I&C Safety Guide DRAFT 20110803.doc

6. Life cycle activities

6.1. GS-R-3 paragraph 5.1 states:

The processes of the management system that are needed to achieve the goals, provide the means to meet all requirements and deliver the products of the organization shall be identified, and their development shall be planned, implemented, assessed and continually improved.

6.2. Modern nuclear power plant I&C systems are complex entities that need design and qualification approaches beyond those that were typically applied to older systems. Often the functional characteristics and performance of previous generations of I&C systems could be well characterized by models based upon physics principles and testing that validates these models.

6.3. Modern I&C systems, in particular systems whose functionality depends upon software or HDL code, are fundamentally different from older systems in that their behaviour is determined by internal logic and not externally by the continuity of physical laws. Consequently, minor errors in design and implementation can cause software-based systems to exhibit unexpected behaviour.

6.4. As a result, demonstration that the final product is fit for its purpose depends greatly on the use of a high-quality development process that provides for disciplined specification and implementation of design requirements. In modern I&C systems, inspection and testing support verification and validation that the final product is suitable for use, but correct system performance over the full range of conditions cannot be inferred from the combination of testing and physics models to the same extent that this may be done for hardware systems. Consequently, confidence in the correctness of modern systems derives more from the discipline of the development process than was the case for systems implemented purely with hardware.

6.5. In response to this situation the nuclear power community has developed extensive guidance regarding processes for developing I&C systems. I&C development processes are commonly represented as life cycle models that describe the necessary activities for the development of I&C systems and the relationships between these activities. Normally, activities related to a given development step are grouped into phases.

Process implementation

6.6. The life cycle process guidance in this chapter supplements the requirements of GS-R-3, Ref. [4] and the recommendations of GS-G-3.1, Ref. [5] and GS-G-3.5, Ref. [6] as they apply to I&C system development.

6.7. Three fundamental levels of life cycles are needed to describe the development of I&C systems:

  • An overall I&C development life cycle;

  • One or more individual I&C system development life cycles; and

  • One or more individual component development life cycles. Component life cycles for computer-based systems are typically divided into separate life cycles for the development of hardware and software.

6.8. I&C development life cycles must be coordinated with two other life cycles that deal with more than I&C, but have a strong influence on I&C development:

  • A human factors engineering (HFE) life cycle; and

  • A cyber security life cycle.

6.9. Figure 2 shows an example I&C development life cycle and the main inputs received from the HFE and cyber security life cycles. Figure 3 shows more detail of the hardware and software life cycles that are included in Figure 2.

6.10. The V-model shown in Figure 4 is a useful alternative view of life cycle models. This model illustrates the relationship between requirement specification, design, integration, and validation activities and how V&V activities relate to development activities. Figure 4 applies to both computer-based and non-computer-based systems. Of course, if there is no software, the software activities are unnecessary.

6.11. At any time lessons learned might result in a need to revise work done in any previous phase. These changes will then flow through and affect work from the intervening phases. For simplicity, these figures do not show the iteration paths.

6.12. There are different types of life cycle models, such as waterfall, spiral, and incremental development. Regardless of the model the necessary activities are basically the same. This document describes life cycles as a linear sequence of activities. This is for simplicity of explanation, and is not intended to indicate a necessity to use a waterfall model. Indeed, any complicated development process follows a hybrid approach.

6.13. Regardless of the structure of the overall I&C life cycle and the individual I&C system life cycles, all life cycle activities should be completed, and traceability established from requirements to installed systems and components before plant I&C is declared operable.

6.14. A requirements tracking system should be used so that the I&C requirements can be traced through all life cycle stages of the development project.

6.15. The recommendations for life cycle processes described in this chapter also apply to the life cycle activities described in chapters 9 and 10.

FIG. 2. Typical I&C life cycle activities

FIG. 3. Typical individual component life cycle

FIG. 4. Relationship between life cycle processes and V&V activities

LIFE CYCLE ACTIVITIES

Process planning

6.16. As a minimum, the following I&C development processes should be defined and documented:

  1. Classification of items important to safety;

  2. Life cycle models;

  3. Configuration management;

  4. Requirements specification;

  5. Design;

  6. Implementation, e.g., hardware manufacture and software coding;

  7. Procurement;

  8. Integration;

  9. Installation;

  10. Specification of commissioning activities;

  11. Design change;

  12. Verification and validation;

  13. Qualification and use of tools;

  14. Production and maintenance of documentation;

  15. Resource management, including personnel; and

  16. Risk management.

Use of life cycle models

6.17. The engineering of an overall I&C architecture is a complex process involving many technical disciplines and activities where correct information is necessary at all times.

6.18. All activities associated with development, implementation, and operation of the overall I&C architecture, individual I&C systems, and I&C components (including hardware, software, and HDL code development) should be carried out in the framework of an appropriate development life cycle.

6.19. Each life cycle should cover the period of time that starts with deriving I&C requirements from the plant safety design base and finishes when none of the I&C systems are required for the safety of the plant.

6.20. Before initiation of any life cycle phase (see Figures 2 and 3), a plan describing the activities required in that phase should be prepared and approved.

6.21. The approved plan for each life cycle phase should integrate HFE and cyber security activities with the I&C life cycle activities of that phase.

6.22. Human Factors Engineering and cyber security activities have a broader purpose than support of I&C design. Therefore, there will generally be separate plans for these topics.

6.23. All life cycle activities should be carried out in accordance with the approved plan.

Verification and validation

6.24. In the application of safety life cycles, each phase uses information developed in earlier phases, and provides results to be used as the input for later phases.

6.25. The results of each safety life cycle phase should be verified against the requirements set by the previous phases.

6.26. Each item should be validated to confirm that the results comply with all the functional and other requirements, and to investigate for the existence of unintended behaviour.

6.27. Note that the term "item" includes software, software modules, integrated software, firmware, integrated software and hardware, and HDL code.

6.28. Verification and validation should be carried out by teams, individuals, or groups that are independent of the designers and developers.

6.29. Independence of verification and validation teams normally involves establishing that they are not subject to budget or schedule constraints or to pressure from the design organization, and that they report to a level of management which is not exerting direct pressure for a favourable V&V report.

6.30. HFE verification and validation activities should be carried out to:

  1. Verify the resolution to HFE recommendations and deficiencies identified during analyses;

  2. Verify that the I&C systems conform to applicable HFE design guidelines;

  3. Verify that the design supports operator tasks with adequate I&C systems, other equipment, and operator aids;

  4. Validate, using performance based measures, that personnel can carry out their functions using the I&C system under all conditions under which the system is expected to function;

  5. Verify that the as-built design conforms to the validated design.

Design analysis

6.31. Design analyses, including the following specific activities, should be performed to confirm that I&C systems fulfil their design basis requirements.

  1. Verification that safety systems comply with the single failure criterion.

  2. Verification that the design of I&C systems includes adequate test provisions.

     Failure Mode and Effects Analysis is often used to confirm compliance with the single failure criterion, and to confirm that all known failure modes are either self-revealing or detectable by planned testing.

  3. Verification that the overall I&C system supports the plant defence-in-depth concept.

  4. Verification that common cause failure vulnerabilities of I&C safety systems are known and have been adequately addressed.

     Defence-in-Depth and Diversity Analysis is one means of investigating vulnerability of safety systems to common cause failure.

     Common cause failure vulnerabilities may be addressed by eliminating the vulnerability, providing diverse means of achieving the safety functions subject to the CCF, or justifying acceptance of the vulnerability.

  5. Verification that design basis reliability requirements are met.

     This demonstration may be based on a balance of application of deterministic criteria and quantitative reliability analysis that considers design features such as, for example, redundancy, testability, failure modes, and rigour of qualification.

     For complicated systems a combination of qualitative analysis, quantitative analysis, and testing is usually needed to verify compliance with design basis reliability requirements.

     Test facilities that are part of the safety system must be considered when determining system availability.

  6. Confirmation that all system requirements have been implemented and validated.

     Typically traceability analysis is used to confirm implementation and validation of requirements.
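The traceability analysis referred to in paragraphs 6.14 and 6.31 can be mechanised over a trace matrix. The following is an added example, not text or code from the guide: the four phase names, the artifact naming scheme and the sample trace records are constructed for illustration. It reports requirements that are not carried forward to validation (forward traceability) and later-phase artifacts that trace back to no requirement, which are the candidates for the unintended behaviour that paragraph 6.26 asks V&V to look for (backward traceability).

```python
# Added example, not part of the guide: minimal requirements traceability
# analysis over a constructed trace matrix. Phase names and artifact ids are
# assumptions made for this illustration.
from collections import defaultdict

# Life cycle phases in order; a child artifact must sit in the phase that
# immediately follows its parent's phase (requirement -> design -> ...).
PHASES = ["requirement", "design", "implementation", "validation"]

# Constructed sample trace matrix: (artifact_id, phase, parent_ids).
SAMPLE_TRACE = [
    ("R-1", "requirement", []),
    ("R-2", "requirement", []),
    ("R-3", "requirement", []),          # never designed
    ("D-1", "design", ["R-1"]),
    ("D-2", "design", ["R-2"]),
    ("D-9", "design", []),               # design element with no requirement
    ("I-1", "implementation", ["D-1"]),
    ("I-2", "implementation", ["D-2"]),  # implemented but never validated
    ("V-1", "validation", ["I-1"]),
]


def analyse(trace):
    """Return (forward_gaps, backward_gaps).

    forward_gaps:  requirement id -> first phase with no descendant, i.e. the
                   requirement was not carried through to validation.
    backward_gaps: later-phase artifacts with no parent at all, i.e. possible
                   unintended functionality that must be justified or removed.
    """
    phase_of = {aid: ph for aid, ph, _ in trace}
    children = defaultdict(list)
    backward_gaps = []
    for aid, ph, parents in trace:
        if ph != PHASES[0] and not parents:
            backward_gaps.append(aid)
        for parent in parents:
            children[parent].append(aid)

    forward_gaps = {}
    for aid, ph, _ in trace:
        if ph != PHASES[0]:
            continue
        frontier = {aid}
        for next_phase in PHASES[1:]:
            frontier = {c for a in frontier for c in children[a]
                        if phase_of[c] == next_phase}
            if not frontier:          # chain broken before validation
                forward_gaps[aid] = next_phase
                break
    return forward_gaps, sorted(backward_gaps)
```

On the constructed matrix the analysis flags R-3 as stopping at design, R-2 as stopping at validation, and D-9 as a design element with no requirement behind it.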
