ML022820048


Slides and Viewgraphs of September 24, 2002, Summary of Meeting with Rochester Gas and Electric Corporation Proposed Digital Upgrades to the Emergency Control Room Air Treatment System Actuation Instrumentation
Person / Time
Site: Ginna
Issue date: 10/08/2002
From: Clark R
NRC/NRR/DLPM/LPD1
To:
NRC/NRR/DLPM/LPD1
References
TAC MB1887
Download: ML022820048 (82)


Text

RG&E GINNA STATION PRESENTATION TO NRC, SEPTEMBER 24, 2002

Ginna License Amendment Request: CREATS Actuation Instrumentation, LCO 3.3.6

RG&E - Ginna Station

PURPOSE OF BRIEFING

  • Provide NRC with an overview of the proposed responses to the 36 NRC questions dated Aug 28, 2002

  • Provide NRC with an overview of the Inovision V&V Program for the Model 956

  • Review schedule

NRC QUESTION RESPONSES

  • For each of the 36 NRC questions from the August 28th letter, proposed responses have been developed along with the attachments requested or needed to provide more detail. An overview of the answers and description of the associated attachments is included here. The purpose is to gain NRC feedback on the level of detail and ensure the necessary documentation responds to the question.


BACKGROUND

  • Pre-1984 - Single radiation monitor (R-1) in the control room
  • 1984 - Installed 3 diverse radiation monitors (R-36, R-37, and R-38) which take a suction from the control room ventilation system intake and provide input to a single train of actuation logic

BACKGROUND

  • The current system has had a number of failures and issues associated with it:

- component failures

- electronic noise

- replacement part quality concerns

- obsolescence of replacement parts

BACKGROUND

  • Replace existing actuation instrumentation system with 2 redundant radiation monitors placed directly within the control room ventilation system intake
  • Configure radiation monitors and actuation logic into 2 redundant trains, including 2 manual actuation switches

QUESTION 36

  • Large LOCA is the accident analyzed in Ginna UFSAR Section 6.4, "Habitability Systems"

  • FHA has higher source term, but shorter duration, so initiation setpoint is acceptable

  • Remaining accidents have no specific Control Room dose analysis available. Instead, qualitative reviews of offsite doses were reviewed/performed.

- Rod ejection/SBLOCA - 10% fuel failure results in rapid system response

- SGTR and MSLB - qualitative review using X/Q ratio shows < GDC 19 without isolation

QUESTION 36 (Cont.)

- Tornado Missile - plant procedures require placing ventilation system in recirculation for a tornado watch

QUESTION 1

  • Inovision Model 956A unit has been qualified for EMI/RFI in accordance with EPRI TR-102323 Rev. 1 as documented in Attachment 1.

  • Testing performed by F-Squared Lab in Ohio.

  • Exceptions to range or testing in TR Rev. 1 under evaluation per TR Rev. 2

  • For any exceptions to Rev. 2, testing will be re-performed by Nov. 1, 2002.

QUESTION 2

  • RG&E FMEA Performed for CREATS Instrumentation System
  • To be provided to NRC as Attachment 2.


QUESTION 3

  • EE-171 is to be provided to NRC as Attachment 3.
  • C of C to RG&E to be provided as Attachment 4.
  • NUPIC audit of Inovision to be provided as.


QUESTION 4

  • 4.A) Same hardware and software design for 94X and 956A. Difference is in the process application:

- 942 - Process instrument

- 946 - Ion Chamber

- 956A - G-M Tube

- Software for each is configured for the application

QUESTION 4 (Cont.)

  • 4.B) Model 94X and 956A design and testing, per the Victoreen QA Manual, was done in the 1980s.

- Since then Victoreen (now Syncor) has been audited by NUPIC and approved.

- Now, Syncor is performing a V&V Program following EPRI TR-103291 Rev. 1 (addressed in detail in a later question)

QUESTION 4 (Cont.)

4.C) Over 200 Model 956A's in service throughout the U.S. and world in nuclear and non nuclear applications. Attachment 6 will be provided to the NRC documenting the listing of locations for use.


QUESTION 5

  • There has never been a reported failure in the nuclear OE database.
  • The vendor noted that replacement parts are ordered by clients. All customer noted interactions as related to model 956 have been non-failure mode maintenance.


QUESTION 6

  • 6.A) Memory chips are not the same as timing and system interface and are CMOS type devices
  • 6.B) Chips are soldered in place and are qualified as documented in Syncor Qualification Report 950.366 included.


QUESTION 6 (Cont.)

  • 6.C) The memory organization is very simple intended to perform only the very limited functions required for each model application. It is not a complex program with multi-functions or tasks running at the same time.


QUESTION 7

  • 7.A) The assembled code was compared through functional testing such that the differences are considered minor.
  • 7.B) HP64100 and American Arium Development System were commercially available software development tools, when the software was developed.

- Firmware was subjected to the factory acceptance testing for Appendix B qualification

QUESTION 8

  • Software V&V Plan
  • The V&V will be forwarded to the NRC as Attachment 7 and includes:

- Software Requirements Specification (SRS): software requirements specifications

- Software Design Description (SDD): software description, software flow diagram, interrupts, watchdogs

- Software V&V Test Procedure

- Software V&V Test Report

- Software V&V Matrix

- Software Design Reviews

V&V PLAN OUTLINE

1 Purpose
2 Referenced Documents
3 Definitions
4 Verification and Validation Overview
5 Life-Cycle Verification and Validation
6 Software Verification and Validation Reporting
7 Verification and Validation Administrative Procedures

SRS OUTLINE

1 Introduction
2 Overall Description
3 Specific functional requirements
3.1 External interface requirements
3.1.1 User interfaces
3.1.2 Hardware interfaces
3.1.3 Software interfaces
3.1.4 Communications interfaces
3.2 System features
3.3 Performance requirements
3.4 Design constraints
3.5 Software system attributes
3.6 Other requirements

SDD OUTLINE

1 Introduction
1.1 Purpose
1.2 Scope
1.3 Definitions and Acronyms
2 References
3 Decomposition Description
3.1 Module Decomposition
3.2 Concurrent Process Description
3.3 Data Decomposition
4 Dependency Description
5 Interface Description
5.1 Module Interface
5.2 Process Interface
6 Detailed Design
6.1 Module Detailed Design

QUESTION 9

  • Model 956 completed design and QA testing in 1985.
  • Since then over 200 model 956 units have been installed and operated over 3 million hours
  • Originally designed and tested per 10 CFR 50 Appendix B
  • Software V&V per EPRI TR-103291 App.


QUESTION 10

  • Earlier qualification program documents being provided to NRC as Attachment 8.
  • Attachment 9 will provide:

- Current vendor test plan and procedures

- System manual

- Operator instruction manual

- Written factory acceptance test procedure

  • Attachment 10 will provide RG&E review of factory acceptance testing.

QUESTION 11

  • As requested, vendor manual will be provided in V.
  • Attachment 11 will provide RG&E procedures:

- IP-DES-2

- IP-DES-4

QUESTION 12

  • Syncor has a NUPIC audited design control program that documents by Engineering Change Notice upgrades for both hardware and software. QSP-205 is the control procedure in the QA Manual.

  • Syncor QA Manual will be provided as Attachment 12.

  • EPROM controlled by Revision level.

  • RG&E currently does not have equipment to perform upgrades at this time.

QUESTION 13

- "The appropriate reliability level requirements for this safety function have been determined by reviewing the operating requirements and comparing them to the criticality of operation of the safety function with respect to time and consequences. Factors considered in qualitatively evaluating reliability were redundancy of components, independence of the redundant trains, fail safe operation of safety function actuating components, and cross-train connection of isolation signals to minimize the possibility of an actuating signal from being prevented. All of these factors have been incorporated into the design to maximize the reliability of the safety system, consistent with the criticality of the performance of this safety system.


QUESTION 14

  • The Ginna CREATS Instrumentation PSA is to be included as Attachment 13.
  • Common cause failures (CCFs) were determined using the beta factor method:

- Used device with highest failure probability (radiation element)

- Assumed beta factor of 2.5% (per NUREG/CR-5485)

- CCFs account for 76% of calculated results
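The beta-factor split described on this slide, worked through for the two-train 1-of-2 design from the Background slides, as an added Python example (not from the Ginna PSA or the original presentation). The per-component failure probabilities and the three-component train make-up are constructed assumptions; only the 2.5% beta factor comes from the slide.

```python
"""Beta-factor common-cause failure (CCF) treatment for a 1-of-2 redundant
actuation system. Added illustration, not the Ginna PSA: every failure
probability below is a constructed sample value."""
from dataclasses import dataclass

# Generic beta factor quoted on the slide (NUREG/CR-5485): 2.5 % of the
# radiation element's failure probability is treated as common cause.
BETA = 0.025


@dataclass(frozen=True)
class Train:
    """Per-demand failure probabilities of one actuation train (constructed)."""
    radiation_element: float   # the highest-probability device, per the slide
    actuation_logic: float
    output_relay: float


def _series_unavailability(probabilities) -> float:
    """A train fails if any series component fails: 1 - prod(1 - q_i)."""
    available = 1.0
    for q_i in probabilities:
        available *= 1.0 - q_i
    return 1.0 - available


def single_train_unavailability(train: Train) -> float:
    """Unavailability of one train standing alone (the pre-upgrade design)."""
    return _series_unavailability(
        [train.radiation_element, train.actuation_logic, train.output_relay])


def train_independent_unavailability(train: Train, beta: float) -> float:
    """Independent-failure part of one train. The beta-factor method splits the
    radiation element's probability Q into (1 - beta) * Q independent and
    beta * Q common cause; only the independent share is counted here."""
    return _series_unavailability(
        [(1.0 - beta) * train.radiation_element,
         train.actuation_logic, train.output_relay])


def redundant_system_unavailability(train: Train, beta: float) -> dict:
    """Two identical trains, either one sufficient to actuate (1-of-2).
    System failure = both trains fail independently + one CCF event that
    takes out both radiation elements together (beta * Q of the element).
    Rare-event approximation: the two terms are simply summed."""
    q_ind = train_independent_unavailability(train, beta)
    independent = q_ind * q_ind
    ccf = beta * train.radiation_element
    total = independent + ccf
    return {
        "independent": independent,
        "ccf": ccf,
        "total": total,
        "ccf_fraction": ccf / total if total else 0.0,
    }


def ccf_fraction_by_beta(train: Train, betas) -> dict:
    """Sensitivity: share of the result attributable to CCF for each beta."""
    return {b: redundant_system_unavailability(train, b)["ccf_fraction"]
            for b in betas}


# Constructed sample values (per demand), not Ginna data.
SAMPLE_TRAIN = Train(radiation_element=2.0e-3,
                     actuation_logic=5.0e-4,
                     output_relay=3.0e-4)

if __name__ == "__main__":
    single = single_train_unavailability(SAMPLE_TRAIN)
    result = redundant_system_unavailability(SAMPLE_TRAIN, BETA)
    print(f"single train  : {single:.3e}")
    print(f"1-of-2 system : {result['total']:.3e} "
          f"(CCF share {result['ccf_fraction']:.1%})")
    for b, f in ccf_fraction_by_beta(SAMPLE_TRAIN, (0.0, 0.01, 0.025, 0.1)).items():
        print(f"beta={b:<6} CCF share {f:.1%}")
```

With these sample values the independent double-failure term is driven down to the 1e-6 range while the CCF term stays at beta times Q, which is why the common-cause contribution dominates the redundant result just as the slide reports for the real PSA.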

QUESTION 15

  • Syncor documents to be included in Attachment 9.


QUESTION 16

  • A copy of the latest NUPIC audit with two findings is included in Attachment 5. The statement on non-conformances means that no non-conformances were received by Syncor for the model 956.
  • Users are not required to report non-conformances but are encouraged to report operation or performance issues that affect customer satisfaction.


QUESTION 17

  • No specific evaluation of software common mode failure was performed.
  • V&V process and quality control will provide reasonable assurance that likelihood of software failure is sufficiently low.


QUESTION 18

  • Yes - see section 4.8 of the referenced response: The equipment has been specified, designed, and installed in a configuration and in locations that will not result in the degradation of safety system performance for any conditions described in the UFSAR for the applicable design basis events listed in section 4.1. All appropriate design provisions have been incorporated to retain the capability for performing the safety functions required for those events. Other events (such as fires, loss of ventilation, spurious operation of fire suppression systems, operator error, failure in a non-safety system, or missiles and pipe breaks not listed in section 4.1) either do not degrade the system or do not result in a condition that will require the system to perform its safety function.

QUESTION 19

  • Isolators purchased as safety related from an Appendix B vendor (Sciencetech/NUS) and perform the isolation function as specified in IEEE 384-1981.


QUESTION 20

  • Fuses provide isolation of 120VAC control circuits only and are not relied upon for signal isolation.


QUESTION 21

  • The Syncor Product Information Bulletin is being provided as Attachment 14 which is a summary of the product history.


QUESTION 22

  • 5 contains a listing of all components including those purchased as safety related including:

- Radiation monitors (detector and ratemeters)

- Control board components

- Control relays

- Terminal blocks

QUESTION 23

  • RG&E document EE-100 is included as 6.


QUESTION 24

  • RG&E Nuclear Assessment Procedure QA-PES-1 is included as Attachment 17.


QUESTION 25

  • 25.A) The safety function of the computer is to read data, determine when the setpoint is reached, and change the output state of a contact to initiate CREATS isolation.
  • 25.B) Characteristics are identified in the SRS, SDD, Matrix and V&V Test Procedure (Attachment 7)
  • 25.C) Demonstrated by V&V Test Procedure and documented in V&V report.


QUESTION 26

  • Qualification Report included as Attachment 1 documents temperature and humidity range.
  • Environmental requirements bound those specified in the Ginna UFSAR for those accidents which CREATS instrumentation is required to operate.


QUESTION 27

  • Attachment 1 has a copy of the IRM Qualification Test Report and Data (Qual. Report 950.366.)


QUESTION 28

  • Diagnostic coverage for computer functions will be identified in the SRS and SDD to be provided to NRC with the V&V Report.


QUESTION 29

  • The RG&E test plans are contained in the Test Instructions contained in Attachment 18.


QUESTION 30

  • Backup provided in the non-safety related area radiation monitor, R-1, in the control room. This monitor (model 946) also provides an alarm and partial control room isolation.
  • Also, the Ginna Nuclear Emergency Response Plan provides for on-shift radiation protection technician support which includes control room monitoring.


QUESTION 31

  • Review to IEEE 384 provided in RG&E design analysis DA-EE-2001-009, Section 5.6 being provided to the NRC as Attachment 19.


QUESTION 32

  • Similar to Question 16.

  • A copy of the latest NUPIC audit with two findings is included in Attachment 5.

  • Users are not required to report non-conformances but are encouraged to report operation or performance issues that affect customer satisfaction.

QUESTION 33

  • Required system response time described in RG&E Engineering Analysis DA-EE-2001-013 (previously submitted).
  • Response time testing of CREATS is verified using end-to-end testing during required TS tests, which currently confirms UFSAR assumptions.

QUESTION 34

  • Monitors calibrated per RG&E Procedures CPI-MON-R45 and CPI-MON-R46.
  • Data sheets with as-found values, required values, and allowable tolerances defined
  • Out-of-tolerance values addressed immediately by corrective action process per RG&E Procedure IP CAP-1.


QUESTION 35

  • RG&E setpoint program updated in the past three years per ISA-S67.04-1994 Part I and II.

  • Calculations performed to 95/95 per the ISA Standard and NRC Regulatory Guide 1.105 Rev. 2.

  • Drift analysis provided for all Tech. Spec. calculations

SCHEDULE

  • Submit by October 4, responses to questions:

- 2, 3, 4, 5, 6, 7, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 26, 27, 29, 30, 31, 32, 33, 34, 35, 36

  • Submit by November 1, responses to questions:

- 1, 8, 9, 25, 28

SOFTWARE VERIFICATION AND VALIDATION PLAN FOR PROM P/N 94095603 GM-AREA MONITOR

Syncor Radiation Management, Document 94095603VVP, 9/11/02, Sheet 1 of 27

Table of Contents

Section  Description  Page

1  Purpose  3
2  Referenced Documents  3
3  Definitions  4
3.1  Definitions  4
3.2  Abbreviations  5
3.3  Acronyms & Notations  6
3.4  Documentation Names  6
4  Verification and Validation Overview  7
4.1  Organization  7
4.2  Master Schedule  9
4.3  Resources Summary  11
4.4  Responsibilities  11
4.5  Tools, Techniques, and Methodologies  12
5  Life-cycle Verification and Validation  13
5.1  Management of V&V  13
5.2  Acquisition Phase of V&V  15
5.3  Planning Phase of V&V  15
5.4  Development Phase of V&V  15
5.4.1  Concept Phase of V&V  15
5.4.2  Requirements Phase of V&V  16
5.4.3  Design Phase of V&V  17
5.4.4  Implementation Phase of V&V  18
5.4.5  Test Phase of V&V  19
5.4.6  Installation and Checkout Phase of V&V  20
5.5  Operation Phase of V&V  21
5.6  Maintenance Phase of V&V  22
6  Software Verification and Validation Reporting  23
6.1  Task Reporting  23
6.2  V&V Phase Summary Report  23
6.3  Anomaly Report  23
6.4  Final Software Verification & Validation Report  23
7  Verification and Validation Administrative Procedures  25
7.1  Anomaly Reporting and Resolution  25
7.2  Task Iteration Policy  25
7.3  Deviation Policy  25
7.4  Control Procedures  25
7.5  Standards, Practices, and Conventions  26
APPENDIX A: List of all documents to be generated under this SVVP  27
ADDENDUM 1: Firmware Flow Chart

PURPOSE

The purpose of this Verification and Validation plan is to develop a series of activities, and their associated inputs and outputs, that will demonstrate that the firmware in the P/N 94095603 EPROM, used in the Victoreen Model 956A Digital G-M Area Monitor Readout manufactured by Syncor Radiation Measurements, meets the monitor's design requirements and exhibits a high degree of reliability.

Note that although the base firmware was developed in the early 1980s, prior to the availability of the current industry software development standards, this V&V plan is intended to demonstrate that the existing firmware is suitable for use in safety related applications.

1 REFERENCE DOCUMENTS

The reference standards used for guiding the preparation of this document and for SV&V implementation are listed below:

1.1 IEEE Std 7-4.3.2-1993, Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations
1.2 IEEE Std 610.12-1990, Glossary of Software Engineering Terminology
1.3 IEEE Std 729-1983, Standard Glossary of Software Engineering Terminology
1.4 IEEE Std 829-1991, Standards for Software Test Documentation
1.5 IEEE Std 830-1993, Recommended Practice for Software Requirements Specifications
1.6 IEEE Std 1012-1996, Standard for Software Verification and Validation Plans
1.7 IEEE Std 1016-1987, Recommended Practice for Software Design Descriptions
1.8 IEEE Std 1074-1991, Standard for Developing Software Life Cycle Processes
1.9 EPRI Std TR-103291-CD, Handbook for Verification and Validation of Digital Systems (12/1998)
1.10 EPRI Std TR-102348, Rev. 1, Guidelines on Licensing Digital Upgrade
1.11 Syncor Radiation Management Quality Assurance Manual, QSP-100, Version 004, Rev. 1/2/02, Implemented 3/14/02
1.12 Syncor Radiation Management Quality Procedure QSP-205, Document Control
1.13 Syncor Radiation Management Quality Procedure QSP-05-05, Engineering Change Notice
2.11 10CFR50, Appendix B, Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants, Jan. 20, 1975
2.12 ANSI/ASME NQA-1-1994, Quality Assurance Program Requirements for Nuclear Facility Applications

2 DEFINITIONS

2.1 Definitions

2.1.1 Acceptance testing - Formal testing conducted to determine whether or not the system satisfies its acceptance criteria and to enable the customer to determine whether or not to accept the system.

2.1.2 Anomaly - Anything observed in operation of the UDR that deviates from expectations based on previously verified software/firmware products or reference documents.

2.1.3 Development team - Team of qualified engineers in charge of applying the software development life cycle.

2.1.4 Developer - Member of the development team.

2.1.5 Firmware - The combination of software and data that reside in read-only memory.

2.1.6 Firmware component - Assembly language module (set of functions).

2.1.7 Hardware - Physical equipment used to process, store, or transmit computer programs and data.

2.1.8 Life-cycle phase - Any period of time during software development or operation that may be characterized by a primary type of activity (such as design or testing) that is being conducted. These phases may overlap one another; for V&V purpose, no phase is concluded until its development products are fully verified.

2.1.9 Safety related firmware - Firmware for the RMS safety related equipment.

2.1.10 Software - Computer programs and data pertaining to the operation of a computer system.

2.1.11 Software/firmware testing - The process of testing an integrated hardware and software/firmware system to verify that the system meets its specified requirements.


2.1.12 Software tools - A computer program used in the development, testing, analysis, or maintenance of a program or its documentation. Examples include CASE software, decompiler, driver, editor, flow charter, monitor, test case generator, or timing analyzer.

2.1.13 Software verification and validation plan - A plan for the conduct of software verification and validation.

2.1.14 SSC - Systems, Structures and Components

2.1.15 Test procedure - Documentation that is part of the test report, specifying a sequence of actions for the execution of a test.

2.1.16 Traceability - The degree to which a relationship is established between two or more products of the development process, especially products having a predecessor-successor or master-subordinate relationship to one another; for example, the degree to which the requirements and design of a given software component match.

2.1.17 Validation - The process of evaluating software/firmware at the end of the software development process to ensure compliance with software requirements.

2.1.18 Validator - Member of the SV&V team who carries out validation.

2.1.19 Verification - The process of determining whether or not the products of a given phase of the software/firmware development cycle fulfill the requirements established during the previous phase.

2.1.20 Verifier - Member of the project team who carries out verification.

2.2 Abbreviations

ANSI - American National Standards Institute
ASCII - American Standard Code for Information Interchange
DOS - Disk Operating System
ECN - Engineering Change Notice
EPROM - Erasable Programmable Read Only Memory
IEEE - Institute of Electrical and Electronics Engineers
PC - Personal Computer
QA - Quality Assurance
RMS - Radiation Monitoring System
SRM - Syncor Radiation Management


SV&V - Software Verification and Validation
UDR - Universal Digital Ratemeter
VVTP - Verification and Validation Test Plan
VVTR - Verification and Validation Test Report
V&V - Verification and Validation

2.3 Acronyms & Notations

PE - Project Engineer
PM - Project Manager
QE - Quality Engineer
QM - Quality Management
RE - Reliability Engineer
SE - Software Engineer
SM - Syncor Management
SRM - Syncor Radiation Management
TT - Test Technician

2.4 Documentation Names

SRS - Software Requirements Specification
SDD - Software Design Description
SVVP - Software V&V Plan
VVTP - Verification and Validation Test Plan
VVTR - Verification and Validation Test Report


3 Verification & Validation Overview

The overall objective of the V&V Plan for the 94095603 firmware is to assure the program promotes a quality and highly reliable product through an independent process of technical review and evaluation. Note the firmware does not contain an operating system, and performs specific functions on a cyclic basis. A flow chart of the firmware operation is provided in Addendum 1.

The embedded and operating system software and associated tools are predeveloped, commonly known as legacy software. Like other predeveloped software, it is important to examine the development history to understand how the software has matured with time into the quality product it is today. When the PROM P/N 94095603 firmware was conceived, there was very little guidance in the way of industry standards on which to base the software development and design. Good programming practices were used based on the objective of producing a highly reliable safety system.

As expressed in SRP (NUREG-0800) Appendix 7.0-A, the use of digital I&C systems presents the concern that minor errors in design and implementation can cause them to exhibit unexpected behavior. To minimize this potential problem, the design qualification of digital systems needs to focus on a high quality development process that incorporates disciplined specification and implementation of design requirements. Potential common mode failures caused by software errors are also a concern. One of the means of protection against common-mode software failures is likewise an emphasis on the quality process.

The PROM P/N 94095603 software was initially developed approximately 15 years ago, evolving into the present day configuration. Within this time frame the product matured to incorporate enhancements and to facilitate improved hardware design. The evolutionary process will be evaluated to ensure that the pre-developed (legacy) software is sufficiently reliable for use in nuclear safety related applications.

3.1 Organization In order to ensure the program supports high quality and reliability, a process of independent technical reviews and evaluations will be performed. The project will be functionally organized under a Project Engineering Manager. The Project Manager will co-ordinate the V&V activities, schedule formal reviews, and document the results of the V&V reviews. The Project Engineering manager may also serve as a member of the V&V review team. A Quality Assurance Engineer will also participate in design reviews to ensure the overall quality of the project is maintained.

The software testing process was strengthened by designating the responsibility for the validation testing to an independent V&V engineer and technician.


An overall project organizational chart is provided below:

Management
- Organization
- Resources
- Follow-up

Qualification
- Quality Assurance
- Quality Control
- V&V Project Team

Development
- Concept Phase
- Design Phase
- Manufacturing Phase

The project organization is described below:

Syncor Management (SM) ---- Quality Management (QM)
|
|-- Project Manager (PM)
    |-- Project Engineer (PE)
    |-- Independent SV&V Engineer (V&V)
    |-- V&V Test Support Technician (V&V)
    |-- Quality Engineer (V&V)

The staff members that will participate in the V&V effort are:

Name          Function                   Team   Resource
J. Hale       Systems Business Manager   SM     SM
Zis Giatis    QA Manager                 QM     QM
Judy Ellis    Software Engineer          V&V    SE
Andy Lasko    Project Manager            PM     PM
Dave Warner   Reliability Engineer       V&V    RE
Dave Smith    Quality Engineer           V&V    QE
George Buck   Test Technician            V&V    TT

The Project Manager will participate in the V&V reviews, and has the authority to resolve issues raised during the V&V.

3.2 Master Schedule The V&V project is presently planned for completion on an expedited basis, over a 3 month period. At the end of the process, a formal SV&V report will be issued. Progress will be reported on a periodic basis, typically monthly.

The SV&V overview shown below summarizes the life-cycle model used for the project. It is based on the sample model defined in IEEE 1012, except as follows:

- For this project, the design phase has been previously completed, but has not been formally documented. This plan is designed to document the firmware that has been designed. The product is presently in the Maintenance phase.

- Installation, checkout, and operation are performed by the user.

Major schedule milestones are listed below:

Complete SRS - Sep. 30, 2002
Complete SDD - Oct. 15, 2002
Complete VVTP - Oct. 30, 2002
Complete VVTR - Nov. 1, 2002

[SV&V life-cycle overview chart, sheet 9 of 27; the figure itself is not recoverable from the scan]

3.3 Resources Summary

Resources available for this project will include:

3.3.1 Project Manager
3.3.2 Project Engineer
3.3.3 Software/Firmware Engineer
3.3.4 Test Technician
3.3.5 Quality Assurance Engineer

In addition to the above, the following equipment will be required:

3.3.6 (1) 956A-201 UDR
3.3.7 (1) Signal Generator
3.3.8 (1) Digital Voltmeter
3.3.9 (1) 94095603 EPROM

3.4 Responsibilities

3.4.1 The SRM Project Manager/Project Engineer is responsible for the implementation of this plan, identifying requirements, resolving problems, and ensuring compliance to the requirements identified by SRM personnel and any subcontractors employed.

3.4.2 The Software Engineer is responsible for reviewing the code, and providing the documents identified in the SV&V Plan. The Software Engineer is also responsible for implementing the V&V tests.

3.4.3 The Test Technician is responsible for assisting the Software Engineer with the V&V tests.

3.4.4 The Quality Assurance Engineer is responsible for reviewing the documents, and ensuring the quality requirements of the SV&V Plan are maintained.


3.5 Tools, Techniques, and Methodologies

The methods used in the V&V process will include review by cognizant engineering personnel, independent verification, and formal reviews.

The tools that will be used for the V&V process are as follows:

Document Preparation:

- Networked PC, Microsoft Word for Windows

- The documentation provided shall be written on a PC using a word processor program; e.g., Microsoft Word or a flat ASCII text editor, or similar. Each page of the document shall have a page header. The page header shall include the document name, part number, revision level and page number.

Target Hardware:

- Model 956A-201 UDR with 94095603 EPROM

- Test Signal Generator

Software Testing:

- American Arium Assembler/Linker

- DOS Based Personal Computer

For this project, Third Party Software is limited to the assembly, emulation, linking and program development tools identified above. The Model 956 firmware is programmed in assembly language, and does not include an operating system.

4 Life-Cycle Verification and Validation

Outputs from phase tasks are used to develop corresponding V&V phase summary reports and are ongoing inputs to the SVVR. Outputs of V&V tasks become inputs to subsequent life-cycle V&V tasks.

5.1 Management of V&V

4.1.1 V&V Tasks, Inputs/Outputs, Resources and Responsibilities

Software Verification and Validation Plan (SVVP) Generation. Generate an SVVP for all life cycle processes. The SVVP may require updating throughout the life cycle. Outputs of other activities are inputs to the SVVP.
  Required Inputs: SVVP (previous update); Contract
  Required Outputs: SVVP and Updates
  Resources/Responsibilities: PM

Baseline Change Assessment. Evaluate proposed software changes (e.g., anomaly corrections and requirement changes) for effects on previously completed V&V tasks. Plan iteration of affected tasks or initiate new tasks to address software baseline changes or iterative development processes. Verify and validate that the change is consistent with system requirements and does not adversely affect requirements directly or indirectly. An adverse effect is a change that could create new system hazards and risks or impact previously resolved hazards and risks.
  Required Inputs: SVVP; Proposed Changes; Risks identified by V&V Tasks; Anomaly Report(s)
  Required Outputs: Updated SVVP; Task Report(s) - Baseline Change Assessment
  Resources/Responsibilities: PM

Management Review of V&V. Review and summarize the V&V effort to define changes to V&V tasks or to redirect the V&V effort. Recommend whether to proceed to the next set of V&V and development life cycle activities, and provide task reports, anomaly reports, and V&V Activity Summary Reports to the organizations identified in the SVVP. Verify that all V&V tasks comply with task requirements defined in the SVVP.
  Required Inputs: SVVP and Updates; Task Report(s); V&V Activity Summary Reports
  Required Outputs: Updated SVVP; Recommendations; Recommendations to the V&V Final Report
  Resources/Responsibilities: PM, SM, QE


4.1.2 Risks

The risks identified to date are:

4.1.2.1 V&V personnel require capabilities and attitudes that differ from those encountered during software development.

Impact: A reduction in the motivation of the verifier/validator may have a negative effect on the quality of the product.

Action: Periodically (each week), a meeting is held between the members of the V&V team and the project manager. This meeting promotes teamwork:

- Each member of the V&V team reports work progress and raises any technical and personal communication problems encountered.

- Events are anticipated before they occur, thus avoiding technical and motivational problems.

4.1.2.2 The projection of the workload involved in the V&V tasks may be incorrect (over- or underestimated, workload not well distributed).

Impact: Adverse effect on schedule.

Action: The periodic monitoring (monthly) detects these shortcomings and defines corrective actions.


4.2 Acquisition Support (Acquisition Process) - Not Required; Customer inputs are specified in purchase documents, and customer review/approval of SVVP, SRS, and SDD will be obtained.

4.3 Planning (Supply Process) - Not Required; See 5.2 above.

4.4 Development Process

4.4.1 Concept Phase of V&V

4.4.1.1 V&V tasks, Inputs/Outputs, Resources and Responsibilities

Concept Documentation Evaluation. Verify that the concept documentation satisfies user needs and is consistent with acquisition needs. Identify major constraints of interfacing systems and constraints or limitations of the proposed approach. Assess criticality of each software item.
  Required Inputs: Concept Documentation; User Needs; Acquisition Needs
  Required Outputs: Task Report - Concept Documentation Evaluation; Anomaly Report(s)
  Resources/Responsibilities: PM, QE, SM, SE

4.4.1.2 Risks

4.4.1.2.1 Product performance may not fully envelope customer requirements.

Impact: Be aware that initial performance may fall short of meeting all customer expectations.

Action: Anomalies will be identified and reviewed with the customer for ultimate disposition.


4.4.2 Requirements Phase of V&V

4.4.2.1 V&V tasks, Inputs/Outputs, Resources and Responsibilities

Traceability Analysis. Trace the software requirements (SRS) to system requirements (Concept Documentation) and system requirements to software requirements. Analyze identified relationships for correctness, consistency, completeness, and accuracy.
  Required Inputs: Concept Documentation; SRS
  Required Outputs: Task Report - Traceability Analysis; Anomaly Report(s)
  Resources/Responsibilities: PM, QE, SM, SE

Software Requirements Evaluation. Evaluate the requirements (e.g., functional, capability, interface, qualification, safety, security, human factors, data definitions, user documentation, installation and acceptance, user operation, and user maintenance) of the SRS for correctness, consistency, completeness, accuracy, readability, and testability.
  Required Inputs: Concept Documentation; SRS
  Required Outputs: Task Report(s) - Software Requirements Evaluation; Anomaly Report(s)
  Resources/Responsibilities: PM, QE, SM, SE

Interface Analysis. Verify and validate that the requirements for software interfaces with hardware, user, operator, and other systems are correct, consistent, complete, accurate, and testable.
  Required Inputs: Concept Documentation; SRS
  Required Outputs: Task Report(s) - Interface Analysis; Anomaly Report(s)
  Resources/Responsibilities: PM, QE, SM, SE

Criticality Analysis. Review and update any existing criticality analysis results from the prior Criticality Task Report using the SRS.
  Required Inputs: SRS
  Required Outputs: Task Report(s) - Criticality; Anomaly Report(s)
  Resources/Responsibilities: PM, QE, SM, SE

System V&V Test Plan Generation and Verification (for Software Integrity Levels 1 and 2). Verify that the developer's System Test Plans conform to Project defined test document purpose, format, and content (e.g., see IEEE Std 829-1991). Validate that the System Test Plan satisfies the following criteria: 1) test coverage of system requirements; 2) appropriateness of test methods and standards used; 3) conformance to expected results; 4) feasibility of system qualification testing; and 5) capability to be operated and maintained.
  Required Inputs: Concept Documentation (System requirements); SRS; User Documentation; System Test Plan
  Required Outputs: System V&V Test Plan; Anomaly Report(s)
  Resources/Responsibilities: PM, QE, SM, SE

4.4.2.2 Risks: Not applicable

4.4.3 Design Phase of V&V

4.4.3.1 V&V tasks, Inputs/Outputs, Resources and Responsibilities

Traceability Analysis. Trace design elements (SDD) to requirements (SRS), and requirements to design elements. Analyze relationships for correctness, consistency, and completeness.
  Required Inputs: SRS; SDD
  Required Outputs: Task Report(s) - Traceability Analysis; Anomaly Report(s)
  Resources/Responsibilities: PM, QE, SM, SE

Software Design Evaluation. Evaluate the design elements (SDD) for correctness, consistency, completeness, accuracy, readability, and testability.
  Required Inputs: SRS; SDD; Design Standards (e.g., standards, practices, and conventions)
  Required Outputs: Task Report(s) - Software Design Evaluation; Anomaly Report(s)
  Resources/Responsibilities: PM, QE, SM, SE

Interface Analysis. Verify and validate that the software design interfaces with hardware, user, operator, software, and other systems for correctness, consistency, completeness, accuracy, and testability.
  Required Inputs: Concept Documentation (System requirements); SRS; SDD
  Required Outputs: Task Report(s) - Interface Analysis; Anomaly Report(s)
  Resources/Responsibilities: PM, QE, SM, SE

V&V Test Design Generation and Verification. 1) system testing; and 2) acceptance testing. Continue tracing required by the V&V Test Plan. Verify that the V&V Test Designs comply with Project defined test document purpose, format, and content (e.g., see IEEE Std 829-1991). Validate that the V&V Test Designs satisfy the criteria in V&V tasks.
  Required Inputs: SDD; User Documentation; Test Plans; Test Designs
  Required Outputs: System V&V Test Design(s); Acceptance V&V Test Design(s); Anomaly Report(s)
  Resources/Responsibilities: PM, QE, SM, SE

4.4.3.2 Risks: Not applicable

4.4.4 Implementation Phase of V&V

4.4.4.1 V&V tasks, Inputs/Outputs, Resources and Responsibilities

The code will be reviewed for conventional indenting and formatting. File headers, which include the file name, the author, a description/purpose, definition of variables, sub-routines called, and the modification history, will be used for module modifications.

Traceability Analysis. Trace the source code components to the corresponding design specification(s), and design specification(s) to source code components. Analyze identified relationships for correctness, consistency, and completeness.
  Required Inputs: SDD; Source Code
  Required Outputs: Task Report(s) - Traceability Analysis; Anomaly Report(s)
  Resources/Responsibilities: PM, QE, SM, SE

Source Code and Source Code Documentation Evaluation. Evaluate the source code components (source documentation) for correctness, consistency, completeness, accuracy, readability, and testability.
  Required Inputs: Source Code; SDD; Coding Standards; User Documentation
  Required Outputs: Task Report(s) - Source Code and Source Code Documentation Evaluation; Anomaly Report(s)
  Resources/Responsibilities: PM, QE, SM, SE

Interface Analysis. Verify and validate that the software source code interfaces with hardware, user, operator, software, and other systems for correctness, consistency, completeness, accuracy, and testability.
  Required Inputs: Concept Documentation; SDD; Source Code; User Documentation
  Required Outputs: Task Report(s) - Interface Analysis; Anomaly Report(s)
  Resources/Responsibilities: PM, QE, SM, SE

V&V Test Case Generation and Verification. Verify that the developer's Test Cases conform to Project defined test document purpose, format, and content. Validate that the developer's Test Cases satisfy the criteria for system and acceptance testing.
  Required Inputs: SRS; SDD; User Documentation; Test Design; Test Cases
  Required Outputs: System V&V Test Cases; Acceptance V&V Test Cases; Anomaly Report(s)
  Resources/Responsibilities: PM, QE, SM, SE

V&V Test Procedure Generation and Verification. Verify that the developer's Test Procedures conform to Project defined test document purpose, format, and content. Validate that the developer's Test Procedures satisfy the criteria in V&V tasks for system and acceptance testing.
  Required Inputs: SRS; SDD; User Documentation; Test Cases; Test Procedures
  Required Outputs: System V&V Test Procedures; Anomaly Report(s)
  Resources/Responsibilities: PM, QE, SM, SE

Hazard Analysis. Verify that the implementation and associated data elements correctly implement the critical requirements and introduce no new hazards. Update the hazard analysis.
  Required Inputs: Source Code; SDD; Hazard Analysis Report
  Required Outputs: Task Report(s) - Hazard Analysis; Anomaly Report(s)
  Resources/Responsibilities: PM, QE, SM, SE

Risk Analysis. Review and update risk analysis using prior reports. Provide recommendations to eliminate, reduce or mitigate the risks.
  Required Inputs: Source Code; Hazard Analysis Report; V&V task results
  Required Outputs: Task Report(s) - Risk Analysis; Anomaly Report(s)
  Resources/Responsibilities: PM, QE, SM, SE
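The Traceability Analysis task recurs in the requirements, design and implementation phases above, each time as the same two-way check: every lower-level element must trace to something above it, and every upper-level item must be implemented below. The following C program is an added example of that check, not part of this SVVP or the Model 956 project. The requirement ids (SRS-001 ...), design-element ids (SDD-A ...) and the link table are constructed sample data, not the Ginna SRS or SDD; the same routine applies unchanged to an SDD-to-source-code matrix.

```c
/* Added example, not part of the SVVP or the Model 956 project: a bidirectional
 * traceability check of the kind the Traceability Analysis tasks call for.
 * The requirement ids, design-element ids and link table are constructed
 * sample data (hypothetical), not the Ginna SRS/SDD. */
#include <stdio.h>
#include <string.h>

#define MAX_ITEMS 16

/* Constructed sample identifiers. */
static const char *requirements[]    = { "SRS-001", "SRS-002", "SRS-003", "SRS-004" };
static const char *design_elements[] = { "SDD-A", "SDD-B", "SDD-C", "SDD-D" };
#define N_REQ (sizeof requirements / sizeof requirements[0])
#define N_SDD (sizeof design_elements / sizeof design_elements[0])

/* One row of the trace matrix: design element `design` implements requirement `req`. */
struct link { const char *req; const char *design; };

/* Constructed trace matrix. SRS-004 is never implemented (forward gap) and
 * SDD-D cites no requirement (orphan design element). */
static const struct link links[] = {
    { "SRS-001", "SDD-A" },
    { "SRS-002", "SDD-A" },
    { "SRS-002", "SDD-B" },
    { "SRS-003", "SDD-C" },
};
#define N_LINKS (sizeof links / sizeof links[0])

static int in_list(const char *id, const char *const *list, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(id, list[i]) == 0) return 1;
    return 0;
}

/* Correctness: a link may only reference ids that exist in the SRS and SDD. */
int link_is_known(const char *req, const char *design) {
    return in_list(req, requirements, N_REQ) && in_list(design, design_elements, N_SDD);
}

/* Completeness, forward: requirements with no design element. Untraced ids
 * are written to `out` (up to `max`); returns how many were found. */
int untraced_requirements(const char **out, int max) {
    int found = 0;
    for (size_t r = 0; r < N_REQ; r++) {
        int covered = 0;
        for (size_t l = 0; l < N_LINKS; l++)
            if (strcmp(links[l].req, requirements[r]) == 0) covered = 1;
        if (!covered && found < max) out[found++] = requirements[r];
    }
    return found;
}

/* Completeness, backward: design elements that implement no requirement. */
int orphan_design_elements(const char **out, int max) {
    int found = 0;
    for (size_t d = 0; d < N_SDD; d++) {
        int cited = 0;
        for (size_t l = 0; l < N_LINKS; l++)
            if (strcmp(links[l].design, design_elements[d]) == 0) cited = 1;
        if (!cited && found < max) out[found++] = design_elements[d];
    }
    return found;
}

int main(void) {
    const char *ids[MAX_ITEMS];
    int n = untraced_requirements(ids, MAX_ITEMS);
    for (int i = 0; i < n; i++)
        printf("ANOMALY: requirement %s has no design element\n", ids[i]);
    n = orphan_design_elements(ids, MAX_ITEMS);
    for (int i = 0; i < n; i++)
        printf("ANOMALY: design element %s traces to no requirement\n", ids[i]);
    for (size_t l = 0; l < N_LINKS; l++)
        if (!link_is_known(links[l].req, links[l].design))
            printf("ANOMALY: link %s -> %s references an unknown id\n",
                   links[l].req, links[l].design);
    return 0;
}
```

Each finding the program prints corresponds to one Anomaly Report in the task's output column: a forward gap means a requirement the design does not satisfy, an orphan design element means unreviewed behaviour with no requirement to test it against, and an unknown id means the matrix itself is inconsistent with the documents it claims to trace.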

4.4.4.2 Risks: Not Applicable

4.4.5 Test Phase of V&V

4.4.5.1 V&V tasks, Inputs/Outputs, Resources and Responsibilities

Traceability Analysis. Analyze relationships in the V&V Test Plans, Designs, Cases, and Procedures for correctness and completeness. For correctness, verify that there is a valid relationship between the V&V Test Plans, Designs, Cases, and Procedures. For completeness, verify that all V&V Test Procedures are traceable to the V&V Test Plans.
  Required Inputs: V&V Test Plans; V&V Test Designs; V&V Test Procedures
  Required Outputs: Task Report(s) - Traceability Analysis; Anomaly Report(s)
  Resources/Responsibilities: PM, QE, SM, SE

Acceptance V&V Test Procedure Generation and Verification. Verify that the developer's Acceptance Test Procedures conform to Project defined test document purpose, format, and content.
  Required Inputs: SDD; Source Code; User Documentation; Acceptance Test Plan; Acceptance Test Procedures
  Required Outputs: Acceptance V&V Test Procedures; Anomaly Report(s)
  Resources/Responsibilities: PM, QE, SM, SE, RE

System V&V Test Execution and Verification. Use the developer's system test results to verify that the software satisfies the test acceptance criteria.
  Required Inputs: Source Code; Executable Code; User Documentation; Acceptance Test Plan; Acceptance Test Procedures; Acceptance Test Results
  Required Outputs: Test Report(s) - Test Results; Anomaly Report(s)
  Resources/Responsibilities: PM, QE, SM, SE, RE, TT

Hazard Analysis. Verify that the test instrumentation does not introduce new hazards. Update the hazard analysis.
  Required Inputs: Source Code; Executable Code; Test Results; Hazard Analysis Report
  Required Outputs: Task Report(s) - Hazard Analysis; Anomaly Report(s)
  Resources/Responsibilities: PM, QE, SM, SE

Risk Analysis. Review and update risk analysis using prior task reports. Provide recommendations to eliminate, reduce, or mitigate the risks.
  Required Inputs: Hazard Analysis Report; V&V task results
  Required Outputs: Task Report(s) - Risk Analysis; Anomaly Report(s)
  Resources/Responsibilities: PM, QE, SM, SE

4.4.5.2 Risks: Not Applicable

4.4.6 Installation and Checkout Phase of V&V

4.4.6.1 V&V tasks, Inputs/Outputs, Resources and Responsibilities

Installation Configuration Audit. Verify that all software products required to correctly install and operate the software are present in the installation package. Validate that all site-dependent parameters or conditions to verify supplied values are correct.
  Required Inputs: Installation Package (e.g., Source Code, Executable Code, User Documentation, SDD, SRS, Concept Documentation, Installation Procedures, site-specific parameters, Installation Tests, and Configuration Management Data)
  Required Outputs: Task Report(s) - Installation Configuration Audit; Anomaly Report(s)
  Resources/Responsibilities: PM, QE, SM, SE

Installation Checkout. Conduct analyses or tests to verify that the installed software corresponds to the software subjected to V&V. Verify that the software code and databases initialize, execute, and terminate as specified. In the transition from one version of software to the next, the V&V effort shall validate that the software can be removed from the system without affecting the functionality of the remaining system components. The V&V effort shall verify the requirements for continuous operation and service during transition, including user notification.
  Required Inputs: User Documentation; Installation Package
  Required Outputs: Task Report(s) - Installation Checkout; Anomaly Report(s)
  Resources/Responsibilities: PM, QE, SM, SE

Hazard Analysis. Verify that the installation procedures and installation environment do not introduce new hazards. Update the hazard analysis.
  Required Inputs: Installation Package; Hazard Analysis Report
  Required Outputs: Task Report(s) - Hazard Analysis; Anomaly Report(s)
  Resources/Responsibilities: PM, QE, SM, SE

Risk Analysis. Review and update risk analysis using prior task reports.
  Required Inputs: Installation Package; Supplier Development Plans and Schedules; V&V Task Results
  Required Outputs: Task Report(s) - Risk Analysis; Anomaly Report(s)
  Resources/Responsibilities: PM, QE, SM, SE

V&V Final Report Generation. Summarize in the V&V final report the V&V activities, tasks and results, including status and disposition of anomalies.
  Required Inputs: V&V Activity Summary Report(s); Anomaly Report(s)
  Required Outputs: V&V Final Report
  Resources/Responsibilities: PM, QE, SM, SE

4.4.6.2 Risks: Not Applicable

4.5 Operation Phase of V&V

4.5.1 V&V tasks, Inputs/Outputs, Resources and Responsibilities

Evaluation of New Constraints. Evaluate new constraints (e.g., operational requirements, platform characteristics, operating environment) on the system or software requirements to verify the applicability of the SVVP. Software changes are maintenance activities (see 5.6.1).
  Required Inputs: SVVP; New constraints
  Required Outputs: Task Report(s) - Evaluation of New Constraints
  Resources/Responsibilities: PM, QE, SM, SE

Proposed Change Assessment. Assess proposed changes (e.g., modifications, enhancements, or additions) to determine the effect of the changes on the system. Determine the extent to which V&V tasks would be iterated.
  Required Inputs: Proposed Changes; Installation Package
  Required Outputs: Task Report(s) - Proposed Change Assessment
  Resources/Responsibilities: PM, QE, SM, SE

Operating Procedures Evaluation. Verify that the operating procedures are consistent with the user documentation and conform to the system requirements.
  Required Inputs: Operating Procedures; User Documentation; Concept Documentation
  Required Outputs: Task Report(s) - Operating Procedures Evaluation; Anomaly Report(s)
  Resources/Responsibilities: PM, QE, SM, SE

Hazard Analysis. Verify that the operating procedures and operational environment do not introduce new hazards. Update the hazard analysis.
  Required Inputs: Operating Procedures; Hazard Analysis Report
  Required Outputs: Task Report(s) - Hazard Analysis; Anomaly Report(s)
  Resources/Responsibilities: PM, QE, SM, SE

Risk Analysis. Review and update risk analysis using prior task reports. Provide recommendations to eliminate, reduce, or mitigate the risks.
  Required Inputs: Installation Package; Proposed Changes; Hazard Analysis Report; Supplier Development Plans and Schedules; Operation problem reports; V&V task results
  Required Outputs: Task Report(s) - Risk Analysis; Anomaly Report(s)
  Resources/Responsibilities: PM, QE, SM, SE

Installation and Operation. These tasks are assigned to Syncor Radiation Management.
  Required Inputs: Installation Package, Concept Documentation, SRS, Source Code Listings, Executable Code, User Documentation, SVVP, SVVR
  Required Outputs: Anomaly Report
  Resources/Responsibilities: PM, QE, SM, SE, QM

4.5.1.1 Risks: Not Applicable

4.6 Maintenance Phase of V&V

4.6.1 V&V tasks, Inputs/Outputs, Resources and Responsibilities

4.6.1.1 During the maintenance phase, the developers may be assigned to other projects and may not be readily available to assist.

Impact: Lack of resources for immediate response to problems.

Action: Plan that resources familiar with the development be available to complete the maintenance phase work.

SVVP Revision. Revise the SVVP to comply with approved changes.
  Required Inputs: SVVP; Approved Changes; Installation Package
  Required Outputs: Updated SVVP
  Resources/Responsibilities: PM, QE, SM, SE

Proposed Change Assessment. Assess proposed changes (e.g., modifications, enhancements, or additions) to determine the effect of the changes on the system. Determine the extent to which V&V tasks would be iterated.
  Required Inputs: Proposed Changes; Installation Package
  Required Outputs: Task Report(s) - Proposed Change Assessment
  Resources/Responsibilities: PM, QE, SM, SE

Anomaly Evaluation. Evaluate the effect of software operation anomalies.
  Required Inputs: Anomaly Report(s)
  Required Outputs: Task Report(s) - Anomaly Reports
  Resources/Responsibilities: PM, QE, SM, SE

Retirement Assessment. For software retirement, assess whether the installation package addresses: software support, impact on existing systems, software archiving, transition to a new software product, and user notification.
  Required Inputs: Installation Package; Approved Changes
  Required Outputs: Task Report(s) - Retirement Assessment; Anomaly Report(s)
  Resources/Responsibilities: PM, QE, SM, SE

Hazard Analysis. Verify that software modifications correctly implement the critical requirements and introduce no new hazards. Update the hazard analysis.
  Required Inputs: Proposed Changes; Installation Package; Hazard Analysis Report; Anomaly Report
  Required Outputs: Task Report(s) - Hazard Analysis
  Resources/Responsibilities: PM, QE, SM, SE

Risk Analysis. Review and update risk analysis using prior task reports. Provide recommendations to eliminate, reduce, or mitigate the risks.
  Required Inputs: Installation Package; Proposed Changes; Hazard Analysis Report; Supplier Development Plans and Schedules; Operation problem reports; V&V task results
  Required Outputs: Task Report(s) - Risk Analysis; Anomaly Report(s)
  Resources/Responsibilities: PM, QE, SM, SE

5 Software Verification and Validation Reporting

This section describes how the results of implementing the Plan will be documented.

5.1 Task Reporting

A report of each of the Tasks/Sub-tasks performed in the SVVP shall be developed and issued as they are completed. Listed below are the different reports to be generated.

Management: Progress reporting and internal notes
Documentation Evaluation: Documentation checking forms with review reports
Software/Firmware Testing: Software test report
Acceptance Testing: Acceptance Test Report
Others: Meeting reports or internal notes

5.2 V&V Phase Summary Report

A Phase Summary Report shall summarize the results of V&V tasks performed in each of the following life-cycle phases: Requirements, Design, Implementation and Test.

Each V&V Phase Summary Report shall contain the following:

5.2.1 Description of SV&V tasks performed
5.2.2 Summary of test results
5.2.3 Summary of anomalies and resolutions
5.2.4 Recommendations

5.3 Anomaly Report

An anomaly report shall document each anomaly detected in the SV&V. The report content and administrative controls are provided in 7.1.

5.4 Final Software Verification and Validation Report

The final report shall include a summary of the V&V activities and results. Deviation from the SV&V plan will be noted. Both positive and negative findings will be reported.

Based on the results of the V&V, a conclusion and recommendations for further actions will be provided.


The format of the final report will be as follows:

Summary of each phase, to include:

5.4.1 Task results
5.4.2 Anomalies
5.4.3 Anomaly Resolution
5.4.4 Overall Quality Assessment
5.4.5 Conclusions
5.4.6 Recommendations

6 Verification and Validation Administrative Procedures

6.1 Anomaly Reporting and Resolution

As identified, anomalies will be written up and forwarded to the PM for logging. Each anomaly will be sequentially numbered by the PM.

Each anomaly will be presented to the review team for discussion and resolution. If mutual agreement cannot be reached, the PM will resolve the anomaly, and the process is completed. Based on the severity of the anomaly, the originator may stop work and request an immediate review meeting. Otherwise, the anomaly will be reviewed at the completion of the current V&V task or phase.

6.2 Task Iteration Policy

A change request regarding a version results in the following processing with respect to the SV&V life cycle:

6.2.1 Analysis of the impact of the change (identification of items involved and the degree of the modification)
6.2.2 Repetition of the V&V cycle on items which change, in order to check that the modifications have been taken into account in version n+1

6.3 Deviation Policy

When a deviation from the SVVP is identified, generation of an ECN, as described in QSP 05-08, will be required.

6.4 Control Procedures

All documents produced under the V&V program will be controlled and stored as any other engineering document, as described in QSP-05-08.

SRM classifies firmware as a drawing and therefore follows SRM QSP-205 and QSP 05-08, Engineering/Document Change Notice Procedure, for its control. To this extent, the problem is documented using the Engineering Change Notice (ECN) procedure and sent to the Project Manager. Upon evaluation, the ECN will: 1) be approved and implemented; 2) be forwarded to the appropriate department for further action; or 3) be returned with an explanation. Upon resolving the problem, the applicable documentation will be revised, and the corrected firmware will be released using the Engineering Change Notice (ECN).

Problems relating to monitor operation must be formally directed to the cognizant project engineer or Project Manager in the form of a field problem report. The format of the field problem report is not critical; however, sufficient information (i.e., tag number, description of problem, operating mode, results observed, etc.) must be provided to permit the problem to be reproduced. The project engineer, or manager, will be responsible for resolving the problem report and, if required, initiating an internal ECN (per QSP 08) to revise the applicable firmware and documentation as required in this SVVP. Testing of revised firmware will be performed on hardware similar to that originally tested on.


Repetition of the affected portion of the V&V program will be required for any change affecting software that has been formally subjected to a V&V program.

6.5 Standards, Practices, and Conventions

Refer to Section 4.0.

APPENDIX A: List of all documents to be generated under this SVVP

Document Number - Description:

94095603SDD - Software Design Description
94095603SRS - Software Requirements Specification
94095603VVTP - Verification and Validation Test Procedure
94095603VVTR - Verification and Validation Test Report


ADDENDUM 1 - Firmware Flowchart, Page 1 of 3 pages, SOFTWARE VERIFICATION AND VALIDATION PLAN, 94095603

[Firmware flowchart, 3 pages. The flowchart graphics are not recoverable from the scan.]

Victoreen Model 94X UDR Product Information Bulletin

MODEL 94X DIGITAL RATEMETER PRODUCT INFORMATION BULLETIN

Subject: Firmware Verification and Validation

The Victoreen 94X Series Digital Ratemeters were originally designed in 1984, for the purpose of upgrading the 1960s vintage Analog Ratemeters that were then being used in the nuclear power industry. Since its introduction, well over 1000 units have been successfully installed and are in operation on a daily basis.

The 94X Series Digital Ratemeter (UDR) is a microprocessor based device, whose operation is controlled by the installed firmware. The basic functions of the Digital Ratemeter are to convert the input pulses from the detector into a digital value, and to compare this value with an operator entered alarm setpoint. When the alarm setpoint is exceeded, a relay, operated in the fail-safe mode, changes state, advising plant personnel that a significant change in radiation level has occurred. The relay contact output may be interlocked with a plant annunciator or a process control interlock.

At the time of the Digital Ratemeter's initial design, formal firmware verification and validation (V&V) requirements were not in widespread use in the industry. Formal V&V documentation, therefore, does not exist for this device. The basic firmware itself, however, has been in use since 1985, and has been an extremely reliable product for Victoreen's customers. We believe the large installed base of UDR radiation monitors is sufficient to justify an exemption to formal V&V documentation. The actual firmware installed in each Digital Ratemeter, including changes, is controlled and verified as follows:


* All firmware/software releases and changes are controlled under Engineering Instruction EI001. This document controls the following items:

  Final Product Master Set: Media required to produce copies of the firmware/software for shipment.

  Source Files: Files and data required to reproduce the Final Product Master Set.

  Software Control Document: Provides information necessary to modify or reproduce the Final Product Master Set. Includes information on editors, compilers, development system, assemblers, linkers, etc. used in developing the master set. A revision history summary is now also required.

  Preparation of a second Final Product Master Set for off-site storage.

  Part Numbering Format: Defines the firmware/software as a document, and imposes generic document review and change control measures.

* All firmware changes are controlled under our generic Document Control Procedure, S.O.P. 410.307. This requires definition of changes and review by Engineering and Quality Assurance.

* All firmware operated products are subjected to a functional test prior to shipment by an independent Test Department.

* All customer specific firmware changes are identified and controlled by the assignment of a unique part number. Specific test procedures are prepared to verify the change requested has been properly implemented.

The firmware in the UDR does not contain a sophisticated operating system.

Its operation is a basic clock-controlled loop, repeating once each second. That is, from the main loop program, the firmware jumps to a specific series of program subroutines. In the event the firmware does not complete all of the subroutines (up to 31) and return to the main loop, the hardware "Watchdog" timer will time out, illuminating the FAIL lamp, and de-energizing the FAIL relay.
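The bulletin's description of the UDR firmware (pulses in, rate out, compare against a setpoint, fail-safe relay, one-second loop guarded by a hardware watchdog) is the kind of thing a V&V reviewer wants to see as an explicit model before tracing it against the assembly source. The C program below is an added example written for that purpose; it is not Victoreen or Syncor code and not the Model 956 firmware. The struct fields, function names, subroutine timings, pulse counts and the 100 cps setpoint are constructed for the example, and WATCHDOG_TIMEOUT_MS is an assumed figure rather than the real hardware value.

```c
/* Added example, not Victoreen or Syncor code: a C model of the one-second,
 * clock-controlled main loop the bulletin describes, with the alarm relay in
 * fail-safe sense and a hardware watchdog that trips if the subroutine chain
 * does not return to the main loop. Pulse counts, subroutine costs and the
 * setpoint are constructed; WATCHDOG_TIMEOUT_MS is an assumed figure, not the
 * UDR's actual hardware value. */
#include <stdio.h>

#define MAX_SUBROUTINES 31       /* the bulletin: "up to 31" subroutines per pass */
#define LOOP_PERIOD_MS 1000      /* the main loop repeats once each second */
#define WATCHDOG_TIMEOUT_MS 1500 /* assumed; must exceed one normal loop pass */

struct udr {
    unsigned pulses;            /* detector pulses counted over the last period */
    unsigned cps;               /* computed rate, counts per second */
    unsigned setpoint_cps;      /* operator-entered alarm setpoint */
    int alarm_relay_energized;  /* fail-safe: energized = no alarm; drops on alarm or power loss */
    int fail_relay_energized;   /* fail-safe: energized = firmware healthy */
    int fail_lamp;              /* lit once the watchdog has timed out */
    unsigned wd_elapsed_ms;     /* time consumed since the watchdog was last serviced */
};

/* Each subroutine does its work and returns the milliseconds it consumed
 * (constructed figures) so the loop can drive the watchdog model. */
typedef unsigned (*subroutine)(struct udr *u);

static unsigned sub_read_counter(struct udr *u) { (void)u; return 5; } /* latch the pulse counter */
static unsigned sub_compute_rate(struct udr *u) {
    u->cps = u->pulses * 1000u / LOOP_PERIOD_MS;  /* pulses per one-second window */
    return 10;
}
static unsigned sub_compare_setpoint(struct udr *u) {
    /* Fail-safe sense: the relay is held energized while the rate is at or below
     * the setpoint, so an alarm and a loss of power both read as "relay dropped". */
    u->alarm_relay_energized = (u->cps <= u->setpoint_cps);
    return 5;
}
/* Constructed fault for the demonstration: a subroutine that never returns in time. */
static unsigned sub_hung(struct udr *u) { (void)u; return 2 * WATCHDOG_TIMEOUT_MS; }

struct udr udr_init(unsigned setpoint_cps) {
    struct udr u = {0};
    u.setpoint_cps = setpoint_cps;
    u.alarm_relay_energized = 1;   /* power up with both relays in the healthy state */
    u.fail_relay_energized = 1;
    return u;
}

/* One pass of the main loop over `table` (at most MAX_SUBROUTINES entries).
 * Returns 1 if control returned to the main loop and the watchdog was serviced,
 * 0 if the watchdog timed out first (FAIL lamp lit, FAIL relay de-energized). */
int run_loop_pass(struct udr *u, const subroutine *table, int n) {
    if (n > MAX_SUBROUTINES) n = MAX_SUBROUTINES;
    for (int i = 0; i < n; i++) {
        u->wd_elapsed_ms += table[i](u);
        if (u->wd_elapsed_ms >= WATCHDOG_TIMEOUT_MS) {
            u->fail_lamp = 1;
            u->fail_relay_energized = 0;
            return 0;
        }
    }
    u->wd_elapsed_ms = 0;          /* back in the main loop: strobe the watchdog */
    u->fail_relay_energized = 1;
    return 1;
}

int main(void) {
    const subroutine normal[] = { sub_read_counter, sub_compute_rate, sub_compare_setpoint };
    const subroutine faulty[] = { sub_read_counter, sub_hung, sub_compute_rate };
    struct udr u = udr_init(100);  /* constructed setpoint: 100 cps */

    u.pulses = 50;  run_loop_pass(&u, normal, 3);
    printf("cps=%u alarm_relay=%d fail_relay=%d\n", u.cps, u.alarm_relay_energized, u.fail_relay_energized);
    u.pulses = 250; run_loop_pass(&u, normal, 3);
    printf("cps=%u alarm_relay=%d fail_relay=%d\n", u.cps, u.alarm_relay_energized, u.fail_relay_energized);

    struct udr v = udr_init(100);
    int ok = run_loop_pass(&v, faulty, 3);
    printf("faulty pass ok=%d fail_lamp=%d fail_relay=%d\n", ok, v.fail_lamp, v.fail_relay_energized);
    return 0;
}
```

Two properties of the design are visible in the model and are what a reviewer would check in the real firmware: the alarm relay is de-energized to signal, so a dead monitor and a real alarm look the same to the annunciator, and the watchdog is serviced only from the main loop, so any subroutine that hangs is converted into a FAIL indication rather than a silently stale reading.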
