ML12297A243


Summary of 10/17/2012 Teleconference Meeting with Pacific Gas and Electric Company to Discuss Digital Replacement of Process Protection System at Diablo Canyon Power Plant, Units 1 and 2
Site: Diablo Canyon
Issue date: 10/31/2012
From: Joseph Sebrosky, Plant Licensing Branch IV
To: Pacific Gas & Electric Co
Contact: Sebrosky J
References: TAC ME7522, TAC ME7523
Download: ML12297A243 (81)


Text

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

October 31, 2012

LICENSEE: Pacific Gas and Electric Company

FACILITY: Diablo Canyon Power Plant, Unit Nos. 1 and 2

SUBJECT: SUMMARY OF OCTOBER 17, 2012, TELECONFERENCE MEETING WITH PACIFIC GAS AND ELECTRIC COMPANY ON DIGITAL REPLACEMENT OF THE PROCESS PROTECTION SYSTEM PORTION OF THE REACTOR TRIP SYSTEM AND ENGINEERED SAFETY FEATURES ACTUATION SYSTEM AT DIABLO CANYON POWER PLANT (TAC NOS. ME7522 AND ME7523)

On October 17, 2012, a Category 1 teleconference public meeting was held between the U.S. Nuclear Regulatory Commission (NRC) and representatives of Pacific Gas and Electric Company (PG&E, the licensee) at NRC Headquarters, One White Flint North, 11555 Rockville, Maryland. The purpose of the teleconference meeting was to discuss the license amendment request (LAR) submitted by PG&E on October 26, 2011, for the Digital Replacement of the Process Protection System (PPS) Portion of the Reactor Trip System and Engineered Safety Features Actuation System at Diablo Canyon Power Plant, Unit Nos. 1 and 2 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML113070457). A list of attendees is provided in Enclosure 1.

The teleconference meeting is one in a series of publicly noticed teleconference meetings to be held periodically to discuss issues associated with the NRC staff's LAR review. Preliminary issues that the NRC staff identified during the initial review, and the licensee's responses to these preliminary issues, were discussed during the teleconference meeting. The list of preliminary issues is provided in Enclosure 2.

The NRC staff and licensee confirmed that the next meeting on this topic would be held on November 28, 2012. Highlights from the meeting on October 17, 2012, include the following:

The NRC staff and PG&E discussed the audit scheduled for November 13-16, 2012, at the Invensys Operations Management facility in Lake Forest, California.

The staff noted that the audit plan was sent to PG&E in a letter dated October 10, 2012 (ADAMS Accession No. ML12276A050). PG&E took an action to make the following documents available to the staff before the audit: 993754-11-810, 993754-12-810, 993754-13-810, and 993754-14-810, "Software Design Description." As stated in the audit plan, the staff also requested, prior to the audit, access to the current Requirements Traceability Matrix information in order to plan thread audit activities in advance of the meeting.

PG&E agreed to work with Westinghouse Electric Company LLC (Westinghouse) to clearly identify the scope of the Advanced Logic Systems (ALS) topical report related to the ALS-102 Core Logic Board. Specifically, PG&E and Westinghouse took an action to inform the NRC staff whether the design description of the ALS-102 board (i.e., that the board is physically and electrically incapable of receiving information from outside the ALS-102 board) will be added to the ALS topical report that is currently under review by the staff. If this is the case, the communication isolation design features of the ALS-102 board will be reviewed as part of the ALS topical report and not as part of the PG&E PPS replacement LAR.

PG&E took an action to provide updates for items that are identified as "in progress" in Enclosure 2 prior to the next public phone call.

NRC took the following actions:

Simplify the information in Enclosure 2 and remove the items from the enclosure that have been closed to make the document more manageable going forward. For historical purposes, past meeting summaries that have a listing of the closed items may be referenced.

Move attachments 2 and 3 of Enclosure 2 into the table itself so that the questions and answers for these issues are tracked in a similar manner as other issues.

Provide an updated list of the NRC personnel that will be attending the Invensys audit discussed above. The staff noted that the individuals involved with the cyber security portion of the audit have changed.

Docket Nos. 50-275 and 50-323

Enclosures:

1. List of attendees
2. Staff identified issues

cc w/encls: Distribution via Listserv

LIST OF ATTENDEES
OCTOBER 17, 2012, TELECONFERENCE MEETING WITH PACIFIC GAS AND ELECTRIC COMPANY REGARDING DIABLO CANYON POWER PLANT DIGITAL UPGRADE
DOCKET NOS. 50-275 AND 50-323

NAME                  ORGANIZATION
Ken Schrader          Pacific Gas and Electric
Scott Patterson       Pacific Gas and Electric
John Hefler           Altran
R. Lint               Altran
E. Quinn              Altran
G. Clarkson           Altran
J. Basso              Westinghouse
W. Odess-Gillet       Westinghouse
Roman Shaffer         Invensys/Triconex
Rich Stattel          Nuclear Regulatory Commission (NRC)
Bill Kemper           NRC
Rossnyev Alvarado     NRC
Shiattin Makor        NRC
Eric Lee              NRC
Jeff Knight           NRC - contractor
Michael Shinn         NRC
Joe Sebrosky          NRC
Steve Kane            AREVA

October 16, 2012 DCPP PPS Open Item Summary Table (76 pages)

Table columns: No. | Src/RI | Issue Description | PG&E response | Status | RAI No. (Date Sent) | RAI Response (Due Date) | Comments

Item 1 (AR 001) - Status: Closed
[ISG-06 Enclosure B, Item 1.3] Deterministic Nature of Software

Issue Description: The Diablo Canyon Specific Application should identify the board access time sequence and provide corresponding analysis associated with digital response time performance. This analysis should be of sufficient detail to enable the NRC staff to determine that the logic-cycle:
a. has been implemented in conformance with the ALS Topical Report design basis,
b. is deterministic, and
c. the response time is derived from plant safety analysis performance requirements and in full consideration of communication errors that have been observed during equipment qualification.
As stated in the LAR, information pertaining to response time performance will be submitted as a Phase 2 document. Please ensure this matter is addressed accordingly.

PG&E response:
ALS: Diablo Canyon PPS document 6116-00011, "ALS System Design Specification", Section 7.5, identifies the ALS board access sequence and provides an analysis associated with digital response time performance.
a. The Diablo Canyon PPS ALS system is configured in accordance with the qualification requirements of the ALS platform topical report.
b. The analysis in Diablo Canyon PPS document 6116-00011, "ALS System Design Specification", Section 7, describes a logic cycle that is deterministic.
c. The requirements for the response time of the PPS processing instrumentation (from input conditioner to conditioned output signal) are specified as not to exceed 0.409 seconds in Section 3.2.1.10 of the "Diablo Canyon Power Plant Units 1 & 2 Process Protection System Replacement Functional Requirements Specification (FRS)", Revision 4, submitted with the LAR. In Section 1.5.8 of the "Diablo Canyon Power Plant Units 1 & 2 Process Protection System Replacement Interface Requirements Specification (IRS)", Revision 4, submitted as Attachment 8 of the LAR, the 0.409 seconds PPS processing instrumentation response time is allocated between the ALS and Tricon as follows:
ALS: 175 ms for RTD processing
Tricon: 200 ms
Contingency: 34 ms
The 0.409 seconds PPS processing instrumentation value is the same as the value that is currently allocated to PPS processing instrumentation. As long as the 0.409 second PPS processing instrumentation value is not exceeded, the total response time values assumed in the plant safety analyses contained in FSAR Table 15.1-2 will not be exceeded: 7 seconds for Overtemperature ΔT RT and Overpower ΔT RT functions, 2 seconds for High pressurizer pressure RT, Low pressurizer pressure RT, and Low Low SG water level RT functions, 1 second for Low reactor coolant flow RT function, 25 seconds for Low pressurizer pressure, High containment pressure, and Low steam line pressure Safety Injection initiation, 60 seconds for Low low SG water level auxiliary feedwater initiation, 18 seconds for High containment pressure, Low pressurizer pressure, and Low steam line pressure Phase A containment isolation, 48.5 seconds for High High containment pressure containment spray initiation, 7 seconds for High High containment pressure steam line isolation, 66 seconds for High High SG water level auxiliary feedwater isolation, and 8 seconds for Low steam line pressure steam line isolation.
The ALS response time will be verified as part of the FAT and the results will be included in the FAT summary report to be submitted by 12/31/12.
Tricon: Invensys provided detailed information on the deterministic operation of the V10 Tricon in Invensys Letter No. NRC V10-11-001, dated January 5, 2011. In support of the V10 Tricon safety evaluation, Invensys submitted document 9600164-731, Maximum Response Time Calculations, describing the worst-case response time for the V10 Tricon Qualification System. Included in document 9600164-731 are the standard equations for calculating worst-case response time of a given V10 Tricon configuration. The time response calculation for the V10 Tricon PPS Replacement architecture was submitted on April 30, 2012. The System Response Time Confirmation Report, 993754-1-818, will be submitted to the staff as part of the ISG-06 Phase 2 submittals at the completion of factory acceptance testing of the V10 Tricon PPS Replacement. The Tricon response time will be verified as part of the FAT and the results will be included in the FAT summary report to be submitted by 12/31/12.
Licensee representatives stated that PG&E will provide the Tricon time response calcs in a document submitted on the docket.

RAI No. (Date Sent): RAI119

RAI Response (Due Date): Response received April 29, 2012. Staff will review and discuss ALS further if needed at subsequent telecom meeting. Response acceptable; waiting on PG&E to provide the time response calculation for the V10 Tricon PPS Replacement architecture by April 16, 2012. Response time calc received. Letter: ML12131A513; Calc: ML12131A512.

Comments: 4/18/2012 - Staff reviewed (80) response calc on SharePoint and agrees that this is the correct information to support the SE. Requested that these calcs be docketed.

Item 2 - Src/RI: AR (RA) - Status: Closed - RAI No.: N/A
[ISG-06 Enclosure B, Item 1.4] Software Management Plan

Issue Description: Regulatory Guide (RG) 1.168, Revision 1, "Verification, Validation, Reviews and Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," dated February 2004, endorses IEEE (Institute of Electrical and Electronics Engineers) 1012-1998, "IEEE Standard for Software Verification and Validation," and IEEE 1028-1997, "IEEE Standard for Software Reviews and Audits," with the exceptions stated in the Regulatory Position of RG 1.168. RG 1.168 describes a method acceptable to the NRC staff for complying with parts of the NRC's regulations for promoting high functional reliability and design quality in software used in safety systems. Standard Review Plan (SRP) Table 7-1 and Appendix 7.1-A identify Regulatory Guide 1.168 as SRP acceptance criteria for reactor trip systems (RTS) and for engineered safety features. Westinghouse/ALS 6116-00000 Diablo Canyon PPS Management Plan, Figure 2-2, shows the Verification and Validation (V&V) organization reporting to the Project Manager. This is inconsistent with the information described in the ALS Management Plan for the generic system platform, where the V&V organization is independent from the Project Manager. This is also inconsistent with the criteria of RG 1.168 and will need to be reconciled during the LAR and ALS LTR reviews.

PG&E response:
ALS: The PPS Replacement LAR referenced Westinghouse document 6116-00000 Diablo Canyon PPS Management Plan, dated July 25, 2011, that was based on CSI document 6002-00003 ALS Verification and Validation Plan, Revision 4. CS Innovations subsequently submitted a revised V&V plan, "6002-00003 ALS Verification and Validation Plan", Revision 5, on November 11, 2011, that revised the required V&V organization structure such that the management of the verification personnel is separate and independent of the management of the development personnel. The Westinghouse 6116-00000 Diablo Canyon PPS Management Plan was revised to require a V&V organization structure in which the management of the verification personnel is separate and independent of the management of the development personnel. PG&E submitted the revised Westinghouse 6116-00000 Diablo Canyon PPS Management Plan, Revision 1, document on April 2, 2012.

RAI Response (Due Date): Response received April 29, 2012. Staff will review and discuss further if needed at subsequent telecom meeting.

Comments: 4/23/2012 - Staff has confirmed that the new version of the ALS SVVP is available for review (Kemper 4/12/12). Response acceptable; the staff received the revised W/ALS PPS MP on April 2, 2012 and will review for consistency with RG 1.168.

Item 3 - Src/RI: AR (RA) - Status: Closed - RAI No.: N/A
[ISG-06 Enclosure B, Item 1.9] Software V&V Plan

Issue Description: The ALS V&V plan states that the Project Manager of the supplier is responsible for providing directions during implementation of V&V activities. Also, the organization chart in the Diablo Canyon PPS Management Plan shows the IV&V manager reporting to the PM. The ALS V&V plan described in the ISG-6 matrix for the ALS platform and the Diablo Canyon PPS Management Plan do not provide sufficient information about the activities to be performed during V&V. For example, the ALS V&V Plan states that for project specific systems, V&V activities are determined on a project by project basis and are described in the project Management Plan, in this case, 6116-00000, "Diablo Canyon PPS Management Plan." However, the 6116-00000 Diablo Canyon PPS Management Plan states: "See the ALS V&V Plan for more information and the interface between the IV&V team and the PPS Replacement project team." The Triconex V&V plan states that the Engineering Project Plan defines the scope for V&V activities. As mentioned before, the Triconex EPP is not listed in the ISG-6 matrix. These items will need further clarification during the LAR review to demonstrate compliance with Regulatory Guide (RG) 1.168, Revision 1, "Verification, Validation, Reviews and Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants."

PG&E response:
ALS: The Westinghouse 6116-00000 Diablo Canyon PPS Management Plan was revised to include details on how the IV&V team has an independent organizational reporting structure from the design and implementation team; the Scottsdale Operations Director and the ALS Platform & Systems Director report to different Westinghouse Vice Presidents. The IV&V Manager and Scottsdale Operations Director both report to the same Westinghouse Vice President, but via independent reporting structures. The description of 6116-00000 Diablo Canyon PPS Management Plan V&V was also revised to add information on the activities being performed for the V&V. PG&E submitted the revised Westinghouse 6116-00000 Diablo Canyon PPS Management Plan that includes the above changes on April 2, 2012.
Tricon: The organizational structure of Invensys Operations Management comprises, in part, Engineering and Nuclear Delivery. Each of these organizations plays a specific role in the V10 Tricon application project life cycle. Invensys Engineering is responsible for designing and maintaining the V10 Tricon platform, and Nuclear Delivery is responsible for working with nuclear customers on safety-related V10 Tricon system integration projects. Invensys Engineering department procedures require "Engineering Project Plans (EPP)," whereas Nuclear Delivery department procedures require "Project Plans." Invensys Engineering is not directly involved in system integration, but Nuclear Delivery may consult with Engineering on technical issues related to the V10 Tricon platform.
The NRC applied ISG-06 to the V10 Tricon safety evaluation. Invensys submitted a number of documents pertaining to the design of the V10 Tricon platform as well as process and procedure documents governing Invensys Engineering activities, including the EPP. In most cases, these platform-related documents are preceded with document number 9600164. The platform-level documents reviewed by the staff during the V10 Tricon safety evaluation will not be resubmitted by Nuclear Delivery during application-specific system integration projects.
In support of the PG&E LAR for the DCPP PPS Replacement, Invensys Nuclear Delivery is required to submit the application design documents as defined in ISG-06. These project documents are preceded by document number 993754. The Phase 1 submittal under Invensys Project Letter 993754-026T, dated October 26, 2011, contained, in part, the following:
PPS Replacement Project Management Plan (PMP), 993754-1-905. "Project Management Plan" was used to more closely match STP 7-14 with regard to "management plans"; and
PPS Replacement Software Verification and Validation Plan (SVVP), 993754-1-802.
The PMP describes the PPS Replacement Project management activities within the Invensys scope of supply. The guidance documents STP 7-14 and NUREG/CR-6101 were used as input during development of the PMP.
With regard to compliance with RG 1.168, the PPS Replacement PMP and SVVP both describe the organizational structure and interfaces of the PPS Replacement Project. The documents describe the Nuclear Delivery (ND) design team structure and responsibilities, the Nuclear Independent Verification and Validation (IV&V) team structure and responsibilities, the interfaces between ND and Nuclear IV&V, lines of reporting, and degree of independence between ND and Nuclear IV&V. In addition, the PMP describes organizational boundaries between Invensys and the other external entities involved in the PPS Replacement project: PG&E, Altran, Westinghouse, and Invensys suppliers. The combination of the PMP and SVVP demonstrate compliance of the Invensys organization with RG 1.168.

RAI Response (Due Date): Response received April 2, 2012. Staff will review and discuss further if needed at subsequent telecom meeting.

Comments: W/ALS response acceptable (Kemper 4/12/12); the staff received the revised W/ALS PPS MP on April 2, 2012 and will review for consistency with RG 1.168. Status: Fig. 3 of the PPS SVVP (pg. 16/46) indicates sufficient organizational independence between the Nuclear Delivery (Design) Organization and the IV&V Organization. Fig. 3 of the PPS PMP (993754-1-905) (pg. 22/81) also denotes the DCPP PPS project organization, and provides sufficient independence between the ND and IV&V Organizations. Close the Invensys part of the OI.

Item 4 - Src/RI: AR (RA) - Status: Closed - RAI No.: N/A
[ISG-06 Enclosure B, Item 1.10] Software Configuration Management Plan

Issue Description: The LAR includes PG&E CF2.ID2, "Software Configuration Management for Plant Operations and Operations Support," in Attachment 12. However, the document provided in Attachment 12 only provides a guideline for preparing Software Configuration Management (SCM) and SQA plans. Though it is understood that the licensee will not perform development of software, PG&E personnel will become responsible for maintaining configuration control over software upon delivery from the vendor. The staff requires the actual plan to be used by the licensee for maintaining configuration control over PPS software in order to evaluate against the acceptance criteria of the SRP. For example, the ALS Configuration Management (CM) Plan (6002-00002) describes initial design activities related to ALS generic boards. This plan does describe the configuration management activities to be used for the development and application of the ALS platform for the Diablo Canyon PPS System. The staff requires that configuration management for this design be described in the DCPP project specific plan. These items will need further clarification during the LAR review to demonstrate compliance with BTP-14.

PG&E response: PG&E developed a SCMP procedure to address configuration control after shipment of equipment from the vendor and submitted the SCMP on June 6, 2012, in Attachment 4 to the Enclosure of PG&E Letter DCL-12-050.

RAI Response (Due Date): Response received April 2, 2012. Staff will review the PG&E SyCMP procedure when it arrives on May 31, 2012.

Comments: Close the Invensys part of the OI. (Kemper 4-12-12) Alvarado (6/13/12): PG&E placed a copy of their SyCMP SCM 36-01 in its SharePoint. The staff will review this information and identify questions, if necessary.

Item 5 - Src/RI: AR (RA) - Status: Closed - RAI No.: N/A
[ISG-06 Enclosure B, Item 1.11] Software Test Plan

Issue Description: The V10 platform documents identified in the ISG-6 matrix state that the interface between the NGIO (Next Generation Input Output) Core Software and IO-specific software will not be tested. It is not clear when and how this interface will be tested, and why this test is not part of the software unit testing and integration testing activities. Further, the 993754-1-813 Diablo Canyon Triconex PPS Validation Test Plan states that the DCPP's TSAP will not be loaded on the system; instead Triconex will use another TSAP for the validation test. It is not clear why the DCPP's TSAP will not be used for the validation test or when the DCPP's TSAP will be loaded on the system and validated for the Diablo Canyon PPS System. These items will need further clarification during the LAR review to demonstrate compliance with BTP-14.

PG&E response:
Tricon: The next-generation input/output (I/O) modules qualified for the V10 Tricon are the 3721N 4-20 mA, 32-point analog input (AI) module, and the 3625N 24 Vdc, 32-point digital output (DO) module. Technical data on these two modules was provided to the NRC in support of the V10 Tricon safety evaluation. Configuration and functional testing is performed when the I/O modules (hardware and embedded core firmware) are manufactured. From the factory the I/O modules are shipped to Invensys Nuclear Delivery for use in nuclear system integration projects, i.e., application specific configurations. Because the module hardware and embedded core firmware are within the scope of the V10 Tricon safety evaluation, the verification and validation of the embedded core firmware will not be repeated as part of application-specific system integration projects.
Tricon Next Generation Input Output (NGIO) Core software is tested and qualified as a platform component. As such, it does not need to be separately tested during the application development process.
TSAP is a Test Specimen Application Program used for purposes of platform qualification. There are certain design items that must be done with TriStation 1131 (TS1131), such as specifying which I/O module is installed in a particular physical slot of the Tricon chassis, resulting in each module having a unique hardware address in the system. Also, TS1131 is used to specify which application program parameters (i.e., program variable tagnames) are assigned to a particular point on a given I/O module. The design items configured in TS1131 will be within the scope of validation activities conducted by Invensys Nuclear IV&V for application-specific system integration projects. The necessary collateral (system build documents, hardware configuration tables, test procedures, test results, etc.) will be submitted to the NRC to support the staff's technical review of the PPS Replacement LAR in accordance with ISG-06.
The Phase 1 submittal under Invensys Project Letter 993754-026T, dated October 26, 2011, contained, in part, the Validation Test Plan (VTP), 993754-1-813. This document describes the scope, approach, and resources of the testing activities that are required for validation testing of the V10 Tricon portion of the PPS Replacement, including:
Preparing for and conducting system integration tests
Defining technical inputs to validation planning
Defining the test tools and environment necessary for system validation testing
Scheduling (and resource loading of the schedule) Validation Test activities
Section 1.3.2 of the VTP describes the Hardware Validation Test activities and Section 1.3.3 of the VTP describes the V10 Tricon portion of the Factory Acceptance Test activities for the V10 Tricon portion of the PPS Replacement. Details on the application program are proprietary and need to be provided to the staff separately.

RAI Response (Due Date): Response received April 2, 29, 2012. Staff will review and discuss further if needed at subsequent telecom meeting.

Comments: Invensys stated that the Diablo Canyon Application will be loaded onto plant system hardware during FAT. Staff re-examined Invensys doc. "Validation Test Plan (VTP), 993754-1-813," Section 1.3.2 of the VTP that describes the Hardware Validation Test activities and Section 1.3.3 of the VTP, and determined that the application program TSAP will be used for the FAT (Section 5.1.5 FAT). Close this portion of the OI.

October 16, 2012 DCPP PPS Open Item Summary Table Page 10 of 76 RAI Comments P&GE response:

RAI No.

SrclRI Issue Description Status No

Response

(Due Date)

(Date Sent)

Response

(SM)

Develop

[ISG-06 Enclosure B, Item 1.14]

Closed 6

AR a generic received April 2, Equipment Qualification Testing Plans - The LAR Sections 4.6, 4.10.2.4 and RAI to 29, 2012. Staff will environmental factors. The Tricon V10 Safety Evaluation, ML11298A246, 4.11.1.2 provide little information on the plant specific application review and discuss Section 6.2 lists 19 application specific actions Items (ASAI's) that the provide a response further if needed at licensee should address for plant specific applications. The licensee should to ASAls subsequent address each of these for Tricon portion of the PPS replacement. Similar telecom meeting.

information for the ALS portion of the PPS replacement will also be for both platforms required.

when the Staff agreed that SERs are PG&E should P&GE response:

submit a separate submittal (LAR issued.

ALS RA#01 amendment) to PG&E will respond to ALS ASAl's when they are available.

address the ASAls for both platforms.

Tricon it is not necessary IN PROGRESS. All of the Application Specific Action Items will be to delineate exactly addressed by March 21, 2012.

what will be done for each ASAI in this 01 matrix.

AR

[ISG-06 Enclosure B, Item 1.16]

(Kemper 4-12-12)

(BK) 7 Closed Drafted RAI # 17

Response

Design Analysis Reports: The LAR does not appear to comply with the received April 2, SRP (ISG-04) regarding the connectivity of the Maintenance Work Station to

&18 to obtain an 29, 2012. Staff the PPS. The TriStation V10 platform relies on software to effect the answer I reviewed this item disconnection of the TriStation's capability to modify the safety system report to and still need software. Based on the information provided in the LTR, the NRC staff additional address determined that the Tricon V10 platform does not comply with the NRC this topic.

information to close guidance provided in ISG-04, Highly Integrated Control Rooms-Communications Issues, (ADAMS Accession No. ML083310185), Staff this item. The staff Position 1, Point 10, hence the DCPP PPS configuration does not fully will need to review comply with this guidance.

this item further

October 16, 2012 DCPP PPS Open Item Summary Table Page 11 of 76 Comments RAI RAII No.

Status Issue Description P&GE response:

No SrclRI

Response

(Due Date)

(Datie Sent) 1"---.

during an NRC deviation to this staff position, the staff will have to evaluate the DCPP PPS In order for the NRC staff to accept this keyswitch function as an acceptable audit at the specific system communications control configuration--including the Invensys facility.

operation of the keyswitch, the software affected by the keyswitch, and any All the items noted testing performed on failures of the hardware and software associated with below will be the the keyswitch. The status of the ALS platform on this matter is unclear at scope of the audit.

this time and will be resolved as the ALS L TR review is completed.

Issue Description (continued): Moreover, the Tricon V10 system Operational Mode Change (OMC) keyswitch does change operational modes of the 3008N MPs and enables the TriStation 1131 PC to change parameters, software algorithms, etc., related to the application program of the safety channel without the channel or division being in bypass or in trip. As stated in Section 3.1.3.2 of the Tricon V10 SER, the TriStation 1131 PC should not normally be connected while the Tricon V10 is operational and performing safety critical functions. However, it is physically possible for the TriStation PC to be connected at all times, and this should be strictly controlled via administrative controls (e.g., place the respective channel out of service while changing the software, parameters, etc.). The LAR does not mention any administrative controls such as this to control the operation of the OMC (operational mode change) keyswitch. Furthermore, in order to leave the non-safety TriStation 1131 PC attached to the SR Tricon V10 system while the key switch is in the RUN position, a detailed FMEA of the TriStation 1131 PC system will be required to ascertain the potential effects this non-safety PC may have on the execution of the safety application program/operability of the channel or division. These issues must be addressed in order for the NRC staff to determine that the DCPP PPS complies with the NRC Staff Guidance provided in Staff Position 1, Point 11. The status of the ALS platform on this point is unclear at this time.

PG&E response: The OMC keyswitch controls only the mode of the V10 Tricon 3008N MPs. In RUN position the 3008N MPs ignore* all commands from external devices, whether WRITE commands from external operator interfaces or program-related commands from TS1131.

Comments: Waiting for the V10 Tricon portion of the PPS Replacement Failure Modes and Effects Analysis, a Tricon ISG-06 Phase 2 document to be submitted to NRC in May 2012.

3/21/12 update: it was agreed that PG&E/Invensys and PG&E/Westinghouse/CSI would provide a report (LAR supplement) to explain how these two issues will be resolved and submit to NRC. Date to be provided, TBD.


October 16, 2012 DCPP PPS Open Item Summary Table Page 12 of 76

Columns: No | Src/RI | Issue Description | PG&E response | Status | RAI No. (Date Sent) | RAI Response (Due Date) | Comments

3/21/12 Update:

PG&E response: The keyswitch is a four-position, three-ganged switch so that the three Main Processor (MP) modules can monitor the position of the switch independently. The Operating System Executive (ETSX) executing on the MP application processor monitors the position of the keyswitch. The three MPs vote the position of the keyswitch. The voted position of the keyswitch is available as a read-only system variable that can be monitored by the TSAP. This allows alarming the keyswitch position when it is taken out of the RUN position. TS1131 messages to and from the Tricon (i.e., ETSX executing on the MPs) are of a defined format. TS1131 messages for control program (i.e., TSAP) changes - whether download of new control programs or modification of the executing control program - are uniquely identifiable. Such messages are received by ETSX and appropriate response provided depending upon, among other things, the position of the keyswitch. When a request from TS1131 is received by ETSX to download a new control program or modify the executing control program, ETSX accepts or rejects the request based on the voted keyswitch position. If the keyswitch is in RUN, all such messages are rejected. If the keyswitch is in PROGRAM, the Tricon is considered out of service and ETSX runs through the sequence of steps to download the new or modified control program, as appropriate.

Multiple hardware and software failures would have to occur on the V10 Tricon (in combination with human-performance errors in the control room and at the computer with TS1131 installed) in order for the application program to be inadvertently reprogrammed. Therefore, there is no credible single failure on the V10 Tricon that would allow the safety-related application program to be inadvertently programmed, e.g., as a result of unexpected operation of the connected computer with TS1131 installed on it.

The above conclusion will be confirmed (for the V10 Tricon portion of the PPS Replacement) in the Failure Modes and Effects Analysis, an ISG-06 Phase 2 document planned for submittal to NRC in May 2012. Additionally, Invensys Operations Management will support the staff's review of the hardware and software associated with the OMC keyswitch by making all of the technical data available for audit.

• TS1131 contains function blocks that allow WRITE-access to a limited set of parameters programmed into the application software, but only for a limited duration after which the capability is disabled until WRITE-access is re-enabled. However, without these function blocks programmed into the application program neither the application program nor application program parameters can be modified with the OMC keyswitch in the RUN position.

PG&E: Administrative controls on use of keyswitch will be provided with commitment to include in procedures in response.

Note, TS1131 is not used to change setpoints and protection set is inoperable when keyswitch is not in RUN position.

Comments: PG&E/Invensys needs to provide a technical explanation of how the MP3008N processor actually ignores all commands when in RUN - address the items in the OI.

4/4/12 Update: Need to explain how this message format works to reject messages from the TriStation when in RUN?? Graphs and visual presentation of these concepts would be helpful. This issue will also have to be addressed for the ALS platform.

8 AR [ISG-06 Enclosure B, Item 1.21]

Issue Description: Setpoint Methodology: The NRC staff understands that a summary of SP (setpoint) Calculations will be provided in Phase 2; however, section 4.10.3.8 of the LAR also states that PGE plans to submit a separate LAR to adopt TSTF 493. The NRC cannot accept this dependency on an unapproved future licensing action. The staff therefore expects the licensee to submit a summary of setpoint calculations which includes a discussion of the methods used for determining as-found and as-left tolerances. This submittal should satisfy all of the informational requirements set forth in ISG6 section 0.9.4.3.8 without a condition of TSTF 493 LAR approval.

PG&E response: The evaluation of the setpoints for the PPS replacement will need to be performed by Westinghouse in two phases in order to provide sufficient documentation to support 95/95 setpoint values for the setpoints. This is because the NRC staff has been requesting additional information and additional data and analysis to demonstrate that the uncertainties used in the setpoint calculation have been based on a statistically sufficient quantity of sample data to bound the assumed values (to justify the confidence level of the calculation is appropriate) during recent Westinghouse projects involving setpoints. Significant information is required from the transmitter and RTD vendors, that has never been obtained before, to support development of calculations that can support 95/95 setpoint values.

The first phase of the evaluation of the setpoints will include evaluation of the PPS replacement setpoints for the Tricon and ALS architecture using expected bounding uncertainty values. A setpoint summary evaluation which includes a discussion of the methods used for determining the as-found and as-left tolerances will be submitted by May 31, 2012. This is a change to the commitment 31 in Attachment 1 to the Enclosure to the PPS Replacement LAR. The setpoint information associated with the PPS replacement is being submitted independently of the LAR for TSTF-493 and does not rely on a TSTF-493 licensing action.

The second phase of the evaluation of the setpoints will include development of Westinghouse calculations of the PPS replacement setpoints for the Tricon and ALS architecture using sufficient information from vendors to substantiate that the setpoints are 95/95 values. The Westinghouse calculations will be completed by December 31, 2012 and will be available for inspection by NRC staff in Washington DC with support provided by Westinghouse setpoint group personnel. The NRC staff inspection of Westinghouse calculations in Washington DC has been performed for another recent utility project involving setpoints.

Status: Closed. RAI No.: N/A.

Comments: Discussed at 4/18/2011 CC. Requested that PGE add to the response a statement that the setpoint changes associated with this modification will be submitted for evaluation independently with no reliance on TSTF 439 licensing action.

(Kemper 4-12-12) Response received April 2, 29, 2012. PG&E's commitment to provide summary calc's by May 31, 2012 and not revise these setpoints via a TSTF-439 LAR addresses this OI. Close this OI.

3/7/12 update: PG&E stated that all setpoints determinations will be addressed as part of this LAR, and NOT submitted as a TSTF-493 licensing action.

3/21/12 update: The staff may choose to review the Westinghouse calculations at the Westinghouse office in Washington DC. However, if the safety finding is dependent on these calculations, then the setpoint calculations will be required to be submitted on the docket per NRC licensing procedures.

9 AR (BK)

Issue Description: LTR Safety Conclusion Scope and Applicability - Many important sections of the DCPP PPS LAR refer the reader to the ALS licensing topical report (LTR) to demonstrate compliance of the system with various Clauses of IEEE 603-1991, IEEE 7-4.3.2-2003, and ISG-04. However, many important sections of the ALS LTR state that compliance with various Clauses of these IEEE Stds and ISG-04 are application specific and refer the reader to an application specific license amendment submittal (i.e., the DCPP PPS LAR in this case). The staff has not yet had time to evaluate all the LAR information in detail and compare this information with that provided in the ALS LTR to ensure there is no missing information. However, PG&E and its contractors are encouraged to review these two licensing submittals promptly to verify that compliance with these IEEE Stds and ISG-04 are adequately addressed within both licensing documents.

PG&E response: PG&E and Westinghouse have reviewed the LAR 11-07 and the ALS topical report to verify information is provided to justify compliance with IEEE 603-1991, IEEE 7-4.3.2-2003, and ISG-04 in either the LAR or the ALS topical report. As a result of the review, it was identified that neither the LAR nor the ALS topical report contain a matrix that documents compliance with ISG-04 Table 5-4 for the DCPP ALS platform. PG&E will submit a matrix that documents compliance with ISG-04 Table 5-4 for the DCPP ALS platform by May 31, 2012.

Status: Closed. RAI No.: No specific RAI needed for this OI. RAI 1.4 addresses this item as noted below in OI 15 (compliance matrix for the ALS platform).

Comments: (Kemper 4-12-12) Response received April 2, 29, 2012. The PG&E response to this item addresses the OI. Close this OI.

10 RS

Issue Description: Plant Variable PPS Scope - In the Description section of the LAR, section 4.1.3, nine plant variables are defined as being required for RTS and section 4.1.4 lists seven plant variables that are required for the ESFAS. Three additional plant variables were also listed in section 4.10.3.4. Some variables are not listed in section 4.10.3.4 as being PPS monitored plant parameters. It is therefore assumed that these parameters are provided as direct inputs to the SSPS and that the PPS is not relied upon for the completion of required reactor trip or safety functions associated with them. Please confirm that these plant parameters and associated safety functions will continue to operate independently from the PPS and that the replacement PPS will not adversely impact the system's ability to reliably perform these functions.

PG&E response: The PPS Replacement LAR Sections 4.1.3 and 4.1.4 describe the plant variables from which RTS and ESFAS protective functions are generated. The initiation signal outputs to the SSPS coincidence logic are generated in the PPS or other, independent systems, or in some cases, by discrete devices. Section 4.1.3 items 6 (RCP bus UF, UV, and breaker position), 8 (Main Turbine trip fluid pressure and stop valve position) and 9 (seismic acceleration) are generated by discrete devices outside the PPS and provide direct contact inputs to the SSPS. Section 1.4 items 6 (Containment Exhaust Radiation) and 7 (RT breaker position Permissive P-4) are also generated outside the PPS and are direct contact inputs to the SSPS. The initiation signals associated with these plant parameters operate independently from the PPS. The replacement PPS will not adversely affect the reliable performance of the safety functions associated with these plant parameters.

The three signals (Wide Range RCS Temperature and Pressure and Turbine Impulse Chamber Pressure) not listed in Sections 4.1.3 and 4.1.4 are monitored by the PPS per Section 4.10.3.4. The Wide Range RCS Pressure and Temperature signals are used to generate the LTOP function described in DCPP FSAR Section 5. The PPS uses Turbine Impulse Chamber Pressure to generate an initiation signal that is used by the SSPS coincidence logic to develop Permissive P-13 as discussed in RAI 3, below.

Neutron Flux should be added to Section 4.2 Table 4-2 as follows:

Process Variable: Neutron Flux (Power Range, Upper & Lower)
Function: Input to Overtemperature Delta-Temperature (OTDT) RT; Input to Overpower Delta-Temperature (OPDT) RT

Status: Closed. RAI No.: RAI02.

Comments: Neutron Flux is an input to Tricon but it is not listed in Table 4-2 "Process Variable inputs to Tricon". Signals not associated with PPS functions will be designated as such in the SE and they will not be described since they are not in scope.

11 RS

Issue Description: Power Range NIS Function - Section 4.1.7 describes the Existing Power Range NIS Protection Functions and it states that the Power Range nuclear instrumentation provides input to the OTDT and OPDT protection channels. It is not entirely clear whether any of the described NIS protection functions will be performed by the PPS system. Please clarify exactly what the role of the PPS system is for these NIS Protection functions.

PG&E response: Power range analog inputs are provided by the NIS to each PPS Protection Set for use in the calculation of the Overtemperature Delta-T and Overpower Delta-T Setpoint in the Delta-T/Tavg channels. No other NIS signals interface with the PPS. The NIS Protection functions (RT and power range permissives) are generated independently by Nuclear Instrumentation bistable comparators. The NIS bistable outputs are sent directly to the SSPS and have no physical interface with the PPS.

Status: Closed. RAI No.: N/A.

Comments: Only PPS Functions will be described in the SE. 5/30/12 Determined that no RAI is needed for this item.

12 RS

Issue Description: Permissive Functions - Several Permissive functions are described within the LAR. It is not clear to the staff whether any of these functions are to be performed by the PPS or if the PPS will only be providing input to external systems that in turn perform the permissive logic described in the LAR.

Section 4.1.9 states that "Settings of the bistable comparators used to develop the permissives are not affected by the PPS Replacement Project", which implies that all of these permissive functions are performed by systems other than the PPS. However, it is still unclear if this statement applies to all permissive functions described throughout the LAR or if it applies only to those permissives relating to Pressurizer Pressure. It is also possible that the permissive functions are being performed by the existing PPS and will continue to be performed by the replacement system and therefore remain "not affected" by the PPS replacement project.

Please provide additional information for the following permissive functions to clearly define what the role of the PPS system will be for each.

• P-4 Reactor Trip
• P-6 Intermediate Range Permissive
• P-7 Low Power Permissive (Bypasses low Ppzr reactor trip)
• P-8 Loss of Flow Permissive
• P-9 Power Permissive
• P-10 Power Range Power Low Permissive
• P-11 Low Pressurizer Pressure SI Operational Bypass
• P-12 No-Load Low-Low Tave Temperature Permissive
• P-13 Turbine Low Power Permissive

The LAR states that "These signals are generated in the PPS".

PG&E response: Permissive function initiation signals generated within the existing PPS will continue to be performed by the replacement PPS and therefore remain "not affected" by the PPS replacement project. Permissive function initiation signals that are generated independently of the existing PPS will continue to be generated independently.

• Permissive P-6, P-8, P-9, and P-10 initiation signals are bistable comparator outputs from the independent NIS to the SSPS. There is no interface with the PPS.
• Permissive P-4 initiation signals are direct contact inputs to the SSPS coincidence logic generated from contacts in the Reactor Trip Breakers (RTB). There is no interface with the PPS.
• Permissive P-11, P-12, P-13, and P-14 initiation signals are generated by bistable comparator outputs generated in the PPS and sent to the SSPS.
• Permissive P-7 is generated in the SSPS from 3 out of 4 power range NI channels (from NIS - P-10) below setpoint and 2/2 turbine impulse chamber pressure channels below setpoint (from PPS P-13).

The bistable initiation signals described above are monitored by the SSPS. The SSPS generates the Permissive when appropriate coincidence of initiation signals is detected. No SSPS permissive or safety function coincidence logic is changed by the PPS replacement project.

Permissives P-6, P-7, P-8, P-9, P-10, and P-13 are functionally described in FSAR Table 7.2-2. Permissives P-4, P-11, P-12, and P-14 are functionally described in FSAR Table 7.3-3.

The bistable comparator setpoints for the above-listed permissives are not expected to change at this time.

Status: Closed*. RAI No.: RAI03.

Comments: The NRC understands that all permissives are developed within the SSPS system. Permissives P-11 through P-14 use inputs provided by the PPS system. All other permissives use inputs generated by external systems that are independent of the PPS. See 13 below.
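Two of the mechanisms described in this table, the voted OMC keyswitch position that gates TS1131 program-change requests (the keyswitch item earlier in the table) and the m-out-of-n coincidence from which the SSPS develops permissive P-7 (Open Item 12 above), share the same shape: independent readings are voted before any decision is taken on them. The Python model below is an added example and is not part of the NRC document, the Invensys ETSX, or the Westinghouse/SSPS logic. The position names RUN and PROGRAM and the 3-of-4 / 2-of-2 P-7 criterion come from the table; the simple-majority rule for the three MP readings, the message-class labels, and every function name are assumptions made for the example.

```python
from collections import Counter
from typing import Optional, Sequence

# Constructed model (not vendor code) of the voting described in the open-item
# table. RUN and PROGRAM are named in the document; the majority-vote rule and
# the message-class labels below are assumptions for this example.


def vote_position(readings: Sequence[str]) -> Optional[str]:
    """Return the keyswitch position agreed by a strict majority of the MP
    readings (2-of-3 for three ganged contacts), or None when no majority
    exists. A single contact reading a wrong position cannot change the
    result, which is the point of voting the switch in the first place."""
    if not readings:
        return None
    position, count = Counter(readings).most_common(1)[0]
    return position if count * 2 > len(readings) else None


def m_of_n(flags: Sequence[bool], m: int) -> bool:
    """Generic coincidence: True when at least m of the n flags are set."""
    return sum(1 for f in flags if f) >= m


# Assumed message classes. Only the first two alter the control program
# (TSAP), so those are the ones the model refuses while the switch is in RUN.
PROGRAM_CHANGE = {"download_program", "modify_program"}
READ_ONLY = {"read_status", "read_variable"}


def etsx_accepts(msg_type: str, voted_position: Optional[str]) -> bool:
    """Decide whether a TS1131 request is honoured given the *voted* keyswitch
    position, as the response says ETSX does: program changes are accepted
    only in PROGRAM; read-only traffic is accepted regardless. An unknown
    class or an unresolved vote (None) is rejected (assumption)."""
    if msg_type in READ_ONLY:
        return True
    if msg_type in PROGRAM_CHANGE:
        return voted_position == "PROGRAM"
    return False


def keyswitch_alarm(voted_position: Optional[str]) -> bool:
    """The voted position is exposed to the application as a read-only
    variable so it can be alarmed whenever the switch is not in RUN,
    including the case where the three MPs disagree."""
    return voted_position != "RUN"


def p7_permissive(power_range_below: Sequence[bool],
                  turbine_pressure_below: Sequence[bool]) -> bool:
    """P-7 as stated in the PG&E response: 3 of 4 power range NI channels
    below setpoint AND 2 of 2 turbine impulse chamber pressure channels
    below setpoint. The channel counts are checked so a wiring or
    configuration mistake fails loudly instead of silently loosening the
    coincidence."""
    if len(power_range_below) != 4 or len(turbine_pressure_below) != 2:
        raise ValueError("P-7 expects 4 NI channels and 2 turbine pressure channels")
    return m_of_n(power_range_below, 3) and m_of_n(turbine_pressure_below, 2)


if __name__ == "__main__":
    # One MP contact misreads PROGRAM while the switch is physically in RUN:
    voted = vote_position(["RUN", "RUN", "PROGRAM"])
    print(voted, etsx_accepts("download_program", voted))        # RUN False
    print(keyswitch_alarm(vote_position(["PROGRAM"] * 3)))        # True
    print(p7_permissive([True, True, True, False], [True, True]))  # True
```

The model makes the defensive property of the design visible: a program-download request is never evaluated against a single contact's reading, only against the voted position, so one faulty contact or one mis-wired input cannot open the programming path while the channel is in service, and the same vote feeds the out-of-RUN alarm the response mentions.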

13 RS

Issue Description: P12 Permissive Contradiction - The second paragraph of section 4.1.20 describes the P-12 interlock and states that "These signals are developed in the PPS". This statement is then contradicted in the third paragraph by the following statement; "These valves are not safety-related, but are interlocked with the P-12 signal from the SSPS." In conjunction with the response to RAI 3, please provide a resolution for this contradiction in section 4.1.20 of the LAR.

PG&E response: The word "signals" in the referenced Section 4.1.20 sentence, "These signals are developed... " is referring to the bistable comparator outputs which are monitored by the SSPS. The PPS does not generate the P-12 Permissive itself. The actual P-12 Permissive is generated by the SSPS when appropriate coincidence of initiation signals is detected. The SSPS output is interlocked with the valves as stated in the third paragraph of Section 4.1.20.

The LAR Section 4.1.20 is clarified by the following statement:

"... The P-12 Permissive is developed in the SSPS based on coincidence of the P-12 bistable comparator output initiation signals from the PPS..."

Protection System Permissives (P-11 unblock SI from ALS, P-13 Turbine power permissive from Tricon, and P-14 Steam Generator Level high-high from Tricon) are generated by coincident logic in the SSPS based on initiating signals (bistable outputs) from the PPS as noted in the response to OI #12. Permissive development, including initiating signals and logic coincidence, is shown in FSARU Tables 7.2-2 (RTS) and 7.3-3 (ESFAS).

The PPS does not perform coincident logic functions and does not "generate" any protection system permissives.

Status: Closed. RAI No.: N/A.

Comments: The NRC understands that the P-12 signal is generated by the SSPS using signals developed in the PPS. 5/30/2012 Determined that no RAI will be needed for this item. PGE Response resolves this Open Item. Change status to Closed.

14 RS

Issue Description: Section 4.1.1 SSPS contains the following statement in the last paragraph; "Information concerning the PPS status is transmitted to the control board status lamps and annunciators by way of the SSPS control board demultiplexer and to the PPS by way of the SSPS computer demultiplexer." Why would the PPS status need to be transmitted to the PPS as the sentence suggests in the last phrase?

PG&E response: The sentence in Section 4.1.1 contains a typographical error. The sentence should read:

"Information concerning the PPS status is transmitted to the control board status lamps and annunciators by way of the SSPS control board demultiplexer and to the Plant Process Computer (PPC) by way of the SSPS computer demultiplexer."

As used in the Section 4.1.1 paragraph, "PPS Status" means "PPS Channel Trip Status."

Status: Closed. RAI No.: N/A.

15 (BK)

Issue Description: An ISG-04 compliance matrix for the DCPP PPS system was not submitted with, or referenced in, the LAR for the W/ALS platform. Instead the ISG-04 compliance section 4.8 of the LAR refers the reader to the ALS LTR for nearly all the points of ISG-04. Fig. 4.4 and 4.5 of the LAR indicate various 1E and non-1E communication pathways to and from ALS processor (e.g., Maintenance Work Station, plant computer, process control, port address aggregator, and 4-20 ma temperature signal to Tricon processor). These are all application specific features of the PPS and the staff expects a W/CSI ALS report, similar in scope and detail to the Invensys "PACIFIC GAS & ELECTRIC COMPANY NUCLEAR SAFETY-RELATED PROCESS PROTECTION SYSTEM REPLACEMENT DIABLO CANYON POWER PLANT DI&C-ISG-04 CONFORMANCE REPORT" Document No. 993754-1-912 Revision 0, to be submitted on the docket, which explains how the ALS portion of the PPS application conforms with the guidance of ISG-04.

PG&E response: PG&E is developing the ISG-04 compliance matrix Table for the ALS platform and PG&E will submit the Table by July 31, 2012.

Status: Closed (BK). RAI No.: RAI#4, Drafted (Kemper 4-4-12), to obtain this ISG-04 compliance matrix for the ALS platform.

Comments: No further discussion necessary until answer May 31, 2012.

4/4/12 update: The draft ALS ISG-04 compliance matrix on the ALTRAN Sharepoint website is not detailed enough for the staff to use in approving the ALS portion of the PPS' communications design. Suggest PG&E review the Invensys ISG-04 Doc. Document No. 993754-1-912 (-P) Revision 0, and provide guidance for an ALS document at the same level of detail.

16 (BK)

Issue Description: Section 1.4.4 (pg. 12/38) of document 993754-1-813 Diablo Canyon Triconex PPS Validation Test Plan (VTM) states "The network equipment, including media converter, NetOptics Network Aggregator Tap, and gateway hub, and the MWS will not be within the test scope of this VTP. The Nuclear Delivery (ND) group will coordinate with Pacific Gas & Electric for system staging prior to turn over to Nuclear IV&V. The Nuclear IV&V group will confirm proper operation of network communications system interfaces before beginning testing addressed in this VTP." When, where, and what procedures will be used to test the network equipment??

PG&E response: Additional information on the PPS testing is being provided to the staff. The information on the PPS testing was updated on May 9 to address staff comments provided in the 4/18/22 conference call. The VTM will need to be updated based on the additional information. A date that the updated VTM will be submitted will be provided after feedback from the staff is received on the additional information on the PPS testing.

Status: Closed. RAI No.: RAI05.

Comments: Received two papers discussing integration test plans for PPS system. These papers were discussed at the 4/18/2011 CC.

The staff agrees that the analog RTD signal loops may be tested separately at the Tricon FAT and at the ALS FAT to satisfy integration test requirements.

The staff expressed some concerns over the statement that "There is no digital data connection between the Tricon and the ALS." This appears to be a misleading statement since both systems do have connections to the common MWS. Further clarification should be provided and the statement should be revised to describe the nature of the MWS connections to each system.

A follow-up discussion was had at the 5/16/12 conference call.

The NRC staff feels that the final integration to be performed during SAT as proposed, will have to be complete and the results submitted prior to issuance of the SE.

17 (BK)

Issue Description: Section 5.1.4.3, Hardware Validation Tests, (pg. 27/38) of document 993754-1-813 Diablo Canyon Triconex PPS Validation Test Plan (VTM) states that the ALS equipment will not be included in the FAT. Where, when, and what procedures will be used to fully test the Integrated PPS system (both Tricon V10 and ALS platforms together) be subjected to FAT.

PG&E response: Additional information on the PPS testing is being provided to the staff. The VTM will need to be updated based on the additional information. A date that the updated VTM will be submitted will be provided after feedback from the staff is received on the additional information on the PPS testing.

Status: Closed (BK). RAI No.: RAI06.

Comments: This issue was discussed at the 4/18/2011 CC. PGE proposed performance of separate but overlapping tests at each factory to accomplish the integration test.

The staff has some concern over the fact that the MWS's to be installed in the plant would only be tested during the Tricon FAT. A fifth MWS to be configured the same as the plant MWS's is to be used during the ALS FAT.

One option to resolve this concern may be to credit the SAT test results in the SE. The current schedule for SAT (July 2013) does support this.

18 (BK)

Issue Description: Software Management Plan: Regulatory Guide (RG) 1.168, Revision 1, "Verification, Validation, Reviews and Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," dated February 2004 endorses IEEE (Institute of Electrical and Electronics Engineers) 1012-1998, "IEEE Standard for Software Verification and Validation," and IEEE 1028-1997, "IEEE Standard for Software Reviews and Audits," with the exceptions stated in the Regulatory Position of RG 1.168. RG 1.168 describes a method acceptable to the NRC staff for complying with parts of the NRC's regulations for promoting high functional reliability and design quality in software used in safety systems. Standard Review Plan (SRP) Table 7-1 and Appendix 7.1-A identify Regulatory Guide 1.168 as SRP acceptance criteria for reactor trip systems (RTS) and for engineered safety features actuation systems (ESFAS).

The Invensys PPS Replacement Software Verification and Validation Plan (SWP), 993754-1-802 does not provide a clear explanation of how the Invensys SWP complies with IEEE 1012-1998. Please provide a cross reference table that explains how the Invensys SWP implements the criteria of IEEE 1012-1998.

Also, the Westinghouse/ALS 6116-00000 Diablo Canyon PPS Management Plan, does not provide a clear explanation of how the CSI SWP complies with IEEE 1012-1998. Please provide a cross reference table that explains how the W/CSI SWP implements the criteria of IEEE 1012-1998.

PG&E response: Westinghouse incorporated the IEEE-1012 compliance table in the ALS V&V plan document 6116-00003 in Appendix A Table A-1 and PG&E submitted the ALS V&V plan document 6116-00003 to the staff on June 6, 2012, in Attachment 7 to the Enclosure of PG&E Letter DCL-12-050.

Status: Closed. RAI No.: RAI 7 & 8.

Comments: (Kemper 4/12/12) update: The staff has reviewed the Invensys IEEE 1012 compliance matrix on the PG&E/Altran sharepoint directory and it appears to be acceptable. The matrix appears to be comprehensive and indicates no exceptions to any clauses in IEEE 1012. No attempt was made to review/verify that where Invensys claims compliance with any particular Clause in the Std, that the respective section in their SWP is acceptable - the staff will work through this as the SWP is reviewed and evaluated for approval. Please submit the document on the docket.

This OI will remain open pending review of the Westinghouse/CSI document.

19 RS

Issue Description: Section 4.1.1 of the LAR states that; "The SSPS evaluates the signals and performs RTS and ESFAS functions to mitigate Abnormal Operational Occurrences and Design Basis Events described in FSAR [26] Chapter 15." However, Chapter 15 of the DCPP FSAR does not use the terms Abnormal Operational Occurrence (AOO) or Design Basis Accident (DBE). Instead, the accident analysis in chapter 15 identifies conditions as follows;

CONDITION I - NORMAL OPERATION AND OPERATIONAL TRANSIENTS
CONDITION II - FAULTS OF MODERATE FREQUENCY
CONDITION III - INFREQUENT FAULTS
CONDITION IV - LIMITING FAULTS

As such, the statement that AOO's and DBE's are described in the FSAR appears to be inaccurate. Please explain the correlation between the Conditions described in FSAR chapter 15 and the Abnormal Operational Occurrences, and Design Basis Events described in the LAR.

PG&E response: The AOO's are referred to as ANS Condition I "Operational Transients" in FSAR Chapter 15 and are addressed in FSAR Chapter 15.1. The design basis accidents are referred to as ANS Condition II "faults of moderate frequency," ANS Condition III "infrequent faults," and ANS Condition IV "limiting faults" and are addressed in FSAR Chapter 15.2, 15.3, and 15.4 respectively.

Status: Closed. RAI No.: RAI9.

Comments: 3/21/12 update: PG&E has created a share point website for NRC to review PPS design drawings that will address this issue as well as OI 20 and 21. NRC staff will determine if they are needed to be submitted on the docket. PG&E will ensure the website information is only applicable to this licensing action.

October 16, 2012 DCPP PPS Open Item Summary Table Page 28 of76 No SrclRI Issue Description P&GE response:

20 RS The system description provided in Section 4 of the LAR includes "functions performed by other protective systems at DCPP in addition to the PPS functions". In many cases, there is no explanation of what system is performing the functions described nor is there a clarification of whether the described functions are being performed by the PPS system.

As an example, Section 4.1.16 describes a bypass function to support testing of the high-high containment pressure channel to meet requirements of IEEE 279 and IEEE 603. The description of this function does not however, state whether this latch feature is being implemented within the PPS system or in the SSPS.

The staff needs to have a clear understanding of the functional scope of the PPS system being modified in order to make its regulatory compliance determinations. Please provide additional information such as PPS function diagrams to help the staff distinguish PPS functions from functions performed by other external systems.

PG&E Response: PPS design drawings have been provided to the staff on the Sharepoint site.

Status: Closed. RAI No.: N/A.

Comments:

3/21/12 update: PG&E has created a SharePoint website for NRC to review PPS design drawings that will address this issue. NRC staff will determine if they need to be submitted on the docket. PG&E will ensure the website information is only applicable to this licensing action.

5/30/12: Determined that no RAI will be needed for this item.

7/02/12 - Closed Item. Information in Function diagrams is sufficient for NRC to determine PPS functionality.

21 RA Westinghouse/CSI document 6116-00005, "Diablo Canyon PPS System Test Plan," states that the ALS-102 FPGA design is changed for the DCPP PPS System. Further, Section 5.3.3 states: "Test as many of the ALS-102 document requirements as possible." Please identify what document describes the design verification test for this board.

PG&E response: The documents that describe the design verification tests for the ALS-102 are 6116-70140, "Diablo Canyon PPS System Test Design Specification," submitted June 6, 2012, and 6116-10216, "Diablo Canyon PPS V&V Simulation Environment Specification," that will be submitted by September 30, 2012.

Status: Open (Hold). RAI No.: RAI 10 (not used).

Comments:

9-19-12 update (Alvarado): Waiting for ALS document to be submitted at the end of September.

6-13-12 update (Kemper): PG&E understands that they need to provide an update to this response. In the meantime, PG&E and ALS have provided 2 design specifications that will address this OI. These documents are placed on the PG&E SharePoint website. Doc. No. 6116-10740 was submitted on June 6, 2012, which describes the ALS system test design specification. Doc. No. 6116-00005 was also submitted on June 6, 2012, which describes the ALS system test plan. Doc. No. 6116-10216, ALS V&V Simulation Environment Specification, will be provided in the future.

3/21/12 update: PG&E has created a SharePoint website for NRC to review PPS design drawings that will address this issue. NRC staff will determine if they need to be submitted on the docket. PG&E will ensure the website information is only applicable to this licensing action.

NRC - the response provided does not address the question.

7/13/12 - rjs: Deleted RAI 10 pending review of revised response. Also decided to hold item open.

22 BK Follow-on OI #5 question pertaining to the PPS VTP:

Section 1.4.4 (pg. 12/38) states "The network equipment, including media converter, NetOptics Network Aggregator Tap, and gateway hub, and the MWS will not be within the test scope of this VTP. The Nuclear Delivery (ND) group will coordinate with Pacific Gas & Electric for system staging prior to turn over to Nuclear IV&V. The Nuclear IV&V group will confirm proper operation of network communications system interfaces before beginning testing addressed in this VTP." When, where, and what procedures will be used to test the network equipment?

Also, Section 5.1.4 (3) Hardware Validation Tests states that the ALS equipment will not be included in the FAT (pg. 27/38). Where, when, and under what procedures will the integrated PPS system (both Tricon V10 and ALS platforms together) be fully tested and subjected to FAT?

Status: Closed. RAI No.: RAI 5.

PG&E response:

Additional information on the PPS testing is being provided to the staff. The VTP will need to be updated based on the additional information. A date that the updated VTP will be submitted will be provided after feedback from the staff is received on the additional information on the PPS testing.

23 BK Section 4.2.13.1 of the LAR (page 85) states: "Figure 4-13 only shows one TCM installed in the Tricon Main Chassis (Slot 7L), the PPS replacement will utilize two TCM cards in each main chassis (Slots 7L and 7-R). This will provide two non-safety-related communication paths to the MWS and the PPC Gateway Computer from each Protection Set to ensure continued communications if a single TCM fails.

The NetOptics Model PA-CU/PAD-CU [footnote 1] port aggregator network tap was approved previously by NRC for a similar application in the Oconee RPS SER Section 3.1.1.4.3 [18]. The NRC staff determined that due to the electrical isolation provided by use of fiber optic cables and the data isolation provided by the Port Tap and the Maintenance and Service Interface (MSI) in the Oconee RPS, there was reasonable assurance that a fault or failure within the Oconee Gateway computer or the Operator Aid Computer will not adversely affect the ability of the Oconee RPS to accomplish its safety functions.

During the SAT PG&E will test the Protection Set communications paths illustrated in Figure 4-13 to verify that there is no inbound communications path associated with port aggregator network tap Port 1. That is, PG&E will verify that communications from Port 1 to either the TCM on Port A or the MWS on Port B of the port aggregator network tap are not permitted.

Results of this test will be documented in the final System Verification and Validation Report. Port aggregator dual in-line package (DIP) switch positions will be controlled by DCPP configuration management processes."

In order for the Staff to approve the integrated configuration of the PPS, prior to shipment of the PPS equipment to the DCPP site, all communications paths will require testing on or before FAT, and before completion of the SER. This testing is typically completed during or before the PPS FAT; otherwise, the SER will not be completed until after the SAT. Please provide a test scheme/procedures that satisfies all regulatory requirements prior to or during the FAT. Otherwise, if this testing will be completed during the SAT, as stated in the LAR, please provide a detailed schedule for this testing so the NRC can revise its PPS LAR Review Plan accordingly.

Footnote 1: The NetOptics Model PAD-CU has two one-way output ports but is otherwise identical in function to the PA-CU.

Status: Closed. RAI No.: RAI 11.

PG&E response: Additional information on the PPS testing for ALS is being provided to the staff. A date the additional information will be submitted will be provided after feedback from the staff is received on the additional information on the PPS testing for ALS.

24 RJS a. Section 4.1.17 paragraph 3 discusses the protection functions associated with High-High Steam Generator Level or P-14. In this discussion it is stated that the SI signal initiates the same two functions (Turbine Trip and Feedwater Isolation); however, there is no mention of this in Section 4.1.9 or in the discussion of the P-14 permissive. Please confirm that P-14 can be initiated by either High-High SG Level or by initiation of SI.

b. This same section also states that the described latched-in function serves to comply with IEEE Std. 279 Section 4.16. The replacement PPS system is not being evaluated against the criteria of IEEE 279. Instead, IEEE 603-1991 is being used and the equivalent criteria are contained in Section 5.2 of IEEE 603-1991. PGE needs to understand that the criteria of IEEE 279 are not relevant to this review effort.

PG&E response:

a. Turbine Trip can be initiated by either the P-14 steam generator level protection function OR by the latched Safety Injection (SI).

Section 4.1.17 describes the Steam Generator Level High-High Protection function P-14. Upon sensing high steam generator level, the PPS generates an initiation signal to the SSPS, which generates the turbine trip signal and initiates Auxiliary Feedwater when coincidence of 2 of 3 high-high level signals in any steam generator is detected.

Section 4.1.9 describes Pressurizer Protection Functions, one of which is initiation of Safety Injection through the SSPS when coincidence of 3 of 4 Pressurizer Pressure Low-Low signals from the PPS is detected. The SI actuation signal also actuates turbine trip and Auxiliary Feedwater through the SSPS, but SI is not initiated by Steam Generator Level High-High. The P-14 protection function is initiated ONLY by Steam Generator Level High-High. Through the SSPS, P-14 will trip the turbine and actuate Auxiliary Feedwater. A SI signal will also actuate Turbine Trip and Auxiliary Feedwater, among other actions. Pressurizer Protection functions do not initiate P-14, and Steam Generator Level High-High P-14 does not initiate SI.

b. PG&E intended Section 4.1 to describe the existing PPS and to apply only to the existing PPS, which complies with IEEE 279-1971. Sections 4.2 to 4.13 of the LAR apply to the PPS Replacement. Section 4.10.2.2 describes compliance of the PPS Replacement with IEEE 603-1991 Section 5.2. PG&E understands and appreciates that IEEE-603 applies to the PPS replacement.

Status: Closed. RAI No.: N/A.

Comments: Item initiated on 4/23/2012. PGE Response accepted.

25 RJS Sections 4.1.17 and 4.1.21 state that the P-9 permissive is the "Power Range at Power" function while Section 4.1.9 states that the P-10 Permissive is also called the "Power Range at Power" function. Is it correct that both of these permissives are called "Power Range at Power" and that they perform different functions?

PG&E response:

Both P-9 and P-10 are "Power Range at Power" functions; both are active when the Power Range NI channels are at power.

Permissive P-9 blocks reactor trip on turbine trip when 3 of 4 Power Range NI channels are below 50%.

Permissive P-10 is active when 2 of 4 Power Range NI channels are above 10%. Permissive P-10 is combined with Turbine Power Permissive P-13 (which is active above approximately 10% turbine load) to provide input to Permissive P-7 that allows blocking several low power reactor trips.

In effect, Permissive P-10 is the "Power Range at Power - Low" permissive and Permissive P-9 is the "Power Range at Power - High" permissive. This is consistent with the response to OI #12, above.

Status: Closed. RAI No.: N/A.

Comments: Item initiated on 4/23/2012. PGE Response Accepted.
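As an added illustration (not code from the LAR, PG&E, or Westinghouse), the following Python model captures the coincidence and permissive relationships stated in the responses to Items 24 and 25: P-14 from 2-of-3 high-high level in any steam generator, latched SI from 3-of-4 pressurizer pressure low-low, both driving turbine trip and Auxiliary Feedwater without either initiating the other, and P-9/P-10 voted on the four power range channels. The three-channel-per-SG count, the P-13 setpoint, and the OR combination of P-10 with P-13 into P-7 are assumptions; all function names and sample values are constructed for this example.

```python
from dataclasses import dataclass


def coincidence(trips, m):
    """m-of-n voting: True when at least m of the channel trip flags are set."""
    return sum(1 for t in trips if t) >= m


@dataclass
class PpsInputs:
    """Constructed sample inputs as the PPS would see them.

    sg_level_hi_hi   - per steam generator, the high-high level channel trips
                       (three channels per SG assumed, voted 2 of 3)
    pzr_press_lo_lo  - the four pressurizer pressure low-low channel trips
    power_range_pct  - the four power range NI channels, in percent power
    turbine_load_pct - turbine load in percent (P-13 input)
    si_latched       - SI is latched: once actuated it stays set until reset
    """
    sg_level_hi_hi: list
    pzr_press_lo_lo: list
    power_range_pct: list
    turbine_load_pct: float
    si_latched: bool = False


def p14(inp):
    """P-14: 2 of 3 high-high level signals in ANY steam generator."""
    return any(coincidence(channels, 2) for channels in inp.sg_level_hi_hi)


def safety_injection(inp):
    """SI: 3 of 4 pressurizer pressure low-low; latches once actuated."""
    if coincidence(inp.pzr_press_lo_lo, 3):
        inp.si_latched = True
    return inp.si_latched


def ssps_actuations(inp):
    """SSPS outputs per the Item 24 response: P-14 and SI each trip the
    turbine and start Auxiliary Feedwater; neither one initiates the other."""
    hi_hi = p14(inp)
    si = safety_injection(inp)
    return {
        "p14": hi_hi,
        "si": si,
        "turbine_trip": hi_hi or si,
        "aux_feedwater": hi_hi or si,
    }


def p10(inp):
    """P-10 ("Power Range at Power - Low"): 2 of 4 NI channels above 10 %."""
    return coincidence([p > 10.0 for p in inp.power_range_pct], 2)


def p9_blocks_trip(inp):
    """P-9 ("Power Range at Power - High"): reactor trip on turbine trip is
    blocked while 3 of 4 NI channels are below 50 %."""
    return coincidence([p < 50.0 for p in inp.power_range_pct], 3)


def p13(inp):
    """P-13: turbine load above approximately 10 % (setpoint assumed)."""
    return inp.turbine_load_pct > 10.0


def p7(inp):
    """P-7 takes P-10 combined with P-13; the OR combination is an assumption,
    since the response only says the two are 'combined'."""
    return p10(inp) or p13(inp)


def reactor_trip_on_turbine_trip(inp):
    """A turbine trip produces a reactor trip unless P-9 blocks it."""
    return ssps_actuations(inp)["turbine_trip"] and not p9_blocks_trip(inp)


if __name__ == "__main__":
    # Constructed case: 2 of 3 high-high level channels in SG 2 at full power.
    sample = PpsInputs(
        sg_level_hi_hi=[[False] * 3, [True, True, False], [False] * 3, [False] * 3],
        pzr_press_lo_lo=[False] * 4,
        power_range_pct=[100.0, 100.0, 100.0, 100.0],
        turbine_load_pct=100.0,
    )
    print(ssps_actuations(sample), reactor_trip_on_turbine_trip(sample))
```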

26 RJS The PG&E SyQAP defines Supplier tasks that are related to assurance of software quality for each of the following phases of development:

  • Project Initiation and Planning
  • Conceptual Design
  • Requirements
  • Design
  • Implementation
  • Integration
  • Test

These phases do not align with the phases used in the ALS or Tricon development lifecycles. For instance, the Tricon SQAP defines the phases as Requirements, Design, Implementation, and Test (Validation). Because of this, it is not clear how assurance of task completion can be accomplished. During which Tricon phases would those tasks listed under Integration, Initiation and Planning, and Conceptual Design be performed?

The ALS SQAP does not mention phases but the ALS Management plan defines the development phases as: Planning, Development, Manufacturing, System Test, and Installation.

Would it be possible for PGE to provide a mapping of Phases defined in the SyQAP to the Phases of the ALS and Tricon system development processes so that the staff can correctly identify and confirm performance of these QA tasks?

Status: Closed. RAI No.: RAI 12.

Comments: Item initiated on 4/25/2011. Will need formal response for this item. Therefore this will be an RAI.

PG&E response:

PGE will provide a mapping of Phases defined in the SyQAP to the Phases of the ALS and Tricon system development processes. The determination of the location of the mapping information and date to be submitted is IN PROGRESS.

27 RA Software Management Plan

The LAR, Attachment 3, describes the project organization, roles and responsibilities for the PPS replacement project. This document does not describe oversight activities that PG&E will perform during the PPS replacement project, the interface between PG&E and Invensys and WEC/CSI, or the methodology to judge quality of the vendor effort.

Please provide this information.

PG&E response:

Oversight activities for the project were discussed in Section 4.2.11, Appendix B Compliance, of the LAR, which discusses the DCPP Quality Assurance Program and Procurement Control Program and states that PG&E will audit IOM and CSI during the manufacturing phase under the PG&E Nuclear Procurement Program and associated directives.

In support of the oversight activities, PG&E will issue a Project Quality Plan (PQP) that will define the oversight activities to be performed, including technical audits, cyber security audits, and software quality assurance audits.

The PQP is expected to be issued in June and will be submitted to the staff by July 31, 2012.

Following the performance of the PQP audits, audit reports will be created and a PQP Audit Summary Report will be created. PG&E will submit the PQP Audit Summary Report to the staff at the time the vendor hardware is delivered to PG&E. The vendor hardware is currently expected to be delivered to PG&E in Spring 2013.

The PQP audit reports will not be submitted but will be made available to the NRC staff for review.

Status: Closed. RAI No.: RAI 13.

Comments: The PQP will need to be submitted.

28 RA Software Management Plan

The LAR, Attachment 3, states that PG&E is responsible for the following activities in the lifecycle: project initiation and planning phase, conceptual design phase, requirements phase, installation and checkout phase, operation phase, and maintenance phase. Further, Section 3.1.10 states that PG&E will follow the activities described before for software modifications. Please explain how PG&E will perform software modifications to the Tricon and ALS platforms once the PPS replacement project is completed.

PG&E response:

The control of the software modifications to the Tricon and ALS platforms once the PPS replacement project is completed will be by the Process Protection System Replacement Software Configuration Management Plan, SCM 36-01, Revision 0, which was submitted as part of the Phase 2 document submittal on June 6, 2012, in Attachment 4 to the Enclosure of PG&E Letter DCL-12-050.

The SCM-01, Revision 0, document has been placed on the SharePoint site.

Status: Closed. RAI No.: N/A.

Comments: Alvarado (6/13/12): PG&E placed a copy of their Software Configuration Management Plan on their SharePoint site.

29 RA Software Management Plan

The LAR, Attachment 3, states that the PG&E Project Manager will share the responsibility for meeting the software quality goals and for implementing the software quality management throughout the project.

Please describe what responsibilities are going to be shared and how this is going to be performed.

PG&E response:

The PG&E Project Manager will share the responsibility for meeting the software quality goals with the PG&E Quality Verification organization personnel.

To implement the oversight activities, the PG&E Quality Verification organization will issue a Project Quality Plan (PQP) that will define the oversight activities to be performed, including technical audits, cyber security audits, and software quality assurance audits.

Status: Closed. RAI No.: RAI 13.

30 RA Software Development Plan

Section 7 of the Invensys Nuclear System Integration Program Manual (NSIPM) requires that non-conforming procedures shall be used to control parts, components, or systems which do not conform to requirements.

Invensys documents 993754-1-906, Software Development Plan, and 993754-1-905, PPS Replacement DCPP Project Management Plan, do not identify non-conforming procedures to be followed when deviations are identified and how deviations should be corrected.

Please provide this information.

PG&E response:

The Project Management Plan (PMP), 993754-1-905, is the overarching project management document for the Invensys scope of the PPS Replacement Project. It references other Invensys planning documents that discuss procedures to follow when deviations are identified and how they are corrected. The Software Development Plan, 993754-1-906, describes the software development process for the Invensys scope of the PPS Replacement Project. 993754-1-906 has been revised to Revision 1 to include new Section 3.2.6 that discusses problem reporting and corrective action. 993754-1-906, Revision 1, was submitted by PG&E on August 2, 2012.

In addition, the Invensys Software Quality Assurance Plan, 993754-1-900, Section 8, and the Invensys Software Configuration Management Plan, 993754-1-909, Section 3.2, both provide reference to procedures to follow when deviations are identified and how deviations are corrected.

Status: Closed. RAI No.: RAI 14 (not used; not required).

Comments:

9/19/12 update (Alvarado): Rev. 1 of 993754-1-906 addressed this question.

7/13/12 rjs: Decided to not use the RAI and hold this item open pending review of updated phase 2 submittals.

31 RJS Software Quality Assurance Plan:

IEEE 730-2002 stipulates in Section 4 that "The SQAP shall be approved by the manager of each of the organizations having responsibilities in the SQAP." The PGE SyQAP has been approved by the PGE Diablo PPS Upgrade Project Manager and the Altran Project lead; however, there are several other organizations that have responsibilities delineated in the SQAP. The managers of these organizations have not approved the SyQAP. The following organizations are assigned roles and responsibilities within Section 3.4 of the SyQAP. Please explain the means by which these organizations have committed to comply with the requirements stated in the SyQAP.

  • Vendor IV&V Project Managers
  • EOC Design Change Package Team
  • PGE Project Engineering Team
  • QA Organization
  • Testing and Integration Team
  • V&V Organization

Status: Closed. RAI No.: RAI 15.

Comments: At the 5/16 meeting, the staff explained that PGE should have some commitment from all orgs that have activities in the SyQAP. This could be contractual or through activities that are delineated in other vendor plans or procedures.

PG&E response:

The software quality assurance plan was discussed in Section 4.11.1.1.1 of the LAR, which did not commit to IEEE 730-2002 criteria in developing the SQAP. IEEE Standard 7-4.3.2-2003 [76] Clause 5.3.1 references IEEE Std 730-1998 for guidance but does not require it to be met.

PG&E is determining how to address the commitment from all organizations contained in the SyQAP as requested by the staff in the 5/16 meeting.

32 RJS Section 4.2.7 "Power Supply" of the LAR describes how power is supplied to the PPS. In this description, the 480V AC vital supply is described in the following ways:

  • First it is described as back-up common bus to the 120 V distribution panels. We cannot tell if this is through a transformer or if this refers to the alternate supply to the inverters.
  • It is also described as a supply to an inverter.
  • It is then described as supply to the battery charger.

From these descriptions, it is not clear to the staff how these vital power sources are configured in relation to the 120VAC panels that feed the PPS.

Would it be possible to provide a simplified diagram to show the relationship between the 125V Batteries / DC Buses, Battery Chargers, Inverters, and the 120V AC distribution Panels that supply power to the PPS?

PG&E response:

The following description clarifies the 120 V vital instrument AC power supply to the PPS:

1. Safety-related 480 VAC from vital AC motor control center (MCC) is fed to the UPS and rectified.

2. Rectifier output is fed to the inverter and converted to 120 VAC.

3. Safety-related vital DC bus power is fed to the UPS as immediate backup supply. The vital DC bus is backed up by the safety-related 125 VDC station battery, which is charged from vital 480 VAC.

4. Inverter output is fed through a static switch with integral manual bypass switch to vital instrument AC power distribution panels.

5. On loss of inverter output, the static switch will select backup regulating transformer output (120 VAC) to distribution panels.

6. The backup regulating transformer receives input from the 480 VAC supply. The backup regulating transformer may be aligned via a transfer switch to either of two 480 VAC busses: the normal supply or an alternate supply. The alternate supply circuit breaker is normally open to prevent interconnection of redundant power supplies due to a failed transfer switch. The transfer switch may not be used under load.

Refer to the attached block diagram for additional detail.

Status: Closed. RAI No.: RAI 16.

Comments: PGE Response accepted.

33 RJS (ALS SQAP) Software tools are used extensively during the FPGA development process. The staff therefore considers these tools to be a key component to the assurance of quality in the ALS system development process. The ALS SQAP states that "no additional tools, techniques, or methodologies have been identified" for the ALS system. The staff considers the development tools, as well as the techniques and methodologies used during system development to be relevant to the assurance of quality for the ALS system. Please provide information on the tools, and methodologies used during system development to ensure quality of the ALS system products.

Status: Open (Hold).

Comments:

Item initiated on 6/5/12.

6-13-12 update (Kemper): W/ALS agrees with NRC's position on tools and will revise the document (Doc. No. 6002-00001) accordingly to address this matter. Placed this item on hold pending review of revised QA plan.

PG&E response: Westinghouse agrees that Section 8, Tools, Techniques, And Methodologies of the ALS QA Plan (6002-00001) should be revised to reference document 6002-00030, "ALS Design Tools." This document describes the tools used and how they are used in the design process. This document is also on the ALS docket. Westinghouse will submit a revision of the ALS QA Plan on the ALS docket by October 30, 2012.

34 RJS (Software Integration Plans) The integration planning documentation referenced in section 4.5.4 of the LAR does not include any integration of the two sub systems (ALS integrated with Tricon). The PGE papers provided that discuss how FAT's will be performed may resolve this but these papers would have to be docketed as integration planning documents to support our SE. We also need to come to some agreement on the scope of integration to be accomplished prior to issuance of the SE.

Status: Closed. RAI No.: RAI 20.

Comments:

Item initiated on 6/7/2012.

6-13-12 update (Kemper): This seems a duplicate of OI 16 & 23.

7/02/12 - RJS: This is related to OI 16 and 23; however, this specifically addresses the software integration planning documents being assessed. The current software integration plan discussed in Section 4.5.4 of the LAR and the documents referenced from there do not adequately address this aspect of system integration. As such the Integration Plan will have to be revised. Just including integration in the FAT will not resolve the inadequacies of the integration planning documents. I anticipate that a supplemental integration plan document will need to be submitted in order for PGE to resolve this.

New RAI added and OI closed.

PG&E response: IN PROGRESS

35 RA Follow up of Item 21 - Software Test Plan

In the response provided for Item 21, PG&E explained that a new revision (Rev. 1) of ALS document No. 6116-00005 was provided. The scope of Revision 1 is slightly different from the scope described in Rev. 0. For example, Section 1.2 in both revisions states that test coverage includes all ALS modules, backplane, license sense modules (LSM), and ALS service unit (ATU). However, Section 2, Test Items, for these revisions is different.

Revision 1 only focuses on ALS-102 and backplane assemblies. This section does not include other ALS modules, LSM and ATU. Please explain why these other ALS modules are not included in Section 2 of the new revision.

Further, Table 1-2 identifies "Diablo Canyon PPS Test Plan" as document No. 6116-00005, which is the same number as "Diablo Canyon PPS System Test Plan". Please clarify if this is referring to a different document.

Status: Closed (RAI).

PG&E Response: The scope of both revisions is the same. Revision 1 added more detail to the overall scope. The details are broken down into 2 main parts: 1 - the individual components, 2 - the system components. Both parts equal the entire ALS-based Diablo Canyon system, which includes all ALS modules, Backplane, ASU (incorrectly stated as ATU in the open item), LSM, ALS-102 A/B specific to Diablo, and the full ALS subsystem test, which includes the testing of ALS slave cards required by the DCPP configuration.

The entry in Table 1-2 for the Diablo Canyon PPS Test Plan, 6116-00005, is the same document as Diablo Canyon PPS System Test Plan 6116-00005.

36 RA Software Test Plan

Section 5.3.6 of ALS Document No. 6116-00005 refers to a "Test Team" to perform system level testing. However, the "Test Team" is not defined in ALS Document No. 6116-00000, "Diablo Canyon PPS Management Plan," which defines roles and responsibilities for the PPS Replacement Project.

Please clarify who is the Test Team and where their roles and responsibilities are defined.

Status: Closed.

This plan will be released by 30 September 2012.

37 RA Software Management Plan

PG&E "PPS Replacement Concept, Requirements, and Licensing Phase 1 Project Plan" does not address reporting mechanisms and controlling changes to the system. The only reference is that PG&E states that they will follow the activities described before for software modifications. After reviewing PG&E's SyWP, we found that Section 6 states that Anomaly Resolution and Reporting shall be performed per the respective PG&E and 10 CFR 50 Appendix B supplier control procedures. However, this statement does not identify the document to follow to report anomalies.

Please identify and describe the process that PG&E will follow for reporting mechanisms.

Status: Closed.

PG&E Response: PG&E administrative procedure OM7.ID1, "Problem Identification and Resolution," provides guidance for identification and resolution of both equipment and non-equipment problems, including vendor software problems. The OM7.ID1 procedure provides the process for documenting, reporting, evaluating, trending, and tracking the resolution of problems at DCPP. PG&E administrative procedure X11.ID2, "Regulatory Reporting Requirements and Reporting Process," provides the instructions for reporting facility events and conditions to the NRC. This procedure applies to plant problems, including software anomalies, and provides a list of regulatory reporting requirements applicable to the DCPP, including those contained in the NRC regulations (including 10 CFR), the plant operating license (including associated Technical Specifications), license amendments, and regulatory correspondence. The procedure summarizes the types of reporting requirements and references the source of the requirement, time-frame for reporting, reporting method, lead responsible organization, primary regulatory agency recipient, and implementing procedures.

38 RA Software Management Plan Section 2 of the PG&E "PPS Replacement Concept, Requirements, and Licensing Phase 1 Project Plan" does not describe the activities to be performed by the Engineering of Choice Design Change Package Team.

It is also not clear what the roles and responsibilities of this team are.

Please clarify and provide the applicable PG&E control document that describes PG&E roles and responsibilities specifically for the Engineering of Choice Design Change Package Team.

Status: OPEN.

PG&E Response: The activity performed by the Engineering of Choice Design Change Package Team is to support PG&E in development of the design change package for the PPS Replacement. PG&E has a contract with an engineering company, currently Enercon Services, Inc., to be the "engineer of choice" to provide nuclear engineering services to PG&E. For individual scopes of work, PG&E develops a purchase request for the scope of work and a purchase order is issued to the engineering company that is the engineer of choice. When the engineer of choice is performing a design change package for Diablo Canyon Power Plant, the engineer of choice uses the PG&E Design Change Procedure, CF3.ID9, "Design Change Development" and PG&E performs an owner acceptance of the work using PG&E Procedure CF3.ID17, "Design and Analysis Documents Prepared by External Contractors."

39 October 16, 2012 DCPP PPS Open Item Summary Table Page 46 of 76 RAI No.

RAI Comments P&GE response:

Status No SrclRI Issue Description (Date Sent)

Response

(Due Date)

RAI Closed Software Management Plan RA Figure 2-1 of the PG&E "PPS Replacement Concept, Requirements, and Licensing Phase 1 Project Plan" and Figure 3-1 of the SyQAP identify Altran under the PG&E Project Engineering box. However, Figure 4-1 of the SyWP identifies PG&E project team under the PG&E Project Engineering box. Please explain the role and responsibilities for Altran during the PPS Replacement Project.

PG&E Response:

09/17/2012:

1. The PPS Organization Chart shown in SyWP Figure 4-1 is a simplified rendering of the organization charts in Project Plan Figure 2-1 and SyQAP Figure 3-1. The latter figures show an Altran Project Team under PG&E Project Engineering and a team of three PG&E individuals directly under PG&E Project Engineering.

The slight inconsistency between SyWP Figure 4-1 and the other figures may be resolved thus:

[Revised organization chart (figure not reproduced): an Altran Lead box shown under PG&E Project Engineering]

the PG&E Project Team as shown above in the revised figure.

Altran supported LAR preparation and is providing continuing support through the LAR review process. Altran's work is governed by the Altran Engineering Procedures Manual. Documents submitted to PG&E are prepared in accordance with Altran EOP 3.3 (reports) and EOP 5.4 (specifications). All Altran documents are verified in accordance with Altran EOP 3.4. In addition, PG&E accepts Altran documents under PG&E CF3.ID17 as noted in the Altran Verification Report.

40 OPEN RA Software Tools In the ALS Progress Update 2012-08-01 provided to the staff, Westinghouse/CSI described that they are replacing the Automated Test Environment (ATE) in the IV&V credited tools with a LabVIEW-based ALS Board Test System (ABTS). Also, in this presentation, Westinghouse/CSI noted that they are using additional IV&V and equipment qualification tools.

Since this information needs to be reflected in the software planning documents, please identify how these items will affect Westinghouse/ALS documents related to PPS replacement project. Also, identify what document will be revised to include description of these modifications.

PG&E Response: The ALS Design Tools document 6002-00030 requires revision to replace the ATE with the ABTS. The date for the release of this revision will be provided by September 7, 2012.

09/17/2012: Forecast release date 9/14/12 for the ALS Design Tools 6002-00030.

41 RA Software V&V and Test Plan Closed RAI Westinghouse/ALS document 6116-0005, section 8.2 identifies the software tools to be used in the PPS replacement project. However, this list is not consistent with the list of IV&V tools identified in Section 3.6 of ALS V&V Plan 6002-00003. Specifically, the test tools identified in 6002-00003 are not listed in 6116-00005 and vice versa. For example, the V&V Plan (6002-00003) identifies the ATE tool for IV&V, but this tool is not listed in 6116-0005 Rev. 1. Furthermore, the staff reviewed 6116-0005 Rev. 0, and found that the ATE tool was listed in this version. Please clarify what software tools will be used and what document describes them.

PG&E Response: A new revision of the ALS V&V Plan 6002-00003 identifies the ABTS and the ISE as the IV&V test tools. This new revision is being docketed the week of September 3 on the ALS platform docket. The ATE is removed from the set of IV&V test tools. The tools listed in document DCPP PPS Test Plan 6116-00005 section 8.2 and the tools listed in DCPP PPS V&V Simulation Environment Specification, 6116-10216 (to be released by 30 September 2012), encompass the IV&V test tools in the new revision of the ALS V&V Plan, 6002-00003.

42 RA Software V&V PG&E "PPS System Replacement System Verification and Validation Plan (SyWP)" does not describe the V&V activities to be performed during the Operation Phase and Maintenance Phase. This document states that these activities are covered by approved DCPP procedures. Please identify these DCPP procedures.

OPEN 9/17/12 update (Alvarado): during the conference call PG&E explained that modifications to the systems will be performed by the vendors.

PG&E will provide additional information on their plan to perform modifications to the PPS system during operation and maintenance.

PG&E Response:

Per the response to OI #28, control of the software modifications to the Tricon and ALS platforms once the PPS replacement project is completed, and the PPS is in the Operations and Maintenance phase, will be by the Process Protection System Replacement Software Configuration Management Plan, SCM 36-01, Revision 0, which was submitted as part of the Phase 2 document submittal on June 6, 2012, in Attachment 4 to the Enclosure of PG&E Letter DCL-12-050.

43 RA Software V&V PG&E "PPS System Replacement System Verification and Validation Plan (SyWP)", Section 5.1.1, explains that during the Concept Phase, PG&E will verify system requirements in accordance with PG&E procedure CF2.ID9, "Software Quality Assurance for Software Development." However, Procedure CF2.ID9 is for in-house development of software applications.

Please explain how this procedure is going to be used for the PPS replacement project. Closed RAI

Further, Section 5.1.2 of CF2.ID9 states that an independent review of the functional requirements prepared during the concept phase would be performed. The PG&E SyWP does not identify this review, and thus there is no specific V&V product for this phase. Please identify who will perform this review and whether it is considered a V&V product.

PG&E Response:

09/17/2012: Altran developed the PPS Replacement FRS during the Concept phase in accordance with Altran EOP 5.4, and verified it in accordance with Altran EOP 3.4. Altran used PG&E procedure CF3.ID16 for additional guidance. PG&E accepted the FRS under CF3.ID17, which constituted verification of system requirements. This was a design activity rather than a V&V activity and there is no specific V&V product for this phase.

44 RA Software V&V Invensys prepared Document No. 993754-1-813, "DCPP PPS Validation Test Plan." It states that the Test Review Board and PG&E will review all validation testing documents. Please describe the composition of the Test Review Board, since its role/responsibility is not described in the Invensys V&V Plan or in the Validation Test Plan (Section 4.4).

PG&E Response: The composition of the Project Review Committee (PRC) or Test Review Board includes the Project Manager, Project Engineer, Project Quality Assurance Engineer, IV&V Manager, and Lead IV&V/Test Director. This is described in Invensys document 993754-1-905, Project Management Plan, Section 3.5.5. See the Invensys response to OI 49 for additional statements on the PRC.

45 RA Follow up of item 18 - Software V&V RG 1.168 identifies five of the activities in IEEE Std. 1012-1998, Annex G, "Optional V&V Tasks," as being considered by the NRC staff to be necessary components of acceptable methods for meeting the requirements of Appendices A and B to 10 CFR Part 50 as applied to software. These tasks are:

1. Audits
2. Regression Analysis and Testing
3. Security Assessment
4. Test Evaluation
5. Evaluation of User Documentation

Westinghouse/ALS Document No. 6002-00003, "ALS V&V Plan," describes the following techniques for V&V: reviews, testing, traceability analysis, inspection/analysis, and IV&V regression (change) analysis. This plan does not include any of the optional V&V activities identified in IEEE Std. 1012-1998, Annex G. Please explain whether these activities are performed.

OPEN

PG&E Response: The DCPP V&V Plan will be revised by September 30, 2012 to include these optional V&V tasks required by RG 1.168, to align with the new ALS V&V Plan for the Optional Tasks.

46 RA Software V&V OPEN Several sections in the Invensys Software Verification and Validation Plan (SWP) reference "applicable Project Procedure Manual (PPM)" to perform certain activities. The reference section in this plan identifies PPM (Reference 2.4.4). It is not clear if the PPM is constituted by several procedures or if it is only one procedure. For example, Section 1.1, states the SWP was prepared in accordance with PPM 7.0 (Ref. 2.4.4), and then Section 4 states that V&V activities will be planned and scheduled in accordance with the applicable PPM. Please describe what the PPM is, and explain how this is going to be used in the PPS replacement project.

PG&E Response:

The Project Procedures Manual (PPM) provides appropriate controls for project activities conducted at the Invensys Operations Management (Invensys) Lake Forest facility. These controls will ensure that all nuclear Class 1E projects (or non-1E projects where the customer has specified certain 1E requirements) processes, project activities, and project documents will meet the requirements of 10 CFR 50, Appendix B, 10 CFR Part 21 and the Invensys Quality Management System. This procedures manual provides specific controls for NAD as well as other Invensys organizations that perform nuclear safety-related system integration project activities. The PPM is a collection of different procedures, including referenced Forms, and is a controlled document.

Each PPM procedure is intended to implement key areas of project activities. Each procedure within the PPM is assigned a unique document number and title.

V&V activities during the PPS Replacement Project will be governed by several procedures within the PPM as defined in the SWP document, Invensys document 993754-1-802. The SWP will be revised to add the title of each procedure within the PPM where referenced in the SWP. For example, in the SWP, Section 1.1, where it states that, "the SWP was prepared in accordance with PPM 7.0 (Ref. 2.4.4)," will be revised to state that "the SWP was prepared in accordance with PPM 7.0, Application Program Development." The revised SWP will be submitted by TBD.

47 RA Software V&V Invensys Document No. 993754-1-802, "Software Verification and Validation Plan," requires the use of V&V metrics to evaluate the software development process and products. This section does not explain what methods and criteria will be used for software safety metrics. This information is required by section B.3.1 of BTP 7-14, RG 1.152, RG 1.173 and IEEE Stds. 1061 and 1074, and also by BTP 7-14 Section B.3.1.1.2. Please provide this information.

OPEN

PG&E Response:

The V&V metrics are used during development of the PPS Replacement software that will reside/execute on the V10 Tricon portion. The V&V metrics measure the thoroughness of V&V reviews and testing efforts. These measurements yield data utilized to gain reasonable assurance that the design outputs are of high quality commensurate with the intended use in the PPS Replacement application. The V&V metrics methodology, utilizing a diversity of software measures, provides insight into the rigor of the PPS software development process. V&V uses three distinct metrics during PPS software development:

Software Quality Metrics: The purpose of these metrics is to measure software quality by tracking the number of defects found in the design outputs (e.g., design documents, software).

The method is to count and categorize defects found during V&V review of design outputs.

The acceptance criterion is that no technical defects remain at the end of the current phase to receive V&V recommendation to proceed to the next project phase. Any defects that cause the non-compliance with customer requirements and/or non-compliance with NRC guidance are considered technical defects.

V&V Effectiveness Metrics: The purpose of these metrics is to measure the effectiveness of V&V reviews by measuring the percentage of design outputs which V&V reviews or tests. The method determines the percentage of design outputs actually reviewed by V&V (which is meaningful for in-process design changes necessitating a change impact analysis, revisions to released design outputs, and a regression analysis). The Acceptance Criterion is that 100 percent of comprehensive or delta change reviews is achieved in the current phase to receive the V&V recommendation to proceed to the next project phase.

Software Safety Metrics: The purpose of these metrics is to assess whether software safety requirements are being met. Methods are to count software hazards found during V&V review or testing of design outputs and to confirm software hazard mitigation in each project phase or, at a minimum, by the end of the project and approval at the completion of acceptance testing. The Acceptance Criterion is that all software hazards are mitigated by the end of the Test Phase to receive approval of the results of acceptance testing.
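To make the three acceptance criteria concrete, here is an added example (not Invensys's or PG&E's code, and not the PPM metrics procedure itself) that computes the Software Quality, V&V Effectiveness and Software Safety metrics over constructed phase records and turns them into the V&V recommendation to proceed. The record layout (DesignOutput, Defect, Hazard, PhaseRecord) and the sample data are assumptions; the page does not describe how Invensys records defects, review coverage or hazards.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class DesignOutput:
    name: str
    reviewed: bool          # V&V performed a comprehensive or delta review/test this phase


@dataclass
class Defect:
    doc: str                # design output in which the defect was found
    category: str           # constructed categories, e.g. "editorial", "requirements"
    technical: bool         # non-compliance with customer requirements or NRC guidance
    resolved: bool


@dataclass
class Hazard:
    hazard_id: str
    mitigated: bool         # mitigation confirmed by V&V review or test


@dataclass
class PhaseRecord:
    phase: str              # e.g. "Requirements", "Design", "Test"
    outputs: List[DesignOutput]
    defects: List[Defect]
    hazards: List[Hazard]


def quality_metric(rec: PhaseRecord) -> Dict[str, int]:
    """Software Quality: count and categorize defects; report open technical defects."""
    by_category: Dict[str, int] = {}
    for d in rec.defects:
        by_category[d.category] = by_category.get(d.category, 0) + 1
    by_category["open_technical"] = sum(1 for d in rec.defects if d.technical and not d.resolved)
    return by_category


def effectiveness_metric(rec: PhaseRecord) -> float:
    """V&V Effectiveness: percentage of design outputs actually reviewed or tested by V&V."""
    if not rec.outputs:
        return 0.0
    reviewed = sum(1 for o in rec.outputs if o.reviewed)
    return 100.0 * reviewed / len(rec.outputs)


def safety_metric(rec: PhaseRecord) -> Tuple[int, int]:
    """Software Safety: (hazards found, hazards still unmitigated)."""
    unmitigated = sum(1 for h in rec.hazards if not h.mitigated)
    return len(rec.hazards), unmitigated


def recommend_proceed(rec: PhaseRecord) -> Tuple[bool, List[str]]:
    """Apply the three acceptance criteria; return (proceed?, reasons for a hold)."""
    reasons: List[str] = []
    q = quality_metric(rec)
    if q["open_technical"] > 0:
        reasons.append(f"{q['open_technical']} technical defect(s) remain open")
    pct = effectiveness_metric(rec)
    if pct < 100.0:
        missing = [o.name for o in rec.outputs if not o.reviewed]
        reasons.append(f"only {pct:.0f}% of design outputs reviewed; missing: {missing}")
    found, unmitigated = safety_metric(rec)
    # The safety criterion is a hard gate at the end of the Test Phase; earlier
    # phases only report the hazard count (the text allows mitigation to be
    # confirmed "at a minimum, by the end of the project").
    if rec.phase == "Test" and unmitigated > 0:
        reasons.append(f"{unmitigated} of {found} software hazard(s) unmitigated")
    return (not reasons, reasons)


# Constructed sample records (not project data).
REQUIREMENTS_PHASE = PhaseRecord(
    phase="Requirements",
    outputs=[DesignOutput("SRS", True), DesignOutput("IRS", True), DesignOutput("SDD draft", False)],
    defects=[Defect("SRS", "editorial", technical=False, resolved=True),
             Defect("IRS", "requirements", technical=True, resolved=False)],
    hazards=[Hazard("HZ-01", mitigated=False)],
)

TEST_PHASE = PhaseRecord(
    phase="Test",
    outputs=[DesignOutput("Validation Test Procedure", True), DesignOutput("Test Report", True)],
    defects=[Defect("Test Report", "editorial", technical=False, resolved=False),
             Defect("Test Report", "nrc_guidance", technical=True, resolved=True)],
    hazards=[Hazard("HZ-01", mitigated=True)],
)

if __name__ == "__main__":
    for rec in (REQUIREMENTS_PHASE, TEST_PHASE):
        ok, why = recommend_proceed(rec)
        print(rec.phase, "proceed" if ok else "hold", why)
```

With the constructed data the Requirements phase is held for two reasons (an open technical defect and a design output that was not reviewed), while the Test phase proceeds: its only open defect is editorial, every output was reviewed, and the one hazard is mitigated.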

48 RA Software V&V PG&E SyWP, Section 6, requires that anomalies detected are identified, documented, and resolved during the V&V activities. This section states that anomaly reporting and resolution requirements are defined in the respective PG&E control procedures. Section 2, "Control Procedures," does not include a reference for an anomaly reporting procedure. Please identify the PG&E control procedure used for anomaly reporting.

Further, Section 7 of the SyWP states that the PG&E authority responsible for approving deviations from the SyWP is the PG&E Project Manager, who will document his/her approval in a Change Notice or equivalent formal PG&E document. Please identify where the responsible PG&E authority will document its approval.

OPEN 9/17/12 update (Alvarado): NRC staff received copies of OM7.ID1 and X11.ID2. This addressed item 1 of this open item.

PG&E Response:

1. The PG&E control procedure for anomaly reporting is OM7.ID1, "Problem Identification and Resolution." This procedure governs the PPS replacement after it has been turned over to PG&E by the suppliers. The suppliers' anomaly reporting procedures are applicable prior to this turnover.
2. IN PROGRESS

49 RA Software V&V Invensys Document No. 993754-1-802, "Software Verification and Validation Plan", Section 6.3 states that Invensys personnel prepare a System Deficiency Integration Report (SDIR) to document non-conformances and corrective actions during testing; the SDIR is prepared in accordance with PPM 10.0. Please explain what PPM this is.

Further, the Invensys "Validation Test Plan", Section 5.4.2 states that the Test Review Board and PG&E shall review SDIRs, but this is not indicated in the Invensys V&V plan. Please explain why this review activity is not identified as a V&V task in the V&V Plan.

OPEN

PG&E Response:

The PPM 10.0 procedure defines the process to control nonconforming items and identify appropriate corrective action for all nuclear application projects developed at the Invensys Operations Management (Invensys) Lake Forest facility. This procedure is intended to provide controls for nonconforming items and corrective actions related to project activities. As used in this procedure, the term "nonconformance" describes deficiencies in parts and materials (items), documentation, and/or deviations from stated requirements. This procedure addresses the identification, documentation, evaluation, and disposition of nonconforming items. This procedure also describes the corrective action process to be used for project-related issues where corrective action is warranted.

SWP Section 5.2.2.2.1 4) stated that Nuclear IV&V shall generate and verify the system-level Validation Test Plan, 993754-1-813, in accordance with PPM 6.0 [Ref 2.4.4], in conjunction with IEEE 829-1983. The SWP was developed in accordance with PPM 6.0, Test Control. PPM 6.0, Test Control, states that the Project Review Committee (PRC) shall review all test results for completeness, accuracy and acceptability. This review shall include all test documentation, e.g., the Test Procedures, the Test Logs, the System Integration Completion Checklist, the Test Report(s), and SDIRs.

50 RA Software V&V The Invensys Validation Test Plan, Section 8.2, states that the Narrative Test Logs are used to document the conduct of testing and any anomalies that occur. Please explain whether this is only used during validation, and why this is not mentioned in the Invensys SWP. Further, please explain how this is used in conjunction with the Document Review Comment Sheet (DRCS) and the System Deficiency Integration Report (SDIR).

OPEN PG&E Response:

PPM 6.0, Test Control, defines the Test Logs. All test activities shall be recorded in a Test Log. The Test Log constitutes a continuous, hand-written journal of all test activities from the point of initial entry into the Test Procedure until the conclusion of all testing, including any required retesting. The Test Log shall include entries for sign-in and sign-out of all participating personnel, establishment of indicated prerequisites and initial conditions for testing, performance of testing and retesting, identification of problems, etc. The Test Log is intended to be a detailed journal of all testing activities sufficient to fully document the actual sequence of testing performed, the test results achieved and any problems that occurred, including their impact on test performance. The Test Log shall be reviewed by the PRC as part of its evaluation of the test results.

The Test Logs are independent and separate from the Document Review Comment Sheet (DRCS) and System Deficiency Integration Report (SDIR).

However, as a test narrative, the Test Log may identify the fact that an SDIR was generated as a result of a test anomaly.

51 RA Software Configuration Management See Attachment 2.

OPEN PG&E Response:

09/18/2012:

1. Configuration process
a. ALS-102 Configuration The FPGA installed on the ALS-102 board, and therefore the ALS-102 board itself, is specific to the PPS Protection set and the ALS subsystem in which it is installed. PG&E will not have the capability to alter the FPGA. Any change to the FPGA must be made by CS Innovations. Therefore, ALS-102 FPGA configuration management activities are covered by the ALS Configuration Management Plan.

PG&E capability to change ALS-102 configuration will be limited to board-level replacement.

b. NVRAM Configuration ALS I/O boards are generic; that is, each board is configured using its NVRAM for the specific function it is to perform. This activity is described in SCM 36-01 Section 1.2.8, which states that the configuration of the NVRAM is changed by removing the subject board from the ALS chassis and inserting it into a special test fixture.

This would be performed as part of a maintenance activity, such as replacing a failed board. If the functionality of an I/O board required modification as a result of an application change, all required NVRAM configuration alterations would be performed by CS Innovations under their ALS Configuration Management Plan.

As with the ALS-102 FPGA discussed above, PG&E will not have the capability to alter the NVRAM configuration itself. PG&E capability to change the NVRAM configuration for a specific I/O board will be limited to loading NVRAM images that are under CS Innovations configuration control and that have been previously verified and validated at the system level by CS Innovations.

Configuring the NVRAM in order to replace an I/O board will be performed by PG&E under an approved plant maintenance procedure.

c. Invensys SCMP Response: There was no intent for the SCMP to do more than track the revision of Commercial Off The Shelf (COTS) software. In this case "Control" is defined as tracking the revision levels such that they are recorded on the project Master Configuration List, Invensys project document 993754-1-803. On page 7 of the SCMP, under "Limitations," it states, in part, that the revision levels of this type of software will be tracked.
2. Organization
a. SCMP Inconsistent with CF2.ID2

[IN PROGRESS]

3. Changes and Problem Identification
a. PROG POCM Notification Process

[IN PROGRESS]


b. Tracking changes in SAP

[IN PROGRESS]

4. Document Repository
a. SourceSafe vs. SC-I-36-M

[IN PROGRESS]

b. Control of Access to PPS Replacement Documentation

[IN PROGRESS]

52 RJS NSIR Security: Open

PG&E stated in its letters DCL-11-123 and DCL-11-104 that the PPS replacement will be fully compliant with the 10 CFR 73.54 cyber security requirements, including RG 5.71, Revision 0, "Cyber Security Programs for Nuclear Facilities," dated January 2010, and is being reviewed to comply with 10 CFR 50.73, the DCPP Cyber Security Plan, and NEI 08-09, "Cyber Security Plan for Nuclear Power Reactors," Revision 6, dated April 2010.

The cyber security program that PG&E is implementing per its NRC-approved cyber security plan includes provisions applicable to all phases of a system's life cycle, including the digital upgrade or modification of critical digital assets.

Please explain how the provisions outlined in PG&E's NRC-approved cyber security plan were considered, and/or implemented, as part of the PPS replacement. The provided explanations should include how all of the management, operational, and technical security controls contained within the plan, especially the security controls associated with Configuration Management and System and Service Acquisition, are being addressed.

The provided explanations should also include any issues associated with partial implementation of the PPS replacement and full implementation of the cyber security plan for the site, and processes to identify and resolve any such issues.

PG&E Response:

The Cyber Security program manager and other members of the CSAT (Cyber Security Assessment Team) met with the Process Protection System (PPS) Upgrade design engineer beginning in 2011. Many options were discussed.

The Cyber Security program manager and project manager have met with the procurement group to discuss cyber security principles that should be written into the procurement procedures, and what steps will help to ensure a secure supply chain.

The Cyber Security Assessment Team (CSAT) was formed in accordance with section 3.1.2 of the cyber security plan, and Milestone a, on 10/31/2011. A list of critical digital systems and assets was created in accordance with section 3.1.3 of the cyber security plan and Milestone b on 10/31/2011. The CSAT looked at scheduled digital upgrades, and added the future equipment to the list of critical digital systems. The CSAT determined the PPS equipment will be a critical system, with several CDAs.

From July 9-12, 2012, the cyber security project manager accompanied members of the Quality Verification group to examine the design and production facilities of Invensys, examined the code production practices and the development environment, and determined that Invensys has an SDE and ensures their employees are reliable and trustworthy.

Activities planned for the future:

In December of 2012, the network that the PPS will eventually reside on will be isolated from internet-connected networks by a deterministic network device, per Milestone c of the DCPP Cyber Security Plan. Thus many network attacks, including many that depend on a back door created by a vendor, will not be possible.

Also by December of 2012, DCPP will have taken steps to lessen the likelihood of an attack initiated by a portable electronic device, or portable media such as a thumb drive, per Milestone d and Section D1.19 of NEI 08-09. This will mitigate portable media based attacks that depend on a back door created by a vendor.

The DCPP Cyber Security Team will interface with NUPIC (Nuclear Procurement Issues Committee) and the NEI/NITSL counterfeit parts task force to address digital equipment supply chain security.

The Cyber Security Implementation Project Manager has developed a detailed project plan, with several tasks and schedules. Several existing plant procedures will be revised. The PPS will inherit the controls implemented by these procedures. Many of the procedures will have been changed/created before the PPS is installed.

The CSAT is collecting design information as it becomes available. The collected design documentation is being reviewed as it is collected. The collected documentation will be reviewed in a formal desktop evaluation per the cyber security plan, section 3.1.5 prior to the PPS installation. The test set up in the offsite test lab near the plant will be visited on occasion by the CSAT, the system will be walked down repeatedly during installation, and the final walkdown will be performed when the system is ready to return to operations, per section 3.1.5 of the security plan.

The CSAT will make recommendations to enhance the cyber security posture of the PPS upgrade throughout the project, and will make their final recommendations after the system walkdown, per section 3.1.6 of the cyber security plan.

Disposition of all controls will be documented in the cyber security assessment tool, CyberWiz. Recommended mitigation will be documented in CyberWiz, and the Corrective Action Program.

53 RJS Section 4.10.2.6.3 of LAR:

A tech specification change resulting from the recent Eagle 21 failure that affected the operability of the AFW control system is being reviewed by the staff. As part of this review PG&E has stated that the "independence between safety systems and other systems" clause is not being met for all conditions of operation. If this is the case, then why does the PPS LAR not identify any exceptions to IEEE 603 clause 5.6.3? Even if the replacement PPS does not have an equivalent failure mode to the Eagle 21 system, the TS change would still apply after the upgrade is completed. The staff will need to confirm that the potential for this failure mode has been eliminated in the new design or that the criteria of IEEE 603 are otherwise being satisfied.

Closed 9/11/12 Per CC with PG&E, the position on compliance with IEEE 603 5.6.3 is being revised and there is no plan to take exception with this or any other criteria of IEEE 603.

PG&E Response: None Required

54 WEK PG&E Letter DCL-12-050, Phase 2 Documents, Attachment 2 FSAR Changes, Insert 1 for FSAR Section 3.10.2.1.3 states that "The Process Protection System Tricon subsystem has been seismically qualified by Invensys Operations Management (see Reference 40) in accordance with requirements from Reference 44 that is endorsed by Reference 33."

What is reference 44 and where is this documented in the FSAR?

PG&E Response: Reference 44 is IEEE 344-1987, the current Reference 44 in the FSAR. See FSAR page 3.10-40, which was included in the FSAR changes in PG&E Letter DCL-12-050, Phase 2 Documents, Attachment 2.

Closed. Response okay, no RAI required.

Should IEEE 344-1987 be included in 7.1.2.4, Conformance with IEEE Standards (page 7.1-13)?

55 WEK PG&E Letter DCL-12-050, Phase 2 Documents, Attachment 2 FSAR Changes, FSAR Section 7.1.2.5, Conformance With Other Applicable Documents (page 7.1-13), does not indicate the NRC Safety Evaluation that will be produced to approve the PPS. The staff's SER should become part of the DCPP Unit 1&2 licensing basis once it is issued. How will this be documented within the FSAR?

Closed RAI#

Acceptable response. Send this as an RAI so that the issue does not get lost.

PG&E Response: Reference to the staff SER will be included in FSAR Section 7.2.1.1.6 for the reactor trip portion of the process protection system and to Section 7.3.1.1.4.1 for the engineered safety features actuation system portion of the process protection system.

56 WEK PG&E Letter DCL-12-050, Phase 2 Documents, Attachment 2 FSAR Changes, FSAR Section x.x.x.x, (page 7.2-23) states that the evaluation for the common mode failure in the PPS is presented in Reference 37 [DCPP PPS D3 LTR] and approved in Reference 38 [the staff's SER approving the DCPP PPS D3 LTR]. However, it is noted that in the staff's SER it was stated in several sections that the D3 design features were approved based on "... confirmation that the proposed built-in diversity of the ALS sub-system is found to be acceptable." This confirmation will be provided in the DCPP PPS SER; therefore, the staff's SER should also be referenced in this section.

Closed RAI#

Acceptable response. Send this as an RAI so that the issue does not get lost.

PG&E Response: Reference to the staff SER for LAR 11-07 will be included in FSAR Section 7.2.2.1.2 in addition to the staff SER for the DCPP D3 LTR.

57 WEK PG&E Letter DCL-12-050, Phase 2 Documents, Attachment 2 FSAR Changes, FSAR Section 7.2.2.9.2, IEEE 603-1991 Clause 5, Clause 5.12 (page 12) states that "... the communication path between the maintenance workstation and the ALS subsystem is normally disabled with a hardwired switch..." Also, Attachment 3, PG&E PPS Interface Requirements Specification (IRS), Rev. 6 to PG&E Letter DCL-12-069 dated August 2, 2012 states in section 1.5.6 "... TAB communications between the ALS and MWS takes place via RS-485 data link. The TAB is physically disconnected from the MWS when the TAB is not in use.... the TAB is open at all times unless maintenance is being performed on the ALS..." Please identify administrative controls and design features associated with the PPS that explain how the MWS is disconnected/disabled from the PPS (i.e., a means of physical cable disconnect, or a safety-qualified hardware switch that either physically opens the data transmission circuit or interrupts the connection by means of hardwired logic. "Hardwired logic" as used here refers to circuitry that physically interrupts the flow of information, such as an electronic AND gate circuit (that does not use software or firmware) with one input controlled by the hardware switch and the other connected to the information source: the information appears at the output of the gate only when the switch is in a position that applies a "TRUE" or "1" at the input to which it is connected. Provisions that rely on software to effect the disconnection are not acceptable. It is noted that software may be used in the safety system or in the workstation to accommodate the effects of the open circuit or for status logging or other purposes) that demonstrate how this hardwired switch disconnects the ALS maintenance workstation from the ALS safety processor.

Closed RAI#

Acceptable response. Send this as an RAI so that the issue does not get lost.

PG&E Response: For the ALS subsystem, instead of using a hardwire keyswitch, the ALS subsystem will be administratively controlled by physically disconnecting the communication link to the ALS MWS computer when the Test ALS Bus (TAB) is not being used for surveillance testing, maintenance, and trouble-shooting. This is a PPS replacement design change described in the response to NRC request for additional information in PG&E Letter DCL-12-083 and will be included in a supplement to LAR 11-07.

58 RJS ALS FMEA - There are several failure modes identified in Table 4-4 of the FMEA where the System Effects entry provides a description of functions that are not affected by the failure mode instead of stating what the effects of the failure mode are. For example, the System Effects in the ETT failure in line 5b of Table 4-4 are that the Alarm Function remains operational.

Though this may be the case, it does not state what the effects of the failure mode are. Examples of this can be found in lines 5b, 6a, 6b, 7a, 9h, 9i, 11b, 11c, and 11d.

Status: Open

PG&E Response:

The System Effects entry does describe the functions that are affected by the failure mode. This entry must be read in the context of the entire FMEA table row.

For example, the cited row for ETT failure in line 5b discusses the effects of failures of the ALS-402-1 digital output board which sends Alarm Signals to other systems.

In the case of Energize to Trip outputs (ETT) a stuck open output channel will prevent the core A rack from being able to actuate the Alarm (in this case a specific instance of an ETT Alarm is cited, the "Containment Pressure in Test Alarm").

However, due to the compensating features, which in this case is the redundant implementation of the function in the core B rack, the System Effect is that the Alarm function remains operational. A similar reading applies to the other examples cited.

59 RJS ALS FMEA - Some of the identified failure modes of the ALS system are detectable only by operator observations, or by means that are not necessarily performed during routine operation or during surveillance testing. See lines 10c and 12a. What measures will be implemented to ensure that these failure modes would not occur and remain undetected for an indefinite period of time?

It is the staff's understanding that all failure modes which are not detectable through normal means such as surveillance tests or channel checks would need to be considered present for the purpose of satisfying single failure criteria for the system.

Status: Open

PG&E Response:

Surveillance testing includes visual inspection of the equipment in addition to the specified test cases that demonstrate functionality. Therefore, those failure modes that are detected by operator observations will be detected as part of the surveillance test. IEEE Std 379-2000 defines detectable failures as those failures that can be identified through periodic testing or that can be revealed by alarm or anomalous indication. Therefore, such failures do not need to be considered to be present for purposes of evaluating single failure criterion compliance.

The specific cases cited are clear examples. Line 10c discusses failures of the local partial trip indicators. Failures of the indicators do not affect the actual trip function. During the test the technician uses the indicators to confirm that the trip action occurs at the appropriate threshold. Thus the act of observation of the failure during surveillance testing is assured. Line 12a discusses failure of the serial link used for continuous monitoring of the ALS health. Failure of this link does not affect the safety functions of the rack, but would be immediately obvious at the workstation used to do the monitoring. This workstation is used in surveillance testing.

60 RJS Technical Specifications:

In order for the staff to make a determination that the existing technical specifications and surveillance intervals remain acceptable for the replacement PPS system, an evaluation to compare the ALS/Tricon PPS system reliability and performance characteristics with those of the Eagle 21 system must be performed.

Please provide an evaluation summary report to support the application of existing technical specification and surveillance test intervals to the upgraded ALS/Tricon based PPS system. This report is expected to include a quantitative analysis to demonstrate the new system's ability to perform its required safety functions between established surveillance intervals as well as a qualitative (i.e., deterministic) analysis which cites the self diagnosis and fault detection features of the replacement PPS. The report should address the staff's previous findings in Section 4.3, "Applicability of WCAPs to DCPP," of Amendment No. 179, dated January 31, 2005 (ML050330315).

Status: Open (New) RAI

PG&E Response: An evaluation summary report to support application of the existing TS and TS surveillance test intervals will be provided by January 31, 2013.

61 RA Software V&V Plan:

ALS provided Revision 7 of its V&V plan (6002-00003). This revision provides a mapping and alignment with IEEE Std 1012-1998. This now causes a misalignment with the DCPP V&V Plan, 6116-00003; thus, the DCPP V&V Plan will need to be revised. Please identify when this new revision will be submitted.

Status: Open (New)

PG&E Response: IN PROGRESS

62 RA Software Management Plan:

Revision 2 of the ALS "Diablo Canyon PPS Management Plan," 6116-0000, Sections 2.1 and 2.2, defines the project organization. As described in guidance documents BTP 7-14 and NUREG/CR-6101, licensees need to describe the management aspects of the software development process.

Please clarify the following:

1. The description provided in this section does not align with the organization structure provided in Figure 2-1. The description provided is not clear. For example, the bulleted list identifies "Scottsdale Operations Director", but then the 1st paragraph refers to Scottsdale Operations Director and ALS Platform & System Director. It is not clear if this is the title for one person or for two. Further, Figure 2-1 does not identify the ALS Platform & System Director, if this role is performed by a separate individual. Please clarify this.
2. This section states that the ALS V&V Plan provides information on the interface between the IV&V team and the PPS replacement project. It is not clear why the ALS V&V plan will provide this information, since the ALS V&V plan is for the generic platform. Please clarify what document contains this information.
3. This section states that the WEC Project Manager is responsible for the commercial process interface with PG&E. However, this role is not listed in the bulleted item list and not identified in Figure 2-1. Please clarify this role.
4. Figure 2-1 identifies a QA Manager, but this section only describes the QA Lead. Please describe the role and responsibility for the QA Manager.
5. Section 4.1, Planning Stage, mentions a "Project Leadership Team," which is not described in Section 2. Please explain the role and responsibilities for this team.

Status: Open (New)

PG&E Response: IN PROGRESS

63 RA Software Management Plan:

Revision 2 of the ALS "Diablo Canyon PPS Management Plan," 6116-0000, Section 4.1, Planning Stage, identifies that deliverables from this phase are approved by the "Managerial Review Board." However, this document does not identify the role and responsibilities for this board. Furthermore, the ALS PPS V&V Plan, 6116-00003, Rev. 0 states that IV&V will review the planning stage documents. Please clarify the person/team responsible for this review and their role and responsibilities.

Status: Open (New)

PG&E Response: IN PROGRESS

64 RA Software Management Plan

To close Items 27 and 29, PG&E issued the DCPPS Project Quality Assurance Plan to define the oversight activities to be performed during the PPS replacement project. Section 2 of this plan describes the responsibilities of those involved in oversight activities. However, it is not clear how these roles and responsibilities correlate to the project organization described in PG&E PPS Replacement Plan (Attachment 3 of the LAR) and PG&E PPS Replacement System Quality Assurance Plan (Attachment 4 of the LAR). For example, the Project Quality Assurance Plan describes the responsibilities of the PPS replacement Project Manager, but this role is not described in other documents. Further, the responsibility described seems to align with the responsibility of the PG&E Project Manager. Please explain the relationship, if any, of the roles and responsibilities described in the DCPPS Project Quality Assurance Plan and those provided in other PG&E plans.

Status: Open (New)

PG&E Response: The "Quality Assurance Plan for Diablo Canyon Process Protection System Replacement" (referred to as the "Project Quality Plan" in response to OIs 27 and 29) was a project specific document created by the Quality Verification group (a Quality Assurance organization) to identify the Quality Assurance tasks to be performed by the Quality Verification group for the project. The "Quality Assurance Plan for Diablo Canyon Process Protection System Replacement" provides the specific plan to be used by the "Supervisor Project QA" identified in Section 3.5.1 (page 19) of the SyQAP and the "Project QA Engineer or Equivalent" identified in Section 3.5.8 of the SyQAP to provide PG&E quality oversight for the project, which in part supports meeting 10 CFR 50 Appendix B quality assurance requirements for the project.

The "Supervisor Project QA" is not identified in the PPS Replacement Project Plan Figure 2-1 (PPS Replacement Project Organization) because they are not part of the Project Organization, but instead provide independent quality assurance oversight of the Project Organization.

Section 6.1, "System Quality Assurance Plan (SyQAP)," of the PPS Replacement Project Plan discusses the SyQAP, which in turn references the "Supervisor Project QA" in Section 3.5.1 (page 19) and the "Project QA Engineer or Equivalent" in Section 3.5.8 to provide PG&E quality oversight for the project.

65 RJS KVM Switch Questions:

See Attachment 3

PG&E Response: See Attachment 3

66 WEK Section 4.2.13.1 of the LAR (page 85) states: "*** The NetOptics Model PA-CU/PAD CU2 PA-CU port aggregator network tap was approved previously by NRC for a similar application in the Oconee RPS SER Section 3.1.1.4.3 [18]. The NRC staff determined that due to the electrical isolation provided by use of fiber optic cables and the data isolation provided by the Port Tap and the Maintenance and Service Interface (MSI) in the Oconee RPS, there was reasonable assurance that a fault or failure within the Oconee Gateway computer or the Operator Aid Computer will not adversely affect the ability of the Oconee RPS to accomplish its safety functions."

In section 3.1.1.5.2.1 of the Oconee SER, the staff approved the NetOptics aggregator Port Tap, Model 96443, No. PA-CU, as a device intended to allow monitoring of a full duplex 10/100BaseT Ethernet communication link by copying the communications and sending that copied communications to a one-way simplex communications link. Due to the importance of this one-way communications path functioning properly, the NRC staff performed a detailed review of the design aspect of this one-way communications path. Circuit diagrams on the device itself indicated that the communications using Port C (Port 1 in the case of DCPP PPS application) may be capable of two-way communications. Since the original review of Model 96443, part No. PAD-CU Port Tap required NRC staff examination of actual schematic drawings of the circuitry to determine that there was no inbound communications path associated with Port C (Port 1 for the PPS), a similar schematic review for any replacement or updated model of the Port Tap must be evaluated in the same manner (by the licensee) to determine that the manner in which it is being used and configured is acceptable, and does not invalidate the conclusion of this SE that use of the Port Tap provides adequate data isolation between the Gateway computer and the digital RPS/ESPS. The Port Tap approved for Oconee was model 96443 PA-CU.

Please provide the model number of the Port Tap being used in the DCPP PPS.

Status: NEW

PG&E Response:

67 WEK Section 4.2.13.1 of the DCPP PPS LAR (pg. 85) states, "Port aggregator dual in-line package (DIP) switch positions will be controlled by DCPP configuration management processes."

Please provide a documented basis (e.g., a plant procedure, or engineering design package) that demonstrates how this will be controlled.

Status: NEW

PG&E Response:

68 WEK Please provide a detailed functional description of the DCPP PPS NSR Gateway Computer(s) system, including computers/processors, communications protocols, and data isolation details. Or, please indicate where this information is explained within the LAR and supporting documents. Also, please provide a detailed explanation of the Gateway Switch discussed within the LAR, including its operating principle (hardware, logic based, etc.), data/electrical isolation design features, and any other pertinent information pertaining to its failure mechanisms.

Status: NEW

PG&E Response:

69 WEK Please provide a detailed explanation of the application programs contained within the Tricon and ALS MWS computers, including how they will be used to enhance the performance of the PPS safety systems, provide required maintenance, surveillance, etc. Or, please indicate where this information is explained within the LAR and supporting documents.

Status: NEW

PG&E Response:

Figure 1: DCPP 120 Volt Vital Instrument AC System (Simplified). Diagram elements shown: 480V Bus 1H (2H); AC switch; transfer switches SD11 (21), SD12 (22), SD13 (23); UPS IY13 (23) and IY14 (24); TRY 11 (21) and TRY 12; connections to Protection Set II and Protection Set IV.

Legend: IY: UPS and DC-AC Inverter; PY, SD: 120 VAC Distribution Panel, 125 VDC Distribution Panel; TRY: 480 VAC/120 VAC Transformer and Regulator; Normal Power Flow (N); Bypass (120 VAC)/Backup (125 VDC) Power Flow; Alternate Bypass Power Flow (A).

Unit 1 Component ID's are shown; Unit 2 Component ID's are in parentheses. For example, PY11 is Unit 1 Vital Instrument AC Distribution Panel 1; PY21 is Unit 2 Vital Instrument AC Distribution Panel 1.

October 16, 2012 DCPP PPS Open Item Summary Table
Open Items Related to Software Configuration Management Plan

1) Configuration process

a) In open item 4, the staff requested a description of the software configuration management activities for configurable boards (e.g., ALS FPGA-102 board). Since the ALS FPGA-102 board is customer specific, its configuration management activities are not covered by "ALS Configuration Management Plan."

Even though item 4 is closed, this request was not addressed in the response for item 4.

b) The PG&E SCM 36-01, item 1.2.8, states that the ALS board has two sets of NVRAM. Further, it explains that the configuration of the NVRAM can be changed only by removing the subject board from the ALS chassis and inserting it into a special test fixture. It is not clear who will control this process and configuration of the NVRAM. Please explain.

c) Section 1.2 of the Invensys Document No. 993754-1-909, "Software Configuration Management Plan," states that this plan controls the operating system of the computers used to run TriStation 1131 and the signal simulation software used for testing purposes. However, the description provided throughout the plan only focuses on the configuration activities for the TSAP (e.g., Section 2.3 states that the SCM procedures are for the TSAP). Further, this same section (later on) identifies the software configuration to be managed, and this list does not include the operating system of the computers used to run TriStation 1131 and the signal simulation software used for testing purposes. Please clarify the scope of this plan.

d)

2) Organization

a) The organization and responsibilities described in Section 4 of CF2.ID2 are not consistent with the information presented in Section 2 of SCMP 36-01. For example, Section 2 of SCMP 36-01 identifies system coordinator, application sponsor, and system team, who are not identified in Section 4 of CF2.ID2. Further, these descriptions are not identified in the project organization described in PG&E PPS Replacement Plan (Attachment 3 of the LAR). Please clarify the roles and responsibilities for SCM, and provide a cross reference of the PG&E organizations described in these documents.

3) Changes and Problems Identification

a) PG&E SCMP 36-01 states that software, hardware, and configuration problems are reported in accordance with PG&E OM7.ID1 and that software and/or configuration problems are reported via a PROG PDCM Notification. Please clarify when and how these are used. For example, for software problems, does one have to report the problem using both PG&E OM7.ID1 and a PROG PDCM Notification? Note that PG&E CF2.ID2 states that all problems associated with the plant computer system should be reported and documented per OM7.ID1 (see Sections 5.11 and 5.16.10(b) of CF2.ID2).

Further, Section 3.2.1 states that all PPS modifications should be initiated and tracked per plant procedures or CF4.ID1. Section 3.2.2 states that the implementation of the change is documented in the associated Change Package and a SAP notification and order. And Section 3.2.10 states that all identified problems and corrective actions using a notification, which is not specified.

So should software modifications require reporting and tracking using OM7.ID1, CF4.ID1, PROG PDCM Notification, Change Package, and SAP Order?

Please explain PG&E procedures for different changes and the documenting and tracking system used for all types of modification.

b) Please clarify the means to track changes. Section 3.2.4.7 of the SCM 36-01 states that this is done using a SAP order, but Section 3.2.4.7 states that Change Package and SAP order are entered in the Record Management System, and Section 3.3 describes a Configuration Status Account, which is used to track changes of configuration items.

4) Document Repository

a) SCM 36-01, Section 2.3.3 identifies the Digital Systems Engineering SourceSafe as the repository, but Section 3.2.5.5 identifies http://dcpp142/idmws/home/asp, and Section 3.29 states that the files necessary for recovery of the baseline are maintained in the PPS database in "SC-I-36M, Eagle 21 Tunable Constants." It is not clear whether these sections are referring to the same document repository. Please clarify.

b) PG&E has implemented restrictions to access files and documents associated with the PPS replacement project. Further, PG&E requires user authentication and access to edit configuration, software, and data. It is not clear if these restrictions apply for access to the Digital Systems Engineering SourceSafe or the repository in http://dcpp142/idmws/home/asp.

October 16, 2012 DCPP PPS Open Item Summary Table
Open Items Related to the Keyboard Video Mouse (KVM) Switch Questions:

1. If the Enumerated USB switching function is used, will you be able to use the keyboard hotkeys and mouse buttons to perform switching? The brochure seems to indicate on page 3 that the Enumeration switching process will not enable control switching using the USB keyboard or mouse. However, it further says that Emulation USB switching was developed to support these enhanced monitor switching functions/devices (keyboard hotkeys or mouse buttons).... Albeit, other USB devices (e.g., printer) do not need to use the Emulated USB switching function. Could you please clarify this point?
2. Will the KVM switch be on-line 24-7 monitoring data from either the Tricon or the ALS platform? If so, what can we say about the failure modes of the KVM switch? Can it fail in such a manner so as to inject faults into the MWS computers, and hence into the Tricon or ALS safety system processors? If not, why? If so, what can be done to circumvent this problem, and show conformance with ISG-04, Points 10 & 11? We will need to cover this matter in the SER.
3. Also, you will likely need to address how you will disable the features you are not using such as the audio interface, unused USB ports, remote control/channel switching by external control from an SDOE perspective, and probably a cyber security perspective later on (after SER).
4. If the KVM switch does fail in some manner allowing data flows between the two platforms, then the ALS system would not be affected because the ALS platform will only transmit data in one direction to its MWS (with the TAB cable disconnected of course). This is good; however, the LAR (or attachments) needs to explain how the engineering design principles of the ALS platform physically prevent bad/erroneous data from corrupting the ALS platform. In other words, explain how these messages emanating from the MWS (regardless of origin) will be disregarded/rejected by the ALS platform, thus allowing only one direction of data flow.
5. Please explain in detail how "Connection between the computers shall not be permitted." Will this be handled via a configuration control process, administrative controls, or a physical means of preventing connection between computers?

October 16, 2012 DCPP PPS Open Item Summary Table
Open Items Related to the Keyboard Video Mouse (KVM) Switch PG&E Responses:

1. The USB1 and USB2 ports, which use enumerated switching, pass data straight through the KVM switch without interpretation. Therefore, you cannot connect a keyboard to USB1 or USB2 and use the hotkeys to perform switching, and USB1 and USB2 traffic cannot cause an inadvertent switch. The block diagram shows the output of the emulated portion of the switch and the enumerated portion going to a USB hub before being sent to the computer. The keyboard and mouse will use the emulated switching function, not the enumerated switching function; only the keyboard and mouse can control the switch.
2. The KVM switch will be on-line 24-7 for monitoring data from either the Tricon or ALS platform via the respective MWS computers. There is additional isolation because the ALS communicates strictly one way to its MWS except when TAB communications are enabled by connecting the TAB cable.

Connection of the TAB is performed as directed by a trained technician using an approved procedure. Therefore, if the KVM switch failed in some way to connect the two MWS together, the ALS would not be affected. The Tricon might be affected, but the D3 analysis allows the Tricon to fail due to CCF.

The following paragraphs have been added to the IRS Section 2.3.7:

b. The KVM switch shall permit only connections between a single computer and the selected video display and HMI interface devices. Connection between the computers shall not be permitted.

g. The AV4PRO-VGA KVM switch shall utilize the default switching mode, in which the video display, keyboard and mouse and the enumerated USB ports are all switched simultaneously.

Paragraph g was necessary to prevent the enumerated ports from being switched separately from the KVM.

3. Specific answers to these questions depend on the detailed design. Ports can be physically blocked, which might be appropriate for unused computer ports and the audio ports. It might not be appropriate for the unused USB port (which may be needed for a future printer) and the options port (which may be needed for firmware updates). Remote control switching or firmware update requires a custom serial cable. The firmware update requires specialized software on the computer being used to perform the update. Firmware update will be done by procedure. The MWS will be inside a locked cabinet inside a vital area inside the protected area. Inadvertent actions, while not impossible, will not be easy. If the switch is somehow manipulated, the ALS will not be affected even if the KVM switch fails because the ALS communicates only one-way with the MWS except for short periods when the TAB is enabled.
4. The design of the TxB1 and TxB2 data communication paths from the ALS-102 Core Logic Board to the Gateway Switch and MWS, respectively, are EIA-422 communication links in which Receive capability is physically disabled by hardware as described in 6002-102002, the ALS-102 Design Specification. The receiver is configured such that the transmit data is looped back for channel integrity testing. The ALS-102 is physically and electrically incapable of receiving information from outside the ALS-102. Therefore, messages are not disregarded or rejected by the ALS-102. This is better than a "broken wire." The wire just isn't there, and there is no place to connect a wire if someone wanted to do so.
5. This section was intended to be a functional requirement for the KVM switch. Administrative and configuration controls will prevent inadvertent loading of an EPROM image that could corrupt operation of the KVM switch. If the KVM switch fails and connects the ALS and Tricon MWS together, the above-described physical and electrical restrictions of the KVM switch will prevent the ALS from being corrupted by its MWS computer.

ALS-102 board (i.e., that the board is physically and electrically incapable of receiving information from outside the ALS-102 board) will be added to the ALS topical report that is currently under review by the staff. If this is the case, the communication isolation design features of the ALS-102 board will be reviewed as part of the ALS topical report and not as part of the PG&E PPS replacement LAR.

PG&E took an action to provide updates for items that are identified as "in progress" in Enclosure 2 prior to the next public phone call.

NRC took the following actions:

Simplify the information in Enclosure 2 and remove the items from the enclosure that have been closed to make the document more manageable going forward. For historical purposes, past meeting summaries that have a listing of the closed items may be referenced.

Move attachments 2 and 3 of Enclosure 2 into the table itself so that the questions and answers for these issues are tracked in a similar manner as other issues.

Provide an updated list of the NRC personnel that will be attending the Invensys audit discussed above. The staff noted that the individuals involved with the cyber security portion of the audit have changed.

Please direct any inquiries to me at 301-415-1132 or at Joseph.Sebrosky@nrc.gov.

/RA/

Joseph M. Sebrosky, Senior Project Manager
Plant Licensing Branch IV
Division of Operating Reactor Licensing
Office of Nuclear Reactor Regulation

Docket Nos. 50-275 and 50-323

Enclosures:

1. List of attendees
2. Staff identified issues

cc w/encls: Distribution via Listserv

DISTRIBUTION:
PUBLIC; LPLIV Reading; RidsNsirDsp Resource; RidsOgcRp Resource; RidsAcrsAcnw_MailCTR Resource; RidsRgn4MailCenter Resource; RidsNrrDeEicb Resource; RidsNrrDorl Resource; RidsNrrDorlLpl4 Resource; RidsNrrDraApla Resource; RidsNrrDssStsb Resource; RidsNrrLAJBurkhardt Resource; RidsNrrPMDiabloCanyon Resource; SAchen, RIV/DRS/EB2; ELee, NSIR/DSP/CSIRB; DParsons, NSIR/DSP/CSIRB; SKennedy, EDO RIV; GSimonds, NSIR/DSP/CSIRB; TWertz, NRR; THarris, NSIR/DSP/FCTSB; WKemper, NRR/DE/EICB; MShinn, NRC/CSO; RStattel, NRR/DE/EICB; CNickell, NRR/DLR/RAPB; RAlvarado, NRR/DE/EICB; MSnodderly, NRR/DRA/APLA; WMaier, RIV; KBucholtz, NRR/DSS/STSB; SMakor, RIV/DRS/EB2

ADAMS Accession Nos.: Meeting Notice ML12275L229; Meeting Summary ML12297A243

* via email
OFFICE: NRR/DORL/LPL4/PM | NRR/DORL/LPL4/LA | NRR/DE/EICB | NRR/DORL/LPL4/BC | NRR/DORL/LPL4/PM
NAME: JSebrosky | JBurkhardt | RStattel* | MMarkley | JSebrosky
DATE: 10/31/12 | 10/25/12 | 10/26/12 | 10/31/12 | 10/31/12

OFFICIAL RECORD COPY