtains its input from the real-time data network and delivers its output over the
network to other users.
WCAP-15775 (Reference 7) describes the diversity and defense-in-depth features of the AP1000
instrumentation and control architecture.
Protection and Safety Monitoring System
The protection and safety monitoring system provides detection of off-nominal conditions and
actuation of appropriate safety-related functions necessary to achieve and maintain the plant in a
safe shutdown condition. The protection and safety monitoring system controls safety-related
components in the plant that are operated from the main control room or remote shutdown
workstation.
In addition, the protection and safety monitoring system provides the equipment necessary to
monitor the plant safety-related functions during and following an accident as required by
Regulatory Guide 1.97.
Special Monitoring System
The special monitoring system does not perform any safety-related or defense-in-depth functions.
The special monitoring system consists of specialized subsystems that interface with the
instrumentation and control architecture to provide diagnostic and long-term monitoring functions.
The special monitoring system is the metal impact monitoring system. The metal impact
monitoring system detects the presence of metallic debris in the reactor coolant system when the
debris impacts against the internal parts of the reactor coolant system. The metal impact
monitoring system is composed of digital circuit boards, controls, indicators, power supplies and
remotely located sensors and related signal processing devices. The sensors and their related
signal processing devices are mounted in pairs to maintain the impact monitoring function if a
sensor fails in service. The metal impact monitoring system is described in subsection 4.4.6.4.
Plant Control System
The plant control system provides the functions necessary for normal operation of the plant from
cold shutdown through full power. The plant control system controls nonsafety-related
components in the plant that are operated from the main control room or remote shutdown
workstation.
The plant control system contains nonsafety-related control and instrumentation equipment to
change reactor power, control pressurizer pressure and level, control feedwater flow, and perform
other plant functions associated with power generation. The plant control system is described in
subsections 7.1.3 and 7.7.1.
Diverse Actuation System
The diverse actuation system is a nonsafety-related, diverse system that provides an alternate
means of initiating reactor trip and actuating selected engineered safety features, and providing
plant information to the operator. The diverse actuation system is described in subsection 7.7.1.11.
Operation and Control Centers System
The operation and control centers system includes the main control room, the technical support
center, the remote shutdown workstation, emergency operations facility, local control stations and
associated workstations for these centers. With the exception of the control console structures, the
equipment in the control room is part of the other systems (for example, protection and safety
monitoring system, plant control system, data display and processing system).
The boundaries of the operation and control centers system for the main control room and the
remote shutdown workstation are the signal interfaces with the plant components. These interfaces
are via the plant protection and safety monitoring system processor and logic circuits, which
interface with the reactor trip and ESF plant components; the plant control system processor and
logic circuits, which interface with the nonsafety-related plant components; and the plant real-time
data network, which provides plant parameters, plant component status, and alarms.
Data Display and Processing System
The data display and processing system provides the equipment used for processing data that
result in nonsafety-related alarms and displays for both normal and emergency plant operations,
generating these displays and alarms, providing analysis of plant data, providing plant data
logging and historical storage and retrieval, and providing operational support for plant personnel.
The data display and processing system also contains the real-time data network, which is a
redundant data highway that links the elements of the AP1000 instrumentation and control
architecture.
Incore Instrumentation System
The primary function of the incore instrumentation system is to provide a three-dimensional flux
map of the reactor core. This map is used to calibrate neutron detectors used by the protection and
safety monitoring system, as well as to optimize core performance. A secondary function of the
incore instrumentation system is to provide the protection and safety monitoring system with the
thermocouple signals necessary for the post-accident inadequate core cooling monitor. The incore
instrument assemblies house both fixed incore flux detectors and core exit thermocouples. The
incore instrumentation system is described in subsection 4.4.6.1.
7.1.2 Protection and Safety Monitoring System
The protection and safety monitoring system is illustrated in Figure 7.1-2. The functions of the
protection and safety monitoring system are implemented in separate processor-based subsystems.
Each subsystem is located on an independent computer bus to prevent propagation of failures and
to enhance availability. In most cases, each subsystem is implemented in a separate card chassis.
Subsystem independence is maintained through the use of the following:
• Separate dc power sources for redundant subsystems with output protection to prevent
interaction between redundant subsystems upon failure of a subsystem.
• Separate input or output circuitry to maintain independence at the subsystem interfaces.
• Deadman signals: A device, circuit, or function that forces a predefined operating condition
upon the cessation of a normally dynamic input parameter to improve the reliability of
hard-wired data that crosses the subsystem interface.
• Optical coupling or resistor buffering between two subsystems or between a subsystem and
an input/output (I/O) module.
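The deadman signal in the list above is easiest to see in code. The following is an added example, not code from the AP1000 DCD, Common Q or Eagle: a receiving subsystem watches a heartbeat line that a healthy sender toggles every scan, and when the toggling stops for longer than a tolerated number of scans it forces a predefined safe value instead of trusting the data line, which may simply be stuck. The timeout, the safe state, the latch-until-reset behaviour and the scan trace are all constructed for the example; the DCD gives no such values.

```python
# Added example (not AP1000 DCD, Common Q or Eagle code): deadman supervision of a
# hard-wired signal that crosses a subsystem interface. A healthy source toggles a
# heartbeat line every scan; when the toggling stops for longer than a tolerated
# number of scans, the receiver forces a predefined safe value instead of trusting
# the (possibly stuck) data line. Timeout, safe state and the trace below are
# constructed for the example; the DCD gives no values.
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class DeadmanMonitor:
    timeout: int              # scans without a heartbeat transition tolerated (assumed value)
    safe_state: bool = False  # predefined condition forced once the source is declared dead
    _last_level: bool = field(default=False, init=False)
    _static_scans: int = field(default=0, init=False)
    _dead: bool = field(default=False, init=False)

    def sample(self, heartbeat: bool, data: bool) -> Tuple[bool, bool]:
        """Process one scan; return (value_to_use, source_healthy)."""
        if heartbeat != self._last_level:
            self._static_scans = 0          # transition seen: the source is alive
            self._last_level = heartbeat
        else:
            self._static_scans += 1
        if self._static_scans >= self.timeout:
            self._dead = True               # latched: forced until reset() (example choice)
        if self._dead:
            return self.safe_state, False
        return data, True

    def reset(self) -> None:
        """Explicit acknowledgement; only then is the data line trusted again."""
        self._dead = False
        self._static_scans = 0


def supervise(trace: List[Tuple[bool, bool]], timeout: int = 3) -> List[Tuple[bool, bool]]:
    """Run a whole scan trace of (heartbeat, data) pairs through one monitor."""
    mon = DeadmanMonitor(timeout=timeout)
    return [mon.sample(hb, data) for hb, data in trace]


# Constructed trace: four scans of healthy toggling, then the sending subsystem
# freezes with both lines stuck at their last values (the data line still reads True).
CONSTRUCTED_TRACE = [
    (True, True), (False, True), (True, True), (False, True),
    (False, True), (False, True), (False, True), (False, True),
]

if __name__ == "__main__":
    for scan, (value, healthy) in enumerate(supervise(CONSTRUCTED_TRACE)):
        print(f"scan {scan}: value={value} healthy={healthy}")
```

Without the heartbeat, a stuck line carrying a permissive is indistinguishable from a valid permissive; the dynamic input turns silence into a detectable failure that resolves toward the safe side, which is the independence property the list is after. The latch and the explicit reset are choices made for this example so that a briefly recovering source cannot clear the condition on its own.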
WCAP-13382 (Reference 2) provides a description of the Eagle hardware elements which
comprise the protection and safety monitoring system configuration for the AP600. WCAP-14080
(Reference 4) provides a description of the Eagle software architecture and operation for the
AP600. The Eagle hardware and software described for the AP600 may be used for the AP1000;
alternatively, the AP1000 protection and safety monitoring system may be based on the Common
Qualified Platform described in References 8 and 13 and accepted in References 11, 14, and 16.
7.1.2.1 Plant Protection Subsystems
The plant protection subsystems contain the necessary equipment to perform the following
functions:
• Permit acquisition and analysis of the sensor inputs required for reactor trip and ESF
actuation calculations.
• Perform computation or logic operation on variables based on these inputs.
• Provide trip signals to the reactor trip switchgear and ESF actuation data to the ESF
coincidence logic, as required.
• Permit manual trip or bypass of each individual automatic reactor trip function and permit
manual actuation or bypass of each individual automatic ESF actuation function.
• Provide data to external systems.
• Provide redundancy for the reactor trips and ESF actuations.
• Provide isolation circuitry for control functions requiring input from sensors which are also
required for protection functions.
Figure 7.1-3A illustrates the plant protection subsystems for the Eagle I&C architecture.
Figure 7.1-3B illustrates the plant protection subsystems and the engineered safety features
coincidence logic for the Common Q architecture.
7.1.2.1.1 Reactor Trip Functions
The reactor trip functions are performed in two subsystems per division for accident protection.
The primary function of the reactor trip subsystems is to process input data and provide a partial
trip signal to the trip logic whenever the preset limit of each protection function is exceeded.
To perform the protective function calculations, the subsystems require data from field sensors
and manual inputs from the main control room. The results of the calculations drive the
corresponding partial trip circuitry of the reactor trip coincidence logic.
The reactor trip coincidence logic acts to initiate a reactor trip when a trip function in
two-out-of-four independent safety divisions is in a partial trip state. The reactor trip coincidence logic also
provides for the bypass of trip functions and safety divisions to accommodate tests and
maintenance. The overall system logic implemented by the reactor trip coincidence logic function
is discussed in subsection 7.1.2.9.
The reactor trip coincidence logic is composed of two primary functions:
• The bistable processing function provides partial trip/bypass status to the other divisions.
• The reactor trip coincidence logic performs the logic to combine the partial trip signals and
outputs a fail-safe trip signal to the reactor trip switchgear.
7.1.2.1.2 Reactor Trip Switchgear Interface
The final stage of the reactor trip coincidence logic provides the signal to energize the
undervoltage trip attachment on each of the two division reactor trip switchgear breakers. Loss of
the signal de-energizes the undervoltage trip attachments and results in the opening of the reactor
trip breakers. An additional external relay is de-energized with the loss of the signal. The normally
closed contacts of the relay energize the shunt trip attachments on each breaker at the same time
that the undervoltage trip attachment is de-energized. The reactor trip switchgear interface,
including the trip attachments and the external relay, is within the scope of the protection and
safety monitoring system. Separate outputs are provided for each breaker.
Testing of the interface allows trip actuation of the breakers by either the undervoltage trip
attachment or the shunt trip attachment.
Figure 7.1-4 illustrates the reactor switchgear and manual trip interface.
7.1.2.1.3 Manual Reactor Trip
A manual reactor trip can be accomplished from the main control room by redundant momentary
switches. The switches directly interrupt the power from the voting logic, actuating the
undervoltage and shunt trip attachments. Figure 7.1-4 illustrates the implementation of the manual
reactor trip function.
7.1.2.2 Engineered Safety Features Coincidence Logic
The ESF logic functions are also performed in two subsystems per division for more reliable
accident mitigation. The primary functions of the ESF coincidence logic are to process inputs,
calculate actuations, combine the automatic actuation with the manual actuation and manual
bypass data, and transmit the data to the ESF actuation subsystems. To perform the ESF logic
calculations, the subsystems require data from the plant protection subsystems, and also use
manual inputs from the main control room and the remote shutdown workstation.
The ESF coincidence logic performs the following functions:
• Receives bistable data supplied by the four divisions of the plant protection subsystems and
performs two-out-of-four voting on this data.
• Implements system-level logic and transmits the output to the ESF actuation subsystems for
ESF component actuation.
• Processes manual system-level actuation commands received from the main control room and
remote shutdown workstation.
Figure 7.1-5 illustrates the engineered safety features coincidence logic for the Eagle I&C
architecture. Figure 7.1-3B illustrates the plant protection subsystems and the engineered safety
features coincidence logic for the Common Q architecture.
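The voting rule shared by the reactor trip coincidence logic (subsection 7.1.2.1.1) and the ESF coincidence logic above, as an added example that is not code from the AP1000 DCD, Common Q or Eagle: four divisions each publish a partial-trip/bypass status for a protection function, two partial trips in independent divisions initiate the function, and a division taken out of service is removed from the vote so the remaining divisions vote two-out-of-three. The output is modelled as an energize-to-run signal, as described for the reactor trip switchgear interface: loss of the signal trips. The division labels A to D and the rule that only one division may be bypassed at a time are assumptions of this example.

```python
# Added example (not code from the AP1000 DCD, Common Q or Eagle): two-out-of-four
# coincidence voting with division bypass, as described for the reactor trip and
# ESF coincidence logic. Division labels and the one-bypass-at-a-time rule are
# assumptions of this example.
from dataclasses import dataclass
from typing import Dict, Iterable

DIVISIONS = ("A", "B", "C", "D")  # assumed labels for the four safety divisions


@dataclass(frozen=True)
class DivisionStatus:
    partial_trip: bool      # bistable output: the function's setpoint is exceeded in this division
    bypassed: bool = False  # division or channel out of service for test or maintenance


def statuses(tripped: Iterable[str] = (), bypassed: Iterable[str] = ()) -> Dict[str, DivisionStatus]:
    """Build the four-division status table from the sets of tripped and bypassed divisions."""
    tripped, bypassed = set(tripped), set(bypassed)
    unknown = (tripped | bypassed) - set(DIVISIONS)
    if unknown:
        raise ValueError(f"unknown division(s): {sorted(unknown)}")
    return {d: DivisionStatus(d in tripped, d in bypassed) for d in DIVISIONS}


def coincidence_trip(table: Dict[str, DivisionStatus], required: int = 2) -> bool:
    """True when at least `required` non-bypassed divisions are in partial trip.

    No bypass: 2oo4. One bypass: 2oo3 of the remaining divisions. A bypassed
    division's own partial trip does not count. More than one simultaneous
    bypass is refused (assumption of the example: the DCD text describes a
    single division or channel out of service).
    """
    if set(table) != set(DIVISIONS):
        raise ValueError("a status is required for every division")
    bypassed = [d for d, s in table.items() if s.bypassed]
    if len(bypassed) > 1:
        raise ValueError(f"only one division may be bypassed at a time: {bypassed}")
    votes = sum(1 for s in table.values() if not s.bypassed and s.partial_trip)
    return votes >= required


def undervoltage_coil_energized(table: Dict[str, DivisionStatus]) -> bool:
    """Fail-safe breaker interface: the undervoltage attachment is held energized
    only while no trip is voted; loss of the signal, whether from a voted trip
    or from a failed logic output, opens the breakers."""
    return not coincidence_trip(table)


if __name__ == "__main__":
    scenarios = {
        "no partial trips":            statuses(),
        "one division tripped":        statuses(tripped="A"),
        "two divisions tripped":       statuses(tripped="AC"),
        "A bypassed, B and C tripped": statuses(tripped="BC", bypassed="A"),
        "A bypassed and tripped, B tripped": statuses(tripped="AB", bypassed="A"),
    }
    for name, table in scenarios.items():
        print(f"{name:36s} trip={coincidence_trip(table)!s:5s} "
              f"coil energized={undervoltage_coil_energized(table)}")
```

Two properties are worth checking against the text. A bypass only removes a division from the count; the threshold of two independent divisions is never lowered, so a single bypassed or failed division can neither cause nor prevent a trip on its own. And because the breaker coil is energized to hold the rods, any loss of the logic output fails toward trip rather than toward a blocked protective function.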
7.1.2.3 Engineered Safety Features Actuation Subsystems
The ESF actuation subsystems provide a distributed interface between the plant operator and the
nonmodulating safety-related plant components. Nonmodulating control relates to the opening or
closing of solenoid valves and solenoid pilot valves, and the opening or closing of motor-operated
valves and dampers. The ESF actuation subsystems implement criteria established by the fluid
systems designers for permissive and interlock logic applied to the component actuations. They also
provide the plant operator with information on the equipment status, such as indication of
component position (full closed, full open, valve moving), component control modes (manual,
automatic, local, remote) or abnormal operating condition (power not available, failure detected).
The ESF coincidence logic performs the appropriate voting operation on the bistable signals and
generates the system-level ESF logic commands including the system-level manual commands.
These system-level actuations are then sent to the ESF actuation subsystems. The ESF actuation
subsystems decode the system commands and actuate the final equipment through the interlocking
logic specific to each component. Component-level actuation signals are sent from the main
control room to the ESF actuation subsystems over redundant data highways. Component status is
transmitted from the ESF actuation subsystems to the main control room over the same redundant
data highways. Those components used for safe shutdown can also be controlled from the remote
shutdown workstation.
Figure 7.1-6 shows this redundant data highway for a single safety division for the Eagle I&C
architecture. Figure 7.1-3B includes the communication between the engineered safety features
coincidence logic and the engineered safety features actuation logic for the Common Q
architecture. Figure 7.1-9A illustrates the engineered safety features actuation logic for the Eagle
I&C architecture. Figure 7.1-9B illustrates the engineered safety features actuation logic for the
Common Q architecture.
7.1.2.4 Reactor Trip Switchgear
The reactor trip switchgear is used to initiate reactor shutdown. The reactor trip switchgear
connects the electrical motive power, supplied from motor-generator sets, to the rod control
system. The rod control system holds the control rods in position as long as electrical power is
available. When the protection and safety monitoring system senses that established limits for safe
operation of the plant have been, or are about to be, exceeded, a command is generated to
de-energize the undervoltage trip device and energize the shunt trip device in the reactor trip
switchgear breakers. This trips the breakers, disconnecting the power to the rod control system.
When power is removed, the control rods drop by gravity into the reactor core, initiating the
shutdown process.
The reactor trip switchgear is the final element in the protection and safety monitoring system
which operates for reactor trip. There are four redundant safety divisions, with each division
containing two circuit breakers of the reactor trip switchgear (eight breakers total). As illustrated
in Figure 7.1-7, the eight circuit breakers are arranged in a two-out-of-four logic configuration.
The reactor trip switchgear includes associated or ancillary equipment and internal busbars.
Breaker cells have steel barriers to completely encapsulate a breaker within its division and to
provide physical separation between the breakers in different divisions.
7.1.2.5 Qualified Data Processing Subsystems
The Qualified Data Processing Subsystem (QDPS), a subsystem of the PMS, provides
safety-related display of selected parameters in the control room.
The QDPS subsystems are a redundant configuration consisting of sensors, QDPS hardware, and
qualified displays.
The qualified data processing subsystems perform the following functions:
• Provide safety-related data processing and display
• Provide the operator with sufficient operational data to safely shut the plant down in the
event of a failure of the other display systems
• Provide qualified and nonqualified data to the real-time data network for use by other
systems in the plant
• Process data for main control room display, and to meet Regulatory Guide 1.97 requirements
• Provide data to the main control room, the remote shutdown workstation, the plant computer,
other nonsafety-related devices, and nonqualified emergency response facilities in
conformance with NUREG-0696
The QDPS hardware consists of safety-related modular data gathering units. The QDPS receives
inputs from process sensors and safety-related digital systems. The QDPS consolidates the input
data, performs conversions to process units, and formats the data for data link transmission.
Figure 7.1-8A illustrates the qualified data processing subsystem for the Eagle I&C architecture.
Figure 7.1-8B illustrates the qualified data processing subsystem for the Common Q architecture.
Power is provided to the QDPS from the Class 1E dc and UPS system for 72 hours after a loss of
all ac power (station blackout). After 72 hours, the ancillary diesel generators provide power for
the QDPS. The QDPS is a two-train subsystem (Divisions B and C). The PMS, including the
QDPS, is diverse from the Diverse Actuation System (DAS). Sensors are not shared between PMS
and DAS.
The RTS/ESFAS signals are processed by the Plant Protection Subsystem of the PMS. Within the
PMS, some sensors are shared between the Plant Protection Subsystem and QDPS. Shared sensors
are processed first by the QDPS because the QDPS will need this sensor for more than 24 hours
following a station blackout. Twenty-four-hour batteries power the Plant Protection Subsystem;
therefore, the Plant Protection Subsystem cannot be used for QDPS functions.
The typical input parameter for RTS/ESFAS is four-way redundant with one sensor for each of
the four divisions. If that parameter is also needed by QDPS, the B and C division sensors are
processed first by QDPS then sent to the Plant Protection Subsystem. The A and D division
sensors are not shared with QDPS and, thus, are processed directly by the Plant Protection
Subsystem. If an RTS/ESFAS parameter is not needed by QDPS or if it is not needed after
24 hours, it is processed directly by the Plant Protection Subsystem in all four divisions.
7.1.2.6 Main Control Room Multiplexers
The protection and safety monitoring system contains redundant multiplexers to provide a signal
path from the protection channels to safety operator modules in the main control room. One
redundant main control room multiplexer is associated with each of the four safety divisions. The
multiplexers provide for transmission of component-level manual actuation signals from the main
control room to the ESF actuation subsystems. The multiplexers also provide for transmission of
component status information from the ESF actuation subsystems to the main control room.
The multiplexers communicate with soft control devices or operator interface modules in the main
control room. Subsection 7.1.3.3 provides additional discussion of the operation of the soft control
devices. The transfer of control from the main control room to the remote shutdown workstation is
accomplished using transfer switches as described in subsection 7.4.3.
Various “handshaking” signals are implemented for requests and responses between the soft
controls and the multiplexers to verify the receipt and the validity of the messages.
7.1.2.7 Sensors
The protection and safety monitoring system monitors key variables related to equipment
mechanical limitations, and variables directly affecting the heat transfer capability of the reactor.
Some limits, such as the overtemperature ΔT setpoint, are calculated in the plant protection
subsystem from other parameters because direct measurement of the variable is not possible. This
subsection provides a description of the sensors which monitor the variables for the protection and
safety monitoring system. For convenience the discussions are grouped into the following
three categories:
• Process sensors
• Nuclear instrumentation detectors
• Status inputs from field equipment
The inputs described are those required to generate the initiation signals for the protective
functions. The use of each parameter is discussed in the sections that deal with each protective
function. For example, reactor trip is discussed in Section 7.2 and ESF actuation is described in
Section 7.3.
7.1.2.7.1 Process Sensors
The process sensors are devices which measure temperature, pressure, fluid flow, and fluid level.
Process instrumentation excludes nuclear and radiation measurements.
Additional information on these process variables is included as part of the description of each
process system provided in other chapters. The process variables measured by the protection and
safety monitoring system are listed in Sections 7.2, 7.3, and 7.5.
7.1.2.7.2 Nuclear Instrumentation Detectors
Three types of neutron detectors are used to monitor the leakage neutron flux from a completely
shutdown condition to 120 percent of full power. The power range channels are capable of
measuring overpower excursions up to 200 percent of full power.
The lowest range (source range) covers six decades of leakage neutron flux. The lowest observed
count rate depends on the strength of the neutron sources in the core and the core multiplication
associated with the shutdown reactivity. This generally is greater than two counts per second. The
next range (intermediate range) covers eight decades. Detectors and instrumentation are chosen to
provide overlap between the higher portion of the source range and the lower portion of the
intermediate range. The highest range of instrumentation (power range) covers approximately
two decades of the total instrumentation range. This is a linear range that overlaps the higher
portion of the intermediate range. The neutron detectors are installed in tubes located around the
reactor vessel in the primary shield. Detector types for these three ranges are:
• Source range – proportional counter or pulse fission chamber
• Intermediate range – pulse fission chamber
• Power range – uncompensated ionization chamber
7.1.2.7.3 Equipment Status Inputs
Some inputs to the protection system are not measurements of process or nuclear variables, but are
discrete indications of the status of certain equipment. Examples include manual switch positions,
contact status inputs, and indications provided by valve limit switches.
7.1.2.8 Communication Functions
The communication functions provide information from the plant protection subsystem, the ESF
coincidence logic, the ESF actuation subsystems, and the QDPS subsystems to external systems.
This includes outputs to the plant control system and the data display and processing system.
Isolation devices provide electrical isolation between the protection and safety monitoring system
and the external systems. The communication functions also provide soft control information from
the nonsafety system to the safety system for operator-initiated actuation and component control.
The communication functions are accomplished via channelized gateways as shown in
Figure 7.1-1.
The PMS Gateway interfaces the safety PMS to the nonsafety real-time data network, which
supports the remainder of the instrumentation and control system. The Gateway has two
subsystems. One is the safety subsystem that interfaces to the Plant Protection Subsystem, the
Engineered Safety Features Coincidence Logic, and the Qualified Data Processing Subsystem.
The other is the nonsafety subsystem that interfaces to the real-time data network. The two
subsystems are connected by a fiber-optic link that provides electrical isolation.
The primary flow of information between the two Gateway subsystems is from the safety
subsystem to the nonsafety subsystem. This information is a combination of plant process
parameter values and equipment status information. The information that flows from the nonsafety
subsystem to the safety subsystem is limited to the following:
• The safety and nonsafety subsystems exchange periodic low-level interface signals that the
communication controllers at each end of the link use to ensure that the link is functioning
properly. These signals are used only by the communication controllers and are not
propagated to the rest of the safety system. There is no application function in the safety
system that uses this information.
• The main control room and the remote shutdown workstation operator consoles are
nonsafety. The soft control inputs to the PMS from these locations are provided from the
nonsafety subsystem to the safety subsystem of the Gateway.
The gateway provides both electrical and communication isolation between the nonsafety systems
and the PMS. Other than the isolation function, the gateway is not required for any PMS safety
function. There is no potential signal from the nonsafety system that will prevent the PMS from
performing its safety functions.
Specifically, the Gateway will provide the following isolation features:
• Electrical isolation between the Class 1E and non-Class 1E ports of the Gateway, as required
by IEEE 603-1991 (Reference 1).
• Communication isolation between the Class 1E and non-Class 1E ports of the Gateway, as
envisioned by IEEE 7-4.3.2-1993, Annex G (Reference 15). This includes:
– Class 1E communications buffering circuits to process the low-level interface signals.
– Use of only simple connectionless protocols between the Class 1E and non-Class 1E
ports of the Gateway. (Connectionless protocols do not use connection
establishment/management/termination nor do they use acknowledgements/
negative-acknowledgements/retransmission.)
– Software within the Class 1E portion of the gateway will filter the incoming message
stream and accept only valid soft control commands from a predefined list of valid
commands. All other messages will be discarded.
Application software running in the safety system will ensure the functional independence of the
Class 1E functions from the soft control demands received from the nonsafety systems.
Specifically, the application software will provide the following features:
• In cases where a component is controlled by an automatic safety function, the PMS
application software will ensure that the automatic safety function and the Class 1E soft
controls both have priority over the non-Class 1E soft controls.
• In cases where a Class 1E component is not controlled by an automatic safety function, the
PMS application software will ensure that the Class 1E controls have priority over the
non-Class 1E soft controls.
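The two defensive behaviours described above, the Class 1E gateway software accepting only commands from a predefined list and the application software ranking non-Class 1E soft controls below automatic safety functions and Class 1E controls, can be sketched as follows. This is an added illustration, not Westinghouse or AP1000 code: the wire format, the component tags and the ordering between the automatic safety function and Class 1E soft control (the page only says both outrank non-Class 1E soft control) are assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Iterable, List, Optional

# Constructed allowlist of (component, action) pairs that the Class 1E software
# accepts as soft control commands.  Component tags are placeholders.
VALID_SOFT_CONTROLS = frozenset({
    ("VALVE-01", "OPEN"), ("VALVE-01", "CLOSE"),
    ("PUMP-01", "START"), ("PUMP-01", "STOP"),
})


class Source(IntEnum):
    """Demand sources; a larger value outranks a smaller one.  The page only
    states that the top two both outrank NON_1E_SOFT_CONTROL; the order
    between those two here is an assumption."""
    NON_1E_SOFT_CONTROL = 1     # MCR or remote shutdown workstation, via Gateway
    CLASS_1E_SOFT_CONTROL = 2   # safety-related manual controls
    AUTO_SAFETY_FUNCTION = 3    # automatic ESF actuation


@dataclass(frozen=True)
class Demand:
    component: str
    action: str
    source: Source


def filter_gateway_message(raw: bytes) -> Optional[Demand]:
    """Screen one message arriving from the nonsafety Gateway subsystem.

    Assumed wire format: ASCII "SC,<component>,<action>".  Anything that is
    not a well-formed command on the predefined list is discarded, which is
    how link-level traffic, malformed frames and unlisted actions are kept
    out of the application logic.
    """
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    fields = text.strip().split(",")
    if len(fields) != 3 or fields[0] != "SC":
        return None
    component, action = fields[1], fields[2]
    if (component, action) not in VALID_SOFT_CONTROLS:
        return None
    return Demand(component, action, Source.NON_1E_SOFT_CONTROL)


def accepted_demands(messages: Iterable[bytes]) -> List[Demand]:
    """Apply the filter to a message stream, dropping everything rejected."""
    return [d for d in map(filter_gateway_message, messages) if d is not None]


def arbitrate(component: str, demands: Iterable[Demand]) -> Optional[str]:
    """Pick the action applied to a component: the demand from the highest-
    priority source wins, so a non-Class 1E soft control can never override an
    automatic safety function or a Class 1E soft control."""
    relevant = [d for d in demands if d.component == component]
    if not relevant:
        return None
    return max(relevant, key=lambda d: d.source).action


if __name__ == "__main__":
    # Constructed sample traffic from the nonsafety side: a link-level
    # heartbeat, one listed command, an unlisted action, a non-ASCII frame
    # and a frame with too many fields.
    stream = [b"HB,0001\n", b"SC,VALVE-01,CLOSE\n", b"SC,VALVE-01,DELETE\n",
              b"\xff\xfe", b"SC,PUMP-01,START,EXTRA\n"]
    soft = accepted_demands(stream)
    auto = Demand("VALVE-01", "OPEN", Source.AUTO_SAFETY_FUNCTION)
    print(soft)                                  # only the CLOSE command survives
    print(arbitrate("VALVE-01", soft + [auto]))  # OPEN: the safety function wins
```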
Analog inputs required for both control and protection functions are processed independently with
separate input circuitry. The input signal is classified as safety-related and is, therefore, isolated in
the protection and safety monitoring system cabinet before being sent to the control system.
The plant protection and safety monitoring system also provides data to the plant control system
pertaining to signals calculated in the subsystems, and to the data display and processing system.
Non-process signals are also provided to external systems. The non-process outputs inform the
external systems of cabinet entry status, cabinet temperature, dc power supply voltages, and
subsystem diagnostic status. Cabinet temperature sensing does not affect the safety-related
function. The information is gathered for the sole purpose of analysis by external systems.
7.1.2.9 Fault Tolerance, Maintenance, Test, and Bypass
The protection and safety monitoring system provides a high degree of reliability and fault
tolerance. This capability is demonstrated by the following design features:
• Two-out-of-four coincidence logic on reactor trip and most ESF actuations provides that any
failure in a single protection channel or safety division cannot cause a spurious reactor trip or
spurious system-level ESF actuation. This same two-out-of-four logic also provides that any
failure in a single protection channel or safety division cannot prevent a required reactor trip
or system level ESF actuation from occurring. This provides tolerance against failures
ranging from the failure of a single instrument or component, to the complete failure of an
entire plant protection subsystem or ESF coincidence logic division.
• Reactor trip and ESF actuation logic reverts to two-out-of-three coincidence logic if one
channel is bypassed or in test. The protection and safety monitoring system logic does not
allow more than one channel to be placed in bypass simultaneously. Therefore a single failure
while in test cannot cause a spurious reactor trip or spurious system-level ESF actuation. This
same two-out-of-three logic also provides that any failure in a single protection channel or
safety division cannot prevent a required reactor trip or system-level ESF actuation from
occurring.
The bypass logic allows the system to meet the single failure criterion with one channel
bypassed for testing or maintenance.
• The reactor trip logic provided in the plant protection subsystem also processes the manual
system-level inputs involved in the reactor trip function. Section 7.2 provides further detail of
the manual trip function. The voting logic for reactor trip functions is contained within each
plant protection subsystem. The reactor trip breakers operate on a de-energize-to-trip
principle.
• ESF actuation logic is performed redundantly in the ESF coincidence logic. Redundant
subsystems perform this logic so that a component failure related to one subsystem cannot
affect the other redundant subsystem. The system-level actuation outputs are transmitted to
the ESF actuation subsystems. A single failure cannot prevent ESF actuation. Extensive error
checking is performed to minimize failures from causing spurious actuation.
• Component-level logic is performed within the ESF actuation hardware. The logic processors
are programmed to respond to actuation signals received from the protection and safety
monitoring system data highways. Failure of one data highway does not prevent
component-level actuations. Extensive error checking on the data highways is provided to
minimize data highway failures from generating spurious ESF component-level actuations.
During maintenance, these same features that provide for fault tolerance allow the system to
continue to operate with one channel or certain components out of service.
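The single-failure argument made for the two-out-of-four logic above, and its reversion to two-out-of-three with one channel bypassed, can be checked exhaustively in a few lines. This is an added illustration, not PMS code; the `enforce_limit` switch exists only to show what the one-bypass restriction protects against.

```python
from typing import Dict, Iterable

DIVISIONS = ("A", "B", "C", "D")


class BypassError(Exception):
    """Raised when a second channel would be placed in bypass."""


def vote(partial_trips: Dict[str, bool], bypassed: Iterable[str] = (),
         enforce_limit: bool = True) -> bool:
    """Return True when the coincidence logic demands a trip or actuation.

    partial_trips maps each division to its channel's partial trip output.
    bypassed lists divisions in bypass or test.  With none bypassed the vote
    is two-out-of-four; with one bypassed it reverts to two-out-of-three over
    the remaining divisions.  The PMS never permits a second bypass; pass
    enforce_limit=False only to see what that restriction protects against.
    """
    bypassed = set(bypassed)
    if not bypassed <= set(DIVISIONS):
        raise ValueError("unknown division in bypass list")
    if enforce_limit and len(bypassed) > 1:
        raise BypassError("only one channel may be bypassed at a time")
    active = [d for d in DIVISIONS if d not in bypassed]
    return sum(1 for d in active if partial_trips[d]) >= 2


def single_failure_tolerant(bypassed: Iterable[str] = (),
                            enforce_limit: bool = True) -> bool:
    """Check the two halves of the single-failure claim in 7.1.2.9.

    For every active division and each failure mode of its channel:
      - stuck "tripped" while the plant is normal must not trip (no spurious
        actuation), and
      - stuck "not tripped" while every healthy channel trips must still
        trip (no blocked actuation).
    Returns True only if both hold for every possible single failure.
    """
    bypassed = set(bypassed)
    active = [d for d in DIVISIONS if d not in bypassed]
    for failed in active:
        normal = {d: False for d in DIVISIONS}
        normal[failed] = True                       # channel fails "high"
        if vote(normal, bypassed, enforce_limit):
            return False                            # spurious trip
        demand = {d: True for d in DIVISIONS}
        demand[failed] = False                      # channel fails "low"
        if not vote(demand, bypassed, enforce_limit):
            return False                            # required trip blocked
    return True


if __name__ == "__main__":
    # No bypass and one bypass are tolerant; two bypasses (only reachable
    # with the limit disabled) are not, because the vote degrades to
    # two-out-of-two and one stuck-low channel can block a required trip.
    for state in ((), ("B",), ("A", "C")):
        limit = len(state) <= 1
        print(state, single_failure_tolerant(state, enforce_limit=limit))
```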
7.1.2.10 Isolation Devices
Isolation devices are used to maintain the electrical independence of divisions, and to prevent
interaction between nonsafety-related systems and the safety-related system.
Isolation devices are incorporated into selected interconnections to maintain division
independence. Isolation devices serve to prevent credible faults (such as open circuits, short
circuits, or applied credible voltages) in one circuit from propagating to another circuit.
7.1.2.11 Test Subsystem
The test subsystem provides a means of testing the operation of the protection and safety
monitoring system and verifying that the plant protection system setpoints are within the system
requirements. Each redundant subsystem is tested individually.
Testing from the sensor inputs of the protection and safety monitoring system through to the
actuated equipment is accomplished through a series of overlapping sequential tests with the
majority of the tests capable of being performed with the plant at full power. Where testing final
equipment at power would upset plant operation or damage equipment, provisions are made to test
the equipment at reduced power or when the reactor is shut down.
Each division of the protection and safety monitoring system is furnished with a test subsystem.
The test subsystem provides for verification of the accuracy of setpoints and other constants, and
verification that proper signals appear at other locations in the system.
Verification of the signal processing algorithms is made by exercising the test signal sources
(either by hardware or software signal injection) and observing the results up to, and including,
the attainment of a channel partial trip or actuation signal at the power interface. When required
for the test, the tester automatically places the voting logic associated with the channel function
under test in bypass.
The overlapping test sequence continues by inputting digital test signals at the output side of the
threshold functions, in combinations necessary to verify the voting logic. Some of the input
combinations to the coincidence logic cause outputs such as reactor trips and ESF initiation. The
reactor trip circuit breakers are arranged in a two-out-of-four logic configuration, such that the
tripping of the two circuit breakers associated with one division does not cause a reactor trip. This
circuit breaker arrangement is illustrated in Figure 7.1-7. To reduce wear on the breakers through
excessive tripping, and to avoid a potential plant trip resulting from a single failure while testing is
in progress, the test sequence is designed so that actual opening of the trip breakers is only
required when the breaker itself is being tested.
The test subsystem does not test the ESF actuators. This portion of the test may be accomplished
by using component-level actuation signals. For those final devices that can be operated at power,
without upsetting the plant or damaging equipment, the test is performed by actuating the manual
actuation control which causes the device to operate. Position switches on the device itself send a
signal back to the ESF actuation subsystem, where it is transmitted to the main control room for
display purposes. The display verifies that the manual command is successfully completed, thus
verifying operability of the final device. For those devices which cannot be tested at power
without damage or upsetting the plant, continuity of the wiring up to the actuation device is
verified. Operability of the final equipment is demonstrated at reduced power or at shutdown,
depending on the equipment.
In addition to the testing function, the tester subsystem monitors the failure and diagnostic
information from the subsystems during normal operation, thus enhancing system maintenance of
the protection system.
The test subsystem provides the operator interface used for testing and maintenance.
Figure 7.1-5 includes the test subsystem for the Eagle I&C architecture. Figure 7.1-11 illustrates
the test subsystem for the Common Q architecture.
7.1.2.12 Safety-Related Display Instrumentation
Safety-related display instrumentation provides the operator with information to determine the
effect of automatic and manual actions taken following reactor trip due to a Condition II, III, or IV
event as defined in Chapter 15. This instrumentation also provides for operator display of the
information necessary to meet Regulatory Guide 1.97. A description of the equipment used to
provide this function is provided in subsection 7.1.2.5. A description of the data provided to the
operator by this instrumentation is provided in Section 7.5.
7.1.2.13 Auxiliary Supporting Systems
The safety-related system equipment is supported by the supply of uninterruptible electrical
power. This electrical power is supplied by the Class 1E dc and UPS system discussed in
Chapter 8.
*NRC Staff approval is required prior to implementing a change in this information; see DCD Introduction Section 3.5.
7.1.2.14 Verification and Validation
[Adequacy of the hardware and software is demonstrated for the protection and safety monitoring
system through a verification and validation (V&V) program. Details on the verification and
validation program are provided in either WCAP-13383 (Reference 3) or CE-CES-195
(Reference 9).]* WCAP-13383 is an AP600 reference. CE-CES-195 is a Common Q document.
The software development process is consistent with the following standards:
• ANSI/IEEE ANS-7-4.3.2-1993; “IEEE Standard Criteria for Digital Computers in Safety
Systems of Nuclear Power Generating Stations”
• IEEE 828-1990; “IEEE Standard for Software Configuration Management Plans”
• IEEE 829-1983; “IEEE Standard for Software Test Documentation”
• IEEE 830-1993; “Recommended Practice for Software Requirements Specifications”
• IEEE 1012-1986; “IEEE Standard for Software Verification and Validation Plans”
• IEEE 1028-1988; “IEEE Standard for Software Reviews and Audits”
• IEEE 1042-1987; “IEEE Guide to Software Configuration Management”
7.1.2.14.1 Design Process
[WCAP-13383 provides a planned design process for hardware and software development during
the following life cycle stages:
• Design requirements phase
• System definition phase
• Hardware and software development phase
• System test phase
• Installation phase
WCAP-15927 (Reference 10), a Common Q document, also provides a planned design process
for hardware and software development during similar life cycle stages:
• Conceptual phase
• System definition phase
• Software design phase
• Hardware design phase
• Software implementation phase
• Hardware implementation phase
• System integration phase
• Installation phase
Depending on the protection and safety monitoring system hardware used for AP1000, either
WCAP-13383 or WCAP-15927 describe design processes that will be used for AP1000.]*
7.1.2.14.2 Commercial Dedication
[WCAP-13383 (Reference 3) and CENPD-396-P (Reference 8) provide for the use of commercial
off-the-shelf hardware and software through a commercial dedication process.]* Control of the
hardware and software during the operational and maintenance phase is the responsibility of the
Combined License applicant as described in subsection 13.5.1.
7.1.3 Plant Control System
The plant control system is a nonsafety-related system that provides control and coordination of
the plant during startup, ascent to power, power operation, and shutdown conditions. The plant
control system integrates the automatic and manual control of the reactor, reactor coolant, and
various reactor support processes for required normal and off-normal conditions. The plant control
system also provides control of the nonsafety-related decay heat removal systems during
shutdown. The plant control system accomplishes these functions through use of the following:
• Rod control
• Pressurizer pressure and level control
• Steam generator water level control
• Steam dump (turbine bypass) control
• Rapid power reduction
The plant control system provides automatic regulation of reactor and other key system parameters
in response to changes in operating limits (load changes). The plant control system acts to
maximize margins to plant safety limits and maximize the plant transient performance. The plant
control system also provides the capability for manual control of plant systems and equipment.
Redundant control logic is used in some applications to increase single-failure tolerance.
The plant control system includes the equipment from the process sensor input circuitry through to
the modulating and nonmodulating control outputs as well as the digital signals to other plant
systems. Modulating control devices include valve positioners, pump speed controllers, and the
control rod equipment. Nonmodulating devices include motor starters for motor-operated valves
and pumps, breakers for heaters, and solenoids for actuation of air-operated valves. The plant
control system cabinets contain the process sensor inputs and the modulating and nonmodulating
outputs. The plant control system also includes equipment to monitor and control the control rods.
The functions of the plant control system are performed by system assemblies including:
• Distributed controllers
• Signal selector algorithms
• Operator controls and indication
• Real-time data network
• Rod control system
• Rod position indication
• Rod drive motor-generator sets
Figure 7.1-10 provides an illustration of the plant control system.
7.1.3.1 Distributed Controllers
Each distributed controller processes inputs, performs system-level and component-level control
calculations, provides capability for an operator interface to the controlled components, transmits
control signals to discrete, modulating, and networked interfaced control components, and
provides plant status and plant parameter information to the real-time data network.
The distributed controllers receive process inputs and implement the system-level logic and
control algorithms appropriate for the plant operating mode. The distributed controllers receive
process inputs from, and transmit process control outputs to, the actuated components. The
distributed controller also transmits and receives process signals via the real-time data network.
The real-time data network also provides for two-way communication between the distributed
controllers and between the distributed controllers and the main control room and remote
shutdown workstation.
Control functions are distributed across multiple distributed controllers so that single failures
within a controller do not degrade the performance of control functions performed by other
controllers. The major control functions which are implemented in different distributed controllers
include reactor power control, feedwater control, pressurizer control, and turbine control.
7.1.3.2 Signal Selector Algorithms
Signal selector algorithms provide the plant control system with the ability to obtain inputs from
the protection and safety monitoring system. The signal selector algorithms select those protection
system signals that represent the actual status of the plant and reject erroneous signals. Therefore,
the control system does not cause an unsafe control action to occur even if one of four redundant
protection channels is degraded by random failure simultaneous with another of the four channels
bypassed for test or maintenance.
Each signal selector algorithm receives data from each of the redundant divisions of the protection
and safety monitoring system. The data is received from each division through an isolation device.
The signal selector algorithms provide validated process values to the plant control system. They
also provide the validation status, the average of the valid process values, the number of valid
process values, an alarm (if one process value has been rejected), and another alarm (if two
process values have been rejected).
For the logic values received from the protection and safety monitoring system, such as
permissives, the signal selector algorithms perform voting on the logic values to provide a valid
logic value to the plant control system. They also provide the validation status, the number of
valid logic values, an alarm if one logic value differs from the voted value, and another alarm if
two logic values differ from the voted value.
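The two selector behaviours just described, validation of an analog parameter with the average of the valid values and the one-rejected/two-rejected alarms, and majority voting of a logic value with the one-differs/two-differ alarms, are worked through below on constructed inputs. This is an added illustration, not AP1000 plant control system code: the acceptance band, the minimum of two agreeing values, and holding the previous value on a tie are assumptions, since the page gives no numbers for them.

```python
from dataclasses import dataclass
from statistics import median
from typing import Dict, Optional

# Assumed acceptance band: a value farther than this fraction of the median
# from the median is rejected.  The page gives no number.
TOLERANCE = 0.02
MIN_VALID = 2   # assumed: fewer agreeing values than this cannot be validated


@dataclass
class AnalogResult:
    value: Optional[float]   # validated process value, or None if invalid
    status: str              # "VALID" or "INVALID"
    valid_count: int
    one_rejected: bool       # first alarm
    two_rejected: bool       # second alarm


def select_analog(inputs: Dict[str, Optional[float]]) -> AnalogResult:
    """Validate one process parameter from up to four protection divisions.

    inputs maps division -> value, with None where that division is bypassed
    or its isolation device delivers no data.  Values that disagree with the
    median of those present are rejected; the average of the survivors is
    the value passed to the control system.
    """
    present = {d: v for d, v in inputs.items() if v is not None}
    if not present:
        return AnalogResult(None, "INVALID", 0, False, False)
    ref = median(present.values())
    band = TOLERANCE * max(abs(ref), 1e-9)
    valid = [v for v in present.values() if abs(v - ref) <= band]
    rejected = len(present) - len(valid)
    status = "VALID" if len(valid) >= MIN_VALID else "INVALID"
    value = sum(valid) / len(valid) if status == "VALID" else None
    return AnalogResult(value, status, len(valid), rejected == 1, rejected >= 2)


@dataclass
class LogicResult:
    value: Optional[bool]
    status: str
    valid_count: int
    one_differs: bool        # first alarm
    two_differ: bool         # second alarm


def select_logic(inputs: Dict[str, Optional[bool]],
                 previous: Optional[bool] = None) -> LogicResult:
    """Majority-vote a logic value (for example a permissive) across divisions.

    On a tie, or with no data at all, the previous voted value is held and
    the result is flagged INVALID (holding the last value is an assumption).
    """
    present = {d: v for d, v in inputs.items() if v is not None}
    trues = sum(1 for v in present.values() if v)
    n = len(present)
    if trues * 2 > n:
        voted, status = True, "VALID"
    elif trues * 2 < n:
        voted, status = False, "VALID"
    else:
        voted, status = previous, "INVALID"
    differing = 0 if voted is None else sum(1 for v in present.values() if v != voted)
    return LogicResult(voted, status, n, differing == 1, differing >= 2)


if __name__ == "__main__":
    # Constructed case from 7.1.3.2: division D bypassed for test while the
    # division C sensor has failed high (a pressure in psig, assumed).
    print(select_analog({"A": 2250.0, "B": 2251.0, "C": 2400.0, "D": None}))
    # A permissive where one division disagrees with the other three.
    print(select_logic({"A": True, "B": True, "C": False, "D": True}))
```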
7.1.3.3 Operator Controls and Indication
The plant control operator interface is a set of soft control devices that replace conventional
switch/light or potentiometer/meter assemblies used for operator interface with control systems.
These soft control devices provide consistent operator interfaces for the plant control system. The
soft controls are located on each operator workstation and the remote shutdown workstation. Each
soft control device can control safety-related and nonsafety-related equipment.
The implementation of the soft controls is consistent with the following functional requirements:
• The soft control function does not affect the electrical or functional isolation of the
safety-related and nonsafety-related equipment. This isolation is maintained upon a single
failure of any equipment performing or supporting the soft control function.
• Failure of the operator displays does not prevent an operator from being able to safely
shut down the plant.
When the operator desires to operate a component, the graphical operator display which is
indicating the component status is presented on the operator control console. This results in a
message being sent to the soft control device. The soft control device then displays the appropriate
control template. The operator then selects the desired control action on the template. After the
operator verifies that the desired control action is properly selected, the operator then actuates the
control action, causing the selected control action to be transmitted to the control device.
7.1.3.4 Real-Time Data Network
The real-time data network is a redundant data highway that supports both periodic and aperiodic
data transfers of nonsafety-related signals and data. Periodic transfers consist of process data that
is broadcast over the network at fixed intervals and is available to all destinations. Aperiodic data
transfer is generally used for messages or file transfers.
The real-time data network provides communications among the distributed controllers, the plant
protection and safety monitoring system gateways, the incore instrumentation, and the special
monitoring system.
7.1.3.5 Rod Control System
The primary means of regulating the reactor power and power distribution is to position clusters of
control rods in the reactor core using the rod control system.
The control rods are moved into and out of the reactor core by means of electromagnetic jacking
mechanisms, called control rod drive mechanisms, located on the reactor vessel head. Each control
rod drive mechanism consists of two gripper mechanisms, one stationary and one movable, that
hold a notched driveline attached to the upper end of the control rod. The grippers and the lift
armature are controlled by coils mounted external to the mechanism, concentric with the rod
driveline. By controlling the sequence of energizing these coils, the mechanism can be made to
step into, or out of, the reactor in increments. The rod control equipment provides this sequence
control.
20. 7. Instrumentation and Controls AP1000 Design Control Document
Tier 2 Material 7.1-20 Revision 14
The control rods are arranged into symmetrical groups. The groups of control rods are divided into
two categories: shutdown rods that are normally held fully withdrawn from the reactor, and
control rods that are positioned to some intermediate insertion. In addition, there is a subcategory
of control rods (low worth gray rods). If a rapid shutdown is necessary, the control, shutdown, and
gray rods are dropped into the reactor by de-energizing their drive mechanisms.
Interlocks are provided to prevent the motion of the control rods outside of planned sequences.
7.1.3.6 Rod Position Indication
The position of each control rod is continuously monitored by the rod position indication system.
Rod position is detected by the rod position detector assemblies. The signals from the detectors
are processed by the data cabinets and transmitted to the distributed controllers, which further
process the rod position information and transmit it to the real-time data network.
7.1.3.7 Rod Drive Motor-Generator Sets
The rod drive motor-generator sets provide the power to the control rod drive mechanisms through
the reactor trip switchgear. The rod drive motor-generator sets are included in the plant control
system. The safety-related reactor trip switchgear is included in the plant protection and safety
monitoring system.
There are two motor-generator sets with flywheels and one control cabinet. Each motor-generator
set consists of a three-phase induction motor direct-coupled to a flywheel and a synchronous
alternator. During normal operation, both motor-generator sets operate in parallel and share the
total load demand equally. Each motor-generator set is capable of supplying the entire load when
the other set is out of service.
7.1.4 Identification of Safety Criteria
7.1.4.1 Conformance of the Safety System Instrumentation to Applicable Criteria
The safety-related system instrumentation described in subsection 7.1.1 is designed and built to
conform to the applicable criteria, codes, and standards concerned with the safe generation of
nuclear power. Applicable General Design Criteria are listed in Section 3.1, NRC Regulatory
Guides in subsection 1.9.1, and Branch Technical Positions in subsection 1.9.2. Industry
Standards are cited as references.
The instrumentation and control portion of the safety-related system meets the requirements of
IEEE 603-1991 as discussed in WCAP-15776 (Reference 12). In that report the topics are listed in
the same order as they appear in Sections 4 through 8 of IEEE 603-1991. IEEE 603 provides the
design bases of the instrumentation and control portion of the safety system. Other criteria related
to the IEEE 603-1991 requirements are also identified.
7.1.4.2 Conformance With Industry Standards
The instrumentation and control systems are designed in accordance with guidance provided in
applicable portions of the following standards. The portions of the standards which are considered
to be applicable are the portions of the standards which apply to instrumentation and control
systems performing protection and control functions in an industrial environment:
• IEEE 323-1974; “IEEE Standard for Qualifying Class 1E Equipment for Nuclear Power
Generating Stations”
• IEEE 344-1987; “IEEE Recommended Practice for Seismic Qualification of Class 1E
Equipment for Nuclear Power Generating Stations”
• IEEE 379-2000; “IEEE Standard Application of the Single-Failure Criterion to Nuclear
Power Generating Station Safety Systems”
• IEEE 383-1974; “IEEE Standard for Type Test of Class 1E Electric Cables, Field Splices, and
Connections for Nuclear Power Generating Stations”
• IEEE 384-1981; “IEEE Standard Criteria for Independence of Class 1E Equipment and
Circuits”
• IEEE 420-1982; “IEEE Standard for the Design and Qualification of Class 1E Control
Boards, Panels, and Racks Used in Nuclear Power Generating Stations”
• IEEE 603-1991; “IEEE Standard Criteria for Safety Systems for Nuclear Power Generating
Stations”
• IEEE 627-1980; “IEEE Standard for Design Qualification of Safety Systems Equipment
Used in Nuclear Power Generating Stations”
• IEEE 1050-1996; “IEEE Guide for Instrumentation and Control Equipment Grounding in
Generating Stations”
• IEEE 1074-1995; “IEEE Standard for Developing Software Life Cycle Processes”
• EPRI TR-102323, Revision 1, “Guidelines for Electromagnetic Interference Testing in Power
Plants”
7.1.5 AP1000 Protective Functions
Protective functions are those necessary to achieve the system responses assumed in the safety
analyses, and those needed to shut down the plant safely. The protective functions are grouped
into two classes, reactor trip and ESF actuation. The software associated with these functions is
considered a basic component as defined in 10 CFR 21 (Reference 6).
Reactor trip is discussed in Section 7.2. ESF actuation is discussed in Section 7.3.
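The channel bistables and coincidence logic blocks named in Figure 7.1-3B, modelled for one protective parameter across the four divisions, as an added illustration that is not AP1000 or Westinghouse code. A channel with no valid reading is treated as tripped so that a failed sensor or lost link moves the vote toward the safe state; the division names, the setpoint and sample readings, and the two-out-of-four vote are assumptions for the example, since this section does not state the voting arrangement.

```python
"""Illustrative channel bistables feeding m-out-of-n coincidence logic.

Added example, not AP1000 or Westinghouse code. Division names, setpoint,
sample readings and the 2-out-of-4 default are assumptions for illustration.
"""
from typing import Optional

DIVISIONS = ("A", "B", "C", "D")  # four redundant divisions (assumed names)


def bistable(value: Optional[float], setpoint: float, high: bool = True) -> bool:
    """One channel's bistable: True means a partial-trip demand.

    A channel with no valid reading (None) is treated as tripped, so a failed
    sensor or lost link pushes the vote toward the safe state rather than away
    from it (fail-safe assumption made for this example).
    """
    if value is None:
        return True
    return value > setpoint if high else value < setpoint


def coincidence(partial_trips: dict, m: int = 2) -> bool:
    """m-out-of-n coincidence: trip when at least m divisions demand it."""
    return sum(1 for d in DIVISIONS if partial_trips[d]) >= m


def evaluate(readings: dict, setpoint: float, high: bool = True, m: int = 2) -> dict:
    """Evaluate one protective parameter across all divisions.

    A division missing from `readings` is treated like an invalid reading.
    """
    partial = {d: bistable(readings.get(d), setpoint, high) for d in DIVISIONS}
    return {"partial_trips": partial, "trip": coincidence(partial, m)}


# Constructed sample cases for a high-setpoint parameter (assumed units).
SETPOINT = 100.0
CASES = {
    # all channels below setpoint: no demand
    "normal": {"A": 90.0, "B": 91.0, "C": 89.5, "D": 90.5},
    # a single channel reading high on its own does not trip (single-channel fault)
    "one_high": {"A": 105.0, "B": 91.0, "C": 89.5, "D": 90.5},
    # two independent channels agree: trip
    "two_high": {"A": 105.0, "B": 106.0, "C": 89.5, "D": 90.5},
    # one channel high and one channel failed: the failed channel counts as tripped
    "one_high_one_failed": {"A": 105.0, "B": None, "C": 89.5, "D": 90.5},
}


def run_cases() -> dict:
    """Trip decision for each constructed case."""
    return {name: evaluate(r, SETPOINT)["trip"] for name, r in CASES.items()}


if __name__ == "__main__":
    for name, tripped in run_cases().items():
        print(f"{name:22s} trip={tripped}")
```

Worth noting from the cases: a single spurious channel cannot by itself actuate, but a single failed channel halves the margin to actuation, which is why the bypass and test handling of a channel matters as much as the setpoint itself.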
*NRC Staff approval is required prior to implementing a change in this information; see DCD Introduction Section 3.5.
7.1.6 Combined License Information
Combined License applicants referencing the AP1000 certified design will provide a calculation
of setpoints for protective functions consistent with the methodology presented in Reference 5.
Reference 5 is an AP600 document that describes a methodology that is applicable to AP1000.
AP1000 has some slight differences in instrument spans.
Combined License applicants referencing the AP1000 certified design will provide resolution for
generic open items and plant-specific action items resulting from NRC review of the I&C
platform. This will include definition of a methodology for overall response time testing.
7.1.7 References
1. IEEE 603-1991, “IEEE Standard Criteria for Safety Systems for Nuclear Power Generating
Stations.”
2. WCAP-13382 (Proprietary) and WCAP-13391 (Non-Proprietary), “AP600 Instrumentation
and Control Hardware Description,” May 1992.
[3. WCAP-13383, Revision 1 (Non-Proprietary), “AP600 Instrumentation and Control
Hardware and Software Design, Verification, and Validation Process Report,” June 1996.]*
4. WCAP-14080 (Proprietary) and WCAP-14081 (Non-Proprietary), “AP600 Instrumentation
and Control Software Architecture and Operation Description,” June 1994.
[5. WCAP-14605 (Proprietary) and WCAP-14606 (Non-Proprietary), “Westinghouse Setpoint
Methodology for Protection Systems, AP600,” April 1996.]*
6. 10 CFR 21, “Reporting of Defects and Noncompliance.”
7. WCAP-15775, Revision 2, “AP1000 Instrumentation and Control Defense-in-Depth and
Diversity Report,” March 2003.
[8. CENPD-396-P, Rev. 01 (Proprietary), “Common Qualified Platform,” May 2000 and
WCAP-16097-NP-A (Non-Proprietary), May 2003.]*
[9. CE-CES-195, Rev. 01, “Software Program Manual for Common Q Systems,” May 26, 2000.]*
[10. WCAP-15927, Rev. 0, “Design Process for AP1000 Common Q Safety Systems,” August 2002.]*
11. ML003740165, “Acceptance for Referencing of Topical Report CENPD-396-P, Rev. 01,
‘Common Qualified Platform’ and Appendices 1, 2, 3 and 4, Rev. 01 (TAC No. MA1677),”
August 11, 2000.
12. WCAP-15776, “Safety Criteria for the AP1000 Instrument and Control Systems,”
April 2002.
13. CENPD-396-P, Appendix 4, Rev. 02 (Proprietary), “Common Qualified Platform Integrated
Solution,” April 2001 and WCAP-16097-NP-A, Appendix 4 (Non-Proprietary), May 2003.
14. ML011690170, “Safety Evaluation for the Closeout of Several of the Common Qualified
Platform Category 1 Open Items Related to Reports CENPD-396-P, Revision 1 and
CE-CES-195, Revision 1 (TAC No. MB0780),” June 22, 2001.
15. IEEE 7-4.3.2-1993, “IEEE Standard Criteria for Digital Computers in Safety Systems of
Nuclear Power Generating Stations.”
16. ML0305507760, “Acceptance of the Changes to Topical Report CENPD-396-P, Rev. 01,
‘Common Qualified Platform,’ and Closeout of Category 2 Open Items (TAC
No. MB2553),” February 24, 2003.
Figure 7.1-1
Instrumentation and Control Architecture
Figure 7.1-2
Protection and Safety Monitoring System
Figure 7.1-3A
Plant Protection Subsystem (Eagle Platform)
[Block diagram. Blocks shown: field sensors and in-containment sensors; NIS detectors with power supplies and pre-amplifiers in the nuclear instrumentation cabinet; signal conditioning and A/D conversion; algorithms and channel bistables (1) and (2); reactor trip and engineered safety features actuation coincidence logic (1) and (2); ESF actuation subsystem; reactor trip switchgear; hard-wired manual controls; qualified data processing system; redundant safety system network; fiber-optic links to divisions B, C and D; splitter/isolator to non-safety control.]
Figure 7.1-3B
Plant Protection Subsystem and Engineered Safety Features
Coincidence Logic (Common Q Platform)
Figure 7.1-4
Reactor Trip Switchgear and Manual Trip Interface
Figure 7.1-5
Engineered Safety Features Coincidence Logic
(Eagle Platform)
Figure 7.1-6
Protection Logic Communication Diagram
(Eagle Platform)
Figure 7.1-7
Reactor Trip Switchgear Configuration
Figure 7.1-8A
Qualified Data Processing Subsystem
(Eagle Platform – Channels B&C Only)
[Block diagram. Blocks shown: field sensors and in-containment sensors; nuclear instrumentation signals; signal conditioning and A/D conversion; algorithms; redundant safety system network; flat panel display interface and flat panel display.]
Figure 7.1-8B
Qualified Data Processing Subsystem
(Common Q Platform – Channels B&C Only)
Figure 7.1-9A
Engineered Safety Features Actuation Subsystem
(Eagle Platform)
[Block diagram. Blocks shown: coincidence logic 1 and coincidence logic 2; component level logic (combination of automatic and MCR/RSW manual signals); component interface modules; commands/feedback to switchgear, motor control centers and final devices; local controls and interlock; sequence of events recorder.]
Figure 7.1-9B
Engineered Safety Features Actuation Subsystem
(Common Q Platform)
Figure 7.1-10
Plant Control System
[Block diagram. Blocks shown: interface and test processors (1) and (2); redundant safety system network; maintenance and test panel with flat panel display; main control room safety panel with multichannel flat panel displays; fiber-optic links; fiber-optic link to non-safety control.]
Figure 7.1-11
Maintenance and Test Subsystem
(Common Q Platform)