Digital Instrumentation and Controls Research

Past research has included analyzing failure and fault modes and mechanisms, operational experience, methods to test software, and methods to perform and evaluate a DI&C hazard analysis. Ongoing DI&C systems safety research topics include common-cause failure, assurance case approaches, and causality-based techniques for performing hazard analysis and learning from events encountered during operation.

International collaboration includes the OECD/NEA Halden Reactor Project ‒ now focused on the Human, Technology and Organization (HTO) aspects. The NRC has hosted many Halden workshops to learn about the common needs and issues experienced by industry and to learn about best practices and the state-of-the-art in DI&C safety assurance, including a series of six workshops in 2020. Another example is NRC participation in the TF SCS, an international organization that regularly meets and updates its technical report on common positions regarding the licensing of safety critical software for nuclear reactors. In 2014, at the invitation of the TF SCS, RES staff reviewed the TF SCS’s technical report, provided comments for improvements, and studied how the information could benefit the NRC. The NRC published this report with an added appendix (NUREG/IA-0463) to make the technical reference more readily accessible to NRC staff and stakeholders in the USA. RES will continue to collaborate with TF SCS and is currently working on a revision to NUREG/IA-0463.

Table 1 summarizes relevant documents and research performed to provide decision support for safety evaluation.

Table 1: Safety Evaluation of DI&C

Model-Based Systems Engineering (MBSE) represents a structured approach to applying modeling techniques throughout the entire lifecycle of system development, from conceptual design to operational phases. This method has become increasingly relevant in addressing the complexity and potential failures associated with digital instrumentation and control (I&C) systems. Since the 1960s, the NRC has been concerned with systemic failures in protection and reactivity control systems, particularly when using redundant elements. Unlike traditional I&C systems, digital I&C introduces new challenges, including complexity, unanticipated interactions, and emergent behaviors. To address these issues, several approaches have been developed, such as Systems-Theoretic Process Analysis (STPA) and advanced simulation techniques using MBSE models.

A notable initiative for MBSE is the High Assurance Rigorous Digital Engineering for Nuclear Safety (HARDENS) Research Project. This project displays the application of MBSE to showcase and educate stakeholders on advanced, high-assurance practices using publicly available tools. The HARDENS Reactor Trip System (RTS) project utilizes modern model-based technologies, including sensors, solenoid actuators, and field programmable gate arrays (FPGA’s). By utilizing open-source tools, HARDENS models cost-effective solutions for safety-critical systems in nuclear environments.

Table 2: Model-Based Systems Engineering

The current I&C regulatory infrastructure is based on compliance with the Institute of Electrical and Electronic Engineer’s (IEEE) design and quality standards and the NRC's defense in depth policy. The NRC staff routinely applies engineering judgment, e.g. on safety importance, and operating experience, in evaluating individual designs against regulatory standards. The NRC seeks additional technical methods and tools to integrate risk insights and better quantify risks when possible.  Consistent with NRC’s broader efforts (See “The NRC’s Concept of Risk”), this research area focuses on examining the following questions:

• What can go wrong?
• How likely is it?
• What would be the consequences?

These risk insights are integrated into technical reviews and inspections of digital systems, consistent with the principles defined in RG 1.174 and other relevant guidance.

Current Efforts

The NRC Staff anticipates that licensees and applicants will increasingly employ hazard analysis techniques to risk inform the use of digital I&C systems and components (e.g., Systems-Theoretic Process Analysis).  NRC’s most current effort seeks to assess the feasibility and limits of accepting STPA-informed evidence as a substitute for traditional diversity and design. For a brief overview, see ML24116A202.

Completed Efforts

Table 3 summarizes the research, spanning almost two decades, to risk inform digital I&C.

Table 3: Risk Informing for Digital I&C

Research on electromagnetic compatibility (EMC), electromagnetic interference (EMI), and radio-frequency interference (RFI) has focused on enhancing the reliability and resilience of safety-related instrumentation and control (I&C) systems in nuclear power plants. Studies, primarily conducted by Oak Ridge National Laboratory (ORNL) and sponsored by the U.S. NRC, have developed technical recommendations for addressing EMI, RFI, and power surges. These efforts include establishing electromagnetic operating envelopes, testing criteria, and design practices to ensure systems can withstand interference and power surges. The research emphasizes good engineering practices for EMC, such as circuit design, shielding, and grounding, as well as creating detailed testing protocols and regulatory guidance to maintain system integrity under adverse electromagnetic conditions. Table 4 summarizes research and work on electromagnetic environmental effects.

Table 4: Electromagnetic Environmental Effects

RES has examined the impact of electromagnetic pulse (EMP) on U.S. nuclear power plants since the 1980s. RES continues to monitor developments in this area and update the findings periodically, expanding the scope to include space weather events. Research efforts support the NRC position that U.S. plants can safely shut down in the aftermath of either occurrence. The NRC is currently participating in the interagency response to Executive Order 13865, “Coordinating National Resilience to Electromagnetic Pulses.” This is a government-wide effort to ensure national infrastructure components will remain functional in the event of an EMP. Table 5 summarizes completed research concerning electromagnetic effects.

Table 5: Electromagnetic Pulse and Space Weather Effects

Online monitoring refers to automated techniques used to assess instrumentation performance or health while the facility is operating. Online monitoring seeks to determine whether the equipment has encountered an anomaly or fault or if recalibration is needed. For example, some systems can detect an eventual bearing failure in a pump by monitoring vibrations; other systems are capable of monitoring safety signals when a protection channel is drifting out of the allowable tolerance.

The availability of online monitoring may result in licensees seeking approval to change surveillance and maintenance practices at nuclear facilities. For this reason, the NRC proactively seeks to ensure that it is prepared to evaluate, provide timely decisions, and offer regulatory guidance on the safe use of online monitoring methods. Table 6 summarizes online monitoring research.

Table 6: Online Monitoring

The nuclear industry has expressed interest in expanding the use of wireless technologies in Nuclear Power Plant applications. Examples include use in industrial control systems and data acquisition monitoring systems for plant component/equipment health monitoring that are located near, or even on, safety related/important-to-safety (SR/ITS) equipment. Expansion of wireless technology use must ensure it does not impact safe operation of the plant through adverse interactions with SR/ITS systems. Table 7 summarizes research and other information on the safety concerns of wireless technology and other emerging technologies.

For more information on the cybersecurity side of wireless technology, see the cybersecurity research page.

Table 7: Wireless Technology

Embedded digital devices (EDDs) and related emerging technologies may introduce new hazards or other safety concerns, as presented in Regulatory Issue Summary 2016-05, "Embedded Digital Devices in Safety-Related Systems," dated April 29, 2016. Ongoing research aims to develop the technical basis for evaluating EDDs and emerging technologies, along with relevant observations, based on their classification, functionality, configurability, consequences of failure, and potential for common cause failure. This research reviews how other agencies worldwide, both nuclear and non-nuclear, regulate, approve the use of, and apply EDDs.

Areas of interest include the types of components in safety-related applications most likely to have EDDs, methods used by other industries and countries to regulate the use of EDDs, and potential issues noted in industry. This information serves to support the technical basis for a graded approach in the selection and use of EDDs. A tangential supply chain issue is the use of replacement parts or parts in upgrades that may contain an undeclared digital device, as it may not meet the requirements for the safety-related application in which it is being used.

Other attributes such as reliability (the ability to perform with correct, consistent results), diagnostics, operating experience, and failure modes were reviewed because of their use in risk informing the acceptance of the use of EDDs. Emerging technologies associated with EDDs were noted during this work and are described. Table 8 summarizes research concerning EDDs and emerging technologies associated with EDDs.

Table 8: Embedded Digital Devices and Emerging Technologies

This research addresses the effects of fire, smoke and other environmental effects on equipment. Fire is a design-basis event. To demonstrate that it can be handled, licensees perform a post-fire safe-shutdown analysis to assure that a train of shutdown structures, systems, and components remains free of fire damage for a single fire in any single plant fire area. Industry has developed methods for evaluating the effects of fire-induced circuit failures on safe-shutdown capability. Nuclear Energy Institute report NEI-00-01, Revision 2, "Guidance for Post-Fire Safe Shutdown Circuit Analysis," May 2009, provides one acceptable method for performing a post-fire safe-shutdown circuit analysis when used with RG 1.189, Revision 3, "Fire Protection for Nuclear Power Plants," issued February 2018.

The NRC has sponsored research to support the development of the agency position in this area. Table 9 summarizes research concerning effects of fire-related (e.g., smoke, heat) environmental conditions.

Table 9: Fire-Related Environmental Effects