
Prompt injection in nuclear power plant digital instrumentation and control (I&C) AI

Nuclear power plants — facilities generating electrical power through controlled fission of enriched uranium or mixed oxide fuel in a light-water reactor (pressurised water reactor, PWR, or boiling water reactor, BWR) core — operate under the most stringent safety regulatory framework of any industrial sector globally. A typical 1,000 MWe PWR operates with approximately 193 fuel assemblies containing 18–20 tonnes of enriched uranium dioxide at a power density of approximately 100 kW/litre of core volume, sustained coolant temperatures of 290–325°C at pressures of 155 bar (PWR primary circuit) or 70 bar (BWR), and a neutron flux in the reactor core of approximately 10³³ neutrons/cm²/s. The combination of high thermal power density, high-pressure coolant systems, and the inventory of fission products accumulated in the fuel over an operating cycle creates the potential for severe accidents — loss-of-coolant accidents (LOCAs), reactivity insertion accidents, and steam generator tube ruptures — that can result in core damage, release of radioactive fission products from the fuel cladding, and, in the most severe scenarios, containment failure and release to the environment. The 1979 Three Mile Island Unit 2 accident (Pennsylvania, USA) — a loss-of-coolant accident initiated by a stuck-open pilot-operated relief valve (PORV) combined with operator suppression of safety injection signals based on a misleading pressuriser level indication — resulted in approximately 50% core damage and release of radioactive krypton-85 to the environment. The 2011 Fukushima Daiichi accident (Japan) — a station blackout following the Tōhoku earthquake and tsunami that disabled emergency diesel generators — resulted in core damage in units 1, 2, and 3, hydrogen explosions in the reactor buildings of units 1, 3, and 4, and the release of approximately 1.7 × 10¹²¹ Bq of caesium-137 to the environment. 
Digital instrumentation and control (I&C) systems for nuclear power plants — including the Westinghouse Protective and Important-to-Mitigation (PIAM) AI system, Framatome Teleperm XS digital I&C platform, GE Hitachi Nuclear Measurement and Control (NUMAC) system, and proprietary AI overlay systems from Rolls-Royce, Siemens Energy, and AREVA — process rendered images from reactor protection system (RPS) trip parameter displays, neutron flux monitoring systems, primary coolant pump (PCP) cavitation and vibration trend displays, and containment hydrogen concentration monitors to classify reactor safety state and drive automatic safety actuation. The NRC regulatory framework for nuclear I&C — 10 CFR Part 50 Appendix A General Design Criteria (GDC) 13, 20, 21, 22, and 24; IEEE Std 603-2018 (Criteria for Safety Systems for Nuclear Power Generating Stations); RG 1.152 Rev. 3 (Criteria for Use of Computers in Safety Systems); and NEI 08-09 Rev. 6 (Cyber Security Plan for Nuclear Power Reactors) — specifies independence, redundancy, diversity, and security requirements for safety I&C functions but does not explicitly address adversarial robustness requirements for AI systems that process rendered instrument displays at the classification layer.

TL;DR

Nuclear power plant digital I&C AI (reactor protection system trip display AI, neutron flux monitor AI, primary coolant pump cavitation trend AI, and containment hydrogen concentration AI) processes rendered instrument displays at classification boundaries where adversarial pixel injection can suppress reactor trip signals, coolant system anomaly indicators, and safety actuation triggers. The NRC framework (10 CFR Part 50 Appendix A GDC 13; IEEE Std 603-2018; RG 1.152; NEI 08-09 Rev. 6) specifies redundancy, independence, and cyber security requirements for nuclear safety I&C but does not specify adversarial robustness requirements for AI systems classifying rendered parameter displays. Three Mile Island 1979 (partial core melt from misleading pressuriser level display) and Fukushima 2011 (core damage from station blackout with hydrogen explosion) establish the documented consequence envelope for suppressed safety signal classification in nuclear I&C contexts. Glyphward applies threshold 25 to nuclear power plant I&C AI contexts (core damage frequency consequence; NRC defence-in-depth requirement that no single failure shall prevent safety function performance; 10 CFR Part 50.46 peak cladding temperature limit 1,204°C).

Four adversarial injection surfaces in nuclear power plant digital I&C AI

1. Reactor protection system (RPS) trip parameter display AI (Westinghouse PIAM AI, Framatome Teleperm XS AI, GE NUMAC AI — RPS trip setpoint display classification)

The reactor protection system (RPS) is the safety-critical system responsible for initiating a rapid reduction of reactor power — a reactor trip (scram) — when monitored process parameters reach predetermined safety setpoints. In a 1,000 MWe PWR, the primary RPS trip parameters include: high neutron flux (100–118% rated thermal power, indicating reactivity insertion or coolant flow reduction); low reactor coolant system (RCS) pressure (150 bar in a PWR operating at 155 bar, indicating a loss-of-coolant accident or steam generator tube rupture); high RCS pressure (172 bar, indicating loss of heat sink or pressuriser heater runaway); low primary coolant flow (87% of rated flow per loop, indicating pump trip or flow blockage); high coolant temperature (overtemperature ΔT or overpower ΔT functions, protecting against DNB — departure from nucleate boiling — which produces film boiling on the fuel cladding, degrading heat transfer and initiating fuel damage); and high-high steam generator water level (75% narrow-range span, protecting against steam generator flooding and water hammer in the main steam lines). In modern digital I&C architectures — such as the Westinghouse PIAM digital I&C system deployed in AP1000 units at Vogtle (Georgia) and Sanmen/Haiyang (China), and the Framatome Teleperm XS system deployed in European PWRs including Olkiluoto 3 (Finland) — AI overlay systems process rendered parameter displays from the main control room (MCR) workstations and safety system HMI consoles to classify plant safety state and provide operator advisory functions. 
These AI systems process rendered images of analog and digital parameter trend displays — real-time strip chart renders of RCS pressure, coolant temperature, neutron flux (% rated thermal power), and feedwater flow — to classify plant operational envelope status: normal, off-normal (abnormal operating procedure initiation required), emergency (emergency operating procedure initiation required), or beyond-design-basis (severe accident management guideline initiation required).

An adversarial perturbation on a rendered RPS parameter display image that suppresses a trip setpoint exceedance — applying a ±8 DN downward shift to the pixel region encoding the parameter trend line at or above the trip setpoint reference line (lowering the apparent trend trace from the trip setpoint zone to the normal operating band) — causes the I&C AI to classify an actual reactor trip condition as normal plant operation, suppressing the automatic safety function classification that would drive the operator advisory and, in integrated I&C architectures, the automated actuation signal. At Three Mile Island Unit 2 (28 March 1979), the primary initiating cause of the accident was the suppression of low-pressure safety injection signals by operators who misread the pressuriser level — the PORV had stuck open, draining the primary circuit, but the pressuriser level indicator was rising (steam accumulation in the pressuriser following PORV opening gave a false high-level reading). Operators shut off safety injection for more than 90 minutes based on the misleading pressuriser level display, allowing the core to uncover and sustain partial meltdown. In a modern AI-assisted I&C context, an adversarial injection that suppresses the low-RCS-pressure signature on the rendered parameter display creates the TMI-2 scenario digitally: the AI classifies the LOCA-progression RCS pressure decline as normal operating pressure variation, suppressing the emergency operating procedure advisory that would initiate safety injection. NRC GDC 13 (10 CFR Part 50 Appendix A) requires instrumentation to monitor variables over their anticipated ranges for normal operation, off-normal operation, and design basis events — but does not address adversarial robustness of AI systems classifying rendered instrument data.

2. Neutron flux monitoring system AI (ex-core neutron detector display AI — Rolls-Royce Neutron Monitoring AI, Mirion Technologies NUMAC AI, Reuter-Stokes detector array AI)

Neutron flux monitoring — continuous measurement of the thermal and fast neutron flux levels in the reactor core using ex-core ionisation chambers and fission chambers installed outside the reactor vessel in the neutron flux monitoring wells — provides the primary indication of reactor power level and the rate of change of power level (power range, intermediate range, and source range monitoring). The neutron flux monitoring system is one of the primary inputs to the reactor protection system trip logic: a high neutron flux signal — indicating that reactor power has exceeded 118% of rated thermal power — initiates an automatic reactor trip independent of coolant temperature or pressure signals. In digital I&C contexts, neutron flux monitoring AI systems process rendered images of the neutron flux monitoring display — real-time strip charts or bar-graph displays of power range (% rated thermal power from 0–125%), intermediate range (neutron flux decades, covering startup to approximately 10% rated power), and source range (counts per second, covering subcritical to approximately 10ⁱ cps) — to classify reactor power state: subcritical, startup, low power, full power, or overpower (above 100% rated thermal power). In power uprate programmes — where licensed power output is increased by 5–20% above the original design basis, as approved by the NRC for many US PWR and BWR units — the overpower ΔT trip setpoint and the neutron flux high trip setpoint must be re-evaluated to ensure adequate safety margins at the uprated power level; AI systems processing neutron flux displays post-uprate must have their classification thresholds updated to reflect the new rated thermal power value.

An adversarial perturbation on a rendered neutron flux display image that suppresses a high neutron flux exceedance — applying a ±10 DN downward shift to the pixel region encoding the power range display bar or trend line above 100% rated thermal power (reducing the apparent bar height or trend line elevation from the overpower zone to the normal operating band at 95–100%) — causes the neutron flux monitoring AI to classify an actual reactor overpower condition as normal full-power operation, suppressing the overpower advisory and any integrated RPS trip actuation advisory. The consequence of an undetected overpower transient depends on the duration and magnitude of the overpower excursion: at power levels above the departure-from-nucleate-boiling ratio (DNBR) limit — the ratio of heat flux at which film boiling begins to the actual local heat flux — fuel cladding surface temperatures rise rapidly above the 10 CFR Part 50.46 limit of 1,204°C (2,200°F) peak cladding temperature, initiating zirconium-water reactions at temperatures above approximately 1,200°C: Zr + 2H₂O → ZrO₂ + 2H₂. The hydrogen generated by zirconium-water reactions in the Fukushima Daiichi units 1, 2, and 3 cores — following core uncovery due to loss of cooling after the station blackout — accumulated in the reactor building spaces and ignited, producing the hydrogen explosions that damaged the unit 1, 3, and 4 reactor buildings on 12–15 March 2011. Adversarial suppression of a neutron flux overpower indication during a reactivity insertion accident extends the duration of the overpower transient, increasing the hydrogen generation potential from zirconium-water reactions if coolant boiling reduces reactor heat removal during the transient.

3. Primary coolant pump (PCP) cavitation and vibration trend display AI (Sulzer PCP monitoring AI, Siemens Energy pump vibration AI, plant historian trend display AI — OSIsoft PI RDBMS display AI)

Primary coolant pumps — the large centrifugal pumps (typically 5–8 MW motor power in a 1,000 MWe PWR) that circulate reactor coolant through the primary circuit at flow rates of 5,000–7,000 tonnes per hour per loop — are safety-critical components of the reactor coolant system. Loss of primary coolant flow — whether from pump trip, pump cavitation (loss of net positive suction head leading to vapor bubble formation in the pump impeller and rapid flow reduction), or pump seal failure leading to primary circuit leakage — reduces reactor core heat removal and initiates a reactor trip on low-coolant-flow or high coolant temperature. PCP vibration monitoring — continuous measurement of shaft vibration (radial and axial displacement, in mil peak-to-peak and mm/s RMS) and motor bearing temperature at each of the primary coolant pumps — provides early indication of developing mechanical defects: bearing degradation, impeller rub, pump seal wear, or cavitation damage to impeller blades. Digital I&C AI systems process rendered trend display images from the plant process historian (OSIsoft PI, Aspentech AspenOne, or proprietary plant data historian) — strip chart renders of shaft vibration level (mil pp), bearing temperature (°C), and coolant flow rate (%) over rolling 24-hour windows — to classify PCP mechanical health: normal, elevated vibration (inspection required at next planned outage), high vibration (accelerated monitoring required), and trip-threshold (pump automatic trip and reactor trip initiation).

An adversarial perturbation on a rendered PCP vibration trend display image that suppresses a rising vibration trend — applying a ±8 DN downward shift to the pixel region encoding the vibration trend line approaching the high-vibration or trip-threshold alarm level (normalising the apparent trend trace to the normal operating vibration band) — causes the PCP health monitoring AI to classify a developing bearing failure or cavitation event as normal pump operation, suppressing the maintenance recommendation and the operator alert that would initiate manual vibration checks or pump speed reduction before the vibration reaches the automatic trip threshold. If the pump then trips automatically on high vibration — after the adversarially suppressed AI has allowed the vibration to continue rising through the pre-trip range — the primary coolant flow loss initiates a low-flow reactor trip. In a single-loop trip scenario, the reactor protection system trips the reactor and initiates emergency feedwater automatically. However, if the pump trip is accompanied by seal failure — a consequence of operating a PCP with a bearing in advanced degradation — primary circuit leakage from the pump seal becomes a small-break LOCA, requiring safety injection. Adversarial suppression of the PCP vibration trend eliminates the pre-trip maintenance window during which a controlled pump shutdown and seal inspection could prevent the escalation from bearing degradation to seal failure and small-break LOCA. IEEE Std 603-2018 (Criteria for Safety Systems) requires that safety-related I&C systems meet single-failure criteria but does not specify adversarial robustness requirements for AI systems classifying rendered PCP vibration data.

4. Containment hydrogen concentration monitor display AI (containment atmosphere AI — Siemens Energy HIDAC AI, Vaisala containment hydrogen AI, Areva containment monitoring AI)

Containment hydrogen monitoring — continuous measurement of hydrogen concentration (% by volume) in the containment atmosphere of a nuclear power plant — is a safety-critical monitoring function required by 10 CFR Part 50 Appendix A GDC 41 (Containment Atmosphere Cleanup) and 10 CFR Part 50 Appendix E (Emergency Planning) following the TMI-2 accident, where a hydrogen bubble formed in the reactor vessel dome from zirconium-water reactions in the damaged core. The NRC requires that hydrogen concentration in the containment be maintained below 4% by volume (the lower flammability limit of hydrogen in air) during and after design-basis accident conditions, and that containment hydrogen recombiners (passive autocatalytic recombiners, PARs, or active thermal recombiners) actuate automatically to maintain hydrogen below flammable concentrations. In the Fukushima Daiichi accident, hydrogen produced by zirconium-water reactions in the Unit 1 core migrated through the reactor building HVAC systems into the reactor building atmosphere and accumulated above 4% H₂ by volume, detonating on 12 March 2011 and destroying the unit 1 reactor building superstructure. Containment hydrogen monitoring AI systems process rendered images of the containment atmosphere hydrogen concentration display — strip chart renders or bar displays of H₂ concentration (% vol) measured at multiple containment zones by catalytic hydrogen sensors (such as the Siemens Energy HIDAC or Vaisala H₂ sensor arrays) — to classify containment atmosphere flammability state: non-flammable (below 4% H₂), approaching flammable limit (hydrogen recombiner actuation advisory), flammable (immediate recombiner actuation, access restriction, containment isolation advisory), and detonation risk (above 18% H₂; immediate severe accident management guideline initiation required).

An adversarial perturbation on a rendered containment hydrogen concentration display image that suppresses a rising hydrogen concentration — applying a ±10 DN downward shift to the pixel region encoding the H₂ concentration trend line or bar above the 4% flammability threshold (reducing the apparent concentration display from the flammable range to the non-flammable baseline zone below 2%) — causes the containment monitoring AI to classify an actual flammable hydrogen accumulation event as normal post-accident containment atmosphere conditions, suppressing the passive autocatalytic recombiner actuation advisory and the containment access restriction. In the Fukushima Daiichi Unit 1 scenario, hydrogen accumulation in the reactor building proceeded to detonation without effective monitoring of the reactor building atmosphere after the station blackout disabled normal monitoring systems — in a modern digitally instrumented plant with AI-based containment monitoring, adversarial suppression of the hydrogen concentration display would produce the same outcome (hydrogen accumulation to detonation without automated intervention) even when monitoring systems remain powered. The regulatory gap: 10 CFR Part 50 Appendix A GDC 41 requires that containment atmosphere cleanup systems — including hydrogen control systems — be provided; NEI 08-09 Rev. 6 requires cyber security controls for nuclear I&C systems including deterministic latency and access controls; neither specifies adversarial robustness requirements for AI systems classifying rendered hydrogen concentration display images.

Integration: nuclear power plant I&C AI scanning with Glyphward pre-scan gate

The Glyphward scan gate for nuclear power plant I&C AI belongs at every rendered-image ingestion boundary in the nuclear I&C AI pipeline — before RPS trip parameter display AI processes rendered parameter strip chart images, before neutron flux monitoring AI processes rendered power range display images, before PCP vibration trend AI processes rendered historian strip chart images, and before containment hydrogen monitor AI processes rendered concentration display images. Threshold 25 for nuclear I&C AI contexts reflects the NRC defence-in-depth framework (GDC 20–24: no single failure shall prevent safety function performance) applied to AI classification layers — a lower threshold than industrial process AI (35) or critical infrastructure AI (30) because the NRC regulatory basis for nuclear safety I&C requires single-failure-proof performance at every barrier.

import asyncio, base64, hashlib, json
from datetime import datetime, timezone
from enum import Enum
from pathlib import Path

import httpx

GLYPHWARD_API_KEY = "YOUR_GLYPHWARD_API_KEY"
GLYPHWARD_SCAN_URL = "https://glyphward.com/v1/scan"

# Nuclear power plant I&C AI contexts: threshold 25
# NRC 10 CFR Part 50 Appendix A GDC 13, 20, 21, 22, 24, 41;
# IEEE Std 603-2018; NRC RG 1.152 Rev. 3; NEI 08-09 Rev. 6.
NUCLEAR_IC_THRESHOLD = 25


class NuclearICContext(Enum):
    RPS_TRIP_DISPLAY    = "rps_trip_display"    # Reactor protection trip parameter AI
    NEUTRON_FLUX        = "neutron_flux"         # Power range / ex-core detector AI
    PCP_VIBRATION       = "pcp_vibration"        # Primary coolant pump cavitation AI
    CONTAINMENT_H2      = "containment_h2"       # Containment hydrogen monitor AI


class AdversarialNuclearICImageError(Exception):
    """Raised when Glyphward detects adversarial content in a nuclear I&C
    AI rendered display image above threshold 25.

    Consequence if not raised:
    - RPS_TRIP_DISPLAY: trip setpoint exceedance suppressed → delayed
      reactor scram → departure from nucleate boiling (DNB) at 1,204°C
      peak cladding temperature limit (10 CFR Part 50.46) → fuel damage.
    - NEUTRON_FLUX: overpower condition suppressed → zirconium-water
      reaction → H2 generation; Fukushima Unit 1 mechanism (hydrogen
      explosion, reactor building destruction).
    - PCP_VIBRATION: bearing failure suppressed → pump seal failure →
      small-break LOCA; safety injection actuation required.
    - CONTAINMENT_H2: flammable H2 accumulation suppressed → detonation
      above 18% H2 vol; Fukushima Unit 1/3 hydrogen explosion mechanism.
    Fail-safe: halt automated nuclear I&C AI classification; require
    independent manual parameter verification and shift supervisor review
    per EOPs before resuming AI-driven safety advisory functions.
    """

    def __init__(self, scan_id: str, score: int,
                 context: NuclearICContext,
                 plant_id: str, unit_id: str,
                 flagged_region: dict | None = None) -> None:
        self.scan_id = scan_id
        self.score = score
        self.context = context
        self.plant_id = plant_id
        self.unit_id = unit_id
        self.flagged_region = flagged_region
        super().__init__(
            f"Adversarial nuclear I&C image: "
            f"context={context.value} score={score} "
            f"plant={plant_id} unit={unit_id} scan_id={scan_id}"
        )


async def scan_nuclear_ic_image(
    image_bytes: bytes,
    context: NuclearICContext,
    plant_id: str,
    unit_id: str,
    client: httpx.AsyncClient,
) -> dict:
    """Scan a nuclear I&C AI rendered display image for adversarial content.

    Fail-safe contract: AdversarialNuclearICImageError or httpx error →
    halt nuclear I&C AI classification for the affected parameter group;
    require shift supervisor verification against independent instruments
    (per NRC RG 1.152 Rev. 3 diversity requirements) before resuming
    AI-driven safety advisory or automated actuation advisory functions.
    """
    image_hash = hashlib.sha256(image_bytes).hexdigest()
    payload = {
        "image": base64.b64encode(image_bytes).decode(),
        "source": f"nuclear_ic:{context.value}:{plant_id}:{unit_id}",
        "metadata": {
            "plant_id": plant_id,
            "unit_id": unit_id,
            "context": context.value,
            "image_sha256": image_hash,
        },
    }
    resp = await client.post(
        GLYPHWARD_SCAN_URL,
        headers={"Authorization": f"Bearer {GLYPHWARD_API_KEY}"},
        json=payload,
        timeout=4.0,
    )
    resp.raise_for_status()
    result = resp.json()

    if result["score"] > NUCLEAR_IC_THRESHOLD:
        raise AdversarialNuclearICImageError(
            scan_id=result["scan_id"],
            score=result["score"],
            context=context,
            plant_id=plant_id,
            unit_id=unit_id,
            flagged_region=result.get("flagged_region"),
        )
    return result

Deploy scan_nuclear_ic_image at each nuclear I&C AI rendered-display ingestion boundary: before RPS trip parameter display AI (threshold 25), before neutron flux monitoring AI (threshold 25), before PCP vibration trend historian display AI (threshold 25), and before containment hydrogen monitor AI (threshold 25).

On AdversarialNuclearICImageError for RPS_TRIP_DISPLAY context: immediately suspend AI-driven safety advisory functions; verify RPS parameter status against independent instruments (redundant RCS pressure, neutron flux, and coolant temperature channels per IEEE Std 603-2018 redundancy requirements); notify shift supervisor and shift technical advisor per Emergency Operating Procedure (EOP) entry conditions before resuming AI classification.

See also: railway signalling AI prompt injection (related sole-barrier safety-critical AI adversarial gap) and SCADA ICS prompt injection (related industrial control system adversarial injection context).

Related questions

What happened at Three Mile Island in 1979, and how does it create the template for RPS display AI adversarial injection?

The Three Mile Island Unit 2 accident (28 March 1979) was initiated by a loss of feedwater flow to the steam generators, followed by a stuck-open pressuriser pilot-operated relief valve (PORV) that was not indicated as failed-open on the control room display (the indicator light showed the PORV solenoid was de-energised — not that the PORV itself had closed). As primary coolant drained through the stuck-open PORV, the pressuriser level rose (steam bubble forming below the water level) and the pressuriser level indicator read high. Operators, trained to avoid "solid pressuriser" conditions (primary circuit filled entirely with water, which could produce pressure surges), shut off the high-pressure safety injection system for more than 90 minutes based on the misleading high-pressuriser-level indication — allowing the core to partially uncover and sustain approximately 50% core damage. The structural parallel for RPS display AI adversarial injection: a ±8 DN suppression of the low-RCS-pressure trend line on the rendered parameter display creates exactly the TMI-2 scenario — the AI classifies the LOCA-signature RCS pressure decline as normal pressure variation, and the operator advisory suppression allows the LOCA progression to continue without safety injection initiation. The NRC incorporated the TMI-2 lessons into 10 CFR Part 50 Appendix B and RG 1.97 (Instrumentation for Light-Water-Cooled Nuclear Power Plants) to ensure operators have reliable post-accident monitoring — but RG 1.97 addresses instrument qualification and display availability, not adversarial robustness of AI classification layers.

What is the NRC regulatory framework for nuclear power plant digital I&C cyber security, and what adversarial gap does it leave?

NEI 08-09 Rev. 6 (Cyber Security Plan for Nuclear Power Reactors), endorsed by the NRC in Regulatory Guide 5.71, establishes the cyber security framework for nuclear power plant digital I&C systems. It requires that nuclear I&C systems be categorised into four security levels (Level 4: safety-critical systems; Level 3: important-to-safety; Level 2: non-safety; Level 1: no nuclear safety role), with strict controls on data flow between levels including one-way data diodes between Level 4 and lower-level networks. NEI 08-09 also requires deterministic communications (no unnecessary communications protocols on safety-level networks), physical access controls, and periodic cyber security assessment. The adversarial gap: NEI 08-09 Rev. 6 addresses traditional cyber security threats — unauthorised access, malware, data modification at the protocol/data level. It does not address adversarial perturbations applied to rendered image data before that data enters an AI classification layer — an attack that does not modify the underlying instrument data (which the traditional security perimeter protects) but modifies the pixel representation of that data as it is rendered for AI processing. This adversarial surface exists entirely within the AI classification layer, above the secure data boundary, making it invisible to traditional cyber security controls.
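
Because the gap described above leaves the underlying instrument data untouched and alters only its pixel representation, one check at the ingestion boundary is to re-render the chart from the channel samples, compare it with the image handed to the classifier, and reject any AI label that disagrees with the numbers. The sketch below is an added example, not Glyphward's or any vendor's code; the chart geometry, DN values, tolerance, two-state labels and all function names are assumptions, and only the 155 bar and 150 bar figures come from the page.

```python
from __future__ import annotations

from dataclasses import dataclass

# From the page: PWR primary circuit runs at 155 bar; low-RCS-pressure trip at 150 bar.
LOW_RCS_PRESSURE_TRIP_BAR = 150.0

# Assumed chart format for this sketch (not any vendor's display format).
WIDTH, HEIGHT = 60, 40                 # pixels; one column per sample
P_MIN, P_MAX = 140.0, 160.0            # vertical axis range in bar
BACKGROUND_DN, SETPOINT_DN, TRACE_DN = 16, 120, 230
TOLERANCE_DN = 2                       # per-pixel slack; assumes a lossless capture path


def row_for(pressure_bar: float) -> int:
    """Map a pressure to a pixel row (row 0 is the top of the chart)."""
    clamped = min(max(pressure_bar, P_MIN), P_MAX)
    return round((P_MAX - clamped) / (P_MAX - P_MIN) * (HEIGHT - 1))


def render(samples: list[float]) -> list[list[int]]:
    """Reference renderer: setpoint line, then one trace pixel per sample."""
    img = [[BACKGROUND_DN] * WIDTH for _ in range(HEIGHT)]
    img[row_for(LOW_RCS_PRESSURE_TRIP_BAR)] = [SETPOINT_DN] * WIDTH
    for x, pressure in enumerate(samples):
        img[row_for(pressure)][x] = TRACE_DN
    return img


def numeric_state(samples: list[float]) -> str:
    """Two-state simplification of the page's envelope classes, from numbers only."""
    return "trip_condition" if min(samples) <= LOW_RCS_PRESSURE_TRIP_BAR else "normal"


@dataclass
class Verdict:
    accept: bool
    reason: str
    max_delta_dn: int
    flagged_region: tuple[int, int, int, int] | None  # (x0, y0, x1, y1)
    numeric_state: str


def verify(samples: list[float], image: list[list[int]], ai_label: str) -> Verdict:
    """Accept the AI label only if the image matches the data and the label does too."""
    if len(samples) != WIDTH or len(image) != HEIGHT or any(len(r) != WIDTH for r in image):
        return Verdict(False, "shape_mismatch", 0, None, "unknown")
    state = numeric_state(samples)
    reference = render(samples)
    max_delta, xs, ys = 0, [], []
    for y in range(HEIGHT):
        for x in range(WIDTH):
            delta = abs(image[y][x] - reference[y][x])
            max_delta = max(max_delta, delta)
            if delta > TOLERANCE_DN:
                xs.append(x)
                ys.append(y)
    if xs:
        region = (min(xs), min(ys), max(xs), max(ys))
        return Verdict(False, "render_mismatch", max_delta, region, state)
    if ai_label != state:
        return Verdict(False, "label_disagrees_with_channel_data", max_delta, None, state)
    return Verdict(True, "ok", max_delta, None, state)


def constructed_samples() -> list[float]:
    """Constructed data: RCS pressure declining from 155 bar to 147 bar."""
    return [155.0 - 8.0 * i / (WIDTH - 1) for i in range(WIDTH)]


def constructed_altered_capture(samples: list[float]) -> list[list[int]]:
    """Constructed test fixture: the reference render with a uniform 8 DN offset
    in one rectangle, standing in for a capture that no longer matches its data."""
    img = [row[:] for row in render(samples)]
    for y in range(10, 31):
        for x in range(40, 60):
            img[y][x] -= 8
    return img


if __name__ == "__main__":
    data = constructed_samples()
    print(verify(data, render(data), "trip_condition"))
    print(verify(data, render(data), "normal"))
    print(verify(data, constructed_altered_capture(data), "normal"))
```

A lossy capture path (for example JPEG screenshots) forces a wider tolerance, which can hide shifts of the ±8 DN size discussed on this page, so the comparison is only meaningful on raw or losslessly encoded frames.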

What are IEEE Std 603-2018 requirements for nuclear I&C, and how do they interact with AI system classification layers?

IEEE Std 603-2018 (Criteria for Safety Systems for Nuclear Power Generating Stations) is the primary design standard for nuclear safety I&C systems in the US, endorsed by the NRC in Regulatory Guide 1.152 Rev. 3. It requires: (1) single-failure criterion — no single failure within the safety system shall prevent it from performing its safety function; (2) redundancy — a minimum of two independent trains of safety functions, with physical separation to prevent common-cause failures; (3) independence — safety functions shall not share logic or power with non-safety systems in ways that could prevent safety function performance; (4) qualified power sources — safety systems shall have emergency power (uninterruptible power supply, diesel generator) independent of normal plant power. For AI overlay systems that process safety parameter displays: IEEE Std 603-2018’s single-failure criterion applies to the safety-classified instrument channels providing the raw data — but an AI classification layer that aggregates safety parameter displays and provides operator advisories is typically categorised as non-safety (Level 2 or Level 3 in NEI 08-09 terms) to avoid the full qualification burden of IEEE Std 603-2018. This classification as non-safety means the AI advisory layer does not need to meet the same redundancy, single-failure, or adversarial robustness requirements as the safety-classified instrument channels.

What caused the Fukushima Daiichi hydrogen explosions, and how does containment hydrogen AI suppression replicate that mechanism?

At Fukushima Daiichi on 11 March 2011, the Tōhoku earthquake and subsequent tsunami disabled all AC power at the plant, including emergency diesel generators, initiating a station blackout that removed all cooling from the reactor cores of units 1, 2, and 3. As the coolant in each unit boiled away, the fuel cladding temperature rose above approximately 1,200°C, initiating zirconium-water reactions (Zr + 2H₂O → ZrO₂ + 2H₂) that generated large quantities of hydrogen. The hydrogen migrated through the HVAC pathways into the reactor building atmosphere above the containment structure and accumulated to concentrations above the 4% lower flammability limit. Hydrogen detonations destroyed the unit 1 reactor building superstructure on 12 March and the unit 3 building on 14 March; a unit 4 building explosion (fed by hydrogen from unit 3 through a shared exhaust duct) occurred on 15 March. In a modern digitally instrumented plant with AI-based containment hydrogen monitoring: adversarial suppression of the containment H₂ concentration display would cause the monitoring AI to classify a rising H₂ accumulation as normal post-accident atmosphere conditions, suppressing the passive autocatalytic recombiner actuation advisory and the containment atmosphere management actions that would prevent hydrogen accumulation to detonation — replicating the Fukushima mechanism even when monitoring systems remain functional.

How does Glyphward’s threshold 25 for nuclear I&C AI compare to threshold 30 for tailings dam AI and threshold 35 for industrial process AI?

Glyphward thresholds reflect the consequence envelope of each adversarial injection context, calibrated against three factors: (1) severity and irreversibility of the worst-case consequence; (2) availability of complementary detection or intervention mechanisms independent of the AI classification layer; (3) regulatory basis for the AI context's role in the safety function. Nuclear I&C AI receives threshold 25 (lowest, most sensitive) because: (1) the NRC’s defence-in-depth framework explicitly requires that no single failure — including AI classification layer failure — prevent safety function performance; (2) the consequence envelope (core damage, fission product release, hydrogen detonation) is categorically more severe and more irreversible than process safety incidents at non-nuclear facilities; (3) the NRC’s single-failure criterion creates an expectation that each element of the safety I&C chain be individually reliable — a lower tolerance for any individual element failure than applies in industrial process contexts where defence-in-depth is implemented through redundant but not individually failure-proof layers. Tailings dam AI threshold 30 reflects a shorter consequence window (Brumadinho 4-minute flow slide) but a less stringent regulatory framework. Industrial process AI threshold 35 reflects lower consequence severity and stronger complementary detection (manual operator observation, CCTV surveillance, on-site emergency response).