ML11319A064

993754-1-913(NP), Revision 0, Regulatory Guide 1.152 Conformance Report.
ML11319A064
Person / Time
Site: Diablo Canyon  Pacific Gas & Electric icon.png
Issue date: 09/06/2011
From: George Mcdonald
Invensys Operations Management, Invensys/Triconex
To:
Office of New Reactors
References
3500897372 993754-1-913(NP), Rev 0

Invensys Operations Management, Triconex

Project: PG&E PROCESS PROTECTION SYSTEM REPLACEMENT
Purchase Order No.: 3500897372
Project Sales Order: 993754

PACIFIC GAS & ELECTRIC COMPANY
NUCLEAR SAFETY-RELATED PROCESS PROTECTION SYSTEM REPLACEMENT
DIABLO CANYON POWER PLANT
REGULATORY GUIDE 1.152 CONFORMANCE REPORT
Document No. 993754-1-913 (-NP)

Revision 0, September 6, 2011. Non-Proprietary copy per 10CFR2.390

- Areas of Invensys Operations Management proprietary information, marked as [P], have been redacted based on 10CFR2.390(a)(4).

Author: G. McDonald, Application Engineer
Reviewer: K. Harris, Project Engineer
Approval: R. Shaffer, Project Manager

Invensys Operations Management, Triconex. Document: 993754-1-913. Title: Regulatory Guide 1.152 Conformance Report. Revision: 0. Date: 09/6/11

Document Change History
Revision 0, 09/6/11: Initial issue. Author: G. McDonald

Table of Contents

List of Tables (page 5)
List of Figures (page 6)
1.0 Introduction (page 7)
1.1 V10 Tricon Conformance to Regulatory Guide 1.152 (page 7)
1.2 Scope (page 9)
1.3 Abbreviations and Acronyms (page 9)
1.4 Definitions (page 11)
2.0 Process Protection System Replacement Scope (page 12)
2.1 Existing System (page 12)
2.2 Replacement System (page 13)
2.3 Tricon System Architecture (page 15)
2.3.1 Tricon Chassis Configurations (page 15)
3.0 Secure Development Environment for the PPS Application (page 18)
3.1 System Integration Processes at Invensys Operations Management Development Facility (page 20)
3.2 V10 Tricon Development Environment Security (Integration Facility) (page 20)
3.2.1 Access Control (page 21)
3.2.1.1 Physical Access (page 21)
3.2.1.2 Network Access (page 22)
3.2.2 Personnel Security (page 22)
3.2.2.1 Background Checks (page 22)
3.2.2.2 Employee Separation (page 23)
3.2.3 Administrative Controls (page 23)
3.2.4 Application Program Configuration and Source Code Control (page 23)
3.3 V10 Tricon Platform Design Features (page 24)
3.3.1 Hardware Design Features (page 25)
3.3.1.1 Tricon Redundancy (page 25)
3.3.1.2 Maintenance/Debug Front-Panel Ports (page 25)
3.3.1.3 Tricon Keyswitch (page 25)
3.3.1.4 Channel Out-of-Service Switches (page 26)
3.3.2 Software/Firmware Security (page 26)
3.3.2.1 TS1131 Application Program Protection (page 26)
3.3.2.2 TS1131 Role-Based Access (page 27)
3.3.2.3 Firmware Upgrades (page 28)
3.3.3 Communications Security (page 28)
3.3.3.1 Tricon Communication Module (page 29)
3.3.3.2 Communication Bus (page 30)
3.3.3.3 IOCCOM Processor (page 30)
3.3.3.4 Dual-Port RAM (page 30)
3.3.3.5 TCM Configuration (page 30)
3.3.3.6 End-to-End Communication Link Integrity (page 31)
4.0 Regulatory Guide 1.152 Conformance Table (page 32)
1.0 Functional and Design Requirements (page 32)
2.0 Secure Development and Operational Environment for the Protection of Digital Safety Systems (page 33)
2.1 Concepts Phase (page 37)
2.2 Requirements Phase (page 40)
2.2.1 System Features (page 40)
2.2.2 Development Activities (page 43)
2.3 Design Phase (page 43)
2.3.1 System Features (page 43)
2.3.2 Development Activities (page 47)
2.4 Implementation Phase (page 48)
2.4.1 System Features (page 48)
2.4.2 Development Activities (page 49)
2.5 Test Phase (page 52)
2.5.1 System Features (page 52)
2.5.2 Development Activities (page 54)
5.0 References (page 56)
Appendix A (page 58)
1.0 Potential Vulnerabilities of V10 Tricon (page 59)

LIST OF TABLES

Table 1. Invensys Operations Management Lifecycle (page 19)

LIST OF FIGURES

Figure 1. Westinghouse PWR Protection Scheme (page 7)
Figure 2. Existing DCPP Reactor Protection System with Eagle 21 (page 12)
Figure 3. Process Protection System Replacement (page 13)
Figure 4. PPS Replacement Architecture (page 14)
Figure 5. Tricon Main Chassis (page 15)
Figure 6. I/O Bus Ports (page 16)
Figure 7. V10 Tricon Pathway for Network Communications (page 29)


1.0 INTRODUCTION

The purpose of this document is to address the Diablo Canyon Power Plant (DCPP) Process Protection System (PPS) Replacement project with respect to conformance to the guidance contained in NRC Regulatory Guide (RG) 1.152, "Criteria for Use of Computers in Safety Systems of Nuclear Power Plants" (Reference 1). The project replaces the Westinghouse Eagle 21 Process Protection System, currently housed in Protection Racks 1-16 in the Cable Spreading Room, with a V10 Tricon-based PPS. The scope of the replacement concept is illustrated by the shaded area in Figure 1 below. Section 2.0 of this document provides an overview of the specific changes being made to the PPS.

Figure 1. Westinghouse PWR Protection Scheme

1.1 V10 Tricon Conformance to Regulatory Guide 1.152

The regulation section 10 CFR 50.55a(h) requires that protection systems for nuclear power plants meet the requirements of IEEE Std. 603-1991 (Reference 2) and the correction sheet dated January 30, 1995. With respect to the use of computers in safety systems, IEEE Std. 7-4.3.2-2003 (Reference 3) specifies computer-specific requirements to supplement the criteria and requirements of IEEE Std. 603-1998, "Standard Criteria for Safety Systems for Nuclear Power Generating Stations."

IEEE Std. 7-4.3.2-2003 evolved from IEEE Std. 7-4.3.2-1993 and reflects advances in digital technology. It also represents a continued effort by IEEE to support the specification, design, and implementation of computers in safety systems of nuclear power plants. In addition, IEEE Std. 7-4.3.2-2003 specifies computer-specific requirements to supplement the criteria and requirements of IEEE Std. 603-1998.

Clause 5.9, "Control of Access," of IEEE Std. 7-4.3.2-2003 refers to the requirements in Clause 5.9 of IEEE Std. 603-1998, which states, "The design shall permit the administrative control of access to safety system equipment. These administrative controls shall be supported by provisions within the safety systems, by provision in the generating station design, or by a combination thereof." IEEE Std. 7-4.3.2-2003 does not provide any additional guidance for computer-based system equipment and software systems to address the IEEE-603-1998 access control requirements of Clause 5.9 or the independence requirements of Clause 5.6.3.

Consequently, the NRC issued regulatory guidance in RG 1.152 concerning the security of the design and development phases of computer-based safety systems that was intended to address the criteria within these clauses. The regulatory guidance clarified the staff's regulatory positions specifically concerned with the access controls and protective measures applied to the development of digital safety systems and with the ability of security features within the system to maintain system integrity and reliability in the event of inadvertent operator actions and undesirable behavior of connected equipment. The guidance was not intended to address the ability of those security features to thwart malicious cyber attacks. Rather, the requirements of 10 CFR 73.54, "Protection of Digital Computer and Communication Systems and Networks,"

specifies the requirements for licensees to develop cyber-security plans and programs to protect critical digital assets, including digital safety systems, from malicious cyber attacks, with RG 5.71, "Cyber Security Programs for Nuclear Facilities" (Reference 4), providing guidance to meet the requirements of 10 CFR 73.54.

Secure Development Environment is defined as the condition of having appropriate physical, logical and programmatic controls during the system development phases (i.e., concepts, requirements, design, implementation, testing) to ensure that unwanted, unneeded and undocumented functionality (e.g., superfluous code) is not introduced into digital safety systems.

Secure Operational Environment is defined as the condition of having appropriate physical, logical and administrative controls within a facility to ensure that the reliable operation of digital safety systems is not degraded by undesirable behavior of connected systems and events initiated by inadvertent access to the system.

The establishment of a Secure Development and Operational Environment (SDOE) for digital safety systems, in the context of Regulatory Guide 1.152, refers to: (1) measures and controls taken to establish a secure environment for development of the digital safety system against undocumented, unneeded and unwanted modifications and (2) protective actions taken against a predictable set of undesirable acts (e.g., inadvertent operator actions or the undesirable behavior of connected systems) that could challenge the integrity, reliability, or functionality of a digital safety system during operations. These SDOE actions may include adoption of protective design features into the digital safety system design to preclude inadvertent access to the system and/or protection against undesirable behavior from connected systems when operational.

The Tricon is a mature, flexible, robust, and fault tolerant controller and, as such, is ideally suited for critical control and safety-related applications in nuclear power plants. The Invensys Operations Management V10 Tricon Topical Report 7286-545-1 (Reference 6) demonstrates that the Tricon is sufficiently robust, and the quality of manufacturing hardware and operating software is sufficient for use in Nuclear Power Plant (NPP) and nuclear facility safety-related systems. In addition, the generic conformance of the V10 Tricon platform to RG 1.152 is addressed in Invensys Operations Management document NTX-SER-10-14 (Reference 8).

Based on the definition of "security" in the RG and discussions in this document, the V10 Tricon PPS conforms to the guidance in Regulatory Positions 2.1 through 2.5 contained in RG 1.152.

1.2 Scope

The scope of this document is the conformance of the Tricon-based DCPP PPS Replacement to Regulatory Guide 1.152 for application phase development, testing, and delivery of the system.

Conformance of the system during the Operational Phase (Secure Operating Environment) is addressed by PG&E in other document(s).

Section 3.0 of this document provides a description of the Tricon PPS Replacement Development Environment Security during application design, manufacturing, and testing prior to delivery to DCPP.

Section 4.0, Regulatory Guide 1.152 Conformance Table, provides additional details on V10 Tricon conformance to Regulatory Positions 2.1 through 2.5 of the Regulatory Guide. Appendix A, Vulnerability Assessment of PPS, discusses potential vulnerabilities of the Tricon PPS Replacement that are not mitigated by platform or application design.

1.3 Abbreviations and Acronyms

ACK - Acknowledge (e.g., during network communication handshaking)
AI - Analog Input
ALS - Advanced Logic System
AO - Analog Output
CFR - Code of Federal Regulations
COM - Communication(s)
COMBUS - Communications Bus
COTS - Commercial Off-The-Shelf (software)
CRC - Cyclic Redundancy Check
D3 - Diversity and Defense in Depth
DCPP - Diablo Canyon Power Plant
DCS - Distributed Control System
DI - Digital Input
DO - Digital Output
DPRAM - Dual-Port Random Access Memory
EDM - Invensys Engineering Department Manual
ESFAS - Engineering Safety Features Actuation System
ETSX - Enhanced Tricon System Executive
EXP - Tricon Expansion Chassis
FPGA - Field Programmable Gate Array
HSI - Human/System Interface
IEEE - Institute of Electrical and Electronics Engineers
I/O - Input/Output
IOCCOM - I/O Controller/Communications Controller
IP - Internet Protocol
ISG - Interim Staff Guidance
IV&V - Independent Verification & Validation
MP - 3008N Main Processor
NAK - Negative Acknowledgement (e.g., during communication handshaking)
NPP - Nuclear Power Plant
NRC - U.S. Nuclear Regulatory Commission
NSIPM - Invensys Nuclear Systems Integration Program Manual
NUREG - Nuclear Regulatory
OSI - Open Systems Interconnect
P2P - Peer-to-Peer
PG&E - Pacific Gas & Electric
PLC - Programmable Logic Controller
PPM - Invensys Project Procedures Manual
PPS - Process Protection System
RG - Regulatory Guide
RPS - Reactor Protection System
RTS - Reactor Trip System
RXM - Remote Expansion Chassis
SAP - System Application Protocol
SER - Safety Evaluation Report
SSPS - Solid State Protection System
SVDU - Safety(-related) Video Display Unit
TCM - Tricon Communication Module
TCP - Transmission Control Protocol
TMR - Triple-Modular Redundant
TSAA - Tricon System Access Application
TR - Technical Report
VDU - Video Display Unit

1.4 Definitions

Channel: An arrangement of components, modules, and software as required to generate a single protective action signal when required by a generating station condition. A channel loses its identity where single action signals are combined.

Module: Any assembly of interconnected components that constitutes an identifiable device, instrument, or piece of equipment. A module can be disconnected, removed as a unit, and replaced with a spare. It has definable performance characteristics that permit it to be tested as a unit. A module can be a card or other subassembly of a larger device, provided it meets the requirements of this definition.

Components: Items from which the system is assembled (such as resistors, capacitors, wires, connectors, transistors, tubes, switches, and springs).

Protection Set: A protection set is a physical grouping of process channels with the same Class 1 electrical channel designation (I, II, III, or IV). Each of the four redundant protection sets is provided with separate and independent power feeds and process instrumentation transmitters. Thus, each of the four redundant protection sets is physically and electrically independent of the other sets.

Protective Function: A protective function is the sensing of one or more variables associated with a particular generating station condition, signal processing, and the initiation and completion of the protective action at values established in the design bases.

Protective Action: A protective action can be at the channel or the system level. A protective action at the channel level is the initiation of a signal by a single channel when the variable sensed exceeds a limit. A protective action at the system level is the initiation of the operation of a sufficient number of actuations to effect a protective function.

Diversity and Defense-In-Depth (D&D-in-D or D3): Requirement imposed on the Protection System design to ensure that required protective actions will occur to protect against Anticipated Operational Occurrences and Design Basis Accidents (as described in the FSARU) concurrent with a common cause failure (usually assumed to be software) that disables one or more echelons of defense.

Single Failure: Any single event that results in a loss of function of a component or components of a system. Multiple failures resulting from a single event shall be treated as a single failure.

2.0 PROCESS PROTECTION SYSTEM REPLACEMENT SCOPE

2.1 Existing System

The Process Protection System (PPS) monitors plant parameters, compares them against setpoints and provides signals to the Solid State Protection System (SSPS) if operating limits are exceeded. The SSPS evaluates the signals and performs Reactor Trip System (RTS) and Engineered Safety Feature Actuation (ESFAS) functions to mitigate the event that is in progress.

There are four separate PPS rack sets. Separation of redundant process channels begins at the process sensors and is maintained in the field wiring, containment penetrations, and process protection racks to the two redundant trains in the SSPS logic racks. Redundant process channels are separated by locating the electronics in different PPS rack sets.

The Westinghouse Eagle 21 PPS comprises Protection Racks 1-16. The functional relationship of Eagle 21 with the other components of the overall Reactor Protection System (RPS) is illustrated in Figure 2 below.

Figure 2. Existing DCPP Reactor Protection System with Eagle 21

2.2 Replacement System

The project replaces the Westinghouse Eagle 21 protection sets currently housed in Protection Racks 1-16. Figure 3 shows the Replacement PPS system.

Figure 3. Process Protection System Replacement

Replacement PPS protective functions are implemented in four (4) redundant protection sets, each using a software-based Invensys Triconex Tricon system to mitigate events where existing diverse and independent automatic mitigating functions are available per the Eagle 21 Diversity Report. For the events where existing analyses credit manual mitigative action, automatic protective functions are performed in a diverse Class 1E CS Innovations, LLC Advanced Logic System (ALS). The Diversity and Defense in Depth analysis for the Replacement PPS is documented in PG&E Topical Report, "Process Protection System Replacement Diversity & Defense-in-Depth Assessment" (Reference 15).

Figure 4 shows the PPS Replacement Architecture with Tricon and ALS hardware, typical of each protection set. Interfaces between the Tricon and other plant systems in the Operating Environment are shown.

Figure 4. PPS Replacement Architecture

Note 1: SSPS is original equipment.
Note 2: Qualified isolation devices to be used. Instrument classes are as shown on Instrument Schematics.
Note 3: Several Class IB PAM functions obtain their signals directly from the Class I input loop. No isolation is necessary because the input loop is the correct classification. Details are provided in the IRS.
Note 4: The hardwired TAB Enable switch prevents the ALS Service Unit (ASU) function (performed in the PPS replacement MWS) from communicating with the ALS except when the switch is activated.

2.3 Tricon System Architecture

2.3.1 Tricon Chassis Configurations

A Tricon system is composed of a Main Chassis and up to 14 Expansion (EXP) or Remote Expansion (RXM) Chassis. Two power supplies reside on the left side of all chassis, one above the other. In the Main Chassis (Figure 5), the three 3008N Main Processors (MPs) are located immediately to the right of the power supplies. The remainder of the chassis is divided into six logical slots for I/O and communication modules and one dedicated COM slot with no hot-spare position. Each logical slot provides two physical spaces for modules, one for the active module and the other for its optional hot-spare module.

Figure 5. Tricon Main Chassis

The layout of an Expansion Chassis is similar to that of the Main Chassis, except that Expansion Chassis provide eight logical slots for I/O modules. (The spaces used by the MPs and the COM slot in the Main Chassis are now available for other purposes.) The Main and Expansion Chassis are interconnected by means of triplicated I/O Bus copper cables. Figure 6 shows the arrangement of the connectors on the chassis.

Figure 6. I/O Bus Ports

RXM Chassis are used for systems in which the total cable distance between the first chassis and the last chassis exceeds the distance that can be supported by copper. Each RXM Chassis houses a set of three RXM Modules in the same position as the Main Processors in the Main Chassis.

Six remaining logical slots are available in an RXM Chassis and one blank (unused) slot. The first RXM chassis after the Main Chassis, also called the "primary" RXM, is connected to the Main Chassis with the triplicated I/O bus cables similar to the Expansion chassis. Subsequent RXM chassis, called the "remote" RXM, are connected to the primary RXM using three RXM 4200-series Modules.

The 4200 and 4201 RXM Modules convert the system I/O Bus to multi-mode fiber optic cable.

No network communications are routed through the RXM Modules. As discussed in the Topical Report (Reference 6), the 4200 and 4201 RXM Modules are qualified electrical isolation devices. The application software executed in the safety-related Main Chassis (i.e., the 3008N MPs mounted in the Main Chassis) is developed and tested in accordance with NRC regulatory requirements for safety-related software. Furthermore, there are no I/O hardware or software failures that could occur in the non-safety remote RXM chassis that would prevent the safety function in the safety-related Main Chassis and primary RXM.

The PPS Architecture shown in Figure 4 shows the arrangement of safety and non-safety Tricon chassis. The safety-related Tricon chassis include the Main, a primary RXM, and an Expansion chassis connected via the triplicated copper I/O bus cables. The primary RXM chassis connects non-safety remote RXM chassis using the 4200-series RXM modules (i.e., multi-mode fiber optic cables). All devices on the fiber optic path between the primary and remote RXM chassis would be non-safety related components.

Further detail on Tricon internal bus architecture and communication mechanisms is found in NTX-SER-09-10 (Reference 10). Generic vulnerabilities related to communication links through the TCM and RXM modules are discussed in NTX-SER-10-14.

3.0 SECURE DEVELOPMENT ENVIRONMENT FOR THE PPS APPLICATION

The Tricon-based PPS Replacement is designed and produced by Invensys Operations Management in accordance with DCPP plant design and licensing requirements. The PPS Replacement satisfies regulatory guidance provided in RG 1.152 by a combination of (1) the inherent design features of the V10 Tricon platform, (2) the application-specific design features and development controls, and (3) the DCPP security controls on site. The Tricon platform security aspects are described in Invensys Operations Management Document NTX-SER-10-14 (Reference 8). Site controls are addressed in the DCPP site-specific security plan.

Regulatory guidance addresses design of computer-based systems, both system hardware and software, such that they are secure from vulnerabilities that could impact the reliability of the system. In the context of RG 1.152, "vulnerabilities" are considered to be:

1) Deficiencies in the design that may allow inadvertent, unintended, or unauthorized access or modifications to the safety system that may degrade the reliability, integrity or functionality of the safety system during operations; or
2) Inability of the system to sustain the safety function in the presence of undesired behavior of connected systems.

Based on the regulatory guidance, computer security includes the protection of digital computer-based systems throughout the development lifecycle of the system to prevent unauthorized, unintended, and unsafe modifications to the system. In addition, consideration of hardware should include physical access control, modems, connectivity to external networks, data links, and open ports. Invensys Operations Management supports the licensee Secure Development and Operational Environment (SDOE) by (1) designing platform features that will meet the licensee's secure operational environment requirements for the systems, (2) ensuring that the system is developed without undocumented codes (e.g., backdoor coding), unwanted functions or applications, and any other coding that could adversely affect the reliable operation of the digital system, and (3) maintaining a secure development environment in digital safety system facilities in accordance with the administrative procedures and the licensee's requirements.

Regulatory Guide 1.152 uses the Waterfall lifecycle model as a framework for the computer secure development environment guidance. The framework waterfall lifecycle phases from RG 1.152 correlate with the analogous phases from the Invensys Operations Management Nuclear Systems Integration Program Manual, NTX-SER-09-21 (NSIPM, Reference 9), as follows:

Table 1. Invensys Operations Management Lifecycle

    RG 1.152                                          NSIPM
    Concepts                                          Acquisition and Planning
    Requirements                                      Requirements
    Design                                            Design
    Implementation                                    Implementation
    Test                                              Test
    Installation, Checkout, and Acceptance Testing    Delivery
    Operation                                         (Invensys support is determined on a
    Maintenance                                        project-by-project basis per project
    Retirement                                         contract.)

It is important to note the differences between the above lifecycle models. The regulatory guidance addresses computer security from conceptual design through operation and maintenance to retirement. As a supplier of digital safety systems, Invensys Operations Management necessarily requires two lifecycle models. One is for the design and development of the Tricon platform, which is described in NTX-SER-10-14. The second lifecycle model, which is described in the NSIPM, is applied to nuclear safety-related system integration projects (application development and implementation at the Invensys Operations Management facility) when working with nuclear Licensees on site-specific upgrades using the Tricon platform. The NSIPM lifecycle essentially ends with the delivery of the customer's integrated system and does not cover the Operation, Maintenance, and Retirement lifecycle phases. Therefore, based on the structure of the regulatory guidance in RG 1.152, the approach to describing conformance in this document is to address the system integration development environment issues and controls through delivery to the plant.

In conformance with RG 1.152, Invensys Operations Management has taken measures to protect safety systems during application development from inadvertent actions that may result in unintended consequences to the system. Invensys Operations Management computer security controls include the protection of both physical and logical access to the nuclear integration project development data (engineering documents, quality records, etc.) and V10 Tricon equipment and software. Security controls are provided to prevent unauthorized changes via network connections during engineering development and nuclear system integration projects.

The following paragraphs (3.1 to 3.4) describe the system integration process and measures that protect the PPS Replacement application system integrity while being developed in the Invensys Operations Management Lake Forest, CA facility. Section 4.0 provides a matrix specifically addressing compliance with Regulatory Positions 2.1 through 2.5 of RG 1.152.

3.1 System Integration Processes at Invensys Operations Management Development Facility

During the integration process at the Lake Forest facility, Invensys Operations Management performs detailed design of the PPS Replacement, procurement and assembly of hardware, design and development of application software programs, and Factory Acceptance Testing.

Site-specific security requirements flow down to Invensys Operations Management via the procurement process.

Based on conceptual design information and plant specific security requirements, Invensys Operations Management designs, integrates, and tests the PPS Replacement Protection Sets at the Lake Forest Facility prior to shipment to the Diablo Canyon Power Plant for installation.

The following Design Input Documents contain the security performance requirements for the PPS Replacement Protection Sets:

PG&E PPS Replacement Conceptual Design Document (Reference 12)

PG&E PPS Replacement Functional Requirements Specification (Reference 13)

PG&E PPS Replacement Interface Requirements Specification (Reference 14)

The Invensys Operations Management NSIPM requires that these security requirements have traceability through system integration testing (typical Invensys scope of supply). This requirement is met, in part, through code reviews and walkthroughs of the site-specific V10 Tricon application software to prevent undocumented codes (e.g., backdoor coding), unwanted functions or applications, and any other coding that could adversely impact the reliable operation of the digital system. (See lifecycle compliance details in Section 4.0.)

All requirements of the system, including security features, are validated and certified. While the PPS Replacement is under development in the Lake Forest facility, hardware and software development work is carried out under an Appendix B QA program as defined in the NSIPM and implemented by the Project Procedures Manual (PPM) (Reference 11). This includes application lifecycle activities consistent with RG 1.152 positions 2.1 through 2.5. Extensive measures as discussed below are provided to control access as appropriate to prevent inadvertent degradation of PPS Replacement hardware or software that could affect integrity, reliability, or functionality.

The sections below discuss further security controls over the Invensys Operations Management development environment and the security features built into the V10 Tricon.

3.2 V10 Tricon Development Environment Security (Integration Facility)

Security controls in place for the application software development environments include network firewall protection, server and workstation anti-virus protection, password-based access control, administrative restrictions on write permissions, and control of source code versions and protection of record versions. The ability to embed an access backdoor or malicious code in system or application software would require not only access but also expert knowledge of the programming conventions and tools to avoid immediate detection through erratic behavior or design measures (e.g., comparison of code against checksums during initialization, failed execution of undefined or erroneous code, or rejection of communication messages based on format nonconformance). In-house measures at the Lake Forest facility ensure the fidelity of software and version control.

3.2.1 Access Control

Tricon safety-related nuclear system integration projects are performed at the Invensys Operations Management facility in Lake Forest, California. This includes application program development and nuclear system integration testing. The safety-related nuclear procedures (PPMs) at the Lake Forest facility govern V10 Tricon safety-related nuclear system integration projects such as the PPS Replacement. These procedures implement the requirements of the NSIPM (Reference 9).

3.2.1.1 Physical Access

Lake Forest Facilities Management maintains physical access controls over the facility and, indirectly, critical network servers. The facility manager issues both access security cards and photo ID badges for full time employees. Part-time and contract employees and visitors are also issued special badges to wear. All security access cards are issued with associated security access documentation, with access authorized by the responsible management to areas appropriate to the employee job responsibilities.

Access to the Invensys Operations Management network servers is controlled by the Invensys Global Information Services (GIS) department, which serves a traditional information technology role for Invensys. Local GIS personnel, as well as the personnel responsible for maintaining the Lake Forest F-1 facility (e.g., lighting, electrical, heating and cooling), are allowed to enter the room in which the network servers are located.

3.2.2 Personnel Security

3.2.2.1 Background Checks

In North America, Canada, and Mexico, Invensys Operations Management conducts background checks on all new hires. The check includes the following:

US Standard Package

  • Social Security Trace
  • County Criminal Felony & Misdemeanor - 7 years; addresses as revealed by the SSN trace
  • Federal Criminal - per district
  • Motor Vehicle - current state of residency
  • Education Highest Degree
  • Employment History - up to 7 years, and two previous employers
  • National Criminal Database Search
  • Professional Reference Check (1)
  • Credit Check (if required for position)

Canadian Standard Package

  • County Criminal Felony & Misdemeanor (1)
  • Employment Report (2)
  • Professional Reference Check (1)
  • MVR
  • Credit Check (if required for position)

Mexico Standard Package (Reynosa)

  • Employment History - up to three previous employers
  • Infonavit (national housing agency) - cross verification of previous employers
  • Education History (diplomas, certifications)
  • Birth and Marriage Certificate Verification
  • Verification of Registration Document CURP
  • Verification of RFC (tax ID#)

  • Medical Examination
  • Drug Test

3.2.2.2 Employee Separation

On separation and/or termination of an employee, the picture ID badge and security badge are returned, the terminated employee is removed from the security system and access to the corporate network is disabled. In those cases when the badges are not returned, the account is monitored for a period of time after separation/termination.

3.2.3 Administrative Controls

Administrative controls for safety related materials (and activities affecting safety related materials) are established in the Invensys Operations Management QA program, which by definition is established to prevent inadvertent or unauthorized activities from impacting the safety function or reliability of safety related equipment and systems. The NSIPM and supporting QA procedures define the Integration Process controls for all phases of the project to assure that the customer system requirements are correctly and completely translated into a certified nuclear Tricon System application. The nuclear application project phases, consistent with RG 1.152, are:

  • Acquisition Phase
  • Planning Phase
  • Requirements Phase
  • Design Phase
  • Implementation Phase
  • Test Phase
  • Delivery Phase

Details of the Integration Project controls in each phase are described in the NSIPM. Supporting procedures (PPMs, QPMs, etc.) define specific measures for access control, design control, material control, marking, inspection and test status tagging, software development, testing, and nonconforming material handling at the Lake Forest facility. Application software development lifecycle processes are defined in detail in procedures and, as noted in Section 4.0, are compliant with RG 1.152 positions 2.1 through 2.5. Coupled with existing physical access controls, the standard Invensys Operations Management nuclear QA controls assure maintenance of hardware and software integrity during the integration project phase, through delivery to the customer.

3.2.4 Application Program Configuration and Source Code Control

The PPS Replacement Project Software Configuration Management Plan (SCMP), 993754-1-909 (Reference 16), defines measures for Configuration Control of application programs created during the Implementation Phase. Application programs are assigned unique identifiers for each application project. TriStation 1131 (TS1131) is the only qualified software tool used to generate Tricon System Application Programs. TS1131 has built-in configuration control features that assign revision numbers and automatically increment any changes, keeping a log of all changes and who made the changes (see Section 3.3.2). It is not possible to make changes to a TriStation program without the change being registered in the software program and being assigned a new version-increment number.

3.3 V10 Tricon Platform Design Features

Security is part of the V10 Tricon system and TS1131 designs. Invensys document NTX-SER-10-14 explains the aspects of the V10 Tricon design process and features that are intended to protect and reduce the vulnerability of the fielded V10 Tricon systems themselves.

For the PPS Replacement Project, the NSIPM (Reference 9) defines the overarching project integration activities, with the implementing procedures defined in the PPM. The Project Management Plan, 993754-1-905 (Reference 5), defines the PPS Replacement Project activities, including project team, organizational interfaces, etc. The security features, including requirements specific to the DCPP PPS Replacement Protection Sets, built into the Tricon V10 PPS Replacement are verified and validated in accordance with project requirements as defined in PG&E Design Input Documents.

During development of the Tricon Protection Set application program, peer reviews are performed on documents, logic, tests, and other electronic documents to ensure that the contents are complete, logical, correct, and also that the Tricon and TS 1131 designs include only the required functionality. This eliminates the possibility of inadvertent or malicious injection of faults and failures into the system and application program logic.

3.3.1 Hardware Design Features

The following sections discuss features of the Tricon that protect against single failures and mitigate unintended operator actions. The features protect against failure of a single module and against removal of the wrong module during maintenance, prevent unauthorized or unintended application code changes, and ensure a controlled firmware upgrade process for V10 Tricon modules. These features are generic to the V10 Tricon, and taken in combination with Licensee procedures at site, they are expected to mitigate a majority of failures, whether hardware or human.

3.3.1.1 Tricon Redundancy

  • Triple-modular redundant 3008N MPs have a 3-2-1 fail sequence. Therefore, pulling an active MP module does not cause system shutdown, but causes a system alarm.
  • Hot-spare I/O modules allow fail-over from active I/O module to hot spare.
  • Pulling a hot-standby module does not affect the system, but causes an alarm.

3.3.1.2 Maintenance/Debug Front-Panel Ports

  • 3008N MP and TCM have physical ports on front panels for debug and firmware upgrades.
  • Ports are not activated during run-time.
  • The application must first be halted before initiating the firmware update.
  • Firmware upgrades require specialized tools; these tools are not provided or sold to customers.

3.3.1.3 Tricon Keyswitch

As discussed in the V10 Tricon Topical Report, 7286-545-1, and supporting documentation (e.g., NTX-SER-09-10, Reference 10), the Tricon Main Chassis has a keyswitch that sets the system operating mode.

3.3.2 Software/Firmware Security

The following sections discuss features of the Tricon Protection Sets that ensure system software and firmware integrity during development. These features, taken in combination with programmatic controls contained in the Invensys Operations Management NSIPM (Reference 9), project controls contained in the Project Management Plan (993754-1-905, Reference 5), project Coding Guidelines (993754-1-907, Reference 18), procedure controls contained in the Invensys PPM, and DCPP site procedural controls, are expected to mitigate a majority of failures, whether hardware or human.

3.3.2.1 TS1131 Application Program Protection

TriStation (TS) 1131 Developer's Workbench is the engineering software tool used to develop and test the safety-related Protection Set application software. TS1131 was included in the NRC safety evaluation of Tricon V9, as documented in the V9 SER (Reference 7). Invensys standard procedure is to verify proper installation of TS1131 prior to developing the safety-related application program and downloading to the Tricon controller(s) (see project Coding Guidelines, 993754-1-907). The installation check ensures the TS1131 engineering tool and associated files are not corrupted. Furthermore, TS1131 is installed on maintenance laptops that have ECC memory.

The TS1131 application programs are identified by a ".PT2" extension, and the application programs are referred to as "PT2 files." Application programs (PT2 files) are protected with a CRC32 calculation. Any non-TS1131 modification to the PT2 file corrupts the CRC and is not recognized when subsequently opened in TS1131. The project Software Configuration Management Plan, 993754-1-909 (Reference 16), defines controls over the in-process and released application programs.

When downloading a PT2 file to the V10 Tricon controller, the TS1131 workstation must be connected to the controller at the TCM. The target system version selected upon creation of the PT2 file must be the same as the system version (ETSX Firmware release) of the Tricon controller being modified, otherwise the TS1131 workstation cannot connect to the controller.
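The two protections just described, worked as an added example that is not TriStation code: a CRC32-trailed PT2 container that the tool refuses when edited outside it, and the target-system-version gate that must pass before a download can connect. The container layout, the version strings and the program body are assumptions; the report does not describe the real PT2 format.

```python
"""Integrity and version gating of a PT2 application program file.

Added example modeled on Section 3.3.2.1; not TriStation 1131 code.
The container layout (version string, NUL separator, program body, then a
4-byte big-endian CRC32 trailer) and all sample values are constructed.
"""
import struct
import zlib
from dataclasses import dataclass


class Pt2Corrupt(ValueError):
    """The CRC32 trailer does not match the file body."""


@dataclass
class Pt2:
    target_system_version: str  # selected when the PT2 is created (assumed field)
    program: bytes              # application program body (constructed)


def _crc_trailer(body: bytes) -> bytes:
    return struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def save_pt2(p: Pt2) -> bytes:
    """Serialize the way the engineering tool would: body followed by its CRC32."""
    body = p.target_system_version.encode("ascii") + b"\0" + p.program
    return body + _crc_trailer(body)


def is_intact(blob: bytes) -> bool:
    """True when the trailer matches the body, i.e. no edit happened outside the tool.

    CRC32 catches accidental and out-of-tool edits (every single-bit flip and
    nearly all multi-byte changes); it is an integrity check, not a signature,
    which is why the report pairs it with the SCMP access and version controls.
    """
    if len(blob) < 4:
        return False
    body, trailer = blob[:-4], blob[-4:]
    return _crc_trailer(body) == trailer


def open_pt2(blob: bytes) -> Pt2:
    """Open a PT2 blob, refusing it (as the tool would) when the CRC32 is wrong."""
    if not is_intact(blob):
        raise Pt2Corrupt("CRC32 mismatch: PT2 file was modified outside the tool")
    version, _, program = blob[:-4].partition(b"\0")
    return Pt2(version.decode("ascii"), program)


def can_connect_for_download(blob: bytes, controller_etsx_version: str) -> bool:
    """Download gate: the file must be intact and its target system version
    must equal the controller's ETSX firmware release."""
    if not is_intact(blob):
        return False
    return open_pt2(blob).target_system_version == controller_etsx_version


if __name__ == "__main__":
    original = save_pt2(Pt2("ETSX-10.x (constructed)", b"Protection Set logic (constructed)"))
    print("intact:", is_intact(original))
    edited = bytearray(original)
    edited[30] ^= 0x01  # one bit changed in the program body, outside the tool
    print("intact after out-of-tool edit:", is_intact(bytes(edited)))
    print("can download to matching controller:",
          can_connect_for_download(original, "ETSX-10.x (constructed)"))
    print("can download to older controller:",
          can_connect_for_download(original, "ETSX-9.x (constructed)"))
```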

3.3.2.2 TS1131 Role-Based Access

TS1131 provides security controls configurable to satisfy project needs, particularly with regard to limiting access to important project data files. At a minimum, each new TriStation 1131 project is created with a user name and password. Every TS1131 operation is assigned a default security level and each user is assigned a security level that defines what operations a user can perform. User privileges are based on the security level assigned to the user, from the highest level (01) to the lowest level (10). Each level of security includes default settings for the operation privileges allowed for that level. For example, Level 03 includes privileges for operations associated with managing a TS1131 project. In addition, higher security levels inherit the privileges of lower levels. For example, if a particular TS1131 operation is set to Level 04, users with Levels 01, 02, and 03 privileges also have access to that operation. The multiple levels of access control help prevent unauthorized access to TriStation 1131.

If an existing TS1131 project was created by a user with restricted or administrator-level rights in Windows, other users must have the same access rights to open that project. Windows security file access rules apply to all TriStation project files. A user must have read/write access to a TS1131 project, and the folder it is located in, to be able to open the project. Access to project documents can be further restricted by settings on the documents and operating parameters. In accordance with Invensys Operations Management procedures, nuclear project documentation is stored on limited access areas of the network. These network security controls provide additional protection of the PPS Replacement Project documentation against unauthorized access and modification.

3.3.2.3 Firmware Upgrades

Firmware upgrades utilize Field Replaceable Software (FRS) files. An FRS file contains the image for updating a module's firmware. Firmware updates require that the module first be removed from the chassis. Additional security controls over the firmware upgrade process are:

  • Before starting the download process, the firmware update utility checks the module's hardware revision level to verify that it is compatible with the firmware version in the selected FRS.
  • If the selected firmware version for upgrade is incompatible with the module being upgraded, an error message is generated and the firmware download is prevented, to protect against downloading the wrong firmware to the module.
  • A firmware download is made up of multiple sections (or images). By default, if a section in the FRS file is the same version as that in the module, the section is not downloaded.
  • The firmware download cannot be stopped once the update process has begun.
  • There is no harm in downloading the same firmware more than once.
  • Once the firmware is installed, the installation is verified prior to reinstallation of the module into the Tricon chassis.
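The controls in the list above, modeled end to end as an added example rather than the Invensys update utility: hardware-revision compatibility is checked before anything is written, only sections whose version differs are downloaded, repeating the download is harmless, and the installation is verified before the module goes back. The FRS fields, the module model and every version number are constructed.

```python
"""Model of the FRS firmware-upgrade checks listed in Section 3.3.2.3.

Added example, not the Invensys firmware update utility. The FRS fields
(compatible hardware revisions, named sections with version strings), the
module model and all sample versions are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


class IncompatibleFirmware(Exception):
    """The FRS was built for a different hardware revision than this module."""


@dataclass
class FrsFile:
    compatible_hw_revisions: Tuple[str, ...]  # assumed field
    sections: Dict[str, str]                  # section (image) name -> version


@dataclass
class Module:
    hw_revision: str
    installed: Dict[str, str] = field(default_factory=dict)  # section -> version
    in_chassis: bool = True


def hardware_revision_compatible(module: Module, frs: FrsFile) -> bool:
    """First check in the report's list: refuse firmware built for another revision."""
    return module.hw_revision in frs.compatible_hw_revisions


def plan_download(module: Module, frs: FrsFile, force_all: bool = False) -> List[str]:
    """Sections that would actually be written, in FRS order.

    - the module must already be out of the chassis;
    - an incompatible hardware revision aborts before anything is written;
    - by default a section whose version already matches is skipped.
    """
    if module.in_chassis:
        raise RuntimeError("remove the module from the chassis before updating firmware")
    if not hardware_revision_compatible(module, frs):
        raise IncompatibleFirmware(
            f"FRS is for hw rev {frs.compatible_hw_revisions}, module is {module.hw_revision}")
    return [name for name, version in frs.sections.items()
            if force_all or module.installed.get(name) != version]


def download_firmware(module: Module, frs: FrsFile) -> List[str]:
    """Run the download; once started, every planned section is written (no stop point)."""
    planned = plan_download(module, frs)
    for name in planned:
        module.installed[name] = frs.sections[name]
    return planned


def installation_verified(module: Module, frs: FrsFile) -> bool:
    """Post-install check performed before the module is reinstalled in the chassis."""
    return all(module.installed.get(name) == version
               for name, version in frs.sections.items())


if __name__ == "__main__":
    frs = FrsFile(("A", "B"), {"boot": "1.2", "app": "3.4"})
    mod = Module("A", {"boot": "1.2", "app": "3.3"}, in_chassis=False)
    print("download:", download_firmware(mod, frs))         # only 'app' differs
    print("verified:", installation_verified(mod, frs))
    print("second download:", download_firmware(mod, frs))  # nothing left to write
    print("rev C compatible:", hardware_revision_compatible(Module("C", in_chassis=False), frs))
```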

3.3.3 Communications Security

In terms of the communication pathway internal to the V10 Tricon Main Chassis, as shown in Figure 7 below, multiple layers of defense are designed into the Tricon, including the hardware, the software, and the Tricon communication protocols themselves.

[Figure 7. V10 Tricon Pathway for Network Communications. Block diagram; labels recoverable from the extracted image: 100BASEFX fiber links, TCM, COMBUS, Application Processor, Tricon System.]

The communication path comprises the multi-mode fiber optic cable, the TCM, the triplicated Communication Bus (COMBUS), and the triple-modular-redundant (TMR) 3008N MPs, which themselves contain the IOCCOM processor, dual-port RAM (DPRAM), and the embedded application processor that executes the control program.

3.3.3.1 Tricon Communication Module

The TCM provides functional isolation by handling all the communications with external devices, and it has been qualified under the Invensys Operations Management Appendix B program for nuclear safety-related applications. The fiber optic cable prevents propagation of electrical faults into the safety processors. The open-standard communication protocol TCP is "connection-oriented" and thus contributes to the overall reliability of the communication link through the use of Cyclic Redundancy Checks (CRCs). Operating experience with the TCM demonstrates its reliability and that it fails no more often than any other Tricon module. Testing has demonstrated that it protects the safety core from network storms and other communication failures. Upon total loss of all TCMs, the safety core continues to function. Furthermore, the Tricon has been tested by Wurldtech and it has been shown to be resilient against the communication faults listed in ISG-04 (see Invensys Operations Management response to Staff Position 12 in document NTX-SER-09-10, Reference 10). Appendix A of that document discusses Wurldtech testing of the V10 Tricon.

3.3.3.2 Communication Bus

The COMBUS is a triplicated internal communications bus utilizing a master-slave protocol with the TCM configured as the slave. The COMBUS uses a CRC for integrity checks.

3.3.3.3 IOCCOM Processor

Each 3008N MP module contains an IOCCOM processor to handle the data exchange between the embedded application processor and either the I/O modules or the TCM. The IOCCOM processor is scan based, and does not utilize interrupts. Separate queues are provided in the IOCCOM for I/O bus (not shown in the figure) and COM messages, applying checks on both the link-level formatting and CRCs. To ensure adequate execution time for safety-related I/O, the IOCCOM executes COM messages only while waiting for I/O responses.

3.3.3.4 Dual-Port RAM

The application processor and IOCCOM exchange data through the DPRAM. The application processor has higher priority, but the design guarantees that the interface is equally shared: neither processor can starve the other processor accessing the DPRAM. The application processor assigns highest priority to executing the safety function, and messaging is rate-limited.

It is also important to note that the three 3008N MPs first vote on the message before acting on any message from the TCM.

3.3.3.5 TCM Configuration

During development of the V10 Tricon Protection Set application software, the application engineer(s) configure the Tricon IP addresses as required by the system architecture. In addition to the multiple layers of CRC and message checking on the internal busses, the Tricon rejects messages with unrecognized source IP addresses.

Communications between the V10 Tricon TCM and non-safety Maintenance Workstation utilize multicast IP communications. The Maintenance Workstation subscribes to the multicast group address. The TCM periodically transmits read-only data, such as process parameters and V10 Tricon diagnostic data, to the multicast address. The multicast group address and periodicity are configured by the application engineer during implementation of the application code design.
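The layered acceptance of a TCM message described in 3.3.3.2 through 3.3.3.5 (link-level format and CRC checks, rejection of unrecognized source addresses, and the vote among the three MPs before any message is acted on), as an added example that is not Tricon firmware. The frame layout, the order of the checks and the sample addresses and payloads are assumptions; the report names the checks but not their wire format.

```python
"""Layered acceptance of a TCM-to-MP message, modeled on Sections 3.3.3.2 to 3.3.3.5.

Added example, not Tricon firmware. The frame layout (2-byte marker, 2-byte
payload length, 4-byte IPv4 source, payload, 4-byte CRC32), the check order
and the sample addresses/payloads are constructed for illustration.
"""
import struct
import zlib
from collections import Counter
from typing import List, Optional

MARKER = b"TC"          # constructed link-level frame marker
HEADER_LEN = 2 + 2 + 4  # marker + payload length + source address


def ipv4_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_frame(src_ip: str, payload: bytes) -> bytes:
    """What the TCM would place on one COMBUS leg for a given payload."""
    body = MARKER + struct.pack(">H", len(payload)) + ipv4_bytes(src_ip) + payload
    return body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


class MainProcessor:
    """One 3008N MP: link-level format check, CRC check, then source-address filter."""

    def __init__(self, accepted_sources: List[str]):
        # Source addresses configured by the application engineer (3.3.3.5).
        self.accepted = {ipv4_bytes(ip) for ip in accepted_sources}
        self.rejections: Counter = Counter()  # reason -> count, for diagnostics/alarms

    def check_frame(self, frame: bytes) -> Optional[bytes]:
        """Return the payload if every layer accepts the frame, otherwise None."""
        if len(frame) < HEADER_LEN + 4 or frame[:2] != MARKER:
            return self._reject("format")
        (payload_len,) = struct.unpack(">H", frame[2:4])
        if len(frame) != HEADER_LEN + payload_len + 4:
            return self._reject("length")
        body, crc = frame[:-4], frame[-4:]
        if struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF) != crc:
            return self._reject("crc")
        if frame[4:8] not in self.accepted:
            return self._reject("unrecognized source")
        return frame[HEADER_LEN:HEADER_LEN + payload_len]

    def _reject(self, reason: str) -> None:
        self.rejections[reason] += 1
        return None


def vote(candidates: List[Optional[bytes]]) -> Optional[bytes]:
    """2-out-of-3 vote: act only on a payload that at least two MPs accepted identically."""
    for candidate in candidates:
        if candidate is not None and candidates.count(candidate) >= 2:
            return candidate
    return None


def tmr_accept(frames_per_leg: List[bytes], mps: List[MainProcessor]) -> Optional[bytes]:
    """Each MP checks the copy it received on its COMBUS leg; the three results are voted."""
    assert len(frames_per_leg) == len(mps) == 3
    return vote([mp.check_frame(frame) for mp, frame in zip(mps, frames_per_leg)])


if __name__ == "__main__":
    mps = [MainProcessor(["192.0.2.10"]) for _ in range(3)]  # 192.0.2.0/24 is documentation space
    good = build_frame("192.0.2.10", b"READ (constructed request)")
    print("all legs good:", tmr_accept([good] * 3, mps))
    damaged = bytearray(good)
    damaged[HEADER_LEN] ^= 0xFF  # one leg corrupted in transit; CRC catches it, vote carries on
    print("one leg damaged:", tmr_accept([good, bytes(damaged), good], mps))
    stranger = build_frame("192.0.2.99", b"READ (constructed request)")
    print("unknown source:", tmr_accept([stranger] * 3, mps))
    print("rejections seen by MP B:", dict(mps[1].rejections))
```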

3.3.3.6 End-to-End Communication Link Integrity

Another layer of protection is provided by the communication protocols at the Application Layer of the OSI protocol stack. The Peer-to-Peer (P2P) protocol and the Safety Application Protocol (SAP) ensure end-to-end integrity of safety-critical messages. However, the PPS Replacement System does not utilize these protocols; the four Protection Sets are isolated from each other and thus Tricon-to-Tricon communication is not required; and the safety-related control room displays are driven by safety-related analog outputs.

4.0 REGULATORY GUIDE 1.152 CONFORMANCE TABLE

The following compares NRC Regulatory Guide (RG) 1.152 (Reference 1) staff regulatory positions and the V10 Tricon Protection Set compliance and comments in a point-by-point matrix. The table below is intended to describe the conformance of the V10 Tricon Protection Set to RG 1.152, Regulatory Positions 2.1 through 2.5, to support the NRC safety evaluation of the DCPP License Amendment Request application. Invensys Operations Management document NTX-SER-10-14 (Reference 8) addresses the V10 Tricon platform conformance to the RG. At various points RG 1.152 makes references to "licensee" and "developer" when describing the security-related activities that should be performed during the safety-related system lifecycle. Therefore, not every activity in RG 1.152 applies to the Invensys Operations Management development activities relative to the V10 Tricon PPS Replacement application.

Activities specific to a given licensee are identified in the table.

DEVIATION INVENSYS OPERATIONS MANAGEMENT CONFORMANCE &

N/A = Not Applicable COMMENTS REGULATORY POSITION CO Conform DE = Deviation 1.0 Functional and Design Requirements Conformance with the requirements of N/A Conformance to the referenced IEEE standard is outside the scope of this IEEE Std. 7-4.3.2-2003 is a method that document, which is focused on the secure development and operating the NRC staff has deemed acceptable for environment for the PPS Replacement.

satisfying the NRC's regulations with respect to high functional reliability and design requirements for computers used in the safety systems of nuclear power plants.

i n v'e. n s" s i nv'e. ns Y s" Operations Management Triconex Document: P e993754-1-913

Title: Regulatory Guide 1.152 Conformance Report Revision: 0 Page: 1 33 of 62 1 Date: 109/6/11 DEVIATION INVENSYS OPERATIONS MANAGEMENT CONFORMANCE &

REGULATORY POSITION N/A = Not Applicable CO = Conform COMMENTS DE = Deviation 2.0 Secure Development and Operational Environment for the Protection of Digital Safety Systems This regulatory position uses the lifecycle N/A Information Only.

phases of the waterfall model only as a A modified Waterfall lifecycle model is used for both V 10 Tricon platform framework for describing specific guidance for the protection of digital safety development and the PPS Replacement Project (see below).

systems and establishment of a secure development and operating environments for those systems.

The digital safety system development CO Appropriate security controls are in place in each phase of the respective process should identify and mitigate lifecycles.

potential weakness or vulnerabilities in each phase of the digital safety system lifecycle that may degrade the secure development or operational environment or degrade the reliability of the system.

Regulatory Position: The framework for the waterfall lifecycle model consists of the following phases: (1) concepts, (2) requirements, (3) design, (4) implementation, (5) test, (6) installation, checkout, and acceptance testing, (7) operation, (8) maintenance, and (9) retirement.
Conformance: CO
Comments: The framework of the Tricon nuclear system integration process is based on a modified waterfall lifecycle approach similar to that used in RG 1.152. The framework lifecycle phases from RG 1.152 correlate with the analogous phases from the Invensys Operations Management Nuclear Systems Integration Program Manual, NTX-SER-09-21 (NSIPM, Reference 9) as follows:

    RG 1.152                                        NSIPM
    Concepts                                        Acquisition and Planning
    Requirements                                    Requirements
    Design                                          Design
    Implementation                                  Implementation
    Test                                            Test
    Installation, Checkout, and Acceptance Testing  Delivery
    Operation                                       (Invensys support is determined on a
    Maintenance                                     project-by-project basis per project
    Retirement                                      contract.)

The NSIPM describes the requirements for nuclear system integration project activities conducted at Invensys Operations Management facilities. For the PPS Replacement Project, the project activities are conducted at the Lake Forest, California, facility. A system integration project is defined as any project that incorporates standard Tricon products into a fully operational integrated system in accordance with customer-specified requirements. The NSIPM specifically governs the implementation of safety-related nuclear system integration projects. Accordingly, the software implemented under the NSIPM for the PPS Replacement Project is assigned the highest Software Integrity Level (SIL), i.e., SIL4. PG&E is responsible for the last four phases of the RG 1.152 lifecycle (installation, operation, maintenance, and retirement) in accordance with project contract provisions as shown in the NSIPM column of the above table.

Regulatory Position: The NRC will evaluate the secure development environment controls applied to safety system development through the test phase and any secure operational environment design features intended to ensure reliable system operation included in a submittal as part of its review of a license amendment request, design certification, or combined operating license application. Cyber-security and other security controls applied to the latter phases of the lifecycle that occur at a licensee's site (i.e., site installation, operation, maintenance, and retirement) are not part of the 10 CFR 50 licensing process and fall under the purview of other licensee programs.

When vendors develop digital safety systems, licensees should include provisions in their procurement specification to ensure that the vendor takes appropriate measures to establish a secure development environment and includes any features in the system design required by the licensee to support a secure operational environment for the digital safety system.

Regulatory Positions 2.1 - 2.5 describe digital safety system guidance for establishment of a secure environment during the design and development phases of the lifecycle and are applicable to the review of license amendment requests, design certification, and combined operating license applications. The guidance is specifically intended to ensure reliable operation of digital safety systems.
Conformance: N/A
Comments: Information Only.

2.1 Concepts Phase

Regulatory Position: In the concepts phase, the licensee should identify safety system design features that should be implemented to establish a secure operational environment for the system. A licensee should describe these design features as part of its application.
Conformance: CO
Comments: With regard to the DCPP PPS Replacement application, plant specific requirements for design features to establish a secure operational environment for the system are defined in DCPP documents, including, but not limited to:

(1) PPS Replacement Conceptual Design Document (Reference 12) (bypass and test features to limit inadvertent modification)
(2) PPS Replacement Functional Requirements Specification (Reference 13) (physical security measures, system logon protection, communication access, human factors, maintainability, reliability)
(3) PPS Replacement Interface Requirements Specification (Reference 14) (data communication one-way restrictions)

These plant-specific requirements are incorporated in hardware and software design output documentation (requirements specifications and design descriptions) in accordance with the NSIPM (Reference 9). A Project Traceability Matrix is generated to assure traceability of PG&E design requirements, including security related features, throughout the project lifecycle.

PG&E is responsible for generating the DCPP LAR application and subsequent submittal to the NRC.

Regulatory Position: The licensee should assess the digital safety system's potential susceptibility to inadvertent access and undesirable behavior from connected systems over the course of the system's lifecycle that could degrade the system's reliable operation. This assessment should identify the potential challenges to maintain a secure operational environment for the digital safety system and a secure development environment for the system's development lifecycle phases. The results of the analysis should be used to establish design feature requirements (for both hardware and software) to establish a secure operational environment and protective measures that are required to maintain a secure development environment.
Conformance: CO
Comments: DCPP design requirements have been established as noted in the documents listed above, based on assessments of digital system susceptibilities and challenges for a secure operational environment. Based on these requirements, the V10 Tricon PPS Replacement hardware and software design features are provided by Invensys Operations Management to satisfy the requirements for the platform and application design. DCPP requirements include a requirement for a secure development environment for the Tricon systems to be provided.

Invensys Operations Management currently has controls in place to ensure a secure development environment for safety-related nuclear systems produced at the Lake Forest facility. These controls provide assurance that the V10 Tricon plant-specific application code is protected from unauthorized access and modification. The existing security controls include physical and administrative controls for V10 Tricon system hardware and software during development.

As discussed previously, the Invensys Operations Management NSIPM (Reference 9) defines the safety-related application software development lifecycle. Procedures implementing the NSIPM include consideration of RG 1.152 guidance. Section 3.0 addresses the Secure Development Environment for the PPS Replacement Application for the Invensys Operations Management facilities and processes.

Regulatory Position: The licensee should not implement remote access to the safety system.
Conformance: CO
Comments: The PPS Replacement application does not allow for remote access to the Tricon safety system. Remote is defined by RG 1.152 as access by a computer located in an area with less physical security (such as outside the protected area) than the safety system. In this application, two-way communication is only allowed between the V10 Tricon system and the Maintenance Workstation, which is not considered external but rather an integral part of the PPS. The Workstation is in the same set of racks as the rest of the PPS components in the same Protection Set. The safety and reliability of the communication between the safety related Tricon and the non-safety Maintenance Workstation are discussed in PPS Replacement project document 993754-1-912 (Reference 17).

Regulatory Position: For the purposes of this guidance, remote access is defined to be the ability to access a computer, node, or network resource that performs a safety function or that can impact the safety function from a computer or node that is located in an area with less physical security (e.g., outside the protected area) than the safety system. Other NRC staff positions and guidance govern unidirectional and bidirectional data communications between safety and nonsafety digital systems.
Conformance: N/A
Comments: Information Only. See Invensys Operations Management document NTX-SER-09-10 (Reference 10) for additional information on V10 Tricon conformance to ISG-04.

2.2 Requirements Phase

2.2.1 System Features

Regulatory Position: The licensee functional performance requirements and system configuration for a secure operational environment; interfaces external to the system; and the requirements for qualification, human factors engineering, data definitions, documentation for the software and hardware, installation and acceptance, operation and execution, and maintenance,
Conformance: CO
Comments: For the plant-specific DCPP PPS Replacement application, the requirements for security performance and configuration, interfaces, qualification, human factors, and documentation are defined in key design input documents for the project. Primary documents include:

(1) PPS Replacement Conceptual Design Document (Reference 12) (bypass and test features to limit inadvertent modification)
(2) PPS Replacement Functional Requirements Specification (Reference 13) (physical security measures, system logon protection, communication access, human factors, maintainability, reliability)
(3) PPS Replacement Interface Requirements Specification (Reference 14) (data communication one-way restrictions)

These plant-specific requirements are incorporated in hardware and software design output documentation (requirements specifications and design descriptions) in accordance with the NSIPM (Reference 9). A Project Traceability Matrix is generated to assure traceability of PG&E design requirements, including security related features, throughout the Invensys Operations Management nuclear integration project lifecycle described in response to Regulatory Position 2.0. PG&E is responsible for installation, operations, and maintenance of the V10 Tricon PPS Replacement equipment.

Regulatory Position: The design feature requirements intended to maintain a secure operating environment and ensure reliable system operation should be part of the overall system requirements. Therefore, the verification and validation process of the overall system should ensure the correctness, completeness, accuracy, testability, and consistency of the system secure operational environment design feature requirements.
Conformance: CO
Comments: For the V10 Tricon based PPS, the development process for safety-related application software is governed by the Invensys Operations Management NSIPM (Reference 9). In compliance with the NSIPM, the PPS Replacement Project Software Verification and Validation Plan, 993754-1-802 (Reference 19), describes the project V&V activities. The V&V activities are performed by the Nuclear Independent V&V (IV&V) organization, which is separate from the Nuclear Delivery organization responsible for V10 Tricon PPS Replacement design activities. The Project Management Plan, 993754-1-905 (Reference 5), describes the project organizational structure.

Utilizing a Project Traceability Matrix, 993754-1-804 (Reference 20), Nuclear IV&V confirms the forward and backward traceability of the overall system requirements between the project design inputs and design outputs, including security requirements.

The IV&V process applied to the PPS Replacement Project assures the correctness, completeness, accuracy, testability, and consistency of the system requirements, including safety and security.
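The forward and backward traceability check that IV&V performs on the matrix in this row, and the design-item-to-code walk-through described later under Regulatory Position 2.4.1, are mechanical enough to express as a check over a three-layer matrix (design inputs, design configuration items, application code units). The Python below is an added example written for this page; it is not code from the project, the NSIPM or the report. The artifact IDs (SRS-, SDD- and FB_ prefixes), their titles and the links between them are constructed and hypothetical, as is the three-layer layout.

```python
"""Forward/backward traceability check over a constructed traceability
matrix: design inputs (requirements) -> design configuration items ->
application code units. Added example; IDs and artifacts are hypothetical."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, NamedTuple


@dataclass(frozen=True)
class Artifact:
    ident: str
    title: str
    traces_to: FrozenSet[str] = frozenset()  # upstream IDs this item satisfies
    security: bool = False                   # security-related requirement?


class Finding(NamedTuple):
    kind: str    # "unimplemented", "orphan" or "dangling"
    item: str    # artifact the finding is about
    detail: str  # referenced ID for "dangling", otherwise ""


# Constructed sample matrix (hypothetical IDs, not from the project documents).
REQUIREMENTS: Dict[str, Artifact] = {
    "SRS-001": Artifact("SRS-001", "Application download only with keyswitch in PROGRAM", security=True),
    "SRS-002": Artifact("SRS-002", "Outbound-only data flow to plant network", security=True),
    "SRS-003": Artifact("SRS-003", "Trip on high pressurizer pressure"),
    "SRS-004": Artifact("SRS-004", "Workstation logon protection", security=True),
    "SRS-005": Artifact("SRS-005", "Record of every configuration change", security=True),
}
DESIGN_ITEMS: Dict[str, Artifact] = {
    "SDD-010": Artifact("SDD-010", "Keyswitch state check in download logic", frozenset({"SRS-001"})),
    "SDD-011": Artifact("SDD-011", "Communication module access control list", frozenset({"SRS-002"})),
    "SDD-012": Artifact("SDD-012", "Pressure comparator block", frozenset({"SRS-003"})),
    "SDD-013": Artifact("SDD-013", "Diagnostic heartbeat to workstation"),            # cites no requirement
    "SDD-014": Artifact("SDD-014", "Role table", frozenset({"SRS-004", "SRS-099"})),  # SRS-099 does not exist
}
CODE_UNITS: Dict[str, Artifact] = {
    "FB_DOWNLOAD_GUARD": Artifact("FB_DOWNLOAD_GUARD", "download guard", frozenset({"SDD-010"})),
    "FB_COMM_ACL": Artifact("FB_COMM_ACL", "ACL enforcement", frozenset({"SDD-011"})),
    "FB_PRESS_TRIP": Artifact("FB_PRESS_TRIP", "pressure trip", frozenset({"SDD-012"})),
    "FB_ROLE_TABLE": Artifact("FB_ROLE_TABLE", "role table", frozenset({"SDD-014"})),
    "FB_DEBUG_DUMP": Artifact("FB_DEBUG_DUMP", "memory dump helper"),  # no design item: undocumented code
}


def trace_layer(upstream: Dict[str, Artifact], downstream: Dict[str, Artifact]) -> List[Finding]:
    """Check one link of the matrix.

    Forward:  every upstream item is cited by at least one downstream item.
    Backward: every downstream item cites at least one upstream item, and every
              cited ID exists. A downstream item that cites nothing is the
              unwanted or unnecessary content RG 1.152 asks developers to keep out.
    """
    findings: List[Finding] = []
    covered = set()
    for item in downstream.values():
        if not item.traces_to:
            findings.append(Finding("orphan", item.ident, ""))
        for ref in item.traces_to:
            if ref in upstream:
                covered.add(ref)
            else:
                findings.append(Finding("dangling", item.ident, ref))
    for ident in upstream:
        if ident not in covered:
            findings.append(Finding("unimplemented", ident, ""))
    return sorted(findings)


def check_matrix() -> Dict[str, List[Finding]]:
    """Run both links of the sample matrix and return findings per link."""
    return {
        "requirements->design": trace_layer(REQUIREMENTS, DESIGN_ITEMS),
        "design->code": trace_layer(DESIGN_ITEMS, CODE_UNITS),
    }


def security_gaps(report: Dict[str, List[Finding]]) -> List[str]:
    """Security-related requirements that no design item implements."""
    return sorted(f.item for f in report["requirements->design"]
                  if f.kind == "unimplemented" and REQUIREMENTS[f.item].security)


if __name__ == "__main__":
    rep = check_matrix()
    for link, findings in rep.items():
        print(link)
        for f in findings:
            print(f"  {f.kind:14} {f.item} {f.detail}")
    print("security requirements without a design item:", security_gaps(rep))
```

Running the block lists three kinds of finding per link: "orphan" items cite no upstream artifact (the unnecessary design features or undocumented code that Regulatory Positions 2.2.2, 2.3.2 and 2.4.2 are concerned with), "dangling" items cite an ID that does not exist in the upstream layer, and "unimplemented" items are upstream artifacts nothing downstream claims to satisfy. security_gaps() narrows the last kind to the security-related requirements, which is the subset an IV&V reviewer would want surfaced first.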

Regulatory Position: Requirements specifying the use of predeveloped software and systems (e.g., reused software and commercial off-the-shelf (COTS) systems) should address the reliability of the safety system (e.g., by using predeveloped software functions that have been tested and are supported by operating experience).
Conformance: CO
Comments: The PPS Replacement uses no predeveloped application software. A new application program is developed using the qualified Tricon TS1131 programming software in accordance with the NSIPM (Reference 9). Project procedures require the development of various documents such as SQAP, SRS, software V&V Plan, Test procedures, etc., and that all software is tested and validated.

2.2.2 Development Activities

Regulatory Position: During the requirements phase, the licensee should prevent the introduction of unnecessary or extraneous requirements that may result in inclusion of unwanted or unnecessary code.
Conformance: CO
Comments: As explained in the previous Invensys Operations Management response to Regulatory Position 2.1, security controls are in place at the Lake Forest facility to prevent unauthorized access and modification of nuclear systems and related data during the integration process. The secure development environment for application programs is described in section 3.0. The administrative controls for software development are described in the NSIPM (Reference 9) and supporting PPM procedures.

2.3 Design Phase

2.3.1 System Features

Regulatory Position: The safety system design features for a secure operational environment identified in the system requirements specification should be translated into specific design configuration items in the system design description.
Conformance: CO
Comments: For the V10 Tricon PPS Replacement application, the development process for safety-related application software is controlled under the NSIPM (Reference 9). The NSIPM describes the requirements for safety-related nuclear system integration project activities conducted at the Lake Forest facility, including translation of customer requirements (e.g., security related requirements) into design configuration items. The V10 Tricon security performance requirements have been appropriately incorporated into the requirements specifications to assure traceability of these requirements into the plant-specific application software design in accordance with the NSIPM.

Regulatory Position: Licensees should be aware that digital safety systems will be considered Critical Digital Assets and must adhere to the requirements of 10 CFR 73.54. Regulatory Guide 5.71 describes an acceptable defensive architecture to comply with 10 CFR 73.54. The architecture described in the guidance would have licensees place all digital safety systems in the highest level of their defensive architecture and only permit one-way communication (if any communication is desired) from the digital safety system to other systems in lower levels of the defensive architecture. Licensees should be aware that Section B.1.4 of Appendix B to Regulatory Guide 5.71 notes that one-way communications should be enforced using hardware mechanisms. A licensee's adherence to the provisions of 10 CFR 73.54 will be evaluated per regulatory programs specific to that regulation.
Conformance: N/A
Comments: Information only.

Regulatory Position: The safety system design configuration items for a secure operational environment intended to ensure reliable system operation should address control over (1) physical and logical access to the system functions, (2) use of safety system services, and (3) data communication with other systems. Design configuration items that incorporate predeveloped software into the safety system should address the security vulnerabilities of the safety system.
Conformance: CO
Comments: The V10 Tricon security design configuration items inherent in the Tricon platform are described in NTX-SER-10-14 (Reference 8). The Invensys Operations Management response to Regulatory Position 2.1 in that document addresses the three items as follows:

    Concern                                   Design Configuration Item
    1) Physical and logical access            Tricon keyswitch, Role-based access controls
    2) Use of safety system services          Tricon keyswitch, Role-based access controls
    3) Data communication with other systems  End-to-end communication message integrity checks, TCM access control list

Within the PPS Replacement application design, design configuration requirements were addressed in DCPP documents provided to Invensys Operations Management, including:

(1) PPS Replacement Conceptual Design Document (Reference 12) (bypass and test features to limit inadvertent modification)
(2) PPS Replacement Functional Requirements Specification (Reference 13) (physical security measures, system logon protection, communication access, human factors, maintainability, reliability)
(3) PPS Replacement Interface Requirements Specification (Reference 14) (data communication one-way restrictions)

The application software for the PPS Replacement is developed specifically for the DCPP PPS design and does not use predeveloped software beyond the nuclear qualified TS1131 programming software.

Regulatory Position: Physical and logical access control features should be based on the results of the security assessment performed in the concepts phase of the lifecycle. The results of this assessment may identify the need for more complex access control measures, such as a combination of knowledge (e.g., password), property (e.g., key and smart card), or personal features (e.g., fingerprints), rather than just a password.
Conformance: CO
Comments: The necessary security controls for the PPS Replacement are defined in the PG&E design input documents:

(1) PPS Replacement Conceptual Design Document (Reference 12)
(2) PPS Replacement Functional Requirements Specification (Reference 13)
(3) PPS Replacement Interface Requirements Specification (Reference 14)

The above design inputs have been translated into V10 Tricon Protection Set hardware and software requirements. In turn, the requirements have been translated into design elements described in the V10 Tricon Protection Set Software Design Description, 993754-1-810 (Reference 21). In addition, the project Coding Guidelines, 993754-1-907 (Reference 18), have incorporated the security controls necessary for a secure design environment. See the response to Regulatory Position 2.1 for additional discussion of security controls.

2.3.2 Development Activities

Regulatory Position: During the design phase, measures should be taken to prevent the introduction of unnecessary design features or functions that may result in the inclusion of unwanted or unnecessary code.
Conformance: CO
Comments: For the V10 Tricon PPS Replacement configuration, the development process for safety-related application software is governed by the NSIPM (Reference 9) and supporting PPM procedures. PPS Replacement Project PMP, 993754-1-905 (Reference 5), describes the security requirements at the project level based on PG&E design inputs. The SVVP, 993754-1-802 (Reference 19), discusses independent V&V activities required for the V&V effort. The SSP, 993754-1-911 (Reference 22), discusses the types of analyses performed. Finally, the project Coding Guidelines, 993754-1-907 (Reference 18), contain guidance to the Nuclear Delivery design team relevant to configuration of the TS1131 application program.

The DCPP site Cyber Security Plan developed by PG&E to comply with 10 CFR 73.54 may require additional security considerations for the PPS Replacement that are beyond the scope of Invensys Operations Management project responsibility (e.g., physical security controls, administrative controls). These are addressed by PG&E in the DCPP LAR submittal.

2.4 Implementation Phase

Regulatory Position: In the system (integrated hardware and software) implementation phase, the system design is transformed into code, database structures, and related machine executable representations. The implementation activity addresses hardware configuration and setup, software coding and testing, and communication configuration and setup (including the incorporation of reused software and COTS products).
Conformance: N/A
Comments: Information Only.

2.4.1 System Features

Regulatory Position: The developer should ensure that the transformation of the secure operational environment design configuration items from the system design specification are correct, accurate, and complete.
Conformance: CO
Comments: The development process for the safety-related V10 Tricon PPS Replacement application software is controlled under the NSIPM (Reference 9), with the implementing procedures defined in the PPM. The PPM procedures define the detailed software development process actions, including periodic application code reviews during implementation. The software design review requires, in part, structural walk-through of the V10 Tricon application program for the DCPP PPS Replacement based on PG&E requirements. The application code walk-through ensures that all design configuration items from the Software Design Description, 993754-1-810, have been transformed/implemented in the application code correctly, accurately, and completely.

Utilizing a Project Traceability Matrix, 993754-1-804, Nuclear IV&V confirms the forward and backward traceability of the overall system requirements between the project design inputs and design outputs, including security requirements. Nuclear IV&V also independently confirms that all design configuration items from the Software Design Description, 993754-1-810, have been transformed/implemented in the application code correctly, accurately, and completely.

2.4.2 Development Activities

Regulatory Position: The developer should implement secure operational environment procedures and standards to minimize and mitigate any inadvertent or inappropriate alterations of the developed system. The developer's standards and procedures should include testing (such as scanning), as appropriate, to address undocumented codes or functions that might (1) allow unauthorized access or use of the system or (2) cause systems to behave outside of the system requirements or in an unreliable manner.
Conformance: CO
Comments: As explained in Invensys Operations Management response to Regulatory Position 2.1, Invensys Operations Management has security controls over physical and network access to nuclear system integration project data and hardware. The secure development environment for application programs is described in section 3.0. These controls provide protection against unauthorized access and modification of any software, firmware, or application project hardware under Invensys Operations Management control.

For the V10 Tricon PPS Replacement, the development process for safety-related application software is governed by the NSIPM (Reference 9) and supporting Invensys Operations Management QA procedures that are compliant with RG 1.152 positions. In addition to the NSIPM, the Application Software Coding Guide, Invensys Operations Management document 993754-1-907 (Reference 18), provides guidance on V10 Tricon application programming for nuclear system integration projects.

Specifically, in this life cycle phase, Nuclear IV&V executes the various test case scenarios in accordance with the SVVP. The test cases address all of the V10 Tricon application code features (safety, security, etc.) to ensure correct implementation of the application code design developed in the previous life cycle phase.

Regulatory Position: The developer should account for hidden functions and vulnerable features embedded in the code, their purpose and their impact on the integrity and reliability of the safety system. These functions should be removed or (as a minimum) addressed (e.g., as part of the failure modes and effects analysis of the application code) to prevent any unauthorized access or impact the reliability of the safety system.
Conformance: CO
Comments: The V10 Tricon platform and TS1131 engineering software have been approved for use to develop V10 Tricon application code intended for use in safety-related applications, as described in the V10 Tricon Topical Report (Reference 6). The PPS Replacement Project utilizes standard function block libraries available in TS1131 for developing the V10 Tricon PPS Replacement application code. The libraries were included in the scope of the V10 Tricon platform evaluation, and thus have already been evaluated. See NTX-SER-10-14 for supplemental information on compliance of the V10 Tricon and TS1131 to RG 1.152.

The PPM procedures implementing the NSIPM define the detailed software development process actions, including periodic application code reviews during implementation. The software design review requires, in part, structural walk-through of the V10 Tricon application program, which is a unique program developed specifically for the PPS Replacement based on PG&E requirements. The application code walk-through ensures that all application code features are traceable back to the system specifications, thus accounting for hidden and vulnerable functions in the application code.

Regulatory Position: COTS systems are likely to be proprietary and generally unavailable for review. In addition, a reliable method may not exist for use in determining security vulnerabilities for operating systems (e.g., operating system suppliers often do not provide access to the source code for operating systems and callable code libraries).
Conformance: N/A
Comments: Information Only.

Regulatory Position: In such cases, unless the application developer can modify such systems, the security development activity should ensure that the features within the system do not compromise the required security functions of the system in such a manner that the reliability of the safety system would be degraded.
Conformance: N/A
Comments: The PPS Replacement does not contain any predeveloped COTS software.

2.5 Test Phase

Regulatory Position: The objective of testing the design features of the secure operational environment is to ensure that the design requirements intended to ensure system reliability are validated by the execution of integration, system, and acceptance tests where practical and necessary. Testing includes system hardware configuration (including all connectivity to other systems, including external systems), software integration testing, software qualification testing, system integration testing, system qualification testing, and system factory acceptance testing.
Conformance: N/A
Comments: Information Only.

2.5.1 System Features

Regulatory Position: The secure operational environment design requirements and configuration items intended to ensure reliable system operation are part of the validation of the overall system requirements and design configuration items. Therefore, design configuration items for the secure operational environment are just one element of the overall system validation.
Conformance: N/A
Comments: Information Only.

Regulatory Position: Each system design feature of the secure operational environment should be validated to verify that the implemented feature achieves its intended function to protect against inadvertent access and/or the effects of undesirable behavior of connected systems and does not reduce the reliability of the system's safety functions.
Conformance: CO
Comments: Validation of platform specific features is described in Invensys Operations Management document NTX-SER-10-14 (Reference 8). For the PPS Replacement application program, the NSIPM and supporting PPM procedures are compliant with IEEE 1012, and assure, through program independent V&V processes, that each feature (security features included) is verified and validated through all lifecycle phases.

The TS1131 security features are thoroughly tested prior to release of each version and subsequent inclusion on the Nuclear Qualified Equipment List, and thus these features are not retested during the PPS Replacement Project.

In accordance with the NSIPM and implementing PPM procedures, the V10 Tricon application program is verified and the combined (V10 Tricon) hardware-software system is validated such that every system feature, including security features, is tested. The on-line test and calibration functions are tested to ensure that the V10 Tricon Protection Set safety function is not adversely impacted by undesirable operation of the Maintenance Workstation and inadvertent operator action during testing.

Note that this testing focuses on the V10 Tricon equipment, as discussed in the Validation Test Plan, 993754-1-813 (Reference 23).

Integrated testing of the V10 Tricon, ALS, and Maintenance Workstation is performed by PG&E during site acceptance testing, and thus is beyond the scope of this document.

2.5.2 Development Activities

Regulatory Position: The developer should correctly configure and enable the design features of the secure operational environment. The developer should also test the system hardware architecture, external communication devices, and configurations for unauthorized Attention should be focused on built-in original equipment manufacturer features.
Conformance: CO (Conform)
Invensys Operations Management Comments: The PPS Replacement hardware architecture is such that there is communication between the V10 Tricon and the Maintenance Workstation across ports A and B of the NetOptics Network Port Aggregator Tap. The NetOptics mirrors the traffic between ports A and B onto port 1, which is output only (unidirectional). The NRC has previously confirmed that the NetOptics device operates in this manner, as discussed in the Oconee SER (Reference 25).

For the DCPP PPS Replacement Project, the test-phase activities for the safety-related V10 Tricon application software are controlled under the Invensys Operations Management NSIPM (Reference 9) and implemented in accordance with the PPM (Reference 11). The NSIPM describes the requirements for safety-related nuclear system integration project activities conducted at the Lake Forest facility, including hardware assembly, software development and integration, testing, and independent V&V. For the PPS Replacement application program, the project SVVP, 993754-1-802 (Reference 19), in adherence to IEEE 1012, describes the independent V&V activities for independently verifying and validating each engineering software feature (security features included) through all lifecycle phases.

In summary, the V10 Tricon application program is verified and the combined (V10 Tricon) hardware-software system is validated such that every system feature, including security features, is tested. The on-line test and calibration functions are tested to ensure that the V10 Tricon Protection Set safety function is not adversely impacted by undesirable operation of the Maintenance Workstation and inadvertent operator action during testing. Note that this testing focuses on the V10 Tricon equipment, as discussed in the Validation Test Plan, 993754-1-813 (Reference 23).

Validation of platform-specific features is described in Invensys Operations Management document NTX-SER-10-14 (Reference 8). The TS1131 security features are thoroughly tested prior to release of each version and subsequent inclusion on the Nuclear Qualified Equipment List, and thus these features are not retested during the PPS Replacement Project.

Integrated testing of the V10 Tricon, ALS, Maintenance Workstation, and NetOptics Network Port Aggregator Tap is performed by PG&E during site acceptance testing, and thus is beyond the scope of this document.


5.0 REFERENCES

1) Regulatory Guide 1.152, Rev. 3, "Criteria for Use of Computers in Safety Systems of Nuclear Power Plants."
2) IEEE Std. 603-1991, "IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations."
3) IEEE Std. 7-4.3.2-2003, "IEEE Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations."
4) Regulatory Guide 5.71, Rev. 0, "Cyber Security Programs for Nuclear Facilities," January 2010.
5) 993754-1-905, PPS Replacement Project Management Plan (PMP).
6) 7286-545-1, Rev. 4, Triconex Topical Report, December 2010.
7) NRC SER for the V9 Tricon System, December 12, 2001.
8) NTX-SER-10-14, Tricon V10 Conformance to Regulatory Guide 1.152, July 2010.
9) NTX-SER-09-21, Nuclear System Integration Program Manual, Revision 1, July 2010.
10) NTX-SER-09-10, "Tricon Applications in Nuclear Reactor Protection Systems - Compliance with NRC Interim Guidance ISG-2 & ISG-4," Revision 2, January 2011.
11) Invensys Operations Management Project Procedures Manual (PPM).
12) PG&E Process Protection System Replacement Conceptual Design Document.
13) PG&E Process Protection System Replacement Functional Requirements Specification, 08-0015-SP-001.
14) PG&E Process Protection System Replacement Interface Requirements Specification.
15) PG&E Topical Report, "Process Protection System Replacement Diversity & Defense-in-Depth Assessment."
16) 993754-1-909, PPS Replacement Project Software Configuration Management Plan (SCMP).
17) 993754-1-912, PPS Replacement Project ISG-04 Conformance Report.
18) 993754-1-907, PPS Replacement Project Coding Guidelines.
19) 993754-1-802, PPS Replacement Project Software Verification and Validation Plan (SVVP).
20) 993754-1-804, PPS Replacement Project Traceability Matrix (PTM).
21) 993754-1-810, PPS Replacement Project Software Design Description (SDD).


22) 993754-1-911, PPS Replacement Software Safety Plan (SSP).
23) 993754-1-813, PPS Replacement Validation Test Plan.

APPENDIX A

Potential Vulnerabilities of the V10 Tricon Protection Set

1.0 POTENTIAL VULNERABILITIES OF V10 TRICON

Below is a list of potential vulnerabilities for the V10 Tricon PPS Replacement. Mitigation measures are also identified. The mitigations are implemented either during nuclear system integration projects, or at the Licensee's facility in accordance with the site Physical and/or Cyber Security Plans.

Each entry below gives the item (Vulnerability/Mitigation), its Description, and its Domain (Physical Security or Computer Security).

Application Software Development Environment
  Vulnerability/Mitigation: None identified [P]
  Description: None identified
  Domain: None identified

Keyswitch (Physical Security)
  Potential Vulnerability: All Tricon controllers are shipped with identical keys and there is currently no procedure in place for a customer to order a different key for their systems.
  Mitigation (Site administrative controls): Prior to shipment to the Licensee site, ensure site procedures are revised to provide adequate control over Tricon keys.

RXM 4200-series fiber optic cables (Physical Security)
  Potential Vulnerability: The fiber optic cables used to extend the I/O Bus between RXM chassis can be cut/damaged.
  Mitigation (Cable routing design and access controls): The Site Physical Security Plan ensures both proper routing of fiber optic cables and adequate access controls.

Tricon Communications Module

TSAA (Computer Security)
  Potential Vulnerability: Packet injection of valid packets.
  Mitigation (Hardware architecture): The PPS Replacement hardware architecture is such that there is communication between the V10 Tricon and the Maintenance Workstation across ports A and B of the NetOptics Network Port Aggregator Tap. The NetOptics mirrors the traffic between ports A and B onto port 1, which is output only (unidirectional).

Network Routing capability (Computer Security)
  Potential Vulnerability: The TCM can be configured to route network packets.
  Mitigation (Hardware architecture): The PPS Replacement hardware architecture is such that there is communication only between the V10 Tricon and the Maintenance Workstation across ports A and B of the NetOptics Network Port Aggregator Tap. The NetOptics mirrors the traffic between ports A and B onto port 1, which is output only (unidirectional).

Telnet server (Computer Security)
  Potential Vulnerability: The TCM has a Telnet server that can be accessed in the field. This allows reboot of the TCM, placing the TCM in download mode, and changing route tables.

  Mitigation (Hardware architecture): Only non-safety communications take place with the Maintenance Workstation. Therefore, reboot of the TCM does not impact the V10 Tricon safety function. The PPS Replacement hardware architecture is such that there is communication only between the V10 Tricon and the Maintenance Workstation across ports A and B of the NetOptics Network Port Aggregator Tap. The NetOptics mirrors the traffic between ports A and B onto port 1, which is output only (unidirectional). Therefore, devices external to the Protection Set cannot access the Telnet server.

FTP server (Computer Security)
  Potential Vulnerability: The TCM has an FTP server that can be accessed in the field. This allows transferring files to and from the TCM.
  Mitigation (Hardware architecture): The FTP server has no practical use in the field. PG&E ensures that all maintenance is done locally at the chassis/cabinet. The PPS Replacement hardware architecture is such that there is communication only between the V10 Tricon and the Maintenance Workstation across ports A and B of the NetOptics Network Port Aggregator Tap. The NetOptics mirrors the traffic between ports A and B onto port 1, which is output only (unidirectional). Therefore, devices external to the Protection Set cannot access the FTP server.
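As an added defender's check (not part of this conformance report or of any Invensys or PG&E tooling), the script below audits constructed flow records from the tap's output-only mirror port against the architecture that the TSAA, routing, Telnet and FTP mitigations rely on: only the V10 Tricon and the Maintenance Workstation should ever appear, and Telnet/FTP sessions to the TCM should not occur in the field. The host addresses, the record format and all port numbers other than the standard FTP (21) and Telnet (23) ports are assumptions made for the example.

```python
"""Added example: audit flow records from the tap's output-only mirror port (port 1).
Per the table, only the V10 Tricon and the Maintenance Workstation communicate across
tap ports A and B, so any other host seen on the mirror, or any Telnet/FTP session to
the TCM, contradicts the stated architecture. Addresses, ports and records are constructed."""
from dataclasses import dataclass

TRICON_TCM = "10.0.0.10"   # placeholder address for the V10 Tricon TCM
MAINT_WS = "10.0.0.20"     # placeholder address for the Maintenance Workstation
ALLOWED_HOSTS = {TRICON_TCM, MAINT_WS}
TCM_SERVICES = {21: "FTP", 23: "Telnet"}   # TCM services named in the table

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int

def parse_flow(line):
    """Parse one 'key=value' flow record (constructed format) into a Flow."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return Flow(kv["src"], kv["dst"], kv["proto"].lower(), int(kv["dport"]))

def audit_mirror_flows(lines):
    """Return (severity, reason, flow) per record needing attention.
    'violation': a host other than the two expected endpoints is present.
    'review': Telnet/FTP to the TCM from the Maintenance Workstation, which the
    table says has no practical use in the field and should be confirmed."""
    findings = []
    for line in lines:
        f = parse_flow(line)
        svc = TCM_SERVICES.get(f.dport) if f.proto == "tcp" and f.dst == TRICON_TCM else None
        if f.src not in ALLOWED_HOSTS or f.dst not in ALLOWED_HOSTS:
            what = f"{svc} session to TCM" if svc else "traffic"
            findings.append(("violation", f"{what} involving a host outside the Protection Set", f))
        elif svc:
            findings.append(("review", f"{svc} session to TCM from the Maintenance Workstation", f))
    return findings

# Constructed sample records as a collector on port 1 might export them.
SAMPLE = [
    "src=10.0.0.20 dst=10.0.0.10 proto=udp dport=4000",  # normal MWS-to-Tricon traffic
    "src=10.0.0.20 dst=10.0.0.10 proto=tcp dport=23",    # Telnet to TCM from the MWS
    "src=192.0.2.7 dst=10.0.0.10 proto=tcp dport=21",    # FTP to TCM from an outside host
    "src=10.0.0.10 dst=192.0.2.50 proto=udp dport=53",   # TCM sending to an outside host
]

if __name__ == "__main__":
    for severity, reason, flow in audit_mirror_flows(SAMPLE):
        print(f"{severity.upper():9} {reason}: {flow}")
```

Any "violation" finding means a host other than the two expected endpoints reached tap ports A/B, which the mitigations above assume cannot happen and which should be treated as an architecture or cabling deviation.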

TriStation 1131

Security of TriStation 1131 (Physical Security)
  Potential Vulnerability: TriStation 1131 provides the capability to create, modify, and download application programs to Tricon controllers. The tool is installed on maintenance workstations and laptops at Licensee facilities.

  Mitigation (Administrative controls): During development, Invensys Operations Management provides physical access controls to staged equipment to prevent unauthorized changes using TriStation 1131. After delivery to PG&E, administrative controls will be established to protect the TriStation 1131 engineering tool from unauthorized access and inappropriate use.

Default username and password (Computer Security)
  Potential Vulnerability: TriStation 1131 projects are created with a default username and password at the highest level of privilege.
  Mitigation (Password Management Policy): Invensys Operations Management nuclear system integration project controls assign passwords and access privileges that are dependent upon work responsibilities. PG&E will manage TriStation passwords in accordance with the site Cyber Security Plan.

Man-in-the-Middle during download (Computer Security)
  Potential Vulnerability: During download of an application program, the Tricon is placed into "PROGRAM" mode. The network connection is susceptible to a Man-in-the-Middle attack whereby malicious code could be installed.
  Mitigation (Hardware architecture; Administrative controls): The hardware architecture of the PPS Replacement requires physical access to the V10 Tricon in order to download the application program. PG&E will establish administrative procedures that define the download process, including authorizing signatures. PG&E will also establish controls over maintenance and test equipment to ensure application program downloads occur only from workstations and laptops that have not been connected to unknown and unsecured networks.