ML12341A123
| ML12341A123 | |
| Person / Time | |
|---|---|
| Site: | Diablo Canyon |
| Issue date: | 12/19/2012 |
| From: | Joseph Sebrosky Plant Licensing Branch IV |
| To: | |
| Sebrosky J | |
| References | |
| TAC ME7522, TAC ME7523 | |
UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

December 19, 2012

LICENSEE: Pacific Gas and Electric Company

FACILITY: Diablo Canyon Power Plant, Unit Nos. 1 and 2

SUBJECT: SUMMARY OF NOVEMBER 28, 2012, TELECONFERENCE MEETING WITH PACIFIC GAS AND ELECTRIC COMPANY ON DIGITAL REPLACEMENT OF THE PROCESS PROTECTION SYSTEM PORTION OF THE REACTOR TRIP SYSTEM AND ENGINEERED SAFETY FEATURES ACTUATION SYSTEM AT DIABLO CANYON POWER PLANT, UNIT NOS. 1 AND 2 (TAC NOS. ME7522 AND ME7523)
On November 28, 2012, a Category 1 teleconference public meeting was held between the U.S. Nuclear Regulatory Commission (NRC) and representatives of Pacific Gas and Electric Company (PG&E, the licensee) at NRC Headquarters, One White Flint North, 11555 Rockville Pike, Rockville, Maryland. The purpose of the teleconference meeting was to discuss the license amendment request (LAR) submitted by PG&E on October 26, 2011, for the Digital Replacement of the Process Protection System (PPS) Portion of the Reactor Trip System and Engineered Safety Features Actuation System at Diablo Canyon Power Plant, Unit Nos. 1 and 2 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML113070457). A list of attendees is provided in Enclosure 1.
The teleconference meeting is one in a series of publicly noticed teleconference meetings to be held periodically to discuss issues associated with the NRC staff's LAR review. Preliminary issues that the NRC staff identified during the initial review, and the licensee's responses to these preliminary issues, were discussed during the teleconference meeting. The list of preliminary issues is provided in Enclosure 2.
The NRC staff and licensee confirmed that the next meeting on this topic would be held on December 19, 2012. Highlights from the meeting on November 28, 2012, include the following:
Changes have been made to how preliminary issues are being tracked. Enclosure 2 contains only those issues that are considered open. Items that have been closed because PG&E has pointed the NRC staff to information that is available on the docket that resolves the issue, or items for which requests for additional information (RAIs) have been issued, are no longer tracked in Enclosure 2. However, the numbering system from the original list has been retained. This is why Enclosure 2 begins with item 21. The listing of the closed items can be found in Enclosure 3.
Because of recent changes to the schedule for key deliverables, the schedule for the review of the LAR has changed. Enclosure 4 contains the updated project plan that was discussed during the meeting. The previous target for NRC rendering a decision on the LAR was November 2013. The new revised target for this milestone is March of 2014. Other milestones in the project plan have been updated to reflect the current schedule. Both the NRC and PG&E took an action to update the project plan as appropriate and to discuss the project plan at the next public meeting. The last version of the project plan that the NRC staff was using is available as part of an August 22, 2012, meeting summary (ADAMS Accession No. ML12242A256).
Docket Nos. 50-275 and 50-323
Enclosures:
1. List of attendees
2. Staff identified issues that are open
3. Staff identified issues that are closed
4. Project plan

cc w/encls: Distribution via Listserv
LIST OF ATTENDEES

NOVEMBER 28, 2012, TELECONFERENCE MEETING WITH PACIFIC GAS AND ELECTRIC COMPANY REGARDING DIGITAL UPGRADE FOR DIABLO CANYON POWER PLANT, UNIT NOS. 1 AND 2

DOCKET NOS. 50-275 AND 50-323

| NAME | ORGANIZATION |
|---|---|
| Ken Schrader | Pacific Gas and Electric |
| Scott Patterson | Pacific Gas and Electric |
| John Hefler | Altran |
| R. Lint | Altran |
| E. Quinn | Altran |
| G. Clarkson | Altran |
| J. Basso | Westinghouse |
| W. Odess-Gillet | Westinghouse |
| Roman Shaffer | Invensys/Triconex |
| Bill Kemper | Nuclear Regulatory Commission (NRC) |
| Rossnyev Alvarado | NRC |
| Shiattin Makor | NRC |
| Alan Wang | NRC |
| Steve Kane | AREVA |
| Gordon Clefton | Nuclear Energy Institute |

November 26, 2012 DCPP PPS Open Item Summary Table

Columns: No.; Src/RI; Issue Description and PG&E response; Status; RAI No. (Date Sent); RAI Response (Due Date); Comments

No. 21 (Src/RI: RA)
Issue Description: Westinghouse/CSI document 6116-00005, "Diablo Canyon PPS System Test Plan," states that the ALS-102 FPGA design is changed for the DCPPS System. Further, Section 5.3.3 states: "Test as many of the ALS-102 requirements as possible."
Please identify what document describes the design verification test for this board.
PG&E response: The documents that describe the design verification tests for the ALS-102 are 6116-70140, "Diablo Canyon PPS System Test Design Specification," submitted June 6, 2012, and 6116-10216, "Diablo Canyon PPS V&V Simulation Environment Specification" that will be placed on the SharePoint by December 14, 2012.
Status: Open
RAI No.: RAI 10, Not used (Hold until response is received)
Comments:
10-17-12 update (Alvarado): Westinghouse/ALS will submit the documents by 10/31/2012.
9-19-12 update (Alvarado): Waiting for ALS document to be submitted at the end of September.
6-13-12 update (Kemper): PG&E understands that they need to provide an update to this response. In the meantime, PG&E and ALS have provided 2 design specifications that will address this OI. These documents are placed on the PG&E SharePoint website. Doc. No. 6116-10740 was submitted on June 6, 2012, which describes ALS system test design specification. Doc. No. 6116-00005 was also submitted on June 6, 2012, which describes ALS system test plan. Doc. No. 6116-10216, ALS V&V Simulation Environment Specification, will be provided in the future.
3/21/12 update: PG&E has created a SharePoint website for NRC to review PPS design drawings that will address this issue. NRC staff will determine if they are needed to be submitted on the docket. PG&E will ensure the website information is only applicable to this licensing action.
NRC - the response provided does not address the question. 7/13/12 - rjs

No. 33 (Src/RI: RJS)
Issue Description: (ALS SQAP) Software tools are used extensively during the FPGA development process. The staff therefore considers these tools to be a key component to the assurance of quality in the ALS system development process. The ALS SQAP states that "no additional tools, techniques, or methodologies have been identified" for the ALS system. The staff considers the development tools, as well as the techniques and methodologies used during system development to be relevant to the assurance of quality for the ALS system. Please provide information on the tools, and methodologies used during system development to ensure quality of the ALS system products.
PG&E response: Westinghouse agrees that Section 8, Tools, Techniques, And Methodologies of the ALS QA Plan (6002-00001) should be revised to reference document 6002-00030, "ALS Design Tools." This document describes the tools used and how they are used in the design process. This document is also on the ALS docket. Westinghouse submitted a revision of the ALS QA Plan, Revision 9, on the ALS docket on October 31, 2012, that provides information on the tools and methodologies used.
Status: Open (Hold)
Comments:
Deleted RAI 10 pending review of revised response. Also decided to hold item open.
Item initiated on 6/5/12.
6-13-12 update (Kemper): W/ALS agrees with NRC's position on tools and will revise the document (Doc. No. 6002-00001) accordingly to address this matter.
Placed this item on hold pending review of revised QA plan.

No. 35 (Src/RI: RA)
Issue Description: Follow up of Item 21 - Software Test Plan. In the response provided for Item 21, PG&E explained that a new revision (Rev. 1) of ALS document No. 6116-00005 was provided. The scope of Revision 1 is slightly different from the scope described in Rev. 0. For example, Section 1.2 in both revisions states that test coverage includes all ALS modules, backplane, license sense modules (LSM), and ALS service unit (ATU). However Section 2, Test Items, for these revisions are different. Revision 1 only focuses on ALS-102 and backplane assemblies. This section does not include other ALS modules, LSM and ATU. Please explain why these other ALS modules are not included in section 2 of the new revision.
Further, Table 1-2 identifies "Diablo Canyon PPS Test Plan" as document No. 6116-00005, which is the same number as "Diablo Canyon PPS System Test Plan". Please clarify if this is referring to a different document.
PG&E Response: The scope of both revisions are the same. Revision 1 changes added more detail into the overall scope. The details are broken down into 2 main parts: 1 - The individual components, 2 - The System components. Both parts equal the entire ALS based Diablo Canyon system which includes all ALS modules, Backplane, ASU (incorrectly stated as ATU in the open item), LSM, ALS-102A1B specific to Diablo and full ALS sub system test which includes the testing of ALS slave cards required by the DCPP configuration.
The entry in Table 1-2 for the Diablo Canyon PPS Test Plan, 6116-00005 is the same document as Diablo Canyon PPS System Test Plan 6116-00005.
Status: Closed
RAI No.: NEW RAI

No. 38 (Src/RI: RA)
Issue Description: Software Management Plan. Section 2 of the PG&E "PPS Replacement Concept, Requirements, and Licensing Phase 1 Project Plan" does not describe the activities to be performed by the Engineering of Choice Design Change Package Team.
It is also not clear what the roles and responsibilities of this team are.
Please clarify and provide the applicable PG&E control document that describes PG&E roles and responsibilities specifically for the Engineering of Choice Design Change Package Team.
PG&E Response: The activity performed by the Engineering of Choice Design Change Package Team is to support PG&E in development of the design change package for the PPS Replacement. PG&E has a contract with an engineering company, currently Enercon Services, Inc., to be the "engineer of choice" to provide nuclear engineering services to PG&E. For individual scopes of work, PG&E develops a purchase request for the scope of work and a purchase order is issued to the engineering company that is the engineer of choice. When the engineer of choice is performing a design change package for Diablo Canyon Power Plant, the engineer of choice uses the PG&E Design Change Procedure, CF3.ID9, "Design Change Development" and PG&E performs an owner acceptance of the work using PG&E Procedure CF3.ID17, "Design and Analysis Documents Prepared by External Contractors."
Status: Closed
RAI No.: NEW RAI

No. 39 (Src/RI: RA)
Issue Description: Software Management Plan. Figure 2-1 of the PG&E "PPS Replacement Concept, Requirements, and Licensing Phase 1 Project Plan" and Figure 3-1 of the SyQAP identify Altran under the PG&E Project Engineering box. However, Figure 4-1 of the SyVVP identifies PG&E project team under the PG&E Project Engineering box. Please explain the role and responsibilities for Altran during the PPS Replacement Project.
Status: Closed
RAI No.: NEW RAI
PG&E Response:
09/17/2012:
1. The PPS Organization Chart shown in SyVVP Figure 4-1 is a simplified rendering of the organization charts in Project Plan Figure 2-1 and SyQAP Figure 3-1. The latter figures show an Altran Project Team under PG&E Project Engineering and a team of three PG&E individuals directly under PG&E Project Engineering.
The slight inconsistency between SyVVP Figure 4-1 and the other figures may be resolved thus:
[Figure: revised organization chart; legible labels: PG&E Project Engineering, Project Team, John Reinholdt, Kris J.]
2. Altran is acting as a subcontractor providing engineering support to the PG&E Project Team as shown above in the revised figure.
Altran supported LAR preparation and is providing continuing support through the LAR review process. Altran's work is governed by the Altran Engineering Procedures Manual. Documents submitted to PG&E are prepared in accordance with Altran EOP 3.3 (reports) and 5.4 (specifications). All Altran documents are verified in accordance with Altran EOP 3.4. In addition, PG&E accepts Altran documents under PG&E CF3.ID17 as noted in the Altran Verification Report.

No. 40 (Src/RI: RA)
Issue Description: Software Tools. In the ALS Progress Update 2012-08-01 provided to the staff, Westinghouse/CSI described that they are replacing Automated Test Environment (ATE) from IV&V credited tools with a LabView based ALS Board Test System (ABTS). Also, in this presentation, Westinghouse/CSI noted that they are performing additional IV&V and equipment qualification tools.
Since this information needs to be reflected in the software planning documents, please identify how these items will affect Westinghouse/ALS documents related to PPS replacement project. Also, identify what document will be revised to include description of these modifications.
PG&E Response: The ALS Design Tool 6002-00030 requires revision to replace the ATE with the ABTS. The revised ALS Design Tool, Revision 9, document was submitted by Westinghouse on October 31 that addresses the tools used.
Status: Open
Comments:
10/17/12 update: Westinghouse/ALS will submit the ALS Design Tools on 10/31/2012

No. 41 (Src/RI: RA)
Issue Description: Software V&V and Test Plan. Westinghouse/ALS document 6116-0005, section 8.2 identifies the software tools to be used in the PPS replacement project. However, this list is not consistent with the list of IV&V tools identified in Section 3.6 of ALS V&V Plan 6002-00003. Specifically, the test tools identified in 6002-00003 are not listed in 6116-00005 and vice versa. For example, the V&V Plan (6002-00003) identifies ATE tool for IV&V, but this tool is not listed in 6116-0005 Rev. 1. Furthermore, the staff reviewed 6116-0005 Rev. 0, and found that the ATE tool was listed in this version. Please clarify what software tools will be used and what document describes them.
PG&E Response: A new revision of the ALS V&V Plan 6002-00003 identifies the ABTS and the ISE as the IV&V test tools. This new revision is being docketed the week of September 3 on the ALS platform docket. The ATE is removed from the set of IV&V test tools. The tools listed in document DCPP PPS Test Plan 6116-00005 section 8.2 and the tools listed in DCPP PPS V&V Simulation Environment Specification, 6116-10216, (to be released by 30 September 2012) encompass the IV&V test tools in the new revision of the ALS V&V Plan, 6002-00003.
Status: Closed
RAI No.: NEW RAI

No. 42 (Src/RI: RA)
Issue Description: Software V&V. PG&E "PPS System Replacement System Verification and Validation Plan (SyVVP)" does not describe the V&V activities to be performed during the Operation Phase and Maintenance Phase. This document states that these activities are covered by approved DCPP procedures. Please identify these DCPP procedures.
PG&E Response:
Per the response to OI #28, control of the software modifications to the Tricon and ALS platforms once the PPS replacement project is completed, and the PPS is in the Operations and Maintenance phase, will be by the Process Protection System Replacement Software Configuration Management Plan, SCM 36-01, Revision 0, which was submitted as part of the Phase 2 document submittal on June 6, 2012, in Attachment 4 to the Enclosure of PG&E Letter DCL-12-050. Modification to the PPS Replacement components produced by the vendors, CS Innovations and Invensys Operations Management, will be performed by the vendors and verification and validation will be controlled by the vendor verification and validation plans created for the Diablo Canyon PPS Replacement (6116-00003 for CS Innovations and 993754-1-860 for Invensys Operations Management).
Status: Open
Comments:
9/17/12 update (Alvarado): during the conference call PG&E explained that modifications to the systems will be performed by the vendors.
PG&E will provide additional information on their plan to perform modifications to the PPS system during operation and maintenance.

No. 43 (Src/RI: RA)
Issue Description: Software V&V. PG&E "PPS System Replacement System Verification and Validation Plan (SyVVP)", Section 5.1.1, explains that during the Concept Phase, PG&E will verify system requirements in accordance with PG&E procedure CF2.ID9, "Software Quality Assurance for Software Development." However, Procedure CF2.ID9 is for in-house development of software applications.
Please explain how this procedure is going to be used for the PPS replacement project.
Further, Section 5.1.2 of the CF2.ID9 states that an independent review of the functional requirements prepared during the concept phase would be performed. The PG&E SyVVP does not identify this review, and thus there is no specific V&V product for this phase. Please identify who will perform this review and if this is considered a V&V product.
Status: Closed
RAI No.: NEW RAI
PG&E Response:
09/17/2012: Altran developed the PPS Replacement FRS during the Concept phase in accordance with Altran EOP 5.4, and verified it in accordance with Altran EOP 3.4. Altran used PG&E procedure CF3.ID16 for additional guidance. PG&E accepted the FRS under CF3.ID17, which constituted verification of system requirements. This was a design activity rather than a V&V activity and there is no specific V&V product for this phase.

No. 45 (Src/RI: RA)
Issue Description: Follow up of item 18 - Software V&V. RG 1.168 identifies five of the activities in IEEE Std. 1012-1998, Annex G, "Optional V&V Tasks," as being considered by the NRC staff to be necessary components of acceptable methods for meeting the requirements of Appendices A and B to 10 CFR Part 50 as applied to software. These tasks are:
1. Audits
2. Regression Analysis and Testing
3. Security Assessment
4. Test Evaluation
5. Evaluation of User Documentation

Westinghouse/ALS Document No. 6002-00003, "ALS V&V Plan" describes the following techniques for V&V: reviews, testing, traceability analysis, inspection/analysis, and IV&V regression (change) analysis. This plan does not include any of the optional V&V activities identified in IEEE Std. 1012-1998, Annex G. Please explain if these activities are performed.
PG&E Response: The DCPP V&V Plan has been revised to include these optional V&V tasks required by RG 1.168 to align with the new ALS V&V Plan for the Optional Tasks. The Diablo Canyon V&V Plan, Revision 1, was placed on the SharePoint on November 22 and will be submitted by December 7.
Status: Open
Comments:
10/17/12 update: Westinghouse/ALS will submit the DCPP V&V plan on 10/31/2012

No. 46 (Src/RI: RA)
Issue Description: Software V&V. Several sections in the Invensys Software Verification and Validation Plan (SVVP) reference "applicable Project Procedure Manual (PPM)" to perform certain activities. The reference section in this plan identifies PPM (Reference 2.4.4). It is not clear if the PPM is constituted by several procedures or if it is only one procedure. For example, Section 1.1, states the SVVP was prepared in accordance with PPM 7.0 (Ref. 2.4.4), and then Section 4 states that V&V activities will be planned and scheduled in accordance with the applicable PPM. Please describe what the PPM is, and explain how this is going to be used in the PPS replacement project.
PG&E Response:
The Project Procedures Manual (PPM) provides appropriate controls for project activities conducted at the Invensys Operations Management (Invensys) Lake Forest facility. These controls will ensure that all nuclear Class 1E projects (or non-1E projects where the customer has specified certain 1E requirements) processes, project activities, and project documents will meet the requirements of 10 CFR 50, Appendix B, 10 CFR Part 21 and the Invensys Quality Management System. This procedures manual provides specific controls for NAO as well as other Invensys organizations that perform nuclear safety-related system integration project activities. The PPM is a collection of different procedures, including referenced Forms, and is a controlled document.
Each PPM procedure is intended to implement key areas of project activities. Each procedure within the PPM is assigned a unique document number and title.
V&V activities during the PPS Replacement Project will be governed by several procedures within the PPM as defined in the SVVP document, Invensys document 993754-1-802. The SVVP will be revised to add the title of each procedure within the PPM where referenced in the SVVP. For example, in the SVVP, Section 1.1, where it states that, "the SVVP was prepared in accordance with PPM 7.0 (Ref. 2.4.4)," will be revised to state that "the SVVP was prepared in accordance with PPM 7.0, Application Program Development." The revised SVVP will be submitted by TBD.
Status: Closed
RAI No.: NEW RAI

No. 47 (Src/RI: RA)
Issue Description: Software V&V. Invensys Document No. 993754-1-802, "Software Verification and Validation Plan" requires the use of V&V metrics to evaluate software development process and products. This section does not explain what methods and criteria will be used for software safety metrics. This information is required by section B.3.1 of BTP 7-14, RG 1.152, RG 1.173 and IEEE Stds. 1061 and 1074. Also BTP 7-14 Section B.3.1.1.2. Please provide this information.
PG&E Response:
The V&V metrics are used during development of the PPS Replacement software that will reside/execute on the V10 Tricon portion. The V&V metrics measure the thoroughness of V&V reviews and testing efforts. These measurements yield data utilized to gain reasonable assurance that the design outputs are of high quality commensurate with the intended use in the PPS Replacement application. The V&V metrics methodology, utilizing a diversity of software measures, provides insight into the rigor of the PPS software development process. V&V uses three distinct metrics during PPS software development:
Software Quality Metrics: The purpose of these metrics is to measure software quality by tracking the number of defects found in the design outputs (e.g., design documents, software).
The method is to count and categorize defects found during V&V review of design outputs.
The acceptance criterion is that no technical defects remain at the end of the current phase to receive V&V recommendation to proceed to the next project phase. Any defects that cause the non-compliance with customer requirements and/or non-compliance with NRC guidance are considered technical defects.
V&V Effectiveness Metrics: The purpose of these metrics is to measure the effectiveness of V&V reviews by measuring the percentage of design outputs which V&V reviews or tests. The method determines the percentage of design outputs actually reviewed by V&V (which is meaningful for in-process design changes necessitating a change impact analysis, revisions to released design outputs, and a regression analysis). The Acceptance Criterion is that 100 percent of comprehensive or delta change reviews is achieved in the current phase to receive V&V recommendation of proceeding to the next project phase.
Software Safety Metrics: The purpose of these metrics is to assess whether software safety requirements are being met. Methods are to count software hazards found during V&V review or testing of design outputs and to confirm software hazard mitigation in each project phase, or, at a minimum, by the end of the project and approval at the completion of acceptance testing. The Acceptance Criterion is that all software hazards are mitigated by the end of the Test Phase to receive approval of the results of acceptance testing.
Status: Closed
RAI No.: NEW RAI

No. 48 (Src/RI: RA)
Issue Description: Software V&V. PG&E SyVVP, Section 6, requires that anomalies detected are identified, documented, and resolved during the V&V activities. This section states that anomaly reporting and resolution requirements are defined in the respective PG&E control procedures. Section 2 "Control Procedures" does not include a reference for an anomaly reporting procedure. Please identify the PG&E control procedure used for anomaly reporting.
Further, Section 7 of the SyVVP states that the PG&E authority responsible for approving deviations from SyVVP is the PG&E Project Manager, who will document his/her approval in a Change Notice or equivalent formal PG&E document. Please identify where the responsible PG&E authority will document its approval.
PG&E Response:
1. The PG&E control procedure for anomaly reporting is OM7.ID1, "Problem Identification and Resolution." This procedure governs the PPS replacement after it has been turned over to PG&E by the suppliers. The suppliers' anomaly reporting procedures are applicable prior to this turnover.
2. IN PROGRESS
Status: Open
Comments:
10/17/12 update: For item 2 - PG&E will revise the SyVVP and submit it on 11/30/2012
9/17/12 update (Alvarado): NRC staff received copies of OM7.ID1 and XI1.ID2. This addressed item 1 of this open item.

No. 49 (Src/RI: RA)
Issue Description: Software V&V. Invensys Document No. 993754-1-802, "Software Verification and Validation Plan", Section 6.3 states that the Invensys personnel prepared System Deficiency Integration Report (SDIR) to document non-conformances and corrective actions during testing; the SDIR is prepared in accordance with PPM 10.0. Please explain what PPM this is.
Further, the Invensys "Validation Test Plan", Section 5.4.2 states that the Test Review Board and PG&E shall review SDIRs, but this is not indicated in the Invensys V&V plan. Please explain why this review activity is not identified as a V&V task in the V&V Plan.
PG&E Response:
The PPM 10.0 procedure defines the process to control nonconforming items and identify appropriate corrective action for all nuclear application projects developed at the Invensys Operations Management (Invensys) Lake Forest facility. This procedure is intended to provide controls for nonconforming items and corrective actions related to project activities. As used in this procedure, the term "nonconformance" describes deficiencies in parts and materials (items), documentation, and/or deviations from stated requirements. This procedure addresses the identification, documentation, evaluation, and disposition of nonconforming items. This procedure also describes the corrective action process to be used for project-related issues where corrective action is warranted.
SVVP Section 5.2.2.2.1 4) stated that Nuclear IV&V shall generate and verify the system-level Validation Test Plan, 993754-1-813, in accordance with PPM 6.0 [Ref 2.4.4], in conjunction with IEEE 829-1983. The SVVP was developed in accordance with PPM 6.0, Test Control. In PPM 6.0, Test Control, it was stated that the Project Review Committee (PRC) shall review all test results for completeness, accuracy and acceptability. This review shall include all test documentation, e.g., the Test Procedures, the Test Logs, the System Integration Completion Checklist, the Test Report(s), and SIDRs.
Status: Closed
RAI No.: NEW RAI

No. 50 (Src/RI: RA)
Issue Description: Software V&V. The Invensys Validation test plan, Section 8.2, states that the Narrative Test Logs are used to document conduct of testing and any anomalies that occur. Please explain if this is only used during validation, and why this is not mentioned in the Invensys SVVP. Further, please explain how is this used in conjunction with Document Review Comment Sheet (DRCS) and System Deficiency Integration Report (SDIR)?
PG&E Response:
PPM 6.0, Test Control, defines the Test Logs. All test activities shall be recorded in a Test Log. The Test Log constitutes a continuous, hand-written journal of all test activities from the point of initial entry into the Test Procedure until the conclusion of all testing, including any required retesting. The Test Log shall include entries for sign-in and sign-out of all participating personnel, establishment of indicated prerequisites and initial conditions for testing, performance of testing and retesting, identification of problems, etc. The Test Log is intended to be a detailed journal of all testing activities sufficient to fully document the actual sequence of testing performed, the test results achieved and any problems that occurred, including their impact on test performance. The Test Log shall be reviewed by the PRC as part of its evaluation of the test results.
The Test Logs are independent and separate from the Document Review Comment Sheet (DRCS) and System Deficiency Integration Report (SIDR).
However, as a test narrative, the Test Log may identify the fact that a SIDR was generated as a result of test anomaly.
Status: Closed
RAI No.: NEW RAI

No. 51.1.a (Src/RI: RA)
Issue Description: Software Configuration Management
1. Configuration Process
a) In open item 4, the staff requested description of the software configuration management activities for configurable boards (e.g., ALS FPGA-102 board). Since the ALS FPGA-102 board is customer specific, its configuration management activities are not covered by "ALS Configuration Management Plan." Even though item 4 is closed, this request was not addressed in the response for item 4.
PG&E Response:
09/18/2012 ALS-102 Configuration: The FPGA installed on the ALS-102 board and therefore the ALS-102 board itself is specific to the PPS Protection set and the ALS subsystem in which it is installed. PG&E will not have the capability to alter the FPGA. Any change to the FPGA must be made by CS Innovations. Therefore, ALS-102 FPGA configuration management activities are covered by the ALS Configuration Management Plan. PG&E capability to change ALS-102 configuration will be limited to board-level replacement.
Status: Closed
RAI No.: NEW RAI
51.1.b RA Software Configuration Management
- 1. Configuration Process b) The PG&E SCM 36-01, item 1.2.8, states that ALS board has two sets of NVRAM. Further, it explains that the configuration of the NVRAM can be changed only by removing the subject board from the ALS chassis and inserting it into a special test fixture. It is not clear who will control this process and configuration of the NVRAM.
Please explain.
Status: Closed; RAI No.: New RAI
PG&E Response:
09/18/2012 ALS I/O boards are generic; that is, each board is configured using its NVRAM for the specific function it is to perform. This activity is described in SCM 36-01 Section 1.2.8, which states that the configuration of the NVRAM is changed by removing the subject board from the ALS chassis and inserting it into a special test fixture. This would be performed as part of a maintenance activity, such as replacing a failed board. If the functionality of an I/O board required modification as a result of an application change, all required NVRAM configuration alterations would be performed by CS Innovations under their ALS Configuration Management Plan.
As with the ALS-102 FPGA discussed above, PG&E will not have the capability to alter the NVRAM configuration itself. PG&E capability to change the NVRAM configuration for a specific I/O board will be limited to loading NVRAM images that are under CS Innovations configuration control and that have been previously verified and validated at the system level by CS Innovations.
Configuring the NVRAM in order to replace an I/O board will be performed by PG&E under an approved plant maintenance procedure.
51.1.c Software Configuration Management
- 1. Configuration Process c) Section 1.2 of the Invensys Document No. 993754-1-909, "Software Configuration Management Plan," states that this plan controls operating system of the computers used to run TriStation 1131 and the Signal simulation software used for testing purpose. However, the description provided throughout the plan only focuses on the configuration activities for the TSAP (e.g., Section 2.3 states that the SCM procedures are for the TSAP). Further, this same section (later on) identifies the software configuration to be managed, and this list does not include operating system of the computers used to run TriStation 1131 and the Signal simulation software used for testing purpose. Please clarify the scope of this plan.
PG&E Response:
09/18/2012 There was no intent for the SCMP to do more than track the revision of Commercial Off The Shelf (COTS) software. In this case "Control" is defined as tracking the revision levels such that they are recorded on the project Master Configuration List, Invensys project document 993754-1-803.
On page 7 of the SCMP, under "Limitations," it states, in part, that the revision levels of this type of software will be tracked.
Status: Closed; RAI No.: New RAI
51.2 Software Configuration Management
- 2. Organization The organization and responsibilities described in Section 4 of CF2.ID2 is not consistent with the information presented in Section 2 of SCMP 36-01.
For example, Section 2 of SCMP 36-01 identifies system coordinator, application sponsor, and system team, who are not identified in Section 4 of CF2.ID2. Further these descriptions are not identified in the project organization described in PG&E PPS Replacement Plan (Attachment 3 of the LAR). Please clarify the roles and responsibilities for SCM, and provide a cross reference of the PG&E organizations described in these documents.
Status: Open
Comments: 10/17/12 update: ... address several open items
PG&E Response: [IN PROGRESS]
51.3.a Software Configuration Management
- 3. Changes and Problems Identification a) PG&E SCMP36-01 states that software, hardware, and configuration problems are reported in accordance with PG&E OM7.ID1 and that software and/or configuration problems are reported via a PROG POCM Notification. Please clarify when and how these are used. For example, for software problems does one have to report the problem using both PG&E OM7.ID1 and PROG POCM Notification. Note that PG&E CF2.ID2 states that all problems associated with plant computer system should be reported and documented per OM7.ID1 (See section 5.11 and 5.16.10 (b) of CF2.ID2).
Further, Section 3.2.1 states that all PPS modifications should be initiated and tracked per plant procedures or CF4.ID1. Section 3.2.2 states that the implementation of the change is documented in the associated Change Package and a SAP notification and order. And Section 3.2.10 states that all identified problems and corrective actions using a notification, which is not specified.
So should software modifications require reporting and tracking using OM7.ID1, CF4.ID1, PROG POCM Notification, Change Package, and SAP Order?
Please explain PG&E procedures for different changes and the documenting and tracking system used for all types of modification.
Status: Open
Comments: 10/17/12 update: PG&E will revise the SCMP to address several open items
PG&E Response: [IN PROGRESS]
51.3.b Software Configuration Management
Status: OPEN
- 3. Changes and Problems Identification b) Please clarify the means to track changes. Section 3.2.4.7 of the SCM 36-01 states that this is done using a SAP order, but Section 3.2.4.7 states that Change Package and SAP order are entered in the Record Management System, and Section 3.3 describes a Configuration Status Account, which is used to track changes of configuration items.
PG&E Response: The means to track changes is the SAP order. The Record Management System is the system used at Diablo Canyon to store and allow retrieval of documents to meet 10 CFR 50 Appendix B quality assurance requirements. Completed Change Packages and SAP orders are entered into the Record Management System for storage and to allow later retrieval.
51.4.a Software Configuration Management
Status: OPEN
- 4. Document Repository
- a. SCM 36-01, Section 2.3.3 identifies the Digital Systems Engineering SourceSafe as the repository, but Section 3.2.5.5 identifies http://dcpp142/idmws/home/asp, and Section 3.29 states that the files necessary for recovery of the baseline are maintained in the PPS database in SC-I-36M, "Eagle 21 Tunable Constants." It is not clear if these two sections are referring to the same document repository or if it is the same. Please clarify.
PG&E Response: [IN PROGRESS]
51.4 Software Configuration Management
Status: OPEN
- 4. Document Repository
- b. PG&E has implemented restrictions to access files and documents associated with PPS replacement project. Further, PG&E requires user authentication and access to edit configuration, software, and data. It is not clear if these restrictions apply for access to the Digital Systems Engineering SourceSafe or the repository in http://dcpp142/idmws/home/asp
PG&E Response: [IN PROGRESS]
52 RJS NSIR Security:
PG&E stated in its letters DCL-11-123 and DCL-11-104 that the PPS replacement will be fully compliant with the 10 CFR 73.54 cyber security requirements, including RG 5.71, Revision 0, "Cyber Security Programs for Nuclear Facilities," dated January 2010, and is being reviewed to comply with 10 CFR 50.73, the DCPP Cyber Security Plan, and NEI 08-09, "Cyber Security Plan for Nuclear Power Reactors," Revision 6, dated April 2010.
The cyber security program that PG&E is implementing per its NRC approved cyber security plan includes provisions applicable to all phases of a system's life cycle, including the digital upgrade or modification of critical digital assets.
Please explain how the provisions outlined in the PG&E's NRC-approved cyber security plan were considered, and/or implemented, as part of the PPS replacement. The provided explanations should include how all of the management, operational, and technical security controls contained within the plan, especially security controls associated with Configuration Management and System and Service Acquisition, are being addressed.
The provided explanations should also include any issues associated with partial implementation of the PPS replacement and full implementation of the cyber security plan for the site, and processes to identify and resolve any such issues.
Status: OPEN
PG&E Response:
The Cyber Security program manager and other members of the CSAT (Cyber Security Assessment team) met with the Process Protection System (PPS) Upgrade design engineer beginning in 2011. Many options were discussed.
The Cyber Security program manager and project manager have met with the procurement group to discuss cyber security principles that should be written into the procurement procedures, and what steps will help to ensure a secure supply chain.
The Cyber Security Assessment Team (CSAT) was formed in accordance with section 3.1.2 of the cyber security plan, and Milestone a, on 10/31/2011. A list of critical digital systems and assets was created in accordance with section 3.1.3 of the cyber security plan and Milestone b on 10/31/2011. The CSAT looked at scheduled digital upgrades, and added the future equipment to the list of critical digital systems. The CSAT determined the PPS equipment will be a critical system, with several CDAs.
From July 9-12, 2012, the cyber security project manager accompanied members of the Quality Verification group to examine the design and production facilities of Invensys, and examined the code production practices and the development environment, and determined that Invensys has an SDE, and ensures their employees are reliable and trustworthy.
Activities planned for the future.
In December of 2012, the network that the PPS will eventually reside on will be isolated from internet connected networks by a deterministic network device, per milestone c of the DCPP Cyber Security Plan. Thus many network attacks, including many that depend on a back door created by a vendor, will not be possible.
Also by December of 2012, DCPP will have taken steps to lessen the likelihood of an attack initiated by a portable electronic device, or portable media such as a thumb drive per Milestone d, and section D 1.19 of NEI 08-09. This will mitigate portable media based attacks that depend on a back door created by a vendor.
The DCPP Cyber Security Team will interface with NUPIC (Nuclear Procurement Issues Committee) and the NEI/NITSL counterfeit parts task force to address digital equipment supply chain security.
The Cyber Security Implementation Project Manager has developed a detailed project plan, with several tasks and schedules. Several existing plant procedures will be revised. The PPS will inherit the controls implemented by these procedures. Many of the procedures will have been changed/created before the PPS is installed.
The CSAT is collecting design information as it becomes available. The collected design documentation is being reviewed as it is collected. The collected documentation will be reviewed in a formal desktop evaluation per the cyber security plan, section 3.1.5 prior to the PPS installation. The test set up in the offsite test lab near the plant will be visited on occasion by the CSAT, the system will be walked down repeatedly during installation, and the final walkdown will be performed when the system is ready to return to operations, per section 3.1.5 of the security plan.
The CSAT will make recommendations to enhance the cyber security posture of the PPS upgrade throughout the project, and will make their final recommendations after the system walkdown, per section 3.1.6 of the cyber security plan.
Disposition of all controls will be documented in the cyber security assessment tool, CyberWiz. Recommended mitigation will be documented in CyberWiz, and the Corrective Action Program.
55 WEK PG&E Letter DCL-12-050, Phase 2 Documents, Attachment 2 FSAR Changes, FSAR Section 7.1.2.5, Conformance With Other Applicable Documents (page 7.1-13) does not indicate the NRC Safety Evaluation that will be produced to approve the PPS. The staff's SER should become part of the DCPP Unit 1 & 2 licensing basis once it is issued. How will this be documented within the FSAR?
Status: Closed
Comments: Acceptable response. Send this as an RAI so that the issue does not get lost.
PG&E Response: Reference to the staff SER will be included in FSAR Section 7.2.1.1.6 for the reactor trip portion of the process protection system and to Section 7.3.1.1.4.1 for the engineered safety features actuation system portion of the process protection system.
56 WEK PG&E Letter DCL-12-050, Phase 2 Documents, Attachment 2 FSAR Changes, FSAR Section x.x.x.x, (page 7.2-23) states that the evaluation for the common mode failure in the PPS is presented in References 37 [DCPP PPS D3 LTR] and approved in Reference 38 [the staff's SER approving the DCPP PPS D3 LTR]. However, it is noted that in the staff's SER it was stated in several sections that the D3 design features were approved based on "... confirmation that the proposed built-in diversity of the ALS sub-system is found to be acceptable." This confirmation will be provided in the DCPP PPS SER, therefore, the staff's SER should also be referenced in this section.
Status: Closed
Comments: Acceptable response. Send this as an RAI so that the issue does not get lost.
PG&E Response: Reference to the staff SER for LAR 11-07 will be included in FSAR Section 7.2.2.1.2 in addition to the staff SER for the DCPP D3 LTR
57 WEK PG&E Letter DCL-12-050, Phase 2 Documents, Attachment 2 FSAR Changes, FSAR Section 7.2.2.9.2, IEEE 603-1991 Clause 5, Clause 5.12 (page 12) states that "... the communication path between the maintenance workstation and the ALS subsystem is normally disabled with a hardwired switch..." Also, Attachment 3, PG&E PPS Interface Requirements Specification (IRS), Rev.6 to PG&E Letter DCL-12-069 dated August 2, 2012 states in section 1.5.6 "... TAB communications between the ALS and MWS takes place via RS-485 data link. The TAB is physically disconnected from the MWS when the TAB is not in use.... the TAB is open at all times unless maintenance is being performed on the ALS." Please identify administrative controls and design features associated with the PPS that explains how the MWS is disconnected/disabled from the PPS (i.e., a means of physical cable disconnect, or a safety-qualified hardware switch that either physically opens the data transmission circuit or interrupts the connection by means of hardwired logic. "Hardwired logic" as used here refers to circuitry that physically interrupts the flow of information, such as an electronic AND gate circuit (that does not use software or firmware) with one input controlled by the hardware switch and the other connected to the information source: the information appears at the output of the gate only when the switch is in a position that applies a "TRUE" or "1" at the input to which it is connected. Provisions that rely on software to effect the disconnection are not acceptable. It is noted that software may be used in the safety system or in the workstation to accommodate the effects of the open circuit or for status logging or other purposes) that demonstrate how this hardwired switch disconnects the ALS maintenance workstation from the ALS safety processor.
Status: Closed
Comments: Acceptable response. Send this as an RAI so that the issue does not get lost.
PG&E Response: For the ALS subsystem, instead of using a hardwire keyswitch, the ALS subsystem will be administratively controlled by physically disconnecting the communication link to the ALS MWS computer when the Test ALS Bus (TAB) is not being used for surveillance testing, maintenance, and trouble-shooting. This is a PPS replacement design change described in the response to NRC request for additional information in PG&E letter DCL-12-083 and will be included in a supplement to LAR 11-07.
58 RJS ALS FMEA - There are several failure modes identified in Table 4-4 of the FMEA where the System Effects entry provides a description of functions that are not affected by the failure mode instead of stating what the effects of the failure mode are. For example, the System Effects in the ETT failure in line 5b of table 4-4 are that the Alarm Function remains operational.
Though this may be the case, it does not state what the effects of the failure mode are. Examples of this can be found in lines 5b, 6a, 6b, 7a, 9h, 9i, 11 b, 11c, and 11d.
Status: Close; RAI No.: New RAI
Comments: 10/19/12: If I understand the PG&E response correctly, these system effects are being evaluated within the context of the local effects that are also provided in the FMEA. Application specific compensating features that influence the systematic effects of these failure modes are thus accounted for within the analysis. Agree to close but would like the PGE response on record. Need RAI.
PG&E Response:
The System Effects entry does describe the functions that are affected by the failure mode. This entry must be read in the context of the entire FMEA table row. For example, the cited row for ETT failure in line 5b discusses the effects of failures of the ALS-402-1 digital output board which sends Alarm Signals to other systems. In the case of Energize to Trip outputs (ETT) a stuck open output channel will prevent the core A rack from being able to actuate the Alarm (in this case a specific instance of an ETT Alarm is cited, the "Containment Pressure in Test Alarm"). However, due to the compensating features, which in this case is the redundant implementation of the function in the core B rack, the System Effect is that the Alarm function remains operational. A similar reading applies to the other examples cited.
59 RJS ALS FMEA - Some of the identified failure modes of the ALS system are detectable only by operator observations, or by means that are not necessarily performed during routine operation or during surveillance testing. See lines 10c, and 12a. What measures will be implemented to ensure that these failure modes would not occur and remain undetected for an indefinite period of time?
It is the staff's understanding that all failure modes which are not detectable through normal means such as surveillance tests or channel checks would need to be considered present for the purpose of satisfying single failure criteria for the system.
Status: Closed; RAI No.: N/A
Comments: 10/19/12 - Response accepted.
PG&E Response:
Surveillance testing includes visual inspection of the equipment in addition to the specified test cases that demonstrate functionality. Therefore, those failure modes that are detected by operator observations will be detected as part of the surveillance test. IEEE Std 379-2000 defines detectable failures as those failures that can be identified through periodic testing or that can be revealed by alarm or anomalous indication. Therefore, such failures do not need to be considered to be present for purposes of evaluating single failure criterion compliance.
The specific cases cited are clear examples. Line 10c discusses failures of the local partial trip indicators. Failures of the indicators do not affect the actual trip function. During the test the technician uses the indicators to confirm that the trip action occurs at the appropriate threshold. Thus the act of observation of the failure during surveillance testing is assured. Line 12a discusses failure of the serial link used for continuous monitoring of the ALS health. Failure of this link does not affect the safety functions of the rack, but would be immediately obvious at the workstation used to do the monitoring.
This workstation is used in surveillance testing.
60 RJS Technical Specifications:
In order for the staff to make a determination that the existing technical specifications and surveillance intervals remain acceptable for the replacement PPS system, an evaluation to compare the ALS/Tricon PPS system reliability and performance characteristics with those of the Eagle 21 system must be performed.
Please provide an evaluation summary report to support the application of existing technical specification and surveillance test intervals to the upgraded ALS/Tricon based PPS system. This report is expected to include a quantitative analysis to demonstrate the new system's ability to perform its required safety functions between established surveillance intervals as well as a qualitative (i.e., deterministic) analysis which cites the self diagnosis and fault detection features of the replacement PPS. The report should address the staff's previous findings in Section 4.3, "Applicability of WCAPs to DCPP," of Amendment No. 179, dated January 31, 2005 (ML050330315).
Status: Open; RAI No.: New RAI
PG&E Response: An evaluation summary report to support application of the existing TS and TS surveillance test intervals will be provided by January 31, 2013.
ALS provided Revision 7 of its V&V plan (6002-00003). This revision provides a mapping and alignment with IEEE Std 1012-1998. This now causes a misalignment with the DCPP V&V Plan, 6116-00003. Thus, the DCPP V&V Plan will need to be revised. Please identify when this new revision will be submitted.
Status: Open
PG&E Response:
The DCPP V&V Plan, Revision 1 has been created to provide consistency with the ALS V&V Plan. The Diablo Canyon V&V Plan, Revision 1, was placed on the Sharepoint on November 22 and will be submitted by December 7.
62 RA Software Management Plan:
Revision 2 of the ALS "Diablo Canyon PPS Management Plan," 6116-0000, Section 2.1 and 2.2, defines the project organization. As described in guidance documents BTP 7-14 and NUREG/CR-6101, licensees need to describe the management aspects of the software development process.
Please clarify the following:
- 1. The description provided in this section does not align with the organization structure provided in Figure 2-1. The description provided is not clear. For example, the bulleted list identifies "Scottsdale Operations Director", but then the 1st paragraph refers to Scottsdale Operations Director and ALS Platform & System Director. It is not clear if this is the title for one person or for two. Further, Figure 2-1 does not identify the ALS Platform & System Director, if this role is performed by a separated individual. Please clarify this.
- 2. This section states that ALS V&V Plan provide information and the interface between the IV&V team and the PPS replacement project. It is not clear why the ALS V&V plan will provide this information, since the ALS V&V plan is for the generic platform. Please clarify what document contains this information.
- 3. This section states that the WEC Project Manager is responsible for the commercial process interface with PG&E. However, this role is not listed in the bulleted item list and not identified in Figure 2-1. Please clarify this role.
- 4. Figure 2-1 identifies a QA Manager, but this section only describes the QA Lead. Please describe the role and responsibility for the QA Manager.
- 5. Section 4.1, Planning Stage, mentions a "Project Leadership Team," which is not described in Section 2. Please explain the role and responsibilities for this team.
Status: Open
PG&E Response: To address item 1, the Diablo Canyon PPS Management Plan, Revision 3, clarifies in Section 3 the organization details. To address Item 2, the Diablo Canyon IV&V Plan, Revision 1, provides information on the interface between the IV&V team and the PPS replacement project. To address items 3 to 5, the Diablo Canyon PPS Management Plan, Revision 3, clarifies in Section 3 the WEC Customer Project Manager is responsible for the commercial process interface with PG&E, the roles and responsibilities of the QA Manager, and the roles and responsibilities of the Project Leadership Team. The Diablo Canyon PPS Management Plan, Revision 3, was placed on the Sharepoint on November 15 and will be submitted by December 7. The Diablo Canyon V&V Plan, Revision 1, was placed on the Sharepoint on November 22 and will be submitted by December 7.
63 RA Software Management Plan:
Revision 2 of the ALS "Diablo Canyon PPS Management Plan," 6116-0000, Section 4.1, Planning Stage, identifies that deliverables from this phase are approved by the "Managerial Review Board." However, this document does not identify the role and responsibilities for this board. Furthermore, the ALS PPS V&V Plan, 6116-00003, Rev. 0 states that IV&V will review the planning stage documents. Please clarify the person/team responsible for this review and their role and responsibilities.
Status: Open
PG&E Response:
The Managerial Review Board review and the IV&V reviews are two different reviews. The Managerial Review Board gives the final "exit criteria" approval for both the Planning and Development Stages; this Managerial Review Board approval is required for entrance into the next subsequent stage. Their role is clarified in the "exit criteria" details included in Section 4.1's Planning Stage and Development Stage sub-sections. The IV&V team also reviews the planning stage documents according to the criteria in the V&V Plan. Additional details have been added to the Management Plan. The Diablo Canyon PPS Management Plan, Revision 3, was placed on the Sharepoint on November 15 and will be submitted by December 7.
64 RA Software Management Plan
To close Items 27 and 29, PG&E issued the DCPPS Project Quality Assurance Plan to define the oversight activities to be performed during the PPS replacement project. Section 2 of this plan describes the responsibilities of those involved in oversight activities. However, it is not clear how these roles and responsibilities correlate to the project organization described in PG&E PPS Replacement Plan (Attachment 3 of the LAR) and PG&E PPS Replacement System Quality Assurance Plan (Attachment 4 of the LAR). For example, the Project Quality Assurance Plan describes the responsibilities of the PPS replacement Project Manager, but this role is not described in other documents. Further, the responsibility described seems to align with the responsibility of the PG&E Project Manager. Please explain the relationship, if any, of the roles and responsibilities described in the DCPPS Project Quality Assurance Plan and those provided in other PG&E plans.
Status: Closed; RAI No.: New RAI
PG&E Response: The "Quality Assurance Plan for Diablo Canyon Process Protection System Replacement" (referred to as the "Project Quality Plan" in response to OIs 27 and 29) was a project specific document created by the Quality Verification group (a Quality Assurance organization) to identify the Quality Assurance tasks to be performed by the Quality Verification group for the project. The "Quality Assurance Plan for Diablo Canyon Process Protection System Replacement" provides the specific plan to be used by the "Supervisor Project QA" identified in Section 3.5.1 (page 19) of the SyQAP and the "Project QA Engineer or Equivalent" identified in Section 3.5.8 of the SyQAP to provide PG&E quality oversight for the project which in part supports meeting 10 CFR 50 appendix B quality assurance requirements for the project.
The "Supervisor Project QA" is not identified in the PPS Replacement Project Plan Figure 2-1 (PPS Replacement Project Organization) because they are not part of the Project Organization, but instead provide independent quality assurance oversight of the Project Organization.
Section 6.1, "System Quality Assurance Plan (SyQAP)," of the PPS Replacement Project Plan discusses the SyQAP, which in turn references the "Supervisor Project QA" in Section 3.5.1 (page 19) and the "Project QA Engineer or Equivalent" in Section 3.5.8 to provide PG&E quality oversight for the project.
65 RJS KVM Switch Questions:
See Attachment 3
Status: Open
PG&E Response:
See Attachment 3
66 WEK Section 4.2.13.1 of the LAR (page 85) states: "... The NetOptics Model PA CU/PAD-CU1 PA-CU port aggregator network tap was approved previously by NRC for a similar application in the Oconee RPS SER Section 3.1.1.4.3 [18]. The NRC staff determined that due to the electrical isolation provided by use of fiber optic cables and the data isolation provided by the Port Tap and the Maintenance and Service Interface (MSI) in the Oconee RPS, there was reasonable assurance that a fault or failure within the Oconee Gateway computer or the Operator Aid Computer will not adversely affect the ability of the Oconee RPS to accomplish its safety functions."
In section 3.1.1.5.2.1 of the Oconee SER, the staff approved The NetOptics aggregator Port Tap, Model 96443, No. PA-CU, as a device intended to allow monitoring of a full duplex 10/100BaseT Ethernet communication link by copying the communications and sending that copied communications to a one-way simplex communications link. Due to the importance of this one-way communications path functioning properly, the NRC staff performed a detailed review of the design aspect of this one-way communications path.
Circuit diagrams on the device itself indicated that the communications using Port C (Port 1 in the case of DCPP PPS application) may be capable of two-way communications. Since the original review of Model 96443, part No. PAD-CU Port Tap required NRC staff examination of actual schematic drawings of the circuitry to determine that there was no inbound communications path associated with Port C (Port 1 for the PPS), a similar schematic review for any replacement or updated model of the Port Tap must be evaluated in the same manner (by the licensee) to determine the manner in which it is being used and configured are acceptable, and that do not invalidate the conclusion of this SE that use of the Port Tap provides adequate data isolation between the Gateway computer and the digital RPS/ESPS. The Port Tap approved for Oconee was model 96443 PA-CU.
Please provide the model number of the Port Tap being used in the DCPP PPS.
Status: New
PG&E Response: The PPS Replacement application will use the NetOptics PA-CU network port aggregator tap, in accordance with the Triconex V10 SER page 76 line 24. The designation 96443 is not part of the information that is requested to be verified and does not appear to have any significance with respect to NetOptics model numbers.
67 WEK Section 4.2.13.1 of the DCPP PPS LAR (pg. 85) states, "Port aggregator dual in-line package (DIP) switch positions will be controlled by DCPP configuration management processes."
Status: NEW
Please provide a documented basis (e.g., a plant procedure, or engineering design package) that demonstrates how this will be controlled.
PG&E Response: The Port aggregator DIP switch positions will be controlled by a plant procedure or plan. The plant procedure or plan will be developed as part of the design change for installation of the PPS replacement after NRC approval of the LAR.
68 WEK Please provide a detailed functional description of the DCPP PPS NSR Gateway Computer(s) system; including computers/processors, communications protocols, and data isolation details. Or, please indicate where this information is explained within the LAR and supporting documents. Also, please provide a detailed explanation of the Gateway Switch discussed within the LAR; including its operating principle (hardware, logic based, etc.), data/electrical isolation design features, and any other pertinent information pertaining to its failure mechanisms.
Status: NEW
PG&E Response: The DCPP Gateway computer and Gateway switch are part of an existing system that was installed by a previous project, and therefore were not included in the scope of the changes requested for approval in the LAR. Communications from the Gateway Switch to the Tricon are functionally isolated by the Triconex Communication Module (TCM) and the One Way Link (OWL) implemented by the NetOptics Model PA-CU Network Port Aggregator Tap discussed in Tricon V10 SER Section 3.7.2.1. A fiberoptic data link provides electrical isolation.
The NetOptics PA-CU Network Port Aggregator Tap was approved for this use in the Oconee RPS SER. The PA-CU prevents inbound communications from external devices or systems connected to Port 1 of the Port Aggregator from being sent to interactive Ports A and B. The Oconee SER described the methods they used to verify that Aggregator Port 1 provides one way outbound communications only. As a transmit only device, it does not listen to and is not affected by the communications protocol (or lack thereof) of the external device or system to which it is connected.
The ability of the OWL to prevent inbound communications to the Tricon from Port Aggregator Port 1 will be verified at the Tricon V10 FAT and the SAT as previously stated in PG&E Letter DCL-12-083 dated September 11, 2012.
69 WEK Please provide a detailed explanation of the application programs contained within the Tricon and ALS MWS computers; including how they will be used to enhance the performance of the PPS safety systems, provide required maintenance, surveillance, etc. Or, please indicate where this information is explained within the LAR and supporting documents.
Status: NEW
PG&E Response: IN PROGRESS
70 WEK KVM Switch Question 1:
If the Enumerated USB switching function is used, will you be able to use the Keyboard hotkeys and mouse buttons to perform switching?
The brochure seems to indicate on page 3 that the Enumeration switching process will not enable control switching using the USB keyboard or mouse. However, it further says that Emulation USB switching was developed to support these enhanced monitor switching functions/devices (keyboard hotkeys or mouse buttons)....
Albeit, other USB devices (e.g., printer) do not need to use the Emulated USB switching function. Could you please clarify this point.
Status: Open
Comments: Response Okay.
PG&E Response:
The USB1 and USB2 ports, which use enumerated switching, pass data straight through the KVM switch without interpretation. Therefore, you cannot connect a keyboard to USB1 or USB2 and use the hotkeys to perform switching, and USB1 and USB2 traffic cannot cause an inadvertent switch. The block diagram shows the output of the emulated portion of the switch and the enumerated portion going to a USB hub before being sent to the computer. The keyboard and mouse will use the emulated switching function, not the enumerated switching function; only the keyboard and mouse can control the switch.
71 WEK KVM Switch Question 2:
Will the KVM switch be on-line 24-7 monitoring data from either the Tricon or the ALS platform? If so, what can we say about the failure modes of the KVM switch? Can it fail in such a manner so as to inject faults into the MWS computers, and hence into the Tricon or ALS safety system processors? If not, why? If so, what can be done to circumvent this problem, and show conformance with ISG-04, Points 10 & 11? We will need to cover this matter in the SER.
Status: Open
10-17-12 Update:
Note: "IRS" is the Interface Requirements Specification (Attachment 8 of the LAR).
10-17-12 Update: Response below did not answer the question regarding failure modes of the KVM switch... agree that it is Okay to lose the Tricon but I do not see how the ALS is protected due to its "inherent 1-way communications" design. Please explain this further.
PG&E Response:
The KVM switch will be on-line 24-7 for monitoring data from either the Tricon or ALS platform via the respective MWS computers. There is additional isolation because the ALS communicates strictly one way to its MWS except when TAB communications are enabled by connecting the TAB cable. Connection of the TAB is performed as directed by trained technician using an approved procedure. Therefore, if the KVM switch failed in some way to connect the two MWS together, the ALS would not be affected. The Tricon might be affected, but the D3 analysis allows the Tricon to fail due to CCF. The following paragraphs have been added to the IRS Section 2.3.7:
- b. The KVM switch shall permit only connections between a single computer and the selected video display and HMI interface devices. Connection between the computers shall not be permitted.
- g. The AV4PRO-VGA KVM switch shall utilize the default switching mode, in which the video display, keyboard and mouse and the enumerated USB ports are all switched simultaneously.
Paragraph g was necessary to prevent the enumerated ports from being switched separately from the KVM.
72 WEK KVM Switch Question 3:
Also, you will likely need to address how you will disable the features you are not using such as the audio interface, unused USB ports, remote control/channel switching by external control from an SDOE perspective, and probably a cyber security perspective later on (after SER).
Status: Open
10-17-12 Update: The methods used to block Ports in the KVM Switch must be addressed in the LAR revision. Block all unused Ports and keep any that may need to be reopened under design or configuration control.
Again, we need a detailed explanation of how this 1-way design feature will prevent the KVM switch failures from affecting the ALS system.
PG&E Response:
Specific answers to these questions depend on the detailed design. Ports can be physically blocked, which might be appropriate for unused computer ports and the audio ports. It might not be appropriate for the unused USB port (which may be needed for a future printer) and the options port (which may be needed for firmware updates). Remote control switching or firmware update requires a custom serial cable. The firmware update requires specialized software on the computer being used to perform the update. Firmware update will be done by procedure. The MWS will be inside a locked cabinet inside a vital area inside the protected area.
Inadvertent actions, while not impossible, will not be easy. If the switch is somehow manipulated, the ALS will not be affected even if the KVM switch fails because the ALS communicates only one-way with the MWS except for short periods when the TAB is enabled.
PG&E will physically block the audio port and will install a removable block in unused USB port 2. This will be verified at SAT and controlled thereafter by the SCMP.
73 WEK KVM Switch Question 4:
If the KVM switch does fail in some manner allowing data flows between the two platforms, then the ALS system would not be affected because the ALS platform will only transmit data in one direction to its MWS (with the TAB cable disconnected of course).
This is good, however, the LAR (or attachments) need to explain how the engineering design principles of the ALS platform physically prevent bad/erroneous data from corrupting the ALS platform. In other words, explain how these messages emanating from the MWS (regardless of origin) will be disregarded/rejected by the ALS platform thus allowing only one direction of data flow.
10-17-12 Update:
The ALS-102 Design Specification document 6002-10202 has not yet been submitted to the NRC. When will it be submitted?? Will this EIA-422 (or is it RS-422 per Fig. 4-13 in the LAR) communication link (twisted pair copper wire) also serve as the 1E/non 1E isolation devices as required by IEEE 603, Clause 5.6.3 and IEEE 7-4.3.2, Clause 5.6?? Please clarify.
Status: Open
10-17-12 Update:
Note: there is a typo in section 2.4.13.5 on page 90 of the LAR. The first paragraph references ALS doc. 6002-61202 (typo) as the document that explains how the EIA-422 communication channels on the ALS-102 are electrically isolated and inherently 1-way communications capability only. The document 6002-10202, in reference 94 is the correct document.
PG&E Response:
The design of the TxB1 and TxB2 data communication paths from the ALS 102 Core Logic Board and the Gateway Switch and MWS, respectively, are EIA-422 communication links in which Receive capability is physically disabled by hardware as described in 6002-102002, the ALS-102 Design Specification. The receiver is configured such that the transmit data is looped back for channel integrity testing. The ALS-102 is physically and electrically incapable of receiving information from outside the ALS-102.
Therefore, messages are not disregarded or rejected by the ALS-102. This is better than a "broken wire." The wire just isn't there, and there is no place to connect a wire if someone wanted to do so.
74 WEK KVM Switch Question 5:
Please explain in detail how "Connection between the computers shall not be permitted." Will this be handled via a configuration control process, administrative controls, or a physical means of preventing connection between computers?
Status: Open
10-17-12 Update:
Response is Okay, but the LAR revision will need to expand further on this matter to explain how these controls will provide this protection.
PG&E Response:
This section was intended to be a functional requirement for the KVM switch. Administrative and configuration controls will prevent inadvertent loading of an EPROM image that could corrupt operation of the KVM switch. If the KVM switch fails and connects the ALS and Tricon MWS together, the above-described physical and electrical restrictions of the KVM switch will prevent the ALS from being corrupted by its MWS computer.
75 RJS/NSIR ALS Security Plan Document 6002-00006 references the CS Innovations Cyber security plan document (Reference 7) which is not docketed. Without having access to this referenced document, the staff is unable to confirm implementation of the system security requirements. We need to discuss if this document can be made available on the share point or if it can be made available during the audit.
Status: Open (New)
In addition CS-00013-GEN, Development Environment Evaluation Report-CS Innovations Isolated Development Infrastructure might be another document of interest to the staff. It seems that this document would provide evidence that the actual development environment was in fact secure. This document was not docketed.
PG&E Response: Westinghouse can make available during the audit both CSI document 9000-00360, "CS Innovations Cyber Security Plan" and WNA-CS-00013-GEN, "Development Environment Evaluation Report - CS Innovations Isolated Development Infrastructure."
76 WEK The documents listed below are necessary for the staff to complete its assessment of the Tricon V10 platform changes/software revisions that have occurred since the platform was approved generically, and will be applied to the DCPP PPS.
Status: Open (New)
Comments: Invensys Audit Item
- 1. Reference Design Change Analysis (RDCA), 993754-1-916
- 2. Nuclear Qualified Equipment List (NQEL), 9100150-001, Rev 16
  Rev 11: Tricon V10.5.2
  Rev 13: TriStation V4.9.0
  Rev 14: Tricon V10.5.3
- Tricon NGIO Software SRS, 6200155-001
- Tricon V10.5 Verification and Validation Report (19 Sept, 2012)
- V10.5.2 Documents
  a) PDR (IRTX) 21105
  b) Technical Advisory Bulletin (TAB) 183
  c) Engineering Project Plan (EPP) Tricon V10.5.2, 9100346-001
  d) V10.5.2 V&V Test Report
  e) Software Release Definition (SRD), V10.5.2, 6200003-226
- 14. V10.5.3 Documents
  a) PDR (IRTX) 22481
  b) Product Alert Notice (PAN) 25
  c) Engineering Project Plan (EPP) Tricon V10.5.3, 9100428-001
  d) Tricon PAN 25 Master Test Report
  e) Software Release Definition (SRD), V10.5.3, 6200003-230
  f) NGDO SRS 6200170-001
- Tristation V4.9.0 documents
  a) Product Alert Notice (PAN) 22
  b) Product Alert Notice (PAN) 24
  c) Technical Advisory Bulletin (TAB) 147
  d) Engineering Project Plan (EPP) Tristation V4.9, 9100359-001
  e) Tristation V4.9.0 Master Test Report
  f) Software Release Def. (SRD), Tristation V4.9.0, 6200097-038
  g) Spec. Software Design - Tristation 1131 SDS, 6002168-002 (Section Applicable to V4.9.0 Change)
  h) TriStation 1131 V4.9 V&V Plan, 9600442-002
  i) TriStation 1131 V&V Summary Report (26 Oct. 2012)
PG&E Response: Invensys will place the requested documents on the Invensys SharePoint by December 3, 2012, for access by the NRC. The documents will be marked in accordance with 10 CFR 2.390 prior to placing them on the SharePoint.
77 RJS The staff requests that the Purchase Order Compliance Matrices (Multiple Documents) be placed on the SharePoint site to support verification of requirements traceability determinations.
Comments: Invensys Audit Item
PG&E Response: Invensys will place the requested documents on the Invensys SharePoint by December 7, 2012, for access by the NRC. The documents will be marked in accordance with 10 CFR 2.390 prior to placing them on the SharePoint.
78 RA The staff requests that the Invensys Project Procedures Manual and Project Instructions (Multiple Documents) be placed on the Share Point site to support review of Invensys process to design, develop and test the Tricon system.
PG&E Response: Invensys will place the requested documents on the Invensys SharePoint by December 14, 2012, for access by the NRC. The documents will be marked in accordance with 10 CFR 2.390 prior to placing them on the SharePoint.
79 RA Invensys to confirm that the following terms are not used, and that they will be removed from their plans and replaced with the correct terms.
- Test Review Board
- Test Case Incident Report
- Master Configuration Checklist
- Configuration Database
PG&E Response: The following Invensys documents will be revised to reflect correct terminology and placed on the Invensys SharePoint by December 21, 2012:
- 1) 993754-1-905, Project Management Plan
- 2) 993754-1-906, Software Development Plan
- 3) 993754-1-909, Software Configuration Management Plan
- 4) 993754-1-813, Validation Test Plan
The revised documents will be marked in accordance with 10 CFR 2.390 prior to placing them on the SharePoint.
80 RA Invensys to revise its plans to reflect the current project organization.
PG&E Response: The Invensys Project Management Plan (PMP), 993754-1-905, will be revised to reflect the current project organization and placed on the Invensys SharePoint by December 21, 2012. The revised PMP will be marked in accordance with 10 CFR 2.390.
November 19, 2012 DCPP PPS Closed Item Summary Table Page 1 of 43
No Src/RI Issue Description P&GE response: Status RAI No. (Date Sent) RAI Response (Due Date) Comments
001 AR (BD)
[ISG-06 Enclosure B, Item 1.3] Deterministic Nature of Software:
The Diablo Canyon Specific Application should identify the board access sequence and provide corresponding analysis associated with digital response time performance. This analysis should be of sufficient detail to enable the NRC staff to determine that the logic-cycle;
- a. has been implemented in conformance with the ALS Topical Report design basis,
- b. is deterministic, and
- c. the response time is derived from plant safety analysis performance requirements and in full consideration of communication errors that have been observed during equipment qualification.
As stated in the LAR, information pertaining to response time performance will be submitted as a Phase 2 document. Please ensure this matter is addressed accordingly.
Status: Closed
RAI No.: RAI 19
Comments:
4/18/2012 - Staff reviewed time response calc on share point and agrees that this is the correct information to support the SE. Requested that these calcs be docketed.
Response received April 29, 2012. Staff will review and discuss further if needed at subsequent telecom meeting.
Response acceptable; waiting on PG&E to provide the time response calculation for the V10 Tricon PPS Replacement architecture by April 16, 2012.
P&GE response:
ALS Diablo Canyon PPS document 6116-00011, "ALS System Design Specification", Section 7.5, identifies the ALS board access sequence and provides an analysis associated with digital response time performance.
- a. The Diablo Canyon PPS ALS system is configured in accordance with the qualification requirements of the ALS platform topical report,
- b. The analysis in Diablo Canyon PPS document 6116-00011, "ALS System Design Specification", Section 7, describes a logic cycle that is deterministic.
- c. The requirements for the response time of the PPS processing instrumentation (from input conditioner to conditioned output signal) is specified as not to exceed 0.409 seconds in Section 3.2.1.10 of the "Diablo Canyon Power Plant Units 1 & 2 Process Protection System Replacement Functional Requirements Specification (FRS)", Revision 4 submitted as of the LAR. In Section 1.5.8 of the "Diablo Canyon Power Plant Units 1 & 2 Process Protection System Replacement Interface Requirements Specification (IRS)", Revision 4, submitted as Attachment 8 of the LAR, the 0.409 seconds PPS processing instrumentation response time is allocated between the ALS and Tricon as follows:
ALS: 175 ms for RTD processing
Tricon: 200 ms
Contingency: 34 ms
The 0.409 seconds PPS processing instrumentation value is the same as the value that is currently allocated to PPS processing instrumentation. As long as the 0.409 second PPS processing instrumentation value is not exceeded, the total response time values assumed in the plant safety analyses contained in FSAR Table 15.1 will not be exceeded:
- 7 seconds for Overtemperature ΔT RT and Overpower ΔT RT functions,
- 2 seconds for High pressurizer pressure RT, Low pressurizer pressure RT, and Low Low SG water level RT functions,
- 1 second for Low reactor coolant flow RT function,
- 25 seconds for Low pressurizer pressure, High containment pressure, and Low steam line pressure Safety Injection initiation,
- 60 seconds for Low low SG water level auxiliary feedwater initiation,
- 18 seconds for High containment pressure, Low pressurizer pressure, and Low steam line pressure Phase A containment isolation,
- 48.5 seconds for High High containment pressure containment spray initiation,
- 7 seconds for High High containment pressure steam line isolation,
- 66 seconds for High High SG water level auxiliary feedwater isolation, and
- 8 seconds for Low steam line pressure steam line isolation.
The ALS response time will be verified as part of the FAT and the results will be included in the FAT summary report to be submitted by 12/31/12.
Tricon
Invensys provided detailed information on the deterministic operation of the V10 Tricon in Invensys Letter No. NRC V10-11-001, dated January 5, 2011.
In support of the V10 Tricon safety evaluation, Invensys submitted document 9600164-731, Maximum Response Time Calculations, describing the worst-case response time for the V10 Tricon Qualification System.
Included in document 9600164-731 are the standard equations for calculating worst-case response time of a given V10 Tricon configuration.
The time response calculation for the V10 Tricon PPS Replacement architecture was submitted on April 30, 2012. The System Response Time Confirmation Report, 993754-1-818, will be submitted to the staff as part of the ISG-06 Phase 2 submittals at the completion of factory acceptance testing of the V10 Tricon PPS Replacement.
Response time calc received Letter:
Calc:
The Tricon response time will be verified as part of the FAT and the results will be included in the FAT summary report to be submitted by 12/31/12.
Licensee representatives stated that PG&E will provide the Tricon Time response calc's in a document submitted on the docket.
[ISG-06 Enclosure B, Item 1.4]
Software Management Plan: Regulatory Guide (RG) 1.168, Revision 1, "Verification, Validation, Reviews and Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," dated February 2004 endorses IEEE (Institute of Electrical and Electronics Engineers) 1012 1998, "IEEE Standard for Software Verification and Validation," and IEEE 1 028-1997,"IEEE Standard for Software Reviews and Audits," with the exceptions stated in the Regulatory Position of RG 1.168. RG 1.168 describes a method acceptable to the NRC staff for complying with parts of the NRC's regulations for promoting high functional reliability and design quality in software used in safety systems. Standard Review Plan(SRP)
Table 7-1 and Appendix 7.1-A identify Regulatory Guide 1.168 as SRP acceptance criteria for reactor trip systems (RTS) and for engineered safety features WestinghouselALS 6116-00000 Diablo Canyon PPS Management Plan, Figure 2-2, shows the Verification and Validation (V&V) organization reporting to the Project Manager. This is inconsistent with the information described in the ALS Management Plan for the generic system platform, Closed N/A 4/23/2012 Staff has confirmed that the new version of the ALS SWP is available for review
Response
received April 29, 2012. Staff will review and discuss further if needed at subsequent telecom meeting.
(Kemper 4/12/12)
Response
acceptable; the staff received the
3 November 19, 2012 Cpp PPS Closed Item Summary Table Page 4 of 43
-~-
~No SrclRI
~-
P&GE response:
Issue Description where the V&V organization is independent form the Project Manager. This is also inconsistent with the criteria of RG 1.168 and will need to be reconciled during the LAR and ALS L TR reviews.
P&GE response:
ALS The PPS Replacement LAR referenced Westinghouse document 6116 00000 Diablo Canyon PPS Management Plan, dated July 25, 2011, that was based on CSI document 6002-00003 ALS Verification and Validation Plan, Revision 4. CS Innovations subsequently submitted a revised V&V plan, "6002-00003 ALS Verification and Validation Plan", Revision 5, on November 11, 2011, that revised the required V&V organization structure such that the management of the verification personnel is separate and independent of the management of the development personnel. The Westinghouse 6116-00000 Diablo Canyon PPS Management Plan was revised to require a V&V organization structure in which the management of the verification personnel is separate and independent of the management of the development personnel. PG&E submitted the revised Westinghouse 6116-00000 Diablo Canyon PPS Management Plan, Revision 1, document on April 2, 2012.
[ISG-06 Enclosure 8, Item 1.9]
Software V&V Plan: The ALS V&V plan states that Project Manager of the supplier is responsible for providing directions during implementation of V&V activities. Also, the organization chart in the Diablo Canyon PPS Management Plan shows the IW manager reporting to the PM.
The ALS V&V plan described in ISG-6 matrix for the ALS platform and the Diablo Canyon PPS Management Plan do not provide sufficient information about the activities to be performed during V&V. For example, the ALS V&V Plan states that for project specific systems, V&V activities are determined on a project by project basis and are described in the project Management Plan, in this case, 6116-00000, "Diablo Canyon PPS Management Plan."
However, the 6116-00000 Diablo Canyon PPS Management Plan states:
Status Closed RAI No.
(Date Sent)
N/A RAI
Response
(Due Date)
Comments revised W/ALS PPS MP on April 2, 2012 and will review for consistency with RG 1.168.
Response
received April 2, 2012. Staff will review and discuss further if needed at subsequent telecom meeting.
Status: Fig. 3 of the PPS SWP (Pg.
16/46) indicates
November 19, 2012 CPP PPS Closed Item Summary Table Page 5 of 43 No SrclRI Issue Description P&GE response:
Status RAI No.
(Date Sent)
Response
(Due Date)
Comments "See the ALS V&V Plan for more information and the interface between the IV&V team and the PPS Replacement project team."
The Triconex V&V plan states that the Engineering Project Plan defines the scope for V&V activities. As mentioned before. the Triconex EPP is not listed in the ISG-6 matrix.
These items will need further clarification during the LAR review to demonstrate compliance with Regulatory Guide (RG) 1.168. Revision 1.
"Verification, Validation. Reviews and Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants,"
P&GE response:
sufficient organizational independence between the Nuclear Delivery (Design)
Organization and the IV&V Organization.
Fig. 3 of the PPS PMP (993754-1 ALS The Westinghouse 6116-00000 Diablo Canyon PPS Management Plan was 905) (pg. 22/81) revised to include details on how the IV&V team has an independent also denotes the organizational reporting structure from the design and implementation team; DCPP PPS project the Scottsdale Operations Director and the ALS Platform & Systems organization, and Director report to different Westinghouse Vice Presidents. The IW provides sufficient Manager and Scottsdale Operations Director both report to the same Westinghouse Vice President, but via independent reporting structures.
independence between the N D Description of 6116-00000 Diablo Canyon PPS Management Plan V&Vwas and IV&V also revised to add information on the activities being performed for the Organizations.
V&V.
Closethelnvensys PG&E submitted the revised Westinghouse 6116-00000 Diablo Canyon PPS Management Plan that includes the above changes on April 2. 2012.
part of the 01.
Tricon W/ALS response The organizational structure of I nvensys Operations Management acceptable; comprises, in part, Engineering and Nuclear Delivery. Each of these (Kemper 4/12/12) organizations plays a specific role in the V10 Tricon application project life the staff received cycle. Invensys Engineering is responsible for designing and maintaining the V10 Tricon platform, and Nuclear Delivery is responsible for working with nuclear customers on safety-related V10 Tricon system integration the revised W/ALS PPS MP on April 2,
---~-
November 19, 2012 CPP PPS Closed Item Summary Table Page 6 of 43 No SrclRI Issue Description P&GE response:
Status RAI No.
(Date Sent) projects. Invensys Engineering department procedures require "Engineering Project Plans (EPP)," whereas Nuclear Delivery department procedures require "Project Plans." Invensys Engineering is not directly involved in system integration, but Nuclear Delivery may consult with Engineering on technical issues related to the V10 Tricon platform.
The NRC applied ISG-06 to the V10 Tricon safety evaluation. Invensys submitted a number of documents pertaining to the design of the V10 Tricon platform as well as process and procedure documents governing Invensys Engineering activities, including the EPP. In most cases, these platform-related documents are preceded with document number 9600164. The platform-level documents reviewed by the staff during the V10 Tricon safety evaluation will not be resubmitted by Nuclear Delivery during application-specific system integration projects.
In support of the PG&E LAR for the DCPP PPS Replacement, Invensys Nuclear Delivery is required to submit the application design documents as defined in ISG-06. These project documents are preceded by document number 993754. The Phase 1 submittal under Invensys Project Letter 993754-026T, dated October 26, 2011, contained, in part, the following:
PPS Replacement Project Management Plan (PMP), 993754-1-905.
"Project Management Plan" was used to more closely match BTP 7-14 with regard to "management plans"; and PPS Replacement Software Verification and Validation Plan (SWP),
993754-1-802.
The PMP describes the PPS Replacement Project management activities within the Invensys scope of supply. The guidance documents BTP 7-14 and NUREG/CR-6101 were used as input during development of the PMP.
With regard to compliance with RG 1.168, the PPS Replacement PMP and SWP both describe the organizational structure and interfaces of the PPS Replacement Project. The documents describe the Nuclear Delivery (ND) design team structure and responsibilities, the Nuclear Independent Verification and Validation (lV&V) team structure and responsibilities, the RAI Comments
Response
(Due Date) 2012 and will review for consistency with RG 1.168.
Status: Fig. 3 of the PPS SWP (Pg.
16/46) indicates sufficient organizational independence between the Nuclear Delivery (Design)
Organization and the IV&V Organization.
Fig. 3 of the PPS PMP (993754-1 905) (pg. 22/81) also denotes the DCPP PPS project organization, and provides sufficient independence between the ND and IV&V Organizations.
---November 19, 2012 CPP PPS Closed Item Summary Table Page 7 of 43 No 4
SrclRI Issue Description P&GE response:
Status interfaces between NO and Nuclear IV&V, lines of reporting, and degree of independence between NO and Nuclear IV&V. In addition, the PMP describes organizational boundaries between Invensys and the other external entities involved in the PPS Replacement project: PG&E, Altran, Westinghouse, and Invensys suppliers. The combination of the PMP and SWP demonstrate compliance of the Invensys organization with RG 1.168.
[ISG-06 Enclosure S, Item 1.10]
Closed (RA)
Software Configuration Management Plan: The LAR includes PG&E CF2.ID2, "Software Configuration Management for Plant Operations and Operations Support," in Attachment 12. However, the document provided in 2 only provides a guideline for preparing Software Configuration Management (SCM) and SQA plans. Though it is understood that the licensee will not perform development of software, PGE personnel will become responsible for maintaining configuration control over software upon delivery from the vendor.
The staff requires the actual plan to be used by the licensee for maintaining configuration control over PPS software in order to evaluate against the acceptance criteria of the SRP. For example, the ALS Configuration Management (CM) Plan (6002-00002) describes initial design activities related to ALS generic boards. This plan does describe the configuration management activities to be used for the development and application of the ALS platform for the Diablo Canyon PPS System. The staff requires that configuration management for this design be described in the DCPP project specific plan. These items will need further clarification during the LAR review to demonstrate compliance with BTP-14.
PG&E response:
PG&E developed a SCMP procedure to address configuration control after shipment of equipment from the vendor and submitted the SCMP on June 6, 2012, in Attachment 4 to the Enclosure of PG&E Letter DCL-12-050.
RAI No.: N/A
Comments: Close the Invensys part of the OI.
(Kemper 4-12-12) Response received April 2, 2012. Staff will review the PG&E SyCMP procedure when it arrives on May 31, 2012.
Alvarado (6/13/12): PG&E placed a copy of their SyCMP SCM 36-01 in its SharePoint. The staff will review this information and identify questions, if necessary.

5 (RA) [ISG-06 Enclosure B, Item 1.11]
Software Test Plan: The V10 platform documents identified in ISG6 matrix state that the interface between the NGIO (Next Generation Input Output) Core Software and IO-specific software will not be tested. It is not clear when and how this interface will be tested, and why this test is not part of the software unit testing and integration testing activities.
Further, the 993754-1-813 Diablo Canyon Triconex PPS Validation Test Plan states that the DCPP's TSAP will not be loaded on the system; instead Triconex will use another TSAP for the validation test. It is not clear why the DCPP's TSAP will not be used for the validation test or when the DCPP's TSAP will be loaded on the system and validated for the Diablo Canyon PPS System. These items will need further clarification during the LAR review to demonstrate compliance with BTP-14.
PG&E response:
Tricon
The next-generation input/output (I/O) modules qualified for the V10 Tricon are the 3721N 4-20 mA, 32-point analog input (AI) module, and the 3625N 24 Vdc, 32-point digital output (DO) module. Technical data on these two modules was provided to the NRC in support of the V10 Tricon safety evaluation. Configuration and functional testing is performed when the I/O modules (hardware and embedded core firmware) are manufactured. From the factory the I/O modules are shipped to Invensys Nuclear Delivery for use in nuclear system integration projects, i.e., application specific configurations. Because the module hardware and embedded core firmware are within the scope of the V10 Tricon safety evaluation, the verification and validation of the embedded core firmware will not be repeated as part of application-specific system integration projects.
There are certain design items that must be done with TriStation 1131 (TS 1131), such as specifying which I/O module is installed in a particular physical slot of the Tricon chassis, resulting in each module having a unique hardware address in the system. Also, TS 1131 is used to specify which application program parameters (i.e., program variable tag names) are assigned to a particular point on a given I/O module. The design items configured in TS1131 will be within the scope of validation activities conducted by Invensys Nuclear IV&V for application-specific system integration projects. The necessary collateral (system build documents, configuration tables, test procedures, test results, etc.) will be submitted to the NRC to support the staff's technical review of the PPS Replacement LAR in accordance with ISG-06.
The Phase 1 submittal under Invensys Project Letter 993754-026T, dated October 26, 2011, contained, in part, the Validation Test Plan (VTP), 993754-1-813. This document describes the scope, approach, and resources of the testing activities that are required for validation testing of the V10 Tricon portion of the PPS Replacement, including:
- Preparing for and conducting system integration tests
- Defining technical inputs to validation planning
- Defining the test tools and environment necessary for system validation testing
- Scheduling (and resource loading of the schedule)
Section 1.3.2 of the VTP describes the Hardware Validation Test activities and Section 1.3.3 of the VTP describes the Factory Acceptance Test activities for the V10 Tricon portion of the PPS Replacement. Details on the application program are proprietary and need to be provided to the staff separately.
Status: Closed
RAI No.: N/A
Comments: Response received April 2, 29, 2012. Staff will review and discuss further if needed at subsequent telecom meeting.
Tricon Next Generation Input Output (NGIO) Core software is tested and qualified as a platform component. As such, it does not need to be separately tested during the application development process.
TSAP is a Test Specimen Application Program used for purposes of platform qualification.
Invensys stated that the Diablo Canyon Application will be loaded onto plant system hardware during FAT.
Staff re-examined Invensys doc. "Validation Test Plan (VTP), 993754-1-813," Section 1.3.2 of the VTP that describes the Hardware Validation Test activities and Section 1.3.3 of the VTP and determined that the application program TSAP will be used for the FAT (Section 5.1.5 FAT).
Close this portion of the OI.

6 [ISG-06 Enclosure B, Item 1.14]
Equipment Qualification Testing Plans - The LAR Sections 4.6, 4.10.2.4 and 4.11.1.2 provide little information on the plant specific application environmental factors. The Tricon V10 Safety Evaluation, ML11298A246, Section 6.2 lists 19 application specific actions Items (ASAI's) that the licensee should address for plant specific applications. The licensee should address each of these for Tricon portion of the PPS replacement. Similar information for the ALS portion of the PPS replacement will also be required.
PG&E response:
ALS
PG&E will respond to ALS ASAI's when they are available.
Tricon
IN PROGRESS. All of the Application Specific Action Items will be addressed by March 21, 2012.
Status: Closed
RAI No.: Develop a generic RAI to provide a response to ASAIs for both platforms when the SERs are issued. RA#01
Comments: Response received April 2, 29, 2012. Staff will review and discuss further if needed at subsequent telecom meeting.
Staff agreed that PG&E should submit a separate submittal (LAR amendment) to address the ASAIs for both platforms. It is not necessary to delineate exactly what will be done for each ASAI in this OI matrix.

7 AR (BK) [ISG-06 Enclosure B, Item 1.16]
Design Analysis Reports: The LAR does not appear to comply with the SRP (ISG-04) regarding the connectivity of the Maintenance Work Station to the PPS. The TriStation V10 platform relies on software to effect the disconnection of the TriStation's capability to modify the safety system software. Based on the information provided in the LTR, the NRC staff determined that the Tricon V10 platform does not comply with the NRC guidance provided in ISG-04, Highly Integrated Control Rooms-Communications Issues, (ADAMS Accession No. ML083310185), Staff Position 1, Point 10, hence the DCPP PPS configuration does not fully comply with this guidance.
In order for the NRC staff to accept this keyswitch function as an acceptable deviation to this staff position, the staff will have to evaluate the DCPP PPS specific system communications control configuration--including the operation of the keyswitch, the software affected by the keyswitch, and any testing performed on failures of the hardware and software associated with the keyswitch. The status of the ALS platform on this matter is unclear at this time and will be resolved as the ALS LTR review is completed.
Moreover, the Tricon V10 system Operational Mode Change (OMC) keyswitch does change operational modes of the 3008N MPs and enables the TriStation 1131 PC to change parameters, software algorithms, etc, related to the application program of the safety channel without the channel or division being in bypass or in trip. As stated in Section 3.1.3.2 of the Tricon V10 SER, the TriStation 1131 PC should not normally be connected while the Tricon V10 is operational and performing safety critical functions.
However, it is physically possible for the TriStation PC to be connected at all times, and this should be strictly controlled via administrative controls (e.g., place the respective channel out of service while changing the software, parameters, etc). The LAR does not mention any administrative controls such as this to control the operation of the OMC (operational mode change) keyswitch. Furthermore, in order to leave the non-safety TriStation 1131 PC attached to the SR Tricon V10 system while the key switch is in the RUN position, a detailed FMEA of the TriStation 1131 PC system will be required to ascertain the potential effects this non-safety PC may have on the execution of the safety application program/operability of the channel or division. These issues must be addressed in order for the NRC staff to determine that the DCPP PPS complies with the NRC Staff Guidance provided in Staff Position 1, Point 11. The status of the ALS platform on this point is unclear at this time.
Status: Closed
RAI No.: Drafted RAI #17 & 18 to obtain an answer / report to address this topic.
Comments: (Kemper 4-12-12) Response received April 2, 29, 2012. Staff reviewed this item and still need additional information to close this item. The staff will need to review this item further during an NRC audit at the Invensys facility. All the items noted below will be the scope of the audit.
3/21/12 update: it was agreed that PG&E/Invensys and PG&E/Westinghouse/CSI would provide a report (LAR supplement) to explain how these two issues will be resolved and submit to NRC. Date to be provided TBD.
Waiting for the V10 Tricon portion of the PPS Replacement Failure Modes and Effects Analysis, an ISG-06 Phase 2 document to be submitted to NRC in May 2012.
PG&E response:
Tricon
The OMC keyswitch controls only the mode of the V10 Tricon 3008N MPs. In RUN position the 3008N MPs ignore* all commands from external devices, whether WRITE commands from external operator interfaces or program-related commands from TS 1131.
The keyswitch is a four-position, three-ganged switch so that the three Main Processor (MP) modules can monitor the position of the switch independently. The Operating System Executive (ETSX) executing on the MP application processor monitors the position of the keyswitch. The three MPs vote the position of the keyswitch. The voted position of the keyswitch is available as a read-only system variable that can be monitored by the TSAP. This allows alarming the keyswitch position when it is taken out of the RUN position. TS1131 messages to and from the Tricon (i.e., ETSX executing on the MPs) are of a defined format. TS1131 messages for control program (i.e., TSAP) changes - whether download of new control programs or modification of the executing control program - are uniquely identifiable. Such messages are received by ETSX and appropriate response provided depending upon, among other things, the position of the keyswitch. When a request from TS1131 is received by ETSX to download a new control program or modify the executing control program, ETSX accepts or rejects the request based on the voted keyswitch position. If the keyswitch is in RUN, all such messages are rejected. If the keyswitch is in PROGRAM, the Tricon is considered out of service and ETSX runs through the sequence of steps to download the new or modified control program, as appropriate.
Multiple hardware and software failures would have to occur on the V10 Tricon (in combination with human-performance errors in the control room and at the computer with TS1131 installed) in order for the application program to be inadvertently reprogrammed. Therefore, there is no credible single failure on the V10 Tricon that would allow the safety-related application program to be inadvertently programmed, e.g., as a result of unexpected operation of the connected computer with TS1131 installed on it.
The above conclusion will be confirmed (for the V10 Tricon portion of the PPS Replacement) in the Failure Modes and Effects Analysis, an ISG-06 Phase 2 document planned for submittal to NRC in May 2012. Additionally, Invensys Operations Management will support the staff's review of the hardware and software associated with the OMC keyswitch by making all of the technical data available for audit.
- TS1131 contains function blocks that allow WRITE-access to a limited set of parameters programmed into the application software, but only for a limited duration after which the capability is disabled until WRITE-access is re-enabled. However, without these function blocks programmed into the application program neither the application program nor application program parameters can be modified with the OMC keyswitch in the RUN position.
PG&E
Administrative controls on use of keyswitch will be provided with commitment to include in procedures in response.
Note, TS1131 is not used to change setpoints and protection set is inoperable when keyswitch is not in RUN position.
Comments: 3/21/12 Update: PG&E/Invensys needs to provide a technical explanation of how the MP3008N processor actually ignores all commands when in RUN - address the items in the OI.
4/4/12 Update: Need to explain how this message format works to reject messages from the Tristation when in RUN??
Graphs and visual presentation of these concepts would be helpful.
This issue will also have to be addressed for the ALS platform.
PG&E/Invensys needs to provide a technical explanation of how the MP3008N processor actually ignores all commands when in RUN - address the items in the OI.
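The accept/reject behaviour described in the item 7 response, as an added C model that is not Invensys, ETSX or TriStation code: three readings of the ganged keyswitch are voted 2-out-of-3, and the voted position gates program-change and WRITE messages. The type names, message kinds, the fail-closed handling of a missing majority, the scan-counted write window and the treatment of the two positions the page does not name are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>

/* Illustrative model of the keyswitch gate described above. Type names,
 * message kinds and every fail-closed choice are assumptions made for this
 * example; this is not ETSX or TriStation code. */

typedef enum {
    POS_RUN,
    POS_PROGRAM,
    POS_OTHER_A,   /* the page names only RUN and PROGRAM of the four */
    POS_OTHER_B,
    POS_INVALID    /* no majority, or a reading outside the four positions */
} key_pos_t;

typedef enum {
    MSG_READ,              /* monitoring request (assumed always allowed) */
    MSG_PARAM_WRITE,       /* WRITE to an application parameter */
    MSG_DOWNLOAD_PROGRAM,  /* download of a new control program */
    MSG_MODIFY_PROGRAM     /* modification of the executing program */
} msg_kind_t;

typedef struct {
    key_pos_t voted;          /* exposed read-only to the application */
    bool      alarm_not_run;  /* lets the application alarm when out of RUN */
    unsigned  write_window;   /* scans left with gated WRITE-access enabled */
} gate_state_t;

static bool valid_position(key_pos_t p)
{
    return (unsigned)p <= (unsigned)POS_OTHER_B;
}

/* 2-out-of-3 vote over the three independent readings of the ganged switch. */
key_pos_t vote_keyswitch(key_pos_t a, key_pos_t b, key_pos_t c)
{
    key_pos_t majority = POS_INVALID;
    if (a == b || a == c)
        majority = a;
    else if (b == c)
        majority = b;
    return valid_position(majority) ? majority : POS_INVALID;
}

/* Called once per scan before any external message is handled. */
void update_gate(gate_state_t *g, key_pos_t a, key_pos_t b, key_pos_t c)
{
    g->voted = vote_keyswitch(a, b, c);
    g->alarm_not_run = (g->voted != POS_RUN);
}

/* Called at the end of each scan: the write window closes by itself. */
void end_of_scan(gate_state_t *g)
{
    if (g->write_window > 0)
        g->write_window--;
}

bool accept_message(const gate_state_t *g, msg_kind_t kind)
{
    switch (kind) {
    case MSG_READ:
        return true;
    case MSG_DOWNLOAD_PROGRAM:
    case MSG_MODIFY_PROGRAM:
        /* Program changes only with a voted PROGRAM position. */
        return g->voted == POS_PROGRAM;
    case MSG_PARAM_WRITE:
        /* In RUN a write passes only while the application has opened the
         * time-limited window; other positions are rejected in this model. */
        return g->voted == POS_RUN && g->write_window > 0;
    }
    return false; /* unknown message kind: reject */
}

/* Helper: one scan with the given readings and window, then the decision. */
bool gate_decision(key_pos_t a, key_pos_t b, key_pos_t c,
                   unsigned window, msg_kind_t kind)
{
    gate_state_t g = { POS_INVALID, true, window };
    update_gate(&g, a, b, c);
    return accept_message(&g, kind);
}

/* Helper: is a parameter write still accepted in RUN after n scans? */
bool write_ok_after(unsigned window, unsigned scans_elapsed)
{
    gate_state_t g = { POS_INVALID, true, window };
    for (unsigned i = 0; i < scans_elapsed; i++)
        end_of_scan(&g);
    update_gate(&g, POS_RUN, POS_RUN, POS_RUN);
    return accept_message(&g, MSG_PARAM_WRITE);
}

int main(void)
{
    /* Constructed scenarios: one faulty reading, then a real PROGRAM vote. */
    printf("1 MP reads PROGRAM, download accepted: %d\n",
           gate_decision(POS_RUN, POS_RUN, POS_PROGRAM, 0, MSG_DOWNLOAD_PROGRAM));
    printf("3 MPs read PROGRAM, download accepted: %d\n",
           gate_decision(POS_PROGRAM, POS_PROGRAM, POS_PROGRAM, 0, MSG_DOWNLOAD_PROGRAM));
    printf("RUN, write after window expired: %d\n", write_ok_after(2, 2));
    return 0;
}
```

A single processor misreading the switch as PROGRAM does not open the gate in this model, which is the single-failure argument the response makes; a three-way disagreement yields no voted position and every change request is rejected.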

8 AR (RS) [ISG-06 Enclosure B, Item 1.21]
Setpoint Methodology: The NRC staff understands that a summary of SP (setpoint) Calculations will be provided in Phase 2, however, section 4.10.3.8 of the LAR also states that PGE plans to submit a separate LAR to adopt TSTF 493. The NRC cannot accept this dependency on an unapproved future licensing action. The staff therefore expects the licensee to submit a summary of setpoint calculations which includes a discussion of the methods used for determining as-found and as-left tolerances. This submittal should satisfy all of the informational requirements set forth in ISG6 section D.9.4.3.8 without a condition of TSTF 493 LAR approval.
PG&E response:
The evaluation of the setpoints for the PPS replacement will need to be performed by Westinghouse in two phases in order to provide sufficient documentation to support 95/95 setpoint values for the setpoints. This is because the NRC staff has been requesting additional information and additional data and analysis to demonstrate that the uncertainties used in the setpoint calculation have been based on a statistically sufficient quantity of sample data to bound the assumed values (to justify the confidence level of the calculation is appropriate) during recent Westinghouse projects involving setpoints. Significant information is required from the transmitter and RTD vendors, that has never been obtained before, to support development of calculations that can support 95/95 setpoint values.
The first phase of the evaluation of the setpoints will include evaluation of the PPS replacement setpoints for the Tricon and ALS architecture using expected bounding uncertainty values. A setpoint summary evaluation which includes a discussion of the methods used for determining the as-found and as-left tolerances will be submitted by May 31, 2012. This is a change to the commitment 31 in Attachment 1 to the Enclosure to the PPS Replacement LAR. The setpoint information associated with the PPS replacement is being submitted independently of the LAR for TSTF-493 and does not rely on a TSTF-493 licensing action.
The second phase of the evaluation of the setpoints will include development of Westinghouse calculations of the PPS replacement setpoints for the Tricon and ALS architecture using sufficient information from vendors to substantiate that the setpoints are 95/95 values. The Westinghouse calculations will be completed by December 31, 2012 and will be available for inspection by NRC staff in Washington DC with support provided by Westinghouse setpoint group personnel. The NRC staff inspection of Westinghouse calculations in Washington DC has been performed for another recent utility project involving setpoints.
Status: Closed
RAI No.: N/A
Comments: Discussed at 4/18/2011 CC. Requested that PGE add to the response a statement that the setpoint changes associated with this modification will be submitted for evaluation independently with no reliance on TSTF 439 licensing action.
(Kemper 4-12-12) Response received April 2, 29, 2012. PG&E's commitment to provide summary calc's by May 31, 2012 and not revise these setpoints via a TSTF-439 LAR addresses this OI. Close this OI.
3/7/12 update: PG&E stated that all setpoints determinations will be addressed as part of this LAR, and NOT submitted as a TSTF-493 licensing action.
3/21/12 update: The staff may choose to review the Westinghouse calculations at the Westinghouse office in Washington DC. However, if the safety finding is dependent on these calculations, then the setpoint calculations will be required to be submitted on the docket per NRC licensing procedures.

9 AR (BK)
LTR Safety Conclusion Scope and Applicability - Many important sections of the DCPP PPS LAR refer the reader to the ALS licensing topical report (LTR) to demonstrate compliance of the system with various Clauses of IEEE 603-1991, IEEE 7-4.3.2-203, and ISG-04. However, many important sections of the ALS LTR state that compliance with various Clauses of these IEEE Stds and ISG-04 are application specific and refer the reader to an application specific license amendment submittal (i.e., the DCPP PPS LAR in this case). The staff has not yet had time to evaluate all the LAR information in detail and compare this information with that provided in the ALS LTR to ensure there is no missing information. However, PG&E and its contractors are encouraged to review these two licensing submittals promptly to verify that compliance with these IEEE Stds and ISG-04 are adequately addressed within both licensing documents.
PG&E response:
PG&E and Westinghouse have reviewed the LAR 11-07 and the ALS topical report to verify information is provided to justify compliance with IEEE 603-1991, IEEE 7-4.3.2-2003, and ISG-04 in either the LAR or the ALS topical report. As a result of the review, it was identified that neither the LAR nor the ALS topical report contain a matrix that documents compliance with ISG-04 Table 5-4 for the DCPP ALS platform. PG&E will submit a matrix that documents compliance with ISG-04 Table 5-4 for the DCPP ALS platform by May 31, 2012.
Status: Closed
RAI No.: No specific RAI needed for this OI. RAI-4 addresses this item as noted below in OI 15, compliance matrix for the ALS platform.
Comments: (Kemper 4-12-12) Response received April 2, 29, 2012. The PG&E response to this item address the OI. Close this OI.

10 RS Plant Variable PPS Scope - In the Description section of the LAR, section 4.1.3, nine plant variables are defined as being required for RTS and section 4.1.4 lists seven plant variables that are required for the ESFAS. Three additional plant variables were also listed in section 4.10.3.4.
Some variables are not listed in section 4.10.3.4 as being PPS monitored plant parameters. It is therefore assumed that these parameters are provided as direct inputs to the SSPS and that the PPS is not relied upon for the completion of required reactor trip or safety functions associated with them. Please confirm that these plant parameters and associated safety functions will continue to operate independently from the PPS and that the replacement PPS will not adversely impact the system's ability to reliably perform these functions.
PG&E response:
The PPS Replacement LAR Sections 4.1.3 and 4.1.4 describe the plant variables from which RTS and ESFAS protective functions are generated. The initiation signal outputs to the SSPS coincidence logic are generated in the PPS or other, independent systems, or in some cases, by discrete devices. Section 4.1.3 items 6 (RCP bus UF, UV, and breaker position), 8 (Main Turbine trip fluid pressure and stop valve position) and 9 (seismic acceleration) are generated by discrete devices outside the PPS and provide direct contact inputs to the SSPS. Section 1.4 items 6 (Containment Exhaust Radiation) and 7 (RT breaker position Permissive P-4) are also generated outside the PPS and are direct contact inputs to the SSPS. The initiation signals associated with these plant parameters operate independently from the PPS. The replacement PPS will not adversely affect the reliable performance of the safety functions associated with these plant parameters.
The three signals (Wide Range RCS Temperature and Pressure and Turbine Impulse Chamber Pressure) not listed in Sections 4.1.3 and 4.1.4 are monitored by the PPS per Section 4.10.3.4. The Wide Range RCS Pressure and Temperature signals are used to generate the LTOP function described in DCPP FSAR Section 5. The PPS uses Turbine Impulse Chamber Pressure to generate an initiation signal that is used by the SSPS coincidence logic to develop Permissive P-13 as discussed in RAI 3, below.
Neutron Flux should be added to Section 4.2 Table 4-2 as follows:
Neutron Flux (Power Range, Upper & Lower): Input to Overtemperature Δ Temperature (OTDT) RT; Input to Overpower Δ Temperature (OPDT) RT
Status: Closed
RAI No.: RAI02
Comments: Neutron Flux is an input to Tricon but it is not listed in Table 4-2 "Process Variable inputs to Tricon". Signals not associated with PPS functions will be designated as such in the SE and they will not be described since they are not in scope.

11 RS Power Range NIS Function - Section 4.1.7 describes the Existing Power Range NIS Protection Functions and it states that the Power Range nuclear instrumentation provides input to the OTDT, and OPDT protection channels.
It is not entirely clear whether any of the described NIS protection functions will be performed by the PPS system. Please clarify exactly what the role of the PPS system is for these NIS Protection functions.
PG&E response:
Power range analog inputs are provided by the NIS to each PPS Protection Set for use in the calculation of the Overtemperature Delta-T and Overpower Delta-T Setpoint in the Delta-T/Tavg channels. No other NIS signals interface with the PPS. The NIS Protection functions (RT and power range permissives) are generated independently by Nuclear Instrumentation bistable comparators. The NIS bistable outputs are sent directly to the SSPS and have no physical interface with the PPS.
Status: Closed*
RAI No.: N/A
Comments: Only PPS Functions will be described in the SE.
5/30/12 Determined that no RAI is needed for this item.

12 RS Permissive Functions - Several Permissive functions are described within the LAR. It is not clear to the staff whether any of these functions are to be performed by the PPS or if the PPS will only be providing input to external systems that in turn perform the permissive logic described in the LAR.
Section 4.1.9 states that "Settings of the bistable comparators used to develop the permissives are not affected by the PPS Replacement Project", which implies that all of these permissive functions are performed by systems other than the PPS. However, it is still unclear if this statement applies to all permissive functions described throughout the LAR or if it applies only to those permissives relating to Pressurizer Pressure. It is also possible that the permissive functions are being performed by the existing PPS and will continue to be performed by the replacement system and therefore remain "not affected" by the PPS replacement project.
Please provide additional information for the following permissive functions to clearly define what the role of the PPS system will be for each.
- P-4 Reactor Trip
- P-6 Intermediate Range Permissive
- P-7 Low Power Permissive (Bypasses low Ppzr reactor trip)
- P-8 Loss of Flow Permissive
- P-9 Power Permissive
- P-10 Power Range Power Low Permissive
- P-11 Low Pressurizer Pressure SI Operational Bypass
- P-12 No-Load Low-Low Tave Temperature Permissive
- P-13 Turbine Low Power Permissive
- P-14 Hi-Hi Steam Generator Level
Status: Closed
RAI No.: RAI03
PG&E response:
Permissive function initiation signals generated within the existing PPS will continue to be performed by the replacement PPS and therefore remain "not affected" by the PPS replacement project. Permissive function initiation signals that are generated independently of the existing PPS will continue to be generated independently.
- Permissive P6, P-8, P-9, and P-10 initiation signals are bistable comparator outputs from the independent NIS to the SSPS. There is no interface with the PPS.
- Permissive P-4 initiation signals are direct contact inputs to the SSPS coincidence logic generated from contacts in the Reactor Trip Breakers (RTB). There is no interface with the PPS.
- Permissive P-11, P-12, P-13, and P-14 initiation signals are generated by bistable comparator outputs generated in the PPS and sent to the SSPS.
- Permissive P-7 is generated in the SSPS from 3 out of 4 power range NI channels (from NIS - P-10) below setpoint and 2/2 turbine impulse chamber pressure channels below setpoint (From PPS P13).
The bistable initiation signals described above are monitored by the SSPS. The SSPS generates the Permissive when appropriate coincidence of initiation signals is detected. No SSPS permissive or safety function coincidence logic is changed by the PPS replacement project.
Permissives P-6, P-7, P-8, P-9, P-10, and P-13 are functionally described in FSAR Table 7.2-2. Permissives P-4, P-11, P-12, and P-14 are functionally described in FSAR Table 7.3-3.
The bistable comparator setpoints for the above-listed permissives are not expected to change at this time.
Comments: The NRC understands that all permissives are developed within the SSPS system. Permissives P11 P14 use inputs provided by PPS system. All other permissives use inputs generated by external systems that are independent of the PPS.
See 13 below.

13 RS P12 Permissive Contradiction - The second paragraph of section 4.1.20 describes the P-12 interlock and states that "These signals are developed in the PPS". This statement is then contradicted in the third paragraph by the following statement; "These valves are not safety-related, but are interlocked with the P-12 signal from the SSPS."
In conjunction with the response to RAI 3, please provide a resolution for this contradiction in section 4.1.20 of the LAR.
PG&E response:
The word "signals" in the referenced Section 4.1.20 sentence, "These signals are developed... " is referring to the bistable comparator outputs which are monitored by the SSPS. The PPS does not generate the P-12 Permissive itself. The actual P-12 Permissive is generated by the SSPS when appropriate coincidence of initiation signals is detected. The SSPS output is interlocked with the valves as stated in the third paragraph of Section 4.1.20.
The LAR Section 4.1.20 is clarified by the following statement:
"... The P-12 Permissive is developed in the SSPS based on coincidence of the P-12 bistable comparator output initiation signals from the PPS..."
Protection System Permissives (P-11 unblock SI from ALS, P13 Turbine power permissive from Tricon, and P-14 Steam Generator Level high-high from Tricon) are generated by coincident logic in the SSPS based on initiating signals (bistable outputs) from the PPS as noted in the response to OI #12. Permissive development, including initiating signals and logic coincidence is shown in FSARU Tables 7.2-2 (RTS) and 7.3-3 (ESFAS).
The PPS does not perform coincident logic functions and does not "generate" any protection system permissives.
Status: Closed
RAI No.: N/A
Comments: The NRC understands that the P12 signal is generated by the SSPS using signals developed in the PPS.
5/30/2012 Determined that no RAI will be needed for this item.

14 RS Section 4.1.1 SSPS contains the following statement in the last paragraph; "Information concerning the PPS status is transmitted to the control board status lamps and annunciators by way of the SSPS control board demultiplexer and to the PPS by way of the SSPS computer demultiplexer."
Why would the PPS status need to be transmitted to the PPS as the sentence suggests in the last phrase?
PG&E response:
The sentence in Section 4.1.1 contains a typographical error. The sentence should read:
"Information concerning the PPS status is transmitted to the control board status lamps and annunciators by way of the SSPS control board demultiplexer and to the Plant Process Computer (PPC) by way of the SSPS computer demultiplexer."
As used in the Section 4.1.1. paragraph, "PPS Status" means "PPS Channel Trip Status."
Status: Closed
RAI No.: N/A
Comments: PGE Response resolves this Open Item. Change status to Closed.

15 (BK)
An ISG-04 compliance matrix for the DCPP PPS system was not submitted with, or referenced in, the LAR for the W/ALS platform. Instead the ISG-04 compliance section 4.8 of the LAR refers the reader to the ALS LTR for discussion on nearly all the points of ISG-04. Fig. 4.4 and 4.5 of the LAR indicate various 1E and non-1E communication pathways to and from ALS processor (e.g., Maintenance Work Station, plant computer, process control, port aggregator, and 4-20 mA temperature signal to Tricon processor). These are all application specific features of the PPS and the staff expects a W/CSI ALS document to be submitted, similar in scope and detail to the Invensys "PACIFIC GAS & ELECTRIC COMPANY NUCLEAR SAFETY-RELATED PROCESS PROTECTION SYSTEM REPLACEMENT DIABLO CANYON POWER PLANT DI&C-ISG-04 CONFORMANCE REPORT" Document No. 993754-1-912 Revision 0, to be submitted on the docket, which explains how the ALS portion of the PPS application conforms with the guidance of ISG-04.
PG&E response:
PG&E is developing the ISG-04 compliance matrix Table for the ALS platform and PG&E will submit the Table by July 31, 2012.
Status: Closed
RAI No.: Drafted RAI#4 to obtain answer / report to address this ISG-04 compliance matrix for the ALS platform.
Comments: (Kemper 4-4-12) No further necessary until May 31, 2012.
4/4/12 update: The draft ALS ISG-04 compliance matrix on the ALTRAN Share point website is not detailed enough for the staff to use in approving the ALS portion of the PPS' communications design. Suggest PG&E review the Invensys ISG-04 Doc. Document No. 993754-1-912 (-P) Revision 0, and provide guidance for an ALS document at the same level of detail.

16 (BK)
Section 1.4.4 (pg. 12/38) of document 993754-1-813 Diablo Canyon Closed RAI05 Received two Triconex PPS Validation Test Plan (VTM) states "The network equipment.
papers discussing including media converter. NetOptics Network Aggregator Tap. and gateway integration test hub. and the MWS will not be within the test scope of this VTP. The plans for PPS Nuclear Delivery system. These (ND) group will coordinate with Pacific Gas & Electric for system staging papers were prior to turn over to Nuclear IV&V. The Nuclear IV&V group will confirm discussed at the proper operation of network communications system interfaces before 4/18/2011 CC.
beginning testing addressed in this VTP." When, where, and what procedures will be used to test the network equipment??
The staff agrees that the analog PG&E response: Additional information on the PPS testing is being provided RTD signal loops to the staff. The information on the PPS testing was updated on May 9 to may be tested address staff comments provided in the 4118/22 conference call. The VTM separately at the will need to be updated based on the additional information. A date that the Tricon FAT and at updated VTM will be submitted will be provided after feedback from the staff the ALS FAT to is received on the additional information on the PPS testing.
satisfy integration test requirements.
The staff expressed some concerns over the statement that "There is no digital data
November 19, 2012 CPP PPS Closed Item Summary Table Page 23 of 43 No SrclRI Issue Description P&GE response:
Status RAINo.
(Date Sent)
Response
(Due Date)
Comments connection between the Tricon and the ALS,1l This appears to be a misleading statement since both systems do have connections to the common MWS. Further clarification should be provided and the statement should be revised to describe the nature of the MWS connections to each system.
A follow-up discussion was had at the 5/16/12 conference call.
The NRC staff feels that the final integration to be performed during SAT as proposed, will have to be complete and the results submitted prior to issuance of the SE.
17 (BK)
Section 5.1.4.3, Hardware Validation Tests, (pg. 27/38) of document 993754-1-813 Diablo Canyon Triconex PPS Validation Test Plan (VTM) states that the ALS equipment will not be included in the FAT. Where, when, and what procedures will be used to fully test the Integrated PPS system (both Tricon V10 and ALS platforms together) be subjected to FAT.
PG&E response: Additional information on the PPS testing is being provided to the staff. The VTM will need to be updated based on the additional information. A date that the updated VTM will be submitted will be provided after feedback from the staff is received on the additional information on the PPS testing.
Status: Closed
RAI No.: RAI06
Comments: This issue was discussed at the 4/18/2011 CC.
PGE proposed performance of separate but overlapping tests at each factory to accomplish the integration test.
The staff has some concern over the fact that the MWS's to be installed in the plant would only be tested during the Tricon FAT. A fifth MWS to be configured the same as the plant MWS's is to be used during the ALS FAT.
One option to resolve this concern may be to credit the SAT test results in the SE.
The current schedule for SAT (July 2013) does support this.
18 (BK)
Software Management Plan: Regulatory Guide (RG) 1.168, Revision 1, "Verification, Validation, Reviews and Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," dated February 2004 endorses IEEE (Institute of Electrical and Electronics Engineers) 1012-1998, "IEEE Standard for Software Verification and Validation," and IEEE 1028-1997, "IEEE Standard for Software Reviews and Audits," with the exceptions stated in the Regulatory Position of RG 1.168. RG 1.168 describes a method acceptable to the NRC staff for complying with parts of the NRC's regulations for promoting high functional reliability and design quality in software used in safety systems. Standard Review Plan (SRP) Table 7-1 and Appendix 7.1-A identify Regulatory Guide 1.168 as SRP acceptance criteria for reactor trip systems (RTS) and for engineered safety features actuation systems (ESFAS).
The Invensys PPS Replacement Software Verification and Validation Plan (SWP), 993754-1-802 does not provide a clear explanation of how the Invensys SWP complies with IEEE 1012-1998. Please provide a cross reference table that explains how the Invensys SWP implements the criteria of IEEE 1012-1998.
Also, the Westinghouse/ALS 6116-00000 Diablo Canyon PPS Management Plan, does not provide a clear explanation of how the CSI SWP complies with IEEE 1012-1998. Please provide a cross reference table that explains how the W/CSI SWP implements the criteria of IEEE 1012-1998.
PG&E response:
Westinghouse incorporated the IEEE-1012 compliance table in the ALS V&V plan document 6116-00003 in Appendix A Table A-1 and PG&E submitted the ALS V&V plan document 6116-00003 to the staff on June 6, 2012, in Attachment 7 to the Enclosure of PG&E Letter DCL-12-050.
Status: Closed
RAI No.: RAI 7&8
Comments: (Kemper 4/12/12) update: The staff has reviewed the Invensys IEEE 1012 compliance matrix on the PG&E/Altran sharepoint directory and it appears to be acceptable. The matrix appears to be comprehensive and indicates no exceptions to any clauses in IEEE 1012. No attempt was made to review/verify that where Invensys claims compliance with any particular Clause in the Std, that the respective section in their SWP is acceptable - the staff will work through this as the SWP is reviewed and evaluated for approval. Please submit the document on the docket.
This OI will remain open pending review of the Westinghouse/CSI document.

19 RS
Section 4.1 I of the LAR states that;
"The SSPS evaluates the signals and performs RTS and ESFAS functions to mitigate Abnormal Operational Occurrences and Design Basis Events described in FSAR [26] Chapter 15."
However, Chapter 15 of the DCPP FSAR does not use the terms Abnormal Operational Occurrence (AOO) or Design Basis Accident (DBE). Instead, the accident analysis in chapter 15 identifies conditions as follows;
CONDITION I - NORMAL OPERATION AND OPERATIONAL TRANSIENTS
CONDITION II - FAULTS OF MODERATE FREQUENCY
CONDITION III - INFREQUENT FAULTS
CONDITION IV - LIMITING FAULTS
As such, the statement that AOO's and DBE's are described in the FSAR appears to be inaccurate. Please explain the correlation between the Conditions described in FSAR chapter 15 and the Abnormal Operational Occurrences, and Design Basis Events described in the LAR.
PG&E response: The AOO's are referred to as ANS Condition I "Operational Transients" in FSAR Chapter 15 and are addressed in FSAR Chapter 15.1. The design basis accidents are referred to as ANS Condition II "faults of moderate frequency," ANS Condition III "infrequent faults," and ANS Condition IV "limiting faults" and are addressed in FSAR Chapter 15.2, 15.3, and 15.4 respectively.
Status: Closed
RAI No.: RAI9
Comments: 3/21/12 update: PG&E has created a share point website for NRC to review PPS design drawings that will address this issue as well as OI 20 and 21. NRC staff will determine if they are needed to be submitted on the docket. PG&E will ensure the website information is only applicable to this licensing action.
20 RS
The system description provided in Section 4 of the LAR includes "functions performed by other protective systems at DCPP in addition to the PPS functions". In many cases, there is no explanation of what system is performing the functions described nor is there a clarification of whether the described functions are being performed by the PPS system.
As an example, Section 4.1.16 describes a bypass function to support testing of the high-high containment pressure channel to meet requirements of IEEE 279 and IEEE 603. The description of this function does not, however, state whether this latch feature is being implemented within the PPS system or in the SSPS.
The staff needs to have a clear understanding of the functional scope of the PPS system being modified in order to make its regulatory compliance determinations. Please provide additional information such as PPS function diagrams to help the staff distinguish PPS functions from functions performed by other external systems.
PG&E Response: PPS design drawings have been provided to the staff on the Sharepoint site.
Status: Closed
RAI No.: N/A
Comments: 3/21/12 update: PG&E has created a share point website for NRC to review PPS design drawings that will address this issue. NRC staff will determine if they are needed to be submitted on the docket. PG&E will ensure the website information is only applicable to this licensing action.
5/30/12 Determined that no RAI will be needed for this item.
7/02/12 - Closed Item. Information in Function diagrams is sufficient for NRC to determine PPS functionality.
22 BK
Follow-on OI #5 question pertaining to the PPS VTP:
Section 1.4.4 (pg. 12/38) states "The network equipment, including media converter, NetOptics Network Aggregator Tap, and gateway hub, and the MWS will not be within the test scope of this VTP. The Nuclear Delivery (ND) group will coordinate with Pacific Gas & Electric for system staging prior to turn over to Nuclear IV&V. The Nuclear IV&V group will confirm proper operation of network communications system interfaces before beginning testing addressed in this VTP." When, where, and what procedures will be used to test the network equipment??
Also, section 5.1.4 (3) Hardware Validation Tests states that the ALS equipment will not be included in the FAT (pg. 27/38). Where, when, and what procedures will be used to fully test the Integrated PPS system (both Tricon V10 and ALS platforms together) be subjected to FAT.
PG&E response:
Additional information on the PPS testing is being provided to the staff. The VTP will need to be updated based on the additional information. A date that the updated VTP will be submitted will be provided after feedback from the staff is received on the additional information on the PPS testing.
Status: Closed
RAI No.: RAI 5
23 BK
Section 4.2.13.1 of the LAR (page 85) states; "Figure 4-13 only shows one TCM installed in the Tricon Main Chassis (Slot 7L), the PPS replacement will utilize two TCM cards in each main chassis (Slots 7L and 7R). This will provide two non-safety-related communication paths to the MWS and the PPC Gateway Computer from each Protection Set to ensure continued communications if a single TCM fails.
The NetOptics Model PA-CU/PAD-CU[1] PA-CU port aggregator network tap was approved previously by NRC for a similar application in the Oconee RPS SER Section 3.1.1.4.3 [18]. The NRC staff determined that due to the electrical isolation provided by use of fiber optic cables and the data isolation provided by the Port Tap and the Maintenance and Service Interface (MSI) in the Oconee RPS, there was reasonable assurance that a fault or failure within the Oconee Gateway computer or the Operator Aid Computer will not adversely affect the ability of the Oconee RPS to accomplish its safety functions.
During the SAT PG&E will test the Protection Set communications paths illustrated in Figure 4-13 to verify that there is no inbound communications path associated with port aggregator network tap Port 1. That is, PG&E will verify that communications from Port 1 to either the TCM on Port A or the MWS on Port B of the port aggregator network tap are not permitted.
Results of this test will be documented in final System Verification and Validation Report. Port aggregator dual in-line package (DIP) switch positions will be controlled by DCPP configuration management processes."
In order for the Staff to approve the integrated configuration of the PPS, prior to shipment of the PPS equipment to DCPP site, all communications paths will require testing on or before FAT, and before completion of the SER. This testing is typically completed during or before the PPS FAT, otherwise, the SER will not be completed until after the SAT. Please provide a test scheme/procedures that satisfies all regulatory requirements prior to or during the FAT. Otherwise, if this testing will be completed during the SAT, as stated in the LAR, please provide a detailed schedule for this testing so the NRC can revise its PPS LAR Review Plan accordingly.
[1] The NetOptics Model PAD-CU has two one-way output ports but is otherwise identical in function to the PA-CU.
PG&E response: Additional information on the PPS testing for ALS is being provided to the staff. A date the additional information will be submitted will be provided after feedback from the staff is received on the additional information on the PPS testing for ALS.
Status: Closed
RAI No.: RAI11

24 RJS
- a. Section 4.1.17 paragraph 3 discusses the protection functions associated with High - High Steam Generator Level or P-14. In this discussion it is stated that the SI signal initiates the same two functions (Turbine Trip and Feedwater Isolation) however, there is no mention of this in section 4.1.9 or in the discussion of the P-14 permissive. Please confirm that P-14 can be initiated by either High - High SG Level or by initiation of SI.
- b. This same section also states that the described latched in function serves to comply with IEEE Std. 279 Section 4.16. The replacement PPS system is not being evaluated against the criteria of IEEE 279. Instead, IEEE 603-1991 is being used and the equivalent criteria is contained in section 5.2 of IEEE 603-1991. PGE needs to understand that the criteria of IEEE 279 are not relevant to this review effort.
PG&E response:
- a. Turbine Trip can be initiated by either the P-14 steam generator level protection function OR by the latched Safety Injection (SI).
Section 4.1.17 describes the Steam Generator Level High-High Protection function P-14. Upon sensing high steam generator level, the PPS generates an initiation signal to the SSPS, which generates the turbine trip signal and initiates Auxiliary Feedwater when coincidence of 2 of 33 high-high level signals in any steam generator is detected.
Section 4.1.9 describes Pressurizer Protection Functions, one of which is initiation of Safety Injection through the SSPS when coincidence 3 of 4 Pressurizer Pressure Low-Low signals from the PPS is detected. The SI actuation signal also actuates turbine trip and Auxiliary Feedwater through the SSPS, but SI is not initiated by Steam Generator Level High-High. The P-14 protection function is initiated ONLY by Steam Generator Level High-High. Through the SSPS, P-14 will trip the turbine and actuate Auxiliary Feedwater. A SI signal will also actuate Turbine trip and Auxiliary Feedwater, among other actions. Pressurizer Protection functions do not initiate P-14 and Steam Generator Level High-High P-14 does not initiate SI.
- b. PG&E intended Section 4.1 to describe the existing PPS and to apply only to the existing PPS, which complies with IEEE 279-1971. Sections 4.2 to 4.13 of the LAR apply to the PPS Replacement. Section 4.10.2.2 describes compliance of the PPS Replacement with IEEE 603-1991 Section 5.2. PG&E understands and appreciates that IEEE-603 applies to the PPS replacement.
Status: Closed
RAI No.: N/A
Comments: Item initiated on 4/23/2012. PGE Response accepted.
25 RJS
Sections 4.1.17, and 4.1.21 state that the P-9 permissive is the "Power Range at Power" function while Section 4.1.9 states that the P-10 Permissive is also called the "Power Range at Power" function. Is it correct that both of these permissives are called "Power Range at Power" and that they perform different functions?
PG&E response:
Both P-9 and P-10 are "Power Range at Power" functions; both are active when the Power Range NI channels are at power.
Permissive P-9 blocks reactor trip on turbine trip when 3 of 4 Power Range NI channels are below 50%.
Permissive P-10 is active when 2 of 4 Power Range NI channels are above 10%. Permissive P-10 is combined with Turbine Power Permissive P-13 (which is active above approximately 10% turbine load) to provide input to Permissive P-7 that allows blocking several low power reactor trips.
In effect, Permissive P-10 is the "Power Range at Power - Low" permissive and Permissive P-9 is the "Power Range at Power - High" permissive. This is consistent with the response to OI #12, above.
Status: Closed
RAI No.: N/A
Comments: Item initiated on 4/23/2012. PGE Response Accepted.
26 RJS
The PG&E SyQAP defines Supplier tasks that are related to assurance of software quality for each of the following phases of development;
- Project Initiation and Planning
- Conceptual Design
- Requirements
- Design
- Implementation
- Integration
- Test
These phases do not align with the phases used in the ALS or Tricon development lifecycles. For instance, the Tricon SQAP defines the phases as Requirements, Design, Implementation, and Test (Validation). Because of this, it is not clear how assurance of task completion can be accomplished. During which Tricon phases would those tasks listed under Integration, Initiation and Planning, and Conceptual Design be performed?
The ALS SQAP does not mention phases but the ALS Management plan defines the development phases as; Planning, Development, Manufacturing, System Test, and Installation.
Would it be possible for PGE to provide a mapping of Phases defined in the SyQAP to the Phases of the ALS and Tricon system development processes so that the staff can correctly identify and confirm performance of these QA tasks?
PG&E response:
PGE will provide a mapping of Phases defined in the SyQAP to the Phases of the ALS and Tricon system development processes. The determination of the location of the mapping information and date to be submitted is IN PROGRESS.
Status: Closed
RAI No.: RAI12
Comments: Item Initiated on 4/25/2011. Will need formal response for this item. Therefore this will be an RAI.
27 RA
Software Management Plan
The LAR, Attachment 3, describes the project organization, roles and responsibilities for the PPS replacement project. This document does not describe oversight activities that PG&E will perform during the PPS replacement project, as well as the interface between PG&E and Invensys and WEC/CSI, and the methodology to judge quality of the vendor effort.
Please provide this information.
PG&E response:
Oversight activities for the project were discussed in Section 4.2.11, Appendix B Compliance, of the LAR that discusses the DCPP Quality Assurance Program and Procurement Control Program and states that PG&E will audit IOM and CSI during the manufacturing phase under the PG&E Nuclear Procurement Program and associated directives.
In support of the oversight activities, PG&E will issue a Project Quality Plan (PQP) that will define the oversight activities to be performed, including technical audits, cyber security audits, and software quality assurance audits.
The PQP is expected to be issued in June and will be submitted to the staff by July 31, 2012.
Following the performance of the PQP audits, audit reports will be created and a PQP Audit Summary Report will be created. PG&E will submit the PQP Audit Summary Report to the staff at the time the vendor hardware is delivered to PG&E. The vendor hardware is currently expected to be delivered to PG&E in Spring 2013.
The PQP audit reports will not be submitted but will be made available to the NRC staff for review.
Status: Closed
RAI No.: RAI13
Comments: The PQP will need to be submitted.
28 RA
Software Management Plan
The LAR, Attachment 3, states that PG&E is responsible for the following activities in the lifecycle: project initiation and planning phase, conceptual design phase, requirements phase, installation and checkout phase, operation phase, and maintenance phase. Further, Section 3.1.10 states that PG&E will follow the activities described before for software modifications. Please explain how PG&E will perform software modifications to the Tricon and ALS platforms once the PPS replacement project is completed.
PG&E response:
The control of the software modifications to the Tricon and ALS platforms once the PPS replacement project is completed will be by the Process Protection System Replacement Software Configuration Management Plan, SCM 36-01, Revision 0, which was submitted as part of the Phase 2 document submittal on June 6, 2012, in Attachment 4 to the Enclosure of PG&E Letter DCL-12-050.
The SCM-01, Revision 0, document has been placed on the Sharepoint site.
Status: Closed
RAI No.: N/A
Comments: Alvarado (6/13/12): PG&E place a copy of their Software Configuration Management Plan in their Sharepoint site.
29 RA
Software Management Plan
The LAR, Attachment 3, states that the PG&E Project Manager will share the responsibility for meeting the software quality goals and for implementing the software quality management throughout the project.
Please describe what responsibilities are going to be shared and how this is going to be performed.
PG&E response:
The PG&E Project Manager will share the responsibility for meeting the software quality goals with the PG&E Quality Verification organization personnel.
To implement the oversight activities, the PG&E Quality Verification organization will issue a Project Quality Plan (PQP) that will define the oversight activities to be performed, including technical audits, cyber security audits, and software quality assurance audits.
Status: Closed
RAI No.: RAI13

30 RA
Software Development Plan
Section 7 of the Invensys Nuclear System Integration Program Manual (NSIPM) requires that non-conforming procedures shall be used to control parts, components, or systems which do not conform to requirements.
Invensys documents 993754-1-906, Software Development Plan, and 993754-1-905, PPS Replacement DCPP Project Management Plan, do not identify non-conforming procedures to be followed when deviations are identified and how deviations should be corrected.
Please provide this information.
PG&E response:
The Project Management Plan (PMP), 993754-1-905, is the overarching project management document for the Invensys scope of the PPS Replacement Project. It references other Invensys planning documents that discuss procedures to follow when deviations are identified and how they are corrected. The Software Development Plan, 993754-1-906, describes the software development process for the Invensys scope of the PPS Replacement Project. 993754-1-906 has been revised to Revision 1, to include new Section 3.2.6 that discusses problem reporting and corrective action. 993754-1-906, Revision 1, was submitted by PG&E on August 2, 2012.
In addition, the Invensys Software Quality Assurance Plan, 993754-1-900, Section 8, and the Invensys Software Configuration Management Plan, 993754-1-909, Section 3.2, both provide reference to procedures to follow when deviations are identified and how deviations are corrected.
Status: Closed
RAI No.: RAI14 Not used
RAI Response: Not required
Comments: 9/19/12 update (Alvarado): Rev. 1 of 993754-1-906 addressed this question.
7/13/12 rjs: Decided to not use the RAI and hold this item open pending review of updated phase 2 submittals.
31 RJS
Software Quality Assurance Plan:
IEEE 730-2002 stipulates in section 4 that "The SQAP shall be approved by the manager of each of the organizations having responsibilities in the SQAP." The PGE SYQAP has been approved by the PGE Diablo PPS Upgrade Project Manager and the Altran Project lead; however, there are several other organizations that have responsibilities delineated in the SQAP. The managers of these organizations have not approved the SYQAP. The following organizations are assigned roles and Responsibilities within Section 3.4 of the SYQAP. Please explain the means by which these organizations have committed to comply with the requirements stated in the SYQAP.
- Vendor IW Projects Managers
- EOC Design Change Package Team
- PGE Project Engineering Team
- QA Organization
- Testing and Integration Team
- V&V Organization
PG&E response:
The software quality assurance plan was discussed in Section 4.11.1.1.1 of the LAR, which did not commit to IEEE 730-2002 criteria in developing the SQAP. IEEE Standard 7-4.3.2-2003 [76] Clause 5.3.1 references IEEE Std 730-1998 for guidance but does not require it to be met.
PG&E is determining how to address the commitment from all organizations contained in the SyQAP as requested by the staff in the 5/16 meeting.
Status: Closed
RAI No.: RAI15
Comments: At the 5/16 meeting, the staff explained that PGE should have some commitment from all orgs that have activities in the SyQAP. This could be contractual or through activities that are delineated in other vendor plans or procedures.
32 RJS
Section 4.2.7 "Power Supply" of the LAR describes how power is supplied to the PPS. In this description, the 480V AC vital supply is described in the following ways.
- First it is described as back-up common bus to the 120 V distribution panels. We cannot tell if this is through a transformer or if this refers to the alternate supply to the inverters.
- It is also described as a supply to an inverter.
- It is then described as supply to the battery charger
From these descriptions, it is not clear to the staff how these vital power sources are configured in relation to the 120VAC panels that feed the PPS.
Would it be possible to provide a simplified diagram to show the relationship between the 125V Batteries / DC Buses, Battery Chargers, Inverters, and the 120V AC distribution Panels that supply power to the PPS.
PG&E response:
The following description clarifies the 120 V vital instrument AC power supply to the PPS:
1. Safety-related 480 VAC from vital AC motor control center (MCC) is fed to the UPS and rectified.
2. Rectifier output is fed to the inverter and converted to 120 VAC.
3. Safety related vital DC bus power is fed to UPS as immediate backup supply. The vital DC bus is backed up by the safety-related 125 VDC station battery, which is charged from vital 480 VAC.
4. Inverter output is fed through a static switch with integral manual bypass switch to vital instrument AC power distribution panels.
5. On loss of inverter output, the static switch will select backup regulating transformer output (120 VAC) to distribution panels.
6. The backup regulating transformer receives input from the 480 VAC Supply. The backup regulating transformer may be aligned via a transfer switch to either of two 480 VAC busses; the normal supply or an alternate supply. The alternate supply circuit breaker is normally open to prevent interconnection of redundant power supplies due to a failed transfer switch. The transfer switch may not be used under load.
Refer to the attached block diagram for additional detail.
Status: Closed
RAI No.: RAI16
Comments: PGE Response accepted.

34 RJS
(Software Integration Plans) The integration planning documentation referenced in section 4.5.4 of the LAR does not include any integration of the two sub systems (ALS integrated with Tricon). The PGE papers provided that discuss how FAT's will be performed may resolve this but these papers would have to be docketed as integration planning documents to support our SE. We also need to come to some agreement on the scope of integration to be accomplished prior to issuance of the SE.
PG&E response: IN PROGRESS
Status: Closed
RAI No.: RAI20
Comments: Item initiated on 6/7/2012
6-13-12 update (Kemper): This seems duplicate of OI 16 & 23.
7/02/12 - RJS This is related to OI 16 and 23, however, this specifically addresses the software integration planning documents being assessed. The current software integration plan discussed in section 4.5.4 of the LAR and the documents referenced from here do not adequately address this aspect of system integration. As such the Integration Plan will have to be revised.
Just including integration in the FAT will not resolve the inadequacies of the integration planning documents.
I anticipate that a supplemental integration plan document will need to be submitted in order for PGE to resolve this.
New RAI added and OI closed.

36
37 RA Software Test Plan Section 5.3.6 of ALS Document No. 6116-00005 refers to a "Test Team" to perform system level testing. However, the "Test Team" is not defined in ALS Document No. 6116-00000, "Diablo Canyon PPS Management Plan," which defines roles and responsibilities for the PPS Replacement Project.
Please clarify who is the "Test Team" and where their roles and responsibilities are defined.
This plan will be released by 30 September 2012.
Status: Closed
RA Software Management Plan PG&E "PPS Replacement Concept, Requirements, and Licensing Phase 1 Project Plan" does not address reporting mechanisms and controlling changes to the system. The only reference is that PG&E states that they will follow the activities described before for software modifications. After reviewing the of PG&E's SyWP, we found that Section 6 states that Anomaly Resolution and Reporting shall be performed per the respective PG&E and 10 CFR 50 Appendix B supplier control procedures. However, this statement does not identify the document to follow to report anomalies.
Please identify and describe the process that PG&E will follow for reporting mechanisms.
PG&E Response: PG&E administrative procedure OM7.ID1, "Problem Identification and Resolution," provides guidance for identification and resolution of both equipment and non-equipment problems, including vendor software problems. The OM7.ID1 procedure provides the process for documenting, reporting, evaluating, trending, and tracking the resolution of problems at DCPP. PG&E administrative procedure XI1.ID2, "Regulatory Reporting Requirements and Reporting Process," provides the instructions for reporting facility events and conditions to the NRC. This procedure applies to plant problems, including software anomalies, and provides a list of regulatory reporting requirements applicable to the DCPP, including those contained in the NRC regulations (including 10 CFR), the plant operating license (including associated Technical Specifications), license amendments, and regulatory correspondence. The procedure summarizes the types of reporting requirements and references the source of the requirement, time-frame for reporting, reporting method, lead responsible organization, primary regulatory agency recipient, and implementing procedures.
Status: Closed
44 Software V&V RA Invensys prepared Document No. 993754-1-813, "DCPP PPS Validation Test Plan." It states that the Test Review Board and PG&E will review all validation testing documents. Please describe the composition of the Test Review Board, since its role/responsibility is not described in the Invensys V&V Plan or in the Validation Test Plan (Section 4.4).
PG&E Response: The composition of the Project Review Committee (PRC) or Test Review Board includes the Project Manager, Project Engineer, Project Quality Assurance Engineer, IV&V Manager, and Lead IV&V/Test Director. This is described in Invensys document 993754-1-905, Project Management Plan, Section 3.5.5. See Invensys response to OI 49 for additional statements on the PRC.
PG&E Response: [IN PROGRESS]
Status: Closed
53 Section 4.10.2.6.3 of LAR:
RJS A tech specification change resulting from the recent Eagle 21 failure that affected the operability of the AFW control system is being reviewed by the staff. As part of this review PG&E has stated that the Independence between safety systems and other systems clause is not being met for all conditions of operation. If this is the case, then why does the PPS LAR not identify any exceptions to IEEE 603 clause 5.6.3? Even if the replacement PPS does not have an equivalent failure mode to the Eagle 21 system, the TS change would still apply after the upgrade is completed. The staff will need to confirm that the potential for this failure mode has been eliminated in the new design or that the criteria of IEEE 603 is otherwise being satisfied.
PG&E Response: None Required
Status: Closed
Comments: 9/11/12 - Per CC with PG&E, the position on compliance with IEEE 603 5.6.3 is being revised and there is no plan to take exception with this or any other criteria of IEEE 603.
54 WEK PG&E Letter DCL-12-050, Phase 2 Documents, Attachment 2 FSAR Changes, Insert 1 for FSAR Section 3.10.2.1.3 states that "The Process Protection System Tricon subsystem has been seismically qualified by Invensys Operations Management (see Reference 40) in accordance with requirements from Reference 44 that is endorsed by Reference 33."
What is reference 44 and where is this documented in the FSAR?
PG&E Response: Reference 44 IEEE 344-1987, the current Reference 44 in the FSAR. See FSAR page 3.10-40 that was included in the FSAR changes in PG&E Letter DCL-12-050, Phase 2 Documents, Attachment 2.
PG&E Response: IN PROGRESS
Status: Closed
Comments: Response Okay - no RAI required. Should IEEE 344-1987 be included in 7.1.2.4, Conformance with IEEE Standards (page 7.1-13)??
Project Plan for Diablo Canyon Replacement of Digital RPS and ESFAS (PPS) - LAR Review (Rev. 6)

| Step | Planned Date | Task | Actual Date |
|---|---|---|---|
| 1 | Oct. 26, 2011 | PG&E LAR Submittal for NRC approval. Submittal includes all Phase 1 documents needed to be docketed prior to acceptance for review per ISG-06, "Digital licensing." | Oct. 26, 2011 |
| 2 | Jan. 12, 2012 | Acceptance Review complete. LAR accepted for detailed technical review. Several issues identified that could present challenges for the staff to complete its review. Scheduled public meeting with PG&E to discuss the results of the acceptance review. | Jan. 12, 2012 |
| 3 | Jan. 13, 2012 | Acceptance letter sent to licensee. | Jan. 13, 2012 |
| 4 | Jan. 18, 2012 | Conduct Public Meeting to discuss staff's findings during the LAR acceptance review. Staff proceeds with LAR technical review. | Jan. 18, 2012 |
| 5 | March 18, 2012 | PG&E provides information requested in acceptance letter. Initiate bi-weekly telecoms with PG&E and its contractors to discuss potential RAI issues. Open Items spreadsheet will be maintained by NRC to document staff issues and planned licensee responses. | April 2, 2012 |
| 6 | May 30, 2012 | PG&E provides partial set of Phase 2 documentation per commitments made in LAR. * PG&E provided a subset of the Phase 2 documents on June 6th and committed to send the rest by July 31, 2012. | June 6, 2012* |
| 7 | July 2012 | First RAI sent to PG&E on Phase 1 documentation (e.g., specifications, plans, and equipment qualification). Continue review of the application. Request 45 day response. (ML12208A364) | August 07, 2012 |
| 8 | June 2012 | SER for Tricon V10 Platform issued final. This platform becomes a Tier 1 review of the LAR. (ML12146A010) | May 15, 2012 |
| 8.1 | March 2013 | SER for Westinghouse ALS Platform issued final. This platform becomes a Tier 1 review of the LAR. | |
| 9 | September 2012 | Receive answers to first RAI. (ML12256A308) | Sept. 11, 2012 |
| 10 | November 2012 | Audit trip to Invensys facility for thread audit; audit the life cycle planning documents and outputs, with particular emphases on verification and validation, configuration management, quality assurance, software safety, the Invensys application software development procedures, and application software program design. | Nov. 13-16, 2012 |
| 11 | December 2012 | Audit report provided to PG&E and its contractor. | |
| 11.1 | TBD | LAR revision and all supporting documentation associated with the change in ALS and Tricon V10 workstation designs for the PPS are submitted. | |
| 11.2 | TBD | Follow-up audit trip to Invensys facility for thread audit; audit the life cycle planning documents and outputs, with particular emphases on verification and validation, configuration management, quality assurance, software safety, the Invensys application software development procedures, and application software program design. | |
| 12 | March 2013 | PG&E provides remaining set of Phase 2 documentation per commitments made in LAR. | |
| 12.1 | March 2013 | All Documentation for DCPP W/CSI ALS and IOM/Triconex V10 processors applicable to the DCPP PPS LAR are submitted. | |
| 13 | April 2013 | Second RAI to PG&E on Phase 2 documentation (e.g., FEMA, safety analysis, RTM, EQ Tests results, setpoint calcs, SW Tool analysis reports, and any incomplete or un-satisfactory response to first RAI. Continue review - hardware and program design and V&V activities | |
| 14 | May 2013 | Receive answers to second RAI. Continue review - V&V program, security requirements (RG 1.152, Rev.2) | |
| 15 | March 2013 | Audit trip to W/ALS facilities for additional thread audit items; audit hardware and software installation plans, configuration management reports, detailed system and hardware design, completed test procedures, V&V activities, summary test results (including FAT) and incident reports, and application code listings. | |
| 15.1 | April 2013 | Audit trip to Invensys facilities for additional thread audit items; audit hardware and software installation plans, configuration management reports, detailed system and hardware design, completed test procedures, V&V activities, summary test results (including FAT) and incident reports, and application code listings. | |
| | | [row illegible in source] | |
| 16 | May 2013 | Audit reports provided to PG&E and its contractors. | |
| 17 | November 2013 | Presentation to ACRS Subcommittee/Full ACRS Committee on DCPP PPS LAR Safety Evaluation. | |
| 18 | November 2013 | Complete draft technical SER for management review and approval. | |
| 19 | December 2013 | Issue completed draft technical SER to DORL | |
| 20 | December 2013 | Draft SER sent it to PG&E, Invensys, and W/CSI to perform technical review and ensure no proprietary information was included. | |
| 21 | January 2014 | Receive comments from PG&E and its contractors on draft SER proprietary review. | |
| 22 | March 2014 | Approved License Amendment issued to PG&E | |
| 23 | September 2014 (tentative) | Inspection trip to DCPP for PPS Site Acceptance Testing (SAT), training and other preparation for installing the new system. To be coordinated with regional visit. Date based on receipt of new PPS system at the site in preparation for September 2015 Unit 1 Refueling Outage (1R19). | |
| 24 | September 2015 | Inspection trip to DCPP for PPS installation tests, training and other system installation activities for the new system. To be coordinated with regional visit. Date based on September 2015 Unit 1 Refueling Outage (1R19). | |
Meeti *via email
NRR/DORL/LPL4/PM NRR/DORL/LPL4/LA NRR/DE/EICB NRR/DORL/LPL4/BC NRR/DORL/LPL4/PM
JSebrosky JBurkhardt WKemper* MMarkley JSebrosky
DATE 12/18/12 12/17/12 12/17/12 12/19/12 12/19/12