1.1 General
This International Standard addresses certain devices that contain embedded software or HDL Programmed Devices (HPD) which are candidates for use in nuclear power plants. It provides requirements for the selection and evaluation of such devices where they have dedicated, limited, and specific functionality and limited configurability.
The scope of this standard encompasses what the IAEA refers to as “Smart Devices” in Safety Reports Series No. 111, which draws from IEC 62671 (see 5.2.2 for Applicability). This standard is also applicable to devices that allow for application programming; in these cases specific requirements apply.
Digital devices of limited functionality (DDLF) are a subset of smart devices. Generally, while smart devices can be tuned within very specific bounds to perform a simple, well-understood function, they are not programmable after manufacturing. This is the definition used in this standard. Other definitions of smart device do exist; for example, in the United Kingdom a device commonly called a smart device is considered programmable, runs software that can change, and may connect to the internet. This type of system, more akin to a programmable controller, is outside the scope of this standard, which deliberately limits the definition of smart device to that given in IEC 62671. Another common term is intelligent device, which maps directly to the term smart device in this context. Note also that smart devices in this context may be embedded into larger systems, but they may be standalone as well. The Nuclear Regulatory Commission uses the term Embedded Digital Device, defined as “a component consisting of one or more electronic parts that requires the use of software, software-developed firmware, or software-developed programmable logic, and that is integrated into equipment to implement one or more system safety functions.”
In accordance with IEC 61513, I&C systems important to safety of classes 1, 2 and 3 may be implemented using conventional hard-wired equipment, digital technology equipment (computer-based or programmed hardware) or a combination of both. This International Standard provides the acceptance criteria for the selection, evaluation and use of certain digital devices. Such devices are very often developed to meet IEC 61508, and this standard provides a framework for the qualification of IEC 61508-certified devices.
Devices addressed by this Standard are dedicated devices of limited, specific functionality that contain, or may contain, components driven by software or digital circuits designed using software-based tools. Examples are smart sensors, valve positioners, electrical protective devices and inverters. This standard does not address the software aspects of complex general-purpose devices, which are covered by other standards such as IEC 60880 and IEC 62138. This standard addresses the issues that should be considered when evaluating the suitability of these dedicated devices of limited, specific functionality for use in a nuclear power plant. The intent is to apply a graded approach to these issues, with more demanding requirements for higher safety classes.
These issues include:
• functional suitability (does the device perform the required functions, and are those functions adequately protected from interference by any other functions of the device),
• the evidence required to demonstrate this suitability (such as the development process followed, and the operational experience and maturity of the device),
• aspects affecting integration of the device in existing systems (e.g. functional compatibility and impact on maintenance and operation), and
• requirements related to ensuring the device will retain its suitability for its required lifetime (such as the lifetime of the plant).
This Standard relies on other standards, especially IEC 60780, to address hardware qualification issues not related to the complexities of software, namely the reliability aspects of environmental qualification, failures due to ageing or physical degradation, and the assessment of components.
1.2 Background
The need for this standard arises from current trends in the I&C industry, including the advancing obsolescence of devices presently in use in nuclear power plants. It is becoming increasingly difficult, if not impossible, to identify analog devices or to replace many existing devices with identical ones: suppliers now commonly embed micro-controllers, ASICs and similar components within candidate replacement devices, and analog devices are becoming unavailable.
There are various technical risks regarding the acceptance of these devices for use in nuclear plants, because:
• many of these devices do not duplicate the precise functionality of the obsolete device to be replaced, having in some cases less and in other cases more functionality, or even subtly different functionality that may be inconsistent with the original design intent,
• these differences in functionality are not always readily apparent. Problems have occurred because of the lack of guidance in this area; they are generally caused by the difference in design goals between nuclear plants and the industrial applications for which the equipment was designed, and
• they may have specific vulnerabilities or failure modes that did not exist with the original equipment and that need to be considered.