Replacing a safety-critical NPP control system

Nuclear power plants are fitted with equipment in current use at the time of design and construction. Inevitably, technology moves on and some of that equipment will in due course become obsolete.

Replacing obsolete systems is easier said than done because it may have significant implications for the plant’s safety case and cause lengthy and expensive outages.

Wood’s nuclear business recently completed a project to replace high-integrity control systems at Heysham 2 and Torness, UK nuclear power plants that were commissioned in the 1980s.

Code migration and testing was a key element of the changeover because of the risk that any issues affecting availability and functionality could cause loss of output.

At the two stations, the fuel route plant, including the fuelling machines, was controlled by a bespoke control and protection system known as Reypak, a programmable logic controller (PLC).

The Reypak system had become unreliable and obsolete and presented significant availability issues for the two stations because the fuel route systems are fundamental to the safe and reliable movement of fuel and components.

The strategy decided upon was to replace the Reypak sub-racks with Siemens S7-300 and S7-400 PLCs, communicating back to the existing Reypak main rack and application. This provided an immediate improvement in reliability while the longer task of code migration could be tackled.

To migrate the application code from Reypak S80 to Siemens Structured Control Language (SCL), Wood’s team developed an automatic code migration tool, which meant that the existing code did not need to be manually re-written, reducing risk and the potential introduction of latent errors. More significantly, this innovative and technically challenging solution preserved the years of development work invested in the existing code.

A process was created around the tool to verify and validate the migrated code, and the migrated application was then verified and validated against a dynamic plant model and test environment.

The tool and supporting process were successfully evaluated against the requirements to support the safety case and confirmed to support a safety case claim of 1 x 10^-1 pfd (probability of failure on demand).

For off-site testing, a dynamic plant simulation was developed allowing 100% off-site functional and interlock testing before delivery.

Having completed migration and off-site testing against the dynamic plant simulation, it was possible to reduce plant outage significantly by carrying out on-site installation and testing at the stations in a few days rather than the feared months or years.

Now, the lessons learned on the project are being applied elsewhere. Dawn James, Vice President for New Nuclear and Generation Services at Wood, explains: “The outcome for EDF Energy was improved reliability through to end of life and the removal of a major issue threatening generation. The solution resulted in months, if not years, of reduced plant downtime.

“For Wood, the project has developed a niche capability that is being applied to similar projects for EDF Energy and others.”
Ivor Yule, Wood

A longer version of this article appeared in Nuclear Engineering International