Information Processing in the Reactor Protection Systems of High Temperature Gas-Cooled Reactors

Received: 29 June 2020 Received in revised form: 26 July 2020 Accepted: 28 July 2020 Reactor protection systems (RPS) transform process variable signals from the sensors into initiation and actuation signals to trip the reactor if the signal's value exceeds the predefined trip setpoints of the RPS. Information on the current value of the process variables signals and the trip setpoint should be displayed properly on the visual display unit (VDU) in order to maintain the situation awareness of the operators in main control rooms (MCR). In addition, it is also helpful for them to investigate the cause of an accident after the reactor trip and to mitigate the accident based on the appropriate emergency operating procedures. This paper investigates how the information is processed in the RPS of Experimental Power Reactor (EPR) based on high temperature reactor (HTR) technology, and how the information is displayed on the human machine interface (HMI) of the MCR of the EPR. It is conducted by classifying the RPS into three layers based on its components and their functions, followed by the investigation of the type and the information processing in each layer. The results show that the form of the information has been changed throughout the RPS, started from the sensors and until it is displayed on the VDU. The results of the investigation are necessary to understand the concept of RPS, especially for new operators, and to prepare the mitigation actions based on the process variable that cause the reactor trip.


INTRODUCTION *
Safety is the most important aspect of nuclear power plants (NPP), including the ones using hightemperature reactors (HTR) technology. In order to operate a nuclear reactor safely, several variables have to be measured and monitored. Some of them are considered to be most essential for the safety of the reactor operation, and therefore their measurements and processing have to be fast and reliable. In case of emergency, the reactor protection system (RPS) should automatically trigger the safety actuation systems whenever necessary.
The experimental power reactor (EPR), which will be built in Indonesia, uses helium gas as reactor coolant and graphite as the moderator. The 10 MWth EPR is developed based on high temperature gas-cooled reactor (HTGR) technology. The RPS of the EPR receives the initiation signals from the sensors of main components of the reactor, which contain information about the process variables of the plant systems/equipment such as temperature, pressure, and neutron flux [1] [2]. The signals, mostly in the analog form, are processed in data acquisition systems and then converted into digital signals, since the RPS is designed in a digital system that can only receive digital signals. Then the signals are processed in the bistable processor of the RPS and the values are compared with the predetermined trip setpoints. If the values hit the setpoint, the processed signals are set as initiation signals. RPS is a redundant system that has more than one similar channel (usually 3 or 4 channels) and each channel has an initiation signal. Then, the logical coincidence logic processor will process and vote the signals based on, for example, 2 out of 3 (2oo3) method, which means that if 2 of the 3 signals are applicable for triggering the reactor trip, then the signals are set as actuation signals. The actuation signals will stop the power from the control elements of the control rods that cause the rods to drop by gravity into the reactor core. The rods absorb neutrons in the reactor core, stop the fission reaction, and then trip the reactor. In this case, the reactor is in a hot shutdown condition. The next step is to cool down the reactor conducted by the engineered safety features actuation systems (ESFAS) which will actuate some components of engineered safety features such as containment isolation system, main steam isolation system, and safety injection system [3].
Operators in the main control rooms have main tasks to monitor the plant status through the large screen display and to take control from their workstation desks when the accidents happened in the plant to bring the plant to the safe condition. Regarding the RPS, although it is conducted automatically by the system, operators still need to monitor the status of the parameter levels that can cause the tripping of the reactor, such as neutron flux, helium temperature, as well as primary and secondary flow rate. Based on that information, operators will focus on the specific components and then prepare for actions to mitigate the accidents based on emergency operating procedures. Therefore, a suitable and reliable HMI is needed to provide information related to the RPS.
This paper investigates how the information is processed in the RPS and presented on the information display in the main control room of the EPR. It includes the classification of the RPS layer based on the form and the type of the information, the way how to process the information in each layer, and how to display the information on the display unit. In addition, the preliminary design of HMI to display the information is proposed in this research. The HMI design considers the standards and requirements on how to properly display the information to the operators and to increase their awareness about the status of the plant and to reduce human errors caused by operators' actions. Figure 1 shows the diagram of the experimental power reactor (EPR), designed by the National Nuclear Energy Agency of Indonesia (BATAN) to provide electricity in the Puspiptek area. The EPR is based on HTGR with 10MWth of power capacity. HTGR is a modular pebble bed reactor that uses spherical fuel elements and helium as its coolant [4]. From Fig. 1, it can be seen that the fuel elements are located in the reactor core and reacted with neutrons to generate fission reactions. The heat resulted from the fission reaction is used to produce steam in the steam generator, which then be used to spin the generator turbine and thereby generating electricity. The fission reactions, the heat, and power are controlled by the control rods. Inserting the control rods into the reactor core will reduce the power and shut down the reactor.

REACTOR PROTECTION SYSTEMS AND ENGINEERED SAFETY FEATURES ACTUATION SYSTEMS
Both EPR and other types of NPP are equipped with RPS and ESFAS. RPS are actuated when some process variables (such as neutron flux and helium temperatures) exceeded the predefined safety operation criteria of the plant by sending the actuation signal to drop the control rods in order to trip the reactor. In this case, the reactor is in hot shutdown condition, which means that the residual heat should be removed from the reactor core to maintain its structural integrity. The ESFAS send the signal to actuate the cooling components to remove the decay heat. The design of RPS for the EPR has three channels and works as a redundant system. Each channel has the same components and functions. Figure 2 shows the principal of single channel of RPS. It can be seen that there are three levels of signals in the RPS: initiation level, logic level, and actuation level. The initiation level includes the acquisition of process variable signal from the sensors and transforming them into initiation signals in the bistable processor that indicate trip status. In the logic level, the logic selection of the initiating signal from each RPS channel is conducted in the local coincidence logic (LCL) processor to produce an actuation signal. Finally, in the actuation level, the actuation signal is converted into a trip signal which will cut the current source flowing to the control rods and then drop the control rods into the core to trip the reactor. Figure 3 shows the methods to investigate the information processing in the RPS. It starts with the classification of the RPS layers in terms of components and functional aspects of the RPS. In general, the RPS is connected to the sensors as the inputs and HMI as the output. Therefore, the classification is based on those components (sensors, RPS, and HMI) and their functions. Each layer has its type or form of the signals and information. The type of the signals and information will be identified based on the characteristics of the components in each layer. The next step is to investigate how the signals and information are processed in each layer and changed from process variables (in the sensors) to initiation and actuation signals (in the RPS) that can trigger a reactor trip. Another investigation is how to present the information on the HMI of the main control room properly. In this case, some standards, requirements, and human factor engineering are applied to the preliminary design of the HMI.

Classification of RPS layers
As mentioned in the previous section, the RPS is connected to the sensors/transducers and HMI. Each component has its characteristics and functions. Therefore, the classification of RPS layers can be conducted based on those components. The purpose of the classification is to make it easier to understand the function of the RPS and to investigate how the signal and information are processed in the RPS. Figure 4 shows the result of the RPS layers classification: sensor layer, control layer, and HMI layer.

Sensor layer
Sensors are devices that connected to the main components or equipment of NPP and transform the process variables such as temperature, pressure, flow rate, and volume into electrical signals. Regarding the EPR or HTR, literature [1] identifies the process variables for RPS, the measuring range to measure the process variables, and the related potential design basis accidents (DBA) which are summarized in Table 1. It can be seen from the Table 1, for helium temperature, the sensor measures the temperature in a range of 0-850°C (hot temperature) and transforms the temperatures into electrical signals, usually in the form of current signals. One of the reasons is the current signal is more reliable than the voltage signal in terms of transferring the signal through the media and the resistance of the noise [6].

Control layer
This layer is called the control layer because it controls the process variable signals so that they can be used to generate a signal to trip the reactor. It is located in the RPS and consists of bistable and LCL processors. The bistable processor stores predefined pre-trip and trip setpoints and compares the digital value of process variables with the trip setpoints to generate an initiation signal that indicates a trip state. As seen in Fig.2, the bistable processor is connected to the LCL processor (1 channel). In the case of RPS of an EPR, it has 3 redundancy channels. The resulted initiation signals from each of bistable processors are delivered and processed in the LCL processors. The LCL processor defines the state of the output based on the state of the three inputs and generates an actuation signal if two or more of three inputs (2oo3) express a trip signal.

HMI layer
This layer concerns with the presentation of the information of the pre-trip and trip setpoints, and the current value of the process variables on the HMI of the MCR. MCR is part of instrumentation and control of the nuclear power plants, therefore, the design should be based on standards such as IAEA Safety Guide SSG-39 (Design of Instrumentation and Control System for Nuclear Power Plants) [7] and IEEE Std 603-2009 (Criteria for Safety Systems for Nuclear Power Plants) [8]. Figure 5 shows the design of the main control room for the EPR. The MCR consists of display equipment such as large screen display, mimic display, alarm window, and VDU located on the operator work console. In addition, there are some computer houses and control stations that process the signals from the sensors and transmitters of the plant systems/equipment.

Information type in RPS layers
The component in each layer has its type and form of information. The information is carried out by the signals. The signals are transformed from an analog signal to a digital signal (to generate actuation signal to trip the reactor) or to digital value (to be presented on the visual display unit and alarm display. The results of the investigation of the information type of RPS layer are provided in Table 2.  Figure 6 shows the flow of information processing in RPS. Firstly, the signal containing the information of the process variable is sent to the bistable processor to generate the initiating signal and then converted into an actuation signal to trip the reactor. Secondly, the signals are connected to the large screen display to directly present the information about the status of the related components connected to the sensors. Finally, the signals are also sent to the alarm processor and displayed on the alarm display to warn the operator about the anomalies in the plant.

Sensor layer
Information processing in some components of the sensor layer, such as equipment, sensor, signal conditioning, analog to digital converter, and computer process, is shown in Fig. 7.

Equipment
Equipment is a set of plant systems or components that generate process variable or physical signals such as temperature, pressure, flow rate, and volume. Most of the signals are in the form of analog signals. In Fig. 7a, it is represented by a sine signal.

Sensor
Sensor measures and transforms the physical state of the equipment into an electrical signal. Unfortunately, the output signals from the sensor are not the same as the physical signals due to noise as can be seen in Fig. 7b.   Fig. 7. Information processing in the sensor layer Noise is an undesirable disturbance of an electrical signal. It can affect the amplitude and phase of the signal and change the shape of signals. The noise may come from the internal equipment such as thermal noise and shot noise, or external equipment such as electrical motors and switch gears. In the case of RPS, it can cause a mistake in generating the initiation and actuation signals for a reactor trip, and also cause mistake in sending an alarm to the operators. Therefore, the noise should be eliminated.

Signal conditioning
Before processing in the RPS, the analog signals should be processed in the data acquisition systems (DAS). Data acquisition is the process of measuring physical phenomena such as voltage, current, pressure, and recording the data for analysis purpose. The objectives of data acquisition are to obtain and store real-time data and to provide post-recording visualization and analysis of the data The noisy electrical signals should be conditioned in order can be correctly processed in the DAS. The common method is by implementing filter on the noisy signal, low pass filter of high pass filter. A low-pass filter allows signals with a frequency lower than a certain cut-off frequency, while high-pass filter passes signals with a frequency higher than cut-off frequency. Other types of signal conditioning are reshaping or amplifying the noisy/distorted electrical signal. As an example, the result of the signal conditioning can be seen in Fig. 7c. Then, the conditioned signal is suitable to be converted into a digital value.

Analog to digital conversion
The next step is to convert the conditioned signals into digital values by analog to digital converter (ADC). Analog signal is a continuoustime signal and a digital signal is a discrete-time signal. Therefore, to generate the digital signal, the analog signal needs to be sampled at a specific rate. The sampling rate or sampling frequency should consider the Nyquist theorem, which mentioned that the sampling frequency (fs) is greater than or equal to the twice of the highest frequency component of the signal (fm), in other words, fs ≥ 2fm [10]. This theorem offers some benefits to prevent the under-sampling (signal is sampled too slowly) and aliasing (frequency overlapping) which are useful to correctly reconstructed the signal at the output. Fig. 7d shows an example of the sampled signal. The results of the sampling process are a sequence of real numbers. Quantization change each of real numbers with a finite set of discrete values, usually are represented as fixedpoint words, such as 8-bit word length (11001100), 16-bit word length, and 24-bit word length.

Computer process
The digital values resulted from the ADC are then stored in the computer for further processing. In the case of RPS, the digital values of process variables (binary or hexadecimal) are sent to the bistable processor of the RPS and the visual display units on the operators' workstation and large screen display, and also to the alarm processor.

Control layer
In the control layer, the information is processed in the bistable and LCL processor. The bistable processor stores some predefined pre-trip and trip setpoints as thresholds. Inputs of the bistable processor are the digital value of the process variables. If the values of the inputs exceed the thresholds, the initiating signals are generated as the outputs of the bistable processor. Table 3 shows the example of trip setpoints that are used in the EPR which based on high temperature reactor. The trip setpoints are converted from decimals to the binary/hexadecimal in the digital RPS. For example, the measurements of hot helium temperature in EPR. The sensor records that there is an increasing temperature of helium. This information is passed through the bistable processor and then compared with the trip setpoint in the bistable processor. If the value reach or more than 740°C or 2E4 (hex), the information is set as an initiation signal for tripping the reactor. The RPS of the experimental power reactor has 3 redundancy channels, each has a bistable processor. Therefore, there are the 3 initiating signals resulted from the bistable processors. Then the signals are used as inputs for the LCL. The outputs are trip actuation signals that are generated if the 2 out of the 3 (2oo3) coincidence signals indicate a trip state. The signals are then delivered to the controller of the control rods that will force the controller to break the holding current at both poles of the control rod drive mechanism and to drop the control rods into the reactor core to stop the fission reaction and shut down the reactor.

HMI layer
As mentioned before that the function of the HMI layer is related to the presentation of the information of the pre-trip and trip setpoints, and the current value of the process variables on both on the visual display unit and alarm display. Below is the discussion of how to display the information and the proposed design of HMI to display the information on the MCR of the EPR.

Information presented on the large screen display
A large screen display in the main control room is used to display the information on the overall condition of the plant. In displaying the information on the large screen display should consider the requirements and standards, for example, IEEE std 497-2002 (IEEE standard Criteria for Accident Monitoring Instrumentation for Nuclear Power Generating Stations) [12]. The standard mentions several requirements and criteria for designing the display including the presentation of information on the display that should consider the following aspects, such as type of information, human factor engineering, do not provide ambiguous and misinterpretation information, and location of the display. Regarding the displaying information, one of the methods is based on ecological interface design [13], It focuses on the actual environment and its physical constraint as well as the consistent representation of levels and using variables. In addition, it can increase the situation awareness of operators and support the decision-making process, especially in unusual and unanticipated situations [13].
Related to the RPS, the large screen display should properly provide transparent information about the triggering status of each protection variables and also the status of the RPS. As shown in Figs. 5 and 6, the information about the triggering status of the RPS will be displayed on the visual display unit (VDU) and the large screen display. The operator can monitor the status of the variable process on the screen as well as the trip setpoints or the triggering values. If the values tend to reach the trip setpoints, although the reactor will be shut down automatically, operators will prepare for the actions such as finding the cause of the anomalies in the plant and finding the appropriate procedures to mitigate the accidents. Figure 8 shows the preliminary design of HMI for monitoring the RPS process variable and triggering status. The information is displayed on the VDU and the large screen display. Initially, the operators are provided with the interface of some process variables on their workstation which are important for RPS. If the operator select and click on a specific button on the VDU, for example the neutron flux, the new window is opened and displayed both on the VDU and the large screen display, which provide the information of the current value of the neutron flux, as well as the pretrip and trip setpoints. In addition, the design of the display should provide a graphical trend of the monitored variables to make it easier for operators to monitor the plant. The pre-trip setpoints are predefined value before the event of reactor trip to warn the operators and let the operators prepare for the actions to bypass the operation, if it is possible, to prevent the reactor trip. If they do nothing and the process variable value tends to reach the trip setpoint, the reactor will be tripped (shutdown).

The information displayed on the alarm window
As can be seen in Fig. 5, the information from the sensors of the plant system/equipment, which contains the variable process is processed in the control station. The control station is interconnected with the computer house and alarm control. The computer house is used to process and store the information that is displayed on the large display and visual display unit of the operator workstations. On the other hand, the alarm control processes the information related to the alarm conditions. In terms of RPS, it is related to pre-trip and trip setpoint. The objective of providing alarm systems in the MCR is to increase the awareness of operators of an operational problem in the plant. Operators should respond to the alarm information and compare with the information displayed in a large screen display and assess the current situation. Figures 8 and 9 show the draft of the alarm display design of an experimental power reactor for pre-trip and trip conditions, respectively. The alarm display consists of visual and audible annunciators. The visual annunciator includes text presentation and color-coding. As in Fig. 9, when the variable process, for example, the neutron flux reaches the pre-trip setpoint, the neutron flux display on the alarm display will be turned on with yellow color. In this condition, operators should look at and compare the information of the neutron flux on the large screen display. Then, they have to assess the condition and prepare the actions for resolving the anomalies. If the value tends to increase and reach the trip setpoint, the yellow color of the neutron flux display will be changed to red color and followed by the reactor trip display is ON with the red color, as can be seen in Fig. 10. In this condition, the audible annunciator is also sounded to alert operators about the anomalies. Then, they have to assess the conditions and also look at the other process variables to investigate the cause of the anomalies and find the appropriate procedures to mitigate the accident.

CONCLUSION
The investigation of the information processing in the RPS of the EPR or HTR has been conducted. It is conducted by classifying the RPS into three layers: sensor layer, control layer, and HMI layer. The results show that the sensor layer deals with the conditioning analog signals and converting them into digital signals/digital value. While in the control layer, the information processing is related to generating the initiation and actuation signals to trip the reactor. The HMI layer concerns with the presentation of information on the HMI of the MCR of the EPR. The results of the investigation are necessary, especially for new operators, to understand the function of the RPS and to prepare for actions to mitigate the accidents based on the process variables that cause the reactor trip. Future work is related to the design of the HMI for the RPS based on the preliminary design discussed in this paper.