**2.2 Digital instrumentation and control**

**Figure 2.** *Signals for a notional RPS.*

*Cyber-Informed Engineering for Nuclear Reactor Digital Instrumentation and Control.* DOI: http://dx.doi.org/10.5772/intechopen.101807

Although the first closed-loop industrial computer control system was installed by Texaco Company at its Port Arthur refinery in 1959 [1], I&C in nuclear reactors largely remained analog until about 30 years ago, when digital transmitters, indicators, controllers and data recorders began replacing analog sensors, indicators, actuators, and pen-based chart recorders. While non-safety digital control systems (e.g., feedwater control systems, turbine control systems and reactor control systems) are now commonly installed in nuclear reactors, safety-related digital control systems (e.g., RPS, ESFAS) are much less common, especially in the United States. The United States has been slow to adopt digital technology because of previously unanalyzed risks associated with new and unknown attributes, including common-cause failures and cyber risks. International adoption of digital technology in nuclear reactors, including for safety-related control systems, has been more aggressive than in the United States. New advanced reactors, of course, are being designed primarily with DI&C.

As described by the Nuclear Energy Institute (NEI), an I&C device in the U.S. power reactor industry is typically considered 'digital' if it contains any combination of hardware, firmware, and/or software that can execute internally stored programs and algorithms without operator action [2]. Hardware includes microelectronics, such as digital or mixed signal integrated circuits, as well as larger assemblies, such as microprocessors, memory chips, and logic chips. Hardware may also include other peripherals, such as expansion drives or communication controllers. Software includes operating systems, platforms, and applications used for process control, human machine interfaces, and other specific programs used for device or system operation. Firmware is software stored in non-volatile memory devices that provides low-level control specific to the hardware. Firmware executes higher-level operations and controls basic functionality of the device, including communication, program execution, and device initialization.

Field sensors and controllers may be standalone, small local systems, or larger distributed control systems. Devices may be connected by physical cables or wireless technology (e.g., WiFi, cellular, satellite, Bluetooth, radio frequency identification). There is also a range of communication protocols used in DI&C depending on the design and manufacturer.

The systems, structures, and components (SSCs) used in U.S. NPP safety-related protection systems are categorized as Institute of Electrical and Electronics Engineers (IEEE) Class 1E technologies as defined by IEEE 308-1971 (and later) [3]. They must be designed to conform with the General Design Criteria (GDC) in 10 CFR 50 Appendix A [4], IEEE 279-1971 [5], IEEE 308-1971 [3], and IEEE Std 603-1991 [6], as applicable based on construction permit dates. Guidance in Regulatory Guide 1.152 [7] and IEEE 7-4.3.2-2003 [8] may also be used to comply with Nuclear Regulatory Commission (NRC) regulations. Internationally, applications or components that perform IEC Category A safety-related functions may fall under IEC 61513 [9], International Atomic Energy Agency (IAEA) SSR-2/1 [10], and IAEA SSG-39 [11] requirements.

These general design criteria include conformance requirements for independence and the single-failure criterion, such as defense-in-depth, diversity (i.e., different technology), redundancy (i.e., secondary equipment that duplicates the essential function), physical separation, and electrical isolation. The purpose of the single-failure criterion is to ensure that no single failure of a component interferes with the safety function and proper operation of the safety system [6]. Generally, it is impossible to prove that digital systems are error free. And, while common-cause failures can occur with analog equipment, it is more likely that software errors will result in common-cause failures, such as identical software-based logic errors that could cause simultaneous functional failure of all four RPS divisions. Thus, since unanticipated common-cause failures are more likely in digital systems than in analog systems, there is an increased burden to prove to the regulator that the design adequately meets the general design criteria outlined in the applicable requirements.
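To make the contrast between redundancy and diversity concrete, the following is an added, constructed model (not code from the chapter or from any vendor) of a notional four-division RPS with 2-out-of-4 trip voting. The trip setpoint, pressure values and the scaling defect are all hypothetical; the model shows that a single random division failure is tolerated, that an identical software defect in all four divisions defeats the voter entirely, and that diverse implementations confine the defect to the divisions that share it.

```python
"""Notional four-division reactor protection system (RPS) with 2-out-of-4
trip voting. Constructed example: the setpoint, pressures and the scaling
defect are illustrative and not taken from any real plant or vendor."""
from typing import Callable, Dict, FrozenSet, List

TRIP_SETPOINT_MPA = 16.2        # constructed high-pressure trip setpoint (MPa)
Division = Callable[[float], bool]

def division_correct(pressure_mpa: float) -> bool:
    """Correct division logic: demand a trip when pressure exceeds the setpoint."""
    return pressure_mpa > TRIP_SETPOINT_MPA

def division_diverse(pressure_mpa: float) -> bool:
    """Functionally equivalent logic written differently; stands in for a
    diverse implementation (different team, language or platform)."""
    margin = TRIP_SETPOINT_MPA - pressure_mpa
    return margin < 0.0

def division_scaling_bug(pressure_mpa: float) -> bool:
    """Constructed software defect: the input is wrongly treated as psi and
    converted to MPa, so a real 16.5 MPa reading looks like ~0.11 MPa and the
    division never demands a trip on high pressure."""
    return (pressure_mpa / 145.038) > TRIP_SETPOINT_MPA

def vote_2oo4(divisions: List[Division], pressure_mpa: float,
              failed: FrozenSet[int] = frozenset()) -> bool:
    """2-out-of-4 coincidence voter. Indices in `failed` model a random
    hardware failure of that division (it contributes no trip demand)."""
    assert len(divisions) == 4, "the RPS modelled here has exactly four divisions"
    demands = sum(1 for i, div in enumerate(divisions)
                  if i not in failed and div(pressure_mpa))
    return demands >= 2

def evaluate_scenarios(pressure_mpa: float = 16.5) -> Dict[str, bool]:
    """Run the three cases the text contrasts, at a pressure above the setpoint."""
    identical = [division_correct] * 4
    identical_bugged = [division_scaling_bug] * 4
    diverse = [division_scaling_bug, division_scaling_bug,
               division_diverse, division_diverse]
    return {
        # Single-failure criterion: one division lost, the other three still trip.
        "single_random_failure": vote_2oo4(identical, pressure_mpa, frozenset({2})),
        # Common-cause failure: identical defect in all four divisions, no trip at all.
        "common_cause_identical_software": vote_2oo4(identical_bugged, pressure_mpa),
        # Diversity: the defect reaches only the two divisions sharing that software.
        "diverse_implementations": vote_2oo4(diverse, pressure_mpa),
    }

if __name__ == "__main__":
    for case, tripped in evaluate_scenarios().items():
        print(f"{case:34s} trip={'YES' if tripped else 'NO'}")
```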
