IEEE NPEC European Nuclear Electrical Safety Practices Oliver Sobott Manager, Electrical Systems Design Authority


PTLI-G ES, 2012-07, Oliver Sobott Slide 2

Overview

• Introduction
• Design of electrical systems
    • Offsite power supply
    • Onsite power supply
• Equipment Qualification
    • Overview
    • Software qualification
• Regulatory Overview
    • Classification
    • Separation
    • Ongoing discussion
• Summary

Introduction

• Aim of this presentation is to show the current design practice of electrical systems in nuclear power plants following European requirements.
• There are obvious differences like nominal voltage levels (e.g. 10kV, 690V, 400V, 230V) and rated frequency (50Hz) compared to the US standards (13.8kV, 4.16kV, 480V, 110V and 60Hz).
• Main focus is on the overall electrical design aspect, less on the design of the equipment itself.
• The electrical design of NPPs follows the defense-in-depth concept:
    • 1st line: Normal operation (supply from main + standby grid, main generator)
    • 2nd line: Prevention + Mitigation (supply from emergency power sources)
    • 3rd line: Station blackout
    • 4th line: Severe accident management
    • 5th line: Offsite emergency response (added after Fukushima)

Design of electrical Systems

Offsite Power Supply 1/5

The offsite power supply comprises the main and standby grid connections as well as the main generator. They belong to the 1st defense line.

Interaction between plant and grid: The grid code defines the requirements from the grid to the plant:

• Voltage and frequency range in which the plant has to remain connected to the grid

[Figures: Czech grid code; Nordel grid code (Scandinavia)]

Offsite Power Supply 2/5

• Behavior in case of grid faults (fault ride through characteristics)

Example is from NORDEL (Scandinavia). The turbine/generator as well as the auxiliary and safety systems have to stay connected and the design limits shall not be exceeded.

• Participation in the voltage and power control in the grid

Offsite Power Supply 3/5

The plant operator and nuclear regulation define the requirements to the grid:

• Independence between main and standby grid connection
• Availability and reliability of grid supply (major contribution to the PSA analysis)
• Needed power in case of turbine trip and transfer to the standby grid

In Europe, traditionally each country has its own grid code despite the fact that the national grids are interconnected (except UK, which is connected via DC link). Due to de-regulation of the markets and to increase competition, a draft for a European grid code has been established, called ENTSO-E, which will be part of European legislation in the future (binding requirements).

Offsite Power Supply 4/5

[Figure: Typical grid connection scheme in Europe. Labels recoverable from the diagram: main grid, stand-by grid, Unit Transformer, Generator Circuit Breaker, Generator (G), Auxiliary Normal Transformer (two), Auxiliary Stand-by Transformer, TI, NI, 10kV / 690V / 400V busbars, motors (M), RCP (four).]

Offsite Power Supply 5/5

Tasks of the standby grid:
• Power supply from standby grid happens if the main grid is not available and the house-load operation has failed (e.g. main generator lost as well)
• In most applications, the reactor will be tripped if there is a transfer to the standby grid
• Increase of the overall reliability of power supply from the grid (there are minimum requirements regarding reliability coming from PSA analysis)
• Ensure the power supply of the main heat sink (avoiding the start of the safety systems)
• Main and standby grid supply shall be as independent as possible, i.e. if the grids are independent different voltage levels should be used. A single failure shall not cause the loss of both grid connections simultaneously (different switchyards, no common towers of overhead lines, no crossings).

House-load operation:
• Implemented to allow a fast reconnection of the plant to the grid in case of grid disturbances which exceed the limits of the grid code (avoiding reactor trip)
• Providing an additional power source to the onsite power systems

Main differences to US design:
• House-load operation capability is mandatory in Europe

Onsite Power Supply 1/3

The onsite power supplies comprise the non-safety and safety emergency power sources, the station blackout power supply and, if already implemented, the dedicated severe accident power source. The latter three belong to the defense lines 2-4.

There has been a gap of about 15 years from the eighties to the year 1995, where not many new nuclear designs have been developed. But of course conventional design evolved, mainly in the following areas:
• Use of software based I&C systems and field devices in electrical systems
• Replacement of rotating converters by static technology
• Vacuum breakers and SF6 technology for switchgear
• Generally higher ratings of equipment and more compact designs (higher integration)

In Europe, manufacturers lost a lot of their “system” know-how (especially regarding nuclear applications), more focusing now on selling equipment instead of supporting system integration.

Onsite Power Supply 2/3

Boundary conditions for the application of “modern” designs:
• Consideration of common cause failures (CCF) in all stages of design, implementation and maintenance is one of the top priorities
• The use of software based devices requires new approaches to demonstrate a sufficient level of reliability and prevention of CCFs
• More complex devices (rectifiers, converters, inverters) which are not developed for use in nuclear power plants have to be properly understood regarding all functions (including the ones which are not documented). This requires an in-depth discussion about their intended use with the manufacturer and proper training of own staff
• As the new I&C systems are more sensitive to disturbances (EMC, overvoltages), the proper environment has to be ensured: change from single point grounding concept to use of equipotential surfaces (multipoint grounding) and implementation of an overvoltage protection concept including new power supplies
• New failure modes introduced by new equipment (e.g. variable speed drives, IT security, networks) have to be considered and managed accordingly

Onsite Power Supply 3/3

Static inverters, switching power supplies, frequency converters:
• Diversification is required for complex electronic devices like inverters and converters
• Special attention has to be paid to the admissible voltage and frequency range at the input. Adequate protection devices with selective settings have to be used to ensure proper behavior in case of e.g. overvoltages (as they will happen in case of transition to house-load operation)
• In general, static devices provide much less short-circuit power compared to rotating converters: quite often the sizing of the converter is determined by the required short-circuit power (e.g. to blow the fuse) and not by the power demand

Arc protected switchgear:
• There are requirements in IEC and nuclear standards (e.g. YVL in Finland) to ensure personal protection in case of arc faults in MV and LV switchgear. Active arc fault protection (based on pressure or light sensors) is used together with the respective design of the switchgear

Lessons learned from existing designs:
• Minimization of equipment, i.e. the number of batteries and UPS is reduced by using only one per division.
• Cable volumes are reduced by optimization of voltage levels and eliminating e.g. 24VDC for I&C power supply

Equipment Qualification

Overview 1 of 2

Qualification Principles

Qualification is done according to the classification of the equipment

Basis for qualification is the use of series manufactured components, which are type tested according to conventional electrical standards:
• Large quantities
• Return of operating experience

In case of special loads like e.g. seismic, LOCA, Severe Accident: analysis, test or combination of both

There are basically three types of qualification documents:
• General specifications (how to qualify, methodology)
• Equipment qualification specifications (requirements per equipment)
• Qualification reports (results of tests and analyses)

For safety equipment, suitability analyses are done which demonstrate compliance between the requirements and the selected equipment

AREVA NP

Overview 2 of 2

Software Qualification

Software based devices for safety applications:
• It is postulated that it is impossible to demonstrate deterministically an error free design based on software
• Therefore diversification has to be applied to cope with postulated common cause failures in the design of a system
• In addition, software qualification according to at least industrial, for higher classified also nuclear, standards has to be performed
• Unfortunately, there is not a common agreement amongst the regulators which level of qualification and diversification is sufficient – the topic is still ongoing

In addition, less and less electrical equipment is available which does not use any software, PLD or complex electronic devices. However, there is still a common understanding in Europe that electrical equipment selection shall be based on well proven, industrial designs manufactured in large quantities and with good return of experience and not on dedicated developments for the nuclear industry.

Regulatory Overview

Classification 1 of 2

Unfortunately, the requirements amongst the different regulators in Europe are still not harmonized like e.g. in the aviation industry, where it is sufficient to license a plane only once for worldwide application.

The nuclear standards are still country specific and have in most cases to be applied and are required by law:
• YVL in Finland (Authority: STUK)
• KTA in Germany (Authority: specific per “state”)
• RCC-E in France (Authority: ASN)

Therefore the design needs to be adapted not only to the preferences of the client but also to country-specific requirements. Some examples:

Classification of electrical systems (three safety classes at AREVA):
• Finland: SC2, SC3 for safety systems, SC4 and EYT for non-safety systems
• France: EE1 for safety systems, EE2 and NC for non-safety systems
• US: Class 1E for safety systems, non Class-1E for non-safety systems

Classification 2 of 2

Comparison US with European classification approach

In US regulatory practice (see 10CFR50.2) Class 1E is assigned to all safety-related electrical equipment, i.e. those SSCs that are relied upon to remain functional during and following design basis events.

Note: Class 1E does not encompass SSCs involved in the mitigation of design-extension events such as Station Blackout.

For the US EPR and ATMEA1 such equipment is assigned to a “supplement grade” class NS-AQ. SSCs belonging to class NS-AQ are by definition non safety-related SSCs, but to which a “significant licensing requirement or commitment” applies. NS-AQ electrical equipment may be assigned to the non-1E power supply system which is physically separated from the safety-related Class 1E emergency power supply.

Coherence between US and present Standard EPR™ scheme:
• “Safety related” -> Functional Safety Class F1 (F1A/F1B)
• Class 1E -> Electrical quality class EE1
• Supplement grade NS-AQ -> Functional Safety Class F2
• Non Class-1E -> Electrical quality class EE2

Separation

• Separation of safety and non-safety cabling is required in YVL (Finland), but not in French (RCC-E) or German (KTA) nuclear standards.
• For power sources, non-safety loads may be supplied by safety power sources, if they are separated by isolation devices (i.e. in case of failure they do not endanger the operation of the safety system) and are considered properly in the power balance.
• In the updated nuclear standards, coping with single failure and maintenance is required, i.e. there are at least three safety divisions to be used.
• There is currently a discussion ongoing (European national regulators) as to what extent cables and power sources of defense lines shall be separated. In Finland, there is already a requirement to separate (dedicated power source) systems dedicated for a severe accident.
• AREVA's position outside the US is still that for a four division plant an additional safety / non-safety cable separation does not provide any significant safety improvement.

Use of IEEE Nuclear Electrical Standards

Clients and Regulatory Agencies which require use of IEEE Nuclear Electrical Standards:

Finland (safety authority STUK):
• Application of IEEE 384 to cabling (not wiring inside cabinets)
• Application of IEEE 519 (harmonics). May change, as there is now an equivalent IEC61000 standard, which was not existing before (in 2003)

India (safety authority AERB, client NPCIL):
• Full application of IEEE 384 (cable separation)
• Full application of IEEE 387 (diesel) and also the fuel capacity from IEEE 308 (7 days)

Belgium (client GDF Suez):
• Full application of IEEE 387 (diesel)

Outside Germany:
• IEEE 317 (containment cable penetrations); there are basically only KTA 3403 (Germany) and IEEE 317 (rest of the world)

IAEA and IEC Standards

Use of IAEA standards in Europe (electrical systems design):
• Most country specific nuclear standards (like YVL, KTA, RCC-E) include a link to the IAEA standards as the highest level definition of nuclear design requirements (quality, safety, electrical, I&C and so on). This concerns mainly (non-exhaustive list):
    • IAEA NS-R-1 (safety requirements)
    • IAEA NS-G 1.8 (design of emergency power systems)
    • IAEA 50-C-Q (quality)

Equivalent nuclear electrical IEC standards to IEEE standards:
• IEEE 384 (Independence) -> IEC60709 (separation for I&C systems); IEC61226 (classification of I&C)
• IEEE 446, 946 -> IEC61225 (I&C power supply incl. UPS)
• IEEE 7-4.3.2 -> IEC60880 (nuclear software qualification cat A); IEC62138 (nuclear software qualification cat B, C)
• IEEE 344 (seismic) -> IEC60980 (seismic qualification)
• IEEE 323 (qualification) -> IEC60780 (qualification)

Most other nuclear requirements are given in country specific standards (YVL, KTA, RCC-E), which refer to the relevant conventional IEC guides for electrical equipment (switchgear, transformers, motors, etc.) and design (short-circuit, etc.).

However, for some IEEE standards (partly 384, 387, 317, 308) there are no equivalent IEC standards, only local nuclear standards or IAEA guidelines.

Ongoing discussion - IAEA

IAEA: New electrical standard DS430 available as draft, main topics under discussion:
• Separation of safety and non-safety systems
• Use of software based devices

European Actors - ENSREG

ENSREG (European Nuclear Safety Regulators Group) consists of senior officials from the national regulatory authorities of all EU member states.

The ENSREG work covers, for EU countries:
• The safety of nuclear installations
• The safety of the management of spent fuel and radioactive waste
• The financing of the de-commissioning of nuclear installations

Advisory board to the European Commission

European Actors - WENRA

The main objectives of WENRA (Western European Nuclear Regulators' Association) are:
• Develop a harmonized approach to nuclear safety and regulation
• Provide an independent capability to examine nuclear safety in applicant countries
• Be a network for chief nuclear safety regulators in Europe exchanging experience and discussing significant safety issues

Ongoing discussion - WENRA

WENRA (Example): Safety objectives for new power reactors are issued.

Document O.4 “Independence between all levels of defence”:
• SSCs fulfilling safety functions in case of postulated single initiating events (DiD level 3.a) or in postulated multiple failure events (DiD level 3.b) should be independent from SSCs used in normal operation (level 1) and/or in anticipated operational occurrences (level 2), so that the failure of SSCs used in normal operation and/or in anticipated operational occurrences does not impair a safety function required in the situation of a postulated single initiating event or of a multiple failure event.
• SSCs of DiD level 3.a and additional safety features of level 3.b events should be independent to the extent reasonably practicable.
• Complementary safety features specifically designed for fulfilling safety functions used in postulated core melt accidents (DiD level 4) should be independent from the SSCs of the other levels of DiD.

Summary

Electrical equipment is generally based on industrial devices with good return of experience and qualified for its intended use

Due to some advantages in design, functionality and operation (and due to obsolescence of other equipment), modern devices such as software based protective devices, variable speed drives, static converters and digital I&C systems are used more and more.

However there are new challenges in connection with these devices: How to completely understand the new functions and failure modes, how to qualify a software/firmware not developed for nuclear application, how to exclude common cause failures?

Nuclear standards in Europe are only partially harmonized. Some efforts have been started e.g. to get a common grid code for all of Europe. It would be very beneficial to harmonize nuclear and electrical standards between Europe and the US to reach a situation comparable with the aviation industry where a license for a plane is accepted everywhere.