EN 60987:2009
Nuclear power plants - Instrumentation and control important to safety - Hardware design requirements for computer-based systems
Is applicable to computer-system hardware for systems of Class 1 and 2 (as defined by IEC 61513) in nuclear power plants. This new edition reflects recent developments in computer system hardware design, the use of pre-developed hardware and changes in terminology.
Kernkraftwerke - Leittechnische Systeme mit sicherheitstechnischer Bedeutung - Anforderungen an die Hardware-Auslegung rechnerbasierter Systeme
Centrales nucléaires de puissance - Instrumentation et contrôle-commande importants pour la sûreté - Exigences applicables à la conception du matériel des systèmes informatisés
Is applicable to the hardware of computer-based systems of Class 1 and 2 (as defined in IEC 61513) in nuclear power plants. This new edition takes into account recent developments in the design of computer system hardware, the use of commercially available off-the-shelf pre-developed hardware, and changes in terminology.
Nuclear power plants - Instrumentation and control important to safety - Hardware design requirements for computer-based systems (IEC 60987:2007, modified)
This International Standard applies to NPP computer-system hardware for systems of Class 1 and 2 (as defined by IEC 61513). The structure of this standard has not changed significantly from the original 1989 issue; however, some issues are now covered by standards issued in the interim (for example, IEC 61513 for system architecture design), and references to new standards are provided where applicable. The text of the standard has been modified to reflect developments in computer system hardware design, the use of pre-developed hardware (for example, COTS) and changes in terminology. Computer hardware facilities used for software loading and checking are not considered to form an intrinsic part of a system important to safety and, as such, are outside the scope of this standard. Although the primary aim of this standard is to address aspects of new hardware development, the processes defined in this standard may also be used to guide the assessment and use of pre-developed hardware, such as COTS hardware. The text provides guidance on the interpretation of the requirements of this standard when used for the assessment of such components. In particular, the quality assurance requirements of 4.3 concerning configuration control apply. Pre-developed components may contain firmware (as defined in 3.8); where the firmware software is deeply embedded and effectively "transparent" to the user, IEC 60987 should be used to guide the assessment process for such components. An example of where this approach is appropriate is the assessment of modern processors which contain microcode. Such code is generally an integral part of the "hardware", and it is therefore appropriate for the processor (including the microcode) to be assessed as an integrated hardware component using this standard.
Software which is not firmware, as described above, is developed and assessed according to the requirements of the relevant software standard (for example, IEC 60880 for Class 1 systems and IEC 62138 for Class 2 systems). I&C components may include programmable logic devices whose specific application logic is designed by the designer of the I&C component rather than by the chip manufacturer. Examples of such devices include complex programmable logic devices (CPLD) and field programmable gate arrays (FPGA). While the programmable nature of these devices gives the development processes used for them some of the characteristics of a software development process, the design processes for such devices are very similar to those used to design logic circuits implemented with discrete gates and integrated circuit packages. The design processes and design verification applied to programmable logic devices should therefore comply with the relevant requirements of this standard (i.e. taking into account the particular features of the design processes of such devices). Where software-based tools are used to support the design processes for programmable logic devices, those software tools should generally follow the guidance for software-based development tools in the appropriate software standard, i.e. IEC 60880 (Class 1 systems) or IEC 62138 (Class 2 systems).
General Information
- Status: Withdrawn
- Publication Date: 25-Jun-2009
- Withdrawal Date: 31-May-2012
- Technical Committee: CLC/TC 45AX - Nuclear power plants
- Drafting Committee: IEC/SC 45A
- Parallel Committee: IEC/SC 45A
- Current Stage: 9960 - Withdrawal effective - Withdrawal
- Start Date: 16-Feb-2018
- Completion Date: 16-Feb-2018
Relations
- Effective Date: 29-Jan-2023
Frequently Asked Questions
EN 60987:2009 is a standard published by CLC. Its full title is "Nuclear power plants - Instrumentation and control important to safety - Hardware design requirements for computer-based systems". This standard covers computer-system hardware for systems of Class 1 and 2 (as defined by IEC 61513) in nuclear power plants. This new edition reflects recent developments in computer system hardware design, the use of pre-developed hardware and changes in terminology.
EN 60987:2009 is classified under the following ICS (International Classification for Standards) categories: 27.120.20 - Nuclear power plants. Safety. The ICS classification helps identify the subject area and facilitates finding related standards.
EN 60987:2009 has the following relationship with other standards: it has an inter-standard link to EN 60987:2015. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.
EN 60987:2009 is available in PDF format for immediate download after purchase. The document can be added to your cart and obtained through the secure checkout process. Digital delivery ensures instant access to the complete standard document.
Standards Content (Sample)
SLOVENIAN STANDARD
1 January 2010
Nuclear power plants - Instrumentation and control important to safety - Hardware design requirements for computer-based systems (IEC 60987:2007, modified)
Nuclear power plants - Instrumentation and control important to safety - Hardware design
requirements for computer-based systems
Kernkraftwerke - Leittechnische Systeme mit sicherheitstechnischer Bedeutung -
Anforderungen an die Hardware-Auslegung rechnerbasierter Systeme
Centrales nucléaires de puissance - Instrumentation et contrôle-commande importants
pour la sûreté - Exigences applicables à la conception du matériel des systèmes
informatisés
This Slovenian standard is identical to: EN 60987:2009
ICS:
27.120.20 Nuclear power plants. Safety
2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.
EUROPEAN STANDARD
NORME EUROPÉENNE
EUROPÄISCHE NORM
EN 60987
June 2009
ICS 27.120.20
English version
Nuclear power plants -
Instrumentation and control important to safety -
Hardware design requirements for computer-based systems
(IEC 60987:2007, modified)
Centrales nucléaires de puissance - Instrumentation et contrôle-commande importants pour la sûreté - Exigences applicables à la conception du matériel des systèmes informatisés (CEI 60987:2007, modifiée)
Kernkraftwerke - Leittechnische Systeme mit sicherheitstechnischer Bedeutung - Anforderungen an die Hardware-Auslegung rechnerbasierter Systeme (IEC 60987:2007, modifiziert)
This European Standard was approved by CENELEC on 2009-06-01. CENELEC members are bound to comply
with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard
the status of a national standard without any alteration.
Up-to-date lists and bibliographical references concerning such national standards may be obtained on
application to the Central Secretariat or to any CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other
language made by translation under the responsibility of a CENELEC member into its own language and notified
to the Central Secretariat has the same status as the official versions.
CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Cyprus, the
Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia,
Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain,
Sweden, Switzerland and the United Kingdom.
CENELEC
European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung
Central Secretariat: Avenue Marnix 17, B - 1000 Brussels
© 2009 CENELEC - All rights of exploitation in any form and by any means reserved worldwide for CENELEC members.
Ref. No. EN 60987:2009 E
Foreword
The text of the International Standard IEC 60987:2007, prepared by SC 45A, Instrumentation and
control of nuclear facilities, of IEC TC 45, Nuclear instrumentation, together with the common
modifications prepared by the Technical Committee CENELEC TC 45AX, Instrumentation and control
of nuclear facilities, was submitted to the formal vote and was approved by CENELEC as EN 60987
on 2009-06-01.
The following dates were fixed:
– latest date by which the EN has to be implemented at national level by publication of an identical national standard or by endorsement (dop): 2010-06-01
– latest date by which the national standards conflicting with the EN have to be withdrawn (dow): 2012-06-01
Annex ZA has been added by CENELEC.
– 3 – EN 60987:2009
Endorsement notice
The text of the International Standard IEC 60987:2007 was approved by CENELEC as a European
Standard with agreed common modifications as given below.
COMMON MODIFICATIONS
1 Scope
1.1 General
Replace NOTE 2 by the following text:
The more complex hardware components are out of the scope of EN 60987. IEC/SC 45A accepted new work items to cover the cases of those more complex hardware components (e.g. IEC 62566, under development when EN 60987 was published).
Annex ZA
(normative)
Normative references to international publications
with their corresponding European publications
The following referenced documents are indispensable for the application of this document.
For dated references, only the edition cited applies. For undated references, the latest edition
of the referenced document (including any amendments) applies.
NOTE When an international publication has been modified by common modifications, indicated by (mod), the relevant EN/HD
applies.
Publication | Year | Title | EN/HD | Year
IEC 60780 | - 1) | Nuclear power plants - Electrical equipment of the safety system - Qualification | - | - 2)
IEC 60812 | - 1) | Analysis techniques for system reliability - Procedure for failure mode and effects analysis (FMEA) | EN 60812 | 2006
IEC 60880 | - 1) | Nuclear power plants - Instrumentation and control systems important to safety - Software aspects for computer-based systems performing category A functions | - | -
IEC 61000 | Series | Electromagnetic compatibility (EMC) | EN 61000 | Series
IEC 61025 | - 1) | Fault tree analysis (FTA) | EN 61025 | 2)
IEC 61513 | 2001 | Nuclear power plants - Instrumentation and control for systems important for safety - General requirements for systems | - | -
IEC 62138 | - 1) | Nuclear power plants - Instrumentation and control important for safety - Software aspects for computer-based systems performing category B or C functions | - | - 2)
ISO 9001 | - 1) | Quality management systems - Requirements | EN ISO 9001 | 2008
IAEA NS-G 1.3 | - 1) | Instrumentation and control systems important to safety in nuclear power plants | - | -
IAEA 50-C/SG-Q | 1996 | Quality assurance for safety in nuclear power plants and other nuclear installations | - | -
1) Undated reference.
2) Valid edition at date of issue.
IEC 60987
Edition 2.0 2007-08
INTERNATIONAL STANDARD
NORME INTERNATIONALE
Nuclear power plants – Instrumentation and control important to safety –
Hardware design requirements for computer-based systems
Centrales nucléaires de puissance – Instrumentation et contrôle-commande
importants pour la sûreté – Exigences applicables à la conception du matériel
des systèmes informatisés
INTERNATIONAL ELECTROTECHNICAL COMMISSION
COMMISSION ELECTROTECHNIQUE INTERNATIONALE
PRICE CODE / CODE PRIX: V
ICS 27.120.20 ISBN 2-8318-9285-6
– 2 – 60987 © IEC:2007
CONTENTS
FOREWORD ... 4
INTRODUCTION ... 6
1 Scope ... 8
1.1 General ... 8
1.2 Use of this standard for pre-developed (for example, COTS) hardware assessment ... 8
1.3 Applicability of this standard to programmable logic devices development ... 9
2 Normative references ... 9
3 Terms and definitions ... 10
4 Project structure ... 12
4.1 General ... 12
4.2 Project subdivision ... 12
4.3 Quality assurance ... 12
5 Hardware requirements ... 13
5.1 General ... 13
5.2 Functional and performance requirements ... 14
5.3 Reliability/Availability requirements ... 15
5.4 Environmental withstand requirements ... 16
5.5 Documentation requirements ... 16
6 Design and development ... 17
6.1 General ... 17
6.2 Design activities ... 17
6.3 Reliability ... 18
6.4 Maintenance ... 18
6.5 Interfaces ... 19
6.6 Modification ... 19
6.7 Power failure ... 19
6.8 Component selection ... 19
6.9 Design documentation ... 19
7 Verification and validation ... 20
7.1 General ... 20
7.2 Verification plan ... 20
7.3 Independence of verification ... 21
7.4 Methods ... 21
7.5 Documentation ... 22
7.6 Discrepancies ... 22
7.7 Changes and modifications ... 22
7.8 Installation verification ... 22
7.9 Validation ... 22
7.10 Verification of pre-existing equipment platforms ... 22
8 Qualification ... 23
9 Manufacture ... 23
10 Installation and commissioning ... 23
11 Maintenance ... 23
11.1 Maintenance requirements ... 24
11.2 Failure data ... 24
11.3 Maintenance documentation ... 25
12 Modification ... 26
13 Operation ... 26
Annex A (informative) Overview of system life cycle ... 27
Annex B (informative) Outline of qualification ... 28
Annex C (informative) Example of maintenance procedure ... 29
Bibliography ... 30
INTERNATIONAL ELECTROTECHNICAL COMMISSION
NUCLEAR POWER PLANTS –
INSTRUMENTATION AND CONTROL
IMPORTANT TO SAFETY –
HARDWARE DESIGN REQUIREMENTS
FOR COMPUTER-BASED SYSTEMS
FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, IEC publishes International Standards, Technical Specifications,
Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC
Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested
in the subject dealt with may participate in this preparatory work. International, governmental and non-
governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely
with the International Organization for Standardization (ISO) in accordance with conditions determined by
agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence
between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in
the latter.
5) IEC provides no marking procedure to indicate its approval and cannot be rendered responsible for any
equipment declared to be in conformity with an IEC Publication.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of
patent rights. IEC shall not be held responsible for identifying any or all such patent rights.
International Standard IEC 60987 has been prepared by subcommittee 45A: Instrumentation
and control of nuclear facilities, of IEC technical committee 45: Nuclear instrumentation.
This second edition cancels and replaces the first edition published in 1989. This edition
includes the following significant technical changes with respect to the previous edition:
• account has been taken of the fact that computer design engineering techniques have
advanced significantly in the intervening years;
• update of the format to align with the current IEC/ISO directives on the style of standards;
• alignment of the standard with the new revisions of IAEA documents NS-R-1 and NS-G-1.3, which includes as far as possible an adaptation of the definitions;
• replacement, as far as possible, of the requirements associated with standards published
since the first edition, especially IEC 61513, IEC 60880, edition 2, and IEC 62138;
• review of the existing requirements and updating of the terminology and definitions.
The text of this standard is based on the following documents:
FDIS Report on voting
45A/662/FDIS 45A/666/RVD
Full information on the voting for the approval of this standard can be found in the report on
voting indicated in the above table.
This publication has been drafted in accordance with the ISO/IEC Directives, Part 2.
The committee has decided that the contents of this publication will remain unchanged until
the maintenance result date indicated on the IEC web site under "http://webstore.iec.ch" in
the data related to the specific publication. At this date, the publication will be
• reconfirmed,
• withdrawn,
• replaced by a revised edition, or
• amended.
INTRODUCTION
a) Technical background, main issues and organization of the standard
The basic principles for the design of nuclear instrumentation, as specifically applied to the
safety systems of nuclear power plants, were first interpreted in nuclear standards with
reference to hardwired systems in IAEA Safety Guide 50-SG-D3 which has been superseded
by IAEA Guide NS-G-1.3.
IEC 60987 was first issued in 1989 to cover the hardware aspects of digital systems design
for systems important to safety, i.e. safety systems and safety-related systems.
Although many of the requirements within the original issue continue to be relevant, there
were significant factors which justified the development of this revised edition of IEC 60987, in
particular:
– a new standard has been produced which addresses in detail the general requirements for
nuclear systems important to safety (IEC 61513);
– the use of pre-developed system platforms, rather than bespoke developments, has
increased significantly.
b) Situation of the current standard in the structure of the IEC SC 45A standard series
The first-level IEC SC 45A standard for computer-based systems important to safety in
nuclear power plants (NPPs) is IEC 61513. IEC 60987 is a second-level IEC SC 45A standard
which addresses the generic issue of hardware design of computerized systems.
IEC 60880 and IEC 62138 are second-level standards which together cover the software
aspects of computer-based systems used to perform functions important to safety in NPPs.
IEC 60880 and IEC 62138 make direct reference to IEC 60987 for hardware design.
The requirements of IEC 60780 for equipment qualification are referenced within IEC 60987.
For modules to be used in the design of a specific system important to safety, relevant and
auditable operating experience from nuclear or other applications as described in IEC 60780,
in combination with the application of rigorous quality assurance programmes, may be an
acceptable method of qualification.
For more details on the structure of the SC 45A standard series, see item d) of this
introduction.
c) Recommendations and limitations regarding the application of the standard
It is important to note that this standard establishes no additional functional requirements for
Class 1 or Class 2 systems (see IEC 61513 for system classification requirements).
Aspects for which special recommendations have been produced (so as to assure the
production of highly reliable systems), are:
– a general approach to computing hardware development;
– a general approach to hardware verification and to the hardware aspects of computer
system validation.
It is recognized that computer technology is continuing to develop and that it is not possible
for a standard such as this to include references to all modern design technologies and
techniques. To ensure that the standard will continue to be relevant in future years the
emphasis has been placed on issues of principle, rather than specific hardware design
technologies. If new design techniques are developed then it should be possible to assess the
suitability of such techniques by adapting and applying the design principles contained within
this standard.
The scope of this standard covers digital systems hardware for Class 1 and Class 2 systems.
This includes multiprocessor distributed systems and single processor systems; it covers the
assessment and use of pre-developed items, for example, commercial off-the-shelf items
(COTS), and the development of new hardware.
d) Description of the structure of the SC 45A standard series and relationships with
other IEC, IAEA and ISO documents
The top-level document of the IEC SC 45A standard series is IEC 61513. It provides general
requirements for I&C systems and equipment that are used to perform functions important to
safety in NPPs. IEC 61513 structures the IEC SC 45A standard series.
IEC 61513 refers directly to other IEC SC 45A standards for general topics related to
categorization of functions and classification of systems, qualification, separation of systems,
defence against common-cause failure, software aspects of computer-based systems,
hardware aspects of computer-based systems, and control room design. The standards
referenced directly at this second level should be considered together with IEC 61513 as a
consistent document set.
At a third level, IEC SC 45A standards not referenced directly by IEC 61513 are standards
related to specific equipment, technical methods, or specific activities. Usually these
documents, which make reference to second-level documents for general topics, can be used
on their own.
A fourth level extending the IEC SC 45A standard series, corresponds to technical reports
which are not normative documents.
IEC 61513 has adopted a presentation format similar to the basic safety publication
IEC 61508 with an overall safety life-cycle framework and a system life-cycle framework and
provides an interpretation of the general requirements of IEC 61508-1, IEC 61508-2 and
IEC 61508-4, for the nuclear application sector. Compliance with IEC 61513 will facilitate
consistency with the requirements of IEC 61508 as they have been interpreted for the nuclear
industry. In this framework, IEC 60880 and IEC 62138 correspond to IEC 61508-3 for the
nuclear application sector.
IEC 61513 refers to ISO 9001 as well as to IAEA 50-C-QA (now replaced by IAEA 50-C/SG-Q)
for topics related to quality assurance (QA).
The IEC SC 45A standards series consistently implements and details the principles and
basic safety aspects provided in the IAEA Code on the safety of NPPs and in the IAEA safety
series, in particular the requirements of NS-R-1, establishing safety requirements related to
the design of NPPs, and Safety Guide NS-G-1.3 dealing with instrumentation and control
systems important to safety in NPPs. The terminology and definitions used by SC 45A
standards are consistent with those used by the IAEA.
NUCLEAR POWER PLANTS –
INSTRUMENTATION AND CONTROL
IMPORTANT TO SAFETY –
HARDWARE DESIGN REQUIREMENTS
FOR COMPUTER-BASED SYSTEMS
1 Scope
1.1 General
This International Standard is applicable to NPP computer-system hardware for systems of
Class 1 and 2 (as defined by IEC 61513).
The structure of this standard has not changed significantly from the original 1989 issue;
however, some issues are now covered by standards which have been issued in the interim
(for example, IEC 61513 for system architecture design) and references to new standards
have been provided where applicable. The text of the standard has also been modified to
reflect developments in computer system hardware design, the use of pre-developed (for
example, COTS) hardware and changes in terminology.
Computer hardware facilities used for software loading and checking are not considered to
form an intrinsic part of a system important to safety and, as such, are outside the scope of
this standard.
NOTE 1 Class 3 computer-system hardware is not addressed by this standard, and it is recommended that such
systems should be developed to commercial grade standards.
NOTE 2 In 2006 the development of a new standard to address hardware requirements for “very complex”
hardware was discussed within IEC SC 45A. If such a standard is developed then that standard would be used for
the development of “very complex” hardware in preference to IEC 60987.
1.2 Use of this standard for pre-developed (for example, COTS) hardware assessment
Although the primary aim of this standard is to address aspects of new hardware
development, the processes defined within this standard may also be used to guide the
assessment and use of pre-developed hardware, such as COTS hardware. Guidance has
been provided in the text concerning the interpretation of the requirements of this standard
when used for the assessment of such components. In particular, the quality assurance
requirements of 4.3, concerning configuration control, apply.
Pre-developed components may contain firmware (as defined in 3.8), and, where firmware
software is deeply embedded, and effectively “transparent” to the user, then IEC 60987 should
be used to guide the assessment process for such components. An example of where this
approach is considered appropriate is in the assessment of modern processors which contain
microcode. Such code is generally an integral part of the “hardware”, and it is therefore
appropriate for the processor (including the microcode) to be assessed as an integrated
hardware component using this standard.
Software which is not firmware, as described above, should be developed or assessed
according to the requirements of the relevant software standard (for example, IEC 60880 for
Class 1 systems and IEC 62138 for Class 2 systems).
1.3 Applicability of this standard to programmable logic devices development
I&C components may include programmable logic devices that are given their specific
application logic design by the designer of the I&C component, as opposed to the chip
manufacturer. Examples of such devices include complex programmable logic devices (CPLD)
and field programmable gate arrays (FPGA).
While the programmable nature of these devices gives the development processes used for
these devices some of the characteristics of a software development process, the design
processes used for such devices are very similar to those used to design logic circuits
implemented with discrete gates and integrated circuit packages. Therefore, the design
processes and design verification applied to programmable logic devices should comply with
the relevant requirements of this standard (i.e. taking into account the particular features of
the design processes of such devices). To the extent that software-based tools are used to
support the design processes for programmable logic devices, those software tools should
generally follow the guidance provided for software-based development tools in the
appropriate software standard, i.e. IEC 60880 (Class 1 systems) or IEC 62138 (Class 2
systems).
2 Normative references
The following referenced documents are indispensable for the application of this document.
For dated references, only the edition cited applies. For undated references, the latest edition
of the referenced document (including any amendments) applies.
IEC 60780, Nuclear power plants – Electrical equipment of the safety system – Qualification
IEC 60812, Analysis techniques for system reliability – Procedures for failure mode and
effects analysis (FMEA)
IEC 60880, Nuclear power plants – Instrumentation and control systems important to safety –
Software aspects for computer-based systems performing category A functions
IEC 61000 (all parts), Electromagnetic compatibility (EMC)
IEC 61025, Fault tree analysis (FTA)
IEC 61513:2001, Nuclear power plants – Instrumentation and control for systems important to
safety – General requirements for systems
IEC 62138, Nuclear power plants – Instrumentation and control important for safety –
Software aspects for computer-based systems performing category B or C functions
ISO 9001, Quality management systems – Requirements
IAEA NS-G 1.3, Instrumentation and control systems important to safety in nuclear power
plants
IAEA 50-C/SG-Q:1996, Quality assurance for safety in nuclear power plants and other nuclear
installations
3 Terms and definitions
For the purposes of this document, the terms and definitions given in IEC 61513, as well as
the following, apply.
3.1
ATE
automated test equipment
3.2
COTS
commercial off-the-shelf; COTS is a subset of pre-developed products
3.3
diversity
existence of two or more different ways or means of achieving a specified objective. Diversity
is specifically provided as a defence against common cause failure. It may be achieved by
providing systems that are physically different from each other or by functional diversity,
where similar systems achieve the specified objective in different ways
[IEC 60880:2006, definition 3.14]
NOTE This definition is wider than that used by the IAEA NS-G-1.3 which is as follows: “The presence of two or
more systems or components to carry out an identified function, where the different systems or components have
different attributes so as to reduce the possibility of common mode failure”. [IEC 61226:2005, definition 3.5]
3.4
firmware
software which is closely coupled to the hardware characteristics on which it is installed. The
presence of firmware is generally “transparent” to the user of the hardware component and,
as such, may be considered to be effectively an integral part of the hardware design (a good
example of such software being processor microcode). Generally, firmware may only be
modified by a user by replacing the hardware components (for example, processor chip, card,
EPROM) which contain this software with components which contain modified software
(firmware). Where this is the case, configuration control of the hardware components by the
users of the equipment effectively provides configuration control of the firmware. Firmware, as
considered by this standard, is effectively software that is built in to the hardware
3.5
FMEA
failure modes and effects analysis
3.6
FTA
fault tree analysis
3.7
NPP
nuclear power plant
3.8
pre-developed
item which already exists, is available as a commercial or proprietary product, and is being
considered for use in a computer-based system
NOTE This definition is consistent with the definition of pre-developed software provided by IEC 61513:2001.
3.9
qualified life
period for which a structure, system or component has been demonstrated, through testing,
analysis or experience, to be capable of functioning within acceptance criteria during specific
operating conditions while retaining the ability to perform its safety functions in a design basis
accident or earthquake
[IAEA Safety Glossary:2006]
3.10
revealed hardware failure
a hardware failure which is detected automatically and reported, for example, a board failure
where a watchdog circuit automatically detects the failure and raises an alarm
3.11
safety-related system
system important to safety that is not part of a safety system
[IAEA Safety Glossary:2006]
3.12
safety system
system important to safety, provided to ensure the safe shutdown of the reactor or the
residual heat removal from the core, or to limit the consequences of anticipated operational
occurrences and design basis accidents
[IAEA Safety Glossary:2006]
3.13
single failure
failure which results in the loss of capability of a system or component to perform its intended
safety function(s), and any consequential failure(s) which result from it
[IAEA Safety Glossary:2006]
3.14
single failure criterion (SFC)
criterion (or requirement) applied to a system such that it is capable of performing its safety
task in the presence of any single failure
[IAEA Safety Glossary:2006]
3.15
systems important to safety
system that is part of a safety group and/or whose malfunction or failure could lead to
radiation exposure of the site personnel or members of the public
[IAEA Safety Glossary:2006]
3.16
system validation
confirmation by examination and provision of other evidence that a system fulfils in its entirety
the requirement specification as intended (functionality, response time, fault tolerance,
robustness)
[IEC 60880:2006, definition 3.42]
3.17
unrevealed hardware failure
hardware failure which is not detected by a system automatically and which only becomes
apparent when an attempt is made to use a function which depends upon the failed hardware.
Such failures may be discovered by functional testing or when an operational demand is
placed upon the system
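The distinction drawn in 3.10 and 3.17 is easier to see with a concrete monitor. The following is an added example, not text or code from IEC 60987: a tick-based simulation in which a halted processor is a revealed failure (a watchdog notices that the heartbeat has stopped advancing and raises an alarm within its timeout), while a stuck output driver is unrevealed (the heartbeat keeps running, so nothing is reported until a periodic functional test or an operational demand exercises the output). The watchdog timeout, the functional-test period, the demand tick and all identifiers are assumptions chosen for illustration.

```c
/* Added example (not part of IEC 60987): contrasts a revealed hardware failure
 * (watchdog sees the heartbeat stop) with an unrevealed one (stuck output that
 * only a functional test or a demand can expose). Tick values are assumptions. */
#include <stdio.h>
#include <stdbool.h>

#define WD_TIMEOUT_TICKS     3   /* assumed watchdog timeout, in ticks */
#define PROOF_TEST_INTERVAL  50  /* assumed functional-test period, in ticks */
#define TRIP_DEMAND_TICK     80  /* assumed tick at which a real demand arrives */

struct board {
    bool cpu_alive;      /* false models a halted processor: heartbeat stops */
    bool output_stuck;   /* true models a driver stuck in the "not tripped" state */
    unsigned heartbeat;  /* incremented by the application task each healthy tick */
};

struct monitor {
    unsigned last_seen;  /* heartbeat value at the last watchdog check */
    unsigned missed;     /* consecutive ticks without heartbeat progress */
    bool alarm;          /* watchdog alarm raised */
};

/* Application task: advances the heartbeat only while the CPU is alive. */
static void app_tick(struct board *b)
{
    if (b->cpu_alive)
        b->heartbeat++;
}

/* Watchdog: trips after WD_TIMEOUT_TICKS without heartbeat progress.
 * A failure it can see this way is a revealed failure (3.10). */
static bool watchdog_tick(struct monitor *m, const struct board *b)
{
    if (b->heartbeat != m->last_seen) {
        m->last_seen = b->heartbeat;
        m->missed = 0;
    } else if (++m->missed >= WD_TIMEOUT_TICKS) {
        m->alarm = true;
    }
    return m->alarm;
}

/* Command the output and read it back. A stuck driver is only visible here,
 * i.e. when the function that depends on it is actually used (3.17). */
static bool output_exercise(const struct board *b)
{
    bool commanded_trip = true;
    bool readback = b->output_stuck ? false : commanded_trip;
    return readback == commanded_trip;
}

/* Run the simulation. kind: 'c' = CPU halts at fail_tick,
 * 'o' = output sticks at fail_tick. Returns the tick at which the failure
 * is detected, or -1 if it is not detected within max_ticks. */
int ticks_to_detect(char kind, int fail_tick, int max_ticks)
{
    struct board b = { true, false, 0 };
    struct monitor m = { 0, 0, false };
    for (int t = 1; t <= max_ticks; t++) {
        if (t == fail_tick) {
            if (kind == 'c') b.cpu_alive = false;
            if (kind == 'o') b.output_stuck = true;
        }
        app_tick(&b);
        if (watchdog_tick(&m, &b))
            return t;  /* revealed: reported automatically */
        bool exercising = (t % PROOF_TEST_INTERVAL == 0) || (t == TRIP_DEMAND_TICK);
        if (exercising && !output_exercise(&b))
            return t;  /* unrevealed until now: exposed by test or demand */
    }
    return -1;
}

int main(void)
{
    printf("CPU halt at tick 10 detected at tick %d\n", ticks_to_detect('c', 10, 1000));
    printf("Output stuck at tick 10 detected at tick %d\n", ticks_to_detect('o', 10, 1000));
    printf("Output stuck at tick 55 detected at tick %d\n", ticks_to_detect('o', 55, 1000));
    return 0;
}
```

The halted CPU is caught two ticks after it stops, whatever else is going on. The stuck output is invisible to the watchdog and is found either at the next functional test (tick 50 for a failure at tick 10) or, worse, by the demand itself (tick 80 for a failure at tick 55), which is why the functional-test interval, not the watchdog timeout, bounds the exposure time of an unrevealed failure.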
3.18
verification
confirmation by examination and by provision of objective evidence that the results of an
activity meet the objectives and requirements defined for this activity (ISO 12207)
[IEC 62138:2004, definition 3.35]
4 Project structure
4.1 General
A project established to produce a computer-based system important to safety should be
divided up into a number of phases. Each phase should be to some extent self-contained but
will depend on other phases for input and will, in turn, provide outputs for other phases. The
various project phases together are considered to form the overall safety life cycle (see
IEC 61513, Clause 5, which provides requirements for system life cycles). IEC 61513 allows
project phases to be performed in parallel providing the integrity of the development process
is not compromised.
A quality assurance plan shall be applied to the hardware production process.
4.2 Project subdivision
The following general requirements define the hardware development life-cycle requirements
for computer-based systems within the scope of this standard.
a) The hardware development life cycle shall be compatible with the whole system life cycle
(Annex A).
b) Each sub-phase of the hardware development life cycle shall consist of well-defined and
documented activities.
c) Pre-existing hardware products (for example, COTS) to be included in the design shall be
checked, verified and tested as appropriate before use.
d) Adequate means (i.e. spare parts, devices for test and maintenance, etc.) and
accommodation (i.e. laboratories, workshops, space, etc.) shall be provided to carry out
the tasks associated with each development phase.
e) Each development phase shall include the production of appropriate documentation.
f) Each development phase shall be concluded by performing verification (see Clause 7).
g) Every verification activity shall result in auditable records documenting the conclusions
reached and any design changes resulting from the verification performed.
h) All work activities shall be scheduled to ensure that adequate time is allowed for the following:
1) the resolution of any interactions between the hardware and software development
phases required to ensure system hardware/software compatibility;
2) the production of documentation, and the performance of testing, verification and
quality assurance activities.
4.3 Quality assurance
The design and development process shall meet the relevant requirements of IAEA 50-C/SG-
Q (compliance with ISO 9001 is one acceptable method of meeting these requirements). A
hardware quality assurance plan shall exist either as a separate document (or documents) or
as part of an overall quality assurance plan. The plan shall address the use of pre-existing
hardware and the development of hardware as required. All hardware quality-related activities
to be performed by the plant operator, owner, contractors and subcontractors as part of the
hardware development process should be included in the quality assurance plan.
4.3.1 The plan should address the following phases, as they are applicable to any particular
system or development:
a) design and development;
b) procurement;
c) manufacturing;
d) construction and commissioning;
e) operation and maintenance.
4.3.2 It is not a requirement that all the phases listed above be addressed before the design
process begins, but, before each phase is initiated, a plan addressing the requirements of that
phase shall be in place.
4.3.3 The quality assurance plan(s) should describe the organization, management and
execution of quality related activities, including, as relevant:
a) documentation configuration control;
b) the design process;
c) the procurement process for goods and services;
d) configuration control of build instructions, build procedures and drawings;
e) configuration control of materials and items to be used to build the system hardware;
f) quality control activities, such as formal inspections;
g) control of test equipment;
h) control of hardware handling/storage/shipping;
i) the testing process;
j) monitoring of nonconformances raised and the implementation of corrective actions;
k) the procedure for storing quality assurance records;
l) the procedure for internal audits.
5 Hardware requirements
5.1 General
5.1.1 The hardware requirements shall be consistent with the requirements of the system
and form part of the computer-system specification (see IEC 61513:2001, Clause 6). The
computer-system specification is a description of the combined hardware/software system and
states the design objectives for the system and the functions to be performed by the computer
system (systems may be developed for a particular application or may be developed
generically, i.e. platform development, in which case development is based upon derived
generic system requirements).
5.1.2 The hardware requirements shall be specified in the system hardware requirements
specification, or in some other suitable document.
5.1.3 Hardware requirements shall be presented according to a technique or method whose
format shall not preclude readability, i.e. the hardware requirements should not be difficult to
understand.
5.1.4 Functional hardware requirements shall be unambiguous, testable and/or verifiable
and achievable.
5.1.5 The hardware requirements specification should give an overview of hardware
requirements, identify the hardware functions important to nuclear safety (however, if these
are provided in combination with the system software they should be defined in the system
requirements specification), identify the hardware design requirements, state hardware
reliability requirements, and state the hardware environmental withstand requirements.
5.1.6 The hardware requirements for computer systems may include requirements which are
applicable to hardware in general as well as requirements which are particular to computer
system hardware (for example, cabling, surface preparation of enclosures).
5.1.7 The hardware functional requirements should generally describe what has to be done
and not how it has to be done. However, the use of pre-existing components/platforms may
result in a degree of bottom-up hardware design. Before such pre-existing components are
selected for use, an assessment shall be performed to confirm that the hardware performance
characteristics (for example, failure modes) are consistent with system requirements. If any
anomalies are found then these shall be reconciled, either by modifying the hardware design
or the system design (while ensuring that system nuclear safety requirements are not
compromised).
5.2 Functional and performance requirements
5.2.1 The hardware functional and performance requirements shall be consistent with the
functional and performance requirements of the system important to safety.
5.2.2 The hardware functional and performance requirements, combined with the software
requirements (to the extent necessary to address all hardware requirements), shall be verified
for compliance with the system requirements.
5.2.3 All parts of the system, down to the component level, which contain software shall be
assessed as described in 1.2 of this standard.
a) The hardware functional requirements shall include, but are not restricted to, the definition
of
1) the purpose of the overall computer system hardware and of each hardware sub-
system;
2) the numbers and types of sensors and actuators to be connected to the computer
system;
3) the numbers and types of devices for the man/machine interface such as displays,
printers and keyboards.
b) Each component or subsystem delivered by a supplier, and which is to be integrated into
the system, should be accompanied by a specification which addresses all safety-related
aspects of the performance of that item. If such a specification is not provided, then an
analysis shall be performed to determine the hardware design characteristics of the
component to the extent necessary to confirm its suitability.
c) The hardware performance requirements shall include (as applicable to any particular
application)
1) required data acquisition rate;
2) required data handling capability;
3) required computational capacity;
4) required reliability/availability;
5) required communications interfaces (protocols, transmission speeds);
6) required computational and conversion accuracy;
7) required signal noise rejection capability;
8) required response times;
9) physical size limitations;
10) geographic requirements (for example, length of data transmission lines);
11) required level of spare capacity (if required);
12) environmental withst
...