ML14071A181

| Field | Value |
|---|---|
| Site | Diablo Canyon |
| Issue date | 03/31/2014 |
| From | Peter Bamford, Plant Licensing Branch IV |
| To | Halpin E, Pacific Gas & Electric Co |
| | Kim J |
| References | TAC MF7522, TAC MF7523 |
UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

March 31, 2014

Mr. Edward D. Halpin
Senior Vice President and Chief Nuclear Officer
Pacific Gas and Electric Company
Diablo Canyon Power Plant
P.O. Box 56, Mail Code 104/6
Avila Beach, CA 93424

SUBJECT: DIABLO CANYON POWER PLANT, UNIT NOS. 1 AND 2 - REQUEST FOR ADDITIONAL INFORMATION REGARDING DIGITAL REPLACEMENT OF THE PROCESS PROTECTION SYSTEM PORTION OF THE REACTOR TRIP SYSTEM AND ENGINEERED SAFETY FEATURES ACTUATION SYSTEM (TAC NOS. ME7522 AND ME7523)
Dear Mr. Halpin:
By letter dated October 26, 2011, as supplemented by letters dated December 20, 2011; April 2, April 30, June 6, August 2, September 11, November 27, and December 5, 2012; and March 7, March 25, April 30, May 9, May 30, and September 17, 2013 (Agencywide Documents Access and Management System (ADAMS) Accession Nos. ML1130703457, ML113610541, ML12094A072, ML12131A513, ML12170A837, ML12222A094, ML12256A308, ML13004A468, ML12342A149, ML13267A129, ML13093A311, ML13121A089, ML13130A059, ML13154A049, and ML13261A354, respectively), Pacific Gas and Electric (PG&E, the licensee), requested the U.S. Nuclear Regulatory Commission (NRC) staff's approval of an amendment for the Diablo Canyon Power Plant, Unit Nos. 1 and 2 (DCPP). The proposed license amendment request would provide a digital replacement of the Process Protection System (PPS) portion of the Reactor Trip System and Engineered Safety Features Actuation System at DCPP.
The NRC staff has been reviewing the submittal and has determined that additional information is needed to complete its review. The specific questions are found in the enclosed request for additional information (RAI). The questions were discussed, in draft form, in a meeting with your staff on March 12, 2014. It was agreed that a response to this RAI would be submitted within 30 days from the date of this letter. It was also agreed that no proprietary or security-related information was contained in the RAI.
If you have any questions, please contact me at 301-415-2833, or by e-mail at peter.bamford@nrc.gov.

Sincerely,

Peter Bamford, Project Manager
Plant Licensing Branch 4-1
Division of Operating Reactor Licensing
Office of Nuclear Reactor Regulation

Docket Nos. 50-275 and 50-323

Enclosure:
Request for Additional Information

cc w/encl: Distribution via Listserv
REQUEST FOR ADDITIONAL INFORMATION
LICENSE AMENDMENT REQUEST FOR DIGITAL REPLACEMENT OF THE PROCESS PROTECTION SYSTEM PORTION OF THE REACTOR TRIP SYSTEM AND ENGINEERED SAFETY FEATURES ACTUATION SYSTEM
DIABLO CANYON POWER PLANT, UNIT NOS. 1 AND 2
DOCKET NOS. 50-275 AND 50-323

By letter dated October 26, 2011, as supplemented by letters dated December 20, 2011; April 2, April 30, June 6, August 2, September 11, November 27, and December 5, 2012; and March 7, March 25, April 30, May 9, May 30, and September 17, 2013 (Agencywide Documents Access and Management System (ADAMS) Accession Nos. ML1130703457, ML113610541, ML12094A072, ML12131A513, ML12170A837, ML12222A094, ML12256A308, ML13004A468, ML12342A149, ML13267A129, ML13093A311, ML13121A089, ML13130A059, ML13154A049, and ML13261A354, respectively), Pacific Gas and Electric (PG&E, the licensee), requested the U.S. Nuclear Regulatory Commission (NRC) staff's approval of an amendment for the Diablo Canyon Power Plant, Unit Nos. 1 and 2 (DCPP). The proposed license amendment request (LAR) would provide a digital replacement of the Process Protection System (PPS) portion of the Reactor Trip System (RTS) and Engineered Safety Features Actuation System (ESFAS) at DCPP.

The NRC staff has reviewed the information provided by the licensee and determined that additional information is needed to complete its review. Each request for additional information begins with a reference to an Open Item (OI). The OI number that follows corresponds to the number of the item in the open item table that the NRC staff discussed with the licensee during periodic public meetings. This letter commences with request for additional information (RAI) number 54 to maintain clarity in the tracking of these multiple information requests:
- 54. (Open Item 81) Channel Level Bypass Functionality - The DCPP PPS design of the Advanced Logic System (ALS) subsystem allows channel or specific function level configurability while the remaining safety division functions remain operable. This design does not appear to meet the criteria of ISG-04 Position 10, which only allows software configuration activities when the entire safety division (i.e., all channels and functions) is inoperable. Please provide a justification for this as an alternative means of meeting the regulatory requirements of Institute of Electrical and Electronics Engineers, Inc. (IEEE) standard IEEE 603-1991 Clauses 5.7, 6.5, and 6.7.
- 55. (Open Item 88) ALS Documentation - Please explain the numbering scheme between the ALS generic platform documents 6002-xxx01 and 6002-xxx06 and the application-specific documents 6116-10201. For example, there is no Document 6116-10206 for the DCPP PPS. Please explain why certain documents do not appear to have been created.
- 56. (Open Item 100) IEEE 603, Section 5.2, Completion of Protective Action - Section 4.10.2.2 of the LAR states that "The design for the PPS replacement meets the requirements of IEEE 603-1991 Clause 5.2, Completion of Protective Action." The NRC reviewed the PPS Functional Requirements Specification (FRS) and has found no system specifications for safety function logic that would ensure the completion of protective actions or that could be credited for meeting the criteria of Clause 5.2.
Instead, it appears that the completion of protective action or latching functions are performed by external systems such as the Solid State Protection System (SSPS) that are not being impacted by the PPS replacement. Please provide an explanation of how this criterion is being satisfied for each RTS and ESFAS safety function and provide details of any PPS functions that are to be credited as a basis for meeting these criteria.
- 57. (Open Item 104) Functional Requirements for Channel Bypass - The PG&E FRS Sections 2.2.3.1 & 2 and 3.2.1.3.5 & 6 seem to indicate that channel bypass functions are only implemented for Containment Pressure High-High actuation of Containment Spray and Turbine Impulse Pressure High P-13 actuation; however, the function diagrams for Reactor Coolant System Flow signals, Pressurizer Pressure Reactor Trip, Safety Injection actuation, and Power Operated Relief Valve (PORV) actuation P-11 also show manual bypass switch capability. Additionally, the detailed channel specifications for these functions (i.e., 3.2.7) do not provide any specifications for these channel bypass functions. Please explain why these channel bypass functions are not specified in the PPS FRS.
- 58. (Open Item 106) Please provide a description of how the information provided by the ALS Parameter Display system will be used to "support or enhance execution of the safety function." In particular, please explain how the continuous availability and use of this data is consistent with ISG-04, Position 1, Point 3.
- 59. (Open Item 94) ALS Plant Specific Action Items - Please provide documentation to identify how each applicable Plant Specific Action Item (PSAI) in the ALS Topical Report safety evaluation is being addressed for the PPS project. This document should include references to the LAR and supporting documents where PSAIs are addressed.
- 60. (Open Item 99) Virtual Channel - CSI document 6116-00054, "Diablo Canyon PPS ISG-04 Matrix," responses to ISG-04 Position 1, Points 4 and 10, describe the use of Virtual Channel. Furthermore, the response to Point 10 states that virtual channels are described in 6002-10206, "ALS-102 FPGA [Field Programmable Gate Array] Design Specification," and their use in the ALS PPS subsystem is described in 6116-10201, "DC PPS ALS-102 FPGA Requirements Specification." However, the 6002-10206 document only provides general information on how a virtual channel can be used (the implementation is application specific). This information cannot be referenced in the DCPP PPS safety evaluation because it has not been docketed. In addition, this information is too generic, and it does not describe how Virtual Channels are used in the ALS platform portion of the DCPP PPS replacement system. Thus, the NRC staff requires detailed information on how virtual channels will be used for the DCPP PPS.
When trying to search and trace the requirement for the use of virtual channel, the NRC staff could not find information in either 6116-00011, "ALS PPS System Design Specification," or 6002-00010, "ALS Platform Requirements Specification." ALS document 6116-10201 only lists virtual channel in Table 6-7, which does not provide any description about use of ALS virtual channels for DCPP PPS replacement system.
Thus, it is not clear what the original requirement is for this function, and how the design is being implemented for the DCPP PPS replacement system.
Please describe the ALS Virtual Channels, requirements, design specification, and how they are used for the ALS portion of the DCPP PPS replacement system. In addition, clarify the use of virtual channels to address points 4 and 10 of ISG-04, specifically for setpoint modification.
- 61. (Open Item 101) Environmental Qualification Documentation - Per ISG-06, Section D.5.1, the NRC staff needs to determine if the PPS equipment has been demonstrated to be able to operate within the specified environment. In order to do this, the staff needs to have plant-specific environmental data for the plant and specifically for the cable spreading room. The ISG-06 matrix (item 2.12) states that this information has been provided in the two vendor Topical Reports; however, these reports do not contain any plant-specific data.
Please provide plant specific environmental condition data for normal operating conditions and the worst conditions expected during abnormal and accident conditions where the PPS equipment is expected to perform its safety function.
- 62. (Open Item 105) Interaction with Other Systems - In PG&E's response to the IEEE 603 Clause 6.3 criteria, there is no mention of the effects of using shared sensor signals between the PPS and control systems such as the Digital Feedwater Control System (DFWCS) or the Auxiliary Feedwater (AFW) system. The NRC staff recognizes that the general specifications for the replacement PPS are similar to the Eagle 21 system and that the PPS project would not adversely impact the compliance of the system with this criterion; however, it is necessary for the NRC to confirm that the criterion is still being met.
Please provide a description of the effects of sensor failure for those systems that use common shared sensor data from the PPS.
- 63. (Open Item 106) Describe the mechanism of the ALS-102 board's transmission logic that restricts communication to one way (i.e., only configuration data is added to specify the points going over the TxB communication link) and how it cannot impact the safety function logic embedded in the ALS-102.
- 64. (Open Item 110) Safe State Definition - Section 4.2.5.2 of the LAR (Page 64) states that "the redundancy checker compares outputs and critical internal states from the two cores and will drive the board to a safe state if the outputs of the cores do not agree."
The NRC staff reviewed the FRS and Interface Requirement Specification (IRS) documents to determine what the "safe state" is for any given ALS function, but was unable to identify licensee specifications that define what these safe states represent.
The NRC staff determined that the fail-safe states are defined in the ALS FPGA specifications (6116-10201); however, it is not clear how the system vendors determined the fail-safe states if they were not derived from licensee input (i.e., FRS and IRS). If the system safe states are not defined by the licensee, then please explain the basis used by the vendor to determine what the safe states are for each ALS function.
- 65. (Open Item 111) ALS Manual Alarm Bypass Function - In the FPGA Requirements Specification (6116-10201, page 4-13), R4082 states that the bypass alarm logic will be bypassed when the channel's logic enable is not set. The rationale provided is that the trip command is not being calculated, so there would presumably be no need to actuate the alarm. This requirement seems to contradict requirement R4130, which requires alarm reflash, as well as Clause 5.8.3 of IEEE 603.
Please provide an explanation of the benefit of providing this means of defeating the alarm bypass logic. The NRC staff feels that operators should be aware of the bypass status of each safety channel regardless of whether the safety function is operable or not. The staff is also concerned that situations could exist when the operator could be misled into believing that a channel is not bypassed (because of the cleared alarm) when in fact the channel bypass switch is in bypass.
- 66. (Open Item 95) Test ALS Bus (TAB) Communication - Sections 3.2.2.5 and 4.2.13.2 of the updated LAR describe the TAB communication between the ALS and the ALS maintenance workstation (MWS). Furthermore, Section 4.8.3 of the updated LAR, item b, states that the TAB communication is enabled through the use of the TAB access connector. The information provided in these sections implies that the TAB has to be enabled to communicate with the MWS. It is understood that the communication link has to be physically connected between the TAB and the ALS MWS for communication to occur. However, it is not clear if other means are included to enable TAB communication. Specifically, the ALS Platform Specification states: "If needed by the application a Communication Enable key switch may be located between the ALS Service Unit (ASU) and the ALS rack."
Westinghouse Electric Company/CS Innovations (WEC/CSI) document 6116-00011, "ALS PPS System Design Specification," describes the use of the communication enable switch. Specifically, SDS-081 states that the ALS is connected to the ASU through the link when enabled through a key switch. However, PG&E's response to RAI-17 states that the ALS subsystem of the DCPP PPS will not use a key switch to enable and disable external TAB communications, and that TAB communication will be enabled by physically connecting the data link. This response contradicts the information provided in the updated LAR, Section 4.8., item b, which states "To enable the TAB to the interface to the MWS requires the setting of a hardware key-lock switch which, when enabled is alarmed locally and in the control room."
Please clarify how TAB communication will be enabled for the ALS subsystem of the DCPP PPS, and whether an ALS key switch will be used.
- 67. (Open Item 96) ALS Parameter Display - Section 4.2.13.5 of the updated LAR describes the ALS Parameter Display function. This section states that this function will acquire data from the ALS via the TxB2 bus. However, the second paragraph in this section states that this function will "provide graphical user interfaces for displaying ALS system status on the MWS and for providing user controlled access to the ALS controllers for performing maintenance operations such as calibration." It is not clear how the ALS Parameter Display function will provide access to the ALS controllers for performing maintenance operations. If this function is gathering data through TxB2, it cannot access the ALS-102 controller. Furthermore, access from the MWS to the ALS is only through the TAB communication, when the communication link is connected. Please clarify if the ALS Parameter Display function can access the ALS controller.
- 68. (Open Item 112) The licensee discussed having the option of connecting a thumb drive to the MWS, in addition to connecting a printer, in order to allow technicians to print to file. Please clarify if a thumb drive will be connected to the MWS and, if so, what procedures will be implemented to maintain and secure the thumb drive. Please clarify how unused ports in the MWSs will be controlled.
- 69. (Open Item 113) In the response provided to RAI 48, the licensee only addressed control of the USB ports of the Keyboard Video Mouse (KVM) switch. The KVM switch user guide states that control of the switch can be performed using the external switching control RC4 remote, RS-232, or input lines through the options port. The IRS Rev. 9, item 2.3.7.1, item (1), does not identify that the KVM switch can be controlled remotely. The LAR states that a custom serial cable is required to use the options port. Please confirm if PG&E expects to use the options port to control the KVM switch.
The KVM user guide states the KVM switch can be locked with a password to restrict access to the MWS connected. Please clarify if PG&E will use this feature. The KVM switch includes an autoscan mode switch, which allows the KVM to cycle through the MWS during a defined period. Please clarify if PG&E will use this feature.
- 70. (Open Item 114) The LAR, Section 4.8.10, notes that when the Tricon keyswitch is in the STOP mode, the application program will not halt. It is not clear why this setting was selected, when the safety evaluation for the Tricon V10 requires the keyswitch to be in the STOP position to remove a module and perform maintenance or a firmware upgrade, as well as imposing administrative controls to perform such functions. Please explain the reasoning for not halting the application program when in STOP mode. Please describe how PG&E will halt operation of the main chassis to support maintenance or firmware upgrade activities.
ML14071A181

| OFFICE | NRR/DORL/LPL4-1/PM | NRR/DORL/LPL4-1/LA** | NRR/DE/EICB/BC* | NRR/DORL/LPL4-1/PM | NRR/DORL/LPL4-1/PM |
|---|---|---|---|---|---|
| NAME | JKim | JBurkhardt | JThorp | MMarkley | PBamford |
| DATE | 03/13/14 | 03/13/14 | 02/27/14 | 03/31/14 | 03/31/14 |

* via memo dated 2/27/2014
** via email