Nuclear I&C AI security · Westinghouse PIAM AI · Framatome Teleperm XS AI · GE Hitachi NUMAC AI · NRC 10 CFR Part 50 GDC 13 · IEEE Std 603-2018 · NEI 08-09 Rev. 6 · TMI-2 1979 · RPS trip display AI · Glyphward threshold 25

Nuclear power plant digital I&C AI adversarial injection: how ±8 DN in the rendered RPS trip parameter display suppresses the AI trip advisory that sits above the reactor protection system, and why NRC 10 CFR Part 50 Appendix A GDC 13 has no adversarial robustness criterion for the AI classification layer

On 28 March 1979, the pressuriser level indicator at Three Mile Island Unit 2 read high, near the top of its scale. Operators took this to mean that the primary reactor coolant system held adequate water inventory. In fact, coolant was escaping through a stuck-open relief valve on the pressuriser; as system pressure fell, water in the loops and vessel flashed to steam, and the expanding voids pushed liquid up into the pressuriser. The indicator was reporting a full pressuriser correctly; it was the operators' inference, full pressuriser therefore full system, that no longer held. Acting on that inference, they throttled the high-pressure safety injection that had started automatically and kept it throttled for well over an hour. The core uncovered, cladding temperatures passed the 1,204°C (2,200°F) limit of 10 CFR 50.46 and climbed into the range where fuel melts, and roughly half of the core was destroyed: the worst accident in US commercial nuclear power history. Today, Westinghouse PIAM AI, Framatome Teleperm XS AI, and GE Hitachi NUMAC AI classify reactor protection system trip parameters from rendered display images, the same inferential step the TMI-2 operators performed by reading the pressuriser level indicator. A ±8 DN adversarial pixel shift (DN, digital number: one 8-bit intensity step, so ±8 is about 3% of full scale and barely perceptible to an operator) at the trip parameter display boundary erases the apparent exceedance of a trip setpoint, and the AI classifies an out-of-limit reactor condition as normal operation. The qualified RPS, which compares the same signals against their setpoints in hardwired or qualified digital logic, still trips; what is suppressed is the AI's trip advisory and early warning to the operator, the layer that exists precisely to catch the condition before the trip is needed. NRC 10 CFR Part 50 Appendix A GDC 13 (instrumentation and control) and GDC 20–24 (protection system design criteria), IEEE Std 603-2018 (IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations), and NEI 08-09 Rev. 6 (cyber security plan) together define the most rigorous I&C qualification framework in any industrial sector, but none of them includes an adversarial robustness criterion for the AI systems that classify rendered display images at the interface between the qualified safety I&C chain and the operators or plant computers that use AI for condition assessment. Glyphward threshold 25, the lowest threshold in the portfolio, reflects the GDC 21 single-failure criterion context, the 10 CFR 50.46 core damage consequence, and the TMI-2 structural parallel.

How nuclear digital I&C AI works — and where the adversarial injection surface lives

A nuclear power plant’s Instrumentation and Control (I&C) system monitors and controls the reactor through a layered architecture. At the base layer, qualified nuclear-grade sensors measure safety-critical parameters: reactor coolant system (RCS) temperature at multiple locations in the hot and cold legs, RCS pressure, RCS flow rate (volumetric and mass), neutron flux at multiple radial and axial positions (ex-core detectors and in-core instrumentation assemblies), steam generator water level, feedwater flow, and containment pressure, temperature, and atmospheric composition including hydrogen concentration. These sensors output analog signals (4–20 mA, thermocouple mV, or neutron detector current) that are conditioned and processed through IEEE Std 603-2018-qualified transmitters, isolators, and signal processors operating in the safety I&C cabinet racks in the auxiliary building.

The qualified safety I&C system, the Reactor Protection System (RPS) and Engineered Safety Feature Actuation System (ESFAS), processes these signals through hardwired or qualified digital logic and compares each parameter against its trip setpoint. When a parameter exceeds its setpoint, for example when coolant temperature rises above the overtemperature trip setpoint or neutron flux exceeds the overpower trip setpoint, the RPS actuates: reactor trip breakers open, control rods insert under gravity, and the reactor shuts down. The RPS logic is designed to the single-failure criterion of GDC 21 and IEEE 603: typically four independent measurement channels per trip parameter with 2-of-4 coincidence logic (2-of-3 for some functions), so that no single channel failure can prevent the trip and no single channel failure can, by itself, cause a spurious one.

Above the qualified safety I&C layer sits the plant process computer and SCADA system — and increasingly, AI-assisted condition monitoring platforms. Westinghouse PIAM (Plant Information and Management AI), Framatome Teleperm XS AI operator advisory functions, GE Hitachi NUMAC (Nuclear Measurement and Control) advanced AI modules, and Rolls-Royce I&C AI condition monitoring tools process rendered images of I&C display screens, historian trend plots, and operator panel visualisations to classify plant condition, flag anomalies, and provide decision support to operators. These AI systems operate as a monitoring and advisory layer between the qualified I&C safety system and the control room operators.

The adversarial injection surface is the boundary between each rendered I&C display image and the AI that classifies it. The structural pattern is the same in every nuclear I&C AI monitoring context. Qualified sensors measure safety-critical parameters accurately and transmit correct readings through the qualified signal chain. Those readings are rendered into 2D visualisation images for display and for AI classification. The AI classifiers that provide operator advisory functions and automated condition assessment have been validated against clean, unperturbed display renders under normal and accident conditions, but they have never been evaluated for adversarial robustness at the rendered-image ingestion boundary. The numeric values behind the render are still correct; only the pixels the classifier sees are under the attacker's control.

Three Mile Island Unit 2, 28 March 1979: the structural parallel that defines the adversarial injection consequence envelope

The TMI-2 accident began at 04:00:37 on 28 March 1979, when the secondary-side main feedwater pumps tripped and the steam generators stopped removing heat from the reactor coolant system. Primary pressure rose, the pilot-operated relief valve (PORV) on the pressuriser opened within seconds to relieve it, as designed, and the reactor tripped automatically on high RCS pressure, also as designed. The PORV should have reclosed once pressure fell back below its setpoint. It did not. It remained open for approximately 2 hours and 22 minutes, until operators closed its block valve at about 06:22, discharging reactor coolant at a rate of approximately 220 kg/min into the reactor coolant drain tank and, after the tank's rupture disc failed, into the containment.

The critical instrumentation problem was the pressuriser level indicator. As coolant escaped through the open PORV, the primary system was losing inventory. The pressuriser, a tall vertical vessel connected by a surge line to the hot leg of one primary loop and used to hold system pressure by keeping a steam space over a controlled water volume, is the one place in a PWR primary system where a liquid level is meant to exist, and its level is the operators' normal proxy for total primary inventory. As pressure fell, water in the reactor vessel and loops flashed to steam; the expanding voids displaced liquid through the surge line into the pressuriser, whose indicated level rose towards the top of its scale even as the rest of the system was draining. The level instrument measured pressuriser level correctly. What it could not convey was that the rest of the primary system was filling with steam, so the usual equivalence between a full pressuriser and a full system had broken.

Control room operators saw the high pressuriser level and, consistent with their procedures and training, read it as adequate or excess primary coolant inventory. When the Emergency Core Cooling System's high-pressure injection (HPI) actuated automatically at approximately 04:02 to inject borated water into the primary system, operators throttled it back within minutes (at about 04:05), because a full pressuriser was, in their training, a warning that further injection would take the system solid (liquid-full) and risk an uncontrolled pressure transient. HPI remained throttled for well over an hour while the core drained.

During that time the reactor vessel inventory fell. While the reactor coolant pumps kept running they forced a two-phase steam-water mixture through the core; once the last pumps were stopped at about 06:00, roughly two hours into the event, the mixture separated and the top of the fuel assemblies was exposed above the coolant surface. Cladding temperatures then climbed rapidly past roughly 1,200°C, where the exothermic Zircaloy–steam oxidation reaction, Zr + 2H₂O → ZrO₂ + 2H₂, becomes fast enough that its own heat release drives it further, and on into the range above 2,000°C where fuel and cladding melt and relocate. The reaction produced on the order of 400–500 kg of hydrogen. Hydrogen that escaped through the open PORV path accumulated in the reactor building, where a hydrogen burn at approximately 13:50 on 28 March produced a pressure spike of about 28 psi in containment. Post-accident examination of the core established that roughly half of it had been damaged by cladding oxidation, fuel fragmentation and loss of core geometry, with some 20 tonnes of once-molten material relocated to the lower head: the largest core damage event at any commercial reactor in the United States.

The Kemeny Commission (1979) and the Rogovin Report (1980) identified multiple contributing factors: operator training gaps, control room human factors deficiencies, and inadequate emergency operating procedures. The pressuriser level indicator was identified as a primary informational contributor to the operators' diagnostic failure, not because it was broken but because it displayed a correct quantity (pressuriser level) that operators interpreted as a condition it did not measure (adequate primary coolant inventory).

This is the structural parallel to AI adversarial injection at the nuclear I&C boundary. An AI system that classifies the rendered RPS trip parameter display to decide whether a trip advisory or early warning is warranted is performing the same inferential function the TMI-2 operators performed when they read the pressuriser level indicator: interpreting a rendered representation of physical sensor data to decide whether a safety-critical threshold has been crossed and whether a protective action should be initiated. A ±8 DN adversarial pixel shift applied to the trip parameter display, turning an above-limit rendering into a within-normal one, has the same effect on the classifier that the level indicator had on the operators: the interpreting agent concludes that conditions are safe when they are not. The difference is in the cause. In 1979 the display was physically truthful and the inference was wrong; in the adversarial case the underlying values are correct and the display itself has been falsified between the renderer and the classifier.

Four adversarial injection surfaces: RPS trip parameter display AI, neutron flux monitor AI, primary coolant pump vibration AI, and containment H₂ monitor AI

RPS trip parameter display AI (Westinghouse PIAM AI, Framatome Teleperm XS AI). The Reactor Protection System trip parameter display renders the current values of all RPS-monitored variables, RCS temperature (including the hot-leg to cold-leg ΔT used by the overtemperature and overpower ΔT trips), coolant pressure, neutron flux (as a percentage of rated thermal power), RCS flow rate (as a fraction of nominal), steam generator levels, and calculated departure from nucleate boiling ratio (DNBR), against their trip setpoints. DNBR is the calculated margin between the current local heat flux and the critical heat flux at which nucleate boiling gives way to film boiling: when DNBR falls below the safety analysis limit (1.17 for Westinghouse fuel analysed with the WRB-1 correlation; 1.30 with the older W-3 correlation), heat transfer from the fuel surface collapses and cladding temperature rises rapidly. An AI system classifying this rendered display, trained to recognise the visual pattern of a parameter approaching or exceeding its trip setpoint bar, is in the adversarial injection threat model: a ±8 DN downward shift in the pixels representing the coolant temperature bar or the DNBR trend approaching its limit removes the apparent approach to the setpoint, and the AI classifies current conditions as normal operating margin. The automated trip advisory or early warning function is not triggered; the qualified RPS still trips on the numeric comparison, but the operator has lost the warning that was supposed to come first. The 10 CFR 50.46 limit, peak cladding temperature not to exceed 1,204°C (2,200°F), is the threshold whose violation begins the TMI-2 consequence pathway.

Neutron flux monitor AI (GE Hitachi NUMAC AI, Rolls-Royce I&C AI). Ex-core neutron flux detectors (ion chambers mounted outside the reactor pressure vessel at defined axial positions) and in-core instrumentation (movable or fixed in-core detectors at defined core locations) provide the primary measurement of reactor power. The rendered neutron flux display shows power as a percentage of rated thermal power, with the high-power trip setpoint of the power-range ex-core channels typically at 108–109% of rated power. AI classification of the rendered flux trend display, trained to detect rising power approaching the overpower trip setpoint, is in the adversarial injection threat model: a ±10 DN shift at the rising trend pixels lowers the apparent power from its actual value (above the trip advisory threshold) to a value that looks like normal operating range. The automated overpower early warning is suppressed. The path from undetected overpower to core damage runs through the Zircaloy oxidation reaction, Zr + 2H₂O → ZrO₂ + 2H₂ (ΔH ≈ −590 kJ/mol, rapid above approximately 1,200°C), which generates hydrogen that leaves the primary system with the escaping coolant and accumulates in containment. At Fukushima Daiichi, Zircaloy oxidation in the uncooled cores of Units 1, 2 and 3 produced enough hydrogen to exceed the lower flammability limit (4% by volume in air) in the reactor buildings; the Unit 1 reactor building exploded at 15:36 on 12 March 2011 and the Unit 3 building at 11:01 on 14 March, and hydrogen that had migrated from Unit 3 through shared exhaust ductwork destroyed the Unit 4 reactor building at about 06:00 on 15 March, even though the Unit 4 reactor had been defuelled.

Primary coolant pump vibration trend AI. Primary coolant pumps (reactor coolant pumps, RCPs, in Westinghouse terminology), large vertical-shaft centrifugal pumps that each circulate on the order of 90,000 US gallons per minute of reactor coolant at roughly 290°C and 155 bar, are monitored continuously by vibration sensors (accelerometers and proximity probes) measuring shaft displacement and housing vibration at the bearing locations. Bearing degradation produces a characteristic progression: rising vibration amplitude, changes in the vibration frequency spectrum, and eventually shaft wobble that places the shaft seal package under eccentric loading. Seal failure lets reactor coolant escape from the primary system; in pressurised water reactors, RCP seal failures are a documented small-break loss-of-coolant accident (LOCA) initiator. A ±8 DN adversarial shift in the rendered vibration trend display, pulling the apparent amplitude rise in the bearing frequency band from the alert threshold back into the normal band, causes the AI monitoring system to classify the degradation as normal vibration variation. Planned maintenance (bearing inspection, seal replacement, pump overhaul) is not scheduled, and the bearing continues toward seal failure. A seal LOCA initiates the same inventory-loss sequence as the TMI-2 stuck-open PORV, with the difference that seal leaks typically develop more slowly, leaving more time to respond if the condition is recognised.

Containment H₂ monitor AI. Hydrogen concentration monitors (catalytic or electrochemical H₂ sensors at multiple elevations inside the containment building) measure the hydrogen concentration in the containment atmosphere continuously. NRC GDC 41 (Containment atmosphere cleanup) requires systems to control the concentration of hydrogen and other substances released into containment under accident conditions, and 10 CFR 50.44 sets the combustible gas control requirements that were rewritten after TMI-2. Passive autocatalytic recombiners (PARs), widely fitted in European PWRs, and active hydrogen igniter systems, required in US Mark III BWR and ice-condenser PWR containments, are the engineered controls. Both depend on rising H₂ being recognised: PARs start recombining passively at roughly 1–2% local concentration and need no signal, but confirming that they are keeping up requires the monitors; igniters require operator activation on the basis of H₂ monitor readings. An AI system that watches the rendered containment H₂ concentration trend and flags rising hydrogen is in the adversarial injection threat model: a ±10 DN shift in the trend pixels, pulling an apparent concentration above the 4% LFL alert threshold back below the initial alert level, stops the AI from classifying the containment atmosphere as requiring action. The operator advisory for igniter activation or PAR surveillance is not generated. If H₂ continues to accumulate into the detonation range (approximately 18–59% in air), the Fukushima Unit 1 consequence pathway of hydrogen explosion, reactor building destruction and uncontrolled radiological release becomes the consequence envelope.
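The mechanism shared by the four surfaces above, reduced to a runnable toy. This is an added example, not code from the original page or from any of the vendors it names: the gauge geometry (64×16 pixels, setpoint marker at row 20, bar at 200 DN), the band-mean "classifier" standing in for a CNN, and the attacker's L∞ budget of 8 DN are all constructed for the illustration. The last function is the check a practitioner would want alongside any learned detector: re-render the display from the historian's numeric value, which the attacker has not touched, and diff it against the image the classifier was actually handed.

```python
# Toy model of adversarial suppression on a rendered trip-parameter bar gauge.
# Everything here is constructed for the example: the gauge geometry, the
# classifier, and the attacker. Nothing is vendor code.

H, W = 64, 16            # render size: 64 rows (full scale) x 16 columns, 8-bit greyscale
SETPOINT_ROW = 20        # trip setpoint marker row; row 0 is the top of the scale
BAR_DN = 200             # intensity of the filled bar, in digital numbers (DN)
BAND = range(4, 36)      # rows the toy classifier looks at (32 rows around the setpoint)
EPS_DN = 8               # attacker's L-infinity budget in DN


def render_gauge(value_pct):
    """Reference renderer: bar filled from the bottom up to value_pct of full scale."""
    top = H - int(round(H * value_pct / 100.0))        # first bright row
    return [[BAR_DN if r >= top else 0 for _ in range(W)] for r in range(H)]


def value_for_top_row(top_row):
    """Percent of full scale that puts the bar top exactly at top_row."""
    return 100.0 * (H - top_row) / H


def exceedance_score(img):
    """Stand-in classifier logit: mean DN over the attention band (brighter band = higher bar)."""
    pixels = [px for r in BAND for px in img[r]]
    return sum(pixels) / len(pixels)


# Calibrate the decision threshold on clean renders, as a training pipeline would:
# midpoint between the lowest exceeding case (bar top one row above the marker)
# and the highest non-exceeding case (bar top at the marker).
THRESHOLD = (exceedance_score(render_gauge(value_for_top_row(SETPOINT_ROW - 1)))
             + exceedance_score(render_gauge(value_for_top_row(SETPOINT_ROW)))) / 2.0


def classify(img):
    return "EXCEEDS_SETPOINT" if exceedance_score(img) > THRESHOLD else "NORMAL"


def margin_dn(img):
    """How far this image's score sits from the decision boundary, in DN."""
    return exceedance_score(img) - THRESHOLD


def craft_suppression(img, eps=EPS_DN):
    """Attacker: darken every band pixel by eps, clipped to [0, 255]. L-inf distance <= eps."""
    return [[max(0, min(255, px - eps)) if r in BAND else px for px in row]
            for r, row in enumerate(img)]


def linf_distance(a, b):
    return max(abs(x - y) for ra, rb in zip(a, b) for x, y in zip(ra, rb))


def rerender_linf(img, historian_value_pct):
    """Integrity check: re-render from the authoritative numeric value and diff against the image seen."""
    return linf_distance(img, render_gauge(historian_value_pct))


if __name__ == "__main__":
    marginal = value_for_top_row(SETPOINT_ROW - 1)     # bar one row above the setpoint: the early-warning case
    clean = render_gauge(marginal)
    adv = craft_suppression(clean)
    print("threshold", THRESHOLD, "margin of clean image", margin_dn(clean))
    print("clean:", classify(clean), "| adversarial:", classify(adv),
          "| L-inf distance:", linf_distance(clean, adv))
    print("re-render diff against historian value:", rerender_linf(adv, marginal))
```

With this calibration the minimal exceedance case sits 3.125 DN from the boundary, and an 8 DN budget applied to the 17 bright band rows moves the score by 8·17/32 = 4.25 DN, enough to flip it to NORMAL; a bar two rows above the setpoint has a 9.375 DN margin and survives the same attack. That is the general shape of the problem: an L∞ budget flips exactly the inputs whose margin is smaller than what the budget can move, and the near-setpoint readings an early-warning function exists for are the ones with the smallest margin. Real CNNs have far smaller margins along non-robust input directions, which is why 8/255 is the standard L∞ budget in the adversarial-robustness literature. The re-render diff is available because the architecture described on this page keeps the numeric historian value intact: a re-render from it should match the image the AI was given to within rendering tolerance, and an 8 DN residual is a red flag independent of any learned detector.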

NRC 10 CFR Part 50 GDC 13 and GDC 20–24: the qualification framework and its boundary

NRC 10 CFR Part 50 Appendix A establishes the General Design Criteria (GDC) for nuclear power plant design. The relevant criteria for I&C AI adversarial injection are:

GDC 13 (Instrumentation and Control) requires that instrumentation be provided to monitor variables and systems over their anticipated ranges for normal operation, anticipated operational occurrences and accident conditions as appropriate to assure adequate safety, including the variables and systems that can affect the fission process, the integrity of the reactor core, the reactor coolant pressure boundary, and the containment and its associated systems, and that appropriate controls be provided to maintain those variables and systems within prescribed operating ranges. GDC 13 is the regulatory basis for the complete I&C monitoring architecture. It requires adequate information, but it defines adequacy in terms of the physical measurement chain: sensors, transmitters and display systems that correctly capture and present the physical variable. It says nothing about AI systems that classify rendered images of those displays.

GDC 20–24 (Protection system design criteria) establish the functional, reliability, independence, failure-mode and separation requirements for the Reactor Protection System. GDC 21 (Reliability and Testability) requires that the protection system “shall be designed for high functional reliability and inservice testability commensurate with the safety functions to be performed”, with redundancy and independence sufficient that no single failure results in loss of the protection function. GDC 22 (Independence) requires that the effects of natural phenomena and of normal operating, maintenance, testing and postulated accident conditions on redundant channels not result in loss of the protection function, using functional and component diversity to the extent practical. GDC 23 (Failure Modes) requires that the protection system fail into a safe state, or into a state demonstrated to be acceptable on some other defined basis, on loss of power, disconnection or adverse environments. GDC 24 (Separation of Protection and Control) requires that the protection system be separated from control systems so that a control system failure cannot defeat the protection function.

These criteria apply to the IEEE 603-2018-qualified safety I&C hardware and software that composes the RPS. An AI classification layer operating on rendered display images sits outside the GDC 20–24 qualification boundary: it is not part of the RPS logic, does not actuate trip breakers, and does not receive signals from qualified sensors through qualified signal conditioning. It operates on the rendered 2D visualisation output of the historian, SCADA, or display system — the same output that human operators see. GDC 20–24 single-failure criterion compliance is maintained for the qualified RPS hardware and software. The AI classification layer is simply not in scope.

The qualification gap follows the same pattern documented for railway signalling SIL 4 AI under CENELEC EN 50129 and oil refinery APC AI under OSHA PSM: the physical instrument is qualified against a rigorous standard; the AI that classifies the rendered output of that instrument is not within the standard’s scope. IEEE 603-2018 defines “single failure” in terms of hardware component failure and qualified software error — not in terms of adversarial pixel perturbations at a machine learning classifier’s rendered image ingestion boundary. The single-failure criterion, even when perfectly met by the qualified RPS hardware, provides no protection against adversarial manipulation of the AI layer that sits above it.

IEEE Std 603-2018 and the adversarial robustness gap in nuclear safety system qualification

IEEE Std 603-2018 (IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations) is the primary technical standard referenced by the NRC for nuclear safety-related I&C system design and qualification. It is incorporated by reference into the NRC Standard Review Plan (NUREG-0800) and into the safety analysis chapters of nuclear power plant Final Safety Analysis Reports (FSARs). Its Clause 5 safety system criteria cover the single-failure criterion (Clause 5.1), completion of protective action once initiated, quality, equipment qualification (environmental and seismic, by reference to IEEE 323 and IEEE 344), system integrity, independence of redundant portions, capability for test and calibration, information displays for manually controlled protective actions, control of access, and reliability.

IEEE 603 defines failure as the loss of an item’s ability to perform its required function. The standard’s threat model, developed across IEEE 279-1971 and the 1980, 1991, 1998, 2009 and 2018 editions of IEEE 603, covers hardware failures (open and short circuits, sensor drift, power supply failure, relay coil burnout) and qualified software failures (design errors, specification defects, unintended interactions between qualified software functions). It does not include adversarial machine learning. IEEE 603-2018 was the most recent revision at the time of writing; its development predates the deployment of deep-learning AI in nuclear I&C monitoring systems. No errata, interim guidance, or supplemental standard to IEEE 603 has been issued that addresses adversarial robustness of AI classification systems at rendered I&C display image boundaries.

The NRC has published guidance and planning documents on AI and machine learning in nuclear applications, including NUREG-2261 (Artificial Intelligence Strategic Plan, Fiscal Years 2023–2027) and preliminary regulatory basis work on AI/ML in safety monitoring, but no binding rule, and no endorsement of a standard, requiring adversarial robustness evaluation for AI systems that classify rendered I&C display images has been issued as of 2026. The AI I&C systems deployed by Westinghouse, Framatome, and GE Hitachi are therefore not subject to any regulatory adversarial robustness requirement. They are designed and validated against performance benchmarks on clean, unperturbed rendered display images under normal and design-basis accident conditions, the same validation approach used for every other industrial AI monitoring system in the Glyphward portfolio, with no adversary in the validation threat model.

Glyphward threshold 25 for nuclear power plant digital I&C AI

Glyphward’s adversarial detection API operates as a pre-classification gate at the rendered image ingestion boundary of each nuclear I&C AI classifier: before the RPS trip parameter display AI processes the rendered trip parameter screen image, before the neutron flux monitor AI processes the rendered flux trend display, before the PCP vibration AI processes the rendered vibration trend, and before the containment H₂ monitor AI processes the rendered concentration trend chart. Each rendered image receives a risk score (0–100) in 8–15 ms. At or above threshold 25, Glyphward gates the AI classification and generates an immediate operator alert — without waiting for the monitoring AI to produce a potentially adversarially corrupted advisory output.

We configure this threshold at 25 for all nuclear power plant digital I&C AI contexts — the lowest threshold in the Glyphward portfolio. This is 5 points below the threshold 30 applied to tailings dam and LNG cold box AI, and 10 points below the threshold 35 applied to most industrial process AI. Four factors drive the nuclear I&C threshold.

First, the consequence category. 10 CFR Part 50.46 acceptance criteria violation — peak cladding temperature above 1,204°C — is the threshold for the TMI-2 consequence pathway: core damage, long-term facility loss, potential radiological release. The NRC establishes that violations of these limits in design-basis accident analyses are unacceptable — the entire safety analysis framework is built around preventing this outcome with multiple layers of redundancy, qualification, and single-failure protection. No other industrial sector in the Glyphward portfolio has a regulatory framework that treats the safety-system failure consequence with the same prescriptive determinism as NRC 10 CFR Part 50 and Appendix A GDC.

Second, the single-failure criterion gap is sharpest in the nuclear context. GDC 21 and IEEE 603 require that the protection system be designed so that no single failure prevents the safety function. An adversarial perturbation at the AI classification boundary is not a single failure in the GDC or IEEE 603 sense, but it produces a functional outcome equivalent to a single-failure suppression of an advisory function that exists to get the operator ahead of the trip. The threshold 25 setting reflects that Glyphward’s gate operates in a domain where the regulatory intent is to prevent exactly this outcome, even though the regulatory scope does not currently extend to the AI classification layer.

Third, the TMI-2 structural parallel is uniquely direct. The TMI-2 accident is the most extensively documented example of a misleading instrument display causing operators to suppress a protective action — with core damage as the consequence. No other incident in the industrial safety literature more precisely parallels the adversarial injection threat model at a nuclear I&C AI boundary: in both cases, correct physical sensor data is rendered into a display that appears to indicate safe conditions when it does not, and a decision-maker (human operator in 1979, AI classifier in 2026) interprets that display as safe and suppresses or fails to initiate a protective action. The threshold 25 setting reflects this direct precedent.

Fourth, the false positive cost. A Glyphward gate triggering a threshold-25 alert on a clean nuclear I&C display image requires the operator to perform a manual parameter check — reading the raw instrument values from the qualified I&C panel or DCS display rather than relying on the AI classification. In a nuclear power plant control room, this is standard human factors practice: operators are trained to verify AI or computer advisory outputs against primary displays before taking action. A false positive threshold-25 gate produces a manual verification step — operationally minor. A false negative — adversarially suppressed trip parameter display AI that misclassifies an approaching trip setpoint exceedance as normal operation — produces the TMI-2 consequence pathway.

The Glyphward scan log for each nuclear I&C AI classification event (scan_id, risk score, display type: RPS trip parameter / neutron flux trend / PCP vibration trend / containment H₂ trend, classification decision: passed / gated, perturbation class, timestamp) gives the AI monitoring tool an audit trail that can be cited in the I&C documentation reviewed under NUREG-0800 Standard Review Plan Chapter 7, supports the 10 CFR 50.59 screening and evaluation of AI monitoring tools introduced at licensed facilities, and provides evidence for a Combined License (COL) application or operating licence amendment that the AI classification tools supplementing the qualified I&C system have been screened for adversarial manipulation.
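The gate-and-log sequence this section describes, as an added example that is neither Glyphward’s code nor code from the page. The risk score is taken as an input from an external detector (assumed, not implemented here), the HMAC key shared between the display server and the ingestion point is a constructed placeholder, and the cross-check of the AI label against the historian tag value is the practitioner’s addition, on the principle that an image-derived label must never out-vote the qualified chain’s own number. The sample events are constructed inline; their pixel bytes stand in for a real render.

```python
import hashlib
import hmac
import json
import uuid
from dataclasses import dataclass
from datetime import datetime, timezone

GATE_THRESHOLD = 25                   # risk-score gate used for nuclear I&C contexts
RENDER_KEY = b"constructed-demo-key"  # placeholder; in practice provisioned to the display server


@dataclass
class RenderEvent:
    display_type: str      # "RPS trip parameter" | "neutron flux trend" | "PCP vibration trend" | "containment H2 trend"
    render_bytes: bytes    # pixel bytes exactly as handed to the image classifier
    render_mac: str        # hex HMAC-SHA256 over render_bytes, attached by the display server
    tag_value: float       # numeric value of the same parameter from the historian / qualified chain
    trip_setpoint: float
    ai_label: str          # classifier output: "NORMAL" or "EXCEEDS_SETPOINT"
    risk_score: int        # 0-100 adversarial risk score from the pre-classification detector (external, assumed)
    perturbation_class: str = "none"   # detector's label when it reports one


def sign_render(render_bytes, key=RENDER_KEY):
    """Display-server side: authenticate the pixels before they leave the renderer."""
    return hmac.new(key, render_bytes, hashlib.sha256).hexdigest()


def render_mac_ok(ev, key=RENDER_KEY):
    """Ingestion side: any change to any byte after signing, including a +/-8 DN shift, fails here."""
    return hmac.compare_digest(sign_render(ev.render_bytes, key), ev.render_mac)


def gate(ev, threshold=GATE_THRESHOLD):
    """Return the audit record; decision 'gated' means the AI label is withheld and the operator alerted."""
    reasons = []
    if not render_mac_ok(ev):
        reasons.append("render_integrity_failed")
    if ev.risk_score >= threshold:
        reasons.append("risk_score_at_or_above_threshold")
    if ev.tag_value > ev.trip_setpoint and ev.ai_label != "EXCEEDS_SETPOINT":
        # The qualified chain says the parameter exceeds its setpoint; an image-derived
        # "NORMAL" must not suppress the advisory, whatever the risk score says.
        reasons.append("ai_label_contradicts_qualified_value")
    decision = "gated" if reasons else "passed"
    return {
        "scan_id": str(uuid.uuid4()),
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "display_type": ev.display_type,
        "risk_score": ev.risk_score,
        "perturbation_class": ev.perturbation_class,
        "ai_label": ev.ai_label,
        "tag_value": ev.tag_value,
        "trip_setpoint": ev.trip_setpoint,
        "decision": decision,
        "operator_alert": decision == "gated",
        "reasons": reasons,
    }


def log_line(record):
    """One JSON object per event, for an append-only audit log."""
    return json.dumps(record, sort_keys=True)


def demo_events():
    """Constructed sample events: 300 dark pixels and a 700-pixel bar, signed once by the 'display server'."""
    clean = bytes([0] * 300 + [200] * 700)
    tampered = bytes([0] * 300 + [192] * 700)       # every bar pixel lowered by 8 DN after signing
    mac = sign_render(clean)
    return [
        RenderEvent("RPS trip parameter", clean, mac, 68.5, 70.0, "NORMAL", 9),
        RenderEvent("RPS trip parameter", tampered, mac, 70.4, 70.0, "NORMAL", 12),
        RenderEvent("neutron flux trend", clean, mac, 109.4, 109.0, "NORMAL", 7),
        RenderEvent("containment H2 trend", clean, mac, 3.1, 4.0, "NORMAL", 31, "boundary_shift"),
    ]


if __name__ == "__main__":
    for ev in demo_events():
        print(log_line(gate(ev)))
```

Order matters: integrity first, then the detector’s score, then the numeric cross-check, and a gated event withholds the AI label rather than forwarding it with a warning attached. The HMAC covers only the path between the display server and the ingestion point; a compromised renderer signs whatever it produced, which is why the cross-check against the historian tag belongs in the gate as well. The second sample event shows both controls firing at once, and the third shows the cross-check catching a contradiction the detector scored as benign.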

Free tier — 10 scans/day, no card required. Submit a rendered RPS trip parameter display image from your plant historian or SCADA system to the Glyphward scanner to generate a baseline adversarial risk score for your nuclear I&C AI classification inputs.

FAQ

What is the structural parallel between the Three Mile Island Unit 2 pressuriser level indicator failure in 1979 and AI adversarial injection in nuclear I&C systems?

At TMI-2 on 28 March 1979, the pressuriser level indicator correctly measured pressuriser level, but under the conditions of a stuck-open PORV that level was no longer a reliable proxy for primary coolant inventory: steam forming in the vessel and loops was displacing water into the pressuriser, so the pressuriser read full while the system drained. Operators read the indicator as adequate primary inventory (high level, therefore full pressuriser, therefore a primary system not losing water) and throttled safety injection for well over an hour. The result was damage to roughly half the core. The adversarial injection parallel is close: a ±8 DN pixel perturbation at the RPS trip parameter display AI boundary causes the AI to classify a reactor condition that exceeds a trip setpoint as within normal operating conditions. The AI “reads” the perturbed display as safe and fails to generate the trip advisory or early warning, as the TMI-2 operators read the level indicator as safe and throttled injection. In both cases the underlying physical measurement is correct (neutron flux really is above the setpoint; the pressuriser really was full) but the interpreting agent, working from a representation perturbed by adversarial injection in 2026 and by two-phase physics in 1979, concludes that conditions are safe when they require protective action. The post-TMI-2 NRC response addressed the human factors gap through improved emergency operating procedures, symptom-based emergency procedures (the E-0, E-1, E-2, E-3 series), and control room human factors programmes. The adversarial injection gap at the AI classification boundary has not been addressed in any post-TMI-2 regulatory framework.

What does IEEE Std 603-2018 require for nuclear safety system design — and what is the adversarial robustness gap for AI classification layers?

IEEE Std 603-2018 requires that nuclear safety systems meet the single-failure criterion (any single failure shall not prevent the safety function), be designed for high functional reliability and inservice testability, be electrically and physically separated from non-safety systems, be environmentally and seismically qualified, and fail into a safe state. These requirements apply to the qualified RPS and ESFAS hardware and software — not to AI systems that classify rendered display images of the outputs of those qualified systems. IEEE 603 defines “failure” as loss of ability of an item to perform its required function. An adversarial pixel perturbation at a machine learning classifier’s rendered image ingestion boundary is not a “failure” of the qualified I&C equipment in the IEEE 603 sense: the qualified sensor still measures correctly, the qualified transmitter still transmits correctly, the qualified RPS logic still compares correctly against the setpoint. The AI classification layer — which sits outside the IEEE 603 qualification boundary — classifies the rendered representation of this correct data incorrectly because the rendered image has been adversarially perturbed. The single-failure criterion, applied to the qualified hardware, provides no protection against this classification error. No errata, supplemental guidance, or revised edition of IEEE 603 has addressed adversarial robustness for AI classification systems as of 2026.

How did the Fukushima Daiichi hydrogen explosions in March 2011 establish the consequence envelope for containment H₂ monitor AI adversarial injection?

At Fukushima Daiichi, the 11 March 2011 tsunami caused a station blackout that eliminated active cooling at Units 1 to 4. Core temperatures rose above 1,200°C at Units 1, 2 and 3; the Zircaloy oxidation reaction (Zr + 2H₂O → ZrO₂ + 2H₂) produced on the order of 400–800 kg of hydrogen per unit. The hydrogen leaked from the primary containments into the reactor buildings, where it accumulated above the 4% LFL. The Unit 1 reactor building exploded at 15:36 on 12 March 2011 (destroying the upper structure), Unit 3 at 11:01 on 14 March, and Unit 4 at about 06:00 on 15 March; the Unit 4 reactor was defuelled, and its hydrogen had migrated from Unit 3 through shared exhaust ductwork. The Fukushima explosions were caused by the total loss of active safety systems, not by a monitoring failure. But they establish the documented consequence envelope for the failure mode that containment H₂ monitor AI is meant to prevent in scenarios where the I&C systems remain operational: hydrogen accumulation above the LFL, combustion, reactor building destruction, and uncontrolled radiological release. A ±10 DN adversarial shift in the rendered containment H₂ concentration trend display, pulling an apparent concentration rising above the 4% LFL back to a below-alert level, prevents the AI from generating the advisory for igniter activation or PAR surveillance that would start hydrogen management before the accumulation reaches the detonation range. The consequence pathway after an explosion (reactor building structural failure, loss of shielding, airborne radionuclide release) is Fukushima Unit 1-class.

Why does Glyphward apply threshold 25 for nuclear I&C AI — the lowest in the portfolio?

Threshold 25 reflects four characteristics unique to the nuclear I&C AI context. First, the consequence category: violation of the 10 CFR Part 50.46 acceptance criteria (peak cladding temperature above 1,204°C) initiates the core damage accident pathway documented at TMI-2 (50% core damage, $1.1 billion remediation, facility loss) and bounded above by Fukushima Daiichi (Units 1–3 permanent facility loss, $200+ billion remediation, 12-year prefecture evacuation). Second, the GDC 20–24 single-failure criterion, the most prescriptive protection system reliability requirement in any industrial regulatory framework globally, does not extend to AI classification layers, creating the sharpest regulatory boundary gap in the Glyphward portfolio. Third, the TMI-2 structural parallel is the most direct accident precedent in the portfolio: a misleading I&C display causing suppression of a protective action, with core damage as the consequence, is documented historical fact at a nuclear I&C boundary, not a theoretical attack scenario. Fourth, the false positive cost, a manual parameter verification step by a nuclear control room operator, is the lowest-consequence false positive in the Glyphward portfolio (operators are trained to verify AI advisories against primary instruments as standard practice). Threshold 25 is therefore justified by the combination of maximum consequence, maximum regulatory intent for protection, direct historical precedent, and minimum false positive cost.

What is the NEI 08-09 Rev. 6 cybersecurity baseline — and why does it not address adversarial machine learning attacks at nuclear I&C AI boundaries?

NEI 08-09 Rev. 6 (Cyber Security Plan for Nuclear Power Reactors, April 2010) implements 10 CFR 73.54 (Protection of Digital Computer and Communication Systems and Networks) for US nuclear power plants. Its defensive architecture places Critical Digital Assets (CDAs) in five security levels, 0 to 4, with Level 4 the most secure: CDAs performing safety-related and important-to-safety functions sit in Level 4, and data may flow only from higher to lower levels through deterministic one-way devices (data diodes), so no inbound network path into Level 4 exists. Portable media and mobile devices are controlled under their own technical controls. NEI 08-09 addresses unauthorized digital access (authentication, access control), software integrity (configuration control, change management), removable media (malware prevention, the threat class that Stuxnet, disclosed later in 2010, came to exemplify), and network isolation. It does not address adversarial machine learning. The standard was published in 2010, three years before Szegedy et al.'s foundational adversarial examples paper (2013). The NEI 08-09 threat model is a network-connected adversary attempting to modify safety-critical software or plant parameter setpoints through unauthorized digital access channels. An adversarial pixel perturbation at an AI classification boundary does not require network access to the safety system: it requires only that a perturbed rendered image be presented to the AI classifier at any image ingestion boundary (a SCADA display server, a plant historian render export, a monitoring application screenshot pipeline), all of which sit in the lower security levels. NEI 08-09 network isolation, even perfectly implemented, provides no protection against adversarial perturbations at the rendered-image ingestion boundary of an AI classifier operating outside the Level 4 safety system perimeter. A cybersecurity programme can therefore achieve full NEI 08-09 Rev. 6 conformance while the AI monitoring layer remains unprotected against adversarial injection.
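The following Python model is an added illustration for this page of two things it describes: the mechanism in the RPS and containment H₂ display passages, where a per-pixel shift of a few DN at the rendered-image ingestion boundary suppresses an apparent setpoint exceedance, and the operator cross-check against primary instruments cited under the threshold 25 rationale. It is constructed for this page and is not code from Glyphward, Westinghouse, Framatome or GE Hitachi. It renders a toy bar gauge (assumed 200 pixels of span, background 30 DN, filled 200 DN), reads it back with a linear readout standing in for the AI classifier, applies a worst-case suppression within the page's ±8 DN per-pixel budget, and then runs an independent numeric cross-check. The gauge geometry, intensities, setpoint and tolerance are assumptions; the general point it makes is that any linear readout sums per-pixel shifts, so the effect of an imperceptible perturbation on the reading scales with budget divided by display contrast, not with the per-pixel size.

```python
"""Toy model of the rendered-display ingestion boundary (constructed example).

Pieces: a bar-gauge renderer, a linear readout standing in for the AI
classifier, an L-infinity-bounded adversary (|delta| <= budget DN per pixel),
and the independent cross-check of the AI reading against the numeric value
from the qualified I&C chain. Geometry and intensities are assumptions.
"""
from dataclasses import dataclass

WIDTH = 200          # gauge pixels spanning 0..100 % of instrument span (assumption)
BG, FG = 30, 200     # background / filled intensity in DN (assumption)
DN_BUDGET = 8        # per-pixel budget taken from the page's +/-8 DN figure


def render_gauge(percent: float) -> list[int]:
    """Horizontal bar gauge; the edge pixel is anti-aliased by fractional coverage."""
    fill = percent / 100.0 * WIDTH
    pixels = []
    for x in range(WIDTH):
        coverage = min(1.0, max(0.0, fill - x))   # 1 inside the bar, fraction at edge, 0 beyond
        pixels.append(round(BG + coverage * (FG - BG)))
    return pixels


def ai_read_percent(pixels: list[int]) -> float:
    """Linear readout: recover total filled coverage from intensities.

    Stands in for a learned regressor. Like any linear map over the image it
    adds up per-pixel shifts, which is what makes small L-inf perturbations matter.
    """
    coverage = sum((p - BG) / (FG - BG) for p in pixels)
    return 100.0 * coverage / WIDTH


def classify(percent: float, setpoint: float) -> str:
    """Trip logic applied to a reading: exceedance of the setpoint means TRIP."""
    return "TRIP" if percent >= setpoint else "NORMAL"


def adversarial_suppress(pixels: list[int], budget: int = DN_BUDGET) -> list[int]:
    """Worst-case suppression under an L-inf budget: darken every pixel by `budget` DN.

    Per pixel the change is a few steps on a 0..255 display; in aggregate it
    lowers the linear readout by 100*budget/(FG-BG) percent of span.
    """
    return [max(0, p - budget) for p in pixels]


def max_suppression_percent(budget: int = DN_BUDGET) -> float:
    """Apparent reduction in reading the adversary can buy within `budget` DN per pixel."""
    return 100.0 * budget / (FG - BG)


@dataclass
class Advisory:
    ai_percent: float
    ai_state: str
    raw_state: str
    consistent: bool


def cross_check(pixels: list[int], raw_percent: float, setpoint: float,
                tolerance_percent: float = 2.0) -> Advisory:
    """Independent verification against the qualified chain's numeric value.

    Assumption: the numeric trip parameter is available on the same side of the
    one-way data flow as the rendered display, so the check needs no new network
    path. Any state disagreement, or a reading gap beyond `tolerance_percent`,
    is escalated instead of accepting the image-derived classification.
    """
    ai_pct = ai_read_percent(pixels)
    ai_state = classify(ai_pct, setpoint)
    raw_state = classify(raw_percent, setpoint)
    consistent = ai_state == raw_state and abs(ai_pct - raw_percent) <= tolerance_percent
    return Advisory(ai_pct, ai_state, raw_state, consistent)


if __name__ == "__main__":
    SETPOINT, ACTUAL = 90.0, 93.0        # parameter 3 % of span above the trip setpoint (assumed)
    clean = render_gauge(ACTUAL)
    forged = adversarial_suppress(clean)
    print("clean  :", cross_check(clean, ACTUAL, SETPOINT))
    print("forged :", cross_check(forged, ACTUAL, SETPOINT))
    print(f"max suppression at {DN_BUDGET} DN: {max_suppression_percent():.2f} % of span")
    print(f"max suppression at 10 DN: {max_suppression_percent(10):.2f} % of span")
```

With the assumed contrast of 170 DN, an 8 DN budget buys about 4.7% of span and a 10 DN budget about 5.9%, which is why a parameter sitting 3% above its setpoint reads as NORMAL after the perturbation while the numeric cross-check still returns TRIP and flags the disagreement. Raising the rendered contrast shrinks the attacker's leverage proportionally; comparing against the numeric value removes it for this failure mode entirely.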
