USA's first fully digital station

All-digital reactor protection systems are already operating in France, Germany, Japan, Korea, Sweden, Switzerland, and UK, among other countries. In the US, some individual safety systems have been upgraded to digital, including core protection calculators at Palo Verde and Waterford; load sequencers at Turkey Point; and Eagle 21 safety systems at some Westinghouse plants. But Oconee is the first complete all-digital safety system installation in the US (see also NEI February 2009 p30).

In 2000, the US Nuclear Regulatory Commission (NRC) gave generic (non-site-specific) approval to the following digital I&C control systems for use in safety applications: Eagle 21 and Common Q (Common Qualified Platform) (manufactured by Westinghouse), Triconex (manufactured by Invensys), and Teleperm XS (manufactured by Areva NP). At the same time, Duke launched an internal process to refurbish the Oconee units, which included numerous digital upgrade projects.

First operational in 1973, Duke’s 2538MW Oconee nuclear station, which consists of three units, uses a Babcock & Wilcox pressurized water reactor design. The facility’s reactor protection system (RPS) and engineered safeguard protection system (ESPS) are analogue, solid-state technology manufactured by Bailey Meter Company in the 1970s. Since then Duke has upgraded the Hi Flux trip portion of the RPS with digital safety STAR modules from Areva to replace analogue modules.

The purpose of the RPS is to protect the integrity of the plant’s nuclear fuel by monitoring inputs from the reactor core. If any safe operating values are exceeded, the RPS shuts the reactor down by inserting its control rods. For its part, the ESPS monitors inputs that point to the occurrence of design basis threat events. If one were to occur, the system triggers engineered safety features, such as injecting cooling water. All RPS and ESPS functions are fed by sensors, instrument and logic strings, and actuation devices situated in instrumentation channels.

In the 1990s, Oconee suffered plant trips and transients caused by isolated weaknesses and single point vulnerabilities in its analogue I&C system. To eliminate these weaknesses, Duke Energy commissioned a report that recommended the addition of digital redundancy to Oconee’s non-safety control systems (such as the rod control system, main turbine control system, and integrated control system). Beginning in 1998, the following system upgrades were initiated: the integrated control system (completed in 1998); the water treatment system (completed in 2000); the automatic feedwater isolation (completed in 2002); the main turbine control system (completed in 2004); the main generator voltage regulator, turbine supervisory instrumentation, expandable process control system, and control rod drive system (completed in 2008); and the main feedwater pump control system (to be completed in 2010-2011).

Systems and technology manufactured by Areva of France, ICS Triplex of the UK, Invensys Inc. (Triconex) of the US, SMAR International Corporation of the US, and GE Energy’s Bently Nevada of the US were used. Digital I&C equipment for nuclear power plants has been developed by many manufacturers under a variety of trademarks such as Teleperm, Common Q, Tricon, Ovation, Spinline, and others. Table 1 summarizes the key characteristics of relatively common digital I&C equipment in nuclear power plants.

Digital RPS and ESPS

A project to digitally upgrade the I&C equipment of Oconee’s RPS and ESPS systems first won internal approval at Duke in 2003, and Duke actually submitted an application to the NRC in 2006 – the first the NRC received for digital control upgrade – only to withdraw it because the vendor design of the application-specific software and hardware elements was still in progress and the NRC wanted to review the final approved documents. Duke’s current licence amendment application was submitted to the NRC in January 2008.

Oconee’s digital RPS is comprised of four redundant protection channels that monitor safety-related plant parameters and generate reactor trip signals to protect the fuel and fuel cladding, the reactor coolant system and the reactor building from damage when any of the monitored parameters exceed their trip set points. The digital ESPS is designed to offset the impact of accidents by injecting coolant into the primary system when the reactor coolant system pressure becomes too low and isolating and cooling the reactor building when its pressure becomes too high. The digital ESPS consists of two subsystems, each of which consists of three instrument input channels. Each pair of ESPS instrument input channels shares process variable sensors and contains the signal processing, conditioning and isolation equipment for each plant variable and control signal monitored, power supplies, and equipment for analyzing the plant variables to determine if a protective action is required. When power is lost, the RPS fails to the tripped state, and the ESPS fails to the non-actuated state.

Oconee’s new digital RPS features redundant sensors, measuring channels, logic, and actuation devices. The RPS initiates a reactor trip when any two of these four channels detects an exceeded safety limit. Each of these four protective layers is physically separated from the others and runs on a separate power source. Similarly, the ESPS initiates an output signal when any two of its three protective channels (also physically and electrically isolated from each other) detect an exceeded safety limit.

The digital upgrade to the RPS system and ESPS not only overcomes concerns over the obsolescence of Oconee’s analogue RPS and engineered safeguards system, but adds additional engineered safeguard channels and includes some online monitoring (OLM) and diagnostic capabilities, which partly reduce periodic operator checks of system performance.

The Areva NP Teleperm XS system was chosen for Oconee’s RPS and ESPS because it promises high reliability through fail-safe design, fault tolerance, integrated self-checking, structural simplicity, and robustness, including resistance to temperature swings, vibration, seismic loads and electromagnetic radiation. Teleperm TXS encompasses three functional systems:

• Protection: monitoring safety parameters in all unit operating conditions; enabling automatic protection and safeguard actions when an initiating event occurs
• Reactor control surveillance and limitation: monitoring the core, rod control, and reactor coolant system and performing actions to protect reactor thresholds from being breached; and
• Priority and actuator control system: managing the control and monitoring of operational and safety-system actuators.

Approval process

From its initial submission in January 2008 to its formal approval in January 2010, the review process for Oconee’s digital I&C upgrade entailed 142 document submissions to the NRC as part of the licence amendment request (LAR), two rounds of requests for additional information for the LAR, 16 LAR supplements, and four NRC audits (of the Oconee site, Areva’s Alpharetta, Georgia office and twice at its Erlangen, Germany test field).

In part, this lengthy process stemmed from the fact that NRC’s formal approval process had never been tested by a full digital I&C upgrade before; Oconee is the first complete RPS/ESPS replacement that the NRC has ever reviewed. Despite the passage of time since NRC’s generic approval of various digital I&C control systems in 2000, NRC review guidance for digital I&C upgrades had remained current (and in fact had been updated in 2007 [SPR revision 5]). Moreover, NRC was developing additional guidance in the form of interim staff guidance documents as the Oconee upgrade proceeded to provide additional clarification to support the Oconee review. Although Duke was forced to juggle new guidance from NRC simultaneous to its submittal efforts for Oconee, it continually reviewed its submission data with the NRC to ensure that it was providing the type of information the NRC needed to perform a review.

However, because of the long lag between NRC’s generic approval of Teleperm and other safety-related I&C systems in 2000 and Oconee’s project review process, the information provided in the generic approval of the Teleperm XS platform required updating. The need to describe the changes to Areva’s Teleperm XS that had occurred since the system was generically approved in 2000 slowed the Oconee approval process down.

As an example of the twists and turns of this review process, Areva proposed using a SIVAT software simulation test tool to verify and validate (V&V) the RPS software by way of a series of built-in malfunctions. However, the NRC did not approve of the use of un-reviewed tools such as SIVAT as a substitute for the validation testing it had long required. For example, NRC’s Regulatory Guide 1.168 (2004) endorses the software V&V approaches described in IEEE Standard 1012-1998, which assigns four integrity levels (‘high criticality,’ ‘major criticality,’ etc.) to software and assigns various analysis and evaluation tasks (e.g., traceability analysis, risk analysis, etc.) to each stage (e.g., management, development, operation, etc.) of the software development process.

At Oconee, Areva proposed factory acceptance testing (FAT) as an alternative both to SIVAT and to the use of NRC-reviewed testing tools. Although Areva had not completed V&V in accordance with longstanding NRC guidance and had not yet submitted SIVAT for review, the NRC decided to accept FAT in order to prevent delays in the Oconee review process.

The primary factor impeding a rapid review by the NRC, in other words, was that Duke and Areva had not conformed to NRC’s long-established guidance and did not provide sufficient information for the NRC to evaluate proposed alternatives. Other factors impeding a rapid project review for Oconee included confusion on Duke’s part over the level of detail the NRC required for licence amendments and, more generally, the challenges the NRC faces in trying to keep its Standard Review Plan up-to-date given the rapid pace of change in digital technology.

Finally, the lengthy review process is also explained by the deliberate caution on NRC’s part regarding critical aspects of the digital upgrade. Historically, the NRC has resisted reactor protection systems that are 100% digital and has made its requirements more restrictive over time. The NRC is not alone in this. The UK required the Sizewell B plant to install a hardwired back-up to forestall the potential of I&C software failure, and Finland’s nuclear regulator, STUK, required Olkiluoto 3 nuclear facility to install an automatic hardwired backup system in the event of complete loss of its digital I&C system.

Regulatory concerns

Although digital I&C promises multiple benefits like self-checking, on-line diagnostics, improved accuracy, fault tolerance, and automated sensor calibration verification through the use of OLM it also presents unique challenges, from software logic errors and unanticipated system interactions to filtering and digital noise problems and trips that result from configuration changes while at power. In its approval deliberations of the Oconee upgrade, the NRC has focused on the following technical and security concerns: digital I&C’s potential failure modes and cyber security.

The NRC’s greatest concern in approving digital I&C systems has been the potential for common cause failure in I&C software. Because identical software is used in the redundant channels of safety-related systems, a bug inadvertently designed into the software (rather than resulting from degradation over time) could cause the same inaccuracies or misbehaviors in all the channels. The NRC is not yet fully satisfied with the level of research on common-cause failures of digital I&C systems. It has stated that “experience with digital I&C systems to date has shown that reliance upon quality assurance processes alone has not been adequately effective at preventing common cause failures even in high-integrity digital systems.”

The NRC was also concerned about the Oconee systems’ ability to meet NRC regulations requiring security against intentional external cyber attacks. As Mario Gareri, of the Office of New Reactors, explained in NRC testimony in 2008, “If you look at the design aspect, we’re trying to prevent possible bugs or back doors being put into the software life cycle while we’re developing the software. And if you look at the programmatic approach, we’re trying to prevent attackers from the outside getting into the systems through a cyber attack, [or] the internet.”

Addressing concerns

To address these concerns and accelerate the approval process for digital I&C systems like Oconee’s, in January 2007 the NRC formed six Task Working Groups of experts to address the following areas: cyber security, diversity and defense-in-depth, risk-informing digital I&C, highly integrated control room (communications), highly integrated control room (human factors), and licensing process issues. (The NRC later added a seventh Task Working Group on Digital I&C for Fuel Facilities).

From 2007 on, NRC released interim staff guidance documents on digital I&C that circulated these solutions and then codified them into formal regulatory documents, such as standard review plans [1,2], NUREGs [3], and regulatory guides [4,5]. The completion of the safety evaluation report for Duke’s proposed digital I&C upgrade of its Oconee plant in 2010 marked a significant milestone in the improvement of the approval process for digital safety system I&C.

Approval

Approval of Oconee’s digital I&C system depended on Duke and Areva’s ability to convince the NRC that Teleperm addressed the NRC’s concerns. In late 2009, nuclear regulators in France, the UK, and Finland questioned the Teleperm system’s ability to control a plant that exceeds normal operating conditions and whether Teleperm’s systems were truly independent (http://www.hse.gov.uk/newreactors/joint-regulatory-statement.pdf). These regulators also noted the occurrence of cyber security incidents involving control systems that used other Teleperm systems in non-nuclear plant applications. Areva argued that Teleperm XS achieved functional diversity by “dividing the... system into independent subsystems which... execute different I&C functions for handling one and the same event.” Areva also pointed to such TXS features as asynchronous operation, the absence of process-driven interrupts, ‘watchdog monitoring,’ clearly defined rules for use of the software functional blocks including exception handling, and fail-safe operation when a software error is detected.

To address cyber security, Teleperm TXS provides for communications independence, offers one-way hardware devices, and features no uncontrolled external network connections. The NRC determined to its satisfaction that Oconee’s cyber security regulations met NRC requirements. Hardwired one-way communications exist between the plant’s operator information computer and the RPS/ESPS. Oconee has two-way communications between the Engineering Service Unit for the RPS/ESPS and the safety processors, which is restricted by designed manual interlocks.

Based on these solutions, in January 2010, the NRC approved Duke’s licence amendment request for the digital upgrade to Oconee’s three units, with installation to occur during scheduled refuelling outages from 2011 through 2013.

Digital I&C and analogue sensors

In discussing Oconee’s new digital I&C system, Joseph Giitter, director of the Division of Operating Reactor Licensing in the NRC’s Office of Nuclear Reactor Regulation, noted that “The new systems will process and react to information from the plant’s existing sensors that monitor the reactor core and critical plant parameters.” Precisely because the Oconee upgrade employs existing reactor trip and accident mitigation sensor inputs, its digital effectiveness is only as good as the input from those existing sensors. The measuring technology of these sensors, the first component in a chain of components that make up an instrumentation channel, has not changed fundamentally in decades. Although sensors have exploited digital technology in terms of transmission and analysis, their sensing mechanisms remain analogue. As the historic Oconee digital upgrade gets underway, it is important to remember that any digital upgrade will come to nothing if the sensors on which it relies are inaccurate or degraded. Accuracy and response time must be verified and optimized to ensure that the digital I&C that the sensor feeds is providing reliable info to plant control and safety systems.

Fortunately, OLM technologies have been developed or validated in recent years by AMS Corp. and others through research and development (R&D) projects funded by the US Department of Energy (DOE), the Electric Power Research Institute (EPRI), utilities, the NRC, and others to facilitate sensor calibration and response time verification and signal validation. The new generation of reactors, future digital I&C systems, and new computer systems in existing plants are encouraged to include OLM technologies to automatically verify the validity, accuracy, response time, and thereby the reliability of process sensors which feed the important I&C systems of a plant (see also NEI April 2010, pp13-20).

In spite of great advances in I&C technologies in recent years, sensor problems still haunt the nuclear industry. For example, resistance temperature detectors (RTDs) that feed the plant protection systems in pressurized water reactors (PWRs) are found not to fit, mate, or seat properly in their plant thermowells, resulting in long or unacceptable response time. Also, problems such as blockages and voids in pressure sensing lines are encountered in nuclear power plants, resulting in sluggish dynamic response, extreme fluctuations, and inaccurate pressure or differential pressure readings and thereby errors in pressure, level, or flow measurement. Recent R&D projects performed under the auspices of the DOE have uncovered techniques that can account for these problems, provided that the output of I&C sensors are sampled at a high frequency (e.g., 1000Hz or greater) and analyzed in time and/or frequency domain to identify sensor problems and account for their effect on the reliability of I&C signals [6].

H.M. Hashemian, PhD, DE, founder and president, AMS Corporation (www.ams-corp.com), AMS Technology Center, 9119 Cross Park Drive, Knoxville, Tennessee 37923 USA. Email: hash@ams-corp.com