I&C systems important to safety may be designed using conventional hard-wired equipment, computer-based equipment or by using a combination of both types of equipment. This International Standard provides requirements and recommendations1 for the overall architecture of I&C systems, which may contain either or both technologies. The scope of this standard is: to give requirements related to the avoidance of CCF of I&C systems that perform category A functions; to additionally require the implementation of independent I&C systems to overcome CCF, while the likelihood of CCF is reduced by strictly applying the overall safety principles of IEC SC 45A (notably IEC 61226, IEC 61513, IEC 60880 and IEC 60709); to give an overview of the complete scope of requirements relevant to CCF, but not to overlap with fields already addressed in other standards. These are referenced. This standard emphasises the need for the complete and precise specification of the safety functions, based on the analysis of design basis accidents and consideration of the main plant safety goals. This specification is the pre-requisite for generating a comprehensive set of detailed requirements for the design of I&C systems to overcome CCF. This standard provides principles and requirements to overcome CCF by means which ensure independence2: between I&C systems performing diverse safety functions within category A which contribute to the same safety target; between I&C systems performing different functions from different categories if e.g. a category B function is claimed as back-up of a category A function and; between redundant channels of the same I&C system. The implementation of these requirements leads to various types of defence against initiating CCF events. Means to achieve protection against CCF are discussed in this standard in relation to: susceptibility to internal plant hazards and external hazards; propagation of physical effects in the hardware (e.g. high voltages); and avoidance of specific faults and vulnerabilities within the I&C systems notably: propagation of functional failure in I&C systems or between different I&C systems (e.g. by means of communication, fault or error on shared resources), existence of common faults introduced during design or during system operation (e.g. maintenance induced faults), insufficient system validation so that the system behaviour in response to input signal transients does not adequately correspond to the intended safety functions, insufficient qualification of the required properties of hardware, insufficient verification of software components, or insufficient verification of compatibility between replaced and existing system components.