EN 60671:2011
Nuclear power plants - Instrumentation and control systems important to safety - Surveillance testing
Lays down principles for testing I&C systems performing category A, B and C functions, per IEC 61226, during normal power operation and shutdown, so as to check the functional availability especially with regard to the detection of faults that could prevent the proper operation of the functions important to safety. Covers the possibility of testing at short intervals or continuous surveillance, as well as periodic testing at longer intervals. It also establishes basic rules for the design and application of the test equipment and its interface with the systems important to safety. The main change with respect to the previous edition includes an extension of the scope to cover all systems important to safety, and a requirement gradation for systems and equipment performing category A, B and C functions.
Title (German): Nuclear power plants - Instrumentation and control for systems important to safety - Tests to ensure functional capability
Title (French): Nuclear power plants - Instrumentation and control systems important to safety - Surveillance testing
Abstract (French): Establishes the principles applicable to I&C systems performing category A, B or C functions, as defined by IEC 61226, during normal power operation or plant shutdown, so as to verify their functional availability, in particular with regard to the detection of faults that could prevent the proper operation of the functions important to safety. Covers testing at short intervals or continuous surveillance, as well as periodic testing at longer intervals. Also establishes the basic rules for the design and implementation of the test equipment and its interface with the systems important to safety. The main technical change with respect to the previous edition is an extension of the scope of the standard to cover all systems important to safety, and the gradation of requirements for systems and equipment performing category A, B or C functions.
Title (Slovenian): Nuclear power plants - Instrumentation and control equipment for ensuring safety - Surveillance testing
Abstract (Slovenian): Where functional reliability is required by general safety standards, one aspect of demonstrating this reliability is testing performed on-line during plant operation or during plant shutdown in preparation for the return to operation. This standard lays down principles for testing I&C equipment performing category A, B and C functions, per IEC 61226, during normal operation and plant shutdown, so as to check functional availability, especially with regard to the detection of faults that could prevent the proper operation of the functions important to safety. It covers testing at short intervals or continuous surveillance, as well as periodic testing at longer intervals. It also establishes basic rules for the design and use of the test equipment and its interface with the equipment important to safety. The effect of a test equipment fault on the reliability of the I&C equipment is also considered. Types of surveillance tests may include:
- self-tests of I&C equipment;
- tests of a group of equipment or components to confirm properties that support the safety function (continuity, power availability, etc.);
- tests based on information redundancy or comparison of control signatures (consistency checking for redundant sensors, CRC checking, checksums, etc.);
- periodic testing related to the correctness of the functional behaviour of the I&C equipment.
The reliability targets of the I&C equipment are achieved by an appropriate combination of the tests listed above. The extent of I&C equipment testing ranges from the interface of the sensors with the process through to the actuation device. It applies to installed I&C equipment as well as to temporary installations that are part of the I&C equipment important to safety (for example, auxiliary equipment for commissioning tests and experiments). This standard also applies to individual electromechanical equipment, such as relays and solenoid actuators.
Additional testing and inspection may be performed on I&C equipment for purposes other than the demonstration of functional capability, for example to optimise preventive maintenance. Such tests are outside the scope of this standard, but they may be combined with the surveillance testing discussed here. For any on-line test, the potential interactions and fault dependencies between the part of the equipment under test and the testing part have to be carefully studied, and their influences have to be fully integrated into the reliability assessment of the functions important to safety (in accordance with IEC 61513).
Standards Content (Sample)
SLOVENIAN STANDARD
1 October 2011
Nuclear power plants - Instrumentation and control equipment for ensuring safety - Surveillance testing (Slovenian title)
Nuclear power plants - Instrumentation and control systems important to safety - Surveillance testing
Nuclear power plants - Instrumentation and control for systems important to safety - Tests to ensure functional capability (German title)
Nuclear power plants - Instrumentation and control systems important to safety - Surveillance testing (French title)
This Slovenian standard is identical to: EN 60671:2011
ICS:
27.120.20 Nuclear power plants. Safety
2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.
EUROPEAN STANDARD EN 60671
August 2011
ICS 27.120.20
English version
Nuclear power plants -
Instrumentation and control systems important to safety -
Surveillance testing
(IEC 60671:2007)
French title: Nuclear power plants - Instrumentation and control systems important to safety - Surveillance testing (CEI 60671:2007)
German title: Nuclear power plants - Instrumentation and control for systems important to safety - Tests to ensure functional capability (IEC 60671:2007)
This European Standard was approved by CENELEC on 2011-08-08. CENELEC members are bound to comply
with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard
the status of a national standard without any alteration.
Up-to-date lists and bibliographical references concerning such national standards may be obtained on
application to the Central Secretariat or to any CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other
language made by translation under the responsibility of a CENELEC member into its own language and notified
to the Central Secretariat has the same status as the official versions.
CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus,
the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia,
Spain, Sweden, Switzerland and the United Kingdom.
CENELEC
European Committee for Electrotechnical Standardization
Management Centre: Avenue Marnix 17, B - 1000 Brussels
© 2011 CENELEC - All rights of exploitation in any form and by any means reserved worldwide for CENELEC members.
Ref. No. EN 60671:2011 E
Foreword
The text of the International Standard IEC 60671:2007, prepared by SC 45A, Instrumentation and control
of nuclear facilities, of IEC TC 45, Nuclear instrumentation, was submitted to the formal vote and was
approved by CENELEC as EN 60671 on 2011-08-08 without any modification.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN and CENELEC shall not be held responsible for identifying any or all such patent
rights.
The following dates were fixed:
– latest date by which the EN has to be implemented at national level by publication of an identical national standard or by endorsement (dop): 2012-08-08
– latest date by which the national standards conflicting with the EN have to be withdrawn (dow): 2014-08-08
As stated in the nuclear safety directive 2009/71/EURATOM, Chapter 1, Article 2, item 2, Member States
are not prevented from taking more stringent safety measures in the subject-matter covered by the
Directive, in compliance with Community law.
In a similar manner, this European standard does not prevent Member States from taking more stringent
nuclear safety measures in the subject-matter covered by this standard.
Annex ZA has been added by CENELEC.
__________
Endorsement notice
The text of the International Standard IEC 60671:2007 was approved by CENELEC as a European
Standard without any modification.
__________
- 3 - EN 60671:2011
Annex ZA
(normative)
Normative references to international publications
with their corresponding European publications
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
NOTE When an international publication has been modified by common modifications, indicated by (mod), the relevant EN/HD
applies.
Publication; Year; Title; corresponding EN/HD; Year ("-" means undated)
IEC 60880; -; Nuclear power plants - Instrumentation and control systems important to safety - Software aspects for computer-based systems performing category A functions; EN 60880; -
IEC 60987; -; Nuclear power plants - Instrumentation and control important to safety - Hardware design requirements for computer-based systems; EN 60987; -
IEC 61226; -; Nuclear power plants - Instrumentation and control important to safety - Classification of instrumentation and control functions; EN 61226; -
IEC 61513; -; Nuclear power plants - Instrumentation and control for systems important to safety - General requirements for systems; -; -
IEC 62138; -; Nuclear power plants - Instrumentation and control important for safety - Software aspects for computer-based systems performing category B or C functions; EN 62138; -
IAEA Safety guide NS-G-1.3; -; Instrumentation and control systems important to safety in nuclear power plants; -; -
INTERNATIONAL STANDARD IEC 60671
Second edition
2007-05
Nuclear power plants – Instrumentation
and control systems important to safety –
Surveillance testing
(French title: Nuclear power plants – Instrumentation and control systems important to safety – Surveillance testing)
PRICE CODE T
International Electrotechnical Commission
For price, see current catalogue
– 2 – 60671 © IEC:2007
CONTENTS
FOREWORD ... 4
INTRODUCTION ... 6
1 Scope ... 8
2 Normative References ... 9
3 Terms and definitions ... 9
4 Basic Principles for Surveillance Testing ... 11
4.1 General ... 11
4.2 Gradation of Requirements Based on Category ... 12
4.3 Extent of Surveillance Testing ... 12
4.4 Self-supervision in Lieu of Periodic Testing ... 12
4.5 Continuous Operation in Lieu of Periodic Testing ... 13
5 General Requirements for Surveillance Testing ... 13
5.1 Design Requirements ... 13
5.2 Procedures ... 14
5.3 Data to be recorded upon detection of a fault ... 14
5.4 Other data to be recorded ... 14
5.5 Test intervals ... 15
5.6 Verification of actuation set-points ... 15
5.7 Bypass ... 15
5.8 Response time ... 15
5.9 Restoration ... 16
6 Requirements for Testing of Sensors and Signal Processing Devices ... 16
6.1 General ... 16
6.2 Non-tested parts ... 16
6.3 Testing devices ... 16
6.4 Signals ... 16
6.5 Variation of signals ... 17
6.5.1 General ... 17
6.5.2 Slowly changing signal ... 17
6.5.3 Rapidly changing signal ... 17
6.5.4 Large change in signal ... 17
6.6 Operability ... 17
6.7 Sensor response time ... 18
6.8 Testing equipment ... 18
6.9 Calibration and transfer function ... 18
6.10 Surveillance ... 18
7 Requirements for Testing of Electromechanical Equipment ... 18
7.1 General ... 18
7.2 Interface ... 18
7.3 Typical functional tests ... 19
7.4 Continuous monitoring ... 19
7.5 Relays and valves ... 19
8 Requirements for Testing of Logic Assemblies ... 20
8.1 Scope ... 20
8.2 General ... 20
8.3 Switching of signals ... 20
8.4 Testing signals ... 20
8.5 Interface ... 21
8.6 Data to be displayed ... 21
8.7 Data to be recorded ... 21
8.8 Detailed display ... 21
8.9 Testing equipment ... 21
8.10 Testing equipment using pulses ... 22
9 Self-supervision in computer-based I&C systems ... 22
9.1 Coverage of self supervision ... 22
9.2 Balance of diagnostic versus functional processing ... 23
9.3 Watchdog timers ... 23
9.4 Action taken on detected fault ... 23
9.5 Categorization of self-supervision software ... 24
Figure 1 – Extent of I&C Surveillance Testing ... 9
INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
NUCLEAR POWER PLANTS –
INSTRUMENTATION AND CONTROL
SYSTEMS IMPORTANT TO SAFETY –
SURVEILLANCE TESTING
FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, IEC publishes International Standards, Technical Specifications,
Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC
Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested
in the subject dealt with may participate in this preparatory work. International, governmental and non-
governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely
with the International Organization for Standardization (ISO) in accordance with conditions determined by
agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence
between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in
the latter.
5) IEC provides no marking procedure to indicate its approval and cannot be rendered responsible for any
equipment declared to be in conformity with an IEC Publication.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of
patent rights. IEC shall not be held responsible for identifying any or all such patent rights.
International Standard IEC 60671 has been prepared by subcommittee 45A: Instrumentation
and control of nuclear facilities, of IEC technical committee 45: Nuclear instrumentation.
This second edition cancels and replaces the first edition published in 1980 and constitutes a
technical revision.
The main technical changes with respect to the previous edition are as follows:
– Expand scope to cover all systems important to safety, and clarify requirement gradation
for systems and equipment performing category A, B and C functions.
– Align with the new revisions of IAEA documents NS-R-1 and NS-G-1.3 (replacing D3 and
D8).
– Provide references to relevant normative standards.
– Harmonize terminology with the existing standard hierarchy.
– Strengthen the role of computer self-supervision as an alternative to periodic surveillance
testing.
– Introduce features of digital I&C that present special opportunities or problems to on-line
testing.
– Present design requirements on testing features themselves (categorization, verification,
etc.) that derive from the standards adopted since the first issue of IEC 60671, which will
thus be updated to become consistent with the newer standards.
The text of this standard is based on the following documents:
FDIS: 45A/648/FDIS; Report on voting: 45A/655/RVD
Full information on the voting for the approval of this standard can be found in the report on
voting indicated in the above table.
This publication has been drafted in accordance with the ISO/IEC Directives, Part 2.
In the United Kingdom some differences exist:
Introduction, Clauses 1, 2 and 4.2: The classification scheme captured in standard IEC 61226
edition 2 (2005-02) is contrary to the custom, practice, and regulatory expectations as set
down by the United Kingdom Health and Safety Executive's Nuclear Installations Inspectorate
and the understanding in the United Kingdom of IAEA safety guides. Users of this standard
are advised that, in the United Kingdom, this standard should be read in conjunction with the
edition of IEC 61226 published by the BSI, and the Health and Safety Executive's Nuclear
Installations Inspectorate's Safety Assessment Principles to determine the classification of a
function or system.
The committee has decided that the contents of this publication will remain unchanged until
the maintenance result date indicated on the IEC web site under "http://webstore.iec.ch" in
the data related to the specific publication. At this date, the publication will be
• reconfirmed,
• withdrawn,
• replaced by a revised edition, or
• amended.
INTRODUCTION
a) Background, main issues and organization of the standard
A fundamental requirement for I&C (instrumentation and control) systems important to safety
in nuclear power plants is that they be capable of being demonstrated to be ready to perform
their safety functions if needed. Surveillance testing may be performed by the execution of
functional tests or by self-supervision within the I&C systems important to safety, and is
augmented by diagnostic functions and by visual inspections of the I&C systems and their
status indicators by the plant operation staff. Depending on the reliability targets and the
testing conditions the demonstration of functional readiness may be performed either while
the plant is on-line or during plant shutdown. This Standard provides technical requirements
and recommendations for the implementation of surveillance testing for I&C systems
important to safety.
The object of this standard is:
– in Clause 4:
to establish the principles for surveillance testing of I&C equipment important to safety.
– in Clauses 5 through 9:
to give requirements to be fulfilled in the design and operation of I&C equipment important
to safety in regards to the surveillance testing.
b) Situation of the current standard in the structure of the SC 45A standard series
IEC 61513 establishes the top level requirements for I&C systems and equipment important to
safety. Among these requirements is the need to demonstrate, on a continuing basis, the
operability of the equipment and its readiness to perform its safety or safety related functions.
IEC 61226 establishes the principles of categorization of I&C functions according to their level
of importance to safety. The reliability required from any function in categories A, B or C
should be determined by either a quantitative probabilistic assessment of the NPP, or by
qualitative engineering judgment, and included in the specification.
IEC 60671 provides the bases and requirements for surveillance testing to demonstrate the
operability, under normal conditions, of these systems and equipment during their operative
life.
IEC 60671 supports the achievement of the target reliability by detecting faults within the
equipment allowing appropriate measures to be initiated (timely repair or any alternative
solutions).
IEC 60671 is the third-level SC 45A document tackling the issue of surveillance testing for
I&C systems important to safety.
For more details on the structure of the SC 45A standard series see item d) of this
introduction.
c) Recommendations and limitations regarding the application of the Standard
IEC 60671 applies to I&C systems and equipment important to safety. It establishes
requirements for surveillance testing as a means of demonstrating on a continuing basis the
readiness of the systems and equipment to perform their functions important to safety.
Additional requirements relating to reliability and detailed requirements for redundancy and
diversity are not given in this standard but can be found in other documents of SC 45A.
The attention of the reader is drawn to the fact that in some countries the scope and the
content of periodic testing are defined by regulatory requirements and that these definitions
could differ from the ones used in this standard.
In the case of existing plants it may not be possible to apply all of the requirements of this
standard. Therefore, at the beginning of a modernization project of an I&C system important
to safety the subset of requirements to be applied shall be identified in regards to the overall
scope and consequences of modification of the I&C systems.
d) Description of the structure of the SC 45A standard series and relationships with
other IEC documents and other bodies documents (IAEA, ISO)
The top-level document of the IEC SC 45A standard series is IEC 61513. It provides general
requirements for I&C systems and equipment that are used to perform functions important to
safety in NPPs. IEC 61513 structures the IEC SC 45A standard series.
IEC 61513 refers directly to other IEC SC 45A standards for general topics related to
categorization of functions and classification of systems, qualification, separation of systems,
defence against common cause failure, software aspects of computer-based systems,
hardware aspects of computer-based systems, and control room design. The standards
referenced directly at this second level should be considered together with IEC 61513 as a
consistent document set.
At a third level, IEC SC 45A standards not directly referenced by IEC 61513 are standards
related to specific equipment, technical methods, or specific activities. Usually these
documents, which make reference to second-level documents for general topics, can be used
on their own.
A fourth level extending the IEC SC 45A standard series, corresponds to the Technical
Reports which are not normative.
IEC 61513 has adopted a presentation format similar to the basic safety publication
IEC 61508 with an overall safety life-cycle framework and a system life-cycle framework and
provides an interpretation of the general requirements of IEC 61508-1, IEC 61508-2 and
IEC 61508-4, for the nuclear application sector. Compliance with IEC 61513 will facilitate
consistency with the requirements of IEC 61508 as they have been interpreted for the nuclear
industry. In this framework IEC 60880 and IEC 62138 correspond to IEC 61508-3 for the
nuclear application sector.
IEC 61513 refers to ISO as well as to IAEA 50-C-QA (now replaced by IAEA 50-C/SG-Q) for
topics related to quality assurance (QA).
The IEC SC 45A standards series consistently implements and details the principles and
basic safety aspects provided in the IAEA code on the safety of NPPs and in the IAEA safety
series, in particular the Requirements NS-R-1, establishing safety requirements related to the
design of Nuclear Power Plants, and the Safety Guide NS-G-1.3 dealing with instrumentation
and control systems important to safety in Nuclear Power Plants. The terminology and
definitions used by SC 45A standards are consistent with those used by the IAEA.
NUCLEAR POWER PLANTS –
INSTRUMENTATION AND CONTROL
SYSTEMS IMPORTANT TO SAFETY –
SURVEILLANCE TESTING
1 Scope
Where functional reliability is required by general safety standards, one aspect of
demonstrating this reliability is testing performed on-line during plant operation or during plant
shutdown in preparation for return to power operation.
This standard lays down principles for testing I&C systems performing category A, B and C
functions, per IEC 61226, during normal power operation and shutdown, so as to check the
functional availability especially with regard to the detection of faults that could prevent the
proper operation of the functions important to safety. It covers the possibility of testing at
short intervals or continuous surveillance, as well as periodic testing at longer intervals. It
also establishes basic rules for the design and application of the test equipment and its
interface with the systems important to safety. Further, the effect of any test equipment failure
on the reliability of the I&C systems is considered.
Types of surveillance tests may include:
– self-tests for I&C equipment;
– test of a group of equipment or components to confirm properties that support the safety
function (continuity, power availability, etc.);
– test based on information redundancy or comparison of control signatures (consistency
checking for redundant sensors, CRC-checking, Checksum, etc.);
– periodic testing which is related to the correctness of functional behaviour of an I&C
system.
The dependability targets of any I&C system are reached using an appropriate combination of
tests of the forms indicated above.
The extent of the I&C system to be tested is from the interface of the sensors with the process
through to the actuation devices (see Figure 1). It is applicable to the installed I&C systems
as well as to temporary installations which are part of those I&C systems important to safety
(for example, auxiliary equipment for commissioning tests and experiments). This standard
also applies to individual electromechanical equipment, such as relays and solenoid
actuators.
Additional testing and inspections may be performed on I&C equipment for purposes other
than the demonstration of functional capability, such as to optimise preventive maintenance,
etc. Such tests are beyond the scope of this standard; however, they may be combined with
the surveillance testing discussed herein.
For any on-line tests the potential interaction and fault dependencies between the part of the
system under test and the testing part, have to be carefully studied and their influences have
to be fully integrated into the reliability assessment of the functions important to safety (in
accordance with IEC 61513).
This standard applies to the I&C of new nuclear power plants as well as to I&C upgrading or
back-fitting of existing plants. For I&C upgrades, only a subset of the requirements may be
applicable; this subset is to be identified at the beginning of any project.
[Figure 1: block diagram Sensor -> Signal processing -> Logic assembly -> Actuating device (M), with the bracket "Extent of I&C surveillance testing" spanning all four blocks. IEC 597/07]
Figure 1 – Extent of I&C surveillance testing
2 Normative references
The following referenced documents are indispensable for the application of this document.
For dated references, only the edition cited applies. For undated references, the latest edition
of the referenced document (including any amendments) applies.
IEC 60880, Nuclear power plants – Instrumentation and control systems important to safety –
Software aspects for computer-based systems performing category A functions
IEC 60987, Nuclear power plants – Instrumentation and control important to safety –
Hardware design requirements for computer-based systems
IEC 61226, Nuclear power plants – Instrumentation and control systems important for safety –
Classification of instrumentation and control functions
IEC 61513, Nuclear power plants – Instrumentation and control for systems important to
safety – General requirements for systems
IEC 62138, Nuclear power plants – Instrumentation and control important for safety –
Software aspects for computer-based systems performing category B and C functions
IAEA Safety Guide NS-G-1.3, Instrumentation and Control Systems Important to Safety in
Nuclear Power Plants
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1
automatic test
a test in which the operation of all or part of the instrumentation and control system is
checked in a completely automatic sequence. The automatic test sequence can be started
either manually by the operator, cyclically by a clock or automatically by the verification of a
well-defined condition
3.2
availability
the ability of an item to be in a state to perform a required function under given conditions at a
given instant of time or over a given time interval, assuming that the required external
resources are provided
[IEV 191-02-05]
3.3
bypass
a device to inhibit, deliberately but temporarily, the functioning of a circuit or system by, for
example, short circuiting the contacts of a relay.
• maintenance bypass: a bypass of safety system equipment during maintenance, testing
or repair;
• operational bypass: a bypass of certain protective actions when they are not necessary
in a particular mode of plant operation
[IAEA Safety Glossary, Ed. 2.0 2006]
NOTE 1 A maintenance bypass that is applied to a channel may still leave the safety function operable through
redundancy and majority voting (e.g. two out of four coincidence logic becomes two out of three).
NOTE 2 A maintenance bypass is not the same as an operational bypass. A maintenance bypass may reduce the
degree of redundancy of equipment, but it does not result in the loss of a safety function.
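As an added illustration (not code from the standard or from any I&C vendor), the Python below models three of the test forms listed in Clause 1 and the maintenance-bypass case of NOTE 1 to 3.3: consistency checking of redundant sensor channels, CRC checking of a stored parameter block as a control signature, and m-out-of-n coincidence voting whose quorum shrinks from 2oo4 to 2oo3 when one channel is bypassed. Channel names, readings, the tolerance and the trip set-point are constructed sample values.

```python
"""Constructed illustration of three surveillance-test building blocks named
in Clause 1 and in NOTE 1 to 3.3: consistency checking of redundant sensor
channels, CRC checking of a stored parameter block, and m-out-of-n
coincidence voting whose quorum shrinks when a channel is in maintenance
bypass (2oo4 becomes 2oo3). Not code from the standard; names, tolerance
and sample readings are assumptions."""
import statistics
import zlib
from dataclasses import dataclass


@dataclass
class Channel:
    name: str
    value: float            # reading in engineering units
    bypassed: bool = False  # maintenance bypass applied (3.3)


def sample_channels():
    """Constructed sample: four redundant channels, channel D reading high."""
    return [Channel("A", 100.0), Channel("B", 101.0),
            Channel("C", 99.5), Channel("D", 140.0)]


def consistency_check(channels, tolerance):
    """Information-redundancy test: compare each live (non-bypassed) channel
    with the median of the live channels and report those that deviate by
    more than `tolerance`. A bypassed channel is excluded so that it neither
    skews the reference nor raises spurious alarms."""
    live = [c for c in channels if not c.bypassed]
    if len(live) < 2:
        return []  # one reading cannot be checked against anything
    reference = statistics.median(c.value for c in live)
    return [c.name for c in live if abs(c.value - reference) > tolerance]


def protect_block(payload: bytes) -> bytes:
    """Control-signature test, write side: append a CRC-32 to a parameter
    block (for example stored set-points) when it is written."""
    return payload + zlib.crc32(payload).to_bytes(4, "big")


def crc_check(block: bytes) -> bool:
    """Control-signature test, read side: recompute the CRC-32 over the
    payload and compare it with the stored signature."""
    if len(block) < 4:
        return False  # too short to carry a signature at all
    payload, stored = block[:-4], int.from_bytes(block[-4:], "big")
    return zlib.crc32(payload) == stored


def coincidence_vote(channels, trip_setpoint, m=2):
    """m-out-of-n coincidence logic over the live channels.
    With four channels and m=2 this is 2oo4; bypassing one channel removes it
    from the quorum, giving 2oo3 (NOTE 1 to 3.3): redundancy is reduced but
    the safety function stays operable. If fewer than m live channels remain
    the function can no longer be claimed, which is flagged as an error.
    Returns (trip_demanded, effective_logic)."""
    live = [c for c in channels if not c.bypassed]
    if len(live) < m:
        raise ValueError("fewer live channels than the coincidence requires")
    votes = sum(1 for c in live if c.value >= trip_setpoint)
    return votes >= m, f"{m}oo{len(live)}"


if __name__ == "__main__":
    chans = sample_channels()
    print("suspect channels:", consistency_check(chans, tolerance=5.0))
    print("vote:", coincidence_vote(chans, trip_setpoint=120.0))
    chans[3].bypassed = True  # channel D placed in maintenance bypass
    print("vote with D bypassed:", coincidence_vote(chans, trip_setpoint=120.0))
    block = protect_block(b"trip_setpoint=120.0")
    print("stored block intact:", crc_check(block))
```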
3.4
full functional test
test that includes perturbation of the process variable, detection by the sensor, processing of
the signal(s), actuation of the appropriate sub-assemblies, logic assemblies and actuation
devices
3.5
functional reliability
ability to comply with requirements on complete and correct functionality and performance in:
a) all defined plant operational modes and conditions,
b) all defined plant I&C system operational modes, and
c) the presence of all stipulated failures/failure modes of the plant I&C system under which
correct function and performance are required
3.6
monitoring
means provided to indicate continuously the state or condition of a system, sub-system,
equipment or assembly
[IEV 393-08-48]
3.7
periodic testing
performance of tests at predetermined time points to demonstrate that the functional
capabilities of I&C systems and equipment important to safety are retained and that the
characteristics relevant to the claims of the safety analysis are satisfied
3.8
self-supervision
automatic testing of system hardware performance and software consistency of a computer-
based I&C system
60671 © IEC:2007 – 11 –
3.9
surveillance testing
complete scope of activities to demonstrate that the functional capabilities of I&C systems and
equipment important to safety are retained and confirmation that the design basis
requirements are met
3.10
test duration
the elapsed time between the test initiation and the test termination
3.11
test initiation
the application of a test input
3.12
test input
a real or simulated, but deliberate, perturbation of a measured variable or signal which is
imposed upon all or part of a signal processing device, a logic assembly, or a final actuation
device for the purpose of testing
3.13
test interval
the elapsed time between the initiation of identical tests on the same sensor and signal
processing device, logic assembly or final actuation device
3.14
test termination
the removal of a test input with the results of the test being known
4 Basic principles for surveillance testing
4.1 General
The goals of surveillance testing are to ensure the functional capability of I&C systems and
the related control path to actuate the process components important to safety and to give
periodic confirmation that design basis requirements such as those for reliability, accuracy,
response time and set points are met (Clause 4.82 of IAEA NS-G-1.3).
4.1.1 Surveillance testing of I&C systems and equipment important to safety shall
demonstrate and contribute to the achievement of the desired system reliability and
availability, by means of the detection of faults, and shall call attention to performance that is
not within prescribed limits. Prescribed limits are minimum performance requirements, such
as response time and set-point accuracy and any other characteristics of the system which
are essential to its satisfactory functioning. The surveillance testing has to confirm that the
essential safety features are retained in comparison to a reference status which may originate
from commissioning tests that verify the design basis requirements. While surveillance testing
could permit the detection of some specific wear and ageing mechanisms, the detection scope
is not sufficient to detect a priori all ageing mechanisms. The operability of equipment or a
system under normal conditions is generally not sufficient to lead to judgements on the
conservation of this property under design accident conditions. It is noted that many types of
unrevealed faults that could be a cause of unsafe failures can only be detected by testing.
4.1.2 Surveillance testing shall verify the relevant systems and equipment characteristics
given directly by the safety assessment report, or other relevant safety documents, for the
functions performed by the I&C systems important to safety. It could also be combined with
maintenance tests for performance measures that do not have a direct contribution to safety.
Such tests are not defined as surveillance tests (see 3.1) and are outside the scope of this
standard.
4.2 Gradation of requirements based on category
4.2.1 I&C functions important to safety are assigned a safety category according to the
principles of IEC 61226. The surveillance requirements of the systems and equipment shall be
commensurate with the category of the functions they perform.
4.2.2 I&C systems and equipment performing category A functions shall be periodically
tested to demonstrate proper function.
4.2.3 I&C systems and equipment performing category B functions shall be periodically
tested to the extent determined by an analysis taking into account the reliability goals of the
functions.
4.2.4 I&C systems and equipment performing category C functions may rely on general
periodic observation of acceptable performance for continuously operating functions and on
checks during shutdown periods, for functions which are not continuously operating.
4.2.5 For I&C systems and equipment performing category B or C functions where
redundancy is provided to meet established reliability goals, periodic individual testing of the
functional capacity of all systems or sub-systems shall be included to the extent that faults of
the redundant equipment are not revealed through other means, for example self-supervision.
4.2.6 In the general case, test equipment may be assigned to a lower category than the
systems or equipment that is being tested. However, to the extent that the test features could
interfere in an inappropriate manner with the proper operation of the system or equipment
performing the function important to safety, it shall be assigned to the same category.
4.3 Extent of surveillance testing
4.3.1 The verification of correct operation during reactor operation shall include as much of
the sensor and signal processing devices, of the logic assembly and the final actuation device
under test as possible, without interfering unacceptably with normal plant operation.
4.3.2 Where overall functional testing is not practicable, a series of partially overlapping
tests shall be used in such a way that the combination of partial tests will satisfy all testing
requirements.
4.3.3 Functional tests may be supplemented with continuous monitoring to check for specific
failure modes.
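A check of the overlap rule in 4.3.2, written as an added example that is not part of the standard: the signal path of a full functional test (3.4) is modelled as an ordered chain of stages, and a set of partial tests passes only if every stage and every stage interface is exercised. Stage and test names are constructed for the example.

```python
"""Overlap check for a series of partial surveillance tests.
Added example, not text from IEC 60671. 4.3.2 allows partially overlapping
tests when the full functional test of 3.4 is not practicable; this check
verifies that the partial tests together cover the whole signal path and that
each stage interface lies inside at least one test. Names are constructed."""

# Ordered signal path of a full functional test (3.4); stage names constructed.
SIGNAL_PATH = ["process_perturbation", "sensor", "signal_processing",
               "logic_assembly", "actuation_device"]

# Constructed test plans: each test covers a contiguous segment (first, last).
GOOD_TESTS = {"sensor_check": ("process_perturbation", "sensor"),
              "channel_test": ("sensor", "logic_assembly"),
              "actuator_test": ("logic_assembly", "actuation_device")}
GAPPED_TESTS = {"channel_test": ("signal_processing", "logic_assembly"),
                "actuator_test": ("actuation_device", "actuation_device")}


def check_partial_tests(path, tests):
    """Return (ok, findings) for a set of partial tests over `path`."""
    index = {stage: i for i, stage in enumerate(path)}
    segments = []
    for name, (first, last) in tests.items():
        if first not in index or last not in index or index[first] > index[last]:
            return False, [f"{name}: not a contiguous segment of the signal path"]
        segments.append((index[first], index[last]))
    findings = []
    covered = {i for lo, hi in segments for i in range(lo, hi + 1)}
    for i, stage in enumerate(path):
        if i not in covered:
            findings.append(f"stage '{stage}' is not exercised by any test")
    # Overlap rule: the hand-over from stage i to i+1 must be exercised inside
    # one test, i.e. some test covers both stages; otherwise the interface
    # between two partial tests is never actually tested.
    for i in range(len(path) - 1):
        if not any(lo <= i and hi >= i + 1 for lo, hi in segments):
            findings.append(f"interface '{path[i]}' -> '{path[i + 1]}' "
                            "is not inside any single test")
    return not findings, findings


if __name__ == "__main__":
    for label, plan in (("good", GOOD_TESTS), ("gapped", GAPPED_TESTS)):
        ok, findings = check_partial_tests(SIGNAL_PATH, plan)
        print(label, "ok" if ok else "NOT ok", findings)
```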
4.4 Self-supervision in lieu of periodic testing
I&C systems that have the capability to reveal faults, within a short time interval of their
occurrence, by self-supervision performed by the equipment itself or by supervision of adjunct
equipment, may be excluded from the requirement for periodic testing provided the following
requirements are met.
4.4.1 An analysis shall be performed on such equipment to identify those postulated failure
modes that are revealed by the self-supervision.
4.4.2 Any residual failure modes that are not revealed by self-supervision shall be shown
not to affect the function important to safety of the equipment, or shall be covered by periodic
testing designed to the requirements of this standard.
4.4.3 Equipment faults revealed by self-supervision shall be made known to the plant
operating staff through appropriate alarms and indicating displays.
4.5 Continuous operation in lieu of periodic testing
Equipment that performs its function important to safety on a continuous basis, such as
regulating controls, or that performs its function frequently during normal operation, as
opposed to equipment that performs its function only in response to a plant upset condition or
event, may be excluded from the requirement for periodic testing provided that the following
requirements are met.
4.5.1 Equipment actions and behaviours that are required for a function important to safety
and that are demonstrated on a continuing basis may be excluded from periodic testing.
Deviations of such actions and behaviours from acceptable states shall be made known to the
operating staff by appropriate indicators and alarms.
4.5.2 Equipment actions and behaviours that are required for a function important to safety
and that are not demonstrated on a continuing basis shall be covered by periodic testing.
4.5.3 If the adequate performance of equipment excluded from periodic testing under 4.5.1
(for instance time response or accuracy) cannot be confirmed through observation then other
means shall be provided to confirm its adequate performance.
5 General requirements for surveillance testing
5.1 Design requirements
5.1.1 The I&C system and equipment important to safety, including the final actuation
devices, shall be designed for testing during operation of the nuclear power generating
station, as well as during station shut-down (attention is drawn to 7.2). This design shall
permit independent testing of redundant assemblies while maintaining the system capability to
respond to bona-fide signals during operation.
5.1.2 The design shall provide for periodic testing to simulate accident signal trajectories, as
closely as practicable, to verify the performance of the system required. The test shall be
such as to demonstrate the full functional capability of the items under test.
5.1.3 Testing equipment shall not cause a loss of independence between redundant
assemblies.
5.1.4 I&C systems and equipment shall be designed with due consideration of the impact of
testing on plant availability and operation. Redundant equipment with coincidence logic
should be provided, where necessary, to fulfil this provision.
NOTE This is not always possible for all parts of a system, for example for final actuation devices.
5.1.5 The I&C system and equipment important to safety and the testing equipment shall be
designed so as to avoid functional degradation while under test. In all cases where the I&C
system important to safety includes redundancy, it shall be designed so that while a signal
processing channel and the associated logic assembly are under test, the function can be
provided by the remaining part of the system not under test even if the system is degraded by
a single random failure. An artificial actuation signal may be induced as part of the testing
procedure to fulfil this requirement.
NOTE "One out of two" systems can be justified for exemption of the single-failure criterion during surveillance
testing, provided that the reliability goals for the function are met.
5.1.6 Testability shall be considered in the selection of all components of I&C systems
important to safety. Sensors should be accessible and, where practicable, installed so that
their performance capability can be verified in situ. Selection of actuation devices shall
consider their state indication capability.
5.1.7 A means of communication shall be provided between remote testing stations and the
main control room to ensure that station operators are cognizant of the state of the systems
under test.
5.1.8 Signal processing channels to be tested shall be capable of accepting simulated
actuation signals in lieu of sensor output so that actuation of the signal processing channel
can be verified from the point of test input, for example, during testing, to assist in verifying
the overall response time of the I&C system important to safety.
5.1.9 The signal path for the test signal after the point of injection shall be the same as the
signal path for the plant signa
...