Fortum’s Loviisa Nuclear Power Plant is located on the Southern coast of Finland. It has two Russian designed VVER-440 reactors, which have been in operation since 1977 and 1980.
While the major components of the plant are Russian, the I&C systems were mainly based on Siemens technologies (Simatic and Teleperm), for normal operation and safety related systems, and Russian technologies for reactor trip, rod control and neutron flux monitoring.
Description of the problem
Fortum started I&C modernisation to improve licensability and maintainability of the plant in terms of new safety I&C concept.
The goals of the project were:
1. To ensure remaining lifetime of the plant units by:
- Modernizing Reactor Trip (RT) system and Neutron Flux Measurement system based on outdated Russian relay technology and implementing backup systems for RT
- Strengthening defence in depth principle by adding backup systems and preventive protection
- Improving concept for accident management
2. To allow extension of lifetime of the plant from I&C perspective by:
- Building new sophisticated I&C concept on top plant safety architecture grounding
New automation cabinets
Control room and field connections
How it was done
Key success factors of the project:
Extensive task specification for I&C functions is based on plant-wide safety architecture created by using comprehensive licensing approach (ADLAS®, Advanced Nuclear Licensing and Safety Design Method of Nuclear Facilities) which takes into account the features of the specific plant.
The task specification was implemented by means of well-prepared project lifecycle model which started with comprehensive pre-engineering phase. Design requirements are covering not only the radiation safety authoirity’s Nuclear specific requirements, but also selected references from international standards.
Using ADLAS® also in steering the engineering and licensing activities of the project lifecycle and in approval process with radiation safety authorities.
Comprehensive safety I&C architecture was created, but the modernization mainly concentrated on Finnish I&C Safety classes 2 and 3 (equivalent to IAEA Safety Category 1 and 2, ICE Category A and B or EUR F1A, and F1B).
Using Fortum’s advanced process simulator (APROS®) in addition to normal I&C test procedure for evidence in validation of safety I&C architecture.
Implement and validate respective changes in the control rooms and finding solutions for interface between new digital I&C system and old analogue actuation prioritization and switchgear.
Fortum's 207 person-years included
Modified old automation cabinets
Apros-based simulators were extensively used during the ELSA project, with the new automation systems being validated against the simulated plant. Selected accidents and transients scenarios were simulated with ELSA automation modelled in Apros and later compared to Rolls-Royce emulated automation. The tests were evaluated by the operators of the Loviisa nuclear plant. In addition simulators were used in the validation of the operating and emergency instructions and the main control room concept (using virtual reality). The tests made it possible to discover errors early and allowed the tuning of the power controller before commissioning.
For each stage, a test platform with all cabinets was set-up in Rolls-Royce premises, driven either by Rolls-Royce test tools or by the APROS simulator. It was possible to simulate actual plant behaviour with cabinets in the loop.
After all testing had been performed, formal factory acceptance tests were conducted with the competent authority. This was supposed to be only based on documentation produced during the testing phases, but as per safety authority request, a few additional tests were carried out using the test platform, not based on test procedures. One test was a complete blackout of half of the cabinets (which is not in design bases since there are four redundant power supplies), which resulted in no abnormal behaviour, thus demonstrating the robustness of the design.
After that, a new session of tests was planned with regulatory authority to test some beyond-design-bases cases, including some APROS modifications to enable replay of the tests. All results were satisfactory, even if the scenarios had not been considered as possible during the design phases.
For example, a CCF in the existing ESFAS (engineered safety features actuation system) was simulated, leading to the impossibility of a trip on request by the RTS in the case of a large breach on the secondary side. When simulating this situation, it appeared that the diverse automatic backup using measurements and functions different from the RTS was able to trip the reactor. This was further evidence that the architecture was robust and that the right level of diversity was integrated in it.