1
I&C Modernization at NPP Dukovany
  • C. Karpeta, Scientech LLC-organizational
    component
  • L. Leák, CEZ-Power Generation Division
  • J. Rosol, CEZ-Power Generation Division

IAEA Technical Meeting on Increasing Power Output
and Performance of NPPs by improved I&C
Systems, 29-31 May 2007, Prague, Czech Republic
2
Topics to be addressed
  • Plant I&C system assessment activities.
  • Strategies of the I&C modernization program.
  • Strategies for the licensing process.
  • Refurbishment of modules M1 and M2.
  • Refurbishment of modules M3, M4, and M5.
  • Resolution of the dependability issue of digital
    computer-based I&C systems important to safety.
  • Operational experience with the innovated modules
    M1 and M2.

3
Plant I&C system assessment activities
  • Assessment performed by the French company EdF
    and the English company NNC under the EU PHARE
    program project ENE/15. It was a mutually
    independent deterministic evaluation of the plant
    I&C system design, which resulted in:
  • providing technical recommendations on how to
    eliminate the revealed shortcomings
  • providing system-level specifications for
    innovation of the individual I&C systems
  • Plant internal audit, which was entirely the
    plant's own effort.
  • The individual plant I&C systems were evaluated
    against the following criteria:
  • Impact on nuclear safety.
  • Impact on plant availability.
  • Operation and maintenance costs.
  • Lifetime, maintainability.
  • Compliance with regulatory requirements
  • PSA level 1 was applied to evaluate the impact on
    nuclear safety.
  • Simple straightforward methods were used for the
    evaluation of the remaining criteria.
  • Plant external audit, conducted by the ENAC
    consortium.
  • It focused on safety aspects.

4
Plant I&C system assessment activities - cont.
  • IAEA ASSET inspections in 1993 and 1996.
  • Practically all events caused by I&C failures
    were assigned level INES-0.
  • Evaluation of the I&C equipment under the
    plant-launched qualification program.
  • The main conclusions of the I&C-related parts of
    the plant assessments were as follows:
  • No major safety concerns relating to plant I&C
    systems were raised, although some aspects of the
    design did not reflect the best international
    practices, such as those of the IAEA safety
    guides.
  • Regarding the impact on plant availability,
    no significant I&C shortcomings were found.
  • Significant problems were identified in the
    lifetime and maintainability of the existing I&C
    equipment.
  • Regarding compliance with regulatory
    requirements, several areas where improvements
    were feasible were identified.

5
Strategies of the I&C modernization program
  • Regarding the plant operational safety aspects:
  • The refurbished I&C systems shall be implemented
    in order of their significance to safety, with
    the reactor protection system having the highest
    priority.
  • For practical reasons, this principle is being
    followed by having the program broken down into
    two separate projects, i.e.
  • Refurbishment of the so-called modules M1 and M2,
    where those modules encompass the reactor
    protection system, the emergency load sequencer,
    the post-accident monitoring system, the reactor
    power limitation system, the reactor power
    control system, the steam generators protection
    systems, and the plant process computer,
    including the in-core measurements processing.
  • Refurbishment of the so-called modules M3, M4,
    and M5, where those modules encompass
  • - primary circuit logic systems (i.e.
    systems providing control of component states)
    and process control systems,
  • - turbines and generators control and
    protection systems, and the unit safeguard
    system,
  • - secondary circuit logic systems and
    process control systems.
  • Hence, the modules M1 and M2 refurbishment project
    will be implemented first.
6
Strategies of the I&C modernization program - cont.
  • Regarding the plant availability aspects
  • Step-by-step implementation of the program at
    each unit over a specified time span.
  • Performing dismantling of the old systems and
    installation, testing, and commissioning of the
    new systems during the planned standard and
    extended refueling outages.
  • Performing, to the extent limited by plant safety
    and operational constraints, various preparatory
    activities between the outages.
  • Regarding the plant I&C system concept,
    functionalities and implementation:
  • Retaining the original protection and control
    concept.
  • Retaining, as far as reasonable and practicable,
    the existing plant I&C system structure.
  • Retaining all the existing functionalities.
    Modifications of functions important to safety are
    allowed, provided that they are adequately
    substantiated and have been approved by the
    regulatory authority.
  • Current systems will be replaced by new systems
    on a one-by-one basis.
  • Regarding the technology platform on which the
    equipment of the new systems is to be built:
  • The new systems shall be based on an up-to-date
    proven technology platform.
  • Where practicable and economical, functional
    equivalents of the current systems equipment and
    components may be used.
  • Most of the new systems should be digital
    computer-based systems.

7
Strategies for the licensing process
  • As per the provisions of the Czech Republic
    Atomic Act, reconstruction and/or implementation
    of changes in nuclear facilities that affect
    nuclear safety, radiation protection, emergency
    preparedness and security fall into the category
    of activities for which a permission (license)
    must be granted by the State Office for Nuclear
    Safety (SONS).
  • The 'one-step' licensing process to be applied
    for implementation of reconstruction or other
    changes that affect nuclear safety, radiation
    protection, emergency preparedness and security
    of nuclear facilities, as stipulated by the
    provisions of § 9, (1), f) of the Atomic Act, was
    felt to be not quite adequate for large-scope,
    several-stage I&C system refurbishment projects.

8
Strategies for the licensing process - cont. 1
  • A project-specific licensing process has been
    conceived in several rounds of discussions
    between the plant operator and the regulatory
    body. This process copies, to a certain extent,
    the licensing process applied to new nuclear
    power plant projects.

9
Strategies for the licensing process - cont. 2
  • Project-specific licensing requirements have been
    set forth by the regulatory body. They relate to
    the following areas:
  • Classification of the I&C functions, systems and
    equipment important to safety.
  • Acceptability of the digital computer-based I&C
    systems important to safety.
  • Software development process for the I&C systems
    important to safety.
  • Verification and validation of the software for
    the I&C safety systems.
  • Defense against common cause failures due to
    errors in the software of I&C safety systems.
  • Communications between sub-systems of the digital
    computer-based I&C safety systems.
  • Testability of the digital computer-based I&C
    safety systems during reactor operation.
  • Compliance with the single failure criterion.
  • Equipment qualification.
  • Reliability of the innovated I&C systems
    important to safety.

10
Refurbishment of modules M1 and M2
Installation and commissioning of the refurbished
modules started at unit No.3 in March 2003, and was
completed in May 2005.
  • The following general technical guidelines were
    adhered to:
  • Reactor trip and engineered safety features
    actuation functions are to be implemented in one
    triple redundant system, namely the reactor
    protection system.
  • Reactor power limitation functions are to be
    implemented in each of the reactor protection
    system divisions, but functionally isolated from
    the trip functions.
  • Number of sensors is to be reduced.
  • Sensor sharing between the safety systems is
    allowed. Limited sensor sharing between safety
    systems and systems of lower safety grade may be
    used.
  • Some functions of the safety systems can be
    modified in correspondence with the changes
    proposed by the plant and approved by the
    regulatory authority.
  • Post-accident monitoring is to be implemented as
    a separate system.
  • The technical level and quality of core
    monitoring should be significantly improved
    through improved processing of the measurement
    data provided by the existing reactor in-core
    instrumentation.
  • Computerized functions of operator support should
    be significantly extended, and the human-machine
    interface should be improved
  • Only limited modifications to the main and
    emergency control rooms are allowed.
  • The current structure of manual controls and
    alarm displays should be kept.
  • Extended diagnostic functions should be provided

11
Refurbishment of modules M1 and M2 - cont. 1
  • The design and implementation of the refurbished
    systems are compliant with:
  • the requirements for assurance of nuclear safety
    set in the Czech Republic legislation (Atomic
    Act, SONS regulations)
  • the project-specific requirements set by SONS
  • the individual I&C systems' specific requirements
    set by the project team, which relate to the
    assurance of functionality, reliability,
    performance, environmental durability, and
    quality
  • the provisions of the applicable standards.

12
Refurbishment of modules M1 and M2 - cont. 2
  • A block diagram of the refurbished modules M1 and
    M2 is depicted in Fig. 1.
  • Photos of the modernized main control room of
    unit No.3 and of the original and current ESFAS
    equipment are presented in Fig. 2 through 4.
  • The project implementation at unit No.1 is
    nearing completion. Its implementation at units
    No.2 and 4 is in progress. The project is to be
    completed in 2009.

13
Refurbishment of the NPP Dukovany I&C System
Overall architecture - Fig. 1
14
Reactor protection system - Fig. 2
[Figure panels: old, new]
15
New MCR - Fig. 3
16
Sometimes it wasn't easy - Fig. 4
17
Refurbishment of modules M3, M4, and M5
  • The following preparatory and initial activities
    have been performed so far, or are still in
    progress:
  • The so-called Coordination Design Phase 1 has
    been elaborated. It defines the overall concept
    of the refurbished I&C systems, specifies
    applicable requirements for their design and
    implementation, specifies the hardware and
    software technology platforms on which the
    refurbished I&C systems should be built, and
    specifies a breakdown of the project
    implementation into seven stages.
  • Coordination Design Phase 2 has been
    elaborated. It specifies the control algorithms
    to be implemented in the refurbished systems.
  • Safety classification of the I&C functions in
    question has been performed according to the
    guidance provided in the technical standard
    CSN IEC 61226.
  • Elaboration of the so-called technological
    control algorithms of the actuators.
  • Measurement of the electromagnetic environment
    and interferences pertinent to the existing
    cabling.
  • Measurement of the electromagnetic environment in
    the locations of the new I&C equipment.
  • Analyses of technical characteristics of the
    interface devices, e.g. relays.
  • Analyses of the impacts of lightning and
    short-circuit currents on the existing cabling.
  • Establishing photo-documentation of the current
    state of the panels housing the I&C equipment.

18
Refurbishment of modules M3, M4, and M5 - cont. 1
  • The main constraints imposed on the project
    implementation are as follows:
  • Replacement activities shall be performed during
    the unit's planned outages.
  • 40 to 50 I&C equipment panels will need to be
    replaced and tested during each unit outage; they
    include approximately 1000 functions.
  • Contrary to the technique used during the
    project T544 implementation, off-line
    installation of the new equipment, i.e. equipment
    installation during an outage without connecting
    its outputs to the actuated devices and providing
    those connections in the next outage, is not
    possible for technical reasons.
  • The equipment cannot be refurbished on a
    straightforward one-by-one basis since adequate
    separation of the I&C functions based on their
    safety classification needs to be accomplished.

19
Refurbishment of modules M3, M4, and M5 - cont. 2
  • The refurbished portion of the plant I&C system
    will consist of the following major parts:
  • DIAG, RSBP, RSBS, RSBT
  • System DIAG is a new system, which will provide:
  • - acquisition, time stamping, processing,
    display, and archiving of the operational and
    diagnostic data generated by the refurbished
    modules M3 through M5
  • - transmission of a selected set of that
    operational and diagnostic data to the unit
    process computer system
  • - data acquisition from the unit process
    computer system and distribution of that data to
    the refurbished systems.

20
Refurbishment of modules M3, M4, and M5 - cont. 3
  • System RSBP will:
  • provide monitoring and control functions of the
    primary circuit components and processes,
    including dedicated human-machine interfaces
  • replace the current relay logic systems and
    control systems of the primary circuit
  • System RSBS will:
  • provide monitoring and control functions of the
    secondary circuit components and processes,
    including dedicated human-machine interfaces
  • replace the current relay logic systems and
    control systems of the secondary circuit

21
Refurbishment of modules M3, M4, and M5 - cont. 4
  • System RSBT will:
  • provide monitoring and control functions of
    both of the unit's turbine-generators, including
    dedicated human-machine interfaces
  • replace the unit safeguard system, the
    turbine-generators protection system, the turbine
    control systems, and the electronic hard-wired
    logic systems.
  • Refurbishment of the modules M3 through M5 is to
    be completed by the year 2015.

22
Distribution of I&C functions in correspondence
with their safety classification - Fig. 5
[Figure: example of 6 cabinets (1P10, 1P11, 1P12, 1P13, 1P15, 1P16), showing the existing equipment and its safety classified functions alongside the new equipment. Legend: A category, B category, C category, nonclassified.]
23
Original I&C - Fig. 6
[Figure panels: NSSS part, BOP part]
24
Dependability of digital computer-based I&C
systems important to safety
  • To ensure an adequate level of dependability of
    digital computer-based I&C systems important to
    safety, the following measures were taken
    regarding the hardware and software development
    and manufacture:
  • Requirements common to the development and
    manufacture of computer hardware implementing I&C
    functions of any of the three safety categories,
    i.e. category A, B, or C as per the
    provisions of the standard IEC 1226, have been
    specified.
  • Specific graded requirements have been specified
    for the development and implementation of
    computer software, which provides safety category
    A functions, or safety category B functions, or
    safety category C functions.
  • Adherence to these requirements was monitored by
    conducting technical audits at the suppliers of
    digital computer-based I&C systems for modules M1
    and M2.

25
Dependability of digital computer-based I&C
systems important to safety - cont. 1
  • These measures were aimed at getting high quality
    hardware and software that is as error free as
    possible, commensurate with the safety significance
    of the individual refurbished I&C systems.
  • In parallel, measures were also taken to cope
    with those situations when, in spite of all the
    efforts to avoid errors in software, common cause
    failures might occur due to some residual
    software errors. These measures consisted in:
  • providing within the refurbished I&C safety
    systems two diverse lines of protection against
    the so-called frequent design basis events, i.e.,
    events with the estimated frequency of occurrence
    higher than 10E-3/year
  • providing within the refurbished modules M1 and
    M2 four lines of defense-in-depth, which are
    mutually independent and to some extent diverse.
  • A detailed description of these measures is beyond
    the scope of our paper and hence also beyond the
    scope of this presentation.

26
Dependability of digital computer-based I&C
systems important to safety - cont. 2
  • The main requirements for the development and
    manufacture of computer hardware were as follows:
  • Development of hardware shall be divided into
    formalized phases with specification of
    activities pertinent to each phase.
  • Each phase shall be terminated by verification
    and shall include generation of appropriate
    documentation.
  • Verification, quality assurance, inspection and
    test activities shall be performed to the
    provisions of appropriate plans.
  • Sub-systems, modules and components to be used in
    the computer system may be both dedicated
    hardware products as well as off-the-shelf
    products qualified for a particular application.
  • The proper working of the integrated computer
    system shall be demonstrated.

27
Dependability of digital computer-based I&C
systems - SW category A
  • The main requirements for the development of
    computer software were as follows:
  • Development process of software, which implements
    category A functions shall be a well structured
    and fully formalized process consisting of
    planning and development activities.
  • Planning activities shall result in establishing
    a set of planning documents, including
  • - Software quality assurance plan
  • - Software verification and validation plan
  • - Software configuration management plan
  • - Software safety plan.

28
Dependability of digital computer-based I&C
systems - SW category A - cont.
  • Development activities shall include:
  • Requirement activities, i.e. software
    requirements specification, followed by
    performance of requirements safety
    analysis, V&V tasks, and CM tasks.
  • Design activities, i.e. software design
    specification, followed by performance of design
    safety analysis, V&V tasks, and CM tasks.
  • Implementation activities, i.e. coding, followed
    by performance of code safety analysis,
    V&V tasks, and CM tasks.
  • Integration activities, i.e. software
    integration, followed by performance of
    safety analysis tasks, V&V tasks, and CM
    tasks.
  • Validation activities, i.e. software testing,
    performance of safety analysis tasks, V&V tasks,
    and CM tasks.
  • Installation activities, i.e. software
    installation into the processing units,
    performance of V&V and CM tasks.
  • No third-party independent V&V activities need
    to be performed provided that the V&V team is
    managerially and financially independent of the
    development team.

29
Dependability of digital computer-based I&C
systems - SW category B
  • Development process of software, which implements
    category B functions shall be a well structured
    and to a large extent formalized process consisting
    of planning and development activities.
  • Planning activities shall result in establishing
    a set of planning documents similar to that of
    the category A software development process but
    for the software safety plan.
  • Development activities shall be basically the
    same as those of the software category A
    development process but for the software safety
    activities.
  • Performance of the QA, V&V, and CM activities
    need not be documented to the same level of rigor
    as for category A software.

30
Dependability of digital computer-based I&C
systems - SW category C
  • Development process of software, which implements
    category C functions shall be a structured and to
    some extent formalized process consisting of
    planning and development activities.
  • Planning activities shall result in establishing,
    as a minimum, the following plans:
  • - Software quality assurance plan.
  • - Software verification plan.
  • Development activities shall be basically the
    same as those of the software category B
    development process but for integration and
    validation activities, which may be viewed as a
    part of the computer system integration and
    validation.
  • Performance of the QA and V&V may be documented
    in a summary form.

31
HW & SW development process technical audits
  • Regarding the conduct of technical audits, it was
    required that they focus on:
  • Auditing the planning documents generation
    process.
  • Auditing the software and hardware requirements
    setting and implementation processes.
  • Auditing the software and hardware design
    processes.
  • Auditing the software and hardware manufacturing
    and testing processes.
  • Auditing the implementation of the verification,
    validation, configuration management and software
    safety processes.

32
HW & SW development process technical audits - cont.
  • The performed technical audits and the process of
    dispositioning audit findings and observations
    contributed significantly to the verification
    that:
  • The development of software and hardware
    important to safety was adequately planned for by
    the audited organizations.
  • A V-shaped model of the system, hardware and
    software lifecycle, which is depicted in Fig.8,
    was followed in the development process of
    computer hardware and software important to
    safety. The development activities as implemented
    by the audited organizations were consistent in
    all significant aspects with the above stated
    main requirements as detailed by the provisions
    of the planning documentation and by the
    provisions of the applicable standards.

33
HW & SW Lifecycle - Fig. 7
34
Implementation at Unit B3
35
Implementation and start of operation
  • Step-by-step implementation in the course of four
    standard refueling outages
  • Validation in parallel operation (esp. step No. 7)
  • Specific test program for reactor start-up
    (step No. 8)
  • Regulatory inspection and independent supervision
  • Trial operation (12 months)
  • Verification of guaranteed parameters
  • Guarantee period operation (ended on 20th May
    2007)

36
Lessons learned (good practice)
  • Careful preparation period
  • (started in PHARE project with English NNC Ltd)
  • Splitting in two phases M1,2 and M3-5
  • (important for implementation during standard
    refueling outages)
  • Conservative approach
  • What does not have to be changed shall not be
    changed
  • Use of the plant simulator
  • (functional specification, test design
    verification)
  • Training system (selected NPP personnel acted as
    tutors)
  • NPP staff involvement
  • (fundamental for implementation and
    commissioning)

37
Operational experience
  • Advantages of the new I&C systems
  • Employment of advanced fuel due to new core
    monitoring
  • More reliable and accurate rod control (RRCS)
  • Better ex-core measurement (fixed detectors,
    comfortable calibration, ...)
  • New functions and better HMI of the process
    computer (PCS)
  • - operators support (e.g. SPDS)
  • - separated display of alarms
  • - large and detailed screens
  • - additional dedicated displays
  • Powerful diagnostics

38
Operational experience - résumé
  • The new, refurbished I&C systems
  • are compliant with regulatory authority
    requirements
  • facilitate plant service time extension
  • meet the plant operator expectations
  • The commissioning and operation in the course of
    the warranty period (24 months) have proved the
    feasibility of large-scale I&C refurbishment
    within standard refueling outages
  • The M1,2 refurbishment project at Dukovany Unit 3
    is viewed as a success

39
I&C Modernization at NPP Dukovany
  • Thank you for your attention