Scope and Application
CSA N290.18-17, published by the Canadian Standards Association (CSA Group), specifies requirements for the design, qualification, and in-service performance of instrumentation and control (I&C) systems that perform safety functions in CANDU nuclear power plants. This standard applies to systems classified as Safety Class 1, 2, and 3 according to the national regulatory framework, and it covers both new plant builds and modifications to existing installations.
The primary objective of CSA N290.18-17 is to ensure that safety I&C systems achieve and maintain the necessary reliability, availability, and independence to prevent or mitigate accidents. The standard adopts a defence-in-depth approach and aligns with international practices, including IAEA Safety Standards Series No. NS-G-1.3 (Instrumentation and Control Systems Important to Safety in Nuclear Power Plants). Its scope encompasses the entire lifecycle from concept design through decommissioning, with particular emphasis on:
- Functional requirements and performance criteria for safety systems
- Architectural design principles such as redundancy, diversity, and independence
- Equipment qualification against environmental and seismic conditions
- Software integrity for digital I&C platforms
- Periodic testing and surveillance intervals
Tip: When applying CSA N290.18-17 to a new build, early classification of I&C functions (using the safety function classification methodology) reduces rework and clarifies qualification requirements from the design stage.
Technical Requirements
Safety Classification and Performance Criteria
CSA N290.18-17 establishes three safety classes for I&C systems based on the significance of the functions they perform. Each class imposes distinct requirements for fault tolerance, response time, reliability, and qualification. The following table summarizes the key performance criteria for each class:
| Parameter | Safety Class 1 | Safety Class 2 | Safety Class 3 |
|---|---|---|---|
| Required reliability (probability of failure on demand) | ≤ 1 × 10⁻⁴ | ≤ 1 × 10⁻³ | ≤ 1 × 10⁻² |
| Response time (sensor-to-actuator) | < 50 ms | < 100 ms | < 200 ms |
| Redundancy / voting configuration | Triple Modular Redundancy (TMR) with 2oo3 voting | Dual redundant (2oo2 or 1oo2) | Single channel with fail-safe design |
| Seismic qualification level | Safe Shutdown Earthquake (SSE) | Operating Basis Earthquake (OBE) | None (non-seismic) |
| Environmental qualification (EQ) | Full EQ per CSA N290.14 (loss-of-coolant, harsh environment) | Mild environment with post-accident limits | Ambient design range |
Architectural and Design Principles
The standard mandates that safety I&C systems be designed with spatial and electrical independence to prevent cascading failure. For Class 1 systems, diversity in both hardware and software (e.g., using different processor platforms or programming languages) is required to protect against common cause failures. CSA N290.18-17 also requires that any software used in safety systems be developed according to a validated lifecycle process that includes formal specification, static analysis, and dynamic testing to achieve the highest integrity level (equivalent to IEC 60880 for Class 1).
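To make the 2oo3 voting configuration from the table above concrete, here is an added illustrative example (not code from CSA N290.18-17 or from any CANDU I&C platform) of a three-channel trip voter. The channel names, the setpoint, the discrepancy tolerance and the fault scenarios are all constructed for the illustration. It shows the two properties a TMR design is meant to deliver: one failed channel, whether stuck low, stuck high or self-diagnosed invalid, neither blocks a genuine trip nor causes a spurious one, while a second concurrent failure exhausts that tolerance. An invalid channel is treated fail-safe (it votes for trip), and any disagreement between channels is flagged so that a latent single-channel fault is detectable before a second fault accumulates.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Hypothetical channel identifiers for the three redundant trip channels.
CHANNELS = ("A", "B", "C")


@dataclass(frozen=True)
class ChannelReading:
    name: str
    value: Optional[float]  # None means the channel self-diagnosed as invalid


@dataclass(frozen=True)
class VoteResult:
    trip: bool         # 2oo3 trip decision
    votes: int         # number of channels voting for trip (0..3)
    discrepancy: bool  # channels disagree or one is invalid: latent fault alarm


def channel_votes_trip(reading: ChannelReading, setpoint: float) -> bool:
    """A channel votes for trip when it exceeds the setpoint.

    Fail-safe handling: a channel that reports itself invalid also votes for
    trip, so a detected failure can never mask a real demand.
    """
    if reading.value is None:
        return True
    return reading.value >= setpoint


def vote_2oo3(readings: Tuple[ChannelReading, ...], setpoint: float,
              tolerance: float) -> VoteResult:
    """Two-out-of-three majority vote with a channel-discrepancy check."""
    if len(readings) != 3:
        raise ValueError("2oo3 voting requires exactly three channels")
    votes = sum(channel_votes_trip(r, setpoint) for r in readings)
    valid = [r.value for r in readings if r.value is not None]
    # Any invalid channel, or a spread wider than the tolerance, is a
    # discrepancy: the voter still decides, but maintenance must be alerted.
    discrepancy = len(valid) < 3 or (max(valid) - min(valid) > tolerance)
    return VoteResult(trip=votes >= 2, votes=votes, discrepancy=discrepancy)


def simulate(process_value: float, setpoint: float, tolerance: float,
             faults: Dict[str, Optional[float]]) -> VoteResult:
    """Constructed scenario: every healthy channel sees process_value; a
    faulted channel is stuck at the given value (None = invalid)."""
    readings = tuple(
        ChannelReading(name, faults[name] if name in faults else process_value)
        for name in CHANNELS
    )
    return vote_2oo3(readings, setpoint, tolerance)


if __name__ == "__main__":
    SETPOINT, TOL = 100.0, 5.0  # constructed engineering units
    print("healthy, below setpoint :", simulate(50.0, SETPOINT, TOL, {}))
    print("healthy, real demand    :", simulate(120.0, SETPOINT, TOL, {}))
    print("A stuck low, real demand:", simulate(120.0, SETPOINT, TOL, {"A": 0.0}))
    print("A stuck high, no demand :", simulate(50.0, SETPOINT, TOL, {"A": 500.0}))
    print("A invalid, no demand    :", simulate(50.0, SETPOINT, TOL, {"A": None}))
    print("A high + B invalid      :", simulate(50.0, SETPOINT, TOL, {"A": 500.0, "B": None}))
```

The last scenario is the one the page's common-cause-failure requirement targets: if the two failures share a cause (same card type, same software defect), the 2oo3 vote offers no protection, which is why Class 1 systems must add diversity and independence on top of redundancy.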
Qualification and Testing
Equipment qualification must consider the most severe environmental conditions expected during normal operation, anticipated operational occurrences, and design basis accidents. The standard references CSA N290.14 for environmental qualification methods and CSA N290.12 for seismic qualification. For digital equipment, electromagnetic compatibility (EMC) testing and aging assessments are required. In-service periodic testing intervals must ensure that the reliability targets are not compromised over the plant’s operational life.
Warning: A common non-compliance issue is the under-estimation of aging effects on digital I&C cards. CSA N290.18-17 requires a proactive obsolescence management plan and accelerated life testing to maintain safety classification during long-term operation.
Implementation and Compliance Considerations
CSA N290.18-17 is referenced by the Canadian Nuclear Safety Commission (CNSC) in regulatory documents such as REGDOC-2.2.4, Safety Analysis for Nuclear Power Plants. Compliance involves a rigorous verification and validation (V&V) process performed by an independent team. Key implementation steps include:
- Function classification: Identify and assign each I&C function to a safety class based on deterministic engineering judgment and probabilistic safety assessment.
- System specification: Develop a system requirements specification that includes functional, interface, and reliability requirements per the standard.
- Architectural design: Implement redundancy and diversity while avoiding all inter-system dependencies that could defeat independence.
- V&V and qualification: Conduct type tests, environmental tests, and seismic shake-table tests in accordance with CSA N290.14 and CSA N290.12.
- Configuration management and periodic surveillance: Maintain as-built documentation and conduct periodic tests at intervals defined by the reliability model (typically 1 to 12 months for Class 1 systems).
Success: Several CANDU operators have used the CSA N290.18-17 framework to successfully upgrade aging analog I&C systems to modern digital platforms while maintaining regulatory approval. The key is early engagement with the CNSC and a staged implementation plan.
Danger: Failure to perform a thorough EMC qualification on digital safety systems can lead to spurious actuations. In one documented case, a Class 1 system underwent false shutdown due to conducted interference from a non‑safety power supply. CSA N290.18-17 requires immunity testing to at least IEC 61000-4 levels for the most severe plant conditions.
Future Alignment and International Recognition
CSA N290.18-17 is part of the evolving Canadian regulatory framework, which is increasingly harmonized with international standards. The 2017 edition incorporates lessons from Fukushima (post-2011) and aligns with IAEA safety guides on diversity and defence in depth. While the standard is mandatory in Canada, many of its features, such as the safety classification table and the reliability targets, are used as best practices in other jurisdictions due to the high pedigree of CANDU I&C technology.
Frequently Asked Questions
Q: What is the difference between CSA N290.18-17 and the earlier edition CSA N290.18-10?
A: The 2017 edition significantly expands the requirements for digital I&C, adding specific software integrity criteria based on IEC 60880 lifecycle requirements. It also introduces a more rigorous approach to common cause failure analysis for software-based safety systems and clarifies the seismic qualification boundaries for Class 2 and 3 equipment.
Q: Does CSA N290.18-17 apply to I&C systems used in emergency response facilities (such as the main control room and outage control centre)?
A: Yes. The standard covers all I&C systems that perform a safety function, including those in the main control room, supplementary control points, and post‑accident monitoring systems. However, human‑factors engineering requirements for workstations are covered under a separate CSA standard (CSA N290.15).
Q: How can I demonstrate compliance with the reliability target of 1 × 10⁻⁴ failures per demand for a Class 1 system?
A: Compliance is demonstrated through a combination of probabilistic modeling (using fault trees or reliability block diagrams), historical field data from similar systems, and periodic testing. CSA N290.18-17 requires a documented reliability program that includes both hardware and software failure estimates, with conservative uncertainty bounds. Type testing of redundant channels is also recommended to validate the independence assumptions used in the model.
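The answer above describes probabilistic modelling with conservative bounds, and the implementation step on periodic surveillance states that test intervals (typically 1 to 12 months for Class 1) are set by the reliability model. The following added example, which is not from CSA N290.18-17 or from any utility's reliability program, ties the two together: it uses the simplified low-demand average-PFD approximations of the kind tabulated in IEC 61508-6, with a beta-factor common-cause term, to compute PFDavg for the voting architectures in the classification table and to find the longest monthly test interval that still meets a class target. The failure rate, the beta factor, the 730 h/month conversion and the assumption that dangerous undetected failures dominate (repair time neglected) are all constructed assumptions for the illustration, not values from the standard.

```python
from typing import Dict, Optional

# Class targets copied from the page's classification table (PFD on demand).
CLASS_PFD_TARGET: Dict[int, float] = {1: 1e-4, 2: 1e-3, 3: 1e-2}

HOURS_PER_MONTH = 730.0  # assumed conversion for the 1..12 month interval range


def pfd_avg(architecture: str, lambda_du: float, test_interval_h: float,
            beta: float = 0.0) -> float:
    """Average probability of failure on demand over one proof-test interval.

    Simplified approximations (assumption: dangerous undetected failure rate
    lambda_du per hour dominates, repair time neglected). beta is the fraction
    of failures assumed to be common cause and therefore defeat redundancy.
    """
    lt = lambda_du * test_interval_h          # expected dangerous failures per interval
    indep = (1.0 - beta) * lt                 # independent part
    ccf = beta * lt / 2.0                     # common-cause part, fails all channels
    if architecture == "1oo1":
        return lt / 2.0
    if architecture == "2oo2":
        return indep + ccf                    # either channel failing fails the function
    if architecture == "1oo2":
        return indep ** 2 / 3.0 + ccf
    if architecture == "2oo3":
        return indep ** 2 + ccf
    raise ValueError(f"unknown voting architecture: {architecture}")


def meets_class_target(architecture: str, lambda_du: float, test_interval_h: float,
                       beta: float, safety_class: int) -> bool:
    return pfd_avg(architecture, lambda_du, test_interval_h, beta) <= CLASS_PFD_TARGET[safety_class]


def max_test_interval_months(architecture: str, lambda_du: float, beta: float,
                             target: float, max_months: int = 12) -> Optional[int]:
    """Longest whole-month proof-test interval (1..max_months) whose PFDavg
    stays at or below target, or None if even monthly testing cannot meet it."""
    best = None
    for months in range(1, max_months + 1):
        if pfd_avg(architecture, lambda_du, months * HOURS_PER_MONTH, beta) <= target:
            best = months
    return best


if __name__ == "__main__":
    LAMBDA_DU = 1e-6   # constructed: 1 dangerous undetected failure per 1e6 h per channel
    BETA = 0.02        # constructed common-cause fraction
    for arch in ("1oo1", "2oo2", "1oo2", "2oo3"):
        yearly = pfd_avg(arch, LAMBDA_DU, 12 * HOURS_PER_MONTH, BETA)
        print(f"{arch}: PFDavg at 12 months = {yearly:.2e}; "
              f"longest interval meeting Class 1 = "
              f"{max_test_interval_months(arch, LAMBDA_DU, BETA, CLASS_PFD_TARGET[1])}")
```

With these constructed inputs the single channel cannot reach the Class 1 target at any interval, and the 2oo3 arrangement meets it only if proof testing happens at least every 8 months. The common-cause term is what dominates the TMR result, which is the quantitative reason the standard's diversity requirement matters more than adding further identical channels; a real submission would replace the point estimates with the conservative uncertainty bounds the answer above calls for.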
Q: Is CSA N290.18-17 recognized internationally, or only in Canada?
A: While it is a Canadian standard issued by the CSA Group, its requirements are largely harmonized with IAEA safety guides and have been adopted by some utilities outside Canada for CANDU‑type reactors. For PWR or BWR designs, utilities often refer to IEC 61513 or IEEE 603, though many principles—especially those regarding diversity and independence—are identical.
Article prepared in 2026. This document is for informational purposes and does not substitute for official CSA N290.18-17 documentation or regulatory guidance.