Why use simulators for engineering?21 November 2018
Didier Paen and Jean-Christophe Blanchon outline five reasons why the nuclear sector could benefit from engineering simulators, drawing on the experience at Flamanville 3 and other EPR projects.
THE NUCLEAR INDUSTRY IS FOLLOWING in the footsteps of the automotive and aerospace industries when it comes to systems engineering, but it has an advantage when making this approach more reliable and more productive: simulation. There are at least five reasons to adopt this new work method.
The nuclear industry has been combining systems engineering and simulation for over ten years. In 2006, EDF embarked on this path with TREFLE, the engineering simulator for the Flamanville EPR. Similarly, Framatome used a simulator developed by CORYS in commissioning the Taishan EPR.
The main objective for an engineering simulator is validation of the digital instrumentation and controls (I&C). The experience from initial numerical implementation of the I&C for a nuclear plant is that validation should not be postponed to the commissioning step. Tests and updates must start during the design, and before implementation into real control systems.
The EPR programme requires investment in simulation to validate early design phases due to the complexity of the systems and their interconnections. The following details illustrate the size of the plant: more than a hundred elementary systems; fifteen thousand I&C diagrams; five thousand pieces of relatively small equipment, such as valves; several hundred large components, such as pumps; fifteen thousand operator software panels and ninety thousand local commands.
This was the main motivation to start work on a V&V simulator for Flamanville EPR in 2006. From the start, the defined phases were:
Phase 1: This first simulator focused on nuclear island elementary systems and was delivered in 2008. The objective was to test at I&C functional level.
Phase 2: Achieved in 2009, this simulator added process, safety information and control systems. It contained the human-machine interface (HMI) for the operator software panels and safety system interface.
Phase 3: This simulator was the full scope simulator, used for training and engineering since 2013. It contained simulated process and safety information control systems as specified by EDF engineers.
Phase 4: This phase started in 2014. Several sets of data were integrated in the simulator (one per year) that corresponded to design iterations. All the elementary systems in the scope were affected. Afterwards, the real safety and information control system could be coupled with the simulator.
Phase 5: This phase will start soon. It will use the final data set and will be updated to match site values, such as flows and pressure drops, obtained during commissioning and functional tests.
The simulation programme was designed to fill the following needs defined at the beginning of this EPR programme:
- Validation of rules and procedures for fault operations. This is an iterative process. The first step was done with the phase 1 simulator.
- Support for probabilistic safety studies. Fault operation and associated conditions were evaluated. The resulting study details the required conditions to save the reactor, the duration of operation and the work breakdown per operator. These use of simulator features like scenario and automatic execution, and simulation reports.
- Human factor studies are performed through different phases of the simulator. Simulation software is able to mimic the operator panels. Efficiency is evaluated during exercises done by EPR operators under real operational conditions defined through a set of different scenarios. Human factor experts are able to analyse the results and can specify a new version of HMI to be tested in the next campaign. Operation rules, roles and efficiency are evaluated. The control room organisation is also part of the evaluation, using the full scope replica simulator.
- Commissioning before startup. A dedicated version of the simulator is used. The I&C as implemented in cabinets is simulated and allows all test operating procedures to be run to check their execution and avoid equipment failures.
- Operator training is required several years before the EPR startup.
This simulator could also meet additional requirements that appeared during the EPR project development:
- Validation of procedures for normal operation;
- I&C validation very early in the basic design phase;
- System studies to evaluate new I&C strategies;
- Human resources management, training system engineers so they quickly become efficient at project tasks.
As a result of this success, engineering simulators are also being used for Hinkley Point C and the basic design of new-generation EPR2 power plants. Moreover, the use of simulation to design safer I&C was the subject of four years’ worth of research by the Connexion Cluster, a joint initiative of the French nuclear industry in which CORYS was a participant. There can be no question that the technology is mature.
Technology step changes were required to perform large simulation projects. CORYS worked on several key factors in its ALICES® software workshop. They were:
- Confidence in physical simulation performance and results;
- Traceability of engineering data: any discrepancy in simulator execution is analysed, as its root cause is often an issue in data configuration or in I&C execution;
- Integration of reference engineering codes and real-time execution: even during physical transient phases, full scope simulators are able to run CATHARE 2 thermal- hydraulic and Coccinelle3D neutronic models;
- Easy modifications to support design cycle: In addition to the easy editing of models with ALICES® workshop, automation has been set up to integrate I&C diagrams, operator panel HMI and mechanical schemes for equipment and pipes (based on extractions of 3D PDMS).
CORYS has all the tools necessary to combine engineering and simulation. As illustrated above, ALICES® technology is widely used to develop process models for training simulators which can also be exploited in full for studies.
ALICES® is a “try and test” platform for integrating a wide range of engineering building blocks, including Scade, Matlab Simulink, Framatome’s TXS etc. Real PLC cabinets may also be combined with a simulation to provide a “hardware in the loop” test bench. This was demonstrated on the Connexion cluster, which started in 2012 and included a modular workshop for functional I&C engineering. This draws on a range of resources supplied by the various partners, and uses simulation as a design and integration environment.
The advent of digital technologies has allowed for a huge number of service bundles for operations. I&C is becoming a vital link in this service infrastructure – an infrastructure that has to be able to evolve in line with the reactor throughout its life cycle. Digital systems have to be configured in such a way as to be consistent with actual unit conditions and the supporting document management system.
ALICES® editor may be deployed as a CAD editor to allow functional specifications to be described and executed, for instance for open-loop testing. An example is the EDF tool for design of the I&C of the Hinkley Point EPR, which is based on CORYS’ technology. It offers: static validation, relating to monitoring of consistency and rule checking; dynamic validation once the diagrams have been edited, engineers can execute them, either in interactive mode for fast, intuitive validations (confirmation that the action “pump activation” causes it to start), or in automatic mode for various scenarios (measurement of execution time, achievement or otherwise of what is expected).
Initially identified by the teams as time-consuming, this tool chain has quickly become a reference tool, used by around 50 engineers responsible for control system design. Time gains do not stop at the design phase: closed-loop simulations, with coupling to a hydraulic model, could help improve control parameters before on-site tests. Potentially, such a validation platform could be adapted to other uses, such as validation of the applicative code developed from the specifications by the programmable logic controller (PLC) manufacturer.
Earlier, fuller testing
The V&V process was used for the Flamanville project. The sooner errors in a complex system are detected, the less they cost to correct. With simulation, testing can start as soon as the first I&C specifications are available. Open-loop testing can be conducted, and later ‘hardware in the loop’ testing, with the real cabinets. Tests can cover a single system or multiple, interdependent systems. Lastly, CORYS works with partners to allow test scenarios to be devised, using formal methods to check properties relating to functional and safety requirements.
The return of experience for V&V project is based on the following points:
- Generation of functional I&C per elementary system: the result is the validation of the corresponding elementary system;
- Closed loop testing with the simulator per elementary system: a dedicated simulator associated with the elementary system is used at each level. This way the I&C analogue part can be validated;
- Engineering simulator running the global I&C: global I&C validation for all EPR plant states.
Tools are used for functional diagram validation, basic design and detailed design validation. The simulator can also integrate the implemented I&C. The first version of the implemented I&C database is loaded into the simulation environment and testing of the implemented I&C can begin very early before commissioning. This was the case at Taishan, where tests of the I&C began around three years before the startup. A lot of issues were found with the database during those early tests, either in the elementary systems or in their connection and data exchange. Signals between systems are sampled and can lead to mismatched communication. The physical architecture of the cabinets is also taken into account, with delay allocated to distant signals.
Traceability and continuity
The design of a reactor involves several hundred people, in individual disciplines: procedures, I&C, operation, and so on. The integration simulator into which data from all these sources is injected creates continuity between the disciplines, decreasing the risk of operating in isolation and the resulting inconsistencies. Combined with product life management, the simulator can also ensure traceability of design stages, corrections and tests – already completed and still to be done.
A configuration management tool is used for simulator data inputs. The purpose is to put in place efficient processes for data management based on feedback of experience.
A process is defined to extract data from life management tools in a format ready for direct simulator import. It can be seen as an extension of data repository dedicated for the simulation.
New data sets are largely updated automatically. There is automatic import of geometry data based on 3D plant design software: an exported file is used for hydraulic network configuration. I&C and most equipment are also automatically updated, with a few manual actions are required for specific equipment.
A new set of data is imported inside the simulation environment and tested before a new revision, to improve data consistency. An important use of the simulator is data check so the history view is mandatory.
A typical situation in an existing plant is that there is no database and the process contains all the engineering data. So CORYS had to develop its own tool to ensure traceability and consistency checks: the data package manager. Any object in the manager has a history, with phases and versions related to the simulator project lifecycle. The customer’s documents at the origin of an import are referenced.
When the CORYS engineer detects bad behaviour in the simulator, the version history helps him to identify the modification at the origin of the problem. The customer can use the same interface to check that the simulator data are up to date and in line with the specification.
One major responsibility for the simulator supplier is, at any time, to verify the version and origin of any data.
Shorter design cycles
Nuclear industry actors are now extending the scope of their systems’ engineering resources to manage requirements, ensure traceability and provide digital continuity using project life management. Combining these tools with simulation allows design cycles to become shorter still.
For the Flamanville project, data packages were frozen during phase 3, even when some data was missing or changing. Then data package was continuously updated in phase 4 to allow reactivity. The time required to update data was reduced as a result of an integrated team that was able to directly contact system engineers. The engineering simulator was immediately updated with design data and is the integration centre of the design.
Reactivity and change management process: efficient response for system engineer request, design issues are fixed within a short timeframe. That offers efficient feedback to support tests and studies for procedures, operations, human factors and training.
The simulator will also be used for commissioning Flamanville, reducing the time required as all tests can be performed on the simulator. Because the simulator can be easily updated it reduces the time needed for the I&C pretesting phase.
The commissioning simulator for the Taishan EPR in China, for instance, absorbed engineering data at the rate of one step change every quarter and one update every month. Unit 1 of the Taishan nuclear power plant was connected to the grid on 29 June 2018, becoming the first EPR to achieve grid connection and power generation.
Author information: Didier Paen, Commercial manager business development at CORYS; Jean-Christophe Blanchon, R&D manager at CORYS