ML120900688


3/21/2012 Summary of Meeting with Pacific Gas and Electric Company to Discuss Digital Replacement of Process Protection System at Diablo Canyon Power Plant, Units 1 and 2
Site: Diablo Canyon (Pacific Gas & Electric)
Issue date: 04/04/2012
From: Joseph Sebrosky, Plant Licensing Branch IV
To: Pacific Gas & Electric Co
Sebrosky J, NRR/DORL/LPL4, 415-1132
References: TAC ME7522, TAC ME7523


Text

UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

April 4, 2012

LICENSEE: Pacific Gas and Electric Company

FACILITY: Diablo Canyon Power Plant, Unit Nos. 1 and 2

SUBJECT: SUMMARY OF MARCH 21, 2012, TELECONFERENCE MEETING WITH PACIFIC GAS AND ELECTRIC COMPANY ON DIGITAL REPLACEMENT OF THE PROCESS PROTECTION SYSTEM PORTION OF THE REACTOR TRIP SYSTEM AND ENGINEERED SAFETY FEATURES ACTUATION SYSTEM AT DIABLO CANYON POWER PLANT (TAC NOS. ME7522 AND ME7523)

On March 21, 2012, a Category 1 teleconference public meeting was held between the U.S. Nuclear Regulatory Commission (NRC) and representatives of Pacific Gas and Electric Company (PG&E, the licensee) at NRC Headquarters, One White Flint North, 11555 Rockville, Maryland. The purpose of the teleconference meeting was to discuss the license amendment request (LAR) submitted by PG&E on October 26, 2011, for the Digital Replacement of the Process Protection System (PPS) Portion of the Reactor Trip System and Engineered Safety Features Actuation System at Diablo Canyon Power Plant, Unit Nos. 1 and 2 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML113070457). A list of attendees is provided in Enclosure 1.

The teleconference meeting is one in a series of publicly noticed teleconference meetings to be held approximately every 2 weeks to discuss issues associated with the NRC staff's LAR review. Preliminary issues that the NRC staff identified during its initial review and the licensee's responses to these preliminary issues were discussed during the teleconference meeting. The list of preliminary issues is provided in Enclosure 2.

During the discussion, the NRC staff indicated that in the near future it expects to address some of the issues identified in Enclosure 2 as requests for additional information. There was also a discussion that some detailed design information that would help the staff understand the LAR will be provided through a secure internet site that is password protected. The staff will review the material and determine if any of the documents need to be placed on the docket as part of the review.

Docket Nos. 50-275 and 50-323

Enclosures:

1. List of Attendees
2. Staff Identified Issues

cc w/encls: Distribution via Listserv

LIST OF ATTENDEES

MARCH 21, 2012, TELECONFERENCE MEETING WITH PACIFIC GAS AND ELECTRIC COMPANY REGARDING DIGITAL UPGRADE AT DIABLO CANYON POWER PLANT, UNITS 1 AND 2

DOCKET NOS. 50-273 AND 50-323

NAME, ORGANIZATION

Scott Patterson, Pacific Gas and Electric
Bob Lint, Altran
John Hefler, Altran
J. Basso, Westinghouse
Steve Seaman, Westinghouse
Roman Shaffer, Invensys/Triconex
Bill Kemper, U.S. Nuclear Regulatory Commission
Rich Stattel, U.S. Nuclear Regulatory Commission
Bernard Dittman, U.S. Nuclear Regulatory Commission
Joe Sebrosky, U.S. Nuclear Regulatory Commission
Shiattin Makor, U.S. Nuclear Regulatory Commission
Geoffrey Miller, U.S. Nuclear Regulatory Commission
James Byam, Exelon
Gordon Clefton, Nuclear Energy Institute

Enclosure 1

March 19, 12 DCPP PPS Open Item Summary Table

Enclosure 2

Table columns: No; Src/RI; Issue Description and PG&E response; Status; RAI No. (Date Sent); RAI Response (Due Date); Comments

No. 001
Src/RI: AR (8D)
Status: Open
RAI No.: N/A

Issue Description: [ISG-06 Enclosure B, Item 1.3] Deterministic Nature of Software: The Diablo Canyon Specific Application should identify the board access sequence and provide corresponding analysis associated with digital response time performance. This analysis should be of sufficient detail to enable the NRC staff to determine that the logic-cycle;

a. has been implemented in conformance with the ALS Topical Report design basis,
b. is deterministic, and
c. the response time is derived from plant safety analysis performance requirements and in full consideration of communication errors that have been observed during equipment qualification.

As stated in the LAR, information pertaining to response time performance will be submitted as a Phase 2 document. Please ensure this matter is addressed accordingly.

PG&E response:

ALS

Diablo Canyon PPS document 6116-00011, "ALS System Design Specification", Section 7.5, identifies the ALS board access sequence and provides an analysis associated with digital response time performance.

a) The Diablo Canyon PPS ALS system is configured in accordance with the qualification requirements of the ALS platform topical report.

b) The analysis in Diablo Canyon PPS document 6116-00011, "ALS System Design Specification", Section 7, describes a logic cycle that is deterministic.

c) The requirements for the response time of the PPS processing instrumentation (from input conditioner to conditioned output signal) is specified as not to exceed 0.409 seconds in Section 3.2.1.10 of the "Diablo Canyon Power Plant Units 1 & 2 Process Protection System Replacement Functional Requirements Specification (FRS)", Revision 4, submitted as Attachment 7 of the LAR. In Section 1.5.8 of the "Diablo Canyon Power Plant Units 1 & 2 Process Protection System Replacement Interface Requirements Specification (IRS)", Revision 4, submitted as Attachment 8 of the LAR, the 0.409 seconds PPS processing instrumentation response time is allocated between the ALS and Tricon as follows:

ALS: 175 ms for RTD processing
Tricon: 200 ms
Contingency: 34 ms

The 0.409 seconds PPS processing instrumentation value is the same as the value that is currently allocated to PPS processing instrumentation. As long as the 0.409 second PPS processing instrumentation value is not exceeded, the total response time values assumed in the plant safety analyses contained in FSAR Table 15.1-2 will not be exceeded: 7 seconds for Overtemperature ΔT RT and Overpower ΔT RT functions, 2 seconds for High pressurizer pressure RT, Low pressurizer pressure RT, and Low Low SG water level RT functions, 1 second for Low reactor coolant flow RT function, 25 seconds for Low pressurizer pressure, High containment pressure, and Low steam line pressure Safety Injection initiation, 60 seconds for Low low SG water level auxiliary feed water initiation, 18 seconds for High containment pressure, Low pressurizer pressure, and Low steam line pressure Phase A containment isolation, 48.5 seconds for High High containment pressure containment spray initiation, 7 seconds for High High containment pressure steam line isolation, 66 seconds for High High SG water level auxiliary feedwater isolation, and 8 seconds for Low steam line pressure steam line isolation.

The ALS response time will be verified as part of the FAT and the results will be included in the FAT summary report to be submitted by 12/31/12.

Tricon

Invensys provided detailed information on the deterministic operation of the V10 Tricon in Invensys Letter No. NRC V10-11-001, dated January 5, 2011.

In support of the V10 Tricon safety evaluation, Invensys submitted document 9600164-731, Maximum Response Time Calculations, describing the worst-case response time for the V10 Tricon Qualification System. Included in document 9600164-731 are the standard equations for calculating worst-case response time of a given V10 Tricon configuration. The time response calculation for the V10 Tricon PPS Replacement architecture will be submitted by April 16, 2012. The System Response Time Confirmation Report, 993754-1-818, will be submitted to the staff as part of the ISG-06 Phase 2 submittals at the completion of factory acceptance testing of the V10 Tricon PPS Replacement.

The Tricon response time will be verified as part of the FAT and the results will be included in the FAT summary report to be submitted by 12/31/12.

Comments: Response acceptable; waiting on PG&E to provide the time response calculation for the V10 Tricon PPS Replacement architecture by April 16, 2012.

The staff will likely need the Tricon time response calc's submitted on the docket. It is not efficient for the staff to travel to a remote facility to audit SP calc's.

PG&E stated that they will provide the Tricon Time response calc's in a document submitted on the docket.

No. 002
Src/RI: AR (RA)
Status: Open
RAI No.: N/A

Issue Description: [ISG-06 Enclosure B, Item 1.4] Software Management Plan: Regulatory Guide (RG) 1.168, Revision 1, "Verification, Validation, Reviews and Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," dated February 2004 endorses IEEE (Institute of Electrical and Electronics Engineers) 1012-1998, "IEEE Standard for Software Verification and Validation," and IEEE 1028-1997, "IEEE Standard for Software Reviews and Audits," with the exceptions stated in the Regulatory Position of RG 1.168. RG 1.168 describes a method acceptable to the NRC staff for complying with parts of the NRC's regulations for promoting high functional reliability and design quality in software used in safety systems. Standard Review Plan (SRP) Table 7-1 and Appendix 7.1-A identify Regulatory Guide 1.168 as SRP acceptance criteria for reactor trip systems (RTS) and for engineered safety features

Westinghouse/ALS 6116-00000 Diablo Canyon PPS Management Plan, Figure 2-2, shows the Verification and Validation (V&V) organization reporting to the Project Manager. This is inconsistent with the information described in the ALS Management Plan for the generic system platform, where the V&V organization is independent from the Project Manager. This is also inconsistent with the criteria of RG 1.168 and will need to be reconciled during the LAR and ALS LTR reviews.

PG&E response:

ALS

The PPS Replacement LAR referenced Westinghouse document 6116-00000 Diablo Canyon PPS Management Plan, dated July 25, 2011, that was based on CSI document 6002-00003 ALS Verification and Validation Plan, Revision 4. CS Innovations subsequently submitted a revised V&V plan, "6002-00003 ALS Verification and Validation Plan", Revision 5, on November 11, 2011, that revised the required V&V organization structure such that the management of the verification personnel is separate and independent of the management of the development personnel. The Westinghouse 6116-00000 Diablo Canyon PPS Management Plan is being revised to require a V&V organization structure in which the management of the verification personnel is separate and independent of the management of the development personnel. PG&E will submit the revised Westinghouse 6116-00000 Diablo Canyon PPS Management Plan document by March 29, 2012.

Comments: Response acceptable; waiting on revised W/ALS PPS MP, which is due on March 29, 2012.

No. 3
Src/RI: AR (RA)
Status: Open
RAI No.: N/A

Issue Description: [ISG-06 Enclosure B, Item 1.9] Software V&V Plan: The ALS V&V plan states that Project Manager of the supplier is responsible for providing directions during implementation of V&V activities. Also, the organization chart in the Diablo Canyon PPS Management Plan shows the IV&V manager reporting to the PM.

The ALS V&V plan described in ISG6 matrix for the ALS platform and the Diablo Canyon PPS Management Plan do not provide sufficient information about the activities to be performed during V&V. For example, the ALS V&V Plan states that for project specific systems, V&V activities are determined on a project by project basis and are described in the project Management Plan, in this case, 6116-00000, "Diablo Canyon PPS Management Plan."

However, the 6116-00000 Diablo Canyon PPS Management Plan states:

"See the ALS V&V Plan for more information and the interface between the IV&V team and the PPS Replacement project team."

The Triconex V&V plan states that the Engineering Project Plan defines the scope for V&V activities. As mentioned before, the Triconex EPP is not listed in the ISG6 matrix.

These items will need further clarification during the LAR review to demonstrate compliance with Regulatory Guide (RG) 1.168, Revision 1, "Verification, Validation, Reviews and Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants,"

PG&E response:

ALS

The Westinghouse 6116-00000 Diablo Canyon PPS Management Plan is being revised to include details on how the IV&V team has an independent organizational reporting structure from the design and implementation team; the Scottsdale Operations Director and the ALS Platform & Systems Director report to different Westinghouse Vice Presidents. The IV&V Manager and Scottsdale Operations Director both report to the same Westinghouse Vice President, but via independent reporting structures.

Description of 6116-00000 Diablo Canyon PPS Management Plan V&V activity updates - IN PROGRESS

PG&E will submit the revised Westinghouse 6116-00000 Diablo Canyon PPS Management Plan that includes the above changes by March 29, 2012.

Tricon

The organizational structure of Invensys Operations Management comprises, in part, Engineering and Nuclear Delivery. Each of these organizations plays a specific role in the V10 Tricon application project life cycle. Invensys Engineering is responsible for designing and maintaining the V10 Tricon platform, and Nuclear Delivery is responsible for working with nuclear customers on safety-related V10 Tricon system integration projects. Invensys Engineering department procedures require "Engineering Project Plans (EPP)," whereas Nuclear Delivery department procedures require "Project Plans." Invensys Engineering is not directly involved in system integration, but Nuclear Delivery may consult with Engineering on technical issues related to the V10 Tricon platform.

The NRC applied ISG-06 to the V10 Tricon safety evaluation. Invensys submitted a number of documents pertaining to the design of the V10 Tricon platform as well as process and procedure documents governing Invensys Engineering activities, including the EPP. In most cases, these platform-related documents are preceded with document number 9600164. The platform-level documents reviewed by the staff during the V10 Tricon safety evaluation will not be resubmitted by Nuclear Delivery during application-specific system integration projects.

In support of the PG&E LAR for the DCPP PPS Replacement, Invensys Nuclear Delivery is required to submit the application design documents as defined in ISG-06. These project documents are preceded by document number 993754. The Phase 1 submittal under Invensys Project Letter 993754-026T, dated October 26, 2011, contained, in part, the following:

PPS Replacement Project Management Plan (PMP), 993754-1-905. "Project Management Plan" was used to more closely match BTP 7-14 with regard to "management plans"; and

PPS Replacement Software Verification and Validation Plan (SWP), 993754-1-802.

The PMP describes the PPS Replacement Project management activities within the Invensys scope of supply. The guidance documents BTP 7-14 and NUREG/CR-6101 were used as input during development of the PMP.

With regard to compliance with RG 1.168, the PPS Replacement PMP and SWP both describe the organizational structure and interfaces of the PPS Replacement Project. The documents describe the Nuclear Delivery (ND) design team structure and responsibilities, the Nuclear Independent Verification and Validation (IV&V) team structure and responsibilities, the interfaces between ND and Nuclear IV&V, lines of reporting, and degree of independence between ND and Nuclear IV&V. In addition, the PMP describes organizational boundaries between Invensys and the other external entities involved in the PPS Replacement project: PG&E, Altran, Westinghouse, and Invensys suppliers. The combination of the PMP and SWP demonstrate compliance of the Invensys organization with RG 1.168.

Comments: Status: Fig. 3 of the PPS SWP (Pg. 16/46) indicates sufficient organizational independence between the Nuclear Delivery (Design) Organization and the IV&V Organization.

Fig. 3 of the PPS PMP (993754-1-905) (pg. 22/81) also denotes the DCPP PPS project organization, and provides sufficient independence between the ND and IV&V Organizations.

Close the Invensys part of the OI.

W/ALS response acceptable; waiting on revised W/ALS PPS MP, which is due on March 29, 2012.

No. 4
Src/RI: AR (RA)
Status: Open
RAI No.: N/A

Issue Description: [ISG-06 Enclosure B, Item 1.10] Software Configuration Management Plan: The LAR includes PG&E CF2.ID2, "Software Configuration Management for Plant Operations and Operations Support," in Attachment 12. However, the document provided in Attachment 12 only provides a guideline for preparing Software Configuration Management (SCM) and SQA plans. Though it is understood that the licensee will not perform development of software, PG&E personnel will become responsible for maintaining configuration control over software upon delivery from the vendor.

The staff requires the actual plan to be used by the licensee for maintaining configuration control over PPS software in order to evaluate against the acceptance criteria of the SRP. For example, the ALS Configuration Management (CM) Plan (6002-00002) describes initial design activities related to ALS generic boards. This plan does describe the configuration management activities to be used for the development and application of the ALS platform for the Diablo Canyon PPS System. The staff requires that configuration management for this design be described in the DCPP project specific plan. These items will need further clarification during the LAR review to demonstrate compliance with BTP-14.

PG&E response:

PG&E will develop a SyCMP procedure to address configuration control after shipment of equipment from the vendor and will submit the document by May 31, 2012.

No. 5
Src/RI: AR (RA)
Status: Closed
RAI No.: N/A

Issue Description: [ISG-06 Enclosure B, Item 1.11] Software Test Plan: The V10 platform documents identified in ISG6 matrix state that the interface between the NGIO (Next Generation Input Output) Core Software and IO-specific software will not be tested. It is not clear when and how this interface will be tested, and why this test is not part of the software unit testing and integration testing activities.

Further, the 993754-1-813 Diablo Canyon Triconex PPS Validation Test Plan states that the DCPP's TSAP will not be loaded on the system; instead Triconex will use another TSAP for the validation test. It is not clear why the DCPP's TSAP will not be used for the validation test or when the DCPP's TSAP will be loaded on the system and validated for the Diablo Canyon PPS System. These items will need further clarification during the LAR review to demonstrate compliance with BTP-14.

(BK) Follow-on question pertaining to the PPS VTM:

Section 1.4.4 (pg. 12/38) states "The network equipment, including media converter, NetOptics Network Aggregator Tap, and gateway hub, and the MWS will not be within the test scope of this VTP. The Nuclear Delivery (ND) group will coordinate with Pacific Gas & Electric for system staging prior to turn over to Nuclear IV&V. The Nuclear IV&V group will confirm proper operation of network communications system interfaces before beginning testing addressed in this VTP." When, where, and what procedures will be used to test the network equipment??

Also, section 5.1.4 (3) Hardware Validation Tests states that the ALS equipment will not be included in the FAT (pg. 27/38). Where, when, and what procedures will be used to fully test the Integrated PPS system (both Tricon V10 and ALS platforms together) be subjected to FAT.

PG&E response:

The next-generation input/output (I/O) modules qualified for the V10 Tricon are the 3721N 4-20 mA, 32-point analog input (AI) module, and the 3625N 24 Vdc, 32-point digital output (DO) module. Technical data on these two modules was provided to the NRC in support of the V10 Tricon safety evaluation. Configuration and functional testing is performed when the I/O modules (hardware and embedded core firmware) are manufactured. From the factory the I/O modules are shipped to Invensys Nuclear Delivery for use in nuclear system integration projects, i.e., application specific configurations. Because the module hardware and embedded core firmware are within the scope of the V10 Tricon safety evaluation, the verification and validation of the embedded core firmware will not be repeated as part of application-specific system integration projects.

There are certain design items that must be done with TriStation 1131 (TS1131), such as specifying which I/O module is installed in a particular physical slot of the Tricon chassis, resulting in each module having a unique hardware address in the system. Also, TS1131 is used to specify which application program parameters (i.e., program variable tagnames) are assigned to a particular point on a given I/O module. The design items configured in TS1131 will be within the scope of validation activities conducted by Invensys Nuclear IV&V for application-specific system integration projects. The necessary collateral (system build documents, configuration tables, test procedures, test results, etc.) will be submitted to the NRC to support the staff's technical review of the PPS Replacement LAR in accordance with ISG-06.

The Phase 1 submittal under Invensys Project Letter 993754-026T, dated October 26, 2011, contained, in part, the Validation Test Plan (VTP), 993754-1-813. This document describes the scope, approach, and resources of the testing activities that are required for validation testing of the V10 Tricon portion of the PPS Replacement, including:

Preparing for and conducting system integration tests
Defining technical inputs to validation planning
Defining the test tools and environment necessary for system validation testing
Scheduling (and resource loading of the schedule)

Section 1.3.2 of the VTP describes the Hardware Validation Test activities and Section 1.3.3 of the VTP describes the V10 Tricon portion of the Factory Acceptance Test activities for the V10 Tricon portion of the PPS Replacement. Details on the application program are proprietary and need to be provided to the staff separately.

Comments: NGIO Core software is tested and qualified as a platform component. As such, it does not need to be separately tested during the application development process.

TSAP is a Test Specimen Application Program used for purposes of platform qualification.

Invensys stated that The Diablo Canyon Application will be loaded onto plant Tricon system hardware during FAT.

Staff re-examined Invensys doc. "Validation Test Plan (VTP), 993754-1-813," Section 1.3.2 of the VTP that describes the Hardware Validation Test activities and Section 1.3.3 of the VTP and determined that the application program TSAP will be used for the FAT (Section 5.1.5 FAT). Close this portion of the OI.

No. 6
Src/RI: AR (SM)
Status: Closed
RAI No.: Develop a generic RAI to provide a response to ASAIs for both platforms when the SERs are issued.

Issue Description: [ISG-06 Enclosure B, Item 1.14] Equipment Qualification Testing Plans - The LAR Sections 4.6, 4.10.2.4 and 4.11.1.2 provide little information on the plant specific application environmental factors. The Tricon V10 Safety Evaluation, ML11298A246, Section 6.2 lists 19 application specific actions Items (ASAI's) that the licensee should address for plant specific applications. The licensee should address each of these for Tricon portion of the PPS replacement. Similar information for the ALS portion of the PPS replacement will also be required.

PG&E response:

ALS

PG&E will respond to ALS ASAI's when they are available.

Tricon

IN PROGRESS. All of the Application Specific Action Items for the Tricon V10 will be addressed by March 29 2012 in a submittal to the NRC.

Comments: Staff agreed that PG&E should submit a separate submittal (LAR amendment) to address the ASAIs for both platforms. it is not necessary to delineate exactly what will be done for each ASAI in this OI matrix.

No. 7
Src/RI: AR (BK)
Status: Open
RAI No.: N/A

Issue Description: [ISG-06 Enclosure B, Item 1.16] Design Analysis Reports: The LAR does not appear to comply with the SRP (ISG-04) regarding the connectivity of the Maintenance Work Station to the PPS. The TriStation V10 platform relies on software to effect the disconnection of the TriStation's capability to modify the safety system software. Based on the information provided in the LTR, the NRC staff determined that the Tricon V10 platform does not comply with the NRC guidance provided in ISG-04, Highly Integrated Control Rooms-Communications Issues, (ADAMS Accession No. ML083310185), Staff Position 1, Point 10, hence the DCPP PPS configuration does not fully comply with this guidance.

In order for the NRC staff to accept this keyswitch function as an acceptable deviation to this staff position, the staff will have to evaluate the DCPP PPS specific system communications control configuration--including the operation of the keyswitch, the software affected by the keyswitch, and any testing performed on failures of the hardware and software associated with the keyswitch. The status of the ALS platform on this matter is unclear at this time and will be resolved as the ALS LTR review is completed.

Moreover, the Tricon V10 system Operational Mode Change (OMC) keyswitch does change operational modes of the 3008N MPs and enables the TriStation 1131 PC to change parameters, software algorithms, etc, related to the application program of the safety channel without the channel or division being in bypass or in trip. As stated in Section 3.1.3.2 of the Tricon V10 SER, the TriStation 1131 PC should not normally be connected while the Tricon V10 is operational and performing safety critical functions. However, it is physically possible for the TriStation PC to be connected at all times, and this should be strictly controlled via administrative controls (e.g., place the respective channel out of service while changing the software, parameters, etc). The LAR does not mention any administrative controls such as this to control the operation of the OMC (operational mode change) keyswitch. Furthermore, in order to leave the non-safety TriStation 1131 PC attached to the SR Tricon V10 system while the key switch is in the RUN position, a detailed FMEA of the TriStation 1131 PC system will be required to ascertain the potential effects this non-safety PC may have on the execution of the safety application program/operability of the channel or division. These issues must be addressed in order for the NRC staff to determine that the DCPP PPS complies with the NRC Staff Guidance provided in Staff Position 1, Point 11. The status of the ALS platform on this point is unclear at this time.

PG&E response:

Tricon

The OMC keyswitch controls only the mode of the V10 Tricon 3008N MPs. In RUN position the 3008N MPs ignore* all commands from external devices, whether WRITE commands from external operator interfaces or program-related commands from TS 1131. Multiple hardware and software failures would have to occur on the V10 Tricon (in combination with human-performance errors in the control room and at the computer with TS 1131 installed) in order for the application program to be inadvertently reprogrammed. Therefore, there is no credible single failure on the V10 Tricon that would allow the safety-related application program to be inadvertently programmed, e.g., as a result of unexpected operation of the connected computer with TS 1131 installed on it.

The above conclusion will be confirmed (for the V10 Tricon portion of the PPS Replacement) in the Failure Modes and Effects Analysis, an ISG-06 Phase 2 document planned for submittal to NRC in May 2012. Additionally, Invensys Operations Management will support the staff's review of the hardware and software associated with the OMC keyswitch by making all of the technical data available for audit.

*TS1131 contains function blocks that allow WRITE-access to a limited set of parameters programmed into the application software, but only for a limited duration after which the capability is disabled until WRITE-access is re-enabled. However, without these function blocks programmed into the application program neither the application program nor application program parameters can be modified with the OMC keyswitch in the RUN position.

PG&E

Administrative controls on use of keyswitch will be provided with commitment to include in procedures in response. Note, TS 1131 is not used to change set points and protection set is inoperable when keyswitch is not in RUN position.

Comments: Waiting for the V10 Tricon portion of the PPS Replacement Failure Modes and Effects Analysis, an ISG-06 Phase 2 document to be submitted to NRC in May 2012.

PG&E/Invensys needs to provide a technical explanation of how the MP3008N processor actually ignores all commands when in RUN-address the items in the OI.

This issue will also have to be addressed for the ALS platform.

8 AR [ISG-06 Enclosure B, Item 1.21] Open N/A (RS) Setpoint Methodology: The NRC staff understands that a summary of SP (setpoint) Calculations will be provided in Phase 2, however, section 4.10.3.8 of the LAR also states that PGE plans to submit a separate LAR to adopt TSTF 493. The NRC cannot accept this dependency on an unapproved future licensing action. The staff therefore expects the licensee to submit a summary of setpoint calculations which includes a discussion of the methods used for determining as-found and as-left tolerances. This submittal should satisfy all of the informational requirements set forth in ISG6 section D.9.4.3.8 without a condition of TSTF 493 LAR approval P&GE response:

The evaluation of the setpoints for the PPS replacement will need to be performed by Westinghouse in two phases in order to provide sufficient documentation to support 95/95 two-sided uncertainty values for the setpoints. This is because the NRC staff has been requesting additional information and additional data and analysis to demonstrate that the uncertainties used in the setpoint calculation have been based on a statistically sufficient quantity of sample data to bound the assumed values (to justify the confidence level of the calculation is appropriate) during recent Westinghouse projects involving setpoints. Significant information is required from the transmitter and RTD vendors, that has never been obtained before, to support development of calculations that can support 95/95 two-sided uncertainty values.

The first phase of the evaluation of the setpoints will include evaluation of the PPS replacement setpoints for the Tricon and ALS architecture using expected bounding uncertainty values. A setpoint summary evaluation which includes a discussion of the methods used for determining the as-found and as-left tolerances will be submitted by May 31, 2012. This is a change to the commitment 31 in Attachment 1 to the Enclosure to the PPS Replacement LAR.

The second phase of the evaluation of the setpoints will include development of Westinghouse calculations of the PPS replacement setpoints for the Tricon and ALS architecture using sufficient information from vendors to substantiate that the setpoints are based on 95/95 two-sided uncertainty values. The Westinghouse calculations will be completed by December 31, 2012 and will be available for inspection by NRC staff in Washington DC with support provided by Westinghouse setpoint group personnel. The NRC staff inspection of Westinghouse calculations in Washington DC has been performed for another recent utility project involving setpoints.

No. 9; Src/RI: AR (BK); Status: Open; RAI No.: N/A

LTR Safety Conclusion Scope and Applicability - Many important sections of the DCPP PPS LAR refer the reader to the ALS licensing topical report (LTR) to demonstrate compliance of the system with various Clauses of IEEE 603 1991, IEEE 7-4.3.2-203, and ISG-04. However, many important sections of the ALS LTR state that compliance with various Clauses of these IEEE Stds and ISG-04 are application specific and refer the reader to an application specific license amendment submittal (i.e., the DCPP PPS LAR in this case).

The staff has not yet had time to evaluate all the LAR information in detail and compare this information with that provided in the ALS LTR to ensure there is no missing information. However, PG&E and its contractors are encouraged to review these two licensing submittals promptly to verify that compliance with these IEEE Stds and ISG-04 are adequately addressed within both licensing documents.

PG&E response:

IN PROGRESS, review by Westinghouse and PG&E to date has not found a clause where no justification is provided in LAR.

No. 10; Src/RI: RS; Status: Closed; RAI No.: 1

Plant Variable PPS Scope - In the Description section of the LAR, section 4.1.3, nine plant variables are defined as being required for RTS and section 4.1.4 lists seven plant variables that are required for the ESFAS. Three additional plant variables were also listed in section 4.10.3.4.

Some variables are not listed in section 4.10.3.4 as being PPS monitored plant parameters. It is therefore assumed that these parameters are provided as direct inputs to the SSPS and that the PPS is not relied upon for the completion of required reactor trip or safety functions associated with them. Please confirm that these plant parameters and associated safety functions will continue to operate independently from the PPS and that the replacement PPS will not adversely impact the system's ability to reliably perform these functions.

PG&E response:

The PPS Replacement LAR Sections 4.1.3 and 4.1.4 describe the plant variables from which RTS and ESFAS protective functions are generated.

The initiation signal outputs to the SSPS coincidence logic are generated in the PPS or other, independent systems, or in some cases, by discrete devices. Section 4.1.3 items 6 (RCP bus UF, UV, and breaker position), 8 (Main Turbine trip fluid pressure and stop valve position) and 9 (seismic acceleration) are generated by discrete devices outside the PPS and provide direct contact inputs to the SSPS. Section 1.4 items 6 (Containment Exhaust Radiation) and 7 (RT breaker position Permissive P-4) are also generated outside the PPS and are direct contact inputs to the SSPS. The initiation signals associated with these plant parameters operate independently from the PPS. The replacement PPS will not adversely affect the reliable performance of the safety functions associated with these plant parameters.

The three signals (Wide Range RCS Temperature and Pressure and Turbine Impulse Chamber Pressure) not listed in Sections 4.1.3 and 4.1.4 are monitored by the PPS per Section 4.10.3.4. The Wide Range RCS Pressure and Temperature signals are used to generate the LTOP function described in DCPP FSAR Section 5. The PPS uses Turbine Impulse Chamber Pressure to generate an initiation signal that is used by the SSPS coincidence logic to develop Permissive P-13 as discussed in RAI 3, below.

Comments: Neutron Flux is an input to Tricon but it is not listed in Table 4-2 "Process Variable inputs to Tricon".

Comments: Signals not associated with PPS functions will be designated as such in the SE and they will not be described since they are not in scope.

Neutron Flux should be added to Section 4.2 Table 4-2 as follows:

Neutron Flux (Power Range, Upper & Lower):
  • Input to Overtemperature Δ Temperature (OTDT) RT
  • Input to Overpower Δ Temperature (OPDT) RT

No. 11; Src/RI: RS; Status: Closed**; RAI No.: 2

Power Range NIS Function - Section 4.1.7 describes the Existing Power Range NIS Protection Functions and it states that the Power Range nuclear instrumentation provides input to the OTDT, and OPDT protection channels. It is not entirely clear whether any of the described NIS protection functions will be performed by the PPS system. Please clarify exactly what the role of the PPS system is for these NIS Protection functions.

**RAI still needs to be sent.

PG&E response:

Power range analog inputs are provided by the NIS to each PPS Protection Set for use in the calculation of the Overtemperature Delta-T and Overpower Delta-T Setpoint in the Delta-T/Tavg channels. No other NIS signals interface with the PPS. The NIS Protection functions (RT and power range permissives) are generated independently by Nuclear Instrumentation bistable comparators. The NIS bistable outputs are sent directly to the SSPS and have no physical interface with the PPS.

Comments: Only PPS Functions will be described in the SE.

No. 12; Src/RI: RS; Status: Open; RAI No.: 3

Permissive Functions - Several Permissive functions are described within the LAR. It is not clear to the staff whether any of these functions are to be performed by the PPS or if the PPS will only be providing input to external systems that in turn perform the permissive logic described in the LAR.

Section 4.1.9 states that "Settings of the bistable comparators used to develop the permissives are not affected by the PPS Replacement Project", which implies that all of these permissive functions are performed by systems other than the PPS. However, it is still unclear if this statement applies to all permissive functions described throughout the LAR or if it applies only to those permissives relating to Pressurizer Pressure. It is also possible that the permissive functions are being performed by the existing PPS and will continue to be performed by the replacement system and therefore remain "not affected" by the PPS replacement project.

Please provide additional information for the following permissive functions to clearly define what the role of the PPS system will be for each.

  • P-4 Reactor Trip Intermediate Permissive
  • P-7 Low Power Permissive (Bypasses low Ppzr reactor trip)
  • P-8 P-9 Range Low Permissive
  • P-11 Low Pressurizer Pressure SI Operational Bypass
  • P-12 No-Load Low-Low Tave Temperature Permissive
  • P-13 Turbine Low Power Permissive
  • The LAR states that "These signals are generated in the PPS"

PG&E response:

Permissive function initiation signals generated within the existing PPS will continue to be performed by the replacement PPS and therefore remain "not affected" by the PPS replacement project. Permissive function initiation signals that are generated independently of the existing PPS will continue to be generated independently.

  • Permissive [illegible] and P-10 signals are from the NIS to [illegible]. There is no interface with the PPS.
  • Permissive P-4 initiation signals are direct contact inputs to the SSPS coincidence logic generated from contacts in the Reactor Trip Breakers (RTB). There is no interface with the PPS.
  • Permissive P-11, P-12, P-13, and P-14 initiation signals are generated by the bistable comparator outputs generated in the PPS and sent to the SSPS.
  • Permissive P-7 is generated in the SSPS from 3 out of 4 power range NI channels (from NIS - P-10) below setpoint and 2/2 turbine impulse chamber pressure channels below setpoint (From PPS - P13).

The bistable initiation signals described above are monitored by the SSPS. The SSPS generates the Permissive when appropriate coincidence of initiation signals is detected. No SSPS permissive or safety function coincidence logic is changed by the PPS replacement project.

Permissives P-6, P-7, P-8, P-9, P-10, and P-13 are functionally described in FSAR Table 7.2-2. Permissives P-4, P-11, P-12, and P-14 are functionally described in FSAR Table 7.3-3.

The bistable comparator setpoints for the above-listed permissives are not expected to change at this time.

Comments: The response states that P 14 is generated in the NIS independently from PPS and it states that P14 is generated by PPS. Which is it?

Comments: The coincidence of P7 is not performed as a function of PPS.

Comments: The NRC understands that only P11, P13, and P14 are developed within the PPS system. All other permissives are generated by external systems independently of the PPS. See 13 below.

No. 13; Src/RI: RS; Status: Open; RAI No.: 4

P12 Permissive Contradiction - The second paragraph of section 4.1.20 describes the P-12 interlock and states that "These signals are developed in the PPS". This statement is then contradicted in the third paragraph by the following statement;

"These valves are not safety-related, but are interlocked with the P-12 signal from the SSPS."

In conjunction with the response to RAI 3, please provide a resolution for this contradiction in section 4.1.20 of the LAR.

PG&E response:

The word "signals" in the referenced Section 4.1.20 sentence, "These signals are developed ... " is referring to the bistable comparator outputs which are monitored by the SSPS. The PPS does not generate the P-12 Permissive itself. The actual P-12 Permissive is generated by the SSPS when appropriate coincidence of initiation signals is detected. The SSPS output is interlocked with the valves as stated in the third paragraph of Section 4.1.20.

The LAR Section 4.1.20 is clarified by the following statement:

" ... The P-12 Permissive is developed in the SSPS based on coincidence of the P-12 bistable comparator output initiation signals from the PPS ... "

Protection System Permissives (P-11 unblock SI from ALS, P13 Turbine power permissive from Tricon, and P-14 Steam Generator Level high-high from Tricon) are generated by coincident logic in the SSPS based on initiating signals (bistable outputs) from the PPS as noted in the response to OI #12. Permissive development, including initiating signals and logic coincidence is shown in FSARU Tables 7.2-2 (RTS) and 7.3-3 (ESFAS).

Comments: The NRC understands that the P12 signal is generated by the SSPS using signals developed in the PPS.

Comments: Does this response also apply to the P11, P13, and P14 permissives? If so then no permissives are generated by the PPS. Is that correct?

The PPS does not perform coincident logic functions and does not "generate" any protection system permissives.

No. 14; Status: New

Section 4.1.1 SSPS contains the following statement in the last paragraph;

"Information concerning the PPS status is transmitted to the control board status lamps and annunciators by way of the SSPS control board demultiplexer and to the PPS by way of the SSPS computer demultiplexer."

Why would the PPS status need to be transmitted to the PPS as the sentence suggests in the last phrase?

PG&E response:

The sentence in Section 4.1.1 contains a typographical error. The sentence should read:

"Information concerning the PPS status is transmitted to the control board status lamps and annunciators by way of the SSPS control board demultiplexer and to the Plant Process Computer (PPC) by way of the SSPS computer demultiplexer."

As used in the Section 4.1.1. paragraph, "PPS Status" means "PPS Channel Trip Status."

No. 15; Src/RI: (BK); Status: New

An ISG-04 compliance matrix for the DCPP PPS system was not submitted with, or referenced in, the LAR for the W/ALS platform. Instead the ISG-04 compliance section 4.8 of the LAR refers the reader to the ALS LTR for nearly all the points of ISG-04. Fig. 4.4 and 4.5 of the LAR indicate various 1E and non-1E communication pathways to and from ALS processor (e.g., Maintenance Work Station, plant computer, process control, port aggregator, and 4-20 mA temperature signal to Tricon processor). These are all application specific features of the PPS and the staff expects a W/CSI ALS document to be submitted similar to the Invensys "PACIFIC GAS & ELECTRIC COMPANY NUCLEAR SAFETY-RELATED PROCESS PROTECTION SYSTEM REPLACEMENT DIABLO CANYON POWER PLANT DI&C-ISG-04 CONFORMANCE REPORT" Document No. 993754-1-912 Revision 0, to be submitted on the docket, which explains how the ALS portion of the PPS application conforms with the guidance of ISG-04.

PG&E response:

Westinghouse will provide a DCPP PPS specific ISG-4 Compliance Table by March 31, 2012 and PG&E will submit the Table by May 31, 2012.

No. 16; Src/RI: (BK); Status: New

Section 1.4.4 (pg. 12/38) of document 993754-1-813 Diablo Canyon Triconex PPS Validation Test Plan (VTM) states "The network equipment, including media converter, NetOptics Network Aggregator Tap, and gateway hub, and the MWS will not be within the test scope of this VTP. The Nuclear Delivery (ND) group will coordinate with Pacific Gas & Electric for system staging prior to turn over to Nuclear IV&V. The Nuclear IV&V group will confirm proper operation of network communications system interfaces before beginning testing addressed in this VTP." When, where, and what procedures will be used to test the network equipment??

PG&E response: IN PROGRESS

No. 17; Src/RI: (BK); Status: New

Section 5.1.4.3, Hardware Validation Tests, (pg. 27/38) of document 993754-1-813 Diablo Canyon Triconex PPS Validation Test Plan (VTM) states that the ALS equipment will not be included in the FAT. Where, when, and what procedures will be used to fully test the Integrated PPS system (both Tricon V10 and ALS platforms together) be subjected to FAT.

PG&E response: IN PROGRESS

No. 18; Src/RI: (BK); Status: New

Software Management Plan: Regulatory Guide (RG) 1.168, Revision 1, "Verification, Validation, Reviews and Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," dated February 2004 endorses IEEE (Institute of Electrical and Electronics Engineers) 1012-1998, "IEEE Standard for Software Verification and Validation," and IEEE 1028-1997, "IEEE Standard for Software Reviews and Audits," with the exceptions stated in the Regulatory Position of RG 1.168. RG 1.168 describes a method acceptable to the NRC staff for complying with parts of the NRC's regulations for promoting high functional reliability and design quality in software used in safety systems. Standard Review Plan (SRP) Table 7-1 and Appendix 7.1-A identify Regulatory Guide 1.168 as SRP acceptance criteria for reactor trip systems (RTS) and for engineered safety features actuation systems (ESFAS).

The Invensys PPS Replacement Software Verification and Validation Plan (SWP), 993754-1-802 does not provide a clear explanation of how the Invensys SWP complies with IEEE 1012-1998. Please provide a cross reference table that explains how the Invensys SWP implements the criteria of IEEE 1012-1998.

Also, the Westinghouse/ALS 6116-00000 Diablo Canyon PPS Management Plan, does not provide a clear explanation of how the CSI SWP complies with IEEE 1012-1998. Please provide a cross reference table that explains how the W/CSI SWP implements the criteria of IEEE 1012-1998.


PG&E response:

Westinghouse will provide an IEEE-1012 compliance map by May 4, 2012 to PG&E and PG&E will submit the matrix to the staff by May 31, 2012.

No. 19; Src/RI: RS; Status: New

Section 4.1.1 of the LAR states that;

"The SSPS evaluates the signals and performs RTS and ESFAS functions to mitigate Abnormal Operational Occurrences and Design Basis Events described in FSAR [26] Chapter 15."

however, Chapter 15 of the DCPP FSAR does not use the terms Abnormal Operational Occurrence (AOO) or Design Basis Accident (DBE). Instead, the accident analysis in chapter 15 identifies conditions as follows;

CONDITION I - NORMAL OPERATION AND OPERATIONAL TRANSIENTS
CONDITION II - FAULTS OF MODERATE FREQUENCY
CONDITION III - INFREQUENT FAULTS
CONDITION IV - LIMITING FAULTS

As such, the statement that AOO's and DBE's are described in the FSAR appears to be inaccurate. Please explain the correlation between the Conditions described in FSAR chapter 15 and the Abnormal Operational Occurrences, and Design Basis Events described in the LAR.

PG&E response: IN PROGRESS

No. 20; Src/RI: RS; Status: New

The system description provided in Section 4 of the LAR includes "functions performed by other protective systems at DCPP in addition to the PPS functions". In many cases, there is no explanation of what system is performing the functions described nor is there a clarification of whether the described functions are being performed by the PPS system.

Comments: The NRC could consider auditing the system Function Diagrams in lieu of having them submitted.

As an example, Section 4.1.16 describes a bypass function to support testing of the high-high containment pressure channel to meet requirements of IEEE 279 and IEEE 603. The description of this function does not however, state whether this latch feature is being implemented within the PPS system or in the SSPS.

The staff needs to have a clear understanding of the functional scope of the PPS system being modified in order to make its regulatory compliance determinations. Please provide additional information such as PPS function diagrams to help the staff distinguish PPS functions from functions performed by other external systems.

PG&E Response: IN PROGRESS

No. 21; Src/RI: RA; Status: New

Westinghouse/CSI document 6116-00005, "Diablo Canyon PPS System Test Plan," states that the ALS-102 FPGA design is changed for the DCPPS System. Further, Section 5.3.3 states: "Test as many of the ALS-102 requirements as possible."

Please identify what document describes the design verification test for this board.

PG&E response:

The ALS-102 product subsystem-level test verification will be covered in CS Innovations document 6116-70140, "Diablo Canyon PPS System Test Design Specification". Document 6116-70140 will be submitted to the NRC by TBD.

Please direct any inquiries to me at 301-415-1132 or at Joseph.Sebrosky@nrc.gov.

/RA/

Joseph M. Sebrosky, Senior Project Manager
Plant Licensing Branch IV
Division of Operating Reactor Licensing
Office of Nuclear Reactor Regulation

Docket Nos. 50-275 and 50-323

Enclosures:

1. List of Attendees
2. Staff Identified Issues

cc w/encls: Distribution via Listserv

DISTRIBUTION:

PUBLIC LPLIV Reading RidsAcrsAcnw_MailCTR Resource RidsNrrDeEicb Resource RidsNrrDorl Resource RidsNrrDorlLpl4 Resource RidsNrrLAJBurkhardt Resource RidsNrrPMDiabloCanyon Resource RidsOgcRp Resource RidsRgn4MailCenter Resource WMaier, RIV TWertz, NRR WKemper, NRR/DE/EICB RStattel, NRR/DE/EICB SMakor, RIV/DRS/EB2 LChang, EDO RIV

ADAMS Accession Nos. Meeting Notice ML120530074; Meeting Summary ML120900688 *per email

OFFICE | DORL/LPL4/PM | DORL/LPL4/LA | NRR/DE/EICB | DORL/LPL4/BC | DORL/LPL4/PM
NAME | JSebrosky | JBurkhardt | WKemper* | MMarkley (JSebrosky for) | JSebrosky
DATE | 4/4/12 | 4/2/12 | 4/2/12 | 4/4/12 | 4/4/12

OFFICIAL RECORD COPY