ML12361A360: Difference between revisions
StriderTol (talk | contribs) (Created page by program invented by StriderTol)
| document type = Meeting Summary
| page count = 57
| project = TAC:ME7522, TAC:ME7523
}}
=Text=
{{#Wiki_filter:UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

January 10, 2013

Pacific Gas and Electric Company
Diablo Canyon Power Plant, Unit Nos. 1 and 2

SUMMARY OF DECEMBER 19, 2012, TELECONFERENCE MEETING WITH PACIFIC GAS AND ELECTRIC COMPANY ON DIGITAL REPLACEMENT OF THE PROCESS PROTECTION SYSTEM PORTION OF THE REACTOR TRIP SYSTEM AND ENGINEERED SAFETY FEATURES ACTUATION SYSTEM AT DIABLO CANYON POWER PLANT, UNIT NOS. 1 AND 2 (TAC NOS. ME7522 AND ME7523)

On December 19, 2012, a Category 1 teleconference public meeting was held between the U.S. Nuclear Regulatory Commission (NRC) and representatives of Pacific Gas and Electric Company (PG&E, the licensee) at NRC Headquarters, One White Flint North, 11555 Rockville Pike, Rockville, Maryland. The purpose of the teleconference meeting was to discuss the license amendment request (LAR) submitted by PG&E on October 26, 2011, for the Digital Replacement of the Process Protection System (PPS) Portion of the Reactor Trip System and Engineered Safety Features Actuation System at Diablo Canyon Power Plant, Unit Nos. 1 and 2 (DCPP) (Agencywide Documents Access and Management System (ADAMS) Accession No. ML113070457). A list of attendees is provided in Enclosure 1.

The teleconference meeting is one in a series of publicly noticed teleconference meetings to be held periodically to discuss issues associated with the NRC staff's LAR review. Preliminary issues that the NRC staff identified during the initial review, and the licensee's responses to these preliminary issues, were discussed during the teleconference meeting. The list of preliminary issues is provided in Enclosure 2. The NRC staff and licensee confirmed that the next meeting on this topic would be held on January 24, 2013.
Highlights from the meeting on December 19, 2012, include the following:

The NRC staff discussed the status of the audit reports associated with a November 13-16, 2012, audit at the Invensys Operations Management facility in Lake Forest, California. The audit plan dated October 10, 2012, associated with this audit is available in ADAMS at Accession No. ML12276A050. The staff noted that the following two separate audit reports are being written: 1) a cyber security audit report, and 2) an audit report associated with the audit that was performed to verify that the software products to be used at DCPP for the PPS system conform to applicable standards, guidelines, plans, and procedures by assessing the implementation of the system's development life cycle process (life cycle audit). The staff and PG&E took the following actions associated with this November 13-16, 2012, audit:

* The NRC staff will provide a copy of the life cycle audit report to PG&E for a review of proprietary information before the audit report is made publicly available. If proprietary information is identified, PG&E will identify this information to the staff using the 10 CFR 2.390 process.
* Invensys will submit documentation identified by the staff in the life cycle audit report as needing to be placed on the DCPP Unit 1 and 2 dockets to the NRC in accordance with the established process.
* The NRC staff will provide an updated status to PG&E regarding the cyber security audit report prior to the next public meeting.

The project plan for the review of the LAR (Enclosure 3) was discussed. The NRC staff and PG&E confirmed that the audit trip to the Westinghouse/CS Innovations facility (item 11.3 in the project plan) will be held the week of February 11-15, 2013. The NRC staff took an action to provide PG&E an audit plan for this audit by the end of January 2013, so that PG&E and Westinghouse can prepare for the audit. Both the NRC staff and PG&E agreed that the project plan will be updated prior to the next public meeting to reflect the date for the Westinghouse audit and to make other changes as appropriate to other milestones in the project plan to reflect the most current schedule. The updated project plan will be discussed at the next public meeting.

The NRC staff stated that it would develop a second round of requests for additional information (RAIs) in the January 2013 time frame based on those items identified in Enclosure 2 as needing RAIs.

PG&E and the NRC staff discussed recent interactions with industry associated with ensuring that seismic effects were properly accounted for in engineered safety features (ESF) setpoint calculations. PG&E indicated that changes to the ESF setpoints may be needed at DCPP to account for seismic effects on transmitters that are used to provide signals to the PPS. PG&E noted that the transmitters are outside the scope of the October 26, 2011, digital PPS LAR and that if ESF setpoint changes were needed to address seismic effects, PG&E would address this through a separate LAR. The staff indicated that this approach sounded reasonable and that it would check with other NRC staff and management and identify to PG&E in the next public meeting if there were any issues with PG&E's proposed approach.
Please direct any inquiries to me at 301-415-1132 or

Docket Nos. 50-275 and 50-323

Enclosures:
1. List of Attendees
2. Staff Identified Issues That are Open
3. Project Plan

cc w/encls: Distribution via Listserv

Enclosure 1

LIST OF ATTENDEES
DECEMBER 19, 2012, TELECONFERENCE MEETING
PACIFIC GAS AND ELECTRIC COMPANY
DIGITAL UPGRADE FOR DIABLO CANYON POWER PLANT, UNIT NOS. 1 AND 2
DOCKET NOS. 50-275 AND 50-323

Name, Organization:
* Ken Schrader, Pacific Gas and Electric
* Scott Patterson, Pacific Gas and Electric
* John Hefler, Altran
* R. Lint, Altran
* J. Basso, Westinghouse
* W. Odess-Gi"et, Westinghouse
* Roman Shaffer, Invensys/Triconex
* Rich Stattel, Nuclear Regulatory Commission (NRC)
* Bill Kemper, NRC
* Rossnyev Alvarado, NRC
* Shiattin Makor, NRC
* Joe Sebrosky, NRC
* Steve Kane, AREVA
* Gordon Clefton, Nuclear Energy Institute
* Ken Thompson, Avila Valley Advisory Council
Enclosure 2

DCPP PPS Open Item Summary Table
December 17, 2012

Item 21
Issue: Westinghouse/CSI document 6116-00005, "Diablo Canyon PPS System Test Plan," states that the ALS-102 FPGA design is changed for the DCPP PPS System. Further, Section 5.3.3 states: "Test as many of the ALS-102 requirements as possible." Please identify what document describes the design verification test for this board.
PG&E response: The documents that describe the design verification tests for the ALS-102 are 6116-70140, "Diablo Canyon PPS System Test Design Specification," submitted June 6, 2012, and 6116-10216, "Diablo Canyon PPS V&V Simulation Environment Specification," which will be placed on the Sharepoint by December 31, 2012.
Status: Open
RAI: RAI 10, not used (hold until response is received)
Comments: 10-17-12 update (Alvarado): Westinghouse/ALS will submit the documents by 10/31/2012. 9-19-12 update (Alvarado): Waiting for ALS document to be submitted at the end of September. 6-13-12 update (Kemper): PG&E understands that they need to provide an update to this response. In the meantime, PG&E and ALS have provided 2 design specifications that will address this OI. These documents are placed on the PG&E sharepoint website. Doc. No 6116-10740 was submitted on June 6, 2012, which describes the ALS system test design specification. Doc. No 6116-00005 was also submitted on June 6, 2012, which describes the ALS system test plan. Doc. No. 10216, ALS V&V Simulation Environment Specification, will be provided in the future. 3/21/12 update: PG&E has created a share point website for NRC to review PPS design drawings that will address this issue. NRC staff will determine if they need to be submitted on the docket. PG&E will ensure the website information is only applicable to this licensing action. NRC: the response provided does not address the question.
Item 33 (Src: RJS)
Issue: Software Tools (ALS SQAP). Software tools are used extensively during the FPGA development process. The staff therefore considers these tools to be a key component to the assurance of quality in the ALS system. The ALS SQAP states that "no additional tools, techniques, methodologies have been identified" for the ALS system. The staff considers the development tools, as well as the techniques and methodologies used during system development, to be relevant to the assurance of quality for the ALS system. Please provide information on the tools and methodologies used during system development to ensure quality of the ALS system products.
PG&E response: Westinghouse agrees that Section 8, Tools and Methodologies, of the ALS QA Plan (6002-00001) should be revised to reference document 6002-00030, "ALS Design Tools." This document describes the tools used and how they are used in the design process. This document is also on the ALS docket. Westinghouse submitted a revision of the ALS QA Plan, Revision 9, on the ALS docket on October 31, 2012, that provides information on the tools and methodologies used.
Status: Open (Hold)
RAI: 7/13/12 (rjs): Deleted RAI 10 pending review of revised response. Also decided to hold item open. Item initiated on 6/5/12.
Comments: 6-13-12 update (Kemper): W/ALS agrees with NRC's position on tools and will revise the document (Doc. No. 6002-00001) accordingly to address this matter. Placed this item on hold pending review of revised QA plan.
Item 35 (Src: RA)
Issue: Follow up of Item 21 - Software Test Plan. In the response provided for Item 21, PG&E explained that a new revision (Rev. 1) of ALS document No. 6116-00005 was provided. The scope of Revision 1 is slightly different from the scope described in Rev. 0. For example, Section 1.2 in both revisions states that test coverage includes all ALS modules, backplane, license sense modules (LSM), and ALS service unit (ATU). However, Section 2, Test Items, for these revisions is different. Revision 1 only focuses on ALS-102 and backplane assemblies. This section does not include other ALS modules, LSM and ATU. Please explain why these other ALS modules are not included in section 2 of the new revision. Further, Table 1-2 identifies "Diablo Canyon PPS Test Plan" as document No. 6116-00005, which is the same number as "Diablo Canyon PPS System Test Plan". Please clarify if this is referring to a different document.
PG&E response: The scope of both revisions is the same. Revision 1 changes added more detail into the overall scope. The details are broken down into 2 main parts: 1 - The individual components, 2 - The System components. Both parts equal the entire ALS based Diablo Canyon system which includes all ALS modules, Backplane, ASU (incorrectly stated as ATU in the open item), LSM, ALS-102 A/B specific to Diablo and full ALS system test which includes the testing of ALS slave cards required by the DCPP configuration. The entry in Table 1-2 for the Diablo Canyon PPS Test Plan, 6116-00005, is the same document as Diablo Canyon PPS System Test Plan 6116-00005.
Status: Closed
RAI: New RAI
Item 38 (Src: RA)
Issue: Software Management Plan. Section 2 of the PG&E "PPS Replacement Concept, Requirements, and Licensing Phase 1 Project Plan" does not describe the activities to be performed by the Engineering of Choice Design Change Package Team. It is also not clear what the roles and responsibilities of this team are. Please clarify and provide the applicable PG&E control document that describes PG&E roles and responsibilities specifically for the Engineering of Choice Design Change Package Team.
PG&E response: The activity performed by the Engineering of Choice Design Change Package Team is to support PG&E in development of the design change package for the PPS Replacement. PG&E has a contract with an engineering company, currently Enercon Services, Inc., to be the "engineer of choice" to provide nuclear engineering services to PG&E. For individual scopes of work, PG&E develops a purchase request for the scope of work and a purchase order is issued to the engineering company that is the engineer of choice. When the engineer of choice is performing a design change package for Diablo Canyon Power Plant, the engineer of choice uses the PG&E Design Change Procedure, CF3.ID9, "Design Change Development," and PG&E performs an owner acceptance of the work using PG&E Procedure CF3.ID17, "Design and Analysis Documents Prepared by External Contractors."
Status: Closed
RAI: New RAI

Item (Src: RA)
Issue: Software Management Plan. Figure 2-1 of the PG&E "PPS Replacement Concept, Requirements, Licensing Phase 1 Project Plan" and Figure 3-1 of the SyQAP identify Altran under the PG&E Project Engineering box. However, Figure 4-1 of the SyVVP identifies the PG&E project team under the PG&E Project box. Please explain the role and responsibilities for Altran during the PPS Replacement Project.
PG&E response: 09/17/2012: The PPS Organization Chart shown in SyVVP Figure 4-1 is a simplified rendering of the organization charts in Project Plan Figure 2-1 and SyQAP Figure 3-1. The latter figures show an Altran Team under PG&E Project Engineering and a team of three individuals directly under PG&E Project. The slight difference between Figure 4-1 and the other

[Figure: revised organization chart showing PG&E Project Engineering, PG&E Project Team and Altran]

2. Altran is acting as a subcontractor providing engineering support to the PG&E Project Team as shown above in the revised figure. Altran supported LAR preparation and is providing continuing support through the LAR review process. Altran's work is governed by the Altran Engineering Procedures Manual. Documents submitted to PG&E are prepared in accordance with Altran EOP 3.3 (reports) and 5.4 (specifications). All Altran documents are verified in accordance with Altran EOP 3.4. In addition, PG&E accepts Altran documents under PG&E CF3.ID17 as noted in the Altran Verification Report.
Status: Closed
RAI: New RAI

Item 40 (Src: RA)
Issue: Software Tools. In the ALS Progress Update 2012-08-01 provided to the staff, Westinghouse/CSI described that they are replacing the Automated Test Environment (ATE) from the IV&V credited tools with a LabView based ALS Board Test System (ABTS). Also, in this presentation, Westinghouse/CSI noted that they are performing additional IV&V and equipment qualification of tools. Since this information needs to be reflected in the software planning documents, please identify how these items will affect Westinghouse/ALS documents related to the PPS replacement project. Also, identify what document will be revised to include a description of these modifications.
PG&E response: The ALS Design Tool 6002-00030 requires revision to replace the ATE with the ABTS. The revised ALS Design Tool, Revision 9, document was submitted by Westinghouse on October 31 that addresses the tools used.
Status: Open
Comments: 10/17/12 update: Westinghouse/ALS will submit the ALS Design Tools on 10/31/2012.
Item 41 (Src: RA)
Issue: Software V&V and Test Plan. Westinghouse/ALS document 6116-0005, section 8.2 identifies the software tools to be used in the PPS replacement project. However, this list is not consistent with the list of IV&V tools identified in Section 3.6 of ALS V&V Plan 6002-00003. Specifically, the test tools identified in 6002-00003 are not listed in 6116-00005 and vice versa. For example, the V&V Plan (6002-00003) identifies the ATE tool for IV&V, but this tool is not listed in 6116-0005 Rev. 1. Furthermore, the staff reviewed 6116-0005 Rev. 0, and found that the ATE tool was listed in this version. Please clarify what software tools will be used and what document describes them.
PG&E response: A new revision of the ALS V&V Plan 6002-00003 identifies the ABTS and the ISE as the IV&V test tools. This new revision is being docketed the week of September 3 on the ALS platform docket. The ATE is removed from the set of IV&V test tools. The tools listed in document DCPP PPS Test Plan 6116-00005 section 8.2 and the tools listed in DCPP PPS V&V Simulation Environment Specification, 6116-10216 (to be released by 30 September 2012), encompass the IV&V test tools in the new revision of the ALS V&V Plan, 6002-00003.
Status: Closed
RAI: New RAI
Comments: 9/17/12 update (Alvarado): during the conference call PG&E

Item 42 (Src: RA)
Issue: Software V&V. PG&E "PPS System Replacement System Verification and Validation Plan (SyVVP)" does not describe the V&V activities to be performed during the Operation Phase and Maintenance Phase. This document states that these activities are covered by approved DCPP procedures. Please identify these DCPP procedures.
PG&E response: Per the response to OI #28, control of the software modifications to the Tricon and ALS platforms once the PPS replacement project is completed, and the PPS is in the Operations and Maintenance phase, will be by the Process Protection System Replacement Software Configuration Management Plan, SCM 36-01, Revision 0, which was submitted as part of the Phase 2 document submittal on June 6, 2012, in Attachment 4 to the Enclosure of PG&E letter DCL-12-050. Modification to the PPS Replacement components produced by the vendors, CS Innovations and Invensys Operations Management, will be performed by the vendors and verification and validation will be controlled by the vendor verification and validation plans created for the Diablo Canyon PPS Replacement, 00003 for CS Innovations and 993754-1-860 for Invensys Operations Management.
Status: Open
Comments: ... that modifications to the systems will be performed by the vendors. PG&E will provide additional information on their plan to perform modifications to the PPS system during operation and maintenance.

Item
Issue: Software V&V. PG&E "PPS System Replacement System Verification and Validation Plan (SyVVP)", Section 5.1.1, explains that during the Concept Phase, PG&E will verify system requirements in accordance with PG&E procedure CF2.ID9, "Software Quality Assurance for Software Development." However, Procedure CF2.ID9 is for in-house development of software applications. Please explain how this procedure is going to be used for the PPS replacement project. Further, Section 5.1.2 of CF2.ID9 states that an independent review of the functional requirements prepared during the concept phase would be performed. The PG&E SyVVP does not identify this review, and thus there is no specific V&V product for this phase. Please identify who will perform this review and if this is considered a V&V product.
PG&E response: 09/17/2012: Altran developed the PPS Replacement FRS during the Concept phase in accordance with Altran EOP 5.4, and verified it in accordance with Altran EOP 3.4. Altran used PG&E procedure CF3.ID16 for additional guidance. PG&E accepted the FRS under CF3.ID17, which constituted verification of system requirements. This was a design activity rather than a V&V activity and there is no specific V&V product for this phase.
Status: Closed
RAI: New RAI

Item 45 (Src: RA)
Issue: Follow up of item 18 - Software V&V. RG 1.168 identifies five of the activities in IEEE Std. 1012-1998, Annex G, "Optional V&V Tasks," as being considered by the NRC staff to be necessary components of acceptable methods for meeting the requirements of Appendices A and B to 10 CFR Part 50 as applied to software. These tasks are: 1. Audits; 2. Regression Analysis and Testing; 3. Security Assessment; 4. Test Evaluation; 5. Evaluation of User Documentation. Westinghouse/ALS Document No. 6002-00003, "ALS V&V Plan," describes the following techniques for V&V: reviews, testing, traceability analysis, inspection/analysis, and IV&V regression (change) analysis. This plan does not include any of the optional V&V activities identified in IEEE Std. 1012-1998, Annex G. Please explain if these activities are performed.
PG&E response: The DCPP V&V Plan has been revised to include these optional V&V tasks required by RG 1.168 to align with the new ALS V&V Plan for the Optional Tasks. The Diablo Canyon V&V Plan, Revision 1, was placed on the Sharepoint on November 22 and was submitted by PG&E on December 5 in PG&E Letter DCL-12-121.
Status: Open
Comments: 10/17/12 update: Westinghouse/ALS will submit the DCPP V&V plan on 10/31/2012.
Item 46 (Src: RA)
Issue: Software V&V. Several sections in the Invensys Software Verification and Validation Plan (SVVP) reference the "applicable Project Procedure Manual (PPM)" for certain activities. The reference section in this plan identifies the PPM (Reference 2.4.4). It is not clear if the PPM is constituted by procedures or if it is only one procedure. For example, in Section 1.1, the SVVP was prepared in accordance with PPM 7.0 (Ref. 2.4.4), and Section 4 states that V&V activities will be planned and scheduled in accordance with the applicable PPM. Please describe what the PPM is and explain how this is going to be used in the PPS replacement project.
PG&E response: The Project Procedures Manual (PPM) provides appropriate controls for project activities conducted at the Invensys Operations Management (Invensys) Lake Forest facility. These controls ensure that all nuclear Class 1E projects (or non-1E projects where the customer has specified certain 1E requirements) processes, activities, and project documents will meet the requirements of 10 CFR Appendix B, 10 CFR Part 21 and the Invensys Quality System. This procedures manual provides specific controls for NAO as well as other Invensys organizations that perform nuclear safety-related integration project activities. The PPM is a collection of procedures, including referenced Forms, and is a controlled document. Each PPM procedure is intended to implement key areas of activities. Each procedure within the PPM is assigned a unique number and V&V activities during the PPS Replacement Project will be governed by several procedures within the PPM as defined in the SVVP, Invensys document 993754-1-802. The SVVP will be revised to add the title of each procedure within the PPM where referenced in the SVVP. For example, in the SVVP, Section 1.1, where it states that "the SVVP was prepared in accordance with PPM 7.0 (Ref. 2.4.4)," will be revised to state that "the SVVP was prepared in accordance with PPM 7.0, Program Development." The revised SVVP will be submitted by
Status: Closed
RAI: New RAI

Item 47 (Src: RA)
Issue: Software V&V. Invensys Document No. 993754-1-802, "Software Verification and Validation Plan," requires the use of V&V metrics to evaluate the software development process and products. This section does not explain what methods and criteria will be used for software safety metrics. This information is required by section B.3.1 of BTP 7-14, RG 1.152, RG 1.173 and IEEE Stds. 1061 and 1074. Also BTP 7-14 Section B.3.1.1.2. Please provide this information.
PG&E response: The V&V metrics are used during development of the PPS Replacement software that will reside/execute on the V10 Tricon portion. The V&V metrics measure the thoroughness of V&V reviews and testing efforts. These measurements yield data utilized to gain reasonable assurance that the design outputs are of high quality commensurate with the intended use in the PPS Replacement application. The V&V metrics methodology, utilizing a diversity of software measures, provides insight into the rigor of the PPS software development process. V&V uses three distinct metrics during PPS software development:
* Software Quality Metrics: The purpose of these metrics is to measure software quality by tracking the number of defects found in the design outputs (e.g., design documents, software). The method is to count and categorize defects found during V&V review of design outputs. The acceptance criterion is that no technical defects remain at the end of the current phase to receive V&V recommendation to proceed to the next project phase. Any defects that cause non-compliance with customer requirements and/or non-compliance with NRC guidance are considered technical defects.
* V&V Effectiveness Metrics: The purpose of these metrics is to measure the effectiveness of V&V reviews by measuring the percentage of design outputs which V&V reviews or tests. The method determines the percentage of design outputs actually reviewed by V&V (which is meaningful for in-process design changes necessitating a change impact analysis, revisions to released design outputs, and a regression analysis). The Acceptance Criterion is that 100 percent of comprehensive or delta change reviews is achieved in the current phase to receive V&V recommendation of proceeding to the next project phase.
* Software Safety Metrics: The purpose of these metrics is to assess whether software safety requirements are being met. Methods are to count software hazards found during V&V review or testing of design outputs and to confirm software hazard mitigation in each project phase, or, at a minimum, by the end of the project and approval at the completion of acceptance testing. The Acceptance Criterion is that all software hazards are mitigated by the end of the Test Phase to receive approval of the results of acceptance testing.
Status: Closed
RAI: New RAI

Item
Issue: Software V&V. PG&E SyVVP, Section 6, requires that anomalies detected are identified, documented, and resolved during the V&V activities. This section states that anomaly reporting and resolution requirements are defined in the respective PG&E control procedures. Section 2, "Control Procedures," does not include a reference for an anomaly reporting procedure. Please identify the PG&E control procedure used for anomaly reporting. Further, Section 7 of the SyVVP states that the PG&E authority responsible for approving deviations from the SyVVP is the PG&E Project Manager, who will document his/her approval in a Change Notice or equivalent formal PG&E document. Please identify where the responsible PG&E authority will document its approval.
PG&E response: 1. The PG&E control procedure for anomaly reporting is OM7.ID1, "Problem Identification and Resolution." This procedure governs the PPS replacement after it has been turned over to PG&E by the suppliers. The suppliers' anomaly reporting procedures are applicable prior to this turnover. 2. IN PROGRESS
Comments: 10/17/12 update: For item 2, PG&E will revise the SyVVP and submit it on 11/30/2012. 9/17/12 update (Alvarado): NRC staff received copies of OM7.ID1 and XI1.ID2. This addressed item 1 of this open item.

Item 49 (Src: RA)
Issue: Software V&V. Invensys Document No. 993754-1-802, "Software Verification and Validation Plan," Section 6.3 states that Invensys personnel prepare a System Deficiency Integration Report (SDIR) to document non-conformances and corrective actions during testing; the SDIR is prepared in accordance with PPM 10.0. Please explain what PPM this is. Further, the Invensys "Validation Test Plan," Section 5.4.2 states that the Test Review Board and PG&E shall review SDIRs, but this is not indicated in the Invensys V&V plan. Please explain why this review activity is not identified as a V&V task in the V&V Plan.
PG&E response: The PPM 10.0 procedure defines the process to control nonconforming items and identify appropriate corrective action for all nuclear application projects developed at the Invensys Operations Management (Invensys) Lake Forest facility. This procedure is intended to provide controls for nonconforming items and corrective actions related to project activities. As used in this procedure, the term "nonconformance" describes deficiencies in parts and materials (items), documentation, and/or deviations from stated requirements. This procedure addresses the identification, documentation, evaluation, and disposition of nonconforming items. This procedure also describes the corrective action process to be used for project-related issues where corrective action is warranted. SVVP Section 5.2.2.2.1 4) stated that Nuclear IV&V shall generate and verify the system-level Validation Test Plan, 993754-1-813, in accordance with PPM 6.0 [Ref 2.4.4], in conjunction with IEEE 829-1983. The SVVP was developed in accordance with PPM 6.0, Test Control. In PPM 6.0, Test Control, it was stated that the Project Review Committee (PRC) shall review all test results for completeness, accuracy and acceptability. This review shall include all test documentation, e.g., the Test Procedures, the Test Logs, the System Integration Completion Checklist, the Test Report(s), and SDIRs.
Status: Closed
RAI: New RAI

Item 50 (Src: RA)
Issue: Software V&V. The Invensys Validation Test Plan, Section 8.2, states that the Narrative Test Logs are used to document the conduct of testing and any anomalies that occur. Please explain if this is only used during validation, and why this is not mentioned in the Invensys SVVP. Further, please explain how this is used in conjunction with the Document Review Comment Sheet (DRCS) and System Deficiency Integration Report (SDIR).
PG&E response: PPM 6.0, Test Control, defines the Test Logs. All test activities shall be recorded in a Test Log. The Test Log constitutes a continuous, hand-written journal of all test activities from the point of initial entry into the Test Procedure until the conclusion of all testing, including any required retesting. The Test Log shall include entries for sign-in and sign-out of all participating personnel, establishment of indicated prerequisites and initial conditions for testing, performance of testing and retesting, identification of problems, etc. The Test Log is intended to be a detailed journal of all testing activities sufficient to fully document the actual sequence of testing performed, the test results achieved and any problems that occurred, including their impact on test performance. The Test Log shall be reviewed by the PRC as part of its evaluation of the test results. The Test Logs are independent and separate from the Document Review Comment Sheet (DRCS) and System Deficiency Integration Report (SDIR). However, as a test narrative, the Test Log may identify the fact that an SDIR was generated as a result of a test anomaly.
Status: Closed

Item 51.1.a (Src: RA)
Issue: Software Configuration Management - Configuration Process. In open item 4, the staff requested a description of the software configuration management activities for configurable boards (e.g., the ALS-102 board). Since the ALS-102 board is DCPP-specific, its configuration management activities are not covered by the "ALS Configuration Management Plan." Even though item 4 is closed, this request was not addressed in the response for item 4.
PG&E response: 09/18/2012: ALS-102 Configuration. The FPGA installed on the ALS-102 board, and therefore the ALS-102 board itself, is specific to the PPS Protection set and the ALS subsystem in which it is installed. PG&E will not have the capability to alter the FPGA. Any change to the FPGA must be made by CS Innovations. Therefore, ALS-102 FPGA configuration management activities are covered by the ALS Configuration Management Plan. PG&E capability to change ALS-102 configuration will be limited to board-level replacement.
Status: Closed

Item 51.1.b (Src: RA)
Issue: Software Configuration Management - Configuration Process. The PG&E SCM 36-01, item 1.2.8, states that the ALS board has two sets of NVRAM. Further, it explains that the configuration of the NVRAM can be changed only by removing the subject board from the ALS chassis and inserting it into a special test fixture. It is not clear who will control this process and the configuration of the NVRAM. Please explain.
PG&E response: 09/18/2012: ALS I/O boards are generic; that is, each board is configured using its NVRAM for the specific function it is to perform. This activity is described in SCM 36-01 Section 1.2.8, which states that the configuration of the NVRAM is changed by removing the subject board from the ALS chassis and inserting it into a special test fixture. This would be performed as part of a maintenance activity, such as replacing a failed board. If the functionality of an I/O board required modification as a result of an application change, all required NVRAM configuration alterations would be performed by CS Innovations under their ALS Configuration Management Plan. As with the ALS-102 FPGA discussed above, PG&E will not have the capability to alter the NVRAM configuration itself. PG&E capability to change the NVRAM configuration for a specific I/O board will be limited to loading NVRAM images that are under CS Innovations configuration control and that have been previously verified and validated at the system level by CS Innovations. Configuring the NVRAM in order to replace an I/O board will be performed by PG&E under an approved plant maintenance procedure.
Status: Closed

Item 51.1.c (Src: RA)
Issue: Software Configuration Management - 1. Configuration Process, c) Section 1.2 of the Invensys Document No. 993754-1-909, "Software Configuration Management Plan," states that this plan controls the operating system of the computers used to run TriStation 1131 and the signal simulation software used for testing purposes. However, the description provided throughout the plan only focuses on the configuration activities for the TSAP (e.g., Section 2.3 states that the SCM procedures are for the TSAP). Further, this same section (later on) identifies the software configuration to be managed, and this list does not include the operating system of the computers used to run TriStation 1131 and the signal simulation software used for testing purposes. Please clarify the scope of this plan.
PG&E response: 09/18/2012: There was no intent for the SCMP to do more than track the revision of Commercial Off The Shelf (COTS) software. In this case "Control" is defined as tracking the revision levels such that they are recorded on the project Master Configuration list, Invensys project document 993754-1-803. On page 7 of the SCMP, under "limitations," it states, in part, that the revision levels of this type of software will be tracked.
51.2 (RA) Software Configuration Management, 2. Organization. Status: Open. Comments: 10/17/12 update: PG&E will revise the SCMP to address several open items.
Issue: The organization and responsibilities described in Section 4 of CF2.ID2 are not consistent with the information presented in Section 2 of SCMP 36-01. For example, Section 2 of SCMP 36-01 identifies the system coordinator, application sponsor, and system team, who are not identified in Section 4 of CF2.ID2. Further, these descriptions are not identified in the project organization described in the PG&E PPS Replacement Plan (Attachment 3 of the LAR). Please clarify the roles and responsibilities for SCM, and provide a cross reference of the PG&E organizations described in these documents.
PG&E Response (12/16/2012): PG&E will revise the SCMP plan to be consistent with the CF2.ID2 Section 4 organization, including a description of additional roles and responsibilities not required by CF2.ID2, if needed.

51.3.a (RA) Software Configuration Management, 3. Changes and Problems Identification. Status: Open. Comments: 10/17/12 update: PG&E will revise the SCMP to address several open items.
Issue: a) PG&E SCMP 36-01 states that software, hardware, and configuration problems are reported in accordance with PG&E OM7.ID1 and that software and/or configuration problems are reported via a PROG PDCM Notification. Please clarify when and how these are used. For example, for software problems does one have to report the problem using both PG&E OM7.ID1 and PROG PDCM Notification? Note that PG&E CF2.ID2 states that all problems associated with plant computer systems should be reported and documented per OM7.ID1 (see Sections 5.11 and 5.16.10 (b) of CF2.ID2). Further, Section 3.2.1 states that all PPS modifications should be initiated and tracked per plant procedures or CF4.ID1. Section 3.2.2 states that the implementation of the change is documented in the associated Change Package and a SAP notification and order. And Section 3.2.10 states that all identified problems and corrective actions using a notification, which is not specified. So should software modifications require reporting and tracking using OM7.ID1, CF4.ID1, PROG PDCM Notification, Change Package, and SAP? Please explain PG&E procedures for different changes and the documenting and tracking system used for all types of
PG&E Response: [IN PROGRESS]

51.3.b (RA) Software Configuration Management, 3. Changes and Problems Identification. Status: Open.
Issue: Please clarify the means to track changes. Section 3.2.4.7 of SCM 36-01 states that this is done using a SAP order, but 3.2.4.7 states that the Change Package and SAP order are entered into the Record Management System, and Section 3.3 describes Configuration Status Accounting, which is used to track configuration changes.
PG&E Response: The means to track changes is the SAP order. The Record Management System is the system used at Diablo Canyon to store and allow retrieval of documents to meet 10 CFR 50 Appendix B quality assurance requirements. Completed Change Packages and SAP orders are entered into the Record Management System for storage and later retrieval.

51.4.a (RA) Software Configuration Management, 4. Document Repository. Status: Open.
Issue: SCM 36-01, Section 2.3.3 identifies the Digital Systems SourceSafe as the repository, but Section 3.2.5.5 identifies http://dcpp142/idmws/home/asp, and Section 3.29 states that files necessary for recovery of the baseline are maintained in the PPS database in SC-I-36M, "Eagle 21 Tunable Constants." It is not clear if these two sections are referring to the same repository or if it is the same. Please clarify.
PG&E Response: [IN PROGRESS]

51.4 (RA) Software Configuration Management, 4. Document Repository.
Issue: PG&E has implemented restrictions to access files and documents associated with the PPS replacement project. Further, PG&E requires user authentication and access to edit configuration, software, and data.
It is not clear if these restrictions apply for access to the Digital Systems Engineering SourceSafe or the repository in http://dcpp142/idmws/home/asp.
PG&E Response: [IN PROGRESS]

52 (RJS) Security: NSIR. Status: Open.
Issue: PG&E stated in its letters DCL-11-123 and DCL-11-104 that the PPS replacement will be fully compliant with the 10 CFR 73.54 cyber security requirements, including RG 5.71, Revision 0, "Cyber Security Programs for Nuclear Facilities," dated January 2010, and is being reviewed to comply with 10 CFR 50.73, the DCPP Cyber Security Plan, and NEI 08-09, "Cyber Security Plan for Nuclear Power Reactors," Revision 6, dated April 2010. The cyber security program that PG&E is implementing per its NRC-approved cyber security plan includes provisions applicable to all phases of a system's life cycle, including the digital upgrade or modification of critical digital assets. Please explain how the provisions outlined in PG&E's NRC-approved cyber security plan were considered, and/or implemented, as part of the PPS replacement. The provided explanations should include how all of the management, operational, and technical security controls contained within the plan, especially security controls associated with Configuration Management and System and Service Acquisition, are being addressed. The provided explanations should also include any issues associated with partial implementation of the PPS replacement and full implementation of the cyber security plan for the site, and processes to identify and resolve any such issues.
PG&E Response: The Cyber Security program manager and other members of the CSAT (Cyber Security Assessment Team) met with the Process Protection System (PPS) Upgrade design engineer beginning in 2011. Many options were discussed. The Cyber Security program manager and project manager have met with the procurement group to discuss cyber security principles that should be written into the procurement procedures, and what steps will help to ensure a secure supply chain. The Cyber Security Assessment Team (CSAT) was formed in accordance with Section 3.1.2 of the cyber security plan, and Milestone a, on 10/31/2011. A list of critical digital systems and assets was created in accordance with Section 3.1.3 of the cyber security plan and Milestone b on 10/31/2011. The CSAT looked at scheduled digital upgrades, and added the future equipment to the list of critical digital systems. The CSAT determined the PPS equipment will be a critical system, with several CDAs. From July 9-12, 2012, the cyber security project manager accompanied members of the Quality Verification group to examine the design and production facilities of Invensys, examined the code production practices and the development environment, and determined that Invensys has an SDE and ensures their employees are reliable and trustworthy.
Activities planned for the future: In December of 2012, the network that the PPS will eventually reside on will be isolated from internet-connected networks by a deterministic network device, per Milestone c of the DCPP Cyber Security Plan. Thus many network attacks, including many that depend on a back door created by a vendor, will not be possible. Also by December of 2012, DCPP will have taken steps to lessen the likelihood of an attack initiated by a portable electronic device, or portable media such as a thumb drive, per Milestone d and Section D1.19 of NEI 08-09. This will mitigate portable-media-based attacks that depend on a back door created by a vendor. The DCPP Cyber Security Team will interface with NUPIC (Nuclear Procurement Issues Committee) and the NEI/NITSL counterfeit parts task force to address digital equipment supply chain security. The Cyber Security Implementation Project Manager has developed a detailed project plan, with several tasks and schedules. Several existing plant procedures will be revised. The PPS will inherit the controls implemented by these procedures. Many of the procedures will have been changed/created before the PPS is installed. The CSAT is collecting design information as it becomes available. The collected design documentation is being reviewed as it is collected. The collected documentation will be reviewed in a formal desktop evaluation per the cyber security plan, Section 3.1.5, prior to the PPS installation. The test setup in the offsite test lab near the plant will be visited on occasion by the CSAT, the system will be walked down repeatedly during installation, and the final walkdown will be performed when the system is ready to return to operations, per Section 3.1.5 of the security plan. The CSAT will make recommendations to enhance the cyber security posture of the PPS upgrade throughout the project, and will make their recommendations after the system walkdown, per Section 3.1.6 of the security plan. Disposition of all controls will be documented in the cyber assessment tool, CyberWiz. Recommended mitigation will be in CyberWiz, and the Corrective Action Program.

FSAR Changes. Status: Closed, New RAI. Comments: Acceptable WEK response. Send this as an RAI so that the issue does not get lost.
Issue: PG&E Letter DCL-12-050, Phase 2 Documents, Attachment 2 FSAR Changes, FSAR Section 7.1.2.5, Conformance With Other Applicable Documents (page 7.1-13), does not indicate the NRC Safety Evaluation that will be produced to approve the PPS. The staff's SER should become part of the DCPP Unit 1 & 2 licensing basis once it is issued. How will this be documented within the FSAR?
PG&E Response: Reference to the staff SER will be included in FSAR Section 7.2.1.1.6 for the reactor trip portion of the process protection system and in Section 7.3.1.1.4.1 for the engineered safety features actuation system portion of the process protection system.

FSAR Changes. Status: Closed, New RAI. Comments: Acceptable WEK response. Send this as an RAI so that the issue does not get lost.
Issue: PG&E Letter DCL-12-050, Phase 2 Documents, Attachment 2 FSAR Changes, FSAR Section x.x.x.x (page 7.2-23), states that the evaluation for the common mode failure in the PPS is presented in Reference 37 [DCPP PPS D3 LTR] and approved in Reference 38 [the staff's SER approving the DCPP PPS D3 LTR]. However, it is noted that in the staff's SER it was stated in several sections that the D3 design features were approved based on "...
confirmation that the proposed built-in diversity of the ALS sub-system is found to be acceptable." This confirmation will be provided in the DCPP PPS SER; therefore, the staff's SER should also be referenced in this section.
PG&E Response: Reference to the staff SER for LAR 11-07 will be included in FSAR Section 7.2.2.1.2 in addition to the staff SER for the DCPP D3 LTR.

57 (WEK) FSAR Changes. Status: Closed, New RAI. Comments: Acceptable response. Send this as an RAI so that the issue does not get lost.
Issue: PG&E Letter DCL-12-050, Phase 2 Documents, Attachment 2 FSAR Changes, FSAR Section 7.2.2.9.2, IEEE 603-1991 Clause 5, Clause 5.12 (page 12), states that "... the communication path between the maintenance workstation and the ALS subsystem is normally disabled with a hardwired switch ..." Also, Attachment 3, PG&E PPS Interface Requirements Specification (IRS), Rev. 6, to PG&E Letter DCL-12-069 dated August 2, 2012, states in Section 1.5.6 "... TAB communications between the ALS and MWS takes place via RS-485 data link. The TAB is physically disconnected from the MWS when the TAB is not in use .... the TAB is open at all times unless maintenance is being performed on the ALS ..." Please identify administrative controls and design features associated with the PPS that explain how the MWS is disconnected/disabled from the PPS (i.e., a means of physical cable disconnect, or a safety-qualified hardware switch that either physically opens the data transmission circuit or interrupts the connection by means of hardwired logic. "Hardwired logic" as used here refers to circuitry that physically interrupts the flow of information, such as an electronic AND gate circuit (that does not use software or firmware) with one input controlled by the hardware switch and the other connected to the information source: the information appears at the output of the gate only when the switch is in a position that applies a "TRUE" or "1" at the input to which it is connected. Provisions that rely on software to effect the disconnection are not acceptable. It is noted that software may be used in the safety system or in the workstation to accommodate the effects of the open circuit or for status logging or other purposes) that demonstrate how this hardwired switch disconnects the ALS maintenance workstation from the ALS safety processor.
PG&E Response: For the ALS subsystem, instead of using a hardwired keyswitch, the ALS subsystem will be administratively controlled by physically disconnecting the communication link to the ALS MWS computer when the Test ALS Bus (TAB) is not being used for surveillance testing, maintenance, and trouble-shooting. This is a PPS replacement design change described in the response to the NRC request for additional information in PG&E Letter DCL-12-083 and will be included in a supplement to LAR 11-07.

ALS FMEA. Status: Close, New RAI. Comments: RJS 10/19/12: If I understand the PG&E response correctly, these system effects are being evaluated within the context of the local effects that are also provided in the FMEA. Application-specific compensating features that influence the systematic effects of these failure modes are thus accounted for within the analysis. Agree to close but would like the PG&E response on record. Need RAI.
Issue: There are several failure modes identified in Table 4-4 of the FMEA where the System Effects entry provides a description of functions that are not affected by the failure mode instead of stating what the effects of the failure mode are. For example, the System Effects in the ETT failure in line 5b of Table 4-4 are that the Alarm Function remains operational. Though this may be the case, it does not state what the effects of the failure mode are. Examples of this can be found in lines 5b, 6a, 6b, 7a, 9h, 9i, 11b, 11c, and 11d.
PG&E Response: The System Effects entry does describe the functions that are affected by the failure mode. This entry must be read in the context of the entire FMEA table row. For example, the cited row for ETT failure in line 5b discusses the effects of failures of the ALS-402-1 digital output board, which sends Alarm Signals to other systems. In the case of Energize to Trip outputs (ETT), a stuck open output channel will prevent the core A rack from being able to actuate the Alarm (in this case a specific instance of an ETT Alarm is cited, the "Containment Pressure in Test Alarm"). However, due to the compensating features, which in this case is the redundant implementation of the function in the core B rack, the System Effect is that the Alarm function remains operational. A similar reading applies to the other examples cited.

59 (RJS) ALS FMEA. Status: Closed, N/A. Comments: 10/19/12 Response accepted. rjs: It is the staff's understanding that all failure modes which are not detectable through normal means such as surveillance tests or channel checks would need to be considered present for the purpose of satisfying single failure criteria for the system.
Issue: Some of the identified failure modes of the ALS system are detectable only by operator observations, or by means that are not necessarily performed during routine operation or during surveillance testing. See lines 10c and 12a. What measures will be implemented to ensure that these failure modes would not occur and remain undetected for an indefinite period of time?
PG&E Response: Surveillance testing includes visual inspection of the equipment in addition to the specified test cases that demonstrate functionality. Therefore, those failure modes that are detected by operator observations will be detected as part of the surveillance test. IEEE Std 379-2000 defines detectable failures as those failures that can be identified through periodic testing or that can be revealed by alarm or anomalous indication. Therefore, such failures do not need to be considered to be present for purposes of evaluating single failure criterion compliance. The specific cases cited are clear examples. Line 10c discusses failures of the local partial trip indicators. Failures of the indicators do not affect the actual trip function. During the test the technician uses the indicators to confirm that the trip action occurs at the appropriate threshold. Thus the act of observation of the failure during surveillance testing is assured. Line 12a discusses failure of the serial link used for continuous monitoring of the ALS health. Failure of this link does not affect the safety functions of the rack, but would be immediately obvious at the workstation used to do the monitoring. This workstation is used in surveillance testing.

60 (RJS) Technical Specifications. Status: Open, New RAI.
Issue: In order for the staff to make a determination that the existing technical specifications and surveillance intervals remain acceptable for the replacement PPS system, an evaluation to compare the ALS/Tricon PPS system reliability and performance characteristics with those of the Eagle 21 system must be performed. Please provide an evaluation summary report to support the application of
existing technical specification and surveillance test intervals to the upgraded ALS/Tricon based PPS system. This report is expected to include a quantitative analysis to demonstrate the new system's ability to perform its required safety functions between established surveillance intervals as well as a qualitative (i.e., deterministic) analysis which cites the self-diagnosis and fault detection features of the replacement PPS. The report should address the staff's previous findings in Section 4.3, "Applicability of WCAPs to DCPP," of Amendment No. 179, dated January 31, 2005 (ML050330315).
PG&E Response: An evaluation summary report to support application of the existing TS and TS surveillance test intervals will be provided by January 31, 2013.

61 (RA) Software V&V Plan. Status: Open. Comments: 11-28-12 update: The staff will review the V&V plan to determine if this item can be closed.
Issue: ALS provided Revision 7 of its V&V plan (6002-00003). This revision provides a mapping and alignment with IEEE Std 1012-1998. This now causes a misalignment with the DCPP V&V Plan, 6116-00003; thus, the DCPP V&V Plan will need to be revised. Please identify when this new revision will be submitted.
PG&E Response: The DCPP V&V Plan, Revision 1, has been created to provide consistency with the ALS V&V Plan. The Diablo Canyon V&V Plan, Revision 1, was placed on the SharePoint on November 22 and was submitted on December 5 in PG&E Letter DCL-12-121.

62 (RA) Software Management Plan. Comments: 11-28-12 update: The staff will review the PPS Management Plan and the V&V plan to determine if this item can be closed.
Issue: Revision 2 of the ALS "Diablo Canyon PPS Management Plan," 6116-0000, Sections 2.1 and 2.2, defines the project organization. As described in guidance documents BTP 7-14 and NUREG/CR-6101, licensees need to describe the management aspects of the software development process. Please clarify the following:
1. The description provided in this section does not align with the organization structure provided in Figure 2-1. The description provided is not clear. For example, the bulleted list identifies "Scottsdale Operations Director", but then the 1st paragraph refers to Scottsdale Operations Director and ALS Platform & System Director. It is not clear if this is the title for one person or for two. Further, Figure 2-1 does not identify the ALS Platform & System Director, if this role is performed by a separate individual. Please clarify this.
2. This section states that the ALS V&V Plan provides information on the interface between the IV&V team and the PPS replacement project. It is not clear why the ALS V&V plan will provide this information, since the ALS V&V plan is for the generic platform. Please clarify what document contains this information.
3. This section states that the WEC Project Manager is responsible for the commercial process interface with PG&E. However, this role is not listed in the bulleted item list and not identified in Figure 2-1. Please clarify this role.
4. Figure 2-1 identifies a QA Manager, but this section only describes the QA Lead. Please describe the role and responsibility for the QA Manager.
5. Section 4.1, Planning Stage, mentions a "Project Leadership Team," which is not described in Section 2. Please explain the role and responsibilities for this team.
PG&E Response: To address item 1, the Diablo Canyon PPS Management Plan, Revision 3, clarifies in Section 3 the organization details. To address item 2, the Diablo Canyon IV&V Plan, Revision 1, provides information on the interface between the IV&V team and the PPS replacement project. To address items 3 to 5, the Diablo Canyon PPS Management Plan, Revision 3, clarifies in Section 3 that the WEC Customer Project Manager is responsible for the commercial process interface with PG&E, the roles and responsibilities of the QA Manager, and the roles and responsibilities of the Project Leadership Team. The Diablo Canyon PPS Management Plan, Revision 3, was placed on the SharePoint on November 15 and was submitted on December 5 in PG&E Letter DCL-12-121. The Diablo Canyon V&V Plan, Revision 1, was placed on the SharePoint on November 22 and
was submitted on December 7 in PG&E Letter DCL-12-121.

63 (RA) Software Management Plan.
Issue: Revision 2 of the ALS "Diablo Canyon PPS Management Plan," Section 4.1, Planning Stage, identifies that deliverables from this phase are approved by the "Managerial Review Board." However, this document does not identify the role and responsibilities for this board. Furthermore, the PPS V&V Plan, 6116-00003, Rev. 0, states that IV&V will review planning stage documents. Please clarify the person/team responsible for this review and their role and responsibilities.
PG&E Response: The Managerial Review Board review and the IV&V reviews are two different reviews. The Managerial Review Board gives final "exit criteria" approval for both the Planning and Development stages; this Managerial Review Board approval is required for entrance into the subsequent stage. Their role is clarified in the "exit criteria" details in Section 4.1's Planning Stage and Development Stage sub-sections. The IV&V team also reviews the planning stage documents according to criteria in the V&V Plan. Additional details have been added to the Management Plan. The Diablo Canyon PPS Management Plan, Revision 3, was placed on the SharePoint on November 15 and was submitted December 5 in PG&E Letter

64 (RA) Software Management Plan. Status: Closed, New RAI.
Issue: To close Items 27 and 29, PG&E issued the DCPPS Project Assurance Plan to define the oversight activities to be performed during the PPS replacement project. Section 2 of this plan describes responsibilities of those involved in oversight activities. However, it is not clear how these roles and responsibilities correlate to the organization described in the PG&E PPS Replacement Plan (Attachment 3 of the LAR) and the PG&E PPS Replacement System Quality Assurance Plan (Attachment 4 of the LAR). For example, the Project Quality Plan describes the responsibilities of the PPS Replacement Manager, but this role is not described in other documents. Further, the responsibility described seems to align with the responsibility of the Project Manager. Please explain the relationship, if any, of the roles and responsibilities described in the DCPPS Project Quality Assurance Plan to those provided in other PG&E documents.
PG&E Response: The "Quality Assurance Plan for Diablo Canyon Protection System Replacement" (referred to as the "Project Quality Plan" in the response to OIs 27 and 29) was a project-specific document created by the Quality Verification group (a Quality Assurance organization) to identify Quality Assurance tasks to be performed by the Quality Verification group for the project. The "Quality Assurance Plan for Diablo Canyon Protection System Replacement" provides the specific plan to be used by the "Supervisor Project QA" identified in Section 3.5.1 (page 19) of the SyQAP and the "Project QA Engineer or Equivalent" identified in Section 3.5.8 of the SyQAP to provide PG&E quality oversight for the project, which in part supports meeting 10 CFR 50 Appendix B quality requirements for the project. The "Supervisor Project QA" is not identified in the PPS Replacement Project Plan Figure 2-1 (PPS Replacement Project Organization) because they are not part of the Project Organization, but instead provide independent quality assurance oversight of the Project Organization. Section 6.1, "System Quality Assurance Plan (SyQAP)," of the PPS Replacement Project Plan discusses the SyQAP, which in turn references the "Supervisor Project QA" in Section 3.5.1 (page 19) and the "Project QA Engineer or Equivalent" in Section 3.5.8 to provide PG&E quality oversight for the project.

65 (RJS) KVM Switch.
Issue: See Attachment 3.
PG&E Response: See Attachment 3.

66 (WEK) Port Tap. Status: New RAI. Comments: 11-28-12 update: See 11-28-2012 update question. A new RAI will be added to clarify this inconsistency so it will be on the docket.
Issue: Section 4.2.13.1 of the LAR (page 85) states: "... The NetOptics Model PA-Open Cu/PAD-CU1 PA-CU port aggregator network tap was approved previously by NRC for a similar application in the Oconee RPS SER Section 3.1.1.4.3 [18]. The NRC staff determined that due to the electrical isolation provided by use of fiber optic cables and the data isolation provided by the Port Tap and the Maintenance and Service Interface (MSI) in the Oconee RPS, there was reasonable assurance that a fault or failure within the Oconee Gateway computer or the Operator Aid Computer will not adversely affect the ability of the Oconee RPS to accomplish its safety functions." In Section 3.1.1.5.2.1 of the Oconee SER, the staff approved the NetOptics aggregator Port Tap, Model 96443, No. PA-CU, as a device intended to allow monitoring of a full duplex 10/100BaseT Ethernet communication link by copying the communications and sending that copied communications to a one-way simplex communications link. Due to the importance of this one-way communications path functioning properly, the NRC staff performed a detailed review of the design aspect of this one-way communications path. Circuit diagrams on the device itself indicated that the communications using Port C (Port 1 in the case of the DCPP PPS application) may be capable of two-way communications. Since the original review of Model 96443, part No. PAD-CU Port Tap, required NRC staff examination of actual schematic drawings of the circuitry to determine that there was no inbound communications path associated with Port C (Port 1 for the PPS), a similar schematic review for any replacement or updated model of the Port Tap must be evaluated in the same manner (by the licensee) to determine that the manner in which it is being used and configured is acceptable, and that it does not invalidate the conclusion of this SE that use of the Port Tap provides adequate data isolation between the Gateway computer and the digital RPS/ESPS. The Port Tap approved for Oconee was model 96443 PA-CU.

67 (WEK) Port Tap. Status: Closed, New RAI. Comments: 11-28-12 update: Response is acceptable.
Issue: 11-28-2012 Update: The response below still needs further clarification. Section 3.7.2.1 (page 71) of the approved Tricon V10 LTR SER (ML12146A010) states: "The NetOptics Port aggregator Tap, Model 96443, No. PA-CU, or PAD-CU, is a device intended to allow monitoring of a 10/100BaseT Ethernet communication link by copying communications and sending that copied information to a separate one-way communications link. Port A of the Port Tap is connected to the TCM, and Port B is connected to the Maintenance Terminal (maintenance video display unit (MVDU))." Since the LAR references the Port Tap approved within the Tricon V10 SER, this model number 96443 may still be confusing to the reader. Please provide the model number of the Port Tap that PG&E will use in the DCPP PPS and provide an explanation of its equivalency to the Port Tap approved for the Oconee RPS/ESPS LAR.
Revised PG&E Response (12/17/2012): The PPS Replacement application will use the NetOptics Model PA-CU network port aggregator tap to isolate the Tricon portion of the PPS replacement from the gateway computer. NetOptics has confirmed via e-mail (Case# 205591) that part number "96443" is the same as PA-CU. It is the old SKU part number for the CU. Section 4.2.13.1 of the DCPP PPS LAR (pg. 85) states, "Port aggregator dual in-line package (DIP) switch positions will be controlled by DCPP configuration management processes."
Please provide a documented basis (e.g., a plant procedure, or engineering design package) that demonstrates how this will be controlled.
PG&E Response: The Port aggregator DIP switch positions will be controlled by a plant procedure or plan. The plant procedure or plan will be developed as part of the design change for installation of the PPS replacement after NRC approval of the LAR.
Status: Open.

Issue Description: Please provide a detailed functional description of the DCPP PPS NSR Gateway Computer(s) system, including computers/processors, communications protocols, and data isolation details. Or, please indicate where this information is explained within the LAR and supporting documents. Also, please provide a detailed explanation of the Gateway Switch discussed within the LAR, including its operating principle (hardware, logic based, etc.), data/electrical isolation design features, and any other pertinent information pertaining to its failure mechanisms.
11-28-2012 follow up: Figure 4-13 (Pg 87) of the LAR indicates that data communications are provided directly between the SR ALS "A" & ALS "B" Protection Sets I, II, III and IV, and the NSR Gateway Computers via RS-422 copper media (i.e., not through the Port Tap). Section 4.8.2 b) (page 110 of the LAR) states that "... All other communication to non-safety equipment, i.e., Plant Computer, is via continuous one-way communication channels on the 102." Please describe how the 1E/non-1E data communication and electrical isolation is implemented within the ALS for this configuration. Also, explain how the ALS "A" & "B" inputs to the NSR Gateway Computers are isolated from each other, and the data communication protocols associated with processing this data within the Gateway Computers.
Comments: 11-28-12 update: See 11-28-2012 follow up question.
PG&E Response: The DCPP Gateway computer and Gateway switch are part of an existing system that was installed by a previous project, and therefore were not included in the scope of the changes requested for approval in the LAR. Communications from the Gateway Switch to the Tricon are functionally isolated by the Triconex Communication Module (TCM) and the NetOptics Model PA-CU Network Port Aggregator Tap discussed in Tricon V10 SER Section 3.7.2.1. A fiber-optic data link provides electrical isolation. The NetOptics PA-CU Network Port Aggregator Tap was approved for this use in the Oconee RPS SER. The PA-CU prevents inbound communications from external devices or systems connected to Port 1 of the Port Aggregator from being sent to interactive Ports A and B. The Oconee SER described the methods they used to verify that Aggregator Port 1 provides one-way outbound communications only. As a transmit-only device, it does not listen to and is not affected by the communications protocol (or lack thereof) of the external device or system to which it is connected. The ability of the Port Aggregator Tap to prevent inbound communications to the Tricon from its Port 1 will be verified at the Tricon V10 FAT and the SAT, as previously stated in PG&E Letter DCL-12-083 dated September 11, 2012.
Updated PG&E Response 12/12/2013: The response to OI #73 discusses the Transmit Bus TxB2 data communication path from the ALS-102 Core Logic Board to the ALS MWS. Transmit Bus TxB1 transmits data from the ALS-102 CLB to the Gateway Computer. Both TxB1 and TxB2 are EIA-422 communication links in which Receive capability is physically disabled by hardware as described in the ALS-102 Design Specification, 6002-102002. The receiver is configured such that the transmit data is looped back for channel integrity testing.
The ALS-102 is physically and electrically incapable of receiving information from outside the ALS-102 via the Transmit Busses TxB1 and TxB2. Therefore, messages are not disregarded or rejected by the ALS-102. This is better than a "broken wire." The wire just isn't there, and there is no place to connect a wire if someone wanted to do so.
Updated WEC Response: The 1E/non-1E data communication is described in the ALS Topical Report Sections 2.2.1.3 and 5.3.2, and in 6116-00054, "Diablo Canyon PPS Matrix," Position 2. The electrical isolation qualification of the 1E/non-1E data communication is not part of the ALS Platform review project, and will be qualified with an isolation fault test that will be conducted 1st quarter 2013 per IEEE Std 384-1992, "IEEE Standard Criteria for Independence of Class 1E Equipment and Circuits," and Regulatory Guide 1.75, "Criteria for Independence of Electrical Safety Systems." A supplemental test report will be issued 2nd quarter 2013.

No. 69 (Src/RI: WEK)
Issue Description: Please provide a detailed explanation of the application programs contained within the Tricon and ALS MWS computers, including how they will be used to support or enhance the performance of the PPS safety function, enhance the performance of the PPS safety systems, provide required maintenance, surveillance, etc. Or, please indicate where this information is explained within the LAR and supporting documents.
Status: Open.
Comments: 11-28-12 update: Additional clarification was provided, so the question was rephrased.
PG&E Response December 17, 2012: The ALS MWS will utilize Microsoft Windows®-based Westinghouse/CSI ALS Service Unit (ASU) software that is described in the ALS Topical Report Section 2.6.3.
The DCPP PPS Replacement MWS will be mounted permanently in the PPS rack containing the PPS in a manner similar to ALS Topical Report Figure 2-25; however, interactive Test ALS Bus (TAB) communications will be enabled only when the TAB is physically connected to the ALS MWS by qualified personnel under administrative controls, such that the TAB is enabled only on one ALS "A" or "B" subsystem at a time. The ability to use the TAB to communicate with the ALS is essential to maintain the ALS safety function. The ASU communicates with the ALS via the TAB only when required to calibrate the ALS, normalize RCS flow coefficients, perform surveillances in accordance with Technical Specifications, as well as to troubleshoot and otherwise maintain the ALS. TAB communications are disabled at all other times by physically disconnecting the TAB from the MWS. The diverse ALS subsystem whose TAB has not been enabled will continue to perform its safety function without impact. TAB communications are described in ALS Topical Report Section 5.2. The ALS MWS will also display parameters transmitted to it online by the one-way TxB2 transmit bus described in ALS Topical Report Section 2.2.1.3. Interdivisional communications between the MWS and the ALS are described in ALS Topical Report Section 5.3.

The Tricon MWS will implement five Microsoft Windows®-based application programs: (1) Invensys WonderWare® InTouch® PPS application; (2) TriLogger; (3) Tricon Diagnostic Monitor; (4) Triconex Dynamic Data Exchange (DDE) Server; and (5) TriStation 1131 (TS1131) Developers Workbench Version 4.9.0.

1. WonderWare® InTouch® PPS Application. The WonderWare InTouch application provides online display of selected PPS internal parameters and trouble alarm details. The WonderWare InTouch application also is used for maintenance of individual PPS instrument channels in conjunction with the hardwired OOS switches that have been discussed in the response to other Open Items. The MWS WonderWare InTouch application will be the tool normally used to determine the specific cause of an alarm. The Main Annunciator System only displays system level alarms. The MWS InTouch application contains an alarm monitor, which is a troubleshooting aid that provides a detailed, specific display of the alarms generated by the Tricon PPS application.

2. Triconex TriLogger. The TriLogger software provides the ability to record, display, play back and analyze data from the Tricon system. Data can be viewed in real time on the MWS. The TriLogger is designed to provide real-time data trending and analysis capabilities and can be configured to trigger on specific events and log detailed data to aid technicians in isolating, diagnosing, and troubleshooting problems. The TriLogger may not identify transient events that occur while it is off-line.

3. Tricon Diagnostic Monitor Utility. The Tricon Diagnostic Monitor utility displays Tricon system and module status by mimicking the actual Tricon chassis and slots, so that the user can find the exact location (chassis number and slot number) of a module that may be experiencing a fault or other problem. The Tricon Diagnostic Monitor Utility improves reliability by aiding rapid troubleshooting and fault location at the Tricon system level.

4. Triconex Dynamic Data Exchange (DDE) Server. The Triconex DDE Server utility enables the DDE-compliant WonderWare InTouch client to request data from the Tricon and, when allowed during maintenance of PPS instrument channels in conjunction with the hardwired OOS switches, to change data (e.g., setpoints and tunable parameters) in the Tricon application program.

5. TriStation 1131 (TS1131) Developers Workbench. TriStation 1131 is a PC-based application development workstation that provides a comprehensive set of development, test, monitor, validation and diagnostic tools for Tricon Programmable Logic Controllers (PLC). The TS1131 program is utilized to maintain the PPS application program and may also be used for monitoring and troubleshooting purposes. The TS1131 program is described in the Tricon V10 SER Section 3.1.3.2. The TS1131 tool will be installed on the MWS. However, the TS1131 tool will not normally be running while the Tricon is performing its safety function [Tricon V10 SER Section 3.10.2.9]. If the TS1131 workstation is connected during online safety operation for maintenance or troubleshooting purposes, its use will be controlled via administrative controls and qualified maintenance personnel. Access to the operating Tricon is governed by the controller keyswitch. With the keyswitch in the RUN position, use of the TS1131 program is limited to read-only access to the Tricon. Parameters and application program logic operation may be observed in real time; changes are not permitted. The TS1131 program can only write to the Tricon when the controller keyswitch is in the PROGRAM position. With the keyswitch not in RUN, the PPS application will initiate an alarm on the Main Annunciator System and the affected PPS set will be declared inoperable with respect to its safety function. Regardless of whether the keyswitch has been deliberately manipulated or whether the condition is the result of Tricon hardware or software failure, the Tricon diagnostics will detect a "keyswitch not in RUN" condition and the PPS application program will initiate a PPS Trouble alarm on the Main Annunciator System. When the "keyswitch not in RUN" condition exists, the affected Tricon is considered to be INOPERABLE with respect to its safety function. A Technical Specification LCO would be entered upon operator determination that the PPS trouble alarm was caused by the "keyswitch not in RUN" condition. The condition could be active in multiple Tricon protection sets because it could occur as a result of common cause software failure. Even in the condition with multiple "keyswitch not in RUN" conditions, the negative impact of the condition in multiple protection sets is limited because on-line maintenance will normally be performed in one protection set at a time, and each Tricon protection set has its own dedicated, independent MWS. It is not possible for a single MWS to be connected to other than its own protection set. Therefore, only one Tricon protection set at a time would physically be able to allow software changes. Given that the PPS trouble alarms would be active in all affected protection sets, it is highly unlikely unintended changes could ...

If a PPS Trouble alarm were to occur on the Main Annunciator System due to the "keyswitch not in RUN" condition, regardless of the cause, the operator would notify DCPP Maintenance. In the absence of the detailed alarm monitoring provided by an on-line MWS, the maintenance technicians would be required to obtain work orders, gain access to the affected protection set, connect and boot the MWS, and only then could begin to determine the cause of the alarm. The alarm information would not be available if the alarm were due to a transient condition that cleared between the time the condition initiated and when the MWS was operational. Diagnosis of the condition could be delayed for several hours. With the on-line MWS and the alarm monitor function, the condition, whether caused by intentional manipulation of the Tricon controller keyswitch or by a hardware or software failure involving the keyswitch, would be identified immediately.

As with the ALS, the on-line Tricon MWS is essential to performing maintenance of the Tricon, including surveillance testing per the Technical Specifications, and is equivalent to the existing, approved Eagle 21 Test Bypass capability. The MWS is required to bypass channels for testing. Removing a Tricon from service during such routine maintenance would require tripping all the channels in that protection set, which would make one channel in the coincidence logic tripped for all channels in the protection set. This condition increases the risk of challenging plant safety systems should another channel trip inadvertently with the protection set out of service. Without the data links from the Tricon and ALS to the MWS (which make data available to the Plant Process Computer/Plant Data Network), only control board indicators and recorders will be available to provide a "window" on the PPS. The Tricon will continue to perform its function. System trouble alarms will still be generated by the PPS on the Main Annunciator System, but without the alarm monitor and other display capabilities provided by the MWS, there is no direct means to determine the specific cause of the alarm. The network switch between the Port Aggregator tap and the MWS ensures continued Tricon data transmission on loss of the Tricon MWS. The network switches are redundant to ensure continued data transfer from the Tricon to the MWS on failure of a single Tricon network link.

Conclusion: The non-safety communications between the PPS controllers and their respective, dedicated MWS units enhance and support the PPS safety function through improving maintainability and thus reliability, and enabling on-line surveillance testing, calibration, and maintenance. Risk of challenging plant safety systems is reduced through the ability to test in bypass rather than requiring test in trip. Further, the MWS units provide essential support for surveillance testing and maintenance functions. Without the online non-safety communications capability, neither Tricon nor ALS real-time data and status information will be available on the Plant Process Computer or in the Control Room on other than dedicated control board indicators and recorders. Lack of access to real-time, continuous, on-line PPS status data and diagnostic information introduces delay into PPS trouble identification and resolution, and substantially degrades the maintenance effectiveness and timeliness enabled by the diagnostic features built into the platforms and the application programs. The ability to make online use of the information provided by redundant, real-time data communications to the MWS and to the plant process computer improves PPS reliability and thus supports and enhances safety by providing timely diagnostic information and status details that assist performance of required trouble-shooting, maintenance, and surveillance activities.

No. 70 (Src/RI: WEK)
KVM Switch Question 1: If the Enumerated USB switching function is used, will you be able to use the keyboard hotkeys and mouse buttons to perform switching? The brochure seems to indicate on page 3 that the Enumeration switching process will not enable control switching using the USB keyboard or mouse. However, it further says that Emulation switching was developed to support these enhanced switching functions/devices (keyboard hotkeys or mouse buttons). Albeit, other USB devices (e.g., printer) do not need to use the Emulated USB switching function. Could you please clarify?
Status: Open.
Comments: 11-28-12 update: Response Okay. Leave open until the KVM Switch information is provided within the LAR revision.
PG&E Response: The USB1 and USB2 ports, which use enumerated switching, pass straight through the KVM switch without interpretation. Therefore, one cannot connect a keyboard to USB1 or USB2 and use the hotkeys to perform switching, and USB1 and USB2 traffic cannot cause a switch. The block diagram shows the output of the emulated portion of the switch and the enumerated portion going to a USB hub before being sent to the computer. The keyboard and mouse will use the emulated function, not the enumerated switching function; only the keyboard and mouse can control the switch.

No. 71 (Src/RI: WEK)
KVM Switch Question 2: Will the KVM switch be on-line 24-7 monitoring data from either the Tricon or the ALS platform? If so, what can we say about the failure modes of the KVM switch? Can it fail in such a manner so as to inject faults into the MWS computers, and hence into the Tricon or ALS safety system processors? If not, why? If so, what can be done to circumvent this problem, and show conformance with ISG-04, Points 10 & 11? We will need to cover this matter in the SER.
10-17-12 Update: Response below did not answer the question regarding failure modes of the KVM switch ... agree that it is Okay to lose the Tricon but I do not see how the ALS is protected due to its "inherent 1-way communications" design. Please explain this further.
Status: Open.
Comments: 11-28-12 update: ALS ISG-04 compliance was submitted, and Westinghouse thinks that this will answer this question. PG&E needs to respond to the 10-17-12 update in the description section. Leave open until the KVM Switch information is provided within the LAR revision.
PG&E Response: The KVM switch will be on-line 24-7 for monitoring data from either the Tricon or ALS platform via the respective MWS computers. There is additional isolation because the ALS communicates strictly one way to its MWS except when TAB communications are enabled by connecting the TAB cable. Connection of the TAB is performed as directed by a trained technician using an approved procedure. Therefore, if the KVM switch failed in some way to connect the two MWS together, the ALS would not be affected. The Tricon might be affected, but the D3 analysis allows the Tricon to fail due to CCF. The following paragraphs have been added to the IRS Section 2.3.7:
b. The KVM switch shall permit only connections between a single computer and the selected video display and HMI interface devices. Connection between the computers shall not be permitted.
g. The AV4PRO-VGA KVM switch shall utilize the default switching mode, in which the video display, keyboard and mouse and the enumerated USB ports are all switched simultaneously.
Paragraph g was necessary to prevent the enumerated ports from being switched separately from the KVM.
Note: "IRS" is the Interface Requirements Specification (Attachment 8 of the LAR).
Added PG&E Response 12/16/2012: During normal, non-maintenance operation, the ALS communicates one-way to its dedicated MWS computer via Transmit Bus TxB2 as discussed in the response to OI #73. Inter-divisional safety to non-safety communications are addressed in ALS Topical Report Section 5.2.3. The TxB2 data communication path from the ALS-102 Core Logic Board to the
ALS MWS computer is an EIA-422 communication link in which Receive capability is physically disabled by hardware as described in the ALS-102 Design Specification. The receiver is configured such that transmit data is looped back for channel integrity testing. The ALS-102 is physically and electrically incapable of receiving information from outside the ALS-102. Therefore, the ALS cannot be affected by a malfunction in the dedicated MWS computer associated with an ALS protection set, regardless of whether the malfunction is caused by a KVM switch malfunction or a malfunction of the MWS computer.
WEC Response: The 1E/non-1E data communication is described in the ALS Topical Report Sections 2.2.1.3 and 5.3.2, and in 6116-00054, "Diablo Canyon PPS Matrix," Position 2. The electrical isolation qualification of the 1E/non-1E data communication is not part of the ALS Platform review project, and will be qualified with an isolation fault test that will be conducted 1st quarter 2013 per IEEE Std 384-1992, "IEEE Standard Criteria for Independence of Class 1E Equipment and Circuits," and Regulatory Guide 1.75, "Criteria for Independence of Electrical Safety Systems." A supplemental test report will be issued 2nd quarter 2013.

No. 72 (Src/RI: WEK)
KVM Switch Question 3: Also, you will likely need to address how you will disable the features you are not using, such as the audio interface, unused USB ports, and remote control/channel switching by external control, from an SDOE perspective and probably a cyber security perspective later on (after SER).
Status: Open.
Comments: 11-28-12 update: PG&E needs to respond to the 10-17-12 update in the description section. Leave open until the KVM Switch information is provided within the LAR revision.
10-17-12 Update: The methods used to block Ports in the KVM Switch must be addressed in the LAR revision. Block all unused Ports and keep any that may need to be reopened under design or configuration control.
Again, we need a detailed explanation of how this 1-way design feature will prevent KVM switch failures from affecting the ALS system.
PG&E Response: Specific answers to these questions depend on the detailed design. Ports can be physically blocked, which might be appropriate for unused computer ports and the audio ports. It might not be appropriate for the unused USB port (which may be needed for a future printer) and the options port (which may be needed for firmware updates). Remote control switching or firmware update requires a custom serial cable. The firmware update requires specialized software on the computer being used to perform the update. Firmware update will be done by procedure. The MWS will be inside a locked cabinet inside a vital area inside the protected area. Inadvertent actions, while not impossible, will not be easy. If the switch is somehow manipulated, the ALS will not be affected even if the KVM switch fails, because the ALS communicates only one-way with the MWS except for short periods when the TAB is enabled.
Revised PG&E Response 12/16/2012: PG&E will physically block the audio port, USB Port 2 and unused computer ports. Physical blocks will be verified at SAT and controlled thereafter by the SCMP. PG&E considers that opening any of the unused ports for use after the SAT is a modification of the physical plant configuration that will require an engineering design change.

No. 73 (Src/RI: WEK)
KVM Switch Question 4: If the KVM switch does fail in some manner allowing data flows between the two platforms, then the ALS system would not be affected because the ALS platform will only transmit data in one direction to its MWS (with the TAB cable disconnected, of course). This is good; however, the LAR (or attachments) need to explain how the engineering design principles of the ALS platform physically prevent bad/erroneous data from corrupting the ALS platform. In other words, explain how these messages emanating from the MWS (regardless of origin) will be disregarded/rejected by the ALS platform, thus allowing only one direction of data flow.
10-17-12 Update: The ALS-102 Design Specification document 6002-10202 has not yet been submitted to the NRC. When will it be submitted?? Will this EIA-422 (or is it RS-422 per Fig. 4-13 in the LAR) communication link (twisted pair copper wire) also serve as the 1E/non-1E isolation devices as required by IEEE 603, Clause 5.6.3 and IEEE 7-4.3.2, Clause 5.6?? Please clarify.
11-28-2012 Update: Still need more information re: 1E/non-1E isolation of the ALS-102 board.
Status: Open.
Comments: 11-28-2012 update: PG&E needs to respond to the 11-28-12 update in the description section. PG&E needs to respond to the 10-17-12 update in the description section. 10-17-12 Update: there is a typo in Section 2.4.13.5 on page 90 of the LAR. The first paragraph references ALS doc. 6002-61202 (typo) as the document that explains how the EIA-422 communication channels on the ALS-102 board are electrically isolated and have inherently one-way communications capability only. The document 6002-10202, in Reference 94, is the correct document.
PG&E Response:
Revised PG&E Response 12/16/2012: The design of the TxB1 and TxB2 data communication paths from the ALS-102 Core Logic Board to the Gateway Computer and MWS, respectively, are EIA-422 communication links in which Receive capability is physically disabled by hardware as described in 6002-102002, the ALS-102 Design Specification. The receiver is configured such that the transmit data is looped back for channel integrity testing. The ALS-102 is physically and electrically incapable of receiving information from outside the ALS-102. Therefore, messages are not disregarded or rejected by the ALS-102. It is better than a "broken wire." The wire just isn't there, and there is no place to connect a wire if someone wanted to do so.
Updated PG&E Response: Per the 10/17/2012 update, NRC is correct regarding the typographical error in Section 2.4.13.5 on page 90 of the LAR. The correct ALS-102 Design
Specification document number per LAR Reference 94 is 6002-10202. Per the 11/28/2012 update, RS-422 is the common short form title of American National Standards Institute (ANSI) standard ANSI/TIA/EIA-422-B, Electrical Characteristics of Balanced Voltage Differential Interface Circuits. This technical standard specifies the electrical characteristics of the balanced voltage digital interface circuit. For the purposes of the LAR, the two designations are equivalent and may be used interchangeably. Westinghouse to address ALS-102 board 1E/non-1E electrical isolation.

No. 74 (Src/RI: WEK)
KVM Switch Question 5: Please explain in detail how "Connection between the computers shall not be permitted." Will this be handled via a configuration control process, administrative controls, or a physical means of preventing connection between computers?
Status: Open.
Comments: 11-28-12 update: Leave open until the KVM Switch information is provided within the LAR revision. 10-17-12 Update: Response is Okay, but the LAR revision will need to expand further on this matter to explain how these controls will provide this protection.
PG&E Response: This section was intended to be a functional requirement for the KVM switch. Administrative and configuration controls will prevent inadvertent loading of an EPROM image that could corrupt operation of the KVM switch. If the KVM switch fails and connects the ALS and Tricon MWS together, the above-described physical and electrical restrictions of the KVM switch will prevent the ALS from being corrupted by its MWS computer.

No. 75 (Src/RI: RJS/NSIR)
Issue Description: ALS Security Plan Document 6002-00006 references the CS Innovations Cyber Security Plan document (Reference 7), which is not docketed. Without having access to this referenced document, the staff is unable to confirm implementation of the system security requirements. We need to discuss if the document can be made available on the SharePoint or if it can be made available during the audit. In addition, CS-00013-GEN, Development Environment Evaluation Report - CS Innovations Isolated Development Infrastructure, might be another document of interest to the staff. It seems that this document would provide evidence that the actual development environment was in fact secure. This document was not docketed.
Status: Open.
Comments: Note: RJS - We need to resolve if the document needs to be docketed now that we have reviewed it during the audit.
PG&E Response: Westinghouse can make available during the audit both CSI document 9000-00360, "CS Innovations Cyber Security Plan," and WIA-CS-00013-GEN, "Development Environment Evaluation Report - CS Innovations Isolated Development Infrastructure."
Closed. New RAI.

No. 76 (Src/RI: WEK, Invensys Audit Item)
Issue Description: The documents listed below are necessary for the staff to complete its assessment of the Tricon V10 platform changes/software revisions that have occurred since the platform was approved generically, and which will be applied to the DCPP PPS.
1. Design Change Analysis (RDCA), 993754-1-916
Qualified Equipment List (NQEL), 9100150-001: Rev 11: Tricon V10.5.2; Rev 13: TriStation V4.9.0; Rev 14: Tricon V10.5.3
Tricon NGIO Software SRS, 6200155-001
Tricon V10.5 Verification and Validation Report (19 Sept. 2012)
V10.5.2 Documents: a) PDR (IRTX) 21105; b) Technical Advisory Bulletin (TAB) 183; c) Engineering Project Plan (EPP) Tricon V10.5.2, 9100346-001; d) V10.5.2 V&V Test Report; e) Software Release Definition (SRD), V10.5.2, 6200003-226
V10.5.3 Documents: a) PDR (IRTX) 22481; b) Product Alert Notice (PAN) 25; c) Engineering Project Plan (EPP) Tricon V10.5.3, 9100428-001; d) Tricon PAN 25 Master Test Report; e) Software Release Definition (SRD), V10.5.3, 6200003-230; f) NGDO SRS 6200170-001
TriStation V4.9.0 Documents: a) Product Alert Notice (PAN) 22; b) Product Alert Notice (PAN) 24; c) Technical Advisory Bulletin (TAB) 147; d) Engineering Project Plan (EPP) TriStation V4.9, 9100359-001; e) TriStation V4.9.0 Master Test Report; f) Software Release Def. (SRD), TriStation V4.9.0, 6200097-038; g) Spec. Software Design - TriStation 1131 SDS, 6002168-002 (Section Applicable to V4.9.0 Change); h) TriStation 1131 V4.9 V&V Plan, 9600442-002; i) TriStation 1131 V&V Summary Report (26 Oct. 2012)
Comments: 11-28-12 update: Response Acceptable. We will also need this information submitted on the docket. Note: rjs - Bill is asking for all of these documents to be docketed and PG&E has only committed to putting them on the SharePoint. We need to resolve this!
December 17,2012 DCPP PPS Open Item Summary Table Page 48 of 49 No SrciR/ Issue Description P&GE response: Status RA/ No. (Date Sent) RA/ Response (Due Date) Comments RJS PG&E Response: Invensys will place the requested documents on the Invensys SharePoint by December 3,2012, for access by the NRC. The documents will be marked in accordance with 10 CFR 2.390 prior to placing them on the SharePoint. 77 The staff requests that the Purchase Order Compliance Matrices (Multiple Documents) be placed on the SharePoint site to support verification of requirements traceability determinations. PG&E Response: Invensys will place the requested documents on the Invensys SharePoint by December 7,2012, for access by the NRC. The documents will be marked in accordance with 10 CFR 2.390 prior to placing them on the SharePoint. Invensys Audit Item RJS -I do not believe that the POCM's will need to be docketed. 78 RA The staff requests that the Invensys Project Procedures Manual and Project Instructions (Multiple Documents) be placed on the SharePoint site to support review of Invensys process to design, develop and test the Tricon !;ystem. PG&E Response: Invensys will place the requested documents on the Invensys SharePoint by December 14,2012, for access by the NRC. The documents will be marked in accordance with 10 CFR 2.390 prior to placing them on the SharePoint. 79 RA ------------Invensys to confirm that the following terms are not used, and that they will be removed from their plans and replaced with the correct terms. | |||
* Test Review Board
* Test Case Incident Report
* Master Configuration Checklist
* Configuration Database

PG&E Response: The following Invensys documents will be revised to reflect correct terminology and placed on the Invensys SharePoint by December 21, 2012: 1) 993754-1-905, Project Management Plan; 2) 993754-1-906, Software Development Plan; 3) Software Configuration Management Plan; 4) 993754-1-813, Validation Test Plan. The revised documents will be marked in accordance with 10 CFR 2.390 prior to placing them on the SharePoint.

No. 80 (RA)
Issue: Invensys to revise its plans to reflect the current project organization.
PG&E Response: The Invensys Project Management Plan (PMP), 1-905, will be revised to reflect the current project organization and placed on the Invensys SharePoint by December 21, 2012. The revised PMP will be marked in accordance with 10 CFR 2.390.

Enclosure 3

Project Plan for Diablo Canyon Replacement of Digital RPS and ESFAS (PPS) - LAR Review (Rev. 7)

Columns in the original table: Step; Planned Date; Task; Actual Date. Entries below are given as step, planned date, task, and actual date where one is shown.

1. Oct. 26, 2011: PG&E LAR Submittal for NRC approval. Submittal includes all Phase 1 documents needed to be docketed prior to acceptance for review per ISG-06, "Digital Licensing." (Actual: Oct. 26, 2011)
2. Jan. 12: Acceptance Review complete. LAR accepted for detailed technical review. Several issues identified that could present challenges for the staff to complete its review. Scheduled public meeting with PG&E to discuss the results of the acceptance review. (Actual: Jan.)
3. Jan. 13: Acceptance letter sent to licensee. (Actual: Jan.)
4. Jan. 18: Conduct Public Meeting to discuss staff's findings during the LAR acceptance review. Staff proceeds with LAR technical review. (Actual: Jan. 18)
5. March: PG&E provides information requested in acceptance letter.
- April: Bi-weekly telecoms with PG&E and its contractors to discuss potential RAI issues. Open Items spreadsheet will be maintained by NRC to document staff issues and planned licensee responses.
- May: PG&E provides partial set of Phase 2 documentation per commitments made in LAR. (Actual: June 2012*) *PG&E provided a subset of the Phase 2 documents on June 6th and committed to send the rest by July 31, 2012.
- August: First RAI sent to PG&E on Phase 1 documentation review of the application (specifications, plans, and equipment qualification). Request 45 day response. Continue review. (ML12208A364)
8. June: SER for Tricon V10 Platform issued final. This platform becomes a Tier 1 review of the LAR. (ML12146A010) (Actual: May 15, 2012)
8.1. March 2013: SER for Westinghouse ALS Platform issued final. This platform becomes a Tier 1 review of the LAR.
9. September: Receive answers to first RAI. (ML accession number not legible) (Actual: Sept. 11)
- November: Audit trip to Invensys facility for thread audit; audit the life cycle planning documents and outputs, with particular emphases on verification and validation, configuration management, quality assurance, software safety, the Invensys application software development procedures, and application software design. (Actual: Nov. 16)
- December: Audit report provided to PG&E and its contractor.
11.1. TBD: LAR and all documentation associated with the change in ALS and Tricon V10 workstation designs for the [...] are [...].
11.2. TBD: Follow-up audit trip to Invensys facility for thread audit; audit the life cycle planning documents and outputs, with particular emphases on verification and validation, configuration management, quality assurance, software safety, the Invensys application software development procedures, and application software program design.
11.3. February 2012: Audit trip to Westinghouse/CSI facility for thread audit; audit the life cycle planning documents and outputs, with particular emphases on verification and validation, configuration management, quality assurance, software safety, the W/ALS application software development procedures, and PPS ALS application software program design.
12. March 2013: PG&E provides remaining set of Phase 2 documentation per commitments made in LAR.
12.1. March 2013: All Documentation for DCPP W/CSI ALS and IOM/Triconex V10 processors applicable to the DCPP PPS LAR are submitted.
13. April 2013: Second RAI to PG&E on Phase 2 documentation (e.g., FMEA, safety analysis, RTM, EQ Test results, setpoint calcs, SW Tool analysis reports, and any incomplete or unsatisfactory response to first RAI). Continue review - hardware and program design and V&V activities.
14. May 2013: Receive answers to second RAI. Continue review - V&V program, security requirements (RG 1.152, Rev. 2).
15. March 2013: Audit trip to W/ALS facilities for additional thread audit items; audit hardware and software installation plans, configuration management reports, detailed system and hardware design, completed test procedures, V&V activities, summary test results (including FAT) and incident reports, and application code listings.
15.1. April 2013: Audit trip to Invensys facilities for additional thread audit items; audit hardware and software installation plans, configuration management reports, detailed system and hardware design, completed test procedures, V&V activities, summary test results (including FAT) and incident reports, and application code listings.
16. May 2013: Audit reports provided to PG&E and its contractors.
17. November 2013: Presentation to ACRS Subcommittee/Full ACRS Committee on DCPP PPS LAR Safety Evaluation.
18. November 2013: Complete draft technical SER for management review and approval.
19. December 2013: Issue completed draft technical SER to DORL.
20. December 2013: Draft SER sent to PG&E, Invensys, and W/CSI to perform technical review and ensure no proprietary information was included.
21. January 2014: Receive comments from PG&E and its contractors on draft SER proprietary review.
22. March 2014: Approved License Amendment issued to PG&E.
23. September 2014: Inspection trip to DCPP for PPS Site Acceptance Testing (SAT), training and other preparation for installing the new system. To be coordinated with regional visit. Date based on receipt of new PPS system at the site in preparation for September 2015 Unit 1 Refueling Outage (1R19) (tentative).
- September 2015: Inspection trip to DCPP for PPS installation tests, training and other system installation activities for the new system. To be coordinated with regional visit. Date based on September 2015 Unit 1 Refueling Outage (1R19).
Please direct any inquiries to me at 301-415-1132 or at Joseph.Sebrosky@nrc.gov.

Docket Nos. 50-275 and 50-323

Enclosures:
1. List of Attendees
2. Staff Identified Issues That are Open
3. Project Plan

cc w/encls: Distribution via Listserv

DISTRIBUTION: PUBLIC; LPLIV Reading; RidsAcrsAcnw_MailCTR Resource; RidsNrrDeEicb Resource; RidsNrrDorl Resource; RidsNrrDorlLpl4 Resource; RidsNrrDraApla Resource; RidsNrrDssStsb Resource; RidsNrrLAJBurkhardt Resource; RidsNrrPMDiabloCanyon Resource; RidsNsirDsp Resource; RidsOgcRp Resource; RidsRgn4MailCenter Resource; CSantos, EDO RIV; TWertz, NRR; WKemper; RStattel; RAlvarado; WMaier; SMakor; SAchen; ELee; DParsons; GSimonds; THarris; MShinn; CNickell; MSnodderly; KBucholtz

/RA/
Joseph M. Sebrosky, Senior Project Manager
Plant Licensing Branch IV
Division of Operating Reactor Licensing
Office of Nuclear Reactor Regulation

ADAMS Accession Nos.: Meeting Notice ML12338A093; Meeting Summary ML12361A360

OFFICE | NRR/DORL/LPL4/PM | NRR/DORL/LPL4/LA | NRR/DE/EICB | NRR/DORL/LPL4/BC | NRR/DORL/LPL4/PM
---|---|---|---|---|---
NAME | JSebrosky | JBurkhardt | RStattel | MMarkley | JSebrosky
DATE | 1/8/13 | 1/4/13 | 1/9/13 | 1/10/13 | 1/10/13

OFFICIAL RECORD COPY
}}
ML12361A360

Person / Time | 
---|---
Site: | Diablo Canyon
Issue date: | 01/10/2013
From: | Joseph Sebrosky, Plant Licensing Branch IV
To: | 
Sebrosky J M | 
References | TAC ME7522, TAC ME7523
Download: | ML12361A360 (57)
Text
Highlights from the meeting on December 19, 2012, include the following:

The NRC staff discussed the status of the audit reports associated with a November 13-16, 2012, audit at the Invensys Operations Management facility in Lake Forest, California. The audit plan dated October 10, 2012, associated with this audit is available in ADAMS at Accession No. ML12276A050. The staff noted that the following two separate audit reports are being written: 1) a cyber security audit report, and 2) an audit report associated with the audit that was performed to verify that the software products to be used at DCPP for the PPS system conform to applicable standards, guidelines, plans, and procedures by assessing the implementation of the system's developmental life cycle process (life cycle audit). The staff and PG&E took the following actions associated with this November 13-16, 2012, audit:

* The NRC staff will provide a copy of the life cycle audit report to PG&E for a review of proprietary information before the audit report is made publicly available. If proprietary information is identified, PG&E will identify this information to the staff using the 10 CFR 2.390 process.
* Invensys will submit documentation identified by the staff in the life cycle audit report as needing to be placed on the DCPP Unit 1 and 2 dockets to the NRC in accordance with the established process.
* The NRC staff will provide an updated status to PG&E regarding the cyber security audit report prior to the next public meeting.

The project plan for the review of the LAR (Enclosure 3) was discussed. The NRC staff and PG&E confirmed that the audit trip to the Westinghouse/CS Innovations facility (item 11.3 in the project plan) will be held the week of February 11-15, 2013. The NRC staff took an action to provide PG&E an audit plan for this audit by the end of January 2013, so that PG&E and Westinghouse can prepare for the audit. Both the NRC staff and PG&E agreed that the project plan will be updated prior to the next public meeting to reflect the date for the Westinghouse audit and to make other changes as appropriate to other milestones in the project plan to reflect the most current schedule. The updated project plan will be discussed at the next public meeting.

The NRC staff stated that it would develop a second round of requests for additional information (RAIs) in the January 2013 time frame based on those items identified in Enclosure 2 as needing RAIs.

PG&E and the NRC staff discussed recent interactions with industry associated with ensuring that seismic effects were properly accounted for in engineered safety features (ESF) setpoint calculations. PG&E indicated that changes to the ESF setpoints may be needed at DCPP to account for seismic effects on transmitters that are used to provide signals to the PPS. PG&E noted that the transmitters are outside the scope of the October 26, 2011, digital PPS LAR and that if ESF setpoint changes were needed to address seismic effects, PG&E would address this through a separate LAR. The staff indicated that this approach sounded reasonable and that it would check with other NRC staff and management and identify to PG&E in the next public meeting if there were any issues with PG&E's proposed approach.
LIST OF ATTENDEES
DECEMBER 19, 2012, TELECONFERENCE MEETING
PACIFIC GAS AND ELECTRIC COMPANY
DIGITAL UPGRADE FOR DIABLO CANYON POWER PLANT, UNIT NOS. 1 AND 2
DOCKET NOS. 50-275 AND 50-323

NAME | ORGANIZATION
---|---
Ken Schrader | Pacific Gas and Electric
Scott Patterson | Pacific Gas and Electric
John Hefler | Altran
R. Lint | Altran
J. Basso | Westinghouse
W. Odess-Gillet | Westinghouse
Roman Shaffer | Invensys/Triconex
Rich Stattel | Nuclear Regulatory Commission (NRC)
Bill Kemper | NRC
Rossnyev Alvarado | NRC
Shiattin Makor | NRC
Joe Sebrosky | NRC
Steve Kane | AREVA
Gordon Clefton | Nuclear Energy Institute
Ken Thompson | Avila Valley Advisory Council

Enclosure 1
December 17, 2012 DCPP PPS Open Item Summary Table, Page 1 of 49 (Enclosure 2)

Columns in the original table: No; Src/RI; Issue Description and PG&E response; Status; RAI No. (Date Sent); RAI Response (Due Date); Comments.

No. 21
Issue: Westinghouse/CSI document 6116-00005, "Diablo Canyon PPS System Test Plan," states that the ALS-102 FPGA design is changed for the DCPP System. Further, Section 5.3.3 states: "Test as many of the ALS-102 requirements as possible." Please identify what document describes the design verification test for this board.
PG&E response: The documents that describe the design verification tests for the ALS-102 are 6116-70140, "Diablo Canyon PPS System Test Design Specification," submitted June 6, 2012, and 6116-10216, "Diablo Canyon PPS V&V Simulation Environment Specification," that will be placed on the SharePoint by December 31, 2012.
Status: Open
RAI No.: RAI 10 not used (hold until response is received)
Comments: 10-17-12 update (Alvarado): Westinghouse/ALS will submit the documents by 10/31/2012. 9-19-12 update (Alvarado): Waiting for ALS document to be submitted at the end of September. 6-13-12 update (Kemper): PG&E understands that they need to provide an update to this response. In the meantime, PG&E and ALS have provided 2 design specifications that will address this OI. These documents are placed on the PG&E SharePoint website. Doc. No. 6116-10740 was submitted on June 6, 2012, which describes the ALS system test design specification. Doc. No. 6116-00005 was also submitted on June 6, 2012, which describes the ALS system test plan. Doc. No. 10216, ALS V&V Simulation Environment Specification, will be provided in the future. 3/21/12 update: PG&E has created a SharePoint website for NRC to review PPS design drawings that will address this issue. NRC staff will determine if they are needed to be submitted on the docket. PG&E will ensure the website information is only applicable to this licensing action. NRC - the response provided does not address the question.
No. 33 (RJS) - ALS SQAP
Issue: Software tools are used extensively during the FPGA development process. The staff therefore considers these tools to be a key component to the assurance of quality in the ALS system process. The ALS SQAP states that "no additional tools, techniques, methodologies have been identified" for the ALS system. The staff considers the development tools, as well as the techniques and methodologies used during system development, to be relevant to the assurance of quality for the ALS system. Please provide information on the tools and methodologies used during system development to ensure quality of the ALS system products.
PG&E response: Westinghouse agrees that Section 8, Tools, And Methodologies of the ALS QA Plan (6002-00001) should be revised to reference document 6002-00030, "ALS Design Tools." This document describes the tools used and how they are used in the design process. This document is also on the ALS docket. Westinghouse submitted a revision of the ALS QA Plan, Revision 9, on the ALS docket on October 31, 2012, that provides information on the tools and methodologies used.
Status: Open (Hold)
RAI No.: 7/13/12 - rjs: Deleted RAI 10 pending review of revised response. Also decided to hold item open. Item initiated 6/5/12.
Comments: 6-13-12 update (Kemper): W/ALS agrees with NRC's position on tools and will revise the document (Doc. No. 6002-00001) accordingly to address this matter. Placed this item on hold pending review of revised QA plan.
No. 35 - Follow up of Item 21 - Software Test Plan
Issue: In the response provided for Item 21, PG&E explained that a new revision (Rev. 1) of ALS document No. 6116-00005 was provided. The scope of Revision 1 is slightly different from the scope described in Rev. 0. For example, Section 1.2 in both revisions states that test coverage includes all ALS modules, backplane, license sense modules (LSM), and ALS service unit (ATU). However, Section 2, Test Items, for these revisions are different. Revision 1 only focuses on ALS-102 and backplane assemblies. This section does not include other ALS modules, LSM and ATU. Please explain why these other ALS modules are not included in Section 2 of the new revision. Further, Table 1-2 identifies "Diablo Canyon PPS Test Plan" as document No. 6116-00005, which is the same number as "Diablo Canyon PPS System Test Plan". Please clarify if this is referring to a different document.
PG&E Response: The scope of both revisions is the same. Revision 1 changes added more detail into the overall scope. The details are broken down into 2 main parts: 1 - The individual components, 2 - The System components. Both parts equal the entire ALS based Diablo Canyon system, which includes all ALS modules, Backplane, ASU (incorrectly stated as ATU in the open item), LSM, ALS-102A/B specific to Diablo and full ALS system test which includes the testing of ALS slave cards required by the DCPP configuration. The entry in Table 1-2 for the Diablo Canyon PPS Test Plan, 6116-00005, is the same document as Diablo Canyon PPS System Test Plan 6116-00005.
Status: Closed

No. 38 (RA) - Software Management Plan
Issue: Section 2 of the PG&E "PPS Replacement Concept, Requirements, and Licensing Phase 1 Project Plan" does not describe the activities to be performed by the Engineering of Choice Design Change Package Team. It is also not clear what the roles and responsibilities of this team are. Please clarify and provide the applicable PG&E control document that describes PG&E roles and responsibilities specifically for the Engineering of Choice Design Change Package Team.
PG&E Response: The activity performed by the Engineering of Choice Design Change Package Team is to support PG&E in development of the design change package for the PPS Replacement. PG&E has a contract with an engineering company, currently Enercon Services, Inc., to be the "engineer of choice" to provide nuclear engineering services to PG&E. For individual scopes of work, PG&E develops a purchase request for the scope of work and a purchase order is issued to the engineering company that is the engineer of choice. When the engineer of choice is performing a design change package for Diablo Canyon Power Plant, the engineer of choice uses the PG&E Design Change Procedure, CF3.ID9, "Design Change Development," and PG&E performs an owner acceptance of the work using PG&E Procedure CF3.ID17, "Design and Analysis Documents Prepared by External Contractors."
Status: Closed
RAI No.: NEW RAI

No. 40 (RA) - Software Management Plan
Issue: Figure 2-1 of the PG&E "PPS Replacement Concept, Requirements, Licensing Phase 1 Project Plan" and Figure 3-1 of the SyQAP identify [...] under the PG&E Project Engineering box. However, Figure 4-1 of the SyVVP identifies the PG&E project team under the PG&E Project [...] box. Please explain the role and responsibilities for Altran during the PPS Replacement Project.
PG&E Response: 09/17/2012: The PPS Organization Chart shown in SyVVP Figure 4-1 is a simplified rendering of the organization charts in Project Plan Figure 2-1 and SyQAP Figure 3-1. The latter figures show an Altran Team under PG&E Project Engineering and a team of three individuals directly under PG&E Project [...]. The slight [difference] between Figure 4-1 and the other [...]
[Revised organization figure; recoverable labels: PG&E Project Engineering; Project Team; PG&E / Altran]
2. Altran is acting as a subcontractor providing engineering support to the PG&E Project Team as shown above in the revised figure. Altran supported LAR preparation and is providing continuing support through the LAR review process. Altran's work is governed by the Altran Engineering Procedures Manual. Documents submitted to PG&E are prepared in accordance with Altran EOP 3.3 (reports) and 5.4 (specifications). All Altran documents are verified in accordance with Altran EOP 3.4. In addition, PG&E accepts Altran documents under PG&E CF3.ID17 as noted in the Altran Verification Report.
Status: Closed
RAI No.: NEW RAI

No. [not legible] - Software Tools
Issue: In the ALS Progress Update 2012-08-01 provided to the staff, Westinghouse/CSI described that they are replacing the Automated Test Environment (ATE) from IV&V credited tools with a LabView based ALS Board Test System (ABTS). Also, in this presentation, Westinghouse/CSI noted that they are performing additional IV&V and equipment qualification tools. Since this information needs to be reflected in the software planning documents, please identify how these items will affect Westinghouse/ALS documents related to the PPS replacement project. Also, identify what document will be revised to include a description of these modifications.
PG&E Response: The ALS Design Tool 6002-00030 requires revision to replace the ATE with the ABTS. The revised ALS Design Tool, Revision 9, document was submitted by Westinghouse on October 31 that addresses the tools used.
Status: OPEN
Comments: 10/17/12 update: Westinghouse/ALS will submit the ALS Design Tools on 10/31/2012.
No. 41 (RA) - Software V&V and Test Plan
Issue: Westinghouse/ALS document 6116-0005, Section 8.2, identifies the software tools to be used in the PPS replacement project. However, this list is not consistent with the list of IV&V tools identified in Section 3.6 of ALS V&V Plan 6002-00003. Specifically, the test tools identified in 6002-00003 are not listed in 6116-00005 and vice versa. For example, the V&V Plan (00003) identifies the ATE tool for IV&V, but this tool is not listed in 6116-0005 Rev. 1. Furthermore, the staff reviewed 6116-0005 Rev. 0, and found that the ATE tool was listed in this version. Please clarify what software tools will be used and what document describes them.
PG&E Response: A new revision of the ALS V&V Plan 6002-00003 identifies the ABTS and the ISE as the IV&V test tools. This new revision is being docketed the week of September 3 on the ALS platform docket. The ATE is removed from the set of IV&V test tools. The tools listed in document DCPP PPS Test Plan 6116-00005 Section 8.2 and the tools listed in DCPP PPS V&V Simulation Environment Specification, 6116-10216, (to be released by 30 September 2012) encompass the IV&V test tools in the new revision of the ALS V&V Plan, 6002-00003.
Status: Closed
RAI No.: New RAI
Comments: 9/17/12 update (Alvarado): during the conference call PG&E [...]

No. 42 (RA) - Software V&V
Issue: PG&E "PPS System Replacement System Verification and Validation Plan (SyVVP)" does not describe the V&V activities to be performed during the Operation Phase and Maintenance Phase. This document states that these activities are covered by approved DCPP procedures. Please identify these DCPP procedures.
PG&E Response: Per the response to OI #28, control of the software modifications to the Tricon and ALS platforms once the PPS replacement project is completed, and the PPS is in the Operations and Maintenance phase, will be by the Process Protection System Replacement Software Configuration Management Plan, SCM 36-01, Revision 0, which was submitted as part of the Phase 2 document submittal on June 6, 2012, in Attachment 4 to the Enclosure of PG&E letter DCL-12-050. Modification to the PPS Replacement components produced by the vendors, CS Innovations and Invensys Operations Management, will be performed by the vendors and verification and validation will be controlled by the vendor verification and validation plans created for the Diablo Canyon PPS Replacement: 00003 for CS Innovations and 993754-1-860 for Invensys Operations [Management].
Status: OPEN
Comments: [...] that modifications to the systems will be performed by the vendors. PG&E will provide additional information on their plan to perform modifications to the PPS system during operation and maintenance.

No. [not legible] (RA) - Software V&V
Issue: PG&E "PPS System Replacement System Verification and Validation Plan (SyVVP)", Section 5.1.1, explains that during the Concept Phase, PG&E will verify system requirements in accordance with PG&E procedure CF2.ID9, "Software Quality Assurance for Software Development." However, Procedure CF2.ID9 is for in-house development of software applications. Please explain how this procedure is going to be used for the PPS replacement project. Further, Section 5.1.2 of CF2.ID9 states that an independent review of the functional requirements prepared during the concept phase would be performed. The PG&E SyVVP does not identify this review, and thus there is no specific V&V product for this phase. Please identify who will perform this review and if this is considered a V&V product.
PG&E Response: 09/17/2012: Altran developed the PPS Replacement FRS during the Concept phase in accordance with Altran EOP 5.4, and verified it in accordance with Altran EOP 3.4. Altran used PG&E procedure CF3.ID16 for additional guidance. PG&E accepted the FRS under CF3.ID17, which constituted verification of system requirements. This was a design activity rather than a V&V activity and there is no specific V&V product for this phase.
Status: Closed
RAI No.: NEW RAI

No. 45 (RA) - Follow up of item 18 - Software V&V
Issue: RG 1.168 identifies five of the activities in IEEE Std. 1012-1998, Annex G, "Optional V&V Tasks," as being considered by the NRC staff to be necessary components of acceptable methods for meeting the requirements of Appendices A and B to 10 CFR Part 50 as applied to software. These tasks are: 1. Audits; 2. Regression Analysis and Testing; 3. Security Assessment; 4. Test Evaluation; 5. Evaluation of User Documentation. Westinghouse/ALS Document No. 6002-00003, "ALS V&V Plan," describes the following techniques for V&V: reviews, testing, traceability analysis, inspection/analysis, and IV&V regression (change) analysis. This plan does not include any of the optional V&V activities identified in IEEE Std. 1012-1998, Annex G. Please explain if these activities are performed.
PG&E Response: The DCPP V&V Plan has been revised to include these optional V&V tasks required by RG 1.168 to align with the new ALS V&V Plan for the Optional Tasks. The Diablo Canyon V&V Plan, Revision 1, was placed on the SharePoint on November 22 and was submitted by PG&E on December 5 in PG&E Letter DCL-12-121.
Status: OPEN
Comments: 10/17/12 update: Westinghouse/ALS will submit the DCPP V&V plan on 10/31/2012.
46 December 17,2012 DCPP PPS Open Item Summary Page 10 of 49 -No CommentsSrclRI Issue Description Status RAI No. RAIlP&GE response: (Date Sent) Response (Due Date) -Closed NEWRAISoftware V&V RA Several sections in the Invensys Software Verification and Validation (SWP) reference "applicable Project Procedure Manual (PPM)" to certain activities. The reference section in this plan identifies (Reference 2.4.4). It is not clear if the PPM is constituted by procedures or if it is only one procedure. For example, Section 1.1, the SWP was prepared in accordance with PPM 7.0 (Ref. 2.4.4), and Section 4 states that V&V activities will be planned and scheduled accordance with the applicable PPM. Please describe what the PPM and explain how this is going to be used in the PPS replacement PG&E Response: The Project Procedures Manual (PPM) appropriate controls for project activities conducted at the Operations Management (Invensys) Lake Forest facility. These controls ensure that all nuclear Class 1 E projects (or non-1 E projects where customer has specified certain 1 E requirements) processes, activities, and project documents will meet the requirements of 10 CFR Appendix 8,10 CFR Part 21 and the Invensys Quality System. This procedures manual provides specific controls for NAO as as other Invensys organizations that perform nuclear safety-related integration project activities. The PPM is a collection of procedures, including referenced Forms, and is a controlled Each PPM procedure is intended to implement key areas of activities. Each procedure within the PPM is aSSigned a unique number and V&V activities during the PPS Replacement Project will be governed several procedures within the PPM as defined in the SWP Invensys document 993754-1-802. The SWP will be revised to add the of each procedure within the PPM where referenced in the SWP. example, in the SWP, Section 1.1, where it states that, "the SWP prepared in accordance with PPM 7.0 (Ref. 
2.4.4)," will be revised to that "the SWP was prepared in accordance with PPM 7.0, Program Development." The revised SWP will be submitted by 47 December 17,2012 DCPP PPS Open Item Summary Table Page 11 of 49 No Issue Description P&GE response: Status RAI No. (Date Sent) RAI Response (Due Date) Comments Software V&V Invensys Document No. 993754-1-802, "Software Verification and Validation Plan" requires the use of V&V metrics to evaluate software development process and products, This section does not explain what methods and criteria will be used for software safety metrics. This information is required by section B.3.1 of BTP 7-14, RG 1.152, RG 1.173 and IEEE Stds. 1061 and 1074. Also BTP 7-14 Section B.3.1.1.2. Please provide this information. Closed NEWRAI PG&E Response: The V&V metrics are used during development of the PPS Replacement software that will reside/execute on the V1 0 Tricon portion. The V&V metrics measure the thoroughness of V&V reviews and testing efforts. These measurements yield data utilized to gain reasonable assurance that the design outputs are of high quality commensurate with the intended use in the PPS Replacement application. The V&V metrics methodology, utilizing a diversity of software measures, provides insight into the rigor of the PPS software development process. V&V uses three distinct metrics during PPS software development: Software Quality Metrics The purpose of these metrics is to measure software quality by tracking the number of defects found in the design outputs (e.g., design documents, software). The method is to count and categorize defects found during V&V review of design outputs. The acceptance criterion is that no technical defects remain at the end of the current phase to receive V&V recommendation to proceed to the next project phase. Any defects that cause the non-compliance with customer requirements and/or non-compliance with NRC guidance are considered technical defects. 
V&V Effectiveness Metrics The Ql!rpQse of i§ to otV&V
---December 17,2012 DCPP PPS Open Item Summary Table Page 12 of 49 N,0 4SrclRIIssue Description -IP_&GE response: reviews by measuring the percentage of design outputs which V&V reviews or tests. The method determines the percentage of design outputs actually reviewed by V&V (which is meaningful for in-process design changes necessitating a change impact analysis, revisions to released design outputs, and a regression analysis). The Acceptance Criterion is that 100 percent of comprehensive or delta change reviews is achieved in the current phase to receive V&V recommendation of proceeding to the next project phase. Software Safety Metrics The purpose of these metrics is to assess whether software safety requirements are being met. Methods are to count software hazards found during V&V review or testing of design outputs and to confirm software hazard mitigation in each project phase, or, at a minimum, by the end of the project and approval at the completion of acceptance testing. The Acceptance Criterion is that all software hazards are mitigated by the end of the Test Phase to receive approval of the results of acceptance testing. Software V&V PG&E SyWP, Section 6, requires that anomalies detected are identified, documented, and resolved during the V&V activities. This section states that anomaly reporting and resolution requirements are defined in the respective PG&E control procedures. Section 2 "Control Procedures does not include a reference for an anomaly reporting procedure. Please identify the PG&E control procedure used for anomaly reporting. Further, Section 7 of the SyWP states that the PG&E authority responsible for approving deviations from SyWP is the PG&E Project Manager, who will document his/her approval a Change Notice or equivalent formal PG&E Status RAI No. (Date Sent) RA/ Response (Due Date) Comments 10/17/12 update: For item 2 -PG&E
- will revise the SyWP and submit it on 11/30/2012 9/17/12 update (Alvarado): NRC staff received copies of OM7.ID1 and XI1.ID2. This addressed item 1 of document. Please identify where the responsible PG&E authority will this open item. document its approval. --...... ...... --...... --.... --...----I December 17, 2012 DCPP PPS Open Item Summary Table Page 13 of 49 --No 49 SrclRI RA Issue Description P&GE response: PG&E Response: 1. The PG&E control procedure for anomaly reporting is OM7.ID1, "Problem Identification and Resolution." This procedure governs the PPS replacement after it has been turned over to PG&E by the suppliers. The suppliers' anomaly reporting procedures are applicable prior to this turnover. 2. IN PROGRESS Software V&V Status Closed RAI No. (Date Sent) NEWRAI RAI Response (Due Date) Comments Invensys Document No. 993754-1-802, "Software Verification and Validation Plan", Section 6.3 states that the Invensys personnel prepared System Deficiency Integration Report (SDIR) to document non-conformances and corrective actions during testing; the SDIR is prepared in accordance with PPM 10.0. Please explain what PPM this is. Further, the Invensys "Validation Test Plan", Section 5.4.2 states that the Test Review Board and PG&E shall review SDIRs, but this is not indicated in the Invensys V&V plan. Please explain why this review activity is not identified as a V&V task in the V&V Plan.. PG&E Response: The PPM 10.0 procedure defines the process to control nonconforming items and identify appropriate corrective action for aI/ nuclear application projects developed at the Invensys Operations Management (lnvensys) Lake Forest facility. This procedure is intended to provide controls for nonconforming items and corrective actions related to project activities. As used in this procedure, the term "nonconformance" describes deficiencies in parts and materials (items), documentation, and/or deviations from stated requirements. 
This procedure addresses the identification, documentation, evaluation, and disposition of nonconforming items. This procedure also describes the corrective action process to be used for project-related issues where corrective action is warranted. SWP Section 5.2.2.2.1 4) stated that Nuclear IV&V shall generate and verify the system-level Validation Test Plan, 993754-1-813, in accordance with PPM 6.0 [Ref 2.4.4], in conjunction with IEEE 829-1983. The SWP \I\Ias developed in accordance with PPM 6.0, Test Control. In PPM 6.0, Test 50 December 17,2012 DCPP PPS Open Item Summary Page 14 of 49 No SrclRI RA P&GE response:Issue Description Control, it was stated that the Project Review Committee (PRC) shall review all test results for completeness, accuracy and acceptability. This review shall include all test documentation, e.g., the Test Procedures, the Test Logs, the System Integration Completion Checklist, the Test Report(s), and SIDRs. Software V&V The Invensys Validation test plan, Section 8.2, states that the Narrative Test Logs are used to document conduct of testing and any anomalies that occur. Please explain if this is only used during validation, and why this is not mentioned in the Invensys SWP. Further, please explain how is this used in conjunction with Document Review Comment Sheet (ORCS) and System Deficiency Integration Report (SDIR)? PG&E Response: PPM 6.0, Test Control, defines the Test Logs. All test activities shall be recorded in a Test Log. The Test Log constitutes a continuous, hand-written journal of all test activities from the point of initial entry into the Test Procedure until the conclusion of all testing, including any required retesting. The Test Log shall include entries for sign-in and sign-out of all participating personnel, establishment of indicated prerequisites and initial conditions for testing, performance of testing and retesting, identification of problems, etc. 
The Test Log is intended to be a detailed journal of all testing activities sufficient to fully document the actual sequence of testing performed, the test results achieved and any problems that occurred, including their impact on test performance. The Test Log shall be reviewed by the PRC as part of its evaluation of the test results. The Test Logs are independent and separate from the Document Review Comment Sheet (ORCS) and System Deficiency Integration Report (SIDR). However, as a test narrative, the Test Log may identify the fact that a SIDR was generated as a result of test anomaly. Software Configuration Management Configuration Process In open item 4, the staff requested description of the software configuration management activities for configurable boards (e.g., Status Closed RAI No. (Date Sent) RAI Comments Response (Due Date) ! 51.1.a RA Closed L. board). Since the __ _._--... -_..... -_...... __.... --..... ..
I Issue Description P&GE response: No--SrclRI 51.1.b RA December DCPP PPS Open Item Summary Table specific, its configuration management activities are not covered by "ALS Configuration Management Plan." Even though item 4 is closed, this request was not addressed in the response for item 4. PG&E Response: 09/18/2012 ALS-102 Configuration The FPGA installed on the ALS-102 board and therefore the ALS-102 board itself is specific to the PPS Protection set and the ALS subsystem in which it is installed. PG&E will not have the capability to alter the FPGA. Any change to the FPGA must be made by CS Innovations. Therefore, ALS-102 FPGA configuration management activities are covered by the ALS Configuration Management Plan. PG&E capability to change ALS-102 configuration will be limited to board-level replacement. Software Configuration Management Configuration Process The PG&E SCM 36-01, item 1.2.8, states that ALS board has two sets of NVRAM. Further, it explains that the configuration of the NVRAM can be changed only by removing the subject board from the ALS chassis and inserting it into a special test fixture. It is not clear who will control this process and configuration of the NVRAM. Please explain. PG&E Response: 09/18/2012 ALS 1/0 boards are generic; that is, each board is configured using its NVRAM for the specific function it is to perform. This activity is described in SCM 36-01 Section 1.2.8, which states that the configuration of the NVRAM is changed by removing the subject board from the ALS chassis and inserting it into a special test fixture. This would be performed as part of a maintenance activity, such as replacing a failed board. If the functionality of an I/O board required modification as a result of an application change, all required NVRAM configuration alterations would be performed by CS Innovations under their ALS Configuration Management Plan. Status Closed RAI No. 
(Date Sent) Page 15 of 49 RAI Comments Response (Due Date) I December 17,2012 DCPP PPS Open Item Summary Table Page 16 of 49 No SrclRI -51.1.c I L_L Issue Description P&GE response: As with the AlS-102 FPGA discussed above, PG&E will not have the capability to alter the NVRAM configuration itself. PGE capability to change the NVRAM configuration for a specific 1/0 board will be limited to loading NVRAM images that are under CS Innovations configuration control and that have been previously verified and validated at the system level by CS Innovations. Configuring the NVRAM in order to replace an I/O board will be performed by PG&E under an approved plant maintenance procedure. Software Configuration Management 1. Configuration Process c) Section 1.2 of the Invensys Document No. 993754-1-909, "Software Configuration Management Plan," states that this plan controls operating system of the computers used to run TriStation 1131 and the signal simulation software used for testing purpose. However, the description provided throughout the plan only focuses on the configuration activities for the TSAP (e.g., Section 2.3 states that the SCM procedures are for the TSAP). Further, this same section (later on) identifies the software configuration to be managed, and this list does not include operating system of the computers used to run TriStation 1131 and the signal simulation software used for testing purpose. Please clarify the scope of this plan. PG&E Response: 09/18/2012 There was no intent for the SCMP to do more than track the revision of Commercial Off The Shelf (COTS) software. In this case "Control" is defined as tracking the revision levels such that they are recorded on the project Master Configuration list, Invensys project document 993754-1-803. On page 7 of the SCMP, under "limitations," it states, in part, that the revision levels of this type of software will be tracked. Status RAI No. 
(Date Sent) i Closed NEWRAI RAI Response (Due Date) i Comments 51.2 December 17, 2012 DCPP PPS Open Item Summary Table Page 17 of 49 !No . SrclRI RAI Comments (Date Sent) Issue Description P&GE response: Status RAI No. Response (Due Date) Open 10/17112 update:Software Configuration Management PG&E will revise The organization and responsibilities described in Section 4 of CF2.ID2 is 2. Organization the SCMP to not consistent with the information presented in Section 2 of SCMP 36-01. address several open items For example, Section 2 of SCMP 36-01 identifies system coordinator, application sponsor, and system team, who are not identified in Section 4 of Cf2.ID2. Further these descriptions are not identified in the project organization described in PG&E PPS Replacement Plan (Attachment 3 of the LAR). Please clarify the roles and responsibilities for SCM, and provide a cross reference of the PG&E organizations described in these documents. PG&E Response 12/16/2012: PG&E will revise the SCMP plan to be consistent with CF2.ID2 section 4 organization, ,including a description of additional roles and responsibilities not required by CF2.1D2.if needed. Open 10/17/12 update:Software Configuration Management 51.3.a PG&E will revise a) PG&E SCMP36-01 states that software, hardware, and configuration 3. Changes and Problems Identification the SCMP to problems are reported in accordance with PG&E OM7.ID1 and that address several open items software and/or configuration problems are reported via a PROG PDCM Notification. Please clarify when and how these are used. For example, for software problems does one have to report the problem using both PG&E OM7.1D1 and PROG PDCM Notification. Note that PG&E CF2.ID2 states that all problems associated with plant computer system should be reported and document per OM7.ID1 (See section 5.11 and 5.16.10 (b) of CF2.ID2) Further, Section 3.2.1 states that all PPS modifications should be initiated and tracked per plant procedures or CF4.ID1. 
Section 3.2.2 states that the implementation of the change is documented in the associated Change Package and a SAP notification and order. And Section 3.2.10 states that all identified problems and corrective actions using a notification, which is not specified. So should software modifications require reporting and tracking using OM7.ID1, CF4.ID1, PROG PDCM Notification, Change
--I December 17, 2012 DCPP PPS Open Item Summary Page 18 of 49 No SrclRI Issue Description IP&GE response: Status RAI No. RAI Comments (Date Sent) Response (Due Date) Package, and SAP Please explain PG&E procedures for different changes and documenting and tracking system used for all types of PG&E Response: [IN PROGRESS] 51.3.b Software Configuration Management OPEN 3. Changes and Problems Identification Please clarify the means to track changes. Section 3.2.4. 7 of SCM 36-01 states that this is done using a SAP order, but 3.2.4.7 states that Change Package and SAP order are entered the Record Management System, and Section 3.3 describes Configuration Status Account, which is used to track changes configuration PG&E Response: The means to track changes is the SAP order. Record Management System is the system used at Diablo Canyon to and allow retrieval of documents to meet 10 CFR 50 Appendix B assurance requirements. Completed Change Packages and SAP are entered into the Record Management System for storage and to later Software Configuration Management OPEN51.4.a 4. Document Repository SCM 36-01, Section 2.3.3 identifies the Digital Systems SourceSafe as the repository, but Section 3.2.5.5 htlp:lldcpp142/idmwslhome/asp, and Section 3.29 states that files necessary for recovery of the baseline are maintained in PPS database in SC-I-36M, Eagle 21 Tunable Constants." It is clear if these two sections are referring to the same repository or if it is the same. Please PG&E Response: [IN PROGRESS] i December 17,2012 DCPP PPS Open Item Summary Page 19 of 49 SrclRI Issue Description P&GE response: No 51.4 Software Configuration Management 4. Document Repository PG&E has implemented restrictions to access files and documents associated with PPS replacement project. Further, PG&E requires user authentication and access to edit configuration, software, and data. 
It is not clear if these restrictions apply for access to the Digital Systems Engineering SourceSafe or the repository in httQ:lldcoo 142/idmws/home/aso PG&E Response: [IN PROGRESS] 52 RJS Security: NSIR PG&E stated in its letters DCL-11-123 and DCL-11-104 that the PPS replacement will be fully compliant with the 10 CFR 73.54 cyber security requirements, including RG 5.71, Revision 0, "Cyber Security Programs for Nuclear Facilities," dated January 2010, and is being reviewed to comply with 1 0 CFR 50.73, the DCPP Cyber Security Plan, and NEI 08-09, "Cyber Security Plan for Nuclear Power Reactors," Revision 6, dated April 2010. The cyber security program that PG&E is implementing per its NRC approved cyber security plan includes provisions applicable to all phases of a systems' life cycle, including the digital upgrade or modification of critical digital assets. Please explain how the provisions outlined in the PG&E's NRC-approved cyber security plan were considered, and/or implemented, as part of the PPS replacement. The provided explanations should include how all of the management, operational, and technical security controls contained within the plan, especially security controls associated with Configuration Management and System and Service Acquisition, are being addressed. Status OPEN RAI No. (Date Sent) RAI Comments Response (Due Date) The provided explanations should also include any issues associated with partial implementation of the PPS replacement and full implementation of December 17,2012 DCPP PPS Open Item Summary Table Page 20 of49 I I No SrclRI Issue Description P&GE response: Status RA/ No. (Date Sent) RA/ Comments Response (Due Date) the cyber security plan for the site, and processes to identify and resolve any such issues. I PG&E Response: The Cyber Security program manager and other members of the CSA T (Cyber Security Assessment team) met with the Process Protection System (PPS) Upgrade design engineer beginning in 2011. 
Many options were discussed. The Cyber Security program manager and project manager have met with the procurement group to discuss cyber security principles that should be written into the procurement procedures, and what steps will help to ensure a secure supply chain. The Cyber Security Assessment Team (CSAT) was formed in accordance with section 3.1.2 of the cyber security plan, and Milestone a, on 10/31/2011. A list of critical digital systems and assets was created in accordance with section 3.1.3 of the cyber security plan and Milestone b on 10/31/2011. The CSAT looked at scheduled digital upgrades, and added the future equipment to the list of critical digital systems. The CSAT determined the PPS equipment will be a critical system, with several CDAs. From July 9-122012, the cyber security project manager accompanied members of the Quality Verification group to examine the design and production facilities of Invensys, and examined the code production practices and the development environment, and determined that Invensys has an SDE, and ensures their employees are reliable and trustworthy. Activities planned for the future.
December 17,2012 DCPP PPS Open Item Summary Table Page 21 of 49 No ,-SrclRI Issue Description P&GE response: In December of 2012, the network that the PPS will eventually reside on will be isolated from internet connected networks by a deterministic network device, per milestone c of the DCPP Cyber Security Plan. Thus many network attacks, including many that depend on a back door created by a vendor, will not be possible. Also by December of 2012, DCPP will have taken steps to lessen the likelihood of an attack initiated by a portable electronic device, or portable media such as a thumb drive per Milestone d, and section D 1.19 of NEI 09. This will mitigate portable media based attacks that depend on a back door created by a vendor. The DCPP Cyber Security Team will interface with NUPIC (Nuclear , Procurement Issues Committee) and the NEIINITSL counterfeit parts task force to address digital equipment supply chain security. The Cyber Security Implementation Project Manager has developed a detailed project plan, with several tasks and schedules. Several existing plant procedures will be revised. The PPS will inherit the controls implemented by these procedures. Many of the procedures will have been changed/created before the PPS is installed. The CSA T is collecting design information as it becomes available. The collected design documentation is being reviewed as it is collected. The collected documentation will be reviewed in a formal desktop evaluation per the cyber security plan, section 3.1.5 prior to the PPS installation. The test set up in the offsite test lab near the plant will be visited on occasion by the CSAT, the system will be walked down repeatedly during installation, and the final walkdown will be performed when the system is ready to return to operations, per section 3.1.5 of the security plan. The CSA T will make recommendations to enhance the cyber security -Status RAI No. 
(Date Sent) RAI Response (Due Date) Comments December 17, 2012 DCPP PPS Open Item Summary Table Page 22 of P&GE response: RAI No. RAIStatus Comments Issue Description No SrclRI (Date Sent) Response (Due Date) posture of the PPS upgrade throughout the project, and will make their recommendations after the system walkdown, per section 3.1.6 of the security Disposition of all controls will be documented in the cyber assessment tool, CyberWiz. Recommended mitigation will be in CyberWiz, and the Corrective Action Program. NewRAIClosed Acceptable Changes, FSAR Section 7.1.2.5, Conformance With Other Applicable PG&E Letter DCL-12-050, Phase 2 Documents, Attachment 2 FSAR WEK response. Send Documents (page 7.1-13) does not indicate the NRC Safety Evaluation that this as an RAI so will be produced to approve the PPS. The staff's SER should become part that the issue does of the DCPP Unit 1 &2 licensing basis once it is issued. How will this be not get lost. documented within the FSAR?? PG&E Response: Reference to the staff SER will be included in FSAR Section 7.2.1.1.6 for the reactor trip portion of the process protection system and to Section 7.3.1.1.4.1 for the engineered safety features actuation system portion of the process protection system. ClosedPG&E Letter DCL-12-050, Phase 2 Documents, Attachment 2 FSAR NewRAI Acceptable Changes, FSAR Section x.x.x.x, (page 7.2-23) states that the evaluation for WEKresponse. Send the common mode failure in the PPS is presented in References 37 [DCPP this as an RAI so PPS 03 L TR] and approved in Reference 38 [the staffs SER approving the that the issue does DCPP PPS 03 LTR1. However, it is noted that in the staff's SER it was not get lost. stated in several sections that the 03 design features were approved based on " ... 
confirmation that the proposed built-in diversity of the ALS sub-system is found to be acceptable.>> This confirmation will be provided in the DCPP PPS SER, therefore, the staff's SER should also be referenced in this section. PG&E Response: Reference to the staff SER for LAR 11-07 will be included in FSAR Section 7.2.2.1.2 in addition to the staff SER for the DCPP 03 LTR -WEK NewRAI Acceptable Changes, FSAR Section 7.2.2.9.2, IEEE 603-1991 Clause 5 , Clause 5.12 '57 PG&E Letter DCL-12-050, Phase 2 Documents, Attachment 2 FSAR Closed response. Send (page 12) states that"... the communication path between the maintenance this as an RAI so December 17,2012 DCPP PPS Open Item Summary Table Page 23 of 49 P&GE response: Status RAI No. RAI CommentsIssue DescriptionSrclRINo (Date Sent) Response (Due Date) workstation and the ALS subsystem is normally disabled with a hardwired that the issue does . switch ... " Also, Attachment 3, PG&E PPS Interface Requirements not get lost. Specification (IRS), Rev.6 to PG&E Letter DCL-12-069 dated August 2, 2012 states in section 1.5.6 " ... TAB communications between the ALS and MWS takes place via RS-485 data link. The TAB is physically disconnected from the MWS when the TAB is not in use .... the TAB is open at a" times unless maintenance is being performed on the ALS ... " Please identify administrative controls and design features associated with the PPS that explains how the MWS is disconnected/disabled from the PPS (i.e., a means of physical cable disconnect, or a safety-qualified hardware switch that either physically opens the data transmission circuit or interrupts the connection by means of hardwired logic. 
December 17, 2012 DCPP PPS Open Item Summary Table
Columns: No. | Src/RI | Issue Description | PG&E Response | Status | RAI No. (Date Sent) | RAI Response (Due Date) | Comments

"Hardwired logic" as used here refers to circuitry that physically interrupts the flow of information, such as an electronic AND gate circuit (that does not use software or firmware) with one input controlled by the hardware switch and the other connected to the information source: the information appears at the output of the gate only when the switch is in a position that applies a "TRUE" or "1" at the input to which it is connected. Provisions that rely on software to effect the disconnection are not acceptable. It is noted that software may be used in the safety system or in the workstation to accommodate the effects of the open circuit or for status logging or other purposes) that demonstrate how this hardwired switch disconnects the ALS maintenance workstation from the ALS safety processor.

PG&E Response: For the ALS subsystem, instead of using a hardwired keyswitch, the ALS subsystem will be administratively controlled by physically disconnecting the communication link to the ALS MWS computer when the Test ALS Bus (TAB) is not being used for surveillance testing, maintenance, and trouble-shooting. This is a PPS replacement design change described in the response to the NRC request for additional information in PG&E Letter DCL-12-083 and will be included in a supplement to LAR 11-07.

Item (RJS): ALS FMEA
Issue: There are several failure modes identified in Table 4-4 of the FMEA where the System Effects entry provides a description of functions that are not affected by the failure mode instead of stating what the effects of the failure mode are. For example, the System Effects in the ETT failure in line 5b of Table 4-4 are that the Alarm Function remains operational. Though this may be the case, it does not state what the effects of the failure mode are. Examples of this can be found in lines 5b, 6a, 6b, 7a, 9h, 9i, 11b, 11c, and 11d.
PG&E Response: The System Effects entry does describe the functions that are affected by the failure mode. This entry must be read in the context of the entire FMEA table row. For example, the cited row for ETT failure in line 5b discusses the effects of failures of the ALS-402-1 digital output board which sends Alarm Signals to other systems. In the case of Energize to Trip outputs (ETT) a stuck open output channel will prevent the core A rack from being able to actuate the Alarm (in this case a specific instance of an ETT Alarm is cited, the "Containment Pressure in Test Alarm"). However, due to the compensating features, which in this case is the redundant implementation of the function in the core B rack, the System Effect is that the Alarm function remains operational. A similar reading applies to the other examples cited.
Status: Close NewRAI.
Comments: RJS 10/19/12: If I understand the PG&E response correctly, these system effects are being evaluated within the context of the local effects that are also provided in the FMEA. Application specific compensating features that influence the systematic effects of these failure modes are thus accounted for within the analysis. Agree to close but would like the PG&E response on record. Need RAI.

Item 59 (RJS): ALS FMEA
Issue: Some of the identified failure modes of the ALS system are detectable only by operator observations, or by means that are not necessarily performed during routine operation or during surveillance testing. See lines 10c and 12a. What measures will be implemented to ensure that these failure modes would not occur and remain undetected for an indefinite period of time?
PG&E Response: Surveillance testing includes visual inspection of the equipment in addition to the specified test cases that demonstrate functionality. Therefore, those failure modes that are detected by operator observations will be detected as part of the surveillance test. IEEE Std 379-2000 defines detectable failures as those failures that can be identified through periodic testing or that can be revealed by alarm or anomalous indication. Therefore, such failures do not need to be considered to be present for purposes of evaluating single failure criterion compliance. The specific cases cited are clear examples. Line 10c discusses failures of the local partial trip indicators. Failures of the indicators do not affect the actual trip function. During the test the technician uses the indicators to confirm that the trip action occurs at the appropriate threshold. Thus the act of observation of the failure during surveillance testing is assured. Line 12a discusses failure of the serial link used for continuous monitoring of the ALS health. Failure of this link does not affect the safety functions of the rack, but would be immediately obvious at the workstation used to do the monitoring. This workstation is used in surveillance testing.
Status: Closed. RAI No.: N/A.
Comments: 10/19/12 Response accepted. rjs: It is the staff's understanding that all failure modes which are not detectable through normal means such as surveillance tests or channel checks would need to be considered present for the purpose of satisfying single failure criteria for the system.

Item 60 (RJS): Technical Specifications
Issue: In order for the staff to make a determination that the existing technical specifications and surveillance intervals remain acceptable for the replacement PPS system, an evaluation to compare the ALS/Tricon PPS system reliability and performance characteristics with those of the Eagle 21 system must be performed. Please provide an evaluation summary report to support the application of existing technical specification and surveillance test intervals to the upgraded ALS/Tricon based PPS system. This report is expected to include a quantitative analysis to demonstrate the new system's ability to perform its required safety functions between established surveillance intervals as well as a qualitative (i.e., deterministic) analysis which cites the self diagnosis and fault detection features of the replacement PPS. The report should address the staff's previous findings in Section 4.3, "Applicability of WCAPs to DCPP," of Amendment No. 179, dated January 31, 2005 (ML050330315).
PG&E Response: An evaluation summary report to support application of the existing TS and TS surveillance test intervals will be provided by January 31, 2013.
Status: Open NewRAI.

Item 61 (RA): Software V&V Plan
Issue: ALS provided Revision 7 of its V&V plan (6002-00003). This revision provides a mapping and alignment with IEEE Std 1012-1998. This now causes a misalignment with the DCPP V&V Plan, 6116-00003. Thus, the DCPP V&V Plan will need to be revised. Please identify when this new revision will be submitted.
PG&E Response: The DCPP V&V Plan, Revision 1, has been created to provide consistency with the ALS V&V Plan. The Diablo Canyon V&V Plan, Revision 1, was placed on the Sharepoint on November 22 and was submitted on December 5 in PG&E Letter DCL-12-121.
Status: Open.
Comments: 11-28-12 update: The staff will review the V&V plan to determine if this item can be closed.

Item 62 (RA): Software Management Plan
Issue: Revision 2 of the ALS "Diablo Canyon PPS Management Plan," 6116-0000, Section 2.1 and 2.2, defines the project organization. As described in guidance documents BTP 7-14 and NUREG/CR-6101, licensees need to describe the management aspects of the software development process. Please clarify the following:
1. The description provided in this section does not align with the organization structure provided in Figure 2-1. The description provided is not clear. For example, the bulleted list identifies "Scottsdale Operations Director", but then the 1st paragraph refers to Scottsdale Operations Director and ALS Platform & System Director. It is not clear if this is the title for one person or for two. Further, Figure 2-1 does not identify the ALS Platform & System Director, if this role is performed by a separate individual. Please clarify this.
2. This section states that the ALS V&V Plan provides information on the interface between the IV&V team and the PPS replacement project. It is not clear why the ALS V&V plan will provide this information, since the ALS V&V plan is for the generic platform. Please clarify what document contains this information.
3. This section states that the WEC Project Manager is responsible for the commercial process interface with PG&E. However, this role is not listed in the bulleted item list and not identified in Figure 2-1. Please clarify this role.
4. Figure 2-1 identifies a QA Manager, but this section only describes the QA Lead. Please describe the role and responsibility for the QA Manager.
5. Section 4.1, Planning Stage, mentions a "Project Leadership Team," which is not described in Section 2. Please explain the role and responsibilities for this team.
PG&E Response: To address item 1, the Diablo Canyon PPS Management Plan, Revision 3, clarifies in Section 3 the organization details. To address Item 2, the Diablo Canyon V&V Plan, Revision 1, provides information on the interface between the IV&V team and the PPS replacement project. To address items 3 to 5, the Diablo Canyon PPS Management Plan, Revision 3, clarifies in Section 3 that the WEC Customer Project Manager is responsible for the commercial process interface with PG&E, the roles and responsibilities of the QA Manager, and the roles and responsibilities of the Project Leadership Team. The Diablo Canyon PPS Management Plan, Revision 3, was placed on the Sharepoint on November 15 and was submitted on December 5 in PG&E Letter DCL-12-121. The Diablo Canyon V&V Plan, Revision 1, was placed on the Sharepoint on November 22 and was submitted on December 7 in PG&E Letter DCL-12-121.
Comments: 11-28-12 update: The staff will review the PPS Management Plan and the V&V plan to determine if this item can be closed.

Item 63 (RA): Software Management Plan
Issue: Revision 2 of the ALS "Diablo Canyon PPS Management Plan," Section 4.1, Planning Stage, identifies that deliverables from this phase are approved by the "Managerial Review Board." However, this document does not identify the role and responsibilities for this board. Furthermore, the PPS V&V Plan, 6116-00003, Rev. 0 states that IV&V will review planning stage documents. Please clarify the person/team responsible for this review and their role and responsibilities.
PG&E Response: The Managerial Review Board review and the IV&V reviews are two different reviews. The Managerial Review Board gives final "exit criteria" approval for both the Planning and Development stages; this Managerial Review Board approval is required for entrance into the subsequent stage. Their role is clarified in the "exit criteria" details in Section 4.1's Planning Stage and Development Stage sub-sections. The IV&V team also reviews the planning stage documents according to the criteria in the V&V Plan. Additional details have been added to the Management Plan. The Diablo Canyon PPS Management Plan, Revision 3, was placed on the Sharepoint on November 15 and was submitted on December 5 in PG&E Letter.
Status: Closed NewRAI.

Item 64 (RA): Software Management Plan
Issue: To close Items 27 and 29, PG&E issued the DCPPS Project Quality Assurance Plan to define the oversight activities to be performed during the PPS replacement project. Section 2 of this plan describes the responsibilities of those involved in oversight activities. However, it is not clear how these roles and responsibilities correlate to the organization described in the PG&E PPS Replacement Plan (Attachment 3 of the LAR) and PG&E PPS Replacement System Quality Assurance Plan (Attachment 4 of the LAR). For example, the Project Quality Plan describes the responsibilities of the PPS replacement Manager, but this role is not described in other documents. Further, the responsibility described seems to align with the responsibility of the Project Manager. Please explain the relationship, if any, of the roles and responsibilities described in the DCPPS Project Quality Assurance Plan to those provided in other PG&E documents.
PG&E Response: The "Quality Assurance Plan for Diablo Canyon Protection System Replacement" (referred to as the "Project Quality Plan" in the response to OIs 27 and 29) was a project specific document created by the Quality Verification group (a Quality Assurance organization) to identify Quality Assurance tasks to be performed by the Quality Verification group for the project. The "Quality Assurance Plan for Diablo Canyon Protection System Replacement" provides the specific plan to be used by the "Supervisor Project QA" identified in Section 3.5.1 (page 19) of the SyQAP and the "Project QA Engineer or Equivalent" identified in Section 3.5.8 of the SyQAP to provide PG&E quality oversight for the project, and in part supports meeting 10 CFR 50 Appendix B quality requirements for the project. The "Supervisor Project QA" is not identified in the PPS Replacement Project Plan Figure 2-1 (PPS Replacement Project Organization) because they are not part of the Project Organization, but instead provide independent quality assurance oversight of the Project Organization. Section 6.1, "System Quality Assurance Plan (SyQAP)," of the PPS Replacement Project Plan discusses the SyQAP, which in turn references the "Supervisor Project QA" in Section 3.5.1 (page 19) and the "Project QA Engineer or Equivalent" in Section 3.5.8 to provide PG&E quality oversight for the project.

Item 65 (RJS): KVM Switch
Issue: See Attachment 3.
PG&E Response: See Attachment 3.

Item 66 (WEK): Port Tap
Issue: Section 4.2.13.1 of the LAR (page 85) states: "... The NetOptics Model PA-Open Cu/PAD-CU1 PA-CU port aggregator network tap was approved previously by NRC for a similar application in the Oconee RPS SER Section 3.1.1.4.3 [18]. The NRC staff determined that due to the electrical isolation provided by use of fiber optic cables and the data isolation provided by the Port Tap and the Maintenance and Service Interface (MSI) in the Oconee RPS, there was reasonable assurance that a fault or failure within the Oconee Gateway computer or the Operator Aid Computer will not adversely affect the ability of the Oconee RPS to accomplish its safety functions." In section 3.1.1.5.2.1 of the Oconee SER, the staff approved the NetOptics aggregator Port Tap, Model 96443, No. PA-CU, as a device intended to allow monitoring of a full duplex 10/100BaseT Ethernet communication link by copying the communications and sending that copied communications to a one-way simplex communications link. Due to the importance of this one-way communications path functioning properly, the NRC staff performed a detailed review of the design aspect of this one-way communications path. Circuit diagrams on the device itself indicated that the communications using Port C (Port 1 in the case of the DCPP PPS application) may be capable of two-way communications. Since the original review of the Model 96443, part No. PAD-CU Port Tap required NRC staff examination of actual schematic drawings of the circuitry to determine that there was no inbound communications path associated with Port C (Port 1 for the PPS), a similar schematic review for any replacement or updated model of the Port Tap must be evaluated in the same manner (by the licensee) to determine that the manner in which it is being used and configured is acceptable, and that it does not invalidate the conclusion of this SE that use of the Port Tap provides adequate data isolation between the Gateway computer and the digital RPS/ESPS. The Port Tap approved for Oconee was model 96443 PA-CU.
Status: New RAI.
Comments: 11-28-12 update: See 11-28-2012 update question. A new RAI will be added to clarify this inconsistency so it will be on the docket.

Item 67 (WEK): Port Tap model and DIP switch control
Issue: Section 4.2.13.1 of the DCPP PPS LAR (pg. 85) states, "Port aggregator dual in-line package (DIP) switch positions will be controlled by DCPP configuration management processes." Please provide a documented basis (e.g., a plant procedure, or engineering design package) that demonstrates how this will be controlled.
11-28-2012 Update: The response below still needs further clarification: Section 3.7.2.1 (page 71) of the approved Tricon V10 LTR SER (ML12146A010) states: "The NetOptics Port aggregator Tap, Model 96443, No. PA-CU, or PAD-CU, is a device intended to allow monitoring of a 10/100 BaseT Ethernet communication link by copying communications and sending that copied information to a separate one-way communications link. Port A of the Port Tap is connected to the TCM, and Port B is connected to the Maintenance Terminal (maintenance video display unit (MVDU))." Since the LAR references the Port Tap approved within the Tricon V10 SER, this model number 96443 may still be confusing to the reader. Please provide the model number of the Port Tap that PG&E will use in the DCPP PPS and provide an explanation of its equivalency to the Port Tap approved for the Oconee RPS/ESPS LAR.
PG&E Response: The Port aggregator DIP switch positions will be controlled by a plant procedure or plan. The plant procedure or plan will be developed as part of the design change for installation of the PPS replacement after NRC approval of the LAR.
Revised PG&E Response 12/17/2012: The PPS Replacement application will use the NetOptics Model PA-CU network port aggregator tap to isolate the Tricon portion of the PPS replacement from the gateway computer. NetOptics has confirmed via e-mail (Case# 205591) that part number "96443" is the same as PA-CU. It is the old SKU part number for the CU.
Status: Closed NewRAI.
Comments: 11-28-12 update: Response is acceptable.

Item 68 (WEK): Gateway Computer(s) and Gateway Switch
Issue: Please provide a detailed functional description of the DCPP PPS NSR Gateway Computer(s) system, including computers/processors, communications protocols, and data isolation details. Or, please indicate where this information is explained within the LAR and supporting documents. Also, please provide a detailed explanation of the Gateway Switch discussed within the LAR, including its operating principle (hardware, logic based, etc.), data/electrical isolation design features, and any other pertinent information pertaining to its failure mechanisms.
11-28-2012 follow up: Figure 4-13 (Pg 87) of the LAR indicates that data communications are provided directly between the SR ALS "A" & ALS "B" Protection Sets I, II, and IV, and the NSR Gateway Computers via RS-422 copper media (i.e., not through the Port Tap). Section 4.8.2 b) (page 110 of the LAR) states that "... All other communication to non-safety equipment, i.e., Plant Computer, is via continuous one-way communication channels on the 102." Please describe how the 1E/non-1E data communication and electrical isolation is implemented within the ALS for this configuration. Also, explain how the ALS "A" & "B" inputs to the NSR Gateway Computers are isolated from each other, and the data communication protocols associated with processing this data within the Gateway Computers.
PG&E Response: The DCPP Gateway computer and Gateway switch are part of an existing system that was installed by a previous project, and therefore were not included in the scope of the changes requested for approval in the LAR. Communications from the Gateway Switch to the Tricon are functionally isolated by the Triconex Communication Module (TCM) and NetOptics Model PA-CU Network Port Aggregator Tap discussed in Tricon V10 SER Section 3.7.2.1. A fiberoptic data link provides electrical isolation. The NetOptics PA-CU Network Port Aggregator Tap was approved for this use in the Oconee RPS SER. The PA-CU prevents inbound communications from external devices or systems connected to Port 1 of the Port Aggregator from being sent to interactive Ports A and B. The Oconee SER described the methods they used to verify that Aggregator Port 1 provides one way outbound communications only. As a transmit only device, it does not listen to and is not affected by the communications protocol (or lack thereof) of the external device or system to which it is connected. The ability of the Port Aggregator Tap to prevent inbound communications to the Tricon from its Port 1 will be verified at the Tricon V10 FAT and the SAT as previously stated in PG&E Letter DCL-12-083 dated September 11, 2012.
Updated PG&E Response 12/12/2013: The response to OI #73 discusses the Transmit Bus TxB2 data communication path from the ALS-102 Core Logic Board to the ALS MWS. Transmit Bus TxB1 transmits data from the ALS-102 CLB to the Gateway Computer. Both TxB1 and TxB2 are EIA-422 communication links in which Receive capability is physically disabled by hardware as described in the ALS-102 Design Specification, 6002-102002. The receiver is configured such that the transmit data is looped back for channel integrity testing. The ALS-102 is physically and electrically incapable of receiving information from outside the ALS-102 via the Transmit Busses TxB1 and TxB2. Therefore, messages are not disregarded or rejected by the ALS-102. This is better than a "broken wire." The wire just isn't there, and there is no place to connect a wire if someone wanted to do so.
Updated WEC Response: The 1E/non-1E data communication is described in the ALS Topical Report Sections 2.2.1.3 and 5.3.2, and in 6116-00054, "Diablo Canyon PPS Matrix", Position 2. The electrical isolation qualification of the 1E/non-1E data communication is not part of the ALS Platform review project, and will be qualified with an isolation fault test that will be conducted 1st quarter 2013 per IEEE Std 384-1992, "IEEE Standard Criteria for Independence of Class 1E Equipment and Circuits" and Regulatory Guide 1.75, "Criteria for Independence of Electrical Safety Systems." A supplemental test report will be issued 2nd quarter 2013.
Status: Open.
Comments: 11-28-12 update: See 11-28-2012 follow up question.

Item 69 (WEK): MWS application programs
Issue: Please provide a detailed explanation of the application programs contained within the Tricon and ALS MWS computers, including how they will be used to support or enhance the performance of the PPS safety function, provide required maintenance, surveillance, etc. Or, please indicate where this information is explained within the LAR and supporting documents.
PG&E Response December 17, 2012: The ALS MWS will utilize Microsoft Windows®-based Westinghouse/CSI ALS Service Unit (ASU) software that is described in the ALS Topical Report Section 2.6.3. The DCPP PPS Replacement MWS will be mounted permanently in the PPS rack containing the PPS in a manner similar to ALS Topical Report Figure 2-25; however, interactive Test ALS Bus (TAB) communications will be enabled only when the TAB is physically connected to the ALS MWS by qualified personnel under administrative controls such that the TAB is enabled only on one ALS "A" or "B" subsystem at a time. The ability to use the TAB to communicate with the ALS is essential to maintain the ALS safety function. The ASU communicates with the ALS via the TAB only when required to calibrate the ALS, normalize RCS flow coefficients, perform surveillances in accordance with Technical Specifications, as well as to troubleshoot and otherwise maintain the ALS. TAB communications are disabled at all other times by physically disconnecting the TAB from the MWS. The diverse ALS subsystem whose TAB has not been enabled will continue to perform its safety function without impact. TAB communications are described in ALS Topical Report Section 5.2. The ALS MWS will also display parameters transmitted to it online by the one-way TxB2 transmit bus described in ALS Topical Report Section 2.2.1.3. Interdivisional communications between the MWS and the ALS are described in ALS Topical Report Section 5.3.
The Tricon MWS will implement five Microsoft Windows®-based application programs: (1) Invensys WonderWare® InTouch® PPS application; (2) TriLogger; (3) Tricon Diagnostic Monitor; (4) Triconex Dynamic Data Exchange (DDE) Server; and (5) TriStation 1131 (TS1131) Developers Workbench Version 4.9.0.
1. WonderWare® InTouch® PPS Application. The WonderWare InTouch application provides online display of selected PPS internal parameters and trouble alarm details. The WonderWare InTouch application also is used for maintenance of individual PPS instrument channels in conjunction with the hardwired OOS switches that have been discussed in the response to other Open Items. The MWS WonderWare InTouch application will be the tool normally used to determine the specific cause of an alarm. The Main Annunciator System only displays system level alarms. The MWS InTouch application contains an alarm monitor, which is a troubleshooting aid that provides a detailed, specific display of the alarms generated by the Tricon PPS application.
2. Triconex TriLogger. The TriLogger software provides the ability to record, display, play back and analyze data from the Tricon system. Data can be viewed in real-time on the MWS. The TriLogger is designed to provide real-time data trending and analysis capabilities and can be configured to trigger on specific events and log detailed data to aid technicians in isolating, diagnosing, and troubleshooting problems. The TriLogger may not identify transient events that occur while it is off-line.
3. Tricon Diagnostic Monitor Utility. The Tricon Diagnostic Monitor utility displays Tricon system and module status by mimicking the actual Tricon chassis and slots, so that the user can find the exact location (chassis number and slot number) of a module that may be experiencing a fault or other problem. The Tricon Diagnostic Monitor Utility improves reliability by aiding rapid troubleshooting and fault location at the Tricon system level.
4. Triconex Dynamic Data Exchange (DDE) Server. The Triconex DDE Server utility enables the DDE-compliant WonderWare InTouch client to request data from the Tricon and, when allowed during maintenance of PPS instrument channels in conjunction with the hardwired OOS switches, to change data (e.g., setpoints and tunable parameters) in the Tricon application program.
5. TriStation 1131 (TS1131) Developers Workbench. TriStation 1131 is a PC-based application development workstation that provides a comprehensive set of development, test, monitor, validation and diagnostic tools for Tricon Programmable Logic Controllers (PLC). The TS1131 program is utilized to maintain the PPS application program and may also be used for monitoring and troubleshooting purposes. The TS1131 program is described in the Tricon V10 SER Section 3.1.3.2. The TS1131 tool will be installed on the MWS. However, the TS1131 tool will not normally be running while the Tricon is performing its safety function [Tricon V10 SER Section 3.10.2.9]. If the TS1131 workstation is connected during online safety operation for maintenance or troubleshooting purposes, its use will be controlled via administrative controls and qualified maintenance personnel. Access to the operating Tricon is governed by the controller keyswitch. With the keyswitch in the RUN position, use of the TS1131 program is limited to read only access to the Tricon. Parameters and application program logic operation may be observed in real time, but changes are not permitted. The TS1131 program can only write to the Tricon when the controller keyswitch is in the PROGRAM position. With the keyswitch not in RUN, the PPS application will initiate an alarm on the Main Annunciator System and the affected PPS set will be declared inoperable with respect to its safety function.
Regardless of whether the keyswitch has been deliberately manipulated or whether the condition is the result of Tricon hardware or software failure, the Tricon diagnostics will detect a "keyswitch not in RUN" condition and the PPS application program will initiate a PPS Trouble alarm on the Main Annunciator System. When the "keyswitch not in RUN" condition exists, the affected Tricon is considered to be INOPERABLE with respect to its safety function. A Technical Specification LCO would be entered upon operator determination that the PPS trouble alarm was caused by the "keyswitch not in RUN" condition. The condition could be active in multiple Tricon protection sets because it could occur as a result of common cause software failure. Even in the condition with multiple "keyswitch not in RUN" conditions, the negative impact of the condition in multiple protection sets is limited because on-line maintenance will normally be performed in one protection set at a time, and each Tricon protection set has its own dedicated, independent MWS. It is not possible for a single MWS to be connected to other than its own protection set. Therefore, only one Tricon protection set at a time would be physically connected to allow software changes. Given the PPS trouble alarms would be active in all affected protection sets, it is highly unlikely unintended changes could
If a PPS Trouble alarm were to occur on the Main Annunciator System due to the "keyswitch not in RUN" condition, regardless of the cause, the operator would notify DCPP Maintenance. In the absence of the detailed alarm monitoring provided by an on-line MWS, the maintenance technicians would be required to obtain work orders, gain access to the affected protection set, connect and boot the MWS, and only then could begin to determine the cause of the alarm. The alarm information would not be available if the alarm were due to a transient condition that cleared between the time the condition initiated and when the MWS was operational. Diagnosis of the condition could be delayed for several hours. With the on-line MWS and the alarm monitor function, the condition, whether caused by intentional manipulation of the Tricon controller keyswitch or by a hardware or software failure involving the keyswitch, would be identified immediately.
As with the ALS, the on-line Tricon MWS is essential to performing maintenance of the Tricon, including surveillance testing per the Technical Specifications, and is equivalent to the existing, approved Eagle 21 Test Bypass capability. The MWS is required to bypass channels for testing. Removing a Tricon from service during such routine maintenance would require tripping all the channels in that protection set, which would make one channel in the coincidence logic tripped for all channels in the protection set. This condition increases the risk of challenging plant safety systems should another channel trip inadvertently with the protection set out of service. Without the data links from the Tricon and ALS to the MWS (which make data available to the Plant Process Computer/Plant Data Network), only the control board indicators and recorders will be available to provide a "window" on the PPS. The Tricon will continue to perform its safety function. System trouble alarms will still be generated by the PPS on the Main Annunciator System, but without the alarm monitor and other display capabilities provided by the MWS, there is no direct means to determine the specific cause of the alarm. The network switch between the Port Aggregator tap and the MWS ensures continued Tricon data transmission on loss of the Tricon MWS. The network switches are redundant to ensure continued data transfer from the Tricon to the MWS on failure of a single Tricon network link.
Conclusion: The non-safety communications between the PPS controllers and their respective, dedicated MWS units enhance and support the PPS safety function through improving maintainability and thus reliability, and enabling on-line surveillance testing, calibration, and maintenance. Risk of challenging plant safety systems is reduced through the ability to test in bypass rather than requiring test in trip. Further, the MWS units provide essential support for surveillance testing and maintenance functions. Without the online non-safety communications capability, neither Tricon nor ALS real-time data and status information will be available on the Plant Process Computer or in the Control Room on other than dedicated control board indicators and recorders. Lack of access to real-time, continuous, on-line PPS status data and diagnostic information introduces delay into PPS trouble identification and resolution, and substantially degrades the maintenance effectiveness and timeliness enabled by the diagnostic features built into the platforms and the application programs. The ability to make online use of the information provided by redundant, real-time data communications to the MWS and to the plant process computer improves PPS reliability and thus supports and enhances safety by providing timely diagnostic information and status details that assist performance of required trouble-shooting, maintenance, and surveillance activities.
Status: Open.
Comments: 11-28-12 update: Additional clarification was provided, so the question was rephrased.
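The keyswitch rules described in the response above (TS1131 read-only while the key is in RUN, writes only in PROGRAM, a "keyswitch not in RUN" condition alarmed on the Main Annunciator and the set declared INOPERABLE whether the key was turned or the keyswitch circuit failed, and one dedicated MWS per protection set), as an added example that is not PG&E's, Triconex's or the NRC's code: a Python model of those rules, showing why the MWS alarm monitor is what lets the operator attribute a system-level PPS Trouble alarm to the keyswitch. The class and function names, the setpoint key and values, and the module-fault flag are assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Keyswitch positions named on the page; any other reading counts as "not in RUN".
RUN = "RUN"
PROGRAM = "PROGRAM"


@dataclass
class TriconProtectionSet:
    """Hypothetical model of one Tricon protection set and its dedicated MWS."""
    name: str
    mws: str                                 # the single MWS wired to this set
    keyswitch: str = RUN                     # key position as read by diagnostics
    keyswitch_fault: bool = False            # diagnostics found a fault in the keyswitch circuit
    module_fault: Optional[str] = None       # e.g. "chassis 1 slot 3" (constructed)
    setpoints: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def keyswitch_in_run(self) -> bool:
        # A faulted keyswitch cannot be trusted, so diagnostics report
        # "keyswitch not in RUN" whether the key was turned or the circuit failed.
        return self.keyswitch == RUN and not self.keyswitch_fault

    def operable(self) -> bool:
        """The set is INOPERABLE for its safety function while not in RUN."""
        return self.keyswitch_in_run()

    def alarm_monitor(self) -> list:
        """Detailed causes as the MWS alarm monitor would list them."""
        causes = []
        if not self.keyswitch_in_run():
            origin = "keyswitch circuit failure" if self.keyswitch_fault else "key turned"
            causes.append(f"keyswitch not in RUN ({origin}; position read as {self.keyswitch})")
        if self.module_fault:
            causes.append(f"module fault at {self.module_fault}")
        return causes

    def pps_trouble_alarm(self) -> bool:
        """The single system-level PPS Trouble alarm sent to the Main Annunciator."""
        return bool(self.alarm_monitor())

    def ts1131_request(self, from_mws: str, op: str, key: str, value=None):
        """TS1131 access request from an MWS; returns (accepted, detail)."""
        if from_mws != self.mws:
            return False, f"{from_mws} is not the dedicated MWS of {self.name}"
        if op == "read":                      # monitoring is allowed in any position
            return True, self.setpoints.get(key)
        if op == "write":                     # writes need the key in PROGRAM
            if self.keyswitch != PROGRAM or self.keyswitch_fault:
                return False, "write refused: keyswitch not in PROGRAM"
            self.setpoints[key] = value
            self.audit.append((from_mws, key, value))
            return True, "written"
        return False, f"unknown operation {op!r}"


def annunciator_alarms(sets) -> list:
    """What the control room sees: which sets show PPS Trouble, and nothing more."""
    return [s.name for s in sets if s.pps_trouble_alarm()]


def lco_entries(sets) -> list:
    """Sets whose alarm the MWS alarm monitor attributes to the keyswitch; the page
    says the TS LCO is entered once the operator makes that determination."""
    return [s.name for s in sets
            if any(c.startswith("keyswitch not in RUN") for c in s.alarm_monitor())]


if __name__ == "__main__":
    # Constructed sample: Set I is taken to PROGRAM for a setpoint change,
    # Set II's keyswitch circuit fails while the key is still in RUN.
    set1 = TriconProtectionSet("Set I", "MWS-I", setpoints={"hi_press_trip": 2385})
    set2 = TriconProtectionSet("Set II", "MWS-II")
    print(set1.ts1131_request("MWS-I", "write", "hi_press_trip", 2380))  # refused in RUN
    set1.keyswitch = PROGRAM
    print(set1.ts1131_request("MWS-I", "write", "hi_press_trip", 2380))  # accepted
    print(set1.ts1131_request("MWS-II", "write", "hi_press_trip", 0))    # wrong MWS
    set2.keyswitch_fault = True
    print(annunciator_alarms([set1, set2]), lco_entries([set1, set2]))
    for s in (set1, set2):
        print(s.name, "operable" if s.operable() else "INOPERABLE", s.alarm_monitor())
```

The model keeps the two views apart on purpose: `annunciator_alarms` only says that a set is in trouble, while `alarm_monitor` carries the cause, which is the distinction the response draws between the Main Annunciator System and the MWS alarm monitor.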
71 (WEK) KVM Switch Question 1:
Issue: If the Enumerated USB switching function is used, will you be able to use the keyboard hotkeys and mouse buttons to perform switching? The brochure seems to indicate on page 3 that the Enumeration switching process will not enable control switching using the USB keyboard or mouse. However, it further says that Emulation switching was developed to support these enhanced switching functions/devices (keyboard hotkeys or mouse buttons), albeit other USB devices (e.g., printer) do not need to use the Emulated USB switching function. Could you please clarify?
PG&E Response: The USB1 and USB2 ports, which use enumerated switching, pass straight through the KVM switch without interpretation. Therefore, you cannot connect a keyboard to USB1 or USB2 and use the hotkeys to perform switching, and USB1 and USB2 traffic cannot cause a switch. The block diagram shows the output of the emulated portion of the switch and the enumerated portion going to a USB hub before being sent to the computer. The keyboard and mouse will use the emulated function, not the enumerated switching function; only the keyboard and mouse can control the switch.
Status: Open. Comments: 11-28-12 update: Response okay. Leave open until the KVM Switch information is provided within the LAR revision.

(WEK) KVM Switch Question 2:
Issue: Will the KVM switch be on-line 24-7 monitoring data from either the Tricon or the ALS platform? If so, what can we say about the failure modes of the KVM switch? Can it fail in such a manner so as to inject faults into the MWS computers, and hence into the Tricon or ALS safety system processors? If not, why? If so, what can be done to circumvent this problem, and show conformance with ISG-04, Points 10 & 11? We will need to cover this matter in the SER.
10-17-12 Update: Response below did not answer the question regarding failure modes of the KVM switch. I agree that it is okay to lose the Tricon, but I do not see how the ALS is protected due to its "inherent 1-way communications" design. Please explain this further. (Note: "IRS" is the Interface Requirements Specification, Attachment 8 of the LAR.)
PG&E Response: The KVM switch will be on-line 24-7 for monitoring data from either the Tricon or ALS platform via the respective MWS computers. There is additional isolation because the ALS communicates strictly one way to its MWS except when TAB communications are enabled by connecting the TAB cable. Connection of the TAB is performed as directed by a trained technician using an approved procedure. Therefore, if the KVM switch failed in some way to connect the two MWS together, the ALS would not be affected. The Tricon might be affected, but the D3 analysis allows the Tricon to fail due to CCF. The following paragraphs have been added to the IRS Section 2.3.7:
b. The KVM switch shall permit only connections between a single computer and the selected video display and HMI interface devices. Connection between the computers shall not be permitted.
g. The AV4PRO-VGA KVM switch shall utilize the default switching mode, in which the video display, keyboard and mouse and the enumerated USB ports are all switched simultaneously.
Paragraph g was necessary to prevent the enumerated ports from being switched separately from the KVM.
Added PG&E Response 12/16/2012: During normal, non-maintenance operation, the ALS communicates one-way to its dedicated MWS computer via Transmit Bus TxB2, as discussed in the response to OI #73. Inter-divisional safety to non-safety communications are addressed in ALS Topical Report Section 5.2.3. The TxB2 data communication path from the ALS-102 Core Logic Board to the ALS MWS computer is an EIA-422 communication link in which Receive capability is physically disabled by hardware, as described in the ALS-102 Design Specification. The receiver is configured such that transmit data is looped back for channel integrity testing. The ALS-102 is physically and electrically incapable of receiving information from outside the ALS-102. Therefore, the ALS cannot be affected by a malfunction in the dedicated MWS computer associated with an ALS protection set, regardless of whether the malfunction is caused by a KVM switch malfunction or a malfunction of the MWS computer.
WEC Response: The 1E/non-1E data communication is described in the ALS Topical Report Sections 2.2.1.3 and 5.3.2, and in 6116-00054, "Diablo Canyon PPS Matrix," Position 2. The electrical isolation qualification of the 1E/non-1E data communication is not part of the ALS Platform review project, and will be qualified with an isolation fault test that will be conducted in the 1st quarter of 2013 per IEEE Std 384-1992, "IEEE Standard Criteria for Independence of Class 1E Equipment and Circuits," and Regulatory Guide 1.75, "Criteria for Independence of Electrical Safety Systems." A supplemental test report will be issued in the 2nd quarter.
Status: Open. Comments: 11-28-12 update: ALS ISG-04 compliance was submitted, and Westinghouse thinks that this will answer this question. PG&E needs to respond to the 10-17-12 update in the description section. Leave open until the KVM Switch information is provided within the LAR revision.

(WEK) KVM Switch Question 3:
Issue: Also, you will likely need to address how you will disable the features you are not using, such as the audio interface, unused USB ports, and remote control/channel switching by external control, from an SDOE perspective and probably a cyber security perspective later on (after the SER).
10-17-12 Update: The methods used to block ports in the KVM switch must be addressed in the LAR revision. Block all unused ports and keep any that may need to be reopened under design or configuration control. Again, we need a detailed explanation of how this 1-way design feature will prevent KVM switch failures from affecting the ALS system.
PG&E Response: Specific answers to these questions depend on the detailed design. Ports can be physically blocked, which might be appropriate for unused computer ports and the audio ports. It might not be appropriate for the unused USB port (which may be needed for a future printer) and the options port (which may be needed for firmware updates). Remote control switching or firmware update requires a custom serial cable. The firmware update requires specialized software on the computer being used to perform the update. Firmware update will be done by procedure. The MWS will be inside a locked cabinet inside a vital area inside the protected area. Inadvertent actions, while not impossible, will not be easy. If the switch is somehow manipulated, the ALS will not be affected even if the KVM switch fails, because the ALS communicates only one-way with the MWS except for short periods when the TAB is enabled.
Revised PG&E Response 12/16/2012: PG&E will physically block the audio port, USB Port 2 and unused computer ports. Physical blocks will be verified at SAT and controlled thereafter by the SCMP. PG&E considers that opening any of the unused ports for use after the SAT is a modification of the physical plant configuration that will require an engineering design change.
Status: Open. Comments: 11-28-12 update: PG&E needs to respond to the 10-17-12 update in the description section. Leave open until the KVM Switch information is provided within the LAR revision.

73 (WEK) KVM Switch Question 4:
Issue: If the KVM switch does fail in some manner allowing data flows between the two platforms, then the ALS system would not be affected because the ALS platform will only transmit data in one direction to its MWS (with the TAB cable disconnected, of course). This is good; however, the LAR (or attachments) needs to explain how the engineering design principles of the ALS platform physically prevent bad/erroneous data from corrupting the ALS platform. In other words, explain how these messages emanating from the MWS (regardless of origin) will be disregarded/rejected by the ALS platform, thus allowing only one direction of data flow.
10-17-12 Update: The ALS-102 Design Specification, document 6002-10202, has not yet been submitted to the NRC. When will it be submitted? Will this EIA-422 (or is it RS-422, per Fig. 4-13 in the LAR) communication link (twisted pair copper wire) also serve as the 1E/non-1E isolation device as required by IEEE 603, Clause 5.6.3 and IEEE 7-4.3.2, Clause 5.6? Please clarify.
11-28-2012 Update: Still need more information re: 1E/non-1E isolation of the ALS-102 board.
Revised PG&E Response 12/16/2012: The TxB1 and TxB2 data communication paths from the ALS-102 Core Logic Board to the Gateway Computer and MWS, respectively, are EIA-422 communication links in which Receive capability is physically disabled by hardware, as described in 6002-10202, the ALS-102 Design Specification. The receiver is configured such that the transmit data is looped back for channel integrity testing. The ALS-102 is physically and electrically incapable of receiving information from outside the ALS-102. Therefore, messages are not disregarded or rejected by the ALS-102; this is better than a "broken wire." The wire just isn't there, and there is no way to connect a wire if someone wanted to do so.
Updated PG&E Response: Per the 10/17/2012 update, NRC is correct regarding the typographical error in Section 2.4.13.5 on page 90 of the LAR. The correct ALS-102 Design Specification document number per LAR Reference 94 is 6002-10202. Per the 11/28/2012 update, RS-422 is the common short form title of American National Standards Institute (ANSI) standard ANSI/TIA/EIA-422-B, Electrical Characteristics of Balanced Voltage Differential Interface Circuits. This technical standard specifies the electrical characteristics of the balanced voltage digital interface circuit. For the purposes of the LAR, the two designations are equivalent and may be used interchangeably. Westinghouse to address ALS-102 board 1E/non-1E electrical isolation.
Status: Open. Comments: 11-28-2012 update: PG&E needs to respond to the 10-17-12 update in the description section. 10-17-12 Update: there is a typo in Section 2.4.13.5 on page 90 of the LAR. The first paragraph references ALS doc. 6002-61202 (typo) as the document that explains how the EIA-422 communication channels on the ALS-102 are electrically isolated and inherently one-way communications capability only. The document 6002-10202, in Reference 94, is the correct document.

74 (WEK) KVM Switch Question 5:
Issue: Please explain in detail how "Connection between the computers shall not be permitted." Will this be handled via a configuration control process, administrative controls, or a physical means of preventing connection between computers?
10-17-12 Update: Response is okay, but the LAR revision will need to expand further on this matter to explain how these controls will provide this protection.
PG&E Response: This section was intended to be a functional requirement for the KVM switch. Administrative and configuration controls will prevent inadvertent loading of an EPROM image that could corrupt operation of the KVM switch. If the KVM switch fails and connects the ALS and Tricon MWS together, the above-described physical and electrical restrictions of the KVM switch will prevent the ALS from being corrupted by its MWS computer.
Status: Open. Comments: 11-28-12 update: Leave open until the KVM Switch information is provided within the LAR revision.

75 (RJS, NSIR) ALS Security Plan:
Issue: Document 6002-00006 references the CS Innovations Cyber Security Plan document (Reference 7), which is not docketed. Without having access to this referenced document, the staff is unable to confirm
implementation of the system security requirements. We need to discuss if the document can be made available on the SharePoint or if it can be made available during the audit. In addition, CS-00013-GEN, Development Environment Evaluation Report - CS Innovations Isolated Development Infrastructure, might be another document of interest to the staff. It seems that this document would provide evidence that the actual development environment was in fact secure. This document was not docketed.
PG&E Response: Westinghouse can make available during the audit both CSI document 9000-00360, "CS Innovations Cyber Security Plan," and WNA-CS-00013-GEN, "Development Environment Evaluation Report - CS Innovations Isolated Development Infrastructure."
Status: Open. Note: RJS - We need to resolve if the document needs to be docketed now that we have reviewed it during the audit.

76 (WEK) Invensys Audit Item:
Issue: The documents listed below are necessary for the staff to complete its assessment of the Tricon V10 platform changes/software revisions that have occurred since the platform was approved generically, and that will be applied to the DCPP PPS.
- Design Change Analysis (RDCA), 993754-1-916
- Qualified Equipment List (NQEL), 9100150-001: Rev 11: Tricon V10.5.2; Rev 13: TriStation V4.9.0; Rev 14: Tricon V10.5.3
- Tricon NGIO Software SRS, 6200155-001
- Tricon V10.5 Verification and Validation Report (19 Sept. 2012)
- V10.5.2 Documents: a) PDR (IRTX) 21105; b) Technical Advisory Bulletin (TAB) 183; c) Engineering Project Plan (EPP) Tricon V10.5.2, 9100346-001; d) V10.5.2 V&V Test Report; e) Software Release Definition (SRD), V10.5.2, 6200003-226
- V10.5.3 Documents: a) PDR (IRTX) 22481; b) Product Alert Notice (PAN) 25; c) Engineering Project Plan (EPP) Tricon V10.5.3, 9100428-001; d) Tricon PAN 25 Master Test Report; e) Software Release Definition (SRD), V10.5.3, 6200003-230; f) NGDO SRS, 6200170-001
- TriStation V4.9.0 documents: a) Product Alert Notice (PAN) 22; b) Product Alert Notice (PAN) 24; c) Technical Advisory Bulletin (TAB) 147; d) Engineering Project Plan (EPP) TriStation V4.9, 9100359-001; e) TriStation V4.9.0 Master Test Report; f) Software Release Definition (SRD), TriStation V4.9.0, 6200097-038; g) Spec. Software Design - TriStation 1131 SDS, 6002168-002 (Section Applicable to V4.9.0 Change); h) TriStation 1131 V4.9 V&V Plan, 9600442-002; i) TriStation 1131 V&V Summary Report (26 Oct. 2012)
PG&E Response: Invensys will place the requested documents on the Invensys SharePoint by December 3, 2012, for access by the NRC. The documents will be marked in accordance with 10 CFR 2.390 prior to placing them on the SharePoint.
Status: Closed. New RAI. Invensys Audit Item. Comments: 11-28-12 update: Response acceptable. We will also need this information submitted on the docket. Note: RJS - Bill is asking for all of these documents to be docketed and PG&E has only committed to putting them on the SharePoint. We need to resolve this!

77 Invensys Audit Item:
Issue: The staff requests that the Purchase Order Compliance Matrices (Multiple Documents) be placed on the SharePoint site to support verification of requirements traceability determinations.
PG&E Response: Invensys will place the requested documents on the Invensys SharePoint by December 7, 2012, for access by the NRC. The documents will be marked in accordance with 10 CFR 2.390 prior to placing them on the SharePoint.
Comments: RJS - I do not believe that the POCMs will need to be docketed.

78 (RA) Invensys Audit Item:
Issue: The staff requests that the Invensys Project Procedures Manual and Project Instructions (Multiple Documents) be placed on the SharePoint site to support review of the Invensys process to design, develop and test the Tricon system.
PG&E Response: Invensys will place the requested documents on the Invensys SharePoint by December 14, 2012, for access by the NRC. The documents will be marked in accordance with 10 CFR 2.390 prior to placing them on the SharePoint.

79 (RA) Invensys Audit Item:
Issue: Invensys to confirm that the following terms are not used, and that they will be removed from their plans and replaced with the correct terms.
- Test Review Board
- Test Case Incident Report
- Master Configuration Checklist
- Configuration Database
PG&E Response: The following Invensys documents will be revised to reflect correct terminology and placed on the Invensys SharePoint by December 21, 2012: 1) 993754-1-905, Project Management Plan; 2) 993754-1-906, Software Development Plan; 3) Software Configuration Management Plan; 4) 993754-1-813, Validation Test Plan. The revised documents will be marked in accordance with 10 CFR 2.390 prior to placing them on the SharePoint.

80 (RA) Invensys Audit Item:
Issue: Invensys to revise its plans to reflect the current project organization.
PG&E Response: The Invensys Project Management Plan (PMP), 993754-1-905, will be revised to reflect the current project organization and placed on the Invensys SharePoint by December 21, 2012. The revised PMP will be marked in accordance with 10 CFR 2.390.

Enclosure 3
Project Plan for Diablo Canyon Replacement of Digital RPS and ESFAS (PPS) - LAR Review (Rev. 7)
Columns: Step | Planned Date | Task | Actual Date

Step 1, Oct. 26, 2011: PG&E LAR Submittal for NRC approval. Submittal includes all Phase 1 documents needed to be docketed prior to acceptance for review per ISG-06, "Digital Licensing." Actual: Oct. 26, 2011.
Jan. 12: Acceptance Review complete. LAR accepted for detailed technical review. Several issues identified that could present challenges for the staff to complete its review. Scheduled public meeting with PG&E to discuss the results of the acceptance review. Actual: Jan.
Jan. 13: Acceptance letter sent to licensee. Actual: Jan.
Jan. 18: Conduct Public Meeting to discuss staff's findings during the LAR acceptance review. Staff proceeds with LAR technical review. Actual: Jan. 18.
Step 5, March: PG&E provides information requested in acceptance letter.
April: Bi-weekly telecoms with PG&E and its contractors to discuss potential RAI issues. Open Items spreadsheet will be maintained by NRC to document staff issues and planned licensee responses.
May: PG&E provides partial set of Phase 2 documentation per commitments made in LAR. Actual: June 2012* (*PG&E provided a subset of the Phase 2 documents on June 6th and committed to send the rest by July 31, 2012.)
August: First RAI sent to PG&E on Phase 1 documentation (specifications, plans, and equipment qualification); 45-day response requested. Continue review of the application. (ML12208A364)
Step 8, June: SER for Tricon V10 Platform issued final. This platform becomes a Tier 1 review of the LAR. Actual: May 15, 2012 (ML12146A010).
Step 8.1, March 2013: SER for Westinghouse ALS Platform issued final. This platform becomes a Tier 1 review of the LAR.
Step 9, September: Receive answers to first RAI. (ML ...) Actual: Sept. 11.
November: Audit trip to Invensys facility for thread audit; audit the life cycle planning documents and outputs, with particular emphases on verification and validation, configuration management, quality assurance, software safety, the Invensys application software development procedures, and application software design. Actual: Nov. 16.
December: Audit report provided to PG&E and its contractor.
Step 11.1, TBD: LAR and all documentation associated with the change in ALS and Tricon V10 workstation designs for the ... are ...
Step 11.2, TBD: Follow-up audit trip to Invensys facility for thread audit; audit the life cycle planning documents and outputs, with particular emphases on verification and validation, configuration management, quality assurance, software safety, the Invensys application software development procedures, and application software program design.
Step 11.3, February 2012: Audit trip to Westinghouse/CSI facility for thread audit; audit the life cycle planning documents and outputs, with particular emphases on verification and validation, configuration management, quality assurance, software safety, the W/ALS application software development procedures, and PPS ALS application software program design.
Step 12, March 2013: PG&E provides remaining set of Phase 2 documentation per commitments made in LAR.
Step 12.1, March 2013: All documentation for DCPP W/CSI ALS and IOM/Triconex V10 processors applicable to the DCPP PPS LAR is submitted.
Step 13, April 2013: Second RAI to PG&E on Phase 2 documentation (e.g., FMEA, safety analysis, RTM, EQ test results, setpoint calcs, SW tool analysis reports, and any incomplete or unsatisfactory response to the first RAI). Continue review - hardware and program design and V&V activities.
Step 14, May 2013: Receive answers to second RAI. Continue review - V&V program, security requirements (RG 1.152, Rev. 2).
Step 15, March 2013: Audit trip to W/ALS facilities for additional thread audit items; audit hardware and software installation plans, configuration management reports, detailed system and hardware design, completed test procedures, V&V activities, summary test results (including FAT) and incident reports, and application code listings.
Step 15.1, April 2013: Audit trip to Invensys facilities for additional thread audit items; audit hardware and software installation plans, configuration management reports, detailed system and hardware design, completed test procedures, V&V activities, summary test results (including FAT) and incident reports, and application code listings.
Step 16, May 2013: Audit reports provided to PG&E and its contractors.
Step 17, November 2013: Presentation to ACRS Subcommittee/Full ACRS Committee on DCPP PPS LAR Safety Evaluation.
Step 18, November 2013: Complete draft technical SER for management review and approval.
Step 19, December 2013: Issue completed draft technical SER to DORL.
Step 20, December 2013: Draft SER sent to PG&E, Invensys, and W/CSI to perform technical review and ensure no proprietary information was included.
Step 21, January 2014: Receive comments from PG&E and its contractors on draft SER proprietary review.
Step 22, March 2014: Approved License Amendment issued to PG&E.
Step 23, September 2014: Inspection trip to DCPP for PPS Site Acceptance Testing (SAT), training and other preparation for installing the new system. To be coordinated with regional visit. Date based on receipt of new PPS system at the site in preparation for September 2015 Unit 1 Refueling Outage (1R19) (tentative).
September 2015: Inspection trip to DCPP for PPS installation tests, training and other system installation activities for the new system. To be coordinated with regional visit. Date based on September 2015 Unit 1 Refueling Outage (1R19).
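Open items 72 through 74 in Enclosure 2 above (KVM Switch Questions 2 to 4) describe the ALS-to-MWS TxB2 path as an EIA-422 link whose receive capability is physically disabled, with the sender's transmit data looped back for channel integrity testing. The Python model below is an illustration added by the editor; it is not Westinghouse, CS Innovations or PG&E design material and is not the ALS TxB2 protocol, and the frame layout, CRC choice, sample payloads and fault values are all constructed for the example. It shows the two properties of a link with no return conductor that a reviewer would want demonstrated: the sender can only learn that its own line driver has failed by reading back its own transmit pin, and the receiver can detect a corrupted or missing frame (CRC failure, sequence gap) but has no path on which to request a retransmission or to send anything toward the sender.

```python
"""Transmit-only serial link with sender-side loopback self-test (added illustration).

Everything here is constructed for the example: the framing, the CRC, the sample
payloads and the fault model. It is not the ALS TxB2 format or any vendor code.
Frame: SYNC(0x7E) | len | seq | payload | CRC-16/CCITT-FALSE (big-endian)
"""
import struct
from dataclasses import dataclass, field

SYNC = 0x7E
MAX_PAYLOAD = 64


def crc16_ccitt(data: bytes) -> int:
    """CRC-16/CCITT-FALSE: poly 0x1021, init 0xFFFF, no reflection, no final XOR."""
    crc = 0xFFFF
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def encode_frame(seq: int, payload: bytes) -> bytes:
    """Build one frame; the CRC covers sync, length, sequence number and payload."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload too long")
    body = bytes([SYNC, len(payload), seq & 0xFF]) + payload
    return body + struct.pack(">H", crc16_ccitt(body))


def parse_stream(stream: bytes) -> list:
    """Return [(seq, payload), ...] for every CRC-valid frame in a raw byte stream.

    With no return channel the receiver cannot ask for a resend, so a frame that
    fails the CRC is dropped and the parser skips forward byte by byte until the
    next SYNC that yields a valid frame (resynchronisation).
    """
    frames, i = [], 0
    while i < len(stream):
        if stream[i] != SYNC or i + 3 > len(stream):
            i += 1
            continue
        n = stream[i + 1]
        end = i + 3 + n + 2
        if n > MAX_PAYLOAD or end > len(stream):
            i += 1
            continue
        body = stream[i:end - 2]
        (crc,) = struct.unpack(">H", stream[end - 2:end])
        if crc16_ccitt(body) != crc:
            i += 1
            continue
        frames.append((body[2], bytes(body[3:])))
        i = end
    return frames


@dataclass
class TransmitOnlyPort:
    """Sender (the safety side). Its RX pin is tied to its own TX pin, not to the
    far end, so the only bytes it can ever read are the ones it just drove onto
    the wire. That read-back is the channel integrity test: a failed line driver
    shows up as a loopback mismatch without any help from the receiver."""
    tx_fault: int = 0                      # XOR mask modelling a faulty driver (constructed)
    wire: bytearray = field(default_factory=bytearray)
    seq: int = 0
    loopback_errors: int = 0

    def send(self, payload: bytes) -> bool:
        frame = encode_frame(self.seq, payload)
        self.seq = (self.seq + 1) & 0xFF
        on_wire = bytes(b ^ self.tx_fault for b in frame)
        self.wire += on_wire
        ok = on_wire == frame              # what left the driver vs. what was intended
        if not ok:
            self.loopback_errors += 1
        return ok


@dataclass
class ReceiveOnlyEnd:
    """Far end (the non-safety workstation). It can read the wire and notice loss
    through sequence gaps; there is no conductor in the other direction."""
    expected_seq: int = 0
    gaps: int = 0

    def read_all(self, wire: bytes) -> list:
        payloads = []
        for seq, payload in parse_stream(wire):
            if seq != self.expected_seq:
                self.gaps += 1             # detectable, but not recoverable by request
            self.expected_seq = (seq + 1) & 0xFF
            payloads.append(payload)
        return payloads


def run_demo() -> dict:
    """Three frames sent; wire noise corrupts the second; then the driver fails."""
    sender, mws = TransmitOnlyPort(), ReceiveOnlyEnd()
    for p in (b"status=OK", b"chan1=512.0", b"chan2=511.6"):   # constructed sample data
        sender.send(p)
    noisy = bytearray(sender.wire)
    noisy[len(encode_frame(0, b"status=OK")) + 5] ^= 0xFF       # hits the payload of seq 1
    received = mws.read_all(bytes(noisy))
    sender.tx_fault = 0x10                                      # line driver now corrupts a bit
    fault_detected = not sender.send(b"chan3=0.0")              # caught by loopback alone
    return {"received": received, "gaps": mws.gaps,
            "loopback_errors": sender.loopback_errors, "fault_detected": fault_detected}


if __name__ == "__main__":
    print(run_demo())
```

Running the module shows the receiver keeping frames 0 and 2, counting one sequence gap for the frame that failed its CRC, and the sender reporting a loopback error on the first transmission after its driver fault; nothing the receiver does can change either outcome, which is the property the staff asked PG&E to substantiate for the ALS-102.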
Please direct any inquiries to me at 301-415-1132 or at Joseph.Sebrosky@nrc.gov.

Docket Nos. 50-275 and 50-323

Enclosures:
1. List of Attendees
2. Staff Identified Issues That are Open
3. Project Plan

cc w/encls: Distribution via Listserv

/RA/
Joseph M. Sebrosky, Senior Project Manager
Plant Licensing Branch IV
Division of Operating Reactor Licensing
Office of Nuclear Reactor Regulation

DISTRIBUTION: PUBLIC; LPLIV Reading; RidsAcrsAcnw_MailCTR Resource; RidsNrrDeEicb Resource; RidsNrrDorl Resource; RidsNrrDorlLpl4 Resource; RidsNrrDraApla Resource; RidsNrrDssStsb Resource; RidsNrrLAJBurkhardt Resource; RidsNrrPMDiabloCanyon Resource; RidsNsirDsp Resource; RidsOgcRp Resource; RidsRgn4MailCenter Resource; CSantos, EDO RIV; TWertz, NRR; WKemper; RStattel; RAlvarado; WMaier; SMakor; SAchen; ELee; DParsons; GSimonds; THarris; MShinn; CNickell; MSnodderly; KBucholtz

ADAMS Accession Nos.: Meeting Notice ML12338A093; Meeting Summary ML12361A360

OFFICE: NRR/DORL/LPL4/PM | NRR/DORL/LPL4/LA | NRR/DE/EICB | NRR/DORL/LPL4/BC | NRR/DORL/LPL4/PM
NAME: JSebrosky | JBurkhardt | RStattel | MMarkley | JSebrosky
DATE: 1/8/13 | 1/4/13 | 1/9/13 | 1/10/13 | 1/10/13
OFFICIAL RECORD COPY