Nuclear power plants - Instrumentation and control systems important to safety - Hazard analysis: A review of current approaches

IEC TR 63192:2019 provides the comparison of the hazard analysis requirements between IAEA framework and NRC-IEEE framework of standards and guidance. The hazard analysis requirements in the different standards were compared with a set of comparison criteria, including the safety principle, the safety process, the definitions, the hazard analysis process, etc. This document includes the comparison results of the HA requirements of the safety control systems of other safety industries in Annex C.
For a nuclear power plant, the design safety and operation safety shall be analyzed, for example, to meet the IAEA Safety Requirements for Design (SSR-2/1) and Operation (SSR‑2/2). The scope of this document is to survey the state of the art in the hazard analysis for the design of I&C system of NPPs.

General Information

Status
Published
Publication Date
28-Jan-2019
Current Stage
PPUB - Publication issued
Start Date
29-Jan-2019
Completion Date
14-Jan-2019
Ref Project
Technical report
IEC TR 63192:2019 - Nuclear power plants - Instrumentation and control systems important to safety - Hazard analysis: A review of current approaches
English language
53 pages

Standards Content (Sample)


IEC TR 63192 ®
Edition 1.0 2019-01
TECHNICAL REPORT
Nuclear power plants – Instrumentation and control systems important to safety – Hazard analysis: a review of current approaches
ICS 27.160 ISBN 978-2-8322-6408-9

– 2 – IEC TR 63192:2019 © IEC 2019
CONTENTS
FOREWORD . 4
INTRODUCTION . 6
1 Scope . 8
2 Normative references . 9
3 Terms and definitions . 10
4 Terminologies in IAEA-IEC and NRC-IEEE . 12
5 Abbreviated terms and acronyms . 14
6 General . 14
6.1 Hazard analysis of digital instrumentation and control systems . 14
6.2 Purpose of hazard analysis . 15
7 Comparison of hazard analysis requirements and guidance for nuclear industry . 16
7.1 General . 16
7.2 IAEA Safety Requirements SSR-2/1: Design Safety of NPP . 17
7.3 IAEA Safety Requirements SSR-2/2: Operation Safety of NPP . 18
7.4 IAEA SSG-39 recommendations for I&C system Hazard Analysis. 19
7.5 IEEE 603 requirements for I&C system Hazard Analysis . 20
7.6 IEEE 7-4.3.2-2010 requirements for computer based I&C system Hazard Analysis . 21
7.7 IEEE 1228-1994 requirements for I&C software Hazard Analysis . 22
7.8 IEEE 1012-2012 requirements for system Hazard Analysis . 23
7.9 HA Guidance of US NRC . 24
8 MDEP common position on hazard identification and controls for digital I&C systems . 27
8.1 General . 27
8.2 Hazard identification [59] . 27
8.3 Hazard control [59] . 28
9 Further works for hazard analysis of I&C for NPPs . 28
9.1 The harmonized HA for I&C system of systems (SoS), software, hardware, and human . 28
9.2 The harmonized HA with the security, and reliability of I&C systems . 29
10 Conclusion . 30
Annex A (informative) Survey of practical techniques for Hazard Analysis . 31
A.1 General . 31
A.2 Practical techniques for Hazard Analysis . 31
A.3 Use of the techniques for performing the HA for I&C systems . 32
Annex B (informative) Comparison of Hazard Analysis guidance and requirements of safety industries . 33
B.1 [Safety industry general] IEC 61508 requirements for system hazard analysis . 33
B.2 [Aerospace industry] DO-178C . 34
B.3 [Air Force System Safety handbook], 2000[63] . 36
B.4 [Military Industry] MIL-STD-882E (System Safety) . 38
B.5 [Car Safety] ISO 26262 (Auto) . 39
B.6 [Railway Industry] IEC 62278(RAMS) . 42
B.7 [Medical Industry] IEC 60601-1 (Medical electrical equipment – Part 1: General requirements for basic safety and essential performance)[64] . 44
Annex C (informative) Comparison criteria of Hazard Analysis requirements . 47

C.1 Safety principles (safety model, safety culture) . 47
C.2 Safety processes . 47
C.3 Definition of HA . 47
C.4 Purpose of HA . 47
C.5 Method of HA . 47
C.6 HA process . 47
C.7 Independence of HA (HA organization) . 47
C.8 Harmonized HA of SoS . 48
C.9 Relationship with other requirements (security, reliability) . 48
Bibliography . 50

Figure 1 – I&C Layer and Defence-in-Depth Level . 9
Figure 2 – Internal or external hazards . 15
Figure 3 – IAEA-IEC framework of I&C standards . 16
Figure 4 – NRC-IEEE framework of I&C standards . 17
Figure 5 – Harmonization of HA requirements for I&C system of systems . 29
Figure 6 – Overall safety assessment . 30

Table 1 – Definitions of IAEA and IEEE nuclear standards . 13
Table 2 – Hazard Analysis in IAEA Safety Requirements SSR-2/1 . 18
Table 3 – HA requirements in IAEA SSG-39. 19
Table 4 – HA requirements in IEEE Standard 603-2009 . 20
Table 5 – HA requirements in IEEE7-4.3.2-2010 . 21
Table 6 – HA requirements in IEEE 1228-1994 . 23
Table 7 – HA requirements in IEEE 1012-2012 . 24
Table 8 – DSRS APPENDIX A. Hazard Analysis . 25
Table 9 – Research Information Letter of HA review (US NRC RIL 1101) . 26
Table B.1 – HA requirements in the functional safety standard IEC 61508 . 33
Table B.2 – HA requirements in the aerospace safety standards ARP 4761, DO-178C. 35
Table B.3 – HA requirements in Air Force System Safety handbook . 36
Table B.4 – HA requirements in the military safety standard MIL 882 E . 38
Table B.5 – HA requirements in the car safety standard ISO 26262 . 40
Table B.6 – HA requirements in the railway safety standard IEC 62278 . 43
Table B.7 – HA requirements in the medical safety standard . 45
Table C.1 – Comparison criteria . 48

INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
NUCLEAR POWER PLANTS –
INSTRUMENTATION AND CONTROL SYSTEMS IMPORTANT TO SAFETY –
HAZARD ANALYSIS: A REVIEW OF CURRENT APPROACHES

FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, IEC publishes International Standards, Technical Specifications,
Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC
Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested
in the subject dealt with may participate in this preparatory work. International, governmental and non-
governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely
with the International Organization for Standardization (ISO) in accordance with conditions determined by
agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as closely as possible, an
international consensus of opinion on the relevant subjects since each technical committee has representation
from all interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence
between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in
the latter.
5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity
assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any
services carried out by independent certification bodies.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall be attached to IEC or its directors, employees, servants or agents including individual experts
and members of its technical committees and IEC National Committees for any personal injury, property
damage or other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees)
and expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of
patent rights. IEC shall not be held responsible for identifying any or all such patent rights.
The main task of IEC technical committees is to prepare International Standards. However, a
technical committee may propose the publication of a Technical Report when it has collected
data of a different kind from that which is normally published as an International Standard, for
example "state of the art".
IEC TR 63192, which is a technical report, has been prepared by subcommittee 45A:
Instrumentation, control and electrical power systems of nuclear facilities, of IEC technical
committee 45: Nuclear instrumentation.
The text of this Technical Report is based on the following documents:
Draft TR: 45A/1197/DTR
Report on voting: 45A/1231/RVDTR
Full information on the voting for the approval of this Technical Report can be found in the
report on voting indicated above.

This document has been drafted in accordance with the ISO/IEC Directives, Part 2.
The committee has decided that the contents of this document will remain unchanged until the
stability date indicated on the IEC website under "http://webstore.iec.ch" in the data related to
the specific document. At this date, the document will be
• reconfirmed,
• withdrawn,
• replaced by a revised edition, or
• amended.
A bilingual version of this publication may be issued at a later date.

INTRODUCTION
a) Technical background, main issues and organisation of the document
The purpose of the TR is to identify the worldwide situation of HA requirements for digital I&C.
It is not the purpose of this technical report to reconcile the hazards analysis techniques and
to harmonise the use of hazards analysis terminology between the many different approaches
used by standards bodies (e.g. between the IEEE and IAEA), but rather to document the
different approaches. The information provided can then be used to further the development
of a consistent approach to hazards analysis within the IEC.
It is intended that this document be used by operators of NPPs (utilities), systems evaluators
and by licensors.
b) Situation of the current document in the structure of the IEC SC 45A standard
series
IEC 63192 as a Technical Report is a fourth level IEC/SC 45A document.
For more details on the structure of the IEC SC 45A standard series, see item d) of this
introduction.
c) Recommendations and limitations regarding the application of the document
It is important to note that a technical report is entirely informative in nature. It gathers data
collected from different origins and it establishes no requirements.
d) Description of the structure of the IEC SC 45A standard series and relationships
with other IEC documents and other bodies documents (IAEA, ISO)
The top-level documents of the IEC SC 45A standard series are IEC 61513 and IEC 63046.
IEC 61513 provides general requirements for I&C systems and equipment that are used to
perform functions important to safety in NPPs. IEC 63046 provides general requirements for
electrical power systems of NPPs; it covers power supply systems including the supply
systems of the I&C systems. IEC 61513 and IEC 63046 are to be considered in conjunction
and at the same level. IEC 61513 and IEC 63046 structure the IEC SC 45A standard series
and shape a complete framework establishing general requirements for instrumentation,
control and electrical systems for nuclear power plants.
IEC 61513 and IEC 63046 refer directly to other IEC SC 45A standards for general topics
related to categorization of functions and classification of systems, qualification, separation,
defence against common cause failure, control room design, electromagnetic compatibility,
security, software and hardware aspects for programmable digital systems, coordination of
safety and security requirements and management of ageing. The standards referenced
directly at this second level should be considered together with IEC 61513 and IEC 63046 as
a consistent document set.
At a third level, IEC SC 45A standards not directly referenced by IEC 61513 or by IEC 63046
are standards related to specific equipment, technical methods, or specific activities. Usually
these documents, which make reference to second-level documents for general topics, can be
used on their own. IEC 63096 refers in detail to a distinct version of ISO/IEC 27002. A later
modification of ISO/IEC 27002 must not automatically influence the modifications, detailing
and completions given by IEC 63096 without analysing the consequences from the nuclear
I&C perspective.
A fourth level, extending the IEC SC 45A standard series, corresponds to the Technical Reports,
which are not normative.
The IEC SC 45A standards series consistently implements and details the safety and security
principles and basic aspects provided in the relevant IAEA safety standards and in the
relevant documents of the IAEA nuclear security series (NSS). In particular this includes the
IAEA requirements SSR-2/1, establishing safety requirements related to the design of nuclear
power plants (NPPs), the IAEA safety guide SSG-30 dealing with the safety classification of
structures, systems and components in NPPs, the IAEA safety guide SSG-39 dealing with the
design of instrumentation and control systems for NPPs, the IAEA safety guide SSG-34
dealing with the design of electrical power systems for NPPs and the implementing guide
NSS17 for computer security at nuclear facilities. The safety and security terminology and
definitions used by SC 45A standards are consistent with those used by the IAEA.
IEC 61513 and IEC 63046 have adopted a presentation format similar to the basic safety
publication IEC 61508 with an overall life-cycle framework and a system life-cycle framework.
Regarding nuclear safety, IEC 61513 and IEC 63046 provide the interpretation of the general
requirements of IEC 61508-1, IEC 61508-2 and IEC 61508-4, for the nuclear application
sector. In this framework IEC 60880, IEC 62138 and IEC 62566 correspond to IEC 61508-3
for the nuclear application sector. IEC 61513 and IEC 63046 refer to ISO as well as to IAEA
GS-R part 2 and IAEA GS-G-3.1 and IAEA GS-G-3.5 for topics related to quality assurance
(QA). At level 2, regarding nuclear security, IEC 62645 is the entry document for the
IEC/SC 45A security standards. It builds upon the valid high level principles and main
concepts of the generic security standards, in particular ISO/IEC 27001 and ISO/IEC 27002; it
adapts them and completes them to fit the nuclear context and coordinates with the
IEC 62443 series. At level 2, IEC 60964 is the entry document for the IEC/SC 45A control
room standards and IEC 62342 is the entry document for the ageing management standards.
NOTE 1 It is assumed that for the design of I&C systems in NPPs that implement conventional safety functions
(e.g. to address worker safety, asset protection, chemical hazards, process energy hazards) international or
national standards would be applied.
NOTE 2 IEC/SC 45A domain was extended in 2013 to cover electrical systems. In 2014 and 2015 discussions
were held in IEC/SC 45A to decide how and where general requirements for the design of electrical systems were
to be considered. IEC/SC 45A experts recommended that an independent standard be developed at the same level
as IEC 61513 to establish general requirements for electrical systems. Project IEC 63046 is now launched to cover
this objective. When IEC 63046 is published this NOTE 2 of the introduction of IEC/SC 45A standards will be
suppressed.
NUCLEAR POWER PLANTS –
INSTRUMENTATION AND CONTROL SYSTEMS IMPORTANT TO SAFETY –
HAZARD ANALYSIS: A REVIEW OF CURRENT APPROACHES

1 Scope
This document provides the comparison of the hazard analysis requirements between IAEA
framework and NRC-IEEE framework of standards and guidance. The hazard analysis
requirements in the different standards were compared with a set of comparison criteria,
including the safety principle, the safety process, the definitions, the hazard analysis process,
etc. This document includes the comparison results of the HA requirements of the safety
control systems of other safety industries in Annex C.
For a nuclear power plant, the design safety and operation safety shall be analyzed, for
example, to meet the IAEA Safety Requirements for Design (SSR-2/1) and Operation
(SSR-2/2). The scope of this document is to survey the state of the art in the hazard analysis
for the design of I&C system of NPPs.
Figure 1 illustrates the scope of I&C systems important to safety that have hazard analysis
requirements, in the form of the three-by-three matrix given in IEEE 603-2009. This document
covers the hazard analysis for the sense and command features of digital systems. It also
considers the requirements for hazard analysis of the system of systems (SoS), including the
software, hardware and human elements of the digital systems.

Figure 1 – I&C Layer and Defence-in-Depth Level
2 Normative references
The following documents are referred to in the text in such a way that some or all of their
content constitutes requirements of this document. For dated references, only the edition
cited applies. For undated references, the latest edition of the referenced document (including
any amendments) applies.
IEC 60880:2006, Nuclear power plants – Instrumentation and control systems important to
safety – Software aspects for computer-based systems performing category A functions
IEC 61226:2009, Nuclear power plants – Instrumentation and control important to safety –
Classification of instrumentation and control functions
IEC 61508 (all parts), Functional Safety of electrical/electronic/programmable electronic
safety-related systems
IEC TR 61508-0, Functional safety of electrical/electronic/programmable electronic safety-
related systems – Part 0: Functional safety and IEC 61508
IEC 61508-4, Functional safety of electrical/electronic/programmable electronic safety-related
systems – Part 4: Definitions and abbreviations
IEC 61513:2011, Nuclear power plants – Instrumentation and control important to safety –
General requirements for systems
IAEA Safety Standards Specific Safety Requirements SSR-2/1:2012, Safety of Nuclear Power
Plants: Design
IAEA Safety Standards, Specific Safety Requirements SSR-2/2:2012, Safety of Nuclear Power
Plants: Commissioning and Operation
IAEA Safety Standards, Safety Guide SSG-39:2016, Design of Instrumentation and Control
Systems for Nuclear Power Plants
IEEE Standard 7-4.3.2-2010, IEEE standard criteria for Digital Computers in safety systems
for nuclear power generating stations
IEEE Standard 603-2009, IEEE standard criteria for safety systems for nuclear power
generating stations
IEEE Standard 1012-2012, IEEE standard for system and software verification and validation
IEEE Standard 1228-1994, IEEE standard for Software Safety Plans
Research Information Letter (RIL) 1101: Technical basis to review hazard analysis of digital
safety systems, US NRC, August, 2013

3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminological databases for use in standardization at the following
addresses:
• IEC Electropedia: available at http://www.electropedia.org/
• ISO Online browsing platform: available at http://www.iso.org/obp
3.1
safety analysis
evaluation of the potential hazards associated with the conduct of an activity
Note 1 to entry: Safety analysis is often used interchangeably with safety assessment. However, when the
distinction is important, safety analysis should be used for the study of safety, and safety assessment for the
valuation of safety — for example, evaluation of the magnitude of hazards, evaluation of the performance of safety
measures and judgment of their adequacy, or quantification of the overall radiological impact or safety of a facility
or activity.
[SOURCE: IAEA Safety Glossary, edition 2007]

3.2
assessment
the process, and the result, of analyzing systematically and evaluating the hazards associated
with sources and practices, and associated protection and safety measures. Assessment is
often aimed at quantifying performance measures for comparison with criteria.
Note 1 to entry: In IAEA publications, assessment should be distinguished from analysis. Assessment is aimed at
providing information that forms the basis of a decision on whether or not something is satisfactory. Various kinds
of analysis may be used as tools in doing this. Hence an assessment may include a number of analyses.
[SOURCE: IAEA Safety Glossary, edition 2007]
3.3
safety assessment
a) assessment of all aspects of a practice that are relevant to protection and safety; for an
authorized facility, this includes siting, design and operation of the facility. This will
normally include risk assessment.
b) analysis to predict the performance of an overall system and its impact, where the
performance measure is the radiological impact or some other global measure of the
impact on safety
c) the systematic process that is carried out throughout the design process to ensure that all
the relevant safety requirements are met by the proposed (or actual) design. Safety
assessment includes, but is not limited to, the formal safety analysis
[SOURCE: IAEA Safety Glossary, edition 2007]
3.4
hazard
a) potential source of harm
[SOURCE: ISO/IEC Guide 51:2014, 3.2]
b) (A) intrinsic property or condition that has the potential to cause harm or damage. (B) A
source of potential harm or a situation with a potential for harm in terms of human injury,
damage to health, property, or the environment, or some combination of these
[SOURCE: IEEE 1012-2012]
3.5
hazard identification
process of recognizing that a hazard exists and defining its characteristics
[SOURCE: IEEE 1012-2012]
3.6
contributory hazard
factor contributing to potential for harm
[SOURCE: AviationGlossary.com, “Contributory Hazard,” October 15, 2012]
3.7
hazard analysis
a) process of examining a system throughout its lifecycle to identify inherent hazards and
contributory hazards, and requirements and constraints to eliminate, prevent, or control
them
[SOURCE: US NRC RIL 1101]
b) systematic qualitative or quantitative evaluation of software for undesirable outcomes
resulting from the development or operation of a system
these outcomes may include injury, illness, death, mission failure, economic loss,
property loss, environmental loss, or adverse social impact. This evaluation may include
screening or analysis methods to categorize, eliminate, reduce, or mitigate hazards
[SOURCE: IEEE 1012-1998]
c) process of examining a system throughout its lifecycle to identify inherent hazards and
contributory hazards, and requirements and constraints to eliminate, prevent, or control
them
Note 1 to entry: The scope of hazard analysis extends beyond design basis accidents for the plant by including
abnormal events and plant operations with degraded equipment and plant systems.
[SOURCE: IAEA SSG-39, 2016]
d) process that explores and identifies conditions that are not identified by the normal
design review and testing process
the scope of hazard analysis extends beyond plant design basis events by including
abnormal events and plant operations with degraded equipment and plant systems.
Hazard analysis focuses on system failure mechanisms rather than verifying correct
system operation
[SOURCE: IEEE Std 7-4.3.2-2003 and 2010]
e) a hazard analysis (HA) is a process for examining an instrumentation and control (I&C)
system throughout its development lifecycle to identify hazards (i.e., factors and causes),
and system requirements and constraints to eliminate, prevent, or control them. Hazard
analyses examine safety related I&C systems, subsystems, and components, their
interrelationships and their interactions with other systems, subsystems, and components
to identify unintended or unwanted I&C system operation including the impairment or loss
of the ability to perform a safety function
[SOURCE: US NRC DSRS App A]
4 Terminologies in IAEA-IEC and NRC-IEEE
There are some differences in the concept, definitions and principles of the safety aspects
between IAEA and IEEE communities. Table 1 shows the differences as a summary.

Table 1 – Definitions of IAEA and IEEE nuclear standards
(Each numbered row gives the IAEA column first, then the IEEE column; “–” marks a cell left empty in the table.)

1 Framework
  IAEA: IAEA-IEC
  IEEE: NRC-IEEE
2 Risk based qualification
  IAEA: No graded application
  IEEE: Graded application of quality and reliability features
3 Classification
  IAEA: SIL in IEC 61508, Categories in IEC
  IEEE: Class 1E, Non-1E
4 Safety view
  IAEA: Safety requirements specification is the main activity in the lifecycle.
  IEEE: Safety Analysis in all phases of the lifecycle
5 Software qualification principle
  IAEA: Safety goal and requirements shall be met through good engineering.
    1 Simple, separate safety systems design
    2 System quality
      – Complete and correct safety requirements
      – Correct implementation
      – Producing quality products
    3 Defense-in-depth and diversity
  IEEE: Same approach, but different in direct hazard analysis
    1 Simple, separate safety systems design
    2 System quality
      – Complete and correct safety requirements
      – Correct implementation
      – Producing quality products
    3 Defense-in-depth and diversity
    4 Hazard avoidance / identification / resolution
6 Accident
  IAEA: Deviations from normal operation
  IEEE: (IEEE 1228) An unplanned event or series of events that results in death, injury, illness, environmental damage, or damage to or loss of equipment or property
7 Hazard
  IAEA: (IEC 61508-4) Potential source of harm
  IEEE: (IEEE 7-4.3.2) A condition that is a prerequisite to an accident. Hazards include external events as well as conditions internal to computer hardware or software
8 Risk
  IAEA: (IEC 61508-4) Combination of the probability of occurrence of harm and severity of that harm
  IEEE: (IEEE 1228) A measure that combines both the likelihood that a system hazard will cause an accident and the severity of that accident
9 Safety
  IAEA: (IEC 61508-4) Freedom from unacceptable risk
  IEEE: –
10 Software hazard
  IAEA: –
  IEEE: (IEEE 1228) A software condition that is a prerequisite to an accident
11 System hazard
  IAEA: –
  IEEE: (IEEE 1228) A system condition that is a prerequisite to an accident
12 Software safety
  IAEA: –
  IEEE: (IEEE 1228) Freedom from software hazards
13 System safety
  IAEA: –
  IEEE: (IEEE 1228) Freedom from system hazards
14 Hazard analysis
  IAEA: (IEC 61508-0) Hazard Analysis derives Safety Function Requirements
  IEEE: (IEEE 7-4.3.2) Hazard Analysis: A process that explores and identifies conditions that are not identified by the normal design review and testing process. Hazard analysis focuses on system failure mechanisms rather than verifying correct system operation.
    (NUREG-CR 6430)[50] Hazard Analysis is the process of identifying and evaluating the hazards of a system, and then either eliminating the hazard or reducing its risk to an acceptable level.
15 Risk assessment
  IAEA: (IEC 61508-0) Risk assessment derives safety integrity requirements
  IEEE: No definition
16 Functional safety
  IAEA: (IEC 61508-0) Functional safety: is part of the overall safety that depends on a system or equipment operating correctly in response to its inputs.
  IEEE: No definition
17 Functional safety assessment
  IAEA: (IEC 61508-4) Functional safety assessment: investigation, based on evidence, to judge the functional safety achieved by one or more E/E/PE (see Table B.1) safety-related systems, other technology safety-related systems or external risk reduction facilities
  IEEE: (IEEE 7-4.3.2) Hazard Analysis: A process that explores and identifies conditions that are not identified by the normal design review and testing process. The scope of hazard analysis extends beyond plant design basis events by including abnormal events and plant operations with degraded equipment and plant systems.
—————————
Numbers in square brackets refer to the Bibliography.

5 Abbreviated terms and acronyms
ASIC Application Specific Integrated Circuit
CCF Common Cause Failure
COTS Commercial Off-The-Shelf
DSRS Design Specific Review Standard
ESF Engineered Safety Features
FPGA Field Programmable Gate Array
HDL Hardware Description Language
HA Hazard Analysis
HVAC Heating, Ventilation, Air Conditioning
IAEA International Atomic Energy Agency
I&C Instrumentation and Control
NPP Nuclear Power Plant
NRC Nuclear Regulatory Commission
PLC Programmable Logic Controller
QA Quality Assurance
RAMS Reliability, Availability, Maintainability, and Safety
RTS Reactor Trip System
SIL Safety Integrity Level
SoS System of Systems
SSR Specific Safety Requirements
V&V Verification & Validation
6 General
6.1 Hazard analysis of digital instrumentation and control systems
A hazard, in general, is defined as “potential for harm.” In this document, the scope of “harm”
is limited to the loss of a safety function in a Nuclear Power Plant (NPP). Furthermore, the
unintended or spurious action of a safety function can cause harm or in some cases
contravene the safety function needed in that particular situation.
In the context of ensuring a safety system of the highest criticality, a hazard (potential for
harm, in brief) is the potential to degrade the system’s capability to perform its allocated
safety function (henceforth, potential to degrade the system). The hazard may be external or
internal to the system. (There may be multiple levels of integration of a system, i.e., there may
be systems within systems; then the internal-external boundary shifts in accordance with the
level of integration in focus.)

The Hazard Analysis (HA) of an Instrumentation and Control (I&C) system identifies the
relationship between the logical faults, errors and failures of the I&C systems and physical
harm to the nuclear power plant, and also determines the impact that external hazards of the
plant, e.g. a tsunami, have on the I&C systems.
Hazard analysis, a systems engineering activity, is the application of systematic and
replicable methods to identify hazards, their potential adverse effects, their causes, and the
changes in system concept or safety requirements needed to meet the overall safety goals of
the system.
Although the term “hazard analysis” has been defined in many different ways, as shown in 3.7,
the comparison of HA requirements in this document is scoped to the identification of all
internal and external hazards at the I&C system boundary shown in Figure 2 that lead to the
loss or spurious activation of safety functions of the NPP.

Figure 2 – Internal or external hazards
The hazard analysis is the analysis of internal and external hazards at the boundary of I&C
system as shown in Figure 2. Internal hazards include the inherent hazards from software
faults introduced throughout the software lifecycle, interaction faults between software and
human, and between software and hardware, functional interaction and multiple functional
failures such as a common cause failure. External hazards include a loss of power, EMI, RFI,
flood, earthquake, and their cascaded events.
6.2 Purpose of hazard analysis
The purpose of HA should be:
a) to identify the hazards and the contributory hazards of the I&C system of systems (SoS);
b) to validate the hazardous aspects of the I&C system, software, hardware, and human
operators throughout the lifecycle;
c) to provide solutions for the elimination, control, and mitigation of the hazards.
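The two points above that are easy to get wrong in practice are the boundary-relative meaning of "internal" and "external" (6.1: the boundary shifts with the level of integration in focus) and the completeness check in 6.2 c) (every identified hazard needs an elimination, control or mitigation measure). The following is an added example, not code from IEC TR 63192 or from any referenced standard: a minimal hazard register in Python that holds a system-of-systems hierarchy, classifies each hazard relative to whichever boundary is in focus, and lists hazards that still lack a control. The plant structure, hazard names, safety function and controls are all constructed for illustration.

```python
"""Added example (not part of IEC TR 63192): a minimal I&C hazard register.

Classifies each hazard as internal or external relative to a chosen system
boundary and reports hazards that still have no control.  All system names,
hazards and controls are constructed for illustration only.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Effect a hazard has on the allocated safety function (Clause 6.1).
LOSS = "loss of safety function"
SPURIOUS = "spurious actuation of safety function"


@dataclass
class System:
    """A node in the system-of-systems hierarchy; children lie inside this boundary."""
    name: str
    children: List["System"] = field(default_factory=list)

    def contains(self, name: str) -> bool:
        """True if `name` is this system or sits anywhere inside its boundary."""
        if self.name == name:
            return True
        return any(child.contains(name) for child in self.children)

    def find(self, name: str) -> Optional["System"]:
        """Locate a system by name anywhere in the hierarchy."""
        if self.name == name:
            return self
        for child in self.children:
            hit = child.find(name)
            if hit is not None:
                return hit
        return None


@dataclass
class Hazard:
    name: str
    origin: str            # system where the hazard originates ("SITE" = outside plant)
    safety_function: str   # safety function whose performance may be degraded
    effect: str            # LOSS or SPURIOUS
    controls: List[str] = field(default_factory=list)


def classify(root: System, hazard: Hazard, focus: str) -> str:
    """Internal/external is decided relative to the boundary of `focus`
    (Clause 6.1: the boundary shifts with the level of integration in focus)."""
    focus_system = root.find(focus)
    if focus_system is None:
        raise ValueError(f"unknown system: {focus}")
    return "internal" if focus_system.contains(hazard.origin) else "external"


def uncontrolled(hazards: List[Hazard]) -> List[str]:
    """Hazards with no elimination, control or mitigation measure (Clause 6.2 c)."""
    return [h.name for h in hazards if not h.controls]


def by_safety_function(root: System, hazards: List[Hazard],
                       focus: str) -> Dict[Tuple[str, str], List[Tuple[str, str]]]:
    """Group (hazard name, classification) by (safety function, effect)."""
    table: Dict[Tuple[str, str], List[Tuple[str, str]]] = {}
    for h in hazards:
        table.setdefault((h.safety_function, h.effect), []).append(
            (h.name, classify(root, h, focus)))
    return table


# Constructed hierarchy: plant > reactor trip system > platform + application software.
PLANT = System("NPP", [
    System("Turbine hall"),
    System("RTS", [System("RTS platform"), System("RTS application software")]),
])

# Constructed hazard register (illustrative entries, not from any real plant).
HAZARDS = [
    Hazard("Tsunami floods the switchyard", "SITE", "Reactor trip", LOSS,
           ["Flood-qualified emergency power supply"]),
    Hazard("Turbine hall fire damages cable route", "Turbine hall", "Reactor trip", LOSS,
           ["Physically separated redundant cable routes"]),
    Hazard("Stuck-at fault in application logic", "RTS application software",
           "Reactor trip", LOSS),                      # no control yet: a gap
    Hazard("Spurious trip from EMI on sensor input", "RTS platform", "Reactor trip",
           SPURIOUS, ["2-out-of-4 voting", "EMI/RFI qualification"]),
]

if __name__ == "__main__":
    for focus in ("NPP", "RTS", "RTS platform"):
        print(f"-- boundary in focus: {focus}")
        for h in HAZARDS:
            print(f"  {classify(PLANT, h, focus):8s} {h.name}")
    print("uncontrolled:", uncontrolled(HAZARDS))
```

Running the block shows the boundary shift directly: the application-software fault is internal to the NPP and to the RTS but external to the RTS platform, while the turbine hall fire is internal to the plant yet external to the RTS; `uncontrolled()` returns the software fault as the only entry still lacking a measure under 6.2 c).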

7 Comparison of hazard analysis requirements and guidance for nuclear
industry
7.1 General
There are two major groups of standardization communities in the nuclear industry, the IAEA
community and the IEEE community. Each community has developed safety standards and
regulatory criteria, as shown in Figure 3 and Figure 4. The boxes drawn in bold in Figures 3
and 4 contain requirements related to hazard analysis. In this clause, those HA requirements
are compared using the template defined in Annex C of this document.

Figure 3 – IAEA-IEC framework of I&C standards

Figure 4 – NRC-IEEE framework of I&C standards
7.2 IAEA Safety Requirements SSR-2/1: Design Safety of NPP:2012
Table 2 presents Hazard Analysis in IAEA Safety Requirements SSR-2/1:2012.

Table 2 – Hazard Analysis in IAEA Safety Requirements SSR-2/1:2012

Columns: comparison criteria of HA requirements / HA requirements in the safety standard IAEA SSR-2/1: Design Safety of NPP

1 Safety principles (safety model or safety culture)
  Requirement 17: Internal and external hazards. All foreseeable internal hazards and external hazards, including the potential for human induced events directly or indirectly to affect the safety of the nuclear power plant, shall be identified and their effects shall be evaluated. Hazards shall be considered for determination of the postulated initiating events and generated loadings for use in the design of relevant items important to safety for the plant.
2 Safety processes
  None
3 Definition of HA
  Internal hazards
  5.16. The design shall take due account of internal hazards such as fire, explosion, flooding, missile generation, collapse of structures and falling objects, pipe whip, jet impact and release of fluid from failed systems or from other installations on the site. Appropriate features for prevention and mitigation shall be provided to ensure that safety is not compromised.
  External hazards
  5.17. The design shall include due consideration of those natural and human induced external events (i.e. events of origin external to the plant) that have been identified in the site evaluation process. Natural external events shall be addressed, including meteorological, hydrological, geological and seismic events. Human induced external events arising from nearby industries and transport routes shall be addressed. In the short term, the safety of the plant shall not be permitted to be dependent on the availability of off-site services such as electricity supply and firefighting services. The design shall take due account of site specific conditions to determine the maximum delay time by which off-site services need to be available.
4 Purpose of HA
  None
5 Method of HA
  None
6 HA process
  None
7 Independence of HA (HA organization)
  None
8 Harmonized HA of SoS
  None
9 Relationship with other requirements (security, reliability)
  None
10 Discussion
  [Terminology issue]
  IAEA SSR-2/1 contains only top-level requirements on internal and external hazards, without definitions of the terms "internal hazard" and "external hazard".
  There are informal explanations of the internal and external hazards:
  Internal hazards such as fire, explosion, flooding, missile generation, collapse of structures and falling objects, pipe whip, jet impact, and release of fluid from failed systems or from other installations on the site.
  Natural and human induced external events (i.e., events of origin external to the plant).
  The IAEA Safety Glossary contains no definition of internal and external hazards.
  Whether a hazard is internal or external should be decided according to the boundary of the system under consideration, such as the plant, an I&C system, a platform, an operating system, a device, and so on.

7.3 IAEA Safety Requirements SSR-2/2: Operation Safety of NPP:2012
SSR-2/2 contains no explicit requirements for operational hazards, but it contains many
implicit hazard-related requirements.
...
