Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
IEC 62084 Hardwired I&C Safety Systems for Nuclear Power Plants
Design Requirements for Nuclear Safety Instrumentation and Control Systems
IEC 62084 applies to hardwired instrumentation and control (I&C) systems performing safety functions in nuclear power plants. It establishes design requirements for systems ranging from reactor protection to engineered safety features actuation, ensuring independence, diversity, and defence-in-depth principles are maintained throughout the design lifecycle.
1. Design Principles — Independence, Diversity, and Defence-in-Depth
IEC 62084 mandates that hardwired I&C systems critical to nuclear safety must be designed using the fundamental principles of independence, diversity, and defence-in-depth. Independence requires that redundant safety channels be physically and electrically separated to prevent common-cause failures — separation distances, cable routing, and physical barriers must be specified and verified. Diversity demands that redundant channels employ different technologies or design approaches where credible common-cause failure mechanisms exist, such as using analogue electronics alongside digital logic for diverse trip functions.
Defence-in-depth is implemented through multiple levels of protection. The standard defines three primary safety I&C categories: the reactor protection system (RPS) which initiates automatic reactor trip upon detecting abnormal conditions; the engineered safety features actuation system (ESFAS) which controls containment isolation, emergency cooling, and other post-accmitigation functions; and the safety display and monitoring systems which provide operators with reliable plant status information during accidents. Each level must be functionally independent while maintaining consistent failure response logic.
A frequently overlooked design aspect is the requirement for systematic diversity in trip setpoint determination. When two redundant protection channels use identical sensor technology and signal processing algorithms, a common-mode calibration drift could defeat both channels simultaneously. The standard recommends using diverse sensor types (e.g., RTD vs. thermocouple) or diverse signal conditioning paths for critical parameters.
| Design Principle | Requirement | Implementation Example |
|---|---|---|
| Independence | Physical/electrical separation of redundant channels | Separate cable trays, physical barriers, dedicated power supplies |
| Diversity | Different technologies for redundant functions | Analogue trip unit + digital logic solver in parallel |
| Defence-in-depth | Multiple independent protection layers | RPS + ESFAS + safety display system |
| Fail-safe design | Predetermined safe state on loss of power/signal | De-energise-to-trip relay logic |
| Testability | On-line periodic testing without plant trip | Bypass-with-permission test architecture |
2. Qualification Testing and Environmental Survivability
IEC 62084 requires that all hardwired I&C equipment be qualified to demonstrate its ability to perform safety functions under the most severe environmental conditions expected during design-basis accidents. This includes exposure to elevated temperature, pressure, radiation, humidity, and vibration — both during normal operation and under accident conditions. Qualification methodology follows the principles of IEC 60780 (nuclear equipment qualification), with type testing, operating experience, or analysis used as acceptable evidence.
Accelerated aging is a critical component of qualification. The standard requires that equipment be subjected to thermal aging, radiation aging, and mechanical cycle aging equivalent to its design life before being tested under simulated accident conditions. The sequence matters significantly — radiation aging followed by thermal aging followed by accident simulation replicates the realistic chronological exposure of equipment installed in a nuclear containment building. The standard provides specific guidance on accident profile definition, including temperature ramp rates, peak temperatures, and duration at each condition level.
For digital I&C equipment qualification, pay particular attention to electromagnetic compatibility (EMC) testing per IEC 62003. The standard requires that safety I&C systems demonstrate immunity to conducted and radiated interference at levels representative of plant electromagnetic environment, including during accident conditions where portable radio communications may be used by emergency response teams.
3. Failure Mode Analysis and Reliability Targets
The standard requires comprehensive failure mode and effects analysis (FMEA) for all safety I&C functions. Each component and subsystem must be analysed to identify credible failure modes, their effects on safety functions, and the effectiveness of detection and mitigation measures. The unreliability target for reactor trip functions typically requires a probability of failure on demand (PFD) of less than 10⁻⁵, while engineered safety functions may be less stringent at 10⁻⁴ depending on the specific application and regulatory framework.
Common-cause failure (CCF) analysis is particularly important for hardwired systems. The standard mandates that CCF defence be demonstrated through a combination of diversity, physical separation, and periodic testing. The use of diverse trip parameters — such as combining neutron flux rate-of-change with coolant temperature and pressure measurements for reactor trip initiation — is considered a best practice approach. The standard references NUREG/CR-6303 and IEC 61508 methodologies for quantitative CCF assessment.
| Safety Function | Typical PFD Target | Dominant Failure Modes | CCF Defence Strategy |
|---|---|---|---|
| Reactor trip | < 10⁻⁵ | Sensor drift, relay stuck, power supply failure | Diverse trip parameters, 4-channel redundancy |
| ESF actuation | < 10⁻⁴ | Valve jam, pump failure, signal path open | Diverse actuation logic, mechanical diversity |
| Safety display | < 10⁻³ | Display failure, data link loss | Redundant displays, independent data paths |
| Manual initiation | < 10⁻⁴ | Switch failure, wiring open, human error | Multiple switches, diverse panel locations |
A key challenge in hardwired I&C reliability assessment is modelling the effect of maintenance and testing. The standard requires that the reliability analysis account for test intervals, repair times, and the coverage of on-line testing. Any portion of the system that is not testable during plant operation must be justified as acceptably low-risk or covered by diverse backup means.
Frequently Asked Questions
Q1: How does IEC 62084 relate to IEC 61513 for nuclear I&C?
IEC 62084 addresses hardwired I&C systems specifically, while IEC 61513 provides overarching requirements for the entire nuclear I&C architecture — including software-based systems. IEC 62084 can be seen as the “hardwired complement” within the IEC 61513 framework, providing detailed design guidance that IEC 61513 references for hardwired implementations.
Q2: What is the difference between Category A and Category B safety I&C?
Category A functions are those whose failure could lead directly to a severe core damage accident — typically reactor trip and essential safety actuation. Category B functions support accident mitigation but are not sole means of prevention. IEC 62084 applies primarily to Category A hardwired systems, with reliability targets and qualification more stringent than for Category B.
Q3: How is on-line testing implemented without causing spurious trips?
Through bypass-with-permission architectures: a test signal is injected into one redundant channel while that channel’s trip output is temporarily inhibited (bypassed) after operator confirmation. The remaining channels continue to provide protection. After the test, the bypassed channel is automatically restored. This approach requires careful design of the bypass administration logic to prevent common-cause failures in the bypass function itself.
Q4: Can modern microprocessors be used in hardwired safety systems?
Yes, but with stringent constraints: the firmware must be limited in scope and complexity, subject to formal verification methods, and the hardware must include independent watchdog monitoring. The standard recommends using FPGA-based or simple microcontroller architectures over full-featured processors, as the simpler devices can be more thoroughly analysed for failure modes.
