22nd Meeting of the IAEA TWG-NPPIC
Construction and operation experience of digitalized Safety Systems of Japanese ABWR
20-22 May 2009
Takaki Mishima, Tokyo Electric Power Company
Legal Notice: This documentation contains technical knowledge and secret information that belong to TEPCO. Therefore, it shall not be disclosed to third parties without the consent of TEPCO.
CONTENTS
• Nuclear Power Generation in Japan
• I&C development history of TEPCO’s BWRs
• I&C development of Kashiwazaki-Kariwa Unit No.6/7
• Construction and operation experience of digitalized Safety Systems for Kashiwazaki-Kariwa Unit No.6/7
• Conclusion
• Recommendations to IAEA TWG
Nuclear Power Generation in Japan (1/2)
• 55 units of commercial NPP in operation: 49.6 GWe capacity in total / 30% of Japanese power supply
  → PWR: 23 units, BWR: 28 units, ABWR: 4 units
• 3 units (ABWR: 2 units, PWR: 1 unit) under construction and 1 unit (Tokai) in decommissioning stage
• 3 units (ABWR: 1 unit, APWR: 2 units) under review by NISA
• 7 units under planning
• 1 prototype FBR unit (Monju) in pre-operational phase and 1 ATR unit (Fugen) in decommissioning stage
TEPCO Nuclear Fleet: 17 BWR units with a total installed capacity of 17.3 GWe (35% of Japanese nuclear power). Units in parentheses have no operation date yet.

Higashidori NPS
  Unit  Type  Output (MWe)  Operation
  (1)   ABWR  1385          -
  (2)   ABWR  1385          -

Fukushima Daiichi NPS (1F)
  Unit  Type  Output (MWe)  Operation
  1     BWR3  460           Mar. 1971
  2     BWR4  784           July 1974
  3     BWR4  784           Mar. 1976
  4     BWR4  784           Oct. 1978
  5     BWR4  784           April 1978
  6     BWR5  1100          Oct. 1979
  (7)   ABWR  1380          -
  (8)   ABWR  1380          -

Fukushima Daini NPS (2F)
  Unit  Type  Output (MWe)  Operation
  1     BWR5  1100          April 1982
  2     BWR5  1100          Feb. 1984
  3     BWR5  1100          June 1985
  4     BWR5  1100          Aug. 1987

Kashiwazaki-Kariwa NPS (KK)
  Unit  Type  Output (MWe)  Operation
  1     BWR5  1100          Sep. 1985
  2     BWR5  1100          Sep. 1990
  3     BWR5  1100          Aug. 1993
  4     BWR5  1100          Aug. 1994
  5     BWR5  1100          April 1990
  6     ABWR  1356          Nov. 1996
  7     ABWR  1356          July 1997
Application of Digital System in TEPCO BWRs
(Timeline figure, 1970s to 1990s. Rows: (1) process computer, (2) reactor power regulator, (3) plant aux. system control, (4) neutron monitoring / radiation monitoring, (5) safety system, (6) radioactive waste processing systems.)
Digital applications shown on the timeline: core performance calculation, 3D core performance calculation, FDWC / RFC control, CR control, turbine aux. system, reactor aux. system, sequence control (mini-computer), plant automation, digital EHC, non-safety system, plant-wide digital system, neutron monitoring, radiation monitoring, CF/CD, off gas, radioactive waste processing system.
Main Control Room of TEPCO’s BWR
1st Generation (1971~1984)
  - Centralization of all plant information
2nd Generation (1985~1994)
  - Introduction of CRTs
  - Rearrangement of the Main Control Console
  - Introduction of Automated Operation
3rd Generation (1996~)
  - Introduction of FDs and CRTs with touch-operation
  - Sharing of plant information among the crew by large display panels etc.
Kashiwazaki-Kariwa Units #6 and 7
                              Unit #6      Unit #7
Rated core thermal power      3,926 MWt    3,926 MWt
Rated generator power         1,356 MWe    1,356 MWe
Start of construction         Sep. 1991    Feb. 1992
COD                           Nov. 1996    July 1997
1st concrete pouring → F/L    37 M         37.5 M
Main Control Room of Units No.6 and 7 (photograph: Unit No.6 and Unit No.7 sides, with alarm windows, large display panels, the main control console and the shift manager’s position)
Configuration of ABWR I&C System (block diagram; CCU: Communication Control Unit, RMU: Remote Multiplexing Unit)
Three levels connected by multiplexing line cable:
- Plant computer level (large-scale computer system, μ-P system): plant computer, main control panel, alarm system, with CCUs on the links
- Control level (μ-P system): RPS, ECCS, RC&IS, FDWC, RFC, EHC, BOP control, pressure control, generator control, APR, process / flux / radiation monitoring, Rx aux. logic system
- Equipment level: RMUs for local signals and for ECCS pumps, FMCRD, reactor internal pumps, feedwater pumps, condensate pumps, FW heaters, turbine, generator, inverter, condenser and valves
K-6 was supplied by Toshiba, Hitachi and GE; K-7 was supplied by Hitachi, Toshiba and GE.
The Configuration of RPS (block diagram)
RMU: Remote Multiplexing Unit; DTM: Digital Trip Module; TLU: Trip Logic Unit; OLU: Output Logic Unit; LD: Load Driver. Optical fiber and hard wire links are distinguished in the figure.
Signal path in each of Div.1 to Div.4: Sensor → RMU (A/I) → network controller → DTM → TLU (application program with 2-out-of-4 logic) → OLU (D/O) → load drivers LD I to LD IV.
Each TLU receives the trip status from the TLUs of the other divisions and sends its own trip status to them, so every division votes on the same four trip signals; the load drivers of each division act on the trip solenoids for scram.
The Manual Scram SW is hard-wired to the load drivers, independent of the network and the application program.
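The division structure above, as an added example that is not the K-6/7 TLU application program: each division's DTM compares its own sensor with the setpoint, every TLU votes 2-out-of-4 over the four DTM results it receives over the inter-division links, and the hardwired manual scram switch is ORed in behind the software path. The division names, the sample pressure values, the setpoint and the handling of a missing reading (assumed here to count as a trip, so a single failed channel cannot hide a real trip) are all constructed for this example.

```python
"""Two-out-of-four trip voting for a four-division reactor protection system.

Added example, not TEPCO's or the vendors' code. Division names, the
setpoint, the sample channel values and the fail-to-trip rule for a missing
reading are constructed; the structure (DTM per division, 2oo4 in every TLU,
hardwired manual scram) follows the configuration diagram.
"""
from __future__ import annotations
from dataclasses import dataclass

DIVISIONS = ("I", "II", "III", "IV")

@dataclass(frozen=True)
class Setpoint:
    name: str
    limit: float
    high_trip: bool  # True: trip when value > limit; False: trip when value < limit

def dtm_trip(value: float | None, sp: Setpoint) -> bool:
    """Digital Trip Module: one division's comparison of its own sensor.

    A missing reading (failed sensor or transmission fault) is treated as a
    trip (assumption for this example), so a single channel failure can never
    hide a real trip condition.
    """
    if value is None:
        return True
    return value > sp.limit if sp.high_trip else value < sp.limit

def tlu_vote(division_trips: dict[str, bool], required: int = 2) -> bool:
    """Trip Logic Unit: 2-out-of-4 over the DTM results of all four divisions."""
    if set(division_trips) != set(DIVISIONS):
        raise ValueError("TLU expects a trip status from every division")
    return sum(division_trips.values()) >= required

def rps_output(readings: dict[str, float | None], sp: Setpoint,
               manual_scram: bool = False) -> dict[str, bool]:
    """Per-division load driver demand: True means 'de-energize the scram solenoid'.

    Every division computes the same vote from the same four DTM results it
    receives over the inter-division links, so all four outputs agree; the
    hardwired manual scram switch is ORed in after the software path.
    """
    trips = {d: dtm_trip(readings.get(d), sp) for d in DIVISIONS}
    vote = tlu_vote(trips)
    return {d: vote or manual_scram for d in DIVISIONS}

# Constructed setpoint value (MPa); not a plant setpoint.
RPV_PRESSURE_HIGH = Setpoint("reactor pressure high", limit=7.5, high_trip=True)

if __name__ == "__main__":
    # Normal operation: no division trips.
    print(rps_output({"I": 7.0, "II": 7.0, "III": 7.1, "IV": 7.0}, RPV_PRESSURE_HIGH))
    # One spurious high channel: 1 of 4 only, no scram (spurious trip avoided).
    print(rps_output({"I": 9.0, "II": 7.0, "III": 7.0, "IV": 7.0}, RPV_PRESSURE_HIGH))
    # Real transient with one failed channel: 2 real trips + 1 failed channel -> scram.
    print(rps_output({"I": 7.8, "II": None, "III": 7.9, "IV": 7.0}, RPV_PRESSURE_HIGH))
```

The two properties worth keeping in view are visible in the three calls: one spurious channel does not scram the plant, and one lost channel does not prevent a scram when two healthy channels see the transient.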
The Configuration of ESF (block diagram)
RMU: Remote Multiplexing Unit; DTM: Digital Trip Module; SLU: Safety Logic Unit. Optical fiber and hard wire links are distinguished in the figure.
Signal path per division: Sensor → RMU (A/I) → network controller → DTM → SLU-1 / SLU-2 → network controller → RMU (D/O) → actuator.
- Div.1: RCIC, RHR(A), ADS(A)
- Div.2: HPCF(B), RHR(B), ADS(B)
- Div.3: HPCF(C), RHR(C)
- Div.4: DTM and I/O only (no SLU)
Number of Components
Component                         RPS/MSIV          ESF
DTM                               4                 4
TLU (SLU)                         4                 Div.1: 3, Div.2: 3, Div.3: 2
Flat Display Control Panel        4 on operator console, 4 on control panel    4 on operator console, 4 on control panel
RMU                               3                 17
PI/O                              1,500 points      5,000 points
Transmission data                 4,500 points      30,000 points
Consideration on Software Design
- Simple logic: mostly described by "AND", "OR" and "NOT" components
- Periodic execution: simple software structure
- No interruption in external signal processing: simple software structure
- Static memory allocation: simple software structure
- Flow-diagram-like symbolic language (POL): easy to program and verify
POL: Problem Oriented Language
Software diagram and POL (Problem Oriented Language)
The software diagram is drawn from blocks, each with an operation number (00, 01, 02, ...), an operation code (AND, OR, OUT, ...) and variable numbers (D0016, D0017, D0018, D0019, D0896, ...; NOT* marks an inverted input). From the diagram the program data is extracted as operation number, operation code and variable numbers; it is then rearranged according to the order of calculation, the variable numbers of each operation are rearranged by a rule uniquely defined for that operation code, and the result is executed.
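The extraction and rearrangement steps above, as an added example that is not TEPCO's or the vendors' tool: the constructed three-operation program below mirrors the shape of the slide's diagram (an OUT block listed first whose input is produced later), the rearrangement is a topological sort over the variable dependencies, and the scan executes the ordered list once per period over statically allocated memory. The operation codes, variable numbers and input values are constructed for this example.

```python
"""Toy interpreter for a POL-style (Problem Oriented Language) logic program.

Added example; this is not TEPCO's or the vendors' tool. The operation codes
(AND, OR, NOT, OUT), the D-number variable names and the three-operation
program below are constructed to mirror the slide's software diagram.
"""
from __future__ import annotations

# One operation of the software diagram: operation code, input variable
# numbers (prefix "NOT*" inverts the input, as on the slide), output variable.
Op = tuple[str, list[str], str]

# Constructed program in the order the diagram numbers it (00, 01, 02).
# Operation 00 reads D0019 before operation 02 has produced it, so the list
# must be rearranged before it can run.
PROGRAM: list[Op] = [
    ("OUT", ["D0019"], "D0016"),               # 00: D0016 := D0019
    ("AND", ["D0896", "NOT*D0017"], "D0018"),  # 01: D0018 := D0896 AND NOT D0017
    ("OR",  ["D0018", "D0020"], "D0019"),      # 02: D0019 := D0018 OR D0020
]

def _base(var: str) -> str:
    return var[4:] if var.startswith("NOT*") else var

def order_by_calculation(program: list[Op]) -> list[Op]:
    """Rearrange operations so every input is computed before it is used.

    This is the 'rearrangement according to order of calculation': a
    topological sort over variable dependencies. A feedback loop is rejected
    because the periodic scan needs a fixed, acyclic evaluation order.
    """
    producers = {op[2]: op for op in program}
    ordered: list[Op] = []
    done: set[str] = set()
    visiting: set[str] = set()

    def visit(op: Op) -> None:
        _, inputs, out = op
        if out in done:
            return
        if out in visiting:
            raise ValueError(f"feedback loop through {out}")
        visiting.add(out)
        for inp in inputs:
            dep = producers.get(_base(inp))
            if dep is not None:
                visit(dep)
        visiting.discard(out)
        done.add(out)
        ordered.append(op)

    for op in program:
        visit(op)
    return ordered

def scan(program: list[Op], memory: dict[str, bool]) -> dict[str, bool]:
    """One periodic execution of an already-ordered program.

    Memory is allocated once by the caller (static allocation); the scan
    never creates variables it was not given, and nothing interrupts it.
    """
    def read(var: str) -> bool:
        value = memory[_base(var)]
        return (not value) if var.startswith("NOT*") else value

    for code, inputs, out in program:
        if out not in memory:
            raise KeyError(f"{out} is not statically allocated")
        if code == "AND":
            memory[out] = all(read(v) for v in inputs)
        elif code == "OR":
            memory[out] = any(read(v) for v in inputs)
        elif code == "NOT":
            memory[out] = not read(inputs[0])
        elif code == "OUT":
            memory[out] = read(inputs[0])
        else:
            raise ValueError(f"unknown operation code {code}")
    return memory

def run_once(inputs: dict[str, bool]) -> bool:
    """Evaluate the constructed program for one set of input values."""
    memory = {v: False for v in ("D0896", "D0017", "D0020", "D0018", "D0019", "D0016")}
    memory.update(inputs)
    scan(order_by_calculation(PROGRAM), memory)
    return memory["D0016"]

if __name__ == "__main__":
    print([op[2] for op in order_by_calculation(PROGRAM)])
    print(run_once({"D0896": True, "D0017": False, "D0020": False}))
```

Because the rearranged list is fixed before the first scan and the memory map never grows, the program's behaviour for a given input set is the same on every cycle, which is the property that makes every path of such a program checkable in a logic test.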
Necessity of V&V of Software
Comparison of the potential risk of common mode failure (analog system vs. digital system); general understanding, not specific to K-6/7.
Risk evaluation:
- Hardware: common mode failure (fire, seismic, ambient temperature etc.): Equal
- Software: error in the basic design phase (error of scram logic and set point etc.): Equal
- Software: error in the detail design phase (error of drawing and diagram etc.): Equal
- Software: error in programming: More
Equal: the digital system has equal risk potential. More: the digital system has more risk potential.
When applying digital technology, V&V is required to avoid common mode failure.
V&V: Verification & Validation
Procedure to achieve a highly Reliable System (1/2)
System Requirement (JEAG, E/P) → Verification-1 → System Specification → Verification-2 → Equipment Specification → Interlock Block Diagram → Verification-3/4 → Hardware Design (ECWD) / Software Design
- Hardware branch: Component Procurement → Parts Screening → Cabinet Assembly
- Software branch: POL Coding (CAD system) → ★ De-compile Check → Floppy Disk → Software Loading
→ Verification-5
Procedure to achieve a highly Reliable System (2/2)
Validation
- Factory Tests: visual inspection, I/O wiring inspection, I/O characteristic tests, system logic tests, response time tests, single failure tests, ★ semi-dynamic simulation tests for safety-related system
- Shipping, Installation at site
- Installation Tests: reassemble tests, I/O wiring check, digital I/O check, analog I/O check
- Pre-operation Tests: interlock tests, annunciation tests, actuator tests, protection device tests, METI inspection, combination tests, fuel loading, heat-up tests, METI inspection
- Commercial Operation
★: special tests only for the K-6/7 digital safety-related system. (The figure also marks the steps that are additional procedures for safety-related systems.)
TEPCO Practice of Design Approval and Witness for Safety Related Systems
Documents (in order): System Specification → Equipment Specification → Interlock Block Diagram → Elementary Control Wiring Diagram, Software Diagram, FD (Flat Display) forms; Verification-1, -2 and -3/4 sit between the successive document levels.
- Design approval: executed on the system specification, equipment specification, interlock block diagram, elementary control wiring diagram, software diagram and FD forms.
- Factory test witness: the interlock and annunciation function test is a sample inspection and a data inspection; the display confirmation test is a data inspection.
Document examination points:
・No difference from the upper document
・Confirmation of differences from system requirements, design review, the previous plant, and between K6 and K7
TEPCO’s Philosophy to avoid CMF caused by software error
・Software for the safety system shall be easy to understand even for utility engineers.
・The digital system and software for the safety system shall be easy to verify and validate.
・Through its long history of digital non-safety system development, TEPCO judged POL to be a suitable language for V&V.
・TEPCO was convinced that a highly reliable digital safety system could and should be built with POL, which is very simple and visual software, together with strict QA activities.
・V&V is conducted to demonstrate the reliability in an auditable manner, in addition to the strict QA activities.
# POL: Problem Oriented Language; V&V: Verification & Validation
What we learned from Non-Safety Digital Systems
(1) Listing-type software languages such as FORTRAN, C etc. take much more time and manpower to utilize than conventional hardwired or analog systems.
(2) With POL, software design and development can be done visually.
(3) Particularly in the system logic test (validation test), every path of the software can be easily verified by checking the status information on the maintenance tool.
Evaluation of V&V Activities
- Effectiveness: no major discrepancy was found.
- Work-force: documentation of several thousand pages; total effort of a few thousand man-days per plant.
- Improvement for following construction: promote software modularization; reuse software already verified.
Experience of K-6/7 V&V
<Experience>
- V&V is clear and feasible with POL.
- Verification-3/4: easy to compare and verify the IBD against the software diagram.
- Validation: a graphical tool is very useful to perform V&V.
POL (Problem Oriented Language) is very effective, and a graphical tool is definitely necessary for performing V&V. In the system logic test of the validation test, every path of the POL software could be validated by checking the status information on the maintenance tool display. (It might be difficult to check every path of "listing type" software.)
Development Process of Digital Safety System (timeline, ’86 to ’95)
- Product schedule: development → design → manufacture & test → shipment
- Major R&D activities: guideline setting (Application of Digital Computers to Safety Systems, JEAG 4609, issued within this period); cooperative research by TEPCO and the JV companies; actual proof examination in NUPEC
JEAG 4609 (Guideline on Application of Digital Computers to Safety Systems)
JEAG: industry standard (JEA (Japan Electric Association) Guideline)
Objective: identify the minimum requirements for safety digital controls
Requirements:
- Same as IEEE 7-4.3.2
- Focus on the qualification process
- Requires that the design and manufacturing process be clarified to ensure traceability of the design and manufacturing of S/W, that V&V be carried out (a typical V&V process is also shown), that verifiers be assigned from among other than the designers, and that V&V results be documented
Cross Check of IBD between K-6 and K-7
The software diagram made on CAD according to the IBD (Interlock Block Diagram) is compiled and installed in the controller through the maintenance tool, so the correctness of the software depends on the IBD.
Purpose:
- Correction of mistakes at the basic design stage
- Standardization of SSLC logic
- Enhanced reliability through performing the above two evaluations
Result:
- Interlocks were simplified even where they were logically right
- Manual initiation logic of ESF etc. was standardized
Semi-Dynamic Simulation Test
Because the system is the first digital Reactor Protection System, the validity of the system was confirmed by simulating the changes of the process values.
- Prepare a simulator that simulates the changes of the parameters used in the safety analysis (LOCA and so on).
- Input the signals from the simulator to the digital controller, and record the corresponding system behavior with recorders.
- Verify whether the system works as expected.
Results of Semi-Dynamic Simulation Test (recorder traces; example for the failure of the reactor pressure controlling device)
Semi-Dynamic Simulation Test Results
Item                      Test Case                  Results
Dynamic Transient Test    RPS: 6650 tests            All good
                          ESF: 2320 tests            All good
Random Input Test         Random input: 5240 tests   All good
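The test method of the three slides above, as an added example that is not the K-6/7 test equipment or its recorded traces: a simulated transient (a pressure-regulator failure modelled as a linear pressure rise) is fed scan by scan into the trip function under test, the response is recorded like a chart recorder, and the recorded trip time is checked against the time the analysis predicts; a random-input test compares the same function with a reference truth table over many random channel patterns. The transient, setpoint, channel offsets, scan period and pass criteria are constructed for this example.

```python
"""Semi-dynamic simulation test harness for a digital trip function.

Added example; not the K-6/7 test equipment or its results. The transient,
setpoint, channel offsets, scan period and pass criteria are constructed.
The method (drive the controller with a simulated process signal, record
its response, compare with the expected behaviour) is the slide's.
"""
from __future__ import annotations
import random

SETPOINT_MPA = 7.5       # constructed 'reactor pressure high' trip setpoint
SCAN_PERIOD_S = 0.05     # constructed controller scan period
CHANNEL_OFFSETS = (0.00, 0.02, -0.03, 0.01)  # constructed per-division calibration offsets

def trip_2oo4(channels: tuple[float, ...], setpoint: float = SETPOINT_MPA) -> bool:
    """Trip function under test: at least 2 of 4 channels above the setpoint."""
    return sum(1 for c in channels if c > setpoint) >= 2

def pressure_regulator_failure(t: float, p0: float = 7.0, rate: float = 0.5) -> float:
    """Simulated process value: pressure rising linearly at `rate` MPa/s from t=0."""
    return p0 + rate * t

def run_transient(controller, duration_s: float = 2.0) -> list[tuple[float, tuple[float, ...], bool]]:
    """Feed the simulated transient to the controller scan by scan and record
    (time, channel values, trip demand), like the recorders in the test."""
    record = []
    for i in range(round(duration_s / SCAN_PERIOD_S) + 1):
        t = round(i * SCAN_PERIOD_S, 6)
        p = pressure_regulator_failure(t)
        channels = tuple(round(p + off, 3) for off in CHANNEL_OFFSETS)
        record.append((t, channels, controller(channels)))
    return record

def first_trip_time(record) -> float | None:
    for t, _, tripped in record:
        if tripped:
            return t
    return None

def check_transient(controller, expected_time_s: float, tolerance_s: float) -> tuple[bool, float | None]:
    """Pass criterion: the trip is asserted within tolerance of the time the
    analysis predicts and stays asserted for the rest of the transient."""
    record = run_transient(controller)
    t_trip = first_trip_time(record)
    if t_trip is None:
        return False, None
    latched = all(tripped for t, _, tripped in record if t >= t_trip)
    return abs(t_trip - expected_time_s) <= tolerance_s and latched, t_trip

def random_input_test(controller, cases: int = 5240, seed: int = 1) -> int:
    """Random-input test: compare the controller with a reference truth table
    on `cases` random channel patterns; returns the number of mismatches."""
    rng = random.Random(seed)
    mismatches = 0
    for _ in range(cases):
        channels = tuple(rng.choice((6.9, 7.6)) for _ in range(4))
        expected = sum(1 for c in channels if c > SETPOINT_MPA) >= 2
        if controller(channels) != expected:
            mismatches += 1
    return mismatches

if __name__ == "__main__":
    # Analysis prediction for the constructed transient: pressure reaches
    # 7.5 MPa at t = 1.0 s, where the two positively offset channels are
    # already above the setpoint, so the 2oo4 trip is expected at t = 1.0 s.
    print(check_transient(trip_2oo4, expected_time_s=1.0, tolerance_s=0.1))
    print(random_input_test(trip_2oo4))
```

Running the same harness against a controller with a wrong setpoint or a 3-out-of-4 vote shows why both tests are needed: the transient test catches the late trip, the random-input test catches the voting error on patterns a single transient never produces.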
Hardwired Back Up
Transition of the US digital safety system design (diversity): re-evaluate CMF of SSLC; manual initiation of HPCF; indication of HPCF flow; enhancement of FW reliability; RSS; SLC; manual SCRAM; enlargement of hardwired back up.
Additional requirement (*functions added according to the US ABWR design when it was issued):
- CUW line isolation with proper valve status display
- RCIC steamline isolation with proper valve status display
- HPCF(C) initiation with proper system status display
TEPCO’s design is the same as above.
Hardwired Backup for SSLC (Defence in Depth Design)
Control
- Manual scram (main console)
- Manual MSIV closure (main console)
- CUW line isolation (back panel)*
- RCIC steam line isolation (back panel)*
- HPCF(C) initiation (back panel)*
Display
- RPV water level (large display panel)
- RPV pressure (large display panel)
- MSIV status (large display panel)
- CUW isolation valve status (back panel)*
- RCIC isolation valve status (back panel)*
- HPCF(C) status (back panel)*
(*Added after the US ABWR design was issued)
Diversity in Reactor Protection System (block diagram)
Two independent paths act on solenoid (A) and solenoid (B) of the scram pilot valve: the manual channel trip switches feed the software logic unit, and the manual scram switches (A, B) feed a hardwired logic; each path applies 2/4 logic across Divisions I to IV.
Conclusion
• Long experience of non-safety system usage contributed very much to the success of digital safety system adoption in K-6/7.
  - It is very important to use software that is feasible for V&V (usage of a graphical language like POL is much more effective).
• Design standardization and application of existing verified software are important from the safety and economic viewpoints.
• Considerations for common mode failure: suitable backup measures against CMF should be applied.
Recommendations to IAEA TWG
It should be useful for the IAEA to utilize the operating experience of digital I&C in Japanese NPPs, including TEPCO’s.
・ABWR: 4 plants in operation, 2 plants under construction, 1 plant under review by NISA
・APWR: 2 plants under review by NISA
・PWR main control room modernization: 1 plant under construction (new unit), 2 plants under installation (existing units)
The Manufacturing Process of Digital Safety System (schedule chart, 1992 to 1995, shown separately for K-6 and K-7)
- Design: system design, design review
- Manufacturing: panel, software
- V&V: verification, validation
- Semi-dynamic simulation test
- Shipping
Factory Tests and Site Tests (Pre-Operation Tests)
Factory Tests
- Component tests
- System combination tests: control system, local multiplexing units, signal transmission network etc.
- Semi-dynamic simulation tests
Site Tests
- Installation tests
- Pre-operation tests: load rejection at 20%, 50%, 75% and 100%; LOPA at 20%; plant trip at 50%; MSIV closure at 100%
Validation method of Compiler (1/2)
IEEE and IEC do not require V&V of software tools (including compilers etc.):
- IEEE Std. 7-4.3.2: V&V tasks are not required; tools should be controlled under configuration management
- IEC 880: the compiler is to be well tested
The Japanese code JEAG 4609 also did not require V&V of software tools. But in the case of K-6/7, TEPCO and the manufacturers conducted an additional check to demonstrate the validity of the software tool, comparing the output of the compiler with the output of a de-compiler.
Validation method of Compiler (2/2) (data-flow figure)
Software diagram (POL) on the CAD system → POL coding → source program (describing the macro combination, parameters, etc.) → compiler (referring to the conversion table) → object program in machine language → loading into the controller through the maintenance tool.
Compare check: the object program is de-compiled from machine language back to a macro combination (also referring to the conversion table), the de-compiled POL logic is displayed and documents are generated from it, and these are compared against the source.
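The compare check of these two slides, as an added example that is not TEPCO's or the manufacturers' maintenance tool: a constructed POL-style program is compiled to a byte-level object program through a conversion table, an independently written de-compiler recovers a program from those bytes, and the recovered program is compared operation by operation with the source. The opcode numbering, the operand word layout (high bit = NOT*), the conversion table and the single-word corruption used to show a detected mismatch are all constructed for this example.

```python
"""Compiler round-trip check: compile a POL software diagram to an object
program, de-compile it, and compare the result with the source.

Added example, not TEPCO's or the manufacturers' tool. Opcode numbers, the
16-bit operand layout and the conversion table are constructed; only the idea
(compare compiler output with de-compiler output) comes from the slides.
"""
from __future__ import annotations
import struct

# Constructed conversion table: operation code <-> opcode byte.
OPCODES = {"AND": 0x01, "OR": 0x02, "NOT": 0x03, "OUT": 0x04}
MNEMONICS = {v: k for k, v in OPCODES.items()}
NOT_FLAG = 0x8000  # high bit of an operand word marks an inverted (NOT*) input

Op = tuple[str, list[str], str]  # (operation code, input variables, output variable)

def var_to_word(var: str) -> int:
    """'D0017' -> 17, 'NOT*D0017' -> 17 | NOT_FLAG."""
    inverted = var.startswith("NOT*")
    number = int(var[5:] if inverted else var[1:])
    if not 0 <= number < NOT_FLAG:
        raise ValueError(f"variable number out of range: {var}")
    return number | NOT_FLAG if inverted else number

def word_to_var(word: int) -> str:
    number = word & (NOT_FLAG - 1)
    return f"NOT*D{number:04d}" if word & NOT_FLAG else f"D{number:04d}"

def compile_program(program: list[Op]) -> bytes:
    """Each operation -> opcode byte, input count byte, operand words, output word."""
    out = bytearray()
    for code, inputs, output in program:
        out += struct.pack(">BB", OPCODES[code], len(inputs))
        for v in inputs:
            out += struct.pack(">H", var_to_word(v))
        out += struct.pack(">H", var_to_word(output))
    return bytes(out)

def decompile_program(obj: bytes) -> list[Op]:
    """Inverse of compile_program, written separately so that a compiler
    defect the de-compiler does not share shows up as a mismatch."""
    program: list[Op] = []
    pos = 0
    while pos < len(obj):
        if pos + 2 > len(obj):
            raise ValueError("truncated operation header")
        opcode, n_inputs = struct.unpack_from(">BB", obj, pos)
        pos += 2
        if opcode not in MNEMONICS:
            raise ValueError(f"unknown opcode {opcode:#x} at offset {pos - 2}")
        needed = 2 * (n_inputs + 1)
        if pos + needed > len(obj):
            raise ValueError("truncated operand list")
        words = struct.unpack_from(f">{n_inputs + 1}H", obj, pos)
        pos += needed
        program.append((MNEMONICS[opcode], [word_to_var(w) for w in words[:-1]], word_to_var(words[-1])))
    return program

def compare_check(source: list[Op], obj: bytes) -> list[str]:
    """Discrepancies between the source diagram and what the object program
    de-compiles to; an empty list means the check passed."""
    recovered = decompile_program(obj)
    findings: list[str] = []
    if len(recovered) != len(source):
        findings.append(f"operation count {len(recovered)} != {len(source)}")
    for i, (src, rec) in enumerate(zip(source, recovered)):
        if src != rec:
            findings.append(f"operation {i:02d}: source {src} != object {rec}")
    return findings

# Constructed three-operation program, the same shape as the slide's diagram.
SOURCE: list[Op] = [
    ("AND", ["D0896", "NOT*D0017"], "D0018"),
    ("OR",  ["D0018", "D0020"], "D0019"),
    ("OUT", ["D0019"], "D0016"),
]

def corrupt_one_operand(obj: bytes) -> bytes:
    """Flip the NOT flag on the second operand of the first operation: the
    kind of single-word defect a de-compile check is meant to catch."""
    words = bytearray(obj)
    offset = 2 + 2  # header (2 bytes) + first operand word (2 bytes)
    word = struct.unpack_from(">H", words, offset)[0] ^ NOT_FLAG
    struct.pack_into(">H", words, offset, word)
    return bytes(words)

if __name__ == "__main__":
    good = compile_program(SOURCE)
    print(compare_check(SOURCE, good))
    print(compare_check(SOURCE, corrupt_one_operand(good)))
```

The check only has value when the de-compiler is not derived from the compiler's own tables and code paths; a shared defect in a common conversion routine would cancel out and leave the compare clean.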
Another Hardwired Control
ATWS
- RPT: L-2 or L-3 and Reactor Pressure High
- ARI: L-2 or Reactor Pressure High or Manual switch
RSS
- RHR(A), (B)
- HPCF(B)
- RCW/RSW(A), (B)
- SRV 3 valves
- Diesel Generator (A), (B)
- Instruments on the above systems