
BRITISH STANDARD
BS IEC 60987:2007

Nuclear power plants - Instrumentation and control important to safety - Hardware design requirements for computer-based systems

ICS 27.120.20

Licensed Copy: London South Bank University, London South Bank University, Fri Oct 05 02:31:39 GMT+00:00 2007, Uncontrolled Copy, (c) BSI

This British Standard was published under the authority of the Standards Policy and Strategy Committee on 28 September 2007
(c) BSI 2007
ISBN 978 0 580 55469 8

National foreword

This British Standard is the UK implementation of IEC 60987:2007. The UK participation in its preparation was entrusted to Technical Committee NCE/8, Reactor instrumentation. A list of organizations represented on this committee can be obtained on request to its secretary.

This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.

Compliance with a British Standard cannot confer immunity from legal obligations.

Amendments issued since publication
Amd. No.  Date  Comments

IEC 60987
Edition 2.0  2007-08
INTERNATIONAL STANDARD

Nuclear power plants - Instrumentation and control important to safety - Hardware design requirements for computer-based systems

IEC 60987:2007

CONTENTS

INTRODUCTION
1 Scope
1.1 General
1.2 Use of this standard for pre-developed (for example, COTS) hardware assessment
1.3 Applicability of this standard to programmable logic devices development
2 Normative references
3 Terms and definitions
4 Project structure
4.1 General
4.2 Project subdivision
4.3 Quality assurance
5 Hardware requirements
5.1 General
5.2 Functional and performance requirements
5.3 Reliability/Availability requirements
5.4 Environmental withstand requirements
5.5 Documentation requirements
6 Design and development
6.1 General
6.2 Design activities
6.3 Reliability
6.4 Maintenance
6.5 Interfaces
6.6 Modification
6.7 Power failure
6.8 Component selection
6.9 Design documentation
7 Verification and validation
7.1 General
7.2 Verification plan
7.3 Independence of verification
7.4 Methods
7.5 Documentation
7.6 Discrepancies
7.7 Changes and modifications
7.8 Installation verification
7.9 Validation
7.10 Verification of pre-existing equipment platforms
8 Qualification
9 Manufacture
10 Installation and commissioning
11 Maintenance
11.1 Maintenance requirements
11.2 Failure data
11.3 Maintenance documentation
12 Modification
13 Operation
Annex A (informative) Overview of system life cycle
Annex B (informative) Outline of qualification
Annex C (informative) Example of maintenance procedure
Bibliography

INTRODUCTION

a) Technical background, main issues and organization of the standard

The basic principles for the design of nuclear instrumentation, as specifically applied to the safety systems of nuclear power plants, were first interpreted in nuclear standards with reference to hardwired systems in IAEA Safety Guide 50-SG-D3, which has been superseded by IAEA Guide NS-G-1.3. IEC 60987 was first issued in 1989 to cover the hardware aspects of digital systems design for systems important to safety, i.e. safety systems and safety-related systems. Although many of the requirements within the original issue continue to be relevant, there were significant factors which justified the development of this revised edition of IEC 60987, in particular:

- a new standard has been produced which addresses in detail the general requirements for nuclear systems important to safety (IEC 61513);
- the use of pre-developed system platforms, rather than bespoke developments, has increased significantly.

b) Situation of the current standard in the structure of the IEC SC 45A standard series

The first-level IEC SC 45A standard for computer-based systems important to safety in nuclear power plants (NPPs) is IEC 61513. IEC 60987 is a second-level IEC SC 45A standard which addresses the generic issue of hardware design of computerized systems. IEC 60880 and IEC 62138 are second-level standards which together cover the software aspects of computer-based systems used to perform functions important to safety in NPPs. IEC 60880 and IEC 62138 make direct reference to IEC 60987 for hardware design.

The requirements of IEC 60780 for equipment qualification are referenced within IEC 60987. For modules to be used in the design of a specific system important to safety, relevant and auditable operating experience from nuclear or other applications as described in IEC 60780, in combination with the application of rigorous quality assurance programmes, may be an acceptable method of qualification.

For more details on the structure of the SC 45A standard series, see item d) of this introduction.

c) Recommendations and limitations regarding the application of the standard

It is important to note that this standard establishes no additional functional requirements for Class 1 or Class 2 systems (see IEC 61513 for system classification requirements). Aspects for which special recommendations have been produced (so as to assure the production of highly reliable systems) are:

- a general approach to computing hardware development;
- a general approach to hardware verification and to the hardware aspects of computer system validation.

It is recognized that computer technology is continuing to develop and that it is not possible for a standard such as this to include references to all modern design technologies and techniques. To ensure that the standard will continue to be relevant in future years, the emphasis has been placed on issues of principle rather than on specific hardware design technologies. If new design techniques are developed, it should be possible to assess the suitability of such techniques by adapting and applying the design principles contained within this standard.

The scope of this standard covers digital systems hardware for Class 1 and Class 2 systems. This includes multiprocessor distributed systems and single processor systems; it covers the assessment and use of pre-developed items, for example commercial off-the-shelf items (COTS), and the development of new hardware.

d) Description of the structure of the SC 45A standard series and relationships with other IEC, IAEA and ISO documents

The top-level document of the IEC SC 45A standard series is IEC 61513. It provides general requirements for

1 Scope

1.1 General

however, some issues are now covered by standards which have been issued in the interim (for example, IEC 61513 for system architecture design) and references to new standards have been provided where applicable. The text of the standard has also been modified to reflect developments in computer system hardware design, the use of pre-developed (for example, COTS) hardware and changes in terminology.

Computer hardware facilities used for software loading and checking are not considered to form an intrinsic part of a system important to safety and, as such, are outside the scope of this standard.

NOTE 1 Class 3 computer-system hardware is not addressed by this standard, and it is recommended that such systems should be developed to commercial grade standards.

NOTE 2 In 2006 the development of a new standard to address hardware requirements for "very complex" hardware was discussed within IEC SC 45A. If such a standard is developed, then that standard would be used for the development of "very complex" hardware in preference to IEC 60987.

1.2 Use of this standard for pre-developed (for example, COTS) hardware assessment

Although the primary aim of this standard is to address aspects of new hardware development, the processes defined within this standard may also be used to guide the assessment and use of pre-developed hardware, such as COTS hardware. Guidance has been provided in the text concerning the interpretation of the requirements of this standard when used for the assessment of such components. In particular, the quality assurance requirements of 4.3, concerning configuration control, apply.

Pre-developed components may contain firmware (as defined in 3.4), and, where firmware is deeply embedded and effectively "transparent" to the user, IEC 60987 should be used to guide the assessment process for such components. An example of where this approach is considered appropriate is in the assessment of modern processors which contain microcode. Such code is generally an integral part of the "hardware", and it is therefore appropriate for the processor (including the microcode) to be assessed as an integrated hardware component using this standard. Software which is not firmware, as described above, should be developed or assessed according to the requirements of the relevant software standard (for example, IEC 60880 for Class 1 systems and IEC 62138 for Class 2 systems).

1.3 Applicability of this standard to programmable logic devices development

3 Terms and definitions

COTS is a subset of pre-developed products

3.3 diversity
existence of two or more different ways or means of achieving a specified objective. Diversity is specifically provided as a defence against common cause failure. It may be achieved by providing systems that are physically different from each other or by functional diversity, where similar systems achieve the specified objective in different ways
[IEC 60880:2006, definition 3.14]
NOTE This definition is wider than that used by the IAEA NS-G-1.3, which is as follows: "The presence of two or more systems or components to carry out an identified function, where the different systems or components have different attributes so as to reduce the possibility of common mode failure". [IEC 61226:2005, definition 3.5]

3.4 firmware
software which is closely coupled to the hardware characteristics on which it is installed. The presence of firmware is generally "transparent" to the user of the hardware component and, as such, may be considered to be effectively an integral part of the hardware design (a good example of such software being processor microcode). Generally, firmware may only be modified by a user by replacing the hardware components (for example, processor chip, card, EPROM) which contain this software with components which contain modified software (firmware). Where this is the case, configuration control of the hardware components by the users of the equipment effectively provides configuration control of the firmware. Firmware, as considered by this standard, is effectively software that is built in to the hardware

3.5 FMEA
failure modes and effects analysis

3.6 FTA
fault tree analysis

3.7 NPP
nuclear power plant

3.8 pre-developed
item which already exists, is available as a commercial or proprietary product, and is being considered for use in a computer-based system
NOTE This definition is consistent with the definition of pre-developed software provided by IEC 61513:2001.

3.9 qualified life
period for which a structure, system or component has been demonstrated, through testing, analysis or experience, to be capable of functioning within acceptance criteria during specific operating conditions while retaining the ability to perform its safety functions in a design basis accident or earthquake
[IAEA Safety Glossary:2006]

3.10 revealed hardware failure
hardware failure which is detected automatically and reported, for example, a board failure where a watchdog circuit automatically detects the failure and raises an alarm

3.11 safety-related system
system important to safety that is not part of a safety system
[IAEA Safety Glossary:2006]

3.12 safety system
system important to safety, provided to ensure the safe shutdown of the reactor or the residual heat removal from the core, or to limit the consequences of anticipated operational occurrences and design basis accidents
[IAEA Safety Glossary:2006]

3.13 single failure
failure which results in the loss of capability of a system or component to perform its intended safety function(s), and any consequential failure(s) which result from it
[IAEA Safety Glossary:2006]

3.14 single failure criterion (SFC)
criterion (or requirement) applied to a system such that it is capable of performing its safety task in the presence of any single failure
[IAEA Safety Glossary:2006]

3.15 systems important to safety
system that is part of a safety group and/or whose malfunction or failure could lead to radiation exposure of the site personnel or members of the public
[IAEA Safety Glossary:2006]

3.16 system validation
confirmation by examination and provision of other evidence that a system fulfils in its entirety the requirement specification as intended (functionality, response time, fault tolerance, robustness)
[IEC 60880:2006, definition 3.42]

3.17 unrevealed hardware failure
hardware failure which is not detected by a system automatically and which only becomes apparent when an attempt is made to use a function which depends upon the failed hardware. Such failures may be discovered by functional testing or when an operational demand is placed upon the system

3.18 verification
confirmation by examination and by provision of objective evidence that the results of an activity meet the objectives and requirements defined for this activity (ISO 12207)
[IEC 62138:2004, definition 3.35]

4 Project structure

4.1 General

A project established to produce a computer-based system important to safety should be divided up into a number of phases. Each phase should be to some extent self-contained but will depend on other phases for input and will, in turn, provide outputs for other phases. The var
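The following is an added example, not text or code from IEC 60987 or from BSI. Clause 1.2 says that the configuration-control requirements apply to pre-developed hardware, and definition 3.4 gives the reason a hardware inventory can stand in for firmware configuration control: a user normally changes firmware only by swapping the chip, card or EPROM that holds it. The script below models a controlled baseline of one component per slot (part number, hardware revision and a digest of the firmware image read back from the component) and compares an as-built inventory against it. The slot names, part numbers and firmware image bytes are constructed for the example; nothing here is a real product identifier.

```python
"""Added example, not text from IEC 60987: a configuration-control check for
pre-developed hardware that carries firmware (clauses 1.2 and 3.4).

Clause 3.4 argues that a user normally changes firmware only by swapping the
component that holds it, so configuration control of the hardware components
gives configuration control of the firmware. The check below records, per
slot, the expected part number, hardware revision and a digest of the
firmware image read back from the component, and compares an as-built
inventory against that baseline. Slots, part numbers and firmware images are
constructed for the example.
"""
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class Component:
    slot: str          # physical position, e.g. "rack1/slot3" (constructed)
    part_number: str   # manufacturer part number (constructed)
    hw_revision: str   # hardware revision marked on the component
    fw_digest: str     # SHA-256 of the firmware image read back from it


def firmware_digest(image: bytes) -> str:
    """Digest of a firmware image as read back (EPROM dump, flash read)."""
    return hashlib.sha256(image).hexdigest()


def build_baseline(items):
    """Controlled baseline: exactly one expected component per slot."""
    baseline = {}
    for c in items:
        if c.slot in baseline:
            raise ValueError(f"duplicate slot in baseline: {c.slot}")
        baseline[c.slot] = c
    return baseline


def check_configuration(baseline, as_built):
    """Compare an as-built inventory against the baseline.

    Returns a sorted list of (slot, kind, detail) discrepancies; kind is one of
    missing, unexpected, duplicate, hardware-mismatch, firmware-mismatch.
    A component whose part number and revision match but whose firmware digest
    does not is the case clause 3.4 does not anticipate (firmware re-flashed in
    place), so it is reported separately from a hardware swap.
    """
    findings = []
    seen = {}
    for c in as_built:
        if c.slot in seen:
            findings.append((c.slot, "duplicate", f"second record for slot, part {c.part_number}"))
            continue
        seen[c.slot] = c
    for slot, expected in baseline.items():
        actual = seen.get(slot)
        if actual is None:
            findings.append((slot, "missing",
                             f"expected {expected.part_number} rev {expected.hw_revision}"))
            continue
        if (actual.part_number, actual.hw_revision) != (expected.part_number, expected.hw_revision):
            findings.append((slot, "hardware-mismatch",
                             f"expected {expected.part_number} rev {expected.hw_revision}, "
                             f"found {actual.part_number} rev {actual.hw_revision}"))
        elif actual.fw_digest != expected.fw_digest:
            findings.append((slot, "firmware-mismatch",
                             f"part {actual.part_number} rev {actual.hw_revision}, "
                             f"firmware {actual.fw_digest[:12]} != baseline {expected.fw_digest[:12]}"))
    for slot, c in seen.items():
        if slot not in baseline:
            findings.append((slot, "unexpected", f"{c.part_number} rev {c.hw_revision} not in baseline"))
    return sorted(findings)


def demo():
    """Constructed inventory: four baseline slots, one re-flash, one swap,
    one removal and one card that was never in the baseline."""
    fw_cpu_v1 = b"CPU-CARD firmware 1.0 (constructed image)"
    fw_cpu_v2 = b"CPU-CARD firmware 1.1 (constructed image)"
    fw_io_v1 = b"IO-CARD firmware 3.2 (constructed image)"
    baseline = build_baseline([
        Component("rack1/slot1", "CPU-100", "B", firmware_digest(fw_cpu_v1)),
        Component("rack1/slot2", "CPU-100", "B", firmware_digest(fw_cpu_v1)),
        Component("rack1/slot3", "IO-200", "A", firmware_digest(fw_io_v1)),
        Component("rack1/slot4", "IO-200", "A", firmware_digest(fw_io_v1)),
    ])
    as_built = [
        Component("rack1/slot1", "CPU-100", "B", firmware_digest(fw_cpu_v1)),  # unchanged
        Component("rack1/slot2", "CPU-100", "B", firmware_digest(fw_cpu_v2)),  # re-flashed in place
        Component("rack1/slot3", "IO-200", "C", firmware_digest(fw_io_v1)),    # swapped for later revision
        # rack1/slot4 has been removed
        Component("rack1/slot5", "IO-200", "A", firmware_digest(fw_io_v1)),    # not in baseline
    ]
    return check_configuration(baseline, as_built)


if __name__ == "__main__":
    for slot, kind, detail in demo():
        print(f"{slot}: {kind}: {detail}")
```

The digest must come from the image actually read back from the component, not from a label or a vendor-supplied checksum: a part number and revision that match the baseline prove only that the right kind of hardware is fitted, and the "firmware-mismatch" case is exactly the situation in which the clause 3.4 assumption (firmware changes only with a hardware swap) no longer holds, for example on field-updatable flash. Treating that finding as a configuration discrepancy under 4.3, rather than as a maintenance detail, keeps the hardware record and the firmware it carries under one control.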
