

Licensing experience with Digital Instrumentation and Control in Canada

Robert Lojk, Director Systems Engineering Division,
Canadian Nuclear Safety Commission
Portorož, Slovenia, May 8, 2009

I would like to acknowledge the contribution, support and assistance of CNSC staff,
Gilbert Chun and Charles Zeng, as well as staff from OPG, CPUS and Candesco.
Their assistance was invaluable and much

•   Who we are and what we do

•   How we get things done

•   History of Digital I&C in CANDU reactors

•   Case Study – Darlington NGS software redesign

•   CNSC Requirements for Digital I&C

•   Path Forward on Digital I&C

•   New Builds

•   Conclusions

Canadian Nuclear Safety Commission

          • Independent federal agency
          • Quasi judicial tribunal
          • Reports to Parliament through the
            Minister of Natural Resources
          • Does not promote nuclear
            technology or the nuclear industry

CNSC Mandate under the NSCA

To regulate the industry in such a manner that the development and use of
nuclear energy and materials do not pose an unreasonable risk to:
    • Health & Safety
    • The Environment
    • National Security

To implement certain international obligations
    • Safeguarding and non-proliferation of nuclear

CNSC Structure

President & CEO: Dr. Michael Binder

The Commission
• Independent Decisions
• Establishes Legally-binding Regulations
• Sets Regulatory Policy Direction
• Open and Transparent Process

The CNSC Staff
• Independent technical reviews
• Recommendations on licensing Decisions
• Administers Commission Decisions
• Access to Information Act

Licensing Process: Main Steps
• Applicant Provides Detailed
• Independent Technical Review by CNSC Staff
• Licensees' Performance (compliance verification)
• Recommendation to the
• Public Hearings (2 hearings)
• Decision by Commission
• Licence may be issued
History of Digital I&C in Canadian Reactors started with NRU in 1963 (1/7)
1. NRU (National Reactor Universal) (not a power reactor)

  ● PDP-4 and PDP-5 installed in 1963 (DEC computers)
  ● Computers used for the following purpose:
      - Acquisition of computer based I&C technology
      - Test of computer reliability in NPP complex
  ● Application:
      - Control rod drive by triplicated flux controller (three
      - Scanning and alarms of temperature and flux (PDP-5)
      - Control and display (PDP-4)
  ● 50 analogue signals were scanned by PDP-5
Only control rods and display; not safety related

History of Digital I&C in CANDU: Douglas Point '68 (2/7)
2. Douglas Point (206MW) applied the NRU experience:

  ● Single CDC 636 installed in 1968 (much greater scope)
  ● Purpose:
     - Expansion of computer based control system
  ● Application:
     - Fast power regulation based on ion chamber signals and
       thermal signals
     - Control of neutron flux tilt: 300 temperature signals used
     - High temperature and low flow signals used in reactor
       safety system, but manual SS actuation
History of Digital I&C in CANDU: Pickering A '70s & B '80s (3/7)
3. Pickering A 1971-73 (4X514MW) & B 1983-85 (4X516MW)

   ● Dual Digital Control Computers were installed:
     IBM 1800 ("A" replaced w/ ES-1800 hardware emulator)
   ● Application:
       - Reactor Regulation
       - Zone Control
       - Boiler Pressure
       - Fuelling Machine (One computer is used)
       - Temperature Monitoring
   ● SDS1* uses a PC-compatible computer for ROP** monitoring
* Shutdown System ** Regional Over Power

History of Digital I&C in CANDU: Bruce A '70s & B '80s (4/7)
4. Bruce A 1977-1979 (4X740MW) & B 1984-1987 (4X750MW)

  ● Digital Control Computer was installed:
    Varian 620f (Bruce A), Varian V-73 (Bruce B)
  ● Application: In addition to Pickering application
     - Man-machine-interface added (used 10 CRTs)
     - 8 CRT used for graphical plant information
     - 2 CRT used for alarm messages

  ● Monitor Computer (plant parameters and calculations)
    Data General MP200
History of Digital I&C in CANDU: Pt. Lepreau '82 & G-2 '83 (5/7)
5. CANDU 6 (Gentilly 2, Point Lepreau) 600MW each

  ● DCC (Digital Control Computer)
    Hardware: Varian V-73
    Software: Varian V-73 assembler
      - Reactor Regulation System
      - Boiler Pressure / Level Control
      - Primary Heat Transport Pressure / Inventory Control
      - Moderator Temperature Control; Fuel Handling Control
      - Flux Mapping; Unit Power Regulation
Being replaced with SSCI 890 emulation hardware as a common CANDU design
    strategy for Varian

History of Digital I&C in CANDU: Pt. Lepreau & G-2 (6/7)
5. CANDU 6 (Gentilly-2, Point Lepreau) safety systems included
    (two computers, same hardware, same software, not diverse)

  ● PDC (Programmable Digital Comparator) Trip Computer
     - Shutdown System 1
       Hardware: Data General MP-100 Micro-computer
       Software: Assembler
     - Shutdown System 2
       Hardware: Data General MP-100 Micro-computer
       Software: Assembler

History of Digital I&C in CANDU: Darlington, late '80s (7/7)
6. Darlington “fully Computerized” and diverse (see case study):

  ● DCC: Hardware: PDP 11/70; Software: Macro Assembler
  ● PDC:
    System:     SDS1          SDS2
    Hardware:   GA-16/250     DEC LSI 11/23
    Software:   Fortran       Pascal
  ● Display/Test Computers: General Automation (GA-16/250)
  ● Monitor Computer: Hardware: General Automation
    Display/Test computer and Monitor computer use Fortran
DCC hardware replacement with emulator project underway

Case Study: Darlington Software Redesign (1/5)
● 1982-85
   – Ontario Hydro (now Ontario Power Generation) and
       AECL decided for a software-based shutdown system
       (SDS) at Darlington NPP
   – AECB (now CNSC) involvement in pre-design studies
       was minimal
● Late 1986 and 1987
   – AECB found software development documentation difficult to
        review and was convinced that a serious problem existed,
        but had no proof
   – Software was found to be unreviewable
   – Licensee advised that there would be delays because of
        potential problems with review of software and the fact
        that the software development didn't conform to known
        engineering practices

Case Study: Darlington Software Redesign (2/5)
● 1987
  - AECB and Ontario Hydro consultants recommended: restructuring;
    re-documentation; and random testing
● 1988-90
  - SDS 1 and SDS 2 software revised but only minor changes
   incorporated and reviewability still a problem
  - AECB issued license for 100 % power operation of
   Darlington following completion of SDS 2 software formal
   inspection (February 1990)
   – AECB instructed Ontario Hydro to redesign SDS 1 and
       SDS 2 software
Case Study: Darlington Software Redesign (3/5)
● 1990-1994

Ontario Hydro and AECL developed software engineering
   standards and procedures based on IEC 880 (60880) and
   trial use of standards and procedures carried out.

● 1996-1997
CNSC carried out audits and follow-ups with a multidisciplinary
   team. First audit discovered some problems including the
   use of complex tools and independence of verifiers
   – All resolved by second audit in 1997

Case Study: Darlington Software Redesign (4/5)
CNSC staff performed following activities in the two audits:

● Review of software requirements (formal mathematical
● Confirmation of processes and people- design audits
● Systematic inspection (samples of verification work and
    hazards analysis)
● Review of software testing
   - monitoring of selected integration and validation tests
   - monitoring of commissioning, operational trials
● Involvement from various divisions and comprehensive review
    of dozens of documents

Case Study: Darlington Software Redesign (5/5)
Lesson learned from the experience:

● Detailed design specifications have to be reviewed early in the
   design stage such that technical issues can be resolved to
   avoid expensive fixes afterward
● The review process highlighted that better guidance and
   processes would have facilitated the review: Systemic
   verification and validation are required early in the design
   phase to address potential regulatory stumbling blocks
Need to document and structure things to permit ready
   review and verification.

Requirements for Digital Instrumentation and Control (1/3)
1. CNSC Requirements

  ● C-138 (Software in Protection and Control Systems) was
    drafted in 1999
  ● RD-337 (Design of New Nuclear Power Plants) in 2008,
    Clause 7.9.2 (Use of Computer-based Systems or Equipment)
  ● General requirements from system level R-documents
     - R-8: Requirements for Shutdown Systems
     - R-10: The Use of Two Shutdown Systems

Requirements for Digital Instrumentation and Control (2/3)
2. National Requirements

    ● N290.14-07 (Qualification of pre-developed software)
    ● CAN/CSA-Q396.1.1-89 (Quality Assurance Program for the
      Development of Software) used for CANDU 6
    ● CAN3-N290.1-80 (Requirements for the Shutdown Systems
      of CANDU Nuclear Power Plants) General requirements
    ● CAN3-N290.4-M82 (Requirements for the Reactor
      Regulating Systems of CANDU Nuclear Power Plants)
    ● CAN3-N290.6-M82 (Requirements for Monitoring and
      Display of CANDU Nuclear Power Plant Status)

Note: CAN3-N290 series provide system level requirements

Requirements for Digital Instrumentation and Control (3/3)
3. International Requirements

   ● CNSC staff refers to IAEA, IEC, IEEE, ISA standards when
     CNSC and national standards do not provide extended

4. Industrial Standards (COG, OPG and AECL)

   ● Standards for Software Engineering of Safety (category II
     and category III) Software
   ● Standard for Computer System Engineering
   ● Suite of standards and procedures for Computer System
    and software engineering
Requirements for Digital Instrumentation and Control – RD-337
Clause 7.9.2 (Use of Computer-based Systems or Equipment)

  ● Use of appropriate code and standards throughout the life
    cycle of the system or equipment, particularly during
    software development cycle
  ● Top-down software development process for verification
    and validation
  ● Third-party software in accordance with standards of a
    category commensurate with the safety function
  ● Reviewable software development process and design

New Build Challenges (1/2)
A number of issues must still be resolved:

    – Digital system reliability, impact of harsh environment
    – Risk impact of digital I&C, modelling I&C in PSA
    – Applicability of commercial products (Hw/Sw)
    – EQ of smart sensors in harsh nuclear environments
    – Human reliability impacted and new human error
      mode introduced by new technology (e.g. soft control)
    – Integration of commercial DCS systems into NPPs
    – Quality assurance / qualification of software
    – Qualification of fibre optic cables & equipment
New Build Challenges (2/2)

…and more issues to be resolved:

   – Vulnerability, general and cyber security
   – NPP oriented I&C architecture
   – Equipment interoperability to deal with short life
     cycles and ageing
   – New measurement technologies
   – Automatic generation/ Voltage control to interface
     with grid
   – Use of simulation technology to support design
     decision, V&V I&C early in development stage
New Build Opportunities
New applications and opportunities will be available:

    – Improved safety and response time
    – Better plant health diagnostics
    – New applications to improve plant safety and
    – Computerized operational procedures
    – Improved human factors interaction
    – Potentially reduced maintenance costs
    – Life extension and upgrade advantages


New nuclear power plants will be controlled by digital I&C systems.
  There are benefits and challenges; the implementation of such
  systems will require:

● Regulatory involvement at an early stage to ensure good
  practice, minimize risk and eliminate uncertainty
● Modern comprehensive standards to specify the correct
  approach, including validation, verification and structure
● Formalized review methodology to be used during software
  development process
● Collaboration among specialties (Safety analysis; QA; H.F.)

Thank you for your Attention!

• CNSC Website:
• CANTEACH site, CNSC content: