BS IEC 60880-2:2000 pdf download-Software for computers important to safety for nuclear power plant

01-18-2022 comment

4.1.1.2 Rationale for defence against CCF due to software

The rationale for defence against software faults is that any software fault will remain in the system or channel concerned until detected and corrected, and can cause failure if a specific signal trajectory challenges it. If two or more systems or channels implementing different lines of defence for the same PIE (see 5.3.1.5 of IEC 61513) contain the fault, and are exposed to specific signal trajectories within a sensitive time period, both (or all) systems or channels can fail, which is called a CCF. A more detailed description of these conditions is given in clause A.1.

The potential for CCF due to software should therefore be considered during design. If postulated conditions of CCF can be foreseen, design changes and defence features, including software diversity, may be needed for protection against CCF due to software.

The degree of improvement of defence against CCF and improvement in reliability that can be achieved by diversity cannot be quantified. Judgement is required based on an evaluation of the qualitative reliability which the software can achieve.

If human errors are made before software design starts, they may lead to faults of requirements and potential system failures against which software engineering alone cannot provide a defence. Defence against such CCF is discussed at the system level in 5.3.1.5 of IEC 61513.

If human errors are made during the software engineering process, they may lead to software faults and potential system failures. Where such faults lead to the failure of more than one line of protection the failures are considered to be CCFs due to software.

4.1.2 Design of software against CCF

The basic, and most important, defence against CCF due to software is to produce software of the highest quality, i.e. as error-free as possible.

The extent of coverage of self-monitoring features, such as for data plausibility, parameter range checking, and loop timing etc. as addressed by 4.8, 5.1 and A.2.8 in IEC 60880 is a further important factor in limiting the potential for CCF due to software.

Requirements to achieve highly reliable software with self-monitoring features are given in IEC 60880 and the following paragraphs of this standard.

The use of well-developed software engineering methods with software tool support for software development and verification can help to reduce the number of human design decisions and so potentially reduce the number of faults in the developed software.
