James D. White, Oak Ridge National Laboratory
The subject of instrumentation and control (I&C) technologies for nuclear power plants is currently of considerable interest to the nuclear industry throughout the world. This interest derives from two considerations. The first is that the I&C systems are the windows into the status of the nuclear plant. Since the Three Mile Island accident, the industry has been trying to improve the ability of the operators to grasp the safety status of the plant, particularly during operational upsets. The advent of computer-based monitoring and display systems has provided opportunities for advances which, it is hoped, will improve the operators' understanding of plant status and, therefore, their ability to make the best decisions during the plant transients that might otherwise become accidents.
The second consideration is that the nuclear industry is being driven toward computer-based instrumentation and control systems. The driving forces are: (1) decreases in reliability of aging analog-based I&C; (2) lack of spare parts because the suppliers have moved on to digital hardware; (3) the promise of higher reliability of digital technologies; and (4) the lure of expanded capabilities of software-based systems.
Other industries have preceded the nuclear industry in the use of computer-based I&C. The possible consequences of failure of safety systems in nuclear power plants have resulted in a great deal of conservatism in the nuclear industry. Although this conservatism primarily affects the design and regulation of nuclear safety systems, it also influences the design of control and information systems for nuclear power plants. Because of this conservatism, the nuclear industry moves very slowly to make changes in designs.
Other countries have many years of experience with digital systems in nuclear plants, whereas the United States has relatively little experience. As the United States embarks on the evolution from analog to digital I&C technologies, the designers should take advantage of the best technologies and lessons learned around the world. Also, the exportability of U.S. nuclear I&C technology will be related to its status compared to that in competing countries.
Because of these considerations, the National Science Foundation and the Department of Energy commissioned U.S. specialists to make assessments of instrumentation and controls (I&C) technologies used in nuclear power plants in: (1) Japan; (2) Western Europe and the former Soviet Union; and (3) Canada. These studies included reviews of the literature from 1988 through 1991 on the subject, followed by visits to some of the leading organizations in the field of nuclear I&C in the countries of interest. These studies have been published by the National Science Foundation.
The purpose of this summary is to consolidate the conclusions of these studies. It presents a high-level comparison of the most advanced I&C technologies for nuclear power in the countries studied. Countries visited by panelists include France, Germany, Russia, Czechoslovakia, Norway, Canada and Japan. All of these countries are moving toward increasing use of digital computers in information and control systems.
The author has combined the results of the previous assessments. The summary also contains updates based on recent developments published in the literature (through May 1993) and discussed in recent high-level meetings and conferences. This blending of earlier results with newer information required judgment by the author. The results in this section, therefore, should be considered the conclusions of the author alone, although the conclusions were reviewed by all of the panelists listed on Page 153.
For the purposes of this report, I&C is defined as:
Safety systems in nuclear power plants require a level of qualification of I&C substantially higher than in monitoring, control, communication and display systems. Furthermore, the level of qualification of safety system I&C seems to be more rigorous than in any type of process system known to the panelists participating in these studies.
Western Europe, Japan and Canada are significantly ahead of the United States in the research, development and implementation of new products in nuclear I&C. Table 26 shows Western Europe to lead the rest of the world in the categories of: Control Room Design; Transition to Computer-based Technology; Computer-based Operator Support Systems; Control Strategies; and Standards & Tools. The Japanese and Canadian nuclear industries generally are second and third, respectively, in the development and use of new products in modern I&C. The differences in research activities among the countries studied are not as dramatic as the differences in product development and product implementation. In terms of Basic Research, the United States is only slightly behind the world leaders. The reason Western Europe, Japan and Canada lead in the use of modern I&C technology in nuclear plants may be that the nuclear programs in these areas of the world have had many more years of funding stability than those in the United States.
The United States is beginning to accelerate its Advanced Development and Product Implementation in the nuclear I&C area. For example, Westinghouse has recently signed a contract to supply instrumentation and control systems to the two-unit Temelin plant in the Czech Republic. Westinghouse also is performing a significant amount of the I&C work at Sizewell B, the new (and only) Pressurized Water Reactor (PWR) in the U.K. Another example where U.S. nuclear vendors are beginning to move forward in I&C is the case of the Advanced Boiling Water Reactor (ABWR). General Electric has been working with Toshiba and Hitachi in the design of the modern I&C in the highly automated ABWRs under construction now in Japan at Kashiwazaki-Kariwa. Upgrades to the I&C in existing U.S. plants are giving the U.S. industry the chance to apply some modern digital I&C now. These real-life experiences will help the United States move forward in the use of digital-based modern I&C.
Even these efforts, however, will fall short of placing the U.S. industry on an even level with the Western Europeans, Japanese and Canadians who continue to build many more plants than the U.S. industry and, therefore, continue to have many more opportunities to utilize advances in the I&C field.
The former Soviet Union was found to be strong analytically in I&C, but at a disadvantage because of low availability of newer, more powerful computers and computer chips. Especially in product development and implementation, the former Soviet Union seemed to lag behind the other countries studied, as shown in Table 26.
Ranking of World I&C Technologies for Nuclear Power
Conventional nuclear power plant control rooms are normally large rectangular rooms which have wall panels of dials, gauges, strip chart recorders, alarm lights and switches. The operators normally are standing when they make control changes in the plant, having to walk from panel to panel to read strip chart recorders and to turn switches. During operational upsets, hundreds of alarms and lights alert the operators about certain limits being exceeded. A great deal of training is necessary for the operators to be able to discern what has happened and what should happen next. For example, even though they had substantial training, the Three Mile Island operators could not determine the nature of the notorious accident at their plant, and made mistakes responding to the situation.
The advent of inexpensive, powerful computers with high resolution monitors has allowed designers to consider control room concepts in which the wall panels are replaced by computers. All countries studied, with the exception of Russia and Czechoslovakia, are working on control room concepts which include a cockpit type area for the operator(s). This type of control room is called cockpit-type because it resembles, to some extent, the cockpit in an airplane. Computer-based workstations surround the operator in such a manner that he does not have to move from his seat to monitor and control any of the plant's major systems.
Because there is such a large quantity of information which the operator might need, there is a concern that the operator might lose the big picture while searching through the instruments and computer-based displays surrounding him in a cockpit type control room. To avoid this, most new control room designs include a large diagram of the plant on one of the control room walls to present to all observers the status of the plant's major systems and alarms.
How these new control room design features will be used, and the definition of the roles of the human operators in these newer, more automated plant designs, have been the subject of wide debate. In Japan and Germany, the trend is to use more automation, whereas in France the emphasis in the newest designs is on computer-displayed operating procedures to guide the plant operators. In U.S. and Soviet plants, the emphasis is on using digital systems to help the operator identify problems, decide on the appropriate corrective actions, and aid in the execution of those actions. Most reviewers agree that each type of approach can meet the required safety and reliability goals, but which approach provides the best overall safety and reliability is unknown. The field of cognitive engineering may provide good insights into questions about the roles of operators in highly automated systems and what types of support systems to give the operators to support these roles. Japan, the United States, the former Soviet Union, and the Scandinavian countries seem to be taking the lead in the application of cognitive engineering to nuclear plant control room design and man-machine interfaces.
France is the undisputed leader in advanced control room design, with the new "N4" plant control room being built at Chooz B considered the most advanced in the world. Design work began in the early 1980s. France constructed a full-sized simulator of this type of control room design and performed several years of tests on it to validate the design concept. Framatome and Electricite de France led this work. The OECD Halden Reactor Project in Norway leads much of the European control room research and development, especially in the human factors area.
The Japanese government and nuclear industry have worked together on several projects involving control room layouts and operator workload. The Japanese MITI established the Institute of Human Factors in the Nuclear Power Engineering Test Center in 1987 to study human factors and human reliability. Also in 1987, the Japanese utilities' Central Research Institute for the Electric Power Industry (CRIEPI) established a Human Factors Center to develop countermeasures for reducing human errors in operation and maintenance of nuclear power plants.
In the design of its new CANDU plants, Atomic Energy of Canada Limited (AECL) has performed important analyses of human performance factors.
The United States does not have national R&D programs on control room design, although the Department of Energy programs on the Advanced Liquid Metal Reactor (ALMR) and the Modular High Temperature Gas-cooled Reactor (MHTGR) have done some high level conceptual designs of new control rooms.
The designs of nuclear power plants operating today in the United States use 1960's technology. This old technology uses analog type systems, which employ continuous current, voltage or pneumatic signals. In a typical plant, there are more than 100 such systems, making the plant difficult to maintain at times. In some older plants, 70% of the I&C equipment is no longer supported by a vendor, because today most I&C equipment is of a digital format. In this format, the analog signal is converted to a binary form which is compatible with computer-based equipment.
All countries studied are moving toward more use of digital systems. France, Canada and Japan have been using digital I&C in nuclear power plants for many years. The French have applied digital technology extensively in upgrading their 900 and 1300 MWe plant control and protection systems. They have increased the use of digital technology even more in their new 1500 MWe reactor concept, called the N4. In the United States, the Electric Power Research Institute (EPRI), a private research institute funded by a consortium of U.S. electric utilities, has undertaken an initiative to perform the R&D necessary to support the replacement of old analog-based I&C with newer computer-based I&C.
The biggest problem facing the nuclear industry in the evolution toward digital technologies is verification and validation (V&V) of digital-based, extremely high reliability systems. No methods exist today to predict (or assure) software reliability with the same confidence as for hardware systems. Several countries have encountered costly delays in bringing new nuclear plants on line due to unexpected problems in V&V of digital-based systems.
In Canada, Ontario Hydro has had over 25 years of experience with various forms of digital technology in CANDU nuclear plants. Each new plant has had a greater scope of digital technology than the last. This evolution worked very well until Ontario Hydro built its newest plant, Darlington. The reliability and performance statistics of earlier reactors were outstanding, with most of their newest 8 units included in the top 25 reactors in the world. But with Darlington, the Canadian licensing authority, Atomic Energy Control Board (AECB), undertook a more stringent review of the software engineering processes (mainly V&V) than on the previous plants. As a result, operation of Darlington's first two units was delayed, with a resulting economic burden on the utility.
In the U.K., Nuclear Electric (the British nuclear utility - government supported) estimates that about 500 man-years of effort have gone into the design and V&V of the 100,000 lines of computer code in the safety system of Sizewell B, which has the U.K.'s first software-based primary protection system.
The Germans have the most automated plants in the world, with the most advanced being the ISAR plant designed by Siemens. The Japanese nuclear plants have implemented the most advanced computer-based control strategies.
Computerized operator support systems include signal validation, fault detection, diagnosis and mitigation. A significantly greater effort is being expended in Western Europe, Japan and Canada than in the United States to develop and deploy advanced fault management systems. Several technological advances in these countries are already available in software form and would be helpful in supporting operators in U.S. plants.
An example of problems with today's operator support systems is the case of alarms:
There are important new developments in the integration of computerized operator support systems designed to address these problems. One of these is the Integrated Surveillance and Diagnostic System (ISADS) under development and prototyping at Halden, Norway under the sponsorship of the OECD. This system provides a graphical interface for the user and a high-level manager for eight different computerized operator support systems. In the GRADIENT project sponsored by ESPRIT, an integrated framework for a set of expert systems is under development at the ABB Heidelberg Research Center. GRADIENT establishes a communication framework for a set of expert systems that reason about the status of the plant and advise the operator. There also is important R&D in this area in Germany's government-funded research laboratory Gesellschaft für Reaktorsicherheit, in France's government research laboratory Centre d'Etudes Nucleaires de Cadarache, and in the French utility Electricite de France laboratory Direction des Etudes et Recherches.
The degree of automation is higher in European, Japanese and Canadian plants than in present U.S. plants. The French generate 70 percent of their electricity with nuclear power. Because of this, they have worked hard to make the plants able to automatically match power output with power demand (load following). The French PWR safety systems are very similar to the U.S. systems. Both France and the United States have developed digital systems to improve safety system performance. The French experience base with their digital safety system design, called SPIN, is much larger than in the United States; the French use the SPIN system in 23 plants.
The Germans also have load-following capability. The panel concluded that the German plants are the most automated in the world. The German KONVOI plants have a unique "limitation" system, which takes automatic action to try to prevent the plant from getting into a situation where the safety system would have to act. This system almost always prevents the plant from reaching the trip conditions at all.
Russian research into control theory is analytically advanced as compared to control theory studies in other countries. The Russian safety system for the VVER-type plants is designed to give very large margins between action limits and the true level of safety concern. Although the technology of the control and safety system seems to be of the older analog type, the strategy for limitation and protection systems seems very robust and conservative.
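The layering described for the German limitation system and the Russian VVER strategy (a limitation layer acting at a lower setpoint so that the protection layer rarely has to trip) can be illustrated with a small simulation. The following is an added example and is not the Siemens KONVOI or VVER design; the plant dynamics, the disturbance, the setpoints (105% for limitation action, 115% for a protection trip) and the limitation gain are all assumed for illustration only.

```python
"""Illustrative two-layer limitation/protection logic on a toy plant model.

Added example, not the KONVOI or VVER implementation.  All numbers below
(setpoints, plant time constant, disturbance size, limitation gain) are
assumptions chosen so the two layers are easy to see, not plant data.
"""
from dataclasses import dataclass, field


@dataclass
class Setpoints:
    limitation: float = 105.0  # % nominal power: limitation layer acts above this (assumed)
    trip: float = 115.0        # % nominal power: protection layer trips above this (assumed)


@dataclass
class Result:
    tripped: bool
    peak: float
    events: list = field(default_factory=list)


def simulate(limitation_enabled: bool, steps: int = 200,
             setpoints: Setpoints = Setpoints()) -> Result:
    """Run the toy plant under a persistent upward disturbance.

    The plant is first-order: power moves 20% of the way toward the control
    demand each step, plus a constant +4%/step disturbance (assumed, e.g. an
    uncompensated reactivity insertion).  Without intervention the power
    settles at demand + 20%, i.e. above the trip setpoint.
    """
    power = 100.0    # process variable, % nominal
    demand = 100.0   # controller demand, % nominal
    disturbance = 4.0
    peak = power
    events = []

    for t in range(steps):
        power += 0.2 * (demand - power) + disturbance
        peak = max(peak, power)

        # Protection layer: independent, hard trip on the high setpoint.
        if power >= setpoints.trip:
            events.append((t, "TRIP", round(power, 2)))
            return Result(True, round(peak, 2), events)

        # Limitation layer: acts earlier and proportionally to the excursion,
        # pulling the demand down so the trip setpoint is never reached.
        # (Restoring demand once power is back in band is omitted for brevity.)
        if limitation_enabled and power > setpoints.limitation:
            demand -= power - setpoints.limitation
            events.append((t, "LIMIT", round(power, 2)))

    return Result(False, round(peak, 2), events)


def margin_to_trip(result: Result, setpoints: Setpoints = Setpoints()) -> float:
    """Closest approach to the trip setpoint, in % nominal power."""
    return round(setpoints.trip - result.peak, 2)


if __name__ == "__main__":
    for enabled in (False, True):
        r = simulate(enabled)
        print(f"limitation={enabled}: tripped={r.tripped} peak={r.peak} "
              f"margin={margin_to_trip(r)} events={r.events[:4]}")
```

Running the block shows the point the text makes: with the limitation layer disabled the same disturbance drives the plant through the trip setpoint within a few steps, whereas with it enabled the excursion peaks around 110% and the protection system never has to act. The two layers are deliberately independent in the code; the limitation layer reads the same variable but only adjusts demand, and the trip check runs first regardless of what the limitation layer does.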
In the case of I&C, the term "architecture" means the arrangement of control components, sensors, display devices, networks, cables and communication devices. It also includes the arrangement of information (or data) and software. The I&C architecture is very important to the success of a nuclear power plant design. The development and testing of a system's I&C architecture may cost more than the I&C equipment itself.
There are many types of architecture, each of which has advantages and disadvantages. The designer chooses the type of architecture best suited to meet all of the requirements of the system. There are several types of issues which must be addressed. In the United States, individual computing systems have been dedicated to solving individual problems, resulting in "islands of computing" which cannot communicate with other areas of the plant. In the French and Japanese plants, these "islands" are much more integrated. As a result, the architectures of these power plants usually consist of a combination of several types of simpler architectures into a more complex, larger whole. U.S. designers are now dealing with the problems of developing similar architectures.
France has had the most experience in architecture for digital I&C in nuclear plants. However, the French recently have had significant project delays at their newest plant, Chooz B, due to problems with their newest I&C system architecture. Even with many years of experience with digital architectures, the original French designer was unsuccessful in this latest project and was replaced. The same French designer was under contract to supply part of the Sizewell B architecture, but was also replaced on that contract. The problem seems to have been the increased amount of functionality put into the I&C design, without proving first that the architecture could handle the increased communication traffic.
Nuclear designers and researchers around the world have watched the French experience carefully, and have started activities to avoid similar experiences. In the United States, the EPRI has established a program to develop a plant communications and computing architecture plan (PCCAP) methodology. This methodology is planned to be implemented at the Calvert Cliffs Plant.
Activity in R&D, design and implementation of new I&C architectures is a little more intense in Europe than in the United States, due to real-life problems being faced there now.
The kinds of instrumentation addressed in the studies were:
Overall, the instrumentation and instrumentation systems used in all countries visited operate on the same principles. The requirements for plants in the countries studied vary somewhat, leading to differences due to design tradeoffs rather than technological breakthroughs. For this reason, Table 26 shows all countries at about the same levels of research, development and product implementation.
Standards are generally used by the engineering community to help assure the quality of the systems designed. Nuclear designers are employing more computer-based I&C systems to ensure safe operation and economic performance. Standards for the use of computer-based systems in nuclear power plants have been developed to a greater degree in the international community than in the United States.
The West Europeans are leading the world in the development and use of standards in the design of microprocessor-based safety systems. They adhere to International Electrotechnical Commission (IEC) Standard 880, Software for computers in the safety systems of NPP's, and IEC 987, Programmed digital computers important to safety for NPP's. The U.S. nuclear industry does not have a standard that is equivalent to IEC Standard 880 or the guidelines in Critical Computer Systems 2. However, there is an effort to develop an equivalent standard: the revision to ANSI/IEEE/ANS 7-4.3.2-1982, "Application Criteria for Programmable Digital Computer Systems in Nuclear Power Generating Stations." The Canadians originally developed their own standards because no adequate standards existed when they first started applying digital technology in nuclear plants.
Computer-Aided Software Engineering (CASE) tools reduce the potential for errors in the final software because of the discipline provided by use of the tools. Computer-aided software engineering tools are being used more in Western Europe and Japan than in the United States for design, development and testing of software for nuclear plants. The Europeans are ahead in research on the use of formal design methods to design and qualify safety-critical software for nuclear plants.
Kent F. Hansen Massachusetts Institute of Technology
Ersel A. Evans Battelle, Pacific Northwest Laboratory
Wallace B. Behnke Commonwealth Edison Co.
Sheldon B. Cousin Stone & Webster
James D. White Oak Ridge National Laboratory
Victor H. Ransom Idaho National Engineering Laboratory
James D. White Oak Ridge National Laboratory
David D. Lanning Massachusetts Institute of Technology
Leo Beltracchi Nuclear Regulatory Commission
Fred R. Best Texas A&M University
James R. Easter Westinghouse Energy Center
Lester C. Oakes Private Consultant
A. L. Sudduth Duke Power Company
Robert E. Uhrig University of Tennessee and Oak Ridge National Laboratory
Richard J. Carter Oak Ridge National Laboratory