IEC 62138:2018

IEC 62138 ®
Edition 2.0 2018-07
INTERNATIONAL
STANDARD
NORME
INTERNATIONALE
Nuclear power plants – Instrumentation and control systems important to
safety – Software aspects for computer-based systems performing category
B or C functions
Centrales nucléaires de puissance – Systèmes d’instrumentation et de contrôle-
commande importants pour la sûreté – Aspects logiciels des systèmes
informatisés réalisant des fonctions de catégorie B ou C

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form
or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from
either IEC or IEC's member National Committee in the country of the requester. If you have any questions about IEC
copyright or have an enquiry about obtaining additional rights to this publication, please contact the address below or
your local IEC member National Committee for further information.

Droits de reproduction réservés. Sauf indication contraire, aucune partie de cette publication ne peut être reproduite
ni utilisée sous quelque forme que ce soit et par aucun procédé, électronique ou mécanique, y compris la photocopie
et les microfilms, sans l'accord écrit de l'IEC ou du Comité national de l'IEC du pays du demandeur. Si vous avez des
questions sur le copyright de l'IEC ou si vous désirez obtenir des droits supplémentaires sur cette publication, utilisez
les coordonnées ci-après ou contactez le Comité national de l'IEC de votre pays de résidence.

IEC Central Office Tel.: +41 22 919 02 11
3, rue de Varembé info@iec.ch
CH-1211 Geneva 20 www.iec.ch
Switzerland
About the IEC
The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes
International Standards for all electrical, electronic and related technologies.

About IEC publications
The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the
latest edition, a corrigenda or an amendment might have been published.

IEC Catalogue - webstore.iec.ch/catalogue Electropedia - www.electropedia.org
The stand-alone application for consulting the entire The world's leading online dictionary of electronic and
bibliographical information on IEC International Standards, electrical terms containing 21 000 terms and definitions in
Technical Specifications, Technical Reports and other English and French, with equivalent terms in 16 additional
documents. Available for PC, Mac OS, Android Tablets and languages. Also known as the International Electrotechnical
iPad. Vocabulary (IEV) online.

IEC publications search - webstore.iec.ch/advsearchform IEC Glossary - std.iec.ch/glossary
The advanced search enables to find IEC publications by a 67 000 electrotechnical terminology entries in English and
variety of criteria (reference number, text, technical French extracted from the Terms and Definitions clause of
committee,…). It also gives information on projects, replaced IEC publications issued since 2002. Some entries have been
and withdrawn publications. collected from earlier publications of IEC TC 37, 77, 86 and

CISPR.
IEC Just Published - webstore.iec.ch/justpublished

Stay up to date on all new IEC publications. Just Published IEC Customer Service Centre - webstore.iec.ch/csc
details all new publications released. Available online and If you wish to give us your feedback on this publication or
also once a month by email. need further assistance, please contact the Customer Service
Centre: sales@iec.ch.
A propos de l'IEC
La Commission Electrotechnique Internationale (IEC) est la première organisation mondiale qui élabore et publie des
Normes internationales pour tout ce qui a trait à l'électricité, à l'électronique et aux technologies apparentées.

A propos des publications IEC
Le contenu technique des publications IEC est constamment revu. Veuillez vous assurer que vous possédez l’édition la
plus récente, un corrigendum ou amendement peut avoir été publié.

Catalogue IEC - webstore.iec.ch/catalogue Electropedia - www.electropedia.org
Application autonome pour consulter tous les renseignements
Le premier dictionnaire en ligne de termes électroniques et
bibliographiques sur les Normes internationales,
électriques. Il contient 21 000 termes et définitions en anglais
Spécifications techniques, Rapports techniques et autres
et en français, ainsi que les termes équivalents dans 16
documents de l'IEC. Disponible pour PC, Mac OS, tablettes
langues additionnelles. Egalement appelé Vocabulaire
Android et iPad.
Electrotechnique International (IEV) en ligne.

Recherche de publications IEC -
Glossaire IEC - std.iec.ch/glossary
webstore.iec.ch/advsearchform
67 000 entrées terminologiques électrotechniques, en anglais
La recherche avancée permet de trouver des publications IEC et en français, extraites des articles Termes et Définitions des
en utilisant différents critères (numéro de référence, texte, publications IEC parues depuis 2002. Plus certaines entrées
comité d’études,…). Elle donne aussi des informations sur les antérieures extraites des publications des CE 37, 77, 86 et
projets et les publications remplacées ou retirées. CISPR de l'IEC.

IEC Just Published - webstore.iec.ch/justpublished Service Clients - webstore.iec.ch/csc
Restez informé sur les nouvelles publications IEC. Just Si vous désirez nous donner des commentaires sur cette
Published détaille les nouvelles publications parues. publication ou si vous avez des questions contactez-nous:
Disponible en ligne et aussi une fois par mois par email. sales@iec.ch.

IEC 62138 ®
Edition 2.0 2018-07
INTERNATIONAL
STANDARD
NORME
INTERNATIONALE
Nuclear power plants – Instrumentation and control systems important to

safety – Software aspects for computer-based systems performing category

B or C functions
Centrales nucléaires de puissance – Systèmes d’instrumentation et de contrôle-

commande importants pour la sûreté – Aspects logiciels des systèmes

informatisés réalisant des fonctions de catégorie B ou C

INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
COMMISSION
ELECTROTECHNIQUE
INTERNATIONALE
ICS 27.120.20 ISBN 978-2-8322-5830-9

– 2 – IEC 62138:2018 © IEC 2018
CONTENTS
FOREWORD . 4
INTRODUCTION . 6
1 Scope . 8
2 Normative references. 8
3 Terms and definitions . 9
4 Symbols and abbreviated terms . 17
5 Key concepts and assumptions . 17
5.1 General . 17
5.2 Types of software . 17
5.3 Types of configuration data . 18
5.4 Software and system safety lifecycles . 19
5.5 Gradation principles . 21
6 Requirements for the software of class 2 and class 3 I&C systems . 22
6.1 Applicability of the requirements . 22
6.2 General requirements . 22
6.2.1 Software safety lifecycle – Software quality assurance . 22
6.2.2 Verification . 23
6.2.3 Configuration management . 24
6.2.4 Selection and use of software tools . 25
6.2.5 Selection of languages . 26
6.3 Selection of pre-developed software . 27
6.3.1 General . 27
6.3.2 Documentation for safety. 27
6.3.3 Evidence of correctness . 28
6.3.4 Functional suitability . 35
6.3.5 Selection and use of digital devices of limited functionality . 35
6.4 Software requirements specification . 35
6.4.1 General . 35
6.4.2 Objectives . 35
6.4.3 Inputs . 36
6.4.4 Contents . 36
6.4.5 Properties . 37
6.5 Software design . 38
6.5.1 Objectives . 38
6.5.2 Inputs . 38
6.5.3 Contents . 39
6.5.4 Properties . 40
6.6 Implementation of software . 40
6.6.1 General requirements . 40
6.6.2 Configuration of software and of devices containing software . 40
6.6.3 Implementation with application-oriented languages . 41
6.6.4 Implementation with general-purpose languages . 41
6.7 Software aspects of system integration . 43
6.7.1 General . 43
6.8 Software aspects of system validation . 43
6.8.1 General . 43

6.9 Installation of software on site . 45
6.9.1 General . 45
6.10 Anomaly reports . 45
6.11 Software modification . 46
6.11.1 General . 46
6.12 Defences against common cause failure due to software . 47
Annex A (informative) Typical list of software documentation . 48
Annex B (informative) Correspondence between IEC 61513:2011 and this document . 49
Annex C (informative) Relations of this document with IEC 61508 . 50
C.1 General . 50
C.2 Comparison of scope and concepts . 50
C.3 Correspondence between this document and IEC 61508-3:2010 . 51
Bibliography . 52

Figure 1 – Typical software parts in a computer-based I&C system . 18
Figure 2 – Activities of the system safety lifecycle (as defined by IEC 61513:2011) . 19
Figure 3 – Software related activities in the system safety lifecycle . 20
Figure 4 – Development activities of the IEC 62138 software safety lifecycle . 21
Figure 5 – Overview of the typical qualification process for pre-developed complete
operational system software . 30
Figure 6 – Overview of the typical qualification process for pre-developed software

components . 31

Table A.1 – Typical list of software documentation . 48
Table B.1 – Correspondence between IEC 61513:2011 and this document . 49
Table C.1 – Correspondence between this document and IEC 61508-3:2010 . 51

– 4 – IEC 62138:2018 © IEC 2018
INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
NUCLEAR POWER PLANTS – INSTRUMENTATION
AND CONTROL SYSTEMS IMPORTANT TO SAFETY –
SOFTWARE ASPECTS FOR COMPUTER-BASED SYSTEMS
PERFORMING CATEGORY B OR C FUNCTIONS

FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, IEC publishes International Standards, Technical Specifications,
Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC
Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested
in the subject dealt with may participate in this preparatory work. International, governmental and non-
governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely
with the International Organization for Standardization (ISO) in accordance with conditions determined by
agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence
between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in
the latter.
5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity
assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any
services carried out by independent certification bodies.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of
patent rights. IEC shall not be held responsible for identifying any or all such patent rights.
International Standard IEC 62138 has been prepared by subcommittee 45A: Instrumentation,
control and electrical power systems of nuclear facilities, of IEC technical committee 45:
Nuclear instrumentation.
This second edition cancels and replaces the first edition published in 2004. This edition
constitutes a technical revision.
This edition includes the following significant technical changes with respect to the previous
edition:
a) align the standard with standards published or revised since the first edition, in particular
IEC 61513, IEC 60880, IEC 62645 and IEC 62671;
b) merge Clause 5 and Clause 6 of the first edition into a single clause in order to avoid the
repetition of the vast majority of the text which proves to be extremely difficult to maintain
in consistency;
c) revise clause on the selection of pre-developed software based on experiences from the
application of the first edition of the standard on industrial projects. More precise criteria
are proposed for the evidence of correctness of pre-developed software;
d) introduce requirements on traceability in consistency with IEC 61513;
e) introduce an Annex A that gives a typical list of software documentation;
f) introduce an Annex B that establishes relationship between IEC 61513 and this document;
g) introduce an Annex C that establishes relationship between IEC 61508 and this document.
The text of this standard is based on the following documents:
FDIS Report on voting
45A/1201/FDIS 45A/1209/RVD
Full information on the voting for the approval of this International Standard can be found in
the report on voting indicated in the above table.
This document has been drafted in accordance with the ISO/IEC Directives, Part 2.
In this document, the following print types are used:
• Requirements and recommendations applicable specifically to class 2 or to class 3
systems appear in italics in Clause 6.
The committee has decided that the contents of this document will remain unchanged until the
stability date indicated on the IEC website under "http://webstore.iec.ch" in the data related to
the specific document. At this date, the document will be
• reconfirmed,
• withdrawn,
• replaced by a revised edition, or
• amended.
– 6 – IEC 62138:2018 © IEC 2018
INTRODUCTION
a) Technical background, main issues and organisation of this document
This International Standard provides requirements on the software aspects for computer-
based instrumentation and control (I&C) systems performing category B or C functions as
defined by IEC 61226. It complements IEC 60880 which provides requirements for the
software of computer-based I&C systems performing category A functions.
It is consistent with, and complementary to, IEC 61513:2011. Activities that are mainly
system level activities (for example, integration, validation and installation) are not
addressed exhaustively by this document: requirements that are not specific to software
are deferred to IEC 61513:2011.
This document takes into account the current practices for the development of software for
I&C systems, in particular:
– the use of pre-developed software, equipment and equipment families that were not
necessarily designed to nuclear industry sector standards;
– the use of application-oriented languages.
b) Situation of the current document in the structure of the IEC SC 45A standard series
IEC 61513 is a first level IEC SC 45A document and gives guidance applicable to I&C at
system level.
IEC 62138 is a second level IEC SC 45A document that supplements IEC 61513
concerning software development of computer-based I&C systems performing category B
or C functions.
For more details on the structure of the IEC SC 45A standard series, see item d) of this
introduction.
c) Recommendations and limitations regarding the application of this document
This document is not intended to be used as a general-purpose software engineering
guide. It applies to the software of I&C systems performing category B or C functions for
new nuclear power plants as well as to I&C upgrading or back-fitting of existing plants.
For existing plants, only a subset of requirements is applicable and this subset has to be
identified at the beginning of any project.
The purpose of the guidance provided by this document is to reduce, as far as possible,
the potential for latent software faults to cause system failures, either due to single
software failures or multiple software failures (i.e. Common Cause Failures due to
software).
This document does not explicitly address how to protect software against those threats
arising from malicious attacks, i.e. cybersecurity, for computer-based systems. IEC 62645
provides requirements for security programmes for computer-based systems.
To ensure that this document will continue to be relevant in future years, the emphasis
has been placed on issues of principle, rather than specific technologies.
d) Description of the structure of the IEC SC 45A standard series and relationships
with other IEC documents and other bodies documents (IAEA, ISO)
The top-level documents of the IEC SC 45A standard series are IEC 61513 and
IEC 63046. IEC 61513 provides general requirements for I&C systems and equipment that
are used to perform functions important to safety in nuclear power plants (NPPs).
IEC 63046 provides general requirements for electrical power systems of NPPs; it covers
power supply systems including the supply systems of the I&C systems. IEC 61513 and
IEC 63046 are to be considered in conjunction and at the same level. IEC 61513 and
IEC 63046 structure the IEC SC 45A standard series and shape a complete framework
establishing general requirements for instrumentation, control and electrical systems for
nuclear power plants.
IEC 61513 and IEC 63046 refer directly to other IEC SC 45A standards for general topics
related to categorization of functions and classification of systems, qualification,
separation, defence against common cause failure, control room design, electromagnetic
compatibility, cybersecurity, software and hardware aspects for programmable digital

systems, coordination of safety and security requirements and management of ageing.
The standards referenced directly at this second level should be considered together with
IEC 61513 and IEC 63046 as a consistent document set.
At a third level, IEC SC 45A standards not directly referenced by IEC 61513 or by
IEC 63046 are standards related to specific equipment, technical methods, or specific
activities. Usually these documents, which make reference to second-level documents for
general topics, can be used on their own.
A fourth level extending the IEC SC 45A standard series, corresponds to the Technical
Reports which are not normative.
The IEC SC 45A standards series consistently implements and details the safety and
security principles and basic aspects provided in the relevant IAEA safety standards and
in the relevant documents of the IAEA nuclear security series (NSS). In particular this
includes the IAEA requirements SSR-2/1, establishing safety requirements related to the
design of nuclear power plants (NPPs), the IAEA safety guide SSG-30 dealing with the
safety classification of structures, systems and components in NPPs, the IAEA safety
guide SSG-39 dealing with the design of instrumentation and control systems for NPPs,
the IAEA safety guide SSG-34 dealing with the design of electrical power systems for
NPPs and the implementing guide NSS17 for computer security at nuclear facilities. The
safety and security terminology and definitions used by SC 45A standards are consistent
with those used by the IAEA.
IEC 61513 and IEC 63046 have adopted a presentation format similar to the basic safety
publication IEC 61508 with an overall life-cycle framework and a system life-cycle
framework. Regarding nuclear safety, IEC 61513 and IEC 63046 provide the interpretation
of the general requirements of IEC 61508-1, IEC 61508-2 and IEC 61508-4, for the
nuclear application sector. In this framework IEC 60880, IEC 62138 and IEC 62566
correspond to IEC 61508-3 for the nuclear application sector. IEC 61513 and IEC 63046
refer to ISO as well as to IAEA GS-R-3 and IAEA GS-G-3.1 and IAEA GS-G-3.5 for topics
related to quality assurance. At level 2, regarding nuclear security, IEC 62645 is the entry
document for the IEC SC 45A security standards. It builds upon the valid high level
principles and main concepts of the generic security standards, in particular ISO/IEC
27001 and ISO/IEC 27002; it adapts them and completes them to fit the nuclear context
and coordinates with the IEC 62443 series. At level 2, regarding control rooms, IEC 60964
is the entry document for the IEC SC 45A control rooms standards and IEC 62342 is the
entry document for the IEC SC 45A ageing management standards.
NOTE 1 It is assumed that for the design of I&C systems in NPPs that implement conventional safety functions
(e.g. to address worker safety, asset protection, chemical hazards, process energy hazards) international or
national standards would be applied.
NOTE 2 IEC SC 45A domain was extended in 2013 to cover electrical systems. In 2014 and 2015 discussions
were held in IEC SC 45A to decide how and where general requirement for the design of electrical systems were to
be considered. IEC SC 45A experts recommended that an independent standard be developed at the same level as
IEC 61513 to establish general requirements for electrical systems. Project IEC 63046 is now launched to cover
this objective. When IEC 63046 is published, this NOTE 2 of the introduction will be suppressed.

– 8 – IEC 62138:2018 © IEC 2018
NUCLEAR POWER PLANTS – INSTRUMENTATION
AND CONTROL SYSTEMS IMPORTANT TO SAFETY –
SOFTWARE ASPECTS FOR COMPUTER-BASED SYSTEMS
PERFORMING CATEGORY B OR C FUNCTIONS

1 Scope
This document specifies requirements for the software of computer-based instrumentation and
control (I&C) systems performing functions of safety category B or C as defined by
IEC 61226. It complements IEC 60880 which provides requirements for the software of
computer-based I&C systems performing functions of safety category A.
It is consistent with, and complementary to, IEC 61513. Activities that are mainly system level
activities (for example, integration, validation and installation) are not addressed exhaustively
by this document: requirements that are not specific to software are deferred to IEC 61513.
The link between functions categories and system classes is given in IEC 61513. Since a
given safety-classified I&C system may perform functions of different safety categories and
even non safety-classified functions, the requirements of this document are attached to the
safety class of the I&C system (class 2 or class 3).
This document is not intended to be used as a general-purpose software engineering guide. It
applies to the software of I&C systems of safety classes 2 or 3 for new nuclear power plants
as well as to I&C upgrading or back-fitting of existing plants.
For existing plants, only a subset of requirements is applicable and this subset has to be
identified at the beginning of any project.
The purpose of the guidance provided by this document is to reduce, as far as possible, the
potential for latent software faults to cause system failures, either due to single software
failures or multiple software failures (i.e. Common Cause Failures due to software).
This document does not explicitly address how to protect software against those threats
arising from malicious attacks, i.e. cybersecurity, for computer-based systems. IEC 62645
provides requirements for security programmes for computer-based systems.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their
content constitutes requirements of this document. For dated references, only the edition
cited applies. For undated references, the latest edition of the referenced document (including
any amendments) applies.
IEC 60880:2006, Nuclear power plants – Instrumentation and control systems important to
safety – Software aspects for computer-based systems performing category A functions
IEC 61226, Nuclear power plants – Instrumentation and control important to safety –
Classification of instrumentation and control functions
IEC 61513:2011, Nuclear power plants – Instrumentation and control important to safety –
General requirements for systems

IEC 62671:2013, Nuclear power plants – Instrumentation and control important to safety –
Selection and use of industrial digital devices of limited functionality
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminological databases for use in standardization at the following
addresses:
• IEC Electropedia: available at http://www.electropedia.org/
• ISO Online browsing platform: available at http://www.iso.org/obp
3.1
animation
process by which the behaviour defined by a specification is displayed with actual values
derived from the stated behaviour expressions and from some input values
[SOURCE: IEC 60880:2006, 3.1]
3.2
application function
function of an I&C system that performs a task related to the process being controlled rather
than to the functioning of the system itself
[SOURCE: IEC 61513:2011, 3.1]
3.3
application software
part of the software of an I&C system that implements the application functions
Note 1 to entry: Application software contrasts with system software.
Note 2 to entry: Application software is plant specific, so it is not to be considered pre-developed software.
[SOURCE: IEC 61513:2011, 3.2 modified (modified notes to entry)]
3.4
application-oriented language
computer language specifically designed to address a certain type of application and to be
used by persons who are specialists of this type of application
Note 1 to entry: Equipment families usually feature application-oriented languages so as to provide easy to use
capability for adjusting the equipment to specific requirements.
Note 2 to entry: Application-oriented languages may be used to specify the functional requirements of an I&C
system, and/or to specify or design application software. They may be based on texts, on graphics, or on both.
Note 3 to entry: Examples: function block diagram languages, languages defined by IEC 61131-3.
Note 4 to entry: See also general-purpose language.
[SOURCE: IEC 60880:2006, 3.3 modified (addition of note 4 to entry)]
3.5
common cause failure
CCF
failure of two or more structures, systems or components due to a single specific event or
cause
– 10 – IEC 62138:2018 © IEC 2018
Note 1 to entry: Common causes may be internal or external to an I&C system.
[SOURCE: IAEA Safety Glossary, 2016 edition]
3.6
complexity
degree to which a system or component has a design, implementation or behaviour that is
difficult to understand and verify
[SOURCE: IEC 61513:2011, 3.9]
3.7
computer program
set of ordered instructions and data that specify operations in a form suitable for execution by
a computer
Note 1 to entry: This includes traditional programs written in general-purpose languages. This also includes
programs written in application-oriented languages.
[SOURCE: IEC 60880:2006, 3.10, modified (addition of note 1 to entry)]
3.8
computer-based item
item that relies on software instructions running on microprocessors or microcontrollers
Note 1 to entry: In this term and its definition, the term item can be replaced by the terms: system or equipment or
device.
Note 2 to entry: A computer-based item is a kind of programmable digital item.
Note 3 to entry: This term is equivalent to software-based item.
3.9
configuration management
process of identifying and documenting the characteristics of a facility’s structures, systems
and components (including computer systems and software), and of ensuring that changes to
these characteristics are properly developed, assessed, approved, issued, implemented,
verified, recorded and incorporated into the facility documentation
[SOURCE: IAEA Safety Glossary, 2016 edition]
3.10
cybersecurity
set of activities and measures whose objective is to prevent, detect, and react to digital
attacks that have the intent to cause:
• disclosures that could be used to perform malicious acts which could lead to an accident,
an unsafe situation or plant performance degradation (confidentiality),
• malicious modifications of functions that may compromise the delivery or integrity of the
required service by I&C CB&HPD systems (including loss of control) which could lead to
an accident, an unsafe situation or plant performance degradation (integrity),
• malicious withholding or prevention of access to or communication of information, data or
resources (including loss of view) that could compromise the delivery of the required
service by I&C systems which could lead to an accident, an unsafe situation or plant
performance degradation (availability).
Note 1 to entry: This definition is tailored with respect to the IEC 62645 scope, focusing on the prevention of,
detection of and reaction to malicious acts by digital means on I&C CB&HPD systems. It is recognized that the
term “cybersecurity” has a broader meaning in other standards and guidance, often including non-malevolent
threats, human errors and protection against natural disasters, which are all out of the scope of IEC 62645.

[SOURCE: IEC 62645:2014, 3.6 modified (removal of note 2 to entry)]
3.11
dedicated functionality
property of devices that have been designed to accomplish only one clearly defined function
or only a very narrow range of functions, such as, for example, capture and signal the value of
a process parameter, or invert an alternating current power source to direct current. This
function (or narrow range of functions) is inherent in the device, and not the product of
programmability by the user
Note 1 to entry: Ancillary functions (e.g., self-supervision, self-calibration, data communication) may also be
implemented within the device, but they do not change the fundamental narrow scope of applicability of the device.
Note 2 to entry: “Dedicated” in the sense in which it is used in IEC 62671 refers to design for one specific function
that cannot be changed in the field.
[SOURCE: IEC 62671:2013, 3.7]
3.12
design specification
document or set of documents that describe the organisation and functioning of an item, and
that are used as a basis for the implementation and the integration of the item
3.13
documentation for safety
document or set of documents that specifies how a product can be safely used for
applications important to safety
Note 1 to entry: This definition is used in the context of pre-developed software (see 6.3).
3.14
dynamic analysis
process of evaluating a system or component based on its behaviour during execution. In
contrast to static analysis
[SOURCE: IEC 60880:2006, 3.15]
3.15
electrical/electronic/programmable electronic item
E/E/PE item
item based on electrical (E) and/or electronic (E) and/or programmable electronic (PE)
technology
Note 1 to entry: In this term and its definitions, the word “item” can be replaced by the words: system or
equipment or device.
[SOURCE: IEC 61508-4:2010, 3.2.13, modified ("item" added and note to entry modified)]
3.16
equipment family
set of hardware and software components that may work co-operatively in one or more
defined architectures (configurations). The development of plant specific configurations and of
the related application software may be supported by software tools. An equipment family
usually provides a number of standard functionalities (e.g. application functions library) that
may be combined to generate specific application software
Note 1 to entry: An equipment family may be a product of a defined manufacturer or a set of products
interconnected and adapted by a supplier.
Note 2 to entry: The term “equipment platform” is sometime used as a synonym of “equipment family”.

– 12 – IEC 62138:2018 © IEC 2018
[SOURCE: IEC 61513:2011, 3.17 modified (removal of note 1 to entry)]
3.17
error
discrepancy between a computed, observed or measured value or condition, and the true,
specified or theoretical value or condition
Note 1 to entry: See also human error, fault, failure.
[SOURCE: IEC 61513:2011, 3.18, modified (addition of note 1 to entry)]
3.18
executable code
software that is included in the target system
Note 1 to entry: Executable code usually includes instructions to be executed by the hardware of the target
system, and associated data.
3.19
failure
loss of the ability of a structure, system or component to function within acceptance criteria
Note 1 to entry: Equipment is considered to fail when it becomes incapable of functioning, whether or not it is
needed at that time. A failure in, for example, a backup system may not be manifest until the system is called upon
to function, either during testing or on failure of the system it is backing up.
Note 2 to entry: A failure is the result of a hardware fault, software fault, system fault, or operator or maintenance
error, and the associated signal trajectory which results in the failure.
Note 3 to entry: See also human error, fault, error.
[SOURCE: IAEA Safety Glossary, edition 2016]
3.20
fault
defect in a hardware, software or system component
Note 1 to entry: Faults may be originated from random failures, that result e.g. from hardware degradation due to
ageing, and may be systematic faults, e.g. software faults, which result from design errors.
Note 2 to entry: A fault (notably a design fault) may remain undetected in a system until specific conditions are
such that the result produced does not conform to the intended function, i.e. a failure occurs.
Note 3 to entry: See also human error, error, failure.
[SOURCE: IEC 61513:2011, 3.21, modified (note 3 to entry modified)]
3.21
firmware
software which is closely coupled to the hardware characteristics on which it is installed. The
presence of firmware is generally “transparent” to the user of the hardware component and,
as such, may be considered to be effectively an integral part of the hardware design (a good
example of such software being processor microcode). Generally, firmware may only be
modified by a user by replacing the hardware components (for example, processor chip, card,
EPROM) which contain this software with components which contain modified software
(firmware). Where this is the case, configuration control of the hardware components of the
equipment effectively provides configuration control of the firmware. Firmware, as considered
by IEC 60987, is effectively software that is built into the hardware
[SOURCE: IEC 60987:2007, 3.4]
3.22
functional validation
verification of the correctness of the application functions specifications against the top level
plant functional and performance requirements. It is complementary to the system validation
that verifies the compliance of the system with the functions specification
[SOURCE: IEC 61513:2011, 3.23]
3.23
general-purpose language
computer language designed to address all types of usage
Note 1 to entry: The system software of equipment families is usually implemented using general-purpose
languages.
Note 2 to entry: Examples: Ada, C, Pascal.
Note 3 to entry: See also application-oriented language.
[SOURCE: IEC 60880:2006, 3.20 modified (note 3 to entry added)]
3.24
human error (or mistake)
human action that produces an unintended result
Note 1 to entry: See also fault, error, failure.
[SOURCE: IEC 61513:2011, 3.26 modified (note 1 to entry added)]
3.25
I&C architecture
organisational structure of the I&C systems of a plant which are important to safety
[SOURCE: IEC 61513:2011, 3.27]
3.26
I&C system
system, based on E/E/PE items, performing plant I&C functions as well as service and
monitoring functions related to the operation of the system itself
Note 1 to entry: The term is used as a general term which encompasses all elements of the system such as
internal power supplies, sensors and other input devices, data highways and other communication paths, interfaces
to actuators and other output devices. The different functions within a system may use dedicated or shared
resources.
Note 2 to entry: The elements included in a specific I&C system are defined in the specification of the boundaries
of the system.
Note 3 to entry: See also the definition of E/E/PE item and the associated notes.
Note 4 to entry: According to their typical functionality, IAEA distinguishes between automation / control systems,
HMI systems, interlock systems and protection systems.
3.27
integration
progressive aggregation and verification of components into a complete system
3.28
library
collection of related software elements that are grouped together, but which are individually
selected for inclusion in the final software product

– 14 – IEC 62138:2018 © IEC 2018
[SOURCE: IEC 60880:2006, 3.24]
3.29
mode of operation
functional state of an item where it provides a s
...