Abstract: Ningde Nuclear Power Plant in Fujian Province is one of the nuclear power plants that adopts a digital reactor protection system. It has advanced design concepts and ideas, improved the level of automation, and the system design meets the design criteria of single fault, diversity, independence and testability. This paper introduces the functions, overall structure, design features and periodic testing of the digital reactor protection system of Ningde Nuclear Power Plant. Keywords: nuclear power plant; digitalization; redundancy; diversity; topology; common mode fault 0 Introduction Due to the special requirements of nuclear power plants for nuclear safety, most nuclear power plants have always adopted traditional analog control systems. Digital instrumentation and control systems are less used in nuclear power plants. Digital control systems based on distributed control systems (DCS) have been widely used in conventional thermal power plants [7]. With the rapid development of computer hardware and software, the openness, high reliability, speed and operability of digital instrumentation and control systems have been gradually recognized. At the same time, due to the gradual improvement of the reliability of digital instrumentation and control systems and the accumulation of experience, it is possible for nuclear power plants to adopt digital control systems, which is a development trend. At present, the nuclear power plants that have adopted full-range digital control systems include Tianwan Nuclear Power Plant and Ling'ao Phase I Nuclear Power Plant conventional island systems and equipment [4,5]. Digital control systems offer unparalleled advantages over conventional analog control systems and are essential for improving the overall automation level of nuclear power plants. As one of the most important systems in a nuclear power plant, the gradual adoption of digital reactor protection systems has become a trend, forming the safety-level component of the entire nuclear power plant's DCS (Distributed Control System). Currently under construction nuclear power plants, such as Ling'ao Phase II, Hongyanhe Nuclear Power Plant, and Ningde Nuclear Power Plant, all employ digital reactor protection systems. 1. Reactor Protection System 1.1. Function The reactor protection system is the most important safety system in a nuclear power plant, belonging to Class 1E electrical equipment. It includes an emergency shutdown system and a dedicated safety facility drive system. The reactor protection system monitors parameters related to reactor safety. When these parameters exceed preset protection settings, it automatically triggers an emergency shutdown and activates corresponding dedicated safety facilities to limit the development of an accident, mitigate its consequences, prevent the release of radioactive materials into the surrounding environment, and ensure the safety of nuclear power plant equipment and personnel. It should also provide operators with manual control methods and relevant system and equipment status information. 1.2. Design Criteria The design of reactor protection system should follow the following criteria[1]: automatic protection, single fault criterion, diversity, testability and independence principles, etc. "Single fault criterion" means that a single protection system channel or system component failure shall not hinder the normal operation of the protection system. To meet the single fault criterion, the reactor protection system should have sufficient redundancy; avoiding common mode failures through functional diversity and equipment diversity is one of the basic principles of nuclear power plant instrumentation and control design[6]; "fail-safe criterion" means that the reactor can be shut down under the condition of loss of energy. When a system channel or component fails, no operation is required to keep the function of the protection system in a safe state. 2 Design of Digital Reactor Protection System of Ningde Nuclear Power Plant 2.1 Overall Structure The reactor protection system of Ningde Nuclear Power Plant adopts the MELTAC-Nplus R3 system of Mitsubishi Corporation of Japan. It mainly completes the nuclear safety level system and equipment control functions, such as reactor trip protection logic, dedicated safety facility drive, post-accident monitoring, etc. It is the safety level part of the integrated full-range DCS system. Its overall structure is shown in Figure 1. [align=center] Figure 1 Schematic diagram of digital reactor protection system[/align] In order to meet the design requirements of the protection system, the overall structure of the reactor protection system of Ningde Nuclear Power Plant adopts two columns, A and B, four redundant protection measurement channels, and two redundant logic processing units. Physical and electrical isolation is achieved between columns and channels[2], which is independent and does not affect each other. The digital reactor protection system mainly includes: safety-grade measuring instruments, reactor protection cabinet (RPC), dedicated safety facility drive cabinet (ESFAC), safety logic cabinet (SLC), communication network, diversity drive system (DAS) and shutdown circuit breaker, etc. Hard wiring is used between safety-grade measuring instruments and data acquisition channels, between logic processing output and shutdown circuit breaker, and between manual control equipment in the main control room and protection system. Other communication is done through network. The network adopts a dual-network redundant ring topology. 2.2 Safety-Level Display Unit (SVDU) The use of SVDUs is a key feature of this system. Designed by Mitsubishi based on the minimal backup panel concept, the SVDU features a touchscreen and is primarily used to control the operation of safety-level equipment. Operators invoke safety-level equipment from the NC-VDU, transmitting the invoke signal to the SVDU via the network. An operation panel then pops up on the SVDU, allowing operators to control the equipment using the touchscreen. This system has 16 SVDUs, distributed across the Backup Panel (BUP), Operating Console (OWP), and Remote Shutdown Station (RSS). To meet different functional requirements, the human-machine interfaces of the three types of SVDUs are not identical. 2.3 Reactor Protection Cabinet (RPC) Each protection channel consists of a set of reactor protection cabinets (RPCs) and associated equipment. Each set of reactor protection cabinets (RPCs) contains two processor subgroups, with redundant processor configurations in each subgroup. The RPC collects and processes sensor input signals, generating trigger signals that are sent to the emergency shutdown circuit breaker and the dedicated safety facility drive system to initiate an emergency reactor shutdown and activate the dedicated safety facilities as needed. The RPC has four channels, each receiving trigger signals from other channels and performing a 2-out-of-4 logic vote to generate a reactor trip signal. Each channel outputs a signal via hardwiring to the corresponding shutdown circuit breaker, driving two shutdown circuit breakers per channel. The RPC protection channels are electrically and physically isolated, operating independently without interference. 2.4 Safety Dedicated Drive Cabinet (ESFAC) The ESFAC receives RPC signals and performs a 2-out-of-4 logic vote to complete system-level logic drive. The ESFAC also receives manual control signals from the backup panel and emergency operation panel. 2.5 Safety Logic Control Cabinet (SLC) The SLC logic subsystem receives system-level ESFAC logic drive signals and other system signals (including control room manual commands) to complete component-level logic control. It outputs drive signals from the DO output card to the PIF card to control field safety-level equipment. 2.6 Network Structure The Ningde Nuclear Power Plant's digital reactor system comprises three networks: Safety Bus, Safety System Bus, and HM Data Bus. Safety Bus is classified as IE (Industrial Engineering) level, while Safety System Bus and HM Data Bus are classified as NC (Non-Industrial Engineering) level. However, all three networks share the same physical structure: a two-layer network with a redundant ring topology. The two-layer network offers high reliability, with mutual redundancy between the two layers. If one layer fails, the other layer takes over, preventing network paralysis and ensuring data transmission, thus guaranteeing system safety. 2.7 Diversity Drive System (DAS) The Diversity Drive System (DAS) consists of a diversity drive cabinet, backup control panel, and emergency control panel. The diversity drive cabinet is composed of analog-based cards, while the backup and emergency control panels consist of hard-wired switches and relays. The DAS provides diverse backup for common-mode faults in the digital reactor protection system. 2.8 Optimization Logic Control Module (PIF) The PIF card is installed in the SLC cabinet, and its main function is logic optimization. The PIF card receives signals from the SLC cabinet, the backup panel (BUP), and the emergency operation panel (ECP). These signals are selected by the PIF card's optimization logic and then directly control the field safety-level equipment. 2.9 Shutdown Circuit Breakers There are 8 shutdown circuit breakers, 4 in each of columns A and B. Column A consists of AX, AX′AY, and AY′; column B consists of BX, BX′BY, and BY′. Each channel's trip signal drives 2 circuit breakers. The 8 (4 groups) circuit breaker contacts are hard-wired to achieve a "two-out-of-four" logic trip. The hard-wired connection of the circuit breakers is shown in Figure 2. [align=center] Figure 2 Hard-wired connection diagram of emergency shutdown circuit breakers[/align] When any two of the 4 channels have a trip signal, the corresponding circuit breaker contacts open, cutting off the power supply to the rod control system and causing the control rods to fall to the bottom of the reactor, thus achieving an emergency shutdown. In addition to receiving automatic shutdown signals from the digital protection system, the shutdown circuit breaker also directly receives manual shutdown signals from the emergency control panel (ECP), thus realizing the diversity of reactor protection. 2.10 System Interface The interface design principle between the digital reactor protection system and other systems or equipment: the interlock protection signals adopt hard-wiring; the safety level parameters are transmitted to the NC-VDU for display via the network; the important 1E level display parameters are sent to the backup panel (BUP) conventional indicating instruments or PAMS system for display via hard-wiring. 3 Periodic Tests (T1, T2, T3) The reactor protection system design must allow for testing and inspection of all links from the sensor to the final actuator input signal during power operation. The test of the protection system must not affect the normal protection function of the protection system. Such tests will not cause protection action unless there is an actual protection condition [3]. The Ningde Nuclear Power Plant's digital reactor protection system is testable, capable of completing a full range of tests from sensor input and logic operations to actuator drive. The periodic tests include three parts: T1, T2, and T3. A schematic diagram of the periodic tests is shown in Figure 3. [align=center]Figure 3: Schematic diagram of periodic tests for the digital reactor protection system[/align] 3.1 T1 Test The T1 test tests the analog protection channels of the reactor protection system, mainly including parameter cross-calibration and probe verification. 3.2 T2 Test The T2 test tests the logic protection channels of the reactor protection system. 3.3 T3 Test The T3 test tests the actuators and protection signal output functions of the reactor protection system, including three aspects: Ø T3-1: Shutdown function test, completed through periodic circuit breaker tests; Ø T3-2: SLC and ESFAC function tests, capable of actually triggering some tests; Ø T3-3: SLC and ESFAC function tests, for actuators that cannot actually operate during normal operation, continuous tests are performed periodically during operation, and actual operation tests are performed during overhauls. 4 Conclusion The reactor protection of Ningde Nuclear Power Plant adopts a digital protection system. In order to prevent common mode failures, a variety of systems such as ATWS and ECP[6] are used as backups. The system design meets the design criteria of single failure, diversity, independence and testability. Its design ideas and concepts are scientific and advanced, and are worth learning from by other newly built nuclear power plants. The adoption of digital protection systems for reactor protection is a trend. However, given the high safety and high reliability of reactor protection systems, as well as the low design and manufacturing level of safety-level digital control systems in China, digital reactor protection systems have not yet been localized. Foreign systems are relatively expensive, and spare parts are easily subject to foreign control. Therefore, realizing the localization of digital reactor protection systems will be the mission and goal of China's automation control system scientists. 5 Reference Standards and Literature [1] GB/T 13629-2008. Applicable Criteria for Digital Computers in Nuclear Power Plant Safety Systems. [2] GB/T5963-1995. Isolation Criteria for Reactor Protection Systems. [3] GB5204-94. Periodic Testing and Monitoring of Nuclear Power Plant Safety Systems. [4] Wu Guangjian, Zhuo Wenbiao. Technical Characteristics of the Conventional Island Control System of Ling'ao Nuclear Power Plant [J]. Guangdong Electric Power, 2003, 16(1): 23-26, 45. [5] Wu Guangjian. Application of Distributed Control System in Conventional Island of Nuclear Power Plant [J]. Electric Power Construction, 2001, 22(9): 52-55, 59. [6] Cao Jianting. Analysis of Diverse Protection and Control of Nuclear Power Plant Using DCS. Modern Electric Power, Vol. 24, No. 06, 2007. [7] Yin Jiang, Feng Jiangtao. Distributed Control System of Power Plant [M]. Beijing: China Electric Power Press, 2006.