A new spin on digital safety systems
21 February 1999
Instrumentation & control lies at the heart of nuclear safety and these days the obvious trend is towards digital safety systems, both for new build and refurbishment.
SPINLINE 3 is a new digital safety system developed by Schneider and Framatome. It is the culmination of experience with the SPIN digital reactor safety instrumentation & control system.
SPIN has its origin in the 1980s, when SPIN P4 was installed on twenty 1300 MWe PWRs in France. This was the first step. It was based on Motorola 6800 CPU boards programmed in assembler and on serial links. It has now successfully accumulated 200 reactor years of experience (first criticality at Paluel in 1984).
The second step came in the 1990s when SPIN N4 was installed on four 1450 MWe units in France (the N4 PWRs) as well as several CEA research reactors. SPIN N4 was based on Motorola 68000 CPU boards programmed in the C language and on deterministic networks. It has now successfully accumulated 20 reactor years of experience.
Building on this successful experience, SPINLINE 3 has been developed with the following goals:
- increased safety and availability;
- easier operation and maintenance;
- state-of-the-art performance;
- shorter development time.
The system handles all functions important for safety, from measurement acquisition to actuator control, including:
- reactor protection (reactor trip and associated engineered safety features, diesel sequencing);
- reactor control and limitation;
- neutron instrumentation.
To date, applications of SPINLINE 3 include:
- new plants, notably Qinshan phase 2 (China);
- refurbishment projects, for example Kozloduy (Bulgaria), where it has been in operation since September 1997, and Bugey and Fessenheim (France), where it will shortly be in operation.
SPINLINE 3 has been designed to comply with the following main criteria, as specified in the relevant International Atomic Energy Agency (IAEA) safety guide:
- Fail-safe architecture: SPINLINE 3 ensures that the outputs to actuators are always valid and that no failure impairs safety.
- Fault tolerance (including the single failure criterion): SPINLINE 3 can meet any redundancy requirements.
- Functional diversity, which defends the system against common cause failures.
- Functional insulation, which avoids propagation of failures between redundant parts.
Other features of SPINLINE 3 include:
- Scaleability: SPINLINE 3 can fit a range of sizes of I&C systems. It can be used for highly distributed architectures such as the reactor protection system of N4 plants (four divisions with three levels of processing: acquisition, functional processing, voting) or for more compact configurations such as Qinshan (two trains for source and intermediate range, four trains for power range, one level of processing).
- Modularity: the system can be delivered either as racks to be integrated into existing cabinets (for some refurbishment purposes) or as whole cabinets.
- Flexibility: the system can evolve without hardware modification.
- Determinism: the same inputs produce the same outputs with a guaranteed response time.
- Ease of operation and maintenance: protection thresholds can be modified through a secured protocol, and there is a service station for supervision and automated diagnosis.
SPINLINE 3 is a modular and standardised arrangement of PLC-like deterministic units. A unit consists of a rack including a CPU board with its software and peripheral boards (mainly I/O boards).
The hardware components have been specifically designed for safety applications, with safety and fail-safe features taken into account at the very outset of the design process. For example, actuator control boards move to a pre-defined safe state in case of loss of communication with the upstream stages of processing.
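The following C program is an added illustration of the fail-safe, fault-tolerance and voting principles described above; it is not code from the SPINLINE 3 product or from Schneider or Framatome. It models the three processing levels in one file: functional processing of four redundant divisions, a 2-out-of-4 vote, and an actuator control stage that falls to its safe state when upstream messages stop. The voting rule, the trip threshold, the measurement values and the staleness limit (`MAX_STALE_CYCLES`) are all constructed assumptions chosen for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed parameters for the example: four redundant divisions voted
   2-out-of-4, and the number of consecutive cycles an actuator board will
   tolerate without an upstream message before falling to its safe state. */
#define N_DIV 4
#define VOTE_M 2
#define MAX_STALE_CYCLES 3

typedef enum { CH_VALID = 0, CH_INVALID = 1 } ch_status_t;
typedef enum { CMD_RUN = 0, CMD_TRIP = 1 } cmd_t;

typedef struct {
    ch_status_t status;   /* validity flag carried with the measurement */
    int32_t     value;    /* e.g. neutron flux in percent of nominal power (constructed units) */
} channel_t;

/* Functional processing: compare each division's measurement with the trip
   threshold. A channel that is not valid counts as a trip demand, so a sensor,
   board or link failure can only push the system towards the safe state. */
static int count_trip_demands(const channel_t ch[N_DIV], int32_t threshold) {
    int demands = 0;
    for (int i = 0; i < N_DIV; i++) {
        if (ch[i].status != CH_VALID || ch[i].value >= threshold) demands++;
    }
    return demands;
}

/* Voting: M-out-of-N. With M = 2 and N = 4 a single failed channel neither
   masks a real demand nor causes a spurious trip on its own. */
static cmd_t vote(const channel_t ch[N_DIV], int32_t threshold) {
    return count_trip_demands(ch, threshold) >= VOTE_M ? CMD_TRIP : CMD_RUN;
}

/* State held on an actuator control board between cycles. */
typedef struct {
    uint32_t last_msg_cycle;  /* cycle in which the last upstream message arrived */
    cmd_t    last_cmd;        /* command carried by that message */
} actuator_t;

/* Actuator control stage, executed once per cycle. Returns the command
   actually driven to the actuator. When no message arrives, the held command
   is kept for a bounded number of cycles only, then replaced by the safe state. */
static cmd_t actuator_step(actuator_t *a, uint32_t now_cycle, bool msg_received, cmd_t cmd) {
    if (msg_received) {
        a->last_msg_cycle = now_cycle;
        a->last_cmd = cmd;
    } else if (now_cycle - a->last_msg_cycle > MAX_STALE_CYCLES) {
        a->last_cmd = CMD_TRIP;   /* upstream silent for too long: stop trusting stale data */
    }
    return a->last_cmd;
}

/* Constructed measurement sets, evaluated against a threshold of 100. */
static const channel_t all_normal[N_DIV]   = {{CH_VALID, 50}, {CH_VALID, 52}, {CH_VALID, 49}, {CH_VALID, 51}};
static const channel_t two_high[N_DIV]     = {{CH_VALID, 120}, {CH_VALID, 52}, {CH_VALID, 130}, {CH_VALID, 51}};
static const channel_t one_bad[N_DIV]      = {{CH_INVALID, 0}, {CH_VALID, 50}, {CH_VALID, 49}, {CH_VALID, 51}};
static const channel_t high_and_bad[N_DIV] = {{CH_VALID, 120}, {CH_INVALID, 0}, {CH_VALID, 49}, {CH_VALID, 51}};

int main(void) {
    printf("all normal   -> %s\n", vote(all_normal, 100) == CMD_TRIP ? "TRIP" : "RUN");
    printf("two high     -> %s\n", vote(two_high, 100) == CMD_TRIP ? "TRIP" : "RUN");
    printf("one invalid  -> %s\n", vote(one_bad, 100) == CMD_TRIP ? "TRIP" : "RUN");
    printf("high+invalid -> %s\n", vote(high_and_bad, 100) == CMD_TRIP ? "TRIP" : "RUN");

    actuator_t act = { 0, CMD_RUN };
    for (uint32_t cycle = 1; cycle <= 6; cycle++) {
        bool received = (cycle == 1);   /* upstream goes silent after cycle 1 */
        cmd_t applied = actuator_step(&act, cycle, received, CMD_RUN);
        printf("cycle %u: msg=%d applied=%s\n", (unsigned)cycle, received,
               applied == CMD_TRIP ? "TRIP" : "RUN");
    }
    return 0;
}
```

The two points worth noticing are the direction of every failure mode: an invalid channel is counted as a demand rather than ignored, and a silent upstream link ends in a trip rather than in the last command being held indefinitely.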
The main pieces of hardware are:
- Cabinets and 19in 6U racks designed to withstand harsh conditions of temperature, EMI, vibration and earthquake.
- Input and output boards for binary and analog data, neutron instrumentation, thermodynamic instrumentation and actuator control.
- High speed deterministic networks: the NERVIA™ network is a 2 megabit/s, broadcast type, token ring network using either optical fibre or coaxial cable for communications within the safety system or for communications with non-safety units; and the dedicated actuator network, which is based on a master/slave protocol and uses the same media as NERVIA.
- A powerful 25 MHz Motorola 68040 microprocessor CPU board, with 2 megabytes of secured read-only flash, 2 megabytes of RAM and 64 kilobytes of non-volatile EEPROM memory.
- An interface to the PC world via the NERVIA network.
Simplicity and use of computer-aided tools are the key principles leading to safety where software is concerned:
- SPINLINE 3 has neither an operating system nor interrupts, the safety software being a single loop running the same functions in a pre-defined and fixed time.
- The software development is automated using a CAD workshop called CLARISSE.
CLARISSE covers:
- description of the I&C architecture and hardware composition, which is used to generate automatically the system software, network configurations and network messages;
- a user-friendly graphic editor called SCADE™ for development of application (ie customer-defined) software reflecting functional requirements (SCADE is also currently being used by Airbus Industries, Volvo and Saab Military Aircraft);
- automatic generation of C code for all the software, with automatic generation of associated documentation and subsequent compilation and link-editing for embedding on CPU boards.
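As an added example of the single-loop structure just described (written for this article, not code from SPINLINE 3 or its CAD workshop), the C program below runs acquisition, processing and output as a fixed table of steps with no operating system, no interrupts and no run-time allocation. Each step carries a worst-case execution time budget, the loop checks the running total against the cycle period, and the watchdog is serviced only by a cycle that completed within budget; a deadline miss forces the safe state. The cycle period, the per-step budgets, the measurement samples and the `step_time_us` figures that stand in for a hardware timer are all constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed timing figures: one loop iteration must finish within the cycle
   period, and each step gets its own worst-case execution time (WCET) budget. */
#define CYCLE_PERIOD_US 10000u
#define N_STEPS 3

typedef struct {
    uint32_t cycle;          /* loop iteration counter */
    int32_t  flux;           /* acquired measurement (constructed units) */
    int32_t  threshold;      /* protection setpoint */
    bool     trip;           /* output state; true is the safe state */
    uint32_t elapsed_us;     /* execution time consumed so far in this cycle */
    bool     overrun;        /* sticky flag: a timing budget was exceeded */
    uint32_t watchdog_kicks; /* number of cycles that serviced the watchdog */
} loop_t;

/* Constructed sample of the measurement the acquisition step reads. */
static const int32_t sample_flux[] = { 40, 45, 90, 110, 95 };
#define N_SAMPLES (sizeof sample_flux / sizeof sample_flux[0])

static void step_acquire(loop_t *l) { l->flux = sample_flux[l->cycle % N_SAMPLES]; }
static void step_process(loop_t *l) { l->trip = (l->flux >= l->threshold); }
static void step_output(loop_t *l)  { (void)l; /* drive the actuator board with l->trip */ }

typedef struct {
    const char *name;
    void (*run)(loop_t *);
    uint32_t wcet_us;        /* budget the step must not exceed */
} step_t;

/* The schedule is a constant table: same order every cycle, never pre-empted. */
static const step_t schedule[N_STEPS] = {
    { "acquire", step_acquire, 2000u },
    { "process", step_process, 5000u },
    { "output",  step_output,  1000u },
};

/* One loop iteration. step_time_us[] stands in for the free-running hardware
   timer a real board would read before and after each step (constructed so the
   example runs offline). Returns true if the cycle met all its budgets. */
static bool run_cycle(loop_t *l, const uint32_t step_time_us[N_STEPS]) {
    l->elapsed_us = 0;
    for (size_t i = 0; i < N_STEPS; i++) {
        schedule[i].run(l);
        l->elapsed_us += step_time_us[i];
        if (step_time_us[i] > schedule[i].wcet_us || l->elapsed_us > CYCLE_PERIOD_US) {
            /* The response time is no longer guaranteed: record the miss, force
               the safe state and leave the watchdog unserviced. */
            l->overrun = true;
            l->trip = true;
            l->cycle++;
            return false;
        }
    }
    l->watchdog_kicks++;   /* only a completed, in-budget cycle services the watchdog */
    l->cycle++;
    return true;
}

int main(void) {
    loop_t l = { 0, 0, 100, false, 0, false, 0 };
    const uint32_t nominal[N_STEPS] = { 1500u, 4000u, 500u };
    const uint32_t slow[N_STEPS]    = { 1500u, 6000u, 500u };   /* process step over budget */
    for (int i = 0; i < 5; i++) {
        bool ok = run_cycle(&l, nominal);
        printf("cycle %u: flux=%d trip=%d ok=%d\n", (unsigned)l.cycle, l.flux, l.trip, ok);
    }
    bool ok = run_cycle(&l, slow);
    printf("cycle %u: overrun=%d trip=%d ok=%d watchdog kicks=%u\n",
           (unsigned)l.cycle, l.overrun, l.trip, ok, (unsigned)l.watchdog_kicks);
    return 0;
}
```

Because the step table is constant and nothing in the loop depends on timing or external events, the same sequence of inputs always yields the same sequence of outputs, and the budget check is what turns "fixed time" from an intention into something the board can verify on every cycle.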
SCADE has evolved from the SAGA tool, itself a major innovation of the SPIN N4 project, which uses a total of 200 000 lines of safety (Class 1E) software code. With SCADE and other facilities, the CLARISSE CAD workshop used in SPINLINE 3 contains all the tools needed for automated generation of executable code.
All SPINLINE 3 hardware and software components are 1E qualified. Above all they are already in operation at nuclear power plants in France and elsewhere.
Refurbishing the older plant
As already mentioned SPINLINE 3 can be retrofitted to existing plants, as has been done on the Soviet-designed VVERs at Kozloduy in Bulgaria. But refurbishing the I&C system of an existing nuclear power plant is often a more complex undertaking than building a new one.
The main motivation for refurbishment, of course, is that the original system is getting old, which results in spare parts availability problems and reductions in both safety and availability. In the particular case of Soviet-designed PWRs (VVERs), the original supplier specified that the equipment be changed after a given period of operation.
A refurbishment must meet specific requirements, such as:
- The new I&C system has to interface with the existing equipment remaining in place. Special care has to be taken with data interfaces, cable ways and geographical location.
- The outage required for the installation of the new I&C system has to be as short as possible.
A step by step approach is therefore often the best route to refurbishment both economically and technically.