Workshop on Assessment and Reduction of Vulnerabilities to Common Cause Failures in Instrumentation and Control Systems in Nuclear Power Plants
Background
The design of nuclear power plants (NPPs) needs to take due account of the potential for common cause failures (CCF) of items important to safety. As more digital Instrumentation and Control (I&C) systems are introduced in NPP designs, whether for new reactors or through design modifications or safety upgrades of operational ones, CCF considerations are of significant interest in I&C design safety. Causes of concern range from defects in software to engineering deficiencies in requirements and architectural specifications. These concerns have been exacerbated by the increased sharing of resources in digital systems and by increased networking, which introduce dependencies across redundant channels and across lines of defence. There is a concern that traditional evaluation practice may not yield the evidence needed to assure that redundancy by replication of channels and defence in depth will not be compromised, and that the safety functions will be performed when demanded. CCF-related challenges in the safety of plant designs were considered for the first time in relation to anticipated transients without scram (ATWS) in the 1960s. Historically, CCF consequence analysis, which originates from ATWS concerns, included the evaluation of the impact of the loss of the reactor trip function. However, as more safety functions are performed by digital I&C systems and the safety function related resources, such as communication networks and power supplies, are shared, the scope of safety functions affected by CCF has become larger, and the consequence analysis needs to be expanded; for example, engineered safety functions (ESFs) could be degraded by CCF.
The objective of CCF consequence analysis is to identify affected safety functions and provide design requirements for diverse actuation systems. CCF coping analysis is the method to determine if the consequences of CCF are acceptable at the plant level. In the current practice of CCF coping analysis, postulated initiating event scenarios with failure of safety functions due to CCF are reviewed using best-estimate methods. The result of the analysis provides detailed safety requirements, e.g., for diverse reactor trip and diverse ESF actuation. Thus, the design requirements of diverse actuation systems could vary depending on the degree of conservatism in the assumptions used in the CCF coping analysis. However, there is no clear guidance for validating the degree of conservatism of these assumptions and event scenarios used in the analysis. Recently, in some Member States, the requirements of a diverse system were changed because of the changes in the assumptions used in the CCF coping analysis.
Another important topic is the I&C system architecture for diverse actuation systems to mitigate the effects of CCF. The vulnerabilities of I&C systems due to CCF have traditionally been addressed using defence in depth and diversity. A diverse actuation system has been widely applied to the I&C system to mitigate the effects of CCF. However, the regulatory position on the engineering requirements or the required level of diversity is not consistent across all Member States. For example, the resolution of the CCF issue through diversity in digital technologies is not easily admitted in some Member States. On the other hand, new design approaches apply diversity inside the protection system architecture as well.
Objectives
The objective of the event is to provide a forum for Member States to exchange information on state-of-the-art knowledge and experience on safety aspects of assessment and reduction of vulnerabilities to CCF in I&C systems, including opportunities for safety improvements, as well as challenges, including those related to licensing. The workshop will focus on sharing different experiences of development of CCF coping analysis, diverse actuation systems design, and conditions under which I&C system designs without diversity would be considered adequately safe.
Target Audience
Participation is solicited from staff members of regulatory bodies, NPP operators, utility organizations, design and engineering consultant organizations, as well as from international organizations engaged in activities related to NPP safety and regulation. To ensure maximum effectiveness in the exchange of information, participants should be actively involved in the subject of the event.
The event is, in principle, open to all officially designated persons. The IAEA, however, reserves the right to restrict participation due to limitations imposed by the available facilities. It is, therefore, recommended that interested persons take the necessary steps for the official designation as early as possible.
Topics
The event will address recent experiences in Member States in specific areas related to safety aspects of assessment and reduction of vulnerabilities to CCF in I&C systems in NPPs. Topics to be covered will include, but not be limited to the following:
1. Assessment of vulnerabilities to CCF:
- Safety challenges in consequence analysis of CCF
- Licensing issues in CCF coping analysis
- Methods for CCF coping analysis
- Assumptions and event scenarios for CCF coping analysis
- Safety benefits of diverse actuation systems to mitigate the effects of CCF
2. Reduction of vulnerabilities to CCF:
- Strategies to cope with vulnerabilities to CCF
- Safety challenges in I&C architecture design to prevent or mitigate CCF
- Licensing issues related to diversity:
  - Diversity in the design of channels (inter-channel diversity)
  - Diversity through diverse digital platforms compared to diversity through a combination of digital and hardwired implementations
- State-of-the-art approaches for reducing vulnerabilities to CCF
3. Design techniques to mitigate the effects of CCF:
- Diverse actuation systems for the actuation of engineered safety systems (auxiliary feedwater system, safety injection system, etc.)
- Manual diverse actuation switch
- CCF detection and monitoring
- Human factors engineering in the evaluation of CCF mitigation
Venue
The event will be held at the Vienna International Centre (VIC), where the IAEA’s Headquarters are located. Participants must make their own travel and accommodation arrangements.
Key Deadlines
18 July 2023: Submission of abstracts via email to Scientific Secretary
18 July 2023: Deadline for submission of the Participation Form (Form A) and if applicable the Grant Application Form (Form C), to the competent national authority (e.g., Ministry of Foreign Affairs, Permanent Mission to the IAEA or National Atomic Energy Authority) or their organization for onward transmission to the IAEA
18 August 2023: Notification of acceptance of abstracts for oral presentations