XA9846490

IAEA-IWG-NPPCI-98/1 LIMITED DISTRIBUTION

WORKING MATERIAL

COMPUTERIZED REACTOR PROTECTION AND SAFETY RELATED SYSTEMS IN NUCLEAR POWER PLANTS

Proceedings of a Specialists' Meeting Organized by the International Atomic Energy Agency in Co-operation with Paks

27-29 October 1997 Budapest, Hungary

Reproduced by the IAEA, Vienna, 1998

NOTE: The material in this document has been supplied by the authors and has not been edited by the IAEA. The views expressed remain the responsibility of the named authors and do not necessarily reflect those of the government(s) or the designating Member State(s). In particular, neither the IAEA nor any other organization or body sponsoring this meeting can be held responsible for any material reproduced in this document.


FOREWORD

Though the majority of existing control and protection systems in nuclear power plants use old analogue technology and design philosophy, the use of computers in safety and safety related systems is becoming a current practice.

The Specialists' Meeting on "Computerized Reactor Protection and Safety Related Systems in Nuclear Power Plants" was organized by the IAEA (jointly by the Division of Nuclear Power and the Fuel Cycle and the Division of Nuclear Installation Safety), in co-operation with the Paks Nuclear Power Plant in Hungary, and was held from 27 to 29 October 1997 in Budapest, Hungary. The meeting focused on computerized safety systems under refurbishment, software reliability issues, licensing experiences and experiences with implemented computerized safety and safety related systems. A technical visit to Paks NPP was organized within the meeting programme.

The objective of the meeting was to provide an international forum for the presentation and discussion of R&D, in-plant experiences in I&C important to safety, backfits, and arguments for and reservations against digital safety systems. The meeting was attended by 70 participants from 16 countries representing NPPs and utility organizations, design, research and development, and regulatory organizations. In the course of 4 sessions 25 technical presentations were made.

The present volume contains the papers presented by national delegates and the conclusions drawn from the final general discussion.


IAEA Specialists' Meeting on Computerized Reactor Protection and Safety Related Systems in Nuclear Power Plants

Budapest, Hungary 1997 October 27 - 29

PROGRAMME

Monday, October 27

8:30 - 9:00 Registration, Ramada Grand Hotel

9:00 - 9:25 Opening Session

Welcoming Remarks - G. Vamos, Safety Director of Paks NPP
Welcoming Remarks - V. Neboyan, IAEA
Overview of IAEA Specialists' Meeting - A. Hetzmann, Paks NPP

9:25 - 10:25 Session 1: Computerized Safety Systems under Refurbishment
Chairperson: Paul van Gemst, Sweden

1.1 The Modernization of the Safety I&C Systems at the Paks NPP. A. Hetzmann, Hungary

1.2 Experience and Perspective in Backfittings of Safety I&C Systems in Belgian Nuclear Power Plants. J.C. Naisse. Belgium.

10:25 - 10:50 Coffee Break and Registration

10:50 - 12:50 Session 1: (Continuation)

1.3 An Application study for the Class IE Digital Control and Monitoring System. H.Fukumitsu. Japan.

1.4 Computerized Reactor Surveillance and Control System: an FBR Example. J-P. Trapp, A. Lebrun. France.

1.5 GUARDS: an approach safety-related systems using COTS. Example of MMI and reactor automation in nuclear submarine application. M Brun, France.

1.6 Refurbishment of the Reactor Protection System at Paks NPP. The Refurbishment Process. T. Turi, B. Katies. Hungary.

12:50 - 13:50 Lunch Break

13:50 - 15:20 Session 2: Software Reliability Issues
Chairperson: Jeno Hetthessy, Hungary

2.1 Government of Common Cause Failures. H-W.Bock. .

2.2 Reliability Analysis of Protection Systems in NPPs Using Fault-Tree Analysis Method. J. Bokor, G. Szabo, P. Gáspár, J. Hetthessy. Hungary.

2.3 Adoption of digital safety protection system in Japan. Z. Ogiso. Japan.

15:20-15:50 Coffee Break

15:50 -17:10 Session 2: (Continuation)

2.4 Methodology of Formal Software Evaluation J. Tuszynski. Sweden

2.5 A Safety Related Control System for NPPs. G.H.Schildt. Austria.

2.6 Methodology and Tools for Independent Verification and Validation of computerized I&C Systems Important to Safety. A. Lindner, H. Miedl. Germany.

19:00 Dinner

Tuesday, October 28

9:00 - 11:00 Session 3: Licensing Experiences
Chairperson: Petr Krs, Czech Republic

3.1 A Regulatory Frame for Safety Digital Systems in Nuclear Power Plants. A. Mozas Garcia. Spain.

3.2 Regulatory Aspects of Digital Systems. Hungarian Approach to Licensing. A.H. Hamar. Hungary

3.3 Licensing Process of the Digital Application: Nuclear Measurement Analysis and Control-Power Range Neutron Monitor (NUMAC-PRNM) System for their Implementation in the Laguna Verde NPP Unit 2. R.Ledesma-Carrion. A. Hernandez-Cortes, Mexico.

3.4 NRC Perspectives on the Digital System Review Process. J.L. Mauck. USA.

11:00 - 11:20 Coffee Break

11:20 - 12:50 Session 4: Experiences in Implemented Computerized Safety and Safety Related Systems
Chairperson: Jean-Claude Naisse, Belgium

4.1 Replacement of the Control & Instrumentation System with the Microprocessor Based System in Japanese PWR Plants. N. Hayashi. Japan.

4.2 Application of Computer-Based Safety Systems in Korea Nuclear Power Plants. Won-Young Yun. Republic of Korea.

4.3 Shutdown systems computer-monitoring for Cernavoda NPP. M.C. Popescu, Romania.

12:50-13:50 Lunch break

13:50-15:15 Session 4: (Continuation)

4.4 The Use of PC Based Data Acquisition Systems, Connected to the Reactor Shutdown System #1 and #2. M.Stanciu, R.Dudu. Romania

4.5 Modernization of Safety Systems in Ringhals 1 NPP in Sweden. E. Strobeck, P. V. Gemst. Sweden.

4.6 Replacement of the Complete Control System of the NPP Oskarshamn 1 by Digital Distributed Control System. E. Berger. Germany.

15:15 - 15:35 Coffee Break

15:35 - 17:00 Session 4: (Continuation)

4.7 The Computer Aided Operation of the N4 Series. G.Guesnier, J.P.Bouard. France.

4.8 ABWR (K-6/7) Construction Experiences. Computer-Based Safety System. T. Yokomura. Japan.

4.9 NPP Control Command: Considerations for the Future. J-P. Trapp. France.

17:00 - 18:00 Session 5: General Discussion, Conclusions and Recommendations
Chairperson: James White, USA

Wednesday, October 29 (Optional) Technical visit to Paks Nuclear Power Plant

8:30 - 10:30 Travel to Paks NPP
10:30 - 11:00 Visitor Centre Paks (coffee)
11:00 - 12:30 Visit to the Plant
12:30 - 13:30 Lunch
13:30 - 15:30 Travel to the hotel or to the airport

TABLE OF CONTENTS

Session 1: Computerized Safety Systems under Refurbishment (p. 13)
Chairperson: Paul van Gemst, Sweden

1.1 The Modernization of the Safety I&C Systems at the Paks NPP. A. Hetzmann, Hungary. p. 15

1.2 Experience and Perspective in Backfittings of Safety I&C Systems in Belgian Nuclear Power Plants. J.C. Naisse, Belgium. p. 27

1.3 An Application study for the Class IE Digital Control and Monitoring System. H. Fukumitsu, Japan. p. 39

1.4 Computerized Reactor Surveillance and Control System: an FBR Example. J-P. Trapp, A. Lebrun, France. p. 55

1.5 GUARDS: an approach safety-related systems using COTS. Example of MMI and reactor automation in nuclear submarine application. M. Brun, France. p. 65

1.6 Refurbishment of the Reactor Protection System at Paks NPP. The Refurbishment Process. T. Turi, B. Katies, Hungary. p. 71

Session 2: Software Reliability Issues (p. 81)
Chairperson: Jeno Hetthessy, Hungary

2.1 Government of Common Cause Failures. H-W. Bock, Germany. p. 83

2.2 Reliability Analysis of Protection Systems in NPPs Using Fault-Tree Analysis Method. J. Bokor, G. Szabo, P. Gáspár, J. Hetthessy, Hungary. p. 91

2.3 Adoption of digital safety protection system in Japan. Z. Ogiso, Japan. p. 105

2.4 Methodology of Formal Software Evaluation. J. Tuszynski, Sweden. p. 111

2.5 A Safety Related Control System for NPPs. G.H. Schildt, Austria. p. 119

2.6 Methodology and Tools for Independent Verification and Validation of computerized I&C Systems Important to Safety. A. Lindner, H. Miedl, Germany. p. 127

Session 3: Licensing Experiences (p. 139)
Chairperson: Petr Krs, Czech Republic

3.1 A Regulatory Frame for Safety Digital Systems in Nuclear Power Plants. A. Mozas Garcia, Spain. p. 141

3.2 Regulatory Aspects of Digital Systems. Hungarian Approach to Licensing. A.H. Hamar, Hungary. p. 153

3.3 Licensing Process of the Digital Application: Nuclear Measurement Analysis and Control-Power Range Neutron Monitor (NUMAC-PRNM) System for their Implementation in the Laguna Verde NPP Unit 2. R. Ledesma-Carrion, A. Hernandez-Cortes, Mexico. p. 163

3.4 NRC Perspectives on the Digital System Review Process. J.L. Mauck, USA. p. 173

Session 4: Experiences in Implemented Computerized Safety and Safety Related Systems (p. 183)
Chairperson: Jean-Claude Naisse, Belgium

4.1 Replacement of the Control & Instrumentation System with the Microprocessor Based System in Japanese PWR Plants. N. Hayashi, Japan. p. 185

4.2 Application of Computer-Based Safety Systems in Korea Nuclear Power Plants. Won-Young Yun, Republic of Korea. p. 199

4.3 Shutdown systems computer-monitoring for Cernavoda NPP. M.C. Popescu, Romania. p. 207

4.4 The Use of PC Based Data Acquisition Systems, Connected to the Reactor Shutdown System #1 and #2. M. Stanciu, R. Dudu, Romania. p. 211

4.5 Modernization of Safety Systems in Ringhals 1 NPP in Sweden. E. Strobeck, P. V. Gemst, Sweden. p. 225

4.6 Replacement of the Complete Control System of the NPP Oskarshamn 1 by Digital Distributed Control System. E. Berger, Germany. p. 237

4.7 The Computer Aided Operation of the N4 Series. G. Guesnier, J. P. Bouard, France. p. 245

4.8 ABWR (K-6/7) Construction Experiences. Computer-Based Safety System. T. Yokomura, Japan. p. 253

4.9 NPP Control Command: Considerations for the Future. J-P. Trapp, France. p. 267

Session 5: General Discussion, Conclusions and Recommendations (p. 275)
Chairperson: James White, USA

Summary of the discussion. J. White, USA. p. 277

List of participants. p. 281


Session 1:

Computerized Safety Systems under Refurbishment


XA9846491

THE MODERNISATION OF THE SAFETY I&C SYSTEMS AT THE PAKS NPP

A. HETZMANN Paks Nuclear Power Plant Ltd. Hungary

Abstract

The purpose of this paper is to overview the refurbishment of the Reactor Protection System at Paks Nuclear Power Plant. The operational experiences of the existing process control system are illustrated. The paper discusses the goals, the scope, the life cycle and the implementation schedule of the refurbishment.

INTRODUCTION:

The Paks Nuclear Power Plant, the only nuclear power plant in Hungary, consists of four conceptually identical WWER 440 Model 213 type PWR units. Construction started in 1974 in accordance with the technical and safety standards applicable at that point in time. The requirements for the safety systems were completed during the construction in compliance with the (Soviet) OPV 82 Standard. The 1840 MW installed total capacity represents a significant proportion of the domestic power production. The four Units are operated in base load with limited load following capabilities and a frequency control function. The bar chart in Figure 1, representing the annual cumulative load factors, illustrates the reliability of the Units.

Figure 1: Cumulative load factor of Paks NPP (bar chart by year)

1. OPERATIONAL EXPERIENCES OF THE PROCESS CONTROL SYSTEMS

1.1. Characteristics of the existing I&C systems

The majority of the I&C equipment and devices of the NPP was designed and manufactured in the 1970s. The Units are not completely identical on the equipment and device level. The Hungarian scope of the equipment supply increased significantly for Units 3 and 4. A considerable part of the respective installed Plant Computers, data acquisition units, the auxiliary building process control system, the 0.4 kV substation and the measuring circuit and control elements (sensors and transmitters) were manufactured by Hungarian companies. The structure of the process control systems of the Paks NPP implemented in accordance with the original WWER 440/213 Unit design is characterised by the following features:

• Distributed implementation of the I&C functions

The designer divided the control and monitoring tasks into elementary functions. The functions of measurement (display and recording), control, signalling and regulation are implemented via circuits that are independent of each other from the aspect of detection. Besides that, the central process control computer also has a mostly independent measuring background. Reactor monitoring and the radiation control of the process in the primary circuit are also performed by autonomous systems.

• A specific system of hierarchy

During the design of the I&C systems, the classical safety principles were considered in accordance with the OPV 82 Standard. As a result, a three-level hierarchy is outlined:

=> safety and safety related systems
=> regular plant I&C
=> information and monitoring systems

The complete process control system comprises the safety and safety related systems, the regular (operational) plant I&C systems, the process monitoring computers and the I&C components installed in the autonomous service and auxiliary systems. A characteristic feature of the system is the combined implementation of the safety and safety related functions within the same system. We can conclude that the hierarchy of requirements is implemented only to a certain degree in the originally applied I&C equipment, which shows primarily in the qualification deficiencies of individual components and devices.

• A safety system divided into subsystems

The system controlling the protection-initiated shutdown and emergency cooling of the reactor consists of several autonomous subsystems. A non-uniform redundancy structure was applied in the implementation of the major safety functions. The system structure of the existing safety instrumentation is shown in Fig. 2.

Figure 2: Existing system structure (subsystems between the controlled process and the actuators). Abbreviations: RTPS Reactor Technological Protection System; NMS Neutron Monitoring System; ECCS Emergency Core Cooling System; DLS Diesel Load Sequencer; RPLS Reactor Power Limiting System; CR Control Rod; SGPS Steam Generator Protection System.

1.2. Operational and maintenance issues

After commissioning, the expected availability and reliability could be achieved in the field of I&C by eliminating some device-level weak points and functional deficiencies. Maintaining that availability and reliability requires a significant volume of high-level maintenance as well as extensive and strict human control. The devices of the safety systems undergo periodic preventive maintenance, coordinated with the tests, and systematic replacements at regular intervals during operation.

In the initial phase of operation (from 1984 to 1991) a large number of more or less significant deficiencies and misadjustments were detected during the transient processes initiated by loss of the Unit and/or main components. The detected malfunctions were eliminated by introducing device level and/or functional modifications. At that time we elaborated and introduced what we called the "dark-control-room concept", which means that during a fully fault-free operation no lighted (active) signals are allowed in the Main Control Room.

The data concerning the detected failures of the I&C equipment and devices are collected and evaluated. We try to utilise the results of the data evaluation mainly during the review of the maintenance technologies and during the development of medium-term backfitting plans.

The evaluation of the failure statistics of the I&C equipment detected in the years 1994, '95 and '96 is demonstrated in Figure 3.

Figure 3: Annual report on I&C failures in 1994-1995-1996. Panels: detection mode of failures; mode of repairing (replacement of equipment vs. repairing without replacement); distribution of the number of I&C failures by units; distribution of I&C failures by function of equipment (control, special measurement, conventional measurement, control loop, protection, others).

2. BACKFITTING ACTIVITIES ON THE PROCESS CONTROL SYSTEMS

The incremental modernisation of the process control systems at the Paks NPP practically started after the commissioning of Unit 4. From the aspect of subsequent operation and maintenance it can be regarded as a favourable circumstance that, besides participation in the appropriate theoretical and practical training, the NPP personnel was actively involved in the installation and commissioning as well as in the supervision of the construction. Despite the deficient know-how transfer and technical documentation, the performance and supervision of these activities presented an excellent opportunity for acquiring detailed knowledge about the process and the plant equipment. Besides systematic personnel training, the steady operation of the four Units was based on that knowledge. In certain areas it was possible to utilise the experience gained during the construction and commissioning to such an extent that certain technical information required for the upgrade was available already in the early stage of operation. The lessons learned directly by the personnel were also applicable in the development and introduction of the equipment-specific maintenance and control procedures. The motives for the I&C modifications, upgrades and refurbishment can be summarised as follows:

• Addition of functions missing from the original design and amendment or modification of the functions implemented insufficiently.
• Reduction of operational and maintenance expenses.
• Meeting higher safety and quality requirements.
• Disappearing manufacturing and supplier background.

The backfitting activities performed in the period from 1986 to 1992 concentrated primarily on the plant computers and on certain low-reliability measuring and display devices, as well as on the correction of the functional deficiencies on Units 1 and 2. From 1985 to 1990, the plant computers of Units 1 and 2, which are still in operation, were backfitted step-by-step while preserving the original system architecture. The availability and standard of service of the process computers improved significantly and reached the required level due to these early modifications. The first-generation refurbishment of the computer technology equipment was finally completed by the expansion of the reactor monitoring system called VERONA.

3. THE NECESSITY OF THE REACTOR PROTECTION SYSTEM REFURBISHMENT

A number of studies and safety analyses have been performed to review the WWER Units to define their safety features as well as weak points and deficiencies. The considerations for the necessity of the upgrade of the protection instrumentation, i.e. the Reactor Protection System Refurbishment, are complex. The most important factors can be summarised as follows:

• Qualification and lifetime extension

In accordance with the Hungarian safety regulations, the operation licence of the individual Units is to be renewed once every 10 years. One of the main conditions for renewing the operation licence is the appropriate qualification of the equipment and components. The qualification requirements conform to the safety classification and the installation environment of the equipment. Besides qualification, the system-level refurbishment also addresses the issues of equipment and component ageing and lifetime extension within the scope of the replacement.

• Growing maintenance costs, equipment obsolescence

Some obsolete and ageing equipment and the shortage of spare part supply cause increasing problems. In addition to that the original manufacturing and supply background significantly changed or disappeared altogether in the past years. Therefore, a significant volume of preventive maintenance is required to ensure a level of reliability meeting the expectations.

• Safety and licensing issues

It is a basic expectation that the refurbished reactor protection system should meet the currently valid safety and licensing requirements. The refurbishment has the goal to eliminate the functional and system technology malfunctions and deficiencies revealed and demonstrated by the safety analyses.

4. REACTOR PROTECTION SYSTEM REFURBISHMENT

4.1 THE PREPARATION, EVOLUTION OF REQUIREMENTS

Starting from 1991, special attention was paid by the PA Rt. Management to the development of the I&C refurbishment strategy, as well as to the fulfilment of the measures generated by the strategy. Several analyses and problem investigation studies were performed involving internal resources and engineering consultants. These studies also included suggestions for the strategy to follow. In 1992, a team of engineers within the Company was assigned the task of the technical and economic establishment of the I&C refurbishment activities. Parallel to that, the previously developed and approved upgrades aimed at eliminating the deficiencies and weak points were continued. In 1993, the decision was made to give priority to the refurbishment of the safety instrumentation over operational I&C backfits and to start intensive preparation. In 1994 the Reactor Protection System Refurbishment Project (RPS RP) was formed. The supplier's contract was signed in September 1996, after the development of the technical specification, the completion of the bidding procedure and the receipt of the principal system license.

The major stages or milestones of the preparation process are listed below:

Paks NPP internal investigations and operational experiences: 1991 - 92
Safety assessment of RPS: 1992
Approval of the safety and economic analysis of the refurbishment (PA Rt.): 1993, June
Invitation for bids (Task Plan): 1993, August
Evaluation of the bids: 1994, March
Investment program: 1994, March
PA Rt. Board of Directors decision on performing the preparatory phase with two potential Vendors: 1994, April
Forming the Reactor Protection System Refurbishment Project: 1994, June
Issue of the Customer Requirements: 1994, Dec. 15.
Close-Up of the PP work: 1995, June - July
Authority Statement: 1995, September
Investment Plan for approval of PA Rt.'s General Assembly: 1995, Dec. 14.
Invitation for renewed bids (Siemens, Groupe Schneider, Westinghouse): 1995, Dec. 29.
Application for Principal System License: 1996, April 22.
Evaluation of the bids: 1996, April 30.
Updating of the Investment Program: 1996, May 3.
Principal System License: 1996, July 12.
Signing of the Contract: 1996, Sept. 17.

I consider it important to emphasise the significance of the preparatory work. The definition of the system of requirements, scope and functionality of the complex refurbishment of safety systems is possible only through well-organised thorough and systematic work. The evolution of the technical requirements and specification developed for the refurbishment of the reactor protection system is shown in Fig. 4.

EVOLUTION OF TECHNICAL, FUNCTIONAL AND QA REQUIREMENTS

Stage 1. Task Plan (issued 1993). Features: approximate scope; several options; undefined architecture; approximate functionality; outlined technical requirements. Used for: invitation for bids (first round).

Stage 2. Customer Requirements (issued 1994 Dec.). Features: clarified scope; detailed technical requirements; detailed architecture; preliminary detailed natural language and formal functional descriptions; fewer options (NMS, scope, system location). Used for: suppliers' competition (during PPP); authority statement; investment program.

Stage 3. System Requirements (issued 1996). Features: updated version of the previous one; finalised architecture. Used for: invitation for bids; application for system license.

Stage 4. Technical Part of the Contract (issued 1996). Features: finalised location; fixed scope; finalised NMS. Used for: contract.

Stage 5. Functional Requirements (issued 1997). Features: finalised functionality; safety analyses; bases for the factory acceptance test. Used for: application for functional license.

Figure 4

4.2 LIFE CYCLE MODEL

The Life Cycle Model can be the tool for the development and representation of the logical connections between the individual design and/or implementation activities of the safety system refurbishment. The IEC 880 Standard defines a Life Cycle Model for safety computer system development and implementation. Considering that the software-based system is to be implemented in the environment of an operating power plant, great emphasis is to be placed on the I&C host environment. To ensure that, the Life Cycle Model shown in IEC 880 was complemented to fit the scope of the refurbishment. The upgrade and adjustment of the connecting equipment and systems is included in a parallel branch of the life cycle. The life cycle diagram representing the main groups of activities is shown in Figure 5. The individual activities in the three branches of the life cycle can be performed relatively independently. Thus the model does not represent a time schedule, but is meant primarily to develop and represent the inter-relations of activities and their mutual impact on one another. Project progress is also supported by a much more detailed life cycle. The life cycle with the detailed task definition is part of the Development Plan made for the complete RPS refurbishment.

Figure 5: Life cycle of the RPS refurbishment (main groups of activities)

Inputs: the demands of users; corporate, national and international regulations; outputs from the Foundation Phase; proposals.

Preparation (Phase 1): Foundation; System Requirements (1/1); System Specification (1/2).

Design and Manufacturing (Phase 2), in three parallel branches:
Conventional I&C branch: Requirements (2/01); Design (2/02); Manufacture/Procurement (2/03).
Computer Hardware branch: Requirements (2/04); Design (2/05); Manufacture (2/06).
Software branch: Requirements (2/07); Design (2/08); Coding (2/09).
Then: Computer System Integration (2/10); Factory Acceptance Test (2/11); System Analysis (2/12) alongside the branches.

Installation (Phase 3): On-Site Installation (3/01); System Installation, Integration (3/02); System I/O Test, Site Acceptance Test (3/03).

Operation: Pilot Run; Operation.

4.3. THE SCOPE OF THE REFURBISHMENT

The scope of the refurbishment for the systems to be replaced is clearly demonstrated in Figure 2. The integrated reactor protection system realised by the refurbishment will fully cover the functions realised by the existing systems. During the definition of the functionality of the system being designed, the results of the international and national safety reviews and the operational experiences of the WWER Units were taken into consideration. The basis for the detailed development of the functionality to be implemented in the digital system is the following:

• the originally implemented safety functions
• establishing full-scope diversity for the events to be addressed
• expansion of the scope of events addressed by the system (ECC, PRISE)
• improving the effectiveness of the event detection
• ensuring the consistency of reactor shutdown and emergency core cooling system actuations
• the WWER-specific introduction of the 30 minute rule
• the elimination of the unnecessary stepped reactor shutdown function (simplification)
• the elimination of actions and operation mode selection by the operators (automatic neutron flux reference signal generation, etc.)

One of the most important data supply obligations within the customer's scope is the functional specification. The implementation activities of the system supplier (designer, manufacturer) are to be based on the functional task plan and specification, specific to the appropriately tested and verified application (Unit). In order to ensure that, a number of safety analyses and reviews have been performed recently. It is fair to say that the verification of the functionality will be performed with varied intensity throughout the project, parallel to the design and manufacturing. The structure of the new RPS, with consistently triplicated redundancy, is shown in Figure 6.

Figure 6: New system structure (triplicated reactor protection system between the controlled process and the actuators)
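A constructed model of the triplicated structure and of the "consistent actuation" requirement listed above, added here as an illustration and not taken from the paper, from Paks NPP or from the supplier. It assumes 2-out-of-3 coincidence voting across the three trains (degrading to 1-out-of-2 while one train is bypassed for periodic testing), fail-safe treatment of a failed measuring channel, two constructed protection parameters with assumed setpoints, and that an ECCS actuation always carries a reactor trip with it.

```python
"""Triplicated reactor protection system model (constructed illustration).

Assumptions (not from the paper): three identical trains, each deriving
partial demands from its own sensors; 2oo3 coincidence voting across trains,
degrading to 1oo2 when one train is bypassed; an invalid measurement counts
as a demand (fail-safe); ECCS actuation implies reactor trip.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed setpoints for the two constructed protection parameters.
FLUX_HIGH_PCT = 110.0      # reactor trip on high neutron flux (% of nominal)
PRESSURE_LOW_BAR = 100.0   # ECCS start on low primary circuit pressure


@dataclass
class Train:
    name: str
    flux_pct: Optional[float]      # None models a failed measuring channel
    pressure_bar: Optional[float]  # None models a failed measuring channel
    bypassed: bool = False         # train isolated for periodic test/maintenance

    def partial_demands(self) -> Optional[Dict[str, bool]]:
        """Per-train partial demands; None when the train is bypassed.
        A missing measurement is treated fail-safe and demands actuation."""
        if self.bypassed:
            return None
        trip = self.flux_pct is None or self.flux_pct >= FLUX_HIGH_PCT
        eccs = self.pressure_bar is None or self.pressure_bar <= PRESSURE_LOW_BAR
        return {"trip": trip, "eccs": eccs}


def vote(trains: List[Train], function: str) -> bool:
    """Coincidence logic for one protection function across the trains.
    2oo3 with all trains in service, 1oo2 with one train bypassed, and an
    unconditional demand if fewer than two trains are voting (a state the
    plant is not allowed to be in)."""
    if len(trains) != 3:
        raise ValueError("a triplicated system needs exactly three trains")
    active = [p for p in (t.partial_demands() for t in trains) if p is not None]
    if len(active) < 2:
        return True
    required = 2 if len(active) == 3 else 1
    return sum(1 for p in active if p[function]) >= required


def actuate(trains: List[Train]) -> Dict[str, bool]:
    """Derive both actuations from the voted demands. The reactor trip is
    OR-ed with the ECCS demand so the two actuations stay consistent: the
    core is never cooled by ECCS while the reactor is left at power."""
    eccs = vote(trains, "eccs")
    trip = vote(trains, "trip") or eccs
    return {"reactor_trip": trip, "eccs_start": eccs}


def control_room_indications(trains: List[Train], result: Dict[str, bool]) -> List[str]:
    """Dark-control-room principle: only abnormal states are returned, so an
    empty list means nothing is lit during fault-free operation."""
    lit: List[str] = []
    for t in trains:
        if t.bypassed:
            lit.append(f"{t.name}: train bypassed")
        elif t.flux_pct is None or t.pressure_bar is None:
            lit.append(f"{t.name}: measuring channel fault")
    if result["reactor_trip"]:
        lit.append("REACTOR TRIP")
    if result["eccs_start"]:
        lit.append("ECCS ACTUATED")
    return lit


if __name__ == "__main__":
    # Constructed plant states: one nominal, one with a bypassed train plus
    # a failed channel on a second train (1oo2 with a fail-safe demand).
    nominal = [Train("A", 100.0, 123.0), Train("B", 100.0, 123.0), Train("C", 100.0, 123.0)]
    degraded = [Train("A", 100.0, 123.0, bypassed=True), Train("B", None, 123.0), Train("C", 100.0, 123.0)]
    for state in (nominal, degraded):
        res = actuate(state)
        print(res, control_room_indications(state, res))
```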

Due to the safety implications and complexity of the reactor protection system refurbishment underway, the Project has its own document hierarchy and a QA Plan based on the ISO 9000 standard. The core of the QA documentation is formed by the Development and V&V Plans developed for the project.

The major steps of the V&V activity are:

• formal description of functionality (SFD = synoptical functional diagrams)

• the demonstration of the adequacy of the functional requirements - engineering verification - verification using testing tools

• open and closed loop testing of the representative configuration (RC)

• factory system integration

• factory acceptance tests (FAT), System Validation

• on-site system integration, I/O tests

• System commissioning, reviews and tests of the installed system

• unit level tests (function specific process tests), System Validation

Certainly we wish to utilise the fact that the Paks NPP has a full-scope training simulator. We plan to use the Unit simulator available on the plant site for verifying the functional specification, the representative configuration and the control room interfaces of the new system. Therefore the upgrade of the training simulator in use since 1988 has been underway since 1996. The existing information system tries to monitor the internal status of the safety systems by monitoring a large number of binary signals. That status monitoring will lose its importance with the application of the new digital reactor protection system. The refurbishment of the process control computers of the related Unit is planned to be performed during the outage preceding the reactor protection system refurbishment. Within that activity, the new information system is to be made capable of communication with the intelligent protection system. We wish to utilise the services provided by the plant computers for the tasks of status monitoring of the safety systems and the evaluation of emergency events.

4.4 IMPLEMENTATION SCHEDULE

The installation activities of the new safety system are planned to be spread over several maintenance outages by means of pre-installation activities. The three independent trains of the new reactor protection system will be installed in three different system rooms of what is called the electrical gallery of the reactor building. The existing equipment is to be relocated to provide room for the central cabinets. During the maintenance outage of 1997 the pre-installation activities not affecting the equipment of the existing reactor protection system were commenced. The installation of the new cable routes and impulse line routes was also started and will be resumed during the maintenance outage of 1998. The management level schedule for the factory and on-site activities of the time period from contracting to the test run of Unit 1 is shown in Figure 7.

Figure 7: Management level schedule (Gantt chart, 1996 Qtr 2 to 1999 Qtr 3)

System development and realization: Contract initialling; 2.1 Conventional I&C requirements; 2.2 Conventional I&C design; 2.3 Conventional I&C manufacturing and purchasing; 2.4 Computer hardware requirements; 2.5 Computer hardware design; 2.6 Computer hardware manufacture; 2.7 Software requirements; 2.8 Software design; 2.9 Software coding; 2.10 Computer system integration; 2.11 Factory acceptance test; 2.12 System analysis; 3.1 Preinstallation during outages; 3.1 Preinstallation during operation; 3.2 System installation; 3.3 System test, site acceptance test; Pilot run (outage in '99).

Development of test environment: Training simulator update; RC development; Interface development between simulator and SMS; Hardware in the loop test; Training on the updated simulator.

Supplier and Customer have established the project organisations responsible for the performance of the refurbishment tasks. The project organisations follow a mutually approved, systematic approach in fulfilling the tasks so as to meet the agreed and approved schedule. It can be stated already after the first year of the contract-based refurbishment process that the implementation of the safety I&C system continuously requires a high level of organisation, QA and project management.



XA9846492

EXPERIENCE AND PERSPECTIVE IN BACKFITTING OF SAFETY I&C SYSTEMS IN BELGIAN NUCLEAR POWER PLANTS

Jean-Claude NAISSE, Tractebel Energy Engineering, Brussels, Belgium.

Abstract

The seven NPPs presently in operation in Belgium were commissioned between 1975 and 1985. They amount to an installed capacity of 5.600 MWe (almost one third of total Belgian capacity) and ensure some 55% of the total electricity production in Belgium. For Belgian NPPs the legal obligation to perform a safety re-evaluation after each ten years of operation is embedded in the associated royal authorization decree for plant operation. Those re-evaluations are major contributors that give rhythm to large safety reassessment activities and to the I&C revamping/replacement projects they eventually induce. In 1985 the first safety revision of the oldest plants resulted in large I&C modification programs linked to the addition of Ultimate Safety Systems to the original plant systems: in the Doel 1/2 plants, programmable reactor protection and actuator control systems were added. In 1992/95 the first safety revision of the four latest Belgian NPPs did not come out with such fundamental I&C modifications: the most important safety I&C induced project was the addition in Tihange 2 and 3 of programmable systems for sub-cooling and critical safety function monitoring. Due to licensing problems experienced with the above projects, the I&C system replacements that occurred as a consequence of the second safety revision of the oldest plants were made by means of non programmable systems. In addition, much effort was devoted to assessing, analyzing and trying to counteract the consequences of obsolescence of existing old I&C equipment. Considering obsolescence problems, it is clear that the following steps in the lifetime of Belgian NPPs will be crucial as far as I&C systems and equipment are concerned.

1. THE BELGIAN NUCLEAR CONSTRUCTION PROGRAM (FIG. 1)

The Belgian commercial nuclear program started in the early sixties with the construction of the experimental PWR plant BR3 in Mol (commissioned in 1962, nominal electric power 11,5 MWe). In the middle of the sixties the Chooz A plant was commissioned: this French-Belgian cooperation project was intended to be a prototype for the large scale nuclear construction programs that were to be launched both in France and in Belgium.

Those two plants were decommissioned respectively in 1987 and 1991. The seven NPPs nowadays in operation in Belgium are located at two different sites (Doel near Antwerp - Northern part of the country and Tihange near Liege - Southern part of the country). Those seven NPPs amount to an installed capacity of 5.600 MWe (almost one third of the total Belgian capacity) and ensure some 55% of the Belgian electricity production (40.000 GWh).

Commissioning of those plants occurred respectively in 1974/75 for Doel 1/2 (two-loop twin units), 1975 for Tihange 1 (three loops), 1982 for Doel 3, 1983 for Tihange 2 and 1985 for Doel 4 and Tihange 3. The studies related to the next NPP to be built in Belgium (the N8 project, intended 1.400 MWe) started in 1986. Those studies were frozen in 1989 following a governmental decision.

Fig. 1 - THE BELGIAN NUCLEAR CONSTRUCTION PROGRAM

Year      Plant                                                Power      NSSS supplier
1955      BR1 (Mol)                                            4 MWth
1962      BR2 (Mol)                                            60 MWth
1962      BR3 (Mol), experimental (decommissioned)             11,5 MWe   W
1967      CHOOZ A, French-Belgian unit (decommissioned)        305 MWe    FRA/W/ACEC
1974/75   DOEL 1/2, twin units (2 reactors, 2 turbines)        800 MWe    W/ACEC
1975      TIHANGE 1, Belgian-French (1 reactor, 2 turbines)    870 MWe    FRA/W/ACEC
1982/83   DOEL 3                                               980 MWe    FRA
          TIHANGE 2                                            950 MWe    FRA
1985      DOEL 4                                               1000 MWe   W
          TIHANGE 3                                            1000 MWe   W
1989      Suspension of studies for new NPP in Belgium (N8)    1400 MWe   FRA

2. ORIGINALLY IMPLEMENTED I&C SYSTEMS IN BELGIAN NPPS

For the oldest plants of Doel 1/2 and Tihange 1 an I&C structure implementing four safeguard instrumentation redundancies and two safeguard actuator redundancies was selected. Instrumentation systems and analog controls were based on dedicated hardware modules. Reactor protection and safety features actuation systems as well as the overall logic actuator controls were relay based. Conventional hardwired panels and desks were used in the control rooms. Almost no programmable equipment was involved; the only items to notice were the plant data loggers with their associated printers in the control room.

For the four latest plants the first level I&C structure again involved four safeguard instrumentation redundancies, but this time three redundant safeguard actuator trains were chosen. In order to cope with external accidents (airplane crash, large explosion) a similar complementary I&C structure associated with the emergency systems was implemented. Instrumentation systems and analog controls were still based on dedicated hardware modules, although for Doel 4 and Tihange 3 some complex non safety related analog controls (Steam Generator level control, Steam dump control, ...) were performed by stand-alone programmable modules (ACEC MRH 3333). Reactor protection and safety features actuation systems were based on magnetostatic fail-safe equipment. Overall actuator logic controls were performed by Iskamatic equipment in Doel 3 and 4 and by relays in Tihange 2 and 3. Control rooms integrated the color CRTs of the plant computerized information systems. Programmable controllers were widely used in stand-alone and non safety related applications (demineralization plants, waste treatment plants, refueling machines, ...). The only NSSS specific system based on programmable equipment was at that time the rod position indication system.

It should be noted also that although different NSSS suppliers were selected all along the Belgian nuclear construction program, a very strict standardization on I&C was imposed by the Belgian utility and architect-engineer so as to achieve coherence between the various plants and between NSSS and non NSSS I&C equipment. At the point where the studies for N8 were frozen, the following implementation options were already decided:

• four safeguard redundancies for both instrumentation and actuators;
• common I&C structure to cope with both internal and external accidents;
• programmable I&C overall and specific systems;
• computerized control room.

3. EXPERIENCE IN BACKFITTING OF I&C SYSTEMS IN BELGIAN NPPS

3.1. REASONS FOR BACKFITTING

The need for I&C systems backfitting is generally driven by the consequences of constraints arising from obsolescence. Obsolescence is to be interpreted broadly, as it can result from various factors related to:

• the I&C equipment itself or its associated support (from the manufacturer, from the architect-engineer or at the plant);
• the functionalities provided by the I&C system;
• the evolution of the regulatory framework applicable to the plant.

Equipment and functional obsolescence generally induce I&C backfittings intended for plant operation and/or maintenance improvement; they address almost only non safety related I&C systems.

Plant design regulatory framework obsolescence induces mainly safety related backfittings.

3.2. ON-GOING IMPROVEMENT OF PLANT OPERATION/MAINTENANCE

The tremendous progress of digital systems and the experience gained with their implementation, operation and maintenance in both conventional and nuclear Belgian power plants paved the way for many I&C backfittings in NPPs based on digital systems.

3.2.1. Steam Generator level control upgrading

Using programmable equipment to implement those controls in the Tihange 3 and Doel 4 plants since their commissioning (1985) allowed the benefit that could be expected from such a backfitting for the other plants to be evaluated.

Better-performing control algorithms allowed the burden on the operator to be lessened by providing fully automatic SG level control from hot standby of the plant up to full load operation. In case of incident, the new control also demonstrated itself to be a must for SCRAM reduction purposes. Starting in 1986 with Tihange 1, all the plants were successively upgraded with digital equipment.

3.2.2. Computerized Information Systems

The first plant to be upgraded was Tihange 1 (in 1986/87). The initial data logger was replaced by a system providing graphical color CRTs that were integrated in the existing control room. For Doel 1/2 the data logger replacement occurred in 1990/91 along with the works linked to the first safety revision of those plants. The existing computerized information systems in Doel 3 and Doel 4 were replaced more recently along with the outages for steam generator replacement. Those replacements were decided mostly to cope with equipment obsolescence.

3.2.3. Rod position control and rod position indication systems

The initially installed systems in Doel 1/2 were replaced in 1990 for the rod position control system and in 1993 for the rod position indication system. The existing rod position indication system was already of digital design in the early seventies: in this case both equipment and functional obsolescence were tackled. The system was developed as a standard product (see fig. 2) and is to be implemented soon in Tihange 1 and Tihange 3.

Fig. 2 (diagram not reproduced)

3.3. DECENNIAL SAFETY REEVALUATIONS

Obsolescence linked to the evolution of the applicable regulatory framework was taken into account from the beginning of the nuclear construction program in Belgium. For all NPPs operated in Belgium the legal obligation of performing a plant safety reevaluation every ten years was embedded in the initial royal authorization decree for plant operation.

3.3.1. First safety reevaluation of oldest plants

The impact of the first safety revision of the oldest plants (Tihange 1 and Doel 1/2) was very important. The beyond design situations to be addressed for those plants were determined as follows:

• high level earthquake
• airplane crash
• large external explosion
• fire in the electrical building
• unavailability of the control room
• loss of all external and internal power sources.

Taking those situations into account imposed large upgradings of the existing I&C systems and the addition of Ultimate Safety systems. In Tihange 1 (see fig. 3) the existing electrical building was reinforced and requalified against high level earthquake (0,17G), external explosion and little airplane crash. Redundant train separation was improved and qualified I&C power sources were added. A non seismic single train ultimate system was added. No digital I&C equipment was implemented.

Fig. 3 - Tihange 1 (diagram not reproduced): control room and electrical building reinforced and requalified to withstand earthquakes (0,17G); improved train separation; separate and redundant qualified I&C sources added; instrumentation and R.P./S.A. refurbished; actuators; non-seismic ultimate system; instrumentation: hardwired logic, control: relays.

In Doel 1/2 (see Fig. 4) it was concluded that it was impossible to upgrade the existing electrical building as far as high level earthquake and physical separation of redundancies were concerned. Separate ultimate systems were added:

• they are housed for the two units in a common building (named GNS) and designed to withstand high level earthquake (0,1G), external explosion and little airplane crash;
• two separate I&C electrical sources are available per unit in the GNS; they can be shared to achieve up to a fourfold redundancy for protection;
• 6 kV power supplies for ultimate equipment are not made redundant per unit: in case of single failure, possibilities exist for manual switch-over to the ultimate equipment dedicated to the other unit.

The ultimate I&C systems are based on CEGELEC-ACEC AC 132 equipment for instrumentation, reactor protection and safeguard actuation (SPS system) and on SIEMENS-TELEPERM ME for actuator logic and analog control.

Those ultimate I&C systems are acting on :

• actuators already existing or added in the original circuits so as to realize the back-up panel functions (hot and cold shut-down facilities), the cold overpressure protection and the isolation of normal feedwater and main steam lines;
• the specific ultimate systems that provide for Reactor Coolant Pump seal injection, SG feedwater, cooling water, compressed air, diesels and electrical distribution control and ventilation of the GNS building.

Fig. 4 - Doel 1/2 (diagram not reproduced): existing electrical building (GEH), seismic low level, housing electrical equipment 1 and 2, computers and the back-up panels (B.P.); separate GNS building, seismic high level, housing the ultimate panels (U.P.) and the ultimate systems for emergency feedwater, R.C.P. seal injection and emergency cooling. SPS = reactor protection & safeguard actuation = AC132-16 CEGELEC-ACEC; logic & analog control: TELEPERM SIEMENS; B.P./U.P. = back-up panel / ultimate panel.

3.3.2. First safety reevaluation of the four latest plants

The studies related to the first ten year safety revision of the Doel 3 and 4 and Tihange 2 and 3 plants did not come out with fundamental subsequent I&C modifications. The initially installed emergency provisions intended to cope with external accidents provided a satisfactory answer to most of the beyond design situations to be considered. An important induced safety related I&C project was due to the necessity to add a fully qualified core temperature and subcooling monitoring system in those plants. Tihange 2 and 3 were chosen for the first implementation. In order to get maximum advantage of this installation, it was decided to integrate in the system the automatic follow-up of Critical Safety Functions.

The block scheme of the intended system is presented in fig. 5. Important characteristics of this system were the exchange between safety trains of digitalized analog values (each train computing the most probable value) and the aim for a qualified CRT based supervision. Due to licensing problems the delays extended, and finally a restricted system limited to the original safety related demand (core temperature and subcooling recording in the control room) was licensed in 1996.

3.3.3. Second safety reevaluation of the oldest plants

The Reactor Protection and Engineered Safety Features Actuation System in Tihange 1 was replaced in 1995 during the outage for replacement of the steam generators. The existing relay system was replaced by a magnetostatic based one (see fig. 6). Reactor trip breakers were also replaced and a new SCRAM structure adopted. The new system integrates new protection functions, and periodical testing is eased by the use of programmable test consoles. A back-up system has also been added, allowing the main system to be cut off for maintenance during refueling while maintaining the restricted protective functions needed.

The Nuclear Instrumentation Systems in Doel 1/2 were replaced during normal outages of the plants. The actual neutron detectors and all existing cabling were maintained. Conventional analog equipment (standardized with the one used in radiation monitoring equipment) was chosen and programmable equipment was restricted to the programmable test equipment. The new systems provide for better separation between redundant channels and seismic adequacy versus the adopted Operating Basis Earthquake. Obsolescence of the existing safeguard diesels starting supervisory system in Doel 1/2 and the need for better diagnostic monitoring in case of fail to start had already led in the early nineties to a replacement project based on programmable control. A first machine had already been equipped, but due to licensing problems the situation has since been blocked. This project has been restarted based on conventional technology control, and one system was replaced in mid 1997 (the three others are foreseen in 1998).

A similar project is on-going for Tihange 1.

Fig. 5 - Subcooling and critical safety functions monitoring, block scheme (diagram not reproduced): four monitoring trains (B, R, G, N) fed by the reactor protection nuclear and thermodynamical instrumentation (trains B, R, G, N1/N2), the process computer, the cold junction boxes and the in-core thermocouples (reactor coolant circuit, reactor containment); displays via a display generator on the main control room control desk, the control panels, an extension to the control desk and the outside technical support center (OTSC).

Fig. 6 - Tihange 1 reactor protection and ESFA, trains A and B (diagram not reproduced): process information from the nuclear & thermodynamic instrumentation (P1 to P4) and the manual commands feed RP/ESFA train A and train B; reactor trip and ESFA outputs with X/Y redundancies drive alarms, indication and computer, the actuator relay control (AX, AX+Y, AY, BX, BX+Y, BY), the rod control system, the two generators and the reactor trip breakers.

4. PERSPECTIVE IN BACKFITTING OF SAFETY RELATED I&C SYSTEMS

4.1. ALREADY PLANNED REPLACEMENTS OF SPECIFIC I&C SYSTEMS

Especially for the oldest plants, obsolescence of I&C equipment places an increasingly heavy burden on maintenance, test and repair activities.

In Doel 1/2, equipment obsolescence concerns about radiomonitoring measurements have led to the decision to replace part of the existing systems (among which are some safety related ones). This project is currently in the bidding phase, but it is already clear that the market trend is mostly oriented towards digital solutions. In Tihange 1 the same obsolescence and availability concerns have forced the decision to replace the nuclear instrumentation and thermodynamical instrumentation systems. Backfitting activities should occur stepwise along plant outages and start in 1999. The studies are due to begin very soon and both digital and conventional solutions are going to be considered.

4.2. THE GLOBAL APPROACH TO COPE WITH NEXT MILESTONES IN THE LIFETIME OF BELGIAN NPPs

Considering obsolescence problems it is clear that the following safety revisions of the plants (2005: third revision of the oldest plants; 2002/2005: second revision for the more recent ones) will be crucial as far as I&C systems and equipment are concerned. The year 2000 is probably going to be the definitive turning point towards digital technology for I&C in Belgian NPPs.

4.2.1. The new I&C structure concept

The overall I&C structure implemented in the Belgian NPPs currently in operation relies on a split between elementary I&C systems that is an image of the technological constraints inherited from the state of the art available in the early seventies. In the late eighties, with the studies related to the design of the next NPP in Belgium (N8 project), the point was already reached of reconsidering both the elementary I&C systems and the overall I&C structure in the light of the technological developments that had occurred. From 1989 up to now, better knowledge of digital technology and the associated experience feedback have allowed the fundamental problems to be tackled and a new ideal I&C structure to be defined. Each intended I&C backfitting project is to be evaluated against the basic concepts of this ideal structure, in order to possibly reconsider the limits of the backfitting so as not to hamper other future backfittings while allowing gradual progress towards a final I&C structure showing improved coherence.

4.2.2. The assessment project for preparation of future digital I&C backfittings

As can be clearly seen from the experience in digital I&C backfittings described in chapter 3 above, the licensing concern is the major problem for further implementation in Belgium. In order to solve this problem the Belgian utility and architect-engineer have started a common project with the Belgian licensing authorities in order to assess and bring together all the work that was performed in Belgium up to now as far as implementation, licensing and operation of digital I&C systems are concerned. This project should also:

• screen what is happening outside Belgium regarding the licensing of digital systems;
• evaluate the I&C systems currently available on the market.

The final goal of this project is to provide the necessary global classification, qualification and licensing approach to be used for future digital I&C backfitting in Belgian NPPs.

AN APPLICATION STUDY FOR THE CLASS 1E DIGITAL CONTROL AND MONITORING SYSTEM

XA9846493

HIROYUKI FUKUMITSU, Nuclear Power Plant Department, EISC, MITSUBISHI ELECTRIC CORPORATION, Kobe, Japan

Abstract

This paper presents an application study of the Class 1E digital control and monitoring system for the next Japanese plants, especially regarding the MMIS. The system architecture of hardware and software is also introduced, which explains the strategic plan for the necessary software verification and validation according to the latest requirements of the Japanese regulatory guide.

1. INTRODUCTION

The Man-Machine Interface Systems (MMIS) in PWR plants employ the latest technology of each generation, such as human engineering, knowledge-based technology and computer technology, to reduce operator workload and human error. The first PWR started its commercial operation in 1970; its first generation main control board was equipped with many hardware switches and indicators. On the other hand, the latest Japanese PWRs employ microprocessor-based (digital) systems for reactor and turbine control and for the plant monitoring system. The next plants will also employ this proven technology for the Class 1E systems: the reactor protection system and the MMIS. At present the construction schedule of the next PWR plants is in the planning phase; however, the basic development of the digital Class 1E control and monitoring system has been finished. Digital systems have great advantages for the application to the MMIS, for example the use of Visual Display Units (VDU), improvement of system reliability and operability, and reduction of maintenance workload and cost. From the viewpoint of the recent regulatory guide, the application of digital systems to Class 1E control and monitoring systems will require more investigation concerning plant safety, reliability analysis and verification and validation of software.

2. DESIGN APPROACH

2.1. CONSIDERATION FOR THE DIGITAL INSTRUMENTATION AND CONTROL SYSTEM

As the instrumentation and control system plays the role of the central nervous system of the nuclear power plant, the I&C system has been designed for high reliability and safety from the beginning of nuclear history. For the construction of the newly designed PWR plant in Japan, we are trying to upgrade the total I&C system design. Digital technology, which is the major upgrading issue in the I&C system, has been applied step by step to Japanese PWR plants, from portions of the I&C system not important to safety to portions important to safety, as shown in Fig. 1.

Fig. 1 History of the I&C Technology

Hardware technology     1970's              1980's               1990's                         2000's
- Signal processing     Analog (box type)   Analog (card type)   Digital (non-safety),          Digital
                                                                 Analog (card type) (safety)
- Protection logic      Magnetic relay      Solid state circuit  Solid state circuit            Digital
- Control sequence      Magnetic relay      Magnetic relay       Digital (non-safety),          Digital
                                                                 Solid state circuit (safety)

Application of digital technology (in order of introduction): rad waste control system; main control board; non-safety systems (control rod, pressurizer, etc.); safety system.

In the next stage PWR plant, a totally digitalized I&C system including the Class 1E system and a soft-operation control room are planned to be applied to improve safety, reliability, maintainability and testability, and to reduce plant cost. This newly designed I&C system, especially the digital Class 1E system, is carefully designed, and a large scale qualification test was carried out with the cooperation of Japanese PWR/BWR utilities and vendors.

2.2. DESIGN OF THE DIGITAL CLASS 1E CONTROL AND MONITORING SYSTEM

When we apply digital technology to the Class 1E systems, we have to consider not only the conventional design criteria but also the newly established design criteria for safety software in the design of the system. Basically, the functional design of the digital Class 1E system is almost the same as the design of the conventional system, and the conventional design criteria are applied. But concerning the software, the recently issued domestic design guideline (JEAG-4609) is applied to the design process and the V&V activity. In JEAG-4609 the design and manufacturing process shown in Fig. 2 is defined, and the V&V activity should be applied to each stage of design and manufacturing (the process in JEAG-4609 is similar to the process in ANSI/IEEE-7.4.3.2).

Fig. 2 Verification & Validation Flow (diagram not reproduced; the stages are listed in order)

System requirements of the digital Class 1E system
  -> Requirement specification of the system design (note 1)       [Verification 1]
  -> Requirement specification of the hardware & software design   [Verification 2]
  -> Software design                                               [Verification 3]
  -> Software production                                           [Verification 4]
     (in parallel: hardware design & production)
  -> Hardware & software integration                               [Verification 5]
  -> Validation (note 2; against the software V&V plan)
  -> Final products

Verification 1: specification verification of the system design requirement
Verification 2: specification verification of the hardware & software design requirement
Verification 3: software design verification
Verification 4: software production verification
Verification 5: verification of hardware and software integration
note 1) indicates the scope of the design and production activity
note 2) indicates the scope of the V&V activity

2.3. CONSIDERATION IN THE ENVIRONMENTAL QUALIFICATION

The environmental withstand capability of the digital Class 1E system is considered in the design according to domestic standards on seismic, radiation etc. There is no domestic standard for EMI in nuclear power plants, but based on investigation and analysis of the magnitude of noise or surge in the nuclear power plant, we chose some standards on lightning impulse and electromagnetic surge and applied them in the qualification test. In addition, some conditions, such as seismic design, are checked individually site by site. There is also no domestic standard for RFI in nuclear power plants, but we carried out a qualification test with some handy talkies used in operating nuclear power plants. This EMI and RFI qualification is the same as the qualification for the non-Class 1E digital I&C systems in operating nuclear power plants, so judging from the satisfactory operating experience we think that this qualification is applicable to the digital reactor protection system.

2.4. CONSIDERATION IN THE DESIGN OF THE SOFTWARE

As mentioned before, the reliability of the safety software is obtained by rigorous V&V activity. But some design criteria, shown below, are applied to the software design itself so that the V&V activity can be carried out effectively.

(1) Class 1E software should have a single task architecture and execute the task in a fixed time interval. Interrupt operation should be inhibited.
(2) The system software, which controls or manages the system operating mode, should be separated from the application software, which describes the function of each system.
(3) The system software should have only the features required for the I&C system in the nuclear power plant (dedicated system software for nuclear application should be used).
(4) The system software should have a modular and structured architecture, and each module should be written in a high level language.
(5) The application software should be written as a combination of functional modules (subroutines) which represent functional elements of the I&C system of the nuclear power plant.
(6) Each functional module should be written in a high level language.
(7) The combination of the functional modules should be visible in a graphical image like CAD. Graphical symbols which represent functional modules are put on the CRT of the software tool.

3. DESIGN

The same documentation structure as for the conventional system will be applied to the equipment specification of the digital Class 1E system. Important specifications such as system functions, the functional boundary between hardware and software, and system interfaces are described in composite block diagrams. The structure of these diagrams is similar to that of the non-Class 1E digital applications in the operating plants, with which sufficient experience has been gained. In this composite block diagram, the function to be installed is described as the connection of graphical symbols which represent basic functional elements generally used in the design. This approach enables easy understanding and review of the functions of the equipment not only by experts of the digital I&C system but also by people who have experience in conventional I&C systems, including operational staff or maintenance people.

This documentation is widely effective for design, manufacturing, testing, operation and maintenance. For the system software, which determines the basic system operation, the same software is used as in the non-safety systems in the operating plants, which has undergone intensive verification tests and accumulated sufficient operating experience. There is no need to change the specification of the system software for the Class 1E application, so only the specifications required for each Class 1E system are described in the specification documents.

3.1. SOFTWARE SPECIFICATION

The software specification of the application software is created directly from the equipment specification described in the composite block diagram. Software modules which correspond to the graphical symbols in the composite block diagram are connected together. Programming of the application software is performed with a software design/programming tool, in the manner of a CAD drawing tool, by selecting each module symbol and connecting them. The completed application software is readable and reviewable not only by the designer of the software but also by the system designer and utility people. This approach has been applied since the design of the software of the non-Class 1E applications for the operating plants, and sufficient experience has been gained with it. Fig. 3 shows an example of software architecture.

Fig. 3 An example of software architecture (diagram not reproduced)

Basic S/W:
- Initial processing: H/W initialize, calibration processing, initial checking
- Main control S/W (periodic): initialize processing, input process, control process, checking process, output process, communication process

Application S/W:
- Displays (symbol packages #1, #2, ... #N)
- Control switches (ON/OFF)

3.2. HARDWARE SPECIFICATION

As mentioned in section 2.3, several measures are also taken into account in the hardware specification:

- EMI/RFI
- seismic

The hardware configuration is shown in Fig.4 below.

Fig. 4 An example of digital system for MMI-S (figure: MMI-S VDU with communication with the touch panel, communication with the flat display panel, communication management, communication with I&C and communication with another VDU)

4. SOFTWARE TEST

In the software verification test, the software should be executed on a system with the same configuration as the target system in order to verify the system function. The modules of the system software and the functional modules are tested in the V&V activity through structural tests (white box tests) and functional tests (black box tests) carried out at object code level. The total system function of the application software is verified on a test bed with the same configuration as the target system, using simulated input signals. The system software of the digital Class IE system is a dedicated one designed for I&C systems in nuclear power plants; it operates as a single task at a fixed time interval without any interrupt operation. The test conditions can therefore be established easily, without consideration of the timing of related signals or of the operation of the target system, and sufficient verification testing can be performed with a relatively small number of test cases. Fig.5 shows an example of the testing procedure.
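The following is an added example, not code from the paper or from the system it describes. It models the structure of Fig.3 and Fig.5 in Python: an application built by connecting symbols of a constructed symbol package (a 2-out-of-3 high-pressure trip with a bypass permissive; all names are hypothetical), executed as one periodic single-task scan (input process, control process, checking process, output process). Because the scan has no interrupts and no timing dependence, the test bed can enumerate every input combination against an independent oracle, which is the point made above about testing with a small number of cases.

```python
"""Periodic single-task scan of a block-diagram application (added example).

Not code from the paper: it mirrors the structure of Fig.3/Fig.5 (input
process, control process, checking process, output process, executed once per
fixed cycle with no interrupts) using constructed symbol names and a
constructed 2-out-of-3 high-pressure trip as the application."""
from dataclasses import dataclass
from itertools import product
from typing import Callable, Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class Symbol:
    """One graphical symbol of the composite block diagram (hypothetical names)."""
    name: str
    inputs: Sequence[str]        # signal names read from the process image
    output: str                  # signal name written to the process image
    func: Callable[..., object]


# Basic functional elements of a (constructed) symbol package.
def hi_limit(value: float, limit: float) -> bool:
    return value >= limit


def vote_2oo3(a: bool, b: bool, c: bool) -> bool:
    return (a and b) or (a and c) or (b and c)


def and_gate(a: bool, b: bool) -> bool:
    return a and b


# The application: symbols connected by signal names, listed in execution order.
APPLICATION: List[Symbol] = [
    Symbol("HI_P1", ("P1", "P_LIMIT"), "HI1", hi_limit),
    Symbol("HI_P2", ("P2", "P_LIMIT"), "HI2", hi_limit),
    Symbol("HI_P3", ("P3", "P_LIMIT"), "HI3", hi_limit),
    Symbol("VOTE", ("HI1", "HI2", "HI3"), "TRIP_DEMAND", vote_2oo3),
    Symbol("PERMIT", ("TRIP_DEMAND", "NOT_BYPASSED"), "TRIP", and_gate),
]
CONSTANTS = {"P_LIMIT": 160.0}   # constructed setpoint (bar)


def scan_cycle(app: List[Symbol], raw_inputs: Dict[str, object]) -> Dict[str, object]:
    """One cycle: input process -> control process -> checking process -> output process."""
    image: Dict[str, object] = dict(CONSTANTS)
    image.update(raw_inputs)                      # input process: freeze the inputs
    for sym in app:                               # control process: fixed order, no interrupts
        image[sym.output] = sym.func(*(image[n] for n in sym.inputs))
    # checking process: the final command must be a boolean and may only be
    # raised when the voter demanded it (a cheap self-consistency check)
    if not isinstance(image["TRIP"], bool) or (image["TRIP"] and not image["TRIP_DEMAND"]):
        raise RuntimeError("checking process failed")
    return {"TRIP": image["TRIP"]}                # output process


def reference_trip(p1: float, p2: float, p3: float, not_bypassed: bool) -> bool:
    """Independent oracle for the test bed, written from the specification, not the symbols."""
    highs = sum(p >= CONSTANTS["P_LIMIT"] for p in (p1, p2, p3))
    return highs >= 2 and not_bypassed


def exhaustive_test(app: List[Symbol]) -> Tuple[int, int]:
    """The cycle has no timing dependence, so every input combination can be
    enumerated: returns (cases run, cases failed)."""
    cases = failed = 0
    for p1, p2, p3, nb in product((150.0, 170.0), (150.0, 170.0), (150.0, 170.0), (True, False)):
        cases += 1
        got = scan_cycle(app, {"P1": p1, "P2": p2, "P3": p3, "NOT_BYPASSED": nb})["TRIP"]
        if got != reference_trip(p1, p2, p3, nb):
            failed += 1
    return cases, failed


if __name__ == "__main__":
    print(scan_cycle(APPLICATION, {"P1": 170.0, "P2": 165.0, "P3": 120.0, "NOT_BYPASSED": True}))
    print(exhaustive_test(APPLICATION))
```

The oracle is deliberately written from the requirement (at least two high pressures and no bypass) rather than from the symbol list, so that a wiring error in the block diagram would show up as a failed case.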

Fig. 5 An example of testing procedure (figure: periodic single task operation in which the Input Process (process input) is followed by Symbol Selection, the Control Process (control request, display, symbol/colour change), the Checking Process (output creation) and the Output Process (process output))

AN APPLICATION STUDY FOR THE CLASS IE DIGITAL CONTROL AND MONITORING SYSTEM

(1) Digital technology, which is the major upgrading issue in the I&C system, has been applied step by step to Japanese PWR plants, from portions of the I&C system not important to safety to portions important to safety.
(2) The design and manufacturing process should be defined, and the V&V activity should be applied to each stage of design and manufacturing.
(3) Software architecture applicable to V&V.
(4) Simplified digital system for MMI-S.
(5) Testing procedure of software.

Hardware technology by decade:

                                   1970's              1980's               1990's                                                     2000's
Signal Processing                  Analog (box type)   Analog (card type)   Digital (non-safety); Analog (card type) (safety)          Digital
Protection Logic                   Magnetic relay      Solid state circuit  Solid state circuit                                        Digital
Control Sequence                   Magnetic relay      Magnetic relay       Digital (non-safety); Solid state circuit (safety)         Digital
Application of digital technology  -                   Rad waste system     Main control board; non-safety systems (control rod, pressurizer, etc.)   Main control board; safety systems

System requirements of the digital Class IE system (figure: design and production flow from the requirement specification of the system design, through the requirement specifications of hardware and software, hardware design and software design, software production, and hardware and software integration, to the final products, with a verification step at each stage and validation of the final products)

Verification 1: Specification verification of the system design requirement
Verification 2: Specification verification of the hardware and software design requirements
Verification 3: Software design verification
Verification 4: Software production verification
Verification 5: Verification of hardware and software integration
Note 1) The dashed box indicates the scope of the design and production activity.
Note 2) The bracket indicates the scope of the V&V activity.


COMPUTERIZED REACTOR SURVEILLANCE AND CONTROL SYSTEM: AN FBR EXAMPLE

J-P. TRAPP, A. LEBRUN XA9846494 CEA/DRN/DER/SSAE CE Cadarache, France

Abstract

Reactor core surveillance is most often performed using analog processing approaches and signals from neutronic sensors (fission chambers, ionization chambers, SPND, etc.) or thermal sensors (thermocouples). The processing used is often extremely simplified. A significant improvement in the performance of these systems can be obtained by applying digital processing to these same signals. This paper presents the TRTC Core Temperature Processing System ("TRaitement des Temperatures Coeur", TRTC) that ensures the thermal surveillance of a fast breeder reactor core, the Superphenix unit; we also present the ALPES system, which is a development of this system and significantly improves the performance of the surveillance and protection functions. We will show that these systems can be used in all types of reactors where the surveillance systems use temperature measurements that are representative of core outlet temperatures.

1 - Introduction

The core outlet temperature, when it is representative of the heat build-up in an assembly or in a core zone, can be used to monitor reactor operation and also to protect against various incidents or even potential accidents. This is the case in various reactor types (BWR, RBMK, VVER) and typically in FBRs.

In FBRs in particular, a hexagonal tube confines the flow of coolant to each assembly. Each assembly can thus be considered as a unique object, independent of its neighbours, whose reaction to a given neutronic state depends only on the flow of fluid through it. This hexagonal tube (HEX) helps ensure that the outlet temperature is perfectly representative of the events that may occur in the assembly, i.e.:

- an unexpected variation in the flow of heat-carrying fluid,
- fast or slow occurrence of a blocking phenomenon.

Therefore precise and continuous monitoring may be envisaged. This was the case for the RAPSODIE experimental reactor (1967-1983) and is still the case for the PHENIX (250 MWe, since 1974) and SUPERPHENIX (1200 MWe, since 1985) reactors.

This paper presents the TRTC system for SPX and the performance it achieves as well as the improvements that can be made by digital signal processing systems as shown by the ALPES demonstrator.

2 - The core temperature processing system (TRTC) in Superphenix

Fig. 1: View of the reactor core (figure: core map showing the main control rods (SCP), the backup rods (SAC), in-core neutron counters, neutron guide tubes and diluent subassemblies)

Fig. 2: Core temperature control system for SPX (figure: thermocouples over the rotating plug, analog-to-digital converter and multiplexer, TV display and operator desk)

Each of the 376 fuel assemblies (Figure 1), the 21 control rods and the 72 fertile assemblies in the first radial crown are monitored by two Chromel-Alumel thermocouples (Tc) located 10 cm over the assembly heads, in normal operation at rated power (14 cm when stopped at 180°C). These thermocouples have a time constant of 1.1 second and over 90% of the temperature data is acquired and available after a second.

The multiplexers used scan all of the thermocouples in approx. 600 msec, effectively allowing an acquisition period of 1 second. Given the thermal inertia of the assemblies and the dynamic progression of the incidents to detect as well as the improvements in processing that can be envisaged (refer to paragraph 5), it will no longer be necessary in future to reduce the thermocouple time constant or the acquisition period used.

The measured temperatures are processed by two fail-safe classified, redundant computers with an installation that is fully independent from the thermocouples to the computers (except for the tube that carries the two TCs).

These two computers are connected by a data link that allows them to communicate and to generate the protection zone results in 2-out-of-2 mode. In this way, every second each of the two computers receives all of the core temperature readings as well as the outlet temperatures of the four primary pumps. When this system was designed and installed on SPX, only one type of computer was qualified by EDF; this explains why the two computers used are identical, which can be criticized from an independence point of view. The same applies to the processing software, which is not diversified.

The data link between the two systems is provided by fiber optics to ensure electrical decoupling between them. This avoids introducing any dependency between the two systems: if one of the two computers received data from its counterpart during the preceding second, it takes it into account and uses 2-out-of-2 logic; otherwise it operates in 1-out-of-1 logic mode.

The two computers are also connected to the facility computer (CORA-refer to Figure 2) that mainly performs the surveillance and results presentation function (diagrams) as well as storing the measurements.

3 - The functions performed by the TRTC in Superphenix /1-2/ and their performance

3.1 - The blocking gap

This is the most important parameter:

$\delta \Delta T_i = \Delta T_i - a_i \, \Delta T_{mg}$

where $\Delta T_i$ is the heating of assembly i, $\Delta T_{mg}$ is the average heating of the assemblies in group g, and $a_i$ is a standardization factor.

It characterizes the heating state of an assembly i, taken individually, relative to the heating of all of the assemblies of the same type, combined in the same group.

It allows continuous precise monitoring and protection of the assemblies against the risks of blockage and in all cases against abnormal heat build up in an individual assembly.

An emergency state is triggered when the blockage variation reaches or exceeds +15°C.

3.2 - Average Heating

$\Delta T_m = \left( \sum_i \Delta T_i \right) / n$, where n is the number of assemblies.

This is used to monitor and protect the core against abnormal thermal situations.

The emergency stop is initiated when ATm reaches or exceeds +16°C

3.3 - The Maximum Clad Temperature

$T_E$ = core inlet temperature; $T_{NIG} = T_E + A \, \Delta T_m + B$, where A and B are adjusted factors and $\Delta T_m$ is the average heating.

The emergency stop procedure is initiated when $\Delta T_m$ reaches or exceeds +20°C above a set temperature level of 700°C.

3.4 - Maximum inlet Temperature

$T_E = \left( \sum_k T_{Ek} \right) / 4$, where $T_{Ek}$ is the outlet temperature of each of the 4 primary pumps.

The emergency stop procedure is initiated when TE reaches or exceeds +470°C

3.5 - Other Monitored Parameters

These are not calculated directly by the TRTC but by the CORA computer (refer to Figure 2).

Lineic power: $P_{lin,i} = k_i \, Q_p \, \Delta T_i$, where $Q_p$ represents the flow in the core and $k_i$ is a factor calculated by the project code. The $P_{lin}$ values for all of the monitored assemblies are calculated every two minutes and compared with reference values; if these are exceeded an alarm is sent.

Power per assembly: $P_s = Q_i \, Q_p \, \Delta T_i$, where $Q_i$ is the flow in the assembly.

Gauge temperature record: from the heating levels per assembly ($\Delta T_i$) and a reference temperature chart calculated periodically using project codes, the CORA computer calculates the percentage of gauges that show a maximum clad temperature reaching or exceeding certain values.

3.6 - Performance Levels Reached

The goal, i.e. precise monitoring of the thermal conditions in the SPX reactor core as well as protection against incidents, can be considered reached.

The TRTC system allows the detection (and localization) of partial blockages in a fuel assembly (ass. 3200) at an early stage, as soon as 10% of the rated power level is reached. Thermal monitoring has likewise been ensured. In addition, the operational availability of the system has been excellent and the failure rate low.

To this must be added that the radial distribution of the power layer can be reconstructed with a high degree of accuracy from the measured $\Delta T_i$ values; the discrepancies between experiment and calculation shown in /1/, due to insufficient representativity of the temperature readings /2/, were considerably reduced by an improvement in the precision of the neutronic calculations.

Today, we can be sure of the representativity of the measurements made and of their analysis. However, temperature fluctuations, especially around the edge of the core, have been found to be relatively large and certainly significant enough to reduce the performance level of the surveillance system.

4 - Technical improvements that can be envisaged for future reactors

In the context of the EFR project, a new generation 1500 MWe fast reactor, a number of improvements have been proposed compared with the system used for SPX:

- using 3 thermocouples per assembly instead of 2,
- moving into the dome or onto the core cover plug (BCC) the functions currently performed in the electronics rooms, in order to reduce the data distances, especially along the long distance runs (300 meters),
- using 2-out-of-3 logic,
- diversifying the thermometric probes,
- diversifying the computers and software used.

However, significant improvements will come more from the use of new signal processing techniques rather than from technical improvements, even if some of them must be planned.

5 - Digital processing of core temperatures /3-4/

5.1 - The ALPES Demonstrator

The performance limitations of the TRTC system lie in the temperature fluctuations, which increase when moving away from the centre of the core towards the outer edge. Performance improvements of course require an improvement in the signal-to-noise ratio, and therefore the ability to obtain as quickly as possible the useful part of the signal relating to the observed phenomena.

To do this, digital filtering techniques have been implemented in the ALPES demonstrator. It uses an HP9000 workstation that every second receives all of the core temperature readings (and those of the primary pump outlets) from one of the two TRTC systems, via a (PC) server tasked with ensuring compatibility between the computer coding used in the TRTC and that of the workstation. All of the digital processing is performed within the same second, making safety actions possible where necessary. This demonstrator is designed to show the performance of these systems in the EFR context, both from an accident protection point of view and from that of on-line surveillance.

Figure 3: ALPES block diagram (figure: organisation of the ALPES demonstrator processes)

This system has worked on-line in SPX since July 1995 and has since shown both its reliability in service and its capacity.

5.2 - Improving the Signal to Noise Ratio

Subassembly type        Number   Max. std. deviation
Breeder                 72       3.96°C
Fuel, peripheral        170      2.4°C
Fuel, central zone      194      0.66°C

This record of temperature fluctuations was made using an operating threshold of 95% Pn. The fluctuation increases with the distance from the centre of the core.

The digital filters used are Butterworth type filters with a low-pass cut-off set at 0.005 Hz. Under these conditions, the improvement in the detection of events that lead to slow outlet temperature drifts is significant.

Subassembly type        Improvement
Breeder                 27%
Fuel, peripheral        31%
Fuel, central zone      0%

As shown in the table above, the reduction is more significant the higher the initial amount of fluctuation.

5.5 - Fast Detection of Control Rod Movement

Obviously this is a fast event that must be detected all the more rapidly when it is a control rod withdrawal, since this inserts reactivity.

Two types of detection algorithm have been implemented in the ALPES system:

a/ Control rod signal: the method takes advantage of the deformation of the power layer induced by the Unexpected Control Rod Withdrawal (UCRW):

$S_{UCRW} = (S_{SCP} - S_{REF}) / S_{REF}$

with $S_{SCP}$ = heating around the moving rod and $S_{REF}$ = heating around the rod located diametrically opposite it.

Only a fast variation of this signal is useful for detection; the continuous component is eliminated by digital filtering so that the signal can be compared with an absolute threshold, chosen so that all alarms that do not correspond to real motion are eliminated.

b/ Global signal: the purpose is to detect control rod movement by integrating the deformation effect on the power distribution, as shown by the blockage variations, regardless of its magnitude (large or small) and its sign (negative or positive). The calculation algorithm is as follows:

$G(t) = \sqrt{ \sum_{i=1}^{nb} \delta \Delta T_i(t)^2 / nb }$

with $\delta \Delta T_i(t)$ as defined in 3.1 and nb = number of assemblies.

The balance value of this signal is not zero. On UCRW, we consider only the fast change, which is the only significant one; the usable signal, or global UCRW signal, is therefore the raw signal cleared of its continuous component by digital filtering (ALPES uses a second-order Butterworth filter).
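The following added example (not the ALPES code) shows, in Python, the signal processing described in 5.2 and 5.5: a second-order Butterworth low-pass obtained by the bilinear transform at the 0.005 Hz cut-off quoted above, applied to constructed breeder readings with the 3.96°C fluctuation of the table in 5.2; the global signal G(t) and the rod signal $S_{UCRW}$; and the removal of the continuous component. The paper only says that a second-order Butterworth filter is used for that removal, so computing the fast component as "raw minus low-pass" and the priming of the filter with the first sample are assumptions of this example, as are all the numeric inputs.

```python
"""ALPES-style digital processing of core temperatures (added example).

Not the ALPES code: a second-order Butterworth low-pass (bilinear transform)
at the 0.005 Hz cut-off quoted in 5.2, the global signal G(t) and the rod
signal S_UCRW of 5.5, and DC removal done here as 'raw minus low-pass'
(an assumption; the paper only says a second-order Butterworth is used).
The sampling period is 1 s, as in the TRTC acquisition."""
import math
import random
from typing import List, Optional, Sequence


class Butterworth2:
    """Second-order Butterworth low-pass, direct form I, primed with the first sample."""

    def __init__(self, fc_hz: float, fs_hz: float = 1.0) -> None:
        k = math.tan(math.pi * fc_hz / fs_hz)          # pre-warped cut-off
        norm = 1.0 + math.sqrt(2.0) * k + k * k
        self.b0 = k * k / norm
        self.b1 = 2.0 * self.b0
        self.b2 = self.b0
        self.a1 = 2.0 * (k * k - 1.0) / norm
        self.a2 = (1.0 - math.sqrt(2.0) * k + k * k) / norm
        self.primed = False
        self.x1 = self.x2 = self.y1 = self.y2 = 0.0

    def step(self, x: float) -> float:
        if not self.primed:                        # avoid a start-up transient from zero
            self.x1 = self.x2 = self.y1 = self.y2 = x
            self.primed = True
        y = (self.b0 * x + self.b1 * self.x1 + self.b2 * self.x2
             - self.a1 * self.y1 - self.a2 * self.y2)
        self.x2, self.x1 = self.x1, x
        self.y2, self.y1 = self.y1, y
        return y

    def run(self, xs: Sequence[float]) -> List[float]:
        return [self.step(x) for x in xs]


def std(xs: Sequence[float]) -> float:
    m = sum(xs) / len(xs)
    return math.sqrt(sum((x - m) ** 2 for x in xs) / len(xs))


def noise_reduction(raw: Sequence[float], fc_hz: float = 0.005) -> float:
    """Ratio of filtered to raw standard deviation, the first 1000 s discarded."""
    filtered = Butterworth2(fc_hz).run(raw)
    return std(filtered[1000:]) / std(raw[1000:])


def global_signal(gaps: Sequence[float]) -> float:
    """G(t) = sqrt( sum_i delta dT_i(t)^2 / nb ) for one instant."""
    return math.sqrt(sum(g * g for g in gaps) / len(gaps))


def rod_signal(s_scp: float, s_ref: float) -> float:
    """S_UCRW = (S_SCP - S_REF) / S_REF."""
    return (s_scp - s_ref) / s_ref


def first_alarm(signal: Sequence[float], threshold: float, fc_hz: float = 0.005) -> Optional[int]:
    """Index of the first sample whose fast component (raw minus low-pass) reaches the threshold."""
    lp = Butterworth2(fc_hz)
    for i, x in enumerate(signal):
        if abs(x - lp.step(x)) >= threshold:
            return i
    return None


def constructed_breeder_readings(n: int = 4000, seed: int = 7) -> List[float]:
    """Constructed outlet readings: 455 C mean with the 3.96 C fluctuation quoted for breeders."""
    rng = random.Random(seed)
    return [455.0 + rng.gauss(0.0, 3.96) for _ in range(n)]


if __name__ == "__main__":
    print("filtered/raw std ratio:", round(noise_reduction(constructed_breeder_readings()), 3))
    g = [2.0] * 1200 + [2.5] * 300            # global signal with a sudden rise at t = 1200 s
    print("first alarm at t =", first_alarm(g, threshold=0.2))
```

With a white fluctuation the ratio of standard deviations after a 0.005 Hz low-pass is on the order of 0.1; the measured improvements in the table above (27% to 31%) are smaller because real fluctuations are not white and the detection criterion is applied on the filtered drift, not on the raw standard deviation. The DC-removal step shows why the continuous component must be cleared before thresholding: the constant 2.0 baseline produces a fast component of zero, and the rise to 2.5 is flagged on its first sample.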

6 - ALPES Performance Levels: Reactor Tests

The tests performed on SPX from September 1995 to December 1996, at power levels from 0 to 90% of rated power, were satisfactory:

- correct demonstrator performance, compatible with the industrial operation of a reactor, including during fast power level transitions,
- few failures,
- no unjustified alarms when rod movements corresponding to normal reactor operation occurred.

These tests also allowed validation of all of the calculations performed by ALPES against the identical calculations performed by TRTC or by CORA (figure 2).

Voluntary control rod insertion tests, intended to test the capacity of the demonstrator to detect such movements, were performed on SPX in December 1996 at power levels of 50 and 80% of rated power. It should be noted that these tests serve to qualify the detection algorithms whether for inserting or for withdrawing a control rod, as the phenomenology is symmetrical from one case to the other. These tests comprised successively and continuously inserting 4 control rods, leading to a known anti-reactivity insertion; 1 internal curtain rod and 3 external curtain rods were therefore inserted into the core.

Detection results for the rod insertion tests (row labels not recoverable):

                Int. row   External row        Int. row   External row
                B01        B07      B19        B01        B07      B10
                -23.4      -15.2    -25        -20.2      -14.1    -18.5
                18.6       19.3     25.1       21         22.3     27
                18         27       20         16         22       25
                -21        -20      -19        -16.9      -17      -14

Control rod motion detection was in all cases performed by the demonstrator, while the TRTC detection functions were not used for the insertions performed.

Figure 4: ALPES detection, rod signal; Figure 5: ALPES detection, global signal (figures: SPX at 80% Pn, rod B10 (external row) insertion; signal traces from 11:16:40 to 11:18:20)

For the tests performed on a low reactivity level core, therefore in conditions that are less favourable for detection, ALPES ensures this detection from 11 to 15 seconds before the first TRTC detection position.

7 - Prospects

Currently an ALPES type system may be considered qualified; additional tests are desirable to complete the performance level evaluation, especially on a core with a higher reactivity level. However, fail-safe qualification of the software used in ALPES is required before it can be installed on a reactor.

If this program was initiated and undertaken on a fast breeder reactor, this is mainly due to the opportunity presented by the FBR program that existed in France. However, the principle of surveillance and protection using digital temperature signal processing can be applied to any type of reactor where a significant operating temperature signal level is available. This is the case for RBMK and VVER reactors and probably for BWR (or ABWR) reactors too.

8 - Conclusions

The improvement in the performance of reactor core surveillance and protection systems is linked more to improvements in signal processing than to the availability of new sensors, although improvements may also occur in that area. The appearance of computer systems dedicated to surveillance and/or protection is a virtual certainty, where it has not already happened (refer to CANDU type reactors). This approach was undertaken in France from the start of design work on fast breeder reactors and especially for Superphenix. The development and the tests performed, especially those described above, show the validity of this concept as well as the potential that can be expected.

References:

[1] D. LETEINTURIER (CEA), B. BERNARDIN (CEA), M. BLANC (FRAMATOME), M. PAULIN (EDF/SEPTEN), "Measurement of core thermal-hydraulic characteristics", Nuclear Science and Engineering 106, 47-54 (1990).

[2] J.P. PAGES (CEA), G. FRANCOIS (FRAMATOME), R. VIDARD (EDF/SEPTEN), "Coolant mixing phenomena influencing measurements of core coolant temperature rises", Nuclear Science and Engineering 106, 47-54 (1990).

[3] A. LEBRUN, J.P. TRAPP, "Anomaly detection of the radial power distribution by temperature signal processing", IMORN, Piestany (Slovakia), 1996.

[4] A. LEBRUN, J.P. TRAPP (CEA/DER), S. SALA (CNPE Creys-Malville), "ALPES, a demonstrator for on-line temperature visualizing and processing", Specialists' meeting on In-core instrumentation and reactor core assessment, Mito (Japan), 1996.

XA9846495

GUARDS: AN APPROACH FOR SAFETY-RELATED SYSTEMS USING COTS. EXAMPLE OF MMI AND REACTOR AUTOMATION IN NUCLEAR SUBMARINE APPLICATION

M. BRUN Technicatome Aix-en Provence, France

Abstract

For at least 10 years, the nuclear industry has designed and licensed specific digital safety-critical systems (IEC 1226 class A). One key issue for future programs is to design and license safety-related systems that provide more complex functions and use Commercial-Off-The-Shelf components.

This issue is especially raised for reactor automation and the Man-Machine Interface. The usual I&C (Instrumentation & Control) organisation for these functions is based on redundancy between a commercial, up-to-date, unclassified « normal » system and a simplified classified « back-up » system using traditional technologies. It clearly appears that such an organisation is not satisfying from the point of view of the people who actually have to operate these systems: the operator is supposed not to trust the normal system and to rely on the back-up system, which is less helpful and which he uses very little.

This paper presents a new approach to that problem using COTS components in the low-level layers, safety architecture and mechanisms at the medium-level layer (the GUARDS architecture developed in the current ESPRIT project n° 20716), and a pre-validated functional layer. The aim of this solution is to comply with the « future » IEC 1226 class B requirements at lower overall cost (design, implementation, licensing, long term confidence). This approach is illustrated by its application to the Man-Machine Interface (MMI) for our future nuclear submarine program.

1. BACKGROUND

At the beginning of the '80s the industry of safety-critical processes (avionics, nuclear, railways, ...) introduced digital technology into I&C. Specific proprietary solutions were developed and licensing standards were issued (IEC 880, DO 178, ...). Today, these solutions are qualified and full authority safety-critical systems are in service. For licensing constraints the strategy is: « We do all we can to develop these systems with very high quality standards and to keep them as simple as possible ».

Meanwhile, a less stringent effort has been made for other systems (automation, regulation, MMI, ...) to define the reasonable level of constraints in the validation/licensing process. However, these "safety-related" systems are actually strongly involved in plant safety (this is especially true for submarine applications, where the reactor-shutdown state is not actually "safe" from the point of view of platform safety).

During the '80s the classical approach consisted in using a state-of-the-art unclassified commercial system backed up by simpler classified systems based on traditional technologies. However, this approach leads to complex issues concerning (i) the consistency between the primary and backup systems and (ii) the discontinuities in the operator's thought process if the primary system fails.

It is obviously not satisfying to have, on the one hand, a « normal system » that is very helpful for the operator but on which he cannot rely because of its complexity and low level of guaranteed dependability, and on the other hand a back-up system that is very simple, using traditional technologies, on which the operator is supposed to rely, but that is less helpful and that he never uses. Consequently, our future program will be based on the following strategy:

"The system the operator usually uses is the system in which he can trust, and therefore the system that must be demonstrated to be actually dependable."

Hence, the primary system must be classified at a high level (for instance level B). In that case, if a back-up system exists (due to defence-in-depth considerations), it can be classified at a lower level.

2. A "REASONABLE INTRODUCTION" OF COTS

For some years there has been a trend to avoid specific designs and adopt « off-the-shelf » solutions, for obvious considerations of cost and long term perenniality. But for safety-related systems, using high level COTS products (such as an industrial PLD or MMI system) usually makes it difficult to reach a "sufficient" confidence level in the final system. Moreover, these industrial systems evolve towards ever increasing complexity, to cope with market objectives. Hence, if the designer uses a high level industrial product, the effort to demonstrate and maintain confidence over the long term, particularly compliance with the (future) IEC880 class B requirements, could lead to unacceptable long term costs.

To answer these problems usually encountered by designers, an alternative approach could be to:

• limit the functionalities of the system to what fulfils the "reasonable" needs of the application (and not what is commercially available, even at low initial cost); in this approach we limit the overall complexity of the system;
• limit the specific parts of the system (i.e. the non-COTS part) to the "minimum reasonable", so as to get the low costs and long term perenniality of industrial COTS while keeping specific parts qualified by years of use on reactors.

For our future programs, we plan to introduce COTS only in the low level layers (standard boards, busses, firmware, ...) compliant with de facto standards (such as VME, POSIX, ...) while re-using the existing application functional layers. These functional layers obviously have less functionality than current state-of-the-art industrial products, but this functionality fulfils the needs of reactor operation.

This approach tries to keep the system complexity as low as possible, to achieve the dependability objectives, and meanwhile to introduce standard COTS to achieve the cost objectives.

Even with that "limited" approach to COTS introduction, some technical problems remain. COTS components, even in the low level layers, generally cannot be certified through the IEC standards approach, since their design and validation process is unknown. The GUARDS project described hereafter aims at helping the validation process of such systems by providing an architecture and mechanisms "on top" of the COTS low level layers to deal with:

• redundancy management / synchronisation
• firewalling (temporal and spatial)
• schedulability analysis

3. THE GUARDS PROJECT

3.1 Objectives

The overall objective of the GUARDS project is to design an architecture for safety-critical and safety-related real-time systems providing:

• Genericity: to allow the architecture to be instantiated in various industrial domains by using reusable hardware and software components;
• Dependability: to substantiate the confidence one can place in the resulting systems;
• Real-time: to support systems characterised by hard timing and scheduling constraints;
• Validation: to ease demonstration of the expected properties;
• Certification: to comply with emerging standards.

To achieve this goal GUARDS provides a consistent set of methods, techniques and tools.

3.2 Organisation

The GUARDS project is developed in the framework of the European Community ESPRIT project. The GUARDS consortium includes 8 partners. Three major industrial companies (end-users) in the space, railways and nuclear fields lead the project. A careful specification of their needs forms the basis from which appropriate mechanisms and architecture are identified and studied by the academic partners. These mechanisms are then refined into hardware and software components developed by the three end-users, with the support of the technology providers' expertise and tools.

• End-users:
- Technicatome, Aix-en-Provence (France)
- Matra Marconi Space, Toulouse (France)
- Ansaldo Trasporti, Genova (Italy)
• Technology providers:
- Intecs Sistemi, Pisa (Italy)
- Siemens AG Österreich, Wien (Austria)
• Academics:
- LAAS-CNRS, Toulouse (France)
- PDCC, Pisa (Italy)
- University of York, York (UK)
- University of Ulm (subcontractor of Technicatome)

3.3 Generic architecture

To fulfil the various requirements of the three end users and in particular to be able to tolerate both physical and design faults, the GUARDS architecture is structured around three main dimensions : Channel redundancy, multiplicity inside a channel, Software Integrity level inside each CPU. - 68 -

The channel dimension C provides primary fault containment regions, and is designed to take into account carefully identified fault models (including the so-called Byzantine faults). According to the number of channels, several kinds of GUARDS instances may be envisaged. For example:

• Two-channel instances can be used to implement the classic duplication-and-comparison scheme, in order to ensure safety. • Three-channel instances can be used to implement the well-known Triple Modular Redundancy scheme, in order to improve reliability or availability without degrading safety. • Four-channel instances can provide additional flexibility, by widening the spectrum of applicable interactive consistency algorithms.

The multiplicity dimension M defines secondary fault containment regions, by decomposing each channel into several independent processor boards, which can then be used to improve either availability or fault diagnosis capabilities of the channel. The multiplicity dimension can also be used to improve performance (through parallel processing), or to implement COTS diversification.

The integrity dimension I prevents the propagation of errors from low-level integrity software to high-level integrity software. This dimension allows high critical and low critical softwares to share the same processor, without forcing the low critical part to be validated as if it were highly critical (solution commonly used, but not very cost effective).

The whole generic architecture is shown below, where the shaded boxes mark the GUARDS-specific components which may need some specialised non-COTS hardware.

3.4 Components

To host an end-user application, an instance of the architecture is supported by a set of GUARDS components implementing the needed dependability mechanisms.

The clock synchronisation component allows the different channels to be tightly synchronised.

The Inter-Channel Network (ICN) manager component executes the inter-channel exchange protocols (the Byzantine Agreement protocol, where one channel broadcasts its private value, and the Interactive Consistency protocol, where each channel broadcasts its private value). These protocols are able to tolerate arbitrary faults even in a three-channel instance, by using authenticated messages.

The ICN manager also performs the fault diagnosis and fault passivation activities at the inter-channel level. For example, in an instance of 3 or more channels, the fault diagnosis algorithm is decomposed into two phases: an accumulation phase, where detected errors are locally collected by each channel, and a consolidation phase, where the accumulated error statuses are exchanged across channels in order to reach a global consensus. It ensures correctness (no non-faulty channel is diagnosed as faulty) but not completeness (some Byzantine faults are demonstrably undiagnosable).

The fault passivation algorithm is decomposed into two steps: isolation and then, if necessary, switch-off. First, isolation orders are sent by each non-faulty channel through the ICN and executed by the faulty channel as soon as it receives such orders from at least two different remote channels. Second, if the isolation fails because of a "too faulty" channel unable to isolate itself, switch-off orders are sent through dedicated hardware links and cause the faulty channel to be unconditionally powered off.

The output data consolidation component consolidates the individual outputs of the different channels. This component is designed in a way that ensures its independence from the end-users' field-specific outputs. In case of a detected false command, the corresponding channel is immediately passivated.
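The following Python simulation is an added illustration of the channel-level mechanisms described in sections 3.3 and 3.4 (the duplication-and-comparison and TMR voting of the channel dimension, the two-phase diagnosis and two-step passivation of the ICN manager, and the output consolidation that passivates a channel issuing false commands). It is not code from the GUARDS project or from this paper: the error threshold, the output values, the per-channel "can isolate" flag and the scenario in simulate() are constructed assumptions, and the authenticated message exchange of the real ICN is abstracted to direct bookkeeping.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

SAFE_OUTPUT = "TRIP"     # constructed: fail-safe value delivered when no majority exists
ERROR_THRESHOLD = 3      # constructed: dissents a channel may accumulate before it is accused
ISOLATION_QUORUM = 2     # from the paper: isolation orders from at least two remote channels


@dataclass
class Channel:
    cid: int
    can_isolate: bool = True                  # False models a "too faulty" channel (assumption)
    isolated: bool = False
    powered: bool = True
    local_errors: Counter = field(default_factory=Counter)   # accumulation phase, per accused id
    isolation_orders: Set[int] = field(default_factory=set)  # senders of orders received so far

    def active(self) -> bool:
        return self.powered and not self.isolated


def consolidate_outputs(outputs: Dict[int, str]) -> Tuple[str, List[int]]:
    """Output data consolidation: a strict majority wins and dissenters are reported.
    Two channels: duplication-and-comparison (mismatch -> safe state). Three: TMR."""
    if not outputs:
        return SAFE_OUTPUT, []
    value, votes = Counter(outputs.values()).most_common(1)[0]
    if votes * 2 <= len(outputs):             # no strict majority (covers the 1-vs-1 case)
        return SAFE_OUTPUT, []
    return value, sorted(c for c, v in outputs.items() if v != value)


def accumulate(channels: Dict[int, Channel], dissenting: List[int]) -> None:
    """Accumulation phase: each active channel records the errors it detected in others."""
    for ch in channels.values():
        if ch.active():
            for d in dissenting:
                if d != ch.cid:
                    ch.local_errors[d] += 1


def consolidate_diagnosis(channels: Dict[int, Channel]) -> Set[int]:
    """Consolidation phase: error statuses are exchanged; a channel is declared faulty only
    when at least ISOLATION_QUORUM distinct active channels accuse it. This yields
    correctness (one faulty accuser cannot condemn a healthy channel), not completeness."""
    accusers: Counter = Counter()
    for ch in channels.values():
        if ch.active():
            for target, count in ch.local_errors.items():
                if count >= ERROR_THRESHOLD:
                    accusers[target] += 1
    return {t for t, n in accusers.items() if n >= ISOLATION_QUORUM}


def passivate(channels: Dict[int, Channel], faulty: Set[int]) -> None:
    """Passivation: isolation orders over the ICN, executed by the target once it holds
    orders from ISOLATION_QUORUM different remote channels; if the target cannot isolate
    itself, the switch-off order over the dedicated hardware link powers it off."""
    for t in faulty:
        target = channels[t]
        if not target.active():
            continue                          # already passivated
        for ch in channels.values():
            if ch.active() and ch.cid != t:
                target.isolation_orders.add(ch.cid)
        if len(target.isolation_orders) < ISOLATION_QUORUM:
            continue                          # not enough independent orders yet
        if target.can_isolate:
            target.isolated = True
        else:
            target.powered = False


def run_cycle(channels: Dict[int, Channel], raw_outputs: Dict[int, str]) -> str:
    """One application cycle: vote, accumulate, diagnose, passivate; returns the voted output."""
    outputs = {c: v for c, v in raw_outputs.items() if channels[c].active()}
    value, dissenting = consolidate_outputs(outputs)
    accumulate(channels, dissenting)
    passivate(channels, consolidate_diagnosis(channels))
    return value


def simulate(can_isolate: bool = True, cycles: int = 4) -> Tuple[Dict[int, Channel], List[str]]:
    """Constructed scenario: a three-channel instance in which channel 2 computes a wrong
    output every cycle. Channels 0 and 1 accumulate its errors, agree it is faulty after
    ERROR_THRESHOLD cycles and passivate it; the instance then continues as a two-channel
    duplication-and-comparison pair, so the voted output never leaves the safe majority."""
    channels = {i: Channel(i) for i in range(3)}
    channels[2].can_isolate = can_isolate
    voted = []
    for _ in range(cycles):
        voted.append(run_cycle(channels, {0: "RUN", 1: "RUN", 2: "SPURIOUS"}))
    return channels, voted
```

The quorum of two accusers is what gives the diagnosis its correctness property: a single faulty channel can flood its own error counters, but it cannot on its own bring a healthy channel to the isolation threshold, and a channel never accuses itself. Incompleteness is equally visible: a channel that only ever dissents ERROR_THRESHOLD - 1 times per consolidation window is never passivated, which is why the paper pairs diagnosis with intermittent-error filtering.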

The multi-level integrity component manages the different integrity levels. It ensures that no information can flow from low-integrity levels to high-integrity levels, except through special validation procedures (used to solve the issue of the progressive degradation of the integrity level of data). It also supports spatial, temporal and access firewalling: spatial firewalling is implemented by a Memory Management Unit and ensures that no illegal read/write access occurs in memory; temporal and access firewalling are implemented by budget timers and capability checks and ensure that low-integrity software cannot prevent high-integrity software from being scheduled or from accessing a shared resource.
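As an added example of the information-flow rule the multi-level integrity component enforces (no flow from low to high integrity, derived data inheriting the lowest integrity of its inputs, and a validation procedure as the only sanctioned upward path), the following Python model is not part of GUARDS or of this paper. The two-level lattice, the Datum type, the plausibility range used by the validator and the temperature scenario are all constructed assumptions; the real component works at the MMU and scheduler level, not on tagged values.

```python
from dataclasses import dataclass
from typing import Callable, Sequence

HIGH, LOW = 2, 1   # constructed integrity levels: larger value = higher integrity


class IntegrityViolation(Exception):
    """Raised when a flow from a lower to a higher integrity level is attempted."""


@dataclass(frozen=True)
class Datum:
    value: float
    level: int     # integrity level the datum currently carries


def consume(task_level: int, d: Datum) -> float:
    """A task may consume a datum only if the datum is at least as trustworthy as the task.
    Downward flows (high-integrity data into a low-integrity task) are always permitted."""
    if d.level < task_level:
        raise IntegrityViolation(
            f"level-{task_level} task must not read level-{d.level} data")
    return d.value


def derive(inputs: Sequence[Datum], fn: Callable[..., float]) -> Datum:
    """Derived data carries the lowest integrity of anything it depends on. This is the
    progressive degradation the paper mentions: every mixed computation drags its result
    down to the weakest input, so high-integrity software soon has nothing it may read."""
    return Datum(fn(*(d.value for d in inputs)), min(d.level for d in inputs))


def validate(d: Datum, check: Callable[[float], bool], target_level: int) -> Datum:
    """The special validation procedure: the only sanctioned upward path. A check owned
    by the high-integrity side (here a constructed plausibility range) decides whether
    the value may be relabelled; on failure the datum keeps its level."""
    if d.level >= target_level:
        return d
    if not check(d.value):
        raise IntegrityViolation("plausibility check failed; datum keeps its level")
    return Datum(d.value, target_level)


def plausible_temperature(v: float) -> bool:
    """Constructed range check standing in for a real validation procedure."""
    return 0.0 <= v <= 400.0


def trip_decision(raw_temp: Datum, display_smoothed: Datum, limit: float = 300.0) -> bool:
    """Constructed scenario: a HIGH-integrity protection task wants the smoothed
    temperature already computed by LOW-integrity display software. It may use the value
    only after validation; the raw high-integrity measurement needs no such step."""
    checked = validate(display_smoothed, plausible_temperature, HIGH)
    return max(consume(HIGH, raw_temp), consume(HIGH, checked)) > limit
```

The point of the model is the asymmetry: consume() refuses an upward flow outright, derive() labels honestly so that the refusal cannot be bypassed by wrapping the low value in a computation, and validate() is the single, auditable place where the high-integrity side takes responsibility for a value it did not produce.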

Other components support the multiplicity dimension (error detection and recovery at the intra-channel level, real-time scheduling of the different software tasks inside each channel), filter the intermittent errors (both at the inter and the intra-channel levels) and manage the Input / Output devices.

4. CONCLUSION

For at least 10 years it has been obvious that digital technology is cost-effective and improves safety in safety-critical systems (IEC 1226 class A), assuming a stringent effort to keep the design simple, and assuming a high level of quality in design, testing, qualification and licensing.

But the safety of the plant always involves more than safety-critical I&C. That is why safety-related systems (IEC 1226 class B or C) are more and more involved in the qualification/licensing process. All nuclear designers have to face this problem, but it is especially true for shipborne reactors, since power availability is a key factor for platform safety.

The usual approach to this problem is to use a simplified and classified system as a back-up of the normal, state-of-the-art unclassified (or low-classified) system. This is not satisfactory from the point of view of human factors management.

The approach we promote is to consider that the "normal system" (and often the only system) for automating and monitoring the plant must be kept as simple as possible, even if it does not offer state-of-the-art functionality in process automation and monitoring. This allows, with a reasonable effort in the validation process, a justified confidence in its qualification to class B requirements to be obtained.

The consequence of such a choice is to reduce the chance of finding on the open market an industrial off-the-shelf system that can be licensed for such an application. The answer we propose combines:

• COTS components at the low-level layers, to obtain the hardware costs and long-term availability of the open market. This layer evolves at market rate, but remains compliant with de-facto standards (e.g. VME, POSIX, ...).
• The GUARDS architecture and mechanisms at the medium-level layer, aimed at supporting the demonstration of compliance with the non-functional requirements of the system (safety, availability, real-time, ...).
• Specific pre-validated software at the functional layer, kept as simple as possible and qualified by years of experience on reactors. This layer evolves only when an actual need appears, and does not follow the rush to more and more functionality.

5. REFERENCES

- All references about the GUARDS project are accessible at: http://www.cs.york.ac.uk/~rts/ljerka/guards.html

- Some parts of the current communication are derived from a communication of C. Rabejac and H. Schindler (Matra Marconi Space) at DASIA '97

XA9846496

REFURBISHMENT OF THE REACTOR PROTECTION SYSTEM AT PAKS NPP. THE REFURBISHMENT PROCESS

T. TURI, B. KATICS
Paks Nuclear Power Plant Ltd.
Paks, Hungary

Abstract

The Reactor Protection System Refurbishment Project had an extensive preparation period in Paks, which started in 1992. During this preparation a large volume of basic engineering tasks was performed, and as a result a contract for the implementation of a three-train digital RPS on the four Units was concluded with Siemens in September 1996. According to that contract, the first refurbished Unit will be commissioned in 1999, followed by a further Unit in each succeeding year. This paper introduces the process of the refurbishment, gives an overview of the V&V activities, introduces the architecture, summarises the main design principles and outlines the additional tasks to be performed together with the RPS design.

1. STRUCTURE OF THE PROJECT DOCUMENTATION

Already in the first invitation for bids issued in 1993 it was a basic requirement for the Supplier to comply with the regulations of the ISO 9000 Standards. In order that our Project can also meet these requirements, the documentation had to be structured accordingly. (See Figure 1.). The rules, procedures and instructions obligatory for each organisation of the NPP are the highest level documents. The second level is the Development Plan and the QA Plan required by ISO 9000 and the lowest level includes the Technical, QA, Investment and Authority documents.

Technical and functional documents

This package includes the technical requirements, functional requirements, the analyses and the design documents produced by the Supplier.

The technical requirements include some general guidelines formulating the basic principles and summing up obligatory rules or standards. The detailed technical requirements formulate the features that can be demanded item by item. Such features are e.g.: Accuracy, Dependability, Response time, Environment Resistance, Security Requirements, Man-Machine Interface, Location, etc.

Another large group is the set of functional requirements. Beside natural language description of the functions, the protection tasks were formulated on high-level logic diagrams using formal tools. The high-level logic design was complemented with the I/O database of the system.

The Development Plan requires the supplier to produce a large volume of technical documentation. The structure of this documentation follows the top-down approach of the Development Plan and contains the conceptual and detailed design documents. The conceptual level contains the high-level technical plan of the new RPS. It includes the system, subsystem and module level descriptions on both the HW and the SW side. The different types of HW and SW solutions are designed in these documents, too. During the detailed design these typical solutions are adapted to the specific needs.

The technical documentation package comprises the different technical analyses as well. They represent the establishment of functional modifications, functional diversity analyses, the analysis of the changes in the I&C structure, the deterministic analysis of the architecture defined in the specification as well as the dependability analyses.

Figure 1. Structure of the project documentation (figure not reproduced; only its labels survive): PA Rt level procedures and RPS RP constitutional procedures at the top level; the QA Plan and the Development Plan at the second level; Technical, Investment, QA and Licence Documents at the lowest level, where the technical documents comprise the Supplier documents, functional requirements, technical requirements and analyses, the QA documents comprise the V&V Plan, V&V programs and procedures, and the investment documents comprise the investment program, time schedules and contracts.

QA documents

In accordance with the requirements of the ISO 9000 Standards, the QA Plan is a document of great importance managing all the other documents, thus it is not part of this package. All the other QA related documents, like the V&V Plan, the V&V programs, the different procedures and the reports are included in this package.

Investment documents

The investment documents include the investment program for project implementation, the commercial requirements of the invitations for bids and the different contracts. They include also work planning dealing with implementation constraints as well as scheduling and logistics.

Authority related documents

The large scope and significance of the refurbishment requires continuous co-operation with the nuclear authority beyond the usual correspondence. The licence documents include the different licence applications, correspondence and licences, as well as the memorandums and minutes of meetings produced during official contacts with the Nuclear Safety Inspectorate (NSI).

When compiling a major technical document package such as application for a licence to be submitted to the authority, the package is compiled by selecting the required technical or quality documents from the above document structure.

2. LIFE CYCLE MODEL

The logic connections between the individual refurbishment activities are represented in the Life Cycle Model. The IEC 880 Standard concerning safety software was specified as a basic requirement for the organisations involved in the refurbishment. This standard defines a Life Cycle Model for safety computer system development and implementation, but that Model does not consider the conventional I&C interfaces, that is the environment surrounding the digital system. Considering that the software-based system is to be implemented in the environment of an operating power plant, great emphasis is placed on the existing and remaining I&C environment. To ensure that, the Life Cycle Model shown in IEC 880 was complemented with a branch of activities concerning the upgrade and adjustment of the connected equipment and I&C circuits (see Fig. 2).

For each of these activities we defined V&V requirements similar to those set forth by the Standard for the tasks of the computer hardware and software branches. The Life Cycle Model shown in Fig. 2 is just an outline. The detailed model is included in the continually updated Development Plan.

Before the start of each phase the tasks belonging to the given phase are to be defined. After updating the Development Plan, the Verification programs for the individual steps and tasks, as well as the validation programs for the phase are to be developed.

The Development Plan is probably the most important document supporting the project management. It divides the activities of the refurbishment process into the following hierarchic categories:

=> Phases
=> Steps
=> Tasks

For each of the tasks it defines

=> the input documents, the conditions for the commencement of the activity,
=> the tasks to be performed, the rules of performing the work,
=> the expected output and
=> the organisation responsible for performance of the work.

Figure 2. Life Cycle Model (figure not reproduced; the task structure is recoverable from its labels). Inputs: the demands of users, corporate, national and international regulations, and the outputs and proposals of the Foundation Phase. Phase 1, Preparation: System Requirements (1/1), System Specification (1/2). Phase 2, Design and Manufacturing, in three parallel branches: Conventional I&C (Requirements 2/01, Design 2/02, Manufacture/Procurement 2/03), Computer Hardware (Requirements 2/04, Design 2/05, Manufacture 2/06) and Software (Requirements 2/07, Design 2/08, Coding 2/09), followed by System Analysis (2/12), Computer System Integration (2/10) and Factory Acceptance Test (2/11). Phase 3, Installation: On-Site Installation (3/01), System Installation and Integration (3/02), System and I/O Test / Site Acceptance Test (3/03). Finally Pilot Run and Operation.

Certainly it has to be taken into consideration that the activities of the three branches can be performed relatively independently, i.e. the Model is not a time schedule. The schedules are defined according to the logic connections of the life cycle, considering an optimum solution for the implementation. The V&V Plan and the time schedules refer to the identification code and definition of the different tasks given in the Development Plan.

3. THE VERIFICATION AND VALIDATION PLAN

This document regulates the technical review tasks as part of a QA system comprising the whole process of the refurbishment. On the one hand the refurbishment process, and on the other hand the product (design, equipment, system) produced during and after the fulfilment of the individual phases of the refurbishment, are to be controlled.

Consequently, the control activities are divided into two groups, verification and validation activities. In order to ensure the traceability of the refurbishment, the process is divided into phases, the phases into steps and the steps are further divided into tasks in the Development Plan. Verification is the review of outputs from the tasks against the inputs to the task. Validation is the control of the results of the individual steps, phases and the whole process against the input requirements defined at the beginning of the controlled period. The V&V tasks are defined at two levels in the following documents:

1. The Verification and Validation Plan (this document), defining the general conditions for the control activities.
2. The detailed verification or validation programs for the activities required by the V&V Plan.

The V&V Plan defines:
=> the planning of control activities according to the life cycle
=> the V&V requirements for the Supplier
=> the V&V activities and requirements independent of the Supplier (RPS RP)
=> the requirements for the content of the V&V programs
=> the requirements for documentation.

The detailed verification and validation programs are the documents that regulate the details of the verification and validation requirements. The V&V programs are developed by the organisation responsible for the review, according to the conditions defined in the V&V Plan. The V&V program is to be developed and approved by the start of the review at the latest. The Verification and Validation Plan comprises the entire life cycle of the refurbishment. The V&V Plan is to be reviewed after the fulfilment of the individual phases and updated in case of need.

4. ARCHITECTURE, DESIGN PRINCIPLES

Digital automation techniques have undergone significant development during recent decades. State-of-the-art, high processing capacity process control systems facilitate the application of sophisticated algorithms for PIE identification. Utilising the possibilities offered by the new techniques, we plan to implement an integrated protection system in such a way that, besides changing the I&C technology, we modify not only the system architecture but also its functionality. A further condition for the integration of autonomous systems is the application of qualified and reliable sensors and transmitters. During the design and implementation of the new protection system all the classic safety requirements shall be adhered to. We make all efforts to ensure a high-level and documented check-back of compliance with the principles expressed in the requirements.

The structure of the planned architecture is shown in Fig. 3. The consistently triplicated redundancy structure ensures the fulfilment of the single failure criterion. The emergency reactor trip and emergency core cooling system functions require almost the same input signal interfaces in the integrated system, which facilitates a significant reduction in the number of sensors. The use of state-of-the-art digital technology with large processing capacity makes it possible to refine the different functions and to sequence the EP and the ECCS actuation consistently.

Figure 3. Structure of the planned architecture (figure not reproduced; legend recovered): the controlled process feeds the trains; RED: redundancy with 2-out-of-3 (2v3) voting; DIV a, b: diverse processing "a" and "b"; RPL: Reactor Protection Logic; IPL: Integrated Protection Logic; EP actuator control and EP actuators. Link types: point-to-point individual wired link; multiplexed optical link; process connection (point-to-point individual wired link or multiplexed communication link); physical separation between the trains.

The architecture of safety automatics is supposed to be the simplest possible, i.e. the number of active elements in the signal flow from the sensors to the actuators should be minimal. Except for connections within a train, all connections are to be reaction-free. The system structure within each train shall follow the allocation of functions introduced for the sake of functional diversity.

Simplicity

The simplicity of structure means transparency, which in itself reduces the probability of design errors, simplifies system knowledge and troubleshooting as well as system surveillance and testing. In order to achieve simplicity, during the evaluation priority was given to systems with a minimum number of serial elements. A modular structure was favoured.

The principle of simplicity implies the minimisation of the non-safety functions implemented by the new RPS, as far as possible and reasonable.

Fault tolerance, fail-safe features

The system is regarded as fault tolerant, if the failures considered do not result in the loss of safety functions. The term fail-safe feature means that failures move the output status to a safe position. These characteristics must be considered during the system design.

Protection against common cause failures

To avoid common cause failures with high probability the following solutions are to be used:

=> Physical separation between the independent subsystems (trains)
=> The use of type-tested, qualified hardware and software components
=> The use of functional and physical diversity.

Access to the RPS trains is to be restricted physically and administratively. Visible and comprehensible identification of the RPS trains is to be ensured.

Diversity

The principle of diversity is to be applied to the extent justified by safety aspects. The applied technology and techniques are closely related to the scope and method of diversity. In our opinion functional diversity is of primary importance, therefore we defined the requirement that each PIE to initiate reactor shutdown shall be detected through at least two physically independent parameters. The implementation of physical diversity for nuclear event detection is set as an objective.

Testability, cyclic tests

The Protection System shall test itself and its environment during operation to detect potential failures. If the self-test detects a failure, a signal must be sent to the operator via the Safety Monitoring System and the outputs must be moved to the predefined safe position. Cyclic tests shall be performed for the whole system to detect failures undetectable by automatic self-tests. These tests shall be run and documented automatically upon manual start. Automatic testing, its documentation and the evaluation support facility shall be part of the system. The cycle time to be specified for the cyclic tests shall be defined by the dependability analysis. If a protection signal flow is tested in several steps, appropriate overlapping of the partial tests shall be ensured.

Verification and Validation

The demonstration that the system behaviour and the operation of the implemented functions comply with the specification is important not only for the operator but also for the licensing authority. On the one hand it is to be demonstrated with high reliability that the new RPS fulfils the specified functions and only those, and that it fully complies with the technical requirements.

Considering that full-scope testing theoretically cannot demonstrate the exact compliance of the programmed components with the specification, special attention is to be given to QA and V&V during software development. Thus the regulations of ISO 9000, IEC 880 and IEC 987 are set as a minimum requirement.

5. ADDITIONAL TASKS

Full-scope simulator

Since 1988 the NPP has had a full-scope training simulator equipped with the exact duplicate of the main control room. That feature of the simulator is to be utilised within the reactor protection system refurbishment project.

Figure 4. Upgraded Unit Information System and its connection to the simulator (figure not reproduced). Legend: logic connection; I/O signals; n x RS232 link; Ethernet TCP/IP link; SINEC L2 link; internal computer connections.

The upgrade of the full-scope simulator adjusted to the safety I&C system refurbishment provides several advantages:

=> Training for the NPP personnel is to be ensured at least half a year prior to implementation on the first Unit.
=> It is practical to utilise the fact that the full-scope simulator facilitates the validation of the new system in realistic operational situations.

It is also to be noted that the existing simulator needs to be upgraded anyway, since it cannot follow the changes and modifications on the Units due to lack of capacity. The structure of the upgraded simulator and its connection to the Representative Configuration of the new RPS is shown in Figure 4.

Unit information system

The existing process information system receives large quantities of binary signals from the safety I&C systems. This information supply will cease to exist after the safety system refurbishment, but new binary and analogue signals are to be provided via communication. The Unit information system is regarded as obsolete both in processing speed and in forms of display, therefore its upgrade is due anyway, so it is practical to perform the upgrade in conformity with the RPS refurbishment. The connection is to be made via duplicated Gateways as shown in Fig. 5.

Figure 5. The three RPS trains (X, Y, W) connected to the information network through duplicated gateways (figure not reproduced).


Session 2:

Software Reliability Issues


XA9846497

GOVERNING OF COMMON CAUSE FAILURES

H-W. BOCK
Siemens/KWU NLL
Erlangen, Germany

Abstract

The agreed strategy is to govern common cause failures by the application of diversity, to assure that the overall plant safety objectives are met even in the case that a common cause failure of a system with all redundant trains is assumed. The presented strategy aims at the application of functional diversity without the implementation of equipment diversity. The focus is on the design criteria which have to be met in the design of independent systems, such that a time-correlated failure of these independent systems due to a common cause can be excluded deterministically.

1 Introduction

The design of safety systems, of mechanical process systems as well as of I&C systems, has from the beginning of the development of nuclear power plants been characterised by the requirement of failure tolerance. A proven design principle is the application of redundancy, to fulfil the required safety functions even in case of a failure of one of the redundant subsystems including consequential failures (Single Failure Criterion). Additionally it is an established requirement (e.g. in the German KTA 3501) to consider a potential design fault in the definition of the I&C safety functions, such that generally for each design basis accident two physically diverse initiation criteria should be implemented in the I&C safety system.

Common cause failures generally originate in unknown design faults, which cause a malfunction of redundant but identical subsystems under a specific loading. The other general failure possibility, that random hardware faults accumulate in a hidden way in redundant subsystems and lead to total system failure on demand, has proven to be irrelevant for carefully maintained safety systems and is not the subject of this paper.

Since the start of the introduction of digital I&C systems for safety-relevant functions, the focus has been on the development of strategies to overcome the problems of common cause failures. While accepting the severe safety importance of undetected design errors, which may be the potential cause of a common failure of redundant safety systems to fulfil their intended functions, one may sometimes get the impression from present discussions that the common cause failure problem is typical of digital I&C systems.

Design faults originate in the design process. It is the experience from the operation of redundant systems that hidden design faults generally become evident under specific random loadings. The experience from the operation of non-redundant industrial digital systems does not help, because often we cannot distinguish between a systematic failure and a random component failure in case of a system malfunction.

The probability that a system contains inherent unknown design faults generally cannot be quantified. What is decisive is the quality of the design process, and therefore the weak points correlated with the technology of the target system have to be reflected in the design process. The experience from the occurrence of malfunctions of systems built with other technologies or for other applications gives no quantitative information which can be used for statistical purposes.

2 The Three Level Strategy

To govern the problem of "Common Cause Failure" (CCF) of I&C safety systems, Siemens/KWU has developed the "Three Level Strategy". The three levels form different defence-in-depth design barriers, which include the I&C system development, the design of the overall I&C systems architecture as well as the design of individual I&C systems. Thus the global plant safety objectives are met even if the occurrence of common cause failures is assumed.

The analysis of failures of redundant systems always leads to an erroneous specification of the intended functions, an erroneous design of software or hardware modules, or faults in the manufacturing process of I&C systems. However, such occurrences are rather improbable and the causes change with the I&C technology. Therefore probabilistic approaches are generally not feasible to manage the CCF problem.

The strategy that has been developed by Siemens/KWU in parallel with the development of the TELEPERM XS system comprises three design levels to govern the CCF problem (figure 1).

Figure 1. TELEPERM XS: The Three Level Strategy (figure not reproduced; its content is recoverable from the labels). Level 1, overall architecture and design of independent I&C safety systems (IAEA Code of Design, IAEA SG D1, KTA 3501, IEC 1226, draft IEC 1513 (5)): identification and categorisation of safety functions to ensure the overall safety objectives; design of independent systems with assigned safety functions (including defence in depth); independent systems are characterised by specific, independently effective safety functions (functional diversity), specific measurements to ensure permanently different data trajectories, and no communication between the independent systems. Level 2, design of the individual I&C safety system (IAEA SG D3, D8, KTA 3501, draft IEC 1513 (6), IEC 880): design to meet the "Single Failure Criterion", with the I&C system architecture correlated to measurements and actuators as well as installation rooms and supply systems; a qualified design procedure to support error-free design during all lifecycle phases, supported by the qualified SPACE engineering system (formal and understandable design graphics, automatic code generation, design data bank) and simulator-based validation of the same software that is loaded on the target system. Level 3, deterministic I&C system behaviour by qualified key features of TELEPERM XS (IEC 880/Sup.1, IEC 780, IEC 987, IEC 1000, KTA 3503, IEC 880, IEC 671): tolerance of hardware to environmental stress, qualified according to I&C safety standards; robustness against input data dependences through strictly cyclic system operation, absence of process-dependent interrupts and static allocation of system resources; system operating software modules developed and documented according to IEC 880; a reusable application software function module library qualified by independent experts, with function modules completely encapsulated and with consequent checks of the operability of input data; high-performance system self-monitoring and testability of the designed safety functions; interference-free communication between redundant subsystems.

2.1 The deterministic I&C system behaviour

The first design level in the strategy to govern CCF was elaborated during the development of the requirement specification to ensure the key features of the TELEPERM XS system. The system is characterised by deterministic I&C system behaviour. This means that the overall system behaviour in response to any input data trajectories is determined by the validated application software and is free of any unintended interferences on the operating system software and the system hardware.

The deterministic behaviour is ensured by the following key features of the TELEPERM XS system:

• The hardware modules are designed and qualified by theoretical analysis as well as tests to perform their intended functions even under environmental stress. This ensures that system failures caused by environmental effects can be excluded within the design requirements of the relevant German as well as international I&C safety standards.

• To ensure the independence of the system's operating behaviour from any input data trajectories, the following set of system features is implemented:
- strictly cyclic system operation
- no process-dependent interrupts
- static allocation of system resources

• Interference-free communication between subsystems as fault barrier so that single failures in one train cannot propagate to a system CCF

• The operating system software is developed strictly according to IEC 880. To ensure highest quality, the complete development documentation was input to the qualification process by independent experts.

• The function block modules kept in the library for generating the application software are developed and qualified in the same way according to IEC 880. All function block modules are completely encapsulated and equipped with consequent checks on the operability of the input data.

Finally, these key system features that are relevant for ensuring the deterministic system behaviour were confirmed during generic tests on a redundant four-train system, performed in the presence of independent experts from GRS-ISTec and TUV-North. The confirmed deterministic system behaviour is the essential precondition for the correct design of the application software and architecture of an individual I&C system to determine the final behaviour of the integrated system in correspondence with the design requirements.

2.2 The design of individual I&C safety systems

The quality requirements on the design of individual I&C safety systems form the second level in our strategy to cope with CCFs. The main requirements within this design level focus on meeting the "Single Failure Criterion" and ensuring that the functional requirements from the plant process are fulfilled by the application software.

The "Single Failure Criterion" is interpreted such that, in the case of the trip of one of the redundant trains, the designed safety functions are performed without deficiencies by the available trains on the basis of the measured process information. Relevant for ensuring compliance with this requirement are:

• The design of an adequate redundant architecture correlated to the redundant measurements and supply systems and including a suitable voting principle.

• Furthermore, the interference-free communication and the absence of any central synchronising mechanisms between the trains are essential for ensuring the continued operation of the non-tripped trains in the case that one train has failed.

The application software is designed by means of the advanced SPACE engineering system. To reduce the probability of hidden design errors to the lowest possible extent, the intended functions are designed in the proven format of function diagrams, which are easy to understand for I&C engineers as well as for the designers of the mechanical process systems. The I&C system architecture is also designed by means of SPACE such that each function is allocated to a dedicated processor. The code generation is performed for the complete set of functions for a redundant I&C system including all communications.

[Figure 2 (diagram): the engineering process phases Requirements, I&C System Specification and Design, and Validation of I&C System Specification, with the blocks Plant Disturbance Analysis (plant simulator, basic I&C model, calculation of relevant transients, engineering judgement on adequate behaviour), I&C System Specification via SPACE (functional requirements, design data bank, automatic code generation, check of formal correct design data, check of processor and bus load, function diagrams, detail design, manufacturing and installation documents), Functional Validation (plant simulator, new I&C model, acceptance test specification, generation of test files for factory acceptance test, review on correct implementation of functional requirements), Factory Acceptance Test (test device for input data stimulation and output data checks) and I&C System with Integrated Software (manufacturing).]

TELEPERM XS: Quality Management in the Engineering Process

Figure 2 shows the straightforward engineering process for designing I&C systems in correlation with the verification and validation phases.

Advanced automatic checks are integrated in the SPACE engineering system to eliminate formal errors of input data. Furthermore, the possibility to design processor and bus loads by optimising the architecture (e.g. by parallel processing) and the functional allocation to different processors inside the I&C system is provided. These checks also include the prediction of the overall response time. The documentation of the I&C system specification - stored in the design data bank - is reviewed against the basic requirements specification.

The most effective possibility to eliminate hidden design errors is provided by the functional validation of the generated application software. For the functional validation, the generated application software (not only the pure code for the designed functionality but the complete code for the redundant system including the communication between the redundant trains) is linked to an already validated simulator code (e.g. on a powerful workstation) and then checked by computing the relevant design transients. As a real time simulator is not required for the functional validation, it is possible to use the same simulator that was already used for the disturbance analysis. The functional validation can additionally be used to generate the input/output data test files for the factory acceptance tests.

For the reactor control and limitation system for the NPP Unterweser (delivery 7/97; 20 cubicles) we performed in parallel the above mentioned software validation in a "one computer environment" as well as the factory acceptance tests with the integrated system linked to a real time simulator. The comparison of the calculated transients showed excellent correspondence, which confirms the deterministic behaviour of the TELEPERM XS system. The possibility of directly validating the application software which is later integrated in the target system establishes an advanced possibility to ensure the required functionality as well as to eliminate hidden design errors much better than was possible for proven technology with hardwired I&C protection systems.

2.3 The design of independent I&C safety systems

On the first and second level the focus is laid on features and methods that reduce the probability of remaining hidden design errors to the lowest possible extent. On the development level of the I&C product system, these are the qualified features that ensure the deterministic system behaviour; on the design level for individual I&C systems, these are in particular the qualified design of the application software, including its validation.

As a complementary design barrier, on the 3rd level the application of independent I&C safety systems is superimposed to ensure that the global safety goals are met despite an assumed CCF of one of the systems. In the strategy to govern CCFs this forms a deterministic approach by the design of independent I&C systems in such a way that the synchronous failure of two or more systems can be excluded.

I&C safety systems are not burdened by environmental stress during plant internal accidents (except the sensors inside the containment) and are designed and tested to tolerate plant externally triggered stress conditions from seismic or lightning events in accordance with the relevant standards. Only input data trajectories during plant transients can form potential loadings to trigger the failure on demand of an I&C system by the activation of hidden design errors in the application software. Special care has to be taken for input data trajectories with partly wrong and inconsistent input data, because the sensors are stressed by the environmental conditions during plant transients.

This fact that hidden design errors in the software can be activated to initiate system CCFs only by specific input data trajectories is discussed in the following:

Essential for managing this generic problem for digital I&C systems are those features which establish the barrier against interferences from the application software on the operating system software and the hardware. This encapsulation of the application software reduces accordingly the scope of software which can contain design errors with the potential of CCFs. With the additional quality features of the application software library (encapsulated function block modules with rigorous operability checks), the I&C system operation cannot be jeopardised by any input data trajectories.

This limitation of process dependent interferences on the application software provides the following advantage: as the application software is the only object which is specifically loaded by process dependent input data trajectories, only the application software needs to be diverse for realising independent I&C systems which are not vulnerable to failing on this common cause. The application of functional diversity is the most effective way to ensure diverse application software.

In addition to the barrier against interferences from the application software level on operating system software and hardware, the following design requirements have to be met to realise independent I&C systems:

• The main plant safety objectives have to be ensured by independently effective I&C safety systems with
  - different safety functions and, as far as possible, individual input measurements, to ensure permanently different data trajectories for the independent systems, and
  - initiations via independent means (e.g. actuators in the switchgear).

• Absence of direct communication between the independent systems.

• Service activities (e.g. for periodic tests) are permitted only for one of the independent systems, and within one system only for one of the redundant trains at the same time.

For the design of independent I&C systems in cases where the barrier against interferences from the application software on the operating system software cannot be claimed, the application of diversity of the system operating software or even equipment diversity has to be considered instead. The application of diverse I&C systems, however, places an additional burden on the utility with respect to:

• increased costs for qualification and licensing of two different systems
• establishing and maintaining the know-how for servicing two operated systems in parallel
• the more complex configuration management for spare parts and in consequence of modifications of components
• increased potential of errors during a later I&C system redesign in consequence of process modifications

3 Conclusion

The Siemens "Three Level Strategy" is based on proven features of the TELEPERM XS system and enables us to govern the problem of common cause failures of safety I&C systems without the need to apply equipment diversity. On the first and the second design level the probability of hidden design errors is reduced to an extent that is at least comparable with the proven design for hardwired I&C safety systems. This is achieved by:

• The deterministic system behaviour which is confirmed in the qualification process by independent experts and which ensures that the resultant functionality and behaviour of an individual I&C system corresponds to the application specific design.

• The qualified design process for system architecture and application software based on the SPACE engineering system by means of formal and understandable graphic presentations and the validation of the generated application software to prove its adequate behaviour during design basis accidents.

Based on the confirmed key features of the product system TELEPERM XS and the qualified design process for realising individual I&C systems, independent systems are designed such that a simultaneous failure of these independent systems by a common cause can be excluded.

• Essential is the design according to deterministic requirements to ensure the absence of potential common influencing factors. By the assignment of diverse individual safety functions to these independent safety I&C systems, it is ensured that the overall plant safety objectives are met even in the case of an assumed failure of one of these independent systems.

XA9846498

RELIABILITY ANALYSIS OF PROTECTION SYSTEMS IN NPP APPLYING FAULT-TREE ANALYSIS METHOD

J. BOKOR, P. GASPAR, J. HETTHESSY
Computer and Automation Research Institute, Hungarian Academy of Sciences, Budapest, Hungary

G. SZABO
Technical University of Budapest, Budapest, Hungary

Abstract

This paper demonstrates the applicability and limits of dependability analysis in nuclear power plants (NPPs) based on the reactor protection refurbishment project (RRP) in NPP Paks. This paper illustrates case studies from the reliability analysis for NPP Paks. It also investigates the solutions for the connection between the data acquisition and subsystem control units (TSs) and the voter units (VTs), analyzes the influence of the voting at the VT computer level, and studies the effects of the testing procedures on the dependability parameters.

1. INTRODUCTION

The NPP Paks consists of four operating VVER-440 type reactor units. These pressurized water reactors (PWR) operate with thermal neutrons; both the heat carrying and the moderating agents are pressurized water. The first unit of the NPP Paks was started at the end of 1982. After two years of average level operation, Unit-1 ran with a load factor which was remarkable even by international standards. Unit-2 was connected to the electric network in 1984 and it reached 100% of its nominal output within 55 days. Unit-3 was started in 1986 and Unit-4 in 1987. All four units of the NPP Paks have shown excellent operational results.

The protection system of the reactor units is based on a relay structure in conformity with the technical level of the eighties. Although the protection system operates reliably, because of the age of the protection system, the difficulties of obtaining spare parts, and the development of the technology it is necessary to modernize it to an integrated computer based protection system. One of the advantages of the new protection system is that it integrates the realized protection logic, which up to now operates in separate subsystems. In this way it is possible to reduce the redundancy, e.g. to decrease the number of sensors and to avoid the problems of redundant information sources.

The reactor protection refurbishment project (RRP) started in 1995. Different types of requirements were set up for the protection system. One such requirement was that the new system should operate with a higher level of dependability than the previous version. Moreover, probability requirements for certain events were also set up. Because of the above requirements and of the requirement of supporting continuous development by comparing different development alternatives, it is necessary to analyze the plans of the protection system on a probability basis. Besides these, the system under planning is subject to deterministic examinations, which can be supported with probability based examinations.

The structure of the protective system of NPP Paks is based on PLCs with triple redundancy. The connection among the redundant subsystems (trains) is solved by different methods. On the one hand the trains share the measured and preprocessed signals among each other for the sake of validation. On the other hand the comparison and voting of the processed protection signals are performed. The two main tasks of the protection system, namely the emergency protection (EP) and the emergency core cooling system (ECCS) functions, are operated in different ways. The actuator signals for the EP function are produced by relay voting, while the actuator signals for the ECCS function are created by PLC based voting. In the latter case the protection signals are also shared at the voting level.

The applied method for analysis of the RPS is the well-known fault tree analysis (FTA) method, because of its efficiency and because it is widely used in the nuclear industry. As a result of this analysis a so-called fault tree is constructed, from which an algorithm can easily be derived to calculate the probability of system failure. One of the advantages of the analysis is that the structure of the fault tree can be a very useful support for the objective justification of the system. Moreover, it forces the analyzer to take all the events leading to the top event into consideration.

The aim of this paper is the investigation of the applicability of the dependability methods in RPS. The structure of the paper is as follows. Chapter 2 summarizes the probability requirements for the RPS. Chapter 3 illustrates the theoretical background of the FTA. Chapter 4 demonstrates some case studies from the RRP.

2. THE PROBABILITY REQUIREMENTS FOR THE RPS

The safety requirements on the RPS can be divided into two groups: some of the requirements can be investigated with deterministic analysis, e.g. the single failure criterion or the common cause failure, and some of them can be investigated on a probabilistic basis. During the probabilistic system analysis the input data are the failure rates of the components, and the probability value or the frequency of an event concerning one function of the system is examined. In this sense the examined events are actually fault events, which are described by the probability of failure states. The frequency of an event over a defined time interval gives the number of failures. Both the frequency and the probability are time dependent, which means that their values can be described by functions of time.

The advantage of the probability based investigations is that the system can be characterized by objective parameters, namely probabilistic values, in contrast to those examinations where the qualities are subjective, so that the qualification is difficult, e.g. a multi level scale. This objectivity is important from the point of view of the comparison of alternatives and of the analysis of the requirements. On the other hand the problem is that the failure rates of the different components are experimental values. The determination of these values is based on the investigation of similar parts. So the values of the concrete components built into the system can more or less differ from these experimental values. One of the solutions for the above problem is to take the uncertainty of the failure rate into account, e.g. the variance of the failure rate.

In the RRP the investigated probability requirements are regarded in two main functions, namely in the EP function and in the ECCS function. The requirements are as follows:

- the probability of masking the EP function on the fulfillment of any initiation criterion,
- the probability of masking the EP function on the fulfillment of any postulated initiating event (PIE),
- the frequency of spurious reactor shutdown,
- the probability of masking the ECCS function,
- the frequency of spurious ECCS actuation.

3. THE THEORETICAL BACKGROUND OF THE FTA

The probability analysis of systems can apply different methods, e.g. the FTA, the event tree analysis (ETA), the failure modes and effects analysis (FMEA), the cause-consequence analysis (CCA), or the fault hazard analysis (FHA). In the RRP the applied method is the FTA method, because of its efficiency and because it is widely used in the nuclear industry. This technique evolved in the aerospace industry during the 1960s. The FTA is basically a systematic analysis of the system failure events and of the subsystem and component events that can cause failure. As a result of this analysis a so-called fault tree is constructed, and algorithms can easily be derived from the structure of the fault tree to calculate the probability of system failure.

The aim of the FTA method is to determine the probability and/or the frequency of a specified state of the system. Since the predefined state is usually a fault state, the name of the method, fault analysis, is justified. The word tree in the name of the method illustrates that the occurrence of the defined event has to be described as a multi level connection of events, which can be further decomposed, so that the system can be represented as a tree of events.

In the FTA method the defined event is any kind of faulty operation in accordance with the prescribed RRP requirements. This defined event is called the top event. During the analysis the so-called basic events are searched for, which together occur when the top event happens. It is important to have some kind of information about the probability of occurrence of the basic events, e.g. the failure rate. It is also important to precisely determine the connections of the basic events, because they basically influence the result of the computations.

During the building up of a fault tree the causes of the events are determined by deductive analysis, which means that the deduction goes from the event to the cause. In each step a cause is selected and one or more events are searched for as a basic cause. Even in this case the advantage of the analysis is that the structure of the fault tree can be a very useful support for the objective justification of the system. Moreover, it forces the analyzer to evaluate all the events leading to the top event.

The most important fault tree gates, which are Boolean logic operators on the basic events, are as follows:

- AND: This gate is true if all input events are true, so it represents combinations of basic events.
- OR: This gate is true if at least one input event is true, so it can show single input events that can cause the output event.
- NOT: This gate is true if the input event is false, so it can be thought of as a logic inverter.
- K/N (K-out-of-N): This gate is true if at least K of the N input events are true, namely the next level (maybe the top level) occurs if at least K input events occur from the possible N basic events. Certainly, this gate can also be constructed from AND and OR gates.

Surely, more logic gates can be defined by applying the previous gates, e.g. the NAND gate. A special gate type is the TRANSFER gate, which performs the division of the fault tree, so it supports the survey of the fault tree.

The time dependent property of a basic event is usually critical. A more precise description of the events requires taking the time dependency of the probabilities into account. The task of the basic event reliability models is to define the probability values of a component as a function of time. In simple cases mean unavailability (long-term unavailability) values are used instead of a time dependent model. Below, some reliability models are summarized.

1. Constant unavailability component. This component can break down at the moment of switch-on, e.g. valves with two states. This has a simple model, which uses a constant unavailability q as its only parameter: $Q(t) = q$, where q is the probability.

2. Non-repairable component. The lifetime of a non-repairable component lasts until a fatal failure occurs. This has an exponential failure model with a constant failure rate. The unavailability of this component is modeled by the following form: where $\lambda$ is the failure rate.

3. Continuously monitored, repairable component. The failure of a continuously monitored component is detected promptly and the repair is started. This repair usually means the substitution of the faulty component by a faultless component. After the defined repair time this component operates without fault until the next failure. The unavailability of this component is as follows:

where $\mu$ is the repair rate.

4. Periodically tested component. The failure of a periodically tested component is detected by a test, which is started at a predefined time interval. After detecting the failure the repair is started. The unavailability of this component is as follows: $Q(t) = 1 - e^{-\lambda (t - T_j)}$, $T_j = 0, T_I, 2T_I, \dots$, where $T_I$ is the test interval.

The FTA gives valuable information and different types of results about the system for the constructors or for the inspectors. Some results are necessary for the constructors, e.g. the weak points of the system, the importance of a component, the sensitivity of a parameter, etc. Other results are useful for the inspectors, e.g. the unavailability of the top event and its frequency.

1. The probability and/or frequency of the top event. One of the most important analyses is the unavailability of the top event. The calculation is based on the failure rates of the basic events and the connections among these events. The calculated probability value qualifies the system as accepted or not in the sense of the predefined requirement. In the case of a non-acceptable result the weak points of the system have to be investigated with further tools.

2. Minimal cut set analysis. The goal of the minimal cut set analysis is to generate the so-called minimal cut sets of the fault tree, and to perform a point-estimate quantification of the top event. A minimal cut set is a combination of basic events which causes the top event to occur, and if any of those events is removed from the set, the top event does not occur. The minimal cut sets can be sorted into decreasing order using the failure rates of their basic events. In this way the weak points of the system can be determined, since it can be established which events are responsible for the unavailability of the top event. Moreover, it can be investigated how many basic events are necessary for the unavailability of the top event. This is useful in the case of the single failure criterion, since in this case it can be proved that at least two failures are necessary for a failure of system operation.

3. Uncertainty analysis. The uncertainty analysis calculates probability distribution for the top event result, which is usually based on Monte Carlo simulation.

4. Sensitivity analysis. The sensitivity and importance analysis functions can calculate parameters in a further sense, e.g. the importance of a basic event, the importance of a group of basic events, the importance of a parameter, the sensitivity of a parameter. These examinations show how sensitive the top event is to modifications of the parameters. In this context parameter means data of a probabilistic model, e.g. $\lambda$, $\mu$, repair time, test interval, etc. The constructors have to know these results in order to determine which parameters significantly influence the probability of the top event. In this way they can select the parameters which have to be modified in order to improve the probability value. Moreover, the effect of different time intervals can also be determined. Decreasing the test interval, so that failures are discovered more quickly, or decreasing the repair time can achieve an improvement of the probabilistic value.
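As an added example (not code from the paper or from the RRP), the following Python toolkit implements the basic-event reliability models of section 3, the AND/OR/K-out-of-N gates, minimal cut set enumeration, and the exact top-event probability beside the rare-event point estimate, and applies them to a constructed three-train ECCS model with 2v3 voting and with the VT-level voting omitted, the comparison the case studies below discuss. All event names, rates and the tree structure are constructed, and the formulas used for models 2 and 3 are the standard constant-rate results, which the paper states in words only.

```python
# Fault-tree toolkit for a voted protection function (added, constructed example).
import math
from itertools import combinations, product

# Basic-event reliability models (rates per hour): lam = failure rate,
# mu = repair rate. Models 2 and 3 are the standard constant-rate formulas.
def q_constant(q):                       # model 1: Q(t) = q
    return q

def q_nonrepairable(lam, t):             # model 2: Q(t) = 1 - exp(-lam t)
    return 1.0 - math.exp(-lam * t)

def q_monitored(lam, mu, t):             # model 3: two-state Markov process
    return lam / (lam + mu) * (1.0 - math.exp(-(lam + mu) * t))

def q_periodic(lam, t_interval, t):
    """Model 4: Q(t) = 1 - exp(-lam (t - T_j)), T_j = 0, T_I, 2T_I, ...
    being the last test instant at or before t."""
    t_j = math.floor(t / t_interval) * t_interval
    return 1.0 - math.exp(-lam * (t - t_j))

def q_periodic_mean(lam, t_interval):    # mean of model 4 over one interval
    return 1.0 - (1.0 - math.exp(-lam * t_interval)) / (lam * t_interval)

# Gates: ("AND", [..]), ("OR", [..]), ("KN", k, [..]); a string is a basic event.
def evaluate(node, state):
    # True when the node's event occurs for state = {basic event: failed}
    if isinstance(node, str):
        return state[node]
    gate, children = node[0], node[-1]
    if gate == "AND":
        return all(evaluate(c, state) for c in children)
    if gate == "OR":
        return any(evaluate(c, state) for c in children)
    if gate == "KN":                     # K-out-of-N, e.g. the 2v3 voter
        return sum(evaluate(c, state) for c in children) >= node[1]
    raise ValueError("unknown gate %r" % (gate,))

def basic_events(node):
    if isinstance(node, str):
        return {node}
    return set().union(*(basic_events(c) for c in node[-1]))

def minimal_cut_sets(tree):
    # Searched by increasing order, so supersets of known cut sets are skipped.
    events = sorted(basic_events(tree))
    cuts = []
    for order in range(1, len(events) + 1):
        for combo in combinations(events, order):
            if any(cut <= set(combo) for cut in cuts):
                continue
            if evaluate(tree, {e: e in combo for e in events}):
                cuts.append(frozenset(combo))
    return cuts

def top_event_probability(tree, q):
    """Exact value for independent events by enumerating all 2**n states."""
    events = sorted(basic_events(tree))
    total = 0.0
    for bits in product((False, True), repeat=len(events)):
        state = dict(zip(events, bits))
        if evaluate(tree, state):
            total += math.prod(q[e] if state[e] else 1.0 - q[e] for e in events)
    return total

def rare_event_approximation(cuts, q):   # point estimate from the cut sets
    return sum(math.prod(q[e] for e in cut) for cut in cuts)

# Constructed three-train ECCS model: a train's demand is masked if its sensor,
# input module (BEM) or TS computer fails undetected; the voted function is
# masked when two of three trains are. Spurious actuation is voted 2v3 in the
# basic system and becomes a plain OR when the VT-level voting is omitted.
TRAINS = ("W", "X", "Y")

def ecc_trees():
    masked = [("OR", [f"SENSOR_{t}_UNDET", f"BEM_{t}_UNDET", f"TS_{t}_UNDET"])
              for t in TRAINS]
    spurious = [("OR", [f"SENSOR_{t}_SPUR", f"TS_{t}_SPUR"]) for t in TRAINS]
    return {"masking_voted": ("KN", 2, masked),
            "spurious_voted": ("KN", 2, spurious),
            "spurious_no_voting": ("OR", spurious)}

def basic_event_unavailabilities():      # constructed point values
    q = {}
    for t in TRAINS:
        q[f"SENSOR_{t}_UNDET"] = q_periodic_mean(1e-5, 720.0)  # monthly test
        q[f"BEM_{t}_UNDET"] = q_monitored(1e-5, 1 / 8.0, 1e6)  # steady state
        q[f"TS_{t}_UNDET"] = q_monitored(2e-5, 1 / 8.0, 1e6)
        q[f"SENSOR_{t}_SPUR"] = q_constant(1e-3)
        q[f"TS_{t}_SPUR"] = q_constant(5e-4)
    return q

def case_study():
    # Cut-set count, lowest cut-set order and top-event probability per tree
    q = basic_event_unavailabilities()
    result = {}
    for name, tree in ecc_trees().items():
        cuts = minimal_cut_sets(tree)
        result[name] = {"n_cut_sets": len(cuts),
                        "min_order": min(len(c) for c in cuts),
                        "exact": top_event_probability(tree, q),
                        "rare_event": rare_event_approximation(cuts, q)}
    return result

if __name__ == "__main__":
    for name, r in case_study().items():
        print(name, r)
```

On the constructed model every minimal cut set of the voted functions has order two, while omitting the voting introduces six single-failure cut sets, which is the qualitative effect Example 2 below reports; the rare-event sum stays an upper bound on the exact value because the trees are coherent.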

4. CASE STUDIES IN NPP PAKS

Example 1

In case study 1 the application of the FTA method to different development alternatives is demonstrated. In the ECCS function the VT computers get the actuation signals from the TS computers through point-to-point connections. The scheme with three trains and point-to-point connections can be seen in Fig. 1. One possible solution for the connection between these levels is a local area network without point-to-point connections. This construction can be seen in Fig. 2.

[Fig. 1 diagram: Y train, X train, W train; sensor side to actuator side]

Fig. 1: Scheme for the ECCS function with three trains of the basic system.

[Fig. 2 diagram: Y train, X train, W train; sensor side; AND; actuator side]

Fig. 2: Scheme for the ECCS function applying local area network.

The advantages of the local area network are the simplicity and the easier maintenance. At the same time this system could be more sensitive, because a failure can block a local network. The question is how this modification manifests itself in the probabilistic values.

The created fault tree for masking the ECCS function can be seen in Fig. 3. The fault-tree for masking the ECCS function in a train can be derived from basic events, e.g. failure of the actuator control and failure of the actuator, and from transfer gates, e.g. failure of the voting logic. This structure is the same for the point-to-point case and for the local area case. The difference between them comes from the transfer gate named Failure of the connection. The fault-tree of this gate in the point-to-point case can be seen in Fig. 4 and in the local area case in Fig. 5.

[Fig. 3 diagram: fault tree for masking of the ECCS function in train 1. Symbolism used in this paper: 1. Event with description; 2. Basic event with description and name; 3. Logical connections between events: OR, 2v3, AND; 4. Transfer gate with description.]

Fig. 3: Fault-tree for masking the ECCS function in the train 1.

[Fig. 4 diagram: subtree for failure of the connection, decomposed over the VT-W-A and TS-W-A, TS-X-A, TS-Y-A modules]

Fig. 4: Subtree for failure of communications in the case of point-to-point connection.

[Fig. 5 diagram: subtree for failure of the connection, decomposed over the VT-W-A, VT-W-B and TS-W-A, TS-X-A, TS-Y-A, TS-W-B, TS-X-B, TS-Y-B modules]

Fig. 5: Subtree for failure of communications in the case of local area network.

The first twenty minimal cutset events in the case of masking the ECCS function can be seen in Table 1 and Table 2. It can be noted that the realization of the connection between the TS and the VT does not influence the probabilistic values. The reason for this is that the sensors and the input modules are responsible for masking the ECCS function, which can also be seen from the minimal cut sets. At the same time, in the sense of the frequency value of spurious ECCS actuation the VT computers play an important role. However, the value does not decrease, because failure caused by spurious operation is not assumed. Therefore, this modification can be executed without decreasing the frequency value.

Table 1 Minimal cutset events of masking the ECCS in the case of point-to-point connection.

No.     Minimal cut sets                                   Unavailability   Interpretation
1-3     BEMiA FAILS UNDET, BEMjA FAILS UNDET (i ≠ j)       1.53E-07         Two input modules fail undetected in different trains
4-9     BEMiA FAILS UNDET, SZENZOR jA UNDET (i ≠ j)        1.07E-07         An input module fails undetected & a sensor fails undetected in different trains
10-12   SZENZOR iA UNDET, SZENZOR jA UNDET (i ≠ j)         7.52E-08         Two sensors fail undetected in different trains
13-18   BEMiA FAILS UNDET, TSxA SVE1 FUD (x not train i)   7.34E-08         An input module fails undetected & a TS computer fails undetected in different trains
19-20   SZENZOR iA UNDET, TSxA SVE1 FUD (x not train i)    5.14E-08         A sensor fails undetected & a TS computer fails undetected in different trains

Table 2 Minimal cutset events of masking the ECCS in the case of local area network.

No.     Minimal cut sets                                   Unavailability   Interpretation
1-3     BEMiA FAILS UNDET, BEMjA FAILS UNDET (i ≠ j)       1.53E-07         Two input modules fail undetected in different trains
4-9     BEMiA FAILS UNDET, SZENZOR jA UNDET (i ≠ j)        1.07E-07         An input module fails undetected & a sensor fails undetected in different trains
10-12   SZENZOR iA UNDET, SZENZOR jA UNDET (i ≠ j)         7.52E-08         Two sensors fail undetected in different trains
13-18   BEMiA FAILS UNDET, TSxA SVE1 FUD (x not train i)   7.34E-08         An input module fails undetected & a TS computer fails undetected in different trains
19-20   SZENZOR iA UNDET, TSxA SVE1 FUD (x not train i)    5.14E-08         A sensor fails undetected & a TS computer fails undetected in different trains

Example 2

This example shows the effect of omitting the voting at the VT computer level on the probability of faulty operation. The block scheme of this structure is shown in Fig. 6 and the related fault-tree in Fig. 7. Based on the results of the previous examination it can be expected that the probability of masking the ECCS function will change little, while the frequency of spurious actuation will become significantly worse, since this modification affects the critical points.

The probability of masking the ECCS function is 4.69·10^-6 in the basic system and 3.90·10^(?) without voting; the frequency of spurious ECCS actuation is 3.59·10^(?) per year in the first system and 3.46·10^(?) per year in the second (the exponents are not legible in the source). The frequency of spurious ECCS actuation is one order of magnitude worse without the voter. Without voting there are single-failure cases which alone can cause a failure of the system. Of course, a decision concerning the whole protection system has to weigh other viewpoints besides the probabilistic values, e.g. simplicity, testability and maintainability. The first twenty minimal cutset events of spurious ECCS actuation with and without voting can be seen in Tables 3 and 4.

Fig. 6: Scheme of the realization of the VT function without voting (block diagram from the sensor side of trains Y, X and W to the actuator side; not reproduced in text).

Fig. 7: Fault-tree for masking the ECCS function in train 1 without voting (tree diagram not reproduced; basic events include TS_W_A).

Table 3. Minimal cutset events of spurious ECCS actuation in the case of with voting (first twenty cutsets; SZENZOR = sensor, TS?A SVE1 FUD/FD = TS computer of train W, X or Y fails undetected/detected, ECCL TEVk OUT and ECCL TEVk OUT-2 = the two output cards of a train; i ≠ j).

| No. | Minimal cutset (two basic events) | Unavailability | Interpretation |
|-----|-----------------------------------|----------------|----------------|
| 1-3 | SZENZOR iA UNDET, SZENZOR jA UNDET | 7.52E-08 | Two sensors generate input signal failures in an undetected way in different trains |
| 4-9 | SZENZOR iA UNDET, TS?A SVE1 FUD | 5.14E-08 | A sensor generates an input signal failure in an undetected way and a TS computer fails undetected in different trains |
| 10-12 | TS?A SVE1 FUD, TS?A SVE1 FUD (different trains) | 3.51E-08 | Two TS computers generate spurious signals in different trains |
| 13-15 | ECCL TEVk OUT, ECCL TEVk OUT-2 | 2.89E-08 | Two output cards generate spurious signals in the same train |
| 16-20 | SZENZOR iA UNDET, TS?A SVE1 FD | 2.89E-08 | A sensor generates an input signal failure in an undetected way and a TS computer fails detected in different trains |

It can be concluded that the critical part of a given function in the system can be determined with FTA, in the sense of both faulty (masked) operation and spurious operation. If a change is made to the critical parts, the probability values change significantly, while changes to the non-critical parts hardly affect the parameters. So if the system has to be improved from the dependability point of view, the critical parts should be changed. Conversely, simplification can be applied to the non-critical parts, e.g. in order to decrease cost; in that case it has to be checked whether the judgement of this part has changed because of the simplification. It has to be noted that spurious operation and masking of the operation change in opposite directions: improving the value for spurious operation worsens the value for masking the operation, and vice versa. So in order to improve the dependability values a part of the system has to be found which is critical in this sense; changes to a non-critical part do not improve the dependability values.

Table 4. Minimal cutset events of spurious ECCS actuation in the case of without voting (first twenty cutsets; same event notation as in Table 3, BEMiA SIG FAIL = input module of train i generates a spurious signal, SZENZOR jA DET = sensor fails detected; i ≠ j).

| No. | Minimal cutset | Unavailability | Interpretation |
|-----|----------------|----------------|----------------|
| 1 | TSWA SVE1 FUD | 1.87E-04 | A TS computer sends a spurious actuation signal to the VT computers (undetected error) |
| 2 | TSYA SVE1 FUD | 1.87E-04 | (as above) |
| 3 | TSXA SVE1 FUD | 1.87E-04 | (as above) |
| 4-6 | SZENZOR iA UNDET, SZENZOR jA UNDET | 7.52E-08 | Two sensors generate input signal failures in an undetected way in different trains |
| 7-9 | ECCL TEVk OUT, ECCL TEVk OUT-2 | 2.89E-08 | Two output cards generate spurious signals in the same train |
| 10-15 | SZENZOR iA UNDET, SZENZOR jA DET | 1.07E-08 | A sensor generates an input signal failure in an undetected way and another sensor generates an input signal failure in a detected way in another train |
| 16-20 | BEMiA SIG FAIL, SZENZOR jA UNDET | (illegible) | An input module generates a spurious signal and a sensor generates an input signal failure in a detected way in another train |

Example 3

Example 3 demonstrates how the dependability values depend on the value of the test interval, and how FTA can be applied to determine the proper test interval. During operation of the RPS, detected or undetected faults can occur. Undetected faults are not revealed when they occur; they can be detected only after some time by a detecting algorithm or some testing tool. The ways of exposing faults can be divided into two main groups. The self-test of the equipment reports a fault practically at the moment it occurs. But there are faults which cannot be effectively exposed by self-tests; to expose these faults, special test cases have to be prescribed and performed periodically. The efficiency of fault detection significantly influences the dependability of the system, which is why the selection of the time interval of the periodic test is important. Of course, there is practical experience for this selection, but there are technical and economic difficulties with testing at too short a period. Therefore FTA can be a useful tool to determine the test period. In Fig. 8 the probability of masking the operation and the frequency of the spurious function are illustrated for different test intervals. The result of the examination can be useful information for investigating the time intervals.
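The minimal-cutset reasoning of Examples 2 and 3 can be reproduced on a small model. The following Python program is an added example and not code from the paper or from the RRP project: it builds three trains (W, X, Y) of sensor, input module and TS computer with assumed failure rates, models undetected faults as revealed only by the periodic test (time-average unavailability 1 - (1 - e^(-λT))/(λT), about λT/2) and self-detected faults as unavailable only during an assumed 8 h repair, generates the minimal cutsets of a 2-of-3 voted function as pairs of events from different trains, and then (a) removes the vote on spurious signals so that single-event cutsets appear, as in Example 2, and (b) sweeps the test interval T over the range shown in Fig. 8, as in Example 3. The event names, the rates and the simplified "without voting" logic are assumptions; the values in Tables 1 to 6 are not reproduced.

```python
"""Minimal-cutset evaluation of a 2-of-3 voted protection function.

Added example, not code from the paper. Train layout, failure rates, repair
time and the simplified "without voting" logic are assumptions for
illustration; they are not the Paks RRP data.
"""
import math
from dataclasses import dataclass
from itertools import combinations, product

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class BasicEvent:
    name: str
    train: str
    rate: float             # failure rate, 1/hour (assumed value)
    kind: str               # "undetected": found only by the periodic test; "detected": self-test + repair
    spurious: bool = False  # True: produces a spurious actuation signal; False: masks the actuation


def unavailability(ev, test_interval_h, repair_h):
    """Time-average unavailability of one basic event.

    An undetected fault stays hidden until the next periodic test, so the
    component is unavailable on average for about half the test interval:
        q = 1 - (1 - exp(-lambda*T)) / (lambda*T)  ~=  lambda*T/2   (small lambda*T)
    A self-detected fault is unavailable only during its repair: q ~= lambda*tau.
    """
    if ev.kind == "undetected":
        x = ev.rate * test_interval_h
        return 1.0 - (1.0 - math.exp(-x)) / x
    return ev.rate * repair_h / (1.0 + ev.rate * repair_h)


def build_trains():
    """Three redundant trains W, X, Y; each has a sensor, an input module and a TS computer (assumed rates)."""
    trains = {}
    for t in ("W", "X", "Y"):
        trains[t] = [
            BasicEvent(f"SENSOR_{t} FAILS UNDET", t, 1.0e-6, "undetected"),
            BasicEvent(f"INPUT_MODULE_{t} FAILS UNDET", t, 2.0e-6, "undetected"),
            BasicEvent(f"TS_{t} FAILS DET", t, 5.0e-5, "detected"),
            BasicEvent(f"SENSOR_{t} SPURIOUS UNDET", t, 5.0e-7, "undetected", spurious=True),
            BasicEvent(f"TS_{t} SPURIOUS UNDET", t, 1.0e-6, "undetected", spurious=True),
        ]
    return trains


def minimal_cutsets(trains, spurious, trains_needed):
    """Minimal cutsets as tuples of events taken from `trains_needed` distinct trains.

    With 2-of-3 voting the function is masked (or spuriously actuated) when two
    trains are lost (or spuriously actuate): trains_needed == 2. Omitting the
    vote, as in Example 2, lets one spurious train actuate alone
    (trains_needed == 1), so single-event cutsets appear.
    """
    per_train = {t: [e for e in evs if e.spurious == spurious] for t, evs in trains.items()}
    return [cs for combo in combinations(sorted(per_train), trains_needed)
            for cs in product(*(per_train[t] for t in combo))]


def cutset_probability(cs, test_interval_h, repair_h):
    return math.prod(unavailability(e, test_interval_h, repair_h) for e in cs)


def top_event_probability(cutsets, test_interval_h, repair_h=8.0):
    """Rare-event approximation: sum of the cutset unavailabilities."""
    return sum(cutset_probability(cs, test_interval_h, repair_h) for cs in cutsets)


def top_event_frequency_per_year(cutsets, test_interval_h, repair_h=8.0):
    """Frequency of the top event: in each cutset the last event to occur triggers it
    while the others are already present, f(cs) = sum_i rate_i * prod_{j != i} q_j.
    A single-event cutset contributes its bare failure rate."""
    total = 0.0
    for cs in cutsets:
        for i, trigger in enumerate(cs):
            others = [unavailability(e, test_interval_h, repair_h) for j, e in enumerate(cs) if j != i]
            total += trigger.rate * math.prod(others)
    return total * HOURS_PER_YEAR


def compare_voting(test_interval_h=2190.0):
    """Example 2: the same trains with and without the 2-of-3 vote on spurious signals."""
    trains = build_trains()
    masking = minimal_cutsets(trains, spurious=False, trains_needed=2)
    spur_vote = minimal_cutsets(trains, spurious=True, trains_needed=2)
    spur_novote = minimal_cutsets(trains, spurious=True, trains_needed=1)
    return {
        "masking_prob": top_event_probability(masking, test_interval_h),
        "spurious_per_year_with_voting": top_event_frequency_per_year(spur_vote, test_interval_h),
        "spurious_per_year_without_voting": top_event_frequency_per_year(spur_novote, test_interval_h),
        "single_event_cutsets_without_voting": sum(1 for cs in spur_novote if len(cs) == 1),
    }


def sweep_test_interval(intervals_h=(500.0, 1000.0, 2000.0, 4000.0, 6000.0)):
    """Example 3: dependability values as a function of the periodic test interval."""
    trains = build_trains()
    masking = minimal_cutsets(trains, spurious=False, trains_needed=2)
    spurious = minimal_cutsets(trains, spurious=True, trains_needed=2)
    return [(T, top_event_probability(masking, T), top_event_frequency_per_year(spurious, T))
            for T in intervals_h]


if __name__ == "__main__":
    for key, value in compare_voting().items():
        print(f"{key}: {value:.3g}")
    for T, p_mask, f_spur in sweep_test_interval():
        print(f"T = {T:5.0f} h   P(masking) = {p_mask:.2e}   f(spurious) = {f_spur:.2e} /year")
```

Running the file prints the two dependability values with and without the vote, and the sweep over T. The top event is evaluated by the rare-event approximation (sum of cutset unavailabilities), which is an upper bound that is accurate while the cutset probabilities are small, the regime of the tables above; the frequency is obtained by letting each event of a cutset be the last to occur while the others are already failed, so removing the vote turns second-order cutsets into first-order ones and the spurious frequency jumps by orders of magnitude while the masking probability is untouched.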

Example 4

In Example 4 the applicability of the FTA method is illustrated with the analysis of different testing cases. In this example the test of the VT computers is analysed. The scheme for testing one VT computer can be seen in Fig. 9. The periodic test is performed on the different system parts shifted in time, so only one subsystem is out of service at a time. During the test phase the prescribed conditions have to be fulfilled, so this special case can also be examined on a probabilistic basis.

Fig. 8: Connection between the dependability values and the testing period (two plots, not reproduced in text: left, probability of masking the ECCS function; right, frequency of spurious ECCS actuation per year; both plotted against the test interval [hour] from 0 to 6000).

The examination of the system under test has to be performed so that the tested component is assumed to be faulty, in accordance with the worst-case principle. The fault-trees for masking the ECCS function with and without testing can be seen in Fig. 10. For masking the ECCS function, one train is calculated with the tested VT computer, since this is the worst case; in this case the technological 1-of-3 connection is altered to a 1-of-2 connection. The fault-trees for spurious ECCS actuation with and without testing can be seen in Fig. 11. As the previous examples showed, the tested VT computers are not critical with respect to this criterion, so the probability values do not change significantly even with this important modification. The probability of masking the ECCS function is 4.69·10^-6 in the basic system and 6.74·10^(?) in the case of actuator testing (the exponent is not legible in the source).

Fig. 9: Scheme for masking the ECCS function with a tested VT computer (block diagram from the sensor side of trains Y, X and W to the actuator side, with one VT computer under testing; not reproduced in text).

For spurious behaviour a different structure has to be considered. In this case it is assumed that the VT computer operates spuriously, so the pair of the tested VT computer in the same train gains greater importance, in accordance with the worst-case situation. Therefore the frequency of spurious operation changes significantly: it is 3.59·10^(?) per year in the basic system and 1.02·10^(?) per year in the case of actuator testing (the exponents are not legible in the source). The minimal cutset events of masking the ECCS function and of spurious ECCS actuation with testing can be seen in Tables 5 and 6.

Fig. 10: Fault-tree for masking the ECCS function without testing (a) and with testing (b) (tree diagram not reproduced; the top event is decomposed into masking of the ECCS function in trains W, X and Y, actuators A and B).

Fig. 11: Fault-tree for spurious ECCS actuation without testing (a) and with testing (b) (tree diagram not reproduced; the top event is decomposed into spurious reactions from trains W, X and Y and their actuators).

Table 5. Minimal cutset events of masking the ECCS function with testing (first twenty cutsets; ECCSBE-AK..S4FUD/FD = output module fails to operate undetected/detected, BEM = input module, VT-YM1/VT-YC1/VT-XM1/VT-XC1 FUD = master (M) or checker (C) processing unit of the VT computer of train Y or X fails undetected; i ≠ j).

| No. | Minimal cutset (two basic events) | Unavailability | Interpretation |
|-----|-----------------------------------|----------------|----------------|
| 1 | ECCSBE-AKB2S4FUD, ECCSBE-AKB3S4FUD | 4.04E-07 | Two output modules fail to operate in different trains, but not in the tested train |
| 2 | ECCSBE-AKB2S4FUD, ECCSBE-AKT3S4FUD | 4.04E-07 | (as above) |
| 3 | ECCSBE-AKB3S4FUD, ECCSBE-AKT2S4FUD | 4.04E-07 | (as above) |
| 4 | ECCSBE-AKT2S4FUD, ECCSBE-AKT3S4FUD | 4.04E-07 | (as above) |
| 5-7 | BEMiA FAILS UNDET, BEMjA FAILS UNDET | 1.53E-07 | Two input modules fail undetected in different trains |
| 8-15 | ECCSBE-AK..S4FUD, VT-YM1/VT-YC1/VT-XM1/VT-XC1 FUD | 1.19E-07 | An output module fails to operate and a master or a checker processing unit fails in the other, but not in the tested train |
| 16-20 | ECCSBE-AK..S4FD, ECCSBE-AK..S4FUD | 1.08E-07 | Two output modules fail to operate in different trains, but not in the tested train; one failure is detected |

Table 6. Minimal cutset events of spurious ECCS actuation with testing (first twenty cutsets; same event notation as in Table 3; i ≠ j).

| No. | Minimal cutset | Unavailability | Interpretation |
|-----|----------------|----------------|----------------|
| 1 | ECCL TEV1 OUT-2 | 1.70E-04 | The output card belonging to the pair of the tested VT fails |
| 2-4 | SZENZOR iA UNDET, SZENZOR jA UNDET | 7.52E-08 | Two sensors generate input signal failures in an undetected way in different trains |
| 5-10 | SZENZOR iA UNDET, TS?A-SVE1 FUD | 5.14E-08 | A sensor generates an input signal failure in an undetected way and a TS computer fails undetected in different trains |
| 11-13 | TS?A-SVE1 FUD, TS?A-SVE1 FUD (different trains) | 3.51E-08 | Two TS computers generate spurious signals in different trains |
| 14-15 | ECCL TEVk OUT, ECCL TEVk OUT-2 | 2.89E-08 | Two output cards generate spurious signals in the same train, but not in the tested train |
| 16-20 | SZENZOR iA UNDET, TS?A-SVE1 FD | 1.94E-08 | A sensor generates an input signal failure in an undetected way and a TS computer fails detected in different trains |

5. CONCLUSION

The paper has demonstrated that probability-based analysis of the system with the FTA method can be an efficient tool for system verification, and that it supplies useful information even for the system designer developing the system. In the illustrated examples not only the methodology has been demonstrated, but some interesting results from the analysis of the RRP of NPP Paks have also been highlighted.

LIST OF ABBREVIATIONS:

ECCS: Emergency core cooling system
EP: Emergency protection
FTA: Fault-tree analysis
TS: Data acquisition and subsystem control unit
NPP: Nuclear power plant
PIE: Postulated initiating event
PSA: Probabilistic safety analysis
PWR: Pressurized water reactor
RPS: Reactor protection system
RRP: Reactor protection refurbishment project
SL: Communication unit of the computer
SLLM: Coupling unit of the communication
VT: Voter unit

ACKNOWLEDGMENTS

The authors are indebted to Mr. Albert Hetzmann, director of NPP Paks, and to Mr. Tamas Turi and Mr. Bela Katies, project leaders of the RRP, for their support and cooperation.

XA9846499

ADOPTION OF DIGITAL SAFETY PROTECTION SYSTEM IN JAPAN

Z. OGISO Institute of Nuclear Safety Nuclear Corporation Japan

Abstract

The application of microprocessor-based digital controllers has spread widely among various industries in recent years. In the nuclear power plant industry their application has also been expanding gradually, starting from non-safety-related systems, taking advantage of their reliability and maintainability over conventional analog devices. Based on a careful study of the feasibility of digital controllers for the safety protection system, the Tokyo Electric Power Company proposed in May 1989 the adoption of digital controllers for the safety protection system in the Application for Permission of Establishment of Kashiwazaki-Kariwa units 6 and 7 (ABWR, 1350 MWe each). MITI, the Ministry of International Trade and Industry, the Japanese regulatory body for electric power generating facilities, approved this application after careful review. This paper describes the series of supporting activities leading to MITI's approval of the digital safety protection system and MITI's licensing activities.

1. Identification of the issues

The digital system consists of hardware and software. The failure modes of the hardware are approximately similar to those of the conventional system, and it can safely be said that the level of risk accompanying the adoption of digital devices can be kept equivalent to or lower than that of analog devices, provided that the same design requirements are imposed on redundancy and channel separation. As for the software installed in the computer system, all output signals of each independent channel are prone to be affected simultaneously by any fault, owing to the common use of the same software in each independent channel. This is the main issue from the regulatory point of view. Therefore it was recognized that appropriate requirements on the computer-based system were necessary in addition to the conventional requirements in such areas as redundancy, independence, separation and testability. Based on this recognition, MITI conducted the following activities:

1) to establish both design and confirmation method to enhance the reliability of digital technology as applicable to the safety and safety-related systems,

2) to issue the design criteria for computer systems important to safety, and

3) to perform the demonstration tests to confirm the system integrity and reliability.

2. Supporting Activities

2.1 Establishment of design criteria

In Japan, the basic principles for licensing of light water nuclear power plants are defined in the "Safety Design Criteria for Light Water Nuclear Power Plants" authorized by the Nuclear Safety Commission. The essential requirements for the safety protection system are described in the Criteria. On the industry side, the Design Guide for a Safety Protection System, JEAG-4604, established corresponding to the Criteria, covers conventional systems but not computer-based safety-related systems. The need for industry to establish a design guide applicable to computer-based safety-related systems was recognized. The task was carried out by the Electrotechnical Standard Survey Committee, which was established by industry and in which officials of MITI were registered as regular participants. The new design guide "JEAG-4609: Application Criteria for Programmable Digital Computer Systems in Safety-Related Systems for Nuclear Power Plants" for the computer-based safety protection system was established by incorporating additional requirements to ensure the reliability of the software installed in computer systems for safety-related systems. Its contents are as follows:

1) Channel redundancy of the safety protection system
2) Inter-channel independence of the safety protection system
3) Separation of the safety protection system from non-safety-grade I&C systems
4) Testability of the safety protection system
5) Tolerance against seismic force and/or environmental conditions
6) Fail-safe design
7) Response time
8) Emergency AC power supply in case of loss of power
9) V&V of software
10) Management of software modification

Requirements 1 to 8 are similar to the conventional requirements for analog systems; the remaining two are newly added requirements solely for the safety-critical software.

2.2 Demonstration test

The demonstration test was conducted by the Nuclear Power Engineering Corporation (NUPEC) under the sponsorship of MITI as one of the Safety Demonstration Test Programs for Japanese Nuclear Power Facilities. The test was carried out to confirm the adequacy of the V&V method stated in JEAG-4609, and it demonstrated that the integrated system of software and hardware worked without any troubles or faults. A steering committee composed of researchers and experts supervised the test. One of the four independent channels was simulated with the software-based devices to be used in the actual plant, while the others were simulated by a simulator arranged for the test purpose.

(1) Software

The software installed in the test system was the same as that to be installed in the safety protection system of K-6/7. Checks and reviews of the software were carried out at each software production stage according to the V&V method stated in JEAG-4609. No trouble or failure occurred throughout the series of tests described below. This result confirmed the adequacy of the V&V method as well as the operational reliability of the produced software.
(2) Integrated system test

The test items for the software-computer integrated system consisted of a characteristics test, a thermal aging test, a noise test, a vibration test and an accident simulation test. The test conditions were determined based on the design requirements for the safety protection system and the environmental conditions expected to be encountered during normal and abnormal plant operation. The noise tolerance tests, in particular, were carried out exhaustively, since the computer system operates at low voltage. Noise sources in nuclear power plants were reviewed and simulated. The simulated noises, such as noise from the power supply system, induced noise, electrostatic noise, radio-wave interference and lightning surge, were applied one by one. The system worked without any trouble or failure even with these noises present. This result not only showed the integrity of the computer system, but also led to the establishment of the noise test method. The seismic test is very important in Japan. The computer system was mounted on a shaking table and a seismic load was applied. The computer system worked correctly both during and after the seismic loading. Through these demonstration tests, MITI could accumulate significant data for the safety review of the computer-based safety protection system.

3. Application

The first nuclear power plants that adopted a digital safety protection system in Japan were K-6/7. The safety review was carried out by MITI for the system proposed by the licensee, and the license was granted on the condition that the regulatory judgment applied here is limited to the proposed system only.

3.1 Safety review

The hardware of the digital safety protection system is designed and manufactured in a similar manner to the conventional analog system. Therefore the quality and reliability of the hardware were certified in a similar manner to the analog system. As for the software, the language used in the system is a symbolic language, POL (Problem Oriented Language). The review was carried out from the viewpoint of the compatibility of the V&V method with software written in POL. The characteristics of software written in POL are as follows:
- the program is written using comparatively few kinds of logic elements;
- the program is executed in one direction with cyclic execution, without interrupt-driven execution, thus minimizing the intrusion of errors.
Since the structure of software written in POL is simple, the program is easily readable and clear when reviewed by a third person. This makes it easy both to verify the program and to confirm its validity after system integration. MITI approved the proposed digital safety protection system based on the inherent characteristics of POL, considering the fact that the manufacturer had established the quality assurance technology for producing software in POL, based on its accumulated experience with software for non-safety-related systems. This means that the most important factor in securing the reliability of software is that the licensee establishes an appropriate quality assurance program and puts it into practice when producing the software. Consequently it was recognized that the quality assurance plan, as well as the design details, should be a review item in MITI's review process of the Construction Plan.

3.2 Inspection

MITI performs pre-use inspections of systems and components to confirm the necessary function and capability, based on the licensee's self-imposed tests. The same practice was applied to the inspection of the digital safety protection system. The primary responsibility lies with the licensee to check and review the system during its production according to the V&V procedure. MITI inspects the essential functions of the system after the licensee has completed and installed it. MITI planned to audit the results of the V&V performed by the licensee in case the system failed as a result of a software error, but there were no system faults and the associated audit was not performed.

4. Conclusion and future plan

MITI acknowledged the importance of establishing a QA system for producing and for V&V of the software among licensees and manufacturers in order to secure the reliability of the software. It should be stressed that the software should be constructed so that it is easily readable by a third person.

XA9846500

METHODOLOGY OF FORMAL SOFTWARE EVALUATION

JAN TUSZYNSKI, Sydkraft Konsult AB, Malmo, Sweden

Abstract

Sydkraft AB, the major Swedish utility, owner of about 6000 MWe installed in nuclear (NPP Barseback and NPP Oskarshamn) and hydro power plants, is facing modernisation of the control systems of its plants. The applicable standards require structured, formal methods for the implementation of control functions in modern real-time software systems. This presentation introduces the implementation methodology as presently discussed in the Sydkraft organisation. The suggested approach is based on the co-operation of three parties taking part in the implementation: the owner of the plant, the vendor and the Quality Assurance (QA) organisation. QA will be based on tools for formal software validation and on the systematic gathering by the owner of validated and proved-by-operation control modules for concern-wide utilisation.

1. Software project organisation

1.1. General

QA of real-time systems has two main approaches available:
• vendor evaluation
• product evaluation

QA through vendor evaluation is presently the most favoured approach. The assumption that "a good vendor will guarantee the right quality..." is comfortable for both plant owners and vendors. The vendor's assurance of "...full turn-key, functional responsibility based on our standard products..." sounds nice to the owner, as it simplifies his organisation for both purchase and implementation. The problems show up first when guarantees are concerned: no vendor is willing to cover the dominating cost of control system modernisation, the cost of plant stand-still. The method recommended here accordingly includes direct product evaluation by application of formal tools for verification and validation (V&V). Application of formal tools nevertheless places special demands on the owner's and the vendor's organisations. That is generally valid for any tool that has meaning only in the context of a work pattern.

1.2. Standards and recommendations

The power industry, and especially the nuclear industry, is bound to follow standards and recommendations. The methodology described in this paper is based on:
• IEC880: Software for computers important to safety for NPP, including recent updates as the Supplement to IEC880 and draft IEC880-1.
• The Swedish recommendations corresponding to IEC880: KSU-TBE106: Programmable control systems. Software.

Other standards give recommendations for general industrial systems, rules of classification, etc.:
• IEC1508 (draft): Functional safety of electrical/electronic/programmable electronic safety-related systems
• IEC SC65A WG9: Software for computers in the application of industrial safety-related systems
• IEC 1226: NPP - Instrumentation and control systems important for safety. Classification
• IEEE 308 (384, 379): Standard Criteria for Class 1E Power Systems for Nuclear Power Generating Stations
• DIN V 19250: Grundlegende Sicherheitsbetrachtungen für MSR-Schutzeinrichtungen (Fundamental safety considerations for measurement and control protective equipment)

Chapter 2 of draft IEC880-1 recommends formal methods for software procurement, meant here as a "methodical framework"(1) consisting of methods for formal specification, formal verification of specifications and formal software development. The same norm requires proof obligations defined in mathematical terms. A formal proof is then defined as a mathematical proof of the fulfilment of the proof obligations. Formal proof is practically possible only if special tools are available.

1.3. "Third party": external QA organisation

Procurement of control systems is normally done through tendering, in which the owner selects the vendor(2). Both parties have the same implementation aim but different interests. All differences are supposed to be regulated in the contract, which strictly defines the division of responsibilities. The contract includes demands on quality assurance and thus a request for a third party to be involved: the QA organisation. The QA organisation can be internal or external. Internal QA, inside the owner's or the vendor's organisation, concerns mainly verification, i.e. checking that the tasks performed comply with the demands of earlier stages of the project. External QA stands between the owner and the vendor and concerns mainly validation, i.e. checking the compliance between the demand (specification) and the final result. This study concerns mainly an external QA organisation, which shall be independent of the vendor and to some degree of the owner(3). The external QA organisation will be the main user of the formal tools for validation of real-time systems.

Footnote 1: "Formal" means here: conceptually right, according to fixed rules.
Footnote 2: Selecting the vendor is usually a complicated process, concerning naturally the economy but to a great degree also the evaluation of the vendor's capability to deliver a real-time system of the required quality. The vendor's evaluation can be done according to ISO 9000 or, still better, by application of various software procurement models, e.g. the Capability Maturity Model (CMM).
Footnote 3: Independence is defined by the contract or by valid standards and often means participation of the authorities.

2. The process of software procurement

Procurement of SW shall be done in well defined stages (footnote 4), mainly the following:
• (FA): Functional Analysis. Crucial activity defining, according to the requirements of the controlled process, the functions of the real-time system.
• (FS): Function Specification. Functions as identified by FA are here described formally and unambiguously.
• (DP): Design and Programming.
• (Int): Integration of software and hardware into the common, final product.
• (Ver): Verification, actually not a stage but a QA process in which the particular project stages are checked and accepted.
• (Val): Validation, tests of conformance between FS and the functions delivered.

2.1. Types of software

Two groups of SW products are concerned:
1. Operating system; principally an integrated part of the vendor's system.
2. Application functions; executing the actual, process dependent functions required of the control system.
The QA methodology discussed here concerns mainly application functions. The operating system will be treated generally in the same way as hardware, i.e. as a program environment for applications provided by the vendor. It means that all formal tests of applications must be done in the vendor's target environment of the real-time system. Exclusion of the operating system from formal testing does not exclude that system from the particular interest of the owner: the operating system is presently the main CCF (footnote 5) factor of redundant links of control systems.

2.2. Modularity

QA shall be based on modularity. Division in modules (Design and Programming) shall be formalised according to the following:
1. Structuring and modularisation of the software according to the Function Specification, most often on the object control level, gets a fixed, "standardised" form of "type-circuits" (figure 1). The control functions on group and block level will normally be based on "type-tools" (e.g. for sequence control) (footnote 6).
2. Modules shall be classified according to the required safety and availability (figure 2).
3. Class and function shall be described formally in the specification of module requirements.
4. Modules shall be procured according to well established project routines, concluded by module validation (certification).
5. Modules, when ready and certified, shall be placed in software libraries.

Footnote 4: Main condition for any verification.
Footnote 5: Common Cause Failure; existence of a common function in separated links of the system which, in case of failure, can stop the functioning of all links.
Footnote 6: Division in object, group and block levels corresponds to the traditional control system structure as applied presently for Swedish power plants.

[Figure 1: Components of the complete type-circuit. Recoverable panel labels: operator station, process control station, local panel, MMC handler, calculations, interface with function, 24 V on/off.]

2.3. Quality through re-application. Software libraries.

The basis for the proposed QA system is re-application of the software modules. Quality can be achieved through systematic product improvement, through experience gathering and continuous reduction of systematic errors in the specifications and software. This policy is clearly defensive, since it assumes errors in all new software.

The main conclusion of that assumption is that new software shall not be allowed in the highest class of the control modules, i.e. safety systems. The problem can be solved by initial application of modules to the lower classes only. Gradual advancement to higher classes will be allowed in parallel with operating experience.

[Figure 2: Modularity through division in classes]

QA through re-application requires a software library (figure 3) as a base for all software procurement. The following will be required for the library:
• fixed routines for module documentation, validation, storage, retrieval, update and revision
• library structure, e.g. according to module applications and classes
• means for creating library subsets suiting various power plants, organisations, etc.
• special attention shall be given to validation of library modules. The modules shall be certified for storage in the library through validation based on formal methods.
• the rules for module handling shall be adapted to the class of modules.
• responsibility for validation, maintenance, update, etc. of each library subset shall be well defined.

[Figure 3: Software implementation through project library. Recoverable labels: structuring, classification, division in modules; QA task 1: test and certification of library modules (all modules from the library tested and certified); QA task 2: supervision of modules used for applications (only library modules acceptable).]

Management of the library shall be facilitated by a special software maintenance system. The system shall allow configuration of the project specific library. The project library shall gather all the structures, tools and modules identified during structuring and modularisation of the software. The identified elements can subsequently be taken from the owner's and/or the vendor's libraries. In case suitable elements are not available, new elements must be developed. Inclusion of all modules into the project library shall follow the owner's rules for library handling. The project library will become the basic element of the project bound QA.

One of the main advantages of formally organised libraries will be the possibility to trace the development process of any module purchased or developed for the actual application.

3. Verification of Specification

External QA consists mainly of validation of the final software product. As validation compares the product with the product specification, it must be assumed that the specifications are correct. Verification of specifications accordingly becomes crucial for software correctness. Verification methods usually start from recognition of potential errors in specifications, e.g.:
• principal function errors caused by misunderstanding of the controlled process, errors in that process, etc.
• erroneous object assignment
• errors in syntax and semantics
• errors of consistency
De-bugging of errors of assignment, syntax, semantics and consistency can be handled by formal specification languages and corresponding verification tools. The problem of principal function errors is normally approached through the functional analysis (FA). FA, carried out by the owner (process supplier), is based upon fixed rules and criteria applicable to the controlled process, and on a deep knowledge of that process. There is a number of well established FA methods, the majority based on some form of failure / event tree. The method used widely in the nuclear industry is PSA (footnote 7), dealing with event trees initiated by the probable accident events. FA will be documented in functional circuit diagrams, in several levels of detail, starting with overviews and "zooming" down to the formal language function specifications of the modules and structures employed (footnote 8).

4. Final product validation

4.1. General

Validation means final product acceptance, or formal proof as defined by IEC 880, licensing the product for inclusion in the software library. Validation will be performed by the QA organisation during the design and programming period, with the final module acceptance during FAT (footnote 9). Validation can be performed through:
• direct check-up according to a test programme
• check-up by comparison
Both methods require special tools. Validation will be applied both to specific modules of the library and to groups of modules interconnected to perform a specified application function. Test objects for all validations named here are the vendor's real-time target systems.

Footnote 7: Probabilistic Safety Analysis.
Footnote 8: Various methods of FA are well described in the literature, e.g. ref. [8].
Footnote 9: Factory Acceptance Tests.

[Figure 4: Validation through test programme. Recoverable labels: owner, vendor; problem: the tests prescribed are normally not feasible.]

4.2. Validation through test programme

Validation through a test programme (figure 4) assumes that such a programme is feasible and can be run in a limited time period. That assumption can be realised for simple modules only. Validation of this kind will require:
• complete test programmes defining test input data values and sequences and the expected test results. Test programmes must be generated automatically from the functional specifications.
• a test environment including a test data generator and a test object response analyser. All criteria for product acceptance must be included in the response analyser.

4.3. Validation by comparison

Validation by comparison is based on procurement of an alternative to the target program produced by the vendor (figure 5). Validation of this kind will require:
• a "pattern program" (footnote 10) generated automatically from the formal functional specification.
• a complete test environment including a test data generator and a comparator of responses.
Validation will here be realised by parallel input of identical test data into the pattern and the target. All response deviations must be reported by the comparator and subsequently analysed. The main advantages of this method are the simplified selection of test data (through e.g. a statistical approach) and the direct representation of the actual specification through its pattern.

Footnote 10: VTT Finland (P. Haapanen et al.) uses here the term "test oracle" [7].

[Figure 5: Validation through comparison. Recoverable labels: owner, vendor; test data, test object, results, comparator.]
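As an added illustration of validation by comparison (Section 4.3; this is not the paper's own tool), the following Python sketch pairs a pattern program transcribed from a constructed formal specification of a limit monitor with hysteresis against a hypothetical target program carrying a deliberate deviation, feeds identical, statistically selected test data to both, and lets the comparator report every response deviation. The module, the defect and the random-walk test data generator are all constructed for this example.

```python
"""Validation by comparison (pattern program as test oracle) for one software
module.  Constructed example, not from the paper: the module under validation
is a limit monitor with hysteresis; the pattern program is a literal
transcription of the specification, the target program is a hypothetical
vendor implementation with a deliberate off-by-one deviation at the reset
threshold."""
import random
from dataclasses import dataclass


@dataclass
class LimitSpec:
    """Formal specification: alarm set when x > high, reset when x < low."""
    high: float
    low: float


class PatternLimitMonitor:
    """Pattern program: generated from the specification, nothing else."""
    def __init__(self, spec):
        self.spec, self.alarm = spec, False

    def step(self, x):
        if x > self.spec.high:
            self.alarm = True
        elif x < self.spec.low:
            self.alarm = False
        return self.alarm


class TargetLimitMonitor:
    """Target program (hypothetical vendor side): resets already at x == low."""
    def __init__(self, spec):
        self.spec, self.alarm = spec, False

    def step(self, x):
        if x > self.spec.high:
            self.alarm = True
        elif x <= self.spec.low:   # deviation from the specification
            self.alarm = False
        return self.alarm


def generate_test_data(n, seed, lo=0.0, hi=100.0, step=5.0):
    """Statistical test data selection: a seeded random walk over the input
    range, rounded to integers so that boundary values are actually reached."""
    rng = random.Random(seed)
    x, data = (lo + hi) / 2, []
    for _ in range(n):
        x = min(hi, max(lo, x + rng.uniform(-step, step)))
        data.append(round(x))
    return data


def compare(spec, data):
    """Comparator: identical data into pattern and target, report every
    deviation as (sample index, input, pattern response, target response)."""
    pattern, target = PatternLimitMonitor(spec), TargetLimitMonitor(spec)
    deviations = []
    for k, x in enumerate(data):
        p, t = pattern.step(x), target.step(x)
        if p != t:
            deviations.append((k, x, p, t))
    return deviations


def validate(spec, n=2000, seed=1):
    """One validation run; the first deviation is what the analyst looks at."""
    devs = compare(spec, generate_test_data(n, seed))
    return {"tests": n, "deviations": len(devs),
            "first": devs[0] if devs else None}
```

A directed sequence such as 30, 55, 70, 45, 40, 41, 39 with high = 60 and low = 40 exposes the deviation at the sample where x equals the reset threshold.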

REFERENCES
[1] A. Diller, "An Introduction to Formal Methods", J. Wiley and Sons, Inc., NY, 1990.
[2] Meng Ouyang, Michael W. Golay (MIT), Michael S. Novak (ABB Combustion), "An Integrated Formal Approach for Developing High Quality Software for Safety-Critical Systems", Report No. MIT-ANP-TR-035.
[3] Yabo Wang, "Formal and Abstract Software Module Specifications - A Survey", Tech. Report 91-307, ISSN 0836-0227, Queen's University, Ontario, Canada, 1991.
[4] J.S. Baxter et al. (Atomic Energy of Canada, Ltd) and H.B. Kim et al. (Korean Atomic Energy Research Institute), "Validation and Reliability Testing of Safety-Critical Software for Wolsong NPP Units 2, 3 and 4".
[5] G.P. Paulson et al. (Westinghouse), K. Drury et al. (Nuclear Electric Ltd), "The Use of an Integrated Test Environment in the Design and Verification of Digital Closed Loop Automatic Control Systems for the Sizewell B PWR", paper at the 1996 ANSI Meeting, Proceedings NPIC & HMIT '96.
[6] Werner Bastl, Dieter Wach (Institute for Safety Technology (ISTec) GmbH), "Qualification of an Advanced Digital Safety System", paper at the 1996 ANSI Meeting, Proceedings NPIC & HMIT '96.
[7] Pentti Haapanen et al. (Technical Research Centre of Finland, VTT), "Validation of Programmable Automation Systems for Safety Critical Applications", International Workshop on Licensing Issues ...., March 1996, GRS/ISTec, Munich.
[8] F.J. Redmill, "Dependability of Critical Computer Systems, Guidelines", The European Workshop on Industrial Computer Systems Technical Committee 7 (EWICS TC7), parts 1, 2 and 3, 1988.
[9] National Research Council, "Digital Instrumentation and Control Systems in Nuclear Power Plants. Safety and Reliability Issues", procured on request of USNRC, National Academy Press, 1997.

XA9846501

A SAFETY RELATED CONTROL SYSTEM FOR NPPs

G.H. SCHILDT
Vienna University of Technology, Institute for Automation, Vienna, Austria

Abstract

After an introduction into safety terms, a short description of diverse system design is given. The diversity principle is analyzed critically, especially with respect to non-planable waiting times, the necessary grade of diversification and real-time behaviour. A conventional PID-controller is presented running in parallel with a modern fuzzy controller. The fuzzy controller in particular offers a great challenge because of its inherently diverse design approach. Up to now there is deeper know-how available for V&V procedures for conventional as well as fuzzy controllers. An example of such a system design is presented together with V&V aspects.

1. INTRODUCTION

In the field of NPPs safety critical devices and control systems are used. In the past, safety proofs were often done by considering the reaction of a certain device in case of any failure. Thus, "failure mode, effects and criticality analysis (FMECA)" was applied /1/.

At first, some terms of safety technique shall be introduced:

• safety critical system: control system causing no hazard to people or material in case of environmental influence or system failure.
• safety: property of an item to cause no hazard under given conditions during a given time; i.e. avoidance of undue fail conditions (e.g. undue fail conditions may be caused by technical system failures or malfunction of an electronic device interfered with by electromagnetic noise).
• hazard: state of a system that cannot be controlled by given means and may lead to damage to persons or materials.
• safe system state: property of a system state to cause no hazard to people or material.
• fail-safe: technical failures within an item may lead to fail states (fail), which however have to be safe (safe).

One has to distinguish, according to plant equipment, between items important to safety and items that are not important to safety (Figure 1).

[Figure 1: Items important or not important to safety. Plant equipment is divided into items important to safety and items not important to safety. Items important to safety comprise:
- those structures, systems and components whose malfunction or failure could lead to undue exposure of the site personnel or members of the public; this includes successive barriers set up against the release of radioactivity from nuclear facilities;
- those structures, systems and components which prevent anticipated operational occurrences from leading to accident conditions;
- those features which are provided to mitigate the consequences of malfunction or failure of structures, systems or components.]

Figure 2 shows the relationship between items important to safety and safety systems.

[Figure 2: Safety Related Systems vs. Safety Systems. Recoverable content: components; systems important to safety, divided into safety related systems and safety systems; safety systems are those systems important to safety which are provided to assure, in any condition, the safe shut-down of the reactor and the heat removal from the core and/or to limit the consequences of anticipated operational occurrences and accident conditions; they comprise protection systems, safety actuation systems and safety system support features.]

Figure 3 shows a single-channel fail-safe control system. Additionally, a state graph demonstrates that if any safety critical failure/malfunction occurs, the system state changes over to a so-called safe system state. The control system stays in that safe system state with a transition probability of p22 = 1. Thus, the control system can only come back into the normal operational state by certain maintenance.

[Figure 3: One-channel fail-safe control system. Recoverable content: control system (intrinsically fail-safe) with input telegram (measured values) and output telegram (command telegram); state graph with normal system state 1, fail-safe state 2, transition p12 triggered by failure events tF1, tF2, and p22 = 1.]

Because up to now no fail-safe one-channel computer is available, one has to choose a configuration of at least two computers running in parallel. In this system configuration the results of both channels are fed to a fail-safe comparator, whose output enables a safe gate in case of equivalent results, represented by corresponding command telegrams to be fed to the technical process (Figure 4).

[Figure 4: Double-channel control system with fail-safe comparator. Recoverable content: computer #1 and computer #2 receive data from the technical process; a fail-safe comparator drives the safe gate towards the technical process; state graph with normal system state 1, dangerous fail state 2, safe turn-off state 0, transition p12 (turn off), failure events tF1, tF2.]

2. DIVERSITY

Up to now there exist many diverse realizations in the field of NPPs. Because a combined hard- and software system will never be error-free, a possible design approach is to diversify such a control system. Basically, diversity may be defined as follows /2/:

"Existence of different means performing a required function"

(e.g.: different physical principles, different approaches to solve the same task, different algorithms, etc.)

Moreover, diversity can be specified further: especially for diverse real-time applications one can distinguish between a soft mode and a hard mode of diverse system design.

[Figure 5: Different kinds of diversity. Diversity for real-time systems is divided into soft mode (fail-safe control system with a safe system state, e.g. a control system in NPPs) and hard mode (e.g. distributed voting; fail-safe operational system without any safe system state, under dependability aspects, e.g. an airforce control system).]

Thus, if a one-channel control system cannot be proved by a safety proof directly, one has to use the chance of diverse system design. In the case of vital software one has to recognize that software will never be error-free. Thus, there are several kinds of diversification of software, like:

... different algorithms
... different program languages
... different compilers
... different operating systems, etc.

The principle of diverse system design can be found in many safety critical applications. Nevertheless, some fundamental disadvantages of diverse system design still exist:

a. Proof of sufficient diversification grade

A typical problem with diverse system design is to prove that the measure of the diversification grade within an n-version system is sufficient. Thus, a possible approach to design a safety relevant controller is to find such independent implementations that everyone will testify at once to sufficient diversification because of the reasonably different approaches.

b. Non-planable waiting times

In case of different approaches or algorithms one has to accept possibly non-planable waiting times, because the corresponding results have to be compared.

c. Highly sophisticated fail-safe comparator

Because of rounding or succession effects of results like real numbers, a highly sophisticated fail-safe comparator will be needed, comprising a tolerance zone management.

3. SYSTEM CONFIGURATION

Taking these problems of diverse system design into consideration, one can apply a conventional PID-controller in one channel and a fuzzy controller in the other (Figure 6).

[Figure 6: Diverse controller architecture. Recoverable content: the input is fed to a conventional PID-controller (hardware) and to a fuzzy controller (software); both results go to a fail-safe comparator which controls the safe gate producing the output.]

Basically, a controller cooperating with a technical process can be described by Figure 7.

[Figure 7: Control loop. Recoverable content: controller and technical process in a loop; reference input w(t), error e(t), controller output u(t), interference z(t), control signal y(t) fed back to the summing point.]

Legend:
w(t) = reference input signal
e(t) = w(t) - y(t) = error
de(t)/dt = deviation of error
u(t) = controller output signal (e.g. command telegram)
z(t) = interference to technical process
y(t) = control signal

Operation of the conventional PID-controller can be described as

$$u(t) = K_P \cdot e(t) + K_I \cdot \int e(t)\,dt + K_D \cdot \frac{de(t)}{dt}$$

This differential equation has to be solved in order to generate a new actual value of u(t).
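The following Python model is an added example (not from the paper) that puts together the PID law above, discretised with a sampling time T, and the fail-safe comparator with tolerance zone management demanded in Section 2.c. Channel 1 solves the PID equation in position form; channel 2 is a diverse implementation of the same law in velocity (incremental) form, so the two results agree only up to rounding, which is exactly what the tolerance zone must absorb. The gains, the error sequence and the injected channel failure are constructed for this example.

```python
"""Double-channel controller with fail-safe comparator and tolerance zone.
Added example, not from the paper.  Channel 1: PID in position form
(u = KP*e + KI*int e dt + KD*de/dt, discretised with sampling time T).
Channel 2: the same law in velocity form (accumulated increments), i.e. a
diverse algorithm whose result differs from channel 1 only by rounding."""
from dataclasses import dataclass

NORMAL, SAFE = 1, 2   # states of the graph in Figure 3/4; SAFE is absorbing (p22 = 1)


@dataclass
class PIDGains:
    KP: float
    KI: float
    KD: float
    T: float          # sampling time


class PositionPID:
    """Channel 1: u_k = KP*e_k + KI*T*sum(e) + KD*(e_k - e_{k-1})/T."""
    def __init__(self, g):
        self.g, self.integral, self.e_prev = g, 0.0, 0.0

    def step(self, e):
        g = self.g
        self.integral += e * g.T                       # rectangular integration
        u = g.KP * e + g.KI * self.integral + g.KD * (e - self.e_prev) / g.T
        self.e_prev = e
        return u


class VelocityPID:
    """Channel 2 (diverse algorithm): accumulates the increment
    du_k = KP*(e_k - e_{k-1}) + KI*T*e_k + KD*(e_k - 2e_{k-1} + e_{k-2})/T."""
    def __init__(self, g):
        self.g, self.u, self.e1, self.e2 = g, 0.0, 0.0, 0.0

    def step(self, e):
        g = self.g
        du = g.KP * (e - self.e1) + g.KI * g.T * e + g.KD * (e - 2 * self.e1 + self.e2) / g.T
        self.u += du
        self.e2, self.e1 = self.e1, e
        return self.u


class FailSafeComparator:
    """Tolerance zone management: results are equivalent when they differ by
    no more than tol_abs + tol_rel * max(|u1|, |u2|).  Any other outcome
    latches the SAFE state, which only maintenance may leave."""
    def __init__(self, tol_abs, tol_rel):
        self.tol_abs, self.tol_rel, self.state = tol_abs, tol_rel, NORMAL

    def within_tolerance(self, u1, u2):
        return abs(u1 - u2) <= self.tol_abs + self.tol_rel * max(abs(u1), abs(u2))

    def step(self, u1, u2):
        """Returns (state, gate output); the output is None while the safe gate is closed."""
        if self.state == SAFE:
            return SAFE, None                          # absorbing state
        if self.within_tolerance(u1, u2):
            return NORMAL, u1
        self.state = SAFE
        return SAFE, None


def run_diverse_controller(gains, errors, tol_abs=1e-9, tol_rel=1e-9, fault_at=None):
    """Feeds an error sequence e(t) through both channels and the comparator.
    fault_at (constructed failure) corrupts channel 2 from that sample on and
    shows the transition into the safe state."""
    ch1, ch2 = PositionPID(gains), VelocityPID(gains)
    comparator = FailSafeComparator(tol_abs, tol_rel)
    trace = []
    for k, e in enumerate(errors):
        u1, u2 = ch1.step(e), ch2.step(e)
        if fault_at is not None and k >= fault_at:
            u2 += 1.0                                  # injected channel 2 failure
        state, out = comparator.step(u1, u2)
        trace.append((k, state, out))
    return trace
```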

In the second channel a fuzzy controller is installed. Figure 8 shows a block diagram of such a fuzzy controller comprising a condition interface transforming error value e(t) to fuzzy equivalents, inference engine cooperating with a rule base, and an action interface transforming fuzzy results to crisp values of controller output signal.

[Figure 8: Block diagram of a fuzzy controller. Recoverable content: the fuzzy controller consists of a condition interface, an inference machine cooperating with a rule base, and an action interface delivering u(t); measurement recording from the technical process feeds back into the condition interface.]

The rule base contains a set of rules R_1, R_2, ..., R_n. These rules form the expert knowledge of how to control the technical process properly and can be described as follows:

premise P_k: condition AND condition OR condition ...
THEN action (conclusion)

Necessary adaptation of the fuzzy controller towards the technical process may be done by modifying the contents of the rule base, the strategy of the inference engine, or the fuzzification and defuzzification process. Additionally, there is a real good chance for tuning the real-time behaviour of the controller by modification of the membership functions. Due to a well-defined decision strategy of the inference engine, conclusions as fuzzy results can be derived easily.

4. V&V ASPECTS

The presented configuration follows diverse system design, because one channel can be implemented in hardware (conventional PID-controller) and the other channel in software (fuzzy controller). Furthermore, both algorithms for process control are totally different from each other. In case of diverse system design a necessary safety proof does not comprise the evaluation of each channel but the functionality as a whole. For this configuration it can be shown that the grade of diversification is sufficient.

5. CONCLUSIONS

After an introduction into safety terms and the diversity principle, a new system configuration consisting of a conventional PID-controller (hardware) and a fuzzy controller (software) was presented. If one succeeds in managing typical problems like unplanable waiting times or a comparator with tolerance zone management function, it can be shown that the grade of diversification within this double channelled control system is sufficient.

6. REFERENCES

/1/ G.H. Schildt, "A Double-Channelled Safety Critical Process Visualization", IAEA Specialists' Meeting, Moscow, 1993
/2/ G.H. Schildt, "On Diverse Programming for Vital Systems", IFAC Proceedings on Safety of Computer Control Systems, 1989
/3/ J. Kahlert, H. Frank, "Fuzzy-Logik und Fuzzy-Control", Vieweg & Sohn VerlagsgesmbH, Braunschweig/Wiesbaden, 1994

METHODOLOGY AND TOOLS FOR INDEPENDENT VERIFICATION AND VALIDATION OF COMPUTERIZED I&C SYSTEMS IMPORTANT TO SAFETY

A. LINDNER, H. MIEDL
XA9846502
Institut für Sicherheitstechnologie (ISTec) GmbH, Garching bei München, Germany

Abstract

Modular software based I&C systems are state-of-the-art in industrial automation. For I&C systems important to safety in nuclear power plants, software based systems are also more and more applied. According to existing national and international guidelines and standards, the assessment of these systems calls for appropriate test methods and tools. By use of tools the quality of the assessment process should be improved and the expense limited. The paper outlines the structure of the independent verification and validation (V&V) process of the Teleperm XS system and the lessons learnt from this process. Furthermore, the tools used for V&V of the Teleperm XS software are discussed. The recently developed tool VALIDATOR, dedicated to V&V of the plant specific I&C functions, is described in more detail. We consider V&V of the basic software components and the system software to be required only once, but the C source codes of the plant specific functional diagrams have to be checked for each application separately. The VALIDATOR is designed to perform this task. It gives evidence of compliance of the automatically generated C source codes with the graphical design of the functional diagrams in reasonable time and with acceptable costs. The working method, performance and results of the VALIDATOR are shown by means of an actual example.

1 INTRODUCTION

Modern software based I&C systems are state-of-the-art in industrial automation. For I&C systems important to safety in nuclear power plants, software based systems are also more and more applied, e.g. PPS at Sizewell B, SPIN at N4 reactors (e.g. Chooz), Westinghouse System in Temelin NPP, Teleperm XS of Siemens/KWU, etc. The Teleperm XS system is characterized by a modular design in hardware and software. This offers the opportunity to extend the well established hardware type test approach to the software. The assessment of these systems, according to existing national and international guidelines and standards, is time consuming and expensive, as reported e.g. for Sizewell B [5].

The type test approach which was used for the Teleperm XS system contributes to the effectiveness of the assessment process. This approach can be effectively supported by computer tools. In addition appropriate tools enhance the quality of the assessment process.

The Teleperm XS system consists of a set of hardware and software components. By means of these components it is possible to design I&C systems for several purposes and especially for different technological systems. For the design of complete I&C systems the CASE tool SPACE is used. With SPACE the hardware and software configuration of the I&C system is described [6].

[Figure 1: Design process using SPACE. Recoverable stages: system requirements, system specification, code generation and validation; software and hardware branches.]

The hardware itself does not perform I&C functions; the I&C functions are implemented on it in the form of functional diagrams and functional diagram groups, respectively. Given the type test of the components, it is not necessary to analyze the software at component level. The assessment of these assembled systems should focus on the evaluation of the functional diagrams and functional diagram groups.

2 INDEPENDENT VERIFICATION AND VALIDATION OF COMPUTERIZED I&C SYSTEMS IMPORTANT TO SAFETY

To assure an appropriate safety level of the Teleperm XS system, an independent V&V process was performed by GRS/ISTec and TUEV Nord. The basis of this process was the conceptual assessment of the system in 1992 [2]. It comprises the system architecture, the functional system features, and the design principles of the system. Based on this concept, software and hardware components of the Teleperm XS system were designed by Siemens/KWU and evaluated componentwise. For this purpose the well established type test approach for (conventional) hardware has been extended to software components [1, 2, 3].

[Figure 2: V&V process for the Teleperm XS system. Recoverable layers, bottom up: conceptual assessment; type tests of component 1, component 2, ..., component n; plant independent system test; plant specific tests.]

Additionally a plant independent system test was carried out and evaluated to demonstrate
• proper integration of hardware and software components
• deterministic system behavior
  - timing
  - deterministic and interference-free communication
• usability of the software
  - operational system
  - selftest
  - operational modes of the real time environment
  - correct calculation of representative functional diagrams
• failure behavior and fault tolerance
  - failure recognition and failure indication
  - failure propagation barriers
  - behavior during test, maintenance, and diagnosis.

The result of all the plant independent tests and assessments is a set of hardware and software components for designing I&C systems which are suitable for safety systems. The necessary plant specific tests and evaluations need not evaluate all the components once more but should show the correct combination of the components to perform the plant specific functions.

3 TOOLS TO ASSIST THE VERIFICATION AND VALIDATION PROCESS

In the course of the independent assessment of the Teleperm XS software, several tools were used. Nevertheless, using tools does not replace expert knowledge. A fully automated V&V process is not the target. But the tools provide important information about the software to be analyzed.

For the type test of Teleperm XS software modules the LDRA Testbed (C version) was used by GRS/ISTec [9]. This is a tool for static and dynamic analysis of C programs on the source code level. For Teleperm XS the static analyzer was applied to focus the manual review. Fig. 3 and 4 show outputs of this tool.

[Figure 3: Analysis result: Kiviat diagram of the software module s_bwd.c. The metrics plotted, each with its lower bound (Lwb), upper bound (Upb) and measured value (Val), are listed below.]

Label  Metric                                               Lwb     Upb      Val
A      Average Number of Essential Knots in a procedure     0.00    2.00     1.50
B      Total Number of Essential Knots in Program (c)       0       12       9
C      Average Essential McCabes Measure in a procedure     1.00    3.00     2.17
D      Total Essential McCabes Measure in Program (c)       1       13       8
E      Average Number of Knots in a procedure               0.00    5.00     6.33
F      Total Number of Knots in Program (c)                 0       30       38
G      Average McCabes Measure in a procedure               1.00    100.00   9.33
H      Total McCabes Measure in Program                     1       500      51
I      Average Maximum Interval Nesting in a procedure      1.00    3.00     1.33
J      Total Maximum Interval Nesting in Program            1       4        2
K      Average number of Order 1 Intervals in a procedure   1.00    5.00     2.50
L      Number of Order 1 Intervals in program               6       30       15
M      Average number of Basic Blocks in a procedure        1.00    100.00   23.50
N      Number of Basic Blocks in program                    1       500      141
O      Average number of Lines of Code in a procedure       1.00    500.00   99.67
P      Number of Lines of Code in program (c)               6       3000     598
Q      Number of Procedures in Program                      1       200      6
R      Number of Static Penalties in Program                0       10       23

Fig. 3 shows a Kiviat diagram of a software module. Depending on the thresholds, which can be set as parameters of the analysis tool, it gives an overview of threshold violations and therefore hints for detecting weak program parts.

In Fig. 4 a flowgraph of a typical Teleperm XS procedure is shown. Mostly, procedures in Teleperm XS are much simpler. Of course, the analysis tool is also suitable for more complex procedures than the one in the example given. The depicted flowgraph shows, for example, that the procedure is well structured.

[Figure 4: Analysis result: static flowgraph of a procedure (static flowgraph of procedure SZ.CheckBUDNMI).]

4 THE VALIDATOR - A TOOL FOR PLANT SPECIFIC VERIFICATION AND VALIDATION OF TELEPERM XS SYSTEMS

4.1 Principles, Structure, and Performance of the VALIDATOR

The role of the VALIDATOR is quite different from the above described common tool LDRA Testbed. It is a special tool to validate automatically generated functional diagrams and functional diagram groups [7, 8].

The basic principle is the analysis of the generated normed (standardized) source code, independent from the code generator. This is done by reverse transformation of the normed source code to reconstruct the inherent operation of the underlying safety function in a form suitable to prove the functional equivalence with its specification. This means extracting from each functional diagram
• the function blocks,
• their calling sequence, and
• their parameters (e.g. input/output signals, ranges, ...), which describe the connections within the functional diagram, i.e. connections between function blocks and/or connections from or to other functional diagrams.

This information is then compared with the database tables (footnote 1) containing the specification of the functional diagram. If there are any discrepancies between the source code and the specification, they are analyzed and recorded. Fig. 5 shows the function of the VALIDATOR in the V&V process. Besides failures of the code generator, the VALIDATOR will also find some human errors which may be made during the I&C design process.

The possible differences between the C source code and the SPACE database entries are configured in error classes. The number of error classes for functional diagrams and functional diagram groups is shown in Table I.

TABLE I. Number of error classes

                            number of error classes
functional diagrams         101
functional diagram groups   133

TABLE II. Performance of the VALIDATOR (computation time)

                            min. computation   max. computation   average computation
                            time [min]         time [min]         time [min]
functional diagrams         <1                 550                1.5
functional diagram groups   5                  630                40

1 Database access of the code generator and the VALIDATOR is done by different C++ classes to maintain the independence of both tools.

The performance of the VALIDATOR was demonstrated in first tests with a collection of about 70 realistic functional diagram groups with about 1800 functional diagrams (Table II).

It is obvious that the CPU time strongly depends on the complexity of the functional diagrams and their connections. The validation process needs additional time to prepare the database and to evaluate the protocols. Especially for the interpretation of the VALIDATOR protocols and the location of the errors in the C source code and the graphical functional diagrams, deep knowledge about the Teleperm XS software is required. An application example of the VALIDATOR is given in the next chapter.

Figure 5: Role of the VALIDATOR in the Teleperm XS design (design stages shown: Overall System Specification; I&C System Specification / Functional Diagrams (Database Entries); Software Specification; Conceptual Design; Detailed Design; C Source Code; Object Code. The VALIDATOR compares the C source code with the functional diagram database entries.)

4.2 Example of VALIDATOR Application

A short example demonstrates the use of the VALIDATOR. It is taken from the small Teleperm XS system of GRS/ISTec. The error which is detected by the VALIDATOR was forced on purpose.

Fig. 6 shows a part of a functional diagram. It is a test function to switch a lamp on and off. After code generation it was decided to change the parameter fl_1_1 to the value of 2 seconds. This change was done with the graphical functional diagram editor of SPACE but without a new generation of the software. Therefore, the old source code and the database entries differ in the parameter fl_1_1.

Figure 6: Functional diagram with changed parameter (screenshot of the SPACE functional diagram editor, KKS GRS01SW201; the modified parameter fl_1_1 belongs to the function block "OFFDELAY")

/* file     fd_3.c */
/* function i_fd_3_Compute */
/* FD fd_id    3 */
/* FD KKS      GRS01SW201 */
/* FD version  01.00 */
/* FD changed  07.05.97 11:03:37 */

/* FDG generator version: 02.20 */
/* FDG generator changed: 09.01.97 */
/* File generation date : 12.05.97 16:59:21 */

/* Initialization of internal FD identification string */
static const fdIdString_t fd_3_IntIdent_p =
    /* "FD<fd_id>/<fd_version>/<fd_changed>/<cg_version>/<cg_changed>" */
    "FD00003/01.00/07.05.97/02.20/09.01.97";

/* Initialization of changeable FB parameters */
static const fd_3_CParams_t fd_3_CParamsConst = {
    ...
    1.0,    /* fl_0_1 */
    1.0,    /* fl_1_1 */
    ...
};

/* Function implementing the FD module */
void i_fd_3_Compute()
{
    ...
    static const fb_353_t locFb_1 = {   /* Name "OFFDELAY", loc_id 6, Page 1 */
        ...
        &fd_3_CParams.fl_1_1,
        ...
    };
    ...
    /* Call FB modules: */
    ...
    r = g_fb_353( &locFb_1 );             /* OFFDELAY , 1, 4A */
    if (r != OK) i_fdgAppendFbRetCode( 3, 1, r );
    ...
}   /* i_fd_3_Compute() */

Figure 7: Source code of the functional diagram before changing the parameter (partly)

( fdg_id)     : 0014
( fdgversion) : 01.01
( fdgchanged) : 07.05.97
( cg_version) : 02.20
( cg_changed) : 09.01.97
( fdidstring) : FD00003/01.00/07.05.97/02.20/09.01.97

Funktionsplangruppe: 14   Fehlercode 11   mit 07.05.97 und 14.10.97

( fdginput)   : 3_CSignals.bsZ_4/bsInitError
( fdginput)   : 3_CSignals.bsZ_4/t_101_bsZ_4.s/bsInitError/t_101_bsZ_4
( fdginput)   : 3_CSignals.bsZ_16/bsInitError
( fdginput)   : 3_CSignals.bsZ_16/t_101_bsZ_16.s/bsInitError/t_101_bsZ_16

( fdgoutput)  : d_20046->bs_2/3_CSignals.bsZ_11
( fdgoutput)  : d_20046->bs_3/3_CSignals.bsZ_6
( fdgoutput)  : d_20046->bs_4/3_CSignals.bsZ_19
( fdgoutput)  : d_20046->bs_5/3_CSignals.bsZ_20
( fltastring) : flta/0.025
( fdpart0)    : 3_Compute

( plan_id)    : 00003
( fd_version) : 01.00
( fd_changed) : 07.05.97

Funktionsplan: 3   Fehlercode 1   mit 07.05.97 und 14.10.97

( cg_version) : 02.20
( cg_changed) : 09.01.97
( fbidstring) : 302/01.00/30.03.93
( fbidstring) : 351/01.00/16.08.93
( fbidstring) : 353/01.00/18.01.94
( fbidstring) : 354/01.00/18.01.94
( fbidstring) : 356/01.00/18.01.94
( usignals)   : bs_302_1/0/0
( usignals)   : bs_302_2/0/0
( ysignals)   : ms_2_5
( cparams)    : fl_0_1/1.0
( cparams)    : fl_1_1/1.0

Funktionsplan: 3   Fehlercode 50   mit 1.0 und 2.0

( compute)    : fb_354
( compute)    : CSignalse.bsL_13_2
( compute)    : CSignalsa.bsL_0_2
( compute)    : CParams.fl_0_1
( compute)    : DParams.ui_0_1
( compute)    : fb_302

( assign4)    : 302/11
( assign4)    : 302/12
( assign4)    : 351_w/13

Analyse erfolgreich beendet !  Es wurden 3 Unstimmigkeiten entdeckt

Figure 8: VALIDATOR protocol (partly)

The VALIDATOR protocol (Fig. 8) shows three anomalies. The first one was found in the functional diagram group 14 and shows different dates of change of the functional diagram group (Fehlercode 11). The second one was found in the functional diagram 3 and also shows different dates of change of the functional diagram (Fehlercode 1). It is the more detailed cause of the first anomaly. The third one (Fehlercode 50) shows the difference in the value of "fl_1_1": 1.0 in the program and 2.0 in the database (and that means in the graphical representation).

The source code of a functional diagram is unambiguously defined by the functional diagram ID (footnote 2), which is stated in the VALIDATOR protocol. In addition, the source code contains the FD (footnote 3) KKS (footnote 4) name (GRS01SW201) of the graphical representation of the functional diagram. Using this information it is possible to trace the causes of anomalies and to correct the failures. In this example the failure is corrected by a new code generation.

The example shows that besides errors of the code generator itself also (human) errors in the design process are detectable. Whereas errors in the software components and the code generator are minimized because of type test and the plant independent system test, potential failures from the system design are found by the VALIDATOR before programming the hardware and performing time consuming tests.
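The checks described in section 4.1 and illustrated by the protocol in section 4.2, as an added example that is not the VALIDATOR's own code (the GRS/ISTec tool is written in C++ and reads the SPACE database; here a regular-expression extraction, a Python dictionary standing in for the database entries, the C fragment modelled on Fig. 7 and all error codes other than 1 and 50 are constructed for the illustration):

```python
import re

# Constructed fragment of generated "normed" C source, modelled on Fig. 7.
# It is NOT real Teleperm XS code generator output.
SOURCE = r'''
/* file     fd_3.c */
/* function i_fd_3_Compute */
/* FD fd_id    3 */
/* FD KKS      GRS01SW201 */
/* FD version  01.00 */
/* FD changed  07.05.97 11:03:37 */
static const fdIdString_t fd_3_IntIdent_p =
    "FD00003/01.00/07.05.97/02.20/09.01.97";
static const fd_3_CParams_t fd_3_CParamsConst = {
    1.0,    /* fl_0_1 */
    1.0,    /* fl_1_1 */
};
void i_fd_3_Compute()
{
    r = g_fb_354( &locFb_0 );
    if (r != OK) i_fdgAppendFbRetCode( 3, 0, r );
    r = g_fb_353( &locFb_1 );             /* OFFDELAY , 1, 4A */
    if (r != OK) i_fdgAppendFbRetCode( 3, 1, r );
}
'''

# Constructed stand-in for the SPACE database entries of FD 3 after fl_1_1
# was edited to 2.0 in the graphical editor without regenerating the code.
SPEC = {
    "fd_id": 3,
    "kks": "GRS01SW201",
    "fd_version": "01.00",
    "fd_changed": "14.10.97",
    "cparams": {"fl_0_1": 1.0, "fl_1_1": 2.0},
    "fb_calls": [("fb_354", 0), ("fb_353", 1)],   # (FB type, local instance) in calling order
}

ID_RE = re.compile(r'"FD(\d{5})/([\d.]+)/([\d.]+)/([\d.]+)/([\d.]+)"')
KKS_RE = re.compile(r'/\*\s*FD KKS\s+(\w+)\s*\*/')
PARAM_RE = re.compile(r'^\s*([-\d.]+),\s*/\*\s*(\w+)\s*\*/', re.M)
CALL_RE = re.compile(r'g_(fb_\d+)\s*\(\s*&locFb_(\d+)\s*\)')


def extract(source):
    """Reverse transformation: recover the FD identity, the changeable
    parameters and the function-block calling sequence from the C text."""
    ident = ID_RE.search(source)
    kks = KKS_RE.search(source)
    if ident is None or kks is None:
        raise ValueError("FD identification string or KKS name not found")
    fd_id, fd_version, fd_changed, cg_version, cg_changed = ident.groups()
    return {
        "fd_id": int(fd_id),
        "kks": kks.group(1),
        "fd_version": fd_version,
        "fd_changed": fd_changed,
        "cg_version": cg_version,
        "cg_changed": cg_changed,
        "cparams": {name: float(value) for value, name in PARAM_RE.findall(source)},
        "fb_calls": [(fb, int(loc)) for fb, loc in CALL_RE.findall(source)],
    }


def validate(source, spec):
    """Compare the extracted structure with the specification and return a
    list of (error code, description); an empty list means source and
    database agree.  Codes 1 and 50 follow Fig. 8; 2, 3, 51, 52 and 60 are
    hypothetical codes chosen for this example."""
    ext = extract(source)
    findings = []
    if ext["fd_id"] != spec["fd_id"]:
        findings.append((2, f"fd_id {ext['fd_id']} in source, {spec['fd_id']} in database"))
    if ext["kks"] != spec["kks"]:
        findings.append((3, f"KKS {ext['kks']} in source, {spec['kks']} in database"))
    if ext["fd_changed"] != spec["fd_changed"]:
        findings.append((1, f"FD changed {ext['fd_changed']} in source, "
                            f"{spec['fd_changed']} in database"))
    for name, spec_value in spec["cparams"].items():
        if name not in ext["cparams"]:
            findings.append((51, f"parameter {name} missing in source"))
        elif ext["cparams"][name] != spec_value:
            findings.append((50, f"parameter {name} is {ext['cparams'][name]} in source, "
                                 f"{spec_value} in database"))
    for name in sorted(ext["cparams"].keys() - spec["cparams"].keys()):
        findings.append((52, f"parameter {name} not in database"))
    if ext["fb_calls"] != spec["fb_calls"]:
        findings.append((60, f"FB calling sequence {ext['fb_calls']} in source, "
                             f"{spec['fb_calls']} in database"))
    return findings


if __name__ == "__main__":
    for code, text in validate(SOURCE, SPEC):
        print(f"FD {SPEC['fd_id']}  error class {code}: {text}")
```

Run on the sample, validate() reports class 1 (the "changed" date in the source differs from the database) and class 50 (fl_1_1 is 1.0 in the code but 2.0 in the specification), the two anomalies the protocol in Fig. 8 attributes to functional diagram 3. The function-block calling sequence is compared as well, so a block dropped or reordered by a faulty generator would also be reported; the point of the design is that the extraction never consults the generator, only its output and the specification.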

5 SUMMARY

The V&V process of computerized I&C systems important to safety is time consuming and expensive. A stepwise methodology like the type test concept for Teleperm XS has the potential to perform this work with reasonable effort. Appropriate tools can support the evaluation and enhance the quality of the assessment with reduced costs.

A special tool to validate the functional diagrams and functional diagram groups of Teleperm XS was developed by GRS/ISTec. By means of this tool the user gets evidence that the C source code of the functional diagrams and functional diagram groups is equal to the specification in the SPACE database. Furthermore, possible errors in the source code are detected and corrected before the Teleperm XS system is finally programmed and tested.

The VALIDATOR designed by GRS/ISTec is completely independent from the code generator. Besides errors of the code generator itself also some human errors in the design process are detected.

2 function diagram identification number
3 function diagram
4 Kraftwerkskennzeichensystem - Identification System for Power Plants

References

[1] BASTL, W., BOCK, H.-W., "German Qualification and Assessment of Digital I&C Systems Important to Safety", Reliability Engineering & System Safety (in press).
[2] WACH, D., MULKA, B., SCHNURER, G., "Experience with Safety Assessment of Digital Upgrading of I&C in VVER Type Reactors", Proc. of VVER Instrumentation and Control, April 21-24, 1997, Prague, Czech Republic, p. 85-96.
[3] KERSKEN, M., "Methoden zur Qualifizierung hochzuverlässiger Software - Internationale Vorgehensweise", Deutsches Atomforum e.V. (Hrsg.), LEITEC'96, Digitalisierung der Leittechnik in Kernkraftwerken, S. 171-187.
[4] BASTL, W., BRUMMER, J., HOFFMANN, E., WACH, D., Gutachten zum Konzept der digitalen Sicherheitsleittechnik von Siemens/KWU, GRS-A-1921, Juli 1992.
[5] Proc. of a Forum on Safety Related Systems in Nuclear Applications, The Royal Academy of Engineering, December 1992.
[6] GRAF, A., "Software Development Method for Safety Critical Applications", in: Haapanen, P. (ed.), Advanced Control and Instrumentation Systems in Nuclear Power Plants, Design, Verification and Validation (Proc. of TQM Espoo/Helsinki, Finland, 20-23 June 1994).
[7] BRUMMER, J., KERSKEN, M., LINDNER, A., MIEDL, H., "Validation of Transformation Tools", Licensing of Computer-Based Systems Important to Safety, NEA/CNRA/R(97)2, p. 400-411.
[8] MIEDL, H., "Reverse Transformation of Normed Source Code", Proc. of Probabilistic Safety Assessment and Management '96, ESREL'96 and PSAM-III, June 24-28, 1996, Crete, Greece.
[9] LDRA Testbed® C Version 4.9, Liverpool Data Research Associates (LDRA) Ltd.

Session 3:

Licensing Experiences

XA9846503

A REGULATORY FRAME FOR SAFETY DIGITAL SYSTEMS IN NUCLEAR POWER PLANTS

A. MOZAS GARCIA and I&C Department Consejo de Seguridad Nuclear Madrid, Spain

Abstract

The paper focuses on Spanish experience regarding software based systems for safety applications from the regulator's point of view. It describes the current situation in Spain: number and models of reactors, modernization projects, digital systems implemented, and the licensing documentation and processes already followed by some upgrading projects. The paper asks what documents should be required for the safety and reliability demonstration of a safety system, when they should be reviewed, and what other activities may be necessary to acquire confidence in a particular system. It describes the Spanish laws regarding nuclear safety, under which the national standards of the country of the original NPP design apply to nuclear reactors in Spain. It finally suggests that an international standard, jointly used by system manufacturers, nuclear licensees and nuclear safety authorities, both from the country where the NPP is installed and from the original design country, should be developed so that rapid and easy agreement on licensing issues is reached among all parties. The last part of the paper describes the licensing approach proposed by CSN (Spanish Nuclear Safety Authority). It is still under development and is based on previous experience with digital systems for non-safety applications. It consists of constructing several frames: 1) databases of existing software based systems, 2) guides for inspection and 3) questionnaires to help in the evaluation of verification and validation activities. The aim is to establish a well defined procedure that helps in evaluating the particular system. However, in order for such a procedure to be useful, both regulators and utilities and, perhaps, also system manufacturers should agree on it. Joint CSN-utilities working groups may be suitable for such a purpose.

1. INTRODUCTION

Spanish nuclear potential consists of nine reactors distributed in seven different sites. The first one came into operation in 1968 and the last one in 1988. At the moment, there is no nuclear power plant under construction.

In order to cope with research and regulatory functions, a public institution called JEN was created in 1951, which supervised the construction projects of the first plants in Spain. Later on, in 1982, the Consejo de Seguridad Nuclear (CSN) was born from the former JEN, in order to take over all the regulatory, inspection and evaluation functions related to nuclear energy. The last phases of the construction projects of the most modern reactors, and the continued inspection of the already operating plants, have been the usual challenges CSN has faced since it was created.

At the moment, design modifications, especially regarding digital technology implementation, seem to be a new challenge in the near future for the Spanish regulatory authority.

1.1. Spanish Nuclear Power Plants

Eight of the nine operating reactors are US technology based. Two of them are General Electric Boiling Water Reactors (BWR), and the other five are Westinghouse Pressurized Water Reactors (PWR). The last one is based on Siemens/KWU German technology and is also a PWR. TABLE I shows the main characteristics of the NPP's in Spain.

From the point of view of I&C regulatory requirements, important improvements have been implemented regarding post-accident instrumentation, systems for safety parameter display and operating aid, reactor protection systems, etc. Some of these upgrading projects, especially the most recent ones, try to take advantage of the features of digital systems and to avoid the supply problems of analogue components.

TABLE I. MAIN CHARACTERISTICS OF REACTORS

UNIT           ELECT. POWER (MWe)   TYPE   SUPPLIER   START OPERAT.
José Cabrera   160                  PWR    WH         1968
Garona         460                  BWR    GE         1971
Almaraz 1      930                  PWR    WH         1981
Almaraz 2      930                  PWR    WH         1983
Asco 1         930                  PWR    WH         1983
Asco 2         930                  PWR    WH         1985
Cofrentes      994                  BWR    GE         1984
Vandellos 2    992                  PWR    WH         1987
Trillo         1066                 PWR    KWU        1988

2. DIGITAL SYSTEMS LICENSING ISSUES

To what extent are the standard approaches used in the regulatory and licensing process to ensure adequate safety margins and low safety risk in the safe operation of the plants affected? The usual methodology evaluates the safety analysis of the system upgrade under consideration, reaching a decision on whether or not the upgrading project decreases the safety level of the system. This methodology makes use of well established calculations and methods based on the failure modes of analogue components and technology.

In reviewing these approaches with regard to digital technology, the US National Academy of Sciences and the National Research Council have identified several approaches which are believed to be the most critically related to instrumentation and control (I&C) systems in nuclear power plants (NPP's).

• Defense in Depth. Safety systems are designed to provide multiple barriers to prevent problems.

• Safety Margin Assessment. Both deterministic and probabilistic analysis are used to assess the response and performance of safety systems, the relative frequency and consequences of abnormal events, and to search for design weaknesses.

• Environmental Qualification. Equipment must be capable of carrying its safety function under aggressive and extreme conditions.

• Quality Assurance. Quality assurance and control programs must be applied in order to ensure that safety systems meet all the requirements they were designed for.

• Failure Vulnerability. Independence, separation and redundancy features try to guarantee that failures can be treated as independent events and that common mode failures are not a major threat to multiple safety barriers.

The use of digital technology to implement safety systems challenges the actual validity of these approaches. At least eight issues have been identified as particularly important.

• Software Quality Assurance. None of the classic approaches appears to be fully satisfactory in assessing and ensuring software quality. How can a method be defined to develop high quality software?

• Potential for Common-Mode Software Failure. There exists procedures for evaluating common-mode failure potential in analogue I&C systems, but do they apply for software based digital systems? What does software diversity mean?

• Systems Aspects of Digital Technology. Along with benefits, digital I&C systems introduce potential new failure modes that can affect safety margins. How can the experience in other applications be applied to nuclear power plants?

• Human Factors. A new methodology is needed to assess the impact of computer based human machine interfaces on human performance in NPP's.

• Safety and Reliability Assessment Methods. These new methods are needed to ensure that levels are maintained or enhanced.

• Dedication of Commercial Off-the-Shelf Hardware and Software. Can this type of hardware and software be used in nuclear applications although they have not been designed following nuclear applicable standards?

• Licensing Process. The current regulatory process may not be suitable for evaluating digital systems. In addition, can a standard licensing process be defined which applies systematically to any software based system?

International meetings on digital technology must not only focus on design and development issues for new applications; they should also provide a forum for international discussion on licensing techniques that unify criteria, in order to ease the task of searching for safety, quality and performance evidence in digital systems.

3. REQUIREMENTS FOR DIGITAL SYSTEMS

Functional and reliability requirements are supposed to be the same as those required for analogue systems. Nevertheless, there are several issues especially important for digital systems, since adequate reliability levels need to be demonstrated.

TABLE II shows features of analogue and digital technology which can affect the requirements specification, design and licensing processes.

TABLE II. ANALOGUE VERSUS DIGITAL TECHNOLOGY

Data collection
  Analogue: Continuous.
  Digital: Discrete.

Data transmission
  Analogue: Continuous and hardwired.
  Digital: Over shared metal wire or fibre optic lines configured as data busses or data highways, or over point-to-point data links.

Control logic implementation
  Analogue: Logic is implemented with fixed function components.
  Digital: Logic is implemented with programmable function components.

Operator interfaces
  Analogue: Fixed function displays, hardwired with field components.
  Digital: Programmable interactive displays connected to programmable logic control components.

Reliability
  Analogue: Environmental conditions affect calibration. High initial number of failures due to manufacturing flaws, and high rate of failures at end of service life, due to ageing effects.
  Digital: Environmental conditions may degrade performance, but these systems do not drift. Hardware failure curve is similar to analogue components. There are no generally accepted methods for quantifying software reliability.

In-service testing
  Analogue: Manually done by operation and maintenance personnel.
  Digital: Some hardware testing is made automatically by pre-programmed software. Some testing is done manually.

Preoperational testing
  Analogue: Exhaustive output versus input functional testing and cycle to failure testing.
  Digital: Exhaustive functional testing for simple combinational logic systems. Statistical testing for complex systems. Latent software errors may be difficult to find.

Failure modes
  Analogue: Based on component ageing and maintenance.
  Digital: Based mainly on erroneous and ambiguous requirement specifications and design errors.

Important topics that must be taken into consideration when dealing with digital systems are:

• Systems compatibility: open systems. At the design stage, proprietary technology does not facilitate the work of reviewers and maintenance personnel. Open architectures, which allow simple future modifications and are potentially less affected by spare parts supply problems, are much preferred over others.

• Rapid technological changes and designs coping with them. One of the most important reasons for digital upgrades is the obsolescence of analogue technology. Analogue components are difficult to replace because it is not easy to find spare parts. Today it is much easier to find digital components. However, this type of component evolves very rapidly, much faster than analogue components did a few years ago. Although digital components are supposed to be capable of performing the functions they are designed for over a long time, it might be difficult to find spare components at short notice because of the fast development of digital technology. Though not subject to ageing problems, digital technology might undergo obsolescence problems in a few years.

• Commercial off the shelf software and hardware. Analogue equipment for nuclear applications must undergo qualification tests according to standards. However, digital systems are mostly based on commercial software and hardware with extensive operating experience. This type of component must follow a dedication process in order to prove that it is suitable for nuclear applications. To what extent operating experience is enough as a dedication process must be decided depending on the particular system, the application and the operating experience.

• Finding a method to demonstrate system correctness, validity and reliability. This may be what software based systems need in order to spread throughout safety related systems in industry. How can it be demonstrated that a system design and implementation is correct and reliable? So far, a statistical approach based on testing was accepted as proof. However, it is not clear that this approach is applicable to software. Common sense calls for a general testing procedure that eventually may prove correctness and reliability. Is that possible? It does not seem easy to develop such a process for very large and complicated systems, but what about simpler ones, where the input set is finite and easy to know? Reactor Protection Systems have very limited inputs and outputs, and their inner logic is usually simple. Testing based on a complete combination of all possible inputs is feasible. But it is not clear that such a testing process is enough. System or basic software like the operating system and occasionally databases may need similar testing, which might be much more difficult to carry out. In any case, a solution based on systematic testing (or similar processes) that produces a result easily understandable in conventional terms, and that is not only based on quality assurance methodology and document review, would be very much welcome.

• Design focused on testing. Testing plans should be generated simultaneously with the design implementation, while independence is still preserved. Input combinations, tests and even results depend highly on the design, and the design must be carried out with future testing processes in mind.

• Common cause failure avoidance. Due to the special failure modes of software, common cause failures are the most feared, since they are supposed to stay latent in software and undetectable through systematic testing. CCF avoidance techniques are based on both a rigorous development process and special design features like fault tolerant architectures and functional diversity. Channel based systems which monitor and control diverse variables through software which is different and also diverse might be a good approach against software common cause failures.

Further general considerations concern the environmental qualification of equipment that works with extremely low current and voltage levels, and the human machine interfaces of all those systems where an upgrading project affects the operator interface, which may require retraining.
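The two sides of the testing question raised above (exhaustive enumeration is feasible for a protection logic with a finite input set, yet may not be enough), as an added example that is not part of the paper. The 2-out-of-4 voting logic, its constructed design error and the off-delay block are all hypothetical; the off-delay block only borrows the idea of the OFFDELAY function block and the 1 s to 2 s parameter change from the VALIDATOR paper earlier in these proceedings:

```python
from itertools import product


def vote_2oo4(a, b, c, d):
    """2-out-of-4 coincidence logic written as the OR of all six channel pairs."""
    return (a and b) or (a and c) or (a and d) or (b and c) or (b and d) or (c and d)


def vote_2oo4_faulty(a, b, c, d):
    """Constructed design error: the (b, d) coincidence pair was left out."""
    return (a and b) or (a and c) or (a and d) or (b and c) or (c and d)


def vote_2oo4_spec(a, b, c, d):
    """Oracle taken directly from the requirement text: trip when at least
    two channels demand it.  Written independently of the implementation."""
    return (a + b + c + d) >= 2


def exhaustive_check(impl, oracle, n_inputs=4):
    """Apply every one of the 2**n_inputs binary input vectors and return
    those on which the implementation disagrees with the oracle."""
    return [vec for vec in product((0, 1), repeat=n_inputs)
            if bool(impl(*vec)) != bool(oracle(*vec))]


class OffDelay:
    """Off-delay block with internal state: the output follows a rising
    input immediately and stays set for `delay` sampling cycles after the
    input falls (hypothetical model, not the Teleperm XS block)."""

    def __init__(self, delay):
        self.delay = delay
        self.remaining = 0

    def step(self, inp):
        """Process one sampling cycle and return the block output."""
        if inp:
            self.remaining = self.delay
            return 1
        if self.remaining > 0:
            self.remaining -= 1
            return 1
        return 0


def single_cycle_table(delay):
    """Input-combination test of a stateful block: each possible input value
    is applied once to a freshly initialised block."""
    return {x: OffDelay(delay).step(x) for x in (0, 1)}


def sequence_response(delay, inputs):
    """Sequence (timing) test: feed a time series through one block instance."""
    block = OffDelay(delay)
    return [block.step(x) for x in inputs]


if __name__ == "__main__":
    print("correct 2oo4 logic, mismatching vectors:",
          exhaustive_check(vote_2oo4, vote_2oo4_spec))
    print("faulty 2oo4 logic, mismatching vectors:",
          exhaustive_check(vote_2oo4_faulty, vote_2oo4_spec))
    # The input-combination table cannot tell a 1-cycle delay from a 2-cycle delay ...
    print("delay 1:", single_cycle_table(1), " delay 2:", single_cycle_table(2))
    # ... but a timed input sequence can.
    print("delay 1:", sequence_response(1, [1, 0, 0, 0]),
          " delay 2:", sequence_response(2, [1, 0, 0, 0]))
```

Sixteen vectors are enough to expose the missing pair (the faulty logic fails to trip when only channels b and d demand it), which is the feasibility argument made above. The off-delay block shows the limit: its single-cycle input table is identical for a 1-cycle and a 2-cycle delay, so a test that only enumerates input combinations would not have revealed the kind of parameter change the VALIDATOR example caught by comparing source code with its specification. Stateful blocks need sequence and timing tests in addition to combinational ones, and the oracle must be derived from the requirement rather than from the code under test.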

4. MODERNIZATION PROJECTS

Spanish nuclear reactors can be classified into three different generations: the first two reactors, whose operating licenses were issued in the late sixties; the following five plants, whose operating licenses date from the period 1981-1985; and the last two reactors, from the late eighties.

None of the designs of any generation was conceived to implement any function by digital technology. However, different reasons like ageing, difficulties in finding spare parts, and increasing interest in getting better performance out of the installed systems are opening the door within the nuclear industry to the use of software based digital technology in the implementation of safety and non-safety systems in NPP's.

Upgrading projects to replace old analogue components by digital processors are becoming so important that they are expected to be a major licensing task in the future, even in those countries where no reactor is under construction.

In Spain, the following are modernization projects that have been or are still under licensing process:

4.1. Control systems

Asco units 1 and 2 have replaced the analogue components of the 7300 Westinghouse cabinets by Intel 486 based WDPF microprocessors. The most relevant modified control systems are the following:

• Reactor Control System
• Steam Dump Control System
• Feedwater Control System
• Pressurizer Pressure and Level Control Systems
• Control Rod Insertion and Withdrawal Limit Alarms

The design provides fault tolerance features through the use of redundant components, automatic self-diagnostics and automatic input signal validation.

Jose Cabrera NPP reactor and turbine control systems have also been upgraded, replacing one by one all the analogue and pneumatic controllers of the process control loops with digital controllers (Fischer-Porter MC5000) while maintaining the functional characteristics. Some of the functions are also provided with redundant controllers.

4.2. Systems for display of safety parameters and operation aid

The TMI accident in 1979 caused the regulators to issue new standards about accident diagnosis and operator aid. US NUREG's 696 and 737, Supplement 1 describe the requirements for a Safety Parameter Display System (SPDS), which should help the operators during normal and abnormal operation by displaying especially important parameters for safety.

The implementation of such a system makes use of software based programmable computers and has much to do with information systems. At the moment all the Spanish reactors except Trillo NPP have an SPDS, which is in most cases embedded in the plant computer. This system is basically not a safety system, i.e. it is not subject to licensing considerations. However, CSN has reviewed every installed SPDS, focusing its interest on safety aspects like the signal isolation between Class 1E and non-1E parts of the system, and the system availability level.

4.3. Future Modifications

It is not difficult to imagine future trends in the field of digital upgrading projects. Most of I&C systems will be modified depending on the degree of obsolescence and safety of the system. However, Reactor Protection Systems and Engineering Safety Features Actuation Systems are already considered as possible candidates for new modifications.

This kind of system may consist of simple logic, but these are the most critical systems regarding safety.

5. LICENCING DOCUMENTATION AND PROCESS

What documents should be required for the safety and reliability demonstration of a safety system? When should these documents be reviewed? What other activities are necessary to acquire confidence in a particular system? Digital systems are new in their relation with nuclear licensing processes, and all these questions, and some others, are not trivial to answer. The Spanish Nuclear Safety Authority CSN is very much concerned about these issues, since the safety level of the plant must not be degraded after any design modification.

According to Spanish law, nuclear reactors in Spain are subject to the applicable laws and standards of the country of the original design. Therefore, US nuclear regulations apply to eight of them, and the German KTA and RSK rules apply to the other. However, CSN maintains the position of applying similar and homogeneous standards to the nine plants, regardless of the original design country.

On the other hand, suppliers of digital systems come from all over the world. Safety and quality requirements for their products are based either on national or on international standards. Spanish utilities, when planning a modernization project, may be interested in comparing different offers before deciding which one to choose. In this context, it would be very helpful if there were international agreement on what is sufficient for the safety demonstration of any particular system.

5.1. Already installed systems

The most important upgrading projects already finished in Spain were conducted in Jose Cabrera NPP, and in Asco NPP Units 1 and 2.

Already in 1991, Jose Cabrera modified panel P-14, which implements certain steam generator reactor trips and engineering safeguards actuations. Later, during a two year long outage between 1993 and 1995, panel P-20, which belongs to the Reactor Protection System, was also upgraded. These two modifications were based on Foxboro SPEC 200 Micro cards, which implement the formerly analogue based logic functions.

So far this is the only modification of a safety system in Spain. The licensing process was mainly based on the operating experience of this technology in the United States. With the help of an independent American reviewer (in the case of the P-14 project), test documents and quality assurance plans as well as the overall project process were audited. The especially simple design, based on multiple redundant channels, and the simplicity of most of the functions implemented facilitated the task.

More recently, in 1997, Jose Cabrera modernized the turbine and reactor control loops. However, since these systems are not safety related, they do not require CSN approval. In addition, because of the special characteristics of this project, where every loop was replaced by a digital controller on a one-by-one basis, no significant information was transmitted to CSN.

Asco 1 and 2 modifications are not safety related either. However, the scope of the modification, simultaneous in time with steam generators replacement, has made CSN involvement much more important.

The modification affected the control system functions enumerated in chapter 4.1. Westinghouse 7300 cabinets numbers 5, 6, 7 and 8 were fully emptied and refilled with microprocessor cards of the WDPF family. Through the use of configurable functional diagrams, these cards implement the control loops of the mentioned systems and the separation between safety and non-safety related parts. The use of the digital Median Signal Selector guarantees the isolation of the Reactor Protection System, which shares channels with the control system.

As mentioned above, this is a non-safety-related system, which means it does not require CSN approval. Nevertheless, CSN staff has followed the activities of the modification in order to gain experience of digital upgrading projects. In addition to the reactor control system, the turbine control system has also been modified, and a new control system for the natural draught cooling tower has been installed. Such an extensive modification involving software based applications was considered by CSN as a good chance to learn about software development and the inspection of software based systems.

The activities carried out by the staff consisted of:

• functional documentation (logic diagrams) reviews,

• WDPF description reviews,

• Median Signal Selector design review,

• audits to utility staff,

• inspections to the plant

After the system came into operation, CSN staff focused its attention on following the operating experience and possible new design modifications, especially everything related to modification procedures and configuration management control.

5.2. Regulatory position

As stated above, the most important standards applicable to Spanish NPPs are those from the original project country of every plant. However, although a few international standards tend to be more and more widely used, there are no normative documents explicitly accepted or endorsed by the US NRC or the German GRS that impose restrictive requirements on digital systems. Under these circumstances it is not an easy task to apply original country standards to plants that plan to implement software systems.

One additional problem appears when European vendors or suppliers try to offer a system to a US design based plant, or vice versa. European vendors try to meet European normative documents that may not be equivalent to the American ones that should be met by the utilities. CSN's position is that an international standard and normative frame should be created which is precise enough and widely accepted, in order to avoid such problems.

On the other hand, requirements for safety, quality and reliability demonstration ought to be clearly defined and widely accepted, so that the inspection activities of the regulatory authority can be smoothly integrated into the development process.

The international standards that seem to be mainly used are:

• IEC 880 "Software for Computers in the Safety Systems of Nuclear Power Stations"

• IEEE 7-4.3.2 "IEEE Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations"

5.3. Licensing of standard digital systems

Some vendors have developed large standard software platforms that can be configured to implement different control, monitoring, protection and other functions. These systems are usually based on modules or subroutines that can be validated individually and that, combined in different ways, implement more complex functions.

One way to classify the software embedded in such a system is:

• basic or system software, composed of unit modules, self-testing subroutines, the operating system and some other features; and

• application-specific software, composed of those features specially made for or referring to the particular application. It may consist of specifically developed unit modules, databases, configuration parameters, specific files, etc.

The two types of software are not treated in the same way. Operating experience of the system in other NPPs may be a way to validate the basic software, but even this assertion could be false depending on the application software both in the plants with that experience and in the plant carrying out the modification. Besides, the experience should come from systems equivalent to the one considered for upgrading. That means that many successful information-system applications of the standard platform might not be enough to consider the basic software validated for a safety-related application.

In addition, a specific licensing process that includes verification and validation activities for the basic software may increase confidence in the reliability level of the new application. These activities are usually carried out in the original country and are usually presented by the vendor as evidence of system reliability.

The second part of the software, i.e. the application-specific software, cannot be validated in advance. It depends on the particular application, and its verification and validation activities should be carried out under the nuclear safety authority of the NPP country. There might be a standard approach to developing this software that helps to license the application, but that is not usual. The development process, although the software may be simpler than the basic software, shall be as rigorous and strict as that for the basic software. The nuclear safety authorities of the affected countries should develop an approach for licensing this type of software. Since both vendor and plant may be based on foreign designs, every approach, technique, activity, etc. should be internationally accepted or, at least, based on international standards.

In what way can the licensing process followed for the application-specific software of a particular system in one NPP help the licensing process for another system in another NPP? To answer this question, the following should be considered:

• whether the first process was carried out by the same nuclear authority or by others;

• whether both systems, whose licensing processes are to be compared, are actually similar systems with similar functions;

• whether basic software is identical in both systems;

• whether the activities for licensing the first system can be carried out for the second one;

• the documents available for licensing both systems.

Experience gained in licensing processes and digital systems can indeed help when a new system is under consideration. It is assumed that every new system will require a minimum effort, which may be systematized but not eliminated.

6. PROPOSED CSN APPROACH

In order to undertake the licensing tasks reserved for the nuclear authority during the licensing process of a new or upgraded system, CSN has decided to start developing a methodology to help in that process. The CSN approach assumes that the Spanish nuclear utilities agree on a methodology based on internationally accepted standards.

This methodology consists of:

• Development of a database of the digital systems already operating in Spanish NPPs and their features. The aim is to obtain a good description of all already installed systems (mainly non-safety systems so far) that helps in evaluating the degree to which two different systems can be compared. This database contains hardware and software descriptions, including life-cycle phases and verification and validation activities.

• Preparation of a guide for digital system inspection. CSN already has a clearly defined methodology for the inspection of conventional I&C systems. However, digital systems are different enough to require special attention in some particular fields. This guide gives a set of prescriptions that may be followed by the inspector, who nevertheless has the option of applying the guide as appropriate to the particular characteristics of the system.

During the inspection several issues should be evaluated:

1. System adequacy for performing the safety functions required by the design basis.

2. Rigour of the development process, determined by the degree of coherence and completeness of every life-cycle phase.

3. Level of confidence given by the document reviews and system tests required by the Verification and Validation Plan, so that it is assured that both the system and the equipment are able to perform the functions they are designed for.

4. Maintenance procedure requirements that ensure the system will operate under postulated event conditions, and that possible new modifications will not decrease the system safety level.

5. Human factors and operating procedures that guarantee proper operation during normal and abnormal conditions.

The guide establishes three different phases for the inspections in both hardware and software parts: previous study of the system; visit to the plant; meeting with utility personnel to evaluate the conclusions of the inspection.

The guide also describes the final inspection report.

• Development of a questionnaire to help in the evaluation of verification and validation activities. It establishes the guide's requirements for V&V activities in a more systematic manner that is easier for the inspector to apply. It focuses on V&V organization, activities, tests and results.

The scope is to establish a well-defined procedure that helps in evaluating the system. It is important to note that, in order for it to be useful, both regulators and utilities should agree on such a procedure. That is why CSN considers it important to reach a consensus with the Spanish utilities. One way of achieving it is to create a utilities-CSN working group for digital systems, where both positions are clearly defined, starting with the system upgrading projects that the utilities are already considering.

7. CONCLUSIONS

Safety-related systems need not only a rigorous design that ensures reliability, performance and other levels that meet the requirements specification, but also the capability to demonstrate that those requirements are fulfilled, in order to pass the licensing process required by standards.

Modern design processes can help by generating more understandable documentation or by design activities and procedures that are easier to follow or review. However, since in most cases vendors, utilities and regulators are not from the same country, international agreement should be reached in order to establish well-defined requirements that, once met, allow the system to be licensed.

The CSN position is to elaborate a methodology to help in system inspection and validation. Total agreement with the utilities is sought in order to optimize effort and results. Design considerations regarding hardware, basic software, application-specific software, operating experience, licensing experience, etc. are issues that may affect the life cycle and the licensing process, and how utilities and regulators use them in those processes should be clearly stated.

8. REFERENCES

1. IEEE 7-4.3.2, IEEE Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations.

2. IEC 880, Software for Computers in the Safety Systems of Nuclear Power Stations.

3. Digital Instrumentation and Control Systems in Nuclear Power Plants: Safety and Reliability Issues. Committee on Application of Digital Instrumentation and Control Systems to Nuclear Power Plant Operations and Safety, National Academy of Sciences.

4. Mozas, Alfredo, Estudio sobre Fiabilidad en Sistemas Digitales de I&C. Procesos de Desarrollo y Verificación. Nota Interior AMG/03/95, Consejo de Seguridad Nuclear.

5. Informe Preliminar para una Guía de Inspección de Sistemas Digitales, CSN/TGE/INEI/9612/624, Consejo de Seguridad Nuclear.

XA9846504

HUNGARIAN APPROACH

K. HAMAR Hungarian Atomic Energy Authority Nuclear Safety Directorate Budapest, Hungary

Abstract

The paper describes the licensing milestones of the Paks NPP reactor protection refurbishment project, starting from the simple task specification of a high-tech I&C installation and going up to the acceptance tests and the issuing of the license, which are scheduled for 1999. Specific emphasis is put on the structure of the reactor protection refurbishment project licensing documentation.

Licensing Milestones of Paks NPP Reactor-Protection Refurbishment Project

1993. Simple Task Specification. HAEA NSD agrees for the first time with the idea of a high-tech I&C installation.

1994. Detailed Task Specification with the pre-selected contractors Schneider Group and Siemens. The Task Specification intends to introduce digital technology.

1995. 1st Licensing Documentation, based on the Detailed Task Specification: description of safety targets, design principles and requirements.

1995 Sept. Regulatory Statement agrees with the concept, with 39 comments.

1995. Principle System Specification is the basis of the bid invitation for Schneider, Siemens and Westinghouse; the 2nd Licensing Documentation is practically a more detailed version of the 1st Licensing Documentation.

1996 Apr. Deadline for the bids. HAEA NSD, in accordance with its safety policy, does not take part in the selection of contractors or in bid evaluation.

1996 July. System Technique License (STL, or Principal System License): conceptual license on the Principle System Specification. There was no consideration of any vendor-specific aspect, neither in the documentation nor in the license. NSD had 42 comments, expecting clarifications in the documentation, V&V considerations and general requirements for the documentation to be prepared up to the Factory Acceptance Test (FAT).

1996 Sept. NPP signs contract with Siemens.

1997 Apr. Process Functionality Specification delivered to Siemens and submitted to NSD.

1997 June. New Act on Atomic Energy comes into force, with new Safety Codes and Guides.

1997 Aug. Acceptance of the Process Functionality Specification after evaluation of: Description of Process Functions; Diversity of Initiation Criteria; Logic Plans (Synoptical Diagrams) and I/O database; Analysis of the Effects of the Structural Modification of the RPS. Some minor changes in process functionality due to negotiations, and the conclusion of research on two major issues, are expected until the end of 1997: primary-to-secondary circuit leakage detection and handling, and the necessity of an automatic earthquake reactor trip.

1998 March, or 90 days before FAT. Nuclear Import License on the 3rd Licensing Documentation, containing: I&C Functional Description, on the basis of the Logic Plans (Synoptical Diagrams) and I/O database; Analysis of the Effects of the Structural Modification (fault trees, probabilistic evaluation), first version; and documentation of:

• the Integrated System, its structure and evaluation,

• HW and SW elements of the system,

• the manufacturing environment,

• the testing environment,

• test strategies and cases,

• results of HW and SW module testing, certificates,

• first results of testing the Integrated System, certificates.

The vendor-specific Integrated System and the system modules are described for the first time in this phase, after the design. The Import Permission may state added requirements for the Factory Acceptance Tests (FAT), and may state the first requirements for NPP site testing.

1998 June. Start of Factory Acceptance Test. NSI prescribed in the STL that the FAT requires a valid Nuclear Import Permission. Validity means that the content of the Import Permission and the included requirements are accepted by the Licensee, or, in case of appeal, that the legal procedure has already been finished with or without modification of the Import Permission. The functionality has to be demonstrated at FAT with the parameter values specified in the Process Functionality Specification, but these are not necessarily the exact, final parameter values for RPS actuation or alarm. This gives some freedom in the correction of parameters, while the Logic Plans (Synoptical Diagrams) are expected to be fixed after verification, which is due in 1997.

1999 Jan. End of Factory Acceptance Test.

1999 Feb. Plant Modification License on the 4th Licensing Documentation, containing: description of the modifications to civil structures, I&C cabinets, cabling and measuring equipment; the tool-kit and methodology of testing on site; Structural and Safety Evaluation of the new RPS; Analysis of the Effects of the Structural Modification, final version. The Plant Modification License states the requirements for testing on site.

1999. License for Operation on the 5th Licensing Documentation. The documentation has to summarize the results of on-site testing. This License may state requirements for operation, the methodology and period of cyclic testing, the procedure on error indication by self-testing, etc.

Evidence required for licensing is obtained from the following sources:

Vendor-prepared documentation (Siemens). Certificates are accepted from institutions of the vendor's home country, e.g. GRS ISTec and TÜV-Nord, on the Teleperm-XS standard components: HW components (off the shelf); the SW module library of logic functional blocks; the run-time environment, drivers and utilities; the SPACE development environment.

NPP RRP Design Staff prepared documentation; NPP contracted experts' opinions; NPP V&V Team reports.

HAEA contracted experts' opinions; HAEA QA audit reports; HAEA V&V Audit Team reports.

Test reports. Test cases must cover all of the non-certified aspects of the components and of the integrated system. Certificates are accepted from institutions of the vendor's home country, e.g. GRS ISTec and TÜV-Nord, on a representative Integrated System. Test programs: Siemens in-house FAT program; NPP RRP Design Staff and V&V Team FAT and SAT program; Authority FAT and SAT program (optional).

Chapters of the Reactor Protection Refurbishment Project Licensing Documentation

Technical Requirements

M001 Design Principles

M002 Identification System of Documentation

M003 Applied Codes and Standards

M103 Environmental Specification

M104 Response Time Requirements

M105 Accuracy Requirements

M106 Reliability Requirements

M107 Testability Requirements

M108 Man/Machine Interface

M109 Security Constraints

M110 Changeability and Extendability

M111 System Scope, Boundaries and Interfaces

M112 Location of the new System

M113 Description of power supply sources available

Functional Requirements

M202 Description of Process Functions

M203 Diversity of Initiation Criteria

M204 Logic Plans (Synoptical Functional Diagrams)

M205 I/O database

Analysis

M301 Analysis of the Effects of the Structural Modification

M302 Functional Safety Analysis

Conventional I&C Specification

M400 including: input analog and binary signals and output signals; unit computer interface; power supply; cabling; civil and aspects

Quality Assurance

Q100 QA Program

Q200 Development Plan

Q300 Verification and Validation Plan

V&V and V&V Audit

The V&V activities are carried out by an NPP-contracted group of Hungarian senior experts from scientific institutions. This group is accepted as vendor-independent. NSI established a V&V Audit Team, which follows the NPP V&V Team through the V&V phases defined in the RRP V&V Plan (STL). The reports of the NPP V&V Team and of the V&V Audit Team will be linked to the legal phases of the licensing regulatory decisions. The V&V Audit Team has to have access to the relevant documentation, regardless of whether the legal phase of licensing to which the document pertains has already started with the submission of documentation or not.

Structural and Safety Evaluation of the new RPS

This job is really complicated, from the aspects of both elaboration and evaluation. The NSD approves the structure in the import permission procedure and decides on the acceptance of the deterministic evaluation. In this procedure the NSI expresses an opinion on the input database and on the assumptions of the probabilistic evaluation. This means that the first version of the probabilistic evaluation has to be submitted in the documentation for the Import Permission, before FAT. Up to the permission for plant modification procedure, the probabilistic evaluation can be refined and finalized. In the Hungarian safety regulations there are no explicit probabilistic numeric values stated as acceptance criteria.

At FAT the NSD considers the structure and functions fixed. Further modification of the structure or functions after FAT leads to new test phases, or to repetition of FAT.

New Safety Code

1997 June. New Act on Atomic Energy comes into force, with new Safety Codes and Guides. The Code volumes are mandatory. In the most complex cases 6 months are available for regulatory decisions.

1. Rules of Regulatory Procedures

2. Quality Assurance Principles

3. Design Principles

4. Operational Rules

5. Code on Research Reactors

Guide for I&C and Electrical Design

The Guide is not mandatory, but together with the included list of standards it represents the knowledge base of the reviewer on the Authority side.

The applicant has the right to prove the fulfilment of the requirements on the basis of different guides and standards, but has to face the fact that a basis different from the one the evaluator is prepared for can lead to a significantly longer time and higher cost in the review procedure.

Evidences of licensability according to the Guide for I&C and Electrical Design

The Safety Code on design states the general requirements on the redundancy, diversity and reliability of systems in general. For the first time in the history of Hungarian regulations, guideline paragraphs are devoted to the assessment of complex system design, identifying three recommended techniques:

• System Analysis (e.g. IEC 812)

• Probabilistic Safety Analysis

• SW V&V (e.g. IEC 880, IEC 987)

System analysis (suitable standard e.g. IEC 812)

The depth of the evaluation and the regulatory involvement make the real difference between the Safety Categories or Classes. The set of documentation and report files below has to be completed first of all for the benefit of the Licensee, who should append them to the licensing documentation when it is practical, at the latest before finalizing the Preliminary Safety Report.

• Description of the different system elements with their characteristics, against their investigated performances during FAT and SAT

• Comparison with the design: roles and functions; connections between the elements; redundancy level and nature of the redundant systems; location of the system within the whole facility; data pertaining to functions, characteristics and performances

• Status of the different operating conditions of the system and of the equipment which provides the function

• Changes in the configuration of the system and components during different operational conditions

• Minimum performance in different operational conditions, with regard to levels of degradation

• Reliability values: loss of actuation at equipment, train and system level; loss of safety function; spurious actuation leading to safety consequences

• Estimation of common cause failure probabilities in SW

• List of occurrences of discovered errors in the development environment and tools

• Evaluation of common cause HW failure probabilities

• Duration of the tasks, in the case of intelligent devices

• Time interval between periodic and cyclic tests

• Time available for corrective action before serious consequences occur to the system

• Repair conditions

• Procedures for routine testing, available test equipment

• Operating procedures during system start-up

• Control provided during the operational phases

Probabilistic Safety Analysis of Paks NPP Reactor-Protection Refurbishment

A classic fault tree model will be provided by Siemens. The software is characterized by lumped probability values derived from statistically valid random testing. The Hungarian Authority has no information at the moment about the reliability or reliability growth model which the Siemens designers consider. The theory and practice should be documented for the first time in the Nuclear Import License procedure.

To provide the opportunity to compare the old and new reactor protection systems, we recommend the following considerations:

System Boundaries of Analysis

Reactor trip: from the reactor trip sensors, through the input of the control-rod drive controller group, to the control-rod drive power supply breaker.

ECCS: from the ECCS sensors to the input of the actuation signal multipliers.

Defined Top-Events

Postulated Initiating Events (PIEs) are detected by two diverse parameters.

Reactor trip:

• Loss of control-rod drop while one trip parameter limit (initiation criterion) is exceeded

• Loss of control-rod drop while two diverse trip parameter limits (initiation criteria) associated with the given PIE are exceeded

• Spurious or inadvertent trip

ECCS:

• Loss of any actuation signal in one ECCS train

• Loss of at least one function in all of the 3 ECCS trains

• Spurious or inadvertent high-pressure injection, spray system or confinement isolation start-up
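As an added illustration of how the top events above can be quantified, the following Python block (example code written for this edition, not the Siemens fault tree model and not Paks data) evaluates each top event under a beta-factor common cause model. The voting logic (2-out-of-3 per trip parameter, 3 ECCS trains) and every numerical value are assumptions chosen only for the arithmetic. What the block shows is that the credit for two diverse trip parameters is floored by the software common cause term, which is why the estimation of that term appears in the documentation list above.

```python
from math import comb

# Constructed example figures: hypothetical per-channel / per-train values,
# not Paks or Siemens data. They only exercise the arithmetic.
RPS_PARAMS = {
    "q_channel": 1.0e-3,    # P(one trip channel fails on demand), total
    "beta_hw": 0.10,        # share of q_channel that is common cause (beta factor)
    "q_sw_ccf": 1.0e-5,     # P(software fault disables both diverse parameters)
    "s_channel": 1.0e-2,    # P(one channel spuriously demands trip per test interval)
    "beta_spurious": 0.05,  # common cause share of spurious demands
}
ECCS_PARAMS = {
    "q_train": 2.0e-3,      # P(actuation signal lost in one ECCS train), total
    "beta_hw": 0.10,
    "n_trains": 3,
}


def beta_factor_split(q_total, beta):
    """Beta-factor model: q_total = q_independent + q_common_cause."""
    return (1.0 - beta) * q_total, beta * q_total


def at_least_m_of_n_fail(n, m, q_total, beta):
    """P(at least m of n identical redundant channels fail on demand).

    A common cause failure takes out all n channels at once; otherwise the
    channels fail independently, which is a binomial tail."""
    q_ind, q_ccf = beta_factor_split(q_total, beta)
    p_ind = sum(comb(n, j) * q_ind ** j * (1.0 - q_ind) ** (n - j)
                for j in range(m, n + 1))
    return q_ccf + (1.0 - q_ccf) * p_ind


def loss_of_trip_one_parameter(p):
    """Top event: rod drop lost while one trip parameter limit is exceeded.
    Assumed 2-out-of-3 voting: the parameter is lost when >= 2 of 3 channels fail."""
    return at_least_m_of_n_fail(3, 2, p["q_channel"], p["beta_hw"])


def loss_of_trip_two_diverse_parameters(p):
    """Top event: rod drop lost while two diverse parameter limits are exceeded.
    Both voted parameters must fail; the software CCF couples them because
    both run on the same platform and the same generated code."""
    q_one = loss_of_trip_one_parameter(p)
    return p["q_sw_ccf"] + (1.0 - p["q_sw_ccf"]) * q_one * q_one


def spurious_trip(p):
    """Top event: spurious trip, i.e. >= 2 of 3 channels demand without cause."""
    return at_least_m_of_n_fail(3, 2, p["s_channel"], p["beta_spurious"])


def loss_of_one_eccs_train(p):
    """Top event: loss of any actuation signal in one ECCS train."""
    return p["q_train"]


def loss_of_all_eccs_trains(p):
    """Top event: loss of at least one function in all ECCS trains."""
    n = p["n_trains"]
    return at_least_m_of_n_fail(n, n, p["q_train"], p["beta_hw"])


def quantify(rps=RPS_PARAMS, eccs=ECCS_PARAMS):
    """Evaluate every defined top event and return them by name."""
    return {
        "rps_one_param": loss_of_trip_one_parameter(rps),
        "rps_two_diverse": loss_of_trip_two_diverse_parameters(rps),
        "rps_spurious": spurious_trip(rps),
        "eccs_one_train": loss_of_one_eccs_train(eccs),
        "eccs_all_trains": loss_of_all_eccs_trains(eccs),
    }


if __name__ == "__main__":
    for top_event, prob in quantify().items():
        print(f"{top_event:16s} {prob:.3e}")
```

With the assumed figures the two-diverse-parameter top event comes out at about 1.0e-5, almost entirely the software CCF term: squaring the single-parameter value buys nothing once it drops below the common cause floor, so an evaluator should ask how that floor was estimated before accepting the fault tree.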

V&V Audit identified targets for Paks NPP Reactor-Protection Refurbishment

1. QA aspects of documentation preparation, to ensure validity of evaluated documents.

2. Utilization of software analysis tools. The Hungarian regulatory position on software analysis tools is that we have no tools in house at the moment, and that ownership is not necessarily the proper solution, due to the special expertise required for tool operation and result evaluation. We have identified the need for a reverse engineering tool, like the GRS/ISTec-developed Validator tool, which transforms the C language computer code back into a database describing the process functions, and in this way provides an opportunity to compare the original process function specification database with the reverse-transformed database. A static analysis tool is not required, due to the automatic code generation in the Siemens SPACE development system.

3. Coverage aspects. System and component properties can be certified and tested. Test cases must cover all of the non-certified aspects of the components and of the integrated system. For the aspects listed below, the Authority has to identify together with the Licensee what can be certified (C) and what should be tested (T).

• Functional completeness: T

• Value range, regarding discontinuities and boundary-neighbouring parameters: T

• Modes of system operation: C, T

• Monitoring of all outputs while testing the system or a distinct module: T

• SW-SW and SW-HW interfaces, communication protocols: C

• Existence and behaviour of exception or error handling mechanisms: C

• All module and system calls are exercised in the plant-specific integrated system: C, T

• Data structures: C

• Declared constants: T

• All data items should be exercised: T

• Time-critical behaviour, system timing, response time: C, T

• Calculated values versus pre-calculated values: C

4. Particular attention has to be drawn to the identified lack of diversity in:

• Human language Functional Specification (one version only)

• Human language Functional Specification transformation to Logic Plan (Synoptical Diagram)

• Logic Plan (Synoptical Diagram) transformation to SPACE input database

• SPACE-generated C language code, compiler to running code

XA9846505
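As an added example of the back-translation check described under item 2 (comparing the process function database with a database recovered from the generated C code), the Python block below is written for this edition; it is neither the GRS/ISTec Validator tool nor the SPACE generator. The block database layout, the C statement pattern and the signal names are invented. It shows a round trip that passes on untouched generated code and reports a hand-edited setpoint and a dropped block, which is the kind of discrepancy the comparison in item 2 is meant to surface.

```python
import re

# Constructed example: a four-block process function database in the
# spirit of a logic plan. Signal names, setpoints and block ids are invented.
SPEC_DB = [
    {"id": "B1", "fn": "GT",  "in": ["T_hot_leg"],            "par": 320.0, "out": "T_hi"},
    {"id": "B2", "fn": "GT",  "in": ["P_primary"],            "par": 13.7,  "out": "P_hi"},
    {"id": "B3", "fn": "AND", "in": ["T_hi", "P_hi"],         "par": None,  "out": "TRIP_A"},
    {"id": "B4", "fn": "OR",  "in": ["TRIP_A", "MANUAL_TRIP"], "par": None,  "out": "TRIP"},
]


def generate_c(db):
    """Stand-in for the automatic code generator: one C statement per block,
    tagged with the block id so every statement can be traced to the plan."""
    lines = []
    for b in db:
        if b["fn"] == "GT":
            expr = f"{b['in'][0]} > {b['par']!r}"
        elif b["fn"] == "AND":
            expr = " && ".join(b["in"])
        elif b["fn"] == "OR":
            expr = " || ".join(b["in"])
        else:
            raise ValueError(f"unsupported block type {b['fn']}")
        lines.append(f"/* {b['id']} */ {b['out']} = ({expr});")
    return "\n".join(lines)


_STMT = re.compile(r"^/\* (\w+) \*/ (\w+) = \((.*)\);$")


def reverse_c(code):
    """Back-translation: rebuild the function database from the C code alone,
    without consulting the specification."""
    db = []
    for line in code.splitlines():
        m = _STMT.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised statement: {line!r}")
        bid, out, expr = m.groups()
        if " > " in expr:
            src, par = expr.split(" > ")
            db.append({"id": bid, "fn": "GT", "in": [src], "par": float(par), "out": out})
        elif " && " in expr:
            db.append({"id": bid, "fn": "AND", "in": expr.split(" && "), "par": None, "out": out})
        elif " || " in expr:
            db.append({"id": bid, "fn": "OR", "in": expr.split(" || "), "par": None, "out": out})
        else:
            raise ValueError(f"cannot classify expression {expr!r}")
    return db


def compare(spec, recovered):
    """Report every field that differs between the specification database and
    the database recovered from the code. An empty list means they agree."""
    diffs = []
    spec_by_id = {b["id"]: b for b in spec}
    rec_by_id = {b["id"]: b for b in recovered}
    for bid in sorted(spec_by_id.keys() | rec_by_id.keys()):
        s, r = spec_by_id.get(bid), rec_by_id.get(bid)
        if s is None or r is None:
            diffs.append((bid, "presence", s is not None, r is not None))
            continue
        for field in ("fn", "in", "par", "out"):
            if s[field] != r[field]:
                diffs.append((bid, field, s[field], r[field]))
    return diffs


def check_generated_code(spec, code):
    """The round trip: code -> recovered database -> comparison with spec."""
    return compare(spec, reverse_c(code))


if __name__ == "__main__":
    code = generate_c(SPEC_DB)
    print("untouched generated code:", check_generated_code(SPEC_DB, code))
    # A hand edit of the generated code (setpoint raised) is caught by the round trip.
    edited = code.replace("320.0", "330.0")
    print("edited setpoint:", check_generated_code(SPEC_DB, edited))
```

The reverse step deliberately knows nothing about the specification; it only understands the generator's statement pattern. That is what makes the comparison evidence: the recovered database agrees with the plan only if the code really implements it, so an edit made after generation, or a generator defect, shows up as a named block and field.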

LICENSING PROCESS OF THE DIGITAL APPLICATION: NUCLEAR MEASUREMENT ANALYSIS AND CONTROL POWER RANGE NEUTRON MONITOR (NUMAC-PRNM) SYSTEM FOR ITS IMPLEMENTATION IN THE LAGUNA VERDE NPP UNIT 2

R. LEDESMA-CARRIÓN, A. HERNÁNDEZ-CORTÉS National Commission on Nuclear Safety and Safeguards Division of Nuclear Safety Mexico

Abstract

This paper describes the licensing process performed by the Mexican Regulatory Commission (CNSNS) for the NUclear Measurement Analysis and Control - Power Range Neutron Monitor (NUMAC-PRNM) system, which sends trip signals to the Reactor Protection System (RPS) and has been implemented in the Laguna Verde Nuclear Power Plant Unit 2 (LVNPP-U2) before its first fuel loading. The review and approval process was performed with the United States Nuclear Regulatory Commission (USNRC) in an advisory role; the regulatory framework applied includes the Code of Federal Regulations, some Regulatory Guides and some industrial standards. The evaluation covered topics related to the software, hardware and firmware specifications, design, tests, training, maintenance and operational experience. After the review of these topics, the NUMAC-PRNM was approved through the CNSNS Safety Evaluation Report (SER) and then installed in LVNPP-U2. This paper includes a description of the regulatory requirements for this digital application, the safety concerns involved, the compliance with these requirements by the utility and the results of the CNSNS evaluation, mentioning the experience acquired during the process and the method used to perform the evaluation. Additionally, the interface between the designer-vendor, the utility and the regulatory body during this licensing process is commented on. Finally, the conclusion is presented, taking into account the operational experience of the NUMAC applications implemented in LVNPP. It also gives the future regulatory tasks related to the assessment of digital equipment performance and upgrades.

1. INTRODUCTION

Mexico has two Boiling Water Reactor (BWR) units, denominated Laguna Verde (LV) NPP, rated at 675 MWe each and located on the Gulf of Mexico 70 km north of Veracruz City. At this moment Unit 1 is in its sixth fuel cycle and Unit 2 is in its third fuel cycle. The design of LVNPP was made by General Electric for the Nuclear Steam Supply System (NSSS) and by Ebasco Services for the Balance of Plant (BOP). For the nuclear regulatory framework, Mexico adopted the regulations of the country of origin of the reactor, in this case Title 10 "Energy" of the Code of Federal Regulations (CFR) of the USA [1]. The LV original design was evaluated by CNSNS through the Final Safety Analysis Report (FSAR). This report includes, besides the plant component and system descriptions, the considerations on risk and safe operation; it also contains the Operational Technical Specifications (Tech Specs) and the questions and corresponding answers issued during the licensing process.

Nowadays, analog equipment shows degradation effects that can produce malfunctions; its maintenance has become more complicated and expensive, and the difficulty of obtaining replacement parts increases because components are no longer fabricated. This situation creates the need to perform diverse improvements which involve changes from analog equipment or systems (E/S) to their respective digital E/S.

In the USA, the "generic license" is usually obtained by the designer-vendor, who submits the E/S design for evaluation to the Regulatory Commission (the USNRC) in a document called a "Topical Report"; a proprietary information exchange agreement is then established. The Commission then performs the safety assessment and issues a report called a Safety Evaluation Report (SER), in which it is stated whether the E/S is found acceptable or not, and under which conditions. In the acceptable case, this SER can be included by the designer-vendor in the Topical Report, which is then called a "Licensing Topical Report" (LTR).

The licensing process performed to license digital equipment or systems allows obtaining a "generic license" and/or a "particular license" (for an application in a specific NPP). Sometimes the specific license is obtained in a less difficult way if the E/S already has a generic license. In this case, the review and approval process can be based on the assessment and approval of the generic design of this E/S issued by the regulatory organization, leaving only the features related to the specific configuration of the NPP in which it will be installed to be evaluated.

Whether or not the E/S already has a "generic approval", the owner of the NPP in which the E/S is planned to be installed will perform a "safety analysis" under the 10CFR50.59 rule [2] and then submit it for evaluation by the USNRC, as an Operating License Amendment submittal under the guidelines of 10CFR50.90 [3] and 10CFR50.92 [4]. During the evaluation process, the Commission can also interact with the supplier or manufacturer in order to evaluate the general features of the design; this activity can be performed through interviews, requests for information or questions denominated Requests for Additional Information (RAIs), facility inspections, or program and document audits. In this way an evaluation process can be developed that includes the review of the generic design and the analysis and assessment of the NPP-specific application.

2. MEXICAN NUCLEAR REGULATORY COMMISSION REQUIREMENTS TO THE LAGUNA VERDE NPP (LVNPP)

LVNPP design changes are considered under the guidelines of the 10CFR50.59 rule; therefore CNSNS requires the licensee to perform the safety analysis under the 50.59 rule to determine whether or not the proposed modification has to be submitted to CNSNS for review and approval. If the change is considered to involve an Unreviewed Safety Question (USQ), LVNPP is obliged to perform a detailed safety analysis and submit it for evaluation. The NUMAC-PRNM digital application was considered liable to create new failure modes not considered in the original analog design, according to the USNRC safety concern criteria stated in the draft of GL 95-02 issued on August 14 '92 [5].

The points to be reviewed in any digital implementation are the following:

• The Software Design Development Program, containing the Software Quality Assurance Plan (SQAP), which in turn includes the Software Configuration Management Plan (SCMP), the Software Management Plan (SMP) and the Software Verification and Validation Plan (SV&VP)

• The Commercial Grade Parts (HW/SW) Dedication Method

• The Equipment Environmental Qualification, including temperature, pressure, humidity and radiation operational conditions; electromagnetic interference (susceptibility and compatibility); electrostatic discharge protection and prevention actions

• The Equipment Seismic and Dynamic Qualification

• The Isolation and Interaction between the Class 1E and non-Class 1E parts, considering physical separation and independence criteria

• The Power Supply criteria (reliability, availability, redundancy, fail to the safe state)

• The Equipment Test Capability

• The Defense in Depth (DID) considerations, including reliability, SW Common Mode Failure (CMF) and the Single Failure Criterion (SFC)

• The Training Program for the personnel involved in operation and maintenance

• The Operational Technical Specification changes

• The affected procedures (management, operation, maintenance, training, etc.)

• The installation and validation on site, considering the site installation details and the on-site testing with live signals (functional tests), taking into account the Human Factors Program and Task Analysis results

2.1 NUMAC-PRNM ARRANGEMENT FOR THE LVNPP U2

The NUMAC-PRNM was designed, fabricated and supplied by the General Electric Company (GE) to the Mexican Federal Electricity Commission (CFE) for installation in the Main Control Room (MCR) of LVNPP U2 before its initial fuel loading. This digital equipment had never been submitted for review and approval to the USNRC in the past, so LVNPP U2 was the first plant in the world to implement this digital upgrade. The NUMAC-PRNM is part of the Neutron Monitoring System (NMS) in the power range; the equipment has a chassis, modules, components, communications and interface panels, and electrical and fiber optic connections. It includes 6 NUMAC-APRM (Average Power Range Monitor), 2 NUMAC-RBM (Rod Block Monitor), 5 NUMAC-QLVPS (Quadruple Low Voltage Power Supply) and 5 NUMAC I/O (input/output) Interface Panels (IP), and all their internal modules. The equipment is grouped in such a way that 3 APRM and 1 RBM modules are in each of the two divisions of the Reactor Protection System (RPS).

2.2 CNSNS ASSESSMENT OF THE NUMAC-PRNM SPECIFIC APPLICATION TO LVNPP U2

The review process was performed by creating an interface between CNSNS, CFE and GE, in such a way that the questions and Requests for Additional Information (RAIs) generated were addressed in parallel to GE and CFE. The evaluation was performed by a Mexican assignee at USNRC headquarters, with the technical advice of the USNRC. The RAIs were controlled by the CNSNS staff in Mexico and finally incorporated in the LVNPP U2 FSAR Chapter XX [6]. The CNSNS review included the design phase of this equipment, covering the development, modular, integration, functional and on-site tests. In order to evaluate the tests executed in the stages prior to installation on site, it was necessary to obtain the test results controlled under the GE SCMP and then perform a traceability task to follow the process, paying special attention to the open items raised during the process and their final resolution. The hardware (HW) criteria applied to the safety system design are stated in ANSI/IEEE Std 603-1980 [7], endorsed by RG 1.153 [8]. RG 1.152 [9] states the application of ANSI/IEEE Std 7-4.3.2-1982 [10] for software (SW).

In the following paragraphs each point considered in the evaluation is addressed, and the applicable standards and the main aspects of the review process are mentioned.

• Software Reliability

For the design, development and testing of the NUMAC-PRNM at the vendor facility in San Jose, CA, USA, GE applied its SQA Plan and related procedures, which were verified to be consistent with the requirements specification. The GE SCMP, SMP and SV&VP had been approved by the USNRC in the past and were issued according to the guidelines stated in ANSI/IEEE 7-4.3.2, also considering the following standards, not officially endorsed by the USNRC at that moment: IEEE 730-1989 [11], IEEE 828-1983 [12], IEEE 829-1983 and IEEE 1012-1986 [13], ASME NQA-2a-1990 Part 2.7 [14] and IEC 880 [15], as methods to meet the requirements of 10CFR50 Appendix B [16] and RG 1.152. In September 1997 the USNRC issued the RGs that endorse these SW IEEE standards. The NUMAC-PRNM uses microprocessors, with the functional and display capabilities implemented in software. The SW resides in Erasable Programmable Read-Only Memory (EPROM). The GE SCMP states that any SW revision will be accompanied by a HW part number revision and will require an Engineering Change Notice (ECN) to implement. Verification and Validation (V&V) [17] is the process of determining whether the requirements for a system or component are complete and correct, whether the products of each development phase fulfill the requirements or conditions imposed by the previous phase, and whether the final system or component complies with the specified requirements; the assessment was based on the review of the modular, integration and functional test results. For the operating system (OS) used in the Main CPU modules, GE used the NUMAC NM386 OS, which was adequately tested and reviewed under the NUMAC V&V program. The commercial programming languages used in the Main CPU and Display CPU were PL/M-86, assembler and C+, applied under the GE SCMP, SMP and SV&VP accepted in the past by the USNRC and controlled by the NUMAC SQA program. These processes were found acceptable by CNSNS.

• Dedication of Commercial Grade Parts

Because commercial components (HW/FW/SW) are not produced under the quality assurance control process requirements applied to Class 1E equipment, it is necessary to evaluate the potential failure modes (single, multiple or common mode) they can produce (GL 89-02 [18], GL 91-05 [19], ASME NQA-1-1989 [20] and EPRI NP-5652 [21]). For the NUMAC-PRNM, GE dedicated the high and low voltage power supplies using the methods stated in its procedure GE EOP 65-2.20 [22], which had previously been reviewed by the USNRC; this was found acceptable by CNSNS.

• Environmental Qualification

10CFR50.49 [23] and RG 1.89 [24] state the equipment environmental qualification requirements. Although the NUMAC-PRNM was installed in the LVNPP U2 MCR, which is considered a "mild" environment, GE developed an equipment qualification considering the following aspects:

Temperature, pressure and humidity: the operational ranges of these parameters were analyzed for the environment in which the equipment was installed. IEEE 323-1974 [25] was used as a guide to perform the qualification. The environmental limit values were determined by test and were: temperature 5 °C to 50 °C, pressure ±1.0" H2O, humidity 20% to 90%. These values were found acceptable. Radiation: for the NUMAC-PRNM installed in the MCR boards, GE determined a Total Integrated Dose (TID) of 175 rad for a 40-year operational period at 100% load factor and nominal thermal power, and a TID of 30 rad (integrated over 65 months) for the accident condition. The guideline used for this qualification was IEEE 323-1974. These values were found acceptable.

• Electromagnetic Interference (EMI)

To evaluate EMI/RFI it is necessary to review the vendor's test methodology, especially the frequencies used in the test, and also the modifications performed to compensate for the susceptibilities found. Some guidelines used to evaluate the EMI aspect are the following: NUREG/CR-3270 [26], IN 83-83 [27], MIL-STD-461 [28], MIL-STD-462 [29] and IEC 801-2 [30]. For the NUMAC-PRNM, GE made a comparative study [31] in which no NUMAC-PRNM component or module was physically tested; the study was based on tests of other NUMAC equipment. The ranges and frequencies considered in this study were: radiated electric field 10 kHz to 1.8 GHz at a field strength of 50 V/m; radiated magnetic field 30 Hz to 50 kHz at a field strength of 80 to 120 dBpT. GE states that the NUMAC-PRNM has an "improved mechanical design" with better EMI resistance than the other NUMAC chassis. GE also states that the PRNM equipment is not susceptible to electromagnetic (EM) disturbances from neighboring modules and does not cause electromagnetic disturbances to neighboring modules. Until now, no measurement of the EM field for the equipment installed at the plant has been performed by the licensee or the vendor. The CNSNS technical position was that the LVNPP Unit 2 MCR electromagnetic environment will be tested in the future. This item is still pending.

• Electrostatic Discharge (ESD)

For the NUMAC-PRNM, GE had used IEC Std 801-2 in the past to qualify the NUMAC-LRM; the NUMAC-PRNM was then qualified by analysis at severity level 3 (8 kV air discharge, 4 kV contact discharge). Also, precautionary information on the servicing of electronic devices susceptible to ESD was included in the CFE operation and maintenance procedures. This point was found acceptable.

• Seismic and Dynamic Qualification

The NUMAC-PRNM was installed inside the vertical board VB-21, which has five (5) bays. GE developed an analysis from the Floor Response Spectra (FRS), considering their amplification inside the panel, and determined by test at its facilities in San Jose, CA, USA, the peak value of the amplitude of such spectra and the Zero Period Acceleration (ZPA). The guidance for this analysis is based on RG 1.100 [32] and IEEE 344-1987 [33]. GE stated that its test results enveloped the site-specific results; the test reached accelerations of 3.0 g in the three spatial axes. However, the GE analysis only considered 3 of the 5 bays included in the Laguna Verde VB-21. Therefore, after the CNSNS evaluation, a more detailed on-site dynamic test and analysis was required and was performed by Wyle Laboratories [34]. This complementary test confirmed that the NUMAC-PRNM equipment installed in the 5-bay panel withstands the "g" values considered in the LVNPP design.

• Isolation and interaction between the Class IE and No Class IE parts

The independence, physical separation and isolation criteria used in the equipment design are stated in 10CFR50 Appendix A GDC 22 and 24 [35], RG 1.75 [36], RG 1.153, IEEE Std 279-1971 [37], IEEE Std 384-1981 [38], IEEE Std 472-1974 [39] and ANSI/IEEE Std 603-1980. The NUMAC-PRNM modules and components classified as Safety-Related (S-R) receive power from dedicated, independent and divisionally separated Class 1E power supplies. The isolation between the NUMAC-PRNM system and the existing Neutron Monitor System (NMS) and Reactor Protection System (RPS) is based on relay isolation. All inter-channel and isolation devices use optical fiber, so the methods of isolating the Class 1E components from the Non-Class 1E ones were considered acceptable.

• Power supply

10CFR50 Appendix A GDCs 17, 21 and 23 state the requirements for the system power sources and the failure-to-safe-state condition. For the NUMAC-PRNM the quality of the system power supply was verified, defining its availability and reliability and reviewing the system's adequacy under a loss-of-power event (failure to the safe state); CNSNS found it acceptable.

• Test Capability

10CFR50 Appendix A GDC 21 states the test capability requirement, as do RG 1.22 [40], RG 1.47 [41], RG 1.118 [42], IEEE Std 279-1971 and IEEE Std 338-1977 [43]. For the self-test concept it must be determined that: (1) it is known which components are being tested, (2) the components being tested are appropriately tested, and (3) there is no problem in any S-R to NS-R interface. In the case of the NUMAC-PRNM, the self-test function satisfied these requirements.

• Defense In Depth (DID)

The Single Failure Criterion (SFC), stated in RG 1.53 [44] and IEEE Std 379-1972 [45], requires that any single failure shall not prevent proper protective action at the system level when it is required. Microprocessor-based digital systems that share databases and processing equipment have a potential for CMF in the areas of SW, HW, and SW/HW interaction. Defense against CMF is provided by the levels of quality, redundancy and diversity present in the digital system design. For the NUMAC-PRNM the quality is considered adequate, bearing in mind that a good Quality Assurance Program strongly reduces, but cannot eliminate, the likelihood of a software CMF. Redundancy is accomplished by the NUMAC architecture design, which includes six independent APRM channels, the watchdog timer and the self-diagnostics. The diversity requirement states that, in case the PRNM signals cannot contribute to the SCRAM function of the RPS during a high neutron flux event, there should be other functions, physically separate from the NUMAC-PRNM system, that constitute a diverse, highly reliable backup capable of responding to this event within an acceptable response time. The PRNM has no automatic backup system; the diverse means of performing the protective action in case the NUMAC-PRNM suffers a CMF during an event is considered to be the reactor operator, who uses information from the MCR displays of alternate parameters that indicate the effect of a high neutron flux and manually performs the SCRAM function. An MCR Task Analysis was performed in the Laguna Verde simulator, showing an appropriate operator response.
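The single-failure and common-mode-failure argument above can be checked mechanically. The following Python model is an added example, not part of the paper or of the GE design: it keeps the paper's channel grouping (six APRM channels, three per RPS division), but the voting logic (one-out-of-n within a division, both divisions required for a SCRAM), the 120% setpoint, the fail-safe INOP trip on a watchdog- or self-test-detected failure, and the operator's alternate-parameter thresholds are simplifying assumptions made for illustration. It postulates each single channel failure, detected and undetected, and confirms that none defeats the SCRAM; it then applies one software error to all six channels and shows that only the diverse manual action still provides protection.

```python
"""Single Failure Criterion vs. software common-mode failure in a channelised trip function.

Added illustration, not from the paper or the GE design. Channel grouping follows the
paper (six APRM channels, three per RPS division); voting, setpoint, fail-safe INOP
trip and the operator's alternate-parameter thresholds are assumptions for the example.
"""
from dataclasses import dataclass, replace
from typing import Callable, Dict, List

TRIP_SETPOINT = 120.0   # assumed APRM high-flux trip setpoint, % rated power


@dataclass(frozen=True)
class Channel:
    name: str
    division: str
    flux: float            # flux as computed by the channel's software, % rated power
    healthy: bool = True   # watchdog / self-diagnostic status


def channel_trips(ch: Channel) -> bool:
    # Assumption: a watchdog- or self-test-detected failure drives an INOP trip,
    # i.e. the channel fails to the safe state instead of staying silent.
    return (not ch.healthy) or ch.flux >= TRIP_SETPOINT


def division_trips(channels: List[Channel], division: str) -> bool:
    # Assumption: one-out-of-n logic within a division.
    return any(channel_trips(c) for c in channels if c.division == division)


def scram(channels: List[Channel]) -> bool:
    # Assumption: both RPS divisions must trip (simplified two-trip-system RPS).
    return all(division_trips(channels, d) for d in sorted({c.division for c in channels}))


def prnm_channels(true_flux: float,
                  software: Callable[[float], float] = lambda x: x) -> List[Channel]:
    """Six APRM channels, APRM1-3 in division A and APRM4-6 in division B, all running
    the same software (the shared element that makes a software CMF possible)."""
    return [Channel(f"APRM{i}", "A" if i <= 3 else "B", software(true_flux))
            for i in range(1, 7)]


def single_failures_defeating_scram(channels: List[Channel]) -> List[str]:
    """SFC check: postulate each channel failing alone, in a detected mode (watchdog
    flags it) and an undetected mode (stuck reading zero while reporting healthy),
    and list every case in which the system-level SCRAM is lost."""
    defeated = []
    for i, ch in enumerate(channels):
        for mode, failed in (("detected", replace(ch, healthy=False)),
                             ("undetected-stuck-low", replace(ch, flux=0.0))):
            trial = channels[:i] + [failed] + channels[i + 1:]
            if not scram(trial):
                defeated.append(f"{ch.name}:{mode}")
    return defeated


def operator_manual_scram(alternate_indications: Dict[str, float]) -> bool:
    """Diverse backup: the operator acts on MCR parameters that reflect the effect of
    high flux but are not produced by the PRNM. Thresholds are constructed values."""
    return (alternate_indications.get("reactor_pressure_psig", 0.0) > 1050.0
            or alternate_indications.get("steam_flow_percent", 0.0) > 120.0)


def protection_available(channels: List[Channel],
                         alternate_indications: Dict[str, float]) -> bool:
    return scram(channels) or operator_manual_scram(alternate_indications)


if __name__ == "__main__":
    event = prnm_channels(130.0)                       # high-flux event, all channels sound
    print("automatic SCRAM:", scram(event))             # True
    print("single failures defeating SCRAM:", single_failures_defeating_scram(event))  # []
    # Same software error in every channel: each under-reads flux by half.
    cmf = prnm_channels(130.0, software=lambda x: x * 0.5)
    print("automatic SCRAM under SW CMF:", scram(cmf))  # False: redundancy alone does not help
    alt = {"reactor_pressure_psig": 1080.0}             # constructed alternate indication
    print("protection with operator backup:", protection_available(cmf, alt))  # True
```

The point the model makes is the one the paper makes in prose: every single failure is covered by the redundant channels and the fail-safe INOP trip, but a defect shared by all six channels is not, because redundancy multiplies copies of the same software; only something that does not run that software (here the operator acting on alternate parameters) remains.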

• Training

Training was an important part of installing and operating the NUMAC-PRNM. The licensee trained the operators and technicians. CNSNS verified the effectiveness of some training sessions during a technical visit and found them acceptable.

• Operational Technical Specification [Tech Spec] Changes

For this NUMAC-PRNM application no changes to the Tech Specs were produced, because the allowable values and setpoints remain the same, no trip signal was added, and the response times meet the requirements (10CFR50.36 [46] and 10CFR50.59).

• Procedures

The licensee revised its operational and maintenance procedures, updating them as necessary according to the GE operational and maintenance procedures and training methods; these actions were found acceptable by CNSNS during a technical visit.

• In Site Test, Installation and Validation

Based on the review of the points mentioned above, CNSNS performed a technical visit to the site to verify the satisfactory fulfillment of the requirements. A walkthrough (physical and documentation review) was done, confirming that the factory testing had been executed and adequately controlled by the producer-vendor up to the shipment of the equipment. Later, when the equipment was received on site, it was verified by the Quality Assurance groups (vendor and licensee); CFE, however, did not have a SQA program. The on-site tests were performed and controlled by the licensee with the vendor in an advisory role, covering the phases of reception, installation, preoperational and functional tests (CFE PP-251C [47]). CNSNS followed the development of the on-site tests and observed that some changes were made to the NUMAC-PRNM EPROM at the direct request of the GE technician, so CNSNS required the participation of the CFE quality assurance group to control these changes. At that time, the CNSNS position was to suggest to CFE the incorporation of SQA into the LVNPP Quality Assurance Program (QAP), because this problem was considered to fall under the SCM scope focused on the operation and maintenance stages of the NUMAC-PRNM SW life cycle. After that situation, the tests were concluded satisfactorily and the NUMAC-PRNM was left in the operable state, ready for initial fuel loading and for the reactor start-up test and commercial operation phases.
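The SCMP rule described under Software Reliability (any SW revision carries a new HW part number revision and an ECN) and the uncontrolled EPROM changes observed on site are two sides of the same configuration-management control. The Python below is an added example, not code from the paper, GE or CFE: it keeps a release record keyed by part number revision, holding the image digest and the authorising ECN, so that an image read back from an installed EPROM can be checked against the baseline for the revision printed on its label, and a change made in the field without a new revision is detected. The part number, the ECN identifiers and the image bytes are constructed for the example.

```python
"""Release-record check for EPROM firmware images under software configuration management.

Added illustration, not code from the paper, GE or CFE. It models the SCMP rule that a
software change must be released as a new hardware part-number revision with an ECN,
and detects an image that was altered in the field without that record. The part
number, ECN identifiers and image bytes are constructed for the example.
"""
import hashlib
from typing import Dict, Tuple

PART = "APRM-CPU-EPROM"        # hypothetical part number
ReleaseRecord = Dict[Tuple[str, str], Dict[str, str]]

# Constructed stand-in for the released EPROM image (the real one is a binary).
RELEASED_IMAGE = b"NUMAC-PRNM APRM image rev B\x00" + bytes(range(256))

# Simulated field patch: one byte changed in the EPROM on site, with no ECN.
FIELD_PATCHED_IMAGE = RELEASED_IMAGE[:32] + b"\xff" + RELEASED_IMAGE[33:]


def image_digest(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


# The configuration baseline: (part, HW revision) -> digest of the released image
# and the Engineering Change Notice that authorised that revision.
RELEASE_RECORD: ReleaseRecord = {
    (PART, "B"): {"sha256": image_digest(RELEASED_IMAGE), "ecn": "ECN-0001"},
}


def verify_installed(part: str, hw_rev: str, installed: bytes,
                     record: ReleaseRecord = RELEASE_RECORD) -> Tuple[bool, str]:
    """Compare the image read back from an installed EPROM with the baseline for the
    part-number revision on its label. A mismatch means the software was changed
    without a revision, i.e. outside configuration control."""
    entry = record.get((part, hw_rev))
    if entry is None:
        return False, f"{part} rev {hw_rev}: no release record"
    if image_digest(installed) != entry["sha256"]:
        return False, f"{part} rev {hw_rev}: installed image differs from baseline"
    return True, f"{part} rev {hw_rev}: matches baseline, authorised by {entry['ecn']}"


def controlled_release(record: ReleaseRecord, part: str, new_rev: str,
                       image: bytes, ecn: str) -> ReleaseRecord:
    """The only sanctioned way to change the software: a new part-number revision
    entered in the record together with its ECN. Returns an updated copy; released
    revisions are never overwritten."""
    if not ecn:
        raise ValueError("an ECN is required to release a software change")
    if (part, new_rev) in record:
        raise ValueError(f"{part} rev {new_rev} already released")
    updated = dict(record)
    updated[(part, new_rev)] = {"sha256": image_digest(image), "ecn": ecn}
    return updated


if __name__ == "__main__":
    print(verify_installed(PART, "B", RELEASED_IMAGE))        # (True, ...)
    print(verify_installed(PART, "B", FIELD_PATCHED_IMAGE))   # (False, ...): uncontrolled change
    # Proper path for the same change: new revision C under ECN-0002, then re-verify.
    updated = controlled_release(RELEASE_RECORD, PART, "C", FIELD_PATCHED_IMAGE, "ECN-0002")
    print(verify_installed(PART, "C", FIELD_PATCHED_IMAGE, record=updated))  # (True, ...)
```

Reading the installed EPROM back and checking it against the record is the test a licensee QA group can run after any vendor intervention; the same patched bytes pass only once they have been released as a new revision with an ECN, which is exactly the SCMP rule the paper cites.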

3. SUMMARY

3.1 Licensing Process pending items

The pending items are related to the requirement to perform an EM map of the LVNPP U2 MCR. EPRI TR-102323-1994 [48] and NUREG/CR-6436 [49] present the EM environment of some NPPs as an attempt to generate an envelope for the BWR EM environment, but until now it is considered that each NPP has a specific environment; therefore, the LVNPP EM map will be performed in the near future at different reactor power conditions.

The CNSNS suggestion to LVNPP to incorporate into its Quality Program the SQAP, including the SCMP, SMP and SV&VP, throughout the SW life cycle is now a requirement. Fulfillment of this requirement by CFE is pending, but several steps have been taken: during a recent technical visit the latest versions of RG 1.152 and RG 1.153, and the draft versions of the RGs that will endorse the SW IEEE standards, were presented and discussed.

3.2 Operational Experience of the NUMAC applications in MEXICO

Currently, LVNPP U1 and U2 have several digital applications important to safety. The operational experience with the NUMAC family (PRNM, SRNM, LRM, LCRM, ATIP, RWM) installed in both units shows that this equipment has benefits for the safety and operation of the NPP; however, its implementation has produced a new kind of safety culture, which introduces new operating precautions and requires more detailed consideration in the root cause analysis of safety concerns for the new digital equipment, such as the HW environmental susceptibilities to temperature, EMI, smoke, etc., and the SW precautions related to the CMF and DID aspects.

Recently, CNSNS performed a technical visit to LVNPP and observed some problems in the digital equipment; most of them did not cause a Licensee Event Report (LER) under the 10CFR50.72/73 rule [50], but did result in the issuing of an Abnormal Event Report (REA), which enforced the need for a root-cause analysis by the licensee with the support of the vendor. The problems detected are related to the generation of spurious isolation and half-SCRAM signals during the testing of one system division as required by the Tech Specs. The immediate corrective actions performed by the licensee, with the advice of the vendor, have been the resetting of the test function and repetition of the tests, and in a few cases, after some rare recurrences, the replacement of one slot card and repetition of the test. One possible root cause is the temperature increase registered inside the panel where the modules are located (up to 56 °C); another could be SW malfunctions. The CNSNS position, accepted by the licensee, was to determine the specific root cause with the support of the designer-producer-vendor. These events show the kind of problems that were not detected during the V&V tests and the on-site functional tests, and that are observed after 1 or 2 years of operation.

3.3 CNSNS Future Tasks

• CNSNS is taking measures to implement a program to record, evaluate and perform trend analyses of the digital equipment malfunctions in both units of LVNPP, and is working on the possibility of enforcing an international experience backfit through an IAEA cooperation project.

• CNSNS will also evaluate, in case CFE implements it, the NUMAC-PRNM Plus instability trip function to resolve the BWR thermal-hydraulic instability problems, which is required as a long-term solution by GL 94-02 [58].

4. CONCLUSIONS

• The NUMAC-PRNM CNSNS licensing process performed in 1994 was considered acceptable, taking into account that, at the time it was issued, it was a time of change in the industry and regulatory points of view: several industry standards and regulatory guides were under review and approval. Also, GL 95-02, which officially established the USNRC safety concerns for digital applications, did not appear until 1995, and the official endorsement of IEEE 7-4.3.2-1993 by RG 1.152 and of IEEE 603-1991 by RG 1.153 was not done until 1996. Now RG 1.168 [51], RG 1.169 [52], RG 1.170 [53], RG 1.171 [54], RG 1.172 [55] and RG 1.173 [56] endorse the application of the IEEE standards related to SV&V, SW test documentation, SCM, SW unit testing, SW requirements specifications and developing SW life cycle processes, respectively. These RGs reinforce the CNSNS technical position requiring SQA implementation at LVNPP. The CNSNS SER [57] for the specific application of the NUMAC-PRNM to LVNPP U2 addresses all the assessment results.

• Because problems in the performance of some digital equipment installed in both units of LVNPP have been detected, and taking into account that these problems did not produce a licensee event report under the 10CFR50.72/73 rule but are considered at this time to be important information, an agreement has been established between the licensee and CNSNS to report, record and evaluate these problems. This allows a traceability analysis to determine the reliability of the digital equipment more precisely, and then to gain deeper knowledge of its performance, leading to the generation and implementation of more adequate corrective actions.

5. REFERENCES

[1] Code of Federal Regulations, Title 10, Energy (10CFR)
[2] 10CFR50.59 "Changes, tests and experiments"
[3] 10CFR50.90 "Application for amendment of license or construction permit"
[4] 10CFR50.92 "Issuance of amendment"
[5] GL 95-02 "Use of NUMARC/EPRI Report TR-102348, 'Guideline on Licensing Digital Upgrades', in determining the acceptability of performing analog-to-digital replacements under 10CFR50.59"
[6] LVNPP U2 FSAR Chapter XX
[7] ANSI/IEEE Std 603-1980 -> IEEE Std 603-1991 "IEEE Standard Criteria for Safety Systems for NPGS", Institute of Electrical and Electronics Engineers
[8] RG 1.153 "Criteria for Power, Instrumentation and Control Portions of Safety Systems", 1985 / 1996
[9] RG 1.152 "Criteria for Programmable Digital Computer System Software in Safety-Related Systems of NPPs", 1985 / 1996
[10] ANSI/IEEE Std 7-4.3.2-1982 -> IEEE Std 7-4.3.2-1993 "Application Criteria for Programmable Digital Computer Systems in Safety Systems of NPGS"
[11] IEEE Std 730-1989 "Software Quality Assurance Plans"
[12] IEEE Std 828-1983 "Software Configuration Management Plans"
[13] IEEE Std 829-1983 "Software Test Documentation" and IEEE Std 1012-1986 "IEEE Standard for Software Verification and Validation Plans"
[14] ASME NQA-2a-1990, Part 2.7, "Quality Assurance Requirements of Computer Systems for Nuclear Facility Applications", ASME
[15] IEC 880 "Software for Computers in the Safety Systems of Nuclear Power Stations"
[16] 10CFR50 Appendix B "Quality Assurance Program"
[17] IEEE Std 610.12-1990 "IEEE Standard Glossary of Software Engineering Terminology"
[18] GL 89-02 "Actions to Improve the Detection of Counterfeit and Fraudulently Marketed Products"
[19] GL 91-05 "Licensee Commercial-Grade Procurement and Dedication Programs"
[20] ASME NQA-1-1989 "Quality Assurance Program Requirements for Nuclear Facilities"
[21] EPRI NP-5652 "Guidelines for the Utilization of Commercial-Grade Items for Use in Safety-Related Applications" (1983)
[22] GE Engineering Operating Procedure EOP 65-2.20 "Dedication of Commercial Items", Rev. 4 (1989), Rev. 5 (1994)
[23] 10CFR50.49 "Environmental Qualification of Electric Equipment Important to Safety for NPPs"
[24] RG 1.89 "Qualification of Class 1E Equipment for NPPs", 1974
[25] IEEE Std 323-1974 "IEEE Standard for Qualifying Class 1E Equipment for NPGS"
[26] NUREG/CR-3270 "Investigation of Electromagnetic Interference (EMI) Levels in Commercial NPPs"
[27] IN 83-83 "Use of Portable Radio Transmitters Inside NPPs"
[28] MIL-STD-461 (A, B, C) "Electromagnetic Emission and Susceptibility Requirements for the Control of EMI"
[29] MIL-STD-462 "Electromagnetic Interference Characteristics Measurements"
[30] IEC 801-2 "Electrostatic Discharge Requirements" (1991)
[31] GE Interim Report: NUMAC-PRNM EMI/RFI Environmental Qualification, prepared for Laguna Verde Unit II, 1994
[32] RG 1.100 "Seismic Qualification of Electric and Mechanical Equipment for NPPs", Rev. 1, 1977
[33] IEEE Std 344-1975 (1987) "IEEE Recommended Practice for Seismic Qualification of Class 1E Equipment for NPGS"
[34] Wyle Laboratory Report for LVNPP U2, NUMAC Panel Dynamic Testing, 1996
[35] 10CFR50 Appendix A "General Design Criteria (GDCs) for NPPs" [GDCs Nos. 2, 4, 17, 20, 21, 22, 23, 24, 25]
[36] RG 1.75 "Physical Independence of Electrical Systems", Rev. 2, 1978
[37] IEEE Std 279-1971 "Criteria for Protection Systems for Nuclear Power Generating Stations (NPGS)"
[38] IEEE Std 384-1977 "Criteria for Independence of Class 1E Equipment and Circuits"
[39] IEEE Std 472-1974 "Guide for Surge Withstand Capability Tests"
[40] RG 1.22 "Periodic Testing of Protection System Actuation Functions", 1972
[41] RG 1.47 "Bypassed and Inoperable Status Indication for NPP Safety Systems", 1973
[42] RG 1.118 "Periodic Testing of Electric Power and Protection Systems", Rev. 2, 1978
[43] IEEE Std 338-1977 "IEEE Standard Criteria for the Periodic Testing of NPGS Safety Systems"
[44] RG 1.53 "Application of the Single-Failure Criterion to NPP Protection Systems", 1973
[45] IEEE Std 379-1977 "Application of the Single-Failure Criterion to NPGS Class 1E Systems"
[46] 10CFR50.36 "Technical Specifications"
[47] CFE Preoperational Test PP-251C
[48] EPRI TR-102323-1994 "Guidelines for Electromagnetic Interference Testing in Power Plants"
[49] NUREG/CR-6436 "Survey of Ambient Electromagnetic and Radio-Frequency Interference Levels in NPPs" (1996)
[50] 10CFR50.72/73 "Immediate Notification Requirements" / "Licensee Event Report System"
[51] RG 1.168 "Verification, Validation, Reviews and Audits for Digital Computer Software (DCS) Used in Safety Systems (SS) of NPPs" (1997)
[52] RG 1.169 "Configuration Management Plans for DCS Used in SS of NPPs" (1997)
[53] RG 1.170 "Software Test Documentation for DCS Used in SS of NPPs" (1997)
[54] RG 1.171 "Software Unit Testing for DCS Used in SS of NPPs" (1997)
[55] RG 1.172 "Software Requirements Specifications for DCS Used in SS of NPPs" (1997)
[56] RG 1.173 "Developing Software Life Cycle Processes for DCS Used in SS of NPPs" (1997)
[57] CNSNS Safety Evaluation Report for the NUMAC-PRNM Implementation at LVNPP U2, 1994
[58] GL 94-02 "Long-Term Solutions and Upgrade of Interim Operating Recommendations for Thermal-Hydraulic Instabilities in BWRs"

XA9846506

NRC PERSPECTIVES ON THE DIGITAL SYSTEM REVIEW PROCESS

J.L. MAUCK Instrumentation and Controls Branch Division of Reactor Controls and Human Factors Office of Nuclear Reactor Regulation United States Nuclear Regulatory Commission Washington, D.C., USA

Abstract

Since about 1988, the USNRC has been involved in the review of digital retrofits to instrumentation and control (I&C) systems in nuclear power plants. Initially this involvement was limited, but with the advent of the 1990s NRC involvement has become greater because of increased interest in and application of digital systems as existing analog systems become obsolete. Criteria for the design of such systems to ensure safety have been promulgated over the years, and the USNRC has been actively involved both nationally and internationally in this effort. With the publication of the Zion Eagle 21 Safety Evaluation Report in 1992, Generic Letter 95-02 in April 1995, which endorses EPRI guidance document TR-102348 on digital upgrades, and the latest revision to Regulatory Guide 1.152, which endorses IEEE 7-4.3.2-1993, a basic digital system review process was established. The NRC supplemented this review process with recently issued inspection procedures for use by NRC inspectors when conducting onsite reviews of digital modifications. In addition, the NRC undertook a major effort to codify the above guidance, and the experience gained over these years from digital system reviews of both operating plant modifications and advanced reactor designs, into a revision to the Standard Review Plan (SRP), NUREG-0800, Chapter 7, Instrumentation and Control. This SRP revision was published in June 1997 and included new SRP sections, branch technical positions and six new regulatory guides endorsing IEEE standards on software quality. The NRC staff believes that a stable digital system review process is now in place.

1. INTRODUCTION

Actual implementation of digital system modifications to US nuclear power plants is not new; such systems have been in use since the late 1970s. Activity on the part of licensees in the 1980s and early 1990s highlighted the need to update NRC staff review criteria. The publication of the NRC Safety Evaluation Report dated June 9, 1992, on the Eagle 21 Reactor Trip System modification at Zion provided a comprehensive digital system review framework for operating reactor digital modifications. Additionally, during this same period, the NRC was completing reviews of the advanced light water reactor digital instrumentation and control system designs. It was decided to codify both the operating reactor digital modification reviews and the advanced reactor instrumentation and control system design reviews into a revision to the Standard Review Plan.

The challenge for the NRC was to balance the advantages of digital systems against the potential problems they create, and to maintain the level of safety prescribed in the existing regulations and individual plant licensing bases. The experience gained from the reviews of digital system operating plant upgrades, the reviews of the advanced light water reactor designs, and the interactions with experts in academia, industry and government (here and abroad) led to what the NRC believes is a stable licensing approach for use in future upgrade proposals.

2. STANDARD REVIEW PLAN

The USNRC has recently completed a several year task to update the regulatory framework and review guidance for nuclear power plant digital I&C systems. This update consists of a revision to the SRP, NUREG-0800 Chapter 7, Instrumentation and Control, which incorporates six new regulatory guides endorsing IEEE standards on software quality, new branch technical positions addressing review aspects of digital systems, and new sections in Chapter 7 on diverse I&C systems and data communication systems. Also included are references to USNRC endorsement of key EPRI topical reports dealing with specific topics of concern in digital systems including EPRI TR-102348 on digital system upgrades, TR- 106439 dedication of commercial-off-the-shelf software, and TR-102323 on electromagnetic interference protection. The framework sets out an acceptable approach to implementation of digital I&C systems, but is not a requirement. Licensees may provide alternative approaches with appropriate justification. There are also twenty publicly available USNRC technical reports that provide background and support for the SRP guidance and cover such digital I&C issues as: diversity analysis; software reliability and safety; environmental effects; programming languages; human-system interface; and software verification and validation.

The major revision to SRP Chapter 7 was the addition of detailed review guidance and acceptance criteria for digital computer-based I&C systems. The guidance covers the regulatory basis, the information to be reviewed, and the basis for acceptance. The staff's acceptance of software for digital computer-based I&C systems is based upon three factors for ensuring software quality. The first factor is confirmation that the software was developed in accordance with acceptable software development plans. The second factor is evidence that the plans were followed in an acceptable software life cycle process. The third factor is evidence that the life cycle process produced acceptable design outputs.

The review approach for digital systems is similar to that used by most industry and regulatory authorities concerned with the safe application of digital technology. It consists of a two-fold demonstration: provision of a high-quality software and hardware design development process, and a level of defense-in-depth and diverse capability to offset the recognition that software cannot be made error-free despite this high-quality process. The software development process calls for effective documentation of the software life cycle, including the requirements specification and the verification and validation program. The principal feature of the NRC criteria for this demonstration is the endorsement of industry standards on the quality of the software development process and of other industry guidelines on digital system implementation.

The following discussion describes the content of the update to SRP Chapter 7 and highlights the major differences between the 1997 version and the previous version (1981). These differences are due mainly to the issues involved in the use of digital technology as discussed above and in part due to new safety issues that have occurred over the years.

Chapter 7 of the SRP provides guidance for the review of the instrumentation and control (I&C) portions of (1) applications for nuclear reactor licenses or permits and (2) amendments to existing licenses. The SRP guidance may also be applied in the review of topical reports submitted to NRC by vendors and industry groups requesting generic acceptance of systems or components and of specific topics that may be used in and are applicable to nuclear power plant I&C systems.

SRP Section 7.0 provides an overview of the process used by the NRC to review both the I&C portion of license applications and the I&C portions of generic safety evaluations of specific topics. Guidance is provided to the reviewer in applying Chapter 7 of the SRP to these reviews.

Figure 7.0-2 illustrates the life cycle for any I&C system, and relates the application types to the life-cycle activities that should be addressed by the application. The review of any application should involve all the applicable life-cycle activities. Reviews should confirm the acceptability of system requirements and the adequacy with which the final system meets these requirements. Review of non-digital computer-based system implementation may focus on component and system requirements, design outputs, and validation (e.g., type testing). Review of digital computer-based systems should focus on confirming the acceptability and correct implementation of the life-cycle activities. Appendix 7.0-A describes a generic process for reviewing the unique aspects of computer-based systems, including hardware/software integration.

The guidance in Appendix 7.0-A is used in conjunction with the remaining sections of SRP Chapter 7 when applied to a digital system for review of (1) the overall I&C system design described in Section 7.0, (2) the design criteria and commitments described in Section 7.1, and (3) the individual I&C systems described in Sections 7.2 through 7.9. This appendix illustrates how the review activities interact with each other and with the overall I&C system review process described in Sections 7.1 through 7.9. Additional information relevant to the review process can be found in the references in Section D of this appendix.

SRP Section 7.1 discusses the review of the overall I&C system concept and generic system requirements. Appendices 7.1-A, 7.1-B, and 7.1-C discuss the review procedures for each acceptance criterion relevant to I&C systems.

The fundamental acceptance criteria for I&C systems are described in 10 CFR 50.55a, which refers to ANSI/IEEE Std 279, "Criteria for Protection Systems for Nuclear Power Generating Stations;" Reg. Guide 1.153, "Criteria for Power, Instrumentation, and Control Portions of Safety Systems," which endorses IEEE Std 603, "IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations;" and Appendix A of 10 CFR Part 50, General Design Criteria (GDC). Appendix B of 10 CFR Part 50, Quality Assurance Criteria, provides criteria for quality assurance programs to be applied to the design, fabrication, construction, and testing of I&C safety systems. The criteria of 10 CFR Part 50 apply to safety-related digital I&C systems and are sufficient to support licensing of such systems. Specific guidance for digital system designs is contained in IEEE Std 7-4.3.2, "IEEE Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations," which is endorsed by Reg. Guide 1.152, "Criteria for Digital Computers in Safety Systems of Nuclear Power Plants." For applications for standardized plant design certification under 10 CFR Part 52, the technical acceptance criteria of 10 CFR 50 apply.

Certain characteristics of digital I&C systems necessitate that augmented review approaches and different review perspectives be used in assessing compliance with the fundamental acceptance criteria of 10 CFR Part 50. These characteristics are important to the evaluation of (1) design qualification of digital systems, (2) protection against common-mode failure, and (3) selected functional requirements of IEEE Std 603 and the GDC that pose new assurance challenges when implemented using computers. These issues are discussed in more detail below and are the basis for the guidance in SRP Section 7.1 for digital I&C system reviews.

Digital I&C systems require additional design and qualification approaches that are not typically employed for analog systems. The performance of analog systems can typically be predicted by the use of engineering models. These models can also be used to predict the regions over which an analog system exhibits continuous performance. The ability to analyze the system design using models based upon physics principles, and the ability to use these models to establish a reasonable expectation of continuous performance over substantial ranges of input conditions, are important factors used in the qualification of analog system designs. These factors enable extensive use of type testing, acceptance testing, and inspection of design outputs in qualifying and verifying the design of analog systems and components. If the design process ensures continuous behavior over a fixed range of inputs, and testing at a finite sample of input conditions in each of the continuous ranges demonstrates acceptable performance, then performance at intermediate input values between the sampled test points can be inferred to be acceptable with a high degree of confidence.

Digital I&C systems are fundamentally different from analog I&C systems in that the use of software creates a virtually unlimited number of pathways for inputs and outputs, and minor errors in design and implementation can cause them to exhibit unexpected behavior. Consequently, the performance of digital systems over the entire range of input conditions cannot generally be inferred from testing at a sample of input conditions. The use of inspections, type testing, and acceptance testing of digital systems and components does not alone accomplish design qualification and verification at high confidence levels. To address this issue, the NRC approach to the review of design qualification for digital systems focuses, to a large extent, upon confirming that the applicant/licensee employed a high-quality development process that incorporated disciplined specification and implementation of design requirements. Inspection and testing are used to verify correct implementation and to validate desired outputs (functionality) of the final product, but confidence that isolated, discontinuous point failures will not occur derives from the discipline of the development process.
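The contrast drawn above, as an added illustration that is not part of the original paper: a pressure trip comparator with a one-count implementation defect passes an evenly spaced sample of its input range (the kind of test from which continuous analog behavior can be inferred), and is found only by a test derived from the requirement at the discontinuity, or by exhausting the converter's input space. The sensor range, setpoint and 12-bit conversion are constructed values.

```python
"""Sampled testing of an analog-style comparator versus a digital one.

Added illustration, not code from the paper.  The sensor range, setpoint and
12-bit conversion are constructed values.  A pressure channel 0..2500 psig is
digitised to 12-bit counts; the requirement is "trip at or above 2385 psig".
"""
import math

FULL_SCALE_PSIG = 2500.0
ADC_COUNTS = 4096                       # 12-bit converter: raw counts 0..4095
SETPOINT_PSIG = 2385.0
# Smallest raw count whose engineering value reaches the setpoint.
SETPOINT_COUNTS = math.ceil(SETPOINT_PSIG * (ADC_COUNTS - 1) / FULL_SCALE_PSIG)


def counts_to_psig(raw: int) -> float:
    """Engineering conversion used by the requirement."""
    return raw * FULL_SCALE_PSIG / (ADC_COUNTS - 1)


def spec_trip(raw: int) -> bool:
    """The requirement, stated in engineering units."""
    return counts_to_psig(raw) >= SETPOINT_PSIG


def digital_trip_defective(raw: int) -> bool:
    """Implementation with a one-count defect: '>' where '>=' was required."""
    return raw > SETPOINT_COUNTS


def digital_trip_fixed(raw: int) -> bool:
    """Corrected implementation."""
    return raw >= SETPOINT_COUNTS


def sampled_test(trip_fn, n_samples: int) -> list:
    """Evenly spaced sample of the input range; returns the counts at which
    trip_fn disagrees with the requirement.  Analog qualification relies on
    this kind of sampling plus a continuity argument for the points between."""
    step = ADC_COUNTS // n_samples
    return [raw for raw in range(0, ADC_COUNTS, step) if trip_fn(raw) != spec_trip(raw)]


def boundary_test(trip_fn) -> list:
    """Requirements-derived test at and around the one discontinuity the
    implementation is allowed to have."""
    return [raw for raw in (SETPOINT_COUNTS - 1, SETPOINT_COUNTS, SETPOINT_COUNTS + 1)
            if trip_fn(raw) != spec_trip(raw)]


def exhaustive_test(trip_fn) -> list:
    """Every input the converter can produce.  Feasible for one 12-bit input;
    not for a system with several inputs and internal state."""
    return [raw for raw in range(ADC_COUNTS) if trip_fn(raw) != spec_trip(raw)]


if __name__ == "__main__":
    print("setpoint counts:", SETPOINT_COUNTS)
    print("sampled (16 points):", sampled_test(digital_trip_defective, 16))
    print("boundary:", boundary_test(digital_trip_defective))
    print("exhaustive:", exhaustive_test(digital_trip_defective))
```

The sampled test reports no mismatch for the defective comparator, while the boundary test and the exhaustive sweep both isolate the single failing count; this is the "isolated, discontinuous point failure" that the development-process discipline, rather than sample testing, is relied on to prevent.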

SRP Sections 7.2 through 7.9 describe the review of system-specific requirements, system design, and implementation. In the SRP Chapter 7 update, the content of SRP Sections 7.2 through 7.7 is basically the same as in the previous version of the SRP, with the exception of references to SRP Section 7.1 for digital system application guidance. Two new sections of SRP Chapter 7, Sections 7.8 and 7.9, have been added to provide specific guidance for I&C systems not previously addressed in the SRP.

SRP Section 7.8 describes the review process and acceptance criteria for the diverse I&C systems and equipment provided for the express purpose of protecting against potential common-mode failures of protection systems. The following systems are covered by this section:

1. Anticipated transient without scram (ATWS) mitigation systems required for compliance with 10 CFR 50.62. As defined in 10 CFR 50.62, which was promulgated in 1985, an ATWS event is an anticipated operational occurrence followed by failure of the reactor trip portion of the protection system. 10 CFR 50.62 identifies design requirements for ATWS mitigation systems and equipment in pressurized and boiling water reactor designs.

2. Diverse manual controls and displays provided to comply with the NRC position on defense-in-depth and diversity (D-in-D&D) for digital I&C systems as described in the Staff Requirements Memorandum (SRM) regarding SECY-93-087. These systems are to be independent and diverse from the safety digital computer system, located in the main control room, and provide for manual, system-level actuation of critical safety functions and monitoring of parameters that support the safety functions.

3. Diverse actuation systems (DAS) are those automatic systems provided solely for the purpose of meeting the NRC position on D-in-D&D for digital I&C systems. DAS and ATWS mitigation system functions may be combined into a single system. The reactor trip system (RTS), engineered safety features actuation system (ESFAS), control systems, or other diverse I&C systems may perform DAS functions to meet the NRC position on D-in-D&D. Diverse I&C system functions performed by the RTS, ESFAS and other systems are not within the scope of this section. The diverse I&C functions of these systems should meet the criteria applicable to the systems as a whole. The criteria for these system designs are found in the appropriate SRP sections for the individual systems.

SRP Section 7.9 describes the review process and acceptance criteria for data communication systems (DCSs) that are part of or support the systems described in Sections 7.2 through 7.8. The scope and depth of the review and the acceptance criteria will vary according to the importance to safety of the system that the DCS is supporting.

The objectives of the review are to confirm that the DCS is of comparable quality and reliability to the system it supports, will perform the safety functions assigned, and will tolerate the effects of random transmission failures. A particular concern is that the transmission of multiple signals over a single path may constitute a single point of failure that may have a larger impact on plant safety than would occur in previous analog system designs.
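The two DCS review concerns above, tolerance of random transmission failures and the multiplexing of several signals onto one path, as an added example that is not code from the paper or from any reviewed system: each frame carries a sequence number and a CRC, and the receiver declares every signal on the path invalid when a frame is corrupted, when too many frames are lost, or when the link has failed repeatedly. The frame layout, signal names and limits are constructed for illustration.

```python
"""Framing for a multiplexed safety data link, with the receiver checks needed
to tolerate random transmission errors: a CRC over each frame, a sequence
number to detect lost or replayed frames, and a latched link-failure state.

Added example; the frame layout and the limits are constructed.
"""
import binascii
import struct

HEADER = struct.Struct("<HB")   # sequence number (uint16), number of signals (uint8)
SAMPLE = struct.Struct("<H")    # one 16-bit raw count per multiplexed signal
TRAILER = struct.Struct("<H")   # CRC-16/CCITT (binascii.crc_hqx) over header + samples
MAX_GAP = 2                     # tolerated lost frames before data is declared stale
MAX_CONSECUTIVE_BAD = 3         # CRC/length failures in a row before the link is failed


class FrameError(ValueError):
    """Raised when a frame fails length or CRC validation."""


def encode_frame(seq: int, values) -> bytes:
    """Pack several signals into one frame; all of them share this one path."""
    body = HEADER.pack(seq & 0xFFFF, len(values)) + b"".join(SAMPLE.pack(v) for v in values)
    return body + TRAILER.pack(binascii.crc_hqx(body, 0xFFFF))


def decode_frame(frame: bytes):
    """Validate and unpack a frame; returns (seq, values) or raises FrameError."""
    if len(frame) < HEADER.size + TRAILER.size:
        raise FrameError("short frame")
    body, (crc,) = frame[:-TRAILER.size], TRAILER.unpack(frame[-TRAILER.size:])
    if binascii.crc_hqx(body, 0xFFFF) != crc:
        raise FrameError("CRC mismatch")
    seq, count = HEADER.unpack_from(body)
    if len(body) != HEADER.size + count * SAMPLE.size:
        raise FrameError("length does not match signal count")
    values = tuple(SAMPLE.unpack_from(body, HEADER.size + i * SAMPLE.size)[0]
                   for i in range(count))
    return seq, values


def flip_bit(frame: bytes, bit: int) -> bytes:
    """Constructed fault injection for testing: invert one bit of a frame."""
    buf = bytearray(frame)
    buf[bit // 8] ^= 1 << (bit % 8)
    return bytes(buf)


class Receiver:
    """Tracks link health and returns a per-frame verdict.

    One corrupted or lost frame invalidates every signal it carried, which is
    the multiplexing concern in the text: one path, many signals, one failure.
    """

    def __init__(self):
        self.expected_seq = None
        self.consecutive_bad = 0
        self.link_failed = False

    def accept(self, frame: bytes) -> dict:
        try:
            seq, values = decode_frame(frame)
        except FrameError as exc:
            self.consecutive_bad += 1
            if self.consecutive_bad >= MAX_CONSECUTIVE_BAD:
                self.link_failed = True   # latched: cleared only by an explicit reset
            return {"valid": False, "values": None, "reason": str(exc)}
        self.consecutive_bad = 0
        dropped = 0 if self.expected_seq is None else (seq - self.expected_seq) & 0xFFFF
        self.expected_seq = (seq + 1) & 0xFFFF
        if self.link_failed:
            return {"valid": False, "values": None, "reason": "link latched failed"}
        if dropped > MAX_GAP:
            return {"valid": False, "values": None, "reason": f"{dropped} frames lost"}
        return {"valid": True, "values": values, "dropped": dropped}
```

The receiver never substitutes a default value for a signal it could not validate; the consumer of the verdict is expected to treat `valid: False` as a loss of all signals on that path and act accordingly, which is what makes the single-path failure visible rather than silent.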

SRP Chapter 7 contains branch technical positions (BTPs) that provide guidance on specific aspects of I&C system design. The first nine of the BTPs are the same as those presented in the 1981 version of SRP Chapter 7. There are four new BTPs based on new operating reactor issues and six new BTPs based on the application of digital-based I&C systems. The more significant of these new BTPs are discussed below.

BTP 10 provides additional guidelines for reviewing an applicant/licensee's post-accident monitoring system. These guidelines are based on previous reviews of applicant/licensee design submittals that contained approved interpretations and alternative design features to the guidance identified in Reg. Guide 1.97, "Instrumentation for Light-Water-Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident."

BTP 11 provides guidelines for reviewing the use of isolation devices in I&C systems. These acceptance guidelines are based on experience in the review of applicant/licensee submittals for electrical qualification and application of isolation devices used to protect safety I&C systems from faults in non-safety I&C systems.

BTP 12 provides guidelines for reviewing the process an applicant/licensee follows to establish and maintain instrument setpoints. These guidelines are based on reviews of applicant/licensee submittals and vendor topical reports describing setpoint assumptions, terminology, and methodology, and experience gained from NRC inspections of operating plant setpoint programs.

BTP 13 provides guidelines on the use of cross-calibration techniques for surveying the performance of resistance temperature detectors (RTDs). These guidelines are based on experience in the detailed reviews of applicant/licensee submittals describing the application of in-situ cross-calibration procedures for reactor coolant RTDs, as well as NRC research activities. Other methods, such as using a diverse parameter to provide a cross-correlation reference, can be used if adequate justification is provided.

BTP 14 provides guidance for the review and confirmation that an acceptable level of software quality is provided for computer-based I&C systems. The NRC's acceptance of software for safety system functions is based upon (1) confirmation that acceptable plans were prepared to control software development activities, (2) evidence that the plans were followed in an acceptable software life cycle, and (3) evidence that the process produced acceptable design outputs. These guidelines are based on reviews of licensee submittals, industry standards for software development, and the analysis of standards and practices documented in NUREG/CR-6101, "Software Reliability and Safety in Nuclear Reactor Protection Systems." The structure of BTP 14 is derived from the review process described in Appendix 7.0-A.

BTP 17 provides guidelines for reviewing the design of self-test and surveillance test provisions in digital computer-based I&C systems. These guidelines are based on reviews of applicant/licensee submittals and vendor topical report submittals describing self-test and surveillance test assumptions, terminology, methodology and experience gained from NRC inspections of operating plants.

BTP 18 provides guidelines for reviewing the use of programmable logic controllers (PLCs) in digital instrumentation and control (I&C) systems. These guidelines are based on reviews of licensee submittals and the analysis of PLC-related issues documented in NUREG/CR-6090, "The PLC and Its Application in Nuclear Reactor Protection Systems."

BTP 19 discusses common-mode failure concerns in digital computer-based systems due to a potential software error which defeats the redundancy achieved by hardware architecture. In NUREG-0493, "A Defense-in-Depth & Diversity Assessment of the RESAR-414 Integrated Protection System," the NRC documented a D-in-D&D analysis of a digital computer-based reactor protection system, in which defense against common-mode failures was based upon an approach using a specified degree of system separation between echelons of defense. Subsequently, in SECY 91-292, "Digital Computer Systems for Advanced Light-Water Reactors," the NRC included discussion of its concerns about common-mode failures in digital protection systems and documented its position with respect to common-mode failures in digital systems and defense-in-depth. This position was formally implemented in accordance with the SRM for Item II.Q of SECY 93-087, "Policy, Technical, and Licensing Issues Pertaining to Evolutionary and Advanced Light-Water Reactor (ALWR) Designs." Based on the above and experience in the detailed reviews of digital protection systems, the NRC staff has established acceptance guidelines for D-in-D&D assessments as described in this branch technical position.
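The common-mode concern behind BTP 19, that one software error can defeat hardware redundancy, is addressed partly by diverse implementations and partly by checking each implementation against its written requirement. As an added example, not from the paper or from any reviewed system: two deliberately different implementations of 2-out-of-4 trip voting with channel bypass (a lookup table and a combinational pair expansion) are each checked exhaustively against the requirement and against each other, and a plausible misreading of the bypass rule is shown to produce counterexamples. The requirement, channel model and the defective variant are constructed for illustration.

```python
"""Two diverse implementations of 2-out-of-4 trip voting with channel bypass,
each checked exhaustively against the written requirement.

Added example, not from the paper.  The requirement and channel model are
constructed: four channels, each either tripped or not, and each either
bypassed (under maintenance, ignored by the logic) or not.
"""
from itertools import product

N_CHANNELS = 4
# Implementation A data: every 4-bit mask of effective (tripped and not
# bypassed) channels that satisfies 2-out-of-4, enumerated by hand the way a
# PLC truth table would be.
TRIP_MASKS = frozenset((
    0b0011, 0b0101, 0b0110, 0b0111, 0b1001, 0b1010,
    0b1011, 0b1100, 0b1101, 0b1110, 0b1111,
))


def requirement(tripped, bypassed) -> bool:
    """Requirement: trip when at least two channels that are not bypassed
    are in the tripped state."""
    effective = [t and not b for t, b in zip(tripped, bypassed)]
    return effective.count(True) >= 2


def vote_table(tripped, bypassed) -> bool:
    """Implementation A: build the effective-channel mask and look it up."""
    mask = 0
    for i, (t, b) in enumerate(zip(tripped, bypassed)):
        if t and not b:
            mask |= 1 << i
    return mask in TRIP_MASKS


def vote_pairs(tripped, bypassed) -> bool:
    """Implementation B (diverse): the combinational OR of all six pairs."""
    e = [t and not b for t, b in zip(tripped, bypassed)]
    return ((e[0] and e[1]) or (e[0] and e[2]) or (e[0] and e[3]) or
            (e[1] and e[2]) or (e[1] and e[3]) or (e[2] and e[3]))


def vote_defective(tripped, bypassed) -> bool:
    """A plausible misreading of the requirement: a bypassed channel is
    counted as tripped ("bypass means trip") instead of being ignored."""
    return sum(1 for t, b in zip(tripped, bypassed) if t or b) >= 2


def all_states():
    """Every combination of trip and bypass status: 2**8 = 256 states."""
    bools = (False, True)
    for tripped in product(bools, repeat=N_CHANNELS):
        for bypassed in product(bools, repeat=N_CHANNELS):
            yield tripped, bypassed


def counterexamples(impl) -> list:
    """States where impl disagrees with the requirement.  An empty list is a
    proof over the whole (finite) input space; a model checker automates the
    same check when the space is too large to enumerate."""
    return [(t, b) for t, b in all_states() if impl(t, b) != requirement(t, b)]


def disagreements(impl_a, impl_b) -> list:
    """States where two diverse implementations disagree with each other."""
    return [(t, b) for t, b in all_states() if impl_a(t, b) != impl_b(t, b)]


def single_channel_cannot_trip(impl) -> bool:
    """Property: with nothing bypassed, one tripped channel alone never trips."""
    nothing_bypassed = (False,) * N_CHANNELS
    return all(not impl(tuple(i == k for i in range(N_CHANNELS)), nothing_bypassed)
               for k in range(N_CHANNELS))


if __name__ == "__main__":
    print("table vs requirement:", counterexamples(vote_table))
    print("pairs vs requirement:", counterexamples(vote_pairs))
    print("table vs pairs:", disagreements(vote_table, vote_pairs))
    print("defective, first counterexample:", counterexamples(vote_defective)[0])
```

The exhaustive check is only a proof because the state space is tiny; its value here is the shape of the argument, a requirement written independently of either implementation and a list of counterexamples that is empty for both diverse versions and non-empty for the misreading.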

BTP 20 provides guidelines for reviewing digital system real-time performance and system architectures. These guidelines are based on reviews of licensee submittals and the analysis of these issues documented in NUREG/CR-6083, "Reviewing Real-Time Performance of Nuclear Reactor Safety Systems," and NUREG/CR-6082, "Data Communications."

3. GENERIC DIGITAL ISSUES

At the present time, there are few safety-related digital modifications being proposed for plant-specific applications. However, the NRC has been and continues to remain active in the review of generic proposals.

The NRC is currently reviewing several generic digital-based programs concerned with modifications to operating plant I&C systems. These are (1) programmable logic controllers for use in safety-related systems (EPRI sponsored), (2) Application Specific Integrated Circuits for replacement of existing Westinghouse plant reactor trip systems (Westinghouse sponsored) and (3) Ovation safety-related digital based system (Westinghouse sponsored). We are currently applying the updated SRP Chapter 7 to the review of these generic proposals. These programs are scheduled for completion over the next several years.

4. FUTURE ISSUES

The NRC recognizes that the rapid evolution of computer technology will mean further changes in systems proposed for nuclear power plant implementation in the future. Keeping the review criteria for these evaluations current is important. In order to address anticipated digital system issues for the future, the NRC identified a number of research efforts to help cope with future evaluations. These are as follows:

a. Use of ISO 9000

The international computer vendor community (including US nuclear suppliers) is increasing the use of ISO 9000 and ISO 9000-3 for general quality assurance and software quality assurance respectively, due to the international recognition of these standards and regulatory requirements in much of the European community. NRR audits of ISO 9000 certified systems have raised several questions regarding its guidance when compared to the quality assurance requirements of 10 CFR 50, Appendix B. Some computer-based systems are certified to the general ISO 9000 criteria but are not certified to the software-related ISO 9000-3 criteria. Information received from the Software Productivity Consortium and other industry publications notes that an ISO 9000 certification may not assure the necessary level of quality assurance for safety systems due to variance between the certifying entity and the specific regulatory requirements. The NRC will develop a comparison of these quality standards.

b. Domain Engineering Guidance

Domain engineering is increasing in popularity with vendors because it facilitates the reuse of software with the resultant economic benefits. The establishment of a domain model allows the development of standard software requirements specifications and architectures that can be used for multiple systems. The NRC will develop guidance on application of domain engineering.

c. Quantitative Assessment of Digital System Reliability

A longstanding goal of the computer industry has been the attempt to quantify the reliability of software-based systems. The NRC will survey the state-of-the-practice methods for assessment of quantitative reliability prediction, and incorporation of quantitative reliability in PRAs. One candidate for review is the Statistical Modeling and Estimation of Reliability Functions for Software (SMERFS) produced by the Naval Surface Warfare Center. The project should include a review of European and Canadian nuclear industry and domestic computer industry efforts in this area. The NRC will attempt to identify means for quantification of digital system reliability.

d. Guidance on Formal Methods and Applicable Tools

Formal methods have been presented by their proponents in the computer industry and academia as a method to mathematically prove that the software will contain no errors. Several formal methods academic projects and a few commercial projects were reviewed by the staff several years ago. Since then, the literature has described several improvements. The NRC will survey recent formal methods development and state of the practice with a focus on formal requirements specifications and their effectiveness in practical commercial applications. Verification of timing considerations via formal methods will also be addressed. The NRC will develop guidance for use of formal methods as appropriate.

e. Review of IEEE Std 1498 Guidance

In August 1995, ISO/IEC 12207, "Software Life Cycle Processes," was released as an approved international standard. The Joint International Standards Working Group (JISWG) is adapting ISO/IEC 12207 for use in the United States, including the technical content found in J-STD-016. The scope of ISO/IEC 12207 includes the computer development process of IEEE 1498 as well as acquisition, supply, operation, and maintenance processes. The US 12207-1996 guidance focuses on the overlap between IEEE 1498 and ISO/IEC 12207 and includes supporting processes such as documentation, quality assurance, configuration management, and peer review. The NRC will develop a comparison of IEEE 1498 and the US version of ISO/IEC 12207 against the SRP Chapter 7 guidance and, if acceptable, a regulatory guide will be prepared to endorse both standards.

5. YEAR 2000 CONCERN

Another important topic that is being pursued is the set of problems associated with the Year 2000 (Y2K) issue. The Y2K problem has the potential to affect any computer system, any hardware that is microprocessor-based (embedded software), and any software and database at nuclear power plants.

As of this date the NRC has not received notification from vendors of digital protection systems (Westinghouse, General Electric, Combustion Engineering, Foxboro, Allen Bradley, and Framatome/Babcock & Wilcox) that a Y2K problem exists with their safety-related initiation and actuation systems. However, non-safety but important computer-based systems, primarily databases and data collection necessary for plant operation which are date driven, may need modification for Y2K compliance. Some examples of systems that may be affected by Y2K problems are:

• Security computers
• Plant process (data scan, log, and alarm) / safety parameter display system computers
• Emergency response systems
• Radiation monitoring systems
• Dosimeters/readers
• Plant simulators
• Engineering programs
• Communications systems
• Inventory control systems
• Surveillance and maintenance tracking systems
• Control systems
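The date-driven failure the Y2K issue produces in tracking systems such as those listed, as an added example that is not from the paper: a surveillance tracking record that stores dates as two-digit years computes "time since last performed" with a shortcut that works until the century rollover, beside the windowing fix that reads two-digit years relative to a pivot and uses real calendar arithmetic. The record format, the pivot year and the sample records are constructed.

```python
"""Two-digit-year date handling in a surveillance tracking record, before and
after the century rollover.  Added example; the record format ("YYMMDD"
strings), the pivot year and the sample records are constructed.
"""
from datetime import date

PIVOT = 70   # two-digit years below this are read as 20YY, the rest as 19YY


def legacy_day_number(yymmdd: str) -> int:
    """The kind of shortcut found in older code: an approximate day count
    built from the two-digit year with no century.  Ordering holds within
    one century and silently breaks across 1999 -> 2000."""
    yy, mm, dd = int(yymmdd[0:2]), int(yymmdd[2:4]), int(yymmdd[4:6])
    return yy * 365 + mm * 30 + dd


def legacy_overdue(last_done: str, today: str, interval_days: int) -> bool:
    return legacy_day_number(today) - legacy_day_number(last_done) >= interval_days


def expand_year(yy: str) -> int:
    """Windowing fix for stored two-digit years."""
    n = int(yy)
    return 2000 + n if n < PIVOT else 1900 + n


def parse_yymmdd(yymmdd: str) -> date:
    """Real calendar date, so leap years and month lengths are handled."""
    return date(expand_year(yymmdd[0:2]), int(yymmdd[2:4]), int(yymmdd[4:6]))


def windowed_overdue(last_done: str, today: str, interval_days: int) -> bool:
    return (parse_yymmdd(today) - parse_yymmdd(last_done)).days >= interval_days


# Constructed surveillance records: (item, last performed, required interval in days)
RECORDS = [
    ("RTD cross-calibration", "991201", 31),
    ("Channel functional test", "991020", 62),
    ("Pump flow surveillance", "991230", 31),
]


def overdue_items(today: str, check) -> list:
    """Items the given overdue check flags as due on the given day."""
    return [item for item, last, interval in RECORDS if check(last, today, interval)]


if __name__ == "__main__":
    for day in ("991231", "000105"):
        print(day, "legacy:", overdue_items(day, legacy_overdue),
              "windowed:", overdue_items(day, windowed_overdue))
```

On 31 December 1999 both checks agree; on 5 January 2000 the legacy check reports nothing overdue because every 1999 date now sorts after every 2000 date, which is exactly the silent failure mode in a tracking system, whereas the windowed check still finds the two items that are due.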

The NRC issued Information Notice 96-70, "Year 2000 Effect on Computer System Software," to alert NRC licensees, certificate holders, and registrants of the potential problems their computer systems and software may encounter as a result of the change to the new century. The information notice (IN) contained a discussion of how the Y2K issue may affect NRC licensees. The IN encouraged licensees to examine their uses of computer systems and software well before the turn of the century and suggested that licensees consider actions appropriate to examine and evaluate their computer systems related to the Y2K issue. Also, the final version of the updated SRP Chapter 7 incorporates wording that addresses the need for recognition of the Y2K issue.

The NRC is currently working with various industry groups to ensure that individual licensees are developing proper plans for each nuclear plant to address the Y2K issue and to provide confidence to the NRC that come the year 2000, nuclear plants in the United States will continue to operate in a safe manner.

6. CONCLUSION

Meetings of this type are important to the fostering of international cooperation in addressing common problems, sharing solutions, and determining future research needs on issues associated with the implementation of digital technology which is itself a rapidly changing technology. Although the specific approaches to acceptance of digital technology in nuclear power plants may differ from country to country, the overall objective is largely the same: ensure an appropriate level of safety has been achieved.

As discussed above, the NRC undertook a major effort to codify the guidance developed and the large amount of regulatory experience gained in digital system reviews over the past few years in a revision to the SRP that was published in June 1997. Although the NRC believes that a stable digital review process is now in place, the NRC will continue to keep its review criteria current as digital-based I&C system technology advances.


Session 4:

Experiences in Implemented Computerized Safety and Safety Related Systems.

XA9846507

REPLACEMENT OF THE CONTROL & INSTRUMENTATION SYSTEM WITH THE MICROPROCESSOR BASED SYSTEM IN JAPANESE PWR PLANTS

N. HAYASHI Mitsubishi Heavy Industries, Ltd. Kobe, Japan

Abstract

In Ohi Units 3 and 4, Ikata Unit 3, and Genkai Units 3 and 4, the latest of the PWR plants now in operation in Japan, the reactor control system and turbine control system employ microprocessor-based digital control systems with a view to improving reliability, operability and maintainability. In the next stage plants, a further application of such digital systems is also planned for the instrumentation racks of the reactor protection system for further improvement. On the other hand, in Mihama Unit 1, the first of the domestic PWR plants, and in later plants except for the latest 5 plants, analog control systems are employed for the instrumentation racks. For the analog control systems of these plants, FOXBORO H-Line instruments, equivalent domestic box type instruments or WH7300 Series card type instruments were initially employed, and later replaced with domestic card type control systems after 10-15 years of operation. However, 8-12 years have passed since these replacements, so the 15th year generally quoted as an interval for replacing C&I systems is near at hand. This is the time to consider the next replacement. This replacement will be based on the latest digital technology. However, it is not a practical way for the existing plants to apply the same integrated digital C&I system configuration as the next stage plants, because it requires a drastic change of the C&I system configuration and a significant cost increase. Therefore, we must investigate the optimum digital C&I system configuration for the existing system.

1. Introduction

In Japan, 23 domestic PWR plants are currently in operation, from the first, Mihama Unit 1, which started in 1970, to the latest, Genkai Unit 4, which started in 1996. In the 18 plants excluding the latest 5 units, analog control systems are employed for the C&I systems.

Concerning the hardware for their C&I systems, domestic card type systems were initially applied to Takahama Unit 3 and later plants. Replacement with the same type also took place at the earlier plants after 10-15 years of operation. Currently, 18 plants have domestic card type analog control systems.

However, early models of such domestic card type analog control systems have already been used for 13 years. The interval of 15 years commonly quoted for standard replacement is near at hand; therefore, problems including failure due to secular deterioration or suspension of parts production could come to the surface. The spare space available in the current systems is very scarce because instruments have been added in the course of system improvements made to date, and no space for additional instrument racks is available either. Also considering the following needs of the customers, now is the time for system replacement.

• Further improvement of reliability
• Reduction of maintenance/repair costs
• Reduction of periodical inspection processes
• Maintaining spare space for future improvement and modification

These needs for improvement should be reflected in the replacement method, and the general movement in the world from analog to digital technology should also be taken into account, and then, the operational experience of the digital control systems used in the reactor control and turbine control system at the latest 5 plants should be considered. Naturally, such considerations will end in digital systems. Our evaluation includes the following particulars in replacement work:

• As in the next stage plant, the reactor protection system is included in the replacement.

• In the existing plants, the reactor protection system and turbine control system are realized by analog and relay (partially solid state method), and systems are distributed. Therefore, it is not practical to replace all of the systems at once. For the time being, only the analog systems to be improved urgently should be replaced. This means it is difficult to directly apply the digital control system integrating the analog and relay system now under consideration for the next term plant.

• In the future, other systems including the main control board will possibly be replaced with the same method as used in the next stage plant. Therefore, it is necessary to provide a system configuration of compatible interface with such method.

Considering the above arguments, this paper will show the situations concerning the replacement to digital system, which is now under evaluation by considering the current status of C&I systems in Japanese PWR plants and their needs for improvement.

2. Current Status of C&I Systems in Domestic PWR Plants

2.1 Current Status of Domestic PWR Plants

The 23 PWR plants are classified into the following 4 generations according to their ages:

• 1st Generation (1970-1979)
Mihama Units 1, 2 and 3 (Kansai Electric Power Co., Ltd.)
Takahama Units 1 and 2 (Kansai Electric Power Co., Ltd.)
Ohi Units 1 and 2 (Kansai Electric Power Co., Ltd.)
Ikata Units 1 and 2 (Shikoku Electric Power Co., Ltd.)
Genkai Units 1 and 2 (Kyushu Electric Power Co., Ltd.)

• 2nd Generation (1980-1989)
Takahama Units 3 and 4 (Kansai Electric Power Co., Ltd.)
Tsuruga Unit 2 (Japan Atomic Power Co.)
Sendai Units 1 and 2 (Kyushu Electric Power Co., Ltd.)
Tomari Units 1 and 2 (Hokkaido Electric Power Co., Inc.)

• 3rd Generation (1990-1997)
Ohi Units 3 and 4 (Kansai Electric Power Co., Ltd.)
Ikata Unit 3 (Shikoku Electric Power Co., Ltd.)
Genkai Units 3 and 4 (Kyushu Electric Power Co., Ltd.)

• 4th Generation (Future)
Tsuruga Units 3 and 4 (Japan Atomic Power Co.: planned)

For the C&I system of each generation, the technology common at the time was employed; the details are shown in Fig. 1.

(1) 1st Generation
The reactor control & protection system and turbine control system are both configured in analog and relay logic.

(2) 2nd Generation
The reactor control & protection system and turbine control system are both configured in analog and relay logic. In some plants, however, the reactor protection system employs solid state logic, and the auxiliary system employs digital control technology.

(3) 3rd Generation
As digital control technology developed, the reactor control system and turbine control system employ digital control systems in order to improve reliability, operability and maintainability, while the reactor protection system employs analog and solid state logic.

(4) 4th Generation
For further improvement, digital systems are applied to the reactor protection system. In addition, for operations on the main control board, conventional hard switches are replaced with touch operation by CRT. This realizes the integrated digital C&I system.

2.2 Experience of Replacing C&I Systems in Japan

(1) In all the plants of the 1st generation and some plants of the 2nd generation, FOXBORO H-Line instruments, equivalent domestic box type instruments or WH7300 Series card type instruments were introduced for the analog protection and control systems. Due to problems including increased product failures and product supply, the domestic card type analog control system replaced the older models after 10-15 years of operation. 10 years have already passed since the earliest of these replacements. Some plants whose systems have not been replaced since the start of operation have been operating their original systems for 13 years.

(2) In order to improve the availability of the feedwater control system, some plants began in 1990 to employ a digital control system with a fault diagnosis function as the backup for the analog control system.

Fig. 2 shows the actual replacements carried out domestically on the instrumentation racks of the reactor control & protection systems. Fig.l Digital application to operating PWRs in JAPAN

1-st Generation 2-nd Generation 3-rd Generation APWR Mihama-1 Takahama-1 lkata-1 Ohi-1 Tsuruga-2 Ohi-3 / Genkai-3 Tsuruga-3 Man Bench Board Bench Board Bench Board Bench Board Main: Console Main: Console Console + Machine • Aux.: Bench Board Aux.: Bench Board Large Display Panel Interface Hard S/W operation Hard S/W operation Hard S/W operation Hard S/W operation Hard S/W operation Hard S/W operation CRT touch operation monitor by Indicator monitor by Indicator monitor by Indicator monitor by Indicator monitor by Indicator monitor by CRT & monitoring Reactor Analog & Relay logic Analog & Relay logic Analog & Relay logic Analog & Relay logic Analog, Solid-state Analog & Solid-state All Digital (4ch, 4train|

Protection (3 ch. & 2 train) (3 ch. & 2 train) (3 ch. & 2 train) (3 ch. & 2 train) trip logic & Relay ESF logic (4ch, 4traln trip trip & 2train ESFI logic (3 ch. & 2 train) & 2train ESF logic) logic)

Reactor Analog circuit Analog circuit Analog circuit Analog circuit Analog circuit Ail Digital control & - All Digital control & Control Relay sequence Relay sequence Relay sequence Relay sequence Relay sequence sequence sequence \ (Simplex) (Simplex) (Simplex) (Simplex) (Simplex) (Duplex) (Duplex) Digital backup for Digital backup for Digital backup for Digital backup for Feedwater control Feedwater control Feedwater control Feedwater control installed at 1995 installed at 1994 installed at 1990 installed at 1994

Turbine Analog circuit Analog circuit Analog circuit Analog circuit Analog circuit All Digital control & All Digital control & Control Relay sequence Relay sequence Relay sequence Relay sequence Relay sequence sequence except sequence (Simplex) (Simplex) (Simplex) (Simplex) (Simplex) Turbine protection (Duplex) I EH,rep!aced by Digital Controi sys. replaced EH replaced by Digital (Duplex) at 1993 by Digital at 1991 at 1994

Auxiliary Local analog control & Local analog control & Local analog control & Local analog controi & All Digital control & All Digital control & All Digital control & System relay sequence relay sequence relay sequence relay sequence sequence sequence sequence (Duplex) (Duplex) (Duplex) Digital replacement Digital replacement Digital replacement planned at 1996 planned at 1996 planned ai 1997 Fig.2 Summary of C&l rack replacement

Sufficient Experiences

| No. | Plant | Year | Notes |
|---|---|---|---|
| 1 | Mihama #1 (Kansai) | 1995 | |
| 2 | Mihama #2 (Kansai) | 1994 | |
| 3 | Mihama #3 (Kansai) | 1992/1993 | 92: Protection, 93: Control |
| 4 | Takahama #1 (Kansai) | 1988 | |
| 5 | Takahama #2 (Kansai) | 1987 | |
| 6 | Ohi #1 (Kansai) | 1988 | |
| 7 | Ohi #2 (Kansai) | 1987 | |
| 8 | Ikata #1 (Shikoku) | 1989/1990 | 89: Protection, 90: Control |
| 9 | Ikata #2 (Shikoku) | 1996/1997 | 96: Protection, 97: Control |
| 10 | Genkai #1 (Kyushu) | 1990/1991 | 90: Protection, 91: Control |
| 11 | Genkai #2 (Kyushu) | 1994/1995 | 94: Protection, 95: Control |

In the case of No. 6 and 7, WH 7300 series racks were replaced by Japanese card racks. In all other cases, BOX type racks were replaced by Japanese card racks.

3. Needs for Improvement of Current Systems and Replacement to Digital Control Systems

In the domestic PWR plants, as shown in Fig. 3, operation records are stable. This is not only due to higher reliability of the system itself but also, more essentially, to the more substantiated maintenance of system by the users.

• By stricter system checks, defects are detected swiftly and corrective actions are taken.
• Systems are updated according to a plan drawn up by considering operation records.
• Improvements made for non-conformances that occurred are also reflected in other plants.

This plant maintenance should be continued from now on. However, improvements of reliability are requested in line with longer fuel cycles, shorter annual inspection outages, reduction of maintenance cost and improvement of operability. The needs for system improvement described above apply to the analog instrumentation systems currently used in the reactor protection & control system, which is directly related to plant availability, and in the turbine control system. The current analog technology is not enough to realize these needs, and therefore replacement is planned on the assumption that a digital control system will be applied.

3.1 Improvement of System Reliability

For the analog instrumentation of the reactor protection & control system and the turbine control system, the following two types are currently used. No plant trip directly caused by a failure of these systems has occurred so far, and both types have a record of stable operation.

• Mitsubishi Electric Corporation MELNAC Series Applied in 10 domestic plants including Takahama Units 1/2 and others.

• Yokogawa Electric Corporation System 1100 Series Applied in 13 domestic plants including Mihama Units 1/2 and others.

The parts that have failed so far in the above-mentioned systems are mainly mechanical components such as relays, switches, variable resistors and connectors. The number of failures of these mechanical components is expected to increase as time goes by and as they are operated more frequently. Very few semiconductor failures have been detected so far, and the future occurrence of semiconductor failures is not known. However, these systems have been in use for more than 10 years, and the replacement interval commonly quoted for electrical measurement systems is 10-15 years. This suggests some possibility of a rapid increase in faults. From the above arguments, the longer fuel cycles now planned should be considered, and the systems should be updated as preventive maintenance even before entering the wear-out failure period. In introducing digital technology, a self-diagnosis function should be introduced along with the digital control system, and at the same time such systems should have a redundant architecture.

Fig. 3 (figure not reproduced in the extracted text): plot of the number of plants and the spurious trip rate (/reactor year).

3.2 Reduction of Periodical Inspection/Reduction of Maintenance Cost

(1) Reduction of Maintenance Items and Workload

Currently, the analog instrumentation system is checked for the following items in each annual inspection:

• Calibration test of all cards (static test)
• Dynamic test of PID, LEAD/LAG cards
• Confirmation test of bistable set points
• Check of A/M station
• Others; check of power unit, etc.

Since these checks are carried out with all the component cards of the plant's control protection system, the time and workload required for those checks dominates a fairly large portion of the checks done on the C&I systems in each annual inspection. In a short annual inspection of 40 through 49 days, such portion may be critical in the annual inspection processes, and should also be improved to reduce maintenance cost.

By digitalizing the control system, its integrity can be confirmed by the self-diagnosis function that is unique to digital systems. Therefore, the following checking scope/checking items can be reduced substantially.

• Calibration test of all cards (static test): The control blocks conventionally realized by analog cards will be configured in software. The ROM/RAM storing this software is continuously checked by self-diagnosis, so no additional checks are needed. The analog input unit, which remains hardware, can be calibrated on-line by intelligent I/O cards and needs no additional checks either. This means that only the analog output card needs to be calibrated in the static test of cards.

• Dynamic test: No checks are required, because the self-diagnosis of the ROM/RAM storing the software continuously carries out such checks.

• Confirmation test of bistable settings: Same as above.

If the number of current check processes is specified as 100%, the method described above will reduce it down to about 35%. This means a reduction of 65%.
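The continuous ROM/RAM self-diagnosis that the paper relies on to drop the static and dynamic card tests can be illustrated in a few lines. The block below is an added example, not code from the paper or from any vendor's rack; the memory layout, the background-scan scheduling (a few bytes of ROM per control cycle), the CRC-32 reference and the stuck-at fault model are assumptions made for the illustration.

```python
"""Continuous ROM/RAM self-diagnosis of the kind used to replace static and
dynamic card tests.  Added illustration; memory layout, scan scheduling and
fault model are assumptions."""
import zlib


class RomImage:
    """Program store plus the reference CRC computed when the image was built."""

    def __init__(self, image: bytes):
        self.data = bytearray(image)
        self.reference_crc = zlib.crc32(image) & 0xFFFFFFFF


class RomMonitor:
    """Background ROM check: a few bytes per scan cycle, so the check runs
    continuously without stealing a whole cycle from the control task."""

    def __init__(self, rom: RomImage, bytes_per_cycle: int = 16):
        self.rom = rom
        self.chunk = bytes_per_cycle
        self.pos = 0
        self.crc = 0
        self.last_result = None  # None until one full pass has completed

    def cycle(self):
        end = min(self.pos + self.chunk, len(self.rom.data))
        # zlib.crc32 accepts a running value, so the CRC is built up piecewise
        self.crc = zlib.crc32(bytes(self.rom.data[self.pos:end]), self.crc)
        self.pos = end
        if self.pos == len(self.rom.data):
            self.last_result = (self.crc & 0xFFFFFFFF) == self.rom.reference_crc
            self.pos, self.crc = 0, 0
        return self.last_result


class Ram:
    """Data store with an optional constructed stuck-at-0 fault (address, bit mask)."""

    def __init__(self, size: int, stuck_low=None):
        self.cells = bytearray(size)
        self.stuck_low = stuck_low

    def write(self, addr, value):
        self.cells[addr] = value & 0xFF

    def read(self, addr):
        value = self.cells[addr]
        if self.stuck_low and addr == self.stuck_low[0]:
            value &= ~self.stuck_low[1] & 0xFF
        return value


def ram_march_check(ram: Ram):
    """Non-destructive pattern test of every cell; returns the failing addresses.
    On a real card this runs with interrupts masked so the saved value is
    restored before any other task can read the cell."""
    bad = []
    for addr in range(len(ram.cells)):
        saved = ram.read(addr)
        ok = True
        for pattern in (0x55, 0xAA, 0x00, 0xFF):
            ram.write(addr, pattern)
            if ram.read(addr) != pattern:
                ok = False
        ram.write(addr, saved)
        if not ok:
            bad.append(addr)
    return bad


def demo():
    """Run both monitors over constructed memories; a ROM cell is upset between
    the two passes so the diagnosis is seen catching it."""
    rom = RomImage(bytes(range(64)))
    monitor = RomMonitor(rom, bytes_per_cycle=16)
    first_pass = [monitor.cycle() for _ in range(4)]      # completes on the 4th cycle
    rom.data[5] ^= 0x40                                    # simulated ROM bit flip
    second_pass = [monitor.cycle() for _ in range(4)]
    ram_faults = ram_march_check(Ram(64, stuck_low=(10, 0x08)))
    return first_pass[-1], second_pass[-1], ram_faults     # (True, False, [10])


if __name__ == "__main__":
    print(demo())
```

The point for a reviewer of such a design is the coverage claim: the ROM check only proves the program store matches its build-time reference, and the RAM test only finds faults in the cells it has had time to walk, so the cycle budget and the pass period both need to be stated with the 99% diagnosis figure.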

(3) Actions to Take for Product Availability

The card type analog instruments now in operation have been used for about 15 years since first installation, and some of the parts used in them are no longer produced. The card type analog instrumentation rack consists of about 40 types of cards to realize the control and protection functions of a plant, and about 50% of these card types have experienced parts availability problems.

To deal with the parts which are no longer produced, the manufacturer of the instrumentation rack is requested to switch them to second sources or to keep them in stock so that a steady supply can be maintained. However, given the general trend in industry of digital technologies taking the place of conventional analog technologies, product availability is expected to deteriorate further. This means that it is difficult to provide a solution by such minor modifications as have been made so far.

Circuit patterns or circuits themselves will have to be changed. Then, new cards will have to be made, and development verification test will contribute to increase costs incurred by the cards.

To reduce the costs of plant maintenance/repair, a stable supply of products is necessary. In this regard, too, analog control systems must be replaced with digital control systems.

3.3 Improvement of Operability

Not only to establish stable controllability over the whole plant power range, robust to external disturbances, but also to configure a plant that is easy on its operators, further improvements and automation will have to be made.

• Automation of plant's heating/cooling operations
• Automation of low-power operations (automatic control rod control system at 15% power or lower)
• Automation of turbine startup operations
• Others

In adding this automatic logic, the following features of digital technology must be exploited (it is difficult to provide them with an analog system because that would require a very large-scale system):

• Complicated operations can be processed with higher accuracy.
• A number of operations can be processed by one unit.
• Functions can be changed or expanded easily, because they are implemented in software.

3.4 Maintaining Space for Expansion

In some plants with long operating histories, the space for installing a digital instrumentation system may be scarce because improvement works have been repeated so far. In such a case, cables may have been deployed with no room for expansion, hindering the system improvement work planned for maintaining/improving the plant. To deal with these problems, the following features of digital technology must be used to provide solutions for the system's expandability.

4. Basic Designing Policy for Digital C&I System

To realize the needs for system improvement, the latest digital technologies must be applied.

Since it is not practical to provide the same system configuration as in the latest plant, because a large scale of addition and modification would be necessary, only the improvement needs related to the analog instrumentation system in the existing plant should be dealt with by digitalizing the system. The design in such a case should be carried out so that a good interface can be maintained even if the C&I system, including the main control board, is totally digitalized in the future.

4.1 Safety/Reliability

The protection system for the next-stage plants has a 4-channel configuration with 2-out-of-4 output to enhance plant safety and availability. In the existing plants, however, one channel would have to be added to the detectors to meet this requirement, and the reactor trip breaker rack is configured in 2 trains with 1-out-of-2 output. If these things were to be changed, the impact on the plant systems would be huge, leading to increased costs. Therefore, the current 2-out-of-3 output configuration should be maintained.
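The trade-off between the 2-out-of-4 logic of the next-stage plants and the 2-out-of-3 logic retained here can be made concrete with a small coincidence-voting model. The block below is an added example, not code from the paper; the rule that a bypassed channel is simply dropped from the vote while the required coincidence stays at 2 (so 2oo4 degrades to 2oo3 and 2oo3 to 2oo2), the independence of channel failures, and the per-channel probabilities used in `compare()` are all assumptions chosen for the illustration.

```python
"""m-out-of-n coincidence voting: 2oo3 versus 2oo4 with a channel in test bypass.
Added illustration; bypass rule and probability figures are assumptions."""
from math import comb


def vote(m: int, channels: dict) -> bool:
    """Coincidence logic: trip when at least m non-bypassed channels demand it.
    channels maps a channel name to 'trip', 'normal' or 'bypass'.
    Assumption: a bypassed channel is removed from the vote and m is unchanged."""
    active = [state for state in channels.values() if state != "bypass"]
    return sum(1 for state in active if state == "trip") >= m


def single_failure_tolerant(m: int, n_active: int) -> bool:
    """True if the logic can still trip when one active channel fails in the
    non-tripping direction, i.e. the remaining n_active - 1 channels reach m."""
    return n_active - 1 >= m


def p_fail_to_trip(m: int, n: int, p_dangerous: float) -> float:
    """Probability that a real demand is not tripped: at least n-m+1 of n
    independent channels fail 'dangerous' (stuck at normal)."""
    return sum(comb(n, k) * p_dangerous ** k * (1 - p_dangerous) ** (n - k)
               for k in range(n - m + 1, n + 1))


def p_spurious_trip(m: int, n: int, p_safe: float) -> float:
    """Probability of a spurious trip: at least m of n independent channels
    fail 'safe' (assert trip without a demand)."""
    return sum(comb(n, k) * p_safe ** k * (1 - p_safe) ** (n - k)
               for k in range(m, n + 1))


def compare(p_dangerous: float = 1e-2, p_safe: float = 1e-3) -> dict:
    """Side-by-side figures for 2oo3 and 2oo4, plus whether each still tolerates
    a single channel failure once one channel is bypassed for testing.
    The per-channel probabilities are constructed, not plant data."""
    rows = {}
    for n in (3, 4):
        rows[f"2oo{n}"] = {
            "fail_to_trip": p_fail_to_trip(2, n, p_dangerous),
            "spurious_trip": p_spurious_trip(2, n, p_safe),
            "tolerates_single_failure_with_one_bypassed": single_failure_tolerant(2, n - 1),
        }
    return rows


if __name__ == "__main__":
    for name, row in compare().items():
        print(name, row)
```

With the constructed figures, 2oo4 lowers the failure-to-trip probability by roughly two orders of magnitude and keeps single-failure tolerance with one channel in bypass, at the price of a somewhat higher spurious trip probability; that is the availability argument behind the next-stage configuration, and the cost argument in the paragraph above is why the existing plants keep 2oo3.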

By taking advantage of the digitized system, and by substantiating the self diagnosis function, a failure diagnosis rate of 99% or more is maintained.

To maintain the functional diversity of the reactor protection system, the reactor trip parameters requiring such diversity are processed by independent microcomputer, while from the view point of defense-in-depth, the reactor trip functions and the ESF actuation functions are processed by independent computer.

4.2 Operability

The interface with the main control board and other systems should be hard-wired; the current hard-wired interface should be maintained. However, in consideration of other systems to be digitalized in the future, the system should be configured so that the interface can easily be changed to multiplex transmission. The interface with the plant computer should be made by multiplex transmission through the unit bus. As far as the (non-safety) control system is concerned, the system configuration based on multiplex transmission should follow configurations that have operating experience at the latest plants. The safety system should be configured with separation and independence in mind.

(1) Information Transmission for Safety System (Equipment operation, status signals and PAM) The signal transmission line of safety system should have a multiplex information transmission line independent of the non-safety systems. This information transmission line should consist of the 2-train configuration maintaining mutual independence.

(2) Information Transmission of Non-safety Systems: The transmission to the non-safety systems should be made by installing an information transmission line to the unit bus. The connection to the unit bus in the non-safety systems should be electrically separated by optical fiber, and at the same time the data should be transmitted one way, from the safety system side to the unit bus, so that no failure on the unit bus side can affect the functions of the safety system.
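The one-way requirement in (2) means the receiving side can never acknowledge, retransmit or negotiate, so integrity and loss have to be detected from the stream alone. The block below is an added example of such a link, not code from the paper or any plant system; the frame layout (magic, 32-bit sequence number, payload length, record type, payload, CRC-32), the record types and the sample payloads are assumptions constructed for the illustration.

```python
"""One-way transmission from the safety system to the unit bus: the safety side
only emits framed records, the non-safety side only receives, checks and counts
gaps.  Added illustration; frame layout and record types are assumptions."""
import struct
import zlib

MAGIC = b"SFT1"
HEADER = struct.Struct(">4sIHB")   # magic, sequence number, payload length, record type
CRC = struct.Struct(">I")
REC_TRIP_STATUS, REC_ESF_STATUS = 1, 2   # constructed record types


def build_frame(seq: int, rec_type: int, payload: bytes) -> bytes:
    body = HEADER.pack(MAGIC, seq, len(payload), rec_type) + payload
    return body + CRC.pack(zlib.crc32(body) & 0xFFFFFFFF)


class SafetySender:
    """Safety-system side of the optical link: transmit only, no receive path."""

    def __init__(self):
        self.seq = 0

    def emit(self, rec_type: int, payload: bytes) -> bytes:
        frame = build_frame(self.seq, rec_type, payload)
        self.seq = (self.seq + 1) & 0xFFFFFFFF
        return frame


class UnitBusReceiver:
    """Unit-bus side: validates every frame and tracks losses.  It has no method
    that sends toward the safety system, so a fault here (bad data, overload,
    crash) has no path back over the link."""

    def __init__(self):
        self.expected_seq = None
        self.accepted = []
        self.rejected = 0
        self.lost = 0

    def receive(self, frame: bytes):
        if len(frame) < HEADER.size + CRC.size:
            self.rejected += 1
            return None
        body, (crc,) = frame[:-CRC.size], CRC.unpack(frame[-CRC.size:])
        if zlib.crc32(body) & 0xFFFFFFFF != crc:
            self.rejected += 1          # corrupted on the link: drop it, never request a resend
            return None
        magic, seq, length, rec_type = HEADER.unpack_from(body)
        if magic != MAGIC or len(body) != HEADER.size + length:
            self.rejected += 1
            return None
        if self.expected_seq is not None and seq != self.expected_seq:
            self.lost += (seq - self.expected_seq) & 0xFFFFFFFF   # gap detection replaces ACKs
        self.expected_seq = (seq + 1) & 0xFFFFFFFF
        record = (seq, rec_type, body[HEADER.size:])
        self.accepted.append(record)
        return record


def demo():
    """Constructed exchange: three frames, the second corrupted in transit."""
    tx, rx = SafetySender(), UnitBusReceiver()
    frames = [tx.emit(REC_TRIP_STATUS, b"RT1 ch1 normal"),
              tx.emit(REC_TRIP_STATUS, b"RT1 ch2 trip"),
              tx.emit(REC_ESF_STATUS, b"ESF SI actuated")]
    rx.receive(frames[0])
    damaged = bytearray(frames[1])
    damaged[-6] ^= 0x01                 # flip one payload bit
    rx.receive(bytes(damaged))
    rx.receive(frames[2])
    return len(rx.accepted), rx.rejected, rx.lost


if __name__ == "__main__":
    print(demo())   # (2, 1, 1)
```

Because the receiver cannot ask for a resend, a corrupted frame is counted as lost on the next good frame's sequence number; the counters are what the unit-bus side would alarm on, while the safety side stays unaware of the receiver's state by design.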

And if the control system rack is to be replaced, the new system should be able to deal with the expansion of automation and the improvement of controllability.

4.3 Maintainability/Testability

By substantiating the self diagnosis function, any failure of the system should be identified in the level of card or module, and the results of such diagnosis should be able to be displayed on the rack.

System should be configured, if possible, with cards or modules so that any failed parts can be replaced easily.

The maintenance of the software should be facilitated by the maintenance tools so that it may be tested/calibrated easily.

The instrumentation rack for the safety system should have a built-in automatic tester, and the integrity checks required during operation should basically be automated.

4.4 Economy

The interface between systems should be established by photo-multiplex transmission, so that the interface with other system in the future can be configured by multiplex transmission. Consequently, such system should be able to deal with the problems encountered in finding the routes for cable deployment at the existing plants.

5. System Configuration

Fig. 4 shows the configuration of the digital system now under consideration for use as the protection system. Such system will be realized by applying partially the digital reactor protection system which has already been qualified in the development and verification tests for the next stage plant.

(1) The protective functions are distributed functionally into 3 CPU groups (RT #1, RT #2, ESF), and the cards constituting each CPU group should be ones that have already been implemented in the control system racks at the latest plants with good operating experience.

(2) The interface with other systems including the main control board should be made by the hard wired connection through the signal conditioner card. If other systems are digitalized in such configuration, the signal conditioner card may be removed, and the multiplex transmission should be applied.

(3) The interface with the control system rack to be replaced with digital control system at the same time and with the plant computers already digitalized should be changed from the conventional hard-wired interface to multiplex transmission, so that the cable quantity may be reduced, and the expandability (flexibility for modification) of information interface may be maintained.

Fig. 4 System construction of digital reactor protection rack (figure not reproduced in the extracted text; labels recovered from it: To Control Rack, Main Control Board, Local Indicator-Recorder, Switch, Signal Conditioner, Subsystem Gr.1 Protection Rack (same as the other subsystem), Trip Indicator etc., Com Signal Unit, Another Channel, Data Link Transmission, B-Relay Racks Reactor Trip & ESF Logic (same as A-Rack), Existing A-Relay Racks, Hard Wired)

5. Conclusion

Some Japanese analog card racks in 2nd generation plants have already been in use for 10 to 15 years and are coming into the general replacement interval of the C&I system. For the next replacement, digital technology is necessary in order to improve the existing plants' capability.

We have started the study of the best procedure for digital replacement of the C&I systems. At the final stage of this replacement procedure, the whole C&I system will be replaced with a digital system. As a result of our rough study, the reactor control and protection racks must be replaced first.

XA9846508

APPLICATIONS OF COMPUTER BASED SAFETY SYSTEMS IN KOREA NUCLEAR POWER PLANTS

WON YOUNG YUN Korea Institute of Nuclear Safety Taejeon, Republic of Korea

Abstract

With the progress of computer technology, the applications of computer based safety systems in Korea nuclear power plants have increased rapidly in recent decades. The main purpose of this movement is to take advantage of modern computer technology so as to improve the operability and maintainability of the plants. However, in fact, there have been a lot of controversies on computer based systems' safety between the regulatory body and nuclear utility in Korea. The Korea Institute of Nuclear Safety (KINS), technical support organization for nuclear plant licensing, is currently confronted with the pressure to set up well defined domestic regulatory requirements from this aspect. This paper presents the current status and the regulatory activities related to the applications of computer based safety systems in Korea.

1. Introduction

The nuclear energy program in Korea was established in the early 1970s for the development of alternative energy resources. Since then the progress of Korea's nuclear energy program has been remarkable. As of December 1996, Korea has twelve nuclear power plants in operation and six nuclear power plants under construction. Moreover, it is expected that the Korean nuclear energy program will be further expanded to follow up future energy demand. Thus, from the aspect of nuclear energy utilization, Korea can be recognized as one of the major nuclear energy countries in the world.

As a result of this movement, Korea Electric Power Company (KEPCO) has established an aggressive instrumentation and control (I & C) upgrade program for the technical innovation of Korean nuclear power plants. One of the key elements of I & C's upgrading program is the adaptation of computer-based safety systems in nuclear power plants. The main purpose of the program is to take advantage of modern computer technologies such as potential performance, maintenance capability, etc, and to resolve issues arising from components obsolescence in existing old nuclear power plants.

From the aspect of nuclear plant safety, computer-based safety systems, as compared to conventional analogue systems, may bring new safety concerns such as the potential for software common mode failures and/or unexpected failure mechanisms. Thus the regulatory positions for the design of computer based safety systems are not yet formalized in some fields. So far, there have been a lot of controversies between nuclear utilities and the regulatory authority over the implementation of computer-based safety systems in Korean nuclear power plants. This paper briefly describes those examples and licensing activities in Korea.

2. Implementation Status of Computer-Based Safety Systems

2.1. Digital Interposing Logic System in YGN 3/4 Plants

Yonggwang nuclear 3 and 4 (YGN 3/4) plants are two-loop type PWR plants developed by ABB-CE company with an electrical output of 1050 MWe per each unit. They are reference models of Korean Standard Nuclear Power Plant (KSNPP). The construction of YGN 3/4 plants was started in December 1989 and the commercial operations were started in March 1995 and January 1996 respectively.

The NSSS design for YGN 3/4 plants is an application of ABB-CE's Standard System 80 design which is a reference model of the conventional nuclear power plants developed by Combustion Engineering. However, the instrumentation and control (I & C) design incorporates evolutionary features in some parts of the system configurations. Among these features is the digital interposing logic system (DILS), designed for the plant components control and the safety systems actuation.

The DILS is an integrated microprocessor-based control system which receives the plant operating command from the control modules mounted on control panels, on-off logic actuators and other control systems etc., to provide the suitable output signals to field devices, control module indicating lamps, annunciators, and the plant computer etc. These signals are mainly used for control system actuations during normal plant operations and interact with the safety system actuations in the case of plant accident conditions.

The DILS has independent subsystems, each with its own dedicated control board. The control board has its own dedicated control card, I/O buffer cards, and I/O terminations. A single-loop control board can interface with up to 128 field devices through the fiber-optic serial ports, and/or by discrete I/O to external equipment such as annunciators and the plant computer. Functionally, the master control subsystem is used to generate permissive or interlock signals, monitor the operating status of all other subsystems, report system failures, and take fail-safe action for faulted systems. In some cases, interlock functions are achieved by hardwired connections from inputs to outputs within the respective subsystems.

The software program used for the system execution and the logical operations is designed with the address-table programming method. This method requires no programming language knowledge because the logic flow chart is the definitive program document. Thus, the program can be implemented easily by reading the functional logic diagram. For reliable system operations, DILS has its own self-checking and auto-test capabilities enabling all of the data transmissions and logical operations to be checked and tested during system operations.
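The address-table method described above, where the functional logic diagram is itself the program, can be shown with a small table-driven interpreter. The block below is an added example, not the AFS-1000 format or any DILS code; the row layout (output address, operator, list of input addresses), the operator set, the constructed pump-start permissive and the field input names are all assumptions made for the illustration. The `validate_table` check is the part a reviewer would want: it is the static, language-independent verification that a logic table admits.

```python
"""Table-driven ('address-table') logic: rows name an output address, an operator
and the input addresses; an interpreter executes the rows each scan.
Added illustration; the row format and the pump-start interlock are assumptions."""

# Operators available to the table; each takes the list of input values.
OPERATORS = {
    "AND": lambda values: all(values),
    "OR": lambda values: any(values),
    "NOT": lambda values: not values[0],
}

# Constructed example: start permissive for a pump.  Every row is
# (output address, operator, [input addresses]); rows run top to bottom in one scan.
PUMP_LOGIC = [
    ("LEVEL_OK", "NOT", ["TANK_LO_LO"]),
    ("PERMISSIVE", "AND", ["LEVEL_OK", "BREAKER_RACKED_IN"]),
    ("START_REQUEST", "OR", ["HS_START", "AUTO_START"]),
    ("PUMP_START", "AND", ["START_REQUEST", "PERMISSIVE"]),
]

FIELD_INPUTS = ["TANK_LO_LO", "BREAKER_RACKED_IN", "HS_START", "AUTO_START"]


def validate_table(table, field_inputs):
    """Static check before the table is loaded: every operator must exist, every
    address read must be a field input or the output of an earlier row, NOT takes
    one input, and no address may be written twice.  Returns a list of problems."""
    problems = []
    defined = set(field_inputs)
    for out, op, ins in table:
        if op not in OPERATORS:
            problems.append(f"{out}: unknown operator {op!r}")
        if op == "NOT" and len(ins) != 1:
            problems.append(f"{out}: NOT takes exactly one input")
        for addr in ins:
            if addr not in defined:
                problems.append(f"{out}: reads undefined address {addr!r}")
        if out in defined:
            problems.append(f"{out}: address written more than once")
        defined.add(out)
    return problems


def scan(table, inputs):
    """One execution cycle: returns the full memory map (inputs plus every
    computed output) so the result can be displayed or logged."""
    memory = dict(inputs)
    for out, op, ins in table:
        memory[out] = OPERATORS[op]([memory[addr] for addr in ins])
    return memory


def pump_start(tank_lo_lo, breaker_in, hs_start, auto_start):
    """Convenience wrapper: evaluate the pump table for one set of field inputs."""
    inputs = {"TANK_LO_LO": tank_lo_lo, "BREAKER_RACKED_IN": breaker_in,
              "HS_START": hs_start, "AUTO_START": auto_start}
    return scan(PUMP_LOGIC, inputs)["PUMP_START"]


if __name__ == "__main__":
    print(validate_table(PUMP_LOGIC, FIELD_INPUTS))      # []
    print(pump_start(False, True, True, False))          # True
    print(pump_start(True, True, True, False))           # False
```

Because the table is data rather than compiled code, the configuration management concern raised later in the paper applies to the table itself: a changed row is a changed program, and the static check above is only as good as the list of field inputs it is given.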

Historically speaking, the original design of this system was developed for process control by Forney International Inc., using the AFS-1000 product. As a result, it was the first application of its kind to the safety-related systems in nuclear power plant engineering.

2.2 Programmable Digital Comparators in Wolsong 2/3/4 Nuclear Plants.

The Wolsong nuclear power plant units 2, 3 and 4 are PHWR plants supplied by Atomic Energy of Canada Limited (AECL). Each of them has a net electrical output of 663 MWe. The construction of Wolsong unit 2 was started in 1991 and the commercial operation was started in July 1997. In the case of Wolsong unit 2, there are 21 new design changes relevant to licensing requirements, with the Programmable Digital Comparator (PDC) being one of those evolutional design features. The PDC is a microprocessor based system which is programmed to generate conditioning logic output, signal rationality checks, and variable reactor trips for the safe operation of the plant. In the system configuration of CANDU-600, there are two independent reactor shutdown systems, entitled Safety Shutdown System 1 (SDS 1) and Safety Shutdown System 2 (SDS 2), with 6 PDCs in each of the two reactor shutdown systems.

The basic design concept of the Wolsong PDCs is identical with that of the reference plant in Canada. Functionally, PDCs are used to calculate the trip conditions or operating setpoints for field component actuations. The digital outputs of the PDCs drive relays in the channel trip logic, are used for other trip parameters, and the internally generated variable set points are displayed on control room panels. From the point of view of equipment qualification, PDCs are designed with industrial grade, field-proven computers which have read-only memories (ROMs) for the purpose of memory protection.

Actually, original designs of PDCs were proven by previous operations in Canada. Since some parts of the software program equipped in Wolsong PDCs were changed in the engineering process, we requested KEPCO to provide detailed documentations and check its source program in detail.

2.3. Digital Data Processing and Plant Protection System in Kori 1 Plant

Kori 1 nuclear plant is a two-loop type PWR plant which generates electrical output of 595MWe. It is the first commercial nuclear power plant which is supplied by the Westinghouse Company with a turn-key based contract. The commercial operation of Kori 1 nuclear plant was started in April 1978. In the system configuration, most of the instrumentation and control systems are comprised of analog electronic devices and mechanical relay logic circuitries like other conventional nuclear plants.

Among them, the data processing and plant protection cabinet, entitled the Foxboro H-line cabinet, consists of four (or three) redundant channels to accommodate 2-out-of-4 (2-out-of-3) voting with analog Foxboro modules and data processing circuits. Thus the safety and reliability of the plant protection system can be assured through this redundant system configuration.

During the early stages of plant operation, there has been no significant safety concern in the I & C systems. However, maintenance problems due to long-term component degradation and component obsolescence were reported frequently in early 1990s, and recently have become generic safety issues in Korea.

In relation to this issue, KEPCO established long-term I & C upgrade programs, the step-by-step replacement of degraded systems, for operating nuclear plants. One of these projects is the I & C upgrade for the Kori 1 nuclear plant. The scope of this project includes the replacement of electronic modules and data communications related to the NSSS protection system (NPS) and the NSSS control system (NCS). This upgrade will be the first analog to digital replacement using commercial dedicated microprocessors in an operating plant. It is known that the upgraded system will process the same inputs and outputs by using the existing sensor outputs and field controllers. In relation with this, the main concern of this project will be the qualification of commercial product applications and the configuration management of computer software.

2.4. Digital Plant Protection System in UCN 5/6 Plants

Ulchin nuclear 5 and 6 (UCN 5/6) plants are recognized as Korea Standard Nuclear Power Plants (KSNPP) which have the same electrical outputs compared to the YGN 3/4 plants. The construction of the UCN 5/6 was started in 1977 and the first commercial operation is scheduled in 2003. Currently, the construction permits for UCN 5/6 plants are under preliminary safety review by the KINS staff.

UCN 5/6 plants have evolutionary features in some parts of their design compared to the YGN 3/4 plants. These evolutionary design features are specifically noted in the design of instrumentation and control, where the safety of the Digital Plant Protection System (DPPS) and the Digital Engineered Safety Feature Actuation System (DESFAS) will be the most critical licensing issue due to the functionality of those systems.

From an aspect of system architecture, the DPPS, which is designed to generate signals for reactor trip and Engineered Safety Feature (ESF) actuations automatically when required, is a form and function replacement of the analog PPS installed in conventional CE plants. These features are a result of its built-in automatic and manual testing capabilities.

The DESFAS serves as an interface between the ESF portion of DPPS and the Plant Control System (PCS). The DESFAS is also a one-to-one function replacement for the Auxiliary Relay Cabinet (ARC) in the conventional CE plants. Thus, upon receipt of engineered safety component initiation signals from DPPS, the DESFAS processes the signals in a selective 2-out-of-4 logic to actuate plant components.

Since the original design concept of DPPS and DESFAS is reflected in ABB-CE's advanced nuclear plant (SYSTEM 80+), KEPCO has insisted that most of the safety issues were resolved during the process of Design Certification performed by the US NRC, and that the conceptual design of DPPS and DESFAS is completely the same as the original ABB-CE design. However, we believe there still exist unresolved safety problems, such as the provisions for defense against common mode failure (CMF), the level of product qualification and the verification of system reliability. We also feel that the detailed design program and qualification program should be evaluated by our regulatory staff, which will be organized into a special task force team to evaluate the safety of the proposed system.

In lieu of this, KEPCO will provide the topical reports on UCN 5/6 DPPS and DESFAS for an in-depth regulatory review. The reports will include detailed information associated with the DPPS and the DESFAS.

3. Regulatory Activities on Computer Based Safety System

Korea Institute of Nuclear Safety (KINS), a government established regulatory supporting organization, is responsible for performing the safety evaluation of nuclear power plants and other nuclear facilities in Korea. To carry out its mission effectively, KINS has carried out many regulatory research projects related to the establishment of Korean regulatory codes and standards for the design, construction and operation of nuclear power plants. However, as in other countries, practical implementations of computer based safety systems in nuclear power plants have increased rapidly during the 1990s, and it is expected that future implementations will also increase.

KINS has established the regulatory position that the design requirements of safety systems in nuclear plants should conform to the regulatory guidelines of the original vendor's country, and that the quality level of the proposed system should not be lower than that of the original system design. Especially in the case of operating system upgrades in nuclear power plants, the licensee should justify the design adequacy from the points of system reliability and system safety.

In practical cases, our major safety review activities related to computer based systems can be summarized as follows:
- Evaluate the rationale of design documentation and the design process.
- Verify the manufacturer's quality assurance program and the resulting documentation.
- Analyze the system's architecture from the point of view of defense against common mode failure (CMF).
- Audit the design process and the qualification test process when needed.
- Evaluate the software Verification and Validation (V&V) efforts and related documentation.
- Confirm the software configuration management (CM) program and the system maintenance program, etc.

Concerning the safety assessment of the computer based systems (DILS) in YGN 3/4 plants, our regulatory activities and experiences are explained as follows:

1) Rationale of design documentation: Since the AFS-1000 system was originally developed for industrial process control in the early 1980s, the design documentation applicable to nuclear plant licensing was not provided completely. Because of this we required the manufacturer to generate supplementary versions of the design documentation for the safety review process.

2) Verification of quality assurance program From the aspect of nuclear plant regulation, DILS is the first application to Korean nuclear power plants. Consequently, it is required to generate the formalized documents as reflected in the ASME NQA-1 1977. In relation with this concern, we performed the evaluation on the manufacturer's quality assurance plan and related documentations.

3) Provisions of defense against CMF: There have been a lot of controversies over the concept of defense against CMF between nuclear industries and regulatory bodies. Thus, we performed an in-depth detailed design evaluation, with the support of domestic expert groups, university professors and field engineers, of the system architecture and data communications. Based on the results of our evaluations, we concluded that system operability should be enhanced to mitigate common mode failure in accident conditions. Consequently, we required KEPCO to additionally install a single hardwired backup panel for safety-related component actuation in Train B.

4) Audit of equipment qualification test: The failure mechanisms of digital systems are more complex than those of conventional analog systems in most cases, with EMI/RFI susceptibility being the most critical failure mechanism under certain environmental conditions. In relation to this concern, we reviewed the manufacturer's qualification test program and found that additional qualification tests should be performed against the relevant regulatory requirements. We required KEPCO to perform the additional qualification tests, after which we audited the qualification test processes performed in the Wyle Laboratory and verified the acceptability of the test results.

5) Evaluation of the software V&V program: Software verification and validation may be the most effective method of reducing software programming errors at the present stage. We found that the manufacturer had not generated the complete form of software V&V documentation as reflected in IEEE-7.4.3.2, due to their lack of experience in nuclear plant engineering. So, we required the manufacturer to submit a complete set of software programming information and proceeded to check the software programs in detail with the support of a group of computer software specialists.

In the design review of the Wolsong PDC system, the main concerns were the design efforts made to ensure the system reliability and operability of the reference plants. During the early stages of our safety review we reviewed a number of documents on the system design process, the qualification test results and the results of the designer's reliability analysis. We also reviewed the operating experience of PDCs in Canadian nuclear power plants and the root causes of their failures, and found that none of these failures was safety significant and that the failure rate was acceptable.

We also reviewed, with the support of Korean experts, the detailed design information of the software contained in the Wolsong PDC system. We concluded that the Wolsong PDC software was acceptable, since it implements a simple program and follows the enhanced qualification requirements issued by the Canadian regulatory authority (AECB). Finally, we concluded that the Wolsong PDC system was acceptable for the issue of an operating license.

In the second case, the licensing process for an analog-to-digital upgrade in an operating nuclear power plant differs somewhat from the licensing of plants under construction in Korea. The Korea Atomic Act requires a licensee who wishes to change the design of a nuclear plant to obtain permission from the Minister of Science and Technology (MOST) on the basis of the technical justification of the design change. The licensee shall submit a report containing a brief description of any changes, tests or experiments, including a safety evaluation of each. Furthermore, the records of any changes shall be maintained until the termination of the license.

For the digital upgrade at Kori 1, KEPCO will provide a technical report presenting its design change program. We do not expect significant safety issues to arise, since KEPCO will adopt proven methods drawn from the many reference applications in other countries, and safety review meetings will be held as necessary.

Considering the third case, the DPPS and DESFAS in the UCN 5/6 plants will be the most critical licensing issue in the safety review of the plants' I&C systems. Since this is a prototype design and the first practical implementation of a safety-critical computer-based system in an ABB-CE plant, we required KEPCO to generate topical reports describing the detailed design methods, the design description, the quality assurance program and a defense-in-depth report. The basic concept of the topical report is similar to that used in the USA. KEPCO, following the structure of the corresponding US reports, will submit the topical reports in January next year with the contents shown in Table 1.

For the review of this documentation we will organize a multidisciplinary task force involving software experts, system engineers and regulatory staff. In our licensing review of the report, the defense-in-depth provisions, the system reliability analysis and the equipment qualification are expected to be the major safety concerns.

4. Concluding Remarks

The Korean nuclear industry has limited operational experience with computer-based safety systems. However, as in other countries, practical applications of computer technology to the safety systems of our nuclear plants have increased rapidly in recent years. We have carried out various safety research projects continuously, but our own regulatory positions on computer-based safety systems have not yet been formalized. Until then, we will follow the regulatory requirements of the original vendor's country and the consultative opinions of relevant expert groups. Cooperation with foreign countries and with international organizations such as the IAEA and OECD/NEA is needed in our continuing efforts to develop relevant regulatory guidelines.

In conclusion, our experience is that the major difficulties in licensing computer-based safety systems come from the lack of well defined design requirements, the complexity of computer software engineering, the limitations of the procurement process, and insufficient effort in generating licensing documentation. The licensee should therefore strengthen its safety improvement efforts, find compensating methods to overcome these difficulties, and accelerate safety research programs so that computer-based safety systems can be expanded for the enhancement of system reliability.

Table 1. Contents of Topical Report on DPPS & DESFAS

1.0 Purpose
2.0 Scope
3.0 Applicable References
4.0 Applicable Codes and Standards
5.0 Protective System Overview
    5.1 Background
    5.2 Design Basis
6.0 Digital Plant Protection System (DPPS)
    6.1 Functional Requirements
    6.2 System Description
    6.3 Hardware Description
    6.4 Software Description
    6.5 System Interfaces
7.0 Digital Engineered Safety Features Actuation System (DESFAS)
    7.1 Functional Requirements
    7.2 System Description
    7.3 Hardware Description
    7.4 Software Description
    7.5 System Interfaces
8.0 Software Reliability
    8.1 Quality Assurance
    8.2 Configuration Management
    8.3 Validation and Verification
9.0 Equipment Qualification
    9.1 Environmental Qualification
    9.2 Seismic Qualification
    9.3 Electromagnetic Interference (EMI/RFI) Testing
10.0 Equipment Reliability
    10.1 Failure Mode and Effects Analysis (FMEA)
    10.2 Mean Time Between Failure (MTBF) Analysis
    10.3 Operating History
11.0 Common Mode Failure Evaluation
    11.1 Scope of Evaluation
    11.2 Approach for Defense in Depth and Diversity
    11.3 Evaluation of Events
12.0 Conclusions

XA9846509

SHUTDOWN SYSTEMS COMPUTER-MONITORING FOR CERNAVODA NPP

M.C. POPESCU, Center of Technology & Engineering for Nuclear Projects (CITON), Bucharest, Romania

Abstract

Cernavoda Unit 1 is the newest CANDU type NPP. Fully computerised automatic control is implemented for the major unit processes, including reactor regulation, boiler pressure control, unit power regulation, boiler level control, primary heat transport pressure and inventory control, turbine run-up and on-power refuelling. In order to improve post-accident diagnosis and, for example, to maintain the trip setpoint margin during refuelling, a Distributed Data Acquisition System (DAS) will be implemented on the existing shutdown system configuration. The selection of the hardware supplier is not complete; new Romanian PLC manufacturers have yet to be selected.

1. CERNAVODA CONTROL AND SAFETY SYSTEMS

Cernavoda Unit 1 is the newest CANDU type NPP. Although erection started in 1979 and full power was reached only in 1996, thanks to modifications implemented during construction Cernavoda Unit 1 has the same performance as the other CANDU 6 units in operation in Canada, Argentina and Korea. Fully computerised automatic control is implemented for the major unit processes, including reactor regulation, boiler pressure control, unit power regulation, boiler level control, primary heat transport pressure and inventory control, turbine run-up and on-power refuelling. Two identical, independent digital computers are used for direct digital control. Each computer is capable of complete station control and transfers control automatically to the other computer on detecting a fault. The computer system plays an integral role in the defence-in-depth safety approach and attempts to intercept system upsets before they become reactor trips. For example, if high local neutron flux or high boiler pressure is detected, the control system initiates a "setback", which ramps the reactor power down. For loss of line or turbine trip, a "stepback" is initiated, in which reactor power is dropped rapidly. In both cases the reactor continues to operate at lower power only until the condition clears. To mitigate the consequences of a serious process failure requiring reactor shutdown, decay heat removal and/or retention of released radioactivity, four Special Safety Systems (SSS) are used:
- Shutdown System Number 1 (SDS #1)
- Shutdown System Number 2 (SDS #2)
- Emergency Core Cooling System (ECCS)
- Containment System (CS)

Each SSS is completely independent of the others, with its own sensors, logic and actuators; each employs triplicated logic, meets the single failure criterion, is designed with built-in features to facilitate on-line testing and is, to the greatest extent possible, free from operational connection with any of the process systems. SDS #1 uses solid shutoff rods dropping from the top of the reactor under gravity. SDS #2 uses high pressure liquid poison injection into the moderator. ECCS supplies coolant (H2O) to all the reactor headers in three stages: high pressure (nitrogen-pressurised water from tanks located outside the reactor building), medium pressure (water from an inner tank located at the top of the containment) and low pressure (water recovered from the sumps of the reactor building and pumped back into the reactor core via a heat exchanger). CS comprises a pre-stressed, post-tensioned concrete containment structure, an automatically initiated dousing system, building air coolers, a filtered air discharge, access airlocks and an automatically initiated containment isolation system. The active parts of the SSS are located as follows: SDS #1 and ECCS in the Main Control Room (MCR), SDS #2 and CS in the Secondary Control Area (SCA). The MCR also contains displays and controls for SDS #2 and CS.

2. SDS's TECHNICAL APPROACH

Each of the two SDSs consists of sensors, signal amplifiers, trip comparators or microprocessors called Programmable Digital Comparators (PDCs) for the trip parameters that require extensive conditioning or whose setpoints are functions of reactor power and/or heat transport system pump configuration, and relay logic driven by the trip comparator or PDC outputs. Each trip parameter has an analogue MCR panel indication of its actual value and of its trip setpoint. There is also an annunciation alarm indicating the state of the trip limits and the status of the trip channel; the annunciator is driven by relays other than the trip relays. SDS #1 has three channels which provide monitoring of 11 trip limits. SDS #2 has the same configuration but only 10 trip limits. Panel indicators are buffered from the active part of the trip channel.

3. SDS's COMPUTER MONITORING

During plant operation, for SDS #1 alone MCR operators have to observe 140 analogue signals and 150 digital signals (parameter values, trip setpoints and system status). For SDS #2 there are 121 analogue signals and 114 digital signals. Only a few of these signals are connected to the main computers. However, automation gives operators up to 15 minutes to think and plan before taking action following a plant upset. In order to improve post-accident diagnosis and, for example, to maintain the trip setpoint margin during refuelling, a Distributed Data Acquisition System (DAS) will be implemented on the existing SDS configuration. Analogue signals are to be taken from the MCR panel through buffer amplifiers and digital signals from free contacts of the annunciation relays. For SDS #1, data acquisition modules with a maximum of 64 analogue or digital inputs each are required. All these modules communicate over an RS485 data link with a workstation placed on the operators' desk. Some requirements were established:
- each terminal module has to convert signals into engineering values;
- the workstation has to provide menu files in the same fashion as the main computer menu files, and the displays will be the same as the main computer displays;
- windows will be provided for the Operating Manuals and Emergency Operating Procedures.
The selection of the hardware supplier is not complete; new Romanian PLC manufacturers have yet to be selected.

XA9846510

USE OF PC BASED DATA ACQUISITION SYSTEMS, CONNECTED TO REACTOR SHUTDOWN SYSTEM No.l AND 2

M. STANCIU, R. DUDU, RENEL FCNE Cernavoda, Cernavoda, jud. Constanta, Romania

Abstract

The intention of this material is to present the experience in use and the future development of PC Based Data Acquisition Systems (DAS) connected to Reactor Shutdown Systems (SDS) #1 and #2 at Cernavoda Nuclear Power Plant (NPP) Unit 1 (U1). Two major aspects of the purpose of using DAS are the subject of the material:
- post-event analysis and system impairment evaluation;
- reduction of economic penalties.

1. INTRODUCTION

Cernavoda NPP is a 5-unit plant with independent units, of which only U1 is in commercial operation, the rest being in various degrees of completion. It is being built under AECL (Canadian) licence.

Cernavoda is located in Dobrogea region on Danube river banks and the river is used as heat sink for the plant.

Site construction started in 1979, but was delayed mainly by the Romanian industry's effort to assimilate as much of the plant equipment and components as possible. Also, following December 1989 work stopped for 2 years until the new contract between RENEL and AECL-Ansaldo was signed, to finish U1, commission it and execute preservation work for the rest of the units.

2. NUCLEAR UNIT SHORT DESCRIPTION

The nuclear units which are part of Cernavoda NPP are of the CANDU 600 type, similar to the Canadian plants Point Lepreau and Gentilly-2.

CANDU 600 is a Pressurised Heavy Water Reactor with two circuits, the primary one with D2O and the secondary one with H2O. The reactor is fuelled with natural uranium. It employs pressurised horizontal channels holding the fuel bundles, cooled by the heavy water primary coolant. Outside these pressure channels, and isolated from them by a CO2 annulus gas, is the moderator (also heavy water), enclosed by a cylindrical vessel called the Calandria. The moderator is cooled by a separate heat sink to remove the heat produced by the moderation process. At each face of the reactor (that is, at both ends of the 380 pressure channels) there is a fuelling machine; the machines are controlled by the station computers to refuel the reactor at power. The primary circuit is separated from the secondary one by 4 steam generators (Babcock & Wilcox).

Turbine is made by General Electric and the secondary side is designed by Italian company Ansaldo.

Reactor thermal power (evacuated to turbine) is 2064 MWt and rated generator power is 706 MWe.

Unit control is accomplished by the Station Control Computer System, which employs 2 process computers (in a control/back-up configuration). These computers are produced by the Canadian company CAE and perform the following functions:
1) control of the following processes:
   - reactor power, with adjustment for local flux tilts;
   - steam generator pressure;
   - steam generator levels;
   - manoeuvring of the electrical generator load;
2) monitoring of reactor, turbine, steam generator and electrical generator parameters;
3) control of the fuelling machines;
4) annunciation, both on screens and on printers.

CANDU 600 safety systems are divided into 2 groups (group II being seismically qualified to a degree 9 earthquake). These safety systems are:
a) Group I:
   - Reactor Shutdown System No. 1;
   - Emergency Core Cooling System (cools the reactor core in case of LOCA);
b) Group II:
   - Reactor Shutdown System No. 2;
   - Containment System (contains the activity and reduces the pressure in case of LOCA).

The safety systems are completely separated from one another and from the normal process systems. They use only the annunciation function of the process computers, and they also have their own annunciation means.

The Unit 1 reactor reached first criticality in April 1996 and the unit began commercial operation in November 1996.

3. REACTOR SHUTDOWN SYSTEMS

Each reactor shutdown system has 3 measurement and decision channels, with dedicated instrumentation, working in 2/3 logic to trip the system and shutdown the reactor.

SDS#1 employs 28 steel-cadmium rods which drop into the reactor core to shut it down, released by electromagnetic clutches operated by the trip logic (2/3 measurement and decision channels). SDS#2 injects neutron poison into the moderator vessel to shut down the reactor. This system has 6 tanks of gadolinium nitrate dissolved in heavy water, connected by pipes to injection nozzles inside the Calandria. These tanks are separated from another tank, pressurised with helium at 80 bar (8 MPa), by a network of 6 quick-opening valves (each pair of valves is actuated by one measurement and decision channel), arranged so that if 2 channels trip, a path is opened for the helium to inject the poison into the moderator.

Parameters monitored by both shutdown systems are: neutronic parameters (local neutron flux, logarithmic power rate) and process parameters (pressure, flow, level, temperature of various nuclear systems). These parameters are used to determine if an accident has occurred or reactor power control is lost and therefore reactor must shutdown.

SDS#1 and 2 monitor almost the same parameters, but their setpoints are staggered, due to economic penalty of tripping SDS#2 (to pull out the poison from moderator takes about 30 hours) instead of SDS#1 (withdrawal of the rods takes about 10 minutes).

Both shutdown systems employ microcomputers. Each measurement and decision channel of each shutdown system has 2 microcomputers called Programmable Digital Comparators (PDCs), PDC#1 and PDC#2. The PDCs measure process parameters (pressure, level, etc.) and reactor power from the in-core flux detectors and ion chamber of their own measurement and decision channel. The PDC's role is to calculate the trip setpoints for the measured parameters as a function of reactor power, compare the field measurements (the monitored process parameters) with the calculated setpoints and actuate the trip logic of its measurement and decision channel.

Starting from the design basis accidents, the parameters monitored by the PDCs are classified as primary parameters and back-up parameters. Primary parameters are monitored by PDC#1 and back-up parameters by PDC#2.

A PDC is an assembly of 2 components, a data acquisition unit DG/DAC 4308 and a microcomputer DG-MP 100, both produced by Data General to an early-70s design. Figure 1 shows the block diagram of PDC#1 and Figure 2 that of PDC#2.

The PDC software is extremely simple and has no operating system. In practice the software has two main loops, an active loop and a test loop, which are executed alternately. The difference is that in the test loop the input values are read from an internal table and the result of the computation is compared against expected values from the same table; if the results do not match, the corresponding measurement and decision channel is tripped (Figures 3 and 4 show the active and inactive passes of the software). The software is deliberately very simple, with both software and hardware test routines. Physically the software is burned into PROM chips, with no possibility of being altered or tampered with. New software revisions are new sets of PROMs, which are tested in a Maintenance and Development facility.
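The structure described above (an active pass on live inputs alternating with a test pass on a built-in table, setpoints calculated as a function of reactor power, and a checksum over the program image), together with the 2-out-of-3 channel voting of section 3, as an added example in Python. This is not the Cernavoda PDC code, which is burned into PROM on a Data General microcomputer; the linear setpoint law, the self-test table, the additive checksum standing in for the PROM checksum, the rationality check limits and all numerical values other than the 1.772 m boiler level setpoint quoted later in the paper are constructed assumptions.

```python
"""PDC-style trip channel: alternating active and test passes, setpoint as a
function of reactor power, rationality check, PROM-style checksum and 2oo3
voting.  Added example, not the Cernavoda PDC code; the setpoint law, the
self-test table, the checksum and all numbers are constructed assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class TripParam:
    name: str
    sp_full_power: float   # setpoint at 100 % full power (FP)
    sp_zero_power: float   # setpoint at 0 % FP; assumed linear in between
    low_trip: bool         # True: trip when value < setpoint, else value > setpoint
    plausible: tuple       # (min, max) sensor range for the rationality check

# Constructed parameters; 1.772 m at 100 % FP is the boiler level setpoint
# the paper quotes, everything else is illustrative.
PARAMS = (
    TripParam("boiler_level_m", 1.772, 1.200, True, (0.0, 4.0)),
    TripParam("hts_pressure_mpa", 10.5, 10.5, False, (0.0, 15.0)),
)
# Stands in for the PROM image; the additive checksum is what the channel
# verifies every pass (it will not catch two compensating corruptions).
PROGRAM_IMAGE = b"PDC active/test pass program v1"

def image_checksum(image: bytes) -> int:
    return sum(image) & 0xFFFF

GOOD_CHECKSUM = image_checksum(PROGRAM_IMAGE)

# Built-in self-test table: (inputs, reactor power, expected trip verdict).
TEST_TABLE = (
    ({"boiler_level_m": 2.00, "hts_pressure_mpa": 9.8}, 1.0, False),
    ({"boiler_level_m": 1.70, "hts_pressure_mpa": 9.8}, 1.0, True),   # < 1.772
    ({"boiler_level_m": 1.70, "hts_pressure_mpa": 9.8}, 0.5, False),  # SP = 1.486
    ({"boiler_level_m": 2.00, "hts_pressure_mpa": 11.0}, 1.0, True),  # > 10.5
)

def setpoint(p: TripParam, power_fp: float) -> float:
    """Trip setpoint as a (here linear) function of reactor power."""
    power_fp = min(max(power_fp, 0.0), 1.0)
    return p.sp_zero_power + (p.sp_full_power - p.sp_zero_power) * power_fp

def param_tripped(p: TripParam, value: float, power_fp: float) -> bool:
    lo, hi = p.plausible
    if not lo <= value <= hi:      # rationality check failed: fail-safe trip
        return True
    sp = setpoint(p, power_fp)
    return value < sp if p.low_trip else value > sp

def any_tripped(params, inputs: dict, power_fp: float) -> bool:
    return any(param_tripped(p, inputs[p.name], power_fp) for p in params)

class PDC:
    """Comparator of one measurement and decision channel."""

    def __init__(self, params, image: bytes, stored_checksum: int):
        self.params, self.image, self.stored = params, image, stored_checksum
        self.halted = False        # a halt starves the watchdog: relay drops out
        self.active_pass = True
        self.last_verdict = True   # output table starts in the trip state

    def cycle(self, inputs: dict, power_fp: float) -> bool:
        """Run one pass; True means the channel trip relay is de-energised."""
        if self.halted or image_checksum(self.image) != self.stored:
            self.halted = True
            return True
        if self.active_pass:
            self.last_verdict = any_tripped(self.params, inputs, power_fp)
        else:   # test pass: same routine on canned inputs, checked against the table
            for t_inputs, t_power, expected in TEST_TABLE:
                if any_tripped(self.params, t_inputs, t_power) != expected:
                    self.halted = True
                    return True
        self.active_pass = not self.active_pass
        return self.last_verdict

def vote_2oo3(channel_states: dict) -> bool:
    """The shutdown system acts when at least two of three channels trip."""
    return sum(channel_states.values()) >= 2

def run_scenarios() -> dict:
    normal = {"boiler_level_m": 2.10, "hts_pressure_mpa": 9.9}
    low = {"boiler_level_m": 1.65, "hts_pressure_mpa": 9.9}
    bad = {"boiler_level_m": -5.0, "hts_pressure_mpa": 9.9}   # failed transmitter

    def fresh(params=PARAMS):
        return {c: PDC(params, PROGRAM_IMAGE, GOOD_CHECKSUM) for c in "DEF"}

    out = {}
    ch = fresh()   # steady state over four passes: active, test, active, test
    out["normal"] = vote_2oo3({c: [p.cycle(normal, 1.0) for _ in range(4)][-1]
                               for c, p in ch.items()})
    ch = fresh()   # two channels see low level: 2oo3 satisfied
    out["low_level"] = vote_2oo3({"D": ch["D"].cycle(low, 1.0),
                                  "E": ch["E"].cycle(low, 1.0),
                                  "F": ch["F"].cycle(normal, 1.0)})
    ch = fresh()   # one implausible input trips its own channel only
    s = {"D": ch["D"].cycle(bad, 1.0), "E": ch["E"].cycle(normal, 1.0),
         "F": ch["F"].cycle(normal, 1.0)}
    out["single_fault"] = (s["D"], vote_2oo3(s))
    corrupt = PDC(PARAMS, PROGRAM_IMAGE[:-1] + b"X", GOOD_CHECKSUM)
    out["checksum"] = (corrupt.cycle(normal, 1.0), corrupt.halted)
    # Wrong setpoint table: the active pass on a quiet plant looks fine,
    # the next test pass catches it.
    wrong = PDC((TripParam("boiler_level_m", 1.500, 1.200, True, (0.0, 4.0)),
                 PARAMS[1]), PROGRAM_IMAGE, GOOD_CHECKSUM)
    wrong.cycle(normal, 1.0)
    out["self_test"] = (wrong.cycle(normal, 1.0), wrong.halted)
    return out
```

Two points are worth noting. The output table is initialised in the trip state and a checksum or self-test mismatch halts the comparator instead of carrying on, so the watchdog relay drops out and the channel fails towards trip. The test pass runs the same comparison routine on canned inputs, which is what catches a corrupted setpoint table that the live inputs of a quiet plant would never exercise; the single failed transmitter, by contrast, trips only its own channel and the 2oo3 logic keeps the reactor running. The additive checksum is a stand-in; a CRC or a keyed hash would also detect compensating changes.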

The PDC has proved to be a reliable piece of equipment with very low maintenance. The only problems we are experiencing with this equipment concern procurement, since it is obsolete, and the preparation of new software revisions after commissioning (the type of PROM used by the PDC is no longer available on the market).

Figure 1 - PDC#1 Block Diagram (recovered blocks: HTS low pressure, pressurizer low level and boiler low level trip inputs; flux detector loops; pump mode operation and normal/pump mode selection P1,P3 / P2,P4; ion chamber log-N meter; DG/DAC buffered input/output; local error message display; trip setpoint meters; watchdog; test pushbutton; relay contact to the SDS trip logic; AI/AO and DI/DO selfcheck loops)

Figure 2 - PDC#2 Block Diagram (recovered blocks: HTS high pressure, HTS low pressure and boiler feedline low pressure trip inputs; HTS low pressure and BFLP trip inhibits; flux detector loops; pump mode operation and selection; ion chamber linear-N and compensated linear-N meters; channel identity; PDC selfcheck and input signal abnormal annunciation; DG/DAC input/output; local error message display; watchdog; test pushbutton; relay contact to the SDS trip logic; AI/AO and DI/DO selfcheck loops)

Figure 3 - PDC Software Active Pass (recovered flow: program start point; clear calculated data; set active index; subroutines for power calculation, store to data tables and selfcheck sequence; then for each parameter (pressurizer level, H.T. low flow, boiler level, moderator temperature) the generic algorithm: set output table to trip state, read process input, calculate process trip setpoint, set output table to trip or clear state, drive display if applicable; finally I/O alarm, checksum with halt on error, thread check with halt on error, set watchdog, write output table trip codes to I/O)

Figure 4 - PDC Software Inactive Pass (Test Pass) (recovered flow: program start point; set output table to trip state; hold or run; clear calculated data; set non-active index; subroutines for power calculation, selfcheck sequence and I/O tables; then for each parameter (pressurizer level, H.T. low flow, boiler level, moderator temperature): set output table to trip state, read process input, perform rationality check and alarm on failure, calculate process trip setpoint, compare input to setpoint, check trip conditioning; finally checksum with halt on error, thread check with halt on error, check output table values and halt on error detection)

4. PC-BASED DATA ACQUISITION SYSTEMS

The need for PC-Based Data Acquisition Systems appeared at Cernavoda Ul due to the following problems:

1) The panel meters of SDS #1 and #2 are of analogue type and of low accuracy (1.5% of full scale). This has a direct impact on plant operation, for the following reasons:
   i) because of on-line refuelling the local neutron flux rises, and if a flux detector loop indication comes within 5%FP of its trip setpoint the operator has to de-rate the unit by 1-5%FP for a few hours (up to 10 hours);
   ii) twice a day, the in-core flux detector amplifier gains are adjusted with a coefficient which takes into account fuel burnup, coolant parameters, and poison concentration in the moderator and coolant. This coefficient is also influenced by the accuracy of the input values;

2) In case of plant upsets or unit trips (reactor trip, reactor stepback, turbine trip, etc.) the alarm printouts are not always sufficient; moreover, the number of variables with history in the station computers is limited and the sampling interval for those variables is usually too large. To analyse an event, a record of a fairly large number of parameters, taken for some time before and after the event with a shorter sampling interval, is required.

To satisfy both requirements, PC Based Data Acquisition Systems were chosen, a DAS system for each shutdown system.

4.1 Data Acquisition System Hardware

A Data Acquisition System comprises a PC AT-486, a National Instruments AT-MIO-16L-9 data acquisition board and an SCXI-100 chassis with 4 SCXI-1100 amplifier/multiplexers (National Instruments). Neutronic parameters (local flux, linear power, logarithmic power and logarithmic power rate from the ion chamber), process parameters (pressure, flow, level, etc.) and trip setpoints are connected through optical isolators to the DAS analogue inputs.

Figure 5 shows the hardware of PC-DAS and Figure 6 one optically isolated loop.

Figure 5 - PC-DAS hardware (Personal Computer with plug-in DAQ board, SCXI cable assembly, SCXI chassis, SCXI module, SCXI terminal block or connector-and-shell assembly)

Figure 6 - PC-DAS Analogue Input (floating signal connection referenced to chassis ground for better signal-to-noise ratio)

4.2 Data Acquisition System Software

The DAS software is a Windows 3.11 application developed with LabVIEW for Windows from National Instruments. The previous software versions used during commissioning were also developed with LabVIEW.

4.3 Use of PC-DAS during commissioning

During commissioning DAS was used for 2 major purposes:

I) DAS was connected to the Reactor Start-Up Instrumentation before manual fuelling of the reactor (first fuel load) and until the end of the low reactor power tests (up to 10^-3 FP). In this way the indication of reactor power before and during the first approach to criticality was more precise than that of the analogue instruments of the Start-Up Instrumentation. DAS was also used by the Reactor Physics department to calculate, display and record the doubling time as an indication of criticality, and to display reactor power after criticality, when reactor power was raised manually from 10^-12 FP, where criticality occurred, up to 2x10^-6 FP, where the Reactor Regulating System took over reactor control.

II) During low and high reactor power operation, DAS was also used to record the power rundown during transients (SDS#1 and #2 trips, reactor stepback (fast power reduction), reactor setback (slow power reduction)), and the recorded data were used by the Reactor Physics department to align their simulation programs to the real system behaviour. Figure 7 shows the actual power rundown during an SDS#1 trip from full power during commissioning.

Figure 7 - Power Rundown (SDS#1 Ion Chamber Linear Power): SDS#1 trip 96/10/28 13:55:20, reactor linear power from ion chamber channel D (SDS#1); vertical axis IC LIN POWER (fraction of full power, 0.1 to 0.9), horizontal axis time in seconds (20 to 70)

4.4 Use of PC-DAS during commercial operation

The Windows 3.11 application presently running on PC-DAS executes the following tasks:
1. displays the monitored parameters on a set of screens, as bar charts and in alphanumeric form;
2. displays the "margin-to-trip" for the monitored parameters;
3. raises a visual alarm when the "margin-to-trip" goes below a pre-set value;
4. records the acquired data on the hard drive as ASCII files for history, and transfers them to floppy disk on request.

4.5 Advantages of using PC-DAS (National Instruments hardware and software)

It's a flexible system, easy to use, with visual programming and the graphic interface well done and handy for operators.

High precision readings (16 bit resolution) and high acquisition speed (100,000 readings/sec for one acquisition channel) and a large number of acquisition channels (240 channels maximum).

Using optically isolated amplifier/multiplexers DAS can have no interference with the monitored system and no cross-connection can accidentally appear between channels.

The price is fairly low (about 10,000 USD for 2 DAS).

The output data can be arranged in any format and graphs can be made in any way (stretched, compressed, only a window), basically any data processing available through spreadsheet programs can be applied.

4.6 Examples of event analysis with DAS collected data

4.6.1 Analysis of the effect of testing one boiler level loop on the other boiler level loops

During periodic testing of the "Low Boiler Level" trip parameter, the operator noticed that the indicated boiler level on a different boiler level loop, used by the Boiler Level Control system, was affected (the indicated level rose) and the "spreadcheck" alarm from the Station Computers came in. Analysis of the data available in DAS showed that the other 2 measurement and decision channels of SDS#1 were also affected, the level deviation being in the unsafe direction. Figure 8 shows the indication of the channel under test (channel E, loop 1). Figure 9 shows the effect on channel D, loop 1.

The analysis conducted in the field revealed that the transmitter impulse lines of several loops run in close proximity; executing the test heated them up, the density of the water in those lines changed, and the transmitters indicated a change in level that had not actually occurred.

Analysing the recorded data with Microsoft Excel program, the amplitude of the phenomenon was determined and by several attempts the test was modified to have the lowest impact on the other loops.

Figure 2 - Boiler Level of the tested loop (Boiler 1 level in m as indicated by 68238-LT-1E during OMT 68200.8 on channel E; Boiler Level Trip S.P. = 1.772 m for 100%FP; the actual moment of the test is marked)

Figure 3 - The influence on the LT-1D transmitter (Boiler 1 level in m as indicated by 68238-LT-1D during OMT 68200.8 on channel E)

4.6.2 An aid to System Engineer in system status evaluation

During normal operation any system can be affected by process conditions (cleanliness, deterioration of normal parameters, etc.). If the System Engineer has a means of comparing system behaviour over time, it can flag him to react sooner and prevent spurious trips, which can be very costly.

Figure 4 shows an example of a parameter affected by degradation of optimal operating conditions. A Boiler Feedline Pressure loop contains a small bladder accumulator with a pressurised N2 cushion. Loss of the N2 pressure shows up as an increase in measurement noise. This flagged the System Engineer to re-charge the accumulator with N2 at the specified pressure and to increase the frequency of the periodic re-charge activity. Figure 5 shows the signal after re-charging the accumulator.

Figures 4 and 5 - Boiler Feedline Pressure (MPa) versus time (07:31:21 AM to 07:37:46 AM), before and after re-charging the accumulator

4.7 Future development at Cernavoda Unit 1

The implementation of PC-DASs for SDS#1 and #2 at Cernavoda is at an intermediate stage. In the final stage the application will be migrated to the QNX operating system (produced by QNX Software Systems Ltd.), which is a real-time operating system; the present implementation suffers from the shortcomings of Windows 3.11. Audio alarms with an adequate audio system will also be implemented, as will alarms for unsafe deviation of the monitored parameters.

Recently the old-type (Benson) process computer printers were replaced with modern laser printers, connected through a local network to industrial PCs which act as gateways for the station computers. These gateway PCs will also be used to download periodically all the measured and calculated variables held in the station computers.

The rest of the safety systems and the turbine controller will also be connected to PC- DAS's. The final intent is to connect all these DAS's to the company PC network to achieve the integrated history record of the plant variables. Long term mass storage of the data will be provided so that any event can be recalled at any time. The data will be also used for the external reporting to regulatory bodies and to the general public (in the proper format). Data can also be used by management in synthetic reports in a computerised Work Management System.

A second path in data usage will be a dedicated computer that will analyse the data and signal to the operators when the plant is entering an abnormal situation (before the situation becomes obvious to the operator) and recommend actions to them, decreasing the response time of the operators. It will also be used as a back-up to the main annunciation system.

XA9846511

MODERNISATION OF SAFETY SYSTEMS IN RINGHALS 1 NPP IN SWEDEN

EINAR STROBECK, Ringhals 1, Vattenfall AB, Sweden
PAUL VAN GEMST, ABB Atom AB, Sweden

Abstract

This paper discusses the modernisation process for the Ringhals 1 NPP, and the consequences of upgrading the safety requirements to the most modern levels. The process includes modernisation of all I&C and electrical systems, both for safety and for non-safety. The paper will focus on the modernisation of safety I&C. In accordance with established practice for Swedish BWRs, standard and proven design components and systems are used when designing the safety and non-safety I&C for a new NPP. As a result, the I&C will already be more than 10 years old when the commercial operation of the plant starts. Therefore, it should be far from surprising that a complete modernisation of the plant equipment is initiated after about 20 years of operation, when the I&C is really some 30 years old. The modernisation program in Ringhals 1 will be carried out in 6 steps during the normal refuelling outages up to the year 2003, and is, from a safety point of view, based on the following four important decisions:
• Programmable technology shall be used.
• The number of suppliers shall be drastically reduced and one supplier shall be selected for the main part.
• Following the modernisation, the safety level should be comparable to that of the latest built nuclear plant in Sweden.
• After the modernisation, operation of the plant can be continued for another 15 to 20 years.
The modernisation project was started in 1995 with an analysis phase called RAMP, the purpose of which was to define both general plant requirements as well as requirements for each individual I&C and electrical system. The RAMP project was carried out as a typical "top down process". The top was based on the evaluation and interpretation of the defined modernisation policy. The other levels were the design basis, the requirements for each technology area and the requirements for individual I&C and electrical systems. The paper will describe shortly the organisation and progress of the RAMP project.

1 Introduction

The Ringhals 1 nuclear power plant, on the West coast of Sweden, is owned by Vattenfall AB. The plant, which is a two-turbine plant with a BWR of ABB Atom design with external recirculation pumps, was commissioned in 1969. Up through 1995 it has produced 22,09 TWh with an average availability factor of 80%, and at a production cost of 0,15 Swedish crowns per kWh (less than 19 US$ per MWh). Three PWRs of Westinghouse design are also located at the Ringhals site.

The safety systems of Ringhals 1 are basically designed with two redundant trains. Due to load distribution requirements, however, the auxiliary electrical power supply system has been laid out as a four-busbar system with four diesel generators. The reactor protection system (RPS) is built in three channels with two-out-of-three coincidence voting.

The I&C systems and the other electrical systems were designed in the early 60s using the standard components that were available on the market at that time. As a consequence, the design of these components was already some 10 years old when the plant was commissioned. The logic for the I&C was built with relays, and the closed loop control systems were based on discrete electronics. The alarm system was, for the first time in Sweden, computerised. Ringhals 1 was also the first nuclear power plant in Sweden to be provided with an on-line process computer for core supervision.

An anticipated lifetime for I&C equipment is about 25-35 years (Figure 1). After this time, the number of incidents and failures will increase and the equipment becomes obsolete. Such problems can jeopardise the power plant availability but also impact its safety.

Fig 1: The lifetime of I&C (timeline 1960 to 2010 showing I&C development, plant design, commercial operation and equipment 30-35 years old)

Modernisation of Safety I&C in Ringhals 1 NPP

Ringhals results 1996: total production 25,3 TWh (18% of Swedish electrical production); availability 90%; production cost 16 öre/kWh.

Typical problems are:
• Ageing of material.
• Increased fault frequency.
• Spare parts unavailability.
• Lack of technical support from original suppliers.
• "Unknown" technology to younger people.
• Modifications are difficult to carry out.

During the 30 years of operation of the Ringhals 1 plant, some separate I&C systems have been replaced by digital systems, but no structural changes have been carried out. This approach may result in an I&C with equipment from different suppliers and no standard for communication, MMI (Man-Machine Interface) and maintenance strategy. Feasibility studies showed that such piece-by-piece modernisation can enable extending plant operation for another 5 to 10 years. The expected lifetime for the plant as a whole is substantially longer than that, however, and therefore a major modernisation of I&C and electrical equipment was decided in 1995.

2 Policy and implementation

The policy decided for the modernisation of the I&C includes the following components:
• After completion of the modernisation program, the expected lifetime for the I&C shall be at least 15 to 20 years.
• The modernisation shall be carried out in steps during the normal annual refuelling outages.
• Modern, i.e., programmable, technology shall be used.
• After the modernisation, the safety level should be comparable with that of the latest built NPP in Sweden.

Based on this policy, a strategy for implementation was worked out. It was decided that the modernisation shall be carried out during 6 outages, starting in 1997 and finishing in 2003.

Another important decision was that each modernisation step shall be a part of the final I&C structure. As a logical conclusion it was decided that the final structure must be specified first, including determination of the sequence of the different upgrades. The design of the final structure depends on the I&C products available on the market, and therefore, several feasibility studies were carried out by different suppliers, both for the Ringhals 1 BWR and the Ringhals 2 PWR.

The main conclusions from these studies were:
• The number of suppliers must be drastically reduced since:
1. open systems for communication do not exist;
2. in order to obtain a uniform and standardised operator interface, the MMI part must be designed and delivered by one supplier, and
3. plant computers or other computers must be integrated in the new I&C structure.
• A co-operation agreement must be signed with one supplier.

Another important observation made during the studies was that the amount of work would be comparable to that for building a new plant, but the implementation is more complex.

In existing plants, constraints that must be taken care of are:
• existing buildings;
• implementation in steps;
• short outages;
• integration of old and new equipment.

As a first step in the modernisation process, it was decided to initiate an extensive analysis phase to be carried out in co-operation with the selected I&C supplier. This should be done in a typical top-down approach. For the Ringhals 1 BWR plant, the ABB Atom company was selected as the I&C supplier (Figure 2).

Fig 2: ABB's Advent® Power for nuclear requirements (part of the Nuclear Advantage concept). The diagram shows plant management and personal computers, connections to offices off-site through firewalls, operator stations and engineering tools.

It was also observed that the existing plant simulator should be used not only for renewed operator training, but also for verification and validation of modifications prior to the installation in the plant.

3 Analysis Phase

The main goals for the analysis phase were to develop plans for the modernisation and the implementation strategy, as well as establishing technical requirements. It should be carried out as a top-down project leading to a description of the requirements for the individual systems in the plant.

The analysis phase was divided into several steps, for definition or description of:
1. Policy, work organisation and general plant requirements.
2. Rules, standards and design basis.
3. Requirements for the different technology areas.
4. Specifications for every system in the plant.

The inputs for the study were taken from (Figure 3):
• The original requirements, which had been described in more detail by a design basis reconstitution project called REDA.
• Operating experiences.
• New rules and standards.
• The selected programmable I&C system.

Fig 3: Inputs to the modernisation (utility and vendor knowledge, the design basis reconstruction project, operating experiences, new rules and standards, new I&C technology, the new plant design basis and its limitations)

The study was carried out in a co-operation between Vattenfall and ABB. Documents were reviewed in different steps in both organisations and issued as Vattenfall documentation.

Table I: Documents for the analysis phase

Policy, work organisation

Rules, standards, design basis: Design [illegible]; Safety classes; [illegible] verification; Simulator principles; Control room principles

Technology areas: Strategy; Safety review; Diversity; Alarm principles; I&C circuits; Tools, documentation; Installation; Redundancy; Signal transmission; Labeling; EMI; Earthquake

System specifications:
  Installation: Layout; Enclosures; Cables; Earthing, lightning; Labeling; Environmental qualification; Outages; Fire protection
  Power supply: Principles; Instrumentation; Component control; Power distribution
  I&C: Plant control; Component control; Instrumentation; RPS; Process computer; Remote shutdown
  Control room: Layout; Simulator; MMI; Alarm system

All the documents had been reviewed at the end of the phase (Table I).

4 Safety improvements

4.1 Introduction

As explained previously, the goal for the modernisation is to obtain a safety level comparable with that of the latest built nuclear power plants in Sweden.

The Ringhals 1 plant was designed in the mid-1960s, following the General Design Criteria of the forerunner to the US NRC. At that time, the only industrial nuclear standard that was available was the proposal for IEEE 279 with design rules for the RPS. As a consequence, the RPS equipment was the only equipment designed to meet special nuclear requirements. The rest of the equipment, including turbines and service systems, was classified as safety important and was designed to the highest possible industrial quality.

Fig 4: The evolution of standards (original design: IEEE 279; today: about 200 guides and standards)

Today, about 200 rules and standards, for safety and non-safety systems, as well as for the interconnection between these systems, exist. Some impacts from these new rules and standards are indicated below.

4.2 Separation

As described above, all equipment was, from the beginning, regarded as important to safety. No functional separation was, in principle, required between important or less important systems for safety. Physical separation was provided by two fire areas in the control and electrical building and for the two turbine buildings. The reactor building was generally one single fire area in which redundant equipment could be installed in the same room.

Later on, a classification of the systems and components in accordance with modern classification methods was carried out. One result of this new classification is a demand for functional separation between safety and non-safety systems. This is a design criterion for the new digital equipment, where firewalls are provided between the two types of systems. Cables belonging to safety and non-safety systems should be installed on separate trays, but this will, due to layout constraints, not always be practically possible. The existing cable trays will be used both for safety and non-safety cables. The non-safety cables shall therefore be designed and selected as for safety cables ("associated").

The physical protection of the original two fire areas will be improved or extended to correct weak points in the plant.

4.3 Redundancy and diversity

The design for the Ringhals 1 BWR was based on a two-division concept. During the detailed design phase, some additional redundancy or diversity was introduced. Examples are:
• Scram with two diversified systems.
• Auxiliary feed water supply by a high pressure system as backup to the low pressure core coolant injection system.
• Two additional diesel generators.
• Three channels in the RPS.

Fig 5: The evolution of redundancy and diversity (original design: two divisions; current design: additional redundancy and diversity; proposed modernisation: four divisions)

Later on, during the plant's operating life, more diversity has been built in, e.g., by an additional auxiliary feed water system pump directly driven by a diesel. These additional systems have been installed on a case-by-case basis, however, and the I&C was not restructured from the original two-division design (Figure 5).

For the modernisation, a restructured I&C which takes care of the existing redundancy or diversity of other systems in the plant, has been proposed.

The new I&C will be designed with two "main" divisions, A&B, which in principle are the divisions of the original design. In addition, there will be two divisions, C&D, which comprise the I&C for the other existing redundant or diversified process, service systems or auxiliary electrical power supply. The redesign of the I&C will be co-ordinated with the power supply for the system components as well as the cable installations. Redundancy means for the I&C that there are four separated divisions but still using the same I&C product. The I&C redundancy follows the redundancy of the safety process systems. For this reason it was not possible to obtain a totally four-divisional I&C redundancy (Figure 6).

Fig 6: The proposed redundancy (Safe Shutdown: reactivity control, core cooling, pressure relief, heat removal; LOCA: core cooling, containment, filtered ventilation)

Safety goals exist for the power plant. These are to be verified by probabilistic calculations. If such calculations show that the safety goals cannot be fulfilled by using the same product for all four I&C divisions, diversity can be introduced easily. A preliminary result of such analysis was that diversity is necessary only for the most frequent hazards. The diversity can be arranged within the I&C to have A&B redundant for handling both LOCA and the more frequent reactor shutdowns. In addition to the A&B divisions, the two other divisions, C&D, can be designed with diversified technology but only for handling the more frequent hazards ("Safe Shutdown") (Figure 7).

Fig 7: The proposed diversity (Safe Shutdown: reactivity control, core cooling, pressure relief, heat removal; LOCA: core cooling, containment, filtered ventilation)

The control room is based on the use of work stations. These are not safety-related in order to simplify licensing. For this reason diversity must be provided in the control room for safety manual control and instrumentation by hardwired units. Due to the high degree of automation the number of such units is very small. Additional hardwired units are provided to give the operators access to non-safety instrumentation and control needed to cope with fast transients during normal operation.

4.4 Earthquake

The Ringhals 1 NPP was not designed for earthquakes. Studies have shown, however, that the probability of earthquakes is comparable with the safety goals of the plant; i.e., the effects of earthquakes cannot be neglected. Hence, all new safety equipment for I&C and auxiliary electrical power systems will be seismically qualified.

The ground conditions for the Ringhals 1 plant are different from those which have formed the basis for the spectra defined in the US NRC Regulatory Guides, e.g., in Reg. Guide 1.60. Therefore, a special floor response spectrum has been calculated for the plant.

4.5 Safety Parameter Display

After the TMI incident, a new type of Emergency Operating Procedures (EOP) was developed for Ringhals 1 and implemented. These procedures contain two parts, namely:
1. An overview of the most critical safety values, which indicate the status of each safety function.
2. Alarms if a safety function is jeopardised and manual operator actions are required to restore the plant to a safe status.

After minor additions, it was concluded that all means for following these procedures were available in the control room. These means were spread out on different panels, however, and the operators wanted to have all information related to the EOP shown in an overview. This way, the information will be available for all people in the control room, including the shift supervisor (Figure 8).

Fig 8: Design of the SPDS (elements: simulator, outages, evaluation, SPDS, symptoms, actions)

The existing EOP was mainly developed with respect to events during power operation, but it has been noted that some events during low power operation or during annual refuelling outages can be critical as well. The new SPDS will be designed also for supervision during low power operation and outages.

4.6 Remote shutdown

The original design was provided with a simple possibility to shut down the plant from outside the control room. This possibility has been improved over the years of operation. The new design will comply with modern Swedish and IEC standards.

The improved remote shutdown facility will be provided with work stations for:
• supervision of the (warm) safe shutdown;
• manual cold shutdown.

The shutdown of the plant to warm conditions and keeping it there is done automatically by the RPS and process automation systems. Further shutdown must be initiated manually in the remote shutdown facility.

For ergonomic reasons, the work stations in the remote shutdown facility are copies of the corresponding ones in the central control room. These work stations are not connected to the same MMI bus, however, since it is assumed that this bus is damaged due to fires in the control room.

5 Conclusions

The analysis phase has shown that the top-down approach was very useful for taking care of overall plant requirements. It is nearly a "must" if a major modernisation is planned or other than the original requirements must be met. It was also very fruitful for specification and purchasing of systems. The co-operation of the utility and vendor brought in both operational experience and experience from later built plants.

As always in a project, the influences of proposed modifications to the SAR (Safety Analysis Report) and the Technical Specifications must be studied as early as possible.

An observation during the analysis phase was that there is more redundancy or diversity for process systems in existing plants than for the I&C. It is recommendable that modernisation of the I&C systems shall follow the same degree of redundancy or diversity as is built in for process systems. Diversity shall not be discussed as a separated item only for I&C. This is valid for process systems within the same safety division or between safety and non safety systems.

For major modernisations the regulatory body shall be kept informed continuously from the start.

XA9846512

REPLACEMENT OF THE COMPLETE CONTROL SYSTEM OF THE NPP OSKARSHAMN 1 BY DIGITAL DISTRIBUTED CONTROL SYSTEM

EDMUND BERGER
ABB Kraftwerksleittechnik GmbH, Kallstadter Str. 1, D 68309 Mannheim, Germany

Abstract

As part of an ongoing modernisation program, the I&C system and the control room of Oskarshamn 1 will be upgraded by ABB using its 'Advant®Power' range of digital, programmable process control systems. Besides ensuring the higher level of safety that is demanded today, the new equipment provides the plant with an integrated system which will improve operator interaction with the plant and reduce the risk of human error. The newly installed DCS system will also serve as a platform for further improvements of the control room.

This paper discusses the exchange of the complete control system of the Oskarshamn 1 nuclear power plant, the technical solution and the time schedule.

Oskarshamn 1 is the first nuclear power plant in Sweden. It is a boiling water reactor built between 1966 and 1971 by ABB ATOM in Sweden. In keeping with the plant's age, the control system is relay-based, while instrumentation and analogue control are semiconductor-based. This makes maintenance expensive and, even worse, makes extensions nearly impossible. In line with the safety standards of the 60s, there is no separation between safety and non safety control and no seismic qualification. To extend the life of this plant the owner has decided to improve the safety systems as well as to replace the reactor protection system, the safety related control and the non safety related control by a state-of-the-art digital distributed control system from ABB. In March 1997, ABB got the order to replace the reactor protection system and the safety control system and to start the replacement of all control systems. The old control room has to be replaced by a new, ergonomically designed one.

Together with the exchange of the control system, the safety features of the plant and the emergency power supply have to be extended.

1. Introduction

The early generation nuclear power plants in Sweden and elsewhere were based on 1960's technology, the best available. I&C systems at this time were based on mechanical relays and discrete electronic and electrical components. To ensure that these plants continue to provide high levels of operational efficiency and stay in line with current safety standards, their I&C systems need substantial modernisation. In nearly all cases, this means replacing the solid state equipment by digital, programmable systems like ABB's Advant®Power.

The Oskarshamn 1 nuclear power plant situated on the East coast of Sweden went into operation in 1972. The I&C system consisted of two parts, one for daily operation (the non safety part) and the other for reactor protection (safety part).

Now the old I&C system will be decommissioned and replaced by modern process control systems.

The new I&C system is based on open standards and of modular design to facilitate further long term improvements whenever the plant owner, OKG, is convinced of their cost effectiveness.

In 1995 the management of OKG decided to extend the lifetime of this power plant by adding additional safety features and replacing the control system and the emergency power supply. After studies conducted by the power plant staff and ABB ATOM, OKG contracted ABB for the replacement of the control system and the emergency power supply. This contract includes the following deliveries:

• reactor protection system (reactor trip system, safety features actuation system)
• non classified control systems, nuclear and non nuclear (control rod control, power control, feedwater control)
• main control room and emergency control room
• computer information system
• emergency power supply
• simulator

2. The Structure of the Control System

ABB's Advant®Power constitutes a truly integrated control system as shown in the diagram. The integration of process control and safety control allows a common operator interface to simplify and thus improve control room ergonomics. The challenge is to design an integrated control system and at the same time to ensure the functional and local separation of the independent safety subsystems as well as functional and local separation between the safety and the conventional sections.

[Diagram: Structure of the Control System for Oskarshamn 1. Reactor operator and turbine operator stations and engineering tools on the plant information network; computer information system; information and control network (optical fibre) connecting trains 1 to 4; AC 160 controllers for the safety trains, AC 450 controllers for non safety related control.]

Advant Power is based on digital programmable technology which has been developed in an evolutionary process. The development of both software and hardware has been carried out in short steps; each new system release or update has always been based on operational experience from existing technology. Both software and hardware have been thoroughly tested by industrial users as well as in several non-safety classified applications in nuclear power plants in the past decade. Advant Power, already in operation for applications in nuclear power plants for some years, will now be used not only for new nuclear power plants like Ulchin 5 & 6, but also for retrofits and replacement of control systems in nuclear power plants like Oskarshamn 1.

The control system for Oskarshamn has the following structure:
• the AC 160 is used for safety applications in the reactor protection system, the safety related control and boiler protection. This controller is presently under qualification according to international and American standards for class 1E systems;
• the AC 450 is used for non-safety applications;
• control interfaces for the safety systems in the main control room and emergency control room will be realised with conventional indicators and push buttons;
• the power plant will be controlled via screen based operator stations running on powerful workstations;
• the control systems are connected via a powerful control bus, the safety systems via optical links;
• the main control room is equipped with screen based operator stations and with large screens;
• the computer information system is fully integrated into the human machine interface.

The controllers AC 160 and AC 450 are independent designs developed by independent development teams, using different software, different components and different buses.

3. Safety related control system

The reactor protection system includes the automatic protective functions for reactor shutdown and maintenance of plant safety, such as reactor trip, emergency core cooling, decay heat removal and containment isolation. The system is divided into three distinct functions: process instrumentation and signal conditioning, protection logic including the 2 out of 4 voting, and the safety equipment actuation including system and component logic.

[Figure: Advant Controller AC 160]

The Advant Controller AC 160 used for safety applications has been developed especially for safety applications. The AC 160 controller may have up to four redundant processors located in different cubicles. The redundant processors are connected via an independent peer-to-peer link. All active components of the controller are cyclically tested and monitored; a critical diagnostic result switches operation to the redundant controller. In a redundant configuration for protection systems each station has its own I/O modules, with automatic signal distribution to all redundant channels and voting of the input signals from these redundant channels. All processing modules are active and are connected via a safety-qualified high speed link for the exchange of input signals, voting and diagnostic signals. A non safety classified bus connects the reactor protection system controller with the non classified systems for the exchange of diagnostic signals and non safety control signals with the non classified control system. The bus protocols and the controller software are highly deterministic. This ensures a safe and highly reliable solution for protection systems. All modules are equipped with self-diagnostics, the controllers with watchdog and memory checking.
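The 2 out of 4 protection voting described in section 3 and the per-channel self-diagnostics of the redundant stations described above, as an added example that is not ABB's AC 160 logic: each station receives the same four conditioned input values (the distributed signals) together with the diagnostic status of the channel that produced each one and votes on them. The fail-safe treatment of a failed channel (counting it as a trip demand, so that 2oo4 degrades to 1oo3 on the remaining healthy channels), the trip limit and all input values are assumptions of the example.

```python
"""Two-out-of-four (2oo4) trip voting with per-channel self-diagnostics.

Added example, not ABB's AC 160 logic. It assumes each station receives the
same four conditioned input values (signal distribution) together with the
self-diagnostic status of the channel that produced each value.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class ChannelInput:
    """One redundant channel's contribution to the vote (constructed type)."""
    value: float    # conditioned process value, e.g. a pressure in MPa
    healthy: bool   # self-diagnostic result for the channel's I/O and link


def channel_demand(ch: ChannelInput, limit: float) -> bool:
    """Fail-safe interpretation, an assumption of this example: a channel whose
    diagnostics report a fault is counted as demanding a trip, so a 2oo4 vote
    with one failed channel degrades to 1oo3 on the remaining healthy ones."""
    return (not ch.healthy) or ch.value >= limit


def vote_2oo4(channels: List[ChannelInput], limit: float) -> Tuple[bool, int, int]:
    """Return (trip, demands, failed): trip is True when at least two of the
    four channels demand a trip; demands and failed are the counts behind it."""
    if len(channels) != 4:
        raise ValueError("2oo4 voting needs exactly four channels")
    demands = sum(channel_demand(c, limit) for c in channels)
    failed = sum(1 for c in channels if not c.healthy)
    return demands >= 2, demands, failed


def trip_decision(values: Sequence[float], healthy: Sequence[bool],
                  limit: float) -> bool:
    """Build the four channel inputs from distributed values and vote."""
    channels = [ChannelInput(v, h) for v, h in zip(values, healthy)]
    return vote_2oo4(channels, limit)[0]


LIMIT_MPA = 7.2  # constructed trip limit for the example


def scenarios() -> Dict[str, bool]:
    """Constructed input sets: a single spurious high reading is outvoted,
    a genuine two-channel excursion trips, a single failed channel alone does
    not trip, and a failed channel plus one high reading trips (degraded 1oo3)."""
    all_ok = [True, True, True, True]
    one_failed = [False, True, True, True]
    return {
        "normal": trip_decision([7.0, 7.0, 7.0, 7.0], all_ok, LIMIT_MPA),
        "one spurious high": trip_decision([7.5, 7.0, 7.0, 7.0], all_ok, LIMIT_MPA),
        "two channels high": trip_decision([7.5, 7.3, 7.0, 7.0], all_ok, LIMIT_MPA),
        "one channel failed": trip_decision([7.0, 7.0, 7.0, 7.0], one_failed, LIMIT_MPA),
        "failed plus one high": trip_decision([7.0, 7.5, 7.0, 7.0], one_failed, LIMIT_MPA),
    }


if __name__ == "__main__":
    for name, trip in scenarios().items():
        print(f"{name:22s} -> {'TRIP' if trip else 'no trip'}")
```

The point of feeding the diagnostic status into the vote rather than silently dropping a failed channel is that a single fault then reduces the tolerance of spurious readings instead of reducing the system's ability to trip; with two channels failed the logic trips outright, which is the conservative direction for a protection system.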

4. Non Safety Control System

In the non-classified, non-safety control system the AC 450 controller will be used. This is a powerful controller with a redundant CPU.

[Figure: Advant Controller AC 450]

The Advant Controller 450 is a high-end, high performance controller for binary, regulatory and supervisory control. It can be used stand-alone, or as an integrated controller in a distributed control system, communicating with other Advant Power equipment via the Advant Power network. The configuration possibilities of the Advant Controller 450 cover a wide range of functions, such as logic and sequence control, data and text handling, arithmetic, reporting, positioning and analogue control including advanced PID and self-tuning adaptive control. A 'Remote I/O' subsystem will be used for the data acquisition and the output to the controlled plant objects. The remote I/O modules may be located in the field and will be connected to the controller via fieldbus. Using remote I/O modules, both a centralised and a decentralised I/O installation according to the location of the plant objects is possible. This gives the advantage of fast replacement of the old equipment without recabling and remarshalling of the field equipment.

5. Control Room, Operator Interface and Computer Information System

The main control room will be completely replaced. This includes a new design of the control room adapted to state-of-the-art of ergonomic design.

The power plant will be controlled only via operator stations realised on powerful workstations, equipped with mouse and screens. These operator stations have access to all information in the power plant, such as pressure, temperature, flow or binary status values, in such a way that the operator always has an overview of the status of the plant. To operate a valve or a motor the operator selects this object with the mouse; an operation window then pops up in which the operator may issue a command.

Three large screens updated by the operator stations give the plant overview in both normal and transient operation.

[Figure: Integration of Computer Information System. Control room (Kontrollrum) with shift engineer, turbine operator and reactor operator stations, engineering tools, process computer and control system; control room network (CKR-nätverk); process computer (Processdator).]

For adverse conditions, additional operator interfaces for the safety systems will be installed using conventional means directly connected to the safety control system in the main control room and emergency control room.

A powerful computer information system is fully integrated into the operator stations. This system collects, stores and archives all necessary information of the operation of the plant. It is also a powerful platform for the application packages for operator support and for the management of the plant.

6. Time Schedule

The reactor protection system and the safety control will be installed and commissioned in the planned shut-down period of 1999; the non-safety control will be installed in three phases in the planned shut-down periods of 2001, 2003 and 2005. The control room will also be replaced stepwise, in line with the related control systems.

One year before the installation of the safety system this application will be installed on a simulator for the training of the operators.

Time schedule

• April 1997: contract about replacement of control system (including RPS, safety control system and nuclear non safety control)
• Sept. 1997: Requirement specs sent to client and authority
• Oct. 1997: Basic design of main control room
• June 1998: Delivery of hardware and software for the simulator
• March 1999: 100 % factory acceptance of RPS
• June 1999: start of erection of DCS
• Sept. till Dec. 1999: plant outage, commissioning of new control system
• Dec. 1999: licensing of RPS by authority
• Dec. 1999: switch to new control system
• Oct. 1999: start of 01M0KK replacement of non nuclear, non safety control

7. Conclusion

The replacement of the I&C in Oskarshamn 1 will improve the plant safety and reliability by introducing four functionally and physically separated subsystems for the reactor protection system and the safety-classified control equipment. The new control system will provide an efficient platform which allows continued upgrading of control equipment and of the control room. The new control system also makes operation and maintenance easier; the new control room layout will be based on the latest ergonomic design criteria, thus providing optimal working conditions for the operators. With this refurbishment OKG will extend the life of Oskarshamn 1 far into the coming century. The time schedule shows that such a renovation can be performed in an acceptable time span with low impact on the operating period of the plant.

XA9846513

THE COMPUTER-AIDED OPERATION OF THE N4 SERIES

G. GUESNIER, J.P. BOUARD
Electricite de France, Engineering and Construction Division, Basic Design Department, Villeurbanne, France

Abstract

Designed at the beginning of the eighties and subjected to many months of evaluation and validation between 1987 and 1996 on a full-scope simulator, the computer-based control room and the fully integrated computerised I&C system of the N4 series are now in operation. Today, Chooz NPP units 1 and 2 are connected to the French grid (since 1996) and Civaux 1 is in the final phase of commissioning tests. Start-up of the last unit (Civaux 2) is scheduled for summer 1998. The commissioning hitches inherent to any innovation have been resolved, and the safety authority has granted operating licenses. This short but significant operating time, together with the commissioning phases, has generated a first positive experience feedback which has consolidated the decisions made by EDF in the design of this project, both from the MMI point of view and from that of the I&C architecture. Finally it has led to the decision taken by EDF, its European partners in the EURs (European Utilities Requirements) and the German utilities partnering the EPR project (European Pressurised Reactor), to choose this control-room concept for future plants.

1. INTRODUCTION

In the early eighties, EDF decided to start designing a new control-room concept and the architecture of a fully integrated computerised I&C system, with the overall objective of reducing human factor-related risks by changing the control-room design, and so improving the quality of operation.

2. OBJECTIVES AND MAIN OPTIONS

The objectives chosen from the outset of the project were as follows:

- to reduce the amount of information presented to the operator, and to make it better and more relevant,

- to develop processing modes for the generation and presentation of information, and alarm processing in particular, in order to facilitate the understanding of this information and to adapt it to the operating context,

- to strengthen the exchange of information between the operating and maintenance structures, so that operating procedures take better account of the actions carried out by the plant maintenance teams,

- to search for a single interface for all operating conditions,

- to develop processing modes to assist operation, and to achieve the optimum integration of these modes in the operating procedures.

To realise these objectives, the following main options were adopted:

- all information from the plant would undergo systematic validation processing,

- computing facilities would be used to present information and issue orders: firstly, in order to place a wide range of information at the operator's disposal; secondly, to associate controls and information relating to the same operating action, whether this action concerns equipment start-up or shutdown, adjustments, procedure application or alarm-sheet processing.

Because of this last option, a seated operating position was chosen.

3. MAIN FEATURES OF THE CONTROL ROOM

[Figure: Control room of 1450 MW plants (N4 Series)]

Operation from the control room is carried out from workstations which are computerised for all plant condition categories. This choice provides the following advantages:

- to have the same operating facilities available in all conditions (the concept of a "normal" operating workstation and an "accident" operating workstation was rejected),

- to provide the operator with high-power information and control equipment, in order to ensure high-quality information and presentation,

- to avoid a mixture of conventional and computerised equipment (a hybrid control room); besides the drawback of heterogeneous presentation of equipment, this design makes it difficult to draw a clear line between the computerised and conventional controls.

Four workstations are installed in the control room. They are identical and standardised: two are operating workstations for the two operators; the other two are observation workstations (actions on the process are locked) for the use of the technical supervisor and the shift operations manager or safety engineer.

In addition, to provide the operating team with a rapid plant overview and supplement the fragmented view supplied by the display screens, a large wall-mounted mimic panel, whose moving elements (indicators, positions) can be read from the operator workstations, was installed in the control room.

All this equipment, supplemented by reprographics, printing and telecoms equipment and by several surveillance systems (fire protection, access control, etc.), is necessary and adequate for plant operation.

A computer link with the lockout management system for maintenance jobs informs the operators, on their screens, of the "lockout" status of equipment.

These options favoured the "human factors and ergonomics" aspect: they required the implementation of computing equipment whose complete unavailability had to be allowed for under economically acceptable conditions, given the current level of technology.

In addition to the provisions described above, the design also included diversified operating equipment in the form of a panel with conventional operating equipment which is independent from the computer system which runs the operating workstations; from it, the plant can be brought to a safe shutdown state and accident conditions controlled. This diversified equipment, called "auxiliary panel", is used only when the computer system is unavailable (failure or programmed shutdown). The qualified wall-mounted mimic panel completes the facility.

The breakdown of tasks between the operator and the I & C system (more commonly known as "degrees of automation") is as follows:

- safety-related protective actions are automated; from a safety viewpoint, operator intervention in the 20 minutes following initiation of a protective action is not required,

- actions related to equipment protection are automatic, especially for high-cost items,

- the adjustment functions required to keep the plant stable or to vary plant load are automated,

- there is no sequential automation for function start-up or shutdown; the operator intervenes on a group of actuators executing a limited task, or he controls individual actuators.

4. COMPOSITION AND ORGANISATION OF THE OPERATING TEAM

The operating team is the same as in all EDF nuclear power plants.

For a pair of units, it comprises:

- one shift operations manager, who leads the team. In accident conditions, he acts as safety engineer until the latter arrives.

- two technical supervisors (one per unit), who support the shift operations manager. They play a supervisory role in accident conditions.

- four operators (two per unit; one is responsible for operating the reactor, the other for the water-steam line, particularly in accident conditions).

- two operating technicians to operate the auxiliary nuclear building.

- field operatives (operating technicians and inspection patrols).

5. OPERATING EQUIPMENT AT THE OPERATORS' DISPOSAL

Each of the four operating workstations in the control room includes an operating zone and an alarm zone. When all four are available, two are allocated to unit operation, and two are used for surveillance only (the controls cannot be accessed). If one or two workstations assigned to operation become unavailable, one or both of the other two workstations may be reconfigured into operating mode.

The operating zone consists of three graphic screens, three touch-sensitive screens, a trackball and a function keypad. From it, the operator has access to:

- mimic-type images (about 800) representing either circuits or information and control groups corresponding to an operating task,

- data sheets (about 10,000) providing precise details about each sensor or actuator,

- pages of procedures guiding him through normal operating tasks and during incident and accident operation (about 1,000 and 2,500 respectively). The accident procedures are based on a state-oriented approach.

The alarm zone consists of four semi-graphic screens and a function keypad; it displays alarm messages, which are classified according to severity and degree of urgency.

The operator can process these alarms by calling up, on the operating-zone screen, the alarm sheets (there are about 4,000) which indicate the steps to take and provide the means to do so.

The two operating workstations are standardised, and any unit control or information can be accessed from either workstation. For operation with the procedures, the latter are structured so activities can be shared between the "reactor" operator, the "water-steam" operator and the supervisor.

6. MAIN FEATURES OF THE I&C ARCHITECTURE

[Figure: I&C architecture of the N4 series. Level 3: remote crisis centres, CAD, technical management interface, network. Level 2: main control room with operator workstations, mimic panel, auxiliary panel; remote shutdown panel. Level 1: protection and safeguard I&C (SPIN), safety supporting systems I&C, turbine I&C, automatic control and protection (PLCs). Level 0: sensors and actuators; hard-wired links and bus links.]

The architecture of the I&C system is structured in:

- a level 1, or "automation" level, comprising:

  - the protection system and the safeguard systems support system, safety classified 1E; these are programmed systems developed specifically for these applications, in accordance with the recommendations of the IEC 880 standard, and which automatically execute all necessary safety-related actions within 20 minutes after an accident.

  - the system that adjusts and protects the turbogenerator; this is a programmed system, supplied with the turbogenerator.

  - programmable logic controllers (about 320 PLCs are located in 150 cabinets) in charge of all automatic protection and adjustment; they transmit all acquired information on the process to level 2 and receive the operators' orders from level 2.

- a level 2, or "man-machine interface" level, consisting of:

  - the computer system (KIC) which manages the operator workstations, whose redundant architecture permits a high availability target.

  - the auxiliary panel and mimic panel, whose information and controls are directly linked to level 1.

- a level 3, or "technical management" level, comprising:

  - the maintenance or technical aids systems,

  - the links to the National Crisis Centre.

The controls and information on the auxiliary panel are those directly necessary:

- in a normal operating situation, to keep the plant stable or bring it to a safe shutdown state.

- in an accident situation, to apply the accident procedures of the state-oriented approach.

The operating scenarios are as follows:

- KIC fully operational:

  - normal operation: the whole team is in KIC mode.

  - accident operation: the operators and supervisor are working on the KIC and the safety engineer is on the auxiliary panel (this provision was chosen).

- Total KIC failure: the whole team is on the auxiliary panel (in normal conditions, the unit is kept as is for a maximum of four hours).

- Partial KIC failure:

  - normal conditions: the loss of more than three operator workstations results in switchover to the auxiliary panel.

  - accident conditions: the loss of more than two operator workstations results in switchover to the auxiliary panel.

7. DATA MANAGEMENT AND VALIDATION

The term "I & C data" covers various entities:

- "process" data, characterising the sensors and actuators connected to the I & C.

- the processing algorithms (automation, adjustments) located:

  - in the 1E systems,

  - in the PLCs.

- the data generated by the I & C system.

- the images, procedures, alarm sheets.

The data specific to the 1E systems are managed and validated separately.

The other data, which represent about 16 million basic information items (40,000 objects with 40 attributes each on average), are managed by a CAD tool to ensure their coherence.

The algorithms of the level-1 PLCs were tested on test benches in a design office. The level-2 images and procedures were validated functionally on simulators and, for the syntax, on test benches.

Stringent modification procedures are in place for modifications which prove necessary while the unit is loaded.

Level-1 and level-2 data (excluding the 1E systems) can be modified with systems running and the unit in operation. Only the items (sensors, actuators, images, etc.) whose data are involved in the modifications are considered unavailable by the operators throughout execution of the modification (a few minutes at most).

8. PROVISIONS FOR SYSTEM MAINTENANCE

The system is equipped, in each of its constituent parts, with self-testing mechanisms which identify failures and trigger the activation of suitable redundancies and diagnosis-assistance mechanisms.

The redundancy levels in place for safety- or availability-related functions, and the functions required for operation, are designed in such a way that the maintenance operations are performed in-line, and the systems remain operational.

To modify the system software, the system in question must be shut down. This type of modification will be carried out during reloading outages.

9. OBJECTIVES ACHIEVED

Today, Chooz NPP units 1 and 2 are connected to the French grid (since 1996) and Civaux 1 is in the final phase of commissioning tests. Start-up of the last unit (Civaux 2) is scheduled for summer 1998.

The commissioning hitches inherent to any innovation have been resolved, and the safety authority has granted operating licenses.

So far the users are satisfied with the system, and the steps to ensure long service life (procurement of spare-part stocks, long-term contracts with main suppliers) have been taken.

During start-up of the lead unit, the I & C system did not give rise to any noticeable incidents, and malfunctions that occurred during testing were quickly controlled.

The short but significant operating time, together with the commissioning phases, has generated a first positive experience feedback which has consolidated the decisions made by EDF in the design of this project, both from the MMI point of view and from that of the I&C architecture.

Finally these positive aspects have led to the decision taken by EDF, its European partners in the EURs (European Utilities Requirements) and the German utilities partnering the EPR project (European Pressurised Reactor), to choose this control-room concept for future plants.

10. THE CONDITIONS FOR SUCCESS

Of the many factors that shape the success of such a system, three should be emphasised:

- the project organisation; this was the decisive factor, enabling all the energies of several engineering departments and the suppliers to be properly focused.

- the complementary relationship between designer and utility.

- the quality of the data.

The utility was associated with the study and assessment of the system from the design stage: the utility designed a large proportion of the images, procedures and alarm sheets, while the engineering departments invested great effort in the operating studies and in harmonising the information-processing modes.

The computerised procedures, the design of task-tailored images, and the computerised alarm sheets required heavy design input, as any error or incomplete aspect is more problematic to correct than in the case of paper documentation.

The quality of the information supplied to the operator (accuracy, relevance, etc.) is an essential factor for success: it is fundamentally important for the operator to trust this information. The chosen option - always to leave him in control of the situation (ultimately he decides, not the computer) - also contributes strongly to this trust.

XA9846514

ABWR (K-6/7) CONSTRUCTION EXPERIENCE (COMPUTER-BASED SAFETY SYSTEM)

T. YOKOMURA
Tokyo Electric Power Company, Tokyo, Japan

Abstract

TEPCO applied a digital safety system to Kashiwazaki-Kariwa Nuclear Power Station Unit Nos. 6 and 7, the world's first ABWR plant. Although this was the first time a digital safety logic system had been applied in Japan, we were able to complete construction of K-6/7 very successfully and without any delay. TEPCO took an approach of developing a substantial amount of experience in digital non-safety systems before undertaking the design of the safety protection system. This paper describes the history, techniques and experience behind achieving a highly reliable digital safety system.

1. Introduction

TEPCO has introduced digital technology to a nuclear power station in a well-planned manner and completed a comprehensively digitized plant at the Kashiwazaki-Kariwa Nuclear Power Station Units 6 and 7 (K-6/7), including safety systems. Although the schedule for completing the construction processes at K-6/7, from bed-rock inspection through fuel loading in about 40 months, was very challenging, we completed hardware manufacturing, software development, verification and validation (V&V), and field tests on the digitized safety protection system within the schedule and had no problems. In this paper, we describe the performance and evaluation results of V&V and various tests on the safety system software and the future schedule, while presenting TEPCO's history of digital technology introduction.

2. Construction Schedule and Scope of Manufacture at K-6/7 (Figure 1)

For Kashiwazaki-Kariwa Nuclear Power Station Unit 6, we started excavation in September 1991, poured the first concrete in August 1992, installed the reactor pressure vessel in August 1994 and commenced fuel loading in November 1995. Finally, after pre-operation and start-up tests, the unit started commercial operation in November 1996. During this period, for K-6, the main control room panels for the reactor system, including the safety system, were fabricated at Toshiba's Fuchu Works, and those for the turbine system were fabricated at Hitachi's Ohmika Works. The control panels for the reactor and turbine systems were installed at the site in July 1994 after comprehensive combination tests with man-machine equipment and a process computer, and simulation tests. After the control panels were installed, we restored them, tied in field signals, and started confirmation of functions. As for Unit 7, the construction schedule followed that for Unit 6 by about one year. In the case of Unit 7, we reversed the suppliers of equipment to balance the technology of the domestic manufacturers, i.e., equipment for the reactor system was supplied by Hitachi, and that for the turbine system by Toshiba.

3. Scope of Application of C&I μ-P to K-6/7 (Figure 2)

Figure 2 shows an overall schematic diagram of controls and instruments (C&I) at K-6/7. As shown in the Figure, digital controllers are used throughout the plant. Instruments are linked together by their multiplex controllers, and by optical fibers or hard wires. The operational data and equipment status required by the main control room are put together by the process computer and sent to the man-machine devices. The part enclosed by a broken line represents the part which was digitized for the first time at K-6/7. Most of the plant systems had already been digitized at preceding plants. The safety system is also composed basically of the same hardware and software already used in preceding plants, so the digital controllers were introduced very smoothly into the safety protection system.

4. History of Introduction of Digital Control Technology

Figure 3 shows the history of TEPCO's introduction of digital controllers. At K-2/5, which started commercial operation in 1990, we established triplicated control technology and no-interrupt processing by digitizing important control systems. At the same time, we introduced touch-screen operation with a process computer to the radioactive waste (R/W) system, and down-sized man-machine devices to establish basic technology and collect experience on the points to be improved for operation. At K-3/4, which started commercial operation in 1993 and 1994, respectively, we established multiplexing transmission technology using optical fibers, and widely applied digital control technology, except for the safety system. At K-6/7, we digitized the safety protection system by using this multiplex control technology and optical multiplexing data transmission technology.

5. Configuration of Digital Reactor Protection System

Figure 4 shows the configuration of the digital reactor protection system at K-6/7. The signals sent from field sensors are converted from analog to digital by the Remote Multiplexing Unit (RMU) and sent via optical fibers to the Digital Trip Module (DTM) in the main control room. Here, trip signals for each division are generated by application software. When more than 2 out of 4 signals come into a Trip Logic Unit (TLU), the electromagnetic solenoid for emergency insertion of control rods is de-energized. As for CPUs, an Intel i80386 32-bit CPU is used by Toshiba and a Motorola 68030 32-bit CPU is used by Hitachi. As for application software, Problem Oriented Language (POL), a graphical language, is used.

6. Difference between Non-Safety System, Development and Test Processes of Hardware and Software, and Safety Protection System Process

Figure 5 shows the design, development and test processes of hardware and software. The part enclosed by a broken line represents the parts of the process that are added when a μ-P is used for the controller. It should be noted that all systems in the plant are built basically by the same processes as the safety protection system. The parts newly added for the safety protection system are only the V&V process, the IBD cross-check, the decompile check and the dynamic simulation test (the parts enclosed by a solid line in the diagram).

On the following pages, we would like to describe the development and test results of the software and how to assure reliability of the software subject to V&V. Basically, the reliability and availability of non-safety systems are adequately assured and demonstrated by TEPCO in conventional ways. Therefore, the V&V method is mainly used to demonstrate reliability to third parties in an auditable manner. We think that V&V is not an essential tool for obtaining high reliability.

7. Characteristics of K-6/7 Software

Based on our long history of using digital controllers, we give particular emphasis to the following points in designing software:

• Use of a language which can be easily verified
• Simple logic
• Prohibition of interrupt processing

Moreover, we also made the following points the basic policy:

• Basically replace relay logic with a software diagram for a safety system
• Never provide additional complex logic to the software diagram for a safety system

Figure 6 shows an example of POL. This language is very easy to verify, and the behavior of the program can easily be read from its source list. When digital controllers were initially introduced, there were some types of software which could hardly be read, but POL has outlived such software because it was necessary for utility engineers to easily understand the functions and the behavior of digital equipment. POL has the characteristic of being easy to read, and therefore highly reliable application software can be developed.

8. Man-hours required for V&V and Result

POL is software on which V&V can easily be conducted. But several tens of thousands of man-hours at the manufacturers and several hundreds of man-hours at our company were required for Veri.1 through Veri.5. It seemed that the V&V aspect requiring the most time was documentation. It took a lot of man-hours to make the documents in an auditable manner, because the documents to be verified were in different formats, e.g., specification and IBD. Through V&V activities, a few ambiguous Japanese words and phrases were found in the specifications, and therefore we revised them in order to clarify. No other errors were found.

9. Additional Verification Conducted for Application of POL to Safety Protection System, and Results

The source lists described in POL are compiled according to the process shown in Figure 7, and installed in hardware. A maintenance tool is available to read the software installed in the hardware and decompile it back into the POL diagram. With this tool, a program different from the compiler is used to decompile the program installed in the hardware back to POL, so that it can be checked by engineers. Therefore, it is possible to confirm whether the program produced by the compiler is correct or not. In other words, it is possible to indirectly check the compiler.

In the past, for non-safety systems, we did not conduct such checks, because the POL compiler performed well. As for the safety protection systems of K-6/7, we conducted the checks for double assurance and found no errors.
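As an added example (not TEPCO's POL, compiler or maintenance tool), the Python sketch below models the compile, decompile and compare check described above, run on a constructed 2-out-of-4 trip logic in the spirit of the DTM/TLU arrangement of section 5. The macro language, its object-code encoding, the signal names and the faulty compiler variant are all hypothetical.

```python
"""Toy model of the POL compile -> decompile -> compare check (constructed
example; not TEPCO's real POL, compiler or maintenance tool).

A program is an ordered list of macros, like blocks on a software diagram.
Object code is a list of integer tuples plus a device (address) table. The
"maintenance tool" decompiles the object code with code that is independent
of the compiler, and the compare check diffs the result against the source.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

OPCODES = {"AND": 1, "OR": 2, "NOT": 3, "VOTE": 4}   # constructed encoding
MNEMONICS = {code: op for op, code in OPCODES.items()}


@dataclass(frozen=True)
class Macro:
    op: str                  # AND, OR, NOT, or VOTE (k-out-of-n coincidence)
    inputs: Tuple[str, ...]  # named input signals
    output: str              # named output signal
    param: int = 0           # k for VOTE, unused otherwise


def device_table(program: List[Macro]) -> Dict[str, int]:
    """Assign an address to each signal name in order of first appearance."""
    table: Dict[str, int] = {}
    for m in program:
        for name in (*m.inputs, m.output):
            table.setdefault(name, len(table))
    return table


def compile_program(program: List[Macro]):
    """Good compiler: one word group per macro, in source order.
    Word layout: opcode, param, input count, input addresses..., output address."""
    table = device_table(program)
    obj = [(OPCODES[m.op], m.param, len(m.inputs),
            *[table[s] for s in m.inputs], table[m.output]) for m in program]
    return obj, table


def compile_program_buggy(program: List[Macro]):
    """Faulty compiler (constructed): groups macros by opcode, which changes
    the execution order, one of the hazards in the fault tree of Figure 8."""
    obj, table = compile_program(program)
    return sorted(obj, key=lambda word: word[0]), table


def decompile(obj, table: Dict[str, int]) -> List[Macro]:
    """Independent reverse conversion of object code back into macros."""
    names = {addr: name for name, addr in table.items()}
    program = []
    for word in obj:
        opcode, param, n_in = word[0], word[1], word[2]
        ins = tuple(names[a] for a in word[3:3 + n_in])
        out = names[word[3 + n_in]]
        program.append(Macro(MNEMONICS[opcode], ins, out, param))
    return program


def compare_check(source: List[Macro], recovered: List[Macro]) -> List[str]:
    """Return the list of discrepancies; an empty list means the check passed."""
    diffs = []
    if len(source) != len(recovered):
        diffs.append(f"macro count {len(source)} != {len(recovered)}")
    for i, (s, r) in enumerate(zip(source, recovered)):
        if s != r:
            diffs.append(f"macro {i}: source {s.op}->{s.output}, "
                         f"object {r.op}->{r.output}")
    return diffs


def execute(program: List[Macro], signals: Dict[str, bool]) -> Dict[str, bool]:
    """Single-task, interrupt-free scan: evaluate macros strictly in order."""
    state = dict(signals)
    for m in program:
        vals = [state.get(s, False) for s in m.inputs]
        if m.op == "AND":
            state[m.output] = all(vals)
        elif m.op == "OR":
            state[m.output] = any(vals)
        elif m.op == "NOT":
            state[m.output] = not vals[0]
        elif m.op == "VOTE":
            state[m.output] = sum(vals) >= m.param
    return state


# Constructed trip logic: each division's DTM raises a trip on low level or
# high pressure, the TLU takes a 2-out-of-4 coincidence, and the scram
# solenoid is energized only while no scram is demanded (de-energize to trip).
TRIP_LOGIC: List[Macro] = [
    Macro("OR", ("LVL_LOW_1", "PRS_HIGH_1"), "TRIP_1"),
    Macro("OR", ("LVL_LOW_2", "PRS_HIGH_2"), "TRIP_2"),
    Macro("OR", ("LVL_LOW_3", "PRS_HIGH_3"), "TRIP_3"),
    Macro("OR", ("LVL_LOW_4", "PRS_HIGH_4"), "TRIP_4"),
    Macro("VOTE", ("TRIP_1", "TRIP_2", "TRIP_3", "TRIP_4"), "SCRAM", param=2),
    Macro("NOT", ("SCRAM",), "SOLENOID_ENERGIZED"),
]


def run_compare_check(compiler) -> List[str]:
    """Compile TRIP_LOGIC with the given compiler, decompile, and diff."""
    obj, table = compiler(TRIP_LOGIC)
    return compare_check(TRIP_LOGIC, decompile(obj, table))


if __name__ == "__main__":
    print("good compiler:", run_compare_check(compile_program) or "no discrepancies")
    print("faulty compiler:", run_compare_check(compile_program_buggy))
    print(execute(TRIP_LOGIC, {"LVL_LOW_1": True, "PRS_HIGH_3": True}))
```

The faulty compiler is caught purely by the round trip, without executing anything, which is the point of the check; the executed scan is only there to show the trip logic the diagram encodes.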

10. Validation Test

To confirm system performance, we conducted function tests and dynamic tests. The function tests were basically the same as the conventional sequence (system logic) tests. But using POL was very helpful to confirm the system logic, as the internal sequence status could be read on the maintenance tool display. For the safety protection system, dynamic tests were also conducted for double assurance. For the dynamic tests, the manufacturers prepared automatic test tools, performed 7 cases more than 10,000 times, and recorded the results. When the construction of K-6/7 was underway, the dynamic tests on the Sizewell B unit in the U.K. were in the news. So we also conducted dynamic tests, and the observed behavior was normal in all cases. The tool was designed to automatically generate signals and record them, so a lot of time could be saved in factory tests.

11. Hazard Analysis of Digital Controller with POL

Hazard analysis of digital controllers programmed in POL is now underway. Figure 8 shows an example. As for application software, there are almost no hazards left after various easy checks, as long as POL is used. We think the results of hazard analysis of digital control systems using C language or PL/M may give the same fault tree, but there must be a big difference in the difficulty of discriminating the hazards. POL and the POL maintenance tool are effective for doing so.

12. Conclusion

The digital safety system applied to K-6/7 performed very well during manufacturing tests, installation tests, and plant start-up tests, and it continues to operate successfully now. This fact proves that our approach to and design for a digital safety system are correct:

(1) Apply a digital system to non-critical, non-safety systems first.
(2) Decide on or select the design philosophy and the best software and hardware for a nuclear power plant controller.
(3) Then expand the digital system gradually to learn about and study the necessity of QA program improvement, test methods, etc.
(4) Then apply μ-P technology to the safety system.

We believe the best software for nuclear power plants is POL. In fact, POL is very useful and convenient for conducting V&V. But V&V needs a lot of man-hours, so design freeze or standardization is important. TEPCO will continue to make efforts to enhance the reliability of its digital systems and to reduce the man-hours required for V&V in a proper manner.

[1] T. Shirakawa, T. Tochigi, K. Iwaki, T. Yokomura, Tokyo Electric Power Company, " Quality Assurance and Quality Control Program for Digital Safety Protection System in Nuclear Power Plants", Sep., 10,1992 [2] T. Yokomura, Tokyo Electric Power Company, "Test Experience of Digital Control System for Kashiwazaki-Kariwa Unit No.6 and 7", The Special Topics Meeting on Nuclear Reguratory Matters between NRR/NRC and ANRE/MITl, Sep., 8, 1997 Dak- Plant 1992 1993 1994 1995 1996 1997 1998

Bedrock Inspection Electric Power Receiving puel Loading Turn Over V(29th, .Jul.) VRPVON V<3lst'Jan) V(31st,Nov.T V(7th,Nov.) 1st Outage J K-6 July CTL Panels design and Supplier Installation Toshiba Main Control Room and Rx Island C&I Fabrication of CTL Panels Hitachi Tb Island C&I

Bedrock Inspection Electric Power Receiving Fuel Loading Turn Over V(I7th, Mar.) VRPVON V V(10th,Oct.) V(2nd,Jul.) 1st Outage J • i CTL Panels design and Supplier K-7 Installation L Hitachi Main Control Room and Rx Island C&I Fabrication of CTL Panels Toshiba Tb Island C&I

K-6 K-7 Rx Island Toshiba Hitachi Contracted Scope of K-6 / 7 Tb Island Hitachi Toshiba Rx,Tb General Electric General Electric

Figure 1 Construction Schedule and Scope of Manufacturers at K-6/7 1 Multiplexing line

Cable

ro 01

ECCS PUMP INTERNAL INVERTER PUMP CONDENSATE HEATER PUMP

(REACTOR BUILDING) (TURBINE BUILDING)

MULTIPLEXING CONTROL PANEL Figure 2 System Configuration,CM_fbi^JgWRiK-6/7) 716 ITEM N^ 70's 80's 90's

(1) Plant Aux. Tb Aux. Sys. System ( Introduce Digital Control to Nuclear Plant j Control Rx Aux. Sys. EHC , (2) Rx Power Pressure, iri rove Waterievcl Control FDWC I ' P Reliability and Plant Availability RFC (Triplicated Control Sys.) I usi"g triplicated Digital Control System.

(3) CR Control Dual System r Enhance Reliability using Digital I V Control. (2 out of 2 Logic)) O

(4) Radio active Touch Screen Duplex System Introduce compact Man-Machine Interface Waste Processing (Back up system) and Network Technology to reduce cost. System

(5) Non-safety Total Multiplexing / Estab|ish piant.wide digitai controi except Digital Control Technology | for safety system.

(6) Plant-wide Digital System Digital Safety System.

PLANT 2F-4 K-2/5 K-3/4 K-6/7

Figure 3 Application of Digital Control System in TEPCQ's BWR g !S

X

Network CTL Network CTL Network CTL Network CTL (ro s I I Network CTL | Applicatio n Controlle r Operatin g

n Softwar e Syste m Memor y CP U o Mai n Si i /

a. Inte l i 8 Lang u TOS M Asse m o (Tosh i 320 K 3 (3 2 B 3 * Byt e H (5 SB &• <%* ~ P s'. 00

o n © o O

69- itachi ' ISE C "8 2Byt e ^ 3 o I r 0 3Q r as = 1 o

si r O O H O 3d •SP I m

—• r 3 r—]

^—i o

n y 5- r =g. g g i I3 =2. r a. o s 5 — o 55* V5 9 ere b =3 e s

~ 193 ~ - 262 -

Figure 5 TEPCO's Standard Procedure to achieve highly reliable non-safety & safety Systems (flow reconstructed from the figure residue; * marks special tests only for the K-6/7 Digital Safety System)

System Requirements -> Verification-1 -> System Specification -> Verification-2 -> Equipment Specification -> Interlock Block Diagram (crosscheck of the Toshiba and Hitachi IBD to detect logical errors) -> Hardware Design (ECWD) / Software Design (POL coding on the CAD system) -> Verification-3/4 -> Component Procurement and Parts Screening (heat cycle test etc.); software delivered on floppy disk -> Verification-5 -> Cabinet Assembly and Software Loading (compare check, decompile check) -> Factory Test: visual inspection, I/O wiring inspection, I/O characteristic test, system logic test, system response time test, single failure test*, dynamic transient test* (validation) -> Shipping -> Installation at Site: reassemble test, I/O wiring check, installation test (digital I/O check, analog I/O check) -> Preoperational Test: interlock test, annunciator test, actuator test, protection device test (MITI inspection) -> Fuel Loading: combination test (cabinet, sensor, actuator), heat-up test* -> Commercial Operation.

MITI inspections occur at several points along the flow; additional procedures apply to the safety system and to the safety system software.

Figure 6 Example of Software Diagram described for POL (the diagram itself, a logic diagram built from POL macros with identifiers of the form RP5L01..., is not recoverable from the residue)

Figure 7 Checking Method of POL Compiler (flow reconstructed from the figure residue)

Source program (POL coding: describes the macro combination, refers to parameters, etc.) -> Compiler on the CAD system: compiles to machine language and generates the documents and the conversion table -> Object program loaded into the controller -> Maintenance tool: decompiles the machine language back into the POL logic diagram (macro combination), using the conversion table -> Compare check of the decompiled logic diagram against the source program, with the result displayed.
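The compare check of Figure 7 is a toolchain-integrity check: the machine code that actually runs in the controller is decompiled by an independent tool and compared, macro by macro, against the source diagram, so that a compiler defect or a corrupted load image is caught before the cabinet ships. The following is an added example, not code from the paper or from the TEPCO/Toshiba/Hitachi tools: a toy POL with three hypothetical macros (AND, OR, NOT), a compiler that emits one instruction per macro plus a conversion table, a decompiler, and the compare check. The sample diagram, opcodes and signal names are constructed for the example.

```python
"""Added example: compile / decompile / compare check for a toy logic-diagram
language, in the spirit of the POL compiler check in Figure 7. Macro names,
opcodes and the sample diagram are hypothetical."""
from typing import Dict, List, Tuple

# Hypothetical macro library: macro name -> (opcode, number of inputs).
MACROS: Dict[str, Tuple[int, int]] = {"AND": (0x01, 2), "OR": (0x02, 2), "NOT": (0x03, 1)}
OPCODES = {op: (name, n_in) for name, (op, n_in) in MACROS.items()}

# A diagram is an ordered list of (macro, input signals, output signal).
Macro = Tuple[str, Tuple[str, ...], str]

# Constructed sample diagram: TRIP = (HIGH_FLUX AND NOT BYPASS) OR MANUAL
SOURCE: List[Macro] = [
    ("NOT", ("BYPASS",), "NOT_BYPASS"),
    ("AND", ("HIGH_FLUX", "NOT_BYPASS"), "AUTO_TRIP"),
    ("OR", ("AUTO_TRIP", "MANUAL"), "TRIP"),
]


def build_symbol_table(program: List[Macro]) -> Dict[str, int]:
    """Conversion table: signal name -> memory address, in order of first use."""
    table: Dict[str, int] = {}
    for _, inputs, output in program:
        for sig in (*inputs, output):
            table.setdefault(sig, len(table))
    return table


def compile_program(program: List[Macro]) -> Tuple[bytes, Dict[str, int]]:
    """Emit one instruction per macro: opcode, input addresses, output address."""
    table = build_symbol_table(program)
    code = bytearray()
    for name, inputs, output in program:
        opcode, n_in = MACROS[name]
        if len(inputs) != n_in:
            raise ValueError(f"{name} expects {n_in} inputs, got {len(inputs)}")
        code.append(opcode)
        code.extend(table[s] for s in inputs)
        code.append(table[output])
    return bytes(code), table


def decompile(code: bytes, table: Dict[str, int]) -> List[Macro]:
    """Rebuild the macro combination from machine code plus the conversion table.
    An unknown opcode, an unknown address or a truncated image raises."""
    addr_to_sig = {a: s for s, a in table.items()}
    program: List[Macro] = []
    i = 0
    while i < len(code):
        name, n_in = OPCODES[code[i]]                  # KeyError on unknown opcode
        operands = code[i + 1:i + 2 + n_in]
        if len(operands) != n_in + 1:
            raise ValueError("truncated instruction")
        inputs = tuple(addr_to_sig[a] for a in operands[:n_in])  # KeyError on bad address
        program.append((name, inputs, addr_to_sig[operands[n_in]]))
        i += 2 + n_in
    return program


def compare_check(source: List[Macro], code: bytes, table: Dict[str, int]) -> bool:
    """The check of Figure 7: the decompiled logic must equal the source diagram."""
    try:
        return decompile(code, table) == list(source)
    except (KeyError, ValueError):
        return False


def execute(code: bytes, table: Dict[str, int], inputs: Dict[str, bool]) -> Dict[str, bool]:
    """One scan of the compiled logic; returns the value of every signal."""
    mem = [False] * len(table)
    for sig, val in inputs.items():
        mem[table[sig]] = bool(val)
    i = 0
    while i < len(code):
        name, n_in = OPCODES[code[i]]
        args = [mem[a] for a in code[i + 1:i + 1 + n_in]]
        out = code[i + 1 + n_in]
        mem[out] = {"AND": all(args), "OR": any(args), "NOT": not args[0]}[name]
        i += 2 + n_in
    return {sig: mem[addr] for sig, addr in table.items()}


def corrupt(code: bytes, index: int, value: int) -> bytes:
    """Simulate a compiler or loading fault by overwriting a single byte."""
    image = bytearray(code)
    image[index] = value
    return bytes(image)


if __name__ == "__main__":
    code, table = compile_program(SOURCE)
    print(code.hex(), table)
    print("good image passes:", compare_check(SOURCE, code, table))
    print("AND silently turned into OR:", compare_check(SOURCE, corrupt(code, 3, 0x02), table))
    print("TRIP with flux high, no bypass:",
          execute(code, table, {"HIGH_FLUX": True, "BYPASS": False, "MANUAL": False})["TRIP"])
```

In the toy, compiler and decompiler share the opcode table; the value of the real check comes from the maintenance tool being an independent implementation, so that a defect in the compiler is not reproduced by the tool that is supposed to catch it. The byte-flip case shows why a compare of the decompiled logic, rather than a checksum of the source, is needed: the source is unchanged, only the loaded image differs.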

Figure 8 Example of Hazard Analysis for POL (fault tree reconstructed from the figure residue; Veri 3,4 and Veri 5 refer to the verification steps of Figure 5, Vali to validation)

Top hazard: more than 3 DTM troubles lead to scram failure (Div. 1).

Trouble of DTM
  Logic error
    Programming / design error: designing error of macro (Veri 3,4); erroneous execution order (Veri 3,4 + Vali); connection error (Veri 3,4); address error (Veri 3,4)
    Implementation error: designing error of macro (Vali); logic error (Vali)
    Maintenance error: design error; implementation error; memory error [B]
    POL compiler error: logic error; erroneous execution order; address error; connection error; device assignment error (all Veri 5 + Vali)
Trouble of set values
  Design error: scale misadjustment (Veri 3,4) [A]
  Implementation error: address assignment error (Veri 5 + Vali)
  Maintenance error: figures conversion error (Veri 5 + Vali)
  Memory error: memory allocation error (Veri 5 + Vali)
  POL compiler error [B]
Trouble of OS
  Erroneous operating system: task management error; memory management error; timer management error; common resource management error; input/output management error; signal transmission management error; system management error [C]
Application program
  Implementation error; maintenance error; memory error

Notes: A: if POL is used, the check is easier. B: if POL is used, the check is easier by use of the maintenance tool. C: simple logic, a single task and no interrupts are important.

NPP CONTROL COMMAND: CONSIDERATIONS FOR THE FUTURE

J-P Trapp
CEA/DRN/DER/SSAE, CE Cadarache, France

XA9846515

Abstract

Recent years have seen considerable improvements in the performance available from instrumentation, computerized data acquisition and processing systems, signal processing and related display processing systems. This progress implies the need for a complete rethink of the approach to future surveillance, control and protection systems for use with nuclear reactors, especially regarding new reactor systems. In the future these new systems will need to ensure full compatibility between safety improvements and the enhanced economic competitiveness of nuclear power. This paper presents an exercise covering the main functions that can as of now be considered for future applications in this field.

1. INTRODUCTION

For all reactors, thermal, fast (breeder or not) or other types, the Instrumentation and Control (I&C) system has two main functions: - Control and surveillance, - Protection. As usual, these two functions must be strictly separated with respect to the equipment used in the measurement channels; this separation can lead to duplicated equipment (on the diversity principle), applying to the sensors and the associated electronics used to produce the signal and the diagnosis.

In the past, the surveillance function was expected only to produce very simple results (values or trends) and display them to the reactor staff; now, and especially in the future, this function will include and combine: - The state of the measurement channel, - The state of the measured value, - A diagnosis of the reactor state.

In the past, and even today, the protection function is performed by very simple systems that compare the measured signal level with fixed values taken as thresholds; generally this type of operation uses analog systems.

In the future, and already in some current applications, the protection function will be performed by computerized systems with thresholds that vary according to the reactor state (power level, etc.).

In this paper, we present some considerations on these two functions, taking into account the considerable progress made in the electronics and computer fields.

It should be noted that this exercise, which appears to be dedicated to fast reactors, can for the most part be transposed to other types of reactor, since in most cases the data processing systems are completely independent of the rest of the installation.

2. RECALL: PRESENT SURVEILLANCE SYSTEMS IN LMFBRs

It should be remembered that the measurement acquisition and processing systems used on LMFBRs (French reactors) were designed at a time when computer systems were in their infancy (1970 for Phenix and 1980 for SPX). This also applies to a large part of the PWRs built over the last decade. The equipment available at the time offered only limited performance and generally required the use of large general-purpose computers, i.e. the opposite of the current trend towards 'dedicated' systems. The result was the concentration, in a small number of large (or medium) sized machines, of the very large amount of data acquired from the reactor and necessary for its control and for the surveillance of essential operating parameters.

The scale of this data acquisition is at odds with the quality of the related processing, because of the limited performance available from these computers. For example, all of the neutronic, thermal, hydraulic and clad rupture data for the SPX system is acquired and processed by a single computer.

The notion of the Man-Machine Interface (MMI), although implied in people's minds, could not truly be applied.

These circumstances led to 'closed' systems where the analysis of results could not, with rare exceptions, be performed in real time, meaning that the data had to be read back from various magnetic media; the loss of time resulting from this design has always been considerable, when it has not actually caused a loss of data.

In addition, the independence of each data acquisition and processing system, at least as regards the storage of results, leads to a dispersion of results that makes it difficult to consolidate them. The acquisition and storage of measurements is, in general, inadequate, especially for fast changing events (reactivity, clad ruptures, various incidents, etc.).

Storing results on the media used (in general magnetic tape) raises problems of long term storage and also obliges the operator to perform long, complex and costly operations (tape copies) in order to meet storage requirements.

3. CONSIDERATIONS ON THE SURVEILLANCE SYSTEMS

3.1. General

First of all, we will list some of the general principles that form the basis of the surveillance systems:

a/ independence relative to the protection system,
b/ 'dedicated' acquisition systems, i.e. dedicated to a specific field (neutronics, thermal, etc.),
c/ implementing 'predictive' systems,
d/ connecting these systems via a computer network,
e/ continuous high speed measurement acquisition,
f/ appropriate storage (slow or fast, depending on requirements),
g/ on-line analysis of measurements,
h/ diagnostics on the correct operation of measurement channels,
i/ optimized data presentation (MMI) combined with pre-diagnostics,
j/ connecting acquisition systems to a general data bank,
k/ analyzing results off-line by semi-automatic processing of stored measurements,
l/ implementing a supervisor.

These few principles will lead to considerable development of signal processing and to considering as a whole, all of the surveillance systems: from the sensor to diagnostics via the Man Machine Interface.

This will have the following consequences:

a/ The acquisition computers connected to this system, which are independent of the protection system, are not failsafe qualified; despite this, the quality of the implementation and the qualification tests must be especially well executed.

The processing software must be able to evolve over time, to support requirements that were not taken into account during design, or to match technical changes.

b/ Each surveillance domain will be processed by a specific computer that will perform all of the functions required for surveillance.

c/ Anticipated fault detection (core, components, etc.).

d/ All of these computers will be connected by network, which will allow transmission by each one to the other of any data that might be necessary for its own processing.

e/ Current computers enable high acquisition speeds. Acquisition will be performed at intervals of no more than one second and may, as appropriate, be far faster (0.1 sec, or even as little as a few msec).

f/ High speed storage (t << 1 sec) is of interest only in the case of a specific event; under normal circumstances storage will be performed at a rate closer to once per second (or slower); the decision will be taken automatically after analyzing the measurement and performing a diagnosis of normal operation.

g/ On-line analysis (1st. level) of signals used to determine the characteristics of the type of operation: normal or 'degraded'; this analysis is connected to e/.

h/ A signal analysis process will be located in the acquisition systems in order to provide continuous or periodical diagnostics on the correct operation of the channels used for measurement acquisition.

i/ The Man-Machine Interface should be especially 'elaborate' in order to present the operators and duty staff with information that is as concise as possible on the state of the control systems and on the reactor: pre-diagnostics can also be considered.

j/ The acquisition systems will be linked, via the computer network, to a data bank that can acquire, in real-time or not, all of the data collected by the various computers. This data bank will be connected by the computer network to the workstations of the various users (analysis of operation, equipment maintenance, etc.) whether they are located on-site or away from it (crisis team or expert consultants, for example).

k/ Automated processing of data retrieved from the data bank will allow a fast analysis (2nd. level) of the results; the finer (3rd. level) analysis being performed by specialists in the domain.

l/ A supervisor will ensure the surveillance of the entire system (measurement channels and acquisition computers) and will indicate any malfunctions.
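Principles e/, f/ and g/ together describe a flight-recorder pattern: acquire continuously at high rate, store at a slow rate while operation is normal, and switch automatically to full-rate storage, including the samples leading up to the event, once first-level analysis declares operation degraded. The following is an added example of that logic, not code from the paper or from any CEA system. The 'degraded' criterion (a rate of change above a limit), the sampling and storage rates, the pre-trigger window and the signal itself are all hypothetical and constructed for the example.

```python
"""Added example: event-triggered surveillance storage, illustrating principles
e/, f/ and g/ above. Samples are acquired continuously at high rate, stored at a
slow rate in normal operation, and stored at full rate (with a pre-trigger
history) once first-level on-line analysis declares the operation 'degraded'.
The rate-of-change criterion, all rates and the signal are hypothetical."""
from collections import deque
from typing import Deque, List, Optional, Tuple

Record = Tuple[float, float, str]          # (time in s, value, "slow" | "fast")


class SurveillanceRecorder:
    def __init__(self, fast_dt: float = 0.01, slow_dt: float = 1.0,
                 pretrigger_s: float = 0.5, rate_limit: float = 5.0, hold_s: float = 1.0):
        self.slow_dt = slow_dt
        self.rate_limit = rate_limit         # |dx/dt| above this means 'degraded'
        self.hold_s = hold_s                 # keep fast storage this long after the last degraded sample
        # pre-trigger history of recent samples: (t, x, already stored by the slow path?)
        self.history: Deque[Tuple[float, float, bool]] = deque(maxlen=int(pretrigger_s / fast_dt))
        self.stored: List[Record] = []
        self.events: List[float] = []
        self.last_slow_t: Optional[float] = None
        self.fast_until = float("-inf")
        self.prev: Optional[Tuple[float, float]] = None

    def analyse(self, t: float, x: float) -> str:
        """1st-level on-line analysis (principle g/): 'normal' or 'degraded'."""
        if self.prev is None:
            self.prev = (t, x)
            return "normal"
        t0, x0 = self.prev
        self.prev = (t, x)
        return "degraded" if abs(x - x0) / (t - t0) > self.rate_limit else "normal"

    def ingest(self, t: float, x: float) -> str:
        state = self.analyse(t, x)
        if state == "degraded":
            if t > self.fast_until + 1e-9:
                # New event: flush the pre-trigger history at full rate,
                # skipping samples the slow path has already stored.
                self.events.append(t)
                self.stored.extend((ht, hx, "fast") for ht, hx, kept in self.history if not kept)
                self.history.clear()
            self.fast_until = t + self.hold_s
        if t <= self.fast_until + 1e-9:
            self.stored.append((t, x, "fast"))
        else:
            keep = self.last_slow_t is None or t - self.last_slow_t >= self.slow_dt - 1e-9
            if keep:
                self.stored.append((t, x, "slow"))
                self.last_slow_t = t
            self.history.append((t, x, keep))
        return state


def constructed_signal(n: int = 300, dt: float = 0.01) -> List[Tuple[float, float]]:
    """Constructed sample: flat at 100.0, a ramp of 50 units/s from 1.5 s to 1.7 s, then flat at 110.0."""
    out = []
    for i in range(n):
        t = round(i * dt, 6)
        if t < 1.5:
            x = 100.0
        elif t < 1.7:
            x = 100.0 + (t - 1.5) * 50.0
        else:
            x = 110.0
        out.append((t, x))
    return out


def run_demo() -> SurveillanceRecorder:
    rec = SurveillanceRecorder()
    for t, x in constructed_signal():
        rec.ingest(t, x)
    return rec


if __name__ == "__main__":
    rec = run_demo()
    fast = [r for r in rec.stored if r[2] == "fast"]
    slow = [r for r in rec.stored if r[2] == "slow"]
    print(f"events at {rec.events}; {len(slow)} slow and {len(fast)} fast records "
          f"(fast window {fast[0][0]:.2f}-{fast[-1][0]:.2f} s) out of 300 samples")
```

Of the 300 samples in the constructed run, only 173 are stored: three at the slow rate and 170 at full rate around the ramp, the first 50 of them from before the trigger. The pre-trigger window is what makes the stored record useful for later analysis of the event, which the paper notes was lost or delayed with tape-based storage.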

3.2. Description by Domain

The headings below will cover the general specifications of each of the surveillance domains. A surveillance domain refers to a set of measurements performed on a given physical domain and possibly any additional or correlated measurements.

3.2.1 - Neutronic Domain (all reactor types). This is the domain covered by all of the neutronic sensors (in the pressure vessel or below it). The surveillance system must: - Continually monitor any change to the neutronic population, regardless of the state of the reactor (shutdown, during the divergence, rising in power and rated power), - Monitor the evolution of reactivity via on-line monitoring (using a digital reactimeter), - Monitor the position of the control rods, - Provide a diagnostic on the neutronic situation of the reactor (reactivity comparator), - Provide a diagnostic (continual or periodical) on the state of the measurement systems. - Provide the neutronic elements required for on-line monitoring, using 3D calculations, - Store all of the data required, at the necessary rate and send them to the data bank, either continually or periodically after a preliminary examination (quality, coherence, amount).

3.2.2 - Core Thermal Domain (LMFBR, RBMK etc.). This is the domain covered by all of the thermal sensors that ensure temperature surveillance of the output from the core (Cr-Al thermocouples and Na-Stainless Steel, if necessary); the surveillance system must: - Continually monitor the evolution of core output temperatures, - Calculate all of the parameters required for this monitoring, - Continually evaluate the margins around the thresholds, - Ensure, on demand, any settings that may be required, - Provide core temperature maps (and/or any other parameters) as well as diagrams that illustrate the current situation, - Provide, on demand, elements for comparison with comparable previous situations, via the related data bank, - Provide the data necessary for on-line 3D monitoring (preferably, in the future),

- Storing data and sending it to the data bank after prior examination.

3.2.3 - Clad Failure Domain (Mainly LMFBR). This domain is covered by the system for detecting clad failures (whether built-in or not), the localization system and the system for cover gas surveillance.

Note that this surveillance domain does not cover protection against local fusion accidents (slow or fast blockages, random command rod movements, etc.) that will be ensured by a specific surveillance system.

The system ensures: - Diagnosis of proper measurement channel operation, - Monitoring the activity of the cover gas and transmission of any necessary alert and alarm, - Continual monitoring (at an optimized rate) of 'clad failure' signals, - The generation and transmission of alerts and alarms, - The surveillance and diagnostics of the hydraulic sampling system (if necessary), - In the event of a clad failure, time management and the margin before the thresholds, - Managing the localization system (starting prospection and signal management), - Presentation of summary diagrams on the situation of the reactor in this domain, - Temporary storage of data before transmission, after examination, to the data bank.

Note that this system should receive data relating to the neutronic power level (domain 3.2.1) and some data on the hydraulic domain (domain 3.2.4 ).

3.2.4 - Primary Pressure Vessel Domain (all reactor types). This covers the primary and secondary flow rates, the temperatures of the main components (vessel, intermediate heat exchangers, inside of the vessel, surface, etc.) and the core acoustics. It will ensure: - Monitoring changes to all acquired parameters, - Monitoring their evolution during transitional phases, - Any transmission of alerts, - The presentation of summary diagrams covering the situation of the reactor in this domain, - Transitory storage of data prior to transmission, after examination, to the data bank.

3.2.5 - Primary and Secondary Circuit Domain This domain covers all of the motion, speed and acceleration component sensors (piping, shafts, etc.), the temperatures of the steam generators, pipes and turbine. Its functions are similar to those of the previous domain.

3.2.6 - Preventive Surveillance Domain (all reactor types) This is a 'new' system whose purpose is clearly anticipated fault detection whether this relates to the core or to the pressure vessel or to any of the components of the primary or secondary circuits.

This anticipated detection should contribute to improving reactor availability (and therefore plant availability) by repairing at a chosen time, any potential faults that if not found by this detection could lead to an unexpected reactor stoppage.

This system combines: - neutronic data (channels below or in the pressure vessel), - acoustic data related to the core and to the steam generators (or others), - mechanical data (motion and vibration sensors), - thermal data (thermocouples).

It should also comprise the detection of any build-up of argon gas in the sodium (in LMFBRs) or level surveillance (water - steam) in PWRs.

The processing of signals and the analysis that will lead to a fault diagnostic will be made on-line (or after a slight delay), by a computer 'dedicated' solely to this function; it may receive, over the network, any additional data from the other surveillance computers.

This surveillance of course includes the detection of foreign objects.

This also contributes to preventive maintenance, which affects the competitiveness of the installation.

4. ABOUT THE PROTECTION SYSTEMS

This system must be independent of the previous one (1), so as to meet the principle of independence that is so important to the safety authorities. It is intended to: - Protect the reactor against any excursion outside of the normal operating domain, - Prevent multiple incidents from degenerating into an accident, - Reduce or eliminate the possibility of accidents occurring, - Reduce the consequences of any possible accidents.

(1) Measurement channels and systems for processing and generating the stop signal.

In the past, and even most often currently, protection is ensured by analog systems which, once a threshold is exceeded, trigger the reactor shutdown procedure; in some cases (CANDU, neutronic checks on the French PWRs, monitoring of core temperatures as in LMFBRs) this form of protection is computer initiated.

But this is far from being the rule.

The settings of these thresholds are most often fixed; they are the result of a compromise between ensuring safety and correct reactor operation, which cannot tolerate excessive planned or unplanned stoppages.

This compromise level is often highly conservative and may also illustrate 'designers' willingness to abide by conventional wisdom.

Dynamic protection management, leading to variable threshold levels depending on the state of the reactor, is probably inevitable. This will lead to computerized safety threshold management. Obviously, the failsafe qualification of these systems, and especially of the related software, is the major problem to be resolved to ensure the acceptability of these systems to the safety regulators in the various countries.

Some of these aspects have already been resolved in whole or in part (e.g. in Canada). These aspects are not impossible technical problems, but rather a question of the general approach to safety as well as the personnel and hardware resources that must be applied.
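State-dependent thresholds move a safety decision into software in two places: the threshold lookup itself and the signal that says which reactor state applies. If that state signal can be wrong, the protection limits can be raised without any measured parameter changing, so the state input deserves the same redundancy and fail-safe treatment as the measurements. The following is an added example, not code from the paper or from any vendor's protection system: a threshold table keyed by reactor state, redundant state indications resolved to the most conservative state on any disagreement, and m-out-of-n voting over redundant channels in which a channel reporting a fault votes in the trip direction. It also computes the threshold margins called for in section 3.2.2. The states, parameters, limits and the 2-out-of-3 arrangement are hypothetical.

```python
"""Added example: reactor-state-dependent trip thresholds with m-out-of-n voting
over redundant measurement channels, for the dynamic threshold management
discussed in section 4. States, parameters, limits and the 2-out-of-3 logic
are hypothetical, not values from the paper."""
from typing import Dict, List, Optional

# Conservative ordering: earlier states carry the lowest limits.
STATE_ORDER = ["shutdown", "startup", "power"]

# Hypothetical threshold table: state -> parameter -> trip limit.
THRESHOLDS: Dict[str, Dict[str, float]] = {
    "shutdown": {"flux_pct": 5.0,   "core_outlet_C": 400.0},
    "startup":  {"flux_pct": 25.0,  "core_outlet_C": 450.0},
    "power":    {"flux_pct": 118.0, "core_outlet_C": 560.0},
}


def resolve_state(indications: List[Optional[str]]) -> str:
    """Choose the operating state from redundant state indications.
    Any unknown, missing or disagreeing indication resolves to the most
    conservative state on offer, so a bad state input can never raise the limits."""
    known = [s for s in indications if s in THRESHOLDS]
    if not known or len(known) != len(indications):
        return STATE_ORDER[0]
    return min(known, key=STATE_ORDER.index)


def channel_votes_trip(value: Optional[float], limit: float) -> bool:
    """A channel whose self-diagnostic reports a fault (value None) votes for trip: the fail-safe direction."""
    return value is None or value >= limit


def evaluate(indications: List[Optional[str]],
             readings: Dict[str, List[Optional[float]]],
             m: int = 2, n: int = 3) -> Dict[str, object]:
    """m-out-of-n vote per parameter against the limits of the resolved state.
    Returns the overall trip decision, per-parameter votes and the margins of healthy channels."""
    state = resolve_state(indications)
    limits = THRESHOLDS[state]
    per_param: Dict[str, Dict[str, object]] = {}
    trip = False
    for param, limit in limits.items():
        chans = readings.get(param, [])
        if len(chans) != n:
            # A parameter without its full channel set cannot be voted safely: trip.
            per_param[param] = {"limit": limit, "votes": None, "margins": [], "trip": True}
            trip = True
            continue
        votes = [channel_votes_trip(v, limit) for v in chans]
        tripped = sum(votes) >= m
        margins = [limit - v for v in chans if v is not None]
        per_param[param] = {"limit": limit, "votes": votes, "margins": margins, "trip": tripped}
        trip = trip or tripped
    return {"state": state, "trip": trip, "per_parameter": per_param}


if __name__ == "__main__":
    # Constructed readings: three channels per parameter, all healthy and within power limits.
    healthy = {"flux_pct": [100.0, 101.0, 99.0], "core_outlet_C": [540.0, 541.0, 539.0]}
    print("at power, healthy:", evaluate(["power"] * 3, healthy)["trip"])
    print("state indications disagree:", evaluate(["power", "startup", "power"], healthy)["trip"])
    print("one channel high, one faulted:",
          evaluate(["power"] * 3, {**healthy, "flux_pct": [120.0, None, 99.0]})["trip"])
```

Two design choices carry the safety argument: a faulted channel counts toward trip rather than being dropped from the vote (so two faulted channels in a 2-out-of-3 group trip the reactor, rather than leaving a single channel deciding), and a state disagreement selects the state with the lowest limits rather than the majority, since a majority of wrong state indications would otherwise raise the limits.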

5. CONCLUSION

The considerable progress achieved over the last few years in the field of instrumentation and in systems for computerized data acquisition, processing and signal processing leads us to envisage far reaching changes in the vision of surveillance and protection systems for future nuclear reactors.

These systems must clearly be designed to:

- Improve safety, - Improve the availability of the installations, - Reduce human errors,

while contributing to improving the competitiveness of nuclear power generation in relation to other power sources.

At the same time, and this is not the least important factor, the result will most likely be better acceptance of nuclear power by public opinion.

[Figure: EXAMPLE OF A COMPUTERIZED SURVEILLANCE SYSTEM. Only the labels survive from the residue: "Computer n°1" to "Computer n°n", connected "To supervisor and/or data bank"; the diagram itself is not recoverable.]

Session 5:

General Discussion, Conclusions and Recommendations


SUMMARY OF THE DISCUSSION

Prepared by the session Chairperson Mr. J. White.

The final session was a panel-led discussion of general conclusions and recommendations. The panel comprised Mr. White and the chairmen of the first four sessions: Mr. van Gemst of Sweden, Mr. Hetthessy of Hungary, Mr. Krs of the Czech Republic, and Mr. Naisse of Belgium. Each panelist made an opening statement of his observations and conclusions. Then the floor was opened for comments from the meeting participants. The following is a summary of the discussion.

I. It is clear that usage of computer based systems in nuclear power plants is increasing in many countries.

The presentations in the previous sessions indicate an inevitable introduction of digital equipment into I&C systems both in safety and non-safety systems. At this meeting, papers were presented describing introduction of modern I&C technology into nuclear power plants in Belgium, the Czech Republic, Finland, France, Germany, Hungary, Japan, Korea, Mexico, Romania, Slovakia, Spain, Sweden, and the U.S.A. Each experience is different so there is no standard and unique solution for implementation, but the generic goals that are pursued are the same: increase the plant safety; boost plant operational performance (both during normal and upset situations); decrease the burden of maintenance and testing; cope with obsolescence concerns.

For new plants to be commissioned, full digital solutions were chosen and no doubt will continue to be chosen. For refurbishment, it is also clear that digital is the direction everyone is taking, but following a step-by-step approach. We think that here the work could be more difficult. The plants to be refurbished are 15 to 20 years old and as such their I&C structure reflects constraints linked to the technology available in the sixties and seventies. Changing the systems without reconsidering the interfaces between the old systems and the new systems could endanger the final goal, which is to reach a coherent overall digital I&C and MMI structure.

II. We need to provide a more balanced view of the advantages and the issues.

The meeting participants generally agreed that this community should present a more balanced view of the design, validation and use of computerized reactor protection and safety related systems than we normally present. This balanced view should include more discussion of the advantages (promised and realized) of computerized systems rather than too much emphasis on the problems and issues concerning regulation and licensing. We need to talk more about the improvements in safety and operations resulting from these systems. We also need to share any improvements in regulatory climate associated with the use of these systems.

One example of improved operation mentioned at this meeting is at Cernovoda Unit 1 [a Candu reactor]. Use of PC-based systems at Cernovoda has allowed better management of on-line refueling, with more precise measurement of fluxes. The requirement is that if the neutron flux level indication is within 5% of an upper limit, then the reactor has to be derated for several hours. The older design Cernovoda instrumentation was less precise (1.5% full scale) than newer digital instruments. With the newer computer-based system, the Cernovoda reactor is able to prevent unnecessary deratings. Several other benefits of computer-based systems have been proven and were mentioned in the previous sessions.

A summary of the issues was presented in the paper by Mr. Garcia [Spain]. These include software quality assurance, potential for common-mode failure, systems aspects of digital technology, human factors, safety and reliability assessment methods, dedication of commercial off-the-shelf hardware and software, and the choice of appropriate licensing approaches. Garcia also pointed out that we have ways of dealing with these issues like defense in depth, environmental qualification, and hazards analysis to ensure safety margins.

III. We need to keep safety systems simple, with only as much functionality as needed to improve safety.

The participants agreed that new computerized safety or safety related systems should be as simple as possible, with only enough functionality to realize the safety or safety related goals. This will take a lot of discipline because computerized systems can have a great deal of added functionality. Keeping the systems simple will improve the licensability of the systems because they will be easier to analyze and test. Several papers mentioned that the use of simple operating systems, without interrupts, with deterministic operation is the best approach for highly reliable systems.

IV. We need to communicate better with computer scientists and software engineers to improve reliability and licensability of our computer-based systems.

The nuclear community is not a leader in computer science and software engineering. We have been leaders in most of the technologies we have needed to design our plants, like nuclear physics, nuclear fuels, heat transfer and shielding. We became leaders in these fields because we generated the raw data from which our design approaches grew. We do not have time for that in computer science and engineering, because we need to use computers now.

The U.S. National Academy of Sciences Panel on Digital Instrumentation and Control Systems in Nuclear Power Plants recently pointed out that one of the most challenging problems faced by nuclear experts is communication with experts in computer science. There are very significant differences in understanding by nuclear engineers and computer scientists of terms like: simple systems; diversity; 100% testability; common cause failure; common mode failure; verification and validation; and software quality assurance.

All communities involved in the application of computer based systems to nuclear plants need to work together: reactor vendors, licensees, regulators, computer scientists and software engineers, digital hardware designers, human-machine interface designers and researchers. There are more than 200 standards and guidelines associated with digital and computer-based systems. Most of these standards and guidelines are general rather than specific, so that a great deal of variation in their usage occurs. We should expect that "best practices" will change as the international community gains experience. We must stay current. We should publish our work for review by the academic community, including non-nuclear experts. We should play more of a leadership role in standards development for software-based systems. The IAEA might invite computer scientists and software engineers to a future IWG meeting to share the latest methods and best practices.

V. The regulatory bodies in most of the countries are gaining experience from licensing of refurbishment or replacement or projects of different scope and safety significance.

Because the laws of each country are different, the fact that each national regulatory environment is somewhat different is not surprising. The nuclear community will be getting some experiences from specific licensing applications dealing with computerized systems. Although the regulatory environments are somewhat different, some of the experiences will be common [because the issues are similar]. The regulatory bodies are gaining experience (on- the-job-training). We need to capture common experiences in terms of lessons learned.

There is a lack of an international standard for licensing this technology for nuclear plants. Frequently, a country will adopt some of the regulations of the country providing the technology. This makes it difficult to mix European, U.S. and Asian technologies. Perhaps the IAEA could play a role in facilitating international standards.

VI. The quantification of the reliability of software in software-based systems is one of our most serious issues.

In the final session, we noted that software reliability cannot be determined absolutely by analysis, calculation and testing, but only by expert judgment. Mr. van Gemst recommended that we take a look at an ESPRIT project called SERENE for knowledge based evaluation (Bayesian techniques) of reliability. The project is developing a tool for demonstrating compliance with IEC 1508. This project is considering non-nuclear industries also. Mr. van Gemst also recommended that the IAEA IWG-NPPCI should have a specialists meeting about validation tools.

Software validation using IEC 880 requires extensive and expensive documentation. We need automated tools to help reduce the documentation labor costs. On the other hand, as pointed out by Mr. Brun during this session, we should not separate too much the professional engineer from the problem through the use of tools.

New systems will have hundreds of processors running software simultaneously. We need to be able to follow what is going on. A good graphical programming language could help provide a common language to facilitate communication among users, designers, analysts and auditors. Some of the presentations in earlier sessions indicated that use of these high level languages have helped designers and analysts.

VII. The most common approach to deal with common-mode failure possibility is diversity.

We need optimal diversity. The Siemens three layer defense-in-depth approach described in the paper at this meeting by Mr. Bock [Germany] may be very good. We should assume that we surely have an error somewhere. As Mr. Hetzmann [Hungary] pointed out in this session, however, we should remember that diversity is a tool, not a target. Furthermore, as Mr. Brun [France] and Mr. Bouard [France] have mentioned in this session, there are other sources of common mode failure in addition to software. We should not forget about these other cases, like the use of redundant equipment (pumps, valves, actuators) which has common design vulnerabilities.

VIII. There was a discussion which generated a lot of interest but time expired before the participants reached a consensus: Mr. Brun [France] stated that reliance on a system seldom (if ever) used by operators for rare safety challenges is not as desirable as reliance on a system used frequently by operators.

This statement means that we put a great deal of emphasis [time, labor cost, qualification cost, licensing cost, maintenance cost] on our safety systems, which the operator will probably rarely use. But for the systems the operators use daily, we spend far fewer resources. Furthermore, in times of safety challenges requiring use of these safety systems, the operators (who will be under a great deal of stress) will be required to work with relatively unfamiliar equipment and man-machine interfaces. Several participants indicated that their organizations believe this is acceptable because the operators will not be required to do anything for the most serious types of accidents that have been analyzed, because the safety systems will automatically control the reactor for 30 minutes. Also, operators do have some experience with the use of safety systems because of their training on simulators. One participant also stated that most of the increased cost of the safety systems compared to non-safety systems was in the documentation, rather than in the rigor of the design process. This discussion might be revisited at another IWG-NPPCI meeting.

IAEA SPECIALISTS' MEETING ON COMPUTERIZED REACTOR PROTECTION AND SAFETY RELATED SYSTEMS IN NUCLEAR POWER PLANTS

27-29 October 1997 Budapest / Hungary

LIST OF PARTICIPANTS

Name | Address | Tel. | Fax / E-mail

AUSTRIA
Schildt, Gerhard Helge | Institute for Automation, Vienna University of Technology, Treitlstr. 1/183-1, A-1040 Vienna | +43 1 58801 8190 | +43 1 586 32 60, schi@auto.tuwien.ac.at

BELGIUM
Naisse, Jean-Claude | Tractebel Energy Engineering, 7 Ave. Ariane, B-1200 Brussel | +322 773 76 18 | +322 773 89 10

CZECH REP.
Hladky, Milan | Dukovany NPP, 675 50 Dukovany | +420 509 60 5375 | +420 509 92 21 11
Krs, Petr | State Office for Nuclear Safety, Semovazne nam. 9, 11000 Prague 1 | +420 2 21624740 | +420 2 21624 360, Petr Krs@sujb.cz
Londynova, Katerina | I&C Energo, Jaderna elektrarna Dukovany, 67550 Dukovany | +42 509 605568 | +42 509 605584
Nekuza, Milos | State Office for Nuclear Safety, Semovazne nam. 9, 110 00 Prague 1 | +420 509 301 | +420 509 922 414
Ondrak, Zdenek | Dukovany NPP, 67550 Dukovany | +420 509 605 243 | +420 509 92 2111
Precan, Jaroslav | Dukovany NPP, 67550 Dukovany | +420 509 60 5496 | +420 509 92 21 11
Rosol, Josef | Dukovany NPP, 67550 Dukovany | +420 509 605 418 | +420 509 922 360
Tipek, Zdenek | State Office for Nuclear Safety, Semovazne Namesti 9, 110 00 Prague 1 | +420 334 422 3667 | +420 334 741 288

FINLAND
Jarvinen, Marja-Leena | Finnish Centre for Radiation and Nuclear Safety, Nuclear Safety Department, P.O.Box 14, FIN-00881 Helsinki | +358 9 759 881 | +358 9 7598 8382
Leppimaki, Petri Markus | Teollisuuden Voima Oy, FIN-27160 Olkiluoto | +358 2 8381 3414 | +358 2 8381 3209
Maskuniitty, Matti | Finnish Centre for Radiation and Nuclear Safety, Nuclear Safety Department, P.O.Box 14, FIN-00881 Helsinki | +358 9 759 881 | +358 9 7598 8382
Pulkinnen, Jukka | Teollisuuden Voima Oy, FIN-27160 Olkiluoto | +358 38 83811 | +358 38 83814309

FRANCE
Bouard, Jean-Paul | EdF SEPTEN, 12-14 ave. Dutrievoz, F-69628 Villeurbanne Cedex | +04 72 82 71 66 | +04 72 82 77 04
Brun, Michel | TECHNICATOM, Rue Ampere, BP 34000, 13791 Aix en Provence | +33 04 42 60 2716 | +33 0442 60 2500, [email protected]
Mauduit, Jean-Paul | FRAMATOME, Tour Framatome, F-92084 Paris La Defense Cedex | +33 1 47 96 38 04 | +33 1 47 96 19 31
Trapp, Jean-Pierre | CEA/DRN/DER/SSAE/LSMR, CE/Cadarache, 13108 Saint Paul Lez Durance Cedex | +33 04 42 25 44 10 | +33 04 42 25 27 80

GERMANY
Berger, Edmund | ABB Kraftwerksleittechnik GmbH, Kallstaedter Str. 1, D-68309 Mannheim | +49 621 381 3887 | +49 621 381 2646
Bock, Heinz-Wilhelm | Siemens KWU NLL, Hammerbachstr. 12+14, D-91050 Erlangen | +091 31 186161 | +091 31 1863 62
Lindner, Arndt | ISTec GmbH, Forschungsgelaende, 85748 Garching | +(089) 3 20 04-400 | +(0 89) 3 20 04-300
Seidel, F. | Bundesamt f. Strahlenschutz (BfS), Postfach 10 0149, D-38201 Salzgitter | +49 5341 225-0 | +49 5341 225-225

HUNGARY
Bokor, Jozsef | Hungarian Academy of Sciences, Kende u. 13-17, H-1111 Budapest | +361 1667 483 | +361 166 7503
Gaspar, Peter | Hungarian Academy of Sciences, Kende u. 13-17, H-1111 Budapest | +361 1667 483 | +361 166 7503
Hamar, Karoly | Hungarian Atomic Energy Authority, Nuclear Safety Directorate | |
Hetthessy, Jeno | Hungarian Academy of Sciences, Systems and Control Laboratory, Computer and Automation Research Institute, Kende u. 13-17, H-1111 Budapest | +36 11 66 7483 | +3611 667503
Hetzmann, Albert | Nuclear Power Plant Paks, P.O.Box 71, 7031 Paks | +36 75 508 531 | +36 75 312 725
Horvath, Erzsebet | Siemens Rt. KWUN, Pf.191, H-1300 Budapest | +36-1-457 16 68 | +36-1-457 16 32

Kecskemeti, Gyula Nuclear Power Plant Paks + 36 75 507 671 + 36 75 506 632 P.O.Box 71 H-7031 Paks Marko Janos ETV-EROTERV Power Engineering +361 218 5600/3373 +361218 5685 and Contractro Co. Axigyal u. 1-3, H-1094 Budapest Monori, Pal ETV-EROTERV Power Engineering +361 455 3656 +361218 5585 and Contractro Co. Angyal u. 1-3, H-1094 Budapest Neubauer, Istvan Electrical Power Research Institute

Nigicser, Jeno Electrical Power Research Institute

Racz, Gabor Technical University of Budapest

Sarkozi, Tibor Nuclear Power Plant Paks + 36 75 507 755 U- 36 75 312 725 P.O.Box 71 H-7031 Paks Soumelidis, Alexandras Hungarian Academy of Sciences + 361 1667 483 ^ 361 166 7503 Kendeu. 13-17 H-llll Budapest Szabo, Geza Department of Control and Transport +36 1 463 19 79 + 36 1 463 30 87 Automation Technical University of Budapest Bertalan L.U.2 Budapest Tarnai, Gabor Technical University of Budapest

Turi, Tamas Nuclear Power Plant Paks + 36 75 508 845 r+36 75 506 632 P.O.Box 71 H-7031 Paks Zemlicki, Lajos Nuclear Power Plant Paks + 36 75 507 996 + 36 75 506 632 P.O.Box 71 H-7031 Paks JAPAN

Fukumitsu, Hiroyuki Mitsubishi Electric Corporation + 81 78 682 6330 + 81 78 682 6368 1-1-2 Wadasaki-cho Hyogo-ku Kobe 652 Hayashi, Nobuhiro Mitsubishi Heavy Industries Ltd. + 8178 672 3326 + 81 78 672 3277 Kobe Shipyard & Machinery Works Nuclear Plant Designing Department 1-1-1 Wadasaki-cho Hyogo-ku Kobe 652 Ogiso, Zenichi Institute of Nuclear Safety + 813 5470 5486 + 81 3 5470 5487 Nuclear Power Engineering Corporation Fujita Kanko Toranomon Bldg. 17-1, Toranomon 3-Chome Minato-ku Tokyo 105 Yokomura, Tadayuki Nuclear Power Engineering Dept. + 81 33501 8111 + 81 3 3596 8562 Tokyo Electric Power Company 1-3, Uchisaiwai-cho 1-Chome Chiyoda-ku Tokyo 100 - 284 -

REP. OF KOREA

Yun, Won-Young Korea Institute of Nuclear Safety f 82 42 868 0237 + 82 42 861 0943 P.O.Box 114 Yusaong Taejon MEXICO

Ledesma, Rafael CNSNS + 52 5 590 50 54 + 52 5 590 7508 Dr. Barragan 779 Col. Vertiz-Navarte 03020 Mexico, D.F.

Van de Veen, W. KEMA Nederland BV + 31 26 3562321 + 31 26 351 8092 Postbus 9035 6800 ET Amhem ROMANIA

Dudu, Radu RENEL + 40 41 239 340 + 4041 239679 Cernavoda Str. Medgidiei, Nr. 1 Cernavoda 8625 Jud. Constanta Popa, Costin RENEL + 4041 239340 + 40 41 239 679 Cernavoda Str. Medgidiei, Nr. 1 Cernavoda 8625 Jud. Constanta Popescu,Mircea Center of Technology & Engineering + 40-1-420.88.16 40-1-420.88.16 Constantin for Nuclear Projects (CITON) 40-1789.35.90 40-1-789.35.90 P.O. Box 5204-MG-4 Bucharest,Magurek, ROMANIA

SLOVAKIA

Arbet, Ladislav Nuclear Power Plants Research Institute + 421 805 569726 + 421 805 569153 Inc. B mail: Okruzna 5 [email protected]. 918 64Trnava Golan, Peter Bohunice NPP, Slovak Electric, Pk. +421 805 59 1501 +421 805 59 1527 Bohunice NPP, 919 31 Jaslovske Bohunice Vaclav, Juraj Bohunice NPP, Slovak Electric, Pk. +421 805 59 1501 +421 805 59 1527 Bohunice NPP, 919 31 Jaslovske Bohunice SPAIN

Mozas Garcia, Alfredo Consejo de Seguridad Nuclear [+34 1 3460134 f 34 1 3460588 Justo Dorado 11 28040 Madrid SWEDEN

Aslund. Alf Vattenfall Energisystem AB, Box 528, +46 8 739 6231 +46 8 739 5477 S-162 16 Stockholm Van Gemst, Paul ABB Atom AB + 4621 347035 + 4621 347318 S-721 63 Vasteras [email protected] Gustavsson, Eva ABB Atom AB + 46 21 348551 + 4621 347318 S-721 63 Vasteras atoevgu@ ato.abb.se - 285 -

Hallman, Anders Swedish Nuclear Power Inspectorate, S +46 8 698 8472 +46 8 661 9086 106 58 Stockholm Johansson, Anders Vattenfall AB + 46 340 668365 + 46 340 6651 02 Ringhals S-430 22 Varobacka Lundin, Ted Forsmarks Kraftgrupp AB + 46 173 82275 + 46 173 81631 Vattenfall S-742 03 Osthammar Lundqvist, Goran Vattenfall Energisystem AB + 46 8 739 5975 f 46 8 739 69 00 Box 528 S-162 16 Stockholm Svensson, Goran Ringhalsverket +• 46 340 667059 + 46 340 668515 Vattenfall AB S-430 22 Varobacka Stahle, Lars-Olov OKB AB, Oskarshamnsverket + 46 491 786754 + 46 491 78 6870 S-572 83 Oskarshamn [email protected] Talts, Hakan Simpevarp f 46 491 787521 + 46 491 78 6865 S-57283 Oskarshamn Tyszynski, Jan Sydkraft Konsult AB k 46 40 255892 + 46 40 302194 Carl Gustavsvag 4 S-205 09 Malmo

Feer, Urs HSK + 41 56 310 39 98 + 41 56 310 38 54 Section ELT CH-5232 Villingen Kaiser, G6tz NOK Beznau NPP + 41 56 2 66 7703 + 41 56 2 66 7702 CH5312D0ttingen cag@nok. ch U.S.A.

Mauck, Jerry L. US Nuclear Regulatory Commission + 301415 3248 + 301 415 1254 MS 8H3, Washington DC 20555 [email protected] White, James D. Oak Ridge National laboratory + 423-574-5527 + 423 576 8380 I&C Division Building 3500, MS 6009 P.O.Box 2008 Oak Ridge, Tennessee 37831-6009 I.A.E.A.

Neboyan, Vladimir IAEA + 43 1 2060 22796 +43 1 20607 Division of Nuclear Power and the Fuel [email protected] Cycle Wagramerstrasse 5 P.O.Box 100, A-1400 Vienna Dusic, Milorad IAEA + 43 I 2060 22522 +43 1 20607 Division of Nuclear Installation Safety [email protected] Wagramerstrasse 5 P.O.Box 100, A-1400 Vienna