The latest spin on digital safety systems
28 January 2000
SPINLINE 3 is an advanced digital instrumentation and control system developed by Schneider and Framatome for nuclear safety applications. Besides its use in new NPP construction and next generation designs (such as the EPR), this latest version was also designed to refurbish I&C systems in operating plants, including VVER reactors.
SPINLINE 3 is the culmination of the work and experience of Schneider and Framatome in developing their “SPIN” digital reactor safety instrumentation & control technology. Early SPIN-based systems are in operation in France and other countries.
The two companies moved to digital systems as they offer many advantages for nuclear plants, such as:
• Increased safety and availability, eg through better fault detection and higher accuracy processing.
• Reduced system size through the use of integrated complex functions and communications.
• Improved operation and maintenance, eg by system supervision and automatic diagnosis.
• Increased flexibility and operational scope through technology evolution.
While SPIN was originally developed for French reactors, SPINLINE 3 is designed to satisfy international standards and utility requirements and can be adapted to all reactor systems. It can easily be integrated into existing systems and connected to other computer-based equipment.
This includes not only new reactor designs but the refurbishment of safety systems on early reactors. SPINLINE 3 has already been retrofitted to the Soviet-designed VVERs at Kozloduy in Bulgaria.
RENOVATING EARLY SYSTEMS
Refurbishing an old I&C system of an existing nuclear power plant is often a more complex undertaking than designing for a new one.
The main motivation for refurbishment is, of course, that the original system is ageing, which brings spare parts availability problems and a decline in both safety and availability. In the particular case of Soviet-designed PWRs (VVERs), the original I&C supplier actually specified that the equipment be replaced after a given period of operation.
A refurbishment must meet specific requirements, such as:
• The new I&C system has to interface with the existing equipment remaining in place. Special care has to be taken with data interfaces, cable ways and geographical location.
• The outage required for installing the new I&C system has to be as short as possible.
A step-by-step approach is therefore often the best route to refurbishment, both economically and technically.
ORIGINS OF SPIN
SPIN came out of a decision to develop an entirely new reactor protection system for the 1300 MWe reactors (known as P4) constructed for Electricité de France. The first model, SPIN P4, was installed on twenty 1300 MWe PWRs in the 1980s. It was based on Motorola 6800 CPU boards programmed in assembler and on serial links. It has now successfully accumulated 200 reactor years of experience (since Paluel first went critical in 1984).
The second step came in the 1990s when SPIN N4 was installed on four 1450 MWe units in France (the N4 PWRs) as well as in several CEA research reactors. SPIN N4 was based on Motorola 68000 CPU boards programmed in C language and on deterministic networks (discussed below). It has now successfully accumulated 20 reactor years of experience.
Building on this successful experience, SPINLINE 3 has been developed to reach the following goals:
• Increased safety and availability.
• Easier operation and maintenance.
• State of the art performance.
• Shorter development time.
The system handles all functions important for safety, from measurement acquisition to actuator control, including:
• Reactor protection (reactor trip and associated engineered safety features, diesel sequencing).
• Reactor control and limitation.
• Neutron instrumentation.
To date, applications of SPINLINE 3 include:
• New plants, notably Qinshan phase 2 (China).
• Refurbishment projects, for example at Kozloduy (Bulgaria), where it has been in operation since September 1997, Tihange (Belgium) and Bugey and Fessenheim (France), where it will shortly be in operation.
The four steps of technology development are shown in the diagram.
BASIC DESIGN CRITERIA
SPINLINE 3 has been developed to meet national and international standards for safety I&C systems as set out in RCC-E (French rules) and in IEEE, IEC and IAEA safety guidelines. The system has been designed to comply with the following criteria:
• Fail-safe architecture – outputs to actuators are always in a defined, valid state, so that a failure within the system does not impair the safety function.
• Fault-tolerance (including the single failure criterion) – SPINLINE 3 can meet any redundancy requirement.
• Functional diversity defends the system against common cause failures.
• Functional isolation prevents propagation of failures between redundant parts.
Other features of SPINLINE 3 include:
• Scalability. SPINLINE 3 can fit a range of sizes of I&C systems. It can be used for highly distributed architectures such as the reactor protection system of N4 plants (four divisions with three levels of processing: acquisition, functional processing, voting) or more compact configurations such as Qinshan (two trains for source and intermediate range, four trains for power range, one level of processing).
• Modularity. The system can be delivered either as racks to be integrated into existing cabinets (for some refurbishment purposes) or as whole cabinets.
• Flexibility. The system can evolve without hardware modification.
• Determinism. The same inputs produce the same outputs with a guaranteed response time.
• Ease of operation and maintenance. Protection thresholds can be modified through a secured protocol; there is also a station for supervision and automated diagnosis.
SPINLINE 3 is a modular and standardised arrangement of PLC-like deterministic units. A unit consists of a rack including a CPU board with its software and peripheral boards (mainly I/O boards).
The hardware components have been specifically designed for safety applications, with safety and fail-safe features taken into account at the very outset of the design process. For example, actuator control boards move to a pre-defined safe state in case of loss of communication with the upstream stages of processing.
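The two fail-safe behaviours described above (redundant divisions voted at a dedicated level, and actuator boards that fall back to a safe state when the upstream link goes quiet) can be sketched in a few dozen lines. The following is an added example written for this page, not SPINLINE 3 code: the 2-out-of-4 coincidence rule, the 100 ms staleness limit, the scenarios and all names are assumptions made for illustration.

```c
/* Added example, not SPINLINE 3 code: a voting-stage unit applying a
 * fail-safe 2-out-of-4 rule to the partial trip signals of four redundant
 * divisions, plus an actuator board that drops to its safe state when the
 * upstream link goes quiet.  The 2oo4 rule, the 100 ms limit, the scenario
 * data and all names are assumptions for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define N_DIV             4
#define TRIP_VOTES_NEEDED 2     /* assumed 2-out-of-4 coincidence */
#define LINK_TIMEOUT_MS   100   /* assumed: a message older than this is stale */

typedef struct {
    uint32_t last_rx_ms;   /* arrival time of the last message received from this division */
    bool     valid;        /* false if that message failed its integrity check */
    bool     trip;         /* partial trip flag carried in that message */
} div_input_t;

/* Fail-safe interpretation: a division that cannot be trusted to say
 * "no trip" (invalid or stale message) is counted as voting for a trip. */
static bool effective_trip(const div_input_t *d, uint32_t now_ms)
{
    if (!d->valid)                                return true;
    if (now_ms - d->last_rx_ms > LINK_TIMEOUT_MS) return true;
    return d->trip;
}

/* Number of divisions whose effective vote is "trip". */
int count_trip_votes(const div_input_t in[N_DIV], uint32_t now_ms)
{
    int n = 0;
    for (int i = 0; i < N_DIV; i++)
        if (effective_trip(&in[i], now_ms)) n++;
    return n;
}

/* Trip demand of the voting stage under the 2oo4 rule. */
bool vote_trip_2oo4(const div_input_t in[N_DIV], uint32_t now_ms)
{
    return count_trip_votes(in, now_ms) >= TRIP_VOTES_NEEDED;
}

typedef enum { ACT_SAFE_STATE = 0, ACT_ENERGISED = 1 } act_state_t;

/* Actuator board side: the commanded state is held only while commands keep
 * arriving; loss of the upstream link drives the output to the safe state. */
act_state_t actuator_output(act_state_t commanded, uint32_t last_cmd_ms, uint32_t now_ms)
{
    if (now_ms - last_cmd_ms > LINK_TIMEOUT_MS) return ACT_SAFE_STATE;
    return commanded;
}

/* Constructed scenarios (sample data, not plant data); "now" is 1050 ms. */
const uint32_t NOW_MS = 1050;
const div_input_t SCN_QUIET[N_DIV]      = {{1000,true,false},{1000,true,false},{1000,true,false},{1000,true,false}};
const div_input_t SCN_ONE_TRIP[N_DIV]   = {{1000,true,false},{1000,true,true }, {1000,true,false},{1000,true,false}};
const div_input_t SCN_TWO_TRIPS[N_DIV]  = {{1000,true,true }, {1000,true,false},{1000,true,true }, {1000,true,false}};
/* One division trips while another has gone silent (last message 250 ms ago). */
const div_input_t SCN_TRIP_PLUS_STALE[N_DIV] = {{1000,true,false},{1000,true,true},{1000,true,false},{800,true,false}};
/* A single corrupted message on its own must not cause a spurious trip. */
const div_input_t SCN_ONE_INVALID[N_DIV] = {{1000,false,false},{1000,true,false},{1000,true,false},{1000,true,false}};

int main(void)
{
    printf("quiet:             votes=%d trip=%d\n", count_trip_votes(SCN_QUIET, NOW_MS),           vote_trip_2oo4(SCN_QUIET, NOW_MS));
    printf("one trip:          votes=%d trip=%d\n", count_trip_votes(SCN_ONE_TRIP, NOW_MS),        vote_trip_2oo4(SCN_ONE_TRIP, NOW_MS));
    printf("two trips:         votes=%d trip=%d\n", count_trip_votes(SCN_TWO_TRIPS, NOW_MS),       vote_trip_2oo4(SCN_TWO_TRIPS, NOW_MS));
    printf("trip + stale link: votes=%d trip=%d\n", count_trip_votes(SCN_TRIP_PLUS_STALE, NOW_MS), vote_trip_2oo4(SCN_TRIP_PLUS_STALE, NOW_MS));
    printf("one invalid:       votes=%d trip=%d\n", count_trip_votes(SCN_ONE_INVALID, NOW_MS),     vote_trip_2oo4(SCN_ONE_INVALID, NOW_MS));
    printf("actuator, link alive: %d  link lost: %d\n",
           actuator_output(ACT_ENERGISED, 1000, 1050), actuator_output(ACT_ENERGISED, 1000, 1200));
    return 0;
}
```

The point of the stale-link scenario is that the two fail-safe postures compose: a silent division is treated as demanding a trip at the voting level, and a silent voting level is treated as a trip by the actuator board. A single invalid message raises the vote count by one without tripping, which is the single failure criterion seen from the voting logic: one failure neither causes a spurious action nor prevents the protective action.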
The main pieces of hardware are:
• Cabinets and 19-inch 6U racks designed to withstand harsh conditions of temperature, EMI, vibration and earthquakes.
• Input and output boards for both binary and analog data, neutron instrumentation, thermodynamic instrumentation, actuator control.
• High speed deterministic networks: the NERVIA™ network is a 2 megabit/s broadcast-type token ring network, running over either optical fibre or coaxial cable, used for communications within the safety system and for communications with non-safety units; the dedicated actuator network is based on a master/slave protocol and uses the same media as NERVIA.
• A powerful 25 MHz Motorola 68040 microprocessor CPU board, with 2 megabytes of write-protected (read-only in operation) flash, 2 megabytes of RAM and 64 kilobytes of non-volatile EEPROM memory.
• An interface to the PC world via the NERVIA network.
Where software is concerned, the key principles applied to safety are simplicity and the use of computer-aided tools.
SPINLINE 3 has neither an operating system nor interrupts: the safety software is a single loop that runs the same functions, in the same order, within a pre-defined and fixed cycle time. The safety software comprises “system” software and “application” software: the system software covers initialisation, self-tests, interfaces with I/O boards and networks, and monitoring of the loop duration; the application software is defined by the customer and reflects the functional requirements.
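To make the single-loop structure concrete, here is an added example written for this page (not SPINLINE 3 code) of a cyclic executive with no operating system and no interrupts: every cycle runs the same stages in the same order, checks that it actually did, and checks that it finished within the fixed cycle budget. Time is a simulated tick counter, the stage costs and fault injections are assumed numbers, and all names are hypothetical; on real hardware the overrun check would be backed by a watchdog timer that the loop refreshes once per cycle.

```c
/* Added example, not SPINLINE 3 code: a single-loop safety executive with
 * no OS and no interrupts.  The cycle runs acquisition, self-tests,
 * application processing and output, verifies the stage sequence, and
 * verifies the cycle duration against a fixed budget.  Time is a simulated
 * tick counter; stage costs and injected faults are assumed values. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define CYCLE_BUDGET_TICKS 50u   /* assumed fixed cycle period */

typedef enum { CYC_OK = 0, CYC_SEQUENCE_FAULT, CYC_SELFTEST_FAULT, CYC_OVERRUN } cycle_status_t;

/* What one cycle will cost and which faults to inject (simulation only;
 * real code would read a hardware timer and real self-test results). */
typedef struct {
    uint32_t cost_acquire, cost_selftest, cost_app, cost_output;
    bool selftest_fails;    /* a self-test (RAM, ROM checksum, I/O loopback) reports a fault */
    bool skip_application;  /* stands in for a control-flow error that bypasses a stage */
} cycle_profile_t;

typedef struct {
    uint32_t clock;          /* free-running simulated timer */
    uint32_t stage;          /* sequence marker: stage k may only follow stage k-1 */
    uint32_t cycles_ok;
    uint32_t worst_duration; /* longest cycle seen, for margin monitoring */
    bool     safe_state;     /* latched: outputs held in safe state until restart */
} executive_t;

/* Every stage records that it was entered from the expected predecessor;
 * any out-of-order entry poisons the marker for the rest of the cycle. */
static void enter_stage(executive_t *ex, uint32_t k)
{
    ex->stage = (ex->stage == k - 1) ? k : 0xDEADu;
}

cycle_status_t run_cycle(executive_t *ex, const cycle_profile_t *p)
{
    uint32_t start = ex->clock;
    bool selftest_ok = true;
    ex->stage = 0;

    enter_stage(ex, 1); ex->clock += p->cost_acquire;                 /* read I/O boards */
    enter_stage(ex, 2); ex->clock += p->cost_selftest;                /* self-tests */
    selftest_ok = !p->selftest_fails;                                 /* result is acted on at cycle end */
    if (!p->skip_application) {
        enter_stage(ex, 3); ex->clock += p->cost_app;                 /* customer-defined functions */
    }
    enter_stage(ex, 4); ex->clock += p->cost_output;                  /* outputs to actuators */

    uint32_t duration = ex->clock - start;
    if (duration > ex->worst_duration) ex->worst_duration = duration;

    /* Loop monitoring: any anomaly latches the unit into its safe state. */
    if (ex->stage != 4)                { ex->safe_state = true; return CYC_SEQUENCE_FAULT; }
    if (!selftest_ok)                  { ex->safe_state = true; return CYC_SELFTEST_FAULT; }
    if (duration > CYCLE_BUDGET_TICKS) { ex->safe_state = true; return CYC_OVERRUN; }

    ex->clock = start + CYCLE_BUDGET_TICKS;   /* idle out the rest of the fixed period */
    ex->cycles_ok++;
    return CYC_OK;
}

/* Run up to n cycles of a profile from a fresh executive; returns the first
 * non-OK status, or CYC_OK if every cycle completed. */
cycle_status_t run_profile(const cycle_profile_t *p, uint32_t n, executive_t *out)
{
    executive_t ex = {0};
    cycle_status_t st = CYC_OK;
    for (uint32_t i = 0; i < n && st == CYC_OK; i++) st = run_cycle(&ex, p);
    if (out) *out = ex;
    return st;
}

uint32_t cycles_completed(const cycle_profile_t *p, uint32_t n)
{
    executive_t ex;
    run_profile(p, n, &ex);
    return ex.cycles_ok;
}

/* Constructed profiles (assumed tick costs). */
const cycle_profile_t PROFILE_NOMINAL  = {10, 5, 20, 5, false, false};   /* 40 ticks */
const cycle_profile_t PROFILE_TOO_SLOW = {10, 5, 40, 5, false, false};   /* 60 ticks > 50 budget */
const cycle_profile_t PROFILE_SELFTEST = {10, 5, 20, 5, true,  false};
const cycle_profile_t PROFILE_SKIPPED  = {10, 5, 20, 5, false, true };

int main(void)
{
    executive_t ex;
    printf("nominal:  status=%d cycles=%u worst=%u\n", run_profile(&PROFILE_NOMINAL, 100, &ex), ex.cycles_ok, ex.worst_duration);
    printf("too slow: status=%d cycles=%u worst=%u\n", run_profile(&PROFILE_TOO_SLOW, 100, &ex), ex.cycles_ok, ex.worst_duration);
    printf("selftest: status=%d safe=%d\n", run_profile(&PROFILE_SELFTEST, 100, &ex), ex.safe_state);
    printf("skipped:  status=%d safe=%d\n", run_profile(&PROFILE_SKIPPED, 100, &ex), ex.safe_state);
    return 0;
}
```

Because the only scheduling is the fixed idle at the end of the cycle, the response time of any function is bounded by the cycle budget and does not depend on input values or on what any other function happens to do; that is what makes the "same inputs, same outputs, guaranteed response time" claim checkable rather than merely asserted.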
Software development is automated using a CAD workshop called CLARISSE.
CLARISSE covers the following activities:
• A description of the I&C architecture and hardware composition, which is used to generate automatically the system software, network configurations and network messages.
• A user-friendly graphics editor called SCADE™ for development of application (ie customer-defined) software reflecting functional requirements (SCADE is also currently being used by Airbus Industries, Volvo and Saab Military Aircraft).
• Automatic generation of C code for all the software, with automatic generation of associated documentation and subsequent compilation and link-editing for embedding on CPU boards.
SCADE has evolved from the SAGA tool, itself a major innovation of the SPIN N4 project, which involved a total of 200 000 lines of safety (Class 1E) software code. With SCADE and other facilities, the CLARISSE CAD workshop used in SPINLINE 3 contains all the tools needed for automated generation of executable code.
All SPINLINE 3 hardware and software components are 1E qualified. They are already in operation at nuclear power plants in France and elsewhere.
A MODERN I&C SOLUTION
As outlined above, SPINLINE 3 has been designed in compliance with today’s international standards. An I&C system based on this technology is fault-tolerant from the basic components (boards and software) to the complete architecture. It is also deterministic and continuously self-tested, so that failures are detected within a bounded time, mitigated and signalled to the operator.
In safety I&C systems, special care has to be taken with software because it is a potential source of faults and of delay of the overall project. The best approach is to automate the software development as much as possible.
Schneider made a major move in this regard with the use of the SAGA tool to generate code for the SPIN N4 project. For SPINLINE 3, the CLARISSE CAD workshop uses SCADE (evolved from SAGA) to provide automatically-generated executable code.
The system has many other features to ensure safe operation, including consistency checks, and avoids the use of an operating system or interrupts in the 1E software. All software and hardware components have been qualified to nuclear standards.
The wide range of I/O boards and their capacity allow SPINLINE 3 to support a broad span of nuclear safety applications. The use of powerful CPU boards and high speed networks gives short response times even for complex functions and, above all, this response time is guaranteed because the processing is deterministic.
SPINLINE 3 has many features to ease system operation and maintenance. For example, setpoint adjustments needed to satisfy operating requirements are made through a secured protocol, and a consistency check is then performed between the redundant parts.
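One straightforward way to perform such a consistency check between redundant parts is for each division to publish a short digest of its setpoint table and for the supervision to compare the digests, so that a division whose table diverges after an adjustment is identified by number. The following is an added example written for this page, not SPINLINE 3 code: the table layout, the use of CRC-32 as the digest, the single-odd-division rule and all names are assumptions for illustration, and the sample tables are constructed.

```c
/* Added example, not SPINLINE 3 code: after a setpoint adjustment each
 * redundant division computes a CRC-32 of its setpoint table; comparing
 * the four digests reveals whether all divisions hold the same values and,
 * if exactly one disagrees, which one.  Layout, digest choice, the
 * majority rule and all names are assumptions for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define N_DIV       4
#define N_SETPOINTS 4

/* Setpoints held as scaled integers so the table has a fixed byte layout
 * with no floating-point representation or padding ambiguity. */
typedef struct { uint32_t value[N_SETPOINTS]; } setpoint_table_t;

/* Standard CRC-32 (reflected polynomial 0xEDB88320, as in zip/PNG). */
uint32_t crc32_bytes(const uint8_t *data, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

uint32_t setpoint_digest(const setpoint_table_t *t)
{
    return crc32_bytes((const uint8_t *)t->value, sizeof t->value);
}

/* Compare the digests published by all divisions.
 * Returns -1 if all agree, the index of the single odd division if exactly
 * one disagrees with the other three, or -2 if there is no clear majority
 * (the whole adjustment must then be treated as suspect). */
int find_divergent_division(const uint32_t digest[N_DIV])
{
    for (int i = 0; i < N_DIV; i++) {
        int agree = 0;
        for (int j = 0; j < N_DIV; j++)
            if (digest[j] == digest[i]) agree++;
        if (agree == N_DIV) return -1;
        if (agree == N_DIV - 1)
            for (int k = 0; k < N_DIV; k++)
                if (digest[k] != digest[i]) return k;
    }
    return -2;
}

/* Supervision-side check over the tables of all divisions. */
int check_division_tables(const setpoint_table_t *const tab[N_DIV])
{
    uint32_t d[N_DIV];
    for (int i = 0; i < N_DIV; i++) d[i] = setpoint_digest(tab[i]);
    return find_divergent_division(d);
}

/* Constructed sample tables (not plant values): TABLE_B differs in one setpoint. */
const setpoint_table_t TABLE_A = {{ 1180, 2250, 1550, 200 }};
const setpoint_table_t TABLE_B = {{ 1180, 2250, 1560, 200 }};
const setpoint_table_t *const DIVISIONS_CONSISTENT[N_DIV] = {&TABLE_A, &TABLE_A, &TABLE_A, &TABLE_A};
const setpoint_table_t *const DIVISIONS_ONE_ODD[N_DIV]    = {&TABLE_A, &TABLE_A, &TABLE_B, &TABLE_A};
const setpoint_table_t *const DIVISIONS_SPLIT[N_DIV]      = {&TABLE_A, &TABLE_B, &TABLE_A, &TABLE_B};

int main(void)
{
    printf("digest A=%08x B=%08x\n", setpoint_digest(&TABLE_A), setpoint_digest(&TABLE_B));
    printf("consistent: %d\n", check_division_tables(DIVISIONS_CONSISTENT));
    printf("one odd:    %d\n", check_division_tables(DIVISIONS_ONE_ODD));
    printf("2-2 split:  %d\n", check_division_tables(DIVISIONS_SPLIT));
    return 0;
}
```

A CRC is adequate here because the check is against accidental divergence (a mis-keyed or partially applied adjustment) and the digests travel over a network that is itself integrity-checked; it is not a defence against a deliberate, consistent modification of all four tables, which is what the secured adjustment protocol has to prevent in the first place.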
Failure signals are monitored by a dedicated station, which includes automatic diagnosis of faults to facilitate a quick repair; the diagnosis indicates which board is failing. Periodic tests, initiated by plant technicians, are automated and ensure a high coverage of faults.
Based on our experience, we are able to deal with the long-term maintenance requirements of I&C systems (a 25 year maintenance agreement has been concluded with EDF). SPINLINE 3 has been developed to be implemented quickly, even during normal planned outages as desired by operators, and with our experience in dealing with licensing procedures, we can support the building of a safety case for the I&C system required by regulators.