RiskCAT Nuclear User's Manual

RiskCAT Nuclear User's Manual, 12 February 2006

4.19 DOORS export

The RiskCAT Interfaces to Requirements Management Tools offer to export the measures actually selected to the requirements management tool DOORS by Telelogic AB. The RiskCAT Interfaces to Requirements Management Tools are a package of their own and need an extra licence.

Export for each selected measure consists of:
- the identifier of the measure,
- the measure text (text of the level 1 presentation),
- the reference to part as well as clause of IEC 61508,
- the note the user may have issued with respect to the measure,
- the degree of obligation for the measure.

First step to export measures from RiskCAT to DOORS is the selection of the measures to be exported. Then the export itself is started via the menu File. For the export itself some options are given in the menu in a self-explaining manner. The measure related items checked on the left (Data to be exported: Identifier, Measure, Source, Obligation) will be exported in csv text file format; the items are separated by pipe. Note: string items are enclosed in a text enclosure character. Finally the Export button needs to be pushed to choose the name of the export file and to start its generation.

[Screenshot: DOORS export form with the check boxes Identifier, Measure, Source and Obligation and the buttons Quit and Export]

Export of RiskCAT for DOORS is one file (*.csv) with the information selected on the DOORS export form. The im
CAUTION: The screen shown in Figure 2 has all levels (Recommended, Highly recommended, Mandatory, NOT recommended and informative). All users who may be colour blind should go to 7 Software Design and development (D&D) and tab SW Architecture and set the SIL to 3. Then select in turn each of the measure settings to get the check mark by the relevant measures.

3.5 Structure of the measures presentation used with RiskCAT

RiskCAT starts from standards. So the original sets of measures are the standards, represented by the standard tabs (marked with a in Figure 2). A standard may consist of different parts; e.g. IEC 61508 has 7 parts. The standard or even its parts may be so voluminous that it is not appropriate to use all measures as an entity. This has been the reason to break down some standards into areas, represented by the area tabs (marked with c in Figure 2). Depending on the standard, an area may consist of a part of a standard, some clauses of a standard, or some clauses of a part of a standard. For details see the standard specific descriptions in this manual.

Most standards cover a variety of topics, represented by the topic tabs (marked with d in Figure 2). The approach has been to have an assignment between standards chapters and RiskCAT topics. However, in some cases standard chapters have been further split up because of a high number of
[Screenshot: XpdfViewer toolbar showing IEC 61513:2001]

The XpdfViewer provides the following functions:
- First page
- Last page
- Previous page
- Next page
- Back to selection
- Goto page
- Find
- Find next
- Add page to hotlist
- Adjust to page height
- Adjust to page width
- Copy text to clipboard

4.13 Context related retrieval in the original standards

Besides the interface for full text browsing, RiskCAT offers an interface for context sensitive browsing in original standards. Again, prerequisite for this task is the availability of licensed standard files. With RiskCAT Nuclear, IEC 61513 as well as IEC 62138 are available.

The context related retrieval is activated via context menu in the measure window (screen part e in Figure 2). The steps are:
- Mark the measure establishing the context by a single left mouse button click. Otherwise the page selected by context related retrieval is somewhat arbitrary.
- Activate the context menu (depress right mouse button) while the pointer is in the measure window.
- Choose View standard.

[Screenshot: context menu with the entries Standard measure group select, Aspect based selection, Copy measure to clipboard, View standard, Measure explanation, Literature, Term Definition]

RiskCAT will show the page of the standard, highlighting the clause in context. The size of the standards window may be changed by positioning the mouse on the w
[Screenshot: RiskCAT measure window for IEC 62138 with IEC 61226 Category 3; area tabs General, Pre-developed SW, SW requirements spec, SW design, New SW implementation, SW at system integration, SW at system validation, SW modification; legend for measures not applicable, possible, recommended, highly recommended, mandatory and informative. Measures visible from the SW modification clause include: This subclause provides requirements in addition to those for the system, specific or of particular importance; Development of SW modifications so as to maintain consistency with the requirements of 6.1, 6.2, 6.3, 6.4; On-site installation of SW modifications in accordance with the requirements for installation; Integration and validation of SW modifications consistent with the requirements for integration and for validation; IF extent of SW modification does not necessitate full application of the requirements for integration; IF extent of SW modification does not necessitate full application of the requirements for validation; Justification of adequacy and thoroughness of the regression SW integration plan and regression SW validation plan; Records of the application of the plans shall be produced; Comprehensive documentation of SW modifications; Updating all SW documentation affected by the SW modification]
The upper line in the figure beside identifies the version of RiskCAT Nuclear (V1.16). The lower line identifies the versions of the databases (CATS IEC 61513 V1.1 and IEC 62138 V1.1) which are included in RiskCAT.

[Screenshot: About box, RiskCAT Nuclear V1.16, CodeAnalyzer ToolSet, IEC 61513 V1.1, IEC 62138 V1.1, Copyright 1996-2006 by G. Glöe and E.-U. Mainka]

6 IEC 61513 and IEC 62138 specific features

6.1 Presentation of the degree of obligation of the requirements

Up-to-date IEC standards such as IEC 61513 and 62138 use four key words to identify their requirements (the first three explanations are from the introduction to IEC 61226):
- "shall" indicates requirements that are mandatory for compliance with the standard,
- "should" indicates requirements that are not mandatory for compliance with the standard but are strongly recommended,
- "may" indicates that compliance with the recommendation is optional,
- "must not" / "shall not" indicates requirements that are mandatory for compliance with the standard.

Within the RiskCAT tools family only one set of key words is used for the degree of obligation. To realize this:
- "shall" requirements are classified as mandatory,
- "should" requirements are classified as highly recommended,
- "may" recommendations are classified as possible,
- "must not" requirements are classified as not recommended for all categories.
RiskCAT offers an interface for context sensitive browsing of the explanations from the original standard. The context related explanation is activated via context menu in the measure window. The steps are:
- Mark the measure establishing the context by a single left mouse button click. Otherwise the page selected by context related retrieval is somewhat arbitrary.
- Activate the context menu (depress right mouse button) while the pointer is in the measure window.
- Choose Measure explanation.

[Screenshot: context menu with the entries Standard measure group select, Aspect based selection, Copy measure to clipboard, Edit note for measure, View standard, Measure explanation, Literature, Term Definition]

RiskCAT will show the page of the standard, highlighting the explanation in context. The size of the standards window may be changed by positioning the mouse on the window's border (preferably on the left or right hand side), followed by pressing the left mouse button and then moving it.

If other PDF versions of the standards have been installed than those supplied by CATS, RiskCAT may show the wrong page and may highlight the wrong clause. Therefore only those standards supplied by CATS should be used with the RiskCAT tools.

[Screenshot: standards window, page 95, Safety Integrity Level table listing Boundary value analysis, Control flow analysis, Data flow analysis, Error guessing, Fagan inspections, Sneak circuit analysis, Symbolic execution]
- Qualify system
- Qualify SW

For RiskCAT Nuclear the following activities have been added to those given by IEC 61513:
- All
- Assess
- NA (not applicable)
- Evaluate
- Inspect
- Operate
- Test
- Verify

Additionally RiskCAT Nuclear uses the activities from IEC 62138 First Edition 2004-01, which are:

Activity        Reference   Remarks
Plan SW         6.1, 6
Specify SW      6.3
Design SW       6.4         Development (6.1.1.1) is Design plus Implementation
Implement SW    6.5         see Figure 3
Coding          6.5.1
Integrate SW    6.6
Validate SW     6.7
Install SW      6.8
Modify SW       6.10

For RiskCAT the following activity has been added to those given by IEC 62138:
- Manage Safety
4.14 to the respective clause in the chapter for category C (chapter 5).

As already explained in the chapter above, in some cases the RiskCAT short presentation of the clauses indicates by [symbol] that the original clause has much more information than the RiskCAT short form. For IEC 62138 this happens about 20 times.

Dedicated to efficient work, other RiskCATs (e.g. RiskCAT 61508) tend to combine related requirements into one presentation. Because of the nuclear focus this has not been felt to be appropriate for RiskCAT Nuclear. So the presentation of IEC 62138 may seem to be more detailed than that e.g. in RiskCAT 61508, resulting in a higher number of measures.

6.6 Abbreviations

Abbreviations used in the CATS database of IEC 61513 and/or IEC 62138:

AFTS   Assigning application functions important to safety to systems and subsystems
DB     Database
IF     see chapter 6.3 About some Key Words in the individual measure presentation in RiskCAT
HW     Hardware
SQAP   System quality assurance plan
NPP    Nuclear power plant
OR     see chapter 6.3 About some Key Words in the individual measure presentation in RiskCAT
QA     Quality assurance
SOP    System operation plan
SVAP   System validation plan
SVP    System verification plan
SW     Software
[symbol]  see chapter 6.3 About some Key Words in the individual measure presentation in RiskCAT
Export of RiskCAT for CaliberRM are two files:
- Export Info.txt with
  - the items delimiter character "|" and
  - the text enclosure character used for the export;
- *.csv with the information selected on the Caliber export form.

These files are inputs for the CaliberRM tools
- Import factory and
- Import utility.

The import by CaliberRM is specified in the CaliberRM user documentation. Please apply that for the further procedure.

5 Menu functions

5.1 File menu

Functions within the File menu are:
- Load project (see chapter 4.17 Project session reload from a file)
- Store project (see chapter 4.16 Project session storage in a file)
- Result storage (see chapter 4.18 Result storage as RTF file)
- Doors export (see chapter 4.19 DOORS export)
- CaliberRM export (see chapter 4.20 CaliberRM export)
- Exit (closes RiskCAT)

5.2 Standard Text menu

Functions within the Standard Text menu are:
- Standard view by XpdfViewer (see chapter 4.12 Retrieval in the original standards)

5.3 Help menu

Functions within the Help menu are:
- Help: main texts of this user's manual are supplied as help
- About: informs about RiskCAT version and copyright
[Screenshot: RiskCAT measure window for IEC 61513; area tabs Others, System Lifecycle, Output Documentation, Overall Integration and Commissioning, Requirements for the I&C FSE, Overall Operation and Maintenance, I&C architecture, Planning, System design modification, System installation, System detailed design implementation, System spec, Software specification; topic tabs System req spec, Functions; visible measures: IF subsystem of lower class: Design requirements; IF subsystem of lower class: Design such that ...; Inclusion of redundancy in the system design; Inclusion of other features than redundancy in the system design; Design satisfying any independence requirement; IF class 1 system: Sufficient redundancy to meet ...]

Individual measures are selected/deselected by a double click with the left mouse button. The selection is visible by
- a check mark to the left of the measure itself,
- a check mark to the left of the corresponding topic tab,
- a check mark to the left of the corresponding area tab.

The selection is in addition to already selected measures. If the real interest is just to concentrate on the measures actually selected, precautions need to be applied to de-select any measures that may have been selected previously. See the next chapter of this manual for global selection
7 Appendix

7.1 List of Documents

RiskCAT Nuclear uses the documents from IEC 61513 First Edition 2001-03, which are (Document, Reference):

Overall requirements spec                5.2
Detailed I&C architecture design         5.5.1
System requirements spec                 5.5.2, 6.3.1
Overall QA plan                          5.4.1
Overall security plan                    5.4.2
Overall integration plan                 5.4.3.1
Overall integration doc                  7.2
Overall commissioning plan               5.4.3.2
Overall operation plan                   5.4.4
Overall maintenance plan                 5.4.5
Overall user doc                         8
System spec                              6.3.2
SW spec                                  6.3.2.1 d
System design doc                        6.3.3
System QA plan                           6.2.1
System verification plan                 6.2.1.1
System configuration management plan     6.2.1.2
System security plan                     6.2.2
System integration plan                  6.2.3
System integration report                6.3.4
System validation plan                   6.2.4
System validation report                 6.3.5
System installation plan                 6.2.5
System installation report               Table 3, 6.1.6
System operation plan                    6.2.6
System maintenance plan                  6.2.7
System modification request              6.3.6
System modification record               6.3.6
System qualification plan                6.4.1

For RiskCAT Nuclear the following documents have been added to those given by IEC 61513:
- All
- All Overall plans
- All System plans
- Communication link
- HW
- NA (not applicable)
- SW
[Screenshot: RiskCAT window for IEC 61513; function list with IEC 61226 Category (entries include Functions which alert ..., Functions necessary to re..., Functions to reduce the di..., Functions which perform ..., Functions to warn personnel, Functions to monitor and ..., Functions provided for the ..., Functions provided to min..., Functions which provide ...); legend for measures not applicable and measures possible; topic tabs Documentation of Phase Output, Overall Planning Maintenance, Overall Planning Operation, Overall Planning Integration Commissioning, Overall Planning Security, Overall Planning QA, Overall Planning General, Design Analysis, Design Functional assignment, Architecture Defence against CCF, Architecture Tools for later phases, Architecture Data communication, Architecture Human machine interfaces, Architecture General; visible measures: Measures to ensure functionality even in case of internal and external hazards which can lead to ...; Identification of components with demand depending load; Assessment of possible failure modes and sequences with regard to CCF; Minimisation of the risk for CCF by providing systems that operate in the same way before, during ...; Provision of independent systems or subsystems for different lines of defence for the same PIE; IF common resources: Resources consistent with the required reliability target for the safety group ...; Provision of independent means for monitoring and operation and systems important to safety; Minimisation of the risk for CCF when using manual control actions]
[Screenshot: function selection list with IEC 61226 Category control; entries include Plant process control functions, Functions used to prevent ..., Functions which alert control ..., Functions necessary to re..., Functions to reduce the di..., Functions which perform ..., Functions to monitor and ..., Functions to warn personnel, Functions provided for the ..., Functions provided to min..., Functions which provide ...]

The resulting category is the maximum of the categories of the selected functions.

4.2 Manual pre-selection of the category

The category applied to the measures can be modified directly and independently from the selection of the functions by using the up/down switches of the IEC 61226 Category control. In this case the background for the category is greyed to indicate there is a mismatch between the category used and the selected functions.

4.3 Structured overview on the recommended measures

Each of the area tabs represents an important theme within the scope of embedded controllers and their software. And each of the topic tabs represents a coherent set of measures. Just by selection of the corresponding tabs, RiskCAT provides an overview about the measures with respect to the topic given as tab text.

4.4 Selection of individual measures

[Screenshot: topic tabs System spec, Pre-existing components, System req spec]
from notes and informative annexes have not been adopted to RiskCAT generally.

6.2 About the license for the standards supplied with RiskCAT

By contract with the German Chapter of the IEC (DKE), CATS has been asked to declare with RiskCAT:

"The data from the international standards are in use with permission of the IEC (International Electrotechnical Commission, Geneva). They have not been checked by IEC or their deputies. Authoritative for the application of the standard are the versions with the newest edition, which may be received from VDE VERLAG GMBH, Bismarckstr. 33, D-10625 Berlin, www.vde-verlag.de. The user shall pay attention to the national standards. CATS declares that the texts used correspond to the actual state of the IEC standards. 2001-09-24, CATS"

The original clause is in German language. Because no official translation has been available, this translation is by CATS.

6.3 About some Key Words in the individual measure presentation in RiskCAT

To a certain extent, IEC 61513 or IEC 62138 clauses themselves give a condition for their applicability. To ease identification of these conditionally applicable clauses, RiskCAT presents the respective individual measures starting with the Key Word IF. The end of the condition is denoted by [symbol].

To a certain extent, again within a single IEC 61513 or IEC 62138 clause, there is a choice between different mea
measures or because of different matters covered in the same chapter.

A further structuring is by grey shaded areas in the measure window. This presentation indicates that the marked requirements are alternatives to each other.

Figure 3: Presentation of the standard clauses in four levels
1. Short form, which is used for: overview purposes; searching and selection via the RiskCAT window; Rich text format output, e.g. to create checklists.
2. Standard text itself: the detailed and precise wording of the standards clauses needs to be considered to claim conformance with the standards (for each clause).
3. Additional explanation provided by the standard itself: as additional basis for detailed work (development, assessment); as support for users not experienced with the standard.

4 Tasks

4.1 Selection of the functions to be performed

The categorisation of the functions to be performed by the I&C system and its software is based on IEC 61226. It is by selection of the function to be performed. Several functions may be selected in parallel.

[Screenshot: IEC 61226 Categorisation form with categorisation criteria; entries include Functions required to reach ..., Functions the failure or s..., Functions required to prov..., Functions required after tr..., Functions the failure of w..., Functions to reduce ...]
of the nuclear focus this has not been felt to be appropriate for RiskCAT Nuclear. So the presentation of IEC 61513 may seem to be more detailed than that e.g. in RiskCAT 61508, resulting in a higher number of measures.

6.5 About the IEC 62138 presentation by RiskCAT

IEC 62138 is concerned with the functions to be implemented as well as with the software providing the functions. Based on IEC 61226, IEC 62138 uses categories for the functions. However, for the software IEC 62138 uses classes. RiskCAT Nuclear uses categories to control the degree of obligation of the IEC 62138 clauses.

IEC 62138 has chapters of its own for category C and category B. The category B chapter involves the category C chapter (see IEC 62138 at the beginning of chapter 6), partly in a slightly modified manner. For the purpose of the Context related retrieval in the original standards (see chapter 4.13), in IEC 62138 RiskCAT Nuclear references the chapter for category B (chapter 6) as well for category B as for category C.

IF
- the degree of obligation for category C differs from that for category B, AND
- the degree of obligation for category C is not "not applicable", AND
- there is no real explanation by IEC 62138 for the measure,
THEN RiskCAT will give reference at The context related presentation of explanations to the clause provided by IEC 61513 or IEC 62138 themselves, see chapter
the degree of obligation of this manual.

3.3 Measure states

RiskCAT applies a three-dimensional state to each measure. The three state dimensions are:
- marked / unmarked
- selected / deselected
- with comment / without comment

The state "marked" may be assigned to one measure only at any time. Marking of a measure is by a single left mouse button click. It is visible by a box around the text describing the measure.

The state "selected" may be assigned to one, several or even all measures at the same time. Manual selection of a measure is by a single left mouse button click. It is visible by a tick left of the text describing the measure. Automatic selection is discussed later in this manual (see chapters 4.5 Selection of groups of measures according to the degree of obligation to 4.8 Selection of measures related to key words).

The state "with comment" may be assigned to one, several or even all measures at the same time. Adding comments to a measure is via context menu (depress of right mouse button) in the measure list boxes. It is visible by a [symbol] left of the text describing the measure.

3.4 Measure colours

The measures in screen part e are dynamically coloured depending on their level: Not applicable olive, Possible grey, Recommended black, Highly recommended red, Mandatory green, NOT recommended red and informative pink, as indicated by the SIL selected in screen area b.
[Screenshot continued: measures visible in the measure window include Assessment of the effects of a SW modification on the rest of the I&C system and on the other systems ...; Taking any necessary action to ensure the correct operation of the I&C system; Assessment of the effects on SW of modifications in the rest of the I&C system or in the other systems ...; Justification of adequacy and thoroughness of the regression SW validation plan. Source: IEC 62138 6.10.2]

Figure 2: RiskCAT screen parts: a Standard tabs, b Risk window, c Area tabs, d Topic tabs, e Measure window, f Information line

3.2 Interrelationship between the screen parts

The screen parts c, d and e are used to present the measures. The Safety Integrity Level (SIL) selected in screen part b controls the degree of obligation of the measures given in screen part e. However, the two screen parts are largely independent from each other.

The screen relationship between the measures group (parts c, d and e) and the SIL block on the left may be adjusted. This is accomplished by a single left mouse button click on the border line between the screen parts b and c and moving the mouse afterwards.

CAUTION: The measures selected in screen part e are consistent with the safety integrity level shown in screen part b only if the RiskCAT usage is according to chapter 4.5 Selection of groups of measures according to
4.12 Retrieval in the original standards
4.13 Context related retrieval in the original standards
4.14 The context related presentation of explanations to the clause provided by IEC 61513 or IEC 62138 themselves
4.15 The context related presentation of terms used in the measure texts given in IEC 61513 or IEC 62138 themselves
4.16 Project session storage in a file
4.17 Project session reload from a file
4.18 Result storage as RTF file
4.19 DOORS export
4.20 CaliberRM export
5 MENU FUNCTIONS
5.1 File menu
5.2 Standard Text menu
5.3 Help menu
6 IEC 61513 AND IEC 62138 SPECIFIC FEATURES
6.1 Presentation of the degree of obligation of the requirements
6.2 About the license for the standards supplied with RiskCAT
6.3 About some Key Words in the individual measure presentation in RiskCAT
6.4 About the IEC 61513 presentation by RiskCAT
6.5 About the IEC 62138 presentation by RiskCAT
6.6 Abbreviations
7 APPENDIX
7.1 List of Documents
7.2 List of Activities

Figures
Figure 1 RiskCAT Nuclear screen
Figure 2 RiskCAT screen parts
Figure 3 Presentation of the standard clauses in four levels

Acknowledgements and trademarks
All
Edit note for measure. For looking at existing notes or modifying them, choose Edit note for measure again. Notes are saved via Project storage (see chapter 4.16 Project session storage in a file of this manual). They may be reloaded by Project reload.

4.11 Overview on defined terms in the measures texts

As shown in the figure below, terms defined in IEC 61513 or IEC 62138 are highlighted in bold type in the presentation of the measure texts.

[Screenshot: RiskCAT window with the menus File, Standard Text, Help; IEC 61508 measures within the standard with the legend Measures recommended (R), Measures highly recommended (HR), Measures mandatory (M), Measures not recommended (NR), Measures informative (I); topic tabs HW Architecture, Behaviour under random failures, Random hardware failure rate computation, HW Fault avoidance; visible measures: Probability of failure due to random hardware failures less than target failure measure; Estimation of failure probability taking into account architecture; Estimation of failure probability taking into account common cause failures; IF Hardware fault tolerance > 0: diagnostic test interval for required HW failure probability (see 7.4.3.2.1); IF Hardware fault tolerance = 0, low demand mode: diagnostic test interval for required HW failure probability (see 7.4.3.2.1); IF Hardware fault tolerance = 0, high demand or continuous mode: diagnostic test interval plus safe ...]
RiskCAT Nuclear V1.16 User's Manual
CATS CodeAnalyzerToolSet
12 February 2006

RiskCAT Nuclear: Requirements derivation from Risk classes. A Tool of the Code Analyzer Tool Set. User's Manual.
Günter Glöe & Ernst-Ulrich Mainka, Hamburg, www.cats-tools.de

Contents
1 OVERVIEW
2 INSTALLATION, FIRST START, DEINSTALLATION
2.1 The components of RiskCAT
2.2 Local Operation on a PC
2.3 Uninstallation on a local PC
2.4 Network Installation of RiskCAT
2.5 Network Uninstallation
3 BASICS
3.1 Screen parts
3.2 Interrelationship between the screen parts
3.3 Measure states
3.4 Measure colours
3.5 Structure of the measures presentation used with RiskCAT
4 TASKS
4.1 Selection of the functions to be performed
4.2 Manual pre-selection of the category
4.3 Structured overview on the recommended measures
4.4 Selection of individual measures
4.5 Selection of groups of measures according to the degree of obligation
4.6 Selection of measures related to documents
4.7 Selection of measures related to activities (life cycle phases)
4.8 Selection of measures related to key words
4.9 Copying the actually marked measure into the clipboard
4.10 Edit notes to the marked measure
4.11 Overview on defined terms in the measures texts
- System
- System Interconnected

Additionally RiskCAT Nuclear uses the documents from IEC 62138 First Edition 2004-01, which are (Document, Reference):

SW QA plan                          6.1.1.1
SW QA record                        6.1.1.11
SW configuration management plan    6.1.3.1
Security assurance plan             6.1.6.1
SW verification plan                6.1.2.1
SW verification record              6.5.4.2
SW requirements spec                6.1.2.4, 6.3
Doc for Safety                      6.2
Development tools instruction       6.1.5.4
Development tools log               6.5.1.2
Code, Executable                    6.5.1.3
Program doc                         6.5.1.2, 6.5.2.1
Coding rules                        6.5.3.4
Regression SW integration plan      6.10.2
SW validation plan                  6.1.2.4
SW validation record                6.7.5
Regression SW validation plan       6.10.2
SW installation plan                6.8.1
Anomaly report                      6.9.1
SW modification plan                6.10
SW modification records             6.10.4

7.2 List of Activities

RiskCAT Nuclear uses the activities from IEC 61513 First Edition 2001-03 (table 1, page 47, and table 3, page 83), which are:
- Review plant requirements
- Design I&C architecture
- Assign functions
- Plan overall
- Overall validation
- Overall integration
- Overall commissioning
- Specify system requirements
- Specify system
- Design system
- Implement system
- Integrate system
- Validate system
- Install system
- Modify system
For both types of network installation a single RiskCAT executable is located on the server (USB or disk drive). Additionally one XPDF Viewer is installed on each client.

CAUTION: The number of simultaneous users is limited by the licensed number of users.

The installation procedure for the two installation types differs.

In case of CATS USB memory stick usage:
- the stick just needs to be connected to the server, and
- the local XPDF Viewer installation needs to be performed by calling the XpdfViewerCtrl-3.1-00.04.exe located in the stick directory XPDF Installation before the first RiskCAT Nuclear client session is started.

For a server disk drive based installation:
- the contents of the CATS USB memory stick or of the CATS CD need to be copied into a suitable RiskCAT target directory on the server disk, or
- the minimum runtime environment for RiskCAT Nuclear needs to be installed on the server by running the Setup.exe from the root of the USB memory stick or of the CATS CD. In this case the XPDF subdirectory must be copied manually into the RiskCAT Nuclear target directory created by the Setup.

As for the USB memory stick usage, the local XPDF Viewer installation needs to be performed by calling the XpdfViewerCtrl-3.1-00.04.exe located in the stick directory XPDF Installation before the first RiskCAT Nuclear client session is started.

Please contact us for fu
ction and the DeSelect, the set of deselected measures may be different from the selected set. So here DeSelect is only the inverse function to Select if the SIL is the same for both actions.

The selection is in addition to already selected measures. If the real interest is just to concentrate on the measures you are about to select, then precautions need to be applied so that on starting measure selection no measures are already selected.

4.6 Selection of measures related to documents

The document related selection functionality is activated via context menu (depress of right mouse button) in the measure window (screen part e in Figure 2).

[Screenshot: context menu with the entries Standard measure group selection, Aspect based selection, Copy measure to clipboard, Edit note for measure, View standard, Measure explanation, Literature, Term Definition]

After choice of Aspect based selection, the aspect related selection form shown on the left appears. The set of documents is listed in Appendix 7.1.

[Screenshot: Aspect based selection form with the groups Aspect selection (Characteristic, Document, Activity, Keyword; selection type "or type" / "and type"), Selection range (actual standard / all standards), and the document list SW integration plan, SW integration record, SW modification plan, SW modification record, SW QA plan, SW QA record, SW requirements spec, SW spec, SW validation plan, SW validation record]
25. de selection of measures 4 5 Selection of groups of measures according to the degree of obligation Standard measure group The selection of groups according to the Aspect based selection Copy measure to clipboard Edit note for measure View standard Measure explanation Literature Figure 2 Term Definition degree of obligation3 under the currently selected SIL of the measures is activated via context menu depress of right mouse button in the measure window screen part e in For the degree of obligation please refer as well to chapter 6 1 Presentation of the degree of obligation of the requirements Page 11 of 32 RiskCAT Nuclear User s Manual 12 February 2006 IEC measure group selection X After choice of Standard measure group r Measures to be de selected Selection range selection the selection form shown on the Measures possible whole standard left appears Measures recommended actual page F Measures highly recommended If the whole standard is activated the F Se selection will be for all measures in all areas Measures not recommended for all topics C DeSelect m OR If the actual page is activated the selection ow _ OK will be just for the measures in visible topic tab The visibility of the selection is same as for individual measures selection CAUTION If you change the SIL between group sele
26. ection of measures related to activities life cycle phases DUO Um ee 9 the selection of measures related to key words 9 the copy function for actually marked measure into the clipboard 10 the possibility to edit notes for each individual measure 11 overview on defined terms in the measures texts The set of documents used is given in Appendix 7 1 List of Documents The set of life cycle phases used is given in Appendix 7 2 List of Activities Page 1 of 32 RiskCAT Nuclear User s Manual 12 February 2006 12 retrieval in the original standards available only if user has installed pdf files of the concerned standard in the RiskCAT target installation directory 13 the context related presentation of the original standards clause 14 the context related presentation of explanations to the clause given by IEC 61513 or IEC 62138 themselves 15 the context related presentation of terms used in the measure texts given in IEC 61513 or IEC 62138 themselves 16 the storage of measure profiles as project or company templates in a project file project storage 17 the reloading of measure profiles 18 the result storage as text file Rich Text Format RTF consisting of e selected risk parameters e risk class e selected measures and e the notes related to the selected measures 19 the result export to DOORS available only with an RiskCAT Interface to Requirements Management Tools 20 the re
27. indows border preferred on the left or right hand side followed by pressing the left mouse button and then moving it iba 3 Conti Planning including strategies tools evaluation of results Verification in accordance with the plan Documented evidence for satisfactory completion of verified phase Documentation of verified iterns scale non conformances Availability of information for correct execution of the next phase Verification of information for correct execution of the next phase Verification of safety requirements architecture system design SW safety requirements verification after specification before design including SW architecture verification after architectural design including SW system design verification after system design including SW module design verification after module design including Code verification by static methods to ensure conformance to design 4 Page 38 If other PDF versions of the standards have been installed than those supplied by CATS RiskCAT may show the wrong page and may highlight the wrong clause Therefore only those standards supplied by CATS should be used with the RiskCAT tools Page 17 of 32 RiskCAT Nuclear User s Manual 12 February 2006 4 14 The context related presentation of explanations to the clause provided by IEC 61513 or IEC 62138 themselves For certain clauses IEC 61513 or IEC 62138 themselves provides additional explanations
28. interrupt and resume RiskCAT tool sessions For this purpose the actual status is stored in binary RiskCAT project files e For the project leader or the quality manager it offers the possibility to fill in the comments to the measures Thereby advice may be given to the normal user by which means e g tools procedures forms compliance with the measure shall be achieved in a specific project If certain measures are not applicable in a specific project or for a specific part of a project background for this may be supplied as comment as well So the comments result in a company or project specific framework This framework or requirements capture may be stored and used as a starting point by the normal users The storage function is chosen by item Store project in File menu 4 17 Project session reload from a file e For a new session the framework prepared by the project leader or the quality manager may be loaded e An interrupted and stored tool session may be resumed The restore function is chosen by item Load project in File menu 4 18 Result storage as RTF file For further documentation e g creation of checklists or test plans RiskCAT offers storage as text file Rich Text Format RTF of e The selected risk parameter e The Safety Integrity Level SIL as shown in the risk window that is either the SIL resulting from risk parameters or the manually pre selected one e Three sets
29. it Ok E C Deselect List of Documents page 29 of this manual Page 12 of 32 RiskCAT Nuclear User s Manual 12 February 2006 Apart from the possibility to select according to the documents list RiskCAT offers selection according to activity life cycle phase Of course documents and life cycle phases are related to each other However a phase may result in several documents and on the other hand a document may be used for different phases Therefore RiskCAT uses documents as well as activities If you are interested in a specific selection you should just apply a single document or activity If your interest is to get a complete view you should run two selections after each other e In one or type selection choose the document of your specific interest as well as AIL Terminate it with Ok e In the other or type selection choose the activity related to the document of your specific interest as well as All Terminate it again with OK The selection is in addition to already selected measures So precautions need to be applied that at starting no measures are selected 4 7 Selection of measures related to activities life cycle phases As the with the document related selection functionality the activity related selection is activated via context menu depress of right mouse button in the measure window screen 66 pa
30. ked measure into the clipboard The copy to clipboard functionality is activated via context menu in the measure window screen part e in Figure 2 The steps are e Mark the measure to be copied by a single left mouse button click Otherwise no measure will be found on the clipboard later on e Activate context menu depress right mouse button while the pointer is in the measure window e Choose Copy selected measure to clipboard to copy contents of the state line e Use an application with clipboard functionality e Insert or paste clipboard contents 4 10 Edit notes to the marked measure Purpose of edit notes is to provide e Space for comments on a specific project e g to log the reasoning for not selecting particular measures for the project e Company specific frames of prescribed measures as well as company specific interpretations of measures e Log results from audits reviews or tests The edit measure note functionality is activated via context menu in the measure window S Measure Note 250 characters max ojx The steps are Semi formal methods not applied Ve use structured method SADT instead e Mark the measure for which the item note shall be edited by a single left mouse button click Otherwise nothing visible to the user will occur e Activate context menu Depress right Cencel mouse button while the pointer is in the measure window screen part e in Figure 2 e choose
31. mas Page 18 of 32 RiskCAT Nuclear User s Manual 12 February 2006 4 15 The context related presentation of terms used in the measure texts given in IEC 61513 or IEC 62138 themselves For certain terms IEC 61508 or IEC 62138 themselves provide definitions RiskCAT offers an interface for context sensitive browsing the definitions from the original standard The defined terms used in the measures presentation are presented in bold The context related term definition is activated via context menu in the measure window The steps are Standard measure group select Aspect based selection e Go with the cursor to a defined bold term The type of the cursor which normally is then will change to d Copy measure to clipboard Edit note for measure view standard Measure explanation e Activate context menu depress right mouse button literature while the pointer is in the measure window e Choose Term Definition RiskCAT will show the page of the standard highlighting the definition in context The size of the standards window may be changed by positioning the mouse on the windows border preferred on the left or right hand side followed by pressing the left mouse button and then moving it 0 a T Overall safety requirements I Safetey requirements allocation Frequency of and B exposure time in the 5 E Operation and maintenance plan Validation
32. ns as back up IF opposite actuations of different systems may occur Analysis to determine action under faifun Avoidance of undetected faults by high quality planning Tailoring of the quality of the I amp C systems according to provisions of this standard Self supervision for detection of systematic failures Eail predefined behaviour for detected failures F required reliability higher then predicted reliability design modification IF high reliability is required diversity Consideration of functional and signal diversity Consideration of equipment diversity for complex systems with limited operational experience Usage of diverse verification procedures or methods Usage of diverse validation procedures or methods IF diversity is used Analysis of the effectiveness of diverse features Justification for the benefits and drawbacks of diverse features nanumantatinn of tho hanafite and droslacli af diunran fastirse IEC 62138 measures informativ measures recommended recommended measures highly measures measures not mandatory recommended 6 1 System Lifecycle T Overall Integration and Commissioning 6 3 Output Documentation 8 Overall Operation and Maintenance 5 1 5 2 Requirements for the I amp C FSE 64 System Qualification lt 5 3 5 5 Total I amp C architecture 6 2 System Planning IF required reliability higher then predicted reliability design modification Source IEC 61513 5 3 1 5 4 c Figu
33. of licensing conditions the standard files e IEC61226 GB 1 pdf e EC61513 GB_1 pdf and e IEC62138 GB I pdf are for use with RiskCAT only Page 4 of 32 RiskCAT Nuclear User s Manual 12 February 2006 2 2 Local Operation on a PC RiskCAT Nuclear does not need any installation Just run the executable file RiskCAT_Nuclear_V11le exe from the directory RiskCAT Nuclear on the USB memory stick CAUTION The execution of RiskCAT_Nuclear_V1le is possible only from the original USB memory stick For backup purpose the stick contents may be copied to any backup device However RiskCAT_Nuclear_V1le will operate from the memory stick only CAUTION The first execution of RiskCAT_Nuclear_V11e will install the XpdfViewer ActiveX Control Version 3 0 on the local PC In case of version conflicts with a XpdfViewer already installed please contact CATS via info cats tools de 2 3 Uninstallation on a local PC As RiskCAT Nuclear does not need any installation so it does neither need any uninstallation Uninstallation of XpdfViewer is accomplished by running WINDOWS System Control gt Software gt Installation Uninstallation gt selecting the XpdfViewer control 2 4 Network Installation of RiskCAT RiskCAT offers two different possibilities for network installations e You may access RiskCAT_Nuclear_V1le on the CATS USB memory stick network wide or e you may use a server disk drive based installation This option needs an extra licen
34. of measures e Measures contained in more than one set are stored once only For each measure following items are stored e The measure text text of the level 1 presentation e The reference to the standard as well as to the clause e The degree of obligation e The note Page 20 of 32 RiskCAT Nuclear User s Manual 12 February 2006 Be Result storage is started via the Standards Data to be stored iv IEC 61508 safety integrity l EA M measures selected iv measures with itemnotes measures not selected Delimiter Char menu File For result storage there are some options given in the menu in a self explaining manner The option to select a delimiter character supports an import of the stored data in tables by a text processor Quit Store RiskCAT Nuclear Results IEC 61226 category Category_B Criteria checked IEC 61513 measures selected IC Architecture Design CCF Avoidance of undetected faults by x M high quality planning IC Architecture Design CCF IF required reliability higher then x P predicted reliability design modification IEC 62138 measures selected Requirements Content SW requirements spec stating the SW x M quality objectives Requirements Content SW requirements spec stating the x P constraints to be respected by SW design and implementation because of correctness
35. plan Installation and commissioning plan hasardane sana ps md E 3 1 Em 1 m z m 1 Bporviewrorm i i 14 di 4 ml alal 3 5 12 mode of operation m way in which a safety related system is intended to be used with respect to the frequency of mi demands made upon it which may be either lem t f tion ma nan twice t t ss Page 20 Safety Integrity level a E Indication whether the SIL is for the sow demand mode or the high demand or continuous mode of op 5 p d IF different SiLs in one system highest requirements OR independence z a IF a single system which may be redundant is used for SIL 4 meet criteria 3 m Lower bounds for fa ure probabilities allocated to a single system are 10 exp 5 per demand respectiv T E 8 Documentation of safety requirements allocation G A fr Exception of requirements from compliance for low complexity systems Clause IEC 61508 Partt 4 2 If other PDF versions of the standards have been installed than those supplied by CATS RiskCAT may show the wrong page and may highlight the wrong clause Therefore only those standards supplied by CATS should be used with the RiskCAT tools Page 19 of 32 RiskCAT Nuclear User s Manual 12 February 2006 4 16 Project session storage in a file Project storage has two distinct purposes one for the normal user and another for the project leader or the quality manager e For the normal user it offers the possibility to
36. port by DOORS is specified in the DOORS user documentation Please apply that for the further procedure Page 22 of 32 RiskCAT Nuclear User s Manual 12 February 2006 4 20 CaliberRM export The RiskCAT Interfaces to Requirements Management Tools offer to export the measures actually selected to the requirements management tool CaliberRM by Borland Software Corporation The RiskCAT Interfaces to Requirements Management Tools are a package of its own and need an extra licence Export for each selected measure consists of e The identifier of the measure e The measure text text of the level 1 presentation e The reference to part as well as clause of IEC 61508 e The note the user may have issued with respect to the measure e The degree of obligation for the measure First step to export measures from RiskCAT to CaliberRM is the selection of the measures to be exported Then the export itself is started via the menu File Caliber export x rData to be exported For the export itself there are some options given in the menu in a self explaining manner The measure related iterns checked on the left will Measure exported in cvs textfile format Finally the Export button needs to be pushed to choose the name of one of the export files v Source and to start their generation the items are seperated by pipe Note string items are enclosed in iv Obligation Quit
37. quirements generally result from two different sources One source is the specific requirements from requirements from requirements of the customer or producer e g state of the art or customer or based on their applications or marketing standards project strategy The other sources are the requirements imposed on the embedded system and its software by the state of the art represented e g Requirements by national or international standards Specification RiskCAT is a tool of Code Analyzer Tool Set CATS for requirements capturing from standards thereby providing the starting point for high quality development and products in the area of embedded systems and their software The state of the art in quality of Instrumentation and control for systems important to safety is provided to a large extent by IEC 61513 as well as IEC 62138 The design of RiskCAT is modular and widely configurable It is possible for CATS to adopt the tool to modifications and enhancements of the standards applied as well as the extension to additional standards or other technical rules The work tasks assisted by RiskCAT Nuclear are 1 Selection of the functions to be performed 2 manual pre selection of the category the structured overview on the recommended measures the selection of individual measures the selection of groups of measures according to the degree of obligation the selection of measures related to documents the sel
38. re 1 RiskCAT Nuclear screen RiskCAT is designed for use by embedded systems software professionals Experience of using Windows on PCs is required Page 3 of 32 RiskCAT Nuclear User s Manual 12 February 2006 2 Installation First Start Deinstallation 2 1 The components of RiskCAT RiskCAT is an application for Windows 2000 NT XP It is distributed on an USB memory stick The USB memory stick has the following directory structure e RiskCAT Nuclear with the subdirectory e XPDF e Tool Documentation e CATS Information The directory RisKCAT Nuclear contains besides other files e The RiskCAT executable RisKCAT Nuclear Vl1le exe e The help file RisKCAT Nuclear V11e hlp e The help content file RisKCAT Nuclear V1le cnt e The standard files e EC61226 GB I pdf e EC61513 GB I pdf e EC62138 GB I pdf The subdirectory XPDF of directory RiskCAT_ Nuclear contains e The XpdfViewer ActiveX Control Version 3 0 XpdfViewerCtrl ocx The sub subdirectory tlfonts in the subdirectory XPDF contains e the fonts needed by the XpdfViewer The directory Tool_Documentation contains e This user manual RisKCAT Nuclear UserManual 11e pdf The directory CATS Information contains e The product description RisKCAT 61508 V5 Product 4 pdf e The product description RisKCAT 50128 V411 Product pdf e The description of the Static Analyzers of the Code Analyzer Tool Set Overview and Motivation StaticAnalyzers 5 pdf Because
39. rt e in Figure 2 X aspect related selection n x After choice of Aspect selection aspect Activity selection range based selection the Overall commissioning actual standard fect f h th OCharacterie Overall integration all standards SEEE CO OUR Sowa gn ele O Overall validation left appears C Document O Plan overall rselection type 1 Plan SW ortype Activity O Qualify SW ivit iH O Quality SW Tool i PE The set of APULIEN 15 listed C Keyword O Qualify system in Appendix 7 2 List of M Review plant requirements O Specify SW Activities page 31 of this manual Ed C Deselect vs d I Quit The selection is in addition to already selected measures So precautions need to be applied that at starting no measures are selected 4 8 Selection of measures related to key words The Keyword related selection functionality is activated via context menu depress of right mouse button in the measure window screen part e in Figure 2 The set of keywords has been created based on work with and discussion about quality of embedded systems and their software by the authors The selection is in addition to already selected measures So precautions need to be applied Page 13 of 32 RiskCAT Nuclear User s Manual 12 February 2006 that at starting no measures are selected 4 9 Copying the actually mar
40. rther information via info 9 cats tools de 2 5 Network Uninstallation The network uninstallation is performed by uninstallation of client based XPDF Viewers by calling XpdfViewerCtrl 3 1 00 04 exe and in case of server disk drive based installations additionally by deletion of the RiskCAT Nuclearcomponents copied on the server or in case of having used Setup exe for installation of the minimum runtime environment for RiskCAT Nuclear on the server using WINDOWS system control or Setup exe to remove the minimum runtime environment for RiskCAT Nuclear from the server Page 6 of 32 RiskCAT Nuclear User s Manual 12 February 2006 3 Basics 3 1 Screen parts X RiskCAT Nuclear V11e File Standards texts Help 51226 C for v TEC61513 mj O M Category C x EUOrysatiu Categorysation criteria Functions required to reac Functions the failure or st O Functions required to prov O Functions required after t Functions required to prov O Functions the failure of w Functions to reduce consi Plant process control func O Plant process control func O Functions used to prevent O Functions which alert con O Functions necessary to re O Functions to reduce the di Functions which perform 1 Functions to monitor and 1 Functions to warn personi Functions to monitor and 1 O Functions provided forthe Functions which provide z
41. sult export to CaliberRM available only with an RiskCAT Interface to Requirements Management Tools An important advantage of the tool supported approach is the possibility to vary interactively risk parameters risk classes and sets of process and realization measures defining alternative or optimized sets of measures to reach specified quality safety or reliability targets The purpose of RiskCAT Nuclear is to assist the user in application of the IEC 61513 as well as IEC 62138 However it is of course not the purpose of the tool to replace the standard Anyhow the detailed and precise wording of the standards clauses needs to be considered to claim conformance with the standards RiskCAT s condensed presentation of the standards contents has been established for the purpose of ease of work overview and general navigation Page 2 of 32 RiskCAT Nuclear User s Manual 12 February 2006 IEC 61226 Categorysation O Functions to monitor and 1 Y RiskCAT Nuclear Y11e Standardstexts Help Categorysation criteria Functions required to reac Functions the failure or st Functions required to prov Functions required after tr Functions required to prov Functions the failure of w Functions to reduce consi Plant process control func Plant process control func Functions used to prevent Functions which
42. sures To present this situation without splitting up the clause into too many individual measures RiskCAT uses the Key Word OR in its presentation To a certain extent again within a single IEC 61513 or IEC 22138 clause several measures are required e g several documents To present this situation without splitting up the clause into too many individual measures RisKCAT may give some of the measures the most important ones hopefully ending up with 6 4 About the IEC 61513 presentation by RiskCAT IEC 61513 is concerned with the functions to be implemented as well as with the systems providing the functions Based on IEC 61226 the IEC 61513 uses categories for the functions However for the systems IEC 61513 uses classes RiskCAT Nuclear uses categories to control the degree of obligation of the IEC 61513 clauses As usual the scope of IEC 61513 is not intended to provide requirements on I amp C systems and their software However there is one basic statement about the safety lifecycle in the scope So CATS decided to include the scope into RiskCAT Nuclear As already explained in the chapter above in some cases the RiskCAT short presentation of the clauses indicates by that the original clause has much more information then the RiskCAT short form For IEC 61513 this happens about 30 times Dedicated to efficient work other RiskCATs e g RiskCAT 61508 tend to combine related requirements into one presentation Because
43. trademarks used in this manual are acknowledged Windows 9 NT 2000 and XP are trademarks of Microsoft PDF is a trademark of Adobe Corporation USA XpdfViewer is a trademark of Glyph amp Cog InstallShield is a trademark of Macrovision Corporation DOORS is a trademark of Telelogic AB CaliberRM is a trademark of Borland Software Corporation CATS Software Tools GmbH would like to thank our UK distributor PhaedruS Systems Ltd for proof reading amp editing the English version of this manual www phaedsys org CATS Software Tools GmbH thanks the DKE Deutsche Kommission Elektrotechnik Elektronik Informationstechnik im DIN und VDE and the IEC International Electrotechnical Commission for permission to reproduce extracts from International Standard IEC 61508 All such extracts are copyright of IEC Geneva Switzerland All rights reserved Further information on DKE is available from www dke de and on the IEC is available from www iec ch DKE and IEC have no responsibility for the placement and context in which the extracts and contents are reproduced by CATS Software Tools GmbH nor are DKE IEC in any way responsible for the other content or accuracy therein Page V RiskCAT Nuclear User s Manual 12 February 2006 1 Overview Prerequisite to produce and certify high quality embedded systems including their software is to know about the functional and non functional Heal Nets requirements imposed on the embedded system M These re
44. ty action time lt proces IF target failure measure is not achieved Prescribed steps to improve the safety integrity 1 General 3 Control System lt tnot D D lopment D D are Just scrolling through the measures provides an overview about the defined terms used in the measures texts 4 12 Retrieval in the original standards RiskCAT offers an interface for viewing the original standards For this the XpdfViewer XpdfViewerCtrl ocx library is implemented Prerequisite for the retrieval is the availability of licensed standard files With RiskCAT Nuclear IEC 61513 as well as IEC 62138 are available Retrieval is started via Standard Text menu The size of the standards window may be changed by positioning the mouse on the windows border preferred on the left or right hand side followed by pressing the left mouse button and then moving it Page 15 of 32 RiskCAT Nuclear User s Manual 12 February 2006 ELITTTITINENEEEESSSS M dol orf 5 gae A GIE T NORME CEI INTERNATIONALE IEC INTERNATIONAL 61513 STANDARD Premi re diton 2001 03 Centrales nucl aires Instrumentation et contr le commande des syst mes importants pour la s ret Prescriptions g n rales pour les syst mes Nuclear power plants Instrumentation and control for systems important to safety General requirements for systems Num ro de r f rence IEC Ires