Security of Safety Important I&C Systems

One of the most challenging modern problems—security assessment and assurance for safety important I&C systems—is discussed. Interrelations and hierarchical structure of I&C systems attributes, including safety and security, are considered. Review of existing regulatory documents that covers various development and operation aspects of safety important I&C systems is presented. Such a review also addresses issues related to requirements for safety important I&C systems, including security requirements, depending on their underlying technology, as well as reveals the impact of the main features, including used technologies and development approaches. Main challenging problems and requirements in the area of security assurance for complex safety important I&C systems are outlined. A possible way to analyze the security vulnerabilities of safety important I&C system is considered; it is based on process-product approach, and it requires performance of assessments for products (components of I&C system at different life cycle stages) and all the processes within the product life cycle. A possible approach to assessment and assurance of safety important I&C systems security is discussed. Such an approach takes into account possible vulnerabilities of Field Programmable Gate Arrays (FPGA) technology and appropriate points of their insertion into the life cycle. An analysis of existing techniques for assurance of safety important I&C systems security is performed.

Diversity and Multi-Version Systems

To protect safety-critical systems from common-cause failures that can lead to potentially dangerous outcomes, special methods are applied, including multi-version technologies operating at different levels of diversity. A model representing different diversity types during the development of safety-critical systems is suggested. The model addresses diversity types that are the most expedient in providing required safety. The diversity of complex electronic components (FPGA, etc.), printed circuit boards, manufacturers, specification languages, design, and program languages, etc. are considered. The challenges addressed are related to factors of scale and dependencies among diversity types, since not all combinations of used diversity are feasible. Taking these dependencies into consideration, the model simplifies the choice of diversity options. This chapter presents a cost effective approach to selection of the most diverse NPP Reactor Trip System (RTS) under uncertainty. The selection of a pair of primary and secondary RTS is named a diversity strategy. All possible strategies are evaluated on an ordinal scale with linguistic values provided by experts. These values express the expert’s degree of confidence that evaluated variants of secondary RTS are different from primary. All diversity strategies are evaluated on a set of linguistic diversity criteria, which are included into a corresponding diversity attribute. The generic fuzzy diversity score is an aggregation of the linguistic values provided by the experts to obtain a collective assessment of the secondary RTS’s similarity (difference) with a primary one. This rational diversity strategy is found during the exploitation stage, taking into consideration the fuzzy diversity score and cost.

International Standard Bases and Safety Classification

The main standard bases for NPP I&C systems are documents of the International Atomic Energy Agency (IAEA) and International Electrotechnical Commission (IEC). Standards are interconnected through the following: IAEA develops general safety principles for NPP I&C systems, and IEC develops technical requirements that use and specify safety principles. Structures of the bases are considered. Classifications of I&C systems and their components are given on the basis of their safety impact. According to the IAEA classification, all systems are divided into safety important and non-safety important. According to IEC, functions to be performed by I&C systems shall be assigned to categories according to their importance to safety. The importance to safety of a function shall be identified by means of the consequences in the event of its failure, when it is required to be performed, and by the consequences in the event of a spurious actuation. All functions are divided into categories A, B, C.

Safety Parameters Display Systems

The chapter contains a description of Safety Parameters Display Systems (SPDS) implemented at NPP units WWER-1000 of Ukraine. These systems were designed by Westinghouse Electric Corporation (USA). LLC “Westron” (Ukraine) took development and implementation of these systems. These systems were provided at 11 NPP units in the framework of the International Nuclear Safety Program with the support of DOE (USA). The general purpose of SPDS is to provide support for operators, when abnormality of NPP unit operational conditions must be determined rapidly. The chapter considers the purpose and the functions of these systems, specific features of the displaying information about the state of the functions, which are critical for NPP unit safety, and the structure of systems. Implementation of SPDS project at 11 units of Ukrainian NPPs is a good example of USA and Ukraine collaboration in the nuclear area. Organization of this large-scale modernization is described.

Rod Group and Individual Control System

Chapter 10 considers the Rod Group and Individual Control (RG&IC) system, which is one of the individual I&C systems and a part of the reactor control and protection system. RG&IC is an actuation system, which performs functions initiated by emergency and preventive reactor protection, reactor power control, unloading, limitation and accelerated preventive protection, and remote control rod position commands sent by the power unit personnel. The central part of RG&IC system consists of software-hardware complex SHC RG&IC-R based on the equipment family of the Research and Production Corporation “Radiy” (RADIY PLATFORM – see Chapter 1). The RG&IC system combines functions that belong to A and B categories according to safety impact (IEC, 2009), relates to safety class 2(A) and complies with the fundamental safety principles (IAEA, 1999), requirements that are set forth in international standards (IAEA, 2002, 2012; IEC, 2011), and Ukrainian nuclear safety rules and regulations (NP, 2000, 2008a, 2008b).

Emergency and Preventive Reactor Protection Systems

In Chapter 9, Emergency and Preventive Reactor Protection (E&PRP) systems implemented at the Ukrainian NPPs during 2003-2013 are considered. The core of E&PRP systems is formed by software-hardware complexes (SHC E&PRP) developed on the base of the Research and Production Corporation “Radiy” equipment family. The first part describes the main purposes of E&PRP: forced power reduction or immediate reactor shutdown to prevent an emergency from developing into an accident. The second part describes the basic functions determined by the system purposes, along with additional functions performed by SHC E&PRP. The third part is devoted to describe SHC E&PRP technical characteristics, which implement the specified functions. The forth part deals with information about the composition and structure of SHC E&PRP, as well as about connections of SHC E&PRP with adjacent I & C systems are shown. In the fifth part, aspects of functional safety assurance during development, production, and acceptance of SHC E&PRP are considered.

Overall Instrumentation and Control Systems

Chapter 8 considers design principles of Overall Instrumentation and Control (OI&C) systems implemented at Ukrainian NPPs. The first section provides brief information on controlled objects—power units with reactors WWER, which are operated at Ukrainian NPPs. The main principles and features for modernization of OI&C systems and their components in NPPs in Ukraine that were generated in 2000-2011 are further provided. The third section is dedicated to the architecture of OI&C systems that control technological processes on these power units. After that, the central part of this architecture, a group of the most closely connected individual Instrumentation and Control (further, I&C) systems, for which the general term “reactor control and protection system” is used in Ukraine and Russia, is considered in detail. The purpose, composition, and structure of a modernized reactor control and protection system that are implemented at Ukrainian NPPs with WWER reactors are provided.

Properties of Safety Important I&C Systems and their Components

Operation reliability of NPP I&C and its components is considered in this chapter. Besides quantitative measures, qualitative features that provide required functional reliability such as protection against Common Cause Failures (CCF), single-failure criterion, redundancy, diversity, prevention of personnel errors, and technical diagnostics, are discussed. A group of features of NPP I&C and its components, united by “performance resistance,” is also considered. In particular, they are resistance to environment influences, mechanical influences (including earthquake impacts), insensitivity changes of power supply, and electromagnetic disturbances. Operation quality issues are considered. By quality (in a broad sense), the authors mean the accuracy, response rate characteristics, and features of human-machine interfaces. Features that provide NPP I&C independence from malfunction or removal from operation of system components (including redundant ones) or from adjacent NPP I&C, and the decrease of possible impact of components on other adjacent systems (electromagnetic emission, fire safety) are described as well.

NPP

The problem of the safe interaction between a Nuclear Power Plant (NPP) and a Power Grid (PG), considering the Fukushima nuclear accident, is becoming topical. There are a lot different types of influences between NPPs and PG, which stipulate NPPs’ safety levels. To evaluate the influences, two metrics are proposed: linguistic and numerical. The approach to the NPP-PG safety assessment is based on the application of Bayesian Belief Network (BBN), where nodes represent different PG systems and links are stipulated by different types of influences (physical, informational, geographic, etc). It is suggested to evaluate criticality of the PG system considering the change of criticalities of all connected systems. The total criticality of each node in BBN is assessed considering particular criticalities caused by different types of influence. The complex nature of NPP and PG mutual interaction calls for the need for integration of different methods that use input data of different qualimetric nature (deterministic, stochastic, linguistic). Application of one specified group of risk methods might lead to loss and/or disregard of a part of safety-related information. BBN and Fuzzy Logic (FL) represent a basis for development of the hybrid approach to capture all information required for safety assessment of NPP – PG under uncertainties. Integration of FL-based methods and BBNs allows decreasing the amount of input information (measurements) required for safety assessment, when these methods are used independently outside from the proposed integration framework. An illustrative example for the NPP reactor safety assessment is considered in this chapter.

Organization and Information Support of Expert Reviews of I&C Systems Modernization at NPP of Ukraine

Safety assessment of Instrumentation and Control systems (I&C systems) of NPP is performed during expert reviews of nuclear and radiation safety in the framework of the licensing process at all life cycle stages of I&C systems. Life cycle stages of NPP I&C systems, which are determined by current guides, rules, and standards of Ukraine, are considered in the chapter. A short overview of the main principles of safety regulation of nuclear facilities, licensing, and expert review of nuclear and radiation safety is presented. Specific safety assessments of NPP I&C systems at different life cycle stages are analyzed (in particular, a list of documents proving NPP I&C safety that should be submitted for expert review at each stage is given). Such assessment is a labor-intensive process that requires processing considerable amounts of a variety of information. Hence, it is reasonable to provide experts with information support for assessing the safety of NPP I&C systems. The chapter gives suggestions and examples of practical implementation of the automated system for support of expert activities and considers the knowledge base for I&C systems.