EH-91-1 Computer Code Quality Assurance
                           ENVIRONMENT, SAFETY & HEALTH

                                    BULLETIN

Assistant Secretary for                              U.S. Department of Energy
Environment, Safety & Health                         Washington, D.C. 20585

DOE/EH-0167                      Issue No. 91-1                  February 1991

COMPUTER CODE QUALITY ASSURANCE

BACKGROUND

Computer codes are used throughout the Department of Energy (DOE) complex for
the design, control, and monitoring of nuclear, physical, and chemical
processes.  Codes are also used to model, analyze, and calculate data vital to
DOE facilities and laboratories to support determination of facility
compliance with various worker protection and environmental requirements. This
safety and health Bulletin is in response to several problems stemming from
inadequate verification and validation of computer codes and from code users
not having a thorough knowledge and understanding of the assumptions and
default values employed in computer code software. These problems have thus
compromised the resulting calculations.

DISCUSSION

In April 1986, Westinghouse Hanford identified a coding error in software
associated with the TRU (transuranic) Waste Assayer.  The software, developed
by another DOE contractor and referred to as GENII code, incorrectly
calculated the activity concentration (nCi/gm) of the waste.  Approximately
sixteen 55-gallon drums were classified as low-level waste when, in fact, they
were TRU waste.  (SPMS UOR-ID: 3305)

The software calculates the potential doses that might result from routine
emissions, as well as postulated accidental releases, of radioactive materials
from the Hanford Site (Napier, Peloquin, Strenge, and Ramsdell, 1988, GENII -
The Hanford Environmental Dosimetry Software System, PNL-6584, Pacific
Northwest Laboratory, Richland, WA).  During hand verification of Version
1.395 in December 1989, an error was discovered in the acute dispersion module
of GENII.  The wind directions used in computing the atmospheric dilution
following hypothetical acute releases were off by 180 degrees.  The net effect
of the program error was that results of many acute release calculations
performed the previous year were in error by as much as a factor of 2. Results
from GENII have been used in safety analysis reports and hazard
classifications for new and/or modified facilities.  (SPMS UOR-ID: 4689)
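The hand verification described above checks a code's computed result against an independently worked value. The following harness is an added illustration of that practice and is not GENII code or any DOE code package: it compares a dispersion module's transport bearing against hand-worked compass sectors and recognizes the signature of a uniform 180-degree convention error (the "from" bearing fed straight through as the "toward" bearing). The function names, the sector table and the hand cases are constructed for this example.

```python
"""Hand-verification harness for a dispersion module's wind-direction
convention (added illustration, not GENII code).

Meteorological convention: a wind direction of 270 degrees means the wind
blows FROM the west, so a plume travels TOWARD 90 degrees (east). A module
that uses the 'from' bearing directly as the transport bearing is off by
exactly 180 degrees; a hand check with a handful of cases exposes it."""

from dataclasses import dataclass

# 16-point compass sectors, 22.5 degrees wide, centred on N = 0 degrees.
SECTORS = ["N", "NNE", "NE", "ENE", "E", "ESE", "SE", "SSE",
           "S", "SSW", "SW", "WSW", "W", "WNW", "NW", "NNW"]


def sector_of(bearing_deg: float) -> str:
    """Map a bearing in degrees to its 16-point compass sector label."""
    idx = int(((bearing_deg % 360) + 11.25) // 22.5) % 16
    return SECTORS[idx]


def plume_bearing_correct(wind_from_deg: float) -> float:
    """Transport bearing: opposite to the direction the wind blows from."""
    return (wind_from_deg + 180.0) % 360.0


def plume_bearing_flawed(wind_from_deg: float) -> float:
    """Hypothetical flawed version: treats the 'from' bearing as 'toward'."""
    return wind_from_deg % 360.0


@dataclass(frozen=True)
class HandCase:
    wind_from_deg: float
    expected_sector: str   # worked out by hand, independently of the code


# Constructed hand cases: the four cardinal winds plus one off-axis wind.
HAND_CASES = [
    HandCase(0.0, "S"),      # north wind carries the plume south
    HandCase(90.0, "W"),
    HandCase(180.0, "N"),
    HandCase(270.0, "E"),
    HandCase(337.5, "SSE"),
]


def verify(plume_fn, cases=HAND_CASES):
    """Run the hand cases through plume_fn.

    Returns (n_checked, discrepancies), where each discrepancy is
    (wind_from_deg, expected_sector, computed_sector)."""
    discrepancies = []
    for case in cases:
        got = sector_of(plume_fn(case.wind_from_deg))
        if got != case.expected_sector:
            discrepancies.append((case.wind_from_deg, case.expected_sector, got))
    return len(cases), discrepancies


def all_opposite(discrepancies) -> bool:
    """True when every mismatch is the exact opposite sector of the expected
    one, i.e. the signature of a uniform 180-degree convention error."""
    return bool(discrepancies) and all(
        SECTORS.index(got) == (SECTORS.index(exp) + 8) % 16
        for _, exp, got in discrepancies)


if __name__ == "__main__":
    for name, fn in [("flawed", plume_bearing_flawed),
                     ("correct", plume_bearing_correct)]:
        n, bad = verify(fn)
        print(f"{name}: {n} cases, {len(bad)} discrepancies, "
              f"uniform 180-degree offset: {all_opposite(bad)}")
```

The value of the harness lies in the hand cases being worked out without reference to the code; a case set derived from the code's own output would confirm the error rather than find it.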

More recently, Westinghouse Hanford identified the use of default values
within the GENII code that were inappropriate for the intended calculations.
The code contained default values for solubility classes of various
radioisotopes.  For plutonium, GENII used a "Y" solubility class
(characteristic of oxides) as a default, typical of the majority of Hanford
operations.  The "W" solubility class for plutonium (characteristic of
nitrates), although less commonly used, resulted in a higher calculated
committed effective dose equivalent.  GENII code calculations were performed
using the default "Y" solubility class when "W" was indicated.  This resulted
in underestimating the calculated dose by a factor of less than 10, depending
on the combination of radionuclides assumed to be released and the pathways
evaluated.  The error required recalculation of reported doses for routine
releases and potential accident situations for several facilities.

The FIREONE/FIRETWO computer code calculates fire duration and fire severity
in compartments as a function of compartment geometry, ventilation, heat
dissipation properties, and combustible quantities.  The code is used to
predict fire severity from postulated combustibles as a basis for evaluating
the adequacy of fire barrier configurations, ratings, and fire protection
systems (FIREONE/FIRETWO Fire Duration and Severity Calculation Software,
HEDL-7542, G. F. Larson, September 1984).  During verification of
FIREONE/FIRETWO by Westinghouse Hanford in February 1990, a software error was
discovered that apparently had existed since the release of the code in 1984.
The error in the code involved the computation of the maximum average gas
temperature resulting from burning the postulated combustibles in the
compartment.  The effect of the error was to underpredict the maximum average
gas temperature.  The FIREONE/FIRETWO code was used in design studies and
safety analyses with the results of, and recommendations resulting from, the
studies being incorporated into various Preliminary Safety Analysis Reports
(PSAR) and Final Safety Analysis Reports (FSAR).  (SPMS UOR-ID: 5023)

Standards for software quality assurance dictate that software must perform
the functions for which it is intended and must not perform any unintended
function (ASME NQA-2, Draft, Part 2.7).  Software-developing organizations
must assure that the appropriate level of verification and validation has been
performed prior to use or distribution of all software codes.  However, this
does not relieve the user of the responsibility for assuring that acquired
codes adequately perform the functions for which they are intended.

Users also must have a thorough knowledge and understanding of the assumptions
and default values used in the design of the software as documented in
Technical Manuals and User Guides.  All assumptions and defaults must be
challenged by a qualified expert in the discipline for which the software is
used.  The documentation that accompanies the software should include a
rationale for the system assumptions, a description of the defaults, and the
methodology for changing the defaults.
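The documentation practice called for above (a rationale for each default, a description of the defaults, and a method for changing them) can be carried into the code itself so that a default is never taken silently. The following is an added illustration, not code from GENII or any DOE code package: each parameter carries its default, the rationale for it, the permitted values, and a flag marking it as one a qualified expert must confirm for every analysis. Resolving a case returns the values actually used together with a report of every default applied, and refuses to proceed when a flagged parameter was left at its default without an attributed confirmation. The parameter names, the "Y"/"W" example values and the registry contents are constructed for this example.

```python
"""Documented defaults with an audit trail (added illustration, hypothetical
code, not from any DOE code package)."""

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Parameter:
    name: str
    default: object
    rationale: str               # why this default was chosen
    allowed: tuple = ()          # permitted values; empty means unrestricted
    expert_review: bool = False  # must be confirmed for each analysis


@dataclass
class Resolution:
    values: dict = field(default_factory=dict)
    # (name, default, rationale, confirmer) for every default actually used
    defaults_used: list = field(default_factory=list)


class UnconfirmedDefault(Exception):
    """A reviewed parameter was left at its default with no confirmation."""


# Constructed registry: a solubility class whose default suits most but not
# all cases, plus an unreviewed geometric parameter.
REGISTRY = {
    "pu_solubility_class": Parameter(
        name="pu_solubility_class",
        default="Y",
        rationale="Oxide forms dominate routine operations at the site",
        allowed=("D", "W", "Y"),
        expert_review=True),
    "release_height_m": Parameter(
        name="release_height_m",
        default=10.0,
        rationale="Typical stack height for this facility class"),
}


def resolve(registry, case_inputs, confirmations=None):
    """Merge explicit case inputs over registry defaults.

    confirmations maps a parameter name to the identity of the expert who
    confirmed that its default is appropriate for this case.  Raises
    ValueError for an unknown parameter or a value outside the permitted
    set, and UnconfirmedDefault when an expert-review parameter is neither
    given explicitly nor confirmed."""
    confirmations = confirmations or {}
    unknown = set(case_inputs) - set(registry)
    if unknown:
        raise ValueError(f"unknown parameters: {sorted(unknown)}")
    result = Resolution()
    for name, param in registry.items():
        if name in case_inputs:
            value = case_inputs[name]
            if param.allowed and value not in param.allowed:
                raise ValueError(f"{name}={value!r} not in {param.allowed}")
            result.values[name] = value
            continue
        if param.expert_review and name not in confirmations:
            raise UnconfirmedDefault(
                f"{name} left at default {param.default!r} "
                f"without expert confirmation")
        result.values[name] = param.default
        result.defaults_used.append(
            (name, param.default, param.rationale, confirmations.get(name)))
    return result


if __name__ == "__main__":
    # Nitrate-form case: the analyst must state "W" explicitly.
    r = resolve(REGISTRY, {"pu_solubility_class": "W"})
    print(r.values, r.defaults_used)
    # Oxide-form case left at the default, but confirmed and attributed.
    r = resolve(REGISTRY, {}, confirmations={"pu_solubility_class": "reviewer: A. Expert"})
    print(r.defaults_used)
```

The defaults_used report is what a reviewer attaches to the calculation record: it shows which values came from the code's defaults, why those defaults exist, and who accepted them for this particular case.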

RECOMMENDATIONS

Order DOE 1330.1C, Computer Software Management, of 1-12-90, is a requirement
for all DOE facilities, and each site should develop its own software
methodology.  To avoid misleading or poor computer code calculations and to
support safe operations, we recommend as part of your methodology that you
consider the following:

1. Conduct a thorough evaluation of all critical software in use.

 a. Identify all critical software to determine if adequate verification and
    validation have been performed and documented to assure software functions
    only as designed.

 b. Ensure the adequacy of all critical software documentation.  This should
    include both technical and user manuals.

 c. Identify all generic and site-specific parameters to determine if they are
    appropriate for their current application.

 d. Challenge all assumptions and their default values, employing a qualified
    expert.

2. Train all users.

 a. Assure that each user understands the assumptions and default values used.

 b. Assure that each user understands how and why to change a default value.

 c. Assure that each user understands who is authorized to change a default
    value.

3. Verify that modifications perform only the function for which they were
   designed and do not perform unintended functions.

-----------------------------------------------------------------------------
This Safety Bulletin is one in a series of publications issued by EH to share
occupational safety and health information throughout the DOE complex.  For
more information contact Eleanor Crampton, Performance Assessment Division,
Office of Environment, Safety and Health, U.S. Department of Energy,
Washington, DC 20545; Telephone FTS 233-3732, Commercial (301) 353-3732.
-----------------------------------------------------------------------------
U.S. G.P.O. 1991-281-714:40061