# Development and Design Validation of Reactor Protection System Verification Facility for SMART

Seo Ryong Koo<sup>a\*</sup>, Seop Hur<sup>a</sup>, Chang Hwoi Kim<sup>a</sup>

<sup>a</sup>Nuclear ICT Research Division, Korea Atomic Energy Research Institute, 989-111 Daedeok-daero, Yuseong-gu, Daejeon, 34057, Republic of Korea

<sup>\*</sup>Corresponding author: srkoo@kaeri.re.kr

### 1. Introduction

The Reactor Protection System (RPS) is a vital system consisting of sensors, calculators, logic, and other equipment necessary to monitor selected plant conditions and to effect a reliable and rapid reactor shutdown (reactor trip) if monitored conditions approach specified safety system settings [1]. Its functions are to protect the core fuel design limits and the reactor coolant system (RCS) pressure boundary during anticipated operational occurrences (AOOs), and to assist in mitigating the consequences of accidents. Four measurement channels with electrical and physical separation are provided for each parameter to generate the trip signals. The RPS performs the reactor trip function and the ESF initiation function. The RPS provides an emergency shutdown of the reactor to protect the core and the reactor coolant system pressure boundary. The ESF-CCS provides the functions required to prevent the release of significant amounts of radioactive material to the environment in the event of a pressure boundary rupture. This study describes the development and design validation of the RPS verification facility for SMART.

### 2. RPS Verification Facility for SMART

The RPS performs the reactor trip function and the ESF (Engineered Safety Features) initiation function. To enhance safety and economy, the RPS adopts proven technologies from conventional nuclear power plants and a simplified design that includes SCOPS (SMART COre Protection System) as a processor module in the RPS [2].

### 2.1. Configuration of RPS Verification Facility

Fig. 1 shows the RPS verification facility developed in this research for the design validation of the RPS for SMART. The facility consists of the SCOPS processor, bistable processor, coincidence processor, interface and test processor, maintenance and test panel, and initiation and actuation logic and devices. The SCOPS processor, bistable processor, and coincidence processor are located in the left-side cabinet of the verification facility. The maintenance and test panel (MTP) and the interface and test processor (ITP) are located in the right-side cabinet.

The bistable processor generates a trip signal if the process value of a measurement channel exceeds its setpoint. It provides its trip signals to the coincidence processors located in the four redundant channels. The coincidence processor determines the coincidence logic trip based on the state of the four like bistable trip signals and their respective bypasses. The coincidence trip signals are used to generate the RTSS or ESF-CCS initiation. In the SCOPS processor, the calculated DNBR and LPD are compared with trip setpoints to initiate the low DNBR trip and the high LPD trip. The trip signals generated in each SCOPS channel are sent to the bistable processor in the corresponding RPS channel. The ITP monitors the RPS status and is used to initiate manual and/or automatic surveillance testing based on operator input via the MTP. The MTP serves as a data communication gateway that sends selected RPS channel status and test results to the IPS.
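The bistable and coincidence stages described above, sketched as an added Python example (not code from the paper or from the RPS software). The 2-out-of-4 vote, the exclusion of a bypassed channel from the vote, the one-bypass-at-a-time interlock, the fail-safe handling of invalid readings and the setpoint value are assumptions; the page does not specify them.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Bistable:
    """One trip parameter: compares a channel's process value with a setpoint."""
    setpoint: float
    trip_on_high: bool  # True: trip above setpoint; False: trip below it

    def trip(self, value):
        # Assumed fail-safe rule: a missing or NaN reading counts as a trip.
        if value is None or math.isnan(value):
            return True
        return value > self.setpoint if self.trip_on_high else value < self.setpoint


def coincidence(trips, bypasses, votes_required=2):
    """Vote over four like bistable trip signals and their bypasses."""
    if len(trips) != 4 or len(bypasses) != 4:
        raise ValueError("expected four redundant channels")
    # Assumed bypass interlock: at most one channel bypassed at a time.
    if sum(bool(b) for b in bypasses) > 1:
        raise ValueError("bypass interlock: more than one channel bypassed")
    # A bypassed channel is excluded, so 2-out-of-4 becomes 2-out-of-3.
    active = [bool(t) for t, b in zip(trips, bypasses) if not b]
    return sum(active) >= votes_required


def channel_vote(bistable, values, bypasses=(False,) * 4):
    """Bistable stage for each channel, then the coincidence stage."""
    return coincidence([bistable.trip(v) for v in values], bypasses)


# Constructed sample: a high-pressure trip with a made-up setpoint of 17.0.
HIGH_PRESSURE = Bistable(setpoint=17.0, trip_on_high=True)

if __name__ == "__main__":
    cases = {
        "one channel high": ([15.0, 15.1, 17.2, 15.0], (False,) * 4),
        "two channels high": ([17.3, 15.1, 17.2, 15.0], (False,) * 4),
        "tripped channel bypassed": ([17.3, 15.1, 17.2, 15.0], (True, False, False, False)),
        "healthy channel bypassed": ([17.3, 15.1, 17.2, 15.0], (False, True, False, False)),
        "one high, one invalid": ([17.3, float("nan"), 15.0, 15.0], (False,) * 4),
    }
    for name, (values, bypasses) in cases.items():
        print(f"{name}: trip={channel_vote(HIGH_PRESSURE, values, bypasses)}")
```

Bypassing a channel that is already tripped removes its vote, which is why the third case no longer reaches the coincidence threshold while the fourth still does.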



Fig. 1. RPS Verification Facility Cabinet (including SCOPS PLC)

The RPS verification facility has many hardware components and interfaces. Table I lists the major components of the RPS verification facility, including SCOPS. The major interfaces are as follows.

- Process input from field (Analog Input)
- Reactor trip signal to RTSG (Dry Contact Output)
- SDL Communication
  - Communication Input from SCOPS
  - Communication Output to ESF-CCS
  - Communication for Internal Trip Signals
- SDN Communication
  - Communication for Internal Information
  - Inter Channel Communication

Table I: Components of RPS and SCOPS Verification Facility

| System                    | Sub System             | Major Component                                                                  |
|---------------------------|------------------------|----------------------------------------------------------------------------------|
| RPS Cabinet               | SCOPS                  | Empty Slot (It will be Integrated in RPS Cabinet)                                |
| RPS Cabinet               | BP                     | POSAFE-Q PLC                                                                     |
| RPS Cabinet               | CP                     | POSAFE-Q PLC                                                                     |
| RPS Cabinet               | ITP                    | POSAFE-Q PLC                                                                     |
| RPS Cabinet               | Initiation Circuit     | Young-sung Relay (YSMR07-2P), Watchdog for PLC (Brentek P8-WDT24/PLC-A2-10)      |
| RPS Cabinet               | MTP Computer           | MEN-F19P (QNX 6.3.2, PC SDN Card)                                                |
| RPS Cabinet               | MTP Display            | Advantech Touch Screen Display (ADVANTECH FPM-5171G)                             |
| RPS Cabinet               | Function Enable Switch | Young-sung Switch                                                                |
| RPS I/O Simulator         | Control PC             | Dell PC                                                                          |
| RPS I/O Simulator         | Monitor                | LG Monitor                                                                       |
| RPS I/O Simulator         | I/O chassis            | National Instrument I/O chassis and modules                                      |
| RPS I/O Simulator         | Communication PLC      | POSAFE-Q PLC                                                                     |
| RPS I/O Simulator         | OM and Trip Switch     | Young-sung Switch                                                                |
| SCOPS Cabinet (Temporary) | SCOPS                  | POSAFE-Q PLC                                                                     |
| SCOPS Cabinet (Temporary) | MTP Computer           | MEN-F19P (QNX 6.3.2)                                                             |
| SCOPS Cabinet (Temporary) | MTP Display            | Advantech Touch Screen Display (ADVANTECH FPM-5171G)                             |
| SCOPS I/O Simulator       | Control PC             | Dell PC                                                                          |
| SCOPS I/O Simulator       | Monitor                | LG Monitor                                                                       |
| SCOPS I/O Simulator       | I/O chassis            | National Instrument I/O chassis and modules                                      |

### 2.2. Development and Design Validation

For software reliability, this research adopted a standard software development method, the Software Development Life Cycle (SDLC). Specifically, a modified incremental SDLC model was used in accordance with the project schedule of SMART. The modified incremental model is a method of software development in which the software is designed, implemented and tested incrementally until it is finished. The software is defined as finished when it satisfies all of its requirements. This model combines elements of the waterfall model with the iterative philosophy of prototyping. Fig. 2 shows the modified incremental software life cycle model.

For the design validation of the RPS verification facility, the following validation tests were performed according to the basic codes and standards for nuclear power plants [3, 4].

- Component Test (CT)
- Integration Test (IT)
- System Test (ST)
- Acceptance Test (FAT/SAT)



Fig. 2. Modified Incremental Software Life Cycle Model

Fig. 3 shows the schematic diagram of the validation tests in this research. The Component Test (CT) is done at the lowest level of the software. It tests the basic units of software, such as the software modules of each processor (BP, CP, and ITP). The Integration Test (IT) is performed on the integrated units based on the information in the software design specifications. The System Test (ST) affirms the end-to-end quality of the entire system and is often based on the functional and performance requirements of the system. It tests the integrated software and hardware based on the information in the system requirements. Finally, the Acceptance Test (AT) is done when the completed system is handed over from the developers to the customers or users. It tests the system based on the system requirements.



Fig. 3. Schematic Diagram of Validation Tests

### 2.3. Design Validation Tests Results

Design validation tests were performed to prove the functions and performance of the RPS. The major function and performance requirements of the RPS are as follows.

- Reactor Trip / ESF Actuation Function
- CWP (Ch.D) Signal Function
- Test Function
- Bypass (start-up, shutdown, testing/maintenance) Function
- Interlock (bypass, test) Function
- Response Time: BP Input to Initiation Relay Output 264 ms
- CPU Usage: less than 60%

Based on the above requirements, the system test features of the RPS shown in Table II were generated in this research.

| DS Ch. | DS Name | Validation Method | System Test Feature ID | System Test Feature Description |
|--------|---------|-------------------|------------------------|---------------------------------|
| 5.1.1 | Overview | | | |
| 5.1.2 | Reactor Trip Function | System Test | ST-RPS-FUN-F01 | Variable Overpower Trip, High Logarithmic Power Level Trip, High Local Power Density (LPD) Trip, Low Departure from Nucleate Boiling Ratio (DNBR) Trip, High Pressurizer Pressure Trip, Low Pressurizer Pressure Trip, High Main Steam Line Pressure Trip, Low Main Steam Line Pressure Trip, Low Feedwater Flow Trip, High Lower Containment Area Pressure Trip, Low RCP Speed Trip, Low Reactor Coolant Flow Trip, High Feedwater Flow Trip, Low Pressurizer Level Trip, High Pressurizer Level Trip, Manual Trip, High Letdown Discharge Amount Trip, High SG Inlet Temperature Trip |
| 5.1.3 | Engineered Safety<br>Features Actuation<br>Function | System Test | ST-RPS-FUN-F02 | Each ESF actuation function shall be monitored continuously by ESF-CCS.<br>CMTAS, CIAS, PRHRAS, SITAS, ADAS, CVCSIAS, LDLIAS, BDSAS, TMSFLIAS, CPRSAS |
| 5.1.4 | Control Function | Design Review | | |
| 5.1.5 | Alarm Function | System Test | | N/A |
| 5.1.6 | Test Function | | | |

Table II: Sample of System Test Features of RPS

In the component test, branch coverage testing was carried out using a white-box test technique. As shown in Fig. 4, the component test was performed successfully for all modules of the RPS.

| RPS                          | Pass (%) | All Objects (Number) | Passed Object (Number) | Failed Object (Number) |
|------------------------------|----------|----------------------|------------------------|------------------------|
| Test                         | 100%     | 106                  | 106                    |                        |
| Features                     | 100%     | 100                  | 100                    | -                      |
| Test Cases                   | 100%     | 1210                 | 1210                   | -                      |
| Coverage (Branches or Bools) | 100%     | -                    | -                      | -                      |

Fig. 4. Component Test Results of RPS

For the integration test, the test features were divided among three subsystems: the bistable processor, the coincidence processor, and the interface and test processor. All test features for the functions of each processor were successfully examined in the integration test phase.

Finally, in the system test phase, all functional tests of the RPS passed for all test features, as shown in Table II. For the performance test of the RPS, response time and CPU usage were measured. The CPU usage was less than 60% for each of the bistable processor, coincidence processor, and interface and test processor. The response time measured at system test for the RPS is shown in Fig. 5. It satisfies the response time requirement of the RPS.

| Signal Type                                     | Response Time Requirement | Measured Response Time |
|-------------------------------------------------|---------------------------|------------------------|
| RPS Reactor Trip (Analog Input to Relay Output) | 264 ms                    | 156.2 ms               |
| RPS Reactor Trip (SDL Input to Relay Output)    | 264 ms                    | 138.4 ms               |
| RPS ESF Initiation (Analog Input to SDL Output) | 264 ms                    | 147.4 ms               |
Fig. 5. Results of Response Time Test

### 3. Conclusions

The verification facility of the RPS for SMART was developed according to the modified incremental SDLC model, and the design validation tests were successfully accomplished through this research project. The design validation was conducted to check the feasibility of implementing the new design concept of the RPS and to check the performance requirements such as CPU usage and response time. For all functional requirements of the RPS, all tests (CT, IT, ST) passed successfully. According to the measurements in the system test phase, the CPU usage of all components (BP, CP, ITP) is less than 60% and the response time (BP input to initiation relay output) is less than 260 ms based on performance requirements.

### REFERENCES

[1] J.H. Park, D.Y. Lee, and C.H. Kim, Development of KNICS RPS prototype, ISOFIC 2005, Nov. 1-4, 2005.

[2] S.R. Koo, S. Hur, and C.H. Kim, Optimized Design of the Reactor Protection System for SMART, SMiRT-24, Aug. 20-25, 2017.

[3] IEEE Std. 7-4.3.2, IEEE Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations, 2003.

[4] IEEE Std. 1012, IEEE Standard for Software Verification and Validation, 2004.