Operation of Shared Systems via a Common Control System in a Multi-Modular Plant

Integral type reactors may need to be grouped to produce as much energy as a utility demands due to the small electrical output of an individual reactor. Sharing of systems among modules at a nuclear plant site is economically beneficial. Operation of systems shared between modules in a multi-modular plant is an issue never met in current NPPs, which may impact human performance. A design of operation of the shared systems via a common control system is presented as a technical approach to solve the problem. Modules and shared systems are controlled in independent network domains, respectively. Different from current NPPs, a limitation of operation authorities corresponding to certain modules and shared systems is defined to minimize the operation confusion between modules by one operator and to minimize the operation confusion of shared systems by different operators. Different characteristics of the shared system are analyzed, and different operation and control strategies are presented. An example is given as an application of the operation strategies. The operation design of the multi-modular system is in the preliminary stage, and, as a concept design, more verification and validation are needed in further work.


Introduction
The integral type reactor is a promising solution to meet future energy needs. Due to the design aspects of the integral type reactor, the electrical output of an individual reactor is relatively small compared to that of a typical commercial nuclear power plant. However, reactors can be grouped to produce as much energy as a utility demands due to the economic benefits [1], which form a nuclear energy system with multiple modules. To further reduce the cost, many designers of the small modular reactors [2,3] provide for creation of multi-module plants with certain shared components and infrastructure [4]. The sharing of systems between modules means that only one system needs to be built rather than two [5]. It is a reduction of overall construction time and outlay for equipment, materials, and structures.
The configuration of a multi-modular plant is different from current NPPs, and the differences include the layout of the infrastructure, integral placement of primary coolant system components, and shared systems or resources among modules. The sharing among modules may include the minor support or auxiliary systems, such as circulating water, instrument air, and AC and DC electric power [6], and some major primary or secondary systems, such as turbine generators coupled with two or more modules [7]. Besides, the control system of the multi-modular plant is another aspect shared between modules. The control considerations of the shared aspects are uncommon in nuclear power operational experience, as presented by Clayton and Wood [8].
Due to the differences between the multi-modular plant and current NPPs, the U.S. Nuclear Regulatory Commission (NRC) conducted research to examine the human factors engineering (HFE) and the operational aspects of small modular reactors (SMRs). The research identified some potential human performance issues that should be considered in NRC's reviews of small modular reactor designs and in future research activities [9]. These issues include multi-unit operations and teamwork, staffing mode and staffing level, control room configuration and workstation design, HSI design for multi-unit monitoring and control, and operational impact of control systems for shared aspects of SMRs. However, there is no operating experience from predecessor plants for the multi-modular plant, especially for the systems shared between modules. The operations of shared systems are related to many aspects, such as control system design [10][11][12], human factors engineering [13,14], teamwork, and operator training. In order to provide a technical approach to solve the problem, this paper presents a design strategy of the operation for shared systems via a common control system of a multi-modular plant.
In the design, a digital control system is used to realize the monitoring and control of multiple modules, and each individual module is controlled via an independent network domain. The HSI (human-system interface) network connects all control network domains on an upper level, which enables monitoring and control of the whole plant through the operator workstation. Different operation and control strategies are considered for different types of shared systems. Control procedures are developed, and an example of the shared system control design in HTR-PM is presented.

Issues of Control and Operation of Shared Systems
2.1. Shared Systems. The shared systems refer to the resources and components that are shared among modules. The sharing of systems cannot impair the ability of the systems to perform their safety functions. Thus, an important objective of sharing systems is to reduce cost while maintaining safety. For many designs of multi-modular plants, safety functions are not shared. In this paper, the shared systems mainly include the process systems and control systems, which are all non-safety systems. Infrastructures are not included, such as buildings and structures mentioned in [4,8], because they need no controls.
According to the degree of the sharing, the shared systems can range from minor support or auxiliary systems to major primary or secondary systems. The minor support and auxiliary systems include systems for circulating water, instrument air, service-water cooling, and AC and DC electric power. These systems supply working medium for modules simultaneously or in turn. As these are important auxiliary systems, the failure of a shared process system may result in an abnormal situation of one module or more. The turbine generator coupled with two or more modules of HTR-PM [15] is an example of the major systems shared among modules. The steam generated by the two NSSS (nuclear steam supply system) modules, respectively, feeds one steam turbine to generate electricity. The turbine generator may be the biggest system shared among modules.
From the viewpoint of control, the shared systems can be categorized into two types. The first type is the systems capable of connecting with all modules simultaneously, such as the turbine shared among modules, or the device-cooling water systems. The second type is the system connecting with one module at a time, which is an independent system with full capacity for one module that can be cross-connected to support the other module if necessary. An example of this type of sharing is the standby coolant supply system that provides the capability to cross-connect selected portions of the residual heat removal (RHR) systems between units [5].
In order to realize the integrated monitoring and control, the common control system should be employed, which is another shared aspect. According to the I&C (instrument and control) design of current NPPs, all processes are monitored and controlled in an integrated fashion, and one control room is used. For the multi-modular plant, all modules may be monitored and controlled via a common control system, similarly to current NPPs.

Differences with Current NPPs.
Operation of a multi-modular plant is different from current NPPs, as shown in Table 1. These differences may have the potential to impact human performance.
For current NPPs, one control room is used to realize the monitoring and control of a single unit, and four or five operators are responsible for operation of reactor, turbine, and balance of plant (BOP), respectively. All systems involved are serving one unit; there is no concept of "sharing." For a multi-modular plant, one control room may be used to realize the monitoring and control, and multiple modules may be operated by one operator (crew). The challenge to the operator lies in monitoring such a control system to confirm that individual modules and shared systems are performing properly and that there are no degradations of the I&C system.

Operation of Shared Systems.
The operational impact of control systems for shared aspects is identified as one of the potential human performance issues that should be considered in the US Nuclear Regulatory Commission's reviews of SMR designs [9]. The integrated control of multiple modules and their shared systems can be an operational challenge, as well as an I&C (instrument and control) one.
For the multi-modular system, the concept of operations is in the preliminary stages, and control room and HSI designs are all in the conceptual phase. However, whatever the control room or HSI looks like, the control system of shared aspects is an important issue to be solved, which may include some special problems.
(1) How can the operators monitor and control the multiple modules and shared systems?
(2) How are the controls of multiple modules and shared systems to be implemented at operator workstations?
(3) Can different operators at different workstations monitor different modules and shared systems?
(4) Are the shared systems to be operated by more than one operator?
(5) How to control the shared system by more than one operator?
(6) Are there increased opportunities for wrong operation?
The problems above are to be solved through two technical approaches in this paper: control system design and operation strategy.

A Design of Control System for a Multi-Modular Plant
It is a trend for the nuclear industry to employ a digital I&C system. Most of the modular reactors designed recently employ digital I&C, such as SMART [16] in Korea and mPower [17] in America. Control room designs are in the conceptual phase for many types of modular reactors. Configuration of the HSI and staffing level [18] are developed as prototypes and not finally determined. However, some design characteristics of the control system can be determined based on the monitoring and control function of the multi-modular system without consideration of the control room design.

System Architecture.
A control system should be employed to realize the integrated monitoring and control for the multi-modular system, as shown in Figure 1.
Similar to current digital control systems, the system consists of devices divided into three levels: the first level is the equipment of the plant, the second level is the control station, and the third level is the human-system interface (HSI) device. The HSI devices supply information and controls, where the operator monitors and controls the plant; the control stations execute the commands from the HSI level, and automation of the equipment is executed here, too.
Considering the characteristics of the multi-modular system, the network is designed a little differently. Control stations for a single module are designed to be connected in an independent network domain. Here, the independent network domain refers to a domain without direct network connection to the other domain on the control network level, and each network domain has its own network switches to the HSI network level. The control stations in an independent domain are dedicated to controlling the process for a single module. Similarly, control stations dedicated to shared systems are connected by another independent network domain.
The HSI network connects the control network of each module and shared systems on an upper level, and the data of every module and every shared system can be accessed and viewed by any VDU (visual display unit) at the operator workstation.
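One way to check a plant network description against the independence property defined above, as an added example that is not part of the paper: with HSI-level nodes removed, the control level must split into components that each carry one domain label and each have an uplink to the HSI network. Node names, the tuple format and the dual-homed `eng-ws` device are constructed for illustration.

```python
from collections import defaultdict

# Constructed topology: node -> (network level, domain label).
NODES = {
    "cs-m1-a": ("control", "module1"), "cs-m1-b": ("control", "module1"),
    "sw-m1": ("control", "module1"),
    "cs-m2-a": ("control", "module2"), "sw-m2": ("control", "module2"),
    "cs-sh-a": ("control", "shared"), "sw-sh": ("control", "shared"),
    "hsi-core": ("hsi", None), "ws-op1": ("hsi", None),
}
GOOD_LINKS = [
    ("cs-m1-a", "sw-m1"), ("cs-m1-b", "sw-m1"), ("sw-m1", "hsi-core"),
    ("cs-m2-a", "sw-m2"), ("sw-m2", "hsi-core"),
    ("cs-sh-a", "sw-sh"), ("sw-sh", "hsi-core"),
    ("ws-op1", "hsi-core"),
]
# Constructed faulty variant: an unlabelled device wired into two module
# domains, and the shared-systems domain left without its HSI uplink.
BAD_NODES = {**NODES, "eng-ws": ("control", None)}
BAD_LINKS = [l for l in GOOD_LINKS if l != ("sw-sh", "hsi-core")] + [
    ("sw-m1", "eng-ws"), ("eng-ws", "sw-m2"),
]


def control_components(nodes, links):
    """Connected components of the control level, HSI-level nodes removed."""
    adj = defaultdict(set)
    for a, b in links:
        if nodes[a][0] == nodes[b][0] == "control":
            adj[a].add(b)
            adj[b].add(a)
    seen, comps = set(), []
    for start in sorted(n for n, (lvl, _) in nodes.items() if lvl == "control"):
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            node = stack.pop()
            if node not in comp:
                comp.add(node)
                stack.extend(adj[node] - comp)
        seen |= comp
        comps.append(comp)
    return comps


def audit_domains(nodes, links):
    """Return findings that violate the independent-domain definition."""
    findings = []
    # Control-level endpoints of links that cross to the HSI level.
    uplinked = {a if nodes[a][0] == "control" else b
                for a, b in links
                if {nodes[a][0], nodes[b][0]} == {"control", "hsi"}}
    for comp in control_components(nodes, links):
        domains = sorted({nodes[n][1] for n in comp if nodes[n][1]})
        if len(domains) > 1:      # direct or indirect coupling of domains
            findings.append(("domains-bridged", tuple(domains)))
        if not comp & uplinked:   # domain unreachable from the HSI network
            findings.append(("no-hsi-uplink", tuple(sorted(comp))))
    return findings
```

Working on components rather than single links also catches indirect coupling through an intermediate device that carries no domain label of its own.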

System Characteristics
3.2.1. Advantages. The system architecture may have many advantages, including the following.
(1) The control system design enables integrated monitoring and control from one control room or two separate control rooms, which supplies flexibility for control room design and HSI design.
(2) Failure of one individual control network domain cannot affect other control network domains, which ensures the normal operation of other modules and shared systems and minimizes the risk of control failures of all modules due to a network common-cause failure.
(3) Failure of HSI network may not affect the automation of the plant executed in the control station on the control network level.
(4) The design enables adding new module controls to the system with less impact on current modules.
(5) The design also enables the authority definition according to the network domain. Different control authorities can be defined based on the network position of the control system.

Possible Drawback.
Failures of HSI network will cause loss of the monitoring and manual operation of the whole plant via the control system. Diversities should be provided, such as direct hardwire connection from plant equipment to the control room and safety monitoring and controls (not included in Figure 1). The hardwire connection and safety controls are not aspects shared among modules and not the focus of this paper.

Necessity of Authority Limitation.
For current NPPs, there are few concepts of authority. The plant is controlled by the operator according to the operating procedures. Every operator has his own responsibility; the reactor operator is in charge of the reactor control and the turbine operator is in charge of the turbine control. For a plant with multiple modules, if there is no authority limitation, control of a shared system may cause confusion between operators, especially for a system operated by different operators at the same time. Therefore, the operation authority of a certain operator should be limited. In order to solve the problem, three different types of authorities are defined: monitoring authority, operation authority, and allocation authority.

Monitoring Authority.
Monitoring authority here refers to the access to displays at the operator workstation. The HSI of the operator workstation is the most important way to share information and support teamwork, and any operator logged in to the system should have the authority to view all displays. The control system architecture enables that, because every operator workstation has the same function as a node of the network.

Operation Authority.
Operation authority refers to the authorization of an operator to operate the plant equipment via VDUs. According to design aspects of the control system, different types of operation authority can be defined. Figure 2 gives an illustration of the operation authority design. Operation authority can be divided into two types: individual module operation and individual shared system operation.
Control authority corresponding to the first network domain refers to the operation authority of the equipment dedicated to module no. 1. Operators with operation authority of the network domain of module no. 1 can operate the equipment of module no. 1 through the operator workstation. Similarly, operators with operation authority in the control network domain of shared systems can operate the equipment of the shared systems.
An operator may have the authorities of more than one domain or system according to the task he should accomplish. The equipment in a certain system can be operated by anyone who owns the corresponding authority. The authority of one system can be assigned to more than one operator. Here, operators with different authorities are identified by the user name and password when they log in to the HSI system.

Allocation Authority to the Operator.
Besides the basic operation of the real equipment in the plant, there is another kind of authority, which is designed to be implemented by the senior operator, such as the supervisor. This kind of authority enables the supervisor to allocate operation authority to a certain operator, according to the situation of the plant. For example, when some of the modules are shut down due to the need of the electrical power grid, the responsibility of the operator who is in charge of these modules may be changed and the operation authority also needs to be changed. Here, the allocation of the control authority makes sense. The operation authority can be changed at the supervisor workstation through VDUs.
The design of allocation authority supplies flexibility in operation authority configuration according to the plant situation of multiple modules.

Advantages of Authority Limitation.
This operation authority design enables one module to be operated by a certain operator as well as one operator to operate some certain modules. It is designed to minimize the opportunity for wrong operation between modules and the control confusion of the shared system by different operators at different workstations. If, according to the task analysis, an operator is in charge of only one module, he should not operate the equipment of other modules to avoid confusion between modules. The authority design is a technical approach to minimize human mistakes.

Operation Strategies of Shared Systems
The shared systems may include small auxiliary systems and big primary or secondary systems. However, from the viewpoint of control, the systems shared among modules can be divided into two types: the systems capable of connecting with all modules simultaneously and the systems connecting with one module at a time. The differences between the two types are shown in Figure 3, in which the connections between systems are represented by different types of electrical switches.
For a system capable of connecting with all modules simultaneously, there is no need for a switchover function from one module to another. The connection can be switched on or off according to the operation requirement of each module with little interaction effect on other modules.
For systems connecting with one module at a time, the switchover function is needed. Switchover between modules is complicated, because the switchover may impact the states of the two modules before and after the switchover. Some special strategies should be considered.

System Capable of Connecting with All Modules Simultaneously.
For the shared systems capable of connecting all modules simultaneously, the operation authority can be allocated to one certain operator by the supervisor for the first time and not changed most of the time.
No matter whether the system shared is small or big, the control strategies are similar. The cooling water system supplies water for all modules at the same time, and control of this system may be authorized to a certain operator, who is responsible for monitoring and controlling the water supply for all modules. Control of the turbine generator shared among modules is similar, and the operator who is in charge of turbine control should have the authority to control the related components.
The operation authority for a certain operator is not changed most of the time. However, if the operation mode of the plant is changed due to some reason, such as the scheduled inspection outage, the tasks of the operator in charge of the module and the shared systems may be changed. The supervisor can allocate the operation authority of shared systems to other operators.
Shared-system states (Table 2), system state followed by its description:
0: The system is idle, not connecting with any module
1: The system is connecting with module no. 1
2: The system is connecting with module no. 2
n (n ≠ 0): The system is connecting with module no. n

Systems Connecting with One Module at a Time.
According to the switchover requirement, the states of the shared system should be defined, as shown in Table 2.
Different states of the system can be defined through some status of the system, such as the combination states of some valves, system temperatures, and system pressures.

Switchover Controlled by Automation.
For the system connecting with one module at a time, according to the frequency of the system switchover between modules, the control function is assigned to the automation or the operator. If the switchover between modules is frequent and does not need the permission of the operator, the switchover function can be assigned to the automation.
Figure 4 shows the switchover controlled by automation.

Switchover Controlled by Operator.
If the shared system serves the modules in turn and cannot be operated automatically due to the importance of the system, a special design is considered to solve the problem. The operation authority of the shared system is allocated to all module operators who need the system. The shared system can be used by only one module at a time. Therefore, a preemptive algorithm is applied to the control logic of the shared system. The algorithm is shown in Figure 5.
(1) If the system state is 0, any module can use the system through the automation process or manual operation by the operator.
(2) If the system state is not 0, for example 1, the system is in use by module no. 1, and the system state cannot be set to another number by any operator other than the operator of module no. 1. If the system is needed by other modules, the operator in charge of module no. 1 should "release" the system, and then the system state is set to 0.
(3) When the shared system is used by one module and is needed by other modules, coordination between modules is needed, such as communication between operators and judgment of the situation after system switchover to other modules.
[Figure 4: System switchover controlled by automation. Flowchart elements: Set system state = 0; Can be connected with an individual module? (Yes/No); Set system state = n (n ≠ 0); Finish? (Yes/No).]
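The following Python model is an added example, not code from the paper or from the HTR-PM DCS. It combines the operation and allocation authorities defined earlier with the operator-controlled state rule above (0 = idle, n = in use by module no. n, only an operator of the module being served may release); class names, user names and domain labels are assumptions.

```python
from dataclasses import dataclass, field

IDLE = 0  # Table 2 convention: 0 = idle, n = connected to module no. n


class AuthorityError(PermissionError):
    """The user lacks the authority that the requested action needs."""


@dataclass
class ControlSystem:
    supervisors: set = field(default_factory=set)   # hold allocation authority
    operation: dict = field(default_factory=dict)   # user -> set of domains
    audit: list = field(default_factory=list)       # (event, user, detail)

    def allocate(self, supervisor, operator, domain):
        """Supervisor grants operation authority for one network domain."""
        if supervisor not in self.supervisors:
            self.audit.append(("allocate-denied", supervisor, domain))
            raise AuthorityError(f"{supervisor} has no allocation authority")
        self.operation.setdefault(operator, set()).add(domain)
        self.audit.append(("allocate", supervisor, f"{operator}:{domain}"))

    def require(self, operator, domain):
        """Raise unless the operator holds operation authority for domain."""
        if domain not in self.operation.get(operator, set()):
            self.audit.append(("operate-denied", operator, domain))
            raise AuthorityError(f"{operator} may not operate {domain}")


@dataclass
class SharedSystem:
    cs: ControlSystem
    domain: str = "shared"
    state: int = IDLE

    def acquire(self, operator, module_no):
        """Connect to module_no; succeeds only from idle or if already held."""
        self.cs.require(operator, self.domain)
        self.cs.require(operator, f"module{module_no}")
        if self.state not in (IDLE, module_no):
            self.cs.audit.append(("acquire-busy", operator, self.state))
            return False  # the owning module's operator must release first
        self.state = module_no
        self.cs.audit.append(("acquire", operator, module_no))
        return True

    def release(self, operator):
        """Only an operator of the module currently served may set state 0."""
        if self.state == IDLE:
            return False
        self.cs.require(operator, self.domain)
        self.cs.require(operator, f"module{self.state}")
        self.cs.audit.append(("release", operator, self.state))
        self.state = IDLE
        return True


def attempt(action, *args):
    """Run an action and report 'denied' instead of raising."""
    try:
        return action(*args)
    except AuthorityError:
        return "denied"


def run_scenario():
    """Two-module walk-through with constructed user names."""
    cs = ControlSystem(supervisors={"supervisor"})
    for op, mod in (("ro1", "module1"), ("ro2", "module2")):
        cs.allocate("supervisor", op, mod)
        cs.allocate("supervisor", op, "shared")
    shared = SharedSystem(cs)
    steps = [
        attempt(cs.allocate, "ro1", "ro1", "module2"),  # no allocation authority
        attempt(shared.acquire, "ro1", 1),              # idle -> state 1
        attempt(shared.acquire, "ro2", 2),              # busy, refused
        attempt(shared.acquire, "ro2", 1),              # ro2 cannot act for module 1
        attempt(shared.release, "ro2"),                 # not the owning operator
        attempt(shared.release, "ro1"),                 # owner releases -> state 0
        attempt(shared.acquire, "ro2", 2),              # idle -> state 2
    ]
    return steps, shared.state, cs.audit
```

The audit list records every refusal, which is the data an HSI display or a later review would need to show who attempted a switchover while the system was held.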

Cooperation between Operators.
The operation of multiple modules and shared systems relies on high levels of automation and teamwork. Cooperation between different operators is more complicated than it is in current NPPs.

Mode of Cooperation.
According to the characteristics of different systems shared (switchover between modules or not), the cooperation modes between operators are different. The operator cooperation for the control of the system capable of connecting with all modules simultaneously is similar to the cooperation in current NPPs, because the system shared is related to the whole plant, and control of the shared system is related to all operators. The cooperation of the control for the system switchover between modules is different, because it is related to only two modules, and other modules and operators may not be included in the switchover cooperation.

HSI Consideration.
In order to support the cooperation between different operators, the human-system interface should supply the necessary information, including the following.
(1) All displays can be viewed by any operator at any workstation in the control room, no matter whether the operator has the operation authority of the system or not.
(2) The in-use and idle state of the shared system (whether system state is 0 or not) should be clearly shown on the display where the shared system is needed.
(3) If the system is used by any module, which module it is serving (the number of the system state) should be clearly shown on the display.

Example and Application
5.1. Example. The control of shared systems for a multi-modular system is in the preliminary stage. An example is the control design of some shared systems in HTR-PM. HTR-PM is the demonstration construction of the Chinese design [15] of the MHTGR (modular high-temperature gas-cooled reactor). The HTR-PM plant consists of two nuclear steam supply systems (NSSSs), which are the modules. Each module includes a single zone 250 MWth pebble-bed modular reactor and a steam generator. The steam generated by the two NSSSs, respectively, feeds one steam turbine generating an electric power of 210 MW.
In HTR-PM, the turbine generator is the biggest shared system, which connects with two modules simultaneously. There are some other auxiliary systems shared between the two modules, as shown in Figure 6.
In the two-modular HTR-PM, one control room is used to realize the monitoring and control of the whole plant. A DCS (distributed control system) is employed [19]. There are four operators in the control room, including two reactor operators, one turbine operator, and one supervisor. The two reactor operators (ROs) are in charge of the two NSSS modules' operations, respectively, and the turbine operator (TO) is in charge of turbine generator operation. The basic operation authorities of one RO include the operation of one NSSS module and some shared systems. RO no. 1 cannot operate the equipment of NSSS no. 2 and the turbine generator, and RO no. 2 cannot operate the equipment of NSSS no. 1 and the turbine generator. The responsibility of each operator is not changed most of the time. The switchover of the shared systems between two modules is considered as follows. If one subsystem is needed by module no. 2 while it is supporting module no. 1, RO no. 2 should communicate with RO no. 1 and the supervisor. If the supervisor and RO no. 1 determine that the switchover will not impact the situation of module no. 1, RO no. 1 should "release" the shared system through an operation via VDU, and then RO no. 2 can use the shared system for reactor no. 2.
The communication and cooperation between the two ROs can be presented by the flow chart shown in Figure 7(a). It is clear that if cooperation fails, the shared system cannot be used by the other module. The operation design forces different operators to communicate with each other on switchover of the shared system in order to ensure that both ROs keep the situation awareness of the shared system.

Comparison and Analysis.
Another design of the switchover operation of the shared system is possible, as shown in Figure 7(b). If the two ROs can operate the shared system at the same time, the time elapsed may be shortened, but the communication and cooperation between the two ROs are weakened, and RO no. 2 may possibly neglect the switchover of the shared system to the other module. The design in Figure 7(a) may need more operation time than the design of Figure 7(b) but supplies better communication and situation awareness of the shared system.

Conclusion
A design of operation of shared systems via a common control system for a multi-modular plant is presented. Without consideration of the workstation configuration and staffing level of the control room design, this paper focuses on the control and operation of the shared systems. A control system and its control network configuration are designed. Each module is controlled via an independent network domain, and failures of one independent network domain may not affect other modules. Displays of all modules can be viewed at any operator workstation under the structure of the control system. In order to minimize the human error of operation between modules and control confusion of shared systems between operators, different operation authorities corresponding to network domains are defined. An allocation authority is also defined to supply flexibility for configuration of operation authorities of operators under different plant situations.
According to the characteristics of different shared systems, the shared system can be categorized into two types: the system capable of connecting with all modules simultaneously and the system connecting with one module at a time. Different control strategies are developed for the shared systems. The preemptive algorithm of the system switchover is designed to force the operators to communicate with each other on the shared system. An example in HTR-PM of a shared system control is shown as an application of the design strategy.
The design of the I&C system for the multi-modular plant is in the preliminary stage, and there are many other issues to be discussed. The control and operation presented in this paper need further verification and validation to prove that they are good for human performance.

Figure 1: Control system of the multi-modular plant.

Figure 6: Relationship between shared systems and modules in HTR-PM.

Figure 7: Comparison of cooperation of two ROs on the shared system switchover between modules.

Table 1: Operation differences of multi-modular plants and current NPPs.

Table 2: States of the shared system.