
HAEA NSD

Challenges for regulators in licensing I&C systems

I. Lux, K. Tóth, K. Hamar
Hungarian Atomic Energy Authority

TM on Implementing and Licensing Digital I&C Systems and Equipment in NPPs
Espoo, 22-25 November 2005

Contents
• References (2)
• Safety classification of I&C
• I&C requirements for safety management
• Ageing and failure (2)
• Basic licensing conditions
• Licensing (5)
• The Paks NPP RPS story in brief (6)
[Figure: "The first DI&C"]

Referred publications (1/2)
• B. Wahlström and O. Glöckler: Challenges in implementing and licensing digital I&C, IAEA TM, 13-16.09.2005
• Modernization of instrumentation and control in nuclear power plants, TECDOC-1016, IAEA (1998)
• Specification of requirements for upgrades using digital instrument and control systems, TECDOC-1066, IAEA (1999)
• Management of ageing of I&C in nuclear power plants, TECDOC-1147, IAEA (2000)
• Verification and Validation of Software Related to Nuclear Power Plant Instrumentation and Control, TRS-384, IAEA (1999)
• Modern Instrumentation and Control for Nuclear Power Plants: A Guidebook, TRS-387, IAEA (1999)
• Quality assurance for software important to safety, TRS-397, IAEA (2000)

Referred publications (2/2)
• Software for Computer Based Systems Important to Safety in Nuclear Power Plants, NS-G-1.1, IAEA (2000)
• Modifications to Nuclear Power Plants, NS-G-2.3, IAEA (2001)
• Instrumentation and Control Systems Important to Safety in Nuclear Power Plants, NS-G-1.3, IAEA (2002)
• Harmonization of the licensing process for digital instrumentation and control systems in nuclear power plants, TECDOC-1327, IAEA (2002)
• Solutions for cost effective assessment of software based instrumentation and control systems in nuclear power plants, TECDOC-1328, IAEA (2002)
• Managing Modernization of Nuclear Power Plant Instrumentation and Control Systems, TECDOC-138, IAEA (2004)
• Management of Life Cycle and Ageing at Nuclear Power Plants: Improved I&C Maintenance, TECDOC-1402, IAEA (2004)

Safety classification of I&C components
• Graded approach
• SCS: protection, actuation
• SRS: important but not SCS
• National variations of international standards (Hungary: ABOS 2, ABOS 3, Unclassified)
• Classification vs. categorization (Modifications to Nuclear Power Plants, NS-G-2.3, IAEA (2001)):
  – 1: may affect the design basis
  – 2: change in SRS or operation
  – 3: minor modifications
[Figure: classification table, from Management of Life Cycle and Ageing at Nuclear Power Plants: Improved I&C Maintenance, TECDOC-1402, IAEA (2004)]

Breakdown of plant safety equipment
[Figure: breakdown of plant safety equipment, from Modern Instrumentation and Control for Nuclear Power Plants: A Guidebook, TRS-387, IAEA (1999)]
[Figure: Paks NPP RPS control panel, from Management of Life Cycle and Ageing at Nuclear Power Plants: Improved I&C Maintenance, TECDOC-1402, IAEA (2004)]

I&C requirements for safety management
Sources: Managing Modernization of NPP I&C Systems, TECDOC-138, IAEA (2004); Software for Computer Based Systems Important to Safety in NPPs, NS-G-1.1, IAEA (2000)
• Defense in depth
  – Diversity
  – Redundancy
• CCF protection
• Single Failure Criterion
• Environmental conditions
• Self-checking and self-testing
• HMI
• Simplicity in design ⇐ conflicts with almost all other requirements
• Security
• Safety culture
• Testability
• Fail-safe, fault tolerant
• Maintainability
• QA
[Figure: Barriers and levels of protection, TRS-387]
Redundancy does not protect against sw CMF!
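As an added illustration of the last point on this slide (this is not code from the HAEA presentation), a toy 2-out-of-3 trip voter in Python: it shows a single random hardware fault being outvoted, the same specification error replicated in all three channels defeating the vote, and a functionally diverse trip parameter restoring the protection. The setpoints, the temperature limit and the failure probabilities are constructed values.

```python
# Added example (not from the HAEA slides): a toy 2-out-of-3 trip voter
# showing what redundancy buys against a random hardware fault and what it
# does not buy against a common-mode specification fault. Values are constructed.
from typing import Callable, List

Channel = Callable[[float], bool]   # measured value -> trip demanded?

CORRECT_SETPOINT = 120.0       # constructed: the true design limit (bar)
MISSPECIFIED_SETPOINT = 140.0  # constructed: spec error copied into every channel


def make_channel(setpoint: float, stuck_low: bool = False) -> Channel:
    """Trip channel; stuck_low models a random hardware fault (never trips)."""
    return lambda value: (not stuck_low) and value > setpoint


def vote_2oo3(channels: List[Channel], value: float) -> bool:
    """2-out-of-3 majority voting, the usual redundant trip logic."""
    return sum(1 for ch in channels if ch(value)) >= 2


def random_fault_tolerated(pressure: float = 130.0) -> bool:
    """One channel stuck low (random HW fault): the other two still trip."""
    chans = [make_channel(CORRECT_SETPOINT, stuck_low=True),
             make_channel(CORRECT_SETPOINT),
             make_channel(CORRECT_SETPOINT)]
    return vote_2oo3(chans, pressure)


def common_mode_fault_masked(pressure: float = 130.0) -> bool:
    """All three channels built from the same wrong spec: the vote is
    unanimous and wrong, so there is no trip despite triple redundancy."""
    chans = [make_channel(MISSPECIFIED_SETPOINT) for _ in range(3)]
    return vote_2oo3(chans, pressure)


def diverse_backup_trips(pressure: float = 130.0, temperature: float = 305.0) -> bool:
    """Functional diversity: an independently specified temperature trip
    (constructed limit 300 C) catches the demand the pressure channels miss."""
    temperature_channels = [make_channel(300.0) for _ in range(3)]
    return common_mode_fault_masked(pressure) or vote_2oo3(temperature_channels, temperature)


def p_fail_2oo3(p: float, q: float = 0.0) -> float:
    """Probability that the 2oo3 system fails on demand. Independent
    per-channel failure p is reduced to 3p^2 - 2p^3 by the voting, but a
    common-cause share q passes straight through: redundancy never lowers it."""
    independent = 3 * p ** 2 - 2 * p ** 3
    return q + (1 - q) * independent
```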

Ageing & failure (1/2)
Solutions for cost effective assessment of software based instrumentation and control systems in nuclear power plants, TECDOC-1328, IAEA (2002):
"Advances in DI&C is so rapid that product lifetime < time for licensing"
[Figures: Failure rates of electronic components; Lifetime of electronic components (Management of ageing of I&C in nuclear power plants, TECDOC-1147, IAEA (2000))]

Ageing & failure (2/2)
Harmonization of the licensing process for DI&C systems in NPPs, TECDOC-1327, IAEA (2002):
• Failure modes: dominantly deterministic, not stochastic
  – CCF due to specification or design
  – Environmental influences
  – Maintenance and modifications
  – Unauthorized access
[Figure: Maintenance strategies, from Management of ageing of I&C in nuclear power plants, TECDOC-1147, IAEA (2000)]
"The technology has unfairly been blamed for problems that have arisen from unsatisfactory specifications or flawed engineering processes"

Basic licensing conditions
Solutions for cost effective assessment of software based instrumentation and control systems in nuclear power plants, TECDOC-1328, IAEA (2002):
• Regulatory requirements:
  – Clearly defined standards
  – Consistent approach and policy
  – Sufficient competence and resources (NS-G-1.1)
• Licensee-regulator co-operation requirements:
  – Confidence building
  – Clear co-operation rules
  – Early contacting and interactions

Licensing (1/5)
Harmonization of the licensing process for DI&C systems in NPPs, TECDOC-1327, IAEA (2002)
• Advantages of DI&C:
  – Improved accuracy
  – No drift
  – Correlation of data possible
  – Storage possibility
  – Diagnostics, correction
  – Improved HMI
[Figure: Teleperm XS representative configuration at the Paks NPP]

Licensing (2/5)
• Disadvantages of DI&C:
  – More possible operating states
  – Higher complexity, hence a higher probability of undetected errors
  – Increased possibility of failed or unintended functions
  – Practically impossible to demonstrate the absence of sw errors
  – Not easy to use risk-informed tools
[Figure: VERONA core monitoring system at the Paks NPP]
"Difficult to agree upon adequate evidences of correct functioning"

Licensing (3/5)
Harmonization of the licensing process for DI&C systems in NPPs, TECDOC-1327, IAEA (2002)
• Licensing issues:
  – Requirement specifications are very important
  – Suggested to separate the I&C platform and the application
  – Configuration management system needed
  – Future maintenance and changes should be addressed
  – Harmonization of licensing requirements is suggested
[Figure: CSFM of the Paks NPP]
"The nuclear industry has reached a point where it is no longer practical just to produce more documents on how to license DI&C. The challenge now lies in reducing the documents to a set, which is structured and can give true support"

Licensing (4/5)
Verification and Validation of Software Related to NPP Instrumentation and Control, TRS-384, IAEA (1999)
• Licensing issues (cont.):
  – Amount of V&V
  – Life-cycle with well defined phases, input, output
  – Reuse of existing sw
  – Use of existing proprietary sw
  – Use of Commercial Off The Shelf sw
  – Change of requirements since the installation of the plant

Licensing (5/5)
Modernization of instrumentation and control in nuclear power plants, TECDOC-1016, IAEA (1998)
• Local regulatory environment is to be reviewed
  – To identify legal requirements applicable to the target I&C
  – To reveal differences in licensing the new and the original systems
• Special considerations to
  – Missing legislative provisions
  – Conflicts between national and international standards
  – Contradicting requirements due to co-existence of old and new
  – Additional regulatory body (RB) requirements

The Paks NPP RPS story (1/6)
• Time frame: 1997-2004
• Legal background
  – Atomic Law (1996), and
  – Safety Codes (1997)
  – Not specific for DI&C licensing
  – Revised and supplemented in 2005
• Local regulatory environment is to be reviewed
  – To identify legal requirements applicable to the target I&C
  – To reveal differences in licensing the new and the original systems
Safety requirements:
• Defense in depth
  – Diversity
  – Redundancy
• Avoiding CCF
• Single Failure Criterion
• Environmental conditions
• Self-checking and self-testing
• HMI
• Simplicity in design
• Security
• Fail-safe, fault tolerant
• Safety Culture
• Testability
• Maintainability
• QA

The Paks NPP RPS story (2/6)
• Licensing policy
  – Multistep procedure:
    • License in principle
    • Import license
    • License for implementation
    • Operating license
  – Relates to the various phases of lifecycle
Regulatory requirements:
• Clearly defined standards
• Consistent approach and policy
• Sufficient competence and resources (NS-G-1.1)
[Figure: RPS block diagram (three redundant trains Y, X and W with their analog modules, voters and ECR/MCR panels, SINEC L2/H1 networks, gateway and service unit, ECCS trains Y, X, W). Notes on the diagram: manual 1) = safety actuations (EP1, etc.); manual 2) = signal acknowledgement, test enable etc.]

The Paks NPP RPS story (3/6)
• License in principle (1997)
  – Acceptability from safety p.o.v.
  – Requirements for detailed design
  – A single license for all 4 units
  – Site-level license co-authorities (env., human and non-human health, water and field, emergency prep., fire, geology)
  – Requirements for implementation process (design fundamentals, functionality, QA requirements)
• Import license (1998) for
  – purchase and manuf. of hw&sw
  – integration of hw&sw components
  – FAT of integrated system
  – all 4 units
[Figure: FAT of Paks Unit No. 2 RPS]
FAT targets:
• Identification of system components & environment
• Function tests – verification vs. functional spec.
• Fault tolerance – automatic regeneration
• Fail safe behavior – effects of signal failure
• Self-monitoring – hw, start & cyclic
• Start-up and periodic tests – operator-initiated
• HMI
• Independence of subsystems – physical, logical
• Deterministic functioning – cycle, tolerance
• Input accuracy
• System reliability – lack of random actuation

The Paks NPP RPS story (4/6)
• Representative configuration installed at the full scope simulator (hw in the loop) (1998)
• License for implementation (1999-2002)
  – Two for each unit:
    • pre-mounting license – installation without connecting
    • modification license – dismounting of old, installation, connection, operation
  – Modernization of sensors and actuators
  – Modification of related I&C – neutron flux, cabling, turbine controller, diesel controller
  – New sw development tools for unit No. 4
• License for operation
  – After 3 months of testing operation ("independent FAT")
  – For 1 year, then renewed

The Paks NPP RPS story (5/6)
• Operating experiences
  – No sw error while commissioning
  – Slightly differing unit-wise realizations – unification in 2003
  – Modifications: elimination of minor errors, better technical solutions, extension of functionality
  – Experiences are favorable, the PR functions properly

The Paks NPP RPS story (6/6)
Error/failure statistics for 1999-2001 (3 years, 4 units)
Category                                                                      Count
Specification error (DFD correction needed)                                       3
Random HW error (power supply errors in this set: 4)                             10
Recurrent HW error (first occurrence random, DC power supply error)               3
Systematic or CCF HW error                                                        1
Application SW bug                                                                2
High load on safety related (non safety) Ethernet bus                             1
Measurement anomaly, no cause identified                                          1
Loss of telegram (due to asynchronous behaviour)                                  1
Error log, but no cause identified                                                1
Non-recurrent phenomena, no effect in log files                                   1
Sensor error                                                                     17
Human error, caused value led to RPS actuation (version change, testing)          2
Gateway and Service Unit (recurrent error counted as 1 error)                     3

THANK YOU FOR YOUR ATTENTION!
