Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                

CORDEL Defence in Depth Report 10 April

Download as pdf or txt
Download as pdf or txt
You are on page 1of 20

Defence-in-Depth and

Diversity: Challenges Related


to I&C Architecture
Cooperation in Reactor Design Evaluation and Licensing
Working Group of the World Nuclear Association
Title: Defence-in-Depth and Diversity:
Challenges Related to I&C Architecture
Produced by: World Nuclear Association
Published: April 2018
Report No. 2018/003

Cover image: Framatome

© 2018 World Nuclear Association.


Registered in England and Wales,
company number 01215741

This report reflects the views


of industry experts but does not
necessarily represent those of any
of the World Nuclear Association’s
individual member organizations.
Contents

Foreword 2

Executive Summary 3

1 Terms and Definitions 4


1.1 Defence-in-Depth and Diversity 4
1.2 Common Cause Failure 5
1.3 Attributes of Defence-in-Depth 5
1.3.1 Independence 5
1.3.2 Separation 5
1.3.3 Redundancy 5
1.3.4 Reliability 6
1.3.5 Availability 6
1.3.6 Levels of Defence 6
1.4 Attributes of Diversity 6
1.4.1 Human Diversity 6
1.4.2 Life-Cycle Diversity 6
1.4.3 Design Diversity 6
1.4.4 Software Diversity 6
1.4.5 Logic Diversity 6
1.4.6 Functional Diversity 6
1.4.7 Signal Diversity 6
1.4.8 Equipment Diversity 6
1.4.9 Equipment Manufacture Diversity 7
1.4.10 Logic Processing Equipment Diversity 7
1.5 Comparison of Definitions 7

2 Challenges of Defence-in-Depth and Diversity 8


2.1 Definitions and Usage 8
2.1.1 Defence-in-Depth Versus Diversity 8
2.1.2 Qualitative Versus Quantitative Assessment 8
2.1.3 Incomplete and Ambiguous Rules 9
2.1.4 Definitions of Diversity Attributes 9
2.2 Upgrading Existing Nuclear Plants 11
2.3 Implementation of Regulatory Guidance 11

3 Conclusions 14

4 References 16

1
Foreword

The Cooperation in Reactor Design Evaluation and Licensing Working Group


(CORDEL) was established by the World Nuclear Association in 2007 with the
aim of stimulating a dialogue between the nuclear industry (including reactor
vendors and operators) and nuclear regulators on the benefits and means of
achieving a worldwide convergence of industry standards for reactor designs.

The Digital Instrumentation & Control Task Force (DICTF) of CORDEL was set
up in 2013 to investigate key issues in digital instrumentation and control (I&C)
related to the licensing of new nuclear power plants, and to collaborate with the
International Electrotechnical Commission (IEC) and the Multinational Design
Evaluation Programme (MDEP) Digital Instrumentation and Control Working
Group (DICWG).

On the basis of a survey of its members, the CORDEL DICTF has identified four
main issues for investigation:
• Safety classification for I&C systems in nuclear power plants.
• Defence-in-depth and diversity1.
• Field-programmable gate arrays (FPGA): criteria for acceptance.
• Reliability predictions.
These are discussed in more detail in CORDEL DICTF 2014-2016 Outlook [Ref 1].

This report is the first in the series on Defence-in-Depth and Diversity, and
builds upon the work carried out in the series of reports on Safety Classification
for I&C Systems in Nuclear Power Plants [Ref 2, 3].

This report was drafted by Gregory Droba (GE Hitachi), with the input and
support from the members of the Task Force.

1
Referred to as diversity and common
cause failure (CCF) in CORDEL DICTF
2014-2016 Outlook [Ref 1]

2
Executive Summary

Inconsistencies in the definitions of terms, attributes, assessment


methodologies, and scope associated with the concepts of ‘defence-in-depth’
and ‘diversity’ can lead to significant challenges in design, licensing and cost
of nuclear power plants. The differences between these definitions were first
investigated in Safety Classification for I&C Systems in Nuclear Power Plants:
Comparison of Definitions of Key Concepts [Ref 3] and are expanded upon here.

The concept of ‘diversity’ in particular has changed as concern over common


cause failure (CCF) in digital instrumentation and control (I&C) systems
has become more prevalent. This has in turn affected the development of
I&C design for the main line of defence (e.g. protection system). Previously,
redundancy and separation of structures and components – such as the
use of identical equipment in a four/three divisional arrangement – was an
acceptable approach to meet the N+2 criterion2 and thereby demonstrate
diversity. However, the N+2 criterion has now been extended by the
conservative assumptions associated with digital I&C and thus digital CCF
has come to replace redundancy as the main driver for designing diverse
digital protection systems.

This report is organized as follows:


• A review of the terms and definitions associated with defence-in-depth and
diversity used by different organizations.
• Outline of the challenges in defining ‘defence-in-depth’ and ‘diversity’.
• Analysis of the challenges related to the application of defence-in-depth
and diversity, for example during the upgrading of existing nuclear plants
or the implementation of regulatory guidance.
• Recommendations of potential solutions.

2
The N+2 failure criterion means that it
must be possible to perform a safety
function even if any single component
designed for that function fails and any
other component or part of a redundant
system (or a component of an auxiliary
system necessary for its operation) is
simultaneously out of operation due to
repair or maintenance.

3
1 Terms and Definitions

To overcome the challenges of 1.1 Defence-in-Depth


implementing digital I&C systems,
the terms and definitions in use
and Diversity
around the world associated with The term ‘defence-in-depth and
‘defence-in-depth’ and ‘diversity’ diversity’, which is sometimes referred
need to be understood. A detailed to as simply ‘D3’, is not defined by
analysis of the differences in most regulatory bodies [Ref 3]. The
definitions between regulatory concepts of ‘defence-in-depth’ (DiD)
bodies and major nuclear codes and ‘diversity’ are therefore most often
and standards (see Table 1) was considered separately, though they
presented in Safety Classification for are strongly interrelated, with ‘diversity’
I&C Systems in Nuclear Power Plants: defined as an attribute of ‘defence-in-
Comparison of Definitions of Key depth’ in most cases.
Concepts [Ref 3].
The definition of ‘defence-in-depth’
In this report, the International Atomic provided by the International Atomic
Energy Agency (IAEA) and, when Energy Agency (IAEA) is:
relevant, the US Nuclear Regulatory A hierarchical deployment of different
Commission (NRC) definitions are levels of diverse equipment and
given. This section provides the procedures to prevent the escalation
definitions of ‘defence-in-depth’, of anticipated operational occurrences
‘diversity’, their attributes and and to maintain the effectiveness of
their use in the treatment of digital physical barriers placed between a
common cause failures (CCF) by radiation source or radioactive material
regulatory bodies. and workers, members of the public or
the environment, in operational states
and, for some barriers, in accident
conditions. [Ref 4]

Table 1. List of organizations whose terms and definitions are considered

Organization Acronym
Atomic Energy Regulatory Board (India) AERB
Nuclear Safety Authority (France) ASN
Canadian Nuclear Safety Commission CNSC
Federal Authority for Nuclear Regulation (UAE) FANR
Federal Environmental, Industrial and Nuclear Supervision Service Rostechnadzor
of Russia
International Atomic Energy Agency IAEA
International Electrotechnical Commission IEC
Institute for Electrical and Electronic Engineers IEEE
Nuclear Safety and Security Commission (Korea) NSSC
National Nuclear Regulator (South Africa) NNR
National Nuclear Safety Administration (China) NNSA
Nuclear Regulatory Authority (Japan) NRA
United States Nuclear Regulatory Commission NRC
Office for Nuclear Regulation (UK) ONR
Swedish Radiation Safety Authority SSM
Radiation and Nuclear Safety Authority (Finland) STUK
Turkish Atomic Energy Authority TAEK

4
‘Diversity’ is defined as: For nuclear applications, the use of a the particular mix of these attributes
The presence of two or more robust software development lifecycle needs to be considered depending
independent (redundant) systems or process is a means to reduce on the regulatory regime.
components to perform an identified latent defect errors and therefore
function, where the different systems also contributes to the mitigation of Several attributes associated with DiD
or components have different attributes software CCF. were identified and highlighted on
so as to reduce the possibility of the Digital Instrumentation & Control
common cause failure, including Regulatory-based design Task Force (DICTF) list of key terms
common mode failure. [Ref 4] considerations for potential CCF in which frequently cause trouble in the
digital instrumentation and control interpretation of requirements [Ref
Diversity can also be effectively (I&C) systems have evolved over time 2, 3]. The IAEA approach to DiD is
applied within a system, for example, and have affected the development of defined more specifically than the
signal or sensor diversity within a protection system I&C architectures. Nuclear Regulatory Commission
reactor protection system. The N+2 criterion used to be the (NRC) approach and many European
main design driver for a protection regulators have adopted the IAEA
system’s I&C architecture and approach. Thus, for this report, the
1.2 Common Cause resulted in the familiar four-fold and IAEA definitions are used [Ref 4].
Failure three-fold system architectures. The
The design criteria for a nuclear N+2 criterion has now been extended 1.3.1 Independence
plant’s safety systems encompass by the conservative assumptions For digital I&C systems, equipment
principles such as high quality, associated with digital CCF concerns is considered to be independent
integrity, reliability, independence, (i.e. assumed digital CCF coincident if it possesses the following
and qualification. Separation, with an anticipated operational characteristics:
redundancy, physical barriers, transient or postulated accident). • The ability to perform its required
and electrical isolation are design These types of failure were historically function is unaffected by the
measures that are applied to classified as ‘beyond design basis operation or failure of other
address potential vulnerabilities events’, but they have come to be equipment.
related to a single failure of considered controlling factors in
• The ability to perform its function
equipment and the propagation of safety system design.
is unaffected by the occurrence
failure effects. These measures tend
of the effects resulting from the
to minimize shared components It is interesting to note that in non-
postulated initiating event for
or equipment and non-essential nuclear standards, failure propagation
which it is required to function.
interconnections within I&C system and environmental impacts are the
architectures. While these measures primary focus of CCF vulnerabilities
1.3.2 Separation
reduce the potential for CCF they while latent design or manufacturing
cannot eliminate CCF, therefore flaws play only a minor role in these ‘Separation’, also referred to as
diversity provides an additional standards. Only 20% of the CCF ‘physical separation’, concerns
level of assurance to mitigate CCF assessment criteria in such standards separation by geometry (e.g.
vulnerabilities. are concerned with the risk of design distance or orientation), barriers, or a
or manufacturing flaws. The remaining combination of these. Separation is
A CCF is defined as a “failure of 80% of CCF assessment criteria is also used in the context of electrical
two or more structures, systems focused on failure propagation and isolation, functional independence
and components due to a single environmental impact. [Ref 5]. and independence of communication
specific event or cause” [Ref 4], [Ref 6, Requirement 21].
hence the broad definition of CCF
1.3 Attributes of 1.3.3 Redundancy
can be very complex. This report
focuses on the relationship between Defence-in-Depth Redundancy is the provision of
CCF and diversity, particularly where Various attributes can be used when alternative (identical or diverse) system,
a CCF of two or more structures, performing a defence-in-depth structure and components (SSCs),
systems or components is the result (DiD) evaluation. Depending on the so that any of the redundant SSCs
of a triggering event or condition purpose, scope, and objectives can perform the required function
that exposes a latent design or of the evaluation, one attribute or regardless of the state of operation or
manufacturing flaw. several may be required. Additionally, failure of the other.

5
1.3.4 Reliability Additional or refined definitions of 1.4.5 Logic Diversity
Reliability is the probability that a SSC attributes such as ‘life-cycle’, ‘logic’, Logic diversity is a specific type
will meet its minimum performance ‘equipment manufacture’, and ‘logic of software diversity that excludes
requirements when called upon to processing manufacture’ diversity any aspect of human diversity and
do so. have been proposed, but are not as instead focuses on the diverse
widely adopted [Ref 8]. manner in which the executables are
1.3.5 Availability constructed [Ref 8, Section 2.2.3.6].
Availability is the fraction of time for
1.4.1 Human Diversity
which a system is capable of fulfilling The way in which human beings can 1.4.6 Functional Diversity
its intended purpose. It is defined as affect design is referred to as human Two systems are functionally
the ability of an item to be in a state diversity. It can be extremely variable diverse if they perform different
to perform a required function under and is a contributing factor in physical functions even though
given conditions at a given instant of determining overall diversity. Using they may have overlapping safety
time or over a given time interval, with separate designers and testers to effects. Functional diversity is
the assumption that the necessary design and test functionally diverse often useful when determining if
external resources are provided. safety systems may reduce the sufficient mitigation means have
possibility of design errors [Ref 7, been employed for the postulated
1.3.6 Levels of Defence Section 3.2.4]. accidents. For example, a
In nuclear engineering, all safety combination of alternative systems
activities, whether organizational, 1.4.2 Life-Cycle Diversity in the face of primary system failure
behavioral or equipment-related, Life-cycle diversity is an aspect may be enough to mitigate the
can be organized into levels of of human diversity that focuses effects of an accident. Factors that
overlapping provisions, so that if specifically on the impact of human contribute to functional diversity
a failure should occur it would be influences on the software life-cycle are the use of different underlying
mitigated, compensated for, or [Ref 8, Section 2.2.3.5]. mechanisms, purposes, functions,
corrected without causing harm to control logic, actuation means, and
individuals or the public at large. response timescales
1.4.3 Design Diversity
[Ref 7, Section 3.2.3].
Design diversity is the use of
1.4 Attributes of different approaches, including 1.4.7 Signal Diversity
Diversity both software and hardware, to
Signal diversity is the use of different
solve the same or similar problem.
It has long been recognized that sensed parameters to initiate
The rationale for design diversity
vulnerabilities related to a single protective action. Factors that
is that different designs will have
failure of equipment by common contribute to signal diversity include
different failure modes and will not
cause (CCF) can be mitigated the following:
be susceptible to the same common
through diversity of safety systems. • Different reactor or process
influences [Ref 7, Section 3.2.1].
parameters sensed by different
Various attributes can be used to physical effects.
evaluate the diverse nature of two 1.4.4 Software Diversity
• Different reactor or process
systems. As with DiD evaluations, Software diversity is the use of
parameters sensed by the same
the purpose, scope, and objectives different programs designed
physical effect.
of the diversity evaluation may and implemented by different
require one or more attributes, and development teams to accomplish • The same reactor or process
the approach required by different the same goal. The rationale for parameters sensed by a different
regulators may require a different mix software diversity is that different redundant set of similar sensors
of these attributes. programmers will make different [Ref 7, Section 3.2.5].
mistakes. Factors that contribute
The definitions of ‘human’, ‘design’, to software diversity are the use of 1.4.8 Equipment Diversity
‘software’, ‘functional’, ‘signal’ and different algorithms, logic, program Equipment diversity is the use of
‘equipment’ diversity [Ref 7] are architecture, timing, operating different equipment to perform similar
widely accepted by most nuclear systems, and computer languages safety functions. For example, the
suppliers, operators and regulators. [Ref 7, Section 3.2.6]. use of diverse computer equipment

6
may have an effect on software 1.5 Comparison of
diversity; using different equipment
can force the use of diverse
Definitions
compilers, linkers, and other support The review of the terminology
software. This illustrates the deep in CORDEL’s report on Safety
connection between the diversity Classification for I&C Systems:
attributes [Ref 7, Section 3.2.2]. Comparison of Definitions of Key
Concepts [Ref 1] found:
1.4.9 Equipment Manufacture • There is no direct definition of
Diversity ‘defence-in-depth and diversity’
Equipment manufacturer diversity by any organization.
is a subset of ‘equipment diversity’. • Typically, the definitions for
It considers the process and ‘defence-in-depth’ and for ‘diversity’
product aspects of the equipment are found separately. Other
manufacture, which includes, terms such as ‘diversification’ or
for example, components, ‘diversity principle’ are used to
manufacturing lines, humans, and the refer to the concept of ‘diversity’.
use of different or diverse equipment • In general, the IAEA definitions
[Ref 8, Section 2.2.3.2]. appear to be the most practical
for both terms.
1.4.10 Logic Processing
Equipment Diversity The IAEA definition of ‘defence-in-
Logic processing equipment diversity depth’ does not conflict with other
is a subset of ‘equipment diversity’. organizations’ definitions and can
It considers the architectural be used by organizations that adopt
aspects of the equipment such the INSAG DiD model, the WENRA
as the use of different processing DiD model, or no specific model.
architectures (e.g. different processor The IAEA definition of ‘diversity’
manufacturers) and the component is equivalent to that of most other
integration of the equipment relevant organizations and none of
[Ref 8, Section 2.2.3.3]. the other definitions conflict with it.

7
2 Challenges of Defence-
in-Depth and Diversity
2.1 Definitions and usage of Defense-in-Depth, provides more
detail. The term ’defence-in-depth
As highlighted in Section 1.1, no
and diversity’ in the context of I&C
nuclear regulatory organization
systems appears to have its origins
defines the specific term ‘defence-
with the NRC, first in NUREG-0493,
in-depth and diversity’. In addition,
A Defense-in-Depth and Diversity
when the term is used, it is not used
Assessment of the RESAR-414
in any consistent manner.
Integrated Protection System, and
then later through NUREG-6303 and
2.1.1 Defence-in-Depth Versus NUREG-7007 to quantify diversity of
Diversity software to mitigate CCF.
For the organizations that define
‘defence-in-depth’, it is common for Almost all organizations refer to
diversity to be seen as one method ‘diversity’ or ‘diversity principle’,
of defence-in-depth. However, at which is applied to the concept
least half of the nuclear regulatory of defence-in-depth. The concept
organizations reviewed have no of ‘diversity’ has evolved to being
definition of ‘defence-in-depth’, one way in which DiD can be
and instead define ‘diversity’ or accomplished. Most approaches
‘diversity principle’. Conversely, only use an analysis to identify aspects
two organizations define ‘defence- of the plant design where diversity is
in-depth’, but not ‘diversity’. The required to mitigate CCF concerns.
concept of ‘diversity’ was defined
using different principles such as 2.1.2 Qualitative Versus
‘diversification’ and ‘diversity principle’ Quantitative Assessment
[Ref 3]. The set of permutations Assessment methods typically
used by the organizations that were include both qualitative as well
considered is shown in Table 2. as quantitative assessment. An
assessment method usually
Although no nuclear regulatory includes the identification of the
organization specifically defines relevant attributes of diversity, such
’defence-in-depth and diversity’, as human, design, or functional
several NRC publications, including diversity.
NUREG-0493 and NUREG/CR-6303
[Ref 7], use the terms ‘defence- Attributes of diversity are defined
in-depth and diversity’ as well as in order of effectiveness, where a
‘diversity and defence-in-depth’. higher or more effective attribute
IEEE Standard 7-4.3.2, which adopts would be more strongly weighted.
NRC terminology, uses the terms ‘D3’ Effective attributes provide strength
and ‘defence-in-depth’ [Ref 9]. in diversity and where this can be
demonstrated, the contribution of
Defence-in-depth was originally a less effective attributes may be
military concept and NUREG/KM-0009, minimal or in some cases not needed
Historical Review and Observations to establish diversity. Less effective

Table 2. Organizations whose definitions were considered

Defined Terms Organizations


Only ‘diversity’ CNSC, NRA, IEC, TAEK, ONR
Only ‘defence-in-depth’ NNR, NSSC, SSM, NRC
Both ‘diversity’ and ‘defence-in-depth’ ASN, AERB, IAEA, FANR
No definitions IEEE, ROST, NNSA, STUK

8
attributes may be able to mitigate 2.1.3 Incomplete and described, originated with NUREG/
CCF vulnerabilities when diversity Ambiguous Rules CR-6303, which was published in
using the preferred attribute cannot The purpose of the defence-in- 1994 [Ref 7]. NUREG/CR-7007 [Ref
be demonstrated. depth analysis is to identify the 8] builds upon and in some cases
multiple protective measures needed redefines the attributes introduced in
The factors of each diversity to ensure the safe operation of the NUREG/CR-6303.
attribute should be defined and plant. The application of diversity
ordered based on effectiveness. is intended to mitigate the effects of The main differences between NUREG/
For example, the arrangement and CCFs that would have an adverse CR-6303 and NUREG/CR-7007 are:
connection of the same components impact on the I&C system itself as • The ‘human’ diversity attribute
in a different manner may constitute well as between the different layers is designated the ‘life-cycle’
design diversity, but the attribute is of the defence-in-depth scheme. As diversity attribute to account for
subjective and thus qualitative. For discussed previously, quantification the fact that the attribute relates
a quantitative assessment, factors of defence-in-depth, as well as of to addressing human-induced
about the design architecture must diversity, is difficult to justify and faults throughout the system
be defined, which will be subjective. separate from the qualitative aspects. development life-cycle process.
Such postulated factors could These subjective aspects result in
• The ‘software’ attribute, is
include process inputs, output ambiguous or incomplete rules relating
renamed ‘logic’ as the former
control, the type of bus, or the level to how quantification is achieved.
is often misconstrued as only
of modularization. Finally, values
applying to a limited set of
must be assigned to these factors. While there are strategies that have
programmable devices when
If modularization is considered to be attempted to weight and normalize
the attribute should apply to all
a factor of the design architecture, defence-in-depth and diversity criteria
programmable devices.
values of ‘high’, ‘medium’ or ‘low’ [Ref 8], these strategies have relied on
might be acceptable. This example the evaluation of qualitatively selected • The ‘equipment’ attribute is
illustrates that any quantitative aspect base criteria to calculate a basis for divided into two groups: one
of the assessment will rely to some normalization. The inherent ambiguity group is for the manufacture
extent on subjective or qualitative in starting from a qualitative basis of equipment, which includes
aspects, which ultimately will be raises questions of the overall analysis, the core criteria described by
accepted or rejected based on the and thus the completion of the analysis NUREG/CR-6303; the second
strength of the argument made for can remain unbounded. Additionally, group is for the logic processing
the assessment. most methods and strategies for equipment, which includes the
defence-in-depth and for diversity additional criteria in NUREG/
Current methods [Ref 8] that present extend beyond CCF of software to the CR-6303 for the assessment of
strategies using quantitative scores hardware and system environment computer equipment.
are based on subjective or qualitative that the software executes.
attributes. The complexity of a purely NUREG/CR-7007 [Ref 8] presents the
quantitative approach increases with When the extent and conditions attributes and associated attribute
the aggregate. When the parts of for completion of the analysis are criteria as shown in the Figure on
a complex digital software system unbounded, subjective, incomplete page 11.
are integrated, additional CCF or ambiguous, the quantification of
vulnerabilities may be identified, ‘defence in depth’ and ‘diversity’ is The division of the equipment
which may require additional difficult to achieve. This situation is attributes into ‘equipment
assessment across types, attributes likely to continue to remain a challenge manufacturer’ and ‘logic processing
and factors of diversity. without sound scientific information that equipment’ is especially interesting
supports the effectiveness of ‘defence- as the logic processing equipment
The challenge then is to balance the in-depth’ and ‘diversity’ measures. criteria appear to be the generic
qualitative and quantitative aspects (device agnostic) additional details
of the assessment to present a 2.1.4 Definitions of Diversity specified in NUREG/CR-6303. The
substantiated argument showing that Attributes original aim of the logic processing
both aspects of the system being The six diversity attributes (human, equipment criteria in NUREG/CR-
assessed are sufficiently diverse to design, software, functional, 6303 was to provide clarity to the
achieve the level of safety required. signal and equipment) previously general equipment criteria.

9
Figure 1. Diversity Attributes and Associated Criteria Derived from NUREG/CR-6303

Equip
Manu f me nt
actu
s ign rer
De

Different manufacturer

differe nufacturer
different designs

igns

gns turer
tech

nt des
Dif me

Diffe gies

e d ufac
sa
fer tec

ns of
nolo

ma

sam an
en hn

esi

sio er
rent
Di sam

er ur
nt m
t a olo
ffe e

Same

t v ct
pp

en ufa
re te

Lo Equ ip
s

fere
nt ch

roa y

ic ture

fer an
ar n

log itec

d if m
ch olo

Dif

gic
g

t
t ion

Me

e
ite g

n
re rch

m
ch
ct y

ffe a

Sa
an
Di sing
ur

ism g
sin
e

ces ture

Proc ent
es
Func

s
r oc i c pro chitec
Fun p og ar
ction nt l ame
ere s
Diff ns in

m
s

ess ing
sio
ver
nt
Response compone
Different chitectures
times tio n ar
integra

Design Different da
ta
ns architectur flow
organizatio es
nt Diff
me ere
age diff nt pa
Man teams ere r
nt e amete
Di ffec rs
ma cle)

rs ffe ts
ne s r
sig eer rs sa ent
De gin me m pa
n

En ram e ra
H -Cy

ef m
Sa ffere

og fe et
Ce stal ers

Pr cts er
di
fie s

me nt
rti ler

s
In est

rs
ife

pa sen
T
u

Al

S
rep
Fun entatio
g

ram so
log hms,
(L

ig
o

Timing

environment

res
rit
ic

ete rs
Runtime

ctio
order

n
r

al
nal n
and

Logic

For example, a central processing by a different manufacturer of a that the most effective criteria may be
unit (CPU) or a field programmable fundamentally different design the only criteria necessary; however,
gate array (FPGA) designed and therefore there may not be a if an implementation is unable to
and manufactured by Intel will need to differentiate the equipment demonstrate adequate diversity for
be fundamentally different in diversity attribute from the equipment the most effective criteria, then one
manufacture and design from a manufacturer attribute. or presumably several of the less
CPU designed and manufactured by effective criteria may compensate
Motorola. However, it may be difficult Additional confusion is generated by enough.
to describe the differences between what appears to be repeated criteria
ones designed and manufactured across attributes. Is, for example, The spectrum of attributes addresses
by Intel and AMD. This is because the design architecture different different types of potential CCF. No
AMD aims to be compatible with Intel from the equipment manufacturer’s single attribute is a panacea and it
designs. This would be considered architecture or from the logic may not be practical to apply them
to be the same design executed by processing equipment architecture? all. Understanding the relationship
different manufacturers. With this in The criteria for a given attribute, as of an attribute to the type of CCF
mind, the different logic processing defined in NUREG/CR-6303, are given it mitigates would allow for a more
architectures are already covered in order of effectiveness. This implies targeted and quantifiable analysis.

10
While it is arguable whether or not most diversity guidance was or Germany (e.g. Siemens KWU)
the changes represented in NUREG/ developed within the context have supplied nuclear plants to a
CR-7007 are an improvement, they of plant protection systems. number of European countries. The
do highlight the challenge in not only Guidance that is reasonable European nuclear power providers
identifying the attributes, but also in for protection systems may be can be subdivided into countries
defining the criteria associated with excessive for smaller upgrades, with and ones without their own
those attributes. As digital devices especially for systems where the OEMs. In countries without their own
evolve, so too must the attributes, redundant elements neither see OEMs (e.g. Spain, Switzerland) the
definitions and criteria. the same input trajectories, nor supplier provided its overall design
experience similar operational philosophy including the defence-
2.2 Upgrading Existing history, nor communicate in-depth approach at the time the
with each other; or where the plants were constructed. In order to
Nuclear Plants system’s inputs and responses harmonize the approach to nuclear
Focused, or even limited, digital I&C to accident conditions are safety and radiation protection
licensing has been problematic in identical, or nearly identical, to regulation for western European
upgrading existing plants and this surveillance test conditions. countries, the Western European
issue has been compounded with the Nuclear Regulators Association
• As whole systems are replaced,
advent of the desire for plant-wide (WENRA) co-operation was formed
the interfaces become more
digital I&C systems upgrades. and its Reactor Harmonization
digitalized. With all analog
Working Group published its
interfaces there are fewer CCF
With smaller systems or single recommended defence-in-depth
vulnerabilities. As the interfaces
instruments, the argument of same levels [Ref 10]. Additionally, about
are upgraded to digital, the
form, fit, and function is easier to the same time, EPRI also provided
potential for CCF increases.
make, but as more systems are recommendations on defence-in-
replaced, along with the desire to depth levels [Ref 11]. However, a
carry out a complete modernization 2.3 Implementation of comparison of defence-in-depth
of some plants, regulators have Regulatory Guidance levels between the IAEA, WENRA
become more concerned about CCF. and EPRI reveals that there are still
All regulatory organizations aim to
minor variations to approaches
ensure safety and reliability in the
Digital upgrades, even limited ones, within Europe.
design, construction and operation of
face the following challenges:
nuclear facilities. However, the path
• The original design basis and Implementation of regulatory
to this goal differs depending on the
architecture may be lost or is guidance can often be interpreted,
regulatory environment. In particular or misinterpreted, in several ways,
not controlled or updated with the approach of defence-in-depth and
the plant maintenance and and the attempt to apply multiple
diversity varies from region to region. regional regulations to a single
modernization. This might require For example, implementation of the
costly reverse engineering to product can aggravate the issue.
US approach of defence-in-depth is
re-establish the design basis and different from European approaches,
architecture prior to any upgrades. The application of national regulation
and even within Europe there is no to a standardized technology (e.g.
• The application of modern generic or harmonized approach for EPR, AP1000, ABWR) results in
regulatory requirements may I&C systems. the implementation of different I&C
invalidate parts of the existing architectures to meet the different
design basis or architecture, The variations within the European regulatory guidance. One of the
and may require more extensive Union exist, in part, due the reasons for the variation in defence-
measures than just replacement. initial implementation of the in-depth efforts to date is that the
• Even smaller instrument or defence-in-depth approach and problem being solved is not clearly
system upgrades require some I&C architecture of the original defined, which might be due to
sort of ‘defence-in-depth’ equipment manufacturers (OEMs). ambiguous rules or guidance,
and ‘diversity’ analysis, which Suppliers from the USA (e.g. as described in Section 2.1.3.
faces the same challenges Westinghouse), Russia (e.g. JSC Thus, different perceptions of the
of regulator guidance and Rusatom Automated Control problem lead to very different I&C
quantification. Furthermore, Systems), France (e.g. EDF/Areva) architectures.

11
12
IAEA levels [Ref 6] WENRA levels [Ref 10] EPRI levels [Ref 11]
Level Objectives Level Objectives Essential means Level Objectives Associated Plant Conditions
1 Prevention of deviations from 1 Prevention of abnormal Conservative design and 1 Prevention of abnormal Normal operation, with plant
normal operation and the operation and failures. high quality in construction operation and failures. conditions remaining within
failure of items important to and operation, control of normal operating limits.
safety. main plant parameters inside
defined limits.
2 Detection and control of 2 Control of abnormal operation Control and limiting systems 2 Control of abnormal operation Anticipated operational
deviations from normal and failures. and other surveillance and failures to avoid occurrences (AOOs), with plant
operational states in order features. exceeding reactor trip limits. conditions remaining within
to prevent anticipated reactor trip limits.
operational occurrences at
the plant from escalating to
accident conditions.
3 Escalation of certain anticipated 3a Reactor protection system, 3a Postulated single initiating
operational occurrences or safety systems, accident events1.
postulated initiating events procedures.
might not be controlled at a Control of accident to limit Control of event to limit
preceding level and that an radiological releases and radiological releases and
accident could develop. prevent escalation to core melt prevent escalation to core melt
4 Mitigate the consequences 3b conditions. Additional safety features2, 3b conditions. Postulated multiple failure
of accidents that result from accident procedures. events.
failure of the third level of
defence-in-depth.
5 Mitigate the radiological 4 Control of accidents with core Complementary safety 4 Control of accidents that result Postulated core melt accidents
consequences of radioactive melt to limit offsite releases. features3 to mitigate core melt, in core melt, to limit offsite (short- and long-term).
releases that could potentially management of accidents with releases.
result from accidents. core melt (severe accidents).

1
May include AOOs that are not mitigated by the control and limitation systems, but take the plant beyond reactor trip limits and thus mitigated by reactor trip/scram.
2
The task and scope of the additional safety features of level 3b are to control postulated common cause failure events on ‘multiple failure events’.
3
The task and scope of the complementary safety features of level 4 are on ‘provisions to mitigate core melt and radiological consequences’.
As an example, consider three different The interpretation and implementation
regulatory regimes applied to a single of the degree of diversity results in
technology. The different regulatory significant differences in requirements
guidance could lead to the I&C between nuclear regulators, as
architecture needing to be redesigned. existing codes and standards do
This would result in three fundamentally not provide detailed guidelines. For
different I&C architectures to address example, the regulating organizations
the different approaches: of different countries have different
• One I&C architecture could rules on allowing the use of software-
require two subsystems in each based diverse backup systems
redundancy that is based on (defence-in-depth Level 3b) [Ref 12,
employing functional diversity for Sections 7.2 and 7.4].
the protection logic implemented
in the application layer. This The topic of diversity continues to be
approach implies that the closely associated with CCF concerns.
application software is the main In the past, the focus on CCF was on
CCF concern. events initiated by hazards, internal
or external, not initiated directly
• The second architecture could
by the I&C systems. Internal and
require diverse digital technology
external hazards like fire, air plane
to be employed for the reactor
crash or flooding are managed by
trip and engineered safeguard
physical separation measures such
measures to provide vendor
as employing four redundant I&C
diversity between two protection
systems separated by civil means.
layers. This approach implies
that the vendor platform is the
Standards like the German KTA 3501
main CCF concern.
contend that a bad design, defects in
• The third architecture could manufacturing or incorrect operation
require the addition of a could create a vulnerability that
non-digital diverse actuation could be triggered and result in a
system in parallel with the CCF. To mitigate CCF, KTA requires:
digital technology used on “For each incident to be controlled
the traditional reactor trip and by the reactor protection system at
engineered safeguard measures. least two physically different initiation
This approach implies that digital criteria should be employed.” While
technology (or the operating in France, diversification is used
system software layer) is the either technologically to mitigate a
main CCF concern. hypothetical failure of a system due
to a common cause, or functionally
to mitigate a hypothetical error in the
specification or in the design.

13
3 Conclusions

The term ‘defence-in-depth and term ’levels of defence’ and


diversity’ does not have any specific discontinue the use of ‘echelons
or direct organizational definition, of defence’.
but the two terms ‘defence-in- • The IAEA levels of defence
depth’ and ‘diversity’ are identified provide a standard or base
separately by most organizations. that could be used by vendors
With respect to standard terminology, and augmented as needed for
CORDEL DICTF makes the following specific regional regulators. The
recommendations: WENRA and EPRI proposed
• Use of the abbreviation ‘D3’ has levels of defence are examples
the effect of amalgamating two where the IAEA levels have been
distinct concepts into a single augmented. Adoption of the
concept to casual readers. The common defence principles by
term ‘defence-in-depth’ should national regulators would reduce
be distinguished from ‘diversity’, confusion and the likelihood
to emphasize that the two are that I&C designs would require
separate concepts that must significant re-work for regional
work together. acceptance.
• The definitions used by the IAEA
for the two terms ‘defence-in- While the principles and approach
depth’ and ‘diversity’ appear of different regulatory organizations
to be the most practical as may vary, the fundamental goal of
they do not conflict with other safety and reliability are the same.
organizational definitions. All There is recognition by regulators that
relevant organizations should modernization and clarity is required
adopt these definitions. for defence-in-depth and for diversity,
as well as for techniques to mitigate
• The current diversity attributes
CCF concerns associated with the
used by most organizations
I&C architecture in nuclear plants.
appear to be those defined by
To that end, it is recommended that
NUREG/CR-6303. NUREG/CR-
CORDEL DICTF members participate
7007 supports the conclusion
in activities centred around:
that these attributes should
be revisited, updated, and • Quantification of diversity
modernized. Well-defined attributes, the interaction of
attributes support clear attributes with each other (i.e. the
completion criteria for ‘defence-in- effective priorities of attributes),
depth’ and ‘diversity’ analysis and and the removal of subjectivity so
should be a topic for future work. that the completion criteria can
be identified and agreed to.
• The terms ‘levels of defence’
and ‘echelons of defence’ • Different defence-in-depth
have different definitions and approaches between regulating
add to the complexity and authorities. These can result
confusion of the application in costly redesign of I&C
of services and products in a architectures, but could be
globalized industry. The IAEA avoided through the adoption
uses ‘levels of defence’ and this of universal definitions and
term is widely accepted and requirements.
understood by organizations • Clarification of rules for
using the term ‘echelons of mitigation of CCF. This includes:
defence’. It would be beneficial the use of graded approaches
for the different regulatory to differentiate between main
organizations to adopt the line protection systems and end

14
devices with some embedded • To better understand the
digital features; and techniques, challenges of regulatory
or a combination of techniques, variations, a report dedicated
that can be applied to digital to documenting the different
instruments and devices to approaches is needed.
ensure reliability and mitigate
credible CCFs. Additionally a While the challenges of upgrading
preferred regulatory solution existing nuclear plants have been
is to introduce diversity into touched upon, this is a complex topic
I&C systems design to guard that requires further exploration and
against digital CCF. However, will be covered by the reports on I&C
the lack of clear criteria on how modernization.
to define sufficient diversity
has led to more complex
I&C architectures. The trend
has been towards lengthy
and more difficult reviews for
the treatment of digital CCF
vulnerabilities and I&C system
architectures because of the
subjective definition of digital
CCF vulnerabilities and the lack
of clear acceptance criteria for
diversity strategies. Improvement
in the treatment of digital
CCF is needed to reverse the
trend of increased I&C system
architecture complexity and
longer regulatory reviews.

Two additional CORDEL DICTF


reports are recommended on
defence-in-depth and diversity:
• The quantification of defence-
in-depth and diversity analysis
remains a challenge largely
because the extent and
conditions for completion of
an analysis are unbounded,
subjective, incomplete or
ambiguous. While the criteria
are reasonably well defined, they
are applied in a fairly subjective
manner. More work is needed to
evaluate the interaction between
levels of defence-in-depth
and particularly the manner in
which diversity criteria interact
with each other (to provide
evidence on diversity) so that
the completion criteria can be
recognized and agreed to by
those performing the analysis.

15
4 References

1. CORDEL DICTF 2014-2016 Outlook, Cooperation in Reactor Design


Evaluation and Licensing Digital Instrumentation and Control Task Force,
World Nuclear Association, September 2014

2. Safety Classification for I&C in Nuclear Power Plants – Current Status


& Difficulties, Cooperation in Reactor Design Evaluation and Licensing
Digital Instrumentation and Control Task Force, World Nuclear
Association, September 2015

3. Safety Classification for I&C in Nuclear Power Plants: Comparison of


Definitions of Key Concepts, Cooperation in Reactor Design Evaluation
and Licensing Digital Instrumentation and Control Task Force, World
Nuclear Association, September 2017

4. IAEA Safety Glossary, Terminology Used in Nuclear Safety and Radiation


Protection, International Atomic Energy Agency, June 2016

5. Appendix F of ISO 13849-1:2006, Safety Machinery – Safety-Related


Parts of Control Systems, International Organization for Standardization,
November 2006

6. Safety of Nuclear Power Plants: Design, Specific Safety Requirements No.


SSR-2/1 (Rev.1), International Atomic Energy Agency, February 2016

7. NUREG/CR-6303, Method for Performing Diversity and Defense-in-


Depth Analyses of Reactor Protection Systems, U.S. Nuclear Regulatory
Commission, December 1994

8. NUREG/CR-7007, Diversity Strategies for Nuclear Power Plant


Instrumentation and Control Systems, U.S. Nuclear Regulatory
Commission, February 2010

9. IEEE Std 7-4.3.2, IEEE Standard Criteria for Digital Computers in


Safety Systems of Nuclear Power Generating Stations, IEEE Standards
Association, 2003

10. Safety of new NPP designs, Study by Reactor Harmonization Working Group
RHWG, Western European Nuclear Regulators Association, March 2013

11. Principles and Approaches for Developing Overall Instrumentation and


Control Architectures that Support Acceptance in Multiple International
Regulatory Environments, Electric Power Research Institute, November 2014

12. Common Position on the Treatment of Common Cause Failure Caused by


Software Within Digital Safety Systems, MDEP Generic Common Position
No DICWG-01, Multinational Design Evaluation Programme, June 2013

16
World Nuclear Association +44 (0)20 7451 1520
Tower House www.world-nuclear.org
10 Southampton Street info@world-nuclear.org
London WC2E 7HA
United Kingdom

Inconsistencies in the definitions of the concepts of ‘defence-in-depth’ and


‘diversity’ can lead to significant challenges in the design, licensing and cost
of nuclear power facilities. Defence-in-Depth and Diversity: Challenges Related
to I&C Architecture, produced by the World Nuclear Association’s Cooperation
in Reactor Design Evaluation and Licensing Working Group, reviews these
challenges and provides recommendations to address them. This report is the
first in a series on Defence-in-Depth and Diversity, and builds upon the work
carried out in the series of reports on Safety Classification for I&C Systems in
Nuclear Power Plants.

The World Nuclear Association is the international organization supporting


the people, technology and enterprises that comprise the global nuclear
energy industry. Its membership encompasses uranium mining, conversion,
enrichment and fuel fabrication; reactor vendors; major nuclear engineering,
construction, and waste management companies; and the majority of the
world’s nuclear generation.

Defence-in-Depth and Diversity: Challenges Related to I&C Architecture


© 2018 World Nuclear Association. Registered in England and Wales, company number 01215741

You might also like