Invensys Operations Management
Triconex

Project: PG&E PROCESS PROTECTION SYSTEM REPLACEMENT
Purchase Order No.: 3500897372
Project Sales Order: 993754

PACIFIC GAS & ELECTRIC COMPANY
NUCLEAR SAFETY-RELATED PROCESS PROTECTION SYSTEM REPLACEMENT
DIABLO CANYON POWER PLANT

SOFTWARE SAFETY PLAN (SSP)

Document No. 993754-1-911 (-NP)
Revision 1
October 13, 2011

Non-Proprietary copy per 10CFR2.390 - Areas of Invensys Operations Management proprietary information, marked as [P], have been redacted based on 10CFR2.390(a)(4).

Name / Signature / Title
Author: Hoan Nguyen, IV&V Engineer
Reviewer: Son Phan, IV&V Engineer
Approval: Kevin Vu, IV&V Manager

Document: 993754-1-911 | Title: Software Safety Plan | Revision: 1 | Page: 2 of 47 | Date: 10/13/11

Document Change History

Revision  Date      Change                                             Author
0         08/17/11  Initial Release                                    Hoan Nguyen
1         10/13/11  Organization chart was removed from Section 3.1    Hoan Nguyen


Table of Contents

LIST OF TABLES .... 4
LIST OF FIGURES .... 5
1. PURPOSE .... 6
1.1 Scope .... 7
2. DEFINITIONS, ACRONYMS, ABBREVIATIONS, AND REFERENCES .... 10
2.1 Abbreviations and Acronyms .... 10
2.2 Definitions .... 11
2.3 References .... 12
3. SOFTWARE SAFETY MANAGEMENT .... 14
3.1 Organization and Responsibilities .... 14
3.2 Resources .... 16
3.3 Staff Qualifications and Training .... 19
3.4 Software Life Cycle .... 21
3.5 Documentation Requirements .... 25
3.6 Software Safety Program Records .... 28
3.7 Software Configuration Management Activities .... 31
3.8 Software Quality Assurance Activities .... 33
3.9 Software Verification and Validation Activities .... 33
3.10 Tool Support and Approval .... 34
3.11 Previously Developed or Purchased Software .... 36
3.12 Subcontract Management .... 37
3.13 Process Certification .... 37
4. SOFTWARE SAFETY ANALYSES .... 40
4.1 Software Safety Analyses Preparation .... 40
4.2 Software Safety Requirements Analysis .... 40
4.3 Software Safety Design Analysis .... 41
4.4 Code Safety Analysis .... 42
4.5 Software Safety Test Analysis .... 43
4.6 Software Safety Change Analysis .... 43
5. POST DEVELOPMENT .... 46
5.1 Training .... 46
5.2 Deployment .... 46
5.3 Monitoring .... 46
5.4 Maintenance .... 46
5.5 Retirement and Notification .... 46
6. PLAN APPROVAL .... 47


List of Tables

Table 1. Organizational Responsibilities and Relationships .... 14
Table 2. Documentation Requirements & Deviations .... 25
Table 3. Software Safety Metrics .... 30
Table 4. Software Configuration Management Activities .... 31
Table 5. Project Tool Summary .... 34
Table 6. Process Certification Methods .... 37

List of Figures

Figure 1. Software Safety Scope .... 8


1. Purpose

This Software Safety Plan (SSP or Plan) addresses software safety concerns during the development of application software for the four Protection Sets of the Diablo Canyon Power Plant (DCPP) Process Protection System (PPS). The SSP addresses the process and activities intended to improve software safety throughout the PPS software development lifecycle.

The software safety plan for the Diablo Canyon PPS Replacement is written based on the guidance provided by ISG-6, IEEE Std 1228-1994 and NUREG/CR-6101.

Role of software in the PPS and its impact on the operation of the system:

1) The PPS consists of four Protection Sets, each set comprising an Invensys Tricon portion, a Westinghouse ALS portion, and a Maintenance Workstation. The Invensys Tricon portion includes three V10 Tricon chassis (one safety-related Main Chassis, one safety-related Remote Expansion (RXM) Chassis, and one nonsafety-related RXM chassis). The Tricon V10 Protection Set application software is rated Software Integrity Level (SIL) 4, per IEEE Standard 1012 Annex B.

The replacement PPS application software is assigned Software Integrity Level (SIL) 4 [IEEE 1012-1998 Reference 3.1.4] because it is directly associated with nuclear-safety-related Reactor Trip and Engineered Safety Features functions [Reference 2.3.1.2].

2) In normal plant operation, the Invensys Tricon portion of each Protection Set performs the following fundamental functions:

a. Acquiring input data from instrumentation sensors monitoring the status of Diablo Canyon nuclear power plant variables such as temperature, pressure, and level.

b. Comparing the plant variables against setpoints.

c. Sending trip signals to the plant protection system if operating limits are exceeded, and other output to the recorder, alarm and indication system.

The Tricon Protection Set application program, known as the TSAP, performs the above safety functions. The TSAP is programmed by the ND engineer to manage the Tricon hardware configuration for each chassis and to control Tricon behavior. The application software (TSAP) is the focal point of the Software Safety Plan because it has a SIL-4 rating and plays a critical role in Tricon operations.

The following safety goals were extracted from PG&E Design Inputs and applicable regulatory guidance, including IEEE 1228, BTP 7-14, and NUREG/CR-6430. The safety goals are expected to be achieved by adherence to the plan:

1) Software failures will not compromise or degrade the nuclear reactor protection system.

2) Software provides a reliable and accurate trip signal.

3) Software responds promptly to a change in a process parameter.

4) Software processes the sensor data as intended and sends output data as expected to recorders, indicators, and plant computers for display or alarming purposes.


5) Application software-related hazards will be mitigated or their risks will be reduced to an acceptable level.

The acceptable risks and safety objectives are:

1) A software-caused failure in a single instrument channel will not adversely affect the output of the redundant instrument channels.

2) Run-time errors in the Maintenance Workstation (MWS) or the plant computer in the Control Room will not affect the safety function of the Tricon application software.

3) The software will be able to handle bad input due to signal calibration error or sensor/transmitter failures.

4) Diversity in the software test design (i.e., a unique test specification for each Protection Set TSAP) for the redundant application software safety functions will be utilized to provide an additional barrier against common-cause application software defects.

5) Run-time errors in calculation functions (diagnostics such as divide-by-zero) shall be alarmed to operators, and the erroneous value shall not be used in subsequent functions.

6) Failures in the MWS associated with a Protection Set may degrade another non-safety part of the same Protection Set, but the safety function of the Tricon application software is not affected (e.g., a loss-of-view failure will not prevent a safety trip).
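The objectives above, as an added illustration that is not part of the Plan or of the project's TSAP: a toy Python model of one channel's acquire / compare-against-setpoint / trip path, showing objectives 1, 3 and 5 (a bad input is flagged at acquisition, a divide-by-zero is alarmed and its result withheld from later functions, and channels are evaluated independently so one failed channel cannot alter the others' outputs). The signal names, instrument spans, setpoint, tripped-on-invalid behaviour and 2-of-4 voting are all constructed assumptions, not values from the Plan.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Sample:
    """One acquired input carrying a quality flag (objective 3: a reading from a
    miscalibrated or failed transmitter is marked bad instead of being trusted)."""
    value: float
    good: bool


@dataclass
class ChannelResult:
    trip: bool
    alarms: List[str] = field(default_factory=list)
    derived: Optional[float] = None   # None means "no valid value was produced"


def acquire(raw: float, lo: float, hi: float) -> Sample:
    # Constructed range check standing in for signal validation: a value outside
    # the instrument's assumed calibrated span [lo, hi] is flagged as bad quality.
    return Sample(raw, lo <= raw <= hi)


def derive_ratio(num: Sample, den: Sample, alarms: List[str]) -> Optional[float]:
    """Objective 5: a run-time calculation error (divide-by-zero here) raises an
    alarm and yields no value, so no later function can consume a wrong number."""
    if not (num.good and den.good):
        alarms.append("INPUT_QUALITY_BAD")
        return None
    try:
        return num.value / den.value
    except ZeroDivisionError:
        alarms.append("CALC_DIVIDE_BY_ZERO")
        return None


def evaluate_channel(flow_raw: float, pressure_raw: float, setpoint: float) -> ChannelResult:
    """Acquire -> derive -> compare against setpoint -> trip decision for one channel."""
    alarms: List[str] = []
    flow = acquire(flow_raw, 0.0, 1000.0)         # constructed span for a flow signal
    pressure = acquire(pressure_raw, 0.0, 200.0)  # constructed span for a pressure signal
    ratio = derive_ratio(flow, pressure, alarms)
    if ratio is None:
        # Assumption: a channel with no valid value takes the conservative (tripped)
        # state rather than passing a stale or erroneous number downstream.
        return ChannelResult(trip=True, alarms=alarms, derived=None)
    return ChannelResult(trip=ratio > setpoint, alarms=alarms, derived=ratio)


def vote_two_of_four(results: List[ChannelResult]) -> bool:
    """Objective 1: each channel is evaluated in isolation and the coincidence
    logic sees only per-channel decisions, so a failure in one channel cannot
    change another channel's output. 2-of-4 voting is an assumed scheme."""
    return sum(1 for r in results if r.trip) >= 2
```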

1.1 Scope

The scope of this Software Safety Plan is limited to addressing the safety concerns of the Invensys-developed software portion of the PPS Replacement. The SIL-4 application software (TSAP) running on the Invensys Tricon hardware will be assessed in the context of its associated hardware, environment, and internal and external interfaces. See Figure 1 below for the scope of the Plan.

However, there are exceptions to the scope of the Plan:

1) The software safety concerns regarding the application software (TSAP) apply to the project development and testing phase. The project post-development safety concerns (e.g., PPS Protection Set(s) installation, maintenance, operations support, and retirement) are beyond the scope of this Plan. This limitation is stipulated by the contractual arrangement with PG&E as specified in the Purchase Order [Reference 2.3.1.1]. Software safety concerns during installation, maintenance, operation, and retirement are out of the scope of this Plan; it is the licensee's responsibility to develop the SSP for those phases.

2) The Tricon firmware plays a vital role in Tricon operations and ultimately affects the performance and functionality of the PPS Replacement. However, the Tricon firmware is not within the scope of this project because the qualification and safety aspects of the V10 Tricon platform are addressed in the V10 Tricon Topical Report, 7286-545-1, as part of the NRC safety evaluation.


3) With regard to the Secure Development & Operating Environment (SDOE), NTX-SER-10-14 [Reference 2.3.2.13] and 993754-1-913, RG 1.152 Conformance Report [Reference 2.3.2.7], explain Invensys Operations Management compliance with RG 1.152. The former covers the V10 Tricon safety evaluation, the latter the PPS Replacement Project specifically.

The safety aspects of the following software and firmware are excluded from the scope of this Plan, though they are internal units of each Protection Set:

1) Westinghouse Advanced Logic System (ALS) hardware.

2) Maintenance Workstation.

The ALS and the Maintenance Workstation interface with the Tricon within the Protection Set. Safety concerns during the Installation, Operations, Maintenance, and Retirement phases of the system life cycle are the responsibility of the Licensee, PG&E.

[Figure 1. Software Safety Scope: one typical Protection Set, distinguishing the Invensys-developed firmware from the Invensys-developed software that is in the scope of the Software Safety Plan]

Concerning application software verification, the IV&V activities described in the SVVP may overlap with certain activities in the SSP, but their purposes differ.

Purpose of the SSP activities:

• Identify and document hazards which could be introduced in the Tricon V10 Protection Set software during the development life cycle.

• Recommend and track hazard reduction efforts.

Purpose of the SVVP activities:

• Verify that the customer-specified Tricon V10 Protection Set application requirements (Section 2.3.1) are correctly satisfied.

• Validate that the Tricon V10 Protection Set application functions work as specified by the customer (Section 2.3.1).


2. Definitions, Acronyms, Abbreviations, and References

Definitions used in the Software Safety Plan shall be consistent with IEEE Std 610.12-1990 [Reference 2.3.4.11].

2.1 Abbreviations and Acronyms

ALS Advanced Logic System

BTP Branch Technical Position

CFR Code of Federal Regulations

DCPP Diablo Canyon Power Plant

DI&C Digital Instrumentation And Controls

EPRI Electric Power Research Institute

ETD Emulator Test Driver

FAT Factory Acceptance Test

IEC International Electrotechnical Commission

IEEE Institute of Electrical and Electronics Engineers

ISG Interim Staff Guidance

IV&V Independent Verification and Validation

MAS Main Annunciator System

MCR Main Control Room

ND Nuclear Delivery

NRC US Nuclear Regulatory Commission

NSIPM Nuclear System Integration Program Manual

NQA Nuclear Quality Assurance

NQEL Nuclear Qualified Equipment List

NUREG US Nuclear Regulatory Commission Regulation

QA Quality Assurance

QPM Quality Procedures Manual

PAN Product Alert Notice

PDF Portable Document Format

PG&E Pacific Gas & Electric Company

PI Project Instruction

PLC Programmable Logic Controllers

PM Project Manager

PPM Project Procedures Manual

PPS Process Protection System


PQAE Project Quality Assurance Engineer

PQAM Project Quality Assurance Manager

SDC Software Development Checklist

SDD Software Design Description

SDOE Secure Development & Operating Environment

SIL Software Integrity Level

SRS Software Requirements Specification

SSO Software Safety Officer

SSPS Solid State Protection System

TSAP TriStation Application Program

TS 1131 TriStation 1131

2.2 Definitions

Accident: An unplanned event or series of events that results in death, injury, illness, environmental damage, or damage to or loss of equipment or property.

Previously developed software: Software that has been produced prior to or independent of the project for which the Plan is prepared, including software that is obtained or purchased from outside sources.

Risk: A measure that combines both the likelihood that a system hazard will cause an accident and the severity of that accident.

Safety-critical software: Software that falls into one or more of the following categories:

a) Software whose inadvertent response to stimuli, failure to respond when required, response out-of-sequence, or response in combination with other responses can result in an accident.

b) Software that is intended to mitigate the result of an accident.

c) Software that is intended to recover from the result of an accident.

Software Hazard: A software condition that is a prerequisite to an accident.

Software Safety: Freedom from software hazards.

Software Safety Program: A systematic approach to reducing software risks.

System Hazard: A system condition that is a prerequisite to an accident.

System Safety: Freedom from system hazards.


2.3 References

2.3.1 PG&E Documents

2.3.1.1 PG&E Purchase Order # 3500897372
2.3.1.2 Pacific Gas & Electric Company Diablo Canyon Power Plant Units 1 & 2 Process Protection System Replacement Conceptual Design Document
2.3.1.3 Process Protection System Replacement Interface Requirements Specification
2.3.1.4 08-0015-SP-001, PPS Functional Requirements Specification
2.3.1.5 PG&E Process Protection System Controller Transfer Functions Design Input Specification, 101 15-J-NPG
2.3.1.6 PG&E Process Protection System (PPS) Function Block Diagram (FBD) 08-0015-D Series

2.3.2 Invensys Documents

2.3.2.1 9100150-001, Tricon V10 Nuclear Qualified Equipment List
2.3.2.2 993754-1-801, Software Quality Assurance Plan (SQAP)
2.3.2.3 993754-1-802, Software Verification and Validation Plan (SVVP)
2.3.2.4 993754-1-905, Project Management Plan (PMP)
2.3.2.5 993754-1-907, Software Development Plan Coding Guideline
2.3.2.6 993754-1-909, Software Configuration Management Plan (SCMP)
2.3.2.7 993754-1-913, RG 1.152 Conformance Report
2.3.2.8 993754-1-916, Project Training Plan
2.3.2.9 IOM-Q2, Invensys Operations Management Nuclear Quality Assurance Manual
2.3.2.10 NSIPM, Nuclear System Integration Program Manual, NTX-SER-09-21
2.3.2.11 Quality Procedure Manual (QPM)
2.3.2.12 Project Procedures Manual (PPM)
2.3.2.13 Tricon V10 Conformance to Regulatory Guide 1.152, NTX-SER-10-14
2.3.2.14 Project Instruction 1.0, Application Project Administrative Controls for the PPS Replacement Project
2.3.2.15 Project Instruction 7.0, Application Program Development for the PPS Replacement Project

2.3.3 Industry Documents

2.3.3.1 BTP 7-14, NRC Guidance on Software Reviews for Digital Computer-Based Instrumentation and Control Systems
2.3.3.2 CFR Part 50, Appendix A - General Design Criteria for Nuclear Power Plants
2.3.3.3 CFR Part 50, Appendix B - Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants
2.3.3.4 EPRI Topical Report TR-106439, Guideline on Evaluation and Acceptance of Commercial Grade Digital Equipment for Nuclear Safety Applications
2.3.3.5 DI&C-ISG-1, Digital Instrumentation and Controls, Task Working Group #1: Cyber Security
2.3.3.6 DI&C-ISG-4, Digital Instrumentation and Controls, Task Working Group #4: Highly-Integrated Control Rooms - Communications Issues
2.3.3.7 DI&C-ISG-6, Digital Instrumentation and Controls, Task Working Group #6: Licensing Process
2.3.3.8 NUREG/CR-6101, Software Reliability and Safety in Nuclear Reactor Protection Systems


2.3.3.9 NUREG-0800, Standard Review Plan

2.3.4 NRC Documents

2.3.4.1 IEEE Std 610.12-1990, IEEE Standard Glossary of Software Engineering Terminology
2.3.4.2 IEEE Std 730-1989, IEEE Standard for Software Quality Assurance Plans
2.3.4.3 IEEE Std 828-1990, IEEE Standard for Software Configuration Management Plans
2.3.4.4 IEEE Std 829-1983, IEEE Standard for Software Test Documentation
2.3.4.5 IEEE Std 830-1993, IEEE Guide to Software Requirements Specifications
2.3.4.6 IEEE Std 1012-1998, IEEE Standard for Software Verification and Validation
2.3.4.7 IEEE Std 1016-1987, IEEE Recommended Practice for Software Design Descriptions
2.3.4.8 IEEE Std 1028-1988, IEEE Standard for Software Reviews and Audits
2.3.4.9 IEEE Std 1042-1987, IEEE Guide to Software Configuration Management
2.3.4.10 IEEE Std 1058.1-1987, IEEE Standard for Software Project Management Plans
2.3.4.11 IEEE Std 1074-1991, IEEE Standard for Developing Software Life Cycle Processes
2.3.4.12 IEEE Std 1228-1994, IEEE Standard for Software Safety Plans


3. Software Safety Management

3.1 Organization and Responsibilities

The organizational structure of the Invensys Operations Management PPS Replacement Project team is described below. Because this project is nuclear-safety-related, all software safety concerns are addressed by the project's activities and under the oversight, review and approval of the described organizations. Fundamentally, the organizational structure consists of three organizations:

1) Nuclear Delivery (ND)

2) Nuclear Quality Assurance (NQA)

3) Nuclear Independent Verification and Validation (Nuclear IV&V)

The relationships between organizations having responsibility for tasks impacting software safety and approval authority over software safety program tasks are presented in the table below. See the Project Management Plan, 993754-1-905, for additional discussion of project responsibilities.

Table 1. Organizational Responsibilities and Relationships

Organization                     Task                                                              Authority
Nuclear Delivery                 - Defining Software Functional Requirements                       - IOM Director, Nuclear Delivery
                                 - Designing Application Software                                  - Project Manager
                                 - Implementing Application Software
Nuclear Quality Assurance        - Performing reviews and audits of project activities             - IOM Nuclear Quality Director
                                 - Verifying compliance with project plans and procedures          - Project NQA Manager
                                 - Verifying compliance with customer contract and specifications
Nuclear Independent              - Reviewing Project Documents                                     - IOM Nuclear IV&V Director
Verification and Validation      - Performing Verification & Validation                            - Nuclear IV&V Manager

will act as the Software Safety Officer (SSO) and will be responsible for the overall conduct of the software safety program. Per PI 1.0 [Reference 2.3.2.14], the Invensys Operations Management Nuclear IV&V manager is the most qualified person to handle software safety management. The SSO reports to the Invensys Operations Management Director of Nuclear Independent Verification and Validation (Nuclear IV&V) and is responsible for implementation of the Nuclear IV&V activities conducted at the Invensys Lake Forest Facility. The Nuclear IV&V Manager has the authority and organizational freedom to ensure that V&V activities are managerially, technically, and financially independent of the Nuclear Delivery organization.

The SSO will have the following responsibilities:

1) Obtain and allocate resources to ensure effective implementation of the Software Safety Plan.

2) Coordinate safety task planning with other organizational functions such as the ND group and the NQA group.

3) Participate in audits of software safety plan implementation.

4) Ensure training of safety and other Nuclear IV&V personnel in methods, tools, and techniques used in software safety tasks.

, a Nuclear IV&V engineer, is assigned to carry out software safety activities including the following responsibilities:

1) Prepare the Software Safety Plan.

2) Coordinate the technical issues related to software safety with other functions such as ND Engineers and NQA engineers.

3) Ensure that adequate records are kept to document the conduct of software safety activities.

4) Report to the SSO the progress of software safety activities.

The accomplishment of software safety program activities will be integrated with and performed by both ND Engineers and Nuclear IV&V Engineers in the four phases of the PPS Replacement software development lifecycle (Requirement, Design, Implementation, and Testing).


3.2 Resources

This section specifies how the resources are allocated and monitored for the PPS Replacement safety software implementation.

3.2.1 Schedule

The PPS Replacement Project schedule, 993754-1-059, includes document deliverables to meet the intent of DI&C-ISG-06 deliverables and IEEE Std 1228-1994 documentation requirements. For each document deliverable, a reasonable amount of time is allocated for such tasks as creating the document, reviewing the document, and resolving issues found during reviews. Project status/progress and issues will be monitored in the following ways:

1) Weekly Project Hours Tracking Sheets

2) Project Schedule Weekly Updates

3) Project Phase Summary Reports and Exits Meetings

4) NQA Audits and Surveillance

See the Project Management Plan [Reference 2.3.2.4], 993754-1-905, Section 3.4 (Monitoring and Controlling Mechanism) for details.

3.2.2 Personnel

3.2.3 Standards

Invensys Operations Management conforms to the following international, national and industrystandards for its software safety program:

NRC Staff Review Guidance:
• NUREG-0800, Standard Review Plan, Chapter 7
• Branch Technical Position 7-14, Guidance on Software Reviews for Digital Computer-Based Instrumentation and Control Systems

Regulatory Guides:
• 1.152, Criteria for Use of Computers in Safety Systems of Nuclear Power Plants
• 1.168, Verification, Validation, Reviews and Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants
• 1.169, Configuration Management Plans for Digital Computer Software Used in Safety Systems of Nuclear Power Plants
• 1.170, Software Test Documentation for Digital Computer Software Used in Safety Systems of Nuclear Power Plants
• 1.172, Software Requirements Specifications for Digital Computer Software Used in Safety Systems of Nuclear Power Plants
• 1.173, Developing Software Life Cycle Processes for Digital Computer Software Used in Safety Systems of Nuclear Power Plants
• 1.180, Guidelines for Evaluating Electromagnetic and Radio-Frequency Interference in Safety-Related Instrumentation and Control Systems

Nuclear Regulatory Reports:
• NUREG/CR-6101, Software Reliability and Safety in Nuclear Reactor Protection Systems

IEEE standards:
• 603, IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations
• 7-4.3.2, IEEE Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations
• 730, IEEE Standard for Quality Assurance Plans
• 828, IEEE Standard for Configuration Management Plans
• 829, IEEE Standard for Software Test Documentation
• 830, IEEE Recommended Practice for Software Requirements Specifications
• 1012, IEEE Standard for Software Verification and Validation
• 1016, IEEE Recommended Practice for Software Design Descriptions
• 1028, IEEE Standard for Software Reviews and Audits
• 1058, IEEE Standard for Software Project Management Plans
• 1059, IEEE Guide for Software Verification and Validation Plans
• 1074, IEEE Standard for Developing Software Life Cycle Processes
• 1228, IEEE Standard for Software Safety Plans

Other standards:
• ANSI/ASME NQA-1-1983, Quality Assurance Program Requirements for Nuclear Facilities
• ANSI/ASME NQA-1a-1983 (Addenda), Addenda to ANSI/ASME NQA-1-1983, Quality Assurance Program Requirements for Nuclear Facilities
• ANSI/ASME NQA-1-1994, the basis for the PPM

3.2.4 Company Development Procedures

The Protection Set software safety program implementation also follows the Invensys Operations Management development procedures listed below.


As an approved 10 CFR Part 50 Appendix B supplier, Invensys Operations Management will adhere to the Invensys Nuclear Systems Integration Program Manual (NSIPM) to ensure compliance with NRC requirements regarding safety-related software development. The Invensys Operations Management Quality Procedures Manual (QPM), Project Procedures Manual (PPM), and Manufacturing Department Manual (MDM) are the implementing procedures under the NSIPM. These procedures have been audited numerous times by third parties, including the NRC, and found compliant with a 10 CFR Part 50 Appendix B program as well as the NRC requirements for development of safety-related software.

IOM-Q2: This is the corporate policy manual applicable to nuclear safety-related activities at Invensys Operations Management facilities. The Nuclear Quality Assurance Manual, IOM-Q2 [Reference 2.3.2.9], will govern the quality affecting activities performed by ND personnel at IOM facilities. Nuclear quality affecting activities will be conducted in accordance with the IOM-Q2 and the Project Quality Plan, 993754-1-900.

NTX-SER-09-21: This is the Nuclear System Integration Program Manual. This program manual is the overarching lifecycle document for nuclear system integration projects, and it is currently being reviewed by the NRC as part of the V10 Tricon safety evaluation.

Project Procedures Manual: This manual contains the ND implementing procedures under the NSIPM. The PPM describes the process lifecycle for nuclear safety system integration projects.

Quality Procedures Manual: Defines the quality (implementing) procedures for nuclear safety-related activities. This program manual is not specific to integration projects, but rather for any issue pertinent to nuclear safety-related activities, materials, and systems. NQA is predominantly responsible for the implementation of the QPM procedures.

3.2.5 Equipment Support and Tools


3.3 Staff Qualifications and Training

The PPS Replacement Project requires an ND project team with combined knowledge and experience with the U.S. NRC regulations and processes, software engineering lifecycle management, and technical design and implementation of nuclear safety-related hardware and software. Specific skills and knowledge are required in the following areas:

1) Design and procedural compliance with 10 CFR Part 50 Appendices A and B [Reference 2.3.3.2 and 2.3.3.3].

2) Application of U.S. NRC Regulatory Guides relevant to safety-system software development.

3) Application of relevant U.S. NRC staff guidance related to design of nuclear safety systems, such as BTP 7-14 [Reference 2.3.3.1], DI&C-ISG-01 [Reference 2.3.3.5], DI&C-ISG-04 [Reference 2.3.3.6], and DI&C-ISG-06 [Reference 2.3.3.7].

4) Understanding of staff guidance contained in Chapter 7 of U.S. NRC NUREG-0800 [Reference 2.3.3.9].

5) Application of relevant Institute of Electrical and Electronics Engineers standards (e.g., those endorsed by U.S. NRC Regulatory Guides) to nuclear safety-related system design and implementation.

6) Implementation of the Invensys Operations Management NSIPM and PPM to nuclear safety-related projects.

7) Tricon system hardware design and construction.

8) Tricon application code (PT2 file) development using TriStation 1131.

In addition to the above skill sets for the ND project team, the Nuclear IV&V team requires specific skills and knowledge in the following areas:

1) Application of U.S. NRC Regulatory Guides relevant to independent verification and validation of safety-system software.

2) Application of Institute of Electrical and Electronics Engineers standards (e.g., those endorsed by U.S. NRC Regulatory Guides) relevant to independent verification and validation of software for nuclear safety-related applications.

The ND and Nuclear IV&V teams are collectively knowledgeable of process and protection systems.


In addition to the above skill sets for the Nuclear IV&V team, the NQA Engineer requires specific skills and knowledge in the following areas:

1) Invensys Operations Management PPMs.

2) Invensys Operations Management corporate Nuclear Quality Policy, IOM-Q2.

3) U.S. NRC Appendix B criteria and application of such criteria to nuclear safety-related projects involving hardware and software design.

4) NQA-1 criteria and application of such criteria to nuclear safety-related projects involving hardware and software design.

Project personnel shall be appropriately qualified and trained in accordance with the NSIPM Section 9.0 and PPM 9.0 [Reference 2.3.2.12]. A copy of project personnel qualification and training records will be included in the PPS Replacement Project document file.

Minimum Requirements. At a minimum, PPS Replacement Project team members will have documented training in the following areas. Equivalent training and experience will satisfy the below minimal requirements.


The Project Management Plan, 993754-1-905 [Reference 2.3.2.4], addresses project training requirements in more detail.

3.4 Software Life Cycle

The software development life cycle used for the PPS Replacement project is described in the NSIPM.

Software safety tasks are addressed as an integral part of development life cycle phase activities (Requirements, Design, Implementation, and Testing).


3.5 Documentation Requirements

This section specifies the Invensys-provided software safety documents for the Tricon portion of PPS. The Westinghouse ALS documents are not covered here. The Software Safety Program elects to integrate the safety documentation with other project documents.

The following table addresses the deviations of the Invensys-provided documentation from the IEEE 1228 [Reference 2.3.4.12] documentation requirements for safety-critical software and how the deviations are justified.

Table 2. Documentation Requirements & Deviations

Columns: IEEE 1228 Documentation Requirements | Invensys-Provided Documentation | Intents to Satisfy IEEE 1228 Requirements

a) Software Project Management
   Invensys-provided: a) Project Management Plan, 993754-1-905
   Intent: The Plan documents how the software safety is integrated and managed with other activities with respect to project schedule, resource, budget, risk management, constraints and dependencies. The document is based on the guidance provided by BTP 7-14, NUREG/CR-6101 [Reference 2.3.3.8].

b) Software Configuration Management
   Invensys-provided: b) Software Configuration Management Plan, 993754-1-909
   Intent: The Plan documents the method and mechanism for configuration/access/change control of the critical safety software (e.g. TSAP codes, TS 1131 Developer Workbench). The document is based on the guidance provided by IEEE Std 828-1990 [Reference 2.3.4.3].

c) Software Quality Assurance
   Invensys-provided: c) Software Quality Assurance Plan, 993754-1-801
   Intent: The Plan documents the role of NQA in ensuring process compliance of key software safety activities. The document is based on the guidance provided by IEEE Std 730-1989 [Reference 2.3.4.2].

d) Software Safety Requirements
   Invensys-provided: d) Software Requirements Specifications (SRS), 993754-1n-809 *
   Intent: The SRS specifies the software functional and performance requirements to create the TSAP for the Tricon portion of the Protection Set. The specification of the software requirements is decomposed into four sets based on the hardware configurations of the Tricon portion of the Protection Set. Specifications of safety requirements are integrated in the SRS. The document is based on the guidance provided by IEEE Std 830-1993 [Reference 2.3.4.5].

e) Software Safety Design
   Invensys-provided: e) Software Design Descriptions (SDD), 993754-1n-810 *
   Intent: The SDD describes the detailed design of the TSAP for the Tricon portion of the Protection Set. The detailed design is partitioned into four design sets based on hardware configurations of the Tricon portion of the Protection Set. Each design set defines attributes describing intrinsic design information such as channel safety functions, internal and external interfaces, and dependencies. The safety design elements are integrated in the SDD. The document is based on the guidance provided by IEEE Std 1016-1987 [Reference 2.3.4.7].

f) Software Development Methodology, Standards, Practices, Metrics, and Conventions
   Invensys-provided: f1) Software Development Plan, 993754-1-906; f2) Software Development Plan Coding Guidelines, 993754-1-907
   Intent: The Plan describes or references the Invensys software development methodology, and coding/comment standards to be used in the development of the TSAP for the Tricon portion of the Protection Set. The document is based on the guidance provided by IEEE Std 730-1989. The Coding Guidelines contain guidance for the ND staff regarding TriStation 1131 project configuration, application code layout, tagname convention, and general guidance on programming style. The guidance also discusses proper usage of the PPS-specific function blocks in the V10 Tricon Protection Set application code.

g) Test Documentation
   Invensys-provided: g1) Validation Test Plan, 993754-1-813; g2) Software Verification Test Plan, 993754-1-868; g3) Validation Test Specification, 993754-1-812; g4) Software Verification Test Specification, 993754-1-869; g5) Software Verification Test Procedure/Test Cases, 993754-1n-870-k *; g6) Software Verification Test Cases Execution/Report, 993754-1-853
   Intent: The Validation Test Plan develops the plan for validation testing of the Protection Sets. The Software Verification Test Plan develops the plan for verifying the TSAP codes for the Protection Sets. The Validation Test Specification develops the validation test requirements and acceptance criteria. The Software Verification Test Specification develops the software verification test requirements and acceptance criteria. The Software Verification Test Procedure/Test Cases creates the procedure and test cases for verifying the Protection Set application code against the Software Requirements Specification. The Software Verification Test Cases Execution/Report documents the executions of the software verification test cases and creation of the test results report. It also generates test incident reports and System Integration Deficiency Reports if test anomalies are encountered. These documents are based on the guidelines of PPM 6.0 and 7.0.

h) Software Verification and Validation
   Invensys-provided: h1) Software Verification and Validation Plan, 993754-1-802; h2) Project Traceability Matrix, 993754-1-804
   Intent: The Plan develops the plan for managing the independent verification and validation activities during the PPS Replacement Project. It is based on the guidance provided by IEEE Std 1012-1986 [Reference 2.3.4.6]. The Matrix provides a mechanism to ensure traceability of safety requirements to the design descriptions, implementation, and test cases.

i) Reporting Safety Verification and Validation
   Invensys-provided: i) Final Verification & Validation Report, 993754-1-814
   Intent: The Final V&V Report records the following information:
   - Description of the verification and validation activities, including the software safety-related activities.
   - Summary of the verification and validation results.
   - Summary of all anomalies and their corrective actions.
   - Assessment of the application program's overall quality.
   - Assessment of the overall software safety efforts and effectiveness of the software safety plan.

j) Software User Documentation
   Invensys-provided: j) Tricon V10 User Manual
   Intent: The Tricon V10 User Manual provides significant platform information for the safe PPS installation, use, maintenance, and retirement of the PPS.

k) Results of Software Safety Requirements Analysis
   Invensys-provided: k) Safety Analysis (Requirements Phase), 993754-1-915
   Intent: The analysis identifies potential hazards, and estimates the frequency of occurrence and consequence of hazardous events based on the Software Requirements Specifications.

l) Results of Software Safety Design Analysis
   Invensys-provided: l) Safety Analysis (Design), 993754-1-915
   Intent: The analysis evaluates compliance of the design with the software safety requirements and establishes the relationship between the system hazards and the design elements of the Protection Set software.

m) Results of Software Safety Code Analysis
   Invensys-provided: m) Safety Analysis (Implementation), 993754-1-915
   Intent: The analysis evaluates the compliance of the TSAP codes with the Protection Set software requirements and identifies any new hazards introduced by the codes.

n) Results of Software Safety Test Analysis
   Invensys-provided: n) Safety Analysis (Test Phase), 993754-1-915
   Intent: The analysis determines whether each Protection Set software safety requirement has been satisfactorily addressed by one or more software tests, and makes an assessment of the risk associated with the implementation of the Protection Set software.

o) Results of Software Safety Change Analysis
   Invensys-provided: o) Software Change Analysis
   Intent: The analysis determines the impact of the software changes, and the extent of the regression tests to be performed as a consequence of modifications to the software. It also points out which documents are to be revised to reflect the changes.

Note:
(1) n = 1 ... 4 (to match Protection Set)
(2) k = 1 ... total subprograms in each TSAP

3.6 Software Safety Program Records


The Master Configuration List (MCL) shall be used as the record tracking system to monitor the status of the safety-related documents. The MCL shall categorize and identify each safety-related document/record by its document number, revision, title description and date. The software safety program records to be generated include:

• Phase analyses
• Phase summary and final test reports
• Records of personnel training
• Certification Evidence


3.6.1 Phase Analyses

The Nuclear IV&V engineers are responsible for generating and maintaining the following Phase Analyses:

• Requirements Phase Safety Analysis
• Design Phase Safety Analysis
• Implementation Phase Safety Analysis
• Test Phase Safety Analysis


3.6.2 Test Reports

The Nuclear IV&V engineers are responsible for generating and maintaining the following test reports:

1) Requirement Phase Summary Report

2) Design Phase Summary Report

3) Implementation Phase Summary Report

4) Test Phase Summary Report


5) Final Verification and Validation Report


3.6.3 Records of Training:

The following records will be generated by the PPS Replacement Project team members:

1) Project Personnel Training Reading List (Project Reading materials)

2) Project Personnel Training Reading List (General Reading materials)

3) Classroom Training Certificates if applicable

4) Specialized Training Certificates if applicable

The first two records (Reading List) must be completed by each ND, NQA and Nuclear IV&V engineer and submitted to the Project Manager.


3.8 Software Quality Assurance Activities

The NQA organization ensures that the software safety activities are properly performed in accordance with the approved process specified in the NSIPM. An NQA engineer prepares the software quality assurance plan. It will be reviewed by an ND engineer and a Nuclear IV&V engineer. The document will be approved for issue by the Project Manager.


See the SQAP, 993754-1-801, [Reference 2.3.2.2] for details.

3.9 Software Verification and Validation Activities

The Nuclear IV&V organization's tasks in the Software Safety Plan are to ensure that the Protection Set software safety requirements have been satisfied by the life cycle phases and no additional hazards have been introduced by the work done during the life cycle activities. In order to accomplish its tasks, the Nuclear IV&V engineers perform the phase activities described in the following subsections.


3.10 Tool Support and Approval

This section describes the criteria to be applied in selecting, approving, and controlling tools used in the PPS Replacement project. It also describes how the possibility of inadvertent introduction of software hazards by the project tools will be controlled. Table 5 below provides an overview of tools used in either development or verification/validation of the TSAP for the Protection Sets.

Table 5. Project Tool Summary


3.11 Previously Developed or Purchased Software

This section is not applicable to the Invensys scope of this project because previously developed or purchased software will not be used in the development of the Protection Set software.


3.12 Subcontract Management

This section is not applicable to the Invensys scope of the Diablo Canyon PPS project. Invensys developers of the critical Tricon software for use in the PPS don't employ the services of a subcontractor to modify or develop any piece of software that will be used in safety-critical situations. All critical Tricon operating and application software is developed in-house.

3.13 Process Certification

The PPS Replacement project will be certified per this Software Safety Plan (see Table 6 below) as the project processes, activities, and documents meet the requirements of 10 CFR Part 50 Appendix B and the controls of activities are in accordance with approved PPMs.

NQA is mainly responsible for performing process oversight to ensure that the PPS Replacement software will be produced in accordance with the processes specified in the Software Safety Plan. The process certification involves both the Nuclear IV&V and NQA efforts as follows:

1) Nuclear IV&V's reports certify their own works.

2) NQA's surveillance and internal audits certify V&V procedure compliance.

The following table lists the Nuclear IV&V's and NQA's methods to be used for certifying the processes in the SSP.


4. Software Safety Analyses

As part of the Protection Set software development process, safety analysis shall be performed and documented on each of the principal design documents: requirements specifications, design descriptions, and TSAP application code.

Except for Software Safety Change Analysis, the analyses listed in this section are included in the work packages described in the Project Management Plan, 993754-1-905, as document deliverables. With regard to SDOE, NTX-SER-10-14 and 993754-1-913, RG 1.152 Conformance Report, explain Invensys Operations Management compliance with RG 1.152. The former is for the Tricon V10 safety evaluation, the latter for the PPS Replacement Project specifically.

4.1 Software Safety Analyses Preparation

The following activities will be carried out during the Requirement Phase of the PPS Replacement Project:

1) Create a Preliminary Hazard List to identify all PPS Replacement system-level hazards. The system-level hazards include software hazards, procedural hazards, human-contributed hazards and interface hazards.

2) Conduct a Preliminary Hazards Analysis to identify and evaluate all Protection Set hazards with regard to sequences of actions that could cause risks/hazards to the Diablo Canyon Power Plant safety functions and protective actions to mitigate the consequences.

3) Use the Fault Tree Analysis method in the Preliminary Hazard Analysis process.

4) Identify the Protection Set internal interfaces (between Tricon and ALS/Maintenance Workstation) and Protection Set external interfaces (between Tricon and SSPS/MCR/MAS).
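The Fault Tree Analysis method named in step 3) above, worked through as an added example; this is not part of the SSP and is not Invensys' own analysis method, tooling or hazard data. The tree, the event names (B1 to B5, G1 to G3), their gate structure and every probability are constructed for illustration only. It shows the three things a hazard analyst normally wants from a fault tree: the minimal cut sets (the smallest combinations of basic failures that cause the top event), the single-point failures among them, and the top-event probability, computed exactly by enumerating event states and approximately by the rare-event sum of cut-set probabilities.

```python
"""Fault tree evaluation for a Preliminary Hazard Analysis (added example).

The tree, event names and probabilities below are constructed and
hypothetical; they are not taken from the SSP or any Invensys analysis.
"""
import math
from dataclasses import dataclass
from itertools import product
from typing import Dict, FrozenSet, Set, Tuple, Union


@dataclass(frozen=True)
class BasicEvent:
    """Leaf of the tree: one failure with a per-demand probability."""
    name: str
    prob: float


@dataclass(frozen=True)
class Gate:
    """AND or OR gate combining basic events and/or other gates."""
    name: str
    kind: str                      # "AND" or "OR"
    inputs: Tuple["Node", ...]


Node = Union[BasicEvent, Gate]


def basic_events(node: Node) -> Dict[str, float]:
    """Collect every basic event under a node, keyed by name."""
    if isinstance(node, BasicEvent):
        return {node.name: node.prob}
    events: Dict[str, float] = {}
    for child in node.inputs:
        events.update(basic_events(child))
    return events


def _minimize(sets: Set[FrozenSet[str]]) -> Set[FrozenSet[str]]:
    """Drop any cut set that strictly contains another (not minimal)."""
    return {s for s in sets if not any(o < s for o in sets)}


def cut_sets(node: Node) -> Set[FrozenSet[str]]:
    """Minimal cut sets by Boolean expansion: an OR gate unions its
    children's sets; an AND gate unions one set from each child."""
    if isinstance(node, BasicEvent):
        return {frozenset([node.name])}
    child_sets = [cut_sets(c) for c in node.inputs]
    if node.kind == "OR":
        combined = set().union(*child_sets)
    elif node.kind == "AND":
        combined = {frozenset()}
        for cs in child_sets:
            combined = {a | b for a in combined for b in cs}
    else:
        raise ValueError(f"unknown gate kind {node.kind!r}")
    return _minimize(combined)


def single_point_failures(node: Node) -> Set[str]:
    """Basic events that alone cause the top event (cut sets of size 1)."""
    return {next(iter(cs)) for cs in cut_sets(node) if len(cs) == 1}


def _evaluate(node: Node, state: Dict[str, bool]) -> bool:
    if isinstance(node, BasicEvent):
        return state[node.name]
    values = [_evaluate(c, state) for c in node.inputs]
    return all(values) if node.kind == "AND" else any(values)


def top_event_probability(node: Node) -> float:
    """Exact top-event probability for independent basic events, by
    enumerating every combination of event states (fine for small trees)."""
    events = basic_events(node)
    names = list(events)
    total = 0.0
    for bits in product((False, True), repeat=len(names)):
        state = dict(zip(names, bits))
        if _evaluate(node, state):
            total += math.prod(events[n] if on else 1.0 - events[n]
                               for n, on in state.items())
    return total


def rare_event_approximation(node: Node) -> float:
    """Sum of cut-set probabilities: an upper bound on the exact value
    that is close to it when all probabilities are small."""
    events = basic_events(node)
    return sum(math.prod(events[e] for e in cs) for cs in cut_sets(node))


def build_example_tree() -> Gate:
    """Constructed tree for the hypothetical hazard 'Protection Set fails
    to actuate on a valid demand'. Probabilities are illustrative only."""
    return Gate("TOP: Protection Set fails to actuate on valid demand", "OR", (
        Gate("G1: trip logic does not demand", "AND", (
            BasicEvent("B1", 1e-3),      # channel A sensor input fails
            BasicEvent("B2", 1e-3),      # channel B sensor input fails
        )),
        Gate("G2: trip demand not delivered to SSPS interface", "OR", (
            BasicEvent("B3", 1e-4),      # output module stuck
            Gate("G3: application code defect masks trip", "AND", (
                BasicEvent("B4", 5e-4),  # latent logic defect in TSAP
                BasicEvent("B5", 1e-2),  # verification testing misses it
            )),
        )),
    ))


if __name__ == "__main__":
    tree = build_example_tree()
    print("minimal cut sets:", sorted(sorted(cs) for cs in cut_sets(tree)))
    print("single-point failures:", single_point_failures(tree))
    print(f"P(top) exact:  {top_event_probability(tree):.4e}")
    print(f"P(top) approx: {rare_event_approximation(tree):.4e}")
```

For the constructed tree the minimal cut sets are {B1, B2}, {B3} and {B4, B5}; B3 is the only single-point failure, which is the kind of finding a Preliminary Hazard Analysis would carry forward as a design concern or a requirement for redundancy. The exhaustive evaluation is exponential in the number of basic events, so it serves as a cross-check on the rare-event approximation rather than as a method for large trees.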


5. Post Development

Invensys Operations Management scope of supply is defined in the Project Management Plan, 993754-1-905. In summary, Invensys Operations Management is responsible up to delivery of the PPS Protection Set equipment to the DCPP site. PG&E is responsible for the subsequent system lifecycle phases. However, as an Appendix B supplier of the V10 Tricon PPS Protection Sets, Invensys Operations Management holds 10 CFR Part 21 reporting responsibilities throughout the design life of the equipment.

5.1 Training

This section is beyond the scope of this document.

5.2 Deployment

This section is beyond the scope of this document.

5.2.1 Installation

This section is beyond the scope of this document.

5.2.2 Startup and Transition

This section is beyond the scope of this document.

5.2.3 Operations Support

This section is beyond the scope of this document.

5.3 Monitoring

This section is beyond the scope of this document.

5.4 Maintenance

This section is beyond the scope of this document.

5.5 Retirement and Notification

This section is beyond the scope of this document.


6. Plan Approval

This Plan will be controlled as a Configuration Item in accordance with the NSIPM, Section 10.0, Project Document and Data Control. In accordance with the NSIPM, this Plan will be listed on a master configuration list that will identify the current revision level of the SSP to ensure project personnel are using the approved version. The initial and subsequent releases of the SSP will be reviewed and approved by the Project Manager and the Nuclear IV&V Manager, or designee, prior to use by project personnel. Upon each release of the SSP for project use, the project master configuration list will be updated.

Releases of any version to PG&E will be done in accordance with the NSIPM, Section 10. See Invensys document 993754-1-909, Software Configuration Management Plan, for additional details on the Configuration Management activities during the PPS Replacement Project.