Engineered Solutions, Inc.

Critical Design Review

Critical Design Review (for non-safety related applications)

This Attachment is used as a template to document that items or services are of sufficient quality to provide their intended function in quality related and non-quality related applications in a nuclear power facility (or non-nuclear application) and will not adversely impact or challenge a plant safety system.

The terms “Commercial Grade” and “Dedication” have legal definitions under 10 CFR Part 21 and are only applicable to Safety Related applications. For applications that are not Safety Related, Attachment B “Critical Design Review” is used.

QAP-19.7, Attachment B Rev. 0

CRITICAL DESIGN REVIEW

PROJECT TITLE

PROJECT NUMBER

REVISION xx

Proprietary Information
The information contained in this document is proprietary and confidential to Engineered Solutions, Inc. for the specific use of {customer name}. No copies shall be transmitted or otherwise disclosed without written permission from Engineered Solutions, Inc.

QAP-19.7, Attachment B Rev. 0 Page 8 of 15


REVISION LOG

REV. NO. / DATE / DESCRIPTION OF REVISION
0
Prepared by:
Date
Verified by:
Date

EXECUTIVE SUMMARY

TABLE OF CONTENTS

EXECUTIVE SUMMARY 3

1.0 INTRODUCTION 6

1.1 Purpose and Scope of Review 6

1.2 Vendor Relationships and Responsibilities 6

1.3 Review Approach and Methodology 6

2.0 MODIFICATION SCOPE: 6

3.0 SYSTEM DESIGN OR FUNCTIONAL REQUIREMENTS 7

3.1 {system} Operational Design Bases 7

3.2 {system} Procurement Requirements 7

3.3 {system} Safety Classification 7

4.0 QUALITY ASSURANCE REQUIREMENTS TRACEABILITY 7

Table 4-1: QA Documentation Requirements Traceability Matrix 8

5.0 SYSTEM CRITICAL CHARACTERISTICS – REQUIREMENTS 9

5.1 Critical Characteristics – Requirements Evaluation 9

Table 5-1: Critical Characteristics Matrix 10

5.2 If needed…. 11

5.3 If needed…. 11

6.0 EVALUATION PROCESS 11

6.1 Methods of Evaluation of the Vendor Items and Services 11

6.2 Evaluation of the Vendor Items and Services 11

6.3 Additional Digital System Considerations 11

6.4 Testing and Qualification of Commercial Grade Items and Services 11

7.0 SOFTWARE DIGITAL SYSTEM CONTROL - CYBER SECURITY 11

7.1 Software Lifecycle – Compliance with Regulatory Guide 1.173 11

Table 7-1: Software Lifecycle Traceability Matrix 12

7.2 Software Configuration Control 14

7.3 Secure Development Environment 14

7.4 Password Control 14

7.5 Virus Scanning 14

7.6 Intrusion Detection 14

7.7 Backup or Recovery 14

7.8 Network Communications Security 15

8.0 HAZARD ANALYSIS 15

8.1 System Safety Functional Requirements 15

8.2 Failure Mode and Effects Analysis (FMEA) 15

8.3 Common Mode Software Failure Considerations 15

8.4 System Level Diversity and Defense in Depth Considerations 15

8.5 Electrical Separations, Impact of Power Transfers, etc. 15

8.6 Appendix R or NFPA 805 Considerations 15

8.7 Equipment Qualification Considerations 15

9.0 OBSERVATIONS AND CONCLUSIONS 15

10.0 REFERENCES 15

1.0 INTRODUCTION

1.1 Purpose and Scope of Review

Describe the purpose and scope of the report.

Example

This report documents the evaluation of {item or service} and demonstrates that it will successfully perform its intended design function for {application}.

1.2 Vendor Relationships and Responsibilities

Define the scope of supply of each vendor and responsibilities.

1.3 Review Approach and Methodology

Describe the process and standards used.

Example

This CDR is prepared using the processes described in EPRI Topical Report TR-106439, “Guideline on Evaluation and Acceptance of Commercial Grade Digital Equipment for Nuclear Safety Applications”. The Safety Evaluation for EPRI TR-106439 (ADAMS ML092190664) stated that “The staff has determined that TR-106439 contains an acceptable method for dedicating commercial grade digital equipment for use in nuclear power plant safety applications and meets the requirements of 10 CFR Part 21. Further, the staff concludes that when digital equipment is dedicated using the methods described in TR-106439, it may be considered equivalent to digital equipment designed and manufactured under a 10 CFR Part 50, Appendix B quality assurance program. Licensees may utilize the TR-106439 approach when installing digital modifications utilizing commercial grade equipment. This includes microprocessors that are embedded in electrical and mechanical equipment as well as process instrumentation and control systems. While the staff finds TR-106439 acceptable, it is a generic proposal and therefore, licensees referencing TR-106439 will need to document the details regarding the dedication process and specific critical characteristics including the verification information described in Standard Review Plan Chapter 7 such as qualification reports, system description and software and hardware design and quality assurance documentation.”

2.0 MODIFICATION SCOPE:

Describe the modification, items or service. Where applicable identify specific vendor part numbers and software/firmware versions.

3.0 SYSTEM DESIGN OR FUNCTIONAL REQUIREMENTS

Describe the requirements of the system or item. Refer to plant FSAR, and other design bases documents.

3.1 {system} Operational Design Bases

3.2 {system} Procurement Requirements

Also define any specific digital or software requirements as applicable.

3.3 {system} Safety Classification

Also define any specific software classification as applicable.

4.0 QUALITY ASSURANCE REQUIREMENTS TRACEABILITY

The purpose of Table 4-1 (below) is to document the review of the vendor quality assurance program, software documentation, etc. to determine whether the vendor documents satisfy the customer requirements. Where applicable, the vendor document number is cross-referenced to the customer requirement.

If the vendor provided documentation does not fully satisfy the customer requirements, describe how the gap between the customer requirements and the vendor documents is addressed.

Table 4-1: QA Documentation Requirements Traceability Matrix

Columns: Requirement / {customer} Requirements, Regulatory Requirements, Reference Standards / {Vendor} Documents / Satisfies {customer} Requirements / Comments

Rows (Documentation Required to Satisfy {customer} Requirements):
Quality Assurance
Procurement
Software Classification
Requirements Specifications
Design Descriptions
Software Configuration Management
Disaster Recovery
Security
System Testing


5.0 SYSTEM CRITICAL CHARACTERISTICS – REQUIREMENTS

5.1 Critical Characteristics – Requirements Evaluation

Describe how the critical characteristics were determined

Example

Critical characteristics are those important design, material, and performance characteristics of a commercial grade item that, once verified, will provide reasonable assurance that the item will perform its intended safety function.

The system critical characteristics and system requirements are defined by the equipment Functional Requirements Specification {customer document}. Table 5-1 provides a traceability matrix from the {customer} specific critical characteristics and requirements, to the vendor provided evaluations and reports that demonstrate that the system will perform its safety related functions. Where required, this review identifies the gaps between the vendor provided documentation and {customer} requirements, and the method of mitigation of those gaps.


Table 5-1: Critical Characteristics Matrix

Columns: Specification Section / Description of Requirement / Comments / Compliance With Requirements and Additional Mitigation Actions / Applicable Standards / Method of Verification / Verification References


5.2 If needed….

5.3 If needed….

Provide a detailed description or evaluation of any item in Table 5-1. Reference these sections in the table.

6.0 EVALUATION PROCESS

6.1 Methods of Evaluation of the Vendor Items and Services

Describe the method(s) used. Although this is not a “dedication”, the processes described in section 7.0 of QAP-19.7 may be consulted to help determine a method of evaluation. The scope of evaluation and controls should consider the potential impact of the item on operations.

6.2 Evaluation of the Vendor Items and Services

Describe the evaluation and the results.

6.3 Additional Digital System Considerations

If applicable, describe any additional requirements from section 10.0 of procedure QAP-19.7 such as software V&V activities.

6.4 Testing and Qualification of Commercial Grade Items and Services

Describe the testing and qualification of the item or services.

·  Seismic (i.e. II over I)

·  EMI/RFI (i.e. emissions)

·  Environmental (will be reliable in the normal environment)

·  Functional – operational

7.0 SOFTWARE DIGITAL SYSTEM CONTROL - CYBER SECURITY

7.1 Software Lifecycle – Compliance with Regulatory Guide 1.173

Regulatory Guide 1.173, Rev. 1, “Developing Software Life Cycle Processes for Digital Computer Software Used in Safety Systems of Nuclear Power Plants,” endorses IEEE Std 1074-2006, “IEEE Standard for Developing Software Life Cycle Processes,” subject to the provisions and exceptions identified in the regulatory guide, as providing an approach acceptable to the NRC staff for meeting the regulatory requirements and guidance as they apply to development processes for safety system software.

Table 7-1: Software Lifecycle Traceability Matrix

Columns: IEEE Std 1074-2006 Requirement (as endorsed by RG 1.173) / {Customer} References, Regulatory Guides or Standards / IEEE Std 1074 Software Lifecycle Activities / Documentation Required to Satisfy Regulatory and {customer} Requirements

Rows:
A.1 Project Management Section
A.1.1 Project Initiation
A.1.2 Project Planning
A.1.3 Project Monitoring and Control
A.2 Pre-development Section
A.2.1 Concept Exploration
A.2.2 System Allocation
A.3 Development Section
A.3.1 Requirements Process
A.3.2 Design
A.3.3 Implementation
A.4. Post-development Section
A.4.1 Installation
A.4.2 Operation and Support
A.4.3 Maintenance
A.4.4 Retirement
A.5 Support Section
A.5.1 Evaluation
A.5.2 Software Configuration Management
A.5.3 Documentation Development
A.5.4 Training


7.2 Software Configuration Control

Regulatory Guide 1.169 Revision 1, “Configuration Management Plans for Digital Computer Software Used in Safety Systems of Nuclear Power Plants,” endorses IEEE Standard 828-2005, “IEEE Standard for Configuration Management Plans,” as providing an acceptable approach for planning configuration management.

7.3 Secure Development Environment

Secure Development Environment is defined in Regulatory Guide 1.152, Revision 3 as the condition of having appropriate physical, logical and programmatic controls during the system development phases (i.e., concepts, requirements, design, implementation, testing) to ensure that unwanted, unneeded and undocumented functionality (e.g., superfluous code) is not introduced into digital safety systems.

Secure Operational Environment is defined as the condition of having appropriate physical, logical and administrative controls within a facility to ensure that the reliable operation of digital safety systems is not degraded by undesirable behavior of connected systems and events initiated by inadvertent access to the system.

The establishment of a Secure Development and Operational Environment (SDOE) for digital safety systems, in the context of Regulatory Guide 1.152, refers to:

(1) measures and controls taken to establish a secure environment for development of the digital safety system against undocumented, unneeded and unwanted modifications and

(2) protective actions taken against a predictable set of undesirable acts (e.g., inadvertent operator actions or the undesirable behavior of connected systems) that could challenge the integrity, reliability, or functionality of a digital safety system during operations.

These SDOE actions may include adoption of protective design features into the digital safety system design to preclude inadvertent access to the system and/or protection against undesirable behavior from connected systems when operational.

7.4 Password Control

Describe the provisions provided as applicable.

7.5 Virus Scanning

Describe the provisions provided as applicable.

7.6 Intrusion Detection

Describe the provisions provided as applicable.

7.7 Backup or Recovery

Describe the provisions provided as applicable.

7.8 Network Communications Security

Describe the provisions provided as applicable.

8.0 HAZARD ANALYSIS

8.1 System Safety Functional Requirements

Describe the system safety functions as described in the FSAR and other design basis documents. Refer to NEI 01-01 Supplement A for other considerations to be addressed.

Also address any beyond design basis events where the system is used to mitigate the event.

8.2 Failure Mode and Effects Analysis (FMEA)

Refer to EP-11.

Discuss the system level effects of any failures and impact on functional requirements.

8.3 Common Mode Software Failure Considerations

Refer to NUREG 0800, Chapter 7, BTP-7-19. Identify whether any common mode failures are postulated and how they are mitigated. Address the system level D3 analysis in Section 8.4 below.

8.4 System Level Diversity and Defense in Depth Considerations

Refer to NUREG 0800, Chapter 7, BTP-7-19.

8.5 Electrical Separations, Impact of Power Transfers, etc.

8.6 Appendix R or NFPA 805 Considerations

8.7 Equipment Qualification Considerations

·  Seismic (i.e. II over I)

·  EMI/RFI (i.e. emissions)

·  Environmental (will be reliable in the normal environment)

·  Etc.

9.0 OBSERVATIONS AND CONCLUSIONS

10.0 REFERENCES
