Text

Diablo Canyon, Units 1 and 2 - Revision 9 to 993754-1-915-NP, Safety Analysis
	ML16061A460
Person / Time
Site:	Diablo Canyon
Issue date:	12/09/2014
From:	Mai D, Nguyen H, Vu K; Invensys/Triconex
To:	; Office of Nuclear Reactor Regulation
Shared Package
ML16061A481	List: DCL-16-020, Diablo Canyon, Units 1 and 2 - 9Revision 1 to 93754-12-862-NP, V&V Implementation Phase Summary Report PPSII-IV; DCL-16-020, Diablo Canyon, Units 1 and 2 - Revision 0 to 993754-11-818-NP, Protection Set I, System Time Response Confirmation Report; DCL-16-020, Diablo Canyon, Units 1 and 2 - Revision 0 to 993754-12-818-NP, Protection Set Ii, System Time Response Confirmation Report; DCL-16-020, Diablo Canyon, Units 1 and 2 - Revision 0 to 993754-12-854-0-NP, Protection Set Ii, Hardware Validation Test Report; DCL-16-020, Diablo Canyon, Units 1 and 2 - Revision 0 to 993754-12-854-1-NP, Protection Set Ii, Factory Acceptance Report; DCL-16-020, Diablo Canyon, Units 1 and 2 - Revision 0 to 993754-12-861-NP, V&V Design Phase Summary Report PPSII-IV; DCL-16-020, Diablo Canyon, Units 1 and 2 - Revision 0 to 993754-13-818-NP, Protection Set Ii, System Time Response Confirmation Report; DCL-16-020, Diablo Canyon, Units 1 and 2 - Revision 0 to 993754-13-854-0-NP, Protection Set Iii, Hardware Validation Test Report; DCL-16-020, Diablo Canyon, Units 1 and 2 - Revision 0 to 993754-14-818-NP, Protection Set Iv, System Time Response Confirmation Report; DCL-16-020, Diablo Canyon, Units 1 and 2 - Revision 0 to 993754-14-854-0-NP, Protection Set Iv, Hardware Validation Test Report; DCL-16-020, Diablo Canyon, Units 1 and 2 - Revision 0 to 993754-14-854-1-NP, Protection Set Iv, Factory Acceptance Test Report; DCL-16-020, Diablo Canyon, Units 1 and 2 - Revision 1 to 993754-11-854-0-NP, Protection Set I, Hardware Validation Test Report; DCL-16-020, Diablo Canyon, Units 1 and 2 - Revision 1 to 993754-11-862-NP, V&V Implementation Phase Summary Report Ppsi; DCL-16-020, Diablo Canyon, Units 1 and 2 - Revision 3 to 993754-11-854-1-NP, Protection Set I, Factory Acceptance Test Report; DCL-16-020, Diablo Canyon, Units 1 and 2 - Revision 3 to 993754-11-861-NP, V&V Design Phase Summary Report Ppsi; DCL-16-020, Diablo Canyon, Units 1 and 2 - Revision 9 to 993754-1-915-NP, Safety Analysis; DCL-16-020, Diablo Canyon, Units 1 and 2 - Submittal of Tricon Phase 2 Documents for the License Amendment Request for Process Protection System Replacement; DCL-16-020, Revision 0 to 993754-13-854-1-NP, Protection Set III, Factory Acceptance Test Report; ML16061A452; ML16061A459; ML16061A460; ML16061A461; ML16061A463; ML16061A464; ML16061A465; ML16061A466; ML16061A467; ML16061A468; ML16061A469; ML16061A470; ML16061A471; ML16061A473; ML16061A474; ML16061A475; ML16061A476;
References
	DCL-16-020 993754-1-915-NP, Rev. 9
	Download: ML16061A460 (116)
	v • d • e

. I n v e. n s* i I"! v'e, I"! S'.!:::1 s* TOO Triconex Project: PG&E PROCESS PROTECTION SYSTEM REPLACEMENT Purchase Order No.: 3500897372 Project Sales Order: 993754 PACIFIC GAS & ELECTRIC COMPANY NUCLEAR SAFETY-RELATED PROCESS PROTECTION SYSTEM REPLACEMENT DIABLO CANYON POWER PLANT SAFETY ANALYSIS Document No. 993754-1-915 Revision 9 I DECEMBER 9 , 2014 I Name Si2nature Title Author: HoanN2uyen V &V En2ineer Reviewer:

DienMai -

---V &V Engineer Approval:

Kevin Vu IV & V Manager 993754-1-915 Safety Analysis 9 2 of 112 12/09/2014 0 02/29/2012 Initial Issue for Use Hoan Nguyen 1 10/24/2012

993754-1-915 Safety Analysis 9 3 of 112 12/09/2014 2 11/13/2013

993754-1-915 Safety Analysis 9 4 of 112 12/09/2014 3 01/28/2014 4 04/03/2014

993754-1-915 Safety Analysis 9 5 of 112 12/09/2014 5 05/20/2014 6 07/03/2014 7 08/07/2014

993754-1-915 Safety Analysis 9 6 of 112 12/09/2014 8 10/22/2014 9 12/09/2014 993754-1-915 Safety Analysis 9 7 of 112 12/09/2014 1.1Purpose .......................................................................................................................

................. 91.2Scope ......................................................................................................................................... 102.1PPS Documents .................................................................................................................

........ 122.2Invensys Documents ............................................................................................................

...... 122.3Miscellaneous Documents .......................................................................................................

.. 133.1Abbreviations and Acronyms ....................................................................................................

143.2Definitions ...................................................................................................................

.............. 154.1Preliminary Hazard List .......................................................................................................

...... 244.2Results ....................................................................................................................................... 405.1Purpose ...................................................................................................................................... 415.2Scope ......................................................................................................................................... 425.3Output ........................................................................................................................................ 506.1Purpose ...................................................................................................................................... 566.2Scope ......................................................................................................................................... 576.3Output ........................................................................................................................................ 577.1Purpose ...................................................................................................................................... 607.2Scope ......................................................................................................................................... 927.3Output ........................................................................................................................................ 938.1Purpose .......................................................................................................................

............. 1038.2Scope .........................................................................................................................

.............. 1038.3Output ........................................................................................................................

.............. 104 993754-1-915 Safety Analysis 9 8 of 112 12/09/2014 Figure1-ScopeofSafetyAnalysis..............................................................................................................................11Figure2-IdentificationofTOPLEVELHAZARD..........................................................................................................16Figure3-FTADiagram(TopLevelHazard)................................................................................................................18Figure4-FTADiagram(HazardGroup1)..................................................................................................................18Figure5-FTADiagram(EventGroup1 1)..................................................................................................................19Figure6-FTADiagram(EventGroup1 2)..................................................................................................................19Figure7-FTADiagram(EventGroup1 3)..................................................................................................................20Figure8-FTADiagram(EventGroup1 4).................................................................................................................20Figure9-FTADiagram(EventGroup1 5)..................................................................................................................21Figure10-FTADiagram(EventGroup1 6)................................................................................................................21Figure11-FTADiagram(EventGroup1 7)...............................................................................................................22Figure12-FTADiagram(EventGroup1 8)................................................................................................................22Figure13-FTADiagram(EventGroup2)...................................................................................................................23Figure14-FTADiagram(EventGroup3)..................................................................................................................23Figure15-InterfacesbetweenTriconandexternal/internalsystems/devices..........................................................43Figure16-ExternalOnlineAccesswithoutOOSactivation.......................................................................................54Figure17-OnlineMaintenancewithOOSactivation.................................................................................................55Figure18-DesignPhasePostulatedInitiatingEvents................................................................................................76Figure19-PIE#1........................................................................................................................................................78Figure20-PIE#2........................................................................................................................................................79Figure21-PIE#3........................................................................................................................................................81Figure22-PIE#4 a.....................................................................................................................................................83Figure23-PIE#4 b.....................................................................................................................................................84Figure24-Hazard#3Illustration.............................................................................................................................102Table1.DesignandInstrumentClass..........................................................................................................................17Table2.PreliminaryHazardList..................................................................................................................................24Table3.PreliminaryHazardListResults......................................................................................................................40Table4.InterfaceSpecification....................................................................................................................................45Table5.ListofInterfaceHazard..................................................................................................................................51Table6.ApplicationSoftwareIntegrityLevel..............................................................................................................56Table7.ListofHazards................................................................................................................................................97Table 8.List ofRiskAssessments

...............................................................................................................................107 993754-1-915 Safety Analysis 9 9 of 112 12/09/2014 The Pacific Gas & Electric Company (PG&E)

Westinghouse Eagle 21 Process Protection System (E21 PPS) for Diablo Canyon Power Plan t (DCPP) Units 1 and 2 is to be replaced with the new Invensys Tricon-based Process Protection System (PPS). The new DCPP PPS is capable of monitoring the required parameters, comparing them against set points and providing signals to the external interfaces if operating limits are exceeded. The PPS comprises four Protection Sets. The Protection Sets (I through IV) each comprises three main hardware components such as the Tricon V10, the Westinghouse Advanced Logic System (ALS) platform, and the Maintenance Workstation (MWS). The PPS will provide: Trip and actuation signals to the Solid State Protection System (SSPS) for initiating reactor trip and or ESFAS actuation Analog output of plant parameters to the Main Control Room (MCR) for recording and/or indication Plant parameters to the Plant Process Computer (PPC) for monitoring Output signals to the Main Annunciator System (MAS) for alarming The primary functionality provided by the new PPS will include: Monitor Reactor Coolant System Temp erature and Pressure, S/G Level and Pressurizer Level Provide signal isolation for pro cess inputs(without processing) Perform Safety functions Signal Reactor Trips and/or ESFAS actuations This functionality will be implemented in four TriStation Application Programs (TSAPs),

one for each of the four separate PPS Protection Sets. The TSAPs will be downloaded to and executed by the Tricon 3008N main processors.

The PPS is classified as nuclear safety-related. This report documents the methodology and results of the Safety Analysis. The Safety Analysis report consists of the Interface Analysis, the Criticality Analysis, the Hazard Analysis, and the Risk Analysis. Based on the guidance of IEEE Std 1012-1998

[Reference 2.3.6] , the Safety Analysis is created at the Requirement Phase of the DCPP PPS project and updated incrementally in the subsequent Design Phase, Implementation Phase and Test Phase. The Interface Analysis is a structured evaluation of the software interfaces with hardware, user, and other PPS components fo r potential hazards resulting from insufficient interface definitions and/or poor interface design.

993754-1-915 Safety Analysis 9 10 of 112 12/09/2014 The Criticality Analysis is a structured evalua tion of the assigned Software Integrity Level (SIL) of the PPS software with regard to undesirable consequences resulting from an incorrect SIL assigned to the deliverables. The Hazard and Risk Analyses are qualitative or quantitative evaluati ons of the Protection Set software for undesirable outcome(s) resulting from development defects or erroneous operation of the PPS. The possible outcome(s) include injury, illness, death, mission failure, economic loss, property loss, environmental loss, or adverse social impact. The evaluation includes screening or analysis methods to categorize, eliminate, reduce, and/or mitigate hazards. The analyses will be used together to examine the role of Tricon Protection Set software in the overall PPS system and its impact on the operation of the PPS. The ultimate objectives of the Safety Analysis program are to identify and correct deficiencies and to provide information on the necessary safeguards to prevent failure and/or mitigate deleterious

consequences. The scope of this Safety Analysis is limited to the delivered PPS equipment as defined in the Software Requirements Specification (SRS). However, as the Preliminary Hazard Analysis (PHA) has wider coverage, certain aspects of the analysis will contain information that falls outside the delivered system. Information of this nature will be identified as such. The delivered system can be broken into ha rdware and software. Analysis of the V10 Tricon hardware is discussed in details in the Failure Modes and Effects Analysis (FMEA) for the platform [Reference2.2.2] and NTX-SER-09-10 [Reference 2.2.12]. FMEA for DCPP PPS configuration will be developed later in a separate document. Figure 1 illustrates the scope of Safety Analysis. Only safety impact of the Tricon Protection Set software (also called TSAP) will be addressed in this Safety Analysis. Safety impact of the Westinghouse Advanced Logic System (ALS) software and the Maintenance Workstation (MWS) software are not within the scope of this Safety Analysis.

The scope of the Safety Analysis is discu ssed in depth in the a ssociated, subsequent subsections under Interface, Hazard, Criticality and Risk Analysis.

993754-1-915 Safety Analysis 9 11 of 112 12/09/2014 Scope of Safety Analysis 993754-1-915 Safety Analysis 9 12 of 112 12/09/2014 2.1.1PPS Interface Requirements Specification Rev 9 2.1.208-0015-SP-001, PPS Functional Requirements Specification Rev 9 2.1.3[DELETED] 2.2.17286-545-1, V10 Tricon Topical Report- Application Guide, Appendix B 2.2.29600164-531, Failure Modes and Effects Analysis (FMEA) for Tricon version 10.2 Programmable Logic Controller 2.2.39600164-532, Reliability / Availability Study for Tricon version 10 Programmable Logic Controller 2.2.4[DELETED]

2.2.59700100-012, TriStation 1131 Developer's Workbench 2.2.6[DELETED]

2.2.7[DELETED]

2.2.8993754-11-809, PPS Software Requirements Specification 2.2.9[DELETED] 2.2.10[DELETED] 2.2.11[DELETED] 2.2.12NTX-SER-09-10, Tricon V10 Conformance to ISG-04 2.2.13993754-1-817, Maximum TSAP Scan Time 2.2.14993754-11-810, PPS Software Design Description Protection Set I 2.2.15993754-1-811, PPS Failure Modes and Effect Analysis 2.2.16993754-1-819, Reliability Analysis 2.2.17993754-1-830, TAB-PAN-TAN Review 2.2.187286-545-1, Triconex Topical Report 2.2.19993754-1-907, Software Development Plan Coding Guidelines 2.2.20993754-11-700 PGE DCPP PPS (TSAP) 2.2.21993754-11-902-1 Protection Set I FAT Procedure 2.2.22993754-11-902-0 Protection Set I HVT Procedure 2.2.23993754-12-810, Software Design Description PPSII-IV 2.2.24993754-12-700 PGE DCPP PPS (TSAP) 2.2.25993754-13-700 PGE DCPP PPS (TSAP) 2.2.26993754-14-700 PGE DCPP PPS (TSAP) 2.2.27993754-12-SWR-45 Software Walkthrough Report 2.2.28993754-13-SWR-46 Software Walkthrough Report 2.2.29993754-14-SWR-47 Software Walkthrough Report

993754-1-915 Safety Analysis 9 13 of 112 12/09/2014 2.3.1CEI/IEC 300-3-9, Dependability Management, Part 3 - Section 9: Risk Analysis of Technological Systems 2.3.2NUREG-0492, Fault Tree Handbook 2.3.3NUREG/CR-6430, Software Safety Hazard Analysis 2.3.4Regulatory Guide 1.152, Criteria for Digital Computers in Safety Systems of Nuclear Power Plants 2.3.5RG 1.53, Application of the Single-Failure Criterion to Safety Systems 2.3.6IEEE Standard 1012-1998, IEEE Standard for Software Verification and Validation 2.3.7NUREG/CR-6101, Software Reliability and Safety in Nuclear Reactor Protection Systems 2.3.8BTP 7-14, Guidance on Software Reviews for Digital Computer-Based Instrumentation and Control Systems 993754-1-915 Safety Analysis 9 14 of 112 12/09/2014 ALS BTP Advanced Logic System

Branch Technical Position CRC Cyclic Redundancy Code DCPP Diablo Canyon Power Plant DDE Dynamic Data Exchange Delta-T Differential (Reactor) Coolant Temperature DTTA DeltaT/Tavg (Differential Temperature & Average Temperature) ETA External Termination Assembly FAT Factory Acceptance Test FMEA Failure Modes and Effects Analysis FPGA Field Programmable Gate Array FTA Fault Tree Analysis (in the context of a Preliminary Hazard Analysis) IEEE Institute of Electrical and Electronics Engineers HVT Hardware Validation Test I/O Input/Output IV&V Independent Verification & Validation KVM Keyboard, Video Display, and Mouse MAS Main Annunciator System MCR Main Control Room

MP Main Processor MWS Maintenance Workstation M&TE Measuring and Test Equipment

NIS Nuclear Instrument System NRC US Nuclear Regulatory Commission NUREG US Nuclear Regulatory Commission Regulation OOS Out of Service OTDT Overtemperature Delta-Temperature PHA Preliminary Hazard Analysis PHL Preliminary Hazard List PIE Postulated Initiating Event PLC Programmable Logic Controller PG&E Pacific Gas & Electric Company PPC Plant Process Computer 993754-1-915 Safety Analysis 9 15 of 112 12/09/2014 PPS Process Protection System RNARA Rack Nuclear Auxiliary Relay A RNASA Rack Nuclear Auxiliary Safeguards A RTD Resistance Temperature Detector RXM Remote Extender Modules SIL Software Integrity Level SRS Software Requirements Specification SSPS Solid State Protection System TCM Tricon Communication Module TS1131 TriStation 1131 Developer Workbench TSAA Tricon System Access Application TSAP TriStation Application Program TSX Tricon Operating System Accident An undesired and unplanned (but not necessarily unexpected) event that results in (at least) a specified level of loss Criticality Analysis A structured evaluation of the software characteristics (e.g., safety, security, complexity, performance) for severity of impact of system failure, system degradation, or failure to meet software requirements or system objectives. Incident An event that involves no loss (or only minor loss) but with the potential for loss under different circumstances Hazard A state or set of conditions that, together with other conditions in the environment, will lead to an accident (loss event). Hazard Identification Process of recognizing that a hazard exists and defining its characteristics. Risk Combination of the frequency, or probability, of occurrence and the consequence of a specified hazardous event. Risk Analysis Systematic use of available information to identify hazards and to estimate the risk to individual or populations, property or the environment. Safety Freedom from accidents or losses. Trip Reactor Trip or ESFAS Actuation signal.

993754-1-915 Safety Analysis 9 16 of 112 12/09/2014 The Preliminary Hazard Analysis (PHA) is performed by Invensys Operations Management IV&V engineers at the Requirements Phase based on guidance contained in NUREG/CR-6430 [Reference 2.3.3]. The PHA is updated in the Design Phase and Implementation Phase per NUREG/CR-6430, and additional hazards may be identified in

the subsequent phases. The PHA identifies possible hazards to the PPS, evaluates each of the hazards and describes their expected impact of the Invensys Tricon-based Protection Set software functionality. The expected impact of Westinghouse ALS FPGA and MWS software functionality are not within the scope of this analysis. The PHA process uses the Fault Tree Analysis (FTA) method. The analysis is performed in the Requirements Phase of the project life cycle to identify the basic events that could potentially lead to a hazard. The process of focusing on a particular undesired event and the Fault Tree construction is based on the guidance of NUREG-0492 [Reference 2.3.2].

FTA is based on analysis of the logical system architecture illustrated in Figure 2. The FTA diagram below comprises rectangles that represent factors that could contribute to hazards and circles that represent basic events. The TOP LEVEL HAZARD is the failure of the PPS Tricon Protection Set software (TSAP): To send Class I trip signals to the SSPS To annunciate Class II Trouble/Failure Alarms at the MAS Identification of TOP LEVEL HAZARD 993754-1-915 Safety Analysis 9 17 of 112 12/09/2014 Class I Trip signals are discrete outputs from the safety-related Tricon Primary RXM Chassis in each Protection Set. See Section 3.1.1.2.1 in SRS Protection Set I, II, III, and IV for a complete listing of partial trip signals in four Protection Sets. Class II Trouble or Failure Alarms are discrete outputs from the non-safety-related Tricon Remote RXM chassis in each Protection Set. See Section 3.1.1.2.8.1 in

SRS for a complete listing of Trouble or Failure Alarms in fo ur Protection Sets.Design and Instrument Class are defined as follows in the PG&E FRS [Reference 2.1.2]:

Design and Instrument ClassInstrument Class IA Instrument Class IA instruments and controls are those that initiate and maintain safe shutdown of the reactor, mitigate the consequences of an accident, or prevent exceeding 10 CFR 100 off-site dose limits. Instrument Class IB Class IB instruments and controls are those that are required for post-accident monitoring of Category 1 and 2 variables in accordance with Regulatory Guide 1.97, Revision 3. Instrument Class II Instrument Class II components are Design Class II devices with non-safety-related functions. However, certain Class II components are subjected to some graded quality assurance requirements.

993754-1-915 Safety Analysis 9 18 of 112 12/09/2014 993754-1-915 Safety Analysis 9 19 of 112 12/09/2014 993754-1-915 Safety Analysis 9 20 of 112 12/09/2014

993754-1-915 Safety Analysis 9 21 of 112 12/09/2014

993754-1-915 Safety Analysis 9 22 of 112 12/09/2014

993754-1-915 Safety Analysis 9 23 of 112 12/09/2014

993754-1-915 Safety Analysis 9 24 of 112 12/09/2014 The following Preliminary Hazard List (PHL) documents the basic events elaborated during the FTA and ties each event to a potential hazardous consequence. Three elements comprising a hazard are identified in the PHL: : indicates source of the hazard : describes initiating mechanism : describes impacts on the PPS whic h TSAP in each Protection Set might have 993754-1-915 Safety Analysis 9 25 of 112 12/09/2014 993754-1-915 Safety Analysis 9 26 of 112 12/09/2014 993754-1-915 Safety Analysis 9 27 of 112 12/09/2014 993754-1-915 Safety Analysis 9 28 of 112 12/09/2014 993754-1-915 Safety Analysis 9 29 of 112 12/09/2014 993754-1-915 Safety Analysis 9 30 of 112 12/09/2014 993754-1-915 Safety Analysis 9 31 of 112 12/09/2014 993754-1-915 Safety Analysis 9 32 of 112 12/09/2014 993754-1-915 Safety Analysis 9 33 of 112 12/09/2014 993754-1-915 Safety Analysis 9 34 of 112 12/09/2014 993754-1-915 Safety Analysis 9 35 of 112 12/09/2014 993754-1-915 Safety Analysis 9 36 of 112 12/09/2014 993754-1-915 Safety Analysis 9 37 of 112 12/09/2014 993754-1-915 Safety Analysis 9 38 of 112 12/09/2014 993754-1-915 Safety Analysis 9 39 of 112 12/09/2014 993754-1-915 Safety Analysis 9 40 of 112 12/09/2014 993754-1-915 Safety Analysis 9 41 of 112 12/09/2014 The Interface Analysis is intended to verify and validate the requirements for the Protection Set software interfaces with hardware, user, operator, and other systems. The following criteria will be used for verifying and validating the interface requirements: Correctness Consistency Completeness Accuracy Testability See IEEE Std 1012-1998 for definition of the above criteria. Input documents to the Interface Analysis are:

1)PPS Replacement Interface Requirements Specification (IRS) [Reference 2.1.1]

2)PPS Replacement Functional Requirements Specification (FRS) [Reference 2.1.2]

3)Software Requirements Specification (SRS) [Reference 2.2.8] There is no separate Invensys Interface Requirements Specification. It is a part of the Invensys SRS, Section 3.1 (External Interface Requirements).

The Interface Analysis is prepared based on the guidance of IEEE Std 1012-1998. The Interface Analysis is intended to verify and validate the Protection Set software design interfaces with hardware, user, operator, and other software. The IEEE 1012-1998 criteria below will be used for verifying and validating the interface designs: Correctness Consistency Completeness Accuracy Testability In addition, this section also intends to satisfy NUREG/CR-6101- recommended Design Interface Analysis. It will verify that the interfaces among the design elements in each PPS Protection Set have been properly desi gned and do not introduce a safety hazard.

993754-1-915 Safety Analysis 9 42 of 112 12/09/2014 Input documents to the Interface Analysis are:

1)PPS Replacement Interface Requirements Specification (IRS) [Reference 2.1.1]

2)Software Requirements Specification (SRS) [Reference 2.2.8]

3)Software Design Descripti ons (SDD) [Reference 2.2.14] There is no separate Invensys Interface Design Specification. It is a part of the Invensys SDD. The Interface Analysis is prepared ba sed on the guidance of IEEE Std 1012-1998 and NUREG/CR-6101 [Reference 2.3.7]. The scope of the Interface Analysis is limited to verifying and validating the interface requirements for the Protection Set software (also known as TSAP). The interface requirements consist of the following six entities that the Protection Set TSAP interfaces with:

993754-1-915 Safety Analysis 9 43 of 112 12/09/2014 993754-1-915 Safety Analysis 9 44 of 112 12/09/2014 .

993754-1-915 Safety Analysis 9 45 of 112 12/09/2014 993754-1-915 Safety Analysis 9 46 of 112 12/09/2014 993754-1-915 Safety Analysis 9 47 of 112 12/09/2014 993754-1-915 Safety Analysis 9 48 of 112 12/09/2014 993754-1-915 Safety Analysis 9 49 of 112 12/09/2014 993754-1-915 Safety Analysis 9 50 of 112 12/09/2014 Outputs of the Interface Analysis are an IV&V Task Report and a list of hazards. The Task Report is documented in this section. The Interface Analysis task in the Requirement Phase Revisited was based on the following input documents:

1)993754-11-809 SRS revision 4 2)PG&E FRS revision 9 3)PG&E IRS revision 9 IV&V performed the Interface Analysis by reviewing the Rev 9-based requirements in

one SRS. The evaluation criteria are to verify and validate the requirements for the Protection Set software interfaces with hardware, user, operator, and other systems for correctness, consistency, completeness, accuracy, and testability. The evaluation result is that the criteria are met and no new interface hazard is identified. The Interface Analysis task in the Design Phase Revisited was based on the following input documents:

1)993754-11-810 SDD revision 2 2)PG&E FRS revision 9 3)PG&E IRS revision 9 4)CD-ER 993754-27, CD-ER 993754-28 and CD-ER 993754-29 IV&V performed the Interface Analysis by reviewing the Rev 9-based detailed design elements in the SDD. The evaluation criteria are to verify and validate that the PPSI software design interfaces with hardware, software and other components for correctness, consistency, completeness, accuracy, and testability in accordance with IEEE 1012-1998

guidance on Design V&V Interface Analysis activity. The evaluation result is that the criteria are met and no new interface hazard is identified. The Interface Analysis task conducted in the Implementation Phase was based on the following input documents: 1) 993754-11-810 PPSI SDD revision 3

2) 993754-11-700 PGE DCPP PPS rev 1 The Interface Analysis was performed by anal yzing the PPSI TSAP to identify potential hazards. The evaluation criteria are to verify that the PPSI TSAP source code interfaces with hardware, software and other components for correctness, consistency, completeness, accuracy and testability in accordance with IEEE 1012-1998 guidance on Implementation Phase V&V Hazard Analysis activity. The evaluation result is that the criteria are met and no new interface hazard is identified.

993754-1-915 Safety Analysis 9 51 of 112 12/09/2014 The Interface Analysis task in the PPSII - IV Design Phase was based on the following input documents:

1)993754-12-810 SDD PPS II - IV revision 0 [Reference 2.2.23]

2)PG&E FRS revision 9 3)PG&E IRS revision 9 IV&V performed the Interface Analysis by reviewing the delta changes between PPSI design elements and those for PPSII, III and IV. The evaluation criteria are to verify and validate that the PPSII - IV software design interfaces with hardware, software and other components for correctness, consistency, completeness, accuracy, and testability in accordance with IEEE 1012-1998 guidance on Desi gn V&V Interface Analysis activity. The evaluation result is that the criteria are met and no new interface hazard is identified. The Interface Analysis task conducted in the Implementation Phase was based on the following input documents: 1) 993754-12-810 SDD PPSII-IV revision 1

2) 993754-12-700 PGE DCPP PPS (TSAP)

3) 993754-13-700 PGE DCPP PPS (TSAP)

4) 993754-14-700 PGE DCPP PPS (TSAP)

5) 993754-12-SWR-45 Software Walkthrough Report

6) 993754-13-SWR-46 Software Walkthrough Report 7) 993754-14-SWR-47 Software Walkthrough Report The Interface Analysis was performed by anal yzing the PPSII - IV TSAP and based on findings from IV&V Software Code Walk-throughs to iden tify potential hazards. The evaluation criteria are to verify that the PPSII - IV TSAP source code interfaces with hardware, software and other components fo r correctness, consistency, completeness, accuracy and testability in accordance with IEEE 1012-1998 guidance on Implementation Phase V&V Hazard Analysis activity. The evaluation result is that the criteria are met and no new interface hazard is identified. Each hazard is uniquely identified by an ID, namely H-<number>(alphabetic character). The Hazard ID is tied to a specific requirement number in the SRS, namely R-<number>. The hazard ID will be used by the Hazard Tracking mechanism to track each hazard status and its mitigation in each phase of the Protection Sets software development.

List of Interface Hazard 993754-1-915 Safety Analysis 9 52 of 112 12/09/2014 993754-1-915 Safety Analysis 9 53 of 112 12/09/2014 993754-1-915 Safety Analysis 9 54 of 112 12/09/2014

993754-1-915 Safety Analysis 9 55 of 112 12/09/2014

993754-1-915 Safety Analysis 9 56 of 112 12/09/2014 The Requirement-Phase Criticality Analysis is intended to review and verify the software integrity level of the Protect ion Set software components. The Software Integrity Level (SIL) of the Prot ection Set software is established as SIL-4 because the functionality of the replacement PPS applicati on software, as specified in the FRS, affects the critical performance of the nuclear-safety-related Reactor Trip and Engineered Safety Features functions.

The individual Protection Set software components at the Requirement Phase are the Invensys Software Requirements Specifications (SRS) for Protection Set I, II, III, and IV. Because the Protection Set software was already assigned SIL-4, its SRSs must be also assigned SIL-4. Application Software Integrity Level Input documents to the Criticality Analysis are:

1)PG&E PPS IRS 2)PG&E PPS FRS 3)Invensys SRSs (Protection Set I, II, III, IV) The Criticality Analysis is prepared based on the guidance of IEEE Std 1012-1998. The Design-Phase Criticality Analysis is inte nded to review and verify the SIL of the Protection Set software components. Invensys Tricon Interface technologies and the prior Criticality Task Report do not cause the PG

&E-assigned SIL-4 to be lowered for the software components.

The individual Protection Set software com ponents at the Design Phase are the Invensys Software Design Description (SDD) for Protection Set I.

Input documents to the Criticality Analysis are:

1)Invensys SDDs (Protection Set I) Software Requirements Specifications (SRS) 4 Software Design Description (SDD) 4 993754-1-915 Safety Analysis 9 57 of 112 12/09/2014 The Criticality Analysis is prepared based on the guidance of IEEE Std 1012-1998. The scope of the Criticality Analysis is limited to reviewing and verifying the software integrity level of the Tricon Protection Set software and its i ndividual components. The ALS and MWS software components are not in the scope of this analysis. It has the same scope as the Requirements Criticality Analysis.

Output of the Criticality Analysis is an IV&V Task Report and it is documented in this section. The Criticality Analysis task in the Requirement Phase Revisited was based on the following input documents: 1) 993754-11-809 SRS revision 4 2)PG&E FRS revision 9 3)PG&E IRS revision 9 The Criticality Analysis was conducted in the Requirements Phase Revisited using one

SRS. As the Diablo Canyon project is moving from Rev 5 to Rev 9, the SRS is re-structured to capture the requirements common for all four Protection Sets and the delta changes applicable to each Protection Set.

The evaluation criterion is to verify the SIL assignment of the SRS for correctness. The result of the evaluation is that the SIL-4 assignment is correct. No anomaly was found. It is recommended that the software components at the Design Phase be maintained at the same SIL, i.e., SIL-4 even w ith PG&E design input changes. The Criticality Analysis task in the Design Phase Revisited was based on the following input documents:

1)993754-11-810 SDD revision 2 2)PG&E FRS revision 9 3)PG&E IRS revision 9 4)CD-ER 993754-27, CD-ER 993754-28 and CD-ER 993754-29 The evaluation criteria are to verify that the software design, implementation methods, and interfacing technologies don't cause previously-assigned software integrity levels to be 993754-1-915 Safety Analysis 9 58 of 112 12/09/2014 raised or lowered for a software element in accordance with IEEE 1012-1998 guidance on Design V&V Criticality Analysis activity. The evaluation result is that the criteria are met with no incons istent or undesired software integrity consequences introduced in the Design Phase Revisited. The Criticality Analysis task conducted in the Implementation Phase was based on the following input documents: 1) 993754-11-810 PPSI SDD revision 3

2) 993754-11-700 PGE DCPP PPS rev 1 The evaluation criteria are to verify that the PPSI TSAP source codes don't cause

previously-assigned software integrity levels to be raised or lowered for a software element in accordance with IEEE 1012-1998 guidance on Implementation V&V Criticality

Analysis activity. The evaluation result is that the criteria are met with no inconsistent or

undesired software integrity consequences introduced in the Implementation Phase. The Criticality Analysis task in the PPSII - IV Design Phase was based on the following input documents:

1)993754-12-810 SDD revision 0 2)PG&E FRS revision 9 3)PG&E IRS revision 9 The evaluation criteria are to verify that the differences between PPSI and PPSII, III, and IV in software design, implementation methods, and interfacing technologies don't cause

previously-assigned software integrity levels to be raised or lowered for a software element in accordance with IEEE 10 12-1998 guidance on Design V&V Criticality Analysis activity. The evaluation result is that the criteria are met with no incons istent or undesired software integrity consequences introduced in the PPSII- IV Design Phase. The Criticality Analysis task conducted in the Implementation Phase was based on the following input documents: 1) 993754-12-810 SDD PPSII-IV revision 1

2) 993754-12-700 PGE DCPP PPS (TSAP)

3) 993754-13-700 PGE DCPP PPS (TSAP)

4) 993754-14-700 PGE DCPP PPS (TSAP)

5) 993754-12-SWR-45 Software Walkthrough Report

6) 993754-13-SWR-46 Software Walkthrough Report

7) 993754-14-SWR-47 Software Walkthrough Report

993754-1-915 Safety Analysis 9 59 of 112 12/09/2014 The evaluation criteria are to verify that the PPSII, III, IV TSAP source codes don't cause previously-assigned software integrity levels to be raised or lowered for a software element in accordance with IEEE 1012-1998 guidance on Implementation V&V Criticality

Analysis activity. The evaluation result is that the criteria are met with no inconsistent or

undesired software integrity consequences introduced in the Implementation Phase.

993754-1-915 Safety Analysis 9 60 of 112 12/09/2014 The Hazard Analysis is intended to identify the Protection Set software requirements that contribute to the PPS Replacement hazards and validate that the software addresses and mitigates each hazard. The functional requirements within the four SRSs have been analyzed with guidance from IEEE Std 1012-1998 and NUREG/CR-6430, Section 3.

Input documents to the Hazard Analysis are:

1)PG&E PPS IRS 2)PG&E PPS FRS 3)Invensys SRSs (Protection Set I, II, III, IV) 4)Invensys Maximum TSAP Scan Time [Reference 2.2.13]

The objective of the assessment below is to analyze and evaluate all software command-triggered or hardware switch-triggered bypassed, tripped and incident conditions to identify potential hazards of the Tr icon Protection Set. The Tr icon Protection Set software deviating from requirement specifications could lead to an inadvertent or unintended response by PG&E plant operation; in that manner it facilitates a hazard. Total thirty one (31) conditions are divided into six (6) groups. Conditions with the same current state belong to the same group. Result of the assessment is the identification of one new hazard.

The following notes are used in the assessment:

1): denotes the existing condition of a protective function right before the request is made.

2): refers to plant operator's attempt to place a protective function/channel out-of-service for online test and maintenance.

3): refers to the happening of a non-deliberate action (e.g. detectable Tricon hardware component failures).

4): refers to the following two circumstances: In many conditions, the Tricon Protecti on Set supposes to behave correctly because the stated behaviors follow the PG&E design inputs (stated in FRS and IRS sections) and Invensys software requirement specifications.

993754-1-915 Safety Analysis 9 61 of 112 12/09/2014 The presumption of how the Tricon Protection Set would behave as if intended by PG&E design. The presumptions are made for several conditions due to lack of the PG&E sections or Invensys explicit software requirements.

5): a detectable failure that could result in loss of ability to perform a safety function.

6): Raw out signal from the software comparator.

7): Discrete output from the Tricon 8): Discrete output from the PPS Rack (Input to SSPS).

993754-1-915 Safety Analysis 9 62 of 112 12/09/2014 993754-1-915 Safety Analysis 9 63 of 112 12/09/2014 993754-1-915 Safety Analysis 9 64 of 112 12/09/2014 993754-1-915 Safety Analysis 9 65 of 112 12/09/2014 993754-1-915 Safety Analysis 9 66 of 112 12/09/2014 993754-1-915 Safety Analysis 9 67 of 112 12/09/2014 993754-1-915 Safety Analysis 9 68 of 112 12/09/2014 993754-1-915 Safety Analysis 9 69 of 112 12/09/2014 The Hazard Analysis is intended to verify that logic design and associated data elements correctly implement the PPS software requirements and introduce no new hazard in accordance with IEEE 1012-1998 guidance. The Hazard Analysis also intends to satisfy the following four NUREG/CR-6101- recommended analyses: Design Logic Analysis - to determine whether the PPS software design algorithms and control logic correctly implement the Protection Set safety requirements. Design Data Analysis - to determine whether the PPS data-related design elements are consistent with the Protection Set software requirements. Design Constraint Analysis - to evaluate restrictions imposed on the PPS software requirements if any by the design of the PPS software system, and determines that no new safety hazards have been created. Timing and Sizing Analysis - to evaluate whether there are sufficient resources to satisfy the timing and sizing requirements.

993754-1-915 Safety Analysis 9 70 of 112 12/09/2014 Input documents to the Hazard Analysis are: 1) Invensys SDDs (Protection Set I) 2) PPS Failure Modes and Eff ects Analysis [Reference 2.2.15] 3) Reliability Anal ysis [Reference 2.2.16] 4) Invensys Maximum TSAP Scan Time 993754-1-915 Safety Analysis 9 71 of 112 12/09/2014 993754-1-915 Safety Analysis 9 72 of 112 12/09/2014 993754-1-915 Safety Analysis 9 73 of 112 12/09/2014 993754-1-915 Safety Analysis 9 74 of 112 12/09/2014 993754-1-915 Safety Analysis 9 75 of 112 12/09/2014 993754-1-915 Safety Analysis 9 76 of 112 12/09/2014 993754-1-915 Safety Analysis 9 77 of 112 12/09/2014 993754-1-915 Safety Analysis 9 78 of 112 12/09/2014 993754-1-915 Safety Analysis 9 79 of 112 12/09/2014 993754-1-915 Safety Analysis 9 80 of 112 12/09/2014

993754-1-915 Safety Analysis 9 81 of 112 12/09/2014 993754-1-915 Safety Analysis 9 82 of 112 12/09/2014

993754-1-915 Safety Analysis 9 83 of 112 12/09/2014 993754-1-915 Safety Analysis 9 84 of 112 12/09/2014 993754-1-915 Safety Analysis 9 85 of 112 12/09/2014 The Hazard Analysis is intended to verify that the PPSI TSAP source codes correctly implement the PPS software design elements and introduce no new hazards. The hazard analysis process in this phase is performed in accordance with NUREG/CR-6101 guidance, which is based on guidelines in BTP 7-14 [Reference 2.3.8]. Input documents to the Hazard Analysis in the Implementation Phase are:

1)PPSI SDD 2)PPSI TSAP [Reference 2.2.20]

3)Maximum TSAP Scan Time The Hazard Analysis also intends to satisfy the following four NUREG/CR-6101- recommended analyses: Code Logic Analysis - to determin e whether the PPSI TSAP correctly implements the PPSI software design. Code Data Analysis - to determine whether the definitions of TSAP tagnames correctly implement the PPSI I/O design. Code Interface Analysis - to verify the compatibility of internal and external interfaces among software components (TSAP Custom Function Blocks and Program Modules) and other PPSI system component (MWS software). Code Constraint Analysis - to ensure the PPSI TSAP operates within the constraints imposed by the application performance requirements and the PPSI

software design. The Code Logic Analysis evaluates the sequence of operations presented by the Structured-Text (ST) and Function Block Diagram (FBD) codes of the PPSI TSAP to identify hazards and safety violations. The potential hazards in the Implementation Phase would be software failures that cause TSAP to produce incorrect or unexpected results and/or scan overrun. The codes in Custom Function Blocks and Program Modules are analyzed for the common causes of software failures. Also included is the discussion of how a potential hazard associated with each common cause is mitigated in the specific implementation.

993754-1-915 Safety Analysis 9 86 of 112 12/09/2014 993754-1-915 Safety Analysis 9 87 of 112 12/09/2014 993754-1-915 Safety Analysis 9 88 of 112 12/09/2014 993754-1-915 Safety Analysis 9 89 of 112 12/09/2014 Internal and external interfaces are evaluated to ensure their implementations are consistent with the TSAP interface design and do not create a potential hazard.

993754-1-915 Safety Analysis 9 90 of 112 12/09/2014 The Hazard Analysis is intended to verify the PPSI test instrumentation does not introduce new hazards. The hazard analysis process in this phase is performed in accordance with IEEE 1012-1998 guidance. Input documents to the Hazard Analysis in the Test Phase include:

1)PPSI TSAP [Reference 2.2.20]

2)PPSI FAT procedure [Reference 2.2.21]

3)PPSI HVT procedure [Reference 2.2.22]

The potential hazards in the Test Phase could be created with the vali dation testing tools and methods capable of altering the TSAP logics while the TSAP is running on a real hardware. Six validation tools and methods are analyzed below for hazard identification. Also included is the discussion of how a potential hazard is mitigated in the specific validation method.

993754-1-915 Safety Analysis 9 91 of 112 12/09/2014 993754-1-915 Safety Analysis 9 92 of 112 12/09/2014 The scope of the Hazard Analysis is limited to analyzing the Tricon Protection Set requirements that could potentially cause system hazards. The ALS-related functional or performance requirements are not evaluated for hazards in this analysis. The functional and performance requirements that specify the MWS in normal operation are not evaluated for hazards in this analysis.

993754-1-915 Safety Analysis 9 93 of 112 12/09/2014 Outputs of the Hazard Analysis are an IV&V Task Report and a set of hazard lists. The Task Report is documented in this section. The Hazard Analysis task conducted in the Requirement Phase Revisited was based on the following input documents:

1)993754-11-809 SRS revision 4 2)PG&E PPS FRS revision 9 3)PG&E IRS revision 9 The Hazard Analysis was performed by analyzing the Rev 9-based functional requirements in one SRS for potential haza rd identifications. As the Diablo Canyon project is moving from Rev 5 to Rev 9, th e SRS is re-structured to capture the requirements common for all four Protection Sets and the delta changes applicable to each Protection Set. The evaluation criteria are to analyze the software requirements for satisfying software qualities relating to potential hazards such as Accuracy, Capacity, Functionality, Reliability, Robustness, Safety and Security per guidance from NUREG/CR-6430, Section 3 - Requirement Hazard Analysis. PG&E Cyper Security policy is beyond the scope of this document because it is implemented in MWS. The evaluation result includes the identification of one new hazard (see detail for H-6 in Section 7.3.2) and closure of two Rev 5-based hazards (see details for H-4 and H-5 in

Section 8.3.2). The Hazard Analysis task conducted in the Design Phase Revisited was based on the following input documents:

a.993754-11-810 SDD revision 2 b.PG&E PPS FRS revision 9 c.PG&E IRS revision 9 d.CD-ER 993754-27, CD-ER 993754-28 and CD-ER 993754-29 The Hazard Analysis was performed by analyzin g the Rev 9-based detailed designs in the SDD for potential hazard identifications. The evaluation criteria are to verify that the software design and associated data elements correctly implement the critical requirements and introduce no new hazards in accordance with IEEE 1012-1998 guidance on Design V&V Hazard Analysis activity. The evaluation result includes the closure of one Rev 9-based hazard (see detail for H-6 in Section 7.3.2). No new hazard is identified in the Design Phase Revisited.

993754-1-915 Safety Analysis 9 94 of 112 12/09/2014 The Hazard Analysis task conducted in the Implementation Phase was based on the following input documents: 1) 993754-11-810 PPSI SDD revision 3 2) 993754-11-700 PGE DCPP PPS rev 1

3) 993754-1-817 Maximum TSAP Scan Time revision 1 The Hazard Analysis was performed by analyzing the Rev 9-based Structured Texts and Function Block Diagrams in the PPSI TSAP for potential hazard identifications. The evaluation criteria are to verify that the PPSI TSAP source codes correctly implement the PPSI software design elements and introduce no new hazards in accordance with IEEE 1012-1998 guidance on Implementation V&V Hazard Analysis activity. The evaluation result is that no new hazards were identified in the Implementation Phase. The Hazard Analysis task conducted in the Test Phase was based on the following input documents:

1)993754-11-700 PGE DCPP PPS rev 3 2)993754-11-902-1 PPSI FAT Procedure 3)993754-11-902-0 PPSI HVT Procedure The Hazard Analysis was performed by analyzing the validation tools and methods for potential hazard identifications. The evaluati on criterion is to verify that the test instrumentation does not introduce new hazards in accordance with IEEE 1012-1998 guidance on Test V&V Hazard Analysis activity. The evaluation result is that no new hazard was identified in the Test Phase. The Hazard Analysis task conducted in the PPSII - IV Design Phase was based on the following input documents:

1)993754-12-810 SDD PPS II - IV revision 0 2)PG&E PPS FRS revision 9 3)PG&E IRS revision 9 The Hazard Analysis was performed by analyzing the delta changes between PPSI design

and that for PPS II, III, and IV to identify potential hazards. In general, the PPSI hazard analysis and mitigation discussion in Section 7.1.2 (Design Hazard Analysis) is also applicable to the PPS II, III and IV.

The evaluation criteria are to verify that th e software design differe nces between PPSI and PPSII, III and IV correctly implement the critical requirements and introduce no new hazards in accordance with IEEE 1012-1998 guidance on Design V&V Hazard Analysis activity.

993754-1-915 Safety Analysis 9 95 of 112 12/09/2014 The evaluation result is that no new hazard is identified in the PPSII - IV Design Phase. The Hazard Analysis task conducted in the Implementation Phase was based on the following input documents: 1) 993754-12-810 SDD PPSII-IV revision 1 2) 993754-12-700 PGE DCPP PPS (TSAP)

3) 993754-13-700 PGE DCPP PPS (TSAP)

4) 993754-14-700 PGE DCPP PPS (TSAP)

5) 993754-1-817 Maximum TSAP Scan Time revision 1

6) 993754-12-SWR-45 Software Walkthrough Report

7) 993754-13-SWR-46 Software Walkthrough Report

8) 993754-14-SWR-47 Software Walkthrough Report Deficiency findings from the IV&V Software Code Walk-throughs [Reference 2.2.27 through 2.2.29] were evaluated for potential hazard identifications.

993754-1-915 Safety Analysis 9 96 of 112 12/09/2014 The evaluation result is that no new hazards were identified in the PPSII - IV Implementation Phase. The Hazard Analysis task conducted in the Test Phase was based on the following input documents:

1)993754-12-700 PGE DCPP PPS 2)993754-13-700 PGE DCPP PPS 3)993754-14-700 PGE DCPP PPS 4)993754-12-902-1 PPSII FAT Procedure 5)993754-13-902-1 PPSIII FAT Procedure 6)993754-14-902-1 PPSIV FAT Procedure 7)993754-12-902-0 PPSII HVT Procedure 8)993754-13-902-0 PPSIII HVT Procedure 9)993754-14-902-0 PPSIV HVT Procedure The Hazard Analysis was performed by analyzing the validation tools and methods for potential hazard identifications. The evaluati on criterion is to verify that the test instrumentation does not introduce new hazards in accordance with IEEE 1012-1998 guidance on Test V&V Hazard Analysis activity. The evaluation result is that no new hazard was identified in the Test Phase.

993754-1-915 Safety Analysis 9 97 of 112 12/09/2014 Each hazard is uniquely identified by an ID, namely H-<number>(alphabetic character). The Hazard ID is tied to a specific requirement number in the SRS, namely R-<number>. The hazard ID will be used by the Hazard Tracking mechanism to track each hazard status and its mitigation in each phase of the Protection Sets software development.

993754-1-915 Safety Analysis 9 98 of 112 12/09/2014 993754-1-915 Safety Analysis 9 99 of 112 12/09/2014 993754-1-915 Safety Analysis 9 100 of 112 12/09/2014 993754-1-915 Safety Analysis 9 101 of 112 12/09/2014 993754-1-915 Safety Analysis 9 102 of 112 12/09/2014

993754-1-915 Safety Analysis 9 103 of 112 12/09/2014 The Risk Analysis is intended to review and evaluate the frequency of occurrence and the severity of the consequence(s) associated with a hazard. The analysis also provides recommendations to eliminate or mitigate the risks. Input documents to the Risk Analysis are:

1)PG&E PPS IRS 2)PG&E PPS FRS 3)Invensys SRS 4)The Hazard Lists, Section 7.0 and Section 5.0 The Risk Analysis is prepared based on the guidance of IEEE Std 1012-1998 and CEI/IEC 300-3-9-1995 [Reference 2.3.1]. The scope of the Risk Analysis is limited to evaluating the risks related to the Tricon Protection Set software hazards.

The ALS-related risks are not evaluated in this analysis.

The MWS-related risks in normal operation are not evaluated in this analysis.

993754-1-915 Safety Analysis 9 104 of 112 12/09/2014 Outputs of the Risk Analysis are an IV&V Task Report and a list of risk assessments. The Task Report is documented in this section. The Risk Analysis task conducted in the Requirement Phase Revisited was based on the following input documents:

1)993754-11-809 SRS revision 4 2)PG&E FRS revision 9 3)PG&E IRS revision 9 The Risk Analysis was performed in the Requirements Phase Revisi ted by reviewing and evaluating the new Rev 9-based hazard found in the Hazard Analysis. The evaluation criteria are to review the potential hazards for consequence severity and occurrence frequency. The evaluation result is that a mitigation plan is recommended for one new hazard. The Risk Analysis task conducted in the Design Phase Revisited was based on the following input documents: 1) 993754-11-810 SDD revision 2

2) PG&E IRS revision 9

3) PG&E IRS revision 9

4) CD-ER 993754-27, CD-ER 993754-28 and CD-ER 993754-29 The Risk Analysis was performed in the Requirements Phase Revisi ted by reviewing and evaluating the new Rev 9-based hazard found in the Hazard Analysis. The evaluation criteria are to review the Design Phase hazards for consequence severity and occurrence frequency in accordance with IEEE 1012-1998 guidance on Design V&V Risk Analysis activity. The evaluation result is that no mitigation plan is recommended because all hazards identified in the previous phase are closed. The Risk Analysis task conducted in the Implementation Phase was based on the following input documents: 1) 993754-11-810 PPSI SDD revision 3

2) 993754-11-700 PGE DCPP PPS rev 1 The Risk Analysis was performed by revi ewing and evaluating the new Rev 9-based

hazard if any found in the Hazard Analysis. The evaluation criteria are to review the Implementation Phase hazards for consequen ce severity and occurrence frequency in accordance with IEEE 1012-1998 guidance on Implementation V&V Risk 993754-1-915 Safety Analysis 9 105 of 112 12/09/2014 Analysisactivity. The evaluation result is that no mitigation plan is recommended because no new hazard is identified in the Implementation Phase. The Risk Analysis task conducted in the Te st Phase was based on the following input documents:

1)993754-11-700 PGE DCPP PPS rev 3 2)993754-11-902-1 PPSI FAT Procedure 3)993754-11-902-0 PPSI HVT Procedure The Risk Analysis was performed by revi ewing and evaluating th e new hazard if any found in the Hazard Analysis. The evaluation criteria are to review the Test Phase hazards for consequence severity and occurrence frequency in accordance with IEEE 1012-1998 guidance on Test V&V Risk Analysis activity. The evaluation result is that no mitigation plan is recommended because no new hazard was identified in the Test Phase. The Risk Analysis task conducted in the PPSII - IV Design Phase was based on the following input documents: 1) 993754-12-810 SDD revision 0

2) PG&E FRS revision 9

3) PG&E IRS revision 9 The Risk Analysis was performed by revi ewing and evaluating th e new hazard found in the Hazard Analysis.

The evaluation criteria are to review the PPSII - IV Design Phase hazards for consequence severity and occurrence frequency in accordance with IEEE 1012-1998 guidance on Design V&V Risk Analysis activ ity. The evaluation result is that no mitigation plan is recommended because no new hazard is identified. The Risk Analysis task conducted in the Implementation Phase was based on the following input documents: 1) 993754-12-810 SDD PPSII-IV revision 1 2) 993754-12-700 PGE DCPP PPS (TSAP)

3) 993754-13-700 PGE DCPP PPS (TSAP)

4) 993754-14-700 PGE DCPP PPS (TSAP) 5) 993754-12-SWR-45 Software Walkthrough Report 6) 993754-13-SWR-46 Software Walkthrough Report 7) 993754-14-SWR-47 Software Walkthrough Report 993754-1-915 Safety Analysis 9 106 of 112 12/09/2014 The Risk Analysis was performed by revi ewing and evaluating the new Rev 9-based hazard if any found in the Hazard Analysis. The evaluation criteria are to review the Implementation Phase hazards for consequen ce severity and occurrence frequency in accordance with IEEE 1012-1998 guidance on Implementation V&V Risk Analysis activity. The evaluation result is that no mitigation plan is recommended because no new hazard is identified in the Implementation Phase. The Risk Analysis task conducted in the Te st Phase was based on the following input documents:

1)993754-12-700 PGE DCPP PPS 2)993754-13-700 PGE DCPP PPS 3)993754-14-700 PGE DCPP PPS 4)993754-12-902-1 PPSII FAT Procedure 5)993754-13-902-1 PPSIII FAT Procedure 6)993754-14-902-1 PPSIV FAT Procedure 7)993754-12-902-0 PPSII HVT Procedure 8)993754-13-902-0 PPSIII HVT Procedure 9)993754-14-902-0 PPSIV HVT Procedure The Risk Analysis was performed by revi ewing and evaluating th e new hazard if any found in the Hazard Analysis. The evaluation criteria are to review the Test Phase hazards for consequence severity and occurrence frequency in accordance with IEEE 1012-1998 guidance on Test V&V Risk Analysis activity. The evaluation result is that no mitigation plan is recommended because no new hazard was identified in the Test Phase.

993754-1-915 Safety Analysis 9 107 of 112 12/09/2014 The below list is the result of the quantitative risk analysis, including estimates of the frequency of the hazard and the associated severity.

993754-1-915 Safety Analysis 9 108 of 112 12/09/2014 993754-1-915 Safety Analysis 9 109 of 112 12/09/2014 993754-1-915 Safety Analysis 9 110 of 112 12/09/2014 993754-1-915 Safety Analysis 9 111 of 112 12/09/2014 It is recommended that hazard H-6 be mitigated in the Design Phase Revisited. There is no further recommendation because there is no outstanding hazard. Although mitigations are provided for the potential hazards discussed in Section 7.1.3.1 (Code Logic Analysis), there are two recommendations strictly from a good programming practice:

1)Checking for a non-zero denominator should be performed before the division operation.

2)Checking for a non negative number should be performed before the square root

function invocation. There is no further recommendation because there is no outstanding hazard. There is no recommendation because there is no outstanding hazard. There is no recommendation because there is no outstanding hazard. There is no further recommendation because there is no outstanding hazard.

993754-1-915 Safety Analysis 9 112 of 112 12/09/2014 The Hazard Tracking List is attached below.

DCPP PPS Hazard Tracking ListDocument NoteDCPP Hazard Tracking List is the attachment to the Safety Analysis, 993754-1-915.Revision #

9AuthorHoan NguyenDate9-Dec-14Page 1 of 4 Page 2 of 4 Page 3 of 4 Page 4 of 4

. I n v e. n s* i I"! v'e, I"! S'.!:::1 s* TOO Triconex Project: PG&E PROCESS PROTECTION SYSTEM REPLACEMENT Purchase Order No.: 3500897372 Project Sales Order: 993754 PACIFIC GAS & ELECTRIC COMPANY NUCLEAR SAFETY-RELATED PROCESS PROTECTION SYSTEM REPLACEMENT DIABLO CANYON POWER PLANT SAFETY ANALYSIS Document No. 993754-1-915 Revision 9 I DECEMBER 9 , 2014 I Name Si2nature Title Author: HoanN2uyen V &V En2ineer Reviewer: