Hungary’s only nuclear power plant, Paks, is about 100km south of Budapest, on the Danube river. The plant has four Russian-designed VVER 440s. They operate mostly in baseload, but do have limited load following frequency control capability.
In 1997, a safety improvement programme was started at the plant, which included modifying its mechanical systems and installing a digital safety I&C system supplied by Siemens. When the programme is finished in 2002, the plant’s general safety features will rival those of Western-designed nuclear power plants.
When Paks started up, CM2-type Russian computers were installed. After nearly 20 years in operation, these old machines are obsolete in their hardware, software and functionality. The old system was physically worn out but was difficult to repair and it was hard to obtain spare parts. The software was no longer supported, and the man-machine interface was very poor. It was not possible to expand the system and add new functions, or to connect it with new standard open networks. It could process the original 7,000 input signals, but the new safety I&C system introduced an additional 2,600 input signals.
The data acquisition system had already been mostly replaced with a Hungarian electronic model, which could collect about 4,000 binary and 2,000 analogue process signals. In units 1 and 2, the original design also comprised high-resolution, binary data acquisitors (10 msec cycle time) for fast data collection. These have been replaced by AEG Modicon-based PLCs, which can collect around 1,000 fast binary signals.
As a consequence, the new computer design had to provide for signal acquisition and processing from three types of data sources.
Preparing for reconstruction
The aim of the reconstruction was to develop and install a modern PCS architecture with sufficient resources to provide operators with on-line and archived data. A functional specification emphasised the application of up-to-date information presentation and human-system interaction (HSI) techniques, high system reliability, easy modification and expansion, and conformance to international standards.
The system replacement was carried out piecemeal. In 1996, the idea of using a SCADA system emerged and many available systems were investigated. At the end of this period, Intellution’s FIX-32 was selected for a detailed evaluation. In 1997, a new hardware and software pilot system was installed, which ran the original process computer functions in a parallel mode. Installation and testing were successful, showing that the SCADA system could fulfil the majority of the necessary functions.
After the conclusion of the pilot project, the Paks team decided to proceed to replace the system at all four nuclear units and at the training simulator.
A tender invitation was issued in 1998, to Hungarian computer science institutions. In the tender documentation, the application of a SCADA system was not mandatory. As a result, a wide variety of different offers arrived: centralised mainframe systems, hybrids, and fully distributed solutions. After very complex and difficult negotiations, and using the assistance of external advisory companies, in 1998 the project was contracted to the Computer and Automation Research Institute of the Hungarian Academy of Sciences.
The decision was to select a distributed SCADA system, based on Intellution’s FIX-32 application environment. The main reasons for choosing this type of system were:
• The pilot system had performed well.
• It has a single operating system (Windows NT).
• The majority of the software can be purchased, so there is less dependency on the system integrator.
• It is gradually expandable.
• It is testable in parts.
• It includes a web server for remote display services.
• It contains a number of PLC drivers.
After the contract was signed, the system integrator prepared the system design documentation and issued the orders to the component suppliers. Negotiations started with Intellution about the supply of the necessary software modules. As originally defined, the system required about 40 different licences for each nuclear unit (about 200 licences for the whole power plant). Eventually, a mutually beneficial structure was selected for the procurement of the application software components, based on comprehensive ‘unit licences’.
Additional software development activities and system integration took place in 1999. In the first unit, the entire replacement system was installed in February 2000, and the successful trial operation concluded in May 2000. In the second unit, the same activities were started in June 2000, and trial operation was completed in October. The original Russian process computers remained in parallel operation (with no active workstations) for an additional three months, until the new system had performed error-free with the nuclear unit in power operation.
THE NEW SYSTEM
The new system is based on the Intellution FIX-32 SCADA software. Information from the three data sources (IMR, NIMFA, RPS) is connected to a redundant pair of SCADA servers, which are in parallel operation. In the case of a server failure, the operator workstations will automatically switch over to the redundant server. This is provided by the FIX “automatic fail-over” function in the Intellution system. All the servers have a unified hardware structure with a redundant (dual homing) FDDI network connection. The paired servers are connected to a supervisory computer through serial lines. This latter computer continuously monitors the operation of the servers, and – in case of a failure – provides a switchover.
The main function of the duplicated computation servers is the execution of complex, algorithmic calculations, and running of the operator support functions that cannot be directly or optimally performed by the FIX-32 SCADA tools. At present, the most important of these functions is critical safety function monitoring. The modules that are run in the computation servers gather data for their algorithms from the other three pairs of SCADA servers and from other components on the network. After finishing a calculation, data is stored in a FIX database in the computation servers. As a result, the calculated or derived data can be used in other parts of the system in exactly the same way as if they were regular SCADA data.
Archives are stored in a database built in Microsoft SQL Server. The design of the archive system allows data saving, storage and restoration on the fly, without interfering with the on-line archiving. Data safety is provided by high-capacity RAID disks. This part of the system is also redundant.
The second archive server physically resides in the web server computer – an Intellution FIX web server. This server’s task is to provide data to the remote workstations, which are installed outside the boundary of the plant computer system. There are, for example, engineering workstations at the technical support departments of the plant. The web server:
• Separates the remote displays from the internal components of the process computer system.
• Displays information on remote workstations in a standard internet/intranet browser. (Besides the browser, there is no need for specific SCADA presentation tools on these machines.)
• Integrates additional human interface controls on the HTML surface of the browser, to call applications such as displaying archive and event lists, logs and archive trends.
The main means of supervising the operation of the plant computer system is the operations server. Although the off-line database, from which the on-line database for the SCADA components can be generated, resides in the archive servers, it can be modified and maintained through the operation server. Also, all the mimics for the SCADA workstations are stored, can be modified and then dispatched from this server.
All the workstations run under Windows NT. FIX view-node software provides most of the display functions. Additional, uniquely developed software components display the archived data and provide other complementary functions. The workstations keep their connection with the SCADA servers through the FIX automatic fail-over function.
Networking comprises dual homing FDDI interface cards in all the servers and workstations, as well as a redundant, Cisco-based switching/routing centre. The network structure provides modularity, redundancy and maintainability, and allows for centralised supervision.
In addition, virtual LANs can be formed in the network centres, allowing for separation, routing, filtering and network traffic limitation.
IMPLEMENTING THE PROJECT
The project is carried out in an incremental way. In the first phase, which was completed in 2000, the following functions were implemented:
• Plant data acquisition and processing.
• Calculations (averages, speed of change, operating time).
• Alarm and event processing.
• Database handling, listing, logging.
• Displaying functions, human-system interface.
• Archiving, archive processing.
• System and network supervision.
• Web technology for remote presentation.
• Critical safety function monitoring.
When selecting FIX-32, it became obvious that the new SCADA system could not optimally provide all the necessary functions. This was mainly due to the Paks-specific data acquisition equipment, and to new needs for improved redundancy handling, an event-controlled, aperture-based archive, and a process event list.
Data acquisition equipment
For obvious reasons, FIX did not have drivers for the existing data acquisition equipment. These data sources provide detailed status information with time stamps and they could not be processed optimally using the original FIX blocks. Using FIX development tools, two completely new, loadable blocks were manufactured to cope with the above problem. One processes the analogue signals, while the other takes care of the binary inputs. As well as processing functions, they provide outputs for the individual archive, and event subsystems described below.
Redundancy
FIX can switch over between the active and the stand-by servers should either one fail, but this has its limitations. In the Paks application a supervisory computer was added to each redundant pair of SCADA servers. It communicates with the servers through serial lines, using the Modbus protocol. Therefore, communication is not affected by the failure of the process computer network. In the FIX database, specific diagnostic records are inserted, which are scanned by the supervisory computer every 300 msecs. By evaluating these signals, the supervisory computer can deduce the status of the server hardware, processor load, status of the tasks and the network, etc. After detecting a faulty status in the diagnostic signals ten times in a row (about 3 secs), the computer will force a switch-over between the servers.
Database consistency between the redundant servers is maintained by saving the database every minute on both servers. Should a server fail, the time stamps of the two saved databases are compared during the reload process, and the fresher database is loaded.
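The supervisory logic described above (a 300 msec scan, a switch-over only after ten consecutive faulty scans, and a timestamp comparison when a saved database is reloaded) is simple enough to state in code. The following is an added example written for this article, not software from Paks, Intellution or the system integrator; the fields of the diagnostic record, the processor-load limit and the server names are assumptions, and the serial Modbus read is replaced by a record handed in by the caller. The point it shows is that a fault shorter than the ten-scan window does not trip a switch-over, which is what keeps a transient from bouncing the active server.

```python
"""Supervisory fail-over model for a redundant SCADA server pair.

Constructed example: the Diagnostic fields, the CPU-load limit and the
server names are assumptions; the real supervisory computer reads the
diagnostic records over a serial Modbus link, which is not modelled here.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SCAN_PERIOD_MS = 300   # scan interval stated in the article
FAULT_LIMIT = 10       # consecutive faulty scans before a forced switch-over
MAX_CPU_LOAD_PCT = 95.0  # assumed limit, not a plant value


def trip_delay_ms() -> int:
    """Time from the first faulty scan to the forced switch-over (about 3 s)."""
    return SCAN_PERIOD_MS * FAULT_LIMIT


@dataclass
class Diagnostic:
    """One scan of the diagnostic records kept in the active server's FIX database."""
    heartbeat_ok: bool
    cpu_load_pct: float
    tasks_running: bool
    network_ok: bool

    def healthy(self) -> bool:
        return (self.heartbeat_ok and self.tasks_running and self.network_ok
                and self.cpu_load_pct < MAX_CPU_LOAD_PCT)


@dataclass
class Supervisor:
    active: str = "A"
    standby: str = "B"
    consecutive_faults: int = 0
    switchovers: List[Tuple[str, str]] = field(default_factory=list)

    def scan(self, diag: Diagnostic) -> bool:
        """Process one scan of the active server. Returns True if a switch-over was forced."""
        if diag.healthy():
            self.consecutive_faults = 0   # any healthy scan resets the window
            return False
        self.consecutive_faults += 1
        if self.consecutive_faults < FAULT_LIMIT:
            return False
        self.switchovers.append((self.active, self.standby))
        self.active, self.standby = self.standby, self.active
        self.consecutive_faults = 0
        return True


def run_scenario(samples: List[Diagnostic]) -> Supervisor:
    """Feed a sequence of scans to a fresh supervisor and return its end state."""
    sup = Supervisor()
    for diag in samples:
        sup.scan(diag)
    return sup


def select_database(save_times: Dict[str, float]) -> str:
    """Reload step: each server saves its database every minute; the copy with
    the newest time stamp (epoch seconds here) is the one to load."""
    return max(save_times, key=save_times.get)


if __name__ == "__main__":
    ok = Diagnostic(True, 20.0, True, True)
    bad = Diagnostic(False, 20.0, True, True)
    print("9 faults then healthy ->", run_scenario([bad] * 9 + [ok]).active)
    print("10 faults ->", run_scenario([bad] * 10).active)
    print("fresher save ->", select_database({"A": 1000.0, "B": 1060.0}))
```

Run stand-alone it prints that nine faulty scans followed by a healthy one leave server A active, while ten in a row hand over to B.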
Event-driven archive
The original FIX archive function has a limited time resolution and is not event-based. In the old Paks process computers, however, the event-triggered archive method has been used for a long time, to the satisfaction of the information users. In normal operation, there are two million records to be archived in a day, and of course no single item of data can be lost, even at the maximum data flux in emergency situations. A completely new archive system had to be developed to provide the functionality required. A data feed is provided from the new loadable FIX block towards the SQL based archive. It has a two-week on-line data storage capacity, while long term archives are preserved on DAT cassettes. The archive module is complemented by a very convenient archive listing and trending function, which is also a Hungarian development.
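To make the event-triggered, aperture-based archiving concrete, here is an added example that is not code from the Paks system or from the Hungarian archive module. It assumes that "aperture" means a deadband around the last archived value for analogue signals, that binary signals are archived on every change, and that a running sequence number lets a consumer (for instance a long-term export) prove that no record was lost; the tag names and sample values are constructed.

```python
"""Event-driven archive with an aperture (deadband) per analogue tag.

Constructed example: tag names, aperture widths and samples are made up;
the deadband interpretation of 'aperture' and the sequence-number check
are assumptions about the design, not the plant's implementation.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class TagConfig:
    kind: str             # "analogue" or "binary"
    aperture: float = 0.0  # deadband for analogue tags, unused for binary


@dataclass
class ArchiveRecord:
    seq: int      # monotonically increasing, so gaps reveal lost records
    tag: str
    ts_ms: int
    value: float


@dataclass
class EventArchive:
    config: Dict[str, TagConfig]
    records: List[ArchiveRecord] = field(default_factory=list)
    last: Dict[str, float] = field(default_factory=dict)
    seq: int = 0

    def feed(self, tag: str, ts_ms: int, value: float) -> Optional[ArchiveRecord]:
        """Offer one sample; it is archived only if it is an event for that tag."""
        cfg = self.config[tag]
        prev = self.last.get(tag)
        if prev is not None:
            if cfg.kind == "binary" and value == prev:
                return None                      # no state change
            if cfg.kind == "analogue" and abs(value - prev) < cfg.aperture:
                return None                      # inside the aperture
        self.seq += 1
        rec = ArchiveRecord(self.seq, tag, ts_ms, value)
        self.records.append(rec)
        self.last[tag] = value                   # deadband is measured from the archived value
        return rec


def verify_sequence(records: List[ArchiveRecord]) -> bool:
    """True when the sequence numbers are contiguous, i.e. nothing was dropped."""
    return all(rec.seq == i + 1 for i, rec in enumerate(records))


def demo() -> EventArchive:
    """Feed a short constructed sample stream and return the archive."""
    cfg = {"T_LOOP1": TagConfig("analogue", aperture=0.5),
           "PUMP1_RUN": TagConfig("binary")}
    archive = EventArchive(cfg)
    samples = [
        ("T_LOOP1", 0, 290.0),     # first value: always archived
        ("T_LOOP1", 100, 290.2),   # within 0.5 of 290.0: skipped
        ("T_LOOP1", 200, 290.6),   # 0.6 away from 290.0: archived
        ("T_LOOP1", 300, 290.7),   # within 0.5 of 290.6: skipped
        ("PUMP1_RUN", 0, 1.0),     # first state: archived
        ("PUMP1_RUN", 100, 1.0),   # unchanged: skipped
        ("PUMP1_RUN", 200, 0.0),   # state change: archived
    ]
    for tag, ts, value in samples:
        archive.feed(tag, ts, value)
    return archive


if __name__ == "__main__":
    arc = demo()
    for rec in arc.records:
        print(rec)
    print("sequence intact:", verify_sequence(arc.records))
```

Seven samples produce four records, which is the whole point of the event-driven approach: the archive grows with the number of meaningful changes rather than with the scan rate, while the sequence numbers give the reader of the archive a way to tell a quiet period from a gap.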
Event list
FIX itself did not have any process-event listing function, but the operators requested it because the old process computers had this feature. An individual event handling system was developed and connected to FIX.
Safety monitoring and assessment
After the Three Mile Island accident, the NRC introduced safety parameter display systems in all US plants (NUREG-0696). At the same time, emergency operating procedures (EOP) were gradually becoming symptom-oriented. At Paks, the preparation of the new EOPs was finished (with Westinghouse’s assistance) in 1999, and a computerised plant safety monitoring and assessment system (PLASMA) was developed to support the execution of the new symptom-oriented EOPs. This was the most significant functional extension in the new process computers.
The development of the PLASMA system was based on a joint international agreement between Institutt for Energiteknikk (IFE) in Norway, the Hungarian Atomic Energy Research Institute (KFKI) and Paks itself. The project has been initiated and partly funded by Japan’s Science and Technology Agency through an OECD NEA assistance programme.
The main functions of the PLASMA system are:
• Evaluation and presentation of the current safety status of the plant.
• On-line monitoring of critical safety function status trees.
• Displaying the new, symptom-oriented EOPs.
• Displaying the process parameters that are referenced in the EOPs.
The PLASMA software and user interface are fully integrated into the architecture of the new plant computer system (PCS). Since the new PCS is implemented on workstations running Windows NT and using the Intellution SCADA system, this is also the environment for PLASMA.
The input/output (I/O) server collects the required input data from the new reactor protection system (RPS), the in-core monitoring system and the new plant computer.
After data collection, data are available for the other PLASMA modules through the SWBus developed at IFE.
The I/O module also takes care of writing the calculated signals back to the FIX database for further processing (alarm and event generation, displaying, etc). So the calculated signals can be archived and displayed on FIX pictures or on trends, in exactly the same way as other signals in the SCADA system.
Plant state identification (PSI) is primarily based on simple logic calculations and a number of task-oriented display formats to help the operators understand the reactor state. The PSI module performs the calculations necessary to monitor the state of the safety and auxiliary systems.
A critical safety function (CSF) module evaluates the internal variables that are necessary to monitor and display CSF status trees. In principle, a status tree is a decision tree with one entry point and with a few possible exit points. Appropriate alarms are generated whenever the status of a specific function is off-normal. CSF alarms are then interpreted as other process alarms in the FIX system.
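A status tree of the kind just described (one entry point, a few exit points, an alarm whenever the reached exit is off-normal) can be shown as a small evaluator. This is an added example, not PLASMA or COPMA code from IFE or KFKI; the function name, the questions, the parameter names and the limit values are placeholders chosen to illustrate the mechanism and are not VVER-440 setpoints. Each exit carries a severity so that the result can be turned into an ordinary process alarm, as the text says the CSF alarms are.

```python
"""Critical safety function status tree evaluator.

Constructed example: the tree below is a placeholder 'core cooling' function
with made-up questions and limits; only the structure (one entry, several
exits, alarm when off-normal) follows the description in the article.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Union

Params = Dict[str, float]


@dataclass
class Exit:
    status: str    # e.g. SATISFIED, CHALLENGED, SEVERE_CHALLENGE
    severity: int  # 0 = normal; larger means a more serious challenge


@dataclass
class Question:
    text: str
    test: Callable[[Params], bool]
    yes: "Node"
    no: "Node"


Node = Union[Question, Exit]


def evaluate(node: Node, params: Params) -> Exit:
    """Walk from the single entry point to exactly one exit point."""
    while isinstance(node, Question):
        node = node.yes if node.test(params) else node.no
    return node


def alarm_for(function_name: str, reached: Exit) -> Optional[str]:
    """Return an alarm text when the exit is off-normal, else None."""
    if reached.severity == 0:
        return None
    return f"CSF {function_name}: {reached.status}"


# Placeholder tree; thresholds 400.0 and 0.0 are illustrative only.
CORE_COOLING_TREE: Node = Question(
    "Core exit temperature below limit?",
    lambda p: p["T_CORE_EXIT"] < 400.0,
    yes=Question(
        "At least one coolant loop flowing?",
        lambda p: p["LOOPS_FLOWING"] >= 1,
        yes=Exit("SATISFIED", 0),
        no=Exit("CHALLENGED", 1),
    ),
    no=Question(
        "Subcooling margin positive?",
        lambda p: p["SUBCOOLING"] > 0.0,
        yes=Exit("CHALLENGED", 1),
        no=Exit("SEVERE_CHALLENGE", 2),
    ),
)


def assess_core_cooling(params: Params):
    """Evaluate the placeholder tree; returns (status, alarm or None)."""
    reached = evaluate(CORE_COOLING_TREE, params)
    return reached.status, alarm_for("CORE COOLING", reached)


if __name__ == "__main__":
    normal = {"T_CORE_EXIT": 300.0, "LOOPS_FLOWING": 6, "SUBCOOLING": 20.0}
    upset = {"T_CORE_EXIT": 450.0, "LOOPS_FLOWING": 0, "SUBCOOLING": -5.0}
    print(assess_core_cooling(normal))
    print(assess_core_cooling(upset))
```

Because every evaluation ends at exactly one exit, the status of each function is always defined, and the alarm derived from it can be archived and displayed like any other FIX signal.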
A procedure selection and display module displays the text of the requested emergency operating procedure in an ActiveX version of the Microsoft Internet Explorer web-browser (using HTML), as it cannot be done directly in FIX view. This module is based on the COPMA-III system developed at IFE. It also initiates display of the corresponding process parameters, which must be checked by the operator while executing the procedure. This latter data presentation is in the original FIX View environment, together with the HTML page.
PROJECT STATUS
The PLASMA system development has finished and the system is implemented in the training simulator. In this location, a comprehensive validation of the written emergency operating procedures took place with Westinghouse’s participation towards the end of 1999. At the same time, the validation of the PLASMA functions in the new plant computer was also conducted.
PLASMA has been installed in units 1 and 2, and is awaiting the conclusion of the regulatory licensing process of the new EOPs. On-line operation is expected to be introduced in 2001.
By mid-2000 the first phase had been completed in the training simulator and in units 1 and 2. When the project is implemented in unit 3, in 2001, a switchover is planned to Intellution’s newer iFix application, including widespread use of OPC tools.
The first phase is due for completion in all four units in 2002. In a later phase the following additional functions are due to be added:
• Connection to intelligent field devices.
• Further operator support functions.
• Static information display (operating procedures, etc).
• Supporting I&C system’s functional testing.
• Long-term archive filtering.
• Supporting incident investigation.
• Mid-term integration of the internal radiation monitoring and radioactivity release monitoring systems.
The System Characteristics
The design is based on the following principles:
• Distributed signal processing, distributed databases.
• Full redundancy, including all the hardware and network components.
• Uniform software components:
– operating system: Windows NT
– network protocol: TCP/IP
– application software environment: Intellution FIX-32 SCADA
– relational database: Microsoft SQL Server
• Uniform, Intel-based professional hardware from Compaq.
• Professional network components from Cisco.
• Information displays are divided into local and remote user categories, but the presentation of information is uniform.
• Modular, readily expandable system architecture.
• Redundant archiving; remote archive accesses are separated from the internal network.
• Independent system supervision and diagnostics machine.