
International Workshop on Defence in Depth aspects in Electrical Systems of Importance for Safety

Stockholm, 5-7 September 2007

Workshop Summary Notes

The following paper summarises key aspects of the presentations and discussions held at the International Workshop on Defence in Depth aspects in Electrical Systems of Importance for Safety, held in Stockholm, 5-7 September 2007. The workshop was held as a result of the Forsmark Unit 1 event of July 2006. The Forsmark Unit 1 event and its outcome raised a number of issues related to the electrical power supply to systems and components important to safety in nuclear power plants (NPPs). Many of the issues highlighted during the investigation of the causes of the Forsmark Unit 1 event are of a generic nature. The objectives of the workshop were, based on the findings and experience from the Forsmark Unit 1 event and other nuclear power plant events, to gain an understanding of potential weaknesses in the design, in the safety justification analysis and in the operation of electrical systems important to safety, and to establish approaches to address and correct these weaknesses.

Session 1: Events of generic importance

1.1 Several of the presentations and the following discussions clearly indicated the generic difficulty of anticipating all types of events in electrical systems caused by anomalies in electrical components. Several of the presented events were furthermore indicative of latent, hidden failures of common cause failure (CCF) character. Such latent failures have been identified as resulting from deficiencies in:
- functional design requirements and specifications;
- the design review process and the verification of equipment design, including verification of setpoint values and of the compliance of the installed equipment with its specified characteristics (e.g. Safety Analysis Report (SAR) requirements);
- equipment qualification testing (FAT, SAT and OAT), which should cover operational occurrences, including abnormal operation to the greatest extent possible, as well as the interfaces with other equipment.

1.2 During the course of some of the presented events, the work situation for the operators in the main control room (MCR) was difficult because of the substantial loss of indication in the MCR and/or the impossibility of controlling the plant equipment from the MCR, or even locally.

1.3 Several of the presented events were classified as serious and indicated a significant increase in the core damage probability (CDP). For some events, the CDP reached levels of up to 1E-2 per year.

1.4 The issue of introducing black boxes in connection with component replacement during plant modernisation was discussed intensively. Experience indicates that a replacement in the plant, even if the functional requirements are the same, can seldom be regarded as a one-to-one exchange, as the internal properties of new, modern components often differ from those of older types. Inadequate, or even missing, documentation from the manufacturer of the internal properties of the new components was recognised as a general problem. Full knowledge of equipment functionality is vital for reactor safety when a plant modernisation is performed. Experience indicates that components (black boxes) with more features than required can introduce unexpected failures and weaknesses into plant safety systems. Thorough simulation of the behaviour of black boxes, and documentation of the tests performed, were recognised as a complementary way of revealing and correcting gaps in the knowledge of equipment functionality.

1.5 In the view of the Regulator organising the workshop, Licensees have not devoted enough resources to identifying deficiencies in components and systems belonging to the second level of Defence in Depth (DiD). The deficiencies in the Forsmark UPS design were regarded as a weakness in level 3 of the DiD. The UPS should have been designed to cope with all voltage transients originating from the external or internal grid, including the main generator(s). It was also mentioned that new regulations may need to treat inverters as active components that must have diversified redundancy.

1.6 One presentation indicated that a deficiency in experience feedback in one country made it possible for one initiating failure, related to ageing, to recur in another unit, resulting in a significantly more severe event. It was recognised that both this example and its opposite, as exemplified by the timely assessment and reporting of the Forsmark Unit 1 event, unequivocally indicate the benefit of well-established and functioning systems for experience feedback as a means of minimising event recurrence.

Session 2: Design and analysis

2.1 It was recognised that small, gradual changes to the original design, adding up over time, can invalidate the original design assumptions and safety analyses.

2.2 In the past, NPP emergency power supply systems were equipped with qualified equipment of low complexity (QELC), and the contribution from CCF was generally low. Today, NPPs have replaced QELC with new, more complex equipment. Modern equipment is sophisticated and loaded with a variety of embedded extra functions, resulting in higher complexity.

2.3 It is important to ensure that the surplus functionalities, including component protection functions, do not interfere with the basic design functionalities and prevent plant safety functions. The introduction of modern, sophisticated equipment with many embedded surplus functionalities was discussed with regard to the possibility of testing such equipment thoroughly in order to reduce the potential for CCF.

2.4 The discussions underlined the importance of communicating the functional requirements specifications thoroughly to the Suppliers, and of the Suppliers informing the Licensees exhaustively about all the built-in features and possible settings of the new equipment.

2.5 The potential risk of emergency diesel generators (EDGs) not tolerating low loading for long periods of time was discussed; operation at low power should therefore be exercised with care. This is mainly an issue in long-term storage and decommissioned plants, where decay heat removal requirements are reduced drastically compared with the typical post-accident situation following full power operation.

Session 3: Interaction between the NPP and the grid

3.1 The industry has to restore its understanding of the design of NPP electrical systems and their interactions with the external grid. Lost knowledge from the design era tends to be replaced by the application of standards; however, standards have limitations as to completeness and guidance. Full understanding of the design of NPP electrical systems was recognised to be of prime importance for formulating correct and comprehensive specifications for new equipment.

3.2 Concerning potential conflicts between the requirements for operation and maintenance of the grid and plant safety requirements, it was recognised that in some countries Licensees may have been too passive in reaching a common understanding with the grid operators. Licensees should have a clear enough understanding of grid behaviour to be able to define an electrical Design Basis Accident. Otherwise, Licensees will have difficulty defining the bounding events and conditions that the plant has to cope with.

3.3 In the past, NPPs spent months testing electrical systems and equipment during initial commissioning. Today, testing of electrical systems after modifications is often performed on a scale of hours. Ample time must be allocated for thorough testing of electrical systems after modifications.

3.4 The difficulty of defining an enveloping profile for transients in electrical systems was broadly recognised. It was identified that analyses of grid disturbances are still relatively limited and need to be enhanced in order to define more suitable protections.

3.5 Simulations, as well as testing of grid and NPP electrical systems under conditions as close as possible to real ones, were generally recognised to be highly important. The discussions emphasised the need for, and benefit of, simulating the dynamic behaviour of the electrical systems outside and inside the NPP. Mature commercial simulation tools exist, but an important and necessary aspect underlined was the adequate qualification of such tools, and especially of the plant models used as input to the simulation. Several presentations gave evidence that the development of calculation and simulation tools is on-going in most countries. A broad consensus exists on the need to perform benchmark exercises of the models and simulation tools, checking them against, for example, recorded transient data.

3.6 The benefits and drawbacks of house load operation (islanding) were discussed. In most countries the grid operator asks for the NPP to be able to switch over to house load operation upon loss of offsite power. Some participants maintained that, from a plant safety point of view, it would be better to rely on the start of the internal emergency power supply systems and thereby achieve a more stable voltage and frequency. On the other hand, house load operation can be viewed as a preventive protection function: it essentially provides auxiliary power to keep the plant in a safe condition without resorting to the last line of emergency power sources.

3.7 Related to this subject, it was noted that few US NPPs have, by design, the possibility of house load operation. The underlying reason is that NPP owners do not want to have large condensers, for economic reasons; the capability to dump steam is thus often limited to 50-70% of nominal steam flow. Furthermore, it was regarded to be in the interest of safety to equip plants with generator breakers in order to increase the probability of having offsite power available.

3.8 Discussions about interactions between the NPP and the grid indicated that the extent and frequency of contacts between Licensees and the grid operator/Regulator vary significantly between countries. Following these discussions, the benefit for plant safety of coordinating requirements between these parties was fully recognised.

3.9 The development of national grids resulting from the connection of newer generating units, and the interconnections between national grids, raised the question of whether grid protections and requirements consequently need to be coordinated at an international level as well.

Concluding session

4.1 The workshop discussions addressed issues related to the robustness of electrical systems in NPPs. It was generally recognised that these issues should be investigated further in order to:
- define the normal and abnormal operating regimes for the offsite power;
- define electrical transients, both internally generated and resulting from the offsite power system;
- define methods to study the topology of such transients;
- validate simulation tools and models.

4.2 The workshop underlined the need to develop models and calculations in order to simulate the dynamic behaviour of electrical systems. The technique of simulation seems to be established; however, a critical part is obtaining data with which to validate the simulation tools and models against real-life data, especially data from transients that have occurred. The performance of international benchmarking exercises was recognised to be a most valuable future task.

4.3 The question of sharing information and results about on-going simulation development projects was discussed. It was underlined that there is no problem in sharing information; the problem is to define the level and format of the information to be exchanged.

4.4 The importance of keeping an up-to-date agreement on operational and technical specifications related to the interaction between the grid and the NPPs was pointed out.

4.5 The importance of ensuring that hidden embedded functionalities in modern equipment do not impair safety functions was broadly recognised. A major prerequisite for such assurance is that the Licensee carefully specifies the functional requirements of the intended equipment and independently checks that the Supplier's equipment fulfils all specifications. However, the Licensee has to be fully aware that the new equipment will most probably have far more functionalities than originally specified. It was underlined that all these additional functionalities should also be considered in the light of the desired equipment behaviour (as recorded, or implicitly assumed, in the plant Safety Analysis Report), and that appropriate specifications should be developed for the new functionalities. Only after this should the correct implementation of the functions be assessed and thoroughly tested.

4.6 The discussions also emphasised the need for the Licensee to specify equipment non-functionalities. Suppliers will then have to demonstrate that any additional features of the new equipment do not impair the wanted and specified functionalities.

4.7 Testing of modern equipment and plant modifications was discussed with regard to what the Regulators should require to be covered by the Licensees' and Suppliers' test programmes. One matter is the need to check that the test programme is appropriate in view of the realisation of the equipment. In addition, it must be ensured that the test programme is consistent with the equipment specifications and covers FAT, SAT and OAT. One important part of the test programme shall be devoted to ensuring that unwanted functionalities do not exist or are duly blocked.

4.8 The issue of third-party checks of electrical systems after modification was discussed. In some countries such a third-party check is performed on behalf of the Regulator. Independence of the reviewer is, however, of little benefit if the review is conducted against incomplete or inappropriate specifications.

4.9 Another part of the discussions concerned the question of whether guidelines and standards should be developed to cover new technologies in a timely manner. A perceived consensus is that such development is needed. This question relates in particular to the need to define requirements and standards for achieving proper qualification of complex modern equipment, which might include black boxes. The discussions underlined the benefit of considering operating experience closely when developing such requirements and standards.

4.10 Even after comprehensive reviews of electrical systems during commissioning and, for example, in the context of modernisation, the risk of latent CCF remains. Such failures can be very difficult to reveal. Factors such as design features, modes of operation and environmental conditions could, in unfavourable combinations, weaken the ability of the plant to handle disturbances and transients. The robustness of the electrical systems must be maintained through quality in design, operation, maintenance and testing. The robustness should be demonstrated by a broad-minded event analysis based on thorough knowledge of electrical engineering and on insights from experience feedback, preferably complemented by methodologies such as FMEA, dynamic transient analysis and PSA.
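The benchmark of simulation models against recorded transient data, called for in Session 3 and again in the concluding session, as an added worked example that is not part of the workshop notes and not any participant's, vendor's or plant's tool: the script classifies a recorded supply transient against a defined normal/abnormal envelope and then checks whether a simulated trace of the same event reproduces it. The envelope limits, the acceptance tolerances, the recorder format and both traces are constructed assumptions; they are not Forsmark data and not any plant's electrical design basis.

```python
"""Envelope classification of a recorded transient and benchmark of a simulated trace.

Added example, not from the workshop notes. Every limit, tolerance and sample below is
a constructed assumption; nothing here is plant data or a real design basis.
"""
from dataclasses import dataclass
from math import sqrt


@dataclass(frozen=True)
class Envelope:
    """Hypothetical normal operating regime of the offsite supply (voltage in per unit,
    frequency in Hz). An excursion longer than max_excursion_s is classed as abnormal."""
    v_min: float = 0.90
    v_max: float = 1.10
    f_min: float = 49.0
    f_max: float = 51.0
    max_excursion_s: float = 0.2


# Constructed recorder export (not plant data): a short overvoltage swell.
RECORDED_CSV = """# time_s,voltage_pu,frequency_hz
0.0,1.00,50.0
0.1,1.00,50.0
0.2,1.00,50.0
0.3,1.25,50.0
0.4,1.20,50.0
0.5,1.15,50.0
0.6,1.12,50.0
0.7,1.00,50.0
0.8,1.00,50.0
"""

# Constructed output of a hypothetical plant model for the same event: the amplitude
# is close, but the model lets the voltage recover one sample too early.
SIMULATED_CSV = """# time_s,voltage_pu,frequency_hz
0.0,1.00,50.0
0.1,1.00,50.0
0.2,1.00,50.0
0.3,1.22,50.0
0.4,1.18,50.0
0.5,1.14,50.0
0.6,1.10,50.0
0.7,1.00,50.0
0.8,1.00,50.0
"""


def parse_trace(text):
    """Parse 'time_s,voltage_pu,frequency_hz' lines into (t, v, f) tuples; '#' starts a comment."""
    samples = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        t, v, f = (float(x) for x in line.split(","))
        samples.append((t, v, f))
    return samples


def _kind(v, f, env):
    """Name the envelope violation of one sample, or None if it is inside the band."""
    if v > env.v_max:
        return "overvoltage"
    if v < env.v_min:
        return "undervoltage"
    if f > env.f_max:
        return "overfrequency"
    if f < env.f_min:
        return "underfrequency"
    return None


def classify(samples, env):
    """Group consecutive out-of-band samples into excursions and flag the abnormal ones."""
    excursions, current = [], None
    for t, v, f in samples:
        kind = _kind(v, f, env)
        value = f if kind in ("overfrequency", "underfrequency") else v
        if current is not None and current["kind"] == kind:
            current["end_s"] = t
            pick = max if kind.startswith("over") else min
            current["extreme"] = pick(current["extreme"], value)
            continue
        if current is not None:            # band re-entered or violation type changed
            excursions.append(current)
            current = None
        if kind is not None:
            current = {"kind": kind, "start_s": t, "end_s": t, "extreme": value}
    if current is not None:
        excursions.append(current)
    for e in excursions:
        e["duration_s"] = round(e["end_s"] - e["start_s"], 6)
        e["abnormal"] = e["duration_s"] > env.max_excursion_s
    return excursions


def benchmark(recorded, simulated, env, rms_tol=0.02, peak_tol=0.05, duration_tol=0.05):
    """Compare a simulated voltage trace with the recording at common timestamps.
    The model is accepted only if the amplitude error is small AND it reproduces the same
    excursions with durations within tolerance: duration is what protection settings see."""
    sim_at = {round(t, 6): v for t, v, _ in simulated}
    errors = []
    for t, v, _ in recorded:
        if round(t, 6) not in sim_at:
            raise ValueError(f"simulated trace has no sample at t={t}")
        errors.append(sim_at[round(t, 6)] - v)
    rms = sqrt(sum(e * e for e in errors) / len(errors))
    peak_dev = lambda trace: max(abs(v - 1.0) for _, v, _ in trace)   # largest deviation from nominal
    peak_err = abs(peak_dev(simulated) - peak_dev(recorded))
    rec_exc, sim_exc = classify(recorded, env), classify(simulated, env)
    reproduced = [e["kind"] for e in rec_exc] == [e["kind"] for e in sim_exc]
    duration_err = None
    if reproduced:
        duration_err = max((abs(r["duration_s"] - s["duration_s"])
                            for r, s in zip(rec_exc, sim_exc)), default=0.0)
    accepted = reproduced and rms <= rms_tol and peak_err <= peak_tol and duration_err <= duration_tol
    return {"rms_error_pu": rms, "peak_error_pu": peak_err, "excursions_reproduced": reproduced,
            "duration_error_s": duration_err, "accepted": accepted}


def run_example(env=Envelope()):
    """Classify the constructed recording and benchmark the constructed model against it."""
    recorded, simulated = parse_trace(RECORDED_CSV), parse_trace(SIMULATED_CSV)
    return classify(recorded, env), benchmark(recorded, simulated, env)
```

With the constructed data the recording shows one overvoltage excursion of 0.3 s (abnormal under the assumed 0.2 s limit), and the model passes on amplitude (RMS error about 0.014 pu, peak error 0.03 pu) but is rejected because it shortens the excursion by 0.1 s; a benchmark that only compared amplitudes would have accepted it.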
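The acceptance step described in Session 2 and returned to in the concluding session (the Licensee specifies the wanted functionalities and the non-functionalities, then verifies that the delivered equipment has no active feature outside that specification), as an added example that is not part of the workshop notes and not any regulator's, licensee's or supplier's tool. The specification, the feature names and the configuration export are constructed and hypothetical and describe no real product. Any feature present in the export that the Licensee did not specify is reported as a finding, because the notes require such features to be specified or blocked before acceptance.

```python
"""Acceptance audit of a supplier configuration export against the Licensee's specification.

Added example, not from the workshop notes. SPEC and CONFIG_DUMP are constructed; the
feature names are hypothetical and do not refer to any real product.
"""

# Hypothetical Licensee specification. 'required' maps a function to the setting it must
# have; 'prohibited' lists the specified non-functionalities (must be absent or disabled).
SPEC = {
    "required": {
        "undervoltage_trip": "enabled",
        "undervoltage_setpoint_pu": "0.85",
        "manual_bypass": "enabled",
    },
    "prohibited": ["remote_firmware_update", "auto_restart_on_fault"],
}

# Constructed key=value export from the delivered unit ('#' starts a comment).
CONFIG_DUMP = """# unit: demo-inverter (constructed)
undervoltage_trip=enabled
undervoltage_setpoint_pu=0.80
manual_bypass=enabled
remote_firmware_update=enabled
auto_restart_on_fault=disabled
telemetry_upload=enabled
"""

# Values taken to mean "feature duly blocked"; anything else counts as active.
DISABLED_VALUES = {"disabled", "off", "0", "false", "none"}


def parse_config(text):
    """Parse key=value lines into a dict; malformed lines are an error, not silently skipped."""
    cfg = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"line {lineno}: expected key=value, got {line!r}")
        cfg[key.strip()] = value.strip()
    return cfg


def _same(got, wanted):
    """Compare settings numerically when both parse as numbers, else as case-insensitive text."""
    try:
        return float(got) == float(wanted)
    except ValueError:
        return got.strip().lower() == wanted.strip().lower()


def audit(cfg, spec):
    """Return (code, feature, note) findings; an empty list means the export matches the spec."""
    findings = []
    for key, wanted in spec["required"].items():
        got = cfg.get(key)
        if got is None:
            findings.append(("MISSING_REQUIRED", key, "required function absent from configuration"))
        elif not _same(got, wanted):
            findings.append(("WRONG_SETTING", key, f"specified {wanted!r}, configured {got!r}"))
    for key in spec["prohibited"]:
        got = cfg.get(key)
        if got is not None and got.lower() not in DISABLED_VALUES:
            findings.append(("PROHIBITED_ACTIVE", key, f"specified non-functionality is active ({got!r})"))
    specified = set(spec["required"]) | set(spec["prohibited"])
    for key in sorted(set(cfg) - specified):          # surplus features the spec never mentions
        if cfg[key].lower() not in DISABLED_VALUES:
            findings.append(("UNSPECIFIED_ACTIVE", key,
                             "active feature with no specification; specify or block before acceptance"))
    return findings


def acceptable(findings):
    """Acceptance requires zero findings of any class, including unspecified active features."""
    return not findings
```

On the constructed export the audit reports a wrong setpoint, an active prohibited feature and an active unspecified feature, and acceptance is refused; once the setpoint is corrected and both surplus features are disabled, the same audit returns no findings.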
