IAEA-IWG-NPPCI-95/10 LIMITED DISTRIBUTION

WORKING MATERIAL

MODERNIZATION OF INSTRUMENTATION AND CONTROL SYSTEMS IN PLANTS

Proceedings of a Specialists' Meeting Organized by the International Atomic Energy Agency in Co-operation with the Institute for Safety Technology (ISTec) and held in Garching, Germany, 4-7 July 1995

Reproduced by the IAEA, Vienna, Austria, 1995

NOTE The material in this document has been supplied by the authors and has not been edited by the IAEA. The views expressed remain the responsibility of the named authors and do not necessarily reflect those of the government(s) of the designating Member State(s). In particular, neither the IAEA nor any other organization or body sponsoring this meeting can be held responsible for any material reproduced in this document.

FOREWORD

Instrumentation and Control (I&C) is directly associated with the performance of all safety functions and its reliability should be consistent with the reliability of the respective mechanical or electrical systems. I&C is also the interface between the operator and the plant and, as such, has a paramount significance for safety. For the same reason, I&C is closely linked to the operating procedures and both should be assessed at the same time.

The present situation in the nuclear industry is characterized by a decreasing number of new plants and an increasing number of installations where backfitting measures are to be expected. Instrumentation and control equipment in nuclear power plants has a special role, because its technological life span is about ten years and the innovation cycle even shorter. Considering that the mechanical systems of the plant are designed for a lifetime of 30 to 60 years, the instrumentation and control equipment, or part of it, has to be backfitted or modernized several times in order to achieve the required availability and safety.

The Specialists' Meeting on "Modernization of Instrumentation and Control Systems in Nuclear Power Plants" was organized by the IAEA (jointly by Division of Nuclear Power and Division of Nuclear Safety) in co-operation with Institute for Safety Technology (ISTec) and held in Garching, Germany from 4 to 7 July 1995 (The Meeting Chairman - Dr. W. Bastl). The meeting brought together experts on power plant operation with experts on application of today's instrumentation and control technology. In this way, a match was made between those knowing the industry needs and requirements and those knowing the potentials of the technology.

The objectives of the Specialists' Meeting were:

To provide an international forum for presentation and discussion on experience with I&C modernization.

To share experience on the design and verification process connected to the I&C modernization.

To identify and describe advanced features for safety and operation improvements.

In order to facilitate a structured discussion and not to omit important problem areas, papers on the following subjects were considered to be within the scope of the Specialists' Meeting:

• planning and organization of backfitting (e.g. consideration of operational needs; partial, staggered or complete modernization; envisaged time frames; reduction of plant shutdown time)

• means to decide on backfitting needs (follow-up of ageing, fatigue monitoring, condition monitoring, etc.)

• realization of backfitting (implementation problems, adapting new I&C, changing from analog to digital, distributed systems)

• specific backfitting considerations related to automation (e.g. optimization of controls, new controls for steam generator, load following, etc.)

• specific backfitting issues related to process computers (e.g. portability of programs, interface problems, improved documentation)

• enhancing plant management (e.g. implementing advanced plant management systems, simplification of maintenance)

• improvement of the man-machine interface (e.g. control room supplements, operator support systems, potential for enhancements)

• basic reliability considerations (e.g. degree of redundancy or diversity, reliable power supply of I&C, V&V problems)

• safety and licensing (e.g. compensating degradation of plant safety, matching of new I&C to safety requirements, implementing defence in depth strategies, safety system related problems, applicability of existing safety standards)

• experience from backfitting (e.g. planning versus realization, optimization of backfitting strategies).

The present volume contains the papers presented by national delegates.

SPECIALISTS' MEETING ON MODERNIZATION OF INSTRUMENTATION AND CONTROL SYSTEMS IN NUCLEAR POWER PLANTS

Garching/Germany 4-7 July 1995

Programme

Session 1: Upgrading I&C: Vendors' and Utilities Views Chairman: Mr. W. Bastl, Germany

Ageing Diagnosis, Prediction and Substitute Strategies for I&C [1] R. Heinbuch, J. Irlbeck, W. Bastl, GERMANY

I&C Refurbishment Activities and Experience at the Paks NPP A. Hetzmann, J. Eiler, T. Turi, HUNGARY

Modernization of the Control and Instrumentation in the TVO BWR Power Plant L.-E. Hall, FINLAND

Joint EEC - IAEA report on possible Control and Instrumentation improvements for RBMK reactors D. N. Wall, UK, F. Reisch, Sweden & A. Kossilov, IAEA

Modernization of the RBMK NPP I&C Systems in Russia A.I. Gorelov, M.M. Michailov, RUSSIAN FEDERATION

Modernization and Control Room Development - Current Trends and Approaches in Sweden G. Svensson, SWEDEN

Session 2: Upgrading I&C: Regulatory and Qualification Aspects Chairman: Mr. K. Hamar, Hungary

Summary of Session 2

The Transition to Modern Technology N. Anani, CANADA

Upgrades of Digital I&C in German Nuclear Power Plants: Regulatory Aspects and Qualification Requirements G. Schnürer, D. Wach, F. Seidel, L. Weil, GERMANY

[1] Not available

Licensing Experience of the µ-processor Based I&C System in NPP Young Gwang Units 3,4 T-K Oh, REP. OF KOREA

Session 3: New Developments / Retrofitting of Specific Systems Chairman: Mr. van der Plas

An Effective New Method to Filter Out Falling In-Core Sensors F. Adorjan, HUNGARY

Modernization of Reactor Control and Limitation Systems in German PWR-based NPP's with the New Digital Safety I&C System Teleperm XS O. Schörner, GERMANY

Neutron Sensor Signal Validation: Early and On-line Oxygen Intrusion Detection J-Ch. Trama, A. Bourgerette, E. Barat

Session 4: IAEA TecDoc on Modernization of I&C in NPP Discussion on Scope and Structure Chairman: Mr. A. Kossilov, IAEA

Session 5: Enhancing MMI by New I&C Technologies Chairman: Mr. N. Anani, Canada

Upgrade of Process Information Systems in NPPs, a First Step to an Overall I&C Modernization J. Kollmannsberger, GERMANY

An Innovative Approach to Recording and Monitoring of Mobile Radiation Measurements, including demonstration [2] S. Osterlehner, L. Felkel, GERMANY

The Strategy and Development for Alarm Processing Technology J-T. Kim, C.S. Ham, K.C. Kwon, D.Y. Lee, REP. OF KOREA

Modernization of the Neutron Monitoring System in NPP Borssele J. W. De Vries, The Netherlands, Harms, A. Klein, F. Schindhelm, GERMANY

Process Visualization for NPPs Running under Windows G.H. Schildt, AUSTRIA

Frequency Selective Vibration Monitoring of Rotating Machinery - Recent Developments [2] R. Sunder, GERMANY

Introduction to Demonstration of Turbine Diagnosis System [2] S. Szoldatis, GERMANY

Closing Session Chairmen: Mr. W. Bastl, Germany, Mr. A. Kossilov, IAEA

Annex:

Modernization of Main Control Boards of Genkai Nuclear Power Station Units 1 and 2 [3] M. Takashima, JAPAN

Institute for Safety Technology (ISTec) GmbH

List of participants

[2] Not available

[3] Submitted but not presented

I&C REFURBISHMENT ACTIVITIES AND EXPERIENCES AT THE PAKS NPP

Albert Hetzmann, I&C Director
Janos Eiler, Head of I&C Technical Dpt.
Tamas Turi, Project Manager
Paks Nuclear Power Plant Ltd., Paks, Hungary

ABSTRACT

In the introduction, the paper gives a general overview of the Paks nuclear plant and its operational statistics, with details on I&C data. In the subsequent sections the basis of the I&C reconstruction policy and its realisation are described. The different categories of reconstruction areas are detailed, broken down to equipment and system level. In closing, the paper gives a summary of the next phases and future tasks to be carried out.

1. DESCRIPTION OF THE PAKS NUCLEAR PLANT

1.1 General overview

Hungary's only nuclear power plant is located in the middle of the country, about 110 km south of Budapest, on the bank of the Danube river. There are four 460 MWe, Russian design VVER-440 units at the site. They entered commercial operation between 1982 and 1987. Their total capacity of 1840 MWe contributes to the country's electricity generation to a very significant degree. The 1994 share can be seen in Fig. 1. Also, last year the plant reached its greatest ever power generation by producing more than 14,000 GWh.

Figure 1. Share of the Paks NPP in Hungary's electricity generation, 1994.

The number of reactor scrams per year and the power plant's load factor are depicted in Figures 2 and 3.

Figure 2. Number of reactor scrams per year.

Figure 3. Power plant load factor.

1.2 I&C operational statistics

A representative comparison of the 1989 and 1993 failure statistics can be seen in the tables below. As is visible, there was a certain decrease in the trend due to the refurbishment steps taken during 1990 to 1994. The situation did not change in the case of actuator devices, an area in which no significant modernisation has been undertaken yet.

Number of failures in different I&C areas

Area           1989   1993
Regulators      546    218
Protection      796    589
Actuators       702    691
Measurements   3320   2936

Failure distribution (share of all I&C failures)

Area           1989   1993
Regulators      10%     5%
Protection      15%    13%
Actuators       13%    16%
Measurements    62%    66%

2. HISTORY OF I&C IMPROVEMENT STEPS

The reconstruction measures taken to date can be grouped as follows:

2.1 Identification and elimination of problems resulting from poor equipment quality

This consists of changing certain types of instrumentation and other equipment while leaving the function of the loops unaltered. In some cases it goes together with the reduction of unnecessary redundancy. The following types of equipment fall into this category:

• dP transmitters
• Indicators
• Limit threshold switches
• Recorders

2.2 Realisation of missing functions by installing new systems

The following control and monitoring systems - that had not been realised in the original design of the plant - were installed:

• Plant control centre
• Enhanced in-core monitoring system
• On-line water chemistry monitoring system
• Radiation protection information system
• Enhanced turbine governing system
• Protected (bunker) control centre
• Acoustic alarm system
• Seismic monitoring and alarm system
• Diagnostic systems (vibration and leakage monitoring)

2.3 Modernisation of obsolete systems

In the early phase of operation, the power plant conducted the replacement of the following unreliable systems:

• Display system of the unit computers
• Data acquisition system of the unit computers
• Reactor in-core monitoring system
• Process monitoring unit computers
• Control rod position indication

2.4 Safety enhancement measures

The major I&C measures related to or resulting from a general plant safety enhancement project are the following:

• Reactor protection system refurbishment
• Partial replacement of containment penetrations
• Modification of the logic of emergency feedwater pumps
• Modernisation of automatic fire detection and protection systems
• Installation of accident range gamma dose rate monitors inside containment

In the following paragraphs we put the emphasis on modification steps that have already been realised in Paks: therefore, experience is available and the solutions can be proposed for other similar plants.

3. EQUIPMENT LEVEL I&C UPGRADE

3.1 dP transmitter replacement

The systematic dP transmitter replacement commenced in 1991 and has continued ever since. More than 350 new transmitters have been installed in Units 1 and 2. Four types of Rosemount replacement transmitters are in use:

• 1151: Standard type
• 1151-T: Standard type with nuclear cleaning and partial traceability
• 1451: Special design for VVERs
• 1151-S: Smart transmitters

3.2 Electromechanical limit value switches

The systematic replacement of the originally installed electromechanical limit value monitors is carried out in the NPP and - at present - almost 600 new, fully electronic limit value switches (H&B INDICOMP) are installed in the four units.

3.3 Recorders

A systematic replacement of the obsolete Russian made recorders has been launched at the power plant. To date, 74 recorders have been replaced altogether in the four units. The new devices provide some practical services like event controlled recording. The project is to be continued in the next years.

3.4 Turbo-generator vibration and shaft displacement measurements

The vibration and shaft displacement of the turbo-generator sets were refurbished with Philips systems. Presently 3 turbines have the new bearing vibration monitoring and 5 turbines have the new shaft displacement measurement loops.

4. SYSTEM LEVEL I&C RECONSTRUCTION AND IMPROVEMENT

During the past few years the power plant continued the modernisation and improvement of several systems in the I&C fields. The most significant of them is the reactor protection system refurbishment. In addition, the core monitoring system has been further improved and the entire replacement of the turbine control systems is ongoing. A continuous chemical sampling and on-line water chemistry monitoring system is being installed too.

4.1 Reactor protection system (RPS) refurbishment

After thorough internal examinations and evaluations, an invitation to bid on refurbishing the RPS was issued in 1993. After evaluation, the two best of the several bidders were selected to perform a detailed specification phase. This phase has just been closed and a precise customer specification is now complete. The project consists of more than a direct replacement of the old system: it integrates some presently separate safety and safety-related functions into one three-channel integrated digital safety system. The project also intends to evaluate and execute some functional developments to the system in order to comply with international standards and Western safety requirements.

Since it is the explicit intention of the NPP to switch to purely digital equipment without any conventional backup, the licensing aspects are highlighted. The NPP's approach is to conduct a so-called up-front licensing procedure, which requires very close co-operation with the national authority. The main idea is to involve the experts of the authority in the preparation of the different documents as early as possible, in order to reach two goals at the same time:

• To make it possible to introduce the specific authority requirements directly into the documents before the application.
• To assure an effective introduction phase for the authority experts, and thereby make it possible for them to consult on the controversial points and to shorten the time necessary for approval and issuing of the licensing documents.

4.2 Turbine control system replacement

The goal of this project is to establish the capability of participating in the countrywide primary frequency control, which in turn will make it possible for Hungary to join the European supply system. Under this project Unit 4 was equipped with a state of the art digital turbine controller last year. Based on the acceptable first year of operational experience, the remaining units are going to be furnished with the same equipment, one unit per year from now on.

The equipment DIGIREC 920 is supplied by CEGELEC, the design change is prepared by the Hungarian design company EROTERV and the system is installed also by Hungarian firms.

4.3 Further developments of the in-core monitoring system

The new features of the system included a number of options making the work of the reactor operators even easier and more comfortable. Such options were:

• extension of database handling and information display to groups of measured input data
• inclusion of new core maps, such as the number of available SPNDs or outlet temperature measurements around the assemblies
• visualisation of the raw SPND measurements
• visualisation of the control rod positions and their calibration with the aid of fine position measurements
• further convenience in displaying and defining trend curves

Version 2.0 of the VERONA-U system was installed in Unit 3 in August 1994, and is in continuous operation ever since.

Development of Version 3.0, aimed at Unit 1, has recently been finished. Among many other new features, the main novelty of this version is the inclusion of a strategy planning module called TRANS. The algorithms for determining the interventions (control rod movements and changes of boric acid concentration) necessary to reach a given state from the actual one have been developed by the plant physicists and refined at the Atomic Energy Research Institute.

4.4 Replacement of the unit information computer and data acquisition system

Units 1 and 2 were furnished with M60 type, Russian made data acquisition systems, constructed from relay-switched input multiplexers and low-integration semiconductor elements. The electronic components had become obsolete by the 1990s, and operation and repair work required considerable resources. A decision to replace the whole data acquisition system was made in 1990. The refurbishment was carried out during the annual outages in 1991 and 1992. The new, specially designed Hungarian microprocessor-based systems have been in operation without any problems since then.

The original electro-mechanical display system in the main control room of Unit 1 was replaced at the very early phase of unit operation in 1985. The new system was microprocessor based with completely new CRT displays. The Unit 2 information system was put in operation already with this new display equipment. Both systems are still in operation, and they will be replaced together with the unit computers in the near future.

4.5 Installation of an on-line water chemistry monitoring system

Replacing a former, manually operated sampling system, a new PLC controlled automatic system has been installed with the following main purposes:

• To reduce personal irradiation dose

• To provide continuous, on-line sampling in place of the old, periodically taken, manual method

The system can be divided into three main parts:

• Sampling points inside containment
• Sampling points in the turbine hall
• Processing and displaying system

The samples are taken and routed to the sensors by an automatic, PLC controlled sequencer using a manifold valve selector system in the primary circuit. The total cycle time is 30 minutes. In the turbine hall the circuits have individual sensors. The total number of sampling points is about 100 in each unit. The system was installed in Units 2 to 4 in the past years and is going to be installed in Unit 1 next year. The PLC system consists of 9 SIEMENS made controllers for the whole power plant. It also provides display features at all locations of the plant via a local area network.

4.6 Radiation monitoring information system

The original monitoring system was equipped with individual displays and very simple, non-processed information services. A new, Hungarian information system was connected to the original Russian SEJVAL equipment to extend the displaying abilities and to provide information at a significantly improved processing level.

5. FUTURE TASKS

The power plant intends to continue the modernisation steps with no delay. The planning strategy for the project can be summarised as follows:

• Categorisation and revision of control room monitoring and control functions, establishing technological functional groups.
• Evaluation of control functions not directly related to control rooms or other man-machine interfaces. Review of individual control loops and systems from the aspect of long-term suitability (operability, maintainability, availability).
• Based on the above aspects, identification and categorisation of I&C equipment proposed for upgrading and reconstruction. These categories may be:
  * Equipment level modernisation
  * System level modernisation
  * Application of individual I&C systems
  * Extension of functions of the unit information computers
• Prioritisation of the above realisation categories, identification of related items, elaboration of schedules for the design and implementation phases. Harmonisation of the different items with other safety enhancement measures.

Specific tasks:

5.1 Realisation of the results of the AGNES (Advanced, General and New Evaluation of Safety) project

A comprehensive safety evaluation of the whole NPP was performed from 1992 to 1994. Not only did this project evaluate the current state of the NPP, but made suggestions for safety enhancements and established priorities between the different upgrading measures as well. The outcome of this project is a well established basis for planning the future I&C and process upgrading activities.

5.2 Accomplishment of the reactor protection system replacement

This major task comprises several sub-tasks and related items, such as:

• Main I&C safety system modernisation
• Justification and safety establishment of the functional modification and upgrade in the reactor protection system.
• Modernisation of related systems whose improvement is practical within the framework of the main project
• Hardware and software modernisation of the training simulator, and its upgrading to support verification of the functional modifications and operating procedures aimed at the safety systems in the real units.

5.3 Replacement of the existing process information computers

This work shall be performed in close co-operation with the reactor protection system replacement and shall be scheduled in agreement with that. It will include the replacement of the obsolete Russian SM-2 machines in Units 1 and 2, and also the modernisation of the Hungarian made computers in Units 3 and 4.

5.4 Accident range gamma dose rate measurements inside containment

To have information on the gamma dose rate inside containment under accident conditions, the power plant has decided to install monitoring loops, one in each containment. The project is in the preparation phase at the moment. The high range detectors are supplied by PRO\- *4CE in France and installation is anticipated in 1996.

5.5 Other tasks:

• A comprehensive examination, evaluation, and revision of the monitoring and control functions currently realised in the main control rooms. Realisation of new functional groups.

• Harmonisation of equipment level replacement and I&C safety system upgrade.

• Seismic reinforcement of I&C components

• Qualification of I&C equipment and cables inside containment for LOCA conditions

• Improvement of the refuelling neutron monitoring system

MODERNIZATION OF THE CONTROL AND INSTRUMENTATION IN THE TVO BWR POWER PLANT

Lars-Erik Hall, Manager, Control and Instrumentation
Teollisuuden Voima Oy
FIN-27160 Olkiluoto, Finland

ABSTRACT

Teollisuuden Voima Oy, (TVO, Industrial Power Company Ltd) operates two identical 735 MWe BWR power plant units in Olkiluoto at the west coast of Finland. The units were delivered by ABB Atom and they have been in successful operation since 1978 and 1980, respectively. The units are of modern design with internal recirculation pumps with wet, thyristor controlled motors, fine motion control rod drive equipment, physically and electrically segregated four channel safety and control and instrumentation systems and advanced plant process computers.

In the years since, the equipment in the units has been improved or replaced based on operating experience. These modifications have always been done in both units, as there is a strong incentive to keep the units identical. Some of these replacements in the mechanical area have been quite extensive. The improvements regarding the control and instrumentation have generally consisted of minor items such as modifications of control logic or additions of new measurements of plant variables of interest. The replacements have basically been made at component level, due to deficiencies in function, obsolescence or lack of spare parts. However, the plant process computers and core calculation computers have already been replaced twice.

Now a major plant modernization initiative has been taken. This initiative contains projects regarding mechanical and process systems as well as electrical and control and instrumentation systems. The aim of the projects is to review the safety features of the plant and increase the safety if feasible to fulfill present and foreseeable requirements, to improve the production capacity and to find factors, which may limit the plant life time and to eliminate them if reasonable.

The modernization of the control and instrumentation systems in the years to come is a demanding and stimulating challenge. To be able to guarantee a safe, reliable and economical operation of the plant in the long run, it is considered, that all the original C&I of the plants shall be replaced at least once. The strategy for the modernization in general and for the modernization of the C&I is highlighted. The ongoing modernization projects and their background are described.

1. INTRODUCTION

Teollisuuden Voima Oy, (TVO, Industrial Power Company Ltd) operates two identical 735 MWe BWR power plant units in Olkiluoto at the west coast of Finland. The units were delivered by ABB Atom and they have been in successful operation since 1978 and 1980, respectively. The company TVO is mainly owned by big private companies in Finland and was founded to build and operate major base load power plants. At present the company is owning and operating the two units in Olkiluoto and participating with a 45 % share in a brand new 560 MWe coal fired power plant called Meri-Pori (name of the location of the plant). This plant is operated by the company IVO (State Power Board) and TVO receives a portion of the electricity produced corresponding to its share. TVO is not a profit making company, but the electricity is supplied at cost to the owners of the company.

The safe, reliable and economical operation has been considered to be of great importance in order to receive full approval, acceptance and support from the authorities supervising the operation, from the general public and from the owners and users of the electricity produced by the units. TVO is strongly committed to continuous attention to preserving and improving the present level of safety, reliability and economy of the operation and to maintaining the units in modern and mint condition. This challenging commitment is seen as the best guarantee for a successful future for the company and its owners. The challenge is best met with a technically optimized and smoothly operating plant. To support the preservation and improvement of the safety, reliability and economy of the operation, a well trained, motivated and dedicated staff is of utmost importance. To give the staff a fair opportunity to meet the challenge they need, in addition to a technically advanced plant, support from excellent operating and maintenance procedures, technical documentation and training. In addition, the support from the international nuclear community and from competent vendors in the nuclear field shall not be forgotten.

The practical experience of the operation and maintenance of the units has been very good. The aims for safe, reliable and economical operation have been fulfilled. To take a simple measure, the capacity factors for the units have been well above 90 % during the last 10 years of operation, and the lifetime capacity factors until June 1995 are 85.5 % for TVO I and 84.5 % for TVO II. The number of plant disturbances during operation has also been reasonably low, and no common factor causing disturbances has been discerned. However, an item in the safety culture strongly endorsed by the management is that the staff shall never adopt an attitude of complacency.

As the electricity produced by the units is of essential importance for the owners of the company, there is a strong incentive to keep the refueling outages as short as reasonable. TVO has adopted an outage planning philosophy based on alternating refueling outages and service and refueling outages (refueling is done in May, when hydroelectric power is abundant in the Nordic countries). According to the adopted plan, every second refueling outage includes refueling and mandatory inspections and services only. The aim is to perform this outage in about 10 days breaker to breaker time (10 days, 4 1/2 hours in 1995 in TVO I). All major inspections, services, tests and modifications shall be concentrated in the service and refueling outage in the year between the "pure" refueling outages. The length of this outage is about 2 to 3 weeks breaker to breaker time (13 days, 4 hours in 1995 in TVO II).

During the years of operation the company has paid very strong attention to maintenance and modifications to assure the safe, reliable and economical operation of the plant in the long run. TVO is committed to a philosophy which says that the units shall be kept modern and in mint condition through continuous maintenance and modifications. To fulfill this goal there is an active and continuous follow-up of the aging of plant components, equipment and systems. The experience of the operation is collected and analyzed, and combined and compared with the experience from similar power plants or from the use of the corresponding component or equipment elsewhere. Special attention is focused on equipment and systems which may be a threat to the safe, reliable and economical operation or may limit the lifetime expectancy of the plant units. Based on the findings of the work done and on the experience of the expert engineers in the organization, decisions are made on the modifications needed.

To fulfill the commitment to keep the plant units in modern and mint condition it is considered, that the control and instrumentation of the plant shall be totally replaced at least once. The needs for replacement in the C&I area are considered strong, as the general development in this field has been extremely fast and impressive and brought the "digital revolution", which potentially brings major improvements and additional functionality to the operation. In the following the general principles for the replacements and the technical solutions shall be discussed.

2. THE C/I DEVELOPMENT DURING THE YEARS OF OPERATION

The basic design of the TVO power plant units in Olkiluoto can still be considered up to date. Remarkable design features are internal recirculation pumps with wet, thyristor controlled motors, fine motion control rod drive equipment, physically and electrically isolated and segregated four channel safety and control and instrumentation systems, and advanced plant process computers. The containment is of a prestressed concrete type, and equipment and systems have been backfitted to mitigate severe accidents (among other means and measures: containment water filling, filtered venting and instrumentation for severe accidents).

The original design of the C/I of the units was done in the middle of the 70's and was based on the experience from similar nuclear units supplied by ABB Atom. The design of the general C&I systems is based on traditional, hard-wired electronic equipment. The central part of the reactor protection system (RPS) is built with relay logic and implements a two out of four voting in the protection functions. However, the signals provided to the central part of the RPS are processed with electronics and also the actuation of the engineered safeguard systems is accomplished by electronic control units. The realization of the C&I systems including all equipment in the central control room is based on a very high degree of standardization.

The units are operated from separate, identical control rooms. The level of automation is rather high and basically all operations which are needed during operation and periodical testing, as well as the operations during start-up and shut-down, can be performed from the central control room. The 30 min rule has been applied as an original design requirement. The components and equipment in the reactor area are operated by individual controls, but in the turbine area group controls and an upper level turbine plant control system are provided. The plant process computer has an important role as a system for the neutron flux measurement display, the presentation of the in-core fuel management calculations and for the control rod position supervision and maneuvering, as well as for the TVO-SPDS application. The control rods are maneuvered with the help of the plant process computer according to a precalculated sequence in an open loop control mode. The plant process computer obviously also includes more "traditional" process computer applications to support the operators in the process supervision and disturbance analysis.

During the years of operation TVO has modified and replaced C&I systems in many different plant areas in different applications. This development has been concentrated on component or equipment level and has contained rather minor enhancements of the functionality of the systems. The reasons for the development in general and for C&I systems in particular are:

- new explicit or implicit requirements by the authority
- elimination of a potential source of disturbances
- need for enhancement of the functionality
- maintenance related reasons
- obsolescence and difficulties in spare part procurement

Important boundary conditions in the development of the plant systems are, that the new solutions are accepted by the authority, are based on a proven design, are technically fit and standardized well enough to be integrated with the old systems and last, but not least, that they are economically justifiable during their lifetime. The evaluation of the economy includes considerations, that the new equipment and systems can be installed and commissioned during the short service outages mentioned above.

The initial component or equipment replacement phase in the life-cycle of a nuclear power plant can be considered to be the very first phase of plant development. In the development of the TVO power plant units the following general categories can be discerned:

- minor functional modifications of individual control circuits to enhance the safety and improve or increase the functionality
- single C&I component or equipment replacements due to maintenance problems, obsolescence or lack of functionality
- introduction of an advanced feed water control strategy for low power operation by utilizing a general programmable control system
- plant process computer and core calculation computer replacements (at present the third generation is in operation)
- introduction of the TVO-SPDS plant process computer based function
- introduction of new process interface equipment for the plant process computer
- introduction of advanced data acquisition systems for environmental surveillance (meteorological data, radiation data)
- systematic replacement of components with a potential susceptibility to common cause failure due to aging (relays, push buttons, temperature switches, batteries, power supplies, etc.)

In addition to the modifications and replacement activities mentioned above, totally new plant processes, such as the system to mitigate severe accidents, have been equipped with relevant C&I systems. The staff has also gained experience in the development of new C&I systems during the design, implementation and commissioning of the on-site interim storage for spent fuel, the final repository for low and intermediate level waste and the full scope replica training simulator, which are all located on the Olkiluoto site and operated by TVO.

3. THE MODERNIZATION INITIATIVE

In the different fields of engineering, discussions regarding more substantial plant modifications have been going on more or less continuously. The discussions gained momentum as the plans for a new nuclear power plant did not get approval by the Finnish Parliament in the autumn of 1993. TVO was until this decision actively pursuing the possibility to build a new power plant. In 1994 TVO decided to collect different plant development needs into a modernization initiative, which consists of projects regarding mechanical and process systems as well as electrical and control and instrumentation systems. The aim of the modernization initiative and the particular projects is to review the safety features of the plant and increase the safety if feasible to fulfill present and foreseeable safety requirements, to improve the production capacity and to find factors which may limit the plant lifetime and to eliminate them if reasonable. The modernization projects can be divided into research and development projects and plant modification projects. The essential parts of the projects shall be finished in 1998. At this time the operation permit for the units shall be renewed according to the legal requirements for the operation of nuclear power plants in Finland.

The major project to enhance the safety of the plant already in progress is the modification to add two fast opening safety valves for reactor overpressure protection. These new valves are of a different type compared to the original valves and are thus providing diversity in the protection as well as increased overpressure protection and blowdown capacity. The new valves will be equipped with relevant C&I systems. The new valves shall be installed in the service outages in 1996 and 1997.

The potential for improving the production capacity can be realized by

- reduction of the number of operational disturbances
- reduction of the length of time consuming activities on the critical path of the refueling outages
- improvement of the thermal efficiency
- reactor uprating within acceptable margins

The role of C&I modernization in the first two categories of actions is substantial. The last two categories contain modernization of mechanical equipment (replacement of the low pressure turbines, the feed water heat exchangers, the steam separators, new fuel types etc.) and of electrical equipment (main generator, which has been replaced in TVO II in 1994 and shall be replaced in TVO I in 1996, replacement of the main generator breaker, the main transformer, the recirculation pump motor drive equipment etc.). However, all the latter modifications certainly also have an impact in reducing the risk for operational disturbances due to the aging of the original equipment.

The integrated production over the lifetime of a plant unit is also very essential for the total economy of the plant. The replacement projects mentioned above have a long term aim to eliminate factors which may limit the plant lifetime. As a part of the research and development activities tied to the modernization initiative, investigations are made to find other factors which may limit the plant lifetime and to eliminate them if reasonable.

The modernization initiative will have a major impact on the development of the C&I systems. The projects included in the modernization consist of extensive system level replacement projects. The systems involved are very essential in the operation, but are of an autonomous nature compared to the basic and general control and instrumentation of the plant. It is considered that in the years to come, now within the framework of the modernization projects, and later as separate projects, all the autonomous control and instrumentation systems shall be replaced in about a 10 year time period. Going back to the previously presented thoughts about the phases in the life-cycle of a nuclear power plant, this development can be considered to be the second phase of the plant C&I development.

4. THE C/I MODERNIZATION PROJECTS

Given as a boundary condition that there is a need to replace all the C&I systems at least once, the question is which the proper order of replacement is, as many systems cannot be replaced in the same service outage. Additional boundary conditions are that the replacement shall be done before the function of the system gets unreliable (end of the bathtub curve) and within the short time frame of the service outages. The last requirement puts a very heavy demand on the detailed planning of the replacement projects and also has an influence on the chosen technical solutions. To fulfill the requirement on short installation and commissioning times during the outages, the structure and the technical solutions of the C&I modernization projects must be carefully analyzed. The decision about the order of the replacement projects shall be made based on the experience from the operation, but as an important complement engineering judgment shall be applied. Considering the consequences of a wrong decision (too early, too late), the cost of a too early replacement may be small compared to the drawbacks of starting the replacement activities too late.

The C/I system replacement projects initiated at the moment, as a part of the modernization initiative, are described in more detail below. The basic common goal for these projects is to reduce the plant unit potential susceptibility to disturbances.

4.1 The modernization of the turbine protection and control system

The modernization of the turbine protection and control system shall be realized in TVO I in 1996 and in TVO II in 1997. The present two channel protection system, which is based on a combination of hydraulic protection devices and electric protection switches, is replaced by a three channel fully electronic system based on programmable technology. The present one out of two voting is replaced by a two out of three voting principle. To make this possible, most of the signals in the turbine protection are augmented with a third redundant signal channel. The aim of the project is to improve the reliability regarding the trip function and the disturbance tolerance against spurious trips and to replace obsolete components which are difficult to maintain.
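The voting principles referred to in this paper, two out of four in the reactor protection system (section 2) and the change from one out of two to two out of three in the turbine protection described above, can be made concrete with a small k-out-of-n voter and the probability trade-off behind it. The Python block below is an added example written for this edited version; it is not code from the TVO paper, from ABB Atom or from any vendor. It assumes that each redundant channel delivers a boolean "trip demanded" signal and that channel failures are independent; the per-channel failure probabilities it uses are constructed sample values, not plant data.

```python
"""k-out-of-n voting for a protection (trip) function.

Added illustration, not TVO's, ABB Atom's or any vendor's own logic. It
assumes each redundant channel delivers a boolean "trip demanded" signal
and that channel failures are independent. The per-channel probabilities
used in compare_architectures() are constructed sample values.
"""
from math import comb


def vote(channel_trips, k):
    """k-out-of-n voter: trip when at least k of the n channel signals demand it."""
    n = len(channel_trips)
    if not 1 <= k <= n:
        raise ValueError("k must lie between 1 and the number of channels")
    return sum(1 for demanded in channel_trips if demanded) >= k


def at_least_k_of_n(p, k, n):
    """P(at least k of n independent events occur), each with probability p."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k, n + 1))


def spurious_trip_probability(p_spurious, k, n):
    """The system trips with no real demand: at least k channels must fail 'high'."""
    return at_least_k_of_n(p_spurious, k, n)


def failure_to_trip_probability(p_dangerous, k, n):
    """The system misses a real demand: fewer than k channels assert the trip,
    i.e. at least n-k+1 channels have failed 'low' (dangerously)."""
    return at_least_k_of_n(p_dangerous, n - k + 1, n)


def compare_architectures(p_spurious=0.01, p_dangerous=0.01):
    """Spurious-trip and failure-to-trip probabilities for 1oo2, 2oo3 and 2oo4.

    The default probabilities are constructed sample values chosen only to
    make the trade-off visible; real channels have their own spurious and
    dangerous failure rates.
    """
    results = {}
    for name, k, n in (("1oo2", 1, 2), ("2oo3", 2, 3), ("2oo4", 2, 4)):
        results[name] = {
            "spurious_trip": spurious_trip_probability(p_spurious, k, n),
            "failure_to_trip": failure_to_trip_probability(p_dangerous, k, n),
        }
    return results


if __name__ == "__main__":
    # Two of three channels demand a trip: a 2oo3 voter trips.
    print(vote([True, False, True], 2))
    for name, probs in compare_architectures().items():
        print(f"{name}: spurious trip {probs['spurious_trip']:.3e}, "
              f"failure to trip {probs['failure_to_trip']:.3e}")
```

With the sample value of 1 % per channel, the one out of two arrangement trips spuriously with probability about 2 p (one failed channel is enough), whereas two out of three needs two coincident failures and brings this down to about 3 p squared; the failure-to-trip probability stays of order p squared in both cases. This is the quantitative side of the "disturbance tolerance against spurious trips" the project aims at; the trip reliability itself is carried by the added third channel and the electronic implementation rather than by the voting rule alone.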

The single channel electronic and hydraulic turbine speed, load and reactor pressure controller is also replaced by a three channel programmable system with individual electronic control valve position control. This will basically eliminate the probability of a reactor trip due to a single failure in the pressure control function.

The human system interface in the central control room is based on workstation technology. The workstation is basically utilized for system supervision only, but control functions related to the start up or shut down of the plant are performed from this new system, as well as operations and reporting of the turbine valve testing during power operation.

4.2 The modernization of the reactor service bridge

The modernization of the reactor service bridge shall be realized in TVO I in the end of 1996 and in TVO II in the end of 1997 and for obvious reasons in the time between refueling outages, as the main use of this system is during the outages. The project is concentrated on a replacement of the old relay based C&I and thyristor based DC motor control. A major upgrade and enhancement of the control logic and protection functions is also included. The aim of the project is to reduce the risks for disturbances in the refueling activities and to increase the speed of the refueling.

4.3 The modernization of the neutron flux measuring system

The modernization of the neutron flux measuring system shall be realized in several phases starting during the outages in 1996 and ending in 1998. In this project the present redundant (four redundancies) separate source range and intermediate range systems are replaced with a new wide range system covering the whole corresponding measurement range. This replacement includes the detectors, which are replaced by new LOCA and post-LOCA qualified, retractable detectors. The total number of detectors shall be increased from the present four to eight. The electronics for the PRM system is also replaced. The aim of these replacements is to improve the supervision of the core and to replace old traditional electronics and detectors with modern equipment.

4.4 The development of the central control room

The development of the central control room has been done as a continuous process during the years of operation. The modifications have consisted of rearrangements and additions of meters, displays and alarms and improvements in the control room ergonomics based on the operation experience. The replacement of the plant process computer systems has also had an influence on the human system interface in the central control room, as well as new computer based functions such as the TVO-SPDS.

The present development plan contains a continuation of these control room modifications. The intention is to increase the role of the plant process computer in the plant process surveillance and disturbance analysis by replacing traditional pen recorders, temperature displays and alarms and general low priority alarms with functions realized in the plant process computer. The C&I modernization projects mentioned earlier will also have an impact on the control room and the operating routines.

The aims of the control room development project are to

- improve the work environment by development of the present control room equipment and to make possible a stepwise smooth transition to the use of new C&I systems
- enhance the quality of the information provided by developing the access and presentation of plant process data and including diagnostic aids
- introduce new ways of control in connection with the C&I modernization projects
- make the information access easier by concentrating the information to the primary operation area of the control room ("backpanel elimination")
- integrate new human system interfaces smoothly into the control room environment
- develop in the long run the hierarchical presentation of the information in the control room with the aim to enhance the possibilities for the operators to concentrate on the essential activities during operation, disturbances and accidents
- preserve the high degree of standardisation in the presentation of information and operation of the plant systems

4.5 The development of the reactor water level measuring system

The development of the reactor water level measuring system has been included in the modernization initiative because of the international attention paid to the potential problems with gas dissolved in the water of the reference legs of level measuring systems based on differential pressure measurements. This gas might cause a measurement error in an accident scenario with a fast depressurization of the reactor pressure vessel. At present the focus is on research and development and a follow up of the international development in this field. The decision about plant modifications, if needed, will be made later.

4.6 The modernization of the training simulator

The modernization of the training simulator is a project which can be divided into two parts: the replacement of the simulation computer system with a state of the art system, and the implementation of all the plant modifications included in the modernization initiative. The former is a prerequisite for the latter. The implementation of this project is still in a phase of preliminary planning.

5. CONCLUSIONS

The safe, reliable and economical operation of the TVO nuclear units has always been the primary goal for the company and the staff. To reach this goal a philosophy of continuous plant modifications to keep them in modern and mint condition has been adopted. The philosophy has proved successful during the years passed, as the plant operation record and operational results of the company have been very satisfactory. Now the planned research and development and plant modification activities have been assembled into a plant modification initiative. Major control and instrumentation replacements are included in this modernization, as they are considered to be important to make a disturbance free operation possible in the long run. The replacements shall be realized with modern programmable systems and include functional enhancements and modernization of the human system interface in the central control room.

It is considered, that in the years to come all the C&I of the units shall be replaced at least once in a stepwise order. The order and realization of these replacements has to be planned very carefully to make possible an installation and commissioning during the short service outages. The first phase of this total C&I modernization has been started during the years of operation by replacing single components and equipment. The second phase, which includes replacement of autonomous plant C&I systems, is initiated by the replacement projects in the plant modernization initiative, and will be completed as a whole in a time frame of about 10 years. The third phase of plant C&I modernization includes the replacement of the general and central turbine area and reactor area C&I systems. The implementation of this phase has been considered only in very general terms, as these modernization projects are to be initiated in a rather distant future.

The presented short and long term strategy shall make possible a smooth and continuous development of the C&I systems to guarantee a safe, reliable and economical operation in the long run. The project implementation and technical solutions chosen shall be based on the company's own accumulated experience, but also on feedback from the nuclear community and on the experience of competent vendors in the nuclear field.

Joint IEC - IAEA report on possible Control and Instrumentation improvements for RBMK reactors.

D N Wall, UK, F Reisch, Sweden & A Kossilov, IAEA

The safety of the RBMK, water cooled, graphite moderated pressure tube reactors has been in question since the Chernobyl accident. Visitors to the plant had identified a number of deficiencies with the plant, and the control and instrumentation systems, like those of the VVER pressurised water reactors, have attracted considerable attention. These deficiencies have been investigated by the IAEA and CEC as part of the international effort to assist in safety improvements to the plant. The results of these exercises have been reported, for example in the CEC review of RBMK safety (NEI, October 1994). During the course of these exercises work has gone on to achieve a number of practical and significant improvements to plant safety. However, quite major incidents continue to occur; some of these have arisen from problems with, or because of deficiencies in, the instrumentation, control and safety systems.

The generator fire in 1992 at the Chernobyl 2 plant occurred because of limitations in the means available to disconnect the turbogenerator from the grid. The incident arose when the breaker closed and the turbogenerator, which was effectively idle, was connected to the grid. Connection should only have occurred once two contactors on the supply side of the coils were closed. However, the cables ran in the same trench and became wet, allowing a short to develop and energise the coils, closing the breakers. Subsequently the automatic systems acted but were not effective; consequently disconnection was only achieved when substation breakers many kilometres from the plant opened. By this time the large currents and associated electromagnetic forces had destroyed the generator and a fire had started.

During the operating life of the RBMK reactors there have been three incidents in which a local mismatch between the power and flow has occurred that has led to the loss of effective cooling. In every case there has been severe damage to the fuel in at least one channel and fuel channel rupture has occurred allowing a release of radiation. The three incidents are:

Leningrad NPP (LNPP) Unit 1 in 1975; Chernobyl NPP (CHNPP) Unit 1 in 1982; Leningrad NPP (LNPP) Unit 3 in 1992.

The initiators of the three incidents differ quite significantly ranging from flow starvation to local over power. In all three cases the incident was only detected following fuel and channel failure and radiation release. The instrumentation and protection systems were deficient as they failed to detect the incident and protect the fuel locally, indeed because of the lack of sound instrumentation the wrong reactor was shut down in one incident.

It was against this background that in January 1992 some of the members of working group A5 of the International Electrotechnical Commission (IEC) technical committee 45 sub-committee 45A made a proposal to take action to help improve RBMK safety. This proposal was subsequently adopted by the IEC and work commenced in 1993. The IEC requested support from the IAEA, who were, and continue to be, very active in this area. The IAEA provided both technical and financial support, notably involving experts in RBMK Instrumentation and Control. The basis of the work therefore included the results presented in IAEA TECDOC-694 and TECDOC-722, as well as the reports from the CEC review of the RBMK, NEI October 1994. The intent was originally to produce a standard for the RBMK along the lines of those that have been produced for other reactor types; this was however only considered possible following the development of a technical report identifying the key issues and possible solutions. The objective of the report was to identify, using material published and reported by the IAEA and others, problem areas relating to the safe operation of the RBMK reactors and to make recommendations for work to improve the safety of the reactors. The first objective was to identify the problems and a limited number of physical measures that can be introduced to bring immediate benefit. A second objective was to place both the problems and the measures in the context of the international standards framework provided by the IAEA and the IEC.

It was agreed that effort must concentrate on identifying the improvements that were thought to be technically and financially viable for implementation in the short term so as to enhance the safety and availability of the RBMK plant. Such measures clearly could not be comprehensive and must be completed without the benefit of a full safety review, an exceptional but appropriate step for the RBMK.

The following topics were identified for consideration by the working group and have been included in the document:

- The unit computer systems provide a lot of information required for plant protection through operator action and for plant operation. The systems need to be upgraded to combat ageing and obsolescence and to improve the quality of information and the man-machine interface.
- The introduction of a diverse means of stopping the nuclear reaction and shutting down the reactor under normal and upset conditions.
- Examination of the problem of the provision of channel cooling. In particular the provision of supervision and channel protection that might be effective in the prevention of fuel and channel failure in the event of loss of flow.
- Automatic power control, to maintain the reactor at its required power and provide control of the instabilities identified above and defence against equipment failures.
- Leakage detection from the primary circuit.
- The stability characteristics of the core need to be identified in relation to the different types of power and flow instability. This includes feedback effects due to Xenon, moderator temperature and coolant voiding.
- Monitoring and protection during reactor start up to improve the equipment practices and procedures and so enhance safety.
- Hydrogen monitoring.

The list above is not a complete list of safety issues for the RBMK, nor were the items identified on a systematic basis, but they were selected by the EEC and Russian experts as considered to be appropriate to the activities of the IEC and for which technical experience was available in the working group. The items identified therefore do not reflect any ranking of the safety issues or any priority or impact on safety of any of the measures were they to be implemented. There are some very significant items missing from the list; these include the much needed improvements to the control and protection systems, particularly of the earlier stations, and possible improvements to temperature monitoring and early detection of the failure of the primary pressure boundary in both the core region and around the pressure circuit, fire protection, or activity and radiation contamination and release monitoring. The work of IEC SC45B Radiation Protection is referenced in the context of the latter items.

The working group concentrated on I&C matters; however, two subjects were included in the scope of work although they are generally not considered as central issues of I&C. The first one deals with the addition of a diverse shut down system including the absorber mechanism, which is important to the reactor safety. The second subject is hydrogen monitoring and the installation of a system which should provide detailed information about the dangerous H2 concentration in key areas of the plant.

The data processing system and information presentation systems are used for important measurements and should be upgraded or replaced. The new equipment should be capable of handling and processing the information faster than the existing system and have the means of presenting the critical information to the operator in an easily understandable form. Target performance requirements are indicated in the table below.

The improved computer system with more advanced information processing would also provide the operator with information indicating the approach to the conditions leading to violation of operating conditions or to fuel failures. Improvement to the human-machine interface will further enhance safety, as a higher reliance can be placed on correct operator action. The computer also allows for improved alarms and a Safety Parameter Display System.

The shutdown system is vulnerable to incidents involving loss of water cooling, which would cause a large reactivity insertion. It is essential to improve the means of detecting such incidents to provide protection by rapid reactor shut down. Such protection is provided by direct measurement on the CPS system; however, their reliability could be greatly improved by increased redundancy and additional application of new instruments. It is also suggested that the water inventory of the control and protection channels is reduced, so decreasing the size of the reactivity transient in the event of a loss of coolant.

The current reactor shut down system is based on the use of solid absorber in the form of control rods; it is recommended that diverse means of reactor shut down are introduced. It is suggested that the fast acting shut down system based on gas injection, the main elements of which recently passed trial tests, along with liquid poison injection, are investigated for use on the reactor.

Fuel cooling in the RBMK reactor is by a two phase flow through the circa sixteen hundred individual fuel coolant channels (pressure tubes). In those cases where cooling of the fuel has been lost, significant accidents and radiation releases occurred. It is therefore vital to protect the fuel and prevent the pressure tubes from rupturing, in order to prevent a violation of the limits on the dryout margin coefficient. It was concluded that additional flowmeters will be needed if single channel protection is to be achieved. A number of additional ways of monitoring the coolant flow have been identified and it is recommended that these are further investigated and one selected for immediate implementation on all RBMK reactors.

Effective control of the three dimensional power distribution in the core is an absolute necessity for reactor safety. It is recommended that measures are taken to reduce the dependence of power distribution control on the operator and to introduce digital automatic systems for control of the spatial power profile and to maintain the rods in their effective range. This system also has to provide a possibility to control power reduction in special conditions.

Leaks have occurred many times in all types of nuclear power plants. Early detection of leakages is essential in order to recognize them as forerunners of possible ruptures with serious consequences. The specifications for an effective leak detection system are described above; this should provide an early indication of a tube break or other failure to enable accident mitigation measures to be employed.

Oscillatory behaviour in RBMK reactors has been observed, as they are, like many other reactor types, subject to oscillatory behaviour of the neutron flux and other parameters. The dynamic behaviour of the reactor core depends mainly on the power level and the control rod configuration. Generally speaking the stability decreases at partial power. It is common practice now at Boiling Water Reactors to evaluate the stability margins during operation; it is recommended that this practice is adopted for the RBMK. The methods used in the west for stability monitoring are identified and it is recommended that these are used to investigate the stability characteristics of the RBMK. It is also recommended to implement the new fast response coolant density measurement method for stability monitoring.

Reactor start up is a sensitive phase of operation and the current arrangements would not appear to be adequate, as there appears to be a significant possibility of human error. A proposal is made for improvements to the arrangement of the start up monitoring equipment to automate the motion of the detectors and introduce accurate means of measuring detector position, or to introduce fixed position detectors capable of monitoring the shut down range. The measures, if adopted, will also reduce the need for staff to be in the reactor hall during start up and place the operator in the control room in charge of all measuring and power raising activities.

Hydrogen produced during operation can accumulate in some of the reactor spaces to reach potentially explosive concentrations. It is suggested that a regime of hydrogen monitoring be established to identify the key areas of the plant. A system for early detection and venting or burn off of the hydrogen can then be introduced.

Table: Target performance requirements for the reactor and UCS functions (function, followed by the required response time).

1. Deviation of the measured power from the set point at incore detector locations. Time: [illegible in source]
2. Automatic transmission of the setpoint values from the computer to the indication system. Time: 5 s
3. Two dimensional neutronic calculations of power distribution for PD reconstruction. Time: <5 s
4. Two dimensional reconstruction of Power Distribution (in X-Y geometry). Time: 5 s
5. Reconstruction of axial flux distribution at the points of axial ICD location. Time: <1 s
6. Three-dimensional neutronic calculations of power distribution (in x-y geometry) for reconstruction of the power distribution. Time: 5 s
7. Reconstruction of three-dimensional power distribution in all fuel assemblies. Time: 5 s
8. Diagnosis of signals from in core detectors, control rod position indicators, flow meters and graphite temperature measurements, results of neutronic calculators. Time: 5 s
9. Calculation and indication of axial offset deviations at the points of axial ICD location. Time: <1 s
10. Automatic check of in core detector insulation resistance. Time: 2 hr
11. Calculation of dryout and graphite temperature margins. Time: 5 s
12. Calculation of the current thermal reliability of the core. Time: 5 s
13. Calculation of the current values and prediction of reactivity coefficients. Time: 5 s
14. Measurement of the shutdown subcriticality margin and the rate of its variation. Time: 5 s
15. Assessment of the error of power distribution reconstruction for each fuel assembly. Time: 5 s
16. Calculation of reactivity margin for inserted control rods in axial ICD locations. Time: 5 s
17. Recommendations for in core detector signals as regards adjusting the set points of preventive protection / scram systems. Time: 5 s
18. Recording of the history and the accident sequence. Time: +
19. Recommendations to reactor operator for power distribution control. Time: 5 s
20. Recording of characteristics of the process quality during the shift. Time: 8 hr
21. Diagnosis of the primary circuit components. Time: +
22. Complex reactor diagnosis based on the readings of existing instrumentation and additional diagnosis systems, with generation of protection signals. Time: 5 s
23. Digital fast-acting scram based on dryout and linear fuel power including [entry truncated in source]

In addition to the technical issues discussed, the working group was able to identify a range of standards that would be applicable to RBMK systems. These standards cover a range of special measurements (e.g. flux) that are made on nuclear power plants, as well as general systems (e.g. control room design) and software standards. The rigorous application of these standards, along with the IAEA safety guides and the existing Russian regulatory and standards framework, should enable new and retrofit systems to meet the high safety requirements expected in nuclear power plant construction and operation.

Modernization of the RBMK NPP's I&C systems in Russia

A.L. Gorelov, M.N. Michailov, Research and Development Institute of Power Engineering (RDIPE/ENTEK), Moscow, Russia

IAEA Specialists' Meeting on "Modernization of Instrumentation and Control Systems in Nuclear Power Plants", Garching, Germany, 4-7 July 1995.

RBMK I&C: NUMBER OF INPUTS/OUTPUTS

                     REACTOR     T-G    TOTAL
ANALOG INPUTS           6000    3000     9000
DISCRETE INPUTS         3500   14500    18000
ANALOG OUTPUTS           130     300      430
DISCRETE OUTPUTS        9000    8500    17500
REGULATORS                 -      85       85

(T-G: turbine-generator side)

MAIN REASONS FOR RBMK I&C MODERNIZATION

SAFETY REQUIREMENTS
> new national standards
> safety-related technological equipment modernization (emergency reactor core cooling at LNPP-1,2)
> international experts' recommendations
  - the main RBMK I&C disadvantages are to be avoided
  - there are a number of lists of proposals and recommendations
> IAEA and IEC rules and regulations

AGING
> the first RBMK units were started up in 1973

REPLACEMENT PARTS DEFICIENCY
> consequences of the disintegration of the USSR
> renewal of production

FUNCTIONAL IMPROVEMENTS
> new algorithms: feed water control, dry-out margin calculations
> man-machine interface improvements
> technological equipment modernization: start-up feed water circuit

SOME IMPROVEMENTS PROPOSED AND PLANNED

EXTRACT FROM:
• new scram signals based on reactivity margin;
• the high reliance of safety functions on operator action should be minimized;
• the data processing computers should be upgraded and better alarms and displays installed.

EXTRACT FROM IAEA-TECDOC-773:
• to reduce the impact of the loss of coolant from the control rod channels on the reactivity;
• to reduce the maximum fuel linear heat rating by flattening the axial power profile;
• to evaluate the margins to fuel assembly dry-out and channel rupture;
• to introduce automatic protection for a single channel;
• to improve the segregation of the channels of the protection system and the segregation of the control and protection system;
• to introduce automatic control of the 3-D power distribution to reduce the heavy dependence on operator actions to ensure plant control and safety.

POSSIBLE WAYS:
• integrated design
• a number of independent solutions
• domestic I&C equipment, western I&C equipment, or both

LIMITATIONS:
• one prolonged maintenance period (1.5 years) per reactor life
• annual maintenance period (1-3 months)
• money

CRITERIA:
• cost/effectiveness
• meeting safety requirements
• integrated design
• step-by-step modernization
• human factors
• reduced need for construction work
• new technology
• possibility of technology transfer to Russia

CURRENT STATE AND PERSPECTIVES

Conceptual decision: 3 variants were analysed:
• domestic equipment;
• domestic equipment for the safety systems, Westinghouse equipment for the normal operation systems;
• Westinghouse equipment.

Organization problems:
• NPPs' programmes
• ROSENERGOATOM programme
• international cooperation
• technical solutions:
  > flow-rate meters for reactor core protection in the case of loss of coolant in an individual channel
  > RCPS (including LORM, LFR, etc.)
  > SKALA
  > SPDS
  > MCR

MAIN FEATURES OF REACTOR CONTROL AND PROTECTION SYSTEMS

Columns of the original table: ORIGINAL DESIGN, MODERNIZED DESIGN, NEW DESIGN (variants N, WEM, N+T). The X marks are reproduced in row order as they survive; their assignment to the individual columns is not recoverable.

1. Integration: X X X X
2. Two independent complete sets: X X X
3. Diversity (designer, manufacturer, etc.): X X X X
4. Second independent reactor shutdown: X X X X
5. Segregation of control and protection circuits: X X X X
6. LORM protection: X •
7. In-core protection: X
8. Common failure proof: X X

REACTOR CONTROL AND PROTECTION SYSTEMS TO BE INSTALLED AT (original, modernized or new design):

LENINGRAD NPP UNIT 1: SEPT. 1995
LENINGRAD NPP UNIT 2: DEC. 1994
LENINGRAD NPP UNIT 3: 1998
LENINGRAD NPP UNIT 4: 1997
KURSK NPP UNIT 1: DEC. 1996
KURSK NPP UNIT 2: DEC. 1997
KURSK NPP UNIT 3: 1999
KURSK NPP UNIT 4: 2000
SMOLENSK NPP UNIT 1: 1999
SMOLENSK NPP UNIT 2: 2001
SMOLENSK NPP UNIT 3: 2002

SKALA SYSTEMS: MAIN CHARACTERISTICS

CHARACTERISTIC                                    SKALA    SKALA-M   SKALA-MICRO
NUMBER OF INPUTS: ANALOG                           7000       7000         7500
                  DISCRETE                         5000       5000         7500
CRT                                                   -         16           23
TIME PERIOD OF MONITORING INDIVIDUAL CHANNEL PARAMETERS:
  WATER FLOW RATE                                  60 s       60 s          5 s
  FUEL CHANNEL INTEGRITY                          150 s       60 s         20 s
  POWER DISTRIBUTION                              1-2 s        1 s          1 s
  CPS-ROD POSITION                                 60 s       60 s          5 s
CALCULATIONS:
  2-D POWER DISTRIBUTION, DRY-OUT MARGIN         10 min    <10 min        2 min
  3-D POWER DISTRIBUTION, LINEAR POWER
    AND DRY-OUT MARGIN                                -        2 h       15 min
  OPERATIVE REACTIVITY MARGIN                     5 min      5 min        2 min

Paper presented at the IAEA Specialists' Meeting on Modernization of Instrumentation and Control Systems in Nuclear Power Plants, Garching, Germany, 4-7 July 1995

MODERNIZATION AND CONTROL ROOM DEVELOPMENT - CURRENT TRENDS AND APPROACHES IN SWEDISH NUCLEAR POWER PLANTS

Gerd Svensson, Swedish Nuclear Power Inspectorate, Department of Man-Technology-Organization, Stockholm, Sweden

Linking plant modifications and control room work

Most Swedish utilities are, in a structured way, investigating and deciding on the preconditions and requirements for plant modernization. Needs are seen to exchange the plant process computer and to renew electrical, control and instrumentation systems because of obsolescence and problems with spare parts and with competence.

During this work there are discussions with the Swedish Nuclear Power Inspectorate (SKI). In these, SKI has asked for information on the handling of future modifications of importance for the operators' work and the control room design. The purpose of the paper is to present the first answers from the utilities, and finally to discuss some aspects of the SKI programme review.

There were several reasons for asking for more information. First, modernization programmes had been presented in which this aspect was not addressed. The character of some projects, however, showed that they were bound to have consequences for the information presentation in the control room and for the operators' tasks. Investigations into the need for a safety analysis system had earlier been discussed with the utilities. It was not known whether this was on the list of prioritized projects.

Second, industry experience and human factors research show that many significant human factors issues arise very early in a plant modification process. The plants were in a process which should result in requirements, guidelines, and principles guiding future single modification projects. Reviewing the results and the activities of that process for human factors aspects seemed to be essential as a basis for the assessment of future single projects. To start with, the human factors review was limited to aspects of importance for control room design and operator work, which does not imply that maintenance related aspects were regarded to be of less importance.

Third, it had been noticed that new equipment was being introduced into the control rooms that had to be operated in different ways, presenting unnecessary problems for the end-users. This was seen to result from a lack of basic human factors principles guiding the separate single projects. Also, there were examples showing how easy it is to forget the real needs and basic principles of control room work when facing vast engineering possibilities and things that are nice to have.

Fourth, the early involvement of future end-users in a dialogue with human factors experts and engineering experts in the investigation process was regarded as essential for assessment of the results from the premodernization programme activities.

Requirements and preconditions related to control room work

The plants realized the need to address these issues explicitly in the preparatory phase of the modernization programme. Efforts are being spent on developing and defining basic principles and requirements to guide future single projects, directly or indirectly affecting control room work or design.

An important step is to investigate the needs for modification from both ends. Descriptions are being made of decided and planned modifications for approximately the next five to ten years. Modifications considered are both those identified from studies of the control room design and operator work and those identified outside the control room which will have an impact on control room work or the human-machine interfaces. It is expected that the reasons for doing the modifications are stated and that some kind of evaluation is made of their potential implications for the control room function.

Experiences from the actual control room and others need to be summed up and evaluated. A documented human factors evaluation of the control room function will be a good basis for its development. All utilities intend to sum up the current situation based upon earlier experiences, positive and negative, of the existing control room design and work in different situations. They also plan to collect the experiences of the instructors from training sessions in the full scale training simulators. The results of earlier reviews and surveys are used. Plants with no documented human factors evaluations of control room design and operator work are seen to be more motivated to do such studies.

Basic requirements and principles of control room work and design are important. A human factors analysis of functions and tasks will give information that can be used in this part. It is essential to cover outages and the handling of disturbances and emergencies as well as ordinary control room monitoring work. All utilities are seen to put much work into this. What is aimed for is sometimes called a Control Room Philosophy or Operational Philosophy, stating requirements on the level of functions and tasks. Important issues being handled are, for example, operator roles, working methods, staffing, information presentation and alarm handling.

Detailed design requirements are needed, including the standards and norms used. This part seems to be well under way or almost completed. The discussions at the utilities for the moment seem to be more related to the status of the document.

Requirements for human factors verification and validation are needed. In this area further discussions are planned with SKI. As a basis for these it is hoped that a seminar can be arranged presenting good practices and lessons learned.

The implementation strategy is a vital part of the modernization programme. In the risk analysis human factors aspects need to be considered, including those related to verification of operability, control room monitoring, and disturbance handling. The requirements and resources needed for training and for human factors verification and validation need to be well understood and presented in the strategy.

How are the requirements developed?

One result of these preparatory activities will be documents describing the requirements. It is vital that they are based on qualified analysis and expertise, and that the experts are given appropriate resources. It is essential that the requirements are accepted by the plant, that is by the staff concerned and by the plant management, who will decide on their use.

The work is mostly done by a team of experts consisting of relevant engineering expertise, control room operators and human factors expertise. The projects are headed by experienced project managers and are regarded as challenging because of the necessity to integrate expertise of different kinds and generations. According to the information given, every plant does the work even if the project is often a common concern for the whole company or corporation. From one of the projects it is known that the control room operators, one from each reactor, are doing full-time project work on temporary leave from ordinary control room work for the project period. This is a good practice for this type of work. Care is taken to let the team members get to know experiences from control rooms of different generations and applications, as well as experiences from plants where major modernizations have been done or are being implemented.

It is not known how maintenance staff are involved, although most projects talk about the need to support maintenance with better information from the control room. It is, however, known that maintenance staff have been involved very early in exchange programmes involving programmable electronics. The exchange is expected to make a major change in their work, and errors made in the maintenance of the new equipment may affect the safety of the system. Apart from more formal training, their participation in all phases of the exchange projects is seen as essential in order to acquire a high level of competence. Their need for off-line equipment for retraining and fault diagnosis has also been met, and of course procedures have been worked out for testing and maintenance before going into operation.

Integration into the modernization programme

In the premodernization activities, similar efforts of course go into establishing the requirements for the modernization of other systems, such as the electrical, instrumentation and control systems. All of these will, however, need to be integrated.

Below is an example of how they are combined in one of the premodernization programmes for a future exchange of electrical and control equipment.

Policy, goals
Programme management and organisation
General requirements (e.g. criteria and norms, electrical classification, control room design, simulator requirements, verification of operability)
General design requirements (e.g. exchange strategy, installation principles, safety review plan, seismic requirements, diversification of control equipment, etc.)
System-related design requirements (e.g. for installation, power, control and control room)

It is very interesting to see the importance given to programme management and organisation. It is seen as a separate and major concern to work out early on. It is expected that it will provide the means by which the several elements are well worked out, coordinated and integrated throughout the process and the process being monitored in that respect.

Programme management and organisation

SKI will be presented the whole modernization programme including its preparatory part. The advantages as well as difficulties of this approach will have to be met.

One advantage, and challenge, is that it will be possible to establish a common review strategy from SKI concentrating on the system used by the utility to control and assess the programme and its parts. The formal system can be reviewed as well as actual practice. Of course SKI will need to decide when and where to do deeper and more detailed reviews. The importance of programme management and organisation applies to SKI as well as to the licensee.

In the discussions on the review strategy of SKI, use will be made of the experience of reviewing an exchange programme for the reactor protection and control systems in one of the newer plants. The SKI review team included experts from different technical areas, quality assurance and human factors. The exchange process was followed from very early on, starting with discussions in the pre-programme activities and continuing through the development of the system.

SKI concentrated on reviewing the procedures, principles, requirements, standards and norms, i.e. the systems used by the power company for getting an approval. Many essential similarities in the approaches of the experts were observed, apart from the common review strategy. The similarities were in some cases real and in others only on the face of it. Compare, for example, the different meanings of the activities of verification and validation for human factors specialists and for software specialists. Pre-review work, where such issues can be discussed, is necessary in a team before embarking on a common programme review.

Session 2:

Upgrading I&C: Regulatory and Qualification Aspects. Chairman: Mr. K. Hamar, Hungary. Summary of Session 2

K. Hamar, Hungary

Today, at the NPPs, the motivation to replace the existing I&C cannot be derived from safety issues alone. New, possibly digital, I&C can be beneficial considering the intended higher reliability, and owing to that higher reliability the I&C can count as a positive factor when the utility and the regulatory organization calculate the expected lifetime of the units.

In the highly industrialized countries the qualification of both the existing and the new I&C systems, including the verification and validation of programmable devices, requires large sums in the budget and a great amount of manpower.

In those countries where the financial conditions are worse or poor, the regulatory bodies have to reckon with a limited budget and manpower; on the other hand, the regulator does not want to bring the technological transition to a halt.

At this conference we look forward to the best examples being presented, especially as regards the regulatory aspects.

CANADA Mr. N. ANANI, Atomic Energy Control Board

The nuclear industry is slower in taking advantage of the technological evolution than other industries. This slower process is due to stricter safety and operational requirements.

The upgrade can be done on a piecemeal basis or as a complete change-out of an obsolescent system. In either case the process can be difficult for reasons of complexity and licensing concerns.

Over the past two decades the Canadian nuclear industry has demonstrated the effective use of digital control systems in the safe operation, and recently the shutdown of nuclear power units. Developed digital technology is considered for use in future CANDU reactors.

Safe, reliable and economic implementation of I&C system upgrades requires a well-defined and clear framework of implementation. This framework will provide a better foundation for the licensing process. The main tasks are:
- define the upgrade requirements
- select a replacement strategy
- define the system boundaries
- assess human factors requirements
- establish sound project management
- assess risk and reliability
- verify and validate software and hardware
- assess system qualification

Qualification of commercial-grade technology on the basis of testing alone is insufficient. A comprehensive evaluation of the manufacturer's methods for developing and implementing software and hardware has to be added.

The licensing process requires a demonstration that adequate analysis has been performed at the various stages of design and implementation. It is not easy to decide when to involve the regulatory body. In general, the licensees have to ensure that all vulnerable areas of the proposed changes are analysed internally before documentation is submitted to the regulatory body. This means that in most cases significant resources and money have been spent to attain a level of confidence before the licensing process commences.

Maintaining a reasonable level of dialogue with the regulatory body during the early phases of an upgrade process will provide a faster means of communicating concerns and ensure that both the licensee and the regulator have gained concurrently similar knowledge and confidence in the proposed technology.

The licensee should take the trouble to elaborate the first versions of guidelines for the above-mentioned tasks; this effort can contribute beneficially to the dialogue with the regulatory body.

GERMANY Mr. L. WEIL Federal Agency for Radiation Protection Mr. G. SCHNÜRER Institute for Safety Technology

Today hard-wired I&C characterizes the German nuclear power plants. Computer technology is installed in some safety-related systems. As can be foreseen, the benefits of computerized I&C lead to a strong interest of the utilities and the industry in introducing this new technology in the NPPs. At the same time there is no guarantee that spare-part manufacturing for the conventional technology will cover the expected operational time of the units.

Recognizing these tendencies, activities have been started in order to adapt and extend the regulatory requirements for safety and safety-related applications of digital I&C on the basis of internationally accepted standards and safety guides, such as IEC 1226, IEC 880 with its supplement, and the IAEA Safety Guides.

The existing nuclear regulations prescribe the reliability requirements, and it is stated that the new I&C systems have to fulfil these requirements regardless of whether they are digital or conventional.

For this reason a detailed quality assurance system has been developed by the vendors, and a nationwide dialogue has been established between the manufacturers and the regulatory organizations and institutions.

In 1994 research activities were initiated to obtain an overview of the regulatory aspects and qualification requirements necessary for licensing computerized I&C. Investigations cover:
- HW and SW configuration
- time scheduling
- I&C qualification
- environmental aspects
- compatibility of old and new I&C.

It is intended to analyze the qualification requirements for backfitting procedures from the regulatory point of view, and backfitting feasibility has to be studied.

The formal rules, standards and guidelines for safety and safety-related I&C still have to be reviewed, including industrial and regulatory standards. The reliability requirements remain consistent with the special features of computer-aided I&C. The software development process is based on the system development life cycle according to IEC 880. The safety categorization scheme of IEC 1226 has been taken into account, to permit graduated qualification in accordance with the safety significance of the given function, system and equipment.

In addition to the aspects of a newly constructed NPP, further safety aspects must be considered in the case of backfitting.

For safety reasons it is favourable to proceed with backfitting in stages. The existing and the upgraded I&C equipment have to be compatible, to avoid unintended interference. A strict definition of the interfaces is required.

The new components have to be resistant to all possible environmental influences, so their robustness is a subject of regulatory inquiry.

For the purpose of systematization, it is intended to assign safety requirements and quality assurance measures to the phases of development, construction, commissioning and operation.

KOREA Mr. T.-K. OH Institute of Nuclear Safety

A scientific method was presented for the evaluation of the ESFAS (engineered safety features actuation system) control system software. The system is realized with microprocessor technology at Yonggwang units 3 and 4. The approach has a solid theoretical foundation, demonstrating the everyday need for applied sciences in the assessment procedures conducted by the utility or the regulatory organization.

The control element of the ESFAS is a single board computer (SBC), which can be taken as a module not only in terms of hardware but also in terms of software. A fairly large program of about three thousand lines of assembly code runs on the SBCs. Hundreds of SBCs are used in the ESFAS.

The test principle is based on the concept of the sequential test. This test method cannot guarantee that the test object is free from failures, but it can demonstrate, with a given probability, that the program has achieved the required level of reliability.

The system is a standby system, dormant in normal operation except during the functional testing periods, which have a three-month cycle in Korea. The safety verification of the software on the hierarchically lower level of the I&C systems is done with a moderate number of test cases by the experts of the NPP operator.

The usual question is how many additional test cases should be run to confirm the specified reliability. The effort one intends to spend is limited by cost and time.

The possibility of a mistaken judgement about the quality of the test object on the basis of test results cannot be eliminated unless the entire input space of the program can be investigated. Testing the entire input space contradicts at least the fact that the time available for the decision is not infinite.

One practised solution and the answers are described in the paper of the lecture.
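The summary above gives only the outline of the sequential test; the paper's actual parameters are not reproduced here. As an added illustration (not the paper's method or code, and not tied to the Yonggwang ESFAS), the Python below shows the two textbook answers to "how many more test cases are needed": the fixed number of failure-free demands that demonstrates a target probability of failure on demand at a given confidence, and Wald's sequential probability ratio test, which stops as soon as the accumulated evidence crosses an accept or reject bound. The acceptable and unacceptable failure probabilities (1e-3 and 1e-2), the risks (5 % each) and the pass/fail test logs are constructed for the example.

```python
import math


def required_failure_free_tests(pfd, confidence):
    """Number of failure-free test demands needed to show, at the given
    confidence, that the probability of failure on demand is at most `pfd`
    (standard zero-failure demonstration bound: (1 - pfd)^n <= 1 - confidence)."""
    if not (0 < pfd < 1) or not (0 < confidence < 1):
        raise ValueError("pfd and confidence must lie in (0, 1)")
    return math.ceil(math.log(1 - confidence) / math.log(1 - pfd))


def sprt(outcomes, p0, p1, alpha, beta):
    """Wald's sequential probability ratio test on a Bernoulli failure
    probability. H0: p = p0 (acceptable); H1: p = p1 > p0 (unacceptable).
    alpha = risk of rejecting acceptable software, beta = risk of accepting
    unacceptable software. `outcomes` yields True (test passed) / False
    (test failed) in the order executed. Returns (decision, tests_used)
    with decision in {"accept", "reject", "continue"}."""
    if not 0 < p0 < p1 < 1:
        raise ValueError("need 0 < p0 < p1 < 1")
    upper = math.log((1 - beta) / alpha)        # crossing it: reject (H1)
    lower = math.log(beta / (1 - alpha))        # crossing it: accept (H0)
    step_pass = math.log((1 - p1) / (1 - p0))   # negative: evidence for H0
    step_fail = math.log(p1 / p0)               # positive: evidence for H1
    llr = 0.0
    n = 0
    for passed in outcomes:
        n += 1
        llr += step_pass if passed else step_fail
        if llr >= upper:
            return "reject", n
        if llr <= lower:
            return "accept", n
    return "continue", n


if __name__ == "__main__":
    # Fixed-sample answer: PFD <= 1e-3 at 95 % confidence, no failure allowed.
    print("failure-free demands needed:", required_failure_free_tests(1e-3, 0.95))

    # Constructed test logs (not real ESFAS test records).
    params = dict(p0=1e-3, p1=1e-2, alpha=0.05, beta=0.05)
    print("all passes:      ", sprt([True] * 400, **params))
    print("one early fail:  ", sprt([i != 9 for i in range(400)], **params))
    print("two early fails: ", sprt([i not in (2, 4) for i in range(400)], **params))
```

With these parameters the SPRT accepts after 326 consecutive passes, far fewer than the 2995 demands of the zero-failure bound, because it is testing p = 1e-3 against a specific alternative p = 1e-2 rather than bounding p outright; a single failure early in the run pushes the accept bound out by several hundred further passes, and two failures within the first five tests reject immediately. Both calculations treat every test demand as independent, which is what the "moderate number of test cases" argument in the summary presupposes.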

THE TRANSITION TO MODERN TECHNOLOGY

Namir Anani, Senior Specialist Instrumentation and Control Directorate of Analysis and Assessment Atomic Energy Control Board Ottawa (Ontario), Canada

ABSTRACT

Since the 1970s, digital technology has undergone rapid improvement in terms of reliability, size and cost. The nuclear industry, on the other hand, has been somewhat slower than other industries in taking advantage of the technological evolution, due to stricter safety and operational requirements. This slow process has left some nuclear plants with limited support for their existing systems in terms of replacement parts and software support.

Although the control system upgrades are being driven primarily by the growing problem of obsolescence, another incentive has been to capitalize on the advantages offered by modern technology in potential improvement to safety and efficiency of nuclear power plants.

The upgrade to digital technology has been based on either a piecemeal approach or a complete change-out of obsolescent systems; the rationale as to which concept to adopt has not always been easily identifiable. The upgrade process itself, whether from analog to digital systems or from an older to a newer generation of digital technology, has proven somewhat difficult for reasons of complexity and licensing concerns. These constraints, coupled with the fast pace of development of control and instrumentation technology, demand constant evaluation and represent a challenge for the industry and the regulatory agencies.

The need to find workable instrumentation and control systems upgrade guidelines for the benefit of both the industry and the regulators is paramount to ensure safe, and cost effective implementation of modern technology. This paper addresses some of the issues associated with the process of upgrade and the regulatory views and concerns.

1. BACKGROUND

In recent years, the nuclear industry has been developing advanced control and operator interface systems based on innovative applications of digital computers. Over the past two decades the Canadian nuclear power industry has demonstrated the effective use of digital control systems in the safe operation and, more recently, the shutdown of nuclear power plants. Further advances in digital technology, such as the DCS (distributed control system), are currently being considered for use in future CANDU (Canadian Deuterium-Uranium) reactors.

As older control systems begin to show signs of aging, replacement parts often become difficult to acquire and the maintenance of such systems becomes increasingly arduous. Designers are then forced to look for an alternative technology which is up to date and well supported in the marketplace. Although the search for a replacement technology has been driven primarily by the problem of obsolescence, another reason has been to capitalize on the advantages offered by modern technology, such as ease of reconfiguration, advanced control capabilities, enhanced diagnostics and failure detection modes, accuracy, etc. Combined, these lead to potential improvements in system reliability and safety.

Once the decision to upgrade has been taken and the objectives of the intended modification have been clearly identified, the task of assessing the various commercially available technologies begins and the implementation strategy is laid out. An upgrade process is often complex, which translates into long periods of implementation. This lead time is generally long in the nuclear industry because of the stricter safety and operational requirements. In many instances, by the time the replacement system is up and running the technology employed is no longer current, and a few years later the system faces the problem of obsolescence yet again.

Safe, reliable and economic implementation of I&C system upgrades requires a well-defined and clear framework of implementation. This translates into sound planning, design, a clear implementation strategy and, above all, good project management. Such a framework will provide a better foundation for the licensing process.

An upgrade project normally has numerous tasks that need to be adequately addressed for an effective and safe implementation of the new technology. These are mainly:

- Define the upgrade requirements
- Select a replacement strategy
- Define the system boundaries
- Assess human factors requirements
- Ensure sound project management
- Perform risk and reliability assessments
- Perform verification and validation (hardware and software)
- Assess system qualifications

2. UPGRADE REQUIREMENTS

A clear definition of the upgrade requirements is the first and decisive step in the upgrade process, as it provides a tool for describing the safety and operational expectations and the constraints facing the project. Clearly defined requirements will additionally ensure that all efforts are channelled in the right direction and help to minimize deviations from the original intentions. Badly defined requirements will no doubt lead to misinterpretations and result in changes that have cost and safety implications. To avoid this, the definition of the objectives should provide a reasonable understanding of the intended I&C system changes and their consequences for other systems, in addition to the overall impact on the safety, design and licensing requirements.

These definitions should include: the design objectives, system functional requirements (hardware and software), the codes and standards to be used, design constraints, configuration management, design/operation and maintenance requirements and the expected quality.

3. DECIDING ON A REPLACEMENT STRATEGY

Replacement strategies are numerous and varied in concept. The decision as to which strategy to adopt is mainly based on three factors: cost, enhancements, and the safety implications. Although the concepts utilised can be very diverse in nature, they normally fall into two categories.

The first of these concepts is often referred to as the piecemeal technique. This involves the replacement of older technology with new technology while maintaining the existing system functionality. An approach such as this, while seemingly the most cost effective and the least complicated, is far from being straightforward. Implementing such a concept requires rigorous planning and a profound knowledge of the old system's hardware and software functionality, backed up by a faithful record of all modifications that have been implemented over the years. Without such documentation the verification and validation process can prove difficult, resulting in higher than expected costs.

The second concept of replacement is generally referred to as the complete change-out, and as the name implies, this is a complete revamp of the system hardware and software with possible enhancements to the degree of automation. This approach, although often regarded as being a costly option with possible implications on safety because of the new automation concept, does however offer the opportunity to commence with a system that is well defined, explicitly documented and is in line with current applicable standards.

4. SYSTEM BOUNDARIES

Defining the upgrade boundaries represents a crucial step in the project, since it helps to identify the impact of the upgrade on other systems or operations, in addition to the changes expected in interfaces and functionality within the system to be replaced and with other systems outside the boundary limit.

The next step is to identify the dissimilarities between the newly proposed system and the one to be replaced in terms of additional features or omissions. It is generally the case that newer systems offer various options, such as enhanced control modules or alarm packages, that may introduce new types of failures, either during normal operation or during malfunctions, and may additionally affect the functionality of other systems.

Therefore it is essential that such enhancements are analyzed in light of their net worth and their subsequent impact on safety.

5. HUMAN FACTORS

System upgrades must be reviewed based on the principles of human factor engineering and cognitive science to ensure that human characteristics and behaviour are considered in every aspect of the upgrade process. The goals are to reduce the potential for human errors, to confirm that rigorous design processes are being utilised, and to ensure that the process is auditable.

The interaction between an operator and a functional system is a process by which the operator receives the external data generated and emitted by the system and then acts on it. The data is impressed on the human senses, processed by the brain, and normally results in a series of physical actions by the person on the control element or the system. For this data to allow rapid recognition and a safe response, it must be appropriately coded. This code needs to correspond to what is called the perceptual organisation of the human brain.

An operator is often exposed to a large amount of visual and audible information. For this information to be recognised by the operator as meaningful, it must be correctly interpreted and prioritised.

Effective analysis of the human factors in the implementation of new technologies and processes will significantly reduce the incidence of human error, thereby improving safety.

6. PROJECT MANAGEMENT

Safe, reliable and economic implementation of an upgrade project requires sound Project Management. Upgrade projects often consist of a multitude of activities and involve a large number of engineering disciplines that need to be monitored and evaluated on a constant basis. Project planning, being the basic tool of project management, should ideally go beyond simply establishing a detailed list of activities to be performed during a specified period of time; it should also set out quality, safety and economic expectations, together with the necessary tools for measuring progress on a regular basis.

Rigorous progress monitoring is vital during all stages of the upgrade process in order to detect all deviations from original design intentions and ensure that modifications are adequately assessed in light of their impact on safety and operations.

7. RISK AND RELIABILITY REQUIREMENTS

Risk and reliability analyses are necessary during the design phase in order to identify the consequences of failures and measure with confidence the reliability of an I&C system. Many tools are available to accomplish these tasks, the most commonly used for risk assessment are the HAZOP (Hazard and Operability study) and FMEA (Failure Modes and Effects Analysis). The reliability aspect of the system is usually determined using Fault tree methods.

These analyses provide a means of identifying undesired events / hazards, their level of importance, and their consequences for the overall safety and operation of the plant. Once identified, measures are then taken, either in the design, in operation or through maintenance practices, to prevent and mitigate the effect of such failures. In order for the results to be sufficiently accurate, real-world factors such as repair times, software failures, human errors, common cause failures, failure modes and time dependent failure rates must be assessed as part of the analysis.

Software reliability is an important area of the overall system reliability because of the extensive use of software in modern instrumentation and control systems. Although techniques have provided better design fault avoidance methods, the extensive use and complexity of software require better and more comprehensive software reliability analyses.

Maintaining a good record of the analysis and the findings is important for future reference, as it provides a means of understanding the various design decisions and constraints that were taken during the project design phase.
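To show how the factors listed above (periodic testing, common cause failures, software and human error) enter a fault tree evaluation of a redundant I&C protection channel, here is an added example that is not part of the original paper; the failure rates, test interval, beta factor and the 2-out-of-3 voting arrangement are constructed assumptions.

```python
"""Fault-tree style unavailability estimate for a redundant I&C protection channel.

Added example, not from the paper: every figure below is a constructed assumption
chosen to illustrate how test intervals, common cause failures and software/human
error contributions combine in a fault tree, not a measured value.
"""
import math


def channel_unavailability(lam, tau):
    """Mean unavailability of one periodically tested channel.

    lam: constant failure rate (failures per hour); tau: test interval (hours).
    A failure stays latent until the next test, so the average unavailability
    over the interval is 1 - (1 - exp(-lam*tau)) / (lam*tau), close to
    lam*tau/2 when lam*tau is small.
    """
    x = lam * tau
    if x == 0.0:
        return 0.0
    return 1.0 - (1.0 - math.exp(-x)) / x


def k_out_of_n_failure(q, k, n):
    """Probability that a k-out-of-n vote fails, i.e. at least n-k+1 of the n
    independent channels (each unavailable with probability q) are down."""
    return sum(math.comb(n, j) * q ** j * (1.0 - q) ** (n - j)
               for j in range(n - k + 1, n + 1))


def voted_system_unavailability(q, k, n, beta):
    """Beta-factor common cause model for a k-out-of-n voted channel group.

    A fraction beta of each channel's unavailability is attributed to a common
    cause that takes out all channels at once; only the remaining (1-beta)*q is
    treated as independent and passed through the voting logic.
    """
    q_ind = (1.0 - beta) * q
    q_ccf = beta * q
    p_vote = k_out_of_n_failure(q_ind, k, n)
    # OR gate over the two independent failure paths.
    return 1.0 - (1.0 - p_vote) * (1.0 - q_ccf)


def evaluate(node):
    """Evaluate a small fault tree of independent basic events.

    Leaves are probabilities; gates are ("AND", [children]) or ("OR", [children]).
    """
    if isinstance(node, (int, float)):
        return float(node)
    gate, children = node
    probs = [evaluate(child) for child in children]
    if gate == "AND":
        return math.prod(probs)
    if gate == "OR":
        return 1.0 - math.prod(1.0 - p for p in probs)
    raise ValueError(f"unknown gate {gate!r}")


def top_event(lam, tau, k, n, beta, q_software, q_human):
    """Top event 'protection function unavailable on demand'.

    OR of the voted hardware group (with CCF), a software fault common to all
    channels and an operator/maintenance error. Returns the contributions so a
    reviewer can see which branch dominates.
    """
    q = channel_unavailability(lam, tau)
    hw = voted_system_unavailability(q, k, n, beta)
    tree = ("OR", [hw, q_software, q_human])
    return {"channel": q, "hardware_voted": hw, "top": evaluate(tree)}


if __name__ == "__main__":
    # Constructed figures: 2-out-of-3 voting, lam = 1e-5/h, monthly test (730 h).
    base = dict(lam=1e-5, tau=730.0, k=2, n=3, q_software=1e-5, q_human=1e-4)
    for beta in (0.0, 0.05, 0.10):
        r = top_event(beta=beta, **base)
        print(f"beta={beta:.2f}  channel={r['channel']:.2e}  "
              f"voted={r['hardware_voted']:.2e}  top={r['top']:.2e}")
```

Running the block shows that even a small beta factor quickly dominates the independent 2-out-of-3 contribution, which is why the common cause assessment the text calls for cannot be left out of the analysis.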

8. VERIFICATION AND VALIDATION (HARDWARE AND SOFTWARE)

The main purpose of Verification and Validation (V&V) is to confirm the correctness and completeness of the design and, by doing so, to provide adequate confidence that the requirements of the software and hardware development have been met.

The V&V process ensures that the functional requirements defined in the development process are properly implemented. It must be carried out by competent individual(s) other than the original designer(s), preferably not reporting to the same management hierarchy. Verification includes activities such as witnessing, inspection, analysis and testing of the design activities during the development and modification phase, and review of the documented results of the original designer's activities. Validation, on the other hand, ensures that the overall integrated product operates as per the functional specifications.

9. QUALIFICATION

Qualification ensures that the proposed system is compatible with the environment that it is intended for, fit for the purpose and complies with current standards.

The qualification of commercial grade technology on the basis of testing alone is insufficient to determine the acceptability of the item for use in a safety system. A comprehensive evaluation of the manufacturer's methods for developing and implementing software and hardware is therefore necessary to waive concerns about the applicability of the proposed technology in safety applications.

Qualification may include seismic and environmental qualification such as temperature, humidity, radiation, electromagnetic interference in addition to assessing the operator-machine interface and required maintenance tools.

Software qualification provides evidence that the software meets all the software requirements. The process of qualification may include a demonstration of the safety functions during abnormal conditions and of the correct implementation of algorithms and logic, communication functions, memory protection, error handling, synchronisation and interrupts.

10. CONCLUSIONS

The licensing process requires a demonstration that adequate analyses have been performed at various stages of the design and implementation phase.

Deciding on when to involve the regulatory agency in an upgrade process has often been difficult to establish, as it may vary based on the extent of the upgrade and the user's confidence level in the proposed technology. In general, the policy adopted by licensees has been to ensure that all the vulnerable areas of the proposed changes have been reasonably analyzed through internal auditing prior to submitting them for approval to the regulatory agency. In most cases significant efforts in terms of analysis, resources and money have been used to attain a level of confidence before commencing the licensing process.

The regulatory agency, once presented with the new proposal, is bound to follow a similar route in evaluating the safety impact of the proposed technology, which adds to the implementation period.

Maintaining a reasonable level of dialogue with the regulating agency during the early phases of an upgrade process will provide faster means of communicating concerns and ensure that both the licensee and the regulator have gained concurrently similar knowledge and confidence in the proposed technology.


IAEA Specialists' Meeting on

"Modernization of Instrumentation and Control Systems in Nuclear Power Plants"

Upgrades of Digital I&C in German Nuclear Power Plants Regulatory Aspects and Qualification Requirements

G. Schnürer, D. Wach: Institut für Sicherheitstechnologie (ISTec) GmbH, Garching

F. Seidel, L. Weil: Bundesamt für Strahlenschutz (BfS), Salzgitter

1 Abstract

At present, hardwired safety I&C devices are in operation exclusively in German nuclear power plants. Computerized I&C is used for operational purposes and is partly installed in some safety related I&C systems. The operational experience of German NPPs shows that for the time being no safety reasons exist to replace or upgrade the hardwired safety I&C. Nevertheless, it is obvious that the benefits of new computerized I&C lead to a strong interest of the utilities, and in addition the period of time for obtaining spare parts as guaranteed by the I&C producers will not cover the expected operation time of the German NPPs. Worldwide, first applications and experiences demonstrate the availability and reliability of digital I&C. In Germany, too, digital computerized I&C has been developed by the industry and is offered for introduction in NPPs.

Besides these technical developments, activities have been started in order to adapt and to extend the regulatory requirements for safety and safety related application of digital I&C on the basis of international Standards and Safety Guides (IEC 1226, IEC 880 + supplements, IAEA Safety Guides, etc.).

Within the licensing procedure it has to be demonstrated that computerized safety I&C fulfils the reliability requirements according to Nuclear Regulations, i.e. at least those of the present analog technology. For that reason a detailed quality assurance system has been developed by vendors. But up to now there is no experience of backfitting with computerized safety I&C in Germany. Therefore, in 1994 research activities were initiated to obtain an overview of the regulatory aspects and qualification requirements necessary for licensing computerized I&C for German nuclear power plants. Regarding backfitting, specific issues like hardware and software configuration, time scheduling, I&C qualification, environmental aspects (especially EMC), and compatibility of old and modern safety I&C have to be investigated. In particular it is intended to analyze the qualification requirements for backfitting procedures from the regulatory point of view. Regarding this item, the paper gives a systematic approach to regulatory aspects in order to make the licensing procedure for upgrading or backfitting, respectively, of hardwired safety I&C systems with modern digital safety I&C more transparent. In addition, investigations with respect to backfitting feasibility and concepts will be presented.

Foreword

I would like to make some introductory remarks before Mr. Schnürer will present the joint BfS/ISTec paper on the regulatory aspects and qualification requirements of Nuclear Reactor I&C upgrading in Germany.

Those of you familiar with our legal system will know that it is the Federal Ministry for Environment, Preservation of Nature and Reactor Safety (German abb: BMU) that acts as the supreme regulatory authority in this country.

This comprises two basic powers: BMU is responsible for providing the legal framework (laws/ordinances) as well as the necessary codes, guides and safety standards, and it supervises the activities of the licensing authorities (part of the Federal States) with respect to lawfulness and expediency.

To be able to perform these duties, BMU - on one hand - takes advice from RSK (advisory body made up of individual, independent experts) [Mr. Lindauer]. On the other hand BMU receives specific support from the Federal Office of Radiation Protection (BfS) and from experienced expert organizations like GRS or - in the specific case of Instrumentation and Control systems - like ISTec.

For a number of years, both ISTec and BfS have been closely watching the German as well as the international development of I&C technology for Nuclear Power Plants.

As a result of our common assessment, it can be stated that:

- there is a continuous and growing trend towards new I&C system designs, particularly (Dr. Bastl and Mr. Anani (Canada) -> initial speech) towards digital technology;

- many issues, however remain to be solved in order to comply with the existing regulatory framework and to meet present reliability and quality assurance requirements;

- various activities are underway to extend the existing German rules and standards with regard to the use of digital I&C in safety related systems;

- at the same time, German experts are taking part in the international - and that means mainly the IEC rulemaking process;

- in parallel, the manufacturers are doing their job in developing quality assurance methods and tools for their digital I&C products.

We are aware of the fact that in comparison with the construction of a completely new I&C system, the I&C upgrading and replacement and retrofitting process implies additional requirements and quality aspects.

Apart from the EPRI initiative with its I&C upgrade guideline however, we do not know any comprehensive study on this subject.

So in a joint effort we set the frame and scope for a research project on the specific aspects and requirements for the transition towards digital I&C systems in existing NPPs.

The work is carried out by the experts of ISTec and completely funded by the BMU.

It is a systematic approach aimed to provide the scientific basis for rulemaking as well as the necessary licensing decisions and to make the assessment and licensing process as logical and transparent as possible.

I would like to hand over the floor to Mr. Schnürer for his presentation.

L. Weil

1 Introduction

The application of digital safety instrumentation and control (I&C) devices in German nuclear power plants (NPPs) has been rigorously discussed from the viewpoints of safety and licensing for years.

German vendors have already developed and successfully applied digital I&C systems for surveillance and control of fossil fired power plants, e.g. unit 5 of the Staudinger power plant and the Großkraftwerk Mannheim.

The positive operational experience with digital I&C gained thereby can contribute to the reliability proof of nuclear safety applications. But conventional operational experience is not sufficient, because the regulatory requirements for safety critical applications in NPPs are much more stringent. In particular, safety instrumentation and control equipment must be designed in such a manner that it does not determine the availability of the safety system.

At present, in German nuclear facilities, digital I&C is only used for partial surveillance and control tasks of safety related systems. Examples are core monitoring systems, power density monitoring systems and the digital upgrading of hardwired calculation circuits. The use of digital process information systems (like PRISCA) has no direct safety significance.

The usage of digital I&C in the safety system of German nuclear power plants is not sufficiently regulated by the German nuclear safety standards (KTA). Common international and national standards like IEC or DIN are helpful within the licensing procedure for NPPs in Germany, but not binding. The current development in Germany is covered in section 3.

On the other hand, the world-wide development shows that digital I&C will be used within the safety systems of advanced reactors. This trend became obvious in June 1994 during the Technical Committee Meeting held by the IAEA in Helsinki (IAEA-94). The currently discussed advantages and disadvantages of digital I&C are compared in section 2. Regulatory aspects, qualification requirements and specific I&C upgrading aspects are reviewed in sections 3 and 4, respectively.

2 The pros and cons of digital safety and safety related I&C

It seems to be generally accepted by technical experts that the main advantages of digital instrumentation and control equipment are:

- high efficiency (high processing rate, high data transmission rate, high accuracy of signal processing and thus higher performance quality of control and surveillance functions),

- high system variability (capable of processing analog and digital signals, extendable, enabling communication with other systems and processing of complex tasks),

- manufacture at relatively low cost for fault tolerant operation (e.g. high redundancy at a dynamic change of selector logic),

- compared to analog hardwired systems, significantly lower demand on space and wiring,

- effective protection against electromagnetic interference (EMI) using fibre-optic cables for data transmission,

- extended self-test functions, which can be established online (without safety isolation, in KTA: "release switching"); extended maintenance and diagnostic opportunities and

- possibilities for introducing modern - and also digital - man-machine interfaces to support the operator.

Currently discussed critical aspects are:

- difficulties in proving sufficient software reliability and - related to this - high cost in software specification, development and testing,

- contradiction between the goal of a proof of reliability that is as extensive as possible, achieved by simple system construction and a clearly defined functional range of components, and the wide possibilities of modern computer technology, which in principle also enables the solution of complicated safety related tasks like reactor power limitation or online core calculation,

- sensitivity of hardware to environmental influences of an electromagnetic nature and to nuclear radiation, temperature, mechanical impact, and others,

- potential for human errors caused by software and hardware handling during the lifetime of the I&C equipment with no immediately foreseeable effects; particularly caused by software maintenance and modification, but also by storage and handling of highly integrated semiconductor components,

- naturally, the operational experience that has become available from the safety related performance of digital I&C in NPPs is comparatively small,

- hardware technology may become rapidly outdated due to the progress of microelectronics; hence upgrading measures become necessary again and

- incomplete regulatory framework regarding digital safety I&C equipment.

3 Regulatory aspects and qualification requirements

German rules, standards, guidelines and regulations for safety and safety related I&C still have to be reviewed. Likewise, a survey of existing regulatory standards is given below. The reliability requirements remain consistent with the special features of computer-aided I&C.

It is an essential prerequisite for a comprehensive use of digital I&C in NPPs that the construction of software is directed by the aid of a software development life cycle.

According to the current discussion on reviewing the RSK-Guidelines for Pressurized Water Reactors (RSKG-81), digital safety and safety related I&C will be adapted. Additionally, the software development process is based on the system development life cycle according to IEC 880. One fundamental step is to permit graduated qualification in accordance with the safety significance of the respective FSE. The categorization scheme according to IEC 1226 has been taken into account.

To guarantee sufficient reliability of safety and safety-relevant I&C, measures of fault avoidance, fault detection and fault tolerance have to be realized.

The following compiles the regulatory standards which are essential for digital I&C application in German NPPs; a short characterization of each is also given:

- KTA 3501, 1985 (KTAS-85); defines the safety philosophy of the reactor protection system, still valid for digital I&C application, but does not directly cover digital I&C,

- KTA 3503, 3505, 1986, 1984; cover the topics of type testing of electrical modules as well as type testing of sensors and transducers for the reactor protection system; an interpretation for digital I&C upgrading can be performed,

- KTA 3506, 1984; covers the topic of system tests of the safety and safety related I&C equipment of NPPs; an interpretation for digital I&C upgrading can be performed,

- KTA 3507, 1986; covers the topics of factory tests as well as operational experience on electrotechnical modules, equipment and system components of the safety system; an interpretation for digital I&C upgrading can be performed,

- KTA 3508 is in preparation; the new standard will cover the topic of digital I&C application comprehensively; currently a preliminary report is available,

- RSK-Guidelines for Pressurized Water Reactors, 1981 (RSKG-81); cover in general the topic of reactor safety; the section on digital safety and safety related I&C is in preparation and refers to DIN ISO 9000 part 3 and also to DIN IEC 880,

- IEC 1226, 1993; categorizes the FSE functions with respect to their safety significance; a national version of this guideline - DIN 1226 - containing national remarks is in preparation.

4 Upgrading of digital safety and safety related I&C systems

The following tasks initiate investigations in the field of digital I&C upgrading.

What are the reasons to replace existing hardwired, operation-proven I&C systems by new digital equipment?

The operational experience of German nuclear power plants gives no safety reason to change or upgrade the hardwired safety and safety related I&C concept. But considering aging phenomena and the fact that I&C equipment will become outdated due to the rapid progress of electronic systems, a complete replacement of the I&C system might be advantageous with regard to the expected lifetime of NPPs. Another reason for I&C upgrading might be that original hardwired spare parts will probably not be available for the whole expected lifetime of NPPs.

In addition to the advantages already mentioned, in the case of upgrading to digital equipment a re-evaluation of the safety and safety related I&C concept is possible and the plant can be adapted to the state of science and technology. The safety and technological requirements to be taken into account for the implementation of a digital upgrade are extensive.

Nevertheless, upgrading by digital safety and safety related I&C has some special aspects in comparison to upgrading by modernized hardwired devices:

- Usually there is no pin compatibility with hardwired systems.

- Additional protective devices may also become necessary (in view of shielding, power supply etc.). Therefore, a complete digital upgrade has to be carefully analyzed. The digital or hardwired I&C upgrade, respectively, will proceed stepwise.

- The reliability of digital I&C equipment may be expensive to prove.

- Section 3 shows that the present national and international regulatory frameworks do not entirely cover the safety evaluation aspects of digital safety I&C; hence, digital upgrading is not sufficiently covered either.

- Maintenance and operational personnel must be trained. In the interim stages of backfitting, the staff must be able to handle both techniques, which may cause operational errors.

What is the experience in digital upgrading of safety related I&C?

Up to now, in German NPPs hardwired equipment is used exclusively for safety critical functions. Often dynamic magnetization kernel systems are in use. A comprehensive backfitting with digital I&C has not been done up to now. International meetings show several applications of digital safety I&C, but owing to the fact that the digital I&C qualification process is very expensive in cost and rather extensive in time (in the absence of detailed standards), it has not been completed for most of the future projects (IAEA-94).

In comparison to the construction of a complete safety and safety related I&C system for new NPPs, additional safety aspects must be considered in the case of backfitting.

- Backfitting in stages: It would be favorable for safety reasons to design and to set up a modernized I&C system spatially and functionally separated from the existing system. Depending on the available space, a partial or complete parallel set-up can be realized. In a next step, change-over from the existing to the new system is carried out (during the refueling period). But repeatedly there is not enough space for installing a parallel I&C system. Generally, I&C change-over activities as well as functional tests and acceptance procedures can only be carried out during the annual outage. Thus, restrictions in terms of space and available time periods force I&C backfitting to be realized in stages, with additional requirements particularly concerning configuration management. The required reliability of each configuration consisting of devices of the existing and upgraded technology must be guaranteed in each backfitting stage.

- Compatibility of existing and new I&C equipment: Furthermore, it is an essential prerequisite that existing and upgraded I&C equipment do not unintentionally interfere with each other. Therefore, a strict definition of interfaces between upgraded and existing as well as between safety related and operationally used parts of I&C has to be established for each backfitting stage. In addition, spatial separation between redundancies as well as decoupling of different voltage levels should be carefully performed. Using pin compatible ASICs, some of the difficulties regarding interfaces may be removed.

- Robustness of the upgraded I&C system: The regulatory framework requires that the construction and operation of digital I&C components be robust and resistant to all possible environmental influences. In completely upgraded installations, environmental influences on safety and safety related I&C can be systematically limited by design measures (e.g. shielding, fibre optic cables). In the case of backfitting it should be assumed that environmental influences on the upgraded I&C are hard to quantify for the various backfitting stages.

These and additional aspects of the digital upgrade of safety I&C have been compiled and related quality assurance measures have been derived. Table 1 is a compilation of some of these aspects. For the purpose of systematization, it is intended to assign safety requirements for digital I&C and the respective quality assurance measures to the several phases of I&C development, construction, commissioning and operation. A first proposal is shown in Table 2.

5 Conclusion

Digital systems can fulfill the safety and safety related I&C functions in nuclear power plants. Significant safety advantages can also be expected due to improvements correlated with the implementation of screen-based control rooms in NPPs, diminishing the probability of occurrence of serious human errors. Current German regulations do not sufficiently cover the topic of digital safety as well as safety related I&C. That is why various regulatory activities have been initiated to improve the situation.

Problems within digital upgrading are caused by uncertainties concerning the proof of reliability, which is an essential prerequisite within the framework of nuclear licensing. By application of formal development methods covering the complete software development process, a great step towards provable software structures has been achieved. Formal methods should also be used during all upgrade phases. Suitable testing methods are currently being developed by the expert organizations. Examples are the use of formal methods, a comprehensive categorization scheme and tools for I&C specification. In addition, tool-aided software coding as well as a life cycle model for hardware and software development have been worked out.

It is expected that the present activities will establish a significant progress towards implementation of digital safety I&C in German NPPs.

Abbreviations:

- PRISCA: Computer Based Process Information System
- KTA: German Nuclear Safety Standards
- FMEA: Failure Mode and Effect Analysis
- RSK: Reactor Safety Commission
- FSE: Function System Equipment

References

(IAEA-94) Advanced Control and Instrumentation Systems in Nuclear Power Plants, Design, Verification and Validation, Proceedings of IAEA Technical Committee Meeting Helsinki/Espoo, 20 - 23 June, 1994.

(KTAS-85) KTA-Safety Standard 3501, Reactor Protection System and Monitoring Equipment of the Safety System, Köln, Carl Heymanns Verlag KG, 1981.

(RSKG-81) RSK-Guidelines for Pressurized Water Reactors, 1981, Bonn: Geschäftsstelle der Reaktorsicherheitskommission RSK, im BMU, 1981.

| Topic | Imposed Aspect | Attempt of Solution (Project, Example) |
|---|---|---|
| I&C qualification | No previously gained operational experience with new safety I&C | Use of new I&C for non-safety related backup systems; type testing |
| Compatibility of different I&C systems | Time period of upgrading; old and new I&C must be used in parallel over a specified time period | Detailed upgrading plan and documentation, interface definition, upgrading guidelines, know-how exchange of upgrading experiences |
| Defence-in-depth, reliability | I&C shall not impair the reliability of the safety system; reliability proof for new I&C is difficult | Hierarchic I&C system with functional decoupling and spatial separation of redundancies, functional diversity |
| I&C resistance to environmental stresses | Digital I&C is highly sensitive to environmental conditions: EMI, radiation effects, temperature, transport, storage keeping and handling, mechanical stress | Protection system against EMI, e.g. fibre-optic bus, optocoupler; suitable specification of environmental stresses during transport and storage conditions; administrative precautions |
| Further I&C development | Rapid further development: hardware will become "old fashioned", new problems concerning spare parts and replacement may occur | Upgrading of upward compatible I&C: expandable I&C module system, off-the-shelf technique, for special tasks introduction of ASIC |
| Software qualification | High qualification requirements: software shall not impair the reliability of the safety system | Use of standards IEC 880, 1226: phase model, software development using formal methods beginning with the specification phase, software development tools |
| Test, simulation | Required I&C reliability can only be achieved by using qualified test tools | Only well qualified test tools should be applied; formal methods should be used for preparing tests |
| New Man-Machine-Interface | Prejudices/old common practices, high effort for staff training (operators, maintenance staff) | Stepwise transition to computerised control room, non-safety intermediate application |
| Licensing procedure | Up to now Nuclear Regulations do not cover digital I&C sufficiently | Preliminary report to KTA 3508, use of related IEC standards |

Table 1: Safety related aspects of digital I&C upgrading in NPPs

Phase of the digital I&C upgrade process: Definition of Requirements
Main tasks of engineering and organisation: Basic safety concept: define reliability requirements; performing safety analysis (periodically); derivation of plant specific upgrade requirements; long term upgrade planning; study of practicability
Special aspects of upgrading digital I&C: New I&C architecture is strongly dependent on reliability requirements (back-up system, redundancy, diversity, others)
Regulatory framework, licensing procedure: RSK-Guidelines; Incident Guidelines; KTA-Rules; IEC 1226; -> evaluation of the upgrade concept (Authority/Technical Expert)
Derived reliability and quality assurance measurements: DIN ISO 9001-3; KTA 1401; quality manual

Phase of the digital I&C upgrade process: Specification
Main tasks of engineering and organisation: definition of I&C functions and categorization regarding the safety goals/safety concept; specification of configuration and structure; detailed description of the existing and the new I&C system
Special aspects of upgrading digital I&C: Complete and detailed specification of all required I&C functions. Consider: step-wise upgrade; reengineering/redesign of the existing I&C system could become necessary; high sensibility of digital I&C to EMI -> upgrade of the EMC concept; failure tolerance of I&C for safety critical functions is to be specified; there are several kinds of diversity (functional, organisational, instrumentational, etc.)
Regulatory framework, licensing procedure: IEC 1226, 880, 487; KTA 3501; -> evaluation of the specification
Derived reliability and quality assurance measurements: software development life cycle; certification of the satisfactory completion of qualification tests; use of formal methods, a comprehensive categorization scheme and tools for I&C specification

Phase of the digital I&C upgrade process: Upgrade Strategy Planning
Main tasks of engineering and organisation: concept for the project management; definition of upgrade packages or continuous upgrading; interface definition for the upgraded system/configuration; time scheduling; plan for training of operators and maintenance staff
Special aspects of upgrading digital I&C: modification or no modification; temporary interfaces; interface requirements; compilation of information documents (ZPI)
Regulatory framework, licensing procedure: -> decision whether licensing under section 7 (Atomic Energy Act) is given
Derived reliability and quality assurance measurements: methods for failure detection, avoidance and elimination; use of schedules as formal tools for checking time-dependency, completeness, etc.; computer aided plan documentation

Phase of the digital I&C upgrade process: I&C Design
Main tasks of engineering and organisation: application of standard hardware; software development (modularisation according to I&C functions and single tasks); tailored or independent software development for hardware; tool aided generation of I&C functions
Special aspects of upgrading digital I&C: formal consideration of the specification and categorization; verification of the required reliability during specification and design phases
Regulatory framework, licensing procedure: KTA 3501; IEC 1226, 880, 987
Derived reliability and quality assurance measurements: main aspect: failure avoidance; life cycle model for hard- and software development; V-model for qualification; suitability test of hard- and software (e.g. type test, system test, integration test); self-test capabilities

Phase of the digital I&C upgrade process: Implementation/Integration
Main tasks of engineering and organisation: hardware configuration; software engineering; standard software; complex I&C performance test; EMC; off-site proof of I&C compatibility; simulation of interfaces; off-site test of modules and subsystems; consideration of accidental and environmental conditions
Special aspects of upgrading digital I&C: statical and dynamical tests; provisional arrangements; compatibility of existing and new system
Regulatory framework, licensing procedure: KTA 3503, 3505, 3507; IEC 880; -> attended by Technical Experts
Derived reliability and quality assurance measurements: tool aided software coding; hardware and software type test program; self-test capabilities; computer aided documentation

Phase of the digital I&C upgrade process: On-site Installations
Main tasks of engineering and organisation: start-up test program; on-site tests
Special aspects of upgrading digital I&C: implementation of I&C; complete integration tests, single tests and system tests till start-up
Regulatory framework, licensing procedure: KTA 3501, 3506, 3507; -> safety assessment and licensing acceptance (also construction attended)
Derived reliability and quality assurance measurements: computer aided check and documentation during all steps

Phase of the digital I&C upgrade process: Operation/Maintenance
Main tasks of engineering and organisation: periodical test, maintenance and modification; operator training plan; complete documentation for revisions, operation and testing; operator qualification for old and new I&C technique
Special aspects of upgrading digital I&C: use of formal procedures for test, maintenance and modification
Regulatory framework, licensing procedure: supervision by the Authority resp. Technical Experts
Derived reliability and quality assurance measurements: formal procedures for documentation and tests (e.g. quality manual)

Table 2: Compilation of safety related I&C upgrading aspects

LICENSING EXPERIENCES OF THE µ-PROCESSOR BASED I&C SYSTEM IN YONGGWANG UNITS 3, 4

Tscheh-Kyuhn Oh, Principal Investigator Korea Institute of Nuclear Safety Taejeon, Korea

ABSTRACT In the licensing process of Yonggwang units 3 and 4 a software test method was devised. This method does not try to verify that the test object is free from failures but tries to prove that the test object meets the prespecified reliability requirement and represents, compared with its conventional analogue counterpart, no significant risk to the plant with a given probability. This approach has a solid theoretical foundation and secures the objectivity of the licensing process at least for a certain class of nontrivial software.

1. INTRODUCTION

Yonggwang units 3 and 4 are newly constructed nuclear power plants with a nominal capacity of 1000 MWe each. The reactor protection system (RPS) is realized in conventional technology using relays to avoid the potential impediment for licensing. Only the engineered safety feature actuation system (ESFAS) is realized in µ-processor technology. The I&C system is, in general, hierarchically organized and consequently of a tree structure. The hierarchically lower level of the I&C system such as ESFAS consists of a large number of components. Consequently, the total cost of the I&C system is determined mainly by the hierarchically lower level, namely, ESFAS. In contrast to the higher level of the I&C system, the lower level accomplishes only simple functions such as opening or closing of individual machine components. Therefore, the software running on the hierarchically lower level of the I&C system is much easier to verify and to validate than the software running on the higher level. This allows the verification & validation of the software running on the lower level with acceptable resource investment and within the time schedule.

2. SOFTWARE V&V AND SOFTWARE RELIABILITY

Because in Yonggwang units 3 and 4 each piece of equipment in the active safety path has its own Single Board Computer (SBC), each SBC does not differ essentially from its conventional counterpart and can be taken as a module not only in terms of hardware but also in terms of software. A fairly large program consisting of roughly three thousand assembler code lines runs on each SBC. Because several hundred SBCs are used in the ESFAS, which belongs directly to the active safety path, it is not easy to verify the correctness of the software in this safety critical application. Therefore, a test principle based on the well known concept of the sequential test was devised. This test cannot guarantee the correctness of the program but guarantees, with the given probability, that the computer program has achieved the level of the required reliability.

The theoretical bases of test strategy are as follows:

- The safety system is essentially a standby system that is dormant in normal power operation and is activated mainly for the purpose of the function test. In Korean practice, the function test should be performed every three months in such a manner that the input space of the SBC consists of a small number of well defined trajectories, namely, a periodic sequence of eight on and off signals with some deviations. Deviations from the nominal trajectories are possible only by incidents/transients or the mistakes of operators and, finally, hardware faults outside the SBC such as faults of relay contacts. The hardware fault is an old fashioned random failure which represents no significant risk to the plant. According to Korean experience the incidents are rare events with an annual occurrence frequency of one transient per reactor-year.

- Additionally, the power supply for the SBCs is removed every year during a plant overhaul. When restarting the plant, the internal memory (RAM) must be reinitialized. The reinitialization drastically limits the input trajectories to be tested. Therefore, the input space of the SBC is not intractably huge, so that it can be determined in a relatively straightforward manner with some experience in the operation of nuclear power plants. Consequently, the safety verification of software at least on the hierarchically lower level of the I&C system such as ESFAS can be achieved by a test which necessitates not an astronomical but a moderate number of test cases selected by experts of NPP operations.

2.1 Hypothesis Test

Since the program running on the single board computer has been subjected to a thoroughly organized debugging process, it can be expected that the probability for the existence of the residual bugs is very small. The reviewers of the regulatory organisation are interested in the answers to the following questions: 1) What is the assurance that the program achieved the specified reliability? 2) How much additional testing should be done in order to confirm the reliability of the software claimed by the applicant and his supplier?

The answers to the above questions depend on the cost of testing, the time available to test the program without unduly delaying the plant startup, and the consequences of software failure during its operation and risks for the public. In what follows, we will try to answer the above questions in a quantitative manner using the tools that have solid mathematical foundations as far as possible.

2.2 Method of the Hypothesis Test

Recently, D. L. Parnas et al. [1] proposed the hypothesis test to evaluate the quality of safety critical software. There already exist a number of hypothesis testing methods but the following approach is common to most of them [2], [3].

Null hypothesis $H_0: p \le p_0$, where $p$ = the probability of software failure and $p_0$ = the specified probability of software failure; alternative hypothesis $H_1: p \ge p_1$, where $p_1 > p_0$. In order to test the above hypothesis, we shall exercise the software for an additional time duration, which will be, in our case, the time interval between the delivery of the products and the first criticality of the reactor.

We reject the null hypothesis if the number of software failures encountered in the test period exceeds the prescribed level. The possibility of making a mistake in judgement about the quality of the test object, on the basis of test results, cannot be eliminated unless the entire input space of the program can be investigated. This is, of course, in general technologically and economically infeasible. Although hypothesis testing has a solid theoretical foundation and is well known to the community [4], two types of errors can occur:

a) Type I error (α-error): Null hypothesis $H_0$ is true, that is, the test object has achieved the prescribed reliability level ($p \le p_0 < p_1$) but is rejected erroneously in favour of the alternative hypothesis $H_1$. Such a mistake is called a type I error and its probability of occurrence is denoted by α.

b) Type II error (β-error): Alternative hypothesis $H_1$ is true, that is, the test object has not achieved the prescribed reliability level ($p \ge p_1 > p_0$) but is accepted erroneously. Such a mistake is called a type II error and its probability of occurrence is denoted by β.

The regulatory agency investigating the applicant's claim could have specified values for a and ß, thus controlling the risks to which they are inevitably exposed because even this agency cannot afford such a luxury as the reservation of the decision on indefinite terms. The choice of a, the probability of a type I error, could have been based on the consequences of making that kind of error, namely condemning a good product and causing the subsequent delay of the plant startup which can be a financial fiasco to the applicant and, finally, depriving the public of having energy available when needed.

The choice of ß, that is, the probability of a type II error could similarly have been based on the consequences of making that kind of error, namely, the cost to the public of being exposed to the nuclear risks.

Both risks {α, β} can be at least partially controlled by the choice of sample size. In principle, the type I error as well as the type II error can be reduced by increasing the sample size, i.e., the time duration of the test. In the case of the nuclear power plant, the time available for the software reliability test is only the time interval between the delivery of the software products and the first criticality of the reactor, roughly estimated, about one year. The safety critical software must have so high a reliability that this time span may not be sufficient for an adequate test of the product at all. What we can do to resolve this problem is, firstly, to search for a method to accelerate the running of the test with some modification of the test object and, secondly, to use improved methods in the analysis of the test results.

2.3 Bernoulli Trials and the Software Reliability Test

Usual methods for software testing can be essentially classified into two types, namely, function test (black-box test) and structure test (white-box test). The principal objective of these tests is to detect, with a relatively small set of test data, as many software bugs or software faults as possible. They are usually performed by the developer and called the defect test [9].

The principal objective of the reliability test is not the bug finding but in confirming that the final product meets the specified reliability requirement. In safety critical applications, a large number of test cases are exercised in order to estimate the reliability of the software and to reduce the probability for a mistake in judgement, i.e., the pair {a, ß}.

Let $m$ be the number of software failures encountered during the test period and $N$ the sample size, i.e., the number of test input sequences applied to the test object SBC. Then, as a consequence of Bernoulli's law of large numbers [3], the random variable $m/N$, i.e., the frequency of the observed software failures during the test period, converges to the probability of software failure $p$ if the sample size $N$, i.e., the number of test cases chosen, is sufficiently large.

According to the central limit theorem in the probability theory, for a large N the probability distribution of Bernoulli trials converges to the normal distribution [4] :

$$P\{k_1 \le m \le k_2\} = \sum_{i=k_1}^{k_2} \binom{N}{i}\, p^i (1-p)^{N-i} \approx \int_{k_1}^{k_2} \frac{1}{\sigma\sqrt{2\pi}} \exp\!\left[-\frac{(x - pN)^2}{2\sigma^2}\right] dx, \quad \text{where } \sigma^2 = p(1-p)N \qquad (1)$$

The classical theory of hypothesis testing is based on the de Moivre-Laplace theorem given above, i.e., the Gaussian normal distribution. The demerit of the classical theories is that they are based on asymptotic theory and, therefore, necessitate an intractably large sample size.

2.4 Sequential Test

A. Wald [5] elaborated on the classical theory of hypothesis testing. His method has a rigorous and sound mathematical foundation, and yet a substantially smaller sample size is needed without increasing the probability of type I errors α or type II errors β.

Fig. 1 Reliability Test (figure not reproduced: the $(m, m_e)$ plane with the region of rejection, the region of reservation and the region of acceptation)

Therefore, we use this method, well known as the sequential test. This method is well described with a rigorous proof for the Bernoulli trials in M. Fisz's text book[6]. In the case of the sequential test, the sample size is not prefixed but determined in the course of the test run. The sample size, that is, the number of the test cases needed to estimate the reliability of the test object is here a random variable. But it is possible to estimate at least the expectation of the test duration so that the test can be planned in advance.

The method is illustrated in Fig. 1. The horizontal axis $m$ represents the number of test cases exercised and the vertical axis $m_e$ the number of software failures observed.

The region bounded by the vertical line $m = 0$ and the rejection line $r_m$:

$$m_e = r_m = \frac{\ln[(1-\beta)/\alpha]}{\ln[p_1/p_0] - \ln[(1-p_1)/(1-p_0)]} - \frac{\ln[(1-p_1)/(1-p_0)]}{\ln[p_1/p_0] - \ln[(1-p_1)/(1-p_0)]}\, m \qquad (2)$$

is called the domain of rejection. The region bounded by the horizontal line $m_e = 0$ and the acceptation line $a_m$:

$$m_e = a_m = \frac{\ln[\beta/(1-\alpha)]}{\ln[p_1/p_0] - \ln[(1-p_1)/(1-p_0)]} - \frac{\ln[(1-p_1)/(1-p_0)]}{\ln[p_1/p_0] - \ln[(1-p_1)/(1-p_0)]}\, m \qquad (3)$$

is called the domain of acceptation.

To make the above equations easier to discuss we introduce a parameter $h$ and set:

$$p_1 = h\, p_0 . \qquad (4)$$

Since $1 - p \approx [\exp(p)]^{-1}$ for $p \ll 1$, it holds:

$$\ln[(1-p_1)/(1-p_0)] = \ln[\exp(p_0 - p_1)] = -(h-1)\, p_0 . \qquad (5)$$

Now, the acceptation and rejection lines can be represented respectively as follows:

$$a_m = \frac{\ln[\beta/(1-\alpha)]}{\ln h + (h-1)\, p_0} + \frac{(h-1)}{\ln h + (h-1)\, p_0}\,(p_0\, m) \approx \frac{\ln[\beta/(1-\alpha)]}{\ln h} + \frac{(h-1)}{\ln h}\,(p_0\, m) \qquad (6)$$

$$r_m = \frac{\ln[(1-\beta)/\alpha]}{\ln h} + \frac{(h-1)}{\ln h}\,(p_0\, m) \qquad (7)$$

The region bounded by the rejection line $r_m$ and the acceptation line $a_m$ is called the domain of reservation. In this region, the decision is reserved and the testing is continued until either the rejection or the acceptation line is reached. Apart from the judgement involved in the choice of the triple {α, β, h}, subjectivity is excluded from the test process.

In the case of the sequential test, the number of test cases needed to make a judgement is a random variable. It is useful to have a tool which enables us to estimate the sample size. For the estimation of the sample size this approximation can be used:

$$E\{n\} = \frac{-(1-2\alpha)\, \ln[(1-\beta)/\alpha]}{p_0 \ln[p_1/p_0] + (1-p_0)\ln[(1-p_1)/(1-p_0)]} \qquad (8)$$

To simplify the above approximation further, the approximate relation (5) can be used again and it holds:

$$E\{n\}\, p_0 \approx \frac{(1-2\alpha)\, \ln[(1-\beta)/\alpha]}{(h-1) - \ln h} \qquad (9)$$

Due to the normalisation, the right side depends only on the risks {α, β} and the selectivity $h = p_1/p_0$, which can be chosen reasonably large.

2.5 Upper Bound for the Probability of Software Failure

The hypothesis to be tested must first be formulated and justified technically, because software in a safety critical application has to meet a very high reliability requirement. The chance of finding a failure in a thoroughly tested program is extremely small, so that a huge number of test cases must be exercised in order to find a bug at all. If the regulatory agency limits its own risk to an acceptable level only in its own favour and specifies an unrealistically high reliability requirement, then the test becomes unaffordable and is no longer a proper tool for V&V of the software. The specifier must be very careful not to specify a reliability requirement which cannot be tested within the available time span. Therefore, the specification of the reliability requirement necessitates the judgement of an experienced domain expert.

Software errors are essentially not random errors but design errors. Consequently, they have the character of a common mode failure. Hardware such as valves and pumps also has its common mode failures. In the PSA community, the problems of common mode failure or common cause failure are handled with the β-factor method (and/or the multiple greek letter method) [7].

Let $\{A^a_{ran}\}$ be the event "failed start of the safety injection pump by a random failure in train A" and $\{A_{ccf}\}$ the event "failed start of the safety injection pump by a common cause failure". The probability of the loss of both safety injection pumps can be calculated as follows:

$$\begin{aligned}
P\{(A^a_{ran} \cup A_{ccf}) \cap (A^b_{ran} \cup A_{ccf})\} &= P\{(A^a_{ran} \cap A^b_{ran}) \cup (A_{ccf} \cap A^b_{ran}) \cup (A^a_{ran} \cap A_{ccf}) \cup A_{ccf}\} \\
&\approx P\{A^a_{ran} \cap A^b_{ran}\} + 2\, P\{A_{ccf} \cap A_{ran}\} + P\{A_{ccf}\} \\
&= P\{A_{ran}\}^2 + 2\, P\{A_{ccf}\}\, P\{A_{ran}\} + P\{A_{ccf}\} \\
&\approx P\{A_{ccf}\} \approx \beta'\, P\{A_{ran}\} \approx 0.1 \times 10^{-3}
\end{aligned} \qquad (10)$$

Now, it is clear that the duplication of mechanical equipment improves reliability only moderately, namely by one order of magnitude. The determining factor for the reliability of the system is essentially the common cause or common mode failures of the mechanical components. Further, the German standard KTA 3501, version 3/77, for the reactor protection system can be helpful in resolving the problems related to the application of software in the safety system. It is required in paragraph 4.8.2 of the above standard that the reactor protection system shall be designed such that it is not the determining factor in the availability of the safety system. The reliability of the reactor protection system shall be greater than or equal to the reliability of the active safety equipment.

On the basis of the above considerations, it is specified as a minimum that the software failure probability has to meet this reliability requirement:

$$P\{A_{SW}\} \le \beta'\, P\{A_{ran}\} \approx 0.1 \times 10^{-3} \qquad (11)$$

As mentioned already, some mistakes in the judgement based on the test of a limited sample size cannot be precluded and are unavoidable in the real world. To reduce the probability of a mistake in the judgement, the requirement can be slightly overspecified:

$$P\{A_{SW}\} \le 0.2\, \beta'\, P\{A_{ran}\} \approx 0.02 \times 10^{-3} \qquad (12)$$

Now, the number of test cases needed to make a decision will be estimated. By choosing $\alpha = \beta = 0.001$, $h = p_1/p_0 = 0.1 \times 10^{-3} / 0.02 \times 10^{-3} = 5$ and substituting in the right side of (9) we obtain the expectation of the number of test sequences needed to make a decision:

$$E\{n\} = 2.8834 / p_0 \approx 144170 \text{ test sequences} \qquad (13)$$

The above value is indeed substantially smaller than the value determined by the method given in [1]: $n = 7 / (0.02 \times 10^{-3}) = 350000$ test sequences.

As mentioned already, the time span available for the software test is about one year. It will now be investigated whether the reliability test can be performed under this time constraint. For this purpose the length of the test sequences will be estimated on the basis of the realities in an NPP. Especially in the case of components which are used during power operation it is not difficult to construct test sequences which consist of fifty open/close signals. This means that about seven million on-off signals are to be applied to the test object. The minimal signal interval is normally one minute in this application field because of the running time surveillance of the valves. Therefore, only about five hundred thousand signals (525,600 = 60·24·365 minutes) can be applied during one year. This means that the test object must be modified to exclude the time determining functions that are not directly safety related.

2.6 Selection of Test Sequences and Estimation of Test Duration

Except for the first several years, when the operating crew is still unfamiliar with the plant, spurious trips are rather rare events, so that the input sequences of the SBC are not very long. The main feedwater isolation valves (MFIV) are actuated by every spurious reactor trip by the safety system. In the case of manual plant shutdown for the purpose of maintenance they are actuated by the operating crew. During normal power operation the MFIV are actuated only for the sake of the function tests every third month. Therefore, the input sequences to the SBC have the following patterns:

Case 1: No spurious plant trip and no manual shutdown: [FT,FT,FT,FT] (14), where FT: Function Test.

Case 2: 1 spurious plant trip: [FT,ST,FT,FT,FT], [FT,FT,ST,FT,FT], [FT,FT,FT,ST,FT], [FT,FT,FT,FT,ST] (15), where ST: Spurious trip.

Case 3: 1 spurious plant trip and an incident: [FT,ST,RP,FT,FT,FT], [FT,ST,FT,FT,FT,RP], [FT,ST,FT,RP,FT,FT], [FT,ST,FT,FT,RP,FT], [FT,FT,FT,FT,ST,RP] (16), where RP: Reactor protection signal.

The function test consists of the slave relay test (FT_S.R.) and the partial movement test (FT_P.M.) of the MFIV. These tests are performed by different departments with some time difference. Therefore, the input sequences can be refined further to take account of this detail. For example, the first input sequence can be refined as follows: [FT,RP,RP,FT,FT,FT] => [FT_S.R.,RP,FT_P.M.,RP,FT,FT,FT], [FT_P.M.,RP,FT_S.R.,RP,FT,FT,FT], [FT,RP,RP,FT,FT,FT]. (17)

Following the plant trip, the operating crew has to perform a series of manual tasks and can make some mistakes, for example, pushing the "close" push button instead of the "open" push button. To take account of such imponderable human errors, the subsequence {RP, RP} of the test sequences in (17) must be further refined: {RP, RP} => {RP, HE1, RP, HE2}, ..., {RP, HE1, HE2, RP, HE3}, ... (18)

Although the operating crews in a nuclear power plant are normally well trained for their jobs and perform their tasks guided by written procedures, human errors are unavoidable. The test sequences including multiple human errors have a relatively small probability of occurrence. However, there is an enormous number of test sequences with small but finite probability. According to the zero-one law of probability theory, well known as Murphy's rule, one of such events or test sequences unanticipated by the developer or reviewer definitely occurs in the long run. The risk is hidden in the union of such events with small but non-vanishing probability of occurrence.

The statistical test relies on utilizing a large set of test sequences to exercise the software. Therefore, the generation of the test sequences must be automated, for example, by using a random number generator. The manual generation of test sequences can be restricted to the test sequences with relatively high probability of occurrence. The insights obtained during this tedious work can serve as a solid basis for the subsequent design phase of the test sequence generator.
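An automated test-sequence generator of the kind section 2.6 calls for, as an added example that is not the paper's generator: one quarter of operation is modelled from the tokens FT, ST, RP and HE with the refinements (17) and (18), every variant can be enumerated with its probability, and whole years are drawn with a random number generator. All branch probabilities are constructed assumptions, and the interleaving of the two FT sub-tests with trip signals shown in (17) is not modelled.

```python
"""Automated generation of SBC input test sequences following section 2.6.

Added example, not the paper's generator: a small probabilistic model of one
operating year built from the tokens FT (function test), ST (spurious trip),
RP (reactor protection signal) and HE (human error). Branch probabilities are
constructed assumptions, not values from the paper.
"""
import itertools
import random

FT, ST, RP, HE = "FT", "ST", "RP", "HE"
FT_SR, FT_PM = "FT_S.R.", "FT_P.M."   # slave relay test, partial movement test

# Constructed model parameters (assumptions).
P_REFINE = 0.5                      # FT recorded as two separate sub-tests
P_ST = 0.1                          # spurious trip within one quarter
P_RP_GIVEN_ST = 0.3                 # reactor protection signal after a trip
P_HE = {0: 0.8, 1: 0.15, 2: 0.05}   # number of operator errors after a trip


def function_test_forms():
    """Refinement (17): one FT, or its two sub-tests in either order."""
    return [((FT,), 1 - P_REFINE),
            ((FT_SR, FT_PM), P_REFINE / 2),
            ((FT_PM, FT_SR), P_REFINE / 2)]


def with_human_errors(signal):
    """Refinement (18): a trip signal followed by 0, 1 or 2 human errors."""
    return [((signal,) + (HE,) * k, p) for k, p in P_HE.items()]


def event_forms():
    """Events of one quarter: none (case 1), ST alone (case 2), ST then RP (case 3)."""
    forms = [((), 1 - P_ST)]
    for st_part, p_st in with_human_errors(ST):
        forms.append((st_part, P_ST * (1 - P_RP_GIVEN_ST) * p_st))
        for rp_part, p_rp in with_human_errors(RP):
            forms.append((st_part + rp_part, P_ST * P_RP_GIVEN_ST * p_st * p_rp))
    return forms


def enumerate_quarter():
    """Every (sequence, probability) pair for one quarter; probabilities sum to 1."""
    return [(ft + ev, p_ft * p_ev)
            for (ft, p_ft), (ev, p_ev)
            in itertools.product(function_test_forms(), event_forms())]


def rare_mass(min_errors):
    """Total probability of quarter variants with at least min_errors human errors.

    Each such variant is improbable, but their union is not negligible: this
    is the mass a manual selection of the likeliest sequences leaves untested.
    """
    return sum(p for seq, p in enumerate_quarter() if seq.count(HE) >= min_errors)


def number_human_errors(seq):
    """Replace bare HE tokens by HE1, HE2, ... in order of occurrence, as in (18)."""
    out, k = [], 0
    for tok in seq:
        if tok == HE:
            k += 1
            tok = f"{HE}{k}"
        out.append(tok)
    return out


def sample_year(rng=None, quarters=4):
    """Draw one year's SBC input sequence (four quarterly function tests) at random."""
    rng = rng or random.Random()
    seqs, probs = zip(*enumerate_quarter())
    year = []
    for _ in range(quarters):
        year.extend(rng.choices(seqs, weights=probs, k=1)[0])
    return number_human_errors(year)


if __name__ == "__main__":
    rng = random.Random(1995)
    print(len(enumerate_quarter()), "quarter variants;",
          f"P(at least 2 human errors in a quarter) = {rare_mass(2):.4f}")
    for _ in range(3):
        print(sample_year(rng))
```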

3. Hardwired Backup

The initial position of the applicant was that in the case of completely tested software, a hardwired backup is unnecessary. Since the test conducted by the applicant was not accepted as complete and the supplementary test recommended by the regulatory agency was by nature only a statistical test, some residual software faults could remain undetected and surface during commercial operation. To resolve this concern, it was assumed that all µ-processor boards fall into totally undefined states simultaneously. This means that the safety system is totally lost. But it was assumed that no further additional incident of the pipe break type and no additional single failure in the control system has occurred. A detailed investigation showed that even with such a drastic hypothesis, the water inventory of the reactor coolant system as well as the inventory of the steam generator can be secured with the control system alone for approximately one hour, and the plant remains in a controllable state. The operating crew has enough time, if necessary, to restore the emergency feed line as well as the atmospheric steam dump line to maintain the plant in the hot standby state, if they have a small hardwired backup panel available. Since the software failure can be removed by reinitialisation of the RAM, this hardwired backup panel does not need to be expensive and could be backfitted easily. The applicant abandoned his initial position and agreed to the installation of the hardwired backup, which, bypassing the µ-processor, directly controls the components required to maintain the plant in the hot shutdown state.

4. Conclusion

In the licensing process of Yonggwang unit 3 and 4 a software test method was devised. This method does not try to verify that the test object is free from failures but tries to prove that the test object has achieved the prespecified reliability and represents, compared with its conventional analogue counterpart, no significant risk to the plant with a given probability. This approach secures the objectivity of the licensing process at least for a certain class of nontrivial software.

5. References

[1] D. L. Parnas et al., "Evaluation of safety-critical software", Comm. ACM, 33 (6), 1990.
[2] Ernest H. Forman et al., "Optimal time intervals for testing hypotheses on computer software errors", IEEE Trans. on Reliability, Vol. R-28, No. 3, Aug. 1979.
[3] Athanasios Papoulis, "Probability, Random Variables, and Stochastic Processes", McGraw-Hill, Inc., 1991.
[4] Ronald E. Walpole, Raymond H. Myers, "Probability and Statistics for Engineers and Scientists", Macmillan Pub. Co., 1985.
[5] A. Wald, "Sequential Tests of Statistical Hypotheses", Annals of Mathematical Statistics, XVI (2), June 1945.
[6] M. Fisz, "Wahrscheinlichkeitsrechnung und Mathematische Statistik", VEB Deutscher Verlag der Wissenschaften, Berlin, 1973.
[7] A. Mosleh et al., "Procedures for Treating Common Cause Failures in Safety and Reliability Studies", NUREG/CR-4780, Jan. 1989.
[8] Janet R. Dunham, "Experiments in Software Reliability: Life-Critical Applications", IEEE Trans. on Software Engineering, Vol. SE-12, No. 1, 1986.
[9] I. Sommerville, "Software Engineering", 4th Edition, Addison-Wesley Pub. Co., 1992.
[10] John D. Musa, Anthony Iannino, Kazuhira Okumoto, McGraw-Hill, 1987.

Session 3:

New Developments/Retrofitting of Specific Systems Chairman: Mr. van der Plas, Netherlands

AN EFFECTIVE NEW METHOD TO FILTER OUT FAILING IN-CORE SENSORS

Ferenc Adorján, KFKI Atomic Energy Research Institute of the Hungarian Academy of Sciences, Applied Reactor Physics Department, H-1525 Budapest, POB 49, Hungary

Abstract

The extensive and flexible data handling in the VERONA-u core monitoring system made it possible to test an original idea for validating the signals of in-core sensors. The basis of the method lies in the assumption that the "healthy" detectors located at a given axial elevation are supposed to have well-correlated signals against each other. We tested the idea by using historical data files that were collected by the VERONA-u system. Over 20,000 data sets (each including 252 SPND readings and 210 core outlet thermocouple readings) with 10 s time resolution from a whole operating cycle were utilized for testing [1]. The results have proved unambiguously that the method is very sensitive and stable at the same time. While the occurrence of false alarms was virtually zero, all the failing detectors were identified without using any a priori information. The failing detectors were spotted several days (even two weeks) before any other obvious sign of failure could have been seen. The stability of the method during transients, especially during control rod movements, was specifically analyzed. During such transients the sensitivity of the method typically decreases, which avoids false alarms.

1. INTRODUCTION

The significance of core-surveillance systems as part of the I&C systems of PWR reactors seems to be growing recently. These systems are also moving toward fixed in-core detectors (FIDs) that provide the possibility of continuous monitoring of the on-going processes inside the core. Since the installed FIDs can only be replaced during the refueling periods, it is crucial to keep track of the quality of each of the detectors. From the point of view of the uncertainty of the presented information, it is also of primary importance to include only those measurements in the evaluation algorithm that are certainly not farther away from reality than was assumed during the uncertainty analysis of the system. The density of the measurements in the core is usually high enough to allow rejecting a few percent of the detectors without any significant deterioration of the quality of the evaluation. Thus, it seems to be a better strategy to reject some suspicious measurements than to allow them to contaminate the results.

The difficulty of validating the signals of fixed in-core detectors lies in the fact that each detector is individually responsible for providing information about the local power density. Thus, theoretically, one can imagine a situation in which only one single detector is affected by some local malfunction in the core. This means that a signal value that does not fit smoothly into its neighborhood is not a good argument for its rejection without jeopardizing the goal of on-line core surveillance. Thus, excluding the trivial cases of zero or very low signal, the mere observation of the static signals of the detectors does not really provide an appropriate basis for signal rejection. The power reactors, however, operate in steady-state operational mode most of the time. This is the point where the always present process noise can help.

2. TYPICAL VALIDATION PROCEDURES FOR FID SIGNALS

Though the validation methods applied in operational on-line core surveillance systems are not frequently reported, according to the experience of the author they are typically based on some judgment of the stationary values of the detectors. Some of the applied or proposed methods are as follows:
• fixed acceptance window;
• acceptance window moving with the total power;
• normalized acceptance band around the average axial distribution;
• ranking all the readings and discarding those that are far off from the majority;
• acceptance band around the theoretical prediction.
Without defining these methods exactly, we can state that all of them suffer from a couple of common shortcomings:
• one needs to set the acceptance bandwidth wide enough to avoid rejecting valid signals;
• even with the most refined solution one has to choose a bandwidth not less than 20% of the signal, and this choice requires setting the signal uncertainties also (at least) to this range. This magnitude of uncertainty, however, is totally unacceptable.

As follows from the above, these and similar methods can only be applied as primary filters on the signals. To make the use of realistic measurement uncertainties justifiable, we need a significantly more sensitive method to validate those signals that are somewhere inside the acceptable range.

3. THE OUTLINE OF THE METHOD

There are two basic types of stationary (fixed) in-core sensors: the core outlet thermometers and the in-core neutron flux sensors. The latter can be, for example, different types of SPN detectors or γ-thermometers. It is true for all of these that the detectors are arranged in one or several layers, perpendicular to the axial coolant flow. There are several known causes and forms of in-core technological noise. Though the signal variations due to the process noise are very small in amplitude, they obey the system dynamic equations. To reach our goal, it is not necessary to understand completely the physical nature of the noise; it is sufficient that the noise characteristics produce correlated measured signals among all the sensors at the same axial elevation. The extent of this correlation may vary from one moment to the other, during different transient processes, or for different noise mechanisms. The response time of the sensors may pose some frequency limitations. We will see, however, that - at least for the VVER-type PWR reactors, from which the test data were obtained - there exist some very low-frequency and small amplitude noise components that are completely satisfactory for the purpose of this methodology.

Let us assume that there are J detector layers in the core with I detectors in each layer. We can then write the layer-wise linear correlation coefficient at the i-th position of the j-th layer as follows:

$$C_{ij} = \frac{\sum_t \left(m_{ij,t} - \bar{m}_{ij}\right)\left(m_{j,t} - \bar{m}_{j}\right)}{\sqrt{\sum_t \left(m_{ij,t} - \bar{m}_{ij}\right)^2 \; \sum_t \left(m_{j,t} - \bar{m}_{j}\right)^2}} \qquad (1)$$

which is defined over the T time interval (the summation for t symbolizes the summation of the measurements over the discrete time points $t = k\Delta t$ within the T interval; $\bar{m}_{ij}$ and $\bar{m}_{j}$ are the time averages of $m_{ij,t}$ and $m_{j,t}$ over this interval). The symbol $m_{ij,t}$ stands for the measurement at the i-th position of the j-th layer, and $m_{j,t}$ for the average of the measurements on the j-th layer at the t time point. Note that the correlation coefficient defined this way is affected by the explicit correlation between the layer-wise average and the individual measurement. It would be cleaner to use $\tilde{m}_{j,t}$ instead of $m_{j,t}$, where the former symbol stands for the layer average with the exclusion of the $m_{ij,t}$ measurement. The approximation is justifiable, however, if the number of measurements in a layer is sufficiently large. The literal definition of the $C_{ij}$ correlation coefficient is the measure of the correlation of each of the measurements on layer j with the average of the (otherwise valid) detector readings on the given layer. (The existence of such correlation is consistent with experience and is well illustrated in Figures 2 and 6, as discussed later on.)

The $C_{ij}$ coefficients are random variables, since they are created from the measured values. We need to make a statistical judgment to decide whether they can be regarded as samples of a single distribution or not. If not, then we must find those elements of the set that are unlikely to belong to the homogeneous subset determined by the majority of the points. Even in the case of a homogeneous set, the distribution of the correlation coefficients is a rather complicated function which falls very far from a Gaussian shape. Fortunately, there exists a simple mathematical transformation, the so-called Fisher's z-transformation [2], that transforms the distribution of linear correlation coefficients into a near-Gaussian distribution:

$$z_{ij} = \frac{1}{2}\ln\frac{1 + C_{ij}}{1 - C_{ij}} \qquad (2)$$

By applying this transformation on the $C_{ij}$ coefficients we obtain a set of $z_{ij}$ parameters that can be regarded as samples from a Gaussian distribution. Figure 1 illustrates the effect of the z-transformation. The data shown in the figure were obtained from the signals of 36 Rh SPNDs on the uppermost layer of the core, with T = 20 min, Δt = 10 s.

We can notice that there was one failed detector in the layer, the one with C = 0.59. According to our experience, during steady-state operation of the reactor all the acceptable $z_{ij}$ values seem to belong to a single distribution, while during a transient there may be distinct distributions for each of the layers. If the number of detectors per layer is sufficiently large (at least 10-15) we can estimate the first and the second moments of the distribution by the mean value $\bar{z}_j$ and the standard deviation $\sigma_j$, respectively.

Having fixed a one-sided confidence level K (the accepted probability that a valid signal falls below the threshold),

$$z_0 = \bar{z}_j - u_K \, \sigma_j \qquad (3)$$

defines the threshold above which the $z_{ij}$ values will be accepted, where $u_K$ is the standard normal quantile belonging to the one-sided probability K. In practice we used the

$$C_0 = \tanh(z_0) = \frac{e^{2 z_0} - 1}{e^{2 z_0} + 1} \qquad (4)$$

values as the acceptance thresholds for the correlation coefficients. Note that in our approach both $\sigma_j$ and $\bar{z}_j$ depend on the layer index j, therefore $C_0$ was also computed independently for each axial layer.

4. METHOD VALIDATION

4.1 Characteristics of the Validation Data Set

By the courtesy of Paks NPP, Hungary, the Atomic Energy Research Institute has obtained a set of historical data files collected by the recently installed VERONA-u core monitoring system [3]. The set of data files covers the entire cycle 10 of Unit 2 (a VVER-440/213 type reactor). The historical data files contain all measured data with 10 seconds resolution, including the measured currents of 252 Rh SPNDs (36 strings with 7 detectors in each), the mV signals of the 210 assembly outlet thermocouples, and several other technological signals. By using these files, any steady state or transient process of the reactor could be reconstructed with the same accuracy as in the on-line system. From among over 100 historical data storage files (covering 2.5 days each) we have selected 21 files to limit the amount of data. In addition to this, we have also used a special historical data file that covers the whole burnup cycle with a sampling frequency of 15 minutes. These 22 files have been used, among other studies, to validate this signal validation method. We have chosen the data files so that they cover the few transient processes that occurred during the cycle (the reactor was never shut down before the end of the cycle and there were only a couple of instances when it operated at a decreased power level for a few hours).

Figure 1 Histograms of correlation coefficients before and after the Z-transformation (upper panel: correlation coefficients, 0.59 to 0.99; lower panel: Z-transformed correlation coefficients, 0.74 to 2.98)

Note that one might think that the Rh SPNDs are not suitable for any analysis related to the dynamic response of the detector, due to their delayed response character. Fortunately, they have a roughly 8% prompt fraction in their signal that is good enough for this purpose, even at higher frequencies.

4.2. The Applied Tools

To study the contents of the historical data files we could easily use the services of the off-line VERONA-u core-monitoring system [3], such as the trend displays and the play-back facility. To test and qualify the above described methodology, we have developed two programs, independent of the VERONA-u system, called SPLC and TPLC. These programs perform the correlation analysis for the Rh SPND measurements and the core outlet thermocouples, respectively.

The programs request only two input parameters: the length of the time periods T for which the correlation coefficients are computed, and the confidence level for accepting a measurement. The programs retrieve the historical data files, which cover 2.5-4 days with 10 s resolution, and evaluate the correlation coefficients for every T period within the file. The lowest acceptable correlation coefficient is calculated independently for every time period and for every layer according to equations (3) and (4). The programs use two different confidence levels: one is called the suspect level $K_s$, the other the failure level $K_f$. The outputs of the programs provide detailed analysis tables for each T time period and summary statistics tables. By writing a simple batch file, one could evaluate all the available historical files in a single run.
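The procedure of section 3 (equations (1) to (4)) together with the two-level suspect/failure screening of SPLC and TPLC, as an added Python example; this is not the paper's code. The detector signals are constructed synthetic data (36 detectors of one layer, T = 20 min at 10 s), the AR(1) model of the common process noise and the detector numbering are assumptions, and the confidence levels are the SPND values quoted in section 5.1.

```python
"""Correlation-based validation of one layer of fixed in-core detectors.

Added example, not the SPLC/TPLC programs of the paper. It follows equations
(1)-(4) of section 3 and the suspect/failure two-level screening of section 4.2.
All detector signals below are constructed synthetic data.
"""
import math
import random
from statistics import NormalDist, mean, stdev

# One-sided confidence levels the paper used for the SPNDs (section 5.1).
K_SUSPECT = 5e-4
K_FAILURE = 1e-5


def correlation(x, y):
    """Linear correlation coefficient of two equally long sample sequences, eq. (1)."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    if sxx == 0.0 or syy == 0.0:
        return 0.0          # a constant signal carries no correlation
    return sxy / math.sqrt(sxx * syy)


def fisher_z(c):
    """Fisher's z-transformation, eq. (2): z = 0.5 * ln((1 + C) / (1 - C))."""
    c = max(-0.999999, min(0.999999, c))    # keep the logarithm finite at |C| = 1
    return 0.5 * math.log((1.0 + c) / (1.0 - c))


def inverse_fisher_z(z):
    """Back-transform of eq. (2): C = tanh(z), used for the threshold of eq. (4)."""
    return math.tanh(z)


def threshold(z_mean, z_sd, k):
    """Eqs (3)-(4): z0 = zbar - u_K * sigma, C0 = tanh(z0).

    u_K is the standard normal quantile that leaves probability K in the lower
    tail, so a healthy detector falls below C0 with probability K (false alarm).
    """
    u_k = NormalDist().inv_cdf(1.0 - k)
    return inverse_fisher_z(z_mean - u_k * z_sd)


def validate_layer(layer, k_suspect=K_SUSPECT, k_failure=K_FAILURE):
    """layer: list of I detector time series, one reading per time step over T.

    Returns (verdicts, corr, c_suspect, c_failure): a verdict per detector
    ('ok', 'suspect' or 'failure'), the C_ij of each live detector, and the two
    layer-wide acceptance thresholds.
    """
    n_t = len(layer[0])
    # Primary filter (section 2): a dead or constant signal is trivially bad and is
    # kept out of the layer statistics so it cannot inflate sigma for the others.
    live = [i for i, s in enumerate(layer) if max(s) > min(s)]
    # Layer average m_{j,t} over the live detectors, then C_ij per detector.
    avg = [sum(layer[i][t] for i in live) / len(live) for t in range(n_t)]
    corr = {i: correlation(layer[i], avg) for i in live}
    zs = [fisher_z(c) for c in corr.values()]
    z_mean, z_sd = mean(zs), stdev(zs)
    c_suspect = threshold(z_mean, z_sd, k_suspect)
    c_failure = threshold(z_mean, z_sd, k_failure)   # lower than c_suspect
    verdicts = []
    for i in range(len(layer)):
        if i not in corr or corr[i] < c_failure:
            verdicts.append("failure")
        elif corr[i] < c_suspect:
            verdicts.append("suspect")
        else:
            verdicts.append("ok")
    return verdicts, corr, c_suspect, c_failure


def synthetic_layer(n_det=36, n_t=120, failed=7, seed=1):
    """Constructed data: 36 SPNDs of one layer over T = 20 min sampled at 10 s.

    Healthy detectors share a slow ~1 % process-noise component (an AR(1)
    model, assumed here) plus small independent electronic noise; detector
    `failed` returns uncorrelated noise only, the failure mode of section 5.1.
    """
    rng = random.Random(seed)
    gains = [1.0 + 0.3 * rng.random() for _ in range(n_det)]   # local power levels
    layer = [[] for _ in range(n_det)]
    p = 0.0
    for _ in range(n_t):
        p = 0.9 * p + rng.gauss(0.0, 0.0044)       # common low-frequency noise
        for i in range(n_det):
            if i == failed:
                layer[i].append(gains[i] * (1.0 + rng.gauss(0.0, 0.02)))
            else:
                layer[i].append(gains[i] * (1.0 + p + rng.gauss(0.0, 0.001)))
    return layer


if __name__ == "__main__":
    verdicts, corr, c_s, c_f = validate_layer(synthetic_layer())
    print(f"thresholds: suspect C0 = {c_s:.3f}, failure C0 = {c_f:.3f}")
    for i, v in enumerate(verdicts):
        if v != "ok":
            print(f"detector {i}: C = {corr.get(i, 0.0):.3f} -> {v}")
```

Because the failed detector's z value enters the layer statistics, it inflates $\sigma_j$ and pulls the thresholds down; this is why the paper asks for at least 10-15 detectors per layer, and why dead signals are removed by the primary filter before the statistics are formed.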

5. RESULTS

In order to obtain sufficient statistics, we should choose T so that the sums in Eq. (1) contain a rather large number of terms. In general, we have found that the method is not very sensitive to the selection of the time period T. We could observe the behavior - as we expected - that if we chose too short a time period for calculating the correlation coefficients, then the number of spurious judgments of the method increased. Choosing too long a period somewhat decreases the sensitivity of the method. The selection of the confidence levels affects more directly the occurrence of spurious judgments and the sensitivity as well. The sampling frequency of the data also affects the result, but not as much as one might anticipate. The analysis of the cycle-long historical file, containing samples obtained every 15 minutes, provided a fairly good indication of the signal qualities.

5.1. SPND Evaluation

For the SPNDs, we used T = 30 min for the 10 s resolution historical files and T = 8 h for the file with 15 min resolution (covering the whole fuel cycle). The one-sided confidence levels were chosen to very low values, i.e. allowing an extremely low chance of false alarms. The "suspect" level was set to $K_s = 5 \cdot 10^{-4}$ probability, while the "failure" level to $K_f = 10^{-5}$.

Before going into any details of the test results, let us have a look at a typical behavior of the signals. Figure 2 presents a trend of the signals of six arbitrarily chosen Rh SPNDs from two adjacent layers. The signals from layer 6 are plotted with solid lines, and those from layer 5 with dotted lines. During about the first three quarters of the time period covered by the graph, the reactor was in steady-state operation. (Note that the y-axis shows only the upper 15% of the signal range.) The small random variations in the signals directly correspond to the roughly ±1% random variations in the total power of the core. This is rather clear from the well-correlated signals of all the detectors. About 3 hours before the end of the plot, a small control rod movement occurred. After that point the signals from the two layers are clearly disconnected from each other (due to the control rod movement), but the detector readings from a given layer still remain seemingly well correlated. This is much better visible in Figure 3, which is an enlarged plot of the rectangle in Figure 2. All this can clearly be seen in the plots, and the correlation analysis with SPLC provided results very consistent with the observations.

Figure 2 Correlated signals of SPN detectors (time axis in hours)

Figure 3 Detail of Figure 2 with the quasi-periodic disturbance

In the magnified plot of Figure 3 one can clearly notice that the uppermost two curves show some quasi-periodic superimposed perturbation. These detectors were in fact selected for display on a trend because the output of the SPLC program had shown slightly abnormal correlation coefficients for them (e.g. in a typical case for the uppermost curve C = 0.985, while the average on the layer was 0.999 and the $10^{-4}$ probability threshold level of the distribution was at 0.987). Similar effects were found for a few other detectors throughout the cycle, and the effects lasted for a few hours or a few days. We anticipate that it might have been caused by some vibrating in-core component, presumably a vibrating control assembly, since all the effects were found in the neighborhood of some control assembly. An independent analysis, which goes beyond the scope of this paper, is being carried out to clarify the situation. The fact, however, that the method was able to pinpoint such a weak effect highlights its sensitivity.

The analysis of the historical file that covered the whole cycle with 15 minute resolution showed that there were 3 detectors that were flagged by the test in a large percentage of the cases (the correlation coefficients were computed over 8 hour periods in this case). Note that the analyses based on the 10 s resolution files showed much higher sensitivity; the results from the 15 minute resolution file served rather to indicate where to look for some effect. The detectors with non-zero failure frequency (other than 04-37/6, 04-37/7, and 15-32/3) were all identified as having an anomaly similar to that shown in Figure 3. Though the real cause of this anomaly has not been explained so far, it is seemingly rather common in this technology.

Figure 4 presents the time trend of the failed signals along with 2 other signals for reference, over the first half of the cycle. We can see that the detectors identified by 04-37/6 and 15-32/3 failed gradually, having signals most of the time within the acceptable range. The third detector (not shown in the plot) failed suddenly, so that it provided no signal for about two months and then returned to normal operation. The notable result was not that the correlation analysis was able to flag the detectors when they gave those wildly varying signals, but that at the very beginning of the cycle, about two weeks before the first obvious signs on the trend curves, it was able to spot the failing detectors. The analysis during the first 2.5 days (using the 10 s resolution files) flagged the detectors 04-37/6 and 15-32/3 in 86% and 46% of the cases, respectively. Later on these figures increased to 87% and 96%. The pertinent results of the analysis during the very first 30 minutes, shown in Figure 5, are summarized in Table I. Thus, the method is extremely suitable for locating signals that provide randomly changing false values within the range of validity. The static zero signal of the third detector was also flagged as "failure" in 98% of the cases, though it could have been discarded by simpler methods as well. That detector did not show any sign of failure before its signal vanished suddenly.

Figure 4 Behavior of two failing SPNDs (04-37/6 and 15-32/3, with 04-37/5 and 15-32/2 as references)

Figure 5 shows the enlarged detail of Figure 4 with the regions where the detector failure could be noticed by a careful analysis of the trend curves by the naked eye. The correlation test, however, was able to identify the detector degradation in the very first 30 minute period.

TABLE I Results from the first 30 minutes
SPND      Correlation coefficient   Layer average   "Failure" threshold
15-32/3   0.462                     0.993           0.756
04-37/6   -0.257                    0.981           0.459

Figure 5 The first two weeks trend of a failing SPND (detail of Fig. 4; signals 15-32/2 and 15-32/3, with the regions of visible bad correlation and the first signs of degradation by trend marked)

Another criterion of a good signal validation method is its robustness, in the sense of not making spurious judgments. Having studied all the 22 files, containing about 22000 snapshots each, we could gather enough information to make the statement that (by choosing proper values of the few free parameters) the method is very stable, i.e. it practically never provides false judgments. During transients, it becomes less sensitive to small perturbations in the signal (or weak signs of failure of the sensor) but even more easily discards the signals of crude failure. We have scrutinized all the cases when some of the detectors were discarded and always found some valid reason for the judgment.

Transients with control rod movements seem to be the best candidates for checking the robustness of the method. To this end, we analyzed a transient process in which the total power of the reactor was raised from 50% to 100%. To make things worse, the 7 elements of the controlling bank were disconnected during the transient and the central element was let into the core somewhat deeper than the 6 others. The correlation analysis was carried out using T = 30 minute time periods. Table II shows a few characteristic results from the evaluation at the beginning of the process, as reference, and data from a period when significant control rod movement occurred. The selected detector was located next to the tip of the central control rod. Some more detailed results are given in [1]. It was a general experience with the method that the acceptance region tends to broaden during a transient, temporarily decreasing its sensitivity instead of causing spurious rejections.

TABLE II Behavior of correlation values during rod motion
                 Avg. corr. in layer 3   Correlation at 11-42/3   Threshold (p = 10^-4)
Reference case   0.999                   0.996                    0.956
Rod transient    0.987                   0.696                    0.132

5.2. Thermocouple Evaluation

The signals from the core outlet thermocouples were handled as a single group, i.e. we postulated that the correlation coefficients of all the good thermocouples should form a statistically homogeneous set. The analysis was carried out on the mV signals of the thermocouples instead of the temperatures, though we have no reason to assume that it would not work using the temperature values as well. We used T = 60 minute time periods for the analyses with the 10 s resolution files, and applied $K_s = 10^{-3}$ probability as the "suspect" level, while the "failure" level was $K_f = 2 \cdot 10^{-4}$.

There were only a few thermocouple signals that failed during the cycle. One of those was the measurement identified by TP 10-39, which started to show random variations approaching the end of the cycle. The trend curve in Figure 6 shows the time period when the signal failure was first noticed by the correlation analysis. (E.g. for the time period in the range of the third ellipse this detector gave a correlation coefficient of 0.761, while the average of the coefficients was 0.994 and the threshold value corresponding to the $2 \cdot 10^{-4}$ probability of false alarm was 0.875.) A few days later this detector failed completely.

Figure 6 First signs of degradation in the signal of a thermocouple

As a general experience with the thermocouples, we can say that in a few cases, during transients with control rod movements, the flux and power redistribution caused poor correlation between the thermocouples near the core edge and the average. Probably, the method would show an even more stable behavior if one formed two groups: one with the measurements in the internal region and another with the ones from the core periphery.

6. CONCLUSION

The modernization and upgrading of the computer based I&C systems and specifically of the on-line core monitoring systems poses high requirements on the measurement and the evaluation accuracy. This requirement is directly linked to the signal validation, since we need to be able to identify those measurements that are only off to the extent of the claimed measurement uncertainty. The static validation methods are usually unable to meet this goal.

The most important feature of the proposed signal validation method is that it is able to identify malfunctioning sensors that still provide signal levels in the range of well acceptable values. We also need to note that the method is not restricted to the in-core measurements; it is probably also applicable to other groups of measurements in a system where there is some redundancy and one can find some physical, technological reason for the signals being correlated within the group.

Based on the experiences cited above, the method will be included soon in the next release of VERONA-u core monitoring system as an on-line signal failure warning tool.

ACKNOWLEDGMENT

The authors express their gratitude to the Paks NPP Co., Hungary, for enabling access to the valuable data set that was the main tool for verifying the method. The author appreciated the valuable comments of Dr. I. Lux and of Mr. T. Morita (Westinghouse Electric Corp.). The research project was partly supported by the Hungarian National Committee of Technical Development (OMFB), grant No. 04448/94.

REFERENCES

[1] F. Adorján, T. Morita: A Correlation-Based Signal Validation Method for Fixed In-Core Detectors (submitted to Nuclear Technology, 1995)

[2] W. H. Press et al.: Numerical Recipes, The Art of Scientific Computing. Cambridge University Press, 1986

[3] I. Lux et al.: Experiences with the Upgraded VERONA-u VVER-440 Core Monitoring System, IAEA Specialists Meeting on Advanced Information Methods and Artificial Intelligence in Nuclear Power Plant Control Rooms, Halden, Norway, 13-15 September 1994

MODERNIZATION OF REACTOR CONTROL AND LIMITATION SYSTEMS IN GERMAN PWR-BASED NPP'S WITH THE NEW DIGITAL SAFETY I&C SYSTEM TELEPERM XS

Olaf Schömer, Project Engineer, SIEMENS KWU NLL4, Erlangen, Germany
Erlangen, July 1995

ABSTRACT

A new generation of digital (processor-based) I&C systems for safety-related applications in Nuclear Power Plants - the TELEPERM XS system - has been developed by the Power Generation Group (KWU) of SIEMENS. The system features are briefly outlined in the present paper.

The SIEMENS concept of replacement and modernization of existing reactor I&C systems is described.

The first modernization projects for several German PWR-based NPP's have been started in the field of reactor control and limitation systems and control rod actuation systems. Using the example of Neckarwestheim I NPP the main project phases for replacement of the Reactor I&C system are summarized and the current project progress state is reported.

1. INTRODUCTION

The situation of the nuclear power industry in Germany means that the potential market for safety I&C systems in new power plants is very small. On the other hand, several nuclear power plants will in the near future reach an age at which the partial or complete modernization of safety I&C systems becomes economically interesting and/or necessary in view of safety.

The existing non-digital safety I&C systems used in these nuclear power plants are special solutions for safety relevant applications. The batch production of these systems has already been stopped, or the costs per unit are very high because of the low production rate. Furthermore these systems usually do not match the high customer expectations with respect to serviceability, maintenance, diagnostics and documentation.

These considerations led SIEMENS KWU to the development of TELEPERM XS, a digital (processor-based) I&C system suited for applications in the safety relevant area of I&C of nuclear power plants. TELEPERM XS enables the design of customer-adapted solutions from small applications to complete systems of new power plants.

The development of the TELEPERM XS system is almost finished, and a system version qualified and type-tested according to German and international rules and codes will be available at the end of 1995.

TELEPERM XS finds its first applications in Germany in the field of modernization of reactor control and limitation systems and control rod control systems. The first projects in this area have been started and are described in the present article.

2. TELEPERM XS

Within the scope of the present article the properties and design criteria of the TELEPERM XS system are described only briefly. The attention of interested readers is directed to the references /1/, /3/, /4/ and /5/.

2.1 System designation and description

The digital I&C system TELEPERM XS has been designed for use in the safety I&C systems of nuclear power plants and will be qualified according to the KTA 3501 code for:
* Reactor Protection Systems,
* Reactor Limitation Systems and
* Reactor Control Systems.

TELEPERM XS has well defined interfaces to SIEMENS systems of:
* Reactor Instrumentation and neutron flux measurement (SINUPERM N),
* Radiation Monitoring (SINUPERM M) as well as
* Process Monitoring and
* Operational I&C (TELEPERM XP).

The following demands are stated for a digital I&C system suited for use in safety relevant applications. The combination of these demands leads to the requirement of high computing power of the CPUs and high transmission rates of the LANs.
* The failure combinations according to the KTA 3501 rule have to be managed:
  -> redundant system architecture,
  -> separated subsystems,
  -> decoupling.
* Short response times have to be kept:
  -> high computing power of the CPUs and high transmission rates of the LANs.
* The required reliability has to be proved:
  -> deterministic system behavior,
  -> cyclic operation of software without interrupts,
  -> no DELTA transmission,
  -> processing of signal and telegram status.

2.2 System Elements

Figure 2-1 shows the main systems elements of the TELEPERM XS system.

Figure 2-1 TELEPERM XS. Main system elements

Keeping in mind the experience with conventional I&C systems and digital computer-based systems for non-safety applications, no specific hardware components for the TELEPERM XS system have been developed. Rather, selected components of standard SIEMENS device families have been type-tested and qualified according to nuclear rules and codes. Those are:
* CPU modules of the SIMICRO MMC system,
* input/output modules of the SIMATIC S5 system and
* LAN modules of the SINEC H1 and SINEC L2 systems.

The second system element of the TELEPERM XS system is the specific system software, which was developed according to the DIN IEC 880 and DIN ISO 900x rules. The system software consists of:
* the small static operating system MICROS,
* the runtime environment, which connects the application software with the operating system and
* libraries of function blocks for I&C functions.

The system software has been developed to a large extent independently of the target hardware, in order to allow porting the software when the hardware generation changes.

The third and most interesting element of the TELEPERM XS system consists of the SPACE engineering tool for
* specification,
* automatic code generation,
* verification and
* documentation
of the I&C functions during the engineering process, as well as for
* testing,
* diagnostics and
* possible modifications
of the I&C functions during operation.

2.3 The SPACE engineering tool

The full size engineering tool of the TELEPERM XS system carries the title SPACE (Specification And Coding Environment) and is described in detail in reference /4/.

The main idea of software development and verification with the SPACE tool consists of the automatic code generation out of a formal graphical specification of the I&C functions held in a database.

The tasks for the I&C system are normally described by process engineers and physicists in the form of verbal descriptions, diagrams and equations.

The I&C engineer uses a set of well-defined, tested and qualified function blocks to convert the task description into function diagrams. The same method and tools are used for the specification of the system hardware. Thus the database is the single source for code generation and completely describes the designed I&C system. Furthermore, based on this engineering method, called forward documentation, the permanent consistency of the designed function diagrams and the I&C functions running on the target system is guaranteed.

The process of specification and verification of the I&C systems with the SPACE tool is shown in figures 2-2 and 2-3.

Figure 2-2 Verification of the formal specification


Figure 2-3 Verification of code generation

The method of automatic code generation out of a formal specification with the SPACE tool leads to several advantages:
* generation of parameter lists and order lists out of the database,
* possibility of load calculations at an early stage of engineering,
* possibility of testing and simulation of functions without target hardware.

2.4 Qualification of the system

The qualification and licensing process of an I&C system with TELEPERM XS is divided into:
* the type-testing of the components independent of the special application and
* the licensing procedure for a special application.

One of the main goals of the development of the TELEPERM XS system was to shift the main part of the qualification to the plant-independent part. The type-testing according to the valid national and international rules and codes covers:
* the hardware modules and
* the on-line software (operating system, runtime environment, libraries of function blocks).
For the engineering tool a quality verification according to DIN IEC 880 and DIN ISO 900x will be done.

The type-testing is currently being carried out. It will be finished at the end of 1995. The state of a plant specific licensing procedure is shown on the example of NPP Neckarwestheim 1 in chapter 4.

3. MODERNIZATION CONCEPT

SIEMENS KWU's concept of modernization and backfitting of safety I&C with the TELEPERM XS system has been described in detail in reference /1/.

SIEMENS KWU proposes a modernization process divided into 3 main phases, which are described in the following:
* feasibility study,
* concepts and
* implementation.

This method makes it possible to elaborate specific, customer-adapted, inexpensive, licensable solutions. Furthermore the customer has the possibility of making decisions after every phase.

3.1 Feasibility study

The first step of modernization is the elaboration of a feasibility study. In cooperation with the customer the existing plant situation of the reactor I&C has to be clarified and a modernization concept has to be elaborated.

Figure 3-1 shows the main steps during the elaboration of the feasibility study.

Figure 3-1 Project phase No. 1: "Feasibility Study" (main steps: current state of I&C systems, tasks, proposal for modernization)

The main task during the recording of the existing state of the I&C system is the identification of the I&C functions from the documentation of the I&C system and the classification of these functions according to protection goals. This makes it possible to formalize the I&C task with respect to the plant process and to compare the functions with the state of the art. Thus potential improvements of the I&C functions, going beyond the simple replacement of the device system, can be shown.

Furthermore, during the recording of the state of the I&C systems the plant-specific peculiarities are pointed out, for instance:
* space reserves in the switchgear building,
* power supply reserves,
* cable routing,
* device systems used by adjacent systems and
* interfaces and decoupling.

Based on this information, an individual replacement concept can be established in cooperation with the customer, in which the following conditions are considered:
* possibility of replacement of I&C cabinets,
* possibility of replacement of I&C functions,
* interfaces,
* customer requests with regard to operation & monitoring,
* licensing conditions,
* replacement time frame during scheduled refuelling.

Feasibility studies have been finished for the NPPs Neckarwestheim 1 and Unterweser and are currently being carried out for the NPPs Biblis A, Biblis B and Grafenrheinfeld.

3.2 Licensing documentation

In case of a positive customer decision for a replacement / modernization based on the results of the feasibility study, the elaboration of the concepts can be started. At the same time the concepts form the basis of the plant-specific licensing procedure. The structure of the licensing documentation is derived from the ZPI list for nuclear licensing procedures. As shown in figure 3-2, the documentation is subdivided into 3 main complexes:

Figure 3-2: Project phase No. 2 "Licensing Documentation" (total description: system architecture, replacement packages, time schedule, V&V concept; requirements for I&C: I&C tasks, classification, time behaviour, redundancy and diversity; I&C concepts: distribution of functions, system description, cabinet allocation, annunciation, testing, service, interfaces and decoupling, power supply, engineering tool, identification code, test operation)

The total description gives the reasoning and an overview of the modernization project and refers to the detailed concepts. Furthermore the modernization packages and a rough time schedule are defined. For the licensability of the replacement / modernization, a detailed verification and validation (V&V) concept for all phases of the project is essential.

If all existing I&C functions of the reactor I&C system have been identified and classified within the feasibility study, the safety tasks of the I&C modernization can be defined, taking into account the scope of functions to be replaced and the functional modifications to be made. The description of the I&C tasks contains only those functions which are to be replaced. Besides the description of the safety classification of the I&C functions and of the failure-inducing events to be coped with, the required time behaviour of the I&C functions has to be defined. This is a particular problem of digital, sequentially operating I&C systems, because it has to be proven that the total signal response time of the I&C system fulfils the time-behaviour demands of the process.
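The response-time proof mentioned above can be sketched as a simple worst-case bound over a chain of strictly cyclic stages. The following is an added example, not code or timing data from the paper or from TELEPERM XS: the stage names, cycle times, sensor and actuator delays are constructed for illustration, and the only figure taken from the document is the 200 ms reactor-trip demand quoted in the presentation slides. The bound assumes that the stages run unsynchronized and without interrupts, so that a change arriving just after a stage has sampled its inputs waits up to a full cycle before it is seen.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class CyclicStage:
    """One strictly cyclic element of the signal path (fixed cycle, no interrupts)."""
    name: str
    cycle_ms: float   # period at which the stage reads its inputs and writes its outputs
    exec_ms: float    # worst-case time from reading the inputs to writing the outputs


def stage_load(stage: CyclicStage) -> float:
    """Load of the stage; a value above 1.0 means the cycle is overrun (load calculation)."""
    return stage.exec_ms / stage.cycle_ms


def worst_case_response_ms(stages: List[CyclicStage], sensor_ms: float, actuator_ms: float) -> float:
    """Upper bound on the total signal response time along an unsynchronized cyclic chain.

    A change arriving just after a stage sampled its inputs is not seen before the next
    cycle, so every stage contributes one full cycle of waiting plus its own worst-case
    execution time. Unsynchronized stages are an assumption of this example.
    """
    for s in stages:
        if stage_load(s) > 1.0:
            raise ValueError(f"{s.name}: execution {s.exec_ms} ms exceeds cycle {s.cycle_ms} ms")
    return sensor_ms + sum(s.cycle_ms + s.exec_ms for s in stages) + actuator_ms


def best_case_response_ms(stages: List[CyclicStage], sensor_ms: float, actuator_ms: float) -> float:
    """Lower bound: the change arrives just before every sampling point."""
    return sensor_ms + sum(s.exec_ms for s in stages) + actuator_ms


def check_demand(stages: List[CyclicStage], sensor_ms: float, actuator_ms: float,
                 demand_ms: float) -> Tuple[bool, float]:
    """Returns (demand fulfilled, remaining margin in ms) for the worst case."""
    wcrt = worst_case_response_ms(stages, sensor_ms, actuator_ms)
    return wcrt <= demand_ms, demand_ms - wcrt


# Constructed figures for illustration only; not TELEPERM XS timing data.
TRIP_CHAIN = [
    CyclicStage("acquisition computer", cycle_ms=25.0, exec_ms=5.0),
    CyclicStage("optical LAN transfer", cycle_ms=10.0, exec_ms=2.0),
    CyclicStage("processing computer", cycle_ms=50.0, exec_ms=20.0),
    CyclicStage("voter", cycle_ms=25.0, exec_ms=5.0),
]
SENSOR_MS = 10.0     # transducer and input filter delay (assumed)
ACTUATOR_MS = 20.0   # switchgear / relay delay (assumed)
DEMAND_MS = 200.0    # reactor trip demand quoted in the presentation slides

if __name__ == "__main__":
    ok, margin = check_demand(TRIP_CHAIN, SENSOR_MS, ACTUATOR_MS, DEMAND_MS)
    print("worst case:", worst_case_response_ms(TRIP_CHAIN, SENSOR_MS, ACTUATOR_MS), "ms")
    print("best case: ", best_case_response_ms(TRIP_CHAIN, SENSOR_MS, ACTUATOR_MS), "ms")
    print("demand fulfilled:", ok, "margin:", margin, "ms")
    for s in TRIP_CHAIN:
        print(f"{s.name}: load {stage_load(s):.0%}")
```

The point of the bound is that the cycle times, not the execution times, dominate the result: with the figures above the worst case is 172 ms against a best case of 62 ms, and lengthening the processing cycle from 50 ms to 100 ms alone already violates the 200 ms demand.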

The main part of the licensing documentation is taken up by the I&C concept descriptions. Based on the safety tasks of the I&C system, the system architecture has to be defined and the I&C functions have to be distributed over the different subsystems. This makes it possible to evaluate the time behaviour to be expected. Furthermore the I&C cabinet allocation and the module disposition can be derived, as well as the power supply demands of the system hardware (power supply concept).

The man-machine-interface of the TELEPERM XS system is described in the scope of an operation & monitoring concept and an annunciation concept. The test concept and the service concept play a special role, because of the high customer expectations with regard to testing, maintenance and service of the I&C system.

Despite the high degree of self-testing and failure reporting based on the coincidence logic of the system, a limited number of repetitive tests of the I&C system remains necessary. Within the scope of the test concept the high degree of automation and serviceability of these tests has to be proven. A service station permanently connected to the I&C system is the workplace of the I&C engineer. The service concept has to show the system properties with regard to failure detection and localization, as well as for setting system parameters for special operating conditions (e.g. stretch-out operation) or system conditions (e.g. transducer failure).

The interface and decoupling concepts show the connection of the I&C system to be installed to the adjacent systems; protection measures against high-voltage influences are shown as well. The interface to the plant supervising computer (monitoring computer) plays a special role: a LAN connection via a gateway computer is foreseen, and the gateway computer provides the signal decoupling of the I&C system from the supervising computer. A concept describing the identification system used for the I&C functions and hardware is also part of the licensing documentation; in the German NPPs the AKZ and KKS systems are used.

The elaboration of the licensing documentation for the NPPs Neckarwestheim 1 and Unterweser is almost finished.

3.3 Implementation

The implementation begins after the elaboration of the licensing documentation and is subdivided into 4 stages (see also figure 3-3).

Figure 3-3: Project phase No. 3 "Implementation" (manufacturing of the I&C system: specification, code generation, order of hardware, manufacturing; assembly and test: cabinet assembly, cabling, electrical testing, integration test; commissioning: monitoring, testing, commissioning, start-up; training and operation support: instruction, training (simulator), product support, hot line, maintenance)

The elaboration of the function diagrams and hardware topology diagrams is called "specification of the I&C system". It can already be started within the second phase "licensing documentation", because it does not depend on the order and manufacturing of the system hardware. In particular the automatic code generation and the subsequent verification & validation of the I&C functions by means of a simulation testbed and load calculations give a higher degree of certainty for the implementation phase.

After the order and manufacturing of the system hardware, in particular the wiring and factory testing of the I&C cabinets, a large integration test in a test field will be started. The test specifications used for the simulation have to be proven on the target hardware. Furthermore the I&C software will be tested by means of plant simulation software. The goal of the integration test is a full-size test scope, in order to fit assembly and commissioning into the time frame of a scheduled refuelling outage.

The assembly of the system at the plant is limited to the assembly and commissioning of the pre-tested I&C cabinets and the connection of the input and output signals. For the pilot projects a test operation of the TELEPERM XS systems is planned in order to prove the reliability of the system under plant conditions. The "hot" commissioning of the TELEPERM XS system takes place after a one-year test operation.

The implementation phase concludes with extensive instruction and training of the customer staff as well as support in the field of maintenance and repetitive tests of the system.

4. NPP NECKARWESTHEIM 1

The NPP Neckarwestheim 1 is planning the modernization of a part of the reactor I&C, in particular reactor control, reactor limitation and control rod actuation, by means of the TELEPERM XS system. This modernization project is managed in the way described in chapter 3.

4.1 Feasibility study

In the period from 01/1994 to 01/1995 a feasibility study as described in chapter 3.1 was carried out.

In this feasibility study a total of 36 I&C functions of the reactor control, limitation and control rod actuation systems were identified and classified. These functions were compared with the corresponding functions of state-of-the-art NPPs and possible improvements were pointed out.

The identified functions are currently located in 24 I&C cabinets. A 4-channel TELEPERM XS system architecture has been proposed, which could be housed in 22 I&C cabinets. The space and power supply reserves in the switchgear building do not allow a full-size parallel operation of both I&C systems, but only a step-by-step replacement with disassembly of the old I&C cabinets.

The feasibility study was finished in January 1995 with a modernization proposal. The study consists of 24 work reports and led to the contract for the second phase "Licensing documentation".

4.2 Licensing documentation

The elaboration of the licensing documentation was started in January 1995. The documents are almost finished and the discussion of these documents with the licensing authority and its advisers has begun. The basic licensing documentation consists of 18 work reports.

4.2.1 Total description

In the scope of the total description of the modernization the system architecture is outlined and justified. Furthermore replacement packages have been defined (see also figure 4-1).

Figure 4-1: NPP Neckarwestheim 1, system architecture

Two independent 4-channel computer networks for the acquisition of signals and their processing in I&C functions have been foreseen for the safety classes S3 and B1 respectively. A LAN connection of every acquisition computer to all 4 processing computers of its class by means of optical fibre links is planned. The actuator control (control rods, pumps, valves, ...) is implemented in highly available and reliable computer configurations called "voters". The voters perform the coincidence logic and the priority voting of the commands arriving from the processing computers. All acquisition and processing computers as well as the voters of one redundant subsystem are connected to a special computer called "message interface", which provides the connection to the conventional operation & monitoring system and to the plant supervising computer.
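The voter behaviour described above, coincidence logic plus priority of the protection command over control commands, can be illustrated with a small model. This is an added example and not TELEPERM XS code: the 2-out-of-4 threshold, the rule that a loss of more channels than the coincidence needs drives the actuator to the safe state, the hold on conflicting control commands, and the reporting of a single deviating channel as a suspected failure are all assumptions of the example, chosen to show how the same coincidence logic yields both the actuation decision and the automatic failure report mentioned in the paper.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ChannelCommand:
    channel: str
    valid: bool             # False once self-testing or transducer monitoring has flagged the channel
    trip: bool              # protection demand from this channel's processing computer
    control: Optional[str]  # control demand for the actuator ("OPEN", "CLOSE", ...) or None


def cmd(channel: str, trip: bool = False, control: Optional[str] = None,
        valid: bool = True) -> ChannelCommand:
    """Convenience constructor for the constructed test cases."""
    return ChannelCommand(channel, valid, trip, control)


def coincidence_vote(cmds: List[ChannelCommand], m: int = 2) -> bool:
    """m-out-of-n coincidence on the protection demand, counting only valid channels.

    Example policy (assumption): if fewer than m healthy channels remain, the
    coincidence can no longer be formed and the voter falls back to the safe state.
    """
    valid = [c for c in cmds if c.valid]
    if len(valid) < m:
        return True
    return sum(1 for c in valid if c.trip) >= m


def deviating_channels(cmds: List[ChannelCommand]) -> List[str]:
    """Failure report derived from the coincidence: a single valid channel whose
    protection demand disagrees with all other valid channels is reported as suspect.
    Needs at least three valid channels to tell a majority from a minority."""
    valid = [c for c in cmds if c.valid]
    if len(valid) < 3:
        return []
    trips = [c.channel for c in valid if c.trip]
    no_trips = [c.channel for c in valid if not c.trip]
    if len(trips) == 1:
        return trips
    if len(no_trips) == 1:
        return no_trips
    return []


def priority_actuation(cmds: List[ChannelCommand], m: int = 2) -> Tuple[str, List[str]]:
    """Returns (actuator command, suspected channels).

    The protection demand has priority over any control command. A control command
    is only executed if m valid channels agree on it; on conflict or lack of
    agreement the actuator is held in its current position (assumption).
    """
    suspects = deviating_channels(cmds)
    if coincidence_vote(cmds, m):
        return "TRIP", suspects
    counts: Dict[str, int] = {}
    for c in cmds:
        if c.valid and c.control is not None:
            counts[c.control] = counts.get(c.control, 0) + 1
    winners = [command for command, n in counts.items() if n >= m]
    if len(winners) == 1:
        return winners[0], suspects
    return "HOLD", suspects


if __name__ == "__main__":
    # Constructed cases: one channel spuriously demanding a trip is reported, not actuated.
    single_deviation = [cmd("A", trip=True), cmd("B", control="OPEN"),
                        cmd("C", control="OPEN"), cmd("D", control="OPEN")]
    print(priority_actuation(single_deviation))   # ('OPEN', ['A'])
    # Channel A taken out by a transducer failure; B, C and D demand the trip.
    degraded = [cmd("A", valid=False), cmd("B", trip=True), cmd("C", trip=True), cmd("D", trip=True)]
    print(priority_actuation(degraded))           # ('TRIP', [])
```

Two properties are worth checking in such a model: a single faulty channel can neither cause nor block the actuation (it is only reported), and the degradation path on loss of channels ends in the safe state rather than in an undefined one.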

The modernization is planned in two steps. The rough time schedule is shown in figure 4-2.

Figure 4-2: NPP Neckarwestheim 1, time schedule (1994 to 1998)

4.2.2 Description of I&C tasks

Out of the 36 I&C functions identified during the feasibility study, 29 functions have been selected for the modernization. For several I&C functions process improvements have been foreseen, e.g.:
* pressurizer level limitation,
* feed water limitation.

4.2.3 I&C concepts

The licensing documentation consists of several I&C concepts, considering cabinet allocation, operation & monitoring, service and testing etc.

The allocation concept of the I&C cabinets follows the existing concept of four separate trains for the limitation functions. The control functions, currently implemented in a 1-channel architecture, will be implemented as a 4-channel system in TELEPERM XS. The functions of data acquisition and processing are combined in one I&C cabinet, so that per train one cabinet each for the class S3 and the class B1 functions is necessary. Furthermore one "message interface" cabinet per train will be provided. The control rod actuation will be processed in one cabinet per two control rod groups (8 rods), which leads to 6 cabinets distributed over 3 trains. The other actuators will be controlled by one cabinet per train.

Figure: NPP Neckarwestheim 1, cabinet disposition

The existing control room allocation and the interfaces of the system remain almost the same. Because of this, the instruction of the operating staff can be very short.

The annunciation processing has been designed according to the existing concept. The information transfer to the plant supervising computer can be improved by means of the optical fibre-based LAN instead of the existing single-wire connections. This makes a simple extension of the function and annunciation volume possible without hardware extension.

The central service station is protected against unauthorized access via different security levels for monitoring, testing and parameter setting. The test concept is based on the high extent of self testing of the system hardware and the automatic failure reporting by means of coincidence logic. The remaining necessary repetitive tests have a high degree of automation.

In addition to the type testing of the system components, a licensing procedure for the whole system will be carried out by the licensing authority. This includes integration tests in the test field as well as tests under plant conditions, and covers electrical and process tests. The scope of the process tests can be minimized thanks to the plant simulation software used in the test field.

For the NPP Neckarwestheim 1 an additional test operation is planned. A selected scope of I&C functions will be processed on limited system hardware components parallel to the existing system.

5 CONCLUSION

The safety I&C system TELEPERM XS will be available at the end of 1995 in a version qualified according to the KTA 350x rules.

The area of application of the TELEPERM XS system in Germany will be the replacement / modernization of existing I&C systems. In this area the customer demand for modernization begins at a plant age of about 15 years. For the first applications of the TELEPERM XS system the reactor control, reactor limitation and control rod actuation systems seem to be suited. In the area of reactor protection systems the application of TELEPERM XS is rather to be expected in the form of complete system solutions (e.g. emergency diesel start I&C).

In the area of reactor I&C several projects have been started, which are at different stages of completion. The first implementation of TELEPERM XS in Germany is to be expected in the middle of 1997 in the NPP Neckarwestheim 1.

6 REFERENCES

/1/ A. Graf, "Digitale Sicherheits-Leittechnik TELEPERM XS. Konzeption, Qualifizierung", Elektro- und Leittechniktagung für Kernkraftwerksbetreiber 1994
/2/ L. Reischl, "Austauschkonzept für TELEPERM XS", Elektro- und Leittechniktagung für Kernkraftwerksbetreiber 1994
/3/ H.-W. Bock, A. Graf, H. Hofmann, "Fortschrittliche Leittechniksysteme für Kernkraftwerke. Fertigstellung der digitalen Sicherheitsleittechnik TELEPERM XS", Lyon 1994
/4/ S. Richter, O. Schörner, "The SPACE engineering system", Arbeitsbericht KWU NL-R/1995/027, 22.05.1995
/5/ KWU NLL1-1001-00-V1.1/04.95, "TELEPERM XS. System description"

Presentation slides (SIEMENS KWU, TELEPERM XS); only the legible slide content is reproduced:

* Contents: TELEPERM XS system description; SIEMENS KWU modernization concept (feasibility study, licensing documentation / concepts, implementation); NPP Neckarwestheim 1 (project state, technical solutions).
* Requirements for safety I&C systems: short demanded response time (< 200 ms for reactor trip); demand for high computing power; redundant subsystems; no interrupts; no code optimization; simple program structures.
* Selected hardware components: standard SIEMENS I&C hardware (SIMATIC, SINEC, SIMICRO); TELEPERM XS as qualified I&C system for safety applications.
* SPACE development environment: formal requirements specification with the SPACE editor and an INGRES database; automatic code generation from the I&C functions, hardware parameters, rules and conventions and response-time requirements; target system compiler, linker and locator; loader; MicroSCOPE; simulation, testbed and test field; verification steps between process engineer and I&C engineer.
* Time schedule 1994 to 1998: feasibility study; licensing documentation (elaboration of concepts, specification of I&C functions, simulation and testing, start of the licensing procedure in April 1995, TÜV statement); implementation (engineering of limitation and control systems, test field, commissioning, test operation, commissioning of the limitation systems, commissioning of the control systems); plant revisions, contracts and milestones.
* Summary: the qualified TELEPERM XS system will be available at the end of 1995; the main area of application will be modernization / backfitting; the first modernization projects have been started; the first TELEPERM XS implementation in Germany is to be expected in NPP Neckarwestheim 1 in the middle of 1997.

NEUTRON SENSOR SIGNAL VALIDATION: EARLY AND ON-LINE OXYGEN INTRUSION DETECTION

Jean-Christophe TRAMA Alain BOURGERETTE, Eric BARAT

CEA (LETI - Advanced Technologies) DEIN/SPE, Saclay Research Center, 91191 Gif-sur-Yvette cedex, FRANCE

1. Introduction

We present here a new method for early and on-line neutron sensor signal validation. The method is based on theoretical work on the signal modelling of fission ionization chambers and boron ionization chambers ([1], [2]). This work showed that the sensor signals carry useful information not only, of course, in the DC part, but also in the fluctuation band. We suggest here that the Power Spectral Density (PSD) of the measurement signal is a very good signal validation criterion. To validate this hypothesis we worked on one of the most common degradation modes of ionization chambers, namely oxygen intrusion between the electrodes. We used an experimental version of a chamber from Merlin-Gerin, the chamber used in EDF PWRs for the intermediate-range flux monitoring lines. This chamber was successively filled with increasing quantities of oxygen. We compared the examination of the PSD with the survey of the saturation curves as failure detection tools, the latter being the off-line criterion presently used by EDF. The results showed an earlier detection by the PSD examination.

2. Description of the experiment

The chamber was a CC80 boron ionization chamber supplied by EDF. The oxygen intrusions were performed by the company Air Liquide at several levels (0% for the normal state; 0.1%, 1% and 10% for abnormal detector states). The neutrons were provided by the Ulysse facility at Saclay, with fluxes from 10^ to 3·10^10 neutrons per square centimetre and second. Wideband electronics were used. The signals were acquired with a LeCroy digital oscilloscope and recorded on a PC disk over an IEEE link. Two sampling rates were used, 50 kHz and 20 MHz, to study the slow ionic component and the fast electronic component of the signal respectively. The PSDs of the signals were computed off-line. At each oxygen concentration step we made several measurements at different bias voltages and drew the saturation curves.

3. Results of the experiments

For each oxygen concentration step we performed two measurement series a few weeks apart. Each time, the results of the two series at the same step differed. The reason is that, unlike a real oxygen intrusion, where a leak is the source of a continuous gas inflow, we introduced a finite quantity of oxygen once. This finite quantity was consumed rather quickly inside the sensor, so that the second measurement each time corresponded to a normal situation in which no oxygen remained. This might appear to be a rather annoying fact for our test. It is not, for two reasons: first, the first series at each step was performed immediately after the oxygen intrusion by Air Liquide and was therefore done under good conditions; secondly, it allowed us to conclude that a slightly deficient gas composition at the beginning of a chamber's operation is not a real problem because, provided there is no leak, this small quantity is quickly consumed in operation. In the following we speak only about the first series at each step. The examination of the saturation curves showed nothing, even at 1%. At 10% an anomaly appeared, as can be seen in figure 1.

Figure 1: saturation curves (chamber current versus bias voltage HT in V, 200 to 800 V, for 0%, 1% and 10% oxygen): anomaly detected at 10%, but not at 1%

The PSD was calculated as an average of numerous FFTs. The curves of the low band (50 kHz sampling rate) and of the high band (20 MHz sampling rate) were joined on the graphs to present the PSD continuously over the whole band. No rescaling was performed; the two curves met naturally at their common edge. We present these PSDs for bias voltages of 0 V, 100 V, 300 V and 600 V (nominal voltage), and additionally 800 V and 1000 V for the 10% concentration. At 0% we see a common frequency plateau, which tells us that all the charge carriers are collected at 100, 300 and 600 V: we are in the normal saturation case, exactly as for the DC measurement. The curve for 0 V corresponds to the electronics noise only.

Figure 2: PSD for the normal concentration 0% (Ulysse; bias voltages 0 V, 100 V, 300 V, 600 V; PSD versus frequency in Hz)

At 1% this high-frequency saturation plateau no longer exists, as can be seen in figure 3. This means that the oxygen introduction begins to affect the signal formation inside the sensor. The phenomenon is rather simple: the oxygen molecule, being electronegative, tends to attach the free electrons produced by the ionization. The electrons disappear and negative ions, which are about 1000 times slower, appear; this affects the PSD because the fast electrons are responsible for its high-frequency part.

Figure 3: PSD at 1% (Ulysse; bias voltages 0 V, 100 V, 300 V, 600 V; PSD versus frequency in Hz): high-frequency desaturation

As far as the 0.1% step is concerned, the saturation curve showed no anomaly. The PSD was affected by experimental difficulties, but still gave good indications that the change was already distinguishable.
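The PSD criterion used above can be turned into a concrete check: average the periodograms of many signal segments (the "average of numerous FFTs" of the paper) and compare the level of the high-frequency plateau with the low-frequency, ion-dominated band. The following is an added example and not the authors' code or measured data: the chamber signal is constructed (white noise standing in for the fast electron collection, low-pass noise for the slow ionic component, and a fraction of the electrons handed over to the ion component to mimic attachment to oxygen), and the band boundaries, the pure-Python FFT and the acceptance threshold are assumptions of the example.

```python
import cmath
import math
import random
from typing import List, Sequence


def fft(x: List[complex]) -> List[complex]:
    """Radix-2 Cooley-Tukey FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return [x[0]]
    even = fft(x[0::2])
    odd = fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        twiddle = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k] = even[k] + twiddle
        out[k + n // 2] = even[k] - twiddle
    return out


def averaged_psd(samples: Sequence[float], seg_len: int = 256) -> List[float]:
    """PSD as the average of the periodograms of consecutive segments (Bartlett's
    method). Returns bins 0 .. seg_len/2 - 1 in units of variance per bin, with the
    sampling interval taken as 1."""
    nseg = len(samples) // seg_len
    acc = [0.0] * (seg_len // 2)
    for s in range(nseg):
        spec = fft([complex(v) for v in samples[s * seg_len:(s + 1) * seg_len]])
        for k in range(seg_len // 2):
            acc[k] += abs(spec[k]) ** 2 / seg_len
    return [a / nseg for a in acc]


def chamber_signal(n: int, attach_fraction: float, seed: int = 1) -> List[float]:
    """Constructed stand-in for the chamber current (not measured data).

    Fast electron collection appears as white noise, the slow ionic component as
    low-pass (AR(1)) noise. Oxygen attachment removes a fraction of the electrons and
    hands their charge to the slow ion component, which is what flattens the
    high-frequency plateau.
    """
    rng = random.Random(seed)
    a = 0.98            # AR(1) pole: ions about 50 samples slower than electrons
    ion = 0.0
    out = []
    for _ in range(n):
        e = rng.gauss(0.0, 1.0)
        ion = a * ion + (1.0 - a) * (5.0 * rng.gauss(0.0, 1.0) + attach_fraction * e)
        out.append((1.0 - attach_fraction) * e + ion)
    return out


def plateau_ratio(samples: Sequence[float], seg_len: int = 256) -> float:
    """Level of the high-frequency plateau relative to the low-frequency (ionic) band.
    Band limits are assumptions of this example; the DC bin is skipped."""
    psd = averaged_psd(samples, seg_len)
    half = seg_len // 2
    low = psd[1:9]
    high = psd[3 * half // 4:half]
    return (sum(high) / len(high)) / (sum(low) / len(low))


def sensor_valid(samples: Sequence[float], threshold: float = 0.1) -> bool:
    """Validation criterion: the plateau must not have collapsed relative to the
    low band. The threshold would be set from a healthy reference measurement."""
    return plateau_ratio(samples) >= threshold


if __name__ == "__main__":
    healthy = chamber_signal(16384, attach_fraction=0.0)
    degraded = chamber_signal(16384, attach_fraction=0.9)
    print("plateau ratio healthy :", round(plateau_ratio(healthy), 3))
    print("plateau ratio degraded:", round(plateau_ratio(degraded), 3))
    print("healthy valid:", sensor_valid(healthy), " degraded valid:", sensor_valid(degraded))
```

Because the criterion is a ratio of two bands of the same spectrum, it is insensitive to the overall signal level, i.e. to the flux; this is the property that allows it to run on-line without a redundant sensor or a process model, as the conclusion of the paper points out.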

4. Discussion and conclusion

The PSD is a very valuable tool for neutron sensor signal validation. It can be computed on-line, as an extension of the fluctuation or mean-square-voltage (MSV) mode ([3]), and therefore has many advantages over the saturation curve, which is an off-line technique. Moreover, this signal validation method uses neither redundancy nor a process model, which makes it particularly interesting in accident situations, where many sensors may be faulty and the process may behave differently from normal operation. The last conclusion is that a slight presence of oxygen in a non-faulty chamber at the beginning of its operation is not important: the oxygen will be consumed during operation.

5 References

[1] E. Barat, J.-C. Trama, A. Bourgerette, "Neutron Sensor Modeling and Characterization", 9th Power Plant Dynamics, Control & Testing Symposium, Knoxville, Tennessee, 24-26 May 1995.
[2] E. Barat, J.-C. Trama, A. Bourgerette, "Neutron Sensor Signal Validation", SMORN 7, Avignon, France, 19-23 June 1995.
[3] G. Knoll, "Radiation Detection and Measurement", John Wiley and Sons, New York, 1989.

Session 4: IAEA TECDOC on Modernization of I&C in NPPs, Discussion on Scope and Structure. Chairman: Mr. A. Kossilov, IAEA

IAEA Technical Document on Modernization of I&C in NPPs

Based on the recommendation of the International Working Group on Nuclear Power Plant Control and Instrumentation (IWG-NPPCI), the Agency is planning to organize an Advisory Group Meeting (AGM) in March 1996 with the following objectives:

1. To solicit and analyse information from Member States regarding their experience in the modernization of I&C in nuclear power plants.
2. To identify requirements for system modernization.
3. To initiate the development of an IAEA TECDOC on "Modernization of I&C in Nuclear Power Plants".
4. To consider and approve the objectives of the TECDOC.
5. To prepare the extended outline of the TECDOC.

The participants of the meeting in Garching were asked to provide their suggestions and recommendations on the new IAEA technical document, based on national practices and experience.

It was pointed out that Instrumentation and Control is an essential element for the safe and economic operation of all aspects of nuclear-based industries. Good operational performance coupled with excellent safety records is being achieved in most countries of the world. These records are firmly based on the quality of the Instrumentation and Control systems and equipment. This quality needs to be evident in the conceptual design, manufacture, application, testing, operational use and maintenance of Instrumentation and Control if high standards are to be maintained. These factors are also very relevant when considering the refurbishment or replacement of I&C as many nuclear plants reach mature operating ages. This replacement aspect of I&C systems is an important consideration in many countries, especially in Eastern Europe.

The need for frequent backfitting of instrumentation and control systems arises from specific conditions such as: the rapid obsolescence of technologies, as a consequence of which new designs with new operational characteristics have to be employed; the high potential for improving and broadening I&C applications to achieve operational benefits on site at relatively low cost; and new regulatory requirements.

The reasons for upgrading the instrumentation and control systems in nuclear power plants are to take advantage of modern technology to improve plant availability and to reduce the contribution of instrumentation and control to escalating operating and maintenance costs. Modern instrumentation and control technology, using analogue and digital equipment to the best advantage, brings increased reliability, safety and cost-effective plant operation.

Based on discussion during the session the participants suggested the following topics to be considered within the scope of a new technical document:

1. Present situation and needs for I&C modernization (new standards, rapid obsolescence, new regulatory and operational requirements, etc.). When to start modernization.

2. Benefits expected: safety and availability improvements. Cost/benefit analysis. Safety assessment.

3. Technical requirements and technical possibilities for I&C modernization.

4. Tasks and duties of utilities, regulators, vendors.

5. General procedures for I&C modernization (project management, assessment tools, scheduling, special approaches, etc.)

6. Human aspects in introducing modern I&C - Control rooms, training and retraining. Integration of operator, hardware and software.

7. New developments on I&C qualification and testing. V&V - the ways to reduce cost.

8. Standards on I&C modernization. Applicability of international standards.

9. Involvement of the end user in the I&C modernization.

10. Survey of the modern technologies available for I&C modernization.

11. Basic reliability consideration.

The participants agreed that the new technical document should help to plan, develop and implement I&C systems for operating nuclear power plants; help to develop cost-effective approaches to qualification, verification and validation in order to obtain regulatory approval for new (digital) systems; and guide research and development of advanced technologies for improving the safety, reliability and productivity of present and future nuclear power plants.

Session 5: Enhancing MMI by New I&C Technologies. Chairman: Mr. N. Anani, Canada

Upgrade of Process Information Systems in NPPs, a First Step to an Overall I&C Modernization

J. Kollmannsberger, Sector Manager, Computer Systems, Siemens AG, Power Generation (KWU), Erlangen, Germany

1. Introduction

This specialists' meeting is motivated by the different lifespans of the various systems and components in the field of nuclear power technology.

Within the average lifespan of a nuclear power plant, the most innovative technologies, such as microelectronics and computer science, will obviously move from the "middle ages" to the "modern age".

For power plant I&C systems, an average system innovation cycle of 15 years and a system utilization time of about 25 years are usual. The exception is the computer-based information system, because of its closer dependency on the progress of computer science. Economic and operational aspects force utilities to replace computer systems, or at least subsystems, after 10 to 15 years of operation (Figure 1).

Comparing the lifespans of the other I&C systems, it is obvious that the replacement of the plant computer system should be integrated into an overall I&C modernization strategy. This is one of the reasons why backfitting a process information system is more than implementing the standard computerized functions, such as alarm annunciation, logs, archiving and graphics, on the basis of modernized hardware and software.

2. Customer Objectives for Retrofitting Plant Computer Systems

The decision to replace the process information system is driven by direct customer goals. The most important reason usually is obsolescence of the computer hardware and the capabilities and/or costs of spare part provision. Hardware and software maintenance of older, mostly proprietary systems requires provision for specialized personnel, which at least becomes a further cost factor. Finally, expansions of the plant or of the I&C equipment may require additional signal and/or calculation capacity.

Computer systems to be replaced today are based on the technology of the early 1980s, thus providing only simple computerized functions like logs, alarm annunciation and comparatively simple calculations. Adding new functionality is a further goal of plant operators. Much progress has been realized in the field of
- modern MMI functions,
- convenient archiving and post mortem analysis means,
- alarm reduction and alarm analysis,
- online training of shift personnel using original plant data.

A lot of specialized computerized functions are available today, using dedicated workstation- or PC-based systems, like
- environmental monitoring,
- special supervision systems (fatigue, loose part and leakage monitoring),
- radiation protection,
- (partial) online simulation,
- fast scan data processing,
- extended core calculations.

Modern power plant information systems allow data exchange, or at least provide appropriate interfaces, to integrate the output of these systems into the archiving and MMI functions of the main plant computer system.

Customer advantage within I&C backfitting is not only influenced by the direct project costs, but depends considerably on the project conditions. One of the most important features is the selection of future-based, expandable solutions to protect the investment. Further important criteria are minimization of outage and licensing risk.

3. How to Realize a Maximum of Customer Advantage

3.1 Future Based, Expandable Solutions

Limitations in computer capability forced specialized, mostly proprietary solutions for the computer systems being replaced now. Today's computer science increasingly allows the design of computer systems with real portability and expandability, provided this is explicitly defined and considered as a very basic design goal. Future-based solutions today as a minimum use state-of-the-art hardware and software components, must use open system technology and must be based on worldwide accepted standards.

Finally, it is an increasingly held opinion that it is most advantageous to consider the computer system as an integrated part of an overall I&C system comprising all subsystems for automation, reactor and safety I&C, specialized functions and the related engineering system. Doing this leads to the following steps of overall I&C upgrading with a minimum of risk.

3.2 Minimizing Licensing Risk and Plant Outage

Replacing or upgrading the process information system of a nuclear power plant is a very complex procedure.

In some countries backfitting measures are seriously influenced by the licensing situation. Minimizing licensing risk and plant outage time is therefore one of the key factors of large I&C replacement projects. A feasibility study, worked out in cooperation with competent suppliers, helps to minimize these risks.

This study should be worked out by an integrated team of the utility and an experienced supplier and should thoroughly
- identify the needs of the customer,
- define on an agreed basis the parts important to safety,
- define on an agreed basis the depth and procedures of licensing,
- work out a step-by-step strategy, including parallel operation if required,
- work out a qualification strategy for existing and new functions,
- assure professional system integration, including
  o decoupling
  o grounding
  o interference
  o cabling
  o appropriate space planning.

4. A Challenging Example: Computer Retrofit Project NPP Grohnde

In April 1994 Siemens received the order to replace the process information system of the nuclear power plant Grohnde in Germany.

The goals for the new system concept are:
- To retain the scope of the functions of the old process information system, especially by transforming the PRISCA graphics, thereby keeping the qualification level.
- To provide an open system architecture with a larger system capacity and facilities to execute new tasks.
- To be open to innovations which will be made in the field of computer technology.
- To provide a high degree of availability and reliability.
- To minimize disturbances in plant operation during the installation of the new system.

The basis for this large computer backfitting project is the new Siemens I&C-System for all types of power plants, TELEPERM XP (Figure 2).

The TELEPERM XP system consists of the following subsystems:
- AS 620: Automation System for implementation of automation functions
- SINEC: SIEMENS Network Communication as the bus system
- OM 650: Operator control and Monitoring, the control and monitoring system for process operation and exchange of information
- ES 680: Engineering system for planning, configuring and commissioning

For high-level computer replacement in nuclear power plants some additional functions are available within TELEPERM XP OM 650 IN. For data acquisition the standard subsystem TELEPERM XP AS 620 is used, engineered by the standard engineering system ES 680. Realization of the principles mentioned above is shown in the following.

4.1 Future Based, Expandable Solutions with TELEPERM XP

4.1.1 State of the Art Hardware and Software Components (Figure 3)

To assure compatibility and reduce training costs, the following equipment is used:
- standard Sun servers with the UNIX System V-based SOLARIS operating system,
- UNIX- and INTEL-based PCs,
- worldwide software standards, like UNIX, X-Windows, OSF Motif, and the ISO/OSI communication protocols,
- the INGRES database management system,
- worldwide accepted quasi-standards like SIMATIC, SINEC, TCP/IP.

4.1.2 Open System Technology

Today's open systems not only should allow data exchange on a standardized basis, for example Ethernet protocols, but must provide appropriate interfaces to integrate dedicated computer systems with respect to
- data acquisition,
- data archiving,
- MMI functions.

The TELEPERM XP IN-Concept for NPP Grohnde integrates special computers for nuclear core calculation, fast scan data processing and display of the closed loop control criteria and is open for connections to plant management system, environmental monitoring computer and expansions in the field of reactor and safety I&C. (Figure 4)

4.1.3 Integrated Way to Further I&C Upgrade

For process information system replacement in nuclear power plants, all subsystems of TELEPERM XP are applied:
- AS 620 (for data acquisition)
- OM 650 IN (for the information system)
- ES 680 (for engineering)
- communication system

Thus first provisions are made for the following upgrades of operational and safety I&C (Figure 5), for example
- adding or replacing operational I&C, for example water treatment,
- integration of first steps of safety I&C innovation (TELEPERM XS).

4.1.4 Minimizing Licensing and Outage Risk

Backfitting of the plant computer system of NPP Grohnde was initiated in 1993 with a well defined conceptual study comprising all relevant features mentioned above.

The following key factors for a successful risk-minimized project were identified:
- transformation of the complex PRISCA process graphics without loss of qualification,
- tool-supported transfer of the plant data basis ("data model"),
- connection of the new system's data acquisition allowing one year of parallel operation,
- system integration into the control room, switchgear building etc.

Meanwhile, the first site work was done during the refuelling outage in March 1995. Cabling and connection work will be started in the 1996 refuelling period. Parallel operation is scheduled for October to December 1996. In the refuelling period of 1997 the switchover to the new system and the decommissioning of the old system is planned.

5. Conclusion

Due to the very short innovation cycles in the field of computer technology, backfitting of process information systems should be considered as the first step of an overall I&C upgrade. Using today's modern hardware and software components will allow economic porting of the application software. Proceeding to the following computer generation, if decided, will be much easier.


Customer Objectives (1)

Replacement or upgrading of hardware and associated software

- Obsolescence

- Optimizing sparepart provision

- Optimizing HW and SW maintenance

- Increasing signal capacity


Customer Objectives (2)

Add Functionality
- modernized MMI functions
- convenient archiving and post mortem analysis means
- online training using data of original plant situations
- alarm reduction, alarm analysis

Integrate Dedicated Special Function Computers
- environmental monitoring
- special supervision systems (fatigue, loose parts, leakage monitoring)
- radiation monitoring
- fast scan data processing
- extended core calculations and online simulations
- computer aids for periodic testing


Customer Objectives (3)

Protect Investment

- future based, expandable solutions

- open system technology

- state of the art hardware and software components

- integration in overall I&C upgrade


Customer Objectives (4)

Minimizing licensing and outage risk
- competent conceptual study
- agreed parts important to safety
- step by step strategy
- keeping qualification of transferred functions
- qualification strategy for new functions
- parallel operation
- professional system integration considering
  o decoupling
  o grounding
  o interference
  o cabling
  o placing

Fig. 1: Power Plant I&C: Utilization Time of I&C Systems (figure: innovation of process electronic components and computer backfitting; standard processors 7 years, short-lived components 15 years, long-lived components; time axis 0 to 25 years)

Fig. 2: TELEPERM XP-IN: Process Information System for Nuclear Plant Grohnde (figure: SINEC H1 FO terminal bus and plant bus; OM 650-IN archiving system with juke box; coupling points for the external KRIT, SMR and READAT computers; AS620B data acquisition; aeroball flux measuring, KORMEL, SMR criteria, operational I&C, limitation and reactor protection system)

Fig. 3: NPP Grohnde: Process Computer Replacement with TELEPERM XP. Protection of Investment: State of the Art Hardware and Software Components (figure: X terminals, OSF Motif, X-Windows, OT 650-IN, PU 650-IN, SU 650-IN, ES 680-IN, SUN and INTEL hardware, UNIX SVR4, TCP/IP, INGRES; Ethernet, SINEC, ISO/OSI; AS 620, SIMATIC; operational hardwired I&C, limitation, reactor protection system; process)

Fig. 4: NPP Grohnde: Process Computer Replacement with TELEPERM XP. Future Based Solutions: Integration of Special Computerized Functions (figure: Readat, Krit and SMR computers connected to AS 620; operational hardwired I&C, limitation, reactor protection system; process)

Fig. 5: NPP Grohnde: Process Computer Replacement with TELEPERM XP. Future Based Solutions: Provisions for Further Steps of I&C Replacement (figure: OT 650-IN, PU 650-IN, SU 650-IN, ES 680-IN, Readat, Krit, SMR; several AS 620; operational hardwired I&C, limitation, reactor protection system; TXS)

THE STRATEGY FOR ADVANCED I&C SYSTEM (I3CS) DEVELOPMENT

J. T. Kim, C. S. Ham, K. C. Kwon, D. Y. Lee
Korea Atomic Energy Research Institute, P.O. Box 105, Yusong, Taejon, 305-600, Korea

ABSTRACT

All of the nuclear power plants in Korea are operating with analog instrumentation and control (I&C) equipment that is increasingly faced with frequent troubles, obsolescence and high maintenance expense. Electrical and computer technology has improved rapidly in recent years and has been applied to other industries. So it is strongly recommended that we adopt modern digital and computer technology to improve plant safety and availability. We established the plan for the development of advanced I&C technology and equipment to solve the above problems. This plan is aimed at replacement of the I&C systems of the existing plants, and at planned as well as next generation nuclear power plants. It is divided into three major parts as follows:
• Plan for domestic design of I&C systems and components
• Plan for domestic manufacturing of I&C equipment
• Plan for development of future technologies
According to the above strategy, the advanced I&C system, namely I3CS (Integrated Intelligent Instrumentation and Control System), will be developed for after-next generation NPPs. I3CS consists of three major parts: the advanced compact workstation, the distributed digital control and protection system, and the computer-based alarm processing and operator support system, namely DREAMS (Diagnosis, Response, and operator Aid Management System). The first stage for DREAMS is to develop DAS (Dynamic Alarm System), which reduces nuisance alarms based on operating mode, direct precursor, and dynamic prioritization.

1. INTRODUCTION

Nuclear power plants operating in Korea have analog instrumentation and control (I&C) equipment that is increasingly faced with frequent troubles, obsolescence and high maintenance expense. Digital technology provides advantages such as processing of numerous data, improvement of system reliability, flexibility in adding new functions, automation of periodic tests, self-diagnostics, and improved operation and maintenance using standardized components. So it is strongly recommended that Korean nuclear industries adopt modern digital and computer technology to improve nuclear power plant (NPP) safety, availability and operating functions.

Korean nuclear industries need to establish an overall plan for the development of advanced I&C technology and equipment to solve the above problems for the operational and future-planned NPPs. The strategy for the technology approach is shown in Fig. 1. The plan is aimed at replacement (backfitting) of existing I&C systems in operating NPPs, improving the I&C systems of planned NPPs, and application of new concepts to advanced I&C through first-of-a-kind engineering (FOAKE) and innovative I&C by future technology. It is divided into three major parts, described in the following sections, with the relationship shown in Fig. 2.

2. STRATEGIES OF TECHNOLOGY DEVELOPMENT

2.1 Bottom-up Approach

Nuclear industries have been making many efforts to improve I&C systems for the solution of I&C problems of existing plants. The main focus is on digitalization and the extended use of plant computers for data processing and display. If the I&C systems are designed by the top-down approach using fully digitized technology, this will provide the maximum improvement in plant operation and maintenance. However, the top-down approach requires a large amount of man-power and time. It is a feasible and easy way to upgrade I&C systems gradually to reduce adverse effects or risks on plant operation. Therefore, the I&C systems improvement for the near future plants in Korea should be done by the bottom-up approach. The bottom-up approach will be used to update the systems one by one as feasible. We have obtained the system design technology through the joint design and technology transfer for Yonggwang units 3,4 and Ulchin units 3,4 with ABB-CE. The design features of the bottom-up approach are as follows:

• Control system: Some devices of the control systems installed in the YGN 3&4 plants consist of digital microprocessor-based systems. However, they were implemented in a single non-redundant configuration.
• Safety systems: It is highly recommended that the reactor protection system and the engineered safety feature actuation system be improved with digital devices including automatic function test and self-diagnosis features.
• Plant computer system: It is a worldwide trend to use down-sized computers in a distributed configuration instead of using a large host computer. Also, for maintenance and the solution of obsolescence issues, it is more desirable to adopt an open distributed architecture based on UNIX workstations.
• Development of dynamic alarm system: Korea needs to develop an alarm system that can process and prioritize alarm signals effectively to provide a compact and simple display to operators depending on plant status.
• Improvement of operator aids: Computerization of operating procedures and tech. spec. monitoring functions and improvement of other operator aid functions will be necessary.

There should be a preliminary development stage in which a FOAKE (First Of A Kind Engineering) level of design will be performed before the contract for the plant. If there is any technology or skill that Korea has not yet obtained but should have shortly for special areas, it is recommended that foreign vendors and organizations help to develop the new I&C systems. Particularly, it is desirable for Korea and foreign vendors to pursue the development of safety I&C systems jointly for application to NPPs. After the contract for plant construction, detailed system design and implementation for the specific plant should be accomplished as scheduled.

2.2 Top-down Approach

It is expected that I&C systems, particularly the control room, for future plants will be strongly focused on human factors engineering. Therefore, the design of the I&C architecture and the control room should be done in terms of operator tasks, the types of information to be recognized, and error reduction. The design concept that gives the greatest consideration to the operator is only achieved by a top-down reconstruction of the whole I&C structure based on the allocation of functions and tasks to the human operator. The next generation NPPs in Korea should be designed by the top-down approach. Next generation NPPs are designed with the addition of operator support systems, operation automation, and integration of monitoring and control.

The top-down design approach, focused on operator tasks, should be performed on the basis of previously obtained system design technology, research and development results, technology transferred from ABB-CE and additional technology from the bottom-up approach. In the preliminary development stage before the contract for plant construction, designers will develop a standard design package to the level of FOAKE. If there are some fields of technology lacking in Korea, such as overall project management, design integration, and licensing technology, they will be provided by cooperation with foreign suppliers. At this point, we will use the standard design packages that are developed from the bottom-up approach and off-the-shelf equipment from the domestic supply program. The major activities are as follows:

• Preliminary conceptual design
  - establishment of strategy and planning
  - review of accident analysis report
  - analysis of design requirements
  - development of operator task analysis and evaluation techniques
  - preparation of a scheme for advanced technology application
• Conceptual design
  - system functional analysis
  - system function allocation and operator task allocation
  - setup of I&C architecture
  - development of design criteria
• Basic design and engineering
  - development of design requirements
  - development of software V&V plan and procedures
  - analysis of seismic and environmental qualification for hardware
  - analysis of failure modes and effects
  - development of inspection, test, analysis and acceptance criteria
  - approval of design certification
• Standard detail design and installation
  - development of standard detailed design package
• Specific detail design
  - detail design for specific plants
  - implementation and installation

2.3 Replacement of Obsolescent I&C Systems

It is predicted that trips caused by I&C obsolescence will continue to increase as plants continue to age. The obsolescence and maintenance problems of I&C components require the replacement of old-fashioned systems with new digital equipment including microprocessor-based devices.

Korea gained experience with the replacement of the steam generator level controller with digital equipment in Kori unit 1. This new system has exhibited excellent operation. The replacement of analog equipment in other operating NPPs should adopt digital technology with modularized and standardized components for improvement of safety and availability. The major activities for replacement of obsolescent equipment in operating NPPs are as follows:

• develop I&C upgrade strategies and life cycle plans
• set up the functional requirements and interface requirements
• planning for verification and validation
• system design, implementation and installation
• set up the quality assurance program
• produce procedures and documents
• operator training

KAERI recommends that the approach for replacing obsolete I&C equipment utilize domestic design technology and modern off-the-shelf equipment. If necessary for safety related systems, the conventional equipment may remain for back-up purposes until the newly installed equipment is fully approved. Other systems should be replaced by digital technology system by system, with removal of the conventional I&C equipment. After development of the next generation NPP I&C systems, complete I&C systems can be replaced by the technology obtained from the top-down approach and domestically developed modern off-the-shelf equipment.

2.4 Development of the Off-the-shelf Equipment

2.4.1. Objective

Distributed control systems (DCS) have advantages over direct digital control systems in many respects, including easier function expansion and better control reliability in a large system.

For Korean NPP I&C systems it is desirable that the DCS use an industrial open (non-proprietary) architecture, and the off-the-shelf equipment should be developed so that it can be used in other industries as well as NPPs, which is the goal of this stage.

Fully developed off-the-shelf components would replace the obsolescent components of the existing NPP and be applied in the next generation plant. The major objective of this stage is to assure the capability of providing easy replacements of forthcoming obsolescent digital devices and of implementing I&C system functions in NPP by using domestic technology.

2.4.2 Development Strategy

Domestic DCS technology has reached the level of application to fossil power plants. Starting from limited experience in NPPs, Korea needs to reinforce the basic technology and ensure improvement of reliability to meet NPP needs. The functional and performance requirements of the components should be based on a review of those requirements at the early stage of the development process, so that the off-the-shelf equipment is more adaptable and supports the commercial grade dedication process.

The development process of the components for NPPs is required to meet strict requirements including design procedures such as quality assurance and V&V. The application of those components to NPPs also requires sufficient experience in other industries for the high reliability needed by NPPs. At present, off-the-shelf equipment used in Korean industries is considered to be too unreliable to be applied to NPPs. However, it is expected that the domestic industries will guarantee the implementation and installation of the future NPP I&C systems through technology improvement. The developed components could be utilized for the replacement of the obsolescent I&C components and also for application to the next generation NPP. Therefore, the schedule for their development should meet the needs of both utilizations.

2.5 The Development of the Necessary Technologies

The new design concept based on digital technologies with wide experience in other industries should be introduced to develop the advanced I&C system of NPPs. This includes a computer-based control complex emphasizing operator tasks, computerized alarm processing, a distributed control architecture using a communication network, and so on. The application of these technologies to NPPs is expected to improve operability and maintainability.

The goal of this stage is the self-supporting capability of I&C systems for the NPP. These technologies would be applied to the next generation NPP as well as the planned NPP in Korea. For this purpose the development plan should be established strategically for timely application. First of all it must be decided which technologies shall be developed as the necessary items for the advanced I&C system and whether they shall be long term or short term projects. Short term projects consist of digital I&C system improvement for planned NPPs, and long term projects consist of the I&C system for the next generation NPP.

The technology qualification assurance should also be studied as one of the above individual technology items. This includes the assessment of the human factors engineering applied to the system, the verification and validation, and the electromagnetic interference.

• Necessary technologies for short term projects
  (1) Study on the improvement of reliability and performance in digital control and protection systems
    - stability analysis of the digital system
    - fault-tolerant method
    - digital PID control algorithm with high performance
    - high reliability
  (2) Development of the plant information and alarm system
    - advanced information platform
    - electronic display of normal and emergency procedures
    - tech. spec. monitoring
    - large board display of plant status
    - dynamic alarm processing
  (3) Study on integrity of the sensor loop with high performance instruments
  (4) Electromagnetic interference/electromagnetic compatibility
  (5) Data communication system
  (6) Verification and validation method
    - common mode failure analysis
    - diversity and defense-in-depth analysis
  (7) Engineering test and validation facility

• Necessary technologies for long term projects
  (1) Improvement of reliability and performance through modern control methods
    - adaptive/fuzzy control algorithm
    - robust control method
    - fault-tolerant control method
    - supervisory control
  (2) Integrated operation support system
  (3) Method of assessment of human factors
  (4) Improvement of integrity of the sensor loop using a smart sensor
  (5) Data communication network
  (6) Full scope simulator

3. STRATEGIES OF I3CS DEVELOPMENT

3.1 The Need of the New Concept

After the TMI-II accident, many analyses pointed out that deficient information and human error caused the accident. The operator should receive sufficient information to identify the plant state during a transient. To give the operator sufficient information, the I&C system should apply advanced digital technology. To reduce human error and support the operator's decisions, a new concept focused on the operator tasks should be applied to the advanced I&C system. The Electric Power Research Institute (EPRI) suggested that the advanced I&C system, especially the parts related to operator tasks including the control room, will be strongly focused on human factors engineering and advanced digital technology. The Westinghouse AP600 I&C system, ABB-CE Nuplex 80+, the CANDU 3 I&C system, and the EdF N4 I&C system were designed to adopt these new concepts.

KAERI has established these new concepts for the design of the next and after-next generation NPPs in Korea. Especially the after-next generation NPPs should be designed on the basis of these new concepts.

3.2 Target of I3CS

The team for development of the advanced I&C system in KAERI is developing the advanced I&C system, namely I3CS (Integrated Intelligent Instrumentation and Control System), applying the new concepts focused on advanced digital technology and human factors engineering for the next generation NPPs. These concepts of I3CS are set up as a result of the strategies of the technology development. I3CS reflects concepts of the EPRI URD such as the top-down approach based on functional task analysis, modern digital technology, standardization and simplification, availability and reliability, and protection of investment. The major targets of I3CS are as follows:

• Reduced Human Errors: First of all, the design methodology for reduction of human error should be developed. A feasible way to achieve a design that reduces human error is the top-down approach, reconstructing the I&C architecture including the control room based on a task allocation from the functional-based task analysis. Second, the causes bringing about human error should be eliminated. Because the auto start-up and cooldown system reduces operator intervention in the start-up and cooldown modes, operator mistakes will be significantly reduced. The intelligent operation support system helps to identify the plant state in transient conditions, to decide the operator tasks, and to guide operator actions.
• Improved Availability and Reliability: The reactor protection system and safety related systems will be designed with digital technology with an automatic test function and self-diagnosis features. These technologies will significantly decrease spurious reactor trips. The use of digital technology in NPPs brings advantages such as processing of numerous data, flexibility in adding new functions, and reduction of O&M expense. However, the application of digital technology may bring about new problems for ensuring safety and reliability, concerning common mode failure and software verification and validation (V&V). Especially because of the characteristics of software, the safety and reliability of software are critical issues in the digital I&C systems of NPPs.
• Standardization and Simplification: I3CS uses the industrial open architecture and off-the-shelf equipment manufactured by domestic industry. Because the off-the-shelf equipment is developed by adopting industry standards, modularizing and simplifying, repair of I&C equipment will be accomplished by simple modular replacement in the field, and O&M cost may be reduced.
• Assured Licensing: The application of digital technology, especially in digital safety systems, may bring about new problems such as common mode failure, software verification and validation (V&V), establishment of a quality assurance program and resolution of electromagnetic interference. A number of methods and tools to solve these problems are being studied and developed, but they do not solve them completely. These problems are directly connected with licensing issues. To protect the utility's investment, the license should be assured by solving these problems.

3.3 Development of I3CS

The I3CS concept has been developed on the basis of the technical review and the functional-based task analysis for next generation NPPs performed by the top-down approach. I3CS integrates advanced I&C technology as follows:

• robust and fault-tolerant control method
• intelligent supervisory control technique
• intelligent operator support technology
• human factors engineering concept
• integrity of sensor loop using a smart sensor
• data communication network using field bus

I3CS consists of three major parts.

3.3.1. Advanced Compact Workstation

The advanced control workstation will adapt the control workstation concept applied to next generation NPPs. This compact workstation will be upgraded by adding new design features on the basis of functional-based task allocation. The added design features are as follows:
• extension of supervisory functions
• extension of coordination functions between operators
• consolidation of operator support functions
• intelligent soft control technique
• electronic display of normal and emergency procedures
• extension of overview display
  - two detailed system overview mimics
  - selected movable overview display

3.3.2. Fully distributed digital control and protection system

The control and protection concepts applied to next generation NPPs will also be adapted in I3CS by adding the following design features:

• full use of the data communication network
• supervisory control coordinating primary and secondary systems
• auto start-up and shutdown system with supervisory coordinator
• robust and fault-tolerant control
• addition of macro control functions
• definite resolution of common-mode failure, software V&V and EMI

3.3.3. DREAMS (Diagnosis, Response and operation Management System)

These are strongly developing areas. At present, one of the most important issues in the human factors engineering field is the reduction of human errors. There are two ways to reduce human errors: to eliminate the essential causes of human errors that affect the operator, and to inform the operator precisely of the plant state in emergency conditions and to direct the operator actions. DREAMS provides the operator with exact information that supports the operator in diagnosing plant abnormalities and in managing the operator response, by applying the following technologies:

• computer-based dynamic alarm processing techniques
  - alarm suppression by operating mode
  - alarm suppression by direct precursor and cause-consequence relationship
  - dynamic prioritization dependent on plant state
• model-based fault detection and diagnosis functions
• integrated operation support and management system with computer-based normal and emergency procedure display, and technical specification monitoring

4. CONCLUSIONS

There are vigorous studies to solve the obsolescence problem of conventional I&C systems and to apply advanced reactor I&C systems, both domestically and in foreign countries. At present, Korea secures I&C system design technology by participating with ABB-CE in actual plant design. However, the concept design and implementation technology are insufficient, and therefore foreign technology is needed for developing an advanced I&C system, I3CS. This plan will provide for achieving self-reliance in I&C technology. We can expect that I3CS will be designed and implemented with domestic technology within a few years.


[Figure: Strategy of Technological Approaching (existing I&C, replacement, improved I&C, new technology concept, prototype, innovation I&C; domestic design of I&C system and components; domestic manufacturing of I&C equipment; bottom-up replacement of obsolescent equipment with off-the-shelf technology; top-down development of the system)]

[Figure: The Relationship of Technology Development (replacement of urgent obsolescent systems; development of a system design and implementation package; design improvement of planned NPPs; development of a standard MMIS design and implementation package; replacement of obsolescent systems; complete replacement of obsolescent MMIS; function upgrade of next generation NPPs)]

MODERNIZATION OF THE NEUTRON MONITORING SYSTEM IN THE NUCLEAR POWER PLANT BORSSELE

Authors:
Mr. J. W. De Vries, N.V. Elektriciteits-Produktiemaatschappij Zuid-Nederland
Mr. Harms, Siemens AG Power Generation Group KWU, Germany
Mr. Klein, Siemens AG Power Generation Group KWU, Germany
Mr. Schindhelm, Siemens AG Power Generation Group KWU, Germany

1 Abstract
2 History of the neutron measurement systems designed by Siemens / KWU
3 System status in KCB before backfitting
4 Description of the measurement system SINUPERM N
5 Concept of test and parametrization computer PPR
6 Qualification of SINUPERM N
7 Special customers staff training
8 Operation of the measurement system in KCB
9 Conclusion
10 References

1 Abstract

The neutron flux instrumentation system in Borssele NPP (KCB) was modernized during the scheduled refueling outage of 1994 as part of the "Project Modificaties". The TELEPERM B measurement system (in use since the initial startup of the plant) was replaced by the new digital SINUPERM N system. The functions of the new system are software-controlled. This results in state-of-the-art neutron flux instrumentation which meets current requirements. Backfitting was preceded by numerous tests and practical trials at a 1300 MW PWR, successful acceptance tests and special training for operating personnel.

In-depth planning of replacement work allowed dismantling of the TELEPERM B system and the installation of the new SINUPERM N system to be implemented in a very short time during the scheduled refueling outage.

The SINUPERM N system was in operation during startup of the plant in 1994 to prove its operational features and has now been working since February 1994 without faults or disruptions.

2 History of the neutron measurement systems designed by Siemens / KWU

The neutron measurement system in PWRs has to carry out the following tasks:
• monitoring the subcriticality of the core during fuel loading,
• monitoring of increasing neutron flux during system startup,
• monitoring of power and power density distribution at nominal and overpower.

The requirements for the different range channels were taken into account by using different types of detectors such as BF3 counter tubes, ionization chambers and self-powered n-β detectors with special electronics for the signal conditioning.

In the years between 1972 and 1975 the electronic part of neutron signal processing systems in KWU PWRs was realized with TELEPERM B modules. This analog measurement system consists of subassemblies for high voltage supply, pulse amplifiers, amplifiers with logarithmic characteristics, differential amplifiers for the power distribution detector system and other components.

Fig. 1 shows an example of such a system.

To perform servicing work such as monitoring the Zo/Z curve, measuring the overlap of source and intermediate range, monitoring of detector characteristics or calibrating the measurement channels, a number of different additional measurement devices such as counters, current meters and multi-channel analyzers were necessary. To get a neutron flux signal strictly proportional to reactor power, further subassemblies for correcting the influence of coolant temperature and signal noise had to be added. Some of these assemblies are part of the reactor protection system.

Fig. 1

The increasing demands on process control, information and visualization during service work, as well as experience gained during commissioning of nuclear power plants and power-ups, led to the development of SINUPERM C. This analog system was produced and installed by Siemens / KWU from 1978 till 1994. It was completed with a computer-based examination system. SINUPERM C systems are used for example in all KONVOI plants.

For further improvement of the neutron measurement system, the digital system SINUPERM N was developed and first used in the Borssele NPP.

3 System status in KCB before backfitting

The system status of the neutron measurement system in KCB was checked out during the scheduled refueling outage in 1993 in order to obtain concrete information for the preparation of the backfitting. The mechanical and the electrical condition of the measurement channels was therefore documented in an appropriate manner. Signals which influence the parametrization of the measurement system, such as coolant temperature fluctuation and signal noise, were recorded and analyzed.

The design of the system at KCB corresponds to the standard design of KWU PWRs, i.e. the neutron measurement system contains the following detectors:
• source range with 2 channels,
• intermediate range with 4 channels,
• power range with 4 channels,
• power distribution detector system (self-powered detectors) with 4 channels containing 10 detectors.
The arrangement of the detectors is shown in Fig. 2.

Fig. 2: arrangement of the detectors (axial and azimuthal position of the excore chambers; power distribution detector; aeroball system tubes; source range channel, intermediate range channel and power range channel)

Because the detectors and their cabling to the electronic cabinets were in good condition, the decision was made not to change these components. The results of this status check provided the basic information for the design and parametrization of the measurement channels as well as for the removal of the old and the installation of the new system.

4 Description of the measurement system SINUPERM N

The neutron measurement system SINUPERM N is a powerful multiprocessor system. It was designed to satisfy all required neutron flux density measurement functions. This includes ex-core systems with pulse range, intermediate range and power range as well as the in-core system with power density distribution detectors.

The system consists of two different sections:
• the analog section for high voltage supply of the detectors and for conditioning the signals of the different detector types,
• the digital section for signal processing, diagnostic functions, data transfer and communication with control systems.

The following properties of the measurement system are of special interest:
• short transfer times for triggering of the reactor protection limit values,
• interfaces for connection with digital control systems,
• digital filtering of neutron flux signals for noise reduction,
• parametrizable transfer function of the flux filter,
• support of all neutron measurement tasks from fuel loading to full power load,
• easy backfitting in plants equipped with other systems.

SINUPERM N consists of 12 different subassemblies, which can be freely connected via backplane wiring to achieve the desired function. The measurement channels at KCB are built with these modules. Fig. 3 shows the principal arrangement of the subassemblies and the connections between the modules.

Fig. 3: principal arrangement of the subassemblies (inputs include the coolant temperature)

Fig. 4 shows examples of power range and PDD channels in KCB.

Fig. 4

The system is completed by a test and parametrization computer PPR. The purpose of this computer is to automatically check and calibrate the measurement channels, register working modes and diagnose detector behavior.

Special features of SINUPERM N are digital filtering and temperature correction of the neutron flux signals. The maximum amplitudes of neutron flux noise signals depend on the mean value, the neutron spectrum, the coolant temperature and fluctuations of the coolant temperature. These factors lead to an increasing noise level during normal reactor cycles. In particular, the increasing temperature differences of the coolant at the outlet of the steam generator are responsible for this effect. With increasing amplitudes, the noise fraction of the neutron flux signals derived from the power range and the power distribution detectors can cause spurious response of reactor protection limiting values. The filtering smooths the signals to decrease noise amplitudes without changing the behavior in the event that actual neutron flux transients occur.

The signals measured at the ex-core detector positions are caused by thermal neutrons. The fast neutrons generated by nuclear fission reactions can be detected by the ex-core instrumentation only if they leave the reactor and are decelerated while passing through the reactor pressure vessel and the thermal shield. The number of neutrons leaving the in-core region depends on the moderating effect of the coolant. Because of the relationship between temperature and density of the coolant and the moderating effect, the measured neutron flux signal is dependent on coolant temperature. This dependency can be corrected digitally by the SINUPERM N measurement channel for pulse, intermediate and power range.

5 Concept of test and parametrization computer PPR

The checking, parametrization and calibration of SINUPERM N channels is supported by the PPR. Control by the PPR allows measurements to be carried out automatically. Two PPRs can be connected to the system. The central PPR is connected with all channels by a serial PROFIBUS and can handle the parameters of all subassemblies. A local PPR can be connected directly to a measurement channel for special work. The PPR controls the following procedures:
• parametrization of measurement channels,
• calibration of measurement channels,
• check of measurement channels,
• detection and analysis of internal system faults,
• check of the prerequisites for servicing work,
• performance of service work.

The overall control of these procedures is implemented by software modules at the PPR. During normal work of the channels during reactor cycles no connection between the PPR and the measurement channels is needed. In case of a defect in the PPR no disturbance of the normal function of the measurement system occurs, even if the PPR is connected with the system. The central PPR in the NPP Borssele is located in the computing room. The main elements for working with the PPR, such as monitor and keyboard, are located in the plant control room. Fig. 5 shows the principal arrangement of system checking with the PPR at KCB.

Fig. 5: system checking with the PPR at KCB (SR = source range channel, IR = intermediate range channel, PR = power range channel, PDD = power distribution channel, all connected via PROFIBUS to the central PPR; a local PPR is connectable to one channel)

6 Qualification of SINUPERM N

The qualification of the new digital neutron measurement system SINUPERM N was performed in parallel with the system development. The standard national and international rules were taken into account. The system verification was carried out by the German Technical Inspectorate TÜV-Norddeutschland with respect to KTA 3503 and international standards defined for example in IEEE 308 and IEEE 327.

For KCB the general rules of the IAEA were also considered. KCB decided to adopt the suggestion of Siemens / KWU regarding the first use of the system together with the related tests as the completion of system development. This was a successful way of preventing difficulties caused by the fact that the systems had not yet been certified.

The evaluation of the results gathered during the first year of work and a formal revision of the software led to a plant-independent certification for the worldwide use of the system. The updated and certified software was implemented during the 1995 scheduled refueling outage at KCB NPP.

During system development KWU assured the high quality of the product. This was guaranteed by meeting the rules defined in ISO 9000, KTA 1401, IAEA-50-C-QA as well as internal quality rules of Siemens / KWU.

In addition to numerous tests in WKF Fürth, SINUPERM N was checked out under realistic conditions during a scheduled refueling outage at a 1300 MW PWR in 1993. Measurement channels for the pulse and the intermediate range were assembled from first module prototypes. These preassemblies were connected to additional detectors, which formed the testing environment. Information gathered during the fuel unloading and loading was of special interest for reviewing the system. The results showed the capability of the system to perform all required functions. Several errors found in the prototypes were corrected immediately. It was therefore possible to use the completed prototypes during startup of this plant. Additional errors were corrected during the further development of the system.

The acceptance test was of particular importance, on the one hand for the final design of the system and on the other hand to guarantee a continuous course of installation and commissioning of the measurement channels. The acceptance test was performed at the manufacturing plant in the WKF Fürth with a complete measurement system and a complete check of its functionality. System tests, integration tests and special training of personnel were performed.

7 Special customers staff training

The goal of training the KCB personnel was to provide all the information needed to work with SINUPERM N. Training was divided into a theoretical and a practical part.

The theoretical part provided the customer with basic functional principles and important conditions for working with the neutron measurement system. The practical part showed the handling of the system and was performed during the acceptance test at WKF in Fürth. The users were able to apply the information, gathered during the theoretical training with the complete system.

The final phase of training was the participation of the KCB NPP personnel in the commissioning of SINUPERM N.

8 Operation of the measurement system in KCB

Because of detailed planning, the complete removal of the existing system TELEPERM B took less than 5 days. The installation of the racks with the measurement channels and the wiring to the peripherals was performed in accordance with the assembly procedures. Fig. 6 shows a part of the system with 1 rack.

The electrical commissioning of the measurement channels was performed with the help of the PPR and completed within the duration of the scheduled outage, thus enabling process-related commissioning to be performed in parallel with startup of the plant in 1994.

With respect to the numerous tests performed during the system tests on a 1300 MW PWR and during the acceptance test, all additional checks could be accomplished in parallel with normal power-up.

The commissioning of the source range channels was completed earlier than the others, thus allowing them to be used to monitor the subcriticality during fuel loading.

During startup, the system was able to demonstrate its capabilities. The use of SINUPERM N allowed a significant reduction in the time required for startup. Calibration of the ex-core detectors no longer requires interruptions to the startup procedure.

The following checks were done with support of SINUPERM N neutron measurement channels:
• monitoring of the Zo/Z curve for observation of the approach to reactor criticality,
• monitoring the overlap between source and intermediate range as well as the linearity of the signals,
• monitoring the reactivity,
• calibration of intermediate range channels,
• calibration of power range channels,
• calibration of power density distribution channels, zero-point calibration of axial tilt for adjustment of power density distribution channels in the case of symmetrical power distribution.

Fig. 6

Fig. 7 shows examples of curves and protocols generated during power-up in 1994 at KCB NPP.

Fig. 7

The measurement system has been in operation since February 1994 without interruption. No system faults have occurred.

9 Conclusion

The experience gained during its initial use in KCB NPP proves that SINUPERM N is a powerful and user-friendly digital measurement system. It is suitable for backfitting in PWR plants constructed by Siemens / KWU as well as in plants of other vendors.

With careful planning the backfitting can be performed during a normal scheduled refueling outage.

The new strategy for testing with the use of a test and parametrization computer (PPR) leads to a significant saving of the time required for startup of the plant.

The next backfitting of a SINUPERM N measurement system will be at the Biblis B nuclear power plant. This will be the first plant in Germany where such equipment is installed.


PROCESS VISUALIZATION FOR NPPs RUNNING UNDER WINDOWS

Schildt, G. H., O. Univ. Prof., Senior Member of IEEE
Vienna University of Technology, Institute for Automation
Treitlstr. 3/183-1, A-1040 Wien
e-mail: [email protected]

KEYWORDS. Safety critical process visualization, fail-safe comparator, safety chain, dynamization principle, n-version programming, WINDOWS application, fundamentals of safety technique.

ABSTRACT. After an introduction to the fundamentals of safety technique, a double-channelled process visualization principle is presented. It is based on a (2-of-2) system configuration using different hardware and software channels. N-version programming together with different computer hardware is applied in order to establish a low-cost redesign using commercial microprocessor components. The dynamization principle is applied. A first demo version running on a PC under WINDOWS 3.1 is presented. Basically, safety aspects of safety-critical programs running under WINDOWS 3.1 are discussed. Future developments are presented.

1. INTRODUCTION

Up to now, in the field of NPPs safety-critical devices have normally been realized in hardware. In the past, safety proofs were often done by considering the reaction of a certain device in case of failures. This was done by applying failure mode, effects and criticality analysis (FMECA). Nowadays, first steps are being taken to transform process control to computerized systems. But the essential problem is that, on the one hand, no commercial computer operates in a fail-safe manner and, on the other hand, software will never be error-free. In particular, up to now no safety-critical process visualization is available. In the following, a new concept of a double-channelled process visualization system will be presented. First, some terms of fail-safe technique shall be defined:

- safety critical system: control system causing no hazard to people or material in case of environmental influence or system failure.

- safety: property of an item to cause no hazard under given conditions during a given time, i.e. avoidance of undue fail conditions. Undue fail conditions may be caused by technical system failures and by malfunction of an electronic device, e.g. induced by electromagnetic noise.

- hazard (according to safety engineering): condition of a system that cannot be controlled by given means and may lead to damages to persons.

- safe system state: property of a system state to cause no hazard to people or material (in many applications of safety-critical control systems there exists a safe system state; in some systems it is possible to choose the simplest way, achieving the safe system state by shutdown).

- fail-safe: technical failures within an item may lead to fail states of the safety-critical system (fail), which however have to be safe (safe).

Because up to now no fail-safe one-channelled computer is available, one has to choose a configuration of at least two commercial computers running in parallel. In the case of a double-channelled computerized control system, the results of both channels are fed to a fail-safe comparator, whose output enables a safe gate in case of equivalent results (command telegrams) [SCHI 80]. The system structure is shown in Figure 1.

[Figure 1: (2 of 2) control system with fail-safe comparator. Labels: input data from technical process; fail-safe comparator; command telegrams; safe gate to technical process; system state diagram with transition to shutdown (p00 = 1).]

Legend: tFD = failure detection time; pxx = transition probability; tF1 = time of first critical failure; tF2 = time of second critical failure

In this system configuration the two channels themselves do not need to operate fail-safely. It is the full responsibility of the fail-safe comparator component to change over the whole system into a safe system state. The fail-safe comparator has to detect any inequality of the generated command telegrams within a specified failure detection time and with respect to a well-defined tolerance zone. Basically, no complex fail-safe comparator with a comfortable tolerance zone management has been developed.
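As an added example (not code from the paper or from the author's prototype), the following Python model shows the comparator behaviour described above: both channels' command telegrams are paired by sequence number, compared within a tolerance zone, and a disagreement or a missing telegram that outlives the failure detection time tFD forces the latched safe state. The telegram format, the tolerance zone and the value of tFD are assumptions, since the paper does not specify them.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Telegram:
    """Command telegram emitted by one channel (constructed format, not from the paper)."""
    t: float        # emission time in seconds
    seq: int        # sequence number; both channels number their telegrams alike
    command: str    # command identifier
    value: float    # numeric argument of the command


class FailSafeComparator:
    """(2-of-2) comparator in front of the safe gate, as sketched in Figure 1.

    Assumptions (the paper does not fix them): two telegrams with the same
    sequence number agree when the command is identical and the values differ
    by at most `tolerance` (the tolerance zone).  A disagreement, or a telegram
    whose partner never arrives, that persists for `t_fd` seconds (the failure
    detection time) drives the system into the safe state.  That state is
    latched: once shut down, this object never re-enables the gate.
    """

    def __init__(self, tolerance: float, t_fd: float) -> None:
        self.tolerance = tolerance
        self.t_fd = t_fd
        self.pending: Dict[int, Tuple[int, Telegram]] = {}  # seq -> (channel, telegram)
        self.mismatch_since: Optional[float] = None          # time of first unresolved mismatch
        self.shutdown = False
        self.gate_enabled = False

    def _trip(self) -> str:
        self.shutdown = True
        self.gate_enabled = False
        return "SHUTDOWN"

    def tick(self, now: float) -> str:
        """Advance time; trip if a mismatch or a missing partner has outlived t_fd."""
        if self.shutdown:
            return "SHUTDOWN"
        if self.mismatch_since is not None and now - self.mismatch_since >= self.t_fd:
            return self._trip()
        for _, tg in self.pending.values():
            if now - tg.t >= self.t_fd:
                return self._trip()
        return "ENABLE" if self.gate_enabled else "WAIT"

    def feed(self, channel: int, tg: Telegram) -> str:
        """Feed one telegram; returns ENABLE, WAIT, HOLD or SHUTDOWN."""
        if self.tick(tg.t) == "SHUTDOWN":
            return "SHUTDOWN"
        partner = self.pending.pop(tg.seq, None)
        if partner is None:
            self.pending[tg.seq] = (channel, tg)
            self.gate_enabled = False          # nothing to compare against yet
            return "WAIT"
        other_channel, other = partner
        if other_channel == channel:
            return self._trip()                # same channel twice: protocol violation
        if other.command == tg.command and abs(other.value - tg.value) <= self.tolerance:
            self.mismatch_since = None
            self.gate_enabled = True           # equivalent telegrams: open the safe gate
            return "ENABLE"
        self.gate_enabled = False              # unequal telegrams: gate stays closed
        if self.mismatch_since is None:
            self.mismatch_since = tg.t
        return "HOLD"


def demo() -> List[str]:
    """Constructed scenario: agreement, then a disagreement in channel 2 that persists."""
    comp = FailSafeComparator(tolerance=0.5, t_fd=2.0)
    traffic = [
        (1, Telegram(0.0, 1, "SET_LIMIT", 100.0)),
        (2, Telegram(0.1, 1, "SET_LIMIT", 100.3)),   # inside the tolerance zone
        (1, Telegram(1.0, 2, "SET_LIMIT", 100.0)),
        (2, Telegram(1.1, 2, "SET_LIMIT", 110.0)),   # channel 2 deviates
        (1, Telegram(3.0, 3, "SET_LIMIT", 100.0)),
        (2, Telegram(3.2, 3, "SET_LIMIT", 110.0)),   # mismatch now older than t_fd
    ]
    return [comp.feed(ch, tg) for ch, tg in traffic]


if __name__ == "__main__":
    print(demo())
```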

2. PROCESS VISUALIZATION

Today, computers are not used for reactor protection systems. The main reason for this is that software will never be error-free. For visualization purposes computers may be used to support the human decision maker. This motivated the following visualization concept:

[Figure 2: Process Visualization Concept. Labels: instrumentation (3-channelled); image processing system (channel 1); image processing system (channel 2); CRT (process visualization).]

Measured values, which are to be visualized, are fed simultaneously into two independent image processing systems. Each image processing system generates a certain display. The output of each of them is an image that represents the actual status of the reactor. Using an electronic switch, which toggles in rapid succession (e.g. once a second), the images are combined into a chopped picture, which is displayed on a CRT.

If the contents of the two images are identical, the operator does see one stable picture. Otherwise, some display elements (corr. to process elements) will blink. Safety-critical commands may be issued by the operator only, if no element blinks. In order to guarantee that the periodical switch is indeed toggling an additional display element is applied. If the image currently displayed comes from one processing unit, a vertical bar is displayed, if it comes from the other a horizontal one is used.

Usually, colours are used heavily to convey status information in process visualization. If colours are used to indicate critical states or events, precautions must be taken to ensure proper operation of the colour display. An example of a colour failure would be the drop-out of the red electron gun of a CRT. In this case the alarm state of an element cannot be displayed due to the missing colour. An appropriate countermeasure to this risk is to display a combined colour bar containing all relevant colours and to change the size of the bar periodically. If possible, the period of these changes should differ from the period of the switch toggle, in order to avoid any common mode effect.

Altogether an operator is allowed to perform safety-critical operations only if the following four conditions hold:

1. None of the process display elements blinks.
2. The switch indicator changes its position periodically.
3. The combined colour bar changes its size periodically.
4. Two indicators are blinking periodically to assure that both visualization computers are still active.

Additionally, safety-critical commands are recorded on an additional control and failure printer, without any chance of data manipulation.

Figure 3 illustrates such a process visualization for an NPP [ADR 92]. It shows the usual display elements, the switch indicator, the combined colour bar, and the blinking indicators.

[Figure 3: Process Visualization of NPP. Labels: reactor load, turbine, steam bypass, feed water, main condensate, low pressure preheater and pumps; colour bar with red, yellow, green and blue; auxiliary systems RB/RP, RN1000, RY, VG; output window "Shutdown RB/RP 1!"; warning window "RB/RP 1 blinks!".]

Additional windows can be provided for the operator's inputs and for outputs from the system (e.g. certain warnings). Figure 3 shows the screen output of the operator's monitor. It shows the model of a nuclear power plant, including the facility to enter commands and to get feedback from the system. The four colours change their size periodically, twice as fast as the green bar, which rotates by about 90° periodically to show that the periodical switch for display generation is still alive. The display contains two additional windows, one for the operator's inputs (commands) and one for the system reaction output. In this system configuration the operator plays the role of the fail-safe comparator. He watches the display and has to detect blinking process element symbols, meaning that the two channels of the process visualization may have provided different information.

Additionally, two blinking indicators assure the operator that both computerized visualization channels are still alive.
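As an added illustration (not code from the paper or its prototype) of the four conditions above and of the operator acting as comparator, this Python model simulates the chopped display over a window of toggle periods and checks all four conditions mechanically: blinking symbols, a stuck switch indicator, a stuck colour bar and a dead channel. The rendering rule, the element names, the constructed readings and the assumption that both liveness indicators are visible in every frame are mine, not the paper's.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

Image = Dict[str, str]  # process element symbol -> displayed colour


@dataclass(frozen=True)
class Frame:
    """What the CRT shows during one toggle period of the electronic switch."""
    source: int             # channel whose image is on screen (1 or 2)
    elements: Image         # process element symbols with their colours
    switch_indicator: str   # "vertical" from channel 1, "horizontal" from channel 2
    colour_bar_size: int    # size of the combined colour bar (all relevant colours)
    alive: Dict[int, bool]  # the two liveness indicators (assumed visible in every frame)


def status_colour(value: float, limit: float) -> str:
    """Constructed rendering rule shared by both channels."""
    if value >= limit:
        return "red"
    if value >= 0.9 * limit:
        return "yellow"
    return "green"


def chop(images_1: List[Image], images_2: List[Image], bar_sizes: List[int],
         alive_1: List[bool], alive_2: List[bool]) -> List[Frame]:
    """Simulate the switch that toggles between the two image processing systems."""
    frames = []
    for k, (im1, im2) in enumerate(zip(images_1, images_2)):
        src = 1 if k % 2 == 0 else 2
        frames.append(Frame(src, im1 if src == 1 else im2,
                            "vertical" if src == 1 else "horizontal",
                            bar_sizes[k], {1: alive_1[k], 2: alive_2[k]}))
    return frames


def check_display(frames: List[Frame]) -> Set[str]:
    """Return the violated conditions; an empty set means safety-critical commands are allowed."""
    faults: Set[str] = set()
    names = set().union(*(f.elements.keys() for f in frames))
    for k in range(len(frames) - 2):
        a, b, c = frames[k], frames[k + 1], frames[k + 2]
        # 1. A symbol blinks when frames from alternating channels disagree and the
        #    pattern repeats (A,B,A).  A single change (A,A,B,B) is a real process
        #    change, not a blink, so it must not block the operator.
        for n in names:
            ea, eb, ec = a.elements.get(n), b.elements.get(n), c.elements.get(n)
            if ea != eb and ea == ec:
                faults.add("blink:" + n)
    for a, b in zip(frames, frames[1:]):
        # 2. The switch indicator must change orientation on every frame.
        if a.switch_indicator == b.switch_indicator:
            faults.add("switch_stuck")
    # 3. The combined colour bar must change its size within the window.
    if len({f.colour_bar_size for f in frames}) < 2:
        faults.add("colour_bar_stuck")
    # 4. Each channel's liveness indicator must toggle within the window.
    for ch in (1, 2):
        if len({f.alive[ch] for f in frames}) < 2:
            faults.add(f"channel{ch}_dead")
    return faults


def demo(channel_2_faulty: bool) -> Set[str]:
    """Six toggle periods of a constructed scenario.  With the fault injected,
    channel 2 renders 'RB/RP 1' green while channel 1 follows the reading."""
    readings = [95.0, 96.0, 97.0, 98.0, 101.0, 102.0]   # constructed values, limit 100
    images_1 = [{"RB/RP 1": status_colour(v, 100.0), "RN 1000": "green"} for v in readings]
    if channel_2_faulty:
        images_2 = [{"RB/RP 1": "green", "RN 1000": "green"} for _ in readings]
    else:
        images_2 = [dict(im) for im in images_1]
    ticks = range(len(readings))
    bar_sizes = [k % 3 for k in ticks]   # period 3, deliberately unequal to the switch period 2
    alive_1 = [k % 2 == 0 for k in ticks]
    alive_2 = [k % 2 == 1 for k in ticks]
    return check_display(chop(images_1, images_2, bar_sizes, alive_1, alive_2))


if __name__ == "__main__":
    print("normal:", demo(False))
    print("fault :", demo(True))
```

Note that the real change of RB/RP 1 from yellow to red in the constructed readings is not reported as a blink, while the channel disagreement is.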

3. PROCESS VISUALIZATION RUNNING UNDER WINDOWS

A first prototype has been developed running under WINDOWS 3.1, just to demonstrate the visualization concept. Nevertheless, one has to argue that a real safety-critical process visualization could never be implemented under WINDOWS. The reason is that WINDOWS 3.1 software was not developed with safety-critical aspects in mind. Moreover, one will not get the complete source code of WINDOWS 3.1 for any V&V procedure. Because commercial software will never be error-free, one has to apply validated real-time operating system software and visualization software, which can be validated too, e.g. according to the C1 test coverage measure required by IEEE standards [SCHI 95].

Figure 4 shows the complete hardware and software configuration consisting of two diverse channels comprising microprocessor hardware, real-time operating systems, and process visualization software (user software).

[Figure 4: Hard- and software system configuration. Labels: process visualization task #1 (SW) and task #2 (SW); real-time operating system #1 (SW) and #2 (SW); microprocessor #1 (HW) and #2 (HW); display buffer #1 and display buffer #2, both switched to the CRT.]

CONCLUSIONS

A new approach to a double-channelled process visualization for NPPs was presented. It is based on the dynamization principle as a fundamental concept of safety technique. Additional indicators are implemented assuring that periodical switching between the two display buffers is done, that all used colours can be displayed, and that both computer channels are still alive. Furthermore, an essential statement was made, namely that safety-critical process visualization cannot be implemented running under WINDOWS™ software, because this commercial system software cannot be validated by a proper V&V procedure.

Nevertheless, a rapid prototype software was developed just for demonstration purpose. Future development comprises a real double channelled system configuration as described above. There is a certain advantage of this system concept: If any modifications of user interface or design would be necessary, the corresponding expenditure is kept quite low. Thus, following the actual trend a computerized safety critical process visualization has been developed with a real chance of application within the near future.

REFERENCES

[ADR 92] Adrian, H., Bücherl, A., Felkel, L., et al.: "Nutzung der Möglichkeiten von rechnergestützten Entscheidungshilfen zur sicherheitsgerichteten Unterstützung der Operateure in Kernkraftwerken", Gesellschaft für Anlagen- und Reaktorsicherheit mbH (GRS), Garching, 1992
[SCHI 80] Schildt, G.H.: "Grundlagen für Vergleicher mit Sicherheitsverantwortung", Siemens Forschungs- und Entwicklungsberichte, 1980
[SCHI 89] Schildt, G.H.: "On diverse Programming for Vital Systems", IFAC SAFECOMP 1989, Vienna
[SCHI 92] Schildt, G.H.: "Safety of computer control systems", SAFECOMP 92, Oxford, 1992
[IAEA 94] IAEA: "The Annual Report for 1993", IAEA, Vienna, 1994
[REIT 94] Reiter, H.: "Nuclear Power Plant - A Process Visualization Relevant to Safety", diploma thesis, Vienna University of Technology, 1994
[SCHI 94] Schildt, G.H.: "A Double-Channelled Safety Critical Process Visualization", Vienna University of Technology, 1994
[VOG 88] Voges, U.: "Software diversity in computerized control systems", Springer, 1988
[SCHI 95] Schildt, G.H.: "Prozeßautomatisierung", Skriptum, TU Wien, 1995

Annex: Modernization of Main Control Boards of Genkai Nuclear Power Station Units 1 and 2

July 1995

Kyushu Electric Power Co., Inc.

1. Outline

Genkai Nuclear Power Station Units 1 and 2, each a 559 MWe PWR, started commercial operation in 1975 and 1981 respectively.

The average capacity factor of Unit 1 is 68.6%, and that of Unit 2 is 83.2%. Because the capacity factor of Unit 1 had decreased due to the degradation of steam generator tubes, we replaced the steam generators of Unit 1 last year.

The shared Main Control Room (MCR) for both units (one MCR for twin units) has various problems that need to be addressed, so we are studying in particular the replacement of the Main Control Board (MCB).

2. Problems

Insufficient spare space for future improvement

Because we have retrofitted many design changes of I&C installations to the MCB according to regulatory requirements, etc., there is no longer enough spare space on the MCB or in the cable-marshaling areas inside and beneath the MCB. It has become difficult to retrofit additional installations on the MCB for I&C improvement.

Man-machine interface

The man-machine interface has deteriorated because added control switches or annunciators are mounted in inappropriate positions as a result of the insufficient spare space on the MCB. Also, in comparison with the MCB of the latest PWR plant, the MCB has many problems that need to be addressed from the viewpoint of human error prevention.

Operator's habitability

The operators in the MCR have less than half the space available in the MCR of the latest PWR plants. Also, some operators for the auxiliary systems, such as the Radioactive Waste Disposal System, are permanently stationed in the local controlled access area. In the latest plants, all systems including the auxiliary systems can be operated from the MCR, and there are no local operators. The habitability of the local control areas is less than adequate, and an upgrade of the control area is strongly requested by the operators.

3. Plan to upgrade the Units 1 and 2 MCR

We are studying the upgrade of the MCR and related I&C systems, such as process computer systems and annunciator systems, from the following viewpoints:

(1) To improve operability and to secure enough space for future retrofitting, replace the present MCB with a new CRT-based MCB of the type adopted in the latest PWR plants.

(2) Expand the operators' work area and improve habitability with the application of the new MCB.

(3) Enable the operation of auxiliary systems, such as the Radioactive Waste Disposal System, from the MCR, so that operators no longer need to work in controlled access areas.

4. Main points to be resolved for upgrade

(1) Cable replacement: A large number of cables must be added or replaced in order to install the new MCB. This requires us to study the most reasonable way to replace aged cables with new cables, which requires an enormous amount of resources.

(2) Shortest construction schedule: It is necessary to identify the shortest construction schedule, because this MCB replacement will influence various plant maintenance schedules.

(3) Cost reduction: To justify the benefit of the I&C improvement, it is necessary to reduce the replacement cost.

Figure: Main Control Room

Figure: Genkai 3 and 4: Main Control Room. Features shown: CRT as primary displays; mode-oriented, partitioned control board configuration; dynamic alarm prioritization; centralized supervisory control of auxiliary systems.

Figure: Present Main Control Room, annotated problems:
- Control switches of auxiliary systems are mounted in inappropriate positions (inside the Turbine Aux. Board; behind the NSSS Aux. Board)
- Insufficient spare space for annunciators
- Local control board for the Radioactive Waste Disposal System installed in the controlled access area (habitability is less than adequate)
- Insufficient spare space for control switches, indicators and recorders, etc.
- Some control switches and indicators are mounted in inappropriate positions (too high and too low)
- Insufficient spare space in the cable-marshaling areas beneath the MCB and inside the NSSS Aux. Board

Institut für Sicherheitstechnologie (ISTec) GmbH
Institute for Safety Technology (ISTec) GmbH

Stand: 20/17.94

IST-ENGLSAM/IST

Forschungsgelände - Postfach 1313 - 85739 Garching - Tel. (089) 320 04 (0) - Telex 5212134 grs md - Telefax (089) 32004300

1 History

The Institute for Safety Technology (ISTec) GmbH was founded in 1991 as a 100 % subsidiary of Gesellschaft für Anlagen- und Reaktorsicherheit (GRS) mbH. The prime objectives of ISTec are to offer the industry services in the field of safety research and information technology, and to give the industry access to research spin-offs for practical application.

ISTec staff consists mainly of former GRS staff, whose more than 25 years of experience, high competence and international recognition underpin the productivity of ISTec.

2 Our Goals

ISTec carries out application-oriented research and development and consulting in the areas of
- Methodologies and Systems for process control
- Quality Assurance.

Our goal is the realization of high safety standards without compromising the operational availability of industrial plants.

3 Our Capabilities

3.1 Information and Diagnosis Technology

The development of computer-based methods is essential in order to improve the flow of process plant information to operating crews, especially as regards the diagnosis of malfunctioning components and systems or during periods of anomalous process behaviour. Constant access to plant and process data is a prerequisite for these tasks. The upkeep of data banks enables ISTec to give well-founded recommendations during periods of anomalous plant behaviour. Together, these strategies decidedly improve the prevention of incidents, lead to improved inspection measures and bring about extended plant lifetimes.

3.2 Qualification of Safety Instrumentation

The development of task-specific qualification procedures, especially as regards computer-based instrumentation systems and components, allows a better match between qualification level and operational requirements. Suitable methods ensure continuous quality assurance during the life cycle of instrumentation equipment.

3.3 Software Reliability

User-oriented methods and tools are developed with the aim of ensuring the required reliability level of software used in process control. Activities are aimed at the improvement of reliability within the software life cycle, analysis techniques, testing methods and the production of highly reliable software structures.

3.4 Man Machine Interface

These activities aim at optimizing the ability of operating crews to control complex technical processes and at creating a basis for analysing evaluation procedures for human actions. This allows evaluation of the man-machine interface as regards information content and layout, the possibility of using and testing computer-based operator support systems, the balance between manual and automatic actions, the ease of handling operational procedures, etc. The result is an improved reliability of process control, which is especially valuable in processes of potentially high risk.

3.5 Tracing and Documenting of Waste

This involves developing, supplying and testing computer-based methods to ensure, evaluate and predict the safety of waste management systems and their possible environmental influences. These are in particular:
- setting up of waste documentation systems, including supply of specifications, organisational structures, user-related software applications, hardware consultancy, software implementation, user support and service of software supplied
- advice and support in creating methods and processes to characterize, qualify and test hazardous waste
- advice and support in the design of waste and transport containers
- advice and support as regards safety questions concerning the design, erection and operation of technical facilities for temporary storage, burning and final depositing of waste.

SPECIALISTS' MEETING ON MODERNIZATION OF INSTRUMENTATION AND CONTROL SYSTEMS IN NUCLEAR POWER PLANTS

Garching/Germany

4-7 July 1995

LIST OF PARTICIPANTS

Mr. M. SABRANSKY Nucleoelectrica Argentina S.A. Central Nuclear Atucha I - CC20 2806 Lima Prov. Buenos Aires ARGENTINA Tel.: 54 487 80996, 487 24671/76 Fax: 54 487 80996

Mr. G. H. SCHILDT Institute for Automation Technical University Vienna A-1040 Vienna AUSTRIA Tel.: 58801 8190 Fax: +43 1 586 3260

Mr. B. COUPE CEN-SCK Boeretang 200 B-200 Mol BELGIUM Tel.: +32 14 33245 Fax: +32 14 32 05 13

Mr. M. DUBOIS AIB - Vincotte Nuclear Avenue du Roi, 157 1060 Brussels Tel.: 02 536 83 85 Fax: 02 536 85 85

Mr. N. ANANI Atomic Energy Control Board P.O.Box 1046, Station B 280 Slater Street Ottawa K1P 5S9 CANADA Tel.: (613) 995-6535 Fax: (613) 995-5086

Mr. T. SEJBA Czech Technical University in Prague Faculty of Nuclear Sciences and Physical Eng. Department of Nuclear Reactors V Holesovickach 2 180 00 Prague 8 Tel.: +42 2 85762421 Fax: +42 2 664 10 764

Mr. L.-E. HALL Teollisuuden Voima Oy FIN-27160 Olkiluoto FINLAND Tel.: 358-38 38 14300 Fax: +358 38 38 14309

Mr. P. CASTILLEJOS Electricite de France (EDF) 6 quai Watier 78400 Chatou FRANCE Tel.: 30-87-7707 Fax: 30-87-8284

Mr. J.-C. TRAMA CEA Centre d'etudes de Saclay DEIN/SPEBAT451 F-91191 Gif-Sur-Yvette Cedex FRANCE Tel.: 33 169 08 4361 Fax: 33 1 69 08 76 79

Mr. Keita AKEHASHI Marubeni Deutschland Ges.mb.H. Erlangen Office Dr. Dassler Str. 25a D-91334 Hemhofen GERMANY Tel.: 9131-204221 Fax: 9131-203991

Mr. W. BASTL ISTec Garching D-85748 Garching GERMANY Tel.: (089) 32004 300 Fax: 32 004 -300

Mr. H.W. BOCK Siemens KWU NLL Frauenauracherstr. 85 91056 Erlangen GERMANY

Mr. L. CEURSTEMONT GRS Köln Schwertnergasse 1 50667 Köln GERMANY Tel.: (0221) 2068-202 Fax: (0221) 2068-442

Mr. L. FELKEL ISTec Garching D-85748 Garching GERMANY Tel.: (089) 32004 225 Fax: 32 004 - 300

Mr. J. ERLBECK Bayernwerk AG Postfach 20 03 40 80003 München GERMANY Tel.: (089) 1254 3857 Fax: (089) 1254 3906 / 3706

Mr. A. KLEIN Siemens KWU NU Z Abt. NLL-2 Frauenauracherstr. 85 91050 Erlangen GERMANY Tel.: 09131-186696 Fax: 09131-18-9908

Mr. J. KOLDITZ Breslauer Str. 10 D-74388 Talheim GERMANY Tel.: 07133/8239

Mr. J. KOLLMANNSBERGER Siemens AG KWULV2 P.O.Box 3220 D-91050 Erlangen GERMANY Tel.: 09 131 186426, Fax: 091 31 186864

Mr. E. LINDAUER KSG Kraftwerks-Simulator Ges.m.b.H. P.O.Box 15 02 51 D-45242 Essen GERMANY Fax: +49 201 4 86 21 99

Mr. S. OSTERLEHNER ISTec Garching D-85748 Garching Tel.: (089) 32004 239 Fax: 32 004 300

Mr. F. SCHINDHELM Siemens KWU NLL2 Frauenauracherstr. 85 91050 Erlangen GERMANY Tel.: 09131 18 850 88 Fax: 09131-18-9908

Mr. O. SCHOERNER Siemens KWU NLL4 Frauenauracherstr. 85 91056 Erlangen GERMANY Tel.: 09131-18 85 109 Fax: 09131 18 6766

Mr. SCHNUERER ISTec D-85748 Garching GERMANY Tel.: 89 32004-223 Fax: 89 32004-300

Mr. F. SEIDEL Federal Office for Radiation Protection (BfS) P.O.Box 100149 D-38201 Salzgitter GERMANY Tel.: (05341) 225-151 Fax: (05341) 225-225

Mr. F. STECKENBORN Gemeinschaftskernkraftwerk Neckar GmbH Postfach 11 62 74380 Neckarwestheim GERMANY Tel.: 07133/13-3149 Fax: 07133/12516

Mr. R. SUNDER ISTec Garching D-85748 Garching Tel.: (089) 32004 226 Fax: 32 004 300

Mr. S. SZOLDATITS ISTec Garching D-85748 Garching Tel.: (089) 32004 215 Fax: 32 004 300

Mr. D. WACH ISTec Garching D-85748 Garching GERMANY Tel.: (089) 32004 218 Fax: (089) 32004 300

Mr. L. WEIL BfS-KT Postfach 10 01 49 38226 Salzgitter GERMANY Tel.: 05341-225110 Fax: 05341-225105

Mr. S. WIESNER TÜV - Bayern Dep. GZ-ETL 30 Westendstr. 199 80686 München GERMANY Tel.: +49 89 5791 1464 Fax: +49 89 5791 2157

Mr. K. ZECK TÜV Südwest Gottlieb Daimler Str. 7 70794 Filderstadt GERMANY Tel.: 49 711/7706 335 Fax: +49 711/766 301

Mr. F. ADORJAN KFKI Atomic Energy Research Institute H-1525 Budapest P.O.Box 49 HUNGARY Tel.: 361-169-9499 Fax: 361-155-2530

Mr. J. EILER Paks NPP P.O.Box 71 H-7031 Paks HUNGARY Tel.: (36) 75-318-557 Fax: (36) 75-319-573

Mr. K. HAMAR Hungarian Atomic Energy Commission Nuclear Safety Inspectorate Csörsz u. 35 1124 Budapest HUNGARY Tel.: 36-11-550-493 Fax: 36-11-557-693

Mr. G. KOMLOSSY Paks Nuclear Power Plant Ltd. P.O.Box 71 H-7031 Paks HUNGARY Tel.: (36) 75-318621 Fax: (36) 1-155-1332

Mr. D. SARKADI Hungarian Atomic Energy Commission Nuclear Safety Inspectorate Csörsz u. 35 1124 Budapest HUNGARY Tel.: 36-11-550-493, Fax: 36-11-557-693

Mr. T. TURI Paks NPP P.O.Box 71 H-7031 Paks HUNGARY Tel.: (36) 75-318-845 Fax: (36) 75-312-342

Mr. H. MASHIAH N.R.C.N. Beer Sheva 84190 P.O.Box 9001 ISRAEL Tel.: 972-7-567277 Fax: 972-7-554S4S

Mr. Yusuke KONDO Nuclear Power Operation Department Kyushu Electric Power Co., Inc. 1-82 Watanabe-Dori, 2-chome Chuo-ku, Fukuoka, 810-91 JAPAN Tel.: 092-761-3031 Fax: 092-761-4622

Mr. Makoto TAKASHIMA Mitsubishi Heavy Industries Ltd. Nuclear Energy Systems Engineering Center 3-1 Minatomirai 3-chome Nishi-ku Yokohama 220-84 JAPAN Tel.: 045-224-9685 Fax: 045-224-9969

Mr. Sakaue TAKEHARU Mitsubishi Electric Corporation Nuclear Power Department Wadasaki-Cho, Hyogo-Ku Kobe JAPAN Tel.: (078) 682-6332 Fax: (078) 682-6342

Mr. J-T. KIM Korea Atomic Energy Research Institute P.O.Box 105 Yusong Taejon 305-699 REP. OF KOREA Tel.: 82-42-868-2404 Fax: 82-42-868-8357

Mr. T-K. OH Korea Institute of Nuclear Safety P.O.Box 114 Yousung Taejon 305 600 REP. OF KOREA Tel.: +82 868 2653 Fax: +82 42 861 4047

Mr. J.W. DE VRIES N.V. Elektriciteits-Produktiemaatschappij Zuid-Nederland EPZ Project Modificaties Postbus 92 4380 AB Vlissingen NETHERLANDS

Mr. M. HEJDENS EPZ P.O.Box 130 Zeedyk 32 4380 Vlissingen (NL) NETHERLANDS Tel.: 0031 1105-6000 Fax: 0031 1105-2550

Mr. Y. VAN DER PLAS KFD (Nuclear Safety Department) SZW Postbox 90801 2509 LV The Hague NETHERLANDS Tel.: 0031 70 3335540 Fax: 0031 70 3334018

Mr. W. VAN DE VEEN KEMA P.O.Box 9035 6800 ET Arnhem NETHERLANDS Tel.: 0031 85 562321 Fax: 0031 85 518092

Mr. A. CHUDIN Russian Federation Ministry for Atomic Energy Staromonetny 26 Moscow 109180 RUSSIAN FEDERATION Tel.: 233-30-53 Fax: 230-24-20

Mr. A.I. GORELOV RDIPE P.O.Box 788 Moscow 10100 RUSSIAN FEDERATION Tel.: (095) 2637320 Fax: (095) 9752019

Mr. A. MALMÖF OKG AB S-572 83 Figeholm SWEDEN Tel.: +46 491-86 000 Fax: +46 491 86 090

Ms. G. SVENSSON Swedish Nuclear Power Inspectorate S-10658 Stockholm SWEDEN Tel.: +46 8 6988474 Fax: +46 8 661 9086

Mr. C.-G. WORMKE OKG Aktiebolag 57283 Figeholm SWEDEN Tel.: +46 491-86000 Fax: +46 491 86870 or 86090

Mr. G.E. KAISER NOK Nuclear Power Plant Beznau CH-5312 Döttingen Tel.: +41 56 99 77 03 Fax: +41 56 99 77 02

Mr. H. REDDERSEN Colenco Power Consulting AG Mellingerstr. 207 CH-5405 Baden SWITZERLAND Tel.: 0041 56 771 563 Fax: 0041 56 8373 57

Mr. W. TODT, Sr. Imaging and Sensing Technology Corp. 300 Westinghouse Circle Horseheads, N.Y. 14845 U.S.A. Tel.: 607-796-4303 Fax: 607-796-4482

Mr. N. WOODFINE Imaging and Sensing Technology Corp. 300 Westinghouse Circle Horseheads, N.Y. 14845 U.S.A. Tel. (in U.K.): 44-1-202-298016 Fax (in U.K.): 44-1-202-295 106 Fax (in USA): 607-796-4482

Mr. A. KOSSELOV International Atomic Energy Agency Division of Nuclear Power Wagramerstrasse 5, P.O. Box 100 Vienna, A-1400 Austria Tel.: +43 1 2060 22796 Fax.: +43 1 20607