1. INTRODUCTION
1.1. Background
Historically, instrumentation and control (I&C) systems in nuclear power plants (NPPs) were custom developed to implement functions important to nuclear safety, specifically to meet nuclear quality assurance requirements, using conventional analogue technology. The gradual decrease in market availability of nuclear qualified products and the worldwide transition to digital technology, which together give rise to obsolescence issues, have made NPP designers increasingly dependent on integrating commercial I&C products within new development or modernization projects. Commercial off the shelf (COTS) devices that are produced in large quantities, with varied and widespread use and significant operating experience, provide a large user-based test bed in which problems are identified and fixed. NPP designers and operators are increasingly expressing the desire to use these digital COTS devices in systems, components and subcomponents of safety or safety related applications as economic alternatives to custom developed systems and equipment. These digital solutions can be used for applications involving systems important to safety in NPPs provided they can be shown to be of adequate quality to meet functional, safety, environmental and other requirements. Although this may be a challenging task, the incentives for the adoption of digital technology in systems important to safety at NPPs are strong. COTS devices may offer benefits such as an extensive and proven history of operation, a large installed user base, proven technology, self-monitoring capabilities and a larger pool of technical personnel experienced with them. A COTS device also provides a solution to obsolescence and the lack of spare parts.
The use of COTS devices in systems important to safety raises concerns because their quality and integrity are not commonly developed in accordance with nuclear standards. Prior to use in an NPP, there is a need to demonstrate that digital COTS devices adhere to the functional, safety and environmental requirements (including heat, humidity, vibration, electromagnetic interference/radiofrequency interference (EMI/RFI) and seismic requirements, as appropriate) with a level of quality and reliability comparable to that of a nuclear product. Special consideration needs to be given to the use of products based on digital technology in NPPs, since they may be subject to vulnerabilities and failure modes (e.g. latent systematic faults) that analogue equipment does not exhibit and that are of particular concern in nuclear safety applications. It should also be recognized that many traditionally non-digital products (e.g. sensors, motor control centres, device actuators, panel displays and even power supplies) offered on the commercial market now often include embedded digital devices, even though this may not be evident. Digital devices, including embedded digital devices, may be affected by the external environmental conditions present in NPPs and need to be thoroughly evaluated and tested to ensure that the components will behave in a known and predictable manner, especially under failure conditions.
When COTS devices are used in NPPs, it is important that a suitable process is in place to gather sufficient evidence and confidence to demonstrate that these products will meet the specific quality, functional and non-functional requirements expected in the intended application. This process, referred to in the following as the justification process, has to consider the behaviour of the device during normal operation as well as under abnormal, transient and accident conditions. A systematic approach is needed so that, when applied appropriately and with sound judgement, it will facilitate the gathering of the evidence necessary to support the justification of these devices for nuclear safety applications.
1.2. Objective
The primary intent of this publication is to provide a starting point for Member States to develop or improve their processes for digital COTS justification. While high level expectations are identified in IAEA Safety Standards Series No. SSG-39, Design of Instrumentation and Control Systems for Nuclear Power Plants [2], the practical methods to justify digital COTS devices in nuclear safety applications often vary among Member States. In this context, this publication helps identify good practices, based on the combined experience of Member States involved in related discussions.
The key objectives of the publication are:
— To identify the key challenges associated with the use of digital COTS devices in nuclear safety applications;
— To provide guidance on the requirements for what would constitute an ade...