IEC TS 61873-2001 — Nuclear Power Plants — Instrumentation and Control (I&C)

Key Insight: IEC TS 61873-2001 is a Technical Specification providing guidance for overall I&C system architecture design in nuclear power plants, covering safety classification, diversity design, redundancy configuration, and software verification.

1. Standard Scope and Positioning

IEC TS 61873-2001 “Nuclear power plants — Instrumentation and control” is a Technical Specification (not a full International Standard) intended to provide preliminary guidance for I&C system architecture design in nuclear power plants. It applies to PWR, BWR, and PHWR reactor types.

The core objective is to ensure that I&C systems reliably perform their safety functions and regulatory functions under all operating conditions (normal operation, anticipated operational occurrences, and design basis accidents). Its methodology is based on IEC 61513 (general requirements for NPP I&C systems) and further elaborates the technical implementation pathway.

Technical Note: IEC TS 61873 is at the Technical Specification level, meaning its content is forward-looking and advisory, not yet fully matured into a formal standard. In practical engineering applications, it must be adapted to each country’s nuclear safety regulatory requirements (e.g., China’s HAF 102, US RG 1.180).

2. I&C System Architecture and Safety Classification

NPP I&C system architectures follow the defense-in-depth principle, employing multi-level structures to ensure that a single failure does not result in loss of safety functions.

2.1 Safety Classification Architecture

The specification divides I&C functions into three safety categories: IE-class (safety-class, performing reactor trip, containment isolation), non-IE class (non-safety, performing power regulation, process control), and auxiliary class (monitoring and diagnostics). Safety-class and non-safety-class systems must be physically separated through electrical isolation (optical couplers or relays).

2.2 Diversity Design Principle

To prevent common cause failure (CCF), diversity design is required in safety-class I&C systems. A typical configuration is “two digital trains + one diverse actuation system (DAS).” Digital systems use FPGAs or microprocessors, while DAS employs simplified hardwired logic (relays or analog circuits) as backup when digital systems fail due to software common cause failure.

| Safety Class | Function Category | Redundancy | Fault Tolerance | Typical Equipment |
|---|---|---|---|---|
| IE-class (Safety) | Reactor protection, ESF | Quadruple (4×2) | Single fault tolerant | Safety-grade DCS (e.g., Tricon) |
| Non-IE class | Power control, process regulation | Dual (1×2) | Fail-safe | Commercial PLC/DCS |
| Diverse Actuation (DAS) | Backup trip, emergency operation | Dual (1×2) | Independent of digital | Hardwired relay logic |
| Monitoring/Diagnostic | Vibration, leak detection | Single | Short outage tolerable | Data acquisition system |
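The redundancy and diversity arrangement described in 2.2 and the table, as an added illustration (not code from the specification or from any vendor platform): it assumes the "Quadruple (4×2)" entry means four sensor channels with 2-out-of-4 trip voting per digital train, and models the DAS as a fixed-threshold comparator on an independently measured parameter; all setpoints and readings are constructed sample values.

```python
"""Minimal model of 'two digital trains + one diverse actuation system'.
Assumptions (not from the page): 2-out-of-4 voting per train; a detected
channel failure is driven to the trip state; the DAS shares no sensor or
software with the digital trains."""
from dataclasses import dataclass
from typing import Optional, Sequence

TRIP_SETPOINT_PCT = 109.0   # constructed sample setpoint (% rated power)


@dataclass
class Channel:
    value: Optional[float]  # None = reading unavailable
    healthy: bool = True    # False = self-diagnostics flagged the channel


def channel_trips(ch: Channel) -> bool:
    """A detected channel failure votes 'trip' (fail-safe default), so it
    can never mask a real demand; an undetected frozen reading simply
    keeps its stale value and is outvoted by the healthy channels."""
    if not ch.healthy or ch.value is None:
        return True
    return ch.value > TRIP_SETPOINT_PCT


def vote_2oo4(channels: Sequence[Channel]) -> bool:
    """One digital train: trip when at least 2 of 4 channels demand it.
    One spurious or one failed channel alone neither trips nor blocks."""
    if len(channels) != 4:
        raise ValueError("2oo4 voting needs exactly four channels")
    return sum(channel_trips(c) for c in channels) >= 2


def digital_protection(train_a: Sequence[Channel],
                       train_b: Sequence[Channel]) -> bool:
    """Two digital trains vote independently; either may initiate trip.
    Both run the same software, so a software CCF can silence both."""
    return vote_2oo4(train_a) or vote_2oo4(train_b)


def das_trip(independent_value: float, das_setpoint: float) -> bool:
    """Diverse actuation: hardwired-style comparator on a parameter
    measured by a different physical principle, no software involved."""
    return independent_value > das_setpoint


def reactor_trip(train_a, train_b, das_value: float, das_setpoint: float) -> bool:
    """Plant-level trip demand: digital trains OR the diverse DAS path."""
    return digital_protection(train_a, train_b) or das_trip(das_value, das_setpoint)
```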

3. Engineering Implementation and Software Verification

Best Practice: Digital I&C modernization is a current industry trend. A phased deployment strategy is recommended: first upgrade non-safety systems to gain experience, then progressively advance to safety-grade digital replacement. Each phase should maintain a parallel operation period of at least 6 months.

Software V&V: Safety-class I&C system software must undergo rigorous V&V in accordance with IEC 60880 (Software for nuclear safety systems). The specification emphasizes four key phases: requirements analysis, design verification, code review (including static analysis and dynamic testing), and system integration testing. Each phase requires an independent verification team.

Electromagnetic Compatibility (EMC): NPP environments contain strong electromagnetic interference sources (main generators, large transformers, variable frequency drives). I&C system EMC design must comply with IEC 61000 series requirements, particularly radiation immunity levels of 30 V/m (safety-class) and 10 V/m (non-safety). Single-point grounding should be used to prevent ground loops.

Critical Warning: Common cause failure (CCF) in digital I&C systems is one of the most challenging issues in nuclear safety. If the same software version runs in multiple channels concurrently, a software defect could disable all safety channels simultaneously. The solution is strict enforcement of diversity design and independent V&V — both measures are indispensable.

4. Frequently Asked Questions

Q1: What is the relationship between IEC TS 61873 and IEC 61513?

A: IEC 61513 provides the top-level lifecycle model and safety classification framework for NPP I&C systems. IEC TS 61873 provides more specific technical guidance within this framework, including digital system architecture selection, communication protocol recommendations, and verification methodology details. Think of 61513 as “what to do” and 61873 as “how to do it.”

Q2: Why can’t commercial PLCs be directly used in NPP I&C systems?

A: While widely used in industrial process control, commercial PLCs lack nuclear safety certification and cannot meet NPP-specific requirements for fault tolerance (single-failure tolerance), self-diagnostic coverage (≥99%), and deterministic response time (≤50 ms). Safety-class applications require certified nuclear safety-grade DCS platforms.

Q3: What is the design basis for the Diverse Actuation System (DAS)?

A: The DAS design basis is: when all digital safety systems fail due to common cause software failure, the DAS must independently perform reactor trip and critical safety functions (e.g., emergency core cooling initiation). DAS trip parameters should be independent of main protection system sensors, typically using different physical measurement principles.

Q4: Can fieldbus technology be used in NPP safety-class I&C systems?

A: Most nuclear safety regulators currently maintain a conservative stance on fieldbus (PROFIBUS, Foundation Fieldbus) use in safety-class systems, primarily due to indeterminate communication delays and potential bus congestion risks. The mainstream approach remains point-to-point hardwired connections for safety-class sensors and actuators. Fieldbus is only used in non-safety systems.

© 2026 TNLab
