993754-1-911(NP), Revision 1, Software Safety Plan (Ssp).

ML11319A071
Person / Time
Site:	Diablo Canyon
Issue date:	10/13/2011
From:	Nguyen H Invensys Operations Management, Invensys/Triconex
To:	Office of New Reactors
References
3500897372 993754-1-911(NP), Rev 1
Download: ML11319A071 (47)
v • d • e

Text

in v'e. n s'.y s" in vNe. ns.o s-Operations Management Triconex Project: PG&E PROCESS PROTECTION SYSTEM REPLACEMENT Purchase Order No.: 3500897372 Project Sales Order: 993754 PACIFIC GAS & ELECTRIC COMPANY NUCLEAR SAFETY-RELATED PROCESS PROTECTION SYSTEM REPLACEMENT DIABLO CANYON POWER PLANT SOFTWARE SAFETY PLAN (SSP)

Document No. 993754-1-911 (-NP)

Revision 1 October 13, 2011 Non -Proprietary copy per I OCFR2.390

- Areas of Invensys Operations Management proprietary information, marked as [P], have been redacted based on IOCFR2.390(a)(4).

Name Sign ture Title Author: Hoan Nguyen o1t4

• IV&V Engineer Reviewer: Son Phan q__ A ----- IV&V Engineer Approval: Kevin Vu IV&V Manager

in V'e. ns- .ýl s" in Ve. s'.j s" Operations Management Triconex i Document: I 993754-1-911 I

Title:

I Software Safety Plan Revision: I Page: 2 of 47 Date: 10/13/11 I Document Change History Revision Date Change Author 0 08/17/11 Initial Release Hoan Nguyen 1 10/13/11 Organization chart was removed from Section 3.1 Hoan Nguyen

i n v . e. n s'.ýj s* nV e.n s-Operations Management Triconex I Document: 993754-1-911

Title:

Software Safe!z Plan I Revision: I Paize: 1 3 of 47 Date: 1 10/13/11 I Table of Contents L IST O F T A B L E S ................................................................................................... 4 L IST O F FIG U R E S ................................................................................................. 5

1. P U R P O SE ....................................................................................................... 6 1.1 Scope .................................................................................... 7

2. DEFINITIONS, ACRONYMS, ABBREVIATIONS, AND R E F E R E N C E S ............................................................................................ 10 2.1 Abbreviations and Acronyms ............................................................................ 10 2.2 Definitions ........................................................................................... 11 2.3 References ........................................................................................... 12

3. SOFTWARE SAFETY MANAGEMENT ................................................ 14 3.1 Organization and Responsibilities ......................................................................... 14 3.2 Resources ............................................................................................ 16 3.3 Staff Qualifications and Training ................................................................. 19 3.4 Software Life Cycle .................................................................................... 21 3.5 Documentation Requirements ............................................................................ 25 3.6 Software Safety Program Records ......................................................................... 28 3.7 Software Configuration M anagement Activities ............................................................. 31 3.8 Software Quality Assurance Activities ..................................................................... 33 3.9 Software Verification and Validation Activities .............................................................. 33 3.10 Tool Support and Approval .............................................................................. 34 3.11 Previously Developed or Purchased Software ................................................................ 36 3.12 Subcontract M anagement ............................................................................... ..7 3.13 Process Certification ................................................................................... 37

4. SOFTWARE SAFETY ANALYSES ......................................................... 40 4.1 Software Safety Analyses Preparation ...................................................................... 40 4.2 Software Safety Requirements Analysis .................................................................... 40 4.3 Software Safety Design Analysis ......................................................................... 41 4.4 Code Safety Analysis ................................................................................... 42 4.5 Software Safety Test Analysis ............................................................................ 43 4.6 Software Safety Change Analysis ......................................................................... 43

5. POST DEVELOPM ENT ............................................................................ 46 5.1 Training ............................................................................................. 46 5.2 Deployment .......................................................................................... 46 5.3 Monitoring ........................................................................................... 46 5.4 Maintenance ......................................................................................... 46 5.5 Retirement and Notification ............................................................................. 46

6. PLAN APPROVAL ..................................................................................... 47

in V'e. ns-.4 S" in V e n s'.t s Operations Management Triconex Document: 993754-1-911

Title:

I Software Saferz Plan Revision: I I Paee: 1 4 of 47 I Date: I 10/13/11 I List of Tables Table 1. O rganizational Responsibilities and Relationships .................................... .................................. 14 Table 2. Docum entation Requirem ents & D eviations ............................................................................ 25 Table 3. Softw are Safety M etrics ................................................................................................................ 30 Table 4. Softw are Configuration M anagem ent A ctivities ...................................................................... 31 Table 5. Project Tool Sum m ary .................................................................................................................. 34 Table 6. Process Certification M ethods .................................................................................................. 37

inV'2. n s'.*I s" i n V e. n s .,j s Operations Management Triconex Document: 993754-1-911

Title:

Software Safe4 Plan s'.u s" I!

i q Ve.n Revision: I j Page: 5 of 47 Date: I Triconex 10/13/11 Ii L ist of Figures Figure 1. Software Safety Scope ................................................................................................................... 8

in v e. n s".9 s- n n s.

Operations Management Triconex Document: I 993754-1-911 I

Title:

I Software Safety Plan Revision: I Page: 6 of 47 Date: 10/13/11

1. Purpose This Software Safety Plan (SSP or Plan) addresses software safety concerns during the development of application software for the four Protection Sets of the Diablo Canyon Power Plant (DCPP) Process Protection System (PPS). The SSP will address the process and activities intended to improve software safety throughout the PPS software development lifecycle.

The software safety plan for the Diablo Canyon PPS Replacement is written based on the guidance provided by ISG-6, IEEE Std 1228-1994 and NUREG/CR-6101.

Role of software in PPS and its impacts on the operation of the system:

1) The PPS consists of four Protection Sets, each set comprising an Invensys Tricon portion, Westinghouse ALS portion, and Maintenance Workstation. The Invensys Tricon portion includes three VI0 Tricon chassis (one safety-related Main Chassis, one safety-related Remote Expansion (RXM) Chassis, and one nonsafety-related RXM chassis). T he Tricon VI0 Protection Set application software is rated Software Integrity Level (SIL) 4, per IEEE Standard 1012 Annex B.

The replacement PPS application software is assigned Software Integrity Level (SIL) 4

[IEEE 1012-1998 Reference 3.1.4] because it is directly associated with nuclear-safety-related Reactor Trip and Engineered Safety Features functions [Reference 2.3.1.2].

2) In the normal plant operation, Invensys Tricon portion of each Protection Set performs the following fundamental functions:

a. Acquiring input data from instrumentation sensors monitoring the status of Diablo Canyon nuclear power plant variables such as temperature, pressure, and level.

b. Comparing the plant variables against setpoints.

c. Sending trip signals to the plant protection system if operating limits are exceeded and other output to the recorder, alarm and indication system.

The Tricon Protection Set application program, known as the TSAP, performs the above safety functions. The TSAP is programmed by the ND engineer to manage the Tricon hardware configuration for each chassis and to control Tricon behavior. The application software (TSAP) is the focal point of the Software Safety Plan because it has a SIL-4 rating and plays a critical role in Tricon operations.

The following safety goals were extracted from PG&E Design Inputs and applicable regulatory guidance, including IEEE 1228, BTP 7-14, and NUREG/CR-6430. The safety goals are expected to be achieved by adherence to the plan:

1) Software failures will not compromise or degrade the nuclear reactor protection system.

2) Software provides the reliable and accurate trip signal.

3) Software responds promptly to a change in process parameter.

4) Software processes the sensor data as intended and sends output data as expected to recorders, indicators, and plant computers for display or alarming purpose.

in v e. n s". n V e. n Operations Management Triconex Document: I993754-1-911 I

Title:

ISoftwvare Safety Plan Revision: I Page: 7 of 47 Date: I 10/3/11

5) Application software-related hazards will be mitigated or their risks will be reduced to an acceptable level.

The acceptable risks and safety objectives are:

1) A software-caused failure in a single instrument channel will not adversely affect the output of the redundant instrument channels.

2) Run-time errors in the Maintenance Workstation (MWS) or the plant computer in the Control Room will not affect the safety function of the Tricon application software.

3) The software will be able to handle bad input due to signal calibration error or sensor/transmitter failures.

4) Diversity in the software test design (i.e., a unique test specification for each Protection Set TSAP) for the redundant application software safety functions will be utilized to provide an additional barrier against common-cause application software defects.

5) Run-time errors in calculation functions (diagnostics such as divide-by-zero) shall be alarmed to operators and the erroneous value shall not be used in subsequent functions.

6) Failures in the MWS associated with a Protection Set may degrade another non-safety part of the same Protection Set but the safety function of the Tricon application software is not affected (e.g. a loss-of-view failure will not prevent a safety trip).

1.1 Scope The scope of this Software Safety Plan is limited to addressing the safety concerns of the Invensys-developed software portion of the PPS Replacement. SIL-4 application software (TSAP) running on the Invensys Tricon hardware will be assessed in the context of its associated hardware, environment, internal and external interfaces. See Figure 1 below for the scope of the Plan.

However, there are exceptions to the scope of the Plan:

I ) The software safety concerns regarding the application software (TSAP) apply to the project development and testing phase. The project post-development safety concerns (e.g., PPS Protection Set(s) installation, maintenance, operations support, and retirement) are beyond the scope of this Plan. This limitation is stipulated by the contractual arrangement with PG&E as specified in the Purchase Order [Reference 2.3.1.1 ].

Software safety concerns during installation, maintenance, operation, and retirement are out of scope of this Plan. It is licensee's responsibility to develop the SSP for those phases.

2) The Tricon firmware plays a vital role in the Tricon operations, and ultimately affect the performance and functionality of the PPS Replacement. However, the Tricon firmware is not within the scope of this project because the qualification and safety aspects of the V1O Tricon platform are addressed in the VIO Tricon Topical Report, 7286-545-1, as part of the NRC safety evaluation.

in V e. n s'.9 s" i vn, e rn. s'.v s Operations Management Triconex Document: 993754-1-911

Title:

Software Safe Plan Revision: I 1 Paee: 1 8 of 47 I Date: I 10/13/11 I

3) With regard to Secure Development & Operating Environment (SDOE), NTX-SER 14 [Reference 2.3.2.13], and also 993754-1-913, RG 1.152 Conformance Report

[Reference 2.3.2.7], explain Invensys Operations Management compliance to RG 1.152.

The former is for the VI 0 Tricon safety evaluation, the latter for the PPS Replacement Project specifically.

The safety aspects of the following software and firmware will be excluded from the scope of this Plan though they are internal units of each Protection Set:

1) Westinghouse Advanced Logic System (ALS) hardware.

2) Maintenance Workstation.

ALS and Maintenance Workstation will interface with Tricon within the Protection Set. Safety concerns during the Installation, Operations, Maintenance, and Retirement phases of the system life cycle are the responsibility of the Licensee, PG&E.

One Typical Protection Set FUII Invensys-developed Firmware Invensys-developed Software in the Scope of Software Safety Plan Figure 1. Software Safety Scope Concerning application software verification, the IV&V activities described in the SVVP may overlap with certain activities in the SSP, but their purposes differ.

Purpose of the SSP activities:

in v"e.n s. s- n e. n s'.ts-Operations Management Triconex Document: I993754-1-911 I

Title:

ISoftware Safety Plan Revision: I Page: 9 of 47 Date: 1 10/13/11 I

" Identify and document hazards which could be introduced in the Tricon Vi10 Protection Set software during the development life cycle.

" Recommend and track hazard reduction efforts.

Purpose of the SVVP activities:

• Verify that the customer-specified Tricon V10 Protection Set application requirements (Section 2.3.1) are correctly satisfied.

" Validate that the Tricon V 10 Protection Set application functions work as specified by the customer (Section 2.3.1 ).

in Ve. n s'.ý *5s" Tm i n Ve n s'., s" Operations Management Triconex Document: 993754-1-911

Title:

I Software Safe Plan Revision: I Page: 1 10 of 47 1 Date: 1 10/13/11 I

2. Definitions, Acronyms, Abbreviations, and References Definitions used in the Software Safety Plan shall be consistent with IEEE Std 610.12-1990

[Reference 2.3.4.11].

2.1 Abbreviations and Acronyms ALS Advanced Logic System BTP Branch Technical Position CFR Code of Federal Regulations DCPP Diablo Canyon Power Plant DI&C Digital Instrumentation And Controls EPRI Electric Power Research Institute ETD Emulator Test Driver FAT Factory Acceptance Test IEC International Electrotechnical Commission IEEE Institute of Electrical and Electronics Engineers ISG Interim Staff Guidance IV&V Independent Verification and Validation MAS Main Annunciator System MCR Main Control Room ND Nuclear Delivery NRC US Nuclear Regulatory Commission NSIPM Nuclear System Integration Program Manual NQA Nuclear Quality Assurance NQEL Nuclear Qualified Equipment List NUREG US Nuclear Regulatory Commission Regulation QA Quality Assurance QPM Quality Procedures Manual PAN Product Alert Notice PDF Portable Document Format PG&E Pacific Gas & Electric Company PI Project Instruction PLC Programmable Logic Controllers PM Project Manager PPM Project Procedures Manual PPS Process Protection System

in V e. n s". S" in Ve. ns'. s" Operations Management Triconex Document: I 993754-1-911

Title:

Software Safe Plan Revision: I Page: 11 of 47 Date: 10/13/11 PQAE Project Quality Assurance Engineer PQAM Project Quality Assurance Manager SDC Software Development Checklist SDD Software Design Description SDOE Secure Development & Operating Environment SIL Software Integrity Level SRS Software Requirements Specification SSO Software Safety Officer SSPS Solid State Protection System TSAP TriStation Application Program TS 1131 TriStation 1131 2.2 Definitions Accident: An unplanned event or series of events that results in death, injury, illness, environmental damage, or damage to or loss of equipment or property Previously developed software: Software that has been produced prior to or independent of the project for which the Plan is prepared, including software that is obtained or purchased from outside sources.

Risk: A measure that combines both the likelihood that a system hazard will cause an accident and the severity of that accident.

Safety-critical software: Software that falls into one or more of the following categories:

a) Software whose inadvertent response to stimuli, failure to respond when required, response out-of-sequence, or response in combination with other responses can result in an accident.

b) Software that is intended to mitigate the result of an accident c) Software that is intended to recover from the result of an accident Software Hazard: A software condition that is a prerequisite to an accident.

Software Safety: Freedom from software hazards.

Software Safety Program: A systematic approach to reducing software risks.

System Hazard: A system condition that is a prerequisite to an accident.

System Safety: Freedom from system hazards.

i n v e. n s". s" inV e.n s'.ts Operations Management Triconex Document: I993754-1-911 I

Title:

ISoftware Safety Plan Revision: 1 Page: 12 of 47 Date: 10/13/11 2.3 References 2.3.1 PG&E Documents 2.3.1.1 PG&E Purchase Order # 3500897372 2.3.1.2 Pacific Gas & Electric Company Diablo Canyon Power Plant Units I & 2 Process Protection System Replacement Conceptual Design Document 2.3.1.3 Process Protection System Replacement Interface Requirements Specification 2.3.1.4 08-0015-SP-001, PPS Functional Requirements Specification 2.3.1.5 PG&E Process Protection System Controller Transfer Functions Design Input Specification, 101 15-J-NPG.

2.3.1.6 PG&E Process Protection System (PPS) Function Block Diagram (FBD) 08-0015-D Series.

2.3.2 Invensys Documents 2.3.2.1 9100150-001, Tricon V10 Nuclear Qualified Equipment List 2.3.2.2 993754-1-801, Software Quality Assurance Plan (SQAP) 2.3.2.3 993754-1-802, Software Verification and Validation Plan (SVVP) 2.3.2.4 993754-1-905, Project Management Plan (PMP) 2.3.2.5 993754-1-907, Software Development Plan Coding Guideline 2.3.2.6 993754-1-909, Software Configuration Management Plan (SCMP) 2.3.2.7 993754-1-913, RG 1.152 Conformance Report 2.3.2.8 993754-1-916, Project Training Plan 2.3.2.9 IOM-Q2, Invensys Operations Management Nuclear Quality Assurance Manual 2.3.2.10 NSIPM, Nuclear System Integration Program Manual, NTX-SER-09-21 2.3.2.11 Quality Procedure Manual (QPM) 2.3.2.12 Project Procedures Manual (PPM) 2.3.2.13 Tricon VI 0 Conformance to Regulatory Guide 1.152, NTX-SER-10-14 2.3.2.14 Project Instruction 1.0, Application Project Administrative Controls for the PPS Replacement Project 2.3.2.15 Project Instruction 7.0, Application Program Development for the PPS Replacement Project 2.3.3 Industry Documents 2.3.3.1 BTP 7-14, NRC Guidance on Software Reviews for Digital Computer-Based Instrumentation and Control Systems 2.3.3.2 CFR Part 50, Appendix A - General Design Criteria for Nuclear Power Plants 2.3.3.3 CFR Part 50, Appendix B - Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants 2.3.3.4 EPRI Topical Report TR-106439, Guideline on Evaluation and Acceptance of Commercial Grade Digital Equipment for Nuclear Safety Applications 2.3.3.5 DI&C-ISG-1, Digital Instrumentation and Controls, Task Working Group #1: Cyber Security 2.3.3.6 DI&C-ISG-4, Digital Instrumentation and Controls, Task Working Group #4: Highly-Integrated Control Rooms - Communications Issues 2.3.3.7 DI&C-ISG-6, Digital Instrumentation and Controls, Task Working Group #6: Licensing Process 2.3.3.8 NUREG/CR-6101, Software Reliability and Safety in Nuclear Reactor Protection Systems

i n v e. n s".ý-j S ne.n Operations Management Triconex IDocument: I993754-1-911 I

Title:

ISoftware Safety Plan Revision: 1 Page: 13 of 47 Date: 10/13/11 I 2.3.3.9 NUREG-0800, Standard Review Plan 2.3.4 NRC Documents 2.3.4.1 IEEE Std 610.12-1990, IEEE Standard Glossary of Software Engineering Terminology 2.3.4.2 IEEE Std 730-1989, IEEE Standard for Software Quality Assurance Plans 2.3.4.3 IEEE Std 828-1990, IEEE Standard for Software Configuration Management Plans 2.3.4.4 IEEE Std 829-1983, IEEE Standard for Software Test Documentation 2.3.4.5 IEEE Std 830-1993, IEEE Guide to Software Requirements Specifications 2.3.4.6 IEEE Std 1012-1998, IEEE Standard for Software Verification and Validation 2.3.4.7 IEEE Std 1016-1987, IEEE Recommended Practice for Software Design Descriptions 2.3.4.8 IEEE Std 1028-1988, IEEE Standard for Software Reviews and Audits 2.3.4.9 IEEE Std 1042-1987, IEEE Guide to Software Configuration Management 2.3.4.10 IEEE Std 1058.1-1987, IEEE Standard for Software Project Management Plans 2.3.4.11 IEEE Std 1074-1991, IEEE Standard for Developing Software Life Cycle Processes 2.3.4.12 IEEE Std 1228-1994, IEEE Standard for Software Safety Plans

in v e. n s'.y s" i n V c-. n s-. . "

Operations Management Triconex Document: 993754-1-911

Title:

I Software Safe Plan Revision: I Page: 1 14 of 47 1 Date: 1 10/13/11 I I

3. Software Safety Management 3.1 Organization and Responsibilities The organizational structure of Invensys Operations Management PPS Replacement Project team is described below. Because this project is nuclear-safety-related, all the software safety concerns are addressed by the project's activities and under the oversight, review and approval by the described organizations. Fundamentally, the organizational structure consists of three organizations:

1) Nuclear Delivery (ND)

2) Nuclear Quality Assurance (NQA)

3) Nuclear Independent Verification and Validation (Nuclear IV&V)

The relationships between organizations having responsibility for tasks impacting software safety and approval authority of software safety program tasks are presented in the table below.

See the Project Management Plan, 993754-1-905, for additional discussion of project responsibilities.

Table 1. Organizational Responsibilities and Relationships Organization Task Authority Nuclear - Defining Software Functional Requirements - IOM Director, Delivery - Designing Application Software Nuclear Delivery

- Implementing Application Software - Project Manager Nuclear - Performing reviews and audits of project activities - IOM Nuclear Quality Quality - Verifying compliance with project plans and Director Assurance procedures - Project NQA

- Verifying compliance with customer contract and Manager specifications Nuclear - Reviewing Project Documents - IOM Nuclear IV&V Independent - Performing Verification & Validation Director Verification - Nuclear IV&V and Manager Validation will act as the Software Safety Officer (SSO) and will be responsible for the overall conduct of the software safety program. Per PI 1.0 [Reference 2.3.2.14], as Invensys Operations Management Nuclear IV&V manager is the most qualified person to handle the software safety management. The SSO reports to the Invensys Operations Management Director of Nuclear Independent Verification and Validation (Nuclear IV&V) and is responsible for implementation of the Nuclear IV&V activities conducted at the Invensys Lake Forest Facility.

The Nuclear IV&V Manager has the authority and organizational freedom to ensure that V&V

n' v" e. n] s" .ý s" i n Ve. n'. s" Operations Management Triconex Document: I993754-1-91 1 I

Title:

ISoftware Safety Plan Revision: 1 Page: 15 of 47 Date: 1 10/13/11 activities are managerially, technically, and financially independent of the Nuclear Delivery organization.

The SSO will have the following responsibilities:

1) Obtain and allocate resources to ensure effective implementation of the Software Safety Plan.

2) Coordinate safety task planning with other organizational functions such as ND group, and NQA group.

3) Participate in audits of software safety plan implementation.

4) Ensure training of safety and other Nuclear IV&V personnel in methods, tools, and techniques used in software safety tasks.

a Nuclear IV&V engineer, is assigned to carry out software safety activities including the following responsibilities:

1) Prepare the Software Safety Plan.

2) Coordinate the technical issues related to software safety with other functions such as ND Engineers and NQA engineers.

3) Ensure that adequate records are kept to document the conduct of software safety activities.

4) Report to the SSO the progress of software safety activities.

The accomplishment of software safety program activities will be integrated with and performed by both ND Engineers and Nuclear IV&V Engineers in four phases of PPS Replacement software development lifecycle (Requirement, Design, Implementation, and Testing).

w-

in v'e. n s". snv-. ns Operations Management Triconex Document: 993754-1-911

Title:

Software Safe: Plan Revision: I Page: I 16 of 47 Dt: I10/13/11 I 3.2 Resources This section specifies how the resources are allocated and monitored for the PPS Replacement safety software implementation.

3.2.1 Schedule The PPS Replacement Project schedule, 993754-1-059, includes document deliverables to meet the intent of DI&C-ISG-06 deliverables and IEEE Std 1228-1994 documentation requirements.

For each document deliverable, a reasonable amount of time is allocated for such tasks as creating the document, reviewing the document, and resolving issues found during reviews.

Project status/progress and issues will be monitored in the following ways:

1) Weekly Project Hours Tracking Sheets

2) Project Schedule Weekly Updates

3) Project Phase Summary Reports and Exits Meetings

4) NQA Audits and Surveillance See the Project Management Plan [Reference 2.3.2.4], 993754-1-905, Section 3.4 (Monitoring and Controlling Mechanism) for details.

3.2.2 Personnel 3.2.3 Standards Invensys Operations Management conforms to the following international, national and industry standards for its software safety program:

NRC Staff Review Guidance:

• NUREG-0800, Standard Review Plan, Chapter 7

• Branch Technical Position 7-14, Guidance on Software Reviews for Digital Computer-Based Instrumentation and Control Systems Regulatory Guides 0 1.152, Criteria for Use of Computers in Safety Systems of Nuclear Power Plants

in ve.ns.ý .n s- n V e. ss".

Operations Management Triconex Document: 993754-1-911

Title:

Software Safe: Plan Revision: I Page: j 17 of 47 I Dt: 10/13/11 I

• 1.168, Verification, Validation, Reviews and Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants

• 1.169, Configuration Management Plans for Digital Computer Software Used in Safety Systems of Nuclear Power Plants

• 1.170, Software Test Documentation for Digital Computer Software Used in Safety Systems of Nuclear Power Plants

• 1.172, Software Requirements Specifications for Digital Computer Software Used in Safety Systems of Nuclear Power Plants

• 1.173, Developing Software Life Cycle Processes for Digital Computer Software Used in Safety Systems of Nuclear Power Plants

• 1.180, Guidelines for Evaluating Electromagnetic and Radio-Frequency Interference in Safety-related Instrumentation and Control Systems Nuclear Regulatory Reports 0 NUREG/CR-6101, Software Reliability and Safety in Nuclear Reactor Protection Systems IEEE standards:

• 603, IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations

• 7-4.3.2, IEEE Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations 0 730, IEEE Standard for Quality Assurance Plans a 828, IEEE Standard for Configuration Management Plans 0 829, IEEE Standard for Software Test Documentation 0 830, IEEE Recommended Practice for Software Requirements Specifications

• 1012, IEEE Standard for Software Verification and Validation 0 1016, IEEE Recommended Practice for Software Design Descriptions

• 1028, IEEE Standard for Software Reviews and Audits

• 1058, IEEE Standard for Software Project Management Plans

• 1059, IEEE Guide for Software Verification and Validation Plans

• 1074, IEEE Standard for Developing Software Life Cycle Processes 0 1228, IEEE Standard for Software Safety Plans Other standards

" ANSI/ASME NQA-1-1983, Quality Assurance Program Requirements for Nuclear Facilities

" ANSI/ASME NQA-l a-1983 (Addenda), Addenda to ANSI/ASME NQA-l-1983, Quality Assurance Program Requirements for Nuclear Facilities

• ANSI/ASME NQA-l-1994, the basis for the PPM 3.2.4 Company Development Procedures The Protection Set software safety program implementation also follows Invensys Operations Management development procedures listed below.

n-V" . n S ".ýj s" in ve n s..!

5-Operations Management Triconex Document:. 993754-1-911 I

Title:

ISoftware Safety Plan Revision: I Page: 18 of 47 I3Date: 101131 As an approved 10 CFR Part 50 Appendix B supplier, Invensys Operations Management will adhere to the Invensys Nuclear Systems Integration Program Manual (NSIPM) to ensure compliance with NRC requirements regarding safety-related software development. The Invensys Operations Management Quality Procedures Manual (QPM), Project Procedures Manual (PPM), and Manufacturing Department Manual (MDM) are the implementing procedures under the NSIPM. These procedures have been audited numerous times by third parties, including the NRC, and found compliant with a 10 CFR Part 50 Appendix B program as well as the NRC requirements for development of safety-related software.

IOM-Q2: This is the corporate policy manual applicable to nuclear safety-related activities at Invensys Operations Management facilities. The Nuclear Quality Assurance Manual, IOM-Q2

[Reference 2.3.2.9], will govern the quality affecting activities performed by ND personnel at IOM facilities. Nuclear quality affecting activities will be conducted in accordance with the IOMQ2 and the Project Quality Plan, 993754-1-900.

NTX-SER-09-21: This is the Nuclear System Integration Program Manual. This program manual is the overarching lifecycle document for nuclear system integration projects, and it is currently being reviewed by the NRC as part of the V10 Tricon safety evaluation.

Project Procedures Manual: This manual contains the ND implementing procedures under the NSIPM. The PPM describes the process lifecycle for nuclear safety system integration projects.

Quality Procedures Manual: Defines the quality (implementing) procedures for nuclear safety-related activities. This program manual is not specific to integration projects, but rather for any issue pertinent to nuclear safety-related activities, materials, and systems. NQA is predominantly responsible for the implementation of the QPM procedures.

3.2.5 Equipment Support and Tools

in v*e. n s'.j s" in V 2-. n ' .t s" Operations Management Triconex Document: 993754-1-911

Title:

Software Safe Plan Revision: I 1 Page: 1 19 of 47 I Date: I 10/13/11 w

3.3 Staff Qualifications and Training The PPS Replacement Project requires a ND project team with combined knowledge and experience with the U.S. NRC regulations and processes, software engineering lifecycle management, and technical design and implementation of nuclear safety-related hardware and software. Specific skills and knowledge are required in the following areas:

1) Design and procedural compliance with 10 CFR Part 50 Appendices A and B [Reference 2.3.3.2 and 2.3.3.3].

2) Application of U.S. NRC Regulatory Guides relevant to safety-system software development.

3) Application of relevant U.S. NRC staff guidance related to design of nuclear safety systems, such as BTP 7-14 [Reference 2.3.3.1], DI&C-ISG-01 [Reference 2.3.3.5],

DI&C-ISG-04 [Reference 2.3.3.6], and DI&C-ISG-06 [Reference 2.3.3.7].

4) Understanding of staff guidance contained in Chapter 7 of U.S. NRC NUREG-0800

[Reference 2.3.3.9].

5) Application of relevant Institute of Electrical and Electronics Engineers standards (e.g.,

those endorsed by U.S. NRC Regulatory Guides) to nuclear safety-related system design and implementation.

6) Implementation of the Invensys Operations Management NSIPM and PPM to nuclear safety-related projects.

7) Tricon system hardware design and construction.

8) Tricon application code (PT2 file) development using TriStation 1131.

In addition to the above skill sets for the ND project team, the Nuclear IV&V team requires specific skills and knowledge in the following areas:

1) Application of U.S. NRC Regulatory Guides relevant to independent verification and validation safety-system software.

2) Application of Institute of Electrical and Electronics Engineers standards (e.g., those endorsed by U.S. NRC Regulatory Guides) relevant to independent verification and validation of software for nuclear safety-related applications.

The ND and Nuclear IV& teams are knowledgeable of process and protection systems collectively.

in Ve. n s'.= s- ifn V e. n s-.is-Operations Management Triconex IDocument: I993754-1-911 I

Title:

ISoftware Safety Plan Revision: 1 Page: 20 of 47 T Date: 10/13/11 I In addition to the above skill sets for the Nuclear IV&V team, the NQA Engineer requires specific skills and knowledge in the following areas:

I) Invensys Operations Management PPMs.

2) Invensys Operations Management corporate Nuclear Quality Policy, IOM-Q2.

3) U.S. NRC Appendix B criteria and application of such criteria to nuclear safety-related projects involving hardware and software design.

4) NQA-l criteria and application of such criteria to nuclear safety-related projects involving hardware and software design.

Project personnel shall be appropriately qualified and trained in accordance with the NSIPM Section 9.0 and PPM 9.0 [Reference 2.3.2.12]. A copy of project personnel qualification and training records will be included in the PPS Replacement Project document file.

Minimum Requirements. At a minimum, PPS Replacement Project team members will have documented training in the following areas. Equivalent training and experience will satisfy the below minimal requirements.

in Ve. n s'.* s" i n V e. n s'.; s" Operations Management Triconex Document: 993754-1-911 Tiite: I Software Safety Plan Revision:

I l I P: i" I 21 of 47 I Ige:

Date: 1 10/13/11 I1 I

w The Project Management Plan, 993754-1-905 [Reference 2.3.2.4], addresses project training requirements in more detail.

3.4 Software Life Cycle The software development life cycle used for the PPS Replacement project is described in the NSIPM.

Software safety tasks are addressed as an integral part of development life cycle phase activities (Requirements, Design, Implementation, and Testing).

w

in v e. n s'.> s" S in V e. n s'.l s" Operations Management Triconex Document: 993754-1-911

Title:

I Software Safe4 Plan Revision: I Page: 1 22 of 47 I Date: I 10/13/11 I w

in v'e. n s'.* s" ii vNe. n s'. s" Operations Management Triconex Document: 993754-1-911

Title:

Software Safe Plan Revision: I Page: 1 23 of 47 ] Date: 1 10/13/11 IL

in ve. n s'.> s" i nl V e. n s-.tj s-Operations Management Triconex Document: 993754-1-911

Title:

Software Safety Plan I qE.* s" I Revision: I Paze: 24 of 47 I Date:

Triconex iQv'e, 10/13/11 II LIZ

in ve. n s. s i n V e. n s" Operations Management Triconex Document: 993754-1-911

Title:

I Software Safet Plan Revision: 1 Paee: 1 25 of 47 I Date: I 10/13/11 I w

3.5 Documentation Requirements This section specifies the Invensys-provided software safety documents for the Tricon portion of PPS. The Westinghouse ALS documents are not covered here. The Software Safety Program elects to integrate the safety documentation with other project documents.

The following table addresses the deviations of Invensys-provided documentations with IEEE 1228 [Reference 2.3.4.12] documentation requirements for safety-critical software and how the deviations are justified.

Table 2. Documentation Requirements & Deviations IEEE 1228 Invensys-Provided Intents to Satisfy IEEE 1228 Requirements Documentation Documentation Requirements a) Software a) Project The Plan documents how the software safety is integrated Project Management Plan, and managed with other activities with respect to project Management 993754-1-905 schedule, resource, budget, risk management, constraints and dependencies.

The document is based on the guidance provided by BTP 7-14, NUREG/CR-6 101 [Reference 2.3.3.8].

b) Software b) Software The Plan documents the method and mechanism for Configuration Configuration configuration/access/change control of the critical safety Management Management Plan, software (e.g. TSAP codes, TS 1131 Developer 993754-1-909 Workbench).

The document is based on the guidance provided by IEEE Std 828-1990 [Reference 2.3.4.3].

c) Software c) Software Quality The Plan documents the role of NQA in ensuring process Quality Assurance Plan, compliance of key software safety activities.

Assurance 993754-1-801 The document is based on the guidance provided by IEEE Std 730-1989 [Reference 2.3.4.2].

d) Software d) Software The SRS specifies the software functional and performance Safety Requirements requirements to create the TSAP for Tricon portion of the Requirements Specifications Protection Set. The specification of the software (SRS), 993754-1n- requirements is decomposed to four sets based on the 809

• hardware configurations of the Tricon portion of the Protection Set.

I Specifications of safety requirements are integrated in the

in v*e. n s.9 s i nv'e.n, s'.fl s Operations Management Triconex Document: 993754-1-911

Title:

I Software Safet Plan Revision: I Paee: 1 26 of 47 1 Date: 1 10/13/11 I IEEE 1228 Invensys-Provided Intents to Satisfy IEEE 1228 Requirements Documentation Documentation Requirements SRS. The document is based on the guidance provided by IEEE Std 830-1993 [Reference 2.3.4.5].

e) Software e) Software Design The SDD describes the details design of the TSAP for Safety Design Descriptions Tricon portion of the Protection Set. The details design is (SDD), 993754-1n- partitioned into four design sets based on hardware 810

• configurations of the Tricon portion of the Protection Set.

Each design set defines attributes describing intrinsic design information such as channel safety functions, internal and external interfaces, dependencies.

The safety design elements are integrated in the SDD. The document is based on the guidance provided by IEEE Std 1016-1987 [Reference 2.3.4.7].

f) Software fl) Software The Plan describes or references the Invensys software Development Development Plan, development methodology, and coding/comment standards Methodology, 993754-1-906 to be used in the development of TSAP for the Tricon Standards, f2) Software portion of the Protection Set. The document is based on Practices, f2)eloftw a n the guidance provided by IEEE Std 730-1989.

Metrics, and Development Plan Conventions Coding Guidelines, Coding Guidelines contain guidance for the ND staff 993754-1-907 regarding TriStation 1131 project configuration, application code layout, tagname convention, and general guidance on programming style. The guidance also discusses proper usage of the PPS-specific function blocks in the V 10 Tricon Protection Set application code.

g) Test gl) Validation Test The Validation Test Plan develops the plan for validation Documentation Plan, 993754-1-813 testing of the Protection Sets.

g2) Software Software Verification Test Plan develops the plan for Verification Test verifying the TSAP codes for the Protection Sets.

Plan, 993754-1 -868 Validation Test Specification develops the validation test g3) Validation Test requirements and acceptance criteria.

Specification, Software Verification Test Specification develops the 993754-1-8 12 software verification test requirements and acceptance g4) Software criteria.

Verification Test Software Verification Test Procedure/Test Cases creates Specification, the procedure and test cases for verifying the Protection Set 993754-1-869 application code against the Software Requirements g5) Software Specification.

Verification Test Software Verification Test Cases Execution/Report

i n V'e. n s'. s" i n v e. n s-.ij s.

Operations Management Triconex Document: 993754-1-911

Title:

Software Safe Plan Revision: I Pai!e: 1 27 of 47 F Date: I 10/13/11 I IEEE 1228 Invensys-Provided Intents to Satisfy IEEE 1228 Requirements Documentation Documentation Requirements Procedure/Test documents the executions of the software verification test Cases, 993754-1n- cases and creation of the test results report. It also 870-k

• generates test incident reports and System Integration g6) Software Deficiency Reports if test anomalies are encountered.

Verification Test These documents are based on the guidelines of PPM 6.0 Cases and 7.0 1.

Execution/Report, 993754-1-853 h) Software h I) Software The document develops the plan for managing the Verification and Verification and independent verification and validation activities during the Validation Validation Plan, PPS Replacement Project. It is based on the guidance 993754-1-802 provided by IEEE Std 1012-1986 [Reference 2.3.4.6].

h2) Project The Matrix provides a mechanism to ensure traceability of Traceability safety requirements to the design descriptions, Matrix, 993754 implementation, and test cases.

804 i) Reporting i) Final Verification The Final V&V Report records the following information:

Safety & Validation - Description of the verification and validation activities Verification and Report, 993 754 including the software safety-related activities.

Validation 814

- Summary of the verification and validation results.

- Summary of all anomalies and their corrective actions.

- Assessment of the application program's overall quality.

- Assessment of the software safety overall efforts and effectiveness of the software safety plan.

j) Software User j) Tricon V10 User Tricon V10 User Manual provides significant platform Documentation Manual information to the safe PPS installation, use, maintenance, and retirement of the PPS.

k) Results of k) Safety Analysis The analysis identifies potential hazards, and estimates the Software Safety (Requirements frequency of occurrence and consequence of hazardous Requirements Phase), 993754 events based on the Software Requirements Specifications.

Analysis 915

1) Results of i) Safety Analysis The analysis evaluates compliance of the design with the Software Safety (Design), 993754- software safety requirements and establishes the Design Analysis 1-915 relationship between the system hazards and the design

in ve. n s" in v-/ e. n s .t 5 Operations Management Triconex Document: 993754-1-911

Title:

I Software Safey Plan Revision: I Page: 28 of47 Date: 1 10/13/11 I IEEE 1228 Invensys-Provided Intents to Satisfy IEEE 1228 Requirements Documentation Documentation Requirements elements of the Protection Set software.

m) Results of m) Safety Analysis The analysis evaluates the compliance of the TSAP codes Software Safety (Implementation), with the Protection Set software requirements and identifies Code Analysis 993754-1-915 any new hazards introduced by the codes.

n) Results of n) Safety Analysis The analysis determines whether each Protection Set n)ftwres ofey n S t hafety software safety requirement has been satisfactorily Software Safety (Test Phase),

Test Analysis 993754-1-915 addressed by one or more software test, makes an assessment of risk associated with the implementation of the Protection Set software.

o) Results of o) Software Change The analysis determines the impact of the software Software Safety Analysis changes, and the extent of the regression tests to be Change Analysis performed as a consequence of modifications to the software. It also points out which documentations are to be revised to reflect the changes.

'I, Note:

(1) n = I ... 4 (to match Protection Set)

(2) k = I ... total subprograms in each TSAP 3.6 Software Safety Program Records IZI The Master Configuration List (MCL) shall be used as record tracking system to monitor the status of the safety-related documents. The MCL shall categorize and identify each safety-related document/record by its document number, revision, title description and date.

The software safety program records to be generated include:

" Phase analyses

• Phase summary and final test reports

• Records of personnel training

• Certification Evidence

in ve. n s'.* s" i n V e. nfs'.! s-Operations Management Triconex Document: 993754-1-911

Title:

Software Safe Plan Revision: 1 Page: 29 of 47 I Date: ] 10/13/11 l I

3.6.1 Phase Analyses The Nuclear IV&V engineers are responsible for generating and maintaining the following Phase Analyses:

" Requirements Phase Safety Analysis

" Design Phase Safety Analysis

" Implementation Phase Safety Analysis

• Test Phase Safety Analysis w-3.6.2 Test Reports The Nuclear IV&V engineers are responsible for generating and maintaining the following the test reports:

1) Requirement Phase Summary Report

2) Design Phase Summary Report

3) Implementation Phase Summary Report

4) Test Phase Summary Report

in vwe. n s.ýý s" i n v e. n s*. s Operations Management Triconex Document: 993754-1-911

Title:

Software Safe! Plan Revision: I Page: 30 of 47 I Date: I 10/13/11 l I

5) Final Verification and Validation Report w

3.6.3 Records of Training:

The following records will be generated by the PPS Replacement Project team members:

1) Project Personnel Training Reading List (Project Reading materials)

2) Project Personnel Training Reading List (General Reading materials)

3) Classroom Training Certificates if applicable

4) Specialized Training Certificates if applicable The first two records (Reading List) must be completed by each ND, NQA and Nuclear IV&V engineer and submitted to the Project Manager.

w1

in ve. n s.s inV n S. S-Operations Management Triconex Document: 993754-1-911

Title:

Software Safet Plan Revision: 1 Page: 31 of 47 I Date: I 10/13/11 I IEI

in v'e. n s'.> s" i n Ve n s'.Y s" Operations Management Triconex Document: 993754-1-911

Title:

Software Safe4 Plan Revision: I Page: 32 of 47 I Date: I 10/13/11 I I

in Ve. n s'.* s" i n Va. f n '.Y 5" Operations Management Triconex i Documen I 993754-1-911 I

Title:

I Software Safey Plan Revision: I Page: 33 of 47 1 Date: 1 10/13/1I w

3.8 Software Quality Assurance Activities The NQA organization ensures that the software safety activities are properly performed in accordance with the approved process specified in the NSIPM. A NQA engineer prepares the software quality assurance plan. It will be reviewed by ND engineer and Nuclear IV&V engineer. The document will be approved for issue by the Project Manager.

liz See the SQAP, 993754-1-801, [Reference 2.3.2.2] for details.

3.9 Software Verification and Validation Activities The Nuclear IV&V organization's tasks in the Software Safety Plan are to ensure that the Protection Set software safety requirements have been satisfied by the life cycle phases and no additional hazards have been introduced by the work done during the life cycle activities.

In order to accomplish its tasks, the Nuclear IV&V engineers perform the phase activities described in the following subsections.

w

i n v'e. n s'.* s" i n. V e. n s'.d s" Operations Management Triconex Document: 993754-1-911

Title:

I Software Safety Plan Revision: I Paee: I 34 of 47 I Date: I 10/13/11 I1 EIEIJ 3.10 Tool Support and Approval This section describes the criteria to be applied in selecting, approving, and controlling tools used in the PPS Replacement project. It also describes how the possibility of inadvertent introduction of software hazards by the project tools will be controlled. Table 5 below provides an overview of tools used in either development or verification/validation of the TSAP for the Protection Sets.

Table 5. Project Tool Summary

in v'e. n s'.- s" i n. V e. n s'.t s" Operations Management Triconex Document: 993754-1-911

Title:

Software Safe4 Plan Revision: I Paee: 35 of47 I Date: I 10/13/11 I EL

in Ve. ns-.j S" in V e. n s".-

Operations Management Triconex Document: 993754-1-911

Title:

Software Safe: Plan IRevision: I I Page: I 36 of 47 I Dt: 10/13/11 I 3.11 Previously Developed or Purchased Software This section is not applicable to Invensys scope of this project because previously developed or purchased software will not be used in the development of the Protection Set software.

in v e. ns. s ine. n'.--

Operations Management Triconex Document: I993754-1-911 I

Title:

ISoftware Safetýy Plan Revision: I Page: 37 of 47 Date: 10/13/11 3.12 Subcontract Management This section is not applicable to Invensys scope of the Diablo Canyon PPS project. Invensys developers of the critical Tricon software for use in the PPS don't employ the services of a subcontractor to modify or develop any piece of software that will be used in safety-critical situations. All critical Tricon operating and application software is developed in-house.

3.13 Process Certification The PPS Replacement project will be certified per this Software Safety Plan (see Table 6 below) as the project processes, activities, and documents meet the requirements of 10 CFR Part 50 Appendix B and the controls of activities are in accordance with approved PPMs.

NQA is mainly responsible for performing process oversight to ensure that the PPS Replacement software will be produced in accordance with the processes specified in the Software Safety Plan. The process certification involves both the Nuclear IV&V and NQA efforts as follows:

1) Nuclear IV&V's reports certify their own works.

2) NQA's surveillance and internal audits certify V&V procedure compliance.

The following table lists the Nuclear IV&V's and NQA's methods to be used for certifying the processes in the SSP.

in ve. n s'.> s" inV e. n s" Operations Management Triconex Document: 993754-1-911

Title:

I Software Safe Plan Revision: I Page: 1 38 of 47 Date: I 10/13/11 I I

i n v'e. n s'.> s" i n V e. n s'.- s.

Operations Management Triconex i Document: I 993754-1-911

Title:

Software Safety Plan Revision: I Page: 39 of 47 1Date:

0/13/11 I

in V e. n s" .: s- inVe. ns-.i-Operations Management Triconex I Document: I 993754-1-911I

Title:

Software Safety Plan Revision: I Page: 40 of 47 Date: 10/13/11 II

4. Software Safety Analyses As part of the Protection Set software development process, safety analysis shall be performed and documented on each of the principal design documents: requirements specifications, design descriptions, and TSAP application code.

Except for Software Safety Change Analysis, the analyses listed in this section are included in the work packages described in the Project Management Plan, 993754-1-905, as document deliverables. With regard to SDOE, NTX-SER-10-14 and 993754-1-913, RGI.152 Conformance Report, explain Invensys Operations Management compliance with RGI.152. The former is for the Tricon V 10 safety evaluation, the latter for the PPS Replacement Project specifically.

4.1 Software Safety Analyses Preparation The following activities will be carried out during the Requirement Phase of the PPS Replacement Project:

1) Create a Preliminary Hazard List to identify all PPS Replacement system-level hazards.

The system-level hazards include software hazards, procedural hazards, human-contributed hazards and interface hazards.

2) Conduct a Preliminary Hazards Analysis to identify and evaluate all Protection Set hazards with regard to sequences of actions that could cause risks/hazards to the Diablo Canyon Power Plant safety functions and protective actions to mitigate the consequences.

3) Use the Fault Tree Analysis method in the Preliminary Hazard Analysis process.

4) Identify the Protection Set internal interfaces (between Tricon and ALS/ Maintenance Workstation) and Protection Set external interfaces (between Tricon and wq SSPS/MCR/MAS).

in V'e. n s'.* S" inv'e.sn s Operations Management Triconex Document: 993754-1-911

Title:

Software Safe Plan Revision: I Page: 1 41 of 47 I Date: I 10/13/11 I I

w

i n v'e. n s'.y s" in V e. n su 5-Operations Management Triconex Document: 993754-1-911

Title:

Software Safe Plan Revision: I Page: 42 of 47 I Date: I 10/13/11 I w

in V'e.n '* 5-. in V e. n s-. s" Operations Management Triconex Document: 993754-1-911

Title:

Software Safetz Plan Revision: I Page: 1 43 of 47 Date: 1 10/13/11 I I

w

in v'e. n s'.> s" i n V e. n 5",

Operations Management Triconex Document: I 993754-1-911

Title:

I Software Safe Plan Revision: I Page: 44 of 47 1 Date: 1 10/13/11 I

in v'e. n s'.* s" in V e. nl s-.,Y s Operations Management Triconex Document: 993754-1-911

Title:

Software Safety Plan s'.* s" II Revision: I I Paie: 45 of 47 I Date: I Triconex i n.v'e.q 10/13/11 IIl LU

i n v e. n s".Y s" ivn s'.n s" Operations Management Triconex Document: 993754-1-911

Title:

Software Safe: Plan I Revision: I Page: I 46 of 47---- Date: 1 10/13/11

5. Post Development Invensys Operations Management scope of supply is defined in the Project Management Plan, 993754-1-905. In summary, Invensys Operations Management is responsible up to delivery of the PPS Protection Set equipment to the DCPP site. PG&E is responsible for the subsequent system lifecycle phases. However, as an Appendix B supplier of the VIO Tricon PPS Protection Sets, Invensys Operations Management holds 10 CFR Part 21 reporting responsibilities throughout the design life of the equipment.

5.1 Training This section is beyond the scope of this document.

5.2 Deployment This section is beyond the scope of this document.

5.2.1 Installation This section is beyond the scope of this document.

5.2.2 Startup and Transition This section is beyond the scope of this document.

5.2.3 Operations Support This section is beyond the scope of this document.

5.3 Monitoring This section is beyond the scope of this document.

5.4 Maintenance This section is beyond the scope of this document.

5.5 Retirement and Notification This section is beyond the scope of this document.

in V'e. n s'.* s- inN/-e. n Operations Management Triconex Document: 993754-1-911

Title:

Software Safe Plan Revision: I Page: 47 of 47 I Date: 10/13/11 l I

6. Plan Approval This Plan will be controlled as a Configuration Item in accordance with the NSIPM, Section 10.0, Project Document and Data Control. In accordance with the NSIPM, this Plan will be listed on a master configuration list that will identify the current revision level of the SSP to ensure project personnel are using the approved version. The initial and subsequent releases of the SSP will be reviewed and approved by the Project Manager and the Nuclear IV&V Manager, or designee, prior to use by project personnel. Upon each release of the SSP for project use, the project master configuration list will be updated.

Releases of any version to PG&E will be done in accordance with the NSIPM, Section 10. See Invensys document 993754-1-909, Software Configuration Management Plan, for additional details on the Configuration Management activities during the PPS Replacement Project.