Invensys Operations Management, Triconex
Project: PG&E PROCESS PROTECTION SYSTEM REPLACEMENT
Purchase Order No.: 3500897372
Project Sales Order: 993754

PACIFIC GAS & ELECTRIC COMPANY
NUCLEAR SAFETY-RELATED PROCESS PROTECTION SYSTEM REPLACEMENT
DIABLO CANYON POWER PLANT

SOFTWARE QUALITY ASSURANCE PLAN (SQAP)

Document No. 993754-1-801 (-NP)
Revision 0
August 17, 2011

Non-Proprietary copy per 10 CFR 2.390. Areas of Invensys Operations Management proprietary information, marked as [P], have been redacted based on 10 CFR 2.390(a)(4).

Name, Signature, Title
Author: S. Dwire, Project QA Engineer
Reviewer: H. Nguyen, IV&V Engineer
Approvals: J. Larson, Director, Nuclear QA; R. Shaffer, Project Manager



Document: 993754-1-801   Title: Software Quality Assurance Plan   Revision: 0   Page: 2 of 21   Date: 08/17/11

Document Change History

Revision   Date       Change          Author
0          08/17/11   Initial Issue   S. Dwire


TABLE OF CONTENTS

List of Tables ... 5

1. PURPOSE AND SCOPE ... 6
1.1. Purpose ... 6
1.2. Scope ... 6
1.2.1 Embedded Software ... 6
1.2.2 Software Tools ... 7

2. REFERENCES ... 7
2.1. Reference Documents ... 7
2.2. Reference Work Process ... 8
2.2.1 TSAP Work Process ... 8
2.2.2 V&V Work Process ... 9

3. SOFTWARE MANAGEMENT ... 9
3.1. Software Team Organization ... 9
3.2. Software Tasks ... 9
3.3. Project Responsibilities Table ... 10
3.4. Software Development ... 10

4. DOCUMENTATION ... 10
4.1. Minimum Documentation Requirements ... 10
4.1.1 Software Requirements Specification (SRS) ... 11
4.1.2 Software Design Description (SDD) ... 11
4.1.3 Software Verification and Validation Plan (SVVP) ... 11
4.1.4 Software Verification and Validation Reports ... 11
4.1.5 User Documentation ... 11
4.1.6 Software Configuration Management Plan (SCMP) ... 12
4.1.7 Project Management Plan (PMP) ... 12
4.1.8 Test Plans ... 12
4.1.9 Test Specifications ... 12
4.1.10 Project Traceability Matrix (PTM) ... 12

5. STANDARDS, PRACTICES, CONVENTIONS, AND METRICS ... 12
5.1. Content Table ... 12
5.2. Metrics ... 13
5.2.1 Process Metrics ... 13
5.2.2 Product Metrics ... 14
5.2.3 Quality Metrics ... 14

6. REVIEWS AND AUDITS ... 14
6.1. Minimum Requirements ... 14
6.1.1 Software Requirements Evaluation (SRE) ... 14
6.1.2 Preliminary Design Review (PDR) ... 14
6.1.3 Critical Design Review (CDR) ... 15
6.1.4 Software Verification and Validation Plan Review (SVVP Review) ... 15
6.1.5 Functional Audits ... 15
6.1.6 Physical Audit ... 15
6.1.7 Managerial Reviews ... 16
6.1.8 Software Configuration Management Plan Review (SCMP Review) ... 16
6.1.9 Post Mortem Review ... 16
6.2. IEEE 1012-1998 SIL4 Required Reviews ... 16
6.2.1 Code Review ... 16
6.2.2 V&V Test Plan Verifications ... 16
6.2.3 V&V Test Specification Verifications ... 16
6.2.4 V&V Test Case Verifications ... 16
6.2.5 V&V Test Procedure Verifications ... 16
6.2.6 V&V Test Report Verifications ... 17
6.2.7 Safety Analysis ... 17
6.2.8 Traceability Analysis ... 17
6.2.9 Baseline Change Assessment ... 17
6.3. Reliability and Availability Analysis ... 17

7. TEST ... 17

8. PROBLEM REPORTING AND CORRECTIVE ACTION ... 18

9. TOOLS, TECHNIQUES, AND METHODOLOGIES ... 18

10. CODE CONTROL ... 19

11. MEDIA CONTROL ... 20

12. SUPPLIER CONTROL ... 20

13. RECORDS COLLECTION, MAINTENANCE AND RETENTION ... 20

14. TRAINING ... 20

15. RISK MANAGEMENT ... 21

List of Tables

Table 1. Content Table ... 13


1. PURPOSE AND SCOPE

1.1. Purpose

This Software Quality Assurance Plan (SQAP) defines the activities to be followed in the design, development, review, and testing for the Pacific Gas and Electric Company's Plant Protection System Upgrade Phase 1 in accordance with Purchase Order #3500897372 [Reference 2.1.1], Master Service Agreement #4600018177 [Reference 2.1.2] and Invensys Operations Management Proposal # TPC061009291 [Reference 2.1.3]. Additional scope added to this document for all phases of the upgrade project assumes contract award of sequential phases.

This SQAP is written using the guidance of IEEE 730.1-1995 [Reference 2.1.14], Branch Technical Position 7-14 [Reference 2.1.23] and NUREG/CR-6101 [Reference 2.1.32].

1.2. Scope

There are four types of software involved in this project:
1) TriStation Application Program (TSAP) Software
2) Embedded Software (i.e., operating system software, communication software, and firmware)
3) Software Development Tools
4) Software Verification and Validation (V&V) Tools

The activities outlined in this SQAP apply specifically to the design, development, implementation and testing of the TSAP. Subsections 1.2.1 and 1.2.2 of this plan describe the required controls for embedded software, software development tools and software V&V tools.

The TSAP is the highest-level program organization unit within a project; it is an assembly of functions and function blocks that provide the logic for the commands executed by the Tricon.

Embedded software is present on various Tricon System modules; this software is used for internal diagnostics or other innate functions of the Tricon System. Refer to section 1.2.1 for the scope of embedded software for this project.

Invensys shall perform TSAP development and V&V activities as Safety-Related (Class 1E). Class 1E is as defined in IEEE 603-1991 [Reference 2.1.12].

Cross-references to other documents that contain IEEE 730-1998 required information are provided as permitted in Section 3 of IEEE 730-1998. Cross-references may refer to documents provided to PG&E, or to documents maintained internally at Invensys. In the latter case, the documents shall be made available to PG&E during technical and QA audits.

1.2.1 Embedded Software

The TRICON System's embedded software is under configuration control by Invensys; its development is outside the scope of this project. Once a TRICON device(s) is received, the device's software configuration information (software version, revision, and maintenance number) from the supplied Certificate of Conformance will be entered into configuration management. The TRICON System and TRICON operating system have been qualified for use in safety-related systems and are listed on Invensys-Triconex Document No. 9100150-001, Tricon V10 Nuclear Qualified Equipment List (Tricon V10 NQEL) [Reference 2.1.27]. The current processes and procedures for their development were audited by the NRC, and were shown to comply with 10 CFR Part 50, Appendix B [Reference 2.1.5], and 10 CFR Part 21 [Reference 2.1.4].

1.2.2 Software Tools

The TriStation 1131 Developers Workbench (TS 1131) is used to develop, configure, test, debug, and document the TSAP. The TS 1131 software and associated libraries were qualified for use in safety-related applications by Invensys. The TS 1131 is under developmental control by Invensys and is outside the scope of this project. The TS 1131 (and other software development tools if used) will have its software configuration information placed into configuration management in accordance with the project Software Configuration Management Plan, 993754-1-909. Section 9 of this plan describes requirements for the use of software development tools.

The TS 1131 Emulator and the Emulator Test Driver may be used to component test the TSAP structured text code and/or custom function block diagrams. All software V&V tools used in the project will be placed into configuration management in accordance with the project Software Configuration Management Plan, 993754-1-909. Section 9 of this plan describes requirements for the use of software verification tools.

2. REFERENCES

2.1. Reference Documents

2.1.1. PG&E Purchase Order # 3500897372

2.1.2. Master Service Agreement # 4600018177

2.1.3. Invensys Proposal PPS Upgrade # TPC061009291 dated September 27, 2010

2.1.4. 10 CFR Part 21, Reporting of Defects and Nonconformance

2.1.5. 10 CFR Part 50 Appendix B, Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants

2.1.6. US NRC RG 1.168, Verification, Validation, Reviews, and Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants

2.1.7. US NRC RG 1.169, Configuration Management Plans for Digital Computer Software Used in Safety Systems of Nuclear Power Plants

2.1.8. US NRC RG 1.170, Software Test Documentation for Digital Computer Software Used in Safety Systems of Nuclear Power Plants

2.1.9. US NRC RG 1.172, Software Requirements Specifications for Digital Computer Software Used in Safety Systems of Nuclear Power Plants

2.1.10. ASME NQA-1-1994 Subpart 2.7, Quality Assurance Requirements for Computer Software for Nuclear Facility Applications (ASME NQA-1a-1995 addenda)

2.1.11. IEEE 577-2004, IEEE Standard for Reliability Analysis

2.1.12. IEEE 603-1991, Criteria for Safety Systems for Nuclear Power Generating Stations

2.1.13. IEEE 730-1998, Standard for Software Quality Assurance Plans

2.1.14. IEEE 730.1-1995, Guide for Software Quality Assurance Planning

2.1.15. IEEE 828-1998, Standard for Software Configuration Management Plans

2.1.16. IEEE 829-1998, Standard for Software Test Documentation

2.1.17. IEEE 830-1998, Guide to Software Requirements Specifications

2.1.18. IEEE 1008-1987, Standard for Software Unit Testing

2.1.19. IEEE 1012-1998, Standard for Software Verification and Validation

2.1.20. IEEE 1016-1998, Recommended Practice for Software Design Descriptions

2.1.21. IEEE 1028-1997, Standard for Software Reviews

2.1.22. IEEE 1042-1987, Guide to Software Configuration Management

2.1.23. Branch Technical Position 7-14, Guidance on Software Reviews for Digital Computer-Based Instrumentation and Control Systems, Revision 5, U.S. Nuclear Regulatory Commission, dated March 2007

2.1.24. Invensys, Nuclear Quality Assurance Manual (IOM-Q2)

2.1.25. Invensys-Triconex, Nuclear System Integration Program Manual (NSIPM)

2.1.26. Invensys-Triconex, Quality Project Manual (QPM)

2.1.27. Invensys-Triconex Document No. 9100150-001, Tricon V10 Nuclear Qualified Equipment List (Tricon V10 NQEL)

2.1.28. NRC Digital Instrumentation and Controls Interim Staff Guidance 06, DI&C-ISG-06, Revision 1 (ISG 06)

2.1.29. IEEE 7-4.3.2-2003, Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations

2.1.30. Invensys-Triconex Document No. 9720068-001, TriStation 1131 Developers Workbench, Getting Started Manual

2.1.31. Invensys-Triconex, Project Procedures Manual (PPM)

2.1.32. NUREG/CR-6101, Software Reliability and Safety in Nuclear Reactor Protection Systems, U.S. Nuclear Regulatory Commission, dated June 11, 1993

2.2. Reference Work Process

2.2.1 TSAP Work Process

The TSAP work process is a set of efforts that transform design information/design requirements into software that performs specific control, human interface, and communications functions within a control system. The inputs to this process are design information (e.g. Documents, Logic Diagrams, and a Functional Requirements Specification, etc.), and relevant regulatory requirements and guidance.

Application engineers will develop application programs to enable a TRICON to manipulate process information using the TS 1131 software development tool and the PPS Replacement Project Coding Guidelines document, 993754-1-907, for guidance. Application development normally involves configuring Function Block Diagrams (FBD) and Ladder Diagrams (LD), but may also involve the development of source code using Structured Text (ST). FBD and LD programming languages are graphical, with standard software items interconnected and configured with attributes defined by the engineer. ST is a general purpose, high-level programming language, specifically developed for process control applications. ST is particularly useful for complex arithmetic calculations and event-based sequential (procedural) logic implementations, and can be used to implement complicated procedures that are not easily expressed in FBD or LD. ST allows the creation of Boolean and arithmetic expressions as well as structured programming constructs such as conditional statements. The Structured Text editor allows the direct development of programs and functions by writing code.

2.2.2 V&V Work Process

The V&V activities for the TSAP are a combination of documentation reviews, code review, and testing. Tasks required shall be specified in the Software Verification and Validation Plan (SVVP), 993754-1-802, following the guidance contained in IEEE 1012 [Reference 2.1.19] Safety Integrity Level (SIL) 4 requirements.

3. SOFTWARE MANAGEMENT

3.1. Software Team Organization

A project team shall be established, based on the resources needed to deliver the completed system in accordance with the contract. The project team's organizational structure shall be outlined in the Project Management Plan (PMP), 993754-1-905.

Any conflicts between organizations that cannot be resolved at the lowest level shall be increasingly escalated through the organization in accordance with the PMP.

3.2. Software Tasks

Invensys tasks and their relationships to planned major checkpoints are defined in the Project Schedule. The processes, reviews, and tests to be followed are outlined in the Invensys Nuclear System Integration Program Manual (NSIPM) [Reference 2.1.25] as implemented by the Project Procedures Manual (PPM) [Reference 2.1.31].

The quality assurance processes to be applied to each task are described in this SQAP, the Project Quality Plan (PQP), 993754-1-900, IOM-Q2 [Reference 2.1.24], and in the applicable procedures of the Invensys-Triconex Quality Procedures Manual (QPM) [Reference 2.1.26].


Tasks covered by this SQAP are:
1) 10 CFR Part 21 [Reference 2.1.4] Training
2) Project Indoctrination Training
3) Reviews and audits of the project activities to verify compliance with project plans and procedures, compliance with customer contract and specifications, and compliance with 10 CFR Part 50, Appendix B [Reference 2.1.5] and 10 CFR Part 21.
4) Inspections, tests, and reviews as required by the Software Verification and Validation Plan (SVVP), 993754-1-802

Project tasks and their relationships are defined in the PQP and PMP. For Application Program Software, the following life cycle phases are applicable to this Project:
1) Requirements
2) Design
3) Implementation
4) Test (Validation)

The quality assurance (QA) requirements applicable to these life cycle phases are described in this SQAP, the SVVP and applicable procedures of the Invensys-Triconex QPM [Reference 2.1.26], and NSIPM [Reference 2.1.25] as implemented by the PPM.

3.3. Project Responsibilities Table

Refer to the Project Management Plan (PMP), 993754-1-905, for a detailed explanation of project personnel responsibilities.

3.4. Software Development

The Software Designer shall develop the TriStation Application Project (TSAP) using TriStation 1131 software in accordance with the requirements of the NSIPM [Reference 2.1.25] as implemented by the PPM.

TSAP code will be developed specifically for the PG&E PPS Replacement Project and this program code is subject to full verification and validation (V&V). The TSAP will not utilize previously developed, verified and validated program code from any other projects. Project V&V activities shall be documented in the final V&V report. See SVVP, 993754-1-802.

4. DOCUMENTATION

4.1. Minimum Documentation Requirements

The PE shall ensure reviews of supplied design input documents are performed, to ensure the documents are complete and adequate as specified in the NSIPM [Reference 2.1.25] as implemented by the PPM. Section 6 of this document describes the review of project-generated documentation.

Changes to approved documents shall be controlled in accordance with the NSIPM as implemented by the PPM.


The following is a list of the minimum documentation required for the project.

4.1.1 Software Requirements Specification (SRS)

Using the provided and reviewed design inputs, Invensys shall develop a SRS draft and submit it to the customer for review and approval. The SRS shall be structured to capture all customer software functional requirements. The SRS shall describe each software function and each shall be defined such that its achievement can be verified during the V&V process. Each software safety-critical function shall be clearly identified. The requirements of the SRS are defined in the NSIPM as implemented by the PPM. The SRS shall be prepared using the guidance provided in RG 1.172 [Reference 2.1.8] and IEEE 830-1998 [Reference 2.1.17].

4.1.2 Software Design Description (SDD)

Based on the customer provided design inputs and the approved SRS, Invensys shall develop a SDD draft and submit it to the customer for review and approval. The SDD shall be structured to satisfy the requirements of the SRS. The SDD shall describe the components and subcomponents of the software design, including databases and internal interfaces. The requirements of the SDD are defined in the NSIPM [Reference 2.1.25] as implemented by the PPM. The SDD shall be prepared using the guidance provided in IEEE 1016-1998 [Reference 2.1.20].

4.1.3 Software Verification and Validation Plan (SVVP)

The Verification and Validation (V&V) Manager or designee shall prepare a Software V&V Plan in accordance with the NSIPM as implemented by the PPM. The SVVP, 993754-1-802, identifies the methods, tools and criteria used to determine the quality of items listed under this SQAP. The requirements for the preparation, review, approval and control of the SVVP are established in the NSIPM. The V&V Plan shall be prepared using the guidance provided in RG 1.168, Rev. 1 [Reference 2.1.6], IEEE 1028-1997 [Reference 2.1.21], IEEE 829-1998 [Reference 2.1.16] and IEEE 1012-1998 [Reference 2.1.19].

The SVVP shall also describe the requirements for a Validation Test Plan, 993754-1-813, and a Software Verification Test Plan, 993754-1-868.

4.1.4 Software Verification and Validation Reports

The SVVP shall outline the required IEEE 1012-1998 V&V Reports. The V&V Activity Summary Reports for each life cycle phase shall be developed and issued as required by the SVVP.

4.1.5 User Documentation

Invensys should supply standard installation, operation, programming, and maintenance documentation for the system. Invensys standard user documentation will specify the required data and control inputs, input sequences, options, program limitations and other activities or items necessary for the use of the software. Error messages will be identified and corrective actions described, and a method provided for communicating problems to the correct technical support organization. Installation instructions and operating and maintenance manuals shall be provided to the extent defined in customer specifications.

4.1.6 Software Configuration Management Plan (SCMP)

A Software Configuration Management Plan shall be prepared using the guidance provided inIEEE 828-1998 [Reference 2.1.15] and IEEE 1042-1987 [Reference 2.1.22]. The SCMP is ameans through which the integrity and traceability of software are recorded, communicated, andcontrolled. The SCMP shall require configuration management and control activities to beperformed in accordance with the NSIPM [Reference 2.1.25] as implemented by the PPM.

4.1.7 Project Management Plan (PMP)

A PMP, 993754-1-905, shall be prepared as specified in the Project Procedures Manual (PPM)[Reference 2.1.31 ], using guidance from BTP 7-14 [Reference 2.1.23] and NUREG/CR-6101[Reference 2.1.28].

4.1.8 Test Plans

V&V Test Plans shall be created as specified in IEEE 1012-1998 [Reference 2.1.19]. The TestPlans prescribe the scope, approach, resources and schedule of V&V testing activities for theapplicable software listed under the SQAP. The requirements for the preparation, review,approval, and control of the Test Plans are established in the NSIPM [Reference 2.1.25] asimplemented by the PPM. The Test Plans will also be prepared using the guidance provided inthe PQP (99354-1-900), PPM, Test Specifications and SVVP, 993754-1-802.

4.1.9 Test Specifications

The Test Specifications identify the scope, approach and acceptance criteria of software V&V testing for the applicable software listed under this SQAP. The Test Specifications will also be prepared, reviewed, approved, and controlled using the guidance provided in the PQP, SVVP, and ISG 06 [Reference 2.1.28].

4.1.10 Project Traceability Matrix (PTM)

Traceability of all activities and documents is critical to the success of the Project. Traceability will be sufficient to trace design inputs to design outputs and to trace outputs back to inputs. The requirements for the preparation, review, approval and control of the PTM are defined in the PMP, 993754-1-905, and SVVP, 993754-1-802.

5. STANDARDS, PRACTICES, CONVENTIONS, AND METRICS

This section identifies the standards, practices, conventions and metrics to be used, and quality requirements applied to the project.

5.1. Content Table

Table 1, below, identifies the standards and guidelines documents for the PPS Replacement Project.


5.2. Metrics

The following metrics shall be analyzed, at a minimum, to identify common features and potential changes in procedure or process needed to prevent recurrence:


6. REVIEWS AND AUDITS

This section specifies the minimum reviews and audits required during the project.

6.1. Minimum Requirements

The SVVP shall define the V&V review and audit activities for the project, and shall identify the tasks required, tools that will be used, the acceptance criteria, and the required documentation for each task. Subsection 4.1.3 of this plan describes the content of the SVVP, 993754-1-802.

Independent Reviewers shall perform technical reviews of software as required by IEEE 1012-1998 [Reference 2.1.19], Annex C, and "Classical V&V".

Technical reviews/audits will be performed in accordance with the PPM [Reference 2.1.31]. These technical reviews/audits will be performed during the work on those software items identified in the SRS. Reviews and audits by QA/IRE/V&V shall be performed in accordance with the SVVP, PQP, and as directed by the Invensys Triconex QA Manager. Management reviews and audits will be performed per the applicable audit plans and schedules, which are controlled in accordance with the NSIPM [Reference 2.1.25] as implemented by the PPM, to ensure that all required tasks have been completed and appropriately documented.

Scheduling of reviews and audits will be conducted in accordance with the Project Schedule. Quality Assurance activities are required to be on the Project Schedule, where applicable.


6.2. IEEE 1012-1998 SIL4 Required Reviews

6.2.1 Code Review

Nuclear Project Delivery personnel shall conduct a code versus design input documentation review during in-process TSAP development. The required documentation shall be specified in the SVVP, 993754-1-802, and implemented via the Software Development Plan, 993754-1-910.

6.2.2 V&V Test Plan Verifications

An IRE shall perform a Test Plan Verification using a Design Review Checklist (DRC), with guidance from IEEE 1012-1998, to ensure the V&V Test Plan is compliant. The required documentation shall be specified in the SVVP.

6.2.3 V&V Test Specification Verifications

An IRE shall perform a Test Design Verification using a DRC, with guidance from IEEE 1012-1998, to ensure the V&V Test Specifications are compliant. The required documentation shall be specified in the SVVP.

6.2.4 V&V Test Case Verifications

An IRE shall perform Test Case Verification using guidance from IEEE 1012-1998 [Reference 2.1.19]. The required documentation shall be specified in the SVVP.

6.2.5 V&V Test Procedure Verifications

An IRE shall perform Test Procedure Verification using a DRC and guidance from IEEE 1012-1998 to ensure compliance. The required documentation shall be specified in the SVVP.


6.2.6 V&V Test Report Verifications

An IRE shall perform V&V Test Report Verifications using the guidance provided in the NSIPM, as implemented by the PPM, to ensure the V&V Test Reports are compliant. The required documentation shall be specified in the SVVP.

6.2.7 Safety Analysis

Four separate analyses required by IEEE 1012-1998 [Reference 2.1.19] shall be combined into this single document: Criticality, Risk, Hazard and Interface Analyses. An IRE shall perform these analyses using IEEE 1012-1998 [Reference 2.1.19] and NSIPM [Reference 2.1.25], as implemented by the PPM, as guidance during the Requirements, Design, Implementation and Test Phases. The required documentation shall be specified in the SVVP, 993754-1-802.

6.2.8 Traceability Analysis

An IRE shall perform a Traceability Analysis using a Project Traceability Matrix (PTM) during the Requirements, Design, Implementation and Test Phases. An updated PTM shall document the review.

6.2.9 Baseline Change Assessment

A Baseline Change Assessment as required by IEEE 1012-1998 [Reference 2.1.19] shall be performed by an IRE during the Planning, Design, Implementation, and Test Phases. The required documentation shall be specified in the SVVP.

6.3. Reliability and Availability Analysis

A Reliability and Availability Analysis as required by IEEE 577-2004 [Reference 2.1.11] shall be performed using the concepts and methods of the Markov Process.
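Section 6.3 only names the Markov approach. The following added example (not part of the SQAP or of any Invensys deliverable) shows the kind of steady-state availability calculation it refers to, for a hypothetical 1-out-of-2 redundant protection channel pair with constructed failure, repair and common-cause rates; the state numbering, the rates and the function names are all assumptions made here.

```python
# Added example (not from the SQAP): continuous-time Markov availability model
# for a hypothetical 1oo2 protection channel pair. All rates are constructed.
from fractions import Fraction
from typing import List

Matrix = List[List[Fraction]]


def rate(num: int, den: int) -> Fraction:
    """Exact per-hour rate, e.g. rate(1, 10000) = one failure per 10,000 h."""
    return Fraction(num, den)


def steady_state(Q: Matrix) -> List[Fraction]:
    """Solve pi * Q = 0 with sum(pi) = 1 exactly (Gauss-Jordan on Q^T).
    The rows of Q^T are linearly dependent (each row of Q sums to zero),
    so one equation is replaced by the normalisation constraint."""
    n = len(Q)
    A = [[Q[j][i] for j in range(n)] for i in range(n)]  # transpose of Q
    b = [Fraction(0)] * n
    A[-1] = [Fraction(1)] * n
    b[-1] = Fraction(1)
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(A[r][col]))  # partial pivot
        A[col], A[piv] = A[piv], A[col]
        b[col], b[piv] = b[piv], b[col]
        for r in range(n):
            if r != col and A[r][col] != 0:
                f = A[r][col] / A[col][col]
                A[r] = [x - f * y for x, y in zip(A[r], A[col])]
                b[r] -= f * b[col]
    return [b[i] / A[i][i] for i in range(n)]


def generator_1oo2(lam: Fraction, mu: Fraction,
                   lam_cc: Fraction = Fraction(0)) -> Matrix:
    """States: 0 = both channels up, 1 = one channel failed, 2 = both failed.
    lam: per-channel failure rate; mu: repair rate (one channel at a time);
    lam_cc: common-cause failure rate taking the pair straight to state 2."""
    return [
        [-(2 * lam + lam_cc), 2 * lam, lam_cc],
        [mu, -(mu + lam), lam],
        [Fraction(0), mu, -mu],
    ]


def availability_1oo2(lam: Fraction, mu: Fraction,
                      lam_cc: Fraction = Fraction(0)) -> Fraction:
    """Protective function is available while at least one channel is up."""
    pi = steady_state(generator_1oo2(lam, mu, lam_cc))
    return pi[0] + pi[1]


def availability_single(lam: Fraction, mu: Fraction) -> Fraction:
    """Two-state model; equals the closed form mu / (lam + mu)."""
    return steady_state([[-lam, lam], [mu, -mu]])[0]


if __name__ == "__main__":
    lam, mu = rate(1, 10000), rate(1, 24)  # constructed: failure and repair per hour
    print("single channel     :", float(availability_single(lam, mu)))
    print("1oo2, no CCF       :", float(availability_1oo2(lam, mu)))
    print("1oo2, 10% CCF share:", float(availability_1oo2(lam, mu, lam / 10)))
```

Comparing the three printed values shows why the analysis must include common-cause failures: redundancy alone overstates availability when a single cause can defeat both channels.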

7. TEST

The following tests shall be performed on the TSAP:
1) Component
2) Integration
3) System
4) Acceptance

Component Testing shall be performed on TS 1131 structured text programs and/or custom function block diagrams using guidance from IEEE 1012-1998 [Reference 2.1.19]. IEEE 1008-1987 [Reference 2.1.18] was evaluated for use in the project and it was determined that IEEE 1012-1998 is more restrictive; therefore, there is no benefit in performing software unit testing in accordance with IEEE 1008-1987.

Component testing coverage shall include all functional and performance requirements pertaining to the test item, and shall be validated by test case. Internal structure coverage shall be validated by test case to include invalid inputs, full scope of valid inputs, and defined outputs.


The SVVP, 993754-1-802, shall define all the V&V test activities, specify the V&V tools to use, the required acceptance criteria, and the documentation required for each task. The Test Plan and Test Specification will detail the scope, approach, resources, schedule and acceptance criteria required for Software Verification and Validation testing activities.

V&V of embedded software in hardware devices is outside the scope of the project team, but proper operation of the hardware devices is ensured during Integration and System testing. Integration and Acceptance testing shall be performed with all applicable 3rd party hardware installed.

Embedded software will primarily be present in the Tricon modules; dedication of approval of this firmware is discussed in the V10 Tricon Topical Report. The firmware is part of the NRC Safety Evaluation of the V10 Tricon Platform. 3rd party hardware that has firmware present will be either supplied by the customer or dedicated through an approved process or manufacturer.

The PQAE shall monitor testing activities to assure that tests are conducted using approved test procedures and tools, and that test anomalies and/or non-conformances are identified, documented, addressed, and tracked to closure. QA personnel shall review post-test execution related artifacts, including test reports, test results, nonconformance reports, and updated traceability matrices, to ensure the required documentation is prepared adequately.

Testing shall be performed and documented as specified in the NSIPM [Reference 2.1.25] and PPM [Reference 2.1.31].

8. PROBLEM REPORTING AND CORRECTIVE ACTION

Software problems (anomalies) identified during the design, implementation, and test phases shall be documented and resolved in accordance with the NSIPM as implemented by the PPM. When unexpected test conditions and/or deviations from procedural requirements are identified, the problem(s) are also documented and dispositioned on an Action Request Report (ARR).

All project personnel are responsible for reporting problems when and where they are found.

9. TOOLS, TECHNIQUES, AND METHODOLOGIES

The TriStation 1131 Developer's Workbench software tools will be used in this project. Invensys has validated the TS 1131 and associated libraries. In the V9 SER, the NRC staff recognized that TriStation 1131 is a non-safety-related tool used to develop software intended for safety-related applications. Knowing this, the staff found that the TriStation 1131 is acceptable to produce software that is intended for safety-related use in nuclear power plants. The approval is contingent on proper testing of the operational software. The staff also stated in the V9 SER that test plans, procedures, and results are to be reviewed on a plant-specific basis. The Invensys Operations Management PPMs that were developed under an approved Appendix B program provide traceability to the SER through a rigorous and well-defined software life cycle. The PPS Replacement Project documents (project plans, design specifications, procedures, and results) will be developed and maintained in accordance with the PPMs.

The V&V Manager shall identify, in the SVVP, 993754-1-802, any additional tools, techniques and methodologies needed to V&V software developed for the project. The V&V Manager shall ensure that all software tools used are verified/validated using IEEE 1012-1998 SIL-4 criteria, to demonstrate the capability of the software tool to produce valid results.

The Lake Forest facilities shall be used in the development and testing of the software. Further details about the facilities' features and physical security can be found in the Project Management Plan, 993754-1-905.

The V&V Manager shall place all software tools used in configuration management as specified in the SCMP.

10. CODE CONTROL

Software development is an activity in progress until the TriStation Application Project (TSAP) code is considered fully functional and ready for verification. No rigorous procedural configuration controls are applied until that point.

Configuration controls are designed into the process from inception throughout the software life cycles.

The Invensys TriStation 1131 Developer's Workbench tool creates a TSAP file that is under password and revision level control. The TS 1131 tool increments the revision level each time an activity is compiled and adds an associated comments field. This information is retained in the project file. Access to the TSAP file is password protected and only the TS 1131 tool can be used to modify the software.

When the TSAP is ready for V&V, the code will be placed under the software configuration management process described in the NSIPM [Reference 2.1.25] and SCMP, 993754-1-909. This will occur near the end of the implementation phase and continue until the software is prepared for turnover to the customer. Turnover is controlled in accordance with customer requirements.


Physical control of code is described in the NSIPM as implemented by the PPM.

11. MEDIA CONTROL

The software designer will keep the PM/PE informed of the TriStation Application Project (TSAP) location, TSAP filename and associated password(s) as required by the SCMP, 993754-1-909.

The original code, or a copy thereof, will be maintained on a server accessible to management. Backup provisions will be provided in accordance with local protocols. Alternatively, a copy may be retained on CD-ROM at a location known to the PM/PE, as long as the fundamental requirement of having a backup copy retrievable by management is maintained. If control of the program code is transferred, for testing or otherwise, then it must be maintained independently and be retrievable by Project Management. Any server used for storage of original code will have access control protocols and permissions enabled.

After the software code has been validated and subsequently approved by the customer, it will be backed up onto a CD-ROM and labeled with the program (project) name and revision level, or otherwise controlled in accordance with customer requirements.

12. SUPPLIER CONTROL

Sub-suppliers and Subcontractors used in the project shall be managed in accordance with the NSIPM [Reference 2.1.25] and the QPM [Reference 2.1.26].

Processing and controlling purchase requisitions and purchase orders, the bidding and awarding of supplier contracts, and revisions to procurement documents for material and services, shall be performed in accordance with the NSIPM as implemented by the PPM. Applicable customer-specified regulatory and contract requirements shall be passed down to sub-suppliers and subcontractors in accordance with the NSIPM.

13. RECORDS COLLECTION, MAINTENANCE AND RETENTION

All Project records will be collected, stored, maintained and retained in accordance with the NSIPM as implemented by the PPM.

14. TRAINING

Project personnel shall be trained and qualified in accordance with the Project Management Plan, 993754-1-905, and NSIPM as implemented by the PPM. Training will be provided to customer personnel as per their requirements.


15. RISK MANAGEMENT

Risks are managed in accordance with the Project Risk Management Plan, 993754-1-908, as highlighted in the PMP, 993754-1-905. The Risk Management Plan shall include all technical and project risks.

The PM and PE will evaluate all identified risks and determine the methods to be used in eliminating and/or mitigating their consequences.