Modernisation of NPP, Consideration of CCF aspects

Franz Altkind, Swiss Federal Nuclear Inspectorate (HSK)

Manfred Märzendorfer, NPP Leibstadt Switzerland (KKL)

Date: 19.-21.06.2007 / MMA/AF


Content

  • Situation in Switzerland

  • Modernisation of NPP (Example based on Project PRESSURE)

  • Study for "CPU based safety control systems"


CH-Nuclear facilities overview

(Map: geographical position of the Swiss nuclear facilities. NPP sites are marked by triangles, experimental and research installations by stars, facilities for nuclear waste management by squares; dots mark the major cities.)



Reasons for retrofitting of existing I&C Systems

  • No support anymore from supplier

  • Increasing maintenance cost

  • Issue from safety evaluation

  • Control room improvements

    Most of the new I&C systems important to safety that are available on the market are computer based systems.


Regulatory situation for digital-I&C in Switzerland

  • 1997: The Swiss Federal Nuclear Safety Inspectorate (HSK) starts a collaboration with a workgroup of members of the Swiss NPPs to establish a guideline for "safety relevant digital I&C in NPPs".

  • 2005: The guideline R-46 officially came into effect in April

    • http://www.hsk.psi.ch/deutsch/gesetzgrundlagen/start4.htm

    • Richtlinien → [3] → R-46/d

  • Before the official enactment, the licensing of safety relevant digital I&C was based on R-35 (recently already "in the spirit" of the R-46, e.g. project ANIS+ in KKL)

(Figure legend: blue = conventional I&C systems, white = computer based I&C systems)


Regulatory situation for digital-I&C in Switzerland

  • The guideline is based on international standards (IAEA / IEC)

  • Credit can be taken for a generic qualification of the platform by an internationally accepted authority (e.g. a Safety Evaluation Report, SER, of the US NRC)

    • this allows the licensing process to focus mainly on the project specific concept (e.g. topology) and the applications (functions)

  • HSK leaves it open to the licensee (applicant) whether to follow e.g. US (NRC NUREG / IEEE) or other regulations, depending on the origin of the I&C platform to be implemented

  • The guideline puts emphasis on aspects such as

    • SW and FW (incl. tools), especially with regard to CCF (systematic errors)

    • IT security (data integrity, intrusion)


Qualification of electrical and I&C systems and equipment

(Diagram recovered from the slide, with three numbered elements linking: the I&C system; the safety relevance of the general plant systems; the requirements for qualification and classification from the international and Swiss (CH) regulatory view; and the allocation to I&C systems, functions and equipment.)


Modernisation of NPP – Project PRESSURE, NPP Beznau (Example of licensing procedure: replacement of the reactor protection system, the engineered safety features actuation system and the control system)

  • Preconditions

  • Licensing procedure phases

  • Assessment in the context of Plant Safety

  • Assessment in the context of I&C System

  • Functional diversity

  • Operating Experience

  • Conclusions


Preconditions

  • Characteristics of the replacement

    • PWR plant, Westinghouse (USA), commissioned 1969/1971: modern I&C technology from the German supplier Siemens must be made consistent with the concepts and constraints of the plant

    • Safety basis, functionality and HSI remain unchanged

  • Conditions and criteria for licensing and assessment

    • Assessment based on the state of science and technology

    • No detailed regulatory framework in the area of I&C in Switzerland

    • Design and realisation must meet the requirements of the supplier's country, i.e. Germany

  • Conclusions for the licensing procedure

    • Assessment of overall, safety and process aspects by HSK

    • Support by German experts (TÜV Süddeutschland and ISTec) for all aspects related to computer based I&C systems


Licensing Procedure HSK-R-35 Applied for the PRESSURE Project

(Flowchart recovered from the slide; it has three columns: supplier & utility activities, HSK approvals, and phase. Sub-phases A, C and D are also marked in the chart.)

  • Phases, in order: early phase; Phase S1 "Concept"; Phase S2 "System Design"; Phase S3 "Realisation"; Phase 4 "Integration and Commissioning"; Operation

  • Supplier & utility activities, in order: introduction and agreement about the procedure; requirement specifications; safety evaluation; design specifications; realisation; implementation; quality assurance plan; commissioning plan; V&V plan; 5 days of operation

  • HSK approvals, in order: approval of concept (with comments); approval for implementation; approval for nuclear commissioning; (approval for plant start-up); approval for next cycle



Assessment in the context of Plant Safety

  • Requirements specification by supplier

    • Comparison with the currently existing functions

  • Safety assessment by the utility, supported by the supplier, with consideration of CCF

    • Analysis of possible effects caused by the I&C replacement

    • Analysis of diversity of the category A functions

    • Inclusion of the Beznau NPP emergency system in the analysis of diversity

    • Categorisation of I&C functions according to IEC standard 61226

  • Consequences and results of the first assessment

    • Enhanced safety assessment

    • Some modifications of the I&C-functions


Assessment in the context of I&C System

  • Documents for the assessment

    • Functional requirements specification

    • Specification of the I&C structure

    • Reliability analysis, failure mode and effect analysis

  • Contract with “TÜV Süd” for assessment and evaluation

    • Application specific assessment of the computer based I&C structure:

      • equipment and software are implemented correctly

      • consistent with the relevant requirements and constraints

      • in the given environmental conditions

    • Acceptance criteria to be defined based on German and international nuclear technology standards and guidelines

  • Issues of the first assessment:

    • Improvements of the documentation, further analyses

    • Modifications in the concept of the I&C architecture


Diversity of Functions and Actuation Signals

(Diagram recovered from the slide: the emergency systems actuation is driven both by the Decontik k,S and relay based I&C and by NANO, the bunkered emergency system.)


I&C System Architecture

(Block diagram recovered from the slide: four redundancies R1 to R4, each a station incl. CPU handling binary and analogue signals; separate communication for diversity A and B; point-to-point connections; a message and service interface; closed-loop control.)



Operating experiences

  • Commissioning in unit 1: Autumn 2000

  • Commissioning in unit 2: Autumn 2001

  • More than 5 years of operating experience

  • Positive operating experiences:

    • required periodic tests

    • behaviour of control loops

    • support of maintenance using the service station

  • 2002-2006: minor modifications, improvements and enhancements in the software and peripheral hardware (I/O only). Each modification was done during a plant outage. For every modification a licensing procedure was performed with HSK before installation and commissioning, and HSK carried out inspections during the installation and commissioning phase.


Conclusions

  • If no detailed I&C regulatory framework is available: early agreement about the licensing procedure, the standards and guidelines to be applied, the documents to be provided and the acceptance criteria to be met.

  • The licensing procedure with the 4 phases turned out to be a good method. Specific aspects of computer based systems have to be integrated in the licensing procedure.

  • Early information of the licensing authority about the intentions of a project has a positive influence on the co-ordination between the project development and the licensing procedure.

  • The proof of sufficient diversity in order to deal with common cause failures may require a re-assessment of the event analysis.

  • Configuration and change control, as well as measures to protect the computer based system against unauthorised access (security), are very important during the whole life cycle.
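The last conclusion (configuration and change control, data integrity of the computer based system) is the one point of the presentation that has a direct technical counterpart. The following is an added example, not code from the presentation, the project or HSK: it checks a candidate software load against a manifest that the release authority signed when the licensed version was approved, so that a changed setpoint file, an added file, or a manifest re-generated to cover up the change is detected before installation. File names, file contents, the release name and the key are constructed for illustration.

```python
"""Added example: integrity check of a safety-I&C software load against a signed
release manifest, as one building block of configuration and change control.
Not code from the presentation; all file names, contents and keys are constructed."""
import hashlib
import hmac
import json
from typing import Dict, List


def build_manifest(files: Dict[str, bytes], release: str) -> dict:
    """Record a SHA-256 digest for every file of an approved software load."""
    return {
        "release": release,
        "files": {path: hashlib.sha256(data).hexdigest()
                  for path, data in sorted(files.items())},
    }


def canonical(manifest: dict) -> bytes:
    # Deterministic serialisation so that signer and verifier hash identical bytes.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes) -> str:
    """HMAC-SHA256 over the canonical manifest; the key is held by the release authority."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_load(files: Dict[str, bytes], manifest: dict, signature: str,
                key: bytes) -> List[str]:
    """Compare a candidate load with the signed manifest.

    Returns a list of findings; an empty list means the load is exactly the
    approved one. The manifest signature is checked first: a manifest that was
    edited to match a tampered load must not be trusted, whatever it lists."""
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return ["manifest rejected: signature does not verify"]
    expected = manifest["files"]
    findings = []
    for path in sorted(set(expected) | set(files)):
        if path not in files:
            findings.append(f"missing: {path}")
        elif path not in expected:
            findings.append(f"unexpected file: {path}")
        elif hashlib.sha256(files[path]).hexdigest() != expected[path]:
            findings.append(f"modified: {path}")
    return findings


# Constructed sample load (file names and contents are illustrative only).
APPROVED_LOAD = {
    "rps/trip_logic.bin": b"\x7fELF-like-binary-placeholder-v1",
    "rps/setpoints.cfg": b"pressure_trip=160.0\ntemperature_trip=330.0\n",
}
RELEASE_KEY = b"constructed-release-authority-key"  # kept offline / in an HSM in practice
MANIFEST = build_manifest(APPROVED_LOAD, release="PRESSURE-1.0")
SIGNATURE = sign_manifest(MANIFEST, RELEASE_KEY)


def check_tampered_load() -> List[str]:
    """A setpoint was changed and a file added without going through change control."""
    tampered = dict(APPROVED_LOAD)
    tampered["rps/setpoints.cfg"] = b"pressure_trip=190.0\ntemperature_trip=330.0\n"
    tampered["rps/debug_hook.bin"] = b"not part of the licensed release"
    return verify_load(tampered, MANIFEST, SIGNATURE, RELEASE_KEY)


def check_forged_manifest() -> List[str]:
    """The manifest is re-generated for the tampered load, but cannot be re-signed."""
    tampered = dict(APPROVED_LOAD)
    tampered["rps/setpoints.cfg"] = b"pressure_trip=190.0\n"
    forged = build_manifest(tampered, release="PRESSURE-1.0")
    return verify_load(tampered, forged, SIGNATURE, RELEASE_KEY)


if __name__ == "__main__":
    print("approved load :", verify_load(APPROVED_LOAD, MANIFEST, SIGNATURE, RELEASE_KEY))
    print("tampered load :", check_tampered_load())
    print("forged manifest:", check_forged_manifest())
```

The verifier only needs the manifest, its signature and the key; it never trusts the load to describe itself. For a real plant the HMAC key would be replaced by an asymmetric signature so that the verification station holds no secret that could be used to sign a modified release.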



Basic principle study for "CPU based safety control systems" performed by TÜV

  • Overview of internationally used CPU based safety systems

  • Requirements from the regulatory side

  • Controlling of CCF

  • Defence-in-depth

  • Independence of systems within the same safety level and on different safety levels

  • Problem areas when changing to CPU based safety control systems

  • Approaches for designing safety systems in CPU based technology


Overview of internationally used CPU based safety systems

  • Canada

  • France

  • USA

  • UK

  • Czech Republic

  • Sweden

  • Korea

  • Finland

  • Conclusion: To avoid CCF in safety systems, most of them use a second, independent control system which is diverse in HW and also in system SW.

  • Experience shows that complete functional diversity cannot be achieved in a retrofit project for an NPP.

  • In Germany all inspection organisations require functional diversity as standard.

  • In addition, TÜV Süd-IS requires a diverse protection system (trip) and an independent diverse system for manual operation of the ESFAS (Engineered Safety Features Actuation System).


Controlling of CCF

  • General: Safety systems must be developed in such a way that operational availability cannot influence the safety system. A CCF in combination with other failures must be postulated for safety functions of category A.

  • The study considers:

    • Definition (RSK, KTA 3501, IEC 61226, IAEA NS-G-1.3, IAEA NS-R-1, IEC 60880)

    • Requirements for analysis (KTA 3501, IEC 61513, IEC 60880, IAEA NS-R-1, IAEA NS-G-1.1, IEC 61226)

    • Requirements regarding diversity for designs against CCF (KTA 3501, IEC 61226, IAEA NS-R-1, IEC 61513, IAEA NS-G-1.1)

    • Requirements regarding verification of diversity (IEC 61513, IAEA NS-G-1.3)


Defence-in-Depth (for I&C: IEC 61513)

(Figure recovered from the slide; the five levels in their usual order:)

  • Level 1: Prevention of abnormal operation and failures

  • Level 2: Control of abnormal operation and detection of failures

  • Level 3: Control of accidents within the design basis (this must be as tight as possible = diversity necessary)

  • Level 4: Control of severe conditions incl. prevention of accident progression and mitigation of the consequences of severe accidents

  • Level 5: Mitigation of radiological consequences of significant external releases of radioactive material


Independence of systems within the same safety level and on different safety levels

  • Some important items to be considered:

    • Within I&C systems important to safety, the different safety categories should be independent, so that there is no influence from the lower to the higher level.

    • Safety functions of category A should be realised so that diverse functions work independently of each other.

    • Redundancies should be independent and separated (e.g. for fire protection).

    • Exception: if safety function units of different categories are implemented on the same platform (hardware), the highest category has to be applied to the whole system.


Problem areas when changing to CPU based safety control systems

  • System characteristics:

    • Communication and processing are serial instead of parallel

    • Real time operation

    • High complexity of HW components and SW

    • Structural change of the architecture and concentration of many different functions

    • Short life cycle of electronic devices and frequent changes of electrical items, SW and tools

    • Failures depend on the history of the system (caused by the very large number of internal states of CPU based electronics)


Approaches for designing safety systems in computer based technology (1)

Complete diverse subsystems (SVE CPU Type A and SPS CPU Type B)

(Block diagram recovered from the slide: measurements M1, M2, M3 feed diverse subsystem A, built from SVE stations, and measurements N1, N2, N3 feed diverse subsystem B, built from SPS stations. Each subsystem runs function blocks FB 1 to FB n and votes 2v3 (= 2oo3); the two subsystems drive the actuation signals A1 and A2. SPS is the German abbreviation for a PLC, speicherprogrammierbare Steuerung.)


Approaches for designing safety systems in computer based technology (2)

Diverse subsystems in each function unit (SVE CPU Type A and SPS CPU Type B)

(Block diagram recovered from the slide: each function unit FB 1 to FB n receives measurements M1 to M4 and processes them in a mix of SVE and SPS stations; the outputs are combined in relay logic that drives the actuation signals A1 to An.)


Approaches for designing safety systems in computer based technology (3)

Functional diverse subsystems (same platform) and additional diverse backup system

(Block diagram recovered from the slide: diverse subsystems A and B are both built from SVE stations; each runs function blocks FB 1 to FB n on measurements M1 to M3 and N1 to N3 with 2v3 voting. A separate backup system built from SPS stations votes 1v2 on its measurements. The three paths drive the actuation signals A1 and A2.)
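The three block diagrams above show architecture, not behaviour. To make the CCF argument concrete, here is an added example, not code from the presentation or from TÜV, that models the architectures of slides 26 and 28 (plus a redundancy-only baseline that is not on the slides) as m-out-of-n voting groups and asks, for each, whether an accident is still tripped when all stations of one CPU type fail together, when one application function is systematically wrong, or both. The trip limits, process values and the fail-silent fault model (a station hit by a systematic error never demands a trip) are constructed assumptions; the slide 27 variant is not modelled because its voting is not legible from the diagram.

```python
"""Added example: m-out-of-n voting and diverse subsystems under a common cause
failure. Models the architectures sketched on slides 26 and 28; not code from the
presentation. Limits, measurements and the fault model are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple

# Constructed trip limits for two functionally diverse trip parameters.
LIMITS = {"pressure": 160.0, "temperature": 330.0}

Process = Dict[str, float]


@dataclass(frozen=True)
class Channel:
    platform: str   # CPU type as on the slides: "SVE" (Type A) or "SPS" (Type B)
    function: str   # which process parameter this channel evaluates

    def demands_trip(self, process: Process, failed_platforms: FrozenSet[str],
                     failed_functions: FrozenSet[str]) -> bool:
        # Assumed fault model: a systematic error in the platform (CCF of every
        # channel of that CPU type) or in the application function makes the
        # channel fail silent, i.e. it never demands a trip.
        if self.platform in failed_platforms or self.function in failed_functions:
            return False
        return process[self.function] > LIMITS[self.function]


@dataclass(frozen=True)
class VotingGroup:
    channels: Tuple[Channel, ...]
    m: int   # m-out-of-n: 2 for "2v3" (2oo3), 1 for "1v2" (1oo2)

    def trips(self, process: Process, failed_platforms: FrozenSet[str],
              failed_functions: FrozenSet[str]) -> bool:
        votes = sum(c.demands_trip(process, failed_platforms, failed_functions)
                    for c in self.channels)
        return votes >= self.m


def group(platform: str, function: str, n: int, m: int) -> VotingGroup:
    return VotingGroup(tuple(Channel(platform, function) for _ in range(n)), m)


# Each architecture is a list of voting groups whose outputs are OR-ed at the
# actuation level (A1/A2 on the slides): any subsystem may demand the action.
ARCHITECTURES: Dict[str, List[VotingGroup]] = {
    # baseline, not on the slides: redundancy only, one CPU type, one function
    "redundant_only": [group("SVE", "pressure", 3, 2)],
    # slide 26: complete diverse subsystems (SVE 2v3 and SPS 2v3), same function
    "complete_diverse": [group("SVE", "pressure", 3, 2),
                         group("SPS", "pressure", 3, 2)],
    # slide 28: functionally diverse subsystems on one platform (2v3 each)
    # plus a diverse backup system on the other platform (1v2)
    "functional_diverse_plus_backup": [group("SVE", "pressure", 3, 2),
                                       group("SVE", "temperature", 3, 2),
                                       group("SPS", "pressure", 2, 1)],
}


def system_trips(arch: str, process: Process, failed_platforms: Iterable[str] = (),
                 failed_functions: Iterable[str] = ()) -> bool:
    fp, ff = frozenset(failed_platforms), frozenset(failed_functions)
    return any(g.trips(process, fp, ff) for g in ARCHITECTURES[arch])


# Constructed process states: an accident exceeding both limits, and normal operation.
ACCIDENT: Process = {"pressure": 175.0, "temperature": 345.0}
NORMAL: Process = {"pressure": 150.0, "temperature": 300.0}

SCENARIOS = {
    "no fault": ((), ()),
    "CCF of all SVE stations": (("SVE",), ()),
    "systematic error in pressure function": ((), ("pressure",)),
    "SVE CCF and pressure function error": (("SVE",), ("pressure",)),
}


def ccf_table() -> Dict[str, Dict[str, bool]]:
    """For every architecture and scenario: is the accident tripped?"""
    return {arch: {name: system_trips(arch, ACCIDENT, fp, ff)
                   for name, (fp, ff) in SCENARIOS.items()}
            for arch in ARCHITECTURES}


if __name__ == "__main__":
    for arch, row in ccf_table().items():
        print(arch)
        for scenario, tripped in row.items():
            print(f"  {scenario:40s} -> {'TRIP' if tripped else 'NO TRIP'}")
    print("spurious trip in normal operation:",
          any(system_trips(a, NORMAL) for a in ARCHITECTURES))
```

The table it prints is the study's conclusion in miniature: 2v3 redundancy on one platform survives random single failures but not a CCF of that platform; hardware/software diversity (slide 26) survives the platform CCF but not a systematic error in the shared function; functional diversity plus a diverse backup (slide 28) survives either alone and still fails when both coincide, which is why the slide 22 requirement to postulate a CCF in combination with other failures has to be checked against the actual event analysis rather than assumed away.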