IEC TR 61940:1998 – Nuclear instrumentation – Review of the application of IEC 60880 (1986)

The purpose of this report is to combine the practical experience gained by users of IEC 60880 so as to provide an interpretation of IEC 60880 which will be of use to system developers and assessors. During the development of this report contributions have been received from many nations, and the contents of this report are now believed to reflect the international experience regarding IEC 60880.
This report is not intended to represent an interpretation of IEC 60880 as applied on any specific project. It is written in a general manner and the suggested interpretations of IEC 60880 clauses should not be taken as definitive. This report does not replace, alter or add to the requirements contained in IEC 60880.
2 Reference documents
IEC 60880:1986, Software for computers in the safety systems of nuclear power stations
IEC 61508 (all parts), Functional safety of electrical/electronic/programmable electronic safety-related systems
ISO 9001:1994, Quality systems – Model for quality assurance in design, development, production, installation and servicing
IAEA 50-SG-D3:1980, Safety guide — Protection system and related features in nuclear power plants
3 Definitions and abbreviations
The definitions used in this technical report are given in clause 2 "Terms and definitions" of IEC 60880.
VDU visual display unit
4 Assessment of compliance with IEC 60880
4.1 Purpose of assessment
There are many situations where an assessment against the Standard may be required, for example:
a) during a system development process, design engineers may assess the available methodologies and technologies against the Standard when deciding which would be the most appropriate to use;
b) during the re-assessment of the safety case for an existing station, the Standard may be used to assess the adequacy of operational systems;
c) independent assessors may be required to confirm that a development process is compliant with the Standard.
The main purpose of assessing a system, or a system component, is to determine if it is demonstrably fit for use. If a system can be shown to essentially comply with IEC 60880, this provides considerable confidence that it is suitable for use in a nuclear safety role.
4.2 Assessment process
Whether or not a particular system is considered to be "compliant" depends not only upon the characteristics of the system and its associated development life cycle, but also upon the skill of the assessor in interpreting the requirements and guidance provided by the Standard.
The Standard provides some guidance to assist in the interpretation of its contents, particularly the introduction, which states that the Standard is to provide a "general approach" to software development, verification and validation; the Standard discusses the "software principles" and provides "special recommendations" for safety systems. The use of such terminology implies that the contents of the Standard are not to be applied dogmatically, but that they should be used as guidance and should be interpreted as required for particular applications.
Clause 1, scope and object, also states that the appendices contain "Additional guidance and information on how to comply with the requirements of the main part of this Standard"; the emphasis is placed upon the contents of clauses 3 to 10 rather than on those of appendices A to F. The Standard requires that if techniques other than those identified in the appendices are used, they are to be documented and auditable.
Clauses in the main body of the Standard are qualified in a number of ways, for example "may", "shall", "required", "should be", "should be preferred", "is recommended". The significance of any deviation from the Standard depends upon the degree of compulsion implied by the text.
The end result of a formal assessment process should be a report identifying the particular clauses which are, in the opinion of the assessor, addressed or not addressed by a system. Documented justifications of compliance, in the form of explanations, references to manuals, reports, etc., should be provided for clauses for which compliance is claimed. Where the requirements/recommendations of a clause have not been followed, i.e. have not been complied with, the following classifications of response are suggested:
a) not applicable, i.e. a coding recommendation not applicable to the language used, or a requirement outside the scope of the assessment, for example a requirement relevant to the purchaser/users of a system when performing an assessment of a system supplier, or a system requirement when the scope of an assessment is limited to assessment of the software production process.

