Embedded Safety-Critical Systems in Nuclear Power Plants

Embedded Safety-Critical Systems in Nuclear Power Plants Brief Comparison of IEC 61508 and the Design of Systems Important to Safety Budapest University of Technology and Economics Department of Measurement and Information Systems

Nuclear Power Generation Introduction to Nuclear Energy and Nuclear Power Plants

Nuclear Power Is it even necessary? Fossil fuel power plants o burn carbon fuels such coal, oil or gas to generate steam driving large turbines that produce electricity o non-renewable fuel: oil depletes soon, gas next, carbon later o they produce large amounts carbon dioxide, which causes climate change o they increase background radiation Large hydro power plants o water from the dams flows through turbines to generate electricity o no greenhouse gas emissions o impact on the ecology around the dam o the number of sites suitable for new dams is limited Other renewables o wind, solar and small scale hydro produce electricity with no greenhouse gas emissions o higher cost than other forms of generation, often requiring subsidies o they do not produce electricity predictably or consistently o they have to be backed up by other forms of electricity generation

The Two Types of Nuclear Energy Production Energy yield from nuclear fission Energy yield from nuclear fusion Fusion Fission 4

Comparison of Fission and Fusion Fission Fusion Mechanism Conditions splitting of a large atom into two or more smaller ones criticality (prompt subcriticality), moderator, and coolant fusing of two or more lighter atoms into a larger one high density, high temperature (plasma), precise control Energy produced much greater than conventional 3 or 4 times greater than fission Byproducts highly radioactive isotopes, long decay time, large residual heat some helium and tritium (short halflife, very low decay energy) Nuclear waste byproducts, structural materials structural materials (lower half-life) Fuel 235 U (0.72%), 232 Th, possibly 238 U 2 H (deuterium) and 3 H (tritium) Advantages no greenhouse emissions, economical, highly concentrated fuel, intrinsically safe no greenhouse emissions, very low amount of waste, abundant fuel, intrinsically safe, low risk Disadvantages high risk, radioactive waste commercial application is far away 5

Controllability of Nuclear Fission Effective neutron multiplication factor (k) is the average number of neutrons from one fission to cause another fission o k < 1 (subcriticality): the system cannot sustain a chain reaction o k = 1 (criticality): every fission causes an average of one more fission, leading to a constant fission (and power) level o k > 1 (supercriticality): the number of fission reactions increases exponentially Delayed neutrons are created by the radioactive decay of some of the fission fragments o The fraction of delayed neutrons is called β o Typically less than 1% of all the neutrons in the chain reaction are delayed 1 k < 1/(1-β) is the delayed criticality region, where all nuclear power reactors operate 6

Inherent Safety of Nuclear Power Plants Reactivity is an expression of the departure from criticality: ρ = (k - 1)/k o when the reactor is critical, ρ = 0 o when the reactor is subcritical, ρ < 0 The temperature coefficient (of reactivity) is a measure of the change in reactivity (resulting in a change in power) by a change in temperature of the reactor components or the reactor coolant The void coefficient (of reactivity) is a measure of the change in reactivity as voids (typically steam bubbles) form in the reactor moderator or coolant Most existing nuclear reactors have negative temperature and void coefficients in all states of operation 7

(A Few) Types of Nuclear Reactors Graphitemoderated reactors Gas-cooled reactors Water-cooled reactors RBMK Nuclear Reactors Thermal Reactors Watermoderated reactors Light-waterreactors Light-elementmoderated reactors Heavy-water reactors CANDU BWR PWR Fast Neutron Reactors Generation IV reactors 8

Nuclear Reactor History and Generations Generation II: class of commercial reactors built up to the end of the 1990s Generation III: development of Gen. II designs, improved fuel technology, superior thermal efficiency, passive safety systems, and standardized design Generation IV: nuclear reactor designs currently being researched, not expected to be available for commercial construction before 2030 9

Gen. II Water Moderated Reactor Types Pressurized Water Reactor (PWR) Cooled and moderated by high-pressure liquid water, primary and secondary loops Boiling Water Reactor (BWR) Higher thermal efficiency, simpler design (single loop), potentially more stable and safe (?) Pressurized Heavy Water Reactor (PHWR) Heavy-water-cooled and -moderated pressurizedwater reactors, fuel in tubes, efficient but expensive High Power Channel Reactor (RBMK) Water cooled with a graphite moderator, fuel in tubes, cheap, large and powerful reactor but unstable 10

Pressurized WR Boiling WR Common Light Water Moderated Reactors 11

Overview of a PWR nuclear power plant Control Rods Secondary Circuit Steam Generator Pressurizer Primary circuit Reactor vessel 12

Risk of Nuclear Installations Using the Terms of the Functional Safety Concept

Functional Safety Concept: Risk Risk based approach for determining the target failure measure o Risk is a measure of the probability and consequence of a specified hazardous event occurring o There is no such thing as Zero Risk A safety-related system both o implements the required safety functions necessary to achieve a safe state for the EUC or to maintain a safe state for the EUC o is intended to achieve the necessary safety integrity for the required safety functions 14

Consequence: Effects of Ionizing Radiation Deterministic effect Hatás 100% Stochastic effect Kockázat m=5*10-2 /S v 0% Dózis Küs zöb Dózis Natural radiation o Internal radiation: 40 K o External radiation TENORM Background radiation o artificially increased background radiation Artificial radiation o Medical diagnosis and treatment o Industrial radiation sources o Nuclear tests o Nuclear waste 15

The Risk Assessment Framework The three main stages of Risk Assessment are: 1. Establish the tolerable risk criteria with respect to the frequency (or probability) of the hazardous event and its specific consequences 2. Assess the risks associated with the equipment under control 3. Determine the necessary risk reduction needed to meet the risk acceptance criteria this will determine the Safety Integrity Level of the safetyrelated systems and external risk reduction facilities 16

Consequence Example Risk Bands for Tolerability of Hazards Significant Major Catastrophic Zone 1 Unacceptable Risk Region Zone 3 Tolerable Risk Region Zone 2 Transitional Risk Region Remote Unlikely Possible Probable 10-4 10-3 10-2 10-1 1 Frequency (per year) 17

Severity of consequence Tolerable Risk of Nuclear Installations Design Basis Accidents Beyond Design Basis Accidents Severe Accidents Anticipated Operational Occurrences Normal Operation Design Basis Accidents Anticipated Operational Occurrences Beyond Design Basis Accidents Design Basis Accidents Probability of occurrence (in decreasing order) 10 0 10-4 19

Operational States and Transients of NPPs Normal Operational State o most probable, most frequent state Operational Transients aka. Anticipated Operational Occurrences (AOO) o highly probable operational occurrences, having a minor effect o good chance of multiple AOOs during operational life-time Design Basis Accidents o improbable accidents, these are included in the Design Basis Beyond Design Basis Accidents Severe Accidents o extremely improbable accidents o the Design Basis of most existing units does not include BDBAs o this is changing, many former BDBAs became DBAs in the case of Generation III and Generation IV nuclear units 20

Classification of Events & Operating Conditions 21

Definition of Safety Central concepts: Hazard, risk and safety Hazard Harm Combination of the probability of occurrence of harm and the severity of that harm Tolerable risk: Risk which is accepted in a given context (based on the values of society) Residual risk: Risk remaining after protective measures have been taken Risk Safety Functional safety

Postulated Initiating Events A postulated initiating event (PIE) is an identified event that leads to an anticipated operational occurrence (AOO) or accident condition and its consequential failure effects. o All safety analysis, deterministic or probabilistic, begins with definition of a set of PIEs PIEs may be defined from various sources: o Formal analytical techniques, such as Failure modes and effects analysis (FMEA), or Hazards and operability analysis (HAZOP) o PIE lists developed for other, similar plants o Operating experience with other plants o Engineering judgement 23

Classification of PIEs According to origin: Internal events o are those PIEs that arise due to failures of systems, structures, or components within the plant, or due to internal human error, and o provide a challenge to internal safety systems. External events o are those PIEs that arise from conditions external to the plant, such as natural phenomena or off-site human-caused events and o provide a challenge to safety equipment and/or to plant integrity. 24

The Design Basis The design basis specifies the necessary capabilities of the plant to cope with a specified range of operational states and design basis accidents within the defined radiological protection requirements The design basis includes o the specification for normal operation, o plant states created by the PIEs, o the safety classification, o important assumptions and, o in some cases, the particular methods of analysis. 25

Identification of Internal Initiating Events Proper operation depends on maintaining the correct balance between o power production in the core o transport of energy in the reactor cooling system (RCS) o removal of energy from the RCS, and o production of electrical energy Thus, PIE categories may include: o change in heat removal from the RCS o change in coolant flow rate o change in reactor coolant inventory, including pipe breaks o reactivity and power distribution anomalies o release of radioactive material from a component or system 26

Identification of Internal Initiating Events Consider failures (including partial failures or malfunctions) of safety systems and components, as well as non-safety systems and components that impact safety function Consider consequences of human error: o Faulty maintenance o Incorrect settings or calibrations o Incorrect operator actions Include fires, explosions, floods which could cause failure of safety equipment Some events from outside the plant may be analyzed as internal events because of the nature of their impact o Loss of off-site power o Loss of component cooling water 27

Identification of External Initiating Events External events can lead to an internal initiating event and failure of safety systems that provide protection. Naturally occurring events: o Earthquakes o Fires o Floods and other high water events o Volcanic eruptions o Extremes of temperature, rainfall, snowfall, wind velocity Human-caused events: o Aircraft crashes o External fires, explosions, and hazardous material releases 28

Nuclear Accidents The Three Most Prominent Accidents in the History of Nuclear Power Generation, and Lessons Learned

Main Types of Nuclear Reactor Accidents Accident initiated by sudden reactivity increase (e.g. control rod ejection) that causes reactor runaway o RIA Reactivity Initiated Accident o the nuclear chain reaction becomes uncontrollable prompt supercritical reactor Accident initiated by insufficient cooling (e.g. due to loss of coolant) o the efficiency of heat removal from the core drops o the reactor core cooling is lost that can cause damage to the fuel cladding o LOCA Loss of Coolant Accident o LOFA Loss of Flow Accident o LOHA Loss of Heat Sink Accident 30

Reactivity Initiated Accident 31

Loss of Coolant Accident LB LOCA 32

International Nuclear Event Scale (INES) Level 7: Major accident Level 6: Serious accident Level 5: Accident with wider consequences Level 4: Accident with local consequences Level 3: Serious incident Level 2: Incident Level 1: Anomaly Level 0: Deviation (No Safety Significance) 33

Details and Examples of the INES Scale INES Level People and Environment Radiological Barriers and Control Example Level 7: Major accident Major release of radioactive material Widespread effects Chernobyl accident (Soviet Union), 26 April 1986 Fukushima accident Level 6: Serious accident Significant release of radioactive material Kyshtym disaster at Mayak (Soviet Union), 29 September 1957 Level 5: Accident with wider consequences Limited release of radioactive material Several deaths Severe reactor core damage Significant release within installation Three Mile Island accident (United States), 28 March 1979 34

Three Mile Island Accident In 1979 at Three Mile Island nuclear power plant in USA a cooling malfunction caused part of the core to melt in the #2 reactor o A relatively minor malfunction in the secondary cooling circuit caused the temperature in the primary coolant to rise o This in turn caused the reactor to shut down automatically o A relief valve failed to close, but instrumentation did not reveal the fact o So much of the primary coolant drained away that the residual decay heat in the reactor core was not removed o The core suffered severe damage as a result o The operators were unable to diagnose or respond properly to the unplanned automatic shutdown of the reactor o Deficient control room instrumentation and inadequate emergency response training proved to be root causes of the accident Some radioactive gas was released a couple of days after the accident, but not enough to cause any dose above background levels There were no injuries or adverse health effects from the TMI accident 35

Three Mile Island Accident 36

Chernobyl Accident The Chernobyl accident in 1986 was the result of a flawed reactor design that was operated with inadequately trained personnel o The crew wanted to perform a test to determine how long turbines would spin and supply power to the main circulating pumps following a loss of main electrical power supply o A series of operator actions, including the disabling of automatic shutdown mechanisms, preceded the attempted test o By the time that the operator moved to shut down the reactor, the reactor was in an extremely unstable condition o A peculiarity of the design of the control rods caused a dramatic power surge as they were inserted into the reactor The RBMK reactor can possess a positive void coefficient o The interaction of very hot fuel with the cooling water led to fuel fragmentation o Intense steam generation then spread throughout the whole core causing a steam explosion and releasing fission products to the atmosphere o A second explosion threw out fragments from the fuel channels and hot graphite The resulting steam explosion and fires released at least 5% of the radioactive reactor core into the atmosphere Two Chernobyl plant workers died on the night of the accident, and a further 28 people died within a few weeks as a result of acute radiation poisoning 37

Chernobyl Accident 38

Fukushima Accident Following a major earthquake, a 15-metre tsunami disabled the power supply and cooling of three Fukushima Daiichi reactors, causing a nuclear accident on 11 March 2011 o The reactors proved robust seismically, but vulnerable to the tsunami o This disabled 12 of 13 back-up generators on site and also the heat exchangers for dumping reactor waste heat and decay heat to the sea o The three units lost the ability to maintain proper reactor cooling and water circulation functions, all three cores largely melted in the first three days Rated 7 on the INES scale, due to high radioactive releases over days 4 to 6 After two weeks the three reactors (units 1-3) were stable with water addition but no proper heat sink for removal of decay heat from fuel By July they were being cooled with recycled water from the new treatment plant, and official 'cold shutdown condition' was announced in mid-december Apart from cooling, the basic ongoing task was to prevent release of radioactive materials, particularly in contaminated water leaked from the three units There have been no deaths or cases of radiation sickness from the nuclear accident, but over 100,000 people had to be evacuated from their homes 39

Fukushima Accident 40

Safety Relative to Other Energy Sources Deaths from energy-related accidents per unit of electricity Fuel Comparison of accident statistics in primary energy production (Electricity generation accounts for about 40% of total primary energy) Immediate fatalities 1970-92 Who? Normalized to 1/TWy* electricity Coal 6400 workers 342 Natural gas 1200 workers & public 85 Hydro 4000 public 883 Nuclear 31 workers 8 41

Safety of Nuclear Power Plants Overview of the Basic Concepts of Nuclear Safety

Characteristics of Nuclear Power Plants They contain a large amount of radioactive material Employees need to be protected from radiation even in normal operation The release of radioactive contaminants must be prevented even in accident conditions! Plans must exist to handle the problems if radioactive contaminants are still released Residual (decay) heat removal (heat from the decay of fission products) is of high importance 43

Safety Goals of Nuclear Power Plants Normal operational state: intrinsically safe o environmentally safe: no release of contaminants o intrinsic safety: negative void coefficient But Potentially hazardous o possibility of severe consequences due to an incident o design flaws and incompetence can lead to accidents Aim: avoidance of accidents o design and build a safe nuclear power plant o safe operation and maintenance of the NPP 44

Safety of Nuclear Power Plants Nuclear power plants and its safety systems and technical equipment must be designed so that the safety of the environment is guaranteed even if an accident occurs Modern nuclear power plants satisfy these criteria Periodic safety audits are required to o assess the effectiveness of the safety management system o and identify opportunities for improvements The licensing authority permits the startup, operation or maintenance of a nuclear power plants only if the guaranteed safety of the reactor is proven 45

Safety of Nuclear Power Plants Nuclear safety has three objectives: 1. to ensure that nuclear facilities operate normally and without an excessive risk of operating staff and the environment being exposed to radiation from the radioactive materials contained in the facility 2. to prevent incidents, and 3. to limit the consequences of any incidents that might occur Aim: to guarantee in every possible operational and accident conditions (above a certain occurrence frequency and consequence, i.e. risk) that the radioactive material from the active zone be contained in the reactor building 46

The Basic Principles of Nuclear Safety Nuclear safety uses two basic strategies to prevent releases of radioactive materials: o the provision of leak tight safety barriers o the concept of defense-in-depth applies to both the design and the operation of the facility despite the fact that measures are taken to avoid accidents, it is assumed that accidents may still occur systems are therefore designed and installed to combat them and to ensure that their consequences are limited to a level that is acceptable for both the public and the environment 47

Five Layers of Safety Barriers in NPPs 1st layer is the inert, ceramic quality of the uranium oxide 2nd layer is the air tight zirconium alloy of the fuel rod 3rd layer is the reactor pressure vessel made of steel 4th layer is the pressure resistant, air tight containment building 5th layer is the reactor building or a second outer containment building 48

Pressure Resistant, Air Tight Containment 49

Structure of the Paks NPP and Safety Barriers 50

Main Systems Shown in the Previous Figure 1. Reactor vessel 2. Steam generator 3. Refuelling machine 4. Cooling pond 5. Radiation shield 6. Supplementary feedwater system 7. Reactor 8. Localization tower 9. Bubbler trays 10. Deaerator 11. Aerator 12. Turbine 13. Condenser 14. Turbine hall 15. Degasser feedwater tank 16. Feedwater pre-heater 17. Turbine hall overhead 18. Control and instrument room 51

Levels of Defence in Depth Level 1: Mitigation of radiological consequences of significant releases of radioactive materials Level 2: Control of severe plant conditions, including prevention of accident progression and mitigation of the consequences of severe accidents Level 3: Control of accidents within the design basis Level 4: Control of abnormal operation and detection of failures Level 5: Prevention of abnormal operation and failures Conservative design and high quality in construction and operation Control, limiting and protection systems and other surveillance features Engineered safety features and accident procedures Complementary measures and accident management Off-site emergency response 52

Design Limits Design Basis Accidents The design limits prescribe that for any DBA: o the fuel cladding temperature must not exceed 1200 C o the local fuel cladding oxidation must not exceed 18% of the initial wall thickness o the mass of Zr converted into ZrO 2 must not exceed 1% of the total mass of cladding o the whole body dose to a member of the staff must not exceed 50 msv o critical organ (i.e., thyroid) dose to a member of the staff must not exceed 300 msv 53

Safety Functions To ensure safety o in operational states o in and following a design basis accident, and o (to the extent practicable) on the occurrence of selected BDBAs The following fundamental safety functions shall be performed: 1. control of the reactivity 2. removal of heat from the core 3. confinement of radioactive materials and control of operational discharges, as well as limitation of accidental releases 55

Main Safety Systems in Nuclear Power Plants Reactor Protection System (RPS) o Control Rods o Safety Injection/Standby Liquid Control Emergency Core Cooling System o High Pressure Coolant Injection System (HPCI) o Depressurization System (ADS) o Low Pressure Coolant Injection System (LPCI) o Core spray and Containment Spray System o Isolation Cooling System Emergency Electrical Systems o Diesel Generators o Motor Generator Flywheels o Batteries Containment Systems o Fuel Cladding o Reactor Vessel o Primary and Secondary Containment Ventilation and Radiation Protection 56

Emergency Core Cooling System 1. Reactor 2. Steam Generator 3. Main Cooling Pump 4. Primary Pipe Rupture 5. Hidroaccumulator 6. Low Pressure Coolant Injection System Vessel 7. Low Pressure Coolant Injection System Pump 8. High Pressure Coolant Injection System Vessel 9. High Pressure Coolant Injection System Pump 10. Pressurizer 57

Instrumentation and control for systems important to safety Safety Life-cycle of I&C Systems in Nuclear Installations

Nuclear Standards: Differences from IEC 61508 Deterministic approach o Safety function are classified into categories according to their impact on plant safety o Systems are classified into categories according to the safety functions they provide o Requirements are assigned to categories Requirements are drawn from the plant safety design base Requirements are tipically deterministic o Design for reliability Single failure criterion Redundancy Diversity o Independence o Avoidance of Common Cause Failures 59

Safety Classification of Nuclear I&C Systems The safety classification of nuclear systems is country and authority dependant. The requirements for the design and operation of systems important to safety, however, are similar. Source: IAEA TECDOC-1066, Specification Requirements for Upgrades Using Digital I&C. January 1999. 60

Examples of I&C Systems Important to Safety 61

IAEA Standards International Atomic Energy Agency IAEA Safety Standards Series No. NS-R-1 (2000), Safety of Nuclear Power Plants: Design (Requirements) IAEA Safety Standards Series No. NS-G-1.3 (2002), Instrumentation and Control Systems Important to Safety in Nuclear Power Plants (Safety Guide) IAEA Safety Standards Series No. NS-G-1.1 (2000), Software for Computer Based Systems Important to Safety in Nuclear Power Plants (Safety Guide) 62

IEC Nuclear Standards International Electrotechnical Commission IEC 61226:2009, Nuclear power plants - Instrumentation and control important to safety - Classification of instrumentation and control functions IEC 61513:2001, Nuclear power plants Instrumentation and control for systems important to safety General requirements for systems IEC 60987-2:2007, Nuclear power plants Instrumentation and control important to safety Hardware design requirements for computer-based systems IEC 60880-2:2006, Nuclear power plants Instrumentation and control systems important to safety Software aspects for computer-based systems performing category A functions IEC 62138:2004, Nuclear power plants Instrumentation and control important for safety Software aspects for computer-based systems performing category B or C functions IEC 62340:2007, Nuclear power plants Instrumentation and control systems important to safety Requirements for coping with common cause failure (CCF) 63

Correlation Between IEC Classes and Categories Categories of I&C functions important to safety (according to IEC 61226) Corresponding classes of I&C systems important to safety (according to IEC 61513) A (B) (C) 1 B (C) 2 C 3 I&C functions of category A may be implemented in class 1 systems only I&C functions of category B may be implemented in class 1 and 2 systems I&C functions of category C may be implemented in class 1, 2, and 3 systems 64

The Use of Standards in the Design Process Requirements from the plant safety design base IEC 61226: Classification of I&C functions I&C Architectural design Assignment of functions to I&C systems IEC 61513: General requirements for systems Design and Implementation of the I&C Hardware Design and Implementation of the I&C Software IEC 60987: Hardware design requirements IEC 60880: Software aspects for computerbased systems performing category A functions IEC 62138: Software aspects for computerbased systems performing category B or C functions 65

Simplified Safety Life-Cycle Requirements from the plant safety design base I&C Architectural design Assignment of functions to I&C systems Safety life cycle of I&C system 1 System requirements specification System installation Safety life cycle of I&C system n System requirements specification System installation Overall integration and commissioning Overall operation and maintenance 66

Assessment of Components Objective: contribute to confidence that system conforms to safety requirements Stringency of assessment depends on: o safety class of system o how component is used o consequences of component errors and failures o intrinsic component properties (e.g., complexity)

Overall Requirements - Class 1 Low complexity Deterministic behavior for computer-based systems: o cyclic behavior o preferably stateless behavior o load independent of external conditions o static resource allocation o guaranteed response times o single (random) failure criterion o robustness with respect to errors Software developed according to stringent nuclear industry standards (e.g., IEC 60880)

Overall Requirements - Class 2 Controlled complexity Confidence based in particular on analysis of system design High quality software, not necessarily developed according to nuclear industry standards

Overall Requirements - Class 3 No specific limit for complexity Confidence mainly based on: o proven application of quality standards o global demonstration of fitness Specific demonstrations may be required on identified topics

Consistency with System Level Constraints Predictable behavior (Classes 1 & 2): o precise specification of component behavior o documented conditions of use in system Deterministic behavior (Class 1): o static resource allocation o static parameterization o preferably stateless behavior o clear-box (with limited exceptions) o proven maximum response time o proven robustness against consequences of errors