IEEE Std 7-4.3.2-2016: IEEE Standard Criteria for Programmable Digital Devices in Safety Systems of Nuclear Power Generating Stations.
f) Take corrective actions when expected quality is not achieved.
g) Establish a project environment that supports effective communications between individuals and groups for the resolution of software project risks.
Additional guidance on the topic of risk management is provided in ISO/IEC 12207:2008 (IEEE Std 12207-2008) and ISO/IEC 15288:2008 (IEEE Std 15288-2008).
5.4 Equipment qualification
The requirements in this subclause shall be applied in addition to the equipment qualification criteria provided by IEEE Std 603-2009, based on IEEE Std 323-2003.
Equipment qualification testing shall be performed with the system functioning with software and diagnostics representative of those intended to be used in actual operation. The PDD functions necessary to perform safety functions and those PDD functions whose operation or failure could impair safety functions shall be exercised during testing. This includes, as appropriate and practicable, exercising and monitoring the memory, the logic, inputs and outputs, display functions, diagnostics, associated components, communication paths, and interfaces. Testing shall demonstrate that the performance requirements related to safety functions have been met in the presence of all defined environmental and plant input and output stressors. Equipment qualification is required for commercial grade items as well as equipment produced under a nuclear quality assurance program.
5.5 System integrity
In addition to the system integrity criteria provided by IEEE Std 603-2009, the following shall be considered to achieve system integrity in digital equipment for use in safety systems:
— Design for PDD integrity
— Design for test and calibration
— Fault detection and self-diagnostics
— Prioritization of functions
5.5.1 Design for PDD integrity
The PDD shall be designed to perform its safety function when subjected to hazards, external or internal, that have significant potential for defeating the safety function. Such hazards include input and output processing failures; precision or roundoff problems; improper recovery actions; electrical supply, input voltage and frequency fluctuations; maximum credible number of coincident signal changes; and environmental stressors.
If the system requirements identify a safety system preferred failure mode, failures of the PDD shall not preclude the safety system from being placed in that mode. Performance of PDD restart operations shall not result in the safety system being inhibited from performing its function, including causing a spurious safety system actuation.
A hazard analysis (see Annex D for guidance) shall be performed to identify and address potential hazards of the system.
5.5.2 Design for test and calibration
Test and calibration functions shall not adversely affect the ability of the system to perform its safety function. Appropriate bypass of one redundant channel is not considered an adverse effect in this context. The test and calibration functions shall not affect system functions that are not included in a calibration change (e.g., setpoint change).
V&V, configuration management, and QA shall be required for test and calibration functions on separate PDDs (e.g., test and calibration computer) when the test and calibration functions provide the sole verification of test and calibration data. V&V, configuration management, and QA shall be required when the test and calibration function is inherent to the PDD that is part of the safety system. The calibration shall be traceable to an appropriate national standard.
V&V, configuration management, and QA are not required when the test and calibration function is resident on a separate PDD and does not provide the sole verification of test and calibration data for the PDD that is part of the safety system.
5.5.3 Fault detection and self-diagnostics
Self-diagnostics are a means to provide timely detection of failures. Self-diagnostics are not required for systems in which failures can be detected by alternate means in a timely manner. If self-diagnostic functions are integrated into the safety system, these functions shall be subject to the same V&V processes as the safety functions.