ML121150504


Summary of Meeting with Pacific Gas and Electric Company to Discuss Digital Replacement of Process Protection System at Diablo Canyon Power Plant, Units 1 and 2
ML121150504
Person / Time
Site: Diablo Canyon (Pacific Gas & Electric)
Issue date: 05/03/2012
From: Joseph Sebrosky
Plant Licensing Branch IV
To:
Sebrosky J, NRR/DORL/LPL4 301-415-1132
References
TAC ME7522, TAC ME7523


Text

UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

May 3, 2012

LICENSEE: Pacific Gas and Electric Company

FACILITY: Diablo Canyon Power Plant, Unit Nos. 1 and 2

SUBJECT: SUMMARY OF APRIL 18, 2012, TELECONFERENCE MEETING WITH PACIFIC GAS AND ELECTRIC COMPANY ON DIGITAL REPLACEMENT OF THE PROCESS PROTECTION SYSTEM PORTION OF THE REACTOR TRIP SYSTEM AND ENGINEERED SAFETY FEATURES ACTUATION SYSTEM AT DIABLO CANYON POWER PLANT (TAC NOS. ME7522 AND ME7523)

On April 18, 2012, a Category 1 teleconference public meeting was held between the U.S. Nuclear Regulatory Commission (NRC) and representatives of Pacific Gas and Electric Company (PG&E, the licensee) at NRC Headquarters, One White Flint North, 11555 Rockville, Maryland. The purpose of the teleconference meeting was to discuss the license amendment request (LAR) submitted by PG&E on October 26, 2011, for the Digital Replacement of the Process Protection System (PPS) Portion of the Reactor Trip System and Engineered Safety Features Actuation System at Diablo Canyon Power Plant, Unit Nos. 1 and 2 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML113070457). A list of attendees is provided in Enclosure 1.

The teleconference meeting is one in a series of publicly noticed teleconference meetings to be held periodically to discuss issues associated with the NRC staff's LAR review. Preliminary issues that the NRC staff identified during the initial review, and the licensee's responses to these preliminary issues, were discussed during the teleconference meeting. The list of preliminary issues is provided in Enclosure 2.

During the discussion of the items in the table, the licensee verified that in response to item 8, PG&E's plans for a submittal of a separate LAR related to instrumentation and control setpoint changes would be pursued independently of the PPS LAR and that there would be no dependencies between these licensing actions. The licensee indicated that supplemental information would be provided to address any issues associated with the PPS setpoint changes as part of the October 26, 2011, LAR. The licensee agreed to revise the response to item 8 to reflect this expectation.

Items 16, 17 and 22 in Enclosure 2 relate to questions associated with the PPS factory acceptance testing (FAT) and site acceptance testing (SAT). The licensee's response to these items is provided in Enclosure 3. During the discussion of the information in Enclosure 3, the NRC staff indicated that the licensee may want to clarify the statement that there are no digital data connections between the Tricon and Advanced Logic System (ALS) systems. The staff indicated that because both systems are connected to the maintenance work station, the maintenance work station appeared to provide a path for a digital data connection. The licensee indicated statements found in Enclosure 3 in this area would be reviewed and a determination would be made if changes were needed when the underlying questions are formally issued as requests for additional information.

Item 23 in Enclosure 2 relates to an ALS system testing question. The licensee's response to this question is provided in Enclosure 4. The NRC staff indicated that a review of both Enclosures 3 and 4 would continue and feedback would be provided, as appropriate, on possible clarification to the responses.

The NRC staff and licensee confirmed that the next meeting on this topic would be held on May 16, 2012. In addition, a meeting related to the setpoint changes to support the LAR was tentatively scheduled for June 28, 2012. At the staff's request, the licensee stated that a more detailed agenda for the June 28, 2012, meeting would be provided so that the staff could better plan for the meeting and use the agenda in the notice for the meeting. The staff and the licensee agreed that they would consider the appropriate timing for additional meetings and whether these would be done on a monthly basis as opposed to every 2 weeks.

Docket Nos. 50-275 and 50-323

Enclosures:

1. List of Attendees
2. Staff identified issues
3. Process Protection System Factory Acceptance Testing and Site Acceptance Testing
4. Advanced Logic System Testing

cc w/encls: Distribution via Listserv

LIST OF ATTENDEES

APRIL 18, 2012, TELECONFERENCE MEETING WITH PACIFIC GAS AND ELECTRIC COMPANY REGARDING DIABLO CANYON POWER PLANT DIGITAL UPGRADE

DOCKET NO. 50-273 AND 50-323

NAME                ORGANIZATION
Ken Schrader        Pacific Gas and Electric
Scott Patterson     Pacific Gas and Electric
Bob Lint            Altran
John Hefler         Altran
K. Brandt           Altran
J. Basso            Westinghouse
W. Odess-Gillet     Westinghouse
B. Spence           Westinghouse
Roman Shaffer       Invensys/Triconex
Rich Stattel        U.S. Nuclear Regulatory Commission
Joe Sebrosky        U.S. Nuclear Regulatory Commission
Shiattin Makor      U.S. Nuclear Regulatory Commission
Gordon Clefton      Nuclear Energy Institute
Sara Rudy           General Electric-Hitachi
Eric Mino           General Electric-Hitachi

DCPP PPS Open Item Summary Table (April 17, 12)

Columns: No; Src/RI; Issue Description and P&GE response; Status; RAI No. (Date Sent); RAI Response (Due Date); Comments

001 AR (BD)

[ISG-06 Enclosure B, Item 1.3] Deterministic Nature of Software:

The Diablo Canyon Specific Application should identify the board access sequence and provide corresponding analysis associated with digital response time performance. This analysis should be of sufficient detail to enable the NRC staff to determine that the logic-cycle;

a. has been implemented in conformance with the ALS Topical Report design basis,
b. is deterministic, and
c. the response time is derived from plant safety analysis performance requirements and in full consideration of communication errors that have been observed during equipment qualification.

As stated in the LAR, information pertaining to response time performance will be submitted as a Phase 2 document. Please ensure this matter is addressed accordingly.

Status: Open

RAI No. (Date Sent): N/A

Comments: Response received April 2 29 1 2012. Staff will review and discuss further if needed at subsequent telecom meeting.

Response acceptable; waiting on PG&E to provide the time response calculation for the V10 Tricon PPS Replacement architecture by April 16, 2012.

P&GE response:

ALS Diablo Canyon PPS document 6116-00011, "ALS System Design Specification", Section 7.5, identifies the ALS board access sequence and provides an analysis associated with digital response time performance.

a) The Diablo Canyon PPS ALS system is configured in accordance with the qualification requirements of the ALS platform topical report.

b) The analysis in Diablo Canyon PPS document 6116-00011, "ALS System Design Specification", Section 7, describes a logic cycle that is deterministic.

c) The requirements for the response time of the PPS processing instrumentation (from input conditioner to conditioned output signal) is specified as not to exceed 0.409 seconds in Section 3.2.1.10 of the "Diablo Canyon Power Plant Units 1 & 2 Process Protection System Replacement Functional Requirements Specification (FRS)", Revision 4 submitted as of the LAR. In Section 1.5.8 of the "Diablo Canyon Power Plant Units 1 & 2 Process Protection System Replacement Interface Requirements Specification (IRS)", Revision 4, submitted as Attachment 8 of the LAR, the 0.409 seconds PPS processing instrumentation response time is allocated between the ALS and Tricon as follows:

ALS: 175 ms for RTD processing

Tricon: 200 ms

Contingency: 34 ms

The 0.409 seconds PPS processing instrumentation value is the same as the value that is currently allocated to PPS processing instrumentation. As long as the 0.409 second PPS processing instrumentation value is not exceeded, the total response time values assumed in the plant safety analyses contained in FSAR Table 15.1-2 will not be exceeded; 7 seconds for Overtemperature ΔT RT and Overpower ΔT RT functions, 2 seconds for High pressurizer pressure RT, Low pressurizer pressure RT, and Low Low SG water level RT functions, 1 second for Low reactor coolant flow RT function, 25 seconds for Low pressurizer pressure, High containment pressure, and Low steam line pressure Safety Injection initiation, 60 seconds for Low low SG water level auxiliary feedwater initiation, 18 seconds for High containment pressure, Low pressurizer pressure, and Low steam line pressure Phase A containment isolation, 48.5 seconds for High High containment pressure containment spray initiation, 7 seconds for High High containment pressure steam line isolation, 66 seconds for High High SG water level auxiliary feedwater isolation, and 8 seconds for Low steam line pressure steam line isolation.

The ALS response time will be verified as part of the FAT and the results will be included in the FAT summary report to be submitted by 12/31/12.

Tricon

Invensys provided detailed information on the deterministic operation of the V10 Tricon in Invensys Letter No. NRC V10-11-001, dated January 5, 2011.

In support of the V10 Tricon safety evaluation, Invensys submitted document 9600164-731, Maximum Response Time Calculations, describing the worst-case response time for the V10 Tricon Qualification System. Included in document 9600164-731 are the standard equations for calculating worst-case response time of a given V10 Tricon configuration. The time response calculation for the V10 Tricon PPS Replacement architecture will be submitted by April 16, 2012. The System Response Time Confirmation Report, 993754-1-818, will be submitted to the staff as part of the ISG-06 Phase 2 submittals at the completion of factory acceptance testing of the V10 Tricon PPS Replacement.

The Tricon response time will be verified as part of the FAT and the results will be included in the FAT summary report to be submitted by 12/31/12.

The staff will likely need the Tricon time response calc's submitted on the docket. It is not efficient for the staff to travel to a remote facility to audit SP calc's.

PG&E stated that they will provide the Tricon Time response calc's in a document submitted on the docket.

002 AR (RA)

[ISG-06 Enclosure B, Item 1.4]

Software Management Plan: Regulatory Guide (RG) 1.168, Revision 1, "Verification, Validation, Reviews and Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," dated February 2004 endorses IEEE (Institute of Electrical and Electronics Engineers) 1012-1998, "IEEE Standard for Software Verification and Validation," and IEEE 1028-1997, "IEEE Standard for Software Reviews and Audits," with the exceptions stated in the Regulatory Position of RG 1.168. RG 1.168 describes a method acceptable to the NRC staff for complying with parts of the NRC's regulations for promoting high functional reliability and design quality in software used in safety systems. Standard Review Plan (SRP) Table 7-1 and Appendix 7.1-A identify Regulatory Guide 1.168 as SRP acceptance criteria for reactor trip systems (RTS) and for engineered safety features.

Westinghouse/ALS 6116-00000 Diablo Canyon PPS Management Plan, Figure 2, shows the Verification and Validation (V&V) organization reporting to the Project Manager. This is inconsistent with the information described in the ALS Management Plan for the generic system platform, where the V&V organization is independent from the Project Manager. This is also inconsistent with the criteria of RG 1.168 and will need to be reconciled during the LAR and ALS LTR reviews.

Status: Open

RAI No. (Date Sent): N/A

Comments: Response received April 2 291 2012. Staff will review and discuss further if needed at subsequent telecom meeting.

(WEK 4/12/12) Response acceptable; the staff received the revised W/ALS PPS MP on April 2, 2012 and will review for consistency with RG 1.168.

P&GE response:

ALS

The PPS Replacement LAR referenced Westinghouse document 6116-00000 Diablo Canyon PPS Management Plan, dated July 25, 2011, that was based on CSI document 6002-00003 ALS Verification and Validation Plan, Revision 4. CS Innovations subsequently submitted a revised V&V plan, "6002-00003 ALS Verification and Validation Plan", Revision 5, on November 11, 2011, that revised the required V&V organization structure such that the management of the verification personnel is separate and independent of the management of the development personnel. The Westinghouse 6116-00000 Diablo Canyon PPS Management Plan is being revised to require a V&V organization structure in which the management of the verification personnel is separate and independent of the management of the development personnel. PG&E will submit the revised Westinghouse 6116-00000 Diablo Canyon PPS Management Plan document by March 29, 2012.

3 AR (RA)

[ISG-06 Enclosure B, Item 1.9]

Software V&V Plan: The ALS V&V plan states that Project Manager of the supplier is responsible for providing directions during implementation of V&V activities. Also, the organization chart in the Diablo Canyon PPS Management Plan shows the IV&V manager reporting to the PM.

The ALS V&V plan described in ISG-6 matrix for the ALS platform and the Diablo Canyon PPS Management Plan do not provide sufficient information about the activities to be performed during V&V. For example, the ALS V&V Plan states that for project specific systems, V&V activities are determined on a project by project basis and are described in the project Management Plan, in this case, 6116-00000, "Diablo Canyon PPS Management Plan."

However, the 6116-00000 Diablo Canyon PPS Management Plan states:

"See the ALS V&V Plan for more information and the interface between the IV&V team and the PPS Replacement project team."

The Triconex V&V plan states that the Engineering Project Plan defines the scope for V&V activities. As mentioned before, the Triconex EPP is not listed in the ISG-6 matrix.

These items will need further clarification during the LAR review to demonstrate compliance with Regulatory Guide (RG) 1.168, Revision 1, "Verification, Validation, Reviews and Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants."

Status: Open

RAI No. (Date Sent): N/A

Comments: Response received April 2 291 2012. Staff will review and discuss further if needed at subsequent telecom meeting.

Status: Fig. 3 of the PPS SWP (Pg. 16/46) indicates sufficient organizational independence between the Nuclear Delivery (Design) Organization and the IV&V Organization.

Fig. 3 of the PPS PMP (993754-1-905) (pg. 22/81) also denotes the DCPP PPS project organization, and provides sufficient independence between the ND and IV&V Organizations.

Close the Invensys part of the OI.

W/ALS response acceptable; (WEK 4/12/12) the staff received the revised W/ALS PPS MP on April 2, 2012 and will review for consistency with RG 1.168.

P&GE response:

ALS

The Westinghouse 6116-00000 Diablo Canyon PPS Management Plan is being revised to include details on how the IV&V team has an independent organizational reporting structure from the design and implementation team; the Scottsdale Operations Director and the ALS Platform & Systems Director report to different Westinghouse Vice Presidents. The IV&V Manager and Scottsdale Operations Director both report to the same Westinghouse Vice President, but via independent reporting structures.

Description of 6116-00000 Diablo Canyon PPS Management Plan V&V activity updates - IN PROGRESS

PG&E will submit the revised Westinghouse 6116-00000 Diablo Canyon PPS Management Plan that includes the above changes by March 29, 2012.

Tricon

The organizational structure of Invensys Operations Management comprises, in part, Engineering and Nuclear Delivery. Each of these organizations plays a specific role in the V10 Tricon application project life cycle. Invensys Engineering is responsible for designing and maintaining the V10 Tricon platform, and Nuclear Delivery is responsible for working with nuclear customers on safety-related V10 Tricon system integration projects.

Invensys Engineering department procedures require "Engineering Project Plans (EPP)," whereas Nuclear Delivery department procedures require "Project Plans." Invensys Engineering is not directly involved in system integration, but Nuclear Delivery may consult with Engineering on technical issues related to the V10 Tricon platform.

The NRC applied ISG-06 to the V10 Tricon safety evaluation. Invensys submitted a number of documents pertaining to the design of the V10 Tricon platform as well as process and procedure documents governing Invensys Engineering activities, including the EPP. In most cases, these platform-related documents are preceded with document number 9600164. The platform-level documents reviewed by the staff during the V10 Tricon safety evaluation will not be resubmitted by Nuclear Delivery during application-specific system integration projects.

In support of the PG&E LAR for the DCPP PPS Replacement, Invensys Nuclear Delivery is required to submit the application design documents as defined in ISG-06. These project documents are preceded by document number 993754. The Phase 1 submittal under Invensys Project Letter 993754-026T, dated October 26, 2011, contained, in part, the following:

PPS Replacement Project Management Plan (PMP), 993754-1-905. "Project Management Plan" was used to more closely match BTP 7-14 with regard to "management plans"; and

PPS Replacement Software Verification and Validation Plan (SWP), 993754-1-802.

The PMP describes the PPS Replacement Project management activities within the Invensys scope of supply. The guidance documents BTP 7-14 and NUREG/CR-6101 were used as input during development of the PMP.

With regard to compliance with RG 1.168, the PPS Replacement PMP and SWP both describe the organizational structure and interfaces of the PPS Replacement Project. The documents describe the Nuclear Delivery (ND) design team structure and responsibilities, the Nuclear Independent Verification and Validation (IV&V) team structure and responsibilities, the interfaces between ND and Nuclear IV&V, lines of reporting, and degree of independence between ND and Nuclear IV&V. In addition, the PMP describes organizational boundaries between Invensys and the other external entities involved in the PPS Replacement project: PG&E, Altran, Westinghouse, and Invensys suppliers. The combination of the PMP and SWP demonstrate compliance of the Invensys organization with RG 1.168.

4 AR (RA)

[ISG-06 Enclosure B, Item 1.10]

Software Configuration Management Plan: The LAR includes PG&E CF2.ID2, "Software Configuration Management for Plant Operations and Operations Support," in Attachment 12. However, the document provided in 2 only provides a guideline for preparing Software Configuration Management (SCM) and SQA plans. Though it is understood that the licensee will not perform development of software, PGE personnel will become responsible for maintaining configuration control over software upon delivery from the vendor.

The staff requires the actual plan to be used by the licensee for maintaining configuration control over PPS software in order to evaluate against the acceptance criteria of the SRP. For example, the ALS Configuration Management (CM) Plan (6002-00002) describes initial design activities related to ALS generic boards. This plan does describe the configuration management activities to be used for the development and application of the ALS platform for the Diablo Canyon PPS System. The staff requires that configuration management for this design be described in the DCPP project specific plan. These items will need further clarification during the LAR review to demonstrate compliance with BTP-14.

Status: Open

RAI No. (Date Sent): N/A

Comments: {WEK 4-12-12} Response received April 2 29 1 2012. Staff will review the PG&E SyCMP procedure when it arrives on May 31, 2012.

P&GE response:

PG&E will develop a SyCMP procedure to address configuration control after shipment of equipment from the vendor and will submit the document by May 31, 2012.

5 AR (RA)

[ISG-06 Enclosure B, Item 1.11]

Software Test Plan: The V10 platform documents identified in ISG6 matrix state that the interface between the NGIO (Next Generation Input Output) Core Software and IO-specific software will not be tested. It is not clear when and how this interface will be tested, and why this test is not part of the software unit testing and integration testing activities.

Further, the 993754-1-813 Diablo Canyon Triconex PPS Validation Test Plan states that the DCPP's TSAP will not be loaded on the system; instead Triconex will use another TSAP for the validation test. It is not clear why the DCPP's TSAP will not be used for the validation test or when the DCPP's TSAP will be loaded on the system and validated for the Diablo Canyon PPS System. These items will need further clarification during the LAR review to demonstrate compliance with BTP-14.

Status: Closed

RAI No. (Date Sent): N/A

Comments: Response received April 2 29, 2012. Staff will review and discuss further if needed at subsequent telecom meeting.

NGIO Core software is tested and qualified as a platform component. As such, it does not need to be separately tested during the application development process.

TSAP is a Test Specimen Application Program used for purposes of platform qualification.

P&GE response:

Tricon

The next-generation input/output (I/O) modules qualified for the V10 Tricon are the 3721N 4-20 mA, 32-point analog input (AI) module, and the 3625N 24 Vdc, 32-point digital output (DO) module. Technical data on these two modules was provided to the NRC in support of the V10 Tricon safety evaluation. Configuration and functional testing is performed when the I/O modules (hardware and embedded core firmware) are manufactured. From the factory the I/O modules are shipped to Invensys Nuclear Delivery for use in nuclear system integration projects, i.e., application specific configurations.

Because the module hardware and embedded core firmware are within the scope of the V10 Tricon safety evaluation, the verification and validation of the embedded core firmware will not be repeated as part of application-specific system integration projects.

There are certain design items that must be done with TriStation 1131 (TS1131), such as specifying which I/O module is installed in a particular physical slot of the Tricon chassis, resulting in each module having a unique hardware address in the system. Also, TS1131 is used to specify which application program parameters (i.e., program variable tag names) are assigned to a particular point on a given I/O module. The design items configured in TS1131 will be within the scope of validation activities conducted by Invensys Nuclear IV&V for application-specific system integration projects. The necessary collateral (system build documents, configuration tables, test procedures, test results, etc.) will be submitted to the NRC to support the staff's technical review of the PPS Replacement LAR in accordance with ISG-06.

The Phase 1 submittal under Invensys Project Letter 993754-026T, dated October 26, 2011, contained, in part, the Validation Test Plan (VTP), 993754-1-813. This document describes the scope, approach, and resources of the testing activities that are required for validation testing of the V10 Tricon portion of the PPS Replacement, including:

Preparing for and conducting system integration tests

Defining technical inputs to validation planning

Defining the test tools and environment necessary for system validation testing

Scheduling (and resource loading of the schedule)

Section 1.3.2 of the VTP describes the Hardware Validation Test activities and Section 1.3.3 of the VTP describes the V10 Tricon portion of the Factory Acceptance Test activities for the V10 Tricon portion of the PPS Replacement. Details on the application program are proprietary and need to be provided to the staff separately.

Comments (continued): Invensys stated that The Diablo Canyon Application will be loaded onto plant system hardware during FAT.

Staff re-examined Invensys doc. "Validation Test Plan (VTP), 993754-1-813," Section 1.3.2 of the VTP that describes the Hardware Validation Test activities and Section 1.3.3 of the VTP and determined that the application program TSAP will be used for the FAT (Section 5.1.5 FAT)

Close this portion of the OI.

6 AR (SM)

[ISG-06 Enclosure B, Item 1.14]

Equipment Qualification Testing Plans - The LAR Sections 4.6, 4.10.2.4 and 4.11.1.2 provide little information on the plant specific application environmental factors. The Tricon V10 Safety Evaluation, ML11298A246, Section 6.2 lists 19 application specific actions Items (ASAI's) that the licensee should address for plant specific applications. The licensee should address each of these for Tricon portion of the PPS replacement. Similar information for the ALS portion of the PPS replacement will also be required.

Status: Closed

RAI No. (Date Sent): Develop a generic RAI to provide a response to ASAIs for both platforms when the SERs are issued. RA#XX

Comments: Response received April 2 29 1 2012. Staff will review and discuss further if needed at subsequent telecom meeting.

Staff agreed that PG&E should submit a separate submittal (LAR amendment) to address the ASAIs for both platforms.

It is not necessary to delineate exactly what will be done for each ASAI in this OI matrix.

P&GE response:

ALS

PG&E will respond to ALS ASAI's when they are available.

Tricon

IN PROGRESS. All of the Application Specific Action Items will be addressed by March 21 2012.

7 AR (BK)

[ISG-06 Enclosure B, Item 1.16]

Open NIA

{WEK 4-12-12}

Response

Design Analysis Reports: The LAR does not appear to comply with the SRP received April 2 (ISG-04) regarding the connectivity of the Maintenance Work Station to the 29 1 2012. Staff PPS. The TriStation V1 0 platform relies on software to effect the reviewed this item disconnection of the TriStation's capability to modify the safety system software. Based on the information provided in the L TR, the NRC staff determined that the Tricon V10 platform does not comply with the NRC and still need additional guidance provided in ISG-04, Highly Integrated Control Rooms-Communications Issues, (ADAMS Accession No. ML083310185), Staff Position 1, Point 10, hence the DCPP PPS configuration does not fully comply with this guidance.

In order for the NRC staff to accept this keyswitch function as an acceptable deviation to this staff position, the staff will have to evaluate the DCPP PPS specific system communications control configuration--including the operation of the keyswitch, the software affected by the keyswitch, and any testing performed on failures of the hardware and software associated with the keyswitch. The status of the ALS platform on this matter is unclear at this time and will be resolved as the ALS L TR review is completed.

information to close this item.

The staff will need to review this item further during an NRC audit at the Invensys facilitv.

All the items noted below will be the scope of the audit Moreover, the Tricon V10 system Operational Mode Change (OMC) keyswitch does change operational modes of the 3008N MPs and enables the TriStation 1131 PC to change parameters, software algorithms, etc, related to the application program of the safety channel without the channel or division being in bypass or in trip. As stated in Section 3.1.3.2 of the Tricon V10 SER, the TriStation 1131 PC should not normally be connected while the Tricon V10 is operational and performing safety critical functions.

However, it is physically possible for the TriStation PC to be connected at all times, and this should be strictly controlled via administrative controls (e.g.,

3/21 update: it was agreed that PG&E/lnvensys and PG&ElWestinghou se/CSI would provide a report (LAR supplement) place the respective channel out of service while changing the software, parameters, etc). The LAR does not mention any administrative controls such as this to control the operation of the OMC (operational mode change) keyswitch. Furthermore, in order to leave the non-safety TriStation 1131 PC attached to the SR Tricon V1 0 system while the key switch is in the RUN position, a detailed FMEA of the TriStation 1131 PC system will be required to explain how these two issues will be resolved and submit to NRC-Date to be provided

April 17, 12 DCPP PPS Open Item Summary Table Page 12 of 29 No r-----------~

Src/RI Issue Description P&GE response:

Status RAI No.

(Date Sent)

RA/

Response

(Due Date)

Comments to ascertain the potential effects this non-safety PC may have on the execution of the safety application program/operability of the channel or division. These issues must be addressed in order for the NRC staff to determine that the DCPP PPS complies with the NRC Staff Guidance provided in Staff Position 1, Point 11. The status of the ALS platform on this point is unclear at this time.

TBD.

Waiting for the V10 Tricon portion of the PPS Replacement Failure Modes and Effects Analysis, an ISG-06 Phase 2 document to be submitted to NRC in May 2012.

3/21 Update:

PG&EII nvensys needs to provide a technical explanation of how the MP3008N processor actually ignores all commands when in RUN-address the items in the 01.

4/4/12 Update:

Need to explain how this message format works to reject messages from the Tristation when in RUN??

Graphs and visual presentation of P&GE response:

Tricon The OMC keyswitch controls only the mode of the V10 Tricon 3008N MPs.

In RUN position the 3008N MPs ignore* all commands from external devices, whether WRITE commands from external operator interfaces or program-related commands from TS1131.

The keyswitch is a four-position, three-ganged switch so that the three Main Processor (MP) modules can monitor the position of the switch independently. The Operating System Executive (ETSX) executing on the MP application processor monitors the position of the keyswitch. The three MPs vote the position of the keyswitch. The voted position of the keyswitch is available as a read-only system variable that can be monitored by the TSAP. This allows alarming the keyswitch position when it is taken out of the RUN position. TS1131 messages to and from the Tricon (i.e., ETSX executing on the MPs) are of a defined format. TS1131 messages for control program (i.e., TSAP) changes - whether download of new control programs or modification of the executing control program - are uniquely identifiable. Such messages are received by ETSX and appropriate response provided depending upon, among other things, the position of the keyswitch. When a request from TS1131 is received by ETSX to download a new control program or modify the executing control program, ETSX accepts or rejects the request based on the voted keyswitch position.

If the keyswitch is in RUN, all such messages are rejected. If the keyswitch is in PROGRAM, the Tricon is considered out of service and ETSX runs through the sequence of steps to download the new or modified control program, as appropriate.

Multiple hardware and software failures would have to occur on the V10 Tricon (in combination with human-performance errors in the control room and at the computer with TS1131 installed) in order for the application program to be inadvertently reprogrammed. Therefore, there is no credible single failure on the V10 Tricon that would allow the safety-related application program to be inadvertently programmed, e.g., as a result of unexpected operation of the connected computer with TS1131 installed on it.

The above conclusion will be confirmed (for the V10 Tricon portion of the PPS Replacement) in the Failure Modes and Effects Analysis, an ISG-06 Phase 2 document planned for submittal to NRC in May 2012. Additionally, Invensys Operations Management will support the staff's review of the hardware and software associated with the OMC keyswitch by making all of the technical data available for audit.

* TS1131 contains function blocks that allow WRITE-access to a limited set of parameters programmed into the application software, but only for a limited duration after which the capability is disabled until WRITE-access is re-enabled. However, without these function blocks programmed into the application program neither the application program nor application program parameters can be modified with the OMC keyswitch in the RUN position.

these concepts would be helpful.

This issue will also have to be addressed for the ALS platform.

PG&E/Invensys needs to provide a technical explanation of how the MP3008N processor actually ignores all commands when in RUN - address the items in the OI.

PG&E Administrative controls on use of keyswitch will be provided with commitment to include in procedures in response.

Note, TS1131 is not used to change setpoints and protection set is inoperable when keyswitch is not in RUN position.
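The keyswitch gating described in the PG&E response above, as an added Python model (not Invensys or ETSX code): the three MPs' readings are voted, program-change requests are accepted only on a voted PROGRAM position, and a sweep over faulted readings checks the single-failure argument. The 2-out-of-3 majority rule, the placeholder names for the two positions the page does not name, the fail-closed result when no two readings agree, scan-count timing of the write window and the parameter name are assumptions of the model.

```python
"""Illustrative model of keyswitch-gated request handling (assumptions labelled)."""
from collections import Counter
from dataclasses import dataclass
from enum import Enum
from itertools import combinations, product


class Position(Enum):
    RUN = "RUN"
    PROGRAM = "PROGRAM"
    POS_3 = "POS_3"  # placeholder: the page does not name the other two positions
    POS_4 = "POS_4"  # placeholder


class Kind(Enum):
    DOWNLOAD_NEW = "download new control program"
    MODIFY_RUNNING = "modify executing control program"
    PARAM_WRITE = "write to an application parameter"


PROGRAM_CHANGE = {Kind.DOWNLOAD_NEW, Kind.MODIFY_RUNNING}


def vote(readings):
    """Majority vote over the three MPs' independent keyswitch readings.

    Returns the position at least two MPs agree on, or None when all three
    disagree (assumption: the model then fails closed).
    """
    if len(readings) != 3:
        raise ValueError("exactly three MP readings are required")
    position, count = Counter(readings).most_common(1)[0]
    return position if count >= 2 else None


@dataclass
class WriteGate:
    """Time-limited WRITE window provided by function blocks in the application."""
    allowed_params: frozenset = frozenset()
    open_until_scan: int = -1  # closed until explicitly enabled

    def enable(self, now_scan, duration_scans):
        self.open_until_scan = now_scan + duration_scans

    def permits(self, param, now_scan):
        return param in self.allowed_params and now_scan < self.open_until_scan


def handle(kind, readings, gate=None, param=None, now_scan=0):
    """Return (accepted, reason) for one request from an external device."""
    voted = vote(readings)
    if voted is None:
        return False, "no majority on keyswitch position"
    if kind in PROGRAM_CHANGE:
        if voted is Position.PROGRAM:
            return True, "voted PROGRAM: channel is out of service"
        return False, f"voted {voted.value}: program change rejected"
    # Parameter writes: only the RUN behaviour is described on the page.
    if voted is Position.RUN:
        if gate is not None and gate.permits(param, now_scan):
            return True, "write window open for this parameter"
        return False, "RUN: write ignored, no open write window"
    return False, f"voted {voted.value}: write handling not modelled"


def keyswitch_alarm(readings):
    """Application-side alarm on the read-only voted position: not in RUN."""
    return vote(readings) is not Position.RUN


def fault_sweep(true_position, n_faulted):
    """Corrupt n_faulted of the three readings in every possible way and
    return the reading sets for which a program change would be accepted."""
    accepted = []
    for idxs in combinations(range(3), n_faulted):
        for values in product(Position, repeat=n_faulted):
            readings = [true_position] * 3
            for i, v in zip(idxs, values):
                readings[i] = v
            if handle(Kind.MODIFY_RUNNING, readings)[0]:
                accepted.append(tuple(r.value for r in readings))
    return accepted
```

With the switch in RUN, `fault_sweep(Position.RUN, 1)` finds no accepting case, while `fault_sweep(Position.RUN, 2)` finds only the cases where two readings both fail to PROGRAM.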

8 AR (RS)

[ISG-06 Enclosure B, Item 1.21]

Setpoint Methodology: The NRC staff understands that a summary of SP (setpoint) Calculations will be provided in Phase 2, however, section 4.10.3.8 of the LAR also states that PGE plans to submit a separate LAR to adopt TSTF 493. The NRC cannot accept this dependency on an unapproved future licensing action. The staff therefore expects the licensee to submit a summary of setpoint calculations which includes a discussion of the methods used for determining as-found and as-left tolerances. This submittal should satisfy all of the informational requirements set forth in ISG6 section D.9.4.3.8 without a condition of TSTF 493 LAR approval.

Closed N/A

(WEK 4-12-12)

Response received April 2 291 2012. PG&E's commitment to provide summary calc's by May 31, 2012 and not revise these setpoints via a TSTF-439 LAR addresses this OI.

Close this OI.

PG&E response:

The evaluation of the setpoints for the PPS replacement will need to be performed by Westinghouse in two phases in order to provide sufficient documentation to support 95/95 two-sided uncertainty values for the setpoints. This is because the NRC staff has been requesting additional information and additional data and analysis to demonstrate that the uncertainties used in the setpoint calculation have been based on a statistically sufficient quantity of sample data to bound the assumed values (to justify the confidence level of the calculation is appropriate) during recent Westinghouse projects involving setpoints. Significant information is required from the transmitter and RTD vendors, that has never been obtained before, to support development of calculations that can support 95/95 two-sided uncertainty values.

The first phase of the evaluation of the setpoints will include evaluation of the PPS replacement setpoints for the Tricon and ALS architecture using expected bounding uncertainty values. A setpoint summary evaluation which includes a discussion of the methods used for determining the as-found and as-left tolerances will be submitted by May 31, 2012. This is a change to the commitment 31 in Attachment 1 to the Enclosure to the PPS Replacement LAR.

The second phase of the evaluation of the setpoints will include development of Westinghouse calculations of the PPS replacement setpoints for the Tricon and ALS architecture using sufficient information from vendors to substantiate that the setpoints are based on 95/95 two-sided uncertainty values. The Westinghouse calculations will be completed by December 31, 2012 and will be available for inspection by NRC staff in Washington DC with support provided by Westinghouse setpoint group personnel. The NRC staff inspection of Westinghouse calculations in Washington DC has been performed for another recent utility project involving setpoints.

3/7/12 update:

PG&E stated that all setpoints determinations will be addressed as part of this LAR, and NOT submitted as a TSTF-493 licensing action.

3/21/12 update:

The staff may choose to review the Westinghouse calculations at the Westinghouse office in Washington DC.

However, if the safety finding is dependent on these calculations, then the setpoint calculations will be required to be submitted on the docket per NRC licensing procedures.

9 AR (BK)

LTR Safety Conclusion Scope and Applicability - Many important sections of the DCPP PPS LAR refer the reader to the ALS licensing topical report (LTR) to demonstrate compliance of the system with various Clauses of IEEE 603-1991, IEEE 7-4.3.2-203, and ISG-04. However, many important sections of the ALS LTR state that compliance with various Clauses of these IEEE Stds and ISG-04 are application specific and refer the reader to an application specific license amendment submittal (i.e., the DCPP PPS LAR in this case).

The staff has not yet had time to evaluate all the LAR information in detail and compare this information with that provided in the ALS LTR to ensure there is no missing information. However, PG&E and its contractors are encouraged to review these two licensing submittals promptly to verify that compliance with these IEEE Stds and ISG-04 are adequately addressed within both licensing documents.

Closed N/A

(WEK 4-12-12)

Response received April 2 291 2012. The PG&E response to this item addresses the OI. Close this OI.

PG&E response:

PG&E and Westinghouse have reviewed the LAR 11-07 and the ALS topical report to verify information is provided to justify compliance with IEEE 603-1991, IEEE 7-4.3.2-2003, and ISG-04 in either the LAR or the ALS topical report. As a result of the review, it was identified that neither the LAR nor the ALS topical report contain a matrix that documents compliance with ISG-04 Table 5-4 for the DCPP ALS platform. PG&E will submit a matrix that documents compliance with ISG-04 Table 5-4 for the DCPP ALS platform by May 31, 2012.

10 RS Plant Variable PPS Scope - In the Description section of the LAR, section 4.1.3, nine plant variables are defined as being required for RTS and section 4.1.4 lists seven plant variables that are required for the ESFAS. Three additional plant variables were also listed in section 4.10.3.4.

Some variables are not listed in section 4.10.3.4 as being PPS monitored plant parameters. It is therefore assumed that these parameters are provided as direct inputs to the SSPS and that the PPS is not relied upon for the completion of required reactor trip or safety functions associated with them. Please confirm that these plant parameters and associated safety functions will continue to operate independently from the PPS and that the replacement PPS will not adversely impact the system's ability to reliably perform these functions.

Closed

RAI Required (RAI # X)

PG&E response:

The PPS Replacement LAR Sections 4.1.3 and 4.1.4 describe the plant variables from which RTS and ESFAS protective functions are generated.

The initiation signal outputs to the SSPS coincidence logic are generated in the PPS or other, independent systems, or in some cases, by discrete devices. Section 4.1.3 items 6 (RCP bus UF, UV, and breaker position), 8 (Main Turbine trip fluid pressure and stop valve position) and 9 (seismic acceleration) are generated by discrete devices outside the PPS and provide direct contact inputs to the SSPS. Section 1.4 items 6 (Containment Exhaust Radiation) and 7 (RT breaker position Permissive P-4) are also generated outside the PPS and are direct contact inputs to the SSPS. The initiation signals associated with these plant parameters operate independently from the PPS. The replacement PPS will not adversely affect the reliable performance of the safety functions associated with these plant parameters.

The three signals (Wide Range RCS Temperature and Pressure and Turbine Impulse Chamber Pressure) not listed in Sections 4.1.3 and 4.1.4 are monitored by the PPS per Section 4.10.3.4. The Wide Range RCS Pressure and Temperature signals are used to generate the LTOP function described in DCPP FSAR Section 5. The PPS uses Turbine Impulse Chamber Pressure to generate an initiation signal that is used by the SSPS coincidence logic to develop Permissive P-13 as discussed in RAI 3, below.

Neutron Flux is an input to Tricon but it is not listed in Table 4-2 "Process Variable inputs to Tricon".

Signals not associated with PPS functions will be designated as such in the SE and they will not be described since they are not in scope.

Neutron Flux should be added to Section 4.2 Table 4-2 as follows:

Neutron Flux (Power Range, Upper & Lower): Input to Overtemperature ΔT (OTDT) RT; Input to Overpower ΔT (OPDT) RT

11 RS Power Range NIS Function - Section 4.1.7 describes the Existing Power Range NIS Protection Functions and it states that the Power Range nuclear instrumentation provides input to the OTDT, and OPDT protection channels. It is not entirely clear whether any of the described NIS protection functions will be performed by the PPS system. Please clarify exactly what the role of the PPS system is for these NIS Protection functions.

Closed

RAI Required (RAI # X)

RAI still needs to be sent.

Only PPS Functions will be described in the SE.

PG&E response:

Power range analog inputs are provided by the NIS to each PPS Protection Set for use in the calculation of the Overtemperature Delta-T and Overpower Delta-T Setpoint in the Delta-T/Tavg channels. No other NIS signals interface with the PPS. The NIS Protection functions (RT and power range permissives) are generated independently by Nuclear Instrumentation bistable comparators. The NIS bistable outputs are sent directly to the SSPS and have no physical interface with the PPS.

12 RS Permissive Functions - Several Permissive functions are described within the LAR. It is not clear to the staff whether any of these functions are to be performed by the PPS or if the PPS will only be providing input to external systems that in turn perform the permissive logic described in the LAR.

Close

RAI Required (RAI # X)

Section 4.1.9 states that "Settings of the bistable comparators used to develop the permissives are not affected by the PPS Replacement Project", which implies that all of these permissive functions are performed by systems other than the PPS. However, it is still unclear if this statement applies to all permissive functions described throughout the LAR or if it applies only to those permissives relating to Pressurizer Pressure. It is also possible that the permissive functions are being performed by the existing PPS and will continue to be performed by the replacement system and therefore remain "not affected" by the PPS replacement project.

Please provide additional information for the following permissive functions to clearly define what the role of the PPS system will be for each.

  • P-4 Reactor Trip
  • P-6 Intermediate Range Permissive
  • P-7 Low Power Permissive (Bypasses low P pzr reactor trip)
  • P-8 Loss of Flow Permissive
  • P-9 Power Permissive
  • P-10 Power Range Power Low Permissive
  • P-11 Low Pressurizer Pressure SI Operational Bypass
  • P-12 No-Load Low-Low Tave Temperature Permissive
  • P-13 Turbine Low Power Permissive

The LAR states that "These signals are generated in the PPS". The NRC understands that all permissives are developed within the SSPS system.

Permissives P11 - P14 use inputs provided by PPS system. All other permissives use inputs generated by external systems that are independent of the PPS.

See 13 below.

PG&E response:

Permissive function initiation signals generated within the existing PPS will continue to be performed by the replacement PPS and therefore remain "not affected" by the PPS replacement project. Permissive function initiation signals that are generated independently of the existing PPS will continue to be generated independently.

Permissive P-6, P-8, P-9, and P-10 initiation signals are bistable comparator outputs from the independent NIS to the SSPS. There is no interface with the PPS.

Permissive P-4 initiation signals are direct contact inputs to the SSPS coincidence logic generated from contacts in the Reactor Trip Breakers (RTB). There is no interface with the PPS.

Permissive P-11, P-12, P-13, and P-14 initiation signals are generated by bistable comparator outputs generated in the PPS and sent to the SSPS.

Permissive P-7 is generated in the SSPS from 3 out of 4 power range NI channels (from NIS - P-10) below setpoint and 2/2 turbine impulse chamber pressure channels below setpoint (From PPS P13).

The bistable initiation signals described above are monitored by the SSPS.

The SSPS generates the Permissive when appropriate coincidence of initiation signals is detected. No SSPS permissive or safety function coincidence logic is changed by the PPS replacement project.

Permissives P-6, P-7, P-8, P-9, P-10, and P-13 are functionally described in FSAR Table 7.2-2. Permissives P-4, P-11, P-12, and P-14 are functionally described in FSAR Table 7.3-3.

The bistable comparator setpoints for the above-listed permissives are not expected to change at this time.

13 RS P12 Permissive Contradiction - The second paragraph of section 4.1.20 describes the P-12 interlock and states that "These signals are developed in the PPS". This statement is then contradicted in the third paragraph by the following statement; "These valves are not safety-related, but are interlocked with the P-12 signal from the SSPS."

In conjunction with the response to RAI 3, please provide a resolution for this contradiction in section 4.1.20 of the LAR.

Closed

RAI Required (RAI # X)

The NRC understands that the P12 signal is generated by the SSPS using signals developed in the PPS.

PG&E response:

The word "signals" in the referenced Section 4.1.20 sentence, "These signals are developed... " is referring to the bistable comparator outputs which are monitored by the SSPS. The PPS does not generate the P-12 Permissive itself. The actual P-12 Permissive is generated by the SSPS when appropriate coincidence of initiation signals is detected. The SSPS output is interlocked with the valves as stated in the third paragraph of Section 4.1.20.

The LAR Section 4.1.20 is clarified by the following statement:

"... The P-12 Permissive is developed in the SSPS based on coincidence of the P-12 bistable comparator output initiation signals from the PPS..."

Protection System Permissives (P-11 unblock SI from ALS, P13 Turbine power permissive from Tricon, and P-14 Steam Generator Level high-high from Tricon) are generated by coincident logic in the SSPS based on initiating signals (bistable outputs) from the PPS as noted in the response to OI #12. Permissive development, including initiating signals and logic coincidence is shown in FSARU Tables 7.2-2 (RTS) and 7.3-3 (ESFAS).

The PPS does not perform coincident logic functions and does not "generate" any protection system permissives.

14 RS Section 4.1.1 SSPS contains the following statement in the last paragraph; "Information concerning the PPS status is transmitted to the control board status lamps and annunciators by way of the SSPS control board demultiplexer and to the PPS by way of the SSPS computer demultiplexer." Why would the PPS status need to be transmitted to the PPS as the sentence suggests in the last phrase?

Closed

PGE Response resolves this Open Item. Change status to Closed.

PG&E response:

The sentence in Section 4.1.1 contains a typographical error. The sentence should read:

"Information concerning the PPS status is transmitted to the control board status lamps and annunciators by way of the SSPS control board demultiplexer and to the Plant Process Computer (PPC) by way of the SSPS computer demultiplexer."

As used in the Section 4.1.1 paragraph, "PPS Status" means "PPS Channel Trip Status."

15 (BK)

An ISG-04 compliance matrix for the DCPP PPS system was not submitted with, or referenced in, the LAR for the W/ALS platform. Instead the ISG-04 compliance section 4.8 of the LAR refers the reader to the ALS LTR for nearly all the points of ISG-04. Fig. 4.4 and 4.5 of the LAR indicate various 1E and non-1E communication pathways to and from ALS processor (e.g., Maintenance Work Station, plant computer, process control, port aggregator, and 4-20 mA temperature signal to Tricon processor). These are all application specific features of the PPS and the staff expects a W/CSI ALS document to be submitted, similar in scope and detail to the Invensys "PACIFIC GAS & ELECTRIC COMPANY NUCLEAR SAFETY-RELATED PROCESS PROTECTION SYSTEM REPLACEMENT DIABLO CANYON POWER PLANT DI&C-ISG-04 CONFORMANCE REPORT" Document No. 993754-1-912 Revision 0, to be submitted on the docket, which explains how the ALS portion of the PPS application conforms with the guidance of ISG-04.

Open

RAI Required (RAI # X)

(WEK 4-4-12) No further discussion necessary until May 31, 2012.

4/4/12 update: The draft ALS ISG-04 compliance matrix on the ALTRAN Sharepoint website is not detailed enough for the staff to use in approving the ALS portion of the PPS' communications design. Suggest PG&E review the Invensys ISG-04 Doc. Document No. 993754-1-912 (-P) Revision 0, and provide guidance for an ALS document at the same level of detail.

PG&E response:

Westinghouse will provide a DCPP PPS specific ISG-4 Compliance Table by March 31, 2012 and PG&E will submit the Table by May 31, 2012.

16 (BK)

Section 1.4.4 (pg. 12/38) of document 993754-1-813 Diablo Canyon Triconex PPS Validation Test Plan (VTM) states "The network equipment, including media converter, NetOptics Network Aggregator Tap, and gateway hub, and the MWS will not be within the test scope of this VTP. The Nuclear Delivery (ND) group will coordinate with Pacific Gas & Electric for system staging prior to turn over to Nuclear IV&V. The Nuclear IV&V group will confirm proper operation of network communications system interfaces before beginning testing addressed in this VTP." When, where, and what procedures will be used to test the network equipment??

Open

RAI Required (RAI # X)

Please indicate when this action is scheduled for completion.

PG&E response: Additional information on the PPS testing is being provided to the staff. The VTM will need to be updated based on the additional information. A date that the updated VTM will be submitted will be provided after feedback from the staff is received on the additional information on the PPS testing.

17 (BK)

Section 5.1.4.3, Hardware Validation Tests, (pg. 27/38) of document 993754-1-813 Diablo Canyon Triconex PPS Validation Test Plan (VTM) states that the ALS equipment will not be included in the FAT. Where, when, and what procedures will be used to fully test the Integrated PPS system (both Tricon V10 and ALS platforms together) be subjected to FAT.

Open

RAI Required (RAI # X)

Please indicate when this action is scheduled for completion.

PG&E response: Additional information on the PPS testing is being provided to the staff. The VTM will need to be updated based on the additional information. A date that the updated VTM will be submitted will be provided after feedback from the staff is received on the additional information on the PPS testing.

18 (BK)

Software Management Plan: Regulatory Guide (RG) 1.168, Revision 1, "Verification, Validation, Reviews and Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," dated February 2004 endorses IEEE (Institute of Electrical and Electronics Engineers) 1012-1998, "IEEE Standard for Software Verification and Validation," and IEEE 1028-1997, "IEEE Standard for Software Reviews and Audits," with the exceptions stated in the Regulatory Position of RG 1.168. RG 1.168 describes a method acceptable to the NRC staff for complying with parts of the NRC's regulations for promoting high functional reliability and design quality in software used in safety systems. Standard Review Plan (SRP) Table 7-1 and Appendix 7.1-A identify Regulatory Guide 1.168 as SRP acceptance criteria for reactor trip systems (RTS) and for engineered safety features actuation systems (ESFAS).

The Invensys PPS Replacement Software Verification and Validation Plan (SWP), 993754-1-802 does not provide a clear explanation of how the Invensys SWP complies with IEEE 1012-1998. Please provide a cross reference table that explains how the Invensys SWP implements the criteria of IEEE 1012-1998.

Also, the Westinghouse/ALS 6116-00000 Diablo Canyon PPS Management Plan, does not provide a clear explanation of how the CSI SWP complies with IEEE 1012-1998. Please provide a cross reference table that explains how the W/CSI SWP implements the criteria of IEEE 1012-1998.

Open

RAI Required (RAI # X)

(WEK 4/12/12) update: The staff has reviewed the Invensys IEEE 1012 compliance matrix on the PG&E/Altran sharepoint directory and it appears to be acceptable. The matrix appears to be comprehensive and indicates no exceptions to any clauses in IEEE 1012. No attempt was made to review/verify that where Invensys claims compliance with any particular Clause in the Std, that the respective section in their SWP is acceptable - the staff will work through this as the SWP is reviewed and evaluated for approval. Please submit the document on the docket.

This OI will remain open pending review of the Westinghouse/CSI document.

PG&E response:

Westinghouse will provide an IEEE-1012 compliance map by May 4, 2012 to PG&E and PG&E will submit the matrix to the staff by May 31, 2012.

19 RS Section 4.1.1 of the LAR states that;

"The SSPS evaluates the signals and performs RTS and ESFAS functions to mitigate Abnormal Operational Occurrences and Design Basis Events described in FSAR [26] Chapter 15."

however, Chapter 15 of the DCPP FSAR does not use the terms Abnormal Operational Occurrence (AOO) or Design Basis Accident (DBE). Instead, the accident analysis in chapter 15 identifies conditions as follows;

CONDITION I - NORMAL OPERATION AND OPERATIONAL TRANSIENTS

CONDITION II - FAULTS OF MODERATE FREQUENCY

CONDITION III - INFREQUENT FAULTS

CONDITION IV - LIMITING FAULTS

As such, the statement that AOO's and DBE's are described in the FSAR appears to be inaccurate. Please explain the correlation between the Conditions described in FSAR chapter 15 and the Abnormal Operational Occurrences, and Design Basis Events described in the LAR.

Open

RAI will eventually be required (RAI # X)

3/21/12 update:

PG&E has created a share point website for NRC to review PPS design drawings that will address this issue as well as OI 20 and 21. NRC staff will determine if they are needed to be submitted on the docket. PG&E will ensure the website is information is only applicable to this licensing action.

PG&E response: The AOO's are referred to as ANS Condition I "Operational Transients" in FSAR Chapter 15 and are addressed in FSAR Chapter 15.1. The design basis accidents are referred to as ANS Condition II "faults of moderate frequency," ANS Condition III "infrequent faults," and ANS Condition IV "limiting faults" and are addressed in FSAR Chapter 15.2, 15.3, and 15.4 respectively.

20 RS The system description provided in Section 4 of the LAR includes "functions performed by other protective systems at DCPP in addition to the PPS functions". In many cases, there is no explanation of what system is performing the functions described nor is there a clarification of whether the described functions are being performed by the PPS system.

As an example, Section 4.1.16 describes a bypass function to support testing of the high-high containment pressure channel to meet requirements of IEEE 279 and IEEE 603. The description of this function does not however, state whether this latch feature is being implemented within the PPS system or in the SSPS.

The staff needs to have a clear understanding of the functional scope of the PPS system being modified in order to make its regulatory compliance determinations. Please provide additional information such as PPS function diagrams to help the staff distinguish PPS functions from functions performed by other external systems.

Open

RAI will eventually be required (RAI # X)

3/21/12 update:

PG&E has created a share point website for NRC to review PPS design drawings that will address this issue.

NRC staff will determine if they are needed to be submitted on the docket. PG&E will ensure the website is information is only applicable to this licensing action.

PG&E Response: PPS design drawings have been provided to the staff on the Sharepoint site.

21 RA BK Westinghouse/CSI document 6116-00005, "Diablo Canyon PPS System Test Plan," states that the ALS-102 FPGA design is changed for the DCPPS System. Further, Section 5.3.3 states: "Test as many of the ALS-102 requirements as possible."

Please identify what document describes the design verification test for this board.

Open

RAI will eventually be required (RAI # X)

3/21/12 update:

PG&E has created a share point website for NRC to review PPS design drawings that will address this issue.

NRC staff will determine if they are needed to be submitted on the docket. PG&E will ensure the website is information is only applicable to this licensing action.

PG&E response: PPS design drawings have been provided to the staff on the Sharepoint site.

22 Follow-on OI # 5 question pertaining to the PPS VTP:

Section 1.4.4 (pg. 12/38) states "The network equipment, including media converter, NetOptics Network Aggregator Tap, and gateway hub, and the MWS will not be within the test scope of this VTP. The Nuclear Delivery (ND) group will coordinate with Pacific Gas & Electric for system staging prior to turn over to Nuclear IV&V. The Nuclear IV&V group will confirm proper operation of network communications system interfaces before beginning testing addressed in this VTP." When, where, and what procedures will be used to test the network equipment??

Also, section 5.1.4 (3) Hardware Validation Tests states that the ALS equipment will not be included in the FAT (pg. 27/38). Where, when, and what procedures will be used to fully test the Integrated PPS system (both Tricon V10 and ALS platforms together) be subjected to FAT.

Open

RAI will be required (RAI # X)

PG&E response:

Additional information on the PPS testing is being provided to the staff.

The VTP will need to be updated based on the additional information. A date that the updated VTP will be submitted will be provided after feedback from the staff is received on the additional information on the PPS testing.

23 BK Section 4.2.13.1 of the LAR (page 85) states; "Figure 4-13 only shows one TCM installed in the Tricon Main Chassis (Slot 7L), the PPS replacement will utilize two TCM cards in each main chassis (Slots 7L and 7R). This will provide two non-safety-related communication paths to the MWS and the PPC Gateway Computer from each Protection Set to ensure continued communications if a single TCM fails.

The NetOptics Model PA-CU/PAD-CU 1 PA-CU port aggregator network tap was approved previously by NRC for a similar application in the Oconee RPS SER Section 3.1.1.4.3 [18]. The NRC staff determined that due to the electrical isolation provided by use of fiber optic cables and the data isolation provided by the Port Tap and the Maintenance and Service Interface (MSI) in the Oconee RPS, there was reasonable assurance that a fault or failure within the Oconee Gateway computer or the Operator Aid Computer will not adversely affect the ability of the Oconee RPS to accomplish its safety functions.

During the SAT PG&E will test the Protection Set communications paths illustrated in Figure 4-13 to verify that there is no inbound communications path associated with port aggregator network tap Port 1. That is, PG&E will verify that communications from Port 1 to either the TCM on Port A or the MWS on Port B of the port aggregator network tap are not permitted.

Results of this test will be documented in final System Verification and Validation Report. Port aggregator dual in-line package (DIP) switch positions will be controlled by DCPP configuration management processes."

In order for the Staff to approve the integrated configuration of the PPS, prior to shipment of the PPS equipment to DCPP site, all communications paths will require testing on or before FAT, and before completion of the SER. This testing is typically completed during or before the PPS FAT, otherwise, the SER will not be completed until after the SAT. Please provide a test scheme/procedures that satisfies all regulatory requirements prior to or during the FAT. Otherwise, if this testing will be completed during the SAT, as stated in the LAR, please provide a detailed schedule for this testing so the NRC can revise its PPS LAR Review Plan accordingly.

Open. RAI will be required (RAI # X)

1 The NetOptics Model PAD-CU has two one-way output ports but is otherwise identical in function to the PA-CU.


PG&E response: Additional information on the PPS testing for ALS is being provided to the staff. A date the additional information will be submitted will be provided after feedback from the staff is received on the additional information on the PPS testing for ALS.


Factory Acceptance Testing (FAT)

The overlapping test methodology illustrated in Figure 1 and described below will ensure that all specified PPS safety function requirements for each platform are verified at the FAT, and functions that cannot be verified at the FAT will be tested at the SAT. An integrated FAT, with the ALS connected to the Tricon, will not be performed because the ALS and Tricon FAT will be performed in different locations. Data transfer from the Tricon through port aggregator port 1 to the gateway computer through the gateway switch is not required for the PPS to perform its safety function. The LAR commits to verifying that there is no inbound communications path from port 1 to ports A or B. A test will be run during Tricon FAT to verify that the port aggregator performs this function. These communications functions will be tested at the SAT. The only connections between the ALS and the Tricon are the Reactor Coolant System temperature channels.

The ALS provides Class 1E signal conditioning for the Pressurizer Vapor Space temperature, Reactor Coolant System wide range temperature and narrow range RTD inputs to the Overpower Delta Temperature (OPDT) and Overtemperature Delta Temperature (OTDT) thermal trip functions due to its improved ability to process 200 Ohm RTD inputs vs. Triconex. The ALS processes the resistance (ohms) RTD input signals and transmits the temperature values to the Tricon as analog 4-20 mA signals. There is no digital data connection between the Tricon and the ALS.

The resistance to milliamp conversion will be tested at the ALS FAT to verify that all requirements specified for converting the resistance to current are met. The Tricon FAT will test these channels by injecting the corresponding 4 to 20 mA signals into the Tricon and verifying that all requirements specified for the temperature channels are met. After the FAT, the equipment will be shipped to DCPP and then both systems will be integrated to perform the Site Acceptance Testing (SAT) which will test the analog interface directly along with others that cannot be tested at the FAT, such as the connection to the Plant Data Network (PDN) Gateway Computer.

For the Tricon FAT, PG&E will provide the Maintenance Workstation (MWS), port aggregator network tap, network switches, and media converters as needed to test the complete interface between the MWS and the Tricon. The ALS Service Unit (ASU) software will also be loaded on the MWS to facilitate identification of any interaction between the MWS Wonderware application, the ASU software, and/or the MWS operating system.

Communications from the Tricon to the Plant Data Network (downstream of the port aggregator one-way port) will not be tested at the FAT but will be tested at the SAT. The MWS displays the same data that will be available to the PDN so verification of this data will be performed during the FAT. Each Protection Set has its own MWS. The MWS is not shared between or among Protection sets. Each protection set will be integrated in its own rack with all associated equipment to support FAT. The FAT will be performed on all four protection sets. The functionality of the MWS will be tested during the FAT to verify MWS requirements specified in the FRS and Tricon SRS. The FAT will verify correct two-way communications between the Tricon and the MWS through Ports A and B of the port aggregator, and will also verify that there is no inbound communication path from port 1 to either port A or B.
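The pass/fail logic of the port aggregator check described above can be written down as follows. This is an added example, not code from PG&E, the vendors or the NRC; the port names A, B and 1 come from the text, while the record format, frame markers and sample data are assumptions constructed for illustration.

```python
# Added illustration: evaluates constructed observations from a port
# aggregator tap test. Port names A, B and 1 follow the text; the record
# format and frame markers are assumptions made for this example.

# Paths that must carry traffic: the two-way TCM <-> MWS link on Ports A and B.
REQUIRED = {("A", "B"), ("B", "A")}
# Paths that must never carry traffic: anything entering at Port 1.
FORBIDDEN = {("1", "A"), ("1", "B")}

def evaluate(observations):
    """observations: list of (injected_port, marker, {port: [markers seen]}).

    Returns (passed, findings). A path counts as carried only if the
    uniquely marked frame injected at one port was captured at another.
    """
    carried, injected_ports, findings = set(), set(), []
    for src, marker, captures in observations:
        injected_ports.add(src)
        for dst, seen in captures.items():
            if dst != src and marker in seen:
                carried.add((src, dst))
    for path in sorted(FORBIDDEN & carried):
        findings.append("FAIL inbound path open: port %s -> port %s" % path)
    for path in sorted(REQUIRED - carried):
        findings.append("FAIL expected path missing: port %s -> port %s" % path)
    # A forbidden path is only shown closed if traffic was actually offered
    # to it; silence on Ports A and B proves nothing without an injection.
    for src in sorted({s for s, _ in FORBIDDEN} - injected_ports):
        findings.append("FAIL port %s never injected; one-way claim untested" % src)
    return (not findings, findings)

# Constructed sample data, not results from any actual FAT.
GOOD = [
    ("A", "tcm-0001", {"B": ["tcm-0001"]}),
    ("B", "mws-0001", {"A": ["mws-0001"]}),
    ("1", "gw-0001", {"A": [], "B": []}),
]
# Same run against a tap whose Port 1 passes frames toward Port A.
LEAKY = GOOD[:2] + [("1", "gw-0001", {"A": ["gw-0001"], "B": []})]
# A run that skipped the Port 1 injection must not pass by omission.
SKIPPED = GOOD[:2]
```

The third case is the one a test procedure most easily gets wrong: a capture showing nothing on Ports A and B is only evidence of isolation if frames were actually offered at Port 1 during the capture window.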

PG&E will provide a MWS for the ALS FAT. The port aggregator is not required for the ALS. The communications from both TxB1 and TxB2 one-way RS-422 ports will be tested to verify all specified data is being transmitted correctly. The MWS Wonderware application will be running to display the read only parameters. The ASU software running on the MWS will be tested during the FAT to verify its functionality and to identify any interactions between the ALS ASU software, the MWS Wonderware application, and/or the MWS operating system. The two-way RS-485 port will be tested with a mechanical switch to verify the ability to update parameters and to isolate the MWS from the ALS.

All boards of the same type in the ALS platform have the same capabilities. The boards can be configured by the user to meet the requirements of any protection set. The FAT will be performed on each protection set configuration, including power supplies, the MWS, and all associated equipment that supports the safety function for the specific protection set. That is, Protection Set 1 will be configured and tested with all the associated sensor inputs and appropriate loads on the digital and analog outputs. Upon completion of testing, the equipment will be reconfigured as Protection Set 2 and tested. The same process will be used for Protection Sets 3 and 4.

The SAT will be performed on an integrated system. The connection of the safety-related temperature channels from the ALS to the Tricon will be verified during the SAT. The SAT will verify communications, including one-way communication from the port aggregator to the gateway, as well as other non-safety functions and connections that cannot be tested at the FAT, prior to installation in the plant. The integrated system used for SAT will be used to perform training and complete the operational and maintenance procedures prior to installation of the production system in the plant. Any application software changes from the time the equipment arrives at PG&E facilities until its installation in the plant is subject to configuration management controls.


[Figure 1: Replacement PPS Acceptance Testing with Overlap. Legend entries: Triconex multi-mode optical fiber; RS-422/RS-485 serial or 100BaseT; 4-20 mA analog copper; FAT; PG&E.]

FAT Verification of TxB2 Communication Link Provided to Maintenance Workstation

The TxB2 communication path from the ALS to the MWS is a single point-to-point unidirectional (one-way only) EIA-422 serial link. The TxB2 communication link is fixed in length, size, and update rate.

The TxB2 link contains ALS status information for determining system values, states, and health.

The connection of the ALS to the ASU running on the MWS hardware via the TxB2 communication path occurs by means of a local communication serial port that exists on the MWS hardware.

The MWS local communication serial port is only accessed by the ASU software upon user demand.

The MWS local communication serial port used by the ASU is a dedicated serial port and is not accessed by any other subsystem software running concurrently on the MWS.

The ASU application is assigned a static communication port value and the communication port assignment is hardcoded into the ASU application source code. The communication port assignment cannot be changed in the field.

ASU software functionality is verified through integration testing and FAT testing on representative MWS hardware with Tricon maintenance software running in parallel.

Tricon maintenance software will be executed on the MWS in a manner that mimics hardware utilization (memory, hardware utilization, processor utilization) and injected with a data stream that is representative of the actual data expected from the Tricon hardware subsystem.

ASU maintenance software will be run in parallel with the Tricon maintenance software to verify that no adverse effects exist during operation.

FAT Verification of RTD Interface to the Tricon

Verification of the ALS RTD to current loop conversion presented to the Tricon subsystem will occur by presenting simulated RTD inputs to the ALS-311 analog input (AI) cards and sweeping the full RTD input range and then verifying the corresponding current loop output at a simulated Tricon Load. Refer to Figure 1 for a high level diagram of the test setup.

The RTD input presented to the ALS-311 AI card is simulated using a precision programmable resistance output card. The Tricon load is simulated by using a precision analog input instrument that is capable of reading the full 4-20 mA output range provided by ALS-A and ALS-B. Both the precision programmable resistance output card and the precision analog input cards are commercially available cards based on the PCI eXtensions for Instrumentation (PXI) standard.

A fixed number of resistance steps based on the ALS subsystem accuracy requirements will be used to sweep the input of the ALS-311 with an input resistance range value that corresponds to the full range of output values that the ALS expects to present to the Tricon subsystem.
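A sketch of the sweep check described above, as an added example that is not part of the licensee's test procedure. Every numeric value in it is an assumption chosen for illustration: IEC 60751 platinum coefficients, a 200 ohm element at 0 degC, a 0 to 400 degC span mapped linearly onto 4-20 mA, nine steps, and a 0.05 mA acceptance band; the `read_ma` callable stands in for the precision analog input instrument.

```python
# Added illustration of the resistance sweep check. All numeric values are
# assumptions for the example and do not come from the page: IEC 60751
# platinum coefficients, a 200 ohm element, a 0-400 degC span, a linear
# 4-20 mA mapping, 9 steps and a +/-0.05 mA acceptance band.
import math

R0 = 200.0                    # ohms at 0 degC (assumed element)
A, B = 3.9083e-3, -5.775e-7   # Callendar-Van Dusen coefficients, T >= 0 degC
T_LO, T_HI = 0.0, 400.0       # assumed channel span, degC
TOL_MA = 0.05                 # assumed acceptance band, mA

def rtd_ohms(t_c):
    """Resistance the programmable source must present for temperature t_c."""
    return R0 * (1.0 + A * t_c + B * t_c * t_c)

def ohms_to_temp(r):
    """Invert the quadratic R(T) for T >= 0 degC."""
    return (-A + math.sqrt(A * A - 4.0 * B * (1.0 - r / R0))) / (2.0 * B)

def expected_ma(r):
    """Ideal loop current for resistance r on the assumed linear span."""
    return 4.0 + 16.0 * (ohms_to_temp(r) - T_LO) / (T_HI - T_LO)

def sweep_points(steps):
    """Evenly spaced resistance setpoints covering the whole span."""
    lo, hi = rtd_ohms(T_LO), rtd_ohms(T_HI)
    return [lo + (hi - lo) * i / (steps - 1) for i in range(steps)]

def check_sweep(read_ma, steps=9):
    """Apply each setpoint, read the loop, and return out-of-band points.

    read_ma takes the applied resistance in ohms and returns the measured
    current in mA. Each failure is (ohms, expected mA, measured mA).
    """
    failures = []
    for r in sweep_points(steps):
        got, want = read_ma(r), expected_ma(r)
        if abs(got - want) > TOL_MA:
            failures.append((round(r, 3), round(want, 3), round(got, 3)))
    return failures

# Constructed stand-ins for the unit under test (not measured data).
def healthy(r):
    return expected_ma(r) + 0.01                  # small constant offset

def gain_error(r):
    return 4.0 + (expected_ma(r) - 4.0) * 1.01    # 1 % span error
```

A span error of this kind passes at the low end of the range and fails only higher up, which is why the sweep has to cover the full input range rather than a few points near the bottom.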

[Figure 1 - RTD to Current Loop Verification Hardware Configuration. Labels: Programmable Resistance RTD Input (3-Wire / 4-Wire); ALS-A and ALS-B, each with ALS-311, ALS-102 and ALS-421; Simulated Tricon Load, 4-20 mA, 16-Bit Analog Input.]

determination would be made if changes were needed when the underlying questions are formally issued as requests for additional information.

Item 23 in Enclosure 2 relates to an ALS system testing question. The licensee's response to this question is provided in Enclosure 4. The NRC staff indicated that a review of both Enclosures 3 and 4 would continue and feedback would be provided, as appropriate, on possible clarification to the responses.

The NRC staff and licensee confirmed that the next meeting on this topic would be held on May 16, 2012. In addition, a meeting related to the setpoint changes to support the LAR was tentatively scheduled for June 28, 2012. At the staff's request, the licensee stated that a more detailed agenda for the June 28, 2012, meeting would be provided so that the staff could better plan for the meeting and use the agenda in the notice for the meeting. The staff and the licensee agreed that they would consider the appropriate timing for additional meetings and whether these would be done on a monthly basis as opposed to every 2 weeks.

Please direct any inquiries to me at 301-415-1132 or at Joseph.Sebrosky@nrc.gov.

/RA/

Joseph M. Sebrosky, Senior Project Manager
Plant Licensing Branch IV
Division of Operating Reactor Licensing
Office of Nuclear Reactor Regulation

Docket Nos. 50-275 and 50-323

Enclosures:

1. List of Attendees
2. Staff identified issues
3. Process Protection System Factory Acceptance Testing and Site Acceptance Testing
4. Advanced Logic System Testing

cc w/encls: Distribution via Listserv

DISTRIBUTION:

PUBLIC; RidsOgcRp Resource; LPLIV Reading; RidsRgn4MailCenter Resource; RidsAcrsAcnw_MailCTR Resource; WMaier, RIV; RidsNrrDeEicb Resource; TWertz, NRR; RidsNrrDorl Resource; WKemper, NRR/DE/EICB; RidsNrrDorlLpl4 Resource; RStattel, NRR/DE/EICB; RidsNrrLAJBurkhardt Resource; SMakor, RIV/DRS/EB2; RidsNrrPMDiabloCanyon Resource; MMcCoppin, EDO RIV

ADAMS Accession Nos.: Meeting Notice ML120720092; Meeting Summary ML121150504 (*via email)

OFFICE: DORL/LPL4/PM; DORL/LPL4/LA; NRR/DE/EICB; DORL/LPL4/BC; DORL/LPL4/PM
NAME: JSebrosky; JBurkhardt; RStattel*; MMarkley; JSebrosky
DATE: 5/1/12; 4/27/12; 5/1/12; 5/3/12; 5/3/12

OFFICIAL RECORD COPY