Philippsburg from the air

The upgrade at Philippsburg unit 2 (right) affected about a third of its 20,000 signals

Nine years after it started, a project to upgrade the instrumentation and control system for unit 2 of Philippsburg nuclear power plant (KKP 2) is due for completion. An outage planned for 2009 will mark the end of the demanding project, which involved upgrading the plant’s analogue I&C system (Reaktorleistungsleittechnik, REALL) to new-generation digital technology (Reaktorleistungsleittechnik Digital, READIG).

Philippsburg 2, a 1458MWe pressurised water reactor, began commercial operations in 1985. The READIG project got under way 15 years later, around 2000, after problems ensuring the future supply of spare parts for the REALL system were first identified.

The project has been a success story for both Areva and the plant operator, EnBW Kernkraft GmbH (EnKK). Michael Wenk, chairman of the management board of EnKK, said: “Cooperation between manufacturer and operator was highly productive and very profitable for both sides. The result is a system ideally tailored to the boundary conditions and the needs of our plant.” Areva tailored both the hardware and software to the specifics of KKP 2. It incorporated empirical knowledge gained in nuclear plants all over the world into the software, which took four and a half years to compile.

Throughout the project the regulator, Baden-Wuerttemberg’s Ministry for the Environment, and independent inspectors, were continuously involved, particularly since the work impinged on safety systems. They were involved in planning, monitored the progress of the project and conducted evaluations at defined milestones during the project.

The READIG project

Within the framework of the READIG project, the plant’s limitation system, reactor control systems and measurement channels for the in-core neutron-flux detectors were all digitised. Broadly speaking, the project consisted of three phases: concept planning, verification and validation, followed by implementation.

The switch to digital instrumentation and control represented a major change and affected a large number of interfaces in the plant. As a result the project had to be organized accordingly, so as to ensure that in terms of both engineering and organization all the requirements for the new system would be satisfied.

Both sides – Philippsburg NPP and Areva as the supplier – therefore put together their project teams to include members from every department affected by the project. In KKP alone the team consisted of some 35 individuals from the unit 2 operations support group and from the various areas of activity including instrumentation and control, power engineering (heavy current), process engineering, civil engineering, ventilation, physics, maintenance, quality management and IT security. The commercial side was involved as well, handling contract-related issues and supervising deliveries and services furnished by all the companies involved.

Responsibilities were clearly assigned within the project team and detailed task descriptions were compiled for everyone involved. Project manager Raphael Brzozowski coordinated the project team’s work and whenever higher-level decisions were necessary, for budgetary sign-off, for example, he submitted the results of work on the project to a steering committee of plant managers and relevant department heads. Alongside regular status meetings with independent experts and the regulator, the project team met frequently to discuss work in hand, and individual work groups organized ad hoc meetings. The work of the project team was planned in every detail and mapped out in a phased schedule.

Planning

In 2000, Philippsburg nuclear power plant laid the groundwork for concept planning and follow-up work by commissioning Areva to undertake a feasibility study into modernising and optimising reactor instrumentation and control, with particular emphasis on the reactor limitation and control systems.

The concept plans for I&C and project processing were then drawn up. By 2002, work had progressed to the point at which revised and new I&C functions had been defined and the corresponding event analysis had been completed.

In 2004, Areva and EnBW Kernkraft GmbH concluded their contract negotiations: Areva was commissioned to undertake the READIG project and introduce its TELEPERM-XS system for unit 2 of Philippsburg nuclear power plant. Although the system uses standard computing hardware, the software is completely customised for the plant. The system complies with German standards including Nuclear Safety Standards Commission’s (Kerntechnischer Ausschuss) KTA 3501, Reactor Safety Commission guidelines and the requirements laid down by the Federal Agency for Information Security (Bundesamt für Sicherheit in der Informationsverarbeitung, BSI) in its standard 100-2.

Progress made by 2006 meant that work on the detailed software design by Areva and Philippsburg teams could be brought to a close. This was followed by an exhaustive, four-step validation process, which lasted some two years in all.

Validation

Step 1:

Areva focused on specification with the SPACE editor. The defined requirements were translated into computing code. The syntax errors in the code were corrected at this stage of the process.

Step 2:

Then Areva validated the software in the defined software environment with the SIVAT and REDIFF tools. Formal errors and in some instances process errors were corrected.

Step 3:

Software and hardware testing took place in Areva’s test field at its facility in Erlangen, Germany. There the company operates its TELEPERM XS Integration Center, one of the world’s largest test fields for I&C cabinets.

Step 4:

Finally, the code was implemented and tested on the simulator in Essen.

Brzozowski stressed how the final stage was of particular importance. “There is one aspect that is of particular importance – both for us in systems engineering and for the shift teams responsible for operation,” he said. “We are now able to test the I&C parameters one to one at the KKP 2 simulator in the simulator centre in Essen. This opens up huge possibilities for us. First, we can use this capability to continue optimising the system in future as requirements emerge from operations or new technological possibilities become available. Second, the shift personnel now have an even more authentic simulation facility at their disposal for training and qualification in Essen.”

All the steps in the validation process were aimed at ensuring functionality and all were completed successfully.

Simplified diagram of the Philippsburg digital I&C architecture

Implementation

From 2006 onward and paralleling validation, planning progressed for installing READIG in the 2008 outage. Wiring diagrams, cable and jumper lists, the measurement list and the list of indicators computed from measurements filled some 14,000 pages. In addition, more than 190 periodic test procedures in the KKP 2 Operating Procedures Manual, and various other documents were updated to take account of the modifications.

In March 2008, the new I&C cabinets were moved into the plant, hooked up to the power supply, interconnected and powered up. The switchover from the old systems to the new digital reactor power I&C system took place during the 2008 outage in July 2008. All the preparations had gone smoothly and the team was totally committed, so in a 22-day period the old I&C system was disconnected and the new one was connected. Disconnection of the electronics and connection of the new systems to the defined interfaces progressed right on schedule. At the same time, more tests were conducted to ensure correct installation and commissioning of the new I&C system and processes. Various other tests were later conducted as part of the post-outage plant restart and when the plant was back in operation.

“It really was an exciting time. We were all working our hardest,” recalls Brzozowski. “But everyone pulled together.” The preparations had all been made with meticulous care, so there were no delays as work progressed. “We had been to Essen to do intensive one-to-one testing of the new systems on the simulator there and to familiarise the shift personnel with the new technology. That’s why we were confident that there would be no surprises,” he said. “Having said that, it is a given that a changeover of this magnitude is always of special significance for everyone involved.”

Now, more than six months on with READIG successfully implemented in the plant, all tests and other analyses have returned positive results right across the board. Isolated optimizations have been undertaken and other minor adjustments have been scheduled for the 2009 outage.

“This state-of-the-art system incorporates a raft of optimizations that we have built in and that greatly facilitate the work of system owners and of the shift teams operating the plant. We have improved and extended existing functions and integrated entirely new features. So now the plant is ideally set up for the coming decades of successful operation,” Brzozowski says. (Under the German government’s current nuclear phase-out schedule, the plant is expected to operate until 2018).

“The results are really fascinating. This digital I&C system makes for transparency in process control. That makes life easier for the operating personnel. The most important process variables can be compressed and mapped as graphics so that we can view them in their meaningful process context. That opens up entirely new possibilities for data acquisition and analysis.” For example, operators can bring up temperatures and pressures related only to reactor core functions.

Initially, of course, these optimizations meant changes for the shift personnel. Staff in the control room, maintenance and information technology technicians had to adapt. Intensive training on the simulator in Essen familiarized them with the new features well in advance. Introduction to the theory behind the new functions and changed processes was underpinned by hands-on familiarization with the new technology and training in modes of operation transferable to the totality of events.

“That was how we integrated our shift personnel into READIG at an early juncture,” explains Horst Janisch, operations manager at KKP 2. “Thanks to that intensive training in the new digital I&C technology, they were able to work with it directly without any readjustments. That meant they could make use of the advantages and the new functions implemented in the new I&C system right from the word go.”

There are some 500 instrumentation and control cubicles in the plant, and about 190 of them were affected by the READIG work. 44 old cubicles with ISKAMATIC, TELEPERM-C, SIMATIC S3, TK240 and Contronic equipment were replaced by 30 new TELEPERM-XS cabinets with significantly enhanced functionality. About 4100 hard-wired connections were made in the I&C cabinets. Approximately 1400 copper cables were affected by the work and were replaced with fibre optics. 6200 signals, about a third of the station’s 20,000 signals, were affected by the changes.


The principal design targets of the READIG project

– Optimising plant management by minimising manual intervention and improving the utilisation of the existing margins. Whereas the analogue system gave operators a range of values, the digital system provides exact digital measurements. This makes it easier to keep the power station running within pre-set boundaries
– Various process improvements in controlling and managing events
– Optimised structuring of the I&C functions and classification in safety categories in line with the Reactor Safety Commission’s guidelines
– Consistency between I&C systems in the plant and at the D42 simulator in the simulator centre in Essen, Germany (identical software on the user level)
– Minimising and automating periodic testing
– Rigorous segregation of redundancies as a means of proofing against single-mode faults (validation of the redundant input variables, actuation of the final controlling elements by voters, no quadrant relationship for the control rod movement limitation system (STAFAB))
– Improving alarms and announcements in the control room, for example with process graphs and with static signals taking the place of the coordinate signals formerly common in German nuclear power plants
– Utilising the benefits of digital instrumentation and control with regard to decoupling, both of energy and data, so that measuring a process does not affect that process
– Utilising complex computations (eg for filtering various signals, the Xenon Model, and/or computation of boron/demineralized-water injection) to keep process control exactly in step with the technical process requirements

THEY CHOSE
Areva’s TELEPERM-XS has three basic principles: avoid system faults and errors through a modular design with simple, thoroughly tested components; execute the system and application software in a deterministic way; identify and cope with failures using extensive self-monitoring and fault handling.
– Simple design of software components means that error-prone design principles are not used. For example, memory is statically allocated to the various software functions, so that deadlocks due to dynamic memory re-allocation cannot happen. Faults due to erroneous processing of absolute time (such as year 2000 effects) cannot happen, simply because no absolute time is used.
– Deterministic system behaviour is implemented by using strictly cyclic execution of the application software, and by using cyclic message transfer on the buses, with messages of always the same size. Cyclic execution of the application software also means that no process-driven interrupts are used, i.e. the software is always executed in the same way.
– The system has been implemented in nuclear power plants in Argentina, Bulgaria, China, Germany, Slovakia, Sweden, Switzerland and the USA.
System owners can use a service unit to modify the software. This unit can also fetch parameters from the plant and monitor them live over an extended period, complete with dedicated logging. The different parameters can be changed and/or periodic tests carried out. Signals can be tracked through the entire respective system by displaying their values in animated function diagrams. Several types of protection safeguard the service unit, either password access or installation of the service unit in the access-controlled area of the plant.
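
The design principles listed above (static allocation, strictly cyclic execution, fixed-size messages, no absolute time, validation of redundant inputs and actuation by voters) can be illustrated with a short C sketch. This is an added example, not TELEPERM-XS code or anything supplied by Areva or EnKK; the four channels, the 0 to 1200 plausibility range, the 2-out-of-4 vote and all names are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>

#define CHANNELS  4       /* assumed redundancy degree, not stated in the article */
#define RANGE_MIN 0       /* assumed plausible sensor range, arbitrary units */
#define RANGE_MAX 1200

/* Fixed-size bus message: same layout every cycle, no length field, no heap. */
typedef struct {
    uint32_t cycle;       /* relative cycle counter, never wall-clock time */
    int32_t  value;       /* measured process variable */
} msg_t;

static uint32_t g_cycle;              /* all state is statically allocated */
static msg_t    g_inbox[CHANNELS];    /* one slot per redundant channel */

/* Self-monitoring: a signal is usable only if fresh and physically plausible. */
static bool signal_valid(const msg_t *m, uint32_t now)
{
    return m->cycle == now && m->value >= RANGE_MIN && m->value <= RANGE_MAX;
}

/* Voter: actuate only when at least `need` channels demand it. */
static bool vote(const bool demand[CHANNELS], int need)
{
    int yes = 0;
    for (int i = 0; i < CHANNELS; i++)
        yes += demand[i] ? 1 : 0;
    return yes >= need;
}

/* One cycle: fixed loop bounds, no interrupts, no allocation.
 * Returns true when the limitation action is actuated; *faulty counts the
 * channels rejected by validation so the fault can be annunciated. */
bool run_cycle(const int32_t raw[CHANNELS], const bool fresh[CHANNELS],
               int32_t limit, int *faulty)
{
    bool demand[CHANNELS];
    g_cycle++;
    *faulty = 0;
    for (int i = 0; i < CHANNELS; i++) {
        if (fresh[i]) {               /* a stalled sender leaves a stale stamp */
            g_inbox[i].value = raw[i];
            g_inbox[i].cycle = g_cycle;
        }
        bool ok = signal_valid(&g_inbox[i], g_cycle);
        if (!ok) (*faulty)++;
        demand[i] = ok && g_inbox[i].value > limit;
    }
    return vote(demand, 2);  /* 2-out-of-4: one bad channel cannot trip or block */
}
```

A channel rejected by validation votes "no" in this sketch, so the logic degrades to 2-out-of-3; a real design has to decide explicitly whether a failed channel should instead count as a demand.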