1 June 2007
Nuke design: A digital dictum
Korean plant shares lessons in advanced digital controls, suggested for U.S. plant upgrades
By Yangmook Chung, John Stevens, and William J. Gill
For more than a decade, the South Korean nuclear power industry has made digital control systems the backbone of nuclear power plant operations. One plant's approach to standardizing design approaches for reliable I&C technologies could offer suggestions to existing U.S. nuclear plants in upgrading with retrofits and even new plant designs.
Korea Hydro and Nuclear Power Co., Ltd. (KHNP) has relied on the use of digital controls from reactor protection to plant-wide control systems. At the Ulchin plant, we commissioned Units 5 & 6 (1000 MW) with advanced programmable digital control systems for safety- and non-safety-related nuclear steam supply system (NSSS) and balance-of-plant (BOP) functions. The systems meet rigorous performance and functional specification criteria.
Key areas guiding Ulchin's selection and project execution for digital controls included a reliable fault tolerant system, functional segmentation to minimize the effects of failures on operation, and validation and verification of the owner's application design (for regulatory compliance). Other needs included validation and verification of the system architecture and operation to assure system performance met the intended use. System response time was critical to plant performance, as was global long-term system support for the human machine interface (HMI), control system components, and communications.
The control system specifications, which Korea Power Engineering Company, Ltd. (KOPEC) usually writes, have traditionally invoked the latest advanced proven technology, challenging vendors to supply this technology for highly customized system solutions. We have encapsulated the challenges in rigorous system layout requirements (functional segmentation) and system performance parameters. The plant control systems at a typical KHNP nuclear power plant are responsible for NSSS and BOP controls, including the main control room HMI, and comprise safety and non-safety applications. Typical system size for the BOP is more than 14,000 I/O points and comprises thousands of controller cards. While they must maintain isolation between the safety and non-safety systems, the actual global system performance allows controlled exchange of data through various isolation schemes. Because of the system-wide response time requirements, the supplier is often challenged to meet the specification with available technologies, coupled with specific development to boost system response time and reliability.
In addition to functional performance and regulatory functional requirements, the plant control system must also exchange data with other digital systems in the plant to minimize mistakes in the database, data structure, and data integrity. Without trouble-free plant control systems, the nuclear power plant simply cannot run.
Ulchin control system project
As part of the initial engineering, manufacturing, and validation for robustness, we constructed a qualification cabinet comprising controllers, racks, I/O, and auxiliary equipment, including HMIs, to create a fully functional operating system as it might be at the plant, mounted with cabinets and consoles. We then subjected it to environmental testing.
Perhaps the most demanding part of the total manufacturing cycle was the factory acceptance test. We wired every I/O point to a field simulating device to perform a rigorous check of the logic. As part of the regulatory compliance requirement, the system vendor had to demonstrate the logic drawings from the owner's engineer were correctly and exactly implemented in the system and verified by actual system performance. The engineering implementation could in no way change the design and intent of the logic. There could be no deviation in system look and feel in response to operator interactions with HMI devices. The integrity of the entire safety design basis rests on the precise implementation of the logic sequences in the system hardware and software. To pass the Korea Institute of Nuclear Safety (KINS) regulatory inspection of the system, we needed exact implementation and traceability of the entire process.
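The factory acceptance test described above amounts to driving every input combination and confirming that the configured logic matches the owner's logic drawing exactly, with a record that can be traced back to the drawing. The following Python is an added illustration of that check and is not code from the article, KHNP, KOPEC, or the system vendor. The trip logic (a 2-out-of-3 high-pressure vote with a manual trip and a channel bypass), the input names, and the "correct" and "defective" builds are constructed for the example; a real FAT drives physical I/O rather than Python functions.

```python
from itertools import product

# Constructed input list for the example logic; not points from the Ulchin design.
INPUTS = ["P1_HI", "P2_HI", "P3_HI", "MANUAL_TRIP", "BYPASS_CH3"]


def spec_trip(s):
    """Owner's logic drawing (constructed): trip on 2-out-of-3 high pressure,
    manual trip always trips, and channel 3 can be bypassed for maintenance."""
    ch3 = 0 if s["BYPASS_CH3"] else s["P3_HI"]
    return bool(s["MANUAL_TRIP"] or (s["P1_HI"] + s["P2_HI"] + ch3) >= 2)


def impl_trip_correct(s):
    """Vendor build that implements the drawing exactly."""
    ch3 = 1 if (s["P3_HI"] and not s["BYPASS_CH3"]) else 0
    return bool(s["MANUAL_TRIP"] or (s["P1_HI"] + s["P2_HI"] + ch3) >= 2)


def impl_trip_defective(s):
    """Vendor build with a defect: the bypass was never wired into the voter."""
    return bool(s["MANUAL_TRIP"] or (s["P1_HI"] + s["P2_HI"] + s["P3_HI"]) >= 2)


def all_vectors(names):
    """Every combination of the binary inputs, in a fixed, repeatable order."""
    for bits in product((0, 1), repeat=len(names)):
        yield dict(zip(names, bits))


def verify(spec, impl, names):
    """Drive every input vector through spec and implementation; return deviations."""
    deviations = []
    for vec in all_vectors(names):
        expected, actual = spec(vec), impl(vec)
        if expected != actual:
            deviations.append({"inputs": vec, "expected": expected, "actual": actual})
    return deviations


def traceability_record(spec, impl, names):
    """One line per test vector (TV-001, TV-002, ...) for the test record that
    accompanies the logic drawing through regulatory inspection."""
    lines = []
    for i, vec in enumerate(all_vectors(names), 1):
        settings = " ".join(f"{k}={v}" for k, v in vec.items())
        lines.append(f"TV-{i:03d} {settings} -> expected={int(spec(vec))} actual={int(impl(vec))}")
    return lines


if __name__ == "__main__":
    print("correct build deviations:", len(verify(spec_trip, impl_trip_correct, INPUTS)))
    for d in verify(spec_trip, impl_trip_defective, INPUTS):
        print("DEVIATION", d)
    print("\n".join(traceability_record(spec_trip, impl_trip_correct, INPUTS)[:4]), "...")
```

The defective build passes every vector except the two in which channel 3 is bypassed, its pressure input is high, and exactly one other channel is high; exhaustive stimulation is what surfaces that class of error, whereas a handful of hand-picked scenarios easily misses it.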
We shipped both systems at the scheduled times (about a year apart). This on-time shipment has historically been a problem for most nuclear power plant digital control system suppliers. The Ulchin 5&6 PCS vendor provided on-site technical supervision of installation and commissioning, part of the total plant commissioning of all the various reactor and mechanical systems in the new plants. For each unit, this process took nearly a year until we loaded each reactor vessel with fuel and ramped up heat production toward steam production.
While ramping toward power production, we had to modify some of the mechanical equipment as well as some logic in the system. Due to the length of time between initial conceptual engineering and final delivery of equipment (valves, fans, instrumentation, and vessels), suppliers had sometimes improved the final delivered products, resulting in needed changes to control system layout and operation. This is a normal part of new plant construction and startup and has occurred frequently in Korea. Suppliers must be prepared to provide plants with timely support.
Plant operation experience
Unit 5 went commercial in June 2004 and Unit 6 in July 2005. There have been no unit trips due to control system malfunction or component failure. The systems have performed to specification. We verified loop response speed, which is critical to accurate and timely field changes, and found it satisfactory in real-world implementation. We also validated the speed of data transmission between the furthest points in the system. This has allowed the plant to employ logic in certain dedicated processors removed from the controlled I/O by thousands of feet. This extensive use of multiplexed, remote I/O has saved the plant millions of dollars of wiring and conduit expense, relying instead on high-speed, redundant fiber optics.
Using multiplexed I/O and high-speed communication techniques to bridge data between safety and non-safety systems helps create a continuous and seamless backplane across the entire plant. Use of fiber optics satisfies the requirement to isolate safety signals from non-safety signals, yet still allows significant data throughput. High-speed controllers with documented logic execution times have guaranteed the seamless throughput of data as well as the loop decision speed necessary to implement the control design.
With the advanced engineering workstation tools the vendor supplied, updating logic, I/O schematics, and other system documentation in compliance with regulatory requirements reduces engineering hours, since everything is maintained in one tool. The tool is designed to comply with the rigorous Electric Power Research Institute and IEEE standards KINS has promulgated for traceability of system changes.
Lessons for U.S. nuclear industry
While the digital plant control systems supplied to Ulchin 5 & 6 were for new plants, there are pertinent aspects of the KHNP and KOPEC approaches in specification writing and vendor selection the U.S. nuclear power industry should consider.
The plant control system supplied for each of the units at Ulchin comprises 60+ cabinets of safety and non-safety digital controls. At first blush, this might appear to be simply a large-scale distributed control system (DCS). In fact, each system is a tightly connected group of more than 1200 control loops or mini-DCS systems, residing in fully independent racks with independent power supplies. They are all designed to minimize or eliminate any propagation of failure or failure modes. This approach provides maximum functional segmentation to match the physical I&C design basis of the plant.
The bulk of U.S. nuclear power plants retain this high degree of functional segmentation, implemented initially through the analog and relay-based controls originally supplied during plant construction. Single or small multi-loop approaches match the present plants' safety design basis. A large DCS controller, capable of hundreds of executable loop logics and able to address thousands of I/O points, will not be cost effective in such a deployment and will absorb precious space resources.
Often, offerings by DCS vendors are multi-market type controllers sold into process or other control applications, which they force-fit into nuclear applications. Plants should be looking for a vendor whose system segmentation can afford the optimum match-up to existing I&C design. This also translates into a greater flexibility in the choice of precise upgrades focused at the greatest return to the plant.
Digital upgrades to some key loops, such as reactor vessel level control, control rod controls, and reactor protection, do not necessarily require large-scale, muscular controllers. Given existing cabinets, the ability to provide a digital platform that can be easily adapted to existing cabinet geometry (such as a 19" rack mount) while still maintaining seismic ratings can be an important evaluation criterion when space is at a premium and schedules will not permit drawn out cabinet conversions.
Yet, the long term ability to support the build-up of a plant-wide control scheme over time, by adding one or more control loops and racks, to achieve the net effect of an integrated DCS is a system characteristic that should be available. The systems at Ulchin are modeled on this basis: a coupling of 1200 mini-DCS systems.
Another evaluation criterion should be long-term support of equipment. The long lead times of regulatory permitting can often extend into months. Suppliers who do not own their own technology will face digital obsolescence of key components, such as the main microprocessors, yet will not have the ability to quickly respond, replace, or maintain such components. A vendor who owns the technology and has a demonstrable track record of commitment to long-term system support is the surest guarantee of sustainability through the regulatory process and beyond. One of the key commitments in the Ulchin contract is a guarantee of system support for 20 years, including spare parts, renewal materials, and upgrades.
About the Authors
Yangmook Chung is a computer section lead at Korea Hydro & Nuclear Power Co., Ltd., Ulchin Nuclear Power Site in Ulchin, South Korea. John Stevens is director of project engineering at HF Controls Corp. in Addison, Tex. William J. Gill is president of Windsor Consulting Group in Bloomfield, Conn.
Selecting a PCS vendor
The selection of the vendors for the plant control system is vitally important to Korea Hydro and Nuclear Power Co., Ltd., given its stringent operations philosophy. All plants have the identical look and feel at the main control consoles. A consulting engineer is available to all plants 24/7 to walk through issues. This mandates the use of a common approach to the operational design and function of the HMI. They do not tolerate functional equivalency or vendor interpretation through to implementation.
Factors to consider in choosing a vendor include installation costs, space, schedule, and technical factors. But technical factors undergo the greatest scrutiny. These include system performance features, system reliability, system operability and maintainability, and licensability.
Technical factors to consider include performance indicators, such as system configuration and flexibility; response time; safety design; communication network performance, such as structure and transfer rate; and error recovery. We also consider I/O device performance, such as scanning time and interfaces with various field sensors. The ability to hot swap devices is important. Power supply requirements, such as redundancy, isolation, and grounding, are also important considerations. And of course there must be compliance with Korea Power Engineering Company, Ltd. (KOPEC) standards and system expandability.
Reliability and availability issues to consider include system availability, such as mean time between failures and mean time to recovery; redundancy to improve availability; diversity with a backup panel designed by KOPEC; ergonomic design; independent design of the communication network; and fault-tolerance. (We do not allow loss of one channel or one component to propagate to adjacent channels or devices.)
Operability and maintainability considerations include: diagnostics, such as self-test and failure indication; easy replacement of parts; maintenance schedule, including life cycle of parts, components, and equipment; and operating conditions.
Licensability includes diversity to defend against common mode failure; rigorous implementation of industry standards in life-cycle development; communication independence; environmental conditions; equipment qualification (ability to withstand seismic events and emissions/radio frequency excursions); and experience.
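The reliability factors listed above (mean time between failures, mean time to recovery, redundancy of loops and of communication channels) combine into a system availability figure that an evaluator can actually compare between vendors. The Python below is an added worked example, not calculation from the article or from KHNP's evaluation process. The MTBF and MTTR values in `LOOP_BOM` and for the fiber links are constructed placeholders, not vendor data; the formulas are the standard steady-state availability relations (MTBF / (MTBF + MTTR), series product for items that must all work, parallel complement for items where any one suffices).

```python
HOURS_PER_YEAR = 8760


def availability(mtbf_hours, mttr_hours):
    """Steady-state availability of one repairable item: MTBF / (MTBF + MTTR)."""
    return mtbf_hours / (mtbf_hours + mttr_hours)


def series(avails):
    """All items must be up, e.g. one loop = controller + I/O card + power supply."""
    total = 1.0
    for a in avails:
        total *= a
    return total


def parallel(avails):
    """Any one item keeps the function up, e.g. two redundant loops or fiber links."""
    unavail = 1.0
    for a in avails:
        unavail *= (1.0 - a)
    return 1.0 - unavail


def downtime_hours_per_year(avail):
    """Expected unavailability expressed as hours per year, easier to discuss in review."""
    return (1.0 - avail) * HOURS_PER_YEAR


# Constructed bill of materials for one control loop: (MTBF hours, MTTR hours).
# These are illustrative numbers, not figures from the Ulchin supplier.
LOOP_BOM = {
    "controller": (200_000, 4),
    "io_card": (150_000, 2),
    "power_supply": (100_000, 2),
}


def loop_availability(bom=LOOP_BOM):
    """Single loop: every component in the loop must be working."""
    return series(availability(mtbf, mttr) for mtbf, mttr in bom.values())


def redundant_loop_availability(bom=LOOP_BOM):
    """Entire loop duplicated (controller, I/O, supply), as the article describes
    for protection functions: the function survives if either copy is up."""
    single = loop_availability(bom)
    return parallel([single, single])


def comm_path_availability(link_mtbf, link_mttr, links=2):
    """Redundant fiber links between two cabinet groups; any surviving link carries data."""
    return parallel([availability(link_mtbf, link_mttr)] * links)


if __name__ == "__main__":
    single = loop_availability()
    dual = redundant_loop_availability()
    print(f"single loop      A={single:.6f}  downtime/yr={downtime_hours_per_year(single):.3f} h")
    print(f"redundant loop   A={dual:.9f}  downtime/yr={downtime_hours_per_year(dual):.5f} h")
    print(f"dual fiber link  A={comm_path_availability(50_000, 8):.9f}")
```

The model treats failures as independent, which is exactly the assumption that functional segmentation and independent power supplies are meant to make true; a shared supply or a shared network would correlate the failures and the parallel formula would then overstate the benefit of redundancy.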
Korean nuclear specifications
At the Ulchin 5 & 6 nuclear power plant, the physical implementation of the plant control system is spread over thousands of feet of the plant. Miles of fiber optic cable connect various cabinet assemblies. Control loops directly connect via high-speed interface modules due to speed considerations for correct plant operation, and where necessary, bypass the backbone system communication structure.
The most salient feature of the Korea Power Engineering Company, Ltd. (KOPEC) specification is the high level of control system functional segmentation. The end result is not simply one large control system, but many small control systems correctly linked together. The overriding philosophy is to prevent failures. Loss of any system level components (failure of an I/O card or controller) is limited to a small area by design and results in minimal impact of plant operation.
The Korean nuclear industry has not fully adopted redundancy of controllers, commonly accepted as a standard in conventional distributed control systems applied to process industries or fossil power. We are just now applying it as required by safety design basis requirements in safety control system applications and in critical non-safety applications in new plants. In Ulchin 5 & 6, rather than redundant controllers, entire loops (controllers, I/O, power supplies) are redundant to each other for specific functional protection. We generously adopt redundancy of communication channels throughout the system architecture.
Given the distributed size of the system, high-speed throughput and reliable data transmission from end to end are mandatory. This throughput figures prominently in the deployment of the control scheme as an intimate part of the owner's engineer conception. It also figures into licensability, since the I&C safety design submitted to the regulatory agency, Korea Institute of Nuclear Safety (KINS), rests in part on these performance criteria.
Speed-of-loop execution, from control command through logic to output and feed-back acknowledgement minus field equipment latency, is also a vital piece of the control scheme concept. As with speed of communication, loop execution speed is also a performance parameter that is an intimate part of the KINS safety design basis.
The system architecture, and its ability to match up one-for-one to the actual plant I&C safety design basis, is very important. There is a cost and space consideration in the evaluation. Use of large controller chassis, with more than one thousand loops requiring dedicated controllers, would absorb a huge amount of cabinet space. It would also mean paying for extra computing horsepower beyond what is truly necessary for the loop requirements. Few digital control systems are designed for safety applications with a high degree of functional partitioning. The ideal controllers required by the specification have to perform processes at very high speed but minimize space requirements.
Each has to act independently so as to minimize any propagation of failures and impact to total system operation. Yet each must be able to network to sibling controllers (for example to other safety controllers) or across isolating fiber optic networks to the non-safety side. Some interconnections are so vital as to require dedicated high speed interface modules from loop controllers to other loop controllers that bypass the conventional higher level networks. One of the main hallmarks of nuclear I&C system design and implementation is the physical isolation of safety and non-safety applications, even of data sharing (i.e. an input cannot be wired to both safety and non-safety systems). Extensive use of fiber optics for the vast plant control system network has proven to be an acceptable and reliable isolation approach between safety and non-safety. But usage of fiber optics could not cause any sacrifice in terms of speed, nor could it be seen as a single point of failure (hence redundant links were implemented).
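The segmentation argument running through this section (many small loop controllers in independent racks, whole loops duplicated where protection demands it, and no field input landing on both a safety and a non-safety controller) can be checked as a design rule rather than asserted. The Python below is an added model written for this page; it is not KOPEC's specification or the vendor's tooling. The 1,200 loop count follows the article, but the "four controllers of 300 loops" layout, the choice of which loops are made redundant, and the small wiring table are constructed for illustration.

```python
def assign_loops(n_loops, loops_per_controller, prefix="C"):
    """Map each loop to the single controller that hosts it, packing loops
    onto controllers in order. Returns {loop_id: {controller_id}}."""
    return {loop: {f"{prefix}{loop // loops_per_controller}"} for loop in range(n_loops)}


def make_loops_redundant(hosts, loop_ids):
    """Give each selected loop a complete second copy (controller, I/O, supply)
    on a sibling controller, as described for Ulchin's protection functions."""
    out = {loop: set(ctrls) for loop, ctrls in hosts.items()}
    for loop in loop_ids:
        for ctrl in hosts[loop]:
            out[loop].add(ctrl + "-B")
    return out


def loops_lost(hosts, failed_controllers):
    """A loop is lost only when every controller hosting it has failed."""
    failed = set(failed_controllers)
    return sorted(loop for loop, ctrls in hosts.items() if ctrls <= failed)


def worst_single_failure(hosts):
    """(loops lost, fraction of plant) for the worst single controller failure:
    the 'blast radius' that functional segmentation is meant to shrink."""
    controllers = set().union(*hosts.values())
    worst = max(len(loops_lost(hosts, {c})) for c in controllers)
    return worst, worst / len(hosts)


def isolation_violations(wiring, controller_class):
    """Field inputs wired to both a safety and a non-safety controller, which the
    article's design rule forbids. wiring: {point: {controller}}; controller_class:
    {controller: 'safety' | 'non-safety'}."""
    bad = []
    for point, ctrls in wiring.items():
        classes = {controller_class[c] for c in ctrls}
        if classes == {"safety", "non-safety"}:
            bad.append(point)
    return sorted(bad)


if __name__ == "__main__":
    big_dcs = assign_loops(1200, 300)        # constructed: four large multi-loop controllers
    segmented = assign_loops(1200, 1)        # one loop per controller, Ulchin style
    protected = make_loops_redundant(segmented, range(24))  # constructed: 24 protection loops
    for name, plant in [("large DCS", big_dcs), ("segmented", segmented),
                        ("segmented + redundant loops", protected)]:
        lost, frac = worst_single_failure(plant)
        print(f"{name:28s} worst single controller failure: {lost:4d} loops ({frac:.2%})")

    # Constructed wiring table: LT-200 is the violation (landed on S2 and N3).
    wiring = {"PT-101": {"S1"}, "PT-102": {"N7"}, "LT-200": {"S2", "N3"}}
    classes = {"S1": "safety", "S2": "safety", "N3": "non-safety", "N7": "non-safety"}
    print("isolation violations:", isolation_violations(wiring, classes))
```

With 300 loops per controller a single failure removes a quarter of the plant's loops; with one loop per controller it removes one loop, and duplicating a loop on a sibling controller removes it from the single-failure set entirely. The isolation check is the kind of rule that belongs in the engineering workstation's database review, since a field input shared across the safety boundary is invisible in any single cabinet's drawings.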
The design process for hardware, software, integration, and testing is critical to the delivery of a reliable and maintainable system. You cannot add quality after the system is completed. It must be an integral part of the process from inception.
To prove reliable performance for intended use prior to shipping, the system underwent a series of performance tests that KOPEC designed and witnessed. KHNP has mandated that even if systems are supplied by diverse vendors from project to project, the HMI appearance, features, and functional system behavior from unit to unit throughout the Korean nuclear fleet must be the same, from the operator console to the speed and manner in which final driven devices perform and acknowledge to the operator. Standardization within the fleet builds trust with the plant operations staff that system behavior, including from an HMI perspective, is identical. This translates into the ability to provide operational troubleshooting of plant upsets by a common engineering resource at Korea Hydro and Nuclear Power Co., Ltd. headquarters.