ML121150504


Summary of Meeting with Pacific Gas and Electric Company to Discuss Digital Replacement of Process Protection System at Diablo Canyon Power Plant, Units 1 and 2
ML121150504
Person / Time
Site: Diablo Canyon, Pacific Gas & Electric
Issue date: 05/03/2012
From: Joseph Sebrosky
Plant Licensing Branch IV
To:
Sebrosky J, NRR/DORL/LPL4 301-415-1132
References
TAC ME7522, TAC ME7523


Text

UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

May 3, 2012

LICENSEE: Pacific Gas and Electric Company

FACILITY: Diablo Canyon Power Plant, Unit Nos. 1 and 2

SUBJECT: SUMMARY OF APRIL 18, 2012, TELECONFERENCE MEETING WITH PACIFIC GAS AND ELECTRIC COMPANY ON DIGITAL REPLACEMENT OF THE PROCESS PROTECTION SYSTEM PORTION OF THE REACTOR TRIP SYSTEM AND ENGINEERED SAFETY FEATURES ACTUATION SYSTEM AT DIABLO CANYON POWER PLANT (TAC NOS. ME7522 AND ME7523)

On April 18, 2012, a Category 1 teleconference public meeting was held between the U.S. Nuclear Regulatory Commission (NRC) and representatives of Pacific Gas and Electric Company (PG&E, the licensee) at NRC Headquarters, One White Flint North, 11555 Rockville Pike, Rockville, Maryland. The purpose of the teleconference meeting was to discuss the license amendment request (LAR) submitted by PG&E on October 26, 2011, for the Digital Replacement of the Process Protection System (PPS) Portion of the Reactor Trip System and Engineered Safety Features Actuation System at Diablo Canyon Power Plant, Unit Nos. 1 and 2 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML113070457). A list of attendees is provided in Enclosure 1.

The teleconference meeting is one in a series of publicly noticed teleconference meetings to be held periodically to discuss issues associated with the NRC staff's LAR review. Preliminary issues that the NRC staff identified during the initial review, and the licensee's responses to these preliminary issues, were discussed during the teleconference meeting. The list of preliminary issues is provided in Enclosure 2.

During the discussion of the items in the table, the licensee verified that in response to item 8, PG&E's plans for a submittal of a separate LAR related to instrumentation and control setpoint changes would be pursued independently of the PPS LAR and that there would be no dependencies between these licensing actions. The licensee indicated that supplemental information would be provided to address any issues associated with the PPS setpoint changes as part of the October 26, 2011, LAR. The licensee agreed to revise the response to item 8 to reflect this expectation.

Items 16, 17 and 22 in Enclosure 2 relate to questions associated with the PPS factory acceptance testing (FAT) and site acceptance testing (SAT). The licensee's response to these items is provided in Enclosure 3. During the discussion of the information in Enclosure 3, the NRC staff indicated that the licensee may want to clarify the statement that there are no digital data connections between the Tricon and Advanced Logic System (ALS) systems. The staff indicated that because both systems are connected to the maintenance work station, the maintenance work station appeared to provide a path for a digital data connection. The licensee indicated statements found in Enclosure 3 in this area would be reviewed and a determination would be made if changes were needed when the underlying questions are formally issued as requests for additional information.

Item 23 in Enclosure 2 relates to an ALS system testing question. The licensee's response to this question is provided in Enclosure 4. The NRC staff indicated that a review of both Enclosures 3 and 4 would continue and feedback would be provided, as appropriate, on possible clarification to the responses.

The NRC staff and licensee confirmed that the next meeting on this topic would be held on May 16, 2012. In addition, a meeting related to the setpoint changes to support the LAR was tentatively scheduled for June 28, 2012. At the staff's request, the licensee stated that a more detailed agenda for the June 28, 2012, meeting would be provided so that the staff could better plan for the meeting and use the agenda in the notice for the meeting. The staff and the licensee agreed that they would consider the appropriate timing for additional meetings and whether these would be done on a monthly basis as opposed to every 2 weeks.

Docket Nos. 50-275 and 50-323

Enclosures:

1. List of Attendees
2. Staff identified issues
3. Process Protection System Factory Acceptance Testing and Site Acceptance Testing
4. Advanced Logic System Testing

cc w/encls: Distribution via Listserv

Enclosure 1

LIST OF ATTENDEES
APRIL 18, 2012, TELECONFERENCE MEETING WITH PACIFIC GAS AND ELECTRIC COMPANY REGARDING DIABLO CANYON POWER PLANT DIGITAL UPGRADE
DOCKET NOS. 50-275 AND 50-323

NAME                ORGANIZATION
Ken Schrader        Pacific Gas and Electric
Scott Patterson     Pacific Gas and Electric
Bob Lint            Altran
John Hefler         Altran
K. Brandt           Altran
J. Basso            Westinghouse
W. Odess-Gillet     Westinghouse
B. Spence           Westinghouse
Roman Shaffer       Invensys/Triconex
Rich Stattel        U.S. Nuclear Regulatory Commission
Joe Sebrosky        U.S. Nuclear Regulatory Commission
Shiattin Makor      U.S. Nuclear Regulatory Commission
Gordon Clefton      Nuclear Energy Institute
Sara Rudy           General Electric-Hitachi
Eric Mino           General Electric-Hitachi

Enclosure 2

April 17, 12 DCPP PPS Open Item Summary Table

Table columns: No; Src/RI; Issue Description and PG&E response; Status; RAI No. (Date Sent); RAI Response (Due Date); Comments

No. 001
Src/RI: AR (BD)
Status: Open
RAI No.: N/A

Comments:
Response received April 2, 2012. Staff will review and discuss further if needed at subsequent telecom meeting.
Response acceptable; waiting on PG&E to provide the time response calculation for the V10 Tricon PPS Replacement architecture by April 16, 2012.

Issue Description:
[ISG-06 Enclosure B, Item 1.3] Deterministic Nature of Software: The Diablo Canyon Specific Application should identify the board access sequence and provide corresponding analysis associated with digital response time performance. This analysis should be of sufficient detail to enable the NRC staff to determine that the logic-cycle;

a. has been implemented in conformance with the ALS Topical Report design basis,
b. is deterministic, and
c. the response time is derived from plant safety analysis performance requirements and in full consideration of communication errors that have been observed during equipment qualification.

As stated in the LAR, information pertaining to response time performance will be submitted as a Phase 2 document. Please ensure this matter is addressed accordingly.

PG&E response:

ALS

Diablo Canyon PPS document 6116-00011, "ALS System Design Specification", Section 7.5, identifies the ALS board access sequence and provides an analysis associated with digital response time performance.

a) The Diablo Canyon PPS ALS system is configured in accordance with the qualification requirements of the ALS platform topical report.

b) The analysis in Diablo Canyon PPS document 6116-00011, "ALS System Design Specification", Section 7, describes a logic cycle that is deterministic.

c) The requirements for the response time of the PPS processing instrumentation (from input conditioner to conditioned output signal) is specified as not to exceed 0.409 seconds in Section 3.2.1.10 of the "Diablo Canyon Power Plant Units 1 & 2 Process Protection System Replacement Functional Requirements Specification (FRS)", Revision 4 submitted as Attachment 7 of the LAR. In Section 1.5.8 of the "Diablo Canyon Power Plant Units 1 & 2 Process Protection System Replacement Interface Requirements Specification (IRS)", Revision 4, submitted as Attachment 8 of the LAR, the 0.409 seconds PPS processing instrumentation response time is allocated between the ALS and Tricon as follows:

ALS: 175 ms for RTD processing
Tricon: 200 ms
Contingency: 34 ms

The 0.409 seconds PPS processing instrumentation value is the same as the value that is currently allocated to PPS processing instrumentation. As long as the 0.409 second PPS processing instrumentation value is not exceeded, the total response time values assumed in the plant safety analyses contained in FSAR Table 15.1-2 will not be exceeded; 7 seconds for Overtemperature ΔT RT and Overpower ΔT RT functions, 2 seconds for High pressurizer pressure RT, Low pressurizer pressure RT, and Low Low SG water level RT functions, 1 second for Low reactor coolant flow RT function, 25 seconds for Low pressurizer pressure, High containment pressure, and Low steam line pressure Safety Injection initiation, 60 seconds for Low low SG water level auxiliary feedwater initiation, 18 seconds for High containment pressure, Low pressurizer pressure, and Low steam line pressure Phase A containment isolation, 48.5 seconds for High High containment pressure containment spray initiation, 7 seconds for High High containment pressure steam line isolation, 66 seconds for High High SG water level auxiliary feedwater isolation, and 8 seconds for Low steam line pressure steam line isolation.

The ALS response time will be verified as part of the FAT and the results will be included in the FAT summary report to be submitted by 12/31/12.

Tricon

Invensys provided detailed information on the deterministic operation of the V10 Tricon in Invensys Letter No. NRC V10-11-001, dated January 5, 2011.

In support of the V10 Tricon safety evaluation, Invensys submitted document 9600164-731, Maximum Response Time Calculations, describing the worst-case response time for the V10 Tricon Qualification System. Included in document 9600164-731 are the standard equations for calculating worst-case response time of a given V10 Tricon configuration. The time response calculation for the V10 Tricon PPS Replacement architecture will be submitted by April 16, 2012. The System Response Time Confirmation Report, 993754-1-818, will be submitted to the staff as part of the ISG-06 Phase 2 submittals at the completion of factory acceptance testing of the V10 Tricon PPS Replacement.

The Tricon response time will be verified as part of the FAT and the results will be included in the FAT summary report to be submitted by 12/31/12.

The staff will likely need the Tricon time response calc's submitted on the docket. It is not efficient for the staff to travel to a remote facility to audit SP calc's.

PG&E stated that they will provide the Tricon Time response calc's in a document submitted on the docket.

No. 002
Src/RI: AR (RA)
Status: Open
RAI No.: N/A

Comments:
Response received April 2, 2012. Staff will review and discuss further if needed at subsequent telecom meeting.
(WEK 4/12/12) Response acceptable; the staff received the revised W/ALS PPS MP on April 2, 2012 and will review for consistency with RG 1.168.

Issue Description:
[ISG-06 Enclosure B, Item 1.4] Software Management Plan: Regulatory Guide (RG) 1.168, Revision 1, "Verification, Validation, Reviews and Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," dated February 2004 endorses IEEE (Institute of Electrical and Electronics Engineers) 1012-1998, "IEEE Standard for Software Verification and Validation," and IEEE 1028-1997, "IEEE Standard for Software Reviews and Audits," with the exceptions stated in the Regulatory Position of RG 1.168. RG 1.168 describes a method acceptable to the NRC staff for complying with parts of the NRC's regulations for promoting high functional reliability and design quality in software used in safety systems. Standard Review Plan (SRP) Table 7-1 and Appendix 7.1-A identify Regulatory Guide 1.168 as SRP acceptance criteria for reactor trip systems (RTS) and for engineered safety features

Westinghouse/ALS 6116-00000 Diablo Canyon PPS Management Plan, Figure 2, shows the Verification and Validation (V&V) organization reporting to the Project Manager. This is inconsistent with the information described in the ALS Management Plan for the generic system platform, where the V&V organization is independent from the Project Manager. This is also inconsistent with the criteria of RG 1.168 and will need to be reconciled during the LAR and ALS LTR reviews.

PG&E response:

ALS

The PPS Replacement LAR referenced Westinghouse document 6116-00000 Diablo Canyon PPS Management Plan, dated July 25, 2011, that was based on CSI document 6002-00003 ALS Verification and Validation Plan, Revision 4. CS Innovations subsequently submitted a revised V&V plan, "6002-00003 ALS Verification and Validation Plan", Revision 5, on November 11, 2011, that revised the required V&V organization structure such that the management of the verification personnel is separate and independent of the management of the development personnel. The Westinghouse 6116-00000 Diablo Canyon PPS Management Plan is being revised to require a V&V organization structure in which the management of the verification personnel is separate and independent of the management of the development personnel. PG&E will submit the revised Westinghouse 6116-00000 Diablo Canyon PPS Management Plan document by March 29, 2012.

No. 3
Src/RI: AR (RA)
Status: Open
RAI No.: N/A

Comments:
Response received April 2, 2012. Staff will review and discuss further if needed at subsequent telecom meeting.
Status: Fig. 3 of the PPS SWP (Pg. 16/46) indicates sufficient organizational independence between the Nuclear Delivery (Design) Organization and the IV&V Organization. Fig. 3 of the PPS PMP (993754-1-905) (pg. 22/81) also denotes the DCPP PPS project organization, and provides sufficient independence between the ND and IV&V Organizations. Close the Invensys part of the OI.
W/ALS response acceptable; (WEK 4/12/12) the staff received the revised W/ALS PPS MP on April 2, 2012 and will review for consistency with RG 1.168.
Status: Fig. 3 of the PPS SWP (Pg. 16/46) indicates sufficient organizational independence between the Nuclear Delivery (Design) Organization and the IV&V Organization. Fig. 3 of the PPS PMP (993754-1-905) (pg. 22/81) also denotes the DCPP PPS project organization, and provides sufficient independence between the ND and IV&V Organizations. Close the Invensys part of the OI.

Issue Description:
[ISG-06 Enclosure B, Item 1.9] Software V&V Plan: The ALS V&V plan states that Project Manager of the supplier is responsible for providing directions during implementation of V&V activities. Also, the organization chart in the Diablo Canyon PPS Management Plan shows the IV&V manager reporting to the PM.

The ALS V&V plan described in ISG-6 matrix for the ALS platform and the Diablo Canyon PPS Management Plan do not provide sufficient information about the activities to be performed during V&V. For example, the ALS V&V Plan states that for project specific systems, V&V activities are determined on a project by project basis and are described in the project Management Plan, in this case, 6116-00000, "Diablo Canyon PPS Management Plan."

However, the 6116-00000 Diablo Canyon PPS Management Plan states:

"See the ALS V&V Plan for more information and the interface between the IV&V team and the PPS Replacement project team."

The Triconex V&V plan states that the Engineering Project Plan defines the scope for V&V activities. As mentioned before, the Triconex EPP is not listed in the ISG-6 matrix.

These items will need further clarification during the LAR review to demonstrate compliance with Regulatory Guide (RG) 1.168, Revision 1, "Verification, Validation, Reviews and Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants,"

PG&E response:

ALS

The Westinghouse 6116-00000 Diablo Canyon PPS Management Plan is being revised to include details on how the IV&V team has an independent organizational reporting structure from the design and implementation team; the Scottsdale Operations Director and the ALS Platform & Systems Director report to different Westinghouse Vice Presidents. The IV&V Manager and Scottsdale Operations Director both report to the same Westinghouse Vice President, but via independent reporting structures.

Description of 6116-00000 Diablo Canyon PPS Management Plan V&V activity updates - IN PROGRESS

PG&E will submit the revised Westinghouse 6116-00000 Diablo Canyon PPS Management Plan that includes the above changes by March 29, 2012.

Tricon

The organizational structure of Invensys Operations Management comprises, in part, Engineering and Nuclear Delivery. Each of these organizations plays a specific role in the V10 Tricon application project life cycle. Invensys Engineering is responsible for designing and maintaining the V10 Tricon platform, and Nuclear Delivery is responsible for working with nuclear customers on safety-related V10 Tricon system integration projects. Invensys Engineering department procedures require "Engineering Project Plans (EPP)," whereas Nuclear Delivery department procedures require "Project Plans." Invensys Engineering is not directly involved in system integration, but Nuclear Delivery may consult with Engineering on technical issues related to the V10 Tricon platform.

The NRC applied ISG-06 to the V10 Tricon safety evaluation. Invensys submitted a number of documents pertaining to the design of the V10 Tricon platform as well as process and procedure documents governing Invensys Engineering activities, including the EPP. In most cases, these platform-related documents are preceded with document number 9600164. The platform-level documents reviewed by the staff during the V10 Tricon safety evaluation will not be resubmitted by Nuclear Delivery during application-specific system integration projects.

In support of the PG&E LAR for the DCPP PPS Replacement, Invensys Nuclear Delivery is required to submit the application design documents as defined in ISG-06. These project documents are preceded by document number 993754. The Phase 1 submittal under Invensys Project Letter 993754-026T, dated October 26, 2011, contained, in part, the following:

PPS Replacement Project Management Plan (PMP), 993754-1-905. "Project Management Plan" was used to more closely match BTP 7-14 with regard to "management plans"; and
PPS Replacement Software Verification and Validation Plan (SWP), 993754-1-802.

The PMP describes the PPS Replacement Project management activities within the Invensys scope of supply. The guidance documents BTP 7-14 and NUREG/CR-6101 were used as input during development of the PMP.

With regard to compliance with RG 1.168, the PPS Replacement PMP and SWP both describe the organizational structure and interfaces of the PPS Replacement Project. The documents describe the Nuclear Delivery (ND) design team structure and responsibilities, the Nuclear Independent Verification and Validation (IV&V) team structure and responsibilities, the interfaces between ND and Nuclear IV&V, lines of reporting, and degree of independence between ND and Nuclear IV&V. In addition, the PMP describes organizational boundaries between Invensys and the other external entities involved in the PPS Replacement project: PG&E, Altran, Westinghouse, and Invensys suppliers. The combination of the PMP and SWP demonstrate compliance of the Invensys organization with RG 1.168.

No. 4
Src/RI: AR (RA)
Status: Open
RAI No.: N/A

Comments:
{WEK 4-12-12} Response received April 2, 2012. Staff will review the PG&E SyCMP procedure when it arrives on May 31, 2012.

Issue Description:
[ISG-06 Enclosure B, Item 1.10] Software Configuration Management Plan: The LAR includes PG&E CF2.ID2, "Software Configuration Management for Plant Operations and Operations Support," in Attachment 12. However, the document provided in Attachment 12 only provides a guideline for preparing Software Configuration Management (SCM) and SQA plans. Though it is understood that the licensee will not perform development of software, PGE personnel will become responsible for maintaining configuration control over software upon delivery from the vendor.

The staff requires the actual plan to be used by the licensee for maintaining configuration control over PPS software in order to evaluate against the acceptance criteria of the SRP. For example, the ALS Configuration Management (CM) Plan (6002-00002) describes initial design activities related to ALS generic boards. This plan does describe the configuration management activities to be used for the development and application of the ALS platform for the Diablo Canyon PPS System. The staff requires that configuration management for this design be described in the DCPP project specific plan. These items will need further clarification during the LAR review to demonstrate compliance with BTP-14.

PG&E response:

PG&E will develop a SyCMP procedure to address configuration control after shipment of equipment from the vendor and will submit the document by May 31, 2012.

No. 5
Src/RI: AR (RA)
Status: Closed
RAI No.: N/A

Comments:
Response received April 2, 2012. Staff will review and discuss further if needed at subsequent telecom meeting.
NGIO Core software is tested and qualified as a platform component. As such, it does not need to be separately tested during the application development process.
TSAP is a Test Specimen Application Program used for purposes of platform qualification.
Invensys stated that The Diablo Canyon Application will be loaded onto plant system hardware during FAT.
Staff re-examined Invensys doc. "Validation Test Plan (VTP), 993754-1-813," Section 1.3.2 of the VTP that describes the Hardware Validation Test activities and Section 1.3.3 of the VTP and determined that the application program TSAP will be used for the FAT (Section 5.1.5 FAT)
Close this portion of the OI.

Issue Description:
[ISG-06 Enclosure B, Item 1.11] Software Test Plan: The V10 platform documents identified in ISG6 matrix state that the interface between the NGIO (Next Generation Input Output) Core Software and IO-specific software will not be tested. It is not clear when and how this interface will be tested, and why this test is not part of the software unit testing and integration testing activities.

Further, the 993754-1-813 Diablo Canyon Triconex PPS Validation Test Plan states that the DCPP's TSAP will not be loaded on the system; instead Triconex will use another TSAP for the validation test. It is not clear why the DCPP's TSAP will not be used for the validation test or when the DCPP's TSAP will be loaded on the system and validated for the Diablo Canyon PPS System. These items will need further clarification during the LAR review to demonstrate compliance with BTP-14.

PG&E response:

Tricon

The next-generation input/output (I/O) modules qualified for the V10 Tricon are the 3721N 4-20 mA, 32-point analog input (AI) module, and the 3625N 24 Vdc, 32-point digital output (DO) module. Technical data on these two modules was provided to the NRC in support of the V10 Tricon safety evaluation. Configuration and functional testing is performed when the I/O modules (hardware and embedded core firmware) are manufactured. From the factory the I/O modules are shipped to Invensys Nuclear Delivery for use in nuclear system integration projects, i.e., application specific configurations.

Because the module hardware and embedded core firmware are within the scope of the V10 Tricon safety evaluation, the verification and validation of the embedded core firmware will not be repeated as part of application-specific system integration projects.

There are certain design items that must be done with TriStation 1131 (TS1131), such as specifying which I/O module is installed in a particular physical slot of the Tricon chassis, resulting in each module having a unique hardware address in the system. Also, TS1131 is used to specify which application program parameters (i.e., program variable tag names) are assigned to a particular point on a given I/O module. The design items configured in TS1131 will be within the scope of validation activities conducted by Invensys Nuclear IV&V for application-specific system integration projects. The necessary collateral (system build documents, configuration tables, test procedures, test results, etc.) will be submitted to the NRC to support the staff's technical review of the PPS Replacement LAR in accordance with ISG-06.

The Phase 1 submittal under Invensys Project Letter 993754-026T, dated October 26, 2011, contained, in part, the Validation Test Plan (VTP), 993754-1-813. This document describes the scope, approach, and resources of the testing activities that are required for validation testing of the V10 Tricon portion of the PPS Replacement, including:

Preparing for and conducting system integration tests
Defining technical inputs to validation planning
Defining the test tools and environment necessary for system validation testing
Scheduling (and resource loading of the schedule)

Section 1.3.2 of the VTP describes the Hardware Validation Test activities and Section 1.3.3 of the VTP describes the V10 Tricon portion of the Factory Acceptance Test activities for the V10 Tricon portion of the PPS Replacement. Details on the application program are proprietary and need to be provided to the staff separately.

No. 6
Src/RI: AR (SM)
Status: Closed
RAI No.: Develop a generic RAI to provide a response to ASAIs for both platforms when the SERs are issued. RA#XX

Comments:
Response received April 2, 2012. Staff will review and discuss further if needed at subsequent telecom meeting.
Staff agreed that PG&E should submit a separate submittal (LAR amendment) to address the ASAIs for both platforms. It is not necessary to delineate exactly what will be done for each ASAI in this OI matrix.

Issue Description:
[ISG-06 Enclosure B, Item 1.14] Equipment Qualification Testing Plans - The LAR Sections 4.6, 4.10.2.4 and 4.11.1.2 provide little information on the plant specific application environmental factors. The Tricon V10 Safety Evaluation, ML11298A246, Section 6.2 lists 19 application specific actions Items (ASAI's) that the licensee should address for plant specific applications. The licensee should address each of these for Tricon portion of the PPS replacement. Similar information for the ALS portion of the PPS replacement will also be required.

PG&E response:

ALS

PG&E will respond to ALS ASAI's when they are available.

Tricon

IN PROGRESS. All of the Application Specific Action Items will be addressed by March 21, 2012.

No. 7
Src/RI: AR (BK)
Status: Open
RAI No.: N/A

Comments:
{WEK 4-12-12} Response received April 2, 2012. Staff reviewed this item and still need additional information to close this item. The staff will need to review this item further during an NRC audit at the Invensys facility. All the items noted below will be the scope of the audit.
3/21 update: it was agreed that PG&E/Invensys and PG&E/Westinghouse/CSI would provide a report (LAR supplement) to explain how these two issues will be resolved and submit to NRC - Date to be provided TBD.
Waiting for the V10 Tricon portion of the PPS Replacement Failure Modes and Effects Analysis, an ISG-06 Phase 2 document to be submitted to NRC in May 2012.
3/21 Update: PG&E/Invensys needs to provide a technical explanation of how the MP3008N processor actually ignores all commands when in RUN - address the items in the OI.
4/4/12 Update: Need to explain how this message format works to reject messages from the Tristation when in RUN?? Graphs and visual presentation of these concepts would be helpful.
This issue will also have to be addressed for the ALS platform.
PG&E/Invensys needs to provide a technical explanation of how the MP3008N processor actually ignores all commands when in RUN - address the items in the OI.

Issue Description:
[ISG-06 Enclosure B, Item 1.16] Design Analysis Reports: The LAR does not appear to comply with the SRP (ISG-04) regarding the connectivity of the Maintenance Work Station to the PPS. The TriStation V10 platform relies on software to effect the disconnection of the TriStation's capability to modify the safety system software. Based on the information provided in the LTR, the NRC staff determined that the Tricon V10 platform does not comply with the NRC guidance provided in ISG-04, Highly Integrated Control Rooms-Communications Issues, (ADAMS Accession No. ML083310185), Staff Position 1, Point 10, hence the DCPP PPS configuration does not fully comply with this guidance.

In order for the NRC staff to accept this keyswitch function as an acceptable deviation to this staff position, the staff will have to evaluate the DCPP PPS specific system communications control configuration--including the operation of the keyswitch, the software affected by the keyswitch, and any testing performed on failures of the hardware and software associated with the keyswitch. The status of the ALS platform on this matter is unclear at this time and will be resolved as the ALS LTR review is completed.

Moreover, the Tricon V10 system Operational Mode Change (OMC) keyswitch does change operational modes of the 3008N MPs and enables the TriStation 1131 PC to change parameters, software algorithms, etc, related to the application program of the safety channel without the channel or division being in bypass or in trip. As stated in Section 3.1.3.2 of the Tricon V10 SER, the TriStation 1131 PC should not normally be connected while the Tricon V10 is operational and performing safety critical functions. However, it is physically possible for the TriStation PC to be connected at all times, and this should be strictly controlled via administrative controls (e.g., place the respective channel out of service while changing the software, parameters, etc). The LAR does not mention any administrative controls such as this to control the operation of the OMC (operational mode change) keyswitch. Furthermore, in order to leave the non-safety TriStation 1131 PC attached to the SR Tricon V10 system while the key switch is in the RUN position, a detailed FMEA of the TriStation 1131 PC system will be required to ascertain the potential effects this non-safety PC may have on the execution of the safety application program/operability of the channel or division. These issues must be addressed in order for the NRC staff to determine that the DCPP PPS complies with the NRC Staff Guidance provided in Staff Position 1, Point 11. The status of the ALS platform on this point is unclear at this time.

PG&E response:

Tricon

The OMC keyswitch controls only the mode of the V10 Tricon 3008N MPs. In RUN position the 3008N MPs ignore* all commands from external devices, whether WRITE commands from external operator interfaces or program-related commands from TS1131.

The keyswitch is a four-position, three-ganged switch so that the three Main Processor (MP) modules can monitor the position of the switch independently. The Operating System Executive (ETSX) executing on the MP application processor monitors the position of the keyswitch. The three MPs vote the position of the keyswitch. The voted position of the keyswitch is available as a read-only system variable that can be monitored by the TSAP. This allows alarming the keyswitch position when it is taken out of the RUN position. TS1131 messages to and from the Tricon (i.e., ETSX executing on the MPs) are of a defined format. TS1131 messages for control program (i.e., TSAP) changes - whether download of new control programs or modification of the executing control program are uniquely identifiable. Such messages are received by ETSX and appropriate response provided depending upon, among other things, the position of the keyswitch. When a request from TS1131 is received by ETSX to download a new control program or modify the executing control program, ETSX accepts or rejects the request based on the voted keyswitch position. If the keyswitch is in RUN, all such messages are rejected. If the keyswitch is in PROGRAM, the Tricon is considered out of service and ETSX runs through the sequence of steps to download the new or modified control program, as appropriate.

Multiple hardware and software failures would have to occur on the V10 Tricon (in combination with human-performance errors in the control room and at the computer with TS1131 installed) in order for the application program to be inadvertently reprogrammed. Therefore, there is no credible single failure on the V10 Tricon that would allow the safety-related application program to be inadvertently programmed, e.g., as a result of unexpected operation of the connected computer with TS1131 installed on it.

The above conclusion will be confirmed (for the V10 Tricon portion of the PPS Replacement) in the Failure Modes and Effects Analysis, an ISG-06 Phase 2 document planned for submittal to NRC in May 2012. Additionally, Invensys Operations Management will support the staff's review of the hardware and software associated with the OMC keyswitch by making all of the technical data available for audit.

* TS1131 contains function blocks that allow WRITE-access to a limited set of parameters programmed into the application software, but only for a limited duration after which the capability is disabled until WRITE-access is re-enabled. However, without these function blocks programmed into the application program neither the application program nor application program parameters can be modified with the OMC keyswitch in the RUN position.

PG&E

Administrative controls on use of keyswitch will be provided with commitment to include in procedures in response.

Note, TS1131 is not used to change setpoints and protection set is inoperable when keyswitch is not in RUN position.

8 AR (RS) [ISG-06 Enclosure B, Item 1.21]

Status / RAI No.: Closed; N/A

Setpoint Methodology: The NRC staff understands that a summary of SP (setpoint) Calculations will be provided in Phase 2, however, section 4.10.3.8 of the LAR also states that PGE plans to submit a separate LAR to adopt TSTF 493. The NRC cannot accept this dependency on an unapproved future licensing action. The staff therefore expects the licensee to submit a summary of setpoint calculations which includes a discussion of the methods used for determining as-found and as-left tolerances. This submittal should satisfy all of the informational requirements set forth in ISG6 section D.9.4.3.8 without a condition of TSTF 493 LAR approval.

PG&E response:

The evaluation of the setpoints for the PPS replacement will need to be performed by Westinghouse in two phases in order to provide sufficient documentation to support 95/95 two-sided uncertainty values for the setpoints. This is because the NRC staff has been requesting additional information and additional data and analysis to demonstrate that the uncertainties used in the setpoint calculation have been based on a statistically sufficient quantity of sample data to bound the assumed values (to justify the confidence level of the calculation is appropriate) during recent Westinghouse projects involving setpoints. Significant information is required from the transmitter and RTD vendors, that has never been obtained before, to support development of calculations that can support 95/95 two-sided uncertainty values.

The first phase of the evaluation of the setpoints will include evaluation of the PPS replacement setpoints for the Tricon and ALS architecture using expected bounding uncertainty values. A setpoint summary evaluation which includes a discussion of the methods used for determining the as-found and as-left tolerances will be submitted by May 31, 2012. This is a change to the commitment 31 in Attachment 1 to the Enclosure to the PPS Replacement LAR.

The second phase of the evaluation of the setpoints will include development of Westinghouse calculations of the PPS replacement setpoints for the Tricon and ALS architecture using sufficient information from vendors to substantiate that the setpoints are based on 95/95 two-sided uncertainty values. The Westinghouse calculations will be completed by December 31, 2012 and will be available for inspection by NRC staff in Washington DC with support provided by Westinghouse setpoint group personnel. The NRC staff inspection of Westinghouse calculations in Washington DC has been performed for another recent utility project involving setpoints.

Comments: {WEK 4-12-12} Response received April 2 29 1 2012. PG&E's commitment to provide summary calc's by May 31, 2012 and not revise these setpoints via a TSTF-439 LAR addresses this OI. Close this OI.

3/7/12 update: PG&E stated that all setpoints determinations will be addressed as part of this LAR, and NOT submitted as a TSTF-493 licensing action.

3/21/12 update: The staff may choose to review the Westinghouse calculations at the Westinghouse office in Washington DC. However, if the safety finding is dependent on these calculations, then the setpoint calculations will be required to be submitted on the docket per NRC licensing procedures.

9 AR (BK)

Status / RAI No.: Closed; N/A

LTR Safety Conclusion Scope and Applicability - Many important sections of the DCPP PPS LAR refer the reader to the ALS licensing topical report (LTR) to demonstrate compliance of the system with various Clauses of IEEE 603-1991, IEEE 7-4.3.2-203, and ISG-04. However, many important sections of the ALS LTR state that compliance with various Clauses of these IEEE Stds and ISG-04 are application specific and refer the reader to an application specific license amendment submittal (i.e., the DCPP PPS LAR in this case). The staff has not yet had time to evaluate all the LAR information in detail and compare this information with that provided in the ALS LTR to ensure there is no missing information. However, PG&E and its contractors are encouraged to review these two licensing submittals promptly to verify that compliance with these IEEE Stds and ISG-04 are adequately addressed within both licensing documents.

PG&E response:

PG&E and Westinghouse have reviewed the LAR 11-07 and the ALS topical report to verify information is provided to justify compliance with IEEE 603-1991, IEEE 7-4.3.2-2003, and ISG-04 in either the LAR or the ALS topical report. As a result of the review, it was identified that neither the LAR nor the ALS topical report contain a matrix that documents compliance with ISG-04 Table 5-4 for the DCPP ALS platform. PG&E will submit a matrix that documents compliance with ISG-04 Table 5-4 for the DCPP ALS platform by May 31, 2012.

Comments: {WEK 4-12-12} Response received April 2 29 1 2012. The PG&E response to this item address the OI. Close this OI.

10 RS

Status / RAI No.: Closed; RAI Required (RAI # X)

Plant Variable PPS Scope - In the Description section of the LAR, section 4.1.3, nine plant variables are defined as being required for RTS and section 4.1.4 lists seven plant variables that are required for the ESFAS. Three additional plant variables were also listed in section 4.10.3.4.

Some variables are not listed in section 4.10.3.4 as being PPS monitored plant parameters. It is therefore assumed that these parameters are provided as direct inputs to the SSPS and that the PPS is not relied upon for the completion of required reactor trip or safety functions associated with them. Please confirm that these plant parameters and associated safety functions will continue to operate independently from the PPS and that the replacement PPS will not adversely impact the system's ability to reliably perform these functions.

PG&E response:

The PPS Replacement LAR Sections 4.1.3 and 4.1.4 describe the plant variables from which RTS and ESFAS protective functions are generated.

The initiation signal outputs to the SSPS coincidence logic are generated in the PPS or other, independent systems, or in some cases, by discrete devices. Section 4.1.3 items 6 (RCP bus UF, UV, and breaker position), 8 (Main Turbine trip fluid pressure and stop valve position) and 9 (seismic acceleration) are generated by discrete devices outside the PPS and provide direct contact inputs to the SSPS. Section 1.4 items 6 (Containment Exhaust Radiation) and 7 (RT breaker position Permissive P-4) are also generated outside the PPS and are direct contact inputs to the SSPS. The initiation signals associated with these plant parameters operate independently from the PPS. The replacement PPS will not adversely affect the reliable performance of the safety functions associated with these plant parameters.

The three signals (Wide Range RCS Temperature and Pressure and Turbine Impulse Chamber Pressure) not listed in Sections 4.1.3 and 4.1.4 are monitored by the PPS per Section 4.10.3.4. The Wide Range RCS Pressure and Temperature signals are used to generate the LTOP function described in DCPP FSAR Section 5. The PPS uses Turbine Impulse Chamber Pressure to generate an initiation signal that is used by the SSPS coincidence logic to develop Permissive P-13 as discussed in RAI 3, below.

Neutron Flux should be added to Section 4.2 Table 4-2 as follows:

Neutron Flux (Power Range, Upper & Lower): Input to Overtemperature Δ Temperature (OTΔT) RT; Input to Overpower Δ Temperature (OPΔT) RT

Comments: Neutron Flux is an input to Tricon but it is not listed in Table 4-2 "Process Variable inputs to Tricon"

Signals not associated with PPS functions will be designated as such in the SE and they will not be described since they are not in scope.

11 RS

Status / RAI No.: Closed; RAI Required (RAI # X). RAI still needs to be sent.

Power Range NIS Function - Section 4.1.7 describes the Existing Power Range NIS Protection Functions and it states that the Power Range nuclear instrumentation provides input to the OTΔT, and OPΔT protection channels. It is not entirely clear whether any of the described NIS protection functions will be performed by the PPS system. Please clarify exactly what the role of the PPS system is for these NIS Protection functions.

PG&E response:

Power range analog inputs are provided by the NIS to each PPS Protection Set for use in the calculation of the Overtemperature Delta-T and Overpower Delta-T Setpoint in the Delta-T/Tavg channels. No other NIS signals interface with the PPS. The NIS Protection functions (RT and power range permissives) are generated independently by Nuclear Instrumentation bistable comparators. The NIS bistable outputs are sent directly to the SSPS and have no physical interface with the PPS.

Comments: Only PPS Functions will be described in the SE.

12 RS

Status / RAI No.: Close; RAI Required (RAI # X)

Permissive Functions - Several Permissive functions are described within the LAR. It is not clear to the staff whether any of these functions are to be performed by the PPS or if the PPS will only be providing input to external systems that in turn perform the permissive logic described in the LAR.

Section 4.1.9 states that "Settings of the bistable comparators used to develop the permissives are not affected by the PPS Replacement Project", which implies that all of these permissive functions are performed by systems other than the PPS. However, it is still unclear if this statement applies to all permissive functions described throughout the LAR or if it applies only to those permissives relating to Pressurizer Pressure. It is also possible that the permissive functions are being performed by the existing PPS and will continue to be performed by the replacement system and therefore remain "not affected" by the PPS replacement project.

Please provide additional information for the following permissive functions to clearly define what the role of the PPS system will be for each.

  • P-4 Reactor Trip
  • P-6 Intermediate Range Permissive
  • P-7 Low Power Permissive (Bypasses low Ppzr reactor trip)
  • P-8 Loss of Flow Permissive
  • P-9 Power Permissive
  • P-10 Power Range Power Low Permissive
  • P-11 Low Pressurizer Pressure SI Operational Bypass
  • P-12 No-Load Low-Low Tave Temperature Permissive
  • P-13 Turbine Low Power Permissive
  • The LAR states that "These signals are generated in the PPS"

PG&E response:

Permissive function initiation signals generated within the existing PPS will continue to be performed by the replacement PPS and therefore remain "not affected" by the PPS replacement project. Permissive function initiation signals that are generated independently of the existing PPS will continue to be generated independently.

  • Permissive P6, P-8, P-9, and P-10 initiation signals are bistable comparator outputs from the independent NIS to the SSPS. There is no interface with the PPS.
  • Permissive P-4 initiation signals are direct contact inputs to the SSPS coincidence logic generated from contacts in the Reactor Trip Breakers (RTB). There is no interface with the PPS.
  • Permissive P-11, P-12, P-13, and P-14 initiation signals are generated by bistable comparator outputs generated in the PPS and sent to the SSPS.
  • Permissive P-7 is generated in the SSPS from 3 out of 4 power range NI channels (from NIS - P-10) below setpoint and 2/2 turbine impulse chamber pressure channels below setpoint (From PPS P13).

The bistable initiation signals described above are monitored by the SSPS. The SSPS generates the Permissive when appropriate coincidence of initiation signals is detected. No SSPS permissive or safety function coincidence logic is changed by the PPS replacement project.

Permissives P-6, P-7, P-8, P-9, P-10, and P-13 are functionally described in FSAR Table 7.2-2. Permissives P-4, P-11, P-12, and P-14 are functionally described in FSAR Table 7.3-3.

The bistable comparator setpoints for the above-listed permissives are not expected to change at this time.

Comments: The NRC understands that all permissives are developed within the SSPS system. Permissives P11 - P14 use inputs provided by PPS system. All other permissives use inputs generated by external systems that are independent of the PPS.

See 13 below.

13 RS

Status / RAI No.: Closed; RAI Required (RAI # X)

P12 Permissive Contradiction - The second paragraph of section 4.1.20 describes the P-12 interlock and states that "These signals are developed in the PPS". This statement is then contradicted in the third paragraph by the following statement;

"These valves are not safety-related, but are interlocked with the P-12 signal from the SSPS."

In conjunction with the response to RAI 3, please provide a resolution for this contradiction in section 4.1.20 of the LAR.

PG&E response:

The word "signals" in the referenced Section 4.1.20 sentence, "These signals are developed ... " is referring to the bistable comparator outputs which are monitored by the SSPS. The PPS does not generate the P-12 Permissive itself. The actual P-12 Permissive is generated by the SSPS when appropriate coincidence of initiation signals is detected. The SSPS output is interlocked with the valves as stated in the third paragraph of Section 4.1.20.

The LAR Section 4.1.20 is clarified by the following statement:

" ... The P-12 Permissive is developed in the SSPS based on coincidence of the P-12 bistable comparator output initiation signals from the PPS ..."

Protection System Permissives (P-11 unblock SI from ALS, P13 Turbine power permissive from Tricon, and P-14 Steam Generator Level high-high from Tricon) are generated by coincident logic in the SSPS based on initiating signals (bistable outputs) from the PPS as noted in the response to OI #12. Permissive development, including initiating signals and logic coincidence is shown in FSARU Tables 7.2-2 (RTS) and 7.3-3 (ESFAS).

The PPS does not perform coincident logic functions and does not "generate" any protection system permissives.

Comments: The NRC understands that the P12 signal is generated by the SSPS using signals developed in the PPS.

14 RS

Status / RAI No.: Closed

Section 4.1.1 SSPS contains the following statement in the last paragraph;

"Information concerning the PPS status is transmitted to the control board status lamps and annunciators by way of the SSPS control board demultiplexer and to the PPS by way of the SSPS computer demultiplexer."

Why would the PPS status need to be transmitted to the PPS as the sentence suggests in the last phrase?

PG&E response:

The sentence in Section 4.1.1 contains a typographical error. The sentence should read:

"Information concerning the PPS status is transmitted to the control board status lamps and annunciators by way of the SSPS control board demultiplexer and to the Plant Process Computer (PPC) by way of the SSPS computer demultiplexer."

As used in the Section 4.1.1. paragraph, "PPS Status" means "PPS Channel Trip Status."

Comments: PGE Response resolves this Open Item. Change status to Closed.

15 (BK)

Status / RAI No.: Open; RAI Required (RAI # X)

An ISG-04 compliance matrix for the DCPP PPS system was not submitted with, or referenced in, the LAR for the W/ALS platform. Instead the ISG-04 compliance section 4.8 of the LAR refers the reader to the ALS LTR for nearly all the points of ISG-04. Fig. 4.4 and 4.5 of the LAR indicate various 1E and non-1E communication pathways to and from ALS processor (e.g., Maintenance Work Station, plant computer, process control, port aggregator, and 4-20 ma temperature signal to Tricon processor). These are all application specific features of the PPS and the staff expects a W/CSI ALS document to be submitted, similar in scope and detail to the Invensys "PACIFIC GAS & ELECTRIC COMPANY NUCLEAR SAFETY-RELATED PROCESS PROTECTION SYSTEM REPLACEMENT DIABLO CANYON POWER PLANT DI&C-ISG-04 CONFORMANCE REPORT" Document No. 993754-1-912 Revision 0, to be submitted on the docket, which explains how the ALS portion of the PPS application conforms with the guidance of ISG-04.

PG&E response:

Westinghouse will provide a DCPP PPS specific ISG-4 Compliance Table by March 31, 2012 and PG&E will submit the Table by May 31, 2012.

Comments: {WEK 4-4-12} No further discussion necessary until May 31, 2012.

4/4/12 update: The draft ALS ISG-04 compliance matrix on the ALTRAN Sharepoint website is not detailed enough for the staff to use in approving the ALS portion of the PPS' communications design. Suggest PG&E review the Invensys ISG-04 Doc. Document No. 993754-1-912 (-P) Revision 0, and provide guidance for an ALS document at the same level of detail.

16 (BK)

Status / RAI No.: Open; RAI Required (RAI # X)

Section 1.4.4 (pg. 12/38) of document 993754-1-813 Diablo Canyon Triconex PPS Validation Test Plan (VTM) states "The network equipment, including media converter, NetOptics Network Aggregator Tap, and gateway hub, and the MWS will not be within the test scope of this VTP. The Nuclear Delivery (ND) group will coordinate with Pacific Gas & Electric for system staging prior to turn over to Nuclear IV&V. The Nuclear IV&V group will confirm proper operation of network communications system interfaces before beginning testing addressed in this VTP." When, where, and what procedures will be used to test the network equipment??

PG&E response: Additional information on the PPS testing is being provided to the staff. The VTM will need to be updated based on the additional information. A date that the updated VTM will be submitted will be provided after feedback from the staff is received on the additional information on the PPS testing.

Comments: Please indicate when this action is scheduled for completion.

17 (BK)

Status / RAI No.: Open; RAI Required (RAI # X)

Section 5.1.4.3, Hardware Validation Tests, (pg. 27/38) of document 993754-1-813 Diablo Canyon Triconex PPS Validation Test Plan (VTM) states that the ALS equipment will not be included in the FAT. Where, when, and what procedures will be used to fully test the Integrated PPS system (both Tricon V10 and ALS platforms together) be subjected to FAT.

PG&E response: Additional information on the PPS testing is being provided to the staff. The VTM will need to be updated based on the additional information. A date that the updated VTM will be submitted will be provided after feedback from the staff is received on the additional information on the PPS testing.

Comments: Please indicate when this action is scheduled for completion.

18 (BK)

Status / RAI No.: Open; RAI Required (RAI # X)

Software Management Plan: Regulatory Guide (RG) 1.168, Revision 1, "Verification, Validation, Reviews and Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," dated February 2004 endorses IEEE (Institute of Electrical and Electronics Engineers) 1012-1998, "IEEE Standard for Software Verification and Validation," and IEEE 1028-1997, "IEEE Standard for Software Reviews and Audits," with the exceptions stated in the Regulatory Position of RG 1.168. RG 1.168 describes a method acceptable to the NRC staff for complying with parts of the NRC's regulations for promoting high functional reliability and design quality in software used in safety systems. Standard Review Plan (SRP) Table 7-1 and Appendix 7.1-A identify Regulatory Guide 1.168 as SRP acceptance criteria for reactor trip systems (RTS) and for engineered safety features actuation systems (ESFAS).

The Invensys PPS Replacement Software Verification and Validation Plan (SWP), 993754-1-802 does not provide a clear explanation of how the Invensys SWP complies with IEEE 1012-1998. Please provide a cross reference table that explains how the Invensys SWP implements the criteria of IEEE 1012-1998.

Also, the Westinghouse/ALS 6116-00000 Diablo Canyon PPS Management Plan, does not provide a clear explanation of how the CSI SWP complies with IEEE 1012-1998. Please provide a cross reference table that explains how the W/CSI SWP implements the criteria of IEEE 1012-1998.

PG&E response:

Westinghouse will provide an IEEE-1012 compliance map by May 4, 2012 to PG&E and PG&E will submit the matrix to the staff by May 31, 2012.

Comments: (WEK 4/12/12) update: The staff has reviewed the Invensys IEEE 1012 compliance matrix on the PG&E/Altran sharepoint directory and it appears to be acceptable. The matrix appears to be comprehensive and indicates no exceptions to any clauses in IEEE 1012. No attempt was made to review/verify that where Invensys claims compliance with any particular Clause in the Std, that the respective section in their SWP is acceptable-the staff will work through this as the SWP is reviewed and evaluated for approval. Please submit the document on the docket.

This OI will remain open pending review of the Westinghouse/CSI document.

19 RS

Status / RAI No.: Open; RAI will eventually be required (RAI # X)

Section 4.1.1 of the LAR states that;

"The SSPS evaluates the signals and performs RTS and ESFAS functions to mitigate Abnormal Operational Occurrences and Design Basis Events described in FSAR [26] Chapter 15."

however, Chapter 15 of the DCPP FSAR does not use the terms Abnormal Operational Occurrence (AOO) or Design Basis Accident (DBE). Instead, the accident analysis in chapter 15 identifies conditions as follows;

CONDITION I - NORMAL OPERATION AND OPERATIONAL TRANSIENTS

CONDITION II - FAULTS OF MODERATE FREQUENCY

CONDITION III - INFREQUENT FAULTS

CONDITION IV - LIMITING FAULTS

As such, the statement that AOO's and DBE's are described in the FSAR appears to be inaccurate. Please explain the correlation between the Conditions described in FSAR chapter 15 and the Abnormal Operational Occurrences, and Design Basis Events described in the LAR.

PG&E response: The AOO's are referred to as ANS Condition I "Operational Transients" in FSAR Chapter 15 and are addressed in FSAR Chapter 15.1. The design basis accidents are referred to as ANS Condition II "faults of moderate frequency," ANS Condition III "infrequent faults," and ANS Condition IV "limiting faults" and are addressed in FSAR Chapter 15.2, 15.3, and 15.4 respectively.

Comments: 3/21/12 update: PG&E has created a share point website for NRC to review PPS design drawings that will address this issue as well as OI 20 and 21. NRC staff will determine if they are needed to be submitted on the docket. PG&E will ensure the website is information is only applicable to this licensing action.

20 RS

Status / RAI No.: Open; RAI will eventually be required (RAI # X)

The system description provided in Section 4 of the LAR includes "functions performed by other protective systems at DCPP in addition to the PPS functions". In many cases, there is no explanation of what system is performing the functions described nor is there a clarification of whether the described functions are being performed by the PPS system.

As an example, Section 4.1.16 describes a bypass function to support testing of the high-high containment pressure channel to meet requirements of IEEE 279 and IEEE 603. The description of this function does not however, state whether this latch feature is being implemented within the PPS system or in the SSPS.

The staff needs to have a clear understanding of the functional scope of the PPS system being modified in order to make its regulatory compliance determinations. Please provide additional information such as PPS function diagrams to help the staff distinguish PPS functions from functions performed by other external systems.

PG&E Response: PPS design drawings have been provided to the staff on the Sharepoint site.

Comments: 3/21/12 update: PG&E has created a share point website for NRC to review PPS design drawings that will address this issue. NRC staff will determine if they are needed to be submitted on the docket. PG&E will ensure the website is information is only applicable to this licensing action.

21 RA

Status / RAI No.: Open; RAI will eventually be required (RAI # X)

Westinghouse/CSI document 6116-00005, "Diablo Canyon PPS System Test Plan," states that the ALS-102 FPGA design is changed for the DCPPS System. Further, Section 5.3.3 states: "Test as many of the ALS-102 requirements as possible."

Please identify what document describes the design verification test for this board.

PG&E response: PPS design drawings have been provided to the staff on the Sharepoint site.

Comments: 3/21/12 update: PG&E has created a share point website for NRC to review PPS design drawings that will address this issue. NRC staff will determine if they are needed to be submitted on the docket. PG&E will ensure the website is information is only applicable to this licensing action.

22 BK

Status / RAI No.: Open; RAI will be required (RAI # X)

Follow-on OI # 5 question pertaining to the PPS VTP:

Section 1.4.4 (pg. 12/38) states "The network equipment, including media converter, NetOptics Network Aggregator Tap, and gateway hub, and the MWS will not be within the test scope of this VTP. The Nuclear Delivery (ND) group will coordinate with Pacific Gas & Electric for system staging prior to turn over to Nuclear IV&V. The Nuclear IV&V group will confirm proper operation of network communications system interfaces before beginning testing addressed in this VTP." When, where, and what procedures will be used to test the network equipment??

Also, section 5.1.4 (3) Hardware Validation Tests states that the ALS equipment will not be included in the FAT (pg. 27/38). Where, when, and what procedures will be used to fully test the Integrated PPS system (both Tricon V10 and ALS platforms together) be subjected to FAT.

PG&E response:

Additional information on the PPS testing is being provided to the staff.

The VTP will need to be updated based on the additional information. A date that the updated VTP will be submitted will be provided after feedback from the staff is received on the additional information on the PPS testing.

23 BK

Status / RAI No.: Open; RAI will be required (RAI # X)

Section 4.2.13.1 of the LAR (page 85) states; "Figure 4-13 only shows one TCM installed in the Tricon Main Chassis (Slot 7L), the PPS replacement will utilize two TCM cards in each main chassis (Slots 7L and 7-R). This will provide two non-safety-related communication paths to the MWS and the PPC Gateway Computer from each Protection Set to ensure continued communications if a single TCM fails.

The NetOptics Model PA-CU/PAD-CU 1 PA-CU port aggregator network tap was approved previously by NRC for a similar application in the Oconee RPS SER Section 3.1.1.4.3 [18]. The NRC staff determined that due to the electrical isolation provided by use of fiber optic cables and the data isolation provided by the Port Tap and the Maintenance and Service Interface (MSI) in the Oconee RPS, there was reasonable assurance that a fault or failure within the Oconee Gateway computer or the Operator Aid Computer will not adversely affect the ability of the Oconee RPS to accomplish its safety functions.

During the SAT PG&E will test the Protection Set communications paths illustrated in Figure 4-13 to verify that there is no inbound communications path associated with port aggregator network tap Port 1. That is, PG&E will verify that communications from Port 1 to either the TCM on Port A or the MWS on Port B of the port aggregator network tap are not permitted.

Results of this test will be documented in final System Verification and Validation Report. Port aggregator dual in-line package (DIP) switch positions will be controlled by DCPP configuration management processes."

In order for the Staff to approve the integrated configuration of the PPS, prior to shipment of the PPS equipment to DCPP site, all communications paths will require testing on or before FAT, and before completion of the SER. This testing is typically completed during or before the PPS FAT, otherwise, the SER will not be completed until after the SAT. Please provide a test scheme/procedures that satisfies all regulatory requirements prior to or during the FAT. Otherwise, if this testing will be completed during the SAT, as stated in the LAR, please provide a detailed schedule for this testing so the NRC can revise its PPS LAR Review Plan accordingly.

[1] The NetOptics Model PAD-CU has two one-way output ports but is otherwise identical in function to the PA-CU.


PG&E response: Additional information on the PPS testing for ALS is being provided to the staff. A date the additional information will be submitted will be provided after feedback from the staff is received on the additional information on the PPS testing for ALS.

Factory Acceptance Testing (FAT)

The overlapping test methodology illustrated in Figure 1 and described below will ensure that all specified PPS safety function requirements for each platform are verified at the FAT, and functions that cannot be verified at the FAT will be tested at the SAT. An integrated FAT, with the ALS connected to the Tricon, will not be performed because the ALS and Tricon FAT will be performed in different locations. Data transfer from the Tricon through port aggregator port 1 to the gateway computer through the gateway switch is not required for the PPS to perform its safety function. The LAR commits to verifying that there is no inbound communications path from port 1 to ports A or B. A test will be run during Tricon FAT to verify that the port aggregator performs this function. These communications functions will be tested at the SAT. The only connections between the ALS and the Tricon are the Reactor Coolant System temperature channels.

The ALS provides Class 1E signal conditioning for the Pressurizer Vapor Space temperature, Reactor Coolant System wide range temperature and narrow range RTD inputs to the Overpower Delta Temperature (OPDT) and Overtemperature Delta Temperature (OTDT) thermal trip functions due to its improved ability to process 200 Ohm RTD inputs vs. Triconex. The ALS processes the resistance (ohms) RTD input signals and transmits the temperature values to the Tricon as analog 4-20 mA signals. There is no digital data connection between the Tricon and the ALS.

The resistance to milliamp conversion will be tested at the ALS FAT to verify that all requirements specified for converting the resistance to current are met. The Tricon FAT will test these channels by injecting the corresponding 4 to 20 mA signals into the Tricon and verifying that all requirements specified for the temperature channels are met. After the FAT, the equipment will be shipped to DCPP and then both systems will be integrated to perform the Site Acceptance Testing (SAT) which will test the analog interface directly along with others that cannot be tested at the FAT, such as the connection to the Plant Data Network (PDN) Gateway Computer.

For the Tricon FAT, PG&E will provide the Maintenance Workstation (MWS), port aggregator network tap, network switches, and media converters as needed to test the complete interface between the MWS and the Tricon. The ALS Service Unit (ASU) software will also be loaded on the MWS to facilitate identification of any interaction between the MWS Wonderware application, the ASU software, and/or the MWS operating system.

Communications from the Tricon to the Plant Data Network (downstream of the port aggregator one-way port) will not be tested at the FAT but will be tested at the SAT. The MWS displays the same data that will be available to the PDN so verification of this data will be performed during the FAT. Each Protection Set has its own MWS. The MWS is not shared between or among Protection sets. Each protection set will be integrated in its own rack with all associated equipment to support FAT. The FAT will be performed on all four protection sets. The functionality of the MWS will be tested during the FAT to verify MWS requirements specified in the FRS and Tricon SRS. The FAT will verify correct two-way communications between the Tricon and the MWS through Ports A and B of the port aggregator, and will also verify that there is no inbound communication path from port 1 to either port A or B.

PG&E will provide a MWS for the ALS FAT. The port aggregator is not required for the ALS. The communications from both TxB1 and TxB2 one-way RS-422 ports will be tested to verify all specified data is being transmitted correctly. The MWS Wonderware application will be running to display the read only parameters. The ASU software running on the MWS will be tested during the FAT to verify its functionality and to identify any interactions between the ALS ASU software, the MWS Wonderware application, and/or the MWS operating system. The two-way RS-485 port will be tested with a mechanical switch to verify the ability to update parameters and to isolate the MWS from the ALS.

All boards of the same type in the ALS platform have the same capabilities. The boards can be configured by the user to meet the requirements of any protection set. The FAT will be performed on each protection set configuration, including power supplies, the MWS, and all associated equipment that supports the safety function for the specific protection set. That is, Protection Set 1 will be configured and tested with all the associated sensor inputs and appropriate loads on the digital and analog outputs. Upon completion of testing, the equipment will be reconfigured as Protection Set 2 and tested. The same process will be used for Protection Sets 3 and 4.

Enclosure 3

The SAT will be performed on an integrated system. The connection of the safety-related temperature channels from the ALS to the Tricon will be verified during the SAT. The SAT will verify communications, including one-way communication from the port aggregator to the gateway, as well as other non-safety functions and connections that cannot be tested at the FAT, prior to installation in the plant. The integrated system used for SAT will be used to perform training and complete the operational and maintenance procedures prior to installation of the production system in the plant. Any application software changes from the time the equipment arrives at PG&E facilities until its installation in the plant is subject to configuration management controls.
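The port aggregator path check described in this enclosure, as an added example that is not PG&E's or the NRC's test procedure: it scores a probe log against the stated path policy (Ports A and B two-way, both copied out of Port 1, nothing from Port 1 to A or B). The `inject`/`capture` log format, the tag names and the finding labels are assumptions made for illustration.

```python
import re

# Path policy as the page states it: Ports A (TCM) and B (MWS) exchange traffic
# both ways, both are copied out of Port 1, nothing entering Port 1 reaches A or B.
REQUIRED = {("A", "B"), ("B", "A"), ("A", "1"), ("B", "1")}
PROHIBITED = {("1", "A"), ("1", "B")}
RECORD = re.compile(r"^(inject|capture) port=([AB1]) tag=(\w+)$")  # assumed log format

def observed(log_lines):
    """Return (ports that injected a probe, set of (src, dst) paths a probe crossed)."""
    origin, captures = {}, []
    for line in log_lines:
        m = RECORD.match(line.strip())
        if not m:
            raise ValueError(f"unparseable record: {line!r}")
        kind, port, tag = m.groups()
        if kind == "capture":
            captures.append((tag, port))
        elif tag in origin:
            raise ValueError(f"probe tag reused: {tag}")
        else:
            origin[tag] = port
    delivered = set()
    for tag, port in captures:
        if tag not in origin:
            raise ValueError(f"capture of unknown tag: {tag}")
        if origin[tag] != port:
            delivered.add((origin[tag], port))
    return set(origin.values()), delivered

def evaluate(log_lines):
    """List findings; an empty list means every path behaved as the policy requires."""
    sources, delivered = observed(log_lines)
    findings = []
    for src, dst in sorted(REQUIRED | PROHIBITED):
        if src not in sources:
            # No probe entered this port, so silence at dst proves nothing.
            findings.append(("UNTESTED", src, dst))
        elif (src, dst) in PROHIBITED and (src, dst) in delivered:
            findings.append(("INBOUND_PATH", src, dst))
        elif (src, dst) in REQUIRED and (src, dst) not in delivered:
            findings.append(("PATH_DOWN", src, dst))
    return findings

# Constructed sample logs (not real test records).
PASS_LOG = ["inject port=A tag=a1", "capture port=B tag=a1", "capture port=1 tag=a1",
            "inject port=B tag=b1", "capture port=A tag=b1", "capture port=1 tag=b1",
            "inject port=1 tag=x1"]
LEAK_LOG = PASS_LOG + ["inject port=1 tag=x2", "capture port=A tag=x2"]
NO_PROBE_LOG = PASS_LOG[:6]

if __name__ == "__main__":
    for name, log in [("pass", PASS_LOG), ("leak", LEAK_LOG), ("no probe", NO_PROBE_LOG)]:
        print(name, evaluate(log))
```

The third log shows why a clean capture at Ports A and B is not evidence on its own: without a probe actually injected at Port 1, the prohibited paths are reported as untested rather than passed.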


Figure 1: Replacement PPS Acceptance Testing with Overlap

[Diagram not reproduced. Recoverable labels: Protection Sets I through IV, each with ALS "A" and ALS "B"; Tricon TCM1 (7L) and TCM2 (7R); port aggregator tap (typ. of 2); Maintenance Workstation; two-way communication enable switch (typ. for ALS A and ALS B); RS-422 copper to gateway computer; gateway switch and gateway computer(s) to PDN/PPC; connection to Control Room HMI (CC4). Test boundaries marked: ALS FAT, Triconex FAT, PG&E. Legend: multi-mode optical fiber; triplicated optical fiber; RS-422/RS-485 serial or 100BaseT copper; 4-20 mA analog copper.]

FAT Verification of TxB2 Communication Link Provided to Maintenance Workstation

The TxB2 communication path from the ALS to the MWS is a single point-to-point unidirectional (one-way only) EIA-422 serial link. The TxB2 communication link is fixed in length, size, and update rate.

The TxB2 link contains ALS status information for determining system values, states, and health.

The connection of the ALS to the ASU running on the MWS hardware via the TxB2 communication path occurs by means of a local communication serial port that exists on the MWS hardware.

The MWS local communication serial port is only accessed by the ASU software upon user demand.

The MWS local communication serial port used by the ASU is a dedicated serial port and is not accessed by any other subsystem software running concurrently on the MWS.

The ASU application is assigned a static communication port value and the communication port assignment is hardcoded into the ASU application source code. The communication port assignment cannot be changed in the field.

ASU software functionality is verified through integration testing and FAT testing on representative MWS hardware with Tricon maintenance software running in parallel.

Tricon maintenance software will be executed on the MWS in a manner that mimics hardware utilization (memory, hardware utilization, processor utilization) and injected with a data stream that is representative of the actual data expected from the Tricon hardware subsystem.

ASU maintenance software will be run in parallel with the Tricon maintenance software to verify that no adverse effects exist during operation.

FAT Verification of RTD Interface to the Tricon

Verification of the ALS RTD to current loop conversion presented to the Tricon subsystem will occur by presenting simulated RTD inputs to the ALS-311 analog input (AI) cards and sweeping the full RTD input range and then verifying the corresponding current loop output at a simulated Tricon Load. Refer to Figure 1 for a high level diagram of the test setup.

The RTD input presented to the ALS-311 AI card is simulated using a precision programmable resistance output card. The Tricon load is simulated by using a precision analog input instrument that is capable of reading the full range of 4-20 mA output range provided by ALS-A and ALS-B. Both the precision programmable resistance output card and the precision analog input cards are commercially available cards based on the PCI eXtensions for Instrumentation (PXI) standard.

A fixed number of resistance steps based on the ALS subsystem accuracy requirements will be used to sweep the input of the ALS-311 with an input resistance range value that corresponds to the full range of output values that the ALS expects to present to the Tricon subsystem.

Enclosure 4

Figure 1 - RTD to Current Loop Verification Hardware Configuration

[Diagram not reproduced. Recoverable labels, for each of ALS-A and ALS-B: programmable resistance RTD input, ALS-311, ALS-102, ALS-421, 4-20 mA output to a simulated Tricon load (16-bit analog input); 3-wire and 4-wire RTD connections are labelled.]

determination would be made if changes were needed when the underlying questions are formally issued as requests for additional information.

Item 23 in Enclosure 2 relates to an ALS system testing question. The licensee's response to this question is provided in Enclosure 4. The NRC staff indicated that a review of both Enclosures 3 and 4 would continue and feedback would be provided, as appropriate, on possible clarification to the responses.

The NRC staff and licensee confirmed that the next meeting on this topic would be held on May 16, 2012. In addition, a meeting related to the setpoint changes to support the LAR was tentatively scheduled for June 28, 2012. At the staff's request, the licensee stated that a more detailed agenda for the June 28, 2012, meeting would be provided so that the staff could better plan for the meeting and use the agenda in the notice for the meeting. The staff and the licensee agreed that they would consider the appropriate timing for additional meetings and whether these would be done on a monthly basis as opposed to every 2 weeks.

Please direct any inquiries to me at 301-415-1132 or at Joseph.Sebrosky@nrc.gov.

/RA/
Joseph M. Sebrosky, Senior Project Manager
Plant Licensing Branch IV
Division of Operating Reactor Licensing
Office of Nuclear Reactor Regulation

Docket Nos. 50-275 and 50-323

Enclosures:

1. List of Attendees
2. Staff identified issues
3. Process Protection System Factory Acceptance Testing and Site Acceptance Testing
4. Advanced Logic System Testing

cc w/encls: Distribution via Listserv

DISTRIBUTION:

PUBLIC
LPLIV Reading
RidsAcrsAcnw_MailCTR Resource
RidsNrrDeEicb Resource
RidsNrrDorl Resource
RidsNrrDorlLpl4 Resource
RidsNrrLAJBurkhardt Resource
RidsNrrPMDiabloCanyon Resource
RidsOgcRp Resource
RidsRgn4MailCenter Resource
WMaier, RIV
TWertz, NRR
WKemper, NRR/DE/EICB
RStattel, NRR/DE/EICB
SMakor, RIV/DRS/EB2
MMcCoppin, EDO RIV

ADAMS Accession Nos.: Meeting Notice ML120720092, Meeting Summary ML121150504 (*via email)

OFFICE   DORL/LPL4/PM   DORL/LPL4/LA   NRR/DE/EICB   DORL/LPL4/BC   DORL/LPL4/PM
NAME     JSebrosky      JBurkhardt     RStattel*     MMarkley       JSebrosky
DATE     5/1/12         4/27/12        5/1/12        5/3/12         5/3/12

OFFICIAL RECORD COPY