
Page 1: PSNN-2014-0869I US Safety-Related · 2015-09-28 · PSNN-2014-0869I US Safety-Related] [Document No. j FPG-PLN-C51-0002 7 Rev 2 rhe use of the information contained in this document

PSNN-2014-0869I US Safety-Related

Document No. FPG-PLN-C51-0002 Rev 2

The use of the information contained in this document by anyone for any purpose other than that for which it is intended is not authorized. In the event the information is used without authorization from TOSHIBA CORPORATION, TOSHIBA CORPORATION makes no representation or warranty and assumes no liability as to the completeness, accuracy, or usefulness of the information contained in this document.

TOSHIBA CORPORATION NUCLEAR ENERGY SYSTEMS & SERVICES DIV.

TOSHIBA NED verified this Design Document;
Method: Design Verification
Verification Report No.: DVR-1M-20070608-1
Verified by:
Group Name: Monitoring System Engineering Group
Date:

NRW-FPGA-Based PRM System Qualification Project

Document Title: Software Quality Assurance Plan
CUSTOMER NAME: None
PROJECT NAME: NRW-FPGA-Based PRM System Qualification Project
ITEM NAME: PRM Equipment
ITEM NO.: C51
JOB NO.: FPG

TOSHIBA NED verified this Design Report;
Method:
Verification Report No.:
Verified by:
Group Name:
Date:

Prepared Document Filing No.:

TOSHIBA CORPORATION Nuclear Energy Systems & Services Division

1/38


Revision History

Rev. No. | Date | History | Approved by | Reviewed by | Prepared by
0 | June 13, 2005 | The first issue | N.Oda | Y.Goto | T.Miyazaki
1 | July 10, 2005 | Description review | N.Oda | Y.Goto | T.Miyazaki
2 | 2006 | Correct | N.Oda | Y.Goto | T.Miyazaki

TOSHIBA CORPORATION NED 2/38


TOSHIBA Software QA Plan FPG-PLN-C51-0002 Rev. 2

Table of Contents (PAGE)

1 Purpose .... 4
1.1 Background .... 4
1.2 Scope .... 5
1.3 Differentiation between New Software and Legacy Software .... 5
2 Reference Documents .... 7
3 Management .... 8
3.1 Organization .... 8
3.2 Tasks and Responsibilities .... 10
4 Documentation .... 12
4.1 Minimum Documentation Requirements for the PRM Life Cycle .... 12
4.2 Other Documentation .... 15
5 Standards, Practices, Conventions and Metrics .... 18
5.1 Documentation Standards .... 19
5.2 Design Standards .... 19
5.3 Coding Standards .... 19
5.4 Testing Standards .... 19
5.5 Metrics .... 19
6 Software Reviews .... 20
6.1 Equipment Requirements Specification Review .... 20
6.2 Software Requirements Specifications Review .... 21
6.3 Detailed Design Review .... 21
6.4 Verification and Validation Plans Review .... 22
6.5 NICSD Documents Review .... 23
6.6 Configuration Management (CM) Plan Review .... 23
7 Test .... 23
8 Problem Reporting and Corrective Action .... 24
8.1 Problem Reporting and Corrective Action during FPGA and Unit/Module Validation Testing .... 25
8.2 Problem Reporting and Corrective Action other than 8.1 .... 25
9 Tools, Techniques and Methodologies .... 25
10 Configuration Management and Media Control .... 28
10.1 Basis for Preparing a Project Specific CM Plan .... 28
10.2 Project Specific Configuration Management Requirements .... 29
10.3 Project Specific Configuration Management Procedure .... 30
10.4 Media Control .... 31
11 Vendor Control .... 33
12 Records Collection, Maintenance and Retention .... 34
13 Training .... 34
14 Risk Management .... 35
15 Abbreviations .... 35
17 SQAP Maintenance .... 37
Appendix A: Software Integrity Level Determination .... 38


1 Purpose
This Software Quality Assurance Plan (SQAP) describes the requirements and methodology to be followed by NED in developing, acquiring, using, and maintaining software of the Non-Rewritable Field Programmable Gate Array (NRW-FPGA) Based Power Range Monitor (PRM) System, or PRM System.

This SQAP is intended to govern activities that are specifically related to the qualification program for the PRM system.

The SQAP is defined in order to comply with NED AS-200A128, "Digital System Life Cycle Procedure," and also to comply with the documentation requirements in EPRI TR-107330, Section 8.7. This SQAP has been developed using IEEE Std 730-2002 as a guide.

1.1 Background
This SQAP is developed for the PRM System Qualification Project (hereinafter called the FPGA/SER project). The PRM System is used at Boiling Water Reactors to measure local and average power levels in the reactor core. Specifically, the local power level is measured by local power range monitors (LPRMs) that measure neutron flux at many locations within the reactor and provide a signal to monitoring equipment located outside of containment. In addition, the reactor recirculation flow is monitored by Recirculation Flow Measurement, to which the differential pressure signal from the recirculation system differential pressure sensors is transmitted. The PRM System converts the incoming signals to averaged power and flow measurements, which are provided as output to the plant trip system and to the process computers.

Toshiba is currently enhancing its prototype PRM System for Japanese plants. The PRM System consists of modules that receive and process input signals from LPRM detectors inside containment and differential pressure transmitters located outside containment. Modules are placed inside chassis to form units. Each module contains one or more circuit boards, upon which are mounted FPGAs containing embedded logic. FPGAs are composed of FEs, which are discrete logic elements made from the logic primitives; FPGAs are created by arranging and combining specific Functional Elements (FEs). Toshiba uses software tools called Synplify, Designer, and Silicon Sculptor, provided by Actel, to embed the desired programming logic in the form of a fuse map into the FPGA chips. Toshiba also uses the software test tools ModelSim and Netlist Viewer.

The development work of the prototype PRM System will be performed by two organizations at Toshiba: NED, which has a Quality Assurance Program in accordance with US 10 CFR 50 Appendix B requirements; and NICSD in Fuchu-IP, which has a quality assurance program in accordance with ISO-9001:2000. Therefore, NED will use the process described in EPRI TR-107330 to qualify FPGA equipment as a commercial grade dedication (CGD).

NED will lead this FPGA/SER project, and contract with Fuchu-IP as a commercial grade vendor to produce the required equipment. NED will then complete the testing and analysis activities needed for the qualification process as Appendix B activities.

Toshiba will produce new units, modules, and FPGAs during this qualification project. This SQAP defines the software quality assurance activities to be performed in the CGD procedure. Figure 9-1 of the Qualification Plan shows the relation between this SQAP and other project documents.


To define the requirements and methodology for the life cycle process to be followed for this FPGA/SER project, this SQAP forms the basis for the following project documents:

* The Project Verification and Validation Plan (VVP)
* The Software Qualification Report, which is established for the FPGA/SER project

1.2 Scope
This SQAP addresses the plan for software quality assurance for the following activities in this FPGA/SER project:

* Developing the logic for implementing functions for FPGAs.
* Using Actel's software tool suite to translate the VHDL code written by NICSD design engineers into fuse maps, to test the logic, and to embed the logic onto the FPGA chips (e.g., the Synplify, Designer, Netlist Viewer, and Silicon Sculptor tools that are used to embed the fuse map onto the FPGA, etc.).
* Using Mentor Graphics' ModelSim software tool to test the FPGA chips.
* Using commercially available software programs for the test equipment (e.g., data acquisition, signal generators, etc.) for:
  o Unit/Module Validation testing
  o System Validation and acceptance testing

For these activities, this SQAP provides the following information:

1. A description of the project software Quality Assurance (QA) planning measures to be used to demonstrate how the project requirements are met. This description is provided for NED's basic approach in this SQAP.

2. A description of the required interactions between NED and NICSD and subcontractors for the FPGA/SER project. This description is provided in the SQAP where special provisions must be made to define an interaction or division of responsibilities between NED and NICSD.

3. A determination of the Software Integrity Level (SIL) for the types of software covered by this SQAP. See Appendix A of this SQAP for the SIL levels to be used for the various types of software covered by this SQAP.

The following software is excluded from the requirements of this SQAP:

* Administrative software used for purposes such as ordering, scheduling and project management.
* Commercial applications software for use in database management systems, word processing, and commercially purchased CAD systems not used for FPGA development (for example, Excel, Word, AutoCAD, and electrical schematic drawing tools).

1.3 Differentiation between New Software and Legacy Software

1.3.1 New Software
The term "New Software" applies to software to be created under this SQAP. For this software, Toshiba shall follow the life cycle process presented in NED Procedures AS-200A128 through AS-200A132.

When NED accepts new software from NICSD, NED shall require the necessary activities to assure the new software's integrity. The activities vary according to the Software Integrity Level (SIL) defined in Appendix A.

For SIL 4 and 3 software, in accordance with Section 7.4 of EPRI TR-107330, NED shall confirm the following basic requirements are met:

* NICSD has an acceptable VVP and process for developing FPGA products, and is following this acceptable process.
* NICSD develops software in accordance with a life cycle approach.
* NICSD prepares software requirements documents.
* NICSD provides adequate traceability of requirements throughout the life cycle, and performs both functional and structural testing of the software.

NED shall perform activities including a Critical Digital Review and Commercial Grade Survey of NICSD to ensure that the NICSD practices are acceptable. Where needed, NED will invoke special provisions on NICSD in the NED Job Order to ensure that NED requirements are met. Depending on the results of these activities, this SQAP may be revised to reflect these requirements.

For SIL 2 software, e.g. test equipment software:

* NICSD has acceptable quality assurance procedures, including configuration management, for developing test equipment software, and is following these quality assurance procedures.
* NICSD develops software in accordance with a life cycle approach under its ISO program.
* NICSD prepares software requirements documents.

1.3.2 Legacy Software
"Legacy Software" is any software to be used in this project that meets the following requirements:

1. It was created prior to the implementation of an Appendix B program.

AND

2. It has already been in use at NED or NICSD prior to this project.

NICSD may use legacy software of SIL 2 for work in this project, provided the following requirements are met:

* For the software used by NED, the software is controlled under NED configuration management; for the software used by NICSD, the software is controlled under NICSD configuration management.

* The software functions used in this project are well documented, and validated with appropriate testing.
* The test results are controlled under the configuration management program together with the software that was used in the testing.
* A hazard analysis is performed to ensure that the software causes no harm to the products.
* In the case NICSD uses any such software, NICSD shall inform NED prior to the use of the software.

Design documentation and code for Legacy Software can be used without conformance to the format or content requirements of this SQAP. Modifications to this software can be made in accordance with the prior documentation and code format.

The PRM System software products that are contracted for development by a subvendor must meet the requirements of a program that complies with USNRC expectations. Software procured from subcontractors that already exists and is in use is evaluated and treated as Legacy Software. Legacy Software that is unverified will not be shipped with the PRM equipment. NICSD must distinguish between New Software and Legacy Software.

2 Reference Documents
2.1 EPRI TR-107330, "Generic Requirements Specification for Qualifying a Commercially Available PLC for Safety-Related Applications in Nuclear Power Plants", Final Report dated December, 1996
2.2 IEEE Standard 7-4.3.2-1993, "Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations"
2.3 IEEE Standard 730-2002, "IEEE Standard for Software Quality Assurance Plans"
2.4 IEEE Standard 828-1990, "IEEE Standard for Software Configuration Management Plans"
2.5 IEEE Standard 829-1983, "IEEE Standard for Software Test Documentation"
2.6 IEEE Standard 1012-1998, "Standard for Software Verification and Validation Plans"
2.7 IEEE Standard 1074-1997, "Standard for Developing Software Life Cycle Processes"
2.8 AS-100A004, "Document Control Procedure"
2.9 AS-100A007, "Filing Procedure for Quality Assurance Records"
2.10 AS-100A008, "Procedure for Indoctrination and Training"
2.11 AS-200A001, "Engineering and Design Procedure"
2.12 AS-200A002, "Design Verification Procedure"
2.13 AS-200A010, "Control Procedure of Vendor Generated Documents"
2.14 AS-200A116, "Preparation Procedure for Equipment Requirement Specification"
2.15 AS-200A128, "Digital System Life Cycle Procedure"
2.16 AS-200A129, "Digital System Development Procedure"
2.17 AS-200A130, "Digital System Verification & Validation Procedure"
2.18 AS-200A131, "Digital System Configuration Management Procedure"
2.19 AS-200A132, "Digital System Safety and Hazards Analysis Procedure"
2.20 AS-300A006, "Nonconformance Control Procedure for Procured Items and Services"
2.21 AS-300A008, "Nonconformance Control and Corrective Action Procedure"
2.22 AS-300A009, "Corrective Action Request Application Procedure"

2.23 AS-300A103, "Test Control Procedure"
2.24 P-101, "NICSD Manufacture of FPGA-Based Equipment"
2.25 D-68016, "NICSD Procedural Standard for FPGA Products Development"
2.26 D-68017, "NICSD Procedural Standard for FPGA Device Development"
2.27 D-68018, "NICSD Procedural Standard for Functional Element Development"
2.28 D-68019, "NICSD Procedural Standard for Configuration Management"
2.29 D-68020, "NICSD Procedural Standard for Control of Software Tools Used with FPGA Based Systems"
2.30 FQS-E105-2, "Fuchu-IP QA Manual"
2.31 FPG-PLN-C51-0003, "NRW-FPGA-Based PRM System Qualification Project Quality Assurance Plan"

Notice: Upon application of the above NED, NICSD and other Toshiba internal standards, the latest version shall be used.

3 Management
This section describes the project's organization structure, the tasks to be completed, and the roles and responsibilities.

3.1 Organization
The implementation of an effective SQAP is the responsibility of all persons involved in the life cycle. Each person responsible for the activities in the life cycle shall perform their work in accordance with the methods and procedures identified in this SQAP.

3.1.1 NED Organization

The NED Engineering/Design Group (i.e. Monitoring System Engineering Group) Manager shall ensure that the software and the associated documentation have been developed in accordance with the requirements specified in this SQAP. This includes ensuring that the coding standards, the testing standards established in the test plan, and the documentation standards have been followed.

Within NED, software life cycle activities are performed by the following groups, as shown in Figure 3-1:

* The Engineering/Design Group establishes the system requirements.
* The V&V Team performs all V&V activities within NED's scope. This includes V&V of NED Engineering/Design Group output documents, and providing oversight of NICSD activities performed on the PRM System.
* The QA Group performs all system testing activities.

Figure 3-1: NED Organization (organization chart; box labels recoverable from the extraction: Sourcing Dept., Plant Project Engineering Dept.)

* The V&V Team consists of the persons who belong to the Control & Electrical Systems Design & Engineering Department, and who are independent from the Monitoring System Engineering Group with separate cost, schedule and resources.

Personnel are assigned the specific responsibilities and authority to ensure the accomplishment of software management and control through written plans, procedures, standards, and instructions. NED Procedures AS-200A128 through AS-200A132 define the activities and roles of NED personnel for the digital system life cycle. Control & Electrical Systems Design & Engineering Department (ICDD) Procedure P-101 describes how the requirements of NED Procedures AS-200A128 through AS-200A132 are to be implemented in the development and procurement of FPGA-based systems from NICSD. Table 1 of ICDD Procedure P-101, "NICSD Manufacture of FPGA-Based Equipment", provides a detailed description of the life cycle activities.

3.1.2 Fuchu-IP Organization

For this project, NED purchases the FPGA-based unit from Toshiba Fuchu Operations-Industrial and Power Systems & Services (Fuchu-IP) as a commercial vendor.

Within Fuchu-IP, software life cycle activities are performed by the following groups, as shown in Figure 3-2:

Figure 3-2: Fuchu-IP Organization (organization chart; box labels recoverable from the extraction: Production Section, Design Group, Quality Control Section)

3.2 Tasks and Responsibilities

3.2.1 Tasks and Responsibilities for the PRM System Life Cycle
NED Procedures AS-200A128 through AS-200A132 describe the specific tasks and responsibilities to be performed by NED for the typical software life cycle. The typical life cycle phases are as follows:

* Project Planning and Concept Definition Phase
* Requirements Definition Phase
* Design Phase
* Implementation and Integration Phase
* Validation Testing Phase
* Operation and Maintenance Phase
* Retirement Phase

For projects where NED purchases the FPGA-based system from NICSD, ICDD Procedure P-101 separates the Validation Testing Phase into the Unit/Module Validation Testing Phase performed by NICSD, and the System Validation Testing Phase performed by NED. The Retirement Phase is not applicable, and the Operation & Maintenance Phase is considered to be equivalent to the Qualification Testing. Accordingly, for this FPGA/SER project, the life cycle phases are as follows:

* Project Planning and Concept Definition Phase
* Requirements Definition Phase
* Design Phase
* Implementation and Integration Phase (includes FPGA validation tests)
* Unit/Module Validation Testing Phase
* System Validation Testing Phase
* Operation & Maintenance Phase

For the above life cycle, NED Procedures AS-200A128 through AS-200A132 describe the following four parallel activities (tasks):

* Software development
* Verification and Validation (V&V)
* Configuration management
* System hazard analyses

ICDD Procedure P-101 provides a more detailed description of the above tasks, and defines the division of responsibility between NED and NICSD.

NED has the responsibility to review and approve the NICSD activities through CDR and Commercial Grade (CG) survey, and through V&V oversight to be performed throughout the course of NICSD's work.

3.2.2 Tasks and Responsibilities for Using FEs
It is expected that the FE life cycle process used by NICSD personnel includes the following phases:

* Requirements Definition Phase
* Design and Implementation Phase
* Testing Phase

The specific tasks and responsibilities for these activities are documented in NICSD standard D-68018.

NED has the responsibility to review and approve the NICSD activities through CDR and CG survey, and through V&V oversight to be performed throughout the course of NICSD's work.

3.2.3 Tasks and Responsibilities for Using Software Tools
NICSD engineers shall follow NICSD standard D-68020 when they use software tools in the design activities. In addition, NICSD shall perform the necessary activities to ensure the reliability of the software tools. The activities may include the following items:

* Confirming that the software tools used are applicable to the project objectives.
* Establishing the software tool SIL based on the significance of the tool usage.
* Establishing the software tool acceptance criteria, and determining if the software tool meets the criteria.
* Establishing the software tool update criteria, and the version control methods based on the criteria, in accordance with the configuration management.
* Establishing the procedure to use the software tool, including the methods to record and resolve any errors, in accordance with the configuration management.
* Training and recording the personnel to use the software tool.

NED has the responsibility to review and approve the NICSD activities through CDR and CG survey, and through V&V oversight to be performed throughout the course of NICSD's work.

3.2.4 Tasks and Responsibilities for Test Equipment Software
If NED or NICSD uses any Test Equipment software, the following activities shall be performed:

* Defining the Test Equipment software functions required in the project
* Establishing the Test Equipment software acceptance criteria
* Establishing the procedure to use the Test Equipment software
* Training and recording the personnel to use the Test Equipment software

These activities shall be described in appropriate Test Documents.

For NICSD activities, NED has the responsibility to review and approve the NICSD activities through CDR and CG survey, and through V&V oversight to be performed throughout the course of NICSD's work.

4 Documentation
This section identifies the documentation governing the development, verification and validation of the software. This section identifies which documents are to be reviewed or audited for adequacy, and the criteria by which adequacy is to be confirmed.

4.1 Minimum Documentation Requirements for the PRM Life Cycle
NED Procedure AS-200A128, Table 1, lists the documentation required for NED's software life cycle activities. Requirements for preparation, review and approval of these documents are described in Procedures AS-200A129 through AS-200A132. For projects in which NED uses NICSD to manufacture NRW-FPGA based products, ICDD Procedure P-101 defines the division of responsibility between NED and NICSD.

The following sections describe the major documents prepared for this qualification project that are related to software quality, and describe how NED and NICSD interact to produce these documents.

4.1.1 Equipment Requirements Specification (ERS)
The Equipment Requirements Specification (ERS) describes the equipment requirements of the PRM System units. These requirements consist of specific functional and design requirements for the hardware and software, including any detailed logic requirements. The ERS also specifies qualification requirements.

For FPGA manufacture, ICDD Procedure P-101 states that the ERS shall be established by ICDD. NED shall establish the ERS in accordance with AS-200A116. The functional and software requirements in the ERS shall be collected into the Project Planning and Concept Definition Phase Requirements Traceability Matrix (called the Concept Phase RTM) in accordance with AS-200A130.

NED shall provide a copy of the ERS to NICSD as part of the Job Order process. NICSD shall review the applicable requirements in the ERS. If NICSD finds any concerns, NICSD shall document the concerns and transmit them to NED using the process defined in NICSD standard D-68016.

4.1.2 Software Requirements Specification (SRS)
The Software Requirements Specification (SRS), which is outlined in AS-200A129 and which is equivalent to the Software Requirements Description as defined in IEEE 730-2002, addresses the basic issues of functionality, external interfaces, performance, attributes and design constraints imposed on implementation for software. The SRS identifies functions to be implemented in software or hardware and distinguishes the implementation method.

For FPGA manufacture, ICDD Procedure P-101 states that the Unit/Module Design Specifications, which are equivalent to the SRS, shall be established by NICSD. NICSD shall establish the SRS in accordance with D-68016. NICSD shall perform V&V activities to verify that the Unit/Module Design Specifications are in accordance with the NICSD VVP. NED shall review and approve the results of the NICSD V&V activities.

Prior to the project, NED shall perform a CG Survey and Critical Digital Review (CDR) ofNICSD's process. Based on the results of these activities, NED will determine whether theNICSD process shown in NICSD standard D-68016 is acceptable. I~fthe process isacceptable, NED may accept the NICSD document with limited review (at least processcompliance). Alternately, NED may conclude that compensatory actions are needed tosatisfy NED requirements. These could include special requirements to be imposed onNICSD in the NED's Job Order, or special reviews or inspections to be performed by NED.NED's acceptance of the document would then be contingent on verifying that thesecompensatory actions were completed to NED's satisfaction.

4.1.3 Software Design Description (SDD)

The Software Design Description (SDD) generally depicts how the software or logic will be structured to satisfy the requirements of the SRS, including software safety requirements, databases and interfaces. The SDD provides a detailed description of the software to be coded. It describes decomposition of the software into entities (such as FEs). Each entity is described by its type, purpose or function, subordinate entities, dependencies, interfaces, resources, processing and data.

For the FPGA manufacture, ICDD Procedure P-101 states that the FPGA Specifications, which are equivalent to the SDD, shall be established by NICSD. NICSD shall establish the FPGA Specifications in accordance with NICSD standard D-68017. NICSD shall perform V&V activities to verify the FPGA Specifications are in accordance with the NICSD VVP. NED shall review and approve the results of the NICSD V&V activities.

As described in Section 4.1.2, prior to this FPGA/SER project, NED shall determine whether any compensatory actions are needed to satisfy NED requirements. These could include special requirements to be imposed on NICSD in the NED's Job Order, or special reviews or inspections to be performed by NED. NED's acceptance of the document would then be contingent on verifying that these compensatory actions were completed to NED's satisfaction.

4.1.4 Verification and Validation Plan (VVP)

Verification and validation processes are used to determine if developed software products conform to their requirements and whether the software products fulfill the intended use and user expectations. This includes analysis, evaluation, review, inspection, assessment, and testing of the software products and the processes that produced the products. Also, the software testing, validation and verification processes apply when integrating purchased software products into the developed product.

The Verification and Validation Plan (VVP) defines the V&V activities and required inputs and outputs needed to maintain the appropriate software integrity level. It also provides a means of verifying the implementation of the requirements of the SRS in the design as expressed in the SDD, and in the testing as expressed in the project's test documentation. NED Procedure AS-200A130 describes the establishment of the VVP.

For the FPGA manufacture, ICDD Procedure P-101 states that ICDD shall establish a VVP and NICSD shall establish their own VVP based on the ICDD VVP.

4.1.5 Verification and Validation Report (VVR)

The NED V&V Team shall produce a VVR at the end of each phase. The VVRs include documentation of validation test results, problem reports and corrective actions, and independent review results. The VVRs shall form the basis for the development of the Final Verification and Validation Report (FVVR). The VVR is established and maintained by the NED V&V Team.

For the Requirements Definition Phase, the Design Phase, the Implementation & Integration Phase, and the Unit/Module Validation Testing Phase, NICSD shall produce the NICSD VVR at the end of each phase. ICDD shall produce the VVRs for these phases based on the NICSD VVRs.

The FVVR shall document all V&V activities performed by NED and by NICSD throughout this FPGA/SER project life cycle, either by inclusion of V&V documentation directly in the report, or by reference to retrievable records.

4.1.6 User Documentation

The purpose of User documentation is to provide sufficient information to users for installing, operating and maintaining the PRM System. User documentation describes the data control inputs, input sequences, options, program limitations and all other essential information for the system. User Documentation shall include all error messages and identify the necessary corrective-action procedures. Also, it shall provide the means for the user to report problems to the Engineering/Design Group Manager.

For the qualification project, the User Documentation includes the following:

* Instructions for interpreting and responding to alarms
* Requirements for user-supplied power source
* Environmental conditions for equipment operation and installation
* Commissioning
* Routine operating checks
* Maintenance and Surveillance recommendations
* Instructions on changing setpoints and ranges
* Data needed to compute setpoint values for ISA recommended practice
* Error reporting
* Recommendations for recording configuration
* Description of the system architecture (configuration requirements, schematics, etc.)

Procedure AS-200A129 provides requirements to establish software development User Documentation.

For the FPGA manufacture, ICDD Procedure P-101 states that the User Documentation shall be established by NICSD. NICSD shall establish the User documentation in accordance with D-68016. This NICSD documentation will be for the Units/Modules produced by NICSD.

As described in 4.1.2, prior to the project, NED shall determine whether any compensatory actions are needed to satisfy NED requirements. These could include special requirements to be imposed on NICSD in the NED's Job Order, or special reviews or inspections to be performed by NED. NED's acceptance of the document would then be contingent on verifying that these compensatory actions were completed to NED's satisfaction.

After NICSD establishes the unit/module User documentation, NED shall establish User documentation for the PRM System for the qualification project. (This User documentation will form the basis for the Qualification Project Application Guide.) NED shall establish this system-level User documentation in accordance with NED Procedure AS-200A129. Alternately, NED could require that NICSD establish the system level User Documentation, with special compensatory actions required as necessary.

4.2 Other Documentation

4.2.1 Requirements Traceability Matrix (RTM)

Throughout the project life cycle, a requirements traceability analysis will be performed and an RTM maintained for SIL-3 or SIL-4 software. The RTM provides a method for verifying that requirements are carried through each phase of the project life cycle. In this FPGA/SER project, NED will create the Concept Phase RTM, and use it to verify that the requirements are satisfied during the system integration and test phases. During the other life cycle phases, NICSD shall develop and maintain the RTM to ensure that requirements are tracked and verified. The specific process to be used in this FPGA/SER project is described below.

1. At the Project Planning and Concept Definition Phase for this FPGA/SER project, NED shall establish the Concept Phase RTM in accordance with NED Procedure AS-200A130.

2. NICSD shall use the requirements from the Concept Phase RTM as the starting point for establishing its own RTM process. NICSD shall update the RTMs from the Requirements Phase through the Unit/Module Validation Testing Phase. This NICSD RTM process shall be performed as follows:

(1) Requirements Definition Phase
    NICSD shall develop the RTM for units and modules.

(2) Design Phase
    NICSD shall develop the RTM for FPGAs.

(3) Implementation and Integration Phase
    NICSD shall develop the RTM for FPGA test procedures based on the Design Phase RTM.

(4) Unit/Module Validation Testing Phase
    NICSD shall develop the RTM for Units and Modules Validation Testing Procedures based on the Requirements Definition Phase RTM.

NICSD shall use the RTM process defined in the NICSD VVP. NICSD may propose a process for creating and maintaining an RTM, and NICSD shall document that process in the NICSD VVP. NED will review and approve this process and NICSD may use it after receipt of NED's authorization. NED will determine the need for special provisions (if any) based on NED's CDR and CG Survey of NICSD. NED will specify any needed special provisions for the NICSD RTM process in the NED Procurement Specification attached to NED's Job Order to NICSD.

During the NICSD portion of the RTM work, NED will review the NICSD RTM at the end of each life cycle phase. NED's project VVP shall state the specific instructions for performing and documenting this NED review.

3. During the system Implementation and Integration Phase, NED shall update the NED RTM, which NED created in the Project Planning and Concept Phase, to verify the traceability of all requirements. Then, NED shall update the RTM in the System Validation Testing Phase. NED shall follow NED Procedure AS-200A130 for updating the RTM in these steps.

4. At the end of this FPGA/SER project, NED shall prepare an RTM report which documents the results of the NED RTM effort. This report shall be established in accordance with the NED Appendix B QA program, and shall refer to the NICSD RTM output documents, or include these NICSD documents as an attachment.
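As an added illustration of the check this RTM process exists to support (this is not code from the plan, nor NED's or NICSD's tooling; the phase names, requirement IDs and artefact labels are assumptions), the following Python builds a small RTM and reports two kinds of finding a reviewer looks for at the end of each phase: a Concept Phase requirement that has no trace in some downstream phase, and a requirement ID that appears downstream without ever having been in the Concept Phase RTM.

```python
"""Requirements traceability check across life-cycle phases (added example)."""
from dataclasses import dataclass, field

# Phases downstream of the Concept Phase, in the order the RTM is carried
# through them (steps (1)-(4) of the NICSD RTM process). Names are assumed.
PHASES = ("requirements", "design", "fpga_test", "unit_module_test")


@dataclass
class RTM:
    """Traceability links: phase -> requirement id -> set of artefact ids
    (specification sections or test procedure steps that implement/verify it)."""
    links: dict = field(default_factory=lambda: {p: {} for p in PHASES})

    def add(self, phase, req_id, artefact):
        if phase not in PHASES:
            raise ValueError(f"unknown phase {phase!r}")
        self.links[phase].setdefault(req_id, set()).add(artefact)


def trace_gaps(concept_reqs, rtm):
    """Map each Concept Phase requirement to the phases where it has no trace.
    An empty result means every requirement is carried through every phase."""
    gaps = {}
    for req in concept_reqs:
        missing = [p for p in PHASES if not rtm.links[p].get(req)]
        if missing:
            gaps[req] = missing
    return gaps


def orphan_requirements(concept_reqs, rtm):
    """Requirement ids that appear downstream but not in the Concept Phase RTM:
    something is being designed or tested that was never approved at concept stage."""
    known = set(concept_reqs)
    orphans = {}
    for p in PHASES:
        extra = sorted(r for r in rtm.links[p] if r not in known)
        if extra:
            orphans[p] = extra
    return orphans


def fully_traced_fraction(concept_reqs, rtm):
    """Share of Concept Phase requirements traced through every phase."""
    if not concept_reqs:
        return 0.0
    return (len(concept_reqs) - len(trace_gaps(concept_reqs, rtm))) / len(concept_reqs)


def build_sample():
    """Constructed data: three Concept Phase requirements and their recorded
    traces. All identifiers are invented for this illustration."""
    concept_reqs = ["REQ-001", "REQ-002", "REQ-003"]
    rtm = RTM()
    # REQ-001 is traced through every phase.
    rtm.add("requirements", "REQ-001", "UMDS 3.1")
    rtm.add("design", "REQ-001", "FPGA-SPEC 4.2")
    rtm.add("fpga_test", "REQ-001", "FVT-010")
    rtm.add("unit_module_test", "REQ-001", "UMVT-020")
    # REQ-002 was never picked up by a unit/module validation test procedure.
    rtm.add("requirements", "REQ-002", "UMDS 3.2")
    rtm.add("design", "REQ-002", "FPGA-SPEC 4.5")
    rtm.add("fpga_test", "REQ-002", "FVT-011")
    # REQ-003 has tests, but no FPGA Specification element claims to implement it.
    rtm.add("requirements", "REQ-003", "UMDS 3.3")
    rtm.add("fpga_test", "REQ-003", "FVT-012")
    rtm.add("unit_module_test", "REQ-003", "UMVT-021")
    # REQ-099 is tested at FPGA level but was never in the Concept Phase RTM.
    rtm.add("fpga_test", "REQ-099", "FVT-013")
    return concept_reqs, rtm


if __name__ == "__main__":
    reqs, sample = build_sample()
    print("gaps:", trace_gaps(reqs, sample))
    print("orphans:", orphan_requirements(reqs, sample))
    print("fully traced:", fully_traced_fraction(reqs, sample))
```

Run as a script it prints the two findings for the constructed data (REQ-002 missing from unit/module testing, REQ-003 missing from design, REQ-099 an orphan in FPGA test) and a traced fraction of one third. The orphan check is the one most often omitted from hand-kept matrices, and it is the one that catches an untracked requirement entering the design downstream of NED's approval.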

4.2.2 Source Code Documentation

Source code documentation shall include source code listings which reflect the translated design representation into a programming language. Any associated documentation generated during the coding, module testing, and unit testing process such as code reviews, test procedures, test cases or test results should be referenced in the source code documentation.

The VHDL, which is equivalent to the source code in the FPGA/SER project, shall be traceable to the FPGA Specifications and the Unit/Module Design Specifications. It shall include sufficient comments to provide the user of the source code with an understanding of the functioning and programming of each module.

For this FPGA/SER project, ICDD Procedure P-101 states that the Code Documentation shall be established by NICSD. NICSD shall establish the Code Documentation meeting the requirements of ICDD Procedure P-101.

As described in 4.1.2, prior to this FPGA/SER project, NED shall determine whether any compensatory actions are needed to satisfy NED requirements. These could include special requirements to be imposed on NICSD in the NED's Job Order, or special reviews or inspections to be performed by NED. NED's acceptance of the document would then be contingent on verifying that these compensatory actions were completed to NED's satisfaction.

4.2.3 Test Documentation

Test documentation includes Test Plans, Test Procedures and Test Reports. For the System Validation Testing, the Test Plan which is established by NED can be included in the Test Procedure.

For the FPGA manufacture, ICDD Procedure P-101 states that the FPGA and Unit/Module Testing shall be established by NICSD. NICSD shall establish the FPGA and Unit/Module Testing in accordance with the Fuchu-IP QA Manual.

As described in 4.1.2, prior to this FPGA/SER project, NED shall determine whether any compensatory actions are needed to satisfy NED requirements. These could include special requirements to be imposed on NICSD in the NED's Job Order, or special reviews or inspections to be performed by NED. NED's acceptance of NICSD's testing process would then be contingent on verifying that these compensatory actions were completed to NED's satisfaction.

ICDD Procedure P-101 states that NED performs the System Validation Testing. The System Validation Testing shall be performed in accordance with NED Procedures AS-200A129, AS-200A130, and AS-300A103.

4.2.4 Hazard Analysis Report

Hazard analysis is performed to determine if the design and associated activities throughout the life cycle are established in a manner that minimizes risk and design errors. Thus, hazard analysis is used to ensure that potential failures are identified, evaluated and resolved as the design evolves.

ICDD shall establish the Preliminary Hazard Analysis (PHA) at the beginning of the project and update it as the project progresses, in accordance with NED Procedure AS-200A132 and ICDD Procedure P-101. The more detailed process is as follows:

1. Project Planning and Concept Definition Phase PHA
   ICDD shall prepare the PHA based on the ERS. Fault Tree Analysis shall be used in this analysis.

2. Requirements Definition Phase PHA
   ICDD shall update the PHA based on the Unit/Module Design Specifications, which shall be submitted by NICSD to ICDD at the end of this phase. In addition, NICSD shall answer ICDD questions regarding potential hazards in the design. The updated PHA shall address the concerns identified in the Project Planning and Concept Definition Phase PHA. It should be noted that the Fault Trees first developed in the previous phase would not need to be developed to a more detailed level than the modules. If applicable, Failure Mode and Effect Analysis (FMEA) will be performed at this phase.

3. Design Phase PHA
   ICDD shall update the PHA based on the FPGA Specifications, which shall be submitted by NICSD to ICDD at the end of this phase. In addition, NICSD shall answer ICDD questions regarding potential hazards in the design. The updated PHA shall address the concerns remaining from the Requirements Definition Phase PHA. Failure Modes and Effects Analysis (FMEA) shall be performed (or updated if it was performed in the previous phase) during this phase.

4. Implementation & Integration Phase PHA
   ICDD shall update the PHA based on the NICSD produced documents and the NICSD provided information. The following are documents produced by NICSD and shall be submitted to ICDD at the end of this phase:

   * FPGA Validation Testing Procedures
   * FPGA Validation Testing Reports
   * Unit/Module Validation Testing Procedures

   NICSD shall provide the following information to ICDD:

   * Verification of VHDL codes
   * The methods with which Software tools are used
   * Potential hazards in the design

5. Unit/Module Validation Testing Phase PHA
   ICDD shall update the PHA based on the Unit/Module test reports, system test procedure, and the problem reporting sheets, which shall be submitted by NICSD to ICDD. In addition, NICSD shall answer ICDD questions regarding potential hazards in the design.

6. System Validation Testing Phase
   ICDD shall update the PHA based on the System Validation Test reports and the problem reporting sheets, and produce the final Hazard Analysis report.

NICSD shall give notice when they make any substantial modifications in the documents being submitted to ICDD for PHA updating.

4.2.5 Software Qualification Report

The Software Qualification Report is created to summarize the activities performed throughout the software life cycle. It also identifies the design errors found during the software life cycle. This report is produced only for the FPGA/SER project. For this purpose, requirements for establishing the Software Qualification Report are as follows:

* The Software Qualification Report shall be prepared by NED. NED shall establish this report in accordance with the 10 CFR 50 Appendix B Quality Assurance Program.

* The Preparer(s) of the SQ Report shall:
  o Be independent of the Engineering/Design Group (that is, be from the V&V Team, which has separate cost, schedule and resources from the Design Group).
  o Not have contributed to the design.
  o Be technically qualified for the work performed.

* The Independent Reviewer of the SQ Report shall:
  o Be from the V&V Team.
  o Not have contributed to the design.
  o Not have collaborated on the preparation of the SQ Report.
  o Be technically qualified for the work being reviewed.

* The Approver of the SQ Report shall:
  o Be manager-level.
  o Not be the same person as the Preparer.
  o Not be the same person as the Independent Reviewer.
  o Be cognizant of the role of this report in order to be sure that the document is appropriate and serves its intended purpose.

5 Standards, Practices, Conventions and Metrics

This section describes the standards, practices and conventions to be applied to the PRM System. It identifies general statistical techniques and metrics to be applied in the quality assurance process. Compliance with these standards shall be monitored and assured through the review and audit process described in Section 6.

5.1 Documentation Standards

All documents developed by NED for the PRM System shall comply with the requirements in NED Procedure AS-100A004, Document Control Procedure.

All documents developed by NICSD for the PRM System shall comply with the requirements for format and content described in the NICSD Fuchu-IP QA Manual with special provisions to be specified in the Job Order by NED.

5.2 Design Standards

All Engineering/Design work developed by NED for the PRM System shall comply with the requirements described in NED Procedure AS-200A001, Engineering and Design Control Procedure.

All design work developed by NICSD for the PRM System shall comply with the requirements described in NICSD Procedures D-68016 and D-68017, with special provisions to be specified in the Job Order by NED.

5.3 Coding Standards

The software development process shall provide guidance to ensure standardization, compatibility and maintainability of resulting software products. The process shall provide a coding standard for each language as well as usage guidelines for each software tool.

* For this FPGA/SER project, the VHDL source coding should conform to Appendix A of NICSD standard D-68017.

NED shall confirm that NICSD uses the coding standard appropriately by reviewing and accepting NICSD's VVR in which NICSD confirms development of the FPGA source code.

5.4 Testing Standards

The Test Plan (see 4.2.3) shall be established in accordance with AS-300A103. Software testing methodologies, policies and practices shall be described in the NED Test Plan. Specific format and content for test procedures (with test cases) and test reports shall also be identified in the Test Plan.

System Validation Testing by NED for the PRM System shall comply with the requirements described in NED Procedure AS-300A103, Test Control Procedure.

Testing of FPGAs and Units/Modules by NICSD for the PRM System shall comply with the requirements described in the Fuchu-IP QA Manual with special provisions to be specified in the Job Order by NED.

5.5 Metrics

The following metrics should be maintained for the PRM system:

* The number of changes applied to a project document when it is revised should be tracked to measure the document maturity.

* The errors discovered during FPGA Validation Testing and Unit/Module Validation Testing should be identified through the use of the Problem Reporting Sheet (PRS) (see 8.1) so that the number of errors discovered can be tracked for error discovery metric reporting. The overall goal is to identify a decreasing number and severity of errors as the testing progresses.

* The errors discovered during System Validation Testing should be identified through the use of the Nonconformance Notice Report (NNR) (see 8.2) so that the number of errors discovered can be tracked for error discovery metric reporting. The overall goal is to identify a decreasing number and severity of errors as the testing progresses.

* Each PRS and NNR should be recorded with date and time in the log.

* Software errors discovered during Site Acceptance Test (SAT) shall be tracked through the use of NNRs and the number and severity shall be identified for error discovery metric reporting.

* Software errors discovered after SAT shall be tracked through the use of Nonconformance Notice Reports (NNR). To issue an NNR for a problem caused by NED, NED Procedure AS-300A008 shall be applied, and for a problem caused by NICSD, NED Procedure AS-300A006 shall be applied.

* In cases where the determination of whether the problem was caused by NED or NICSD could not be readily made, NED has the responsibility to determine the cause.
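The error discovery metric above is only useful if the PRS and NNR log is parsed the same way every time and the per-phase trend is checked mechanically. As an added example (not part of the plan, and not the log format NED or NICSD actually use; the line layout, phase codes, severity weights and the sample entries are all constructed), the following Python parses a small log, aggregates count and severity-weighted score per test phase in execution order, checks that both are non-increasing, and flags entries filed on the wrong form for their phase (PRS for FPGA and Unit/Module testing, NNR for System Validation Testing and SAT).

```python
"""PRS/NNR error discovery metric over a constructed problem log (added example)."""
import re
from collections import OrderedDict

# Test phases in execution order; the plan wants count and severity to fall
# across them. Codes are assumed for this illustration.
PHASE_ORDER = ("FPGA-VT", "UM-VT", "SYS-VT", "SAT")
SEVERITY_WEIGHT = {"MAJOR": 3, "MINOR": 1}           # assumed weighting
EXPECTED_KIND = {"FPGA-VT": "PRS", "UM-VT": "PRS",  # Section 5.5: PRS for FPGA and
                 "SYS-VT": "NNR", "SAT": "NNR"}     # unit/module tests, NNR afterwards

# Assumed log line layout: date time kind phase severity free-text summary
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<kind>PRS|NNR) (?P<phase>[A-Z-]+) (?P<sev>MAJOR|MINOR) (?P<summary>.+)$"
)

# Constructed sample log, including one malformed line and one misfiled entry.
SAMPLE_LOG = """\
2014-03-03 10:12 PRS FPGA-VT MAJOR FE AND2 output wrong for pattern 10
2014-03-04 14:30 PRS FPGA-VT MINOR comment header missing in fe_and2.vhd
2014-03-06 09:05 PRS FPGA-VT MAJOR trip output stuck after reset
2014-04-11 11:40 PRS UM-VT MINOR LED indication off by one channel
2014-04-15 16:20 PRS UM-VT MINOR user manual table 3 references wrong setpoint
this line is not a valid entry
2014-06-02 13:00 NNR SYS-VT MINOR response time margin not documented
2014-06-03 08:15 PRS SYS-VT MINOR PRS used where an NNR was required
"""


def parse_log(text):
    """Split the log into parsed entries and the raw lines that did not match."""
    entries, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        (entries if m else rejected).append(m.groupdict() if m else line)
    return entries, rejected


def discovery_metrics(entries):
    """Per phase, in execution order: number of problems and severity-weighted score."""
    metrics = OrderedDict((p, {"count": 0, "score": 0}) for p in PHASE_ORDER)
    for e in entries:
        if e["phase"] not in metrics:
            raise ValueError(f"unknown phase {e['phase']!r}")
        metrics[e["phase"]]["count"] += 1
        metrics[e["phase"]]["score"] += SEVERITY_WEIGHT[e["sev"]]
    return metrics


def trend_is_decreasing(metrics):
    """True when neither count nor score rises between consecutive phases."""
    rows = list(metrics.values())
    return all(a["count"] >= b["count"] and a["score"] >= b["score"]
               for a, b in zip(rows, rows[1:]))


def misfiled(entries):
    """Entries recorded on the wrong form for their phase."""
    return [e for e in entries if EXPECTED_KIND.get(e["phase"]) != e["kind"]]


if __name__ == "__main__":
    entries, rejected = parse_log(SAMPLE_LOG)
    metrics = discovery_metrics(entries)
    for phase, m in metrics.items():
        print(f"{phase:8} count={m['count']} score={m['score']}")
    print("decreasing trend:", trend_is_decreasing(metrics))
    print("rejected lines:", rejected)
    print("misfiled:", [e["summary"] for e in misfiled(entries)])
```

Rejected lines are returned rather than silently dropped so that a malformed entry cannot quietly lower the count for a phase; the misfiled check is there because the metric is defined per form type, and an NNR-phase problem recorded as a PRS would otherwise be attributed to the wrong reporting process.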

6 Software Reviews

The purpose of this section is to address the review requirements throughout the software life cycle. Reviews are designed to ensure that software documentation and processes comply with procedures, and with the established standards and guidelines set forth for this FPGA/SER project. Reviews are technical in nature and are designed to verify the technical adequacy and completeness of the design and development of the software. In this FPGA/SER project, these reviews are considered in the V&V activities in accordance with the VVP.

Software reviews are the responsibility of the personnel identified in NED Procedures AS-200A128 through AS-200A132. These NED procedures also identify the methodology of performing reviews.

Software reviews shall evaluate specific software elements (such as files, functions, modules, or complete systems) to ensure that the requirements are adequate, technically feasible and complete.

The software reviews verify both the adequacy of the software documentation and the adequacy of the software source code itself.

The software review shall be performed in accordance with VVP.

6.1 Equipment Requirements Specification Review

The Equipment Requirement Specification Review (ERSR) shall examine the Equipment Requirements Specification (ERS) to verify completeness, correctness, consistency, and accuracy. Specific ERSR items shall be described in detail in the VVP. As a minimum, the following items shall be included:

* Compliance to the regulations
* Conformance to the vendor package
* Testability of functional requirements
* Adequacy and completeness of functional requirements
* Adequacy and completeness of interface requirements
* Adequacy and feasibility of performance requirements
* Conformance to documentation standards

For this FPGA/SER project, this review shall be performed by a NED V&V team member, and approved by the Group Manager.

NED shall perform the ERSR when the NED Design Engineer prepares the ERS, and NICSD shall perform the ERSR when NICSD receives the NED's purchase order.

6.2 Software Requirements Specifications Review

The Software Requirements Specifications Review (SRSR) shall examine the Unit/Module Design Specification to verify completeness, correctness, consistency, and accuracy. Specific SRSR items shall be described in detail in the VVP. As a minimum, these items shall include:

* Testability of functional requirements
* Conformance to documentation standards
* Adequacy and feasibility of performance requirements
* Adequacy and completeness of interface requirements
* Detailed functional interfaces with other software, system equipment, communication systems, etc.
* Identification of requirements for functional simulation, environmental recording, configuration

Frequently encountered categories or types of errors normally found in the SRS shall also be included in the VVP in order to aid the reviewer.

For the FPGA/SER project, NICSD shall perform this review in accordance with the VVP.

NED V&V team shall review the NICSD VVR.

The SRSR shall be performed before the Design Phase.

6.3 Detailed Design Review

The Detailed Design Review (DDR) evaluates the acceptability of the detailed design documented in the SDD, and establishes that the detailed design satisfies the requirements of the SRS. The review also verifies the design's compatibility with the other software and hardware that the product is required to interact with, and assesses technical, cost and schedule risks of the product design.

The DDR shall include a review of the FPGA Specification for the following items:

* The compatibility of the detailed design with the Unit/Module Design Specification
* Available data in the form of logic diagrams, algorithms, storage allocation charts, and detailed design representations
* Safety of Interfaces
* Testability of interfaces
* Compatibility and completeness of interface requirements
* All external and internal interfaces
* Technical accuracy of all available test documentation and its compatibility with the test requirements of the Unit/Module Design Specification
* Requirements for the support and test software and hardware to be used in the development of the product
* Final design including function flow, timing, response time, sizing, storage requirements, memory maps, data base, and other performance factors, if applicable to the PRM systems

The results of the review shall be documented, including all deficiencies identified in the review and a plan and schedule for corrective action.

For FPGA/SER projects, NICSD shall perform this review in accordance with the NICSD VVP.

The NED V&V team shall review and approve the NICSD VVR.

6.4 Verification and Validation Plans Review

For FPGA/SER projects, the VVP is reviewed for adequacy and completeness of the verification and validation methods as follows.

The review of the NED VVP shall be performed by a V&V team member who is not the same as its preparer, and did not aid in its preparation. The review shall be performed as follows:

* Verify that the plan correctly implements the requirements of AS-200A130, P-101, and this SQAP.
* Verify that the plan covers V&V activities from the Project Planning and Concept Definition Phase to the System Validation Testing Phase.
* Verify that the plan has adequate direction for performing V&V activities, including definition of responsibility, schedule (in terms of sequence), and reporting.
* Verify that the plan has no inconsistency.
* Evaluate if the methods used in the plan are practical and appropriate for the purpose of the V&V.
* Evaluate if the plan specifies adequate resources to perform the planned V&V activities.

The review of the NICSD VVP shall be performed by NICSD V&V personnel. The reviewer shall not be the same person who prepares the NICSD VVP. The review shall be performed as follows:

* Verify that the plan meets the requirements of the NED VVP.
* Verify that the plan has adequate direction for performing the NICSD V&V activities.
* Evaluate if the methods used in the plan are practical and appropriate for the purpose of V&V.
* Evaluate if the plan specifies adequate resources to perform the planned V&V activities.

NED V&V personnel shall review the NICSD VVP to assure that the Plan meets the requirements of the NED VVP.

6.5 NICSD Documents Review

For the FPGA/SER Project, NED requires NICSD to submit documents. NED shall review and approve the NICSD documents in accordance with NED Procedure AS-200A010. Table 6-1 shows the document name and responsible reviewer and approver.

Table 6-1. NICSD Documents to be Reviewed and Approved by NED

NICSD Documents                                   | NED Reviewer               | NED Approver
--------------------------------------------------|----------------------------|-------------
Development Plan                                  | ICDD / Design, ICDD / V&V* | ICDD / GPM
VVP                                               | ICDD / V&V                 | ICDD / GPM
Unit/Module Design Specification                  | ICDD / Design              | ICDD / GPM
User documentation of Units and Modules           | ICDD / Design              | ICDD / GPM
FPGA Specification                                | ICDD / Design              | ICDD / GPM
Source Code Documentation                         | ICDD / Design              | ICDD / GPM
Unit/Module Test Documentation                    | ICDD / V&V                 | ICDD / GPM
RTMs for the Requirements Definition Phase, the Design Phase, the Implementation and Integration Phase, and the Unit/Module Validation Testing Phase | ICDD / V&V | ICDD / GPM
V&V reports for the Requirements Definition Phase, the Design Phase, the Implementation and Integration Phase, and the Unit/Module Validation Testing Phase | ICDD / V&V | ICDD / GPM
Unit/Module V&V Report                            | ICDD / V&V                 | ICDD / GPM

* V&V personnel shall review the test plan described in the development plan.

6.6 Configuration Management (CM) Plan Review

The CM Plan Review is held to evaluate the adequacy and completeness of the configuration management methods defined in the CM Plan and their implementation. The results documented shall identify all deficiencies found and plans for their resolution.

The NICSD CM Procedure shall meet the requirements of NED Procedure AS-200A131. Review of the NICSD CM plan shall be performed in accordance with the NICSD VVP.

NED may also perform in-process review activities to verify that NICSD is working in compliance with the procedures, and pay attention to security concerns.

7 Test

Required testing to be performed in the scope of this SQAP includes:

(1) FPGA validation testing
(2) Unit/Module validation testing
(3) System validation testing
(4) Pre-Qualification testing

For these tests, test plans (if needed) and procedures shall be established prior to their execution, as stated in ICDD Procedure P-101. The test plans and procedures, along with other project documents, shall cover the requirements of test documentation in IEEE Std 829. In addition, the Pre-Qualification testing shall be planned and designed in accordance with EPRI TR-107330. The VVP shall describe more details about the validation testing, and the ERS shall describe more details about the Pre-Qualification testing.

NICSD shall perform the FPGA and Unit/Module Validation Testing in accordance with the Fuchu-IP QA Manual. These tests are considered part of NICSD's V&V activities, and shall meet the requirements of the NICSD VVP. Special notices in performing the FPGA Validation Testing are that:

* NICSD shall verify that full pattern coverage tests have been performed for every FE used in this FPGA/SER project.

* NICSD shall plan FPGA validation testing so that the tests achieve a 100% toggle coverage ratio for the connections between FEs. The toggle coverage ratio is the ratio of the number of toggled connections in the test vector to the number of operative, non-static connections. The VVP shall describe the toggle coverage scheme in more detail.
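To make the two coverage conditions above concrete, here is an added Python example (not NICSD's test environment and not the toggle coverage scheme the VVP defines; the FE, the connection names, the trace and the choice to count a connection as toggled when it changes value between consecutive samples are all assumptions). It computes full pattern coverage for one FE from the input patterns that were actually applied, and toggle coverage over a simulated trace of inter-FE connections, excluding tied-off (static) connections from the denominator as the definition requires.

```python
"""Full pattern coverage per FE and toggle coverage between FEs (added example)."""
from itertools import product


def pattern_coverage(n_inputs, observed_patterns):
    """Full pattern coverage for one FE with n_inputs binary inputs: every one
    of the 2**n input combinations must have been applied during the test.
    Returns (ratio, sorted list of patterns never applied)."""
    all_patterns = set(product((0, 1), repeat=n_inputs))
    seen = {tuple(p) for p in observed_patterns}
    missing = sorted(all_patterns - seen)
    return 1 - len(missing) / len(all_patterns), missing


def toggle_coverage(trace, static_connections=()):
    """Toggle coverage for the connections between FEs.

    trace: list of per-cycle samples, each {connection_name: 0 or 1}.
    A connection counts as toggled once its value changed between two
    consecutive samples. Names in static_connections (tie-offs to constant
    levels) are excluded from the denominator, matching 'operative,
    non-static connections'. Returns (ratio, sorted untoggled names)."""
    last, toggled = {}, set()
    for sample in trace:
        for conn, value in sample.items():
            if conn in last and last[conn] != value:
                toggled.add(conn)
            last[conn] = value
    excluded = set(static_connections)
    operative = sorted(c for c in last if c not in excluded)
    if not operative:
        return 1.0, []
    untoggled = [c for c in operative if c not in toggled]
    return 1 - len(untoggled) / len(operative), untoggled


# Constructed sample: a 2-input AND FE driven with three of its four input
# patterns, and a 5-cycle trace of three inter-FE connections, one of which
# is a ground tie-off declared static.
AND2_PATTERNS = [(0, 0), (0, 1), (1, 1), (0, 1)]
SAMPLE_TRACE = [
    {"fe1_out": 0, "fe2_en": 1, "tie_gnd": 0},
    {"fe1_out": 1, "fe2_en": 1, "tie_gnd": 0},
    {"fe1_out": 1, "fe2_en": 1, "tie_gnd": 0},
    {"fe1_out": 0, "fe2_en": 1, "tie_gnd": 0},
    {"fe1_out": 1, "fe2_en": 1, "tie_gnd": 0},
]
STATIC_CONNECTIONS = ("tie_gnd",)


def run_sample():
    """Evaluate both coverage measures on the constructed data."""
    p_ratio, p_missing = pattern_coverage(2, AND2_PATTERNS)
    t_ratio, t_untoggled = toggle_coverage(SAMPLE_TRACE, STATIC_CONNECTIONS)
    return {"pattern_ratio": p_ratio, "pattern_missing": p_missing,
            "toggle_ratio": t_ratio, "untoggled": t_untoggled}


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

On the constructed data the AND FE is at 75% pattern coverage with the (1, 0) input never applied, and toggle coverage is 50% because fe2_en was held at 1 for the whole vector; both lists tell the test planner exactly which vectors still have to be added before the 100% condition is met. Declaring a connection static is a design statement, not a test-time convenience, so the static list should come from the FPGA Specification rather than from whichever connections happened not to move.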

NICSD shall document the test results in the test reports.

NED shall be responsible for the System Validation Testing and the Qualification Testing. These tests shall be performed in accordance with NED Procedure AS-300A103, the test plans and the test procedures.

NED shall document the test results in the test reports.

8 Problem Reporting and Corrective Action

The purpose of a formal procedure for problem reporting and corrective action is to ensure that all errors and failures are promptly acted upon, in a uniform manner encompassing all project software. This procedure ties together the requirements of the VVP and the CM Plan. V&V activities are the primary vehicle for uncovering problems, while the CM Plan shall ensure that actions taken to correct problems by changing design artifacts are consistent and traceable.

Problem reporting shall be required for the following documentation:

* ERS
* SRS
* SDD
* VVP
* VVR
* RTM
* Source Code Documentation
* Source Code
* Test Documentation
* HAR
* SQ Report
* User documentation
* Operation and Maintenance Manual
* Schematics

In addition, any problem with the following devices and equipment shall be reported:

* FPGAs
* Modules
* Units
* PRM System

These documents, devices, and equipment are quality-related configuration items.

There are two types of problem reporting and corrective action process. The first type shall be used for problems found during the FPGA and Unit/Module Validation Testing; Section 8.1 describes the reporting process and corrective action for these problems. The second type shall be used for all other activities; Section 8.2 describes this reporting process.

8.1 Problem Reporting and Corrective Action during FPGA and Unit/Module Validation Testing

If NICSD finds any problem with the configuration items during FPGA validation testing, the problem shall be reported with a Problem Reporting Sheet (PRS) in accordance with NICSD Procedure D-68016. If NICSD finds any problem in documents during Unit/Module validation testing, the problem shall be reported with a Problem Reporting Sheet (PRS) in accordance with NICSD Procedure D-68017.

8.2 Problem Reporting and Corrective Action other than 8.1

Any problems with configuration items that are not covered by Section 8.1 shall be reported in the following manner:

* For a problem caused by NED, the problem shall be reported and corrected in accordance with NED Procedure AS-300A008.

* For a problem caused by NICSD, the problem shall be reported and corrected in accordance with NED Procedure AS-300A006.

Where it is not obvious which organization caused the problem, i.e. which procedure shall be applied, NED has the final responsibility for determining the organization.

The problems found during the RTM efforts shall be reported in the RTM reports.

9 Tools, Techniques and Methodologies

Software development for FPGA/SER projects shall use a number of techniques to help assure that all software is designed, implemented, and documented in accordance with the project objectives, meets the requirements, and is maintainable over time in the most cost-effective manner. The tools, techniques and methodologies employed in this process shall ensure that the software is verifiable from each phase of the project to the next. Tools, techniques and methodologies which can be used include the following:

* Use of structured design techniques for analyzing and developing the software design. These shall include data flow diagrams, where applicable, to represent the interactions among modular elements and the flow of data among them.

* Use of a VHDL simulator to check the FPGA functions.

* VHDL design rules are to be applied to avoid design errors.

* State transition diagrams, and analysis using those diagrams, shall be performed if the use of a state machine cannot be avoided in the FPGA design.

* Inspection of netlist files shall be performed to verify the correctness of the logic conversion performed by the design tool.

* VHDL design rules limiting the maximum logic depth shall be applied to prevent the undesirable switching phenomena in FPGAs called glitches. However, the maximum logic depth may be set larger than the timing constraint alone would allow, as long as there are documented evaluations of the logic timing.

* Static timing analysis can be applied to assure that glitches are avoided in the design.

* All members of the Engineering/Design Group and V&V Team shall be trained in the contents of this SQAP. This training shall be documented in each individual's QA training record.

* Use of the waterfall model of software development and testing techniques to help assure that the requirements are correctly translated into design and implementation products (the concept of the "waterfall" is shown in Figure 9-1).

* All logic shall be constructed only from FEs.
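Two of the bullets above, netlist inspection and the maximum-logic-depth design rule, can be checked together on a flattened netlist: walk every combinational path from a primary input or register output to the next register input or primary output, count the gates on it, and compare with the limit. The following is an added example and not Toshiba's design tool or any real Actel/ModelSim netlist format; the netlist encoding (node name to a kind and its input list), the gate-count depth metric and the limit of three are assumptions, and the sample netlist is constructed. It also rejects combinational loops, which no depth limit can express but which the same traversal finds for free.

```python
"""Maximum combinational logic depth check on a flattened netlist.

Added example for the design-rule bullets above; it is not Toshiba code and
does not model any real Actel/ModelSim netlist format. Each node is
(kind, list of input nodes); "dff" nodes are registers and terminate a
combinational path, "input"/"output" are ports. All of this is constructed.
"""
from typing import Dict, List, Set, Tuple

Netlist = Dict[str, Tuple[str, List[str]]]

# Constructed sample netlist.
NETLIST: Netlist = {
    "a": ("input", []),
    "b": ("input", []),
    "c": ("input", []),
    "n1": ("and", ["a", "b"]),
    "n2": ("or", ["n1", "c"]),
    "n3": ("xor", ["n2", "a"]),
    "q1": ("dff", ["n3"]),      # register: path a->n1->n2->n3 ends here
    "n4": ("not", ["q1"]),      # a new path starts at the register output
    "n5": ("and", ["n4", "n2"]),
    "y": ("output", ["n5"]),
}

# Constructed design-rule limit: gates allowed on one register-to-register
# (or port-to-register) path.
MAX_LOGIC_DEPTH = 3


def path_end_depths(netlist: Netlist) -> Dict[str, int]:
    """Gate count of the longest combinational path into every path endpoint
    (register D input or output port).

    Raises ValueError on a combinational loop, which is itself a design-rule
    violation rather than a long path.
    """
    memo: Dict[str, int] = {}
    on_stack: Set[str] = set()

    def depth_of(node: str) -> int:
        kind, inputs = netlist[node]
        if kind in ("input", "dff"):
            return 0                      # a path starts here
        if node in memo:
            return memo[node]
        if node in on_stack:
            raise ValueError(f"combinational loop through {node}")
        on_stack.add(node)
        d = 1 + max((depth_of(i) for i in inputs), default=0)
        on_stack.remove(node)
        memo[node] = d
        return d

    ends: Dict[str, int] = {}
    for node, (kind, inputs) in netlist.items():
        if kind in ("dff", "output"):
            ends[node] = max((depth_of(i) for i in inputs), default=0)
    return ends


def depth_violations(netlist: Netlist, limit: int) -> List[Tuple[str, int]]:
    """Endpoints whose longest incoming path exceeds the limit."""
    return sorted((e, d) for e, d in path_end_depths(netlist).items() if d > limit)


if __name__ == "__main__":
    print("path depths:", path_end_depths(NETLIST))
    print("violations at limit", MAX_LOGIC_DEPTH, ":",
          depth_violations(NETLIST, MAX_LOGIC_DEPTH))
    print("violations at limit 2:", depth_violations(NETLIST, 2))
```

Gate count is only a proxy for glitch exposure: the SQAP allows the depth limit to be exceeded when the logic timing has been evaluated and documented, and static timing analysis remains the check that decides whether a deep path is actually a problem. The value of running a check like this over the tool-generated netlist, rather than over the VHDL source, is that it sees the logic the design tool actually produced, which is what the netlist-inspection bullet asks for.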

[Figure 9-1 (diagram not reproduced): life cycle phases from the start of the project through Retirement, with the primary waterfalls on the left and nested waterfalls branching from them.]

Figure 9-1: An example of nested waterfalls

It should be noted that the use of the waterfall model includes nested waterfalls, because development processes frequently need to be iterated. Figure 9-1 shows the concept of nested waterfalls. In the figure, the left arrows indicate the primary waterfalls corresponding to the progress of the development process. If a non-conformance is found, e.g. at the Implementation & Integration Phase, the process shall pause at the phase in which the non-conformance was found. The cause of the non-conformance shall be identified, and then corrective actions shall be taken as a nested waterfall. In the figure the nested waterfall flows from the Design Phase through the Implementation & Integration Phase, where the activities affected by the corrective actions shall be updated. After the nested waterfall reaches the paused phase, the development process restarts.


10 Configuration Management and Media Control

10.1 Basis for Preparing a Project Specific CM Plan

Configuration Management (CM) is the process for identifying software configuration items, controlling the implementation of changes to those items, recording and reporting the status of changes, and verifying the completeness and correctness of the released items. The CM activities that NED shall perform include Document Control (DC) and Media Control. The CM Plan shall be used in conjunction with AS-200A131, Digital System Configuration Management Procedure.

This project has the following unique circumstances that complicate controlling and maintaining project documents and configuration management items:

* EPRI TR-107330, Section 7.7 establishes requirements for hardware and software configuration management. These EPRI requirements differ from the normal practices and procedural requirements at NED.

* This qualification project includes activities by NED and by NICSD. Each of these two groups has its own procedures for configuration and documentation control. Although configuration management for this project is ultimately the responsibility of NED, NICSD will perform many activities and will have a role in configuration management.

For these reasons, a Project Specific Configuration Management Plan shall be defined and implemented in this project to control the configuration management process so that all the requirements of NED, NICSD and EPRI TR-107330 are satisfied. Use of a Project Specific Configuration Management Plan is established in NED Procedure AS-200A131.

IEEE Std 828 is the industry standard for the SCM Plan; it defines six classes of Software Configuration Management (SCM) information: Introduction, Management, Activities, Schedules, Resources, and Plan Maintenance. The CM activities in this project relate to this information as follows:

(1) Introduction
See Sections 1 and 10.1 above.

(2) Management

The Monitoring System Engineering Group shall be responsible for CM in NED, while the NICSD Design Group shall be responsible for CM in NICSD.

(3) Activities
AS-200A131 describes the CM activities performed in NED. NICSD shall perform the CM activities in accordance with applicable NICSD procedures covering the requirements of IEEE Std 828. NICSD may establish a project specific CM plan if necessary. Sections 10.2 and 10.3 describe additional information about the CM activities.

(4) Schedules
As stated in AS-200A128, the CM activities are carried out in parallel with the software development activities; they shall be performed in accordance with the engineering schedules.

(5) Resources
The resources needed for CM activities shall be provided by the responsible Engineering/Design Group. The Master Configuration List (MCL) is a technique used for CM in this project; see Section 10.3.

(6) Plan Maintenance
The CM Plan shall be maintained as part of the SQAP. See Section 17.

10.2 Project Specific Configuration Management Requirements

This Project Specific CM Plan provides the configuration management process for the FPGA/SER project. In accordance with AS-200A131, this plan shall state:

* How to maintain all data required to reproduce the digital system and the development environment throughout all phases of the project.

* That Software Baselines shall be used to document the software configuration at phases during the development life cycle.

The CM Plan must state how the following materials will be controlled, for all FEs, FPGAs, modules and units used in the Test Specimen (including spare modules ordered for this procurement):

* Version and release information of the development system operating system software, required support utilities, and libraries.

* Version and release information of software development tools, utilities, and third party software components.
* Firmware revision levels.
* Document numbers and revision numbers for the documents needed for the reproduction of circuit boards.
* Document numbers and revision numbers for the documents that include the setting information for switches and jumpers.
* Electronic copies of each release of the software shipped with the system.
* Document number and revision number for the Software Quality Assurance Plan.
* Document number and revision number for the Verification and Validation Plan.
* Document numbers and revision numbers for the design documents.
* Document number and revision number for the RTM.
* Document numbers and revision numbers for the User documents.
* Document numbers and revision numbers for the test procedures.
* Version and release information of the test equipment software.
* Electronic copies of each release of the test equipment software.
* Document numbers and revision numbers for the Validation Test Reports.
* Nonconformance Notice Reports (NNRs).
* Design Change Notices (DCNs).

10.3 Project Specific Configuration Management Procedure

This SQAP section states the requirements for the project specific configuration management to be used in the FPGA/SER project, as follows:

* Overview of CM Process and Responsibilities throughout the Project:
  - NED shall prepare and maintain its own NED MCL throughout the FPGA/SER project.
  - NED shall provide a copy of the current MCL to NICSD with the procurement documents.
  - NICSD shall maintain the MCL current throughout their activities in this project, using NICSD Procedure D-68019.
  - NICSD shall provide the most current NICSD MCL to NED at the end of each life cycle phase (or more frequently, if requested by NED).
  - Upon receipt of the updated NICSD MCL, NED shall update the NED MCL to include all NICSD configuration items listed in the NICSD MCL, plus any new or revised NED configuration items. NED personnel know the most current status of NED configuration items by using the Project Controlled Document List (PCDL) in accordance with Procedure AS-100A004.
  - NED shall control the NICSD MCL as a vendor generated document in accordance with AS-200A010.
  - After acceptance of the units and modules from NICSD, NICSD's obligation to maintain the NICSD MCL ends. From that time, NED shall maintain the NED MCL current in accordance with Procedure AS-100A131.

  Note: Table 10-1 shows the CM activities and responsibilities for each phase of this project.

* MCL Contents:
  - The MCL shall contain the information needed to manage the configuration of the software and hardware.

* Change Control:
  - NED shall use the method of Section 6.4 of Procedure AS-200A131 to manage changes.
  - NICSD shall use the method of Section 5.5 of NICSD Procedure D-68019 to manage changes.

* V&V Activities:
  - The NED V&V Team shall perform V&V activities on the NED MCL throughout the project life cycle in accordance with the requirements of Procedure AS-200A130.
  - The NICSD V&V Team shall perform V&V activities on the NICSD MCL throughout the NICSD effort in accordance with NICSD Procedure D-68019. The NICSD V&V Team shall document the results of the NICSD V&V activities in the NICSD VVR for each phase.
  - The NED V&V Team shall review the NICSD V&V Team's VVR to ensure that NICSD is performing the appropriate V&V activities for the NICSD MCL.

  Note: The VVPs to be prepared by NED and NICSD shall include the requirements for the above activities, as applicable.

* Security:
  - NED and NICSD shall pay special attention to ensuring that the developed products do not contain any undocumented code or malicious code. The MCL should be maintained so as to prevent the infiltration of such code into the products.
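The MCL can only prevent the infiltration of undocumented code if each listed item carries something that identifies its exact content, and if the delivered product is checked against the list rather than the list being trusted on its own. The following is an added example serving the MCL Contents and Security bullets above; it is not Toshiba's MCL format or procedure. It assumes an MCL laid out as a map from relative file path to the item's revision and a SHA-256 digest, builds a constructed sample tree in a temporary directory, and then classifies every file in the tree as verified, modified, missing, or undocumented (present in the product but absent from the MCL). File names and contents are constructed.

```python
"""Verify a delivered configuration tree against a Master Configuration List.

Added example for the MCL and Security bullets of Section 10.3; it is not
Toshiba code. The MCL format (relative path -> revision and SHA-256) is an
assumption, and the sample tree, file names and contents are constructed in a
temporary directory so the script runs offline.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

MclEntry = Dict[str, str]
Report = Dict[str, List[str]]


def sha256_file(path: Path) -> str:
    """Content digest of one file, read in chunks so large netlists are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_files(root: Path) -> Dict[str, Path]:
    """Relative POSIX path -> Path for every regular file under root."""
    return {p.relative_to(root).as_posix(): p
            for p in sorted(root.rglob("*")) if p.is_file()}


def build_mcl(root: Path, revisions: Dict[str, str]) -> Dict[str, MclEntry]:
    """Record every file with its controlled revision and content digest."""
    return {rel: {"rev": revisions.get(rel, "uncontrolled"), "sha256": sha256_file(p)}
            for rel, p in tree_files(root).items()}


def verify_tree(root: Path, mcl: Dict[str, MclEntry]) -> Report:
    """Classify every file as verified, modified, missing or undocumented.

    'undocumented' is the case the Security bullet is about: a file that exists
    in the product but has no MCL entry, so nobody has reviewed or approved it.
    """
    present = tree_files(root)
    report: Report = {"verified": [], "modified": [], "missing": [], "undocumented": []}
    for rel, entry in mcl.items():
        p = present.pop(rel, None)
        if p is None:
            report["missing"].append(rel)
        elif sha256_file(p) != entry["sha256"]:
            report["modified"].append(rel)
        else:
            report["verified"].append(rel)
    report["undocumented"] = sorted(present)   # whatever the MCL never listed
    return report


def demo() -> Tuple[Report, Report]:
    """Build a constructed tree, record its MCL, tamper with it, re-verify."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "src").mkdir()
        (root / "src" / "prm_avg.vhd").write_text("-- constructed sample VHDL\n")
        (root / "lib" / "fe").mkdir(parents=True)
        (root / "lib" / "fe" / "fe_adder.edn").write_bytes(b"constructed FE library netlist")
        mcl = build_mcl(root, {"src/prm_avg.vhd": "Rev 2", "lib/fe/fe_adder.edn": "Rev 1"})
        clean = verify_tree(root, mcl)

        # Constructed tampering: edit a listed file, add an unlisted one,
        # and drop a listed FE library file.
        (root / "src" / "prm_avg.vhd").write_text("-- constructed sample VHDL\n-- extra logic\n")
        (root / "src" / "extra_unlisted.vhd").write_text("-- not in the MCL\n")
        (root / "lib" / "fe" / "fe_adder.edn").unlink()
        tampered = verify_tree(root, mcl)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean tree:   ", before)
    print("tampered tree:", after)
```

The check is only as strong as the custody of the MCL itself: if the list can be edited by whoever can edit the product, a modified file and its updated digest travel together and nothing is detected. That is why the plan has NED hold the final MCL as a QA record (Section 10.4), has the NICSD MCL controlled as a vendor generated document, and has an independent V&V team review the MCL each phase; the same applies to the FE library files delivered on CD-R, whose digests should be recorded at receipt so the permanent record and the list agree.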

10.4 Media Control

NICSD shall perform media control activities in accordance with NICSD Procedure D-68019.

NED shall store the final NED and NICSD configuration items, including the final MCL, as QA records in accordance with AS-100A007, "Filing Procedure for Quality Assurance Records."

As a special provision for NICSD, NICSD shall submit the FE library files used in the FPGA/SER project to NED by storing them on appropriate media, such as CD-R. NED shall preserve the media as a permanent record.


Table 10-1 Project Specific Configuration Management Process

| Activity | Responsibility | Applicable Procedure | Documents Listed in MCL |
|---|---|---|---|
| Prepare NED MCL for the Project Planning and Concept Definition Phase | NED | AS-200A131 | PCDL contents (including NED Project Planning and Concept Definition Phase documents) |
| Prepare NICSD MCL for the Requirements Definition Phase | NICSD | D-68019 | NED MCL; NICSD documents from this phase |
| Update NED MCL at end of this phase (based on NICSD's MCL) | NED | AS-200A131 | NICSD MCL; NED updated PCDL contents |
| Update NICSD MCL for the Design Phase | NICSD | D-68019 | NICSD documents from this phase |
| Update NED MCL at end of this phase | NED | AS-200A131 | NICSD MCL; NED updated PCDL contents |
| Update NICSD MCL for the Implementation & Integration Phase | NICSD | D-68019 | NICSD documents from this phase |
| Update NED MCL at end of this phase | NED | AS-200A131 | NICSD MCL; NED updated PCDL contents |
| Update NICSD MCL for the Unit/Module Validation Testing Phase | NICSD | D-68019 | NICSD documents from this phase |
| Update NED MCL at end of this phase | NED | AS-200A131 | NICSD MCL; NED updated PCDL contents |
| Update NED MCL for the System Validation Testing Phase | NED | AS-200A131 | NED updated PCDL contents; Test specimen configuration changes (if necessary) |
| Update NED MCL for Qualification Testing (if necessary) | NED | AS-200A131 | NED updated PCDL contents; Test specimen configuration changes (if necessary) |

Note: NED shall maintain the PCDL for this FPGA/SER project in accordance with Procedure AS-100A004 throughout the FPGA/SER project. This FPGA/SER Project Specific Configuration Management Plan does not address these PCDL procedure requirements.

Note: For the purpose of this FPGA/SER Project Specific Configuration Management Plan, the Qualification Testing is equivalent to the Operations and Maintenance Phase of the Software Life Cycle (as described in AS-200A128).

11 Vendor Control

The purpose of this section is to describe the software quality assurance measures to be applied to software supplied for the PRM System by parties other than NED.

In this case, NICSD shall perform supplier control for the software tools in accordance with NICSD standard D-68020.

NED shall review D-68020 to verify that the standard meets the reliability and safety goals of the FPGA/SER project.

11.1 Legacy Software

Legacy Software has been previously developed, but not under this SQAP, to satisfy a commercial market need. For this FPGA/SER project, Legacy Software is only software which is used in the development, production, or testing of the delivered FEs, FPGAs, and Units/Modules.

For the FPGA/SER project, no legacy software classified as SIL 3 or SIL 4 is used, and no Legacy Software is included in the PRM system.

In case NICSD uses any SIL 2 legacy software, NICSD shall conform to the requirements in Section 1.3.2.

11.2 Sub-Contracted Software/Services

Software which is developed by a sub-contractor shall adhere to the quality assurance requirements specified in this SQAP for that software.

Where available, third party contractors who supply software are required to provide feedback to the NED Engineering/Design Group Manager on problems encountered by the supplier or by other users of similar software. Where available, this feedback shall be supplied to the NED Engineering/Design Group Manager automatically, without request. Also, the Engineering/Design Group has the responsibility of informing the supplier of such software of any problems encountered by the user in the use or maintenance of the software.

Additional requirements for subcontracted software and services are as follows:

* Software and services must be procured from suppliers who are approved in accordance with the NED 10 CFR 50 Appendix B Quality Assurance program.

* Suppliers must have written quality assurance policies which meet the principles and intent of this SQAP.

* Purchase orders shall require the Supplier to make available documents which areevidence of compliance with the principles and intent of this SQAP.

* Purchase orders shall require the Supplier to deliver adequate user documentation, testprocedures and test reports.

For the FPGA/SER project, NICSD uses a manufacturer for the chips included in the system. Therefore, NICSD monitors the vendor activities related to software and software configuration in accordance with standard D-68020. Specifically, NICSD controls and/or monitors the vendor's activities using the following methods:

* Commercial Grade Survey
* CDR

NED will assist NICSD in performing these activities if needed.

For SIL 1 or SIL 0 legacy software, no special requirements are made in the FPGA/SER project, as long as the software is controlled in accordance with NED or NICSD standards, which prescribe installation records for the software and security control measures.

12 Records Collection, Maintenance and Retention

Records collection, maintenance and retention shall be in accordance with the NED 10 CFR 50 Appendix B Quality Assurance program, as described in NED Procedure AS-300A008.

Requirements for records collection, maintenance and retention by NICSD for the PRM System shall comply with the requirements described in NED Procedure AS-300A010, General Instruction for preparing "QA Record Control Procedure", with special provisions to be specified in the Job Order by NED.

13 Training

All personnel involved with the PRM System software shall be trained on this SQAP (either by classroom training or self-study).

Training and training documentation by NED for the PRM system shall comply with therequirements described in NED Procedure AS-100A008, Procedure for Indoctrination andTraining.

Training and training documentation by NICSD for the PRM System shall comply with the requirements described in NICSD Procedure D-68016, with special provisions to be specified in the Job Order by NED if needed.

14 Risk Management

Methods and procedures shall be employed to identify, assess, monitor and control areas of risk arising during the software development life cycle. As a minimum this shall include identification of the risks known at the start of the project and periodic reviews with Management to assess those risks and identify any new risks that arise during the project.

The PHA shall be used as a tool for risk management. NED Procedure AS-200A132 describes the processes and procedures for carrying out this analysis as the FPGA/SER project progresses.

Risk management shall be performed at the managerial meetings conducted by the NEDGroup Manager.

15 Abbreviations

BWR - Boiling Water Reactor
CAD - Computer Aided Design
CDR - Critical Digital Review
CFR - US Code of Federal Regulations
CG - Commercial Grade
CM - Configuration Management
DC - Document Control
DCN - Design Change Notice
DDR - Detailed Design Review
ERS - Equipment Requirements Specification
FAT - Factory Acceptance Test
FE - Functional Element
FPGA - Field-Programmable Gate Array
GPM - Group Manager
HA - Hazard Analysis
HMI - Human Machine Interface
ICDD - Control & Electrical System Design & Engineering Department
IEEE - Institute of Electrical and Electronics Engineers
IPSNE - Toshiba Corporation, Industrial and Power Systems & Service Company, Nuclear Energy
IR - Independent Reviewer
LAN - Local Area Network
LPRM - Local Power Range Monitor
MCL - Master Configuration List
NED - Nuclear Energy Systems & Services Division
NICSD - Nuclear Instrumentation & Control Systems Department, Fuchu IP
NNR - Nonconformance Notice Report
NRC - Nuclear Regulatory Commission
NRW-FPGA - Non-Rewritable Field Programmable Gate Array
PCDL - Project Controlled Document(s) List
PHA - Preliminary Hazard Analysis
PRM - Power Range Monitor
PRS - Problem Reporting Sheet
QA - Quality Assurance
RTM - Requirements Traceability Matrix
SAT - Site Acceptance Test
SER - Safety Evaluation Report
SDD - Software Design Description (Note: In other NED procedures, SDD means System Design Description)
SIL - Software Integrity Level
SQ - Software Quality
SQAP - Software Quality Assurance Plan
SRS - Software Requirements Specification
SRSR - Software Requirements Specification Review
VHDL - Very high speed integrated circuit Hardware Description Language
V&V - Verification and Validation
VVP - Verification and Validation Plan
VVR - Verification and Validation Report


16 Requirements Consistency between SQAP and EPRI TR-107330

EPRI TR-107330 provides detailed software quality assurance requirements for qualification projects. These requirements are incorporated into this SQAP by this reference. The following table shows where each EPRI TR requirement related to software quality assurance is addressed in this plan.

| EPRI TR-107330 Section | Requirement | SQAP Section |
|---|---|---|
| 4.2.2 | Control Function Requirements. The PLC shall provide a high-level language designed for control algorithms. | 5 |
| 4.4.5.2.E | Configuration Management. All PLC devices that include firmware shall be marked with an identifier that includes the revision level. | 10 |
| 4.7.8.1 | Parts Replacement Life Cycle Requirements. The baseline configuration of the qualified PLC shall be established. | 10 |
| 4.7.8.1 | Records shall be maintained for tracking failures. | 5.5 and 8 |
| 4.7.8.1 | Testing shall be performed as necessary to maintain a qualified platform based on future revisions or replacements. | 7 |
| 4.8 | Requirements for Third Party/Sub-Vendor Items. All items provided by sub-vendors or third parties shall be subjected to all applicable requirements and tests. Compatibility of operation with the PLC shall be demonstrated through tests. | 11 |
| 5.2.A | Application Objects Testing. Testing of the software objects in the PLC library shall be performed. This testing shall be in addition to any testing performed by the manufacturer. | 7 |
| 5.2.C | System Integration. The system integration testing portion of TSAP V&V shall be performed during acceptance testing. | 7 |
| 7.2.G | V&V Program Evaluation. The Qualifier shall evaluate the manufacturer's V&V program against the criteria in Section 7.4. | 6 |
| 7.4 | Verification and Validation Requirements. The Qualifier shall evaluate the manufacturer's V&V process for software, firmware and software tools against IEEE 7-4.3.2 and IEEE 1012. The Qualifier shall confirm the following basic requirements are met: a) there is a VVP for the PLC product, b) software development shall be done in accordance with a life cycle approach (see IEEE Std 1074-1995), and c) the software requirements document shall be reviewable. | 6 |
| 7.7 | Hardware Configuration Management Requirements. Software Configuration Management Requirements. | 10 |

17 SQAP Maintenance

The design engineers of the Engineering/Design Group shall be responsible for the maintenance of this SQAP. An updated SQAP shall be prepared, verified and approved in the same manner as the SQAP was first established.


Appendix A: Software Integrity Level Determination

IEEE Standard 1012-1998 defines Software Integrity Levels (SIL). The SIL shall be defined for all software for the PRM System, including software created under the Appendix B QA program and Legacy Software. Appendix A of NED Procedure AS-200A129 provides information that can be used to determine the SIL designation for the software.

Table A-1 shows the SIL for the software used in the project.

Table A-1 SIL for the project software

| Software | SIL |
|---|---|
| Safety-related PRM software | 4 |
| Non-safety PRM software (e.g. software for the user interface) | 4 |
| Test equipment software, Actel development software, ModelSim, Pinport | 2 |
| Programming editor, word processor, spreadsheet, database, mail agent, any other software used for project management, operating systems used to run SIL 1 and SIL 2 application software | 1 |
