Nuclear I&C systems in a digital era
8 March 2022
As nuclear plants continue to transition from analogue to digital instrumentation & control systems, Dr Li Li discusses some of the challenges associated with digital systems
High-integrity, reliable instrumentation and control (I&C) systems are vital to the safe operation of a nuclear power plant or nuclear material-related facility. The architecture of an I&C system includes hardware (such as sensors, programmable logic controllers, hardwired logic, cabling, and supervisory control and data acquisition equipment), software (control system, application) and human-system interfaces across every part of the nuclear facility. It supports safety-related and non-safety-related functions under normal operation and in designated abnormal conditions. It might be called the nervous system of a nuclear facility.
Since the UK’s first commercial nuclear plant at Calder Hall, conventional I&C systems built from analogue devices and related technologies have been predominant. However, analogue I&C systems have several disadvantages. Analogue signals generally have lower quality than digital signals, with less accurate readings. Signals acquired from analogue electronics are more prone to distortion by noise than those from digital instruments.
The biggest challenge for nuclear I&C systems to continue using analogue devices is managing obsolescence. When analogue devices are at the end of their service life, or discontinued by the original vendors, parts replacement becomes difficult or impossible. Digitised devices and modern I&C systems are needed in the nuclear industry now and for the future.
Digital I&C systems have become more popular and desirable, in line with the rapid development of microprocessor chips and computerised technology.
The first digital I&C system for a nuclear power plant was reported at Kashiwazaki-Kariwa 6, an advanced boiling water reactor in Japan, which began commercial operations in 1996. Digital multiplex controllers are used throughout the plant, including in the main control room, for the reactor control system and for other safety systems. Analogue signals are collected from field sensors, converted into a digital format by remote multiplexing units, then sent to the main control room via optical fibres.
From the mid-2000s, digital I&C systems were included in upgrades and modernisation of several nuclear plants around the world, including Russia’s Kalinin 3 (commissioned in 2004) and Japan’s Ikata 1&2 (commissioned in 2009). The USA’s first digital I&C system modernisation was at Oconee in 2011. The UK, South Korea, France and China are among other countries which have also implemented digital I&C systems in their nuclear power plants in recent years.
The US Nuclear Regulatory Commission (NRC) has now given its first approval of a full-scale digital I&C system for a small modular reactor (SMR), with its approval of the NuScale design. For the safety-related I&C systems in its SMR, NuScale has introduced a digital platform including a highly integrated protection system based on a proprietary field programmable gate array.
I&C systems in SMRs will be digitalised, with the latest technologies and modularised design. In the event of plant upgrades, modernisation, life extension and obsolescence management, more large-scale plants will also adopt digital I&C for safer and reliable operations and cost savings.
Challenges of digital I&C
Safety and reliability
An I&C system depends on the same four defence-in-depth (DiD) principles as any nuclear design: redundancy, independence, diversity and deterministic behaviour.
Independence prevents a failure propagating from system to system or between the components within a system. Diversity means that different algorithms or different technologies provide separate ways of monitoring, actuation and control to achieve a required I&C function, so that a single design defect is not shared by every path. Redundancy means that alternative systems and components can perform the required function if the first fails.
The design of digital I&C systems is guided by the safety fundamentals, specific safety requirements and specific safety guides issued by the International Atomic Energy Agency (IAEA). These govern the safety classification of I&C functions, based on the requirements of the plant safety design basis. The architecture of the digital I&C system is driven by the class of the functions it implements within the DiD concept.
The greater the complexity of a digital I&C system, the greater the probability that a common cause failure (CCF) could occur among its subsystems, allowing a single failure event to cause a system malfunction. Compared with physical assets in a nuclear plant, CCFs happen more readily in software or software-controlled devices, because identical copies of a program share identical defects. However, there are many ways to prevent common cause failures, using the tools of failure analysis and risk management. In a DiD-based digital I&C system, the safety principles of redundancy, diversity and independence are implemented to ensure the safety and reliability of system operation.
IAEA safety standard SSR-2/1 defines five levels in the concept of defence-in-depth. The design of a digital I&C system’s architecture should employ DiD techniques to constitute the levels of defence for preventing failures and faults within the system.
Software is part of the safety and reliability case for I&C systems in both analogue-era and digital plants, but digital I&C relies heavily on computer-based software and systems to implement the plant’s safety functions. A stringent verification and validation (V&V) process has to be carried out on the software architecture, alongside the hardware, the system and the human-system interfaces, to meet the safety principles above.
Once the I&C system design is approved by the regulator, its integrity, reliability and continuity of operation are vital for the operator to generate electricity. The single failure criterion is a deterministic requirement: a digital I&C system must tolerate a random failure of any individual structure, system or component without losing its safety function. Normally, a reliability target derived from the probabilistic safety assessment is used to demonstrate that the anticipated failure rate of the digital I&C system is as low as reasonably practicable (ALARP).
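The redundancy, diversity and single-failure-criterion points above can be made concrete with a small voting example. The following Go program is an added illustration written for this edit, not code from the article or from any vendor's platform: it votes 2-out-of-3 over three redundant channels of one trip parameter, degrades towards the safe state when a channel declares itself failed, and OR-combines two diverse parameters (pressure and temperature) so that a common cause failure affecting one parameter's channels cannot defeat the trip function. The setpoints, channel names and the idea that a channel carries its own health flag are assumptions for the illustration.

```go
package main

import "fmt"

// Channel is one independent measurement of a trip parameter. Healthy is the
// channel's own self-diagnostic (range check, heartbeat); a channel that has
// declared itself failed is removed from the vote instead of being trusted.
type Channel struct {
	Name    string
	Value   float64
	Healthy bool
}

// VoteResult records the outcome of one voting group.
type VoteResult struct {
	Trip    bool // protection demand raised by this group
	Demands int  // healthy channels that individually demanded a trip
	Valid   int  // healthy channels that took part in the vote
}

// Vote applies the trip condition to three redundant channels and votes
// 2-out-of-3 over the healthy ones. Voting degrades towards the safe state:
// with two healthy channels it becomes 1-out-of-2, and with fewer than two
// it trips unconditionally. With all three channels healthy, one channel
// stuck low cannot block a genuine trip and one channel stuck high cannot
// cause a spurious one, which is the single failure criterion in miniature.
func Vote(chs [3]Channel, demand func(Channel) bool) VoteResult {
	var r VoteResult
	for _, c := range chs {
		if !c.Healthy {
			continue
		}
		r.Valid++
		if demand(c) {
			r.Demands++
		}
	}
	switch r.Valid {
	case 3:
		r.Trip = r.Demands >= 2
	case 2:
		r.Trip = r.Demands >= 1
	default:
		r.Trip = true // too few valid channels: fail safe
	}
	return r
}

// Above returns the trip condition "measured value exceeds limit".
func Above(limit float64) func(Channel) bool {
	return func(c Channel) bool { return c.Value > limit }
}

// ReactorTrip combines two diverse voting groups, pressure and temperature,
// measured by independent sensors. The groups are OR-ed, so a common cause
// failure that defeats one parameter (a shared calibration or software fault
// across its three channels) does not defeat the protection function.
func ReactorTrip(pressure, temperature [3]Channel) bool {
	const pressureLimit = 16.0 // MPa, assumed illustrative setpoint
	const tempLimit = 330.0    // degrees C, assumed illustrative setpoint
	p := Vote(pressure, Above(pressureLimit))
	t := Vote(temperature, Above(tempLimit))
	return p.Trip || t.Trip
}

func main() {
	// Constructed sample: pressure genuinely high on two channels, the third
	// stuck low (an undetected single failure); temperature normal.
	normalTemp := [3]Channel{{"TE-A", 300, true}, {"TE-B", 301, true}, {"TE-C", 299, true}}
	highP := [3]Channel{{"PT-A", 16.4, true}, {"PT-B", 16.5, true}, {"PT-C", 12.0, true}}
	fmt.Println("stuck-low channel, real transient, trip:", ReactorTrip(highP, normalTemp))

	// One spurious high channel with the other two normal: no trip.
	spuriousP := [3]Channel{{"PT-A", 15.0, true}, {"PT-B", 17.0, true}, {"PT-C", 15.1, true}}
	fmt.Println("single spurious channel, trip:", ReactorTrip(spuriousP, normalTemp))

	// One channel self-declared failed: voting degrades to 1-out-of-2.
	degradedP := [3]Channel{{"PT-A", 16.4, true}, {"PT-B", 15.0, true}, {"PT-C", 0, false}}
	fmt.Printf("degraded vote: %+v\n", Vote(degradedP, Above(16.0)))
}
```

The design choice worth noting is that a detected failure is handled differently from an undetected one: a channel that reports itself faulty is excluded and the vote degrades to 1-out-of-2, which accepts a higher spurious-trip rate in exchange for keeping the trip function available. A real protection system would also bypass-limit such degraded operation and alarm it, which this illustration omits.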
In contrast to analogue devices, a smart device (or smart instrument in some documents) is based on a microprocessor or other programmable electronic component. The end user can perform some limited configuration of the device to provide specific forms of functionality. This configurability has additional benefits — flexibility, accuracy and capabilities for online monitoring, calibration and diagnostics — but in a digital I&C system it can add complexity for qualification and regulatory approval.
To overcome the difficulty of design and approval, UK licensees and the regulator have established a good framework for guiding and approving the smart devices used in plant modernisation. The ‘Emphasis’ assessment tool is aligned with IEC 61508 and ISO 9001, and is supplemented by static analysis or statistical testing of the device software. These assessment and qualification processes are in addition to the manufacturer’s type tests for a smart device, and must meet the required safety integrity level. The UK approach to safety assessment addresses two legs: production excellence and independent ‘confidence-building’ measures. Recently, the Office for Nuclear Regulation (ONR) has approved several smart devices as part of the generic design assessment (GDA) for the UK HPR1000 and Westinghouse AP1000.
The scope of smart devices or embedded digital devices in the nuclear industry is not limited to measurement and indication via sensing instruments, but includes actuation and self-diagnosis functions through embedded programmable software — for example, actuated control valves, variable frequency controllers and motor starters.
Although smart devices are common in the process industries, they have so far been rarely deployed in nuclear plants because of their complexity and because of nuclear safety concerns.
Because of the limited size of market and need for rigorous regulation and special skill and knowledge, it is not commercially attractive for smart device vendors to invest heavily on smart devices for nuclear applications.
The demand should be addressed by the sector, working with vendors to design and manufacture smart devices that follow ALARP principles. We need a collaborative effort from regulatory authorities, designers, operators and engaged smart device manufacturers.
Cybersecurity
If nuclear facilities are to adopt digital I&C systems, cybersecurity has to be top of the agenda in design, verification and validation, regulation and operation. Since digital signals are transmitted in binary format, they can be easily compressed and encrypted. On the other hand, the processors, firmware, configuration interfaces and networks that carry them present an attack surface for hackers or remote hostile entities that hardwired analogue logic does not.
The cybersecurity risk for nuclear plant is very real. In 2003, the Davis-Besse plant was infected with the Slammer worm, which made the safety parameter display system inaccessible to operators for nearly five hours. In 2014, both the Monju plant in Japan and the Kori plant in South Korea suffered information theft due to malware attacks, including employee information and plant blueprints. In probably the best-known incident, from 2010, the Stuxnet attack at the Iranian uranium enrichment facility at Natanz damaged 984 centrifuges by implanting malware into Siemens S7-417 and S7-315 controllers. This compromised the cascade protection system to over-pressure the centrifuges, and the centrifuge drive system to over-speed the centrifuge rotors.
Because of the concern over cyberattacks on digital I&C in nuclear plant, many organisations and authorities have developed guidance and best practices to safeguard cybersecurity. In the USA, 10 CFR 73.54, which sits within the physical protection requirements of 10 CFR Part 73, requires a licensee to submit a cybersecurity plan for NRC review and approval that will ‘protect digital computer and communications systems and networks’. NRC also provides Regulatory Guide 5.71 (RG 5.71) to detail the method and approach for protecting digital hardware, systems and networks from cyber threats and attacks.
In the UK, the ONR has released a Technical Assessment Guide on nuclear security (CNS-TAST-GD-7.1), providing general advice and guidance to ONR inspectors on how aspects of cybersecurity should be assessed. It guides the licensees in developing security arrangements to meet legal obligations for cybersecurity and information assurance.
To prevent, detect and respond to malicious acts aimed at nuclear facilities, the IAEA has issued Nuclear Security Series No. 17 and No. 33-T, which provide guidance for the protection of digital I&C systems at nuclear facilities against malicious acts and hostile attacks. The International Electrotechnical Commission publishes the standards IEC 62645 and IEC 62859 for the development and management of secure computer-based I&C programmes, and for coordinating safety and security requirements, so as to reduce the vulnerability of programmable digital I&C systems in nuclear power plant.
Under the guidance of national and international standards and regulations, nuclear plant operators can develop a security policy that provides a framework of risk management, security management, and verification and validation management to defend digital I&C systems from cybersecurity threats. That may include an ‘air gap’ between the corporate network and the safety-critical control network; prohibiting remote updates and disabling portable storage device access; requiring cryptographically authenticated (signed) firmware updates before any flash memory is rewritten; and minimising employees’ privileges for modifying and updating the control software, backed by a stringent authentication procedure.
The passive heat removal functions in some small modular reactor designs can remove decay heat after shutdown without external safety-related pumps or fans. The simplified I&C design for the reactor control system therefore inherently reduces the exposure to cybersecurity threats, which works in favour of digitalising the SMR I&C system.
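One of the controls listed above, authenticated firmware updates, is worth showing end to end because the order of checks matters. The following Go program is an added illustration written for this edit, not code from the article, from a regulator or from any device vendor: the vendor signs a small manifest with an Ed25519 private key on its build system, and the field device, which holds only the public key, verifies the signature, then the image hash, the target model and an anti-rollback version before anything is written to flash. The manifest layout, the device model name and the version counter are assumptions for the illustration; a real device would additionally protect the public key and installed-version counter in tamper-resistant storage.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is an assumed, illustrative header that travels with an update
// image. Only the manifest is signed; it binds the image through its SHA-256.
type Manifest struct {
	Model   string   // device model the image is built for
	Version uint32   // monotonically increasing, used for anti-rollback
	Digest  [32]byte // SHA-256 of the image bytes
}

// encode serialises the manifest deterministically so that signer and
// verifier hash exactly the same bytes.
func (m Manifest) encode() []byte {
	var b bytes.Buffer
	b.WriteString(m.Model)
	b.WriteByte(0) // separator: "ab"+version and "a"+... cannot collide
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], m.Version)
	b.Write(v[:])
	b.Write(m.Digest[:])
	return b.Bytes()
}

// NewManifest is the vendor side: it computes the digest over the built image.
func NewManifest(model string, version uint32, image []byte) Manifest {
	return Manifest{Model: model, Version: version, Digest: sha256.Sum256(image)}
}

// Sign runs on the vendor's build system. The private key never reaches the device.
func Sign(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.encode())
}

// Device holds what the field device needs: the vendor's public key (fixed at
// manufacture) and the version currently installed.
type Device struct {
	Model     string
	Installed uint32
	VendorKey ed25519.PublicKey
}

var (
	ErrSignature = errors.New("manifest signature invalid")
	ErrDigest    = errors.New("image does not match signed digest")
	ErrModel     = errors.New("image built for a different device model")
	ErrRollback  = errors.New("image version not newer than installed version")
)

// Verify performs every check before a single byte is written to flash.
// The signature is checked first so that unsigned input cannot influence
// any later decision; the digest ties the signed manifest to the image.
func (d *Device) Verify(m Manifest, sig, image []byte) error {
	if !ed25519.Verify(d.VendorKey, m.encode(), sig) {
		return ErrSignature
	}
	if sha256.Sum256(image) != m.Digest {
		return ErrDigest
	}
	if m.Model != d.Model {
		return ErrModel
	}
	if m.Version <= d.Installed {
		return ErrRollback
	}
	return nil
}

// Apply verifies and, only on success, "installs" by advancing the version.
func (d *Device) Apply(m Manifest, sig, image []byte) error {
	if err := d.Verify(m, sig, image); err != nil {
		return err
	}
	d.Installed = m.Version
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	dev := &Device{Model: "XMTR-100", Installed: 4, VendorKey: pub}
	image := []byte("constructed firmware image v5") // constructed sample image
	m := NewManifest("XMTR-100", 5, image)
	sig := Sign(priv, m)
	fmt.Println("genuine update:", dev.Apply(m, sig, image))
	fmt.Println("tampered image:", dev.Apply(m, sig, []byte("constructed firmware image v5!")))
	fmt.Println("replayed update:", dev.Apply(m, sig, image))
}
```

Two points a practitioner would check in a real deployment: the version counter must be stored where a reset cannot wind it back, otherwise the anti-rollback check is decorative, and the verifier must reject a manifest whose version was edited after signing, which here falls out naturally because the version is inside the signed bytes.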
Upskilling and training
Digital I&C systems are becoming the norm in modernised and new plant, so the industry needs to act swiftly to upskill its workforce and train the next generation to work with these emerging technologies.
The knowledge and skills related to digital I&C, in areas including digital electronics, smart instruments, software, cybersecurity, machine learning and artificial intelligence, have to be developed in step with the digitalisation and automation of plant operation in order to uphold nuclear safety principles. There are also new requirements for the supply chain to develop its staff in digital technologies, so that it can provide safe and reliable designs, systems and components.
The current fleet operators will continue to train their staff, particularly those who work in the main control room, in the latest digital technology and associated knowledge. Security awareness and advanced training help strengthen the cybersecurity chain, equipping employees to protect the system against attack. Alongside on-the-job training, digital mock-up simulators can be used to train staff to mitigate and eliminate operational risks in a range of adverse events.
For the future workforce, a digital I&C curriculum should be taught in qualification programmes for graduates, covering the latest industrial digitalisation technologies. The curriculum should cover not only electrical systems, instrumentation, control and automation, but also data science, machine learning, virtual reality and augmented reality. Otherwise, the skills shortage and lack of competence in the field of digital I&C will pose a risk to a modern nuclear power plant operating to a high standard of safety.
The adoption of digital technology in the nuclear industry lags behind other industrial sectors such as aerospace and automotive, because of the sector’s unique safety requirements.
People may question the safety and complexity of deploying digital I&C systems in nuclear plant, and we need to demystify these fears and misconceptions. Vendors, licensees, regulators and relevant organisations should work together in developing standards, guidance and best practices. Bodies such as the IAEA, EPRI, the Nuclear Energy Agency and state regulatory authorities could publish a series of documents to guide and advise the preparation of digital I&C in new builds, SMRs and AMRs. With these good practices, digital I&C systems will bring significant benefits and efficiencies to the safer operation of nuclear power plants.
Dr Li Li is head of control & instrumentation group at the UK's Nuclear Advanced Manufacturing Research Centre (AMRC)