4. GENERIC SAFETY ISSUES FOR PRESSURIZED HEAVY WATER REACTOR

4.1. Design safety issues

4.1.7. Instrumentation and control (incl. protection systems)

ISSUE TITLE: Inadequate electrical isolation of safety from non-safety-related equipment (IC 1)

ISSUE CLARIFICATION:

Description of issue:

This issue is also applicable to NPPs with LWR.

Electrical isolation devices are used to maintain electrical separation between safety- and non-safety-related systems in nuclear power plants (NPPs). The isolators are primarily used where signals from safety systems are transmitted to control or display equipment, such as the safety parameter display system (SPDS).

Electrical isolators include fibre-optic and photo-electric couplers, transformer-modulated isolators, current transformers, amplifiers, circuit breakers, and relays.

Observations during SPDS evaluation tests found that, for electrical transients below the maximum credible level, a relatively high level of noise could pass through certain types of isolation devices and be transmitted to safety-related circuitry. A high level of electrical energy passing through the isolator could damage the safety system component, which may lead to unwanted operation of other devices, while a lower level of energy could generate electrical noise that causes the isolation device to give a false output.

Safety significance

Signal leakage through inadequate isolation devices into safety-related circuitry could damage or seriously degrade the performance of safety system components. In other cases, electrically generated noise on the circuit may cause the isolation device to give a false output. Either may impair the safety systems.

Source of issue (check as appropriate)

• ____xx____ operational experience

• __________ deviation from current standards and practices

• ____xx____ potential weakness identified by deterministic or probabilistic (PSA) analyses

MEASURES TAKEN BY MEMBER STATES:

Argentina

Embalse NPP mainly uses opto-couplers, isolation transformers and isolation amplifiers.

Canada

In all current designs, safety-monitoring systems are engineered and tested for proper isolation from automatic safety system actuation subsystems and equipment.

Modifications need to be implemented in some older units to alleviate this concern. Particular care is required in computerized monitoring system retrofits to older plants.

India

Indian PHWR designs use mainly optical isolation, isolation transformers and isolation amplifiers to isolate the signals of safety equipment from noise and from non-safety-related signals. There have been some occasions which revealed a lack of isolation, as well as failures of isolation. Magnetic coupling and interference have also been observed. Considerable difficulty is experienced in tracking these, as they occur sporadically and adequate detection technology is not available. In new plants, the PLCs controlling safety-related and non-safety-related loads are separated. The programmable digital comparator system (PDCS) for safety and non-safety systems is also separated in the 540 MWe plants. In old PHWRs the uninterruptible power supply (UPS) systems for control systems have been separated from the normal Class II electrical power supply. In current designs, even the UPS supplying safety-related control equipment is segregated from that supplying non-safety-related equipment.

Korea, Republic of

The isolators used in Korean NPPs are qualified as Class 1E components. Use of any isolator which does not satisfy the requirements of IEEE Std 323 (Qualifying Class 1E Equipment for Nuclear Power Generating Stations) and IEEE Std 603 (Criteria for Safety Systems for Nuclear Power Generating Stations) would be a violation of the FSAR, which commits to the use of these IEEE standards. If any additional installation or modification of a signal loop of a safety system is implemented, the licensee must report it. The EMI/EMC qualification is therefore validated in the process of reviewing the report of modification or change of safety systems.

Romania

The requirements for the electrical isolation of safety equipment are based on the Systems and Items Classification Lists, which, as shown in GL1, are based on the licensing basis requirements. These aspects are covered at Cernavoda NPP by design. All safety-significant items on the electrical side that need isolation have to comply with the IEEE Class 1E requirements, as per the EQR requirements.

Unit 2 requirements, however, have some modifications compared with the Unit 1 requirements, related to environmental qualification (inside buildings), due to the enlargement of the DBA and BDBA postulated for it.

The differences for Unit 1 are being identified and are to be included in the Periodic Safety Review process from May 2001. However, no major aspects impacting safety are expected.

ADDITIONAL SOURCES:

• INTERNATIONAL ATOMIC ENERGY AGENCY, Management of Ageing of I&C Equipment in Nuclear Power Plants, IAEA-TECDOC-1147, IAEA, Vienna (2000).

• INTERNATIONAL ATOMIC ENERGY AGENCY, Management of Life Cycle and Ageing at Nuclear Power Plants: Improved I&C Maintenance, IAEA-TECDOC-1402, IAEA, Vienna (2004).

• Strategic Policy for Cernavoda NPP Unit 2 licensing process, CNCAN 1997.

• Cernavoda Unit 1 Commissioning and Operating Licenses, 1994-1995, and 1999.

• EQR for electrical systems for Cernavoda NPP Unit 1.

• FSAR Cernavoda Unit 1, 1995.

• Strategic Policy for Cernavoda NPP Unit 1 relicensing in May 2001, CNCAN March 2000.

• System Classification List procedure, Cernavoda NPP.

ISSUE TITLE: I&C component reliability (IC 2)

ISSUE CLARIFICATION:

Description of issue

This issue is also applicable to NPPs with LWR.

Safe reactor operation requires comprehensive instrumentation to actuate the reactor protection system and other I&C systems that may be necessary. The I&C equipment of NPPs is based on different technologies, which can in some cases present reliability problems. Operational experience has shown that the I&C failure rate is relatively high in old NPPs due to technological obsolescence and ageing.

Some I&C system designs do not include a reliability analysis of hardware and software, nor of the reliability impact of I&C components on overall plant safety. Such reliability analysis should cover behaviour before, during and after accident conditions, including the instruments used in the reactor: thermocouples, pressure transducers, flow meters, etc.

Safety significance

Poor I&C reliability may result in the impairment of safety systems. The effect can worsen with age unless there is a good ageing management programme in place involving maintenance and replacement of I&C components. Also of concern is the obsolescence of digital equipment, particularly if the original equipment is no longer available.

This issue affects the design provisions and may have a direct or indirect impact on deviations from normal operation, on bringing back the installation to normal operating conditions and on the capability of engineered design features to prevent the evolution of deviations into more severe accidents.

Source of issue (check as appropriate)

• ____xx____ operational experience

• ____xx____ deviation from current standards and practices

• __________ potential weakness identified by deterministic or probabilistic (PSA) analyses

MEASURES TAKEN BY MEMBER STATES:

Argentina

In order to increase the reliability of safety-significant I&C, two important activities have been performed recently: modification of the reactor protection system of CNA1 by the addition of two new trip signals, implemented with EDM ISKAMATIC & TELEPERM C Siemens technology instead of the old SIMATIC N; and total replacement of the vanadium and platinum vertical neutron flux detectors and the associated wiring in CNE due to obsolescence and ageing.

− Total replacement of the vertical neutron flux detectors in CNA1 due to ageing.

− Replacement of the mercury-wetted relays used in the safety systems of CNE with tin-doped relays, for component reliability reasons. An increase in the number of relay failures was detected and it was decided to analyse the causes. The results of this analysis indicated that the mercury-wetted relays suffered mercury degradation (ageing) that causes the mercury to stick to the relay electrical contacts, i.e. the contacts remain closed. At that time, all CNE safety systems had relays of this type, as follows: SS#1 and ECCS use C.P. Clare relays, which are mercury-wetted relays (without tin); SS#2, the containment system and EWS use Potter & Brumfield relays, 40% of which were doped with tin. The different relay suppliers reflect diversity design requirements. To reduce relay failures it was decided to replace the mercury-wetted relays by mercury-wetted relays doped with tin. At present, 50% of the relays have already been replaced, in accordance with the programme.

Special consideration has to be given to maintenance programmes for solid-state components and other safety-related I&C components in all NPPs.

The cables and connections of the reactivity devices (shutoff rods, absorbers and adjusters) from the panels to the reactivity desk were replaced. The new cables and connectors fulfil the environmental qualification requirements for the new CANDU plants.

Canada

The I&C components of the safety systems and of the reactor regulating system have not been a significant source of unacceptable reliability. Some components, notably mercury-wetted relays, have been replaced in order to improve I&C reliability. Obsolescence of digital equipment is a concern, particularly if the original equipment is no longer available.

India

Periodically, I&C component failures/problems, both isolated and of a generic nature, have been experienced in the Indian PHWRs. The older units used thermovolts for generating reactor trip contacts for some process parameters. AERB asked for a detailed review of failures, both safe and unsafe, and a plan of corrective action including phased replacement, and these reports have been submitted. In some areas thermowell-type RTDs and thermocouples were unreliable and caused problems. These have been replaced by surface-mounted RTDs. High temperature in the control room and adjacent rooms used to result in common-mode failure of several printed circuit boards. This was corrected by increasing the reliability and capacity of the cooling systems, specifying a higher ambient temperature to the manufacturers, etc. There have been a few instances of failure of junction boxes due to high humidity in the pump room/boiler room, and the utility has imposed an administrative limit on the steam leak in these areas beyond which the unit is shut down to carry out rectification. The effect of instrument air on I&C reliability, especially if moisture and oil are present, is dealt with in issue No. ES5.

Instrumentation systems used in older units suffer from lack of vendor support, spare parts, etc. (see item MA1). Phased replacement/upgrading of these has been instituted. An example is the upgrading of the instrumentation system of the light water dousing system of RAPS 1 and 2. Issues connected with upgrading by replacement with computer-based systems are covered under issue No. IC 4. Some of the replacement I&C components started failing under high radiation fields. Installing additional shielding/relocating has been implemented as a temporary measure. A long-term plan to resolve this issue is being followed with the suppliers. To improve the reliability of I&C components, impulse lines are SSE qualified.

For thermowell-type and surface-mounted RTDs, reliability parameters are taken from generic data sources, i.e. IEEE and IAEA TECDOCs.

I&C systems for which reliability analysis is carried out include the PDCS, PLC, DPHS, RRS, ICMS and the ECCS test facility.

Korea, Republic of

In order to increase the reliability of safety-significant I&C, the following activities have been performed in old plants:

− replacement of neutron flux detector assemblies

− replacement of mercury-wetted relays

− upgrade of ion chamber signal processors

− SDS #1 PDC replacement plan

Pakistan

The instrumentation and control equipment installed at KANUPP was based on mid-1960s technology. To overcome the problems of ageing and obsolescence, it was planned to replace the existing computers, important C&I loops and panel C&I devices with advanced process controls and instrumentation.

The “Computers, Control and Instrumentation Back-fitting Project” was initiated by KANUPP in the early 1990s. After completion of the civil work, the major infrastructure-related activities and installation work were completed by the year 2000. The remaining infrastructure-related activities, installation work, pre-commissioning, testing and commissioning were completed between 2000 and 2003. The plant has been operational since January 2004 using the new I&C systems.

The plant regulating computers (ARC and BRC) have also been replaced by new PLC-based I&C systems. The following distinct plant functions are now performed by these systems:

i) Reactor Power Regulation

ii) Fuel Channel Temperature Monitoring

iii) Bearing Temperature Monitoring of Pumps & Motors

iv) Failed Fuel Activity Monitoring

v) Alarm Annunciation

Twenty-seven (27) measurement loops and fifteen (15) closed-control loops were replaced in the 2003 outage. Commissioning of the remaining conventional and safety C&I loops will be carried out in 2006. A Safety Parameter Display System (SPDS) and a Critical Parameter Display System (CPDS) have been installed and are functional.

Romania

The reliability parameters of the I&C components were part of a check similar to that for the diesels. In addition, the tests during commissioning were guided by Key (safety) Commissioning Objectives, based on the data to be demonstrated in the FSAR and on the component priority defined according to the systems' safety functions. A document called the Safety Analysis Data List was defined for all systems, and parameters for valves were also part of this system of testing in commissioning. From the analysis results, data were also derived for the Mandatory Test programme defined for systems with safety functions, and consequently for all their components, which is applied during operation. Procedures were also changed to support operator actions in these possible situations. It is also to be mentioned that feedback from operation is expected to refine this process.

As a result of this process, the licensee decided to perform a so-called 'Fix the Plant' programme to solve the problem of low reliability parameters for some plant I&C components; the programme is close to completion.

ADDITIONAL SOURCES:

• INTERNATIONAL ATOMIC ENERGY AGENCY, Modernization of Instrumentation and Control in Nuclear Power Plants, IAEA-TECDOC-1016, IAEA, Vienna (1998).

• INTERNATIONAL ATOMIC ENERGY AGENCY, Management of Ageing of I&C Equipment in Nuclear Power Plants, IAEA-TECDOC-1147, IAEA, Vienna (2000).

• INTERNATIONAL ATOMIC ENERGY AGENCY, Management of Life Cycle and Ageing at Nuclear Power Plants: Improved I&C Maintenance, IAEA-TECDOC-1402, IAEA, Vienna (2004).

• Cernavoda Unit 1 Commissioning and Operating Licenses, 1994-1995, and 1999.

• Commissioning tests and reports for instrument air systems and safety systems, Cernavoda NPP Unit 1, 1995-1996, as reflected independently and in chapter 14 of the FSAR Phase I, 1995.

• FSAR Cernavoda Unit 1, 1995.

• Strategic Policy for Cernavoda NPP Unit 1 relicensing in May 2001, CNCAN March 2000.

• ATOMIC ENERGY REGULATORY BOARD, “Safety Related Instrumentation and Control for PHWR based NPPs”. AERB/NPP-PHWR/SG/D-20 (2003).

• FSAR Narora Atomic Power Station 1&2.

ISSUE TITLE: Lack of on-line testability of protection systems (IC 3)

ISSUE CLARIFICATION:

Description of issue

This issue is also applicable to NPPs with LWR.

The protection system designs of some old plants do not provide for on-line testability.

During normal operation, protection systems are in standby; therefore failures of components may not be detected. Periodic tests are performed to provide some confidence in the capability of protection systems to fulfil their function. These tests are designed to simulate reactor protection actions following an accident or incident and should ideally trigger the whole protection chain from the sensors to the actuators. Manual testing during plant operation requires time and could be a source of errors; in addition, any untimely protection actuation has to be avoided during or after the test, as well as any unwanted inhibition while the plant is in operation.

On-line testing increases the ability to detect existing failures of the protection system and could therefore result in improved reliability of the system; hence, a reduction in plant risk.

Testing has a direct impact on the availability of safety-related systems. Safety systems in current PHWR plants are designed for on-line testability. However, in some old plants a large portion of the protection system hardware can only be tested through the sub-group relays during outages, which typically occur at an 18-month frequency.

Safety significance

During normal operation, protection systems are in their stand-by mode. Without testing, it is not possible to demonstrate operability and the availability of the safety systems to perform their intended functions on demand.
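The argument above (hidden standby failures, test interval, plant risk), and the reliability analysis that IC 2 asks for, can be made concrete with a small standby-unavailability model. The Python below is an added worked example, not text or code from the IAEA document or from any member state; the failure rate, test intervals, detection time, common-cause fraction and test-record counts it uses are illustrative assumptions, not plant data. It compares an 18-month outage test, a monthly on-line test and continuous self-monitoring, first per channel and then through a 2-out-of-3 trip logic, and adds a beta-factor common-cause term to show what on-line testing does not remove.

```python
"""Standby unavailability of a periodically tested protection channel.

Added worked example; all numbers are assumptions, not plant data.
Model: constant failure rate lambda (per hour); a failure in a standby
channel stays hidden until the next test, or until a self-test detects it.
"""
import math
from math import comb

HOURS_PER_MONTH = 730.0  # assumption: average calendar month


def periodic_test_unavailability(failure_rate: float, test_interval_h: float) -> float:
    """Mean fractional dead time of a standby channel whose failures are
    revealed only by a test every test_interval_h hours (repair assumed
    immediate at the test).  Exact form of the usual lambda*T/2 rule:
    (1/T) * integral_0^T (1 - exp(-lambda*t)) dt."""
    x = failure_rate * test_interval_h
    if x <= 0.0:
        return 0.0
    return 1.0 - (1.0 - math.exp(-x)) / x


def monitored_unavailability(failure_rate: float, mean_detect_restore_h: float) -> float:
    """Unavailability of a channel whose failures are revealed by continuous
    self-monitoring (on-line test) and restored within mean_detect_restore_h
    on average: lambda*tau / (1 + lambda*tau)."""
    lt = failure_rate * mean_detect_restore_h
    return lt / (1.0 + lt)


def voted_system_unavailability(q: float, k: int, n: int, beta: float = 0.0) -> float:
    """Probability that a k-out-of-n voted trip logic cannot trip on demand,
    given per-channel unavailability q.  beta is the beta-factor common-cause
    fraction (an assumed PSA convention): that share of q is taken to fail all
    n channels together; the rest fails channels independently."""
    q_ind = (1.0 - beta) * q
    q_ccf = beta * q
    # The independent part defeats the logic when at least n-k+1 channels are down.
    p_ind = sum(comb(n, j) * q_ind ** j * (1.0 - q_ind) ** (n - j)
                for j in range(n - k + 1, n + 1))
    # System is down if the independent logic fails OR the common-cause event hits.
    return 1.0 - (1.0 - p_ind) * (1.0 - q_ccf)


def unavailability_from_test_records(tests_performed: int, failures_found: int,
                                     test_interval_h: float) -> float:
    """Point estimate of fractional dead time from surveillance results, as
    used when reporting availability figures: each failure found on test is
    assumed to have existed, on average, for half an interval."""
    if tests_performed <= 0:
        raise ValueError("need at least one test")
    return failures_found * (test_interval_h / 2.0) / (tests_performed * test_interval_h)


def compare_test_strategies(failure_rate: float = 1.0e-5, beta: float = 0.0) -> dict:
    """Per-channel and 2-out-of-3 system unavailability for three ways of
    revealing hidden failures.  Default failure rate is an assumption."""
    per_channel = {
        "outage test every 18 months": periodic_test_unavailability(failure_rate, 18 * HOURS_PER_MONTH),
        "on-line test every month": periodic_test_unavailability(failure_rate, HOURS_PER_MONTH),
        "continuous self-test, 24 h to restore": monitored_unavailability(failure_rate, 24.0),
    }
    return {name: (q, voted_system_unavailability(q, 2, 3, beta))
            for name, q in per_channel.items()}


if __name__ == "__main__":
    for name, (q_ch, q_sys) in compare_test_strategies().items():
        print(f"{name:40s} channel {q_ch:.2e}  2oo3 logic {q_sys:.2e}")
    # Common-cause failure is the part that a shorter test interval cannot remove:
    for name, (_, q_sys) in compare_test_strategies(beta=0.05).items():
        print(f"{name:40s} 2oo3 logic with beta=0.05 {q_sys:.2e}")
```

Run as a script it prints the comparison. With the assumed rate, moving from the 18-month outage test to a monthly on-line test cuts the per-channel dead time by roughly the ratio of the intervals, the 2-out-of-3 logic squares that benefit, and once a 5% common-cause fraction is included the common-cause term, not the test interval, sets the floor for the self-monitored case. The beta-factor model and the half-interval estimator are standard PSA conventions assumed here; the document itself does not prescribe a method.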

Source of issue (check as appropriate)

• ____xx____ operational experience

• ____xx____ deviation from current standards and practices

• ____xx____ potential weakness identified by deterministic or probabilistic (PSA) analyses

MEASURES TAKEN BY MEMBER STATES:

Argentina

As a design requirement, periodic tests of the reactor protection systems must be performed to demonstrate that such systems are in an available and operable state. Test results are included in a Safety System Annual Report that allows performance evaluation and the necessary corrections and/or modifications.

Canada

On-line testability of protection systems is a regulatory requirement. Licensees routinely report (quarterly) availability figures for protection systems, on the basis of test results and failures recorded during the period. Licensees are required to demonstrate that safety system reliability targets continue to be satisfied.

India

Most parameters of the reactor protection system and engineered safety features have a built-in on-line test facility. For some parameters the on-line test facility is susceptible to human error, although in the safe direction. A few cases exist where on-line/on-power testing was not envisaged in the initial design, as the test frequency is comparatively low. Testing these parameters needs a reactor shutdown. This problem was not appreciated earlier, as plants were not operating continuously for long periods.

Presently Indian NPPs operate for more than a year without shutdown. Therefore the current injection test method has been retrofitted in some plants and is being incorporated in the rest of the plants where such deficiencies exist. Newer reactors have finite impulse test systems to continuously check the health of electronic circuits and equipment. The AERB code on design makes this mandatory for new stations.

Apart from on-line testing of the electronic parts of the protection systems, on-line testing of the shutoff rod clutch release, for a limited drop, is demonstrated in the 540 MWe PHWRs.

The non-availability of some systems during testing (e.g. the dousing system in RAPS 1 and 2, where two channels are blocked during testing) has been factored into the engineered safety feature non-availability calculations/targets used for safety analysis.

Continuous efforts have been made to avoid errors during manual testing. These include better checklists, different colour checklists for each channel, testing by electronic injection circuits up to the detector and of the whole circuit during outages, etc.

Korea, Republic of

On-line testability of the protection systems is demonstrated ("Operable") by the periodic performance of the surveillance tests described in the technical specifications, so as to satisfy the safety reliability targets. The licensee must report any failure related to the shutdown system that occurs.

Romania

This operability is checked as part of the self-assessment programme that reviews the operational feedback system for all plant systems/components, including the protection systems. The need for testability of the systems (i.e. the list of these systems) was based on the requirements of the Safety Classification Lists and on the results of the probabilistic analyses (review of reliability analyses, safety design matrices and various versions of PSA level 1). New confirmation is expected from the new PSA level 1 being developed for Unit 1 as a licensing condition in the Periodic Safety Review programme.

However, no event has been encountered so far by the licensee, nor any emerging problem related to this topic, that would justify its definition as a Generic Safety Issue.

ADDITIONAL SOURCES:

• PSA level 1 Cernavoda NPP unit 1, results as included in the reports to IPERS mission in 1995.
