Modernisation of NPP, Consideration of CCF aspects. Franz Altkind, Swiss Federal Nuclear Inspectorate (HSK); Manfred Märzendorfer, NPP Leibstadt, Switzerland (KKL). Date: 19.-21.06.2007 / MMA/AF
Content • Situation in Switzerland • Modernisation of NPP (Example based on Project PRESSURE) • Study for „CPU based safety control systems“
CH nuclear facilities overview (map). Geographical position of the Swiss nuclear facilities: the NPP sites are marked by triangles, experimental and research installations by stars, facilities for nuclear waste management by squares; dots mark the major cities.
Reasons for retrofitting existing I&C systems • Supplier support no longer available • Increasing maintenance costs • Issues raised by safety evaluations • Control room improvements. Most of the new I&C systems important to safety that are available on the market are computer-based systems.
Regulatory situation for digital I&C in Switzerland • 1997: The Swiss Federal Nuclear Safety Inspectorate (HSK) starts a collaboration with a workgroup of members of the Swiss NPPs to establish a guideline for „safety relevant digital I&C in NPPs“. • 2005: The R-46 officially became effective in April • http://www.hsk.psi.ch/deutsch/gesetzgrundlagen/start4.htm • Richtlinien → R-46/d • Before the official enactment, the licensing of safety relevant digital I&C was based on R-35 (recently already „in the spirit“ of the R-46, e.g. project ANIS+ in KKL). (Timeline legend: blue = conventional I&C systems, white = computer-based I&C systems)
Regulatory situation for digital I&C in Switzerland • The guideline is based on international standards (IAEA / IEC) • Credit can be taken for a generic qualification of the platform by an „internationally“ accepted authority (e.g. a Safety Evaluation Report (SER) of the US NRC) • This allows the licensing process to focus mainly on the project-specific concept (e.g. topology) and on the applications (functions) • The HSK leaves it open to the licensee (applicant) whether to follow e.g. US (NRC NUREG / IEEE) or other regulations, depending on the origin of the I&C platform to be implemented • The guideline puts emphasis on aspects such as • SW and FW (incl. tools), especially with regard to CCF (systematic faults) • IT security (data integrity, protection against „intrusion“)
Qualification of electrical and I&C systems and equipment (diagram, three steps): 1 Safety relevance of general systems • 2 Requirements for qualification and classification from the international and CH regulatory view • 3 Allocation to I&C systems, functions, equipment
Modernisation of NPP – Project PRESSURE, NPP Beznau (example of a licensing procedure: replacement of the reactor protection system, the engineered safety features actuation system and the control system) • Preconditions • Licensing procedure phases • Assessment in the context of plant safety • Assessment in the context of the I&C system • Functional diversity • Operating experience • Conclusions
Preconditions • Characteristics of the replacement • PWR plant, Westinghouse (USA), commissioned 1969/1971: modern I&C technology from the German supplier Siemens must be made consistent with the concepts and constraints of the plant • Safety basis, functionality and HSI remain unchanged • Conditions and criteria for licensing and assessment • Assessment based on the state of science and technology • No detailed regulatory framework in the area of I&C in Switzerland • Design and realisation must meet the requirements of the supplier's country, i.e. Germany • Conclusions for the licensing procedure • Assessment of overall, safety and process aspects by HSK • Support by German experts (TÜV Süddeutschland and ISTec) for all aspects related to computer-based I&C systems
Licensing procedure HSK-R-35 as applied to the PRESSURE project (flowchart; left column: supplier & utility activities, right column: HSK approvals)
• Early phase: introduction and agreement about the procedure; requirement specifications; safety evaluation
• Phase S1 "Concept": approval of the concept by HSK
• Phase S2 "System Design": design specifications; HSK comments
• Phase S3 "Realisation": realisation; quality assurance plan; phase A: approval for implementation
• Phase 4 "Integration and Commissioning": implementation; commissioning plan; V&V plan; approval for nuclear commissioning (phase C); approval for plant start-up (phase D)
• Operation: 5 days of operation; approval for the next cycle
Assessment in the context of Plant Safety • Requirements specification by supplier • Comparison with the currently existing functions • Safety assessment by utility, supported by supplier with consideration of CCF • Analysis of possible effects caused by the I&C replacement • Analysis of diversity of the category A functions • Inclusion of the Beznau NPP emergency system in the analysis of diversity • Categorisation of I&C functions according to IEC standard 61226 • Consequences and results of the first assessment • Enhanced safety assessment • Some modifications of the I&C-functions
Assessment in the context of the I&C system • Documents for the assessment • Functional requirements specification • Specification of the I&C structure • Reliability analysis, failure mode and effects analysis • Contract with "TÜV Süd" for assessment and evaluation • Application-specific assessment of the computer-based I&C structure: • Equipment and software are implemented correctly • Consistent with the relevant requirements and constraints • Under the given environmental conditions • Acceptance criteria to be defined based on German and international nuclear technology standards and guidelines • Issues from the first assessment: • Improvements of the documentation, further analyses • Modifications in the concept of the I&C architecture
Diversity of functions and actuation signals (diagram: NANO bunkered emergency system; Decontik K, S and relays; emergency systems actuation)
I&C system architecture (diagram: four redundancies R1–R4; binary & analogue stations incl. CPU; separate communication for diversity A and B; point-to-point connections; message and service interface; closed-loop control)
Operating experience • Commissioning in unit 1: autumn 2000 • Commissioning in unit 2: autumn 2001 • More than 5 years of operating experience • Positive operating experience with: • the required periodic tests • the behaviour of the control loops • maintenance support using the service station • 2002-2006: minor modifications, improvements and enhancements in the software and in peripheral hardware (I/O only). Each modification was carried out during a plant outage. For every modification a licensing procedure was performed with HSK before installation and commissioning, and HSK carried out inspections during the installation and commissioning phases.
Conclusions • If no detailed I&C regulatory framework is available: reach early agreement about the licensing procedure, the standards and guidelines to be applied, the documents to be provided and the acceptance criteria to be met. • The licensing procedure with its 4 phases turned out to be a good method. Specific aspects of computer-based systems have to be integrated into the licensing procedure. • Informing the licensing authority early about the intentions of a project has a positive influence on the co-ordination between project development and the licensing procedure. • Proving sufficient diversity to deal with common cause failures may require a re-assessment of the event analysis. • Configuration and change control, as well as measures to protect the computer-based system against unauthorised access (security), are very important during the whole life cycle.
Basic principle study for „CPU based safety control systems“ performed by TÜV • Overview of internationally used CPU-based safety systems • Requirements from the regulatory side • Control of CCF • Defence-in-depth • Independence of systems within the same safety level and across different safety levels • Complex of problems when changing to CPU-based safety control systems • Approaches for designing safety systems in CPU-based technology
Overview of internationally used CPU-based safety systems • Canada • France • USA • UK • Czech Republic • Sweden • Korea • Finland • Conclusion: To avoid CCF in safety systems, most of them use a second, independent control system that is diverse in hardware and also in system software. • Experience shows that complete functional diversity cannot be achieved in a retrofit project for an NPP. • In Germany all inspection organisations require functional diversity as standard. • In addition, TÜV Süd-IS requires a diverse protection system (trip) and an independent, diverse system for manual operation of the ESFAS (Engineered Safety Features Actuation System).
Control of CCF • General: Safety systems must be designed so that operational systems have no influence on the safety system. A CCF in combination with other failures must be postulated for safety functions of category A. • The study considers: • Definitions (RSK, KTA 3501, IEC 61226, IAEA NS-G-1.3, IAEA NS-R-1, IEC 60880) • Requirements for analysis (KTA 3501, IEC 61513, IEC 60880, IAEA NS-R-1, IAEA NS-G-1.1, IEC 61226) • Requirements regarding diversity in designs against CCF (KTA 3501, IEC 61226, IAEA NS-R-1, IEC 61513, IAEA NS-G-1.1) • Requirements regarding verification of diversity (IEC 61513, IAEA NS-G-1.3)
Defence-in-depth (for I&C: IEC 61513), the five levels as shown in the diagram:
• Level 1: Prevention of abnormal operation and failures
• Level 2: Control of abnormal operation and detection of failures
• Level 3: Control of accidents within the design basis (this level must be as tight as possible = diversity necessary)
• Level 4: Control of severe conditions incl. prevention of accident progression and mitigation of the consequences of severe accidents
• Level 5: Mitigation of the radiological consequences of significant external releases of radioactive material
Independence of systems within the same safety level and across different safety levels • Some important items to be considered: • Within I&C systems important to safety, the different safety categories should be independent so that a lower level cannot influence a higher one. • Safety functions of category „A“ should be realised so that the diverse functions work independently of each other. • Redundancies should be independent and physically separated (e.g. for fire protection). • Exception: if safety function units of different categories are implemented on the same platform (hardware), the highest category has to be applied to the whole system.
Complex of problems when changing to CPU-based safety control systems • System characteristics: • Communication and processing are serial instead of parallel • Real-time operation • High complexity of HW components and SW • Structural change of the architecture and concentration of many different functions in one system • Short life cycle of electronic devices and frequent changes of electrical items, SW and tools • Failure behaviour depends on history (the cause being the very large number of internal states of CPU-based electronics)
Approaches for designing safety systems in computer-based technology (diagram 1): complete diverse subsystems (SVE = CPU type A, SPS = CPU type B). Diverse subsystem A with measurements M1–M3 and function blocks FB 1 … FB n, diverse subsystem B with measurements N1–N3 and function blocks FB 1 … FB n; each subsystem votes 2v3 (= 2oo3) and drives its own actuator (A1, A2).
Approaches for designing safety systems in computer-based technology (diagram 2): diverse subsystems within each function unit (SVE = CPU type A, SPS = CPU type B). Measurements M1–M4 are processed by alternating SVE and SPS units for each function block FB 1 … FB n; relay logic combines the outputs and drives the actuators A1 … An.
Approaches for designing safety systems in computer-based technology (diagram 3): functionally diverse subsystems on the same platform (SVE) plus an additional diverse backup system (SPS). Diverse subsystem A (M1–M3) and diverse subsystem B (N1–N3) each vote 2v3; the backup system processes M1–M3 with its own 2v3 vote; backup and main subsystem are combined 1v2 in front of each actuator (A1, A2).
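The three diagrams above, together with the CCF and independence requirements earlier in the study, can be made concrete with a small fault-tolerance model. The following Python is an added example, not code from the HSK or TÜV study. It treats a CCF as a systematic fault that silences every channel built on one CPU platform at once, and a random failure as the loss of a single channel; platform "A" stands for the SVE CPU type and "B" for the SPS CPU type. The measured parameters ("pressure", "level"), the 2oo4 relay logic assumed for diagram 2, the 1oo2 main/backup combination and the rule that either actuator suffices are assumptions of this model, not statements from the slides. A redundancy-only baseline that is not on the slides is included for comparison.

```python
"""Fault-tolerance model of the three architectures sketched above.

Added example; it is not part of the HSK/TUV presentation. A safety function
is modelled as redundant measurement channels feeding k-out-of-n voters. A
common cause failure (CCF) is a systematic fault that silences every channel
built on the same CPU platform at once; a random failure silences one channel.
Platform "A" stands for the SVE CPU type and "B" for the SPS CPU type of the
diagrams. Anything the slides do not state (2oo4 relay logic, 1oo2 between main
and backup, "either actuator suffices", the measured parameters) is an
assumption made here so that the model runs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Channel:
    name: str        # channel label as in the diagrams, e.g. "M1"
    platform: str    # "A" (SVE) or "B" (SPS)
    function: str    # functional variant, e.g. "pressure" or "level" (assumed)


@dataclass
class Scenario:
    demand: frozenset                          # parameters on which the event is visible
    ccf_platforms: frozenset = frozenset()     # platforms hit by a systematic fault
    failed_channels: frozenset = frozenset()   # random single-channel failures


def channel_trips(ch: Channel, s: Scenario) -> bool:
    """Fail-silent model: a faulted channel never demands a trip (worst case for actuation)."""
    if ch.platform in s.ccf_platforms or ch.name in s.failed_channels:
        return False
    return ch.function in s.demand


def vote(channels, k, s):
    """k-out-of-n voter ("2v3" on the slides = 2oo3)."""
    return sum(channel_trips(c, s) for c in channels) >= k


def triple(prefix, platform, function):
    return [Channel(f"{prefix}{i}", platform, function) for i in (1, 2, 3)]


def redundant_only(s):
    """Baseline, not on the slides: redundancy only, one platform, one parameter."""
    return vote(triple("M", "A", "pressure"), 2, s)


def complete_diverse(s):
    """Diagram 1: subsystem A (SVE) and subsystem B (SPS), each 2oo3, each with its own actuator."""
    a1 = vote(triple("M", "A", "pressure"), 2, s)
    a2 = vote(triple("N", "B", "level"), 2, s)
    return a1 or a2          # assumption: either actuator performs the safety function


def diverse_per_function_unit(s):
    """Diagram 2: SVE and SPS channels mixed inside one function unit, combined by relay logic."""
    unit = [Channel("M1", "A", "pressure"), Channel("M2", "B", "pressure"),
            Channel("M3", "B", "pressure"), Channel("M4", "A", "pressure")]
    return vote(unit, 2, s)  # assumption: the relay logic realises 2oo4


def functional_diverse_plus_backup(s):
    """Diagram 3: two functionally diverse 2oo3 subsystems on the same platform (SVE)
    plus a platform-diverse backup (SPS); each actuator is driven 1oo2 (the slides' 1v2)."""
    main_a = vote(triple("M", "A", "pressure"), 2, s)
    main_b = vote(triple("N", "A", "level"), 2, s)
    backup = vote(triple("Mb", "B", "pressure"), 2, s)
    return (main_a or backup) or (main_b or backup)


ARCHITECTURES = {
    "redundant_only": redundant_only,
    "complete_diverse": complete_diverse,
    "diverse_per_function_unit": diverse_per_function_unit,
    "functional_diverse_plus_backup": functional_diverse_plus_backup,
}

BOTH = frozenset({"pressure", "level"})
SCENARIOS = {   # constructed scenarios for the model
    "healthy, event visible on both parameters": Scenario(BOTH),
    "single random channel failure": Scenario(BOTH, failed_channels=frozenset({"M1"})),
    "CCF of platform A": Scenario(BOTH, ccf_platforms=frozenset({"A"})),
    "CCF of platform A, event visible on pressure only":
        Scenario(frozenset({"pressure"}), ccf_platforms=frozenset({"A"})),
    "CCF of both platforms": Scenario(BOTH, ccf_platforms=frozenset({"A", "B"})),
}


def compare(s: Scenario) -> dict:
    """Which architectures still actuate the safety function under scenario s."""
    return {name: arch(s) for name, arch in ARCHITECTURES.items()}


if __name__ == "__main__":
    for label, s in SCENARIOS.items():
        print(label)
        for name, ok in compare(s).items():
            print(f"  {name:32s} {'actuates' if ok else 'FAILS'}")
```

Running the block prints one row per architecture and scenario. The redundancy-only baseline survives a single random channel failure but not the platform CCF, which is the point of the study's "systematic error" emphasis: 2oo3 voting adds nothing against a fault shared by all three channels. The "pressure only" scenario shows why a platform-diverse trip or backup system (diagram 3) is demanded in addition to functional diversity: when the event is visible on only one parameter and that parameter's platform is hit by a CCF, the complete-diverse design of diagram 1 does not actuate. A CCF that affects both platforms defeats every architecture, which is why independence of the diverse systems (HW and system SW) is required.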