EN 60880:2009

SLOVENSKI STANDARD
01-januar-2010
-HGUVNHHOHNWUDUQH0HULOQDLQQDG]RUQDRSUHPD]D]DJRWDYOMDQMHYDUQRVWL
=QDþLOQRVWLSURJUDPVNHRSUHPHUDþXQDOQLãNLKVLVWHPRYNLL]YDMDMRNDWHJRULMR
IXQNFLM$,(&
Nuclear power plants - Instrumentation and control systems important to safety -
Software aspects for computer-based systems performing category A functions
Kernkraftwerke - Leittechnik für Systeme mit sicherheitstechnischer Bedeutung -
Softwareaspekte für rechnerbasierte Systeme zur Realisierung von Funktionen der
Kategorie A
Centrales nucléaires de puissance - Instrumentation et contrôle-commande importants
pour la sûreté - Aspects logiciels des systèmes programmés réalisant des fonctions de
catégorie A
Ta slovenski standard je istoveten z: EN 60880:2009
ICS:
27.120.20 Jedrske elektrarne. Varnost Nuclear power plants. Safety
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

EUROPEAN STANDARD
EN 60880
NORME EUROPÉENNE
October 2009
EUROPÄISCHE NORM
ICS 27.120.20
English version
Nuclear power plants -
Instrumentation and control systems important to safety -
Software aspects for computer-based systems
performing category A functions
(IEC 60880:2006)
Centrales nucléaires de puissance -  Kernkraftwerke -
Instrumentation et contrôle-commande Leittechnik für Systeme
importants pour la sûreté - mit sicherheitstechnischer Bedeutung -
Aspects logiciels des systèmes Softwareaspekte für rechnerbasierte
programmés réalisant des fonctions Systeme zur Realisierung
de catégorie A von Funktionen der Kategorie A
(CEI 60880:2006) (IEC 60880:2006)

This European Standard was approved by CENELEC on 2009-07-01. CENELEC members are bound to comply
with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard
the status of a national standard without any alteration.

Up-to-date lists and bibliographical references concerning such national standards may be obtained on
application to the Central Secretariat or to any CENELEC member.

This European Standard exists in three official versions (English, French, German). A version in any other
language made by translation under the responsibility of a CENELEC member into its own language and notified
to the Central Secretariat has the same status as the official versions.

CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Cyprus, the
Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia,
Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain,
Sweden, Switzerland and the United Kingdom.

CENELEC
European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung

Central Secretariat: Avenue Marnix 17, B - 1000 Brussels

© 2009 CENELEC - All rights of exploitation in any form and by any means reserved worldwide for CENELEC members.
Ref. No. EN 60880:2009 E
Foreword
The text of the International Standard IEC 60880:2006, prepared by SC 45A, Instrumentation and
control of nuclear facilities, of IEC TC 45, Nuclear instrumentation, was submitted to the formal vote
and was approved by CENELEC as EN 60880 on 2009-07-01 without any modification.
The following dates were fixed:
– latest date by which the EN has to be implemented
at national level by publication of an identical
national standard or by endorsement (dop) 2010-07-01
– latest date by which the national standards conflicting
with the EN have to be withdrawn (dow) 2012-07-01
CLC/TC 45AX experts draw attention to the readers of this European standard to the fact that it should
be read in conjunction with IAEA document INSAG-10, 1996, “Defence in Depth in Nuclear Safety”
which applies.
__________
Endorsement notice
The text of the International Standard IEC 60880:2006 was approved by CENELEC as a European
Standard without any modification.
__________
- 3 - EN 60880:2009
Annex ZA
(normative)
Normative references to international publications
with their corresponding European publications

The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.

NOTE  When an international publication has been modified by common modifications, indicated by (mod), the relevant EN/HD
applies.
Publication Year Title EN/HD Year
1)
IEC 60671 - Nuclear power plants - Instrumentation - -
and control systems important to safety -
Surveillance testing
IEC 61069-2 1993 Industrial-process measurement and EN 61069-2 1994
control - Evaluation of system properties
for the purpose of system assessment -
Part 2: Assessment methodology
1)
IEC 61226 - Nuclear power plants - Instrumentation - -
and control systems important to safety -
Classification of instrumentation and
control functions
1) 2)
IEC 61508-4 - Functional safety of EN 61508-4 2001
electrical/electronic/programmable
electronic safety-related systems -
Part 4: Definitions and abbreviations
1)
IEC 61513 - Nuclear power plants - Instrumentation - -
and control for systems important
to safety - General requirements
for systems
ISO/IEC 9126 Series Software engineering - Product quality - -
1)
IAEA guide NS-G-1.2 - Safety assessment and verification -
for nuclear power plants
1)
IAEA guide NS-G-1.3 - Instrumentation and control systems - -
important to safety in nuclear power
plants
1)
Undated reference.
2)
Valid edition at date of issue.

NORME CEI
INTERNATIONALE
IEC
INTERNATIONAL
Deuxième édition
STANDARD
Second edition
2006-05
Centrales nucléaires de puissance–
Instrumentation et contrôle-commande
importants pour la sûreté –
Aspects logiciels des systèmes programmés
réalisant des fonctions de catégorie A

Nuclear power plants –
Instrumentation and control systems
important to safety –
Software aspects for computer-based
systems performing category A functions

 IEC 2006 Droits de reproduction réservés  Copyright - all rights reserved
Aucune partie de cette publication ne peut être reproduite ni No part of this publication may be reproduced or utilized in any
utilisée sous quelque forme que ce soit et par aucun procédé, form or by any means, electronic or mechanical, including
électronique ou mécanique, y compris la photocopie et les photocopying and microfilm, without permission in writing from
microfilms, sans l'accord écrit de l'éditeur. the publisher.
International Electrotechnical Commission, 3, rue de Varembé, PO Box 131, CH-1211 Geneva 20, Switzerland
Telephone: +41 22 919 02 11 Telefax: +41 22 919 03 00 E-mail: inmail@iec.ch Web: www.iec.ch
CODE PRIX
XE
PRICE CODE
Commission Electrotechnique Internationale
International Electrotechnical Commission
МеждународнаяЭлектротехническаяКомиссия
Pour prix, voir catalogue en vigueur
For price, see current catalogue

60880  IEC:2006 – 3 –
CONTENTS
FOREWORD.7
INTRODUCTION.11

1 Scope and object.17
2 Normative references .17
3 Terms and definitions .19
4 Symbols and abbreviations.29
5 General requirements for software projects .29
5.1 General .29
5.2 Software types .33
5.3 Software development approach .35
5.4 Software project management .39
5.5 Software quality assurance plan .39
5.6 Configuration management.41
5.7 Software security.43
6 Software requirements.47
6.1 Specification of software requirements .47
6.2 Self-supervision .49
6.3 Periodic testing .49
6.4 Documentation .51
7 Design and implementation .51
7.1 Principles for design and implementation .53
7.2 Language and associated translators and tools .57
7.3 Detailed recommendations .59
7.4 Documentation .63
8 Software Verification .63
8.1 Software verification process.63
8.2 Software verification activities .65
9 Software aspects of system integration.73
9.1 Software aspects of system integration plan.75
9.2 System integration .77
9.3 Integrated system verification.77
9.4 Fault resolution procedures .79
9.5 Software aspects of integrated system verification report .79
10 Software aspects of system validation .81
10.1 Software aspects of the system validation plan.81
10.2 System validation .81
10.3 Software aspects of the system validation report .83
10.4 Fault resolution procedures .83
11 Software modification .83
11.1 Modification request procedure .85
11.2 Procedure for executing a software modification.87
11.3 Software modification after delivery.89

60880  IEC:2006 – 5 –
12 Software aspects of installation and operation.91
12.1 On-site installation of the software .91
12.2 On-site software security.91
12.3 Adaptation of the software to on-site conditions.93
12.4 Operator training .93
13 Defences against common cause failure due to software.95
13.1 General .95
13.2 Design of software against CCF .97
13.3 Sources and effects of CCF due to software.97
13.4 Implementation of diversity.99
13.5 Balance of drawbacks and benefits connected with the use of diversity.99
14 Software tools for the development of software .99
14.1 Introduction .99
14.2 Selection of tools.101
14.3 Requirements for tools .103
15 Qualification of pre-developed software.113
15.1 General .113
15.2 General requirements.113
15.3 Evaluation and assessment process.115
15.4 Requirements for integration in the system and modification of PDS .131

Annex A (normative) Software safety life cycle and details of software requirements .133
Annex B (normative) Detailed requirements and recommendations for design and
implementation .137
Annex C (informative) Example of application oriented software engineering (software
development with application-oriented language).163
Annex D (informative) Language, translator, linkage editor .171
Annex E (informative) Software verification and testing.175
Annex F (informative) Typical list of software documentation .191
Annex G (informative) Considerations of CCF and diversity .193
Annex H (informative) Tools for production and checking of specification, design and
implementation .201
Annex I (informative) Requirements concerning pre-developed software (PDS) .207
Annex J (informative) Correspondence between IEC 61513 and this standard .211

60880  IEC:2006 – 7 –
INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
NUCLEAR POWER PLANTS –
INSTRUMENTATION AND CONTROL SYSTEMS IMPORTANT TO SAFETY –
SOFTWARE ASPECTS FOR COMPUTER-BASED SYSTEMS PERFORMING
CATEGORY A FUNCTIONS
FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, IEC publishes International Standards, Technical Specifications,
Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC
Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested
in the subject dealt with may participate in this preparatory work. International, governmental and non-
governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely
with the International Organization for Standardization (ISO) in accordance with conditions determined by
agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence
between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in
the latter.
5) IEC provides no marking procedure to indicate its approval and cannot be rendered responsible for any
equipment declared to be in conformity with an IEC Publication.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of
patent rights. IEC shall not be held responsible for identifying any or all such patent rights.
International Standard IEC 60880 has been prepared by subcommittee 45A: Instrumentation
and control of nuclear facilities, of IEC technical committee 45: Nuclear instrumentation.
This second edition cancels and replaces the first edition published in 1986 and IEC 60880-2
published in 2000. It constitutes a technical revision.
The revision of the standard is intended to accomplish the following:
• To take into account the fact that software engineering techniques advanced significantly
in the intervening years.
• To align the standard with the new revisions of IAEA documents NS-R-1 and NS-G-1.3.
This includes as far as possible adaptation of the definitions.

60880  IEC:2006 – 9 –
• To replace, as far as possible, requirements associated with standards published since
the first edition of IEC 60880, especially IEC 61513, IEC 61226 edition 2, IEC 62138 and
IEC 60987.
• To fully integrate IEC 60880-2 published in 2000 as chapters 13, 14, 15 and annexes G,
H, I.
• To review the existing requirements and to update the terminology and definitions.
The text of this standard is based on the following documents:
FDIS Report on voting
45A/613/FDIS 45A/621/RVD
Full information on the voting for the approval of this standard can be found in the report on
voting indicated in the above table.
This publication has been drafted in accordance with the ISO/IEC Directives, Part 2.
The committee has decided that the contents of this publication will remain unchanged until
the maintenance result date indicated on the IEC web site under "http://webstore.iec.ch" in
the data related to the specific publication. At this date, the publication will be
• reconfirmed,
• withdrawn,
• replaced by a revised edition, or
• amended.
60880  IEC:2006 – 11 –
INTRODUCTION
a) Technical background, main issues and organisation of the standard
Engineering of software based Instrumentation and Control (I&C) systems to be used for
nuclear safety purposes is a challenge due to the safety requirements to be fulfilled. The
safety software used in nuclear power plants (NPP) which are often required only in
emergency cases, have to be fully validated and qualified before being used in operation. In
order to achieve the high reliability required, special care has to be taken throughout the
entire life cycle, from the basic requirements, the various design phases and V&V procedures
for operation and maintenance. It is the main aim of this standard to address the related
safety aspects and to provide requirements for achieving the high software quality necessary.
The first edition of this standard was issued in 1986 to interpret the basic safety principles
applied so far in hardwired systems for the utilisation of digital systems — multiprocessor
distributed systems as well as larger scale central processor systems — in the safety systems
of nuclear power plants.
It has been used extensively within the nuclear industry to provide requirements and guidance
for software of NPP safety I&C systems.
Although many of the requirements within the first edition continued to be relevant, there were
significant factors which justified the development of this second edition:
– Since 1986, a number of new standards have been produced which address in detail the
general requirements for systems (IEC 61513), hardware requirements (IEC 60987) and a
standard to address software for I&C systems performing category B or C functions for
NPP systems important to safety (IEC 62138). The Safety Guide 50-SG-D3 of the IAEA
has been superseded by the guide NS-G-1.3. Additionally, IEC 60880-2 has been issued.
– Software engineering techniques have advanced significantly in the intervening years.
In this standard, utmost care has been taken to keep transparency with respect to the first
edition. Where possible, the phrasing of requirements has been kept, otherwise it has been
extended in a traceable way. In the same manner, IEC 60880-2 dealing with software aspects
of defence against common cause failures, use of software tools and pre-developed software
has been integrated, so that now this current standard covers entirely the software safety
issues to be addressed.
It is intended that the standard be used by systems developers, systems purchasers/users
(utilities), systems assessors and by licensors.
b) Situation of the current standard in the structure of the SC 45A standard series
IEC 60880 is directly referenced by IEC 61513 which deals with the system aspects of high
integrity computer-based I&C used in safety systems of nuclear power plants together.
IEC 60880 is the second level SC 45A document tackling the issue of software aspects for
I&C systems performing category A functions.

60880  IEC:2006 – 13 –
Software for categories B and C functions is dealt with in IEC 62138.
IEC 60880 and IEC 62138 together cover the domain of the software aspects of computer-
based systems used in nuclear power plants to perform functions important to safety.
This second edition of IEC 60880 is to be read in conjunction with IEC 60987 and IEC 61226,
the appropriate SC 45A standards on computer hardware and on classification.
For more details on the structure of the SC 45A standard series see item d) of this
introduction.
c) Recommendation and limitation regarding the application of this standard
It is important to note that this standard establishes no additional functional requirements for
safety systems.
Aspects for which special requirements and recommendations have been produced, are:
1) a general approach to software development to assure the production of the highly reliable
software required including hardware and software interdependencies;
2) a general approach to software verification and to the software aspects of the computer-
based system validation;
3) procedures for software modification and configuration control;
4) requirements for use of tools;
5) procedures for qualification of pre-developed software.
It is recognised that software technology is continuing to develop at a rapid pace and that it is
not possible for a standard such as this to include references to all modern design
technologies and techniques.
To ensure that the standard will continue to be relevant in future years the emphasis has been
placed on issues of principle, rather than specific software technologies.
If new techniques are developed then it should be possible to assess the suitability of such
techniques by applying the safety principles contained within this standard.
d) Description of the structure of the SC 45A standard series and relationships with
other IEC documents and other bodies documents (IAEA, ISO)
The top level document of the SC 45A standard series is IEC 61513. This standard deals with
requirements for NPP I&C systems important to safety and lays out the SC 45A standards
series.
IEC 61513 refers directly to other SC 45A standards for general topics related to
categorization of functions and classification of systems, qualification, separation of systems,
defence against common cause failure, software aspects of computer-based systems,
hardware aspects of computer-based systems, and control room design. The standards
referenced directly at this second level should be considered together with IEC 61513 as a
consistent document set.
60880  IEC:2006 – 15 –
At a third level, SC 45A standards not directly referenced by IEC 61513 are standards related
to specific equipment, technical methods or specific activities. Usually these documents,
which make reference to second level documents for general topics, can be used on their
own.
A fourth level extending the SC 45A standard series corresponds to the technical reports
which are not normative.
IEC 61513 has adopted a presentation format similar to the basic safety publication
IEC 61508 with an overall safety life-cycle framework and a system life-cycle framework and
provides an interpretation of the general requirements of IEC 61508 parts 1, 2 and 4, for the
nuclear application sector. Compliance with this standard will facilitate consistency with the
requirements of IEC 61508 as they have been interpreted for the nuclear industry. In this
framework, IEC 60880 and IEC 62138 correspond to IEC 61508, part 3 for the nuclear
application sector.
IEC 61513 refers to ISO standards as well as to IAEA 50-C-QA for topics related to quality
assurance.
The SC 45A standards series consistently implement and detail the principles and basic
safety aspects provided in the IAEA Code on the safety of nuclear power plants and in the
IAEA safety series, in particular the Requirements NS-R-1, “Safety of Nuclear Power Plants:
Design” and the Safety Guide NS-G-1.3, “Instrumentation and control systems important to
safety in Nuclear Power Plants”. The terminology and definitions used by SC 45A standards
are consistent with those used by the IAEA.

60880  IEC:2006 – 17 –
NUCLEAR POWER PLANTS –
INSTRUMENTATION AND CONTROL SYSTEMS IMPORTANT TO SAFETY –
SOFTWARE ASPECTS FOR COMPUTER-BASED SYSTEMS PERFORMING
CATEGORY A FUNCTIONS
1 Scope and object
This International Standard provides requirements for the software of computer-based I&C
systems of nuclear power plants performing functions of safety category A as defined by
IEC 61226.
According to the definition in IEC 61513, I&C systems of safety class 1 are basically intended
to support category A functions, but may also support functions of lower categories. However
the system requirements are always determined by the functions of the highest category
implemented.
For software of I&C system performing only category B and C functions in NPP as defined by
IEC 61226, requirements and guidance of IEC 62138 are applicable.
This standard provides requirements for the purpose of achieving highly reliable software. It
addresses each stage of software generation and documentation, including requirements
specification, design, implementation, verification, validation and operation.
The principles applied in developing these requirements include:
– best available practices;
– top-down design methods;
– modularity;
– verification of each phase;
– clear documentation;
– auditable documents;
– validation testing.
Additional guidance and information on how to comply with the requirements of the main part
of this standard is given in Annexes A to I.
2 Normative references
The following referenced documents are indispensable for the application of this document.
For dated references, only the edition cited applies. For undated references, the latest edition
of the referenced document (including any amendments) applies.
IEC 60671, Periodic tests and monitoring of the protection system of nuclear reactors

60880  IEC:2006 – 19 –
IEC 61069-2:1993, Industrial-process measurement and control – Evaluation of system
properties for the purpose of system assessment – Part 2: Assessment methodology
IEC 61226, Nuclear power plants – Instrumentation and control systems important for safety –
Classification of instrumentation and control functions
IEC 61508-4, Functional safety of electrical/electronic/programmable electronic safety-related
systems – Part 4: Definitions and abbreviations
IEC 61513, Nuclear power plants – Instrumentation and control for systems important to
safety – General requirements for systems
ISO/IEC 9126, Software engineering – Product quality
IAEA guide NS-G-1.2, Safety Assessment and Verification for Nuclear power Plant
IAEA guide NS-G-1.3, Instrumentation and Control Systems Important to Safety in Nuclear
Power Plants
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1
animation
process by which the behaviour defined by a specification is displayed with actual values
derived from the stated behaviour expressions and from some input values
3.2
application function
function of an I&C system that performs a task related to the process being controlled rather
than to the functioning of the system itself
[IEC 61513, 3.1]
3.3
application-oriented language
computer language specifically designed to address a certain type of application and to be
used by persons who are specialists of this type of application
[IEC 62138, 3.3]
NOTE 1 Equipment families usually feature application-oriented languages so as to provide easy to use capability
for adjusting the equipment to specific requirements.
NOTE 2 Application-oriented languages may be used to specify the functional requirements of an I&C system,
and/or to specify or design application software. They may be based on texts, on graphics, or on both.
NOTE 3 Examples: function block diagram languages, language defined by IEC 61131-3.
3.4
application software
part of the software of an I&C system that implements the application functions
[IEC 61513, 3.2]
60880  IEC:2006 – 21 –
3.5
automated code generation
function of automated tools allowing transformation of the application-oriented language into a
form suitable for compilation or execution
3.6
channel
arrangement of interconnected components within a system that initiates a single output. A
channel loses its identity where single output signals are combined with signals from other
channels, e.g., from a monitoring channel, or a safety actuation channel.
[IAEA NS-G-1.3, Glossary]
3.7
code compaction
purposeful reduction in memory size required for a program by the elimination of redundant or
extraneous instructions
3.8
common cause failure (CCF)
failure of two or more structures, systems or components due to a single specific event or
cause
[IAEA NS-G-1.3, Glossary]
3.9
computer
programmable functional unit that consists of one or more associated processing units and
peripheral equipment, that is controlled by internally stored programs and that can perform
substantial computation, including numerous arithmetic operations or logic operations, without
human intervention during a run
[ISO 2382/1]
NOTE A computer may be a standalone unit or may consist of several interconnected units.
3.10
computer program
set of ordered instructions and data that specify operations in a form suitable for execution by
a computer
3.11
computer-based system
I&C system whose functions are mostly dependent on, or completely performed by using
microprocessors, programmed electronic equipment or computers
[IEC 61513, 3.10]
NOTE Equivalent to: digital systems, software-based system, programmed system.
3.12
data
presentation of information or instructions in a manner suitable for communication,
interpretation, or processing by computers
[IEEE 610, modified]
NOTE Data which are required to define parameters and to instantiate application and service functions in the
system are called “application data”.

60880  IEC:2006 – 23 –
3.13
defence in depth
application of more than one protective measure for a given safety objective, such that the
objective is achieved even if one of the protective measures fails
[IAEA Safety Glossary]
3.14
diversity
existence of two or more different ways or means of achieving a specified objective. Diversity
is specifically provided as a defence against common cause failure. It may be achieved by
providing systems that are physically different from each other or by functional diversity,
where similar systems achieve the specified objective in different ways.
3.15
dynamic analysis
process of evaluating a system or component based on its behaviour during execution. In
contrast to static analysis
[IEEE 610]
3.16
failure
deviation of the delivered service from the intended one
[IEC 61513, 3.21, modified]
3.17
fault
defect in a hardware, software or system component
[IEC 61513, 3.22]
3.18
fault tolerance
built-in capability of a system to provide continued correct execution in the presence of a
limited number of hardware or software faults
3.19
functional diversity
application of the diversity at the functional level (for example, to have trip activation on both
pressure and temperature limit)
3.20
general-purpose language
computer language designed to address all types of usage
[IEC 62138, 3.17]
NOTE 1 The operational system software of equipment families is usually implemented using general-purpose
languages.
NOTE 2 Examples: Ada, C, Pascal.
3.21
human error
human action that produces an unintended result
3.22
initialise
to set counters, switches, addresses, or contents of storage devices to zero or other starting
values at the beginning of, or at prescribed points in, the operation of a computer program

60880  IEC:2006 – 25 –
3.23
integration tests
tests performed during the hardware/software integration process prior to computer-based
system validation to verify compatibility of the software and the computer hardware
3.24
library
collection of related software elements that are grouped together, but which are individually
selected for inclusion in the final software product
3.25
N-version software
set of different programs, known as versions, developed to meet a common requirement and
common acceptance test. Concurrent and independent execution of these versions takes
place, generally in redundant hardware. Identical inputs in test systems or corresponding
inputs in redundant systems are used. A predetermined strategy such as voting is used to
decide between conflicting outputs in different versions.
3.26
operational system software
software running on the target processor during operation, such as: input/output drivers and
services, interrupt management, scheduler, communication drivers, applications oriented
libraries, on-line diagnostic, redundancy and graceful degradation management
3.27
postulated initiating event
PIE
events that lead to anticipated operational occurrences or accident conditions and their
consequential failure effects
[IEC 61513, 3.41]
3.28
pre-developed software
PDS
software part that already exists, is available as a commercial or proprietary product, and is
being considered for use
[IEC 62138, 3.24, modified]
3.29
redundancy
provision of alternative (identical or diverse) structures, systems or components, so that any
one can perform the required function regardless of the state of operation or failure of any
other
[IAEA NS-G-1.3, Glossary]
3.30
role-based access control
access control based on rules, defining the permitted access of users to objects (functions,
data) on the basis of user groups with an identical role instead of individual users

60880  IEC:2006 – 27 –
3.31
safety function
specific purpose that must be accomplished for safety
[IAEA NS-R-1, Glossary]
3.32
safety system
system important to safety, provided to ensure the safety shutdown of the reactor or the
residual heat removal from the core, or to limit the consequences of anticipated operational
occurrences and design basis incidents
[IAEA NS-R-1, Glossary]
3.33
signal trajectory
time histories of all equipment conditions, internal states, input signals, and operator inputs
which determine the outputs of a system
3.34
software
programs (i.e. sets of ordered instructions), data, rules and any associated documentation
pertaining to the operation of a computer-based I&C system
[IEC 62138, 3.27]
3.35
software development
phase of the software lifecycle that leads to the creation of the software of an I&C system or
of a software product. It covers all the activities from software requirements specification to
validation and installation on site
[IEC 62138, 3.30]
3.36
software modification
change in an already agreed document (or documents) leading to an alteration of the
executable code
NOTE Software modifications may occur either during initial software development (e.g. to remove faults found in
later stages of development), or after the software is already in service.
3.37
software safety life cycle
necessary activities involved in the development and operation of the software of an I&C
system important to safety occurring during a period of time that starts at a concept phase
with the software requirements specification and finishes when the software is withdrawn from
use
[IEC 62138, 3.31]
3.38
software version
instance of a software product derived by modification or correction of a preceding software
product instance
[IEEE 610, modified]
60880  IEC:2006 – 29 –
3.39
specification
document that specifies, in a complete, precise, verifiable manner, the requirements, design
behaviour or other characteristics of a system or component and, often, the procedures for
determining whether these provisions have been satisfied
[IEEE 610]
NOTE There are different types of specifications, for example software requirements specification or design
specification.
3.40
static analysis
process of evaluating a system or component based on its form, structure, content or
documentation. In contrast to dynamic analysis
3.41
system software
part of the software of an I&C system designed for a specific computer or equipment family to
facilitate the development, operation and modification of these items and associated
programs
[IEC 62138, 3.33]
3.42
system validation
confirmation by examination and provision of other evidence that a system fulfils in its entirety
the requirement specification as intended (functionality, response time, fault tolerance,
robustness)
3.43
verification
confirmation by examination and by provision of objective evidence that the results of an
activity meet the objectives and requirements defined for this activity
[IEC 62138, 3.35]
4 Symbols and abbreviations
CASE Computer Aided Software Engineering
CCF Common Cause Failure (see 3.8)
I&C Instrumentation and Control
PDS Pre-Developed Software (see 3.28)
PIE Postulated Initiating Event (see 3.27)
QA Quality Assurance
V&V Verification and Validation
5 General requirements for software projects
5.1 General
The process of producing instrumentation and control systems for use in nuclear power plants
is set down in IEC 61513 that introduces the concept of the system safety lifecycle as a
vehicle by which the development process can be controlled and whose adoption should also
result in the evidence necessary to justify the operation of safety systems. The system safety
lifecycle described in IEC 61513 includes and places requirements on, but does not dictate,
the project arrangements to be used for production of systems (see Figure 1).

60880  IEC:2006 – 31 –
System requirements specification
Selection of pre-existing
Suitability analysis
equipment/equipment family
System specification
System detailed design and implementation
Development of new system
Application software Equipment (system software
software and hardware
development/generation and hardware) procurement
features
System integration
Functional validation
System validation
System installation
System modification
IEC  715/06
Figure 1 – Activities of the system safety lifecycle (as defined by IEC 61513)
For computer-based (i.e. digital) systems the system safety lifecycle is further developed to
introduce the concept of a software safety lifecycle (see Figure 2 for activities). This shows
the hardware and software development being undertaken in parallel from a common
specification but coming together at the integration and installation phases of the lifecycle.
The following processes support the phased development process of producing the software:
– software project management (5.4);
– software quality assurance and quality control
...