Safety systems at Dukovany

29 January 2001

Following an assessment of I&C systems at the Dukovany power plant, Framatome ANP and Schneider Electric have been awarded the contract to upgrade safety systems and equipment.

Over the next ten years the Dukovany power plant will undergo a modernisation programme costing up to $540 million. The bulk of the investment at the plant will be the replacement of equipment and systems during refuelling and equipment inspections.

Dukovany consists of four six-loop VVER 440-213 reactors, the first commissioned in 1985 and the fourth in 1987. The plant recently set a record of 13.6 TWh of electricity generated in 2000, exceeding its previous record of 13.4 TWh set in 1999.

CEZ, the Czech national utility, awarded the following activity shareout:

• Skoda JS for general engineering and project management.

• Skoda-Energo for the control rod drive mechanism supply system.

• I&C Energo for site engineering and installation.

• ZAT for plant computers.

• A consortium between Framatome ANP and Schneider Electric for the reactor protection system (and associated equipment), reactor control system, steam generator monitoring system and post accident monitoring system.

Systems and equipment

The consortium will supply the following systems and equipment:

• The ex-core nuclear instrumentation system (NIS), including the detectors and the signal conditioning equipment.

• The digital instrumentation processing system, which receives signals from both the process instrumentation system (pressures, flows, levels, temperatures) and the NIS, processes them and generates safety-related trip commands.

• The digital reactor protection system (DRPS), which processes the commands and controls both the reactor trip system and the engineered safety features actuation system (ESFAS). The DRPS also controls the diesel generator load shedding and reloading sequence.

• The support action system (SAS), which monitors the steam generators and generates appropriate protective actions.

• The digital reactor limitation system (DRLS), which transmits signals to both the reactor control system and the turbine control system so as to prevent a reactor trip when the operating parameters approach safety limits.

• The reactor control system (RCS).

• The post accident monitoring system (PAMS).

The scope of supply for these systems covers: design, safety analysis report updating and licensing assistance, manufacturing, factory acceptance tests, delivery, supervision of installation, testing and commissioning, training, and preparation of data for CEZ’s training simulator.

Proposed technologies

CEZ specified that equipment must comply with both the American IEEE and the more recent IEC 1226 classifications. The reactor protection system is therefore based on the SPINLINE3 technology widely used for modern digital protection systems (see panel on page 29). This safety system is a three-train system with three independent divisions (see Figure on right). Both reactor trip and engineered safeguard system initiation signals are processed with 2 out of 3 gates.

The reactor control and limitation systems are also based on SPINLINE3, so as to constitute a consistent system, integrating all reactor-related automatic functions. Such a design facilitates data transfer amongst the different processing units of the system.

On the other hand, the PAMS, which displays information to the operators and generates no automatic action, is based on VME-standardised technology, widely implemented by Framatome ANP for such application.

Defence in depth is achieved using successive lines of defence as required by NUREG/CR-6303:

• The control systems maintain the operational conditions within a normal domain.

• The limitation systems detect abnormal evolutions and initiate actions that prevent the reactor from being tripped when the operational conditions evolve in such a way that safety actions are likely to occur.

• The reactor protection system initiates protective actions (reactor trip and engineered safeguard system startup).

• The post accident monitoring system provides the operators with appropriate information in case of accident.

Process instrumentation system

The reactor protection system (RPS) can be broken down into two main parts. At the input processing level, there are three data acquisition and processing units, one in each division. They process both thermal-hydraulic parameters transmitted by the process instrumentation system (temperatures, pressures, flow rates and levels) and neutron flux signals delivered by the neutron detection conditioning units (NDCUs). In each division, four microprocessor-based protection processing units (PPU1, PPU2, PPU3 and PPU4) process data and generate protective signals (see Figure below).

Functional diversity is implemented between PPU1/PPU2 and PPU3/PPU4. As far as possible, two diverse functions – based on different measurements, algorithms and software packages – are capable of detecting any incident or accident. The first function is implemented in PPU1 or PPU2; the second is implemented in PPU3 or PPU4.

Each division is connected to a NERVIA protection network (see panel on page 29). As a result, there are three protection networks each corresponding to one division (as shown in the Figure below).

At the actuation level, there are again three output processing units, one in each division. They constitute the digital reactor protection systems (DRPS).

In each division, the DRPS (bottom left Figure) consists of four reactor protection processing units called RPPU-AX, RPPU-AY, RPPU-BX and RPPU-BY. Each RPPU receives trip signals from protection networks I, II and III and processes them with 2 out of 3 logic gates. Isolation is provided by optic transceivers and fibre optics between the PPUs and the RPS divisions.

In compliance with the diversity principle, RPPU-AX and RPPU-AY of each division process signals from PPU1 and PPU2, whereas RPPU-BX and RPPU-BY of each division process signals from PPU3 and PPU4 (shadowed boxes on Figure).

Reactor trip system

The reactor trip system (RTS) consists of two channels with three breakers (or, if necessary, three pairs of breakers) in each channel. The first channel is controlled by A signals through hardwired logic gates. They provide undervoltage release AND logic between AX and AY. The second channel is controlled in the same way by the diverse BX and BY signals. The AND gates reduce the risk of spurious trip, whereas cabling channels A and B in series secure the trip function.

The two trip breaker channels are diverse and installed in separate rooms, so as to provide resistance to internal hazards. Each channel consists of three switchgears (with four contacts each) or six switchgears (with two contacts each). Each switchgear (or pair of switchgears) is controlled by one division.

In each channel contacts are cabled in such a way that 2 out of 3 logic is provided between divisions I, II and III.


The engineered safeguard features actuation system (ESFAS) is based on shunt release logic. In each division, safeguard system actuation commands are derived from AX and AY signals and BX and BY diverse signals. AND gates prevent spurious actuation. Then, the commands are OR-gated, so as to secure safeguard system actuation. The same logic is used for emergency diesel generator load sequencing (ELS).

Manual controls

Manual reactor trip commands are hardwired directly to the RTS switchgear. In the same way, safeguard function manual initiation signals are hardwired directly to the OR gates at the outputs of the DRPS. As a result, manual controls bypass all computerised equipment; IEEE recommends such a design as a means of coping with common mode failures originating from software errors. Manual control signals are also transmitted in parallel to the protection system inputs, so that the computerised system's state stays consistent with the manual action.

Instrumentation system

The nuclear instrumentation system contains six nuclear instrumentation channels, one pair in each division. Each channel consists of:

• One proportional counter for refuelling and shutdown.

• One compensated ionisation chamber for operation at power.

• The neutron detector conditioning unit (NDCU).

The NDCU feeds conditioned signals to the reactor protection system and the post accident monitoring system.


The digital reactor limitation system (DRLS) consists of three independent and identical (non-redundant) divisions. Each DRLS division captures data from the protection network and the DRPS of its own division and transmits limitation signals to the reactor control system, the control rod drive control system and the turbine/generator control system.


The interface and data management system (IDMS) is redundant (channel A and channel B) and provides the following functions:

• Capture of data from the NERVIA local area networks (the three protection networks and a fourth gathering data from the DRPS, the SAS and the RCS).

• Detection of discrepancies among redundant signals.

• Identification of failures and aid to the maintenance technicians.

• Data time stamping and interface with the plant computer system.

• Transmission of data of interest to control room displays.


The Post Accident Monitoring System (PAMS) is qualified for both hardware and software with a three-fold redundancy, i.e. one independent system in each division. Its design, based on VME technology, complies with Regulatory Guide 1.97 (RG 1.97).

Each channel captures category 1 data from sensors (thermocouples and other sensors), the neutron detector conditioning units and the corresponding protection network.

It processes data (in particular determining the subcooling margin) and displays information on liquid crystal displays located in both main control room and emergency control room.

Category 2 data (of less importance as defined by RG 1.97) are captured, processed and displayed by only one separate system belonging to division I.

The PAMS is connected by serial links to the plant computer system. During post-accident operation, PAMS-displayed information makes it easier for the operators to:

• Determine the type of accident.

• Check proper operation of both safety systems (reactor trip and engineered safety features) and systems important to safety.

• Assess radioactivity release.

• Monitor how the situation is evolving.

• Decide on the measures to be taken should plant conditions require them.

The PAMS is designed in such a way that the operators can verify that:

• The reactor is shut down and will remain so.

• The residual heat is and will be properly removed.

• All barriers preventing radioactivity from being released are in good condition and will not be damaged.

Implementation schedule

The scheduled on-site implementation is organised in successive work packages sized to fit the plant's usual outages of either 30 or 60 days. The last work package requires a long outage and must therefore follow two or three short outages during which the first work packages are carried out.

Dukovany 3 will be the first unit equipped, during four successive refuelling outages in 2002, 2003, 2004 and 2005, the last of which will be a long outage.

In 2002 one neutron detector channel will be implemented for qualification during the following fuel cycle. In parallel, one part of the reactor protection system (RPS) will be dismounted and removed to make room for the following interventions. As a result, each RPS division will work in 1 out of 1 instead of 1 out of 2 logic. In 2003 one or, if feasible, two RPS divisions will be installed, one division undergoing a functional validation programme during the subsequent fuel cycle.

In 2004 installation of the DRPS will be completed. Most of the equipment for the support action system, the diesel/generator sequencing system, the ex-core nuclear instrumentation system and the post accident monitoring system will also be installed. During the subsequent cycle the new systems will be validated off-line, while the old systems will continue to protect and control the unit.

During the fourth outage in 2005 (long outage) installation of new systems will be completed, the old systems dismounted and removed and the unit will undergo extensive commissioning tests.

For the other units, tests of ex-core detectors will not be necessary. Therefore two short outages followed by a long one will be sufficient. Unit 1 will be equipped from 2005 to 2007, unit 2 from 2006 to 2007 and unit 4 from 2007 to 2009. For unit 4, a short outage is anticipated in 2009. This outage should be prolonged in order to cover the amount of work necessary in this last work package.
