TRITA-FYS 2012:12
Master of Science Thesis
“Alarm handling in the control room of a Nuclear
Power Plant”
by
Maxime Villemin
Stockholm, Sweden, 2012
A Thesis Submitted in Partial Fulfillment
of the Requirements
for the Double Degree
at
KTH Royal Institute of Technology (Sweden) Master of Science
Department of Reactor Physics &
Phelma Grenoble INP (France) Diplôme d’ingénieur Génie énergétique et nucléaire
M.Sc performed at EDF
ABSTRACT
This master thesis was performed at the Golfech Nuclear Power Plant, located in France. The reactor used is a Pressurized Water Reactor of the P’4 design. The subject of the master thesis is the handling of the alarms in the control rooms. It is essential to try to limit their number. Furthermore, the alarm represents the border between the Normal Operation of the reactor and the Emergency Operating Procedures (EOPs) or, in the worst case, the Severe Accident Management Guidelines. Hence, the notion of alarm is a fundamental aspect of the defense in depth concept, Prevention-Monitoring-Action/Mitigation (PMA), by being the interface between the Monitoring and the Action/Mitigation. Of course, not all the alarms involve the application of an emergency procedure, but in most cases they measure the evolution of all the physical parameters of the reactor and give an overview of the state of the installations. Some alarms are more essential than others because they are directly correlated with the state functions of the reactor, and hence have to be dealt with in priority. Other alarms have a lower degree of importance, but there is an overwhelming number of alarms on the screens in the control room, which makes other alarms that would appear less obvious. The handling of the alarms is performed in this master thesis mostly in order to “clean up” the screens of the control room and to give the operators a better overview of the installations. Different methods were employed in this thesis in order to reduce the alarms on the screens. The first one was the use of new alarm handling software. This software is governed by an appropriate organization which includes risk and safety analyses, validated by the Operations Shift Manager. Furthermore, the man/machine interaction has to be dealt with cautiously, given the potential risk that it could introduce.
This software is used for the alarms linked to the way of operating. The second method is a modification of the installation and therefore has to be dealt with according to the associated procedures and rules. The alarms linked to a maintenance activity within five days were handled with this method. The last method consists in handling the alarm by trying to fix the root of the problem; it is the most logical way of reducing the number of alarms but also the least obvious and, sometimes, it is impossible to perform. The propositions to fix the problem are in application for some of the alarms.
TABLE OF CONTENT
ABSTRACT
TABLE OF CONTENT
ACKNOWLEDGMENTS
1. INTRODUCTION
1.1 Background and motivation
1.1.1 Presentation of the Nuclear Power Plant
1.1.2 Generalities of the PWR P’4 design and basic reviews
1.1.3 The general organization of EDF
1.1.4 Organization of the Golfech Nuclear Power Plant and of the Operations Department
1.2 Review of the state-of-the-art knowledge
1.2.1 Control room organization
1.2.2 The different states of operating of the reactor
1.2.3 The alarms: a limit between the normal operation and the emergency procedures
1.2.4 Generalities about alarms
1.2.5 Generation of the alarms: Instrumentation and Control System
1.3 Discussion and objectives
2. APPROACH
2.1 Overview and identification of the alarms present in the control room
2.2 Propositions, Plan of action, and methods to reduce the number of alarms in the control rooms
2.3 The Temporary Plant Modification (MTI) process: Principles
3. APPLICATION, RESULTS, AND DISCUSSION
3.1 The alarm handling software
3.2 Handling of the recurrent alarms: dealing with the root of the problem
3.3 Handling of the alarm with a modification of installation
3.4 Results
4. CONCLUSIONS
5. APPENDIX 1: LIST OF THE ABBREVIATIONS
6. APPENDIX 2: FACR EXAMPLE
8. FIGURES AND TABLES
ACKNOWLEDGMENTS
First and foremost, I offer my sincerest gratitude to my supervisor Delphine Apretna. Thank you for your patience, valuable feedback, inspiration, ideas, and advice.
I would like to thank Caroline Bernard and Olivier Coadebez, the former and the current Unit Director of Golfech, for offering me the possibility to perform my master thesis in their Nuclear Power Plant. In addition, I would like to thank Thierry Latrouite, head of the Operations Department, who welcomed me in his Department.
I would like to express my gratitude to Pavel Kudinov and Nicolas Capellan, my supervisors at KTH and at Phelma respectively, who helped me during my master thesis by giving relevant advice.
I am indebted to my many colleagues from the Operations Department who supported me during my internship and always offered their help and explanations at any moment. Thank you for the nice working environment that you have maintained during the entire master thesis.
This thesis would not have been possible without the three administrations of Phelma, KTH, and EDF, which offered me the possibility to achieve my Double Degree in the best conditions. Thank you.
This thesis is dedicated to my parents, who have given me support throughout all my life at any moment. I would also like to dedicate this thesis to my grandmother and, especially, to my grandfather, who was always deeply interested in my studies.
Thank you also to Inmaculada Viéitez for her endless patience for the rereading of this thesis and constant support.
1. INTRODUCTION
1.1 Background and motivation
1.1.1 Presentation of the Nuclear Power Plant
The master thesis was performed at EDF (Electricité de France) in the Golfech Nuclear Power Plant (France). EDF is the world’s leading nuclear energy company, with a worldwide workforce of around 160,000 people. EDF manages the country’s 58 Nuclear Power Plants, and Golfech is one of these units. The power plant at Golfech has two operating Pressurized Water Reactors of the particular P’4 design, with a power of 1300 MW each. The first power plant Unit has been operating since 1991, and the second one since 1994. The master thesis was performed within the Operations Department.
1.1.2 Generalities of the PWR P’4 design and basic reviews
Each Unit of the Golfech Nuclear Power Plant is composed of a conventional island, a nuclear island, and a cooling tower. The nuclear island consists of the core, the cooling system, and the safety systems (the Reactor Protection System, Chemical and Volume Control System, Safety Injection System, Containment Spray System, Residual Heat Removal System, Power Electrical System, Feedwater Flow Control System…). Other systems are present on this island, such as the Boron Recycling System, the Ventilation Systems, the Component Cooling System, and the electrical supply from the Diesel Motor System. The fuel storage pool is in a building which is a part of the nuclear island. The main steam system assures the link between the nuclear island and the conventional island.
The conventional island is composed of the turbine, the generator, and the condenser.
The fuel used in the power plant is uranium oxide fuel; the thermal-hydraulic and material characteristics of the reactor are the same as those usually found in a Pressurized Water Reactor.
The P’4 design has 4 steam generators (4-loop PWR), contrary to the 900 MW PWR, in order to provide better cooling. Indeed, the power of a P’4 design is 1300 MW, and the increase in power requires better cooling. Furthermore, the P’4 design has a double containment, which offers better protection. The P’4 design has small differences from the P4 design concerning the fuel building and some systems, but these differences are minimal and are not important with regard to the subject dealt with in this thesis.
A PWR is represented in figure 1.1:
The aim of this thesis is not to give all the characteristics of the pressurized water reactor. That is why only a small review is given in order to situate the environment where this master thesis was performed.
1.1.3 The general organization of EDF
EDF is composed of three different divisions in the nuclear domain:
The Nuclear Production Division, which assures the operation of the power plants and contributes to the improvement of their production. This division is constituted by all the Units of the NPPs (which also have their internal organization); the Engineering Operating Unit, whose mission is to assure the basis in terms of safety, radioprotection and environment protection; the Operational Technical Unit, which assures all the modifications and maintenance on the NPPs; and the Nuclear Inspection, which assures all the verifications on the NPPs.
The Nuclear Engineering Production Division, which deals with the design and assures the engineering activities for the future Nuclear Power Plants. This division is constituted by the SEPTEN, which deals with all the studies and the preparation of the projects for the future Nuclear Power Plants, and the National Center of Nuclear Equipment, which deals with all the equipment of the Nuclear Power Plants. Other divisions, such as the CIDEN, deal with the waste and the deconstruction.
The Fuel Nuclear Division, which deals with all the questions about fuel issues.
All these divisions, notably the Nuclear Production Division and the Nuclear Engineering Production Division, are supervised by an independent national institution, the National Nuclear Safety Authority, which makes sure that all the safety assessments are respected.
1.1.4 Organization of the Golfech Nuclear Power Plant and of the Operations Department
The NPP is organized into several main Departments:
The Operations Department pilots the Unit production constantly. It monitors the proper operation of the reactor, and coordinates the activities and the monitoring through the control room and also locally.
The Maintenance Department assures the servicing of the power plant in both preventive and accidental situations. The department is composed of different specialties such as instrumentation, automation, testing, electromechanics, and so on.
The Engineering Department supervises and helps both previously mentioned departments. It assures the safety improvements of the installation thanks to feedback from other units and the analyses of the behaviour of the materials.
The Safety Department deals with all the activities which concern quality and safety. The department also interacts with the other departments in order to provide assistance, advice and help to maintain the safety level.
The Prevention of Risks Department deals with the prevention of classical risks as well as radioprotection risks. It is in charge of checking the proper application of the security rules, and helps all the workers to perform their work under the best conditions.
The composition of the Operations Department is important for the handling of the alarms, in order to be able to identify the actors. That is why a more precise investigation of this department and its organization was performed in this master thesis.
A typical team of the Operations Department is constituted by: between 4 and 6 technicians, 2 or 3 operators, 1 operations Foreman, 1 Shift Supervisor, and 1 Operations Shift Manager (the Operations Shift Manager is common to two teams of the Nuclear Power Plant Unit). There are 14 teams in the NPPs, which rotate 24 hours a day and 7 days a week to assure the right production of the power plant. Each team is formed by:
The technician: He contributes to the improvement of the operating performance by dealing with the missions and the objectives of the Operations Department. He is in charge of the coordination of the activities for the other workers. He performs the different monitoring operations during the field inspections and the different local tests. He writes the intervention request when he notices something wrong.
The operator: He pilots the reactor and performs the monitoring activities in the control room. He is also responsible for maintaining serenity in the control room.
The operations Foreman: He is responsible for the preparation of the alignments and the padlockings by performing safety analyses. He improves the duration of inoperability of the Important for Safety materials. He is in charge of all the padlockings.
The Shift Supervisor: He is responsible for the accurate operations of the technicians and helps the Operations Shift Manager with decision-making. He ensures that the operations are carried out properly by giving all the information to the team.
The Operations Shift Manager: He is responsible for the safety, the operating actions, and the optimization of the installations, by delegation from the direction of the Unit. He has to report to the Direction all the events that can occur when the power plant Unit is operating.
These descriptions are only a summary of the functions and activities of the technician, operators, operations Foreman, Shift Supervisor, and Operations Shift Manager. Of course, all of them have well-defined activities regarding production, safety, security, radioprotection, the environment and so on.
1.2 Review of the state-of-the-art knowledge
1.2.1 Control room organization
The number of parameters which have to be checked and the complexity of the installation imply that the monitoring in the control room is fundamental. This activity has to be taken into account for the planning and the organization of the activity of every team. The monitoring deals with the checking of the physical parameters and the operability of the materials. This monitoring has to be done all the time.
The operating of a nuclear reactor implies the presence of, at least, two operators in the control room all of the time. The operator has to coordinate activities while the global monitoring is still necessary. If it is not the case, they need to change the planning of the other activities. The Operations Shift Manager, or Shift Supervisor by delegation, checks that the organization of the team allows a guarantee of the monitoring of the control room. The monitoring in the control room is also checked punctually by the management of the Operations Department [2].
The monitoring in the control room has to guarantee that the parameters of the installation stay in the authorized area (physics, technical specifications) in order to be able to act in case of any problem.
To assure that, the operators perform a periodic round in the control room, checking the physical parameters and the availability and operability of the materials and components, and checking for the appearance of alarms and acting if necessary.
The monitoring of the installation cannot be performed under good conditions if the control room is too noisy or if the operators are solicited all the time. Hence, access to the control room is regulated and is not allowed at all times.
It is easy to understand that a high number of alarms per control room can have a bad impact on the serenity of the control room; therefore it is important to limit their number.
1.2.2 The different states of operating of the reactor
a) The Normal Operation
The normal operations have to comply with the Technical Specifications for Operation, which are designed to guarantee the safety of operation under normal operation conditions and therefore to prevent the occurrence or the aggravation of an incident or accident.
The technical specifications do not cover the incident or accident situations which are dealt by particular processes in the General Operating Rules.
The document is structured in six different operation domains, which envelop the standard states of the reactor.
For each domain the prescriptions deal with:
The reactivity
The cooling of the fuel
The confinement and the integrity of the barriers
The transversal and support functions
The rules to apply in case of the inoperability of required materials
Table 1.1 contains a summary of the different operation domains under normal operation conditions:
Table 1.1: The operation domains in a normal state of the reactor [4]
Operation domain | Study domain and standard states
Completely Unloaded reactor | All the fuel in the fuel building
Refuelling Shutdown | Cold Shutdown for refuelling
Cold Outage for maintenance | Cold shutdown for maintenance with primary coolant system fully open; Cold shutdown for maintenance with primary coolant system partly open; Cold shutdown for maintenance with primary coolant system closed and depressurized (pressure < 5 bar)
Normal outage with cooling by Residual Heat Removal System (RRA) | Normal cold shutdown (pressure > 5 bar); Intermediate shutdown with single phase conditions; Intermediate shutdown with residual heat removal system conditions (Residual Heat Removal System connected) (RRA connected)
Normal outage with cooling by steam generators | Intermediate shutdown with Residual Heat Removal System conditions (RRA connected); Intermediate shutdown with cooling by steam generators; Hot shutdown
Reactor in service | Taking the reactor critical; Hot standby; Power operation
The concept allows the definition of some physical thresholds in order to maintain the integrity of the barrier, guarantee the efficiency of the safety functions, but also the definition of some assumptions regarding to the reactor initial state for the incidents or accidents studies.
safety criteria and the design assumptions of the reactor. Then, the Technical Specifications give the domain of Normal Operation by defining thresholds on physical parameters. The physical parameters are, for instance, the volume of coolant, the boron concentration, the temperatures, the pressures and the mass flows. These physical parameters can be measured from the control room thanks to tools such as indicators, recorders, or the alarms. It is worth noticing that the alarms are a direct link between the Technical Specifications and safety. An alarm indicates that a threshold on a physical parameter may have been reached, hence a possible exit from Normal Operation. Alarm issues are therefore fundamental, and require an understanding of safety issues.
The second objective of the Technical Specifications is to keep the availability of the safety functions which are mandatory for the control, the protection, the engineering safety features, and the operability of the incident or accident operating procedures. It is therefore necessary to define the availability of materials and systems in order to assure the safety functions. In this way, a system is defined as available only if it is possible to show that, at any moment, the material is able to guarantee its functions and its performances. The periodic tests are done according to the General Operating Rules, in order to assure the operability of the materials.
The last objective of the Technical Specifications is to define a rule to respect in case of non-compliance of a safety function or when the operation is out of the Normal Operation domain.
The Technical Specifications give the information and the action to perform for each operation domain if an event occurs. For each area of operation (see table 1.1), the Technical Specifications for Operation define the operating procedure to apply after an event: action statement limiting condition, action statement time limit or time to repair [5].
With regard to the concept of the defense in depth, all these rules constitute the prevention, but it is also necessary to define the monitoring and the mitigation actions in order to complete the concept of the defense in depth.
The monitoring is performed through several processes.
The first one is the periodic test on the important safety-related materials. It is a part of the second level of the defense in depth (see figure 1.10 later on).
The activity of maintenance is also a way to check the availability and the reliability of all the necessary functions for the operators, in order to perform a safe operating. There are two kinds of maintenance, the corrective maintenance, carried out after failure, and the preventive maintenance, carried out in accordance to predetermined criteria with the intention of reducing the probability of failure of equipment or degradation of the service.
The last way is the requalification tests which consist in the verification of the behaviour of a component or a system to ensure that the design levels of performance are maintained or re-obtained after maintenance, modification or an operating event.
b) The emergency procedures
The last concept of the defense in depth is the action. The ways of action are organized in order to act against an incident or an accident. One of the chapters of the General Operating Rules corresponds to the procedures during an incident or accident: the EOPs (Emergency Operating Procedures). It also corresponds to the organization of the operation team in order to apply these EOPs. In case of a severe accident (according to the criteria), the Severe Accident Management Guidelines contain the actions that have to be performed in order to contain the accident.
The safety requirements for incident and accident situations consist in having the resources to handle all the circumstances in terms of organization, operation documents, equipment, and worker resources.
i) The Emergency Operating Procedures
The Emergency Operating Procedures constitute the third level of the defense in depth: the action and mitigation in case of accident. They are performed when a certain situation occurs and it is necessary to apply special procedures in order to return to a more stable state and therefore resume the normal operation of the reactor.
Previously, the Emergency Operating Procedures were handled with the event-based approach.
These procedures were applicable to a single event (meaning that it was not combined with another incident or accident), and the event therefore had to be correctly diagnosed.
In other words when an event had occurred, the physical parameters were analyzed in order to define the current state of the reactor. A strategy was chosen, and different procedures were applied.
The process is summarized in the figure 1.3:
Figure 1.3: Process of the Emergency Operating Procedures [4]
With this concept, the initial identification was not reconsidered afterwards: even if the initial state had changed or new events had appeared, it was not possible to change the operating instructions. The event-based procedures were not adapted to an accumulation of problems and defects.
In order to improve these procedures, EDF developed a new approach during the 90’s. Indeed, it would be really hard to create, and also to choose, a procedure for every possible combination of several failures and events.
EDF then created the Nuclear Steam Supply System state-oriented approach in order to avoid these difficulties.
The principle is simple: the number of possible state functions of the nuclear steam supply system is limited, whereas the number of possible combinations of failures is not.
The latest version of this approach now covers all the types of incidents and accidents for all the primary coolant system configurations.
Remark: The Golfech Nuclear Power Plant was the first one to have the state-oriented approach at its disposal, in 1991.
In order to keep control of the possible states of the Nuclear Steam Supply System, the physical parameters are monitored. For that, 6 state functions are defined, which offer a lot of information about the state of the reactor.
The 6 state functions are the following:
Sub-criticality
Residual Heat Removal
Primary coolant inventory
Feedwater inventory
Steam generator integrity
Containment integrity
[Figure 1.3 labels: Physical parameters; Identification of the state; Application of one strategy = sequence of operating actions +]
Once the overall physical situation is defined with respect to these 6 state functions, it is necessary to determine the global objective of the control action according to the state. After that, a priority between the state functions has to be established, and consequently between the actions which are mandatory in order to control the situation, by monitoring the evolution of the state functions. At the same time, a general monitoring of the main state is performed in order to assure the operability of the main systems. Together, the process of identification of the physical state, the determination of the priorities, and the state function control actions to attain the general objectives constitute a control strategy [4].
The characteristics and the safety functions that represent the state functions are summarized in table 1.2.
Table 1.2: Process of the Emergency Operating Procedures [6]
State function | Characteristic | Safety function
Subcriticality (S/K) | Level of the neutronic power | Reactivity
Residual Heat Removal [WR (P, T)] | Tsat; Primary system internal energy | Cooling
Primary coolant inventory (INVprim) | Level in the reactor; Heat exchange Core - Coolant; Transport for the primary coolant; Transfer until the steam generator | Cooling
Feedwater inventory (SG) (INVsec) | Level in the steam generator; Heat exchange coolant; Evacuation of the energy | Cooling
Steam generator integrity (INTsg) | Pressure in the SG stable / Activity SG; No release of the radioactive elements into the environment | Containment
Containment Integrity (INTcon) | Pressure containment / Dose in the containment | Containment
The process of the identification of the physical state is done cyclically in order to adapt the actions.
All the thermohydraulic incidents and accidents, single or multiple, cumulated with a loss of system or human error, are covered by the state-oriented approach.
This process is summarized in figure 1.4:
Figure 1.4: Process of the state-oriented approach to the Emergency Operating Procedures [4]
[Figure 1.4 labels: Physical parameters; Identification of the state (what effect does the sequence of operating actions have on the state?); Is the current procedure or sequence suitable? Does the sequence or the procedure in operation reach the goal?; Continuity of the strategy; Change the procedure or the sequence; Application of one strategy = sequence of operating actions; Monitoring of the operability of important systems and contingent restoration actions]
Table 1.3 and figure 1.5 represent the 6 state functions and their localizations:
Table 1.3: The 6 state functions [6]
The 6 state functions
Primary system | S/K | Subcriticality
Primary system | WR (P,T) | Residual Heat Removal
Primary system | INVprim | Primary coolant inventory
Secondary system | INVsec | Feedwater inventory
Secondary system | INTsg | Steam generator integrity
Containment | INTenc | Containment integrity
Figure 1.5: Localization of the 6 state functions [6]
The operating sequences are classified into different kinds of procedures:
For the primary system the procedures are named ECP (Primary Instruction State) and ECPR (Primary Instruction State when the Residual Heat Removal System is connected)
For the secondary system the procedures are named ECS (Secondary Instruction State)
For the periodic monitoring performed by the Operations Shift Manager or the safety engineer the procedures are named SPE (Periodic Monitoring Instruction)
The application of these procedures is initiated after a first indication of a problem, which can be given by an alarm: the DOS alarms, which are the alarms related to the Stabilization and Guidance Document (see the specifications of the alarms in paragraph 1.2.4).
The DOS corresponds to the Stabilization and Guidance Document.
This document guides the initial identification of the global physical state of the boiler, from the power initial state until the Cold Outage for repair, by indicating the instructions to apply. There is one DOS document for the operators (ECP), the operation Shift Supervisor (ECT), and the shift Manager (SPE). After that, the DOS guides the initiation of the different instructions.
These documents are dealing with all the states of the boiler, from the power initial state until the Cold Outage for repair.
Figure 1.6 represents the different kinds of procedures that can be used depending on the severity of the accident and the state of the reactor (Residual Heat Removal System in service or not, and Primary Coolant System open or not).
1.2.3 The alarms: a limit between the normal operation and the emergency procedures
As can be seen in figure 1.10, which summarizes the different states of a reactor and the different concepts of the defence in depth (Prevention, Monitoring and Action/Mitigation), the alarms have a fundamental role with regard to the monitoring. They represent the border between the normal operation and the incident/accident operation, hence between the monitoring and the action.
1.2.4 Generalities about alarms
a) Definition
An alarm can be defined as a message transmitted to the operators in order to warn them about a fault in the equipment or the installation, or about physical parameters exceeding a threshold. Consequently, they have to apply actions to monitor or fix the problem. The correlation between the defect, the alarm, and the action engaged by the operator is fundamental. For this reason, the domain of the monitoring of the alarms and the minimal action required from the operator when the alarm appears (the minimal action justifying the presence of the alarm) are the two main components of the handling of the alarms.
The display supports of the alarms are standardized: there are the alarm windows and the polychromatic screens (BARCO screens).
Whatever the support used, alarm windows or screens, when the defect is present, the name and the symbol are displayed in order to attest the presence of the defect. The alarm is transmitted with a specific codification which gives the Unit, the elementary system, and the code of the alarm. For the alarms on the screens, it is also given with a written text.
Example of the identification of an alarm (1 RCV 034 AA):
1 RCV 034 AA PRESSION < 1 BAR ABS.
Every elementary system has an assembly of alarms description papers.
More information is given in the alarm description paper as represented on the figure 1.12.
The alarms linked to a system are transmitted from a place around the control and monitoring device of the system concerned. The control desk, as represented on the figure 1.2, has the alarm windows and the screen of the alarms associated to the systems that it is piloting.
b) Characterization and Categories of the alarms
The apparition of an alarm is characterized in the control room by both audible and visual signals:
Visual signal: The appearing or the disappearing of an alarm has two different visual signals. Each visual signal allows a separate identification of each alarm. The action to get off an alarm means that the operator took it into account and then is dealing with it. The getting off is done specifically on every alarm (each panel, each screen…).
Audible signal: The appearing and the disappearing of an alarm have two different audible signals warning the operator. Moreover, several kinds of signals could exist regarding to the different support of alarms. It is useful to awake the attention of the operator of every change in the state of an alarm, and then to be able to be heard from every place in the control room. The alarm getting off is global for every kind of support.
The appearance and disappearance of alarms on the screens, with the visual and audible signals, is summarized in Table 1.4.
(Labels of the identification example 1 RCV 034 AA: Unit 1; Elementary system: Chemical and Volume Control System; Code of the alarm for a given system.)
Table 1.4: The audible and visual signals related to the alarms
Screens
Appearance: 1 RCV 034 AA PRESSION < 1 BAR ABS. Red square flashing on the screen with an audible signal in the control room.
Fixation: 1 RCV 034 AA PRESSION < 1 BAR ABS. When the operator has taken the alarm into account by pushing the button under the screen, the red square disappears and the klaxon stops.
The defect disappears: 1 RCV 034 AA PRESSION < 1 BAR ABS. When the origin of the alarm disappears, a white square flashes and the colour of the text becomes purple.
Acknowledgment: When the operator has taken into account that the defect has disappeared by pushing the button under the screen, the alarm disappears from the screen. A klaxon (different from the first one) also sounds to make sure that the defect has effectively disappeared.
Remark: The appearance and the disappearance of alarms on the alarm windows are similar. The alarm window flashes when an alarm appears on it. A klaxon also sounds at the same time. When the operator has taken the alarm into account by pushing the button under the screen, the alarm window stops flashing and shows a steady red colour, and the klaxon stops. When the defect has disappeared, the alarm window is turned off.
Besides the audible and visual signals, it is also necessary to define a hierarchy in order to classify the alarms by priority.
The first distinction that can be made is between the alarms that imply the application of the emergency procedures and the ones which do not.
i) The DOS alarms (alarms related to the Stabilization and Guidance Document)
an activity of the materials it would not be necessary to apply these procedures; indeed in this case the appearance of the alarm would be known in advance.
ii) The other alarms
Not all the alarms are classified as DOS and imply the application of emergency procedures; actually most of them do not. Nevertheless, not all these alarms have the same degree of importance, and for this reason they are coded with different colours in order to distinguish them. Each colour has its specific meaning.
The red alarms
The red alarms are transmitted directly to the alarm windows and define the defects which need quick actions. The actions that have to be performed are considered as emergency actions and have to be engaged in a specific time schedule:
The yellow alarms
The yellow alarms are transmitted to the screens and define the defects for which action can be postponed. An action to fix a problem is classified in the category of alarms which can be postponed if the action can be engaged in a time above:
The white alarms
The defects which are dealt first automatically and which correspond to the change of state of some
the screens.
The green alarms
The defects which are dealt automatically and do not need an intervention of the operators are signalized with green alarms. They are transmitted to the screens.
The grouped alarms
Some alarms are grouped. Grouping two or more alarms together is allowed when the operator does not need to discriminate between the defects or when resources are available to make this discrimination easily.
Defects are grouped on one alarm in order to deliver more syntactical information or to save space when the action to fix the alarm is local or of the same nature.
The grouping of alarms remains limited, especially for those corresponding to the first and the fourth category.
When several alarms are grouped, sometimes the audible and visual signals (flashing of the alarm) are triggered every time a defect appears: these are the re-flashing alarms.
When the operator does not need to know the specific details of the problem, the alarms are grouped in one alarm which is handled without flashing on and off all the time. The information is still available locally.
The computer treatment complement (KIT)
The KIT calculator is a complement for the treatment of the alarms. It allows control and verification of the action, monitoring, analysis, and diagnosis. In order to guarantee these functions, the most important defects which generate an alarm on a screen or an alarm window are treated in the calculator and recorded in the KIT memory: each of them transmits an input into the calculator. In this way, after the warning information has been received, the operator can consult the KIT in order to get more detailed information.
This is especially useful for the grouped alarms; indeed it is possible to know the root of an alarm that has appeared on the screen or on the alarm window.
c) Handling of the alarms
When the Unit is operating, the objective is to pilot the reactor “off-light”. The operator has to act as much as possible so that there are no alarms in the control room.
When an alarm appears, the operator has to take it into consideration and perform the action by following the alarm description paper.
If the alarm is expected to appear (a maintenance action, for instance), the operator has to check the cause of the alarm before fixing it.
After that, the operator has to turn off the alarm, in particular to stop the audible signal, which then becomes available again to warn about the appearance of a new alarm.
Dealing with constantly flashing alarms is an important issue. A constantly flashing alarm is symptomatic of operating or design issues. A corrective action has to be performed: transient operating, modification, adjustment of the alarm threshold, problem of hysteresis of the alarm, etc.
Hysteresis of an alarm can be an advantage or a drawback. Its purpose is to prevent the alarm from flashing constantly, by allowing a margin on the threshold before the alarm appears or disappears. Nevertheless, in some situations (see later the case of the alarm named RHY004AA), the hysteresis combined with error margins from the equipment can generate the alarm although it is not required. The hysteresis principle is shown in Figure 1.11:
Figure 1.11: The hysteresis principle of one alarm
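The following Python sketch is an added example, not code from the thesis or from the plant's alarm software. It feeds a low-pressure comparator with hysteresis into the screen stages of Table 1.4 and counts the audible signals, showing both the benefit (fewer re-annunciations) and the drawback (an alarm that stays present once a sensor error is added). The 0.05 bar deadband, the -0.02 bar sensor error, the pressure traces, and the transitions marked as assumptions are constructed for illustration.

```python
from enum import Enum


class Screen(Enum):
    """Screen stages of Table 1.4 (CLEAR = alarm not displayed)."""
    CLEAR = "not on screen"
    APPEARANCE = "red square flashing, audible signal"
    FIXATION = "taken into account, klaxon stopped"
    DEFECT_GONE = "white square flashing, purple text, second audible signal"


class LowAlarmComparator:
    """Raises the defect when reading < threshold; clears it only when
    reading > threshold + deadband (the hysteresis margin)."""

    def __init__(self, threshold, deadband):
        self.threshold, self.deadband = threshold, deadband
        self.present = False

    def update(self, reading):
        if not self.present and reading < self.threshold:
            self.present = True
        elif self.present and reading > self.threshold + self.deadband:
            self.present = False
        return self.present


class ScreenAlarm:
    """One alarm line on the screen, driven by the defect and the push button."""

    def __init__(self, label):
        self.label = label
        self.state = Screen.CLEAR
        self.audible_signals = 0  # each appearance or disappearance sounds once

    def defect(self, present):
        if present and self.state in (Screen.CLEAR, Screen.DEFECT_GONE):
            # Assumption: a defect returning before acknowledgment re-annunciates.
            self.state = Screen.APPEARANCE
            self.audible_signals += 1
        elif not present and self.state in (Screen.APPEARANCE, Screen.FIXATION):
            # Assumption: disappearance before fixation is shown the same way.
            self.state = Screen.DEFECT_GONE
            self.audible_signals += 1

    def push_button(self):
        if self.state is Screen.APPEARANCE:
            self.state = Screen.FIXATION   # operator has taken the alarm into account
        elif self.state is Screen.DEFECT_GONE:
            self.state = Screen.CLEAR      # acknowledgment: alarm leaves the screen


def run(trace, threshold, deadband, sensor_error=0.0):
    """Replay true pressures (bar abs); the operator pushes the button after each sample."""
    comparator = LowAlarmComparator(threshold, deadband)
    alarm = ScreenAlarm("1 RCV 034 AA PRESSION < 1 BAR ABS")
    history = []
    for pressure in trace:
        alarm.defect(comparator.update(pressure + sensor_error))
        history.append(alarm.state)   # state as displayed before the operator reacts
        alarm.push_button()
    return alarm, history


# Constructed traces, not plant data.
TRACE = [1.10, 1.02, 0.99, 1.01, 0.98, 1.02, 0.99, 1.03, 0.97, 1.04, 1.08, 1.12]
RECOVERY_TRACE = [1.10, 0.99, 1.04, 1.04, 1.04]   # brief dip, then back above 1 bar

if __name__ == "__main__":
    for deadband in (0.0, 0.05):
        alarm, _ = run(TRACE, 1.0, deadband)
        print(f"deadband {deadband:.2f} bar: {alarm.audible_signals} audible signals")
    stuck, _ = run(RECOVERY_TRACE, 1.0, 0.05, sensor_error=-0.02)
    print("biased sensor, deadband 0.05 bar:", stuck.state.name)
```

On the noisy trace the deadband cuts the audible signals from eight to two; on the recovery trace the same deadband plus the sensor error leaves the alarm in Fixation although the true pressure is back above 1 bar.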
Alarm handling is of course carried out according to the categories of the different alarms. Inhibition is therefore not permitted for some categories which define the border between normal operation and incident/accident situations.
[Figure 1.11 labels: Presence of the alarm; Alarm threshold]
In order to deal with the reduction of the number of alarms inside the control rooms, it is important to understand the process of the generation of the alarm. This also allows a better understanding of the interaction man/machine in order to try to reduce the number of alarms.
1.2.5 Generation of the alarms: Instrumentation and Control System
a) Generalities
The Instrumentation and Control System represents all the materials which guarantee the operating, the monitoring, and the Nuclear Power Unit safety.
The objective is to assure the three main objectives regarding to the nuclear safety: prevention, monitoring, and mitigating actions. Following this concept, it has to assure the Normal Operation of the materials, prevent the incident and accident, and mitigate the consequences of the incidents and accidents.
2. APPROACH
2.2 Propositions, Plan of action, and methods to reduce the number of alarms in the control rooms
3. APPLICATION, RESULTS, AND DISCUSSION
5. APPENDIX 1: LIST OF THE ABBREVIATIONS
A FEEDWATER SUPPLY
ABP Low Pressure Feedwater Heater System
ADG Feedwater Deaerating Tank and Gas Stripper System
AFR Feedwater Pump Turbine Fluid Control System
AGR Feedwater Pump Turbine Lubrication System
AHP High Pressure Feedwater Heater System
APG Steam Generator Blowdown System
APP Turbine-driven Feedwater Pump System
ARE Feedwater Flow Control System
ASG Auxiliary Feedwater System
ATH Feedwater Pump Turbine Oil Control Processing System
C CONDENSER
CET Turbine Gland System
CEX Condenser Extraction System
CFI Circulating Water Filtration System
CGR Circulating Water Pump Lubricating System
CPA Cathodic Protection System
CRF Circulating Water Condenser Cooling System
CTA Condenser tube cleaning system
CTE Circulation Water Treatment System
CTF Circulating water acid treatment system
CVF Cooling towers
CVI Condenser vacuum system
D MISCELLANEOUS
DAN Elevators in Nuclear Auxiliary building, Electrical building, Waste Treatment building, Turbine hall
DAR Elevators in Reactor building and Operation building
DEG Nuclear island chilled water system
DEL Electrical building chilled water system
DEQ Waste treatment building chilled water system
DMA Handling inside the Maintenance building
DMH Miscellaneous handling equipment (circulating water pumping station)
DMK Fuel building handling equipment
DMM Turbine hall handling equipment
DMN Nuclear Auxiliary building handling equipment
DMQ Waste treatment building handling equipment
DMR Reactor building handling equipment
DMS Electrical building and safeguard auxiliaries building handling equipment
DN Normal lighting, OAR
DNA Normal lighting Maintenance Shop
DNB Normal lighting – Safeguard auxiliaries building
DND Normal lighting – Diesel buildings
DNJ Normal lighting – Gas storage and auxiliary transformer
DNK Normal lighting – Fuel building
DNL Normal lighting – Electrical building
DNM Normal lighting – Turbine hall
DNN Normal lighting – Nuclear Auxiliary building
DNO Normal lighting – High point of structure
DNP Normal lighting – Water intake
DNQ Normal lighting – Waste treatment building
DNR Normal lighting – Reactor building
DNV Normal lighting – Auxiliary boiler building
DNW Normal lighting – Unit operation building
DNX 6.6 KV power supply
DNY Normal lighting – Demineralization building
DRT Control markers
DS Emergency lighting – High point of structure
DSA Emergency lighting – Maintenance building
DSB Emergency lighting – Safeguard auxiliaries building
DSD Emergency lighting – Diesel buildings
DSI Site security system
DSJ Emergency lighting – Gas storage and auxiliary transformer
DSK Emergency lighting – Fuel building
DSL Emergency lighting – Electrical building
DSM Emergency lighting – Turbine hall
DSN Emergency lighting – Nuclear Auxiliary building
DSO Emergency lighting – High point of structure
DSP Emergency lighting – Water intake
DSQ Emergency lighting – Waste treatment building
DSR Emergency lighting – Reactor building
DSV Emergency lighting – Auxiliary boiler building
DSW Emergency lighting – Unit operation building
DSY Emergency lighting – Demineralization building
DTL Closed-circuit television
DTM Moselle temperature alarm transmission
DTV Communication system
DVA Maintenance building cold rooms ventilation system
DVB Maintenance building air conditioning and ventilation system
DVC Control room air conditioning system
DVD Diesel buildings ventilation system
DVF Electrical building smoke exhaust system
DVG Auxiliary feedwater pump room ventilation system
DVH Charging pump room ventilation system
DVK Fuel building ventilation system
DVL Electrical building main ventilation system DVL A, B, C, D
DVM Turbine hall ventilation system
DVN Nuclear auxiliary building ventilation system
DVO Essential service water building ventilation and heating system
DVP Circulating water pumping station ventilation system
DVQ Waste treatment building ventilation system
DVR Computer room ventilation system
DVS Safety Injection and Containment Spray Pump Motor Room Ventilation System
DVT Demineralization building ventilation system
DVU Security building and guardhouse ventilation, air conditioning, lighting and fire detection system
DVV Auxiliary boiler building ventilation system
DVW Unit operation building ventilation system
DVZ Electrical Building Safeguard
DWA Maintenance building hot rooms ventilation
DWP Moselle to site tunnel ventilation system
E CONTAINMENT VESSEL
EAS Containment spray system
EAU Containment and seismic instrumentation system
EBA Containment sweeping ventilation system
EDE Containment annulus ventilation system
EPP Containment leakoff monitoring system
ETY Containment atmosphere monitoring system
EVF Containment cleanup system
EVR Containment Continuous Ventilation and Reactor Pit Ventilation System
G TURBINE GENERATOR GROUP
GRE Turbine governing system
GRH Generator hydrogen cooling system
GRV Generator hydrogen supply system
GSS Moisture separator reheater system
GST Stator cooling water system
GSY Grid connection system
GTH Turbine lube oil treatment system
GEV Power transmission system
GEX Generator excitation and voltage regulation system
GFR Turbine control fluid system
GGR Turbine lubrication jacking and turning system
GHE Generator seal oil system
GPA Generator and power transmission protection
GPV Turbine steam and drain system
J FIRE PROTECTION
JDT Fire detection system
JPD Fire fighting water distribution system
JPH Turbine oil tank fire protection system
JPI Nuclear island fire protection system
JPL Electrical building fire fighting water distribution system
JPP Fire fighting water production system
JPT Transformers fire protection system
JPV Diesel generator fire protection system
K MONITORING
KBS Temperature measurements
KCC Sending data to national emergency response centres
KCD Demultiplexer relay cabling
KCG Auxiliary boiler building alarm relay processing system
KCH Demineralizer alarm relay processing system
KCO Unit alarm relay processing system
KCS Security building alarm relay processing system
KCT Waste treatment building alarm relay processing system
KDO Test data acquisition system
KDS CIT Site Equipment
KER Nuclear island liquid radwaste monitoring and discharge system
KGA Reprom management
KGB Process Control Relaying Software Management
KHY H2 leak detection system
KIR Primary circuit sonic monitoring system
KIT Data processing system
KKK Site and building access control system
KKO Energy metering and perturbography
KME Test instrumentation and measurement
KOS Perturbograph
KPE Tachyperturbograph
KPM Protection of equipment
KPR Remote shutdown panel
KRA Nitrogen risk detection
KRG General control analog cabinets
KRS Site radiation & meteorological monitoring system
KRT Plant radiation monitoring
KSC Main control room mimic panel and auxiliary panel
KSU Security building control panel
KTG Turbine generator group table testing
KXU Threshold electronic relay cabinets
KZC Controlled area access monitoring
L ELECTRICITY
LAA 230 VDC power system = LNF – LNE UPS supply
LAB Turbine generator continuous lubrication pump power supply
LAC Turbine generator emergency lubrication pump power supply
LAE 230 V DC power system train A (LNG)
LAF 230 V DC power system train B (LNH)
LAL 230V power system - BDS power supply
LBA 125 V DC power system (equipment train A)
LBB 125 V DC power system (equipment train B)
LBC 125 V DC power system (equipment and actuators train A)
LBD 125 V DC power system (equipment and actuators train B)
LBE 125 V DC power system - Reactor protection group 1
LBF 125 V DC power system - Reactor protection group 2
LBG 125 V DC power system - Reactor protection group 3
LBH 125 V DC power system - Reactor protection group 4
LBK 125 V Power System
LBZ 125V BDS production and distribution
LCA Unit 48 V power Supply - train A (safety support system; protection auxiliary control system)
LCB Unit 48 V power Supply - train B (safety support system automats)
LDA 28 VDC power system (IPC SCAT train A level 1 Equipment System)
LDC 28 VDC power system (IPC SCAT train A level 1 Equipment System)
LGA LGB LGC 6.6V AC Normal Distribution Unit Auxiliaries
LGD LGE LGF 6.6V AC Normal Distribution permanent Auxiliaries
LGI LGJ Common and Site 6.6V AC Switchboard
LGM LGN 6.6kV AC Distribution Auxiliary Boilers
LGR 6.6kV AC Auxiliary Power Supply
LHA 6.6kV AC Emergency Power Distribution - Train A
LHB 6.6kV AC Emergency Power Distribution - Train B
LHP 6.6kV AC Emergency Power Supply Diesel - Train A
LHQ 6.6kV AC Emergency Power Supply Diesel - Train B
LHT Reaction Turbine
LK. LV AC Network - 380V AC
LL. LV AC Emergency Network - 380V AC
LLS Hydrotest Pump Turbine Generator Set
LM. 220 V Production and Distribution Supply System (miscellaneous unit equipment)
LMC 220 V Production and Distribution Non-Redundant System
LMK 220 V power system, BTE
LNA Reactor protection, group I
LNB Reactor protection, group II
LNC Reactor protection, group III
LND Reactor protection, group IV
LNE Uninterrupted 220V AC power - power supply KIC; MCR light train A
LNF Uninterrupted 220V AC power - power supply KIC train A
LNG Uninterrupted 220V AC power system - power supply KIR, KRT train A
LNH Uninterrupted 220V AC power system - power supply KIC, mimic panel, KRT, MCR light train B
LNL 220V AC Power System (Security building)
LNR 220V AC power - power supply of Maintenance building
LSA Test loops system
LSI Site lighting system
LSJ Fence lighting system
LTR Grounding system
LYS Battery discharge
P FUEL STORAGE POOL
PMC Fuel handling and storage system
PTR Reactor cavity and spent fuel pit cooling and treatment system
R REACTOR
RAM CRDM power supply system
RAZ Nuclear island nitrogen distribution system
RCP Reactor coolant system
RCV Chemical and volume control system
REA Reactor boron and water makeup system
REN Nuclear sampling system
RGL Rod control system
RHY H2 distribution
RIC In-core instrumentation system
RIS Safety Injection system
RPE Nuclear island vent and drain system
RPN Nuclear instrumentation system
RPR Reactor protection system
RRA Residual heat removal system
RRC Boiler control system
RRI Component cooling system
RRM CRDM ventilation
S GENERAL SERVICES
SAA Breathable compressed air production system
SAP Compressed air production system
SAR Instrument compressed air distribution system
SAT Service compressed air distribution system
SBE Maintenance shops hot laundry decontamination system
SDA Demineralised Water Supply System
SDP Demineralised Water Production System and Pretreatment
SDX Demineralization Wastes Neutralisation System
SEB Raw water system
SEC Essential service water system
SED Nuclear island demineralised water production system
SEH Waste oil and inactive water drain system
SEK Conventional island liquid waste collection system
SEN Auxiliary cooling water system
SEO Station sewer system
SEP Potable water system
SER Conventional island demineralized water distribution system
SES Hot water production and distribution system
SEZ Ground water control system
SFI Raw water filtering system
SGZ General gas storage and distribution system
SIR Chemical reagents injection system
SIT Feedwater chemical sampling system
SKH Oil and grease storage system
SLS Cleaning of the secondary side tubesheets of the steam generators
SRE Hot Workshop Drain System
SRI Conventional island closed cooling water system
STB Slurry treatment system
STE Electrical tracing system
STR Steam transformer system
SVA Auxiliary steam distribution
T WASTE TREATMENT
TEG Gaseous waste treatment system
TEN Waste sampling system
TEP Boron recycle system
TER Liquid waste discharge system
TES Solid waste treatment system
TEU Liquid waste treatment system
TRI Waste treatment building cooling
S STEAM CIRCUIT
VPU Steam line drain system
VVP Main steam
X AUXILIARY STEAM
XAA Auxiliary Boiler Feedwater System
LIST OF ABBREVIATIONS
A
AAR Scram, Reactor trip
ADR Risk Analysis
AEI I&C, Electrical, IT Department
AIC Computerised Tagging System
AN GV Normal Outage on SG
ANRRA Normal Outage on RRA
APE State-oriented Approach
API Cold Outage for Repair
APR Refuelling Shutdown
APRP Loss of Coolant Accident (LOCA)
AQ Quality Assurance
ARI Isolating Breathing Apparatus
AS Safety Authorities
ASN Nuclear Safety Authority
AT Outage
B
BAC Waste Auxiliary Building
BAN Nuclear Auxiliary Building
BC Fuel Branch
BCCN Nuclear Equipment Manufacturing Inspectorate
BdC Tagging Office
BDMAT Equipment Database
BdS Security Building
BIC Operating Engineering Section
BK Fuel Building
BL Electrical Building
BMO Operating Methods Library
BPA Approved for Action
BPE Approved for action
BPR Approved for Implementation
BR Reactor Building
BTC Operating Technical Method
BTE Effluent Treatment Building
C
CA Work Co-ordinator and Manager (EDF work)
CAE As-built (drawings)
CAM Trade Work Co-ordinator
CAPE Active Installed Base Support Centre
CAS Systems Work Coordinator
CC Tagging Supervisor
CC Technical Inspector/Work Checker
CD Management Team
CDE Extended Management Team
CDO Operational Management Team
CdS Department Manager
CdT Work Supervisor
CE Operations Shift Manager
CE-Quart Duty Operations Shift Manager
CEIDRE Corporate Chemical & Metallurgical Laboratories
CET Technical evaluation committee
CFH Human Factor Consultant
CHSCT Health and Safety Workplace Committee
CID Inter-departmental Collaboration
CIF Individual Training Log
CIINB Inter-Ministerial Committee of Basic Nuclear Installations
CIM Head of Professional Sector Maintenance Work
CIP Public Information Centre
CIPN NPP Operations Engineering Centre
CLI Local Information Commission
CME Operations Foreman
CND Non-destructive Test (NDT)
CNIL National Committee for IT and Freedom
CNPE Nuclear Power Plant
COAT Outage Committee
COCAR Professional development committee
CODIS Regional Operational Fire and Rescue Centre
COE Environment Committee
COET Operations Committee
COMEX Executive Committee
COMSAT Outage Safety Committee
COOP Operational Production Optimisation Centre
COSR Industrial Safety and Radiological Protection Committee
CP Project Head
CPHC Senior Head Foreman
CR Report, minutes
CREL Local Event Report
CRES Significant Operating Event Report (SOER)
CRHM Human Resources & Management Committee
CRP RP Committee
CSCT Technical Specifications and Conditions
CSNE Corporate Nuclear Safety Review Committee
CT Technical Committee / Shift Supervisor
CT Quart Duty Shift Supervisor
CTC Temporary Operating Instruction
CTE Operational Technical Review Committee
CTI Engineering Technical Committee
CTS Nuclear Safety Committee
D
DCN Nuclear Fuel Division
DCO Chemical Oxygen Demand (COD)
DDD Dose-rate
DEGS EDF-GDF Services Direction
DES Safety Assessment Department
DGSNR Directorate General for Nuclear Safety and Radiation Protection
DI Work Request / Work file
DI meeting
DIN Nuclear Installation Division
DIN Nuclear Engineering Division
DIS Nuclear Engineering Division
DITHR Thermal, Hydroelectric and Renewable Engineering Division
DM Change/Modification File
DMP Special Tools and Equipment (temporary)
DOI Fire Guidance Document
DOS Stabilization and Guidance Document
DPN Nuclear Operation Division
DPTHR Thermal, Hydroelectric and Renewable Generation Division
DR Execution File
DRIRE Regional Directorate for Industry, Research and Environment
DSE Plant Systems Description
DSIN Nuclear Installations Safety Directorate
DSM Pooled Services Division
DSQ Safety Quality Director
DVP Asset Development and Exploitation
E
EC Joint Team
EH Hydrostatic Test
EIS Fire & First Aid Team
EIS Safety-Related Event
EP Periodic Test
EP Procedure
EPS Probabilistic Safety Assessment
ESE Environmental Significant Event
ESR Radiological Protection Significant Event
ESS Nuclear Safety Significant Event
EST Radioactive Transport Significant Event
F
FA Anomaly Report
FAI Fire Action Sheet
FAR Quick analysis sheet
FE Gap analysis sheet
FNC Non-conformance Report
FSI Execution Synthesis Form
G
GAI International Activities Group
GAM Professional Sector Management Group
GAP Corporate Installations Affairs Group
GCR Radiation Protection Coordination Group
GDL Corporate Chemical and Metallurgical Laboratories
GDMI Information Systems Maintenance and Development Group
GEnv Environment Group
GET Network Operational Group
GIP Process Engineering Group
GMC Boiler Maintenance Group
GMSA Active Systems Maintenance Group
GPEC Skills and Jobs Anticipated Management
GPR Advisory Committee for Nuclear reactors
GPR Risk Prevention Group
GRE OE Group
GSI IT manager
GSI Information Systems Group
GSN Nuclear Safety Group
GT EP EP Working Group
GTS Safety Technical Committee
GVP Performance & Monitoring Group
I
ICPE Installations classified for Environmental Protection
IN Nuclear Inspection Department
INB Basic Nuclear Installation
IPE Post-commissioning Technical Support
IPS Safety-Related
IRSN Radiological Protection and Nuclear Safety Institute
IS Safety Injection / Safety Engineer
ISAT Outage Safety Engineer
ISS Duty Safety Engineer
M
MDL Second Line Manager (department head)
MMCR Maintenance-Mechanics-Boilerwork-Valves Department
MOA Training Commissioning/Training Commissioner
MOE Training Provision/Training Provider
MPL First Line Manager
MQ Quality Manual
MSQ Safety and Quality Team
MTI Temporary Plant Modifications
N
NA Application Memorandum
NO Organisation Memorandum
NS Departmental Memorandum
NT Technical Procedure
O
OI Work Order
OIS Standard Work Order
OMF Reliability Centred Maintenance
OPRI Office for Protection against Ionising Radiation
OTC Optimisation – Trading – Marketing
P
PBMP Basic Preventive Maintenance Programme (corporate)
PC Set Point
PCC Site Assessment Emergency Centre
PDQ Quality Plan
PDR Spare parts
PDR General Work Form
PEE Test Procedure
PFU Unit Training Plan
PGF Training Guidelines
PIF Individual Training Plan
PLAP Local Professional Adaptation Scheme
PMT Medium Term Plan
PMUC Material and Equipment for Use in Power Plants
PPI Off-site Emergency Plan
PQS Quality and Safety Plan
PRS Assembly Point for Emergency Services
PRV Preventive Maintenance System (computer)
PTF Standard Professional Scheme
PTJ Small everyday jobs
PUI On-site Emergency Plan
PV Report
PVE Test Report
Q
QNS Non Quality Control
QS Quality Control
QS/QNS Maintenance
R
RAT Outage Meeting