ML14205A039
ML14205A039 | |
Person / Time | |
---|---|
Site: | Diablo Canyon |
Issue date: | 04/03/2014 |
From: | Montellano M Invensys/Triconex |
To: | Office of Nuclear Reactor Regulation |
Shared Package | |
ML14205A031 | List:
|
References | |
3500897372, 993754, DCL-14-034 993754-1-868 (-NP), Rev 1 | |
Download: ML14205A039 (34) | |
Text
- 1 n v e. n s* s* i f1 v* e. f1 s* s* Project: Purchase Order No.: Project Sales Order: Triconex PG&E PROCESS PROTECTION SYSTEM REPLACEMENT 3500897372 993754 PACIFIC GAS & ELECTRIC COMPANY NUCLEAR SAFETY-RELATED PROCESS PROTECTION SYSTEM REPLACEMENT DIABLO CANYON POWER PLANT SOFTWARE VERIFICATION TEST PLAN (SVTP) Document No. 993754-1-868 Revision 1 April 03,2014 Author: Reviewer:
A roval: *
- I n v e. n 5' i r) v' e. r) s* Triconex Project: PG&E PROCESS PROTECTION SYSTEM REPLACEMENT Purchase Order No.: 3500897372 Project Sales Order: 993754 Author: Reviewer:
A royal: PACIFIC GAS & ELECTRIC COMPANY NUCLEAR SAFETY-RELATED PROCESS PROTECTION SYSTEM REPLACEMENT DIABLO CANYON POWER PLANT SOFTWARE VERIFICATION TEST PLAN (SVTP) Document No. 993754-1-868 Revision 1 April 03, 2014 Kevin Vu
Document: 993754-1-868 Title: Software Verification Test Plan Revision: 1 Page: 2 of 34 Date: 0 4/0 3/2014 Document Change History Revision Date Change Author 0 11/12/2013 Initial issue M. Montellano 1 04/0 3/2014 Updated to incorporate Rev 9 Design Input documents M. Montellano
Document: 993754-1-868 Title: Software Verification Test Plan Revision: 1 Page: 3 of 34 Date: 0 4/0 3/2014
Document: 993754-1-868 Title: Software Verification Test Plan Revision: 1 Page: 4 of 34 Date: 0 4/0 3/2014
Document: 993754-1-868 Title: Software Verification Test Plan Revision: 1 Page: 5 of 34 Date: 0 4/0 3/2014 -
Document: 993754-1-868 Title: Software Verification Test Plan Revision: 1 Page: 6 of 34 Date: 0 4/0 3/2014 Table of Contents List Of Tables-----------------------...
....... 8 List Of Figures------------------------- 9 1. Test Plan Identifier-------------------- . 10 2. Introduction-----------------------.
10 2.1. Purpose .........................................................................................................................10
2.2. Background
..................................................................................................................10
2.3. Scope
............................................................................................................................10
2.4. Reference
Documents ..................................................................................................11
2.5. Definitions
And Acronyms ..........................................................................................12
2.6. Document
Overview ....................................................................................................14
- 3. Test Items------------------------.
14 4. Features Tested-------------------............
15 5. Features Not Tested--------------------.
15 6. Test Approach--------------------..........
16 6.1. Software Component Test Approach ...........................................................................18
6.2. Software
Integration Test Approach ............................................................................22
- 7. Item Acceptance Criteria and Pass/Fail Criteria--------
.25 8. Suspension Criteria and Resumption Requirements........................
.. 25 9. Test Deliverables---------------------..
26 10. Test Tasks------------------------.
26 11. Environmental Needs-------------------
.. 26 12. Responsibilities----------------------
27 13. Staffing and Training Needs----------------
27 14. Schedule-----------------------........
27 15. Risks and Contingencies---------------.............
27 16. Approvals-----------------------.....
27 17. Appendices-----------------------
.. 28 Appendix 1 - Project Overview ...........................................................................................28
Document: 993754-1-868 Title: Software Verification Test Plan Revision: 1 Page: 7 of 34 Date: 0 4/0 3/2014 Appendix 2 - SVTP Mapping to PPM 6.0 and IEEE Std. 829-1983 ...................................34
Document: 993754-1-868 Title: Software Verification Test Plan Revision: 1 Page: 8 of 34 Date: 0 4/0 3/2014 List of Tables Table 1. Software Features to be tested during the Software Verification Testing ................ 15 Table 2. Software Verification Laptop Configuration
............................................................ 16Table 3. Software Components and Software Features
.......................................................... 19Table 4. Integrated Software Components
.............................................................................. 23Table A-1. V10 Tricon PPS Protection Set Channel Safety Functions--------. 31
Document: 993754-1-868 Title: Software Verification Test Plan Revision: 1 Page: 9 of 34 Date: 0 4/0 3/2014 List of Figures Figure 1. SDC Releases and Verification Strategy
................................................................. 18Figure A-1. Westinghouse PWR Protection Scheme
............................................................. 28Figure A-2. Tricon Protection Set Architecture for the PPS Replacement System
................ 30
Document: 993754-1-868 Title: Software Verification Test Plan Revision: 1 Page: 10 of 34 Date: 0 4/0 3/2014 1. Test Plan Identifier The unique identifier assigned to this Software Verification Test Plan (SVTP) is document number 993754-1-868.
- 2. Introduction
2.1. Purpose
The purpose of this SVTP is to prescribe the scope, approach, and resources of the Software Verification testing (comprising both Software Component and Software Integration testing) activities for the V10 Tricon Protection Sets TriStation Application Project (TSAP) software developed for the Diablo Canyon Power Plant (DCPP) Process Protection System (PPS) Replacement Project. In addition , this SVTP is to identify: the items being tested; the features to be tested; the testing tasks to be performed; the personnel responsible for each task; and the risks associated with this plan.
This SVTP is generated as part of the Nuclear IV&V tasks listed in the SVVP, 993754-1-802 [Reference 2.4.4.6], complies with the IEEE Std 829-1983 "IEEE Standard for Software Test Documentation" [Reference 2.4.1.1
] test document purpose, format and content, and follows the guidelines described in IEEE Std1012-1998 "IEEE Standard for Software Verification and Validation"
[Reference 2.4
.1.2] all in accordance with Invensys PPM 6.0 "Test Control"
[Reference 2.4.4.2].
2.2. Background
General background information related to the Pacific Gas & Electric (PG&E) DCPP PPS Replacement Project is provided in Appendix 1 - "Project Overview". 2.3. Scope The scope of this SVTP is limited to the software verification testing comprising Software Component Testing and Software Integration Te sting of the V10 Tricon Protection Set TSAP software application for all PPS Protection Sets developed using TriStation 1131 (TS1131). Testing of the following are beyond the scope of this SVTP: 1) TSAP Performance testing
- 2) TriStation 1131(TS1131) - Triconex International Electrotechnical Commission (IEC) 1131-3 Developer Workbench V4.9
Document: 993754-1-868 Title: Software Verification Test Plan Revision: 1 Page: 11 of 34 Date: 0 4/0 3/2014 3) Tricon Firmware
- 4) TS1131 Standard Libraries
- 5) ALS software
- 6) MWS software
- 7) DDE Server
- 8) Software procured by vendors other than Invensys Operations Management
- 9) Windows 2000/XP/Vista/7Ž - TriStation Laptop/Workstation OS
- 10) Wonderware Operating System (OS) and Graphics Support Software for the MWS
- 11) Diagnostics of Tricon hardware component failures
2.4. Reference
Documents
2.4.1. Industry
Documents 2.4.1.1 IEEE Std. 829 - 1983, Standard for Software Test Documentation 2.4.1.2 IEEE Std. 1012 - 1998, Standard for Software Verification and Validation 2.4.1.3 IEEE Std. 610.12-1990, Standard Glossary of Software Engineering Terminology 2.4.2. NRC Documents 2.4.2.1 Branch Technical Position 7-14, Guidance on Software Reviews for Digital Computer-Based Instrumentation and Control Systems, Revision 5, U.S. Nuclear Regulatory Commission 2.4.2.2 NUREG-0800, Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR Edition, Chapter 7 - Instrumentation and Controls, Revision 4, U.S. Nuclear Regulatory Commission 2.4.2.3 U.S. NRC Regulatory Guide (RG) 1.168, Verification, Validation, Reviews, and Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants 2.4.2.4 U.S. NRC Regulatory Guide (RG) 1.170, Software Test Documentation for Digital Computer Software used in Safety Systems of Nuclear Power Plants 2.4.2.5 U.S. NRC Digital Instrumentation and Controls Interim Staff Guidance DI&C
-ISG-06 2.4.2.6 10 CFR50, Appendix A, GDC 21 "Protection System Reliability and Testability"
2.4.3. Pacific
Gas & Electric Documents 2.4.3.1 PG&E Purchase Order 3500897372 (CWA 3500897372 Rev 0) 2.4.3.2 Deleted
Document: 993754-1-868 Title: Software Verification Test Plan Revision: 1 Page: 12 of 34 Date: 0 4/0 3/2014 2.4.3.3 PG&E Functional Requirements Specification, 08-0015-SP-001 2.4.3.4 PG&E Process Protection System Replacement Interface Requirements Specification 2.4.3.5 10115-J-NPG, Process Protection System Controller Transfer Functions Design Input Specification
2.4.4. Invensys
Operations Management Documents 2.4.4.1 Invensys Project Procedures Manual (PPM) 2.4.4.2 Invensys Project Procedures Manual (PPM) 6.0, Test Control 2.4.4.3 Invensys Project Procedures Manual (PPM) 7.01, Software Verification 2.4.4.4 Project Management Plan (PMP), 993754-1-905 2.4.4.5 Project Quality Plan (PQP), 993754-1-900 2.4.4.6 Software Verification and Validation Plan (SVVP), 993754-1-802 2.4.4.7 Software Configuration Management Plan (SCMP), 993754-1-909 2.4.4.8 Software Requirements Specification (SRS), 993754-11-809 2.4.4.9 Deleted 2.4.4.10 Deleted 2.4.4.11 Deleted 2.4.4.12 Protection Set I Software Design Description (SDD), 993754-11-810
2.4.4.13 PPS Project Schedule, 993754-1-059 2.4.4.14 Regulatory Guide 1.152 Conformance Report, 993754-1-913
2.5. Definitions
and Acronyms
2.5.1. Definitions
For the glossary of definition of terms in the field of Software Engineering, refer to the IEEE Std. 610.12-1990 [Reference 2.4.1.3].
Acceptance (Pass/Fail) Criteria
- The criteria that a system or component must satisfy in order to be accepted by a user, customer, or other authorized entity. Acceptance Testing
- Formal testing conducted to determine whether or not a system satisfies its acceptance criteria and to enable the customer to determine whether or not to accept the system. Anomaly - Anything observed in the documentation or operation of software that deviates from expectations based on previously verified software products or reference documents.
Component Testing
- Testing of individual hardware or software components or groups of related components.
Implementation
- The process of translating a design into hardware components, software components, or both.
Integration Testing - Testing in which software components, hardware components, or both are combined and tested to evaluate the interaction between them.
Test Case - A document specifying inputs, predicted results, and a set of execution conditions for each test item (may be included in the Test Specification).
Document: 993754-1-868 Title: Software Verification Test Plan Revision: 1 Page: 13 of 34 Date: 0 4/0 3/2014 Test Design Specification - A document specifying the details of the test approach for a software feature or combination of software features and identifying the associated tests.
Test Item - A software item which is the object of testing.
Test Plan - A document describing the scope, approach, resources, and schedule of intended testing activities. It identifies test items, the features to be tested, the testing tasks, who will do each task, and any risks requiring contingency planning.
Test Procedure - Detailed instructions for the set-up, execution, and evaluation of results for a given test case.
Validation - The process of evaluating a system or component during or at the end of the development process to determine whether it satisfies specific requirements.
Verification- The process of evaluating a system or component to determine whether the products of a given development phase satisfy the conditions imposed at the start of that phase.
2.5.2. Acronyms
ALS Advanced Logic System CWA Contract Work Authorization DCPP Diablo Canyon Power Plant DDE Dynamic Data Exchange DNB Departure from Nucleate Boiling DTTA Delta-T / Tavg ESFAS Engineered Safety Features Actuation System ETD Emulator Test Driver FAT Factory Acceptance Test IEC International Electrotechnical Commission IEEE Institute of Electrical and Electronics Engineers IV&V Independent Verification and Validation LTOPS Low Temperature Overpressure Protection System MWS Maintenance Workstation NRC Nuclear Regulatory Commission OPDT Over-Power Delta-T OTDT Over-Temperature Delta-T OOS Out- Of- Service OS Operating System PG&E Pacific Gas and Electric PMP Project Management Plan PPM Project Procedures Manual PPS Process Protection System PQP Project Plan/Quality Plan PT2 File extension for the TriStation 1131 application code, i.e., *.PT2 PTM Project Traceability Matrix PWR Pressurized Water Reactor
Document: 993754-1-868 Title: Software Verification Test Plan Revision: 1 Page: 14 of 34 Date: 0 4/0 3/2014 RG Regulatory Guide RHR Residual Heat Removal RTD Resistance Temperature Detector RTS Reactor Trip System RXM Remote Extender Module, Remote Expansion Chassis SDC Software Development Checklist SDD Software Design Description S/G Steam Generator SI DR System Integration Deficiency Report SIL Software Integrity Level SRS Software Requirements Specification SSPS Solid State Protection System SVT Software Verification Test SVTP Software Verification Test Plan SVVP Software Verification and Validation Plan TCM Tricon Communication Module TiB Test-in-Bypass TiT Test-in-Trip TS1131 TriStation 1131 TSAP TriStation Application Project TTD Trip Time Delay V&V Verification & Validation
2.6. Document
Overview The Software Verification test planning described in this document addresses both Software Component testing and Software Integration testing.
- 3. Test Items The Test Items under the purview of this SVTP for the software verification testing are identified as follows:
- 1) The V10 Tricon PPS Replacement Protection Sets (I, II, III or IV) TSAPs. The versions and revision levels are documented by its associated Software Development Checklist (SDC) as described in the SCMP, 993754-1-909 [Reference 2.4.4.7]. The references to the Test Item documentation are provided in Section 9, "Test Deliverables". For the list of the items that are to be specifically excluded from verification testing under this SVTP, refer to Section 2.3 "Scope".
Document: 993754-1-868 Title: Software Verification Test Plan Revision: 1 Page: 15 of 34 Date: 0 4/0 3/2014 4. Features tested The software features planned to be tested during the Software Component Test and Software Integration Test for applicable Protection Sets are identified in Table 1 below. Table 1. Software Features to be tested during the Software Verification Testing Software Feature #
Software Feature Title Applicable Protection Set 1 Diagnostics I, II, III, IV 2 Online Maintenance and Test I, II, III, IV 3 Wide Range Reactor Coolant Temperature I, II 4 Pressurizer Vapor Temperature IV 5 Wide Range Reactor Coolant Pressure III, IV 6 Delta-T / Tavg (DTTA) I, II, III, IV 7 Steam Generator (S/G) Narrow Range Level I, II, III, IV 8 Steamline Break Protection I, II, III, IV 9 Steamflow I, II 10 Pressurizer Level I, II, III 11 Turbine Impulse Chamber Pressure I, II 12 Alarms I, II, III, IV
The test design specification associated with all software features and combination of software features to be tested during the Software Verification testing is specified in the Software Verification Test Specification (SVTS), 993754-1-869.
- 5. Features not tested The following features are not planned to be tested during the Software Verification testing:
TSAP security features (covered during verification testing of the TriStation 1131- refer to PMP, 993754-1-905, Section 6.1.3 [Reference 2.4.4.4
]) Signal interaction between MWS and V10 Tricon TSAP (covered in System Validation Test) Gate Enable function (covered in System Validation Test)
Test case traceability (covered in the PTM, 993754-1-804 review activity - refer to SVTS, 993754-1-869 )
Document: 993754-1-868 Title: Software Verification Test Plan Revision: 1 Page: 16 of 34 Date: 0 4/0 3/2014 6. Test Approach In general, the Software Verification Test (SVT) approach is based on the Software Design Entities identified in the SDD, 993754-11-810 [Reference 2.4.4.12]. The SDD has identified Software Design Entities that are equivalent to the program modules (Components) for the major Software Functions (listed as Software Features in Table 1) within the PPS Tricon TSAP. For the purpose of the software verification testing, the custom function blocks are treated as Design entities, and will be also verified as specified in the SVTS, 993754-1-869.
The PPS verification test process is planned in accordance with PPM 7.01 "Software Verification" [Reference 2.4.4.3]. The Software Verification testing will be performed using four workstations/laptops, each dedicated to the verification of the TSAP for a given Protection Set. All test set-up instructions are included in the test procedures. All four laptop s have identical configurations as shown in Table 2 below.
Document: 993754-1-868 Title: Software Verification Test Plan Revision: 1 Page: 17 of 34 Date: 0 4/0 3/2014
Document: 993754-1-868 Title: Software Verification Test Plan Revision: 1 Page: 18 of 34 Date: 0 4/0 3/2014 6.1. Software Component Test Approach The Software Component testing is based on the Design Entities identified in the SDD. Software Component testing of the TSAP will verify the implementation of the Software Components identified and described in the SDD under the PPS Custom Function Blocks.
Table 3 below lists the 25 Software Components (PPS Custom Function Blocks and Functions) identified in the SDD, along with their associated Software Features.
Document: 993754-1-868 Title: Software Verification Test Plan Revision: 1 Page: 19 of 34 Date: 0 4/0 3/2014
Document: 993754-1-868 Title: Software Verification Test Plan Revision: 1 Page: 20 of 34 Date: 0 4/0 3/2014
Document: 993754-1-868 Title: Software Verification Test Plan Revision: 1 Page: 21 of 34 Date: 0 4/0 3/2014
Document: 993754-1-868 Title: Software Verification Test Plan Revision: 1 Page: 22 of 34 Date: 0 4/0 3/2014 6.2. S oftware Integration Test Approach The Software Integration testing approach is based on the Design Entities identified in the SDD. Software Integration testing is conducted on the TSAP to verify the incremental pieces of the TSAP in which software components (e.g., PPS Custom Function Blocks) or design entities (e.g., protective function, alarm, online maintenance and test) have been integrated.
All Software Features identified in Table 1 will be tested during Software Integration test by incremental integration of selected TSAP software components in Table 3. Table 4 below list s
Document: 993754-1-868 Title: Software Verification Test Plan Revision: 1 Page: 23 of 34 Date: 0 4/0 3/2014 the number of software components and feature combinations that will be performed during Software Integration test. These are not shown in sequential order of testing.
Document: 993754-1-868 Title: Software Verification Test Plan Revision: 1 Page: 24 of 34 Date: 0 4/0 3/2014
Document: 993754-1-868 Title: Software Verification Test Plan Revision: 1 Page: 25 of 34 Date: 0 4/0 3/2014 7. Item Acceptance Criteria and Pass/Fail Criteria Each Test Item in Section 3 has passed the Verification Test when it has satisfied all test acceptance criteria for the specified Verification Test Procedure and Cases during Software Component Testing and Software Integration Testing.
The test acceptance criteria for verification testing can be qualitative (e.g., on/off, open/close), and/or quantitative (i.e., numerical calculation), depending on the type of test. For the quantitative acceptance criteria, the expected minimum/maximum values (e.g., range, tolerance) will be specified for each such test. For the qualitative acceptance criteria, the expected state (e.g., on/off, open/close) will be specified for each such test.
The pass/fail criteria along with any expected accuracy (applicable to the quantitative Pass/Fail criteria) for each test will be specified in the Software Verification Test Procedure and Cases , 993754-1-870.
- 8. Suspension Criteria and Resumption Requirements With regard to the Test Items, System Integration Deficiency Reports (SIDRs) will be used to document non-conforming items and to identify appropriate corrective actions. The criteria used to suspend all or a portion of the testing activity on the Test Items associated with this plan and the testing activities that must be repeated when testing is resumed shall follow the anomaly reporting process in accordance with the SCMP [Reference 2.4.4.7 ]
Document: 993754-1-868 Title: Software Verification Test Plan Revision: 1 Page: 26 of 34 Date: 0 4/0 3/2014 9. Test Deliverables The project deliverables, including test deliverables, are specified in the PMP [Reference 2.4.4.4]. Appendix A, "PPS Replacement Project Documents List
," in the PMP lists the set of documents that Invensys Operations Management intends to deliver to PG&E for the PPS Replacement Project , separated into Phase 1 and Phase 2. The management and control of customer document deliverables are in accordance with the "Project Document & Data Control" procedure portion of the PPM [Reference 2.4.4.1]. 10. Test Tasks The IV&V effort shall perform the V&V tasks related to the Software Component testing and Software Integration testing listed in IEEE Std.1012-1998 [Reference 2.4.1.2], as appropriate for nuclear safety- related Software Integrity Level 4 described in SVVP, section 4.3 [Reference 2.4.4.6], which includes the following tasks:
- 1) Software Verification (Component /Integration) Test Plan Generation and Verification (one for all four Protection Sets). 2) Software Verification Test Design Generation and Verification (one for all four Protection Set TSAP). 3) Software Verification Test Procedure/Case Generation and Verification (one for each Protection Set TSAP). 4) Traceability Analysis (one for each Protection Set TSAP). 5) Software Component (Software Verification) Test Execution and Verification (independently for all four Protection Set TSAPs). 6) Software Integration (Software Verification) Test Execution and Verification (independently for all four Protection Set TSAPs). 7) Software Component (Software Verification) Test Reports (one for each Protection Set TSAP). 8) Software Integration (Software Verification) Test Reports (one for each Protection Set TSAP). 11. Environmental needs Invensys Operations Management utilizes several layers of defense to ensure protection of sensitive customer information and equipment. The overall level of security that must be provided for the different environments, including "Physical Access Controls", "Network Access Controls", and "Project Controls and Application Security" are described as part of the "Project Security Requirements" in the PMP, 993754-1-905 [Reference 2.4.4.4]. The list of test tools needed is identified in the SVVP, 993754-1-802 [Reference 2.4.4.
6]. Refer to RG1.152 Conformance Report, 993754-1-913 [Reference 2.4.4.14] for supplemental information on conformance to requirements for secure development environment.
Document: 993754-1-868 Title: Software Verification Test Plan Revision: 1 Page: 27 of 34 Date: 0 4/0 3/2014 12. Responsibilities Invensys Operations Management has assigned a core group of engineers and support staff to the PPS Replacement Project. The groups responsible for the PPS Replacement Project management, design, preparation, execution, witnessing, checking, resolving related issues, providing the test items and the environmental needs are identified in the PMP [Reference
2.4.4.4]. The "V&V Organization" and "V&V Responsibilities" are also described in the SVVP [Reference 2.4.4.6
]. 13. Staffing and training needs The test staffing needs and the training options for providing necessary skills are identified in the SVVP [Reference 2.4.4.6
]. 14. Schedule The Software Verification Test schedule , the time estimates required to do each major testing task and the following milestones related to the Software Verification test effort are specified in the PPS Project Schedule, 993754-1-059 [Reference 2.4.4.13]: 1) Verification test plan; 2) Verification test specification; 3) Verification test cases and test procedures; 4) Verification test cases execution and test report. 15. Risks and Contingencies The PPS Project related major risk factors have been identified and contingency plans for each identified risk factor have been specified in the PMP [Reference 2.4.4.4
].
In particular, any delay in delivery of the identified Test Item(s) in Section 3 may require additional resources to meet the delivery schedule.
- 16. Approvals This Test Plan must be approved by the Nuclear IV&V Manager.
Document: 993754-1-868 Title: Software Verification Test Plan Revision: 1 Page: 28 of 34 Date: 0 4/0 3/2014 17. Appendices Appendix 1 - Project Overview The Pacific Gas & Electric (PG&E) Diablo Canyon Power Plant (DCPP) Process Protection System (PPS) Replacement Project upgrades the existing Westinghouse Eagle 21 safety system. The scope of the equipment replacement is shown in the red box in Figure A-1, below. The red box represents the Process Protection racks that contain the safety
-related equipment.
The PPS monitors plant parameters, compares them against setpoints and provides signals to the Solid State Protection System (SSPS) if setpoints are exceeded. The SSPS evaluates the signals and performs Reactor Trip System (RTS) and Engineered Safety Feature Actuation System (ESFAS) functions to mitigate the event that is in progress. The SSPS, RTS, and ESFAS functions are not within the scope of the PPS Replacement Project. Figure A-1. Westinghouse PWR Protection Scheme The PPS comprises four Protection Sets in sixteen racks. Redundant process channels are separated by locating the electronics in different Protection Sets.
Document: 993754-1-868 Title: Software Verification Test Plan Revision: 1 Page: 29 of 34 Date: 0 4/0 3/2014 As shown in Figure A-2, the replacement Protection Sets (I thru IV) each comprise the V10 Tricon, the Westinghouse Advanced Logic System (ALS) platform, the Maintenance Workstation, and various interface devices, such as the NetOptics Network Aggregator Tap and instrument loop isolators. The ALS is not within Invensys Operations Management scope of supply. However, the ALS converts sensor inputs to a signal type compatible with the V10 Tricon hardware. Specifically, the ALS processes resistance temperature detector (RTD) inputs and converts them to 4-20 milliamp signals. This conversion is necessary to satisfy Diablo Canyon Power Plant loop accuracy requirements. See the Functional Requirements Specification [Reference 2.4.3.3] for additional information.
The V10 Tricon portion of the PPS Replacement System comprises three V10 Tricon chassis per Protection Set: one safety
-related Main Chassis, one safety-related Remote Expansion Chassis (RXM), and one nonsafety-related RXM chassis
- see FigureA-2. The Network Aggregator Tap, which is intended as an isolation device between the Tricon and the nonsafety plant network, is provided by PG&E to Invensys Operations Management for factory acceptance testing (FAT). The media converter, between the Tricon Main Chassis and the Network Aggregator Tap, will be provided by Invensys Operations Management and is necessary to convert the fiberoptic medium at the output of the Tricon Communication Module (TCM) to copper medium at the input of the Network Aggregator Tap.
The Maintenance Workstation is a nonsafety device developed separately from the PPS Replacement Project under a separate PG&E Purchase Order, budget, and staff. Development of the Maintenance Workstation is handled under a different project plan and by a separate project team. The functions required in each V10 Tricon Protection Set are listed in Table A-1 below. See the Functional Requirements Specification for additional details on the protection functions and their design bases. As can be seen in Table A-1, the PPS Protection Sets do not have the same channel safety functions. This difference among Protection Sets influences the PPS Replacement Project approach to hardware and software development, and independent verification and validation. The Functional Requirements Specification has additional detail on the hardware configuration of the PPS.
Document: 993754-1-868 Title: Software Verification Test Plan Revision: 1 Page: 30 of 34 Date: 0 4/0 3/2014 Gateway Switch (Typ of 2)
From Prot Set II Port Aggregator Tap (Typ of 2)
From Prot Set IV Port Aggregator Tap (Typ of 2)
From Prot Set III Port AggregatorTap (Typ of 2)100BaseT (Copper)(Typ of 2)
Prot Set I ALS Legend: Multi-Mode Optical Fiber RS-422/RS-485 Serial or 100BaseT Copper
4-20 mA Analog Copper
Maintenance Workstation
Network Interface Controller To Control Room HMI (CC4)Prot Set I MWS HMI Peripherals Prot Set I ALS MWS Computer MWS NIC Analog/USB Copper Prot Set I Port Aggregator Tap (Typ of 2) 1 4-20 mA Analog RTD Signals TCM1 (7L)TCM2 (7R)NET1 (Not Used)
Prot Set I Tricon Class II Class I Prot Set 1 Primary RXM Triplicated RS-485 I/O Bus (Copper)Prot Set 1 Remote RXM Triplicated Optical Fiber Class I Class II A B Media Converter (Typ of 2) 100BaseT (Copper)(Typ of 2)
Class II Class I Optical Fiber TCM1 (7L)/TCM2 (7R)
NET2 (Typ of 2)(Typ for ALS "A" and ALS "B")
KVM Switch Prot Set I Tricon MWS Computer 1 2 Ethernet Switch (Typ of 2)
NIC 1 (Typ of 2)
To Gateway Server Figure A-2. Tricon Protection Set Architecture for the PPS Replacement System
Document: 993754-1-868 Title: Software Verification Test Plan Revision: 1 Page: 31 of 34 Date: 0 4/0 3/2014 The four Protection Sets have different hardware and software requirements. The Main processor boards (installed in the Main Chassis) in each Protection Set execute the TriStation 1131 application code (the PT2 file), therefore the PPS requires four application programs (four PT2 files). The application programs are developed as nuclear safety-related Software Integrity Level 4 (SIL4) software per IEEE Std. 1012-1998 [Reference 2.4.1.2
]. Because of the differences between the Protection Sets, two sets of design documents are developed for the nuclear safety
-related software.
Table A-1. V10 Tricon PPS Protection Set Channel Safety Functions Channel(s)
Purpose Protection Set Function I II III IV Wide Range Reactor Coolant Temperature Channels Input to Low Temperature Overpressure Protection System (LTOPS)
Provides protection against over
-pressurization at low plant temperature X X Wide Range Reactor Coolant Pressure Channels Input to LTOPS Provides protection against over
-pressurization at low plant temperature X X Input to Residual Heat Removal (RHR) valve interlock circuit Provides protection against improper operation of RHR isolation valves X X Delta-T / Tavg (DTTA) Channels Overtemperature Delta
-T (OTDT) Reactor Trip Provides DNB protection X X X X Overpower Delta
-T (OPDT) Reactor Trip Provides protection against excessive power (fuel rod rating protection)
X X X X Low-Low Tavg P-12 Blocks steam dump to prevent undesired cooldown X X X X Low Tavg Feedwater Isolation Prevents excessive cooling after trip to maintain shutdown margin X X X X Pressurizer Level Channels Pressurizer High Water Level Reactor Trip Provides backup protection to the Pressurizer High Pressure Reactor Trip, and Prevents the pressurizer from becoming water solid during low-worth and
-power rod withdrawal accidents X X X Pressurizer Vapor Temperature Channel
Document: 993754-1-868 Title: Software Verification Test Plan Revision: 1 Page: 32 of 34 Date: 0 4/0 3/2014 Table A-1. V10 Tricon PPS Protection Set Channel Safety Functions Channel(s)
Purpose Protection Set Function I II III IV Pressurizer Vapor Space Temperature Low RHR valve V
-8701 interlock circuit input X Steam Generator Steam Flow Channel Steam Flow Indication Provide safety
-related outputs for post
-accident monitoring (S/G 1 thru 4) X X Steamline Break Protection Channels Steamline Pressure Low SI and Steamline Isolation Initiate the automatic starting of boron injection and decay heat removal systems and Provide protection against steamline break accidents X X X X Steamline Pressure High Negative Rate Steamline Isolation Provide protection in the case of a steamline break when Pressurizer Pressure is less than the P-11 setpoint and Low Steamline Pressure SI is blocked X X X X Steam Generator Narrow Range Level Channels Steam Generator (S/G) High
-High Level Turbine Trip and Feedwater Isolation (P-14, S/G High Level Permissive)
Provides protection against S/G overfill and damage to the main steamlines or main turbine X X X X S/G Low-Low Level Reactor Trip and Auxiliary Feedwater (AFW) Pump Start Protects the reactor from loss of heat sink in the event of loss of feedwater to one or more S/Gs or a major feedwater line rupture X X X X Turbine Impulse Chamber Pressure (TICP) Channels Turbine Impulse Chamber Pressure High to P-13 Interlock Provide an input to P-7 indicative of low turbine power when less than the setpoint P-7 permissive disables selected Reactor Trip signals at low power levels X X Turbine Impulse Chamber Pressure Low Interlock C-5 Blocks control rod withdrawal The purpose of the C-5 interlock is to prevent automatic outward rod motion when power is less than the design limit for the Rod Control System X The following documents are developed for the four Protection Sets:
Document: 993754-1-868 Title: Software Verification Test Plan Revision: 1 Page: 33 of 34 Date: 0 4/0 3/2014 1) Hardware Requirements Specification
- 2) Software Requirements Specification
- 3) Software Design Description
- 4) Application Program (PT2 file)
A single Project Traceability Matrix (PTM), 993754-1-804, is maintained, but is formatted to facilitate requirements traceability for each Protection Set.
The SIL4 application code (i.e., PT2 file) that is executed on the Main processor boards of the safety-related Tricon Main Chassis is developed as safety-related software using approved processes and procedures that adhere to current regulatory requirements.
Additional information is provided in the PMP [Reference 2.4.4.4], SRS [References 2.4.4.8] and SDD [Reference 2.4.4.
12].
Document: 993754-1-868 Title: Software Verification Test Plan Revision: 1 Page: 34 of 34 Date: 0 4/0 3/2014 Appendix 2 - SVTP Mapping to PPM 6.0 and IEEE Std. 829-1983 PPM 6.0 Section 4.3.1 IEEE Std 829-19 83 Sections SVTP Sections Cover Page 3.2.1 Test plan identifier
1.0 PURPOSE
AND SCOPE
1.1 PURPOSE
1.2 SCOPE 3.2.2 Introduction
- 2. Introduction
2.1 Purpose
2.2 Background
2.3 Scope
2.0 REFERENCE DOCUMENTS
3.2.2 Introduction
2.4 Reference
Documents
3.0 DEFINITIONS
3.2.2 Introduction
2.5 Definitions
and Acronyms 4.0 TEST OVERVIEW
4.1 ORGANIZATION
3.2.11 Environmental needs 3.2.13 Staffing and training needs
- 11. Environmental needs
- 13. Staffing and training needs
4.2 SCHEDULE
3.2.14 Schedule 14. Schedule
4.3 RESOURCES
3.2.6 Approach
3.2.13 Staffing and training needs
- 6. Test Approach
- 13. Staffing and training needs
4.4 RESPONSIBILITIES
3.2.12 Responsibilities
- 12. Responsibilities 4.5 TOOLS, TECHNIQUES, AND METHODOLOGIES
3.2.6 Approach
- 6. Test Approach 5.0 TEST REQUIREMENTS 3.2.3 Test items 3.2.4 Features to be tested
3.2.5 Features
not to be tested 3.2.15 Risks and contingencies
- 3. Test Items
- 4. Features tested
- 5. Features not tested
- 15. Risk and Contingencies 6.0 TEST IMPLEMENTATION
3.2.6 Approach
3.2.10 Testing tasks 3.2.14 Schedule 6. Test Approach
6.1 Software
Component Test Approach
6.2 Software
Integration Test Approach
- 10. Test Tasks
- 11. Schedule
7.0 ACCEPTANCE
CRITERIA 3.2.7 Item pass/fail criteria
3.2.8 Suspension
criteria and resumption requirements
- 7. Item Acceptance and pass/Fail Criteria 8. Suspension Criteria and Resumption Requirements 8.0 TEST IMPLEMENTATION AND DOCUMENTATION 3.2.9 Test deliverables
- 9. Test Deliverables Cover Page 3.2.16 Approvals 16. Approvals