
ELSA project
New systems: 9
Planning material: 4,400
New wiring: 170 km
Loviisa nuclear power plant's automation renewal project "ELSA" achieved what seemed almost impossible: executing a large-scale nuclear project on its original schedule and within budget. Both ADLAS® and Apros® were successfully utilised in the project's demanding licensing process, and they had an essential role in keeping the project execution on schedule and within budget.
Fortum's Loviisa Nuclear Power Plant is located on the southern coast of Finland. It has two Russian-designed VVER-440 reactors, which have been in operation since 1977 and 1980.
While the major components of the plant are Russian, the I&C systems were mainly based on Siemens technologies (Simatic and Teleperm) for normal operation and safety-related systems, and on Russian technologies for reactor trip, rod control and neutron flux monitoring.
Fortum started the I&C modernisation to improve the licensability and maintainability of the plant in terms of a new safety I&C concept.
The goals of the project were:
1. To ensure remaining lifetime of the plant units by:
2. To allow extension of lifetime of the plant from I&C perspective by:
New automation cabinets: 96
Control room and field connections: 2,088
Measuring points: 29,230
Key success factors of the project:
An extensive task specification for I&C functions, based on a plant-wide safety architecture created using a comprehensive licensing approach (ADLAS®, Advanced Nuclear Licensing and Safety Design Method of Nuclear Facilities) that takes into account the features of the specific plant.
The task specification was implemented by means of a well-prepared project lifecycle model, which started with a comprehensive pre-engineering phase. The design requirements cover not only the radiation safety authority's nuclear-specific requirements but also selected references from international standards.
Using ADLAS® also in steering the engineering and licensing activities of the project lifecycle and in the approval process with the radiation safety authorities.
A comprehensive safety I&C architecture was created, but the modernisation mainly concentrated on Finnish I&C Safety Classes 2 and 3 (equivalent to IAEA Safety Category 1 and 2, IEC Category A and B or EUR F1A and F1B).
Using Fortum's advanced process simulator (APROS®), in addition to the normal I&C test procedure, as evidence in the validation of the safety I&C architecture.
Implementing and validating the respective changes in the control rooms and finding solutions for the interface between the new digital I&C system and the old analogue actuation prioritisation and switchgear.
Inspection reports: 2,100
Planning material: 950
Modified old automation cabinets: 100
In the ELSA project, Fortum used its safety engineering design method, ADLAS, which was applied to plant-level and functional-level design. In practice this meant that the overall safety-related functionality of the plant was clearly defined. This so-called functional architecture included the safety functions and also high-level requirements for the safety functions that were not in the scope of the ELSA project.
Verification and validation of the plant and architecture were implemented with analyses and tests. The analyses included the renewal of all safety analyses as well as fault and common-cause analyses of the new automation systems. The goal was to validate the new automation systems as part of the plant and to introduce new analyses related to the YVL guides.
From the beginning of the ELSA project it was clear that licensing would be a key success factor for the project. The I&C supplier, Rolls-Royce, was guided by Fortum in gaining an understanding of the YVL guides (Finnish nuclear safety regulatory guides) and their underlying principles.
Fortum's innovative approach in the ELSA project was to create licensing packages of documents to support the project quality process. The packages were linked to the quality process and the related licensing steps. Each package was introduced to the authority before it received the individual documents for review, to give a high-level view of the package. This helped the regulator to better understand what it was reviewing. All the ELSA documents were approved in time without impacting the project schedule.
Apros-based simulators were extensively used during the ELSA project, with the new automation systems being validated against the simulated plant. Selected accident and transient scenarios were simulated with the ELSA automation modelled in Apros and later compared to the Rolls-Royce emulated automation. The tests were evaluated by the operators of the Loviisa nuclear plant. In addition, simulators were used in the validation of the operating and emergency instructions and the main control room concept (using virtual reality). The tests made it possible to discover errors early and allowed the tuning of the power controller before commissioning.
For each stage, a test platform with all cabinets was set up on Rolls-Royce premises, driven either by Rolls-Royce test tools or by the APROS simulator. It was possible to simulate actual plant behaviour with cabinets in the loop.
After all testing had been performed, formal factory acceptance tests were conducted with the competent authority. These were supposed to be based only on documentation produced during the testing phases, but at the safety authority's request a few additional tests, not based on test procedures, were carried out using the test platform. One test was a complete blackout of half of the cabinets (which is not in the design basis, since there are four redundant power supplies). It resulted in no abnormal behaviour, thus demonstrating the robustness of the design.
After that, a new session of tests was planned with the regulatory authority to test some beyond-design-basis cases, including some APROS modifications to enable replay of the tests. All results were satisfactory, even though the scenarios had not been considered possible during the design phases.
For example, a common-cause failure (CCF) in the existing ESFAS (engineered safety features actuation system) was simulated, leading to the impossibility of a trip on request by the reactor trip system (RTS) in the case of a large breach on the secondary side. When this situation was simulated, the diverse automatic backup, which uses measurements and functions different from those of the RTS, was able to trip the reactor. This was further evidence that the architecture was robust and that the right level of diversity was integrated in it.