The virtues of simplicity

9 November 2009


‘Avoid unnecessary complexity’ would seem to be a good principle to follow in designing power stations, but it is one that is sometimes ignored by designers of computer-based instrumentation and control (I&C) systems, notably those to be employed in the new generation of nuclear power plants.

This has emerged as a key issue for the UK nuclear safety regulators in their assessment of Areva's EPR, currently going through the licensing process. ‘It is our regulatory judgement that the C&I architecture appears overly complex,’ they say.

They are concerned that the system relies on two computer-based systems with a high degree of connectivity between them, and they are unhappy about what they regard as a lack of separation between safety systems (ie reactor protection) and control systems, which are classified as merely ‘safety related.’

In addition, they believe that the failure probabilities claimed by EDF/Areva for the I&C systems (a pfd, or probability of failure on demand, of 10^-6 for the TXS protection system and 10^-4 for the Siemens SPPA-T2000 platform, which provides back-up reactor protection) ‘will prove difficult if not impossible to substantiate.’ They say the 10^-6 is ‘beyond the normal limit for reliability claims’ (which has been put at 10^-4 pfd). They also point out that in the case of Sizewell B (the UK’s first and only PWR power plant) the claim on the digital primary protection was 10^-4 pfd, while that on the combined primary plus secondary hard-wired system was 10^-7 pfd. In the case of the EPR, however, EDF/Areva are ‘attempting to claim two orders of magnitude better reliability for the combination of two computer based systems (ie 10^-9 pfd) one of which (ie the Siemens SPPA-T2000 platform) was (to our knowledge) not developed to nuclear sector protection system standards such as IEC 60880 or IEC 6098.’

A possible way out of this might be to install a good old-fashioned hard-wired system as a back-up protection system, as was done at Sizewell B and, for that matter, has been specified for Finland’s Olkiluoto 3 EPR. This helps get round the problems that the use of software in safety systems poses for regulators, mainly the difficulty of demonstrating that it is free of bugs and is not a potential source of ‘common cause failure’ (a single fault that defeats more than one supposedly independent line of protection at once).

But even with a hard-wired back-up, Olkiluoto 3’s digital I&C system still seems to be proving a headache for STUK, the Finnish regulator, which has raised concerns similar to those exercising its British counterpart. In a recently leaked letter to the Areva CEO, the head of STUK pointed to the lack of any ‘real progress in the design of the control and protection,’ commenting that ‘without a proper design that meets the basic principles of nuclear safety...I see no possibility to approve these important systems for installation. This would mean that the construction will come to a halt and it is not possible to start commissioning tests.’

The OL3 project has already suffered considerable delays, many of them due to inadequate completion of design and engineering before the start of construction, and the last thing it needs is further problems of this nature. The good news for the UK is that the I&C issue has been raised, and can hopefully be resolved, well before the start of any construction. This suggests that, so far at least, the revised regulatory scheme for nuclear new build in the UK is working as intended.
