I&C upgrade ends in success at Loviisa
19 March 2019
Rolls-Royce has successfully installed and commissioned new digital I&C systems at the Loviisa nuclear plant in Finland. Mika Lehtonen and Yann Challamel look back on the ELSA modernisation project, which was implemented during annual outages from 2016 to 2018.
Fortum’s Loviisa plant is located on the southern coast of Finland. It has two Russian-designed VVER-440 reactors, which have been in operation since 1977 and 1980, respectively.
While the major components of the plant are Russian, the I&C systems were mainly based on Siemens technologies (Simatic and Teleperm), for normal operation and safety related systems, and Russian technologies for reactor trip, rod control and neutron flux monitoring.
To maintain safe and reliable operation until the end of the operating licence and accommodate new safety recommendations, it was decided in the early 2000s to modernise all I&C systems at the plant.
The first modernisation project, Loviisa Automation Renewal (LARA), started in 2005 (with different contractors from the recently completed ELSA project). As part of the LARA project the preventative protection and control rod drive position monitoring systems at both units were replaced with digital I&C in 2008 and 2009. Also, a significant part of the operational (non-safety) automation was at that time renewed with digital systems.
The LARA project was terminated in early 2014, when both parties (suppliers and purchaser) agreed that the large scope and considerable complexity of the project meant it would be significantly delayed. The LARA project scope included renewal of all automation systems across both units. It also included renewal of control rooms and simulators.
The new modernisation project, ELSA, kicked off on 14 October 2014 (‘name day’ for Elsa in Finland). This had a more limited (although still very ambitious) scope, with the number of functions and systems to be renewed reduced to make implementation more manageable. The ELSA project was awarded to Rolls-Royce, with the objectives of updating the reactor protection, control and power limitation systems and accident management systems.
The new safety-classified systems delivered by Rolls-Royce are based on its Spinline digital safety platform. The Rolls-Royce scope also included a hardwired backup system for accident management, monitoring and normal control systems based on third party PLCs.
ELSA was a complex project with a challenging timeframe. The challenges included:
- ensuring compatibility between the modernised systems and the old systems remaining in place: interfacing between these systems is a key success condition;
- implementing the project in four years, from basic design and licensing to installation and commissioning;
- ensuring modifications management: because the new systems use a different technology from the ones they replace (digital vs analogue), improvements are possible, while some existing applications cannot be replicated exactly;
- putting in place a strict interfacing policy to separate the systems of different categories, because the modernised systems belong to different safety classes.
The list of functions to be implemented via the ELSA project was clear from the beginning, but the architecture design was a long journey. The conceptual design included drafting the list of systems and the preliminary interfaces between them.
Two important questions were raised during the early design phases:
- What level of diversity for the reactor trip system (RTS)?
- Do we use the Rolls-Royce proprietary safety network widely or do we prefer the use of hardwired connections?
The advantages and drawbacks of all possible solutions were balanced during several brainstorming sessions, but we were able to arrive at these design principles:
- A non-safety diverse automatic backup of RTS is enough if an SC (Safety Classification) 3 diverse manual backup is available. (Finland employs three classifications, in descending order of stringency: SC2, SC3 and NS (Non Safety).) An SC3 automatic backup would have been better, but it would have required the licensing of another SC3 platform, most probably not software-free. The manual backup is sufficiently simple to be implemented in a simple hardwired platform, reducing the licensing risk compared with an additional software-based platform. The credibility of the manual backup of RTS is proven by accident analyses showing that the human operator has sufficient time to react for most likely accident cases, as well as RTS common cause failure (CCF). For unlikely cases where fast action is needed together with RTS CCF, NS classification is enough for the automatic backup.
- Intensive cabling between channels was not considered practicable for an existing plant, where cable trays and penetrations have not been designed for a four-channel architecture. It was decided that the licensing effort required for a safety network was more reasonable than pulling several tens of kilometres of cables just for voting logic. The network is thus mainly used for communication between channels of the same system and between systems, making use of the characteristics of the Rolls-Royce NERVIA network, designed for nuclear applications.
In the beginning, there was no plan as to how to implement the functions on site, except that everything should be finished in 2018.
The decision was made to implement the SC2 systems last, to allow enough time for the licensing and certification of the Spinline platform. The starting point would be several SC3 functions to be implemented in 2016, within the PAIS (Preventative Actuation and Indication System), which includes renewal of the reactor boiling margin calculation system, and new preventative functions for both the primary and secondary sides. Starting with one system of a less stringent safety classification provided a training opportunity for both the Rolls-Royce and Fortum teams, without taking excessive risks with such a tight schedule.
The need for diversity together with the three phase approach resulted in the breakdown structure for the project shown in the block diagram above.
Main control room
Fortum has been involved with the development and maintenance of power plant main control rooms since the 1970s. In the ELSA project, Fortum was responsible for control room ergonomics. The control concept is based mainly on hardwired panels and desks and a process computer system, which is the main monitoring system for the plant, including the main alarm system. The ELSA project aimed to limit visible changes, and the basic concept of a hybrid control room remained. A new hardwired control panel was installed mostly for manual backup functions. The other HMIs (human–machine interfaces) of new and renewed automation systems were integrated into existing panels and desks, including a new monitoring system for I&C as well as renewed functions, e.g. nuclear power monitoring, reactor trip and power control.
In order to have cumulative evidence of the validity of the design, all the control room and HMI changes were verified and validated several times during the project. Integrated system validation focusing on the entire control room was conducted at the end of the project.
It was clear at the start that the licensing would be a key success factor for the project. Rolls-Royce has been guided by Fortum in gaining an understanding of the YVL guides (Finnish nuclear safety regulatory guides) and their underlying principles. One important point was to plan each design or validation step with clear documentation before doing anything, and to have it approved by the authority.
The innovative approach used in the ELSA project was to create packages of documents that were linked together and present a high-level view of each package to the nuclear regulatory authority at a dedicated meeting, before it received the individual documents for review. This helped the regulator to better understand what it was reviewing. All the ELSA documents were approved in time without impacting the project schedule.
It could have been seen as a good idea to create a new documentation structure to comply with YVL guides, but it was decided to prove that the usual Rolls-Royce documentation was compliant with YVL, with a gap analysis that resulted in very few additional documents needing to be issued, such as “suitability analysis”, specific to Finnish plants. This approach benefitted from skilled resources coming from other Rolls-Royce projects, and was also time efficient because people already knew the environment in which they were working.
Combining the package-based approach with high quality documentation made for a smooth licensing process throughout the project, something that can be hard to achieve in nuclear I&C projects.
In the ELSA project, Fortum used its safety engineering design method, ADLAS, which was applied to plant and functional level design. In practice this meant that the overall safety related functionality of the plant was clearly defined. This so-called functional architecture included safety functions and also high level requirements for the safety functions that were not in the scope of the ELSA project.
Verification and validation of the plant and architecture were implemented with analyses and tests. Analyses included the renewal of all safety analyses and fault and common-cause analyses of the new automation systems. The goal was to validate the new automation systems as part of the plant and introduce new analyses related to YVL guides.
APROS-based simulators were extensively used during the ELSA project, with the new automation systems being validated against the simulated plant. Selected accidents and transients scenarios were simulated with ELSA automation modelled in APROS and later compared to Rolls-Royce emulated automation. The tests were evaluated by the operators of the Loviisa nuclear plant. In addition simulators were used in the validation of the operating and emergency instructions and the main control room concept (using virtual reality). The tests made it possible to discover errors early and allowed the tuning of the power controller before commissioning.
For each stage, a test platform with all cabinets was set up at Rolls-Royce premises, driven either by Rolls-Royce test tools or by the APROS simulator. It was possible to simulate actual plant behaviour with cabinets in the loop.
After all testing had been performed, formal factory acceptance tests were conducted with the competent authority. This was supposed to be based only on documentation produced during the testing phases, but at the safety authority's request a few additional tests were carried out using the test platform, not based on test procedures. One test was a complete blackout of half of the cabinets (which is outside the design basis, since there are four redundant power supplies); this resulted in no abnormal behaviour, thus demonstrating the robustness of the design.
After that, a new session of tests was planned with the regulatory authority to test some beyond-design-basis cases, including some APROS modifications to enable replay of the tests. All results were satisfactory, even though the scenarios had not been considered possible during the design phases.
For example, a CCF in the existing ESFAS (engineered safety features actuation system) was simulated, leading to the impossibility of a trip on request by the RTS in the case of a large breach on the secondary side. When simulating this situation, it appeared that the diverse automatic backup using measurements and functions different from the RTS was able to trip the reactor. This was further evidence that the architecture was robust and that the right level of diversity was integrated in it.
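To make the diversity argument above concrete, here is an added illustration (not Rolls-Royce, Fortum or Spinline code) of a layered trip architecture: four redundant RTS channels running identical voting logic, and a non-safety automatic backup that uses a different measurement. The 2-out-of-4 voting threshold, the pressure and steam-flow setpoints and all readings are constructed assumptions; the CCF scenario mirrors the test described above, where the RTS cannot trip but the diverse backup can.

```python
from dataclasses import dataclass

VOTE_THRESHOLD = 2          # assumed 2-out-of-4 voting between channels


@dataclass
class Channel:
    """One of four redundant RTS channels (constructed model)."""
    pressure_mpa: float     # this channel's own primary-pressure reading
    can_trip: bool = True   # False: the channel's trip output is blocked


def rts_trip(channels, low_pressure_setpoint):
    """RTS: count channels that both see the condition and can act,
    then apply the voting threshold. The logic is identical in every
    channel, so a common cause failure (CCF) can block all four at once."""
    votes = sum(1 for c in channels
                if c.can_trip and c.pressure_mpa < low_pressure_setpoint)
    return votes >= VOTE_THRESHOLD


def diverse_backup_trip(steam_flow_kg_s, high_flow_setpoint):
    """NS-class automatic backup: a different measurement (steam flow)
    and a different criterion than the RTS, so an RTS CCF does not reach it."""
    return steam_flow_kg_s > high_flow_setpoint


def evaluate(channels, steam_flow_kg_s, *, p_setpoint=11.0, f_setpoint=900.0):
    """Plant-level result: the reactor trips if either layer requests it."""
    rts = rts_trip(channels, p_setpoint)
    backup = diverse_backup_trip(steam_flow_kg_s, f_setpoint)
    return {"rts": rts, "backup": backup, "trip": rts or backup}


def ccf_scenario():
    """Constructed replay of the test above: a large secondary-side breach
    drops primary pressure and raises steam flow, while a CCF blocks the
    trip output of all four RTS channels (assumed values)."""
    chans = [Channel(9.5, can_trip=False) for _ in range(4)]
    return evaluate(chans, steam_flow_kg_s=1500.0)


def single_failure_scenario():
    """Normal operation with one channel reading spuriously low: a single
    vote is below the threshold, so redundancy prevents a spurious trip."""
    chans = [Channel(12.3), Channel(12.2), Channel(8.0), Channel(12.3)]
    return evaluate(chans, steam_flow_kg_s=600.0)
```

Redundancy (voting) handles independent channel failures; only diversity (a separate measurement and criterion) covers the case where all channels fail the same way.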
For the entire project, around 300 installation plans (an installation plan in the Loviisa QMS (quality management system) being an instruction for installation people, including quality control details, inspection and test procedure after completion of the work) have been written by Rolls-Royce and approved by Fortum, and then executed with Finnish installation company INSTA. An installation plan is on average 150 pages, and can be up to 500 pages for complex or large scale activities; it is the result of a significant engineering effort to adapt the Rolls-Royce technology to existing plant constraints and customer requirements. This enabled the installation of more than 80 cabinets and the connection of thousands of new wires, together with the modification of tens of existing cabinets that accommodated the new connections and improvement in existing functions.
Thanks to the construction of new buildings close to the reactor building, it was possible to install the cabinets and interconnect them before outages, and precautions were taken so that almost all cables could be pulled during an operational period. The outage period was used to dismantle unneeded equipment, to make modifications in the control room, and to connect the new instrumentation & control to the existing I&C (including sensors); all testing and commissioning activities were then carried out before start-up, which was never delayed by the I&C upgrade work.
Key success factors
Several factors are considered to have been essential in achieving success:
- A constant commitment to deliver on time at the right level of quality.
- A fine-tuned breakdown of tasks, a tailored schedule and excellent work by all stakeholders in-factory and on-site, which made it possible to complete all the tasks that could be anticipated before the outages.
- A “continuous improvement” way of working taking into account the lessons learnt from each phase as it was completed and reassessing the process/project organisation based on the findings.
- A very collaborative mindset among all those mobilised on the project and a trust in our ability to work together, to think differently, and to better motivate the teams.
Author information: Mika Lehtonen, Fortum, project manager, ELSA project; Yann Challamel, Rolls-Royce, technical leader, ELSA project