DCL-12-083, Response to Request for Additional Information on License Amendment Request for Digital Process Protection System Replacement


Response to Request for Additional Information on License Amendment Request for Digital Process Protection System Replacement
ML12256A308
Person / Time
Site: Diablo Canyon (Pacific Gas & Electric)
Issue date: 09/11/2012
From: Welsch J
Pacific Gas & Electric Co
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
DCL-12-083, TAC ME7522, TAC ME7523


Text

Pacific Gas and Electric Company
James M. Welsch
Station Director
Diablo Canyon Power Plant
Mail Code 104/5/502
P. O. Box 56
Avila Beach, CA 93424
805.545.3242
Internal: 691.3242
Fax: 805.545.4234
Internet: JMW1@pge.com

September 11, 2012

PG&E Letter DCL-12-083

U.S. Nuclear Regulatory Commission
ATTN: Document Control Desk
Washington, DC 20555-0001

10 CFR 50.90

Docket No. 50-275, OL-DPR-80
Docket No. 50-323, OL-DPR-82
Diablo Canyon Units 1 and 2
Response to Request for Additional Information on License Amendment Request for Digital Process Protection System Replacement

References:

1. PG&E Letter DCL-11-104, "License Amendment Request 11-07, Process Protection System Replacement," dated October 26, 2011 (ADAMS Accession No. ML11307A331).
2. Digital Instrumentation and Controls DI&C-ISG-06 Task Working Group #6: "Licensing Process Interim Staff Guidance," Revision 1, January 19, 2011 (ADAMS Accession No. ML110140103).
3. NRC Letter "Diablo Canyon Power Plant, Unit Nos. 1 and 2 - Acceptance Review of License Amendment Request for Digital Process Protection System Replacement (TAC Nos. ME7522 and ME7523)," dated January 13, 2012.

4. NRC Letter "Diablo Canyon Power Plant, Unit Nos. 1 and 2 - Request For Additional Information Regarding Digital Replacement of the Process Protection System Portion of the Reactor Trip System and Engineered Safety Features Actuation System (TAC NOS. ME7522 AND ME7523)," dated August 7, 2012 (ADAMS Accession No. ML12208A364).

Dear Commissioners and Staff:

In Reference 1, Pacific Gas and Electric (PG&E) submitted License Amendment Request (LAR) 11-07 to request NRC approval to replace the Diablo Canyon Power Plant (DCPP) Eagle 21 digital process protection system (PPS) with a new digital PPS that is based on the Invensys Operations Management Tricon, Version 10, Programmable Logic Controller and the CS Innovations, LLC (a Westinghouse Electric Company), Advanced Logic System. The LAR format and contents in Reference 1 are consistent with the guidance provided in Enclosure E and Section C.3, respectively, of Digital Instrumentation and Controls (I&C) Revision 1 of Interim Staff Guidance Digital I&C-ISG-06, "Licensing Process" (ISG-06) (Reference 2). In Reference 3, the NRC staff documented its acceptance of Reference 1 for review.

A member of the STARS (Strategic Teaming and Resource Sharing) Alliance: Callaway • Comanche Peak • Diablo Canyon • Palo Verde • San Onofre • Wolf Creek

The NRC requested additional information to complete the review of Reference 1 in Reference 4. This letter responds to the additional information requested in Reference 4.

If you have any questions, or require additional information, please contact Mr. Tom Baldwin at (805) 545-4720.

This information does not affect the results of the technical evaluation or the significant hazards consideration determination previously transmitted in Reference 1.

This communication contains regulatory commitments (as defined by NEI 99-04).

The commitments are identified in Attachment 1 to the Enclosure.

I state under penalty of perjury that the foregoing is true and correct.

Executed on September 11, 2012.

Sincerely,

James M. Welsch
Interim Site Vice President

kjse/4328
SAPN 50505545

Enclosure

cc: Diablo Distribution

cc/enc:
Elmo E. Collins, NRC Region IV
Dean H. Overland, NRC, Senior Resident Inspector
Gonzalo L. Perez, Branch Chief, California Department of Public Health
Joseph M. Sebrosky, NRR Project Manager
Alan B. Wang, NRR Project Manager

Enclosure PG&E Letter DCL-12-083 Response to Request for Additional Information on License Amendment Request for Digital Process Protection System Replacement

In Pacific Gas and Electric (PG&E) Letter DCL-11-104, "License Amendment Request 11-07, Process Protection System Replacement," dated October 26, 2011 (ADAMS Accession No. ML11307A331), PG&E submitted License Amendment Request (LAR) 11-07 to request NRC approval to replace the Diablo Canyon Power Plant (DCPP) Eagle 21 digital process protection system (PPS) with a new digital PPS that is based on the Invensys Operations Management Tricon, Version 10, Programmable Logic Controller and the CS Innovations, LLC (a Westinghouse Electric Company), field programmable gate array based Advanced Logic System (ALS). The LAR 11-07 format and contents are consistent with the guidance provided in Enclosure E and Section C.3, respectively, of Digital Instrumentation and Controls (I&C) Revision 1 of Interim Staff Guidance Digital I&C-ISG-06, "Licensing Process" (ISG-06). The staff documented its acceptance of LAR 11-07 for review in the NRC Letter "Diablo Canyon Power Plant, Unit Nos. 1 and 2 - Acceptance Review of License Amendment Request for Digital Process Protection System Replacement (TAC Nos. ME7522 and ME7523)," dated January 13, 2012.

The staff requested additional information to support the review of LAR 11-07 in NRC Letter "Diablo Canyon Power Plant, Unit Nos. 1 and 2 - Request For Additional Information Regarding Digital Replacement of the Process Protection System Portion of the Reactor Trip System and Engineered Safety Features Actuation System (TAC NOS. ME7522 AND ME7523)," dated August 7, 2012 (ADAMS Accession No. ML12208A364). The requested additional information (RAI) is addressed below. Each RAI begins with a reference to an Open Item (OI) that corresponds to the number of the item in the OI table that PG&E has discussed with the NRC staff during various public meetings. RAIs ten and fourteen were not used and therefore do not require a response.

To address OI six and twenty, a change to the PPS replacement design is being implemented to use separate maintenance workstation (MWS) computers for the ALS and the Tricon subsystems, and to administratively control the ALS subsystem by physically disconnecting the communication link to the ALS MWS computer when the Test ALS Bus (TAB) is not being used for surveillance testing, maintenance, and trouble-shooting. This PPS replacement design change will be included in a supplement to LAR 11-07 to be submitted by November 30, 2012.

NRC RAI 1 (OI 6) LAR Sections 4.6, 4.10.2.4, and 4.11.1.2 provide insufficient information on the plant-specific application environmental factors. The Tricon V10 Safety Evaluation (ADAMS Accession No. ML11298A246), Section 6.2 lists 19 application-specific action items (ASAIs) that the licensee should address for plant-specific applications. The licensee should address each of these for the Tricon portion of the PPS replacement. Similar information for the ALS portion of the PPS replacement will also be required.

PG&E Response to RAI 1 PG&E will respond to the ALS ASAIs when they are issued as part of the NRC Safety Evaluation Report for the ALS Topical Report. PG&E will address the Tricon V10 Safety Evaluation ASAIs in a submittal by December 1, 2012.

NRC RAI 2 (OI 10) Plant Variable PPS Scope - In the Description section of the LAR, Section 4.1.3, nine plant variables are defined as being required for reactor trip system [RTS] and Section 4.1.4 lists seven plant variables that are required for the engineered safety features actuation system [ESFAS]. Three additional plant variables were also listed in Section 4.10.3.4.

Some variables are not listed in Section 4.10.3.4 as being PPS monitored plant parameters. It is therefore assumed that these parameters are provided as direct inputs to the solid state protection system (SSPS) and that the PPS is not relied upon for the completion of required reactor trip or safety functions associated with them. Provide additional information to confirm that these plant parameters and associated safety functions will continue to operate independently from the PPS and that the replacement PPS will not adversely impact the system's ability to reliably perform these functions.

PG&E Response to RAI 2 The LAR 11-07 Sections 4.1.3 and 4.1.4 describe the plant variables from which RTS and ESFAS protective functions are generated. The initiation signal outputs to the SSPS coincidence logic are generated in the PPS or other independent systems, or in some cases, by discrete devices. Section 4.1.3 Items 6 (reactor coolant pump bus undervoltage, underfrequency, and breaker position), 8 (Main Turbine trip fluid pressure and stop valve position), and 9 (seismic acceleration) are generated by discrete devices outside the PPS and provide direct contact inputs to the SSPS. Section 4.1.4 Items 6 (Containment Exhaust Radiation) and 7 (reactor trip (RT) breaker position Permissive P-4) are also generated outside the PPS and are direct contact inputs to the SSPS. The initiation signals associated with these plant parameters operate independently from the PPS. The replacement PPS will not adversely affect the reliable performance of the safety functions associated with these plant parameters.

The three signals (Wide Range reactor coolant system (RCS) Temperature and Pressure and Turbine Impulse Chamber Pressure) not listed in Sections 4.1.3 and 4.1.4 are monitored by the PPS per Section 4.10.3.4. The Wide Range RCS Pressure and Temperature signals are used to generate the low temperature overpressure function described in Section 5 of the DCPP Updated Final Safety Analysis Report (UFSAR). The PPS uses Turbine Impulse Chamber Pressure to generate an initiation signal that is used by the SSPS coincidence logic to develop Permissive P-13 as described in the response to RAI 3 below.

The Neutron Flux signal, which provides input to the Overtemperature ΔT (OTΔT) RT and the Overpower ΔT (OPΔT) RT, will be added to the LAR 11-07 Section 4.2 Table 4-2 in the LAR supplement.

NRC RAI 3 (OI 12) Permissive Functions - Several permissive functions are described within the LAR. It is not clear to the NRC staff whether any of these functions are to be performed by the PPS or if the PPS will only be providing input to external systems that in turn perform the permissive logic described in the LAR.

LAR Section 4.1.9, Pressurizer Pressure Protection Features, states, in part, that "[s]ettings of the bistable comparators used to develop the permissives are not affected by the PPS Replacement Project", which implies that all of these permissive functions are performed by systems other than the PPS. However, it is still unclear if this statement applies to all permissive functions described throughout the LAR or if it applies only to those permissives relating to Pressurizer Pressure. It is also possible that the permissive functions are being performed by the existing PPS and will continue to be performed by the replacement system and therefore remain "not affected" by the PPS replacement project. Please provide additional information for the following permissive functions to clearly define what the role of the PPS system will be for each.

  • P-4 Reactor Trip
  • P-6 Intermediate Range Permissive
  • P-7 Low Power Permissive (Bypasses low Ppzr reactor trip) [The LAR states that "These signals are generated in the PPS."]
  • P-8 Loss of Flow Permissive
  • P-9 Power Permissive
  • P-10 Power Range Power Low Permissive
  • P-11 Low Pressurizer Pressure SI Operational Bypass
  • P-12 No-Load Low-Low Tave Temperature Permissive
  • P-13 Turbine Low Power Permissive [The LAR states that "These signals are generated in the PPS."]
  • P-14 Hi-Hi Steam Generator Level

PG&E Response to RAI 3 Permissive function initiation signals generated within the existing PPS will continue to be performed by the replacement PPS; and therefore, remain "not affected" by the PPS replacement project. Permissive function initiation signals that are generated independently of the existing PPS will continue to be generated independently.

Permissive P-6, P-8, P-9, and P-10 initiation signals are bistable comparator outputs from the independent Nuclear Instrumentation System (NIS) to the SSPS. There is no interface with the PPS for Permissives P-6, P-8, P-9, and P-10. Permissive P-4 initiation signals are direct contact inputs to the SSPS coincidence logic generated from contacts in the Reactor Trip Breakers (RTB). There is no interface with the PPS for Permissive P-4. Permissive P-11, P-12, P-13, and P-14 initiation signals are generated by bistable comparator outputs generated in the PPS and sent to the SSPS. Permissive P-7 is generated in the SSPS from 3 out of 4 power range NIS channels (from NIS - P-10) below setpoint, and 2 out of 2 turbine impulse chamber pressure channels below setpoint (from PPS - P-13).

The bistable initiation signals described above are monitored by the SSPS. The SSPS generates the Permissive when appropriate coincidence of initiation signals is detected. No SSPS permissive or safety-function coincidence logic is changed by the PPS replacement project.

Permissives P-6, P-7, P-8, P-9, P-10, and P-13 are functionally described in UFSAR Table 7.2-2. Permissives P-4, P-11, P-12, and P-14 are functionally described in UFSAR Table 7.3-3.

The bistable comparator setpoints for the above-listed permissives are not expected to change, and hence are not affected as part of the PPS Replacement Project.

NRC RAI 4 (OI 15) A DI&C-ISG-04 compliance matrix for the DCPP PPS system was not submitted with, or referenced in, the LAR for the Westinghouse/ALS (W/ALS) platform. Instead, the DI&C-ISG-04 compliance Section 4.8 of the LAR refers the reader to the ALS licensing topical report for nearly all the points of DI&C-ISG-04.

Figures 4.4 and 4.5 of the LAR indicate various 1E and non-1E communication pathways to and from ALS processor (e.g., Maintenance Work Station, plant computer, process control, port aggregator, and 4-20 mA temperature signals to Tricon processor). These are all application-specific features of the PPS and the NRC staff expects a Westinghouse/CS Innovations (W/CSI) ALS document to be submitted, similar in scope and detail to the Invensys, "Pacific Gas & Electric Company Nuclear Safety-Related Process Protection System Replacement Diablo Canyon Power Plant DI&C-ISG-04 Conformance Report," Document No. 993754 912 Revision 0, to be submitted on the docket, which explains how the ALS portion of the PPS application conforms with the guidance of DI&C-ISG-04. Please provide this document with sufficient detail to determine how the W/ALS processor complies with DI&C-ISG-04.

PG&E Response to RAI 4 CS Innovations is developing the ISG-04 compliance matrix table for the ALS platform and PG&E will submit the table by October 15, 2012.

NRC RAI 5 (OI 16) PPS Network Equipment Testing - Section 1.4.4, System Communication (page 12/38) of Document No. 993754-1-813(P), Revision 0, "Pacific Gas & Electric Company, Nuclear Safety-Related Process Protection System Replacement, Diablo Canyon Power Plant, Validation Test Plan (VTP)," dated October 13, 2011, states, in part, that "The network equipment, including media converter, NetOptics Network Aggregator Tap, and gateway hub, and the MWS will not be within the test scope of this VTP. The Nuclear Delivery (ND) group will coordinate with Pacific Gas & Electric for system staging prior to turn over to Nuclear IV&V [independent verification and validation]. The Nuclear IV&V group will confirm proper operation of network communications system interfaces before beginning testing addressed in this VTP."

The NRC staff requests information on when, where, and what test plans and procedures will be used to test the network equipment. Test plans for testing this equipment should be submitted to the staff for review.

PG&E Response to RAI 5 The Invensys Operations Management Document "993754-1-813 Revision 0, Validation Test Plan" has been updated to Revision 1 and was submitted in 0 to the Enclosure of PG&E Letter DCL-12-069, dated August 2, 2012 (ADAMS Accession No. ML12222A094). Invensys Operations Management Document "993754-1-813 Revision 1, Validation Test Plan," addresses testing of the network equipment, including media converter, NetOptics Network Aggregator Tap, gateway switch, and the MWS.

NRC RAI 6 (OI 17) Section 5.1.4, Hardware Validation Test (HVT), (page 27/38) of Document No. 993754-1-813(P) states that the ALS equipment will not be included in the factory acceptance testing (FAT). This issue was discussed with PG&E and its contractors and PG&E proposed performance of separate but overlapping tests at each factory to accomplish the integration test. The NRC staff has concerns over the fact that the MWSs to be installed in the plant would only be tested during the Tricon FAT, and not tested in the fully integrated PPS configuration. In order to complete its safety evaluation, the new PPS configuration must be fully tested in an integrated manner so that all phases of the system's verification and validation (V&V) can be reviewed and credited in the safety finding. The staff requests information on where, when, and the test plans and/or procedures that will be used to fully test the integrated PPS system (both Tricon V10 and ALS platforms together).

PG&E Response to RAI 6 To address the staff issues on testing of the fully integrated PPS replacement configuration in RAIs six and twenty, PG&E has decided to revise the PPS replacement design to use separate MWSs for the ALS and the Tricon subsystems for each protection set. This design change provides separation of the MWSs and software for the ALS and the Tricon subsystems. The MWSs for the ALS and the Tricon subsystems will be connected to a keyboard/video/mouse/touchscreen (KVMT) switch. The use of a KVMT switch allows one keyboard, mouse, and touchscreen video display to be used for each protection set. The change to the PPS replacement design to use separate MWSs for the ALS and the Tricon subsystems will be included in a supplement to LAR 11-07.

An integrated FAT, with the ALS connected to the Tricon will not be performed because the ALS and Tricon FAT will be performed in different locations. The overlapping test methodology illustrated in Figure 1, PPS Replacement Acceptance Testing Overlap, and described below, will ensure that all specified PPS safety function requirements for each platform are verified at the respective FAT.

Following completion of the FAT at each vendor facility, PG&E will stage the integrated system and perform an integrated end-to-end test. A detailed description of the FAT and Site Acceptance Testing (SAT) for the revised PPS replacement design and the FAT and SAT plan outline is contained below.

Detailed Description of FAT and SAT for Revised PPS Replacement Design The ALS and the Tricon are directly connected via the analog RCS temperature channels. The ALS provides Class 1E signal conditioning for the pressurizer vapor space temperature, RCS wide range temperature, and narrow range resistance temperature detector (RTD) inputs to the OPDT and OTDT thermal trip functions due to its improved ability to process 200 Ohm RTD inputs versus Triconex. The ALS processes the resistance (ohms) RTD input signals and transmits the temperature values to the Tricon as analog 4 to 20 milliamps (mA) signals for the respective protection set.

The resistance to mA conversion will be tested at the ALS FAT to verify that all requirements specified for converting the resistance to current are met. The Tricon FAT will test these channels by injecting the corresponding 4 to 20 mA signals into the Tricon and verifying that all requirements specified for the temperature channels are met. After the FAT, the equipment will be shipped to DCPP, and then both systems will be integrated to perform the SAT which will test the analog interface directly along with other interfaces that cannot be tested at the FAT, such as the connection to the gateway switch connected to the plant data network (PDN) gateway computer. The gateway switch and gateway computer(s) were installed in the plant by a previous project and therefore are existing installed plant equipment and need not be tested explicitly at the FAT or SAT.

Within each protection set, the ALS and the Tricon are connected to separate and independent MWSs via dedicated digital communication links as shown in Figure 1.

The two MWS units share a common KVMT interface through a KVMT switch. The KVMT switch allows the two MWS computers to share common peripherals, but does not allow communications between or among any of the computers that are connected to it.

Tricon communications with its dedicated MWS computer are bidirectional (read/write) using the Triconex NET2 port via the fiberoptic media 4352AN Tricon communications module (TCM). As discussed in Section 3.1.2.9 of the Triconex V10 Safety Evaluation Report [ADAMS Accession No. ML1209008902], the TCM handles all Tricon communications with external devices, thus providing functional isolation.

The ALS communications with its dedicated MWS computer are via the unidirectional TXB2 communication links from the ALS-102 Boards. The TXB2 communication links are electrically isolated at the ALS-102 Boards. Unidirectional communications provides functional isolation from the MWS. The unidirectional nature of the links will be verified at the FAT.

For each protection set, the ALS and the Tricon are connected via dedicated digital communication links to the PDN gateway computer as shown in Figure 1. A port aggregator network tap is connected between the Tricon and the MWS via bidirectional Port A and Port B. All network traffic between Port A and Port B is reflected to unidirectional Port 1. There is no communication path from Port 1 to either Port A or Port B. In addition to the functional isolation provided by the TCM, the port aggregator provides further functional isolation between the Gateway computer and the Tricon. The connection between aggregator Ports A and B is passive. The port Aggregator does not perform any signal processing with respect to communications between Ports A and B, and loss of power to the port aggregator will not prevent communications between Ports A and B.

An unmanaged Ethernet switch is provided between the port aggregator network tap Port B and the Tricon MWS to ensure continued Multicast operation (and availability of Tricon data to the Gateway Computer) in the event of MWS network communication failure. Without the Ethernet switch, Multicast transmission would cease on loss of the link up to the MWS computer. Continued Multicast operation in the event of MWS failure will be verified at FAT.

The ALS communications with the Gateway computer are via the unidirectional TXB1 communication links from the ALS-102 Boards. The TXB1 communication links are electrically isolated at the ALS-102 Boards. Unidirectional communications provides functional isolation from the Gateway computer. The unidirectional nature of the links will be verified at the ALS FAT.

The ALS also communicates with ALS Service Unit (ASU) application software in the ALS MWS computer via the bidirectional TAB communication link. Per the ALS Topical Report [ADAMS Accession No. ML102570797], Table 5-2, Item 8, the TAB bus is used for communication of information from and to the ASU with the ALS Platform. This communication process is independent from the safety function logic.

To enable the TAB bus to the ASU requires physical connection of a communications cable. When the TAB is enabled, an alarm is activated locally and in the main control room. The TAB will be physically disconnected from the ALS MWS computer when the TAB is not in use. The TAB bus and its interfaces are designed such that the buses are nonintrusive, in that the bus cannot interfere with processing of any information or data on the Reliable ALS Bus (RAB). The ALS FAT will verify that the TAB, when enabled, does not interfere with ALS logic processing.

Per the ALS System Design Specification, CS Innovations Document No. 6116-00011 [ADAMS Accession No. ML110600695], the ALS allows for online maintenance of an operational system such as the bypassing and control of individual ALS outputs and the calibration of individual ALS input/output (I/O) without affecting adjacent non-bypassed safety channels. The ALS Topical Report, Section 3.4, describes calibration of an analog I/O channel using the ASU. The ASU is used to select the channel to be calibrated and place that particular channel in BYPASS mode before the external test equipment is connected to the channel wiring on test points located on the field terminal blocks. The channel is placed in CALIBRATE mode to perform the calibration. ALS Topical Report, Section 3.5, explains how specific digital output channels may also be placed in BYPASS or OVERRIDE mode from the ASU. The ALS FAT will verify that individual ALS outputs may be bypassed and controlled and individual ALS I/O may be calibrated without affecting adjacent non-bypassed safety channels.

For the Tricon and ALS FAT, PG&E will provide the MWS computer, port aggregator network tap, network switches, KVMT switch, KVMT and media converters as needed to test the complete interface between the MWS and the Tricon. The interface between the MWS and the Tricon is shown in Figure 1. Each protection set has its own separate and independent Tricon and ALS MWS computers. The MWS computers are not shared between or among protection sets. The MWS computers share KVMT hardware through the KVMT switch described above.

The Tricon FAT will be performed on all four protection sets. Each protection set will be integrated with all equipment necessary to support the FAT. The functionality of the Tricon MWS computer will be tested during the FAT to verify requirements specified in the PPS replacement Functional and Interface Requirements Specifications and the Tricon System Requirements Specification. The FAT will verify correct two-way data communications between the Tricon and the MWS through Ports A and B of the port aggregator. The FAT will verify that there is no inbound communication path from the network port aggregator tap Port 1 to either Port A or Port B. The Tricon FAT will verify operation of the KVMT switch.

PG&E will provide an MWS computer for the ALS FAT. The port aggregator is not required for the ALS. The communications from both TxB1 and TxB2 one-way RS-422 Ports will be tested to verify all specified data is being transmitted correctly.

The MWS data display application will be running to display the read only parameters.

The ASU software running on the MWS will be tested during the FAT to verify its functionality and to identify any interactions between the ALS ASU software, the ALS MWS data display application, and/or the ALS MWS operating system. The two-way EIA-485 TAB Port will be tested by physically connecting and disconnecting the TAB interface cable to verify the ability to isolate the MWS from the ALS, to update specified ALS parameters, and to perform trouble-shooting and diagnostic tasks.

All boards of the same type in the ALS platform have the same capabilities. The boards can be configured by the user to meet the requirements of any protection set. The FAT will be performed on each protection set configuration, including power supplies, the ALS MWS computer, and all associated equipment that supports the safety function for the specific protection set. That is, Protection Set 1 will be configured and tested with all the associated sensor inputs and appropriate loads on the digital and analog outputs. Upon completion of testing, the equipment will be reconfigured as Protection Set 2 and tested. The same process will be used for Protection Sets 3 and 4.

The PG&E SAT will be performed on an integrated system, including the MWS computers, port aggregator network tap, network switches, KVMT switch, KVMT and media converters shown in Figure 1. The physical connection of the temperature channels from the ALS to the Tricon will be verified during the SAT. The SAT will verify functions and connections that cannot be tested at the Tricon or ALS FAT, prior to installation in the plant. The integrated system used for SAT will also be used to perform training and to develop and verify operational and maintenance procedures.

Figure 1 - PPS Replacement Acceptance Testing Overlap

[Figure not reproduced; only its labels survived extraction. Labels: Protection Sets I to IV, ALS "A" and ALS "B"; links to PDN/PPC (not in PPS replacement project scope) and to the Control Room HMI (CC4); port aggregator taps (typical of 2) from Protection Sets II, III and IV; TAB cable disconnected when not in use (typical for ALS "A" and ALS "B"); RS-422 copper TxB1/TxB2 links; 100BaseT copper (typical of 2); TCM1 optical fiber (7L) and TCM2 (7R); NET2; NET1 (not used); triplicated RS-485 I/O bus; Class I / Class II boundary (Class II except TAB); 4-20 mA analog copper RTD signals; Primary RXM and Remote RXM; MWS. Dashed boxes mark the Scope of ALS FAT and the Scope of PG&E SAT. Note 1: Unused ports physically blocked and glued.]

FAT Plan Outline The Tricon FAT will test all specified safety-related functions and will also test the following interfaces:

1. Safety-related 4 to 20 mA direct current (DC) analog temperature input signals from ALS; these signals will be generated by a loop simulator or equivalent test equipment.
2. The FAT will verify bidirectional nonsafety NET2-Port communications from Tricon TCM 1 and TCM2 to the Tricon MWS through the two Ethernet media converters, and Ports A and B of the two port aggregator network taps.
3. The FAT will verify continued Multicast transmission from TCM1 and TCM2 in the event of MWS network communication failure.
4. The Tricon FAT configuration will include the MWS computers, port aggregator network tap, network switches, KVMT switch, and KVMT and media converters shown in Figure 1.
5. The FAT will verify no inbound communication path from Port 1 of the port aggregator network tap to either Port A or Port B exists, as previously stated in Section 4.2.13.1 of LAR 11-07.

The ALS FAT will test all specified safety-related functions and will also test the following interfaces:

1. Safety-related 4 to 20 mA DC analog temperature output signals to Tricon:

This interface will be monitored by external equipment to verify conversion and scaling. The ALS analog temperature output channels will be terminated with 250 ohm resistors to simulate the Triconex external termination assembly (ETA) panel. Voltage across the resistors will be measured to verify analog output function.

2. Unidirectional only nonsafety EIA-422 communications from the ALS-102 Boards "A" and "B" TXB1 channels: The TXB1 channels will be monitored during the ALS FAT to verify data protocol. The test will verify no inbound communications via the TXB1 channel to either ALS-102 Boards "A" or "B".
3. Unidirectional only nonsafety EIA-422 communications to the ALS MWS computer from the ALS-102 Boards "A" and "B" TXB2 channels: The TXB2 channels will be monitored during the ALS FAT to verify data protocol. The test will verify no inbound communications via the TXB2 channel to either ALS-102 Boards "A" or "B".
4. The ALS FAT configuration will include the MWS computer, KVMT switch, KVMT and media converters shown in Figure 1.


5. Bidirectional EIA-485 TAB communication between ALS Chassis "A" and Chassis "B" and ASU software running on the ALS MWS computer can take place only if the communication links are physically connected and enabled.

The test will verify there is no communication between the ALS chassis and the ASU if the communications cables are not physically connected and enabled.

SAT Plan Outline

1. The PG&E SAT will be performed on an integrated system, including the Tricon and ALS subsystems, MWS computers, port aggregator network tap, network switches, KVMT switch, KVMT and media converters shown in Figure 1.
2. The physical connection of the temperature channels from the ALS to the Tricon will be verified during the SAT.
3. The SAT will verify interfaces that cannot be tested at the Tricon or ALS FAT, including, in part, verification of information that is transmitted to the Gateway computer and the control board display.
4. Additional testing of communications between the Tricon and its MWS computer (including network failure) will be performed at the SAT.
5. The integrated system used for SAT will also be used to perform training and to develop and verify operational and maintenance procedures.

NRC RAI 7 (0118)

Document No. 993754-1-B02(P), Revision 1, "Pacific Gas & Electric Company, Nuclear Safety-Related Process Protection System Replacement, Diablo Canyon Power Plant, Software Verification and Validation Plan (SWP)," dated October 13, 2011, does not provide a clear explanation of how the Invensys SWP complies with Institute of Electrical and Electronics Engineers (IEEE) 1012-1998, "IEEE Standard for Software Verification and Validation." Please provide a cross-reference table that explains how the Invensys SWP implements the criteria of IEEE 1012-1998.

PG&E Response to RAI 7

Invensys Operations Management incorporated the IEEE-1012 compliance table in the Invensys Operations Management Document "993754-1-B02, Revision 2, Software Verification and Validation Plan," submitted in Attachment 9 to the Enclosure of PG&E Letter DCL-12-069, dated August 2, 2012 (ADAMS Accession No. ML12222A094).

NRC RAI 8 (0118)

The Westinghouse/ALS 6116-00000 Diablo Canyon PPS Management Plan does not provide a clear explanation of how the CSI SWP complies with IEEE 1012-1998. Please provide a cross-reference table that explains how the W/CSI SWP implements the criteria of IEEE 1012-1998.

PG&E Response to RAI 8

Westinghouse incorporated the IEEE-1012 compliance table in Appendix A, Table A-1, of the ALS V&V plan document 6116-00003, submitted in Attachment 7 to the Enclosure of PG&E Letter DCL-12-050, dated June 6, 2012 (ADAMS Accession No. ML12170A837).

NRC RAI 9 (0119)

Section 4.1.1, SSPS, of the LAR states, in part, that The SSPS evaluates the signals and performs RTS and ESFAS functions to mitigate Abnormal Operational Occurrences and Design Basis Events described in FSAR [26] Chapter 15.

However, Chapter 15 of the DCPP final safety analysis report (FSAR) does not use the terms Abnormal Operational Occurrences (AOOs) or Design Basis Events (DBE). Instead, the accident analysis in Chapter 15 identifies conditions as follows:

CONDITION I - NORMAL OPERATION AND OPERATIONAL TRANSIENTS
CONDITION II - FAULTS OF MODERATE FREQUENCY
CONDITION III - INFREQUENT FAULTS
CONDITION IV - LIMITING FAULTS

Please explain the correlation between the conditions described in FSAR Chapter 15 and the AOOs and DBEs described in the LAR.

PG&E Response to RAI 9

The AOOs are referred to as ANS Condition I "Operational Transients" in UFSAR Chapter 15 and are addressed in UFSAR Chapter 15.1. The design basis accidents are referred to as ANS Condition II "faults of moderate frequency," ANS Condition III "infrequent faults," and ANS Condition IV "limiting faults" and are addressed in UFSAR Chapters 15.2, 15.3, and 15.4, respectively.

NRC RAI 11 (01 23)

PPS Integration Testing - Refer to Section 4.2.13.1 of the LAR.

LAR Section 4.2.13.1, Tricon-Based PPS Equipment Communications, states, in part, that Figure 4-13 only shows one TCM [Tricon Communications Module] installed in the Tricon Main Chassis (Slot 7L), the PPS replacement will utilize two TCM cards in each main chassis (Slots 7L and 7-R). This will provide two non-safety-related communication paths to the MWS and the PPC [Plant Process Computer] Gateway Computer from each Protection Set to ensure continued communications if a single TCM fails.

The NetOptics Model PA-CU/PAD-CU PA-CU port aggregator network tap was approved previously by NRC for a similar application in the Oconee [Reactor Protection System (RPS) Safety Evaluation Report (SER)] Section 3.1.1.4.3 [18]. The NRC staff determined that due to the electrical isolation provided by use of fiber optic cables and the data isolation provided by the Port Tap and the Maintenance and Service Interface (MSI) in the Oconee RPS, there was reasonable assurance that a fault or failure within the Oconee Gateway computer or the Operator Aid Computer will not adversely affect the ability of the Oconee RPS to accomplish its safety functions.

During the SAT [site acceptance testing] PG&E will test the Protection Set communications paths illustrated in Figure 4-13 to verify that there is no inbound communications path associated with port aggregator network tap Port 1. That is, PG&E will verify that communications from Port 1 to either the TCM on Port A or the MWS on Port B of the port aggregator network tap are not permitted. Results of this test will be documented in the final System Verification and Validation Report. Port aggregator dual in-line package (DIP) switch positions will be controlled by DCPP configuration management processes.

In order for the NRC staff to approve the integrated configuration of the PPS, prior to shipment of the PPS equipment to the DCPP site, all communications paths will require testing on or before FAT, and before completion of the safety evaluation report (SER). This testing is typically completed during or before the PPS FAT; otherwise, the SER will not be completed until after the Site Acceptance Test (SAT). Please provide a test scheme and test plans or procedures that satisfy all regulatory requirements prior to or during the FAT. Otherwise, if this testing will be completed during the SAT, as stated in the LAR, please provide a detailed schedule and test plans (or procedures) for this testing so the NRC can revise its PPS LAR Review Plan accordingly.

PG&E Response to RAI 11

PG&E will perform the testing for the NetOptics Model PA-CU/PAD-CU PA-CU port aggregator network tap during the FAT performed for the Tricon V10. Invensys Operations Management Document "993754-1-813, Revision 1, Validation Test Plan," addresses testing of the NetOptics Network Aggregator Tap during the Tricon V10 FAT.

The testing of the NetOptics Network Aggregator Tap during the Tricon V10 FAT will be included in a supplement to LAR 11-07.

Additional information regarding FAT and SAT is provided in the response to RAI 6.

NRC RAI 12 (01 26)

The PG&E System Quality Assurance Plan (SyQAP) defines Supplier tasks that are related to assurance of software quality for each of the following phases of development:

  • Project Initiation and Planning
  • Conceptual Design
  • Requirements
  • Design
  • Implementation
  • Integration
  • Test

These phases do not align with the phases used in the ALS or Tricon development life cycles. For instance, the Tricon SQAP defines the phases as Requirements, Design, Implementation, and Test (Validation). Because of this, it is not clear how assurance of task completion can be accomplished. Please clarify under which Tricon phases those tasks listed under Integration, Initiation and Planning, and Conceptual Design would be performed. The ALS Software Quality Assurance Plan (SQAP) does not mention phases but the ALS Management plan defines the development phases as: Planning, Development, Manufacturing, System Test, and Installation.

Please provide a mapping of Phases defined in the SyQAP to the Phases of the ALS and Tricon system development processes so that the staff can correctly identify and confirm performance of these Quality Assurance tasks.

PG&E Response to RAI 12

PG&E will provide a mapping of Phases defined in the SyQAP to the phases of the ALS and Tricon system development processes in a revision to the SyQAP to be submitted by October 15, 2012.

NRC RAI 13 (0127 and 01 29)

Software Management Plan - LAR, Attachment 3, describes the project organization, roles, and responsibilities for the PPS replacement project.

Please describe the oversight activities that PG&E will perform during the PPS replacement project, as well as the interface between PG&E and Invensys and W/CSI, and the methodology to judge quality of the vendor effort.

PG&E Response to RAI 13

Oversight activities for the project were discussed in Section 4.2.11, Appendix B Compliance, of LAR 11-07, which discusses the DCPP Quality Assurance Program and Procurement Control Program.

In support of the oversight activities, PG&E issued a project specific "Quality Assurance Plan for the Diablo Canyon Process Protection System Replacement" (QAP) that defines the oversight activities to be performed, including technical audits, cyber security audits, and software quality assurance audits. The QAP was submitted in Attachment 1 to the Enclosure of PG&E Letter DCL-12-069, dated August 2, 2012 (ADAMS Accession No. ML12222A094).

Following the performance of the QAP audits, audit reports will be created and a QAP Audit Summary Report will be created. PG&E will submit the QAP Audit Summary Report to the staff at the time the vendor hardware is delivered to PG&E.

The vendor hardware is currently expected to be delivered to PG&E in Spring 2013.

The QAP audit reports will not be submitted but will be made available to the NRC staff for review.

NRC RAI 15 (01 31)

Software Quality Assurance Plan - The PG&E SyQAP has been approved by the PG&E Diablo PPS Upgrade Project Manager and the Altran Project lead; however, there are several other organizations that have responsibilities delineated in the SQAP. The managers of these organizations have not approved the SyQAP.

The following organizations are assigned roles and responsibilities within Section 3.4 of the SyQAP. Please explain the means by which these organizations have committed to comply with the requirements stated in the SyQAP.


  • Vendor IW Projects Managers
  • Engineer of Choice (EOC) Design Change Package Team
  • PG&E Project Engineering Team
  • QA Organization
  • Testing and Integration Team
  • V&V Organization

PG&E Response to RAI 15

The SyQAP will be revised to include approval by personnel responsible for the assigned roles and responsibilities within Section 3.4 of the SyQAP, and the revised SyQAP will be submitted by October 15, 2012.

NRC RAI 16 (0132)

LAR Section 4.2.7, Power Supply, describes how power is supplied to the PPS. From these descriptions, it is not clear to the NRC staff how these vital power sources are configured in relation to the 120V alternating current (AC) panels that feed the PPS. Please provide a simplified diagram to show the relationship between the 125V Batteries/Direct Current (DC) Buses, Battery Chargers, Inverters, and the 120V AC distribution Panels that supply power to the PPS.

PG&E Response to RAI 16

The following description clarifies the 120V vital instrument AC power supply to the PPS.

Safety-related 480 volts AC (VAC) from the vital AC motor control center (MCC) is fed to the uninterruptible power supply (UPS) and rectified. Rectifier output is fed to the inverter and converted to 120 VAC.

Safety-related vital DC bus power is fed to the UPS as the immediate backup supply. The vital DC bus is backed up by the safety-related 125 VDC vital station battery, which is charged from vital 480 VAC. Inverter output is fed through a static switch with an integral manual bypass switch to the vital instrument AC power distribution panels.

On loss of inverter output, the static switch will select the backup regulating transformer output (120 VAC) to the distribution panels. The backup regulating transformer receives input from the 480 VAC supply. The backup regulating transformer may be aligned via a transfer switch to either of two 480 VAC buses: the normal supply or an alternate supply. The alternate supply circuit breaker is normally open to prevent interconnection of redundant power supplies due to a failed transfer switch. The transfer switch may not be used under load. Refer to Figure 2 - Power Supply Block Diagram below for additional detail.

Figure 2 - Power Supply Block Diagram

[Diagram residue: block diagram showing the 125 VDC distribution panels SD11 (21), SD12 (22) and SD13 (23) and the UPS/inverters IY11 (21), IY14 (24) and IY13 (23), with their AC and DC inputs, transfer switches and normal (N) and alternate (A) bypass power flows, feeding the 120 VAC distribution panels that supply Protection Sets I, II, III and IV.]

Legend:
IY: UPS and DC-AC Inverter
PY: 120 VAC Distribution Panel
SD: 125 VDC Distribution Panel
TRY: 480 VAC/120 VAC Transformer and Regulator
Normal Power Flow (N)
Bypass (120 VAC)/Backup (125 VDC) Power Flow
Alternate Bypass Power Flow (A)

Unit 1 Component IDs are shown; Unit 2 Component IDs are in parentheses. For example, PY11 is Unit 1 Vital Instrument AC Distribution Panel 1; PY21 is Unit 2 Vital Instrument AC Distribution Panel 1.

NRC RAI 17 (01 07)

DI&C ISG-06, Revision 1, Enclosure B, Item 1.16, Design Analysis Reports:

The LAR does not appear to comply with the Standard Review Plan (SRP) (DI&C-ISG-04) regarding the connectivity of the MWS to the PPS. The TriStation V10 platform relies on software to effect the disconnection of the TriStation's capability to modify the safety system software. Based on the information provided in the Tricon V10 licensing topical report (LTR), the NRC staff determined that the Tricon V10 platform does not comply with the NRC guidance provided in DI&C-ISG-04, Staff Position 1, Point 10, hence the DCPP PPS configuration does not fully comply with this guidance.

In order for the NRC staff to accept this Tricon V10 keyswitch function as an acceptable alternative to this staff position, please provide the DCPP PPS specific system communications control configuration, including the operation of the keyswitch, the software affected by the keyswitch, and any testing performed on failures of the hardware and software associated with the keyswitch which demonstrates that failures of the keyswitch will not prevent the PPS safety protection sets from performing their safety function.

Information pertaining to the design of the ALS platform disconnect keyswitch is unclear to the NRC staff at this time since the ALS LTR review has not been completed. Therefore, please provide a detailed description of the ALS MWS disconnect/mode change keyswitch, including the operation of the keyswitch, the software/program execution affected by the keyswitch, and any testing performed on failures of the hardware and software associated with the keyswitch which demonstrates that failures of the keyswitch will not prevent the PPS safety protection sets from performing their safety function.

PG&E Response to RAI 17

Tricon

Summary information on the Tricon keyswitch is provided below, followed by detailed information on operation of the keyswitch, software execution provided by the keyswitch, and testing on the keyswitch.

Overview of the operation of the Tricon keyswitch

The operational mode change (OMC) keyswitch controls only the mode of the V10 Tricon 3008N Main Processors (MPs). In the RUN position the 3008N MPs ignore all commands from external devices, whether WRITE commands from external operator interfaces or program-related commands from TriStation (TS) 1131.

TS1131 contains function blocks that allow WRITE-access to a limited set of parameters programmed into the application software. However, without these function blocks programmed into the application program, neither the application program nor application program parameters can be modified with the OMC keyswitch in the RUN position. For the DCPP PPS replacement, the TS1131 is not used to change setpoints, and a PPS protection set is considered inoperable when the keyswitch is not in the RUN position.

The keyswitch is a four-position, three-ganged switch that allows the three MP modules to monitor the position of the switch independently. The Operating System Executive (ETSX) executing on the MP application processor monitors the position of the keyswitch. The three MPs vote the position of the keyswitch. The voted position of the keyswitch is available as a read-only system variable that can be monitored by the Triconex Software Application Program (TSAP). This allows alarming the keyswitch position when it is taken out of the RUN position. The TS1131 messages to and from the Tricon (i.e., ETSX executing on the MPs) are of a defined format. The TS1131 messages for control program (i.e., TSAP) changes - whether download of new control programs or modification of the executing control program - are uniquely identifiable. Such messages are received by ETSX and the appropriate response is provided depending upon, among other things, the position of the keyswitch. When a request from TS1131 is received by ETSX to download a new control program or modify the executing control program, ETSX accepts or rejects the request based on the voted keyswitch position. If the keyswitch is in RUN, all such messages are rejected. If the keyswitch is in PROGRAM, the Tricon is considered out of service and ETSX runs through the sequence of steps to download the new or modified control program, as appropriate.

There is no credible single failure on the V10 Tricon that would allow the safety-related application program to be inadvertently programmed (e.g., as a result of unexpected operation of the connected computer with TS1131 installed on it).

Detailed description of the operation of the Tricon keyswitch

The information contained below on the operation of the Tricon keyswitch is contained in Invensys Operations Management document 9600164-531, "Tricon V10 Failure Modes and Effects Analysis," Revision 1.2, which references Invensys Operations Management document 7286-545-1-A, "V10 Triconex Approved Topical Report."

A keyswitch on the main chassis selects the operating mode of the Tricon. The keyswitch is implemented with a three-gang switch and each gang is connected to one of the Tricon 3008N MPs:

[Diagram residue: the keyswitch on the Tricon chassis, wired through the backplane cable bus to the three Main Processors.]

The values are read by each of the main processors as a two bit value based on position as follows:

Position   Value
Stop       0
Program    1
Run        2
Remote     3

The keyswitch position is voted among the three MPs and the voted value is used to perform keyswitch functions. The Tricon application program has access to the voted keyswitch position and can perform a specified action depending on the position of the keyswitch. For example, the PPS Replacement Application Program is designed to provide an alarm output to the Main Annunciator System when the keyswitch position is not in RUN.

The keyswitch is designed to mitigate any single hardware fault. If one of the gangs on the keyswitch fails or the inputs to the MPs fail, it only affects the MP that is attached to that gang. The other two MPs will continue to receive good input values and out vote the MP with the bad input(s). This protects against any single fault in the physical keyswitch or on the MP.

The MP is responsible for handling commands from external devices (i.e., the MWS for the PPS Replacement) through the Tricon Communication Module. The software function, or the software "handler," inside the MP validates that the keyswitch is in the correct position before executing a command from the external device.

The required keyswitch setting for a subset of the categories of commands is as follows:

Command Category                 Required Key Switch Setting
Application Changes              Program
Writes of Point Values           Remote or Program
Reads of Point Values            Any
Disabling of Points              Program
Read of Maintenance Information  Any

The MP checks whether the keyswitch is in the correct position before processing any command as depicted below:

[Flowchart residue: Receive Command, then Vote Command, then "Is the keyswitch in the required position?" No: Reject Command; Yes: Process Command.]

The implementation in the MP firmware prevents any command from being executed when the keyswitch is not in the correct position. Below is an example of the code for halting the execution of the application:

    GLOBAL void haltProgram (int connNum)
    {
        /*
         * Make sure the key switch is in a position that allows this command.
         */
        if (! KEY_PROGRAM) {                            /* voted keyswitch position is not PROGRAM */
            reject (WRONG_KEY_SETTING, connNum);
            return;
        }

        my_diagbuf.rll_status.cpRunState = CP_HALTED;   /* Note that we are halted. */
        respond (PROGRAM_HALTED, connNum);              /* Respond to the TRISTATION */
        return;
    }

Every command has an appropriate check for the keyswitch position at the beginning of the function. For the above example, the STOP position of the keyswitch stops reading inputs, forces nonretentive digital and analog outputs to 0, and halts the application program. Retentive outputs remain at the value they had before the keyswitch was turned to STOP.

TS1131 is configured during development to prevent the application from halting when the keyswitch is turned to STOP. A property named "Disable Stop on Keyswitch" determines whether the STOP position is disabled, as shown in the following graphic:

[Screenshot residue: TriStation 1131 Operating Parameters dialog (Controller tree > Configuration > Operating Parameters) for Target System Version Tricon v10.x with 3008 Main Processors, showing the Password Required for Connection field and the Disable Stop on Keyswitch, Disable Remote Changes to Outputs, Allow Disabling of Points and Enable Tricon Node Time Synchronization checkboxes.]

If the checkbox is selected, setting the keyswitch to STOP does not halt the application. If not selected, then setting the keyswitch to STOP does halt the application. The checkbox is selected by default. It is important to note that the default setting is used for the DCPP PPS replacement, which means turning the keyswitch to STOP will not halt the application program.

Software Affected by the Keyswitch

The keyswitch affects the firmware and application program executing on the MPs, commands from TS1131 software, and access by external devices (via the TCM):

The keyswitch must be in the PROGRAM position to accept commands from TS1131 to allow modifying the application program executing on the MPs. The keyswitch must be in the PROGRAM position or the REMOTE position to allow writing of points by an external device, except as permitted by the GATENB function described below.

The software executing on each MP includes the system executive firmware and the application program, as shown in the diagrams below:

[Diagram residue: in the PROGRAM position, the TriStation PC sends Download change, Download all, Halt, Pause, Run, Step, Disable point and Set value commands through the TCM over the Comm Bus to the MPs; in the PROGRAM or REMOTE position, a network client may write points. The Tricon MP block shows the Application Program with the TR_SCAN_STATUS, TR_SHUTDOWN, GATENB and GATDIS function blocks, and the System Executive Firmware with Vote Keyswitch, Fault Analysis, Command Execution and Diagnostic Status.]

The firmware includes keyswitch voting, fault analysis, command execution, and a diagnostic status structure. The application can call function blocks affected by the keyswitch.

Vote Keyswitch - Keyswitch voting starts when the keyswitch values have stopped changing for three seconds. If all voting legs agree on one value, the voted value is the agreed value. For a single failure, if one leg disagrees, that leg is reset, failed, and taken out of the voting. For multiple failures, if all voting legs mismatch, then an error message is logged without reset, and the voted value is 0 (STOP). When the voted value changes to STOP, if key stop is enabled, then the application program is halted, otherwise the change is logged.

Fault Analysis - Resets the MP for a single failure, logs keyswitch errors, and logs changes in keyswitch position.

Command Execution - The firmware executes commands depending on the voted position of the keyswitch, as explained in the previous section on "Keyswitch Operation."

Diagnostic Status - Diagnostic status is a data structure with a keyswitch member that holds the voted keyswitch position. The keyswitch member is a system variable that can be read (i.e., a read-only value) by an external device or by a TR_SCAN_STATUS function block in the application program.
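The keyswitch voting and command gating just described (the position table and the required-setting table above, the Vote Keyswitch rules, and the GATENB exception), as an added illustration in C that is not Invensys firmware and not taken from any Tricon document: three legs are voted only once their values have stopped changing, a single disagreeing leg is failed and dropped from the vote, an all-legs mismatch votes STOP, and each command category is checked against the voted position. All names, the sample-count debounce standing in for the three-second settling time, and the scenario inputs are assumptions made here.

```c
/* Added illustration, not Invensys firmware: a model of the 2-out-of-3 keyswitch vote and the
 * per-command keyswitch check described above; names, debounce and inputs are assumptions. */
#include <stdbool.h>

enum key_pos { KEY_STOP = 0, KEY_PROGRAM = 1, KEY_RUN = 2, KEY_REMOTE = 3 };  /* table above */
enum cmd_cat { CMD_APPLICATION_CHANGE, CMD_WRITE_POINT, CMD_READ_POINT,
               CMD_DISABLE_POINT, CMD_READ_MAINTENANCE };                     /* table above */

#define NUM_LEGS 3
#define STABLE_SAMPLES 3   /* assumption: stands in for "unchanged for three seconds" */

struct voter_state {
    int  last[NUM_LEGS];     /* last value sampled on each keyswitch gang (leg) */
    bool failed[NUM_LEGS];   /* leg dropped from the vote after a single-leg disagreement */
    int  stable;             /* consecutive samples with no change on any leg */
    int  voted;              /* voted position (read-only to the application) */
    int  mismatch_errors;    /* "all legs disagree" events logged */
    bool key_stop_enabled;   /* false models the default "Disable Stop on Keyswitch" */
    bool halted;             /* application halted by a voted STOP */
};

void voter_init(struct voter_state *v, bool key_stop_enabled) {
    for (int i = 0; i < NUM_LEGS; i++) { v->last[i] = -1; v->failed[i] = false; }
    v->stable = 0; v->voted = KEY_STOP; v->mismatch_errors = 0;
    v->key_stop_enabled = key_stop_enabled; v->halted = false;
}

static void take_vote(struct voter_state *v) {
    int idx[NUM_LEGS], active = 0, best = -1, best_count = 0;
    for (int i = 0; i < NUM_LEGS; i++) if (!v->failed[i]) idx[active++] = i;
    /* Find the value shared by the largest number of active legs. */
    for (int a = 0; a < active; a++) {
        int count = 0;
        for (int b = 0; b < active; b++) if (v->last[idx[b]] == v->last[idx[a]]) count++;
        if (count > best_count) { best_count = count; best = idx[a]; }
    }
    if (active > 0 && best_count == active) {
        v->voted = v->last[best];                       /* all legs agree */
    } else if (active == NUM_LEGS && best_count == NUM_LEGS - 1) {
        /* single failure: the disagreeing leg is failed and removed from voting */
        for (int a = 0; a < active; a++)
            if (v->last[idx[a]] != v->last[best]) v->failed[idx[a]] = true;
        v->voted = v->last[best];
    } else {
        v->mismatch_errors++;                           /* logged without reset */
        v->voted = KEY_STOP;
    }
    if (v->voted == KEY_STOP && v->key_stop_enabled) v->halted = true;
}

/* Feed one sample of the three legs. A vote is taken only after the inputs have been
 * unchanged for STABLE_SAMPLES samples; returns true when a vote was taken. */
bool voter_sample(struct voter_state *v, const int legs[NUM_LEGS]) {
    bool changed = false;
    for (int i = 0; i < NUM_LEGS; i++)
        if (legs[i] != v->last[i]) { changed = true; v->last[i] = legs[i]; }
    if (changed) { v->stable = 1; return false; }
    if (v->stable < STABLE_SAMPLES) v->stable++;
    if (v->stable < STABLE_SAMPLES) return false;
    take_vote(v);
    return true;
}

/* Required keyswitch setting per command category; gate_enabled models a GATENB
 * window that permits point writes even with the keyswitch in RUN. */
bool key_permits(enum cmd_cat cat, int key, bool gate_enabled) {
    switch (cat) {
    case CMD_APPLICATION_CHANGE: return key == KEY_PROGRAM;
    case CMD_DISABLE_POINT:      return key == KEY_PROGRAM;
    case CMD_WRITE_POINT:        return key == KEY_PROGRAM || key == KEY_REMOTE || gate_enabled;
    case CMD_READ_POINT:
    case CMD_READ_MAINTENANCE:   return true;
    }
    return false;
}

/* Hold one input vector until exactly one vote is taken; returns the voted value. */
int settle(struct voter_state *v, int a, int b, int c) {
    int legs[NUM_LEGS] = { a, b, c };
    for (int i = 0; i < STABLE_SAMPLES; i++) voter_sample(v, legs);
    return v->voted;
}

/* Constructed scenarios; each returns 1 when the modelled behaviour holds. */
int scenario_run_blocks_program_change(void) {
    struct voter_state v; voter_init(&v, false);
    int key = settle(&v, KEY_RUN, KEY_RUN, KEY_RUN);
    return key == KEY_RUN && !key_permits(CMD_APPLICATION_CHANGE, key, false) && key_permits(CMD_READ_POINT, key, false);
}
int scenario_single_leg_fault_outvoted(void) {
    struct voter_state v; voter_init(&v, false);
    int key = settle(&v, KEY_PROGRAM, KEY_RUN, KEY_RUN);  /* gang 1 reads a bad value */
    return key == KEY_RUN && v.failed[0] && !v.failed[1] && !v.failed[2];
}
int scenario_all_legs_mismatch(void) {
    struct voter_state v; voter_init(&v, false);          /* DCPP default: key stop disabled */
    int key = settle(&v, KEY_RUN, KEY_PROGRAM, KEY_REMOTE);
    return key == KEY_STOP && v.mismatch_errors == 1 && !v.halted;
}
```

The third scenario shows why the DCPP default matters: an all-legs mismatch votes STOP, but with stop-on-keyswitch disabled the application keeps running and the event is only logged.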

An application can call any of the following four function blocks:

TR_SCAN_STATUS - The KEYSWITCH output provides the keyswitch position.

TR_SHUTDOWN - Provides ALARM_PROGRAMMING_PERMITTED and ALARM_REMOTE_ACCESS outputs that can be used to alert an operator as described in the V10 Tricon Topical Report. The Tricon is designed so that an application program output can be provided to activate an annunciator window in the control room when the keyswitch is not in the RUN position.

The TR_SHUTDOWN function block is not used in the DCPP PPS replacement.

GATENB and GATDIS - Can be used to temporarily allow writes to specified points even when the keyswitch is in the RUN position. The GATENB and GATDIS function blocks are used in the DCPP PPS replacement On-Line Maintenance and Test feature for adjusting tunable parameters and modifying setpoints.

Keyswitch Tests

The Tricon System Functional Validation, Invensys Operations Management document 9600158-002, tests the enable and disable of commands by the keyswitch. The Tricon System Test Procedure, document 9600127-004, includes the following tests:

o Stopping and starting the application - turning active LEDs on and off.

o Ability to disable points.

o Disable of the STOP position of the keyswitch.

o RUN mode inhibits the ability to:

  • Disable variables
  • Change variable values
  • Download change
  • Halt
  • Download All
  • Change clock/calendar
  • Other commands in the command menu

o REMOTE mode inhibits commands similarly to RUN mode.

o Test the ALARM_PROGRAMMING_PERMITTED and ALARM_REMOTE_ACCESS outputs of the TR_SHUTDOWN function block.

o Operation of the GATENB and GATDIS function blocks.

o Test the KEYSWITCH output of the TR_SCAN_STATUS function block.

The analysis of the failure modes (i.e., list of failures, their severity, and potential impact) of the keyswitch is contained in Invensys Operations Management document 9600164-531, "Tricon V10 Failure Modes and Effects Analysis," Revision 1.2. The effects of failures in the V10 Tricon portion of the PPS Replacement will be evaluated in the Invensys Operations Management document 993754-1-811, "Failure Modes and Effects Analysis," to be submitted to the NRC in October 2012. Additionally, Invensys Operations Management will support the staff's review of the hardware and software associated with the OMC keyswitch by making all of the technical data available for audit.

ALS

Description of ALS MWS TAB Disconnect

Each ALS PPS rack within a protection set provides one bidirectional communication link named the TAB for the purpose of performing surveillance testing, calibration, and parameter updates. Activation of the TAB communication link is monitored by the ALS subsystem and administratively controlled through physically disconnecting the communication link when the TAB is not in use. The TAB is connected infrequently under procedural control by trained personnel, and only when required during surveillance testing, maintenance, and trouble-shooting.

Operation of the TAB Disconnect

The ALS subsystem of the DCPP PPS replacement will not use a keyswitch to enable and disable external TAB communications. The TAB communications are enabled by physically connecting the RS-485 data link from the ALS chassis to the MWS computer when necessary for surveillance testing, maintenance, or trouble-shooting. External TAB communications are disabled by physically disconnecting the data link between the ALS and the MWS computer when not in use. When the data link is disconnected, there is no TAB communication between the ALS and the MWS computer and the bus is electrically disconnected. TAB communication between the MWS and the ALS can only occur when the TAB communication link between the ALS chassis and the MWS computer is physically connected.

Software Affected by the TAB Disconnect

The TAB communication link is continuously monitored by the ALS subsystem and the ALS generates a system level trouble alarm whenever TAB communications with an external device (i.e., the MWS computer) are enabled by physical connection of the TAB data link.

Changes to process values contained in ALS nonvolatile memory and the calibration of ALS analog inputs and outputs can only be performed when the TAB data link is physically connected and when the ALS detects that the TAB data link has been connected to the MWS computer.

The ALS-102 Core Logic Board (CLB) contains logic that blocks safety-channel bypasses from occurring if the TAB is not enabled.

The ALS generates a system level failure alarm if any ALS I/O reports that its bypassed state has changed from a nonbypassed state to a bypassed state, or if an ALS-102 logic bypass register reports that a change has occurred from a nonbypassed state to a bypassed state for any partial trip logic comparator output, if the TAB is not enabled.

Testing Performed on Failures of the TAB Disconnect

The activation of the TAB via connecting the TAB data link to the MWS computer does not interfere with the ability of the ALS safety channels to perform their respective safety function, and the ALS is still operable during activation of the TAB.

Therefore, individual instrument loops may be placed in bypass for maintenance and the rest of the ALS safety channel is still operable with respect to its safety function.

There is no software associated with physically connecting or disconnecting the TAB data link.

The ALS Reliability and Failure Modes and Effects Analysis (FMEA) document for the PPS replacement is CS Innovations Document "6116-00029, Revision 1, Diablo Canyon PPS ALS Reliability Analysis and FMEA," which was submitted in 1 to the Enclosure of PG&E Letter DCL-12-050, dated June 6, 2012 (ADAMS Accession No. ML12170A837). The Diablo Canyon PPS ALS Reliability Analysis and FMEA document includes Table 4-10, "Operational Hazards Related to Maintenance Errors." This table does not specifically call out a hazard for a keyswitch failure, but one hazard evaluated encompasses the safety-significant failure mode of the keyswitch failing such that the ASU remains connected to the ALS chassis. The hazard "TAB enable keyswitch left in inappropriate position" encompasses this hazard, as well as if the TAB data link is left connected inadvertently.

NRC RAI 18

The Tricon V10 system OMC keyswitch changes operational modes of the 300BN Main Processors (MPs) and enables the TriStation 1131 personal computer (PC) to change parameters, software algorithms, etc., related to the application program of the safety channel without the channel or division being in bypass or in trip. As stated in Section 3.1.3.2 of the Tricon V10 SER, the TriStation 1131 PC should not normally be connected while the Tricon V10 is operational and performing safety critical functions. However, it is physically possible for the TriStation PC to be connected at all times, and this should be strictly controlled via administrative controls (e.g., place the respective channel out of service while changing the software, parameters, etc.). The LAR does not mention any administrative controls such as this to control the operation of the OMC (operational mode change) keyswitch.

However, in PG&E letter DCL-12-030 dated April 2, 2012 (ADAMS Accession No. ML12094A072), the licensee stated that connection of the TriStation will be controlled under administrative controls (password protection, key control, etc.) and that the affected PPS channel will procedurally be placed out of service any time the Tricon keyswitch is not in the RUN position. PG&E further committed to provide a detailed failure mode and effects analysis (FMEA) of the TriStation 1131 PC system to ascertain the potential effects this non-safety PC may have on the execution of the safety application program/operability of the PPS channel while the non-safety TriStation 1131 PC is permanently attached to the safety-related Tricon V10 system (with the OMC keyswitch in RUN position). Please ensure the TriStation and ALS FMEA addresses this matter so that the NRC staff can determine that the DCPP PPS complies with the NRC Staff Guidance provided in Staff Position 1, Point 11.

PG&E Response to RAI 18

The V10 Tricon FMEA is available in Invensys Operations Management document 9600164-531, "Tricon V10 Failure Modes and Effects Analysis," Revision 1.2. The FMEA is for the V10 Tricon platform and was included in the V10 Tricon safety evaluation (ADAMS Accession No. ML12158A403).

For the PPS Replacement Project, an application-specific FMEA will be documented in Invensys Operations Management project document 993754-1-811, "Failure Modes and Effects Analysis," to be submitted to the NRC in October 2012. The focus will be on the effects of internal and interface (e.g., transmitter inputs, TCM data communications) failures of the V10 Tricon portion of the PPS replacement within the context of the Process Protection System application. The analysis will address the interface between the V10 Tricon and the nonsafety PC with TS1131 installed. The analysis will assume a single failure of the safety system in the presence of all nondetectable failures with a worst-case failure scenario of the connected nonsafety PC and determine the effect on the V10 Tricon portion of the PPS replacement.

The statement made in PG&E Letter DCL-12-030, dated April 2, 2012 (ADAMS Accession No. ML12094A072), that connection of the TriStation will be controlled under administrative controls (password protection, key control, etc) and that the affected PPS channel will procedurally be placed out of service any time the Tricon keyswitch is not in the RUN position, applies to the OMC keyswitch.

ALS

The failure modes for the TAB data link are either enabled when it should be disabled, or disabled when it should be enabled. In the case of it being disabled when it should be enabled, this failure mode prevents the user of the ASU from having access to the ALS chassis and thus there is no direct challenge to the safety function in this failure mode. In the case of it being enabled when it should be disabled, the ALS chassis generates an ALS Communication Enable alarm status signal to alert operations that the TAB data link between the ASU and the ALS chassis is enabled. FMEA information for failure to disable the TAB communication link to the ASU is contained in the response to RAI 17.

NRC RAI 19 (01 01) [ISG-06 Enclosure B, Item 1.3] Deterministic Nature of Software

The DCPP specific application should identify the board access sequence and provide corresponding analysis associated with digital response time performance. This analysis should be of sufficient detail to enable the NRC staff to determine that the logic cycle:

a. has been implemented in conformance with the ALS Topical Report design basis,
b. is deterministic, and
c. the response time is derived from plant safety analysis performance requirements and in full consideration of communication errors that have been observed during equipment qualification.

As stated in the LAR, information pertaining to response time performance will be submitted as a Phase 2 document. The NRC staff has received the digital response time calculation for the Tricon V10 portion of the PPS (Document No. 993754 817(P), Revision 1, "Pacific Gas & Electric Company, Nuclear Safety-Related Process Protection System Replacement, Diablo Canyon Power Plant, Maximum TSAP Scan Time," dated April 9, 2012).

However, the NRC staff has not yet received a similar calculation to predict the digital response time for the ALS platform. Please provide this calculation addressing the above subject matter accordingly.

PG&E Response to RAI 19

ALS

Diablo Canyon PPS document 6116-00011, "ALS System Design Specification," Section 7.5, identifies the ALS board access sequence and provides an analysis associated with digital response time performance.

The Diablo Canyon PPS ALS system is configured in accordance with the qualification requirements of the ALS platform topical report. The analysis in Diablo Canyon PPS document 6116-00011, "ALS System Design Specification," Section 7, describes a logic cycle that is deterministic. The requirements for the response time of the PPS processing instrumentation (from input conditioner to conditioned output signal) are specified as not to exceed 0.409 seconds in Section 3.2.1.10 of the "Diablo Canyon Power Plant Units 1 and 2 Process Protection System Replacement Functional Requirements Specification (FRS)," Revision 4, submitted as an attachment to the LAR. In Section 1.5.8 of the "Diablo Canyon Power Plant Units 1 and 2 Process Protection System Replacement Interface Requirements Specification (IRS)," Revision 4, submitted as Attachment 8 of the LAR, the 0.409 seconds PPS processing instrumentation response time is allocated between the ALS and Tricon as follows:

ALS: 175 ms for RTD processing
Tricon: 200 ms
Contingency: 34 ms

The 0.409 seconds PPS processing instrumentation value is the same as the value that is currently allocated to PPS processing instrumentation. As long as the 0.409 second PPS processing instrumentation value is not exceeded, the total response time values assumed in the plant safety analyses contained in UFSAR Table 15.1-2 will not be exceeded.

Table 7-4 in Diablo Canyon PPS document 6116-00011 summarizes the calculated response times and their comparison to either the 175 ms budget for RTD processing to the Tricon or the 409 ms budget for direct output. To follow the calculation from ALS input to ALS output, Figure 7-1 is used to determine the appropriate signal path and delay times to be summed.

For instance, for the first entry in Table 7-4, "RCS Flow," the input type is designated as ALS-321 and the output type is designated as ALS-402. The Maximum Response Time is shown as "< 307 ms" and this can be compared to the allocated budget of 409 ms in the Allocated Time column. To verify the "< 307 ms" figure, the correct signal path in Figure 7-1 is selected. For this example, the third signal path down is selected, which has an ALS-321 analog input on the left and an ALS-402 digital output on the right. With this particular signal path, the intermediate delays are summed:

ALS-321 Filtering (250 ms) + RAB Transaction (1 ms) + ALS-102 CLB Processing (15 ms) + RAB Transaction (1 ms) + ALS-402 Output (40 ms) = 307 ms.
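The budget check that the hand summation above performs, as an added example that is not part of document 6116-00011 or the IRS: it encodes the 0.409 s allocation and the RCS Flow path exactly as quoted in the response and generalises the summation to any Figure 7-1 path given as (stage, delay) pairs, so every Table 7-4 entry can be checked the same way. The constant and function names are assumptions, and the second path is a constructed over-budget case included only to show how a failing channel is reported.

```python
"""Response-time budget check for the Figure 7-1 signal-path summation.

Added example, not from document 6116-00011 or the IRS. Names are assumptions;
the RCS Flow delays and the 409/175/200/34 ms figures are the page's own values.
"""

PPS_BUDGET_MS = 409                       # FRS Section 3.2.1.10 requirement
ALLOCATION_MS = {                         # IRS Section 1.5.8 allocation
    "ALS (RTD processing)": 175,
    "Tricon": 200,
    "Contingency": 34,
}

# RCS Flow, Table 7-4 first entry: ALS-321 analog input -> ALS-402 digital output.
RCS_FLOW_PATH = [
    ("ALS-321 Filtering", 250),
    ("RAB Transaction", 1),
    ("ALS-102 CLB Processing", 15),
    ("RAB Transaction", 1),
    ("ALS-402 Output", 40),
]

# Constructed example (not from the page): an RTD path that overruns its 175 ms budget.
CONSTRUCTED_RTD_PATH = [
    ("Constructed RTD input filtering", 150),
    ("RAB Transaction", 1),
    ("ALS-102 CLB Processing", 15),
    ("RAB Transaction", 1),
    ("Constructed analog output", 20),
]


def allocation_is_consistent() -> bool:
    """The IRS allocation must account for exactly the 409 ms FRS requirement."""
    return sum(ALLOCATION_MS.values()) == PPS_BUDGET_MS


def path_response_ms(path) -> int:
    """Worst-case response time: the sum of the delays along one Figure 7-1 path."""
    return sum(delay_ms for _, delay_ms in path)


def check_path(channel: str, path, budget_ms: int) -> dict:
    """Compare a path's summed delay to its allocated budget and report the margin."""
    total = path_response_ms(path)
    return {
        "channel": channel,
        "total_ms": total,
        "budget_ms": budget_ms,
        "margin_ms": budget_ms - total,
        "within_budget": total <= budget_ms,
    }


def check_all() -> list:
    """Run the check over every path; a reviewer wants any overrun flagged, not averaged."""
    return [
        check_path("RCS Flow", RCS_FLOW_PATH, PPS_BUDGET_MS),
        check_path("Constructed RTD channel", CONSTRUCTED_RTD_PATH,
                   ALLOCATION_MS["ALS (RTD processing)"]),
    ]


if __name__ == "__main__":
    print("allocation consistent:", allocation_is_consistent())
    for result in check_all():
        status = "OK  " if result["within_budget"] else "FAIL"
        print(f"{status} {result['channel']}: {result['total_ms']} ms "
              f"vs {result['budget_ms']} ms (margin {result['margin_ms']} ms)")
```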

The ALS response time will be verified as part of the FAT and the results will be included in the FAT summary report to be submitted by December 31, 2012.

Tricon

Invensys Operations Management provided detailed information on the deterministic operation of the V10 Tricon in Invensys Letter No. NRC V10-11-001, dated January 5, 2011. In support of the V10 Tricon safety evaluation, Invensys Operations Management submitted document 9600164-731, "Maximum Response Time Calculations," describing the worst-case response time for the V10 Tricon Qualification System. Included in document 9600164-731 are the standard equations for calculating worst-case response time of a given V10 Tricon configuration. The time response calculation for the V10 Tricon PPS replacement architecture was submitted on April 30, 2012. The System Response Time Confirmation Report, 993754-1-818, will be submitted to the staff as part of the ISG-06, Phase 2, submittals at the completion of factory acceptance testing of the V10 Tricon PPS replacement.

The Tricon response time will be verified as part of the FAT and the results will be included in the FAT summary report.

NRC RAI 20 (01 34) (Software Integration Plans)

The integration planning documentation referenced in LAR Section 4.5.4, Software Integration Plan (Section D.4.4.1.4 of DI&C-ISG-06), does not include integration of the two subsystems (ALS integrated with Tricon). Please provide additional documentation to describe how system integration is to be accomplished for the Tricon/ALS PPS combined system.

PG&E Response to RAI 20

To address the staff issues on testing of the fully integrated PPS replacement configuration in RAIs 6 and 20, PG&E has decided to revise the PPS replacement design to use separate MWSs for the ALS and the Tricon subsystems for each protection set. This design change will provide separation of the MWSs and software for the ALS and the Tricon subsystems.

The MWSs for the ALS and the Tricon subsystems will be connected to a KVMT switch. The KVMT switch will be included in the FAT test procedures for the ALS and the Tricon subsystems as described in the response to RAI 6.

A supplement to LAR 11-07 to reflect the change to the PPS replacement design to use separate MWSs for the ALS and the Tricon subsystems will be submitted.


Enclosure Attachment 1 PG&E Letter DCL-12-083 Regulatory Commitments

Commitment 1:

The PPS replacement design is being implemented to use separate MWS computers for the ALS and the Tricon subsystems, and to administratively control the ALS subsystem by physically disconnecting the communication link when the TAB is not being used for surveillance testing, maintenance, and trouble-shooting. This PPS replacement design change will be included in a supplement to LAR 11-07 to be submitted by November 30, 2012.

Commitment 2:

PG&E will respond to the ALS ASAIs when they are issued as part of the NRC SER for the ALS Topical Report.

Commitment 3:

PG&E will address the Tricon V10 Safety Evaluation ASAIs in a submittal by December 1, 2012.

Commitment 4:

The Neutron Flux signal, that provides input to the OTDT RT and the OPDT RT, will be added to the LAR 11-07 Section 4.2 Table 4-2 in the LAR supplement.

Commitment 5:

CS Innovations is developing the ISG-04 compliance matrix table for the ALS platform and PG&E will submit the table by October 15, 2012.

Commitment 6:

The resistance to mA conversion will be tested at the ALS FAT to verify that all requirements specified for converting the resistance to current are met. The Tricon FAT will test these channels by injecting the corresponding 4 to 20 mA signals into the Tricon and verifying that all requirements specified for the temperature channels are met.


Commitment 7:

After the FAT, the equipment will be shipped to DCPP and then both systems will be integrated to perform the SAT, which will test the analog interface directly along with other interfaces that cannot be tested at the FAT.

Commitment 8:

The ALS communications with its dedicated MWS computer are via the unidirectional TXB2 communication links from the ALS-102 boards. The unidirectional nature of the links will be verified at the FAT.

Commitment 9:

Continued Multicast operation in the event of MWS failure will be verified at FAT.

Commitment 10:

The ALS FAT will verify that the TAB, when enabled, does not interfere with ALS logic processing.

Commitment 11:

The ALS FAT will verify that individual ALS outputs may be bypassed and controlled and individual ALS I/O may be calibrated without affecting adjacent nonbypassed safety channels.

Commitment 12:

For the Tricon and ALS FAT, PG&E will provide the MWS computer, port aggregator network tap, network switches, KVMT switch, KVMT and media converters as needed to test the complete interface between the MWS and the Tricon.

Commitment 13:

The Tricon FAT will be performed on all four protection sets. Each protection set will be integrated with all equipment necessary to support the FAT.


Commitment 14:

The functionality of the Tricon MWS computer will be tested during the FAT to verify requirements specified in the PPS replacement Functional and Interface Requirements Specifications and the Tricon System Requirements Specification.

Commitment 15:

The FAT will verify correct two-way data communications between the Tricon and the MWS through Ports A and B of the port aggregator.

Commitment 16:

The FAT will verify that there is no inbound communication path from the network port aggregator tap Port 1 to either Port A or Port B.

Commitment 17:

The Tricon FAT will verify operation of the KVMT switch.

Commitment 18:

PG&E will provide an MWS computer for the ALS FAT.

Commitment 19:

The communications from both TxB1 and TxB2 one-way RS-422 Ports will be tested to verify all specified data is being transmitted correctly.

Commitment 20:

The MWS data display application will be running to display the read only parameters.

The ASU software running on the MWS will be tested during the FAT to verify its functionality and to identify any interactions between the ALS ASU software, the ALS MWS data display application, and/or the ALS MWS operating system.

Commitment 21:

The two-way EIA-485 TAB Port will be tested by physically connecting and disconnecting the TAB interface cable to verify the ability to isolate the MWS from the ALS, to update specified ALS parameters, and to perform trouble-shooting and diagnostic tasks.


Commitment 22:

The FAT will be performed on each protection set configuration, including power supplies, the ALS MWS computer, and all associated equipment that supports the safety function for the specific protection set. That is, Protection Set 1 will be configured and tested with all the associated sensor inputs and appropriate loads on the digital and analog outputs. Upon completion of testing, the equipment will be reconfigured as Protection Set 2 and tested. The same process will be used for Protection Sets 3 and 4.

Commitment 23:

The physical connection of the temperature channels from the ALS to the Tricon will be verified during the SAT.

Commitment 24:

The Tricon FAT will test all specified safety-related functions and will also test the following interfaces:

Safety-related 4 to 20 mA DC analog temperature input signals from ALS; these signals will be generated by a loop simulator or equivalent test equipment.

The FAT will verify bidirectional nonsafety NET2-Port communications from Tricon TCM 1 and TCM2 to the Tricon MWS through the two Ethernet media converters, and Ports A and B of the two port aggregator network taps.

The FAT will verify continued Multicast transmission from TCM1 and TCM2 in the event of MWS network communication failure.

The Tricon FAT configuration will include the MWS computers, port aggregator network tap, network switches, KVMT switch, and KVMT and media converters shown in Figure 1.

The FAT will verify no inbound communication path from Port 1 of the port aggregator network tap to either Port A or Port B exists, as previously stated in Section 4.2.13.1 of LAR 11-07.

Commitment 25:

The ALS FAT will test all specified safety-related functions and will also test the following interfaces:


Safety-related 4 to 20 mA DC analog temperature output signals to Tricon: This interface will be monitored by external equipment to verify conversion and scaling.

The ALS analog temperature output channels will be terminated with 250 ohm resistors to simulate the Triconex ETA panel. Voltage across the resistors will be measured to verify analog output function.

Unidirectional only nonsafety EIA-422 communications from the ALS-102 Boards "A" and "B" TXB1 channels: The TXB1 channels will be monitored during the ALS FAT to verify data protocol. The test will verify no inbound communications via the TXB1 channel to either ALS-102 Boards "A" or "B".

Unidirectional only nonsafety EIA-422 communications to the ALS MWS computer from the ALS-102 Boards "A" and "B" TXB2 channels: The TXB2 channels will be monitored during ALS FAT to verify data protocol. The test will verify no inbound communications via the TXB2 channel to either ALS-102 Boards "A" or "B".

The ALS FAT configuration will include the MWS computer, KVMT switch, KVMT and media converters shown in Figure 1.

Bidirectional EIA-485 TAB communication between ALS Chassis "A" and Chassis "B" and ASU software running on the ALS MWS computer can take place only if the communication links are physically connected and enabled. The test will verify there is no communication between the ALS chassis and the ASU if the communications cables are not physically connected and enabled.

Commitment 26:

SAT Plan Outline

The PG&E SAT will be performed on an integrated system, including the Tricon and ALS subsystems, MWS computers, port aggregator network tap, network switches, KVMT switch, KVMT and media converters shown in Figure 1.

The physical connection of the temperature channels from the ALS to the Tricon will be verified during the SAT.

The SAT will verify interfaces that cannot be tested at the Tricon or ALS FAT, including, in part, verification of information that is transmitted to the Gateway computer and the control board display.

Additional testing of communications between the Tricon and its MWS computer (including network failure) will be performed at the SAT.

The integrated system used for SAT will also be used to perform training and to develop and verify operational and maintenance procedures.


Commitment 27:

The testing of the NetOptics Network Aggregator Tap during the Tricon V10 FAT will be included in a supplement to LAR 11-07.

Commitment 28:

PG&E will provide a mapping of Phases defined in the SyQAP to the Phases of the ALS and Tricon system development processes in a revision to the SyQAP to be submitted by October 15, 2012.

Commitment 29:

PG&E will submit the QAP Audit Summary Report to the staff at the time the vendor hardware is delivered to PG&E.

Commitment 30:

The QAP audit reports will not be submitted but will be made available to the NRC staff for review.

Commitment 31:

The SyQAP will be revised to include approval by personnel responsible for the assigned roles and responsibilities within Section 3.4 of the SyQAP and the revised SyQAP will be submitted by October 15, 2012.

Commitment 32:

For the PPS Replacement Project, an application-specific FMEA will be documented in Invensys Operations Management project document 993754-1-811, "Failure Modes and Effects Analysis," to be submitted to the NRC in October 2012. The focus will be on the effects of internal and interface (e.g., transmitter inputs, TCM data communications) failures of the V10 Tricon portion of the PPS replacement within the context of the Process Protection System application. The analysis will address the interface between the V10 Tricon and the nonsafety PC with TS1131 installed. The analysis will assume a single failure of the safety system in the presence of all nondetectable failures with a worst-case failure scenario of the connected nonsafety PC and determine the effect on the V10 Tricon portion of the PPS replacement.


Commitment 33:

The ALS response time will be verified as part of the FAT and the results will be included in the FAT summary report to be submitted by December 31, 2012.

Commitment 34:

The System Response Time Confirmation Report, 993754-1-818, will be submitted to the staff as part of the ISG-06, Phase 2, submittals at the completion of factory acceptance testing of the V10 Tricon PPS replacement.

Commitment 35:

The Tricon response time will be verified as part of the FAT and the results will be included in the FAT summary report.
