Safe Use of Smart Devices in Systems Important to Safety in Nuclear Power Plants
Published by International Atomic Energy Agency
ISBN: 9789201203229

EBOOK (EPUB)

ISBN: 9789201203229 Price: INR 2711.99
With rapidly advancing digital technologies, smart devices are increasingly used in nuclear power plants. They can be deployed as separate or standalone field components, or embedded as components in other equipment or systems, and can be used to increase plant reliability, enhance safe operation and improve testing and monitoring functions. However, smart devices may also introduce new hazards, vulnerabilities and failure modes. The safety aspects and design criteria for the safe use of industrial commercial smart devices in systems important to safety that this publication considers include: functional suitability and the evidence required to demonstrate it; quality; qualification; the consideration of certification by non-nuclear organizations using non-nuclear standards; and the aspects affecting integration of the smart device into existing systems, so that the device retains its suitability for the required lifetime.
Table of contents
  • 1. INTRODUCTION
    • 1.1. Background
    • 1.2. Objective
    • 1.3. Scope
    • 1.4. Structure
  • 2. MOTIVATION AND CHALLENGES ASSOCIATED WITH SMART DEVICES
    • 2.1. Advantages of using smart devices
      • 2.1.1. Solution to obsolescence of analogue devices
      • 2.1.2. Implementation of functions requiring many analogue components
      • 2.1.3. Additional functionality to maintain safe operation following a failure
      • 2.1.4. Self-diagnostics to detect random failures
      • 2.1.5. Reduced operational and maintenance costs
      • 2.1.6. Potential reduction of surveillance requirements
      • 2.1.7. Improved monitoring of mechanical and electrical systems
    • 2.2. Technical challenges regarding implementation of smart devices
      • 2.2.1. Internal complexity of the realization of the desired functionality
      • 2.2.2. Extent of configurability
      • 2.2.3. Suitability of internal sampling frequency and frequency response
      • 2.2.4. Potential existence of secondary functionality
      • 2.2.5. Undocumented features
      • 2.2.6. Necessity of ensuring a secured configuration
      • 2.2.7. Radiation susceptibility
      • 2.2.8. Potential for common cause failure
      • 2.2.9. New failure modes
      • 2.2.10. Possibility of counterfeit items
      • 2.2.11. Requirements for strict version control and material source control
      • 2.2.12. Potential for hidden smart devices within otherwise conventional devices
      • 2.2.13. Interface with other technologies within the target system
      • 2.2.14. Sensitivity to the quality of existing power supplies
      • 2.2.15. Sensitivity to cabinet temperature
      • 2.2.16. Hardware qualification
    • 2.3. Licensing topics related to qualification
      • 2.3.1. Review and selection of an approach based on recognized practices
      • 2.3.2. Capabilities of organizations charged with qualification
      • 2.3.3. Limited access to detailed design information
      • 2.3.4. Inconsistencies in structure and intent in the quality assurance programme
      • 2.3.5. Differences in design criteria for software with high safety significance among Member States
      • 2.3.6. Differences in software verification and validation requirements
      • 2.3.7. Configuration management requirements
      • 2.3.8. Differences in expectations of suitability analysis for different applications
  • 3. CONSIDERATIONS FOR COPING WITH COMMON CAUSE FAILURES OF SMART DEVICES
    • 3.1. Common cause failure considerations when using multiple smart devices in instrumentation and control architectures
    • 3.2. Assessing common cause failures caused by smart devices in the plant architecture
    • 3.3. Examples of architectural solutions to common cause failures
    • 3.4. Computer security considerations on the use of smart devices
  • 4. SMART DEVICE QUALIFICATION
    • 4.1. Overview
      • 4.1.1. Prior to commencing the qualification of a device
      • 4.1.2. Qualification objectives
      • 4.1.3. Software and hardware qualification
      • 4.1.4. Generic qualification versus specific qualification
      • 4.1.5. Restrictions of use
    • 4.2. Qualification attributes and criteria
      • 4.2.1. Compliance with functional and performance requirements
      • 4.2.2. Adequacy of the development process
      • 4.2.3. Confirmation that the device has a suitably low random failure rate
      • 4.2.4. Confirmation that the device will withstand all operating conditions
      • 4.2.5. Confirmation of the adequacy of the user documentation of the device
      • 4.2.6. Use of operating experience of the device
      • 4.2.7. Confirmation of the device’s resistance to cyberthreats
      • 4.2.8. Review of factors that can impact a device’s operation over time
      • 4.2.9. Confirmation of absence of any specific vulnerabilities
    • 4.3. Management system
    • 4.4. Documentation
      • 4.4.1. Qualification plan
      • 4.4.2. Qualification report
    • 4.5. Other approaches used for smart device qualification
  • 5. DEPLOYMENT OF A SMART DEVICE IN SYSTEMS IMPORTANT TO SAFETY
    • 5.1. General
    • 5.2. Configuration management
    • 5.3. Smart device life cycle activities
      • 5.3.1. Equipment selection
      • 5.3.2. Suitability assessment
      • 5.3.3. Procurement
      • 5.3.4. Installation and commissioning
      • 5.3.5. Plant operation using the smart device
      • 5.3.6. Periodic testing and maintenance
    • 5.4. Management of change
  • REFERENCES
  • Annex I ADDITIONAL CONSIDERATIONS ON THE USE OF SMART DEVICES
  • Annex II EXAMPLE OF COMMON CAUSE FAILURE ANALYSIS
  • Annex III USE OF STANDARDS AND GUIDANCE FOR SOFTWARE QUALIFICATION
  • Annex IV EXAMPLES OF MEMBER STATE PRACTICES
  • DEFINITIONS
  • ABBREVIATIONS
  • CONTRIBUTORS TO DRAFTING AND REVIEW