instrumentation systems and components at nuclear · pdf file2.2 instrumentation, ......

This Guide remains in force as of 1 March 2003 until further notice. It replacesGuide YVL 5.5, issued on 7 June 1985.

INSTRUMENTATION SYSTEMSAND COMPONENTS ATNUCLEAR FACILITIES

1 GENERAL REQUIREMENTS 5

2 DESIGN BASES OF I&C SYSTEMS AND EQUIPMENT 52.1 Ensuring the safety functions 52.2 Instrumentation, control and monitoring 72.3 Main control room and man–machine interface 82.4 Emergency control posts and local control systems 92.5 Accident instrumentation 92.5.1 General requirements 92.5.2 Postulated accidents 102.5.3 The accident management support function 102.5.4 Severe accident 10

3 GENERAL DESIGN REQUIREMENTS 113.1 Qualification to environmental conditions 113.2 Electromagnetic compatibility 123.3 Fire analyses 123.4 Information security 123.5 Other requirements 12

4 DESIGN AND IMPLEMENTATION OF I&C SYSTEMS 134.1 General requirements 134.2 Quality management 144.2.1 General requirements 144.2.2 Quality management system 144.2.3 Quality management of the design and implementation of an I&C system 154.3 Design process 154.3.1 General requirements 154.3.2 Requirement specification 164.3.3 Documentation 164.3.4 Change management during the design process 16

ISBN 951-712-621-9 (print)ISBN 951-712-622-0 (pdf)ISBN 951-712-623-9 (html)ISSN 0783-2400

Third, revised editionHelsinki 2002Dark Oy

GUIDE YVL 5.5 / 13 SEPTEMBER 2002

STUK • SÄTEILYTURVAKESKUSSTRÅLSÄKERHETSCENTRALEN

RADIATION AND NUCLEAR SAFETY AUTHORITY

Osoite/Address • Laippatie 4, 00880 HelsinkiPostiosoite / Postal address • PL / P.O.Box 14, FIN-00881 Helsinki, FINLANDPuh./Tel. (09) 759 881, +358 9 759 881 • Fax (09) 759 88 500, +358 9 759 88 500 • www.stuk.fi

continues

4.4 Qualification plan 164.4.1 General requirements 164.4.2 Design and manufacturing process 174.4.4 Analyses related to safety 184.4.5 Operating experiences 184.4.6 Type approval 184.4.7 Suitability analysis 194.5 Installation and commissioning 194.6 Specific requirements for computer-based systems

and equipment 204.6.1 Qualification of the platform and the application 204.6.2 Software tools and design methods 204.6.3 Pre-existing software and equipment 204.6.4 Prevention and analysis of common cause failures 214.6.5 Testing of a computer-based system or equipment 214.6.6 Other requirements for a computer-based system or equipment 21

5 AGEING MANAGEMENT 22

6 CONTROL BY THE FINNISH RADIATION AND NUCLEAR SAFETY

AUTHORITY 226.1 General regulatory principles 226.2 Conceptual design plan 236.3 System pre-inspection documents 236.4 Equipment suitability analysis 256.5 Regulatory control of manufacturing, factory tests 256.6 Regulatory control of installations 256.7 Commissioning inspections 266.8 Regulatory control of equipment quality management 266.9 Regulatory control during plant operation 266.10 System and equipment modifications during operation 27

7 DEFINITIONS 27

8 REFERENCES 30

GUIDE YVL 5.5 / 13 SEPTEMBER 2002

AuthorisationBy virtue of the below acts and regulations, the Radiation and Nuclear SafetyAuthority (STUK) issues detailed regulations that apply to the safe use ofnuclear energy and to physical protection, emergency preparedness and safe-guards:• Section 55, paragraph 2, point 3 of the Nuclear Energy Act (990/1987)• Section 29 of the Council of State Resolution (395/1991) on the Safety of

Nuclear Power Plants• Section 13 of the Council of State Resolution (396/1991) on the Physical

Protection of Nuclear Power Plants• Section 11 of the Council of State Resolution (397/1991) on the Emergency

Preparedness of Nuclear Power Plants• Section 8 of the Council of State Resolution (398/1991) on the Safety of a

Disposal Facility for Reactor Waste• Section 30 of the Council of State Resolution (478/1999) on the Safety of

Disposal of Spent Nuclear Fuel.

Rules for applicationThe publication of a YVL guide does not, as such, alter any previous decisionsmade by STUK. After having heard those concerned, STUK makes a separatedecision on how a new or revised YVL guide applies to operating nuclear powerplants, or to those under construction, and to licensees’ operational activities.The guides apply as such to new nuclear facilities.

When considering how new safety requirements presented in YVL guides applyto operating nuclear power plants, or to those under construction, STUK takesinto account section 27 of the Council of State Resolution (395/1991), whichprescribes that for further safety enhancement, measures shall be taken whichcan be regarded as justified considering operating experience and the results ofsafety research as well as the advancement of science and technology.

If deviations are made from the requirements of a YVL guide, STUK shall bepresented with some other acceptable procedure or solution by which the safetylevel set forth in the guide is achieved.

Translation. Original text in Finnish.

Guide YVL 5.5 S T U K

5

1 General requirementsThe operation of the reactor and the systems atthe nuclear power plant is controlled, monitoredand protected by the instrumentation and con-trol systems (I & C). The function of the moni-toring and information systems is to provide theoperators with reliable information on the stateof the reactor itself, the systems at the plant ortheir environment. The instrumentation andcontrol systems are actuated automatically ormanually by the operator necessitated as by theplant operation and safety. The protection auto-mation is especially designed to detect depar-tures from acceptable plant conditions and toinitiate automatically and maintain the opera-tion of appropriate safety systems as necessary(reactor shutdown, the functioning of the con-tainment building and residual heat removalfrom the reactor to the ultimate heat sink, etc.).

General safety requirements for nuclear powerplants are presented in the Government Resolu-tion (395/1991). In this resolution there arepresented general requirements concerning allsafety systems and also requirements specific tothe instrumentation and control systems of anuclear power plant. These requirements arepresented for detection and control of operation-al transients and accidents (13 §), ensuring ofsafety functions (18 §), avoidance of human er-ror (19 §), safety classification (21 §), monitoringand control of a nuclear power plant (22 §). Thegeneral requirements are specified in GuideYVL 1.0. Among other things there are require-ments concerning protection instrumentationand control, the needed automation degree andpossibilities for manual controls.

Requirements for instrumentation and controlsystems and equipment are presented also inseveral other YVL guides. Guide YVL 2.0 ap-plies generally to the design and regulatorycontrol of the systems for a nuclear power plant.The requirements related to failure criteria arepresented in Guide YVL 2.7. The classificationrequirements of the instrumentation and con-trol systems are presented in Guide YVL 2.1. InGuides YVL 2.2 and YVL 2.8 are presented re-quirements for safety goals and their demon-

stration. Guide YVL 1.8 presents how the Finn-ish Centre for Radiation and Nuclear Safetyregulates modifications, repairs and preventivemaintenance of systems, equipment and struc-tures at nuclear facilities during operation. Theguide further describes the obligations related tothis work imposed on licensees. The generalrequirements for and regulatory control of nu-clear power plant pre-operational and start-uptesting are presented in Guide YVL 2.5. GuideYVL 1.1 summarizes STUK’s regulatory func-tions during nuclear power plant design, con-struction and operation.

According to section 5 of the Government Reso-lution (395/1991), advanced quality assuranceprogrammes shall be employed in all activitieswhich affect safety and relate to the design,construction and operation of a nuclear powerplant. General requirements for quality man-agement at a nuclear power plant are presentedin Guide YVL 1.4 and the requirements for qual-ity management during operation of nuclearpower plants are presented in Guide YVL 1.9.The necessary precondition for assuring the de-pendability of modern I&C technology is that, inparticular the special features of the technologyutilized shall be considered in the quality man-agement system.

This guide presents the requirements for licen-sees concerning the design, implementation andoperation of the I&C systems and equipment ata nuclear facility and how STUK controls andinspects these.

2 Design bases of I&Csystems andequipment

2.1 Ensuring the safety functions

The protection I&C systems are designed todetect automatically deviations from the normaloperation conditions of the nuclear reactor andthe systems and to form the signals for initiatingand maintaining the required safety functions.The most important safety functions are shut-

S T U K Guide YVL 5.5

6

down of the reactor, residual heat removal to theultimate heat sink and functions of the contain-ment. The protection I&C systems encompass allequipment including measurements of the proc-ess variables to the actuation devices. The re-quirements for the protection I&C systems areapplied to all I&C systems belonging to systemsin Safety Class 2.

According to Guide YVL 1.0, section 3.4, theprotection system shall be so designed that incase of its failure it settles in a state preferablefrom the plant safety point of view. So the differ-ent failure modes and their causes shall beanalysed and the state preferable from the plantsafety point of view shall be justified.

According to Guide YVL 1.0, section 3.4, theprotection system which initiates the safety func-tions shall operate during anticipated operation-al transients and postulated accidents even inthe event of a single failure, although any compo-nent affecting a safety function would simultane-ously be inoperable due to repair or maintenance.Also the diversity principle shall be compliedwith in the design of the reactor protection sys-tem.

According to Guide YVL 2.7, chapter 4, the reac-tor protection system measures at least two dif-ferent process parameters which are both physi-cally dependent on a transient or accident andwhose trip limits can be so chosen that they arereached early enough. If this is not possible forall protection functions, different measurementprinciples shall be used in the measuring of theprocess parameter in question.

According to Guide YVL 1.0, subsection 3.4, inthe first place, the protection system shall beseparated from the control system and otherautomation systems. Any possible interdepend-ence between the protection, control or otherautomation systems shall not endanger safety.

At the main control room the operators shallhave reliable information of the status of theprotection I&C system.

The functions of the protection I&C systemsshall be testable also during the operation of theplant. It shall be ensured by these tests that thedesign basis functional requirements of the sys-tem are met.

The periodic testing of the protection I&C sys-tem shall encompass the whole channel includ-ing the measurements to the actuation devicesthemselves. To perform the periodic testing thesubsystem shall be set to a state preferable fromthe plant safety point of view. The possibility fortesting shall be incorporated into the systemdesign.

The protection I&C systems shall be designed sothat they monitor the validity of the input andoutput signals and their internal operation andgive an alarm signal when needed. The selfdiagnostics of the protection I&C systems shallbe adequate and well tested. The analysis of thecoverage of the self diagnostics shall include aseparate assessment of hardware and softwarefaults.

According to Guide YVL 2.0 subsystems of theprotection system performing the same safetyfunction shall be separated physically. Thesesubsystems shall also be separated functionally.The protection I&C systems shall be functional-ly separated from other systems and their physi-cal separation from other systems shall be ade-quate.

Further it is presented in Guide YVL 1.0, sub-section 3.4, that the manual initiation of theprotection system shall be implemented usingtechnology as reliable as possible. In addition tothe manual initiation of individual devices, itshall also be possible to manually trip protectivesignals, if necessary.

The protection I&C systems shall monitor theoperating parameters of the plant and displaythe operators the parameters needed for themanual initiation of the protection signal.

The effects of operator-initiated manual actua-tions, if needed during different protective tasks,


7

shall be analysed. Also, where manual actua-tions are provided, they shall be independent ofthe equipment of the automatic protection sys-tem to the extent practicable. In addition, themanual actuation of the protection signal shallbe functionally independent of other systems inthe control room.

Probabilistic design goals and numerical goalsare presented in Guide YVL 2.8.

2.2 Instrumentation, control andmonitoring

Guide YVL 1.0 subsection 3.6 provides that theplant shall have reliable control systems forkeeping the process parameters and systemswithin the specified operating range. Togetherwith the systems and components they control,these control systems shall ensure that duringoperational conditions, or in the event of a singlefailure of the control systems, there will be noneed to start safety systems designed for postu-lated accidents.

The I&C systems of the plant shall be sufficientfor monitoring and control of the reactor and theprocess systems. The function of these opera-tional control systems is to keep process param-eters during operational conditions within thenormal operational range of the parameters andto control the condition of the systems andequipment at the plant.

The operational I&C systems shall be designedso that sufficient state and alarm information isavailable for automatic or operator-assisted ac-tuation of corrective control actions in case theplant parameters depart from the normal opera-tional range.

The alarm limits of the operational I&C systemsshall be set such that the mitigation actions likecontrol can be performed and completed so thatthe limits for the actuation of the safety func-tions are not reached.

To ensure that a single failure of the operationalI&C systems does not change the process pa-

rameters so that the limits for the actuation ofthe reactor safety functions are reached, theoperation of the operational I&C systems shallbe ensured by milder functions than those of thesafety systems.

Guide YVL 1.0, subsection 3.6, provides that thereactor and other structures, systems and compo-nents of the nuclear power plant shall be provid-ed with sufficient instrumentation for monitor-ing the process parameters and the operationand condition of systems.

The measurements of the nuclear reactor shallallow precise and reliable enough input data forthe calculation of the performance of the reactorand the protection, control and monitoring sys-tems.

At least the following parameters related to thereactor shall be controlled:• the neutron power and thermal power of the

reactor• the pressure of the reactor• the water level in the reactor• the main circulation flow of the reactor• the temperature at different parts of the

primary circuit• the water level and the pressure of the pres-

surizer (PWR)• the flows in and out from the primary circuit• the water level and pressure of the steam

generator (PWR)• the boron concentration in the primary cir-

cuit (PWR)• the position of the control rods.

In the design of the monitoring of the reactor,the following requirements shall be considered:• The power distribution in the reactor shall be

defined reliably and the thermal margins ofthe reactor shall be calculated regularly.

• Any incorrect operational conditions of thereactor core shall be able to observe reliablywith the aid of reactor instrumentation.

• The reactor shall be monitored by measure-ments or other means so that any incorrectposition of the internals or the fuel can bedetected reliably.


8

• The control of possible loose parts in theprocess shall be adequate.

According to Guide YVL 1.0 the measurementsystems shall be capable of measuring accuratelyenough over the entire range within which themeasured parameters vary during operationalconditions or accidents. As far as possible, themeasurements shall be so planned that the oper-ators will easily see if the measurement fails orthe measurement range is exceeded.

Guide YVL 1.0, subsection 3.6, provides that thecontrol equipment shall be designed to recordprocess parameters indicating plant state andalso system control signals so that the plant’soperational events can be analysed afterwards.

2.3 Main control room andman–machine interface

According to paragraph one of section 22 of theGovernment Resolution (395/1991), a nuclearpower plant’s control rooms shall contain equip-ment which provide information about theplant’s operational state and any deviations fromnormal operation as well as systems which moni-tor the state of the plant’s safety systems duringoperation and their functioning during opera-tional transients and accidents.

According to section 19 of the Government Reso-lution (395/1991), special attention shall be paidto the avoidance, detection and repair of humanerrors. The possibility of human errors shall betaken into account both in the design of thenuclear power plant and in the planning of itsoperation so that the plant withstands well er-rors and deviations from planned operationalactions.

The functions assigned to the operators and tothe automatically actuated tasks shall be de-signed conducting an analysis of the controlfunctions needed during operational occurrencesand accidents so that limitations of human capa-bilities are considered. During the design of themain control room and its functions the methodsprovided by control room ergonomics shall beused to minimize human faults in the operationat the control room.

An independent expert assessment of the designof the main control room is included in a gooddesign practice.

The I&C systems at the main control room andthe procedures needed to control the nuclearpower plant shall be planned as a whole. Thefunctioning of planned systems and proceduresshall be verified at the plant simulator. Alsochanges in the functions of the control room andsignificant ergonomic changes shall be verifiedat the plant simulator before making the chang-es at the control room. The requirements for theplant simulator are presented in Guide YVL 1.6.

According to Guide YVL 1.0 the control roomshall be so designed that the measures necessaryto control the plant can be performed there dur-ing operational conditions and accidents. Thestructures and safety systems of the control roomshall be so designed that safe working is possiblethere even during accidents.

According to Guide 1.0 also ergonomic principleswhich apply to control room work and whichmake possible the reliable performance of controlmeasures shall be considered in the design of thecontrol room, the emergency control post andlocal control posts. Particular attention shall bepaid to the design of control panels, alarm sys-tems and computer-based display systems sothat, in the event of a transient or accident, theoperators can obtain a good overall picture of theplant state and that data most important for theplant’s safety are clearly displayed.

According to Guide YVL 1.0, the diversity princi-ple shall be complied with, if possible, in thedesign of systems which give an overall picture ofthe plant state and provide data relating toalarms.

The displays and alarms at the control roomshall be designed and implemented so that withthe help of these operators get reliable informa-tion on any plant occurrences needing operatoractions. The alarms shall be prioritized based onthe safety significance of the events. The process-ing and display of alarms of the I&C systems inthe control room shall be designed such that


9

alarms important to safety are noticed as relia-bly as possible.

The hierarchy of the displays shall be logical andthe process information needed shall be easilyavailable. In addition, a logical marking systemshall be used when displaying the information ofthe process systems.

The control room is an essential premise at thenuclear power plant encompassing systems andequipment belonging to different safety classesas well as non-classified systems. In the designof the control room, the physical and functionalseparation between and/or within redundantsafety systems and systems and equipment be-longing to different safety classes shall be con-sidered.

The electrical power supply of the I&C systemsin the control room shall be ensured according toGuide YVL 5.2.

The requirements of fire protection, protectionagainst flooding, lighting, air conditioning, noisereduction, radiation protection and access con-trol shall be considered in the design of thecontrol room.

2.4 Emergency control posts and localcontrol systems

According to paragraph 3, section 22, of theGovernment Resolution (395/1991), there shallbe an emergency control post at a nuclear powerplant which is independent of the control roomand the necessary local control systems by themeans of which the nuclear reactor can be shutdown and cooled and residual heat from thenuclear reactor and spent fuel stored at the plantcan be removed.

According to Guide 1.0 the emergency controlpost shall be so designed that the reactor can beshut down from there and the plant can bebrought to a stable shutdown state. The shut-down of the reactor and the actuation and main-taining of the functions needed for residual heatremoval shall be possible from the emergencycontrol post. The emergency control post can be

located in one room or in multiple rooms. Inaddition, adequate facilities for communicationshall be ensured.

The plant shall be designed such that it ispossible to move safely and fast enough from themain control room to the emergency controlpost.

According to Guide YVL 1.0 the control systemsof the emergency control post outside the controlroom shall be separated from the control systemsof the control room in such a way that if theequipment in one fire compartment are entirelydestroyed by fire this does not harm both controlsystems so much that safety functions could notbe carried out.

The main control room and the emergency con-trol post shall be independent. This independ-ence shall be carried out using physical segrega-tion and functional independence. The nuclearpower plant shall be designed such that themain control room and the emergency controlpost are located in different fire departments.The functional separation of the main controlroom and the emergency control post shall besuch that they are separated electrically. Thedesign of the nuclear power plant shall be suchthat the nuclear reactor and the removal ofresidual heat can be controlled only from themain control room or the emergency control postat a time.

The functions located at the emergency controlpost and the adequacy of the status informationof the plant systems shall be analysed in differ-ent situations needing control in case the plantcan not be controlled and monitored from themain control room. The applicability of the solu-tions chosen shall be examined under variouscircumstances which make the use of the controlroom impossible.

2.5 Accident instrumentation

2.5.1 General requirements

According to Guide YVL 1.0 for the purpose ofaccident monitoring and management, appropri-


10

ate measuring and monitoring instrumentationshall be designed for the plant by which theoperating personnel obtains sufficient data forevent assessment and for the planning and im-plementation of countermeasures.

The measuring and monitoring systems for acci-dent monitoring and management shall operatealso in the case of a single failure.

Information on postulated accidents shall beavailable for the operators in the main controlroom. The measurements belonging to the acci-dent instrumentation shall be identifiable at themain control room so that the main control roompersonnel can easily distinguish them from oth-er measurements.

In the case of an accident the process informa-tion shall be recorded so that the data can beanalysed afterwards.

The requirements for the environmental qualifi-cation of equipment belonging to the accidentinstrumentation and the severe accident instru-mentation are presented in subsection 3.1.

2.5.2 Postulated accidents

At least the following types of measurementsshall be included in the instrumentation for themonitoring and management of postulated acci-dents:• measurements used in a later phase for man-

ual actuation of safety functions neededwhich have not been actuated automatically

• measurements to ensure completion of safetyfunctions by the control room personnel

• measurements giving information about theoperation of individual safety systems andassociated equipment

• measurements to monitor the integrity ofmultiple, subsequent technical barriers forpreventing radioactive releases

• measurements to estimate radioactive releas-es.

The number of measurements shall be sufficientto facilitate observation of changes in local cir-

cumstances, e.g. inside the containment, thathave a bearing on accident management.

2.5.3 The accident management supportfunction

According to paragraph 3, section 13, of theGovernment Resolution (395/1991) effective tech-nical and administrative measures shall be tak-en for the mitigation of the consequences of anaccident. Counter-measures for bringing an acci-dent under control and for preventing radiationhazards shall be planned in advance (mitigationof consequences).

The nuclear power plant shall be designed sothat, to help the operators in accident manage-ment, there shall be a support function in addi-tion to the other alarm information at the maincontrol room. This support function is for moni-toring and displaying the status information ofthe needed safety functions. It shall be imple-mented using an independent function, a socalled accident management support function.The information shall be displayed in such formthat the operators can easily define the status ofthe plant. The information shall be separatedfrom other information at the control room bydifferent means of displaying the information.The accident management support function shallbe available during all operational conditions ofthe plant and during postulated accidents.

The corresponding support function shall beavailable also for the shutdown state of theplant.

2.5.4 Severe accident

For the management and monitoring of a severeaccident the nuclear power plant shall beequipped with the monitoring instrumentationrequired by Guide YVL 1.0 subsection 3.6.

The design of the monitoring instrumentationfor severe accidents shall fulfil the followingrequirements:• The measuring methods chosen shall be suit-

able for monitoring severe accidents.


11

• The instrumentation shall be independentfrom all the other instrumentation at theplant.

• The power supply of the instrumentation(electricity, compressed air, etc.) shall be inde-pendent from all other power supplies of theplant.

The requirements apply also to control actionspossibly needed during a severe reactor acci-dent.

3 General designrequirements

3.1 Qualification to environmentalconditions

Environmental conditions and stresses of I&Csystems and equipment of a nuclear power plantshall be specified for all planned operationalconditions and for storage and transportation.The equipment shall be designed such that theirfunctional performance will be maintained inaccordance with the specified requirementsthroughout their planned service lifetime. Thesafety classified equipment shall be qualified tothe planned environmental conditions andstresses through tests prescribed by standards.The tests shall correspond to the most unfavora-ble, potential local operational conditions.

The structure and materials of automationequipment needed in accidents shall be selectedsuch that the functional performance of theequipment in accidents will be maintainedthroughout their planned service lifetime, inaccordance with the specified requirements.

The influence of environmental conditions andstresses and internal process conditions in pos-tulated accidents shall be accounted for in thedesign of measurements that use other thanelectrical signals, such as hydraulic and mechan-ical signals. An example of such signals occurs inmeasurements using impulse pipes.

The type tests of equipment needed during orafter postulated accident situations shall form auniform series of tests in which the same testsamples are subjected to anticipated environ-mental stresses of the design basis of the appli-cation. Prior to the tests corresponding with theaccident conditions, the test samples shall un-dergo artificial ageing equivalent to the plannedservice lifetime.

Artificial ageing of the equipment shall be car-ried out such that it with adequate confidencecorresponds to real ageing. The ageing is usuallycarried out so that the equipment first under-goes thermally induced ageing and then radia-tion-induced ageing. After this, a mechanicalload test is performed for the equipment, andfinally the afore-described tests correspondingto the postulated accidents are performed.

A test of the postulated accidents shall includeexposures to radiation and stresses caused bytemperature, pressure and humidity correspond-ing to accident conditions, as well as rapidchanges in conditions. The composition of waterused in the tests, eg. spraying the components,must correspond to that of the water occurringin accident conditions. If the equipment may besubmerged in water in a postulated accident andif it needs to function also under such conditions,functional performance shall be demonstratedalso for such a situation. The tests shall bedesigned such that they demonstrate, with asufficient confidence, the functional performanceof the device under accident conditions through-out the planned service lifetime of the equip-ment.

Seismic tests and analyses shall be performed inaccordance with Guide YVL 2.6.

If an automation device is to function in severereactor accidents it shall be qualified for thispurpose by using suitable methods. The mainte-nance of the functional performance of automa-tion devices located in the reactor containmentduring hydrogen fires shall be demonstrated ifthe equipment needs to operate in accident situ-


12

ations in which the occurrence of hydrogen firesis possible.

3.2 Electromagnetic compatibility

I&C systems and equipment in a nuclear powerplant shall be reliably protected against theeffects of electrical and magnetic interferencefields, mains interference, radio induced inter-ference and disturbances caused by telecommu-nication.

I&C equipment shall be designed and installedin such a way that they themselves do not causeany harmful electromagnetic interference intheir operational environment.

In accordance with section 2.1 of Guide YVL 5.2,earthing systems and lightning protection sys-tems shall be designed to effectively protect peo-ple, buildings, equipment as well as electricaland I&C systems against overvoltages, overcur-rents and any other possible electromagneticinterference due to climatic factors.

Also other sources of disturbances caused bynature and man shall be considered. The meth-ods and technical solutions used for adequateprotection of I&C systems at the nuclear powerplant against electromagnetic disturbances shallbe justified.

3.3 Fire analyses

Guide YVL 4.3 presents requirements for thedesign and implementation of fire protection atnuclear power plants, as well as the fire protec-tion related documentation to be submitted toSTUK. In accordance with section 3.8 of GuideYVL 4.3, fire hazards analyses shall always beperformed for the containment and the controlroom. By means of the fire hazard analysis of thecontrol room it shall be demonstrated that thecontrol of the necessary safety functions can beaccomplished in the event of a fire in the controlroom or in any other fire compartment. In thiscontext, also the influence of fires on the cablesof I&C systems shall be examined, including theway in which the subsequent disturbances and

faults are reflected in the implementation ofprotection and control functions.

The analyses shall examine such fire situationsthat may affect the I&C systems and equipmentin the form of heat, smoke or other fire inducedeffects or fire fighting measures and substances.

The potential failure modes of systems, equip-ment and cables, as caused by elevated tempera-tures, smoke and fire fighting measures, shall beidentified. Their influence on the passing troughand correctness of control signals shall be exam-ined. Failure modes affecting protection func-tions shall be identified. The risk of a fault or adisturbance spreading through power suppliesor the data transmission network, shall be eval-uated. The analysis shall examine the availabili-ty and correctness of plant status information inthe control room and the emergency control postas well as the options for operator action toensure plant safety functions in different distur-bance and fault situations caused by fires.

The analysis shall examine uncertainties associ-ated with the most essential factors.

3.4 Information security

In the design, operation and maintenance of theI&C system attention shall be paid to securityissues. Unauthorized access to equipment, soft-ware or information systems important to thedisturbance free plant operation shall be pre-vented. Unauthorized access to equipment ofsystems important to safety shall be preventedby using physical, technical and administrativesecurity measures. The installation of unauthor-ized parts of software during design, manufac-turing, commissioning, periodic testing andmaintenance shall be reliably prevented. Au-thorized accesses to a system, and any modifica-tions made during such accesses, shall be tracea-ble.

3.5 Other requirements

In accordance to section 2.5.3 of Guide YVL 2.0,subsystems performing the same safety function,


13

whether they be similar or diverse to each other,shall be physically separated such that the po-tential occurrence of a common cause failure dueto external influences is very unlikely (separationprinciple). The I&C systems of the subsystemsshall be physically and functionally separated.

In accordance to section 2.7 of Guide YVL 2.0,when a system connects to another system theirinterfaces shall be defined and designed suchthat the connection between the systems does notendanger the operation of systems carrying out asafety function. In addition, the interfaces of asafety system and its support systems shall bedesigned such, if possible, that the failure of theinterfaces does not endanger the system’s own, orany other system’s, safety function, and so as toprevent failure propagation across interfaces. Itshall be ensured in the design that a function ora fault of an I&C system or equipment belongingto a lower safety class does not cause a failure ofa function of an I&C system belonging to ahigher safety class.

Data communication inside and between I&Csystems shall be designed such that errors indata communication do not cause faulty func-tions or prevent the functioning of safety func-tions. The data communication system shall ful-fill the response time requirements during nor-mal plant operation, operational disturbances,and accidents. This shall be demonstrated forSafety Class 2 and 3 I&C systems in all theirpotential load situations.

In accordance with section 3.13 of GuideYVL 1.0, a clear marking system shall beplanned to identify components. In order to makeit easier to identify equipment and to avoidhuman errors, the equipment and cables of plantI&C systems shall be equipped with labeling ofdurable material that can be easily read duringinspection, maintenance and troubleshooting.

Versions of software and hardware shall beequipped with unambiguous identifications inorder to facilitate version management of pro-grammable systems and to avoid human errors.The licensee shall have implemented appropri-

ate configuration and version management pro-cedures that cover different systems, their hard-ware and software.

In the design of user interfaces for systems andequipment attention shall be paid to humanfactors.

A particular justification shall be provided for aneed to use wireless controls. A device or asystem comprising wireless control shall be de-signed such that the control action is possibleonly through a connection signal designed forthe control and that the system or the devicegoes quickly enough in a state preferable fromthe safety point of view in case the control signalbreaks off.

Guide YVL 5.2 presents requirements for thepower supplies of I&C systems and equipment.

4 Design andimplementation ofI&C systems

4.1 General requirements

In the design of I&C systems and equipment innuclear power plants, the principle of preventionshall be employed, according to which in design,construction and operation proven or otherwisecarefully examined high quality technology shallbe employed to prevent operational transientsand accidents [ Government Resolution (395/1991), section 13 , 1st paragraph].

Guide YVL 2.0 presents general requirementsfor the organization designing nuclear powerplant systems and equipment, for the independ-ent assessment, as well as the deterministic andprobabilistic principles to be used in the design.

The general principle is that applicable nuclearguidelines and standards are used in the designand implementation of safety classified I&C sys-tems. Standards and guidelines intended fornuclear engineering applications as well as qual-


14

ity management measures that comply withthem are used in the design and implementationof Safety Class 2 equipment. In the design ofSafety Class 3 and 4 equipment applicablestandards are used as well as quality manage-ment measures that are in compliance withthem.

The standards used in design and implementa-tion shall be specified and their applicabilityjustified. Potential deviations from the specifiedstandards shall be evaluated and justified forI&C systems and equipment belonging to SafetyClass 2 or 3.

The requirements for specification, design, im-plementation, maintenance and quality manage-ment of I&C systems and equipment shall becommensurate with their safety class and safetysignificance. Also the reliability requirements ofthe design basis functions shall be accounted forwhen specifying requirements for the design,implementation and qualification of I&C sys-tems and equipment.

In accordance with Guide YVL 1.4, the licenseehas an overall responsibility that the regula-tions in force and the requirements inYVL Guides are taken into account in the quali-ty management systems of different organiza-tions. The licensee has the main responsibility toensure that the specified quality requirementsare followed and that a sufficient quality level isachieved. It shall be ensured that the qualityrequirements are appropriately conveyed to theorganizations and their subsuppliers responsiblefor the design, manufacturing and maintenanceof I&C systems and equipment.

4.2 Quality management


In accordance with the Government Resolution(395/1991), section 21, 2nd paragraph, the sys-tems, structures and components important tosafety shall be designed, manufactured, installedand operated so that their quality level and theinspections and tests required to verify theirquality level are adequate considering any item’ssafety significance.

Quality management procedures of the licenseeshall be used to ensure this. They shall describethe systematic procedures used during design,construction and operational activities of a nu-clear power plant, as affecting the quality.

Advanced design, manufacturing and changemanagement methods, taking into account thespecific features of the technology being applied,shall be utilized in the design, manufacturing,installation, operation and maintenance of I&Csystems and equipment of nuclear power plants.High-standard quality management is essentialin the qualification of programmable systems, inparticular. Quality management measures en-sure that the structure and features of theproduct batches procured to the plant are inaccordance with those of the products that havebeen qualified.

4.2.2 Quality management system

Concerning the construction and operationalphases of a nuclear power plant, general qualitymanagement requirements shall be specified forI&C systems and equipment, taking into ac-count the safety importance of the item. Qualitymanagement during construction shall cover thequality management of the various parties en-gaged in design, manufacturing, receiving, in-stallation and commissioning. The quality man-agement of operating plants shall cover corre-sponding measures as well as the operation,maintenance and modification design of existingsystems and equipment. It shall be applied to allthe parties involved.

The quality management system used duringoperation shall include, among other things, pro-cedures for periodic maintenance and tests, eval-uation of the test results, repairs and modifica-tions, version management, replacement withspare parts, urgent repairs, and ensuring andmaintaining the accuracy of measuring equip-ment. In addition, the quality management sys-tem shall describe the procedures for ensuringthat the quality of I&C equipment needed inoperational and accident situations is main-tained throughout the service lifetime of theplant.


15

In addition to the general quality managementrequirements, quality assurance plans shall beprepared. They shall include detailed instruc-tions for the procurement, manufacturing, re-ceiving, installation, commissioning and mainte-nance phases.

The design, implementation and modificationprojects of I&C systems shall be facilitated by aseparate quality plan, in accordance with sub-section 4.2.3.

4.2.3 Quality management of the designand implementation of an I&C system

A quality plan specifying the quality manage-ment measures to be used shall be drawn up forthe design and implementation of an I&C sys-tem. The quality plan shall cover the design,implementation and commissioning of the sys-tem as a whole. The quality plan shall be pre-pared in accordance with an applicable stand-ard. The quality plan shall ensure that potentialerrors are detected, that adequate measures aretaken to correct them, and that the qualitymanagement requirements imposed by the li-censee are fulfilled in the procurement.

The quality plan shall describe the interfaces oforganizations participating in design, interfacemanagement, responsibilities for project qualityfunctions in the various organizations involved,as well as the control of subsuppliers. The quali-ty plan shall describe the measures used toensure the correctness and completion of docu-mentation at the end of each phase of theproject. Furthermore, the plan shall specify theversion and change management measures to beused in the design and implementation of thesystem, as well as the procedures used to revisethe quality plan.

The quality plan shall specify an appropriatereview procedure for intermediate results, wherethe licensee evaluates the design process of thesupplier, in particular. The objective of the re-views is to eliminate design errors as early aspossible and to ensure that the design basis,safety, operational and maintenance require-ments are taken into account as well as toensure the correctness of technical implementa-

tion and the timely progress of the qualificationprocess. Reviews concerning the design of thesystem shall cover the system and equipmentqualification described in section 4.4.

The quality plan of a Safety Class 2 I&C systemshall include an assessment that is independentfrom design and implementation and assessescompliance with the quality plan and the ade-quacy of the measures taken to correct anyrevealed deficiencies. Those making the assess-ment shall have competence in the quality man-agement of safety applications and in the tech-nology in question. These competences shallhave been proven in practice and be relevant tothe specific assessment to be performed.

Suppliers of I&C systems and equipment be-longing to Safety Class 2 or 3 shall employ aquality management system in compliance withan appropriate standard and that system hasbeen independently assessed.

The licensee shall specify the procedures used toevaluate, select and control the suppliers of I&Csystems and equipment. Before design and im-plementation is started, it shall be confirmedthat the organizations involved fulfill the pre-requisites for high quality work.

4.3 Design process


Simplicity, fault tolerance, and a timely detectionof potential failures shall be aimed at in thedesign of an I&C system for the nuclear powerplant. Design and implementation shall utilizefault avoiding and revealing methods.

The I&C systems and equipment of a nuclearpower plant shall be designed and documentedsuch that, during the different phases of thedesign process, it can be ensured that thespecified requirements are transferred correctlyinto the system to be commissioned. The firstphase of this so-called life cycle model is therequirement specification. The different phasesof the design process shall be described in thequalification plan (section 4.4).


16

The inputs and the results of each phase shall bedocumented such that they can be assessed by aperson who is independent from the supplier,the licensee, and the design. Each design phaseof a Safety Class 2 system shall be verifiedagainst the requirements specified by the pre-ceding phase. The design process as a wholeshall be transparent and verifiable. A designprocess consisting of different phases has beendescribed in many guidelines and standards,such as the IAEA guidelines and the IEC stand-ards referenced in this guide.

4.3.2 Requirement specification

The requirement specification of the I&C sys-tems or equipment of a nuclear power plantshall include all significant functional, perform-ance and reliability requirements. In addition, itshall describe other requirements affecting sys-tem design such as environmental conditionsand stresses as well as requirements concerninginterfaces, periodic testing, maintenance, infor-mation security and lifetime. Requirements thatare important to safety shall be consistent withthe assumptions made in the safety analysis ofthe plant. The man machine interfaces of asystem, and the interfaces to the other systemsof the plant, shall be clearly specified.

The requirement specification shall be mademore precise when the design proceeds to subse-quent phases. The final requirement specifica-tion of systems, equipment, hardware and soft-ware shall be sufficiently detailed and compre-hensive, such that implementation can be testedor verified against corresponding requirements.The requirements shall be consistent and unam-biguous. The fulfillment of the requirementsshall be verifiable. The requirement specifica-tion shall be maintained throughout the wholedesign, manufacturing and operational life cycleof the system.

The plant specific requirement specifications ofI&C systems and equipment belonging to SafetyClass 2 or 3, shall be sufficiently detailed for thesystem validation, as well as for the suitabilityanalysis that is performed in accordance withsection 4.4.7 for the equipment selected to thesystem.

The correctness, completeness and consistencyof the requirement specification of a Safety Class2 system shall be independently assessed. Theassessment report shall present the observa-tions made, and a justified conclusion.

4.3.3 Documentation

In the beginning of the design process of I&Csystems or equipment, the documentation re-quirements and the documentation managementprocedures, which are applied since the start ofthe project, shall be specified. In the principaldesign phase, a clear and precise presentationmethod, understandable to experts in differentfields, shall be used for functional specificationof the system. The use of functional block dia-grams or corresponding design presentationmethods belongs to a good design practice.

The documentation describing the system shallbe structurally clear and comprehensive. Theinformation included in the documentation shallbe up-to-date and sufficient to support the verifi-cation and validation of the system.

The documentation of I&C systems and equip-ment shall be updated in connection with modi-fications. Guide YVL 1.4 presents requirementsfor the documentation management part of thequality management system of the licensee.

4.3.4 Change management during thedesign process

An appropriate change management procedure,which is applied throughout the whole designprocess, shall be specified in the beginning of thedesign process of I&C systems or equipment.

4.4 Qualification plan


The systems and equipment at a nuclear facilityshall be qualified to their intended use. Thelicensee shall draw up a special qualificationplan to demonstrate the suitability of SafetyClass 2 and 3 I&C systems and equipment fortheir intended use. The qualification plan shall


17

include material from four areas: design andmanufacturing process, tests, analyses, and op-erating experiences. If there is little qualifica-tion material in one subarea, the lack of it shallbe compensated for with additional materialfrom another subarea. The qualification planshall describe the suitability analyses to be per-formed. The reports of previous type test approv-als of systems or equipment shall be attached tothe qualification plan in case they are to beutilized in the demonstration of the qualifica-tions.

Independent expert assessment is used as partof the qualification of a Safety Class 2 system.Plans shall be drawn up for the independentverifications and validations to be performed.The scope, criteria and mechanisms of the inde-pendent assessment, the observations of theassessment and a justified conclusion shall bepresented in the assessment report.

The licensee shall evaluate and present a justi-fied conclusion on the acceptability of the quali-fication results.

The qualification plan shall be updated if therequirement specification of the system ischanged such that this affects the qualification,or if essential new information has been ob-tained about the system and this informationmay be considered to affect the qualificationplan.

4.4.2 Design and manufacturing process

The qualification plan shall describe the phasesof the system design and manufacturing process,as well as the verification made after each phaseand validation.

Those performing the verifications and valida-tion shall be technical experts of the designorganization, independent of the design or im-plementation of the system and piece of equip-ment. They shall verify that each work phasefulfills the requirements specified by the preced-ing phase. Verification shall be performed for alldesign and manufacturing phases of a SafetyClass 2 I&C system, and for all essential phases

of a Safety Class 3 I&C system, up until the finalproduct. The final product shall be validatedagainst the requirements of the product. Theverification and validation plans, and the re-sults, shall be documented such that they can beevaluated by an external party if necessary.

4.4.3 Tests

Tests can be divided into tests performed duringthe design and manufacturing process and testsperformed for the implemented I&C systemsand equipment. The equipment consists of fieldequipment and I&C equipment.

Tests performed during the design and manufac-turing process include, among other things, unittests, integration tests and system tests. Thetests performed for software can be divided intostatic and dynamic tests. The purpose of thetests performed during design and manufactur-ing is to ensure that the I&C systems or equip-ment fulfill the functional and performance re-quirements specified for them. These tests arecompleted by factory tests. Statistical testingmay be used to support reliability considera-tions, in particular.

A test plan shall be drawn up for the tests to beperformed for an I&C system and its equipment.Test experts, who are independent from designand manufacturing, shall perform the tests inaccordance with the test plan. The test plan,acceptance criteria and results shall be docu-mented such that they can be independentlyassessed.

With the testing and analyses it shall also beensured that there are no unintentional func-tions in the system or its equipment that couldbe detrimental for safety.

The adequacy of tests performed for a SafetyClass 2 system shall be justified and the testcoverage analyzed against the requirementsspecified for the system.

The compliance with requirements and the fault-freeness of an I&C system or piece of equipmentshall be evaluated after the factory tests in order


18

to ensure that the system or the piece of equip-ment may be transported to the plant site. Theproject time schedule shall be designed suchthat the potential design modifications neededafter the factory tests can be made in accordancewith procedures commensurate with the safetyimportance of I&C systems or equipment.

Tests required for the equipment of an imple-mented system are typically type tests and envi-ronmental tests, which are performed takinginto account the application (system and plantenvironment). Acceptance tests and commission-ing tests, among other things, are performed forthe implemented system at the plant.

The final testing shall demonstrate that the I&Csystem or equipment fulfill the functional andperformance requirements specified for it. Thetesting can be partially based on simulation. Thefinal testing shall, however, be performed in thefinal operational environment.

Guide YVL 2.5 presents requirements for thesystem commissioning tests to be performed atthe plant.

Specific requirements for programmable systemsand equipment are given in section 4.6.5.

4.4.4 Analyses related to safety

The fulfillment of the functional and perform-ance requirements shall be demonstrated aspart of the system and equipment qualification,including the analyses needed for this.

Safety Class 2 systems shall be subjected to afailure mode and effects analysis, a commoncause failure analysis, an operating experienceanalysis, and a quantitative reliability analysis.

Safety Class 3 I&C systems shall be subjected toa failure mode and effects analysis, a commoncause failure analysis and an operating experi-ence analyses, and, depending on the safetysignificance, a quantitative reliability analysis.

Safety Class 2 and 3 systems shall be subjectedto a safety assessment, which demonstrates ful-

fillment of the safety requirements. Plant specif-ic PSA shall be updated to correspond to themodified system.

Specific requirements for programmable systemsand equipment are given in section 4.6.

4.4.5 Operating experiences

Former operating experiences shall be analyzedfor I&C systems belonging to Safety Class 2 or 3,for Safety Class 2 equipment, and for equipmentbelonging to essential accident instrumentationin Safety Class 3. The operating experiencesshall be collected with a well specified method.The comprehensiveness of the collection processand its significance for the reliability of the datashall be evaluated. The operating experiencesshall be representative for the application underconsideration. The collection time period shall belong enough. The use of operating experiencesfrom other hardware or software versions, set-ups and operational profiles, for the qualificationof a system or equipment, shall be justified.

4.4.6 Type approval

All equipment in Safety Class 2 and essentialaccident instrumentation in Safety Class 3 (NRCRegulatory Guide 1.97, cat. 1) shall possess atype acceptance certificate according to an appli-cable nuclear engineering standard awarded byan accredited body or a body performing inspec-tions with corresponding competence. The certif-icate shall cover the assessment of the equip-ment design and the quality management of itsmanufacturing. The equipment conformity tothe requirements shall be demonstrated by testsand analyses and by practical type tests.

The assessment of the quality management shallinclude the inspection of the equipment manu-facturing documents and the evaluation of themanufacturing process. The assessors shall havea competence proven in practice in the evalua-tion of quality control systems and in the assess-ment of the conformity with technical require-ments of the equipment used in safety applica-tions. Special attention in the evaluation of thequality management shall be paid on measures


19

used to assure that serial production equipmentcorrespond to inspected equipment.

The certification report shall present the obser-vations made in the inspection, the justificationfor the acceptability of the product and theterms of the validity of the acceptance.

The certificate of a piece of computer-basedequipment shall cover the evaluation of bothsoftware and hardware. Additional requirementsfor the software are presented in subsection 4.6.

4.4.7 Suitability analysis

A suitability analysis shall be performed to allSafety Class 2 and 3 equipment. In the analysisthe functional and performance capabilities ofthe piece of equipment shall be assessed againstthe requirements specified for it as a part of theI&C system. In particular, one shall examineenvironmental tests, software evaluation, equip-ment operating experiences, and the reliabilityof the functioning of the piece of equipment inrelation to its safety importance.

In the suitability analysis it shall be presentedhow the supplier fulfills the prerequisites forproduct delivery as per section 4.2.

The suitability analysis shall be performed inaccordance with an instruction belonging to thequality management system of the licensee.

4.5 Installation and commissioning

A receiving inspection shall be made to equip-ment and software belonging to Safety Class 2, 3or 4. In the receiving inspections, the licenseeshall ensure that the I&C equipment correspondto the design plans and that the results of theirquality control are acceptable. Furthermore, itshall be ensured that the equipment has notbeen damaged during transport. Potential testsbelonging to the receiving inspection shall beperformed with acceptable results. The receivinginspection shall be appropriately documented.

The licensee shall perform an installation in-spection on installed equipment belonging to

Safety Class 2, 3 or 4. In the inspection, thelicensee shall ensure that the receiving inspec-tion has been acceptably performed and that theinstallation is appropriate. An installation timeschedule shall be specified for the installations.Also the procedures used in documenting theinstallations as well as the scope of installationand connection inspections and of functionaltests shall be specified.

The licensee shall perform a commissioning in-spection on installed or modified systems be-longing to Safety Class 2, 3 or 4. It verifies thatthe installed system is in accordance with theaccepted design documents and that this hasbeen ensured by sufficient inspections and tests.It shall also be verified that any deficiencies andfaults identified in the inspections have beencorrected. The commissioning inspection shallalso ensure that potential changes made in thecommissioning phase have been implementedaccording to procedures specified for changemanagement.

The commissioning inspections shall deal with,and make a collected summary of, the fulfill-ment of quality management by the licensee andensure that there are no obstacles for the com-missioning. The commissioning inspection shallensure that the installation place and environ-ment of the equipment and systems are consist-ent with the requirements specified. The instal-lation inspections and functional tests shall havebeen acceptably performed and there shall be nosuch deficiencies in the commissioning resultdocumentation and the protocols related to com-missioning as would form obstacles to commis-sioning. The completion of instructions relatedto the system shall be ensured. The commission-ing inspection shall also ensure that any re-marks made by STUK during earlier regulatorymeasures have been appropriately taken care of.

Procedures used during the receiving, installa-tion and commissioning of I&C systems andequipment shall be presented in the qualitymanagement system of the licensee. They shalldescribe the duties of the organizations respon-sible for a specific measure, the division of work,the responsibilities, and the procedures used for


20

documentation and the scope of inspections to bemade.

The organization unit responsible of the com-missioning inspections shall fulfill applicablerequirements concerning inspection bodies pre-sented in Guide YVL 1.3.

4.6 Specific requirements forcomputer-based systems andequipment

4.6.1 Qualification of the platformand the application

The qualification plan for a computer-based sys-tem shall include the qualification of both theplatform and the application. Section 4.4.6presents general requirements for type approv-als. These requirements apply also to platform.It shall be considered whether platform andequipment belonging to Safety Class 3, but re-quiring no type approval according to section4.4.6, should be subjected to a software evalua-tion against a suitable standard. This considera-tion shall be based on the reliability target setfor the system or the piece of equipment. Theevaluation report shall present the observationsmade in the inspection, the need for potentialcorrective measures, and a justified decision onthe acceptability of the software for the intendedpurpose.

The factors used to demonstrate the reliability ofa computer-based system are especially a high-standard design process of the platform and theapplication, the competence of the personnelparticipating in the design and implementation,as well as the use of standards applicable tosoftware production. Various independent in-spections and assessments of compliance withthe requirements, as well as applicable tools, areessential parts of a high-standard software de-sign process.

4.6.2 Software tools and design methods

The qualification plan shall identify all softwaretools, as well as test and design methods, used inthe design and implementation of systems and

equipment belonging to Safety Class 2 or 3. Thetools include for example translators, code gen-erators, analyzers, etc.

The operating experiences of software tools thatare used in the design and implementation ofSafety Class 2 systems and equipment, shallhave been collected and documented in a com-prehensive and systematic manner. The designand implementation of Safety Class 3 systemsand equipment shall utilize standard softwaretools, whose version management, maintenanceand fault data collection are appropriately docu-mented. Standard software tools shall be used inthe design and implementation of Safety Class 4systems.

Version management, maintenance and modifi-cation design of those tools that are used forconfiguration or object code generation shall beimplemented with procedures in accordancewith the safety importance of system or equip-ment.

The influence of a potential tool-induced erroron safety shall be accounted for when specifyingqualification measures for software tools.

In the potential case of software tool error theprocedures used to ensure the reliable function-ing of systems installed at the plant shall bedocumented.

Proven, high-standard tools and test methodsshall be used in the design and implementationof software belonging to Safety Class 2 or 3. Thetools used for designing and implementing Safe-ty Class 2 software shall be qualified to theirintended use.

4.6.3 Pre-existing software and equipment

Pre-existing software is subject to the samerequirements as software to be developed. Anypotential deficiencies in the documentation andimplementation of the design process may besubstituted for by analyses and testing. Suchcompensating measures are evaluated by takinginto account requirements corresponding to safe-ty class and safety significance.


21

Software structure, functions, and functions tobe left out shall be analysed for the suitabilityanalysis of pre-existing software.

Documentation of the software and the systemshall be comprehensive enough to manage theversions of a piece of equipment or software inaccordance with procedures corresponding tothe safety importance of the piece of equipmentor the software.

4.6.4 Prevention and analysis ofcommon cause failures

Software faults are typically caused by designerrors. This means that the same failure modemay surface simultaneously in redundant partsof the system. The risk of a common causefailure related to design errors shall be broughtto a low enough level by using the diversityprinciple and other possible means to ensure asufficiently high reliability of the system func-tion. The measures taken to avoid a commoncause failure shall be documented and justifiedand presented as part of the analyses requiredby Guide YVL 2.7.

4.6.5 Testing of a computer-basedsystem or equipment

The test plan and procedures used for a systemor a piece of equipment belonging to the safetyclasses shall be sufficient, taking into accountthe safety importance and reliability target ofsystem or piece of equipment. Software shall betested also in the equipment setup to be in-stalled.

The final testing of a system belonging to SafetyClass 2 or 3 shall cover all system functions andtimings, and, as far as practically possible, selfdiagnostic functions.

Static and dynamic tests shall be used to testsoftware modules. The test cases shall include,among other things, transient situations used intransient and accident analyses.

The coverage of tests for Safety Class 2 systemsand equipment in the various test phases shall

be analyzed. The selection and amount of finaltests performed for Safety Class 2 systems andequipment shall be justified.

4.6.6 Other requirements for a computer-based system or equipment

The publication “Common position of Europeannuclear regulators for the licensing of safetycritical software for nuclear reactors”, (Europe-an Commission’s Advisory Expert Group, Nucle-ar Regulators Working Group, 2000) presents indetail some differences between the require-ments in different safety categories concerningdesign, implementation and maintenance of soft-ware. The requirements of this publication shallbe taken into account, when applicable, in thedesign of I&C systems and equipment.

The design of Safety Class 2 systems and equip-ment shall aim at simplicity. The structure of asystem shall minimize the spreading of the in-fluence of a single software error, and make itpossible to verify the requirements specified forthe system. The execution cycles of softwareshall be specified. Those software parts that areunnecessary for functional performance are tobe identified and their safety significance shallbe analyzed and taken account of in the designof the system.

The failure modes of the software shall be iden-tified and analyzed to a sufficient detail.

Programmable systems and equipment shall bedesigned with self diagnostic functions that arecommensurate with the safety importance of thesystem.

The coverage of failures by self diagnostic func-tions and periodic tests shall be analyzed forprogrammable I&C systems and equipment inSafety Class 2. Also the influence of potentialfailures in self diagnostic functions on the func-tioning of the protection I&C, shall be analyzed.

The traceability of requirements in the differentdesign phases of a computer-based system inSafety Class 2 shall be demonstrated as part ofthe qualification of the system.


22

5 Ageing managementAccording to subsection 3.15 of Guide YVL 1.0 innuclear power plant design, the service life andthe effect of ageing on the safety of all safetysignificant structures, components and materialsshall be assessed using sufficient safety margins.Furthermore, provision shall be made for thesurveillance of their ageing and, if necessary,their replacement or repair.

According to subsection 2.2 of Guide YVL 2.0during design, when choosing basic technologies,the life cycles of technologies and componentsshall be considered and any restrictions result-ing thereof anticipated. As great an independ-ence as possible from any single technology shallbe aimed at in the design solutions. Also compo-nent replacements and potential technologicalturning points shall be considered in advance sothat any modifications required at the plant canbe designed controllably and in good time.

An ageing management programme shall beestablished to monitor the residual lifetime ofthe systems and equipment at the plant or theneed for replacement. The different ageingmechanisms related to various components andtheir significance shall be considered when plan-ning the programme. The programme shall cov-er the methods for collecting and analysing thefailure data of the systems and equipment todetect possible changes in the failure rates toanticipate the need for replacement. The pro-gramme shall cover also other possible analysisand testing made for the assessment of theageing of the systems and equipment. Also fail-ure data from other plants and vendors shall bemade use of, to the extent possible, in ageingmanagement. The ageing management pro-gramme shall include all systems and equip-ment important to safety, regardless of theirsafety class. The choice of systems and equip-ment to the programme shall be justified in theprogramme. Specific attention is to be paid tothe condition of equipment needed in accidentsas well as the condition of their cables andinstallations. The requirements of the ageingmanagement of cables is presented in GuideYVL 5.2. The scope and efficiency of the ageing

management programme shall be assessedreqularly.

The ageing management programme of the I&Csystems and equipment of the nuclear powerplant shall also consider the ageing of the tech-nology of systems and equipment and the possi-ble need for remedial actions.

The results of ageing management shall be pre-sented in a yearly report. In addition to theresults of the fault history analysis of monitoredobjects and the results of possible other analy-ses, any repair measures required as well asdevelopment plans with their schedules shall begiven.

6 Control by the FinnishRadiation and NuclearSafety Authority

6.1 General regulatory principles

General requirements applicable to the prelimi-nary inspection of systems are given in GuideYVL 2.0. The guide prescribes that systems ap-proval is to be carried out as part of the reviewof the preliminary and final safety analysisreports.

During the operation of a nuclear power plant,when a system is modified or added, its prelimi-nary inspection is conducted according to a sepa-rate conceptual design documents for the modifi-cation and on the basis of pre-inspection docu-ments. According to the general principle ap-plied in the regulation of instrumentation andcontrol systems at nuclear power plants, theconceptual design documents and system-specif-ic pre-inspection documents of Safety Class 2and 3 systems, as well as those of systems whoseinspection is separately required by a STUKdecision, shall be sent to STUK for approval. Thepre-inspection documents of Safety Class 4 sys-tems shall be sent to STUK for information.

According to subsection 3.4.1 of Guide YVL 2.0the contents of the documentation submitted


23

can vary according to the safety significance tosafety and the scope of modification.

Any changes required to the final safety analysisreport after a modification shall be made with-out delay. Modifications are dealt with in GuideYVL 1.8.

A suitability analysis of Safety Class 2 I&Cequipment and essential Safety Class 3 accidentinstrumentation equipment shall be sent toSTUK for approval. Corresponding analysis ofother Safety Class 3 equipment are to be sent toSTUK for information.

YVL guides that apply to mechanical compo-nents, as well as to their pre-inspections andstructural inspections, place requirements onthose automation equipment whose mechanicalproperties have safety-significance, e.g. pres-sure-bearing equipment.

6.2 Conceptual design plan

The contents of a conceptual design documentsfor Safety Class 2 and 3 I&C equipment mainlycorrespond to those of the preliminary safetyanalysis report. The plan shall contain the de-scriptions below:• system design principles and bases• system functions, operating principles, essen-

tial design parameters and the assignment offunctions to equipment

• a description of a system’s importance in theaccomplishment of a safety function proper ifthe system supports a system performing asafety function

• the separation principles of a system and itscomponents (compartments, shielding) andtheir preliminary location at the plant, as persubsection 3.3 of Guide YVL 4.3

• preliminary safety classification of systemfunctions and equipment

• the environmental conditions and stresses ofthe system and the consequent design re-quirements

• requirements and dependencies arising fromother systems including auxiliary systems,support systems and the process controlledby the system

• system interfaces, including man machineinterface and interfaces with other I&C sys-tems

• a description of the principles of quality man-agement and of the competence of organisa-tions contributing to system design

• preliminary qualification plan• designer’s preliminary safety assessment• licencee’s own safety assessment in accord-

ance with subsection 2.3 of Guide YVL 2.0.

A system’s design bases shall present the guide-lines and standards according to which the sys-tem is designed. The preliminary safety classifi-cation of the system plus its equipment as wellas its environmental conditions and consequentdesign requirements shall also be given.

A plan of qualification according to subsection4.4, and any previous qualifications to be uti-lised in the qualification of the system, shall beincluded in the preliminary qualification plan ofthe conceptual design plan phase. The prelimi-nary qualification plan shall include a scheduleon the provision of the result documentation toSTUK.

The preliminary safety assessment shall demon-strate how the system fulfils the safety require-ments imposed on it. It shall also give a prelimi-nary assessment of how modifications to thesystem affect probabilistic safety analyses (PSA).

6.3 System pre-inspection documents

The pre-inspection documents of Safety Class 2and 3 I&C systems and, for applicable parts,those of Safety Class 4 I&C systems shall prima-rily contain descriptions equivalent to the con-tents of the final safety analysis report, and theyshall include the descriptions below:• detailed system design bases• detailed description of system operation and

configuration• system environmental conditions and stress-

es, and consequent design requirements• the location, segregation, protection (fire com-

partments, physical protection) of subsystemsimportant to safety


24

• impact on a nuclear power plant’s other sys-tems, and dependencies from other systemsas well as prevention of fault propagation

• a probabilistic assessment of the system’simpact on plant safety

• quality plan• information security plan• qualification plan• qualification result documentation• designer’s safety assessment of how the sys-

tem meets its safety requirements• licensee’s own safety assessment in accord-

ance with subsection 2.3 of Guide YVL 2.0• system specific requirements in the Technical

Specifications• other necessary descriptions.

The pre-inspection documents of systems aresubmitted for approval in stages such that thequalification result documentation and inde-pendent assessments are submitted only afterdesign and implementation have reached therelevant phases.

Instructions are provided in Guide YVL 2.0 onwhat system design bases should be included inthe pre-inspection documents. The requirementspecification of Safety Class 2 and 3 I&C sys-tems shall be sent to STUK for information. Thereport of the independent assessment of thecorrectness, completeness and consistency of therequirements specification of Safety Class 2 I&Cshall be sent to STUK for information.

Guide YVL 2.0 contains guidelines on the con-tents of the description of a system’s operation.A system’s operational description shall includealso the self-diagnostics of programmable sys-tems plus analysis of the coverage of the self-diagnostics.

System construction and operation shall be pre-sented in the form of schematic diagrams, wherenecessary, showing the below data, among otherthings:• principal diagrams and functional diagrams

of control functions, automatically actuatedtasks, interlocking, etc.

• a summary of the service data of measure-ments (symbol, measurement range, protec-tion and alarm limits)

• in case of a computer-based system, also thesystem’s and software architecture diagramsand flow diagrams are to be given

• software tools and their functional descrip-tion

• functional diagrams of electrical protections• principal design diagrams of auxiliary volt-

age supplies.

The means of quality management pertaining tosystem design and implementation shall be pre-sented in a quality plan. The instructions andprocedures relating to the quality plan are sentto STUK for information.

The qualification plan shall include data pre-sented in subsection 4.4 of this guide. The quali-fication result documents shall include the licen-see’s assessment of the realisation of qualifica-tion.

The system’s safety significance and the reliabil-ity targets of its functions are considered whenthe quality plan and the qualification plan arereviewed.

An information security plan containing the sys-tem’s data security related procedures and in-structions for operation shall be sent to STUKfor information.

A safety assessment shall be conducted for Safe-ty Class 2 and 3 systems by which fulfilment ofthe provisions of YVL guides and of the require-ment specification is demonstrated as well asthe effect on PSA.

Along with the system’s pre-inspection docu-ments, any impacts to the Technical Specifica-tions at principal level shall be stated.

As regards extensive plans with a significantbearing on nuclear safety, or plans requiringspecial know-how, the licensee shall considerwhether to commission their independent safety


25

assessment to an assessor entirely independentof the licensee’s organisation. The minimumcompetence required of individuals and organi-sations conducting design audits and independ-ent safety assessments is that which is requiredin the design task, and it shall have been provenin practice. After the assessments have beencarried out the licensee shall satisfy himself ofthe acceptability of the design by safety assess-ments based on sufficiently profound own know-how.

6.4 Equipment suitability analysis

STUK reviews the licensee’s suitability assess-ment as regards the below equipment:• Safety Class 2 I&C equipment• Safety Class 3 essential accident instrumen-

tation (NRC Regulatory Guide 1.97, cat. 1[1]).

A preliminary suitability analysis is submittedto STUK for approval in case a piece of equip-ment needs to be subjected to type approval aspart of its qualification. The preliminary suita-bility analysis shall state the standards applica-ble in the type approval process and the compe-tent body. Of that organisation, its accreditationor the data on inspection bodies required inGuide YVL 1.3 shall be given, as applicable.

In conjunction with the suitability analysis, thebelow data on each piece of equipment shall besubmitted for information:• plant and application specific requirement

specification• design bases• description of operation, design and construc-

tion as well as drawings• vendor data• quality plan• type approval report.

The suitability analysis of Safety Class 3 equip-ment is submitted for information without theaforementioned documents.

The guidelines and standards to be applied inthe design, manufacture, testing and installa-tion of equipment shall be stated in the designbases of each piece of equipment. Possible devia-

tions from applicable standards and guidelinesshall be presented and justified in accordancewith subsection 4.1.

The operation and construction descriptions aswell as drawings of equipment shall be sufficientto facilitate the evaluation of the type approvaland the review of the suitability analysis. Soft-ware tool descriptions shall be incorporated inequipment descriptions.

Vendor data shall include vendor organisation,competence and how their quality system hasbeen assessed. The assessment results of thequality system shall be presented.

6.5 Regulatory control ofmanufacturing, factory tests

At its discretion STUK controls by inspectionsthe manufacturing of I&C systems and equip-ment subject to pre-inspection. During the in-spections STUK must be provided with the op-portunity to check, among other things, thequality management systems of the manufactur-er, the documents on quality control duringmanufacturing and the documents referred to inthe qualification plan.

For the purpose of potential inspections bySTUK at the premises of vendors and suppliers,STUK shall be sent for information the testingschedules of systems (performance and function-al tests). The testing programmes of those facto-ry tests that STUK informs to monitor shall besubmitted for information.

6.6 Regulatory control of installations

At its discretion STUK controls the installationof Safety Class 2 and 3 I&C systems and equip-ment.

For installation control by STUK the installationschedule of Safety Class 2 and 3 I&C systemsand equipment shall be sent for informationprior to the commencement of their installation.During the inspection the licensee is to presentSTUK with the results of its own inspectionsplus the related documents.


26

STUK assesses during the inspections that theoverall implementation of installations corre-sponds to the plans in approved pre-inspectiondocuments and that it is up to the requiredquality level.

6.7 Commissioning inspections

STUK controls the commissioning testing of I&Csystems by onsite tests in accordance with GuideYVL 2.5. STUK witnesses onsite testing at itsdiscretion. The commissioning testing pro-grammes of Safety Class 2 and 3 I&C systemsshall be sent to STUK for approval and the testschedules for information well in advance of thecommencement of start-up testing.

The result documentation of the commissioningtests of the systems belonging to the safety class2 and 3 shall be submitted to STUK for approv-al. During the pre-inspection of the safety class 4systems STUK specifies which commissioningprogrammes, test schedules and result docu-mentation shall be submitted to STUK for infor-mation.

During the pre-inspection of I&C systems STUKspecifies the systems whose commissioning in-spections it will conduct. During these inspec-tions the licensee shall present STUK with thesystem modifications implemented and the re-sults of inspections made by the licensee accord-ing to subsection 4.5 plus related result docu-ments.

System commissioning inspections by STUKshall be carried out prior to plant start-up froman annual maintenance outage or during opera-tion prior to the commissioning of a system. Thelicensee shall request for these inspections inwriting well in advance of the inspection day.

Commissioning and functional testing requiredby the operational safety of the measurementand control equipment of a nuclear power plant’spressure equipment other than the reactor pres-sure vessel are dealt with in Guide YVL 3.7.

6.8 Regulatory control of equipmentquality management

The licensee shall draw up general plans forquality control in the design, manufacturing,receiving, installation and commissioning phas-es of equipment in various safety classes, asrequired in subsection 4.2. The plans shall besubmitted to STUK for approval prior to theaforementioned phases.

6.9 Regulatory control during plantoperation

During the operation of nuclear facilities STUKcontrols I&C systems and equipment by inspect-ing the repairs and modifications of systems andindividual pieces of equipment. At the same timeSTUK assesses the operations of the licenseeand the efficiency of his procedures in assuringthe reliable operation of the systems and equip-ment. Licensee operations are regularly assessedin inspections of the periodic inspection pro-gramme.

As part of the periodic inspection programme,STUK ensures that the below functions areappropriately implemented for safety classifiedobjects• assigning of requirements, design and main-

tenance of I&C systems and equipment• quality management, equipment procure-

ment, spare parts management and receivinginspections

• the operation and the condition the operabili-ty and condition of I&C systems and equip-ment is ensured by periodic testing

• assessment of the environmental and operat-ing conditions of equipment

• assessment of the assessment of the equip-ment ageing

• maintenance of the accuracy of measuringequipment

• equipment surveillance, failure data, failuredata gathering systems and analyses

• the preventive maintenance of the equip-ment, repair and spare part service


27

• configuration and version management ofequipment and systems.

The periodic testing programmes of I&C sys-tems and equipment, the procedures to be fol-lowed during them and the guidelines for condi-tion monitoring shall be sent to STUK for infor-mation. Test results shall be recorded onsitesuch that STUK can assess them and comparethem with previous test results.

The acceptability of requirements pertaining tothe availability of safety-important I&C systemsand equipment, as well as the scope of periodictests, are assessed by STUK during the review ofthe Technical Specifications of nuclear facilities.

In addition, STUK regularly checks that theenvironmental and operating conditions of safe-ty-classified equipment are properly monitoredby measurements at relevant locations and,where necessary, measures are taken to reviewmaintenance programmes, service life assess-ments and qualification. STUK checks onsite themeasurement results in the extent it deemsnecessary.

STUK monitors the realisation and results ofthe licensee’s I&C systems and equipment age-ing follow-up programme in connection with theperiodic inspection programme, among otherthings.

The results of the ageing management shall bepresented in a report every year, which is sent toSTUK for information.

6.10 System and equipmentmodifications during operation

Guides YVL 2.0 and YVL 1.8 present require-ments pertaining to modifications at nuclearfacilities.

STUK carries out pre-inspections of safety-clas-sified I&C systems and equipment in the extentspecified in subsection 6.1.

Work on modifications may only be started whenSTUK has approved the pre-inspection docu-ments and when requirements for the com-mencement and supervision of work, which mayhave been included in STUK’s decision on ap-proval, have been fulfilled. The commissioningoperation programmes of modified system sec-tions and equipment shall be drawn up suchthat they, as well as possible, correspond to theoriginal commissioning programmes.

STUK’s approval of modifications to Safety Class4 and non-nuclear (EYT) systems shall be ob-tained in case they affect the realisation of thedesign bases presented in Guide YVL 1.0.

Prior to a system’s commissioning, the licenseeshall obtain approval for any changes that needto be made to the Technical Specifications. Alsoprior to system commissioning, the emergency,transient and operating instructions shall beupdated to correspond to the modified system.

After the system’s commissioning, any changesproposed to the Final Safety Analysis Reportshall be submitted to STUK for approval with-out delay.

7 DefinitionsDeterministic design principle

System design is based on pre-establisheddesign requirements and on a set of postula-ted initiating events (PIE) whose effect onplant safety is considered in system design.

Dynamic testingSystem or component evaluation based on itsbehaviour during execution of functionaltests.

Integration testsThe task of the integration test is to verifyinterconnections between system units or thecompatibility of the system units. The integ-ration tests of a computer-based system assu-re software/hardware compatibility as well.


28

Self-diagnosticsA system or piece of equipment’s built-infunction for monitoring system/equipment er-ror-free operation and failure and which,upon error-detection, carries out pre-deter-mined functions.

QualificationQualification demonstrates the ability of I&Csystems or equipment to fulfil the functionaland performance requirements imposed onthem in all their operating conditions anddesign basis environmental conditions.

Operational conditionsOperational conditions mean a nuclear powerplant’s normal operational conditions and an-ticipated operational transients.

Quality planThe quality plan is a document setting outthe specific quality practices, resources andsequence of activities relevant to a particularproduct or project.

Normal operational conditionsNormal operational conditions denote theoperation of a nuclear power plant in accor-dance with the Technical Specifications. Theyalso include systems and equipment testing,plant unit start-up and shutdown, as well asmaintenance and refuelling.

Anticipated operational transientsAn anticipated operational transient meanssuch a milder-than-an-accident deviationfrom normal operational conditions the ex-pectation value of whose occurrence frequen-cy is higher than once in a hundred operatingyears.

Software toolA tool used for software development, compi-ling, generating, testing and analysis.

Computer-based systemA computer-based system is an instrumenta-tion and control system whose functions have,for the most part or entirely, been imple-mented using a microprocessor, a computer-based piece of equipment or a computer. Thesystem encompasses all system units, such asinternal power supply units, sensors and ot-her input units, communication routes, out-put units and other communication channelsto actuators.

A piece of computer-based equipmentA piece of computer-based equipment con-sists of one or several units in a computer-based system. It is an independent, definablesystem unit that is often detachable. It canalso be an independent piece of equipmentcontaining computer-based technology.

Pre-existing softwarePre-existing software denotes software orprogram developed prior to a project. It’sscope ranges from a simple program to anextensive I&C system.

Postulated accidentA postulated accident means such a nuclearpower plant safety system design-basis eventas the nuclear power plant is required tomanage without any serious damage to thefuel, and discharges of radioactive substancesso large that in the plant’s vicinity, extensivemeasures should be taken to limit the radia-tion exposure of the population.

AccidentAn accident means such a deviation fromnormal operational conditions as is not ananticipated operational transient. There aretwo classes of accident: postulated accidentsand severe accidents.


29

Accident instrumentationAccident instrumentation is the measuringand control instrumentation for accident mo-nitoring and management. It provides theoperating personnel with sufficient informa-tion for situation assessment as well as forthe planning and implementation of counter-measures.

I&C system platformI&C system platform is that section of aninstrumentation and control system which isindependent of the application and is used aspart of an operating system.

Independent inspection or assessmentIndependent inspection and assessmentcomes in three different levels: the performerof an inspection or assessment is an indivi-dual, organisation unit or organisation inde-pendent of the design and implementation ofthe object. The level of independence to beused is dictated by the character of the taskto be carried out and the assessment result’simportance to the assurance of safety. Moredetailed requirements applicable to the va-rious levels of independencies can be found instandard SFS-EN 45004 “General require-ments for the operation of various types ofbodies performing inspection”.

ApplicationA computer-based system application is thatpart of the system which carries out thefunctions needed for controlling the process.

Static testingStatic testing is a process of assessing asystem or component on the basis of its form,structure, content or documentation. Examp-les of static testing include, among otherthings, verification of software design, codeand compliance with standards (e.g. the Fa-gan method), analysis of control and dataflow diagrams, symbolic program executionand formal code verification.

Unintentional functionAn unintentional function is one that is un-necessary for the actual functioning of asystem or piece of equipment. Functions notrequired to accomplish a task, but whosesafety significance has been analysed andconsidered in system design, are not uninten-tional.

Functional independenceAn I&C system’s functional independence isimplemented by means of electrical and com-munication independence.

Safety systemA safety system is a system which carries outa certain safety function.

Safety functionSafety functions are safety-significant func-tions to prevent the occurrence or propagati-on of transients and accidents or to mitigatethe consequences of accidents. A safety func-tion encompasses the equipment carrying outa function, i.e. measuring, logic and actuator.

Severe accidentA severe accident means an event duringwhich a significant part of the fuel in thereactor sustains damage.

Common cause failureA common cause failure denotes the simulta-neous failure of several systems, pieces ofequipment or structures in consequence ofthe same single failure or cause.

Single failureA single failure means a random failure andits consequent effects which are assumed tooccur either during a normal operational con-dition or in addition to the initial event andits consequent effects. Further guidelines onsingle failures and how to provide for themcan be found in Guide YVL 2.7.


30

8 References1. U. S. Nuclear Regulatory Commission, Regu-

latory Guide 1.97, revision 3, May 1983.

2. “Common position of European nuclear regu-lators for the licensing of safety critical soft-ware for nuclear reactors”, EUR 19265, 2000.

3. IAEA Safety Standards Series, NS-G-1.3, “In-strumentation and control systems importantto safety in nuclear power plants”, SafetyGuide, March 2002.

4. IAEA Safety Standards Series No. NS-G-1.1,“Software for Computer Based Systems Im-portant to Safety in Nuclear Power Plants”,Safety Guide, September 2000.

5. IEC 61513 “Nuclear power plants – Instru-mentation and control for systems importantto safety – General requirements for sys-tems”, First edition 2001-03.

6. IEC 60880 “Software for computers in thesafety systems of nuclear power stations”,First edition 1986.

7. IEC 60880-2 “Software for computers impor-tant to safety for nuclear power plants – Part2: Software aspects of defence against com-mon cause failure, use of software tools andof pre-developed software”, First edition2000-12.

8. IEC 60987 “Programmed digital computersimportant to safety for nuclear power sta-tions”, First edition 1989-11.

9. IEC 62138 “Nuclear Power Plants Instru-mentation and Control-Computers-based sys-tems important for safety-Software aspectsfor I&C systems of class 2 and 3”, Draft 2001.

10.IEC 60780 “Nuclear Power Plants – Electricalequipment of the safety systems – Qualifica-tion”, Second edition 1998-10.

instrumentation systems and components at nuclear · pdf file2.2 instrumentation, ......

Documents