Instrumentation and control
Krško takes control25 March 2010
In 2007, a project was launched at Slovenia’s Krško NPP to upgrade the digital electro hydraulic (DEH) turbine control system, which was becoming obsolete. A new Westinghouse system has improved functionality and reliability, although its installation was complex. By Mark Zilavy and Damir Mandic
Nuklearna Elektrarna Krško (NEK) is a two-loop Westinghouse PWR plant that started commercial operation in 1983 with 664MWe rated output (1882MWt). After two power up-rates (steam generator replacement in 2000 and replacement of low pressure turbines in 2006) power was increased to 727MWe (2000MWt). The designed plant life was 40 years (up to the year 2023). The plant life-extension plans for additional 20 years (up to the year 2043) are expected to be approved by the Slovenian nuclear regulatory body very soon. The Republic of Slovenia has adopted regulatory standards with NEK operating in compliance with US codes and regulations.
If NEK had decided to keep the old DEH turbine control system and the old relay/electronic based turbine emergency trip system (ETS), future plant operations would have been likely to expect electronic and electrical equipment ageing effects on the digital electro-hydraulic (DEH) and turbine emergency trip system (ETS). These effects could cause transients or events (such as a turbine trip or a reactor trip) that could challenge the safeguarding of systems, functions or equipment. Because of this risk, DEH and ETS systems are considered ‘Important To Safety - ITS’. It is good practice to replace ITS systems before they start to cause degradation of plant availability and safety.
Components from all three main scope items (the old DEH and ETS, and the moisture separator reheater (MSR) control) were designed more than 30 years ago. New spare parts are no longer being made by the original equipment designers and manufacturers. Furthermore, old DEH software modifications were impossible.
The DEH could not be improved to eliminate recognized vulnerabilities, decrease operator burden and provide operators with clear and unambiguous information about processes controlled and monitored by DEH turbine control, turbine ETS and MSR control.
Project goals included improving the reliability and availability of the turbine control and turbine emergency trip systems by ensuring immunity to a single hardware failure by implementing a new redundant design.
In particular, the new system would decrease the probability of:
• Disturbances in operator capabilities to control or monitor TG set.
• Fault activations caused by failures in turbine control or protection systems.
• Omission of control or protective action caused by failures in turbine control or protection systems.
• Plant power transient.
• Plant trip (RX trip) as consequence of an unwanted turbine or generator trip.
In addition, the new system should decrease the frequency of maintenance and reduce the total operator burden. The new system should also allow upgrades and expansion on all platform levels when and if needed in development of future digital I&C plant modifications. In fact, a new project is underway include a new main electric generator monitoring system at Krško NPP.
The scope of project, named 500 TU-L, consisted of the basic DEH turbine control system replacement with the additional five items listed below:
• Replacement of the old DEH (digital electro hydraulic) Mod II turbine control system with the new PDEH (programmable digital electro hydraulic) system built by Westinghouse Electric Corporation on Emerson Ovation DCS platform. The system architecture includes three redundant OCR400 controllers, two process historian servers in a redundant configuration, two data link servers in a redundant configuration, two engineering workstations, six operator workstations, two redundant sets of networking equipment (root switches and fan-out switches and two administrators’ terminals).
• Replacement of the old turbine ETS (emergency trip system).
• Replacement of the old MSR (moisture separator reheater) control system.
• Controls and indicating lamps that were used for remote control and testing of twelve extraction steam valves were removed from one of the main control room operator panels and integrated within the new PDEH.
• Remote control and monitoring of the main electric generator hydrogen purge system. The new PDEH system provides HMI platform and programmable digital platform on which HMI and control algorithms have been implemented.
• Implementation of the new PDEH system on background and foreground Krško full-scope Simulator (KFSS).
Simultaneous to the modification 500-TU-L, other modifications and/or equipment replacements have been implemented to ensure successful overall project closure and reliable long-term plant operation. These modifications include replacement of turbine supervisory instrumentation; replacement of DEH room heating, ventilation and air conditioning equipment; installation of two new UPS (uninterruptible power supply) with battery backup independent from other sets of plant batteries; replacement of the main electric generator protection with new digital equipment; installation of mechanical, electrical and field I&C scope of the main electrical generator hydrogen purge system, for which PDEH provides programmable digital platform for HMI and implementation of control algorithms.
A related modification was the previous replacement of the moisture separator reheaters, or MSRs, carried out in the 2007 outage. In addition to its main mechanical scope, it also prepared for the TCS replacement activities. Those preparation activities were I&C changes related to the control of the valves that control fresh heating steam flow to the MSR reheaters and installation of two new I&C field cabinets.
The project planning started with the preparation of the conceptual design package and continued through the preparation of bidding technical specification, conformance technical specification and contract preparation. Westinghouse maintained the project schedule, and updated detailed project schedules were submitted within each project monthly progress report.
Timely recognition of possible obstacles and project delays were essential for the successful project progress, as well as contingency planning.
The PDEH system implementation was even more demanding than installation because of the limited time available for the project development up to the April 2009 outage. The PDEH system had to be implemented and ready for usage at the background KFSS by the end of November, 2009.
There are two main design processes: the detailed design modification package (DMP) development and the software development.
The first process applies Krško procedures to the detailed design. The DMP version that was submitted for NEK and licensing approval provides safety evaluation and safety evaluation screening documents per 10 CFR 50.59, including: all design impact analysis (general ones and programmable digital system (PDS)-specific engineering design analysis); design calculations; analysis of the project impact to NEK programs, to the updated safety analysis report, to NEK procedures and other documents; detailed bill of materials, installation and testing instructions; proposed changes on existing NEK drawings and set of new PDEH drawings; and two earliest documents in the software development phase: detailed software functional specification (DSFS) and software design specification (SDS). As designed, the DSFS and SDS documents had been revised several times during the software development and testing phase and finally within the project turn-over package. These documents will be amended with the whole set of software documentation.
Software development did not begin before the preliminary DMP and first set of DSFS and SDS documents were issued. It was very important that the software development was performed in consecutive steps that were supported by the generation of adequate documentation (DSFS, SDS, coding). Any significant functional changes always started from the revision of DSFS document, progressed to review and approval of the DSFS document revision, and then to the SDS revision and code revision. Development of software documentation after the system development and even after the system start-up does not ensure compliance to the plant system requirements or to user requirements.
Special precautions were taken for the design of application-specific hardware related to the PDEH MCB HMI devices, including hardwired functional keyboard, trackball panels, turbine valve status light box, stands for MCR desk monitors, installation of MCB LCDs and changes on standard MCB annunciator panels. Although their cost was not significant in the entire project, the design of PDEH HMI devices was challenging because it had to find a compromise between the requirements of the traditionally-designed MCR (while operating the plant equipment, the operator stands in front of the MCB), and the state-of-the-art characteristics of the new technology, and the requirements of NEK operations. In addition, other equipment was manufactured especially for the application, including PDEH cabinets, HMI devices for the MCB, triple instrument manifolds, the second hydraulic trip manifold, and brackets for speed probes.
The design verification and validation process for both detailed design modification package (DMP) development and the software development stretched from the very beginning of the technical specification requirements definition up to the PDEH system operation. There was an independent DMP review and verification, including peer review for NSR items and design verification for SR items. NEK experts, each responsible for his own area of expertise, performed the DMP review, comments and final approval. The independent DMP review included independent review of the DSFS document.
The complex V&V process for the software was performed in accordance with the PDEH software verification & validation plan. Because of the NEK plant specifics related to the existence of a background and foreground PDEH KFSS and the real plant PDEH system, there were more possibilities to extensively test and verify software and all PDEH functions than in similar plant systems. Factory acceptance testing (FAT) and site acceptance testing (SAT) were executed three times each on three different platforms (background simulator, foreground simulator, plant PDEH system).
The impact of the modification 500-TU-L to the existing operating components of the power plant is very complex. To provide all needed signals and to connect with existing components, installation parting was required. The modification was broken to four parts: 1) background KFSS, 2) foreground KFSS, 3) pre-outage PDEH installation and 4) 2009 refueling outage PDEH installation.
The first two parts were the implementation were completed by December 2008. The new PDEH control system was successfully loaded and then ultimately used on KFSS to train operators and to test the system’s reliability before actual implementation in the power plant. Although timely performance of these two steps was strategically important, the available time to do so was not an issue, compared to the latter two parts.
The third part of modification was the pre-outage installation of conduits, cable trays and cables. This part was very important due to its large scope and time consumption and it was necessary to finish it before the 1 April 2009 refuelling outage. Actual start of the pre-outage installation commenced on 12 January and completed within the allotted time.
The final part was the installation of new equipment (including sensors, cabinets, MCB HMI) and connection of all cables. The inspection of all works was needed at the end of this final part; this was also a long and complex job. The demolition and installation of components started on 1 April 2009. Checkouts and commissioning of the newly installed components started on 12 April 2009 with the powering up of the newly installed PDEH cabinets and computer processors.
PDEH-related problems and/or deficiencies that were found during the system commissioning on all three platforms were tracked using a logbook and documented via a problem/deficiency reporting (PDR) system. The problems either have been corrected during the system commissioning, or will have been corrected prior to the final project turn-over to NEK.
The purpose of start-up testing (NEK start-up procedure SUP-16.073) was to validate PDEH system functionality and performance while operating plant equipment during real plant start-up and plant operation at up to 100% of turbine load.
During SUP-16.073 execution, flow and power step changes were introduced into the PDEH TCS under a variety of operating conditions and power levels in order to perform fine tuning and to verify adequate system response characteristics. The plant and PDEH data were recorded during steady-state operation to verify that the steady-state performance criteria were met.
Start-up of the facility started on 1 May 2009 through executing the procedure of rolling off the turning gear. The plant achieved 100% power output on 8 May and completed start-up testing on 10 May with the conclusion of participation in grid frequency primary control testing. Submission of the project documentation turn over package (TOP) is scheduled for the end of January 2010. The latest version of PDEH software that contains resolution of some of currently open PDRs, will be loaded to the PDEH system during the refueling outage 2010 (October 2010) and the project will be officially closed at that time.
Mark Zilavy, Westinghouse Electric Company, Nuclear Services, RRAS – Repair, Replacement & Automation Services, 600 Cranberry Woods Drive, Cranberry Township, PA 16066, USA [email protected] Damir Mandi´c, Nuklearna Elektrarna Krško - NEK, Vrbina 12, SI-8270 Krško, Slovenia, [email protected]Related ArticlesDilute and disperse CAE helps Krsko go virtual Krsko deal Krsko decommissioning dispute