Risk and reward
4 July 2017
A ten-year project saw replacement of a fleet-critical control system at two UK reactors.
Nuclear power plants are fitted with equipment in use at the time of design and construction. Inevitably, technology moves on and some of that equipment will in due course become obsolete.
Replacing obsolete systems can have significant implications for the plant’s safety case and cause lengthy and expensive outages. The replacement of high-integrity control systems at two of EDF Energy’s UK plants – Heysham 2 and Torness – provides an example of how such a fleet-critical project should be tackled.
Code migration and testing were key elements of the changeover because issues affecting availability and functionality carried the risk of lost output. This work was done by Amec Foster Wheeler and has taken 10 years, with final completion due in July 2017.
At the two stations the fuel route plant, including the fuelling machines, was originally controlled by a bespoke control and protection system called Reypak. Reypak, a programmable logic controller (PLC), was a distributed system with inputs and outputs in remote racks and the application in a main rack. Reypak used a multi-tasking operating system, with the application written as discrete blocks of structured code in S80, a bespoke language created for the system.
In the safety case, the system and the application code were claimed to have a probability of failure on demand (pfd) of 10⁻¹.
The Reypak system had become unreliable and obsolete and presented significant availability issues for the two stations. The fuel route systems are fundamental to the safe and reliable movement of fuel and components, which are in turn essential for continued operation of the reactors.
EDF Energy wanted to replace 21 Reypak systems but it was crucial that the solution avoid any need to shut down the reactors, which would incur a cost of £1 million per station per day in lost output. The operators were only too well aware that the original systems had taken many years of on-site commissioning to get the facilities and fuelling machine operating as required.
To reduce the risk, the project was phased so that it would deliver an immediate improvement in reliability while leaving the difficult issues until later. The first step was to replace the I/O sub-racks with standard PLC components (Siemens S7-300 and S7-400), communicating with the existing Reypak main rack and application. The equipment delivery was specifically designed to aid installation, with each rack taking about three hours to replace. This gave an immediate gain in reliability whilst minimising the risk to the plant operator.
The next phase was to migrate the application code from Reypak S80 to Siemens SCL. In an innovative and technically challenging solution, Amec Foster Wheeler’s team developed an automatic code migration tool. This meant that the existing code did not need to be manually rewritten, reducing the risk of introducing latent errors. More significantly, it preserved the years of development work invested in the existing code.
A process was created to verify and validate the migrated code, and the migrated application was verified and validated against a dynamic plant model and test environment. This included creating a logical plant model, which was first validated by testing against the Reypak environment and application, and then used to verify the functionality of the migrated Siemens environment and application. The test environment, built using the standard Siemens tools WinCC SCADA and the SIMATIC toolbox, allowed complete off-site testing of the migrated application, including interlock testing. A scripting environment was designed to run interlock tests against the migrated application code.
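The validation approach described above, as an added illustration rather than the project's own code: a small differential test harness that checks a migrated interlock against the original behaviour, first with plant-model-derived scenarios and then exhaustively over every input combination. The signal names, the interlock rule and the scenarios are hypothetical and constructed for the example.

```python
"""Constructed example (not Reypak/S80 or the project's SCL code): differential
testing of an interlock that has been migrated between two controllers."""
from itertools import product
from typing import Callable, Dict, List, Sequence, Tuple

Inputs = Dict[str, bool]
Interlock = Callable[[Inputs], bool]
SIGNALS = ("seated", "hoist_stationary", "over_travel")   # hypothetical signals

def legacy_release_permit(i: Inputs) -> bool:
    """Stand-in for the original application: the grab may release only when
    the assembly is seated, the hoist is stationary and no over-travel is flagged."""
    return i["seated"] and i["hoist_stationary"] and not i["over_travel"]

def migrated_release_permit(i: Inputs) -> bool:
    """Stand-in for a correctly migrated application (behaviourally identical)."""
    return i["seated"] and i["hoist_stationary"] and not i["over_travel"]

def faulty_migration(i: Inputs) -> bool:
    """A migration that silently lost the over-travel guard (constructed defect)."""
    return i["seated"] and i["hoist_stationary"]

# Scenarios with expected permits. The expectations play the role of the plant
# model that was first validated against the original system.
SCENARIOS: List[Tuple[str, Inputs, bool]] = [
    ("normal release", dict(seated=True, hoist_stationary=True, over_travel=False), True),
    ("hoist moving", dict(seated=True, hoist_stationary=False, over_travel=False), False),
    ("not seated", dict(seated=False, hoist_stationary=True, over_travel=False), False),
    ("over-travel", dict(seated=True, hoist_stationary=True, over_travel=True), False),
]

def run_scenarios(impl: Interlock, scenarios=SCENARIOS) -> List[str]:
    """Names of scenarios where impl disagrees with the expected permit."""
    return [name for name, inputs, expected in scenarios if impl(inputs) != expected]

def exhaustive_diff(ref: Interlock, cand: Interlock,
                    signals: Sequence[str] = SIGNALS) -> List[Inputs]:
    """Compare two Boolean interlocks over every input combination. For a
    handful of signals this is a complete equivalence check, which is stronger
    than any finite scenario list."""
    diffs = []
    for bits in product((False, True), repeat=len(signals)):
        inputs = dict(zip(signals, bits))
        if ref(inputs) != cand(inputs):
            diffs.append(inputs)
    return diffs

if __name__ == "__main__":
    print("migrated:", run_scenarios(migrated_release_permit),
          exhaustive_diff(legacy_release_permit, migrated_release_permit))
    print("faulty:", run_scenarios(faulty_migration),
          exhaustive_diff(legacy_release_permit, faulty_migration))
```

The exhaustive sweep is what turns a scenario pass into an equivalence argument; scale it past a dozen signals and a SAT-based check would replace the product loop.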
The tool and supporting process were evaluated against the requirements to support the safety case and confirmed to support a safety case claim of 10⁻¹ pfd.
Having completed migration and off-site testing, it was possible to reduce the on-site installation and testing to a minimum and thereby to reduce the plant outage significantly. In fact, installation and testing at the stations was reduced to a few days rather than the feared months or years.
The outcome for EDF Energy was improved reliability through to end of life and the removal of a major issue threatening generation.
For Amec Foster Wheeler, the project has developed a niche capability that is being applied to similar projects for EDF Energy and others. It has also spawned further projects to enhance the fuel route systems at Torness and Heysham 2 and other EDF Energy sites.