
Assessment of I&C Problems of the EPR

Study commissioned by Greenpeace Nordic

2010-10-04

Dr. Colin Hirsch, Perugia, Italy

in collaboration with

Dr. Helmut Hirsch, Neustadt, Germany
Adhipati Y. Indradiningrat, Neustadt, Germany

The differences between theory and practice are greater in practice than in theory.

Table of Contents

Introduction 3
  Overview of Current EPR Projects 3
  Role of I&C in a Nuclear Power Plant 4
  The EPR I&C Systems 5
Important Issues 7
  Issue 1 - Software Reliability 7
  Issue 2 - Architectural Shortcomings 10
  Issue 3 - Commoditization and Consolidation 11
  Issue 4 - Full Disclosure of AREVA Software and Documentation 13
  Issue 5 - Quality of AREVA Documentation 14
Position of Regulatory Authorities 16
Remaining Problems and Possible Consequences 18
  Issue 1 - Software Reliability 18
  Issue 2 - Architectural Shortcomings 18
  Issue 3 - Commoditization and Consolidation 19
  Issue 4 - Full Disclosure of AREVA Software and Documentation 19
  Issue 5 - Quality of AREVA Documentation 20
Final Words 21
  Cyber Warfare and Cyber Terrorism 21
Bibliography 23
Abbreviations and Acronyms 26

Introduction

Overview of Current EPR Projects

One of the so-called Generation III Pressurised Water Reactor types is AREVA's EPR. Its design is evolutionary: it was developed on the basis of the N4 and KONVOI reactors, the latest of the Generation II reactors in France and Germany, and is not radically different from them. (Almost all current commercial reactors are Generation II; Generation III is currently being introduced.)

The EPR design is the result of co-operation between the French and German power plant vendors Framatome and KWU/Siemens, together with the French utility EDF and the major German utilities E.ON, EnBW and RWE Power, in collaboration with the safety and regulatory authorities of both countries. The EPR has a high power output of approximately 1600 MWe. Some new features are intended to improve the safety level; other modifications constitute a reduction of safety margins. It is not immediately apparent, and there is no guarantee, that the safety level of the EPR is significantly higher than that of its predecessors [HIRSCH 2005].

There are currently four EPR units under construction worldwide. In the US and the UK, the EPR is undergoing the licensing or pre-licensing process.

EPR units under construction worldwide

Name           Location   Start of construction   Estimated start of commercial operation
Olkiluoto-3    Finland    August 2005             2013
Flamanville-3  France     December 2007           2014
Taishan-1      China      October 2009            2013
Taishan-2      China      April 2010              2015

The construction of Olkiluoto-3 in Finland started in summer 2005. The unit was originally planned to enter commercial operation in spring 2009; however, several problems that emerged during construction, such as irregularities in the concrete used for the foundation, heavy forgings that were below project standards and had to be re-cast, deficiencies in the pipe welding, and issues with the EPR's new I&C systems, have delayed completion of the reactor. The latest estimates speak of Olkiluoto-3 starting operation in 2013, almost 4 years behind the original schedule, and with a cost overrun of over 2 billion Euros.

The construction of Flamanville-3 in France is experiencing similar problems. Since the start of construction in December 2007, the project has suffered accumulated delays due to problems with civil works, welding, component manufacturing, and the architecture of the I&C systems [NW 2010]. The Flamanville-3 unit is currently 2 years behind schedule.

As noted above, one key cause of the delays of the two European EPR units is issues with the architecture of the plant's digital I&C system. Architecture refers to the overall layout of the I&C systems and their interconnections. The British, Finnish and French nuclear safety regulators have issued a joint statement that listed the key issues and demanded specific improvements from AREVA regarding the I&C systems of its EPR design [EU 2009].

It was stated that the I&C systems designed for the EPR, as originally proposed by AREVA and the licensees, were found to contain too high a degree of complex interconnectivity between the control and safety systems, and therefore did not comply with important independence principles [EU 2009].

From the beginning, the Finnish Radiation and Nuclear Safety Authority STUK required an additional and independent non-computerised backup system, and regulators in the UK have said that they might require similar measures, though a formal ruling on the matter is still pending [NW 2009b]. This report will look further into the issues regarding the I&C systems of the EPR.

Role of I&C in a Nuclear Power Plant

The three major functions of the I&C system in a nuclear power plant are monitoring, control and protection. The I&C systems should provide accurate and appropriate information to the plant operators and permit judicious action during both normal and abnormal operation. They are used to control all normal operations of the reactor: startup, power operation, shutdown and plant upsets. They also have the task of protecting the power plant from the consequences of any mistakes the operator may make [IAEA 1999].

The I&C systems of a nuclear power plant are divided into two categories, the safety systems and the non-safety systems. The non-safety I&C systems are in charge of monitoring and controlling the normal operation of the nuclear power plant, including startup and shutdown, and also of preventing off-normal conditions of the plant. They include all facilities, loops and auxiliary systems that are needed for normal operation.

The safety systems are designed to take automatic action to prevent and mitigate the consequences of faults and accident conditions in cases where the operators and the non-safety systems fail to maintain the plant within normal operating parameters.

When necessary, the safety systems will at first undertake soft protection measures to bring the plant back to normal operating conditions. If these actions are not sufficient, the safety systems will automatically take action to rapidly shut down the reactor (known as a scram), trigger any other systems required to mitigate the detected problem, and place the plant in a safe state. These safety systems are redundant, and usually designed to be as independent as possible from the non-safety control systems.


Currently, digital systems are replacing older analog systems and becoming more and more widespread in all industrial sectors, including the nuclear industry. Digital technology has already been used for several years in nuclear power plants for non-safety applications, but only recently has it started to be used for safety-critical systems in nuclear power plants.

The reason for the transition to digital I&C systems is their obvious, at least on a cursory view, advantages over analog I&C systems. They have higher data handling and storage capacities, allowing more operating conditions to be measured, recorded and displayed. The software controlling their behaviour is more flexible and can be more easily adapted and extended to the target application. They also have better self-monitoring capabilities. Finally, they can be more efficient than analog systems in terms of space and wiring effort. It is also becoming harder to find spare component parts for analog I&C systems, because vendors have been going digital and reducing their maintenance and support capacities for analog equipment.

For these reasons, the increasing use of digital I&C technology in nuclear power plants is in some sense inevitable, of which the design of the EPR can be seen as a prominent example. The original design of the I&C systems for the EPR is based exclusively on digital systems. As mentioned above, the Finnish regulator, STUK, has already requested analog back-up systems, and UK regulators are considering making a similar requirement.

The EPR I&C Systems

    The EPR I&C systems are based on the Teleperm XS safety I&C system supplied by AREVA, and the SP