The development in instrumentation and control (I&C) has been very rapid over the last few decades. New generations of digital equipment with improved performance have been introduced in the market at a high rate. This development is also reflected in new and improved systems for I&C in all major industries, including transportation, the chemical industry, and conventional power plants. The new systems take advantage of technological achievements to accommodate sophisticated and efficient treatment of measurements and control signals, for high speed and reliability, but also for flexibility and versatility.
The fact of the matter is that the adoption of the new technology has, for various reasons, been slower in nuclear power plants. The most important reason is that only a few new plants have been ordered worldwide during the last ten years. A second reason is connected to the efforts needed in providing adequate evidence that the digital I&C systems can be used in safety and safety related applications. This issue is connected to the effort needed in obtaining adequate assurance that the digital I&C will fulfill its intended function and contain no unintended function in all possible operational states during its entire life cycle.
However, lately there seems to be a mammoth interest in the I&C systems around the global community even though nuclear power plants (NPPs) are approaching or have reached the midpoint of their design life. At the same time there have been tremendous advances in electronics, computers and networks. These new technologies have been incorporated into the currently available digital I&C hardware and software. Notwithstanding the fact that advanced digital I&C systems have been used extensively in many other industries, their use in the nuclear industry is still very limited. This is mainly because very few new NPPs have been built since the mid 1980’s and the licensing process of digital I&C systems is challenging and complex. Despite these issues, numerous modernization projects have demonstrated that the functional improvements of digital I&C technology can provide cost effective improvements to NPP safety and availability.
I&C systems are considered to be the nervous system of a nuclear power plant. They monitor all aspects of the plant’s health and help respond with the care and adjustments needed.
The reality is that progress in electronics and information technology (IT) has created incentives to replace traditional analog I&C systems in nuclear power plants with digital I&C systems, i.e. systems based on computers and microprocessors. Digital systems offer higher reliability, better plant performance and additional diagnostic capabilities. Analog systems will gradually become obsolete in the general IT shift to digital technology. About 40 percent of the world’s operating reactors have been modernized to include at least some digital I&C systems. Most modern plants also include digital I&C systems.
Digital I&C systems have posed new challenges for the industry and regulators, who have had to build up the methods, data and experience to assure themselves that the new systems meet all reliability and performance requirements. In general, countries with more new construction of nuclear reactors have had greater incentives and opportunities to develop the needed capabilities. Other countries are still in the process of doing so.
I&C systems are designed with the focus to empower NPPs for the following operational functions:
1. Plant Monitoring and Display Systems:
These systems are designed to monitor plant variables and provide data to other I&C systems and to the plant operators for use in controlling the operation of the plant. Typical examples include systems that monitor and display the status of the fire protection system, fluid temperatures, and pressures. These systems also normally provide visual and audible alarms at various control stations, particularly the main control room, that notify operators of trends or particular values requiring action by the operator to avert an actual problem or emergency. Usually there are formal procedures the operators follow when such an alarm or notification occurs, with the alarm set-point and required response time coordinated to give the operator adequate time to take action. Typically, the response times are on the order of tens of minutes; if inadequate time exists, an automated response is provided;
2. Plant Control Systems:
These systems are designed to control all the normal operations of the plant. They are used in startup, power operations, shutdowns, and plant upsets. Regarded by plant owners as the primary controls for their expensive and complex plants, they are fully engineered, they are robust, and they usually have considerable redundancy (see below) to prevent single failures or anticipated events from escalating into plant shutdowns, trips, or accidents endangering plant equipment, personnel, and the public. Typical examples include feedwater and steam control systems, turbine generator controls, and the myriad of systems used to control the many circuit breakers, pumps, and valves throughout the plant;
3. Plant Protection and Mitigation Systems:
These systems are designed to provide an additional, separate layer of systems that monitor the plant variables. If they detect that the above-described plant monitoring and control systems have not kept the plant within a predefined set of conditions, they take action automatically to rapidly shutdown the plant (“trip” and “scram” are terms that accurately convey the nature of the response) and start any other needed systems to mitigate the detected problem and place the plant in a safe state. These protection and mitigation systems have a number of important characteristics:
- They are physically separate systems that generally do not share hardware and software with the plant operating and control systems (Some limited amounts of equipment such as sensors may be shared provided the equipment meets safety quality requirements.). This extends to and includes needed auxiliary systems such as heating, ventilation, and air conditioning; electrical or hydraulic power supplies; and cooling water systems;
- They are environmentally qualified for the harshest anticipated operating/accident conditions, including highly unusual events such as large earthquakes and tornadoes;
- When called upon to act, they go to completion of their intended function;
- The protection and mitigation systems do not control or modulate the operation of the systems they control. They shut down the reactor, trip the turbine generator, start needed cooling water systems, and go to preset operating conditions that are safe for the plant to maintain for extended periods;
- In addition, they are designed to single-failure proof. That is, no single failure at the component or system level (including a failure internal to the protection and mitigation systems in addition to the initiating event or failure and any direct consequence) or no single operator error can prevent them from successfully operating. As a result, they use redundancy. That is, there are typically multiple, separate, parallel sets of equipment and systems to carry out the same function. In I&C systems in particular, this redundancy is usually provided by having four parallel channels that actuate the systems if needed. The four parallel channels are fed to a logic system that requires any two valid signals to cause actuation. This logic assures that no single failure will prevent or cause the drastic actions taken by these systems. It also allows complete (sensor-to-actuator) testing of one channel at a time while the plant is at power without causing or inhibiting the protection and mitigation function; and
- In addition to being single-failure proof, the protection and mitigation systems have other features to enhance their reliability and increase their effectiveness against hazards. For example, two reactor shutdown mechanisms are provided—insertion of control rods and injection of a soluble neutron poison. Also, for any given accident, two or more different initiation signals will be generated and sent to the protection and mitigation system. (For example, a loss-of-flow accident through the reactor will be detected by a high reactor outlet temperature and a high pressure signal.) This type of redundancy provides protection against general classes of common-mode failures—failures in which a single error or problem disables multiple, independent safety functions.
It is important to note that the requirements of nuclear plant I&C systems, including the protection and mitigation systems, are well within the capabilities of current I&C technology – analog or digital. In terms of response time and accuracy (for example), the nuclear plant I&C requirements are relatively modest.
In terms of the capabilities of these systems, a typical unit has approximately 10,000 sensors and detectors and 5,000 km of I&C cables; and the total mass of I&C related components is in the order of 1,000 tonnes. This makes I&C system one of the heaviest and most extensive non-building structures in any nuclear power plant.
No globally comprehensive statistics are available on the numbers of plants with fully analog, fully digital or hybrid I&C systems. However, approximately 40 percent of the world’s 439 operating power reactors, accounting for nearly all of the 30 countries with operating NPPs, have had some level of digital I&C upgrade to, at least, important safety systems. From another perspective, 90 percent of all the digital I&C installations that have been done have been modernization projects at existing reactors. 10 percent have been at new reactors. Of the 34 reactors currently under construction around the world, all of those for which construction began after 1990 have some digital I&C components in their control and safety systems.
Here are some examples of how countries around the world are deploying I&C systems:
- Japan: The first fully digital I&C system was integrated into the Kashiwazaki-Kariwa-6 advanced boiling water reactor (ABWR) in 1996, followed shortly by Kashiwazaki-Kariwa-7. Similar digital I&C systems are used in Hamaoka-5. Tomari-3, which will feature the first all-digital reactor control room, which became operational in 2009;
- China: Qinshan Phase III, with two 700 MW (e) CANDU reactors, and Tianwan-1 and -2, with two 1000 MW (e) VVERs, have fully digital I&C systems, including both the safety and control systems, and partly computerized, i.e. hybrid, human-system interfaces (HSIs). China’s high-temperature gas-cooled experimental reactor, the HTGR-10, also has fully digital safety and control I&C systems, plus a hybrid human-system interface in its main control room;
- The UK: At Sizewell B, a 1250 MW(e) PWR, all automatic functions of the safety I&C systems are digital, and in the main control room, all the qualified displays used in the human-system interface are computerized;
- Russia: Kalinin-3, which was commissioned in 2004, is the first VVER-1000 equipped with digital I&C safety systems and digital process control systems. In addition, both its main and emergency control rooms have hybrid human-system interfaces. A dynamic simulator was also installed for the purpose of testing control functions;
- The Republic of Korea: Three 1000 MW(e) PWRs are under construction (Shin-Kori-1 and -2 and Shin-Wolsong-1), all with fully digital I&C safety and control systems and hybrid human-system interfaces in the control rooms;
- The USA: 1978 was the last year in which construction started on a reactor that eventually came on line. The US Nuclear Regulatory Commission (NRC) has therefore not had the same experience with digital I&C systems as have regulators in China, India, Japan and the Republic of Korea, where the expansion of nuclear power is centred. Partly as a result, digital systems have not yet been approved for use as safety systems in operating US NPPs.
From a specific cyber security point of view, nuclear power plant I&C systems are generally isolated from external communication systems. Nonetheless, particularly the computers used in safety and safety-related systems must be very well protected from possible intrusions. But other computers must be protected as well. The computers used to control the plant are essential to assure the continuity of power production. The computers used to control access to sensitive areas are needed both to prevent unauthorized access that might be part of an attack, and to assure authorized access both for safety and security reasons. Computers that store important and sensitive data have to be protected to assure that those data are not erased or stolen.
Possible cyber-attacks could be associated with business espionage, technology theft, a disgruntled employee, a recreational hacker, a cyber-activist, organized crime, a nation state, or a terrorist organization. Four categories of possible cyber-attacks have to be considered:
- Unauthorized access to information (loss of confidentiality);
- Interception and change of information, software, hardware (loss of integrity);
- Blocking data transmission lines and/or shutting down systems (loss of availability); and
- Unauthorized intrusion in data communication systems or in computers (loss of reliability).
Computer security is built from a consideration of these possible threats and the development of a design basis threat (DBT), defined within the context of computer security, that typically involves both insiders and outsiders. A significant difficulty is that the complexity of computer systems sometimes makes it difficult to identify possible sequences that could introduce important threats. The tools for identifying threats and building barriers include both technical tools, such as intrusion detection, virus scanners and encryption, and administrative tools such as the application of security zones, security management systems, passwords and biometric identification.
Experience gained from cyber security in other sensitive fields, such as the military, national security, banking, and air-traffic control is valuable both for improving cyber security at nuclear power plants with digital I&C systems and for demonstrating that cyber defenses can consistently stay ahead of cyber-attacks. But, as with safety and other areas of security, cyber security is an area where no-one can rest on his laurels. Continued success requires continuous vigilance and continuous improvement.
Digital I&C systems are expected to continue as an area of rapid technological development. Future designs of NPPs will require new solutions both in sensing technologies and in digital control. Advanced sensors, detectors, transmitters, and data transmission lines are needed to meet the requirements imposed by the operating conditions of new designs (e.g. high temperatures and high flux) and the harsh environment of ‘beyond design basis’ conditions. Additional monitoring and diagnostic systems will need to be developed, making use of on-line condition monitoring techniques, reactor noise analysis for incipient failure detection, wireless sensor networks and communication, and integrated remote operation.
- Harmonization of the licensing process for Digital Instrumentation and Control Systems in Nuclear Power Plants;
- IAEA Nuclear Energy Series – Implementing Digital Instrumentation and Control Systems in the Modernization of NPPs;
- IAEA Instrumentation and Control (I&C) Systems in Nuclear Power Plants – A Time of Transition; and
- The National Academies Press – Nuclear Power Plant Instrumentation & Control Systems