Available online at www.sciencedirect.

com

Nuclear Energy and Technology 3 (2017) 302–306

www.elsevier.com/locate/nucet

New generation refueling machine information and control system

V.V. Korobkin a,∗, V.P. Povarov b
a ResearchInstitute of Multiprocessor Systems named after the academician A.V. Kalyaev of the Southern Federal University, 2 Chekhov st.,
GSP284 Taganrog 347928 Russia
b Branch of JSC “Concern Rosenergoatom” “Novovoronezh Nuclear Power Plant” 1 Promyshlennaya zona Yuzhnaya, Novovoronezh,

Voronezh reg. 396072 Russia

Available online 29 November 2017

Abstract
The main distinctive feature in the creation of the new nuclear fuel handling complex at the Novovoronezh NPP is the deep integration
of the information and control system (ICS) and the electrical equipment complex of the refueling machine (RM) into a single complex. The
structure of the multi-level multi-processor and multi-network ICS provides high fault-tolerance and functional safety and fully corresponds
to the principle of no single point of failure, even when operating in single-channel mode. Control of the RM during refueling is carried
out with the participation of a human operator, who is supported by an intelligent interface. The operator makes decisions on certain actions
to control the RM and the complex as a whole, monitors the control process and takes decisions on preventing abnormal or emergency
situations.
In fact, the ICS is a distributed system that implements the entire control cycle and contains information, processing and control parts.
In each part, communication devices realize data connections between the components on the entire graph or on a common bus.
The development result is a new generation RM ICS that differs from the existing ones by innovative methodical, algorithmic, hardware–
software and design-technological solutions, which reduce the time and increase the safety of nuclear fuel handling in VVER reactors. At
the same time, the introduction of the RM ICS increases the installed capacity utilization factor (ICUF) of the power unit by about 1.66%,
which ensures additional electricity generation and supply for consumers.
Copyright © 2017, National Research Nuclear University MEPhI (Moscow Engineering Physics Institute). Production and hosting by
Elsevier B.V. This is an open access article under the CC BY-NC-ND license. (http://creativecommons.org/licenses/by-nc-nd/4.0/)

Keywords: Information and control system; Nuclear power plant; Functional safety; Nuclear fuel; Refueling machine; Decentralization of control functions;
Single failure; Human factor.

Introduction cess of creating a unified fuel handling system at NPPs in

At present, the Russian NPP power units (except for the
Kalinin NPP, Unit 3) are using control systems based on ob-
solete computing means, the resource of which has been com-
pletely exhausted. Taking into consideration the design fea-
tures of the refueling complex [1] and modern requirements
for nuclear fuel handling operations in terms of control, mon-
itoring and safety, an integral approach is required to the pro-
∗ Corresponding author.
E-mail addresses: vvk@niimvs.ru (V.V. Korobkin),
PovarovVP@nvnpp1.rosenergoatom.ru (V.P. Povarov).
Peer-review under responsibility of National Research Nuclear University
MEPhI (Moscow Engineering Physics Institute).
Russian text published: Izvestiya vuzov. Yadernaya Energetika (ISSN
0204–3327), 2017, n.3, pp. 98–107.
accordance with the prescribed regulations. The main compo-
nent of this complex is the refueling machine (RM), which is
directly used for fuel handling operations at a shutdown and
open VVER reactor during planned preventive maintenance
[2,3].
The previous experience of creating RMs shows that, de-
spite scrupulous compliance with safety requirements in de-
signing and manufacturing equipment intended for nuclear
hazardous operations, the control system, electrical equipment
and mechanical parts were developed and manufactured by
different organizations without proper mutual coordination,
which subsequently led to unjustified time and, as a conse-
quence, economic costs.
That is why the main distinctive feature in the design of
the new nuclear fuel handling complex is the deep integration

https://doi.org/10.1016/j.nucet.2017.11.005
2452-3038/Copyright © 2017, National Research Nuclear University MEPhI (Moscow Engineering Physics Institute). Production and hosting by Elsevier
B.V. This is an open access article under the CC BY-NC-ND license. (http://creativecommons.org/licenses/by-nc-nd/4.0/)
 V.V. Korobkin, V.P. Povarov / Nuclear Energy and Technology 3 (2017) 302–306
Fig. 1. RM ICS generalized structure.
of the information and control system (ICS) and the electri-
cal equipment complex of the refueling machine (RM) into a
single complex that takes into account all the constructional
and operational features of the RM mechanical part [4]. This
integration became possible due to the use of innovations in
technical devices and technologies. First, there have appeared
intelligent sensors that can be integrated into industrial sen-
sory data transmission networks and reconfigured depending
on the operating conditions. Second, modern frequency con-
verters (inverters), in addition to direct engine control, have
the ability to perform the function of controlling the local
mechanism (drive) and be integrated into industrial control
networks. New information technologies make it possible to
use a combination of modern means and methods of collect-
ing information to obtain new quality information about the
condition of an object or process, algorithms for processing
this information and taking decisions on controlling the RM
on this basis. At the same time, it became possible to si-
multaneously take into account the RM condition for various
and numerous groups of parameters, the control system hard-
ware/software condition, etc., on a real-time basis.
The paper presents the conceptual design of the new RM
ICS based on the latest achievements in producing hardware
components and information technologies.
The ICS has a multi-processor distributed two-channel
structure that ensures compliance with the fault-tolerance re-
quirements in case of independent information and control
functions. Intelligent software allows performing a real-time
analysis and processing of incoming information from RM
sensors, making decisions to prevent accident conditions dur-
ing refueling caused by the personnel or technical failures,
and predicting the initiation of subcritical or critical operat-
ing modes.
New RM ICS conceptual design
The most important requirements for the nuclear fuel
handling procedures remain accuracy, reliability, and safety
303
[5–9]. Therefore, for innovative Units 1 and 2 of the NVNPP
II with a VVER-1200 reactor, a new information and control
system for the RM was developed, manufactured, tested and
implemented. This system has a multi-level multi-processor
and multi-network structure (Fig. 1). This structure ensures
compliance with the fault-tolerance and safety requirements,
which fully corresponds to the principle of no single point of
failure, even when operating in single-channel mode [10].
The ICS is built on the basis of modern industrial automa-
tion and computer facilities using new information technolo-
gies, the general tasks of which are as follows:
- Ensuring maximum functional safety in nuclear fuel han-
dling operations and conducting maintenance and preven-
tive works.
- Providing flexible equipment control.
- Providing optimal information support for the “human-
machine” dialogue for efficient control.
The ICS, in general, operates in automated mode [11],
since the process of controlling a complex technical object
involves a human operator (one or more), who often decides
on various actions to control the RM and the complex as a
whole monitoring of the control process and makes decisions
on preventing abnormal or emergency situations. The commu-
nication between the operator(s) and the ICS is carried out
via the human–machine interface of the operator terminal.
The wide use of the function of automated decision sup-
port (Fig. 2) makes it possible to significantly undercut the
influence of the so-called “human factor” on the control pro-
cess, reduce the number of errors, and often exclude them
when making decisions, i.e., improve the facility safety [12].
The functional safety principle is realized by the use of
technical means localizing the development of unfavorable
processes both in the ICS and in the RM in the event of
faults and protecting the RM from issuing the wrong control
actions to counteract the development of a dangerous failure
and transfer the system to a protected state. For these pur-
304 V.V. Korobkin, V.P. Povarov / Nuclear Energy and Technology 3 (2017) 302–306
Fig. 2. Functional diagram of the MR ICS operator support.
poses, monitoring and diagnostic devices are used that eval-
uate the values of the ICS output signals, signals from the
control object condition sensors and the values of special di-
agnostic features.
An important aspect of ensuring the ICS operation safety is
increased fault-tolerance realized by reserving the most crit-
ical elements, i.e., control devices, sensors, information ex-
change buses, etc.
The use of duplication (as a special case of reservation)
leads to the construction of a distributed system. The ICS as
a distributed system has the following advantages:
- Ability to process data directly at the points of their re-
ceipt (e.g., when obtaining one value as a result of pro-
cessing the data of a set of sensors, when receiving one
record from the database, etc.) and minimize information
exchange.
Fig. 3. Control cycle diagram.
- Ability to perform multiple calculations, allocated to indi-
vidual tasks, which can be performed in parallel on differ-
ent computing devices (nodes).
- Flexible management of computing resources, which pro-
vides an optimally distributed computational load even in
the event of failures of the ICS nodes.
In addition to high fault-tolerance, the distributed ICS ar-
chitecture provides high efficiency and fully corresponds to
the control task [13]; while a typical control cycle (Fig. 3)
contains the following components:
- Primary and secondary processing of information on the
RM functioning obtained from the sensors.
- Automatic verification that all the values of the operation
parameters are within their specifications: if all the param-
eter values are within the limits set by their specifications,
the RM operates normally; otherwise, if at least one value
goes beyond the limits of the specifications, an abnormal
situation occurs, and managerial decisions must be taken
to enter all the indicators within the specified limits: for
this, a set of all possible solutions should be formed.
- Selection of solutions to enter all the parameter values
within the specified limits using the mathematical model
of the RM functioning.
- Selection of the optimal solution with the help of the math-
ematical model of the RM functioning.
- Formation of control commands and issuance of control
actions.
RM ICS generalized architecture
The considered conceptual provisions make it possible to
determine the composition of the RM ICS generalized archi-
tecture (Fig. 4). The main components here are information
sources (IS), communication devices (CD) providing informa-
 V.V. Korobkin, V.P. Povarov / Nuclear Energy and Technology 3 (2017) 302–306 305

Fig. 4. RM ICS distributed architecture.

tion exchange at various control levels, computing units (CU),

human–machine interface, controllers (C) and actuators (A).
The distributed RM ICS, implementing the control cycle
described above, contains information, processing and control
parts. In each part, communication devices realize data con-
nections between the components on the entire graph [14] or
on a common bus.
This architectural solution of the RM ICS makes it pos-
sible: first, to provide the possibility of increasing fault-
tolerance due to the decentralized control functions of the
information-computation process in each of the parts; sec-
ond, to build the RM ICS on the basis of unified means
of microelectronic and computer technologies; third, to op-
timize the software/hardware composition and, providing
fairly quick access to distributed structured and unstructured
data. Fig. 5. New generation MR ICS for Novovoronezh NPP II Units 1 and 2.
Therefore, the ICS has a multi-processor distributed two-
channel structure that ensures compliance with the fault-
tolerance requirements in case of independent information and the inverters, reconfiguration into single-channel mode occurs,
control functions. The system operates in two-channel mode, when the remaining inverter is alternately connected to one of
providing control commands by “two out of two” logic and the drives depending on the current algorithm for controlling
protections and interlocks by “one out of two” logic, or in the RM mechanisms in automated, step-be-step or manual
single-channel mode if one of the channels fails. The channels operating modes.
operate in parallel, independently and synchronously, which
makes it possible to compare the results of their operation
and, in the event of an error in the operation of one of the RM ICS functional capabilities
channels, lock out the transmission of a control action. In
the event of hardware problems in one of the channels, it is Fig. 5 shows a photograph of the new generation RM ICS,
possible to continue the system operation in a single-channel which is distinguished by innovative methodical, algorithmic,
configuration (see Fig. 1) provided that the channels of di- hardware–software and design-technological solutions, which
agnostics, protections and interlocks remain operational in a reduce the time and increase the safety of nuclear fuel han-
routine (automated, step-by-step, manual) mode. At the same dling operations, including:
time, the electrical equipment of the RM ISC also allows
operation in the mode (using two channels of the electrical - RM ICS hardware and software that provide parallelization
equipment) when each RM mechanism is connected to its in- of procedures for solving the tasks of controlling the RM
verter (frequency converter). In the event of failure of any of mechanisms as well as automatic fault diagnosis and redis-
306 V.V. Korobkin, V.P. Povarov / Nuclear Energy and Technology 3 (2017) 302–306
tribution of computing resources in case of fault detection,
which increases the functional speed and fault-tolerance.
- New system and application software of the RM ICS [15],
which implements monitoring, control and safety proce-
dures for the refueling process as well as a “friendly”
human–machine interface to minimize the risks of person-
nel errors.
- Adopted algorithm for controlling RM mechanisms mini-
mizing their movements in the refueling process with ac-
count of the imposed constraints, and optimizing the move-
ment speed rates of individual RM mechanisms in different
service areas of the reactor and spent fuel pool.
- Mode of setting up and preparing the task (refueling pro-
gram) for the initial preparation of data on the RM working
area, fuel cell coordinates, fuel assembly location, etc. Fur-
ther, based on these data, a refueling program is compiled
and introduced into the system.
ICS operators controlling the refueling process are respon-
sible for the decisions made; therefore, when developing the
complex, it is especially important to ensure convenience of
using the system. Due to the careful development of the user
interface, it is possible to reduce the risk factor of perform-
ing an unauthorized command as a result of operator errors.
However, besides this, there is a risk of failures related to
external influences. To avoid failures caused by the above
reasons, when developing software, methods of invariant pro-
gramming were used. Additionally, the system has a built-in
consistency check mechanism.
Conclusion
Due to the deep integration of software and hardware and
electrical equipment, the RM ICS of the Novovoronezh NPP
II has fully implemented two control channels, which makes
it possible to increase the safety of nuclear fuel handling oper-
ations and reduce the unproductive downtime while refueling
during planned preventive maintenance at the NPP. The intro-
duction of the RM ICS increases the ICUF of the power unit
by about 1.66%, which provides additional electricity gener-
ation and supply for consumers.
References
[1] S.A. Andrushechko, A.M. Afrov, B.Y. Vasilyev, V.N. Generalov,
K.B. Kosourov, Y.M. Semchenkov, V.F. Ukraintsev, NPP With
VVER-1000. Starting from Operation Principles to Design Evolution,
Logos Publ., Moscow, 2010, p. 603. (in Russian).
[2] I.A. Kalyaev, V.V. Korobkin, V.F. Bayuklin, A.N. Shkarovsky, Nuclear
Power Plants. Twenty Years After the Accident at the Chernobyl Nu-
clear Power Plant, JSC Concern Rosenergoatom Publ., Moscow, 2006,
pp. 246–250. (in Russian).
[3] I.A. Kalyaev, V.V. Korobkin, A.P. Kukharenko, V.V. Makeev, V.P. Po-
varov, K.Y. Rumyantsev, Innovatsii 10 (97) (2006) 65–68 (in Russian).
[4] A.A. Avdeev, A.M. Kobelev, V.V. Korobkin, D.V. Zhilnikov,
S.M. Yefremov, M.E. Pinchuk, S.A. Marchenko, Integral (51) (2010)
28–33 (in Russian).
[5] N.N. Makarov, Sistemy obespecheniya bezopasnosti funktsionirovaniya
bortovogo ergaticheskogo kompleksa: teoriya, proyektirovaniye, prime-
neniye (Systems to Ensure the Safety of the On-Board Ergatic Complex:
Theory, Design, Application), Mashinostroyeniye-Polyot Publ., Moscow,
2009, p. 760. (in Russian).
[6] K. Sonami Arun, Simplified phased-mission system analysis for system
with independent component repairs, NASA, 1996.
[7] , Federal Rules and Regulations in the Field of Atomic Energy Use,
Rostekhnadzor Publ., Moscow, 2015 (in Russian).
[8] V.A. Ostreykovsky, Shvyryaev Y.V., Safety of Nuclear Power Plants.
Probabilistic Analysis, Fizmalit Publ., Moscow, 2008, p. 352. (in Rus-
sian).
[9] Fedosovsky M.Y., G.A. Fokin, V.I. Gumenyuk, Nauchno-tekhnicheskiye
vedomosti SPbGPU 2 (78) (2009) 98–102 (in Russian).
[10] I.A. Kalyaev, V.V. Korobkin, E.V. Melnik, M.V. Khisamutdinov, Meth-
ods and Means to Improve Safety and Reduce the Time of Operations
With Nuclear Fuel at NPPs With VVER-1000 Reactors, Southern Fed-
eral University Publ., Rostov-na-Donu, 2014, p. 208. (in Russian).
[11] NP-026-16, Requirements for Safety-Critical Control Systems of Nu-
clear Power Plants, Federal Rules and Regulations in the Field of
Atomic Energy Use, Rostekhnadzor Publ., Moscow, 2016 (in Russian).
[12] N.A. Abramova, K.S. Ginsberg, D.A. Novikov, The Human Factor in
Management, KomKniga Publ., Moscow, 2006, p. 496. (in Russian).
[13] V.V. Korobkin, O.L. Sesekin, A.N. Tashlykov, A.G. Chentsov, Rout-
ing Methods and Their Applications in the Tasks of Increasing the
Safety and Efficiency of Operation of Nuclear Power Plants, Novye
Tekhnologii Publ., Moscow, 2012, p. 233. member corr. RAS I.A. Kali-
ayev (in Russian).
[14] V.V. Korneev, The Architecture of Computer Systems With a Pro-
grammable Structure, Nauka Publ, Novosibirsk, 1985 (in Russian).
[15] Korobkin V.V., Serogodsky A.I., Bluishvili I.V., Dubovik A.A. The soft-
ware complex of the refueling machine control system. Certificate RF.
No. 2015612308, (in Russian) 2015.