22nd Meeting of the IAEA TWG-NPPIC
Construction and operation experience of digitalized Safety Systems of Japanese ABWR
20-22 May 2009
Takaki Mishima, Tokyo Electric Power Company

Legal Notice: This documentation contains technical knowledge and secret information that belong to TEPCO. Therefore, it shall not be disclosed to third parties without the consent of TEPCO.

Slide 2: CONTENTS
• Nuclear Power Generation in Japan
• I&C development history of TEPCO's BWRs
• I&C development of Kashiwazaki-Kariwa Unit No.6/7
• Construction and operation experience of digitalized Safety Systems for Kashiwazaki-Kariwa Unit No.6/7
• Conclusion
• Recommendations to IAEA TWG

Slide 3: Nuclear Power Generation in Japan (1/2)
• 55 units of commercial NPP in operation: 49.6 GWe capacity in total / 30% of the Japanese power supply
  → PWR: 23 units, BWR: 28 units, ABWR: 4 units
• 3 units (ABWR: 2 units, PWR: 1 unit) under construction and 1 unit (Tokai) in the decommissioning stage
• 3 units (ABWR: 1 unit, APWR: 2 units) under review by NISA
• 7 units under planning
• 1 prototype FBR unit (Monju) in the pre-operational phase and 1 ATR unit (Fugen) in the decommissioning stage

Slide 4: Nuclear Power Generation in Japan (2/2)
(Site map; figure only.)

Slide 5: TEPCO Nuclear Fleet
17 BWR units with a total installed capacity of 17.3 GWe (35% of Japanese nuclear power). Unit numbers in parentheses are planned units without a commercial operation date.

Fukushima Daiichi NPS (1F)
Unit   Type   Output (MWe)   Operation
1      BWR3   460            Mar. 1971
2      BWR4   784            July 1974
3      BWR4   784            Mar. 1976
4      BWR4   784            Oct. 1978
5      BWR4   784            April 1978
6      BWR5   1100           Oct. 1979
(7)    ABWR   1380
(8)    ABWR   1380

Fukushima Daini NPS (2F)
Unit   Type   Output (MWe)   Operation
1      BWR5   1100           April 1982
2      BWR5   1100           Feb. 1984
3      BWR5   1100           June 1985
4      BWR5   1100           Aug. 1987

Kashiwazaki-Kariwa NPS (KK)
Unit   Type   Output (MWe)   Operation
1      BWR5   1100           Sep. 1985
2      BWR5   1100           Sep. 1990
3      BWR5   1100           Aug. 1993
4      BWR5   1100           Aug. 1994
5      BWR5   1100           April 1990
6      ABWR   1356           Nov. 1996
7      ABWR   1356           July 1997

Higashidori NPS
Unit   Type   Output (MWe)   Operation
(1)    ABWR   1385
(2)    ABWR   1385

Slide 6: Application of Digital Systems in TEPCO BWRs
(Timeline chart by decade, 1970s to 1990s; items are non-safety systems except (5).)
(1) Process computer: core performance calculation ('70s to '80s) → 3D core performance calculation and plant automation ('90s)
(2) Reactor power regulator: FDWC / RFC control, digital EHC, CR control → plant-wide digital system
(3) Plant aux. system control: turbine aux. system (CF/CD), reactor aux. system, off-gas
(4) Neutron monitoring and radiation monitoring
(5) Safety system
(6) Radioactive waste processing systems: sequence control, mini-computer, processing system

Slide 7: Main Control Room of TEPCO's BWRs
1st Generation (1971~1984)
2nd Generation (1985~1994)
- centralization of all plant information
- introduction of CRTs
- rearrangement of the Main Control Console
- introduction of automated operation
3rd Generation (1996~)
- introduction of FDs and CRTs with touch operation
- sharing of plant information among the crew by large display panels etc.

Slide 8: Kashiwazaki-Kariwa Units #6 and 7
                              Unit #6      Unit #7
Rated core thermal power      3,926 MWt    3,926 MWt
Rated generator power         1,356 MWe    1,356 MWe
Start of construction         Sep. 1991    Feb. 1992
COD                           Nov. 1996    July 1997
1st concrete pouring → F/L    37M          37.5M

Slide 9: Main Control Room of Units No.6 and 7
(Photographs of the Unit 6 and Unit 7 control rooms; labels: Large Display Panels, Alarm Windows, Main Control Console, Shift Manager.)

Slide 10: Configuration of the ABWR I&C System
(Block diagram.)
Plant level (large-scale computer system, µ-P system): Main Control Panel, Alarm System, Plant Computer System, RPS. These are connected to the control units over the multiplexing line through CCUs (Communication Control Units) and also receive local signals by cable.
System level (µ-P systems): Flux Monitoring, ECCS, Reactor Aux. Logic, RFC, APR, RC&IS, FDWC, Process Radiation Monitoring, BOP Control, Pressure Control (EHC), Generator Control.
Equipment level (RMUs): control valves, turbine, inverters, ECCS pumps, generator, condenser, reactor internal pumps, FMCRD, feedwater pumps, condensate pumps, FW heaters.
K-6 was supplied by Toshiba, Hitachi and GE; K-7 was supplied by Hitachi, Toshiba and GE.

Slide 11: The Configuration of RPS
(Block diagram; four divisions, Div.1 to Div.4, each built the same way.)
Sensor → RMU → A/I → DTM → network controllers → TLU (application program: 2-out-of-4 logic, taking the trip signals of the other divisions' TLUs over optical fiber) → D/O → OLU → Load Drivers (LD I to IV, each also receiving the LD signals of the other divisions) → trip solenoids for scram.
The manual scram switch is hard-wired to the load drivers, independent of the software logic.
RMU: Remote Multiplexing Unit; DTM: Digital Trip Module; TLU: Trip Logic Unit; OLU: Output Logic Unit; LD: Load Driver. Links between units are optical fiber; the manual scram path and the load-driver outputs are hard wire.

Slide 12: The Configuration of ESF
(Block diagram.) Each division: Sensor → RMU → A/I → DTM → network controllers → SLU-1 and SLU-2 → RMU → D/O → actuators.
Div.1 actuators: RCIC, RHR(A), ADS(A). Div.2 actuators: HPCF(B), RHR(B), ADS(B). Div.3 actuators: HPCF(C), RHR(C). No actuator outputs are shown for Div.4.
SLU: Safety Logic Unit. Links between units are optical fiber; outputs to actuators are hard wire.

Slide 13: Number of Components
Component           RPS/MSIV                                       ESF
DTM                 4                                              4
TLU (SLU)           4                                              32
Flat Display        4 on control panel, 4 on operator console      Div.1: 3, Div.2: 3, Div.3: 2, on control panel
RMU                 4                                              3
PI/O                4                                              17
Transmission data   1500 points / 5000 points                      4500 points / 30000 points

Slide 14: Considerations on Software Design
- Simple logic: mostly described by "AND", "OR" and "NOT" components
- Periodic execution: simple software structure
- No interrupts in external signal processing: simple software structure
- Static memory allocation: simple software structure
- Flow-diagram-like symbolic language (POL): easy to program and verify
POL: Problem Oriented Language

Slide 15: Software Diagram and POL (Problem Oriented Language)
Software diagram (operation number, operation code, variable numbers):
  00  AND  D0016, NOT D0017
  01  OR   D0018, D0019
  02  OUT  D0896
Extraction of program data:
  00 AND D0016 NOT*0017
  01 OR D0018 D0019
  02 OUT D0896
The extracted program data are rearranged according to the order of calculation, and the variable numbers are rearranged according to a rule that is uniquely defined for each operation code. Executable form:
  OR AND D0016 NOT* D0018 D0019 OUT D0896 D0017
→ Execution

Slide 16: Necessity of V&V of Software
Comparison of the potential risk of common mode failure, analog system vs digital system (general understanding, not specific to K-6/7):
Risk item                                                                  Digital vs analog
Hardware common mode failure (fire, seismic, ambient temperature etc.)     Equal
Software error in the basic design phase (scram logic, setpoints etc.)     Equal
Error in the detail design phase (drawings and diagrams etc.)              Equal
Error in programming                                                       More
Equal: the digital system has equal risk potential. More: the digital system has more risk potential.
When applying digital technology, V&V is required to avoid common mode failure.
V&V: Verification & Validation

Slide 17: Procedure to Achieve a Highly Reliable System (1/2)
System Requirement (JEAG, E/P)
  → Verification-1
System Specification
  → Verification-2
Equipment Specification, Interlock Block Diagram
  → Hardware Design (ECWD) and Software Design
  → Component Procurement and POL Coding (CAD system)
  → Verification-3/4 (★ de-compile check) and Parts Screening
  → Verification-5
Cabinet Assembly, Software Loading from Floppy Disk

Slide 18: Procedure to Achieve a Highly Reliable System (2/2)
Validation
Factory tests: visual inspection, I/O wiring inspection, I/O characteristic tests, system logic tests, response time tests, single failure tests, ★ semi-dynamic simulation tests
Shipping
Installation at site: installation tests, reassembly tests, I/O wiring check, digital I/O check, analog I/O check
Pre-operation tests (METI inspection): interlock tests, annunciation tests, actuator tests, protection device tests, combination tests
Fuel loading → heat-up tests → METI inspection → commercial operation
★: special tests only for the K-6/7 digital safety-related system. The slide also marks the procedures that are additional for safety-related systems.

Slide 19: TEPCO Practice of Design Approval and Witness
Documents of the safety-related system   Design approval   Factory test witness
System Specification                     Execute
Equipment Specification                  Execute
Interlock Block Diagram                  Execute
Elementary Control Wiring Diagram        Execute           Interlock and annunciation function test: sample inspection and data inspection
Software Diagram                         Execute
FD (Flat Display) forms                  Execute           Display confirmation test: data inspection
Verification-1, -2 and -3/4 are carried out at the corresponding document stages.
Document examination points:
・No difference from the upper-level document
・Confirmation of differences from the system requirements, the design review, the previous plant, and between K6 and K7

Slide 20: TEPCO's Philosophy to Avoid CMF Caused by Software Error
・Software for the safety system shall be easy to understand even for utility engineers.
・The digital system and software for the safety system shall be easy to verify and validate.
・TEPCO considered POL the suitable language for V&V, based on its long history of digital non-safety system development.
・TEPCO was convinced that a highly reliable digital safety system could and should be built with POL, which is very simple and visual software, together with strict QA activities.
・V&V is conducted to demonstrate the reliability in an auditable manner, in addition to the strict QA activities.
POL: Problem Oriented Language; V&V: Verification & Validation

Slide 21: What We Learned from Non-Safety Digital Systems
(1) Listing-type software languages such as FORTRAN, C etc. take much more time and manpower to utilize than conventional hardwired or analog systems.
(2) With POL, software design and development can be done visually.
(3) Particularly in the system logic test (validation test), every path of the software can be easily verified by checking the status information on the maintenance tool.

Slide 22: Evaluation of V&V Activities
Effectiveness: no major discrepancy was found.
Workforce: documentation of several thousand pages; total effort of a few thousand man-days per plant.
Improvements for the following constructions: promote software modularization; reuse software that has already been verified.

Slide 23: Experience of K-6/7 V&V
V&V is clear and feasible with POL.
Verification-3/4: easy to compare and verify the IBD against the software diagram.
Validation: the graphical tool is very useful for performing V&V.
POL (Problem Oriented Language) is very effective, and a graphical tool is definitely necessary for performing V&V.
In the system logic test of the validation test, every path of the POL software could be validated by checking the status information on the maintenance tool display. (It might be difficult to check every path of "listing type" software.)
Slide 24: Development Process of the Digital Safety System
(Timeline chart, 1986 to 1995.)
Major R&D activities: guideline setting (JEAG 4609, Application of Digital Computers to Safety Systems, issued); cooperative research by TEPCO and the JV companies; actual proof examination in NUPEC.
Product schedule: development → design → manufacture & test → shipment.

Slide 25: JEAG 4609 (Guideline on Application of Digital Computers to Safety Systems)
JEAG: industry standard (JEA (Japan Electric Association) Guideline)
Objective: identify the minimum requirements for safety digital controls.
Requirements: the same as IEEE 7-4.3.2.
Focus on the qualification process. The guideline requires:
- clarifying the design and manufacturing process to ensure traceability of the design and manufacturing of the S/W
- carrying out V&V (a typical V&V process is also shown)
- assigning verifiers other than the designers
- documenting the V&V results

Slide 26: Cross Check of IBD between K-6 and K-7
The software diagram, made on CAD according to the IBD (Interlock Block Diagram), is compiled and installed in the controller through the maintenance tool, so the correctness of the software depends on the IBD.
Purpose: correction of mistakes at the basic design stage; standardization of the SSLC logic; enhanced reliability through the two evaluations above.
Result: interlocks were simplified even where they were logically correct; the manual initiation logic of ESF etc. was standardized.

Slide 27: Semi-Dynamic Simulation Test
Since the system is the first digital Reactor Protection System, its validity was confirmed by simulating the changes of the process values:
- Prepare a simulator that simulates the changes of the parameters used in the safety analysis (LOCA and so on).
- Input the signals from the simulator to the digital controller, and record the corresponding system behavior on recorders.
- Verify whether the system works as expected or not.
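The procedure above, carried through in code as an added example (this is not the K-6/7 software and not TEPCO's or the vendors' test tool): a constructed pressure transient is fed to four divisions in the slide-11 arrangement, each with a DTM setpoint comparison and a TLU 2-out-of-4 vote, and the solenoid response is recorded scan by scan. The single failure test and the random input test of slides 18 and 29 are included. Assumed for the illustration, and not stated on the slides: MSIV closure on low main turbine inlet pressure, the setpoint value, the controller scan period and the shape of the transient; the channel and solenoid tags are the ones on the recorder traces of slide 28.

```python
"""Semi-dynamic simulation test of a 2-out-of-4 digital trip channel (added example).

Not the K-6/7 software. Follows the slide-27 procedure over the slide-11 structure:
simulated process values -> DTM per division -> TLU 2-out-of-4 vote -> solenoids.
Assumed: closure on low pressure, setpoint, scan period and transient shape.
"""
import random

SETPOINT_PSIG = 825.0    # assumed low-pressure setpoint; not the plant value
SCAN_S = 0.05            # assumed periodic execution interval of the controller
CHANNELS = ("N11-PT001A", "N11-PT001B", "N11-PT001C", "N11-PT001D")  # one per division
SOLENOIDS = ("B21-SO-F002AA", "B21-SO-F002AB")


def regulator_failure(t, p0=1000.0, t_fail=2.0, rate=-40.0):
    """Constructed transient: steady at p0 until the regulator fails, then a ramp (psig/s)."""
    return p0 if t < t_fail else p0 + rate * (t - t_fail)


def dtm(value, setpoint=SETPOINT_PSIG):
    """Digital Trip Module: bistable comparison of one division's sensor with the setpoint."""
    return value < setpoint


def tlu(trips):
    """Trip Logic Unit: 2-out-of-4 written as the AND/OR network a POL diagram would show."""
    a, b, c, d = trips
    return (a and b) or (a and c) or (a and d) or (b and c) or (b and d) or (c and d)


def run(transient, duration=10.0, forced=None):
    """Scan all divisions periodically; `forced` pins a division's DTM output to model a failed channel.

    Returns the first scan time at which the vote trips (None if never), the resulting
    solenoid states and the recorded trace (t, pressure, per-division trips, vote).
    """
    forced = forced or {}
    trip_time, trace = None, []
    for n in range(int(duration / SCAN_S) + 1):
        t = n * SCAN_S                      # integer multiples avoid float drift
        pressure = transient(t)
        trips = tuple(forced.get(ch, dtm(pressure)) for ch in CHANNELS)
        vote = tlu(trips)
        if vote and trip_time is None:
            trip_time = t
        trace.append((round(t, 3), round(pressure, 1), trips, vote))
    solenoids = {s: trip_time is not None for s in SOLENOIDS}
    return {"trip_time": trip_time, "solenoids": solenoids, "trace": trace}


def single_failure_test():
    """Single failure test: each division stuck tripped or stuck healthy must neither
    cause a spurious closure with the process at rest nor delay closure on the transient."""
    nominal = run(regulator_failure)["trip_time"]
    for ch in CHANNELS:
        for stuck in (True, False):
            if run(regulator_failure, forced={ch: stuck})["trip_time"] != nominal:
                return False
            if run(lambda t: 1000.0, forced={ch: stuck})["trip_time"] is not None:
                return False
    return True


def random_input_test(n=5240, seed=1):
    """Random input test: the TLU network must agree with the 2-out-of-4 specification."""
    rng = random.Random(seed)
    return all(tlu(trips) == (sum(trips) >= 2)
               for trips in (tuple(rng.random() < 0.5 for _ in CHANNELS) for _ in range(n)))


if __name__ == "__main__":
    result = run(regulator_failure)
    print("trip at t =", result["trip_time"], "s;", result["solenoids"])
    for row in result["trace"][126:130]:      # the scans around the setpoint crossing
        print(row)
    print("single failure test:", single_failure_test())
    print("random input test:", random_input_test())
```

The recorded trace is the software equivalent of the recorder strips on the next slide: it shows the scan at which each division's DTM trips and the scan at which the vote actuates both solenoids. One division stuck in either state leaves the trip time unchanged; two divisions stuck tripped actuate the solenoids at the first scan, which is the limit of 2-out-of-4 voting and the reason the hardwired backups of slides 30 to 32 sit outside the software logic.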
Slide 28: Results of the Semi-Dynamic Simulation Test
(Recorder traces for the example of a failure of the reactor pressure controlling device: the B21-MSIV-RST_01 signal (ON/OFF); main turbine inlet pressure on the four transmitters N11-PT001A_02, N11-PT001B_02, N11-PT001C_02 and N11-PT001D_02 (scale 0 to 2000); status of the MSIV solenoid valves B21-SO-F002AA_01 and B21-SO-F002AB_01 (ON/OFF); time axis 0 to 20.)

Slide 29: Semi-Dynamic Simulation Test Results
Item                      Test cases          Results
Dynamic transient test    RPS: 6650 tests     All good
                          ESF: 2320 tests     All good
Random input test         5240 tests          All good

Slide 30: Transition of US Digital Safety System Design (Diversity)
Hardwired backup: RSS, SLC, manual scram
→ Re-evaluation of CMF of the SSLC
→ Enlargement of the hardwired backup
→ Additional requirements: manual initiation of HPCF, indication of HPCF flow, enhancement of FW reliability
* Functions added according to the US ABWR design as issued:
- CUW line isolation with proper valve status display
- RCIC steam line isolation with proper valve status display
- HPCF(C) initiation with proper system status display
TEPCO's design is the same as above.

Slide 31: Hardwired Backup for SSLC (Defence in Depth Design)
Control:
- manual scram (main console)
- manual MSIV closure (main console)
- CUW line isolation (back panel)*
- RCIC steam line isolation (back panel)*
- HPCF(C) initiation (back panel)*
Display:
- RPV water level (large display panel)
- RPV pressure (large display panel)
- MSIV status (large display panel)
- CUW isolation valve status (back panel)*
- RCIC isolation valve status (back panel)*
- HPCF(C) status (back panel)*
(* added after the US ABWR design was issued)

Slide 32: Diversity in the Reactor Protection System
(Block diagram.) Software logic units: divisions I to IV, each with 2/4 voting, feeding channels A and B. The manual channel trip switches and the manual scram switch act through hardwired logic, independent of the software logic units, on solenoids (A) and (B) of the scram pilot valves.

Slide 33: Conclusion
- Long experience of non-safety system usage contributed very much to the success of digital safety system adoption in K-6/7.
- It is very important to use software that is feasible for V&V. (Use of a graphical language like POL is very effective.)
- Design standardization and the application of existing verified software are important from the safety and economic viewpoints.
- Considerations for common mode failure: suitable backup measures against CMF should be applied.

Slide 34: Recommendations to IAEA TWG
It should be useful for IAEA to utilize the operating experience of digital I&C in Japanese NPPs, including TEPCO's:
・ABWR: 4 plants in operation, 2 plants under construction, 1 plant under review by NISA
・APWR: 2 plants under review by NISA
・PWR main control room modernization: 1 plant under construction (new unit), 2 plants under installation (existing units)

Slide 35: Thank you!

Slide 36: The Manufacturing Process of the Digital Safety System
(Timeline chart, 1992 to 1995, for K-6 and K-7.) Design: system design, design review. Manufacturing: panels, software. V&V: verification, validation. Semi-dynamic simulation test. Shipping.

Slide 37: Factory Tests and Site Tests (Pre-Operation Tests)
Factory tests:
- component tests
- system combination tests (control system, local multiplexing units, signal transmission network etc.)
- semi-dynamic simulation tests
Site tests:
- installation tests
- pre-operation tests: load rejection at 20%, 50%, 75% and 100%; LOPA at 20%; plant trip at 50%; MSIV closure at 100%

Slide 38: Validation Method of the Compiler (1/2)
IEEE and IEC do not require V&V of software tools (including the compiler etc.):
- IEEE Std. 7-4.3.2: V&V tasks are not required; tools should be controlled under configuration management
- IEC 880: the compiler is to be well tested
The Japanese code JEAG 4609 also did not require V&V of software tools. But in the case of K-6/7, TEPCO and the manufacturers conducted an additional check to demonstrate the validity of the software tool, comparing the outputs of the compiler and the de-compiler.

Slide 39: Validation Method of the Compiler (2/2)
(Block diagram.) CAD system: POL coding produces the software diagram and the source program (describing the macro combination, parameters, etc.) and generates documents. Maintenance tool: the compiler converts the source program to machine language (object program) with reference to a conversion table and loads it into the controller; the de-compiler converts the object program back to the macro combination (POL) with reference to the machine language and displays the POL logic. Check: the displayed POL logic is compared against the software diagram.

Slide 40: Other Hardwired Controls
ATWS
- RPT: L-2 or L-3 and reactor pressure high
- ARI: L-2 or reactor pressure high or manual switch
RSS
- RHR(A), (B)
- HPCF(B)
- RCW/RSW(A), (B)
- SRV, 3 valves
- Diesel Generator (A), (B)
- Instruments on the above systems
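The POL tool chain of slides 15 and 39, and the every-path validation of slide 23, as an added example in Python (not TEPCO's, Toshiba's or Hitachi's tool): the slide-15 program data are extracted, compiled to a flat object program, de-compiled back to the macro combination and compared with the source (the de-compile check of Verification-3/4), and then executed for every combination of its four inputs against the interlock as read from the software diagram. Assumed, because the slides do not state them: that each step combines the previous step's result with its listed operands, that NOT* marks an inverted operand and OUT stores the result, and the numeric opcodes and machine-word layout; a corrupted object program is shown failing both checks.

```python
"""POL-style interlock program: extract, compile, de-compile and validate every path.

Added example; not the K-6/7 maintenance tool. Assumptions: accumulator semantics
(each step combines the previous result with its operands), NOT* inverts an operand,
OUT stores the result, and the opcode numbers / word layout are invented.
"""
import itertools
import re

# Program data as shown on slide 15 (step number, operation code, operands).
SOURCE = """\
00 AND D0016 NOT*D0017
01 OR D0018 D0019
02 OUT D0896
"""

OPCODES = {"AND": 1, "OR": 2, "OUT": 3}        # assumed encoding
MNEMONIC = {code: op for op, code in OPCODES.items()}
OPERAND = re.compile(r"^(NOT\*)?D?(\d{4})$")    # accepts D0017 and the slide's NOT*0017
VARIABLES = 1000   # static allocation: variable table D0000..D0999, nothing grows at run time


def extract(source):
    """Extraction of program data: list of (op, [(variable, inverted), ...]) in step order."""
    steps = []
    for line in source.splitlines():
        if not line.strip():
            continue
        step, op, *tokens = line.split()
        if op not in OPCODES:
            raise ValueError(f"step {step}: unknown operation code {op}")
        operands = []
        for tok in tokens:
            m = OPERAND.match(tok)
            if not m:
                raise ValueError(f"step {step}: bad operand {tok}")
            operands.append((int(m.group(2)), m.group(1) is not None))
        if op == "OUT" and (len(operands) != 1 or operands[0][1]):
            raise ValueError(f"step {step}: OUT takes one non-inverted variable")
        steps.append((op, operands))
    return steps


def compile_steps(steps):
    """Compiler: flat machine words [opcode, n, var, inv, var, inv, ...] per step."""
    words = []
    for op, operands in steps:
        words += [OPCODES[op], len(operands)]
        for var, inv in operands:
            words += [var, int(inv)]
    return words


def decompile(words):
    """De-compiler: recover the macro combination from the object program."""
    steps, i = [], 0
    while i < len(words):
        op, n = MNEMONIC[words[i]], words[i + 1]
        i += 2
        operands = [(words[i + 2 * k], bool(words[i + 2 * k + 1])) for k in range(n)]
        i += 2 * n
        steps.append((op, operands))
    return steps


def decompile_check(source, words):
    """Verification-3/4: the de-compiled object program must equal the extracted source."""
    return decompile(words) == extract(source)


def execute(words, memory):
    """One periodic scan: accumulator-style evaluation over the static variable table."""
    acc = None
    for op, operands in decompile(words):
        values = [memory[var] != inv for var, inv in operands]   # inv flips the reading
        if op == "OUT":
            memory[operands[0][0]] = acc
        else:
            if acc is not None:
                values.insert(0, acc)
            acc = all(values) if op == "AND" else any(values)
    return memory


def specification(d0016, d0017, d0018, d0019):
    """Interlock as read from the software diagram: (D0016 AND NOT D0017) OR D0018 OR D0019."""
    return (d0016 and not d0017) or d0018 or d0019


def validate_every_path(words, inputs=(16, 17, 18, 19), output=896):
    """System logic test: drive every input combination and list mismatches against the diagram."""
    mismatches = []
    for combo in itertools.product((False, True), repeat=len(inputs)):
        memory = [False] * VARIABLES
        for var, value in zip(inputs, combo):
            memory[var] = value
        if execute(words, memory)[output] != specification(*combo):
            mismatches.append(combo)
    return mismatches


if __name__ == "__main__":
    obj = compile_steps(extract(SOURCE))
    print("object program:", obj)
    print("de-compile check:", decompile_check(SOURCE, obj))
    print("mismatching paths:", validate_every_path(obj))
    bad = list(obj)
    bad[5] = 0        # corrupt the object program: inversion flag of D0017 cleared
    print("corrupted de-compile check:", decompile_check(SOURCE, bad))
    print("corrupted mismatching paths:", validate_every_path(bad))
```

Both checks are independent of each other on purpose: the de-compile check catches a compiler or loading fault without running anything, while the every-path test catches a fault in the diagram-to-source step that a round trip through the compiler would reproduce faithfully. Sixteen combinations cover this program completely; for a real SLU program the same loop runs over the inputs of each output in turn, which is what makes the status display of the maintenance tool usable for path-by-path validation.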