1、BSI Standards PublicationNuclear power plants Instrumentation and control systems important to safety Software aspects for computer-based systems performing category A functionsBS EN 60880:2009BS EN 60880:2009Incorporating corrigendum June 2015BS EN 60880:2009 BRITISH STANDARDNational forewordThis B
2、ritish Standard is the UK implementation of EN 60880:2009. It is identical to IEC 60880:2006. It supersedes BS IEC 60880:2006 which is withdrawn.The UK participation in its preparation was entrusted to Technical Committee NCE/8, Reactor instrumentation.A list of organizations represented on this com
3、mittee can be obtained on request to its secretary.This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application. The British Standards Institution 2015. Published by BSI Standards Limited 2015ISBN 978 0 580 90531 5ICS 27.1
4、20.20; 35.080Compliance with a British Standard cannot confer immunity from legal obligations.This British Standard was published under the authority of the Standards Policy and Strategy Committee on 31 January 2010.Amendments/corrigenda issued since publicationDate Text affected30 June 2015 Page nu
5、mbering correctedEUROPEAN STANDARD EN 60880NORME EUROPENNE EUROPISCHE NORMOctober 2009CENELEC European Committee forElectrotechnicalStandardization Comit Europen de Normalisation ElectrotechniqueEuropisches Komitee fr Elektrotechnische NormungCentral Secretariat:Avenue Marnix 17, B - 1000 Brussels 2
6、009 CENELEC - All rights of exploitation in any form and by any means reserved worldwide for CENELECmembers.Ref. No. EN 60880:2009 EICS 27.120.20English versionNuclear power plants - Instrumentation and control systems important to safety - Software aspects for computer-based systems performing cate
7、goryA functions(IEC 60880:2006)Centrales nuclaires de puissance -Instrumentation et contrle-commande importants pour la sret -Aspects logiciels des systmes programms ralisant des fonctions de catgorie A(CEI 60880:2006)Kernkraftwerke - Leittechnik fr Systeme mit sicherheitstechnischer Bedeutung -Soft
8、wareaspekte fr rechnerbasierte Systeme zur Realisierungvon Funktionen der Kategorie A(IEC 60880:2006)This European Standard was approved by CENELEC on 2009-07-01. CENELEC members are bound to complywith the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Stan
9、dard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such national standards may be obtained onapplication to the Central Secretariat or to any CENELEC member. This European Standard exists in three official versions (English, Fren
10、ch, German). A version in any otherlanguage made by translation under the responsibility of a CENELEC member into its own language and notifiedto the Central Secretariat has the same status as the official versions.CENELEC members are the national electrotechnical committees of Austria, Belgium, Bul
11、garia, Cyprus, theCzech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia,Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland and the United Kingdom.BS EN 60880:2009EN 60
12、880:2009 - 2 -Foreword The text of the International Standard IEC 60880:2006, prepared by SC45A, Instrumentation andcontrol of nuclear facilities, of IEC TC45, Nuclear instrumentation, was submitted to the formal voteand was approved by CENELEC asEN 60880 on 2009-07-01 without any modification.The f
13、ollowing dates were fixed: latest date by which the EN has to be implemented at national level by publication of an identicalnational standard or by endorsement (dop) 2010-07-01 latest date by which the national standards conflictingwith the EN have to be withdrawn (dow) 2012-07-01CLC/TC 45AX expert
14、s draw attention to the readers of this European standard to the fact that it should be read in conjunction with IAEA document INSAG-10, 1996, “Defence in Depth in Nuclear Safety”which applies. _Endorsement noticeThe text of the International Standard IEC 60880:2006 wasapproved by CENELEC as a Europ
15、ean Standard without any modification._BS EN 60880:2009 2 BS EN 60880:2009EN 60880:2009- 3 -EN 60880:2009Annex ZA(normative)Normative references to international publicationswith their corresponding European publicationsThe following referenced documents are indispensable for the application of this
16、 document. For dated references, only the edition cited applies. For undated references, the latestedition of the referenced document (including any amendments) applies.NOTE When an international publication has been modified by common modifications, indicated by (mod), the relevant EN/HDapplies.Pub
17、lication Year Title EN/HD YearIEC 60671 -1)Nuclear power plants - Instrumentation and control systems important to safety -Surveillance testing- - IEC 61069-21993 Industrial-process measurement and control -Evaluation of system propertiesfor the purpose of system assessment -Part 2: Assessment metho
18、dology EN 61069-21994IEC 61226 -1)Nuclear power plants - Instrumentation and control systems important to safety -Classification of instrumentation and control functions- - IEC 61508-4-1)Functional safety of electrical/electronic/programmable electronic safety-related systems -Part 4: Definitions an
19、d abbreviationsEN 61508-420012)IEC 61513 -1)Nuclear power plants - Instrumentation and control for systems important to safety - General requirements for systems- - ISO/IEC 9126 SeriesSoftware engineering - Product quality -IAEA guide NS-G-1.2 - 1)Safety assessment and verification for nuclear power
20、 plants- IAEA guide NS-G-1.3 - 1)Instrumentation and control systemsimportant to safety in nuclear powerplants- - 1)Undated reference.2)Valid edition at date of issue.BS EN 60880:2009 3 BS EN 60880:2009EN 60880:200960880 IEC:2006 3 CONTENTSINTRODUCTION.111Scope and object172Normative references.173T
21、erms and definitions.194Symbols and abbreviations.295General requirements for software projects 295.1General.295.2Software types335.3Software development approach.355.4Software project management.395.5Software quality assurance plan395.6Configuration management415.7Software security.436Software requ
22、irements476.1Specification of software requirements 476.2Self-supervision 496.3Periodic testing .496.4Documentation517Design and implementation 517.1Principles fordesignand implementation537.2Language and associated translators and tools.577.3Detailed recommendations597.4Documentation638Software Ver
23、ification 638.1Software verification process.638.2Software verification activities .659Software aspects of system integration.739.1Software aspects of system integration plan759.2System integration779.3Integrated system verification779.4Fault resolutionprocedures.799.5Software aspects of integrated
24、system verification report 7910 Software aspects of system validation8110.1 Software aspectsof the system validation plan8110.2 System validation8110.3 Software aspectsof the system validation report.8310.4 Fault resolution procedures.8311 Software modification.8311.1 Modification request procedure.
25、8511.2 Procedure for executing a software modification8711.3 Software modification after delivery.89BS EN 60880:2009BS EN 60880:200960880 IEC:2006 4 699101515151718202021222424252526262729303232323337383939404041414142424243444560880 IEC:2006 5 12 Software aspects of installation and operation9112.1
26、 On-site installation of thesoftware9112.2 On-site software security.9112.3 Adaptation of the software to on-site conditions.9312.4 Operator training.9313 Defences against common cause failure due to software9513.1 General.9513.2 Design of software against CCF 9713.3 Sourcesand effects of CCF duetos
27、oftware9713.4 Implementation ofdiversity9913.5 Balance of drawbacksand benefitsconnected with theuse of diversity.9914 Software toolsfor the development ofsoftware9914.1 Introduction.9914.2 Selection of tools.10114.3 Requirements for tools10315 Qualification of pre-developed software11315.1 General.
28、11315.2 General requirements11315.3 Evaluation and assessment process11515.4 Requirements for integration in the system andmodification of PDS .131Annex A (normative) Software safety lifecycle and details ofsoftware requirements.133AnnexB (normative) Detailed requirementsand recommendations for desi
29、gn and implementation.137Annex C (informative) Example ofapplication orientedsoftware engineering (softwaredevelopment with application-oriented language)163Annex D (informative) Language,translator, linkage editor 171Annex E(informative) Software verification and testing175AnnexF (informative) Typi
30、cal list of software documentation.191Annex G(informative) Considerations of CCF and diversity.193Annex H (informative)Tools for production and checking ofspecification, design andimplementation.201AnnexI (informative) Requirements concerning pre-developed software (PDS).207Annex J (informative)Corr
31、espondence between IEC 61513and this standard.211BS EN 60880:2009BS EN 60880:200960880 IEC:2006 5 464646474748484949505050505152575757586667698286889697101104106General 60880 IEC:2006 11 INTRODUCTION a) Technical background, main issuesand organisation of the standard Engineering of software based I
32、nstrumentation and Control (I2) a general approach to software verification and to the software aspectsof the computer-based systemvalidation; 3) procedures for softwaremodification and configuration control;4) requirements foruse of tools;5) procedures for qualification of pre-developed software. I
33、t is recognised that software technology is continuing to develop at arapid pace and that it isnot possible fora standard such as this to include references to all modern designtechnologies and techniques. To ensure that the standard will continue to be relevant in futureyears the emphasis has beenp
34、laced on issues of principle,rather than specificsoftware technologies. If new techniques are developed thenit shouldbepossibletoassess the suitabilityof suchtechniques by applying the safety principles contained within this standard. d) Description of the structure of theSC45A standard series and r
35、elationships withother IEC documents and otherbodies documents (IAEA, ISO) The top level document of the SC45A standard series is IEC 61513. Thisstandard deals withrequirementsfor NPP I top-down design methods; modularity; verification of each phase; clear documentation; auditable documents; validat
36、iontesting.Additional guidance and information on how to comply with the requirements of the main partof thisstandard is given in Annexes A to I.2 Normative referencesThe following referenced documents are indispensable for theapplication of this document.For dated references, only theedition cited
37、applies. For undated references, the latest editionof the referenced document(including any amendments) applies.IEC 60671, Periodic tests and monitoring ofthe protection system of nuclearreactorsBS EN 60880:2009BS EN 60880:200960880 IEC:2006 9 60880 IEC:2006 19 IEC 61069-2:1993, Industrial-process m
38、easurement and control Evaluation of systemproperties for the purpose of system assessment Part 2: Assessment methodologyIEC 61226, Nuclear power plants Instrumentationand control systems important for safety Classification of instrumentation and controlfunctionsIEC 61508-4, Functional safety of ele
39、ctrical/electronic/programmable electronicsafety-relatedsystems Part 4:Definitions and abbreviationsIEC 61513, Nuclear power plants Instrumentation and control for systems important to safety General requirements for systemsISO/IEC 9126, Software engineering Product qualityIAEA guide NS-G-1.2, Safet
40、y Assessment and Verification for Nuclear power PlantIAEA guide NS-G-1.3, Instrumentation and Control Systems Important to Safety in NuclearPower Plants3 Terms and definitionsForthe purposesof this document, the following terms and definitions apply.3.1 animationprocess by which the behaviour define
41、d by a specification is displayed with actual valuesderived from the stated behaviour expressions and from some input values3.2 application function function of an I software quality assurance and qualitycontrol (5.5);software configuration management (5.6);software security (5.7);software verificat
42、ion (Clause 8). Thereare also activities involving selection of languages (7.2, Annex D), selection of software tools to support the development (Clause 14), prevention of CCF (Clause 13) and productionof documentation (7.4, Annex F). The resulting software related activities in the system safetylif
43、ecycle and the supportingprocesses are shown below in Figure 2 (boxes in bold lines with reference to related subclauses inbrackets).BS EN 60880:2009BS EN 60880:200960880 IEC:2006 16 60880 IEC:2006 33 System requirements specificationSuitability analysis of pre-developedsoftware(15.3)System detailed
44、 design and implementation Equipment (system softwareand hardware) procurementDevelopment of new operationalsystem software(7) Application softwaredevelopment/generation(7) Selection ofpre-developed software (15.2)Software aspects of systemintegration (9, 15.4) Software aspects of systemvalidation (
45、10) Software aspects of systeminstallation (12.1) Software aspects of systemmodification (11) Functional validation Software safetylifecycleSoftware quality assurance(5.5)Softwareverification(8) Softwareconfiguration management(5.6)Selection and useof software tools(14) Selectionof languages (7.2)So
46、ftware security(5.7)System specificationIEC 716/06 NOTE Boxes in thin dotted lines represent system activities not addressed in this standard.Figure 2 Software related activities in the system safety lifecycleThe approach to software development should be based on the traditional “V” model as thisap
47、proach has been reflected and promulgated in other standards notably IAEA NS-G-1.3, butallowing necessary adjustments recognizing thatsome phases of the development can be done automatically by tools and that software development may be iterative.Subclauses 5.2 and 5.3introducethe different software
48、 types andthe development approach considered in this standard.5.2 Software types The software components of a system are often defined asbeing eitheroperational systemsoftware (communications, I/O management, standard functions, self-supervision, etc.) orapplication software (interlock logic, contr
49、ol loops, display formats, alarm logic, etc.).Application software generallyusesthe facilities provided by the operational system software,thus reducing the need forduplication of code within modules and thus reducing the overall amount of software. Application software is usually specificto one project.BS EN 60880:2009BS EN 60880:200960880 IEC:2006 17 60880 IEC:
