July 1993

Robert E. Uhrig, Oak Ridge National Laboratory, The University of Tennessee, Knoxville, TN

Richard J. Carter, Oak Ridge National Laboratory


This report updates a 1989-90 survey of advanced instrumentation and controls (I&C) technologies and associated human factors issues in the U.S. and Canadian nuclear industries carried out by a team from Oak Ridge National Laboratory (Carter and Uhrig 1990). The authors found that the most advanced I&C systems are in the Canadian CANDU plants, where the newest plant (Darlington) has digital systems in almost 100% of its control systems and in over 70% of its plant protection system. Increased emphasis on human factors and cognitive science in modern control rooms has resulted in a reduced workload for the operators and the elimination of many human errors. Automation implemented through digital instrumentation and control is effectively changing the role of the operator to that of a systems manager.

The hypothesis that properly introducing digital systems increases safety is supported by the Canadian experience. The performance of these digital systems has been achieved using appropriate quality assurance programs for both hardware and software development. Recent regulatory authority review of the development of safety-critical software has resulted in the creation of isolated software modules with well-defined interfaces and more formal structure in the software generation. The ability of digital systems to detect impending failures and initiate a fail-safe action is a significant safety issue that should be of special interest to nuclear utilities and regulatory authorities around the world.


Throughout the world, the nuclear power industry is currently developing advanced control and operator interface systems based on innovative applications of digital computers. Significant changes in the operation of nuclear power plants can be expected from the use of computers for automation and operator aids. Over the past two decades, the Canadian nuclear power plant vendor AECL (Atomic Energy of Canada, Ltd.) and utilities have demonstrated digital instrumentation and control systems to be effective in monitoring and controlling the CANDU (Canada Deuterium-Uranium) nuclear power plants and in providing the degree of safety margin needed to protect both the plant and the public. The Canadian experience of improved performance and increased safety, while using commercial-grade computers and components, has demonstrated a cost-effective approach to the implementation of digital systems in both control and safety systems. The ability of these digital systems to detect impending failures and initiate a fail-safe action is a significant safety issue that should be of special interest to utilities and regulatory authorities around the world.


Canada has by far the most experience in the world with advanced (digital) instrumentation and control (I&C) systems for nuclear power plants. Darlington, the newest CANDU plant, has digital systems in almost 100% of its control systems and over 70% of its plant protection system. The control and plant protection systems use commercial-grade digital components, qualified in much the same way analog components are qualified, plus testing for electromagnetic interference and seismic qualifications. AECL, in plants outside Ontario, has had 36 programmable logic controllers (PLCs[1]) in operation in three CANDU plants since 1982 (over 300 system years) with no incidents of spurious plant trips due to any kind of PLC malfunction and no incidence of failure to trip when required. When a digital component or system begins to degrade, the self-checking features immediately put the system in trip mode and alert plant personnel, who in all cases have been able to identify and replace the faulty component within two hours. This performance has been achieved using a software quality assurance program that meets the IEEE and IEC standards, but does not include extraordinary measures to prevent common mode software design errors.

It is very difficult to compare the status of I&C systems in Canadian and U.S. nuclear facilities, because they have developed under very different technical and regulatory environments. The CANDU reactors are large because they use natural uranium. Digital control systems are required to operate at the rated power levels, where xenon has an influence on the neutron flux distribution and stability. U.S. nuclear reactors use enriched uranium and are substantially smaller. As a result, the influence of xenon on the spatial distribution of the neutron flux is limited, and analog control systems are deemed to be adequate. Necessity and sound engineering have made digital control systems acceptable in the CANDU reactors.

Extensive experience with digital systems in control of early CANDU reactors demonstrated the inherent advantages (reliability, flexibility, stability, etc.). Hence, it was a logical next step to introduce digital systems into safety systems. As a result of Canada's very favorable experience in using digital systems in both control and safety systems, the percent of such systems using digital technology has grown rapidly (see Figure 25). The ability to easily automate many test and calibration functions, to the point of using every other cycle for testing in safety systems, has resulted in significant advantages and safety improvements to the CANDU power plants over plants using analog systems. Indeed, the Canadian use of digital safety systems in nuclear power plants, without analog backup systems, is almost unique in the world.

[figure 25]
Figure 25. Trend Toward Digital Control and Protection in CANDU Pressurized Heavy Water Reactor Nuclear Steam Supply Systems (PHWR NSSS). (Source: Atomic Energy of Canada, Ltd.)

In the United States, digital control was not originally deemed a necessity to operate nuclear power plants safely, and vendors utilized traditional analog systems for both control and safety. Once the overall design of power plants evolved to a certain level, the rapid growth of the industry (over 100 plants in 25 years) often made regulatory approval of changes difficult. By the time the advantages of digital systems became apparent to U.S. vendors and utilities, they were a decade or more behind the Canadians as far as experience with digital systems was concerned. Although there are exceptions, most U.S. nuclear I&C vendors today utilize digital systems that emulate the function of the analog systems they replace, and make the units plug compatible, physically, electronically and functionally.

Table 27 compares I&C systems in U.S. and Canadian nuclear power plants. For the reasons discussed above, the I&C systems in the Canadian plants are well ahead of those in the United States in most categories. Furthermore, there is little expectation that the situation will change significantly in the near future. (However, a recent Electric Power Research Institute (EPRI) initiative could change this situation substantially by the end of the century.) A major contributing cause is that there have been no new orders for nuclear power plants from U.S. utilities since the accident at Three Mile Island. Nevertheless, there is considerable effort being expended in the United States for I&C systems for the next generation of nuclear power plants (SBWR, AP-600, ALWR, and MHTGR). Since many U.S. vendors are associated with foreign vendors (Combustion Engineering is owned by ABB Atom, B&W is 51% owned by Framatome, and General Electric has a very close association with both Toshiba and Hitachi), it is expected that much of the European and Japanese experience in advanced I&C could be available to U.S. vendors for the next generation of nuclear power plants in the United States. Canadian I&C technology is also available in the United States, and AECL is an active competitor in bidding for digital I&C systems (e.g., digital feedwater control systems) in U.S. nuclear plants. AECL has also submitted a letter of intent to the U.S. Nuclear Regulatory Commission to submit the 450 MWe CANDU-3 design for standard design certification under 10 CFR Part 52.

The hypothesis that properly introducing digital systems increases safety has been supported by the Canadian experience. The safety significance of the performance of digital vs. analog systems is a critically important issue, and it undoubtedly will become more important with aging and obsolescence of hardwired analog components. The use of flexible digital systems permits reallocation of the testing function to the computer, with an attendant increase in reliability and safety. Mounting evidence of the superior performance of digital systems provides a basis for all regulatory authorities to allow utilities worldwide to introduce digital-based systems where it makes sense to do so. The most important step needed for such action is a clear definition by regulatory authorities of the validation and verification requirements and acceptance criteria for both digital hardware and software.

[table 27]
Table 27. Comparison of Canadian and U.S. Nuclear I&C Systems
[1] The terms "PLC" (programmable logic controller) and "PDC" (programmable digital controller) are often used interchangeably, depending on the context.

Published: March 1994; WTEC Hyper-Librarian