The French Connection

The nuclear instrumentation systems of France’s 900 MWe nuclear power plants have been refurbished with digital I&C, using a Spinline 3 platform. The IRSN has assessed the instrumentation system upgrade from analogue to digital technology at Fessenheim and Bugey, the first French 900 MWe nuclear units.

David Flin

Electricité de France (EDF) undertook a refurbishment of the nuclear instrumentation system installed in its CP0 series (900 MWe) units with two objectives in mind:

  • To enhance system availability and reliability by significantly reducing spurious actions related to maintenance
  • To solve the problem of obsolete hardware (cabinets and power range detectors) and facilitate incorporation of subsequent programmed system developments.

Framatome acted as the prime contractor for this operation, which involved upgrading analogue instrumentation and control (I&C) systems to a digital technology derived from that used in the N4 plant series (1450 MWe reactors), while preserving the existing interfaces with other systems, in particular, the nuclear instrumentation analogue circuitry. This involved replacing nuclear instrumentation analogue processing cabinets with digital models and substituting CBL15-type detectors with collimating capability for the older-design power range detectors, to give a more accurate image of neutron flux.

The functional breakdown of the digital nuclear instrumentation system calls for three separate PLC-like units corresponding to the three protection channels (source, intermediate and power range). Each of these units is developed on the Spinline 3 platform supplied by Schneider Electric, and consists of input/output (I/O) boards for functional data and a CPU board equipped with a Motorola 68040 microprocessor that incorporates generic system software. The protection software for each nuclear instrumentation unit therefore includes both the customer-specific “application” software developed by Framatome and the already mentioned system software.

This refurbishment is the first major upgrade of an I&C system to be carried out in the French nuclear reactor series. It was initiated by EDF following the conclusions of its study on I&C systems hardware ageing and obsolescence in 900 MWe plants.

EDF carried out feasibility studies on the nuclear instrumentation refurbishment in 1996 and, in June 1998, presented the project to the French nuclear safety authority and its technical support organisation Institute of Radiological Protection and Nuclear Safety (IRSN). The first operational version of the digital nuclear instrumentation was installed at Fessenheim 1 in January 2000.

Since then, the new system has been installed as part of the second ten-year inspection activities at all six units of the CP0 series, after allowance for feedback from its integration into the first unit. Subsequent developments gave rise to a new version of the programmed system, enabling better interfacing with existing systems, particularly under special operating conditions. These changes likewise elicited technical advice from the IRSN.

Safety assessment

The purpose of the assessment was to verify the compliance of the safety demonstration made for refurbishing the nuclear instrumentation. This essentially meant checking that safety requirements had been met at all levels in the operation, from system specification through design and implementation to onsite requalification. The development process was assessed to ensure the consistency of relationships and requirements between its various stages. Documentation associated with each stage was assessed according to the basic safety rules and standards applied in France.

Based on its previous experience in evaluating I&C systems for P4 (1300 MWe) and N4 (1450 MWe) plants, and to account for the first-ever aspect of such an upgrade and its implications for the safety of CP0-series plant units, IRSN performed its assessment in four phases, three of which were spread out over a year, and the fourth timed to end six months before installation of the new system in the second CP0 unit. These four stages consisted of analysing:

  • The principles of the modification, the justification and rules for design and development
  • The quality of its proposed implementation
  • The quality of the installation after the integration of changes in onsite requalification tests
  • Operating behaviour.

Figure 1. The first update took place at Fessenheim 1

The first update took place at Fessenheim 1 during the unit’s second ten-year inspection. Figure 2 shows assessment milestones and their relation to installation constraints.

IRSN’s objective was to provide its technical advice on upgrade principles and their proposed implementation before Fessenheim was shut down, so that the safety authority could authorise EDF to install the new system during the outage. Analysis of operating feedback was then intended to determine the acceptability of generalising the upgrade to all other units in the CP0 series.

At the joint request of the safety authority and IRSN, EDF published documentation on specific aspects of the refurbishing operation, including:

  • Systems (system software specification manual, system architecture) and functional design (functional protection diagram, functional control diagram)
  • System and application software (software quality plan, specifications, design, source and binary codes)
  • Validation: analysis and results of integration and validation tests; interconnected tests
  • Requalification integrating health physics requisites such as the site operation file
  • Neutronics, such as the rules for core physics tests on restartup.

The IRSN assessment therefore covered all of the following: system, hardware, software, functional design, operation, health physics, fire protection and human factors. The broad outline of analyses for each of these aspects is detailed below.

The system

The system assessment covered:

  • Architecture (redundancy, independence, emergency power supply), the capacity of the system to detect and report its failures, degraded mode management (failsafe features, inhibits)
  • Reliability (study of the validity of system and failure rate models and the adequacy of selected periodic test frequency to reach the reliability target)
  • Interconnected tests (relevance and coverage of functional tests with respect to specifications)
  • Parameter setting management (analysis of process and organization used to modify parameters and ensure traceability of the modifications).
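To make the “adequacy of selected periodic test frequency to reach the reliability target” question concrete, here is an added illustration that is not part of the original article nor of the EDF or IRSN studies: it computes the time-averaged unavailability of a periodically tested protection channel, combines channels through k-out-of-n voting, and finds the longest test interval that still meets a target. The failure rate, voting logic and target used below are constructed assumptions, not values from the page.

```python
import math
from math import comb


def channel_unavailability(failure_rate_per_h, test_interval_h):
    """Time-averaged unavailability of one protection channel whose failures
    stay latent until revealed by a periodic test (assumed perfect, with
    immediate repair). Exact average of 1 - exp(-lambda*t) over one interval;
    for small lambda*T it reduces to the familiar lambda*T/2."""
    x = failure_rate_per_h * test_interval_h
    if x == 0:
        return 0.0
    return 1.0 - (1.0 - math.exp(-x)) / x


def voted_unavailability(u, k, n):
    """Probability that k-out-of-n voting fails on demand, given independent
    channels each unavailable with probability u: at least n-k+1 must fail."""
    return sum(comb(n, j) * u ** j * (1.0 - u) ** (n - j)
               for j in range(n - k + 1, n + 1))


def max_test_interval(failure_rate_per_h, k, n, target, step_h=24,
                      limit_h=24 * 365 * 10):
    """Longest test interval (a multiple of step_h) that keeps the voted
    unavailability at or below the reliability target. Unavailability grows
    monotonically with the interval, so a linear scan is sufficient."""
    best = 0
    t = step_h
    while t <= limit_h:
        u = channel_unavailability(failure_rate_per_h, t)
        if voted_unavailability(u, k, n) > target:
            break
        best = t
        t += step_h
    return best


if __name__ == "__main__":
    # Constructed assumptions: 1e-5 undetected failures per hour per channel,
    # 30-day testing, 2-out-of-3 voting, target 1e-4 per demand.
    lam, monthly = 1e-5, 30 * 24
    u = channel_unavailability(lam, monthly)
    print(f"single channel, 30-day test: {u:.3e}")
    print(f"2oo3 voting:                {voted_unavailability(u, 2, 3):.3e}")
    print(f"longest interval for 1e-4:  {max_test_interval(lam, 2, 3, 1e-4)} h")
```

The same functions show why the page stresses checking the failure rate model itself: halving the assumed failure rate roughly doubles the test interval the target appears to allow.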

The hardware assessment covered:

  • Periodic tests to verify test principles, the test method and test exhaustiveness as well as overlapping between tests
  • Qualification of the ability of hardware to perform its functions in the service environment, to withstand EMI, earthquakes and similar.

Figure 2. IRSN’s objective was to provide its technical advice before Fessenheim was shut down


The software assessment covered:

  • The observance of and compliance with IEC standard 60880 (development of 1E class programmed systems)
  • Analysis of source codes and software architecture
  • Validation test and integration test coverage
  • Independent testing of executable code using a simulation tool.

IRSN believes that safety must be evaluated for the complete software of each nuclear instrumentation unit, rather than for the system software or the application software taken separately. This means that the software of a unit as a whole is responsible for the safety functions assigned to the hardware on which it runs. System software for the Spinline 3 platform was thus assessed in accordance with its utilisation in the nuclear instrumentation units. This included evaluating the performance of protection functions, verifying that the programmed units responded as expected to failures, and confirming that the manufacturers’ tests gave suitably exhaustive coverage.

The neutronics and system operation assessment covered:

  • Periodic tests
  • Restartup core physics tests, such as the power reconstruction process, calibration of neutron detectors, and protection threshold adjustments.

The requalification and health physics assessment covered:

  • Test programme and prerequisites for associated operations
  • Dosimetry of operations associated with the upgrade, including analysis of optimization initiatives and operating feedback relating to collective and individual doses and operation times.

Human factors considered were:

  • Control room alarm management
  • Human-machine interface (HMI), adapting to personnel activities involving the nuclear instrumentation cabinet
  • Training and operator mastery of digital system maintenance.

IRSN based its choice of means for the assessment on a critical study of documentation supplied by EDF. Software assessment relied principally on automated tools. It should be noted that the study of human factors entailed interviewing personnel onsite and during system operator training sessions. Assessment of such an upgrade requires considerable human resources to cover the various technical fields involved.

At the request of the safety authority, analysis of the different topics described above led IRSN to give its opinion on the acceptability of the upgrade in safety terms and on the non-regression of the levels of design, development capability and installed system quality.

The assessment approach adopted by IRSN enabled the analysis of the multifarious impact of a nuclear instrumentation digital upgrade in a period of time that was short for such a heavy workload. This experience revealed that the following points should be given special emphasis in future revamp assessments:

  • Interfaces, between the refurbished system and its environment, and specifically their dynamic aspects (time required for signal state changes). This is because signal processing times differ from analogue to digital systems and require specific adaptations.
  • The increase in the number of parameters required by the upgrade to a digital I&C system, and the more thorough documentation needed to suitably credit the requirements applicable to each parameter category.
  • Maintenance problems that are inherent in the use of generic software, specifically where this software must evolve to meet requirements of other projects. To eliminate any such problems, the safety authority has now requested that system software be only dedicated to class 1E systems.

Figure 3. The upgrade from analogue to digital technology has had an organizational impact


Engineering process

In the specific context of an analogue-to-digital upgrade, the engineering process must be formalised so that the interface between the system specification and the software documents is clearly defined. More generally, the operator of the nuclear power plant must present its engineering process at the start of the project in order to facilitate the identification of documents relevant to project development. These documents must cover every single phase, from formulating requirements and defining specifications through to the various types of testing. It must be possible to correctly situate them in the engineering process at each phase of development, so that their links with upstream and downstream documents can be identified and their content accurately appraised.

Using this approach guarantees that the process will comply with the prevailing rules for development and that system safety requirements take shape gradually, and yet remain traceable as the project progresses. It is then easier to relate the tests used in verifying compliance to the original set of requirements. Right from the start, there must be consensus with the nuclear power plant operator on the required content of each development stage. Correct progression and observance of the different engineering phases then contribute positively to demonstrating safety of the project, particularly where the system might evolve towards new versions.

The nuclear power plant operator must include enough time in the project schedule for the safety authority and its technical support organizations to conduct the safety assessment, and enough time to allow for the timely forwarding of the relevant documentation to these entities.

In 1996, EDF launched feasibility studies for the refurbishment of the nuclear instrumentation system installed in its CP0 series units. All six of these units have now been equipped with the new digital instrumentation system. IRSN considers that the upgrade to digital technology facilitates both operation and maintenance of the system without regression of the safety level.

IRSN applied an assessment method that enabled crediting of all aspects impacted by the upgrade in a relatively short time. The assessment was based on documentation supplied by the operator, and dealt primarily with system design (reliability, architecture, interconnected tests), hardware (periodic tests, qualification), software (compliance with IEC standard 60880 for programmed systems, evaluation of the development process and its side-effects, test coverage), operation, requalification, health physics, fire protection and human factors.

Human implications

The upgrade from analogue to digital technology at the nuclear power plants had an organizational impact, such as changes in periodic test and parameter setting procedures, as well as human implications for operator training and mastery of the digital system, both of which must be considered in a safety analysis. In general, this experience revealed that a few areas, such as the engineering process and interface dynamics, require special emphasis in future upgrade assessments. For a major upgrade impacting numerous technical fields, the operator also needs to make better provision, when scheduling project development activities, for the time required by the safety authority to perform its assessment.

Given the speed of technological advances and of changes in the industrial environment, the use of digital I&C systems means that from the outset of the project, the operator must take whatever measures are necessary to guarantee long-life system operation, as protection from potential loss of industry expertise and the risk of component obsolescence.
