INSTRUMENTATION & CONTROL |
Table 1: Levels of defence in depth

Level 1
  Objective: Prevention of abnormal operation and failures
  Essential means: Conservative design and high quality in construction and operation
Level 2
  Objective: Control of abnormal operation and detection of failures
  Essential means: Control, limiting and protection systems and other surveillance features
Level 3
  Objective: Control of accidents within the design basis
  Essential means: Engineered safety features and accident procedures
Level 4
  Objective: Control of severe plant conditions, including prevention of accident progression and mitigation of the consequences of severe accidents
  Essential means: Complementary measures and accident management
Level 5
  Objective: Mitigation of radiological consequences of significant releases of radioactive materials
  Essential means: Off-site emergency response

Source: IAEA, Defence in Depth in Nuclear Safety, INSAG-10, INSAG Series, International Atomic Energy Agency, Vienna (1996), p. 33.
In both analogue and digital I&C systems, software is part of the safety and reliability design. However, digital I&C relies heavily on computer-based software and systems, which are used to implement the safety functions in a nuclear plant. A stringent verification and validation (V&V) process has to be carried out on the software architecture, along with the hardware, system and human-system interfaces, to meet the aforementioned safety principles. Once the I&C system design is approved by the regulator, the integrity, reliability and continuity of operation are vital for the operator to generate electricity. The single failure criterion is a deterministic requirement that a digital I&C system tolerate a random failure of any individual structure, system or component. Normally, a reliability target derived from a probabilistic safety assessment is used to demonstrate that the anticipated failure rate of the digital I&C system is as low as reasonably practicable (ALARP).
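As an added illustration (not from the article or any I&C vendor), the following Python models an assumed 2-out-of-3 voting protection channel and checks the two properties described above: the deterministic single failure criterion, by exhaustively injecting one channel failure at a time in each failure mode, and a PSA-style probability of failure on demand compared against a reliability target. The channel failure modes, the voting architecture and the numerical values are constructed assumptions.

```python
from math import comb

# Constructed model: a k-out-of-n voting protection system. The 2oo3
# architecture and the failure modes below are assumptions for illustration,
# not the article's own design.

OK, FAIL_SAFE, FAIL_DANGEROUS = "ok", "fail_safe", "fail_dangerous"


def channel_output(state, demand):
    """Trip vote of one channel given its health and whether a real demand exists."""
    if state == FAIL_SAFE:
        return True          # spurious trip vote
    if state == FAIL_DANGEROUS:
        return False         # stuck: never votes to trip, even on demand
    return demand            # healthy channel mirrors the plant demand


def voted_trip(states, demand, k=2):
    """k-out-of-n voting logic: trip if at least k channels vote to trip."""
    return sum(channel_output(s, demand) for s in states) >= k


def meets_single_failure_criterion(n=3, k=2):
    """Deterministic check: with any single channel failed in either mode, the
    system still trips on demand and does not trip spuriously without demand."""
    for i in range(n):
        for mode in (FAIL_SAFE, FAIL_DANGEROUS):
            states = [OK] * n
            states[i] = mode
            if not voted_trip(states, demand=True, k=k):
                return False  # a single dangerous failure blocks the safety function
            if voted_trip(states, demand=False, k=k):
                return False  # a single fail-safe failure causes a spurious trip
    return True


def probability_of_failure_on_demand(p, n=3, k=2):
    """Probabilistic estimate: P(more than n-k channels dangerously failed), given
    independent per-channel dangerous-failure probability p (no common cause)."""
    return sum(comb(n, j) * p**j * (1 - p)**(n - j) for j in range(n - k + 1, n + 1))


def meets_reliability_target(p, target, n=3, k=2):
    """Compare the estimated failure on demand with a PSA-derived target."""
    return probability_of_failure_on_demand(p, n, k) <= target
```

For 2oo3 the estimate reduces to 3p^2 - 2p^3, so a per-channel probability of 0.01 gives roughly 3e-4; a 2oo2 or 1oo2 arrangement fails the deterministic check because one failed channel alone can block the trip or cause a spurious one.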
Smart devices In contrast to analogue devices, a smart device (or smart instrument in some documents) is based on a microprocessor or other programmable electronic component. The end user can perform some limited configuration of the device to provide specific forms of functionality. This configurability has additional benefits — flexibility, accuracy and capabilities for online monitoring, calibration and diagnostics — but in a digital I&C system it can add complexity for qualification and regulatory approval. To overcome the difficulty of design and approval, the UK licensees and their regulator have established a good context to guide and approve the smart devices used in plant modernisation. The ‘Emphasis’ assessment tool is fully compliant with IEC 61058 and ISO 9001, and is complemented by static analysis or statistical testing. The assessment and qualification processes are in addition to the manufacturer’s type tests for a smart device, which must meet the required safety integrity level. The UK approach to safety assessment addresses two aspects: production excellence and independent ‘confidence-building’ measures.
52 | February 2022 | www.neimagazine.com
Recently, the Office for Nuclear Regulation has approved several smart devices as part of the generic design assessment (GDA) for the UK HPR1000 and Westinghouse AP1000. The scope of smart devices or embedded digital
devices in the nuclear industry is not limited to measurement and indication via sensing instruments, but includes actuation and self-diagnosis functions through embedded programmable software — for example, actuated control valves, variable frequency controllers and motor starters.
Although smart devices are often used in the process industries, they are rarely deployed in nuclear plants due to their complexity and because of nuclear safety concerns. Because of the limited size of the market and the need for rigorous regulation and specialised skills and knowledge, it is not commercially attractive for smart device vendors to invest heavily in smart devices for nuclear applications. The demand should be addressed by the sector, working with vendors to design and manufacture smart devices that follow ALARP principles. We need a collaborative effort from regulatory authorities, designers, operators and engaged smart device manufacturers.
Cybersecurity If nuclear facilities are to adopt digital I&C systems, cybersecurity has to be top of the agenda in design, verification and validation, regulation and operation. Since digital signals are transmitted in binary format, they can be easily compressed and encrypted. On the other hand, they can be vulnerable to hackers or remote hostile entities. The cybersecurity risk for nuclear plant is very real. In 2003, the Davis-Besse plant was infected with the Slammer worm, rendering the safety parameter display system inaccessible to operators for nearly five hours. In 2014, both the Monju plant in Japan and the Kori plant in South Korea suffered information theft, including employee information and plant blueprints, due to malware attacks. In probably the best-known incident, from 2010, the Stuxnet attack at the Iranian uranium enrichment facility at Natanz damaged 984