EN 60987:2015

2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.Kernkraftwerke - Leittechnische Systeme mit sicherheitstechnischer Bedeutung - Anforderungen an die Hardware-Auslegung rechnerbasierter SystemeCentrales nucléaires de puissance - Instrumentation et contrôle-commande importants pour la sûreté - Exigences applicables à la conception du matériel des systèmes informatisésNuclear power plants - Instrumentation and control important to safety - Hardware design requirements for computer-based systems27.120.20Jedrske elektrarne. VarnostNuclear power plants. SafetyICS:Ta slovenski standard je istoveten z:EN 60987:2015SIST EN 60987:2015en01-september-2015SIST EN 60987:2015SLOVENSKI
STANDARDSIST EN 60987:20101DGRPHãþD

EUROPEAN STANDARD NORME EUROPÉENNE EUROPÄISCHE NORM
EN 60987
February 2015 ICS 27.120.20 Supersedes EN 60987:2009
English Version
Nuclear power plants - Instrumentation and control important to safety - Hardware design requirements for computer-based systems (IEC 60987:2007 + A1:2013)
Centrales nucléaires de puissance - Instrumentation et contrôle-commande importants pour la sûreté - Exigences applicables à la conception du matériel des systèmes informatisés (IEC 60987:2007 + A1:2013)
Kernkraftwerke - Leittechnische Systeme mit sicherheitstechnischer Bedeutung - Anforderungen an die Hardware-Auslegung rechnerbasierter Systeme (IEC 60987:2007 + A1:2013) This European Standard was approved by CENELEC on 2015-02-16. CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by translation under the responsibility of a CENELEC member into its own language and notified to the CEN-CENELEC Management Centre has the same status as the official versions. CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom. European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique Europäisches Komitee für Elektrotechnische Normung CEN-CENELEC Management Centre: Avenue Marnix 17,
B-1000 Brussels © 2015 CENELEC All rights of exploitation in any form and by any means reserved worldwide for CENELEC Members.
Ref. No. EN 60987:2015 E SIST EN 60987:2015

The following dates are fixed:
• latest date by which the document has to be implemented at national level by publication of an identical national standard or by endorsement (dop) 2016-02-16 • latest date by which the national standards conflicting with the document have to be withdrawn (dow) 2018-02-16
This document supersedes EN 60987:2009.
As stated in the nuclear safety directive 2009/71/EURATOM, Chapter 1, Article 2, item 2, Member States are not prevented from taking more stringent safety measures in the subject-matter covered by the Directive, in compliance with Community law. In a similar manner, this European standard does not prevent Member States from taking more stringent nuclear safety measures in the subject-matter covered by this standard.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CENELEC [and/or CEN] shall not be held responsible for identifying any or all such patent rights.
Endorsement notice The text of the International Standard IEC 60987:2007 + A1:2013 was approved by CENELEC as a European Standard without any modification.
In the official version, for Bibliography, the following note has to be added for the standard indicated:
IEC 61226 NOTE Harmonized as EN 61226. SIST EN 60987:2015

- 3 - EN 60987:2015 Annex ZA (normative)
Normative references to international publications with their corresponding European publications
The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
NOTE 1 When an International Publication has been modified by common modifications, indicated by (mod), the relevant EN/HD applies.
NOTE 2 Up-to-date information on the latest versions of the European Standards listed in this annex is available here: www.cenelec.eu
Publication Year Title EN/HD Year
IEC 60780 -
Nuclear power plants - Electrical equipment of the safety system - Qualification - -
IEC 60812 -
Analysis techniques for system reliability - Procedure for failure mode and effects analysis (FMEA) EN 60812 -
IEC 60880 -
Nuclear power plants - Instrumentation
and control systems important to safety - Software aspects for computer-based systems performing category A functions EN 60880 -
IEC 61000 Series
Electromagnetic compatibility (EMC) EN 61000 Series
IEC 61025 -
Fault Tree Analysis (FTA) EN 61025 -
IEC 61513 20011) Nuclear power plants - Instrumentation
and control for systems important to safety - General requirements for systems - -
IEC 62138 -
Nuclear power plants - Instrumentation
and control important for safety - Software aspects for computer-based systems performing category B or C functions EN 62138 -
IEC 62671 -
Nuclear power plants - Instrumentation
and control important to safety - Selection and use of industrial digital devices of limited functionality - -
ISO 2768-1 -
General tolerances -
Part 1: Tolerances for linear and angular dimensions without individual tolerance indications EN 22768-1 -
ISO 2768-2 -
General tolerances -
Part 2: Geometrical tolerances for features without individual tolerance indications EN 22768-2 -
1) Superseded by IEC 61513:2011. SIST EN 60987:2015

ISO 3951-1 -
Sampling procedures for inspection
by variables -
Part 1: Specification for single sampling plans indexed by acceptance quality limit (AQL) for lot-by-lot inspection for a single quality characteristic and a single AQL - -
ISO 3951-2 -
Sampling procedures for inspection
by variables -
Part 2: General specification for single sampling plans indexed by acceptance quality limit (AQL) for lot-by-lot inspection of independent quality characteristics - -
ISO 9001 -
Quality management systems - Requirements EN ISO 9001 -
IAEA guide
NS-G-1.3 -
Instrumentation and control systems important to safety in nuclear power
plants - -
IAEA 50-C/SG-Q 1996 Quality assurance for safety in nuclear power plants and other nuclear installations - -
IEC 60987 Edition 2.1 2013-02 INTERNATIONAL STANDARD NORME INTERNATIONALE Nuclear power plants – Instrumentation and control important to safety – Hardware design requirements for computer-based systems
Centrales nucléaires de puissance – Instrumentation et contrôle-commande importants pour la sûreté – Exigences applicables à la conception du matériel des systèmes informatisés
INTERNATIONAL ELECTROTECHNICAL COMMISSION COMMISSION ELECTROTECHNIQUE INTERNATIONALE ICS 27.120.20 ISBN 978-2-8322-0674-4
– 2 – 60987  IEC:2007+A1:2013 CONTENTS FOREWORD . 4 INTRODUCTION . 6
1 Scope . 8 1.1 General . 8 1.2 Use of this standard for pre-developed (for example, COTS)
hardware assessment. 8 1.3 Applicability of this standard to programmable logic devices development . 9 2 Normative references . 9 3 Terms and definitions . 10 4 Project structure . 12 4.1 General . 12 4.2 Project subdivision . 12 4.3 Quality assurance . 13 5 Hardware requirements . 13 5.1 General . 13 5.2 Functional and performance requirements . 14 5.3 Reliability/Availability requirements . 15 5.4 Environmental withstand requirements . 16 5.5 Documentation requirements . 17 6 Design and development . 17 6.1 General . 17 6.2 Design activities . 17 6.3 Reliability . 18 6.4 Maintenance . 19 6.5 Interfaces . 19 6.6 Modification . 19 6.7 Power failure . 19 6.8 Component selection . 19 6.9 Design documentation . 19 7 Verification and validation . 20 7.1 General . 20 7.2 Verification plan . 20 7.3 Independence of verification . 21 7.4 Methods . 21 7.5 Documentation . 22 7.6 Discrepancies. 22 7.7 Changes and modifications . 22 7.8 Installation verification . 22 7.9 Validation . 22 7.10 Verification of pre-existing equipment platforms . 22 8 Qualification . 23 9 Manufacturing . 23 9.1 Quality assurance . 23 9.2 Training of personnel. 24 SIST EN 60987:2015

60987  IEC:2007+A1:2013 – 3 – 9.3 Planning and organisation of the manufacturing activities. . 24 9.4 Input data . 25 9.5 Purchasing and procurement . 25 9.6 Production . 27 10 Installation and commissioning . 29 11 Maintenance . 30 11.1 Maintenance requirements . 30 11.2 Failure data . 31 11.3 Maintenance documentation . 32 12 Modification . 32 13 Operation . 32
Annex A (informative)
Overview of system life cycle . 33 Annex B (informative)
Outline of qualification . 34 Annex C (informative)
Example of maintenance procedure . 35
Bibliography . 36
– 4 – 60987  IEC:2007+A1:2013 INTERNATIONAL ELECTROTECHNICAL COMMISSION ____________
NUCLEAR POWER PLANTS –
INSTRUMENTATION AND CONTROL
IMPORTANT TO SAFETY – HARDWARE DESIGN REQUIREMENTS
FOR COMPUTER-BASED SYSTEMS
FOREWORD 1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising all national electrotechnical committees (IEC National Committees). The object of IEC is to promote international co-operation on all questions concerning standardization in the electrical and electronic fields. To this end and in addition to other activities, IEC publishes International Standards, Technical Specifications, Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested in the subject dealt with may participate in this preparatory work. International, governmental and non-governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely with the International Organization for Standardization (ISO) in accordance with conditions determined by agreement between the two organizations. 2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international consensus of opinion on the relevant subjects since each technical committee has representation from all interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any misinterpretation by any end user. 4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications transparently to the maximum extent possible in their national and regional publications. Any divergence between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in the latter. 5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any services carried out by independent certification bodies. 6) All users should ensure that they have the latest edition of this publication. 7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and members of its technical committees and IEC National Committees for any personal injury, property damage or other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is indispensable for the correct application of this publication. 9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of patent rights. IEC shall not be held responsible for identifying any or all such patent rights.
This consolidated version of IEC 60987 consists of the second edition (2007) [documents 45A/662/FDIS and 45A/666/RVD] and its amendment 1 (2013) [documents 45A/897/FDIS and 45A/906/RVD]. It bears the edition number 2.1. The technical content is therefore identical to the base edition and its amendment and has been prepared for user convenience. A vertical line in the margin shows where the base publication has been modified by amendment 1. Additions and deletions are displayed in red, with deletions being struck through. SIST EN 60987:2015

60987  IEC:2007+A1:2013 – 5 – International Standard IEC 60987 has been prepared by subcommittee 45A: Instrumentation and control of nuclear facilities, of IEC technical committee 45: Nuclear instrumentation. This edition includes the following significant technical changes with respect to the previous edition: • account has been taken of the fact that computer design engineering techniques have advanced significantly in the intervening years; • update of the format to align with the current IEC/ISO directives on the style of standards; • alignment of the standard with the new revisions of IAEA documents NS-R-1 and NS-G-1.3, which includes as far as possible an adaptation of the definitions; • replacement, as far as possible, of the requirements associated with standards published since the first edition, especially IEC 61513, IEC 60880, edition 2, and IEC 62138; • review of the existing requirements and
updating of the terminology and definitions. This publication has been drafted in accordance with the ISO/IEC Directives, Part 2. The committee has decided that the contents of the base publication and its amendments will remain unchanged until the stability date indicated on the IEC web site under "http://webstore.iec.ch" in the data related to the specific publication. At this date, the publication will be
• reconfirmed, • withdrawn, • replaced by a revised edition, or • amended.
IMPORTANT – The “colour inside” logo on the cover page of this publication indicates that it contains colours which are considered to be useful for the correct understanding of its contents. Users should therefore print this publication using a colour printer.
– 6 – 60987  IEC:2007+A1:2013 INTRODUCTION a) Technical background, main issues and organization of the standard The basic principles for the design of nuclear instrumentation, as specifically applied to the safety systems of nuclear power plants, were first interpreted in nuclear standards with reference to hardwired systems in IAEA Safety Guide 50-SG-D3 which has been superseded by IAEA Guide NS-G-1.3. IEC 60987 was first issued in 1989 to cover the hardware aspects of digital systems design for systems important to safety, i.e. safety systems and safety-related systems. Although many of the requirements within the original issue continue to be relevant, there were significant factors which justified the development of this revised edition of IEC 60987, in particular: – a new standard has been produced which addresses in detail the general requirements for nuclear systems important to safety (IEC 61513); – the use of pre-developed system platforms, rather than bespoke developments, has increased significantly. b) Situation of the current standard in the structure of the IEC SC 45A standard series The first-level IEC SC 45A standard for computer-based systems important to safety in nuclear power plants (NPPs) is IEC 61513. IEC 60987 is a second-level IEC SC 45A standard which addresses the generic issue of hardware design of computerized systems. IEC 60880 and IEC 62138 are second-level standards which together cover the software aspects of computer-based systems used to perform functions important to safety in NPPs. IEC 60880 and IEC 62138 make direct reference to IEC 60987 for hardware design.
The requirements of IEC 60780 for equipment qualification are referenced within IEC 60987. For modules to be used in the design of a specific system important to safety, relevant and auditable operating experience from nuclear or other applications as described in IEC 60780, in combination with the application of rigorous quality assurance programmes, may be an acceptable method of qualification. For more details on the structure of the SC 45A standard series, see item d) of this introduction. c) Recommendations and limitations regarding the application of the standard It is important to note that this standard establishes no additional functional requirements for Class 1 or Class 2 systems (see IEC 61513 for system classification requirements). Aspects for which special recommendations have been produced (so as to assure the production of
highly reliable systems), are: – a general approach to computing hardware development; – a general approach to hardware verification and to the hardware aspects of computer system validation. SIST EN 60987:2015

60987  IEC:2007+A1:2013 – 7 – It is recognized that computer technology is continuing to develop and that it is not possible for a standard such as this to include references to all modern design technologies and techniques. To ensure that the standard will continue to be relevant in future years the emphasis has been placed on issues of principle, rather than specific hardware design technologies. If new design techniques are developed then it should be possible to assess the suitability of such techniques by adapting and applying the design principles contained within this standard. The scope of this standard covers digital systems hardware for Class 1 and Class 2 systems. This includes multiprocessor distributed systems and single processor systems; it covers the assessment and use of pre-developed items, for example, commercial off-the-shelf items (COTS), and the development of new hardware. d) Description of the structure of the SC 45A standard series and relationships with other IEC, IAEA and ISO documents
The top-level document of the IEC SC 45A standard series is IEC 61513. It provides general requirements for I&C systems and equipment that are used to perform functions important to safety in NPPs. IEC 61513 structures the IEC SC 45A standard series.
IEC 61513 refers direct to other IEC SC 45A standards for general topics related to categorization of functions and classification of systems, qualification, separation of systems, defence against common-cause failure, software aspects of computer-based systems, hardware aspects of computer-based systems, and control room design. The standards referenced direct at this second level should be considered together with IEC 61513 as a consistent document set. At a third level, IEC SC 45A standards not referenced direct by IEC 61513 are standards related to specific equipment, technical methods, or specific activities. Usually these documents, which make reference to second-level documents for general topics, can be used on their own. A fourth level extending the IEC SC 45A standard series, corresponds to technical reports which are not normative documents. IEC 61513 has adopted a presentation format similar to the basic safety publication IEC 61508 with an overall safety life-cycle framework and a system life-cycle framework and provides an interpretation of the general requirements of IEC 61508-1, IEC 61508-2 and IEC 61508-4, for the nuclear application sector. Compliance with IEC 61513 will facilitate consistency with the requirements of IEC 61508 as they have been interpreted for the nuclear industry. In this framework, IEC 60880 and IEC 62138 correspond to IEC 61508-3 for the nuclear application sector. IEC 61513 refers to ISO 9001 as well as to IAEA 50-C-QA (now replaced by IAEA 50-C/SG-Q) for topics related to quality assurance (QA). The IEC SC 45A standards series consistently implements and details the principles and basic safety aspects provided in the IAEA Code on the safety of NPPs and in the IAEA safety series, in particular the requirements of NS-R-1, establishing safety requirements related to the design of NPPs, and Safety Guide NS-G-1.3 dealing with instrumentation and control systems important to safety in NPPs. The terminology and definitions used by SC 45A standards are consistent with those used by the IAEA. SIST EN 60987:2015

– 8 – 60987  IEC:2007+A1:2013 NUCLEAR POWER PLANTS –
INSTRUMENTATION AND CONTROL
IMPORTANT TO SAFETY – HARDWARE DESIGN REQUIREMENTS
FOR COMPUTER-BASED SYSTEMS
1 Scope 1.1 General This International Standard is applicable to NPP computer-system hardware for systems of Class 1 and 2 (as defined by IEC 61513). The structure of this standard has not changed significantly from the original 1989 issue; however, some issues are now covered by standards which have been issued in the interim (for example, IEC 61513 for system architecture design) and references to new standards have been provided where applicable. The text of the standard has also been modified to reflect developments in computer system hardware design, the use of pre-developed (for example, COTS) hardware and changes in terminology. Computer hardware facilities used for software loading and checking are not considered to form an intrinsic part of a system important to safety and, as such, are outside the scope of this standard. NOTE 1 Class 3 computer-system hardware is not addressed by this standard, and it is recommended that such systems should be developed to commercial grade standards.
NOTE 2 In 2006 the development of a new standard to address hardware requirements for “very complex” hardware was discussed within IEC SC 45A. If such a standard is developed then that standard would be used for the development of “very complex” hardware in preference to IEC 60987.
1.2 Use of this standard for pre-developed (for example, COTS) hardware assessment Although the primary aim of this standard is to address aspects of new hardware development, the processes defined within this standard may also be used to guide the assessment and use of pre-developed hardware, such as COTS hardware. Guidance has been provided in the text concerning the interpretation of the requirements of this standard when used for the assessment of such components. In particular, the quality assurance requirements of 4.3, concerning configuration control, apply. Pre-developed components may contain firmware (as defined in 3.8), and, where firmware software is deeply imbedded, and effectively “transparent” to the user, then IEC 60987 should be used to guide the assessment process for such components. An example of where this approach is considered appropriate is in the assessment of modern processors which contain a microcode. Such a code is generally an integral part of the “hardware”, and it is therefore appropriate for the processor (including the microcode) to be assessed as an integrated hardware component using this standard.
Software which is not firmware, as described above, should be developed or assessed according to the requirements of the relevant software standard (for example, IEC 60880 for Class 1 systems and IEC 62138 for Class 2 systems). SIST EN 60987:2015

60987  IEC:2007+A1:2013 – 9 – 1.3 Applicability of this standard to programmable logic devices development I&C components may include programmable logic devices that are given their specific application logic design by the designer of the I&C component, as opposed to the chip manufacturer. Examples of such devices include complex programmable logic devices (CPLD) and field programmable gate arrays (FPGA).
While the programmable nature of these devices gives the development processes used for these devices, some of the characteristics of a software development process and the design processes used for such devices, are very similar to those used to design logic circuits implemented with discrete gates and integrated circuit packages. Therefore, the design processes and design verification applied to programmable logic devices should comply with the relevant requirements of this standard (i.e. taking into account the particular features of the design processes of such devices). To the extent that software-based tools are used to support the design processes for programmable logic devices, those software tools should generally follow the guidance provided for software-based development tools in the appropriate software standard, i.e. IEC 60880 (Class 1 systems) or IEC 62138 (Class 2 systems). 2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. IEC 60780, Nuclear power plants – Electrical equipment of the safety system – Qualification
IEC 60812, Analysis techniques for system reliability – Procedures for failure mode and effects analysis (FMEA) IEC 60880, Nuclear power plants – Instrumentation and control systems important to safety – Software aspects for computer-based systems performing category A functions IEC 61000 (all parts), Electromagnetic compatibility (EMC) IEC 61025, Fault tree analysis (FTA) IEC 61513:2001, Nuclear power plants – Instrumentation and control for systems important to safety – General requirements for systems IEC 62138, Nuclear power plants – Instrumentation and control important for safety – Software aspects for computer-based systems performing category B or C functions IEC 62671, Nuclear power plants − Instrumentation and control important to safety – Selection and use of industrial digital devices of limited functionality ISO 2768-1, General tolerances − Part 1: Tolerances for linear and angular dimensions without individual tolerance indications ISO 2768-2, General tolerances − Part 2: Geometrical tolerances for features without individual tolerance indications ISO 3951-1, Sampling procedures for inspection by variables − Part 1: Specification for single sampling plans indexed by acceptance quality limit (AQL) for lot-by-lot inspection for a single quality characteristic and a single AQL SIST EN 60987:2015

– 10 – 60987  IEC:2007+A1:2013 ISO 3951-2, Sampling procedures for inspection by variables − Part 2: General specification for single sampling plans indexed by acceptance quality limit (AQL) for lot-by-lot inspection of independent quality characteristics ISO 9001, Quality management systems – Requirements IAEA NS-G 1.3, Instrumentation and control systems important to safety in nuclear power plants
IAEA 50-C/SG-Q:1996, Quality assurance for safety in nuclear power plants and other nuclear installations
3 Terms and definitions For the purposes of this document, the terms and definitions given in IEC 61513, as well as the following, apply. 3.1
ATE automated test equipment 3.2
COTS commercial off the shelf; COTS is a subset of pre-developed products
3.3
diversity existence of two or more different ways or means of achieving a specified objective. Diversity is specifically provided as a defence against common cause failure. It may be achieved by providing systems that are physically different from each other or by functional diversity, where similar systems achieve the specified objective in different ways
[IEC 60880:2006, definition 3.14] NOTE This definition is wider than that used by the IAEA NS-G-1.3 which is as follows: “The presence of two or more systems or components to carry out an identified function, where the different systems or components have different attributes so as to reduce the possibility of common mode failure”. [IEC 61226:2005, definition 3.5] 3.4
firmware software which is closely coupled to the hardware characteristics on which it is installed. The presence of firmware is generally “transparent” to the user of the hardware component and, as such, may be considered to be effectively an integral part of the hardware design (a good example of such software being processor microcode). Generally, firmware may only be modified by a user by replacing the hardware components (for example, processor chip, card, EPROM) which contain this software with components which contain modified software (firmware). Where this is the case, configuration control of the hardware components by the users of the equipment effectively provides configuration control of the firmware. Firmware, as considered by this standard, is effectively software that is built in to the hardware 3.5
FMEA failure modes and effects analysis 3.6
FTA fault tree analysis SIST EN 60987:2015

60987  IEC:2007+A1:2013 – 11 – 3.7
NPP nuclear power plant 3.8
pre-developed item which already exists, is available as a commercial or proprietary product, and is being considered for use in a computer-based system NOTE This definition is consistent with the definition of pre-developed software provided by IEC 61513:2001. 3.9
qualified life
period for which a structure, system or component has been demonstrated, through testing, analysis or experience, to be capable of functioning within acceptance criteria during specific operating conditions while retaining the ability to perform its safety functions in a design basis accident or earthquake
[IAEA Safety Glossary:2006] 3.10
revealed hardware failure a hardware failure which is detected automatically and reported, for example, a board failure where a watchdog circuit automatically detects the failure and raises an alarm 3.11
safety-related system system important to safety that is not part of a safety system [IAEA Safety Glossary:2006] 3.12
safety system system important to safety, provided to ensure the safe shutdown of the reactor or the residual heat removal from the core, or to limit the consequences of anticipated operational occurrences and design basis accidents [IAEA Safety Glossary:2006] 3.13
single failure failure which results in the loss of capability of a system or component to perform its intended safety function(s), and any consequential failure(s) which result from it [IAEA Safety Glossary:2006] 3.14
single failure criterion (SFC) criterion
(or requirement) applied to a system such that it is capable of performing its safety task in the presence of any single failure [IAEA Safety Glossary:2006] 3.15
systems important to safety system that is part of a safety group and/or whose malfunction or failure could lead to radiation exposure of the site personnel or members of the public [IAEA Safety Glossary:2006] SIST EN 60987:2015

– 12 – 60987  IEC:2007+A1:2013 3.16
system validation confirmation by examination and provision of other evidence that a system fulfils in its entirety the requirement specification as intended (functionality, response time, fault tolerance, robustness)
[IEC 60880:2006, definition 3.42] 3.17
unrevealed hardware failure hardware failure which is not detected by a system automatically and which only becomes apparent when an attempt is made to use a function which depends upon the failed hardware. Such failures may be discovered by functional testing or when an operational demand is placed upon the system 3.18
verification confirmation by examination and by provision of objective evidence that the results of an activity meet the objectives and requirements defined for this activity (ISO 12207) [IEC 62138:2004, definition 3.35] 4 Project structure
4.1 General A project established to produce a computer-based system important to safety should be divided up into a number of phases. Each phase should be to some extent self-contained but will depend on other phases for input and will, in turn, provide outputs for other phases. The various project phases together are considered to form the overall safety life cycle (see IEC 61513, Clause 5, which provides requirements for system life cycles). IEC 61513 allows project phases to be performed in parallel providing the integrity of the development process is not compromised. A quality assurance plan shall be applied to the hardware production process. 4.2 Project subdivision The following general requirements define the hardware development life-cycle requirements for computer-based systems within the scope of this standard. a) The hardware development life cycle shall be compatible with the whole system life cycle (Annex A). b) Each sub-phase of the hardware development life cycle shall consist of well-defined and documented activities. c) Pre-existing hardware products (for example, COTS) to be included in the design shall be checked, verified and tested as appropriate before use. d) Adequate means (i.e. spare parts, devices for test and maintenance, etc.) and accommodation (i.e. laboratories, workshops, space, etc.) shall be provided to carry out the tasks associated with each development phase. e) Each development phase shall include the production of appropriate documentation. f) Each development phase shall be concluded by performing verification (see Clause 7). g) Every verification activity shall result in auditable records documenting the conclusions reached and any design changes resulting from the verification performed. h) All work activities shall be scheduled to ensure that adequate time is allowed for the following: SIST EN 60987:2015

60987  IEC:2007+A1:2013 – 13 – 1) the resolution of any interactions between the hardware and software development phases required to ensure system hardware/software compatibility; 2) the production of documentation, and the performance of testing, verification and quality assurance activities. 4.3 Quality assurance The design and development process shall meet the relevant requirements of IAEA 50-C/SG-Q (compliance with ISO 9001 is one acceptable method of meeting these requirements). A hardware quality assurance plan shall exist either as a separate document (or documents) or as part of an overall quality assurance plan. The plan shall address the use of pre-existing hardware and the development of hardware as required. All hardware quality-related activities to be performed by the plant operator, owner, contractors and subcontractors as part of the hardware development process should be included in the quality assurance plan. 4.3.1 The plan should address the following phases, as they are applicable to any particular system or development: a) design and development; b) procurement; c) manufacturing; d) construction and commissioning; e) operation and maintenance. 4.3.2 It is not a requirement that all the phases listed above be addressed before the design process begins, but, before each phase is initiated, a plan addressing the requirements of that phase shall be in place. 4.3.3 The quality assurance plan(s) should describe the organization, management and execution of quality related activities, including, as relevant: a) documentation configuration control; b) the design process; c) the procurement process for goods and services; d) configuration control of build instructions, build procedures and drawings;
e) configuration control of materials and items to be used to build the system hardware; f) quality control activities, such as formal inspections; g) control of test equipment; h) control of hardware handling/storage/shipping; i) the testing process; j) monitoring of nonconformances raised and the implementation of corrective actions; k) the procedure for storing quality assurance records; l) the procedure for internal audits. 5 Hardware requirements 5.1 General 5.1.1 The hardware requirements shall be consistent with the requirements of the system and form part of the computer-system specification (see IEC 61513:2001, Clause 6). The computer-system specification is a description of the combined hardware/software system and states the design objectives for the system and the functions to be performed by the computer system (systems may be developed for a particular application or may be developed SIST EN 60987:2015

– 14 – 60987  IEC:2007+A1:2013 generically, i.e. platform development, in which case development is based upon derived generic system requirements). 5.1.2 The hardware requirements shall be specified in the system hardware requirements specification, or in some other suitable document. 5.1.3 Hardware requirements shall be presented according to a technique or method whose format shall not preclude readability, i.e. the hardware requirements should not be difficult to understand. 5.1.4 Functional hardware requirements shall be unambiguous, testable and/or verifiable and achievable.
5.1.5 The hardware requirements specification should give an overview of hardware requirements, identify the hardware functions important to nuclear safety (however, if these are provided in combination with the system software they should be defined in the system requirements specification), identify the hardware design requirements, state hardware reliability requirements, and state the hardware environmental withstand requirements.
5.1.6 The hardware requirements for computer systems may include requirements which are applicable to hardware in general as well as requirements which are particular to computer system hardware (for example; cabling, surface preparation of enclosures). 5.1.7 The hardware functional requirements should generally describe what has to be done and not how it has to be done. However, the use of pre-existing components/platforms may result in a degree of bottom-up hardware design. Before such pre-existing components are selected for use, an assessment shall be performed to confirm that the hardware performance characteristics (for example; failure modes) are consistent with system requirements. If any anomalies are found then these shall be reconciled, either by modifying the hardware design or the system design (while ensuring that system nuclear safety requirements are not compromised). 5.2 Functional and performance requirements 5.2.1 The hardware functional and performance requirements
...