Loviisa nuclear power plant’s automation renewal project “ELSA” achieved what seemed almost impossible: to execute large-scale nuclear project by keeping original schedule and inside the frames of budget. Both ADLAS® and Apros® were successfully utilised in demanding licensing process of the project and they had essential role in ensuring the project execution on schedule and in budget.
Fortum’s Loviisa Nuclear Power Plant is located on the Southern coast of Finland. It has two Russian designed VVER-440 reactors, which have been in operation since 1977 and 1980.
While the major components of the plant are Russian, the I&C systems were mainly based on Siemens technologies (Simatic and Teleperm), for normal operation and safety related systems, and Russian technologies for reactor trip, rod control and neutron flux monitoring.
Fortum started I&C modernisation to improve licensability and maintainability of the plant in terms of new safety I&C concept.
The goals of the project were:
1. To ensure remaining lifetime of the plant units by:
2. To allow extension of lifetime of the plant from I&C perspective by:
New automation cabinets
Control room and field connections
Key success factors of the project:
Extensive task specification for I&C functions is based on plant-wide safety architecture created by using comprehensive licensing approach (ADLAS®, Advanced Nuclear Licensing and Safety Design Method of Nuclear Facilities) which takes into account the features of the specific plant.
The task specification was implemented by means of well-prepared project lifecycle model which started with comprehensive pre-engineering phase. Design requirements are covering not only the radiation safety authoirity’s Nuclear specific requirements, but also selected references from international standards.
Using ADLAS® also in steering the engineering and licensing activities of the project lifecycle and in approval process with radiation safety authorities.
Comprehensive safety I&C architecture was created, but the modernization mainly concentrated on Finnish I&C Safety classes 2 and 3 (equivalent to IAEA Safety Category 1 and 2, ICE Category A and B or EUR F1A, and F1B).
Using Fortum’s advanced process simulator (APROS®) in addition to normal I&C test procedure for evidence in validation of safety I&C architecture.
Implement and validate respective changes in the control rooms and finding solutions for interface between new digital I&C system and old analogue actuation prioritization and switchgear.
Modified old automation cabinets
Apros-based simulators were extensively used during the ELSA project, with the new automation systems being validated against the simulated plant. Selected accidents and transients scenarios were simulated with ELSA automation modelled in Apros and later compared to Rolls-Royce emulated automation. The tests were evaluated by the operators of the Loviisa nuclear plant. In addition simulators were used in the validation of the operating and emergency instructions and the main control room concept (using virtual reality). The tests made it possible to discover errors early and allowed the tuning of the power controller before commissioning.
For each stage, a test platform with all cabinets was set-up in Rolls-Royce premises, driven either by Rolls-Royce test tools or by the APROS simulator. It was possible to simulate actual plant behaviour with cabinets in the loop.
After all testing had been performed, formal factory acceptance tests were conducted with the competent authority. This was supposed to be only based on documentation produced during the testing phases, but as per safety authority request, a few additional tests were carried out using the test platform, not based on test procedures. One test was a complete blackout of half of the cabinets (which is not in design bases since there are four redundant power supplies), which resulted in no abnormal behaviour, thus demonstrating the robustness of the design.
After that, a new session of tests was planned with regulatory authority to test some beyond-design-bases cases, including some APROS modifications to enable replay of the tests. All results were satisfactory, even if the scenarios had not been considered as possible during the design phases.
For example, a CCF in the existing ESFAS (engineered safety features actuation system) was simulated, leading to the impossibility of a trip on request by the RTS in the case of a large breach on the secondary side. When simulating this situation, it appeared that the diverse automatic backup using measurements and functions different from the RTS was able to trip the reactor. This was further evidence that the architecture was robust and that the right level of diversity was integrated in it.