Simulation Assisted Automation Testing During Loviisa Automation Renewal Project

Topi Tahvonen*, Pasi Laakso**, Jens Wittig***, Klaus Hammerich****, Esa Maikkola*****

* Fortum Nuclear Services Ltd, POB 100, FI-00048 FORTUM, Finland (Tel. +358 40 826 2688, e-mail: [email protected])
** VTT Technical Research Centre of Finland, POB 1000, FI-02044 VTT, Finland (Tel. +358 20 722 5776, e-mail: [email protected])
*** Areva NP, POB 32 30, 91058 Erlangen, Germany (Tel. +49 9131 189 5097, e-mail: [email protected])
**** Siemens AG, Energy Sector, E F IE 39, Kaiserleistr. 10, 63067 Offenbach/Main, Germany (Tel. +49 69 807 3611, e-mail: [email protected])
***** Fortum Power and Heat Ltd, PL 23, 07901 LOVIISA, Finland (Tel. +358104555011, e-mail: [email protected])

Abstract: In simulation assisted automation testing, an automation system is connected to a process simulator that provides a realistic process response. Under these circumstances automation testing becomes intuitive, since the automation system can be operated as at the actual plant. Testing Station software has been developed to support simulation assisted automation testing. It provides tools for simulation control: the simulation can be started and stopped, initial conditions saved and loaded, and malfunctions launched and reversed. Furthermore, Testing Station is used to design the tests and to report their results. Simulation assisted automation testing has been used successfully during the automation renewal project of the Loviisa nuclear power plant. The APROS process simulation software has been used to implement the process model needed for the testing.

Keywords: Process simulators, Automatic testing, Nuclear plants

1. INTRODUCTION

An automation system must be thoroughly tested before it can be installed in the process plant. Simulation assisted automation testing provides a new way to execute tests that are impossible, hard to implement or expensive with traditional testing methods (Laakso et al. 2005). It is “virtual commissioning”: the automation system is installed on a simulated process plant, the I/O is checked, and tests are run on the automation system. In practice this means that tests which would otherwise be done during commissioning are already done in the test field and in factory acceptance tests (see Figure 1). Integral tests in particular require a realistic process response, which earlier was not available before the automation system had been installed at the plant. The development of simulation tools, automation system emulations and communication software has made simulation assisted testing more effective. As the latest step, the development of working methods and tools for simulation assisted automation testing has been started.
This document focuses on simulation assisted automation testing in the automation renewal project of the Loviisa nuclear power plants (Välisuo 2005). The Loviisa nuclear plants are nearly thirty years old and their current automation systems are becoming outdated: the number of automation component malfunctions is increasing and it is hard to get new spare parts. However, the process equipment of the plants is in good condition and does not prevent using the plants for decades. Consequently, it is possible to extend the lifetime of the plants considerably by renewing the automation system.
[Figure 1: V-model diagram. Recoverable labels: I&C system concept, Requirements specification, System specification, Detailed design, Implementation, System integration, Installation in simulated environment, Test field, FAT validation, SAT validation, System installation & commissioning, Plant commissioning, Commissioning tests; a band labelled "Simulation assisted testing" is drawn across the right-hand branch.]
Figure 1 V-model of the I&C system design life cycle (IEC & IEEE). Simulation assisted testing makes it possible to carry out, earlier in the life cycle, the kind of tests that are otherwise done during commissioning.

In simulation assisted automation testing a process simulator is connected to the automation system under test. A virtual copy of the automation system can be used, which means that the automation system is emulated and the automation application is run on a standard PC. The process simulator provides a realistic process response to the automation system. With this arrangement the automation system can be operated in the same way as at the actual plant. In consequence, simulation assisted testing is very intuitive: one can see on the operator displays whether the automation is working correctly or whether corrections are needed.

Simulation assisted automation testing is an addition to the more conventional tests that are done on the automation system. However, it is possibly the only reasonable way to test the automation system as a whole, so that the cross-dependencies between the different parts of the system are also taken into account. The initial data of the renewed automation system is thirty years old and largely hand-written; therefore it contains errors, it is not fully up to date, and some parts of it are difficult to interpret. The errors originating from the initial data can be discovered effectively by simulation assisted automation testing. The fewer errors there are in the automation system, the more reliable it is and the shorter the commissioning time will be. The shorter the commissioning time, the faster the plant is back in production.

Moreover, nuclear power plants are required to have a training simulator in order to train the operators. Therefore the simulator that corresponds to the new automation system has to be developed in any case. The same simulation model that is used in automation testing can also be used in the training simulator, so the additional cost of simulation assisted automation testing is low.

Simulator-aided automation testing has been used previously, e.g. in the Narva modernization project (Rinta-Valkama et al. 2000) carried out by Fortum Engineering in 1999 - 2000. During that project the simulator was used to test and tune the controllers, and logics were also tested to some extent. In consequence, the automation system had fewer errors before installation and the commissioning time was therefore shorter.

2. SIMULATION ASSISTED TESTING ENVIRONMENT

The process simulator contains models of the process, the measurements, and the field devices. The automation system is connected to the process simulator (see Figure 2) so that it acquires the measurement signals and sends control commands to the simulated field devices. With this arrangement the automation system controls the simulated field devices as it would control them at the actual plant, and it gets a realistic process response. When the automation system opens a valve, it gets the feedback from the simulated valve. Moreover, the opening of the valve causes other changes in the simulated process, including changes in measured signals that are transferred to the automation system; e.g. after a valve is opened, fluid starts to flow through it and the liquid level of a tank starts decreasing.

The scope of the process simulation model defines how large a part of the automation is included in the tests. The interconnections between the control loops are taken into account by the process simulation: the different controllers control the same process simulation model, and therefore their actions affect each other. The computing power and memory of the computer used to simulate the process model limit the scope and accuracy. The larger and more accurate the model is, the slower the simulation becomes. To speed up the simulation, the process model can be divided among several computers. A process simulation model that includes every essential process of the Loviisa nuclear plant can be simulated faster than real time on a standard desktop PC.

The automation system connected to the process simulator can be the actual system or a so-called virtual automation system (Kettunen and Paljakka 2006), i.e. computer software that is able to execute automation applications in the same way as the actual automation system. In addition, a virtual automation system implements the basic features typically needed in simulation, such as run/freeze and save/load of initial conditions. Normal process displays and control systems can be connected to the virtual automation, which often runs on a standard PC.
[Figure 2: block diagram. Testing Station (simulation control, design tests, report tests) exchanges simulation commands and process data with the automation system and the process simulator; the automation system controls the field devices in the process simulator and receives the process response.]
Figure 2 In the simulation assisted testing environment, the automation system controls the field devices that are simulated on the process simulator, from which it also gets a realistic process response.

In the Loviisa automation renewal project APROS (Advanced PROcess Simulator) (Juslin 2005a, b, Laakso et al. 2005) is used to model the process. APROS is a simulation software product of VTT Technical Research Centre of Finland and Fortum. It is meant for full-scale modeling and dynamic simulation of industrial processes. It provides tools, solution algorithms and model libraries of generic components suitable for various purposes such as design, analysis and training. These tools enable full-scale modeling and simulation of a power plant, including its automation and electrical systems.

The total simulation system meant for testing or training usually contains many separate components that need to be managed simultaneously. Typical components include the process simulator, the virtual automation system, communication software and operator displays. Testing Station visualizes the state of the different components and gives simultaneous simulation control commands such as start and stop to all components. Testing Station also takes care of time synchronization between the process simulator and the virtual automation system. In addition, Testing Station can be used to launch and reverse malfunctions that are implemented in the simulator.

Testing Station (Tahvonen 2006) provides tools to design, organize, execute and report tests. When designing a test, the user selects the variables of the process simulator and the automation system that are stored during the test, selects an initial condition, and creates a simulation sequence that defines what happens during the test. The simulation sequence (see Figure 3) may include e.g. malfunctions or operator commands. In addition, the length of the test run is defined in the simulation sequence. Together with an initial condition, the simulation sequence defines a test run unambiguously, provided that the communication between all components and Testing Station is synchronized. In consequence, the test run is fully repeatable.

During the tests, information is passed to Testing Station from the process simulator and the virtual automation so that the results of the test run can be analyzed. Testing Station provides trending tools for on-line and off-line visualization of the results. Furthermore, it provides tools for comparing the results of test runs and for reporting test runs and comparison results. The report contains information about the process model and the automation system that were used, as well as figures of the simulation sequence and trends.

Figure 3 Example of a simulation sequence used in automation testing. The simulation sequence defines what happens during a test run.

Usually two methods are used to analyze the results of the tests. One is comparison against reference data: the data that the simulator produces during a test run is compared to reference data stored during previously executed test runs, possibly with a different automation application. The reference data has to be verified before it is used. If the data obtained from the test run is close enough to the reference data, the test can be approved. The other way to analyze a test is a qualitative method: the way the automation system should work is described in the functional specification, and the result of the test run is compared to that specification. For example, it can be checked that liquid levels do not oscillate and stay within acceptable limits, that pumps have been started, and that valves have been opened as described in the functional specification.
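The two analysis methods just described, together with the idea that an initial condition plus a simulation sequence defines a repeatable test run, can be illustrated with a small script. The following is an added example written for this page; it is not Testing Station, APROS or ACL code and makes no claim about their interfaces. A toy tank-and-valve model stands in for the process simulator, a proportional level-control rule with a high-level pump protection stands in for the automation application, and every limit, tolerance and number is constructed for the illustration.

```python
"""Added illustration of simulation assisted test analysis (not Testing Station,
APROS or ACL code). A toy tank/valve model plays the process simulator, a level
controller plays the automation application, and a simulation sequence of timed
events drives a repeatable test run. The trace is then checked against reference
data (quantitative) and against functional-specification limits (qualitative).
Every tag, limit and number below is constructed for the example."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Process:
    """Minimal process model: a tank filled by a feed pump and drained by an outlet valve."""
    level: float = 50.0        # tank level in %, part of the initial condition
    valve_cmd: float = 0.0     # command written by the automation, 0..1
    valve_pos: float = 0.0     # feedback from the simulated field device
    valve_stuck: bool = False  # malfunction flag: actuator ignores the command
    pump_on: bool = True

    def step(self, dt: float) -> None:
        """Advance the simulated process by dt seconds."""
        if not self.valve_stuck:      # field device follows the command unless it is stuck
            self.valve_pos = self.valve_cmd
        inflow = 2.0 if self.pump_on else 0.0   # %/s
        outflow = 4.0 * self.valve_pos          # %/s at full opening
        self.level = max(0.0, min(100.0, self.level + (inflow - outflow) * dt))


def level_controller(p: Process, setpoint: float = 50.0, gain: float = 0.2) -> None:
    """Automation application: proportional level control through the outlet valve
    plus a protection action that stops the feed pump on high level."""
    p.valve_cmd = max(0.0, min(1.0, 0.5 + gain * (p.level - setpoint)))
    p.pump_on = p.level < 90.0


@dataclass
class SimulationSequence:
    """What happens during a test run: its length and timed events
    (malfunctions or operator commands keyed by simulation time in seconds)."""
    duration: float
    events: Dict[float, Callable[[Process], None]] = field(default_factory=dict)


def run_test(seq: SimulationSequence, initial_condition: Callable[[], Process],
             controller: Callable[[Process], None] = level_controller,
             dt: float = 0.5) -> List[float]:
    """Initial condition + sequence define the run unambiguously, so the stored
    level trace is repeatable: the same inputs always give the same trace."""
    p = initial_condition()
    trace: List[float] = []
    for i in range(int(round(seq.duration / dt)) + 1):
        t = round(i * dt, 6)
        if t in seq.events:       # launch the scheduled malfunction / operator command
            seq.events[t](p)
        controller(p)             # automation reads the measurement and writes a command
        p.step(dt)                # simulator produces the process response
        trace.append(round(p.level, 4))
    return trace


def compare_to_reference(trace: List[float], reference: List[float], tol: float) -> bool:
    """Quantitative check: every stored sample is within tol of verified reference data."""
    return len(trace) == len(reference) and all(
        abs(a - b) <= tol for a, b in zip(trace, reference))


def check_against_spec(trace: List[float], low: float, high: float,
                       max_reversals: int) -> Dict[str, bool]:
    """Qualitative check against a (hypothetical) functional specification:
    the level stays inside its limits and does not oscillate."""
    deltas = [b - a for a, b in zip(trace, trace[1:]) if b != a]
    reversals = sum(1 for a, b in zip(deltas, deltas[1:]) if (a > 0) != (b > 0))
    return {"in_limits": all(low <= x <= high for x in trace),
            "no_oscillation": reversals <= max_reversals}


def initial_condition() -> Process:
    """Constructed initial condition: tank at 50 %, valve healthy, pump running."""
    return Process()


def valve_stuck_closed(p: Process) -> None:
    """Constructed malfunction: the outlet valve sticks in the closed position."""
    p.valve_stuck = True
    p.valve_pos = 0.0


NOMINAL = SimulationSequence(duration=5.0)
VALVE_FAILURE = SimulationSequence(duration=40.0, events={10.0: valve_stuck_closed})


if __name__ == "__main__":
    reference = run_test(VALVE_FAILURE, initial_condition)   # would be verified by operators
    print("repeatable:", run_test(VALVE_FAILURE, initial_condition) == reference)
    print("spec checks:", check_against_spec(reference, 10.0, 95.0, 0))
    modified = run_test(VALVE_FAILURE, initial_condition,
                        controller=lambda p: level_controller(p, setpoint=60.0))
    print("modified automation within tolerance:", compare_to_reference(modified, reference, 0.5))
```

Running the block repeats the valve-failure run and shows that the trace is identical (repeatability), applies the limit and oscillation checks drawn from the hypothetical specification (the level rises after the valve sticks and the pump protection holds it at 90 %), and shows that a modified automation application (here a changed setpoint) falls outside the tolerance of the reference data. That last comparison is the same mechanism the conclusions describe for automatic testing of modifications to already commissioned automation.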
3. CASE LOVIISA

The Loviisa automation renewal project (Välisuo 2005) is planned to take place in four stages. In the first stage the automation system of the auxiliary processes, e.g. the water treatment plant, is renewed. The preventive protection system, which includes e.g. the slow and fast shut-down of the reactor, is also renewed in stage one. The reactor protection system is renewed in stage two. The automation systems of the primary and secondary circuits are renewed in stages three and four respectively. The automation is renewed so that its functionality mainly does not change. The Areva Siemens consortium delivers the renewed automation system to the Loviisa plant, which is owned by Fortum. This chapter discusses experiences of simulation assisted automation testing in stage one of the Loviisa automation renewal project.

3.1 Organization

Simulation assisted testing was done in collaboration between the customer and the supplier. The collaboration was a prerequisite for successful testing, because knowledge of the automation system, the process and the process simulation was all needed. Fortum provided the process simulator and the simulation control tools for simulation assisted testing, and therefore an expert from Fortum was present throughout the tests. An automation system expert from Siemens or Areva was also present throughout the tests. Later, when most of the problems with the testing environment had been solved, experienced operators from the plant participated in the automation testing.

When unexpected behavior of the system was found, it was reviewed to find out whether the cause was an error in the automation system or in the simulation model. Sometimes there were also errors in the functional design documents that were used as initial data to implement the automation system; then the correct information was checked from the plant, if possible. Small changes to the automation system were accepted by a Fortum automation designer. Changes that affected the functionality of the automation system went through the change work procedures of the Loviisa nuclear plant.

3.2 Testing of Water Treatment Plant Automation

The renewed automation system of the water treatment plant was tested with the simulator by using a virtual copy (Kettunen and Paljakka 2006) of the T2000 automation system (Siemens Power Generation 2008). This means that the automation code is compiled and executed on a standard PC. Therefore simulation assisted automation testing could be started before the automation cabinets were even ready. When the cabinets were ready and conventional testing of the automation system was started, simulation assisted testing was done in parallel with the conventional testing. The virtual automation was connected to the process simulator by using the Apros Communication Library (ACL) (APROS documentation 2008). ACL is based on TCP/IP, and therefore the virtual automation and the process simulation could run on different PCs.

3.2.1 Test Cases

Normal use cases were a good starting point for designing the tests, because simulation assisted automation testing is in practice operating the system and checking that it works correctly. Start-up and shut-down programs were logical choices as test cases: if they work, a large part of the automation system works. Other cases were smaller and related to some specific part of the automation, e.g. the change-over automation of redundant pumps. In addition to the normal use cases, the fault tolerance of the automation system was tested. Malfunctions were launched on the simulated process devices and measurements, or unusual process states were created, e.g. a blockage in a pipe. In these situations some protection automation or redundancy should be activated.

3.2.2 Evaluation

The automation system was evaluated against the initial data: functional diagrams, descriptions of measurements and circuit diagrams. The virtual automation system had similar tools to the actual automation system. Signal values could be monitored with dynamic function diagrams. In addition, the stimulated OM690 operating and monitoring system provided the same error messages and warnings that would also appear at the real plant. When such errors appeared during normal operation of the plant, obviously something was wrong. In addition, the automation system was implemented on the process model using the automation components of APROS (APROS documentation 2008), and the planned tests were run on that implementation as well. Its test results were validated by licensed operators from the plant. When the tests were run on the actual automation system, the results were compared against the reference data obtained from the tests with the APROS automation. If big differences between the reference and test data were detected, the reasons were investigated.

3.2.3 Results

Several corrections were made to the automation system of the water treatment plant based on the results of simulation assisted automation tests. Corrections were made to measurement limit values, change-over automation parameters, plant start-up and shut-down sequences, and operator displays. In addition, the controllers were tuned. Figure 4 shows the liquid level of the evaporator during the start-up sequence of the plant. After tuning the controllers, the start-up sequence finished much faster than before tuning. The errors found in the automation system during simulation assisted testing did not have any clear common factor. Some errors originated from faulty initial data or misinterpretation of it, and other errors were the result of human error.
[Figure 4: trend plot of tag TR30L001. Time axis 00:06:40 to 02:20:00; vertical axis 0.00000 to 600.000; series: APROS, T2000, T2000 after tuning.]
Figure 4 Example of a trend used during automation testing. The trend is the liquid level of the evaporator during the plant start-up sequence. The APROS automation implementation is compared to the virtual copy of T2000.

3.3 Testing of Preventive Protection System

The renewed preventive protection system of the Loviisa nuclear plant is implemented with TXS (Richter and Wittig 2003) by Areva. The communication method between the process simulation and the automation system is slightly different from the method used with T2000. The virtual copy of TXS was connected to APROS by using it as an external model of APROS (APROS documentation 2008), which means that it can directly read and write variables of the APROS process model. This method also made it possible to connect the real automation cabinets to APROS by using the ERBUS interface (Richter and Wittig 2003). The actual simulation assisted tests on the preventive protection system were done with the real automation hardware.

3.3.1 Test Cases

The preventive protection system is designed to limit reactor power in case neutron-physical or process parameters deviate from the values set for normal operation. Thus the test cases were selected so that process states which should activate the preventive protection system are reached on the process simulator. The selected tests were primary circulation pump trips, primary circulation pump trips with a malfunction in the reactor power limitation system, and manual fast reactor shutdown. In addition, it was tested how the automation system worked when the turbine load was changed.

3.3.2 Evaluation

The preventive protection system was also implemented on the process model by using APROS automation components (APROS documentation 2008). The APROS implementation was validated against the Loviisa training simulator. The planned tests for the preventive protection system were run with the APROS implementation, and process data was collected during the tests. The same tests were run on TXS when it was connected to APROS. The test results were analyzed by comparing them with the results of the tests with the APROS implementation. When differences were detected, the reasons for them were thoroughly investigated.

3.3.3 Results

A few corrections were made to the preventive protection system based on the results of simulation assisted automation testing. The corrections involved the user interface, the hysteresis of the reactor temperature measurement, and a small change to the reactor shut-down signal displayed on the operator terminal. Figure 5 shows neutron power during a test where three primary circulation pumps were tripped and a malfunction was launched on the reactor power limitation system. Fast reactor shutdown was activated due to high reactor outlet temperature. Based on the test, the hysteresis of the reactor temperature measurement was changed.
[Figure 5: trend plot of neutron power. Time axis 00:00:00 to 00:10:00; vertical axis 25.0000 to 100.000; series: APROS, TXS with hysteresis of 2.5°C, TXS with hysteresis of 1.0°C.]
Figure 5 Example of a trend used during automation testing. During the test, three primary circulation pumps were tripped and a malfunction was launched on the reactor power limitation system. The trend is the neutron power of the reactor. The APROS automation implementation is compared to the actual TXS.

3.4 Lessons learned

Errors of automation design can be found during simulation assisted automation testing. Therefore good practices are needed to handle changes in the automation. The changes must be reviewed in collaboration with the personnel of the plant so that all safety-related aspects are also taken into account. However, the review process must be quick enough for the work to proceed effectively during testing. The help of experienced operators is essential during simulation assisted automation testing. They know how the process and the automation should work, and therefore they can detect abnormal situations quickly. For such situations it is important to be able to repeat the test run in order to investigate the problem more closely.

4. CONCLUSIONS

“Virtual commissioning” describes simulation assisted automation testing perfectly: the automation system is commissioned on the simulated process plant, and corrections are made to the system during it. The variety of the errors found during simulation assisted automation testing of the Loviisa nuclear plant automation convinces us that the method is an effective way to test automation systems. Even errors that would be very difficult to find by other means can be found. Errors that originate from faulty initial data can be found when the automation system gets a realistic process response. In addition, the functionality of the controllers would be hard to verify without a process response. The operational safety review of Loviisa by the IAEA points out that simulation assisted automation testing is a good practice (Division of Nuclear Installation Safety 2007).

Besides functional testing of the automation, the simulation assisted testing environment is also used to pre-tune controllers. This sets high demands on the accuracy of the process model. Therefore, if the accuracy of the process model cannot be guaranteed, the controllers should not be tuned very tightly. However, with the simulator it can easily be seen whether the control parameters are far from the correct ones.

Repeatability of the tests is an important feature of the testing environment. If some incorrect functionality is discovered while testing the automation system as a whole on the system level, there has to be a way to search for the starting point of the incorrect functions. When the tests can be easily repeated, one can always go back to the points in the simulation where more attention is needed. Simulation sequences offer a solution to repeatability: with a simulation model and a simulation sequence the test run is unambiguous. In consequence, automatic testing of modifications to already commissioned automation is possible. A set of tests is run with the simulator after the modifications, and the results are compared to the results of the same tests run before the modifications, to quickly verify that the automation system is working correctly.

Prospects for simulation assisted automation testing are bright. Accurate process simulation models can be built entirely from engineering data (Kettunen and Paljakka 2006). Therefore process simulators could be used as a tool in automation design: the automation designer could test different control concepts with the simulator before deciding which one to use. In the future, when automation design tools become more and more flexible, online changes to the logics of the automation system would make simulation assisted automation testing faster and more effective.
REFERENCES

Anonymous (2008), APROS documentation.
Division of Nuclear Installation Safety (2007), Report of the OSART (Operational Safety Review Team) Mission to the Loviisa Nuclear Power Plant, 5−21 March 2007, IAEANSNI/OSART/07/139, p. 91.
Kettunen, A., and Paljakka, M. (2006), Process Simulation in Power Plant Design, Proceedings of SIMS 2006 – the 47th Conference on Simulation and Modelling, Helsinki, Finland.
Juslin, K. (2005a), Large Scale User-Oriented Simulations, APROS Infopackage, publicly available from Fortum or VTT.
Juslin, K. (2005b), A Companion Model Approach to Modelling and Simulation of Industrial Processes, Dissertation for the degree of Doctor of Technology at Helsinki University of Technology, VTT Publications 574, Espoo, Finland.
Laakso, P., Paljakka, M., Kangas, P., Helminen, A., Peltoniemi, J., and Ollikainen, T. (2005), Methods of simulation-assisted automation testing, VTT Tietopalvelu, Espoo, Finland.
Richter, S., and Wittig, J. (2003), Verification and Validation Process for Safety I&C Systems, Nuclear Plant Journal, Volume 21 No. 3, Blayais, France.
Rinta-Valkama, J., Välisuo, M., Karhela, T., Laakso, P., and Paljakka, M. (2000), Simulation Aided Process Automation Testing, Proceedings of IFAC’s Conference on Computer Aided Control System Design (CACSD), University of Salford, UK, September 11 - 13 2000, p. 277-280, Elsevier Science.
Siemens Power Generation (2008), Power Plant Operator Software Solutions, viewed 21st November 2008.
Tahvonen, T. (2006), Methods and Tools for Simulation Assisted Process Automation Testing, Master’s thesis, Helsinki University of Technology, Department of Engineering Physics and Mathematics, Espoo, Finland.
Välisuo, M. (2005), Renewal of the I&C systems of NPP Loviisa, presented at the IAEA technical meeting Implementing and Licensing Digital I&C Systems and Equipment in NPPs, November 22-24, 2005, Technical Research Centre of Finland, Espoo, Finland.