The list of functions to be implemented via the ELSA project was clear from the beginning, but the architecture design has been a long journey.
The conceptual design included drafting the list of systems and the preliminary interfaces between them.
Two important questions were raised during the early design phases:
- What level of diversity for the reactor trip system (RTS)?
- Do we use the Rolls-Royce proprietary safety network widely or do we prefer the use of hardwired connections?
The advantages and drawbacks of all possible solutions were balanced during several brainstorming sessions, but we were able to arrive at these design principles:
- A non-safety diverse automatic backup of RTS is enough if an SC (Safety Classification) 3 diverse manual backup is available. (Finland employs three classifications, in descending order of stringency: SC2, SC3 and NS (Non-Safety).) An SC3 automatic backup would have been better, but it would have required the licensing of another SC3 platform, most probably not software-free. The manual backup is simple enough to be implemented on a simple hardwired platform, reducing the licensing risk compared with an additional software-based platform. The credibility of the manual backup of RTS is proven by accident analyses showing that the human operator has sufficient time to react in the most likely accident cases, including those combined with an RTS common cause failure (CCF). For unlikely cases where fast action is needed together with RTS CCF, NS classification is enough for the automatic backup.
- Intensive cabling between channels was not considered practicable for an existing plant, where cable trays and penetrations were not designed for a four-channel architecture. It was decided that the licensing effort required for a safety network was more reasonable than pulling several tens of kilometers of cables just for voting logic. The network is thus mainly used for communication between channels of the same system and between systems, making use of the characteristics of the Rolls-Royce NERVIA network, designed for nuclear applications.
In the beginning, there was no plan as to how to implement the functions on site, except that everything should be finished in 2018.
The decision was made to implement the SC2 systems last, to allow enough time for the licensing and certification of the Spinline platform. The starting point would be several SC3 functions to be implemented in 2016, within the PAIS (Preventative Actuation and Indication System), which includes renewal of the reactor boiling margin calculation system and new preventative functions for both the primary and secondary sides. Starting with one system of a less stringent safety classification provided a training opportunity for both the Rolls-Royce and Fortum teams, without taking excessive risks with such a tight schedule.
The need for diversity, together with the three-phase approach, resulted in the breakdown structure for the project shown in the block diagram above.