
Engineered Solutions, Inc.

Critical Design Review

Critical Design Review (for non-safety related applications) This Attachment is used as a template to document that items or services are of sufficient quality to provide their intended function in a quality related and non-quality related applications in a nuclear power facility (or non-nuclear application) and will not adversely impact or challenge a plant safety system.

The terms “Commercial Grade” and “Dedication” have legal definitions under 10 CFR Part 21 and are only applicable to Safety Related applications. For applications that are not Safety related Attachment B “Critical Design Review” is used.

QAP-19.7, Attachment B Rev. 0

CRITICAL DESIGN REVIEW

PROJECT TITLE

PROJECT NUMBER

REVISION xx

Proprietary Information

The information contained in this document is proprietary and confidential to Engineered Solutions, Inc. for the specific use of {customer name}. No copies shall be transmitted or otherwise disclosed without written permission from Engineered Solutions, Inc.

REVISION LOG

REV. NO. | DATE | DESCRIPTION OF REVISION
0 | |

Prepared by:                    Date:

Verified by:                    Date:

EXECUTIVE SUMMARY

TABLE OF CONTENTS

EXECUTIVE SUMMARY ... 3
1.0 INTRODUCTION ... 6
  1.1 Purpose and Scope of Review ... 6
  1.2 Vendor Relationships and Responsibilities ... 6
  1.3 Review Approach and Methodology ... 6
2.0 MODIFICATION SCOPE ... 6
3.0 SYSTEM DESIGN OR FUNCTIONAL REQUIREMENTS ... 7
  3.1 {system} Operational Design Bases ... 7
  3.2 {system} Procurement Requirements ... 7
  3.3 {system} Safety Classification ... 7
4.0 QUALITY ASSURANCE REQUIREMENTS TRACEABILITY ... 7
  Table 4-1: QA Documentation Requirements Traceability Matrix ... 8
5.0 SYSTEM CRITICAL CHARACTERISTICS – REQUIREMENTS ... 9
  5.1 Critical Characteristics – Requirements Evaluation ... 9
  Table 5-1: Critical Characteristics Matrix ... 10
  5.2 If needed… ... 11
  5.3 If needed… ... 11
6.0 EVALUATION PROCESS ... 11
  6.1 Methods of Evaluation of the Vendor Items and Services ... 11
  6.2 Evaluation of the Vendor Items and Services ... 11
  6.3 Additional Digital System Considerations ... 11
  6.4 Testing and Qualification of Commercial Grade Items and Services ... 11
7.0 SOFTWARE DIGITAL SYSTEM CONTROL - CYBER SECURITY ... 11
  7.1 Software Lifecycle – Compliance with Regulatory Guide 1.173 ... 11
  Table 7-1: Software Lifecycle Traceability Matrix ... 12
  7.2 Software Configuration Control ... 14
  7.3 Secure Development Environment ... 14
  7.4 Password Control ... 14
  7.5 Virus Scanning ... 14
  7.6 Intrusion Detection ... 14
  7.7 Backup or Recovery ... 14
  7.8 Network Communications Security ... 15
8.0 HAZARD ANALYSIS ... 15
  8.1 System Safety Functional Requirements ... 15
  8.2 Failure Mode and Effects Analysis (FMEA) ... 15
  8.3 Common Mode Software Failure Considerations ... 15
  8.4 System Level Diversity and Defense in Depth Considerations ... 15

  8.5 Electrical Separations, Impact of Power Transfers, etc. ... 15
  8.6 Appendix R or NFPA 805 Considerations ... 15
  8.7 Equipment Qualification Considerations ... 15
9.0 OBSERVATIONS AND CONCLUSIONS ... 15
10.0 REFERENCES ... 15

1.0 INTRODUCTION

1.1 Purpose and Scope of Review

Describe the purpose and scope of the report.

Example

This report documents the evaluation of {item or service} and demonstrates that it will successfully perform its intended design function for {application}.

1.2 Vendor Relationships and Responsibilities

Define the scope of supply of each vendor and responsibilities.

1.3 Review Approach and Methodology

Describe the process and standards used.

Example

This CDR is prepared using the processes described in EPRI Topical Report TR-106439, “Guideline on Evaluation and Acceptance of Commercial Grade Digital Equipment for Nuclear Safety Applications”. The Safety Evaluation for EPRI TR-106439 (ADAMS ML092190664) stated that “The staff has determined that TR-106439 contains an acceptable method for dedicating commercial grade digital equipment for use in nuclear power plant safety applications and meets the requirements of 10 CFR Part 21. Further, the staff concludes that when digital equipment is dedicated using the methods described in TR-106439, it may be considered equivalent to digital equipment designed and manufactured under a 10 CFR Part 50, Appendix B quality assurance program. Licensees may utilize the TR-106439 approach when installing digital modifications utilizing commercial grade equipment. This includes microprocessors that are embedded in electrical and mechanical equipment as well as process instrumentation and control systems. While the staff finds TR-106439 acceptable, it is a generic proposal and therefore, licensees referencing TR-106439 will need to document the details regarding the dedication process and specific critical characteristics including the verification information described in Standard Review Plan Chapter 7 such as qualification reports, system description and software and hardware design and quality assurance documentation.”

2.0 MODIFICATION SCOPE

Describe the modification, items or service. Where applicable, identify specific vendor part numbers and software/firmware versions.

3.0 SYSTEM DESIGN OR FUNCTIONAL REQUIREMENTS

Describe the requirements of the system or item. Refer to the plant FSAR and other design bases documents.

3.1 {system} Operational Design Bases

3.2 {system} Procurement Requirements

Also define any specific digital or software requirements as applicable.

3.3 {system} Safety Classification

Also define any specific software classification as applicable.

4.0 QUALITY ASSURANCE REQUIREMENTS TRACEABILITY

The purpose of Table 4-1 (below) is to document the review of the vendor quality assurance program, software documentation, etc. to determine whether the vendor documents satisfy the customer requirements. Where applicable, the vendor document number is cross-referenced to the customer requirement. If the vendor-provided documentation does not fully satisfy the customer requirements, describe how the gap between the customer requirements and the vendor documents is addressed.

Table 4-1: QA Documentation Requirements Traceability Matrix

Requirement | {customer} Requirements, Regulatory Requirements, Reference Standards | {Vendor} Documents | Satisfies {customer} Requirements | Comments / Documentation Required to Satisfy {customer} Requirements
Quality Assurance | | | |
Procurement | | | |
Software Classification | | | |
Requirements Specifications | | | |
Design Descriptions | | | |
Software Configuration Management | | | |
Disaster Recovery | | | |
Security | | | |
System Testing | | | |

5.0 SYSTEM CRITICAL CHARACTERISTICS – REQUIREMENTS

5.1 Critical Characteristics – Requirements Evaluation

Describe how the critical characteristics were determined.

Example

Critical characteristics are those important design, material, and performance characteristics of a commercial grade item that, once verified, will provide reasonable assurance that the item will perform its intended safety function.

The system critical characteristics and system requirements are defined by the equipment Functional Requirements Specification {customer document}. Table 5-1 provides a traceability matrix from the {customer} specific critical characteristics and requirements, to the vendor provided evaluations and reports that demonstrate that the system will perform its safety related functions. Where required, this review identifies the gaps between the vendor provided documentation and {customer} requirements, and the method of mitigation of those gaps.

Table 5-1: Critical Characteristics Matrix

Specification Section | Description of Requirement | Comments / Compliance With Requirements and Additional Mitigation Actions | Applicable Standards | Method of Verification | Verification References
| | | | |

5.2 If needed…

5.3 If needed…

Provide a detailed description or evaluation of any item in Table 5-1. Reference these sections in the table.

6.0 EVALUATION PROCESS

6.1 Methods of Evaluation of the Vendor Items and Services

Describe the method(s) used. Although this is not a “dedication”, the processes described in section 7.0 of QAP-19.7 may be referred to in order to help determine a method of evaluation. The scope of evaluation and controls should consider the potential impact of the item on operations.

6.2 Evaluation of the Vendor Items and Services

Describe the evaluation and the results.

6.3 Additional Digital System Considerations

If applicable, describe any additional requirements from section 10.0 of procedure QAP-19.7, such as software V&V activities.

6.4 Testing and Qualification of Commercial Grade Items and Services

Describe the testing and qualification of the item or services:

- Seismic (i.e. II over I)
- EMI/RFI (i.e. emissions)
- Environmental (will be reliable in the normal environment)
- Functional – operational

7.0 SOFTWARE DIGITAL SYSTEM CONTROL - CYBER SECURITY

7.1 Software Lifecycle – Compliance with Regulatory Guide 1.173

Regulatory Guide 1.173, Rev 1, “Developing Software Life Cycle Processes for Digital Computer Software Used in Safety Systems of Nuclear Power Plants,” endorses IEEE Std 1074-2006, “IEEE Standard for Developing Software Life Cycle Processes,” subject to the provisions and exceptions identified in the regulatory guide, as providing an approach acceptable to the NRC staff for meeting the regulatory requirements and guidance as they apply to development processes for safety system software.

Table 7-1: Software Lifecycle Traceability Matrix

IEEE Std 1074-2006 Requirement (as endorsed by RG 1.173) | {Customer} References, Regulatory Guides or Standards | IEEE Std 1074 Software Lifecycle Activities / Documentation Required to Satisfy Regulatory and {customer} Requirements
A.1 Project Management Section | |
A.1.1 Project Initiation | |
A.1.2 Project Planning | |
A.1.3 Project Monitoring and Control | |
A.2 Pre-development Section | |
A.2.1 Concept Exploration | |
A.2.2 System Allocation | |
A.3 Development Section | |
A.3.1 Requirements Process | |
A.3.2 Design | |
A.3.3 Implementation | |
A.4 Post-development Section | |

A.4.1 Installation | |
A.4.2 Operation and Support | |
A.4.3 Maintenance | |
A.4.4 Retirement | |
A.5 Support Section | |
A.5.1 Evaluation | |
A.5.2 Software Configuration Management | |
A.5.3 Documentation Development | |
A.5.4 Training | |

7.2 Software Configuration Control

Regulatory Guide 1.169 Revision 1, “Configuration Management Plans for Digital Computer Software Used in Safety Systems of Nuclear Power Plants,” endorses IEEE Standard 828-2005, “IEEE Standard for Configuration Management Plans,” as providing an acceptable approach for planning configuration management.

7.3 Secure Development Environment

Secure Development Environment is defined in Regulatory Guide 1.152, Revision 3 as the condition of having appropriate physical, logical and programmatic controls during the system development phases (i.e., concepts, requirements, design, implementation, testing) to ensure that unwanted, unneeded and undocumented functionality (e.g., superfluous code) is not introduced into digital safety systems.

Secure Operational Environment is defined as the condition of having appropriate physical, logical and administrative controls within a facility to ensure that the reliable operation of digital safety systems is not degraded by undesirable behavior of connected systems and by events initiated by inadvertent access to the system.

The establishment of a Secure Development and Operational Environment (SDOE) for digital safety systems, in the context of Regulatory Guide 1.152, refers to:

(1) measures and controls taken to establish a secure environment for development of the digital safety system against undocumented, unneeded and unwanted modifications and

(2) protective actions taken against a predictable set of undesirable acts (e.g., inadvertent operator actions or the undesirable behavior of connected systems) that could challenge the integrity, reliability, or functionality of a digital safety system during operations.

These SDOE actions may include adoption of protective design features into the digital safety system design to preclude inadvertent access to the system and/or protection against undesirable behavior from connected systems when operational.

7.4 Password Control

Describe the provisions provided as applicable.

7.5 Virus Scanning

Describe the provisions provided as applicable.

7.6 Intrusion Detection

Describe the provisions provided as applicable.

7.7 Backup or Recovery

Describe the provisions provided as applicable.

7.8 Network Communications Security

Describe the provisions provided as applicable.

8.0 HAZARD ANALYSIS

8.1 System Safety Functional Requirements

Describe the system safety functions as described in the FSAR and other design basis documents. Refer to NEI 01-01 Supplement A for other considerations to be addressed.

Also address any beyond design basis events where the system is used to mitigate the event.

8.2 Failure Mode and Effects Analysis (FMEA)

Refer to EP-11. Discuss the system level effects of any failures and the impact on functional requirements.

8.3 Common Mode Software Failure Considerations

Refer to NUREG 0800, Chapter 7, BTP-7-19. Identify whether any common mode failures are postulated and how they are mitigated. Address the system level D3 analysis below.

8.4 System Level Diversity and Defense in Depth Considerations

Refer to NUREG 0800, Chapter 7, BTP-7-19.

8.5 Electrical Separations, Impact of Power Transfers, etc.

8.6 Appendix R or NFPA 805 Considerations

8.7 Equipment Qualification Considerations

- Seismic (i.e. II over I)
- EMI/RFI (i.e. emissions)
- Environmental (will be reliable in the normal environment)
- Etc.

9.0 OBSERVATIONS AND CONCLUSIONS

10.0 REFERENCES
