## **ATTACHMENT 2**

Letter from Mark L. Marchi (WPSC)

То

Document Control Desk (NRC)

Dated

July 30, 1999

## **Reactor Protection and Engineered Safety Features Upgrade**

E3 Design, Verification and Validation Plan for Class 1E aud Category A Systems

- Non-Proprietary Class 3



# **E3**

# Design, Verification and Validation Plan for Class 1E and Category A Systems

**Revision 0** 

27 July 1999

©1999 Westinghouse Electric Company LLC All Rights Reserved

## **RECORD OF CHANGES**

Revision 0 27 July 1999

Changes: Initial revision (created from Revision 0 of NPD-PD-00003-GEN).



E3 Design, Verification, and Validation Plan for Class 1E and Category A Systems

· · · ·

| TABLE OF CONTENTS                                                                       |                           |
|-----------------------------------------------------------------------------------------|---------------------------|
| 1. INTRODUCTION AND SCOPE                                                               | 1                         |
| 1.1. Purpose                                                                            | 1                         |
| 1.2. Scope                                                                              | 1                         |
| 1.3. Relationship to Previous Processes                                                 | 1                         |
| 2. DEFINITIONS                                                                          | 3                         |
| 2.1. Acronyms                                                                           | 3                         |
| 2.2. Terms                                                                              |                           |
| 3. REFERENCES                                                                           | 6                         |
| 4. REGULATORY GUIDANCE                                                                  | 7                         |
| 5. APPLICABLE STANDARDS                                                                 | 8                         |
| 6. OVERVIEW OF THE DESIGN, VERIFICATION AND VALIDATION PROCESS                          | ES9                       |
| 6.1. [ ] <sup>a,c</sup> Design, Verification and Validation Process Overview            | 9                         |
| 6.2. [ ] <sup>a,c</sup> Design, Verification and Validation Process Overview            |                           |
| 6.3. Supporting Processes                                                               | 11                        |
| 7. [ ] <sup>a,c</sup> DESIGN ACTIVITIES                                                 |                           |
| 7.1. [ ] <sup>a,c</sup> Definition Activity                                             |                           |
| 7.2. [ ] <sup>a,c</sup> System Design Activities                                        |                           |
| 7.2.1. System Requirements Analysis                                                     |                           |
| 7.2.2. System Architectural Design                                                      |                           |
| 7.3. [ ] <sup>a,c</sup> Software Design Activities                                      |                           |
| 7.3.1. Software Requirements Analysis                                                   |                           |
| 7.3.2. Software Architectural Design                                                    | 16                        |
| 7.3.3. Software Detailed Design                                                         |                           |
| 7.3.4. Software Coding and Engineering Testing                                          |                           |
| 7.4. [ ] <sup>a.c</sup> Hardware Design Activities                                      |                           |
| 7.4.1. Hardware Requirements Analysis                                                   |                           |
| 7.4.2. Hardware Implementation Decision                                                 |                           |
| 7.4.3. Hardware Implementation                                                          |                           |
| 7.4.4. Commercial Dedication Instruction                                                |                           |
| 7.4.5. Final Documentation Package                                                      |                           |
| 7.5. [ ] <sup>a,c</sup> Integration Activity                                            |                           |
| 8. [ ] <sup>ac</sup> VERIFICATION ACTIVITIES                                            |                           |
| E3 Design, Verification, and Validation Plan jii<br>for Class 1E and Category A Systems | Revision 0<br>27-JUL 1999 |

| 8.1. Review       | Турез                                                            | 22 |
|-------------------|------------------------------------------------------------------|----|
| 8.1.1. [          | ] <sup>a,c</sup>                                                 | 22 |
| 8.1.2. [          | ] <sup>a,c</sup>                                                 | 22 |
| 8.1.3. [          | ] <sup>a,c</sup>                                                 | 23 |
| 8.1.4. [          | ] <sup>a,c</sup>                                                 | 23 |
| 8.2. Review       | Techniques                                                       |    |
| 8.2.1. Insp       | pection                                                          | 23 |
| 8.2.2. Ana        | lysis                                                            |    |
| 8.2.3. Test       | ting                                                             | 24 |
| 8.2.4. Reg        | ression Analysis and Testing                                     | 24 |
| 8.3. [            | ] <sup>a,c</sup> Verification Effort                             |    |
| 9. [              | ] <sup>ac</sup> VALIDATION TEST AND EQUIPMENT QUALIFICATION TEST |    |
| 9.1. [            | ] <sup>a,c</sup> Validation Test                                 |    |
| 9.2. Equipme      | ent Qualification                                                |    |
| 10. [             | ] <sup>a,c</sup> DESIGN ACTIVITIES                               |    |
| 10.1. [           | ] <sup>a,c</sup> Definition Activity                             | 27 |
| 10.2. Functio     | nal Requirements Capture Activity                                |    |
| 10.3. [           | ] <sup>a,c</sup> System Design Activities                        |    |
| 10.3.1. [         | ] <sup>a,c</sup> Requirements Analysis                           | 29 |
| 10.3.2. [         | ] <sup>a,c</sup>                                                 | 29 |
| 10.4. [           | ] <sup>a,c</sup>                                                 |    |
| 10.5. [           | ] <sup>a,c</sup> Hardware Design Activities                      |    |
| 10.5.1. <b>Ha</b> | rdware System Configuration                                      |    |
| 10.5.2. Ha        | rdware Cabinet Configuration                                     |    |
| 10.5.3. Ma        | anufacturing                                                     |    |
| 10.6. [           | ] <sup>a,c</sup> Integration Activity                            | 31 |
| 11. [             | ] <sup>a,c</sup> VERIFICATION ACTIVITIES                         |    |
| 12. [             | ] <sup>a,c</sup> VALIDATION AND QUALIFICATION TESTS              |    |
| 12.1. [           | ] <sup>a,c</sup> Specific Qualification                          |    |
| 12.2. Factory     | Acceptance Test                                                  |    |
| 12.3. Site Ac     | ceptance Test                                                    |    |
| 13. SUMMARY       | Y OF DESIGN, VERIFICATION AND VALIDATION DOCUMENTS               |    |

•

## LIST OF TABLES

| Table 1: [ | ] <sup>a,c</sup> Design, Verification, and Validation Documents | 36 |
|------------|-----------------------------------------------------------------|----|
| Table 2: [ | ] <sup>a,c</sup> Design, Verification, and Validation Documents | 38 |

E3 Design, Verification, and Validation Plan for Class 1E and Category A Systems

## Westinghouse Non-Proprietary Class 3

## **LIST OF FIGURES**

| Figure 1: [ | ] <sup>a,c</sup> Design Verification and Validation Overview |
|-------------|--------------------------------------------------------------|
| Figure 2: [ | ] <sup>a,c</sup> Design Verification and Validation Overview |
| Figure 3: [ | ] <sup>a,c</sup> Design Verification and Validation Detail14 |
| Figure 4: [ | ] <sup>a,c</sup> Hardware Design Process                     |
| Figure 5: [ | ] <sup>a,c</sup> Design, Verification, and Validation        |

E3 Design, Verification, and Validation Plan for Class 1E and Category A Systems

vi

## **1. INTRODUCTION AND SCOPE**

This document was prepared in accordance to the [ ]<sup>a,c</sup>.

#### 1.1. Purpose

The purpose of this document is to define, at a high level, the design, verification, and validation processes that are used to produce safety systems using the E3 [  $]^{a,c}$ . The E3 [  $]^{a,c}$  represents the integration of the commercially available Ovation<sup>TM</sup> hardware (with some enhancements) and the Eagle Series embedded safety software developed for the Eagle 21<sup>TM</sup> product line and the Sizewell primary protection system and subsequently used for the Temelin and Ignalina projects.

The intended uses of this document include: internal guidance and instruction, support of licensing submittals, support of audits, and support of proposal efforts.

#### 1.2. Scope

This document addresses the design, verification and validation processes for the standard E3 [ and for projects using the [ ]<sup>a,c</sup> to implement Class 1E and Category A systems for specific applications and customers. [

]<sup>a,c</sup>.

]<sup>8,C</sup>

#### **I.3.** Relationship to Previous Processes

]<sup>a,c</sup>.

The processes defined in this document and the subordinate documents referred to herein, are based on the processes previously used by Westinghouse to develop microprocessor-based safety systems.

]<sup>a,c</sup>:

]<sup>a,c</sup>.

]<sup>a,ç</sup>

E3 Design, Verification, and Validation Plan for Class 1E and Category A Systems

]<sup>a,c</sup>.

ſ

ſ

Revision 0 27-JUL 1999

]<sup>a,c</sup>.



E3 Design, Verification, and Validation Plan for Class 1E and Category A Systems

Revision 0 27-JUL 1999

## 2. **DEFINITIONS**

## 2.1. Acronyms

| E3   | E3 is the temporary internal Westinghouse NPD name for a safety system product line based upon the Eagle series software and an Ovation <sup>™</sup> compatible hardware platform. |
|------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| EMI  | Electromagnetic Interference                                                                                                                                                       |
| FAT  | Factory Acceptance Test                                                                                                                                                            |
| HDS  | Hardware Design Specification                                                                                                                                                      |
| HRS  | Hardware Requirements Specification                                                                                                                                                |
| 1&C  | Instrumentation and Control                                                                                                                                                        |
| 1/0  | Input/Output                                                                                                                                                                       |
| PL/M | PL/M is a microprocessor programming language specified by Intel Corporation. It is based on the PL/1 programming language.                                                        |
| SAT  | Site Acceptance Test                                                                                                                                                               |
| SDD  | Software Design Description                                                                                                                                                        |
| SDR  | System Design Requirements                                                                                                                                                         |
| SDS  | System Design Specification                                                                                                                                                        |
| SRS  | Software Requirements Specification                                                                                                                                                |
|      |                                                                                                                                                                                    |

| 2.2. Terms<br>Analysis |                  | A review technique that consists of a formally documented evaluation or calculation to confirm some aspect of a design. (See Section 8.2.2.) |                    |  |  |  |
|------------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------|--------------------|--|--|--|
| [                      | ] <sup>a,c</sup> | [                                                                                                                                            | ] <sup>a,c</sup> . |  |  |  |
| [<br>] <sup>a,c</sup>  |                  | [                                                                                                                                            | <b>,</b>           |  |  |  |

**Category** A

A Function, and the associated Systems and Equipment (FSE) that implement it, which plays a principal role in the achievement or maintenance of Nuclear Power Plant safety. Category A FSE prevent Postulated Initiating Events (PIEs) from leading to a significant sequence of events, or mitigate the consequences of PIEs. [IEC 1226]

]<sup>a,c</sup>.

E3 Design, Verification, and Validation Plan for Class 1E and Category A Systems

Class 1E

]<sup>a,c</sup>

1

The safety classification of the electrical equipment and systems that are essential to emergency reactor shutdown, containment isolation, reactor core cooling, and containment and reactor heat removal, or are otherwise essential in preventing significant release of radioactive material to the environment. [IEEE 603]

A formal test that provides validation of the system functionality as specified in the

A model of a concurrent system that is expressed in a specific graphical notation and can be used to explore certain properties of the system. [Dictionary of Computing]

]<sup>a,c</sup>.

]<sup>a,c</sup>.

]<sup>a,c</sup>.

]<sup>a,c</sup>.

Factory Acceptance Test

]<sup>a,c</sup>

]<sup>a,c</sup>

T

I

ſ

]<sup>a,c</sup>.

Inspection

A review technique that consists of examining the entity being verified, either hardware or software. (See Section 8.2.1.)

]<sup>a,c</sup>.

system functional requirements. (See Section 12.2.)

Petri Net

I

í

Qualification Testing Regression

]<sup>a,c</sup>

]<sup>a,c</sup>

Testing

operational use. [IEEE 610.12] Selective retesting of a system or component to verify that modifications have not caused unintended effects, and that the system or component still complies with its specified requirements. [IEEE 610.12]

Testing conducted to determine whether a system or component is suitable for

Site Acceptance Test

1<sup>8,0</sup>

Site acceptance V&V accomplished through a testing activity in the nuclear power generating station. Site acceptance testing should be utilized to provide adequate confidence of the following:

a) No damage has occurred due to shipment or installation

b) Computer is compatible with the nuclear power generating station

c) Correctness of interfaces to other plant systems that may have been simulated during the FAT. [IEEE 7-4.3.2]

E3 Design, Verification, and Validation Plan for Class 1E and Category A Systems

#### Westinghouse Non-Proprietary Class 3

Test

I

A review technique that consists of operating the system or component, either hardware or software, under specified conditions, observing or recording the results, and making an evaluation of some aspect of the system or component based upon the results. (See Section 8.2.3.)

Validation

Verification

]<sup>a,c</sup>

[

The test and evaluation of the integrated computer system (hardware and software) to ensure compliance with the functional, performance, and interface requirements. [IEC 880]

]<sup>a,c</sup>.

The process of determining whether or not the product of each phase of the computer system development process fulfills all the requirements imposed by the previous design phase. [IEC 880]



E3 Design, Verification, and Validation Plan for Class 1E and Category A Systems Revision 0 27-JUL 1999

. .

]<sup>a,c</sup>

]<sup>a,c</sup>

]<sup>a,c</sup>

]<sup>a,c</sup>

]<sup>a,c</sup>

## 3. **REFERENCES**

[ [

[

[

1

Dictionary of Computing, Dictionary of Computing, Oxford University Press, 1983.

E3 Design, Verification, and Validation Plan for Class 1E and Category A Systems

Revision 0 27-JUL 1999

## 4. **REGULATORY GUIDANCE**

The following documents provide regulatory guidance from the United States Nuclear Regulatory Commission:

- USNRC Regulatory Guide 1.152. "Criteria for Digital Computers in Safety Systems of Nuclear Power Plants."
- USNRC Regulatory Guide 1.168. "Verification, Validation, Reviews, and Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants."
- USNRC Regulatory Guide 1.169. "Configuration Management Plans for Digital Computer Software Used in Safety Systems of Nuclear Power Plants."
- USNRC Regulatory Guide 1.170. "Software Test Documentation for Digital Computer Software Used in Safety Systems of Nuclear Power Plants."
- USNRC Regulatory Guide 1.171. "Software Unit Testing for Digital Computer Software Used in Safety Systems of Nuclear Power Plants."
- USNRC Regulatory Guide 1.172. "Software Requirements Specifications for Digital Computer Software Used in Safety Systems of Nuclear Power Plants."

USNRC Regulatory Guide 1.173. "Developing Software Life Cycle Processes for Digital Computer Software Used in Safety Systems of Nuclear Power Plants."

. 7

## 5. APPLICABLE STANDARDS

The following standards are used for [ ]<sup>a,c</sup>:

ASME Std NQA-1-1994. "Quality Assurance Requirements for Nuclear Facility Applications."

CEI/IEC 1226-1993-05. "Nuclear power plants - Instrumentation and control systems important for safety - Classification."

IEC 880-1986. "Software for Computers in the Safety Systems of Nuclear Power Stations."

IEEE Std 7-4.3.2-1993. "IEEE Standard for Digital Computers in Safety Systems of Nuclear Power Generating Stations" as endorsed by Reg. Guide 1.152.

IEEE Std 603-1991, "IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations."

IEEE Std 610.12-1990, "IEEE Standard Glossary of Software Engineering Terminology."

IEEE Std 828-1990. "IEEE Standard for Software Configuration Management Plans" as endorsed by Reg. Guide 1.169.

IEEE Std 829-1983. "IEEE Standard for Software Test Documentation" as endorsed by Reg. Guide 1.170.

IEEE Std 830-1993. "IEEE Recommended Practice for Software Requirements Specifications" as endorsed by Reg. Guide 1.172.

IEEE Std 1008-1987. "IEEE Standard for Software Unit Testing" as endorsed by Reg. Guide 1.171.

IEEE Std 1012-1986. "IEEE Standard for Software Verification and Validation Plans" as endorsed by Reg. Guide 1.168.

IEEE Std 1028-1988. "IEEE Standard for Software Reviews and Audits" as endorsed by Reg. Guide 1.168.

- IEEE Std 1042-1987. "IEEE Guide to Software Configuration Management" as endorsed by Reg. Guide 1.169.
- IEEE Std 1074-1995. "IEEE Standard for Developing Software Life Cycle Processes" as endorsed by Reg. Guide 1.173.
- IEEE/EIA Std 12207.0-1996. "Industry Implementation of International Standard ISO/IEC 12207." This standard shall be used in preference to IEEE 1074 as the primary guidance for Software Life Cycle Processes.
- IEEE Std 12207.1. "IEEE Guide for Information Technology Software Life Cycle Processes Life Cycle Data" used as guidance in the application of ISO/IEC 12207.
- IEEE Std 12207.2. "IEEE Guide for Information Technology Software Life Cycle Processes -Implementation" used as guidance in the application of ISO/IEC 12207.

E3 Design, Verification, and Validation Plan for Class 1E and Category A Systems

Revision 0 27-JUL 1999

# 6. OVERVIEW OF THE DESIGN, VERIFICATION AND VALIDATION PROCESSES

Figure 1 and Figure 2 show overviews of the design, verification, and validation processes. [

The Eagle Series embedded safety system software architecture recognizes [

]<sup>a,c</sup>.

]<sup>a,c</sup>.

## ]<sup>a,c</sup>.

## ]<sup>a,c</sup> Design, Verification and Validation Process Overview

]<sup>a,c</sup>.

ſ

6.1.

ĺ

Figure 1: []<sup>a,c</sup> Design Verification and Validation Overview(Detailed process is shown in Figure 3 and Figure 4)

## ]<sup>a,c</sup>.

6.2. [ ]<sup>a,c</sup> Design, Verification and Validation Process Overview Figure 2 graphically shows an overview of the [ ]<sup>a,c</sup> Design, Verification and Validation Process.

E3 Design, Verification, and Validation Plan for Class 1E and Category A Systems

I

Revision 0 27-JUL 1999

a,c

Figure 2: [

# ]<sup>a,c</sup> Design Verification and Validation Overview (Detailed process is shown in Figure 5)

]<sup>a,c</sup>.

## ]<sup>\$,c</sup>.

## 6.3. Snpporting Processes

ĺ

Processes that support both the [ ]<sup>a,c</sup> Design, Verification and Validation Process and the [ ]<sup>a,c</sup> Design, Verification and Validation Process include the [

E3 Design, Verification, and Validation Plan for Class 1E and Category A Systems 11

Revision 0 27-JUL 1999 a<u>,c</u>

]<sup>a,c</sup> DESIGN ACTIVITIES

The [ ]<sup>a,c</sup> Design, Verification, and Validation Process is detailed in Figure 3. The figure emphasizes system and software activities. Hardware activities are presented in Figure 4. The figures show the activities as purely sequential (similar to the classic "Waterfall" methodology).

]<sup>a,c</sup>.

7.1. The [ [

7.

## ]<sup>a,c</sup> Definition Activity

]<sup>a,c</sup> Definition Activity produces the following types of items:

1. Identification of the intended application(s) of the [ ]<sup>a,c</sup>.

2. Identification of the licensing requirements for the intended applications.

3. Documentation of the objectives and/or goals of the [ ]<sup>a.c</sup>.

4. An early evaluation of potential problems.

5. Identification of external system interfaces.

6. Definition of particular options and features.

7. Identification of design constraints.

]<sup>ª,¢</sup>.

This information shall become part of the [

E3 Design, Verification, and Validation Plan for Class 1E and Category A Systems

#### Westinghonse Non-Proprietary Class 3

Figure 3: [

]<sup>a,c</sup> Design Verification and Validation Detail (Overview is shown in Figure 1)

E3 Design, Verification, and Validation Plan for Class 1E and Category A Systems 13

Revision 0 27-JUL 1999 a,c-

## 7.2. [ ]<sup>a,c</sup> System Design Activities

The Platform System Design Activities include two major efforts: [ ]<sup>a,c</sup> System Requirements Analysis and [ ]<sup>a,c</sup> System Architectural Design.

#### 7.2.1. System Requirements Analysis

The System Requirements Analysis activity determines the system requirements based on the intended applications (and other information) as identified in the [ ]<sup>a,c</sup>. Items to be considered include:

- 1. Regulatory Requirements
- 2. Safety Requirements
- 3. Reliability and Availability Requirements
- 4. Qualification Requirements
- 5. Power and Grounding Requirements
- 6. Human System Interface Requirements
- 7. External Interface Requirements
- 8. Test Requirements
- 9. Development Tools
- 10. Maintenance Tools
- 11. Design Constraints
- 12. Typical Installation Constraints
- 13. Abnormal Conditions and Events
- 14. Verification and Validation Requirements
- 15. Quality Assurance Requirements
- 16. Time Response
- 17. Accuracy

This information is documented in the System Design Requirements. [

]<sup>a,c</sup>.

## 7.2.2. System Architectural Design

The System Architectural Design activity consists of defining the architectural elements that will be supported by the platform and establishing typical top-level [

]<sup>a,c</sup>. The architectures shall identify [

]<sup>a,c</sup>. It shall ensure that all system requirements are allocated among the items.

Items to be considered include:

- 1. Consistency with the System Design Requirements.
- 2. Appropriateness of reusing previously developed software items and previously developed hardware items.
- 3. Feasibility of developing the missing software items.

E3 Design, Verification, and Validation Plan for Class 1E and Category A Systems

14

4. Feasibility of developing or purchasing the missing hardware items.

5. Ease of operation and maintenance.

- 6. Implementation constraints
  - ]<sup>a,c</sup>.

## 7.3. [ ]<sup>a,c</sup> Software Design Activities

The [ ]<sup>a,c</sup> Software Design Activities include Software Requirements Analysis, Software Architectural Design, Software Detailed Design, and Software Coding and Engineering Testing.

#### 7.3.1. Software Requirements Analysis

The [ ]<sup>a,c</sup> Software Requirements Analysis activity establishes and documents the software requirements for each software item identified in the System Design Specification.

Items to be considered include:

- 1. Functionality and capability requirements
- 2. Interfaces to other software items
- 3. Interfaces to hardware items
- 4. Safety requirements
- 5. Human factors requirements
- 6. Database requirements
- 7. Operation and maintenance requirements
- 8. Design standards
- 9. Verification requirements

]<sup>a,c</sup>.

#### 7.3.2. Software Architectural Design

The Software Architectural Design activity establishes an architecture for each software item based on its Software Requirements Specification. The architecture describes the top-level structure of the software items and identifies the software components required to implement the item. Each of the software item's requirements are refined and assigned to a software component. The top-level interface between software components is defined.

If the software components identified in this activity require further decomposition, the Software Requirements Analysis activity and the Software Architectural Design Activity should be applied recursively.

]<sup>a,c</sup>.



ſ

ſ

E3 Design, Verification, and Validation Plan for Class 1E and Category A Systems

]<sup>a,c</sup>

]<sup>a,c</sup>.

#### 7.3.3. Software Detailed Design

ŧ

ſ

[

ſ

1

7.4.

The developer shall establish a detailed design for each software component. The components shall be refined into lower level software units that can later be coded, compiled, and tested. Software requirements shall be allocated from the components to the units. Detailed interfaces shall be defined to external software, other software items, other software components, and other software units, as necessary.

### 7.3.4. Software Coding and Engineering Testing

The developer shall write the code and otherwise complete the [ ]<sup>a,c</sup> modules in accordance with the appropriate language specific design and coding standards. [

]<sup>a,c</sup>

]<sup>&,c</sup>.

]<sup>a,c</sup>.

]<sup>a,c</sup> The developer shall compile the modules and test the software. [The testing performed at this stage also includes software integration testing]<sup>a,c</sup>. The developer shall combine the modules with other platform modules, application modules, and test modules. The test modules shall be designed to exercise the software in a configuration that is typical of its intended use.

]<sup>≞,c</sup>.

## ]<sup>a,c</sup> Hardware Design Activities

E3 Design, Verification, and Validation Plan for Class 1E and Category A Systems

#### Westinghouse Non-Proprietary Class 3

a,c-

Figure 4: [ E3 Design, Verification, and Validation Plan for Class 1E and Category A Systems ]<sup>a,c</sup> Hardware Design Process

17

## 7.4.1. Hardware Requirements Analysis

The Hardware Requirements Analysis activity establishes and documents the hardware requirements for each hardware item identified in the System Design Specification.

Items to be considered include:

- 1. Functional requirements
- 2. Interfaces to other hardware items
- 3. Interfaces to software items
- 4. Safety requirements
- 5. Human factors requirements
- 6. Qualification requirements
- 7. Operation and maintenance requirements
- 8. Design standards
- 9. Verification requirements

]<sup>a,c</sup>.

This information is documented in the Hardware Requirements Specification.

Some hardware functions are sufficiently complex as to require additional decomposition into subordinate hardware items (not directly referenced by the System Design Specification). The Hardware Requirements Analysis Activity will produce individual hardware requirements for these subordinate hardware items.

#### 7.4.2. Hardware Implementation Decision

The Hardware Implementation Decision activity determines the implementation path for each hardware item or component. Possible implementation paths include: Internal Design, Subcontract Desigu and Purchase of Commercial Product. This activity includes evaluation of Commercial Products against the hardware requirements.

#### 7.4.3. Hardware Implementation

The Hardware Implementation activity takes one of three paths based on the Hardware Implementation Decision. The separate steps in each path are described below. The three design paths re-converge later in the process.

#### 7.4.3.1. Internal Design Path

Items that have been identified to be designed in-house shall use the following steps.

#### 7.4.3.1.1. Hardware Preliminary Design

The developer produces a preliminary design that establishes the basic functions, an explanation of operation, the performance characteristics, and the user operation or interface characteristics of the item.

18

]<sup>a,c</sup>.

E3 Design, Verification, and Validation Plan for Class 1E and Category A Systems

7.4.3.1.2. Hardware Implementation and Engineering Testing The developer produces a detailed design and tests the hardware. [

#### 7.4.3.2. Subcontractor Desigu Patb

Some items may be more effectively produced by an outside design organization. Typically, these items represent customization of a vendors' standard product. Items that have been identified to be designed by outside vendors shall use the following steps.

]<sup>a,c</sup>.

#### 7.4.3.2.1. Vendor Selection

The Hardware Requirements Document for the item is transmitted to potential vendors. Additional vendor requirements may be identified and transmitted to the vendor. Supply Management and Quality Assurance are involved in the process of defining additional vendor requirements. A vendor is selected based on the l

#### 7.4.3.2.2. Design

The vendor produces a preliminary design that meets the basic functions defined in the Hardware Requirements Document. [

]<sup>a,c</sup>. The results of the technical review are documented and transmitted to the vendor, and tracked for resolution.

#### 7.4.3.2.3. Quality Assurance Vendor Commercial Survey

Quality Assurance performs a survey of the vendor in accordance with  $]^{a,c}$ . Engineering provides inputs to the requirements that are placed on the sub-contractor. At a minimum, the sub-contractor is evaluated for design control. Control of the design is necessary to form a [ $]^{a,c}$ .

7.4.3.3. Commercial Product Path

Some functions may be provided by existing commercially available standard products. The specific activities for these items are described below.

#### 7.4.3.3.1. Vendor Selection

Item requirements are identified and transmitted to the vendor. Supply Management and Quality Assurance are involved in the process of defining any additional vendor requirements. A vendor is selected based on the [ ]<sup>a,c</sup>.



E3 Design, Verification, and Validation Plan for Class 1E and Category A Systems

Quality assurance performs a survey of the vendor in accordance with [ ]<sup>a,c</sup>. Engineering provides inputs to the requirements that are placed on the vendor. At a minimum, the vendor is evaluated for design control. Control of the design is necessary to form a [ ]<sup>a,c</sup>.

]<sup>a,c</sup>.

]<sup>a,c</sup>.

]<sup>a,c</sup>.

# 7.4.4. Commercial Dedication Instruction

A commercial dedication instruction is developed or an [

#### 7.4.5. Final Documentation Package

For each hardware item, whether internally designed, externally designed or purchased, a set of documentation will be produced. This may consist of [

## 7.5. [ ]<sup>a,c</sup> Integration Activity

The developers shall combine the software and hardware items with other product software and hardware and test equipment. The test setup shall be designed to exercise the system (or representative portions of the system) in configurations that are typical of its intended use.

]<sup>₽,¢</sup>.

[

E3 Design, Verification, and Validation Plan for Class 1E and Category A Systems

## 8. [ ]<sup>a,c</sup> VERIFICATION ACTIVITIES

The following sections define the various review types, the review techniques that can be employed, and the required platform verification effort.

## 8.1. Review Types

Reviews are used to perform verification of the design. Documentation produced by these reviews, either review comments, responses to comments, or reports, will become part of the records. The reviews may consist of any of the following:



The [

ſ

1

ſ

[

]<sup>a,c</sup>.

]<sup>a,c</sup>

]<sup>a,c</sup>.

]<sup>a,c</sup>.

8.1.2.

]<sup>a,c</sup>.

]<sup>a,c</sup>.

E3 Design, Verification, and Validation Plan for Class 1E and Category A Systems

21

]<sup>a,c</sup>

]<sup>a,c</sup>.

]<sup>a,c</sup>

]<sup>a,c</sup>.

# 8.1.4. [

ſ

ſ

ſ

8.1.3.

## 8.2. Review Techniques

#### 8.2.1. Inspection

Inspections consist of examining the entity being verified, either hardware or software. Typically, the item is (1) compared to a defined set of acceptance criteria, (2) compared to its requirements, and (3) examined for correctness.

]<sup>a,c</sup>

]<sup>a,c</sup>

### 8.2.2. Analysis

Analysis consists of a formally documented evaluation or calculation to confirm some aspect of the design. Analysis includes, but is not limited to, formal proofs, Petri Net and other graphical analysis methods, and related techniques. The analysis may be performed by the verifier, or the verifier may review an analysis performed by the designer.

E3 Design, Verification, and Validation Plan for Class 1E and Category A Systems

Revision 0 27-JUL 1999

]<sup>a,c</sup>.

### 8.2.3. Testing

Testing consists of operating the system or component, either hardware or software, under specified conditions, observing or recording the results, and making an evaluation of some aspect of the system or component based upon the results. Testing will be performed in a

]<sup>a,c</sup>.

#### 8.2.4. Regression Aualysis and Testing

Regression analysis and testing are V&V techniques that are applicable to modifications of a previously verified item.

### 8.2.4.1. Regression Analysis

Regression analysis evaluates the differences between different releases of a controlled configuration item (e.g., documentation, hardware, software, or system) to determine the V&V actions required. The regression analysis should take account of the following when specifying the V&V technique:

- Type of change (e.g., Function, Configuration, Connection, etc.)
- Complexity of change

• Independence or modularity of the modification from the other parts of the system

• Impacts on interfacing systems

]<sup>ª,c</sup>.

# .

#### 8.2.4.2. Regression Tests

Regression tests are a selective retest of the system or component to verify the correctness of the modification. The regression analysis focuses the V&V test on the change. For the areas of the design that have not been changed, credit is taken for previously completed V&V actions. The regression tests should make use of existing test procedures when applicable.

## 8.3. [ ]<sup>a,c</sup> Verification Effort

As the [ ]<sup>a,c</sup> Design Activities proceed in a top-down fashion, the [ ]<sup>a,c</sup> Verification Activities are performed in a stepwise fashion. As shown in Figure 3 and Figure 4, the following design products are checked for consistency and correctness:

1. System Design Products

a) System Design Requirements -- [

b) System Design Specification --[

]<sup>₽,¢</sup>.

2. Software Design Products

a)

- Software Requirements Specifications -- [

]<sup>ª,c</sup>.

E3 Design, Verification, and Validation Plan for Class 1E and Category A Systems 23

]<sup>a,c</sup>.

]<sup>a,c</sup>.

]<sup>a,c</sup>.

]<sup>a,c</sup>.

b) Software Design Descriptions -- [c) [

d) Commented Source Code and Object Modules -- [

3. Hardware Design Products

[

a) Hardware Requirements Specifications -- [

b) Draft Hardware Design Specifications -- [

c) Draft Documentation Package -- [

d) Final Documentation Package -- [ ]<sup>a,c</sup>.

In addition to the reviews shown in these figures, one or more [

]<sup>a,c</sup>.

]<sup>a,c</sup>.

E3 Design, Verification, and Validation Plan for Class IE and Category A Systems

# 9. | |<sup>a,c</sup> VALIDATION TEST AND EQUIPMENT QUALIFICATION TEST

## 9.1. [ ]<sup>a,c</sup> Validation Test

The [ ]<sup>ac</sup> Validation Test confirms that the system meets the requirements specified in the platform System Design Requirements. The tests shall be conducted in accordance with a formal test plan and procedures. The required input signals, the anticipated output signals, and the acceptance criteria shall be stated in the procedures.

[  $]^{a,c}$  software items, platform hardware items, representative application software, and test equipment shall be arranged in configurations which represent the intended uses of the [  $]^{a,c}$ . The configurations may represent entire systems, portions of systems (overlapping validation testing), or "thread paths" through a system.

The test plan should include tests which stress the system beyond its intended uses.

The [

ſ

]<sup>a,c</sup>. They shall prepare the test plan, prepare the test procedures, perform or supervise the tests, and document the test results. The test results will be recorded and retained. The system configuration (including hardware and software version information), the test procedures, and the results shall be documented at a level sufficient to allow the tests to be repeated.

]<sup>a,c</sup>

## 9.2. Eqnipment Qualification

Modules must be shown to operate under the design basis for seismic, environmental and EMI conditions. Equipment may be qualified by type testing, analysis or some combination of the two.

]<sup>a,c</sup>.

This activity shall be conducted in accordance with a formal equipment qualification plan and shall be documented by a qualification report that summarizes which testing or analysis covers the equipment.

]<sup>8, c</sup>.

# 10. []<sup>a,c</sup> DESIGN ACTIVITIES The [ ]<sup>a,c</sup> Desigu, Verification, and Validation Process is detailed in

Figure 5. This section will focus on the design activities (with indication of where verification is required). The figure shows the activities as purely sequential (similar to the classic "Waterfall" methodology). In actuality, [

]<sup>a,c</sup>.

### 10.1. [ ]<sup>a,c</sup> Definition Activity

The [

]<sup>a,c</sup> Definition Activity includes the following types of items:

- 1. Identification of the plant systems involved in the scope of the project.
- 2. Identification of the system design basis for the project.
- 3. Identification of the licensing basis for the project.
- 4. Documentation of the objective of the new system or modification.
- 5. An early evaluation of potential failure modes and impacts on the licensing evaluations.
- 6. Documentation of what other plant systems are affected.
- 7. Documentation of project specific methods and activities used in the design, development, documentation, verification, validation, etc.
- 8. Definition of particular options, features, and plant specific configurations.

This information shall become part of the [

]<sup>a,c|</sup>.

## Westinghouse Non-Proprietary Class 3

Figure 5: [

]<sup>a,c</sup> Design, Verification, and Validation

(Overview is shown in Figure 2)

E3 Design, Verification, and Validation Plan for Class 1E and Category A Systems 27

Revision 0 27-JUL 1999

a,c

## 10.2. Functional Requirements Capture Activity

The Functional Requirements Capture Activity establishes and documents the design basis for the project. This includes:

- Transfer Function Requirements
- Time Response Requirements
- Accuracy Requirements
- Reliability Requirements
- Availability Requirements
- External Interface Requirements
- Setpoints and Tuning Constants
- Environmental and Seismic Requirements
- Human Factors Requirements
- Response to Failures

This information is documented in the Functional Requirements document. This document may be supplemented or replaced by [ ]<sup>a,c</sup>.

The effort associated with this activity varies with scope and format of information provided by the customer. The end result must be a complete set of functional requirements in a format usable for the remainder of the process.

]<sup>a,c</sup>.

# 10.3. []<sup>a,c</sup> System Design ActivitiesThe []<sup>a,c</sup> System Design Activities consist of two primary efforts: [

]<sup>a,c</sup>.

## 10.3.1. [ ]<sup>a,c</sup> Requirements Analysis

The [ ]<sup>a,c</sup> Requirements Analysis determines and documents the system requirements based on the [ ]<sup>a,c</sup> ]<sup>a,c</sup> System Design Requirements are reviewed to determine the applicability of the platform requirements to the application requirements.

ſ

I

ſ

]<sup>a,c</sup>.

10.3.2.

]<sup>a,c</sup>

Revision 0 27-JUL 1999

]<sup>ª,¢</sup>.

]<sup>a,c</sup>.



]<sup>a,c</sup>.

]<sup>a,c</sup>,

ſ

I

]<sup>a,c</sup>

]<sup>a,c</sup>.

## ]<sup>ª,C</sup>.

#### 10.5. [ ]<sup>a,c</sup> Hardware Design Activities

The [ ]<sup>a,c</sup> Hardware Design Activity consists largely of configuring the standard hardware [ ]<sup>a,c</sup> for a specific application. The following sections describe the steps involved.

#### 10.5.1. Hardware System Configuration

The project personnel configure the system according to the  $[ ]^{a,c}$  System Design Requirements and the architecture outlined in the  $[ ]^{a,c}$  System Design Specification. This is documented by the creation of [

]<sup>a,c</sup>.

## 10.5.2. Hardware Cabinet Configuration

Detailed configurations of the hardware and locations of hardware within cabinets are produced. This activity is documented by the creation of cabinet level configuration drawings. Typical information includes placement of cards, specific jumpering or keying of modules, definition of cable connection information, labeling of specific modules or cables, and identification of external termination points for field wiring. These drawings would typically refer to [standard platform drawings and only specify application specific customization. The drawings may be augmented or replaced by a database. [

]<sup>a,c</sup>.

#### 10.5.3. Manufacturing

Manufacturing involves the production of hardware modules from components according to hardware assembly drawings. This activity may take place internally or at an external manufacturing site. It includes

E3 Design, Verification, and Validation Plan for Class 1E and Category A Systems

inspection processes that are defined in manufacturing procedures. Assembled modules typically go through module level testing as part of the manufacturing process. The results of this testing must be recorded for traceability to the module level. Items requiring commercial dedication are dedicated at the module level by the criteria described in the commercial dedication instruction. The applicable instruction for each module must be identified by a drawing or other manufacturing tracking system. The dedication activity must be recorded for [ $1^{a.c.}$ ]<sup>a.c.</sup>

## 10.6. [ ]<sup>a,c</sup> Integration Activity

]<sup>a,c</sup>.

The developers shall combine the application software and hardware items with [

]<sup>a,c</sup>, and test equipment. The test setup shall be designed to exercise the system (or portion of the system) in a configuration that is typical of its intended use. [

E3 Design, Verification, and Validation Plan for Class 1E and Category A Systems 30

| <b>1I.</b>     | [                  | ] <sup>a,c</sup> VERIFICATION ACTIVITIES                                                                           |                       |                                  |  |  |  |
|----------------|--------------------|--------------------------------------------------------------------------------------------------------------------|-----------------------|----------------------------------|--|--|--|
| As th          | ne [               | ] <sup>a,c</sup> Design Activities proceed in a [<br>] <sup>a,c</sup>                                              |                       |                                  |  |  |  |
| The  <br>prese | L                  | ] <sup>a,c</sup> Verification Activities use the same definitions fo<br>Section 8.1 and Section 8.2, respectively. | r review types and to | echniques as                     |  |  |  |
| As sl          | nown in :          | 5, the following design products are checked for consiste                                                          | ncy and correctness:  | :                                |  |  |  |
| 1.             | Func               | tional Requirements Capture Products                                                                               |                       |                                  |  |  |  |
|                | a)                 | Functional Requirements [                                                                                          | ] <sup>a,c</sup> .    |                                  |  |  |  |
| 2.             | I.                 | ] <sup>a,c</sup>                                                                                                   |                       |                                  |  |  |  |
|                | a)                 | [                                                                                                                  |                       | ] <sup><b>a</b>,<b>c</b></sup> . |  |  |  |
|                | b)                 | ſ                                                                                                                  |                       | ] <sup>a,c</sup> .               |  |  |  |
| 3.             | [                  | ] <sup>a, c</sup>                                                                                                  |                       |                                  |  |  |  |
|                | a)                 | [                                                                                                                  | ] <sup>a,c</sup> .    |                                  |  |  |  |
| 4.             | Hard               | ware Design Products                                                                                               |                       |                                  |  |  |  |
|                | a)                 | System Level Documentation Package [                                                                               |                       | ] <sup>a,c</sup> .               |  |  |  |
|                | <b>b)</b>          | Cabinet Level Documentation Package [                                                                              |                       | ] <sup>a,c</sup> .               |  |  |  |
| In ad          | dition to          | the reviews shown in these figures, [                                                                              |                       |                                  |  |  |  |
|                |                    | ] <sup>a,c</sup> .                                                                                                 |                       |                                  |  |  |  |
| [              |                    | -<br>-                                                                                                             |                       |                                  |  |  |  |
| •              | 18.0               |                                                                                                                    |                       |                                  |  |  |  |
|                | ] <sup>a,c</sup> . |                                                                                                                    |                       |                                  |  |  |  |
| l              |                    |                                                                                                                    |                       |                                  |  |  |  |
|                |                    | <b>18</b> C                                                                                                        |                       |                                  |  |  |  |

]<sup>a,c</sup>.

The results of the software verification activities are documented in the Software Verification Report.

E3 Design, Verification, and Validation Plan for Class 1E and Category A Systems

# 12. [ ]<sup>a,c</sup> VALIDATION AND QUALIFICATION TESTS

## 12.1. [ ]<sup>a,c</sup> Specific Qualification

]<sup>a,c</sup>

]<sup>a,c</sup>.

An application specific qualification analysis is undertaken to show that the system will meet its design basis for seismic, environmental and EMI conditions. This analysis may confirm that the system has been qualified by previous analysis or testing. It may also indicate that further testing or analysis is needed.

]<sup>ac</sup>. They shall prepare the qualification plan, prepare any required procedures, perform or supervise any required tests, and document the analysis and/or test results in the Equipment Qualification Report.

#### **12.2.** Factory Acceptance Test

I

I

ĺ

ſ

ſ

1

The Factory Acceptance Test (FAT) provides the formal validation of the system functionality as specified in the functional requirements. Additionally, the [

]<sup>a,c</sup>

]<sup>a,c</sup>.

]<sup>a,c</sup>

]<sup>a,c</sup>

]<sup>a,c</sup>. The required input signals, the anticipated output signals and the acceptance criteria shall be stated in the procedures.

]<sup>a,c</sup>:

]<sup>a,c</sup>



32

]<sup>a,c</sup>

]<sup>a,c</sup>.

]<sup>a,c</sup>.

## 12.3. Site Acceptance Test

I

l

[

The Site Acceptance Test (SAT) is performed in the plant. Its purpose is to provide adequate confidence of the following:

- 1. No damage has occurred due to shipment or installation
- 2. The system is compatible with the plant
- 3. The interfaces to other plant systems are correct (especially interfaces which were simulated during the FAT).

]<sup>a,c</sup>.

E3 Design, Verification, and Validation Plan for Class 1E and Category A Systems

# 13. SUMMARY OF DESIGN, VERIFICATION AND VALIDATION DOCUMENTS

The tables in this section summarize the documents that are produced in accordance to the design, verification and validation plans contained in this document.

E3 Design, Verification, and Validation Plan for Class 1E and Category A Systems 34

Westinghouse Non-Noprietary Class 3

| ······································ | Table 1: [ | [ <sup>a,c</sup> Design, Verific | ation, and Valida | tion Documents |         | a,c_     |
|----------------------------------------|------------|----------------------------------|-------------------|----------------|---------|----------|
|                                        |            |                                  |                   |                | · · · · |          |
|                                        |            |                                  |                   |                |         |          |
|                                        |            |                                  |                   |                | . ". ". | <br>     |
|                                        |            |                                  |                   |                |         |          |
|                                        |            |                                  |                   |                |         |          |
|                                        |            |                                  |                   |                |         | <br>     |
|                                        |            |                                  |                   |                |         | <u> </u> |
|                                        |            |                                  |                   |                |         |          |
|                                        |            |                                  |                   |                |         |          |
|                                        |            |                                  |                   |                |         |          |

. '

a,c

Westinghonse Non-Loprietary Class 3

|   |   |                                       |                                       |                               |                     |                  |           | a,c_ |
|---|---|---------------------------------------|---------------------------------------|-------------------------------|---------------------|------------------|-----------|------|
|   |   |                                       | Table 2: [                            | ] <sup>a,c</sup> Design, Veri | fication, and Valid | lation Documents |           |      |
|   |   |                                       |                                       |                               |                     |                  |           |      |
|   |   |                                       |                                       |                               |                     |                  |           |      |
| • |   |                                       |                                       | · ·                           |                     | · ·              | <br>      |      |
|   |   |                                       |                                       |                               |                     |                  | <br>      |      |
|   |   |                                       |                                       |                               |                     |                  |           | -    |
|   |   |                                       |                                       |                               |                     |                  |           |      |
|   | ` |                                       |                                       | : .                           |                     |                  |           |      |
|   |   |                                       |                                       |                               |                     |                  |           |      |
| _ |   |                                       |                                       |                               |                     |                  | <br>· · · |      |
|   |   |                                       |                                       |                               |                     | :                |           |      |
|   |   |                                       |                                       | - ···                         |                     |                  | <br>      |      |
|   |   |                                       | · · ·                                 |                               |                     |                  |           |      |
|   |   | · · · · · · · · · · · · · · · · · · · | · · · · · · · · · · · · · · · · · · · |                               |                     |                  |           |      |
|   |   |                                       |                                       |                               |                     |                  |           |      |
|   |   |                                       |                                       |                               |                     |                  |           |      |
|   |   |                                       |                                       | :                             |                     |                  |           |      |
|   |   |                                       |                                       |                               |                     |                  |           |      |
| L |   |                                       | 1                                     |                               |                     |                  |           |      |

E3 Design, Verification, and Validation Plan for Class 1E and Category A Systems Revision 0 23 JUL 1999



|  | · · · · · · · · · · · · · · · · · · · | · · · · · · · · · · · · · · · · · · · | · · · · · · · · · · · · · · · · · · · | <br>· . | · · · · · · · · · · · · · · · · · · · |
|--|---------------------------------------|---------------------------------------|---------------------------------------|---------|---------------------------------------|
|  |                                       |                                       |                                       |         |                                       |
|  |                                       |                                       |                                       |         |                                       |
|  |                                       |                                       |                                       |         |                                       |

a,c

NRC FORM 199 (9-1999) NRCMD 3.12

# **PROPRIETARY INFORMATION**

## NOTICE

THE ATTACHED DOCUMENT CONTAINS OR IS CLAIMED TO CONTAIN PROPRIETARY INFORMATION AND SHOULD BE HANDLED AS NRC SENSITIVE UNCLASSIFIED INFORMATION. IT SHOULD NOT BE DISCUSSED OR MADE AVAILABLE TO ANY PERSON NOT REQUIRING SUCH INFORMATION IN THE CONDUCT OF OFFICIAL BUSINESS AND SHOULD BE STORED, TRANSFERRED, AND DISPOSED OF BY EACH RECIPIENT IN A MANNER WHICH WILL ASSURE THAT ITS CONTENTS ARE NOT MADE AVAILABLE TO UNAUTHORIZED PERSONS.

| COPY NO.    |                                      |
|-------------|--------------------------------------|
| DOCKET NO.  |                                      |
| CONTROL NO. | •••••••••••••••••••••••••••••••••••• |
| REPORT NO.  |                                      |

REC'D W/LTR DTD.

# **PROPRIETARY INFORMATION**