Prompt injection in small modular reactor SMR AI

Four adversarial injection surfaces in small modular reactor SMR AI

1. Natural circulation primary coolant flow display AI in NuScale PWR (NuScale Power Digital I&C AI, Rolls-Royce SMR controls AI, GE Hitachi BWRX-300 isolation condenser AI — SMR natural circulation flow monitoring AI)

The primary distinguishing safety characteristic of most SMR PWR designs — the NuScale Power Module, the Rolls-Royce SMR, and the Korea SMART reactor — is the reliance on natural circulation as the primary mode of primary coolant circulation in normal operation and all design basis accident scenarios, eliminating the primary coolant pumps (PCPs) that require AC power and represent the most failure-prone mechanical components in large PWR primary systems. In the NuScale Power Module, the primary circuit is contained entirely within a reactor pressure vessel (RPV) of approximately 17 m height and 2.7 m diameter, with natural circulation driven by the temperature difference between the heated core (at the bottom of the RPV, producing buoyant, lower-density hot coolant) and the cooled steam generators (at the upper annular region of the RPV, condensing the coolant and increasing its density), producing a continuous upward flow through the core and downward flow through the steam generator annulus without any pumps. The natural circulation flow rate — and therefore the core heat removal rate — is determined by the temperature differential, the hydraulic resistance of the flow path, and the buoyancy driving force. AI monitoring systems process rendered displays of the natural circulation flow indicators — inferred from differential temperature measurements (core outlet temperature minus core inlet temperature — the “DT” parameter), pressure differential across the steam generator, or acoustic flow sensors — to classify natural circulation status: normal (DT within design envelope, calculated core heat removal adequate), degraded (DT above design maximum — core outlet temperature rising, indicating reduced natural circulation flow), and absent (DT approaching boiling onset — emergency boration or other operator action required per Emergency Operating Procedure).

An adversarial perturbation on a rendered natural circulation flow indicator display image that suppresses a rising DT above the normal design envelope — applying a ±10 DN downward shift to the pixel region encoding the DT trend line above the normal operating maximum — causes the SMR natural circulation monitoring AI to classify a degraded natural circulation condition (reduced core heat removal) as normal operation, suppressing the operator advisory and emergency boration action that a degraded DT requires. The consequence pathway: with reduced natural circulation flow, the fuel cladding temperature rises above the normal operating value as the heat removal rate falls below the core power; at sufficient DT degradation, fuel temperature approaches the 10 CFR Part 50.46 limit (peak cladding temperature < 1,204°C); the passive ECCS actuation setpoint is approached (triggered by high reactor pressure or low-low RPV water level in the NuScale design) but the adversarially suppressed DT display prevents the operator from recognising that the passive actuation is approaching and that the Emergency Operating Procedure requires entry. The NuScale passive safety design eliminates the need for active safety injection — but it does not eliminate the need for accurate AI classification of the rendered natural circulation monitoring display that tells operators the passive safety mode is functioning correctly versus degraded.

2. NuScale containment vessel and reactor pool water level display AI (NuScale CNV water level AI, below-grade pool level monitoring AI, NRC Design Certification CNV flooding level AI — NuScale SMR containment flooding level display AI)

The NuScale Power Module containment design — approved under NRC 10 CFR Part 52 Design Certification (84 Fed. Reg. 57933, October 2019) — places the entire reactor primary system (the RPV with core, steam generators, and pressuriser) inside a steel containment vessel (CNV) that is submerged in a below-grade reactor pool of approximately 74,000 gallons (280 m³) of reactor pool water per module. The reactor pool provides the ultimate heat sink for all design basis and beyond-design-basis accident scenarios in the NuScale passive safety concept: the CNV exterior transfers decay heat from the RPV to the pool water by conduction and convection, and the pool water ultimately evaporates or is replenished from makeup sources to maintain long-term core cooling for 72 hours without operator action (the NuScale NRC Design Certification safety objective). The reactor pool water level — the elevation of the pool water surface relative to the CNV exterior — must remain above a minimum level for the passive containment cooling to function as designed: if the pool level drops below the minimum CNV immersion elevation (from a pool leak, evaporative loss exceeding makeup supply, or earthquake-induced pool sloshing), the CNV exterior thermal contact with the pool water is degraded, reducing the heat removal rate and causing CNV temperature to rise. AI systems process rendered displays of the reactor pool level instruments — level sensor trend displays showing the pool surface elevation against the minimum coverage level — to classify pool level status and alert operators to approaching minimum coverage conditions.

An adversarial perturbation on a rendered reactor pool level display image that suppresses a falling pool level toward the minimum CNV coverage elevation — applying a ±8 DN upward shift to the pixel region encoding the pool level indicator bar (raising the apparent pool surface elevation from the approaching-minimum range to within the normal operating band) — causes the NuScale pool level monitoring AI to classify a degrading pool level condition as within-normal, suppressing the operator alert and the manual makeup water initiation that minimum coverage approach requires. The consequence: pool level continues to fall; CNV exterior cooling degrades; CNV temperature rises; the decay heat removal margin to 10 CFR Part 50.46 cladding temperature limit decreases; the operator is unaware that the pool level is approaching the design basis minimum because the rendered display appears normal. In a multi-module NuScale VOYGR plant with 12 modules in a shared reactor pool, pool level monitoring is the common-cause monitoring function: adversarial suppression of the pool level display AI affects all 12 modules simultaneously (the pool is shared), making it a higher-consequence adversarial surface than single-module monitoring AI contexts. The NRC NuScale Design Certification Safety Analysis Report Chapter 6 (Engineered Safety Features) evaluates the passive safety cooling function assuming accurate pool level monitoring — the adversarial injection assumption is not evaluated in the Design Certification safety analysis.

3. TRISO fuel pellet integrity monitoring display AI (X-energy Xe-100 HTGR TRISO AI, Ultra Safe Nuclear USNC TRISO AI, KAERI HTTR TRISO fission gas AI — HTGR and TRISO-fuelled SMR fuel integrity monitoring AI)

Tri-structural isotropic (TRISO) fuel particles — the fuel form used in high-temperature gas-cooled reactors (HTGRs) and TRISO-fuelled SMRs including the X-energy Xe-100 (200 MWt, pebble bed HTGR), Ultra Safe Nuclear Corporation (USNC) Micro Modular Reactor (MMR), and the advanced TRISO fuel being developed for the TerraPower Natrium SFR and the Kairos Power FHR (fluoride salt-cooled high-temperature reactor) — consist of a uranium oxycarbide (UCO) or uranium dioxide (UO₂) fuel kernel surrounded by multiple coating layers: a porous carbon buffer layer, a dense inner pyrolytic carbon (IPyC) layer, a silicon carbide (SiC) pressure vessel layer, and a dense outer pyrolytic carbon (OPyC) layer. The multilayer TRISO coating acts as an independent pressure vessel and fission product containment barrier for each individual fuel particle — a TRISO particle retains fission product gases (krypton, xenon, iodine, caesium) within the SiC layer at fuel temperatures up to approximately 1,600°C (compared to the <1,204°C 10 CFR Part 50.46 limit for zirconium alloy cladding in LWR fuel). The integrity of the TRISO fuel particle coating — specifically the integrity of the SiC layer — is monitored by measuring fission gas release in the primary coolant (the coolant activity concentration of krypton-85 and xenon isotopes is an indicator of failed TRISO particles releasing fission gases into the coolant). AI systems process rendered displays of the coolant activity monitors — gamma spectroscopy displays showing the primary coolant krypton-85 and xenon activity concentration trend compared to the Technical Specification action levels — to classify fuel integrity status and trigger increased monitoring or shutdown actions at the fuel failure threshold.

An adversarial perturbation on a rendered coolant activity monitor display image that suppresses a rising fission gas activity concentration — applying a ±8 DN downward shift to the pixel region encoding the activity trend line above the Technical Specification Level 1 action level (increased monitoring) or Level 2 action level (ordered shutdown within 24 hours) — causes the TRISO fuel integrity monitoring AI to classify an active fuel particle failure (multiple TRISO particles with failed SiC layers releasing krypton-85 into the primary helium coolant) as background coolant activity. The consequence: failed TRISO particles continue to operate at increasing temperatures; additional SiC layer failures initiate as the thermal stress from the fission product gas inventory exceeds the SiC pressure capability; the coolant contamination from krypton-85 and caesium-137 release from failed particles increases; the delayed recognition of the fuel failure event results in a higher coolant contamination level at the time of shutdown and a more complex decontamination requirement for the primary loop. For X-energy Xe-100 pebble bed geometry (where pebbles circulate continuously through the core and can be individually inspected), the adversarial suppression of the coolant activity AI delays the identification and removal of the specific fuel pebbles with failed TRISO coatings — allowing the failed pebbles to continue circulating and releasing fission products into the primary coolant. IAEA SSG-55 (Design of the Reactor Core for Nuclear Power Plants) addresses fuel performance requirements for SMR cores but does not specify adversarial robustness requirements for AI systems classifying rendered coolant activity monitor displays.

4. Passive ECCS actuation status display AI in NuScale SMR (NuScale Reactor Trip and Isolation Valve AI, passive ECCS valve position indicator AI, gravity-driven cooling injection status AI — NuScale passive safety system actuation verification AI)

The NuScale passive ECCS — the Emergency Core Cooling System for the NuScale Power Module, approved under NRC Design Certification as the primary active-failure-free safety injection mechanism — operates by gravity-driven injection of the reactor pool water into the RPV when two conditions are met: (1) the RPV water level drops below the ECCS actuation setpoint (low-low RPV level, approximately 1–2 m above the top of active fuel); and (2) the isolation valves between the RPV and the CNV open, equalising pressure and allowing pool water to flow into the RPV by gravity. The ECCS actuation is entirely passive — the isolation valves are spring-operated and fail-open (they open on loss of control power, on signal loss, or on loss of the control circuit that holds them closed during normal operation). The actuation status display — showing whether each ECCS isolation valve has opened, whether the RPV-to-CNV pressure equalisation has occurred, and whether the gravity-driven pool water injection is proceeding — is the only positive indication available to the operator that the passive ECCS has actuated as designed. AI systems process rendered displays of the ECCS actuation status panel — real-time valve position indicators (green/open, red/closed), pressure differential displays showing RPV and CNV pressure trends converging after equalisation, and pool level trend showing the drawdown indicating injection flow — to classify ECCS status: no actuation (all valves closed — normal condition), partial actuation (some valves open — investigate), full actuation (all valves open, pressures equalising — ECCS proceeding normally, initiate long-term cooling Emergency Operating Procedure), and malfunction (actuation signal present but valve position indicates not open — backup actuation required).

An adversarial perturbation on a rendered ECCS actuation status display image that suppresses an actuation confirmation — applying a ±8 DN colour and symbol shift to the pixel region encoding an open valve position indicator (rendering the apparent valve as closed/normal rather than open/actuated) — causes the NuScale passive safety AI to classify an ECCS that has actuated (ECCS valves open, pool water injecting into RPV) as normal pre-actuation condition. This creates a uniquely dangerous consequence for SMR passive safety: if the passive ECCS has actuated during a loss-of-coolant accident (LOCA) and the operator AI does not recognise the actuation, the operator may take actions that interfere with the passive safety injection (such as attempting to pressurise the RPV to force an apparent ECCS valve closure — if the operator believes the ECCS did not actuate and is attempting to re-establish normal RCS pressure). NRC 10 CFR Part 52 Design Certification Safety Analysis for passive safety systems assumes that the operators receive correct indication of passive actuation status — an adversarial attack on the rendered actuation status display AI introduces the operator confusion failure mode that the passive safety design is intended to eliminate by removing the dependence on active systems and operator action. The SL-1 reactor explosion (Idaho, 3 January 1961) — in which an experimental boiling water reactor was destroyed by manual withdrawal of the centre control rod by approximately 50 cm (a movement never intended to be made) — established the precedent that reactor accidents can be initiated by operators acting on incorrect information about reactor state. Adversarial suppression of the passive ECCS actuation display AI produces exactly this operator-incorrect-information failure mode in the passive safety context. Free tier — 10 scans/day, no card required.

Integration: SMR AI scanning with Glyphward pre-scan gate

The Glyphward scan gate for small modular reactor SMR AI belongs at every rendered-image ingestion boundary in the SMR safety monitoring pipeline — before natural circulation flow display AI processes DT trend renders, before containment pool level AI processes pool level indicator displays, before TRISO fuel integrity AI processes coolant activity monitor renders, and before passive ECCS actuation AI processes valve position indicator displays. Threshold 25 (same as large nuclear power plant digital I&C AI) reflects the same NRC regulatory framework, the same GDC single-failure criterion intent (no individual failure shall prevent safety function performance), and the same radiological release consequence from core damage — combined with the unique SMR passive safety concern that adversarial injection in the passive ECCS actuation display can produce operator interference with passive safety injection, a failure mode that the passive design intent specifically eliminates from the active-system failure tree.

import asyncio, base64, hashlib, json
from datetime import datetime, timezone
from enum import Enum
from pathlib import Path

import httpx

GLYPHWARD_API_KEY = "YOUR_GLYPHWARD_API_KEY"
GLYPHWARD_SCAN_URL = "https://glyphward.com/v1/scan"

# Small modular reactor SMR AI contexts: threshold 25
# NRC 10 CFR Part 52 (Licenses, Certifications, and Approvals for NPPs);
# NRC Design Certification Rule for NuScale (84 Fed. Reg. 57933, Oct 2019);
# NRC 10 CFR Part 50 Appendix A GDC 13/20-24 (via 10 CFR Part 52 reference);
# IAEA SSG-55 (Design of the Reactor Core for Nuclear Power Plants, SMR guidance).
SMR_THRESHOLD = 25


class SMRAIContext(Enum):
    NATURAL_CIRCULATION  = "natural_circulation"  # NuScale DT / flow display AI
    CONTAINMENT_POOL     = "containment_pool"     # Below-grade pool level display AI
    TRISO_FUEL_INTEGRITY = "triso_fuel_integrity" # Coolant activity fission gas AI
    PASSIVE_ECCS         = "passive_eccs"         # Passive ECCS valve actuation AI


class AdversarialSMRImageError(Exception):
    """Raised when Glyphward detects adversarial content in an SMR AI rendered
    safety monitoring image above threshold 25.

    Consequence if not raised:
    - NATURAL_CIRCULATION: reduced natural circulation suppressed → fuel
      cladding temperature rise undetected → 10 CFR 50.46 peak cladding
      temperature limit approach → fuel damage → radiological release;
      no active pumps to initiate; TMI-2 1979 class consequence pathway.
    - CONTAINMENT_POOL: pool level drop suppressed → CNV exterior cooling
      degraded → decay heat removal margin lost → core temperature rise;
      NuScale 12-module VOYGR common-cause pool: all modules affected.
    - TRISO_FUEL_INTEGRITY: fission gas release suppressed → failed TRISO
      particles continue operating → coolant contamination elevated →
      decontamination required; X-energy Xe-100 pebble bed failed-pebble
      removal delayed.
    - PASSIVE_ECCS: ECCS actuation suppressed → operator unaware passive
      injection proceeding → operator action may interfere with passive
      ECCS → cooling injection degraded; SL-1 1961 operator-incorrect-
      information failure mode precedent; NuScale Design Certification
      passive safety design intent violated.
    Fail-safe: halt AI classification; independently verify via backup
    hardwired indication channels and manual gauge readings per SMR
    Emergency Operating Procedure before any operator action that
    could affect passive safety system function.
    """

    def __init__(self, scan_id: str, score: int,
                 context: SMRAIContext,
                 plant_id: str, module_id: str,
                 flagged_region: dict | None = None) -> None:
        self.scan_id = scan_id
        self.score = score
        self.context = context
        self.plant_id = plant_id
        self.module_id = module_id
        self.flagged_region = flagged_region
        super().__init__(
            f"Adversarial SMR image: "
            f"context={context.value} score={score} "
            f"plant={plant_id} module={module_id} scan_id={scan_id}"
        )


async def scan_smr_image(
    image_bytes: bytes,
    context: SMRAIContext,
    plant_id: str,
    module_id: str,
    client: httpx.AsyncClient,
) -> dict:
    """Scan an SMR AI rendered safety monitoring image for adversarial content.

    Fail-safe contract: AdversarialSMRImageError or httpx error →
    halt AI safety classification for the affected SMR monitoring context;
    verify via backup hardwired indication channels and manual gauges per
    SMR Emergency Operating Procedure; do NOT initiate operator actions
    that could interfere with passive ECCS injection until passive safety
    status is confirmed via independent channels; notify NRC per
    10 CFR 50.72 immediate notification if passive ECCS status uncertain.
    """
    image_hash = hashlib.sha256(image_bytes).hexdigest()
    payload = {
        "image": base64.b64encode(image_bytes).decode(),
        "source": f"smr:{context.value}:{plant_id}:{module_id}",
        "metadata": {
            "plant_id": plant_id,
            "module_id": module_id,
            "context": context.value,
            "image_sha256": image_hash,
        },
    }
    resp = await client.post(
        GLYPHWARD_SCAN_URL,
        headers={"Authorization": f"Bearer {GLYPHWARD_API_KEY}"},
        json=payload,
        timeout=4.0,
    )
    resp.raise_for_status()
    result = resp.json()

    if result["score"] > SMR_THRESHOLD:
        raise AdversarialSMRImageError(
            scan_id=result["scan_id"],
            score=result["score"],
            context=context,
            plant_id=plant_id,
            module_id=module_id,
            flagged_region=result.get("flagged_region"),
        )
    return result

Deploy scan_smr_image at each SMR safety monitoring AI rendered-image ingestion boundary: before natural circulation flow display AI (threshold 25), before containment pool level AI (threshold 25), before TRISO fuel integrity coolant activity AI (threshold 25), and before passive ECCS actuation status AI (threshold 25). On AdversarialSMRImageError for PASSIVE_ECCS context: immediately verify passive ECCS actuation status via backup hardwired indication channels independent of the flagged rendered-display AI system; do NOT initiate operator actions that could interfere with passive injection until independent verification is complete; notify the NRC Resident Inspector per 10 CFR 50.72 if ECCS status cannot be independently confirmed within 15 minutes. See also: nuclear power plant digital I&C AI prompt injection (large PWR/BWR I&C AI — same threshold 25) and nuclear waste ISFSI dry cask AI prompt injection (spent fuel storage AI — threshold 30). Get early access

Related questions