

**GPU Nuclear Corporation** 

Post Office Box 388 Route 9 South Forked River, New Jersey 08731-0388 609 971-4000 Writer's Direct Dial Number:

June 6, 1984

Mr. Darrell G. Eisenhut, Director Division of Licensing U.S. Nuclear Regulatory Commission Washington, DC 20555

Dear Mr. Eisenhut:

Subject: Oyster Creek Nuclear Generating Station Docket No. 50-219 Supplement 1 to NUREG-0737 SPDS Implementation Plan

Reference: Letter dated April 15, 1983, P.B. Fiedler to D.G. Eisenhut

Our submittal fulfilling the original response requirements of Supplement 1 to NUREG 0737 (Emergency Response Capabilities) was forwarded to you by the referenced letter. That submittal included a commitment to have a Safety Parameter Display System (SPDS) Safety Analysis/Parameter Selection Study and an SPDS Implementation Plan submitted. The Safety Analysis was forwarded to you on April 2, 1984. This letter forwards to you the Implementation Plan which includes the Verification and Validation Plan for Oyster Creek's SPDS.

Should you have any questions about this plan, please contact me or Mr. Drew Holland of my staff at (609)971-4643.

Very truly yours,

de

Peter B. Fiedler Vice President and Director Oyster Creek

PBF:RJ:dam Attachment

cc: Mr. J. Lombardo, Project Manager U.S. Nuclear Regulatory Commission 7920 Norfolk Avenue Bethesda, MD 20014

> NRC Resident Inspector Oyster Creek Nuclear Generating Station Forked River, NJ 08731

8406120111 840606 PDR ADOCK 05000219

GPU Nuclear Corporation is a subsidiary of the General Public Utilities Corporation

### ATTACHMENT

#### SPDS IMPLEMENTATION PLAN

#### A) Current Status of SPDS

The SPDS is being designed as a subset of the Plant Computer System (PCS). The schedule of the PCS installation is shown on the PCS/SPDS implementation plan shown in Table 1.

A formal Safety Analysis/Parameter Selection Study has recently been completed where a minimum SPDS parameter set has been identified. A large portion of the instruments required for the selected parameters are being installed at present as part of the plant computer schedule. Work will be started shortly on the User Guidelines and display design. It is expected that SPDS specifications and system requirements will be documented October 1984. During 1985, it is expected that hardware procurement and software coding and testing will be completed followed by system integration which is expected to be completed during the 1985/1986 outage. If during this process different parameters become necessary for SPDS requirements, such parameters will be installed during this outage.

#### B) SPDS Verification and Validation (V&V) Program

The Oyster Creek SPDS V&V plan is detailed in the attached document. This program runs parallel to the SPDS implementation plan. A complete system requirements review will be carried out once the specification/system requirements documents are done. This will be followed by hardware/software design reviews. The methods and techniques used for the V&V effort are the same as those used for the plant computer software/hardware program. At the end of this verification effort, a validation test plan is formulated such that this test will be carried out during 1985/1986 outage. A detailed description of the V&V program is enclosed.

#### C) Operator Training

Towards the end of 1985/1986 outage, and when the plant computer becomes operational, user training will start. The training will involve general computer use followed by SPDS specific training programs. It is expected that by the end of 1986, a basic SPDS will be operational.

## OYSTER CREEK SPDS IMPLEMENTATION PLAN

|                                                                                                                                                                                                               | -     | 1984   |        |     |     |     |     | 1985 |     |     |     |     |        |      |        |     | 1986 |     |  |
|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------|--------|--------|-----|-----|-----|-----|------|-----|-----|-----|-----|--------|------|--------|-----|------|-----|--|
| Computer<br>Deliver PCS Hardware to<br>Vender (SSS)<br>Basic PCS Software Develop.<br>and System Integration<br>Deliver to Site/Install/<br>Accept. Test<br>Basic PCS Operational                             | J-F   | M-A    | M-J    | J-A | 5-0 | N-D | J-F | M-A  | M-J | J-A | S-0 | N-D | J-F    | M-A  | M-J    | J-A | 5-0  | N-D |  |
| Input Signals<br>Phase I: Installation*<br>Phase II: Design<br>Installation*                                                                                                                                  | -     |        |        |     |     |     |     |      |     |     |     | Ì   |        |      |        |     |      |     |  |
| SPDS<br>Safety Analysis<br>User Guidelines (Preliminary/Final)<br>Display Design<br>System Requirements Documents<br>Hardware Specs & Procurement<br>Software Design, Coding and Test*<br>System Integration* |       |        |        |     | _   |     |     |      |     |     |     |     |        |      |        |     |      |     |  |
| SPDS V&V Program<br>V&V PTan<br>System Requirements Review<br>Hardware Design Review<br>Software Design Review<br>Validation Test Plan<br>Validation Test                                                     | -     |        |        |     |     |     | -   | _    |     |     |     |     |        |      |        |     | -    |     |  |
| Operator Training<br>Computer Use<br>SPDS Use                                                                                                                                                                 |       |        |        |     |     |     |     |      |     |     |     |     |        | _    |        |     | -    |     |  |
| <ul> <li>Outage Dependent: Will require<br/>adjustment if the outage schedules<br/>shown here are changed.</li> </ul>                                                                                         | Prese | nt 198 | 4 Outa | ge  |     |     |     |      |     |     |     | Sc  | pedule | 1986 | Outage |     |      |     |  |
|                                                                                                                                                                                                               |       |        |        |     |     |     |     |      |     |     |     |     |        |      |        |     |      |     |  |

1

1

Although A

VERIFICATION AND VALIDATION PLAN FOR OYSTER CREEK SAFETY PARAMETER DISPLAY SYSTEM (SPDS)

8

# TABLE OF CONTENTS

- 1.0 INTRODUCTION AND SCOPE
- 2.0 OVERVIEW OF V&V ACTIVITIES AND DOCUMENTATION REQUIREMENTS
- 3.0 SYSTEM REQUIREMENTS REVIEW ACTIVITIES
- 4.0 HARDWARE CONFIGURATION DESIGN REVIEW ACTIVITIES
- 5.0 SOFTWARE DESIGN REVIEW ACTIVITIES
- 6.0 VALIDATION TEST PLANNING AND PERFORMANCE ACTIVITIES
- 7.0 FIELD VERIFICATION TEST ACTIVITIES
- 8.0 REFERENCES

## 1.0 INTRODUCTION AND SCOPE

The verification and validation (V&V) plan described herein will be applied to the Safety Parameter Display System (SPDS) for the Oyster Creek Nuclear Generating Station, which is owned and operated by GPU Nuclear Corporation (GPUNC).

The purpose of the SPDS V&V program is to assure that the SPDS as installed satisfies its functional requirements in accordance with all applicable standards and regulations. The scope of the SPDS V&V program includes and is limited to the computer hardware and software that constitute the SPDS. The SPDS will be implemented on the Oyster Creek plant computer system (PCS) presently under procurement from Scientific System Services. A separate V&V program for the PCS is being implemented by Scientific System Services. The scope of the SPDS V&V program does not include PCS hardware and software covered by the PCS V&V program.

## 2.0 OVERVIEW OF V&V ACTIVITIES AND DOCUMENTATION REQUIREMENTS

Figure 1 diagrams all the V&V related activities for the OC SPDS program. The five main V&V activities as illustrated in Figure 1 are:

- System Requirements Review;
- Hardware Configuration Design Review;
- o Software Design Review;
- o Validation Test Planning and Performance; and
- o Field Verification Testing

The intent of the verification/review activities is to provide a comprehensive evaluation of the system requirements to determine that the right problem is being solved; and to provide a phase-by-phase check to determine that each phase is a consistent, complete and correct translation of the previous phase. The intent of the validation activities is to test and evaluate the integrated hardware and software system to determine compliance with the system requirements.

The people who perform the V&V activities of Figure 1 will not participate in the SPDS design or implementation.



FIGURE 1: FLOW DIAGRAM OF OC SPDS V&V RELATED ACTIVITIES

The V&V documentation provides formal evidence that the system has been verified and validated. Table 1 lists the documentation that will be produced by the SPDS V&V program. Seven major reports in addition to the V&V plan documented here will be produced during the program. The documentation will provide an audit trail in that non-associated personnel will be able to reconstruct the program activities and the results of those activities from the documentation. In general the results of each major V&V task of Figure 1 are documented in a separate report in accordance with Table 1.

¥.

# TABLE 1: OC SPDS V&V PROGRAM DOCUMENTATION

## DOCUMENT

# DISCUSSION

-

-----

The initial document

Verification and Validation Plan

System Requirements Review Report

Requirements Traceability Matrix (RTM) The cross referencing document for the entire SPDS V&V program

Hardware Configuration Design Review Report

Software Design Review Report

Validation Test Plan and Report

Field Verification Test Plan and Report

SPDS V&V Program Final Report

Summary of all previous activities with conclusions. Closure of all open items. The "Validation Report" of Figure 1.

### 3.0 SYSTEM REQUIREMENTS REVIEW ACTIVITIES

The system requirements are the foundation on which the completed system is designed, built and accepted. The principal goal of the system requirements review is to independently determine if fulfilling the system requirements will result in an effective, functional SPDS that is in compliance with all the applicable standards and regulations.

The design basis for both the hardware configuration and software design shall be examined in the system requirements review. The major objective shall be to determine whether the system requirements are consistent with the system purpose, correct, complete, understandable, feasible, testable, and traceable.

A key system requirements review activity will be the creation of a Requirements Traceability Matrix (RTM). The RTM for the SPDS will list every functional, performance and project requirement for the program in a tabular format. Each item in the RTM will be cross-referenced to the paragraphs in each of the other major program documents. Figure 2 illustrates one page from the RTM for the Oyster Creek plant computer system. A similar format will be used for the Oyster Creek SPDS.

|                     | AND PERFORMANCE   | TECHNICAL<br>SPECIFICATIONS<br>1362-07-002<br>REV 1 06/30/83 | SPECIFICATION                            | DOCUMENT |       |                 |         |
|---------------------|-------------------|--------------------------------------------------------------|------------------------------------------|----------|-------|-----------------|---------|
|                     |                   | 1                                                            |                                          |          |       |                 |         |
|                     | **************    | 1                                                            |                                          |          |       |                 |         |
|                     |                   | 1                                                            |                                          |          |       |                 | 1       |
| ** OPERATING S      | YSTEM SOFTWARE ** | 1                                                            |                                          | i i      |       |                 | i       |
|                     | **                |                                                              |                                          |          | - i   | i               | 1       |
|                     | *************     | 1                                                            |                                          | 1        | i     | i               | i       |
|                     | *******           | 1                                                            |                                          | i i      | i     | i               | i       |
|                     |                   | 1 1                                                          |                                          | 1        | 1     | 1               | 1       |
| 1/7 Operating syste |                   | 5.2                                                          | 15.1                                     |          | 1     | 1               | 1       |
| an executive-t      |                   | 1                                                            |                                          |          | 1     | 1               | 1       |
| operating syst      |                   |                                                              |                                          |          |       |                 |         |
| following capa      |                   | 1 1                                                          |                                          |          |       |                 |         |
| a. Activate t       |                   | 1.1.2.1                                                      | 10.2.3                                   |          |       |                 | 1       |
|                     |                   |                                                              | 15.1.1                                   |          |       | 1               |         |
| d. Delete tas       |                   |                                                              | 10.2.3                                   |          |       |                 |         |
| e. Wait             | **                |                                                              | 15.1.1                                   |          |       |                 |         |
| f. Enable int       | erruots           |                                                              | 15.1.1                                   |          |       |                 |         |
| g. Initiate i       |                   |                                                              | 15.1.1                                   |          |       |                 |         |
| h. Disable in       |                   | 1                                                            | 15.1.1                                   |          | 1     |                 |         |
| 1 i. Schedule p     |                   | j                                                            | 10.1                                     |          |       |                 |         |
|                     | y or periodic     | 1                                                            |                                          |          |       |                 |         |
| j. Control tr       | ansfers between   | 1                                                            | 15.1.1                                   |          |       | 1.1.1.1         | - 1     |
| main and a          | uxiliary memory   | 1 1                                                          |                                          |          | 1     | - i -           | · ·     |
|                     | lendar functions  | 1 1                                                          | 11.3.1                                   | 1        | i .   | 1 1             | 1       |
| 1. utilize al       |                   | 1 1                                                          | 15.1.2                                   | I        | 1     | 1               | 1       |
|                     | tly released 0/S  | 1                                                            | 15.1.1                                   |          |       | 1 1             | 1       |
|                     | MAX IV G.2 or     | 1                                                            |                                          | 1        | 1     | 1               | 1       |
| MPX 3.2 ve          |                   |                                                              |                                          |          | 1.1.1 | · · · 1 · · · · | 1       |
| n. Provide 1/0      |                   |                                                              | 10.4                                     | 1        |       |                 | 1       |
| all device          |                   | 1                                                            | 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. |          |       |                 | · · · · |

FIGURE 2: SAMPLE PAGE FROM OYSTER CREEK PCS REQUIREMENTS TRACEABILITY MATRIX (RTM)

# 4.0 HARDWARE CONFIGURATION DESIGN REVIEW ACTIVITIES

The hardware configuration design review will trace the design to the system requirements. The review will also ensure that the design documents are complete, detailed and unambiguous.

The RTM shall be updated as part of the review, i.e. columns shall be added to Figure 2 as necessary to cover the design configuration documents and the tabulated items shall be cross-referenced to paragraphs in the documents.

## 5.0 SOFTWARE DESIGN REVIEW ACTIVITIES

The software design review shall be conducted on the entire SPDS software system, and trace the design to the system requirements. Criteria that shall be used for the software design review will include completeness, consistency and testability.

The software design review activity shall assure that the software design documentation is complete, understandable, and unambiguous. Furthermore, the verification activity shall assure that the design documentation describes the relationship of SPDS functions with the other plant computer functions.

The RTM shall be updated as part of the review, i.e. columns shall be added to Figure 2 as necessary to cover the software design documents, and the tabulated items shall be cross-referenced to paragraphs in the documents.

#### 6.1 General

The validation tests are intended to confirm by demonstration that the SPDS hardware and software meet the system requirements. The tests are initially planned based on the system requirements, but may be modified based on the results of the hardware and software design reviews.

#### 6.2 Test Plan

The test plan shall establish the detailed requirements for testing the hardware and software functionality of the overall system. The test plan shall fulfill all the testing requirements specified in the SPDS system requirements document. Furthermore, it shall incorporate the results of the hardware configuration and software design specification reviews. Specific test plan items shall be cross-referenced in the RTM to the system requirements that they address. The test plan shall include startup, shutdown, initiation, display selection, data archive, and test feature tests as applicable in addition to the operational tests. The degree of isolation between SPDS operation and other functions that are performed on the same computer system shall be demonstrated by tests described in the test plan.

The test plan shall include all the forms that will be completed during the tests.

# 6.3 Validation Test

A 4 4

The validation test shall demonstrate the proper performance of each function and the fulfillment of the design requirements for the overall system. The validation test shall implement the requirements of the test plan and shall be witnessed by the Project Manager and V&V personnel. All successes and problems identified during the tests shall be documented during the test program.

#### 7.0 FIELD VERIFICATION TEST ACTIVITIES

The purpose of the field verification test is to verify that the validated system is properly installed. Since the plant computer system (PCS) will have been installed previously and since there will be no movement of the SPDS hardware or software following the completion of the validation tests, the field verification will be concerned with those aspects of "going live" that were not present during the validation test. In particular, it will be necessary to check input signal levels, and it may be appropriate to monitor the on-line performance for some reasonable period of time immediately after going live.

## 8.0 REFERENCES

The following references are some of the applicable standards and regulations for the SPDS.

- Verification and Validation for Safety Parameter Display Systems. NSAC/39. December 1982.
- Human Factors Review Guidelines for the Safety Parameter Display System. NUREG-0835 (Draft). June 1982.
- Guidelines for Control Room Design Review. NUREG-0700. September 1981.
- Supplement 1 to NUREG-0737 Requirements for Emergency Response Capability (Generic Letter No. 82-33). December 1982.
- Functional Criteria for Emergency Response Facilities Final Report. NUREG-0696. February 1981.