Nuclear power plants - Instrumentation and control important to safety - Hardware design requirements for computer-based systems

Is applicable to computer-system hardware for systems of Class 1 and 2 (as defined by IEC 61513) in nuclear power plants. This new edition reflects recent developments in computer system hardware design, the use of pre-developed hardware and changes in terminology.


General Information

Status: Published
Publication Date: 26-Aug-2007
Current Stage: DELPUB - Deleted Publication
Start Date: 03-Feb-2021
Completion Date: 12-Nov-2018
Ref Project:

Relations

Standard
IEC 60987:2007 - Nuclear power plants - Instrumentation and control important to safety - Hardware design requirements for computer-based systems
English and French language
61 pages
Standard
IEC 60987:2007+AMD1:2013 CSV - Nuclear power plants - Instrumentation and control important to safety - Hardware design requirements for computer-based systems (Released: 2/22/2013, ISBN: 9782832206744)
English and French language
74 pages

Standards Content (Sample)

IEC 60987
Edition 2.0 2007-08
INTERNATIONAL STANDARD
Nuclear power plants – Instrumentation and control important to safety –
Hardware design requirements for computer-based systems

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by
any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either IEC or
IEC's member National Committee in the country of the requester.
If you have any questions about IEC copyright or have an enquiry about obtaining additional rights to this publication,
please contact the address below or your local IEC member National Committee for further information.


IEC Central Office
3, rue de Varembé
CH-1211 Geneva 20
Switzerland
Email: inmail@iec.ch
Web: www.iec.ch
About the IEC
The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes
International Standards for all electrical, electronic and related technologies.

About IEC publications
The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the
latest edition; a corrigendum or an amendment might have been published.
• Catalogue of IEC publications: www.iec.ch/searchpub
The IEC on-line Catalogue enables you to search by a variety of criteria (reference number, text, technical committee,…).
It also gives information on projects, withdrawn and replaced publications.
• IEC Just Published: www.iec.ch/online_news/justpub
Stay up to date on all new IEC publications. Just Published details twice a month all new publications released. Available
on-line and also by email.
• Electropedia: www.electropedia.org
The world's leading online dictionary of electronic and electrical terms containing more than 20 000 terms and definitions
in English and French, with equivalent terms in additional languages. Also known as the International Electrotechnical
Vocabulary online.
• Customer Service Centre: www.iec.ch/webstore/custserv
If you wish to give us your feedback on this publication or need further assistance, please visit the Customer Service
Centre FAQ or contact us:
Email: csc@iec.ch
Tel.: +41 22 919 02 11
Fax: +41 22 919 03 00
INTERNATIONAL ELECTROTECHNICAL COMMISSION
PRICE CODE V
ICS 27.120.20
ISBN 2-8318-9285-6

– 2 – 60987 © IEC:2007
CONTENTS
FOREWORD .... 4
INTRODUCTION .... 6

1 Scope .... 8
1.1 General .... 8
1.2 Use of this standard for pre-developed (for example, COTS) hardware assessment .... 8
1.3 Applicability of this standard to programmable logic devices development .... 9
2 Normative references .... 9
3 Terms and definitions .... 10
4 Project structure .... 12
4.1 General .... 12
4.2 Project subdivision .... 12
4.3 Quality assurance .... 12
5 Hardware requirements .... 13
5.1 General .... 13
5.2 Functional and performance requirements .... 14
5.3 Reliability/Availability requirements .... 15
5.4 Environmental withstand requirements .... 16
5.5 Documentation requirements .... 16
6 Design and development .... 17
6.1 General .... 17
6.2 Design activities .... 17
6.3 Reliability .... 18
6.4 Maintenance .... 18
6.5 Interfaces .... 19
6.6 Modification .... 19
6.7 Power failure .... 19
6.8 Component selection .... 19
6.9 Design documentation .... 19
7 Verification and validation .... 20
7.1 General .... 20
7.2 Verification plan .... 20
7.3 Independence of verification .... 21
7.4 Methods .... 21
7.5 Documentation .... 22
7.6 Discrepancies .... 22
7.7 Changes and modifications .... 22
7.8 Installation verification .... 22
7.9 Validation .... 22
7.10 Verification of pre-existing equipment platforms .... 22
8 Qualification .... 23
9 Manufacture .... 23
10 Installation and commissioning .... 23
11 Maintenance .... 23
11.1 Maintenance requirements .... 24
11.2 Failure data .... 24
11.3 Maintenance documentation .... 25
12 Modification .... 26
13 Operation .... 26

Annex A (informative) Overview of system life cycle .... 27
Annex B (informative) Outline of qualification .... 28
Annex C (informative) Example of maintenance procedure .... 29

Bibliography .... 30

INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
NUCLEAR POWER PLANTS –
INSTRUMENTATION AND CONTROL
IMPORTANT TO SAFETY –
HARDWARE DESIGN REQUIREMENTS
FOR COMPUTER-BASED SYSTEMS
FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, IEC publishes International Standards, Technical Specifications,
Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC
Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested
in the subject dealt with may participate in this preparatory work. International, governmental and non-
governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely
with the International Organization for Standardization (ISO) in accordance with conditions determined by
agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence
between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in
the latter.
5) IEC provides no marking procedure to indicate its approval and cannot be rendered responsible for any
equipment declared to be in conformity with an IEC Publication.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of
patent rights. IEC shall not be held responsible for identifying any or all such patent rights.
International Standard IEC 60987 has been prepared by subcommittee 45A: Instrumentation
and control of nuclear facilities, of IEC technical committee 45: Nuclear instrumentation.
This second edition cancels and replaces the first edition published in 1989. This edition
includes the following significant technical changes with respect to the previous edition:
• account has been taken of the fact that computer design engineering techniques have
advanced significantly in the intervening years;
• update of the format to align with the current IEC/ISO directives on the style of standards;
• alignment of the standard with the new revisions of IAEA documents NS-R-1 and NS-G-1.3,
which includes as far as possible an adaptation of the definitions;

• replacement, as far as possible, of the requirements associated with standards published
since the first edition, especially IEC 61513, IEC 60880, edition 2, and IEC 62138;
• review of the existing requirements and updating of the terminology and definitions.
The text of this standard is based on the following documents:
FDIS: 45A/662/FDIS
Report on voting: 45A/666/RVD
Full information on the voting for the approval of this standard can be found in the report on
voting indicated in the above table.
This publication has been drafted in accordance with the ISO/IEC Directives, Part 2.
The committee has decided that the contents of this publication will remain unchanged until
the maintenance result date indicated on the IEC web site under "http://webstore.iec.ch" in
the data related to the specific publication. At this date, the publication will be
• reconfirmed,
• withdrawn,
• replaced by a revised edition, or
• amended.
INTRODUCTION
a) Technical background, main issues and organization of the standard
The basic principles for the design of nuclear instrumentation, as specifically applied to the
safety systems of nuclear power plants, were first interpreted in nuclear standards with
reference to hardwired systems in IAEA Safety Guide 50-SG-D3 which has been superseded
by IAEA Guide NS-G-1.3.
IEC 60987 was first issued in 1989 to cover the hardware aspects of digital systems design
for systems important to safety, i.e. safety systems and safety-related systems.
Although many of the requirements within the original issue continue to be relevant, there
were significant factors which justified the development of this revised edition of IEC 60987, in
particular:
– a new standard has been produced which addresses in detail the general requirements for
nuclear systems important to safety (IEC 61513);
– the use of pre-developed system platforms, rather than bespoke developments, has
increased significantly.
b) Situation of the current standard in the structure of the IEC SC 45A standard series
The first-level IEC SC 45A standard for computer-based systems important to safety in
nuclear power plants (NPPs) is IEC 61513. IEC 60987 is a second-level IEC SC 45A standard
which addresses the generic issue of hardware design of computerized systems.
IEC 60880 and IEC 62138 are second-level standards which together cover the software
aspects of computer-based systems used to perform functions important to safety in NPPs.
IEC 60880 and IEC 62138 make direct reference to IEC 60987 for hardware design.
The requirements of IEC 60780 for equipment qualification are referenced within IEC 60987.
For modules to be used in the design of a specific system important to safety, relevant and
auditable operating experience from nuclear or other applications as described in IEC 60780,
in combination with the application of rigorous quality assurance programmes, may be an
acceptable method of qualification.
For more details on the structure of the SC 45A standard series, see item d) of this
introduction.
c) Recommendations and limitations regarding the application of the standard
It is important to note that this standard establishes no additional functional requirements for
Class 1 or Class 2 systems (see IEC 61513 for system classification requirements).
Aspects for which special recommendations have been produced (so as to assure the
production of highly reliable systems) are:
– a general approach to computing hardware development;
– a general approach to hardware verification and to the hardware aspects of computer
system validation.
It is recognized that computer technology is continuing to develop and that it is not possible
for a standard such as this to include references to all modern design technologies and
techniques. To ensure that the standard will continue to be relevant in future years the
emphasis has been placed on issues of principle, rather than specific hardware design
technologies. If new design techniques are developed then it should be possible to assess the
suitability of such techniques by adapting and applying the design principles contained within
this standard.
The scope of this standard covers digital systems hardware for Class 1 and Class 2 systems.
This includes multiprocessor distributed systems and single processor systems; it covers the
assessment and use of pre-developed items, for example, commercial off-the-shelf items
(COTS), and the development of new hardware.
d) Description of the structure of the SC 45A standard series and relationships with
other IEC, IAEA and ISO documents
The top-level document of the IEC SC 45A standard series is IEC 61513. It provides general
requirements for I&C systems and equipment that are used to perform functions important to
safety in NPPs. IEC 61513 structures the IEC SC 45A standard series.
IEC 61513 refers directly to other IEC SC 45A standards for general topics related to
categorization of functions and classification of systems, qualification, separation of systems,
defence against common-cause failure, software aspects of computer-based systems,
hardware aspects of computer-based systems, and control room design. The standards
referenced directly at this second level should be considered together with IEC 61513 as a
consistent document set.
At a third level, IEC SC 45A standards not referenced directly by IEC 61513 are standards
related to specific equipment, technical methods, or specific activities. Usually these
documents, which make reference to second-level documents for general topics, can be used
on their own.
A fourth level extending the IEC SC 45A standard series, corresponds to technical reports
which are not normative documents.
IEC 61513 has adopted a presentation format similar to the basic safety publication
IEC 61508 with an overall safety life-cycle framework and a system life-cycle framework and
provides an interpretation of the general requirements of IEC 61508-1, IEC 61508-2 and
IEC 61508-4, for the nuclear application sector. Compliance with IEC 61513 will facilitate
consistency with the requirements of IEC 61508 as they have been interpreted for the nuclear
industry. In this framework, IEC 60880 and IEC 62138 correspond to IEC 61508-3 for the
nuclear application sector.
IEC 61513 refers to ISO 9001 as well as to IAEA 50-C-QA (now replaced by IAEA 50-C/SG-Q)
for topics related to quality assurance (QA).
The IEC SC 45A standards series consistently implements and details the principles and
basic safety aspects provided in the IAEA Code on the safety of NPPs and in the IAEA safety
series, in particular the requirements of NS-R-1, establishing safety requirements related to
the design of NPPs, and Safety Guide NS-G-1.3 dealing with instrumentation and control
systems important to safety in NPPs. The terminology and definitions used by SC 45A
standards are consistent with those used by the IAEA.

NUCLEAR POWER PLANTS –
INSTRUMENTATION AND CONTROL
IMPORTANT TO SAFETY –
HARDWARE DESIGN REQUIREMENTS
FOR COMPUTER-BASED SYSTEMS
1 Scope
1.1 General
This International Standard is applicable to NPP computer-system hardware for systems of
Class 1 and 2 (as defined by IEC 61513).
The structure of this standard has not changed significantly from the original 1989 issue;
however, some issues are now covered by standards which have been issued in the interim
(for example, IEC 61513 for system architecture design) and references to new standards
have been provided where applicable. The text of the standard has also been modified to
reflect developments in computer system hardware design, the use of pre-developed (for
example, COTS) hardware and changes in terminology.
Computer hardware facilities used for software loading and checking are not considered to
form an intrinsic part of a system important to safety and, as such, are outside the scope of
this standard.
NOTE 1 Class 3 computer-system hardware is not addressed by this standard, and it is recommended that such
systems should be developed to commercial grade standards.
NOTE 2 In 2006 the development of a new standard to address hardware requirements for “very complex”
hardware was discussed within IEC SC 45A. If such a standard is developed then that standard would be used for
the development of “very complex” hardware in preference to IEC 60987.
1.2 Use of this standard for pre-developed (for example, COTS) hardware assessment
Although the primary aim of this standard is to address aspects of new hardware
development, the processes defined within this standard may also be used to guide the
assessment and use of pre-developed hardware, such as COTS hardware. Guidance has
been provided in the text concerning the interpretation of the requirements of this standard
when used for the assessment of such components. In particular, the quality assurance
requirements of 4.3, concerning configuration control, apply.
Pre-developed components may contain firmware (as defined in 3.8), and, where firmware
software is deeply embedded, and effectively “transparent” to the user, then IEC 60987 should
be used to guide the assessment process for such components. An example of where this
approach is considered appropriate is in the assessment of modern processors which contain
a microcode. Such a code is generally an integral part of the “hardware”, and it is therefore
appropriate for the processor (including the microcode) to be assessed as an integrated
hardware component using this standard.
Software which is not firmware, as described above, should be developed or assessed
according to the requirements of the relevant software standard (for example, IEC 60880 for
Class 1 systems and IEC 62138 for Class 2 systems).

1.3 Applicability of this standard to programmable logic devices development
I&C components may include programmable logic devices that are given their specific
application logic design by the designer of the I&C component, as opposed to the chip
manufacturer. Examples of such devices include complex programmable logic devices (CPLD)
and field programmable gate arrays (FPGA).
While the programmable nature of these devices gives the development processes used for
these devices some of the characteristics of a software development process, the design
processes used for such devices are very similar to those used to design logic circuits
implemented with discrete gates and integrated circuit packages. Therefore, the design
processes and design verification applied to programmable logic devices should comply with
the relevant requirements of this standard (i.e. taking into account the particular features of
the design processes of such devices). To the extent that software-based tools are used to
support the design processes for programmable logic devices, those software tools should
generally follow the guidance provided for software-based development tools in the
appropriate software standard, i.e. IEC 60880 (Class 1 systems) or IEC 62138 (Class 2
systems).
2 Normative references
The following referenced documents are indispensable for the application of this document.
For dated references, only the edition cited applies. For undated references, the latest edition
of the referenced document (including any amendments) applies.
IEC 60780, Nuclear power plants – Electrical equipment of the safety system – Qualification
IEC 60812, Analysis techniques for system reliability – Procedures for failure mode and
effects analysis (FMEA)
IEC 60880, Nuclear power plants – Instrumentation and control systems important to safety –
Software aspects for computer-based systems performing category A functions
IEC 61000 (all parts), Electromagnetic compatibility (EMC)
IEC 61025, Fault tree analysis (FTA)
IEC 61513:2001, Nuclear power plants – Instrumentation and control for systems important to
safety – General requirements for systems
IEC 62138, Nuclear power plants – Instrumentation and control important for safety –
Software aspects for computer-based systems performing category B or C functions
ISO 9001, Quality management systems – Requirements
IAEA NS-G 1.3, Instrumentation and control systems important to safety in nuclear power
plants
IAEA 50-C/SG-Q:1996, Quality assurance for safety in nuclear power plants and other nuclear
installations
3 Terms and definitions
For the purposes of this document, the terms and definitions given in IEC 61513, as well as
the following, apply.
3.1
ATE
automated test equipment
3.2
COTS
commercial off the shelf; COTS is a subset of pre-developed products
3.3
diversity
existence of two or more different ways or means of achieving a specified objective. Diversity
is specifically provided as a defence against common cause failure. It may be achieved by
providing systems that are physically different from each other or by functional diversity,
where similar systems achieve the specified objective in different ways
[IEC 60880:2006, definition 3.14]
NOTE This definition is wider than that used by the IAEA NS-G-1.3 which is as follows: “The presence of two or
more systems or components to carry out an identified function, where the different systems or components have
different attributes so as to reduce the possibility of common mode failure”. [IEC 61226:2005, definition 3.5]
3.4
firmware
software which is closely coupled to the hardware characteristics on which it is installed. The
presence of firmware is generally “transparent” to the user of the hardware component and,
as such, may be considered to be effectively an integral part of the hardware design (a good
example of such software being processor microcode). Generally, firmware may only be
modified by a user by replacing the hardware components (for example, processor chip, card,
EPROM) which contain this software with components which contain modified software
(firmware). Where this is the case, configuration control of the hardware components by the
users of the equipment effectively provides configuration control of the firmware. Firmware, as
considered by this standard, is effectively software that is built in to the hardware
3.5
FMEA
failure modes and effects analysis
3.6
FTA
fault tree analysis
3.7
NPP
nuclear power plant
3.8
pre-developed
item which already exists, is available as a commercial or proprietary product, and is being
considered for use in a computer-based system
NOTE This definition is consistent with the definition of pre-developed software provided by IEC 61513:2001.

3.9
qualified life
period for which a structure, system or component has been demonstrated, through testing,
analysis or experience, to be capable of functioning within acceptance criteria during specific
operating conditions while retaining the ability to perform its safety functions in a design basis
accident or earthquake
[IAEA Safety Glossary:2006]
3.10
revealed hardware failure
a hardware failure which is detected automatically and reported, for example, a board failure
where a watchdog circuit automatically detects the failure and raises an alarm
3.11
safety-related system
system important to safety that is not part of a safety system
[IAEA Safety Glossary:2006]
3.12
safety system
system important to safety, provided to ensure the safe shutdown of the reactor or the
residual heat removal from the core, or to limit the consequences of anticipated operational
occurrences and design basis accidents
[IAEA Safety Glossary:2006]
3.13
single failure
failure which results in the loss of capability of a system or component to perform its intended
safety function(s), and any consequential failure(s) which result from it
[IAEA Safety Glossary:2006]
3.14
single failure criterion (SFC)
criterion (or requirement) applied to a system such that it is capable of performing its safety
task in the presence of any single failure
[IAEA Safety Glossary:2006]
3.15
systems important to safety
system that is part of a safety group and/or whose malfunction or failure could lead to
radiation exposure of the site personnel or members of the public
[IAEA Safety Glossary:2006]
3.16
system validation
confirmation by examination and provision of other evidence that a system fulfils in its entirety
the requirement specification as intended (functionality, response time, fault tolerance,
robustness)
[IEC 60880:2006, definition 3.42]

3.17
unrevealed hardware failure
hardware failure which is not detected by a system automatically and which only becomes
apparent when an attempt is made to use a function which depends upon the failed hardware.
Such failures may be discovered by functional testing or when an operational demand is
placed upon the system
3.18
verification
confirmation by examination and by provision of objective evidence that the results of an
activity meet the objectives and requirements defined for this activity (ISO 12207)
[IEC 62138:2004, definition 3.35]
4 Project structure
4.1 General
A project established to produce a computer-based system important to safety should be
divided up into a number of phases. Each phase should be to some extent self-contained but
will depend on other phases for input and will, in turn, provide outputs for other phases. The
various project phases together are considered to form the overall safety life cycle (see
IEC 61513, Clause 5, which provides requirements for system life cycles). IEC 61513 allows
project phases to be performed in parallel providing the integrity of the development process
is not compromised.
A quality assurance plan shall be applied to the hardware production process.
4.2 Project subdivision
The following general requirements define the hardware development life-cycle requirements
for computer-based systems within the scope of this standard.
a) The hardware development life cycle shall be compatible with the whole system life cycle
(Annex A).
b) Each sub-phase of the hardware development life cycle shall consist of well-defined and
documented activities.
c) Pre-existing hardware products (for example, COTS) to be included in the design shall be
checked, verified and tested as appropriate before use.
d) Adequate means (i.e. spare parts, devices for test and maintenance, etc.) and
accommodation (i.e. laboratories, workshops, space, etc.) shall be provided to carry out
the tasks associated with each development phase.
e) Each development phase shall include the production of appropriate documentation.
f) Each development phase shall be concluded by performing verification (see Clause 7).
g) Every verification activity shall result in auditable records documenting the conclusions
reached and any design changes resulting from the verification performed.
h) All work activities shall be scheduled to ensure that adequate time is allowed for the following:
1) the resolution of any interactions between the hardware and software development
phases required to ensure system hardware/software compatibility;
2) the production of documentation, and the performance of testing, verification and
quality assurance activities.
4.3 Quality assurance
The design and development process shall meet the relevant requirements of IAEA 50-C/SG-Q
(compliance with ISO 9001 is one acceptable method of meeting these requirements). A
hardware quality assurance plan shall exist either as a separate document (or documents) or
as part of an overall quality assurance plan. The plan shall address the use of pre-existing
hardware and the development of hardware as required. All hardware quality-related activities
to be performed by the plant operator, owner, contractors and subcontractors as part of the
hardware development process should be included in the quality assurance plan.
4.3.1 The plan should address the following phases, as they are applicable to any particular
system or development:
a) design and development;
b) procurement;
c) manufacturing;
d) construction and commissioning;
e) operation and maintenance.
4.3.2 It is not a requirement that all the phases listed above be addressed before the design
process begins, but, before each phase is initiated, a plan addressing the requirements of that
phase shall be in place.
4.3.3 The quality assurance plan(s) should describe the organization, management and
execution of quality related activities, including, as relevant:
a) documentation configuration control;
b) the design process;
c) the procurement process for goods and services;
d) configuration control of build instructions, build procedures and drawings;
e) configuration control of materials and items to be used to build the system hardware;
f) quality control activities, such as formal inspections;
g) control of test equipment;
h) control of hardware handling/storage/shipping;
i) the testing process;
j) monitoring of nonconformances raised and the implementation of corrective actions;
k) the procedure for storing quality assurance records;
l) the procedure for internal audits.
5 Hardware requirements
5.1 General
5.1.1 The hardware requirements shall be consistent with the requirements of the system
and form part of the computer-system specification (see IEC 61513:2001, Clause 6). The
computer-system specification is a description of the combined hardware/software system and
states the design objectives for the system and the functions to be performed by the computer
system (systems may be developed for a particular application or may be developed
generically, i.e. platform development, in which case development is based upon derived
generic system requirements).
5.1.2 The hardware requirements shall be specified in the system hardware requirements
specification, or in some other suitable document.

5.1.3 Hardware requirements shall be presented according to a technique or method whose
format shall not preclude readability, i.e. the hardware requirements should not be difficult to
understand.
5.1.4 Functional hardware requirements shall be unambiguous, testable and/or verifiable
and achievable.
5.1.5 The hardware requirements specification should give an overview of hardware
requirements, identify the hardware functions important to nuclear safety (however, if these
are provided in combination with the system software they should be defined in the system
requirements specification), identify the hardware design requirements, state hardware
reliability requirements, and state the hardware environmental withstand requirements.
5.1.6 The hardware requirements for computer systems may include requirements which are
applicable to hardware in general as well as requirements which are particular to computer
system hardware (for example, cabling, surface preparation of enclosures).
5.1.7 The hardware functional requirements should generally describe what has to be done
and not how it has to be done. However, the use of pre-existing components/platforms may
result in a degree of bottom-up hardware design. Before such pre-existing components are
selected for use, an assessment shall be performed to confirm that the hardware performance
characteristics (for example, failure modes) are consistent with system requirements. If any
anomalies are found then these shall be reconciled, either by modifying the hardware design
or the system design (while ensuring that system nuclear safety requirements are not
compromised).
5.2 Functional and performance requirements
5.2.1 The hardware functional and performance requirements shall be consistent with the
functional and performance requirements of the system important to safety.
5.2.2 The hardware functional and performance requirements, combined with the software
requirements (to the extent necessary to address all hardware requirements), shall be verified
for compliance with the system requirements.
5.2.3 All parts of the system, down to the component level, which contain software shall be
assessed as described in 1.2 of this standard.
a) The hardware functional requirements shall include, but are not restricted to, the definition
of
1) the purpose of the overall computer system hardware and of each hardware sub-
system;
2) the numbers and types of sensors and actuators to be connected to the computer
system;
3) the numbers and types of devices for the man/machine interface such as displays,
printers and keyboards.
b) Each component or subsystem delivered by a supplier, and which is to be integrated into
the system, should be accompanied by a specification which addresses all safety-related
aspects of the performance of that item. If such a specification is not provided, then an
analysis shall be performed to determine the hardware design characteristics of the
component to the extent necessary to confirm its suitability.
c) The hardware performance requirements shall include (as applicable to any particular
application)
1) required data acquisition rate;
2) required data handling capability;
3) required computational capacity;

4) required reliability/availability;
5) required communications interfaces (protocols, transmission speeds);
6) required computational and conversion accuracy;
7) required signal noise rejection capability;
8) required response times;
9) physical size limitations;
10) geographic requirements (for example, length of data transmission lines);
11) required level of spare capacity (if required);
12) environmental withstand qualification requirements;
13) electrical power supply requirements.
d) Any constraints imposed upon the hardware design by the system or software design shall
be stated.
5.3 Reliability/Availability requirements
5.3.1 The hardware reliability/availability requirements shall be consistent with the overall
reliability requirements of the system. They shall include a description of any types of failure
which have to be tolerated without loss, or with a defined limited loss, of function. Hardware
reliability targets should be provided.
NOTE Hardware reliability in this context is concerned with random hardware failures and excludes any
consideration of failures due to logical design errors.
5.3.2 Irrespective of the hardware reliability/availability requirements, the overall I&C
architecture for a NPP shall meet the IAEA NS-G-1.3 single failure criterion (see 3.6).
5.3.3 The hardware requirements should give target figures for the hardware reliability
parameters (such as mean time between failure (revealed), mean time between
failure (unrevealed), mean time to repair (for revealed failures)). Any requirement for reliability
claims to be supported with detailed analysis of the hardware design should be stated, for
example, subunit, card-level or component-level analysis.
5.3.4 The methods which may be used to analyse the reliability and the effects of system
hardware failures include
– FTA, which is concerned with the identification and analysis of conditions and factors
which cause or contribute to the occurrence of a defined undesirable event (see
IEC 61025 for advice concerning this technique);
– FMEA, which identifies failures which have significant consequences affecting the system
performance, for example, reliability, safety, availability (see IEC 60812 for advice
concerning this technique).
Where relevant, a suitable analysis technique shall be applied to Class 1 and Class 2
hardware systems to ensure that any potential hardware failures do not have unacceptable
nucle
...


IEC 60987
Edition 2.1 2013-02
INTERNATIONAL STANDARD
NORME INTERNATIONALE
Nuclear power plants – Instrumentation and control important to safety –
Hardware design requirements for computer-based systems
Centrales nucléaires de puissance – Instrumentation et contrôle-commande
importants pour la sûreté – Exigences applicables à la conception du matériel
des systèmes informatisés
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form
or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from
either IEC or IEC's member National Committee in the country of the requester.
If you have any questions about IEC copyright or have an enquiry about obtaining additional rights to this publication,
please contact the address below or your local IEC member National Committee for further information.

IEC Central Office, 3, rue de Varembé, CH-1211 Geneva 20, Switzerland
Tel.: +41 22 919 02 11
Fax: +41 22 919 03 00
info@iec.ch
www.iec.ch
About the IEC
The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes
International Standards for all electrical, electronic and related technologies.

About IEC publications
The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the
latest edition, a corrigenda or an amendment might have been published.

Useful links:
IEC publications search - www.iec.ch/searchpub: The advanced search enables you to find IEC publications by a variety of criteria (reference number, text, technical committee,…). It also gives information on projects, replaced and withdrawn publications.
Electropedia - www.electropedia.org: The world's leading online dictionary of electronic and electrical terms containing more than 30 000 terms and definitions in English and French, with equivalent terms in additional languages. Also known as the International Electrotechnical Vocabulary (IEV) on-line.
IEC Just Published - webstore.iec.ch/justpublished: Stay up to date on all new IEC publications. Just Published details all new publications released. Available on-line and also once a month by email.
Customer Service Centre - webstore.iec.ch/csc: If you wish to give us your feedback on this publication or need further assistance, please contact the Customer Service Centre: csc@iec.ch.

INTERNATIONAL ELECTROTECHNICAL COMMISSION
COMMISSION ELECTROTECHNIQUE INTERNATIONALE
ICS 27.120.20 ISBN 978-2-8322-0674-4

CONTENTS
FOREWORD 4
INTRODUCTION 6
1 Scope 8
1.1 General 8
1.2 Use of this standard for pre-developed (for example, COTS) hardware assessment 8
1.3 Applicability of this standard to programmable logic devices development 9
2 Normative references 9
3 Terms and definitions 10
4 Project structure 12
4.1 General 12
4.2 Project subdivision 12
4.3 Quality assurance 13
5 Hardware requirements 13
5.1 General 13
5.2 Functional and performance requirements 14
5.3 Reliability/Availability requirements 15
5.4 Environmental withstand requirements 16
5.5 Documentation requirements 17
6 Design and development 17
6.1 General 17
6.2 Design activities 17
6.3 Reliability 18
6.4 Maintenance 19
6.5 Interfaces 19
6.6 Modification 19
6.7 Power failure 19
6.8 Component selection 19
6.9 Design documentation 19
7 Verification and validation 20
7.1 General 20
7.2 Verification plan 20
7.3 Independence of verification 21
7.4 Methods 21
7.5 Documentation 22
7.6 Discrepancies 22
7.7 Changes and modifications 22
7.8 Installation verification 22
7.9 Validation 22
7.10 Verification of pre-existing equipment platforms 22
8 Qualification 23
9 Manufacturing 23
9.1 Quality assurance 23
9.2 Training of personnel 24
9.3 Planning and organisation of the manufacturing activities 24
9.4 Input data 25
9.5 Purchasing and procurement 25
9.6 Production 27
10 Installation and commissioning 29
11 Maintenance 30
11.1 Maintenance requirements 30
11.2 Failure data 31
11.3 Maintenance documentation 32
12 Modification 32
13 Operation 32
Annex A (informative) Overview of system life cycle 33
Annex B (informative) Outline of qualification 34
Annex C (informative) Example of maintenance procedure 35
Bibliography 36

INTERNATIONAL ELECTROTECHNICAL COMMISSION
NUCLEAR POWER PLANTS –
INSTRUMENTATION AND CONTROL
IMPORTANT TO SAFETY –
HARDWARE DESIGN REQUIREMENTS
FOR COMPUTER-BASED SYSTEMS
FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, IEC publishes International Standards, Technical Specifications,
Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC
Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested
in the subject dealt with may participate in this preparatory work. International, governmental and non-
governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely
with the International Organization for Standardization (ISO) in accordance with conditions determined by
agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence
between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in
the latter.
5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity
assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any
services carried out by independent certification bodies.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.

9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of
patent rights. IEC shall not be held responsible for identifying any or all such patent rights.

This consolidated version of IEC 60987 consists of the second edition (2007)
[documents 45A/662/FDIS and 45A/666/RVD] and its amendment 1 (2013) [documents
45A/897/FDIS and 45A/906/RVD]. It bears the edition number 2.1.
The technical content is therefore identical to the base edition and its amendment and
has been prepared for user convenience. A vertical line in the margin shows where the
base publication has been modified by amendment 1. Additions and deletions are
displayed in red, with deletions being struck through.

International Standard IEC 60987 has been prepared by subcommittee 45A: Instrumentation
and control of nuclear facilities, of IEC technical committee 45: Nuclear instrumentation.

This edition includes the following significant technical changes with respect to the previous
edition:
• account has been taken of the fact that computer design engineering techniques have
advanced significantly in the intervening years;
• update of the format to align with the current IEC/ISO directives on the style of standards;
• alignment of the standard with the new revisions of IAEA documents NS-R-1 and NS-G-1.3,
which includes as far as possible an adaptation of the definitions;
• replacement, as far as possible, of the requirements associated with standards published
since the first edition, especially IEC 61513, IEC 60880, edition 2, and IEC 62138;
• review of the existing requirements and updating of the terminology and definitions.
This publication has been drafted in accordance with the ISO/IEC Directives, Part 2.
The committee has decided that the contents of the base publication and its amendments will
remain unchanged until the stability date indicated on the IEC web site under
"http://webstore.iec.ch" in the data related to the specific publication. At this date, the
publication will be
• reconfirmed,
• withdrawn,
• replaced by a revised edition, or
• amended.
IMPORTANT – The “colour inside” logo on the cover page of this publication indicates
that it contains colours which are considered to be useful for the correct understanding
of its contents. Users should therefore print this publication using a colour printer.

INTRODUCTION
a) Technical background, main issues and organization of the standard
The basic principles for the design of nuclear instrumentation, as specifically applied to the
safety systems of nuclear power plants, were first interpreted in nuclear standards with
reference to hardwired systems in IAEA Safety Guide 50-SG-D3, which has been superseded
by IAEA Guide NS-G-1.3.
IEC 60987 was first issued in 1989 to cover the hardware aspects of digital systems design
for systems important to safety, i.e. safety systems and safety-related systems.
Although many of the requirements within the original issue continue to be relevant, there
were significant factors which justified the development of this revised edition of IEC 60987, in
particular:
– a new standard has been produced which addresses in detail the general requirements for
nuclear systems important to safety (IEC 61513);
– the use of pre-developed system platforms, rather than bespoke developments, has
increased significantly.
b) Situation of the current standard in the structure of the IEC SC 45A standard series
The first-level IEC SC 45A standard for computer-based systems important to safety in
nuclear power plants (NPPs) is IEC 61513. IEC 60987 is a second-level IEC SC 45A standard
which addresses the generic issue of hardware design of computerized systems.
IEC 60880 and IEC 62138 are second-level standards which together cover the software
aspects of computer-based systems used to perform functions important to safety in NPPs.
IEC 60880 and IEC 62138 make direct reference to IEC 60987 for hardware design.
The requirements of IEC 60780 for equipment qualification are referenced within IEC 60987.
For modules to be used in the design of a specific system important to safety, relevant and
auditable operating experience from nuclear or other applications as described in IEC 60780,
in combination with the application of rigorous quality assurance programmes, may be an
acceptable method of qualification.
For more details on the structure of the SC 45A standard series, see item d) of this
introduction.
c) Recommendations and limitations regarding the application of the standard
It is important to note that this standard establishes no additional functional requirements for
Class 1 or Class 2 systems (see IEC 61513 for system classification requirements).
Aspects for which special recommendations have been produced (so as to assure the
production of highly reliable systems) are:
– a general approach to computing hardware development;
– a general approach to hardware verification and to the hardware aspects of computer
system validation.
It is recognized that computer technology is continuing to develop and that it is not possible
for a standard such as this to include references to all modern design technologies and
techniques. To ensure that the standard will continue to be relevant in future years the
emphasis has been placed on issues of principle, rather than specific hardware design
technologies. If new design techniques are developed then it should be possible to assess the
suitability of such techniques by adapting and applying the design principles contained within
this standard.
The scope of this standard covers digital systems hardware for Class 1 and Class 2 systems.
This includes multiprocessor distributed systems and single processor systems; it covers the
assessment and use of pre-developed items, for example, commercial off-the-shelf items
(COTS), and the development of new hardware.
d) Description of the structure of the SC 45A standard series and relationships with
other IEC, IAEA and ISO documents
The top-level document of the IEC SC 45A standard series is IEC 61513. It provides general
requirements for I&C systems and equipment that are used to perform functions important to
safety in NPPs. IEC 61513 structures the IEC SC 45A standard series.
IEC 61513 refers directly to other IEC SC 45A standards for general topics related to
categorization of functions and classification of systems, qualification, separation of systems,
defence against common-cause failure, software aspects of computer-based systems,
hardware aspects of computer-based systems, and control room design. The standards
referenced directly at this second level should be considered together with IEC 61513 as a
consistent document set.
At a third level, IEC SC 45A standards not referenced directly by IEC 61513 are standards
related to specific equipment, technical methods, or specific activities. Usually these
documents, which make reference to second-level documents for general topics, can be used
on their own.
A fourth level extending the IEC SC 45A standard series, corresponds to technical reports
which are not normative documents.
IEC 61513 has adopted a presentation format similar to the basic safety publication
IEC 61508 with an overall safety life-cycle framework and a system life-cycle framework and
provides an interpretation of the general requirements of IEC 61508-1, IEC 61508-2 and
IEC 61508-4, for the nuclear application sector. Compliance with IEC 61513 will facilitate
consistency with the requirements of IEC 61508 as they have been interpreted for the nuclear
industry. In this framework, IEC 60880 and IEC 62138 correspond to IEC 61508-3 for the
nuclear application sector.
IEC 61513 refers to ISO 9001 as well as to IAEA 50-C-QA (now replaced by IAEA 50-C/SG-Q)
for topics related to quality assurance (QA).
The IEC SC 45A standards series consistently implements and details the principles and
basic safety aspects provided in the IAEA Code on the safety of NPPs and in the IAEA safety
series, in particular the requirements of NS-R-1, establishing safety requirements related to
the design of NPPs, and Safety Guide NS-G-1.3 dealing with instrumentation and control
systems important to safety in NPPs. The terminology and definitions used by SC 45A
standards are consistent with those used by the IAEA.

1 Scope
1.1 General
This International Standard is applicable to NPP computer-system hardware for systems of
Class 1 and 2 (as defined by IEC 61513).
The structure of this standard has not changed significantly from the original 1989 issue;
however, some issues are now covered by standards which have been issued in the interim
(for example, IEC 61513 for system architecture design) and references to new standards
have been provided where applicable. The text of the standard has also been modified to
reflect developments in computer system hardware design, the use of pre-developed (for
example, COTS) hardware and changes in terminology.
Computer hardware facilities used for software loading and checking are not considered to
form an intrinsic part of a system important to safety and, as such, are outside the scope of
this standard.
NOTE 1 Class 3 computer-system hardware is not addressed by this standard, and it is recommended that such
systems should be developed to commercial grade standards.
NOTE 2 In 2006 the development of a new standard to address hardware requirements for “very complex”
hardware was discussed within IEC SC 45A. If such a standard is developed then that standard would be used for
the development of “very complex” hardware in preference to IEC 60987.
1.2 Use of this standard for pre-developed (for example, COTS) hardware assessment
Although the primary aim of this standard is to address aspects of new hardware
development, the processes defined within this standard may also be used to guide the
assessment and use of pre-developed hardware, such as COTS hardware. Guidance has
been provided in the text concerning the interpretation of the requirements of this standard
when used for the assessment of such components. In particular, the quality assurance
requirements of 4.3, concerning configuration control, apply.

Pre-developed components may contain firmware (as defined in 3.8), and, where firmware
software is deeply embedded, and effectively “transparent” to the user, then IEC 60987 should
be used to guide the assessment process for such components. An example of where this
approach is considered appropriate is in the assessment of modern processors which contain
a microcode. Such a code is generally an integral part of the “hardware”, and it is therefore
appropriate for the processor (including the microcode) to be assessed as an integrated
hardware component using this standard.
Software which is not firmware, as described above, should be developed or assessed
according to the requirements of the relevant software standard (for example, IEC 60880 for
Class 1 systems and IEC 62138 for Class 2 systems).

1.3 Applicability of this standard to programmable logic devices development
I&C components may include programmable logic devices that are given their specific
application logic design by the designer of the I&C component, as opposed to the chip
manufacturer. Examples of such devices include complex programmable logic devices (CPLD)
and field programmable gate arrays (FPGA).
While the programmable nature of these devices gives the development processes used for
them some of the characteristics of a software development process, the design processes
used for such devices are very similar to those used to design logic circuits implemented with
discrete gates and integrated circuit packages. Therefore, the design processes and design
verification applied to programmable logic devices should comply with the relevant
requirements of this standard (i.e. taking into account the particular features of the design
processes of such devices). To the extent that software-based tools are used to support the
design processes for programmable logic devices, those software tools should generally follow
the guidance provided for software-based development tools in the appropriate software
standard, i.e. IEC 60880 (Class 1 systems) or IEC 62138 (Class 2 systems).
2 Normative references
The following referenced documents are indispensable for the application of this document.
For dated references, only the edition cited applies. For undated references, the latest edition
of the referenced document (including any amendments) applies.
IEC 60780, Nuclear power plants – Electrical equipment of the safety system – Qualification
IEC 60812, Analysis techniques for system reliability – Procedures for failure mode and
effects analysis (FMEA)
IEC 60880, Nuclear power plants – Instrumentation and control systems important to safety –
Software aspects for computer-based systems performing category A functions
IEC 61000 (all parts), Electromagnetic compatibility (EMC)
IEC 61025, Fault tree analysis (FTA)
IEC 61513:2001, Nuclear power plants – Instrumentation and control for systems important to
safety – General requirements for systems

IEC 62138, Nuclear power plants – Instrumentation and control important for safety –
Software aspects for computer-based systems performing category B or C functions
IEC 62671, Nuclear power plants − Instrumentation and control important to safety – Selection
and use of industrial digital devices of limited functionality
ISO 2768-1, General tolerances − Part 1: Tolerances for linear and angular dimensions
without individual tolerance indications
ISO 2768-2, General tolerances − Part 2: Geometrical tolerances for features without
individual tolerance indications
ISO 3951-1, Sampling procedures for inspection by variables − Part 1: Specification for single
sampling plans indexed by acceptance quality limit (AQL) for lot-by-lot inspection for a single
quality characteristic and a single AQL

– 10 – 60987  IEC:2007+A1:2013

ISO 3951-2, Sampling procedures for inspection by variables − Part 2: General specification
for single sampling plans indexed by acceptance quality limit (AQL) for lot-by-lot inspection of
independent quality characteristics
ISO 9001, Quality management systems – Requirements
IAEA NS-G 1.3, Instrumentation and control systems important to safety in nuclear power
plants
IAEA 50-C/SG-Q:1996, Quality assurance for safety in nuclear power plants and other nuclear
installations
3 Terms and definitions
For the purposes of this document, the terms and definitions given in IEC 61513, as well as
the following, apply.
3.1
ATE
automated test equipment
3.2
COTS
commercial off the shelf; COTS is a subset of pre-developed products
3.3
diversity
existence of two or more different ways or means of achieving a specified objective. Diversity
is specifically provided as a defence against common cause failure. It may be achieved by
providing systems that are physically different from each other or by functional diversity,
where similar systems achieve the specified objective in different ways
[IEC 60880:2006, definition 3.14]
NOTE This definition is wider than that used by the IAEA NS-G-1.3 which is as follows: “The presence of two or
more systems or components to carry out an identified function, where the different systems or components have
different attributes so as to reduce the possibility of common mode failure”. [IEC 61226:2005, definition 3.5]
3.4
firmware
software which is closely coupled to the hardware characteristics on which it is installed. The
presence of firmware is generally “transparent” to the user of the hardware component and,
as such, may be considered to be effectively an integral part of the hardware design (a good
example of such software being processor microcode). Generally, firmware may only be
modified by a user by replacing the hardware components (for example, processor chip, card,
EPROM) which contain this software with components which contain modified software
(firmware). Where this is the case, configuration control of the hardware components by the
users of the equipment effectively provides configuration control of the firmware. Firmware, as
considered by this standard, is effectively software that is built into the hardware
3.5
FMEA
failure modes and effects analysis
3.6
FTA
fault tree analysis
3.7
NPP
nuclear power plant
3.8
pre-developed
item which already exists, is available as a commercial or proprietary product, and is being
considered for use in a computer-based system
NOTE This definition is consistent with the definition of pre-developed software provided by IEC 61513:2001.
3.9
qualified life
period for which a structure, system or component has been demonstrated, through testing,
analysis or experience, to be capable of functioning within acceptance criteria during specific
operating conditions while retaining the ability to perform its safety functions in a design basis
accident or earthquake
[IAEA Safety Glossary:2006]
3.10
revealed hardware failure
a hardware failure which is detected automatically and reported, for example, a board failure
where a watchdog circuit automatically detects the failure and raises an alarm
3.11
safety-related system
system important to safety that is not part of a safety system
[IAEA Safety Glossary:2006]
3.12
safety system
system important to safety, provided to ensure the safe shutdown of the reactor or the
residual heat removal from the core, or to limit the consequences of anticipated operational
occurrences and design basis accidents
[IAEA Safety Glossary:2006]
3.13
single failure
failure which results in the loss of capability of a system or component to perform its intended
safety function(s), and any consequential failure(s) which result from it

[IAEA Safety Glossary:2006]
3.14
single failure criterion (SFC)
criterion (or requirement) applied to a system such that it is capable of performing its safety
task in the presence of any single failure
[IAEA Safety Glossary:2006]
3.15
systems important to safety
system that is part of a safety group and/or whose malfunction or failure could lead to
radiation exposure of the site personnel or members of the public
[IAEA Safety Glossary:2006]
3.16
system validation
confirmation by examination and provision of other evidence that a system fulfils in its entirety
the requirement specification as intended (functionality, response time, fault tolerance,
robustness)
[IEC 60880:2006, definition 3.42]
3.17
unrevealed hardware failure
hardware failure which is not detected by a system automatically and which only becomes
apparent when an attempt is made to use a function which depends upon the failed hardware.
Such failures may be discovered by functional testing or when an operational demand is
placed upon the system
3.18
verification
confirmation by examination and by provision of objective evidence that the results of an
activity meet the objectives and requirements defined for this activity (ISO 12207)
[IEC 62138:2004, definition 3.35]
4 Project structure
4.1 General
A project established to produce a computer-based system important to safety should be
divided up into a number of phases. Each phase should be to some extent self-contained but
will depend on other phases for input and will, in turn, provide outputs for other phases. The
various project phases together are considered to form the overall safety life cycle (see
IEC 61513, Clause 5, which provides requirements for system life cycles). IEC 61513 allows
project phases to be performed in parallel providing the integrity of the development process
is not compromised.
A quality assurance plan shall be applied to the hardware production process.
4.2 Project subdivision
The following general requirements define the hardware development life-cycle requirements
for computer-based systems within the scope of this standard.
a) The hardware development life cycle shall be compatible with the whole system life cycle
(Annex A).
b) Each sub-phase of the hardware development life cycle shall consist of well-defined and
documented activities.
c) Pre-existing hardware products (for example, COTS) to be included in the design shall be
checked, verified and tested as appropriate before use.
d) Adequate means (i.e. spare parts, devices for test and maintenance, etc.) and
accommodation (i.e. laboratories, workshops, space, etc.) shall be provided to carry out
the tasks associated with each development phase.
e) Each development phase shall include the production of appropriate documentation.
f) Each development phase shall be concluded by performing verification (see Clause 7).
g) Every verification activity shall result in auditable records documenting the conclusions
reached and any design changes resulting from the verification performed.
h) All work activities shall be scheduled to ensure that adequate time is allowed for the following:
1) the resolution of any interactions between the hardware and software development
phases required to ensure system hardware/software compatibility;
2) the production of documentation, and the performance of testing, verification and
quality assurance activities.
4.3 Quality assurance
The design and development process shall meet the relevant requirements of IAEA 50-C/SG-Q
(compliance with ISO 9001 is one acceptable method of meeting these requirements). A
hardware quality assurance plan shall exist either as a separate document (or documents) or
as part of an overall quality assurance plan. The plan shall address the use of pre-existing
hardware and the development of hardware as required. All hardware quality-related activities
to be performed by the plant operator, owner, contractors and subcontractors as part of the
hardware development process should be included in the quality assurance plan.
4.3.1 The plan should address the following phases, as they are applicable to any particular
system or development:
a) design and development;
b) procurement;
c) manufacturing;
d) construction and commissioning;
e) operation and maintenance.
4.3.2 It is not a requirement that all the phases listed above be addressed before the design
process begins, but, before each phase is initiated, a plan addressing the requirements of that
phase shall be in place.
4.3.3 The quality assurance plan(s) should describe the organization, management and
execution of quality related activities, including, as relevant:
a) documentation configuration control;
b) the design process;
c) the procurement process for goods and services;
d) configuration control of build instructions, build procedures and drawings;
e) configuration control of materials and items to be used to build the system hardware;
f) quality control activities, such as formal inspections;
g) control of test equipment;
h) control of hardware handling/storage/shipping;
i) the testing process;
j) monitoring of nonconformances raised and the implementation of corrective actions;
k) the procedure for storing quality assurance records;
l) the procedure for internal audits.
5 Hardware requirements
5.1 General
5.1.1 The hardware requirements shall be consistent with the requirements of the system
and form part of the computer-system specification (see IEC 61513:2001, Clause 6). The
computer-system specification is a description of the combined hardware/software system and
states the design objectives for the system and the functions to be performed by the computer
system (systems may be developed for a particular application or may be developed
generically, i.e. platform development, in which case development is based upon derived
generic system requirements).
5.1.2 The hardware requirements shall be specified in the system hardware requirements
specification, or in some other suitable document.
5.1.3 Hardware requirements shall be presented according to a technique or method whose
format shall not preclude readability, i.e. the hardware requirements should not be difficult to
understand.
5.1.4 Functional hardware requirements shall be unambiguous, testable and/or verifiable
and achievable.
5.1.5 The hardware requirements specification should give an overview of hardware
requirements, identify the hardware functions important to nuclear safety (however, if these
are provided in combination with the system software they should be defined in the system
requirements specification), identify the hardware design requirements, state hardware
reliability requirements, and state the hardware environmental withstand requirements.
5.1.6 The hardware requirements for computer systems may include requirements which are
applicable to hardware in general as well as requirements which are particular to computer
system hardware (for example, cabling, surface preparation of enclosures).
5.1.7 The hardware functional requirements should generally describe what has to be done
and not how it has to be done. However, the use of pre-existing components/platforms may
result in a degree of bottom-up hardware design. Before such pre-existing components are
selected for use, an assessment shall be performed to confirm that the hardware performance
characteristics (for example, failure modes) are consistent with system requirements. If any
anomalies are found then these shall be reconciled, either by modifying the hardware design
or the system design (while ensuring that system nuclear safety requirements are not
compromised).
5.2 Functional and performance requirements
5.2.1 The hardware functional and performance requirements shall be consistent with the
functional and performance requirements of the system important to safety.
5.2.2 The hardware functional and performance requirements, combined with the software
requirements (to the extent necessary to address all hardware requirements), shall be verified
for compliance with the system requirements.
5.2.3 All parts of the system, down to the component level, which contain software shall be
assessed as described in 1.2 of this standard.
a) The hardware functional requirements shall include, but are not restricted to, the definition
of
1) the purpose of the overall computer system hardware and of each hardware sub-
system;
2) the numbers and types of sensors and actuators to be connected to the computer
system;
3) the numbers and types of devices for the man/machine interface such as displays,
printers and keyboards.
b) Each component or subsystem delivered by a supplier, and which
...
