ML11307A332
Enclosure PG&E Letter DCL-11-104
Evaluation of the Proposed Change
License Amendment Request 11-07
Process Protection System Replacement
- 1. SUMMARY DESCRIPTION ..... 5
- 2. SIGNIFICANT HAZARDS CONSIDERATION AND ENVIRONMENTAL CONSIDERATION ..... 6
  2.1 Significant Hazards Consideration ..... 6
  2.2 Environmental Consideration ..... 9
- 3. SAFETY ANALYSIS ..... 9
  3.1 Current Eagle 21 PPS ..... 9
  3.2 PPS Replacement ..... 11
  3.2.1 Proposed Architecture ..... 11
  3.2.2 Communications ..... 15
  3.2.3 Development Process ..... 19
  3.2.4 Validation and Verification (V&V) ..... 20
  3.2.5 Software Configuration Management ..... 20
  3.2.6 Safety Analysis Summary ..... 20
  3.3 Effect on TS and Accident Analyses ..... 21
  3.4 Definitions ..... 22
- 4. SYSTEM DESCRIPTION (Section D.1 of DI&C-ISG-06) ..... 23
  4.1 DCPP PPS Overview ..... 24
  4.1.1 Solid State Protection System ..... 29
  4.1.2 Reactor Trip Switchgear ..... 29
  4.1.3 RTS Functions ..... 30
  4.1.4 ESFAS Functions ..... 31
  4.1.5 Existing Source Range NIS Protection Functions ..... 32
  4.1.6 Existing Intermediate Range NIS Protection Functions ..... 32
  4.1.7 Existing Power Range NIS Protection Functions ..... 32
  4.1.8 Thermal Overtemperature and Overpower Protection Functions ..... 32
  4.1.9 Pressurizer Pressure Protection Functions ..... 33
  4.1.10 Pressurizer Level Protection Function ..... 34
  4.1.11 Reactor Coolant Loop Low Flow Protection Function ..... 34
  4.1.12 RCP Bus Underfrequency Protection Function ..... 35
  4.1.13 RCP Bus Undervoltage Protection Function ..... 35
  4.1.14 RCP Breaker Position Protection Function ..... 36
  4.1.15 Seismic Acceleration Reactor Trip Function ..... 36
  4.1.16 Containment Pressure Protection Functions ..... 36
  4.1.17 Steam Generator Level Protection Functions ..... 37
  4.1.18 Low Steamline Pressure Protection Function ..... 38
  4.1.19 High Negative Steamline Pressure Rate Protection Function ..... 38
  4.1.20 Protection Functions Associated With Steam Dump Control System ..... 39
  4.1.21 Turbine Derived Protection Function ..... 39
  4.1.22 Radiation Derived Protection Function ..... 40
  4.1.23 Manual Reactor Trip ..... 40
  4.1.24 Manual SI ..... 40
  4.1.25 Manual Steamline Isolation ..... 40
  4.1.26 Manual Containment Isolation, Phase A ..... 40
  4.1.27 Manual Containment Spray ..... 41
  4.1.28 ATWS Mitigation System Actuation Circuitry ..... 41
  4.2 DCPP PPS Replacement Description ..... 42
  4.2.1 Processor Subsystems (Platforms) ..... 48
  4.2.2 Safety Function Processors ..... 56
  4.2.3 Input/Output (I/O) Modules ..... 57
  4.2.4 Communications Modules or Means ..... 61
  4.2.5 Voters ..... 62
  4.2.6 Manual Channel Trip and Reset ..... 65
  4.2.7 Power Supply ..... 66
  4.2.8 Test Subsystem ..... 69
  4.2.9 Other Subsystems - Maintenance Workstation ..... 73
  4.2.10 Cabinets, Racks, and Mounting Hardware ..... 74
  4.2.11 Appendix B Compliance Section (D.2.2 of DI&C-ISG-06) ..... 77
  4.2.12 System Response Time (Section D.9.4.2.4 of DI&C-ISG-06) ..... 83
  4.2.13 Communications (Section D.1.2 of DI&C-ISG-06) ..... 83
  4.3 Hardware Development Process (Section D.2 of DI&C-ISG-06) ..... 90
  4.4 Software Architecture (Section D.3 of DI&C-ISG-06) ..... 91
  4.5 Software Development Process (Section D.4 of DI&C-ISG-06) ..... 92
  4.5.1 Software Management Plan (Section D.4.4.1.1 of DI&C-ISG-06) ..... 93
  4.5.2 Software Development Plan (Section D.4.4.1.2 of DI&C-ISG-06) ..... 95
  4.5.3 Software QA Plan (Section D.4.4.1.3 of DI&C-ISG-06) ..... 96
  4.5.4 Software Integration Plan (Section D.4.4.1.4 of DI&C-ISG-06) ..... 97
  4.5.5 Software Safety Plan (Section D.4.4.1.9 of DI&C-ISG-06) ..... 97
  4.5.6 Software V&V Plan (Section D.4.4.1.10 of DI&C-ISG-06) ..... 98
  4.5.7 Software Configuration Management Plan (Sec. D.4.4.1.11 of DI&C-ISG-06) ..... 99
  4.5.8 Software Test Plan (Section D.4.4.1.12 of DI&C-ISG-06) ..... 100
  4.5.9 Software Requirement Specification (Section D.4.4.3.1 of DI&C-ISG-06) ..... 101
  4.5.10 Software Design Specification (Section D.4.4.3 of DI&C-ISG-06) ..... 102
  4.6 Environmental Equipment Qualification (Section D.5.2 of DI&C-ISG-06) ..... 104
  4.6.1 Triconex Qualification ..... 104
  4.6.2 ALS Qualification ..... 105
  4.7 Defense-in-Depth & Diversity (Section D.6 of DI&C-ISG-06) ..... 105
  4.8 Communications (Section D.7 of DI&C-ISG-06) ..... 108
  4.8.1 ISG-04 Interdivisional Communications Staff Position #1 ..... 108
  4.8.2 ISG-04 Interdivisional Communications Staff Position #2 ..... 109
  4.8.3 ISG-04 Interdivisional Communications Staff Position #3 ..... 110
  4.8.4 ISG-04 Interdivisional Communications Staff Position #4 ..... 112
  4.8.5 ISG-04 Interdivisional Communications Staff Position #5 ..... 113
  4.8.6 ISG-04 Interdivisional Communications Staff Position #6 ..... 114
  4.8.7 ISG-04 Interdivisional Communications Staff Position #7 ..... 115
  4.8.8 ISG-04 Interdivisional Communications Staff Position #8 ..... 116
  4.8.9 ISG-04 Interdivisional Communications Staff Position #9 ..... 117
  4.8.10 ISG-04 Interdivisional Communications Staff Position #10 ..... 118
  4.8.11 ISG-04 Interdivisional Communications Staff Position #11 ..... 119
  4.8.12 ISG-04 Interdivisional Communications Staff Position #12 ..... 120
  4.8.13 ISG-04 Interdivisional Communications Staff Position #13 ..... 122
  4.8.14 ISG-04 Interdivisional Communications Staff Position #14 ..... 122
  4.8.15 ISG-04 Interdivisional Communications Staff Position #15 ..... 123
  4.8.16 ISG-04 Interdivisional Communications Staff Position #16 ..... 123
  4.8.17 ISG-04 Interdivisional Communications Staff Position #17 ..... 124
  4.8.18 ISG-04 Interdivisional Communications Staff Position #18 ..... 125
  4.8.19 ISG-04 Interdivisional Communications Staff Position #19 ..... 125
  4.8.20 ISG-04 Interdivisional Communications Staff Position #20 ..... 126
  4.9 System, Hardware, Software, and Methodology Modifications (Section D.8) ..... 126
  4.10 Compliance with IEEE Standard 603 (Section D.9 of DI&C-ISG-06) ..... 127
  4.10.1 Clause 4 Design Basis (Section D.9.4.1 of DI&C-ISG-06) ..... 127
  4.10.2 Clause 5 System (Section D.9.4.2 of DI&C-ISG-06) ..... 139
  4.10.3 Clause 6 Sense and Command Features (Section D.9.4.3 of DI&C-ISG-06) ..... 159
  4.10.4 Clause 7 Execute Features (Section D.9.4.4 of DI&C-ISG-06) ..... 171
  4.10.5 Clause 8 Power Source (Section D.9.4.5 of DI&C-ISG-06) ..... 175
  4.11 Conformance with IEEE Standard 7-4.3.2 (Section D.10 of DI&C-ISG-06) ..... 177
  4.11.1 Clause 5 System (Section D.10.4.2 of DI&C-ISG-06) ..... 177
  4.12 Technical Specifications (Section D.11 of DI&C-ISG-06) ..... 202
  4.13 Secure Development and Operational Environment (Section D.12) ..... 204
- 5. ABBREVIATIONS, ACRONYMS, AND REFERENCES ..... 205
  5.1 Abbreviations and Acronyms ..... 205
  5.2 References ..... 211

Figures
  Figure 3-1 Eagle 21 PPS ..... 13
  Figure 3-2 PPS Replacement ..... 17
  Figure 3-3 PPS Replacement Communications ..... 18
  Figure 4-1 Westinghouse Pressurized Water Reactor Protection System Concept ..... 27
  Figure 4-2 Simplified Diablo Canyon Process Protection System (Existing Eagle 21) ..... 28
  Figure 4-3 Simplified Diablo Canyon Process Protection System (After Replacement) ..... 44
  Figure 4-4 Typical Replacement Protection Set ..... 45
  Figure 4-5 Simplified Functional Architecture ..... 49
  Figure 4-6 PPS Replacement Architecture ..... 50
  Figure 4-7 Tricon Triple Modular Redundant Architecture ..... 51
  Figure 4-8 Generic ALS FPGA Architecture ..... 55
  Figure 4-9 ALS Diversity Architecture ..... 65
  Figure 4-10 Triconex Trip Output Diagnostic ..... 71
  Figure 4-11 PPS Rack Locations ..... 75
  Figure 4-12 PPS Replacement Communications - All Protection Sets ..... 86
  Figure 4-13 PPS Replacement Communications - Single Protection Set ..... 87

Tables
  Table 4-1 Pressurizer Pressure Protection Channels and Protection Sets ..... 25
  Table 4-2 Process Variable Inputs to Tricon for RTS/ESFAS Functions ..... 46
  Table 4-3 Process Variable Inputs to ALS for RTS/ESFAS Functions ..... 47
  Table 4-4 Diverse Protection Functions Not Affected by PPS Replacement ..... 47
  Table 4-5 Platform Cross-Reference ..... 48
  Table 4-6 Triconex I/O Modules ..... 59
  Table 4-7 ALS I/O Modules ..... 60
  Table 4-8 Protection Set Assignments ..... 75
  Table 4-9 Protection Set Input Parameters ..... 76
  Table 4-10 Total Loop Uncertainty ..... 171
  Table 5-1 Abbreviations & Acronyms ..... 205

ATTACHMENTS
- 1. List of Regulatory Commitments
- 2. DI&C-ISG-06 Enclosure B Matrix
- 3. Diablo Canyon Power Plant Process Protection System (PPS) Replacement Concept, Requirements, and Licensing Phase 1 Project Plan, Revision 1
- 4. Diablo Canyon Power Plant Process Protection System (PPS) Replacement System Quality Assurance Plan (SyQAP), Revision 0
- 5. Diablo Canyon Power Plant Units 1 & 2 Process Protection System Replacement System Verification and Validation Plan (SyWP), Revision 0
- 6. Diablo Canyon Power Plant Units 1 & 2 Process Protection System Replacement Conceptual Design Document (CDD), Revision 4
- 7. Diablo Canyon Power Plant Units 1 & 2 Process Protection System Replacement Functional Requirements Specification (FRS), Revision 4
- 8. Diablo Canyon Power Plant Units 1 & 2 Process Protection System Replacement Interface Requirements Specification (IRS), Revision 4
- 9. 10115-J-NPG Revision 1, "DCPP Units 1 & 2 Process Protection System Replacement Controller Transfer Function Specification"
- 10. Diablo Canyon Power Plant Human System Interface (HSI) Development Guidelines, Revision 1
- 11. DCPP Procedure CF2, Revision 8, "Computer Hardware, Software and Database Control"
- 12. DCPP Procedure CF2.1D2, Revision 10, "Software Configuration Management for Plant Operations and Operations Support"
- 13. DCPP Procedure CF2.1D9, Revision 2, "Software Quality Assurance for Software Development"
EVALUATION
- 1. SUMMARY DESCRIPTION

This license amendment request (LAR) requests Nuclear Regulatory Commission (NRC) staff approval for Pacific Gas & Electric Company (PG&E) to permanently replace the Diablo Canyon Power Plant (DCPP) Eagle 21 digital process protection system (PPS) with a new digital PPS that is based on the Invensys Operations Management (IOM) Tricon Programmable Logic Controller (PLC), Version 10, and the CS Innovations, LLC (a Westinghouse Electric Company) (CSI) Advanced Logic System (ALS).
The current Eagle 21 PPS is a digital microprocessor-based system which provides process protection functions for the reactor protection system (RPS) that is comprised of the reactor trip (RT) system (RTS) and engineered safety features actuation system (ESFAS). The proposed PPS replacement consists of a microprocessor-based Tricon PLC and the field programmable gate array (FPGA) based ALS that will improve the reliability and diversity of the PPS.
The NRC has issued Interim Staff Guidance (ISG) for digital instrumentation and control (I&C), DI&C-ISG-06 [1], that describes the licensing process that may be used in the review of LARs associated with digital I&C system modifications. DI&C-ISG-06 [1] includes a description of the applicable regulatory requirements and criteria for digital I&C system modifications. This LAR is the pilot application for use of DI&C-ISG-06 [1], and the LAR format and contents are consistent with the guidance provided in Enclosure E and Section C.3, respectively, of DI&C-ISG-06 [1]. Prior to the submittal of this LAR, PG&E held four pre-application (DI&C-ISG-06 Phase 0) meetings with the staff on August 27, 2009, March 18, 2010, February 3, 2011, and June 7, 2011.
DI&C-ISG-06 [1] describes three different tiers of applications for approval of I&C system modifications. Tier 1 is applicable to LARs proposing to reference a previously approved topical report regarding a digital I&C platform or component(s). Tier 2 is applicable to LARs proposing to reference a previously approved topical report with deviations to suit the plant-specific application. Tier 3 is applicable to license amendments proposing to use a new digital I&C platform or component(s) with no generic approval. This application is a Tier 2 application for use of the Tricon PLC, Version 10, described in Reference 13 and a Tier 3 application for use of the CSI ALS described in Reference 15. The deviations from the NRC approved Tricon PLC, Version 9, are contained in Reference 12.
DI&C-ISG-06 [1], Enclosure B, lists the documents that are typically submitted by the licensee in support of a Tier 2 or Tier 3 submittal during Phases 1 and 2 of the review. The Phase 1 documents associated with this application are summarized in Attachment 2 to this Enclosure. Phase 2 documents that have not been previously submitted to the staff and that are required for the review will be submitted within 12 months of the requested approval date, by May 30, 2012, except for the Phase 2 documents that require manufacture and factory acceptance testing to complete. The Invensys Operations Management and Westinghouse Phase 2 documents that require manufacture and factory acceptance testing to complete will be submitted by December 2012. In addition, Final Safety Analysis Report (FSAR) [26] changes and Technical Specification (TS) Bases [43] changes will be submitted for information only within 12 months of the requested approval date, by May 30, 2012. No TS changes are requested since the DCPP TS already contain the required definitions and requirements for a digital PPS.
The current Eagle 21 PPS is being replaced to address obsolescence, diagnostic, maintenance, and reliability issues. The Eagle 21 PPS has become obsolete due to multiple parts, such as computer chip sets, no longer being manufactured. Certain failures that can occur within the Eagle 21 PPS are difficult to diagnose due to a lack of comprehensive built-in diagnostic features. The Eagle 21 PPS requires a relatively high level of maintenance to support reliable operation, compared to current PPS designs that are available, which increases personnel occupational radiation exposure and ongoing cost to maintain the existing PPS. In addition, PG&E utilizes guidance provided in Institute of Nuclear Power Operations (INPO) AP 913, "Equipment Reliability Process Description," [96] that specifies zero tolerance for critical component failures.
The replacement of the Eagle 21 PPS with a currently available PPS that is significantly more fault tolerant is consistent with nuclear industry guidance provided in INPO AP 913.
- 2. SIGNIFICANT HAZARDS CONSIDERATION AND ENVIRONMENTAL CONSIDERATION

2.1 Significant Hazards Consideration

PG&E has evaluated whether or not a significant hazards consideration is involved with the proposed amendment by focusing on the three standards set forth in 10 CFR 50.92, "Issuance of Amendment," as discussed below:
- 1. Does the proposed change involve a significant increase in the probability or consequences of an accident previously evaluated?
Response: No.
The proposed change would allow Pacific Gas and Electric Company to permanently replace the Diablo Canyon Power Plant Eagle 21 digital process protection system with a new digital process protection system that is based on the Invensys Operations Management Tricon Programmable Logic Controller, Version 10, and the CS Innovations Advanced Logic System. The process protection system replacement is designed to applicable codes and standards for safety-grade protection systems for nuclear power plants and incorporates additional redundancy and diversity features and, therefore, does not result in an increase in the probability of inadvertent actuation or probability of failure to initiate a protective function. The process protection system replacement does not introduce any new credible failure mechanisms or malfunctions that cause an accident. The process protection system replacement design will continue to perform the reactor trip system and engineered safety features actuation system functions assumed in the Final Safety Analysis Report within the response time assumed in the Final Safety Analysis Report Chapter 6 and 15 accident analyses.
Therefore, the proposed change does not involve a significant increase in the probability or consequences of an accident previously evaluated.
- 2. Does the proposed change create the possibility of a new or different accident from any accident previously evaluated?
Response: No.
The proposed change is to permanently replace the current Diablo Canyon Power Plant Eagle 21 digital process protection system with a new digital process protection system. The process protection system performs the process protection functions for the reactor protection system that monitors selected plant parameters and initiates protective action as required. Accidents that may occur due to inadvertent actuation of the process protection system, such as an inadvertent safety injection actuation, are considered in the Final Safety Analysis Report accident analyses.
The protection system is designed with redundancy such that a single failure to generate an initiation signal in the process protection system will not cause failure to trip the reactor nor failure to actuate the engineered safeguard features when required. Neither will such a single failure cause spurious or inadvertent reactor trips or engineered safeguard features actuations because coincidence of two or more initiation signals is required for the solid state protection system to generate a trip or actuation command. If an inadvertent actuation occurs for any reason, existing control room alarms and indications will notify the operator to take corrective action.
The process protection system replacement design includes enhanced diversity features compared to the current process protection system to provide additional assurance that the protection system actions credited with automatic operation in the Final Safety Analysis Report accident analyses will be performed automatically when required should a common cause failure occur concurrently with a design basis event.
The process protection system replacement does not result in any new credible failure mechanisms or malfunctions. The current Eagle 21 process protection system utilizes digital technology and therefore the use of digital technology in the process protection system replacement does not introduce a new type of failure mechanism. Although extremely unlikely, the current Eagle 21 process protection system is susceptible to a credible common-cause software failure that could adversely affect automatic performance of the protection function. The process protection system replacement contains new, additional diversity features that prevent a common-cause software failure from completely disabling the process protection system.
Therefore, the proposed change does not create the possibility of a new or different accident from any accident previously evaluated.
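The single-failure argument in the response above (one failed protection set neither blocks a required trip nor causes a spurious one, while a common-cause failure of all sets is what diversity must cover) can be checked by enumerating the failures against the coincidence vote. This is an added example, not code from the LAR, PG&E or the vendors; it assumes a 2-out-of-4 coincidence across the four Protection Sets and uses constructed readings and a constructed setpoint.

```python
"""Coincidence (voting) model for the single-failure argument.

Added illustration; not PG&E's, Westinghouse's or Invensys's logic.
Assumptions (labelled): a 2-out-of-4 coincidence across the four
Protection Sets (the actual coincidence varies by protection function),
and constructed pressure readings and setpoint that are not plant values.
"""

N_SETS = 4        # Protection Sets I-IV (assumption: all four feed this function)
COINCIDENCE = 2   # SSPS trips when two or more sets post a partial trip (assumed 2/4)


def coincidence_vote(partials):
    """SSPS-style vote: True (trip/actuate) when >= COINCIDENCE partial trips."""
    return sum(1 for p in partials if p) >= COINCIDENCE


def apply_failures(healthy, failures):
    """Return the channel states with the given sets stuck at a forced value.

    failures maps a set index (0..N_SETS-1) to the value it is stuck at.
    """
    return [failures.get(i, v) for i, v in enumerate(healthy)]


def single_failure_tolerant(accident):
    """True if no single stuck channel changes the vote.

    accident=True: all healthy sets see the condition and post a partial
    trip; a single stuck-untripped set must not block the trip.
    accident=False: no healthy set trips; a single stuck-tripped set must
    not cause a spurious trip.
    """
    healthy = [accident] * N_SETS
    expected = coincidence_vote(healthy)
    for i in range(N_SETS):
        for stuck in (True, False):
            if coincidence_vote(apply_failures(healthy, {i: stuck})) != expected:
                return False
    return True


def common_cause_defeats_vote(accident, stuck):
    """A failure that forces every set to the same wrong state defeats voting.

    This is the case the evaluation addresses with diversity rather than
    with redundancy alone.
    """
    healthy = [accident] * N_SETS
    all_failed = apply_failures(healthy, {i: stuck for i in range(N_SETS)})
    return coincidence_vote(all_failed) != coincidence_vote(healthy)


def low_pressure_partials(readings, setpoint):
    """Per-set bistable for a low-setpoint function, then the SSPS vote."""
    partials = [r < setpoint for r in readings]
    return partials, coincidence_vote(partials)


if __name__ == "__main__":
    # Constructed readings (psig) and setpoint, not DCPP values: set III has
    # failed low, the other three are normal, so no spurious actuation.
    readings = [2235.0, 2240.0, 1500.0, 2238.0]
    print(low_pressure_partials(readings, setpoint=2000.0))
    print(single_failure_tolerant(True), single_failure_tolerant(False))
    print(common_cause_defeats_vote(True, False), common_cause_defeats_vote(False, True))
```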
- 3. Does the proposed change involve a significant reduction in a margin of safety?
Response: No.
The reactor protection system is fundamental to plant safety and performs reactor trip system and engineered safety features actuation system functions to limit the consequences of Condition II (faults of moderate frequency), Condition III (infrequent faults), and Condition IV (limiting faults) events. This is accomplished by sensing selected plant parameters and determining whether predetermined instrument settings are being exceeded. If predetermined instrument settings are exceeded, the reactor protection system sends actuation signals to trip the reactor and actuate those components that mitigate the severity of the accident.
The process protection system replacement design will continue to perform the reactor trip system and engineered safety features actuation functions assumed in the Final Safety Analysis Report within the response time assumed Final Safety Analysis Report Chapter 6 and 15 accident analyses. The use of the process protection system replacement does not result in a design basis or safety limit being exceeded or changed. The change to the process protection system has no impact on the reactor fuel, reactor vessel, or containment fission product barriers. The reliability and availability of the reactor protection system is improved with the process protection system replacement, and the reactor protection system will continue to effectively perform its function of sensing plant parameters to initiate protective actions to limit or mitigate events.
Therefore, the proposed change does not involve a significant reduction in a margin of safety.
Based on the above evaluation, PG&E concludes that the proposed change does not involve a significant hazards consideration under the standards set forth in 10 CFR 50.92(c), and accordingly, a finding of "no significant hazards consideration" is justified.
2.2 Environmental Consideration

PG&E has evaluated the proposed amendment and has determined that the proposed amendment does not involve (i) a significant hazards consideration, (ii) a significant change in the types or significant increase in the amounts of any effluents that may be released offsite, or (iii) a significant increase in individual or cumulative occupational radiation exposure. Accordingly, the proposed amendment meets the eligibility criterion for categorical exclusion set forth in 10 CFR 51.22(c)(9). Therefore, pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment need be prepared in connection with the proposed amendment.
- 3. SAFETY ANALYSIS

3.1 Current Eagle 21 PPS

The existing PPS is part of the RPS process instrumentation. Process instrumentation is comprised of devices (and their associated interconnection into systems) which measure and process signals for temperature, pressure, fluid flow, and fluid levels, excluding nuclear and radiation measurements. Process instrumentation includes equipment that performs functions such as process measurement, signal conditioning, dynamic compensation, calculations, setpoint comparison, alarm actuation, indicating and recording, which are all necessary for operation of the Nuclear Steam Supply System as well as for monitoring the plant and providing initiation of protective functions whenever process parameters exceed the associated setpoint criteria. The PPS consists of the process instrumentation devices that monitor process parameters and initiate actuation of the RTS and ESFAS. The Eagle 21 PPS is described in FSAR [26] Sections 7.1, 7.2, and 7.3 and TS and TS Bases [43] Sections 3.3.1 and 3.3.2.
Figure 3-1 contains an overview of the RTS and ESFAS including the Eagle 21 PPS.
The Eagle 21 PPS contains four Protection Sets (Protection Set I, Protection Set II, Protection Set III, Protection Set IV) that receive input from sensors and provide output to two trains (Train A and Train B) of the solid state protection system (SSPS). Figure 3-1 also includes the nuclear instrumentation system (NIS) that provides diverse protection system input to the SSPS and the Anticipated Transient Without Scram Mitigation System Actuation Circuitry (AMSAC) that provides diverse commands to trip the main turbine and initiate auxiliary feedwater (AFW) flow. Steam generator blowdown and sample lines are isolated when the motor-driven AFW pumps start.
The current Eagle 21 PPS, which is located in instrument racks in the auxiliary building, contains analog input module(s), digital filter processor(s), a loop calculation processor, partial trip output module(s), and analog output module(s). The analog input module powers the field sensors and performs signal conditioning. The digital filter processor converts the analog input signals to digital signals, filters them and makes the data available to the loop calculation processor. The loop calculation processor is a centralized processor that provides summation, lead/lag, multiplication, comparator, averaging, and square root conversion, and computes the algorithms and comparisons for the protective functions. The partial trip output modules provide trip and actuation logic. The analog output modules provide isolated analog output information to the plant computer and control systems.
The protection channels which are processed with the Eagle 21 PPS are as follows:
- Reactor coolant average temperature and delta-temperature
- Pressurizer pressure
- Pressurizer water level
- Steam flow
- Feedwater flow
- Reactor coolant flow
- Turbine impulse chamber pressure
- Steam pressure
- Containment pressure
- Reactor coolant wide range temperature
- Reactor coolant wide range pressure
- Steam generator narrow range water level
- Pressurizer vapor temperature

The Eagle 21 protection functions assumed in the FSAR [26] accident analyses are as follows:
- Overtemperature delta-temperature RT
- Overpower delta-temperature RT
- Low and high pressurizer pressure RTs
- High pressurizer level RT
- High-high containment pressure steam line isolation (SLI)
- Low steam line pressure SLI and safety injection (SI)
- Low pressurizer pressure SI
- High containment pressure SI
- Low reactor coolant flow RT
- Steam generator water level low-low RT and AFW initiation
- Steam generator water level high-high turbine trip and feedwater isolation

PG&E requested NRC approval to install the Eagle 21 PPS, including associated TS changes, in PG&E Letter DCL-92-203, dated September 21, 1992 [97], and NRC approval was contained in License Amendments 84 and 83 to Licenses DPR-80 and DPR-82, respectively, dated October 7, 1993 [98].
The RTS and ESFAS, including the Eagle 21 PPS, meet the criteria of Institute of Electrical and Electronic Engineers (IEEE) Standard 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations, dated 1971. The applicable standard for the Eagle 21 vendor validation and verification is the guidelines of Regulatory Guide (RG) 1.152, "Criteria for Programmable Digital Computer System Software in Safety-related Systems in Nuclear Plants," dated November 1985 [113], that endorses IEEE Standard 7-4.3.2, "Application Criteria for Programmable Digital Computer System in Safety Systems of Nuclear Power Generating Stations," dated 1982 [114]. The applicable standard for the safety system design is RG 1.153, "Criteria for Power, Instrumentation and Control Portions of Safety Systems," December 1985 [115] that endorses the guidance of IEEE Standard 603, "IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations," dated 1980 [116]. The vendor equipment qualification methodology conformed with IEEE Standard 323, "IEEE Standard for Qualifying Class 1E Equipment for Nuclear Power Generating Stations," dated 1974 [117]. The Eagle 21 equipment racks and components were subject to multi-axis, multi-frequency seismic inputs in accordance with RG 1.100 "Seismic Qualification of Electrical Equipment for Nuclear Power Plants," dated March 1996 [118], that endorsed IEEE Standard 344, "IEEE Recommended Practices for Seismic Qualification of Class 1E Equipment for Nuclear Power Generating Stations" dated 1975 [119].
The Eagle 21 PPS is configured to perform automatic surveillance testing via a centralized test sequence processor. To support installation of Eagle 21, the TS definitions were revised to allow a channel operational test for a digital channel, and to allow a channel functional test for a digital channel that includes the injection of a simulated signal into the channel as close to the sensor input to the process racks as practical to verify operability of all devices in the channel required for channel operability.
The Eagle 21 PPS allows bypassing of an inoperable channel when performing surveillance tests on an operable channel. Placing the inoperable channel in bypass results in an indication to the operator and allows placing an operable channel in the "Test" mode which results in it being placed in trip. The current TS reflect the capability for the inoperable channel to be placed in bypass.
To support the installation of Eagle 21, the setpoint analyses for the protection system functions processed through Eagle 21 were revised to reflect revised setpoint input values for rack calibration accuracy, rack drift, and measurement and test equipment accuracies temperature effect as discussed in Section D of PG&E Letter DCL-92-203.
The RTS and ESFAS TS [42] allowable values were revised to incorporate the results of the revised setpoint analysis.
A detailed description of the existing Eagle 21 PPS is contained in Section 4.1.
3.2 PPS Replacement
3.2.1 Proposed Architecture
The PPS replacement is based on the Tricon PLC, Version 10, described in Tricon V10 Topical Report Submittal [13] and the CSI ALS described in [15].
The system functional requirements for a digital safety-related system have a significant impact on the quality and safety of the installed software product. PG&E personnel were highly involved in the development of the PPS replacement technology, including performing a review of industry operating experience for the technology, performing a review and inspection of installed applications of the technology, writing the specification requirements, and developing the enhanced diversity aspects of the PPS replacement. Several personnel that were originally involved in the development of the current Eagle 21 PPS were involved in the development of the PPS replacement.
The PPS replacement incorporates reliability and diversity improvements to the current PPS while maintaining simplicity in the architectural design. The microprocessor-based Tricon PLC portion of the platform utilizes a triple modular redundant (TMR) technology that allows continued operation in the presence of multiple faults within the system and allows detection and correction of faults on-line without interruption of the protection capabilities. The ALS portion of the platform is logic-based and does not utilize a microprocessor.
Although extremely unlikely, the current Eagle 21 PPS is susceptible to a credible common cause software failure (CCSF) that could adversely affect automatic performance of the protection function and require manual operator action to be taken.
The use of built-in diversity in the design of the PPS replacement eliminates the need for manual operator actions to address CCSF and precludes the need for an external diverse actuation system and enhances the simplicity of the PPS replacement.
In accordance with the guidance in NUREG-0800, Branch Technical Position (BTP) 7-19, "Guidance for Evaluation of Diversity and Defense-in-Depth (D3) in Digital Computer Based Instrumentation and Control Systems," Revision 5, March 2007 [4] PG&E completed and submitted the D3 topical report for the PPS Replacement to the NRC for approval in [6]. The NRC staff issued a Safety Evaluation Report (SER) for the D3 topical report in [7].
The PPS replacement has been designed to meet the following updated standards and new guidance:
- IEEE Standard 603-1991, Standard Criteria for Safety Systems for Nuclear Power Generating Stations [21]
- IEEE Standard 308-1980 [30],
- IEEE Standard 7-4.3.2-2003, [80]
- EPRI TR-107330 [81]
- RG 1.152, Revision 3 "Criteria For Use Of Computers In Safety Systems Of Nuclear Power Plants." [45]
- RG 5.71, Revision 0, "Cyber Security Programs for Nuclear Facilities," January 2010 [46]
- ISG-04 [2]
The above standards and guidance apply only to the PPS portion of the protection system.
The proposed project replaces in its entirety the current Westinghouse Eagle 21 PPS with a new PPS that has improved reliability, diversity, diagnostic, and testing capabilities. Figure 3-2 contains an overview of the RTS and ESFAS including a simplified representation of the PPS replacement. The scope of the PPS replacement is illustrated in the shaded portion of Figure 3-2. Equipment in the unshaded portion of Figure 3-2 is not being replaced or modified as part of the PPS Replacement Project.
The existing Eagle 21 PPS four redundant Protection Sets, as shown in Figure 3-1, will be replaced with four redundant and independent Protection Sets (Protection Set I, Protection Set II, Protection Set III, Protection Set IV) that receive input from sensors and provide output to two trains (Train A and Train B) of the SSPS. Each Protection Set in the PPS replacement contains a software-based Triconex Tricon V10 processor subsystem described in Reference 13 and a diverse safety-related CSI ALS subsystem described in Reference 15.
The built-in diversity provided by the logic-based ALS ensures that all accidents and events credited with automatic PPS mitigation in DCPP FSAR [26] Chapter 15 analyses continue to be mitigated automatically with concurrent software CCF. The PPS replacement automatically mitigates events that currently require manual protective action should a CCF disable the primary and backup protection functions. A detailed description of the allocation of automatic protection functions between the Tricon subsystem and the ALS subsystem is presented in section 4.2.
Each Protection Set is independent of the other Protection Sets and is protected from adverse influence from the other Protection Sets. The PPS replacement does not utilize or implement inter-divisional safety-to-safety communications. Within a protection set, the PPS replacement does incorporate safety-to-non safety communications. The PPS replacement architecture is designed to ensure that communications between safety and non-safety equipment that resides within the Protection Set adhere to the guidance described in the ISG 4 Staff Positions.
Each of the four Protection Sets contains a non-safety related maintenance workstation (MWS). A detailed description of the PPS replacement is contained in Section 4.2.
3.2.2 Communications
Figure 3-3 provides a simplified representation of the communications architecture for a single Protection Set. The Tricon, ALS, and MWS communications are summarized below.
3.2.2.1 Tricon Communications
There are no communications paths between redundant Protection Sets in the Tricon portion of the PPS replacement. The non-safety-related MWS, discussed in detail in Section 4.2.13.3, within a redundant Protection Set communicates only with the safety-related controllers within that Protection Set. The Tricon Communications Module (TCM) output media from the Tricon is fiber optic to provide electrical isolation. A media converter converts the fiber optic media to 100baseT Ethernet.
A NetOptics Model PA-CU port aggregator tap device is utilized to ensure that only one-way communication takes place between the Tricon processors and the Plant Process Computer (PPC) Gateway Computer. The NetOptics device permits two-way communications between the Tricon TCM and the MWS, while permitting the PPC Gateway computer read-only access to the Tricon TCM and the MWS. The non-safety PPC Gateway computer is shared by all four Protection Sets.
3.2.2.2 ALS Communications
There are no communication paths between redundant safety divisions in the ALS portion of the PPS replacement as shown in Figure 3-3. The two Electronic Industries Alliance EIA-422 standard ALS communication channels (TxB1 and TxB2) from the ALS-102 in each ALS chassis to the Gateway computer and the MWS, respectively, are isolated, serial, and one-way. The communications channels do not receive any data, handshaking, or instructions from the Gateway computer. Handshaking is an automated process of negotiation that dynamically sets parameters of a communications channel established between two entities before normal communication over the channel begins. The ALS processes reactor coolant system (RCS) temperature signals and transmits the conditioned and scaled data to the Tricon via analog 4-20 milliampere (mA) signals.
The Test ALS Bus (TAB) communication channel provides communications between ALS Service Unit (ASU) maintenance software in the MWS and the ALS chassis. This Electronic Industries Alliance EIA-485 standard communication path is normally disabled, with two-way communication permitted only when a hardwired switch is closed to complete the circuit from the MWS back to the ALS. No communication is allowed on the TAB if the switch is not closed. The Protection Set containing the ALS chassis remains functional with TAB communications enabled. The information is collected in a non-obtrusive manner and does not affect the on-going operation of the system.
3.2.2.3 Non-Safety-Related MWS
A single MWS is used to view data from both the Tricon and the ALS and to maintain both the Tricon and the ALS in a given protection set. The non-safety-related MWS is used to maintain and configure the Tricon and also to view data from both the Tricon and ALS. When the TAB has been placed in service as described above, the MWS is used to perform the maintenance functions associated with the ASU.
A MWS may access data only within its own Protection Set. Communication of any MWS with any other Protection Sets is not possible. There are no means of connecting any Protection Set to another MWS without reconfiguring the Protection Set controllers and communications cabling. There are no communications switches in the architecture that could allow inadvertent connection of a MWS or other device to a Protection Set.
3.2.2.4 Triconex Communications with MWS
Under operating plant conditions the MWS simply displays plant parameters and diagnostic information. The controls for access to functions beyond displaying data are security-related information per 10 CFR 2.390 and will be provided in a separate letter to the NRC staff. The MWS will be used for injecting test values and modifying Tricon safety system parameters. Use of the MWS is in accordance with site-specific administrative (procedural) and physical-access controls.
Data isolation between the safety-related Tricon control processor and the non-safety MWS is performed by the safety-related TCM. Fiber optic cable electrically isolates the Tricon from external non-safety-related devices.
3.2.2.5 ALS Communication with MWS
Communications from the ALS to the MWS are via the transmit-only (no handshake) ALS-102 communication channel TxB2. The TxB2 communications channel does not receive any data, handshaking, or instructions from the MWS.
Two-way TAB communications between ASU application software in the MWS and the ALS chassis are used to perform ALS maintenance and calibration functions. This EIA-485 communication path is normally disabled, with two-way communications permitted only when a hardwired switch is closed to complete the circuit between the MWS and the ALS chassis. Communications on the TAB are not possible if the switch is open.
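The paths described in Sections 3.2.2.1 through 3.2.2.5 can be checked mechanically by treating each Protection Set as a directed graph and asking which safety-related nodes a non-safety node can ever write to. The following Python model is an added example, not code or configuration from the PPS Replacement Project or its vendors: the node names, the link labels and the two-set layout are constructed for illustration, and it assumes, as the text states, that the shared PPC Gateway only receives data (read-only), that TxB1/TxB2 are transmit-only, that the TCM/MWS link is two-way, and that the TAB carries data only while the hardwired switch is closed.

```python
"""Directed-graph model of the Protection Set communications paths described in
Section 3.2.2.  Added example, not project or vendor code; node names and link
labels are constructed for illustration."""
from collections import deque
from typing import Dict, List, Set, Tuple

Link = Tuple[str, str, str]  # (source, destination, label)

SAFETY_PREFIXES = ("TRICON_TCM_", "ALS_102_")


def build_links(tab_switch_closed: Dict[str, bool]) -> List[Link]:
    """Links for the Protection Sets named in tab_switch_closed, e.g. {"I": False}.

    Directions follow the text: TCM<->MWS is two-way through the port aggregator
    tap; the shared PPC Gateway only receives (read-only); ALS TxB1/TxB2 are
    transmit-only; the TAB is two-way only while the hardwired switch is closed.
    No link joins two Protection Sets.
    """
    links: List[Link] = []
    for ps, closed in tab_switch_closed.items():
        tcm, als, mws = f"TRICON_TCM_{ps}", f"ALS_102_{ps}", f"MWS_{ps}"
        links += [
            (tcm, mws, "TCM/MWS via tap, two-way"),
            (mws, tcm, "TCM/MWS via tap, two-way"),
            (tcm, "PPC_GATEWAY", "tap monitor port, read-only"),
            (mws, "PPC_GATEWAY", "tap monitor port, read-only"),
            (als, "PPC_GATEWAY", "TxB1 EIA-422, one-way"),
            (als, mws, "TxB2 EIA-422, one-way"),
            (als, tcm, "4-20 mA analog RCS temperature"),
        ]
        if closed:  # TAB circuit completed by the hardwired switch
            links += [(mws, als, "TAB EIA-485, two-way"),
                      (als, mws, "TAB EIA-485, two-way")]
    return links


def reachable(links: List[Link], start: str) -> Set[str]:
    """Nodes that can receive data originating at `start` (BFS along link direction)."""
    adj: Dict[str, List[str]] = {}
    for src, dst, _ in links:
        adj.setdefault(src, []).append(dst)
    seen: Set[str] = set()
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def is_safety(node: str) -> bool:
    return node.startswith(SAFETY_PREFIXES)


def safety_targets(links: List[Link], start: str) -> List[str]:
    """Safety-related nodes that `start` can write to."""
    return sorted(n for n in reachable(links, start) if is_safety(n))


def other_set_targets(links: List[Link], start: str) -> List[str]:
    """Nodes of a different Protection Set that `start` can reach (gateway excluded)."""
    own = start.rsplit("_", 1)[-1]
    return sorted(n for n in reachable(links, start)
                  if n != "PPC_GATEWAY" and n.rsplit("_", 1)[-1] != own)


if __name__ == "__main__":
    links = build_links({"I": False, "II": True})  # Set II has its TAB switch closed
    for start in ("MWS_I", "MWS_II", "PPC_GATEWAY"):
        print(start, "-> safety:", safety_targets(links, start),
              "| other sets:", other_set_targets(links, start))
```

Run with the two-set layout above, the model shows what the text asserts: the PPC Gateway can write to nothing, an MWS reaches only its own Tricon TCM while the TAB switch is open and its own ALS-102 only when the switch is closed, and no node of one Protection Set reaches a node of another even though the gateway is shared, because a read-only sink cannot act as a bridge.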
3.2.3 Development Process
The hardware and software development for the PPS replacement utilizes a development process that complies with IEEE Standard 603-1991 [21] Clause 5.3 "Quality," and IEEE Standard 7-4.3.2-2003 [80] Clause 5.3, "Quality," including the digital system development life cycle. IOM used a product development process for the Tricon platform including processes distinctively tailored to development of software used in designing and maintaining programmable logic devices (PLDs). CSI used a hardware development process for development of the ALS. The ALS is an FPGA-based system that does not execute software. However, the FPGA is configured by using software tools and therefore a quality control procedure was used in the development of the FPGA. Details on the development process used are contained in Sections 4.2.11, 4.3, 4.5, 4.10.2.3, and 4.11.1.1.
3.2.4 Validation and Verification (V&V)
The validation and verification (V&V) effort for the PPS replacement utilizes a process and activities that comply with IEEE Standard 7-4.3.2-2003 [80] Clause 5.3.3, "Validation and Verification". IOM has a Software V&V Plan that establishes the V&V process for Tricon platform hardware including how V&V activities will be performed.
CSI has a V&V Plan that defines the techniques, procedures, and methodologies that will be used to provide V&V for the ALS platform design and test development and the test activities for the platform development and implementation. PG&E has a System Verification and Validation Plan for the PPS Replacement Project that defines the activities for V&V by PG&E, IOM, and CSI. Details on the software V&V process are contained in Section 4.5.6.
3.2.5 Software Configuration Management
Software configuration management complies with IEEE Standard 7-4.3.2-2003 [80] Clause 5.3.5, "Software Configuration Management". IOM has a PPS Replacement Configuration Management Plan (CMP) that defines how software configuration management is applied and establishes the content of the Software Configuration Management Plan (SCMP). CSI has an ALS CMP that describes the organization and practices used for the ALS. PG&E has a DCPP Software Configuration Management procedure for Software Configuration Management for Plant Operations and Operations Support to provide configuration management. Details on the software configuration management are contained in Section 4.5.7.
3.2.6 Safety Analysis Summary
The PPS replacement incorporates redundancy, independence, and diversity while providing simplicity in the architectural design. PG&E has completed and submitted the D3 topical report for the PPS Replacement to the NRC and the NRC staff has issued a SER for the D3 topical report. The hardware and software development for the PPS replacement utilizes a development process that complies with IEEE Standard 603-1991 [21] Clause 5.3 "Quality," and IEEE Standard 7-4.3.2-2003 [80] Clause 5.3, "Quality," including the digital system development life cycle, in order to provide a high quality and well defined development process that results in a quality PPS. The V&V effort for the PPS replacement utilizes a process and activities that comply with IEEE Standard 7-4.3.2-2003 [80] Clause 5.3.3, "Validation and Verification" to ensure the PPS replacement meets the specified functional requirements and criteria. Finally, the software configuration management used for the PPS Replacement Project complies with IEEE Standard 7-4.3.2-2003 [80] Clause 5.3.5, "Software Configuration Management," to control the system and programming throughout its development and use. Therefore, PG&E concludes the proposed PPS replacement complies with the 10 CFR 50 regulations and that the public health and safety will be protected with NRC staff approval to use the PPS replacement.
3.3 Effect on TS and Accident Analyses
The PPS replacement has been designed and specified such that it continues to meet the current TS [42] and FSAR [26] Chapter 6 and 15 accident analysis requirements.
This has been accomplished by providing functional requirements in the PPS Replacement Functional Requirements Specification (FRS) [28] that are the same as or better than the current Eagle 21 PPS for instrument rack calibration accuracy, rack drift, temperature effect values, and response time. Therefore, no revised TS are required for the PPS replacement. However, revised TS Bases will be submitted for information only by May 30, 2012, as stated in section 1.
To support the implementation of the current Eagle 21 digital PPS, the TS were revised in License Amendments 84 and 83, dated October 7, 1993 [98] to allow a channel operational test for a digital channel, to allow a channel functional test for a digital channel that includes the injection of a simulated signal into the channel as close to the sensor input to the process racks as practical to verify operability, and to allow bypassing an inoperable channel when performing surveillance tests on an operable channel.
In addition, to support the implementation of the current Eagle 21 digital PPS, the setpoints analysis for the protection system functions processed through Eagle 21 were revised to reflect revised setpoint input values for rack calibration accuracy, rack drift, and temperature effect values as discussed in Section D of PG&E Letter DCL-92-203 [97] and the RTS and ESFAS TS [42] allowable values were revised to incorporate the results of the revised setpoint analysis.
The PPS replacement has been designed with sufficient diversity such that there is no credible single failure or CCSF that will prevent a required automatic protection function from being performed. Therefore, no revised FSAR [26] Chapter 6 or 15 accident analyses or revised accident analysis analytical methods are required for the PPS replacement.
3.4 Definitions
Terms used in this LAR are defined below.
Component: Items from which the system is assembled (such as resistors, capacitors, wires, connectors, transistors, tubes, switches, and springs).
Module: Any assembly of interconnected components that constitutes an identifiable device, instrument, or piece of equipment. A module can be disconnected, removed as a unit, and replaced with a spare. It has definable performance characteristics that permit it to be tested as a unit. A module can be a card or other subassembly of a larger device, provided it meets the requirements of this definition.
Channel: An arrangement of components, modules and software as required to generate a single protective action signal when required by a generating station condition. A channel loses its identity where single action signals are combined.
Diversity and Defense-In-Depth (D3): Requirement imposed on the Protection System design to ensure that required protective actions will occur to protect against Anticipated Operational Occurrences and Design Basis Accidents (as described in the FSAR [26]) concurrent with a CCF (usually assumed to be software) that disables one or more echelons of defense.
Protection Set: A Protection Set is a physical grouping of process channels with the same Class-1E electrical channel designation (I, II, III, or IV). Each of the four redundant Protection Sets is provided with separate and independent power feeds and process instrumentation transmitters. Thus, each of the four redundant Protection Sets is physically and electrically independent of the other sets. A Protection Set may be referred to as a "rack set".
Protective Function: A protective function is the sensing of one or more variables associated with a particular generating station condition, signal processing, and the initiation and completion of the protective action at values established in the design bases.
Single Failure: Any single event that results in a loss of function of a component or components of a system. Multiple failures resulting from a single event shall be treated as a single failure.
Train: The SSPS portion of RTS/ESFAS. The RTS contains the logic circuitry necessary to automatically open the RT breakers that consists of two redundant logic trains that receive input from the protection channels. Each of the two trains, A and B, is capable of opening a separate and independent RT breaker (52/RTA and 52/RTB). The ESFAS contains a logic portion consisting of two redundant logic trains that receive inputs from the process protection channels and perform the needed logic to actuate the ESF.
- 4. SYSTEM DESCRIPTION (Section D.1 of DI&C-ISG-06 [1])
This section has been prepared using the guidance of DI&C-ISG-06 [1], Section D.1, System Description. Section 4.1 first describes the existing PPS functions and functions performed by other protective systems at DCPP. Section 4.2 then identifies the scope of the PPS replacement, the hardware being used for the DCPP PPS replacement, how the hardware items function, how the various hardware items are interconnected, and the software that is integrated with the hardware components. The PPS replacement performs all protection functions performed by the current PPS.
For the PPS replacement, there are no exceptions to the guidance and regulatory documents cited in Section 4.2 and following sections. Compliance is described generally in the referenced vendor topical reports; however, the topical reports are generic and by their nature cannot discuss all aspects of the platform as used in a specific application such as the PPS replacement. The PG&E project specification documents provide requirements for the specific DCPP PPS replacement application.
Application-specific Phase 1 and Phase 2 vendor documentation describes how the project requirements are fulfilled. Such documentation includes:
- 2. Westinghouse PPS Replacement Project ALS System Requirement Specification [17].
Where vendor documents that discuss specific compliance are available, they are cited.
The documentation and description are on two levels. First, the individual Protection Sets (i.e., divisions) that implement the protective functions in the PPS replacement are described, including the signal flows between the various hardware items. Second, the overall system is described with particular emphasis on additional hardware items not included in the description of the channels or divisions, such as voters, communications with workstations or non-safety systems, bypass functions/switches, and diverse actuation systems. The data communication pathways are described in detail using the guidance in DI&C-ISG-06 [1] Section D.7, "Communications."
Throughout this document, mention will be made of Process Protection Sets and channels. It is important to understand these terms as used at DCPP because the terminology is somewhat different from that used at other installations.
A process channel is an arrangement of components, modules and software as required to generate a single protective action signal when required by a generating station condition [FSAR [26] Section 7.1].
Redundant process instrumentation channels are separated by locating the electronics in different protection "sets". The PPS at DCPP is comprised of four such Protection Sets. Each Protection Set is further comprised of various process "channels". Table 4-1 illustrates a typical relationship among Protection Sets and process channels for the Pressurizer Pressure Protection function.
4.1 DCPP PPS Overview The protective functions initiated by the PPS are broadly classified into the following two major categories: tripping of the reactor and the actuation of ESF. This discussion focuses on the PPS safety-related functions from two functionally defined systems: the RTS and the ESFAS.
The design basis of the PPS is to actuate the RTS and/or the ESFAS, whenever necessary to:
- Prevent core damage from an anticipated transient
- Limit core damage from infrequent faults
- Preserve the integrity of the RCS pressure boundary during limiting fault conditions
- Limit site radiological releases to acceptable limits

Table 4-1 Pressurizer Pressure Protection Channels and Protection Sets

| Protection Set | Sensor Input to Channel | Channel | Output to SSPS |
|---|---|---|---|
| I | PT-455 | PZR Pressure Low Rx Trip | PC-455C |
| I | PT-455 | PZR Pressure High - Unblock SI (P-11) | PC-455B |
| I | PT-455 | PZR Pressure High Rx Trip | PC-455A |
| I | PT-455 | PZR Pressure Low-Low SI | PC-455D |
| I | PT-455 | PZR Pressure High - PORV | PC-455E |
| II | PT-456 | PZR Pressure Low Rx Trip | PC-456C |
| II | PT-456 | PZR Pressure High - Unblock SI (P-11) | PC-456B |
| II | PT-456 | PZR Pressure High Rx Trip | PC-456A |
| II | PT-456 | PZR Pressure Low-Low SI | PC-456D |
| II | PT-456 | PZR Pressure High - PORV | PC-456E |
| III | PT-457 | PZR Pressure Low Rx Trip | PC-457C |
| III | PT-457 | PZR Pressure High - Unblock SI (P-11) | PC-457B |
| III | PT-457 | PZR Pressure High Rx Trip | PC-457A |
| III | PT-457 | PZR Pressure Low-Low SI | PC-457D |
| III | PT-457 | PZR Pressure High - PORV | PC-457E |
| IV | PT-474 | PZR Pressure Low Rx Trip | PC-474A |
| IV | PT-474 | PZR Pressure High - PORV | PC-474B |
| IV | PT-474 | PZR Pressure High Rx Trip | PC-474C |
| IV | PT-474 | PZR Pressure Low-Low SI | PC-474D |

Note: Power Operated Relief Valve (PORV) outputs go to the Auxiliary Safeguards Rack, not the SSPS.
The PPS provides signals that automatically shut down the reactor when the limits of safe operation are approached. The safe operating region is defined by several considerations, such as mechanical/hydraulic limitations on equipment and heat transfer phenomena. Therefore, the PPS monitors process variables that are directly related to equipment mechanical limitations, such as pressurizer pressure and water level, and variables that directly affect the heat transfer capability of the reactor, such as reactor coolant flow and temperatures. Upon coincidence that multiple directly measured process or calculated variables exceed setpoints, the reactor is shut down to protect against damage to fuel cladding or loss of system integrity that could lead to release of radioactive fission products. The ESFAS actuates various engineered safety features (ESF) equipment that performs protective actions to mitigate the consequences of postulated accidents. Coincidence logic functions are performed by the SSPS described in the next section of this LAR.
The PPS is highlighted in Figure 4-1 to illustrate the scope of this project, as well as to illustrate the major systems with which the PPS interfaces.
The remainder of this section describes PPS functions in detail. Refer to Figure 4-2 for a simplified depiction of the existing Eagle 21 PPS architecture.
The DCPP FSAR [26] Chapter 15 design basis events described in this section are discussed in more detail in the previously approved DCPP D3 Assessment [6, 7]. The Assessment lists each event by FSAR [26] Chapter 15 section and includes primary, backup and diverse mitigation. The Assessment describes the methodology to ensure that events credited with automatic mitigation in the DCPP FSAR [26] will continue to be mitigated automatically given a concurrent CCF in the PPS replacement.
Figure 4-1 Westinghouse Pressurized Water Reactor Protection System Concept

4.1.1 SSPS
The PPS monitors plant parameters, compares them against setpoints and provides signals to the SSPS if setpoints are exceeded. The SSPS evaluates the signals and performs RTS and ESFAS functions to mitigate Abnormal Operational Occurrences and Design Basis Events described in FSAR [26] Chapter 15. The SSPS is composed of two redundant, essentially identical trains (A and B) that are physically and electrically separated. The existing SSPS is not being modified by the PPS Replacement Project.
Inputs to the SSPS that are diverse from the PPS are derived from nuclear instrumentation sensors that are processed through the NIS, radiation monitoring sensors that are processed through the radiation monitoring system, and seismic sensors that are processed through the seismic monitoring system. Other diverse input signals are derived directly from the process sensor by way of contacts in the sensor (such as auto stop oil pressure switches on the turbine, auxiliary contacts on circuit breakers, limit switches on turbine stop valves, etc.) or from control switches located in the control room.
Contacts of the SSPS input relays provide inputs to the logic portion of the SSPS where the coincidence logic (2-out-of-3, 2-out-of-4, etc.) is performed. Additional redundant inputs enter the logic directly from the control board switches and pushbuttons.
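The coincidence logic named here (2-out-of-3, 2-out-of-4) interacts with the channel bypass and "Test" handling described in Section 3.1: a bypassed inoperable channel drops out of the vote, and an operable channel placed in "Test" is counted as tripped. The following Python model is an added example and is not the SSPS or PPS design logic; it assumes exactly those two rules as stated in the text, and its readings and setpoint are constructed values in arbitrary units, not plant setpoints.

```python
"""Constructed m-out-of-n coincidence voter illustrating the channel bypass and
"Test" handling in Section 3.1 and the SSPS coincidence logic (2-out-of-3,
2-out-of-4) in Section 4.1.1.  Added example, not SSPS or PPS design logic.
Assumptions: a bypassed channel is excluded from the count entirely, and a
channel placed in "Test" is counted as tripped, as the text describes.
Readings and setpoints are in constructed units."""
from enum import Enum
from typing import Dict, List, Optional


class ChannelState(Enum):
    NORMAL = "normal"  # operable; partial trip depends on the reading
    TEST = "test"      # operable channel under surveillance test: forced to trip
    BYPASS = "bypass"  # inoperable channel: removed from the vote


def partial_trips(readings: List[float], states: List[ChannelState],
                  setpoint: float, trip_on_high: bool = True) -> List[Optional[bool]]:
    """Per-channel partial-trip outputs; None means the channel is not voting."""
    if len(readings) != len(states):
        raise ValueError("one reading per channel")
    out: List[Optional[bool]] = []
    for value, state in zip(readings, states):
        if state is ChannelState.BYPASS:
            out.append(None)
        elif state is ChannelState.TEST:
            out.append(True)
        else:
            out.append(value >= setpoint if trip_on_high else value <= setpoint)
    return out


def tripped_count(partials: List[Optional[bool]]) -> int:
    return sum(1 for p in partials if p is True)


def coincidence(partials: List[Optional[bool]], m: int) -> bool:
    """m-out-of-n logic evaluated over the channels that are voting."""
    return tripped_count(partials) >= m


def effective_logic(states: List[ChannelState], m: int) -> str:
    """Logic after bypass, e.g. 2-out-of-4 with one channel bypassed is 2-out-of-3."""
    voting = sum(1 for s in states if s is not ChannelState.BYPASS)
    return f"{m}-out-of-{voting}"


def vote(readings: List[float], states: List[ChannelState], setpoint: float,
         m: int, trip_on_high: bool = True) -> Dict[str, object]:
    """Evaluate one protection function and report the vote and its remaining margin."""
    partials = partial_trips(readings, states, setpoint, trip_on_high)
    return {
        "logic": effective_logic(states, m),
        "partials": partials,
        "actuate": coincidence(partials, m),
        "additional_trips_needed": max(0, m - tripped_count(partials)),
    }


if __name__ == "__main__":
    N, T, B = ChannelState.NORMAL, ChannelState.TEST, ChannelState.BYPASS
    # All four channels operable: one channel above setpoint is not enough for 2/4.
    print(vote([90.0, 105.0, 88.0, 92.0], [N, N, N, N], 100.0, m=2))
    # Channel 1 bypassed (inoperable) and channel 2 in "Test" (forced trip):
    # the logic is 2-out-of-3 and one further real trip actuates.
    print(vote([0.0, 0.0, 101.0, 92.0], [B, T, N, N], 100.0, m=2))
```

The `additional_trips_needed` field is the point a reviewer cares about: with one channel bypassed and another in test, a 2-out-of-4 function sits one channel away from actuation, which is why the TS limit how long that surveillance configuration may persist.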
Power is supplied to the undervoltage (UV) coils of the RT switchgear by the SSPS.
The RT signal to the UV coils de-energizes the power source for the coils. The SSPS logic provides automatic RT signals to the RT switchgear.
The solid state logic also operates master relays in the output bay of the SSPS. The master relay contacts, in turn, operate slave relays that actuate the ESF. The slave relays are used for contact multiplication.
Information concerning the PPS status is transmitted to the control board status lamps and annunciators by way of the SSPS control board demultiplexer and to the PPS by way of the SSPS computer demultiplexer. The SSPS provides about 200 isolated signals to the computer and the control board by way of demultiplexers. The multiplexing permits the transmittal of a large amount of status information over a small number of conductors, thereby simplifying and reducing the field wiring requirements.
Time sharing of the multiplexer conductors is the principle used by the multiplexing system.
4.1.2 RT Switchgear
When the RT switchgear receives a RT signal from the SSPS, it de-energizes the RT breaker UV coil and energizes the shunt trip mechanism to open the RT breakers [Figure 4-2]. Opening of the RT breakers removes power to the control rod drive mechanisms permitting the control rods to fall by gravity into the reactor core, which rapidly inserts negative reactivity. The existing RT Switchgear is not being modified by the PPS Replacement Project.
The SSPS logic train A sends a trip signal to trip RT breaker A and bypass breaker B by way of each respective breaker UV coil and the shunt trip relay (RT breaker only). An equivalent, but independent trip signal is sent simultaneously from train B to RT breaker B and bypass breaker A, also by way of the individual breaker UV coil and shunt trip relay.
4.1.3 RTS Functions
Nuclear instrumentation, process protection instrumentation, seismic instrumentation or field sensors generate initiation signals which are sent to the SSPS when a plant parameter relative to plant safety exceeds a setpoint. The SSPS generates actuation signals to the RT breaker UV coil and shunt trip attachment when logical coincidence conditions are satisfied. This opens the RT breakers and releases the control rods, allowing them to fall by gravity into the reactor core.
The conditions that require a RT to prevent core damage are as follows:
- 1. Departure from nucleate boiling (DNB) ratio (DNBR) approaching the limiting value
- 2. Fuel rod linear power density approaching its rated value
- 3. RCS overpressure creating stresses approaching system design limits
The plant variables required to be monitored to generate a RT are as follows:
- 1. Neutron flux
- 2. RCS temperature (narrow range)
- 3. RCS pressure (pressurizer pressure)
- 4. Pressurizer water level
- 5. Reactor coolant flow
- 6. Reactor coolant pump (RCP) operational status (bus undervoltage, bus underfrequency, and pump motor circuit breaker position)
- 7. Steam generator water level (narrow range)
- 8. Turbine/generator operational status (trip fluid pressure and stop valve position)
- 9. Seismic acceleration
In addition, a manual RT, a RT on manual or automatic SI, and a hardware problem related RT are provided.
PPS monitored variables are identified in Section 4.10.3.4.
4.1.4 ESFAS Functions
The capability is provided to sense plant conditions that require the initiation of the ESF. The ESF act to limit the consequences of faulted conditions. The ESFAS automatically provides output signals for the timely actuation of the various ESF functions, consistent with the design bases of these systems.
The conditions that require the actuation of ESF are as follows:
- 1. Primary System Accidents
- a. Rupture of small pipes or cracks in large pipes
- b. Rupture of RCS pipes
- c. Steam generator tube rupture (SGTR)
- d. Rod ejection accident
- 2. Secondary System Accidents
- a. Rupture of a major Steamline or Feedwater line
- b. Minor secondary system pipe breaks
- d. Loss of offsite alternating current (AC) power
The plant variables required to be monitored for the automatic initiation of ESF are as follows:
- 1. RCS pressure (Pressurizer pressure)
- 2. Containment pressure
- 3. Steamline pressure
- 4. Steamline pressure rate of change
- 5. Steam generator water level (narrow range)
- 6. Containment exhaust radiation (generated outside the PPS)
Protective functions initiated by the ESFAS to limit plant fault conditions are as follows:
- 1. SI Actuation (SI Signal)
- 2. Turbine Trip
- 4. Containment Isolation Phase A
- 5. Containment Isolation Phase B
- 6. Containment Ventilation Isolation (CVI)
- 7. Main Steam Isolation
- 8. MFW Isolation
- 9. AFW Initiation
The low Steamline pressure, the low Pressurizer pressure, or the high containment pressure protection functions initiate SI actuation and a subsequent RT. SI actuation initiates an "S" safety signal, Feedwater Isolation, Containment Phase "A" Isolation, and CVI. Feedwater Isolation, Containment Phase "A" isolation, and CVI are individually latched, either in the SSPS cabinets or implicitly latched by the nature of the actuated component. The "S" signal is latched in the SSPS cabinet. Manual action is required to reset latched signals.
4.1.5 Existing Source Range NIS Protection Functions
The source range and intermediate range nuclear instrumentation form the first two overlapping steps of nuclear protection. The power range nuclear instrumentation provides the third and final overlapping step in nuclear protection.
The source range NIS primary protection function is to provide input signals to the SSPS low power RTs and indication. The source range function trips the reactor when 1-out-of-2 source range channels read above the trip setpoint. The NIS is entirely independent of the PPS.
4.1.6 Existing Intermediate Range NIS Protection Functions
The intermediate range nuclear instrumentation provides the second of three overlapping steps of nuclear protection. The intermediate range nuclear instrumentation function is to provide a high neutron flux RT. The intermediate range function trips the reactor when 1-out-of-2 intermediate range channels read above the trip setpoint. The NIS is entirely independent of the PPS.
4.1.7 Existing Power Range NIS Protection Functions
The nuclear power range instrumentation provides the third overlapping step in nuclear protection. The power range nuclear instrumentation function provides high neutron flux RTs. Two trip setpoints are provided. The function of the high setpoint is to provide protection during power operation and is always active. The function of the low setpoint is to provide protection during startup. The power range function (high and low setpoints) trips the reactor when 2-out-of-4 power range channels read above the trip setpoint. The power range nuclear instrumentation also provides input to the Overtemperature and Overpower protection channels of the PPS. The NIS signal processing is entirely independent of the PPS.
4.1.8 Thermal Overtemperature and Overpower Protection Functions
The Thermal Overpower and Overtemperature Protection functions ensure fuel integrity is maintained by initiating two RTs: the thermal overpower trip (also known as overpower ΔT, OPΔT, or OPDT) and the thermal Overtemperature trip (also known as Overtemperature ΔT, OTΔT, or OTDT). These signals are generated in the PPS.
The thermal Overpower trip function is provided specifically to ensure operation within the fuel design basis. The overpower ΔT function trips the reactor when 2-out-of-4 overpower ΔT channels are above the trip setpoint.
The thermal Overtemperature trip function is provided specifically to ensure operation within the DNB design basis and to ensure operation within the hot leg boiling limit. The Overtemperature ΔT function trips the reactor when 2-out-of-4 Overtemperature ΔT channels are above the trip setpoint.
Reactor coolant temperature instrumentation also functions to generate the Tavg signal.
Permissive P-12 is enabled when 2-out-of-4 Tavg channels read below the low-low Tavg setpoint. The P-12 setpoint is set below the no-load Tavg temperature.
Permissive P-12 blocks closed all steam dump valves.
4.1.9 Pressurizer Pressure Protection Functions
The Pressurizer pressure channels perform the following protection functions:
- 2. Provide a low Pressurizer pressure RT function to limit core boiling.
- 3. Provide a low Pressurizer pressure SI System actuation for Loss of Coolant Accidents (LOCA) and Steamline break protection.
- 4. Provide PORV automatic actuation signal to prevent RCS Pressurizer overfill without challenging the Pressurizer safeties for inadvertent SI at power.
- 5. Generate Pressurizer SI Permissive P-11, which allows the operator to manually block the low Pressurizer pressure SI actuation and enable high negative Steamline pressure rate Steamline isolation actuation at low reactor coolant pressures.
The Pressurizer pressure signals are also used as an input to the OTΔT and OPΔT setpoints described above. These signals are generated in the PPS.
In addition, low temperature overpressure protection (LTOP) is provided by wide range RCS pressure measurement channels PT-403A and PT-405A, which open the Pressurizer PORVs PCV-455C and PCV-456, respectively, upon an overpressure condition while the reactor is at low temperature. This protection function is performed in the Auxiliary Safeguards Rack and is independent of the SSPS.
The high Pressurizer pressure RT works in conjunction with the Pressurizer relief valves and Pressurizer safety valves to prevent RCS over pressurization. The Pressurizer pressure function trips the reactor when 2-out-of-4 Pressurizer pressure channels read above the trip setpoint. This trip is always active.
The low Pressurizer pressure RT function limits core boiling. The Pressurizer pressure function trips the reactor when 2-out-of-4 Pressurizer pressure channels read below the trip setpoint. The low Pressurizer pressure RT is automatically blocked when Low Power Permissive P-7 is cleared. Permissive P-7 is developed as the logical "OR" of Permissive P-10 and Permissive P-13. Power Range at Power Permissive P-10 is enabled when 2-out-of-4 power range channels are above the P-10 setpoint.
Permissive P-13 is developed from 2-out-of-2 turbine impulse chamber pressure channels below the P-13 setpoint. Settings of the bistable comparators used to develop the permissives are not affected by the PPS Replacement Project.
The low Pressurizer pressure SI actuation provides protection in the event of a LOCA or Steamline break. The low Pressurizer pressure SI actuation setpoint is lower than the setpoint for low Pressurizer pressure RT discussed previously. The Pressurizer pressure function actuates SI when 2-out-of-4 Pressurizer pressure channels read below the actuation setpoint. The low Pressurizer pressure SI actuation is interlocked with Pressurizer SI Permissive P-11. The P-11 signal, generated by 2-out-of-3 Pressurizer pressure channels reading below the permissive setpoint, allows blocking of the low Pressurizer pressure SI actuation. Typically, low Pressurizer pressure SI is manually blocked during cooldown and depressurization of the RCS. The block may be manually removed for return to normal operation. The manual low Pressurizer pressure SI block is automatically removed when the Pressurizer pressure signals rise above the P-11 setpoint. Clearing of the P-11 signal also opens the accumulator isolation valves.
4.1.10 Pressurizer Level Protection Function
The high Pressurizer water level trip is provided as a back-up to the high Pressurizer pressure trip. This trip also prevents releasing water through the Pressurizer safety valves for certain transient conditions. The Pressurizer level function trips the reactor when 2-out-of-3 Pressurizer level channels are above the trip setpoint. This trip is automatically blocked when Low Power Permissive P-7 is cleared. These signals are generated in the PPS.
4.1.11 Reactor Coolant Loop Low Flow Protection Function
The primary reactor coolant loop low flow protection function is to protect the core from exceeding DNB limits during loss of reactor coolant flow by tripping the reactor. Forced reactor coolant flow would be reduced or lost following loss of power to one or more RCP, a loss of offsite power, or RCP bus underfrequency (UF). A RT is also required to ensure RCS cooling capability following an RCP locked rotor or shaft break. Since core flow decreases quickly during these transients, the Overtemperature ΔT trip does not respond fast enough to provide protection for loss of coolant flow events. These signals are generated in the PPS.
Each reactor coolant loop has three reactor coolant flow channels. Low reactor coolant flow in 2-out-of-3 channels in a loop (flow below the trip setpoint) generates a low flow signal for the loop. These low loop flow signals are interlocked with Low Power Permissive P-7 and Loss of Flow Permissive P-8. When Permissive P-7 is cleared, RT on low flow is blocked. Between Permissives P-7 and P-8 (only P-7 enabled), a RT on low flow in any one loop is blocked and the low flow function trips the reactor when 2-out-of-4 reactor coolant loops generate low flow signals. When Permissive P-8 is enabled, the low flow function trips the reactor when 1-out-of-4 reactor coolant loops generate a low flow signal.
With Low Power Permissive P-7 enabled, a RT is permitted on "low flow sensed" in any two loops. This "low flow sensed" for one loop may be in the form of the low flow signal for that loop or the RCP breaker open signal for that loop. Thus, combinations of low flow signals only, RCP breaker open signals only, or low flow signals and RCP breaker open signals may generate the RT.
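The coincidence and permissive logic of Sections 4.1.9 and 4.1.11 (loop low flow votes, "low flow sensed" with RCP breaker position, P-7 as the OR of P-10 and P-13, and the P-8 transition from two-loop to one-loop trip) can be written out as a small executable model. The following is an added illustration and is not PG&E, Westinghouse, Triconex or CSI code; the setpoints and channel readings are constructed placeholders, and P-13 and P-8 are taken as boolean inputs because their bistables are not modelled here.

```python
"""Model of the reactor coolant loop low flow trip and its permissive
interlocks (P-7, P-8, P-10, P-13) as described in Sections 4.1.9 and
4.1.11.  Added illustration only: this is not PG&E, Westinghouse,
Triconex or CSI code.  Setpoints and channel readings are constructed
placeholders; P-13 and P-8 are boolean inputs (their bistable
derivations are not modelled)."""
from dataclasses import dataclass
from typing import List, Sequence


def coincidence(values: Sequence[float], setpoint: float, needed: int,
                below: bool) -> bool:
    """m-out-of-n vote: True when at least `needed` channels are past the
    setpoint (below it when `below` is True, otherwise above it)."""
    hits = sum(1 for v in values if (v < setpoint if below else v > setpoint))
    return hits >= needed


@dataclass
class Permissives:
    power_range_pct: Sequence[float]  # four power range NIS channels, % power
    p10_setpoint: float               # P-10: 2-out-of-4 power range channels above
    p13_enabled: bool                 # Turbine Low Power Permissive P-13 (input)
    p8_enabled: bool                  # Loss of Flow Permissive P-8 (input)

    def p10(self) -> bool:
        return coincidence(self.power_range_pct, self.p10_setpoint, 2, below=False)

    def p7(self) -> bool:
        # Low Power Permissive P-7 is the logical OR of P-10 and P-13
        return self.p10() or self.p13_enabled


def loop_low_flow(flow_channels: Sequence[float], setpoint: float) -> bool:
    """Each loop has three flow channels; 2-out-of-3 below the setpoint
    generates the loop's low flow signal."""
    if len(flow_channels) != 3:
        raise ValueError("each loop has exactly three flow channels")
    return coincidence(flow_channels, setpoint, 2, below=True)


def low_flow_reactor_trip(loop_flows: Sequence[Sequence[float]],
                          flow_setpoint: float,
                          rcp_breaker_open: Sequence[bool],
                          perm: Permissives) -> bool:
    """Low flow RT decision across the four reactor coolant loops."""
    if len(loop_flows) != 4 or len(rcp_breaker_open) != 4:
        raise ValueError("four reactor coolant loops expected")
    low_flow = [loop_low_flow(f, flow_setpoint) for f in loop_flows]
    # "low flow sensed" for a loop: its low flow signal OR its RCP breaker open signal
    sensed = [lf or bo for lf, bo in zip(low_flow, rcp_breaker_open)]
    if not perm.p7():
        return False  # P-7 cleared: the low flow trip is blocked
    if perm.p8_enabled and any(low_flow):
        return True   # P-8 enabled: 1-out-of-4 loops with a low flow signal
    # P-7 enabled: low flow sensed in any two loops
    return sum(sensed) >= 2


# Constructed sample readings (placeholders, not plant values)
FLOW_SP = 90.0                     # % of nominal loop flow
NORMAL = [100.0, 99.0, 101.0]
LOW = [85.0, 84.0, 95.0]           # 2-out-of-3 channels below FLOW_SP


def scenarios() -> List[bool]:
    """Four cases: one low loop above P-8; the same loop below P-8; one low
    loop plus one open RCP breaker below P-8; all loops low with P-7 cleared."""
    at_power_p8 = Permissives([40, 42, 39, 41], 10.0, p13_enabled=False, p8_enabled=True)
    at_power = Permissives([40, 42, 39, 41], 10.0, p13_enabled=False, p8_enabled=False)
    shutdown = Permissives([5, 6, 4, 5], 10.0, p13_enabled=False, p8_enabled=False)
    no_brk = [False] * 4
    return [
        low_flow_reactor_trip([LOW, NORMAL, NORMAL, NORMAL], FLOW_SP, no_brk, at_power_p8),
        low_flow_reactor_trip([LOW, NORMAL, NORMAL, NORMAL], FLOW_SP, no_brk, at_power),
        low_flow_reactor_trip([LOW, NORMAL, NORMAL, NORMAL], FLOW_SP,
                              [False, True, False, False], at_power),
        low_flow_reactor_trip([LOW, LOW, LOW, LOW], FLOW_SP, no_brk, shutdown),
    ]


if __name__ == "__main__":
    print(scenarios())  # [True, False, True, False]
```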
4.1.12 RCP Bus Underfrequency Protection Function
The RCP bus underfrequency RT is a protective function used to protect the core from exceeding DNB limits during loss of reactor coolant flow due to a grid underfrequency condition. The low flow RT is not necessarily adequate to prevent DNBR from exceeding the limit value under these conditions except for very small rates of frequency decrease. Underfrequency on the 12 kV bus trips the reactor when 2-out-of-3 underfrequency sensors on either 12 kV bus indicate below the trip setpoint.
The underfrequency trip is interlocked with Low Power Permissive P-7 so that the trip signal is blocked when P-7 is cleared.
The 2-out-of-3 underfrequency signals on either of the two 12 kV buses are also used as a non-safety-related trip of the four RCP breakers to protect the motors if the grid frequency decreases significantly. These signals are developed outside the PPS.
4.1.13 RCP Bus UV Protection Function
The RCP bus UV protection function is to protect the core from exceeding DNB limits during loss of reactor coolant flow by tripping the reactor. This function provides protection to the core if AC power is lost to both RCP buses. The low flow RT does not respond quickly enough to provide adequate protection. UV on the 12 kV bus trips the reactor when 1-out-of-2 UV sensors on both 12 kV buses indicate below the trip setpoint. The UV trip is interlocked with Low Power Permissive P-7 so that the trip signal is blocked when Permissive P-7 is cleared. These signals are developed outside the PPS.
4.1.14 RCP Breaker Position Protection Function
The RCP breaker position protection function is provided to protect the core from exceeding DNB limits during loss of reactor coolant flow by tripping the reactor. This trip provides backup protection for the partial loss of flow accident in more than one loop, in which low flow is the primary trip, and for the total loss of flow accident in which 12 kV UV and underfrequency are the primary trips. The RCP breaker position trip was included to enhance the overall reliability of the RTS. Its function is not assumed or credited in any analysis. These signals are developed outside the PPS.
4.1.15 Seismic Acceleration RT Function
The seismic acceleration trip function provides a RT on seismic accelerometers sensing accelerations exceeding a predetermined setpoint to provide a RT due to the location of DCPP in a high seismic zone. The seismic trip is neither protective nor anticipatory; rather it is a DCPP licensing commitment. The seismic monitoring system provides digital inputs to the SSPS where the logic to generate a RT is performed. These signals are developed outside the PPS.
4.1.16 Containment Pressure Protection Functions
The containment pressure functions protect the containment building against over pressurization and minimize the release of radioactive fission products following mass and energy releases resulting from a high energy line rupture. Events that could result in a mass and energy release include various size LOCA, Steamline breaks, and Feedline breaks. Two containment pressure signals are provided. These are designated high and high-high in order of increasing containment pressure setpoint.
These signals are generated in the PPS.
The protection functions performed by the high containment pressure signal are:
- 1. SI initiation
- 2. RT on a SI signal
- 3. Containment Isolation (Phase A Actuation)
The containment pressure function trips the reactor and initiates SI when 2-out-of-3 containment pressure channels read above the high trip/actuation setpoint.
The protection functions performed by the high-high containment pressure signal are:
- 1. Steamline isolation
- 2. Containment spray actuation
- 3. Containment isolation (Phase B actuation)
The containment pressure function initiates the above actions when 2-out-of-4 containment pressure channels read above the high-high actuation setpoint.
To prevent inadvertent actuation, containment spray on either an automatic or a manual containment spray signal requires a SI signal to be present concurrently. In addition, manual containment spray actuation requires actuation of two manual switches simultaneously.
The high-high containment pressure containment spray actuation signal and containment isolation phase B actuation signal are both latched signals requiring manual reset to remove the actuation signals even if the high-high containment pressure signal has cleared. The containment spray actuation signal and the containment isolation phase B actuation signal each has its own momentary manual reset controls. The containment spray manual reset control also resets the manual containment spray actuation signal.
Each high-high containment pressure channel can be bypassed for testing by a test bypass control on that channel (refer to Section 4.3.8 of IEEE Standard 279 [99], Section 4.10 of this LAR, IEEE Standard 603 [21] compliance, and Section 4.11 of this LAR, IEEE Standard 7-4.3.2 [80] compliance). This is accomplished using manual bypass switches.
4.1.17 Steam Generator Level Protection Functions
The steam generator level protection functions prevent loss of reactor heat sink. A RT and AFW actuation, including steam generator blowdown and sample line isolation, are generated on low-low steam generator level. The steam generator level function trips the reactor and actuates AFW flow when 2-out-of-3 steam generator level channels read below the low-low trip/actuation setpoint in one or more steam generators.
The low-low steam generator level trip signals are delayed by the PPS trip time delay (TTD) functions. The TTD time interval is a direct function of reactor power level and the number of low-low steam generator level trip signals per Protection Set. The TTD is based on a low-low level in any single steam generator (S/G) below 50 percent power determined from reactor coolant ΔT. The TTD is zero when power is at 50 percent or above.
The steam generator high-high level protection function provides a turbine trip and Feedwater Isolation when 2-out-of-3 steam generator channels in any loop read above the high-high actuation setpoint. The Turbine Trip and Feedwater Isolation are designed to protect the integrity of the main steam lines, to protect the turbine from excessive moisture carryover and to protect against overfilling the steam generator, but are not required for reactor protection. The SI signal, which initiates the same two functions, is latched-in by a retentive memory circuit in the SSPS. The signal must be reset manually from the control room. The Feedwater Isolation consists of feedwater control valve and bypass control valve closure by both logic trains. Feedwater isolation valve closure is by Train A and feedwater pump trip is by Train B. When feedwater control valve and bypass control valve closure on a SI signal or high-high steam generator level (P-14) occurs coincident with RT (P-4), the valve closure signal is latched-in by a feedback signal. The only means of resetting these signals are to reset the RT breakers and to remove both the high-high steam generator level condition and the SI signal. This latched-in function serves to comply with IEEE Standard 279 [99] Section 4.16 by providing a means of ensuring completion of a protective action once initiated and requiring deliberate action on the part of the operator to return to normal operation. This function is always active.
The Feedwater Isolation valve closure (Train A) signal, feedwater pump trip (Train B) signal and the turbine trip signal that results in a RT, if power is above the Power Range at Power Permissive P-9 setpoint, are generated from the output of a retentive memory for the same input signal from steam generator high-high level or SI signal. This retentive memory provides latched-in signals for these functions. These functions can be returned to normal operation by the Feedwater Isolation Manual Reset switch in the control room. These functions are always active.
Feedwater control valve and bypass control valve closure is also initiated by low Tavg coincident with RT (P-4). This signal is latched-in by a retentive memory circuit in the SSPS. The signal must be reset manually from the control Room. The manual reset overrides this actuation signal, if present, until the actuation signal is removed.
4.1.18 Low Steamline Pressure Protection Function
This protection function actuates Steamline isolation and SI to provide protection for high energy secondary line breaks. The low Steamline pressure protection function actuates Steamline isolation and SI when 2-out-of-3 rate compensated pressure channels on any Steamline read a pressure below the low pressure setpoint. These signals are developed in the PPS.
When the Pressurizer SI Permissive (P-11) is present, the low Steamline pressure protection function may be manually blocked and is automatically reset when the Pressurizer pressure is above the P-11 setpoint. Blocking the low Steamline pressure protection function enables the high negative Steamline pressure rate protection function.
4.1.19 High Negative Steamline Pressure Rate Protection Function
This protection function actuates Steamline isolation to provide protection for Steamline break when the plant is between cold and hot shutdown conditions. The high negative Steamline pressure rate function actuates Steamline isolation when 2-out-of-3 pressure channels on any Steamline indicate a pressure rate greater than the negative pressure rate setpoint. These signals are developed in the PPS.
The high negative Steamline pressure rate Steamline isolation function is permitted when the low Steamline pressure protection function is manually blocked.
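The P-11 interlock behaviour described in Section 4.1.9 (manual block of low Pressurizer pressure SI, automatic block removal when pressure rises above the setpoint) and in Sections 4.1.18 and 4.1.19 (manual block of low Steamline pressure, which in turn enables the high negative pressure rate function) is a small state machine, modelled below as an added illustration. This is not PG&E, Westinghouse, Triconex or CSI code; the setpoint and pressures are constructed placeholders, and the automatic block removal is modelled as occurring when the 2-out-of-3 P-11 vote clears.

```python
"""Model of Pressurizer SI Permissive P-11 and the operator blocks it
governs (Sections 4.1.9, 4.1.18 and 4.1.19).  Added illustration only,
not PG&E, Westinghouse, Triconex or CSI code.  Setpoint and pressures
are constructed placeholders; automatic block removal is modelled as
occurring once the 2-out-of-3 P-11 vote clears."""
from dataclasses import dataclass, field
from typing import Dict, List, Sequence

LOW_PZR_SI = "low_pzr_pressure_si"
LOW_STEAMLINE = "low_steamline_pressure"


@dataclass
class P11Interlock:
    p11_setpoint: float
    # operator-installed blocks, one per blockable function
    blocks: Dict[str, bool] = field(
        default_factory=lambda: {LOW_PZR_SI: False, LOW_STEAMLINE: False})

    def p11(self, pzr_pressure: Sequence[float]) -> bool:
        """P-11 is present when 2-out-of-3 Pressurizer pressure channels
        read below the permissive setpoint."""
        if len(pzr_pressure) != 3:
            raise ValueError("three Pressurizer pressure channels expected")
        return sum(1 for p in pzr_pressure if p < self.p11_setpoint) >= 2

    def manual_block(self, function: str, pzr_pressure: Sequence[float]) -> bool:
        """Operator block request, honoured only while P-11 is present.
        Returns the resulting block state."""
        if function not in self.blocks:
            raise KeyError(function)
        if self.p11(pzr_pressure):
            self.blocks[function] = True
        return self.blocks[function]

    def manual_unblock(self, function: str) -> None:
        self.blocks[function] = False

    def scan(self, pzr_pressure: Sequence[float]) -> Dict[str, bool]:
        """One logic scan: blocks are removed automatically once P-11 clears
        (pressure back above the setpoint).  Returns which actuations are
        currently enabled."""
        if not self.p11(pzr_pressure):
            for k in self.blocks:
                self.blocks[k] = False
        return {
            "low_pzr_pressure_si": not self.blocks[LOW_PZR_SI],
            "low_steamline_pressure_isolation": not self.blocks[LOW_STEAMLINE],
            # the high negative rate isolation is permitted only while the
            # low Steamline pressure function is blocked
            "high_neg_steamline_rate_isolation": self.blocks[LOW_STEAMLINE],
        }


def cooldown_sequence() -> List[Dict[str, bool]]:
    """Walk through at power, depressurization, operator blocks and return to
    power, recording the enabled actuations after each step."""
    ilk = P11Interlock(p11_setpoint=1970.0)   # placeholder value, psig
    at_power = [2235.0, 2240.0, 2230.0]
    depressurized = [1800.0, 1790.0, 1995.0]  # 2-out-of-3 below the setpoint
    states = []
    # 1. At power: P-11 absent, so the block request is refused
    ilk.manual_block(LOW_PZR_SI, at_power)
    states.append(ilk.scan(at_power))
    # 2. Cooldown: P-11 present, operator blocks both functions
    ilk.manual_block(LOW_PZR_SI, depressurized)
    ilk.manual_block(LOW_STEAMLINE, depressurized)
    states.append(ilk.scan(depressurized))
    # 3. Operator removes the SI block manually while still depressurized
    ilk.manual_unblock(LOW_PZR_SI)
    states.append(ilk.scan(depressurized))
    # 4. Repressurization clears P-11 and removes the remaining block
    states.append(ilk.scan(at_power))
    return states


if __name__ == "__main__":
    for step, state in enumerate(cooldown_sequence(), 1):
        print(step, state)
```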
4.1.20 Protection Functions Associated With Steam Dump Control System
This protection function blocks steam dump on Low-Low Tavg (P-12) to prevent excessive cooldown due to steam dump control system failure. The steam dump block function is to limit the consequences of a steam dump system failure to those associated with one stuck-open valve (the worst postulated single failure).
Steam dump is blocked when P-12 is enabled by 2/4 Tavg below the P-12 setpoint. The P-12 setpoint is set below the no-load Tavg temperature. The steam dump block signal blocks air to the dump valves and vents the valve diaphragms. These signals are developed in the PPS. The P-12 setpoint is not affected by the PPS Replacement project.
The steam dump control system is a non-safety-related system. The block signals are interlocked with two independent pilot solenoid valves on each steam dump valve.
These valves are not safety-related, but are interlocked with the P-12 signal from the SSPS. Each train of SSPS sends an independent signal to one of the pilot solenoid valves.
Four of the steam dump valves are designated as cooldown condenser dump valves, and are required for plant cooldown. Two manual controls (one per train) allow blocking the P-12 Permissive for the four cooldown condenser valves. The manual block can be manually reset if desired. The block is automatically reset when Permissive P-12 is cleared.
4.1.21 Turbine Derived Protection Function
The following existing plant protection system functions are derived from the turbine:
- 1. RT on turbine trip (Developed independently of the PPS)
- 2. Turbine impulse chamber pressure input to Turbine Low Power Permissive P-13 (Developed in the PPS)
The RT on turbine trip (turbine trip-RT) protects the reactor against loss of heat sink. At power levels above the P-9 setpoint, a RT occurs when at least 2-out-of-3 turbine auto-stop trip fluid pressure signals (in either logic train A or B) are below a fixed setpoint or when all four turbine stop valves are closed. RT on turbine trip is blocked when Power Range at Power Permissive P-9 is cleared. Turbine trip also generates a non-safety-related generator unit trip. Permissive P-9 is generated by 2 of 4 power range channels above the P-9 permissive setpoint. The P-9 setpoint is not affected by the PPS Replacement Project.
Turbine impulse chamber pressure is used as an indicator of turbine load and provides input for Turbine Low Power Permissive P-13. Permissive P-13 provides input for Low Power Permissive P-7.
4.1.22 Radiation Derived Protection Function
The existing radiation derived protection function terminates containment purging and pressure equalization during power operation and during core alterations or movement of irradiated fuel within containment. The containment exhaust is monitored for radioactivity by redundant radiation monitoring channels. When either of these monitoring channels reaches its high radiation alarm setpoint, a CVI signal is initiated.
During Modes 1-4, the CVI signal is generated in the SSPS. During refueling Mode 6, when the SSPS may be de-energized, means are provided to generate the CVI signal independently of the normal SSPS power supply.
4.1.23 Manual RT
The function of the existing manual RT is to trip the reactor without using the automatic RT circuitry. Manual RT is accomplished by actuating open a normally closed contact wired in series between the SSPS output logic and the RT switchgear. This interrupts power to the trip breaker and bypass breaker undervoltage (UV) coils, resulting in a RT.
In addition, a shunt trip relay is wired in parallel for each RT breaker. This relay simultaneously actuates the shunt trip function in each trip breaker. Redundant contacts allow either of the two controls provided to initiate a RT in both trains.
The manual RT control at the control console is equipped with a momentary reset position for resetting the RT breakers. Resetting the RT breakers is not a safety-related function. The reset switch is required for reactor restart.
4.1.24 Manual SI
There are two momentary controls in the existing control room systems level manual SI initiation. Redundant contacts allow either control to initiate SI in both trains. In addition, the manual SI actuation controls actuate the same RT breaker shunt trip function as the manual RT controls discussed in the previous section.
4.1.25 Manual Steamline Isolation
Manual Steamline isolation is accomplished by closing the main steam isolation valves and all main steam isolation bypass valves using the existing individual control switches. These controls are located in the control room. This function is not a part of the PPS hardware but is implemented within the Steamline isolation and bypass valve operation function. These controls are electrically downstream of PPS initiations and are therefore functional at all times.
4.1.26 Manual Containment Isolation, Phase A
There are two existing controls in the control room for systems level containment isolation phase A. Actuating either control initiates containment isolation phase A and CVI. Redundant contacts allow either control to initiate these functions in both trains.
These controls are electrically downstream of PPS initiations and are therefore functional at all times.
4.1.27 Manual Containment Spray
The existing manual containment spray function has special functions designed to reduce the risk of inadvertent containment spray while still meeting IEEE Standard 279 [99] single failure criteria. Four momentary controls are provided in the control room.
These controls are grouped into two pairs. Manual actuation of both controls in either pair initiates CVI and containment isolation phase B only. Concurrent manual containment spray signal and an interlocking automatic or manual SI actuation signal must be present to start the containment spray pumps and open the discharge valves.
Redundant contacts allow either pair of controls to initiate these functions in both trains.
These controls are electrically downstream of PPS initiations and are therefore functional at all times.
4.1.28 AMSAC
Isolated non-safety-related steam generator narrow range level and turbine first stage pressure analog signals are provided to the existing non-safety-related AMSAC system.
The AMSAC trips the main turbine and initiates AFW flow in the event an Anticipated Transient Without Scram (ATWS) results in the loss of the secondary heat sink. The steam generator blowdown and sample lines are isolated by signals from auxiliary contacts in the motor driven AFW pump control circuits.
The AMSAC is diverse and independent from the safety-related PPS, and is not safety-related. The level and pressure signals are isolated at the front end of the Eagle 21 PPS by analog current loop isolators that are independent of Eagle 21 digital processing. The PPS replacement provides equivalent isolation as specified in the PPS replacement FRS [28], Section 3.2.
The AMSAC is initiated by steam generator water level below the AMSAC trip setpoint.
In addition to having a lower steam generator low water level setpoint than the PPS, a time delay is built into the initiating sequence to allow a RT to be initiated by the PPS before AMSAC is initiated. A main turbine load control interlock (C-20) is used to arm the AMSAC when turbine load is above a preset value. The AMSAC receives a single narrow range steam generator level signal from each steam generator (one from each of the four Protection Sets). The AMSAC initiation results when 3-out-of-4 steam generator level signals are below a predetermined setpoint. A preset time delay allows feedwater system transients to momentarily disrupt the feedwater flow without initiating the AMSAC. The AMSAC steam generator level trip setpoint is not affected by the PPS Replacement Project.
The AMSAC design is diverse from the design of the existing Eagle 21 PPS. Although both designs are based on microprocessors, each design uses a different type of microprocessor and interface bus to assure diversity and to eliminate common mode failures.
The non-safety related AMSAC input signals are isolated from the safety-related PPS measurement circuits by Instrument Class IA isolators which are part of the PPS and meet all of the Class IE requirements for isolators used for preventing control and protection system interaction. The isolators are used to prevent any electrical faults in the AMSAC from preventing the PPS from performing its safety-related functions.
The AMSAC output signals are isolated from the actuated devices by output relays which are classified Instrument Class IA. The output relays provide isolation between the safety-related control circuits actuated by the AMSAC and the non-safety-related AMSAC.
The AMSAC is diverse from the PPS replacement in terms of manufacturers, equipment design and software. The AMSAC was manufactured by Westinghouse using the now-obsolete Intel 8086 processor family. The Tricon portion of the PPS replacement is manufactured by Triconex using Motorola processors and entirely different architecture and programming. The ALS portion of the PPS replacement is manufactured by CSI using FPGA architecture and technology and does not utilize a microprocessor. With the AMSAC input signals isolated prior to any digital processing by Tricon or ALS PPS components, the AMSAC continues to satisfy the requirements of 10 CFR 50.62 regarding diversity from the protection system from sensor to actuated devices.
4.2 DCPP PPS Replacement Description
The PPS Replacement Project replaces in its entirety the Westinghouse Eagle 21 PPS hardware currently housed in PPS Racks 1 - 16 as illustrated in the shaded portion of Figure 4-3 (corresponding to the shaded portion of Figure 4-1). Equipment in the unshaded portion of Figure 4-3 is not being replaced or modified by this project.
PPS replacement functions are implemented in the same four (4) redundant Protection Sets shown in the shaded portion of Figure 4-3 as the existing Eagle 21 PPS. Each Protection Set uses a software-based Triconex Tricon processor described in Tricon V10 Topical Report Submittal [13] to mitigate events where the previously approved DCPP Eagle 21 PPS Replacement D3 Analysis [6] determined that existing diverse and independent automatic mitigating functions are available to mitigate the effects of postulated CCF concurrent with FSAR [26] Chapter 15 events. For the events where the DCPP PPS Replacement Diversity and Defense in Depth Analysis [6] determined that additional diversity measures were necessary to preclude manual mitigative action, automatic protective functions are performed in the diverse safety-related CSI ALS described in the ALS Topical Report Submittal [15] shown in the shaded portion of Figure 4-3. The PPS Replacement D3 strategy is described in Section 4.7 of this LAR.
Figure 4-4 illustrates a typical allocation of the automatic protection functions described in the previous section between the Tricon and the ALS in each of the four (4) redundant Protection Sets illustrated in the shaded portion of Figure 4-3. Automatic protective functions identified in Table 4-2 are generated in a software-based Triconex Tricon processor. Automatic protective functions identified in Table 4-3 are generated in a diverse Class 1E CSI ALS to preclude manual action that would otherwise be required to mitigate events that occur with a concurrent CCF of the PPS. Table 4-4 lists the diverse protection functions not affected by the PPS replacement.
Figure 4-4 also illustrates the equipment outside the shaded portion of Figure 4-3 that is not affected by the Eagle 21 PPS Replacement Project. The PPS Replacement Project does not make any changes to the SSPS.
Figure 4-4 Typical Replacement Protection Set
(Figure not reproduced in this text. It shows, for a typical Protection Set, the analog inputs and bistable outputs of the Tricon and of the ALS, and the diverse systems not affected by the PPS replacement. Tricon bistable outputs to the existing SSPS: Overpower Delta T RT, Overtemperature Delta T RT, Steam Generator Level High-High P14 ESF, Steamline Pressure-Low ESF, Steamline Pressure Rate-High ESF, PZR Level-High RT, Steam Generator Level Low-Low RT, Low Turbine Power P13. Bistable outputs to Auxiliary Safeguards: Cold Leg Temp-Low (LTOPS), WR RCS Pressure-High (LTOPS), WR RCS Pressure-Low (RHR Interlock), WR RCS Pressure-High (PORV). ALS bistable outputs to the existing SSPS: PZR Pressure-High RT, PZR Pressure-Low RT, PZR Pressure Low-Low ESF, PZR Pressure-Low P11 ESF Block, RCS Flow-Low RT, Containment Pressure-High ESF, Containment Pressure High-High ESF. ALS 4-20 mA temperature outputs to the Tricon: Pressurizer Vapor Space Temp, RCS Narrow Range Temperatures, RCS Wide Range Temperatures. Diverse systems not subject to CCF and not affected by the PPS replacement: existing Nuclear Instrumentation (NIS) (Source Range Flux-High, Intermediate Range Flux-High, Power Range Flux-High, Power Range Flux Pos Rate-High, Power Range Flux Neg Rate-High, Permissives P6, P7, P8, P9), existing Class II contacts (RCP Breaker Open, RCP Breaker Bus UF/UV, Turbine Auto Stop Oil Pressure Low, Turbine Stop Valves Closed), existing Turbine Trip, and existing AMSAC AFW Initiation.)
Table 4-2 Process Variable Inputs to Tricon for RTS/ESFAS Functions

Process Variable                Protection Functions
Pressurizer (PZR) Level         Pressurizer High-Level RT
RCS Narrow-Range Temperature    Input to Overtemperature Delta T (OTDT) RT
                                Input to Overpower Delta T (OPDT) RT
                                Input to Steam Generator Low-Low Level TTD
Steam Generator Level           Steam Generator Low-Low Level RT
                                Hi-Hi Level Feedwater Isolation
                                Hi-Hi Level Turbine Trip
                                Hi-Hi Level MFW Pump Trip
                                Low-Low Level AFW Actuation; process sense performed by PPS. AMSAC utilizes independently isolated level signals and independent turbine impulse pressure channels to provide a diverse AFW initiation function
Steam Line Pressure             High-Negative Pressure Rate SLI
                                Low-Pressure SI
                                Low-Pressure SLI
Turbine Impulse Pressure        Permissive 13 (P-13) Low Turbine Power Permissive (input to P-7 Low Power RT Permissive)

Table 4-3 Process Variable Inputs to ALS for RTS/ESFAS Functions

Process Variable                Protection Functions
Pressurizer Pressure            Pressurizer Low-Low Pressure SI
                                Pressurizer SI Permissive (P-11)
                                Pressurizer High-Pressure RT
                                Pressurizer Low-Pressure RT
                                Input to OTDT RT
Containment Pressure            High Pressure SI
                                High Pressure (Phase A) Containment Isolation
                                High Pressure (Phase B) Containment Isolation
                                High-High Pressure Containment Spray
RCS Flow                        RCS Low-Flow RT

Table 4-4 Diverse Protection Functions Not Affected by PPS Replacement

Process Variable                Protection Functions
Neutron Flux                    Power-Range High-Flux (Low Setting) RT
                                Power-Range High-Flux (High Setting) RT
                                Power-Range Positive Flux Rate RT
                                Power Range Flux Control Rod Stop
                                Intermediate-Range High-Flux RT
                                Source-Range High-Flux RT
                                Input to OTDT RT (from Power Range)
AMSAC (Steam Generator Low Level)   Turbine Trip Above Control Interlock 20 (C-20) Permissive
Main Turbine Stop Valve Position;   Turbine Trip/RT Above Power Range Permissive P-9
Turbine Auto Stop Oil Pressure Low
RCP Bus UV                      RT
RCP Bus Underfrequency          RT
RCP Circuit Breaker Open        RT
4.2.1 Processor Subsystems (Platforms)
PPS replacement architecture components are discussed in this document as follows:
Table 4-5 Platform Cross-Reference

PPS Architecture Component                                LAR Section(s)
FPGA-Based ALS Platform                                   4.2.1.2
ALS Processors                                            4.2.2.2
ALS Input/Output (I/O) Boards                             4.2.3.2 Input; 4.2.3.3 Output
ALS Power Supplies                                        4.2.7.2 Chassis Power Supplies; 4.2.7.3 I/O Power Supplies; 4.2.7.5 I/O Power Supplies
ALS Communications Modules                                4.2.4.3
Tricon Platform (Main Chassis, Expansion Chassis,         4.2.1.1
  External Termination Assembly (ETA))
Tricon Processors                                         4.2.2.1
Tricon I/O Boards                                         4.2.3.1
Tricon Power Supplies                                     4.2.7.1 Chassis Power Supplies; 4.2.7.3 Analog Inputs; 4.2.7.4 I/O Power Supplies
TCMs                                                      4.2.4.1 (TCM - external systems); 4.2.4.2 (Remote Expander Module (RXM) - interchassis)
MWS                                                       4.2.9
Port Aggregator Network Tap and Media Converters          4.2.13

Figure 4-5 illustrates the typical functional architecture for a single Eagle 21 replacement Protection Set.
Figure 4-6 expands the shaded portion of Figure 4-3 to illustrate the relationship among the Protection Sets and interfacing systems.
4.2.1.1 Triconex Tricon-Based PPS Equipment
The Tricon is triple redundant from input terminal to output terminal, as shown in Figure 4-7. The TMR architecture allows continued system operation in the presence of any single point of failure within the system. The TMR architecture also allows the Tricon to detect and correct individual faults on-line, without interruption of monitoring, control, and protection capabilities. In the presence of a fault, the Tricon alarms the condition, removes the affected portion of the faulted module from operation, and continues to function normally in a dual redundant mode. The system returns to the fully triple redundant mode of operation when the affected module is replaced.
Figure 4-7 shows the arrangement of the Tricon input, Main Processor, and output modules. As shown, each input and output module includes three separate and independent input or output circuits or legs. These legs communicate independently with the three Main Processor modules. Standard firmware is resident on the Main Processor modules for all three microprocessors as well as on the input and output modules and communication modules, which are not shown in Figure 4-7, but are described in subsequent sections.
Figure 4-7 Tricon Triple Modular Redundant Architecture
(Figure not reproduced in this text; it shows Input Legs A, B and C, the I/O Bus, the three Main Processors linked by the TriBus, and the input and output terminations.)
The main components of a Tricon system are the chassis, the termination panels, the power supply modules, and the Main Processor, input/output (I/O), and communication modules. Functional requirements for this hardware are specified in Section 4.3 of EPRI TR-107330 [122]. A brief description of this hardware is provided below.
1. Main Chassis
A Tricon system consists of one main chassis and up to fourteen additional expansion chassis. The Tricon main chassis supports the following modules:
- Two redundant power supply modules
- Three Main Processors
- Communications modules
- I/O modules
The main chassis has a key switch that sets the system operating mode:
- RUN - Normal operation with read-only capability by externally connected systems, including TriStation. Normally, the switch is set to this position and the key is removed and stored in a secure location.
- PROGRAM - Allows control of the Tricon system from an externally connected personal computer running the TriStation software, including application program downloads.
- STOP - Stops application program execution.
- REMOTE - Allows writes to application program variables by a TriStation personal computer or by MODBUS masters and external hosts.
The STOP function is disabled in the application software configuration to prevent inadvertent application program halt [Triconex Application Guide [13] Appendix B, page 13].
The Tricon keyswitch will be in the RUN position when the Tricon is performing safety related functions and is not bypassed or manually tripped. If the Tricon main chassis keyswitch is not in the RUN position, an alarm is initiated on the control room Main Annunciator System (MAS) and the Tricon is considered inoperable [Triconex Application Guide [13] Appendix B, page 31].
Safety-related operation in REMOTE mode is permitted [Triconex Application Guide [13] Appendix B, page 31]. This mode will not be used in the PPS replacement.
The Tricon normally does not contain any disabled points unless there is a specific reason for disabling them, such as testing. To disable points, the Tricon keyswitch must be in PROGRAM mode rather than RUN or REMOTE mode. If the system does contain one or more disabled variables, an alarm on the Control Room MAS will be activated to indicate that disabled points are present [Triconex Application Guide [13] Appendix B, page 52]. Disabling points for any reason will be under administrative control using an approved procedure.
A TriStation 1131 personal computer may be connected to an online Tricon with the keyswitch in the RUN position. In this mode, the TriStation cannot affect the program or variables and cannot pause or halt the application program. The TriStation 1131 also includes password security features to lessen the chance of unauthorized access. For these reasons, there are no restrictions on connecting a TriStation personal computer to a Tricon [Triconex Application Guide [13] Appendix B, page 64].
The Tricon backplane is designed with dual independent power rails. Both power rails feed each of the three legs on each I/O module and each Main Processor module residing within the chassis. Power to each of the three legs is independently provided through dual voltage regulators on each module. Each power rail is fed from one of the two power supply modules residing in the chassis. Under normal circumstances, each of the three legs on each I/O module and each Main Processor module draws power from both power supplies through the dual power rails and the dual power regulators. If one of the power supplies or its supporting power line fails, the other power supply increases its power output to support the requirements of all modules in the chassis.
The Tricon has dual redundant batteries located on the main chassis backplane. If a total power failure occurs, these batteries maintain data and programs on the Main Processor modules for a period of six months. The system generates an alarm when the battery power is too low to support the system.
2. Expansion Chassis
An Expansion Chassis is connected to the Main Chassis via three separate RS-485 data links, one for each of the three I/O legs. The RXMs discussed in Section 4.2.4.2 are installed in the expansion chassis; therefore, three separate RS-485 data links are required for the three communication busses between the Primary RXM and the Remote RXM. The Tricon expansion chassis supports the following modules:
- Two redundant power supply modules
- Communications modules
- I/O modules
3. ETA
The ETAs are printed circuit board panels used for landing field wiring. The panels contain terminal blocks, resistors, fuses, and blown fuse indicators. The standard panels are configured for specific applications (e.g. digital input, analog input, etc.). Each termination panel includes an interface cable that connects the termination panel to the Tricon chassis backplane.
The Main Processor, I/O boards, power supply modules and communication modules are discussed in subsequent sections. Additional detail regarding Triconex components can be found in Section 2.1 of the Tricon Version 10 PLC topical report submittal to NRC [13].
In October 2000, Triconex issued a topical report [8] to NRC as the basis for generic qualification of the Tricon PLC system for safety-related application in nuclear power plants.
This document was also submitted to NRC by EPRI as a technical report entitled, "Generic Qualification of the Triconex Corporation Tricon Triple Modular Redundant Programmable Logic Controller System for Safety-Related Application in Nuclear Power Plants," document number 1000799, dated November 2000 [8].
By letter dated March 20, 2001, Triconex amended its original qualification summary report by submitting Topical Report 7286-546, "Amendment 1 to Qualification Summary Report," Revision 0, dated March 19, 2001 (Agencywide Documents Access and Management System (ADAMS) Accession Number ML010810143) [9]. This amendment requested that NRC review and approve an update of the Triconex PLC from Version 9.3.1 to Version 9.5.3.
By letter dated June 26, 2001, Triconex again revised its qualification summary report by submitting Topical Report 7286-546, "Amendment 1 to Qualification Summary Report," Revision 1, dated June 25, 2001 (ADAMS Accession Number ML011790327) [10].
Based on these submittals, NRC issued a SER [11] for the platform on December 11, 2001 documenting staff findings that the platform possesses acceptable hardware and operating system software quality to be applied in safety-related RTS and ESFAS applications in nuclear power plants.
In September 2009, Triconex submitted a Topical Report [12] updated for the Version 10 Tricon and to address current regulatory issues. On December 20, 2010, IOM submitted Revision 4 of the Tricon Version 10 PLC topical report to NRC [13] as the basis for generic qualification of the system for safety-related application in nuclear power plants.
4.2.1.2 FPGA-Based ALS Platform
The diverse ALS portion of the PPS replacement (Figure 4-8) utilizes FPGA hardware logic rather than a microprocessor and therefore has no software component required for operation of the system. The built-in diversity of the ALS subsystem [16] ensures that the PPS replacement will perform the required safety functions automatically in the presence of a postulated CCF, without an adverse impact on the operator's ability to diagnose the event or perform previously credited manual actuation activities.
Figure 4-8 does not illustrate the proprietary internal architecture of the ALS portion of the PPS replacement. Refer to the ALS Diversity Analysis [16] and Section 2 of the ALS System Design Specification [19] as well as Section 4.7 of this LAR for description of the internal ALS architecture including diversity aspects and interfaces.
The ALS platform is designed as a universal safety system platform. The ALS provides advanced diagnostics and testability functions which improve the ability of plant I&C personnel to perform surveillance testing as well as diagnose failures should they occur.
System integrity is greatly improved over existing systems by eliminating single point vulnerabilities while adding the capability to identify and address any failure within the system without causing a plant transient.
A typical safety application implemented using the ALS platform is comprised of one or more ALS chassis, and peripheral equipment consisting of Cabinets, Power Supplies, Control Panels, Assembly Panels and ASU. The Assembly Panels incorporate field terminal blocks, fuse holders, switches, and other application specific hardware. The ALS chassis is an industry standard 19" chassis. The ALS chassis contains ALS core logic, and I/O cards that are a CSI proprietary design.
Figure 4-8 Generic ALS FPGA Architecture
Table 4-3 identifies the PPS functions that are performed automatically by the ALS subsystem.
The ALS design practices and methodologies were first accepted by NRC in their review and approval of the much simpler Wolf Creek Main Steam and Feedwater Isolation System (MSFIS) [14]. However, the MSFIS safety evaluation [14] states that it is a unique application, and that future ALS applications, such as an RPS or ESFAS that receives input signals and makes trip decisions, may require additional design diversity. The PPS replacement receives input signals and makes trip decisions.
Therefore, the proposed PPS Replacement Project provides additional design diversity, appropriate to its complexity, as discussed in Section 4.7, and in the ALS Diversity Analysis [16].
By letter dated August 13, 2010, CSI submitted the ALS Topical Report Submittal [15] and supporting documentation, which describes generic qualification of the ALS for safety-related applications in nuclear power plants, for NRC approval.
The ALS Topical Report Submittal [15] and supporting documentation are currently being reviewed by NRC Staff. Therefore, this platform is referenced as a Tier 3 digital platform for application to the DCPP Eagle 21 PPS Replacement LAR and its approval is a prerequisite for NRC approval of this LAR.
4.2.2 Safety Function Processors
4.2.2.1 Triconex Main Processors
The Tricon subsystem of the PPS replacement utilizes three safety-related Model 3008N Main Processor modules to control the three separate legs of the system shown in Figure 4-7. Each Main Processor module operates independently with no shared clocks, power regulators, or circuitry. Each module owns and controls one of the three signal processing legs in the system, and each contains two 32-bit processors. One of the 32-bit processors is a dedicated, leg-specific I/O and communication (IOCCOM) microprocessor that processes all communication with the system I/O modules and communication modules. The processors operate asynchronously, sharing information by means of dual-ported memory that is dedicated exclusively to this exchange of information. Communications are discussed further in Section 4.8.
The second 32-bit primary processor manages execution of the control program and all system diagnostics at the Main Processor module level. Between the primary processors is a dedicated dual port random access memory (DPRAM) allowing for direct memory access data exchanges.
The dual microprocessor architecture structure described above thus complies with Position 4 of DI&C ISG-04 [2] by executing the communications process separately from the processor that executes the safety function, so that communications errors and malfunctions will not interfere with the execution of the safety function.
Specific Tricon Main Processor and System Bus PPS Replacement Project compliance with ISG-04 [2] is addressed in Sections 3.1 and 5.0 of the Triconex DCPP PPS ISG-04 Conformance Report [25].
The operating system, run-time library, and fault analysis for the Main Processor are fully contained in flash memory on each module. The Main Processors communicate with one another through the TriBUS, a proprietary, high speed, voting, bi-directional serial channel. Each Main Processor has an I/O channel for communicating with one of the three legs of each I/O module. Each Main Processor has an independent clock circuit and selection mechanism that enables all three Main Processors to synchronize their operations each scan to allow voting of data and exchange of diagnostic information.
Technical details regarding the Tricon Main Processor modules, including discussion of Control and IOCCOM processor architecture, communications, speed, internal memories, word width, and bus interface are provided in Section 2.1.2.6 of Tricon V10 Topical Report Submittal [13].
4.2.2.2 ALS Core Logic Boards
The ALS-102 Core Logic Board (CLB) is the primary decision making board in the ALS FPGA system, and contains all the application specific logic circuits that define and control the operation of a given system. The ALS-102 is based on a generic ALS board that is configured with application specific logic. The ALS-102: (1) controls all sequencing within the ALS system; (2) issues requests to input boards to provide field input information as required; (3) makes decisions based on received inputs; and (4) commands the output boards to drive a specific output state to the field devices, without using a microprocessor. The Design Specification for the ALS-102 is provided in [94].
A portion of the FPGA logic in the ALS-102 is customized by CSI for the PPS replacement application based on the DCPP Conceptual Design Document (CDD) [27], FRS [28], Interface Requirements Specification (IRS) [29] and Controller Transfer Function Requirements Specification [120]. These documents specify the overall functionality requirements of the PPS replacement. From this design input, CSI develops the application-specific ALS-102 FPGA Requirements Specification [20], and from this specification CSI creates the detailed application specific logic specification for the ALS-102.
The CSI FPGA design process is described in Section 4.5 of this LAR.
4.2.3 I/O Modules
4.2.3.1 Triconex I/O Modules
As shown in Figure 4-7, Tricon TMR input modules contain three separate, independent processing systems, referred to as legs, for signal processing (Input Legs A, B, and C).
The legs receive signals from common field input termination points. The microprocessor in each leg continually polls the input points, and constantly updates a private input data table in each leg's local memory. Signal conditioning, isolation, or processing required for each leg is also performed independently. The I/O modules provide three complete signal paths, one in each leg, for all boards used in the PPS replacement, except the Enhanced Relay Output (ERO) Module 3636T, which is simplex (one signal processing path per channel), thus providing data isolation and independence so that a component failure in one leg does not affect the signal processing in the other two legs. The ERO module provides discrete outputs to non-safety-related systems such as the MAS, hence loss of the single leg does not affect a safety function and TMR capability is not required.
Input data is sampled, conditioned, and sent to the main processors. Each main processor communicates via an individual I/O bus with one of the triplicated microprocessors on each I/O module. In each main processor, the I/O bus microprocessor reads the data and provides it to the main processor through a DPRAM interface. For analog inputs, the three values of each point are compared, and the middle ("median") value is selected. The median selection process functions continuously without dead band or hysteresis. The control algorithm is invoked only on known good data. All input modules include self-diagnostic functions designed to detect single failures within the module.
After the main processors complete the control algorithm, data is sent to the output modules. Outputs from the main processors are provided to the I/O bus microprocessors through DPRAM. The use of DPRAM allows separation of the control and communications functions of the Main Processor to comply with Position 4 of DI&C ISG-04 [2]. The I/O bus microprocessors transfer that data to the triplicated microprocessors on the output modules. The output modules set the output hardware appropriately on each of the triplicated sections and vote on the appropriate state and/or verify correct operation. Discrete outputs use a unique, patented, power output voter circuit. This voter circuitry is based on parallel-series paths that pass power if the driver for legs A and B, or legs B and C, or legs A and C command them to close (i.e. 2-out-of-3 vote). Analog outputs use a switching arrangement tying the three legs of digital to analog converters to a single point. All output modules include self-diagnostic functions designed to detect single failures within the module.
The Triconex I/O modules listed in Table 4-6, voting processes, and fault detection processes are described in Section 2.1.2.7 of the Tricon V10 Topical Report Submittal [13].
The following Triconex I/O Module types are used in the PPS replacement and are described in Reference 2.5.30 of the Tricon V10 Topical Report Submittal [13].
Table 4-6 Triconex I/O Modules

Module Type      Model No.   Module Type/Description
Analog Input     3703EN      Enhanced Analog Input Module, Isolated
                             Next Generation Analog Input Module, 5 V Direct Current (DC)
Analog Output    3805HN      Analog Output Module, 4-20 mA
                 3805E       Analog Output Module, 4-20 mA
Digital Input    3501TN2     Enhanced Digital Input Module, 115 V AC/DC
                 3503EN2     Enhanced Digital Input Module, 24 V AC/DC
Digital Output   3601TN      Enhanced Digital Output Module, 115 V AC
                 3601E       Enhanced Digital Output Module, 115 V AC/DC
Relay Output     3636T       Enhanced Relay Output Module, N.O., Simplex

4.2.3.2 ALS Input Modules
The ALS Input Boards perform sensor sampling, signal conditioning, filtering and analog-to-digital conversion of field input signals. Input Boards perform specific input functions, such as 24 V or 48 V digital contact sensing, 4-20 mA analog inputs, 0-10 V analog inputs, resistance temperature detector (RTD) inputs, or thermocouple (TC) inputs.
The ALS input boards provide self-test capability that continuously verifies vital components within the channel are operational. Isolation between the channels and the ALS logic is maintained by utilizing galvanic isolators. The input channels are protected against electrostatic discharge (ESD) and surge voltages using transient voltage suppressors (TVS). Opto-isolator circuits are designed to maximize the life expectancy of the device. The input boards provide front panel light-emitting diode (LED) indicators which show the status of a particular input signal. Generally, all input channels are galvanically isolated from the ALS logic and the barriers can withstand more than 1500 Vrms difference between the field domain and the digital domain.
ALS Input Board scaling, range and calibration are configured during the system level design for the PPS replacement application.
The ALS Input Boards used in the PPS replacement are listed in Table 4-7 and described in Section 2.2 of the ALS Topical Report Submittal [15]. The design specifications listed in Table 4-7 describe input board fault detection, configuration and data validation processes.
4.2.3.3 ALS Output Modules
The ALS Output Boards provide signals to control field devices such as actuators, indicators, and relays. The ALS output boards used in the PPS replacement are listed in Table 4-7 and described in Section 2.2 of the ALS Topical Report Submittal [15].
The output channels on the ALS output boards are based on isolated solid-state devices, similar to the input channels. Output channels include self-test capability and other specialized test functions to ensure the channel is operational. The output channels are protected against ESD and surge voltages. The output boards provide front panel LED indicators that show the status of a specific output.
All output boards have galvanic isolation between the channels and the ALS logic, and can withstand a minimum of 1500 Vrms. Depending on the board type, the output boards can have individually isolated channels, or they can be located on a common isolation domain.
Digital output channels in the PPS replacement are configured in the Output Board non-volatile RAM to drive the output to a predefined state in case of board failure or lack of communication with the ALS-102. These predefined states are Open, Closed or As Is. The predefined states are determined as part of the system level design of the PPS replacement application.
The output modules, fault detection, configuration and data validation processes are described in Section 2.2 of the ALS Topical Report Submittal [15]. The design specifications listed in Table 4-7 describe output board fault detection, configuration and data validation processes.
Table 4-7 ALS I/O Modules

Type      Description             Function                            Design Specification
ALS-302   Digital Input Board     32 Channel 48 V DC Contact Input    6002-30202 [106]
ALS-311   Analog Input Board      8 Channel RTD/TC Input              6002-31102 [107]
ALS-321   Analog Input Board      8 Channel Voltage/Current Input     6002-32102 [108]
ALS-402   Digital Output Board    16 Channel Contact Output           6002-40202 [109]
ALS-421   Analog Output Board     8 Channel Voltage/Current Output    6002-42102 [110]
4.2.4 Communications Modules or Means
4.2.4.1 Triconex Communications Modules
The TCMs have three separate communication busses and three separate communication bus interfaces, one for each of the three main processors. The three communication bus interfaces are merged into a single microprocessor. That microprocessor votes on the communications messages from the three main processors and transfers only one of them to an attached device or external system. If two-way communications are enabled, messages received from the attached device are triplicated and provided to the three main processors.
The communication paths to external systems utilize Cyclic Redundancy Checks (CRC), handshaking, and other protocol-based functions to ensure data communication integrity. These functions are supported in hardware and firmware. Firmware provides core functionality common to all the communication modules with additional coding to support the specific communication protocol.
The TCM allows the Tricon to communicate with other Tricons and with external hosts over fiber optic networks. The TCM provides two fiber optic port connectors labeled Net 1 and Net 2, which support Peer-to-Peer (P2P), time synchronization, and open networking to external systems. In addition, the TCM contains four serial ports allowing the Tricon to communicate with Modbus master and slaves.
Reference 2.5.35 [24] in the Tricon V10 Topical Report Submittal [13] describes the Tricon V10 conformance to ISG-04 [2]. The TCM handles all communications with external devices, and it has been qualified under the IOM Appendix B program for nuclear applications. Upon total loss of all TCMs, the main processors continue to function.
Specific PPS Replacement Project TCM compliance with ISG-04 is addressed in Section 4.1 and 5.0 of the Triconex DCPP PPS ISG-04 Conformance Report [25].
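The integrity checks the text describes for these links (CRC plus protocol-level checks on the TCM paths, and the transmit-only, no-handshake ALS-102 TxB channels of Section 4.2.4.3) can be illustrated with a small receiver. The following is an added example written for this page; it is not Triconex, CSI or PG&E code, and the frame layout (magic byte, sequence number, length, payload, CRC-16/CCITT-FALSE), the sample payloads and the `OneWayReceiver` class are assumptions chosen for illustration. The point it makes is the one a one-way link imposes: the receiver can validate and discard, and can count gaps, but it can never request a retransmission.

```python
"""Added example (not PG&E, Triconex or CSI code): CRC-protected frames on a
one-way protection-system data link.

Assumed frame layout (not from the LAR):
    magic(1) | seq(1) | len(1) | payload(len) | crc16(2, big-endian)
CRC is CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF, no reflection)."""

import struct

MAGIC = 0xA5  # assumed start-of-frame marker


def crc16_ccitt(data: bytes, crc: int = 0xFFFF) -> int:
    """Bitwise CRC-16/CCITT-FALSE. Check value for b"123456789" is 0x29B1."""
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            if crc & 0x8000:
                crc = ((crc << 1) ^ 0x1021) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
    return crc


def build_frame(seq: int, payload: bytes) -> bytes:
    """Transmitter side: header + payload, CRC computed over everything before it."""
    if len(payload) > 255:
        raise ValueError("payload too long for 1-byte length field")
    body = bytes([MAGIC, seq & 0xFF, len(payload)]) + payload
    return body + struct.pack(">H", crc16_ccitt(body))


class OneWayReceiver:
    """Receiver for a transmit-only channel: validates each frame, drops bad
    ones, and tracks sequence gaps. There is no transmit path, so nothing here
    acknowledges, NAKs or requests a resend; the sender never learns of a drop."""

    def __init__(self):
        self.last_seq = None   # sequence number of the last accepted frame
        self.accepted = 0
        self.rejected = 0      # malformed or CRC-failed frames
        self.gaps = 0          # accepted frames whose seq was not last+1

    def receive(self, frame: bytes):
        """Return the payload if the frame is valid, else None."""
        if len(frame) < 5 or frame[0] != MAGIC:
            self.rejected += 1
            return None
        length = frame[2]
        if len(frame) != 3 + length + 2:
            self.rejected += 1
            return None
        body = frame[:-2]
        crc = struct.unpack(">H", frame[-2:])[0]
        if crc16_ccitt(body) != crc:       # any single bit error lands here
            self.rejected += 1
            return None
        seq = frame[1]
        if self.last_seq is not None and seq != (self.last_seq + 1) & 0xFF:
            self.gaps += 1                 # a frame was lost; cannot be recovered
        self.last_seq = seq
        self.accepted += 1
        return body[3:]


def demo():
    """Constructed traffic: four frames, one corrupted in flight, one lost.
    Returns (accepted, rejected, gaps)."""
    rx = OneWayReceiver()
    # Constructed payloads: two bytes standing in for packed bistable states.
    frames = [build_frame(i, bytes([0b1011, i])) for i in range(4)]
    corrupted = bytearray(frames[1])
    corrupted[3] ^= 0x01               # single bit flipped in the payload
    rx.receive(frames[0])              # accepted
    rx.receive(bytes(corrupted))       # CRC mismatch: rejected
    rx.receive(frames[3])              # seq 3 after seq 0: accepted, gap counted
    return rx.accepted, rx.rejected, rx.gaps


if __name__ == "__main__":
    print(demo())
```

Because the channel is one-way, the gap counter and rejection counter are the only evidence the receiving side has of loss or corruption; in a plant setting that is what an MWS or PPC would alarm on, while the safety-related transmitter is unaffected by anything the receiver does.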
4.2.4.2 Triconex RXMs
The RXMs are single-mode fiber optic modules that allow expansion chassis to be located several kilometers away from the main chassis. An RXM connection consists of three identical modules, serving as repeaters/extenders of the Tricon I/O bus, which also provide ground loop isolation. Refer to Figure 4-5.
Each RXM module has single channel transmit and receive cabling ports. Each of the three primary RXM modules is connected to the remote RXM modules housed in the remote chassis. Each pair of RXM modules is connected with two fiber optic cables operating at a communication rate of 375 kBaud. The interfacing cabling is unidirectional for each channel. One cable carries data transmitted from the primary RXM to the remote RXM. The second cable carries data received by the primary RXM from the remote RXM. The RXM modules provide immunity against electrostatic and electromagnetic interference. Since the RXM modules are connected with fiber optic cables, they may be used as 1E-to-non-1E isolators between a safety-related main chassis and a non-safety-related expansion chassis. This isolation capability is utilized in the PPS Replacement Project for one-way non-safety-related outputs to external systems such as the MAS.
The RXMs are described in Section 2.1.2.3 of the Tricon V10 Topical Report Submittal [13].
Specific PPS replacement Remote RXM compliance with ISG-04 [2] is addressed in Sections 4.2 and 5.0 of the Triconex DCPP PPS ISG-04 Conformance Report [25].
4.2.4.3 ALS Communications Modules The PPS replacement application does not utilize the ALS-601 Communications Board described in the ALS Topical Report Submittal [15]. Two (2) independent, dedicated, serial, transmit-only (no handshake) EIA-422 communication channels (TxB1 and TxB2) provided by the ALS-102 provide information to external systems [Figure 4-6]. The ALS-102 transmits application specific input and output states and values continuously to the MWS (which performs the function of the ASU) via the one-way RS-422 communication channel TxB2 on the ALS-102. The second, one-way RS-422 communication channel TxB1 on the ALS-102 transmits application specific input and output states and values continuously to the non-safety PPC.
4.2.5 Voters The PPS monitors plant parameters, compares them against setpoints and provides signals to the SSPS if operating limits are exceeded. The SSPS evaluates the signals and performs coincident logic functions at the RTS and ESFAS levels to mitigate the event that is in progress. This voting takes place among the four Protection Sets and is outside the scope of the PPS replacement, because the SSPS is not being replaced by this change.
The PPS subsystems also perform internal voting functions, as described below.
4.2.5.1 Triconex Voting At the beginning of each scan, each main processor within a given Protection Set takes a snapshot of the input data table in DPRAM, and transmits the snapshots to the other main processor modules over the TriBUS described in Section 4.2.2.1. Each processor module independently forms a voted input table based on respective input data points across the three snapshot data tables. If a main processor module receives corrupted data or loses communication with one of the other two processors in the same Protection Set, the local table representing that respective leg data defaults to the de-energized state. The voting scheme is designed for de-energize to trip applications, always defaulting to the de-energized state unless voted otherwise.
For digital inputs, the voted input table is formed by a 2-out-of-3 majority vote on respective inputs across the three data tables for each main processor within the same Protection Set. As above, the voting scheme is designed for de-energize to trip applications, and defaults to the de-energized state unless voted otherwise. Any single leg failure or corrupted signal feeding a main processor module is corrected or compensated at the main processor module level when the voted data table is formed.
For analog inputs, a mid-value selection algorithm chooses an analog input signal representation in the voted input table. The algorithm selects the median of the three signal values representing a particular input point for representation in the voted input tables. The median selection process takes place continuously and does not require configuration of dead band or hysteresis for operation. Any single leg failure or corrupted signal feeding a main processor module is compensated for at the main processor module level when the voted data table is formed. Significant errors between legs are alarmed. Refer to Section 2.1.2.6 of the Tricon V10 Topical Report Submittal [13] for additional information.
The main processors then execute the application program in parallel on the voted input table data and produce an output table of values in DPRAM. The voting schemes explained above for analog and digital input data ensure that the process control programs are executed on the same input data value representations. The IOCCOM processors generate output tables, each corresponding to an individual output module in the system. Each output table is transmitted to the appropriate leg of the corresponding output module over the I/O data bus.
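The following is an added, simplified model of the input voting described in Section 4.2.5.1; it is written for this page and is not Triconex code. It assumes that each leg's snapshot of the DPRAM input table is a dictionary of point name to value, that a leg whose TriBUS data was lost or corrupted is represented by None (for the whole leg or for a single point), and that the inter-leg alarm threshold for each analog point is a caller-supplied constant (the point names and threshold used are constructed, not plant values). It shows why a single corrupted or lost leg cannot reach the voted table: a missing digital leg counts as de-energized, and a wild analog value is discarded by the median without any dead band.

```python
"""Simplified model of the Tricon 2-out-of-3 input voting of Section 4.2.5.1.

Added illustration for this page; it is not Triconex code. Assumptions: each leg's
snapshot of the DPRAM input table is a dict of point name -> value; a leg whose
TriBUS data was lost or corrupted is None (whole leg) or carries None for a point;
analog alarm thresholds are caller-supplied constants, not plant values.
"""
from statistics import median
from typing import Dict, List, Optional, Sequence, Tuple

DE_ENERGIZED = False  # the safe state for de-energize-to-trip applications


def vote_digital(legs: Sequence[Optional[bool]]) -> bool:
    """2oo3 majority on one digital point.

    A leg with corrupted or missing data (None) is taken as de-energized, so the
    point is energized in the voted table only if two legs positively report it so.
    """
    if len(legs) != 3:
        raise ValueError("one snapshot per leg expected")
    values = [DE_ENERGIZED if v is None else bool(v) for v in legs]
    return sum(values) >= 2


def vote_analog(legs: Sequence[Optional[float]],
                max_spread: float) -> Tuple[Optional[float], bool]:
    """Mid-value selection on one analog point; returns (voted_value, alarm).

    With three good legs the median is the true mid-value, so one corrupted leg,
    however wrong, never reaches the voted table and no dead band is needed. The
    alarm flag is set when the legs disagree by more than max_spread or when a leg
    is missing (model choice: a lost leg is annunciated). With two legs the median
    of the survivors is their mean; with none the point is None and the application
    must treat the channel as failed.
    """
    if len(legs) != 3:
        raise ValueError("one snapshot per leg expected")
    good = [float(v) for v in legs if v is not None]
    if not good:
        return None, True
    alarm = len(good) < 3 or (max(good) - min(good)) > max_spread
    return median(good), alarm


def form_voted_table(snapshots: Sequence[Optional[Dict[str, object]]],
                     analog_limits: Dict[str, float]) -> Tuple[Dict[str, object], List[str]]:
    """Build one main processor's voted input table from the three legs' snapshots.

    analog_limits maps analog point names to their inter-leg alarm threshold;
    every other point is voted as digital.
    """
    if len(snapshots) != 3:
        raise ValueError("one snapshot per leg expected")
    legs = [s if s is not None else {} for s in snapshots]  # lost leg: no points
    table: Dict[str, object] = {}
    alarms: List[str] = []
    for point in sorted(set().union(*legs)):
        values = [leg.get(point) for leg in legs]
        if point in analog_limits:
            voted, alarm = vote_analog(values, analog_limits[point])
            if alarm:
                alarms.append(f"{point}: leg disagreement or loss, legs={values}")
        else:
            voted = vote_digital(values)
        table[point] = voted
    return table, alarms


# Constructed example data, not plant values.
ANALOG_LIMITS = {"PZR_PRESS_PSIG": 15.0}


def demo() -> Tuple[Dict[str, object], List[str]]:
    """Leg B carries a corrupted pressure sample and a lost digital point."""
    leg_a = {"PZR_PRESS_PSIG": 2235.0, "RCP_BKR_CLOSED": True}
    leg_b = {"PZR_PRESS_PSIG": 1900.0, "RCP_BKR_CLOSED": None}
    leg_c = {"PZR_PRESS_PSIG": 2236.0, "RCP_BKR_CLOSED": True}
    return form_voted_table([leg_a, leg_b, leg_c], ANALOG_LIMITS)


if __name__ == "__main__":
    print(demo())
```

In the demo the corrupted 1900 psig sample from leg B is outvoted by the median (2235.0 psig) but still raises a leg-disagreement alarm, and the lost breaker-position point on leg B does not change the 2oo3 result because the two healthy legs agree. The same code with leg B entirely absent (None) gives the same digital result and the mean of the two surviving analog legs, flagged for alarm.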
The Triconex voting methodology is described in Sections 2.1.2.6 (Main Processor), 2.1.2.7 (I/O Modules), and 2.1.2.8 (TCM) of the Tricon V10 Topical Report Submittal [13].
4.2.5.2 ALS Voting The ALS subsystem in each Protection Set in the PPS replacement provides two complete and diverse execution paths "A" and "B" comprised of the ALS-102 CLBs, input boards and output boards shown in Figure 4-9.
Section 2.2 of the ALS Diversity Analysis [16] describes the internal logic within an ALS FPGA, called the FPGA image, which consists of two redundant cores each containing all the logic necessary to perform the function of the ALS-102. The two cores independently perform the same function with an independent redundancy checker verifying the results. The redundancy checker compares all outputs and critical internal states from the two cores and will drive the board to a safe state if the outputs of the two cores do not agree. The redundancy multiplexer provides an additional diversity safety layer by performing simple voting on key outputs from the two cores to ensure that the desired outputs are generated if the two cores do not agree. This provides internal, or Core, diversity within an individual ALS-102.
Core Diversity is implemented for each of the FPGAs on all of the ALS boards to ensure there is sufficient diversity for simple applications. An additional level of design diversity is incorporated for more complex applications, such as the PPS replacement, which receives sensor signals and makes trip or actuation determinations. This additional level of diversity is called Embedded Design Diversity, and provides diverse "A" and "B" execution paths.
The diverse "A" and "B" execution path outputs are combined in hardwired logic as shown in Figure 4-9 to ensure that the protective action is taken if directed by either path. A single failed path cannot prevent a protective action. Either ALS-102 identifies itself as failed and sets its outputs to a fail-safe state before halting operation if it detects a mismatch between the outputs of its diverse logic cores.
The ALS-A and ALS-B voting arrangement is described in the ALS System Design Specification [19], Section 2.
Both logic cores within a diverse execution path have the same interface with field inputs and outputs and the TAB. It is not possible to bypass one core (i.e., "Al") without bypassing the other core (i.e., "A2") at the same time.
Figure 4-9 also illustrates the ALS manual trip and bypass switches discussed in Section 5.11.1.3.2 of this LAR.
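The following added example models the two layers just described, the core redundancy check inside an ALS-102 and the hardwired combination of the "A" and "B" paths of Figure 4-9; it is written for this page and is not CSI/ALS logic. It assumes that a core is any callable from the board's inputs to a tuple of output energization states, that the fail-safe state driven on a core mismatch is all outputs de-energized, and that the A/B combination is series contacts for a de-energize-to-trip output and parallel contacts for an energize-to-trip output; the redundancy multiplexer is not modelled and the setpoint is a constructed illustration value, not the plant setpoint.

```python
"""Model of the ALS-102 core redundancy check and the hardwired A/B path combination
of Section 4.2.5.2 and Figure 4-9.

Added illustration for this page; it is not CSI/ALS logic. Assumptions: a core is any
callable from the board's inputs to a tuple of output energization states (True =
energized); the fail-safe state driven on a core mismatch is all outputs de-energized;
the A/B combination is series contacts for a de-energize-to-trip output and parallel
contacts for an energize-to-trip output. The redundancy multiplexer is not modelled,
and the setpoint below is a constructed value, not the plant setpoint.
"""
from typing import Callable, Dict, Optional, Tuple

Inputs = Dict[str, float]
Core = Callable[[Inputs], Tuple[bool, ...]]

LOW_PZR_PRESS_SETPOINT = 1850.0  # constructed illustration value


class ALS102:
    """One core logic board: two redundant cores watched by a redundancy checker."""

    def __init__(self, core1: Core, core2: Core, n_outputs: int) -> None:
        self.cores = (core1, core2)
        self.n_outputs = n_outputs
        self.failed = False

    def evaluate(self, inputs: Inputs) -> Tuple[bool, ...]:
        """Run both cores; any disagreement drives fail-safe and halts the board."""
        if not self.failed:
            out1, out2 = self.cores[0](inputs), self.cores[1](inputs)
            if out1 == out2:
                return out1
            self.failed = True  # board identifies itself as failed until replaced
        return tuple(False for _ in range(self.n_outputs))


def make_cores(de_energize_to_trip: bool) -> Tuple[Core, Core]:
    """Two implementations of the same low-pressure function, structured differently
    (stands in for the diverse FSM encoding and hierarchy used between real cores)."""

    def core_compare(inputs: Inputs) -> Tuple[bool, ...]:
        trip = inputs["pzr_press"] < LOW_PZR_PRESS_SETPOINT
        return ((not trip) if de_energize_to_trip else trip,)

    def core_margin(inputs: Inputs) -> Tuple[bool, ...]:
        normal = (inputs["pzr_press"] - LOW_PZR_PRESS_SETPOINT) >= 0.0
        return (normal if de_energize_to_trip else (not normal),)

    return core_compare, core_margin


def stuck_core(state: bool) -> Core:
    """Injected fault: a core whose single output is stuck at `state`."""
    return lambda inputs: (state,)


def combine_paths(a: bool, b: bool, de_energize_to_trip: bool) -> bool:
    """Hardwired A/B combination; returns whether the final output is energized."""
    return (a and b) if de_energize_to_trip else (a or b)


def action_taken(final_energized: bool, de_energize_to_trip: bool) -> bool:
    """Protective action is de-energization or energization depending on configuration."""
    return (not final_energized) if de_energize_to_trip else final_energized


def run_scenario(pressure: float, de_energize_to_trip: bool,
                 faulty_core_b: Optional[Core] = None) -> Tuple[bool, bool, bool]:
    """Return (protective action taken, path A failed, path B failed) for one scan."""
    c1, c2 = make_cores(de_energize_to_trip)
    path_a = ALS102(c1, c2, 1)
    path_b = ALS102(c1, faulty_core_b if faulty_core_b is not None else c2, 1)
    inputs = {"pzr_press": pressure}
    final = combine_paths(path_a.evaluate(inputs)[0], path_b.evaluate(inputs)[0],
                          de_energize_to_trip)
    return action_taken(final, de_energize_to_trip), path_a.failed, path_b.failed


if __name__ == "__main__":
    print(run_scenario(1800.0, True, stuck_core(True)))
```

Two points the scenarios bring out: with a trip demanded and one core of path B stuck energized, path B's checker sees the disagreement, drives fail-safe and halts, and path A still trips the combined output, so the single failed path cannot prevent the protective action; but at normal pressure the same stuck core agrees with its partner and the mismatch is latent. The redundancy checker only catches faults that produce a disagreement, which is why the ALS also relies on the BIST and inherent self-test described in Section 4.2.8.2.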
Figure 4-9 ALS Diversity Architecture (figure not reproduced in this text; it shows the De-energize to Trip Configuration and the Energize to Trip Configuration with the Manual Bypass Switch, and carries the note "Manual Trip switch as required by detailed design")
4.2.6 Manual Channel Trip and Reset The existing DCPP protection system design includes manual displays and controls in the control room for manual actuation and management of plant critical safety functions.
Where necessary and practical, the indications are derived from the raw sensor signal and the indications are not processed by any digital system. The available displays and controls are listed in Table 3-5 and Table 3-6 of the approved DCPP D3 analysis [7] and include but are not limited to the following:
Independent indication of rod position is provided as well. The NIS provides Class 1E protection functions indication of neutron flux diverse from the PPS as discussed in the PPS Replacement D3 Assessment [7].
- 2. Reactor Core Cooling and Heat Removal AFW may be initiated manually and monitored by controls that are independent of the PPS.
- 3. RCS Integrity SI may be initiated manually and monitored by controls that are independent of the PPS.
- 4. Containment Isolation and Integrity Containment Spray, Containment Isolation and CVI may be initiated manually and monitored by controls that are independent of the PPS.
The system level manual trip and actuation functions described above are hardwired and are not affected by the PPS replacement. Once initiated, protective actions run to completion. Reset of the protective action must be initiated manually after the initiating cause is no longer present.
4.2.7 Power Supply The PPS is supplied vital uninterruptible AC power from four electrically independent and physically separated 120 V AC distribution panels. Each distribution panel is supplied from a separate, dedicated inverter and from a backup common 480 V AC vital bus. An inverter can be fed from the 125 V DC vital system or from the 480 V AC vital system. The 125 V DC system is designed with three vital batteries, with each battery having a dedicated charger supplied from a 480 V AC vital bus.
Protection Set    Vital Inst AC Bus
I                 PY-11 (21)
II                PY-12 (22)
III               PY-13 (23)
IV                PY-14 (24)
Each 480 V AC vital bus is designed to be supplied from the main generator, from the two independent offsite sources and from the onsite diesel generators.
PG&E practices power supply quality monitoring per the guidance of NRC RG 1.180 [23]. As-found and as-left Total Harmonic Distortion measurements will be performed at PPS 120 V AC power supply input terminals before and after installation of equipment powered from the 120 V AC vital instrument power supply. If needed, corrective measures will be implemented during installation.
4.2.7.1 Triconex Power Supply Modules The Triconex PPS subsystem utilizes two Triconex power supply modules in each chassis. The power supply modules have been qualified by Triconex per the Tricon V10 Topical Report Submittal [13] and operate from the redundant uninterruptible 120 V AC safety-related instrument power supply used to power the existing Eagle 21 PPS. Power supplies in non-safety-related chasses are isolated from the safety-related primary power source by qualified circuit breakers or fuses.
All power supply modules are rated for 175 watts, which is sufficient to supply the power requirements of a fully populated chassis. Two different power supply modules can be used in a single chassis. The PPS replacement utilizes 120 V AC modules.
The power supply modules possess built in diagnostic circuitry to check for out-of-range voltages and/or over temperature conditions. Indicator LEDs on the front face of each power module provide module status. The power supply modules also contain the system alarm contacts. The chassis backplane provides terminal strip interfaces for power and alarm connections. The alarm function operates independently for each power module. An AC line filter reduces incoming noise and suppresses conducted emissions and conducted susceptibility.
The alarm contacts on at least one of the chassis power supplies actuate when the following power conditions exist:
- A power module fails
- Primary power to a power module is lost
- Power module has a low battery or over temperature condition
The alarm contacts on both power supply modules in the main chassis actuate when system trouble such as a processor or I/O module fault is detected. The alarm contacts on both power modules of an expansion chassis actuate when a fault is detected on an I/O module. The alarm contacts on individual power supply modules actuate when trouble is detected within the module or if primary power is lost.
Each of the three legs on each I/O module and each Main Processor module normally draws power from both power supplies through the dual power rails and the dual power regulators. If one of the power supplies or its supporting power line fails, the other power supply increases its power output to support the requirements of all modules in the chassis.
The Triconex power supply modules are described in Section 2.1.2.5 of the Tricon V10 Topical Report Submittal [13].
4.2.7.2 FPGA-Based ALS Logic Power Supplies The power supply system in each ALS safety system cabinet is comprised of two qualified, independent AC/DC power supplies. Each power supply is designed to provide 150 percent of the cabinet load, and operates in a redundant configuration. The power supplies are mounted in the same cabinet as the ALS chassis. Each ALS PPS subsystem chassis is powered via the Backplane Assembly from an external dual-redundant power supply system. The cabinet load consists of all ALS platform components and peripheral devices. Input/Output power is provided by separate power supplies as discussed below. Power supply failures (loss of output voltage) are alarmed. The ALS-A and ALS-B subchannels are supplied by the same 48 V DC power supplies (typical for each Protection Set).
Inside the PPS cabinet, an AC line filter reduces incoming noise and suppresses conducted emissions and conducted susceptibility. In addition to the power supplies and AC line filter the power distribution system consists of breakers and terminal blocks as necessary.
The individual 48 V DC chassis power supplies supplied by PG&E are redundant, hot swappable, and capable of being replaced while the system is operational without interruption of power to the ALS chassis or other safety system components. The 48 V DC from the redundant cabinet power supplies is fed to the ALS chassis, where they are diode auctioneered to provide a single local 48 V DC supply. Each ALS board contains DC/DC converters that generate stable local board power. All ALS boards are fused, filtered and over-voltage protected on the incoming cabinet 48 V DC supply voltage. The fuse ensures that local failures on an ALS board cannot disrupt the chassis power. The filtering prevents electrical noise propagation from the ALS backplane to the board itself and also prevents noise propagating from the ALS board to the ALS backplane.
The ALS power supply and distribution within the ALS chasses is described in Section 2.6.2 of the ALS Topical Report Submittal [15] and in Section 4.2.1 of the ALS Platform Specification [95].
4.2.7.3 Analog Input Power Supplies - Analog Inputs The Tricon and the ALS subsystems in each Protection Set are each provided with their own pair of safety-related adjustable redundant loop power supplies capable of powering all 4-20 mA instrument input loops associated with that subsystem. Operating voltage will be selected during detailed design to power instrument loops without exceeding voltage limitations of instrument loop sensors (transmitters). Separate I/O power supplies are provided and qualified by PG&E during detailed design for the Triconex and ALS subsystems.
4.2.7.4 Triconex Discrete I/O Power Supplies De-energize to trip discrete Triconex outputs to the SSPS and auxiliary relays utilize the 120 V AC safety-related PPS instrument power supply. Energize to trip discrete Triconex outputs to the SSPS and auxiliary relays are powered by safety-related redundant 24 V DC power supplies. Other discrete Triconex outputs are powered by the external system.
Triconex discrete inputs are powered by redundant 24 V DC power supplies, except trip output loopback signals, which are powered by the 120 V AC discrete output (DO) [Figure 4-10]. Triconex analog 4-20 mA output loops are powered by redundant 24 V DC power supplies. The Triconex qualification requires that separate power supplies be used for analog and digital I/O.
4.2.7.5 ALS I/O Power Supplies All discrete ALS outputs to the SSPS are powered by safety-related 120 V AC Protection Set power. Other discrete ALS outputs such as output signals to the MAS are powered by the external system. Discrete ALS inputs are powered by safety-related redundant 48 V DC power supplies. Analog ALS 4-20 mA outputs are powered by the ALS internal power supply. The feedback signals shown in Figure 4-9 are powered by the redundant, safety-related 48 V DC discrete input power supply.
Failure of any Tricon or ALS I/O power supply is alarmed on the control room MAS.
4.2.8 Test Subsystem The PPS replacement permits any individual instrument channel to be maintained and calibrated in a bypassed condition, and when required, tested during power operation without initiating a protective action at the system level. This is accomplished without lifting electrical leads or installing temporary jumpers. The PPS replacement permits periodic testing during reactor power operation without initiating a protective action from the channel under test.
External hardwired switches are provided on all PPS replacement trip and actuation outputs. The switches may be used for SSPS input relay testing or to trip or actuate the channel manually if needed. Activation of the external trip switches is indicated in the control room through the SSPS partial trip indicators. Actuation of bypass switches (ALS) and out of service switches (Tricon) is indicated through the MAS.
Refer to Section 4.11.3.2 for test and bypass design details.
4.2.8.1 Tricon-Based PPS Equipment The Triconex portion of the PPS replacement continuously performs diagnostic functions as described in the Tricon V10 Topical Report Submittal [13]. The diagnostic functions within the main processor module monitor the status of each main processor as well as each I/O module and communication channel. The main processor modules process diagnostic information recorded within the main processor module and diagnostic information received from the diagnostics functions within the I/O module in order to make decisions about the health of the I/O modules in the system. All discrepancies are flagged and used by the built in fault analyzer routine to diagnose faults.
When a fault is detected on a main processor module, it is annunciated and voted out, and processing continues through the remaining two main processor modules. When the faulty main processor module is replaced, it runs a self-diagnostic to determine its basic health. When the self-diagnostic is successfully completed, the newly inserted main processor module then begins the process of "re-education" where the control program is transferred from each of the working units into the newly inserted main processor module. All three main processor modules then resynchronize data and voting, and the newly inserted main processor module is allowed back in service.
If one of the three legs within an I/O module fails to function, an alarm is raised to the main processor modules. If a standby I/O module is installed in the slot paired with the faulty I/O module, and the standby I/O module is deemed healthy by the main processors, the system automatically switches over to the standby I/O module and takes the faulty I/O module off line. If no standby I/O module is in place, the faulty I/O module continues to operate on two of the three legs and protection and control are unaffected. The maintenance technician obtains a replacement I/O module and inserts it into the system at the logically paired slot associated with the failed I/O module. When the main processor modules detect the presence of a newly inserted I/O module, they initiate local health state diagnostics and, if the newly inserted I/O module is healthy, automatically switch over to the new I/O module. The faulty I/O module may then be removed and returned to the factory for repair.
Specific PPS replacement test and calibration functions and application diagnostics are supported by the platform but implemented in the application program. An example of such a diagnostic is a mismatch check that compares the trip demand from the PPS to a feedback signal. A mismatch occurs if the trip demand signal does not agree with the feedback signal, as shown in Figure 4-10:
Figure 4-10 Triconex Trip Output Diagnostic (figure not reproduced in this text). Alarm signals to MAS shown in the figure:
1. Trip Switch Open (output de-energized with energize command)
2. Bistable Fault (output energized with de-energize command)
Signal convention in the figure: 1 = RESET, 0 = TRIP; a manual TRIP switch is shown in the output circuit.
Triconex self-test methodology is described in Sections 2.1.2.6 (Main Processor module), 2.1.2.7 (I/O Modules), and 2.1.2.8 (TCM) of the Tricon V10 Topical Report Submittal [13].
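The following added example models the trip output mismatch check of Figure 4-10 over a sequence of scans; it is written for this page and is not Triconex or PG&E code. It assumes that the de-energize-to-trip 120 V AC discrete output (1 = RESET/energized, 0 = TRIP/de-energized) reaches the SSPS input relay through the external manual trip switch, that the loopback digital input reads the state downstream of that switch, and that a mismatch is reported only after it persists for a small number of consecutive scans (a debounce added in this model to ride through relay transition time; the LAR does not specify one). It makes the point that the two alarms are not symmetric: "Bistable Fault" is the case where a real trip demand would be masked by an output that cannot de-energize.

```python
"""Model of the Triconex trip output loopback diagnostic of Figure 4-10.

Added illustration for this page; it is not Triconex or PG&E code. Assumptions: the
de-energize-to-trip 120 V AC discrete output (1 = RESET/energized, 0 = TRIP/
de-energized) reaches the SSPS input relay through the external manual trip switch,
the feedback digital input reads the state downstream of that switch, and a mismatch
is reported only after it persists for DEBOUNCE_SCANS consecutive scans (model choice).
"""
from typing import List, Sequence, Tuple

RESET, TRIP = 1, 0
DEBOUNCE_SCANS = 2  # model choice, not a value from the LAR

TRIP_SWITCH_OPEN = "Trip Switch Open (output de-energized with energize command)"
BISTABLE_FAULT = "Bistable Fault (output energized with de-energize command)"


class TripOutputChannel:
    """One trip output with its loopback feedback and the application diagnostic."""

    def __init__(self) -> None:
        self.manual_trip_switch_closed = True
        self.output_stuck_energized = False  # injectable output module failure
        self._mismatch_scans = 0

    def read_feedback(self, command: int) -> int:
        """Hardware path: the output energizes on RESET unless stuck energized; an
        open manual switch removes 120 V AC from the relay and the feedback input."""
        energized = self.output_stuck_energized or command == RESET
        return RESET if energized and self.manual_trip_switch_closed else TRIP

    def diagnose(self, command: int, feedback: int) -> List[str]:
        """Application mismatch check; returns the MAS alarm texts for this scan."""
        if command == feedback:
            self._mismatch_scans = 0
            return []
        self._mismatch_scans += 1
        if self._mismatch_scans < DEBOUNCE_SCANS:
            return []
        # RESET commanded but the loop is de-energized: switch open (or an output
        # that failed open); the channel is in its safe state.
        # TRIP commanded but the loop is still energized: the output cannot
        # de-energize, so a genuine trip demand would be masked. This is the
        # failure the check exists to catch.
        return [TRIP_SWITCH_OPEN] if command == RESET else [BISTABLE_FAULT]

    def scan(self, command: int) -> List[str]:
        return self.diagnose(command, self.read_feedback(command))


def run_sequence(steps: Sequence[Tuple[str, int]]) -> List[List[str]]:
    """Drive one channel through (event, command) steps; return the alarms per scan.
    Events: "normal", "open_switch", "close_switch", "stick_output"."""
    channel = TripOutputChannel()
    results: List[List[str]] = []
    for event, command in steps:
        if event == "open_switch":
            channel.manual_trip_switch_closed = False
        elif event == "close_switch":
            channel.manual_trip_switch_closed = True
        elif event == "stick_output":
            channel.output_stuck_energized = True
        results.append(channel.scan(command))
    return results


if __name__ == "__main__":
    print(run_sequence([("normal", RESET), ("open_switch", RESET), ("normal", RESET),
                        ("close_switch", RESET), ("normal", TRIP),
                        ("stick_output", TRIP), ("normal", TRIP)]))
```

In the sequence shown, opening the manual switch produces "Trip Switch Open" on the second mismatched scan, closing it clears the counter, a commanded trip with a healthy output produces no alarm, and an output that sticks energized while TRIP is commanded produces "Bistable Fault" on the second mismatched scan.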
Specific testing provisions implemented in the PPS Triconex Software Application Program (TSAP) for compliance with 10 CFR 50 requirements, including IEEE 603 [21] and IEEE 7-4.3.2 [80], are discussed in later sections of this LAR.
4.2.8.2 FPGA-Based ALS PPS Equipment The ALS platform incorporates self-diagnostic functions that provide a means to detect and alarm all significant failure(s) within the platform. Details of the ALS Board self-diagnostic functions are described in the design specification listed in Table 4-7 associated with each board. Additional ALS platform fault detection and self-diagnostics information is provided in the ALS Platform Specification [95].
The ALS platform is designed to support the elimination of manual periodic surveillance testing of an installed ALS safety system. In typical safety system applications the ALS platform is operating at steady state where it is monitoring plant conditions to initiate RT or ESF actuations. To verify operability, it is necessary to test these static commands on a regular basis. Historically this has been done with periodic surveillance testing which involves plant personnel placing the system into a bypassed or partial tripped state and then testing the critical functions. The ALS platform provides features that facilitate extending the intervals for periodic surveillance testing. This can be done through a combination of redundancy and self-testing which automatically and transparently verifies critical system functions.
The ALS Platform uses a combination of implementation and test strategies in order to maintain its high integrity status. The four primary implementation and test strategies are described below. The testing is performed automatically by the ALS system without the need for interaction by plant personnel.
Redundancy: All ALS FPGAs are implemented with redundant digital logic. This is to protect the ALS board against a type of failure which can potentially occur over time as a result of manufacturing defects, radiation damage or flash cell charge degradation. This section exclusively focuses on how the redundancy is implemented internal to the ALS FPGAs. Other levels of redundancy such as the redundant inputs or outputs, or application level redundancy, are not covered in this section. Differences between the redundant circuits cause the ALS to take appropriate action. The redundancy implementation detects any deviation between the redundant circuits before a possible erroneous signal can propagate to the remainder of the system.
Diversity: The diversity between the redundant logic modules has been achieved as a result of changing the Finite State Machine (FSM) encoding style and the module hierarchy between the two cores.
BIST: The Built-In-Self-Test (BIST) is used for exercising all critical functions within a board. This is done to ensure that latent failures cannot build up in the system and make the system inoperable without the knowledge of plant personnel. The BIST typically applies input stimuli on the inputs to a sub-circuit and validates the correct response on the output.
Inherent Self-Test: Inherent Self-Test is a method for implementing high integrity directly into the logic circuits by constructing them in a way that latent STUCK-AT or OPEN failures are instantly detected. An example of inherent self-testing is a serial communications link with CRC protection.
The ALS Platform self-test strategy is based on the following steps:
Detect: The ALS Platform detects failures in its circuits or connected field devices either by running nonintrusive background tests on a regular interval, or by redundancy.
Mitigate: The circuits causing the failure are isolated before the failure is allowed to propagate to other systems.
Announce: The detected failure is announced using the ALS rack alarm which typically ties into a master control board alarm. Other application specific indicators may also be added to the system to give a more detailed status indication to the control room, such as indicating in which function the failure occurred and to show if the system remains operable.
React: The failure is announced using the system alarm and by other application specific means. The ALS system is designed so a failure in a sub-circuit causes the system to enter a specific state, such as a partial trip or bypass. A critical function is the system's ability to drive its output channels to a predefined state when a specified set of input events occur, such as digital inputs being activated or an analog input going beyond a threshold.
The ALS self-test functions are described in Section 3.0 of the ALS Topical Report Submittal [15].
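The "Inherent Self-Test" strategy above names a CRC-protected serial link as its example, and Section 4.2.4.3 describes the transmit-only EIA-422 channels TxB1 and TxB2 that carry ALS data to the MWS and the PPC. The following added example, written for this page and not CSI/ALS code, shows such a link in miniature and the detail that makes a CRC an inherent self-test rather than just an error check: the frame layout (sync byte, length, payload, CRC-16) is an assumption, and the CRC is CRC-16/CCITT with polynomial 0x1021; with the conventional non-zero initial value 0xFFFF an all-zero frame, which is what a stuck-at-zero line delivers, is rejected, whereas with a zero initial value the same frame carries a valid CRC of zero and the stuck-at fault would pass the integrity check unnoticed.

```python
"""Inherent self-test of a transmit-only serial link with CRC protection, in the sense
of the ALS "Inherent Self-Test" strategy and the one-way EIA-422 channels of 4.2.4.3.

Added illustration for this page; it is not CSI/ALS code. Assumptions: frame layout is
SYNC | length | payload | CRC-16 (big-endian); the CRC is CRC-16/CCITT, polynomial
0x1021, MSB first, no reflection, no final XOR, with a caller-selectable initial value.
"""
from typing import Optional

SYNC = 0xA5  # constructed frame delimiter


def crc16_ccitt(data: bytes, init: int = 0xFFFF) -> int:
    """Bitwise CRC-16 with polynomial 0x1021. init=0xFFFF is CRC-16/CCITT-FALSE
    (check value 0x29B1 for b"123456789")."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            if crc & 0x8000:
                crc = ((crc << 1) ^ 0x1021) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
    return crc


def build_frame(payload: bytes, init: int = 0xFFFF) -> bytes:
    """Transmitter side (the ALS-102 TxB channel in this model): the CRC covers the
    length byte and the payload."""
    if len(payload) > 255:
        raise ValueError("payload too long for a one-byte length field")
    body = bytes([len(payload)]) + payload
    return bytes([SYNC]) + body + crc16_ccitt(body, init).to_bytes(2, "big")


def crc_ok(frame: bytes, init: int = 0xFFFF) -> bool:
    """Receiver-side integrity check over length + payload.

    With init=0 a frame of all zeros (stuck-at-zero line) has CRC 0 and passes; with
    init=0xFFFF the register starts non-zero and an all-zero frame cannot pass, so
    the stuck-at fault is detected on the very first frame.
    """
    if len(frame) < 4:
        return False
    body, received = frame[1:-2], int.from_bytes(frame[-2:], "big")
    return crc16_ccitt(body, init) == received


def parse_frame(frame: bytes, init: int = 0xFFFF) -> Optional[bytes]:
    """Receiver side (the MWS/ASU or PPC end): return the payload or None to reject.
    The CRC is checked first so a stuck or open line is caught by the integrity check
    and not merely by the delimiter."""
    if not crc_ok(frame, init):
        return None
    if frame[0] != SYNC or frame[1] != len(frame) - 4:
        return None
    return bytes(frame[2:-2])


if __name__ == "__main__":
    # Constructed sample payload: one trip bit and a 16-bit analog value.
    frame = build_frame(bytes([0x01, 0x08, 0xBB]))
    print(frame.hex(), parse_frame(frame))
    dead_line = bytes(len(frame))  # stuck-at-zero line, same frame length
    print("init 0 accepts dead line:", crc_ok(dead_line, init=0))
    print("init 0xFFFF accepts dead line:", crc_ok(dead_line))
```

Because the link is transmit-only with no handshake, the receiver has no way to request a retransmission; all it can do is reject the frame and count or alarm the failure, which is why the receiver-side check has to be strong against the failure modes a broken line actually produces (constant zeros or ones) and not only against random bit errors. Any single-bit error in a frame is also rejected, a property of every CRC whose generator has more than one term.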
4.2.9 Other Subsystems - MWS Each Protection Set in the PPS replacement is provided with a dedicated non-safety-related MWS for the purpose of maintenance and calibration. The MWS within a redundant Protection Set is connected to and communicates with the safety-related equipment in the associated Protection Set. A MWS is not connected to and cannot communicate with safety-related equipment outside its associated Protection Set. Refer to Figure 4-12.
The MWS is connected to both the Tricon and ALS PPS subsystems in read-only mode, except during testing and calibration, when two-way communication between the MWS and safety-related processors is required to perform the test or calibration function. The MWS is able to read, but not write, process instrumentation information for local display at the MWS during normal operation.
Using the MWS, the PPS replacement permits any individual instrument channel to be maintained in a bypassed condition, and when required, tested during power operation without initiating a protective action at the system level, and without lifting electrical leads or installing temporary jumpers.
On-line testing in the Tricon is controlled by the non-safety-related MWS and by safety related logic enabled via an external safety-related hardwired out of service switch.
When the out of service switch is activated, the safety-related logic in the associated Protection Set allows the associated instrument channel to be taken out of service while maintaining the rest of the instrument channels in the Protection Set operable. The individual out of service switch only removes an individual instrument channel from service and no other instrument channel. If the out of service switch is returned to the normal position during test, the safety-related logic automatically restores the instrument channel to safety-related operation.
On-line testing in the ALS is controlled by the TAB as described in Section 2.3.2 of the ALS Topical Report Submittal [15]. Two-way communication with the ASU function (performed by the MWS in the PPS Replacement) is enabled by activating the TAB Enable communication switch under bypass conditions as described in Section 5.3.3 of the ALS Topical Report Submittal [15].
Refer to Section 4.11.1.3.2 for discussion of Design for Test and Calibration.
4.2.10 Cabinets, Racks, and Mounting Hardware The PPS is housed in existing process instrumentation cabinets numbered 1 through 16 (DCPP Electrical Location Numbers RNP1A, RNP1B, RNP1C, RNP1D, RNP1E, RNP2A, RNP2B, RNP2C, RNP2D, RNP2E, RNP3A, RNP3B, RNP3C, RNP4A, RNP4B, RNP4C) [Figure 4-11].
The cabinets provide the same degree of physical separation and electrical isolation between Protection Sets as the previously approved Eagle 21 PPS [5]. The cabinets will be evaluated for seismic considerations as part of the detailed PPS replacement design. Non-safety-related hardware mounted in the PPS cabinets will be evaluated for seismic interactions during the detailed design.
Protection set cabinet assignments are as follows:
Table 4-8 Protection Set Assignments
Protection Set    Cabinet    Electrical Location
I                 1          RNP1A
I                 2          RNP1B
I                 3          RNP1C
I                 4          RNP1D
I                 5          RNP1E
II                6          RNP2A
II                7          RNP2B
II                8          RNP2C
II                9          RNP2D
II                10         RNP2E
III               11         RNP3A
III               12         RNP3B
III               13         RNP3C
IV                14         RNP4A
IV                15         RNP4B
IV                16         RNP4C
Figure 4-11 PPS Rack Locations: The PPS rack locations are security-related information per 10 CFR 2.390 [88] and will be provided separately.
Parameters monitored by each Protection Set are shown in the following table:
Table 4-9 Protection Set Input Parameters
Parameter                                                            Protection Set(s)
Rx Coolant Flow, Loops 1, 2, 3, 4                                    I, II, III
Wide Range Rx Coolant Temperature (hot and cold legs), Loops 1, 2   I
Wide Range Rx Coolant Temperature (hot and cold legs), Loops 3, 4   II
Wide Range Rx Coolant Pressure, Loop 3                               IV
Wide Range Rx Coolant Pressure, Loop 4                               III
Narrow Range Rx Coolant Temperature (hot and cold legs), Loop 1      I
Narrow Range Rx Coolant Temperature (hot and cold legs), Loop 2      II
Narrow Range Rx Coolant Temperature (hot and cold legs), Loop 3      III
Narrow Range Rx Coolant Temperature (hot and cold legs), Loop 4      IV
Neutron Flux (from Nuclear Instrument System)                        I, II, III, IV
Pressurizer Level                                                    I, II, III
Pressurizer Pressure                                                 I, II, III, IV
Pressurizer Vapor Temperature                                        IV
Steamflow, Steamline Pressure, S/Gs 1, 2, 3, 4                       I, II
Steamline Pressure, S/Gs 2, 3                                        III
Steamline Pressure, S/Gs 1, 4                                        IV
S/G Narrow Range Level, S/Gs 1, 2, 3, 4                              III, IV
S/G Narrow Range Level, S/Gs 2, 3                                    I
S/G Narrow Range Level, S/Gs 1, 4                                    II
Turbine Impulse Chamber Pressure                                     I, II
Containment Pressure                                                 I, II, III, IV

Each of the Protection Sets contains the following equipment that is dedicated to the specific Protection Set. There is no communication between the Protection Sets and no equipment is shared between Protection Sets, except for the PPC Gateway Computer, which is isolated from the Protection Sets via fiber-optic cable and a NetOptics port aggregator network tap for each Protection Set as described in Section 4.2.13.1 of this LAR.
The PPS replacement effectively consolidates the functions performed by the PPS such that more protective functions are implemented in fewer processors. The effects of this consolidation will be discussed in the system-level Phase 2 PPS replacement Failure Modes and Effects Analysis (FMEA).
a) Safety-Related Triconex Subsystem Physical details of the Triconex PPS subsystem are provided in Section 2.1.2 of the Triconex Submittal [13].
b) Safety-Related ALS PPS Subsystem Physical details of the ALS are provided in the ALS Topical Report Submittal [15], the ALS Platform Requirements Specification [68], and the ALS Platform Specification [95].
c) Non-safety-Related MWS The non-safety-related MWS is provided by PG&E and is described in Section 4.2.9 of this LAR.
4.2.11 Appendix B Compliance Section (D.2.2 of DI&C-ISG-06 [1])
IEEE Standard 603-1991 [21], Clause 5.3 states:
Components and modules shall be of a quality that is consistent with minimum maintenance requirements and low failure rates. Safety system equipment shall be designed, manufactured, inspected, installed, tested, operated, and maintained in accordance with a prescribed quality assurance (QA) program (See American Society of Mechanical Engineers (ASME) NQA-1-1989).
This section describes compliance with IEEE 603-1991 [21], Section 5.3. The following subsections describe the PG&E, IOM and CSI QA Programs, and how each applies to the PPS Replacement Project.
Compliance with IEEE Standard 7-4.3.2-2003 [80], "IEEE Standard for Digital Computers in Safety Systems of Nuclear Power Generating Stations," Clause 5.3 "Quality," is described below and in Section 4.11.1.1.
4.2.11.1 PG&E QA Program PG&E maintains full responsibility for assuring that its nuclear power plants are designed, constructed, tested and operated in conformance with accepted engineering practices, applicable regulatory requirements and specified design bases and in a manner to protect the public health and safety. To this end PG&E has established and implemented a quality assurance program (QAP) [142], which conforms to the criteria established in 10 CFR, Part 50, Appendix B, "Quality Assurance Criteria for Nuclear Power, Plants and Fuel Reprocessing Plants" [151]. The PG&E QAP [142] is contained in DCPP FSAR [26] Chapter 17, "Quality Assurance," and complies with Revision 1 of RG 1.70, "Standard Format and Content of Safety Analysis Reports for Nuclear Power Plants - LWR Edition" [152] and subsequent NRC guidelines.
DCPP FSAR Chapter 17 [142] describes the QA requirements for those systems, components, items, and services which have been determined to be nuclear safety related (Design Class 1). PG&E's QAP [142] also provides a method of applying a graded QAP to certain non-safety related systems, components, items, and services.
The quality of systems, components, items, and services within the scope of the PG&E QAP is assured commensurate with the systems, components, items, or services importance to safety.
The affected RTS/ESFAS and associated components within the scope of this LAR are classified in accordance with the QAP [142]. Those systems and components that perform an active safety function are classified as Design Class I. Design Class I covers those systems "and their attendant components, items, and services which have been determined to be nuclear safety related."
Procedures and work instructions necessary to implement the requirements of the QAP [142] are developed and approved by the organization responsible for the activity.
These procedures and instructions may be contained in manuals, station procedures and directives, administrative instructions and/or other documents. These documents identify the criteria to determine acceptable quality for the activity being performed. On-site implementation of procedures and work instructions is the responsibility of the Site Vice President.
The following sections describe the primary manuals, procedures and directives, by project phase, used in the course of the PPS Replacement Project.
4.2.11.1.1 Design Phase
The design phase is performed within the context of the plant engineering change program, governed by department directives and design change program directives.
PG&E contracted with IOM and CSI to perform the I&C hardware and software portion of engineering change activities, following the PG&E owner requirements provided in [27], [28], and [29], and the individual PG&E contracts with each firm for their scope of supply. The contracts include Outside Contractor Interface Agreements that describe how IOM and CSI perform engineering change activities per the requirements of the PG&E engineering change program while doing so under the respective IOM or CSI QA Program (described in Sections 4.2.11.2 and 4.2.11.3, below). The actual engineering change is prepared by contracted engineering services under a defined task engineering services contract from PG&E. The engineering services contractor maintains an engineering resource pool that is qualified to the PG&E engineering change program. PG&E is performing the Owner Acceptance function in accordance with the engineering change program documents.
4.2.11.1.2 Manufacturing
The manufacturing phase for the PPS replacement equipment is also contracted to IOM and CSI for their respective scope of supply. This phase includes basic hardware and software design, detailed hardware and software design, hardware manufacturing, software development, integration of the hardware and software, Factory Acceptance Test and Site Acceptance Test. These equipment activities are outsourced to IOM and CSI under the PG&E DCPP Procurement Control Program [153]. IOM and CSI are performing the contracted equipment scope under their QA programs [31] and [33] and their implementing procedures (described in the following sections). Specifications describing the equipment requirements as well as the required development and manufacturing activities are included in the contract. IOM and CSI are approved suppliers, audited by PG&E, under the PG&E Nuclear Procurement Program and associated directives.
The PPS replacement chassis, cards, cables, ASU, and sensing modules are being procured from IOM and CSI as basic components, furnished with Certificates of Conformance to purchase order requirements.
4.2.11.1.3 Inspection
Inspection of equipment purchased for implementation as part of design changes to PG&E nuclear facilities is governed by the PG&E DCPP Procurement Control Program [153] and associated directives.
As part of the procurement process, inspections occur at various stages of the project.
Prior to submittal of specifications for bidding and eventual contract award to the vendor(s), verification is made that IOM and CSI are qualified per industry QA processes to provide the equipment identified within the specification.
Once the contract is awarded for procurement of the specified equipment and/or services, project related inspections begin. The vendors' manufacturing facilities and service organizations undergo a general engineering inspection and familiarization.
More formalized inspections occur as the project progresses. Prior to shipment of the equipment, inspections occur at the vendor facilities with the purchaser to verify manufacture of the equipment to approved drawings and project documentation, and to perform pre-FAT assembly, hardware configuration, and, if applicable, software configuration.
The equipment is then shipped to the DCPP site and upon arrival is inspected to verify the delivered materials are in general compliance with the equipment purchase specification(s) and the associated shipping documents. Additional detailed inspections occur by the engineering and implementation organizations to verify technical details of the received equipment as part of the staging for implementation. Various details such as material counts, wiring, mountings, arrangements, configurations, and physical packaging (cabinetry) are inspected by PG&E.
As mentioned above, these activities are performed using both specific and general guidance provided in PG&E Nuclear Procurement and PG&E Nuclear Engineering directives and procedures.
4.2.11.1.4 Testing
The PPS Replacement Project includes several testing activities. A complete description of the testing is included in Section 4.11.1.2.1.
A Modification Test Plan (MTP) will be developed for the project. The MTP specifies the necessary testing to be performed during and after installation of the PPS replacement systems and components. The actual test procedures used will be a combination of permanent operations procedures, permanent maintenance procedures, and temporary test procedures. These procedures are prepared, reviewed, approved, controlled, and performed under existing PG&E Project and Station programs.
4.2.11.1.5 Installation
Installation of the PPS replacement systems and components will be performed in accordance with written installation procedures and work orders. The scope of the installation procedures and work orders includes safety tagging requirements, demolition and removal of old components, modification of racks for seismic requirements, installation of new equipment, modification of supporting structures, cabling, terminations, checkout, and system power up. The PPS replacement systems are not available or operable until all post modification testing is performed as required by the MTP and the implementation is accepted by the station staff in accordance with PG&E Project procedures.
Installation procedures are also prepared, reviewed, approved, controlled and performed under existing PG&E Project procedures. Work orders are planned, scheduled and controlled using the PG&E work process. PG&E is experienced in the installation of major engineering changes, and is solely responsible for the quality of installation activities.
4.2.11.1.6 Operations
Operability of the PPS replacement and components will be determined in accordance with TS 3.3.1 and 3.3.2.
Operation of the digital RPS/ESF and associated components is conducted under various department directives and procedures. Operations Procedures are used to perform operational tasks with plant systems and components. Periodic test procedures are used to perform surveillance tests on plant systems and components.
4.2.11.1.7 Maintenance
Maintenance of the PPS replacement and components will be conducted under the Preventive Maintenance Program described in Nuclear System Directives and the DCPP Maintenance Program.
The DCPP Maintenance Program provides policies and procedures which direct and support the conduct of work as it relates to the philosophy of the DCPP maintenance activities and other groups performing maintenance at DCPP.
Maintenance procedures are used to perform maintenance activities on plant systems and components. Instrument procedures are used to perform module checkouts, instrument and instrument loop calibrations and checks, system troubleshooting and corrective maintenance. Surveillance procedures are used to perform surveillance tests on plant systems and components. PG&E is solely responsible for the quality of maintenance on the RPS and ESF.
The procedures described above will be revised as needed for the PPS Replacement equipment in accordance with existing Nuclear System Directives.
4.2.11.2 Triconex QA Program
Section 5.3 of Standard Review Plan [47] Appendix 7.1.C, "Guidance for Evaluation of Conformance to IEEE Standard 603 [21]," notes that for digital computer-based systems, the quality requirements described in Clause 5.3 of IEEE Standard 7-4.3.2-2003 [80] should be addressed. Compliance with Clause 5.3 of IEEE Standard 7-4.3.2-2003 [80] is addressed in the following discussion and in Section 4.11.1.1.
The IOM Nuclear QA Program Manual (IOM-Q2) [31] is the upper tier corporate document that defines the quality requirements for the design, manufacturing and testing of the Tricon system and associated engineering services provided by IOM for the DCPP digital PPS Replacement Project. The IOM Corporate Nuclear Quality Assurance Manual (NQAM) (IOM-Q2) [31] commits to 10 CFR 50 Appendix B [151], 10 CFR 21 [154] and NQA-1-1994 [58] as governing regulations along with international QA standards as a basis for the IOM Nuclear QA Program Manual [31]. The program is implemented by QA procedure manuals for engineering (EDM), manufacturing (EDM), QA Program Manual (QPM), and project procedures manual (PPM). The IOM QAP has been reviewed by NRC in conjunction with the Tricon V10 Topical Report Submittal [13] and audited on numerous occasions at the Lake Forest, CA facilities.
The IOM QAP Manual (IOM-Q2) [31] associated with both Tricon operating software and project applications software was reviewed by NRC in conjunction with the Tricon V10 Topical Report Submittal [13], and IOM Document NTX-SER-09-021, Nuclear System Integration Program Manual (NSIPM) [32]. A description of the project processes and the basis for implementing project procedures is provided in the NSIPM.
Project procedures (i.e., the PPM) govern all quality-affecting Project activities performed by IOM personnel for the DCPP PPS Replacement Project. The NSIPM implements the requirements of the IOM NQAM [31], 10 CFR 50 Appendix B [151], NQA-1-1994 [58], and the applicable Regulatory Guides and industry standards.
4.2.11.3 CSI QA Program
The CSI document 9000-00000, "Quality Assurance Manual," Revision 4 [33] is the upper tier corporate document that defines the quality requirements for the design, manufacturing and testing of the ALS control systems and associated engineering services provided by CSI for the DCPP PPS Replacement Project.
The CSI QA Manual (QAM) [33] is under review by NRC in conjunction with the NRC review of the ALS Topical Report Submittal, document 6002-00301, Rev 1 [15]. The CSI QAM is based on 10 CFR 50 Appendix B [151]. Several 10 CFR 50 Appendix B [151] audits by utilities and vendors have also been conducted on the CSI QAM [33] and associated programs.
The CSI QA program described in the ALS System Topical Report Submittal [15], Section 10, "Quality," is based on 10 CFR Part 50, Appendix B [151].
As discussed in Docket 50-482, Amendment 181 to License No. NPF 42 [14], Wolf Creek Generating Station (WCGS) conducted a 10 CFR Part 50, Appendix B audit of CSI on September 10-13, 2007. The scope of the audit was "to evaluate the effectiveness and proper implementation of an acceptable QA Program for the supply of ALS Control Systems, including Engineering Design, Analysis & Production of an FPGA Control and Signal Processing Application in support of nuclear safety related work as it applies to 10 CFR Part 50, Appendix B [151], and 10 CFR Part 21 [154] for the nuclear industry." The report on that audit was issued on November 21, 2007 and states that CSI is a WCGS qualified supplier for the audited scope. This determination meets the guidance acceptance criteria in SRP Chapter 7 [4], Appendix 7.1-C, Section 5.3, "Quality."
Westinghouse conducted an independent 10 CFR Part 50, Appendix B [151] audit of CSI on October 25, 2007. The scope of the audit was "to evaluate the effectiveness and proper implementation of an acceptable QA Program for the supply of I&C Hardware and Engineering Design Services in support of nuclear safety related work as it applies to 10 CFR Part 50, Appendix B [151] and 10 CFR Part 21 [154] for the nuclear industry." A report on that audit was issued on November 10, 2008, and it states that CSI is a Westinghouse qualified supplier for the audited scope.
Clause 5.3 of IEEE 7-4.3.2-2003 [80] states that hardware quality is addressed in IEEE 603-1991 [21], and that software quality is addressed in IEEE/EIA Standard 12207.0-1996 [127] and supporting standards. The CSI QA program described in the ALS System Topical Report, Section 10 [15] is based on 10 CFR Part 50, Appendix B [151]. The ALS platform Life Cycle Management Process is described in Section 6 of the ALS System Topical Report Submittal [15].
Clause 5.3.1 of IEEE 7-4.3.2-2003 [80] requires an approved QA plan consistent with the requirements of IEEE/EIA 12207.0-1996 [127] for all software that is resident at run time.
As described in Section 2, the ALS platform has no resident software. Software is, however, used to design the ALS boards. The QA plan used for this effort is described in the ALS System Topical Report, Section 10 [15].
4.2.12 System Response Time (Section D.9.4.2.4 of DI&C-ISG-06 [1])
In accordance with IEEE 603-1991 [21], Clause 6.1, Automatic Control, which is addressed in Section 4.10.3.1 of this Enclosure, the PPS replacement equipment for DCPP is designed to work in cooperation with plant specific functional logic to automatically initiate and execute protective actions, with precision and reliability for the range of conditions specified. In order to complete a plant specific design, an evaluation must be performed to identify the existing setpoints, margins, errors, and response times to ensure that existing plant safety analysis assumptions are enveloped.
The response time for the current Eagle 21 PPS is 0.409 seconds based on Westinghouse WCAP-11082 [39]. The PPS replacement has been specified to have a response time that is less than or equal to the current Eagle 21 PPS. For the PPS replacement, relevant setpoints, margins, errors and response times required for input to the digital PPS design are provided in the DCPP Units 1 & 2 PPS Replacement FRS [28] and Westinghouse WCAP-11082 [39]. The PPS replacement is designed to operate within the bounds of the requirements provided in these documents so that the assumptions used in the existing safety analyses are not invalidated.
In accordance with DCPP Units 1 & 2 PPS Replacement FRS [28], the time response of the PPS processing instrumentation (from input signal conditioner to conditioned output signal) shall not exceed 0.409 seconds.
The analysis for response times will be provided in Phase 2 for NRC review.
4.2.13 Communications (Section D.1.2 of DI&C-ISG-06 [1])
The PPS replacement consists of four (4) Protection Sets architected such that each Protection Set is independent of and protected from adverse influence from the other Protection Sets. The PPS replacement does not utilize interdivisional safety-to-safety communications. The PPS replacement does incorporate interdivisional safety-to-non safety communications. The PPS replacement architecture ensures that communications between a safety division and non-safety equipment that resides within the Protection Set adhere to the guidance described in the ISG 4 Staff Positions. Figure 4-12 illustrates the communications architecture for the PPS replacement that meets NRC DI&C ISG 4 Staff [2] Position 1, Interdivisional Communications, as discussed in Section 4.8 of this LAR.
Figure 4-13 illustrates the communication architecture for a single Protection Set. The sections below discuss the communications for the Tricon and ALS portions of the PPS replacement.
4.2.13.1 Tricon-Based PPS Equipment Communications
The Tricon portion of the PPS replacement does not communicate data between redundant safety divisions. The P2P communication capability provided by the TCM is not used for the PPS replacement. The non-safety-related MWS [Section 4.2.9] within a redundant safety division communicates only with the safety-related controllers within that division. Two-way communications between the MWS and TCM are necessary because the TCM must be polled by the MWS in order to provide data. Additional information is provided in Section 4.8.
The PPS replacement design incorporates the NetOptics Model PA-CU port aggregator tap device shown in Figure 4-13 to ensure that only one-way communication takes place between the Tricon processors and the PPC Gateway Computer. The port aggregator tap is a hardware device that is installed between the Tricon processor, the MWS, and the Gateway computers. Ports A and B of the NetOptics are respectively connected to the Tricon TCM fiber optic NET2 port through a fiber optic-to-copper media converter and directly to the MWS associated with the Tricon via copper Ethernet. The data link protocol from the NetOptics to the MWS and to the TCM media converter is Triconex NET2. The port aggregator tap copies all information that is flowing between Ports A and B to Port 1. Neither Port A nor B can read data from Port 1, and Port 1 cannot transmit data to Port A or Port B.
The PPC Gateway is connected to Port 1 of the NetOptics device, thus providing one-way communications from the PPS replacement system to the PPC. This design ensures that no data or command messages can be sent from the PPC to the MWS.
There is no transmitting capability from NetOptics Port 1 back to Ports A or B, which ensures security of the Tricon safety function. This NetOptics device permits two-way communications between the Tricon TCM and the MWS, while permitting the PPC Gateway computer read-only access to the Tricon TCM and the MWS.
Although Figure 4-13 shows only one TCM installed in the Tricon Main Chassis (Slot 7L), the PPS replacement will utilize two TCM cards in each main chassis (Slots 7L and 7R). This will provide two non-safety-related communication paths to the MWS and the PPC Gateway Computer from each Protection Set to ensure continued communications if a single TCM fails.
The NetOptics Model PA-CU/PAD-CU(1) port aggregator network tap was approved previously by NRC for a similar application in the Oconee RPS SER Section 3.1.1.4.3 [18]. The NRC staff determined that due to the electrical isolation provided by use of fiber optic cables and the data isolation provided by the Port Tap and the Maintenance and Service Interface (MSI) in the Oconee RPS, there was reasonable assurance that a fault or failure within the Oconee Gateway computer or the Operator Aid Computer will not adversely affect the ability of the Oconee RPS to accomplish its safety functions.
During the SAT, PG&E will test the Protection Set communications paths illustrated in Figure 4-13 to verify that there is no inbound communications path associated with port aggregator network tap Port 1. That is, PG&E will verify that communications from Port 1 to either the TCM on Port A or the MWS on Port B of the port aggregator network tap are not permitted. Results of this test will be documented in the final System Verification and Validation Report. Port aggregator dual in-line package (DIP) switch positions will be controlled by DCPP configuration management processes.
(1) The NetOptics Model PAD-CU has two one-way output ports but is otherwise identical in function to the PA-CU.
4.2.13.2 FPGA-Based ALS Equipment Communications
There are no communication paths between redundant safety divisions in the ALS portion of the PPS replacement as shown in Figure 4-12 and Figure 4-13. The EIA-422 ALS communication channel from each ALS chassis to the Gateway computer is isolated, serial, one-way, as described in Section 2.2.1.3 of the ALS Topical Report Submittal [15] and Section 3.9 of the ALS 102 Design Specification [94]. The communication channel is provided by the ALS-102. Isolation of the ALS-102 communications channels is described in Section 3.9.1 of the 6002-10202 ALS-102 Design Specification [94]. The ALS-102B broadcasts data via communications channel TxB1 to the non-safety-related Gateway computer, which is common to all four Protection Sets. The TxB1 communications channel does not receive any data, handshaking, or instructions from the Gateway computer. The EIA-422 communications channels on the ALS-102 are inherently one-way. Thus, the ALS does not require use of the NetOptics device to prevent communication back to the ALS from the Gateway computer. The EIA-422 TxB2 communication channel that transmits data to the non-safety-related MWS is also serial, one-way with no handshaking.
The third ALS serial communications channel enables TAB functions between ASU maintenance software in the MWS and the ALS controller. This EIA-485 communication path is normally disabled, with two-way communications permitted only when a hardwired switch is closed to complete the circuit from the MWS back to the ALS. No communications are allowed on the TAB if the switch is open. As explained in Section 2.2 of the ALS Platform Specification [95], the Protection Set containing the ALS chassis with TAB communications enabled remains functional during this action.
The TAB is only allowed to monitor the state of internal registers and cannot affect safety-related data per ALS Requirements Specification [68] Section 7.2.
The two transmit-only EIA-422 communication channels, TxB1 and TxB2, and the TAB are described in Section 5 of the ALS Platform Specification [95], and Section 7 of the ALS Requirements Specification [68].
4.2.13.3 Non-safety-Related MWS
The non-safety-related MWS shown in Figure 4-3, Figure 4-12, and Figure 4-13 is used to maintain and configure the Tricon using the TriStation 1131 Developer's Workbench and also to view data from both the Tricon and ALS. In addition, when the TAB has been placed in service as described above, the MWS is used to perform the maintenance functions associated with the ASU described in Section 2.6.3 of the ALS Topical Report Submittal [15]. Thus, a single MWS may be used to view data from both the ALS and the Tricon and to maintain both the ALS and the Tricon in a given Protection Set.
A MWS may access data only within its own Protection Set. Communication with other Protection Sets is not permitted, and there are no means of connecting another Protection Set to another MWS without reconfiguring the Protection Set controllers and communications cabling. There are no communications switches in the architecture.
Direct access to safety-related Protection Set communications from outside the Protection Set is prevented by the NetOptics port aggregator network tap.
4.2.13.4 Tricon-Based PPS Equipment Communications with MWS
Communication between a safety-related Tricon controller and a non-safety device as shown in Figure 4-12 and Figure 4-13 is discussed in Sections 3.2 and 5.0 of the Triconex platform ISG-02 and ISG-04 compliance document [24] and Sections 4.1 and 5.0 of the DCPP ISG-04 compliance document [25]. Under operating plant conditions the MWS displays plant parameters, perhaps including division diagnostic information.
Access to functions beyond displaying data will be under administrative and physical controls. During plant on-line operation and during outages, the MWS will be used for injecting test values and modifying trip setpoints. Use of the MWS is in accordance with site-specific administrative (procedural) and physical-access controls to set and/or change Tricon safety system parameters while the channels are in bypass mode.
The application software utilizes the safety-critical Tricon library functions "GATENB" and "GATDIS" to control MWS access to the Tricon in RUN mode. To update a parameter, the technician places the safety-related instrument-loop-specific out of service switch in the closed position. The Tricon will activate the pre-programmed "GATENB" and "GATDIS" functions to open a data window of limited range. Prior to updating the parameter in the Tricon control program, the new value will be staged on the MWS screen for acknowledgement. After the changes have been made and the maintenance technician has placed the switch in the open position, the safety-related control logic will close the data window to prevent further changes. The MWS interface will also have protective measures built in, such as password-protected log-on and role-based security functions, to ensure only authorized individuals have the ability to update tuning parameters. If the out of service switch is de-activated before the change is made, the safety-related control logic will return the instrument loop to normal operation automatically. A similar series of request/confirm actions is used to direct maintenance and test functions from the MWS, always under control by the safety-related Tricon application program.
Section 4.0 of Appendix 1 to the Triconex platform conformance to DI&C ISG-02 and ISG-04 [24], "Non-safety VDU Communication To TRICON Example", discusses the use of the MWS and "GATENB/GATDIS". The GATENB/GATDIS functions are also discussed in Section 4.1 and Section 5.0, Point 3 of the DCPP specific evaluation of conformance to DI&C ISG-04 [25].
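The request/confirm sequence described above, as an added model that is not Triconex, PG&E, or TriStation application code: the GATENB/GATDIS library functions are only named in comments, and the class and function names (TunableParameter, DataWindow, update_sequence), the window range, and the sample setpoint values are hypothetical. The point it shows is that the safety side, not the MWS, decides whether a write is accepted: the window is open only while the hardwired switch is closed, values outside the limited range are rejected, and a value staged but not acknowledged before the switch is opened is discarded.

```python
# Added example: a small model of the switch-gated data window described
# above. Hypothetical names throughout; GATENB/GATDIS are referenced in
# comments only and their real behaviour is not reproduced here.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class TunableParameter:
    """A setpoint the MWS may change, with the limited range the window allows."""
    name: str
    value: float
    window_low: float
    window_high: float


@dataclass
class DataWindow:
    """Safety-side gate for MWS writes to one instrument loop.

    The window is open only while the hardwired out-of-service switch is
    closed (GATENB in the text); opening the switch closes it again (GATDIS)
    and discards any value that was staged but not yet acknowledged.
    """
    param: TunableParameter
    switch_closed: bool = False
    staged: Optional[float] = None
    log: List[str] = field(default_factory=list)

    def set_switch(self, closed: bool) -> None:
        """Technician closes or opens the loop-specific out-of-service switch."""
        self.switch_closed = closed
        if closed:
            self.log.append(f"GATENB: window open for {self.param.name}")
            return
        if self.staged is not None:
            self.log.append("switch opened before acknowledgement: staged value discarded")
        self.staged = None
        self.log.append(f"GATDIS: window closed, {self.param.name} loop back to normal")

    def stage(self, new_value: float) -> bool:
        """MWS request to stage a value; accepted only inside an open, in-range window."""
        if not self.switch_closed:
            self.log.append(f"reject {new_value}: window closed")
            return False
        if not self.param.window_low <= new_value <= self.param.window_high:
            self.log.append(f"reject {new_value}: outside window range")
            return False
        self.staged = new_value
        self.log.append(f"staged {new_value} for acknowledgement")
        return True

    def acknowledge(self, operator_authorized: bool) -> bool:
        """Technician acknowledges the staged value on the MWS.

        The role-based MWS check is modelled by a single flag; the safety
        side still requires the switch closed and a staged value.
        """
        if not (operator_authorized and self.switch_closed and self.staged is not None):
            self.log.append("acknowledgement rejected")
            return False
        self.param.value = self.staged
        self.staged = None
        self.log.append(f"{self.param.name} updated to {self.param.value}")
        return True


def update_sequence(window: DataWindow, new_value: float,
                    close_switch_first: bool, authorized: bool = True) -> float:
    """Run one full request/confirm sequence and return the resulting value."""
    if close_switch_first:
        window.set_switch(True)
    if window.stage(new_value):
        window.acknowledge(authorized)
    window.set_switch(False)        # switch opened: window closes again
    return window.param.value


if __name__ == "__main__":
    # Constructed sample values, not plant setpoints: a setpoint of 100.0
    # with a +/-10 window.
    p = TunableParameter("EXAMPLE_SP", 100.0, 90.0, 110.0)
    w = DataWindow(p)
    print(update_sequence(w, 105.0, close_switch_first=False))  # 100.0: window closed
    print(update_sequence(w, 105.0, close_switch_first=True))   # 105.0: accepted
    print(update_sequence(w, 150.0, close_switch_first=True))   # 105.0: out of range
    print("\n".join(w.log))
```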
The PPS replacement design incorporates the NetOptics Model PA-CU port aggregator device described in Section 4.2.13.1 to ensure that only one-way communication takes place between the Tricon processors and the PPC Gateway computer. The NetOptics device permits two-way communications between the Triconex TCM and the MWS, while permitting the PPC Gateway computer read-only access to the Tricon TCM and the MWS. Two-way communications between the TCM and the MWS are necessary because the TCM must be polled by the MWS in order to provide data.
Data isolation between the safety-related Tricon control processor and the non-safety MWS is performed by the safety-related TCM. Fiber optic cable electrically isolates the Tricon from external non-safety-related devices such as the NetOptics port aggregator network tap. DCPP PPS replacement specific TCM compliance with ISG-04 [2] is discussed in Sections 4.1 and 5.0 of the Triconex DCPP PPS ISG-04 Conformance Report [25].
4.2.13.5 FPGA-Based ALS PPS Equipment Communication with MWS
Communications from the ALS to the MWS are via the transmit-only (no handshake) ALS-102 communication channel TxB2. The TxB2 channel is a dedicated and independent serial communications channel which transmits application specific input and output states and values continuously to the ASU application implemented in the MWS. The TxB2 communications channel does not receive any data, handshaking, or instructions from the MWS. The EIA-422 communications channels on the ALS-102, as discussed in Section 3.9 of the 6002-61202 ALS 102 Design Specification [94], are electrically isolated and inherently one-way; therefore the use of the NetOptics device is not required.
Two-way TAB communications between ASU application software in the MWS and the ALS chassis are used to perform ALS maintenance and calibration functions. This EIA-485 communication path is normally disabled, with two-way communications permitted only when a hardwired switch is closed to complete the circuit between the MWS and the ALS chassis. No communications are allowed on the TAB if the switch is open per ALS Topical Report Submittal [15] Section 2.3.2.
4.3 Hardware Development Process (Section D.2 of DI&C-ISG-06 [1])
The hardware development process for the digital portions of the PPS replacement is discussed in the following sections for both the Tricon and the ALS. All safety-related digital hardware for the PPS replacement is being developed by IOM and CSI for their respective equipment, under PG&E contract.
Compliance with IEEE Standard 603-1991 [21], Clause 5.3 "Quality," is described in Sections 4.2.11 and 4.10.2.3 of this Enclosure. Compliance with IEEE Standard 7-4.3.2-2003 [80], Clause 5.3 "Quality," is described in Sections 4.2.11 and 4.11.1.1.
a) Tricon-Based PPS Equipment
Section 5.1.2 of the 7286-545-1 Tricon V10 Topical Report Submittal [13] describes the product development process for the Tricon platform. IOM document NTX-SER-09-05, "Differences between the Tricon V9.5.3 System and the Tricon V10.2.1 System" [146] discusses the differences between the previously approved Tricon V9.5.3 and the Tricon V10.2.1. One of the key differences between the V9.5.3 and the V10.2.1 is the fact that Triconex has added additional processes distinctively tailored to development of software used in designing and maintaining PLDs. Details of this process are provided in NTX-SER-09-06, "Triconex Development Processes for PLDs in Nuclear Qualified Products" [145].
b) FPGA-Based ALS PPS Equipment
CSI Document No. 9000-00311, "Electronics Development Procedure" [62] is the CSI quality control procedure for the development of all electrical and electronics assemblies. Section 5 of the procedure provides a flow diagram of the CSI hardware development process.
The ALS is a FPGA-based hardware logic system that does not execute software. This was discussed in Section 3.0 of Docket 50-482, Amendment 181 to License No. NPF 42 [14]. The FPGA is, however, configured by using software tools. Therefore the development of the configuration for the FPGA is similar to a traditional microprocessor based software development program. Section 4.5 of this LAR describes the configuration portion of the FPGA development. The process for the final hardware result of the FPGA configuration is discussed in 9000-00313, "FPGA Development Procedure" [61]. This procedure is the CSI quality control procedure for the development of the FPGA. This concept was previously approved in Section 3.0 of Docket 50-482, Amendment 181 to License No. NPF 42 [14].
4.4 Software Architecture (Section D.3 of DI&C-ISG-06 [1])
Following the LAR format recommended in DI&C-ISG-06 [1], the Software Architecture for IOM and CSI in support of the PPS replacement project following the guidance in BTP-7-14 [4], Section B.3.3.2 is described in the following sections.
a) Tricon-Based PPS Equipment
The software architecture for the Tricon portion of the PPS Replacement Project is described in the Tricon V10 Topical Report Submittal [13] Section 2.1.3. Triconex Document No. 993754-11-914, Protection System Replacement DCPP PPS System Architecture Description [144], provides further information regarding the Triconex platform operating system software and also provides an overview of the application software architecture and function. More detailed information regarding the PPS application is provided in the SRS [75].
b) FPGA-Based ALS PPS Equipment
The ALS is a FPGA-based hardware logic system that does not utilize executable software. It instead incorporates a collection of logic elements such as "and" gates, "or" gates, bistable flip-flops, registers, inverters, adders, and other digital logic. Some logic elements are combinations of individual gates. The "field programmable" portion of the name refers to the ability of the end user to determine the functionality of the FPGA.
The FPGA logic elements are arranged in an array of open connections. This could be compared to a series of similar but unconnected discrete logic elements on a breadboard, where the functionality of the overall circuit is undetermined until the connections are made. The FPGA also contains a series of reconfigurable interconnects that allow the logic elements to be "wired together." An FPGA configured for a particular application results in a fixed piece of hardware comprised of basic logic and FSMs. A fixed hardware device comprised of basic logic and FSMs results in a completely deterministic circuit capable of realizing multiple aspects of the particular application functionality in a discrete non-sequential evaluation manner.
Further information regarding the generic ALS architecture is provided in 6002-00011 ALS Platform Specification [95] and the ALS Topical Report Submittal [15]. Further information regarding the PPS replacement specific software architecture is provided in section 2 of 6116-00011 Diablo Canyon PPS System Design Specification [19] and the ALS-102 FPGA Requirements Specification [20].
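The fixed-hardware behaviour described above (basic logic plus FSMs, evaluated concurrently with no instruction stream) can be illustrated with a small model. The following Python is an added example and is not code from this LAR, from CSI, or from the ALS design: it models a constructed 2-out-of-3 trip vote with a seal-in flip-flop as a netlist of gates, clocks constructed sample values through it, and shows that the result depends only on the connectivity, not on the order in which the gates are listed. Every net and gate name, the setpoint and the sample values are hypothetical.

```python
"""Added example, not from the PG&E LAR or the CSI ALS design: a small Python
model of the fixed logic an FPGA configuration produces.  The constructed
circuit is a 2-out-of-3 trip vote built from AND/OR/NOT gates plus one
flip-flop that seals in the trip until reset.  All net and gate names are
hypothetical."""
import random

# Netlist entries: (output_net, gate_type, input_nets).  Combinational gates
# hold no state; "DFF" is a D flip-flop that captures its D input on the
# clock edge and presents it as Q until the next edge.
TRIP_NETLIST = [
    ("ab", "AND", ("a", "b")),
    ("bc", "AND", ("b", "c")),
    ("ac", "AND", ("a", "c")),
    ("ab_or_bc", "OR", ("ab", "bc")),
    ("vote", "OR", ("ab_or_bc", "ac")),        # 2-of-3 majority of channels
    ("not_reset", "NOT", ("reset",)),
    ("hold", "AND", ("trip_q", "not_reset")),  # seal-in of the latched trip
    ("trip_d", "OR", ("vote", "hold")),
    ("trip_q", "DFF", ("trip_d",)),            # latched trip output
]

GATE_FUNCS = {
    "AND": lambda ins: all(ins),
    "OR": lambda ins: any(ins),
    "NOT": lambda ins: not ins[0],
}


class FixedLogic:
    """Evaluates a fixed netlist once per clock: all combinational nets settle
    from the inputs and flip-flop outputs, then every flip-flop captures its D
    input.  There is no instruction stream; the only state carried between
    clocks is the flip-flop contents, which is what makes the behaviour
    deterministic and independent of any evaluation order."""

    def __init__(self, netlist):
        self.netlist = list(netlist)
        self.comb = [g for g in self.netlist if g[1] != "DFF"]
        self.flops = {out: False for out, kind, _ in self.netlist if kind == "DFF"}

    def _settle(self, nets):
        # Repeatedly evaluate gates whose inputs are known until nothing
        # changes.  An acyclic combinational network settles within one pass
        # per logic level, so len(comb) + 1 passes is a safe upper bound.
        for _ in range(len(self.comb) + 1):
            changed = False
            for out, kind, ins in self.comb:
                if all(n in nets for n in ins):
                    val = GATE_FUNCS[kind]([nets[n] for n in ins])
                    if nets.get(out) is not val:
                        nets[out] = val
                        changed = True
            if not changed:
                return nets
        raise RuntimeError("combinational loop or undriven net")

    def clock(self, inputs):
        nets = dict(inputs)
        nets.update(self.flops)                  # Q outputs are visible as nets
        nets = self._settle(nets)
        for out, kind, ins in self.netlist:
            if kind == "DFF":
                self.flops[out] = nets[ins[0]]   # capture D on the clock edge
        return dict(self.flops)


def run_sequence(netlist, samples, setpoint):
    """Clock a sequence of three-channel process samples through the logic.
    Channel nets a, b, c are True when the sample exceeds the setpoint.
    Returns the latched trip output after each clock."""
    logic = FixedLogic(netlist)
    trace = []
    for s in samples:
        inputs = {ch: s[ch] > setpoint for ch in ("a", "b", "c")}
        inputs["reset"] = s.get("reset", False)
        trace.append(logic.clock(inputs)["trip_q"])
    return trace


# Constructed sample data in arbitrary engineering units (not plant values).
SETPOINT = 100
SAMPLES = [
    {"a": 90, "b": 92, "c": 91},                  # all channels below setpoint
    {"a": 105, "b": 93, "c": 91},                 # one channel high: no trip
    {"a": 105, "b": 104, "c": 91},                # two channels high: trip
    {"a": 95, "b": 96, "c": 91},                  # back below: trip sealed in
    {"a": 95, "b": 96, "c": 91, "reset": True},   # reset clears the latch
]


def shuffled_netlist_matches(seed=1234):
    """Show that the result does not depend on the order the gates are listed
    (configured hardware has only connectivity, no program order)."""
    shuffled = list(TRIP_NETLIST)
    random.Random(seed).shuffle(shuffled)
    return run_sequence(TRIP_NETLIST, SAMPLES, SETPOINT) == run_sequence(
        shuffled, SAMPLES, SETPOINT)


if __name__ == "__main__":
    print(run_sequence(TRIP_NETLIST, SAMPLES, SETPOINT))  # [False, False, True, True, False]
    print(shuffled_netlist_matches())                      # True
```

The single-channel excursion in the second sample does not trip, the two-channel excursion in the third does, and the flip-flop holds the trip through the fourth sample until the reset input clears it. Shuffling the netlist leaves the trace unchanged, which is the property the paragraph above describes: once configured, the device is a fixed circuit whose behaviour is a function of its wiring and its register state only.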
4.5 Software Development Process (Section D.4 of DI&C-ISG-06 [1])
IEEE Standard 7-4.3.2-2003 [80], Clause 5.3.1 states:
Computer software shall be developed, modified, or accepted in accordance with an approved software QA plan consistent with the requirements of IEEE/EIA 12207.0-1996. The software QA plan shall address all software that is resident on the computer at run time (i.e., application software, network software, interfaces, operating systems, and diagnostics). Guidance for developing software QA plans can be found in International Electrotechnical Commission (IEC) 60880 (1986-09) [128] and IEEE Std 730-1998 [129].
The software plans and specifications addressing software development for the DCPP PPS replacement are addressed in the following sections for both the Tricon and the ALS. All safety-related software for the PPS replacement is being developed under PG&E contract by these two suppliers, IOM and CSI, for their respective equipment.
The following sections provide a description of each of the software plans associated with life cycle development for the respective platform applications for the DCPP PPS replacement. The PG&E PPS Replacement Project also has developed a project specific System Quality Assurance Plan (SyQAP) [52] and System Software Verification and Validation Plan [53], as described in the following sections, to address PG&E responsibilities after turnover from the vendors.
a) IOM
Sections 2.3 and 2.4 of the Tricon V10 Topical Report Submittal [13] describe the QA program and software life cycle processes for the design and qualification of the Tricon platform software (operating system software, application and software development tools). Section 2.3.2 of Reference [13] describes the software life cycle planning processes of the design and qualification of the Tricon platform.
The IOM NQAM Manual [31] describes the program measures incorporated by IOM to ensure the Tricon application software attains a level of quality commensurate with its importance to safety functions and required by 10 CFR 50 Appendix B [151], performs the required safety functions correctly, and conforms to established technical and documentation requirements, conventions, rules, and industry standards. The Triconex QPM applies to application software developed for all Tricon projects in the U.S., including the PPS Replacement Project.
b) CSI
Section 6 of the ALS Topical Report Submittal [15] describes the QA and software life cycle processes for the development of ALS boards and systems. Section 6.2 of Reference [15] describes the software life cycle planning documentation required for software development on the ALS digital platform. A listing of the specific software planning documents described in the following sections is included in Section 12 of Reference [15].
The CSI QAM [33] describes the program measures incorporated by CSI to ensure all 10 CFR Appendix B [151] requirements are met in the development of ALS boards and systems, as approved previously by NRC under Docket 50-482, Amendment 181 to License No. NPF-42 [14] for use in an MFW isolation system (MSFIS) application at the WCGS.
4.5.1 Software Management Plan (Section D.4.4.1.1 of DI&C-ISG-06 [1])
Following the LAR format recommended in DI&C-ISG-06 [1], software management for PG&E and the Software Management Plan (SMP) for both IOM and CSI in support of the PPS replacement project and complying with IEEE Standard 7-4.3.2-2003 [80], Clause 5.3.1 and BTP-7-14 [4], are described in the following sections.
4.5.1.1 PG&E
PG&E will not develop software for the PPS replacement. DCPP Program Directive CF2 [49] and procedures CF2.1D2 [50] and CF2.1D9 [51] control software development throughout the remaining life cycle phases (i.e., Operations, Maintenance, Retirement) under the control of PG&E after development and delivery of software and/or systems to PG&E from the 10 CFR 50 Appendix B Suppliers.
4.5.1.2 IOM
Triconex Document No. 993754-1-905, PPS Replacement DCPP Project Management Plan (PMP) [69], meets the guidance of BTP 7-14 Section B 3.1.1 [4] and NRC RG 1.173, "Developing Software Life Cycle Processes for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," [136] and describes the management process for the PPS Replacement Project to ensure adherence to the IOM quality and process requirements for the development of nuclear safety-related software and hardware.
This plan addresses the following areas:
- Project Organization
- Management Oversight
- Organizational and Personnel Responsibilities
- Project Risks
- Development Environment and Product Security
4.5.1.3 CSI
CSI Document No. 6002-00000, ALS Management Plan [59], meets the guidance of BTP 7-14 Section B3.1.1 [4] and defines the process used to manage the ALS Platform development project and overall project life-cycle. The Management Plan follows the CSI QA program as defined in the CSI Document 9000-00000, "Quality Assurance Manual," Revision 4 [33]. This management plan addresses two aspects of ALS platform management: 1) development project management and 2) overall product life-cycle management.
CSI Document No. 6116-00000, DCPP ALS Management Plan [60], meets the guidance of BTP 7-14 Section B3.1.1 [4] and NRC RG 1.173, "Developing Software Life Cycle Processes for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," [136] and defines the process used to manage the PPS Replacement project and overall product life-cycle. This plan follows the CSI QA program as defined in the CSI QA Manual, Rev 4 [33] and defines the set of unique activities as defined in IEEE Standard 1058-1998 "IEEE Standard for Software Project Management Plans" [137], for delivery of the ALS-based chassis portion of the PPS replacement system.
4.5.2 Software Development Plan (Section D.4.4.1.2 of DI&C-ISG-06 [1])
Following the LAR format recommended in DI&C-ISG-06 [1], the Software Development Plans (SDP) for both IOM and CSI in support of the PPS Replacement Project and complying with IEEE Standard 7-4.3.2-2003 [80], Clause 5.3.1 and BTP-7-14 [4], are described in the following sections.
4.5.2.1 PG&E
PG&E will not develop software for the PPS replacement.
4.5.2.2 IOM
Triconex Document No. 993754-1-905, PPS Replacement DCPP PMP [69], meets the guidance of BTP 7-14 Section B 3.1.2 [4] and NRC RG 1.173, "Developing Software Life Cycle Processes for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," [136] and defines the development processes for the PPS Replacement Project to ensure adherence to the IOM quality and process requirements for the development of nuclear safety-related software and hardware.
This plan addresses the following areas:
- Project Organization
- Management Oversight
- Organizational and Personnel Responsibilities
- Project Risks
- Development Environment and Product Security
Triconex uses a standardized project management process to assess risks, as described in Sections 3.4 and 3.5 of the Triconex DCPP Software PMP [69]. This methodology is used to identify, assess, monitor, and control areas of risk that arise during the software development project. In the course of project execution, the project risks are monitored, and the current assessment is reviewed to determine if it needs to be modified.
4.5.2.3 CSI
CSI Document No. 6002-00000, ALS Management Plan [59], meets the guidance of BTP 7-14 Section B3.1.2 [4] and defines the process used to manage the ALS Platform development project and overall project life-cycle. The Management Plan follows the CSI QA program as defined in the CSI Document 9000-00000, "Quality Assurance Manual," Revision 4 [33]. This management plan addresses two aspects of ALS platform management: 1) development project management and 2) overall product life-cycle management.
CSI Document No. 6116-00000, DCPP ALS Management Plan [60], meets the guidance of BTP 7-14 Section B3.1.2 [4] and NRC RG 1.173, "Developing Software Life Cycle Processes for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," [136] and defines the process used to manage the PPS Replacement project and overall product life-cycle. This plan follows the CSI QA program as defined in the CSI QA Manual, Rev 4 [33] and defines the set of unique activities as defined in IEEE Standard 1058-1998 "IEEE Standard for Software Project Management Plans" [137], for delivery of the ALS-based chassis portion of the PPS replacement system.
As described in the ALS Topical Report Submittal [15], Section 12, risk management for the ALS platform is a part of the SVP. This is included as part of the Life Cycle and is documented in the DCPP ALS Management Plan [60]. The ALS Life Cycle Management Process is described in Section 6 of ALS Topical Report Submittal [15].
4.5.3 Software QA Plan (Section D.4.4.1.3 of DI&C-ISG-06 [1])
Following the LAR format recommended in DI&C-ISG-06 [1], the Software QA Plan (SQAP) for IOM, CSI and PG&E in support of the PPS replacement project and complying with IEEE Standard 7-4.3.2-2003 [80], Clause 5.3.1 and BTP-7-14 [4], are described in the following sections.
4.5.3.1 PG&E
The DCPP SyQAP for the PPS Replacement Project [52] meets the guidance of BTP 7-14 Section B3.1.3 [4] and NRC RG 1.173, "Developing Software Life Cycle Processes for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," [136] and defines the activities to be followed in the design, development, review and testing for the PPS Replacement project, by PG&E, IOM and CSI. This plan establishes the goals, processes, and responsibilities required to implement effective software quality management for the PPS replacement software, ensure any required software performs correctly, and that the required software functions conform to established regulatory requirements, technical requirements, conventions, rules and standards. To achieve these goals, software development will proceed in a traceable, planned and orderly manner. Throughout this plan, "software" is used when referring to firmware and logic developed from software based development systems.
4.5.3.2 IOM
Triconex Document No. 993754-1-801, PPS Replacement DCPP SQAP [71], meets the guidance of BTP 7-14 Section B 3.1.3 [4] and NRC RG 1.173, "Developing Software Life Cycle Processes for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," [136] and defines the activities to be followed in the design, development, review, and testing for the IOM scope of supply in the PPS Replacement Project.
4.5.3.3 CSI
CSI Document No. 6002-00001 ALS QA Plan [63], meets the guidance of BTP 7-14 Section B3.1.3 [4] and NRC RG 1.173, "Developing Software Life Cycle Processes for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," [136] and defines the techniques, procedures, and methodologies that will be used by CSI to assure quality in the design and test developments of the ALS platform, and in particular in the FPGA design and test activities performed as part of the platform development and implementation for the PPS Replacement Project.
4.5.4 Software Integration Plan (Section D.4.4.1.4 of DI&C-ISG-06 [1])
Following the LAR format recommended in DI&C-ISG-06 [1], the Software Integration Plans for IOM and CSI in support of the PPS replacement project and complying with IEEE Standard 7-4.3.2-2003 [80], Clause 5.3.1 and BTP-7-14 [4], are described in the following sections.
4.5.4.1 IOM
Triconex Document No. 993754-1-910 DCPP Tricon PPS Software Integration Plan [76], meets the guidance of BTP 7-14 Section B 3.1.3 [4] and NRC RG 1.173, "Developing Software Life Cycle Processes for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," [136] and describes the system integration strategy for integrating the V10 Tricon Protection Set software functions together into a TSAP, integrating the TSAP with the hardware, and the steps involved in the software integration process.
4.5.4.2 CSI
CSI Document No. 9000-00313 FPGA Development Procedure [61], meets the guidance of BTP 7-14 Section B3.1.4 [4] and NRC RG 1.173, "Developing Software Life Cycle Processes for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," [136] and defines the CSI FPGA Development Procedure for all phases of FPGA development for the ALS scope of supply in the PPS Replacement Project.
CSI Document No. 9000-00311 Electronics Development Procedure [62], meets the guidance of BTP 7-14 Section B3.1.4 [4] and NRC RG 1.173, "Developing Software Life Cycle Processes for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," [136] and defines the ALS procedure for development of all electrical and electronics assemblies. This plan includes specifying and designing electronics circuit designs, mechanical packaging, test procedures and test equipment in the ALS scope of supply for the PPS Replacement Project.
4.5.5 Software Safety Plan (Section D.4.4.1.9 of DI&C-ISG-06 [1])
Following the LAR format recommended in DI&C-ISG-06 [1], the Software Safety Plan (SSP) for IOM and CSI in support of the PPS replacement project and complying with IEEE Standard 7-4.3.2-2003 [80], Clause 5.3.1 and BTP-7-14 [4], are described in the following sections.
4.5.5.1 PG&E
PG&E will not develop software for the PPS replacement. Control of 10 CFR 50 Appendix B supplier software products while they are in PG&E's possession during the SAT and Design Verification Test is prescribed by the PG&E SyQAP and SVVP.
4.5.5.2 IOM
Triconex Document No. 993754-1-911, PPS Replacement DCPP SSP [72], meets the guidance of BTP 7-14 Section B 3.1.3 [4] and NRC RG 1.173, "Developing Software Life Cycle Processes for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," [136] and addresses the process and activities intended to improve software safety throughout the PPS software development lifecycle. The SSP for the IOM portion of the PPS Replacement is written based on the guidance provided by ISG-6 [1], IEEE Standard 1228-1994 [138] and NUREG/CR-6101 [139].
4.5.5.3 CSI
CSI Document No. 6116-00000 Diablo Canyon PPS Management Plan Section 5.11 [60], meets the guidance of BTP 7-14 Section B3.1.3 [4] and NRC RG 1.173, "Developing Software Life Cycle Processes for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," [136] and establishes the approach to addressing software safety in the FPGA design and test activities performed as part of the platform development and implementation for the PPS Replacement Project.
4.5.6 Software V&V Plan (Section D.4.4.1.10 of DI&C-ISG-06 [1])
Following the LAR format recommended in DI&C-ISG-06 [1], the SVVP for IOM, CSI and PG&E in support of the PPS Replacement Project and complying with IEEE Standard 7-4.3.2-2003 [80], Clause 5.3.1 and BTP-7-14 [4], are described in the following sections.
4.5.6.1 PG&E
DCPP Project Procedure, System Verification and Validation Plan (SyVVP) for the PPS Replacement Project [53] meets the guidance of BTP 7-14 Section B3.1.3 [4] and NRC RG 1.173, "Developing Software Life Cycle Processes for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," [136] and defines the activities to be followed in the verification and validation for the PPS Replacement project, by PG&E, IOM and CSI.
4.5.6.2 IOM
Triconex Document No. 993754-1-802, PPS Replacement DCPP SVVP [73], meets the guidance of BTP 7-14 Section B 3.1.3 [4] and NRC RG 1.173, "Developing Software Life Cycle Processes for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," [136] and establishes the requirements for the V&V process to be applied to the TSAP software developed for the PPS Replacement Project, running on the safety-related V10 Tricon platform hardware. This SVVP also defines when, how, and by whom specific V&V activities are to be performed.
4.5.6.3 CSI
CSI Document No. 6002-00003 DCPP ALS V&V Plan [54], meets the guidance of BTP 7-14 Section B3.1.3 [4] and NRC RG 1.173, "Developing Software Life Cycle Processes for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," [136] and defines the techniques, procedures, and methodologies that will be used by CSI to provide independent Verification and Validation (IV&V) in the design and test development of the ALS platform, and in particular in the FPGA design and test activities performed as part of the platform development and implementation for the PPS Replacement Project.
4.5.7 SCMP (Section D.4.4.1.11 of DI&C-ISG-06 [1])
Following the LAR format recommended in DI&C-ISG-06 [1], the SCMP for IOM and CSI in support of the PPS Replacement Project and complying with IEEE Standard 7-4.3.2-2003 [80], Clause 5.3.1 and BTP-7-14 [4], are described in the following sections.
4.5.7.1 PG&E
DCPP Procedure CF2.1D2, Software Configuration Management for Plant Operations and Operations Support [50], meets the guidance of BTP 7-14 Section B3.1.3 [4] and NRC RG 1.173, "Developing Software Life Cycle Processes for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," [136] and defines the activities to be followed in the Operations and Operations Support software configuration management for the PPS Replacement project.
4.5.7.2 IOM
Triconex Document No. 993754-1-909, PPS Replacement DCPP CMP [77], meets the guidance of BTP 7-14 Section B 3.1.3 [4] and NRC RG 1.173, "Developing Software Life Cycle Processes for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," [136]. This CMP defines how Software Configuration Management is to be applied within the IOM scope according to RG 1.169 [132], which endorses IEEE Standard 828-1998 [140]. IEEE Standard 828-1998 (Standard for Software Configuration Management Plans) establishes the minimum required content of the SCMP. These standards are supplemented by IEEE Standard 1042-1998 [141], which provides approaches to good software configuration management planning.
4.5.7.3 CSI
CSI Document No. 6002-00002 ALS CMP [66], meets the guidance of BTP 7-14 Section B3.1.3 [4] and NRC RG 1.173, "Developing Software Life Cycle Processes for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," [136] and describes the Configuration Management organization and practices used for baseline control of ALS related configuration items.
4.5.8 Software Test Plan (Section D.4.4.1.12 of DI&C-ISG-06 [1])
Following the LAR format recommended in DI&C-ISG-06 [1], the Software Test Plan (STP) for IOM and CSI in support of the PPS Replacement Project and complying with IEEE Standard 7-4.3.2-2003 [80], Clause 5.3.1 and BTP-7-14 [4], are described in the following sections.
4.5.8.1 IOM
Triconex Document No. 993754-1-813, PPS Replacement DCPP STP [74], meets the guidance of BTP 7-14 Section B 3.1.3 [4] and NRC RG 1.173, "Developing Software Life Cycle Processes for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," [136]. This STP defines the scope, approach, and resources of the testing activities that are required to be performed for the V10 Tricon portion of the DCPP PPS replacement to support the following:
- To detail the activities required to prepare for and conduct the system integration tests.
- To identify the tasks for responsible teams to perform and the schedule to be followed in performing the tasks.
- To define the sources of the information used to prepare the plan.
- To define the test tools and environment needed to conduct the system test.
4.5.8.2 CSI
CSI Document No. 6116-00005 DCPP PPS System Test Plan [67], meets the guidance of BTP 7-14 Section B3.1.3 [4] and NRC RG 1.173, "Developing Software Life Cycle Processes for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," [136] and covers the design verification, acceptance and release testing of the ALS portion of the PPS Replacement Project.
4.5.9 Software Requirement Specification (Section D.4.4.3.1 of DI&C-ISG-06 [1])
Following the LAR format recommended in DI&C-ISG-06 [1], the SRS for IOM and CSI in support of the PPS replacement project and complying with IEEE Standard 7-4.3.2-2003 [80], Clause 5.3.1 and BTP-7-14 [4], are described in the following sections.
These are developed based on the owner requirements identified in the following PG&E Documents:
- DCPP Units 1 & 2 PPS Replacement FRS [28]
4.5.9.1 IOM
Triconex has developed the SRS for the PPS Replacement Project in four documents, with one applicable to each Protection Set as follows:
- Triconex Document No. 993754-12-809, PPS Replacement DCPP SRS Protection Set II [75]
- Triconex Document No. 993754-13-809, PPS Replacement DCPP SRS Protection Set III [75]
- Triconex Document No. 993754-14-809, PPS Replacement DCPP SRS Protection Set IV [75]
Each of these documents meets the guidance of BTP 7-14 Section B 3.1.3 [4] and NRC RG 1.173, "Developing Software Life Cycle Processes for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," [136] and defines how the conformed software design specifications (SDS) are to be satisfied by the project-specific design for the IOM scope of supply in the PPS Replacement Project. Each of these documents also meets the guidance provided in NRC RG 1.172, "Software Requirements Specifications for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," [135], which endorses IEEE Standard 830-1993, "IEEE Recommended Practice for Software Requirements Specifications" [143].
Each SRS addresses the following for the associated Protection Set:
- Functionality: what the software is supposed to do
- External interfaces: how the software interacts with people, the system's hardware, other hardware, and other software
- Performance: the speed, availability, response time, and recovery time of the software functions
- Attributes: portability, correctness, maintainability, security, etc.
- Design constraints imposed on an implementation: any required standards in effect, implementation language, policies for database integrity, resource limits, or operating environment(s)
4.5.9.2 Westinghouse/CSI
Westinghouse/CSI has developed the SRS documentation for both the platform and also for the specific PPS Replacement Project requirements as follows:
- CSI Document No. 6002-00010, ALS Platform Requirements Specification, R7 [68]
- Westinghouse Document No. WNA-DS-02442-PGE, Revision 2, ALS System Requirements Specification [17]
Each of these documents meets the guidance of BTP 7-14 Section B3.1.3 [4] and NRC RG 1.173, "Developing Software Life Cycle Processes for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," [136]. Each of these documents also meets the guidance provided in NRC RG 1.172, "Software Requirements Specifications for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," [135], which endorses IEEE Standard 830-1993, "IEEE Recommended Practice for Software Requirements Specifications" [143].
CSI Document No. 6002-00010, ALS Platform Requirements Specification [68], establishes the performance, design, manufacture, test and acceptance requirements for the ALS platform in support of the ALS Topical Report Submittal [15] submitted to the NRC.
Westinghouse ALS System Requirements Specification [17], establishes the specific performance, design, manufacture, test and acceptance requirements for the DCPP Replacement Project using the ALS platform. It identifies design and test requirements and criteria and references functional requirements which are applicable to the system design. It also provides requirements for functional features, defines normal and abnormal plant conditions during which the ALS must operate, and identifies applicable QA and verification and validation programs.
4.5.10 Software Design Specification (Section D.4.4.3 of DI&C-ISG-06 [1])
Following the LAR format recommended in DI&C-ISG-06 [1], the SDS for IOM and CSI in support of the PPS replacement project and complying with IEEE Standard 7-4.3.2-2003 [80], Clause 5.3.1 and BTP-7-14 [4], are described in the following sections.
4.5.10.1 IOM
In the IOM software development process, the SRS is equivalent to the Software Design Description (SDD) in DI&C-ISG-06 [1] Section D.4.4.3.3.
The SRS for the PPS Replacement Project is made up of four documents, with one applicable to each Protection Set as follows:
- Triconex Document No. 993754-12-809, PPS Replacement DCPP SRS Protection Set II [75]
The SDD for the IOM scope of the PPS Replacement Project will be submitted to the NRC for review in Phase 2.
4.5.10.2 CSI
CSI has developed the System Design Specification documentation for both the platform and also for the specific PPS Replacement Project requirements as follows:
- CSI Document No. 6002-00011, ALS Platform Specification [95]
Each of these documents meets the guidance of BTP 7-14 Section B3.1.3 [4] and NRC RG 1.173, "Developing Software Life Cycle Processes for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," [136]. Each of these documents also meets the guidance provided in NRC RG 1.172, "Software Requirements Specifications for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," [135], which endorses IEEE Standard 830-1993, "IEEE Recommended Practice for Software Requirements Specifications" [143].
CSI Document No. 6002-00011, ALS Platform Specification [95], is the highest level specification for the ALS platform and describes the general philosophy and functionality in support of the ALS Topical Report Submittal [15].
CSI Document No. 6116-00011, DCPP PPS ALS System Design Specification [19], provides the specification for the ALS component as part of the PPS Replacement Project. CSI is responsible for the ALS subsystem portion of the PPS system for Protection Sets 1-4. The ALS PPS subsystem includes ALS chassis hardware, ALS I/O cards (A & B), ALS CLBs with programmed functional logic (A & B), MWS software, standard cabling for terminating to ALS I/O boards, and logic validation and testing to verify the Protection Set safety functions.
4.6 Environmental Equipment Qualification (Section D.5.2 of DI&C-ISG-06 [1])
IEEE Standard 603-1991 [21], Clause 5.4 states:
Safety system equipment shall be qualified by type test, previous operating experience, or analysis, or any combination of these three methods, to substantiate that it will be capable of meeting, on a continuing basis, the performance requirements as specified in the design basis. Qualification of Class 1E equipment shall be in accordance with the requirements of IEEE Std 323-1983 and IEEE Std 627-1980.
Refer to Section 4.11.1.2 of this Enclosure for details regarding compliance with the additional requirements of IEEE Standard 7-4.3.2-2003 [80].
4.6.1 Triconex Qualification
The Tricon portion of the PPS replacement incorporates the standard Tricon platform described in the Triconex Tricon V10 Topical Report Submittal [13], which was submitted to the NRC on December 20, 2010.
Section 2 of the Tricon V10 Topical Report [13] provides a summary of the equipment testing and analysis performed to meet the requirements of IEEE 603-1991 [21], IEEE Standard 323-1983 [65], EPRI TR-107330 [81], EPRI TR-102323 Revision 1 [79] and RG 1.180 Revision 1 [23]. This report addresses the specific required environmental conditions and testing/analysis performed to qualify this equipment. This testing/analysis confirmed that the Tricon safety system is fully qualified and capable of performing its designated safety functions while exposed to normal, abnormal, test, accident, and post-accident environmental conditions, as required.
Analysis of all components being installed as part of the Tricon portion of the PPS replacement to PG&E Environmental Quality (EQ) requirements will be provided in Phase 2.
4.6.2 ALS Qualification
The ALS portion of the PPS replacement incorporates the standard ALS platform described in the ALS Topical Report Submittal [15], which was submitted to the NRC on August 11, 2010.
Section 4 of the ALS Topical Report Submittal [15] provides a summary of the equipment testing and analysis performed for the ALS platform to meet the requirements of IEEE 603-1991, IEEE Standard 323-1983 [65], EPRI TR-107330, EPRI TR-102323 Revision 1 [79] and RG 1.180 Revision 1 [23]. This report addresses the specific required environmental conditions and testing/analysis performed to qualify this equipment. This testing/analysis confirmed that the ALS safety system is fully qualified and capable of performing its designated safety functions while exposed to normal, abnormal, test, accident, and post-accident environmental conditions, as required.
Analysis of all components being installed as part of the ALS portion of the PPS replacement to PG&E EQ requirements will be provided in Phase 2.
4.6.3 Ancillary Safety-Related Equipment Utilized in the PPS Replacement Project
Components that were not included in either the Triconex or ALS qualification testing program but are utilized in the PPS replacement were either purchased as 1E or qualified in accordance with the DCPP QAP [142], regulatory requirements, and standards provided by EPRI TR-107330 [122], RG 1.180 Revision 1 [23], 10 CFR 50 Appendix B [151], RG 1.100 Revision 2 [118], IEEE Standard 344-1975, IEEE Standard 381-1977, and Section 5.4 of IEEE Standard 603-1991 [21]. This equipment includes, but is not limited to:
- Rack power supplies
- Isolators
- Bypass switches
- Trip switches
- Termination modules
- Fuses
4.7 Defense-in-Depth & Diversity (Section D.6 of DI&C-ISG-06 [1])
The PPS replacement was designed to address diversity through use of Tricon and ALS subsystems and the diversity provided by the existing NIS, Class II contacts, and AMSAC.
PG&E submitted the D3 topical report for the PPS replacement to the NRC for approval ([6], ADAMS Accession No. ML 02580726) and the NRC has issued a SER for the D3 topical report ([7], ADAMS Accession No. ML110480845). The staff evaluated the PPS replacement D3 topical report in accordance with the guidance in NUREG-0800 [4], BTP 7-19, "Guidance for Evaluation of D3 in Digital Computer Based Instrumentation and Control Systems," Revision 5, March 2007, as well as the supplemental guidance provided by DI&C-ISG-02, "Task Working Group #2: D3 Issues, Interim Staff Guidance," Revision 2, dated June 5, 2009 ([3], ADAMS Accession No. ML091590268). The SER for the D3 topical report concluded that the PPS replacement changes will not adversely impact the safety determination that was made for the Eagle 21 digital PPS and that there is adequate D3 within the PPS replacement such that plant responses to the design basis events concurrent with potential software CCF meet the acceptance criteria specified in BTP 7-19 [4].
In the SER for the D3 topical report, for NRC Staff Position 4, "Effects of CCF," in DI&C-ISG-02, the staff stated that partial losses of the Tricon and the ALS portions of the PPS due to software CCF were not addressed, and therefore the licensee will be required to develop and submit an FMEA to address this issue. The FMEA for the Tricon and ALS is addressed in Section 4.10.2.1.1.
In the SER for the D3 topical report, for NRC Staff Position 7, "Single Failure," in DI&C-ISG-02 [3], the staff stated because the PPS system design was not complete, it was not possible for the NRC staff to confirm that the documented basis for diversity is included in the overall system design. The single failure evaluation for the Tricon and ALS is addressed in Section 4.10.2.1. In the SER for the D3 topical report, for NRC Staff Position 7, "Single Failure," the staff also stated the displays and controls used should be independent and diverse from the computer-based PPS system. The information displays are addressed in Section 4.10.2.8 and the independence of the design is addressed in Section 4.10.2.6.
The Tricon portion of the PPS replacement uses the same processors, programming language and function blocks within redundant Protection Sets. However, the redundant Protection Set application programs are different from each other in the same manner that the Eagle 21 application programs in different redundant Protection Sets are different from each other.
Safety-related information (i.e., Pressurizer vapor space and RCS narrow and wide range temperature) transmitted from the logic-based ALS to the software-based Tricon is via analog signals. There is no communication of safety-related information from the software-based Tricon to the logic-based ALS. There is no software-based communication between or among redundant or diverse Protection Sets. No database information or equipment that uses software is shared between the Tricon and the diverse ALS or between redundant Protection Sets within Tricon or ALS portions of the replacement PPS.
Concern for ALS software CCF is addressed through incorporating additional design diversity in the FPGA-based hardware system as described in Section 4.1.1 and using qualified design practices and methodologies to develop and implement the hardware as described in Section 4.2.
As documented in the PPS replacement D3 topical report and determined by the D3 SER [7], the diverse ALS cannot be affected by a software CCF that affects the Tricon.
The PPS replacement provides sufficient design diversity to automatically mitigate the DCPP FSAR [26] Chapter 15 events should a software CCF occur in the PPS replacement concurrent with the event. The ability of the ALS portion of the PPS to perform credited automatic protective functions is not adversely affected by a software CCF as described in Section 3 of the ALS Diversity Analysis [16] and Section 9 of the CSI Topical Report Submittal [15].
As shown in Figure 4-7, the ALS provides Class 1E signal conditioning for the Pressurizer Vapor Space temperature, RCS wide range temperature and narrow range RTD inputs to the OPDT and OTDT thermal trip functions. These temperature signals are passed from the ALS to the Tricon for processing by the Tricon portion of the PPS replacement. The NIS provides diverse automatic protection should a failure in either the ALS or Tricon disable the OPDT and OTDT trip functions.
The Tricon-based portion of the PPS replacement shares the Pressurizer Pressure analog signals with the ALS portion of the PPS replacement. The shared signals are not processed by software upstream of either the Tricon or ALS. The Pressurizer Pressure signal is used by the ALS to generate the diverse Pressurizer pressure-high and -low trips and the pressure-low safeguards functions. It is also used in the Tricon to calculate the OPDT and OTDT trip setpoints. Since the signal is shared at the transmitter (4-20 mA analog) output, a failure in either ALS or Tricon cannot affect the other subsystem. AMSAC shares steam generator level and turbine impulse pressure with the Tricon. The signals are shared at the transmitter (4-20 mA analog) outputs and isolated to meet 10 CFR 50.62 [22] diversity requirements. A Tricon failure cannot affect the AMSAC and an AMSAC failure cannot affect the Tricon. Each ALS instrument channel retains its identity from sensor through processing to coincident logic. Isolated signals from the ALS to other systems are analog.
The NRC SER determined that the design addresses Staff Position 1 of ISG-02 [3] adequately.
Thus, the replacement PPS:
- 1. Replaces the entire Eagle 21 PPS with a system that is Class 1E, nuclear safety-related and which automatically performs all the automatic protection functions approved by NRC in the SER for the Eagle 21 PPS [7].
- 2. Provides Class 1E safety-related automatic mitigation functions, which address CCF as described in the previously approved DCPP D3 Analysis [6], where previous evaluations relied upon manual operator action to mitigate events that occurred with a concurrent postulated CCF to the PPS.
- 3. Provides an architecture in which a CCF in the software-based Tricon portion of the replacement PPS cannot adversely affect the safety function of the logic-based ALS.
- 4. Provides an architecture in which a single failure of the diverse ALS cannot adversely affect the safety function of the Tricon.
- 5. Provides an architecture in which failure of either the Tricon or the ALS cannot adversely affect the ability of the operator to initiate RT or ESFAS functions.
4.8 Communications (Section D.7 of DI&C-ISG-06 [1])
The DI&C-ISG-04, Task Working Group #4, Highly Integrated Control Rooms - Communications Issues (HICRs) [2] has provided ISG on the review of communications issues. DI&C-ISG-04 [2] contains three sections: (1) Interdivisional Communications, (2) Command Prioritization, and (3) Multidivisional Control and Display Stations.
Sections 4.8.1 through 4.8.20 of this enclosure provide details of the PPS replacement compliance to ISG-04 for interdivisional communications. Figures 4-12 and 4-13 in Section 4.2.13 of this enclosure provide additional detail for interconnections of the PPS replacement communications architecture.
Command Prioritization and Multidivisional Control and Display Stations are not applicable to the PPS replacement.
4.8.1 ISG-04 Interdivisional Communications Staff Position No. 1
ISG-04 Interdivisional Communications, Staff Position No. 1 states:
A safety channel should not be dependent upon any information or resource originating or residing outside its own safety division to accomplish its safety function. This is a fundamental consequence of the independence requirements of IEEE 603. It is recognized that division voting logic must receive inputs from multiple safety divisions.
The PPS replacement conforms to this Staff Position.
The PPS replacement consists of four (4) Protection Sets with architecture such that each safety channel within a given Protection Set is not dependent upon any information or resource originating outside the Protection Set of which the channel is a member. The details for the Tricon and ALS conformance to this Staff Position No. 1 are provided in the sections below.
a) Tricon-Based PPS Equipment
The Tricon portion of the PPS replacement architecture does not depend on any information or resource originating or residing outside its own Protection Set to accomplish its safety function because the Tricon does not receive any information originating or residing outside its own Protection Set while online and performing its safety function. Each PPS division sends data from the safety TCM to the non-safety MWS within the division, and through a dedicated one-way NetOptics port aggregator network tap (Section 4.2.13 of this LAR) to the common Gateway Network Switch. The only time data is allowed to be received by the TCM is when the channel is out of service. The channel is taken out of service by taking multiple deliberate actions: 1) activating a safety-related hardware out-of-service switch locked in a cabinet and 2) activating a software switch on the Workstation requiring password access. The sensors connected to the Tricon are dedicated sensors and operate completely independent of other Tricon divisions. The Protection Set architecture includes a Remote RXM non-safety chassis which provides outputs to non-safety indicators and alarms. Further technical detail on the V10 Tricon, including RXM isolation functions, can be found in NTX-SER-09-10, Tricon Applications in Nuclear RPSs - Compliance with NRC ISG-2 & ISG-4 [24].
b) FPGA-Based ALS Equipment
The ALS portion of the PPS replacement does not depend on any information or resource originating outside its own Protection Set to accomplish its safety function because the ALS does not receive any information originating or residing outside its own Protection Set while online and performing its safety function. The ALS inputs, conditioning and outputs do not depend on data/information from any divisional input outside its own division.
4.8.2 ISG-04 Interdivisional Communications Staff Position No. 2
ISG-04 Interdivisional Communications, Staff Position No. 2 states:
The safety function of each safety channel should be protected from adverse influence from outside the division of which that channel is a member. Information and signals originating outside the division must not be able to inhibit or delay the safety function.
This protection must be implemented within the affected division (rather than in the sources outside the division), and must not itself be affected by any condition or information from outside the affected division. This protection must be sustained despite any operation, malfunction, design error, communication error, or software error or corruption existing or originating outside the division.
The PPS replacement conforms to this Staff Position.
The PPS replacement consists of four (4) Protection Sets and is architected such that each safety channel within a given Protection Set is protected from adverse influence from outside the Protection Set which the channel is a member. The details for the Tricon and ALS conformance to this staff position No. 2 are provided in the sections below.
a) Tricon-Based PPS Equipment
The Tricon portion of the PPS replacement is protected from adverse influence from outside its own division by the TCM and the Primary RXM Chassis. Design of the system precludes dependence on any information or resource originating outside its own Protection Set.
Section 5, Staff position No. 2 of 993754-1-912 Diablo Canyon Triconex PPS ISG-04 Conformance Report [25] provides additional details regarding the conformance of the Tricon portion of the PPS replacement to ISG-04 Interdivisional Communication Staff Position No. 2. Further details regarding the conformance of the Tricon platform to ISG-04 Interdivisional Communication staff position No. 2 are located in section 5, Staff position No. 2 of NTX-SER-09-10, Tricon Applications in Nuclear Reactor Protection Systems - Compliance with NRC ISG-2 & ISG-4 [24].
b) FPGA-Based ALS PPS Equipment
The ALS portion of the PPS replacement is protected from adverse influence from outside its own division. This is accomplished by the design of the communications interface of the ALS. The ALS portion of the PPS replacement has no continuous two-way communication signals outside the division. The connection to the non-safety MWS is normally one-way, transmit only, from the ALS. Two-way communication is permitted only when a hardwired switch is closed to complete the circuit from the MWS to the ALS. The two-way communication is provided via the TAB, as described in Section 5.2 of the ALS Platform Specification [95]. No communications are allowed on the TAB if the hardwired switch is open. As explained in Section 2.2 of the ALS Platform Specification [95], the Protection Set containing the ALS chassis with TAB communications enabled remains functional during this action. All other communication to non-safety equipment, i.e., the Plant Computer, is via continuous one-way communication channels on the ALS-102.
4.8.3 ISG-04 Interdivisional Communications Staff Position No. 3
ISG-04 Interdivisional Communications, Staff Position No. 3 states:
A safety channel should not receive any communication from outside its own safety division unless that communication supports or enhances the performance of the safety function. Receipt of information that does not support or enhance the safety function would involve the performance of functions that are not directly related to the safety function. Safety systems should be as simple as possible. Functions that are not necessary for safety, even if they enhance reliability, should be executed outside the safety system. A safety system designed to perform functions not directly related to the safety function would be more complex than a system that performs the same safety function, but is not designed to perform other functions. The more complex system would increase the likelihood of failures and software errors. Such a complex design, therefore, should be avoided within the safety system. For example, comparison of readings from sensors in different divisions may provide useful information concerning the behavior of the sensors (for example, On-Line Monitoring). Such a function executed within a safety system, however, could also result in unacceptable influence of one division over another, or could involve functions not directly related to the safety functions, and should not be executed within the safety system. Receipt of information from outside the division, and the performance of functions not directly related to the safety function, if used, should be justified. It should be demonstrated that the added system/software complexity associated with the performance of functions not directly related to the safety function and with the receipt of information in support of those functions does not significantly increase the likelihood of software specification or coding errors, including errors that would affect more than one division. The applicant should justify the definition of "significantly" used in the demonstration.
The PPS replacement conforms to this Staff Position.
The PPS replacement consists of four (4) Protection Sets and is architected such that each safety channel within a given Protection Set is protected from adverse influence from outside the Protection Set which the channel is a member. The details for the Tricon and ALS conformance to this staff position No. 3 are provided in the sections below.
a) Tricon-Based PPS Equipment
The Tricon portion of the PPS replacement does not receive any communication from outside its own division. Each PPS division sends data from the safety TCM to the non-safety MWS within the division, and through a dedicated one-way NetOptics port aggregator network tap (Section 4.2.13 of this LAR) to the common Gateway Switch.
The only time data is allowed to be received by the TCM is when the channel is out of service. The channel is taken out of service by taking multiple deliberate actions: 1) activating a safety-related hardware out-of-service switch locked in a cabinet and 2) activating a software switch on the Workstation requiring password access. This added complexity is justified by the added safety obtained by testing in bypass mode. The sensors connected to the Tricon are dedicated sensors and operate completely independent of other Tricon Protection Sets. There is no data exchange between RXM chassis in different Protection Sets. Further detail regarding the Tricon portion of the PPS replacement conformance to this Staff Position No. 3 can be found in Section 5, Point No. 3 of 993754-1-912 Diablo Canyon Triconex PPS ISG-04 Conformance Report [25].
Further technical detail on the Remote RXM non-safety chassis can be found in the Appendix 2 NTX-SER-09-10, Tricon Applications in Nuclear Reactor Protection Systems - Compliance with NRC ISG-2 & ISG-4 [24].
b) FPGA-Based ALS PPS Equipment
The ALS portion of the PPS replacement does not receive any communication from outside its own division. The ALS platform does not make any comparisons of information between divisions, including the sensors. All communication to non-safety-related equipment is via one-way communication, with the exception of the non-safety MWS for the associated Protection Set. The MWS is used for changing certain plant parameters such as setpoints. This communication is enabled through the use of the TAB Enable keylock switch during bypass conditions. The keylock switch is alarmed both locally and in the control room. Further details regarding the MWS interface to the ALS can be found in Section 5 of the ALS Topical Report Submittal [15].
4.8.4 ISG-04 Interdivisional Communications Staff Position No. 4
ISG-04 Interdivisional Communications, Staff Position No. 4 states:
The communication process itself should be carried out by a communications processor separate from the processor that executes the safety function, so that communications errors and malfunctions will not interfere with the execution of the safety function. The communication and function processors should operate asynchronously, sharing information only by means of dual-ported memory or some other shared memory resource that is dedicated exclusively to this exchange of information. The function processor, the communications processor, and the shared memory, along with all supporting circuits and software, are all considered to be safety-related, and must be designed, qualified, fabricated, etc., in accordance with 10 C.F.R. Part 50, Appendix A and B. Access to the shared memory should be controlled in such a manner that the function processor has priority access to the shared memory to complete the safety function in a deterministic manner. For example, if the communication processor is accessing the shared memory at a time when the function processor needs to access it, the function processor should gain access within a timeframe that does not impact the loop cycle time assumed in the plant safety analyses. If the shared memory cannot support unrestricted simultaneous access by both processors, then the access controls should be configured such that the function processor always has precedence. The safety function circuits and program logic should ensure that the safety function will be performed within the timeframe established in the safety analysis, and will be completed successfully without data from the shared memory in the event that the function processor is unable to gain access to the shared memory.
The PPS replacement conforms to this Staff Position.
a) Tricon-Based PPS Equipment
For the Tricon portion of the PPS replacement, communication with external devices is conducted and supervised by the TCM. The TCM operates asynchronously, sharing information only at the end of the application processor scan. The TCM and the application processor are bridged with DPRAM. The DPRAM prevents direct communication between the application processor and the TCM interface with the MWS. When the host device requests data, the communication processor forwards the data from the application processor that was received at the end of the previous scan. When a host device writes data, the communication processor passes the data to the application processor at the next end-of-scan exchange. If there are any remaining communications tasks to be performed, they are communicated in the next scan cycle(s). Further detail regarding the Tricon portion of the PPS replacement conformance to this Staff Position No. 4 can be found in Section 5, Point No. 4 of 993754-1-912 Diablo Canyon Triconex PPS ISG-04 Conformance Report [25].
b) FPGA-Based ALS PPS Equipment
The ALS does not contain processors. Instead, it contains FPGAs which are firmware based. The communication hardware is located on the CLB. Further details regarding the FPGA-based communication hardware are provided in Section 5, Table 5-2, Item 4 of the ALS Topical Report Submittal [15].
4.8.5 ISG-04 Interdivisional Communications Staff Position No. 5
ISG-04 Interdivisional Communications, Staff Position No. 5 states:
The cycle time for the safety function processor should be determined in consideration of the longest possible completion time for each access to the shared memory. This longest-possible completion time should include the response time of the memory itself and of the circuits associated with it, and should also include the longest possible delay in access to the memory by the function processor assuming worst-case conditions for the transfer of access from the communications processor to the function processor.
Failure of the system to meet the limiting cycle time should be detected and alarmed.
The PPS replacement conforms to this Staff Position.
The PPS replacement does not utilize communications among the four Protection Sets (i.e., interdivisional communications). The details for the Tricon and ALS conformance to this Staff Position No. 5 are provided in the sections below.
a) Tricon-Based PPS Equipment
The application processors and the IOCCOM process operate asynchronously. Communication between the two processors takes place via DPRAM. The DPRAM prevents reads or writes from the IOCCOM communication processor from delaying access to the DPRAM by the safety processors. Similarly, the application processors and the TCM also communicate via DPRAM. The DPRAM prevents reads or writes from the TCM communication processor from delaying access to the DPRAM by the safety processors.
Further detail regarding the Tricon portion of the PPS replacement conformance to this staff position No. 5 can be found in section 5, Point No. 5 of 993754-1-912 Diablo Canyon Triconex PPS ISG-04 Conformance Report [25].
b) FPGA-Based ALS PPS Equipment
The ALS does not use processors and, therefore, the access time of memory is not a consideration with the FPGA design. Further details regarding the FPGA-based communication hardware are provided in Section 5, Table 5-2, Item 5 of the ALS Topical Report Submittal [15].
4.8.6 ISG-04 Interdivisional Communications Staff Position No. 6
ISG-04 Interdivisional Communications, Staff Position No. 6 states:
The safety function processor should perform no communication handshaking and should not accept interrupts from outside its own safety division.
The PPS replacement conforms to this Staff Position.
a) Tricon-Based PPS Equipment
The safety function processors do not perform any communications tasks, as these tasks are handled by the TCM processor and the RXM processors (IOCCOM). The safety function processors do not perform any communication handshaking and do not accept any interrupts from outside their own safety division.
Tricon controllers are not dependent upon interdivisional communications or external systems to perform the safety function. This would include interrupts from external systems. The Tricon application processors are isolated from non-safety I/O data communications by the combination of the DPRAM, the IOCCOM, and the safety-related Primary RXM. There is no handshaking on the I/O bus.
Further information can be found in NTX-SER-09-10, Tricon Applications in Nuclear Reactor Protection Systems - Compliance with NRC ISG-2 & ISG-4 [24].
b) FPGA-Based ALS PPS Equipment
The ALS does not use a processor. The ALS Platform communication functions are one-way, transmit only, and do not perform communication handshaking, nor do they accept any interrupts from any communication devices.
4.8.7 ISG-04 Interdivisional Communications Staff Position No. 7
ISG-04 Interdivisional Communications, Staff Position No. 7 states:
Only predefined data sets should be used by the receiving system. Unrecognized messages and data should be identified and dispositioned by the receiving system in accordance with the pre-specified design requirements. Data from unrecognized messages must not be used within the safety logic executed by the safety function processor. Message format and protocol should be pre-determined. Every message should have the same message field structure and sequence, including message identification, status information, data bits, etc. in the same locations in every message.
Every datum should be included in every transmit cycle, whether it has changed since the previous transmission or not, to ensure deterministic system behavior.
The PPS replacement conforms to this Staff Position.
a) Tricon-Based PPS Equipment
For the Tricon portion of the PPS replacement all host communications are limited to Tricon-compatible protocols. Each protocol is well-defined and well-ordered, e.g., number of start and stop bits, timing, data frame format, number of data fields, and checksum or CRC field. Should an error occur, the communication processor rejects the message.
Data sets are pre-defined by the request sent by the receiving system; therefore, message length may vary, as a host device may request a different number of data points within each request. Further detail regarding the Tricon portion of the PPS replacement conformance to this staff position No. 7 can be found in section 5, Point No. 7 of 993754-1-912 Diablo Canyon Triconex PPS ISG-04 Conformance Report [25].
Further details regarding the Tricon compatible protocols are provided in section 4 of 993754-1-912 Diablo Canyon Triconex PPS ISG-04 Conformance Report [25].
Further information can be found in NTX-SER-09-10, Tricon Applications in Nuclear Reactor Protection Systems - Compliance with NRC ISG-2 & ISG-4 [24].
b) FPGA-Based ALS PPS Equipment
For the ALS portion of the PPS replacement the ALS-102 validates the data being received. With this validation, unrecognized messages are not accepted or used. All ALS data is transmitted at each cycle whether changes have occurred or not. No handshaking is required by the ALS-102. Further details regarding the FPGA-based communication hardware are provided in Section 5 of the ALS Topical Report Submittal [15].
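The receive-side behaviour this Staff Position calls for, and that the text attributes to both the Tricon-compatible protocols and the ALS-102 (a predetermined message layout, the same fields in the same place in every message, every datum sent every cycle, and rejection of anything that fails length, CRC or message-id checks), is shown below as an added illustration. The code is not part of the PG&E submittal and is not the Triconex or ALS implementation; the message layout, field names, the choice of CRC-32, and the function names are assumptions made for this example.

```python
"""Added example: a fixed-layout, reject-on-error message receiver.

Not the Tricon or ALS protocol. The layout below is an assumption:
  msg_id   uint16   the only message id this receiver recognises
  status   uint16   sender status word
  sequence uint32   transmit-cycle counter
  data     4 x int32  every datum, every cycle, changed or not
  crc      uint32   CRC-32 over all preceding bytes
"""
import binascii
import struct

HEADER_FMT = "<HHI"
DATA_COUNT = 4
DATA_FMT = f"<{DATA_COUNT}i"
CRC_FMT = "<I"
MSG_LEN = (struct.calcsize(HEADER_FMT) + struct.calcsize(DATA_FMT)
           + struct.calcsize(CRC_FMT))
KNOWN_MSG_ID = 0x0101  # assumed value; the single predefined message type


def encode(status, sequence, data):
    """Sender side: the complete data set is emitted each cycle, so the
    frame length and field positions never vary."""
    if len(data) != DATA_COUNT:
        raise ValueError("sender must transmit every datum every cycle")
    body = (struct.pack(HEADER_FMT, KNOWN_MSG_ID, status, sequence)
            + struct.pack(DATA_FMT, *data))
    return body + struct.pack(CRC_FMT, binascii.crc32(body) & 0xFFFFFFFF)


def decode(frame):
    """Receiver side: returns (accepted, reason, fields).

    A rejected frame yields no fields at all, so nothing from an
    unrecognised or corrupted message can reach the downstream logic."""
    if len(frame) != MSG_LEN:
        return False, "length mismatch", None
    body, (crc,) = frame[:-4], struct.unpack(CRC_FMT, frame[-4:])
    if binascii.crc32(body) & 0xFFFFFFFF != crc:
        return False, "crc mismatch", None
    msg_id, status, sequence = struct.unpack_from(HEADER_FMT, body, 0)
    if msg_id != KNOWN_MSG_ID:
        return False, f"unrecognised message id {msg_id:#06x}", None
    data = struct.unpack_from(DATA_FMT, body, struct.calcsize(HEADER_FMT))
    return True, "ok", {"status": status, "sequence": sequence,
                        "data": list(data)}


def demo():
    """Constructed frames: one good, three that must be rejected."""
    good = encode(status=0, sequence=7, data=[100, 200, 300, 400])
    results = {"good": decode(good)[0]}

    flipped = bytearray(good)
    flipped[9] ^= 0x01                      # single bit flip inside data[0]
    results["bit_flip"] = decode(bytes(flipped))[0]

    results["truncated"] = decode(good[:-1])[0]   # one byte short

    foreign = bytearray(good)               # well-formed but unknown id
    struct.pack_into("<H", foreign, 0, 0x0202)
    body = bytes(foreign[:-4])
    foreign[-4:] = struct.pack(CRC_FMT, binascii.crc32(body) & 0xFFFFFFFF)
    results["unknown_id"] = decode(bytes(foreign))[0]
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:10s} accepted={accepted}")
```

The order of checks matters: length and CRC are tested before any field is interpreted, so a frame is never partially parsed, and the message id is checked against a single known value rather than a table the sender could extend. The `demo` function exercises the four cases the Staff Position is concerned with (good frame, corrupted frame, short frame, well-formed frame of an unknown type) on constructed input.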
4.8.8 ISG-04 Interdivisional Communications Staff Position No. 8
ISG-04 Interdivisional Communications, Staff Position No. 8 states:
Data exchanged between redundant safety divisions or between safety and non-safety divisions should be processed in a manner that does not adversely affect the safety function of the sending divisions, the receiving divisions, or any other independent divisions.
The PPS replacement conforms to this Staff Position.
The PPS replacement architecture does not perform data exchange between redundant safety divisions. Data exchange between safety and non-safety divisions are discussed in Sections 4.8.8.a and 4.8.8.b. The details for the Tricon and ALS conformance to this staff position No. 8 are provided in the sections below.
a) Tricon-Based PPS Equipment
For the Tricon portion of the PPS replacement the data communications with non-safety systems such as the MWS are handled by the TCM. The non-safety system may request data points, and the TCM replies if the request is valid and error free.
The TCM accepts data "writes" from the non-safety system to the Tricon only if:
- The data is valid and error free;
- The main chassis keyswitch is in the correct position; and
- The specific memory tag name attribute is configured as 'writeable'.
If the Tricon main chassis keyswitch is not in the RUN position, an alarm is initiated on the Control Room MAS and the Tricon is considered inoperable.
Further detail regarding the Tricon portion of the PPS replacement conformance to this Staff Position No. 8 can be found in Section 5, Point No. 8 of 993754-1-912 Diablo Canyon Triconex PPS ISG-04 Conformance Report [25].
b) FPGA-Based ALS PPS Equipment
For the ALS portion of the PPS replacement the TAB is used for communication of information to and from the ALS chassis and the non-safety MWS. This communication process is independent from the safety function logic. Enabling the TAB interface to the MWS requires the setting of a hardware key-lock switch which, when enabled, is alarmed locally and in the control room. This process is done while in the bypass mode under plant administrative controls. The TAB and its interfaces are designed such that the buses are nonintrusive, in that the bus cannot interfere with processing of any information or data on the Reliable ALS Bus (RAB). The ALS-102 TxB communication channels provide safety information to the non-safety-related plant computer. This communication path is one way and isolated from the safety-related ALS Platform. The communication logic is independent from the ALS-102 safety function logic and, as a result, cannot adversely affect the safety function of the transmitting division. Further details regarding the ALS communication with a non-safety MWS are provided in Section 5 of the ALS Topical Report Submittal [15].
4.8.9 ISG-04 Interdivisional Communications Staff Position No. 9
ISG-04 Interdivisional Communications, Staff Position No. 9 states:
Incoming message data should be stored in fixed predetermined locations in the shared memory and in the memory associated with the function processor. These memory locations should not be used for any other purpose. The memory locations should be allocated such that input data and output data are segregated from each other in separate memory devices or in separate pre-specified physical areas within a memory device.
The PPS replacement conforms to this Staff Position.
a) Tricon-Based PPS Equipment
Tricon received data is stored in fixed memory locations, which are utilized by the application processor when executing application logic. Input data is segregated from output data within memory. All communication messages are conducted by and stored in separate communication processors. Data is exchanged with the application processors at the end of each application program scan. Further detail regarding the Tricon portion of the PPS replacement conformance to this Staff Position No. 9 can be found in Section 5, Point No. 9 of 993754-1-912 Diablo Canyon Triconex PPS ISG-04 Conformance Report [25].
b) FPGA-Based ALS PPS Equipment
The FPGA architecture does not utilize the architecture guidance given in this criterion since processors are not part of the design. However, for the ALS, messages are stored in two distinct buffer areas for receive and transmit data. These areas are allocated in the FPGA, according to the configuration of the ALS design. Further details regarding the ALS communication messages are provided in Section 5 of 6002-00011 ALS Specification [95].
4.8.10 ISG-04 Interdivisional Communications Staff Position No. 10
ISG-04 Interdivisional Communications, Staff Position No. 10 states:
Safety division software should be protected from alteration while the safety division is in operation. On-line changes to safety system software should be prevented by hardwired interlocks or by physical disconnection of maintenance and monitoring equipment. A workstation (e.g. engineer or programmer station) may alter addressable constants, setpoints, parameters, and other settings associated with a safety function only by way of the dual-processor/shared-memory scheme described in this guidance, or when the associated channel is inoperable. Such a workstation should be physically restricted from making changes in more than one division at a time. The restriction should be by means of physical cable disconnect, or by means of keylock switch that either physically opens the data transmission circuit or interrupts the connection by means of hardwired logic. "Hardwired logic" as used here refers to circuitry that physically interrupts the flow of information, such as an electronic AND gate circuit (that does not use software or firmware) with one input controlled by the hardware switch and the other connected to the information source: the information appears at the output of the gate only when the switch is in a position that applies a "TRUE" or "1" at the input to which it is connected. Provisions that rely on software to effect the disconnection are not acceptable. It is noted that software may be used in the safety system or in the workstation to accommodate the effects of the open circuit or for status logging or other purposes.
The PPS replacement conforms to this Staff Position.
For the PPS replacement architecture there are four MWS, one dedicated to each Protection Set. A MWS within a given Protection Set cannot communicate with or modify a MWS in another Protection Set.
a) Tricon-Based PPS Equipment For the Tricon portion of the PPS replacement there are several layers of protection to prevent inadvertent application program changes. These include the Tricon keyswitch.
Additional reliability gains are realized by the TCM design itself (reliable design) and configuration features to prevent access from unknown network nodes. Additional protection is provided by features in the TriStation 1131 programming interface, including password access.
The Tricon keyswitch is a physical interlock that controls the mode of the 3008N MPs. It prevents the 3008N MPs from accepting "write" messages when placed in the RUN position. The keyswitch is implemented by a three-gang, four-position switch. Each of the gangs is connected to one of the 3008N MPs. The keyswitch position is voted between the three 3008N MPs and the voted value is used to perform keyswitch functions.
The keyswitch design tolerates any single hardware fault. If one of the gangs on the switch fails or an input to a 3008N MP fails (e.g., a single bit flip), the error would affect only the 3008N MP that is attached to the failed gang. The other two 3008N MPs would continue to receive good input values and outvote the 3008N MP with the bad input. This protects against any single fault in the physical keyswitch or on a 3008N MP.
The TCM and the application processors communicate via DPRAM. The DPRAM prevents reads or writes from the TCM communication processor from delaying access to the DPRAM by the safety processors.
Further detail regarding the Tricon portion of the PPS replacement conformance to this staff position No. 10 can be found in section 5, Point No. 10 of 993754-1-912 Diablo Canyon Triconex PPS ISG-04 Conformance Report [25].
b) FPGA-Based ALS PPS Equipment For the ALS portion of the PPS replacement, the safety firmware for the FPGAs is installed such that it can only be modified using special tools available to CSI and only upon board removal. Certain data parameters can be modified by the utility either during plant operation (Bypass mode) or while the plant is shut down. These modifications are limited to tunable parameters. The non-safety MWS is used to perform these functions when physically connected via the TAB Enable hardware keylock switch, which is alarmed at the ALS chassis and in the control room.
4.8.11 ISG-04 Interdivisional Communications Staff Position No. 11 ISG-04 Interdivisional Communications, Staff Position No. 11 States:
Provisions for interdivisional communication should explicitly preclude the ability to send software instructions to a safety function processor unless all safety functions associated with that processor are either bypassed or otherwise not in service. The progress of a safety function processor through its instruction sequence should not be affected by any message from outside its division. For example, a received message should not be able to direct the processor to execute a subroutine or branch to a new instruction sequence.
The PPS replacement conforms to this Staff Position.
The MWS cannot communicate with a Tricon or ALS processor outside the Protection Set in which it is installed. Tricon and ALS processors cannot communicate with processors in other Protection Sets.
a) Tricon-Based PPS Equipment For the Tricon portion of the PPS replacement, the primary protection is that the Tricon main chassis keyswitch must be in PROGRAM mode before reprogramming of the application program can occur. All "write" messages are ignored by the Tricon controller when the keyswitch is not in PROGRAM or when GATEDIS is active (refer to Section 4.8.3 of this LAR). Tricon controllers are qualified TMR systems and are not dependent upon interdivisional communications or external systems to perform the safety function. With the keyswitch in RUN, the Tricon application cannot be altered. With the external hardwired safety-related out-of-service switch in the open position, no external "writes" from the MWS are allowed. If the Tricon main chassis keyswitch is not in the RUN position, an alarm is initiated on the Control Room MAS and the Tricon is considered inoperable.
Further detail regarding the Tricon portion of the PPS replacement conformance to this staff position No. 11 can be found in section 5, Point No. 11 of 993754-1-912 Diablo Canyon Triconex PPS ISG-04 Conformance Report [25].
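The interlock logic described under Staff Positions 10 and 11 above (three keyswitch gangs voted 2-out-of-3 across the 3008N MPs, with external "writes" accepted only when the voted position is PROGRAM, GATEDIS is inactive and the hardwired out-of-service disconnect is closed) can be modelled in a few lines. The block below is an added illustration written for this page, not Tricon or TriStation code. The position names other than RUN and PROGRAM, the treatment of a three-way disagreement (reported as indeterminate, which both rejects writes and raises the alarm) and the function names are assumptions made here.

```python
# Added example: a model of the voted Tricon keyswitch interlock and "write"
# gating described for ISG-04 Staff Positions 10 and 11. Not vendor code.
from collections import Counter

# Four assumed switch positions; only RUN and PROGRAM are named on the page.
RUN, PROGRAM, STOP, REMOTE = "RUN", "PROGRAM", "STOP", "REMOTE"


def vote_keyswitch(readings):
    """2-out-of-3 vote over the three gang readings, one per main processor (MP).

    Returns (voted_position, all_agree). A single bad gang, or a corrupted
    input bit on one MP, is outvoted by the other two. If no two readings
    agree (beyond the single-fault assumption) the position is returned as
    None so the caller treats it as indeterminate instead of trusting any
    one gang.
    """
    if len(readings) != 3:
        raise ValueError("expected exactly three gang readings")
    position, count = Counter(readings).most_common(1)[0]
    if count < 2:
        return None, False
    return position, count == 3


def write_allowed(readings, gatedis_active, disconnect_open):
    """Whether an external 'write' (e.g. from the MWS) may be accepted.

    The *voted* position must be PROGRAM, GATEDIS must be inactive and the
    hardwired out-of-service disconnect must be closed. Every other case,
    including an indeterminate vote, rejects the write.
    """
    position, _ = vote_keyswitch(readings)
    return position == PROGRAM and not gatedis_active and not disconnect_open


def inoperable_alarm(readings):
    """MAS alarm: any voted position other than RUN (including an
    indeterminate vote) means the controller is not in its operating
    configuration and is treated as inoperable."""
    position, _ = vote_keyswitch(readings)
    return position != RUN


if __name__ == "__main__":
    # One bad gang reading PROGRAM is outvoted: still RUN, no alarm, no writes.
    print(vote_keyswitch([RUN, PROGRAM, RUN]), write_allowed([RUN, PROGRAM, RUN], False, False))
    # All three in PROGRAM with the disconnect closed and GATEDIS clear: writes allowed.
    print(write_allowed([PROGRAM, PROGRAM, PROGRAM], False, False), inoperable_alarm([PROGRAM] * 3))
```

The property worth checking is that a single fault changes nothing: one gang stuck at PROGRAM while the key is in RUN neither opens the write path nor raises the inoperable alarm, and one gang stuck at RUN while the key is in PROGRAM does not silently block a legitimate maintenance session. Only two coincident faults can move the voted position, which is the single-failure claim the text makes for the keyswitch.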
b) FPGA-Based ALS PPS Equipment For the ALS portion of the PPS replacement the ALS FPGA technology prevents the ALS Platform communication architecture from changing FPGA gate connections. The communication architecture is designed to preclude this from occurring by not providing the mechanism to alter the FPGA gate connections. Information or messages received through the Reliable ALS Bus (RAB) and TAB cannot be used to control the execution of the safety division application program.
4.8.12 ISG-04 Interdivisional Communications Staff Position No. 12 ISG-04 Interdivisional Communications, Staff Position No. 12 States:
Communication faults should not adversely affect the performance of required safety functions in any way. Faults, including communication faults, originating in non-safety equipment, do not constitute "single failures" as described in the single failure criterion of 10 C.F.R. Part 50, Appendix A. Examples of credible communication faults include, but are not limited to, the following:
- Messages may be corrupted due to errors in communications processors, errors introduced in buffer interfaces, errors introduced in the transmission media, or from interference or electrical noise.
- Messages may be repeated at an incorrect point in time.
- Messages may be sent in the incorrect sequence.
- Messages may be lost, which includes both failures to receive an uncorrupted message or to acknowledge receipt of a message.
- Messages may be delayed beyond their permitted arrival time window for several reasons, including errors in the transmission medium, congested transmission lines, interference, or by delay in sending buffered messages.
- Messages may be inserted into the communication medium from unexpected or unknown sources.
- Messages may be sent to the wrong destination, which could treat the message as a valid message.
- Messages may be longer than the receiving buffer, resulting in buffer overflow and memory corruption.
- Messages may contain data that is outside the expected range.
- Messages may appear valid, but data may be placed in incorrect locations within the message.
- Messages may occur at a high rate that degrades or causes the system to fail (i.e., broadcast storm).
- Message headers or addresses may be corrupted.
The PPS replacement conforms to this Staff Position.
The PPS replacement architecture does not depend on any information or resource originating or residing outside its own safety division to accomplish its safety function, so a fault on an interdivisional communication path cannot affect the performance of the safety function.
a) Tricon-Based PPS Equipment For the Tricon portion of the PPS replacement, the design and operation of the Tricon prevents any communication fault from altering the application program or its performance.
All data "writes" must be in proper format, have the proper address, and be within a given alias range. Further detail regarding the Tricon portion of the PPS replacement conformance to this staff position No. 12 can be found in section 5, Point No. 12 of 993754-1-912 Diablo Canyon Triconex PPS ISG-04 Conformance Report [25].
b) FPGA-Based ALS PPS Equipment For the ALS portion of the PPS replacement, communication faults cannot adversely affect the performance of the ALS safety functions. The ALS-102 communication functions for the two TxB lines are accomplished by logic that is independent from the FPGA logic performing the safety logic function. The same conclusions can be made for the RAB and TAB. These communication functions are also accomplished by logic that is independent from the FPGA logic performing the safety logic function. Further details regarding the ALS conformance to staff position No. 12 are provided in section 5, Table 5-2, Item 12 of the ALS Topical Report Submittal [15].
4.8.13 ISG-04 Interdivisional Communications Staff Position No. 13 ISG-04 Interdivisional Communications, Staff Position No. 13 States:
Vital communications, such as the sharing of channel trip decisions for the purpose of voting, should include provisions for ensuring that received messages are correct and are correctly understood. Such communications should employ error-detecting or error-correcting coding along with means for dealing with corrupt, invalid, untimely or otherwise questionable data. The effectiveness of error detection/correction should be demonstrated in the design and proof testing of the associated codes, but once demonstrated is not subject to periodic testing. Error-correcting methods, if used, should be shown to always reconstruct the original message exactly or to designate the message as unrecoverable. None of this activity should affect the operation of the safety-function processor.
The PPS replacement conforms to this Staff Position. The PPS replacement architecture does not depend on any information or resource originating or residing outside its own safety division to accomplish its safety function.
4.8.14 ISG-04 Interdivisional Communications Staff Position No. 14 ISG-04 Interdivisional Communications, Staff Position No. 14 States:
Vital communications should be point-to-point by means of a dedicated medium (copper or optical cable). In this context, "point-to-point" means that the message is passed directly from the sending node to the receiving node without the involvement of equipment outside the division of the sending or receiving node. Implementation of other communication strategies should provide the same reliability and should be justified.
The PPS replacement conforms to this Staff Position.
The PPS replacement architecture does not depend on any information or resource originating or residing outside its own safety division to accomplish its safety function.
All safety-related communications are point-to-point with no switches, hubs, or routers.
There is no involvement of equipment outside the division of the sending or receiving node.
4.8.15 ISG-04 Interdivisional Communications Staff Position No. 15 ISG-04 Interdivisional Communications, Staff Position No. 15 States:
Communication for safety functions should communicate a fixed set of data (called the "state") at regular intervals, whether data in the set has changed or not.
The PPS replacement conforms to this Staff Position.
a) Tricon-Based PPS Equipment For the Tricon portion of the PPS replacement the Tricon is programmed to pass all values each scan, whether the values have changed or not. Further detail regarding the Tricon portion of the PPS replacement conformance to this staff position No. 15 can be found in section 5, Point No. 15 of 993754-1-912 Diablo Canyon Triconex PPS ISG-04 Conformance Report [25] and Section 5, NTX-SER-09-10, Tricon Applications in Nuclear Reactor Protection Systems - Compliance with NRC ISG-2 & ISG-4 [24].
b) FPGA-Based ALS PPS Equipment For the ALS portion of the PPS replacement, the communication for the TxB, RAB and TAB communication functions use predefined packets of information. These packets of information are transmitted at constant periodic intervals which are established during the design process whether the data has changed or not. The packets typically have a continuous stream of mask/status bits to alert the CLB to anomalies in the communicated information/data. Further details regarding the ALS communications are provided in section 5, 6002-00011 ALS Platform Specification [95].
4.8.16 ISG-04 Interdivisional Communications Staff Position No. 16 ISG-04 Interdivisional Communications, Staff Position No. 16 States:
Network connectivity, liveness, and real-time properties essential to the safety application should be verified in the protocol. Liveness, in particular, is taken to mean that no connection to any network outside the division can cause an RPS/ESFAS communication protocol to stall, either deadlock or livelock. (Note: This is also required by the independence criteria of: (1) 10 C.F.R. Part 50, Appendix A, General Design Criteria 24, which states, "interconnection of the protection and control systems shall be limited so as to assure that safety is not significantly impaired." and (2) IEEE 603-1991 IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations.)
(Source: NUREG/CR-6082, 3.4.3)
The PPS replacement conforms to this Staff Position.
The PPS replacement architecture does not depend on any information or resource originating or residing outside its own safety division to accomplish its safety function.
a) Tricon-Based PPS Equipment Sections 4.8.1 and 4.8.2 of this LAR describe the independence of Tricon controllers from external devices and the engineered layers of protection against communication failures.
b) FPGA-Based ALS PPS Equipment For the ALS portion of the PPS replacement, all ALS communication protocols are deterministic. The scan time is maintained at a constant rate even in the case of error.
RAB failures to receive/transmit are always processed a second time before the failure is alarmed. Further details regarding the ALS communications are provided in section 5, 6002-00011 ALS Platform Specification [95].
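The receiving-end checks implied by Staff Positions 12, 13, 15 and 16 above (a fixed state set at a constant period, error detection on every frame, rejection of corrupt, replayed, misaddressed, over-length, out-of-range or flooded traffic, a bounded per-scan workload that never stalls, and a receive failure retried once before it is alarmed) can be put together in one small receiver. The block below is an added illustration for this page, not ALS, CSI, Tricon or Triconex code: the 19-byte frame layout, the use of CRC-32, the address constants, the field ranges, the window sizes and the retry-once-then-alarm rule are all assumptions made here, and the RAB/TAB and TCM wire formats are not described on this page.

```python
# Added example: a fixed-format periodic "state" message receiver that detects
# each fault class listed under ISG-04 Staff Position 12 and never waits on the
# link. Frame layout, constants and the alarm rule are assumptions, not the
# ALS or Tricon wire formats.
import struct
import zlib
from dataclasses import dataclass, field

MAGIC = 0x5A5A
HDR = struct.Struct(">HBBHB")      # magic, src, dst, seq, payload length
PAYLOAD = struct.Struct(">hhhh")   # the whole fixed state set, sent every scan
CRC = struct.Struct(">I")          # CRC-32 over header + payload
FRAME_LEN = HDR.size + PAYLOAD.size + CRC.size   # 19 bytes, fixed

EXPECTED_SRC = 0x21                # the one point-to-point peer we accept
MY_ADDR = 0x11
RANGES = ((0, 4000),) * 4          # assumed engineering-unit bounds per field
MAX_SEQ_GAP = 2                    # lost frames tolerated before seq is "broken"
MAX_FRAMES_PER_SCAN = 2            # more than this in one scan is a storm
MISSES_BEFORE_ALARM = 2            # a miss is retried next scan before alarming


def build_frame(src, dst, seq, values):
    """Sender side: header + fixed payload + CRC-32 (used here to make test data)."""
    body = HDR.pack(MAGIC, src, dst, seq & 0xFFFF, PAYLOAD.size) + PAYLOAD.pack(*values)
    return body + CRC.pack(zlib.crc32(body))


def validate(frame, expected_seq):
    """Check one received frame. Returns (values, seq, None) or (None, None, reason).

    expected_seq=None means the channel is resynchronising and any seq is taken.
    Order matters: length and CRC are checked first, so no field is interpreted
    before it is known to fit the buffer and to be uncorrupted (header included).
    """
    if len(frame) != FRAME_LEN:
        return None, None, "length"        # over/under-length: never copied into a buffer
    body, crc = frame[:-CRC.size], CRC.unpack(frame[-CRC.size:])[0]
    if zlib.crc32(body) != crc:
        return None, None, "crc"           # noise, buffer or media corruption, bad header
    magic, src, dst, seq, plen = HDR.unpack(body[:HDR.size])
    if magic != MAGIC or plen != PAYLOAD.size:
        return None, None, "header"
    if src != EXPECTED_SRC:
        return None, None, "source"        # inserted from an unexpected node
    if dst != MY_ADDR:
        return None, None, "destination"   # addressed to someone else
    if expected_seq is not None and (seq - expected_seq) & 0xFFFF > MAX_SEQ_GAP:
        return None, None, "sequence"      # replayed, stale, or far out of order
    values = PAYLOAD.unpack(body[HDR.size:])   # fixed offsets: no "data in wrong place"
    for v, (lo, hi) in zip(values, RANGES):
        if not lo <= v <= hi:
            return None, None, "range"
    return values, seq, None


@dataclass
class Channel:
    expected_seq: int = 0
    misses: int = 0
    faulted: bool = False
    log: list = field(default_factory=list)

    def scan(self, frames):
        """One fixed-period scan: consume whatever arrived, never wait for more.

        Returns (values or None, faulted). A first miss is retried on the next
        scan; a second consecutive miss alarms the channel. A valid frame clears
        the alarm and resynchronises the sequence number.
        """
        if len(frames) > MAX_FRAMES_PER_SCAN:
            self.log.append("storm")           # flood: discard the whole scan's input
            frames = []
        accepted = None
        for f in frames:
            values, seq, reason = validate(f, None if self.faulted else self.expected_seq)
            if reason:
                self.log.append(reason)
                continue
            accepted, self.expected_seq = values, (seq + 1) & 0xFFFF
            break                               # one state set per scan is enough
        if accepted is not None:
            self.misses, self.faulted = 0, False
        else:
            self.misses += 1
            self.faulted = self.misses >= MISSES_BEFORE_ALARM
        return accepted, self.faulted
```

The order of checks is the point: length and CRC are applied before any header field is decoded, so a corrupted address or length field can never steer the parser, and a frame that does not fit the fixed 19-byte buffer is dropped rather than copied. `scan()` never waits for a frame; it consumes what the scan period delivered and returns, so a dead or flooding peer cannot stretch the scan time, which is the liveness property Position 16 asks for. On a fault the caller receives `None` and the alarm flag and must fall back to whatever the safety logic defines for a questionable channel; that fallback is design-specific and is not modelled here.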
4.8.17 ISG-04 Interdivisional Communications Staff Position No. 17 ISG-04 Interdivisional Communications, Staff Position No. 17 States:
Pursuant to 10 C.F.R. § 50.49, the medium used in a vital communications channel should be qualified for the anticipated normal and post-accident environments. For example, some optical fibers and components may be subject to gradual degradation as a result of prolonged exposure to radiation or to heat. In addition, new digital systems may need susceptibility testing for EMI/RFI and power surges, if the environments are significant to the equipment being qualified.
The PPS replacement conforms to this Staff Position.
4.8.17.1 Tricon-Based PPS Equipment Details regarding the Tricon portion of the PPS replacement conformance to this staff position No. 17 can be found in section 5, Point No. 17 of 993754-1-912 Diablo Canyon Triconex PPS ISG-04 Conformance Report [25].
4.8.17.2 FPGA-Based ALS PPS Equipment For the ALS portion of the PPS replacement, the ALS platform uses copper media for communication. These media are qualified at predefined electromagnetic interference/radio frequency interference (EMI/RFI) levels to meet NRC guidance and PG&E specific levels. Details regarding the ALS communications are provided in section 5, 6002-00011 ALS Platform Specification [95]. Details regarding the ALS equipment qualification are provided in 6002-0004 ALS EQ Plan [55].
4.8.18 ISG-04 Interdivisional Communications Staff Position No. 18 ISG-04 Interdivisional Communications, Staff Position No. 18 States:
Provisions for communications should be analyzed for hazards and performance deficits posed by unneeded functionality and complication.
The PPS replacement conforms to this Staff Position.
a) Tricon-Based PPS Equipment For the Tricon portion of the PPS replacement, the TCM handles all protocol tasks (start/stop bits, handshaking, etc.). The main processor is neither burdened nor interrupted.
Communication errors and malfunctions do not interfere with the execution of the safety function. Further detail regarding the Tricon portion of the PPS replacement conformance to this staff position No. 18 can be found in section 5, Point No. 18 of 993754-1-912 Diablo Canyon Triconex PPS ISG-04 Conformance Report [25].
b) FPGA-Based ALS PPS Equipment For the ALS portion of the PPS replacement the CLBs are application specific. The only functions that exist in the design are those critical to the performance of the PPS safety function. Communication logic, while common to all CLBs, uses a simple master-slave protocol, with only enough functionality to ensure data integrity and reliability. Any relevant hazards and performance deficits are evaluated as part of the development process and handled accordingly. The communication architecture has been analyzed for hazards and performance deficits as reflected in the final ALS communication design. Unneeded functionality and complications are eliminated and will be rechecked and eliminated during the application design.
4.8.19 ISG-04 Interdivisional Communications Staff Position No. 19 ISG-04 Interdivisional Communications, Staff Position No. 19 States:
If data rates exceed the capacity of a communications link or the ability of nodes to handle traffic, the system will suffer congestion. All links and nodes should have sufficient capacity to support all functions. The applicant should identify the true data rate, including overhead, to ensure that communication bandwidth is sufficient to ensure proper performance of all safety functions. Communications throughput thresholds and safety system sensitivity to communications throughput issues should be confirmed by testing.
The PPS replacement conforms to this Staff Position.
Communications are point-to-point. There are no switches, hubs, etc., within the Tricon safety-related architecture. ALS communications are all point-to-point serial.
a) Tricon-Based PPS Equipment Details regarding the Tricon portion of the PPS replacement conformance to this staff position No. 19 can be found in section 5, Point No. 19 of 993754-1-912 Diablo Canyon Triconex PPS ISG-04 Conformance Report [25].
b) FPGA-Based ALS PPS Equipment For the ALS portion of the PPS replacement, the ALS platform architecture is designed to eliminate data congestion. The communication hardware supports the necessary capacity to support the required design functions. The number of slaves that can transmit and receive is fixed during the PPS replacement design process. Data scan rates are also set during the PPS replacement design phase and are based on a constant cycle time. More importantly, the response time of a system is set during the design phase. This time is based on the PPS replacement requirements provided in DCPP Units 1 & 2 PPS Replacement FRS [28] and is verified during FAT testing.
Details regarding the ALS communications are provided in section 5, 6002-00011 ALS Platform Specification [95].
4.8.20 ISG-04 Interdivisional Communications Staff Position No. 20 ISG-04 Interdivisional Communications, Staff Position No. 20 States:
The safety system response time calculations should assume a data error rate that is greater than or equal to the design basis error rate and is supported by the error rate observed in design and qualification testing.
The PPS replacement conforms to this Staff Position.
Details of the response time calculations are provided in Section 4.11.1.2.4 of this LAR.
4.9 System, Hardware, Software, and Methodology Modifications (Section D.8 of DI&C-ISG-06 [1])
a) Tricon-Based PPS Equipment The Tricon system being installed at DCPP is an identical functional design to the Tricon system platform described in the Triconex Tricon V10 Topical Report Submittal [13], which was submitted to the NRC on December 20, 2010.
b) FPGA-Based ALS PPS Equipment The ALS platform being installed at DCPP is an identical functional design to the ALS platform described in the ALS Topical Report Submittal [15], which was submitted to the NRC on August 11, 2010.
4.10 Compliance with IEEE Standard 603 (Section D.9 of DI&C-ISG-06 [1])
The requirements of IEEE Standard 603-1991 [21] contain safety related system requirements in five clauses (Clauses 4, 5, 6, 7 and 8). The PPS Replacement adherence to these five clauses and their sub-clauses is described in the subsections below.
4.10.1 Clause 4 Design Basis (Section D.9.4.1 of DI&C-ISG-06 [1])
IEEE Standard 603-1991 [21], Clause 4 states:
A specific basis shall be established for the design of each safety system of the nuclear power generating station. The design basis shall also be available as needed to facilitate the determination of the adequacy of the safety system, including design changes. The design basis shall be consistent with the requirements of American National Standards Institute (ANSI)/American Nuclear Society (ANS) 51.1-1983 or ANSI/ANS 52.1-1983 and shall document as a minimum:
The purpose of the PPS replacement is to replace the existing Eagle 21 based PPS with the Tricon and ALS digital platforms. The PPS is designed to monitor a set number of plant parameters that are important to reactor safety during all plant conditions and provide RT and/or ESFAS signals when required.
The plant accident analysis and TS were compared to the PPS CDD [27], hardware and software functional requirements, detailed system and hardware drawings, Tricon and ALS Topical Reports, equipment qualification reports, and interface requirement specification reports. The PPS replacement continues to meet all necessary requirements. The conclusion was reached that the PPS replacement is designed such that it can accomplish its safety functions under the full range of all anticipated conditions and continue to enable DCPP to meet the requirements set forth in the FSAR Chapter 15 Safety Analysis [26].
The Eagle 21 digital system being replaced was required to undergo a D3 evaluation similar to the position outlined in NUREG-0800 BTP 7-19 [4] albeit not as detailed and without certain time restrictions. The PPS replacement has undergone a D3 evaluation to show how the DCPP upgraded design meets the latest D3 guidance by taking advantage of an internal diversity design within the ALS platform. A number of manual actuations that were credited during the NRC Eagle 21 PPS review will be eliminated.
This is described in detail in the DCPP D3 report [6] that was submitted to the NRC in 2010. The NRC issued a SER accepting this D3 report on April 19, 2011 [7].
Per NRC ISG-02 [3], automatic actuation not affected adversely by software CCF is preferred where operator action otherwise would be required to mitigate a FSAR Chapter 15 [26] event with a concurrent CCF. Therefore, where previous Eagle 21 PPS evaluations relied upon manual operator action to mitigate several such events, the PPS replacement automatic mitigation functions are generated in the independent, inherently diverse ALS portion of the PPS replacement for those events.
Therefore, the built-in diversity provided by the logic-based ALS portion of the PPS replacement ensures that all accidents and events credited with automatic PPS mitigation in the FSAR [26] Chapter 15 Safety Analyses continue to be mitigated automatically with a concurrent software CCF. The PPS replacement provides automatic mitigation for events that currently require manual protective action should a CCF disable the Eagle 21 primary and backup protection functions.
4.10.1.1 Clause 4.1 Identification of the Design Basis Events (Section D.9.4.1.1 of DI&C-ISG-06 [1])
IEEE 603-1991 [21], Clause 4.1 states:
The design basis events applicable to each mode of operation of the generating station along with the initial conditions and allowable limits of plant conditions for each such event.
Clause 4.1 requires the identification of the design basis events applicable to each mode of operation. This information should be consistent with the analyses of FSAR Chapter 15 [26] events. NUREG-0800, BTP 7-4 [4] provides specific guidance on the failures and malfunctions that should be considered in the identification of design basis events for systems that initiate and control AFW systems. NUREG-0800, BTP 7-5 [4] provides specific guidance on the reactivity control malfunctions that should be considered in the identification of design basis events. The malfunctions postulated should be consistent with the control system failure modes described in the FSAR [26].
The PPS replacement is used as a direct replacement for the existing Eagle 21 PPS and has mostly the same design basis as the existing Eagle 21 PPS. For the D3 evaluation there is a change in the design basis due to more specific guidance being issued and the installation of an internally diverse ALS FPGA as part of the PPS replacement. A new DCPP D3 analysis was performed and the results submitted [6] to the NRC for review. The purpose of this analysis was to confirm that the PPS replacement satisfies the positions stated in BTP 7-19 [4] and the DCPP design basis [26]. The NRC issued a SER [7] accepting the DCPP D3 approach.
The design basis events applicable to each mode of operation listed in Section 4.1 of this LAR are unchanged as a result of the PPS replacement. As a result, an evaluation was not necessary for any changes to the design basis. However, a beyond design basis event, a software CCF, was re-evaluated due to the installation of the Tricon and ALS digital platforms as the PPS replacement. This event had previously been evaluated for the Eagle 21 digital platform installation with somewhat different guidance.
NUREG-0800, BTP 7-19 [4] was not issued until 1997, which was after the Eagle 21 installation.
Per NRC ISG-02 [3], automatic actuation not affected adversely by software CCF is preferred where operator action otherwise would be required to mitigate a FSAR Chapter 15 [26] event with a concurrent CCF. Where previous evaluations relied upon manual operator action to mitigate several such events, automatic mitigation functions are generated in the independent, inherently diverse ALS portion of the PPS replacement for those events.
The built-in diversity provided by the logic-based ALS portion of the PPS replacement ensures that all accidents and events credited with automatic PPS mitigation in DCPP FSAR Chapter 15 Safety Analyses [26] continue to be mitigated automatically with a concurrent software CCF. Thus, the PPS replacement provides automatic mitigation for events that currently require manual protective action should a CCF disable the Eagle 21 primary and backup protection functions.
a) Tricon-Based PPS Equipment The Tricon platform does not impact the DCPP design basis events.
b) FPGA-Based ALS PPS Equipment Section 12.1.1 of the ALS Topical Report Submittal [15] describes the FPGA-based ALS PPS replacement equipment conformance to Clause 4.1 by stating that conformance is application specific. The ALS platform does not impact the DCPP design basis events.
4.10.1.2 Clause 4.2 Identification of Safety Functions and Protective Actions (Section D.9.4.1.2 of DI&C-ISG-06 [1])
IEEE Standard 603-1991 [21], Clause 4.2 states:
The safety functions and corresponding protective actions of the execute features for each design basis event.
The DCPP safety functions and related protective actions for each FSAR Chapter 15 [26] design basis event are unchanged as a result of this PPS Replacement Project.
Therefore, an evaluation was not necessary for the DCPP safety functions and protective actions related to the PPS Replacement Project.
However, a beyond design basis event, a Software CCF was reevaluated due to the publication of newer guidance issued prior to this installation of the PPS replacement.
This event had previously been evaluated for the Eagle 21 digital platform installation but without the guidance provided in NUREG-0800, BTP 7-19 [4].
Per NRC ISG-02 [3], automatic actuation not affected adversely by software CCF is preferred where operator action otherwise would be required to mitigate a FSAR Chapter 15 [26] accident or event with a concurrent CCF. Therefore, where the previous D3 evaluation relied upon manual operator action to mitigate several such events, automatic mitigation functions are generated in the independent, diverse ALS portion of the PPS replacement for those events.
The design diversity provided by the logic-based ALS portion of the PPS replacement ensures that all accidents and events credited with automatic PPS mitigation in DCPP FSAR Chapter 15 [26] Safety Analyses continue to be mitigated automatically with a concurrent software CCF. Additionally, the PPS replacement provides automatic mitigation for events that currently require manual protective action should a CCF disable the Eagle 21 primary and backup protection functions. This is discussed in more detail in the D3 evaluation report [6] submitted to and accepted [7] by the NRC.
a) Tricon-Based PPS Equipment The Tricon platform does not impact the DCPP design basis for the safety functions and protective actions.
b) FPGA-Based ALS PPS Equipment Section 12.1.1 of the ALS Topical Report Submittal [15] describes the FPGA-based ALS PPS replacement equipment conformance to Clause 4.2 by stating that conformance is application specific. The ALS platform does not impact the DCPP design basis for safety functions and protective actions.
4.10.1.3 Clause 4.3 Permissive Conditions for Operating Bypasses (Section D.9.4.1.3 of DI&C-ISG-06 [1])
IEEE Standard 603-1991 [21], Clause 4.3 states:
The permissive conditions for each operating bypass capability that is to be provided.
The permissive conditions for the DCPP operating bypasses have not changed as a result of the PPS replacement. The PPS replacement develops the comparator outputs for P14, P13, and P11 which are sent to the SSPS where the interlocks are developed.
a) Tricon-Based PPS Equipment The existing permissive conditions and how the Tricon supports them are discussed and defined in the project specification documents. The Tricon platform does not impact the DCPP design basis for permissive conditions regarding operating bypasses.
b) FPGA-Based ALS PPS Equipment Section 12.1.1 of the ALS Topical Report Submittal [15] describes the FPGA-based ALS PPS replacement equipment conformance to Clause 4.3 by stating that conformance is application specific. The existing permissive conditions and how the ALS supports them are discussed and defined in the project specification documents. The ALS platform does not impact the DCPP design basis for permissive conditions regarding operating bypasses.
4.10.1.4 Clause 4.4 Identification of Variables Monitored (Section D.9.4.1.4 of DI&C-ISG-06 [1])
IEEE Standard 603-1991 [21], Clause 4.4 states:
The variables or combinations of variables, or both, that are to be monitored to manually or automatically, or both, control each protective action; the analytical limit associated with each variable, the ranges (normal, abnormal, and accident conditions); and the rates of change of these variables to be accommodated until proper completion of the protective action is ensured.
The PPS Replacement Project is replacing the existing Eagle 21 PPS with the Tricon and ALS digital platforms. The PPS is designed to monitor a set number of plant parameters that are important to reactor safety during all plant conditions and provide RT and/or ESFAS signals when required. The safety variables to be monitored and their analytical limits have not changed as a result of the PPS replacement. However, system response times, accuracies and setpoints require evaluation to determine if changes are needed in these areas. The current setpoint methodology approved for the Eagle 21 PPS is provided in WCAP-11082 [39]. However, these calculations are being modified to consider applicable setpoint methodology guidance such as International Society of Automation (ISA) S67.04-2006 [78], Regulatory Information Summary (RIS) 2006-17 [40] and TSTF-493 R4 [41]. This setpoint modification will include the impact of replacing the Eagle 21 PPS with the Tricon and ALS PPS replacement. When complete, the methodology will show an acceptable margin between all trip setpoints and the respective analytical limits. This will assure acceptable completion criteria for all of the affected protective functions. A summary of the calculations will be provided to the NRC during the LAR Phase 2 submittal period.
The PPS FRS [28] provides additional details regarding setpoint calculations including response time requirements for all PPS safety input functions.
a) Tricon-Based PPS Equipment The existing variables to be monitored and how the Tricon supports them are discussed and defined in the project specification documents. The Tricon V10 Topical Report Submittal [13] does not provide additional information for this area.
b) FPGA-Based ALS PPS Equipment Section 12.1.1 of the ALS Topical Report Submittal [15] describes the FPGA-based ALS PPS replacement equipment conformance to Clause 4.4 by stating that compliance is application specific. The existing variables to be monitored and how the ALS supports them are discussed and defined in the project specification documents.
4.10.1.5 Clause 4.5 Minimum Criteria for Manual Protective Actions (Section D.9.4.1.5 of DI&C-ISG-06 [1])
IEEE Standard 603-1991 [21], Clause 4.5 states:
The following minimum criteria for each action identified in 4.2 whose operation may be controlled by manual means initially or subsequent to initiation. See IEEE Std 494-1974.
4.5.1 The points in time and the plant conditions during which manual control is allowed.
4.5.2 The justification for permitting initiation or control subsequent to initiation solely by manual means.
4.5.3 The range of environmental conditions imposed upon the operator during normal, abnormal, and accident circumstances throughout which the manual operations shall be performed.
4.5.4 The variables in 4.4 that shall be displayed for the operator to use in taking manual action.
The PPS is designed to monitor a set number of plant parameters that are important to reactor safety during all plant conditions and provide RT and/or ESFAS signals when required. The PPS Replacement Project does not alter the system level manual actuation configuration at DCPP. The timing associated with the DCPP condition, environmental criteria, information available to the operator and justification for allowing manual control remain the same. The timing responses discussed in the safety analysis will not be impacted by the PPS replacement.
As discussed in the approved DCPP D3 Topical Report [6, 7], several manual actuations previously credited in the Eagle 21 SER to mitigate an FSAR Chapter 15 [26] accident or event with a concurrent CCF have been eliminated by the PPS replacement due to the built-in diversity provided by the ALS equipment. Automatic mitigation functions will be initiated by the independent, inherently diverse ALS portion of the PPS replacement for the following events, which previously would require manual operator action for mitigation if the event were to occur with a concurrent postulated CCF to the PPS. This reduces the number of manual actions and lessens the burden on the operator.
- 1. Loss of forced reactor coolant flow in a single loop above P8 as indicated by 2/3 reactor coolant flow-low;
- 2. Pressurizer Pressure-low mitigation of RCS depressurization, including SGTR, Steam Line Break and LOCA; and
- 3. Containment Pressure-high mitigation of Steam Line Break and LOCA.
Per NRC ISG-02 [3], automatic actuation not affected adversely by software CCF is preferred where operator action otherwise would be required to mitigate an FSAR [26] Chapter 15 accident or event with a concurrent CCF. Therefore, where previous evaluations relied upon manual operator action to mitigate several such events, automatic mitigation functions are generated in the independent, diverse ALS portion of the PPS replacement for those events.
The built-in design diversity provided by the logic-based ALS portion of the PPS replacement ensures that all accidents and events credited with automatic PPS mitigation in FSAR [26] Chapter 15 Safety Analyses continue to be mitigated automatically with a concurrent software CCF. Additionally, the PPS replacement provides automatic mitigation for events that currently require manual protective action should a CCF disable the Eagle 21 primary and backup protection functions.
a) Tricon-Based PPS Equipment The DCPP design bases for minimum criteria for manual protective actions have not changed as a result of the PPS replacement. Tricon support for these actions is discussed and defined in the project specification documents. The Tricon V10 Topical Report Submittal [13] does not provide additional information in this area.
b) FPGA-Based ALS PPS Equipment Section 12.1.1 of the ALS Topical Report Submittal [15] describes the FPGA-based ALS PPS replacement equipment conformance to Clause 4.5 by stating that conformance is application specific. The DCPP design basis for minimum criteria for manual protective actions has not changed as a result of the PPS replacement. ALS support for these actions is discussed and defined in the project specification documents.
4.10.1.6 Clause 4.6 Identification of the Minimum Number and Location of Sensors (Section D.9.4.1.6 of DI&C-ISG-06 [1])
IEEE Standard 603-1991 [21], Clause 4.6 states:
For those variables in 4.4 that have a spatial dependence (that is, where the variable varies as a function of position in a particular region), the minimum number and locations of sensors required for protective purposes.
The Feedwater Flow signals and the Steam Flow/Feedwater Flow Mismatch alarms are being removed from the PPS as discussed in the PPS replacement CDD [27]. The feedwater flow signals are non-safety related and will be input to the Digital Feedwater Control System (DFWCS), which will then generate the Steam Flow/Feedwater Flow Mismatch alarms.
As described in the PPS replacement CDD [27], the spare RTDs in the thermowells of each hot leg will now be activated for use by the PPS replacement. Each thermowell contains two RTDs, and currently only one in each thermowell is available for the averaging process. In the PPS replacement, a wiring change will enable the use of all 6 RTDs for this averaging process. This should improve the ΔT/Tavg measurement and increase conservatism.
The DCPP design bases for the location of sensors have not changed as a result of the PPS replacement. However, the number of sensors has been increased to include the use of the currently spare hot leg RTDs as described above.
a) Tricon-Based PPS Equipment Tricon support for the supplied sensors is discussed and defined in the project specification documents. The Tricon V10 Topical Report Submittal [13] does not provide additional information in this area.
b) FPGA-Based ALS PPS Equipment Section 12.1.1 of the ALS Topical Report Submittal [15] describes the FPGA-based ALS PPS replacement equipment conformance to Clause 4.6 by stating that conformance is application specific. ALS support for the supplied sensors is discussed and defined in the project specification documents.
4.10.1.7 Clause 4.7 Range of Transient and Steady-State Conditions (Section D.9.4.1.7 of DI&C-ISG-06 [1])
IEEE 603-1991 [21], Clause 4.7 states:
The range of transient and steady-state conditions of both motive and control power and the environment (for example, voltage, frequency, radiation, temperature, humidity, pressure, and vibration) during normal, abnormal, and accident circumstances throughout which the safety system shall perform.
Clause 4.7 requires, in part, that the range of transient and steady-state conditions be identified for both the energy supply and the environment during normal, abnormal, and accident conditions under which the system must perform. If these have not changed, this should be clearly identified in the information provided. The range of conditions specified is used in evaluating the adequacy of the design and qualification of the equipment.
The range of transient and steady-state conditions during normal, abnormal, and accident conditions has not changed as a result of the PPS Replacement Project. The FSAR Chapter 15 Safety Analysis [26] does not require modifications as a result of the PPS replacement.
Both replacement digital platforms, Tricon and ALS, are located in the same cabinets that house the existing PPS. Therefore, the environmental conditions experienced by the PPS replacement remain the same. The PPS replacement is qualified to envelope the existing plant environmental qualification (including EMC and seismic) requirements.
a) Tricon-Based PPS Equipment The PPS replacement does not impact the range of transients and accidents. Equipment qualification information is provided in the Tricon Topical Reports [8] [13].
b) FPGA-Based ALS PPS Equipment The PPS replacement does not impact the range of transients and accidents. Section 4 of the ALS Topical Report Submittal [15] provides detailed information for the ALS equipment qualification.
4.10.1.8 Clause 4.8 Conditions Causing Functional Degradation (Section D.9.4.1.8 of DI&C-ISG-06 [1])
IEEE Standard 603-1991 [21], Clause 4.8 states:
The conditions having the potential for functional degradation of safety system performance and for which provisions shall be incorporated to retain the capability for performing the safety functions (for example, missiles, pipe breaks, fires, loss of ventilation, spurious operation of fire suppression systems, operator error, failure in non-safety-related systems).
The identification of conditions having the potential for causing functional degradation of safety system performance, and for which provisions must be incorporated to retain necessary protective action has not changed as a result of the PPS replacement.
The PPS replacement is located in the same area with a controlled environment as the existing Eagle 21 PPS. Environmental qualification requirements are provided in the PPS replacement FRS [28].
a) Tricon-Based PPS Equipment Equipment qualification information is provided in the Tricon Topical Reports [8] [13].
b) FPGA-Based ALS PPS Equipment Section 4 of the ALS Topical Report Submittal [15] provides detailed information for the ALS equipment qualification.
4.10.1.9 Clause 4.9 Methods Used to Determine Reliability (Section D.9.4.1.9 of DI&C-ISG-06 [1])
IEEE Standard 603-1991 [21], Clause 4.9 states:
The methods to be used to determine that the reliability of the safety system design is appropriate for each safety system design and any qualitative or quantitative reliability goals that may be imposed on the system design.
a) Tricon-Based PPS Equipment The platform level FMEA and reliability analyses for the Tricon digital platform have been reviewed and accepted by the NRC. In the Tricon V10 Topical Report Submittal [13], Section 2.2.12 "Reliability and Availability," both reliability and availability were calculated with the assumption that periodic testing will uncover faults that are not normally detected by the Tricon system. For test periods ranging from 6 to 30 months the calculated reliability and availability were greater than 99.9 percent, which exceeds the EPRI recommended goal found in EPRI TR-107330 [81], Section 4.2.3 "Availability, Reliability and FMEA." For a periodic test interval of 18 months the reliability is 99.9987 percent and the availability is 99.9990 percent.
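As an added check on the figures quoted above, and not part of the Tricon V10 Topical Report or of this LAR, the following Python model assumes a constant failure rate (exponential reliability) for a channel whose undetected faults are revealed only by the periodic test. It recovers the implied failure rate from the stated 18-month reliability of 99.9987 percent and then evaluates reliability and mean availability across the 6 to 30 month test intervals against the 99.9 percent goal. The model form is an assumption of this example; the report's own method may differ, and the stated availability of 99.9990 percent is not reproduced here.

```python
import math

# Added example, not from the Tricon V10 Topical Report or EPRI TR-107330:
# a constant-failure-rate (exponential) model of a periodically tested channel.
# The only figure taken from the text is the stated 18-month reliability of
# 99.9987 %; that the report used this model is an assumption of this example.
STATED_RELIABILITY_18_MONTHS = 0.999987
TEST_INTERVAL_MONTHS = 18.0
EPRI_GOAL = 0.999  # the 99.9 % goal the text attributes to EPRI TR-107330


def failure_rate(reliability: float, interval_months: float) -> float:
    """Invert R(T) = exp(-lambda * T) to recover lambda (per month)."""
    return -math.log(reliability) / interval_months


# Implied constant failure rate (per month) behind the stated 18-month figure.
LAMBDA = failure_rate(STATED_RELIABILITY_18_MONTHS, TEST_INTERVAL_MONTHS)


def reliability(interval_months: float, lam: float = LAMBDA) -> float:
    """Probability the channel has not failed by the end of one test interval."""
    return math.exp(-lam * interval_months)


def mean_availability(interval_months: float, lam: float = LAMBDA) -> float:
    """Mean availability over one test interval when a failure stays latent
    until the periodic test reveals it. The unavailable fraction is the time
    average of (1 - exp(-lambda t)) over [0, T]:
        1 - (1 - exp(-lambda T)) / (lambda T),
    which is about lambda*T/2 for small lambda*T. expm1 keeps precision
    when lambda*T is tiny."""
    x = lam * interval_months
    unavailability = 1.0 - (-math.expm1(-x)) / x
    return 1.0 - unavailability


def goal_met(interval_months: float, goal: float = EPRI_GOAL) -> bool:
    """True when both reliability and mean availability meet the goal."""
    return (reliability(interval_months) >= goal
            and mean_availability(interval_months) >= goal)


if __name__ == "__main__":
    print(f"implied failure rate: {LAMBDA:.3e} per month")
    for t in (6, 12, 18, 24, 30):
        print(f"{t:2d} months: R = {reliability(t):.6%}  "
              f"A = {mean_availability(t):.6%}  goal met: {goal_met(t)}")
```

The point of the check is the shape of the curve rather than the absolute numbers: under this model both reliability and mean availability fall roughly linearly with the test interval, so a claim that holds at 30 months holds at every shorter interval, and the margin to the 99.9 percent goal at 30 months is what bounds how far the surveillance interval could be extended.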
b) FPGA-Based ALS PPS Equipment In the ALS Topical Report Submittal [15], reliability numbers were calculated for seven different types of modules. These calculations can be found in the following documents:
- 6002-10212-ALS-102 FPA FMEA and Reliability Analysis [82],
- 6002-30212-ALS-302 FPA FMEA and Reliability Analysis [83],
- 6002-31112-ALS-311 FPA FMEA and Reliability Analysis [84],
- 6002-32112-ALS-321 FPA FMEA and Reliability Analysis [85],
- 6002-40212-ALS-402 FMEA and Reliability Analysis [86], and
- 6002-42112-ALS-421 FPA FMEA and Reliability Analysis [87].
4.10.1.10 Clause 4.10 Critical Points in Time or Plant Conditions (Section D.9.4.1.10 of DI&C-ISG-06 [1])
IEEE Standard 603-1991 [21], Clause 4.10 states:
The critical points in time or the plant conditions, after the onset of a design basis event, including:
4.10.1 The point in time or plant conditions for which the protective actions of the safety system shall be initiated.
4.10.2 The point in time or plant conditions that define the proper completion of the safety function.
4.10.3 The points in time or plant conditions that require automatic control of protective actions.
4.10.4 The point in time or plant conditions that allow returning a safety system to normal.
The critical points in time with regard to the DCPP FSAR Chapter 15 [26] events have not changed as a result of the PPS replacement. The points in time for required protective actions, required automatic protective control, and the return to normal safety system operation are the same.
a) Tricon-Based PPS Equipment There is no additional information for control after protective action in the Tricon Topical Reports [8] [13].
b) FPGA-Based ALS PPS Equipment Section 12.1.1 of the ALS Topical Report Submittal [15] describes the FPGA-based ALS PPS replacement equipment conformance to Clause 4.10 by stating that conformance is application specific. The critical points in time with regard to the DCPP FSAR Chapter 15 [26] events have not changed as a result of the PPS replacement.
4.10.1.11 Clause 4.11 Equipment Protective Provisions (Section D.9.4.1.11 of DI&C-ISG-06 [1])
IEEE Standard 603-1991 [21], Clause 4.11 states:
The equipment protective provisions that prevent the safety systems from accomplishing their safety functions.
There are no equipment protective provisions associated with the PPS replacement that would prevent the safety systems from accomplishing their safety functions.
However, it should be noted that several important new features will exist upon implementation of the PPS replacement. Examples are as follows:
- Signal validation is required for the Overpower ΔT and Overtemperature ΔT channels but not for any other PPS channels.
- Input range checking is required for all PPS input channels. This includes out-of-range high and out-of-range low setpoints.
- The PPS replacement platforms are equipped with sufficient diagnostics to alarm and isolate system faults to the card/module level.
These features enhance the reliability of the PPS replacement; they are not equipment protective provisions that would prevent the PPS from performing the required safety functions.
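The input range checking described above and the 2/3 coincidence voting gated by the P8 permissive described in Section 4.10.1.5 (loss of forced reactor coolant flow in a single loop) can be made concrete with a small model. The following is an added example, not code from the LAR, Invensys or CSI: it treats a channel that fails its range check as tripped (fail-safe handling is an assumption of the example, not a statement of the DCPP design), keeps a bypassed channel out of the vote, and reports the out-of-range alarm separately so that a failed input is visible rather than silently voted. All setpoint and range values are constructed sample numbers, not DCPP setpoints.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added example: per-channel input range checking followed by m-out-of-n
# coincidence voting with a permissive. Not DCPP, Tricon or ALS code.


@dataclass
class Channel:
    """One protection channel input. Values are constructed, in percent of
    nominal loop flow; the range limits stand in for the out-of-range high
    and low setpoints of the input range check."""
    name: str
    value: float
    range_low: float = 0.0
    range_high: float = 120.0
    bypassed: bool = False


def range_check(ch: Channel) -> Optional[str]:
    """Input range check: None when the input is inside its valid range,
    otherwise the alarm condition ('out_of_range_low' / 'out_of_range_high')."""
    if ch.value < ch.range_low:
        return "out_of_range_low"
    if ch.value > ch.range_high:
        return "out_of_range_high"
    return None


def partial_trip(ch: Channel, setpoint: float) -> bool:
    """Per-channel (partial) trip decision for a flow-low function.
    A channel that fails its range check is placed in the tripped state
    (fail-safe handling: an assumption of this example). A bypassed channel
    never contributes a partial trip, whatever its input reads."""
    if ch.bypassed:
        return False
    if range_check(ch) is not None:
        return True
    return ch.value < setpoint


def coincidence(partials: List[bool], needed: int = 2) -> bool:
    """m-out-of-n voting: True when at least `needed` channels are tripped."""
    return sum(1 for p in partials if p) >= needed


def loop_flow_low(channels: List[Channel], setpoint: float, p8: bool,
                  needed: int = 2) -> Dict[str, object]:
    """Evaluate a single-loop reactor coolant flow-low trip: 2/3 coincidence
    of flow-low channels, enabled by the P8 permissive. The per-channel
    alarms and partial trips are returned alongside the decision so that a
    failed channel is visible and not silently absorbed by the vote."""
    alarms = {ch.name: range_check(ch) for ch in channels if range_check(ch)}
    partials = {ch.name: partial_trip(ch, setpoint) for ch in channels}
    voted = coincidence(list(partials.values()), needed)
    return {"trip": bool(voted and p8), "voted": voted,
            "partials": partials, "alarms": alarms}


# Constructed sample inputs: three flow channels on one loop, flow-low
# setpoint at 90 % of nominal (a sample number, not a DCPP setpoint).
SETPOINT = 90.0
NORMAL = [Channel("F-1", 99.0), Channel("F-2", 98.0), Channel("F-3", 100.0)]
LOW_FLOW = [Channel("F-1", 85.0), Channel("F-2", 97.0), Channel("F-3", 84.0)]
# One channel reading below its input range (a failed transmitter or open loop).
FAILED = [Channel("F-1", -3.0), Channel("F-2", 86.0), Channel("F-3", 99.0)]

if __name__ == "__main__":
    for label, chans in (("normal", NORMAL), ("low flow", LOW_FLOW),
                         ("failed channel", FAILED)):
        print(label, loop_flow_low(chans, SETPOINT, p8=True))
```

The design point is that range checking and voting are kept separate: an out-of-range input produces both an alarm and a defined partial-trip state, so a failed transmitter can neither suppress a trip nor pass unnoticed, and the permissive gates the voted result rather than the individual channels.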
a) Tricon-Based PPS Equipment There is no additional information for equipment protective provision in the Tricon Topical Reports [8] [13].
b) FPGA-Based ALS PPS Equipment Section 12.1.1 of the ALS Topical Report Submittal [15] describes the FPGA-based ALS PPS replacement equipment conformance to Clause 4.11 by stating that conformance is application specific. There are no equipment protective provisions associated with the PPS replacement that would prevent the safety systems from accomplishing their safety functions.
4.10.1.12 Clause 4.12 Special Design Bases (Section D.9.4.1.12 of DI&C-ISG-06 [1])
IEEE Standard 603-1991 [21], Clause 4.12 states:
Any other special design basis that may be imposed on the system design (example: diversity, interlocks, regulatory agency criteria).
New design provisions which could prevent the safety systems from accomplishing their safety functions are not imposed by the PPS Replacement Project. However, the PPS Replacement Project initiated the need for a new diversity and D3 evaluation to be performed. Even though the previous D3 evaluation was still relevant for digital systems, the decision was made to eliminate the need for certain diverse manual actuations for the events where the time available for operator response was too short.
Per NRC ISG-02 [3], automatic actuation not affected adversely by software CCF is preferred where operator action otherwise would be required to mitigate an FSAR [26] Chapter 15 event with a concurrent CCF. As discussed in the approved DCPP D3 Topical Report [6, 7], several manual actuations previously credited in the Eagle 21 SER to mitigate an FSAR [26] Chapter 15 accident or event with a concurrent CCF have been eliminated by the PPS replacement due to the built-in diversity provided by the ALS equipment. Automatic mitigation functions will be initiated by the independent, inherently diverse ALS portion of the PPS replacement for events that previously would require manual operator action for mitigation if the event were to occur with a concurrent postulated CCF to the PPS.
Therefore, the design diversity provided by the logic-based ALS portion of the PPS replacement ensures that all accidents and events credited with automatic PPS mitigation in DCPP FSAR [26] Chapter 15 Safety Analyses continue to be mitigated automatically with a concurrent software CCF. The PPS replacement provides automatic mitigation for events that currently require manual protective action should a CCF disable the Eagle 21 primary and backup protection functions.
PG&E submitted the report, "Diablo Canyon Power Plant Topical Report, Process Protection System Replacement Diversity & Defense-in-Depth Assessment" [6], to the NRC for review. This report provides details on the PPS replacement designs and how the strategic use of the ALS FPGAs provides the necessary diversity features. The NRC issued the results of their review in a SER [7].
a) Tricon-Based PPS Equipment There is no additional information for special design basis in the Tricon Topical Reports [8] [13].
b) FPGA-Based ALS PPS Equipment Section 12.1.1 of the ALS Topical Report Submittal [15] describes the FPGA-based ALS PPS replacement equipment conformance to Clause 4.12 by stating that conformance is application specific.
The D3 Assessment [6] and the ensuing NRC safety evaluation [7] provide details regarding the ALS D3 concept and conformance to this clause.
4.10.2 Clause 5 System (Section D.9.4.2 of DI&C-ISG-06 [1])
IEEE Standard 603-1991 [21], Clause 5 states:
The safety systems shall, with precision and reliability, maintain plant parameters within acceptable limits established for each design basis event. The power, instrumentation, and control portions of each safety system shall be comprised of more than one safety group of which any one safety group can accomplish the safety function.
In addressing Clauses 5.1 through 5.15 below, the evaluation confirms that the general functional criteria for the PPS Replacement Project have been appropriately allocated to the various system components. The design review in this regard concludes that the system design fulfills the system DCPP design basis criteria established. This design review is from an integrated hardware/software perspective.
4.10.2.1 Clause 5.1 Single-Failure Criterion (Section D.9.4.2.1 of DI&C-ISG-06 [1])
IEEE Standard 603-1991 [21], Clause 5.1 states:
The safety systems shall perform all safety functions required for a design basis event in the presence of: (1) any single detectable failure within the safety systems concurrent with all identifiable but non-detectable failures; (2) all failures caused by the single failure; and (3) all failures and spurious system actions that cause or are caused by the design basis event requiring the safety functions. The single-failure criterion applies to the safety systems whether control is by automatic or manual means. IEEE Std 379-1988 provides guidance on the application of the single-failure criterion.
This criterion does not invoke coincidence (or multiple-channel) logic within a safety group; however, the application of coincidence logic may evolve from other criteria or considerations to maximize plant availability or reliability. An evaluation has been performed and documented in other standards to show that certain fluid system failures need not be considered in the application of this criterion. The performance of a probabilistic assessment of the safety systems may be used to demonstrate that certain postulated failures need not be considered in the application of the criterion. A probabilistic assessment is intended to eliminate consideration of events and failures that are not credible; it shall not be used in lieu of the single-failure criterion. IEEE Std 352-1987 and IEEE Std 577-1976 provide guidance for reliability analysis.
Where reasonable indication exists that a design that meets the single-failure criterion may not satisfy all the reliability requirements specified in 4.9 of the design basis, a probabilistic assessment of the safety system shall be performed. The assessment shall not be limited to single failures. If the assessment shows that the design basis requirements are not met, design features shall be provided or corrective modifications shall be made to ensure that the system meets the specified reliability requirements.
DCPP, Unit Nos. 1 and 2 - Safety Evaluation for Topical Report, "Process Protection System Replacement Diversity & Defense-In-Depth Assessment" [7] describes the PPS replacement system level D3 details.
A System Level FMEA, which meets the requirements of IEEE 603-1991 [21], Clause 5.1 will be performed during Phase 2 of the PPS replacement project to ensure the Single Failure Criterion is met at the combined Tricon and ALS PPS replacement system level.
a) Tricon-Based PPS Equipment The PPS replacement uses a V10 Tricon system in each of multiple process channels and trip logic trains. These redundant channels and trains are electrically isolated and physically separated. The Tricon platform hardware is designed with triple redundant safety circuitry for single failure protection. Section 4.10 of EPRI TR-1000799 "Generic Qualification of the Triconex Corporation TRICON Triple Modular Redundant PLC System for Safety-Related Applications in Nuclear Power Plants," [8] describes how the Tricon platform is designed such that no single failure will impact the ability of the equipment to perform the safety function. In addition, Section 2.2.11 of the Tricon V10 Topical Report Submittal [13] addresses the V10 FMEA submitted with the platform documentation.
b) FPGA-Based ALS PPS Equipment Section 12.1.2 of 6002-00301 ALS Topical Report Submittal [15] describes the ALS platform compliance with the Single Failure Criterion. 6002-00031 ALS Diversity Analysis [16] describes the built-in diversity features of the ALS platform.
4.10.2.1.1 FMEA (Section D.9.4.2.1.1 of DI&C-ISG-06 [1])
A System Level FMEA will be performed during Phase 2 of the PPS replacement project to ensure the requirement of IEEE 603-1991 [21], Clause 5.1 is met at the combined Tricon and ALS PPS replacement system level. IEEE Standard 379 [148] and NRC RG 1.53, R3 [149] provide guidance on application of the single-failure criterion to meet IEEE 603-1991 [21], Clause 5.1.
a) Tricon-Based PPS Equipment Section 2.2.11 of the NRC-approved Tricon V9 Topical Report [8] describes the platform level FMEA which was performed on the Tricon V9 PLC. Further details of the Tricon V10 FMEA are located in Appendix 1, Section 5 of NTX-SER-09-10 Tricon Applications in Nuclear Reactor Protection Systems - Compliance with NRC ISG-2 & ISG-4 [24]. A Tricon application level FMEA will be performed during Phase 2 of the PPS replacement project.
b) FPGA-Based ALS PPS Equipment Section 12.1.2 of the ALS Topical Report Submittal [15] discusses the board level FMEA performed on each of the ALS boards. An ALS application level FMEA will be performed during Phase 2 of the PPS replacement project.
4.10.2.2 Clause 5.2 Completion of Protective Action (Section D.9.4.2.2 of DI&C-ISG-06 [1])
IEEE Standard 603-1991 [21], Clause 5.2 states:
The safety systems shall be designed so that, once initiated automatically or manually, the intended sequence of protective actions of the execute features shall continue until completion. Deliberate operator action shall be required to return the safety systems to normal. This requirement shall not preclude the use of equipment protective devices identified in 4.11 of the design basis or the provision for deliberate operator interventions. Seal-in of individual channels is not required.
The design for the PPS replacement meets the requirements of IEEE 603-1991 [21], Clause 5.2, Completion of Protective Action.
a) Tricon-Based PPS Equipment The Tricon scan-based architecture is such that, once initiated, the protective action proceeds to completion. Interrupts are not used, and return to normal operation requires deliberate operator action. The NRC SER [11], dated December 11, 2001, Section 5.1 documents the NRC concurrence. In addition, the FMEA submitted with the Tricon V10 Topical Report Submittal [13] provides updated analysis for the V10 platform.
b) FPGA-Based ALS PPS Equipment Section 12.1.3 of 6101-00301 ALS Topical Report Submittal [15] discusses the capabilities of the ALS to ensure the protective action continues until complete. The ALS platform generates a partial trip and does not require manual intervention or acknowledgment of actuation commands to complete a protective action.
4.10.2.3 Clause 5.3 Quality (Section D.9.4.2.3 of DI&C-ISG-06 [1])
IEEE Standard 603-1991 [21], Clause 5.3 states:
Components and modules shall be of a quality that is consistent with minimum maintenance requirements and low failure rates. Safety system equipment shall be designed, manufactured, inspected, installed, tested, operated, and maintained in accordance with a prescribed QA program (See ASME NQA-1-1994). Guidance on the application of this criteria for safety system equipment employing digital computers and programs or firmware is found in IEEE Std 7-4.3.2-1993.
Section 4.2.11 of this LAR addresses the compliance with 10 CFR 50 Appendix B for PG&E, Triconex and CSI.
The design for the PPS replacement meets the requirements of IEEE 603-1991 [21], Clause 5.3, Quality.
PG&E has an NRC approved 10 CFR 50 Appendix B QA program. Procedural guidance for digital projects is provided in PG&E procedure CF2.1D9, Rev 1 Software QA for Software [51].
PPS replacement project specific QA requirements are provided in SyQAP for PPS Replacement Project [52].
a) Tricon-Based PPS Equipment Section 5.1.1 of the Tricon V10 Topical Report Submittal [13] describes the QA program for Invensys Operation Management. The Invensys Operation Management QAP is outlined in IOM Corporate NQAM (IOM-Q2) [31].
The Tricon PPS replacement project specific QA requirements are provided in DCPP Tricon PPS SQAP [71].
b) FPGA-Based ALS PPS Equipment Section 10 of 6101-00301 ALS Topical Report Submittal [15] describes the QA program for CSI. The CSI QAP is outlined in 9000-00000 "Quality Assurance Manual", Rev 4 [33].
6002-00001 ALS Quality Assurance Plan [63] provides definition for the techniques, procedures, and methodologies which are used by CSI to assure quality in the design and test developments of the ALS platform.
4.10.2.4 Clause 5.4 Equipment Qualification (Section D.9.4.2.4 of DI&C-ISG-06 [1])
IEEE Standard 603-1991 [21], Clause 5.4 states:
Safety system equipment shall be qualified by type test, previous operating experience, or analysis, or any combination of these three methods, to substantiate that it will be capable of meeting, on a continuing basis, the performance requirements as specified in the design basis. Qualification of Class 1E equipment shall be in accordance with the requirements of IEEE Std 323-1983 and IEEE Std 627-1980.
Section 4.6 of this Enclosure addresses the conformance of the Tricon, ALS and ancillary equipment to the EQ requirements of IEEE 603 Clause 5.4. Additionally, Section 4.2.12 addresses the system time response requirements included in Section D.9.4.2.4 of DI&C-ISG-06 [1].
Refer to Section 4.11.1.2 of this Enclosure for additional details regarding the compliance with the requirements of IEEE Standard 7-4.3.2-2003 [80].
4.10.2.5 Clause 5.5 System Integrity (Section D.9.4.2.5 of DI&C-ISG-06 [1])
IEEE Standard 603-1991 [21], Clause 5.5 states:
Safety systems shall be designed to accomplish their safety functions under the full range of applicable conditions enumerated in the design basis.
The PPS Replacement Project is made up of both Tricon and ALS processors and associated components and has been designed and tested to confirm that the equipment demonstrates system performance adequate to ensure completion of protective actions over the range of transient and steady-state plant conditions.
" In accordance with the DCPP Units 1 and 2 PPS Replacement FRS [28], Section 3, the PPS instrumentation is installed within 16 existing PPS equipment racks (per unit).
- The PPS equipment racks are located in what is considered to be a mild environment including atmospheric pressure. The design basis specifies the range of ambient temperature conditions during normal and accident conditions as 40 -
104°F. For the new system, the heat load effects are less than the current system.
- The design basis specifies the range of humidity conditions during normal and accident conditions as 0 - 95 percent relative humidity (non-condensing).
- The design basis specifies the seismic response spectra for a design basis earthquake. This specification envelopes the range of seismic based vibration conditions that could occur during normal and accident conditions.
- The design basis specifies the range of electrical power supply conditions during normal and accident conditions in the 120 volts (V) 60 hertz (Hz) AC vital power systems as +/-10 percent voltage and +/-3 percent frequency.
The PPS consists of four separate and isolated Protection Sets with adequate instrumentation to monitor the required reactor plant parameters and provide signals to the SSPS for use in determining when required RTS or ESFAS protective actions are required.
The PPS provides signals (isolated where appropriate) to drive indicators and/or recorders in the main control room to provide operators with operating plant information and to satisfy the requirements of RG 1.97 [36] as described in Section 7.5 of the DCPP FSAR [26].
The PPS provides isolated signals to the PPC and to various plant control systems such as the DFWCS and the Rod Control System. With the exception of ΔT/Tavg, these signals are derived from the PPS channel sensor input loops and are not processed by the PPS. The signal from the PPS sensors is supplied to the AMSAC via an independent isolator. A Tricon failure cannot affect the AMSAC and an AMSAC failure cannot affect the Tricon.
The Tricon and ALS systems have been designed and tested to confirm that the equipment demonstrates system performance adequate to ensure completion of protective actions over the range of transient and steady state plant conditions. Failure modes are discussed in Paragraph 2.2.11 of the Tricon V10 Topical Report Submittal [13] and in Section 7.1 of the ALS Topical Report Submittal [15].
Computer system integrity is addressed in Section 4.11.1.3 of this Enclosure.
4.10.2.6 Clause 5.6 Independence (Section D.9.4.2.6 of DI&C-ISG-06 [1])
IEEE Standard 603-1991 [21], Clause 5.6 states:
Clause 5.6 of IEEE 603-1991 requires in part independence between 1) redundant portions of a safety system, 2) safety systems and the effects of design basis events, and 3) safety systems and other systems. SRP Chapter 7, Appendix 7.1-C, Section 5.6, "Independence" provides acceptance criteria for system integrity. These acceptance criteria state that three aspects of independence: 1) physical independence, 2) electrical independence, and 3) communications independence, should be addressed for each of the previously listed cases. Guidance for evaluation of physical and electrical independence is provided in Regulatory Guide 1.75, Revision 3, "Criteria for Independence of Electrical Safety Systems" (Reference 126), which endorses IEEE Std 384-1992, "IEEE Standard Criteria for Independence of Class 1E Equipment and Circuits." The safety system design should not have components that are common to redundant portions of the safety system, such as common switches for actuation, reset, mode, or test; common sensing lines; or any other features that could compromise the independence of redundant portions of the safety system. Physical independence is attained by physical separation and physical barriers. Electrical independence should include the utilization of separate power sources. Transmission of signals between independent channels should be through isolation devices.
SRP Chapter 7, Appendix 7.1-C, Section 5.6, "Independence" provides additional acceptance criteria for communications independence. Section 5.6 states that where data communication exists between different portions of a safety system, the analysis should confirm that a logical or software malfunction in one portion cannot affect the safety functions of the redundant portions, and that if a digital computer system used in a safety system is connected to a digital computer system used in a non-safety system, a logical or software malfunction of the non-safety system must not be able to affect the functions of the safety system.
4.10.2.6.1 Clause 5.6.1, Independence between Redundant Portions of a Safety System
IEEE Standard 603-1991 [21], Clause 5.6.1 states:
5.6.1 Between Redundant Portions of a Safety System. Redundant portions of a safety system provided for a safety function shall be independent of and physically separated from each other to the degree necessary to retain the capability to accomplish safety function during and following any design basis event requiring that safety function.
The PPS replacement scope consists of four independent Protection Sets; each Protection Set is physically separated and electrically isolated from the other sets. The requirement for physical separation is provided in Section 1.2 of the DCPP Units 1 & 2 PPS Replacement FRS [28].
a) Tricon-Based PPS Equipment
Section 2.2 of 993754-1-912, Diablo Canyon Triconex PPS ISG-04 Conformance Report [25], describes the independence of the Tricon equipment.
b) FPGA-Based ALS PPS Equipment
Sections 1.3 and 2.2.2 of the ALS System Requirement Specification [17] describe the independence of the ALS equipment. Section 4 of the ALS Topical Report Submittal [15] describes the equipment qualification of the ALS platform.
4.10.2.6.2 Clause 5.6.2, Independence between Safety Systems and Effects of Design Basis Event
IEEE Standard 603-1991 [21], Clause 5.6.2 states:
5.6.2 Between Safety Systems and Effects of Design Basis Event. Safety system equipment required to mitigate the consequences of a specific design basis event shall be independent of, and physically separated from, the effects of the design basis event to the degree necessary to retain the capability to meet the requirements of this standard. Equipment qualification in accordance with 5.4 is one method that can be used to meet this requirement.
The PPS replacement scope consists of four independent Protection Sets; each Protection Set is physically separated and electrically isolated from the other sets. The requirement for physical separation is provided in Section 1.2 of the DCPP Units 1 and 2 PPS Replacement FRS [28].
a) Tricon-Based PPS Equipment
Section 2 of the Tricon V10 Topical Report [13] provides a summary of the equipment testing and analysis performed to meet the requirements of IEEE 603-1991 [21], IEEE Standard 323-1983 [65], EPRI TR-107330 [81], EPRI TR-102323 Revision 1 [79] and RG 1.180 Revision 1 [23]. This testing/analysis confirmed that the Tricon safety system is fully qualified and capable of performing its designated safety functions while exposed to normal, abnormal, test, accident, and post-accident environmental conditions, as required.
b) FPGA-Based ALS PPS Equipment
Section 4 of ALS Topical Report Submittal [15] describes the equipment qualification of the ALS platform.
4.10.2.6.3 Clause 5.6.3, Independence between Safety Systems and Other Systems
IEEE Standard 603-1991 [21], Clause 5.6.3 states:
5.6.3 Between Safety Systems and Other Systems. Safety system design shall be such that credible failures in and consequential actions by other systems, as documented in 4.8 of the design basis, shall not prevent the safety systems from meeting the requirements of this standard.
5.6.3.1 Interconnected Equipment (1) Classification: Equipment that is used for both safety and non-safety functions shall be classified as part of the safety systems. Isolation devices used to effect a safety system boundary shall be classified as part of the safety system.
(2) Isolation: No credible failure on the non-safety side of an isolation device shall prevent any portion of a safety system from meeting its minimum performance requirements during and following any design basis event requiring that safety function.
A failure in an isolation device shall be evaluated in the same manner as a failure of other equipment in a safety system.
5.6.3.2 Equipment in Proximity (1) Separation: Equipment in other systems that is in physical proximity to safety system equipment, but that is neither an associated circuit nor another Class 1E circuit, shall be physically separated from the safety system equipment to the degree necessary to retain the safety systems' capability to accomplish their safety functions in the event of the failure of non-safety equipment. Physical separation may be achieved by physical barriers or acceptable separation distance. The separation of Class 1E equipment shall be in accordance with the requirements of IEEE Std 384-1981.
(2) Barriers: Physical barriers used to effect a safety system boundary shall meet the requirements of 5.3, 5.4 and 5.5 for the applicable conditions specified in 4.7 and 4.8 of the design basis.
5.6.3.3 Effects of a Single Random Failure. Where a single random failure in a non-safety system can (1) result in a design basis event, and (2) also prevent proper action of a portion of the safety system designed to protect against that event, the remaining portions of the safety system shall be capable of providing the safety function even when degraded by any separate single failure.
See IEEE Std 379-1988 for the application of this requirement.
The PPS replacement scope consists of four independent Protection Sets; each Protection Set is physically separated and electrically isolated from the other sets. The requirement for physical separation is provided in Section 1.2 of the DCPP Units 1 & 2 PPS Replacement FRS [28].
a) Tricon-Based PPS Equipment
EPRI TR-1000799, "Generic Qualification of the Triconex Corporation TRICON Triple Modular Redundant PLC System for Safety-Related Applications in Nuclear Power Plants" [8] describes the equipment qualification for the Tricon platform. 993754-1-912, Diablo Canyon Triconex PPS ISG-04 Conformance Report [25], describes the data and communications independence of the Tricon equipment. NTX-SER-09-10, Tricon Applications in Nuclear Reactor Protection Systems - Compliance with NRC ISG-2 & ISG-4 [24], describes the communications independence capabilities of the Tricon platform.
b) FPGA-Based ALS PPS Equipment
Section 4 of ALS Topical Report Submittal [15] describes the equipment qualification of the ALS platform. Section 5 of ALS Topical Report Submittal [15] describes the communication independence capabilities of the ALS equipment.
Section 12.1.19 of the ALS Topical Report Submittal [15] describes the FPGA-based ALS PPS replacement equipment conformance to Clause 5.6.3.
4.10.2.7 Clause 5.7 Capability for Test and Calibration (Section D.9.4.2.7 of DI&C-ISG-06 [1])
IEEE Standard 603-1991 [21], Clause 5.7 states:
Capability for testing and calibration of safety system equipment shall be provided while retaining the capability of the safety systems to accomplish their safety functions. The capability for testing and calibration of safety system equipment shall be provided during power operation and shall duplicate, as closely as practicable, performance of the safety function. Testing of Class 1E systems shall be in accordance with the requirements of IEEE Std 338-1987 [3]. Exceptions to testing and calibration during power operation are allowed where this capability cannot be provided without adversely affecting the safety or operability of the generating station. In this case:
(1) appropriate justification shall be provided (for example, demonstration that no practical design exists),
(2) acceptable reliability of equipment operation shall be otherwise demonstrated, and
(3) the capability shall be provided while the generating station is shut down.
The PPS replacement complies with Clause 5.7 as discussed below:
The PPS replacement is a digital replacement for the existing digital Eagle 21 PPS at DCPP. The capability for testing and calibration of the PPS replacement is not significantly different from that of the existing Eagle 21 PPS. The PPS replacement provides enhanced self-testing and diagnostic functions that reduce the likelihood of undetected failures in both the Tricon and ALS subsystems. However, the existing Eagle 21 technical specification surveillance requirements (SR) do not require revision as a result of this project.
The requirement for periodic testing is addressed by channel calibrations. The channel calibrations are performed online using the bypass capability of the channel or during refueling outages when the PPS is not required to be operable. Calibration and testing will be performed according to approved procedures that establish specific surveillance techniques and surveillance intervals intended to maintain the high reliability of the PPS replacement.
If on-line testing is required for troubleshooting maintenance, the PPS replacement design allows for this testing without disconnecting wires, installing jumpers, or otherwise modifying the installed equipment. Simulated signal inputs into a channel can be applied using measuring and test equipment. During performance of testing or maintenance of the PPS replacement, it may be necessary to place the individual channel into the bypass mode. Indication of bypass status is discussed in Section 4.10.2.8 of this LAR.
Administrative procedures will provide appropriate guidance in the event a portion of the PPS replacement is in bypass or is manually tripped. These procedures are augmented by automatic indication at the system level that the system is in bypass or that a portion of the protection system and/or the systems actuated or controlled by the protection system is tripped.
Both the Triconex and the ALS platforms make extensive use of watchdog timers in performing built-in self-tests. The Triconex operating system provides "hooks" to the application to enable the application to take appropriate action upon watchdog timer time-out. Refer to:
- Tricon V10 Topical Report Submittal [13] Sections 2.1.2.6, 2.1.3.1, 2.2.10
- Appendix B to Tricon V10 Topical Report Submittal [13] Sections 3.9.A, 3.9.B, 5.3.V
- ALS Topical Report Submittal [15] Section 2.3
- ALS System Requirements Specification [17] Sections 2.7.2, 2.7.3
- ALS System Design Specification [19] Section 5.2.5
a) Tricon-Based PPS Equipment
The Triconex application program provides the means for periodic test and calibration of input sensors and output devices. Triconex PPS replacement application details are provided in the Triconex SRS [75]. Platform compliance with this clause is discussed in Tricon V10 Topical Report Submittal [13] Section 2.1 and Topical Report Appendix B Sections 3.0, 5.0, and 6.0.
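The watchdog-timer hook described above (the operating system letting the application act on a time-out) is shown here as an added illustration; this is not code from the submittal, from the Tricon platform or from the ALS platform. It is a deterministic software watchdog whose registered hook drives a channel's partial-trip output to the de-energized state and raises a fault alarm, so that a hung application task fails toward the tripped condition and is annunciated rather than silently stalling. The structure and function names, the tick-based timing and the de-energize-to-trip policy are assumptions made for the example.

```c
/* Added example (not Triconex/IOM or CSI code): a deterministic software
 * watchdog with an application hook invoked on time-out, modelled on the
 * mechanism described above. All names, the tick-based timing and the
 * de-energize-to-trip policy are assumptions made for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef enum { OUT_DEENERGIZED = 0, OUT_ENERGIZED = 1 } out_state_t;

/* Hook registered by the application; called once when the watchdog expires. */
typedef void (*wdt_hook_t)(void *ctx);

typedef struct {
    uint32_t   timeout_ticks; /* ticks allowed between kicks */
    uint32_t   since_kick;    /* ticks elapsed since the last kick */
    bool       expired;       /* latched; only wdt_init() re-arms it */
    wdt_hook_t hook;
    void      *hook_ctx;
} watchdog_t;

void wdt_init(watchdog_t *w, uint32_t timeout_ticks, wdt_hook_t hook, void *ctx)
{
    *w = (watchdog_t){ .timeout_ticks = timeout_ticks, .hook = hook, .hook_ctx = ctx };
}

/* The monitored task calls this each cycle it completes normally. A kick after
 * expiry is ignored: a hung task that resumes must not silently clear the
 * tripped state; re-arming is a deliberate, administratively controlled step. */
void wdt_kick(watchdog_t *w)
{
    if (!w->expired)
        w->since_kick = 0;
}

/* Called from the timer tick. Returns true only on the tick the watchdog fires. */
bool wdt_tick(watchdog_t *w)
{
    if (w->expired)
        return false;
    w->since_kick++;
    if (w->since_kick >= w->timeout_ticks) {
        w->expired = true;
        if (w->hook)
            w->hook(w->hook_ctx);
        return true;
    }
    return false;
}

/* One protection channel (assumed model): a de-energize-to-trip partial trip
 * output and a fault alarm feeding the control-room status indication. */
typedef struct {
    out_state_t partial_trip_output;
    bool        fault_alarm;
    uint32_t    hook_calls;
} channel_t;

static void channel_on_wdt_timeout(void *ctx)
{
    channel_t *ch = ctx;
    ch->partial_trip_output = OUT_DEENERGIZED; /* fail to the tripped state */
    ch->fault_alarm = true;                    /* drive the status indication */
    ch->hook_calls++;
}

/* Runs `cycles` timer ticks. The application task kicks the watchdog every cycle
 * except during [hang_at, recover_at), which models a task that hangs and later
 * resumes. Returns the cycle on which the watchdog fired, or -1 if it never did. */
int simulate(channel_t *ch, uint32_t cycles, uint32_t hang_at, uint32_t recover_at,
             uint32_t timeout_ticks)
{
    watchdog_t w;
    int fired_at = -1;

    *ch = (channel_t){ .partial_trip_output = OUT_ENERGIZED };
    wdt_init(&w, timeout_ticks, channel_on_wdt_timeout, ch);

    for (uint32_t t = 0; t < cycles; t++) {
        if (t < hang_at || t >= recover_at)
            wdt_kick(&w);
        if (wdt_tick(&w) && fired_at < 0)
            fired_at = (int)t;
    }
    return fired_at;
}

int main(void)
{
    channel_t ch;
    int fired = simulate(&ch, 20, 5, 8, 3); /* task hangs at cycle 5, resumes at 8 */
    printf("watchdog fired at cycle %d; output %s; alarm %d; hook calls %u\n", fired,
           ch.partial_trip_output == OUT_ENERGIZED ? "energized" : "de-energized",
           (int)ch.fault_alarm, (unsigned)ch.hook_calls);
    return 0;
}
```

With a three-tick timeout and the task last kicking on cycle 4, the watchdog fires on cycle 6, the hook runs exactly once, and the output stays de-energized even after the task resumes kicking on cycle 8; clearing the latched state is left to an explicit re-initialisation so that the bypass or inoperable status indication discussed under Clause 5.8 is not lost by a transient recovery.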
b) FPGA-Based ALS PPS Equipment
Section 3.1.1.3 of the ALS Topical Report Submittal [15] separates faults into categories and describes ALS platform diagnostics and actions taken upon failure detection.
Section 3.2 of the ALS Topical Report Submittal [15] describes the ALS design to support periodic surveillance testing, channel calibration and maintenance on a particular channel, while retaining the capability to accomplish the intended safety functions on the remaining channels.
Section 3.4 of the ALS Topical Report Submittal [15] describes the ALS design to support calibration of an analog input/output channel using the ASU or the MWS (specific to the PPS replacement) and calibrated external test equipment.
Section 12.1.8 of the ALS Topical Report Submittal [15] describes the ALS platform compliance with this clause.
For both the Triconex and ALS subsystems, the platform self-tests and the application specific test and calibration functions will be performed during the FAT to verify that the safety function is not adversely affected by performance of either built-in or application specific test and calibration functions.
4.10.2.8 Clause 5.8 Information Displays (Section D.9.4.2.8 of DI&C-ISG-06 [1])
IEEE Standard 603-1991 [21], Clause 5.8 states:
5.8.1 Displays for Manually Controlled Actions. The display instrumentation provided for manually controlled actions for which no automatic control is provided and that are required for the safety systems to accomplish their safety functions shall be part of the safety systems and shall meet the requirements of IEEE Std 497-1981 [91]. The design shall minimize the possibility of ambiguous indications that could be confusing to the operator.
5.8.2 System Status Indication. Display instrumentation shall provide accurate, complete, and timely information pertinent to safety system status. This information shall include indication and identification of protective actions of the sense and command features and execute features. The design shall minimize the possibility of ambiguous indications that could be confusing to the operator. The display instrumentation provided for safety system status indication need not be part of the safety systems.
5.8.3 Indication of Bypasses. If the protective actions of some part of a safety system have been bypassed or deliberately rendered inoperative for any purpose other than an operating bypass, continued indication of this fact for each affected safety group shall be provided in the control room.
5.8.3.1 This display instrumentation need not be part of the safety systems.
5.8.3.2 This indication shall be automatically actuated if the bypass or inoperative condition (a) is expected to occur more frequently than once a year, and (b) is expected to occur when the affected system is required to be operable.
5.8.3.3 The capability shall exist in the control room to manually activate this display indication.
5.8.4 Location. Information displays shall be located accessible to the operator.
Information displays provided for manually controlled protective actions shall be visible from the location of the controls used to effect the actions.
4.10.2.8.1 The PPS replacement complies with Clause 5.8.1 as discussed below:
The display instrumentation provided for manually controlled actions for which no automatic control is provided and that are necessary for the safety systems to accomplish their safety functions are part of the safety systems and are unchanged from that which was approved for the Eagle 21 PPS [5]. The RTS instrumentation including manual initiations is listed in TS Table 4.3-1 of the Eagle 21 LAR [97] and the ESFAS instrumentation including manual initiations is listed in TS Table 3.3-3 of the Eagle 21 LAR [97].
a) Tricon-Based PPS Equipment
The Tricon platform has flexible hardware and software capability for communicating with a variety of analog and digital devices, including main control board analog recorders and indicators and digital visual display units such as the MWS. The Triconex platform capability is described in the Topical Report Submittal [13] Section 2.1 and the DI&C-02 and -04 Compliance Report [24] Section 3.0. Triconex PPS replacement application details are provided in the Triconex SRS [75].
b) FPGA-Based ALS PPS Equipment
ALS application details are provided in the DCPP System Design Specification [19] and the ALS-102 FPGA Requirements Specification [20]. The ALS Topical Report Submittal [15] Section 12.1.9.1 discusses compliance of the ALS platform with IEEE Standard 603 [21] Clause 5.8.1.
4.10.2.8.2 The PPS replacement complies with Clause 5.8.2 as discussed below:
The display instrumentation that indicates and identifies protective actions of the sense and command features and execute features is unchanged by the PPS replacement.
This instrumentation is primarily associated with inputs and outputs of the SSPS, which is not affected by the PPS replacement. In addition, the status of all actuated components is indicated on the control boards together with the control switches that are provided for the individual components.
A bistable status light panel on the Control Board provides bistable monitoring information in the Control Room. A "postage stamp" indicator lamp on the panel illuminates to indicate that a protection channel has been activated. This panel is part of the SSPS and is not affected by the PPS replacement.
Display instrumentation that indicates and identifies the status of protective actions of sense and command features is specific to the application.
a) Tricon-Based PPS Equipment
Triconex PPS replacement application details are provided in the Triconex SRS [75]. Platform compliance with this clause is described in Tricon V10 Topical Report Submittal [13] Section 2.1 and the Triconex DI&C-02 and -04 Compliance Report [24] Section 3.0.
b) FPGA-Based ALS PPS Equipment
ALS application details are provided in the DCPP System Design Specification [19] Section 5.3.3.4 and the ALS-102 FPGA Requirements Specification [20]. The ALS Topical Report Submittal [15] Section 12.1.9.2 discusses compliance of the ALS platform with IEEE Standard 603 Clause 5.8.2.
4.10.2.8.3 The PPS replacement complies with Clause 5.8.3 as discussed below:
PPS Replacement FRS [28] paragraph 3.2.1.3.3 requires that status indication signals satisfying the requirements of RG 1.47 [105] be provided to the control room from each Protection Set for indication that a protection channel has been placed in an inoperable condition (e.g., bypassed).
Display instrumentation that indicates and identifies the status of protective actions of sense and command features is specific to the application.
a) Tricon-Based PPS Equipment
Triconex PPS replacement application details are provided in the Triconex SRS [75]. Platform compliance with this clause is described in Tricon V10 Topical Report Submittal [13] Section 2.1 and the Triconex DI&C-02 and -04 Compliance Report [24] Section 3.0.
b) FPGA-Based ALS PPS Equipment
ALS System Requirements Specification [17] requires indication of partial trip output bypasses to be provided locally at the cabinet. This requirement is implemented in ALS System Design Specification [19] Section 11.3, which requires indication that an input channel or output channel has been placed into or removed from a bypass mode or an override mode and describes means by which the information is made available for display in the control room. The ALS Topical Report Submittal [15] Section 12.1.9.2 discusses compliance of the ALS platform with IEEE Standard 603 Clause 5.8.2. ALS application details are provided in the DCPP System Design Specification [19] Section 5.3.3.4 and the ALS-102 FPGA Requirements Specification [20].
4.10.2.8.4 The PPS replacement complies with Clause 5.8.4 as discussed below:
Information displays in the control room are part of the safety systems and are unchanged from those approved for the Eagle 21 PPS [5]. The RTS instrumentation is listed in TS Table 4.3-1 of the Eagle 21 LAR [97] and the ESFAS instrumentation is listed in TS Table 3.3-3 of the Eagle 21 LAR [97].
a) Tricon-Based PPS Equipment
Triconex PPS replacement application details are provided in the Triconex SRS [75]. Platform compliance with this clause is described in Tricon V10 Topical Report Submittal [13] Section 2.1 and the Triconex DI&C-02 and -04 Compliance Report [24] Section 3.0.
b) FPGA-Based ALS PPS Equipment
ALS application details are provided in the DCPP System Design Specification [19] Section 5.3.3.4 and the ALS-102 FPGA Requirements Specification [20]. The ALS Topical Report Submittal [15] Section 12.1.9.4 discusses compliance of the ALS platform with IEEE Standard 603 Clause 5.8.4.
4.10.2.9 Clause 5.9 Control of Access (Section D.9.4.2.9 of DI&C-ISG-06 [1])
IEEE Standard 603-1991 [21], Clause 5.9 states:
The design shall permit the administrative control of access to safety system equipment. These administrative controls shall be supported by provisions within the safety systems, by provision in the generating station design, or by a combination thereof.
The location of safety related equipment is a plant specific implementation issue. In this PPS replacement, the equipment is located in a controlled area secured by the plant security system in a manner that only allows authorized personnel access. This limits the means to bypass safety system functions, via access controls, to authorized plant personnel. The PPS replacement contains design features that provide means to control physical access to safety related equipment. This includes access to PPS replacement equipment which encompasses the test points and the capabilities for changing setpoints. Keys to the cabinet doors will be maintained under the administrative control of DCPP operating staff.
The description of most of the access features is considered by PG&E to be sensitive information and, therefore, withheld from public disclosure pursuant to 10 CFR 2.390 [88].
a) Tricon-Based PPS Equipment
The Tricon has several design features that provide means to control physical access, including access to test points for verifying and changing. Control of the software and hardware during development is the responsibility of IOM. This is discussed in IOM document NTX-SER-10-14, Revision 0, "Tricon V10 conformance to RG 1.152," ML#102040062 [150], which describes the conformance of the V10 Tricon to the security provisions of RG 1.152, Rev 2, "Criteria for use of Computers in Safety Systems of Nuclear Power Plants" [45]. Another document, Triconex Document No. 993754-1-913, "Process Protection System Replacement DCPP RG 1.152 Conformance Report" [147], also discusses the provisions of RG 1.152.
In addition, access to equipment rooms and cabinets including the MWS will be controlled by DCPP only to personnel who are intended to have access.
b) FPGA-Based ALS PPS Equipment
Section 12.1.10 of the ALS Topical Report Submittal [15] describes the FPGA-Based ALS PPS replacement equipment conformance to Clause 5.9.
4.10.2.10 Clause 5.10 Repair (Section D.9.4.2.10 of DI&C-ISG-06 [1])
IEEE Standard 603-1991 [21], Clause 5.10 states:
The safety systems shall be designed to facilitate timely recognition, location, replacement, repair and adjustment of malfunctioning equipment.
The PPS Replacement Project is designed with monitoring features to detect both hardware and software faults and to assist in diagnostic and repair activities. Most failures are detectable within each Protection Set including the processors, I/O modules, power supplies and the communication features.
a) Tricon-Based PPS Equipment
The V10 Tricon is designed for high reliability, extensive self-diagnostics, minimal maintenance and simple on-line replacement of hardware. Maintenance and repair provisions are described in the Tricon V10 Topical Report Submittal [13].
b) FPGA-Based ALS PPS Equipment
Section 12.1.11 of the ALS Topical Report Submittal [15] describes the FPGA-based ALS PPS replacement equipment conformance to Clause 5.10.
4.10.2.11 Clause 5.11 Identification (Section D.9.4.2.11 of DI&C-ISG-06 [1])
IEEE Standard 603-1991 [21], Clause 5.11 states:
In order to provide assurance that the requirements given in this standard can be applied during the design, construction, maintenance, and operation of the plant, the following requirements shall be met:
Safety system equipment shall be distinctly identified for each redundant portion of a safety system in accordance with the requirements of IEEE Std 384-1981 and IEEE Std 420-1982.
Components for modules mounted in equipment or assemblies that are clearly identified as being in a single redundant portion of a safety system do not themselves require identification.
Identification of safety system equipment shall be distinguishable from identifying markings placed on equipment for other purposes (for example, identification of fire protection equipment, phase identification of power cables).
Identification of safety system equipment and its divisional assignment shall not require frequent use of reference material.
The associated documentation shall be distinctly identified in accordance with the requirements of IEEE Std 494-1974.
The PPS replacement is configured in accordance with plant specific identification requirements which provide a standardized method for identifying equipment, diagrams and signals for the purpose of consistency during the replacement process. There are four Process Protection Sets each having a color coded name plate with identification for each rack identifying Protection Set I, II, III or IV. Each field wiring termination point is tagged to aid in identification. Additional details regarding DCPP can be found in the FSAR, Section 7.1.2.3 [26].
a) Tricon-Based PPS Equipment
Clause 5.11 addresses clear and distinct equipment identification. All V10 Tricon equipment is uniquely identified to assure compliance with 10CFR50 Appendix B [151] requirements as described in the IOM Corporate QAM [31].
PPS replacement components are uniquely identified by subsystem/train designations per project procedures and as defined in DCPP specification/drawings.
b) FPGA-Based ALS PPS Equipment
Section 12.1.12 of the ALS Topical Report Submittal [15] describes the FPGA-Based ALS PPS replacement equipment conformance to Clause 5.11.
4.10.2.12 Clause 5.12 Auxiliary Features (Section D.9.4.2.12 of DI&C-ISG-06 [1])
IEEE Standard 603-1991 [21], Clause 5.12 states:
Auxiliary supporting features shall meet all requirements of this standard. Other auxiliary features that (1) perform a function that is not required for the safety systems to accomplish their safety functions, and (2) are part of the safety systems by association (that is, not isolated from the safety system) shall be designed to meet those criteria necessary to ensure that these components, equipment, and systems do not degrade the safety systems below an acceptable level. Examples of these other auxiliary features are shown in Figure 3 and an illustration of the application of this criteria is contained in Appendix A.
The features (components, equipment and systems) of the PPS Replacement Project that perform safety functions satisfy the Clause 5.12 requirements of IEEE Standard 603-1991 [21] as discussed below.
The Communication architecture provides the ability to transmit information to non-safety related devices such as the PPC and the MWS. The communication architecture is compared with ISG-04 [2] in Section 4.8 of this LAR.
a) Tricon-Based PPS Equipment
Auxiliary features are not required for the Tricon-based safety system to accomplish its safety function. At the V10 Tricon platform level, all hardware and software components are produced as safety related under the IOM 10CFR50 Appendix B [151] QA Program.
b) FPGA-Based ALS PPS Equipment
Section 12.1.13 of the ALS Topical Report Submittal [15] describes the FPGA-Based ALS PPS Replacement equipment conformance to Clause 5.12.
4.10.2.13 Clause 5.13 Multi-Unit Stations (Section D.9.4.2.13 of DI&C-ISG-06 [1])
IEEE Standard 603-1991 [21], Clause 5.13 states:
The sharing of structures, systems, and components between units at multi-unit generating stations is permissible provided that the ability to simultaneously perform required safety functions in all units is not impaired. Guidance on the sharing of electrical power systems between units is contained in IEEE Std 308-1980. Guidance on the application of the single failure criterion to shared systems is contained in IEEE Std 379-1988.
The PPS Replacement Project does not allow sharing of any PPS structure, system, or component.
DCPP is currently committed to IEEE 308-1971 per Section 7.1.2.4 et al. of the FSAR [26]. The PPS Replacement Project will conform to IEEE-308-1980 [30] for the replacement scope only as shown in the shaded portion of Figure 4-3.
a) Tricon-Based PPS Equipment
The Tricon-based PPS equipment is provided on a per unit basis with no sharing of any structure, system, or component.
b) FPGA-Based ALS PPS Equipment
Section 12.1.14 of the ALS Topical Report Submittal [15] describes the FPGA-based ALS PPS replacement equipment conformance to Clause 5.13. The ALS-based PPS equipment is provided on a per unit basis with no sharing of any structure, system, or component.
4.10.2.14 Clause 5.14 Human Factors Considerations (Section D.9.4.2.14 of DI&C-ISG-06 [1])
IEEE Standard 603-1991 [21], Clause 5.14 states:
Human factors shall be considered at the initial stages and throughout the design process to assure that the functions allocated in whole or in part to the human operator(s) and maintainer(s) can be successfully accomplished to meet the safety system design goals, in accordance with IEEE Std 1023-1988.
The PPS replacement uses existing hardwired devices located on the control room vertical boards and control console. The existing operator interface using control panel mounted switches and indicators is maintained.
The PPS will share a Human System Interface (HSI) unit on CC4 that will be installed by the PCS replacement project for system health and status displays. This HSI unit will obtain PPS data through a connection to the Gateway computer.
The Main Annunciator provides non-vital 125 V DC for interrogation of alarm output contacts. Existing PPS outputs to the MAS are modified to dry contacts. The existing AC/DC converters on the PPS outputs to the MAS are deleted. Additional outputs to the MAS are provided as described in [27] and [28].
In accordance with Reference [28], the PPS HSI design should follow the guidance provided in the DCPP HSI Development Guidelines Document [37], which references NUREG-0700 [38]; this guidance will be implemented during development of the formal design change following receipt by PG&E of the SER approving this change.
4.10.2.15 Clause 5.15 Reliability (Section D.9.4.2.15 of DI&C-ISG-06 [1])
IEEE Standard 603-1991 [21], Clause 5.15 states:
For those systems for which either quantitative or qualitative reliability goals have been established, appropriate analysis of the design shall be performed in order to confirm that such goals have been achieved. IEEE Std 352-1987 and IEEE Std 577-1976 provide guidance for reliability analysis.
a) Tricon-Based PPS Equipment
Section 2.2.12 of the Tricon V10 Topical Report Submittal [13] describes the availability and reliability analysis performed on the Tricon, per the applicable requirements of IEEE-352 [121] and EPRI TR-107330 [122]. This analysis concluded the calculated reliability and availability were greater than 99.9 percent, which exceeds the recommended goal of 99.0 percent in EPRI TR-107330 [122].
b) FPGA-Based ALS PPS Equipment
Section 5.5 of 6116-00011, Diablo Canyon PPS ALS System Design Specification [19], describes the reliability and availability analysis performed on an ALS PPS configured chassis. The analysis concluded the calculated Mean-Time-Between-Failure for a single ALS PPS configured chassis is 38,725 hours. The analysis concluded the calculated availability is 99.958 percent with an 18 month surveillance interval. The calculated availability of 99.958 percent exceeds the recommended goal of 99.0 percent in EPRI TR-107330 [122].
The analysis does not consider software because the ALS is a FPGA-based system and does not contain executable software. The analysis does consider individual component failures, including failure of components of the FPGA.
The ALS Diversity Analysis [16] provides an overview of the key design attributes for the ALS platform which are sufficient to eliminate the concern for CCF.
4.10.3 Clause 6 Sense and Command Features (Section D.9.4.3 of DI&C-ISG-06 [1])
IEEE Standard 603-1991 [21], Clause 6 states:
In addition to the functional and design requirements in Section 5, the following requirements shall apply to the sense and command features:
Sections 4.10.3.1 through 4.10.3.8 discuss the sense and command aspects of the PPS replacement. These sections provide responses to IEEE 603-1991 Clauses 6.1 through 6.8.
4.10.3.1 Clause 6.1 Automatic Control (Section D.9.4.3.1 of DI&C-ISG-06 [1])
IEEE Standard 603-1991 [21], Clause 6.1 states:
Means shall be provided to automatically initiate and control all protective actions except as justified in 4.5. The safety system design shall be such that the operator is not required to take any action prior to the time and plant conditions specified in 4.5 following the onset of each design basis event. At the option of the safety system designer, means may be provided to automatically initiate and control those protective actions of 4.5.
The PPS conforms with this Clause 6.1 as discussed below:
The PPS performs sense and command functions by providing trip and actuation signals to the SSPS for use by the RTS and ESFAS, which perform the execute functions.
The safety functions performed by the PPS and the SSPS are described in Section 4.1 of this LAR.
The PPS replacement setpoints, errors, and response times will be equal to or better than the setpoints, errors, and response times of the previously approved Eagle 21 PPS and described in Attachment B of the Eagle 21 LAR [97].
The PPS replacement adequately addresses the D3 considerations of BTP-19 as described in the approved DCPP D3 Topical Report [7]. The PPS replacement: (1) implements automatic protective functions in the Class 1E software-based Triconex TRICON processor to mitigate events for which the Eagle 21 SER credited available diverse automatic mitigating functions; and (2) implements automatic protective functions in a logic-based Class 1E CSI ALS that provides inherent, internal diversity to address software CCF per NRC ISG-02 [3] Position 1 and automatically mitigates events that otherwise would require manual protective action if the events were to occur with a concurrent CCF to the PPS. Refer to D3 Topical Report [6] Section 2.3.2 for details.
Requirements for the protective actions described in Section 4.1 of this LAR to be performed automatically (where currently credited with automatic initiation in the DCPP FSAR [26]) are described in the following documents:
- 2. Westinghouse PPS Replacement Project ALS System Requirement Specification [17].
Triconex platform compliance with this clause is discussed in Section 5.1 of the Tricon Version 9 SER [11].
ALS platform conformance is discussed in 12.1.17 of the ALS Topical Report Submittal [15].
Test Design Specifications will be provided to NRC in the PPS replacement Phase 2 documentation per DI&C-ISG-06 [1] Section D4.4.2.4. The Triconex and ALS automatic safety functions are tested during the FAT to verify that the functions perform in accordance with specified requirements.
4.10.3.2 Clause 6.2 Manual Control (Section D.9.4.3.2 of DI&C-ISG-06 [1])
IEEE Standard 603-1991 [21], Clause 6.2 states:
6.2.1 Means shall be provided in the control room to implement manual initiation at the division level of the automatically initiated protective actions. The means provided shall minimize the number of discrete operator manipulations and shall depend on the operation of a minimum of equipment consistent with the constraints of 5.6.1.
6.2.2 Means shall be provided in the control room to implement manual initiation and control of the protective actions identified in 4.5 that have not been selected for automatic control under 6.1.
The displays provided for these actions shall meet the requirements of 5.8.1.
6.2.3 Means shall be provided to implement the manual actions necessary to maintain safe conditions after the protective actions are completed as specified in 4.10. The information provided to the operators, the actions required of these operators, and the quantity and location of associated displays and controls shall be appropriate for the time period within which the actions shall be accomplished and the number of available qualified operators. Such displays and controls shall be located in areas that are accessible, located in an environment suitable for the operator, and suitably arranged for operator surveillance and action.
4.10.3.2.1 The PPS replacement complies with Clause 6.2.1 as described below:
Existing means are provided in the control room for manual initiation at the division level (SSPS Train "A" and Train "B") of the automatically initiated protective actions described in Sections 4.1.23 (Manual RT), 4.1.24 (Manual SI), 4.1.25 (Manual SLI), 4.1.26 (Manual Containment Isolation Phase A), and 4.1.27 (Manual Containment Spray).
These means are provided at the SSPS actuation level, downstream of the PPS, and are independent of any PPS replacement hardware or software. The PPS replacement does not affect any of the division-level manual initiation features or functions in the DCPP protection system listed in DCPP TS [42], described in the approved Eagle 21 PPS SER [5], or described in the Eagle 21 LAR [97].
4.10.3.2.2 The PPS replacement complies with Clause 6.2.3 as described below:
The PPS replacement does not affect the information provided to the operators, the actions required of the operators, or the quantity of the associated displays and controls available to the operators compared to that of the existing Eagle 21 PPS.
Safety-related controls and indicators remain Class 1E; non-safety related indicators are driven by qualified isolation devices. As described in the approved PPS Replacement D3 Assessment [7], reliability and independence of non-safety indications is improved where appropriate by isolating the signals at the PPS input rather than through digital processing and isolation. The indicators are active and available as long as the instrument channel is powered, independent of digital processing.
4.10.3.2.3 The PPS replacement complies with Clause 6.2.2 as described below:
The existing means to implement manual actions at the division level (SSPS Train "A" and Train "B") and the manual controls and indications required to maintain the plant in a safe condition following manual initiation are not adversely affected by the PPS replacement. Critical indications, such as those required for post-accident monitoring (PAM), are derived from raw instrument loop signals at the front end of the replacement PPS, independent of any digital processing. Exceptions are steam flow signals and wide range RCS temperatures, where processing by the PPS is needed for compensation or signal type conversion, and RCP flows, where the signals are normalized in the ALS subsystem before being output as non-safety related signals to indicators in the control room. Isolation of non-safety related signals from safety related signals is performed by qualified isolation devices. Refer to the PPS replacement FRS [28] and IRS [29] for requirements.
The existing means to implement manual actuations at the division level are not affected by the PPS replacement and need not be explicitly tested by the PPS Replacement Project. Such testing is not necessary because the controls and indications required to initiate manual actuations at the division level are periodically tested by existing DCPP surveillance test procedures.
DI&C-ISG-06 [1] advises that the manual controls required by Clause 6.2 may be different from manual actions that could be used as an acceptable diverse actuation to address BTP 7-19 Revision 6 [4], as defense against CCSF. The CCSF mitigation controls should be independent and therefore downstream of the digital portion of the safety system that is subject to the CCSF.
Means are provided in the control room for manual initiation at the division level (SSPS Train "A" and Train "B") of the automatically initiated protective actions described in Sections 4.1.23 (Manual RT), 4.1.24 (Manual SI), 4.1.25 (Manual SLI), 4.1.26, (Manual Containment Isolation Phase A), and 4.1.27, (Manual Containment Spray). These means are provided at the SSPS actuation level, downstream of the PPS, and are independent of any PPS replacement hardware or software. The PPS replacement does not affect any of the division-level manual initiation features or functions in the DCPP protection system listed in DCPP TS [42], described in the approved Eagle 21 PPS SER [5], or described in the Eagle 21 LAR [97].
Elimination (by the PPS replacement) of manual actions credited in the Eagle 21 SER [5] for mitigation of design basis events in the event of CCSF is discussed in the approved PPS Replacement D3 Assessment [6, 7].
a) Tricon-Based PPS Equipment Triconex platform compliance with Clause 6.2.2 is discussed in Section 5.1 of the Tricon Version 9 SER [11], and in the Tricon Version 10 ISG-02 and ISG-04 Compliance Report [24].
b) FPGA-Based ALS PPS Equipment ALS platform conformance is discussed in 12.1.18 of the ALS Topical Report Submittal [15].
4.10.3.3 Clause 6.3 Interaction with Other Systems (Section D.9.4.3.3 of DI&C-ISG-06 [1])
IEEE Standard 603-1991 [21], Clause 6.3 states:
6.3.1 Where a single credible event, including all direct and consequential results of that event, can cause a non-safety system action that results in a condition requiring protective action, and can concurrently prevent the protective action in those sense and command feature channels designated to provide principal protection against the condition, one of the following requirements shall be met:
a) Alternate channels not subject to failure resulting from the same single event shall be provided to limit the consequences of this event to a value specified by the design basis. Alternate channels shall be selected from the following:
- 1. Channels that sense a set of variables different from the principal channels.
- 2. Channels that use equipment different from that of the principal channels to sense the same variable.
- 3. Channels that sense a set of variables different from those of the principal channels using equipment different from that of the principal channels.
- 4. Both the principal and alternate channels shall be part of the sense and command features.
b) Equipment not subject to failure caused by the same single credible event shall be provided to detect the event and limit the consequences to a value specified by the design bases. Such equipment is considered a part of the safety system.
6.3.2 Provisions shall be included so that the requirements in 6.3.1 can be met in conjunction with the requirements of 6.7 if a channel is in maintenance bypass. These provisions include reducing the required coincidence, defeating the non-safety system signals taken from the redundant channels, or initiating a protective action from the bypassed channel.
The DCPP D3 Topical Report [6] describes the PPS replacement capability to withstand events in conjunction with a software CCF. The NRC SER [7] provides the NRC response to the analyses presented in the D3 Topical Report [6].
For events not associated with software CCF, the PPS replacement design minimizes the possibility of occurrence of the events described in IEEE 603, Section 6.3.1 [21].
Transmitter (sensor) inputs required by both the PPS and the control system are provided to the control system via qualified isolation devices (independent of the PPS) located on the transmitter input circuit. The analog signal for use by the control system is not processed by the PPS equipment and thus is not subject to software CCF.
RTD inputs to PPS channels are an exception. RTD inputs are conditioned (resistance to temperature) by the ALS and output to the Tricon as 4-20 mA analog signals for processing by the wide range temperature channels, the pressurizer vapor temperature channel, and the ΔT/Tavg (DTTA) channels. The DTTA channels provide analog outputs to the rod speed and direction control system.
Similarly, analog signals to control board indicators are provided from the transmitter input circuit (isolated where required) and are not processed by the PPS and thus not subject to software CCF. Reactor coolant flow, steamline flow and PPS temperature (Wide Range Temperature, Pressurizer Vapor Temperature, and DTTA) channels are an exception. These channels process the inputs and provide analog signals to control board indicators/recorders (no control system interface).
a) Tricon-Based PPS Equipment The Tricon Version 10 Topical Report [13] provides no additional information regarding conformance to Clause 6.3.
b) FPGA-Based ALS PPS Equipment Section 12.1.19 of the ALS Topical Report Submittal [15] describes the FPGA-based ALS PPS replacement equipment conformance to Clause 6.3 by stating that conformance is application specific. Conformance to Clause 6.3 is discussed above.
4.10.3.4 Clause 6.4 Derivation of System Inputs (Section D.9.4.3.4 of DI&C-ISG-06 [1])
IEEE Standard 603-1991 [21], Clause 6.4 states:
To the extent feasible and practical,sense and command feature inputs shall be derived from signals that are direct measures of the desired variables as specified in the design basis.
The process variables and derived parameters used for the PPS replacement actuation functions are the same as those currently being used for the Eagle 21 PPS and do not change from those used by the current safety analysis.
The following reactor plant parameters are monitored by the PPS replacement as identified in Section 1.5 of the PPS FRS [28]:
- Reactor Coolant Flow (all loops)
- Wide Range Reactor Coolant Temperature (hot and cold legs, all loops)
- Wide Range Reactor Coolant Pressure (loops 3, 4)
- Narrow Range Reactor Coolant Temperature (hot and cold legs, all loops)
- Power Range Neutron Flux (from the Nuclear Instrument System)
- Pressurizer Level
- Pressurizer Pressure
- Pressurizer Vapor Temperature
- Steamline Flow (all steam generators)
- Steamline Pressure (all steam generators)
- Steam Generator Narrow Range Level (all steam generators)
- Turbine Impulse Chamber Pressure
- Containment Pressure
The Feedwater Flow signals and the Steam Flow/Feedwater Flow Mismatch alarms have been removed from the PPS replacement. The Feedwater Flow signals are non-safety related and will be input to the DFWCS, which will then generate the Steam Flow/Feedwater Flow Mismatch alarms.
a) Tricon-Based PPS Equipment The Tricon V10 Topical Report Submittal [13] does not provide additional information regarding conformance to Clause 6.4.
b) FPGA-Based ALS PPS Equipment The FPGA-based ALS platform will not adversely affect the performance characteristics (range, accuracy, resolution, response time, and sample rate) of the existing safety system transmitters and sensors, as discussed in Section 12.1.20 of the ALS Topical Report Submittal [15].
4.10.3.5 Clause 6.5 Capability for Testing and Calibration (Section D.9.4.3.5 of DI&C-ISG-06 [1])
IEEE Standard 603-1991 [21], Clause 6.5 states:
6.5.1 Means shall be provided for checking, with a high degree of confidence, the operationalavailabilityof each sense and command feature input sensor requiredfor a safety function during reactoroperation. This may be accomplished in various ways; for example:
(1) by perturbing the monitored variable, (2) within the constraintsof 6.6, by introducing and varying, as appropriate,a substitute input to the sensor of the same nature as the measured variable, or (3) by cross-checking between channels that beara known relationshipto each other and that have readoutsavailable.
6.5.2 One of the following means shall be provided for assuring the operational availabilityof each sense and command feature required during the post-accident period:
(1) Checking the operationalavailabilityof sensors by use of the methods described in 6.5.1.
(2) Specifying equipment that is stable and retains its calibrationduring the post-accident time period.
DI&C-ISG-06 [1], Section D.9.4.3.5 states:
Clause 6.5 requires that it must be possible to check, with a high degree of confidence, the operational availability of each sense and command feature input sensor needed for a safety function during reactor operation, including the availability of each sense and command feature needed during the post-accident period. SRP Chapter 7, Appendix 7.1-C, Section 6.5, "Capability for Testing and Calibration," provides acceptance criteria for Clause 6.5.
The PPS replacement is a digital replacement for the digital Eagle 21 PPS at DCPP.
The existing Technical Specification SRs for Eagle 21 are applicable to the PPS replacement. The capability for testing/calibration of the PPS replacement is not significantly different than for the Eagle 21 PPS.
The PPS replacement incorporates self-testing diagnostic features as well as range checking on all sensor inputs. A trouble alarm is generated upon detection of an input failure or an out-of-range low or out-of-range high input condition at -5 percent (low) and 105 percent (high) of span.
The capability for testing or calibration in bypass or partial-trip mode at all power levels is provided with indication of bypass provided in the control room in accordance with the requirements of RG 1.47 [105].
The PPS replacement provides the capability for Channel Checks using indications provided in the control room.
Post-accident monitoring capabilities are enhanced with the PPS replacement. With the exception of steam flow, reactor coolant flow, and temperature (loop wide range, loop Tavg, loop ΔT, and pressurizer vapor temperature), all PPS process indications are provided from the transmitter input (via qualified isolation devices where required) and are not processed by the digital PPS replacement equipment. The temperature, steam flow, and reactor coolant flow analog inputs require processing (RTD conversion or square root conversion), which is performed in the PPS as is currently done with the Eagle 21 PPS.
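As an added illustration of the input range check, the square-root flow conversion and the channel cross-check described above (example code written for this review; it is not part of the LAR and not the Tricon or ALS implementation): the -5 percent and 105 percent limits are the values stated above, while the 4-20 mA loop range, the treatment of a missing sample as an input failure, the channel names and the channel-check tolerance are assumptions of the example.

```python
from __future__ import annotations

import math
from dataclasses import dataclass
from typing import Optional

# Range-check limits stated in the LAR: trouble alarm below -5 % or above 105 % of span.
LOW_LIMIT_PCT = -5.0
HIGH_LIMIT_PCT = 105.0

# Assumed 4-20 mA instrument loop (the LAR does not state the loop current range).
ZERO_MA = 4.0
FULL_MA = 20.0


@dataclass(frozen=True)
class InputStatus:
    percent_span: Optional[float]  # None when no usable value exists (input failure)
    trouble: bool                  # True when the trouble alarm should be raised
    reason: str


def percent_of_span(milliamps: float) -> float:
    """Convert loop current to percent of instrument span (4 mA = 0 %, 20 mA = 100 %)."""
    return (milliamps - ZERO_MA) / (FULL_MA - ZERO_MA) * 100.0


def check_input(milliamps: Optional[float]) -> InputStatus:
    """Apply the PPS input range check to one sensor sample.

    A missing or non-finite sample is treated as an input failure (assumed form of
    failure detection; the LAR only states that input failures are detected).
    """
    if milliamps is None or not math.isfinite(milliamps):
        return InputStatus(None, True, "input failure")
    pct = percent_of_span(milliamps)
    if pct < LOW_LIMIT_PCT:
        return InputStatus(pct, True, "out-of-range low")
    if pct > HIGH_LIMIT_PCT:
        return InputStatus(pct, True, "out-of-range high")
    return InputStatus(pct, False, "normal")


def flow_percent_from_dp(dp_percent_span: float) -> float:
    """Square-root conversion of a differential-pressure signal to percent flow.

    Differential pressure below the transmitter zero is clamped to zero flow so a
    slightly negative (but still in-range) input cannot raise a math domain error.
    """
    return math.sqrt(max(dp_percent_span, 0.0) / 100.0) * 100.0


def channel_check(readings: dict[str, float], tolerance_pct: float = 2.0) -> list[str]:
    """Cross-compare redundant channels of one variable (IEEE 603 Clause 6.5.1, item 3).

    Returns the channels whose reading deviates from the median of the set by more
    than tolerance_pct. The tolerance is an assumed value, not one from the LAR.
    """
    values = sorted(readings.values())
    n = len(values)
    median = values[n // 2] if n % 2 else (values[n // 2 - 1] + values[n // 2]) / 2.0
    return sorted(ch for ch, v in readings.items() if abs(v - median) > tolerance_pct)


if __name__ == "__main__":
    # Constructed samples: healthy, below-zero drift, over-range, open loop.
    for sample in (12.0, 3.0, 21.0, None):
        print(sample, check_input(sample))
    print("25 % DP ->", flow_percent_from_dp(25.0), "% flow")
    print("deviating:", channel_check({"I": 50.0, "II": 50.5, "III": 49.8, "IV": 57.0}))
```

The median rather than the mean is used as the reference in the channel check so that one grossly failed channel does not drag the comparison point toward itself and mask its own deviation.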
a) Tricon-Based PPS Equipment The Tricon V10 Topical Report Submittal [13] does not provide additional information regarding conformance to Clause 6.5.
b) FPGA-Based ALS PPS Equipment Section 12.1.21 of the ALS Topical Report Submittal [15] describes the FPGA-based ALS PPS replacement equipment conformance to Clause 6.5 by stating that conformance is application specific. Conformance to Clause 6.5 is discussed above.
4.10.3.6 Clause 6.6 Operating Bypasses (Section D.9.4.3.6 of DI&C-ISG-06 [1])
IEEE 603-1991 [21], Clause 6.6 states:
Whenever the applicable permissive conditions are not met, a safety system shall automatically prevent the activation of an operating bypass or initiate the appropriate safety function(s). If plant conditions change so that an activated operating bypass is no longer permissible, the safety system shall accomplish one of the following actions:
- 1) Remove the appropriate active operating bypass(es).
- 2) Restore plant conditions so that permissive conditions once again exist.
- 3) Initiate the appropriate safety function(s).
The operating bypass design and conditions for the DCPP operating bypasses have not changed as a result of replacing the Eagle 21 digital PPS with the Tricon and ALS PPS.
Tricon and ALS develop the comparator outputs for the P14, P13, and P11 operating permissives which are sent to the SSPS where the interlocks are developed.
FSAR Table 7.3-3 [26] lists the operating bypasses for the ESF actuation system. This table shows the inputs and the functions performed for each of the interlocks. Likewise, FSAR Table 7.2-2 [26] lists the operating bypasses for the RTS. Interlock permissives P6, P7, P8, P9 and P10 are provided through the NIS and are independent of the PPS replacement.
Where operating requirements necessitate automatic or manual bypass of a protective function, the design is such that the bypass is removed automatically whenever permissive conditions for the bypass are not satisfied. Devices used to achieve automatic removal of the bypass of a protective function are considered part of the protective system and are designed accordingly. Indication is provided in the control room if some part of the protection system has been administratively bypassed or taken out of service.
If a protection channel has been bypassed for any purpose, a signal is provided to allow this condition to be continuously indicated in the control room. The design for the RTS and ESFAS operating bypasses satisfies IEEE 603 Clause 6.6 [21] requirements in that the operating bypasses shown in the two tables noted above are automatically removed when plant conditions require their removal and automatically restored when plant conditions require their restoration. The ability to initiate appropriate safety functions is available at all times.
a) Tricon-Based PPS Equipment Tricon documentation does not add any additional information pertaining to Clause 6.6.
b) FPGA-Based ALS PPS Equipment Section 12.1.22 of the ALS Topical Report Submittal [15] describes the FPGA-based replacement equipment conformance to Clause 6.6 by stating that conformance is application specific. Conformance with Clause 6.6 is discussed above.
4.10.3.7 Clause 6.7 Maintenance Bypass (Section D.9.4.3.7 of DI&C-ISG-06 [1])
IEEE Standard 603-1991 [21], Clause 6.7 states:
Capability of a safety system to accomplish its safety function shall be retained while sense and command features equipment is in maintenance bypass. During such operation, the sense and command features shall continue to meet the requirements of 5.1 and 6.3.
EXCEPTION: One-out-of-two portions of the sense and command features are not required to meet 5.1 and 6.3 when one portion is rendered inoperable, provided that acceptable reliability of equipment operation is otherwise demonstrated (that is, that the period allowed for removal from service for maintenance bypass is sufficiently short to have no significantly detrimental effect on overall sense and command features availability).
Clause 6.7 of IEEE 603-1991 [21] states that the capability of a safety system to accomplish its safety function shall be retained while sense and command features equipment is in maintenance bypass. Clause 6.7 further states that during such operation, the sense and command features shall continue to meet the requirements of Clauses 5.1 and 6.3, with the exception that one-out-of-two portions of the sense and command features are not required to meet Clauses 5.1 and 6.3 when one portion is rendered inoperable, provided that acceptable reliability of equipment operation is otherwise demonstrated (i.e., that the period allowed for removal from service for maintenance bypass is sufficiently short to have no significant detrimental effect on the overall sense and command features availability). SRP Chapter 7 [4], Appendix 7.1 C, Section 6.7, "Maintenance Bypass," provides acceptance criteria for IEEE 603-1991 Clause 6.7 [21]. This acceptance criterion states that provisions for this bypass need to be consistent with the required actions of the plant TS.
FSAR Section 7.2.2.2.1.7 [26] discusses testing in bypass and presents the normal method for removing channels for maintenance. Alternatively, administrative control allows, during channel testing, that the channel output be put in a trip condition that de-energizes (operates) the input relays in SSPS Train A and Train B cabinets. Of necessity this is done on only one channel at a time. Status lights and single channel trip alarms in the control room verify that the logic input relays have been de-energized and the channel outputs are in the trip mode. An exception to this is containment spray, which is energized to actuate two-out-of-four logic and reverts to two-out-of-three logic when one channel is in the maintenance bypass mode. Only one channel can be bypassed at any one time, i.e., bypass of two or more channels at the same time shall not be allowed as per DCPP TS [42].
For the PPS replacement, the configuration control for maintenance bypass is now through the Tricon and the ALS digital platforms. The Bypassed and Inoperable status indications in the control room have not been modified as a result of the PPS replacement and continue to meet the guidance provisions of RG 1.47 [105]. As before, a PPS channel can be placed in Bypass mode to facilitate maintenance activities.
Indication is provided in the control room whenever a PPS channel has been administratively bypassed for maintenance or taken out of service.
The PPS replacement is designed to permit an inoperable channel to be placed in a bypass condition for the purpose of troubleshooting or periodic test of a redundant channel. Use of the bypass mode disables the individual channel comparator trip circuitry, which forces the associated logic input relays to remain in the non-tripped state until the bypass is removed. If the PPS channel has been bypassed for any purpose, a signal is provided to allow this condition to be continuously indicated in the control room.
The DCPP FMEA, a Phase 2 deliverable, for the PPS Replacement Project assumes that one of the initial conditions is a PPS channel that is placed in the Bypass Mode.
This initial condition imposed on the FMEA determines the overall effect of an evaluated failure on the safety system's capability to perform the required safety functions in this non-conservative mode. The FMEA must show sufficient redundancy, independence and other required design fundamentals ensuring that the safety function can be performed even with a channel in the Bypass Mode.
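An added example, not part of the LAR or of the SSPS/PPS design, of the coincidence arithmetic that the maintenance-bypass discussion and the FMEA initial condition rely on: with one channel of a two-out-of-four function held non-tripped in bypass the remaining channels must satisfy two-out-of-three, with one channel placed in trip for testing they must satisfy one-out-of-three, and the TS limit of one bypassed channel is what keeps a single further failure tolerable. The channel names and the rejection of a test-trip request on an energize-to-actuate function are assumptions of the example.

```python
from __future__ import annotations

from enum import Enum


class ChannelState(Enum):
    NORMAL = "normal"        # comparator not tripped
    TRIP = "trip"            # comparator tripped on a real process demand
    BYPASS = "bypass"        # maintenance bypass: logic input relay held non-tripped
    TEST_TRIP = "test_trip"  # channel output forced to trip for testing


def ssps_actuates(channels: dict[str, ChannelState], required: int,
                  energize_to_actuate: bool = False) -> bool:
    """Coincidence vote for one protective function as the SSPS input relays see it.

    `required` is the coincidence (2 for two-out-of-four). A bypassed channel never
    contributes a trip. A TEST_TRIP channel counts as tripped for de-energize-to-trip
    functions; for energize-to-actuate functions (containment spray in the LAR) the
    channel is to be bypassed instead, so a TEST_TRIP request is rejected there
    (assumed handling, not stated in the LAR).
    """
    if energize_to_actuate and ChannelState.TEST_TRIP in channels.values():
        raise ValueError("energize-to-actuate function: place the channel in BYPASS, not TEST_TRIP")
    tripped = sum(1 for s in channels.values()
                  if s in (ChannelState.TRIP, ChannelState.TEST_TRIP))
    return tripped >= required


def enforce_single_bypass(channels: dict[str, ChannelState]) -> int:
    """TS constraint quoted in the LAR: at most one channel of a function in bypass."""
    bypassed = sum(1 for s in channels.values() if s is ChannelState.BYPASS)
    if bypassed > 1:
        raise ValueError(f"{bypassed} channels bypassed; TS allow only one at a time")
    return bypassed


def effective_logic(channels: dict[str, ChannelState], required: int) -> str:
    """Coincidence the remaining healthy channels must satisfy, e.g. '2-out-of-3'."""
    active = [s for s in channels.values() if s is not ChannelState.BYPASS]
    pre_tripped = sum(1 for s in active if s is ChannelState.TEST_TRIP)
    return f"{required - pre_tripped}-out-of-{len(active) - pre_tripped}"


def tolerates_single_failure(channels: dict[str, ChannelState], required: int) -> bool:
    """FMEA-style check with the given bypass pattern as the initial condition.

    For each non-bypassed channel, assume it fails in the non-tripped state while every
    other non-bypassed channel trips on a real demand; the function must still actuate.
    """
    active = [name for name, s in channels.items() if s is not ChannelState.BYPASS]
    for failed in active:
        demand = dict(channels)
        for name in active:
            demand[name] = ChannelState.NORMAL if name == failed else ChannelState.TRIP
        if not ssps_actuates(demand, required):
            return False
    return True


if __name__ == "__main__":
    # Constructed 2-out-of-4 function with channel III in maintenance bypass.
    channels = {"I": ChannelState.NORMAL, "II": ChannelState.NORMAL,
                "III": ChannelState.BYPASS, "IV": ChannelState.NORMAL}
    enforce_single_bypass(channels)
    print(effective_logic(channels, 2), "single failure tolerated:",
          tolerates_single_failure(channels, 2))
    channels["I"] = ChannelState.TEST_TRIP
    channels["III"] = ChannelState.NORMAL
    print(effective_logic(channels, 2))  # one channel in test trip: 1-out-of-3
```

Running `tolerates_single_failure` with two channels bypassed returns False, which is the condition the single-bypass TS restriction exists to prevent; `enforce_single_bypass` rejects that configuration before it is evaluated.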
a) Tricon-Based PPS Equipment The MWS supports maintenance activities, such as periodic maintenance, instrument loop testing, troubleshooting, etc. The MWS normally simply displays plant parameters, perhaps including division diagnostic information. Access to features beyond displaying data, such as the maintenance bypass, will be controlled using administrative and physical controls. During maintenance, the MWS would be used for injecting test values and modifying trip setpoints. These activities will be performed in accordance with site-specific administrative (procedural) and physical-access controls to set and/or change Tricon safety system parameters while the channel and protection loops are in bypass mode. Such procedures would require manipulation of the Tricon hardware out of service switch specific to a given instrument loop under test. These procedures are discussed in more detail in Section 4.2.4.5 of the LAR.
b) FPGA-Based ALS PPS Equipment Section 12.1.23 of the ALS Topical Report Submittal [15] describes the FPGA-based ALS PPS replacement equipment conformance to Clause 6.7.
Manual bypass switches are provided for each comparator output in the ALS as described in ALS System Design Specification [19], Section 3.3.4.2.
4.10.3.8 Clause 6.8 Setpoints (Section D.9.4.3.8 of DI&C-ISG-06 [1])
IEEE Standard 603-1991 [21], Clause 6.8 states:
The allowance for uncertainties between the process analytical limit documented in Section 4.4 and the device setpoint shall be determined using a documented methodology. Refer to ANSI/ISA S67.04-1987.
Where it is necessary to provide multiple setpoints for adequate protection for a particular mode of operation or set of operating conditions, the design shall provide positive means of ensuring that the more restrictive setpoint is used when required.
The devices used to prevent improper use of less restrictive setpoints shall be part of the sense and command features.
The current calculations of record for the Eagle 21 PPS, a digital-based protection system, are provided in Westinghouse WCAP-11082 [39]. These calculations are in the process of being revised, including input from RIS 2006-17 [40] and TSTF-493 R4 [41].
This current calculation revision process is to take into account implementation of the PPS replacement for the effect of replacing the Eagle 21 system with the Tricon and ALS equipment. The revised calculations are intended to confirm that there is adequate margin between the trip setpoints and the safety limits (and analytical limits) such that the system initiates protective actions before safety limits are exceeded. This is also to confirm that there is adequate margin between operating limits (or alarm limits) and trip setpoints such that there is a low probability for inadvertent actuation of the system.
Since the setpoint calculations already consider a digital-based protection system, there are not expected to be any Nominal Trip Setpoints or TS Allowable Values that need to be changed as a result of the PPS replacement. The total loop uncertainties are utilized in the safety analyses to ensure that the analyzed values are bounding and conservative. Table 4-10 provides the summary of the analytical limits, total loop uncertainties and current setpoints for the PPS. The values calculated for the new Tricon and ALS system will be provided to NRC in Phase 2 and compared with the results in Table 4-10 to ensure that the analyzed values are bounding and conservative.
The summary of the setpoint calculations will be provided to NRC as a Phase 2 submittal, as part of the required documents per DI&C-ISG-06 [1].
PG&E has previously committed to the NRC to submit a separate LAR for TSTF-493 [41]. The implementation of the as-found tolerance and as-left tolerance guidance from References [40] and [41] to all applicable TS setpoints will be addressed as part of the LAR for TSTF-493.
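An added example, not part of the LAR or of the WCAP-11082 calculations, that applies the margin check described above to the numeric rows of Table 4-10: the trip setpoint must lie on the safe side of the analytical limit by at least the total loop uncertainty, otherwise a channel reading at its worst-case error could let the process reach the limit before the trip. The trip direction assigned to each row, and the omission of the function-valued rows, the pressurizer level row (not used in the safety analysis) and the RCS loop ΔT row (limit and uncertainty in different units), are assumptions of this example; all numbers are as listed in the table.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class TripSetpoint:
    name: str
    analytical_limit: float  # limit assumed in the safety analysis
    tlu: float               # total loop uncertainty, in the units of the limit
    setpoint: float          # current nominal trip setpoint (TS value)
    direction: str           # "low": trips on decreasing process; "high": on increasing


def margin_to_analytical_limit(sp: TripSetpoint) -> float:
    """Distance from the setpoint to the analytical limit, measured in the direction
    the process must move to reach the limit; positive means the setpoint trips first."""
    if sp.direction == "low":
        return sp.setpoint - sp.analytical_limit
    if sp.direction == "high":
        return sp.analytical_limit - sp.setpoint
    raise ValueError(f"unknown trip direction {sp.direction!r}")


def setpoint_is_adequate(sp: TripSetpoint) -> bool:
    """The margin must at least cover the total loop uncertainty."""
    return margin_to_analytical_limit(sp) >= sp.tlu


def limiting_setpoint(sp: TripSetpoint) -> float:
    """Least conservative setpoint that still covers the TLU for this function."""
    if sp.direction == "low":
        return sp.analytical_limit + sp.tlu
    return sp.analytical_limit - sp.tlu


# Numeric rows of Table 4-10 as listed there (PSIG, % span, % flow).
# Trip directions are assumptions of this example, not values from the table.
TABLE_4_10 = [
    TripSetpoint("Pressurizer Pressure - Low, RT", 1845.0, 69.00, 1950.0, "low"),
    TripSetpoint("Pressurizer Pressure - High", 2445.0, 28.75, 2385.0, "high"),
    TripSetpoint("Loss of Flow", 85.0, 2.06, 90.0, "low"),
    TripSetpoint("Steam Generator Water Level - Low-Low", 0.0, 13.68, 15.0, "low"),
    TripSetpoint("Containment Pressure - High", 5.0, 1.32, 3.0, "high"),
    TripSetpoint("Containment Pressure - High-High", 24.7, 1.32, 22.0, "high"),
    TripSetpoint("Pressurizer Pressure - Low, SI", 1680.0, 114.75, 1850.0, "low"),
    TripSetpoint("Steamline Pressure - Low (Rosemount)", 444.0, 96.36, 600.0, "low"),
    TripSetpoint("Steamline Pressure - Low (Barton)", 444.0, 100.08, 600.0, "low"),
    TripSetpoint("Steam Generator Water Level - High-High", 98.78, 6.39, 90.0, "high"),
]


def check_table(rows: list[TripSetpoint] = TABLE_4_10) -> dict[str, bool]:
    """Adequacy verdict per trip function."""
    return {sp.name: setpoint_is_adequate(sp) for sp in rows}


if __name__ == "__main__":
    for sp in TABLE_4_10:
        print(f"{sp.name:42s} margin {margin_to_analytical_limit(sp):8.2f} "
              f"TLU {sp.tlu:7.2f} limiting {limiting_setpoint(sp):8.2f} "
              f"{'OK' if setpoint_is_adequate(sp) else 'INADEQUATE'}")
```

Every listed row passes; the `limiting_setpoint` column shows how much of the margin remains before a revised uncertainty for the Tricon and ALS loops would force a setpoint change, which is the comparison the Phase 2 submittal is meant to make.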
4.10.4 Clause 7 Execute Features (Section D.9.4.4 of DI&C-ISG-06 [1])
IEEE Standard 603-1991 [21], Clause 7 states (in part):
In addition to the functional and design requirements in Section 5, the following requirements shall apply to the execute features.
Sections 4.10.4.1 through 4.10.4.5 of this LAR discuss the execute features of the PPS replacement. These sections comply with and provide responses to IEEE 603-1991 [21] Clauses 7.1 through 7.5.
Table 4-10 Total Loop Uncertainty

Trip Function                           | Analytical Limit              | Total Loop Uncertainty             | Current DCPP TS Setpoint
Overtemperature ΔT                      | Function (Note 1)             | Function (Note 2) + 0.46% ΔT Span  | Function (Note 2)
Overpower ΔT                            | Function (Note 1)             | Function (Note 2) + 0.46% ΔT Span  | Function (Note 2)
Pressurizer Pressure - Low, RT          | 1845 PSIG                     | +/-2.3% (69.00 PSI)                | 1950 PSIG
Pressurizer Pressure - High             | 2445 PSIG                     | +/-2.3% (28.75 PSI)                | 2385 PSIG
Pressurizer Water Level - High          | Not used in Safety Analysis   | +9.12% Span                        | 90% Span
Loss of Flow                            | 85% Flow                      | +2.06% Span                        | 90% Flow
Steam Generator Water Level - Low-Low   | 0% Span                       | +/-13.68% Span                     | 15% Span
Containment Pressure - High             | 5 PSIG                        | +/-2.2% (+/-1.32 PSI)              | 3 PSIG
Containment Pressure - High-High        | 24.7 PSIG                     | +/-2.2% (+/-1.32 PSI)              | 22.0 PSIG
Pressurizer Pressure - Low, SI          | 1680 PSIG                     | +/-9.18% (+/-114.75 PSI)           | 1850 PSIG
Steamline Pressure - Low (Rosemount)    | 444.0 PSIG                    | +/-8.03% (+/-96.36 PSI)            | 600 PSIG
Steamline Pressure - Low (Barton)       | 444.0 PSIG                    | +/-8.34% (+/-100.08 PSI)           | 600 PSIG
Steam Generator Water Level - High-High | 98.78% Span                   | +/-6.39% Span                      | 90.0% Span
RCS Loop ΔT Equivalent to Power - ΔT    | 59% RTP                       | +/-3.13% ΔT Span                   | 50% RTP

Note 1: As noted in Figure 15.1-1 of the Updated FSAR
Note 2: As noted in Table 2.2-1 of DCPP TS

4.10.4.1 Clause 7.1 Automatic Control (Section D.9.4.4.1 of DI&C-ISG-06 [1])
IEEE Standard 603-1991 [21], Clause 7.1 states:
Capability shall be incorporated in the execute features to receive and act upon automatic control signals from the sense and command features consistent with 4.4 of the design basis.
IEEE Standard 603-1991 [21], Clause 4.4 states:
The variables or combinations of variables, or both, that are to be monitored to manually or automatically, or both, control each protective action; the analytical limit associated with each variable, the ranges (normal, abnormal, and accident conditions); and the rates of change of these variables to be accommodated until proper completion of the protective action is ensured.
The PPS conforms with Clause 7.1 as discussed below:
The PPS performs sense and command functions by providing trip and actuation signals to the SSPS for use by the RTS and ESFAS. PPS protection outputs provide ON/OFF (partial trip) signals to the two trains of the SSPS whenever measured parameters indicate that safety limits are being approached (a pre-established setpoint is exceeded). The SSPS initiates a RT or actuates ESFAS when the requisite number of PPS channels have tripped (the designed coincidence logic is satisfied).
Thus, execute features of the overall DCPP RPS are performed by the existing SSPS illustrated in Figure 4-1 of this LAR and the before and after PPS replacement depictions in Figure 4-2 and Figure 4-3, respectively. The SSPS and the functions it performs are described in Section 4.1 of this LAR.
RT, once initiated either automatically or manually, proceeds to completion because the mechanical action of the RT circuit breakers (also shown in Figures 4-2 and 4-3) requires an external electrical reset command to reclose the breakers. The ESFAS functions described in Section 4.1 proceed to completion because the output signals from the SSPS are electrically latched and seal in on command. These signals also require a manual operator action to unlatch them. In addition, the SI signal has a timer that prevents manual reset by the operator for 30 seconds following SI actuation to ensure the SI proceeds to completion.
The above execute features and functions are not affected by the PPS replacement, as illustrated in Figure 4-2 of this LAR.
4.10.4.2 Clause 7.2 Manual Control (Section D.9.4.4.2 of DI&C-ISG-06 [1])
IEEE Standard 603-1991 [21], Clause 7.2 states:
If manual control of any actuated component in the execute features is provided, the additional design features in the execute features necessary to accomplish such manual control shall not defeat the requirements of 5.1 and 6.2. Capability shall be provided in the execute features to receive and act upon manual control signals from the sense and command features consistent with the design basis.
The PPS replacement conforms to Clause 7.2 as discussed in the IEEE Standard 603 Clause 6.2 response in Section 4.10.3.2 of this LAR.
4.10.4.3 Clause 7.3 Completion of Protective Action (Section D.9.4.4.3 of DI&C-ISG-06 [1])
IEEE Standard 603-1991 [21], Clause 7.3 states:
The design of the execute features shall be such that once initiated, the protective actions of the execute features shall go to completion. This requirement shall not preclude the use of equipment protective devices identified in 4.11 of the design basis or the provision for deliberate operator interventions. When the sense and command features reset, the execute features shall not automatically return to normal; they shall require separate, deliberate operator action to be returned to normal. After the initial protective action has gone to completion, the execute features may require manual control or automatic control (that is, cycling) of specific equipment to maintain completion of the safety function.
Clause 7.3 requires that the design of the execute features be such that once initiated, the protective actions of the execute features shall go to completion. However, this requirement does not preclude the use of equipment protective devices identified in Clause 4.11 of the design basis or the provision for deliberate operator interventions.
Additionally, when the sense and command features reset, the execute features shall not automatically return to normal, but shall need separate, deliberate operator action to be returned to normal.
All execute features are performed by the SSPS. The execute features of the plant protection system are not changed. The SSPS is not being revised as part of the PPS Replacement Project and its functionality remains the same. RT and ESFAS actuation protection functions are not changed or modified by the PPS Replacement Project.
The PPS monitors plant parameters and sends partial trip/actuation signals to the SSPS when predetermined setpoints are exceeded. The SSPS provides sealed-in RT or ESFAS actuation signals when the coincidence logic for a particular trip/actuation function is satisfied. The SSPS does not require manual intervention or acknowledgement of actuation commands to complete a protective function. The SSPS RT or ESFAS actuation signal requires manual action to reset following completion of the protective action and only after the PPS initiating signals have reset.
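As an added illustration of the behaviour described in Sections 4.10.4.1 and 4.10.4.3 (a model written for this page, not SSPS logic or any vendor code), the Python class below takes ON/OFF partial trips, actuates when a coincidence of tripped channels is met (2-of-4 is assumed here; the LAR says only "the requisite number"), holds the output sealed in after the inputs clear, and honours a manual reset only after the initiating signals have reset and, for SI, after the 30-second timer has expired. SealedInTrain and si_scenario are the example's own names.

```python
"""Added example: model of completion-of-protective-action behaviour.

Rules modelled (from LAR Sections 4.10.4.1 and 4.10.4.3):
  * PPS channels feed ON/OFF partial trips; the train actuates when the
    coincidence logic is satisfied (2-of-4 is an assumption of this model).
  * Once actuated the output is sealed in: it does not drop out when the
    partial trips clear.
  * Manual reset is accepted only after the initiating signals have reset
    and, for SI, only after a 30 s lockout following actuation.
"""
from typing import Dict, Optional


class SealedInTrain:
    def __init__(self, name: str, channels: int = 4, coincidence: int = 2,
                 reset_lockout_s: float = 0.0) -> None:
        self.name = name
        self.coincidence = coincidence
        self.reset_lockout_s = reset_lockout_s
        self.partial_trips = [False] * channels   # one ON/OFF input per PPS channel
        self.actuated = False                     # sealed-in output state
        self.actuated_at: Optional[float] = None  # time of actuation, for the lockout

    def initiating_signal(self) -> bool:
        """Coincidence logic over the PPS partial-trip inputs."""
        return sum(self.partial_trips) >= self.coincidence

    def set_partial_trip(self, channel: int, tripped: bool, now: float) -> bool:
        """Update one channel input and re-evaluate; returns the output state."""
        self.partial_trips[channel] = tripped
        if self.initiating_signal() and not self.actuated:
            self.actuated = True
            self.actuated_at = now
        # Deliberately no branch that clears the output: inputs clearing never
        # returns the execute feature to normal on its own.
        return self.actuated

    def manual_reset(self, now: float) -> bool:
        """Operator reset request; True only if the reset is accepted."""
        if not self.actuated:
            return False
        if self.initiating_signal():
            return False            # initiating signals must reset first
        assert self.actuated_at is not None
        if now - self.actuated_at < self.reset_lockout_s:
            return False            # SI 30 s timer still running
        self.actuated = False
        self.actuated_at = None
        return True


def si_scenario() -> Dict[str, bool]:
    """Walk an SI train through trip, seal-in, lockout and reset."""
    si = SealedInTrain("SI", channels=4, coincidence=2, reset_lockout_s=30.0)
    log: Dict[str, bool] = {}
    log["one channel tripped -> actuated"] = si.set_partial_trip(0, True, now=0.0)
    log["second channel tripped -> actuated"] = si.set_partial_trip(2, True, now=1.0)
    log["reset while inputs still tripped"] = si.manual_reset(now=2.0)
    si.set_partial_trip(0, False, now=5.0)
    log["inputs cleared -> still actuated"] = si.set_partial_trip(2, False, now=5.0)
    log["reset at t=10 s (inside lockout)"] = si.manual_reset(now=10.0)
    log["reset at t=31 s"] = si.manual_reset(now=31.0)
    log["after reset -> actuated"] = si.actuated
    return log


if __name__ == "__main__":
    for step, state in si_scenario().items():
        print(f"{step:40s} {state}")
```

The two refusals in manual_reset are the properties worth testing in any execute-feature model: a reset attempted while the initiating signal persists, and one attempted inside the lockout window, must both leave the output sealed in.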
4.10.4.4 Clause 7.4 Operating Bypasses (Section D.9.4.4.4 of DI&C-ISG-06 [1])
IEEE Standard 603-1991 [21], Clause 7.4 states:
Whenever the applicable conditions are not met, a safety system shall automatically prevent the activation of an operating bypass or initiate the appropriate safety function(s). If plant conditions change so that an activated operating bypass is no longer permissible, the safety system shall automatically accomplish one of the following actions:
Remove the appropriate active operating bypass(es).
Restore plant conditions so that permissive conditions once again exist.
Initiate the appropriate safety function(s).
The requirements of IEEE Standard 603-1991 Clause 7.4 [21] require that if applicable conditions are not met, a safety system must automatically prevent the activation of an operating bypass or initiate the appropriate safety function, and if plant conditions change so that an activated operating bypass is no longer permissible, the safety system must either remove the appropriate active operating bypass, restore plant conditions so that the permissive conditions once again exist, or initiate the appropriate safety function(s). This is the same as the requirements of Clause 6.6 [21], except that the requirements apply to the execute features and not to the sense and command features.
The operating bypasses are performed by the SSPS and are not performed by the PPS.
The existing SSPS operating bypass functions are maintained with the Tricon and ALS PPS replacement. They are automatically removed when plant conditions change to an operating mode in which protective actions are required to be operable so that a design basis event can be mitigated.
4.10.4.5 Clause 7.5 Maintenance Bypass (Section D.9.4.4.5 of DI&C-ISG-06 [1])
IEEE Standard 603-1991 [21], Clause 7.5 states:
The capability of a safety system to accomplish its safety function shall be retained while execute features equipment is in maintenance bypass. Portions of the execute features with a degree of redundancy of one shall be designed such that when a portion is placed in maintenance bypass (that is, reducing temporarily its degree of redundancy to zero), the remaining portions provide acceptable reliability.
Clause 7.5 of IEEE 603-1991 [21] states that the capability of a safety system to accomplish its safety function shall be retained while execute features equipment is in maintenance bypass. Furthermore, it provides for the acceptability of reducing redundancy to zero if the reliability of the execute features equipment is acceptable and reliability of equipment operation is otherwise demonstrated (i.e., the period allowed for removal from service for maintenance bypass is sufficiently short to have no significant detrimental effect on the overall execute features availability). SRP Chapter 7, Appendix 7.1-C, Section 7.5 [4], "Maintenance Bypass," provides acceptance criteria for IEEE 603-1991 Clause 7.5 [21]. This acceptance criterion states that provisions for this bypass need to be consistent with the required actions of the plant TS.
The execute features and maintenance bypass functions are performed by the SSPS and are not being revised as part of the PPS Replacement Project. The Tricon and ALS PPS replacement only impacts the command features. The DCPP safety systems are still capable of accomplishing their safety functions when the execute features equipment is in bypass. The maintenance bypass features remain consistent with the required actions of the existing DCPP TS.
a) Tricon-Based PPS Equipment
There is no impact by the Tricon on the separate SSPS bypass functions.
There are no communications switches in the architecture and there is no direct access to safety-related Protection Set communications from outside the Protection Set.
b) FPGA-Based ALS PPS Equipment
There is no impact by the ALS on the separate SSPS bypass functions.
4.10.5 Clause 8 Power Source (Section D.9.4.5 of DI&C-ISG-06 [1])
DI&C-ISG-06 [1], Section D.9.4.5 states:
Clause 8 provides the requirements for the power sources supporting the digital I&C system. Clause 8 requires that those portions of the Class 1E power system that are needed to provide the power to the many facets of the safety system are governed by the criteria of IEEE Std 603-1991 and are considered a portion of the safety systems.
Clauses 8.1 and 8.2 apply the requirements of IEEE Std 603-1991 to electrical and non-electrical power sources, respectively.
Clause 8.3 requires that the capability of the safety system to accomplish its safety function be retained when the power source is in maintenance bypass. Additionally, portions of the power sources with a degree of redundancy of one shall be designed such that when a portion is placed in maintenance bypass, the remaining portions provide acceptable reliability.
4.10.5.1 Clause 8.1, Electrical Power Sources
IEEE Standard 603-1991 [21], Clause 8.1 states:
Those portions of the Class 1E power system that are required to provide the power to the many facets of the safety system are governed by the criteria of this document and are a portion of the safety systems. Specific criteria unique to the Class 1E power systems are given in IEEE Std 308-1980.
DCPP is currently committed to IEEE 308-1971 per Section 7.1.2.4 et al. of the FSAR [26]. The PPS Replacement Project will conform to IEEE-308-1980 for the replacement scope only, as shown in the shaded portion of Figure 4-3.
The PPS replacement utilizes the existing Class 1E power sources provided for use by the Eagle 21 PPS without change. Each PPS replacement Protection Set is powered from a separate 120 V AC vital bus via a Class 1E uninterruptible power supply, as stated in Section 3.1.1.4 of the PPS FRS [28]. DCPP Class 1E power sources are implemented as stated in Section 8.1.1.4 of the DCPP FSAR [26].
Class 1E power sources used by safety systems actuated by signals generated from the PPS replacement are not affected by the PPS Replacement Project.
4.10.5.2 Clause 8.2, Non-Electrical Power Sources
IEEE Standard 603-1991 [21], Clause 8.2 states:
Non-electrical power sources, such as control-air systems, bottled-gas systems, and hydraulic systems, required to provide the power to the safety systems are a portion of the safety systems and shall provide power consistent with the requirements of this standard. Specific criteria unique to non-electrical power sources are outside the scope of this standard and can be found in other standards.
The PPS replacement does not rely on non-electrical power sources for performance of its safety related functions. The PPS replacement does not affect any non-electrical power source used by any safety system that is actuated based on signals generated by the PPS replacement in a manner different from the existing Eagle 21 PPS (e.g., PORV and Main Steam Isolation Valve actuator bottled gas backup systems).
4.10.5.3 Clause 8.3, Maintenance Bypass
IEEE Standard 603-1991 [21], Clause 8.3 states:
The capability of the safety systems to accomplish their safety functions shall be retained while power sources are in maintenance bypass. Portions of the power sources with a degree of redundancy of one shall be designed such that when a portion is placed in maintenance bypass (that is, reducing temporarily its degree of redundancy to zero), the remaining portions provide acceptable reliability.
The PPS replacement is required to be operational in all modes as specified in the DCPP TS [42]. In order to satisfy TS requirements, safety related power must be maintained to the PPS replacement when it is required to be operational.
The redundant power sources to the replacement PPS have not changed. If an external power source for a safety-related Protection Set (or division) fails, the remaining safety-related Protection Sets (divisions) will ensure that the safety system remains capable of performing the assigned safety function.
Additional redundancy to assure reliability is provided within the Protection Sets as described below.
a) Tricon-Based PPS Equipment
Version 10 Tricon chassis power supplies are qualified Class 1E power modules. Each chassis has two redundant chassis power supplies that can be supplied from separate redundant external power sources. Each chassis power supply is capable of supplying full chassis load in the event of failure (or bypass) of the other power supply. See Section 2.1.2.5 of the Tricon Version 10 Topical Report Submittal [13].
b) FPGA-Based ALS PPS Equipment
Section 12.1.30 of the ALS Topical Report Submittal [15] describes the FPGA-based ALS PPS replacement equipment conformance to Clause 8.0.
4.11 Conformance with IEEE Standard 7-4.3.2 (Section D.10 of DI&C-ISG-06 [1])
The PPS replacement is a digital system replacement for the digital Eagle 21 PPS. As such, it requires conformance with RG 1.152 [45] which endorses IEEE Standard 7-4.3.2 [80]. Compliance with IEEE Standard 7-4.3.2 [80] is discussed in the following Sections.
4.11.1 Clause 5 System (Section D.10.4.2 of DI&C-ISG-06 [1])
IEEE Standard 7-4.3.2-2003 [80], Clause 5 states:
The following subclauses list the safety system criteria in the order they are listed in IEEE Std 603-1998. For some criteria, there are no additional requirements beyond what is stated in IEEE Std 603-1998. For other criteria, additional requirements are described in 5.1 through 5.15.
LAR Section 4.11.1 provides the PPS replacement conformance with IEEE Standard 7-4.3.2-2003 [80] Clauses 5.1 through 5.15.
IEEE Standard 7-4.3.2-2003 [80], Clause 5.1, Single-Failure Criterion, states:
No requirements beyond IEEE Std 603-1998 are necessary (see also Annex B).
LAR Section 4.10.2.1 addresses the issues associated with Clause 5.1.
IEEE Standard 7-4.3.2-2003 [80], Clause 5.2, Completion of Protection Action, states:
No requirements beyond IEEE Std 603-1998 are necessary.
LAR Section 4.10.2.2 addresses the issues associated with Clause 5.2.
4.11.1.1 Clause 5.3 Quality (Section D.10.4.2.3 of DI&C-ISG-06 [1])
IEEE Standard 7-4.3.2-2003 [80], Clause 5.3 states:
Hardware quality is addressed in IEEE Std 603-1998. Software quality is addressed in IEEE/EIA Std 12207.0-1996 and supporting standards. Computer development activities shall include the development of computer hardware and software. The integration of the computer hardware and software and the integration of the computer with the safety system shall be addressed in the development process.
A typical computer system development process consists of the following life cycle processes:
- Creating the conceptual design of the system, translation of the concepts into specific system requirements
- Using the requirements to develop a detailed system design
- Implementing the design into hardware and software functions
- Testing the functions to assure the requirements have been correctly implemented
- Installing the system and performing site acceptance testing
- Operating and maintaining the system
- Retiring the system
In addition to the requirements of IEEE Std 603-1998, the following activities necessitate additional requirements that are necessary to meet the quality criterion:
- Software development
- Qualification of existing commercial computers (see 5.4.2)
- Use of software tools
- Verification and validation
- Configuration management
- Risk management
LAR Sections 4.11.1.1.1 through 4.11.1.1.6 address the issues associated with Criterion 5.3.
a) Tricon-Based PPS Equipment
Triconex software development and system integrity were evaluated and accepted by the NRC in the Tricon V9 SER [11]. Tricon V10 software quality conformance with Clause 5.3 is described in the V10 Topical Report Submittal [13].
b) FPGA-Based ALS PPS Equipment
Section 12.2.4 of the ALS Topical Report Submittal [15] describes the FPGA-based ALS PPS replacement equipment conformance to Clause 5.3.
4.11.1.1.1 Clause 5.3.1 Software Development (Section D.10.4.2.3.1 of DI&C-ISG-06 [1])
IEEE Standard 7-4.3.2-2003 [76] Clause 5.3.1 states:
Computer software shall be developed, modified, or accepted in accordance with an approved software quality assurance (QA) plan consistent with the requirements of IEEE/EIA 12207.0-1996. The software QA plan shall address all software that is resident on the computer at run time (i.e., application software, network software, interfaces, operating systems, and diagnostics). Guidance for developing software QA plans can be found in IEC 60880 (1986-09) [B4] and IEEE Std 730-1998 [B8].
IEEE Standard 7-4.3.2-2003 [76] Clause 5.3.1.1 states:
The use of software quality metrics shall be considered throughout the software life cycle to assess whether software quality requirements are being met. When software quality metrics are used, the following life cycle phase characteristics should be considered:
- Correctness/Completeness (Requirements phase)
- Compliance with requirements (Design phase)
- Compliance with design (Implementation phase)
- Functional compliance with requirements (Test and Integration phase)
- On-site functional compliance with requirements (Installation and Checkout phase)
- Performance history (Operation and Maintenance phase)
The basis for the metrics selected to evaluate software quality characteristics should be included in the software development documentation. IEEE Std 1061-1998 [B11] provides a methodology for the application of software quality metrics.
Section 4.5 of this Enclosure provides a complete description of the Software Development Process for the PPS Replacement Project.
The DCPP SyQAP for the PPS Replacement Project [52] establishes the goals, processes, and responsibilities required to implement effective software quality management for the PPS system software at DCPP.
a) Tricon-Based PPS Equipment
The Software QAP 993754-1-801 [71] establishes the activities to be followed in the design, development, review, and testing of the PPS replacement. Additional details on the Triconex software development process are included in Section 4.5 of this Enclosure.
b) FPGA-Based ALS PPS Equipment
The 6002-00001 ALS QA Plan [63] establishes the techniques, procedures, and methodologies to be followed in the design, development, review, and testing of the PPS replacement. Additional details on the ALS software development process are included in Section 4.5 of this Enclosure.
4.11.1.1.2 Clause 5.3.2 Software Tools (Section D.10.4.2.3.2 of DI&C-ISG-06 [1])
IEEE Standard 7-4.3.2-2003 [76], Clause 5.3.2 states:
Software tools used to support software development processes and verification and validation (V&V) processes shall be controlled under configuration management. One or both of the following methods shall be used to confirm the software tools are suitable for use:
a) A test tool validation program shall be developed to provide confidence that the necessary features of the software tool function as required.
b) The software tool shall be used in a manner such that defects not detected by the software tool will be detected by V&V activities.
Tool operating experience may be used to provide additional confidence in the suitability of a tool, particularly when evaluating the potential for undetected defects.
a) Tricon-Based PPS Equipment
Section 2.3.3 of the Tricon V10 Topical Report Submittal [13] discusses the TUV-Rheinland hardware and software evaluation of V10.2.1. This evaluation included the application development tools software, TriStation 1131. In addition to the TriStation 1131, Triconex utilizes a validation tool which was developed under the Triconex 10CFR50 Appendix B QA program, called the Emulator Test Driver, which is addressed in the Triconex SQAP [71].
b) FPGA-Based ALS PPS Equipment
Section 12.2.7 of CSI document No. 6002-00301 ALS Topical Report Submittal [15] discusses the software tools used to support the development processes and V&V processes for the ALS platform.
The CSI tool assessment and qualification is performed using the CSI document No. 6002-00030 ALS Design Tools [126].
4.11.1.1.3 Clause 5.3.3 Verification and Validation (Section D.10.4.2.3.3 of DI&C-ISG-06 [1])
IEEE Standard 7-4.3.2-2003 [80], Clause 5.3.3 states:
NOTE: See IEEE Std 1012-1998 and IEEE Std 1012a-1998 [B10] for more information about software V&V.
V&V is an extension of the program management and systems engineering team activities. V&V is used to identify objective data and conclusions (i.e., proactive feedback) about digital system quality, performance, and development process compliance throughout the system life cycle. Feedback consists of anomaly reports, performance improvements, and quality improvements regarding the expected operating conditions across the full spectrum of the system and its interfaces.
V&V processes are used to determine whether the development products of an activity conform to the requirements of that activity, and whether the system performs according to its intended use and user needs. This determination of suitability includes assessment, analysis, evaluation, review, inspection, and testing of products and processes.
This standard adopts the IEEE Std 1012-1998 terminology of process, activity and task, in which software V&V processes are subdivided into activities, which are further subdivided into tasks. The term V&V effort is used to reference this framework of V&V processes, activities, and tasks.
V&V processes shall address the computer hardware and software integration of the digital system components, and the interaction of the resulting computer system with the nuclear power plant.
The V&V activities and tasks shall include system testing of the final integrated hardware, software, firmware, and interfaces.
The software V&V effort shall be performed in accordance with IEEE Std 1012-1998.
The IEEE Std 1012-1998 V&V requirements for the highest integrity level (level 4) apply to systems developed using this Std (i.e., IEEE Std 7-4.3.2). See IEEE Std 1012-1998 Annex B for a definition of integrity level 4 software.
In following the LAR format recommended in DI&C-ISG-06 [1], this subject is addressed in Section 4.5.6 of this Enclosure.
4.11.1.1.4 Clause 5.3.4 Independent V&V (IV&V) (Section D.10.4.2.3.4 of DI&C-ISG-06 [1])
IEEE Standard 7-4.3.2-2003 [80], Clause 5.3.4 states:
The previous section addresses the V&V activities to be performed. This section defines the levels of independence required for the V&V effort. IV&V activities are defined by three parameters: technical independence, managerial independence, and financial independence. These parameters are described in Annex C of IEEE Std 1012-1998.
The development activities and tests shall be verified and validated by individuals or groups with appropriate technical competence, other than those who developed the original design.
Oversight of the IV&V effort shall be vested in an organization separate from the development and program management organizations. The V&V effort shall independently select:
a) The segments of the software and system to be analyzed and tested,
b) The V&V techniques, and
c) The technical issues and problems upon which to act.
The V&V effort shall be allocated resources that are independent of the development resources.
See Annex C of IEEE Std 1012-1998 for additional guidance.
In following the LAR format recommended in DI&C-ISG-06 [1], this subject is addressed in Section 4.5.6 of this Enclosure. Additional information is provided here to address the organizational alignment of each vendor for complying with IEEE Standard 7-4.3.2-2003 [80], Clause 5.3.4 and BTP-7-14 [4].
a) Tricon-Based PPS Equipment
Section 2.3.3 of the Tricon V10 Topical Report Submittal [13] provides an overview of the Software V&V Process for the Tricon. For the PPS replacement, the project-specific IOM SVVP, Section 4 [73], describes the independence of software V&V activities for the software development cycle, including the organizational chart showing the different reporting chain of command for V&V functions from that of the design functions for the project. This supports technical, managerial and financial independence, which are critical criteria in establishing the basis for independence. The V&V team is made up of personnel who are not involved in the development of the software and are sufficiently proficient in software engineering to ensure that software V&V is adequately implemented. The independent verifiers are also knowledgeable regarding nuclear safety applications. The V&V team reports to the IOM Nuclear IV&V Director, who reports directly to the IOM Senior Vice President of Delivery and indirectly to IOM Quality Management.
b) FPGA-Based ALS PPS Equipment
Section 6.3 of the ALS Topical Report Submittal [15] provides an overview of the Software Verification and Validation process for the ALS. V&V activities are performed in a bottom-up fashion that progresses from the FPGA digital logic programming level, to the board level, and then up to the system level. The IV&V team is independent in management, schedule and finance. The specific guidance for V&V of the DCPP PPS Replacement Project is included in Reference [54], including roles and responsibilities for assigned personnel.
4.11.1.1.5 Clause 5.3.5 Software Configuration Management (Section D.10.4.2.3.5 of DI&C-ISG-06 [1])
IEEE Standard 7-4.3.2-2003 [80], Clause 5.3.5 states:
Software configuration management shall be performed in accordance with IEEE Std 1042-1987. IEEE Std 828-1998 provides guidance for the development of software configuration management plans.
The minimum set of activities shall address the following:
a) Identification and control of all software designs and code
b) Identification and control of all software design functional data (e.g., data templates and data bases)
c) Identification and control of all software design interfaces
d) Control of all software design changes
e) Control of software documentation (user, operating, and maintenance documentation)
f) Control of software vendor development activities for the supplied safety system software
g) Control and retrieval of qualification information associated with software designs and code
h) Software configuration audits
i) Status accounting
Some of these functions or documents may be performed or controlled by other QA activities. In this case, the software configuration management plan shall describe the division of responsibility.
A software baseline shall be established at appropriate points in the software life cycle process to synchronize engineering and documentation activities. Approved changes that are created subsequent to a baseline shall be added to the baseline.
The labeling of the software for configuration control shall include unique identification of each configuration item, and revision and/or date time stamps for each configuration item.
Changes to the software/firmware shall be formally documented and approved consistent with the software configuration management plan. The documentation shall include the reason for the change, identification of the affected software/firmware, and the impact of the change on the system. Additionally, the documentation should include the plan for implementing the change in the system (e.g., immediately implementing the change, or scheduling the change for a future version).
In following the LAR format recommended in DI&C-ISG-06 [1], this subject is addressed in Section 4.5.7 of this Enclosure.
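The following is an added example, not the project's SCM tooling or any document referenced in the LAR: a minimal Python model of the Clause 5.3.5 elements quoted above, namely uniquely identified configuration items with revision and date/time stamps, a baseline of content digests, a change record that must carry the reason, affected items, impact and implementation plan before it is applied, and a configuration audit that reports drift from the baseline. All item identifiers (PPS-APP-001 and so on), contents and dates are constructed placeholders; ConfigItem, establish_baseline, ChangeRecord, apply_change and audit are the example's own names.

```python
"""Added example: software configuration baseline, change record and audit.

Illustrative model of IEEE 7-4.3.2 Clause 5.3.5 elements; not the project's
SCM tooling. Identifiers, contents and dates are constructed placeholders.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ConfigItem:
    """One configuration item: unique id, revision, time stamp and content."""
    item_id: str       # unique identifier (constructed placeholder in the demo)
    revision: str
    timestamp: str     # ISO-8601 date/time stamp of this revision
    content: bytes     # load image or source as installed (constructed)

    def digest(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


Baseline = Dict[str, dict]


def establish_baseline(items: List[ConfigItem]) -> Baseline:
    """Freeze id -> {revision, timestamp, sha256} for every baselined item."""
    ids = [i.item_id for i in items]
    if len(set(ids)) != len(ids):
        raise ValueError("configuration item identifiers must be unique")
    return {i.item_id: {"revision": i.revision, "timestamp": i.timestamp,
                        "sha256": i.digest()} for i in items}


@dataclass
class ChangeRecord:
    """Documentation a change must carry before it is folded into the baseline."""
    reason: str
    affected: List[ConfigItem]   # the new revisions of the affected items
    impact: str
    plan: str = "implement immediately"
    approved: bool = False

    def is_complete(self) -> bool:
        return bool(self.reason and self.affected and self.impact and self.plan)


def apply_change(baseline: Baseline, change: ChangeRecord) -> Baseline:
    """Return a new baseline with an approved, fully documented change added."""
    if not change.is_complete():
        raise ValueError("change record lacks reason, affected items, impact or plan")
    if not change.approved:
        raise PermissionError("change has not been approved")
    new = dict(baseline)
    for item in change.affected:
        if item.item_id not in baseline:
            raise KeyError(f"{item.item_id} is not a baselined item")
        if item.revision == baseline[item.item_id]["revision"]:
            raise ValueError(f"{item.item_id}: content changed without a new revision")
        new[item.item_id] = {"revision": item.revision, "timestamp": item.timestamp,
                             "sha256": item.digest()}
    return new


def audit(baseline: Baseline, installed: List[ConfigItem]) -> List[str]:
    """Configuration audit: findings for content drift, relabelled, extra or missing items."""
    findings, seen = [], set()
    for item in installed:
        seen.add(item.item_id)
        ref = baseline.get(item.item_id)
        if ref is None:
            findings.append(f"{item.item_id}: installed but not in baseline")
        elif ref["sha256"] != item.digest():
            findings.append(f"{item.item_id}: content differs from baseline")
        elif ref["revision"] != item.revision:
            findings.append(f"{item.item_id}: revision label differs from baseline")
    for missing in set(baseline) - seen:
        findings.append(f"{missing}: baselined item not installed")
    return sorted(findings)


if __name__ == "__main__":
    app = ConfigItem("PPS-APP-001", "1.0", "2011-01-01T00:00:00Z", b"trip logic v1")
    rt = ConfigItem("PPS-RT-001", "3.2", "2011-01-01T00:00:00Z", b"runtime image")
    base = establish_baseline([app, rt])
    print("clean audit:", audit(base, [app, rt]))
    patched = ConfigItem("PPS-APP-001", "1.0", app.timestamp, b"trip logic v1 (edited)")
    print("drift:", audit(base, [patched, rt]))
```

The audit compares digests before revision labels on purpose: a relabelled item with unchanged content is a paperwork finding, whereas changed content under an unchanged label is the case that matters for the installed safety software.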
4.11.1.1.6 Clause 5.3.6 Software Project Risk Management (Section D.10.4.2.3.6 of DI&C-ISG-06 [1])
IEEE Standard 7-4.3.2-2003 [80], Clause 5.3.6 states:
Software project risk management is a tool for problem prevention: identifying potential problems, assessing their impact, and determining which potential problems must be addressed to assure that software quality goals are achieved. Risk management shall be performed at all levels of the digital system project to provide adequate coverage for each potential problem area. Software project risks may include technical, schedule, or resource-related risks that could compromise software quality goals, and thereby affect the ability of the safety computer system to perform safety related functions. Software project risk management differs from hazard analysis, as defined in 3.1.31, in that hazard analysis is focused solely on the technical aspects of system failure mechanisms.
Risk management shall include the following steps:
a) Determine the scope of risk management to be performed for the digital system.
b) Define and implement appropriate risk management strategies.
c) Identify risks to the software project in the project risk management strategy and as they develop during the conduct of the project.
d) Analyze risks to determine the priority for their mitigation.
e) Develop risk mitigation plans for risks that have the potential to significantly impact software quality goals, with appropriate metrics for tracking resolution progress. (These risks may include technical, schedule, or resource-related project risks that could compromise the ability of the safety computer system to perform safety related functions.)
f) Take corrective actions when expected quality is not achieved.
g) Establish a project environment that supports effective communications between individuals and groups for the resolution of software project risks.
Additional guidance on the topic of risk management is provided in IEEE/EIA 12207.0-1996, and IEEE Std 1540-2001.
In following the LAR format recommended by DI&C-ISG-06 [1], this subject is addressed in Section 4.5.1 of this Enclosure. Additional information is provided here to address organizational alignment for each vendor in complying with IEEE Standard 7-4.3.2-2003 [80], Clause 5.3.6 and BTP-7-14 [4].
a) Triconex-Based PPS Equipment
Triconex uses a standardized project management process to assess risks, as described in Sections 3.4 and 3.5 of the Triconex DCPP Software PMP [69]. This methodology is used to identify, assess, monitor, and control areas of risk that arise during the software development project. In the course of project execution, the project risks are monitored, and the current assessment is reviewed to determine if it needs to be modified.
b) FPGA-Based ALS Equipment
As described in Reference [15], Section 12, risk management for the ALS platform is a part of the SDP. This is included as part of the Life Cycle and is documented in the ALS Management Plan [59]. The ALS Life Cycle Management Process is described in Section 6 of the ALS Management Plan [59].
4.11.1.2 Clause 5.4 Equipment Qualification (Section D.10.4.2.4 of DI&C-ISG-06 [1])
IEEE Standard 7-4.3.2-2003 [80], Clause 5.4 states:
In addition to the equipment qualification criteria provided in IEEE Std 603-1998, the requirements listed in 5.4.1 and 5.4.2 are necessary to qualify digital computers for use in safety systems.
IEEE Standard 7-4.3.2 [80] Clauses 5.4.1 and 5.4.2 address computer system testing and qualification of existing commercial computers, respectively. Computer system qualification testing is discussed in Section 4.5 of this enclosure.
A multi-level test program is used to ensure quality in the hardware and software products. The testing addresses the hardware and software used, from input to output terminals. The testing also includes the MWS and the ASU. The overall qualification testing includes the following, as described in Section 4.11.1.2.1:
- Component Testing
- Qualification Testing
- Development Testing
PPS replacement equipment qualification testing for both the Tricon and ALS was performed with the computers functioning, with software and diagnostics representative of operational service. Future testing, including factory acceptance, installation and post-installation testing, will also be performed with the computers fully functional. All portions of the computer used for safety functions, or whose operation or failure could impair safety functions, will be tested. The testing will demonstrate compliance with performance requirements related to safety functions.
a) Tricon-Based PPS Equipment The equipment qualification for the Tricon platform being installed at DCPP is described in the Triconex Tricon V10 Topical Report Submittal [13], which was submitted to the NRC on December 20, 2010.
b) FPGA-Based ALS PPS Equipment The equipment qualification for the ALS platform being installed at DCPP is described in the ALS Topical Report Submittal [15], which was submitted to the NRC on August 11, 2010. Equipment qualification information is provided in Section 4 of the ALS Topical Report Submittal [15]. There are no differences between the ALS platform submitted for generic approval and the ALS system being installed at DCPP.
4.11.1.2.1 Clause 5.4.1 Computer System Testing (Section D.10.4.2.4.1 of DI&C-ISG-06 [1])
IEEE Standard 7-4.3.2-2003 [76] Clause 5.4.1 states:
Computer system qualification testing (see 3.1.36) shall be performed with the computer functioning with software and diagnostics that are representative of those used in actual operation. All portions of the computer necessary to accomplish safety functions, or those portions whose operation or failure could impair safety functions, shall be exercised during testing. This includes, as appropriate, exercising and monitoring the memory, the CPU, inputs and outputs, display functions, diagnostics, associated components, communication paths, and interfaces. Testing shall demonstrate that the performance requirements related to safety functions have been met.
a) Tricon-Based PPS Equipment The Tricon PLC has been qualified in accordance with EPRI TR-107330, which included extensive testing and encompasses IEEE 7-4.3.2. The Tricon V9 system was endorsed in an NRC SER [11]. Changes for V10 of the Tricon platform were further qualified to the same standard (TR-107330) per the Tricon V10 Topical Report Submittal [13]. IEEE 7-4.3.2 aspects were reviewed in the Software Qualification Report 9600164-535 [124] and Critical Digital Review 9600164-539 [125].
The Triconex Software V&V Plan [73] provides the scope and content of the V&V program for the IOM scope of the PPS replacement as described in Section 4.5.6 of this Enclosure. The Triconex Software Validation Test Plan [74] provides the scope and content of the test program for the IOM scope of the PPS Replacement Project as described in Section 4.5.8 of this Enclosure.
b) FPGA-Based ALS PPS Equipment Section 12.2.12.1 of 6002-00301 ALS Topical Report Submittal [15] describes the qualification testing and how the testing meets the requirement of Clause 5.4.1.
The ALS V&V Plan [54] provides the scope and content of the V&V program for the CSI scope of the PPS replacement as described in Section 4.5.6 of this Enclosure. The ALS Diablo Canyon System Test Plan [67] describes scope and content of the test program for the CSI scope of the PPS Replacement Project as described in Section 4.5.8 of this Enclosure.
4.11.1.2.2 Clause 5.4.2 Qualification of Existing Commercial Computers (Section D.10.4.2.4.2 of DI&C-ISG-06 [1])
IEEE Standard 7-4.3.2-2003 [80], Clause 5.4.2, Qualification of commercial computers states:
NOTE-See Annex C for more information about commercial grade item dedication.
The qualification process shall be accomplished by evaluating the hardware and software design using the criteria of this standard. Acceptance shall be based upon evidence that the digital system or component, including hardware, software, firmware, and interfaces, can perform its required functions. The acceptance and its basis shall be documented and maintained with the qualification documentation.
In those cases in which traditional qualification processes cannot be applied, an alternative approach to verify a component is acceptable for use in a safety-related application is commercial grade dedication. The objective of commercial grade dedication is to verify that the item being dedicated is equivalent in quality to equipment developed under a 10 CFR 50 Appendix B program [B16].
The dedication process for the computer shall entail identification of the physical, performance, and development process requirements necessary to provide adequate confidence that the proposed digital system or component can achieve the safety function. The dedication process shall apply to the computer hardware, software, and firmware that are required to accomplish the safety function. The dedication process for software and firmware shall, whenever possible, include an evaluation of the design process. There may be some instances in which a design process cannot be evaluated as part of the dedication process. For example, the organization performing the evaluation may not have access to the design process information for a microprocessor chip to be used in the safety system. In this case, it would not be possible to perform an evaluation to support the dedication. Because the dedication process involves all aspects of life cycle processes and manufacturing quality, commercial grade item dedication should be limited to items that are relatively simple in function relative to their intended use.
Commercial grade item dedication involves preliminary phase and detailed phase activities. These phase activities are described in 5.4.2.1 through 5.4.2.2.
5.4.2.1 Preliminary phase of the COTS dedication process In the preliminary phase, the risks and hazards are evaluated, the safety functions are identified, configuration management is established, and the safety category of the system is determined.
5.4.2.1.1 Evaluate the system safety function risks and hazards An analysis shall be performed to identify the functional and performance requirements of the safety system. This analysis shall identify the risks and hazards that could interfere with accomplishing the safety function.
5.4.2.1.2 Identify the safety function(s) the COTS item shall perform Once the system-level functions have been identified and the risks and hazards have been evaluated, the dedicating organization shall identify the safety functions to be performed by the COTS item. This process shall address all safety functions to be performed by the COTS, and the potential effect of the COTS function(s) on other safety-related functions or interfaces.
5.4.2.1.3 Establish configuration management controls COTS items to be used in safety systems shall be controlled in a configuration management process that provides traceability of the COTS item development life cycle processes.
5.4.2.2 Detailed phase of the COTS dedication process Following this preliminary phase of commercial dedication, the commercial grade item is evaluated for acceptability using detailed acceptance criteria. The critical characteristics by which a COTS item will be evaluated for use in a safety system shall be identified by a technical evaluation. Each critical characteristic shall be verifiable (e.g., by inspection, analysis, demonstration, or testing). This standard uses the following three categories of commercial grade item critical characteristics:
- Physical characteristics include attributes such as physical dimensions, power requirements, part numbers, hardware and software model and version numbers, and data communication physical requirements.
- Performance characteristics include attributes such as response time, human-machine functional requirements, memory allocation, safety function performance during abnormal conditions, reliability, error handling, required embedded functions, and environmental qualification requirements (e.g., seismic, temperature, humidity, and electromagnetic compatibility).
- Development process characteristics include attributes such as supporting life cycle processes (e.g., verification and validation activities, configuration management processes, and hazard analyses), traceability, and maintainability.
As part of defining these critical characteristics, analyses shall identify potential hazards that could interfere with the safety functions (see Annex D).
Annex C describes the processes that should be used individually or in combination to evaluate the physical, performance, and development process critical characteristics.
5.4.2.3 Maintenance of commercial dedication If computer hardware, software, or firmware has been procured as a commercial grade item and accepted through a commercial dedication process, then changes to the commercially dedicated computer hardware, software, or firmware shall be traceable through formal documentation.
Changes to the commercially dedicated computer hardware, software, or firmware shall be evaluated in accordance with the process that formed the basis for the original acceptance. Included in this evaluation shall be consideration of the potential impact that computer hardware revisions may have on software or firmware. If any elements of the approved process have been omitted during the computer hardware, software, or firmware revision process, further evaluation shall be required.
Commercial grade dedication of computer hardware, software, or firmware is performed for a specific safety system application. Use of a commercially dedicated item in safety system applications beyond that included in the baseline dedication shall require additional evaluation for the new application.
Documentation supporting the commercial grade item dedication shall be maintained as a configuration item.
IEEE Standard 7-4.3.2 [80] Clauses 5.4.1 and 5.4.2 address computer system testing and qualification of existing commercial computers, respectively. Computer system qualification testing is discussed in Section 4.5 of this enclosure.
The PPS replacement equipment does not contain any commercial digital computers. All components are qualified in accordance with References [13] and [15]. Therefore, Clause 5.4.2 does not apply.
4.11.1.2.3 Clause 5.4.3 Deterministic System Behavior (Section 3.10.1.2.3 of DI&C-ISG-06 [1])
Deterministic behavior for the PPS replacement is addressed in Section 4.4 of this Enclosure and in the approved Tricon V9 Topical Report [8] (Section 3.3.3 and Appendix A Section 4.4.1.3) and ALS Topical Report Submittal [15] Sections 2.2.1, 2.3.4, 3.1, and 12.1.7.
4.11.1.2.4 Performance - System Response Time (Section 3.10.1.2.4 of DI&C-ISG-06 [1])
Response time analysis is addressed in Section 4.2.12, System Response Time, of this Enclosure.
4.11.1.3 Clause 5.5, System Integrity (Section D.10.4.2.5 of DI&C-ISG-06 [1])
IEEE Standard 7-4.3.2-2003 [80], Clause 5.5 states:
In addition to the system integrity criteria provided in IEEE Std 603-1998, the following are necessary to achieve system integrity in digital equipment for use in safety systems:
- Design for computer integrity
- Design for test and calibration
- Fault detection and self-diagnostics
In addition to the system integrity discussed in IEEE Standard 603 [21] and the guidance in NUREG-0800 Appendix 7.1-C, IEEE Standard 7-4.3.2-2003 [80] includes criteria in subclauses 5.5.1 through 5.5.3 on design for computer integrity, design for test and calibration, and fault detection and self-diagnostics.
a) Tricon-Based PPS Equipment The Tricon has been designed and tested to confirm that the equipment demonstrates system performance adequate to ensure completion of protective actions over the range of transient and steady state plant conditions. Failure modes are discussed in Paragraph 2.2.11 of the Tricon V10 Topical Report Submittal [13].
b) FPGA-Based ALS Equipment The ALS equipment has been designed and tested to confirm that the equipment demonstrates system performance adequate to ensure completion of protective actions over the range of transient and steady state plant conditions. Failure modes are discussed in Section 7.1 of the ALS Topical Report Submittal [15].
4.11.1.3.1 Clause 5.5.1, Design for Computer Integrity (Section D.10.4.2.5.1 of DI&C-ISG-06 [1])
IEEE 7-4.3.2-2003 [80], Clause 5.5.1 states:
The computer shall be designed to perform its safety function when subjected to conditions, external or internal, that have significant potential for defeating the safety function. For example, input and output processing failures, precision or roundoff problems, improper recovery actions, electrical input voltage and frequency fluctuations, and maximum credible number of coincident signal changes.
If the system requirements identify a safety system preferred failure mode, failures of the computer shall not preclude the safety system from being placed in that mode.
Performance of computer system restart operations shall not result in the safety system being inhibited from performing its function.
a) Tricon-Based PPS Equipment From Reference [13], Sections 2.1.1 and 2.1.2.6, the Tricon is triple redundant from input terminal to output terminal. The TMR architecture is intended to allow system operation in the presence of any single point of failure within the system. The TMR architecture is also intended to allow the Tricon to detect and correct individual faults on-line, without interruption of monitoring, control and protection capabilities. In the presence of a fault, the Tricon alarms the condition, removes the affected portion of the faulted module from operation, and continues to function normally in a dual redundant mode. The system returns to the fully triple redundant mode of operation when the affected module is replaced.
The Tricon main chassis is powered by two redundant power supply modules in the chassis, each rated to provide the power requirements of a fully populated chassis. On the main Tricon chassis, the alarm contacts on both power supply modules actuate on the states listed in Section 4.11.1.3.3 below. In addition, at least one of the chassis power supply alarm contacts actuates when any of the following power conditions exists:
- A power supply module fails
- Primary power to a power supply module is lost
- A power module has a low battery or over temperature condition
b) FPGA-Based ALS PPS Equipment As described in Reference [15], Sections 2 and 3, the ALS platform is designed with redundancy and embedded self-test capability to ensure system integrity by detecting and announcing faults. Diagnostics and testing capabilities are designed into the ALS platform to ensure there is a systematic approach to maintaining and testing the system.
From Reference [15] Section 2.6.2, each ALS safety system cabinet contains two qualified, independent AC/DC power supplies. Each power supply is capable of providing 150 percent of the cabinet load, and the two operate in a redundant configuration. The cabinet load consists of all ALS platform components and peripheral devices. Power supply failures (loss of output voltage) and opening of distribution breakers are alarmed.
4.11.1.3.2 Clause 5.5.2 Design for Test and Calibration (Section D.10.4.2.5.2 of DI&C-ISG-06 [1])
IEEE Standard 7-4.3.2 [80], Clause 5.5.2 states:
Test and calibration functions shall not adversely affect the ability of the computer to perform its safety function. Appropriate bypass of one redundant channel is not considered an adverse effect in this context. It shall be verified that the test and calibration functions do not affect computer functions that are not included in a calibration change (e.g., setpoint change).
V&V, configuration management, and QA shall be required for test and calibration functions on separate computers (e.g., test and calibration computer) that provide the sole verification of test and calibration data.
V&V, configuration management, and QA shall be required when the test and calibration function is inherent to the computer that is part of the safety system.
V&V, configuration management, and QA are not required when the test and calibration function is resident on a separate computer and does not provide the sole verification of test and calibration data for the computer that is part of the safety system.
The PPS replacement complies with Clause 5.5.2 as described below:
The PPS replacement permits any individual instrument channel to be maintained and calibrated in a bypassed condition, and, when required, tested during power operation without initiating a protective action at the system level. This is accomplished without lifting electrical leads or installing temporary jumpers. The PPS permits periodic testing during reactor power operation without initiating a protective action from the channel under test.
External hardwired switches are provided on PPS trip and actuation outputs. The switches may be used for SSPS input relay testing or to trip or actuate the channel manually if needed. Activation of the external trip switches is indicated in the control room through the SSPS partial trip indicators. Actuation of bypass switches is indicated through the MAS.
For both the Triconex and ALS subsystems, the platform self-tests and the application specific test and calibration functions will be verified during the FAT to ensure that the Protection Set safety function is not adversely affected by performance of either built-in or application specific test and calibration functions.
a) Tricon-Based PPS Equipment Figure 4-10 in this LAR illustrates the Tricon DO loopback feature, which enables the PPS to determine if the external trip switch is open, or if the DO channel is producing an erroneous output. A PPS trouble alarm is generated if the instrument loop is not out of service and if the comparator output is true (commanding an energized output) and the de-energize to trip DO loopback is sensed as de-energized. A PPS failure alarm is generated if the de-energize to trip DO loopback is sensed as energized and the comparator output is false (commanding a de-energized output), whether or not the instrument loop is out of service.
On-line testing in the Tricon is controlled by the non-safety related MWS and by safety related logic enabled via an external safety related hardwired out of service switch.
When the out of service switch is activated, the safety related logic in the associated Protection Set allows the associated instrument channel to be taken out of service while maintaining the rest of the instrument channels in the Protection Set operable; that is, an individual out of service switch only removes an individual instrument channel from service and no other instrument channel. If the out of service switch is returned to the normal position during test, the safety related logic automatically restores the instrument channel to safety related operation.
The test and calibration functions are initiated by the non-safety related MWS, but are controlled by the safety related Triconex processor application program. There is one MWS per Protection Set to ensure that a test or calibration function on one Protection Set will take place only on the Protection Set for which the action is intended, and that only one Protection Set can be affected by actions taken at any single MWS. The MWS from one Protection Set cannot communicate with any other Protection Set.
Data is allowed to be received by the safety related Protection Set from the non-safety MWS only when the channel is out of service. The channel is taken out of service by taking multiple deliberate actions: (1) activating a hardware out of service switch locked in a cabinet; and (2) activating a software switch on the Workstation requiring password access. In addition, feedback is provided to the user on the MWS that the out of service switch for the loop to be tested has been activated. If the safety related hardware out of service switch is not activated, non-safety related actions or failures cannot adversely affect the safety related function.
The non-safety Triconex MWS software is designed, developed and tested under the Triconex software development programs described in the Tricon V10 Topical Report Submittal [13] to address the Clause 5.5.2 requirement that V&V, configuration management, and QA be applied to test and calibration functions on separate computers (e.g., a test and calibration computer) that provide the sole verification of test and calibration data. Triconex platform compliance with this clause is discussed in the Software Qualification Report [124] Sections 4.0 and 8.0, the Critical Digital Review [125] Sections 1.0, 2.0, 3.0, 4.0, and Appendix B, and the Topical Report Submittal [13] Section 2.1 and Appendix B Section 3.0.
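The out-of-service gating and the DO loopback alarm rules described above for the Tricon-based equipment, modeled as an added example. This is not PG&E or Triconex code: the Channel class, the setpoint and sample values, and the stuck-output fault hook are assumptions made for the example; only the two alarm conditions and the two deliberate actions needed to take a channel out of service come from the text. The scenario shows that non-safety MWS data is accepted only when both the hardwired switch and the password-protected software switch are set, that returning the hardware switch to normal restores safety operation without any MWS action, and that a PPS FAILURE alarm is raised whether or not the loop is out of service while a PPS TROUBLE alarm is suppressed for an out-of-service loop.

```python
"""Out-of-service gating and DO loopback alarm rules for one PPS instrument
channel.  Added illustration, not PG&E or Triconex code: the Channel class,
the setpoint, the process/test values and the stuck-output hook are
assumptions made for the example; the alarm rules follow the two conditions
stated for the Tricon DO loopback feature.
"""
from dataclasses import dataclass, field
from typing import List, Optional


def loopback_alarm(out_of_service: bool, comparator_true: bool,
                   sensed_energized: bool) -> Optional[str]:
    """DO loopback rules for a de-energize-to-trip output.

    comparator_true  : comparator commands an energized output (no trip)
    sensed_energized : loopback, downstream of the external trip switch,
                       reads the output as energized
    """
    if sensed_energized and not comparator_true:
        # Output energized although a trip was commanded: raised whether or
        # not the loop is out of service.
        return "PPS FAILURE"
    if comparator_true and not sensed_energized and not out_of_service:
        # Output de-energized while in service: open trip switch or bad DO.
        return "PPS TROUBLE"
    return None


@dataclass
class Channel:
    setpoint: float
    process_value: float = 0.0
    hw_oos: bool = False                # safety-related hardwired switch in the cabinet
    sw_oos: bool = False                # password-protected software switch on the MWS
    test_value: Optional[float] = None  # value written from the non-safety MWS
    external_trip_open: bool = False    # external hardwired trip switch on the DO
    do_stuck_energized: bool = False    # latent fault injected for the example
    alarms: List[str] = field(default_factory=list)

    @property
    def out_of_service(self) -> bool:
        # Both deliberate actions are required; either one alone leaves the
        # channel in service and the MWS write path closed.
        return self.hw_oos and self.sw_oos

    def mws_write(self, value: float) -> bool:
        """Non-safety MWS data is accepted only while the channel is out of service."""
        if not self.out_of_service:
            return False
        self.test_value = value
        return True

    def comparator(self) -> bool:
        """True = output commanded energized (no trip condition present)."""
        # The test value reaches the comparator only while out of service, so
        # returning the hardware switch to normal restores safety operation
        # automatically and a stale test value is ignored.
        if self.out_of_service and self.test_value is not None:
            return self.test_value < self.setpoint
        return self.process_value < self.setpoint

    def loopback_sensed_energized(self) -> bool:
        if self.do_stuck_energized:
            return True
        return self.comparator() and not self.external_trip_open

    def diagnose(self) -> Optional[str]:
        alarm = loopback_alarm(self.out_of_service, self.comparator(),
                               self.loopback_sensed_energized())
        if alarm:
            self.alarms.append(alarm)
        return alarm


def run_scenario() -> dict:
    """Constructed walk-through with assumed values (setpoint 100, process 50)."""
    ch = Channel(setpoint=100.0, process_value=50.0)
    r = {}
    r["write_in_service"] = ch.mws_write(150.0)   # rejected: channel in service
    r["alarm_normal"] = ch.diagnose()             # None
    ch.hw_oos = True                              # hardware switch only
    r["write_hw_only"] = ch.mws_write(150.0)      # still rejected
    ch.sw_oos = True                              # second deliberate action
    r["write_oos"] = ch.mws_write(150.0)          # accepted
    r["trip_during_test"] = not ch.comparator()   # comparator sees 150 > 100
    r["alarm_during_test"] = ch.diagnose()        # None: loopback agrees
    ch.hw_oos = False                             # switch returned to normal
    r["restored"] = ch.comparator()               # back on process value, no trip
    ch.external_trip_open = True
    r["alarm_switch_open"] = ch.diagnose()        # "PPS TROUBLE"
    ch.external_trip_open = False
    ch.process_value, ch.do_stuck_energized = 120.0, True
    r["alarm_stuck"] = ch.diagnose()              # "PPS FAILURE"
    ch.hw_oos = True                              # out of service again (sw_oos still set)
    r["alarm_stuck_oos"] = ch.diagnose()          # "PPS FAILURE" regardless of OOS
    return r
```

Calling run_scenario() returns the dictionary of outcomes; the two alarm rules are kept in the standalone loopback_alarm function so the truth table can be checked independently of the channel model. Channel-level bypass of the SSPS input is not modeled here.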
b) FPGA-Based ALS PPS Equipment The ALS provides test and calibration capability as described in Section 2.3.2 and Section 3 of the ALS Topical Report Submittal [15] and Sections 10.2 and 10.3 of the ALS System Design Specification [19]. Each Protection Set has one ASU associated with the ALS subsystems in that set. The TAB allows the non-safety related ASU (a function performed by the PPS replacement MWS) to interact with the ALS components for test and calibration only when the TAB RS-485 communication switch described in Section 5.3.3 of the ALS Topical Report Submittal [15] is closed. ALS platform compliance with this clause is discussed in Section 12.2.13.2 of the ALS Topical Report Submittal [15].
In the PPS replacement, the MWS described in Section 4.2.4.5 of this LAR is the hardware platform on which the ASU function is implemented. The non-safety related ASU software is designed, developed, and tested under the CSI software development program to address the Clause 5.5.2 requirement that V&V, configuration management, and QA shall be required for test and calibration functions on separate computers.
4.11.1.3.3 Clause 5.5.3 Fault Detection and Self-Diagnostics (Section D.10.4.2.5.3 of DI&C-ISG-06 [1])
IEEE Standard 7-4.3.2-2003 [80], Clause 5.5.3 states:
Computer systems can experience partial failures that can degrade the capabilities of the computer system, but may not be immediately detectable by the system. Self-diagnostics are one means that can be used to assist in detecting these failures. Fault detection and self-diagnostics requirements are addressed in this subclause.
The reliability requirements of the safety system shall be used to establish the need for self-diagnostics. Self-diagnostics are not required for systems in which failures can be detected by alternate means in a timely manner. If self-diagnostics are incorporated into the system requirements, these functions shall be subject to the same V&V processes as the safety system functions.
If reliability requirements warrant self-diagnostics, then computer programs shall incorporate functions to detect and report computer system faults and failures in a timely manner. Conversely, self-diagnostic functions shall not adversely affect the ability of the computer system to perform its safety function, or cause spurious actuations of the safety function. A typical set of self-diagnostic functions includes the following:
- Memory functionality and integrity tests (e.g., programmable read-only memory checksum and random access memory (RAM) tests)
- Computer system instruction set (e.g., calculation tests)
- Computer peripheral hardware tests (e.g., watchdog timers and keyboards)
- Computer architecture support hardware (e.g., address lines and shared memory interfaces)
- Communication link diagnostics (e.g., CRC checks)
Infrequent communication link failures that do not result in a system failure or a lack of system functionality do not require reporting.
When self-diagnostics are applied, the following self-diagnostic features shall be incorporated into the system design:
- Self-diagnostics during computer system startup
- Periodic self-diagnostics while the computer system is operating
- Self-diagnostic test failure reporting
The PPS replacement complies with Clause 5.5.3 as discussed below:
a) Tricon-Based PPS Equipment The Tricon is a fault tolerant controller as described in Section 5.7 of the Triconex System Description [34]. As such, it is designed to run continuous diagnostics to detect and mask or override faults. Diagnostic results are available to host devices via communication modules and alarm contacts on the Main Chassis. The alarm contacts on Main Chassis Power Modules are asserted when:
1. The system configuration does not match the control-program configuration
2. A Digital Output Module experiences a LOAD/FUSE error
3. A module is missing somewhere in the system
4. A Main Processor, I/O or Communication module in the Main Chassis fails
5. An I/O or Communication module in an Expansion Chassis fails
6. A Main Processor detects a system fault
7. The inter-chassis I/O bus cables are incorrectly installed (for example, the cable for Leg A is accidentally connected to Leg B)
8. A Power Module fails
9. Primary power to a Power Module is lost
10. A Power Module has a Low Battery or Over Temperature warning
Extensive diagnostics validate the health of each Main Processor as well as each I/O module and communication channel. Transient faults are recorded and masked by the hardware majority voting circuit. Persistent faults are diagnosed, and the errant module is hot-replaced or operated in a fault-tolerant manner until hot replacement is completed.
Main Processor diagnostics do the following:
1. Verify fixed-program memory
2. Verify the static portion of RAM
3. Test all basic processor instructions and operating modes
4. Test all basic floating-point processor instructions
5. Verify the shared memory interface with each I/O communication processor and communication leg
6. Verify handshake signals and interrupt signals between the Central Processing Unit (CPU), each I/O communication processor and communication leg
7. Check each I/O communication processor and communication leg microprocessor, ROM, shared memory access and loopback of RS-485 transceivers
8. Verify the TriClock interface
9. Verify the TriBUS interface
All I/O modules sustain complete, ongoing diagnostics for each leg. Failure of any diagnostic on any leg activates the module's FAULT indicator, which in turn activates the chassis alarm signal. The FAULT indicator points to a leg fault, not a module failure. The module is designed to operate properly in the presence of a single fault and may continue to operate properly with some multiple faults.
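The startup and periodic self-diagnostics listed in Clause 5.5.3 and in the Main Processor diagnostics above (fixed-program memory checksum, static RAM test, instruction-set known-answer test, watchdog check, and failure reporting), modeled as an added example. This is not Tricon firmware: the image layout (code followed by a CRC-32 trailer), the RAM test patterns, the round-robin scheduling that bounds the diagnostic load per scan, and the failure report format are assumptions made for the example; the set of tests and the startup/periodic/reporting structure come from the clause.

```python
"""Startup and periodic self-diagnostics of the kinds listed in Clause 5.5.3.
Added illustration, not Tricon firmware: the image layout (code plus CRC-32
trailer), the RAM test patterns, the round-robin scheduling and the failure
report format are assumptions made for the example.
"""
import struct
import zlib
from typing import Callable, Dict, List, Optional, Tuple


def build_program_image(code: bytes) -> bytes:
    """Constructed fixed-program image: code followed by its CRC-32 (assumed trailer)."""
    return code + struct.pack("<I", zlib.crc32(code) & 0xFFFFFFFF)


def prom_checksum_ok(image: bytes) -> bool:
    """Memory integrity test: recompute the CRC over the code, compare with the trailer."""
    code, stored = image[:-4], struct.unpack("<I", image[-4:])[0]
    return (zlib.crc32(code) & 0xFFFFFFFF) == stored


class Ram:
    """Byte-addressable RAM model with an optional stuck bit (fault-injection hook)."""
    def __init__(self, size: int, stuck_bit: Optional[Tuple[int, int, int]] = None):
        self.cells = bytearray(size)
        self.stuck_bit = stuck_bit                    # (address, bit, value) or None

    def write(self, addr: int, value: int) -> None:
        self.cells[addr] = value & 0xFF

    def read(self, addr: int) -> int:
        value = self.cells[addr]
        if self.stuck_bit and self.stuck_bit[0] == addr:
            _, bit, stuck = self.stuck_bit
            value = value | (1 << bit) if stuck else value & ~(1 << bit) & 0xFF
        return value


def ram_test_ok(ram: Ram, start: int, length: int) -> bool:
    """Non-destructive static RAM test: save each cell, write complementary
    patterns and a walking 1, read back, restore."""
    patterns = (0x55, 0xAA) + tuple(1 << b for b in range(8))
    for addr in range(start, start + length):
        saved = ram.read(addr)
        for pattern in patterns:
            ram.write(addr, pattern)
            if ram.read(addr) != pattern:
                ram.write(addr, saved)
                return False
        ram.write(addr, saved)
    return True


def alu_test_ok() -> bool:
    """Instruction-set test: known-answer checks for integer and floating-point ops."""
    return all([
        (0x7FFFFFFF + 1) & 0xFFFFFFFF == 0x80000000,    # carry into the sign bit
        0xDEADBEEF ^ 0xFFFFFFFF == 0x21524110,          # bitwise complement
        (-7) // 2 == -4 and (-7) % 2 == 1,              # signed divide / modulo
        abs((0.1 + 0.2) - 0.3) < 1e-12,                 # floating-point add
        abs(2.0 ** 0.5 * 2.0 ** 0.5 - 2.0) < 1e-12,     # floating-point multiply
    ])


class Watchdog:
    def __init__(self, timeout_ticks: int):
        self.timeout, self.last_kick = timeout_ticks, 0

    def kick(self, now: int) -> None:
        self.last_kick = now

    def healthy(self, now: int) -> bool:              # scan loop must service it in time
        return now - self.last_kick < self.timeout


class SelfDiagnostics:
    """All tests at startup, then one test per scan in round-robin order (bounded,
    deterministic diagnostic load); every failure is reported with its scan number."""
    def __init__(self, tests: Dict[str, Callable[[], bool]]):
        self.tests, self.names, self.next_index = tests, list(tests), 0
        self.failures: List[Tuple[str, int]] = []

    def _run(self, name: str, tick: int) -> bool:
        ok = self.tests[name]()
        if not ok:
            self.failures.append((name, tick))          # failure reporting
        return ok

    def startup(self) -> bool:
        return all([self._run(name, 0) for name in self.names])   # list: run every test

    def periodic(self, tick: int) -> bool:
        name = self.names[self.next_index]
        self.next_index = (self.next_index + 1) % len(self.names)
        return self._run(name, tick)


def demo() -> dict:
    """Constructed scenario: four healthy scans, then a flipped PROM byte, a stuck
    RAM bit, and a scan loop that stops servicing the watchdog."""
    parts = {"image": build_program_image(bytes(range(256)) * 4), "ram": Ram(64), "now": 0}
    wdt = Watchdog(timeout_ticks=3)
    diag = SelfDiagnostics({
        "prom_checksum": lambda: prom_checksum_ok(parts["image"]),
        "static_ram": lambda: ram_test_ok(parts["ram"], 0, 64),
        "instruction_set": alu_test_ok,
        "watchdog": lambda: wdt.healthy(parts["now"]),
    })
    startup_ok = diag.startup()
    healthy = []
    for tick in range(1, 5):
        parts["now"] = tick
        wdt.kick(tick)
        healthy.append(diag.periodic(tick))
    corrupt = bytearray(parts["image"])
    corrupt[10] ^= 0x01                                  # single-bit PROM corruption
    parts["image"] = bytes(corrupt)
    parts["ram"] = Ram(64, stuck_bit=(17, 3, 1))         # bit 3 of address 17 stuck at 1
    for tick in range(5, 9):                             # watchdog no longer kicked
        parts["now"] = tick
        diag.periodic(tick)
    return {"startup_ok": startup_ok, "healthy_scans_ok": all(healthy),
            "failures": diag.failures}
```

demo() returns the startup result, whether the healthy scans passed, and the failure report, which for the constructed faults lists the PROM checksum on scan 5, the RAM test on scan 6 and the watchdog on scan 8. Running one test per scan rather than all of them is the design choice that keeps the diagnostic contribution to scan time fixed, which matters for the deterministic timing the platform claims.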
TMR Digital Input Modules with Self-Test continuously verify the ability of the Tricon to detect the transition of a normally energized circuit to the OFF state. TMR High-Density Digital Input Modules continuously verify the ability of the Tricon to detect transitions to the opposite state.
Each type of digital output module executes a particular type of Output Voter Diagnostic (OVD) for every point. In general, during OVD execution the commanded state of each point is momentarily reversed on one of the output drivers, one after another. Loop-back sensing on the module allows each microprocessor to read the output value for the point to determine whether a latent fault exists within the output circuit.
A DC voltage digital output module is specifically designed to control devices, which hold points in one state for long periods. The OVD strategy for a DC voltage digital output module ensures full fault coverage even if the commanded state of the points never changes. On this type of module, an output signal transition occurs during OVD execution, but is designed to be less than 2.0 milliseconds (500 microseconds is typical) and is transparent to most field devices.
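The Output Voter Diagnostic and the majority voting described above, together with the degradation to dual redundant mode from Section 4.11.1.3.1, modeled as an added example. This is not Triconex hardware or code: the Leg and TmrOutputPoint names, the readback model, the fault-injection hook and the dual-mode rule (a disagreement between the two remaining legs resolves to de-energized, the trip-safe state for a de-energize-to-trip output) are assumptions made for the example; the OVD itself follows the text, reversing the commanded state on one driver at a time, reading it back through the loopback, and restoring it. The scenario shows why the diagnostic is needed: a driver welded in the commanded state is invisible at the field terminal, since two healthy legs outvote it, and is only exposed when the OVD reverses that driver and the loopback fails to follow.

```python
"""TMR digital output point with an Output Voter Diagnostic (OVD).
Added illustration, not Triconex hardware or code: the names, the readback
model, the fault-injection hook and the dual-mode tie-break are assumptions
made for the example.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Leg:
    name: str
    driven: bool = True                 # state the driver was told to produce
    stuck_at: Optional[bool] = None     # latent fault injected for the example
    faulted: bool = False               # diagnosed; excluded from the vote

    def readback(self) -> bool:
        """Loop-back sensing of what the driver actually outputs."""
        return self.driven if self.stuck_at is None else self.stuck_at


@dataclass
class TmrOutputPoint:
    legs: List[Leg] = field(default_factory=lambda: [Leg("A"), Leg("B"), Leg("C")])
    alarm: bool = False

    def command(self, state: bool) -> None:
        for leg in self.legs:
            leg.driven = state

    def voted_output(self) -> bool:
        """2oo3 majority of the legs still in the vote.  With one leg isolated the
        point runs in dual mode; any disagreement then resolves to de-energized,
        the trip-safe state for a de-energize-to-trip output (assumption)."""
        readings = [leg.readback() for leg in self.legs if not leg.faulted]
        if len(readings) == 3:
            return sum(readings) >= 2
        return all(readings)

    def run_ovd(self, commanded: bool) -> dict:
        """One OVD pass: each voting leg is reversed momentarily and restored; a leg
        whose loopback does not follow either transition has a latent fault.  Also
        records whether the field output moved during the pass (the sub-2 ms
        transient described in the text)."""
        latent, disturbed = [], False
        for leg in self.legs:
            if leg.faulted:
                continue
            leg.driven = not commanded                      # reverse this driver only
            reversed_ok = leg.readback() == (not commanded)
            if self.voted_output() != commanded:
                disturbed = True
            leg.driven = commanded                          # restore
            restored_ok = leg.readback() == commanded
            if not (reversed_ok and restored_ok):
                latent.append(leg.name)
        return {"latent_faults": latent, "output_disturbed": disturbed}

    def isolate(self, names: List[str]) -> None:
        """Remove diagnosed legs from the vote and raise the chassis alarm."""
        for leg in self.legs:
            if leg.name in names:
                leg.faulted = True
                self.alarm = True


def demo() -> dict:
    """Constructed scenario: normally energized point; leg C welds energized,
    later leg B fails de-energized while the point is already in dual mode."""
    point = TmrOutputPoint()
    point.command(True)
    r = {}
    r["healthy_pass"] = point.run_ovd(True)                 # nothing found, no transient
    point.legs[2].stuck_at = True                            # latent: agrees with command
    r["fault_invisible_to_field"] = point.voted_output()     # True: field sees no change
    r["detected"] = point.run_ovd(True)["latent_faults"]     # ['C']
    point.isolate(r["detected"])
    r["alarm"] = point.alarm
    point.command(False)                                     # trip demanded
    r["trips_after_isolation"] = point.voted_output() is False
    point.command(True)
    point.legs[1].stuck_at = False                           # second fault, dual mode
    r["second_fault_fails_safe"] = point.voted_output() is False
    r["second_pass"] = point.run_ovd(True)                   # ['B'], transient recorded
    return r
```

demo() returns the outcomes of each step. Note that the transient on the field output is only recorded on the second pass: while all three legs are healthy, or while the only faulty leg agrees with the commanded state, reversing one driver never changes the majority, which is the property the text relies on for the OVD to be transparent to most field devices.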
The results of all diagnostic tests are available to a host device via each installed communication module. Individual diagnostic flags are asserted upon any module fault within any chassis, DO load fuse or output voter fault, printer fault, math error, scan time overrun, Tricon keyswitch out of position, host communication error, program change, and I/O point disabled.
The Tricon Planning and Installation Guide [35] provides descriptions of the main processor and I/O module diagnostics.
b) FPGA-Based ALS PPS Equipment As described in Reference [15], Section 3, the ALS platform incorporates advanced failure detection and isolation techniques. The operation of the system is deterministic in nature and allows the system to monitor itself in order to validate its functional performance. The ALS platform implements advanced failure detection and mitigation in the active path to avoid unintended plant events, and in the passive path to ensure inoperable systems do not remain undetected. The system utilizes logic to perform distributed control where no single failure results in an erroneous plant event while maintaining the ability to perform its intended safety function.
The ALS platform incorporates self-diagnostics, application specific diagnostics and self-test features into the input boards, bus communications, CLBs, and output boards. In addition, system-level diagnostics are incorporated and divided into four categories: fatal, vital, non-vital, and undetectable, as described in Reference [15] Section 3.1.1.
IEEE Standard 7-4.3.2 [80] Clauses 5.4.1 and 5.4.2 address computer system testing and qualification of existing commercial computers, respectively. Computer system qualification testing is discussed in Section 4.6 of this enclosure.
4.11.1.4 Clause 5.6 Independence (Section D.10.4.2.6 of DI&C-ISG-06 [1])
IEEE Standard 7-4.3.2-2003 [76] Clause 5.6 states:
In addition to the requirements of IEEE Std 603-1998, data communication between safety channels or between safety and non-safety systems shall not inhibit the performance of the safety function.
IEEE Std 603-1998 requires that safety functions be separated from non-safety functions such that the non-safety functions cannot prevent the safety system from performing its intended functions. In digital systems, safety and non-safety software may reside on the same computer and use the same computer resources.
Either of the following approaches is acceptable to address the previous issues:
a) Barrier requirements shall be identified to provide adequate confidence that the non-safety functions cannot interfere with performance of the safety functions of the software or firmware. The barriers shall be designed in accordance with the requirements of this standard. The non-safety software is not required to meet these requirements.
b) If barriers between the safety software and non-safety software are not implemented, the non-safety software functions shall be developed in accordance with the requirements of this standard.
Guidance for establishing communication independence is provided in Annex E.
PPS replacement conformance with this clause is discussed in the following paragraphs.
a) Tricon-Based PPS Equipment 993754-1-912, DCPP Triconex PPS ISG-04 Conformance Report [25], describes the data and communications independence of the Tricon equipment and its compliance with DI&C-ISG-04 [2]. NTX-SER-09-10, Tricon Applications in Nuclear Reactor Protection Systems - Compliance with NRC ISG-2 & ISG-4 [24], describes the communications independence capabilities of the generic Tricon platform and its compliance with DI&C-ISG-04 [2].
b) FPGA-Based ALS PPS Equipment Section 5 of ALS Topical Report Submittal [15] describes the communication capabilities of the ALS equipment and compliance with DI&C-ISG-04 [2].
4.11.1.5 Clause 5.7 Capability for Test and Calibration (Section D.10.4.2.7 of DI&C-ISG-06 [1])
IEEE Standard 7-4.3.2 [76] Clause 5.7 states:
No requirements beyond IEEE Std 603-1998 are necessary.
The PPS replacement conforms with Clause 5.7 as discussed in Section 4.10.2.7 of this LAR.
4.11.1.6 Clause 5.8 Information Displays (Section D.10.4.2.8 of DI&C-ISG-06 [1])
IEEE Standard 7-4.3.2-2003 [80], Clause 5.8 states:
No requirements beyond IEEE Std 603-1998 are necessary.
The PPS replacement does not utilize any safety or non-safety related information display or control station to perform any control or protective action. The PPS replacement does utilize a non-safety related MWS in each of the four Protection Sets for the purpose of performing maintenance activities on the Tricon and FPGA-based ALS PPS equipment. These MWS function with and communicate with the PPS replacement equipment as described in LAR Section 4.2.4.5.
a) Tricon-Based PPS Equipment The Tricon system architecture has flexible hardware and software capability for communicating with a variety of non-safety workstations. See Section 2.1 of the Tricon Version 10 Topical Report Submittal [13].
b) FPGA-Based ALS PPS Equipment Section 12.2.16 of the ALS Topical Report Submittal [15] describes the FPGA-based ALS PPS replacement equipment conformance to Clause 5.8.
4.11.1.7 Clause 5.11 Identification (Section D.10.4.2.11 of DI&C-ISG-06 [1])
IEEE Standard 7-4.3.2-2003 [80], Clause 5.11 states:
To provide assurance that the required computer system hardware and software are installed in the appropriate system configuration, the following identification requirements specific to software systems shall be met:
a) Firmware and software identification shall be used to assure the correct software is installed in the correct hardware component.
b) Means shall be included in the software such that the identification may be retrieved from the firmware using software maintenance tools.
c) Physical identification requirements of the digital computer system hardware shall be in accordance with the identification requirements in IEEE Std 603-1998 [21].
The PPS replacement equipment conformance to Clause 5.11 is discussed in Section 4.11.1.7.1 (Tricon-Based equipment) and Section 4.11.1.7.2 (FPGA-Based ALS equipment).
a) Tricon-Based PPS Equipment The following documents describe the Tricon-based PPS replacement equipment conformance to Clause 5.11.
Software identification control for embedded software is described in Sections 1.2.1 and 1.2.2 of the Triconex Software QAP [52].
Software identification control for application software is described in Section 3.1 of the Triconex DCPP SCMP [77].
Hardware identification control is described in Section 2.0 of the Tricon V10 Topical Report Submittal [13]. The Topical Report provides a reference to the Triconex Master Configuration List [93].
b) FPGA-Based ALS PPS Equipment Section 12.2.19 of the ALS Topical Report Submittal [15] describes the FPGA-based ALS PPS replacement equipment conformance to Clause 5.11.
Section 2.1.5.2 of the ALS Topical Report Submittal [15] provides the method for conformance with the identification requirement of Clause 5.11.
Section 1.2 of the ALS CMP [66] identifies the configuration requirements applicable to satisfying Clause 5.11.
4.11.1.8 Clause 5.15 Reliability (Section D.10.4.2.15 of DI&C-ISG-06 [1])
IEEE Standard 7-4.3.2-2003 [80] Clause 5.15 states:
In addition to the requirements of IEEE Std 603-1998, when reliability goals are identified, the proof of meeting the goals shall include the software. The method for determining reliability may include combinations of analysis, field experience, or testing.
Software error recording and trending may be used in combination with analysis, field experience, or testing.
The PPS Replacement Project meets IEEE 7-4.3.2 [80] Clause 5.15 as described in the following sections. Additional information is provided in Section 4.10.2.15 of this Enclosure.
a) Tricon-Based PPS Equipment Reliability of the computer system is addressed in the Reliability/Availability Report 9600164-532 [123]. In addition, software reliability pursuant to IEEE 7-4.3.2 criteria has been addressed in the Software Qualification Report 9600164-535 [124] and the Critical Digital Review 9600164-539 [125].
b) FPGA-Based ALS PPS Equipment The ALS does not utilize executable software; therefore there is no software to include when determining reliability. Because the ALS is an FPGA-based system, its configuration results in a hard-wired system consisting solely of hardware items. Once V&V has determined the quality of the FPGA configuration and testing has determined that the configuration functions correctly to perform the safety function, there is no executable software used during the operation of the system. Therefore, there is no further contribution of software failure to the overall failure rate. Additional details regarding the V&V and testing for the PPS replacement are provided in 6002-00003 ALS V&V Plan [54], 6002-00005 ALS Test Plan [56], and ALS 6116-00005 Diablo Canyon PPS System Test Plan [67].
4.12 Technical Specifications (Section D.11 of DI&C-ISG-06 [1])
The four criteria of 10 CFR 50.36 (d) (2) (ii) require establishment of a TS Limiting Condition for Operation (LCO) for a system or function to define the lowest functional capability or performance level of a system.
There are no TS changes required to support the PPS replacement because the PPS replacement has been specified and designed such that it meets the current TS and FSAR Chapter 6 and 15 [26] accident analysis requirements. No new TS LCOs or SRs are required to be added because the current TS LCOs and SRs adequately specify the lowest functional capability and testing requirements for the PPS replacement.
The TS were revised in License Amendments 84 and 83, dated October 7, 1993 [98], to support the use of the existing Eagle 21 digital PPS. The TS changes made in Amendments 84 and 83 allow a channel operational test for a digital channel, allow a channel functional test for a digital channel including injection of a simulated signal into the channel, and allow bypassing an inoperable channel when performing surveillance tests on an operable channel. The PPS replacement has been specified and designed such that it meets these existing TS features.
To support installation of Eagle 21, the TS definitions were revised to allow a channel operational test for a digital channel and to allow a channel functional test for a digital channel, that includes the injection of a simulated signal into the channel as close to the sensor input to the process racks as practical, to verify operability of all devices in the channel required for channel operability. The PPS replacement has been specified and designed such that it meets these current TS definitions.
The Eagle 21 PPS has the capability to allow bypassing an inoperable channel when performing surveillance tests on an operable channel. Placing the inoperable channel in bypass results in an indication to the operator and allows testing of an operable channel including placing the operable channel in trip. The PPS replacement has been specified and designed such that it meets the current TS capability for the inoperable channel to be placed in bypass.
To support the installation of the existing Eagle 21 PPS, the setpoint analysis for the protection system functions processed through Eagle 21 was revised to reflect revised setpoint input values for rack calibration accuracy, rack drift, and temperature effect values, as discussed in Section D of PG&E Letter DCL-92-203 [97], and the RTS and ESFAS TS allowable values were revised in Amendments 84 and 83 to incorporate the results of the revised setpoint analysis. The functional requirements in the PPS Replacement FRS [28] have been specified such that they are the same as or better than the current Eagle 21 PPS for instrument rack calibration accuracy, rack drift, temperature effect values, and response time. These functional requirements are the PPS parameters that impact the setpoint analysis, and specifying the functional requirements in this manner allows the existing TS 3.3.1 RTS and TS 3.3.2 Nominal Trip Setpoints and Allowable Values to be applicable to the PPS replacement.
The DCPP TS have been revised to incorporate the TS 5.5.18 Surveillance Frequency Control Program and the TS 3.3.1 and 3.3.2 surveillance frequencies, except the TS 3.3.1 surveillances that are condition based, have been relocated to PG&E control in accordance with the Surveillance Frequency Control Program. Any changes to the TS 3.3.1 and 3.3.2 surveillance frequencies that would be required to support the PPS replacement can be performed by PG&E in accordance with the Surveillance Frequency Control Program.
Each of the four Protection Sets contains a Tricon subsystem comprised of three separate legs and an ALS subsystem comprised of an A core and a B core. Any one of the three Tricon legs, and either of the ALS A or B cores, in each Protection Set can perform the protection function.
a) Tricon-Based PPS Equipment If one Tricon leg in a channel is out of service, the protection function can still be performed and the channel is operable; however, the redundancy of the Tricon has been reduced, so the situation will be administratively controlled to require restoration of the Tricon leg within 30 days. If two Tricon legs in a channel are out of service, the protection function can still be performed and the channel is operable; however, the redundancy of the Tricon has been significantly reduced, so the situation will be administratively controlled to require restoration of one of the two Tricon legs within 7 days. If all three Tricon legs in a channel are out of service, the protection function cannot be performed, the channel is inoperable, and the appropriate TS Condition for the function will be entered.
b) FPGA-Based ALS PPS Equipment If the ALS A or B core is out of service, the protection function can still be performed and the channel is operable; however, the redundancy and diversity of the ALS have been reduced, so the situation will be administratively controlled to require restoration of the ALS core within 30 days. If an ALS A or B core is out of service in Protection Sets I and II, TS 3.3.3 Condition A will also need to be entered because the RCS wide range temperature parameter provided by the ALS to the Post Accident Monitoring Instrumentation RCS hot leg temperature, RCS cold leg temperature, and reactor vessel water level indication system parameters will be inoperable. If both the ALS A and B cores are out of service, the protection function cannot be performed, the channel is inoperable, and the appropriate TS Condition for the function will be entered.
4.13 Secure Development and Operational Environment (Section D.12 of DI&C-ISG-06 [1])
Following the LAR format recommended in DI&C-ISG-06 [1], the Secure Development and Operational Environment (SDOE) for IOM, CSI, and PG&E in support of the PPS Replacement Project is described in the following sections.
The NRC approved the DCPP Cyber Security Plan (CSP) in Amendment No. 210 to Facility Operating License DPR-80 and Amendment No. 212 to Facility Operating License DPR-82 for DCPP Unit Nos. 1 and 2, respectively, on July 15, 2011 [48]. In Section 3.0 of the safety evaluation for Amendments 210 and 212, the staff found that the DCPP CSP [48], with the exception of deviations described in Section 4.0 of the safety evaluation, generally conformed to the guidance in NEI 08-09, "Cyber Security Plan for Nuclear Power Reactors," Revision 6 [47], which the NRC staff had found acceptable as comparable to Regulatory Guide (RG) 5.71 [46], "Cyber Security Programs for Nuclear Facilities," for satisfying the requirements contained in 10 CFR 73.54 [44].
With regard to software development, NRC Regulatory Guide (RG) 1.152, Revision 3 [45], "Criteria for Use of Computers in Safety Systems of Nuclear Power Plants," describes a method that the NRC deems acceptable for complying with regulations promoting high functional reliability, design quality, and security for the use of digital computers in safety systems of nuclear power plants. In the context of RG 1.152, "security" refers to protective actions taken against a predictable set of non-malicious acts that could challenge the integrity, reliability, or functionality of a digital safety system.
Both IOM and ALS have addressed establishment of a secure development and operational environment in their respective Topical Reports ([13], Section 5.3 and [15], Section 8) submitted to the NRC for review. Procedures and programs have been put in place to address requirements in this area throughout the life cycle elements that are the primary responsibility of the vendor, as described in the following sections.
The PPS replacement is being reviewed to comply with 10 CFR 50.73, the DCPP CSP [48], and NEI 08-09 R6 [47]. A description of the security controls to be included in the PPS replacement is security-related information per 10 CFR 2.390 and will be provided to the NRC staff in a separate letter.
a) PG&E SDOE References [49], [50], and [51] provide the DCPP station control procedures for software development throughout the remaining life cycle phases under the control of PG&E after development and delivery of the software from the vendor to PG&E.
b) Invensys SDOE Triconex Document No. 993754-1-913, PPS Replacement DCPP RG 1.152 Conformance Report [147], meets the guidance in NRC RG 1.152, "Criteria for Use of Computers in Safety Systems of Nuclear Power Plants," [45] and establishes the Secure Development and Operational Environment for the Triconex portion of the PPS Replacement Project, running on the safety-related V10 Tricon platform hardware.
c) CSI SDOE CSI Document No. 6002-00006, ALS Security Plan [64], meets the guidance in NRC RG 1.152, "Criteria for Use of Computers in Safety Systems of Nuclear Power Plants," [45] and establishes the Secure Development and Operational Environment for the CSI portion of the PPS Replacement Project, running on the safety-related ALS platform hardware.
5. ABBREVIATIONS, ACRONYMS, AND REFERENCES
5.1 Abbreviations and Acronyms
Table 5-1 Abbreviations & Acronyms

| Acronym | Definition |
|---|---|
| AC | Alternating Current |
| ADAMS | Agencywide Documents Access and Management System |
| AFW | Auxiliary Feedwater |
| ALS | Advanced Logic System |
| ANS | American Nuclear Society |
| AMSAC | ATWS Mitigation System Actuation Circuitry |
| ANSI | American National Standards Institute |
| ASME | American Society of Mechanical Engineers |
| ASU | ALS Service Unit |
| ATWS | Anticipated Transient Without Scram |
| BIST | Built-In-Self-Test |
| BTP | Branch Technical Position |
| CCF | Common Cause Failure |
| CCSF | Common Cause Software Failure |
| CDD | Conceptual Design Document |
| CLB | Core Logic Board |
| CMP | Configuration Management Plan |
| CPU | Central Processing Unit |
| CRC | Cyclic Redundancy Check |
| CSI | CS Innovations, Inc. |
| CSP | Cyber Security Plan |
| CVI | Containment Ventilation Isolation |
| D3 | Diversity & Defense-in-Depth |
| DC | Direct Current |
| DCPP | Diablo Canyon Power Plant |
| DFWCS | Digital Feedwater Control System |
| DI&C | Digital Instrumentation & Controls |
| DIP | Dual In-line Package |
| DNB | Departure from Nucleate Boiling |
| DNBR | Departure from Nucleate Boiling Ratio |
| DO | Discrete Output |
| DPRAM | Dual Port Random Access Memory |
| DTTA | Delta-T/Tavg |
| EQ | Environmental Quality |
| ERO | Enhanced Relay Output |
| ESD | Electrostatic Discharge |
| ESF | Engineered Safety Features |
| ESFAS | Engineered Safety Features Actuation System |
| ETA | External Termination Assembly |
| FAT | Factory Acceptance Test |
| FMEA | Failure Modes and Effects Analysis |
| FPGA | Field Programmable Gate Array |
| FRS | Functional Requirements Specification |
| FSAR | Final Safety Analysis Report |
| FSM | Finite State Machine |
| HICR | Highly Integrated Control Room |
| HSI | Human System Interface |
| Hz | Hertz |
| I&C | Instrumentation & Controls |
| IEC | International Electrotechnical Commission |
| IEEE | Institute of Electrical and Electronic Engineers |
| INPO | Institute of Nuclear Power Operations |
| I/O | Input/Output |
| IOCCOM | I/O and Communication |
| IOM | Invensys Operations Management |
| IRS | Interface Requirements Specification |
| ISA | International Society of Automation |
| ISG | Interim Staff Guidance |
| IV&V | Independent Verification & Validation |
| LAR | License Amendment Request |
| LCO | Limiting Condition for Operation |
| LED | Light-Emitting Diode |
| LOCA | Loss of Coolant Accident |
| LTOP | Low Temperature Overpressure Protection |
| mA | Milliampere |
| MAS | Main Annunciator System |
| MFW | Main Feedwater |
| MSFIS | Main Steam and Feedwater Isolation System |
| MSI | Maintenance and Service Interface |
| MTP | Modification Test Plan |
| MWS | Maintenance Workstation |
| NRC | Nuclear Regulatory Commission |
| NIS | Nuclear Instrumentation System |
| NQAM | Nuclear Quality Assurance Manual |
| NSIPM | Nuclear System Integration Program Manual |
| OPΔT, OPDT | Overpower ΔT Trip |
| OTΔT, OTDT | Overtemperature ΔT Trip |
| OVD | Output Voter Diagnostic |
| P2P | Peer-to-Peer |
| PG&E | Pacific Gas & Electric Company |
| PLC | Programmable Logic Controller |
| PLD | Programmable Logic Device |
| PMP | Project Management Plan |
| PORV | Power Operated Relief Valves |
| PPC | Plant Process Computer |
| PPM | Project Procedures Manual |
| PPS | Process Protection System |
| QA | Quality Assurance |
| QAM | Quality Assurance Manual |
| QAP | Quality Assurance Program |
| RAB | Reliable ALS Bus |
| RAM | Random Access Memory |
| RCP | Reactor Coolant Pump |
| RCS | Reactor Coolant System |
| RG | Regulatory Guide |
| RIS | Regulatory Information Summary |
| RPS | Reactor Protection System |
| RT | Reactor Trip |
| RTA | Reactor Trip Circuit Breaker A |
| RTB | Reactor Trip Circuit Breaker B |
| RTD | Resistance Temperature Detector |
| RTS | Reactor Trip System |
| RXM | Remote Expander Module |
| SAT | Site Acceptance Test |
| SCMP | Software Configuration Management Plan |
| SDD | Software Design Description |
| SDOE | Secure Development and Operational Environment |
| SDP | Software Development Plan |
| SDS | Software Design Specification |
| SER | Safety Evaluation Report |
| SGTR | Steam Generator Tube Rupture |
| SI | Safety Injection |
| SLI | Steam Line Isolation |
| SMP | Software Management Plan |
| SQAP | Software Quality Assurance Plan |
| SR | Surveillance Requirements |
| SRS | Software Requirements Specification |
| SSP | Software Safety Plan |
| SSPS | Solid State Protection System |
| STP | Software Test Plan |
| SyQAP | System Software Quality Assurance Plan |
| SyVVP | System Verification and Validation |
| TAB | Test ALS Bus |
| TC | Thermocouple |
| TCM | Tricon Communications Module |
| TMR | Triple Modular Redundant |
| TS | Technical Specifications |
| TSAP | Triconex Software Application Program |
| TTD | Trip Time Delay |
| TVS | Transient Voltage Suppressor |
| UV | Undervoltage |
| V | Volt |
| V&V | Validation & Verification |
| WCGS | Wolf Creek Generating Station |

5.2 References
- 1. U.S. Nuclear Regulatory Commission, Digital Instrumentation and Controls, Revision 1, "DI&C-ISG-06 Task Working Group #6: Licensing Process Interim Staff Guidance," January 19, 2011 (ADAMS Accession No. ML110140103)
- 2. U.S. Nuclear Regulatory Commission, Digital Instrumentation and Controls, Revision 1, "DI&C-ISG-04, Task Working Group #4: Highly-Integrated Control Rooms - Communications Issues (HICRc)," March 6, 2009 (ADAMS Accession No. ML083310185)
- 3. U.S. Nuclear Regulatory Commission, Digital Instrumentation and Controls, Revision 2, "DI&C-ISG-02 Task Working Group #2: Diversity and Defense-in-Depth Issues Interim Staff Guidance," June 5, 2009 (ADAMS Accession No. ML091590268)
- 4. U.S. Nuclear Regulatory Commission, NUREG-0800, Revision 5, "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR [Light-Water Reactor] Edition," (SRP), (ADAMS Accession No. ML070880680)
- 5. U.S. Nuclear Regulatory Commission, Letter S. Peterson (NRC), to G. Rueger, (PG&E), "Issuance of Amendments for Diablo Canyon Nuclear Power Plant, Unit No. 1 (TAC No. M84580) and Unit No. 2 (TAC No. M84581)," October 7, 1993 (ADAMS Accession No. ML022350074)
- 6. PG&E, Letter DCL-10-114, Revision 1, "Submittal of Diablo Canyon Power Plant Topical Report, Process Protection System Replacement Diversity & Defense-in-Depth Assessment," September 9, 2010 (ADAMS Accession No. ML102580726)
- 7. U.S. Nuclear Regulatory Commission, Letter "Diablo Canyon Power Plant, Unit Nos. 1 and 2 - Safety Evaluation for Topical Report, "Process Protection System Replacement Diversity & Defense-In-Depth Assessment" (TAC Nos. ME4094 and ME4095)," April 19, 2011 (ADAMS Accession No. ML110480845)
- 8. Triconex Corporation, Triconex Topical Reports 7286-545, Revision 1, "Qualification Summary Report" and 7286-546, "Amendment 1 to Qualification Summary Report," published as EPRI TR-1000799, "Generic Qualification of the Triconex Corporation TRICON Triple Modular Redundant Programmable Logic Controller System for Safety-Related Applications in Nuclear Power Plants," November 2000 (ADAMS Accession No. ML003757032)
- 9. Triconex Corporation, Triconex Topical Report 7286-546, Revision 0, "Amendment 1 to Qualification Summary Report," March 19, 2001 (ADAMS Accession Number ML010810143)
- 10. Triconex Corporation, Triconex Topical Report 7286-546, Revision 1, "Amendment 1 to Qualification Summary Report," June 25, 2001 (ADAMS Accession Number ML011790327)
- 11. U.S. Nuclear Regulatory Commission, NRC Letter from S. Richards (NRC) to J. Martel (Triconex Corporation), "Review of Triconex Corporation Topical Reports 7286-545, "Qualification Summary Report" and 7286-546, "Amendment 1 to Qualification Summary Report," Revision 1 (TAC No. MA8283)," December 11, 2001 (published as EPRI TR-1003114) (ADAMS Accession No. ML013470433)
- 12. Invensys Operations Management, Letter No. NRC-V10-11-001, B. Haynes (Invensys Operations Management) to NRC, "Nuclear Safety-Related Qualification of the Tricon TMR Programmable Logic Controller (PLC) - Update to Qualification Summary Report Submittal and "Application for withholding Proprietary Information from Public Disclosure (TAC No. ME2435),"" dated January 5, 2011 (ADAMS Accession No. ML110140437), supplementing Letter No. NRC-V10-09-01, J. Polcyn (Invensys Operations Management) to NRC, "Nuclear Safety-Related Qualification of the Tricon TMR Programmable Logic Controller (PLC) - Update to Qualification Summary Report Submittal and "Application for withholding Proprietary Information from Public Disclosure,"" September 9, 2009 (ADAMS Accession No. ML092870628)
- 13. Invensys Operations Management, Topical Report 7286-545-1, Revision 4, "Triconex Topical Report," December 20, 2010 (ADAMS Accession No. ML110140443)
- 14. U.S. Nuclear Regulatory Commission, Letter to Wolf Creek Generating Station, "Issuance of Amendment Re: Modification of the Main Steam and Feedwater Isolation System Controls (TAC NO. MD4839)," March 31, 2009 (ADAMS Accession No. ML090610317)
- 15. CS Innovations, Letter No. 6002-00301, D. Dunsavage (CS Innovations) to NRC, "CS Innovations ALS Topical Report and Supporting Documents Submittal Follow Up of Non-proprietary Document Versions" dated August 13, 2010 (ADAMS Accession No. ML102570791), including CS Innovations, Document No. 6002-00301, Revision 1, "Advanced Logic System Topical Report," and CS Innovations, Document No. 6002-00301-NP, Revision 1, "ALS Topical Report and Supporting Documents Submittal," August 11, 2010 (ADAMS Accession No. ML102570797)
- 16. CS Innovations, Document No. 6002-00031, Revision 1, "ALS Diversity Analysis," July 29, 2010 (ADAMS Accession No. ML102160479)
- 17. Westinghouse Electric Company, Document No. WNA-DS-02442-PGE, Revision 2, "Diablo Canyon Units 1 & 2 Process Protection System Replacement Project, Advanced Logic System (ALS) - System Requirements Specification (Proprietary)," September 2011, contained in Letter No. LTR-NRC-11-50, from J. Gresham (Westinghouse) to NRC, "Submittal of WNA-DS-02442-PGE, Rev. 2, "Diablo Canyon Units 1 & 2 Process Protection System Replacement Project, Advanced Logic System (ALS) System - Requirements Specification (Proprietary),"" dated September 27, 2011
- 18. U.S. Nuclear Regulatory Commission, NRC Letter to Duke Energy Carolinas, LLC, "Oconee, Units 1, 2 & 3, Issuance of Amendment Nos. 366, 368, and 367, Reactor Protective System and Engineered Safeguard Protection System Digital Upgrade," January 28, 2010 (ADAMS Accession No. ML100220016)
- 19. CS Innovations, Document No. 6116-00011, Revision 0, "Diablo Canyon Process Protection System ALS System Design Specification," September 2011, contained in Letter from S. Roberts (CS Innovations) to NRC, "Submittal of Advanced Logic System Documents (Proprietary)," dated September 28, 2011
- 20. CS Innovations, Document No. 6116-10201, Revision 0, "Diablo Canyon Process Protection System ALS-102 FPGA Requirements Specification," September 2011, contained in Letter from S. Roberts (CS Innovations) to NRC, "Submittal of Advanced Logic System Documents (Proprietary)," dated September 28, 2011
- 21. Institute of Electrical and Electronic Engineers, IEEE Standard 603-1991, "Standard Criteria for Safety Systems for Nuclear Power Generating Stations"
- 22. U.S. Nuclear Regulatory Commission, 10 CFR 50.62, "Requirements for Reduction of Risk from Anticipated Transients without Scram (ATWS) Events for Light-Water-Cooled Nuclear Power Plants"
- 23. U.S. Nuclear Regulatory Commission, Regulatory Guide 1.180, Revision 1, "Guidelines for Evaluating Electromagnetic and Radio-Frequency Interference in Safety-Related Instrumentation and Control Systems"
- 24. Invensys Operations Management, Document No. NTX-SER-09-10, Revision 2, "Tricon Applications in Nuclear Reactor Protection Systems - Compliance with NRC ISG-2 & ISG-4," January 5, 2011 (ADAMS Accession No. ML110140437)
- 25. Invensys Operations Management, Document No. 993754-1-912 "Diablo Canyon Triconex PPS ISG-04 Conformance Report"
- 26. PG&E, "Diablo Canyon Updated Final Safety Analysis Report," Revision 19
- 28. PG&E, "DCPP Units 1 & 2 Process Protection System Replacement Functional Requirements Specification (FRS)"
- 29. PG&E, "DCPP Units 1 & 2 Process Protection System Replacement Interface Requirements Specification (IRS)"
- 30. Institute of Electrical and Electronic Engineers, IEEE Standard 308-1980, "Criteria for Class 1E Electric Systems for Nuclear Power Generating Stations"
- 31. Invensys Operations Management, "Corporate Nuclear Quality Assurance Manual (IOM-Q2)"
- 32. Invensys Operations Management, Document No. NTX-SER-09-021, "Nuclear System Integration Program Manual"
- 33. CS Innovations, Document No. 9000-00000, Revision 4, "Quality Assurance Manual"
- 34. Invensys Operations Management, Document No. 9600164-541, "Triconex System Description," July 24, 2007
- 35. Invensys Operations Management, "Planning and Installation Guide for Tricon V9-V10 Systems, Part No. 97200077-002" (Appendix B to Triconex Topical Report 7286-545-1, Revision 4) (ADAMS Accession No. ML110140443)
- 36. U.S. Nuclear Regulatory Commission, U.S. NRC Regulatory Guide 1.97, Revision 4, "Criteria for Accident Monitoring Instrumentation of Nuclear Power Plants," March 28, 2006 (ADAMS Accession No. ML060870349)
- 38. U.S. Nuclear Regulatory Commission, NUREG-0700, "Human-System Interface Design Review Guidelines," 2002
- 39. Westinghouse, Document No. WCAP-11082, Revision 6, "Diablo Canyon: Request for Withholding Information from Public Disclosure," October 28, 2003 (ADAMS Accession No. ML033020380)
- 40. U.S. Nuclear Regulatory Commission, Regulatory Information Summary 2006-17, "NRC Staff Position on the Requirements of 10 CFR 50.36, "Technical Specifications," Regarding Limiting Safety System Settings During Periodic Testing and Calibration of Instrument Channels," August 24, 2006
- 41. Technical Specification Task Force, TSTF-493, Revision 4, "Clarify Application of Setpoint Methodology for LSSS Functions," February 23, 2009 (ADAMS Accession No. ML092150990)
- 42. PG&E, "Diablo Canyon Power Plant Units 1 & 2 Technical Specifications"
- 43. PG&E, "Diablo Canyon Power Plant Units 1 & 2, Technical Specifications Bases"
- 44. U.S. Nuclear Regulatory Commission, 10 CFR 73.54, "Protection of Digital Computer and Communication Systems and Networks"
- 45. U.S. Nuclear Regulatory Commission, Regulatory Guide 1.152, Revision 3, "Criteria for Use of Computers in Safety Systems of Nuclear Power Plants"
- 46. U.S. Nuclear Regulatory Commission, Regulatory Guide 5.71, Revision 0, "Cyber Security Programs for Nuclear Facilities," January 2010
- 47. Nuclear Energy Institute, NEI 08-09, Revision 6, "Cyber Security Plan for Nuclear Reactors"
- 48. U.S. Nuclear Regulatory Commission, Letter to PG&E, "Diablo Canyon Power Plant, Unit Nos. 1 and 2 - Issuance of Amendments RE: Approval of Cyber Security Plan (TAC Nos. ME4290 and ME4291)," July 15, 2011, including approved Cyber Security Plan
- 50. PG&E, DCPP Procedure CF2.1D2, Revision 10, "Software Configuration Management for Plant Operations and Operations Support"
- 52. PG&E, DCPP "Process Protection System (PPS) Replacement System Quality Assurance Plan (SyQAP)," Revision 0
Revision 0
- 54. CS Innovations, Document No. 6002-00003, Revision 4, "ALS V&V Plan" (ADAMS Accession No. ML110410380)
- 56. CS Innovations, Document No. 6002-00005, "ALS Test Plan"
- 57. PG&E, "DCPP Process Protection System Replacement Concept, Requirements, and Licensing Phase 1 Project Plan," Revision 1
- 58. American National Standards Institute, ANSI NQA-1, "Quality Assurance Requirements for Nuclear Facility Applications," 1994
- 59. CS Innovations, Document No. 6002-00000, Revision 2, "ALS Management Plan" (ADAMS Accession No. ML110410380)
- 60. CS Innovations, Document No. 6116-00000, Revision 0, "Diablo Canyon PPS Management Plan," contained in Letter from S. Roberts (CS Innovations) to NRC, "Submittal of Advanced Logic System Documents (Proprietary)," dated September 28, 2011
- 61. CS Innovations, Document No. 9000-00313, Revision 3, "FPGA Development Procedure"
- 62. CS Innovations, Document No. 9000-00311, Revision 5, "Electronics Development Procedure"
- 63. CS Innovations, Document No. 6002-00001, Revision 4, "ALS Quality Assurance Plan"
- 64. CS Innovations, Document No. 6002-00006, "ALS Security Plan"
- 65. Institute of Electrical and Electronic Engineers, IEEE Standard 323-1983, "IEEE Standard for Qualifying Class IE Equipment for Nuclear Power Generating Stations"
- 66. CS Innovations, Document No. 6002-00002, "ALS Configuration Management Plan"
- 67. CS Innovations, Document No. 6116-00005, Revision 0, "Diablo Canyon PPS System Test Plan," contained in Letter from S. Roberts (CS Innovations) to NRC, "Submittal of Advanced Logic System Documents (Proprietary)," dated September 28, 2011
- 68. CS Innovations, Document No. 6002-00010, Revision 7, "ALS Platform Requirements Specification" (ADAMS Accession No. ML110600671)
- 69. Invensys Operations Management, Triconex Document No. 993754-1-905, "Process Protection System Replacement DCPP Software Project Management Plan (PMP)"
- 70. Invensys Operations Management, Triconex Document No. 993754-1-906, "Process Protection System Replacement DCPP Software Development Plan (SDP)"
- 71. Invensys Operations Management, Triconex Document No. 993754-1-801, "Process Protection System Replacement DCPP Software Quality Assurance Plan (SQAP)"
- 72. Invensys Operations Management, Triconex Document No. 993754-1-911, "Process Protection System Replacement DCPP Software Safety Plan (SSP)"
- 73. Invensys Operations Management, Triconex Document No. 993754-1-802, "Process Protection System Replacement DCPP Software V&V Plan (SWP)"
- 74. Invensys Operations Management, Triconex Document No. 993754-1-813, "Process Protection System Replacement DCPP Software Validation Test Plan (VTP)"
- a. Triconex Document No. 993754-11-809, "Process Protection System Replacement DCPP Software Requirements Specification Protection Set I"
- b. Triconex Document No. 993754-12-809, "Process Protection System Replacement DCPP Software Requirements Specification Protection Set II"
- c. Triconex Document No. 993754-13-809, "Process Protection System Replacement DCPP Software Requirements Specification Protection Set III"
- d. Triconex Document No. 993754-14-809, "Process Protection System Replacement DCPP Software Requirements Specification Protection Set IV"
- 76. Invensys Operations Management, Triconex Document No. 993754-1-910, "Process Protection System Replacement DCPP Tricon PPS Software Integration Plan (SIntP)"
- 77. Invensys Operations Management, Triconex Document No. 993754-1-909, "Process Protection System Replacement DCPP Software Configuration Management Plan (SCMP)"
- 78. International Society of Automation, ISA 67.04-2006, "Setpoints for Nuclear Safety-Related Instrumentation"
- 79. EPRI, Document No. TR-102323, Revision 1, "Guidelines for Electromagnetic Interference Testing in Power Plants"
- 80. Institute of Electrical and Electronic Engineers, IEEE Standard 7-4.3.2-2003, "Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations"
- 81. EPRI, Document No. TR-107330, "Generic Requirements Specification for Qualifying Commercially Available PLC for Safety-Related Applications in Nuclear Power Plants"
- 82. CS Innovations, Document No. 6002-10212, Revision 1, "ALS-102 FPA, FMEA, and Reliability Analysis" (ADAMS Accession No. ML110410380)
- 83. CS Innovations, Document No. 6002-30212, Revision 1, "ALS-302 FPA, FMEA, and Reliability Analysis" (ADAMS Accession No. ML110410380)
- 84. CS Innovations, Document No. 6002-31112, Revision 1, "ALS-311 FPA, FMEA, and Reliability Analysis" (ADAMS Accession No. ML110410380)
- 85. CS Innovations, Document No. 6002-32112, Revision 1, "ALS-321 FPA, FMEA, and Reliability Analysis" (ADAMS Accession No. ML110410380)
- 86. CS Innovations, Document No. 6002-40212, Revision 1, "ALS-402 FPA, FMEA, and Reliability Analysis" (ADAMS Accession No. ML110410380)
- 87. CS Innovations, Document No. 6002-42112, Revision 1, "ALS-421 FPA, FMEA, and Reliability Analysis" (ADAMS Accession No. ML110410380)
- 88. U.S. Nuclear Regulatory Commission, 10 CFR 2.390, "Public Inspections, Exemptions, Requests for Withholding"
- 89. Institute of Electrical and Electronic Engineers, IEEE Standard 384-1981, "Standard Criteria for Independence of Class 1E Equipment and Circuits"
- 90. Institute of Electrical and Electronic Engineers, IEEE Standard 420-1982, "Design and Qualification of Class 1E Control Boards, Panels, and Racks Used in Nuclear Power Generating Stations"
- 91. Institute of Electrical and Electronic Engineers, IEEE Standard 494-1974 (R1990), "Methods for Identification of Documents Related to Class 1E Equipment and Systems for Nuclear Power Generating Stations"
- 92. Institute of Electrical and Electronic Engineers, IEEE Standard 384-1992, "Standard Criteria for Independence of Class 1E Equipment and Circuits"
- 93. Invensys Operations Management, Triconex Document No. 7286-540, "Tricon Nuclear Qualification Program Master Configuration List (MCL)"
- 94. CS Innovations, Document No. 6002-10202, "ALS-102 Design Specification"
- 95. CS Innovations, Document No. 6002-00011, Revision 6, "ALS Platform Specification" (ADAMS Accession No. ML110600671)
- 97. PG&E, Letter DCL-92-203, "License Amendment Request 92-05, Eagle 21 Process Protection System Upgrade and Resistance Temperature Detector Bypass Elimination," September 21, 1992
- 98. U.S. Nuclear Regulatory Commission, Letter to PG&E "Issuance of Amendments for Diablo Canyon Nuclear Power Plant, Unit No. 1 (TAC No. M84580) and Unit No. 2 (TAC No. M84581)" dated October 7, 1993 (ADAMS Accession No. ML022350074)
- 99. Institute of Electrical and Electronic Engineers, IEEE Standard 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Systems"
- 100. U.S. Nuclear Regulatory Commission, Regulatory Guide 1.62, "Manual Initiation of Protective Actions"
- 101. Institute of Electrical and Electronic Engineers, IEEE Standard 338-1987, "Criteria for the Periodic Surveillance Testing of Nuclear Power Generating Station Safety Systems"
- 102. Institute of Electrical and Electronic Engineers, IEEE Standard 497-1981, "Criteria for Accident Monitoring Instrumentation for Nuclear Power Generating Stations"
- 103. U.S. Nuclear Regulatory Commission, Regulatory Guide 1.22, "Periodic Testing of Protection System Actuation Functions"
- 104. U.S. Nuclear Regulatory Commission, Regulatory Guide 1.118, "Periodic Testing of Electric Power and Protection Systems"
- 105. U.S. Nuclear Regulatory Commission, Regulatory Guide 1.47, "Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems"
- 106. CS Innovations, Document No. 6002-30202, "ALS-302 Design Specification"
- 107. CS Innovations, Document No. 6002-31102, "ALS-311 Design Specification"
- 108. CS Innovations, Document No. 6002-32102, "ALS-321 Design Specification"
- 109. CS Innovations, Document No. 6002-40202, "ALS-402 Design Specification"
- 110. CS Innovations, Document No. 6002-42102, "ALS-421 Design Specification"
- 111. U.S. Nuclear Regulatory Commission, Regulatory Guide 1.153, Revision 1, "Criteria for Safety Systems," June 1996
- 112. U.S. Nuclear Regulatory Commission, NUREG-0800, Branch Technical Position 7-17, "Guidance on Self-Test and Surveillance Test Provisions"
- 113. U.S. Nuclear Regulatory Commission, Regulatory Guide 1.152, "Criteria for Programmable Digital Computer System Software in Safety-Related Systems in Nuclear Plants," November 1985
- 114. Institute of Electrical and Electronic Engineers, IEEE Standard 7-4.3.2, "Application Criteria for Programmable Digital Computer System in Safety Systems of Nuclear Power Generating Stations," 1982
- 115. U.S. Nuclear Regulatory Commission, Regulatory Guide 1.153, "Criteria for Power, Instrumentation and Control Portions of Safety Systems," December 1985
- 116. Institute of Electrical and Electronic Engineers, IEEE Standard 603, "IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations," 1980
- 117. Institute of Electrical and Electronic Engineers, IEEE Standard 323, "IEEE Standard for Qualifying Class 1E Equipment for Nuclear Power Generating Stations," 1974
- 118. U.S. Nuclear Regulatory Commission, Regulatory Guide 1.100, "Seismic Qualification of Electrical Equipment for Nuclear Power Plants," March 1996
- 119. Institute of Electrical and Electronic Engineers, IEEE Standard 344, "IEEE Recommended Practices for Seismic Qualification of Class 1E Equipment for Nuclear Power Generating Stations," 1975
- 120. PG&E, Document No. 10115-J-NPG, Revision 1, "DCPP Units 1 & 2 Process Protection System Replacement Controller Transfer Function Specification"
- 121. Institute of Electrical and Electronic Engineers, IEEE Standard 352-1987, "Guide for General Principles of Reliability Analysis of Nuclear Power Generating Station Safety Systems"
- 122. EPRI, Document No. TR-107330, "Generic Requirements Specification for Qualifying a Commercially Available PLC for Safety Related Applications in Nuclear Power Plants," December 1996
- 123. Invensys Operations Management, Triconex Report 9600164-532, Revision 0, "Reliability/Availability Report," November 17, 2009 (ADAMS Accession No. ML093280312)
- 124. Invensys Operations Management, Triconex Report 9600164-535, Revision 1, "Software Qualification Report," January 5, 2010 (ADAMS Accession No. ML100192059)
- 125. Invensys Operations Management, Triconex Report 9600164-539, Revision 1, "Critical Digital Review," October 5, 2009 (ADAMS Accession No. ML092070715)
- 126. CS Innovations, Document No. 6002-00030, Revision 5, "ALS Design Tools" (ADAMS Accession No. ML110410380)
- 127. Institute of Electrical and Electronic Engineers, IEEE/EIA Standard 12207.0-1996, "Standard for Information Technology - Software Life Cycle Processes"
- 128. International Electrotechnical Commission, Document No. IEC 60880 (1989-09), "Nuclear Power Plants - Instrumentation and Control Systems Important to Safety - Software Aspects for Computer-Based Systems Performing Category A Functions"
- 129. Institute of Electrical and Electronic Engineers, IEEE Standard 730, "Software Quality Assurance Plans," 1998
- 130. Institute of Electrical and Electronic Engineers, IEEE Standard 1074-1995, "IEEE Standard for Developing Software Life Cycle Processes"
- 131. U.S. Nuclear Regulatory Commission, Regulatory Guide 1.168, Revision 1, "Verification, Validation, Reviews, and Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants"
- 132. U.S. Nuclear Regulatory Commission, Regulatory Guide 1.169, "Configuration Management Plans for Digital Computer Software Used in Safety Systems of Nuclear Power Plants"
- 133. U.S. Nuclear Regulatory Commission, Regulatory Guide 1.170, "Software Test Documentation for Digital Computer Software Used in Safety Systems of Nuclear Power Plants"
- 134. U.S. Nuclear Regulatory Commission, Regulatory Guide 1.171, "Software Unit Testing for Digital Computer Software Used in Safety Systems of Nuclear Power Plants"
- 135. U.S. Nuclear Regulatory Commission, Regulatory Guide 1.172, "Software Requirements Specifications for Digital Computer Software Used in Safety Systems of Nuclear Power Plants"
- 136. U.S. Nuclear Regulatory Commission, Regulatory Guide 1.173, "Developing Software Life Cycle Processes for Digital Computer Software Used in Safety Systems of Nuclear Power Plants"
- 137. Institute of Electrical and Electronic Engineers, IEEE Standard 1058-1998, "IEEE Standard for Software Project Management Plans"
- 138. Institute of Electrical and Electronic Engineers, IEEE Standard 1228-1994, "IEEE Standard for Software Safety Plans"
- 139. U.S. Nuclear Regulatory Commission, NUREG/CR-6101, "Software Reliability and Safety in Nuclear Reactor Protection Systems"
- 140. Institute of Electrical and Electronic Engineers, IEEE Standard 828-1998, "Software Configuration Management Plans," June 25, 1998
- 141. Institute of Electrical and Electronic Engineers, IEEE Standard 1042-1998, "Software Configuration Management"
- 142. PG&E, DCPP Final Safety Analysis Report, Chapter 17, "Quality Assurance," Revision 19
- 143. Institute of Electrical and Electronic Engineers, IEEE Standard 830-1993, "IEEE Recommended Practice for Software Requirements Specifications"
- 144. Invensys Operations Management, Triconex Document No. 993754-11-914, "Protection System Replacement DCPP PPS System Architecture Description"
- 145. Invensys Operations Management, Triconex Document No. NTX-SER-09-06, "Triconex Development Processes for PLDs in Nuclear Qualified Products"
- 146. Invensys Operations Management, Triconex Document No. NTX-SER-09-05, "Differences between the Tricon V9.5.3 System and the Tricon V10.2.1 System"
- 147. Invensys Operations Management, Triconex Document No. 993754-1-913, "Process Protection System Replacement DCPP Regulatory Guide 1.152 Conformance Report"
- 148. Institute of Electrical and Electronic Engineers, IEEE Standard 379-2000, "Single-Failure Criterion to Nuclear Power Generating Station Safety Systems"
- 149. U.S. Nuclear Regulatory Commission, Regulatory Guide 1.53, Revision 2, "Application of the Single-Failure Criterion to Safety Systems," November 2003
- 150. Invensys Operations Management, Triconex Document No. NTX-SER-10-14, Revision 0, "Tricon V10 Conformance to Regulatory Guide 1.152" (ADAMS Accession No. ML102040062)
- 151. U.S. Nuclear Regulatory Commission, 10 CFR Part 50, Appendix B, "Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants"
- 152. U.S. Nuclear Regulatory Commission, Regulatory Guide 1.70, Revision 1, "Standard Format and Content of Safety Analysis Reports for Nuclear Power Plants - LWR Edition"
- 153. PG&E, Diablo Canyon Power Plant Nuclear Procurement Control Program
- 154. U.S. Nuclear Regulatory Commission, 10 CFR Part 21, "Reporting of Defects and Noncompliance"