PROGRAMA DE ENGENHARIA NUCLEAR - COPPE/UFRJ
Ilha do Fundão - Centro de Tecnologia - Bl. G - S/tQt
CP. 61509 - CEP 21945 - Rio de Janeiro - RJ - Brasil
A NEW CONCEPT OF SAFETY PARAMETER
DISPLAY SYSTEM
AQUILINO SENRA MARTINEZ
LUIZ FERNANDO SEIXAS DE OLIVEIRA
ROBERTO SCHIRRU
ZIELI DUTRA THOMÉ
RONALD ARAÚJO DA SILVA
JUL/86 - PEN-138
Presented to Seminar on Nuclear Engineering in Latin America. Sponsored by Latin American Section of the American Nuclear Society - Mexico City - July 14-16, 1986.
AQUILINO SENRA MARTINEZ
LUIZ FERNANDO SEIXAS DE OLIVEIRA
ROBERTO SCHIRRU
ZIELI DUTRA THOMÉ
PROGRAMA DE ENGENHARIA NUCLEAR
COPPE/UFRJ
and
RONALD ARAÚJO DA SILVA
DEPARTAMENTO DE COMBUSTÍVEL E SEGURANÇA NUCLEAR
FURNAS CENTRAIS ELÉTRICAS S.A.
PRINCIPAL INVESTIGATORS
ABSTRACT
This paper presents a general description of the
ANGRA-1 Parameters Display System (SSPA), a real-time, on-line
computerized monitoring system for the parameters related
to the power plant safety. The main purpose of this system is to
diminish the load on the ANGRA-1 power plant operators during an
emergency event by supplying them with additional tools
that serve as the basis for a prompt identification of the
accident.
The SSPA is a kind of safety parameter display
system, a concept introduced after the Three Mile Island
accident in the USA. The SSPA comprises two nuclear applications
that are considered independently. They are included in the Parameters
Monitoring Integrated System (SIMP) and the Safety Critical
Function System (SFCS).
INDEX
- ABSTRACT
1. INTRODUCTION
2. GENERAL DESCRIPTION OF ANGRA-1 PARAMETERS DISPLAY SYSTEM
3. PARAMETERS MONITORING INTEGRATED SYSTEM
4. SAFETY CRITICAL FUNCTIONS SYSTEM
5. CONCLUSIONS
REFERENCES
1. INTRODUCTION
Angra-1 Parameters Display System (SSPA) is a real-time
computerized monitoring system for the parameters essential
to determine the power plant safety status in case of emergency,
as well as to closely follow its normal operation.
This system shall also indicate the operational procedures required
for restoring the power plant to normal operating conditions
whenever a transient arises that threatens its safety.
Historically, the operators' performance in the
event of an accident, and the resulting change in power plant
condition, has basically depended on the operators' capacity both to
correctly identify the circumstances causing such an event and to
perform the tasks appropriate to recover from it. This capacity depends
on a series of factors, such as training, control room layout,
adequately written emergency procedures, and many others. If
the operators arrive at a wrong diagnosis of the basic causes of the
transient, their subsequent action (or inaction) may potentially cause
the power plant safety condition to deteriorate, thus transforming
a simple operational incident into an accident of large proportions.
Several commissions in charge of investigating the
1979 accident at Three Mile Island (TMI) in the USA paid special
attention to the role performed by the operators, as well as to
the instruments available in the control room during the accident.
The adequacy of the number of monitored parameters, the instruments'
accuracy and reliability, the effectiveness of the several indicators,
as well as the presence of dispersion factors were adequately
analysed. The unanimous conclusion was that the deficiency in the
instrumentation system and in the power plant emergency operational
procedures significantly contributed to render the accident even
more serious. The TMI events clearly showed [1] that the large amount
of alarms and monitored parameters spread around the control room,
following no definite hierarchic structure (among them), led the
operators to make a wrong decision.
Therefore, there was a compelling necessity to
diminish the load on the operators during an emergency event by
supplying them with additional tools that serve as the basis for
a prompt identification of the transient's nature. This would
make it easier to return the power plant to its normal operating
condition.
The SSPA objective consists not only in filling the
necessity identified above but also in supplying ANGRA-1 operators
with an integrated view of the values of a set of parameters capable
of reflecting any deviation from the power plant normal operation.
This system supplies integrated and structured
information, transmitted graphically to the operators by means of
high resolution color monitors. The general description contained
in this article indicates that the system reflects the state of
the art in man-machine interfaces for power
plant control rooms. It has an entirely redundant hardware
configuration and highly structured, modular software,
thus proving to be a system with a high level of reliability.
2. GENERAL DESCRIPTION OF ANGRA-1 PARAMETERS DISPLAY SYSTEM
Angra-1 Parameters Display System (SSPA) comprises
two nuclear applications that are considered independently. In view of this
fact, SSPA was divided into the Parameters Monitoring Integrated
System (SIMP) and the Safety Critical Function System (SFCS). The
latter system operates exclusively during abnormal power plant
operation.
To support the nuclear applications, the
SSPA software/hardware project includes a computer environment
designed to meet the following requirements. Nuclear
applications are processed in real time, the data base is
updated every two seconds, the CPU bus comprises at
least 32 bits, and memory capacity exceeds 8Mb per CPU.
Besides the sensor signal validity check performed at
data acquisition, SSPA comprises a routine for validating the
coherence between redundant signals in the data base. The generated
data base is available for common use by both SFCS and SIMP, and
can be accessed by an independent type of application
software.
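One way such a coherence routine can work, shown as an added example (not SSPA code and not taken from the paper): each scan carries the redundant channels of a parameter with their acquisition validity flag, and the routine stores one value plus a quality label in the shared data base. The tags, values, tolerance and quality labels are constructed assumptions.

```python
from statistics import median

# Constructed sample scan: redundant channels per parameter as
# (value, acquisition_valid) pairs. Tags, values and the tolerance are
# illustrative assumptions, not Angra-1 data.
SAMPLE_SCAN = {
    "SG1_LEVEL": [(44.8, True), (45.1, True), (61.0, True)],  # one channel drifts
    "SG2_LEVEL": [(50.2, True), (0.0, False), (50.0, True)],  # one failed at acquisition
    "RCS_PRESS": [(150.0, True), (158.0, True)],              # the two channels disagree
}

def validate_redundant(channels, tolerance):
    """Return (value, quality, rejected_channel_indexes) for one parameter."""
    # Step 1: honour the validity flag set when the signal was acquired.
    live = [(i, v) for i, (v, ok) in enumerate(channels) if ok]
    rejected = [i for i, (_, ok) in enumerate(channels) if not ok]
    if not live:
        return None, "BAD", rejected
    if len(live) == 1:
        # A single survivor cannot be cross-checked against anything.
        return live[0][1], "SUSPECT", rejected
    # Step 2: coherence check against the median of the surviving channels.
    ref = median(v for _, v in live)
    coherent = [v for _, v in live if abs(v - ref) <= tolerance]
    rejected += [i for i, v in live if abs(v - ref) > tolerance]
    if len(coherent) < 2:
        # No two channels agree: publish the median but flag it.
        return ref, "SUSPECT", sorted(rejected)
    value = round(sum(coherent) / len(coherent), 2)
    quality = "GOOD" if len(coherent) == len(channels) else "DEGRADED"
    return value, quality, sorted(rejected)

def validate_scan(scan, tolerance=2.0):
    """Validate every parameter of one data base update cycle."""
    return {tag: validate_redundant(ch, tolerance) for tag, ch in scan.items()}

if __name__ == "__main__":
    for tag, result in validate_scan(SAMPLE_SCAN).items():
        print(tag, result)
```

Keeping the quality label next to the value lets every consumer of the shared data base see when a displayed number rests on fewer channels than designed.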
The SSPA computer environment shows a high level of
reliability and availability. These two factors are closely
associated with the system redundancy. The system requires a 99.92
availability. The project presupposes periodic tests performed to
allow the diagnosis and identification of component breakdown
or deterioration, so as to reach the demanded level of availability.
The output of most SSPA functions consists of a
display showing high resolution color graphics. This requirement
implies special attention to video terminal hardware and demands
software adequate for graphic processing. For some functions, the
SSPA application requires a conversational interaction with the
operator by using the console. The interaction is performed via
dedicated keys and/or interpretative texts.
ANGRA-1 Parameters Display System has a modular
structure. The displays integrating ANGRA-1
Parameters Display System (SSPA) are distributed into modules with the
objective of grouping those showing the same characteristics. The
criterion for module formation was based on the display
function, use and layout. Accordingly, the following modules were
defined:
1. Line Diagrams Module
2. Graphics Module
3. Pipe and Instrumentation Diagrams Module
4. Historical Record Module
5. Status Tree Module
6. Function Recovery Procedure Module
7. Listing Module
The displays of the modules listed above are
presented in color CRTs by request of the operator. A dedicated
keyboard console is used to call for the displays.
The Line Diagram Module comprises nine displays,
each one presenting seven line-disposed parameters and two extra
parameters (windows). The main target of the Line Diagrams Module
is to continuously monitor several parameter sets considered as
the most important during the power plant operation. The selection
of these parameters was based on a specific power plant system or
subsystem, or operating mode. Each set holds information sufficient
to detect any deviation from normal operating conditions, allowing
the operator to follow the tendency of the parameters presented.
Figure 1 shows one of the Line Diagrams Module displays. These
displays indicate the parameters, the instrument identification,
the actual value in digital and graphic forms, the setpoints, the
variation tendency and gradient.
The Graphics Module presents those graphics often
used during normal operation, as well as those called for during
emergency by function recovery procedures. All of the 15 on-line
displays present the actual value for the parameters related to
the graphic (e.g.: P x T, Nuclear Power x GV Level, GV Level x T,
etc.) and for some other parameter of related interest. Figure 2
exhibits one of the Graphics Module displays. This module was
designed for supplying the power plant operators on-line with
graphics often used during operation, either for checking the
variation of the parameters or for analysing the trends of such
variation.
The Pipe and Instrumentation Diagrams Module,
comprising a total of twenty five displays, presents the mimic
(or flow chart) of the ANGRA-1 power plant systems which are the most
important for normal operation and of those necessary during
emergency (safety systems). All of the displays monitor the power
plant system on-line, showing the position of some valves, the
status of some pumps, and the variable indicators, thus making
possible a faster evaluation of the system operation. Figure 3
presents a sample of the Pipe and Instrumentation Diagrams Module
displays.
[Display reproduced in Figure 1: SSPA Angra-1, "Diagrama de Barras - Secundário I" (bar diagram, secondary I). Bars shown for GV1 and GV2: narrow-range level (%), feedwater flow (t/h), steam outlet flow (t/h), pressure (kg/cm2 g) and blowdown flow (L/min), plus BAA suction pressure (kg/cm2).]
Figure 1. Line Diagram - Secondary I
[Display reproduced in Figure 2: SSPA Angra-1, "Curva de Capabilidade do Gerador" (generator capability curve). Horizontal axis: active power (MW); side fields for power factor, active power, reactive power (MVAR), current, excitation current and voltage (kV).]
Figure 2. Electric Generator Capability Curve.
[Display reproduced in Figure 3: SSPA Angra-1, "Sistema de Remoção de Calor Residual" (residual heat removal system), a mimic diagram with valve, pump and variable indicator fields.]
Figure 3. Residual Heat Removal System.
The Historical Record Module shows the time variation
of a set of parameters (each display presenting a top limit of four),
thus enabling the operator to follow the development of the
selected parameters by means of a listing specially designed for
this module. A specific set of previously selected parameters
composes the special displays of the Historical Record Module,
which dispense with the so-called listing display, thus accelerating
access during emergency.
The Status Tree Module presents six monitoring
displays for a set of parameters considered as fundamental for the
power plant safety, whose normal functioning guarantees the
integrity of the barriers preventing the release of radioactivity. The
displays are used in an emergency event when the power plant is
supposed to be shut down. Figure 4 shows one of the
Status Tree Module displays.
The Function Recovery Procedure Module presents the
texts of the eighteen procedures used during emergency
in order to recover a specific threatened function. These procedures
are presented in a special format so as to guide the operator
step by step.
The Listing Module describes all of the SSPA
variables, and identifies the parameter, the actual value, the
upper and lower limits and the variable unit. Besides presenting
all of the SSPA variables to the user, this module aims also at
allowing the variables selection and access to the Historical
Record Module.
[Display reproduced in Figure 4: SSPA Angra-1, SFCS status tree F-0.2 "Resfriamento do Núcleo" (core cooling), with SIM/NÃO (yes/no) branch points and status indicators for the other critical functions.]
Figure 4. Core Cooling.
3. PARAMETERS MONITORING INTEGRATED SYSTEM
The Parameters Monitoring Integrated System (SIMP)
consists of a set of modules meant for use during normal operation
at the Angra-1 power plant. This system is not intended to provide
all the information of the control room panel. Its main purpose is to
supply the minimum information set that allows the operator to
follow the power plant performance during normal operation. This
minimum set can be seen on CRTs in a logical and concise way. The
CRTs will be installed in the power plant control room.
The inclusion of the SIMP in the Angra-1 Parameters
Display System also serves the purpose of making the operator
acquainted with the SSPA. An important factor in the basic definition
of the SSPA project was that of determining how frequently the
system should be used. In spite of the large benefits of the
system during an emergency operation, the system should also
include a set of displays designed mainly for normal operation,
since this is the power plant condition most of the time. SIMP was
included in SSPA mainly due to its importance in the analysis and
detection of any abnormal event.
The SIMP displays for monitoring the parameters
were designed to be informative even if the power plant conditions
remain constant for a long period of time.
The Parameters Monitoring Integrated System is
composed of the following modules:
- Line Diagrams Module
- Graphics Module
- Historical Record Module
- Pipe and Instrumentation Diagrams Module
- Listing Module
4. SAFETY CRITICAL FUNCTIONS SYSTEM
The conception of the Safety Critical Functions System
(SFCS) is based on real-time computerized monitoring of a set of
functions named safety critical functions, which are specified in
the well known Emergency Response Guidelines [2].
The SFCS objectives consist in providing the
operator:
- a continuous evaluation of the power plant
safety under emergency conditions, through real
time monitoring of the logical parameters set
(status tree).
- a sequential classification of the actions to be
performed by the operator in emergency events.
- the emergency procedures necessary to bring the
power plant back to safety condition.
- auxiliary elements to help the operator not only
to perform his task but also to follow the effects
of his actions on the parameters and on the safety
systems of the power plant.
The safety critical functions concept is based on
the assumption that any accidental release of radioactivity to
the environment can be reduced if the radiation safeguards are
working properly. Function recovery means the return of the
power plant to a safe condition, under which all the critical
functions are fully accomplished. The SFCS set of safety critical
functions is composed of:
- SUBCRITICALITY
- CORE COOLING
- HEAT SINK
- INTEGRITY
- CONTAINMENT
- INVENTORY
The safety critical function status tree comprises
the guidelines used to determine the power plant safety status,
independently of the accident sequence that occurred. There is a
status tree for each of the critical functions, the set of said
trees determining the power plant safety status.
A restricted set of parameters is systematically
evaluated in order to determine each function status. A decision
tree-type branched structure is the logic vehicle used to structure the
systematic evaluation of the power plant parameters which determine
each function status. Each status tree has a single input
point and several mutually exclusive output points (terminal
branches), depending on the value of the parameters specified in
the tree. Thus, each run through a status tree generates a
single output point, that is, a single status of the
corresponding function.
The SFCS runs sequentially through the six status
trees and provides the operator, in real time, with the updated
status of all the critical functions by means of a color CRT.
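The single-entry, mutually exclusive structure of the status trees and the sequential run over the six functions, as an added example (not SSPA code and not from the paper). The tested parameters, limits, status labels and the severity-based ordering of actions are constructed placeholders, not values from the Emergency Response Guidelines or from Angra-1.

```python
# Hypothetical status scale; the paper does not define one.
OK, WARN, SEVERE = "satisfied", "challenged", "jeopardized"

# A branch point is (parameter, limit, branch_if_below, branch_if_at_or_above);
# a terminal branch is a status string. Each test is binary, so every run
# ends at exactly one terminal. All parameters and limits are constructed.
TREES = {  # dict order follows the order in which the paper lists the functions
    "SUBCRITICALITY": ("power_pct", 5.0, OK, SEVERE),
    "CORE COOLING": ("core_exit_temp", 370.0,
                     ("subcooling", 10.0, WARN, OK), SEVERE),
    "HEAT SINK": ("sg_level_pct", 10.0,
                  ("feed_flow", 50.0, SEVERE, WARN), OK),
    "INTEGRITY": ("cooldown_rate", 55.0, OK, WARN),
    "CONTAINMENT": ("cont_press", 0.3, OK,
                    ("cont_press", 3.0, WARN, SEVERE)),
    "INVENTORY": ("pzr_level_pct", 17.0, WARN, OK),
}

# Constructed data base snapshot for one update cycle.
SNAPSHOT = {"power_pct": 1.2, "core_exit_temp": 340.0, "subcooling": 4.0,
            "sg_level_pct": 6.0, "feed_flow": 20.0, "cooldown_rate": 30.0,
            "cont_press": 0.1, "pzr_level_pct": 25.0}

def run_tree(tree, data):
    """Walk from the single entry point to one terminal; return (status, path)."""
    node, path = tree, []
    while isinstance(node, tuple):
        param, limit, below, at_or_above = node
        value = data[param]  # a missing input raises KeyError, never a silent default
        took_below = value < limit
        path.append(f"{param} {'<' if took_below else '>='} {limit}")
        node = below if took_below else at_or_above
    return node, path

def evaluate_all(data):
    """Run sequentially through the six trees, one status per function."""
    return {name: run_tree(tree, data)[0] for name, tree in TREES.items()}

def action_order(statuses):
    """Functions needing recovery, most severe first (assumed ordering rule)."""
    rank = {SEVERE: 0, WARN: 1}
    pending = [name for name, status in statuses.items() if status in rank]
    return sorted(pending, key=lambda name: rank[statuses[name]])  # stable sort

if __name__ == "__main__":
    statuses = evaluate_all(SNAPSHOT)
    print(statuses)
    print("recover in order:", action_order(statuses))
```

The path returned by `run_tree` records which branch was taken at every test, which is the information a status tree display needs to highlight the active route.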
5. CONCLUSIONS
This article was intended to present a general
description of the ANGRA-1 Parameters Display System (SSPA), to be
introduced in the beginning of 1987 at the ANGRA-1 nuclear power plant
belonging to Central Nuclear Almirante Álvaro Alberto. This
article is limited to a certain number of pages and, therefore, we
could not describe the system in detail. It took 3 years to be
developed by a staff including eighteen researchers from different
knowledge fields.
ANGRA-1 Parameters Display System shall use a
totally redundant computer configuration in order to warrant a
high operational availability level. The objective of the system
is to help the ANGRA-1 operations staff by presenting, in an
integrated way on a color CRT, the information fundamental to determine
the power plant status, as well as the procedures to be followed in an
accident event, thus improving the man-machine interface. The
introduction at the power plant of this real-time, on-line
system aims at increasing its safety conditions, thus fulfilling
the recommendations originating from the accident at the
Three Mile Island nuclear power plant.
The way it was developed, this system means a step
forward as compared to the similar ones designed abroad, mainly due
to its continuous functioning during power plant normal operation
by means of the Parameters Monitoring Integrated System (SIMP).
REFERENCES
1. US Nuclear Regulatory Commission, "TMI-2 Lessons Learned
Task Force Final Report" - NUREG-0585. October 1979.
2. Westinghouse Owners Group. "Emergency Response Guidelines"
Revision 1. September 1983.
ACKNOWLEDGEMENTS
The authors would like to thank FURNAS - CENTRAIS
ELÉTRICAS and FINEP - Financiadora de Estudos e Projetos for
financial support. The authors acknowledge the technical
contributions to the design of SSPA by the following researchers:
- Cesar Augusto Commerlato
- Frederico Leing Mendes
- Jaime Eduardo Pinto
- Jose Luiz Rodrigues Neves
- Lauris Cristina de O. Tay-Sobt
- Luiz Rogério Araújo de Araújo
- Norberto Ribeiro Bellas
- Sergio Ayala Pereira
- Tarcísio Passos R. de Campos