ML13148A420

From kanterella

2/20/13 Summary of Public Meeting with Pacific Gas and Electric Company to Discuss Digital Replacement of Process Protection System at Diablo Canyon Power Plant, Units 1 and 2
Site: Diablo Canyon (Pacific Gas & Electric)
Issue date: 06/06/2013
From: Polickoski J, Plant Licensing Branch IV, NRR/DORL/LPL4
To: Pacific Gas & Electric Co
References: TAC ME7522, TAC ME7523


Text

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

June 6, 2013

LICENSEE: Pacific Gas and Electric Company

FACILITY: Diablo Canyon Power Plant, Units 1 and 2

SUBJECT: SUMMARY OF FEBRUARY 20, 2013, TELECONFERENCE PUBLIC MEETING WITH PACIFIC GAS AND ELECTRIC COMPANY ON DIGITAL REPLACEMENT OF THE PROCESS PROTECTION SYSTEM PORTION OF THE REACTOR TRIP SYSTEM AND ENGINEERED SAFETY FEATURES ACTUATION SYSTEM AT DIABLO CANYON POWER PLANT, UNIT NOS. 1 AND 2 (TAC NOS. ME7522 AND ME7523)

On February 20, 2013, a Category 1 teleconference public meeting was held between the U.S. Nuclear Regulatory Commission (NRC) and representatives of Pacific Gas and Electric Company (PG&E, the licensee) at NRC Headquarters, One White Flint North, 11555 Rockville Pike, Rockville, Maryland. The purpose of the teleconference meeting was to discuss the license amendment request (LAR) submitted by PG&E on October 26, 2011, for the Digital Replacement of the Process Protection System (PPS) Portion of the Reactor Trip System and Engineered Safety Features Actuation System at Diablo Canyon Power Plant (DCPP), Unit Nos. 1 and 2 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML113070457). The meeting notice and agenda, dated February 4, 2013, are available in ADAMS at Accession No. ML13028A202. A list of attendees is provided as Enclosure 1.

This meeting is one in a series of publicly noticed teleconference meetings to be held periodically between NRC staff and PG&E to discuss issues associated with the NRC staff's LAR review. Preliminary issues identified by the NRC staff during the review and licensee responses to those issues were discussed during the meeting. The list of these preliminary issues is provided in Enclosure 2. The updated NRC staff's LAR review project plan was also discussed and is provided in Enclosure 3.

Discussion highlights from this meeting include:

  • A review of the submission method and/or document repository location (NRC docket submittal or SharePoint posting) for recently updated and/or submitted LAR documents and their applicable revisions. This discussion also included an overview of what documents were expected to be submitted and/or posted soon.
  • A process discussion where preliminary issues identified and discussed in Enclosure 2 that resulted in NRC requests for additional information (RAIs) will be transferred to a closed action table for archiving and presented at the next periodic teleconference public meeting.
  • A licensee discussion on preliminary issues from Enclosure 2 that will be addressed in an upcoming LAR supplement.


  • An NRC staff discussion on observations and questions from a recently completed onsite audit of a PG&E supporting vendor (February 11-14, 2013, CS Innovations/Westinghouse) and the issuance of the cyber security audit trip report from another PG&E supporting vendor (November 13-16, 2012, Invensys Operations Management).
  • NRC staff from the Office of Nuclear Security and Incident Response (NSIR) were present to discuss LAR submittal cyber security aspects and security measures related to the Maintenance Work Station. Additionally, the potential need for a non-public meeting to review proprietary and/or sensitive but unclassified items was discussed.
  • NRC staff discussion regarding access needed to the Input/Output (I/O) list to support the review of the Interface Requirement Specification.
  • NRC and PG&E staff discussion related to the Enclosure 3 project plan on the timing of the next licensee vendor NRC staff audit trip and the follow-on Factory Acceptance Testing (FAT). This project plan discussion also included updates to the anticipated dates for the next NRC staff RAIs and LAR review final milestone dates.
  • NRC staff discussion with PG&E staff regarding the potential for this LAR to impact or cause changes to the DCPP Technical Specifications (TS). The staffs discussed the injection of test signals and verification of setpoints for TS-identified surveillance testing, and potential LAR scope changes that could affect LAR acceptance.

The NRC staff and the licensee agreed that the next periodic teleconference public meeting on this topic would be held on March 27, 2013, with a tentatively scheduled non-public meeting to discuss proprietary and/or sensitive but unclassified items set for April 17, 2013.

Members of the public were in attendance. Public Meeting Feedback forms were not received.

James T. Polickoski, Project Manager
Plant Licensing Branch IV
Division of Operating Reactor Licensing
Office of Nuclear Reactor Regulation

Docket Nos. 50-275 and 50-323

Enclosures:

1. List of Attendees
2. NRC Staff Identified Open Issues
3. LAR Review Project Plan

cc w/encls: Distribution via Listserv

ENCLOSURE 1

LIST OF ATTENDEES
FEBRUARY 20, 2013, TELECONFERENCE MEETING WITH PACIFIC GAS AND ELECTRIC COMPANY REGARDING PROCESS PROTECTION SYSTEM DIGITAL UPGRADE FOR DIABLO CANYON POWER PLANT, UNIT NOS. 1 AND 2
DOCKET NOS. 50-275 AND 50-323

NRC Participants:

Headquarters:

  • Rich Stattel, Senior Electronics Engineer, Instrumentation and Controls Branch, NRR/DE
  • Bill Kemper, Senior Electronics Engineer, Instrumentation and Controls Branch, NRR/DE
  • Rossnyev Alvarado, Electronics Engineer, Instrumentation and Controls Branch, NRR/DE
  • Samir Darbali, Electronics Engineer, Instrumentation and Controls Branch, NRR/DE
  • Chris Chenoweth, Electronics Engineer (contractor), NRR/DE
  • Eric Lee, Senior Security Specialist, Cyber Security & Integrated Response Branch, NSIR/DSP
  • Mike Shinn, Security Specialist (contractor), NSIR/DSP
  • Joe Sebrosky, Senior Project Manager, Plant Licensing Branch IV, NRR/DORL
  • James Polickoski, Project Manager, Plant Licensing Branch IV, NRR/DORL
  • Christina Antonescu, Senior Staff Engineer, Technical Support Branch, ACRS

Region IV:

  • Shiattin Makor, Reactor Inspector, Engineering Branch 2, RIV/DRS

Pacific Gas and Electric Company Participants:

  • Ken Schrader, Regulatory Services
  • Scott Patterson, Program Manager
  • J. Hefler, Altran
  • R. Lint, Altran
  • Ted Quinn, Altran
  • J. Mauck, Altran
  • Roman Shaffer, Invensys
  • J. Basso, Westinghouse/CS Innovations
  • S. Karaaslan, Westinghouse/CS Innovations
  • W. Odess-Gillett, Westinghouse/CS Innovations

Public:

  • Gordon Clefion, Senior Project Manager, Nuclear Energy Institute
  • Tricia Bolian, Manager, Business Development, I&C and Electrical Systems, Areva
  • Chris Doyel, Areva *

* denotes participating via teleconference

ENCLOSURE 2

February 18, 2013 DCPP PPS Open Item Summary Table (31 pages; the table columns are: No., Src/RI, Issue Description, PG&E Response, Status, RAI No. (Date Sent), RAI Response (Due Date), and Comments)

Item 21 (RA). Status: Open. RAI No.: RAI 10 (not used; hold until response is received).

Issue Description: Westinghouse/CSI document 6116-00005, "Diablo Canyon PPS System Test Plan," states that the ALS-102 FPGA design is changed for the DCPPS System. Further, Section 5.3.3 states: "Test as many of the ALS-102 requirements as possible." Please identify what document describes the design verification test for this board.

PG&E Response: The documents that describe the design verification tests for the ALS-102 are 6116-70140, "Diablo Canyon PPS System Test Design Specification," submitted June 6, 2012, and 6116-10216, "Diablo Canyon PPS V&V Simulation Environment Specification," that will be placed on the Sharepoint by March 21, 2013 and submitted by April 11, 2013.

Comments:

01/23/2013 update: This item will remain open until the document is available to the staff.

12/19/12 update: Westinghouse/ALS will submit the documents by 12/31/2012.

10-17-12 update (Alvarado): Westinghouse/ALS will submit the documents by 10/31/2012.

9-19-12 update (Alvarado): Waiting for ALS document to be submitted at the end of September.

6-13-12 update (Kemper): PG&E understands that they need to provide an update to this response. In the meantime, PG&E and ALS have provided 2 design specifications that will address this OI. These documents are placed on the PG&E sharepoint website. Doc. No. 6116-10740 was submitted on June 6, 2012, which describes the ALS system test design specification. Doc. No. 6116-00005 was also submitted on June 6, 2012, which describes the ALS system test plan. Doc. No. 6116-10216, ALS V&V Simulation Environment Specification, will be provided in the future.

3/21/12 update: PG&E has created a share point website for NRC to review PPS design drawings that will address this issue. NRC staff will determine if they need to be submitted on the docket. PG&E will ensure the website information is only applicable to this licensing action.

NRC - the response provided does not address the question.

7/13/12 - rjs: Deleted RAI 10 pending review of revised response. Also decided to hold item open.

Item 40 (RA). Software Tools. Status: Re-OPEN.

Issue Description: In the ALS Progress Update 2012-08-01 provided to the staff, Westinghouse/CSI described that they are replacing the Automated Test Environment (ATE) from IV&V credited tools with a LabView based ALS Board Test System (ABTS). Also, in this presentation, Westinghouse/CSI noted that they are performing additional IV&V and equipment qualification tools review. Since this information needs to be reflected in the software planning documents, please identify how these items will affect Westinghouse/ALS documents related to the PPS replacement project. Also, identify what document will be revised to include a description of these modifications.

PG&E Response: The ALS Design Tool 6002-00030 requires revision to replace the ATE with the ABTS. The revised ALS Design Tool, Revision 9, document includes the ABTS tool in Section 12 and was submitted by Westinghouse to the NRC on January 18, 2013; that addresses the tools used.

Comments:

01/23/2013 update: CSI document 6002-00030 Rev. 9 is not available in ADAMS yet. Please clarify if the ATE tool is used for V&V review. This item will remain open until the document is available to the staff.

01/10/2013 update: The ALS Design Tool 6002-00030 Rev. 8 indicates that Westinghouse/CSI is using ATE. Further, Rev 7 of the 6002-00003, ALS V&V Plan, states that this plan was revised to identify ABTS as the primary board integration level test tool, replacing ATE. Please clarify the discrepancy between the response provided and the information in Rev. 8.

12/19/12 update: ALS Design Tool 6002-00030 was submitted to the NRC. NRC Staff will review this document and identify follow up questions, if necessary, creating a new open item.

10/17/12 update: Westinghouse/ALS will submit the ALS Design Tools on 10/31/2012.

Item 41 (RA). Software V&V and Test Plan. Status: Re-Open. RAI No.: RAI 24.

Issue Description: Westinghouse/ALS document 6116-0005, section 8.2, identifies the software tools to be used in the PPS replacement project. However, this list is not consistent with the list of IV&V tools identified in Section 3.6 of ALS V&V Plan 6002-00003. Specifically, the test tools identified in 6002-00003 are not listed in 6116-00005 and vice versa. For example, the V&V Plan (6002-00003) identifies the ATE tool for IV&V, but this tool is not listed in 6116-0005 Rev. 1. Furthermore, the staff reviewed 6116-0005 Rev. 0, and found that the ATE tool was listed in this version. Please clarify what software tools will be used and what document describes them.

PG&E Response: A new revision of the ALS V&V Plan 6002-00003, Revision 7, Figure 3-2, identifies the ABTS and the ISE as the IV&V test tools. This new revision was docketed October 31, 2012 on the ALS platform docket. The ATE is removed from the set of IV&V test tools. The tools listed in document DCPP PPS Test Plan 6116-00005 section 8.2 and the tools listed in DCPP PPS V&V Simulation Environment Specification, 6116-10216 (to be placed on the Sharepoint by March 21, 2013 and submitted by April 11, 2013), encompass the IV&V test tools in the new revision of the ALS V&V Plan, 6002-00003.

Comments:

01/23/2013 update: This item is to remain open because DCPP PPS V&V Simulation Environment Specification, 6116-10216, has not been submitted.

01/10/2013: See comment provided in item 40. Also, DCPP PPS V&V Simulation Environment Specification, 6116-10216, has not been submitted.

Item 48 (RA). Software V&V. Status: OPEN.

Issue Description: PG&E SyVVP, Section 6, requires that anomalies detected are identified, documented, and resolved during the V&V activities. This section states that anomaly reporting and resolution requirements are defined in the respective PG&E control procedures. Section 2, "Control Procedures," does not include a reference for an anomaly reporting procedure. Please identify the PG&E control procedure used for anomaly reporting. Further, Section 7 of the SyVVP states that the PG&E authority responsible for approving deviations from the SyVVP is the PG&E Project Manager, who will document his/her approval in a Change Notice or equivalent formal PG&E document. Please identify where the responsible PG&E authority will document its approval.

PG&E Response:

1. The PG&E control procedure for anomaly reporting is OM7.ID1, "Problem Identification and Resolution." This procedure governs the PPS replacement after it has been turned over to PG&E by the suppliers. The suppliers' anomaly reporting procedures are applicable prior to this turnover.
2. The responsible PG&E Project Manager will document approval in an SAP notification. This will be included in the revision of the SyVVP currently in progress. It is noted that Section 7 of the SyVVP states the deviation shall be incorporated into the SyVVP as a revision at the first practical opportunity.

Comments:

01/23/2013 update: Need to know when the new revision of the SyVVP will be submitted.

12/19/12: Item 2 still pending.

10/17/12 update: For item 2 - PG&E will revise the SyVVP and submit it on 11/30/2012.

9/17/12 update (Alvarado): NRC staff received copies of OM7.ID1 and XI1.ID2. This addressed item 1 of this open item.

Item 51.2. Software Configuration Management. Status: Open.

Issue Description: 1. Organization. The organization and responsibilities described in Section 4 of CF2.ID2 are not consistent with the information presented in Section 2 of SCMP 36-01. For example, Section 2 of SCMP 36-01 identifies a system coordinator, application sponsor, and system team, who are not identified in Section 4 of CF2.ID2. Further, these descriptions are not identified in the project organization described in the PG&E PPS Replacement Plan (Attachment 3 of the LAR). Please clarify the roles and responsibilities for SCM, and provide a cross reference of the PG&E organizations described in these documents.

PG&E Response 12/16/2012: PG&E will revise the SCMP plan to be consistent with the CF2.ID2 section 4 organization, including a description of additional roles and responsibilities not required by CF2.ID2, if needed.

Comments:

01/23/2013 update: Identify date for next revision.

12/17/12 update: Waiting for PG&E to revise SCMP.

10/17/12 update: PG&E will revise the SCMP to address several open items.

Item 60 (RJS, STSB). Technical Specifications: Evaluation lAP LA. Status: Open. RAI No.: RAI 39.

Issue Description: In order for the staff to make a determination that the existing technical specifications and surveillance intervals remain acceptable for the replacement PPS system, an evaluation to compare the ALS/Tricon PPS system reliability and performance characteristics with those of the Eagle 21 system must be performed.

Please provide an evaluation summary report to support the application of existing technical specification and surveillance test intervals to the upgraded ALS/Tricon based PPS system. This report is expected to include a quantitative analysis to demonstrate the new system's ability to perform its required safety functions between established surveillance intervals, as well as a qualitative (i.e., deterministic) analysis which cites the self diagnosis and fault detection features of the replacement PPS. The report should address the staff's previous findings in Section 4.3, "Applicability of WCAPs to DCPP," of Amendment No. 179, dated January 31, 2005 (ML050330315).

PG&E Response: An evaluation summary report to support application of the existing TS and TS surveillance test intervals is contained in the Westinghouse Document, "Justification for the Application of Technical Specification Changes in WCAP-14333 and WCAP-15376 to the Tricon/ALS Process Protection System," that has been placed on the Sharepoint and will be submitted by March 5, 2013. The document provides a qualitative comparison of features important to the reliability of the Tricon and ALS subsystems and the Eagle 21 system, evaluates the applicability of the WCAP-14333-P-A, Revision 1, and WCAP-15376-P-A, Revision 1, analyses to the PPS replacement configuration, and evaluates the compliance with the staff conditions and limitations contained in the NRC safety evaluations for WCAP-14333 and WCAP-15376 and Section 4.3 of Amendments 179 and 181.

Comments:

1/16/13 - Waiting for Summary Report, which is due at end of January.

Item 64 (RA). Software Management Plan. Status: Closed. RAI No.: RAI 40.

Issue Description: To close Items 27 and 29, PG&E issued the DCPPS Project Quality Assurance Plan to define the oversight activities to be performed during the PPS replacement project. Section 2 of this plan describes the responsibilities of those involved in oversight activities. However, it is not clear how these roles and responsibilities correlate to the project organization described in the PG&E PPS Replacement Plan (Attachment 3 of the LAR) and the PG&E PPS Replacement System Quality Assurance Plan (Attachment 4 of the LAR). For example, the Project Quality Assurance Plan describes the responsibilities of the PPS replacement Project Manager, but this role is not described in other documents. Further, the responsibility described seems to align with the responsibility of the PG&E Project Manager. Please explain the relationship, if any, of the roles and responsibilities described in the DCPPS Project Quality Assurance Plan and those provided in other PG&E plans.

PG&E Response: The "Quality Assurance Plan for Diablo Canyon Process Protection System Replacement" (referred to as the "Project Quality Plan" in response to OIs 27 and 29) was a project specific document created by the Quality Verification group (a Quality Assurance organization) to identify the Quality Assurance tasks to be performed by the Quality Verification group for the project. The "Quality Assurance Plan for Diablo Canyon Process Protection System Replacement" provides the specific plan to be used by the "Supervisor Project QA" identified in Section 3.5.1 (page 19) of the SyQAP and the "Project QA Engineer or Equivalent" identified in Section 3.5.8 of the SyQAP to provide PG&E quality oversight for the project, which in part supports meeting 10 CFR 50 Appendix B quality assurance requirements for the project.

The "Supervisor Project QA" is not identified in the PPS Replacement Project Plan Figure 2-1 (PPS Replacement Project Organization) because they are not part of the Project Organization, but instead provide independent quality assurance oversight of the Project Organization.

Section 6.1, "System Quality Assurance Plan (SyQAP)," of the PPS Replacement Project Plan discusses the SyQAP, which in turn references the "Supervisor Project QA" in Section 3.5.1 (page 19) and the "Project QA Engineer or Equivalent" in Section 3.5.8 to provide PG&E quality oversight for the project.

Item 65 (RJS). KVM Switch Questions. Status: Open.

Issue Description: See Attachment 3.

PG&E Response: See Attachment 3.

Item 68 (WEK). Status: Open. RAI No.: RAI 46.

Issue Description: Please provide a detailed functional description of the DCPP PPS NSR Gateway Computer(s) system, including computers/processors, communications protocols, and data isolation details. Or, please indicate where this information is explained within the LAR and supporting documents. Also, please provide a detailed explanation of the Gateway Switch discussed within the LAR, including its operating principle (hardware, logic based, etc.), data/electrical isolation design features, and any other pertinent information pertaining to its failure mechanisms.

11-28-2012 follow up question: Figure 4-13 (Pg 87) of the LAR indicates that data communications is provided directly between the SR ALS "A" & ALS "B" Protection Sets I, II, III, and IV, and the NSR Gateway Computers via RS-422 copper media (i.e., not through the Port Tap). Section 4.8.2 b) (page 110 of the LAR) states that "... All other communication to non-safety equipment, i.e., Plant Computer, is via continuous one-way communication channels on the ALS 102." Please describe how the 1E/non-1E data communication and electrical isolation is implemented within the ALS for this configuration. Also, explain how the ALS "A" & "B" inputs to the NSR Gateway Computers are isolated from each other, and the data communication protocols associated with processing this data within the Gateway Computers.

12-19-2012 follow up question: As stated in the 12-17-2012 response below, the 1E/non-1E data communications electrical isolation is not part of the ALS topical report review. Please provide a detailed explanation of how all 1E/non-1E communications data electrical isolation between the ALS processor and NSR systems will be accomplished.

PG&E Response: The DCPP Gateway computer and Gateway switch are part of an existing system that was installed by a previous project, and therefore were not included in the scope of the changes requested for approval in the LAR. Communications from the Gateway Switch to the Tricon are functionally isolated by the Triconex Communication Module (TCM) and NetOptics Model PA-CU Network Port Aggregator Tap discussed in Tricon V10 SER Section 3.7.2.1. A fiberoptic data link provides electrical isolation.

The NetOptics PA-CU Network Port Aggregator Tap was approved for this use in the Oconee RPS SER. The PA-CU prevents inbound communications from external devices or systems connected to Port 1 of the Port Aggregator from being sent to interactive Ports A and B. The Oconee SER described the methods they used to verify that Aggregator Port 1 provides one way outbound communications only. As a transmit only device, it does not listen to and is not affected by the communications protocol (or lack thereof) of the external device or system to which it is connected.

The ability of the Port Aggregator Tap to prevent inbound communications to the Tricon from its Port 1 will be verified at the Tricon V10 FAT and the SAT as previously stated in PG&E Letter DCL-12-083 dated September 11, 2012.

Updated PG&E Response 12/12/2013:

The response to OI #73 discusses the Transmit Bus TxB2 data communication path from the ALS-102 Core Logic Board to the ALS MWS. Transmit Bus TxB1 transmits data from the ALS-102 CLB to the Gateway Computer.

Both TxB1 and TxB2 are EIA-422 communication links in which Receive capability is physically disabled by hardware as described in the ALS-102 Design Specification, 6002-102002. The receiver is configured such that the transmit data is looped back for channel integrity testing. The ALS-102 is physically and electrically incapable of receiving information from outside the ALS-102 via the Transmit Busses TxB1 and TxB2. Therefore, messages are not disregarded or rejected by the ALS-102. This is better than a "broken wire." The wire just isn't there, and there is no place to connect a wire if someone wanted to do so.

Updated WEC Response 12/17/2012:

The 1E/non-1E data communication is described in the ALS Topical Report, Sections 2.2.1.3 and 5.3.2, and in 6116-00054, "Diablo Canyon PPS ISG04 Matrix," Position 2. The electrical isolation qualification of the 1E/non-1E data communication is not part of the ALS Platform review project, and will be qualified with an isolation fault test that will be conducted 1st quarter 2013 per IEEE Std 384-1992, "IEEE Standard Criteria for Independence of Class 1E Equipment and Circuits," and Regulatory Guide 1.75, "Criteria for Independence of Electrical Safety Systems." A supplemental test report will be issued 2nd quarter 2013.

Comments:

12-19-2012 update: Response did not answer the question about providing a functional description of the DCPP PPS NSR Gateway computers. The staff needs to understand how the Gateway computer and the Gateway Switch communication protocols will not corrupt the data signals coming from the ALS Protection sets 1-4 and not impact the execution of the ALS safety function. A detailed response to this question is needed in the LAR or supporting documents. See 12-19-2012 follow up question re: electrical isolation for the DCPP PPS ALS.

11-28-12 update: See 11-28-2012 follow up question.

Item 69 (WEK). Status: Open. RAI No.: RAI 47.

Issue Description: Please provide a detailed explanation of the application programs contained within the Tricon and ALS MWS computers, including how they will be used to support or enhance the performance of the PPS safety function, provide required maintenance, surveillance, etc. Or, please indicate where this information is explained within the LAR and supporting documents.

Comments:

12-19-2012 update: The DCPP PPS ALS MWS will not be approved via the ALS topical report. Therefore, the information requested is needed to address the regulatory criteria of ISG-04, Position 1, Point 3. W/ALS document 6116-00054, Rev. 0, Diablo Canyon PPS ISG-04 Matrix, does not address this subject in its response to Point 3. Please address this question for ALS. Tricon response is acceptable. Please add this to the LAR/Tricon V10 ISG-04 compliance matrix document.

11-28-12 update: Additional clarification was provided, so the question was rephrased.

1/24/2013 Updated PG&E Response:

The non-safety communications between the PPS controllers and their respective, dedicated MWS units improve PPS maintainability and thus reliability, enabling on-line surveillance testing, calibration, and maintenance. Risk of challenging plant safety systems is reduced through the ability to test in bypass rather than requiring test in trip.

The online Tricon and ALS non-safety communications capability provides real-time, online data and status information on the Plant Process Computer and in the Control Room that are required to perform maintenance, calibration and testing. Without the online data links from the Tricon and ALS to the MWS and the Plant Process Computer/Plant Data Network, only the control board indicators and recorders would be available to provide a "window" on the PPS. System trouble alarms would still be generated by the PPS on the Main Annunciator System, but without the alarm monitor and other data display capabilities provided by the MWS, there would be no direct means to determine the specific cause of an alarm.

Lack of access to real-time, continuous, on-line PPS status data and diagnostic information introduces delay into PPS trouble identification and resolution, and substantially degrades the maintenance effectiveness and timeliness enabled by the diagnostic features built into the platforms and the application programs. The ability to make online use of the information provided by redundant, real-time data communications to the MWS and to the plant process computer improves PPS reliability and thus supports and enhances safety through providing timely diagnostic information and status details that assist performance of required trouble-shooting, maintenance, and surveillance activities.

The network switches between the Port Aggregator taps and the MWS ensure that Tricon multicast operation will continue if the Tricon MWS were to cease communications. The network switches are redundant to ensure continued Tricon multicast operation on failure of a single Tricon network link.

The application programs contained in the ALS and Tricon MWS units provide the following functionality:

A. Westinghouse/CSI ALS Maintenance Workstation

The on-line ALS MWS is required to maintain the ALS, including surveillance testing per the Technical Specifications, calibration, and other required maintenance, and is similar in effect to the existing, approved Test in Bypass capability. The diversity design of the ALS enables either (but not both) Chassis "A" or Chassis "B" in a protection set to be bypassed for maintenance or testing while the other chassis remains fully operational (although, in the bypassed condition, certain post-accident monitoring functions may not be available; this may be controlled administratively).

Without the flexibility provided by the ALS diversity design, Technical Specifications would require tripping all the channels associated with the chassis when removing a given protection set ALS chassis from service. In turn, this would make up one channel in the coincidence logic for all channels in the affected ALS protection set. Such action increases the risk of inadvertently challenging plant safety systems were another channel to trip with the ALS protection set out of service.

1. Microsoft Windows XP Service Pack 3 operating system
2. ALS Service Unit (ASU) Application

The ALS MWS will utilize Microsoft Windows based Westinghouse/CSI ALS Service Unit (ASU) software that is described in the ALS Topical Report Section 2.6.3.

The ALS Service Unit (ASU) is the primary tool used when accessing a particular ALS system in operation. The ASU provides plant personnel access to advanced features of the ALS system such as system diagnostics, post-trip analysis, monitoring real-time operation, and assistance in performing user-initiated test, calibration and maintenance operations.

The DCPP PPS Replacement MWS will be mounted permanently in the PPS rack containing the PPS in a manner similar to that shown in ALS Topical Report Figure 2-25; however, ASU functions that use interactive Test ALS Bus (TAB) communications will be available: (1) only when the TAB is physically connected to the ALS MWS by qualified personnel under administrative controls; and (2) only on one ALS "A" or "B" subsystem at a time.

The TAB from ALS-102 Chassis "A" and Chassis "B" is provided with individual EIA-485 ports on the ALS Maintenance Workstation computer.

The ASU ensures that the correct TAB is connected to the respective EIA-485 port when the TAB is enabled.

The main features of the ASU are:

  • State Information - Provides monitoring of real-time operation, including all I/O signals as well as detailed status information from debugging registers. The advanced monitoring capabilities enable fast system diagnostics and troubleshooting.
  • System and Board Information - Provides detailed information about the configuration of an ALS system, including board FPGA programming, board build information, and board configuration.
  • Blackbox - The ASU includes a so-called "blackbox" functionality where all events of an ALS system are transmitted by the ALS-102 CLB Transmit Bus TxB2 to the ASU for storage and subsequent retrieval. This allows plant personnel to inspect the ALS system's reaction to a past event.

The blackbox function enhances ALS reliability and therefore safety by helping to reduce the time required to pinpoint the cause of a series of events. The ASU must be connected to the ALS via the Transmit Bus TxB2 during an event in order to capture and store the event via the blackbox function. Given the difficulty in predicting when an event will occur, the ASU should be connected to the ALS chassis via Transmit Bus TxB2 and receiving data during online operation in order to benefit from this capability.

  • Test - Application specific periodic surveillance tests can be implemented to be performed through the ASU. Based on the needs of the application, features may be implemented in the CLB that allow surveillance testing to be performed and/or monitored through the ASU.
  • Calibration - The ASU is used to read out and change application Setpoints and channel calibration coefficients. The CLB holds the application Setpoints and, according to the application, it will allow the ASU to modify these Setpoints. The ASU is also used during input/output channel calibration, where it is used for selecting the board and board channel to be calibrated and to change calibration coefficients based on the readings received on an external calibrator.

Operation of the ASU is passive and non-intrusive, i.e., it can only modify the safety system tunable parameters stored in NVM for which it is designed (i.e., input/output calibration coefficients, set points and tuning constants). It is not possible to modify the safety algorithm or logic using the ASU. All communications initiated by the ASU take place on the TAB, and only when the TAB is physically connected between a protection set ALS and its dedicated MWS. No RAB interruption is possible, effectively isolating the ASU from ALS safety functions.

3. ALS Parameter Display The ASU also provides a passive parameter display function using one-way ALS-102 EIA-422 Transmit Bus TxB2. The ALS parameter display function allows the MWS to display parameters transmitted to it online by the one-way TxB2 transmit bus described in ALS Topical Report Section 2.2.1.3.

The parameter display function does not require the TAB to be connected.

The ASU parameter display function is a Visual C++ based application developed for the Microsoft Windows API using Microsoft Foundation Class (MFC) libraries to provide graphical user interfaces for displaying ALS system status on the MWS and for providing user controlled access to the ALS controllers for performing maintenance operations such as calibration.

Upon start-up, the application establishes a dedicated serial port connection to the MWS RS-422 serial communication card port that is connected to the ALS-102 unidirectional one-way TxB2 output in each ALS chassis "A" and "B". These dedicated MWS serial ports receive ALS system status at a rate of 10 Hz (i.e., once every 100 ms).

Upon establishing the dedicated serial port connection on the MWS, the ASU parameter display function spawns a software thread to receive, validate, and store the data received from the respective ALS-102 TxB2.

Validation of the received data consists of checking the packet header contents, checking packet length, performing a CRC check on the packet contents, and then comparing the calculated CRC with the CRC inside the TxB2 packet. If the data received by the parameter display application is invalid (i.e., invalid CRC), the application indicates the issue on its graphical user interface (GUI) and an entry is made in the application status log. If the data received by the parameter display application is valid, the application records the ALS system status in a data class which contains methods that are called by the different GUIs to extract and display the specific ALS system status.

Malfunctions of the ASU parameter display function cannot adversely affect ALS safety system operation because EIA-422 communications between the ALS and the ALS MWS via TxB2 are strictly one-way from the ALS-102 to the ALS MWS and the EIA-485 TAB is physically disconnected except for brief periods when the TAB for either ALS "A" or "B" is connected to the MWS for maintenance under administrative control by trained technicians.
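The receive-validate-store sequence described above (header check, length check, CRC check, then either a log entry or a store into the status data class), written out as an added illustration for this summary; it is not ALS or ASU code. The frame layout used here (a two-byte header marker, one length byte, the payload, and a big-endian CRC-16/CCITT over the preceding bytes), the size limit, and every function and class name are assumptions made for the example; the real TxB2 packet format is defined in the ALS design documents cited in the response, not here.

```python
"""Receive-validate-store handling for a one-way status stream.

Added illustration of the ASU parameter display validation sequence
(header, length, CRC, then log or store). Not ALS/ASU code. The frame
layout below is an ASSUMPTION chosen for the example: 2-byte header
marker, 1-byte payload length, payload, big-endian CRC-16/CCITT over
everything that precedes the CRC.
"""
import struct
from dataclasses import dataclass, field
from typing import List, Optional

HEADER = b"\xa5\x5a"   # assumed start-of-frame marker
MAX_PAYLOAD = 64       # assumed upper bound on the status payload


def crc16_ccitt(data: bytes, poly: int = 0x1021, init: int = 0xFFFF) -> int:
    """Bitwise CRC-16/CCITT-FALSE; no external dependency needed."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            if crc & 0x8000:
                crc = ((crc << 1) ^ poly) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
    return crc


def build_frame(payload: bytes) -> bytes:
    """Transmitter side: header + length + payload + CRC."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload too long")
    body = HEADER + bytes([len(payload)]) + payload
    return body + struct.pack(">H", crc16_ccitt(body))


def validate_frame(frame: bytes) -> Optional[str]:
    """Return None for a valid frame, otherwise the reason it was rejected.

    Checks run in the order the summary describes: header contents,
    packet length, then the CRC calculated over the packet compared
    with the CRC carried inside the packet.
    """
    if len(frame) < 5:
        return "too short"
    if frame[:2] != HEADER:
        return "bad header"
    length = frame[2]
    if length > MAX_PAYLOAD:
        return "length out of range"
    if len(frame) != 3 + length + 2:
        return "length mismatch"
    calculated = crc16_ccitt(frame[:-2])
    received = struct.unpack(">H", frame[-2:])[0]
    if calculated != received:
        return f"bad CRC (calculated {calculated:04X}, received {received:04X})"
    return None


@dataclass
class StatusStore:
    """Stand-in for the data class the GUI screens read status from."""
    latest_payload: Optional[bytes] = None
    accepted: int = 0
    gui_fault: bool = False            # what the GUI would indicate
    status_log: List[str] = field(default_factory=list)

    def handle(self, frame: bytes) -> bool:
        """Receive-thread body for one frame: validate, then log or store."""
        reason = validate_frame(frame)
        if reason is not None:
            self.gui_fault = True
            self.status_log.append(f"rejected frame: {reason}")
            return False
        self.latest_payload = frame[3:-2]
        self.accepted += 1
        return True


def demo() -> dict:
    """Constructed traffic: one good frame, one corrupted, one truncated."""
    store = StatusStore()
    good = build_frame(b"\x01\x00\x7f\x10")   # constructed status bytes
    corrupted = bytearray(good)
    corrupted[4] ^= 0x40                       # flip one payload bit
    truncated = good[:-1]                      # lost the last CRC byte
    return {
        "good": store.handle(good),
        "corrupted": store.handle(bytes(corrupted)),
        "truncated": store.handle(truncated),
        "accepted": store.accepted,
        "log": list(store.status_log),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the ordering is that cheap structural checks (header, length) reject malformed input before the CRC is computed, and that a rejected frame changes nothing in the stored status; only the log and the GUI fault indication record it, which is what lets a technician see a link problem without the display ever showing corrupted values as if they were real.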

4. One way TxB1/TxB2 Communications Transmit Bus TxB1 transmits data from each ALS chassis "A" and "B" ALS-102 CLB to the Gateway Computer. Transmit Bus TxB2 transmits data from each ALS chassis "A" and "B" ALS-102 CLB to dedicated EIA-422 ports on the ALS MWS. Both TxB1 and TxB2 are EIA-422 communication links in which Receive capability is physically disabled by hardware as described in the ALS-102 Design Specification, 6002-102002. The receiver is configured such that the transmit data is looped back for channel integrity testing. The ALS-102 does not disregard or reject external messages; rather, the ALS-102 is physically and electrically incapable of receiving external messages via the Transmit Busses TxB1 and TxB2. In effect, this is the same as the data isolation achieved by a "broken wire." Interdivisional communications between the MWS and the ALS are also described in ALS Topical Report section 5.3.
5. TAB Disconnect TAB communications are enabled by physically connecting the TAB to the respective MWS EIA-485 port under administrative control by trained technicians. TAB communications are disabled when not needed by physically disconnecting the TAB from the MWS. The ASU is connected to and communicates with the ALS via the TAB only when required to calibrate the ALS, normalize RCS flow coefficients, perform surveillances required by Technical Specifications, as well as to troubleshoot and otherwise maintain the ALS. The diverse ALS subsystem whose TAB has not been enabled will continue to perform its safety function without impact. An ALS trouble alarm is initiated on the Main Annunciator when the TAB is enabled. The non-safety communications provided by the Transmit busses will allow the operator to ascertain quickly the cause of the alarm, if the operator is not already aware of the maintenance activity being performed under procedural control.

TAB communications are described in ALS Topical Report Section 5.2.

6. Electrical Isolation The Transmit Bus TxB1 and TxB2 1E/non-1E data communication is described in the ALS Topical Report, Sections 2.2.1.3 and 5.3.2; and in 6116-00054, "Diablo Canyon PPS ISG04 Matrix", Position 2. The electrical isolation of the Transmit Busses is performed by magnetic couplers located on the ALS-102 CLB. The TxB isolators are described in 6002-10202, "ALS-102 Hardware Design Specification," Section 3.9.1.

Fault isolation occurs by way of board mounted transient voltage suppressors, board mounted fuses, and external fuses.

Qualification of the 1E/non-1E data communication is not part of the ALS Platform review project, and will be qualified with an isolation fault test that will be conducted 1st quarter 2013 per IEEE Std 384-1992, "IEEE Standard Criteria for Independence of Class 1E Equipment and Circuits" and Regulatory Guide 1.75, "Criteria for Independence of Electrical Safety Systems." A supplemental test report will be issued 2nd quarter 2013.


B. Triconex Maintenance Workstation

The Tricon MWS will implement four Microsoft Windows based application programs: (1) Invensys WonderWare InTouch PPS application; (2) TriLogger; (3) Tricon Diagnostic Monitor; and (4) TriStation 1131 (TS1131) Developers Workbench Version 4.9.0.

1. Microsoft Windows XP Service Pack 3 operating system
2. WonderWare InTouch PPS Application The WonderWare InTouch application provides online display of selected PPS internal parameters and trouble alarm details. The WonderWare InTouch application also is used for maintenance of individual PPS instrument channels in conjunction with the hardwired OOS switches that have been discussed in the response to other Open Items. The MWS WonderWare InTouch application will be the tool normally used to determine the specific cause of an alarm. The Main Annunciator System only displays system level alarms. The MWS InTouch application contains an alarm monitor, which is a troubleshooting aid that provides a detailed, specific display of the alarms generated by the Tricon PPS application.
3. Non-Safety Tricon Communications Communications from the Tricon to external non-safety systems are functionally isolated by the Triconex Communication Module (TCM) and NetOptics Model PA-CU Network Port Aggregator Tap discussed in Tricon V10 SER Section 3.7.2.1. A fiberoptic data link provides electrical isolation.

The PA-CU prevents inbound communications from external devices or systems connected to Port Aggregator Port 1 from being sent to interactive Ports A and B. Port 1 is a transmit-only port that does not listen to and is not affected by the communications activity generated by the external device or system to which it is connected.

Port Aggregator port 1 will provide one-way data to the Gateway Computer via the Gateway Switch. The Gateway Computer transmits the data to the Plant Process Computer for use in the Control Room by the operators. The Gateway Computer and Gateway Switch were installed by another project.

The Plant Process Computer is an existing system.

4. Triconex TriLogger The TriLogger software provides the ability to record, display, play back and analyze data from the Tricon system. Data can be viewed in real-time on the MWS. The TriLogger provides data trending and analysis capabilities and can be configured to trigger on specific events to log detailed data to aid technicians in isolating, diagnosing, and troubleshooting problems.

However, the TriLogger must be connected and running at all times to perform these functions.

5. Tricon Diagnostic Monitor Utility The Tricon Diagnostic Monitor utility displays Tricon system and module status by mimicking the actual Tricon chassis and slots, so that the user can find the exact location (chassis number and slot number) of a module that may be experiencing a fault or other problem. The Tricon Diagnostic Monitor Utility improves reliability by aiding rapid troubleshooting and fault location at the Tricon system level.
6. Startup Delayer Startup Delayer delays WonderWare startup until DDE Server has initialized. Otherwise, WindowViewer may start up first and never connect to DDE Server.
7. TriStation 1131 (TS1131) Developers Workbench TriStation 1131 is a PC-based application development workstation that provides a comprehensive set of development, test, monitor, validation and diagnostic tools for Triconex Programmable Logic Controllers (PLC). The TS1131 program is utilized to maintain the PPS application program and may also be used for monitoring and troubleshooting purposes. The TS1131 program is described in the Tricon V10 SER Section 3.1.3.2.


The TS1131 tool will be installed on the MWS. However, the TS1131 tool will not normally be running while the Tricon is performing its safety function [Tricon V10 SER Section 3.10.2.9]. If the TS1131 workstation is connected during online safety operation for maintenance or troubleshooting purposes, its use will be controlled via administrative controls and qualified maintenance personnel.

Write access to the operating Tricon is governed by the controller keyswitch.

With the keyswitch in the RUN position, use of the TS1131 program is limited to read only access to the Tricon. Parameters may be examined, and application program logic operation may be observed in real time, but changes are not possible. The TS1131 program can only write to the Tricon when the controller keyswitch is in the PROGRAM position. With the keyswitch not in RUN, the PPS application will initiate an alarm on the Main Annunciator system and the affected PPS set will be declared inoperable with respect to its safety function.

Regardless of whether the keyswitch has been deliberately manipulated or whether the condition is the result of Tricon hardware or software failure, the internal Tricon diagnostics will detect a "keyswitch not in RUN" condition and the PPS application program will initiate a PPS Trouble alarm on the Main Annunciator System. When the "keyswitch not in RUN" condition exists, the affected Tricon is considered to be INOPERABLE with respect to its safety function. The operator would enter the appropriate Technical Specification LCO upon determination that the PPS trouble alarm was caused by the "keyswitch not in RUN" condition.

The condition could be active in multiple Tricon protection sets because it could occur as a result of common cause Tricon failure. Even with the "keyswitch not in RUN" condition existing in multiple protection sets, negative impact is limited because on-line maintenance will normally be performed in one protection set at a time, and each Tricon protection set has its own dedicated, independent MWS. Therefore, only one Tricon protection set at a time would be configured physically to make software changes. If the TS1131 is not connected and running, changes cannot occur even if the "keyswitch not in RUN" condition exists. That is, the mere existence of the "keyswitch not in RUN" condition does not initiate changes.

Intentional action by a trained, knowledgeable individual is also required.

Given the PPS trouble alarms that would be active in all affected protection sets, it is highly unlikely that unintended changes could occur.

If a PPS Trouble alarm were to occur on the Main Annunciator System due to the "keyswitch not in RUN" condition, regardless of the cause, the operator would notify DCPP Maintenance. In the absence of the detailed alarm monitoring provided by an on-line MWS (via the TCM NET2 interface), the maintenance technicians would be required to obtain work orders, gain access to the affected protection set, connect and boot the MWS, and only then could begin to determine the cause of the alarm. The alarm information would not be available if the alarm were due to a transient condition that cleared between the time the condition initiated and when the MWS was operational. Diagnosis of the condition could be delayed for several hours. With the on-line MWS and the alarm monitor function, the condition, whether caused by intentional manipulation of the Tricon controller keyswitch or by a hardware or software failure involving the keyswitch, would be identified immediately.

As with the ALS, the on-line Tricon MWS is essential to maintain the Tricon safety function, including surveillance testing per the Technical Specifications and other required maintenance and is equivalent to the existing, approved Eagle 21 Test in Bypass capability. The MWS is required to bypass channels for testing. Removing a Tricon from service during such routine maintenance would require tripping all the channels in that protection set, which would make up one channel in the coincidence logic for all channels in the protection set. This condition increases the risk of challenging plant safety systems should another channel trip inadvertently with the protection set out of service.
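The risk argument made for both the ALS (above, under A) and the Tricon here is that placing a protection set's channels in trip for maintenance uses up one vote in the coincidence logic, so a single further spurious trip actuates the function, whereas bypassing a channel leaves the margin intact. The following is an added illustration of that reasoning, not PPS logic; the 2-out-of-4 voting arrangement, the channel states and all names are assumptions chosen for the example, since the summary does not state the coincidence used for any particular function.

```python
"""Coincidence-vote margin: tripping a channel for maintenance versus
bypassing it.

Added illustration of the risk argument in the summary; not PPS logic.
The 2-out-of-4 arrangement is an ASSUMPTION made for the example.
"""
from enum import Enum
from typing import Dict, List, Optional


class Channel(Enum):
    NORMAL = "normal"        # healthy channel, not calling for trip
    TRIPPED = "tripped"      # channel placed in trip (or spuriously tripped)
    BYPASSED = "bypassed"    # channel removed from the vote for test/maintenance


def votes(states: List[Channel]) -> int:
    """Number of channels currently voting for actuation."""
    return sum(1 for s in states if s is Channel.TRIPPED)


def actuates(states: List[Channel], required: int = 2) -> bool:
    """True when the coincidence logic is satisfied."""
    return votes(states) >= required


def spurious_trips_to_actuate(states: List[Channel], required: int = 2) -> Optional[int]:
    """How many further inadvertent trips of NORMAL channels would actuate
    the function. None means the function can no longer be satisfied with
    the channels remaining in service, i.e. the protection itself is lost."""
    available = sum(1 for s in states if s is Channel.NORMAL)
    needed = max(required - votes(states), 0)
    return needed if needed <= available else None


def compare_maintenance_strategies(n_channels: int = 4, required: int = 2) -> Dict[str, Optional[int]]:
    """Margin (additional spurious trips before actuation) for each strategy."""
    all_normal = [Channel.NORMAL] * n_channels
    one_tripped = [Channel.TRIPPED] + [Channel.NORMAL] * (n_channels - 1)
    one_bypassed = [Channel.BYPASSED] + [Channel.NORMAL] * (n_channels - 1)
    return {
        "all in service": spurious_trips_to_actuate(all_normal, required),
        "one channel tripped for maintenance": spurious_trips_to_actuate(one_tripped, required),
        "one channel bypassed for maintenance": spurious_trips_to_actuate(one_bypassed, required),
    }


if __name__ == "__main__":
    for strategy, margin in compare_maintenance_strategies().items():
        print(f"{strategy:38s} -> {margin} more spurious trip(s) would actuate")
```

With the assumed 2-out-of-4 logic the tripped-channel strategy leaves a margin of one spurious trip, while the bypass strategy keeps the margin at two with three channels still voting; the function also reports None when so many channels are bypassed that the coincidence can no longer be met, which is the opposite failure mode a maintenance procedure has to guard against.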



70 WEK KVM Switch Question 1 (Status: Open; RAI 48)

Issue Description: If the Enumerated USB switching function is used, will you be able to use the Keyboard hotkeys and mouse buttons to perform switching? The KVM Switch brochure seems to indicate on page 3 that the Enumeration switching process will not enable control switching using the USB keyboard or mouse. However, it further says that Emulation USB switching was developed to support these enhanced monitor switching functions/devices (keyboard hotkeys or mouse buttons) .... Albeit, other USB devices (e.g., printer) do not need to use the Emulated USB switching function. Could you please clarify this point.

PG&E Response: The USB1 and USB2 ports, which use enumerated switching, pass data straight through the KVM switch without interpretation. Therefore, you cannot connect a keyboard to USB1 or USB2 and use the hotkeys to perform switching, and USB1 and USB2 traffic cannot cause an inadvertent switch. The block diagram shows the output of the emulated portion of the switch and the enumerated portion going to a USB hub before being sent to the computer. The keyboard and mouse will use the emulated switching function, not the enumerated switching function; only the keyboard and mouse can control the switch.

Comments: 11-28-12 update: Response Okay. Leave open until the KVM Switch information is provided within the LAR revision.

71 WEK KVM Switch Question 2 (Status: Open (Hold); RAI 49)

Issue Description: Will the KVM switch be on-line 24-7 monitoring data from either the Tricon or the ALS platform? If so, what can we say about the failure modes of the KVM switch? Can it fail in such a manner so as to inject faults into the MWS computers, and hence into the Tricon or ALS safety system processors? If not, why? If so, what can be done to circumvent this problem, and show conformance with ISG-04, Points 10 & 11? We will need to cover this matter in the SER.

10-17-12 Update: Response below did not answer the question regarding failure modes of the KVM switch ... agree that it is Okay to lose the Tricon but I do not see how the ALS is protected due to its "inherent 1-way communications" design. Please explain this further.

12-19-2012 Update question: In order for the staff to verify the response below regarding the ALS-102 Core Logic Board's one-way communications design attributes the staff will need to review the ALS-102 Design Specification document 6002-10202, and any other documents that explain this key design feature for the ALS Platform portion of the PPS (e.g., 6116-00100, PPS ALS to ASU Communications Protocol??). ALS document 6002-10102 has not been submitted on the docket for staff review of the ALS Platform Topical Report. Therefore, please submit this document (and any others that explain this communications protocol) on the docket as part of the PPS LAR review.

PG&E Response: The KVM switch will be on-line 24-7 for monitoring data from either the Tricon or ALS platform via the respective MWS computers. There is additional isolation because the ALS communicates strictly one way to its MWS except when TAB communications are enabled by connecting the TAB cable. Connection of the TAB is performed as directed by trained technician using an approved procedure. Therefore, if the KVM switch failed in some way to connect the two MWS together, the ALS would not be affected. The Tricon might be affected, but the D3 analysis allows the Tricon to fail due to CCF.

The following paragraphs have been added to the IRS Section 2.3.7:

b. The KVM switch shall permit only connections between a single computer and the selected video display and HMI interface devices. Connection between the computers shall not be permitted.

g. The AV4PRO-VGA KVM switch shall utilize the default switching mode, in which the video display, keyboard and mouse and the enumerated USB ports are all switched simultaneously.

Paragraph g was necessary to prevent the enumerated ports from being switched separately from the KVM.

Added PG&E Response 12/16/2012:

During normal, non-maintenance operation, the ALS communicates one-way to its dedicated MWS computer via Transmit Bus TxB2 as discussed in the response to OI #73. Inter-divisional safety to non-safety communications are addressed in ALS Topical Report Section 5.2.3. The TxB2 data communication paths from the ALS-102 Core Logic Board to the ALS MWS computer is a EIA-422 communication link in which Receive capability is physically disabled by hardware as described in 6002-102002, the ALS-102 Design Specification. The receiver is configured such that the transmit data is looped back for channel integrity testing. The ALS-102 is physically and electrically incapable of receiving information from outside the ALS-102. Therefore, the ALS cannot be affected by a malfunction in the dedicated MWS computer associated with an ALS protection set regardless of whether the malfunction is caused by KVM switch malfunction or by malfunction of the MWS computer itself.

WEC Response 12/17/2012:

The 1E/non-1E data communication is described in the ALS Topical Report, Sections 2.2.1.3 and 5.3.2; and in 6116-00054, "Diablo Canyon PPS ISG04 Matrix", Position 2. The electrical isolation qualification of the 1E/non-1E data communication is not part of the ALS Platform review project, and will be qualified with an isolation fault test that will be conducted 1st quarter 2013 per IEEE Std 384-1992, "IEEE Standard Criteria for Independence of Class 1E Equipment and Circuits" and Regulatory Guide 1.75, "Criteria for Independence of Electrical Safety Systems." A supplemental test report will be issued 2nd quarter 2013.

Comments: 12-19-2012 update: The staff will review 6002-10202 and determine if this document provides the information requested. Nonetheless, PG&E needs to address the inherent 1-Way communications design and communications protocol of the 102 board in detail within this OI as it relates to the DCPP PPS. Also, need to update the LAR to cover the portions not being addressed in the ALS TR SER, i.e., 1E/non-1E data communications electrical isolation for ALS. See follow up question for OI 68. 11-28-12 update: ALS ISG-04 compliance was submitted, and Westinghouse thinks that this will answer this question. PG&E needs to respond to 10-17-12 update in the description section. Leave open until the KVM Switch information is provided within the LAR revision. 10-17-12 Update: Note: "IRS" is the Interface Requirements Specification (Attachment 8 of the LAR).

72 WEK KVM Switch Question 3 (Status: Open; RAI 43)

Issue Description: Also, you will likely need to address how you will disable the features you are not using such as the audio interface, unused USB ports, remote control/channel switching by external control from an SDOE perspective, and probably a cyber security perspective later on (after SER).

10-17-12 Update: The methods used to block Ports in the KVM Switch must be addressed in the LAR revision. Block all unused Ports and keep any that may need to be reopened under design or configuration control. Again, we need a detailed explanation of how this 1-way design feature will prevent the KVM switch failures from affecting the ALS system.

PG&E Response: Specific answers to these questions depend on the detailed design. Ports can be physically blocked, which might be appropriate for unused computer ports and the audio ports. It might not be appropriate for the unused USB port (which may be needed for a future printer) and the options port (which may be needed for firmware updates). Remote control switching or firmware update requires a custom serial cable. The firmware update requires specialized software on the computer being used to perform the update. Firmware update will be done by procedure. The MWS will be inside a locked cabinet inside a vital area inside the protected area.

Inadvertent actions, while not impossible, will not be easy. If the switch is somehow manipulated, the ALS will not be affected even if the KVM switch fails because the ALS communicates only one-way with the MWS except for short periods when the TAB is enabled.

Revised PG&E Response 12/16/2012:

PG&E will physically block the audio port, USB Port 2 and unused computer ports. Physical blocks will be verified at SAT and controlled thereafter by the SCMP. PG&E considers that opening any of the unused ports for use after the SAT is a modification of the physical plant configuration that will require an engineering design change.

Comments: 12-19-2012 update: response acceptable; however, this information needs to be provided in the LAR. Also, address how this will be maintained by the DCPP Configuration Management Process. Or, this information could be included in the next LAR update - need to decide which path is desired. 11-28-12 update: PG&E needs to respond to 10-17-12 update in the description section. Leave open until the KVM Switch information is provided within the LAR revision.

73 WEK KVM Switch Question 4 (Status: Open; RAI 44)

Issue Description: If the KVM switch does fail in some manner allowing data flows between the two platforms, then the ALS system would not be affected because the ALS platform will only transmit data in one direction to its MWS (with the TAB cable disconnected of course).

This is good, however, the LAR (or attachments) need to explain how the engineering design principles of the ALS platform physically prevent bad/erroneous data from corrupting the ALS platform. In other words, explain how these messages emanating from the MWS (regardless of origin) will be disregarded/rejected by the ALS platform thus allowing only one direction of data flow.

10-17-12 Update: The ALS-102 Design Specification document 6002-10202 has not yet been submitted to the NRC. When will it be submitted?? Will this EIA-422 (or is it RS-422 per Fig. 4-13 in the LAR) communication link (twisted pair copper wire) also serve as the 1E/non-1E isolation devices as required by IEEE 603, Clause 5.6.3 and IEEE 7-4.3.2, Clause 5.6?? Please clarify.

11-28-2012 Update: Still need more information re: 1E/non-1E isolation of the ALS-102 board.

PG&E Response:

Revised PG&E Response 12/16/2012: The design of the TxB1 and TxB2 data communication paths from the ALS-102 Core Logic Board and the Gateway Computer and MWS, respectively, are EIA-422 communication links in which Receive capability is physically disabled by hardware as described in 6002-102002, the ALS-102 Design Specification. The receiver is configured such that the transmit data is looped back for channel integrity testing. The ALS-102 is physically and electrically incapable of receiving information from outside the ALS-102. Therefore, messages are not disregarded or rejected by the ALS-102. This is better than a "broken wire." The wire just isn't there, and there is no place to connect a wire if someone wanted to do so.

Updated PG&E Response 12/16/2012: Per the 10/17/2012 update, NRC is correct regarding the typographical error in Section 2.4.13.5 on page 90 of the LAR. The correct ALS-102 Design Specification document number per LAR Reference 94 is 6002-10202.

Per the 11/28/2012 update, RS-422 is the common short form title of American National Standards Institute (ANSI) standard ANSI/TIA/EIA-422-B Electrical Characteristics of Balanced Voltage Differential Interface Circuits. This technical standard specifies the electrical characteristics of the balanced voltage digital interface circuit. For the purposes of the LAR, the two designations are equivalent and may be used interchangeably.

The document 6002-10202, in reference 94 is the correct document.

Comments: 12-19-2012 update: Hold. As discussed in the 10-17-2012 update for this OI, and the 12-19-2012 Follow up Question for OI 71, the staff needs ALS Design Specification document 6002-10202 submitted for its review in order to resolve this OI. This OI will be placed on Hold until the documents are received on the docket. 11-28-2012 update: PG&E needs to respond to 11-28-12 update in the description section. PG&E needs to respond to 10-17-12 update in the description section. 10-17-12 Update: there is a typo in section 2.4.13.5 on page 90 of the LAR. The first paragraph references ALS doc. 6002-61202 (typo) as the document that explains how the EIA-422 communication channels on the ALS-102 are electrically isolated and inherently 1-way communications capability only.

74 WEK KVM Switch Question 5 (Status: Open; RAI 50)

Issue Description: Please explain in detail how "Connection between the computers shall not be permitted." Will this be handled via a configuration control process, administrative controls, or a physical means of preventing connection between computers?

PG&E Response: This section was intended to be a functional requirement for the KVM switch. Administrative and configuration controls will prevent inadvertent loading of an EPROM image that could corrupt operation of the KVM switch. If the KVM switch fails and connects the ALS and Tricon MWS together, the above-described physical and electrical restrictions of the KVM switch will prevent the ALS from being corrupted by its MWS computer.

Comments: 11-28-12 update: Leave open until the KVM Switch information is provided within the LAR revision. 10-17-12 Update: Response is Okay, but the LAR revision will need to expand further on this matter to explain how these controls will provide this protection.

75 RJS ALS Security Plan (Status: Open; No RAI)

Issue Description: Document 6002-00006 references the CS Innovations Cyber security plan document (Reference 7) which is not docketed. Without having access to this referenced document, the staff is unable to confirm implementation of the system security requirements. We need to discuss if this document can be made available on the share point or if it can be made available during the audit.

In addition CS-00013-GEN, Development Environment Evaluation Report-CS Innovations Isolated Development Infrastructure might be another document of interest to the staff. It seems that this document would provide evidence that the actual development environment was in fact secure. This document was not docketed.

PG&E Response: Westinghouse can make available during the audit both CSI document 9000-00360, "CS Innovations Cyber Security Plan" and WNA-CS-00013-GEN, "Development Environment Evaluation Report - CS Innovations Isolated Development Infrastructure."

Comments: Note: RJS - This is an NSIR ALS audit item. We will hold open pending the outcome of the February audit.

79 | RA | Status: Open

Issue: Invensys to confirm that the following terms are not used, and that they will be removed from their plans and replaced with the correct terms.

  • Test Review Board
  • Test Case Incident Report
  • Master Configuration Checklist
  • Configuration Database

PG&E Response: The following Invensys documents were revised to reflect correct terminology and placed on the Invensys SharePoint on December 22, 2012:

  1) 993754-1-905, Project Management Plan
  2) 993754-1-906, Software Development Plan
  3) 993754-1-909, Software Configuration Management Plan
  4) 993754-1-813, Validation Test Plan

The revised documents will be submitted by PG&E by March 21, 2013.

Comments: 01/23/2013 update: These documents were posted on the Invensys SharePoint 01/22/2013. 12/19/12: item open until new document revisions are submitted.

80 | RA | Status: Open

Issue: Invensys to revise its plans to reflect the current project organization.

PG&E Response: The Invensys Project Management Plan (PMP), 993754-1-905, was revised to reflect the current project organization and placed on the Invensys SharePoint on December 22, 2012. The revised PMP will be submitted by PG&E by March 21, 2013.

Comments: 01/23/2013 update: These documents were posted on the Invensys SharePoint 01/22/2013. 12/19/12: item open until new document revision is submitted.

81 | RJS | Channel level Bypass Functionality | Status: Open

Issue: The criteria in ISG-04 position 10 only allows for software configuration activities when the entire safety division (i.e. all channels and functions) is inoperable. The Diablo Canyon PPS design, however, allows channel or specific function level configurability while the remaining safety division functions remain operable. This design does not meet the criteria of ISG-04 position 10. The licensee will need to provide a justification for this as an alternative means of meeting the regulatory requirements of IEEE 603-1991 clauses 5.7, 6.5, and 6.7.

PG&E Response: PG&E will provide justification for an acceptable alternative to ISG-04 Position 10 for the PPS replacement design in section 4.8.10 of the LAR Supplement.

Comments: 1/25/13: This OI was discussed at the 1/24/13 conference call. PG&E agreed to consider presenting this as an acceptable alternative to the ISG-04 position 10 guidance. We expect a followup discussion during the 2/21 conference call.

82 | RA | V&V Plan | Status: Open

Issue: Westinghouse/CSI document 6116-00001 Rev. 1 includes Table 2 in Appendix A. This table identifies several notes, which provide additional information. However, the descriptions for these notes are not included in the Appendix. Please provide this information.

PG&E Response: CSI document 6116-00003 Rev. 1 (Diablo Canyon PPS V&V Plan) will need to be revised to provide descriptions for the notes. The revised 6116-00003 will be submitted by TBD?

Comments: 01/23/2013 update: The document number is incorrect. The document is 6116-00003, and it was provided in Attachment 6 to PG&E Letter DCL-12-121.

83 | RA | V&V and Hazard Analysis | Status: Open

Issue: Westinghouse/CSI documents 6116-00001 Rev. 1 and 6116-00000 Rev. 3 state that software hazard analysis of the ALS system is the responsibility of PG&E. However, the PG&E SyVVP, which was submitted as Attachment 5 of the LAR, does not describe how PG&E will perform the software hazard analysis of the ALS system. The SyVVP, Section 5.1.2.3, states that PG&E will verify that new hazards were not introduced during installation. Please clarify who will perform the hazard analysis activities for each phase of the development process that are required by IEEE 1012, for the ALS system.

PG&E Response: Hazard analysis activities for design and building of the ALS system will be performed by Westinghouse and for installation will be performed by PG&E. Revisions to CSI and PG&E documents are required to address the responsibilities for the hazard analyses during the different phases.

Comments: 1/25/13: This OI was discussed during the 1/24/13 conference call. The current planning documents under review do not include provisions for performing the hazard analysis activities.

84 | RA | IRS | Status: Open

Issue: Revision 7 of the Interface Requirement Specification, Section 3 Appendices, lists the I/O lists for each protection set. However, these appendices are not included in the document.

PG&E Response: The I/O list was not submitted with IRS Revision 7 because it is not a document that is required to be submitted by ISG-06 Enclosure B based on previous discussions with the staff. The I/O list was provided to the staff during the CSI audit. PG&E will submit the I/O list if requested by the staff.

85 | RJS | Status: NEW | NSIR

Issue: What security measures will be implemented to the MWS so that the MWS is consistent with NEI 08-09, Appendix D.1.1? Explain the statement that access to the maintenance workstation will be consistent with the NEI 08-09, Appendix D.1.1. Additionally, explain whether security measures to be implemented include technical and operational security design measures incorporated into the system.

PG&E Response: Installation of the PPS replacement is scheduled for September 2015 and assessment of the whole PPS replacement system, including the maintenance workstation, as prescribed in section 3 of the Diablo Canyon CSP, will begin in April 2013. The assessment will determine any security measures for the maintenance workstation, consistent with NEI 08-09 Appendices D and E, that need to be applied.

Enclosure 3

Project Plan for Diablo Canyon Replacement of Digital RPS and ESFAS (PPS) - LAR Review (Rev. 8)

Step | Planned Date | Task | Actual Date

1 | Oct. 26, 2011 | PG&E LAR Submittal for NRC approval. Submittal includes all Phase 1 documents needed to be docketed prior to acceptance for review per ISG-06, "Digital Licensing." | Oct. 26, 2011

2 | Jan. 12, 2012 | Acceptance Review complete. LAR accepted for detailed technical review. Several issues identified that could present challenges for the staff to complete its review. Scheduled public meeting with PG&E to discuss the results of the acceptance review. | Jan. 12, 2012

3 | Jan. 13, 2012 | Acceptance letter sent to licensee. | Jan. 13, 2012

4 | Jan. 18, 2012 | Conduct Public Meeting to discuss staff's findings during the LAR acceptance review. Staff proceeds with LAR technical review. | Jan. 18, 2012

5 | March 18, 2012 | PG&E provides information requested in acceptance letter. Initiate bi-weekly telecoms with PG&E and its contractors to discuss potential RAI issues. Open Items spreadsheet will be maintained by NRC to document staff issues and planned licensee responses. | April 2, 2012

6 | May 30, 2012 | PG&E provides partial set of Phase 2 documentation per commitments made in LAR. | June 6, 2012*

*PG&E provided a subset of the Phase 2 documents on June 6th and committed to send the rest by July 31, 2012.

7 | July 2012 | First RAI sent to PG&E on Phase 1 documentation (e.g., specifications, plans, and equipment qualification). Continue review of the application. Request 45 day response. (ML12208A364) | August 07, 2012

8 | June 2012 | SER for Tricon V10 Platform issued final. This platform becomes a Tier 1 review of the LAR. (ML12146A010) | May 15, 2012

8.1 | March 2013 | SER for Westinghouse ALS Platform issued final. This platform becomes a Tier 1 review of the LAR. |

9 | September 2012 | Receive answers to first RAI. (ML12256A308) | Sept. 11, 2012

10 | November 2012 | Audit trip to Invensys facility for thread audit; audit the life cycle planning documents and outputs, with particular emphases on verification and validation, configuration management, quality assurance, software safety, the Invensys application software development procedures, and application software program design. | Nov. 13-16, 2012

11 | December 2012 | Audit report provided to PG&E and its contractor. |

11.1 | February 2013 | LAR revision and all supporting documentation associated with the change in ALS and Tricon V10 workstation designs for the PPS are submitted. |

11.2 | March 2013 | Follow-up audit trip to Invensys facility for thread audit; audit the life cycle planning documents and outputs, with particular emphases on verification and validation, configuration management, quality assurance, software safety, the Invensys application software development procedures, and application software program design. |

11.3 | February 2013 | Audit trip to Westinghouse/CSI facility for thread audit; audit the life cycle planning documents and outputs, with particular emphases on verification and validation, configuration management, quality assurance, software safety, the W/ALS application software development procedures, and PPS ALS application software program design. Audit dates are planned for Feb. 11-15th, 2013. |

12 | March 2013 | PG&E provides remaining set of Phase 2 documentation per commitments made in LAR. |

12.1 | March 2013 | All Documentation for DCPP W/CSI ALS and IOM/Triconex V10 processors applicable to the DCPP PPS LAR are submitted. |

13 | April 2013 | Second RAI to PG&E on Phase 2 documentation (e.g., FMEA, safety analysis, RTM, EQ Tests results, setpoint calcs, SW Tool analysis reports, and any incomplete or un-satisfactory response to first RAI). Continue review - hardware and program design and V&V activities. |

14 | May 2013 | Receive answers to second RAI. Continue review - V&V program, security requirements (RG 1.152, Rev. 2). |

15 | March 2013 | Audit trip to W/ALS facilities for additional thread audit items; audit hardware and software installation plans, configuration management reports, detailed system and hardware design, completed test procedures, V&V activities, summary test results (including FAT) and incident reports, and application code listings. |

15.1 | April 2013 | Audit trip to Invensys facilities for additional thread audit items; audit hardware and software installation plans, configuration management reports, detailed system and hardware design, completed test procedures, V&V activities, summary test results (including FAT) and incident reports, and application code listings. |

16 | May 2013 | Audit reports provided to PG&E and its contractors. |

17 | November 2013 | Presentation to ACRS Subcommittee/Full ACRS Committee on DCPP PPS LAR Safety Evaluation. |

18 | November 2013 | Complete draft technical SER for management review and approval. |

19 | December 2013 | Issue completed draft technical SER to DORL. |

20 | December 2013 | Draft SER sent to PG&E, Invensys, and W/CSI to perform technical review and ensure no proprietary information was included. |

21 | January 2014 | Receive comments from PG&E and its contractors on draft SER proprietary review. |

22 | March 2014 | Approved License Amendment issued to PG&E. |

23 | September 2014 (tentative) | Inspection trip to DCPP for PPS Site Acceptance Testing (SAT), training and other preparation for installing the new system. To be coordinated with regional visit. Date based on receipt of new PPS system at the site in preparation for September 2015 Unit 1 Refueling Outage (1R19). |

24 | September 2015 | Inspection trip to DCPP for PPS installation tests, training and other system installation activities for the new system. To be coordinated with regional visit. Date based on September 2015 Unit 1 Refueling Outage (1R19). |

Please direct any inquiries to me at 301-415-5430, or james.polickoski@nrc.gov.

/RA by JSebrosky for/
James T. Polickoski, Project Manager
Plant Licensing Branch IV
Division of Operating Reactor Licensing
Office of Nuclear Reactor Regulation
Docket Nos. 50-275 and 50-323

Enclosures:

1. List of Attendees
2. NRC Staff Identified Open Issues
3. LAR Review Project Plan

cc w/encls: Distribution via Listserv

DISTRIBUTION:
PUBLIC
LPLIV r/f
RidsAcrsAcnw_MailCTR Resource
RidsNrrDeEicb Resource
RidsNrrDorlLpl4 Resource
RidsNrrLAJBurkhardt Resource
RidsNrrPMDiabloCanyon Resource
RidsRgn4MailCenter Resource
SDarbali, NRR/DE
RStattel, NRR/DE/EICB
RAlvarado, NRR/DE/EICB
CAntonescu, ACRS
SMakor, RIV/DRS/EB2
DHuyck, EDO RIV
VDricks, OPA RIV

ADAMS Accession No.: ML13148A420

OFFICE | NRR/DORL/LPL4/PM | NRR/DORL/LPL4/LA | NR
NAME | JPolickoski | JBurkhardt | MMarkley | JSebrosky for JPolickoski
DATE | 5/31/13 | 5/31/13 | 6/6/13 | 6/6/13

OFFICIAL RECORD COPY