IEC 61500:2009
Nuclear power plants - Instrumentation and control important to safety - Data communication in systems performing category A functions
IEC 61500:2009 establishes requirements for data communication which is used in systems performing category A functions in nuclear power plants. It covers also interface requirements for data communication of equipment performing category A functions with other systems including those performing category B and C functions and functions not important to safety. This second edition is intended to accomplish the following:
- to change the focus from multiplexed data transmission to data communication;
- to restrict the scope to communication in systems performing category A functions.
Standards Content (Sample)
IEC 61500 ®
Edition 2.0 2009-10
INTERNATIONAL
STANDARD
NORME
INTERNATIONALE
Nuclear power plants – Instrumentation and control important to safety – Data
communication in systems performing category A functions
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by
any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either IEC or
IEC's member National Committee in the country of the requester.
If you have any questions about IEC copyright or have an enquiry about obtaining additional rights to this publication,
please contact the address below or your local IEC member National Committee for further information.
IEC Central Office
3, rue de Varembé
CH-1211 Geneva 20
Switzerland
Email: inmail@iec.ch
Web: www.iec.ch
About the IEC
The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes
International Standards for all electrical, electronic and related technologies.
About IEC publications
The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the
latest edition; a corrigendum or an amendment might have been published.
• Catalogue of IEC publications: www.iec.ch/searchpub
The IEC on-line Catalogue enables you to search by a variety of criteria (reference number, text, technical committee, …).
It also gives information on projects, withdrawn and replaced publications.
• IEC Just Published: www.iec.ch/online_news/justpub
Stay up to date on all new IEC publications. Just Published details twice a month all new publications released. Available
on-line and also by email.
• Electropedia: www.electropedia.org
The world's leading online dictionary of electronic and electrical terms containing more than 20 000 terms and definitions
in English and French, with equivalent terms in additional languages. Also known as the International Electrotechnical
Vocabulary online.
• Customer Service Centre: www.iec.ch/webstore/custserv
If you wish to give us your feedback on this publication or need further assistance, please visit the Customer Service
Centre FAQ or contact us:
Email: csc@iec.ch
Tel.: +41 22 919 02 11
Fax: +41 22 919 03 00
INTERNATIONAL ELECTROTECHNICAL COMMISSION
PRICE CODE P
ICS 27.120.20 ISBN 978-2-88910-523-6
– 2 – 61500 © IEC:2009
CONTENTS
FOREWORD (p. 3)
INTRODUCTION (p. 5)
1 Scope (p. 7)
2 Normative references (p. 7)
3 Terms and definitions (p. 8)
4 Symbols and abbreviations (p. 9)
5 General requirements (p. 9)
5.1 Principles of selection of data communication techniques and equipment (p. 9)
5.2 Functional requirements (p. 9)
5.3 Performance requirements (p. 10)
5.4 Failure detection (p. 10)
5.5 Communication within division (p. 10)
5.6 Interfaces to systems of lower importance to safety (p. 10)
6 Physical separation and isolation (p. 11)
6.1 Electrical isolation (p. 11)
6.2 Physical separation (p. 11)
7 Functional independence (p. 11)
8 Reliability (p. 12)
8.1 Self-supervision and failure mitigation (p. 12)
8.1.1 Communication error detection (p. 12)
8.1.2 Response to failure (p. 12)
8.2 Test (p. 12)
8.3 Prevention of failures (including CCF) (p. 13)
9 Qualification (p. 13)
10 Maintenance and modification (p. 14)
Bibliography (p. 15)
INTERNATIONAL ELECTROTECHNICAL COMMISSION
NUCLEAR POWER PLANTS –
INSTRUMENTATION AND CONTROL IMPORTANT TO SAFETY –
DATA COMMUNICATION IN SYSTEMS PERFORMING
CATEGORY A FUNCTIONS
FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, IEC publishes International Standards, Technical Specifications,
Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC
Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested
in the subject dealt with may participate in this preparatory work. International, governmental and non-governmental
organizations liaising with the IEC also participate in this preparation. IEC collaborates closely
with the International Organization for Standardization (ISO) in accordance with conditions determined by
agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence
between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in
the latter.
5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity
assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any
services carried out by independent certification bodies.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of
patent rights. IEC shall not be held responsible for identifying any or all such patent rights.
International Standard IEC 61500 has been prepared by subcommittee 45A: Instrumentation
and control of nuclear facilities, of IEC technical committee 45: Nuclear instrumentation.
This second edition cancels and replaces the first edition published in 1996. This edition
constitutes a technical revision.
The revision of the standard is intended to accomplish the following:
• To change the focus from multiplexed data transmission to data communication
• To restrict the scope to communication in systems performing category A functions
• To clarify definitions
• To update the references to standards published since the first edition.
The text of this standard is based on the following documents:
FDIS Report on voting
45A/772/FDIS 45A/783/RVD
Full information on the voting for the approval of this standard can be found in the report on
voting indicated in the above table.
This publication has been drafted in accordance with the ISO/IEC Directives, Part 2.
The committee has decided that the contents of this publication will remain unchanged until
the maintenance result date indicated on the IEC web site under "http://webstore.iec.ch" in
the data related to the specific publication. At this date, the publication will be
• reconfirmed,
• withdrawn,
• replaced by a revised edition, or
• amended.
INTRODUCTION
a) Technical background, main issues and organization of the standard
Equipment for the data communication of on-line plant data can simplify the hardwired cabling that
connects the distributed systems for instrumentation, control, protection and monitoring needed
for safe nuclear power plant operation. Such communication systems can have advantages
over direct cables, for electrical isolation, for reduction of cable fire loads or for other reasons. In
a distributed computer-based system, communication equipment is an essential part of the
system. Data communication is usually essential for implementing I&C systems important to
safety in nuclear power plants.
It is intended that the standard be used by operators of NPPs (utilities), manufacturers of data
communication equipment, systems evaluators and by licensors.
b) Situation of the current standard in the structure of the IEC SC 45A standard series
IEC 61500 is a third-level IEC SC 45A document tackling the generic issue of data
communication for equipment performing category A functions.
IEC 61500 is to be read in association with IEC 61513, which is the appropriate IEC SC 45A
document providing guidance on general requirements for instrumentation and control
systems important to safety, IEC 60880, which is the appropriate IEC SC 45A document
providing guidance on software aspects for computer based systems performing category A
functions, and IEC 60987, which is the appropriate IEC SC 45A document providing guidance
on hardware aspects for computer based systems.
For more details on the structure of the IEC SC 45A standard series, see item d) of this
introduction.
c) Recommendations and limitations regarding the application of the standard
It is important to note that this standard establishes no additional functional requirements for
safety systems.
Aspects for which special recommendations have been provided in this standard are:
• Requirements for data communication within systems performing category A functions.
• Requirements for data communication between divisions of a system performing category
A functions.
• Requirements for data communication of systems performing category A functions with
systems of lower safety importance.
• Reliability requirements for data communication.
To ensure that the standard will continue to be relevant in future years, emphasis is placed on
principles, rather than on specific technologies.
d) Description of the structure of the IEC SC 45A standard series and relationships
with other IEC documents and other bodies’ documents (IAEA, ISO)
The top-level document of the IEC SC 45A standard series is IEC 61513. It provides general
requirements for I&C systems and equipment that are used to perform functions important to
safety in NPPs. IEC 61513 structures the IEC SC 45A standard series.
IEC 61513 refers directly to other IEC SC 45A standards for general topics related to
categorization of functions and classification of systems, qualification, separation of systems,
defense against common cause failure, software aspects of computer-based systems,
hardware aspects of computer-based systems, and control room design. The standards
referenced directly at this second level should be considered together with IEC 61513 as a
consistent document set.
At a third level, IEC SC 45A standards not directly referenced by IEC 61513 are standards
related to specific equipment, technical methods, or specific activities. Usually these
documents, which make reference to second-level documents for general topics, can be used
on their own.
A fourth level extending the IEC SC 45A standard series, corresponds to the technical reports
which are not normative.
IEC 61513 has adopted a presentation format similar to the basic safety publication
IEC 61508 with an overall safety life-cycle framework and a system life-cycle framework and
provides an interpretation of the general requirements of IEC 61508-1, IEC 61508-2 and
IEC 61508-4, for the nuclear application sector. Compliance with IEC 61513 will facilitate
consistency with the requirements of IEC 61508 as they have been interpreted for the nuclear
industry. In this framework, IEC 60880 and IEC 62138 correspond to IEC 61508-3 for the
nuclear application sector.
IEC 61513 refers to ISO as well as to IAEA GS-R-3 for topics related to quality assurance
(QA).
The IEC SC 45A standards series consistently implements and details the principles and
basic safety aspects provided in the IAEA code on the safety of NPPs and in the IAEA safety
series, in particular the Requirements NS-R-1, establishing safety requirements related to the
design of nuclear power plants, and the Safety Guide NS-G-1.3 dealing with instrumentation
and control systems important to safety in nuclear power plants. The terminology and
definitions used by SC 45A standards are consistent with those used by the IAEA.
NUCLEAR POWER PLANTS –
INSTRUMENTATION AND CONTROL IMPORTANT TO SAFETY –
DATA COMMUNICATION IN SYSTEMS PERFORMING
CATEGORY A FUNCTIONS
1 Scope
This International Standard establishes requirements for data communication which is used in
systems performing category A functions in nuclear power plants.
It covers also interface requirements for data communication of equipment performing
category A functions with other systems including those performing category B and C
functions and functions not important to safety.
The scope of this standard is restricted to the consideration of data communication within the
plant I&C systems. It does not cover communication by telephone, radio, voice, fax, email,
public address etc.
The internal operation and the detailed technical specification of data communication
equipment are not in the scope of this standard. This standard is not applicable to the internal
connections and data communication of a processor unit, its memory and control logic. It does
not concern the internal processing of instrumentation and control computer systems.
This standard gives requirements for functions and properties of on-line plant data
communications by reference to IEC 60880 and IEC 60987, produced within the framework of
IEC 61513. It requires classification of the communication functions in accordance with
IEC 61226, which in turn requires environmental and seismic qualification (i.e., the
environment where the safety function is required to operate) according to IEC 60780 and
IEC 60980.
2 Normative references
The following referenced documents are indispensable for the application of this document.
For dated references, only the edition cited applies. For undated references, the latest edition
of the referenced document (including any amendments) applies.
IEC 60709, Nuclear power plants – Instrumentation and control systems important to safety –
Separation
IEC 60780:1998, Nuclear power plants – Electrical equipment of the safety system –
Qualification
IEC 60880:2006, Nuclear power plants – Instrumentation and control systems important to
safety – Software aspects for computer-based systems performing category A functions
IEC 60980, Recommended practices for seismic qualification of electrical equipment of the
safety system for nuclear generating stations
IEC 60987:2007, Nuclear power plants – Instrumentation and control important to safety –
Hardware design requirements for computer-based systems
IEC 61000 (all parts), Electromagnetic compatibility (EMC)
IEC 61226, Nuclear power plants – Instrumentation and control systems important to safety –
Classification of instrumentation and control functions
IEC 61513, Nuclear power plants – Instrumentation and control for systems important to
safety – General requirements for systems
IEC 62340:2007, Nuclear power plants – Instrumentation and control systems important to
safety – Requirements for coping with common cause failure (CCF)
IAEA safety guide No. NS-G-1.3:2002, Instrumentation and Control Systems Important to
Safety in Nuclear Power Plants
3 Terms and definitions
For the purposes of this document, the terms and definitions of IEC 60880, IAEA safety
glossary and safety guide No. NS-G-1.3 and the following definitions are applicable.
3.1
communication channel
logical connection between two end-points within a communication system
[IEC 61784-3, 2007]
3.2
communication node
connection point on a communication network, at which data is conveyed via communication
channels to or from that point to other points on the network
3.3
communication system
arrangement of hardware, software and propagation media to allow the transfer of messages
(ISO/IEC 7498 application layer) from one application to another
[IEC 61784-3, 2007]
3.4
data communication
exchange of data between communication nodes via communication channels
3.5
data communication equipment
embodiment of the media, modulation and coding-dependent portion of a bus-connected
device, comprising the lower portions of the physical layer within the device
[IEC 61784-3, 2007, modified]
3.6
message
ordered series of digital states in defined groups, used to convey information
[IEC 61784-3, 2007, modified]
3.7
protocol
convention about the data formats, time sequences, and error correction in the data exchange
of communication systems
[IEC 61158-3-19, 2007]
3.8
processing unit
in this standard, one or more processing cores whose instructions are specialized to handle
networking or communication-related functions
4 Symbols and abbreviations
CCF Common cause failure
EMC Electromagnetic compatibility
FMEA Failure mode and effects analysis
I&C Instrumentation and control
QA Quality assurance
5 General requirements
5.1 Principles of selection of data communication techniques and equipment
The communications equipment shall meet requirements for systems performing category A
functions.
NOTE To ensure acceptability for nuclear applications one of the following principles for selection of data
communication techniques and equipment can be applied:
• use of protocols implementing safety features;
• use of industrial standard protocols with added safety layers;
• use of protocols where higher protocol layers implementing unsafe or not needed functionality are removed or
replaced by ones with reduced and safe functionality.
The hardware and the software shall be qualified, see Clause 9.
5.2 Functional requirements
Generally each data communication channel is part of an overall system providing services of
information gathering and presentation, control or protection of the nuclear power plant.
Equipment providing cyclic data over a communication channel shall not depend on the
receipt of acknowledge messages from the receiver for continued operation.
Communication channels shall not be allocated dynamically during the run time of the system
but shall be statically allocated and predefined by design.
All messages of application software shall be transmitted periodically within a pre-defined
variation of cycle time.
Messages should have fixed length predefined by design.
The communication system shall enable messages from instruments or other outstation
equipment using a communications channel to be sent and received within a specified time
frame, together with data integrity status information (if implemented).
The data communication network topology and media access control shall be designed and
implemented to avoid CCF of independent systems or subsystems (see 8.3).
Data may be distributed via data communication to redundant systems to enable continued
operation if one system is damaged.
The security threats arising from the use of data communication shall be taken into
consideration within the scope of the security plans according to IEC 61513.
5.3 Performance requirements
Data communication channels shall provide sufficient performance to ensure that any
message sent from any communication node is received by the intended destination node in a
timely manner.
Data communication shall meet the requirements of the functions. The mechanisms and
protocols used shall guarantee that any delay which may occur during communication or
during access to the communication equipment is known and bounded by design.
Communication channels shall be verified to meet the specified real time response
requirements of the Category A functions to be performed, under credible worst-case
conditions. The required real time response and the worst-case conditions shall be justified by
analysis. Deterministic communications shall be used so that communications load does not
vary, irrespective of plant conditions.
Where communication equipment is used for manual plant control and indication through a
control room, the time from operating the physical switch or soft control until the confirmation
of the action by indication of the changed state in the control room should be assessed under
all potential circumstances including worst case conditions.
5.4 Failure detection
Hardware failures of communication equipment shall be detected and reported. Detected
failures of the communication equipment that result in unacceptable degradation of the
nuclear safety functions of the I&C system shall be indicated to the plant operators in the control
rooms.
The data communication including operation of error response features (if used) shall be
verified and validated prior to operational use of the equipment to perform category A
functions.
5.5 Communication within division
The data communication within a segregated division (train) shall be protected from adverse
influences from outside of the division. Thus messages in a division shall be passed directly
from the sending communication node to the receiving one without involvement of the
communication equipment outside the division.
Data communication in a division shall be separated from that of the other divisions.
However, communication between divisions may be acceptable if it is required by voting logic.
5.6 Interfaces to systems of lower importance to safety
Communication equipment of systems performing category A functions shall be adequately
segregated from communication equipment of systems performing only lower category
functions.
When plant systems of different categories are required to communicate over communication
channels, then the plant data flow should be from category A functions to lower category
functions.
Data flow from lower categories to category A functions should be prevented unless the
design of the communications channel is such that category A functions cannot be adversely
affected by such a connection.
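The requirements of 5.2 (channels statically allocated and predefined by design, fixed message length, a predefined variation of cycle time) and of 5.6 (plant data flowing from category A functions to lower categories, with the reverse direction prevented unless the channel design is shown not to affect the category A function) can all be checked against a channel table before any equipment is connected. The following script is an added example, not part of IEC 61500 or of any vendor's tooling; the channel record layout, the category labels (including "NC" for functions not important to safety), the "justified" flag standing in for the analysis 5.6 requires, and the sample channel names and numbers are constructed for illustration.

```python
"""Static validation of a data-communication channel table (added example).

Models three requirements of IEC 61500 as checks on a table that is fixed at
design time: fixed message length, a predefined cycle with bounded variation,
and the direction of data flow between functions of different categories.
Record layout, category labels and sample values are assumptions of this example.
"""
from __future__ import annotations
from dataclasses import dataclass

# Ranking used by the checker: A is most important to safety; "NC" is a
# constructed label for functions not important to safety.
CATEGORY_RANK = {"A": 3, "B": 2, "C": 1, "NC": 0}


@dataclass(frozen=True)
class Channel:
    name: str
    sender: str
    sender_category: str
    receiver: str
    receiver_category: str
    message_length: int      # bytes, fixed by design
    cycle_ms: int            # nominal transmission period
    cycle_tolerance_ms: int  # permitted variation of the cycle time
    justified: bool = False  # reverse-direction link shown unable to affect the category A function


def check_channel(ch: Channel) -> list[str]:
    """Return the findings for one channel; an empty list means it is acceptable."""
    findings: list[str] = []
    if ch.message_length <= 0:
        findings.append(f"{ch.name}: message length must be fixed and positive")
    if ch.cycle_ms <= 0 or ch.cycle_tolerance_ms < 0:
        findings.append(f"{ch.name}: cycle time and its tolerance must be predefined")
    elif ch.cycle_tolerance_ms >= ch.cycle_ms:
        findings.append(f"{ch.name}: cycle-time variation is not bounded below the cycle")
    src = CATEGORY_RANK[ch.sender_category]
    dst = CATEGORY_RANK[ch.receiver_category]
    # Data flow into a higher category is the case 5.6 says should be prevented
    # unless the channel design has been shown to be harmless to the category A function.
    if dst > src and not ch.justified:
        findings.append(
            f"{ch.name}: data flow from category {ch.sender_category} into a "
            f"category {ch.receiver_category} function requires justification"
        )
    return findings


def check_table(channels: list[Channel]) -> dict[str, list[str]]:
    """Check a whole statically defined table. A channel name defined twice is
    reported too, since two definitions competing for one channel contradict
    the requirement that allocation is predefined by design."""
    report: dict[str, list[str]] = {}
    seen: set[str] = set()
    for ch in channels:
        findings = check_channel(ch)
        if ch.name in seen:
            findings.append(f"{ch.name}: channel defined more than once")
        seen.add(ch.name)
        if findings:
            report.setdefault(ch.name, []).extend(findings)
    return report


# Constructed sample table (names, lengths and timings are illustrative only).
SAMPLE_TABLE = [
    Channel("RPS1->RPS2", "RPS-div1", "A", "RPS-div2", "A", 64, 10, 2),   # inter-division voting link
    Channel("RPS1->DCS", "RPS-div1", "A", "DCS", "NC", 128, 100, 10),     # category A to non-safety
    Channel("DCS->RPS1", "DCS", "NC", "RPS-div1", "A", 16, 100, 10),      # reverse flow, not justified
    Channel("RPS1->RPS2", "RPS-div1", "A", "RPS-div2", "A", 64, 10, 12),  # duplicate with unbounded variation
]

if __name__ == "__main__":
    for findings in check_table(SAMPLE_TABLE).values():
        for line in findings:
            print(line)
```

Run against the sample table, the checker passes the two category-A-to-lower links and reports the unjustified reverse link and the duplicate, unbounded definition. The direction rule is deliberately a design-time check: it does not replace the electrical isolation and physical separation of Clause 6, it only makes sure the table handed to the designers contains no link the standard says should not be there.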
6 Physical separation and isolation
6.1 Electrical isolation
The electrical isolation of systems performing category A functions connected by
communication channels to other systems shall be considered in accordance with IEC 60709.
The degree of electrical isolation will depend on the station power supply voltages present,
national practice, and plant-specific requirements.
NOTE A method of achieving a high degree of electrical isolation is by means of optical fibre connections or opto-
electronic isolators.
Appropriate isolation shall be demonstrated between data communication equipment and
connected equipment. This shall be sufficient to prevent faults of the connected equipment
and cables from affecting the operation of the data communication equipment adversely.
Connected equipment includes sensors, contacts, power supplies and other communication
equipment.
6.2 Physical separation
The communication equipment should be designed such that faults are not propagated from
one part of the equipment to another, or to another system. IEC 60709 gives requirements for
this and specifically for communication from equipment performing functions of one category
to equipment performing functions of another category.
The requirements of IEC 60709 shall be applied to the cables of communication channels
important to safety.
The preferred method of physical separation and protection of the cables of communication
channels, whether carrying electrical or optical signals, should be by the use of dedicated
cable enclosures or trunking, providing adequate protection against hazards.
A system can require redundant communication paths to maintain operation in the event of a
hazard, such as a fire, which may affect a localized area.
Redundant equipment which is providing protection against such a physical hazard shall be
separated physically.
NOTE Requirements for coping with common cause failures are given in IEC 62340.
7 Functional independence
For receiving and transmitting data from and to separate processing units, software modules
shall be provided which have specified interfaces with the communications network and with
the system software and the application software of the related processing unit, to avoid fault
propagation.
The design should use separate software modules for numerical and logical operations
performed on signals and message contents, from those used for data transmission and
message checking. This will reduce complexity and simplify verification and validation.
8 Reliability
8.1 Self-supervision and failure mitigation
8.1.1 Communication error detection
Communication equipment shall check the integrity of communicated data to confirm correct
transmission, or to record/report transmission failures.
The communication equipment shall provide error detection facilities according to the relevant
requirements of 4.2 d) of IEC 60987, and 4.8 of IEC 60880. These facilities shall provide
appropriate assurance that data communication errors will be detected so that erroneous data
will not affect the performance of category A functions. In particular, these should address:
a) faulty insertion of single bits or a group of bits in the transmitted message,
b) corruption of bits of the transmitted message,
c) transmission of out-of-date data,
d) message loss.
8.1.2 Response to failure
I&C systems performing category A functions shall take suitable actions, when communication
faults are detected.
When failures of communication equipment are detected, appropriate automatic measures
should be taken: e.g.
a) isolation of failed communication channels,
b) indication of the failed equipment to warn operators of failure (see also 5.4).
The action to be taken upon the detection of failures shall be specified, e.g., logging, warning
to the maintenance team, alarm for immediate corrective or mitigation action.
As part of the design substantiation process, data communication equipment and processes
shall be systematically analyzed using appropriate methods e.g. FMEA with respect to the
consequences of failures upon category A functions.
Failures or malfunctions of a single communication node shall not affect the availability and
reliability of the I&C system.
The potential effect upon the performance of category A functions of the failure of any
communication node or channel shall be considered during the design process, and this
analysis shall be documented. Any required actions to be taken by the system upon the
detection of failure shall be defined, e.g. record the failure, produce an alarm, or drive the plant to
a safe state.
Communication channels should be tolerant of ‘soft’ errors, such as a missed message or an
error in a single message, provided that the frequency of such errors is not high enough to
compromise the performance of category A functions; such ‘soft’ errors should not lead to the
shutdown of a channel, but they should be logged by the system.
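The following receiver-side check is an added illustration of 8.1.1 and 8.1.2, not code from IEC 61500 or from any vendor: it detects the four error classes listed in 8.1.1 (length check plus CRC for inserted or corrupted bits, a timestamp for out-of-date data, a sequence counter for message loss), logs each ‘soft’ error, and isolates the channel only when the error rate exceeds a threshold. The frame layout, CRC choice, age limit and error threshold are all assumptions chosen for the example.

```python
import struct
import zlib
from dataclasses import dataclass, field

# Constructed frame layout (assumption, not from IEC 61500):
#   seq:u8 | timestamp_ms:u32 | payload:8 bytes | crc32:u32 -> fixed 17 bytes
HEADER = struct.Struct(">BI8s")
FRAME_LEN = HEADER.size + 4
MAX_AGE_MS = 200       # older data is treated as out-of-date (8.1.1 c)
SOFT_ERROR_LIMIT = 3   # soft errors tolerated per window before isolation (8.1.2)
WINDOW_MS = 1000

def build_frame(seq, timestamp_ms, payload):
    """Sender side: fixed-length frame protected by a CRC-32 trailer."""
    body = HEADER.pack(seq & 0xFF, timestamp_ms, payload.ljust(8, b"\0")[:8])
    return body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)

@dataclass
class Channel:
    expected_seq: int = 0
    isolated: bool = False
    errors: list = field(default_factory=list)  # soft errors inside the current window
    log: list = field(default_factory=list)     # every soft error, kept for reporting

    def _soft_error(self, kind, now_ms):
        self.log.append((now_ms, kind))
        self.errors = [(t, k) for t, k in self.errors if now_ms - t < WINDOW_MS]
        self.errors.append((now_ms, kind))
        if len(self.errors) > SOFT_ERROR_LIMIT:
            self.isolated = True  # rate too high: isolate channel, warn operators
        return kind

    def receive(self, frame, now_ms):
        """Classify one frame: 'ok', 'isolated', or the detected error kind."""
        if self.isolated:
            return "isolated"
        if len(frame) != FRAME_LEN:  # inserted/dropped bits change the length (a)
            return self._soft_error("length", now_ms)
        body, crc = frame[:-4], struct.unpack(">I", frame[-4:])[0]
        if zlib.crc32(body) & 0xFFFFFFFF != crc:  # corrupted or inserted bits (a, b)
            return self._soft_error("corrupt", now_ms)
        seq, ts, _payload = HEADER.unpack(body)
        gap = (seq - self.expected_seq) & 0xFF
        self.expected_seq = (seq + 1) & 0xFF
        if gap:  # sequence gap means at least one message was lost (d)
            return self._soft_error("lost", now_ms)
        if now_ms - ts > MAX_AGE_MS:  # data older than the age limit (c)
            return self._soft_error("stale", now_ms)
        return "ok"
```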
8.2 Test
The relevant testing requirements of IEC 60987, Clause 10, shall apply to class 1
communication channels. Also, the relevant subclauses 7.10 (testability), 7.11 (operational
bypasses) and 7.12 (control of access to protection systems equipment) of IAEA safety guide
No. NS-G-1.3 shall apply to communication channels of systems performing category A
functions.
61500 © IEC:2009 – 13 –
The performance of data communication functions shall be verified before equipment is
placed in full operational service. The following aspects of system functionality shall be
covered:
a) transmission error handling,
b) correct operation at the maximum data transfer rates.
IEC 60880 and IEC 60987 require that the data communication system shall have self-test
capabilities (see 8.1). Additional periodic tests as a supplement to self-tests should be
possible during the lifetime of the equipment as required to reduce the probability of
unrevealed hardware failures compromising the performance of category A functions, e.g.
1) alteration of the state or value of input signals, and monitoring of the alteration at the
receiving equipment;
2) interruption of transmission, and confirmation that the receiving equipment will detect this
and take correct actions.
NOTE Nuclear safety considerations may make such testing undesirable at power operation.
The communication equipment shall be qualified for operational use by functional testing in
accordance with 4.79 to 4.96 of IAEA safety guide No. NS-G-1.3. Testing of the equipment
modules shall be performed during factory tests or on-site commissioning tests, or evidence
of previous type testing in accordance with 5.3 of IEC 60780 shall be provided.
8.3 Prevention of failures (including CCF)
Data communication equipment could be affected by conditions which cause several
redundant parts of the system to fail at the same time. In order to eliminate or minimize the
possibility of simultaneous failures of several modules by hazards which a system is required
to survive, consideration shall be given to the following potential hazards:
• seismic disturbance or other relevant external hazards;
• fire, smoke or flooding in equipment or cable areas;
• loss of environmental control, heating and ventilation;
• excessive radiation or other factors external to the equipment, and
• factors internal to the equipment itself.
The cable trays which contain the cables for data communication between separated
redundancies/trains shall be designed and separated in accordance with the requirements of
IEC 60709, so that possible hazards are limited and the required fault tolerance for the overall
I&C system is met.
Data communication shall be designed to prevent failure propagation, e.g. propagation through
the transfer of corrupted data (see IEC 62340, 7.4).
The potential failures taken into account and the claimed features to prevent or mitigate these
failures shall be analyzed and documented.
NOTE Requirements for coping with common cause failures are given in IEC 62340.
9 Qualification
Class 1 communication hardware of systems shall be qualified in accordance with the relevant
requirements of IEC 60780 (environmental qualification), IEC 60980 (seismic qualification, if
the equipment is to be seismically qualified), and an appropriate EMC Standard such as
IEC 62003 or the IEC 61000 series (EMC Testing).
Communication software of systems performing category A functions should be designed,
verified and validated in accordance with nuclear standards (e.g. IEC 60880) or other
appropriate standards (e.g. IEC 61508 series). The suitability of the selected qualification
standard shall be analysed and justified by formal documentation.
10 Maintenance and modification
Communication hardware and software of systems performing category A functions shall be
maintained and modified in accordance with IEC 61513, IEC 60880 and IEC 60987.
If one of the communication nodes fails, prompt replacement of a part should be possible at
power. A communication node replacement should be accomplished in a simple manner
without adversely affecting the operability of the system and within the targeted availability of
the system.
Modifications of the data communication equipment shall be done under the strict procedures
of the plant modification process.
Modifications shall be based on clear requirements. These modifications shall be confirmed to
be in accordance with the original safety, functional and performance requirements of the data
communication equipment by suitable verification consistent with IEC 61513, IEC 60880 or
IEC 60987 as applicable.
When modifications have been made, the data communication equipment shall be proven to
meet its functional and performance requirements by testing prior to installation at the plant
(e.g., functional testing in a representative testbed) and after installation into the target
system (e.g., meeting the system performance and interface requirements) (see 8.2).
Bibliography
IEC 60068 (all parts), Environmental testing
IEC 60721 (all parts), Classification of environmental conditions
IEC 60964, Nuclear power plants – Control rooms – Design
IEC 60965, Nuclear power plants – Control rooms – Supplementary control points for reactor shutdown without access to the main control room
IEC 61158-3-19, Industrial communication networks – Fieldbus specifications – Part 3-19: Data-link layer service definition – Type 19 elements
IEC 61508-1, Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 1: General requirements
IEC 61508-2, Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems
IEC 61508-3, Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 3: Software requirements
IEC 61508-4, Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 4: Definitions and abbreviations
IEC 61784-3, Industrial communication networks – Profiles – Part 3: Functional safety fieldbuses
IEC 62003, Nuclear power plants – Instrumentation and control important to safety – Requirements for electromagnetic compatibility testing
IEC 62138, Nuclear power plants – Instrumentation and control important for safety – Software aspects for computer-based systems performing category B or C functions
IEC 62241, Nuclear power plants – Main control room – Alarm functions and presentation
ISO/IEC 7498, Information processing systems – Open systems interconnection – Basic reference model
CONTENTS
FOREWORD .......... 17
INTRODUCTION .......... 19
1 Scope .......... 21
2 Normative references .......... 21
3 Terms and definitions .......... 22
4 Symbols and abbreviations .......... 23
5 General requirements .......... 23
5.1 Principles for the selection of data communication equipment and techniques .......... 23
5.2 Functional requirements .......... 23
5.3 Performance requirements .......... 24
5.4 Failure detection .......... 24
5.5 Communication between channels .......... 25
5.6 Interfaces with systems of lower safety importance .......... 25
6 Isolation and physical separation .......... 25
6.1 Electrical isolation .......... 25
6.2 Physical separation .......... 25
7 Functional independence .......... 26
8 Reliability .......... 26
8.1 Self-monitoring and limitation of the consequences of failures .......... 26
8.1.1 Detection of communication errors .......... 26
8.1.2 Response to failures .......... 26
8.2 Test .......... 27
8.3 Prevention of failures (including CCF) .......... 28
9 Qualification .......... 28
10 Maintenance and modification .......... 28