
BS IEC/IEEE 62671 ED2 Nuclear power plants - Instrumentation and control important to safety - Selection and use of industrial digital devices of limited functionality

Scope

This document addresses certain devices that contain embedded software or HDL Programmed Devices (HPD) which are candidates for use in nuclear power plants. It provides requirements for the selection and evaluation of such devices where they have dedicated, limited, and specific functionality and limited configurability.

The scope of this standard encompasses what the IAEA refers to as “Smart Devices” in Safety Reports Series No. 111, which draws from IEC 62671 (see 5.2.2 for Applicability).

I&C systems important to safety of classes 1, 2 and 3 (in the IEC 61513 context) and class 1E (in the IEEE 603 context) may be implemented using conventional hard-wired equipment, digital technology equipment (computer based or programmed hardware) or by using a combination of both types of equipment. This International Standard provides the acceptance criteria for the selection, evaluation and use of certain digital devices. Such devices are very often developed to meet industrial safety standards such as IEC 61508. This standard provides a framework for qualification of the devices for use in a nuclear power plant.

Devices addressed by this Standard are dedicated devices of limited, specific functionality, that contain or may contain components driven by software or digital circuits designed using software-based tools. Examples are smart sensors, valve positioners, electrical protective devices or inverters that contain or may contain components driven by software or digital circuits designed using software-based tools. This standard does not address the software aspects of complex general-purpose devices that are addressed by other standards, such as IEC 60880, IEC 62138, and IEEE 7-4.3.2 for software. This standard addresses the aspects that should be considered when evaluating the suitability of these dedicated devices of limited, specific functionality for use in a nuclear power plant.

The intent is to apply a graded approach to these aspects, with more demanding requirements applied for higher classes.

These aspects include:

- functional suitability (does the device perform the functions required, and are these functions suitably secure from interference from any other functions),
- the evidence required to demonstrate this suitability (such as the development process followed, and the operational experience and maturity of the device),
- aspects affecting integration of the device in existing systems (e.g. functional compatibility and impact on maintenance and operation), and
- requirements related to ensuring the device will retain its suitability for its required lifetime (such as the lifetime of the plant).

This Standard relies on other standards, especially IEC/IEEE 60780-323, IEC 62003, IEEE 2425, and IEC/IEEE 60980-344 to address hardware qualification aspects not related to the complexities of software, namely reliability aspects related to environmental qualification and failures due to aging or physical degradation.

The need for this standard arises from current trends in the I&C industry including the advancing obsolescence of existing devices presently in use in nuclear power plants. It is becoming increasingly difficult, if not impossible, to identify analog devices or replace many existing devices with identical ones because suppliers increasingly employ micro-controllers, ASICs etc. embedded within the candidate replacement devices, and analog devices are becoming increasingly unavailable.

There are various technical risks regarding the suitability of these devices for use in nuclear plants, because:

- many of these devices do not duplicate the precise functionality of the obsolete device to be replaced, having in some cases less and in other cases more functionality, or even subtly different functionality that may be inconsistent with the original design intent,
- these differences in functionality are not always readily apparent,
- they may have specific vulnerabilities or failure modes that did not exist with the original equipment and that need to be considered.

Comment on proposal

Please email further comments to: debbie.stead@bsigroup.com
