IEEE 7-4.3.2
IEEE Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations
| Organization: | IEEE |
| Publication Date: | 11 September 2003 |
| Status: | inactive |
| Page Count: | 58 |
Foreword
(This introduction is not part of IEEE Std 7-4.3.2-2003, IEEE Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations.)
This standard evolved from IEEE Std 7-4.3.2-1993. It represents a continued effort by an IEEE working group to support the specification, design, and implementation of computers in safety systems of nuclear power generating stations.
This standard specifies additional computer-specific requirements (incorporating hardware, software, firmware, and interfaces) to supplement the criteria and requirements of IEEE Std 603-1998. This standard should be used in conjunction with IEEE Std 603-1998 to assure the completeness of the safety system design when a computer is to be used as a component of a safety system.
This standard recognizes that development processes for computer systems continue to evolve. As such, the information presented should not be viewed as the only possible solution. This is in keeping with the desire to use advances in digital technology, provided the criteria and requirements of IEEE Std 603-1998 and this standard are met. For example, while this standard does not specifically address artificial intelligence systems or fourth generation languages, their use is not precluded.
IEEE Std 7-4.3.2-1993 referenced ASME NQA-2a-1990, Part 2.7 (referred to as Part 2.7) to address specific software development requirements. References to ASME NQA-2a-1990 have been removed from this standard, and applicable IEEE standards have been referenced.
This standard does not provide requirements associated with the operation and maintenance of the computer following installation (i.e., surveillance testing frequency). Any problems identified should be addressed through applicable standards that specifically address these requirements.
Clause 5.1 in IEEE Std 603-1998 defines the single-failure criterion. Guidance for the application of this criterion is provided in IEEE Std 379™-1988, Standard Application of the Single Failure Criterion to Nuclear Power Generating Station Class 1E Systems. The approach stated in 5.5 of IEEE Std 379-1988 is also appropriate for potential common-cause failures associated with computer hardware and software that have been developed under the requirements of IEEE Std 603-1998 and this standard. Annex B provides additional guidance for determining the need for design diversity in safety-related computer systems.
The working group revised the guidance in the 1993 standard to further address hazard analysis. These efforts resulted in a complete revision of the existing abnormal conditions and events (ACES) discussion in Annex D. Future work should consider the subject of software safety analysis in addressing system hazards. Additionally, future efforts should consider addressing these topics in the body of the standard.
The Nuclear Regulatory Commission endorsed the concept of requirements grading or classification in SECY-91-192, Digital Computer Systems for Advanced Light Water Reactors. A similar concept of safety classification is presented in ANSI/ANS 51.1-1983 [B1] and ANSI/ANS 52.1-1983 [B2]. If guidance is provided in a revision to IEEE Std 603-1998, efforts should then be undertaken to apply this concept in a revision to this standard.
This standard does not address justification for the selection of software tools and acceptance criteria for compilers, operating systems, and libraries. The working group felt this subject was outside of the scope of this revision.
During the NPEC review of this revision of the standard, the topic of safety system software security was discussed, specifically the ability of the software system to fulfill its safety-related functions in the presence of attacks. Recommendations were made that a future revision of the standard address software risks associated with attacks by insiders and from outside.
The qualification of existing commercial computers, or COTS, is addressed in the body of this standard and in Annex C. It is recognized that COTS dedication is a topic that can be applied to a broader range of Safety Systems equipment than computers, but it is included in this standard because it is not addressed elsewhere at this time. It is recommended (for future IEEE standards work) that a specific standard be developed for COTS dedication. IEEE Std 7-4.3.2 should then be revised to reference the new standard for the COTS dedication process.
In summary, the following major changes were implemented in this version of IEEE Std 7-4.3.2:
- The references were updated to include current IEEE Standards
- The definitions were updated and expanded, and references were provided for definitions obtained from other standards.
- A Software quality metrics clause was added. Industry practice is moving towards the use of software quality metrics to assure/monitor/impro
- The Qualification of existing commercial computers clause was expanded to provide additional guidance that addresses the move toward the use of more commercial hardware and software in safety systems. This clause was reviewed to ensure consistency with industry guidance (e.g., EPRI guidance). Discussion during the review led to the action item to move the recommendations and guidance portions of this addition (i.e., "should / may" clauses) to the annex.
- The Software tools clause was revised to address expanded use of software tools and methods to confirm suitability (IEC 60880-2, issued last year, specifically addresses the use of software tools.)
- The Verification and Validation clause was expanded to support the removal of Annex E, which addressed verification and validation activities. This standard references IEEE Std 1012™, and clarifies requirements that are applicable to safety system software. Whereas IEEE Std 1012 only mentions "independent" V&V in the annex, the authors moved the requirements for IV&V into the body of the standard. Additionally, although different "integrity levels" are defined in IEEE Std 1012, this standard identifies which "integrity level" is applicable to safety system software.
- The Software configuration management clause was expanded to provide additional guidance by identifying the key requirements for configuration management for safety system software using the guidance provided in IEEE Std 828™ and IEEE Std 1042™.
- A Software project risk management clause was added to provide additional guidance consistent with IEEE Std 1540™ on risk management and IEEE/EIA 12207.0 on software life cycle processes.
- A Fault detection and self-diagnostics clause was added to address features that are unique to software and computer systems.
- The Identification clause has been expanded to include software specific requirements by extending the IEEE Std 603 identification requirements to software.
- Annex A, Relationship to IEEE Std 603, was updated to reflect the contents of the current standard.
- Annex B, Diversity requirements determination, received minor editorial updates.
- Annex C, Electromagnetic compatibility, was deleted because Annex B of IEEE Std 603-1998 addresses the same subject.
- Annex D, Dedication of existing commercial computers, was updated to more completely address COTS issues. Additionally, this annex was designated Annex C.
- Annex E, Verification and validation, was deleted. V&V requirements were incorporated into the body of the standard. IEEE Std 1012 is referenced in the body to provide guidance.
- Annex F, Identification and resolution of hazards, replaced the previous version of this annex. The content was revised to better represent current practices and processes for hazards analysis. Guidance from EPRI [B3] was included in this section. Additionally, this annex was designated as Annex D.
- Annex G, Communication independence, was designated Annex E.
- Annex H, Computer reliability, received minor editorial updates and was designated Annex F.
- Annex G, Bibliography, was added to identify informative references.
The numbers in brackets correspond to those of the bibliography in Annex G.
Participants
This document was prepared by the Application of Programmable Digital Computers to Safety Systems Subcommittee Working Group 6.4 of the IEEE Nuclear Power Engineering Committee. At the time this standard was completed, the Subcommittee Working Group 6.4 had the following membership:
Charles Roslund, Chair
Michael Waterman, Secretary
Larry Erin
Ronald Greenthaler
Myron Hecht
Ronald Jarrett
Ifti Rana
John Scott
James Stewart (deceased)
James Sweeney
John Waclo
At the time this standard was completed, Subcommittee 6 under the Nuclear Power Engineering Committee had the following membership:
Paul Yanosy, Chair
David Horvath, Secretary
Wesley Bowers
Robert Copyak
John Disosway
Britton Grim
Randy Jamison
Jim Keiper
Tom Klein
Glenn Lang
Evangelos Marinos
Mike Miller
Charles Roslund
John Waclo
David Zaprazny
The following members of the balloting committee voted on this standard. Balloters may have voted for approval, disapproval, or abstention.
Stan J. Arnot
Vincent Bacanskas
Farouk Baxter
James Bongarra, Jr.
Wesley Bowers
Daniel Brosnan
John P. Carter
Guru Dutt Dhingra
Surin Dureja
Robert Fuld
Wilmer Gangloff
Britton Grim
Randall Groves
David Horvath
Paul Johnson
James T. Keiper
Scott Malcolm
John R. Matras
Richard Meininger
Gary Michel
William Mindick
Radhakrishna Rebbapragada
Charles Roslund
James Ruggieri
Barry Skoras
Neil P. Smith
James Stoner
James Thomas
T.J. Voss
John Waclo
When the IEEE-SA Standards Board approved this standard on 11 September 2003, it had the following membership:
Don Wright, Chair
Howard M. Frazier, Vice Chair
Judith Gorman, Secretary
H. Stephen Berger
Joe Bruder
Bob Davis
Richard DeBlasio
Julian Forster*
Toshio Fukuda
Arnold M. Greenspan
Raymond Hapeman
Donald M. Heirman
Laura Hitchcock
Richard H. Hulett
Anant Jain
Lowell G. Johnson
Joseph L. Koepfinger*
Tom McGean
Steve Mills
Daleep C. Mohla
William J. Moylan
Paul Nikolich
Gary Robinson
Malcolm V. Thaden
Geoffrey O. Thompson
Doug Topping
Howard L. Wolfman
*Member Emeritus
Also included are the following nonvoting IEEE-SA Standards Board liaisons:
Alan Cookson, NIST Representative
Satish K. Aggarwal, NRC Representative
Michelle D. Turner
IEEE Standards Project Editor
Scope
This standard serves to amplify criteria in IEEE Std 603™-1998 to address the use of computers as part of safety systems in nuclear power generating stations. The criteria contained herein, in conjunction with criteria in IEEE Std 603-1998, establish minimum functional and design requirements for computers used as components of a safety system.