ML13035A167


1/24/2013 - Summary of Meeting with Pacific Gas and Electric Company to Discuss Digital Replacement of Process Protection System at Diablo Canyon Power Plant, Units 1 and 2
ML13035A167
Person / Time
Site: Diablo Canyon (Pacific Gas & Electric)
Issue date: 03/04/2013
From: Joseph Sebrosky, Plant Licensing Branch IV
To: Office of Nuclear Reactor Regulation
References
TAC ME7522, TAC ME7523
Download: ML13035A167 (66)


Text

UNITED STATES NUCLEAR REGULATORY COMMISSION, WASHINGTON, D.C. 20555-0001

March 4, 2013

LICENSEE: Pacific Gas and Electric Company
FACILITY: Diablo Canyon Power Plant, Unit Nos. 1 and 2

SUBJECT: SUMMARY OF JANUARY 24, 2013, TELECONFERENCE MEETING WITH PACIFIC GAS AND ELECTRIC COMPANY ON DIGITAL REPLACEMENT OF THE PROCESS PROTECTION SYSTEM PORTION OF THE REACTOR TRIP SYSTEM AND ENGINEERED SAFETY FEATURES ACTUATION SYSTEM AT DIABLO CANYON POWER PLANT, UNIT NOS. 1 AND 2 (TAC NOS. ME7522 AND ME7523)

On January 24, 2013, a Category 1 teleconference public meeting was held between the U.S. Nuclear Regulatory Commission (NRC) and representatives of Pacific Gas and Electric Company (PG&E, the licensee) at NRC Headquarters, One White Flint North, 11555 Rockville Pike, Rockville, Maryland. The purpose of the teleconference meeting was to discuss the license amendment request (LAR) submitted by PG&E on October 26, 2011, for the Digital Replacement of the Process Protection System (PPS) Portion of the Reactor Trip System and Engineered Safety Features Actuation System at Diablo Canyon Power Plant, Unit Nos. 1 and 2 (DCPP) (Agencywide Documents Access and Management System (ADAMS) Accession No. ML113070457). A list of attendees is provided in Enclosure 1.

The teleconference meeting is one in a series of publicly noticed teleconference meetings to be held periodically to discuss issues associated with the NRC staff's LAR review. Preliminary issues that the NRC staff identified during the initial review, and the licensee's responses to these preliminary issues, were discussed during the teleconference meeting. The list of preliminary issues is provided in Enclosure 2.

The NRC staff and licensee confirmed that the next meeting on this topic would be held on February 21, 2013. Highlights from the meeting on January 24, 2013, include the following:

  • The NRC and PG&E discussed the status of the February 11-15, 2013, audit at the Westinghouse/CS Innovations facility in Scottsdale, Arizona. The staff confirmed that members of the Nuclear Security and Incident Response (NSIR) will participate in the audit to review the cyber security aspects of this portion of the design. The staff indicated that PG&E should be receiving the audit plan shortly.
  • The NRC staff discussed the status of the audit reports associated with a November 13-16, 2012, audit at the Invensys Operations Management facility in Lake Forest, California. The audit plan dated October 10, 2012, associated with this audit is available in ADAMS at Accession No. ML12276A050. The staff noted that the following two separate audit reports are being written: 1) a cyber security audit report, and 2) an audit report associated with the audit that was performed to verify that the software products to be used at DCPP for the PPS system conform to applicable standards, guidelines, plans, and procedures by assessing the implementation of the system development life cycle process (life cycle audit). Both of the audit reports will be issued to PG&E shortly. Because the cyber security audit report contains security-related sensitive unclassified non-safeguards information, the cyber security audit report will be withheld from the public. The staff took an action to support phone calls with PG&E and Invensys as necessary to discuss results of the audits.

  • The project plan for the review of the LAR (Enclosure 3) was discussed and the major upcoming milestones were confirmed. The project plan will be updated as appropriate and discussed at the next public meeting.
  • The NRC staff stated that it should be issuing a second round of requests for additional information (RAIs) shortly. Once the RAIs are issued, the items identified in Enclosure 2 as needing RAIs will be closed and removed from the open item tracking list, because the RAIs themselves will be used to track the closure of the issue.
  • PG&E took an action to provide documents associated with open item number 76 in Enclosure 2 by the end of January.

Please direct any inquiries to me at 301-415-1132 or at [e-mail address illegible in source].

Project Manager

Docket Nos. 50-275 and 50-323

Enclosures:

1. List of Attendees
2. Staff Identified Issues That are Open
3. Project Plan

cc w/encls: Distribution via listserv

LIST OF ATTENDEES
JANUARY 24, 2013, TELECONFERENCE MEETING WITH PACIFIC GAS AND ELECTRIC COMPANY REGARDING DIGITAL UPGRADE FOR DIABLO CANYON POWER PLANT, UNIT NOS. 1 AND 2
DOCKET NOS. 50-275 AND 50-323

NAME                  ORGANIZATION
Ken Schrader          Pacific Gas and Electric
Scott Patterson       Pacific Gas and Electric
G. Hough              Pacific Gas and Electric
John Hefler           Altran
R. Lint               Altran
J. Mauck              Altran
Ted Quin              Altran
J. Basso              Westinghouse
W. Odess-Gillet       Westinghouse
Stephanie Smith       Westinghouse
Roman Shaffer         Invensys/Triconex
Rich Stattel          Nuclear Regulatory Commission (NRC)
Bill Kemper           NRC
Rossnyev Alvarado     NRC
Shiattin Makor        NRC
Jennie Rankin         NRC
Alan Wang             NRC
Eric Lee              NSIR
Chris Chenoweth       NSIR
George Simonds        NSIR
Michael Shinn         NSIR
Steve Kane            AREVA
Gordon Clefton        Nuclear Energy Institute
Ken Thompson          Avila Valley Advisory Council
Ken Scarola           Nuclear Automation
Yuichi Tanaka         Mitsubishi Nuclear Energy

Enclosure 1

January 24, 2013 DCPP PPS Open Item Summary Table (Enclosure 2)

Columns of the original table: No; Src/RI (reviewer initials); Issue Description and PG&E response; Status; RAI No.; Comments (date sent / response due date). Each open item is reproduced below with those fields spelled out.

Item 21 (RA). Status: Open (hold until documents are received). RAI No.: RAI 10 (not used).

Issue Description: Westinghouse/CSI document 6116-00005, "Diablo Canyon PPS System Test Plan," states that the ALS-102 FPGA design is changed for the DCPP PPS System. Further, Section 5.3.3 states: "Test as many of the ALS-102 requirements as possible." Please identify what document describes the design verification test for this board.

PG&E response: The documents that describe the design verification tests for the ALS-102 are 6116-70140, "Diablo Canyon PPS System Test Design Specification," submitted June 6, 2012, and 6116-10216, "Diablo Canyon PPS V&V Simulation Environment Specification," which will be placed on the SharePoint by January 31, 2013 and submitted by February 21, 2013.

Comments:
12/19/12 update: Westinghouse/ALS will submit the documents by 12/31/2012.
10-17-12 update (Alvarado): Westinghouse/ALS will submit the documents by 10/31/2012.
9-19-12 update (Alvarado): Waiting for ALS document to be submitted at the end of September.
6-13-12 update (Kemper): PG&E understands that they need to provide an update to this response. In the meantime, PG&E and ALS have provided two design specifications that will address this OI. These documents are placed on the PG&E SharePoint website. Doc. No. 6116-10740 was submitted on June 6, 2012, which describes the ALS system test design specification. Doc. No. 6116-00005 was also submitted on June 6, 2012, which describes the ALS system test plan. Doc. No. 6116-10216, ALS V&V Simulation Environment Specification, will be provided in the future.
3/21/12 update: PG&E has created a SharePoint website for NRC to review PPS design drawings that will address this issue. NRC staff will determine if they need to be submitted on the docket. PG&E will ensure the website information is only applicable to this licensing action.
NRC: the response provided does not address the question.
7/13/12 (rjs): Deleted RAI 10 pending review of revised response. Also decided to hold item open.

Item 33 (RJS). Status: Closed.

Issue Description: (ALS SQAP) Software tools are used extensively during the FPGA development process. The staff therefore considers these tools to be a key component to the assurance of quality in the ALS system development process. The ALS SQAP states that "no additional tools, techniques, or methodologies have been identified" for the ALS system. The staff considers the development tools, as well as the techniques and methodologies used during system development, to be relevant to the assurance of quality for the ALS system. Please provide information on the tools and methodologies used during system development to ensure quality of the ALS system products.

PG&E response: Westinghouse agrees that Section 8, Tools, Techniques, and Methodologies of the ALS QA Plan (6002-00001) should be revised to reference document 6002-00030, "ALS Design Tools." This document describes the tools used and how they are used in the design process. This document is also on the ALS docket. Westinghouse submitted a revision of the ALS QA Plan, Revision 9, on the ALS docket on October 31, 2012, that provides information on the tools and methodologies used.

Comments:
Item initiated on 6/5/12.
6-13-12 update (Kemper): W/ALS agrees with NRC's position on tools and will revise the document (Doc. No. 6002-00001) accordingly to address this matter. Placed this item on hold pending review of revised QA plan.
RJS: Verified that Rev. 9 of the QA Plan refers to 6002-00030, which includes tool identification and assessments.

Item 35 (RA). Follow up of Item 21 - Software Test Plan. Status: Closed. RAI No.: RAI 21.

Issue Description: In the response provided for Item 21, PG&E explained that a new revision (Rev. 1) of ALS document No. 6116-00005 was provided. The scope of Revision 1 is slightly different from the scope described in Rev. 0. For example, Section 1.2 in both revisions states that test coverage includes all ALS modules, backplane, license sense modules (LSM), and ALS service unit (ATU). However, Section 2, Test Items, for these revisions is different. Revision 1 only focuses on ALS-102 and backplane assemblies. This section does not include other ALS modules, LSM and ATU. Please explain why these other ALS modules are not included in Section 2 of the new revision.

Further, Table 1-2 identifies "Diablo Canyon PPS Test Plan" as document No. 6116-00005, which is the same number as "Diablo Canyon PPS System Test Plan". Please clarify if this is referring to a different document.

PG&E Response: The scope of both revisions is the same. Revision 1 changes added more detail into the overall scope. The details are broken down into two main parts: 1 - the individual components, 2 - the system components. Both parts equal the entire ALS-based Diablo Canyon system, which includes all ALS modules, backplane, ASU (incorrectly stated as ATU in the open item), LSM, ALS-102A/B specific to Diablo, and full ALS sub-system test, which includes the testing of ALS slave cards required by the DCPP configuration.

The entry in Table 1-2 for the Diablo Canyon PPS Test Plan, 6116-00005, is the same document as Diablo Canyon PPS System Test Plan 6116-00005.

Item 38 (RA). Software Management Plan. Status: Closed. RAI No.: RAI 22.

Issue Description: Section 2 of the PG&E "PPS Replacement Concept, Requirements, and Licensing Phase 1 Project Plan" does not describe the activities to be performed by the Engineering of Choice Design Change Package Team. It is also not clear what the roles and responsibilities of this team are. Please clarify and provide the applicable PG&E control document that describes PG&E roles and responsibilities specifically for the Engineering of Choice Design Change Package Team.

PG&E Response: The activity performed by the Engineering of Choice Design Change Package Team is to support PG&E in development of the design change package for the PPS Replacement. PG&E has a contract with an engineering company, currently Enercon Services, Inc., to be the "engineer of choice" to provide nuclear engineering services to PG&E. For individual scopes of work, PG&E develops a purchase request for the scope of work and a purchase order is issued to the engineering company that is the engineer of choice. When the engineer of choice is performing a design change package for Diablo Canyon Power Plant, the engineer of choice uses the PG&E Design Change Procedure, CF3.ID9, "Design Change Development," and PG&E performs an owner acceptance of the work using PG&E Procedure CF3.ID17, "Design and Analysis Documents Prepared by External Contractors."

Item 39 (RA). Software Management Plan. Status: Closed. RAI No.: RAI 23.

Issue Description: Figure 2-1 of the PG&E "PPS Replacement Concept, Requirements, and Licensing Phase 1 Project Plan" and Figure 3-1 of the SyQAP identify Altran under the PG&E Project Engineering box. However, Figure 4-1 of the SyVVP identifies the PG&E project team under the PG&E Project Engineering box. Please explain the role and responsibilities for Altran during the PPS Replacement Project.

PG&E Response (09/17/2012):

1. The PPS Organization Chart shown in SyVVP Figure 4-1 is a simplified rendering of the organization charts in Project Plan Figure 2-1 and SyQAP Figure 3-1. The latter figures show an Altran Project Team under PG&E Project Engineering and a team of three PG&E individuals directly under PG&E Project Engineering. The slight inconsistency between SyVVP Figure 4-1 and the other figures may be resolved thus:

[Revised organization chart figure; only the box label "PG&E Project Engineering" is legible in the source.]

2. Altran is acting as a subcontractor providing engineering support to the PG&E Project Team as shown above in the revised figure. Altran supported LAR preparation and is providing continuing support through the LAR review process. Altran's work is governed by the Altran Engineering Procedures Manual. Documents submitted to PG&E are prepared in accordance with Altran EOP 3.3 (reports) and 5.4 (specifications). All Altran documents are verified in accordance with Altran EOP 3.4. In addition, PG&E accepts Altran documents under PG&E CF3.ID17, as noted in the Altran Verification Report.

Item 40 (RA). Software Tools. Status: Re-OPEN.

Issue Description: In the ALS Progress Update 2012-08-01 provided to the staff, Westinghouse/CSI described that they are replacing the Automated Test Environment (ATE) from IV&V credited tools with a LabView-based ALS Board Test System (ABTS). Also, in this presentation, Westinghouse/CSI noted that they are performing additional IV&V and equipment qualification of tools. Since this information needs to be reflected in the software planning documents, please identify how these items will affect Westinghouse/ALS documents related to the PPS replacement project. Also, identify what document will be revised to include a description of these modifications.

PG&E Response: The ALS Design Tool 6002-00030 requires revision to replace the ATE with the ABTS. The revised ALS Design Tool, Revision 9, document includes the ABTS tool and was submitted by Westinghouse to the NRC on January 18, 2013, and addresses the tools used.

Comments:
01/10/2013 update: The ALS Design Tool 6002-00030 Rev. 8 indicates that Westinghouse/CSI is using ATE. Further, Rev. 7 of 6002-00003, ALS V&V Plan, states that this plan was revised to identify ABTS as the primary board integration level test tool, replacing ATE. Please clarify the discrepancy between the response provided and the information in Rev. 8.
12/19/12 update: ALS Design Tool 6002-00030 was submitted to the NRC. NRC staff will review this document and identify follow-up questions, if necessary, creating a new open item.
10/17/12 update: Westinghouse/ALS will submit the ALS Design Tools on 10/31/2012.

Item 41 (RA). Software V&V and Test Plan. Status: Re-Open. RAI No.: RAI 24.

Issue Description: Westinghouse/ALS document 6116-0005, Section 8.2, identifies the software tools to be used in the PPS replacement project. However, this list is not consistent with the list of IV&V tools identified in Section 3.6 of ALS V&V Plan 6002-00003. Specifically, the test tools identified in 6002-00003 are not listed in 6116-00005 and vice versa. For example, the V&V Plan (6002-00003) identifies the ATE tool for IV&V, but this tool is not listed in 6116-0005 Rev. 1. Furthermore, the staff reviewed 6116-0005 Rev. 0 and found that the ATE tool was listed in this version. Please clarify what software tools will be used and what document describes them.

PG&E Response: A new revision of the ALS V&V Plan 6002-00003, Revision 7, Figure 3-2, identifies the ABTS and the ISE as the IV&V test tools. This new revision was docketed October 31, 2012 on the ALS platform docket. The ATE is removed from the set of IV&V test tools. The tools listed in document DCPP PPS Test Plan 6116-00005, Section 8.2, and the tools listed in DCPP PPS V&V Simulation Environment Specification, 6116-10216 (to be released by 30 September 2012), encompass the IV&V test tools in the new revision of the ALS V&V Plan, 6002-00003.

Comments:
01/10/2013: See comment provided in item 40. Also, DCPP PPS V&V Simulation Environment Specification, 6116-10216, has not been submitted.

Item 42 (RA). Software V&V. Status: Closed. RAI No.: RAI 25.

Issue Description: PG&E "PPS System Replacement System Verification and Validation Plan (SyVVP)" does not describe the V&V activities to be performed during the Operation Phase and Maintenance Phase. This document states that these activities are covered by approved DCPP procedures. Please identify these DCPP procedures.

PG&E Response: Per the response to OI #28, control of the software modifications to the Tricon and ALS platforms once the PPS replacement project is completed, and the PPS is in the Operations and Maintenance phase, will be by the Process Protection System Replacement Software Configuration Management Plan, SCM 36-01, Revision 0, which was submitted as part of the Phase 2 document submittal on June 6, 2012, in Attachment 4 to the Enclosure of PG&E Letter DCL-12-050. Modification to the PPS Replacement components produced by the vendors, CS Innovations and Invensys Operations Management, will be performed by the vendors, and verification and validation will be controlled by the vendor verification and validation plans created for the Diablo Canyon PPS Replacement (6116-00003 for CS Innovations and 993754-1-802 for Invensys Operations Management).

Comments:
9/17/12 update (Alvarado): During the conference call PG&E explained that modifications to the systems will be performed by the vendors. PG&E will provide additional information on their plan to perform modifications to the PPS system during operation and maintenance.

Item 43 (RA). Software V&V. Status: Closed. RAI No.: RAI 26.

Issue Description: PG&E "PPS System Replacement System Verification and Validation Plan (SyVVP)", Section 5.1.1, explains that during the Concept Phase, PG&E will verify system requirements in accordance with PG&E procedure CF2.ID9, "Software Quality Assurance for Software Development." However, Procedure CF2.ID9 is for in-house development of software applications. Please explain how this procedure is going to be used for the PPS replacement project.

Further, Section 5.1.2 of CF2.ID9 states that an independent review of the functional requirements prepared during the concept phase would be performed. The PG&E SyVVP does not identify this review, and thus there is no specific V&V product for this phase. Please identify who will perform this review and if this is considered a V&V product.

PG&E Response (09/17/2012): Altran developed the PPS Replacement FRS during the Concept phase in accordance with Altran EOP 5.4, and verified it in accordance with Altran EOP 3.4. Altran used PG&E procedure CF3.ID16 for additional guidance. PG&E accepted the FRS under CF3.ID17, which constituted verification of system requirements. This was a design activity rather than a V&V activity and there is no specific V&V product for this phase.

Item 45 (RA). Follow up of item 18 - Software V&V. Status: Closed.

Issue Description: RG 1.168 identifies five of the activities in IEEE Std. 1012-1998, Annex G, "Optional V&V Tasks," as being considered by the NRC staff to be necessary components of acceptable methods for meeting the requirements of Appendices A and B to 10 CFR Part 50 as applied to software. These tasks are:

1. Audits
2. Regression Analysis and Testing
3. Security Assessment
4. Test Evaluation
5. Evaluation of User Documentation

Westinghouse/ALS Document No. 6002-00003, "ALS V&V Plan," describes the following techniques for V&V: reviews, testing, traceability analysis, inspection/analysis, and IV&V regression (change) analysis. This plan does not include any of the optional V&V activities identified in IEEE Std. 1012-1998, Annex G. Please explain if these activities are performed.

PG&E Response: The DCPP V&V Plan has been revised to include these optional V&V tasks required by RG 1.168 to align with the new ALS V&V Plan for the Optional Tasks. The Diablo Canyon V&V Plan, Revision 1, was placed on the SharePoint on November 22 and was submitted by PG&E on December 5 in PG&E Letter DCL-12-121.

Comments:
12/19/12 update: NRC staff will review the document submitted and identify follow-up questions, if necessary, creating a new open item.
10/17/12 update: Westinghouse/ALS will submit the DCPP V&V plan on 10/31/2012.

Item 46 (RA). Software V&V. Status: Closed. RAI No.: RAI 27.

Issue Description: Several sections in the Invensys Software Verification and Validation Plan (SVVP) reference the "applicable Project Procedure Manual (PPM)" to perform certain activities. The reference section in this plan identifies PPM (Reference 2.4.4). It is not clear if the PPM is constituted by several procedures or if it is only one procedure. For example, Section 1.1 states the SVVP was prepared in accordance with PPM 7.0 (Ref. 2.4.4), and then Section 4 states that V&V activities will be planned and scheduled in accordance with the applicable PPM. Please describe what the PPM is, and explain how this is going to be used in the PPS replacement project.

PG&E Response: The Project Procedures Manual (PPM) provides appropriate controls for project activities conducted at the Invensys Operations Management (Invensys) Lake Forest facility. These controls will ensure that all nuclear Class 1E projects (or non-1E projects where the customer has specified certain 1E requirements) processes, project activities, and project documents will meet the requirements of 10 CFR 50, Appendix B, 10 CFR Part 21 and the Invensys Quality Management System. This procedures manual provides specific controls for NAO as well as other Invensys organizations that perform nuclear safety-related system integration project activities. The PPM is a collection of different procedures, including referenced Forms, and is a controlled document.

Each PPM procedure is intended to implement key areas of project activities. Each procedure within the PPM is assigned a unique document number and title.

V&V activities during the PPS Replacement Project will be governed by several procedures within the PPM as defined in the SVVP document, Invensys document 993754-1-802. The SVVP will be revised to add the title of each procedure within the PPM where referenced in the SVVP. For example, in the SVVP, Section 1.1, where it states that "the SVVP was prepared in accordance with PPM 7.0 (Ref. 2.4.4)," will be revised to state that "the SVVP was prepared in accordance with PPM 7.0, Application Program Development." The revised SVVP will be submitted by TBD.

Item 47 (RA). Software V&V. Status: Closed. RAI No.: RAI 28.

Issue Description: Invensys Document No. 993754-1-802, "Software Verification and Validation Plan," requires the use of V&V metrics to evaluate the software development process and products. This section does not explain what methods and criteria will be used for software safety metrics. This information is required by Section B.3.1 of BTP 7-14, RG 1.152, RG 1.173 and IEEE Stds. 1061 and 1074; also BTP 7-14 Section B.3.1.1.2. Please provide this information.

PG&E Response: The V&V metrics are used during development of the PPS Replacement software that will reside/execute on the V10 Tricon portion. The V&V metrics measure the thoroughness of V&V reviews and testing efforts. These measurements yield data utilized to gain reasonable assurance that the design outputs are of high quality commensurate with the intended use in the PPS Replacement application. The V&V metrics methodology, utilizing a diversity of software measures, provides insight into the rigor of the PPS software development process. V&V uses three distinct metrics during PPS software development:

Software Quality Metrics: The purpose of these metrics is to measure software quality by tracking the number of defects found in the design outputs (e.g., design documents, software). The method is to count and categorize defects found during V&V review of design outputs. The acceptance criterion is that no technical defects remain at the end of the current phase to receive V&V recommendation to proceed to the next project phase. Any defects that cause non-compliance with customer requirements and/or non-compliance with NRC guidance are considered technical defects.

V&V Effectiveness Metrics: The purpose of these metrics is to measure the effectiveness of V&V reviews by measuring the percentage of design outputs which V&V reviews or tests. The method determines the percentage of design outputs actually reviewed by V&V (which is meaningful for in-process design changes necessitating a change impact analysis, revisions to released design outputs, and a regression analysis). The acceptance criterion is that 100 percent of comprehensive or delta change reviews is achieved in the current phase to receive V&V recommendation of proceeding to the next project phase.

Software Safety Metrics: The purpose of these metrics is to assess whether software safety requirements are being met. Methods are to count software hazards found during V&V review or testing of design outputs and to confirm software hazard mitigation in each project phase, or, at a minimum, by the end of the project and approval at the completion of acceptance testing. The acceptance criterion is that all software hazards are mitigated by the end of the Test Phase to receive approval of the results of acceptance testing.

Item 48 (RA). Software V&V. Status: OPEN.

Issue Description: PG&E SyVVP, Section 6, requires that anomalies detected are identified, documented, and resolved during the V&V activities. This section states that anomaly reporting and resolution requirements are defined in the respective PG&E control procedures. Section 2, "Control Procedures," does not include a reference for an anomaly reporting procedure. Please identify the PG&E control procedure used for anomaly reporting.

Further, Section 7 of the SyVVP states that the PG&E authority responsible for approving deviations from the SyVVP is the PG&E Project Manager, who will document his/her approval in a Change Notice or equivalent formal PG&E document. Please identify where the responsible PG&E authority will document its approval.

PG&E Response:

1. The PG&E control procedure for anomaly reporting is OM7.ID1, "Problem Identification and Resolution." This procedure governs the PPS replacement after it has been turned over to PG&E by the suppliers. The suppliers' anomaly reporting procedures are applicable prior to this turnover.

2. The responsible PG&E Project Manager will document approval in an SAP notification. This will be included in the revision of the SyVVP currently in progress. It is noted that Section 7 of the SyVVP states the deviation shall be incorporated into the SyVVP as a revision at the first practical opportunity.

Comments:
12/19/12: Item 2 still pending.
10/17/12 update: For item 2, PG&E will revise the SyVVP and submit it on 11/30/2012.
9/17/12 update (Alvarado): NRC staff received copies of OM7.ID1 and XI1.ID2. This addressed item 1 of this open item.

49 RA Software V& V Closed RAI29 Invensys Document No. 993754-1-802, "Software Verification and Validation Plan", Section 6.3 states that the Invensys personnel prepared System Deficiency Integration Report (SDIR) to document non-conformances and corrective actions during testing; the SDIR is prepared in accordance with PPM 10.0. Please explain what PPM this is.

Further, the Invensys "Validation Test Plan", Section 5.4.2 states that the Test Review Board and PG&E shall review SDIRs, but this is not indicated in the Invensys V&V plan. Please explain why this review activity is not identified as a V&V task in the V&V Plan.

PG&E Response: The PPM 10.0 procedure defines the process to control nonconforming items and identify appropriate corrective action for all nuclear application projects developed at the Invensys Operations Management (Invensys) Lake Forest facility. This procedure is intended to provide controls for nonconforming items and corrective actions related to project activities. As used in this procedure, the term "nonconformance" describes deficiencies in parts and materials (items), documentation, and/or deviations from stated requirements. This procedure addresses the identification, documentation, evaluation, and disposition of nonconforming items. This procedure also describes the corrective action process to be used for project-related issues where corrective action is warranted.

~~~~~

~~~_~~~ _L-~~~ ~~~_~~~

January 24, 2013 DCPP PPS Open Item Summary Table Page 15 of 59 No SrclRI Issue Description P&GE response: Status RAI No. RAI Comments (Date Sent) Response (Due Date)

SWP Section 5.2.2.2.1 4) stated that Nuclear IV&V shall generate and verify the system-level Validation Test Plan, 993754-1-813, in accordance with PPM 6.0 [Ref 2.4.4], in conjunction with IEEE 829-1983. The SWP was developed in accordance with PPM 6.0, Test Control. In PPM 6.0, Test Control, it was stated that the Project Review Committee (PRC) shall review all test results for completeness, accuracy and acceptability. This review shall include all test documentation, e.g., the Test Procedures, the Test Logs, the System Integration Completion Checklist, the Test Report(s), and SIDRs.


50 RA Software V&V Closed RAI30 The Invensys Validation test plan, Section 8.2, states that the Narrative Test Logs are used to document conduct of testing and any anomalies that occur. Please explain if this is only used during validation, and why this is not mentioned in the Invensys SWP. Further, please explain how this is used in conjunction with the Document Review Comment Sheet (DRCS) and System Deficiency Integration Report (SDIR).

PG&E Response: PPM 6.0, Test Control, defines the Test Logs. All test activities shall be recorded in a Test Log. The Test Log constitutes a continuous, hand-written journal of all test activities from the point of initial entry into the Test Procedure until the conclusion of all testing, including any required retesting. The Test Log shall include entries for sign-in and sign-out of all participating personnel, establishment of indicated prerequisites and initial conditions for testing, performance of testing and retesting, identification of problems, etc. The Test Log is intended to be a detailed journal of all testing activities sufficient to fully document the actual sequence of testing performed, the test results achieved and any problems that occurred, including their impact on test performance. The Test Log shall be reviewed by the PRC as part of its evaluation of the test results.

The Test Logs are independent and separate from the Document Review Comment Sheet (DRCS) and System Deficiency Integration Report (SDIR).

However, as a test narrative, the Test Log may identify the fact that an SDIR was generated as a result of a test anomaly.

51.1.a RA Software Configuration Management Closed RAI31

1. Configuration Process a) In open item 4, the staff requested description of the software configuration management activities for configurable boards (e.g., ALS FPGA-102 board). Since the ALS FPGA-102 board is customer specific, its configuration management activities are not covered by "ALS Configuration Management Plan." Even though item 4 is closed, this request was not addressed in the response for item 4.

PG&E Response: 09/18/2012 ALS-102 Configuration. The FPGA installed on the ALS-102 board, and therefore the ALS-102 board itself, is specific to the PPS Protection set and the ALS subsystem in which it is installed. PG&E will not have the capability to alter the FPGA. Any change to the FPGA must be made by CS Innovations. Therefore, ALS-102 FPGA configuration management activities are covered by the ALS Configuration Management Plan. PG&E capability to change ALS-102 configuration will be limited to board-level replacement.

51.1.b RA Software Configuration Management Closed RAI32

1. Configuration Process b) The PG&E SCM 36-01, item 1.2.8, states that the ALS board has two sets of NVRAM. Further, it explains that the configuration of the NVRAM can be changed only by removing the subject board from the ALS chassis and inserting it into a special test fixture. It is not clear who will control this process and the configuration of the NVRAM.

Please explain.

PG&E Response: 09/18/2012 ALS I/O boards are generic; that is, each board is configured using its NVRAM for the specific function it is to perform. This activity is described in SCM 36-01 Section 1.2.8, which states that the configuration of the NVRAM is changed by removing the subject board from the ALS chassis and inserting it into a special test fixture. This would be performed as part of a maintenance activity, such as replacing a failed board. If the functionality of an I/O board required modification as a result of an application change, all required NVRAM configuration alterations would be performed by CS Innovations under their ALS Configuration Management Plan.

As with the ALS-102 FPGA discussed above, PG&E will not have the capability to alter the NVRAM configuration itself. PG&E capability to change the NVRAM configuration for a specific I/O board will be limited to loading NVRAM images that are under CS Innovations configuration control and that have been previously verified and validated at the system level by CS Innovations.

Configuring the NVRAM in order to replace an I/O board will be performed by PG&E under an approved plant maintenance procedure.

51.1.c Software Configuration Management Closed RAI33

1. Configuration Process c) Section 1.2 of the Invensys Document No. 993754-1-909, "Software Configuration Management Plan," states that this plan controls the operating system of the computers used to run TriStation 1131 and the signal simulation software used for testing purposes. However, the description provided throughout the plan only focuses on the configuration activities for the TSAP (e.g., Section 2.3 states that the SCM procedures are for the TSAP). Further, this same section (later on) identifies the software configuration to be managed, and this list does not include the operating system of the computers used to run TriStation 1131 and the signal simulation software used for testing purposes. Please clarify the scope of this plan.

PG&E Response: 09/18/2012 There was no intent for the SCMP to do more than track the revision of Commercial Off The Shelf (COTS) software. In this case "Control" is defined as tracking the revision levels such that they are recorded on the project Master Configuration List, Invensys project document 993754-1-803.

On page 7 of the SCMP, under "Limitations," it states, in part, that the revision levels of this type of software will be tracked.

51.2 Software Configuration Management Open

Comments: 12/17/12 update: Waiting for PG&E to revise SCMP. 10/17/12 update: PG&E will revise the SCMP to address several open items.

2. Organization The organization and responsibilities described in Section 4 of CF2.I02 is not consistent with the information presented in Section 2 of SCMP 36-01. For example, Section 2 of SCMP 36-01 identifies system coordinator, application sponsor, and system team, who are not identified in Section 4 of CF2.I02. Further, these descriptions are not identified in the project organization described in PG&E PPS Replacement Plan (Attachment 3 of the LAR). Please clarify the roles and responsibilities for SCM, and provide a cross reference of the PG&E organizations described in these documents.

PG&E Response 12/16/2012: PG&E will revise the SCMP plan to be consistent with the CF2.I02 section 4 organization, including a description of additional roles and responsibilities not required by CF2.I02, if needed.

51.3.a Software Configuration Management Open

Comments: 12/19/12 update: response pending. 10/17/12 update: PG&E will revise the SCMP to address several open items.

3. Changes and Problems Identification a) PG&E SCMP 36-01 states that software, hardware, and configuration problems are reported in accordance with PG&E OM7.I01 and that software and/or configuration problems are reported via a PROG PDCM Notification. Please clarify when and how these are used. For example, for software problems does one have to report the problem using both PG&E OM7.I01 and a PROG PDCM Notification? Note that PG&E CF2.I02 states that all problems associated with the plant computer system should be reported and documented per OM7.I01 (See section 5.11 and 5.16.10 (b) of CF2.I02).

Further, Section 3.2.1 states that all PPS modifications should be initiated and tracked per plant procedures or CF4.I01. Section 3.2.2 states that the implementation of the change is documented in the associated Change Package and a SAP notification and order. And Section 3.2.10 states that all identified problems and corrective actions are tracked using a notification, which is not specified.

So should software modifications require reporting and tracking using OM7.I01, CF4.I01, PROG PDCM Notification, Change Package, and SAP Order?

Please explain PG&E procedures for different changes and the documenting and tracking system used for all types of modification.

PG&E Response: a) All problems are entered into the corrective action program using PG&E administrative procedure OM7.I01 and are required to be entered into an SAP (electronic business management software) notification (electronic tracking document). Notifications can be identified as different Work Types in order to categorize the type of problem, the priority of the problem, and to facilitate routing the problem to appropriate personnel needed to review and resolve the problem. A "PROG PDCM" type notification is a program (PROG) plant digital configuration management (PDCM) type of problem, and software and configuration problems are examples of problems that would be assigned a Work Type of "PROG PDCM" in the notification. Plant hardware problems are assigned a Work Type of "EQPR" to identify the problem as an equipment problem.

Plant modifications, including software modifications, are requested using plant procedure CF4.I01, "Plant Modification Request and Approval" and the modifications are performed using paper/electronic image based change documentation (Change Package) and are tracked in SAP using a notification and an order. An order is an electronic tracking document that allows detailed tracking of job requirements, parts, details, schedule, and approval.

51.3.b Software Configuration Management Closed RAI34

3. Changes and Problems Identification b) Please clarify the means to track changes. Section 3.2.4.7 of the SCM 36-01 states that this is done using a SAP order, but Section 3.2.4.7 states that Change Package and SAP order are entered in the Record Management System, and Section 3.3 describes a Configuration Status Account, which is used to track changes of configuration items.

PG&E Response: The means to track changes is the SAP order. The Record Management System is the system used at Diablo Canyon to store and allow retrieval of documents to meet 10 CFR 50 Appendix B quality assurance requirements. Completed Change Packages and SAP orders are entered into the Record Management System for storage and to allow later retrieval.

51.4.a Software Configuration Management OPEN

Comments: 12/19/12: response pending.

4. Document Repository
a. SCM 36-01, Section 2.3.3 identifies the Digital Systems Engineering SourceSafe as the repository, but Section 3.2.5.5 identifies http://dcpp142/idmws/home/asp, and Section 3.29 states that the files necessary for recovery of the baseline are maintained in the PPS database in SC-I-36M, "Eagle 21 Tunable Constants." It is not clear if these two sections are referring to the same document repository or if it is the same. Please clarify.

PG&E Response: The SourceSafe is used for executable files (exe files), source code, program code, and database files, etc. The link http://dcpp142/idmws/home/asp is to FileNet, an electronic file storage system. FileNet is used to store documentation like the PPS Replacement Project documents (e.g., Software Configuration Management document, Functional Requirements Specification, Interface Requirements Specification, etc.).

51.4 Software Configuration Management OPEN

Comments: 12/19/12: response pending.

4. Document Repository
b. PG&E has implemented restrictions to access files and documents associated with the PPS replacement project. Further, PG&E requires user authentication and access to edit configuration, software, and data. It is not clear if these restrictions apply for access to the Digital Systems Engineering SourceSafe or the repository in http://dcpp142/idmws/home/asp.

PG&E Response: Microsoft SourceSafe requires special permissions to access the appropriate directory and then requires a login and special software to access the files. FileNet allows files to be viewed without a special login, but to modify, delete, or add files, special permissions need to be assigned.

52 RJS Security: OPEN

Comments: 1/16/2013 NSIR: Require NSIR input prior to closing this item. Requested NSIR to either provide written response or discuss the status of this item at the 1/24/13 conference call.

PG&E stated in its letters DCL-11-123 and DCL-11-104 that the PPS replacement will be fully compliant with the 10 CFR 73.54 cyber security requirements, including RG 5.71, Revision 0, "Cyber Security Programs for Nuclear Facilities," dated January 2010, and is being reviewed to comply with 10 CFR 50.73, the DCPP Cyber Security Plan, and NEI 08-09, "Cyber Security Plan for Nuclear Power Reactors," Revision 6, dated April 2010. The cyber security program that PG&E is implementing per its NRC approved cyber security plan includes provisions applicable to all phases of a system's life cycle, including the digital upgrade or modification of critical digital assets.

Please explain how the provisions outlined in PG&E's NRC-approved cyber security plan were considered, and/or implemented, as part of the PPS replacement. The provided explanations should include how all of the management, operational, and technical security controls contained within the plan, especially security controls associated with Configuration Management and System and Service Acquisition, are being addressed.

The provided explanations should also include any issues associated with partial implementation of the PPS replacement and full implementation of the cyber security plan for the site, and processes to identify and resolve any such issues.

PG&E Response: The Cyber Security program manager and other members of the CSAT (Cyber Security Assessment Team) met with the Process Protection System (PPS) Upgrade design engineer beginning in 2011. Many options were discussed.

The Cyber Security program manager and project manager have met with the procurement group to discuss cyber security principles that should be written into the procurement procedures, and what steps will help to ensure a secure supply chain.

The Cyber Security Assessment Team (CSAT) was formed in accordance with section 3.1.2 of the cyber security plan, and Milestone a, on 10/31/2011. A list of critical digital systems and assets was created in accordance with section 3.1.3 of the cyber security plan and Milestone b on 10/31/2011. The CSAT looked at scheduled digital upgrades, and added the future equipment to the list of critical digital systems. The CSAT determined the PPS equipment will be a critical system, with several CDAs.

From July 9-12 2012, the cyber security project manager accompanied members of the Quality Verification group to examine the design and production facilities of Invensys , and examined the code production practices and the development environment, and determined that Invensys has an SDE, and ensures their employees are reliable and trustworthy.

Activities planned for the future.

In December of 2012, the network that the PPS will eventually reside on will be isolated from internet connected networks by a deterministic network device, per milestone c of the DCPP Cyber Security Plan. Thus many network attacks, including many that depend on a back door created by a vendor, will not be possible.

Also by December of 2012, DCPP will have taken steps to lessen the likelihood of an attack initiated by a portable electronic device, or portable media such as a thumb drive, per Milestone d and section D 1.19 of NEI 08-09. This will mitigate portable media based attacks that depend on a back door created by a vendor.

The DCPP Cyber Security Team will interface with NUPIC (Nuclear Procurement Issues Committee) and the NEI/NITSL counterfeit parts task force to address digital equipment supply chain security.

The Cyber Security Implementation Project Manager has developed a detailed project plan, with several tasks and schedules. Several existing plant procedures will be revised. The PPS will inherit the controls implemented by these procedures. Many of the procedures will have been changed/created before the PPS is installed.

The CSAT is collecting design information as it becomes available. The collected design documentation is being reviewed as it is collected. The collected documentation will be reviewed in a formal desktop evaluation per the cyber security plan, section 3.1.5 prior to the PPS installation. The test set up in the offsite test lab near the plant will be visited on occasion by the CSAT, the system will be walked down repeatedly during installation, and the final walkdown will be performed when the system is ready to return to operations, per section 3.1.5 of the security plan.

The CSAT will make recommendations to enhance the cyber security posture of the PPS upgrade throughout the project, and will make their final recommendations after the system walkdown, per section 3.1.6 of the cyber security plan.

Disposition of all controls will be documented in the cyber security assessment tool, CyberWiz. Recommended mitigation will be documented in CyberWiz, and the Corrective Action Program.

55 WEK Closed RAI35

Comments: Acceptable response. Send this as an RAI so that the issue does not get lost.

PG&E Letter DCL-12-050, Phase 2 Documents, Attachment 2 FSAR Changes, FSAR Section 7.1.2.5, Conformance With Other Applicable Documents (page 7.1-13) does not indicate the NRC Safety Evaluation that will be produced to approve the PPS. The staff's SER should become part of the DCPP Unit 1&2 licensing basis once it is issued. How will this be documented within the FSAR?


PG&E Response: Reference to the staff SER will be included in FSAR Section 7.2.1.1.6 for the reactor trip portion of the process protection system and to Section 7.3.1.1.4.1 for the engineered safety features actuation system portion of the process protection system.


56 WEK Closed RAI36

Comments: Acceptable response. Send this as an RAI so that the issue does not get lost.

PG&E Letter DCL-12-050, Phase 2 Documents, Attachment 2 FSAR Changes, FSAR Section X.X.X.x, (page 7.2-23) states that the evaluation for the common mode failure in the PPS is presented in Reference 37 [DCPP PPS D3 LTR] and approved in Reference 38 [the staff's SER approving the DCPP PPS D3 LTR]. However, it is noted that in the staff's SER it was stated in several sections that the D3 design features were approved based on " ... confirmation that the proposed built-in diversity of the ALS sub-system is found to be acceptable." This confirmation will be provided in the DCPP PPS SER; therefore, the staff's SER should also be referenced in this section.

PG&E Response: Reference to the staff SER for LAR 11-07 will be included in FSAR Section 7.2.2.1.2 in addition to the staff SER for the DCPP D3 LTR.

57 WEK Closed RAI37

Comments: Acceptable response. Send this as an RAI so that the issue does not get lost.

PG&E Letter DCL-12-050, Phase 2 Documents, Attachment 2 FSAR Changes, FSAR Section 7.2.2.9.2, IEEE 603-1991 Clause 5, Clause 5.12 (page 12) states that " ... the communication path between the maintenance workstation and the ALS subsystem is normally disabled with a hardwired switch ... " Also, Attachment 3, PG&E PPS Interface Requirements Specification (IRS), Rev. 6 to PG&E Letter DCL-12-069 dated August 2, 2012 states in section 1.5.6 " ... TAB communications between the ALS and MWS takes place via RS-485 data link. The TAB is physically disconnected from the MWS when the TAB is not in use .... the TAB is open at all times unless maintenance is being performed on the ALS ... " Please identify administrative controls and design features associated with the PPS that explain how the MWS is disconnected/disabled from the PPS (i.e., a means of physical cable disconnect, or a safety-qualified hardware switch that either physically opens the data transmission circuit or interrupts the connection by means of hardwired logic. "Hardwired logic" as used here refers to circuitry that physically interrupts the flow of information, such as an electronic AND gate circuit (that does not use software or firmware) with one input controlled by the hardware switch and the other connected to the information source: the information appears at the output of the gate only when the switch is in a position that applies a "TRUE" or "1" at the input to which it is connected. Provisions that rely on software to effect the disconnection are not acceptable. It is noted that software may be used in the safety system or in the workstation to accommodate the effects of the open circuit or for status logging or other purposes) that demonstrate how this hardwired switch disconnects the ALS maintenance workstation from the ALS safety processor.

PG&E Response: For the ALS subsystem, instead of using a hardwire keyswitch, the ALS subsystem will be administratively controlled by physically disconnecting the communication link to the ALS MWS computer when the Test ALS Bus (TAB) is not being used for surveillance testing, maintenance, and trouble-shooting. This is a PPS replacement design change described in the response to NRC request for additional information in PG&E Letter DCL-12-083 and will be included in a supplement to LAR 11-07.

58 RJS Closed RAI38

Comments: 10/19/12: If I understand the PG&E response correctly, these system effects are being evaluated within the context of the local effects that are also provided in the FMEA. Application specific compensating features that influence the systematic effects of these failure modes are thus accounted for within the analysis. Agree to close but would like the PG&E response on record. Need RAI.

ALS FMEA - There are several failure modes identified in Table 4-4 of the FMEA where the System Effects entry provides a description of functions that are not affected by the failure mode instead of stating what the effects of the failure mode are. For example, the System Effects in the ETT failure in line 5b of table 4-4 are that the Alarm Function remains operational. Though this may be the case, it does not state what the effects of the failure mode are. Examples of this can be found in lines 5b, 6a, 6b, 7a, 9h, 9i, 11b, 11c, and 11d.

PG&E Response: The System Effects entry does describe the functions that are affected by the failure mode. This entry must be read in the context of the entire FMEA table row. For example, the cited row for ETT failure in line 5b discusses the effects of failures of the ALS-402-1 digital output board which sends Alarm Signals to other systems. In the case of Energize to Trip outputs (ETT) a stuck open output channel will prevent the core A rack from being able to actuate the Alarm (in this case a specific instance of an ETT Alarm is cited, the "Containment Pressure in Test Alarm"). However, due to the compensating features, which in this case is the redundant implementation of the function in the core B rack, the System Effect is that the Alarm function remains operational. A similar reading applies to the other examples cited.

59 RJS Closed N/A

Comments: 10/19/12 - rjs: Response accepted.

ALS FMEA - Some of the identified failure modes of the ALS system are detectable only by operator observations, or by means that are not necessarily performed during routine operation or during surveillance testing. See lines 10c and 12a. What measures will be implemented to ensure that these failure modes would not occur and remain undetected for an indefinite period of time?

It is the staff's understanding that all failure modes which are not detectable through normal means such as surveillance tests or channel checks would need to be considered present for the purpose of satisfying single failure criteria for the system.

PG&E Response: Surveillance testing includes visual inspection of the equipment in addition to the specified test cases that demonstrate functionality. Therefore, those failure modes that are detected by operator observations will be detected as part of the surveillance test. IEEE Std 379-2000 defines detectable failures as those failures that can be identified through periodic testing or that can be revealed by alarm or anomalous indication. Therefore, such failures do not need to be considered to be present for purposes of evaluating single failure criterion compliance.

The specific cases cited are clear examples. Line 10c discusses failures of the local partial trip indicators. Failures of the indicators do not affect the actual trip function. During the test the technician uses the indicators to confirm that the trip action occurs at the appropriate threshold. Thus the act of observation of the failure during surveillance testing is assured. Line 12a discusses failure of the serial link used for continuous monitoring of the ALS health. Failure of this link does not affect the safety functions of the rack, but would be immediately obvious at the workstation used to do the monitoring.

This workstation is used in surveillance testing.
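The way items 58 and 59 read an FMEA row (local effect plus compensating redundancy gives the System Effect; a failure is assumed present for single-failure analysis only if it is not detectable in the IEEE Std 379-2000 sense) can be written down as a small evaluator. This is an added illustration by the editor, not part of the meeting summary, the ALS FMEA or any PG&E tool; the rows, the redundancy map and the line X1 are constructed.

```python
"""Evaluate constructed FMEA rows the way items 58 and 59 describe.

System Effect = local effect read against compensating features (here,
redundant implementation of the function in another rack). A failure is
detectable (IEEE Std 379-2000 sense) if periodic testing or an alarm or
anomalous indication reveals it; operator observation is credited only
when it is a step of a surveillance test. Undetectable failures are assumed
present for single-failure analysis. All rows below are constructed.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List


class Detection(Enum):
    PERIODIC_TEST = "periodic surveillance test"
    ALARM = "alarm or anomalous indication"
    OPERATOR_OBSERVATION = "operator observation"
    NONE = "no identified detection means"


@dataclass(frozen=True)
class FailureMode:
    line: str                 # FMEA table line label, e.g. "5b"
    component: str            # failed item
    mode: str                 # how it fails
    rack: str                 # rack whose copy of the function is lost
    function: str             # plant function the item serves
    local_effect: str         # effect at the rack / channel level
    detection: Detection
    observed_in_surveillance: bool = False  # observation is part of a surveillance


def is_detectable(fm: FailureMode) -> bool:
    """IEEE Std 379-2000 reading: periodic test or alarm/anomalous indication.
    Operator observation counts only when performed as part of a surveillance
    (the item 59 reading of line 10c)."""
    if fm.detection in (Detection.PERIODIC_TEST, Detection.ALARM):
        return True
    if fm.detection is Detection.OPERATOR_OBSERVATION:
        return fm.observed_in_surveillance
    return False


def system_effect(fm: FailureMode, redundancy: Dict[str, List[str]]) -> str:
    """Combine the local effect with redundancy to state the system-level effect."""
    surviving = [r for r in redundancy.get(fm.function, []) if r != fm.rack]
    if surviving:
        return (f"{fm.function} remains operational "
                f"(redundant implementation in {', '.join(surviving)})")
    return f"{fm.function} lost: no redundant implementation compensates"


def evaluate_row(fm: FailureMode, redundancy: Dict[str, List[str]]) -> dict:
    detectable = is_detectable(fm)
    return {
        "line": fm.line,
        "local_effect": fm.local_effect,
        "system_effect": system_effect(fm, redundancy),
        "detectable": detectable,
        # item 59: undetectable failures are considered present for single-failure analysis
        "assume_present": not detectable,
    }


def evaluate(rows: List[FailureMode], redundancy: Dict[str, List[str]]) -> List[dict]:
    return [evaluate_row(fm, redundancy) for fm in rows]


# Constructed redundancy map: which racks implement each function.
REDUNDANCY = {
    "Containment Pressure in Test Alarm": ["core A", "core B"],
    "Local partial trip indication": ["core A"],
    "ALS health monitoring (serial link)": ["core A"],
    "Hypothetical single-rack output": ["core A"],
}

# Constructed rows loosely modelled on lines 5b, 10c and 12a as discussed above,
# plus a hypothetical line X1 that shows the undetectable case.
SAMPLE_ROWS = [
    FailureMode("5b", "ALS-402-1 digital output board", "ETT output channel stuck open",
                "core A", "Containment Pressure in Test Alarm",
                "core A rack cannot actuate the alarm", Detection.PERIODIC_TEST),
    FailureMode("10c", "local partial trip indicator", "indicator fails dark",
                "core A", "Local partial trip indication",
                "indicator unreadable; trip function itself unaffected",
                Detection.OPERATOR_OBSERVATION, observed_in_surveillance=True),
    FailureMode("12a", "serial health monitoring link", "link down",
                "core A", "ALS health monitoring (serial link)",
                "no health data at monitoring workstation; safety functions unaffected",
                Detection.ALARM),
    FailureMode("X1", "hypothetical output", "latent stuck-at fault",
                "core A", "Hypothetical single-rack output",
                "output frozen", Detection.NONE),
]

if __name__ == "__main__":
    for r in evaluate(SAMPLE_ROWS, REDUNDANCY):
        print(f"{r['line']:>3}: local: {r['local_effect']}; system: {r['system_effect']}; "
              f"detectable={r['detectable']}; assume present={r['assume_present']}")
```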

60 RJS Open RAI39

Comments: 1/15/13 - Waiting for Evaluation Summary Report which is due at end of January.

Technical Specifications: In order for the staff to make a determination that the existing technical specifications and surveillance intervals remain acceptable for the replacement PPS system, an evaluation to compare the ALS/Tricon PPS system reliability and performance characteristics with those of the Eagle 21 system must be performed. Please provide an evaluation summary report to support the application of existing technical specification and surveillance test intervals to the upgraded ALS/Tricon based PPS system. This report is expected to include a quantitative analysis to demonstrate the new system's ability to perform its required safety functions between established surveillance intervals as well as a qualitative (i.e., deterministic) analysis which cites the self diagnosis and fault detection features of the replacement PPS. The report should address the staff's previous findings in Section 4.3, "Applicability of WCAPs to DCPP," of Amendment No. 179, dated January 31, 2005 (ML050330315).

PG&E Response: An evaluation summary report to support application of the existing TS and TS surveillance test intervals will be provided by January 31, 2013.

61 RA Closed

Comments: 12/19/12: NRC Staff will review the document submitted and identify follow up questions, if necessary, creating a new open item. 11-28-12 update: The staff will review the V&V plan to determine if this item can be closed.

Software V&V Plan: ALS provided Revision 7 of its V&V plan (6002-00003). This revision provides a mapping and alignment with IEEE Std 1012-1998. This now causes a misalignment with the DCPP V&V Plan, 6116-00003. Thus, the DCPP V&V Plan will need to be revised. Please identify when this new revision will be submitted.

PG&E Response: The DCPP V&V Plan, Revision 1 has been created to provide consistency with the ALS V&V Plan. The Diablo Canyon V&V Plan, Revision 1, was placed on the Sharepoint on November 22 and was submitted on December 5 in PG&E Letter DCL-12-121.

62 RA Closed

Comments: 12/19/12: NRC Staff will review the document submitted and identify follow up questions, if necessary, creating a new open item. 11-28-12 update: The staff will review the PPS Management Plan and they plan to determine if this item can be closed.

Software Management Plan: Revision 2 of the ALS "Diablo Canyon PPS Management Plan," 6116-0000, Section 2.1 and 2.2, defines the project organization. As described in guidance documents BTP 7-14 and NUREG/CR-6101, licensees need to describe the management aspects of the software development process. Please clarify the following:

1. The description provided in this section does not align with the organization structure provided in Figure 2-1. The description provided is not clear. For example, the bulleted list identifies "Scottsdale Operations Director", but then the 1st paragraph refers to Scottsdale Operations Director and ALS Platform & System Director. It is not clear if this is the title for one person or for two. Further, Figure 2-1 does not identify the ALS Platform & System Director, if this role is performed by a separate individual. Please clarify this.
2. This section states that the ALS V&V Plan provides information on the interface between the IV&V team and the PPS replacement project. It is not clear why the ALS V&V plan will provide this information, since the ALS V&V plan is for the generic platform. Please clarify what document contains this information.
3. This section states that the WEC Project Manager is responsible for the commercial process interface with PG&E. However, this role is not listed in the bulleted item list and not identified in Figure 2-1. Please clarify this role.
4. Figure 2-1 identifies a QA Manager, but this section only describes the QA Lead. Please describe the role and responsibility for the QA Manager.
5. Section 4.1, Planning Stage, mentions a "Project Leadership Team," which is not described in Section 2. Please explain the role and responsibilities for this team.

PG&E Response: To address item 1, the Diablo Canyon PPS Management Plan, Revision 3, clarifies in Section 3 the organization details. To address Item 2, the Diablo Canyon IV&V Plan, Revision 1, provides information on the interface between the IV&V team and the PPS replacement project. To address items 3 to 5, the Diablo Canyon PPS Management Plan, Revision 3, clarifies in Section 3 that the WEC Customer Project Manager is responsible for the commercial process interface with PG&E, the roles and responsibilities of the QA Manager, and the roles and responsibilities of the Project Leadership Team. The Diablo Canyon PPS Management Plan, Revision 3, was placed on the Sharepoint on November 15 and was submitted on December 5 in PG&E Letter DCL-12-121. The Diablo Canyon V&V Plan, Revision 1, was placed on the Sharepoint on November 22 and was submitted on December 7 in PG&E Letter DCL-12-121.

No. 63 | Src/RI: RA | Status: Closed
Issue Description: Software Management Plan: Revision 2 of the ALS "Diablo Canyon PPS Management Plan," 6116-0000, Section 4.1, Planning Stage, identifies that deliverables from this phase are approved by the "Managerial Review Board." However, this document does not identify the role and responsibilities for this board. Furthermore, the ALS PPS V&V Plan, 6116-00003, Rev. 0 states that IV&V will review the planning stage documents. Please clarify the person/team responsible for this review and their role and responsibilities.

Comments: 12/19/12: NRC Staff will review the document submitted and identify follow up questions, if necessary, creating a new open item.

PG&E Response: The Managerial Review Board review and the IV&V reviews are two different reviews. The Managerial Review Board gives the final "exit criteria" approval for both the Planning and Development Stages; this Managerial Review Board approval is required for entrance into the next subsequent stage. Their role is clarified in the "exit criteria" details included in Section 4.1's Planning Stage and Development Stage sub-sections. The IV&V team also reviews the planning stage documents according to the criteria in the V&V Plan. Additional details have been added to the Management Plan. The Diablo Canyon PPS Management Plan, Revision 3, was placed on the Sharepoint on November 15 and was submitted on December 5 in PG&E Letter DCL-12-121.

No. 64 | Src/RI: RA | Status: Closed | RAI No.: RAI 40
Issue Description: Software Management Plan. To close Items 27 and 29, PG&E issued the DCPPS Project Quality Assurance Plan to define the oversight activities to be performed during the PPS replacement project. Section 2 of this plan describes the responsibilities of those involved in oversight activities. However, it is not clear how these roles and responsibilities correlate to the project organization described in the PG&E PPS Replacement Plan (Attachment 3 of the LAR) and the PG&E PPS Replacement System Quality Assurance Plan (Attachment 4 of the LAR). For example, the Project Quality Assurance Plan describes the responsibilities of the PPS replacement Project Manager, but this role is not described in other documents. Further, the responsibility described seems to align with the responsibility of the PG&E Project Manager. Please explain the relationship, if any, of the roles and responsibilities described in the DCPPS Project Quality Assurance Plan and those provided in other PG&E plans.

PG&E Response: The "Quality Assurance Plan for Diablo Canyon Process Protection System Replacement" (referred to as the "Project Quality Plan" in response to OIs 27 and 29) was a project specific document created by the Quality Verification group (a Quality Assurance organization) to identify the Quality Assurance tasks to be performed by the Quality Verification group for the project. The "Quality Assurance Plan for Diablo Canyon Process Protection System Replacement" provides the specific plan to be used by the "Supervisor Project QA" identified in Section 3.5.1 (page 19) of the SyQAP and the "Project QA Engineer or Equivalent" identified in Section 3.5.8 of the SyQAP to provide PG&E quality oversight for the project, which in part supports meeting 10 CFR 50 Appendix B quality assurance requirements for the project.

The "Supervisor Project QA" is not identified in the PPS Replacement Project Plan Figure 2-1 (PPS Replacement Project Organization) because they are not part of the Project Organization, but instead provide independent quality assurance oversight of the Project Organization.

Section 6.1, "System Quality Assurance Plan (SyQAP)," of the PPS Replacement Project Plan discusses the SyQAP, which in turn references the "Supervisor Project QA" in Section 3.5.1 (page 19) and the "Project QA Engineer or Equivalent" in Section 3.5.8 to provide PG&E quality oversight for the project.

No. 65 | Src/RI: RJS | Status: Open
Issue Description: KVM Switch Questions: See Attachment 3

PG&E Response: See Attachment 3

No. 66 | Src/RI: WEK | Status: Close | RAI No.: RAI 41
Issue Description: Section 4.2.13.1 of the LAR (page 85) states: "... The NetOptics Model PA-CU/PAD-CU 1 PA-CU port aggregator network tap was approved previously by NRC for a similar application in the Oconee RPS SER Section 3.1.1.4.3 [18]. The NRC staff determined that due to the electrical isolation provided by use of fiber optic cables and the data isolation provided by the Port Tap and the Maintenance and Service Interface (MSI) in the Oconee RPS, there was reasonable assurance that a fault or failure within the Oconee Gateway computer or the Operator Aid Computer will not adversely affect the ability of the Oconee RPS to accomplish its safety functions."

In section 3.1.1.5.2.1 of the Oconee SER, the staff approved the NetOptics aggregator Port Tap, Model 96443, No. PA-CU, as a device intended to allow monitoring of a full duplex 10/100BaseT Ethernet communication link by copying the communications and sending that copied communications to a one-way simplex communications link. Due to the importance of this one-way communications path functioning properly, the NRC staff performed a detailed review of the design aspect of this one-way communications path.

Circuit diagrams on the device itself indicated that the communications using Port C (Port 1 in the case of the DCPP PPS application) may be capable of two-way communications. Since the original review of Model 96443, part No. PAD-CU Port Tap required NRC staff examination of actual schematic drawings of the circuitry to determine that there was no inbound communications path associated with Port C (Port 1 for the PPS), a similar schematic review for any replacement or updated model of the Port Tap must be evaluated in the same manner (by the licensee) to determine that the manner in which it is being used and configured is acceptable, and that it does not invalidate the conclusion of this SE that use of the Port Tap provides adequate data isolation between the Gateway computer and the digital RPS/ESPS. The Port Tap approved for Oconee was model 96443 PA-CU.

11-28-2012 Update: The response below still needs further clarification: Section 3.7.2.1 (page 71) of the approved Tricon V10 LTR SER (ML12146A010) states: "The NetOptics Port aggregator Tap, Model 96443, No. PA-CU, or PAD-CU, is a device intended to allow monitoring of a 10/100 BaseT Ethernet communication link by communications and sending that copied information to a separate one-way communications link. Port A of the Port Tap is connected to the TCM, and Port B is connected to the Maintenance Terminal (maintenance video display unit (MVDU))." Since the LAR references the Port Tap approved within the Tricon V10 SER, this model number 96443 may still be confusing to the reader.

Please provide the model number of the Port Tap that PG&E will use in the DCPP PPS and provide an explanation of its equivalency to the Port Tap approved for the Oconee RPS/ESPS LAR.

Comments: 12-19-2012 update: Response acceptable. OI will be closed to a new RAI. 11-28-12 update: See 11-28-2012 update question. A new RAI will be added to clarify this inconsistency so it will be on the docket.

Revised PG&E Response 12/17/2012: The PPS Replacement application will use the NetOptics Model PA-CU network port aggregator tap to isolate the Tricon portion of the PPS replacement from the gateway computer.

NetOptics has confirmed via e-mail (Case# 205591) that part number "96443" is the same as PA-CU. It is the old SKU part number for the PA-CU.

No. 67 | Src/RI: WEK | Status: Closed | RAI No.: RAI 42
Issue Description: Section 4.2.13.1 of the DCPP PPS LAR (pg. 85) states, "Port aggregator dual in-line package (DIP) switch positions will be controlled by DCPP configuration management processes." Please provide a documented basis (e.g., a plant procedure, or engineering design package) that demonstrates how this will be controlled.

Comments: 11-28-12 update: Response is acceptable.

PG&E Response: The Port aggregator DIP switch positions will be controlled by a plant procedure or plan. The plant procedure or plan will be developed as part of the design change for installation of the PPS replacement after NRC approval of the LAR.

No. 68 | Src/RI: WEK | Status: Open
Issue Description: Please provide a detailed functional description of the DCPP PPS NSR Gateway Computer(s) system; including computers/processors, communications protocols, and data isolation details. Or, please indicate where this information is explained within the LAR and supporting documents. Also, please provide a detailed explanation of the Gateway Switch discussed within the LAR; including its operating principle (hardware, logic based, etc.), data/electrical isolation design features, and any other pertinent information pertaining to its failure mechanisms.

11-28-2012 follow up question: Figure 4-13 (Pg 87) of the LAR indicates that data communications is provided directly between the SR ALS "A" & ALS "B" Protection Sets I, II, III, and IV, and the NSR Gateway Computers via RS-422 copper media (i.e., not through the Port Tap). Section 4.8.2 b) (page 110 of the LAR) states that "...All other communication to non-safety equipment, i.e., Plant Computer, is via continuous one-way communication channels on the ALS 102." Please describe how the 1E/non-1E data communication and electrical isolation is implemented within the ALS for this configuration. Also, explain how the ALS "A" & "B" inputs to the NSR Gateway Computers are isolated from each other, and the data communication protocols associated with processing this data within the Gateway Computers.

12-19-2012 follow up question: As stated in the 12-17-2012 response below, the 1E/non-1E data communications electrical isolation is not part of the ALS topical report review. Please provide a detailed explanation of how all 1E/non-1E communications data electrical isolation between the ALS processor and NSR systems will be accomplished.

Comments: 12-19-2012 update: Response did not answer the question about providing a functional description of the DCPP PPS NSR Gateway computers. The staff needs to understand how the Gateway computer and the Gateway Switch communication protocols will not corrupt the data signals coming from the ALS Protection sets 1-4 and not impact the execution of the ALS safety function. A detailed response to this question is needed in the LAR or supporting documents. See 12-19-2012 follow up question re: electrical isolation for the DCPP PPS ALS. 11-28-12 update: See 11-28-2012 follow up question.

PG&E Response: The DCPP Gateway computer and Gateway switch are part of an existing system that was installed by a previous project, and therefore were not included in the scope of the changes requested for approval in the LAR.

Communications from the Gateway Switch to the Tricon are functionally isolated by the Triconex Communication Module (TCM) and NetOptics Model PA-CU Network Port Aggregator Tap discussed in Tricon V10 SER Section 3.7.2.1. A fiberoptic data link provides electrical isolation.

The NetOptics PA-CU Network Port Aggregator Tap was approved for this use in the Oconee RPS SER. The PA-CU prevents inbound communications from external devices or systems connected to Port 1 of the Port Aggregator from being sent to interactive Ports A and B. The Oconee SER described the methods they used to verify that Aggregator Port 1 provides one way outbound communications only. As a transmit only device, it does not listen to and is not affected by the communications protocol (or lack thereof) of the external device or system to which it is connected.

The ability of the Port Aggregator Tap to prevent inbound communications to the Tricon from its Port 1 will be verified at the Tricon V10 FAT and the SAT as previously stated in PG&E Letter DCL-12-083 dated September 11, 2012.

Updated PG&E Response 12/1212013:

The response to OI #73 discusses the Transmit Bus TxB2 data communication path from the ALS-102 Core Logic Board to the ALS MWS. Transmit Bus TxB1 transmits data from the ALS-102 CLB to the Gateway Computer.

Both TxB1 and TxB2 are EIA-422 communication links in which Receive capability is physically disabled by hardware as described in the ALS-102 Design Specification, 6002-102002. The receiver is configured such that the transmit data is looped back for channel integrity testing. The ALS-102 is physically and electrically incapable of receiving information from outside the ALS-102 via the Transmit Busses TxB1 and TxB2. Therefore, messages are not disregarded or rejected by the ALS-102. This is better than a "broken wire." The wire just isn't there, and there is no place to connect a wire if someone wanted to do so.

Updated WEC Response 12/17/2012:

The 1E/non-1E data communication is described in the ALS Topical Report, Sections 2.2.1.3 and 5.3.2; and in 6116-00054, "Diablo Canyon PPS ISG04 Matrix", Position 2. The electrical isolation qualification of the 1E/non-1E data communication is not part of the ALS Platform review project, and will be qualified with an isolation fault test that will be conducted 1st quarter 2013 per IEEE Std 384-1992, "IEEE Standard Criteria for Independence of Class 1E Equipment and Circuits" and Regulatory Guide 1.75, "Criteria for Independence of Electrical Safety Systems." A supplemental test report will be issued 2nd quarter 2013.

No. 69 | Src/RI: WEK | Status: Open
Issue Description: Please provide a detailed explanation of the application programs contained within the Tricon and ALS MWS computers; including how they will be used to support or enhance the performance of the PPS safety function, enhance the performance of the PPS safety systems, provide required maintenance, surveillance, etc. Or, please indicate where this information is explained within the LAR and supporting documents.

Comments: 12-19-2012 update: The DCPP PPS ALS MWS will not be approved via the ALS topical report. Therefore, the information requested is needed to address the regulatory criteria of ISG-04, Position 1, Point 3. W/ALS document 6116-00054, Rev. 0, Diablo Canyon PPS ISG-04 Matrix, does not address this subject in its response to Point 3. Please address this question for ALS. Tricon response is acceptable. Please add this to the LAR/Tricon V10 ISG-04 compliance matrix document. 11-28-12 update: Additional clarification was provided, so the question was rephrased.

1/24/2013 Updated PG&E Response: The non-safety communications between the PPS controllers and their respective, dedicated MWS units improve PPS maintainability and thus reliability, and enable on-line surveillance testing, calibration, and maintenance. Risk of challenging plant safety systems is reduced through the ability to test in bypass rather than requiring test in trip. The online Tricon and ALS non-safety communications capability provides real-time, online data and status information on the Plant Process Computer and in the Control Room that are required to perform maintenance, calibration and testing. Without the online data links from the Tricon and ALS to the MWS and the Plant Process Computer/Plant Data Network, only the control board indicators and recorders would be available to provide a "window" on the PPS. System trouble alarms would still be generated by the PPS on the Main Annunciator System, but without the alarm monitor and other data display capabilities provided by the MWS, there would be no direct means to determine the specific cause of an alarm.

Lack of access to real-time, continuous, on-line PPS status data and diagnostic information introduces delay into PPS trouble identification and resolution, and substantially degrades the maintenance effectiveness and timeliness enabled by the diagnostic features built into the platforms and the application programs. The ability to make online use of the information provided by redundant, real-time data communications to the MWS and to the plant process computer improves PPS reliability and thus supports and enhances safety through providing timely diagnostic information and status details that assist performance of required trouble-shooting, maintenance, and surveillance activities.

The network switches between the Port Aggregator taps and the MWS ensure that Tricon multicast operation will continue if the Tricon MWS were to cease communications. The network switches are redundant to ensure continued Tricon multicast operation on failure of a single Tricon network link.

The application programs contained in the ALS and Tricon MWS units provide the following functionality:

A. Westinghouse/CSI ALS Maintenance Workstation

The on-line ALS MWS is required to maintain the ALS, including surveillance testing per the Technical Specifications, calibration, and other required maintenance, and is similar in effect to the existing, approved Test in Bypass capability. The diversity design of the ALS enables either (but not both) Chassis "A" or Chassis "B" in a protection set to be bypassed for maintenance or testing while the other chassis remains fully operational (although, in the bypassed condition, certain post-accident monitoring functions may not be available; this may be controlled administratively).

Without the flexibility provided by the ALS diversity design, Technical Specifications would require tripping all the channels associated with the chassis when removing a given protection set ALS chassis from service. In turn, this would make up one channel in the coincidence logic for all channels in the affected ALS protection set. Such action increases the risk of inadvertently challenging plant safety systems were another channel to trip with the ALS protection set out of service.

1. Microsoft Windows XP Service Pack 3 operating system

2. ALS Service Unit (ASU) Application

The ALS MWS will utilize Microsoft Windows based Westinghouse/CSI ALS Service Unit (ASU) software that is described in the ALS Topical Report Section 2.6.3.

The ALS Service Unit (ASU) is the primary tool used when accessing a particular ALS system in operation. The ASU provides plant personnel access to advanced features of the ALS system such as system diagnostics, post-trip analysis, monitoring real-time operation, and assistance in performing user-initiated test, calibration and maintenance operations.

The DCPP PPS Replacement MWS will be mounted permanently in the PPS rack containing the PPS in a manner similar to that shown in ALS Topical Report Figure 2-25; however, ASU functions that use interactive Test ALS Bus (TAB) communications will be available: (1) only when the TAB is physically connected to the ALS MWS by qualified personnel under administrative controls; and (2) only on one ALS "A" or "B" subsystem at a time.


The TAB from ALS-102 Chassis "A" and Chassis "B" is provided with individual EIA-485 ports on the ALS Maintenance Workstation computer.

The ASU ensures that the correct TAB is connected to the respective EIA-485 port when the TAB is enabled.

The main features of the ASU are:

  • State Information - Provides monitoring of real-time operation, including all I/O signals as well as detailed status information from debugging registers. The advanced monitoring capabilities enable fast system diagnostics and troubleshooting.
  • System and Board Information - Provides detailed information about the configuration of an ALS system, including board FPGA programming, board build information, and board configuration.
  • Blackbox - The ASU includes a so-called "blackbox" functionality where all events of an ALS system are transmitted by the ALS-102 CLB Transmit Bus TxB2 to the ASU for storage and subsequent retrieval. This allows plant personnel to inspect the ALS system's reaction to a past event.

The blackbox function enhances ALS reliability and therefore safety by helping to reduce the time required to pinpoint the cause of a series of events. The ASU must be connected to the ALS via the Transmit Bus TxB2 during an event in order to capture and store the event via the blackbox function. Given the difficulty in predicting when an event will occur, the ASU should be connected to the ALS chassis via Transmit Bus TxB2 and receiving data during online operation in order to benefit from this capability.

  • Test - Application specific periodic surveillance tests can be implemented to be performed through the ASU. Based on the needs of the application, features may be implemented in the CLB that allow surveillance testing to be performed and/or monitored through the ASU.
  • Calibration - The ASU is used to read out and change application Setpoints and channel calibration coefficients. The CLB holds the application Setpoints and, according to the application, it will allow the ASU to modify these Setpoints. The ASU is also used during input/output channel calibration, where it is used for selecting the board and board channel to be calibrated and to change calibration coefficients based on the readings received on an external calibrator.

Operation of the ASU is passive and non-intrusive, i.e., it can only modify the safety system tunable parameters stored in NVM for which it is designed (i.e., input/output calibration coefficients, setpoints and tuning constants). It is not possible to modify the safety algorithm or logic using the ASU. All communications initiated by the ASU take place on the TAB, and only when the TAB is physically connected between a protection set ALS and its dedicated MWS. No RAB interruption is possible, effectively isolating the ASU from ALS safety functions.

3. ALS Parameter Display

The ASU also provides a passive parameter display function using the one-way ALS-102 EIA-422 Transmit Bus TxB2. The ALS parameter display function allows the MWS to display parameters transmitted to it online by the one-way TxB2 transmit bus described in ALS Topical Report Section 2.2.1.3.

The parameter display function does not require the TAB to be connected.

The ASU parameter display function is a Visual C++ based application developed for the Microsoft Windows API using Microsoft Foundation Class (MFC) libraries to provide graphical user interfaces for displaying ALS system status on the MWS and for providing user controlled access to the ALS controllers for performing maintenance operations such as calibration.

Upon start-up, the application establishes a dedicated serial port connection to the MWS RS-422 serial communication card port that is connected to the ALS-102 unidirectional one-way TxB2 output in each ALS chassis "A" and "B." These dedicated MWS serial ports receive ALS system status at a rate of 10 Hz (i.e., once every 100 ms).


Upon establishing the dedicated serial port connection on the MWS, the ASU parameter display function spawns a software thread to receive, validate, and store the data received from the respective ALS-102 TxB2.

Validation of the received data consists of checking the packet header contents, checking packet length, performing a CRC check on the packet contents, and then comparing the calculated CRC with the CRC inside the TxB2 packet. If the data received by the parameter display application is invalid (i.e. invalid CRC), the application indicates the issue on its graphical user interface (GUI) and an entry is made in the application status log. If the data received by the parameter display application is valid, the application records the ALS system status in a data class which contains methods that are called by different GUI to extract and display the specific ALS system status.

Malfunctions of the ASU parameter display function cannot adversely affect ALS safety system operation because EIA-422 communications between the ALS and the ALS MWS via TxB2 are strictly one-way from the ALS-102 to the ALS MWS and the EIA-485 TAB is physically disconnected except for brief periods when the TAB for either ALS "A" or "B" is connected to the MWS for maintenance under administrative control by trained technicians.
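The receive-side checks the response describes for TxB2 data (header contents, packet length, CRC recomputation and comparison, then a log entry and GUI indication on failure, or storage in a status object on success) as an added, runnable illustration; this is example code written for this summary, not the ASU's Visual C++ implementation, and the frame layout (0xA5 0x5A sync, one-byte length, CRC-16/CCITT-FALSE trailer), the payload fields and the 64-byte payload limit are assumptions made here, since the page does not reproduce the ALS-102 design specification.

```python
"""Receive-side validation of a one-way status frame, modelled on the checks
described for the TxB2 link: header, length, CRC, then log/indicate or store.

Frame layout (ASSUMED for this example; the real TxB2 format lives in the
ALS-102 design specification, which is not reproduced on this page):

    SYNC 0xA5 0x5A | LEN (1 byte) | PAYLOAD (LEN bytes) | CRC-16 (2 bytes, big-endian)

Payload (also assumed): chassis letter 'A'/'B', then N big-endian uint16 readings.
CRC is CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF) over SYNC, LEN and PAYLOAD.
"""
from dataclasses import dataclass, field
import struct
from typing import List, Optional

SYNC = b"\xa5\x5a"
MAX_PAYLOAD = 64  # assumed upper bound on a status packet


def crc16_ccitt(data: bytes, init: int = 0xFFFF) -> int:
    """CRC-16/CCITT-FALSE, bit-serial; crc16_ccitt(b"123456789") == 0x29B1."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def build_frame(payload: bytes) -> bytes:
    """Transmitter side (stands in for the ALS-102 CLB), used only to construct sample input."""
    body = SYNC + bytes([len(payload)]) + payload
    return body + struct.pack(">H", crc16_ccitt(body))


@dataclass
class AlsStatus:
    """Last valid status; the GUI views would read from this object."""
    chassis: str
    readings: List[int]


@dataclass
class ParameterDisplay:
    """State of the receive thread for one TxB2 serial port."""
    status: Optional[AlsStatus] = None
    log: List[str] = field(default_factory=list)   # application status log
    accepted: int = 0
    rejected: int = 0

    def validate_frame(self, frame: bytes) -> Optional[bytes]:
        """Header, then length, then CRC; returns the payload or None."""
        if len(frame) < len(SYNC) + 1 + 2:
            return self._reject("frame too short (%d bytes)" % len(frame))
        if frame[:2] != SYNC:
            return self._reject("bad header %s" % frame[:2].hex())
        length = frame[2]
        if length > MAX_PAYLOAD or len(frame) != 3 + length + 2:
            return self._reject("length field %d does not fit a %d-byte frame"
                                % (length, len(frame)))
        body = frame[:-2]
        (received_crc,) = struct.unpack(">H", frame[-2:])
        calculated_crc = crc16_ccitt(body)
        if calculated_crc != received_crc:
            return self._reject("CRC mismatch: calculated %04x, received %04x"
                                % (calculated_crc, received_crc))
        return frame[3:-2]

    def receive(self, frame: bytes) -> bool:
        """Process one frame; True if it was valid and its status was stored."""
        payload = self.validate_frame(frame)
        if payload is None:
            return False
        # Payload sanity: a chassis letter followed by whole uint16 readings.
        if len(payload) < 1 or payload[0] not in b"AB" or (len(payload) - 1) % 2:
            self._reject("malformed payload")
            return False
        count = (len(payload) - 1) // 2
        readings = list(struct.unpack(">%dH" % count, payload[1:]))
        self.status = AlsStatus(chr(payload[0]), readings)
        self.accepted += 1
        return True

    def _reject(self, reason: str) -> None:
        # Invalid data is never stored: indicate it (stdout stands in for the GUI) and log it.
        self.rejected += 1
        entry = "rejected frame: " + reason
        self.log.append(entry)
        print(entry)
        return None


if __name__ == "__main__":
    display = ParameterDisplay()
    good = build_frame(b"A" + struct.pack(">HH", 1234, 4321))  # constructed sample
    corrupted = bytearray(good)
    corrupted[4] ^= 0x01  # single bit error in the payload -> CRC mismatch
    for frame in (good, bytes(corrupted), good[:-1], b"\x00" + good[1:]):
        display.receive(frame)
    print("status:", display.status, "accepted:", display.accepted,
          "rejected:", display.rejected)
```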

4. One way TxB1/TxB2 Communications

Transmit Bus TxB1 transmits data from each ALS chassis "A" and "B" ALS-102 CLB to the Gateway Computer. Transmit Bus TxB2 transmits data from each ALS chassis "A" and "B" ALS-102 CLB to dedicated EIA-422 ports on the ALS MWS. Both TxB1 and TxB2 are EIA-422 communication links in which Receive capability is physically disabled by hardware as described in the ALS-102 Design Specification, 6002-102002. The receiver is configured such that the transmit data is looped back for channel integrity testing. The ALS-102 does not disregard or reject external messages; rather, the ALS-102 is physically and electrically incapable of receiving external messages via the Transmit Busses TxB1 and TxB2. In effect, this is the same as the data isolation achieved by a "broken wire." Interdivisional communications between the MWS and the ALS are also described in ALS Topical Report section 5.3.

5. TAB Disconnect

TAB communications are enabled by physically connecting the TAB to the respective MWS EIA-485 port under administrative control by trained technicians. TAB communications are disabled when not needed by physically disconnecting the TAB from the MWS. The ASU is connected to and communicates with the ALS via the TAB only when required to calibrate the ALS, normalize RCS flow coefficients, perform surveillances required by Technical Specifications, as well as to troubleshoot and otherwise maintain the ALS. The diverse ALS subsystem whose TAB has not been enabled will continue to perform its safety function without impact. An ALS trouble alarm is initiated on the Main Annunciator when the TAB is enabled. The non-safety communications provided by the Transmit busses will allow the operator to ascertain quickly the cause of the alarm, if the operator is not already aware of the maintenance activity being performed under procedural control.

TAB communications are described in ALS Topical Report Section 5.2.

6. Electrical Isolation

The Transmit Bus TxB1 and TxB2 1E/non-1E data communication is described in the ALS Topical Report, Sections 2.2.1.3 and 5.3.2; and in 6116-00054, "Diablo Canyon PPS ISG04 Matrix", Position 2. The electrical isolation of the Transmit Busses is performed by magnetic couplers located on the ALS-102 CLB. The TxB isolators are described in 6002-10202, "ALS-102 Hardware Design Specification," Section 3.9.1.

Fault isolation occurs by way of board mounted transient voltage suppressors, board mounted fuses, and external fuses.

Qualification of the 1E/non-1E data communication is not part of the ALS Platform review project, and will be qualified with an isolation fault test that will be conducted 1st quarter 2013 per IEEE Std 384-1992, "IEEE Standard Criteria for Independence of Class 1E Equipment and Circuits" and Regulatory Guide 1.75, "Criteria for Independence of Electrical Safety Systems." A supplemental test report will be issued 2nd quarter 2013.

B. Triconex Maintenance Workstation

The Tricon MWS will implement four Microsoft Windows-based application programs: (1) Invensys WonderWare InTouch PPS application; (2) TriLogger; (3) Tricon Diagnostic Monitor; and (4) TriStation 1131 (TS1131) Developers Workbench Version 4.9.0.

1. Microsoft Windows XP Service Pack 3 operating system

2. WonderWare InTouch PPS Application

The WonderWare InTouch application provides online display of selected PPS internal parameters and trouble alarm details. The WonderWare InTouch application is also used for maintenance of individual PPS instrument channels in conjunction with the hardwired OOS switches that have been discussed in the response to other Open Items. The MWS WonderWare InTouch application will be the tool normally used to determine the specific cause of an alarm. The Main Annunciator System only displays system level alarms. The MWS InTouch application contains an alarm monitor, which is a troubleshooting aid that provides a detailed, specific display of the alarms generated by the Tricon PPS application.

3. Non-Safety Tricon Communications

Communications from the Tricon to external non-safety systems are functionally isolated by the Triconex Communication Module (TCM) and NetOptics Model PA-CU Network Port Aggregator Tap discussed in Tricon V10 SER Section 3.7.2.1. A fiberoptic data link provides electrical isolation.

The PA-CU prevents inbound communications from external devices or systems connected to Port Aggregator Port 1 from being sent to interactive Ports A and B. Port 1 is a transmit-only port that does not listen to and is not affected by the communications activity generated by the external device or system to which it is connected.

Port Aggregator port 1 will provide one-way data to the Gateway Computer via the Gateway Switch. The Gateway Computer transmits the data to the Plant Process Computer for use in the Control Room by the operators. The Gateway Computer and Gateway Switch were installed by another project. The Plant Process Computer is an existing system.

4. Triconex TriLogger

The TriLogger software provides the ability to record, display, play back and analyze data from the Tricon system. Data can be viewed in real-time on the MWS. The TriLogger provides data trending and analysis capabilities and can be configured to trigger on specific events to log detailed data to aid technicians in isolating, diagnosing, and troubleshooting problems. However, the TriLogger must be connected and running at all times to perform these functions.

5. Tricon Diagnostic Monitor Utility
The Tricon Diagnostic Monitor utility displays Tricon system and module status by mimicking the actual Tricon chassis and slots, so that the user can find the exact location (chassis number and slot number) of a module that may be experiencing a fault or other problem. The Tricon Diagnostic Monitor Utility improves reliability by aiding rapid troubleshooting and fault location at the Tricon system level.

6. Startup Delayer
Startup Delayer delays WonderWare startup until the DDE Server has initialized. Otherwise, WindowViewer may start up first and never connect to the DDE Server.

7. TriStation 1131 (TS1131) Developers Workbench
TriStation 1131 is a PC-based application development workstation that provides a comprehensive set of development, test, monitor, validation and diagnostic tools for Triconex Programmable Logic Controllers (PLC). The TS1131 program is utilized to maintain the PPS application program and may also be used for monitoring and troubleshooting purposes. The TS1131 program is described in the Tricon V10 SER Section 3.1.3.2.

The TS1131 tool will be installed on the MWS. However, the TS1131 tool will not normally be running while the Tricon is performing its safety function [Tricon V10 SER Section 3.10.2.9]. If the TS1131 workstation is connected during online safety operation for maintenance or troubleshooting purposes, its use will be controlled via administrative controls and qualified maintenance personnel. Write access to the operating Tricon is governed by the controller keyswitch.

With the keyswitch in the RUN position, use of the TS1131 program is limited to read only access to the Tricon. Parameters may be examined, and application program logic operation may be observed in real time, but changes are not possible. The TS1131 program can only write to the Tricon when the controller keyswitch is in the PROGRAM position. With the keyswitch not in RUN, the PPS application will initiate an alarm on the Main Annunciator System and the affected PPS set will be declared inoperable with respect to its safety function.

Regardless of whether the keyswitch has been deliberately manipulated or whether the condition is the result of Tricon hardware or software failure, the internal Tricon diagnostics will detect a "keyswitch not in RUN" condition and the PPS application program will initiate a PPS Trouble alarm on the Main Annunciator System. When the "keyswitch not in RUN" condition exists, the affected Tricon is considered to be INOPERABLE with respect to its safety function. The operator would enter the appropriate Technical Specification LCO upon determination that the PPS trouble alarm was caused by the "keyswitch not in RUN" condition.


The condition could be active in multiple Tricon protection sets because it could occur as a result of common cause Tricon failure. Even with the "keyswitch not in RUN" condition existing in multiple protection sets, negative impact is limited because on-line maintenance will normally be performed in one protection set at a time, and each Tricon protection set has its own dedicated, independent MWS. Therefore, only one Tricon protection set at a time would be configured physically to make software changes. If the TS1131 is not connected and running, changes cannot occur even if the "keyswitch not in RUN" condition exists. That is, the mere existence of the "keyswitch not in RUN" condition does not initiate changes. Intentional action by a trained, knowledgeable individual is also required. Given the PPS trouble alarms that would be active in all affected protection sets, it is highly unlikely that unintended changes could occur.

If a PPS Trouble alarm were to occur on the Main Annunciator System due to the "keyswitch not in RUN" condition, regardless of the cause, the operator would notify DCPP Maintenance. In the absence of the detailed alarm monitoring provided by an on-line MWS (via the TCM NET2 interface), the maintenance technicians would be required to obtain work orders, gain access to the affected protection set, connect and boot the MWS, and only then could begin to determine the cause of the alarm. The alarm information would not be available if the alarm were due to a transient condition that cleared between the time the condition initiated and when the MWS was operational. Diagnosis of the condition could be delayed for several hours. With the on-line MWS and the alarm monitor function, the condition, whether caused by intentional manipulation of the Tricon controller keyswitch or by a hardware or software failure involving the keyswitch, would be identified immediately.
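The write-gating and alarm behaviour described in the TS1131 discussion above (read-only in RUN, writes only in PROGRAM, a PPS Trouble alarm and INOPERABLE status for any "keyswitch not in RUN" condition, and no change possible without a connected TS1131 session) can be stated as a small executable model. The following is an added illustration written for this summary, not Tricon, Invensys or PG&E code; the class names, the log format and the STOP position are assumptions, while the RUN and PROGRAM behaviour is the one the response states. The common-cause case also follows the response: all four sets alarm, but a write is still refused wherever no TS1131 session exists.

```python
"""Model of the Tricon keyswitch write gating and the "keyswitch not in RUN"
PPS Trouble alarm described in the open-item response.  Added illustration,
not Tricon, Invensys or PG&E code: class names and the STOP position are
assumptions; RUN/PROGRAM behaviour is as stated in the response."""
from dataclasses import dataclass, field
from enum import Enum


class Keyswitch(Enum):
    RUN = "RUN"          # stated: TS1131 has read-only access
    PROGRAM = "PROGRAM"  # stated: the only position in which TS1131 can write
    STOP = "STOP"        # assumed extra position; anything not RUN alarms


@dataclass
class ProtectionSet:
    """One Tricon protection set with its own dedicated MWS."""
    name: str
    keyswitch: Keyswitch = Keyswitch.RUN
    ts1131_connected: bool = False   # TS1131 is not normally running on-line
    alarms: list = field(default_factory=list)
    log: list = field(default_factory=list)

    def operable(self) -> bool:
        # Any "keyswitch not in RUN" condition makes the set inoperable.
        return self.keyswitch is Keyswitch.RUN

    def diagnostics_scan(self) -> list:
        """Internal diagnostics: raise a PPS Trouble alarm whenever the
        keyswitch is not in RUN, whatever the cause (key turned or failure)."""
        if not self.operable() and "PPS TROUBLE" not in self.alarms:
            self.alarms.append("PPS TROUBLE")
            self.log.append(f"{self.name}: keyswitch {self.keyswitch.value}, "
                            "PPS TROUBLE alarm raised, set INOPERABLE")
        return list(self.alarms)

    def write_attempt(self, actor: str) -> str:
        """A TS1131 write to the controller.  Refused unless a TS1131
        session is connected AND the keyswitch is in PROGRAM."""
        if not self.ts1131_connected:
            outcome = "rejected: no TS1131 session connected"
        elif self.keyswitch is Keyswitch.RUN:
            outcome = "rejected: keyswitch in RUN (read-only)"
        elif self.keyswitch is Keyswitch.PROGRAM:
            outcome = "accepted"
        else:
            outcome = f"rejected: keyswitch in {self.keyswitch.value}"
        self.log.append(f"{self.name}: write by {actor} {outcome}")
        return outcome


def common_cause_keyswitch_failure(sets, failed_position=Keyswitch.STOP):
    """Simulate the CCF case the response discusses: every set reports
    keyswitch not in RUN.  Returns the names of the sets now inoperable."""
    for ps in sets:
        ps.keyswitch = failed_position
        ps.diagnostics_scan()
    return [ps.name for ps in sets if not ps.operable()]


def maintenance_session(ps, technician):
    """The authorized path: connect TS1131, key to PROGRAM (alarm expected
    and annunciated), write, then restore RUN and disconnect."""
    ps.ts1131_connected = True
    ps.keyswitch = Keyswitch.PROGRAM
    ps.diagnostics_scan()
    result = ps.write_attempt(technician)
    ps.keyswitch = Keyswitch.RUN
    ps.ts1131_connected = False
    return result


if __name__ == "__main__":
    sets = [ProtectionSet(f"Set {n}") for n in "1234"]
    print("inoperable after CCF:", common_cause_keyswitch_failure(sets))
    print(sets[0].write_attempt("unknown"))        # no session: rejected
    print(maintenance_session(sets[1], "qualified technician"))
    for line in sets[1].log:
        print(line)
```

The point of the model is the conjunction in `write_attempt`: the key position alone never enables a change, and the alarm is raised by the diagnostics scan regardless of why the key left RUN, which is the detection property the response relies on.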

As with the ALS, the on-line Tricon MWS is essential to maintain the Tricon safety function, including surveillance testing per the Technical Specifications and other required maintenance, and is equivalent to the existing, approved Eagle 21 Test in Bypass capability. The MWS is required to bypass channels for testing. Removing a Tricon from service during such routine maintenance would require tripping all the channels in that protection set, which would make up one channel in the coincidence logic for all channels in the protection set. This condition increases the risk of challenging plant safety systems should another channel trip inadvertently with the protection set out of service.

70 WEK  KVM Switch Question 1:
If the Enumerated USB switching function is used, will you be able to use the Keyboard hotkeys and mouse buttons to perform switching? The brochure seems to indicate on page 3 that the Enumeration switching process will not enable control switching using the USB keyboard or mouse. However, it further says that Emulation USB switching was developed to support these enhanced monitor switching functions/devices (keyboard hotkeys or mouse buttons) .... Albeit, other USB devices (e.g., printer) do not need to use the Emulated USB switching function. Could you please clarify this point.

PG&E Response:
The USB1 and USB2 ports, which use enumerated switching, pass data straight through the KVM switch without interpretation. Therefore, you cannot connect a keyboard to USB1 or USB2 and use the hotkeys to perform switching, and USB1 and USB2 traffic cannot cause an inadvertent switch. The block diagram shows the output of the emulated portion of the switch and the enumerated portion going to a USB hub before being sent to the computer. The keyboard and mouse will use the emulated switching function, not the enumerated switching function; only the keyboard and mouse can control the switch.

Status: Open
Comments: 11-28-12 update: Response Okay. Leave open until the KVM Switch information is provided within the LAR revision.

71 WEK  KVM Switch Question 2:
Will the KVM switch be on-line 24-7 monitoring data from either the Tricon or the ALS platform? If so, what can we say about the failure modes of the KVM switch? Can it fail in such a manner so as to inject faults into the MWS computers, and hence into the Tricon or ALS safety system processors? If not, why? If so, what can be done to circumvent this problem, and show conformance with ISG-04, Points 10 & 11? We will need to cover this matter in the SER.

10-17-12 Update: Response below did not answer the question regarding failure modes of the KVM switch ... agree that it is Okay to lose the Tricon but I do not see how the ALS is protected due to its "inherent 1-way communications" design. Please explain this further.

12-19-2012 Update question: In order for the staff to verify the response below regarding the ALS-102 Core Logic Board's one-way communications design attributes the staff will need to review the ALS-102 Design Specification document 6002-10202, and any other documents that explain this key design feature for the ALS Platform portion of the PPS {e.g., 6116-00100, PPS ALS to ASU Communications Protocol??}. ALS document 6002-10102 has not been submitted on the docket for staff review of the ALS Platform Topical Report. Therefore, please submit this document (and any others that explain this communications protocol) on the docket as part of the PPS LAR review.

PG&E Response:
The KVM switch will be on-line 24-7 for monitoring data from either the Tricon or ALS platform via the respective MWS computers. There is additional isolation because the ALS communicates strictly one way to its MWS except when TAB communications are enabled by connecting the TAB cable. Connection of the TAB is performed as directed by a trained technician using an approved procedure. Therefore, if the KVM switch failed in some way to connect the two MWS together, the ALS would not be affected. The Tricon might be affected, but the D3 analysis allows the Tricon to fail due to CCF.

The following paragraphs have been added to the IRS Section 2.3.7:
b. The KVM switch shall permit only connections between a single computer and the selected video display and HMI interface devices. Connection between the computers shall not be permitted.
g. The AV4PRO-VGA KVM switch shall utilize the default switching mode, in which the video display, keyboard and mouse and the enumerated USB ports are all switched simultaneously.
Paragraph g was necessary to prevent the enumerated ports from being switched separately from the KVM.

Added PG&E Response 12/16/2012:
During normal, non-maintenance operation, the ALS communicates one-way to its dedicated MWS computer via Transmit Bus TxB2 as discussed in the response to OI #73. Inter-divisional safety to non-safety communications are addressed in ALS Topical Report Section 5.2.3. The TxB2 data communication path from the ALS-102 Core Logic Board to the ALS MWS computer is an EIA-422 communication link in which Receive capability is physically disabled by hardware as described in 6002-102002, the ALS-102 Design Specification. The receiver is configured such that the transmit data is looped back for channel integrity testing. The ALS-102 is physically and electrically incapable of receiving information from outside the ALS-102. Therefore, the ALS cannot be affected by a malfunction in the dedicated MWS computer associated with an ALS protection set regardless of whether the malfunction is caused by KVM switch malfunction or by malfunction of the MWS computer itself.

WEC Response 12/17/2012:
The 1E/non-1E data communication is described in the ALS Topical Report, Sections 2.2.1.3 and 5.3.2; and in 6116-00054, "Diablo Canyon PPS ISG04 Matrix", Position 2. The electrical isolation qualification of the 1E/non-1E data communication is not part of the ALS Platform review project, and will be qualified with an isolation fault test that will be conducted 1st quarter 2013 per IEEE Std 384-1992, "IEEE Standard Criteria for Independence of Class 1E Equipment and Circuits" and Regulatory Guide 1.75, "Criteria for Independence of Electrical Safety Systems." A supplemental test report will be issued 2nd quarter 2013.

Status: Open
Comments:
12-19-2012 update: Hold. The staff will review 6002-10202 and determine if this document provides the information requested. Nonetheless, PG&E needs to address the inherent 1-way communications design and communications protocol of the 102 board in detail within this OI as it relates to the DCPP PPS. Also, need to update the LAR to cover the portions not being addressed in the ALS TR SER, i.e., 1E/non-1E data communications electrical isolation for ALS. See follow up question for OI 68.
11-28-12 update: ALS ISG-04 compliance was submitted, and Westinghouse thinks that this will answer this question. PG&E needs to respond to 10-17-12 update in the description section. Leave open until the KVM Switch information is provided within the LAR revision.
10-17-12 Update: Note: "IRS" is the Interface Requirements Specification (Attachment 8 of the LAR).

72 WEK  KVM Switch Question 3:
Also, you will likely need to address how you will disable the features you are not using such as the audio interface, unused USB ports, remote control/channel switching by external control from an SDOE perspective, and probably a cyber security perspective later on (after SER).

10-17-12 Update: The methods used to block Ports in the KVM Switch must be addressed in the LAR revision. Block all unused Ports and keep any that may need to be reopened under design or configuration control. Again, we need a detailed explanation of how this 1-way design feature will prevent the KVM switch failures from affecting the ALS system.

PG&E Response:
Specific answers to these questions depend on the detailed design. Ports can be physically blocked, which might be appropriate for unused computer ports and the audio ports. It might not be appropriate for the unused USB port (which may be needed for a future printer) and the options port (which may be needed for firmware updates). Remote control switching or firmware update requires a custom serial cable. The firmware update requires specialized software on the computer being used to perform the update. Firmware update will be done by procedure. The MWS will be inside a locked cabinet inside a vital area inside the protected area. Inadvertent actions, while not impossible, will not be easy. If the switch is somehow manipulated, the ALS will not be affected even if the KVM switch fails because the ALS communicates only one-way with the MWS except for short periods when the TAB is enabled.

Revised PG&E Response 12/16/2012:
PG&E will physically block the audio port, USB Port 2 and unused computer ports. Physical blocks will be verified at SAT and controlled thereafter by the SCMP. PG&E considers that opening any of the unused ports for use after the SAT is a modification of the physical plant configuration that will require an engineering design change.

Status: Open
RAI No.: RAI 43
RAI Response: Or, this information could be included in the next LAR update; need to decide which path is desired.
Comments:
12-19-2012 update: response acceptable, however, this information needs to be provided in the LAR. Also, address how this will be maintained by the DCPP Configuration Management Process.
11-28-12 update: PG&E needs to respond to 10-17-12 update in the description section. Leave open until the KVM Switch information is provided within the LAR revision.

73 WEK  KVM Switch Question 4:
If the KVM switch does fail in some manner allowing data flows between the two platforms, then the ALS system would not be affected because the ALS platform will only transmit data in one direction to its MWS (with the TAB cable disconnected of course). This is good, however, the LAR (or attachments) need to explain how the engineering design principles of the ALS platform physically prevent bad/erroneous data from corrupting the ALS platform. In other words, explain how these messages emanating from the MWS (regardless of origin) will be disregarded/rejected by the ALS platform thus allowing only one direction of data flow.

10-17-12 Update: The ALS-102 Design Specification document 6002-10202 has not yet been submitted to the NRC. When will it be submitted?? Will this EIA-422 (or is it RS-422 per Fig. 4-13 in the LAR) communication link (twisted pair copper wire) also serve as the 1E/non-1E isolation devices as required by IEEE 603, Clause 5.6.3 and IEEE 7-4.3.2, Clause 5.6?? Please clarify.

11-28-2012 Update: Still need more information re: 1E/non-1E isolation of the ALS-102 board.

PG&E Response:
Revised PG&E Response 12/16/2012:
The design of the TxB1 and TxB2 data communication paths from the ALS-102 Core Logic Board to the Gateway Computer and MWS, respectively, are EIA-422 communication links in which Receive capability is physically disabled by hardware as described in 6002-102002, the ALS-102 Design Specification. The receiver is configured such that the transmit data is looped back for channel integrity testing. The ALS-102 is physically and electrically incapable of receiving information from outside the ALS-102. Therefore, messages are not disregarded or rejected by the ALS-102. This is better than a "broken wire." The wire just isn't there, and there is no place to connect a wire if someone wanted to do so.

Updated PG&E Response 12/16/2012:
Per the 10/17/2012 update, NRC is correct regarding the typographical error in Section 2.4.13.5 on page 90 of the LAR. The correct ALS-102 Design Specification document number per LAR Reference 94 is 6002-10202. Per the 11/28/2012 update, RS-422 is the common short form title of American National Standards Institute (ANSI) standard ANSI/TIA/EIA-422-B Electrical Characteristics of Balanced Voltage Differential Interface Circuits. This technical standard specifies the electrical characteristics of the balanced voltage digital interface circuit. For the purposes of the LAR, the two designations are equivalent and may be used interchangeably. The document 6002-10202, in reference 94 is the correct document.

Status: Open (Hold)
RAI No.: RAI 44
Comments:
12-19-2012 update: As discussed in the 10-17-2012 update for this OI, and the 12-19-2012 Follow up Question for OI 71, the staff needs ALS Design Specification document 6002-10202 submitted for its review in order to resolve this OI. This OI will be placed on Hold until the documents are received on the docket.
11-28-2012: PG&E needs to respond to the 11-28 update in the section. PG&E needs to respond to 10-17-12 update in the description section.
10-17-12 Update: there is a typo in section 2.4.13.5 on page 90 of the LAR. The first paragraph references ALS doc. 6002-61202 (typo) as the document that explains how the EIA-422 communication channels on the ALS-102 are electrically isolated and inherently 1-way communications capability only.
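The property PG&E describes for the ALS-102 TxB1/TxB2 links in OI 71 and OI 73 (receive disabled in hardware, the receiver looped back to the board's own transmitter for integrity testing, so "the wire just isn't there") is the same transmit-only pattern the Port Aggregator Port 1 relies on in the Tricon description, and it is easiest to reason about as an invariant: no sequence of frames from the MWS side can change safety-side state. The following is an added illustration written for this summary, not ALS, Westinghouse, Invensys or PG&E code; the frame layout, the "SET" command used in the contrast case, the driver fault mode and the class names are all assumptions. It places the transmit-only link next to an ordinary receive-enabled link so the difference shows up in the same replayed input.

```python
"""Model of a transmit-only EIA-422 link with loopback integrity test
(as described for the ALS-102 TxB2 bus), contrasted with a conventional
receive-enabled link.  Added illustration, not ALS, Westinghouse or PG&E
code; frame layout, the SET command and the fault mode are assumptions."""
from dataclasses import dataclass, field


@dataclass
class AlsCoreLogic:
    """Safety-side state that a corrupted MWS must not be able to touch."""
    setpoint: int = 100
    tx_faults: int = 0

    def status_frame(self) -> bytes:
        return f"STATUS setpoint={self.setpoint}".encode()


@dataclass
class TransmitOnlyLink:
    """TxB2 as described: the ALS-102 receiver input is wired to its own
    transmitter (loopback); no external signal path into the board exists."""
    als: AlsCoreLogic
    mws_inbox: list = field(default_factory=list)
    driver_fault: bool = False     # assumed fault: transmitter output stuck high

    def als_transmit(self) -> bool:
        """Send one status frame and run the loopback integrity check."""
        frame = self.als.status_frame()
        driven = b"\xff" * len(frame) if self.driver_fault else frame
        self.mws_inbox.append(driven)          # what the MWS end receives
        if driven != frame:                    # receiver read back != sent
            self.als.tx_faults += 1
            return False
        return True

    def mws_send(self, data: bytes) -> None:
        # There is no receive path: the bytes are never parsed and no
        # safety-side state is referenced here at all.
        return None


@dataclass
class ReceiveEnabledLink(TransmitOnlyLink):
    """Contrast case: a full-duplex link whose receiver accepts external
    frames.  A faulty or compromised MWS can now reach safety state."""

    def mws_send(self, data: bytes) -> None:
        text = data.decode(errors="replace")
        if text.startswith("SET "):
            try:
                self.als.setpoint = int(text[4:])
            except ValueError:
                pass


def fuzz_from_mws(link: TransmitOnlyLink, frames) -> int:
    """Replay a batch of frames from the (possibly misbehaving) MWS side and
    report how far the ALS setpoint moved.  Zero means the link held."""
    before = link.als.setpoint
    for f in frames:
        link.mws_send(f)
    return link.als.setpoint - before


# Constructed sample traffic: two well-formed commands and two junk frames.
CONSTRUCTED_FRAMES = [b"SET 0", b"SET 9999", b"\x00\xff" * 8, b"STATUS setpoint=5"]


if __name__ == "__main__":
    safe = TransmitOnlyLink(AlsCoreLogic())
    weak = ReceiveEnabledLink(AlsCoreLogic())
    print("transmit-only drift:", fuzz_from_mws(safe, CONSTRUCTED_FRAMES))
    print("receive-enabled drift:", fuzz_from_mws(weak, CONSTRUCTED_FRAMES))
    print("loopback ok:", safe.als_transmit(), safe.mws_inbox[-1])
    safe.driver_fault = True
    print("loopback ok with stuck driver:", safe.als_transmit())
```

Note what the loopback does and does not cover in this model: it verifies the board's own transmitter (a stuck driver is counted in `tx_faults`), which is the "channel integrity testing" the response mentions, and it says nothing about the downstream MWS, which is exactly the side the design does not trust.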

74 WEK  KVM Switch Question 5:
Please explain in detail how "Connection between the computers shall not be permitted." Will this be handled via a configuration control process, administrative controls, or a physical means of preventing connection between computers?

PG&E Response:
This section was intended to be a functional requirement for the KVM switch. Administrative and configuration controls will prevent inadvertent loading of an EPROM image that could corrupt operation of the KVM switch. If the KVM switch fails and connects the ALS and Tricon MWS together, the above-described physical and electrical restrictions of the KVM switch will prevent the ALS from being corrupted by its MWS computer.

Status: Open
Comments:
11-28-12 update: Leave open until KVM Switch information is provided within the LAR revision.
10-17-12 Update: Response is Okay, but the LAR revision will need to expand further on this matter to explain how these controls will provide this protection.

75 RJS/NSIR  ALS Security Plan
Document 6002-00006 references the CS Innovations Cyber security plan document (Reference 7) which is not docketed. Without having access to this referenced document, the staff is unable to confirm implementation of the system security requirements. We need to discuss if this document can be made available on the share point or if it can be made available during the audit.

In addition CS-00013-GEN, Development Environment Evaluation Report - CS Innovations Isolated Development Infrastructure might be another document of interest to the staff. It seems that this document would provide evidence that the actual development environment was in fact secure. This document was not docketed.

PG&E Response:
Westinghouse can make available during the audit both CSI document 9000-00360, "CS Innovations Cyber Security Plan" and WNA-CS-00013-GEN, "Development Environment Evaluation Report - CS Innovations Isolated Development Infrastructure."

Status: Open
Comments: Note: RJS - We need to resolve if document needs to be docketed now that we have reviewed it during audit.

76 WEK
The documents listed below are necessary for the staff to complete its assessment of the Tricon V10 platform changes/software revisions that have occurred since the platform was approved generically, and will be applied to the DCPP PPS.

1. Reference Design Change Analysis (RDCA), 993754-1-916
2. Nuclear Qualified Equipment List (NQEL), 9100150-001, Rev 16
   Rev 11: Tricon V10.5.2
   Rev 13: TriStation V4.9.0
   Rev 14: Tricon V10.5.3
   Tricon NGIO Software SRS, 6200155-001
   Tricon V10.5 Verification and Validation Report (19 Sept, 2012)
3. V10.5.2 Documents
   a) PDR (IRTX) 21105
   b) Technical Advisory Bulletin (TAB) 183
   c) Engineering Project Plan (EPP) Tricon V10.5.2, 9100346-001
   d) V10.5.2 V&V Test Report
   e) Software Release Definition (SRD), V10.5.2, 6200003-226
   V10.5.3 Documents
   a) PDR (IRTX) 22481
   b) Product Alert Notice (PAN) 25
   c) Engineering Project Plan (EPP) Tricon V10.5.3, 9100428-001
   d) Tricon PAN 25 Master Test Report
   e) Software Release Definition (SRD), V10.5.3, 6200003-230
   f) NGDO SRS 6200170-001
   (ii) Tristation V4.9.0 documents
   a) Product Alert Notice (PAN) 22
   b) Product Alert Notice (PAN) 24
   c) Technical Advisory Bulletin (TAB) 147
   d) Engineering Project Plan (EPP) Tristation V4.9, 9100359-001
   e) Tristation V4.9.0 Master Test Report
   f) Software Release Def. (SRD), Tristation V4.9.0, 6200097-038
   g) Spec. Software Design - Tristation 1131 SDS, 6002168-002 (Section Applicable to V4.9.0 Change)
   h) TriStation 1131 V4.9 V&V Plan, 9600442-002
   i) TriStation 1131 V&V Summary Report (26 Oct. 2012)

12-19-2012 Follow up Item:
The staff has reviewed all of these documents, which have been placed on the Invensys Sharepoint website and concluded its assessment of the Tricon Platform changes from V10.5.1 to V10.5.3. The results of this assessment will be published in the Invensys Audit Report. In order to provide a safety finding to approve these changes in the DCPP PPS SER it is necessary for the following documents to be formally submitted to the staff to facilitate completion of its safety assessment of the Tricon V10 platform changes/software revisions that have occurred since the platform was approved generically, and will be applied to the DCPP PPS.

Please submit the following Documents on the Docket:
1. Product Discrepancy Report (PDR) IRTX#21105
3. Engineering Project Plan (EPP) V10.5.2, 9100346-001, Rev. 1.4
4. Tricon V10.5.2 V&V Test Report, Rev. 1.1, January 14, 2011
5. Software Release Definition (SRD) V10.5.2, 6200003-226, Rev.1.0
6. PDR IRTX#22481
7. Product Alert Notice (PAN) 25
8. Document "ARR 932 NSC Evaluation .pdf"
9. Tricon PAN 25 Fix Engineering Project Plan (EPP) 9100428-001, Rev.1.2
10. Tricon PAN 25 Master Test Report, Rev.1.0
11. Software Release Definition (SRD) V10.5.3, 6200003-230, Rev.1.0
12. Product Alert Notice (PAN) 22
13. Product Alert Notice (PAN) 24
14. Technical Advisory Notice (TAB) 147
15. Engineering Project Plan (EPP) TriStation V4.9 & Safety Suite Apps, 9100359-001, Rev.1.3
16. TriStation V4.9.0 Test Report, Rev. 0.4
17. Software Release Definition (SRD) 6200097-038, Rev.1.2

PG&E Response:
Invensys will place the requested documents on the Invensys SharePoint by December 3, 2012, for access by the NRC. The documents will be marked in accordance with 10 CFR 2.390 prior to placing them on the SharePoint.

Status: Closed (Invensys Audit Item)
RAI No.: RAI 45
Comments:
12-19-2012 Update: the staff has reviewed all of these documents and some of them will require submittal on the docket for approval of these changes within the SER; see 12-19-2012 follow up item for this OI.
11-28-12 update: Response Acceptable. We will also need this information submitted on the docket.

77 RJS
The staff requests that the Purchase Order Compliance Matrices (Multiple Documents) be placed on the SharePoint site to support verification of requirements traceability determinations.

PG&E Response:
Invensys will place the requested documents on the Invensys SharePoint by December 7, 2012, for access by the NRC. The documents will be marked in accordance with 10 CFR 2.390 prior to placing them on the SharePoint.

Status: Invensys Audit Item
Comments: RJS - I do not believe that the POCM's will need to be docketed.

78 RA
The staff requests that the Invensys Project Procedures Manual and Project Instructions (Multiple Documents) be placed on the SharePoint site to support review of Invensys process to design, develop and test the Tricon system.

PG&E Response:
Invensys will place the requested documents on the Invensys SharePoint by December 14, 2012, for access by the NRC. The documents will be marked in accordance with 10 CFR 2.390 prior to placing them on the SharePoint.

Status: Closed
Comments: 12/19/12: Document was posted in Invensys' Sharepoint.

79 RA
Invensys to confirm that the following terms are not used, and that they will be removed from their plans and replaced with the correct terms.
  • Test Review Board
  • Test Case Incident Report
  • Master Configuration Checklist
  • Configuration Database

PG&E Response:
The following Invensys documents will be revised to reflect correct terminology and placed on the Invensys SharePoint by December 21, 2012:
1) 993754-1-905, Project Management Plan
2) 993754-1-906, Software Development Plan
3) 993754-1-909, Software Configuration Management Plan
4) 993754-1-813, Validation Test Plan
The revised documents will be marked in accordance with 10 CFR 2.390 prior to placing them on the SharePoint.

Status: Open
Comments: 12/19/12: item open until new document revisions are submitted.

80 RA
Invensys to revise its plans to reflect the current project organization.

PG&E Response:
The Invensys Project Management Plan (PMP), 993754-1-905, will be revised to reflect the current project organization and placed on the Invensys SharePoint by December 21, 2012. The revised PMP will be marked in accordance with 10 CFR 2.390.

Status: Open
Comments: 12/19/12: item open until new document revision is submitted.

81 RJS  Channel level Bypass Functionality
The criteria in ISG-04 position 10 only allows for software configuration activities when the entire safety division (i.e. all channels and functions) is inoperable. The Diablo Canyon PPS design however, allows channel or specific function level configurability while the remaining safety division functions remain operable. This design does not meet the criteria of ISG-04 position 10. The licensee will need to provide a justification for this as an alternative means of meeting the regulatory requirements of IEEE 603-1991 clauses 5.7, 6.5, and 6.7.

PG&E Response: IN PROGRESS

Status: New

82 RA  V&V Plan
Westinghouse/CSI document 6116-00001 Rev. 1 includes Table 2 in Appendix A. This table identifies several notes, which provide additional information. However, the descriptions for these notes are not included in the Appendix. Please provide this information.

PG&E Response:
Does this question refer to CSI document 6116-00003 Rev. 1 (Diablo Canyon PPS V&V Plan) submitted December 5, 2012?

Status: New

83 RA  V&V and Hazard Analysis
Westinghouse/CSI documents 6116-00001 Rev. 1 and 6116-00000 Rev. 3 state that software hazard analysis of the ALS system is the responsibility of PG&E. However, the PG&E SyVVP, which was submitted as Attachment 5 of the LAR, does not describe how PG&E will perform the software hazard analysis of the ALS system. The SyVVP, Section 5.1.2.3 states that PG&E will verify that new hazards were not introduced during installation.

Please clarify who will perform the hazard analysis activities for each phase of the development process that are required by IEEE 1012, for the ALS system.

PG&E Response: IN PROGRESS

Status: New

Enclosure 3

Project Plan for Diablo Canyon Replacement of Digital RPS and ESFAS (PPS) - LAR Review (Rev. 7)

Step | Planned Date | Task | Actual Date
1 | Oct. 26, 2011 | PG&E LAR Submittal for NRC approval. Submittal includes all Phase 1 documents needed to be docketed prior to acceptance for review per ISG-06, "Digital Licensing." | Oct. 26, 2011
2 | Jan. 12, 2012 | Acceptance Review complete. LAR accepted for detailed technical review. Several issues identified that could present challenges for the staff to complete its review. Scheduled public meeting with PG&E to discuss the results of the acceptance review. | Jan. 12, 2012
3 | Jan. 13, 2012 | Acceptance letter sent to licensee. | Jan. 13, 2012
4 | Jan. 18, 2012 | Conduct Public Meeting to discuss staff's findings during the LAR acceptance review. Staff proceeds with LAR technical review. | Jan. 18, 2012
5 | March 18, 2012 | PG&E provides information requested in acceptance letter. Initiate bi-weekly telecoms with PG&E and its contractors to discuss potential RAI issues. Open Items spreadsheet will be maintained by NRC to document staff issues and planned licensee responses. | April 2, 2012
6 | May 30, 2012 | PG&E provides partial set of Phase 2 documentation per commitments made in LAR. PG&E provided a subset of the Phase 2 documents on June 6th and committed to send the rest by July 31, 2012. | June 6, 2012*
7 | July 2012 | First RAI sent to PG&E on Phase 1 documentation (e.g., specifications, plans, and equipment qualification). Continue review of the application. Request 45 day response. (ML12208A364) | August 07, 2012
8 | June 2012 | SER for Tricon V10 Platform issued final. This platform becomes a Tier 1 review of the LAR. (ML12146A010) | May 15, 2012
8.1 | March 2013 | SER for Westinghouse ALS Platform issued final. This platform becomes a Tier 1 review of the LAR. |
9 | September 2012 | Receive answers to first RAI. (ML12256A308) | Sept. 11, 2012
10 | November 2012 | Audit trip to Invensys facility for thread audit; audit the life cycle planning documents and outputs, with particular emphases on verification and validation, configuration management, quality assurance, software safety, the Invensys application software development procedures, and application software program design. | Nov. 13-16, 2012
11 | December 2012 | Audit report provided to PG&E and its contractor. |
11.1 | TBD | LAR revision and all supporting documentation associated with the change in ALS and Tricon V10 workstation designs for the PPS are submitted. |
11.2 | TBD | Follow-up audit trip to Invensys facility for thread audit; audit the life cycle planning documents and outputs, with particular emphases on verification and validation, configuration management, quality assurance, software safety, the Invensys application software development procedures, and application software program design. |
11.3 | February 2012 | Audit trip to Westinghouse/CSI facility for thread audit; audit the life cycle planning documents and outputs, with particular emphases on verification and validation, configuration management, quality assurance, software safety, the W/ALS application software development procedures, and PPS ALS application software program design. |
12 | March 2013 | PG&E provides remaining set of Phase 2 documentation per commitments made in LAR. |
12.1 | March 2013 | All Documentation for DCPP W/CSI ALS and IOM/Triconex V10 processors applicable to the DCPP PPS LAR are submitted. |
13 | April 2013 | Second RAI to PG&E on Phase 2 documentation (e.g., FMEA, safety analysis, RTM, EQ Tests results, setpoint calcs, SW Tool analysis reports, and any incomplete or un-satisfactory response to first RAI). Continue review - hardware and program design and V&V activities. |
14 | May 2013 | Receive answers to second RAI. Continue review - V&V program, security requirements (RG 1.152, Rev. 2). |
15 | March 2013 | Audit trip to W/ALS facilities for additional thread audit items; audit hardware and software installation plans, configuration management reports, detailed system and hardware design, completed test procedures, V&V activities, summary test results (including FAT) and incident reports, and application code listings. |
15.1 | April 2013 | Audit trip to Invensys facilities for additional thread audit items; audit hardware and software installation plans, configuration management reports, detailed system and hardware design, completed test procedures, V&V activities, summary test results (including FAT) and incident reports, and application code listings. |
(one row struck through in the original; text not legible)
16 | May 2013 | Audit reports provided to PG&E and its contractors. |
17 | November 2013 | Presentation to ACRS Subcommittee/Full ACRS Committee on DCPP PPS LAR Safety Evaluation. |
18 | November 2013 | Complete draft technical SER for management review and approval. |
19 | December 2013 | Issue completed draft technical SER to DORL. |
20 | December 2013 | Draft SER sent to PG&E, Invensys, and W/CSI to perform technical review and ensure no proprietary information was included. |
21 | January 2014 | Receive comments from PG&E and its contractors on draft SER proprietary review. |
22 | March 2014 | Approved License Amendment issued to PG&E. |
23 | September 2014 (tentative) | Inspection trip to DCPP for PPS Site Acceptance Testing (SAT), training and other preparation for installing the new system. To be coordinated with regional visit. Date based on receipt of new PPS system at the site in preparation for September 2015 Unit 1 Refueling Outage (1R19). |
24 | September 2015 | Inspection trip to DCPP for PPS installation tests, training and other system installation activities for the new system. To be coordinated with regional visit. Date based on September 2015 Unit 1 Refueling Outage (1R19). |

performed to verify that the software products to be used at DCPP for the PPS system conform to applicable standards, guidelines, plans, and procedures by assessing the implementation of the system's developmental life cycle process (life cycle audit). Both of the audit reports will be issued to PG&E shortly. Because the cyber security audit report contains security-related sensitive unclassified non-safeguards information, the cyber security audit report will be withheld from the public. The staff took an action to support phone calls with PG&E and Invensys as necessary to discuss results of the audits.

  • The project plan for the review of the LAR (Enclosure 3) was discussed and the major upcoming milestones were confirmed. The project plan will be updated as appropriate and discussed at the next public meeting.
  • The NRC staff stated that it should be issuing a second round of requests for additional information (RAIs) shortly. Once the RAIs are issued, the items identified in Enclosure 2 as needing RAIs will be closed and removed from the open item tracking list. This is because the RAIs themselves will be used to track the closure of the issue.
  • PG&E took an action to provide documents associated with open item number 76 in Enclosure 2 by the end of January.

Please direct any inquiries to me at 301-415-1132 or at Joseph.Sebrosky@nrc.gov.

/RA/

Joseph M. Sebrosky, Senior Project Manager
Plant Licensing Branch IV
Division of Operating Reactor Licensing
Office of Nuclear Reactor Regulation

Docket Nos. 50-275 and 50-323

Enclosures:

1. List of Attendees
2. Staff Identified Issues That are Open
3. Project Plan

cc w/encls: Distribution via Listserv

DISTRIBUTION:
PUBLIC
LPLIV Reading
RidsNsirDsp Resource
RidsOgcRp Resource
RidsAcrsAcnw_MailCTR Resource
RidsRgn4MailCenter Resource
RidsNrrDeEicb Resource
RidsNrrDorl Resource
RidsNrrDorlLpl4 Resource
RidsNrrDraApla Resource
RidsNrrDssStsb Resource
RidsNrrLAJBurkhardt Resource
RidsNrrPMDiabloCanyon Resource
SAchen, RIV/DRS/EB2
ELee, NSIR/DSP/CSIRB
DParsons, NSIR/DSP/CSIRB
JCassidy, EDO RIV
GSimonds, NSIR/DSP/CSIRB
TWertz, NRR
THarris, NSIR/DSP/FCTSB
WKemper, NRR/DE/EICB
MShinn, NRC/CSO
RStattel, NRR/DE/EICB
CNickell, NRR/DLR/RAPB
RAlvarado, NRR/DE/EICB
MSnodderly, NRR/DRA/APLA
WMaier, RIV
KBucholtz, NRR/DSS/STSB
SMakor, RIV/DRS/EB2

ADAMS Accession Nos.: Meeting Notice ML12355A138, Meeting Summary ML13035A167

OFFICE | NRR/DORL/LPL4/PM | NRR/DORL/LPL4/LA | NRR/DE/EICB | NRR/DORL/LPL4/BC | NRR/DORL/LPL4/PM
NAME | JSebrosky | JBurkhardt | RStattel | MMarkley | JSebrosky
DATE | 2/19/13 | 2/19/13 | 2/22/13 | 3/1/13 | 3/4/13

OFFICIAL RECORD COPY