Okay, so I think we can start slowly. I think we have most of the participants here, I think. Okay, so let's start with another topic, I&C and electrical systems. We have, in fact, two, I'd say, lessons. One about I&C, one about electrical. I was asked to prepare, I'd say, a presentation on both of these topics, so I decided to merge them together into one presentation, so we will speak in parallel about I&C and electrical systems because, in fact, the same, let's say, basic design principles and requirements apply to both of them. So during the presentation, in fact, you will again hear the same, let's say, basic design principles as you have already heard in the previous presentations, but now we deal mainly with, okay, how to implement these, let's say, general design requirements in the electrical and I&C systems. So this will be, let's say, another part of the, let's say, puzzle of the engineering assessment. So we will speak about I&C and electrical systems together in both of the next lessons. So now, and then after the lunch. I will always, let's say, say some specific things concerning I&C and electrical systems. I know there are some, let's say, I&C and electrical engineers as well here. So from the point of view of I&C or electrical systems itself, we will really scratch the surface because these are very broad topics. There are many; we could spend one month speaking just about I&C or electrical systems. So we will focus on basic design principles and how they are applied basically in these kinds of systems. So it will be just, let's say, an overview from the point of view of I&C and electrical systems. So let's skip this.

Okay. So let's start with some overview. So instrumentation and control, in short I&C. I think everyone knows this abbreviation. It's some sort of, let's say, central nervous system of the plant.
So it can, let's say, feel, sense the technology parameters, and then based on some predefined algorithms actuate, influence the technology itself. So basically the I&C systems are here, or are in the plant, to control or limit plant conditions during normal or abnormal conditions and also to achieve the safe shutdown state of the plant. So we have I&C systems specifically also for the, let's say, accident conditions as well. So this is, let's say, from the point of view of safety. So the I&C systems have, let's say, a direct impact on the safety of the plant and also they can have an impact on the, let's say, cost effectiveness because there are some systems which are used, let's say, as a support for the production, and some, let's say, reliability or availability of the systems can, let's say, impact the electricity production because it's clear the main goal of a nuclear power plant is to produce electricity and to, let's say, make some profit as well. But we will not speak about, let's say, the economic part of the problem. We will focus on the safety in this presentation because we have to evaluate the safety, and the operation of the plant has to be safe. This is the basic requirement. And, of course, most of the I&C systems or, let's say, all of them will not work if they have no, let's say, power supply. So usually the electrical systems are, let's say, an essential part of the safety as well because the I&C systems are, let's say, active systems, electrical, let's say, systems themselves. So we have to power them. So we can't, let's say, split it in two, and we will speak about both of them in parallel.

Just maybe a small remark. Most of the information I took from the new revisions of safety guides. DS430 is the draft of the new safety guide for design of electrical systems. I think it was not yet issued, but I think it will be very soon by the IAEA. I think it's in final state. I think it was already approved, I think.
Then DS431, you will see this, let's say, these references throughout the presentation and at the end you will have the list, so everything you have in the presentation here. So DS431 is the draft of the safety guide for I&C system design. So most often I use these two drafts of new, let's say, safety guides to explain how to deal with different, let's say, basic safety requirements in these types of systems. So it's just for information.

OK. So let's start with I&C systems. So this is some, let's say, basic, let's say, scheme, how it can look. So basically we have some technological process here and then we have some, let's say, measurements, some sensors which are able to read, to check, to sense the parameters of this process, and then in the system itself there are some predefined algorithms, some logic which evaluates the state of the technology and provides some feedback, some action through the actuators, which can be pumps, valves, or some motors or whatever. So this is called, let's say, the control loop. So it is some sort of loop. So it influences the process and then reads it again and it goes again and again. So usually we distinguish, let's say, two, let's say, big parts of the systems. So we have the control or the operational control. So these systems are used for the, let's say, normal operation. We have a lot of different systems for reactor power control, turbo generator control; different equipment has some small control systems just for, let's say, the equipment itself. So we can find many, many such systems on the plant. But we also have, let's say, the specific, let's say, safety systems. Let's say specific requirements are imposed on the safety systems. We already know about it. Such as the single failure criterion and common cause failure, let's say. So we will speak about these requirements throughout the presentation. But this is another group of the systems. They also work on the, let's say, similar example, similar principle.
So they have the, let's say, sensors. They evaluate the state of the technology and based on some predefined logic, if it's necessary, if some, let's say, limits are exceeded, so they provide some safety action. So the big difference between these two is not only the specific requirements, because these systems have to be, let's say, more reliable because they have to deal with some, let's say, accident conditions. But also something specific is that these systems usually work, let's say, continuously, or it's sometimes called high demand. So it always, let's say, is in full operation, but usually these systems work, let's say, on demand. So only if some, let's say, specific combination of inputs occurs, so then the action is here, a very specific action. So most of the time, the systems, in fact, do nothing. They just observe the technology and evaluate if some limits are not exceeded. So this has some, let's say, implications. For example, when something wrong happens here, we usually immediately know that because the system is in full operation, but we have to focus more on, let's say, surveillance and testing of these safety systems to see that they are still capable to do something because usually they just sit and observe the situation. And also another big difference is the price. These systems are much more expensive. So this is, I think, clear.

Another important thing, these systems usually not only control the technology, but they provide information to the people, to the operators. This is a very important part. I think in the past, it was quite often underestimated. I think after Three Mile Island, much focus was put to this part here. Because the humans have to interact with these systems and they have to get, let's say, proper information. They have to get the information. They are able to understand, evaluate what is, let's say, the state.
And if some manual action is required, so they have to have means to provide the actions and also to have, let's say, information to decide if the action is needed. So the human-machine or human-system interface is a very important part of the systems as well. So these are, let's say, some basic principles of the I&C systems. Any questions on this?

Okay, here's, let's say, a more specific example with some pictures, to have some nice pictures here as well. So basically, this is the same thing which was in the previous slide, so I will not speak very long about this. So here you have, let's say, the standard control systems with some specific, let's say, sensors. Here can be some logic and some actuators. As I have mentioned, so usually these systems are connected to some upper level. So this is, let's say, very often called, let's say, the supervisory or operator level. This is, let's say, the control level. This is some field level. Here's the so-called field instrumentation. It means sensors and so on. We can have also situations when we have, for example, some direct measurements. So the, let's say, sensor itself, let's say, provides some direct measurements to the control level, to the, let's say, main or emergency control room or whatever. There can be also, let's say, some specific dedicated, let's say, direct means to directly operate some equipment. So here's the picture of the control room. I think you saw such a picture many times. What is important? Usually all the equipment is connected in some sort of, let's say, digital or computer systems to, let's say, gather all the information. And very often they are also connected to some higher level, some, let's say, corporate or plant network, which then is used, for example, by some departments like the economic department, some, I don't know, technology department to evaluate the state of the equipment, and management of the plant to see the key, let's say, indicators of the plant and so on.
So usually you will find that all the systems are connected somehow. And that's why also cybersecurity is a very big concern nowadays. And if we have enough time, so at the end of the second lesson, we'll spend some time with cybersecurity as well because it's quite a hot topic nowadays. And it's basically because computer-based systems are used, interconnected, because very often here it's connected to the corporate network, to the emails, to the internet and anything like that.

What I also would like to mention, there are also systems which perhaps don't have any actuators. They are just for the monitoring. So they have some, let's say, sensors, maybe some, let's say, logic, how to evaluate the state of the sensors, and they provide the information to the people. So typically it's, for example, post-accident monitoring or radiation monitoring systems, because usually you don't have any specific means how to control, or you control through other systems, but there can be also monitoring systems as well. Such systems are used also for the electrical grid, for example. Yes, you have nowadays in electrical, let's say, buses, you have some, let's say, specific, let's say, transformers which provide the information about the state of the, let's say, power in different, let's say, parts of your electrical grid or electrical buses of your plant. So also in the past there was some, let's say, strict division between electrical systems. Usually the electrical people don't speak much with the I&C people and vice versa, but nowadays it's somehow, let's say, interconnected and blended because the same technology is used not only for the, let's say, technology, the pipes and the steam and water and whatever, but also for the electrical part of the plant itself.

So let's focus also on the electrical part. So the core part of the electrical scheme is the, let's say, turbine, turbo generator.
So basically the main reason is that it's here to produce the electricity and to send it to the off-site grid and to make some profit. So this is, let's say, some economic point of view, but we will speak about the safety. We need the electricity to provide the supply for the I&C systems to be able to work, to be able to provide the safety functions. So we have the interconnections from the turbine, which is able to supply the, let's say, the systems important to safety, and we also have, and it's recommended to have, some, let's say, backup off-site power connection, because this connection is used not only to, let's say, sell or provide the electricity to the off-site grid, but also it's used when the turbine is, let's say, stopped, and it's during the outages or for whatever reason it can happen. It's not very, let's say, unintended. It's quite, let's say, a credible event. So then we need some, let's say, additional source of power. So usually we use the off-site power to supply the systems important to safety, and if this is for any reason unavailable, we should have some, let's say, backup off-site power, which is perhaps, let's say, not designed for the same loads because it's not used, let's say, as a normal output point for the distribution of electricity, but it can be used just for the, let's say, load of the, let's say, inside equipment. So this black part, it's called preferred power supply, and preferred, it's okay, it's what we normally use. This is something which we want to use, which we will use normally. So the source is from the turbine, let's say, house load, or the off-site grid.

Okay, for the safety systems, we also have this red part, some, let's say, backup, some safety power supply, which is backed up by some standby or backup diesel generators. So we have diesel generators. If we lose the preferred power supply, so we have to be able to supply the safety systems from, let's say, another source.
So generally, we have as many, let's say, standby diesel generators as, let's say, safety trains of safety systems we have. We will speak about it later as well. And we have to be able to, let's say, keep it in operation. What was also done recently, so it was found out that, let's say, station blackout is quite, let's say, and design extension conditions based on Fukushima, okay, some credible event. It could happen. So we have to also deal with some design extension conditions. So it can happen that also these diesel generators are not available. So recently, some, let's say, alternate power supply was added to the design, or in the, let's say, existing plant it's also built as a new, some specific feature. In a new build, it should be included from the beginning. So it's some alternative, diverse source of electric power. So it can be some, let's say, another diesel generator which is placed somewhere else. Very often there are some mobile diesel generators with some specific connection provided and qualified for this type of event.

And what we also have in the plant, we spoke about, let's say, AC power. But normally the, let's say, computer-based, the digital systems, the I&C systems, the, let's say, instrumentation is, let's say, supplied from DC, DC power. So, of course, normally the DC part of the electrical grid is, let's say, supplied through, let's say, transformers from the, let's say, preferred power supply. So from the turbine or from either one off-site or another off-site, let's say, power source; it can be also supplied from the diesel generators.
But we also have batteries, some UPS, some uninterruptible, let's say, power supply, some backup to be able to provide the power supply for, let's say, very important systems during the time, for example, before the diesel generator could be, let's say, connected and start to feed the DC systems, or to, let's say, survive the time till we are able to put here some other, let's say, alternate source. So we have also batteries which are used for, let's say, some portion of the, let's say, safety systems to be able to survive, to supply them, to get the information, to be able to properly keep the plant in the safe state also during these transients when we need to, let's say, start the diesels or, let's say, attach or connect these alternate power supplies. So this is, let's say, the basic scheme. What usually you can find in, let's say, every power plant is usually much more, let's say, complicated. But basically, this is how it works.

Okay. Safety classification. We already know about it. So I think it's not necessary to speak about it again. So just to remind you, so we have to identify all the items and, let's say, classify them based on their safety significance. So again, it's about the graded approach. So not all the equipment of the plant, not all I&C or electrical systems of the plant have the same safety significance. So we have to, let's say, classify them. It's the same process as was shown before. And, of course, we have to design these systems based on the, let's say, requirements which are, let's say, specific for the safety class in which they are, let's say, labeled. So it's clear that the safety class one will have stricter reliability requirements than, for example, class two or three. So I think this is clear. Maybe just, I think, one note that even if in many standards we speak about, for example, I&C systems classification and things like that, we always have to think about their power supplies.
And the electrical part which is important to the safety needs to have the same classification or the same requirements as the systems which it serves. Yeah, because if it's not so good, so we can lose it. And then, as a consequence, we can lose also the, let's say, the safety system and the safety function itself. So this is, I think, quite a clear, let's say, assumption.

Okay, you have already seen this. So I think it's not important to, let's say, speak a long time about this. So just basically, so the plant equipment is divided into items which are not important to safety, so from the safety point of view, we do not care, and the items which are important to safety. Yeah. Okay, I will show you another picture. But basically, what we have seen about, let's say, the IAEA approach to classification, it basically applies to all equipment. So not only, let's say, machinery equipment or construction, it applies also to the, let's say, I&C or electrical equipment. But in different states, there are some different classification schemes based on different standards. What we have mentioned, 1E or non-1E, this is the American IEEE standard used for classification. And it's not, let's say, fully compliant with the IAEA view of the classification. Another picture I will show you, maybe I will then go back. So you have different, let's say, classification schemes for I&C and electrical systems as well. So for IAEA, this is some, let's say, the approach of IAEA; it is not updated. So now there's a new safety guide which speaks about class one, two and three, we know. Very often the IEC standard is used, which, let's say, basically, let's say, copies the idea of the, let's say, nowadays IAEA view. But there are different standards in different countries, how to, let's say, categorize or classify the I&C and electrical systems.
And so the idea, the basic idea is the same, to have a graded approach, to find out what is more important and to apply the specific requirements for the most important systems. But the frontiers between the systems are maybe not exactly the same. And yes, very often you can spend some time, if you, for example, in one of our plants, we use this IEC scheme, in another plant where the I&C was built by Westinghouse, we use this scheme, and it's not always easy to find the connection in between. You have to, let's say, evaluate, but the basic approach, the idea behind it, is the same, yeah, but the classes, they are maybe called a little bit differently. And so here during the presentation, we will, let's say, stay with the, let's say, general IAEA view, but you can find many different approaches, yeah, and okay, okay, I cannot say, basically, the most, let's say, the first category or the one category or whatever it is called, so this has the most strict requirements. And they should be so strict that they should, let's say, I don't personally evaluate all of them and I'm not sure if such an evaluation has been done, but usually every specific, let's say, classification scheme uses the, let's say, basic design principles derived from IAEA, so usually you will find for each of these groups, which is the most strict, for example, the defense in depth, the single failure, common cause failure, and things like that. But there can be some differences because, for example, as was mentioned during the, let's say, presentation about classification, so for example, IEEE has, let's say, two groups, IEC has three groups, so for example, something which is called category B here could fall under 1E here, and something could fall under, let's say, important to safety, but not 1E, so there could be some differences there.
But the reason is to implement the graded approach, to identify the most important equipment and to apply the strict, let's say, reliability requirements on the, let's say, specific equipment only. Yeah.

Mm-hmm. Mm-hmm, yeah. This is a really good question. I think every operator thinks about this. I think there is no simple answer because, for example, if the manufacturer is used to producing the systems according to the IEEE standards, so they use not only the classification, but they use all the, let's say, design codes, for example, codes or standards for computer design and things like that based on IEEE standards. If you compare, for example, this IEC, you will find out that it's very similar, but if you ask the supplier that he has to, let's say, check and evaluate the, let's say, compliance, so it will cost some more money because if you have to check, you have to evaluate. There will be maybe some discrepancies; you have to think about it or what to apply. So usually it's the choice to, let's say, choose one, let's say, classification scheme and the corresponding codes and to keep it consistent. But very often it's not possible because we have different suppliers from different, maybe, countries. So very often we have to deal with some, and not only in the classification. Perhaps they will use some specific design codes based on IEEE and you would like to see if it complies with IEC and so on. So I think no easy answer is here. This is the problem that the, let's say, legislation all around the world is not the same. In different countries there are differences. They are not very big. Usually you can find the compliance, but you have to spend some time and money on that. So I think the trend is to try to somehow, let's say, cooperate more to have, let's say, similar requirements all around the world. But this is, let's say, almost impossible. It's very difficult.
And yeah, it's a big problem for everyone, for suppliers, for operators, for regulators, for everyone. Every country has some specific requirements. This is a problem. It would be better if there were one legislation for all, but unfortunately there isn't. And then it costs money. More effort, more resources, because we have to think about different standards and how they are, let's say, compliant with each other. So I don't want to spend, we could discuss a lot of time because it's a big problem, the legislation.

So I just would like to, let's say, here in this slide speak more about what kind of, let's say, I&C and electrical systems we have, to give you some idea about some specific systems. So for the safety systems, so usually what we have is something called the protection system. The protection system usually includes two, let's say, subsystems. Sometimes they are implemented as two separate systems. Sometimes they are, let's say, one protection system. So one part is the reactor trip system. The reactor trip system has, let's say, the only goal to scram the reactor. If there is some specific combination of the inputs, it shuts down the reactor, and this is the, let's say, goal of this specific system. Very easy task, one task, and it has to be provided. Then we have something called the engineered safety features actuation system, ESFAS, which, let's say, provides the functions how to, let's say, keep the plant in the safe shutdown and to, let's say, cool the core, containment isolation, containment heat removal. So all these functions we have already mentioned in some, let's say, specific, let's say, presentations before, for example, the reactor cooling, the containment sprinklers or sprays; usually these actuators are driven by ESFAS, the engineered safety features actuation system, which is usually considered as a part of the so-called protection system. What is also important to say, there is no international consensus how the, let's say, ideal I&C architecture should look.
There are different approaches how we can implement it. We will speak about some examples, but there is no consensus, there is no, let's say, one recommended architecture of the I&C systems. There can be different solutions; different suppliers have different solutions which can work. So you can find real differences between the plants, but the functions, nevertheless, whether the system is included in one or two or however it's designed, so the protection system is somewhere in the plant implemented. From the point of view of electrical systems, what we usually have here is something called the emergency load sequencer. It's something when, for example, we have to, let's say, switch to the diesel generators and we need some big pumps to operate to cool the reactor and the containment. So we have to, let's say, load the diesel generator step by step because we don't want to overload it. So we have some, let's say, logic to load the diesel generator step by step, not to lose it just in the first second. So there are also some specific functions for, let's say, the electrical part of the plant as well. From the point of electrical, for example, cables and so on, we have also, let's say, containment penetrations. And just to remind you that containment penetrations are part of the safety systems. Even if the cable belongs to the, maybe, items which are not important to safety, it can be some, let's say, information system there. So the penetration itself is a safety system, and it's not because of the cable itself but because of the containment. So just this small, small, okay, skip this.

Okay, so now to the basics, so we will again speak about the, let's say, basic requirements and how they are applied in the, let's say, I&C systems and electrical systems. So defense in depth, we have heard a lot about this principle. So we know that we have to, let's say, implement, let's say, multiple barriers to protect us as much as possible. So the idea is not new.
You can see the old castles, the old fortresses, they did exactly what we are trying to do now. So they had multiple walls, multiple barriers, maybe walls, some water in between. So they used independent walls, some different, let's say, materials, different approaches to protect themselves. And the approach in the I&C or electrical system is completely the same. So basically, we have, as one level, I will explain in more detail in other slides, we have some control systems for normal operation. If something bad happens, so we have perhaps some limitation system which can limit certain conditions. We have the reactor trip system or, let's say, a reactor protection system which includes reactor trip and engineered safety features actuation, so the cooling, containment isolation and things like that. As, let's say, another, let's say, layer in defense in depth, if something bad happens here and the systems on the lower level are not able to cope with it, we have some post-accident monitoring which can help to, let's say, provide some, for example, some additional systems for control of the plant during some, for example, severe accidents. So this is the basic principle of defense in depth. So also for I&C and electrical systems, defense in depth has to be implemented. We can't, let's say, degrade the defense in depth concept of the plant just by implementing one big I&C system which, when it fails, then all, let's say, levels of defense in depth are, let's say, degraded. So that's why we have more different, let's say, systems in the plant.

So this is, the defense in depth is somehow based on the possible states of the plant. So this is the original, how the old or existing plants were built. So we already know that something which we called before beyond design basis, some severe accidents, was not considered in the existing designs. So after Fukushima, there's some new, some evolution of the requirements.
So now we have some design extension conditions which now we should, let's say, consider in our design as well. And it was explained in a presentation by Marco, I think, Monday. So I will not go into the details to, let's say, confuse you with some thoughts about it. But just to remind you that basically, we start with normal operation, then we have some anticipated operational occurrences. So it's something which is not, let's say, normal, but which can happen quite often. So it's, for example, turbine trip, some electrical transients, anything like that. We have the design basis accidents. So it's basically the LOCA help and so on. And these types of accidents, there can be some combinations of accidents. And then we have design extension conditions. So we have different plant states and we should have different, let's say, I&C systems together with some electrical systems to provide the power, to cope with different plant states.

So I found this, let's say, nice table. I don't know, maybe it's not very readable. So I just explain a little bit and then you can read it in the presentation and you can find more information. For example, WENRA, it's free. You can download from the internet some description of this principle of defense in depth. So basically, for normal operation, we have the control systems. So the control systems are used to maintain the plant in the normal operating limits. They are used continuously. They provide some information to the operator and this is what is used in normal operation. So from the point of view of personnel, just, let's say, monitor and then check that the state is okay. For these types of events, so anticipated operational occurrences, so some, let's say, abnormal situations, we have, let's say, something which is usually called limitation systems. Very often they are quite, let's say, connected together with the control systems, and as I said, there is no, let's say, ideal design.
So in some designs, you will find, let's say, the limitation systems or limitation functions implemented, let's say, as a subsystem of the, let's say, this control part. In some designs, you will find it as a specific subsystem of, for example, the reactor protection system. There are different approaches how to do that. What is important, usually we have or we should have some, let's say, systems which are able to cope with these types of situations and to prevent the situation from worsening and going here. We always try to, let's say, stay here and go back to the normal operation. We don't want to, let's say, lose the plant conditions and go to more severe conditions. So we try to avoid them. So that's why we implement these, let's say, levels. So level three is, let's say, basically the design basis events or combinations of design basis events. So for this, we have the reactor protection system. So it's the reactor trip system together with engineered safety features actuation. Usually there is some, let's say, diverse actuation system. So when we speak about the common cause failure, we will see why it is implemented as diverse. So very often there's a diverse system or diverse means which provides the operator the possibility to manually control certain aspects of the plant or certain safety equipment, in case there is some problem in this level. And then we have these design extension conditions. So this is quite, let's say, a new concept. So we should, let's say, consider some additional features for these design extension conditions. Usually for the existing plants, there is, let's say, thinking to implement something more, some, let's say, usually some, let's say, mobile equipment which can be used when necessary. Let's say some specific, for example, severe accident monitoring system. Some hardened, let's say, instrumentation which is able to survive severe accidents and to provide the information. So there are some approaches.
And it's not yet, let's say, fully described in the, let's say, standards and guidelines yet. But it's something which we have to think about. Okay, so maybe more specific information about electrical systems. I didn't find such nice table about electrical, so I have to create one. It's not so nice, but maybe it will be, I hope it will be okay for you. So again, we have, let's say, the expected states of the plant and let's say the systems which we have to co-base the situation. So basically, in normal operation, we use the preferred power supply. So we have variable grid. We have, let's say, on-site or off-site power. During the abnormal operation, so for example, where the turbine is stripped and stopped, so we usually use, or we have the household possibilities. It means we are able to, for example, use the backup off-site power. Or on the other hand, if, for example, off-site grid is lost, so we can use the turbo generator just for household. So we decrease the, let's say, power of the reactor of the turbine and we use the electricity production just for the household. So we have to be able to cope with these, let's say, types of transients. In the case of design-based accidents, so what we usually have, so it's our, let's say, the backup, these generators to provide the electricity to the safety systems, because in this level, the safety systems are in operation, reactor-type, as fast and so on. So we have these generators, perhaps together with the batteries, which help to survive the transients between switching of the, for example, off-site to the digital generators. And then for the deck, design extension conditions. So as I have already mentioned before, some alternate power supply is introduced to the plant, so it's very often some mobile or some diverse source of, let's say, power. 
Together with, perhaps, let's say, increase the battery capacity, because if you use some, let's say, mobile equipment and you have to bring it, for example, for some off-site to the plant and connect it and start it, perhaps it will take more time than the on-site diesel, so we perhaps need more capacity of the battery to survive these, let's say, transients. Okay. So station blackout, it's some, let's say, typical, or let's say, some, let's say, important consideration from the point of view of electricity. We have already, let's say, mentioned this, this. So station blackout means that we lost the preferred supply, so it means turbine off-site grid and this concurrent availability of the emergency AC power, so it means the standby diesel generators. So, and the experience shows that these situations can happen, even if I have a lot of diesel generators, it can happen. So consideration has to be, let's say, done. How to deal with the station blackout situation? So these are some, let's say, usually approaches or a combination of approaches of what is usually done. So increasing the capacity of the batteries, let's say, to survive more time, to have enough time to, let's say, do some action to provide some, let's say, off-site power or some mobile, let's say, units. Unit to unit connections. So if you have the plant which has multiple units, so you can have some specific unit to unit connections because it can happen that, for example, in one unit some diesel generators are still alive, so you can, let's say, interconnect and use them. And as I have mentioned, there are some divers or some alternate AC power sources. So what is important? They have to be protected to the, let's say, evens which can cause the station blackout. 
At Fukushima, if it was, for example, flooding, so we have to put the diesel generator to some, let's say, sealed compartment or to some higher elevation or to reinforced compartment, not to be, let's say, harmed by, for example, falling objects and so on. So consideration has to be put that we don't want to lose the alternate AC power source together with the, let's say, diesel generators. So okay, this is just some examples. So this is some alternate AC power in some reinforced container. These are some mobile units. You can have also some small, let's say, mobile units which can be carried by human just to supply an electricity only to some very specific, let's say, equipment. So let's say the combination of all of these can be used. It depends on the strategy and what the plant, let's say, prepare and create for such, such events. But what is important, we have to think and consider that such events can happen and have some, let's say, means and strategy how to deal with such event. Okay. So let's speak about another, so this was about, let's say, defense in depth, basically. So now let's speak about another important, let's say, designer requirement for the INC and electrical systems. And this is simplicity. It looks simple and it's not so simple, but it requires that the system should be as simple as possible. And we should avoid unnecessary complexity. Why? Because if the system is very complex and usually the INC systems, electrical as well, but the INC is typical for the INC, is too complex, so then it's not possible to test it in full extent because it's so complex that you are not able to have 100% test coverage. And so there is the possibility that there is some fault in the system which we cannot find because it's very complex. So we try to build the systems as easy, as simple as possible, to be able to test it and to eliminate the possibility that there is some hidden fault in the system. 
So this is a very specific and important requirement, because it would be easy to put all the functions in one computer system. Nowadays your mobile phone is able to implement most of the functions of the plant, but we don't want to do that, because it would be very complex and we would not be able to evaluate and test it and check, through surveillance of the equipment, that everything is okay. So we try to keep it simple. And it's not only for the operator itself; it's also for the regulator, because the regulator also has to evaluate what the operator has done, and with the most complex systems it's complicated and there's a risk of hidden faults. So this is the reason for simplicity.

So now the single failure criterion. You already know that. We have to consider that every safety group has to meet the single failure criterion. What is a safety group? Safety group is a general term; in different designs you can find division, or train, or whatever. It's a group of equipment from the sensors, through the logic, to the actuators: the whole group of equipment which is necessary to provide the safety function. So in all these chains we have to consider that something can fail. Whatever it is, we have to consider deterministically that something can fail. Even if the probability is not very high, this is a deterministic criterion, and we have to think and consider that something can fail. And if it fails, it can have consequences: together with the failed equipment, it can have some consequences for other equipment. So we have to consider such consequences. We have to consider failures imposed on the postulated events for which the equipment is intended to work.
So for example, if the equipment is intended to work during a HELB or LOCA situation, then, as we mentioned during the qualification, we have to consider that during such an event the equipment will be able to survive. And what we also have to consider is that we have to do some maintenance. You know that, for example, something can fail and you have to repair it; there can be some maintenance because of the equipment qualification, some requirements to replace something. So we have to consider that some part of the equipment could be bypassed or put off-line because of maintenance. So these are the considerations about the single failure criterion.

So let's have a look at a more specific example of how to deal with it. I think it's clear, and it's the practice, that we deal with the single failure criterion using redundancy. Simply, if we have to consider that something can fail here, we put in more of them. So we have multiple pieces of equipment, and if one fails, we have another one. So it's okay. This is the basic approach of how to deal with it using redundancy. So the question is: how many of these will I need? In some designs you can find three, in some four, maybe for some specific systems only two. So what are the requirements? How will I find that, okay, this number is sufficient for me? There are two points of view. One is the deterministic, which we will speak about: the single failure criterion, the maintenance. This is a deterministic assumption; I will speak about it. And the other is the probabilistic one, some reliability. Because, for example, I can have some reliability requirement for some specific safety function, and the reliability requirement can be such that with this one system I am not able to reach it.
So I have to put in more systems to improve the reliability of this specific safety function. This is the probabilistic point of view of how many redundancies I need. But okay, let's speak about the single failure criterion. It's deterministic. So if we have redundancies, we have to consider maintenance: one safety group could be put offline or bypassed because we are doing something on it. And we have to consider failure: this is the single failure, so anything in this chain could fail. So we have to consider that, okay, one has failed. So usually, if we have three or four, as you can see, it can be enough from this point of view. But it also has some disadvantages. What can happen if we put in more redundancies? We can fight the single failure: if this one has failed, we still have two others, or at least one other, to deal with the requirements of the safety function. The problem which we can introduce by this is spurious actuation, some unwanted actuation, because as we add more redundancies, we not only increase the probability that everything will work as intended, but we also increase the probability of some specific failure which can lead to some unwanted actuation. This is also more probable with multiple pieces of equipment. And spurious actuation is something which we don't want. It can be the safe state: the spurious actuation can be a reactor trip, so okay, it puts the reactor in the safe state. But from the point of view of the operation itself, it creates some unnecessary stresses on the equipment, and you have learned that the reactor can survive only a certain number of such fast transients. So we don't want to do such things if it's not necessary.
Also, we can actuate some ESFAS function; we can start pumping cold water into the reactor, into the primary circuit, which can degrade the equipment. Really, this is something which we would like to avoid as well. So how to deal with this situation? It is implemented in some designs; it's not something which is required, but usually what is implemented is voting logic. Or one solution can be voting logic. So what is basically done in the voting logic? For every division, we take into account not only the outputs of this specific division, but also the outputs from the other divisions as well. So one failure, one spurious actuation, is not enough to trigger the safety action. It means that really we need at least, for example, if we have three redundancies, at least two systems actuating to go through the voting logic and start the safety function. What is important: if you implement voting logic, you have to consider some specific states of the trains. Here's an example. We don't have time to speak in great detail about all the possible states, but this is an example for three redundancies. I think in new designs nowadays four redundancies are usually used for the safety systems, but it could also be done with three. But you have to consider that, okay, in the normal state two-out-of-three voting is fine, but you have to give consideration that some part could be in maintenance, and in another division there could be some failure, and the failure could be such that it can block the safety signal or it can introduce a safety signal. So you have to consider different possibilities.
So usually you have some system inhibition when it is in maintenance. You have, for example, invalidity, when the system provides some faulty results. Or you can have some safe position: for example, during maintenance you switch certain outputs to the safe position, because you don't want them to be masked by a fault in another division, and so on. So it's quite complex. We don't have time; we could spend a lot of time discussing different transients. This is just an example of how it could work. It's only an example; there are many possibilities, and in different designs there can be different possibilities. The point of this example is that if voting logic is implemented, you have to consider the different states of the equipment and be careful how you implement it.

Okay. What is also important, together with redundancy: we don't want the failure to spread to the other redundancies. So what we implement is independence. The divisions or the safety trains should be independent from each other, so if there is a fire in this room, we still have the other two. And we also have to consider common cause failure, especially with digital systems. If I create the software for one redundancy and there is a fault, a hidden fault, because it's very complex and maybe I am not able to test it fully because it's a complex software system, then I can very easily copy and paste the same fault to all my other divisions. So common cause failure, especially for complex and digital systems, is a very big concern, and we will speak about it later as well. This is just for fun. So I think it's obvious that the power supply also has to be provided independently to each of the safety trains. You don't want to supply everything from one source, because it would be an evident common cause.
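Editor's note, added worked example (not part of the lecture, and not the logic of any particular plant design): the trade-off the speaker describes above, tolerating a single failure while one division is in maintenance versus avoiding spurious actuation, can be made concrete with a small k-out-of-n voter. The division states (TRIP, NO_TRIP, INVALID, BYPASSED), the two substitution policies for off-nominal channels and all function names are assumptions made for this illustration. The code evaluates the worst case the speaker asks you to consider, one division inhibited for maintenance and a single failure in another, for two-out-of-three and two-out-of-four voting.

```python
from enum import Enum


class Ch(Enum):
    """Output of one division (train) as seen by the voter (assumed states)."""
    NO_TRIP = "no demand"
    TRIP = "demand"
    INVALID = "self-detected faulty result"
    BYPASSED = "inhibited for maintenance"


# Two substitution policies for off-nominal channels (assumptions for this example).
# SAFE_POSITION counts a bypassed or invalid channel as a trip vote (safe position),
# MASKING counts it as no-trip, so a fault elsewhere can mask a real demand.
SAFE_POSITION = {Ch.INVALID: Ch.TRIP, Ch.BYPASSED: Ch.TRIP}
MASKING = {Ch.INVALID: Ch.NO_TRIP, Ch.BYPASSED: Ch.NO_TRIP}


def vote(channels, k, substitute):
    """k-out-of-n voter: actuate when at least k channels count as TRIP.

    `channels` are the n division outputs; `substitute` maps INVALID and
    BYPASSED to the vote that is counted for them.
    """
    counted = [substitute.get(c, c) for c in channels]
    return counted.count(Ch.TRIP) >= k


def analyse(n, k, substitute):
    """Worst case from the lecture: division 0 bypassed for maintenance and a
    single failure in division 1. Returns (demand_actuates, spurious_actuates).
    """
    # Real demand: the failed division is stuck at NO_TRIP (undetected, so it
    # cannot flag itself INVALID); every healthy division sees the demand.
    demand = [Ch.BYPASSED, Ch.NO_TRIP] + [Ch.TRIP] * (n - 2)
    # No demand: the single failure is in the spurious direction instead.
    spurious = [Ch.BYPASSED, Ch.TRIP] + [Ch.NO_TRIP] * (n - 2)
    return vote(demand, k, substitute), vote(spurious, k, substitute)


if __name__ == "__main__":
    for n, k in ((3, 2), (4, 2)):
        for name, policy in (("safe position", SAFE_POSITION), ("masking", MASKING)):
            actuates, spurious = analyse(n, k, policy)
            print(f"{k}oo{n} {name:13s} demand actuates={actuates!s:5s} "
                  f"spurious actuates={spurious}")
```

Running it shows the point of the lecture's table: with three divisions, sending a bypassed channel to the safe position keeps a real demand from being masked by a stuck channel, but then one spurious channel is enough to actuate; counting the bypassed channel as no-trip avoids the spurious actuation but lets one undetected failure block the safety function. With four divisions, two-out-of-four with the bypassed channel simply not counted survives both cases, which is one reason newer designs use four trains.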
So what we have is, for every safety division, a specific generator and a set of batteries. So we have the safety power for each of them, independent of each other, to be able to supply and operate all the equipment in case of some fault in some of this equipment. Okay, redundancy: this is what I have mentioned. It has to be redundant to meet the reliability requirements; we have mentioned that. The redundant elements should also be independent; I think it's clear. And redundancy can increase the probability of spurious actuation, so one way to deal with it is voting. And it applies to electrical systems as well; I have mentioned that too.

So, independence. We have mentioned independence between the different redundancies. In fact, independence can be seen from two points of view. We implement independence between the redundant elements, and we also implement independence between the different levels of defence in depth. So there are two implementations of independence in the plant. How can it be done? The first and most obvious is physical separation: I put the equipment in another room or another building, I put a wall in between. Electrical isolation: for example, I do not connect the equipment, or I use some isolation devices, some isolation transformers, some optical communication. Electromagnetic qualification can also provide some help here, because if we want to electrically isolate, perhaps we also have to check that radiated electrical fields do not harm our equipment. What is more difficult is functional independence, or independence of communication. This is not so easy to evaluate. So what is functional independence?
It means that the function of one system doesn't depend on the function or the results of another system. And in fact, in the plant you will find that the systems between the different levels of defence are very often connected. There are some reasons for that. There can be some sensor sharing; there can be some communication, for example the protection system sending some information to some information system, providing information about its state and so on. So there are some connections in between, and we have to be able to prove and evaluate that the systems with lower classification, which are less important and less reliable, cannot harm our safety systems or the systems with higher classification. So it's basically to fight the spread of failures: we don't want a failure to go from one system to another. And this can be quite difficult to evaluate. Very often you need some specific knowledge of a specific system, how it is implemented, to provide the proof that the communication link, if it exists, is safe enough. Here is also some consideration about cables. In the nuclear plant we have a lot of cables, so we should also implement some separation between different types of cables. Again, we should separate the cables with different safety classification. We should also separate the cables from different safety divisions: if we have more redundancies, for example four trains, and we put all the cables through one penetration, it's a very weak point, where we can very easily, as a common cause failure, lose all the redundancies. So we also have to take care to separate the cables from different divisions, and also cables with different voltage.
So for example, the communication lines will not be in the same cable as some high-voltage power cables. This is a really basic consideration which you have to keep in mind when you assess how the system is designed. You can see that the cabling in the plant is not always easy, and you can find some places where the cables converge, for example the main control room. The cables can converge there, so it can be quite difficult to deal with this.

Okay, so let's continue a little bit. I think we have until half past twelve, so let's continue a little bit and then we will stop. So common cause failure; you already know about it, so we have to consider common cause failure. As I have mentioned, it's a specific concern for complex systems. Just as a note: sometimes in the literature you can find common mode or common cause. Usually, and in this presentation, common cause is used for both, and usually they are synonyms, but sometimes there is a distinction: common mode means the manner, the way, in which the equipment fails, and common cause is the event which caused the failure. So sometimes there is a very slight difference. Usually it's not very important, but there are some cases when it could be important, so just for your information: such terminology exists with regard to common cause failure.

Okay, so now I have some examples of common cause failures. This is environmental common cause failure; I think it's clear: external hazards. We have mentioned it also during the qualification. This one is quite interesting. Maybe some of you have already seen similar pictures. This is something we can consider a hardware common cause failure.
This was taken in one of our plants, and this is called tin whiskers. Maybe you have heard about this phenomenon. It's a specific physical phenomenon: when you use pure metal, in this case for example tin, and it's exposed to some stress (I think it's not described in detail how it works), some crystal can grow, and if you use the same hardware connections in all your safety trains, you can have the same type of error in all your redundancies. And what the crystal does is grow, grow, grow, and then you can have a short circuit. Usually it's very thin, so it usually burns away and disappears, but the equipment does something strange, and when you check, you find nothing, because it has disappeared. So this is a very specific example of a hardware common cause failure. It could also be corrosion and things like that, but this one is quite interesting. So, tin whiskers.

Here's another example of a more complicated common cause failure: a common cause failure in software, which is usually very difficult to find, and this is why the concern is there. This is a real example of what really happened. Very quickly: there are some ex-core measurements in the wide range, so high-level measurements of the neutron power of the reactor, which are then shared with two different systems. The measurements from the ionization chambers go to the post-accident monitoring system, and they also go to some diverse monitoring system. Normally, at normal power, 100%, everything works as it should. When the power drops to a certain level... and this was found when the fuel was taken out of the reactor, so the neutron power of the reactor was really minimal, almost nothing.
So then the measurement goes to very low numbers, and we found out that not all the software systems are able to cope with such low numbers. It was because some specific software libraries were used: a normal floating point number has some defined range in which it is going to work, and if it's outside the range, there are several possibilities for how to deal with it (I will not go into the details); one of the possibilities is that it is directly assigned to zero, which is basically what these systems did. But we found out that in the post-accident monitoring system one specific component, a graphical meter on the screen, when this low value went inside, it died. And so, because of this low number, we can lose all our three post-accident monitoring systems at once. So it's a common cause failure: here is the fault, that the system was not implemented properly, and here was the trigger, the number was too low; nobody expected something like that could happen, and it caused a common cause failure in the software. Fortunately this system was... okay, it was still working, but this is the example of a failure in the software.

So let's go through this, and then we will stop. The concept is: how does it happen? During the design, when there is some error, the guy who programmed the software makes some error, so we have a fault in the software. The fault alone... perhaps there can be a fault in the software forever, and maybe we will not find it, and it will not cause any problem. But if we have some activating conditions, something we call a trigger, then the digital failure can come to life and cause something. So if we have the activating conditions in one division, we can lose, for example, the function of one division.
If we have the same activating conditions, because we have the same fault, copied and pasted to all the divisions, and we have the same activating conditions in multiple divisions, then we can lose the whole system, and this is the problem. We don't want to be here. And the catastrophic scenario is that we have the same error in multiple systems, in multiple levels of defence, and concurrent activating conditions, so we can lose all the systems. This is the really catastrophic scenario, and that's why we have to really pay attention to common cause failure. This is a graphical representation: for a common cause failure to occur, we need several things. We need to have the faulty system in multiple divisions or multiple systems, and we have to have the same concurrent activating conditions. So it's not so easy to reach a common cause failure, but because these systems can be quite complex, we have to be very careful how to deal with it. So how to reduce CCF, common cause failure? It's independence, okay, because of common cause failures due to, for example, fire, flooding and things like that; qualification, we have already mentioned that, against internal and external hazards; and diversity, which I will also speak about in more detail; this is the way we deal with common cause failure, by introducing diverse systems. And also, for complex systems, what we have to do is focus on the development process. We have to try to avoid the faults through a high-quality development process. We also focus on detecting the faults, because there are humans here, and if there is some fault, we have to try to verify, to check, to remove the fault before the operation itself; so this is for detection. And also the concept of fault tolerance: if there is some fault and the equipment is faulty, we don't want... we would like to go to some predefined state; we want to prevent the propagation of failures. These are the basic concepts for how to deal with common cause failure.

So let's just speak about this diversity, and maybe we will stop there and have a break for lunch. Diversity: there is a lot of literature about different approaches to diversity, different categories, different terminology, but the basic approaches are usually functional and signal diversity, which usually go together. The approach is that the same safety function is based on different logic, different algorithms, using, for example, different sensors. For example, if I would like to, I don't know, evaluate LOCA conditions, one way is that I measure the pressure inside the primary circuit, and another approach is that I measure the pressure, for example, in the containment. So for many safety functions we can find different physical symptoms which can be caused by some event, and we can evaluate them using different approaches. This is very important and one of the most useful ways to deal with CCF. It's not the only one; there are other approaches. We can use design diversity or equipment diversity, so in fact we implement the functions in completely different equipment: we have, for example, a computer-based system, and then we have another relay-based or FPGA-based system which uses a different design, different design principles, so there is a lower probability that the same error will be in two different systems. We can use human or logic diversity, so during the development some part of the development is done by different people, and different software tools or procedures are used. So these are the basic examples of how to implement diversity.

Okay, so the last slide. This is just to demonstrate, so I will not speak a lot about it. Usually we have some diverse systems: we have the control systems, you have the protection system, which can be some primary protection system, maybe you have some diverse protection system because of the consideration of common cause failure, you have the post-accident monitoring system; very often they are diverse to each other. It's usually because, for example, these systems are not classified, so I use some industrial standard; these are usually some specific systems which require a different design, so I usually introduce some design diversity together with the plant design as well. They have to be independent; this is the independence between the different levels of defence in depth. But what is important: life is not perfect, and very often we find some communication links between the systems, we find some places where these systems come together in one place, for example the control room. So then during the evaluation we have to pay attention to these specific connections, to avoid failure propagation and to check that the independence is correctly implemented.

And I think the last slide before the break: common cause failure or diversity from the point of view of electrical systems. We usually don't have a lot of trouble with electrical systems, because the diversity is somehow implemented based on the characteristics of the electrical systems themselves. Basically the different diverse systems are the off-site power, we have the turbo generator, which is very different, we have the standby generators, and we have some alternate AC power. So usually we have to really pay attention to having diverse systems at this level, because they are the same type of system, so this is the place where the diversity is of most concern.

Okay, so I think let's stop here; I think it's time for a lunch break. After the lunch we will continue with this presentation. So maybe, are there any questions about what we have seen so far? I hope we will have more time at the end; I will try to go a little bit more quickly, but I think we will finish on time. So there are no questions. I think we have until two o'clock, so at 2 p.m. we will continue with this presentation. Thank you for your attention, and bon appétit.
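Editor's note, added worked example (not part of the lecture, and not the actual plant software): a constructed reproduction of the software common cause failure the speaker describes, where a shared ex-core neutron power reading drops below the working range of a numeric library, is substituted with zero, and a graphical meter that cannot handle zero dies in every division at once. The three identical divisions, the logarithmic gauge scale, the library floor value, the sample ramp and all function names are assumptions made for this illustration. The naive gauge carries the fault that was copied into every division; the hardened gauge shows the input validation that removes it, so the same trigger no longer takes all three divisions out.

```python
import math

# Constructed scale for this example: wide-range neutron power as a fraction of
# nominal, shown on a logarithmic gauge. Values and names are assumptions.
GAUGE_MIN = 1e-9   # bottom of the displayed range
GAUGE_MAX = 2.0    # top of the displayed range
LIB_FLOOR = 1e-7   # below this the (hypothetical) numeric library returns 0.0


def library_normalise(x):
    """Stand-in for a numeric library that substitutes 0.0 for values below its
    working range instead of raising or clamping (assumed behaviour)."""
    return x if x >= LIB_FLOOR else 0.0


def gauge_naive(power):
    """Gauge position in [0, 1] as copied into every division: no input check,
    so math.log10(0.0) raises ValueError and the component stops."""
    span = math.log10(GAUGE_MAX) - math.log10(GAUGE_MIN)
    return (math.log10(power) - math.log10(GAUGE_MIN)) / span


def gauge_hardened(power):
    """Same computation with input validation: a value outside the displayable
    range is clamped to the edge of the scale and the reading is flagged, so
    the component keeps running and the operator can see it is clamped.
    Returns (position, flagged)."""
    flagged = False
    if not math.isfinite(power):
        power, flagged = GAUGE_MIN, True
    elif not GAUGE_MIN <= power <= GAUGE_MAX:
        power, flagged = min(max(power, GAUGE_MIN), GAUGE_MAX), True
    span = math.log10(GAUGE_MAX) - math.log10(GAUGE_MIN)
    return (math.log10(power) - math.log10(GAUGE_MIN)) / span, flagged


class Division:
    """One redundant copy of the display software; a crash is latched, which
    models the meter 'dying' once it receives the bad value."""

    def __init__(self, gauge):
        self.gauge = gauge
        self.alive = True
        self.last = None

    def update(self, raw):
        if not self.alive:
            return
        try:
            self.last = self.gauge(library_normalise(raw))
        except ValueError:
            self.alive = False


def run(samples, gauge, n=3):
    """Feed the one shared measurement to n identical divisions (same code in
    each, the copy-and-paste fault) and return how many are still alive."""
    divisions = [Division(gauge) for _ in range(n)]
    for raw in samples:
        for d in divisions:
            d.update(raw)
    return sum(d.alive for d in divisions)


# Constructed ramp: full power down to the near-zero reading seen with the
# fuel removed from the reactor. The last sample is the common trigger.
SAMPLES = [1.0, 0.3, 1e-2, 1e-5, 1e-8]

if __name__ == "__main__":
    print("naive gauge, divisions alive after ramp:   ", run(SAMPLES, gauge_naive))
    print("hardened gauge, divisions alive after ramp:", run(SAMPLES, gauge_hardened))
    print("hardened reading for the trigger value:    ", gauge_hardened(library_normalise(1e-8)))
```

The fault (no input validation) and the trigger (a value nobody expected in operation) are both needed, exactly as the speaker's fault-and-trigger picture says; with three divisions running the same code and reading the same shared signal, the trigger arrives in all of them in the same cycle, so the three-fold redundancy gives no protection at all. The hardened version keeps running and reports the clamp, which is the detectable, predefined state the fault-tolerance concept asks for.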