In December 2016, the Republic of Korea’s Shin-Kori 3 became the first APR-1400 to begin commercial operation with a fully integrated digital instrumentation and control (I&C) system. This is a first-of-a-kind for that reactor design, and the first fully integrated digital I&C system supplied by Westinghouse Electric Company for an advanced light water reactor to achieve commercial operation.

This implementation and the work behind it, from system architecture design to operation, will help the nuclear industry embrace fully integrated digital I&C systems. Shin-Kori 3&4 serve as the reference plants for additional APR-1400 units being built in South Korea, as well as four units being built at Barakah in the United Arab Emirates. Shin-Kori 4, which is also equipped with a Westinghouse-supplied digital I&C system, is expected to load fuel by early 2018.

Integrated digital I&C Systems

I&C systems monitor every critical facet of a nuclear power plant’s health and help to optimise its operation by making adjustments as needed. Many plants that began operation with analogue I&C systems have replaced portions of these reliable but ageing systems with digital equivalents on a component system basis, but these standalone systems do not realise the full performance benefits of integrated digital I&C systems. Integrated digital systems are highly reliable and offer better plant performance and additional diagnostic capabilities.

For Shin-Kori 3&4, KEPCO E&C designed a fully digital I&C architecture. Westinghouse was contracted by Doosan Heavy Industries, the prime contractor. Westinghouse had to design the components, manufacture the equipment, program the software and test, deliver and support commissioning of all safety and non-safety-related digital I&C systems.

These systems make up the man-machine interface system, which Westinghouse has delivered to Shin-Kori 3&4. This system consists of an advanced compact workstation control room and distributed digital control and protection systems using the Common Q™ and Ovation™ platforms. These platforms provide data acquisition, process component controls, information processing and display, and plant protection functions. The all-digital platforms are integrated to deliver real-time, online diagnostics and testing while achieving high reliability and availability goals.

Digital I&C systems deliver this high level of performance through a complex integration of many components and a high dependency on software. While these factors do not change the risk of single point failures, which is inherent in all I&C systems, they do increase the risk of common cause failures. Single point failures occur when one failure affects an entire system. Common cause failures occur when one or more events lead to system failure by causing coincident failures in multiple systems, or in two or more separate channels of a multiple channel system.

Methods to reduce these risks include diversity (two or more platforms or components with different attributes perform the same function); redundancy (including alternative systems and components so that any can perform the required function if the others fail); and independence (electrical isolation, physical separation and independent communications between systems). However, this level of defence in depth increases a system’s complexity and therefore, the risk of human error in design, operation and maintenance. These concerns were addressed through the system architecture and design for Shin-Kori 3&4.

KEPCO E&C designed the interface system architecture with two differentiated safety and non-safety platforms.

Westinghouse chose two diverse, commercially available platforms to support the complex architecture and reduce the likelihood of human errors. The Ovation platform was used for the non-safety suite of I&C systems, which operate the plant under normal conditions. It chose the Common Q platform for the safety suite of I&C systems, which provide plant protection and accident mitigation functions.

Plant wide data networks provide communication between equipment within a safety channel, across safety channels, within non-safety subsystems, and in some cases between safety and non-safety equipment.

Main Control Room

The main control room is compact, so that operators can readily access and control hundreds of components from modular, networked workstations. Former designs had separate, hardwired component controls and fixed indicators located throughout the room, but the advanced main control room allows for a simpler, more efficient operator interface in any operating conditions. The integrated networked systems allow information to be prioritised and presented to any operator in ready-access interfaces during abnormal operating conditions. 

Efficiency and checks and balances for safety in the main control room are made possible with bidirectional data highways that connect much of the equipment. This allows plant personnel to perform maintenance and surveillance testing activities from this central location. For example, operators can be made aware of failures via diagnostic alarms, view the health of I&C equipment and observe the status of mapped input/output points in real time. Likewise, system-level and component-level testing functions can be performed from central touchscreen user interfaces. Maintenance and test panel display screens also allow operators to modify process setpoints for each safety channel. In contrast, legacy plants require operators to use discrete panels with hard-wired switches and controls, and setpoint changes require operators to rebuild the application with hard-coded values and make setpoint changes at the board level.

The operator consoles have separate safety and non-safety power sources and redundant data connections. They each have four redundant non-safety workstations and safety-related ‘engineered safety feature soft control modules’ that operators must use to actuate safety-related components (although they can monitor and control processes from either type of workstation). This control is established using a unidirectional link.

A computerised procedure system integrates live plant data to guide operators through normal, abnormal and emergency operations, as well as through alarm responses. An advanced alarm system helps to minimise operator workload by prioritising and suppressing alarms based on plant mode and expected operations. Both are accessible from all workstations, can streamline plant data and help to reduce operator workload.

Operators can also share a display from their workstation with other control room operators on one of the variable-content displays in a large display panel across the front of the control room. Its fixed displays mimic the plant’s critical systems, allowing operators to maintain situational awareness using spatially dedicated information. 

As a defence-in-depth measure, a safety console in the main control room acts as a separate backup control console with diverse actuation for emergency safeguards. These controls can be used to shut down the plant or allow operators to perform any emergency operation. Manual/auto stations provide a diverse set of backup hardware for operator control of auxiliary feedwater flow and main steam atmospheric dump valves.

Westinghouse designed the signal multiplexers to help minimise field wiring, simplifying modifications for safety and non-safety controls. Fixed position controls connect process modules to the multiplexers, which transmit over fibre and copper networks.

Beyond the control room, as another safety measure there is a remote shutdown console, with a limited number of fixed position controls. There are several monitoring-only operator workstations throughout the plant so that plant support staff can readily access information.

Distributed I&C system

All non-safety related I&C systems, plant computer applications, data link interfaces to non-safety-related and safety-related I&C systems, and the network that makes intersystem communication possible are a part of the distributed control and information system.

This is also redundant and fault-tolerant. At Shin-Kori 3&4 it has 75 redundant controllers to operate plant I&C systems. These I&C systems control pressuriser pressure and level; steam generator level; various chemical and volume control system functions; reactor power, using a digital rod control system; the radwaste control system; and other components such as the circuit breaker and various pumps, fans and valves. Two of the systems serve as backups to safety-related systems, which further supports the defence-in-depth strategy.

The advanced alarm system is a modular, highly configurable software-based alarm system composed of redundant alarm servers. Alarm information is displayed on operator workstations and large displays. The computerised procedure system guides the operator step by step through the procedures by monitoring the appropriate plant data, processing it and identifying the recommended course of action. Both are subsystems of the distributed control and information system called the information processing system, where historical data collection is also performed.

The distributed control and information system also monitors safety-related instrumentation and component information using four channel-specific unidirectional data links. This way, safety data can be accessed by all systems connected to the distributed control and information system network, including the alarm system and the operator workstation displays, without any path back into the safety channels.

Integrated digital safety systems

The safety system consists of interconnected process and input/output cabinets and operator interfaces that protect the reactor, generate and execute the engineered safety features component actuations, monitor pre- and post-accident safety parameters, provide for discrete safety component control, and allow system- and component-level testing. These systems gather critical nuclear steam supply system parameters to generate plant protection actions, such as reactor trip and safety injection, as needed. Checks are in place to validate the origination of the actuation signals, and system health is continuously self-monitored.

Westinghouse uses computer-based programmable logic controllers to conduct the control and logic processing because the software is robust and customisable, and because large quantities of data can be shared through data networks. The data and its delivery to operators improve the operator experience in ways that cannot be achieved with analogue systems, such as prioritised alarms and control from operator workstations.

The safety system architecture employs four redundant channels of equipment and implements further redundancy between cabinets within each channel. Safety system controllers and their communication links are self-diagnostic. At Shin-Kori 3&4 the process control cabinets also have redundant, standby processor modules that continuously monitor their own health and the health of the redundant processor so that control can be transferred automatically and without incident when a failure is detected.
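The following is an added illustration, not Westinghouse or Common Q code, of how four redundant, self-diagnostic channels like those described above are typically combined, and of why redundancy on its own does not cover a common cause failure. The article states only that there are four redundant channels with self-diagnostics; the 2-out-of-4 coincidence rule, the fail-safe treatment of a channel whose diagnostics report a failure, the one-channel-bypass interlock and the sensor values are assumptions made here for the example.

```python
# Added example: 2-out-of-4 coincidence voting over four redundant safety
# channels, with self-diagnostic failure and maintenance-bypass handling.
# Not Westinghouse/Common Q logic. The four-channel, self-diagnostic
# architecture is from the article; the voting rule, fail-safe handling,
# bypass interlock and all readings below are constructed assumptions.

from dataclasses import dataclass

TRIP, NORMAL, FAILED = "trip", "normal", "failed"


@dataclass
class Channel:
    """One redundant protection channel acting on one measured parameter."""
    name: str
    value: float            # measured parameter, arbitrary engineering units
    setpoint: float         # high trip setpoint
    healthy: bool = True    # result of the channel's own self-diagnostics
    bypassed: bool = False  # taken out of service for maintenance or testing

    def state(self) -> str:
        if not self.healthy:
            return FAILED
        return TRIP if self.value > self.setpoint else NORMAL


def vote(channels, coincidence=2, max_bypassed=1):
    """Return True if the trip demand passes m-out-of-n coincidence voting.

    Bypassed channels are excluded, so 2-out-of-4 degrades to 2-out-of-3.
    A channel whose self-diagnostics report failure counts as tripped
    (fail-safe), so a detected failure can never mask a real demand.
    Bypassing more than max_bypassed channels is refused (assumed interlock).
    """
    bypassed = [c for c in channels if c.bypassed]
    if len(bypassed) > max_bypassed:
        raise ValueError("too many channels bypassed for a valid vote")
    in_service = [c for c in channels if not c.bypassed]
    trips = sum(1 for c in in_service if c.state() in (TRIP, FAILED))
    return trips >= coincidence


def make_channels(readings, setpoint=100.0):
    return [Channel(f"ch{i + 1}", v, setpoint) for i, v in enumerate(readings)]


def single_spurious_channel():
    """One channel reads high while the plant is normal: 1-of-4 is below coincidence."""
    return vote(make_channels([95, 140, 95, 95]))


def demand_with_one_failed_channel():
    """Real demand with one channel failed by self-diagnostics still trips."""
    chs = make_channels([120, 120, 120, 120])
    chs[2].healthy = False
    return vote(chs)


def demand_with_one_bypassed_channel():
    """Real demand seen by two healthy channels while a third is bypassed: 2-of-3 trips."""
    chs = make_channels([120, 120, 95, 95])
    chs[3].bypassed = True
    return vote(chs)


def common_cause_scaling_defect():
    """A shared software defect (here a wrong engineering-unit scale factor applied
    identically in all four channels) hides a real demand from every channel at once.
    Redundancy alone does not help; a diverse platform with its own conversion does.
    Returns (redundant_platform_trips, diverse_platform_trips)."""
    raw = [480.0, 476.0, 482.0, 478.0]   # constructed raw sensor counts
    correct_scale, defective_scale = 0.25, 0.10   # 480 counts -> 120 (trip) vs 48 (no trip)
    same_code_everywhere = make_channels([r * defective_scale for r in raw])
    diverse_platform = make_channels([r * correct_scale for r in raw])
    return vote(same_code_everywhere), vote(diverse_platform)


if __name__ == "__main__":
    print("spurious single channel trips:", single_spurious_channel())
    print("demand with one failed channel trips:", demand_with_one_failed_channel())
    print("demand with one bypassed channel trips:", demand_with_one_bypassed_channel())
    print("(redundant, diverse) under common cause defect:", common_cause_scaling_defect())
```

The last function is the point of the article's pairing of redundancy with diversity: four copies of the same defective conversion agree with each other, so the voter is unanimous and wrong, while a second platform that reaches its own answer by different means still trips.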

Safety system validation

The safety systems were verified and validated in accordance with US and South Korean regulatory guidelines, industry standards and Korea Hydro & Nuclear Power Company requirements. Westinghouse conducted validation in two major segments: hardware validation, including equipment qualification and commercial dedication; and software validation, through testing and an independent verification and validation process. Westinghouse used a phased approach to complete testing.

Integrating standalone systems

Westinghouse has designed a number of standalone systems for other nuclear power plants. These systems were originally designed as standalone digital systems to operate within analogue I&C systems.

One of two approaches could have been taken: a complete redesign of these systems for integration into the all-digital I&C system, or innovating methods to incorporate digital systems into the all-digital man-machine interface system architecture. The former would have meant a far greater investment for Korea Hydro & Nuclear Power Company.

For Shin-Kori 3&4, Westinghouse was able to integrate a complete digital rod control system by designing a new logic cabinet based on a distributed control system and new power cabinets to control the control rod drive mechanisms. Westinghouse also integrated several condition monitoring systems. Integrating an upgrade without the burden and expense of a complete redesign is a significant achievement in nuclear I&C modernisation. Because alarm information from these systems was also integrated into the plant’s advanced alarm system, it is an evolutionary step forward from segregated control room interfaces.

Commissioning challenges

As with any first-of-a-kind endeavour, there were challenges during the commissioning of Shin-Kori 3, particularly with regard to the man-machine interface.

For example, when Shin-Kori 3 underwent power ascension testing (May to December 2016) the testing programme included dynamic testing of all major equipment, including the digital I&C system. During a load rejection test at 80% reactor power, an unexpected reactor trip occurred. An unexpected sensor failure during the test had an unanticipated effect on the dynamic response of the steam bypass control system. The control system’s method to smoothly transfer control input signals interfered with the desired response to the load rejection (reactor power cutback without reactor trip).

Computer simulations that modelled the steam bypass control system’s response to a number of different plant scenarios helped Westinghouse and Korea Hydro & Nuclear Power Company understand the system’s dynamic response, revealing the path for proper tuning. The test was successfully run on the second attempt. 

Processor loading

Computer-based controllers complete complex functions robustly; however, the amount of code that can be executed with each controller is limited by that controller’s processing power. To minimise processor loading in the safety system, Westinghouse modified the execution time of certain blocks of code within each controller such that logic critical to meeting response time requirements was executed at a higher frequency (25-50 milliseconds); remaining logic was executed once every 500 milliseconds. In the most drastic case, this solution decreased processor loading from 90%, which is not compliant with the processor manufacturer’s limits, down to approximately 60%, which is well within limits.

While these steps decreased processor loading significantly, they negatively affected signal timing for momentary signals. During integrated factory testing, it was observed that some asynchronous control signals would fail to be propagated to their final output. Westinghouse analysed the signal interaction between differing execution blocks and found that momentary signals originating from high-frequency execution blocks would be complete before the low-frequency blocks could execute, resulting in the signal being missed. To resolve this problem, Westinghouse stretched the originating pulsed signal so that changes in execution time or latency in the signal path would not cause a signal to be dropped. In specific cases, Westinghouse had to stretch the pulse of single signals in low-level code to ensure fidelity.
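As an added worked example (not Westinghouse or Common Q code), the model below shows both halves of the processor loading story: why moving logic from a fast to a slow execution cadence reduces loading, and why a momentary signal raised by a fast block can then be missed by a slow block until it is stretched. The 50 ms and 500 ms periods and the 90% to roughly 60% loading figures are from the article; the per-block execution times, the sampling model (a block reads its inputs at the start of each of its periods) and the jitter margin are assumptions constructed for the example.

```python
# Added example: multi-rate execution blocks in one controller, processor
# loading before and after re-scheduling, and pulse stretching so a momentary
# signal from the fast block is never missed by the slow block.
# Not Westinghouse/Common Q code. Periods and loading figures are from the
# article; execution times and the sampling model are constructed assumptions.

FAST_PERIOD_MS = 50    # logic critical to response-time requirements
SLOW_PERIOD_MS = 500   # remaining logic


def processor_loading(blocks):
    """Utilisation as a fraction: sum(execution time / period) over all blocks.

    blocks: iterable of (exec_time_ms, period_ms).
    """
    return sum(exec_ms / period_ms for exec_ms, period_ms in blocks)


# Constructed task set: running everything at 50 ms loads the processor to 90%;
# moving the non-critical block to the 500 ms cadence brings it to about 60%.
BEFORE = [(28, FAST_PERIOD_MS), (17, FAST_PERIOD_MS)]
AFTER = [(28, FAST_PERIOD_MS), (17, SLOW_PERIOD_MS)]


def slow_block_sees_pulse(start_ms, width_ms, horizon_ms=2000):
    """True if a signal asserted on [start_ms, start_ms + width_ms) is high at any
    instant when the slow block samples its inputs (multiples of SLOW_PERIOD_MS)."""
    end_ms = start_ms + width_ms
    return any(start_ms <= t < end_ms for t in range(0, horizon_ms, SLOW_PERIOD_MS))


def stretch(width_ms, min_hold_ms):
    """Pulse stretcher: hold the originating signal for at least min_hold_ms."""
    return max(width_ms, min_hold_ms)


def dropped_phases(width_ms, min_hold_ms=0):
    """Fast-block start offsets within one slow period at which the pulse is lost.

    The fast block may raise a momentary signal at any of its own cycle starts;
    sweeping every phase inside one slow period shows how many are dropped.
    """
    held = stretch(width_ms, min_hold_ms)
    return [s for s in range(0, SLOW_PERIOD_MS, FAST_PERIOD_MS)
            if not slow_block_sees_pulse(s, held)]


def minimum_stretch_ms(jitter_margin_ms=0):
    """Hold for one full slow period so every sampling phase falls inside the
    pulse, plus a margin for execution-time jitter or signal-path latency."""
    return SLOW_PERIOD_MS + jitter_margin_ms


if __name__ == "__main__":
    print(f"loading before: {processor_loading(BEFORE):.0%}, after: {processor_loading(AFTER):.1%}")
    print("dropped phases, 50 ms pulse, no stretch:", dropped_phases(50))
    print("dropped phases, held 450 ms (too short):", dropped_phases(50, 450))
    print("dropped phases, held one slow period + margin:",
          dropped_phases(50, minimum_stretch_ms(FAST_PERIOD_MS)))
```

Holding the pulse for slightly less than the slow period still leaves one losing phase, which is the kind of latency-sensitive corner the article describes; one full slow period plus a margin clears every phase.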

For an integrated digital I&C system, an integrated development and testing environment is critically important.

Future of digital I&C

The global nuclear fleet has driven innovation of robust, efficient and, above all, safe technology for digital I&C systems. Advanced control rooms with condensed, modular operator consoles, computerised procedures and smart alarm presentation systems fill the need for simpler, safer operator environments. Customisable commercial off-the-shelf equipment fosters an environment where any function can be achieved. Innovative methods that result in the successful integration of standalone systems show that integrated digital I&C systems can be implemented safely, on time and economically.


Daryl Harmon is Consulting Engineer, Systems Integration and Operator Interface; Ben Romeo is Senior Engineer, APR-1400 Safety Systems and Functional Engineering; and Rob Beasley is Senior Engineer, Control Room Design, Westinghouse Electric Company LLC.