IEC TR 63084, Edition 1.0, 2017-06, TECHNICAL REPORT. Nuclear power plants – Instrumentation and control important to safety – Platform qualification for systems important to safety (IEC TR 63084:2017-06(en)).

International Electrotechnical Commission, ICS 27.120.20, ISBN 978-2-8322-4316-9.

Copyright © IEC, Geneva, Switzerland. All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either IEC or IEC's member National Committee in the country of the requester.

Warning!
Make sure that you obtained this publication from an authorized distributor.

CONTENTS

FOREWORD
INTRODUCTION
1 Scope
  1.1 General
  1.2 Framework
Normative references
Terms and definitions
Abbreviated terms
I&C platform versus I&C system
  General – Structure of the platform qualification
  I&C platform as an object of qualification – Conceptual design
  Documentation of the I&C platform
Platform qualification
  Organisation of the qualification
    General
    Parties involved
    Scope of the qualification
      Hardware modules
      Operational system software
      Application software
      Tools
      Integration to a representative system
  Methods of qualification
    General
    Type testing
    Operating experience
    Analyses
  Documentation of qualification results
  Maintenance of qualification
Dependency on the platform through life-cycle of the I&C system
  General
  Models of cooperation between the parties of the I&C system project
  Platform environment for implementation of applications
  Platform supported procedures for I&C system implementation
    Tool-based implementation – Kind of tools required
    Application software development
    I&C system integration, validation and commissioning
Conclusions
Annex A (informative) Issues of the Finnish licensing approach
Annex B (informative) Review of Areva's TELEPERM XS platform qualification
Annex C (informative) Review of Westinghouse ALS platform qualification
  General
  Introduction and ALS background
  Westinghouse's life cycle management process
  Standards, guidelines and regulatory compliance
  Equipment qualification
    Environmental qualification
    Seismic qualification
    EMC qualification
    Fault/isolation qualification
  Software qualification
  Regulatory compliance
  Review by NRC
    Review of equipment qualification
    Review of regulatory compliance
    NRC conclusion
Annex D (informative) Review of CTEC's FirmSys platform qualification
  D.1 General
  D.2 IV&V procedure
  D.3 Assessment criteria
  D.4 Assessment scope
Annex E (informative) Review of SOOSAN ENS's POSAFE-Q platform qualification
  E.1 Presentation of POSAFE-Q PLC
  E.2 Equipment qualification
  E.3 Software verification and validation
  E.4 Reliability analysis
  E.5 Regulatory compliance
Annex F (informative) Review of Rolls-Royce's Spinline platform type approval
  F.1 Overview
  F.2 Type approval
  F.3 Type approval process
Bibliography

Figures: Platform and application development process; General overview of a typical qualification process; Process for maintaining the platform qualification; Life cycle procedures/tasks of the I&C system implementation; Application development based on the project library (V for vendor, O for owner); Figure B – Software type test procedure.
Tables: Table D – Standards applied; Table F – International IEC standards applied for the assessment.

FOREWORD

1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising all national electrotechnical committees (IEC National Committees). The object of IEC is to promote international co-operation on all questions concerning standardization in the electrical and electronic fields. To this end and in addition to other activities, IEC publishes International Standards, Technical Specifications, Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as "IEC Publication(s)"). Their preparation is entrusted to technical committees; any IEC National Committee interested in the subject dealt with may participate in this preparatory work. International, governmental and non-governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely with the International Organization for Standardization (ISO) in accordance with conditions determined by agreement between the two organizations.

2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international consensus of opinion on the relevant subjects since each technical committee has representation from all interested IEC National Committees.

3) IEC Publications have the form of recommendations for international use and are accepted by IEC National Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any misinterpretation by any end user.

4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications transparently to the maximum extent possible in their national and regional publications. Any divergence between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in the latter.

5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any services carried out by independent certification bodies.

6) All users should ensure that they have the latest edition of this publication.

7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and members of its technical committees and IEC National Committees for any personal injury, property damage or other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC Publications.

8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is indispensable for the correct application of this publication.

9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of patent rights. IEC shall not be held responsible for identifying any or all such patent rights.

The main task of IEC technical committees is to prepare International Standards. However, a technical committee may propose the publication of a technical report when it has collected data of a different kind from that which is normally published as an International Standard, for example "state of the art".

IEC TR 63084, which is a technical report, has been prepared by subcommittee 45A: Instrumentation, control and electrical systems of nuclear facilities, of IEC technical committee 45: Nuclear instrumentation.

The text of this technical report is based on the following documents:

Enquiry draft: 45A/1 06/DTR
Report on voting: 45A/1 41 /RVDTR

Full information on the voting for the approval of this technical report can be found in the report on voting indicated in the above table.

This document has been drafted in accordance with the ISO/IEC Directives, Part.

A bilingual version of this publication may be issued at a later date.
INTRODUCTION

a) Technical background, main issues and organisation of the Technical Report

It is recommended that platforms are used for the development and implementation of I&C systems. These platforms are understood here as a set of hardware and software components that may work co-operatively in one or more defined architectures (configurations). Some I&C platforms were not conceived originally for the implementation of nuclear-specific safety applications. These I&C platforms have been proven and certified for industrial applications, but the qualification for the nuclear safety application has to be demonstrated.

There are standards within SC 45A, and in particular WG A3, which cover the development and qualification of computer-based systems and the corresponding application functions. However, it is not clear how the standards from SC 45A can be used for the qualification of I&C platforms. Other relevant standards of SC 45A are in WG A7 (safety categories) and in WG A9 (qualification of electrical equipment).

Annexes are included to illustrate the approaches applied in different countries and their experiences. This Technical Report is written to support decision makers related to the issues, goals and results of the platform qualification and the system qualification.

b) Situation of the current Technical Report in the structure of the IEC SC 45A standard series

IEC 63084, as a technical report, is a fourth-level IEC SC 45A document. For more details on the structure of the IEC SC 45A standard series, see item d) of this introduction.

c) Recommendations and limitations regarding the application of the Technical Report

It is important to note that a technical report is entirely informative in nature. It gathers data collected from different origins and it establishes no requirements.

d) Description of the structure of the IEC SC 45A standard series and relationships with other IEC documents and other bodies' documents (IAEA, ISO)

The top-level documents of the IEC SC 45A standard series are IEC 61513 and IEC 63046. IEC 61513 provides general requirements for I&C systems and equipment that are used to perform functions important to safety in NPPs. IEC 63046 provides general requirements for electrical power systems of NPP; it covers power supply systems including the supply systems of the I&C systems. IEC 61513 and IEC 63046 are to be considered in conjunction and at the same level. IEC 61513 and IEC 63046 structure the IEC SC 45A standard series and shape a complete framework establishing general requirements for instrumentation, control and electrical systems for nuclear power plants.

IEC 61513 and IEC 63046 refer directly to other IEC SC 45A standards for general topics related to categorization of functions and classification of systems, equipment qualification, separation, defence against common cause failure, control room design, electromagnetic compatibility, cybersecurity, software and hardware aspects for programmable digital systems, coordination of safety and security requirements and management of ageing. The standards referenced directly at this second level should be considered together with IEC 61513 and IEC 63046 as a consistent document set.

At a third level, IEC SC 45A standards not directly referenced by IEC 61513 or by IEC 63046 are standards related to specific equipment, technical methods, or specific activities. Usually these documents, which make reference to second-level documents for general topics, can be used on their own.

A fourth level extending the IEC SC 45A standard series corresponds to the Technical Reports, which are not normative.

The IEC SC 45A standards series consistently implements and details the safety and security principles and basic aspects provided in the relevant IAEA safety standards and in the relevant documents of the IAEA nuclear security series (NSS). In particular this includes the IAEA requirements SSR-2/1, establishing safety requirements related to the design of nuclear power plants (NPP), the IAEA safety guide SSG-30 dealing with the safety classification of structures, systems and components in NPP, the IAEA safety guide SSG-39 dealing with the design of instrumentation and control systems for NPP, the IAEA safety guide SSG-34 dealing with the design of electrical power systems for NPP and the implementing guide NSS 17 for computer security at nuclear facilities. The safety and security terminology and definitions used by SC 45A standards are consistent with those used by the IAEA.

IEC 61513 and IEC 63046 have adopted a presentation format similar to the basic safety publication IEC 61508 with an overall life-cycle framework and a system life-cycle framework. Regarding nuclear safety, IEC 61513 and IEC 63046 provide the interpretation of the general requirements of IEC 61508-1, IEC 61508-2 and IEC 61508-4 for the nuclear application sector. In this framework IEC 60880, IEC 62138 and IEC 62566 correspond to IEC 61508-3 for the nuclear application sector. IEC 61513 and IEC 63046 refer to ISO as well as to IAEA GS-R-3, IAEA GS-G-3.1 and IAEA GS-G-3.5 for topics related to quality assurance (QA).

At level 2, regarding nuclear security, IEC 62645 is the entry document for the IEC SC 45A security standards. It builds upon the valid high-level principles and main concepts of the generic security standards, in particular ISO/IEC 27001 and ISO/IEC 27002; it adapts them and completes them to fit the nuclear context and coordinates with the IEC 62443 series. At level 2, regarding control rooms, IEC 60964 is the entry document for the IEC SC 45A control rooms standards and IEC 62342
is the entry document for the IEC SC 45A ageing management standards.

NOTE 1 It is assumed that for the design of I&C systems in NPPs that implement conventional safety functions (e.g. to address worker safety, asset protection, chemical hazards, process energy hazards) international or national standards would be applied.

NOTE 2 The IEC SC 45A domain was extended in 201 to cover electrical systems. In 201 and 201 discussions were held in IEC SC 45A to decide how and where general requirements for the design of electrical systems were to be considered. IEC SC 45A experts recommended that an independent standard be developed at the same level as IEC 61513 to establish general requirements for electrical systems. Project IEC 63046 is now launched to cover this objective. When IEC 63046 is published, this Note of the introduction of IEC SC 45A standards will be suppressed.

1 Scope

1.1 General

This Technical Report provides an assessment framework and activities for efficient and transparent qualification of I&C platforms for use in nuclear applications important to safety, according to nuclear standards and the state of the art. The assessment aims at a prequalification of I&C platforms outside the framework of a specific plant design. Qualification is assumed to be a prerequisite for allowing the particular I&C platform to be used for implementation of the safety-classified I&C system. It is to enable parties implementing particular plant-specific I&C systems to concentrate on application functions, while relying on the platform qualification for basic system functions.

The I&C platform qualification is based on evaluation of the hardware and software functions provided by the platform, ensuring
safe and cost-effective life-cycle support of I&C systems. That would include tools for software engineering and software development (software module libraries), code generation, validation, maintenance, etc.

Basic means of equipment qualification, as prescribed by IEC/IEEE 60780-323, are through analysis, type testing and documented operational experience. Other documents applicable for qualification for nuclear use include IEC 61513, IEC 60880, IEC 62138, IEC 62566, IEC 62671 and IEC 61226.

The features of the I&C platform to be qualified will be identified in requirements on the I&C platform. The requirements can vary, but in essence are based on suppliers' claims on the product scope and functionality. Those claims are normally given in platform documentation such as system descriptions and the supplier's requirements for design, implementation, verification and validation. They are all based on the appropriate IEC SC 45A standards and national regulations.

1.2 Framework

This document is organized as follows:

• Clause 5 addresses the role of the platform qualification, including the conceptual design and the documentation constituting the basis for the process of platform qualification.
• Clause 6 is the main clause of this document, addressing the process and methods of platform qualification. Crucial aspects of documentation and maintenance of the qualification are included.
• Clause 7 addresses platform elements necessary for safe and efficient implementation and life-cycle support of plant-specific I&C systems.
• Aspects of the I&C platform qualification are further developed and exemplified in annexes. Annex A lists licensing issues of the Finnish licensing approach. Annex B discusses the qualification of Areva's TELEPERM XS platform, actualized with notes on qualification from the Finnish Olkiluoto NPP. Annex C discusses the qualification of Westinghouse's FPGA-based platform of modules type ALS (Advanced Logic System). Annex D discusses the qualification of CTEC's digital platform FirmSys for use in systems important to safety in NPP. Annex E discusses the qualification of SOOSAN ENS's POSAFE-Q platform. Annex F discusses the qualification of Rolls-Royce's digital safety I&C platform Spinline in the framework of the type approval for the ELSA project. The five examples given in Annexes B to F are all of platforms developed for nuclear application.

Annex D (informative)

Review of CTEC's FirmSys platform qualification

D.1 General

China Techenergy Co. Ltd (CTEC), a joint venture co-funded by China Guangdong Nuclear Power Group and Beijing Hollysys Co. Ltd, does engineering design of digital I&C systems, system integration, and technical service for nuclear power plants. CTEC has developed the digital instrumentation and control (I&C) platform FirmSys to be used in systems important to safety for nuclear power plants (NPP). In order to qualify the FirmSys platform for the international market, CTEC asked ISTec to carry out, as third party, the independent verification and validation (IV&V) of the FirmSys platform software.

D.2 IV&V procedure

The IV&V was performed by ISTec and assisted by the V&V team of CTEC. The V&V team of CTEC is independent from the development team of CTEC. ISTec has been responsible for the overall IV&V work and results approval.

Any issues raised by the IV&V tasks were collected in Lists of Open Points (LOP). The LOP collected the IV&V findings in tables of minor issues, requests and key issues. Compliance with standard requirements is documented in specific tables of the LOP. All open points have been clarified by the development team of CTEC. The clarification results were verified and closed by ISTec assisted by the V&V team of CTEC.

The overall software assessment activities and assessment results were compiled in assessment reports. The assessment reports summarize the contents of the
LOPs and give the assessment conclusions. In addition, the assessment reports give detailed reference to the assessed documents and code files. The referenced data is uniquely identified by checksums using the RIPEMD-160 method. Together with the assessment reports ISTec issued certificates. The certificates corroborate the basic suitability of the FirmSys platform concept and software, and the FirmSys software safety modules, for use in implementing the software of I&C functions important to safety in NPP.

The assessment was performed in form and content, applying the requirements of the standards given in Table D.1 and with respect to the consistent transition from one phase to the other within the software safety life cycle. In order to locate potential deficiencies, all assessed documents were subjected to:

• formal check;
• consistency check, and
• functional check.

In addition, the following analyses were performed for the development documents:

• criticality analysis;
• requirements allocation analysis;
• traceability analysis;
• interface analysis;
• hazard analysis;
• security analysis, and
• risk analysis.

For the test documents, the following analyses were applied:

• traceability analysis;
• hazard analysis;
• security analysis, and
• risk analysis.

This information is given for the convenience of users of this document and does not constitute an endorsement by IEC of the companies named.

D.3 Assessment criteria

The detailed assessment has been carried out in order to prove compliance of the software and its development life cycle with the requirements based on the international standards listed in Table D.1. In the case of IEEE Std 7-4.3.2-2010, the differences from the former version from the year 2003 were also taken into account during assessment.

Table D.1 – Standards applied

No. | Standard
1 | IEC 61513:2011, Nuclear power plants – Instrumentation and control important to safety – General requirements for systems, Ed. 2.0, 2011-08
2 | IEEE Std 7-4.3.2-2010, Standard criteria for digital computers in safety systems of nuclear power generating stations, 2010-08
3 | IEC 60880:2006, Nuclear power plants – Instrumentation and control systems important to safety – Software aspects for computer-based systems performing category A functions, Ed. 2.0, 2006-05
4 | IEC 62566:2012, Nuclear power plants – Instrumentation and control important to safety – Development of HDL-programmed integrated circuits for systems performing category A functions, Ed. 1.0, 2012-01
5 | IEEE Std 1012-2004, IEEE Standard for Software Verification and Validation, 2005-06

The international standard IEC 61513:2011 provides requirements on system aspects of digital I&C systems important to safety. The international standard IEEE Std 7-4.3.2-2010 mainly focuses on safety systems of NPP. Of particular importance for the assessment are the international standards IEC 60880:2006 and IEEE Std 1012-2004. IEC 60880:2006 provides requirements for the software of computer-based I&C for safety systems of NPP. IEEE Std 1012-2004 describes processes and activities for software V&V depending on the software integrity level. IEC 62566:2012 describes development requirements for programmable devices which are based on a hardware description language (HDL) and are important to NPP safety I&C systems performing category A functions.

D.4 Assessment scope

The assessment has been applied to the development documentation and test documentation of the FirmSys platform concept and software, the software safety modules, the CPLD logic software in network communication modules, the code transformation modules of the engineering workstation software, and the function block library of application software. These documents cover relevant process and product issues. The IV&V procedure contained activities for requirements analysis, design, coding
and testing. The activities were organized according to the software life cycle phases as applied to the FirmSys platform concept and software, and to the software safety modules.

Annex E (informative)

Review of SOOSAN ENS's POSAFE-Q platform qualification

E.1 Presentation of POSAFE-Q PLC

POSAFE-Q, which meets international standards such as IEEE 7-4.3.2 and EPRI TR-107330, is a safety-grade, Q-class, Class 1E PLC-based I&C platform for nuclear power plants. Therefore the hardware platform was qualified and the system software running on it was reviewed by CT, IT, ST and SIT. Additionally, verification and validation according to the international standards IEEE 1012 and IEEE 1074 was conducted to ensure the highest level of availability, safety and reliability. POSAFE-Q also went through a variety of analysis procedures including reliability analysis, safety analysis, and EQ (Equipment Qualification) testing and analysis. Based on all of these efforts, POSAFE-Q has been certified for its reliability and safety by the authorized institutions.

E.2 Equipment qualification

The POSAFE-Q qualification program as below is applied to ensure operation in generic plant conditions and plant-specific operating conditions according to the relevant international standards:

• environmental qualification;
• EMC qualification;
• seismic qualification.

a) Environmental qualification

The POSAFE-Q hardware was qualified for Class 1E applications installed in a mild environment. The qualification was performed at design temperature, pressure and humidity, including aging analysis, in accordance with IEEE Standard 323.

b) EMC qualification

The POSAFE-Q hardware was qualified for electromagnetic compatibility in accordance with Regulatory Guide 1.180, EPRI TR-102323 and the IEC 61000 series in order to show that the I&C platform, including hardware and software, is fault-free under conducted and radiated electromagnetic interference (EMI), radio-frequency interference (RFI), and power surges.

c) Seismic qualification

The POSAFE-Q hardware was qualified for Class 1E safety functions and operations per IEEE Standard 344. According to IEEE Standard 344, seismic qualification of Class 1E equipment demonstrates the equipment's ability to perform its safety functions before, during and after an Operating Basis Earthquake (OBE) and a Safe Shutdown Earthquake (SSE). To demonstrate the physical and functional integrity of the POSAFE-Q PLC platform during a seismic event, the test specimen was subjected to a series of seismic simulation tests including resonance search tests, five OBE tests, and one SSE test using a tri-axial seismic shake table.

E.3 Software verification and validation

a) Software development procedure and plan

POSAFE-Q software was developed through the Software Development Life Cycle according to the IEEE standards concept, as well as implemented through a top-down modular approach as below:

• planning phase;
• requirement phase;
• design phase;
• implementation phase;
• integration phase;
• verification and validation phase;
• installation and maintenance phase.

According to the waterfall model for software development, verification and validation activities for POSAFE-Q software were carried out through all the life cycle phases in accordance with the verification and validation plan that satisfies the Safety Review Guidelines for Pressurized Water Reactor (PWR), Appendix 7-1 Software Review Guidelines, published by the Korea Institute for Nuclear Safety (KINS) on computer-based digital instrumentation and control systems, and the IEEE standards pertaining to verification and validation. All the results of the software life cycle process were reviewed for traceability, accuracy and completeness, and the result was reflected into design and software testing that had been performed in accordance with the step-by-step life cycle verification and validation plan. POSAFE-Q processor modules configured for redundancy and the redundancy management software module were analyzed to detect the risks that were not identified in the step-by-step life cycle verification and validation activities.

b) Software test and validation

Software test and validation was performed to ensure that POSAFE-Q has the appropriate functions and performance required by the safety system. Tests for software were carried out separately by integration test, system test and system interoperation test in accordance with technical criteria such as the PWR Nuclear Power Plant Safety Examination Guidelines Appendix 7-1 and IEEE Standard 7-4.3.2.

1) Software component test. Component test was carried out to ensure that POSAFE-Q software satisfies design requirements, interface requirements and the hardware-based software design specification in accordance with technical standards such as IEEE Standard 1008 and EPRI TR-107330.

2) Software integration test. Software integration test was carried out to confirm the functional dependencies that are configured in POSAFE-Q software in accordance with technical references such as IEEE Std 829 and EPRI TR-107330.

3) Software system test. Software system test was carried out to confirm that POSAFE-Q software satisfies each requirement of the requirement specification, normally in accordance with technical references such as IEEE Std 829 and EPRI TR-107330.

4) Software system interoperation test. Software system interoperation tests were performed to confirm that POSAFE-Q software satisfies the requirements specified in the design specification.

E.4 Reliability analysis

To satisfy the reliability requirement of IEEE 603, quantitative as well as qualitative analysis of POSAFE-Q was conducted through failure rate and MTBF analysis, and FMEA
review through presum ed operation scenarios The result of reliability anal ysis was fit into original design of POSAFE-Q iterativel y E.5 Regulatory compliance The following is part of standards, regulations, guidelines and report which are used to design POSAFE-Q I &C platform in order to implem ent the requirements in them : a) I EEE 603 – I EEE Standard Criteria for Safety Systems for N uclear Power Generating Stations b) I EEE 7-4 – Standard Criteria for Digital Com puters in Safety Systems of Nuclear Power Generating Stations c) Regulatory Guide 52 – Criteria for Use of Computers in Safety System s of Nuclear Power Plants d) I EEE 01 – Standard Software Verification and Validation Plans e) EPRI TR-1 07330, Generic Requirem ents Specification for Quality a Commercial Available PLC for Safety Related Applications in N uclear Power Plants I EC TR 63084:201 © I EC 201 – 47 – Annex F (informative) Review of Rolls-Royce’s Spinline platform type approval F.1 Overvi ew Rolls-Royce is a leading supplier of safety-critical I &C systems and related services for N PPs Rolls-Royce has developed the digital safety I &C platform Spinline to im plement class safety I &C system s (according to the classification of I EC 61 226:2009) Spinline consists of hardware com ponents (such as cabinets, racks and boards), software com ponents (such as the operational system software and class libraries), and a dedicated proprietary System and Software Development Environment CLARI SSE All Spinline hardware and software com ponents taken individuall y are class (according to the classification of I EC 61 226: 2009) qualified and m eet international standards They have alread y been widely used and proven on several N PPs The Spinline platform is designed, qualified and m anufactured by Rolls-Royce From the beginning Spinline has been designed and qualified to m eet European nuclear safety standards Typical applications include reactor trip functions, neutron flux measurement and 
engineered safety features actuation systems (ESFAS). It has been installed successfully in several existing NPPs in the framework of refurbishment of reactor protection systems and in newly constructed plants.

In order to be used for the implementation of digital I&C systems designed for safety I&C applications in Finnish NPPs, Rolls-Royce Civil Nuclear SAS commissioned the TÜV Rheinland Institut für Sicherheitstechnologie (ISTec) GmbH for the Type Approval of the digital safety I&C platform Spinline in the framework of the ELSA refurbishment project (Loviisa NPPs).

F.2 Type approval

According to the Finnish Regulatory Guideline YVL E.7 [YVLE7], subsection "Type Approval", a Type Approval shall be acquired for all safety class 2 (see the note below) equipment and for essential accident instrumentation in safety class 3 (safety class 3A) [para 569]. The Type Approval shall verify that the product and its implementation meet the applicable technical requirements.

NOTE: YVL classification differs from IEC 61226:2009 classification; safety class 2 in YVL corresponds to class 1 in IEC 61226:2009, and safety class 3 related to essential accident instrumentation in YVL corresponds to class 2 in IEC 61226:2009.

The main objective of the type approval is to ensure that

• the Spinline platform complies with the applicable nuclear industry standards according to the type approval plan,
• the Spinline platform conforms to its specification, and
• the Spinline design and manufacturing process is controlled by a quality management system compliant with an appropriate standard, to ensure high quality I&C products.

The type approval approach is based on the assessment of the equipment design (type test) and of the quality management of the manufacturing of components.

—————————
This information is given for the convenience of users of this document and does not constitute an endorsement by IEC of the companies named.

The type approval covers the generic qualification of hardware and software components. The existing qualification is credited to obtain the type approval certificate. If missing tests or unreached constraints are identified, they are detailed and justified. The application-specific qualification is not covered by the type approval. Application-specific qualification would typically be covered directly by the NPP utilities and potentially be completed by a third-party independent expert assessment.

The requirements applied for the type approval are fulfilled by complying with the international standards listed in Table F.1.

Table F.1 – International IEC standards applied for the assessment

No. | Standards
1 | IEC 61513:2011, Nuclear power plants – Instrumentation and control for systems important to safety – General requirements for systems, Ed. 2.0, 2011-08
2 | IEC 60880:2006, Nuclear power plants – Instrumentation and control systems important to safety – Software aspects for computer-based systems performing category A functions, Ed. 2.0, 2006-05
3 | IEC 60987:2007, Nuclear power plants – Instrumentation and control important to safety – Hardware design requirements for computer-based systems, Ed. 2.0, 2007-08
4 | IEC 60987:2007/AMD1:2013
5 | IEC 60780:1998, Nuclear facilities – Electrical equipment important to safety – Qualification
6 | IEC 61500:2009, Nuclear power plants – Instrumentation and control important to safety – Data communication in systems performing category A functions, Ed. 2.0, 2009-11
7 | IEC 62566:2012, Nuclear power plants – Instrumentation and control important to safety – Development of HDL-programmed integrated circuits for systems performing category A functions, Ed. 1.0, 2012-01

F.3 Type approval process

The type approval process of the Spinline platform includes the following subjects:

• the assessment of the hardware which will be used to build the delivered I&C systems (e.g. processing boards, input/output boards, terminal blocks, cabinet components);
• the assessment of generic software (e.g. operational system software, specific proprietary class libraries);
• the assessment of software development tools (e.g. the system and software development environment CLARISSE);
• the assessment of the generic embedded Field Programmable Gate Arrays (FPGA) used for electronic functions of the boards.

The type approval is performed on the basis of documents. Documents which are only available for review at Rolls-Royce premises are reviewed in the factory. The documents used for the type approval are divided into

• "standards and guidelines": the standards and guidelines define the frame of the type approval process;
• "fundamental documents": the fundamental documents, considered by ISTec as the most relevant documents related to safety, are assessed completely and in detail;
• "referenced documents": the referenced documents are assessed selectively in order to evaluate e.g. traceability aspects, specific test cases, etc.;
• "supplementary documents": the supplementary documents are used to obtain an overview of the Spinline platform. The supplementary documents also comprise the audit documents.

The assessment results are documented in the List of Open Points (LOP) as minor issues (e.g. typing errors, form errors), requests (e.g. wrong descriptions of technically correct items, inconsistent or insufficient descriptions), and key issues (e.g. non-conformance with guidelines or standards).

The basic principle is the review of the considered documentation, including its consistency, formal aspects and functional aspects. The documents are assessed for internal consistency and completeness (self-contained assessment) and for consistency with superior documents, respectively with the requirements from previous development phases. The documents are examined in form and
content, and special attention is paid to conformity with the applicable standards.

The LOPs are communicated to Rolls-Royce, who gives answers to the LOP and agrees to necessary revisions of the corresponding document. The LOPs are clarified between ISTec and Rolls-Royce during several project meetings. Rolls-Royce adds the open points (minor issues and requests, no key issues) to its document management system to correct the issues in future revisions.

The assessed documents provide the essential information about the qualification of the digital safety I&C platform Spinline. The documents identify the components and their internal design. Operational performance requirements under normal, abnormal and accident conditions are specified.

The application of the quality management system for the development of Spinline is assessed on the basis of documents and complemented by audits at Rolls-Royce. The quality management system is supported by engineering procedures providing the basis for high quality I&C products. The engineering and quality procedures are used for system design and manufacturing.

Bibliography

For undated references, the latest edition of the reference applies.

IEC 60964, Nuclear power plants – Control rooms – Design
IEC 60987:2007, Nuclear power plants – Instrumentation and control important to safety – Hardware design requirements for computer-based systems
IEC 60987:2007/AMD1:2013
IEC 61000 (all parts), Electromagnetic compatibility (EMC)
IEC 61508-1, Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 1: General requirements
IEC 61508-2:2010, Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems
IEC 61508-3, Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 3: Software requirements
IEC 61508-4, Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 4: Definitions and abbreviations
IEC 62342, Nuclear power plants – Instrumentation and control systems important to safety – Management of ageing
IEC 62443 (all parts), Industrial communication networks – Network and system security
IEC 63046, Nuclear power plants – Electrical systems – General requirements (under preparation)
ISO/IEC 27001, Information technology – Security techniques – Information security management systems – Requirements
ISO/IEC 27002, Information technology – Security techniques – Code of practice for information security controls
ISO/IEC 15504-1:2004, Information technology – Process assessment – Part 1: Concepts and vocabulary
ISO 9001:2008, Quality management systems – Requirements
ISO 90003:2014, Software engineering – Guidelines for the application of ISO 9001:2008 to computer software
IEEE 7-4.3.2, Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations
IEEE 323:1974, IEEE Standard for Qualifying Class 1E Equipment for Nuclear Power Generating Stations
IEEE 323:2003, IEEE Standard for Qualifying Class 1E Equipment for Nuclear Power Generating Stations
IEEE 344:1987, IEEE Recommended Practice for Seismic Qualification of Class 1E Equipment for Nuclear Power Generating Stations
IEEE 344:2004, IEEE Recommended Practice for Seismic Qualification of Class 1E Equipment for Nuclear Power Generating Stations
IEEE 384:1992, IEEE Standard Criteria for Independence of Class 1E Equipment and Circuits
IEEE 603, IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations
IEEE 1008, IEEE Standard for Software Unit Testing
IEEE 1012:1998, IEEE Standard for Software Verification and Validation Plans
IEEE 1074, IEEE Standard for Developing Software Life Cycle Processes
IEEE 1076, IEEE Standard VHDL Language Reference Manual
IEEE 1364, IEEE Standard Verilog® Hardware Description Language
ABB, Supplier Code of Conduct (2014)
AREVA, QA prescription to its suppliers: a graded approach
Siemens, "Suppliers Chain Management"
Alstom, "Supplier Quality Manual"
Procurement Strategy Council, "Establishing Comprehensive Supplier Qualification Processes", July 2006
Safety Demonstration Plan Guide: "A general guide to Safety Demonstration with focus on digital I&C in Nuclear Power Plant modernization and new build projects", Sweden, Elforsk report No. 13:86, September 2013
Common position of seven European nuclear regulators and authorised technical support organisations, "Licensing of safety critical software for nuclear reactors", Report number 2013:08, ISSN 2000-0456
Root Joseph T., Seaman Stephen G., Design Processes for FPGA Platform and System Application, NPIC & HMIT 2015, Charlotte, USA, February 23–26, 2015
NIST SP 800 series documents, National Institute of Standards and Technology, Gaithersburg, MD. Available from
Regulatory Guide 1.75 Rev. 3, Criteria for Independence of Class 1E Equipment and Circuits
Regulatory Guide 1.152, Criteria for Use of Computers in Safety Systems of Nuclear Power Plants
Regulatory Guide 1.168 Rev., Verification, Validation, Reviews and Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants
Regulatory Guide 1.180 Rev. 1, Guidelines for Evaluating Electromagnetic and Radio-Frequency Interference in Safety-Related Instrumentation and Control Systems
Regulatory Guide 1.209, Guidelines for Environmental Qualification of Safety-Related Computer-Based Instrumentation and Control Systems in Nuclear Power Plants
IAEA SSG-30:2014, Specific Safety Guide: Safety Classification of Structures, Systems and Components in Nuclear Power Plants
IAEA SSG-34, Design of Electrical Power Systems for Nuclear Power Plants
IAEA GS-G-3.1, Application of the Management System for Facilities and Activities
IAEA GS-G-3.5, The Management System for Nuclear Installations
IAEA GS-R-3, The Management System for Facilities and Activities (this publication has been superseded by GSR Part 2)
IAEA Safety Glossary, Terminology Used in Nuclear Safety and Radiation Protection, Ed. 2007
IAEA Safety Standards Series No. SSR-2/1, Safety of Nuclear Power Plants: Design
Decision No 768/2008/EC of the European Parliament and of the Council of 9 July 2008 on a common framework for the marketing of products, and repealing Council Decision 93/465/EEC
KTA 3503, Type test of electrical modules of the reactor protection system
DI&C-ISG-04, Highly-Integrated Control Rooms – Communications Issues
DI&C-ISG-06, Digital I&C Licensing Process – Task Working Group #6: Digital I&C Licensing Process, Interim Staff Guidance Revision (Initial Issue for Use)
BTP 7-14, Guidance on Software Reviews for Digital Computer-Based Instrumentation and Control Systems
BTP 7-19, Guidance for Evaluation of Diversity and Defense-in-Depth in Digital Computer-Based Instrumentation and Control Systems
GDC 4
10 CFR 50.49, Environmental qualification of electric equipment important to safety for nuclear power plants
MIL-STD-461E, Requirements for the Control of Electromagnetic Interference Characteristics of Subsystems and Equipment
EPRI TR-102323, Guidelines for Electromagnetic Interference Testing of Power Plant Equipment
EPRI TR-107330, Generic Requirements Specification for Qualifying a Commercially Available PLC for Safety Related Applications in Nuclear Power Plants
Safety Review Guidelines for Pressurized Power Reactor (PWR), Appendix 7-13, Software Review Guidelines for Pressurized Power Reactor
Finnish Regulatory Guideline YVL E.7 [YVLE7], Electrical and I&C equipment of a nuclear facility
