TWG-NPPIC, May 2015, Vienna: UK status 1

Current status of NPP I&C in the United Kingdom

T P Smyth

AMEC Foster Wheeler, Knutsford, Cheshire, UK

25th Meeting of the Technical Working Group on Nuclear Power Plant Instrumentation and Control, 27-29 May 2015, Vienna

Current status of NPP I&C in the United Kingdom

• Nuclear Power Plants in the UK
• Regulatory Environment
• Generic Design Assessment Process & Status
• Generic Design Assessment I&C Status
• Fukushima response
• Recommendations

Hinkley Point B

Nuclear Power Plants in the UK (1)

Reactors          Type     Unit capacity    Start operation   Expected shutdown
Wylfa 1           Magnox   1 x 490 MWe      1971              Dec 2015 (+1)
Hinkley Point B   AGR      2 x 610 MWe      1976              2023
Hunterston B      AGR      2 x 610 MWe      1976              2023
Dungeness B       AGR      2 x 545 MWe      1983              2028 (+10)
Hartlepool        AGR      2 x 595 MWe      1984              2024 (+5)
Heysham 1         AGR      2 x 580 MWe      1985              2019
Heysham 2         AGR      2 x 615 MWe      1988              2023
Torness           AGR      2 x 625 MWe      1988              2023
Sizewell B        PWR      1 x 1188 MWe     1995              2035
Total (19)                 10 038 MWe

Nuclear Power Plants in the UK (2)

• Electricity sources
  - 21% nuclear (2013: 20%)
  - 31% gas (2013: 27%)
  - 34% coal (2013: 36%)
  - 14% other

• Need to plan for energy replacement
  - 8 plants (15 reactors) will close in next 13 years
  - 8850 MWe

Regulatory Environment (1)

• Standards hierarchy
  - ONR Safety Assessment Principles & Technical Assessment Guides (http://www.hse.gov.uk/nuclear)
  - IAEA principles & IEC standards
    - IEC 61513
    - IEC 61226
  - Modern standards reviews
    - Design, Operation and Maintenance
    - Part of Periodic Safety Reviews

• PSA based assessment

• Limit of reliability claims for software based systems
  - 10^-4 failures/demand claim limit

Regulatory Environment (2)

• Application to Sizewell B
  - Primary Protection System
    - Four channels, 2 out of 4 tripping
    - Software based
    - Production excellence
      - IEC 60880
    - Independent confidence building
      - Extensive testing
      - Independent code safety assessment
  - Secondary Protection System
    - Four channels, 2 out of 4 tripping
    - Protection for frequent faults
    - Laddic – magnetic amplifiers
    - Diverse technology

Regulatory Environment (3)

• New Build, in general, same regulatory requirements as Sizewell B
  - Diversity requirements in reactor protection systems
  - Possibly less onerous protection system targets
    - Passively safe systems will make fewer demands

• Common regulatory position
  - Licensing of safety critical software for nuclear reactors: Common position of seven European nuclear regulators and authorised technical support organisations. BEL V, Belgium; ONR, United Kingdom; BfS, Germany; SSM, Sweden; CSN, Spain; STUK, Finland; ISTec, Germany
  - 1.13 Software reliability
    - 1.13.3.1: Reliability claims for a single software based system important to safety of lower than 10^-4 probability of failure (on demand or dangerous failure per year) shall be treated with caution.

Generic Design Assessment (GDA) Process

• Indicative timetable
  - EPR: iDAC (Dec 2011)
  - EPR: DAC (Dec 2012)
  - AP1000: iDAC (Dec 2011)
  - ABWR: Aug 2014

GDA Status

• New build
  - Generic Design Assessment (GDA)
    - Areva/EdF EPR (1600 MWe) - GDA complete Dec 2012
    - Westinghouse AP1000 (1117 MWe) - GDA restarted, due Jan 2017
    - Hitachi-GE ABWR (1350 MWe) - started Apr 2013, due end 2017
  - Office for Nuclear Regulation (ONR)
    - www.hse.gov.uk/newreactors
    - ONR reports covering each Step of GDA
  - Vendor GDA submissions
    - Areva/EdF EPR: www.epr-reactor.co.uk
    - Westinghouse AP1000: www.ukap1000application.com
    - Hitachi-GE ABWR: www.hitachi-hgne-uk-abwr.co.uk

GDA Applicants

• New build sites
  - EdF Energy
    - 2 x EPR at Hinkley Point
    - 2 x EPR at Sizewell
    - Bradwell site
  - Horizon Nuclear Power (Hitachi)
    - 2 x Hitachi-GE ABWR at Wylfa
    - 2 x Hitachi-GE ABWR at Oldbury
  - NuGeneration (Toshiba, ENGIE)
    - 3 x Westinghouse AP1000 at Sellafield site (Moorside)
  - Total planned power ±19 GWe

GDA Applicant Sites

GDA I&C Overview

• GDA Status for I&C
  - UK EPR
    - Step 3
    - Step 4
  - UK AP1000
    - Step 3
    - Step 4
  - UK ABWR
    - Step 2

GDA of UK EPR™ I&C (1)

• GDA Regulatory Issue on UK EPR™ I&C
  - GDA Step 3
    - The complexity of interconnectivity between the very important Class 1 Safety Systems and lower Safety Class control systems. Of particular concern was that the lower Classes 2 and 3 Systems could have write access to the highest Class 1 Safety System (the main Reactor Protection System). This also challenged the important safety assessment principle that Safety Systems should be completely independent of control systems.
    - There was a lack of Class 1 equipment including hard-wired and simple technology as a diverse backup to the highly computerised and sophisticated screen based displays and controls in the Main Control Room and Remote Shutdown Station.
    - Substantiation of the reliability claims for the computer-based Systems Important to Safety.

GDA of UK EPR™ I&C (2)

• Resolution
  - All networked communications will be one-way, from the Class 1 systems to lower Class 2 and 3 systems. The permissive signals that were to be implemented through the lower Class systems will now be implemented using Class 1 Safety Information and Control System (SICS) equipment including a Qualified Display System.
  - There will be a Class 1 SICS operational in the Main Control Room and a similar panel in the Remote Shutdown Station. The SICS will include simple hard-wired technology and will be fully operational for alarms and displays at all times.
  - Probabilistic claims on each of the main I&C platforms will have lower limits than in the original design for the UK. The shortfall in overall reliability of the safety systems will be made up by the introduction of a Non-Computer-Based Safety System (NCSS).

GDA of UK EPR™ I&C (3)

• GDA Step 4
  - Completion of Step 3 I&C issues: categorisation of functions, classification of systems, compliance to IEC I&C nuclear standards.
  - Claims-Arguments-Evidence (CAE) based review against the SAPs
  - Review of the principal design and implementation standards for I&C Class 1, 2 and 3 equipment. Sampling of detailed evidence predominantly focused on the Class 1 systems (e.g. reactor protection) and the key Class 2 systems.
  - Review of safety case for the Class 1 and key Class 2 platforms and pre-developed components using appropriate guidance and standards. Development of application code, independent verification and validation, and Independent Confidence Building Measures.
  - Further review of the I&C architecture including provisions for defence-in-depth, independence and diversity, automatic and manual safety actuations, and appropriateness of equipment class.

GDA of UK EPR™ I&C (4)

• GDA Step 4 (cont.)
  - Cross-cutting issues
    - Safety Categorisation and Classification – Alignment with IEC 61226.
    - Smart devices.

• ONR Design Acceptance Confirmation
  - Dec 2012
  - 5 year programme
  - ~£35 million

GDA of UK AP1000 I&C (1)

• GDA Regulatory Issue on UK AP1000 I&C
  - GDA Step 3 - No Regulatory Issues

• GDA Step 4 – Assessment findings
  - The PCSR and supporting documentation cover the main I&C Systems Important to Safety expected in a modern nuclear reactor
  - The I&C standards are broadly in accordance with those expected in the nuclear sector
  - The safety cases for the Protection and Safety Monitoring System (PMS) and Diverse Actuation System (DAS) are in general accordance with expectations
  - The overall I&C architecture is generally in accordance with expectations.

GDA of UK AP1000 I&C (2)

• GDA Step 4 – Assessment issues related to:
  - Changes made to the Diverse Actuation System (DAS) architecture (i.e. from two-out-of-two actuation voting to two-out-of-three / dual one-out-of-two) to significantly improve fault tolerance and availability
  - Change of Diverse Actuation System (DAS) technology from being based on complex FPGAs to non programmable electronics in order to address a major concern on DAS and Protection and Safety Monitoring System (PMS) / Component Interface Module (CIM) diversity
  - Provision of detailed diversity analyses (PMS / DAS and Plant control System [PLS] / DAS) which need to be undertaken as a consequence of the DAS technology change
  - Provision of equipment to reduce the frequency of spurious Automatic Depressurisation System (ADS) operation in the event of PMS failure
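Two of the slides above turn on the same arithmetic: the Sizewell B primary and secondary protection systems each vote 2 out of 4 and the software-based system may not claim better than 10^-4 failures per demand, and the UK AP1000 DAS changed from two-out-of-two to two-out-of-three / dual one-out-of-two voting to improve fault tolerance and availability. The following Python is an added worked example written for this page, not code from the presentation, ONR or any vendor. It assumes independent channels and independent diverse lines (common-cause failure is not modelled, so the figures are optimistic), uses constructed per-channel probabilities, and the `dual_1oo2` function encodes one possible reading of "dual one-out-of-two" (two 1oo2 groups that must both vote trip), which the slide does not define.

```python
"""m-out-of-n voting and diverse-line reliability (added worked example).

Illustration written for this page, not code from the presentation or from any
vendor or ONR document. With independent channels and constructed per-channel
probabilities it shows:
  * the trip logic itself (e.g. the Sizewell B 2-out-of-4 arrangement);
  * why moving the DAS from 2oo2 to 2oo3 (or a dual 1oo2 arrangement) changes
    the balance between failing to trip and tripping spuriously;
  * how the 10^-4 per-demand claim limit on a single software-based system
    makes a diverse, non-software line necessary to reach a lower overall
    probability of failure on demand (PFD).
Independence between channels and between lines is assumed; common-cause
failure is deliberately left out, so the numbers are optimistic.
"""
from math import comb

SOFTWARE_CLAIM_LIMIT = 1e-4  # best PFD claimable for one software-based system (page: 10^-4/demand)


def votes_to_actuate(m: int, channel_trips) -> bool:
    """m-out-of-n logic: actuate when at least m channel trip flags are set."""
    return sum(1 for tripped in channel_trips if tripped) >= m


def p_at_least(k: int, n: int, p: float) -> float:
    """Probability that at least k of n independent events occur, each with probability p."""
    return sum(comb(n, j) * p ** j * (1 - p) ** (n - j) for j in range(k, n + 1))


def p_fail_to_trip(m: int, n: int, q: float) -> float:
    """Dangerous failure of an m-oo-n system: fewer than m channels remain able to trip,
    i.e. at least n-m+1 channels have failed (each with dangerous failure probability q)."""
    return p_at_least(n - m + 1, n, q)


def p_spurious_trip(m: int, n: int, s: float) -> float:
    """Spurious actuation of an m-oo-n system: at least m channels trip with no demand
    (each with spurious-trip probability s)."""
    return p_at_least(m, n, s)


def dual_1oo2(q: float, s: float):
    """One reading of 'dual one-out-of-two' (an assumption; the slide does not define it):
    two independent 1oo2 groups, and the actuator needs both groups to vote trip.
    Returns (fail-to-trip, spurious) probabilities."""
    group_fail = q ** 2                  # a 1oo2 group fails only if both channels fail
    group_spurious = 1 - (1 - s) ** 2    # a 1oo2 group trips if either channel does
    fail = 1 - (1 - group_fail) ** 2     # losing either group loses the function
    spurious = group_spurious ** 2       # both groups must spuriously trip
    return fail, spurious


def compare_voting(q: float = 0.01, s: float = 0.01) -> dict:
    """Fail-to-trip and spurious-trip probabilities for the logics discussed on the page."""
    table = {f"{m}oo{n}": (p_fail_to_trip(m, n, q), p_spurious_trip(m, n, s))
             for m, n in [(2, 2), (2, 3), (2, 4)]}
    table["dual 1oo2"] = dual_1oo2(q, s)
    return table


def claimable_pfd(assessed_pfd: float, software_based: bool,
                  limit: float = SOFTWARE_CLAIM_LIMIT) -> float:
    """Apply the claim limit: a software-based system may not claim a PFD better than `limit`."""
    return max(assessed_pfd, limit) if software_based else assessed_pfd


def diverse_pfd(primary_pfd: float, secondary_pfd: float) -> float:
    """PFD of a function protected by two independent diverse lines: both must fail."""
    return primary_pfd * secondary_pfd


if __name__ == "__main__":
    for logic, (ftt, spur) in compare_voting().items():
        print(f"{logic:>9}: fail-to-trip {ftt:.3e}  spurious {spur:.3e}")
    # Constructed figures: a software-based primary system assessed at 1e-6 is
    # capped at 1e-4; a diverse hardwired secondary at 1e-3 brings the pair to 1e-7.
    primary = claimable_pfd(1e-6, software_based=True)
    print("combined PFD:", diverse_pfd(primary, claimable_pfd(1e-3, software_based=False)))
```

With q = s = 0.01 per channel, 2oo2 fails to trip in about 2% of demands (either channel failing loses the function) while 2oo3 brings that to roughly 3 x 10^-4 for only a small rise in spurious trips, which is the fault-tolerance and availability gain the AP1000 slide describes. The second half shows why the EPR resolution introduces a non-computer-based line: once the software-based system is capped at 10^-4, only an independent diverse line can carry the overall claim lower.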

GDA of UK AP1000 I&C (3)

• GDA Step 4 – Assessment issues related to: (cont.)
  - Enhancements to the safety cases for the Protection and Safety Monitoring System (PMS), safety Class 1 Component Interface Module (CIM) and the Diverse Actuation System (DAS)
  - Provision of safety cases for the safety related Class 2 / 3 Distributed Control and Information System (DCIS) (comprising the Plant control System (PLS), Data Display and processing System (DDS) and Ovation platform)
  - Provision of safety Class 1 displays and controls outside of the Main Control Room.

GDA of UK AP1000 I&C (4)

• GDA Step 4 (cont.)
  - Cross-cutting issues
    - Smart devices.
    - Metrication

• ONR Design Acceptance Confirmation
  - Interim Dec 2011
  - Final due Jan 2017.

GDA of UK ABWR I&C (1)

• GDA Regulatory Issue on UK ABWR I&C
  - GDA Step 2 - No Regulatory Issues

• GDA Step 2 – Assessment Issues
  - The demonstration of adequate production excellence of the Safety System Logic and Control (SSLC) design. The processes for complex components such as FPGAs planned to be used in this system are not fully developed.
  - Independence of Design Teams for I&C platforms. To support the development of the SSLC design it is essential for the design team to be independent from teams who are developing the design of other protection and control systems.
  - The Secondary Protection is based on hardwired non-programmable technology, which is made up of a number of separate systems. These should be designed as a single coordinated system in order to demonstrate that this system is adequate and resilient to systematic faults.

GDA of UK ABWR I&C (2)

• GDA Regulatory Observations
  - Spurious I&C Failures as Design Basis Initiating Events
    - Class 1 SSLC
    - Class 2 hardwired protection system
    - Class 2 plant control system
    - Class 3 auxiliary control system
  - Back-up Building I&C
    - Beyond the design basis accident sequences
    - Severe accident (SA) sequences
    - Also used for Design Basis Accidents – additional information required in PCSR.
  - Hardwired Back Up System
    - Safety function requirements for the hardwired backup systems
    - Design, design process and technology used for the hardwired backup system and how the design protects against common cause and systematic failures. Justification of the technology selected and any interfaces the system has with other I&C systems

GDA of UK ABWR I&C (3)

• GDA Regulatory Observations (cont.)
  - Safety System Logic & Control (SSLC) Class 1 HMI
    - Functionality of the SSLC HMI. Modes of operation in which the HMI is used. Human Factors documentation.
    - Design of the SSLC HMI and the selected technology, including a high-level description of how the design protects against fault propagation and corruption of information
    - Justification of the technology selected for the SSLC HMI, including an initial high-level compliance analysis against standards such as IEC 61513.
  - SSLC Production Excellence
    - Methodology
    - Statistical Testing
  - Embedded I&C subsystems and smart devices
    - List of Embedded I&C utilizing smart technology in SC1 or SC2 systems
    - Justification of approach for embedded C&I systems and smart devices
    - Trial of justification methods for examples at SC1 and SC2

GDA of UK ABWR I&C (4)

• GDA Regulatory Observations (cont.)
  - SSLC and Support System Architecture
    - Safety functional category for all of the SSLC plant level functions
    - Category A safety functions should be designed to follow an N+2 format. Where the functions are category B or lower, a safety justification should be provided for why the SSLC is used for the lower safety functional category role. Category B functions should not interfere with the operation of the whole four-divisional SSLC.
  - Safety System Logic & Control (SSLC) Design
    - Design Process
    - Design Organization – independence.

Fukushima response

• UK Progress
  - Interim report – May 2011
  - Final report – Oct 2011
  - European Council "Stress Tests" – Nov 2011
  - ONR Fukushima Implementation Report – Oct 2012

• Implications for New Build
  - Treated as an additional GDA issue

Fukushima I&C response (1)

• UK EPR™ Enhancements
  - Extension of severe accident battery storage capability from 12 to 24 hours
  - Establishment of a communication system suitable for operation under a total loss of electrical power situation - a network of sound-powered telephones
  - Qualifying the performance of instrumentation required for monitoring containment integrity and in the spent fuel cooling pool
  - Provision of means for re-powering the dedicated Severe Accident Instrumentation and Control equipment
  - Extension of SBO diesel generator autonomy by using mobile pumping of the main emergency diesel generator fuel tanks to recharge the SBO diesel generator fuel tanks
  - Provision of equipment and means (connection point etc.) to re-supply significant electrical power from three days post-event
  - Provision of a high power mobile emergency generator capacity

Fukushima I&C response (2)

• UK AP1000 Response
  - Review of design ongoing.
  - AP1000 GDA Resolution Plan for GI-AP1000-CC-03

• UK ABWR Response
  - Provision of backup DC power
  - Instrumentation
    - RPV depressurization
    - Coolant injection control
  - Instrument reliability and credibility
    - Severe Accident Instrumentation

Recommendations to the IAEA

• IAEA topics
  - Embedded software
  - The application of diversity, independence and physical separation between different levels of the I&C system
  - Human Factors Engineering
  - Smart Sensors
  - Design and management of I&C systems for future upgrading
  - Aging management of electrical equipment

References (1)

• ONR New build website: http://www.hse.gov.uk/newreactors/
• Licensing of safety critical software for nuclear reactors. Common position of seven European nuclear regulators and authorised technical support organisations. 2010. http://www.hse.gov.uk/nuclear/software.pdf
• UK EPR™ Control and Instrumentation (I&C) Architecture Regulatory Issue RI-UKEPR-0002. http://www.hse.gov.uk/newreactors/ri-ukepr-0002.pdf and http://www.hse.gov.uk/newreactors/closure-of-regulatory-issue.pdf
• UK EPR™ I&C Architecture. http://www.epr-reactor.co.uk, PCSR chapter 7, Appendix 7A.
• UK EPR™ I&C Architecture. UKEPR-0002-072 Issue 04. http://www.epr-reactor.co.uk, PCSR chapter 7.2.
• UK Office for Nuclear Regulation. GDA Step 4 and Close-out for Control and Instrumentation Assessment of the EDF and AREVA UK EPR™ Reactor.

References (2)

• UK Office for Nuclear Regulation. Japanese earthquake and tsunami: Implications for the UK nuclear industry. Interim Report. May 2011.
• UK Office for Nuclear Regulation. Japanese earthquake and tsunami: Implications for the UK nuclear industry. Final Report. September 2011.
• UK Office for Nuclear Regulation. National Final Report on European Council "Stress Tests" for UK Nuclear Power Plants. December 2011.
• EDF Energy NNB GenCo response to recommendations in ONR Chief Inspector's Report (June 2012), NNB-OSL-REP-001450.
• UK Office for Nuclear Regulation. "Japanese earthquake and tsunami: Implementing the lessons for the UK's nuclear industry". October 2012.
• UK Office for Nuclear Regulation. UK ONR ENSREG Related "National Action Plan". Dec 2012.
• Map: http://openstreetmap.org

References (3)

• http://www.nugeneration.com/index.html
• http://www.horizonnuclearpower.com/
• http://www.edfenergy.com/energy
• GDA Process: http://www.onr.org.uk/new-reactors/background.htm and www.onr.org.uk/new-reactors/ngn01.pdf
• AP1000 Fukushima plan: www.onr.org.uk/new-reactors/ap1000/reports/resolution-plans/wec-reg-0051r-enclosure-gi-ap1000-cc-03.pdf
• UK ABWR Fukushima response: UKABWR-GA91-9101-0101-28000-P-RevA