Ri Ukepr 0002
Date: 16 April 2009
Your ref:
I am writing to confirm our recent discussions, in which we advised you that the adequacy of the UK EPR C&I architecture would be raised as a Regulatory Issue (RI).

Our C&I assessment work completed to date has identified the adequacy of the UK EPR C&I architecture as a matter of sufficient importance to raise as an RI at this stage, one which may, if not resolved, prevent a successful outcome of GDA. I have therefore raised RI-UKEPR-2 to cover this topic. We discussed our intention to issue this RI and outlined our concerns at our meeting in Erlangen on 13 and 14 January 2009 and, more recently, at the 13 March 2009 Level 4 teleconference. Our detailed concerns are set out below and in the Annex to this letter. You should also note that HSE ND has engaged a Technical Support Contractor to assist with its assessment of the UK EPR and, as a result, additional matters relating to the C&I architecture (i.e. additional to those recorded in this letter) may emerge. Please note that the technical areas of concern given below and in the attached draft Regulatory Issue Actions (RIAs) were derived from our review of your proposed C&I architecture, based on our Step 2 and Step 3 assessments against HSE's Safety Assessment Principles for Nuclear Facilities (SAPs), 2006 Edition, Revision 1. An important aspect of our SAPs is the strong emphasis on probabilistic safety analysis of complex systems in addition to the more traditional deterministic techniques. It is in the area of probabilistic analysis that some of the most significant challenges for the EPR C&I system arise, particularly on matters of independence and diversity, and on the use of Class 2 and 3 systems in your Baseline Level 1 PSA with probabilistic claims more appropriate to Class 1 systems.
It is our regulatory judgement that the C&I architecture appears overly complex. This judgement is based on a number of concerns. Firstly, the design relies on two computer-based systems (originally developed by the same company) with a high degree of connectivity between them. Secondly, independence between the safety (Class 1) system and the larger number of safety-related (Class 2/3) systems appears to be significantly compromised by the high level of interconnectivity between systems of different safety classification. Thirdly, we have serious reservations about your proposal to allow lower safety class systems write access (permissives etc.) to higher safety class systems; the usual UK practice of only allowing one-way online communication, from a safety system to systems of a lower safety class, is not applied in the UK EPR design (see Annex RI-UKEPR-2.A2). Other concerns include the absence of a Class 1 display system (which is included in the Olkiluoto 3 (OL3) and US EPR designs) (see Annex RI-UKEPR-2.A3), the absence of Class 1 manual controls or indications in either the Main Control Room or the Remote Shutdown Station (see Annex RI-UKEPR-2.A3), and EPR function category/equipment class assignments that do not appear to align with UK expectations as defined in BS IEC 61226 (see Annex RI-UKEPR-2.A4).
In addition, EDF/Areva has now submitted its C&I PSA sensitivity study. HSE ND believes that the baseline values used for the C&I systems (i.e. 10^-5 pfd for the Teleperm XS Protection System (PS) and 10^-4 pfd for the Siemens SPPA-T2000 platform which provides backup reactor protection) will prove very difficult, if not impossible, to substantiate. The claim on the PS is beyond the normal limit for reliability claims (i.e. 10^-4 pfd) as stated in nuclear sector standards and guidance (Refs 1 to 7), including that of ASN's safety advisory group (Ref. 5). The claim for the Siemens SPPA-T2000, a Class 2/3 platform, is at the 10^-4 pfd limit for Class 1 systems. The sensitivity study has shown that there is unlikely to be any margin for reducing the claimed C&I system reliabilities to more credible values without significantly increasing EDF/Areva's risk estimates to levels close to or in excess of the Basic Safety Levels (see HSE Safety Assessment Principles for Nuclear Facilities, 2006 Edition, Revision 1) (see Annex RI-UKEPR-2.A1). By way of comparison, you should note that the claim on the Sizewell B computerised Primary Protection System (PPS) when standing alone was 10^-4 pfd and that, for the most frequent faults, the claim for the combination of the PPS and the hardware (laddic) based Class 1 Secondary Protection System was 10^-7 pfd. From this it can be seen that you are attempting to claim two orders of magnitude better reliability (i.e. 10^-9 pfd) for the combination of two computer-based systems, one of which (the Siemens SPPA-T2000 platform) was, to our knowledge, not developed to nuclear sector protection system standards such as IEC 60880 or IEC 60987.
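The following Python sketch is an added illustration and is not part of the letter, nor an HSE or EDF/Areva PSA model. It takes only the pfd figures quoted above (10^-5 for the PS, 10^-4 for the backup platform, 10^-4 as the normal single-system limit, 10^-7 for the Sizewell B PPS plus SPS combination) and shows why a joint claim of 10^-9 rests entirely on an assumption of failure independence: the beta-factor common-cause model, the choice to bound the common-cause term by the more reliable system's pfd, and the beta values tried are all assumptions made for this example.

```python
import math

# pfd (probability of failure on demand) figures quoted in the letter
PS_CLAIM = 1e-5             # Teleperm XS Protection System, EDF/Areva baseline claim
BACKUP_CLAIM = 1e-4         # SPPA-T2000 backup reactor protection, baseline claim
SECTOR_LIMIT = 1e-4         # normal limit for a reliability claim (Refs 1 to 7)
SIZEWELL_B_COMBINED = 1e-7  # PPS + laddic SPS, most frequent faults


def combined_pfd_independent(pfd_a: float, pfd_b: float) -> float:
    """Joint pfd if the two systems are assumed to fail independently.
    This is the product behind the 10^-9 figure: 1e-5 * 1e-4."""
    return pfd_a * pfd_b


def combined_pfd_beta(pfd_a: float, pfd_b: float, beta: float) -> float:
    """Joint pfd under an ASSUMED beta-factor common-cause model.

    A fraction `beta` of failures is taken to be common-cause, i.e. to
    defeat both systems at once (shared origin, shared platform, shared
    interconnections). A common-cause failure cannot be more likely than
    either system failing at all, so the term is bounded by the more
    reliable system's pfd: beta * min(pfd_a, pfd_b). The remaining
    (1 - beta) share of failures is treated as independent.
    """
    if not 0.0 <= beta <= 1.0:
        raise ValueError("beta must lie in [0, 1]")
    common_cause = beta * min(pfd_a, pfd_b)
    independent = (1.0 - beta) * pfd_a * pfd_b
    return common_cause + independent


def beta_for_target(pfd_a: float, pfd_b: float, target: float) -> float:
    """Smallest common-cause fraction at which the joint pfd reaches
    `target`; solves beta*min + (1-beta)*pfd_a*pfd_b = target for beta."""
    product = pfd_a * pfd_b
    lower = min(pfd_a, pfd_b)
    if target <= product:
        return 0.0                       # reached (or beaten) with beta = 0
    if target > lower:
        raise ValueError("target exceeds the better system's own pfd")
    return (target - product) / (lower - product)


def orders_of_magnitude(pfd_worse: float, pfd_better: float) -> float:
    """How many decades better `pfd_better` is than `pfd_worse`."""
    return math.log10(pfd_worse / pfd_better)


def capped_claim(pfd: float, limit: float = SECTOR_LIMIT) -> float:
    """Claim as it would stand if held to the sector limit quoted in the letter."""
    return max(pfd, limit)


def summary(beta: float = 0.01) -> dict:
    """Collect the comparison for one assumed common-cause fraction."""
    return {
        "claimed_joint_pfd": combined_pfd_independent(PS_CLAIM, BACKUP_CLAIM),
        "joint_pfd_with_ccf": combined_pfd_beta(PS_CLAIM, BACKUP_CLAIM, beta),
        "beta_giving_sizewell_b_figure": beta_for_target(
            PS_CLAIM, BACKUP_CLAIM, SIZEWELL_B_COMBINED),
        "decades_better_than_sizewell_b": orders_of_magnitude(
            SIZEWELL_B_COMBINED, combined_pfd_independent(PS_CLAIM, BACKUP_CLAIM)),
        "joint_pfd_with_capped_claims": combined_pfd_beta(
            capped_claim(PS_CLAIM), capped_claim(BACKUP_CLAIM), beta),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key:32s} {value:.3g}")
```

With an assumed common-cause fraction of only 1%, the joint pfd of the two computer-based systems is about 10^-7, i.e. the Sizewell B figure rather than 10^-9; holding both claims to the 10^-4 limit as well lifts it to about 10^-6. The sensitivity to beta is the numerical form of the independence and diversity concerns raised in this letter and in Annex RI-UKEPR-2.A2.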
We have previously advised you that the provision of a hardware backup protection system (as employed in OL3) might be a possible way forward on some of the topics identified in this letter (see Annex RI-UKEPR-2.A1). The provision of a hardware backup system on OL3, and of a Class 1 display system on OL3 and the US EPR, suggests that the implementation of such systems is reasonably practicable and necessary for a plant designed to meet modern international safety standards.
Further information on the RI and the related draft Regulatory Issue Actions (RIAs) can be found in the Annex to this letter.

Please note that we are sending a copy of this letter and its attachments to Mr Sylvain Petit at ASN. We also intend to provide a copy of this letter to our partners in the OECD MDEP EPR working group (i.e. US NRC, STUK and IRSN).

Please provide a response to this letter, including a plan for addressing the draft RIAs, by 22 May 2009. So that we can include consideration of your responses in our Step 3 report, would you please ensure that you have completed all work necessary to address the RIAs and have provided us with a full response by the end of August 2009. In view of the complexity of some of the concerns linked to our draft RIAs, please note that an acceptable full response in time for Step 3 (end August 2009) could be a conceptual design solution together with a plan and commitment to produce a detailed design solution during Step 4.
Yours sincerely
References

1. IAEA Safety Standards Series, Safety Guide No. NS-G-1.1, Software for Computer Based Systems Important to Safety in Nuclear Power Plants (2000).
2. IEC 61226:2005, Nuclear power plants – Instrumentation and control systems important to safety – Classification of instrumentation and control functions.
3. Licensing of safety critical software for nuclear reactors: Common position of seven European nuclear regulators and authorised technical support organisations, Revision 2007.
5. Technical Guidelines for the design and construction of the next generation of nuclear pressurized water plant units, adopted during plenary meetings of the GPR and German experts on 19 and 26 October 2000.
6. The Tolerability of Risk from Nuclear Power Stations, HSE 1992, ISBN 0-11-886368-1.
7. The use of computers in safety-critical applications – Final report of the study group on the safety of operational computers, HSC 1998, ISBN 0 7176 1620 7.
Annex
Regulatory Issue RI-UKEPR-2 - Draft Regulatory Issue Actions
RI-UKEPR-2.A2 – Failure Independence between Safety (Class 1) and Other Systems Including Safety Related Systems (Class 2/3).

Discussion – See letter (paragraph 2) for discussion related to this action. EDF/Areva has not demonstrated that the UK EPR C&I design satisfies the following HSE SAPs: ERC.2 (O7), ESS.15, ESS.18 and ESS.20.

Action A2.1: EDF/Areva to review and explain the extent of information transmitted to the Teleperm XS (TXS) Protection System from non-F1A systems (e.g. permissives, vetoes and resets of automatically initiated F1 functions etc.).

Action A2.2: EDF/Areva to review and implement measures to ensure that the C&I systems' design meets HSE SAPs ESS.15, ESS.18 and ESS.20, and the security principle that there should be no communication to safety systems from safety related systems.

Action A2.3: EDF/Areva to demonstrate that electrical and functional isolation exists for interfaces to systems of different safety class.

Discussion – The Reactor Control, Surveillance and Limitation System (RCSL) and the Protection System (PS) are both based on the Teleperm XS platform, and as such there exists the potential for a common mode failure of both systems.

Action A2.4: EDF/Areva to explain why the potential for common mode failure of the RCSL and PS is not a concern (SAP ESS.18).
RI-UKEPR-2.A3 – Provision of Class 1 Manual Controls and Indications in the MCR and RSS.

Discussion – There are no Class 1 manual controls or indications in either the MCR or the RSS (cf. AP1000 and Sizewell B, which do have significant Class 1 manual controls and indications, including hardwired reactor trip). Note that the SICS is Class 2 (F1B/E1B) and that its interface to the Class 1 (F1A/E1A) protection system is via a communications bus (i.e. not hardwired). Manual operation of RT/ESFAS appears to be via the Class 3 (F2/E2) PAS. EDF/Areva has not demonstrated that the UK EPR C&I design satisfies the following HSE SAPs: ESS.3, ESS.8 and ESS.13.

Action A3: EDF/Areva to review the C&I architecture design to determine the reasonable practicability of providing Class 1 manual control and indication systems in the MCR and RSS (e.g. as for the OL3 and US EPRs, which have the TXS QDS that is not present in FA3 or the UK EPR).

* NB. The references in brackets following the identification of the SAPs in the above text are to Observations in HSE's Step 2 Report on EPR C&I.
Table 1