Latest revision as of 16:24, 5 December 2019

Text

Document 993754-1-915(NP), Rev. 1, Pacific Gas & Electric Company Nuclear Safety-Related Process Protection System Replacement, Diablo Canyon Power Plant, Safety Analysis.
	ML13004A474
Person / Time
Site:	Diablo Canyon
Issue date:	10/24/2012
From:	Nguyen H; Invensys Operations Management
To:	; Office of Nuclear Reactor Regulation
Shared Package
ML130040687	List: DCL-12-120, Submittal of Revised Phases 1 & 2 Documents for License Amendment Request for Digital Process Protection System Replacement; ML13004A469; ML13004A470; ML13004A471; ML13004A472; ML13004A473; ML13004A474;
References
	993754-1-915(NP), Rev 1
	Download: ML13004A474 (69)
	v • d • e

Attachments 8-13 to the Enclosure contain Proprietary Information - Withhold Under 10 CFR 2.390 Enclosure Attachment 7 PG&E Letter DCL-12-120 Invensys Operations Management Document "993754-1-915, Revision 1, Process Protection System Replacement Diablo Canyon Power Plant Safety Analysis" (Non-Proprietary)

Attachments 8-13 to the Enclosure contain Proprietary Information When separated from Attachments 8-13 to the Enclosure, this document is decontrolled.

in Ve. n s'.> s" i n Ve, n s.w s-Operations Management Triconex Project: IPG&E PROCESS PROTECTION SYSTEM REPLACEMENT, Purchase Order No.: 13500897372 Project Sales Order: 1993754 PACIFIC GAS & ELECTRIC COMPANY NUCLEAR SAFETY-RELATED PROCESS PROTECTION SYSTEM REPLACEMENT DIABLO CANYON POWER PLANT SAFETY ANALYSIS Document No. 993754-1-915(-NP)

Revision I October 24, 2012 I Non -Proprietary copy per 10CFR2.390

- Areas of Invensys Operations Management proprietary information, marked as [P], have been redacted based on 10CFR2.390(a)(4).

Name Signature Title Author: Hoan Nguyen J7--a V&V Engineer Reviewers: Son Phan I IV&V Engineer Approvals: Kevin Vu IV&V Manager

i n v'e. n s'.y s" in fe .wx.s Operations Management Triconex Document: 993754-1-915

Title:

Safey Anal sis-----

Revision: I Page: 2 of 59 Date: 10/24/2012 Document Change History Revision Date Change Author 0 02/29/2012 Initial Issue for Use Hoan Nguyen Hoan Nguyen

in v"*e. n s" .ý s" i n.Ve.n s'.w s" Operations Management Triconex Document: 993754-1-915

Title:

Safet Anal sis Revision: I Page: 3 of 59 1 Date: 10/24/2012 Table of Contents 1.0 INTR O D UCTIO N ................................................................................... 5 1.1 P urpo se ........................................................................................................................................ 5 1.2 S co pe ........................................................................................................................................... 6 2.0 R EFEREN C ES .......................................................................................... 8 2.1 PPS Documents ........................................................................................................................... 8 2.2 Invensys Documents .......................................................................................................... 8 2.3 Miscellaneous Documents ...................................................................................................... 8 3.0 ABBREVIATIONS, ACRONYMS AND DEFINITIONS ..................... 9 3.1 Abbreviations and Acronyms ................................................................................................. 9 3.2 Definitions ................................................................................................................................. 10 4.0 PRELIMINARY HAZARD ANALYSIS ............................................... 11 4.1 Preliminary Hazard List....................................................................................................... 19 4.2 Resu lts ....................................................................................................................................... 36 5.0 IN TERFA CE A NA LY SIS ...................................................................... 37 5 .1 Pu rpo se ...................................................................................................................................... 37 5 .2 Scop e ......................................................................................................................................... 38 5 .3 Output ........................................................................................................................................ 43 6.0 CRITICALITY ANALYSIS .................................................................. 48 6 .1 P urpose ...................................................................................................................................... 48 6 .2 S co pe ......................................................................................................................................... 48 6 .3 Output ........................................................................................................................................ 48 7.0 H A ZAR D A NA LY SIS ............................................................................. 50 7.1 P urpose ...................................................................................................................................... 50 7 .2 S co pe ......................................................................................................................................... 50 7.3 O utput ........................................................................................................................................ 50 8.0 R ISK AN A LY SIS ................................................................................... 54 8 .1 P urpo se ...................................................................................................................................... 54 8 .2 S co pe ......................................................................................................................................... 54 8.3 O utput ........................................................................................................................................ 55 9.0 C O N CLU SIO N S .......................................................................................... 58 10.0 A TTA CH M ENTS .................................................................................... 59 I

n v" e. n s".-J s- iov...,...s, Operations Management Triconex Document: 993754-1-915

Title:

Safet Anal sis Revision: I Page: 4 of 59 Date: 10/24/2012 LIST OF FIGURES Figure 1 - Scope of Safety Analysis................................................................................................................................ 7 Figure2 - Identification of TOP LEVEL HAZARD .................................................................................................... 11 Figure3 - FTA Diagram (Top Level Hazard)....................................................................................... 13 Figure4 - FTA Diagram (HazardGroup 1) .................................................................................................................. 13 Figure5 - FTA Diagram (Event Group 1-1) .................................................................................................................. 14 Figure 6- FTA Diagram (Event Group 1-2) .................................................................................................................. 14 Figure 7- FTA Diagram (Event Group 1-3) .................................................................................................................. 15 Figure8 - FTA Diagram (Event Group 1-4) ........................................................................................................... 15 Figure9 - FTA Diagram (Event Group 1-5) .................................................................................................................. 16 Figure 10 - FTA Diagram (Event Group 1-6) ........................................................................................................... 16 Figure 11 - FTA Diagram(Event Group 1-7) ......................................................................................................... 17 Figure 12 - FTA Diagram (Event Group 1-8) ........................................................................................................... 17 Figure 13 - FTA Diagram (Event Group 2) ................................................................................................................... 18 Figure 14 - FTA Diagram (Event Group 3) .................................................................................................................. 18 Figure 15 - Interfaces between Tricon and external/internalsystems/devices ..................................................... 39 Figure 16 - ExternalOnline Access without OOS activation................................................................................. 46 Figure 17- Online Maintenance with OOS activation........................................................................................... 47 Figure 18 - Hazard #3 Illustration............................................................................................................................... 53 LIST OF TABLES Table 1. Design and Instrument Class.......................................................................................................................... 12 Table 2. Preliminary Hazard List .................................................................................................................................. 19 Table 3. Preliminary Hazard List Results...................................................................................................................... 36 Table 4. Interface Specification.................................................................................................................................... 41 Table 5. List of Interface Hazard.................................................................................................................................. 44 Table 6. ApplicationSoftware Integrity Level ......................................................................................................... 48 Table 7. List of Hazards................................................................................................................................................ 51 Table 8. List of Risk Assessm ents ................................................................................................................................. 55 I

n V e. n s". s i" V. n s'.ws" Operations Management Triconex Document: 993754-1-915

Title:

Safety Anal sis Revision: 1 Page: 5 of 59 Date: 10/24/2012 1.0 Introduction The Pacific Gas & Electric Company (PG&E) Westinghouse Eagle 21 Process Protection System (E21 PPS) for Diablo Canyon Power Plant (DCPP) Units I and 2 is to be replaced with the new Invensys Tricon-based Process Protection System (PPS). The new DCPP PPS is capable of monitoring the required parameters, comparing them against set points and providing signals to the external interfaces if operating limits are exceeded. The PPS comprises four Protection Sets. The Protection Sets (I through IV) each comprises three main hardware components such as the Tricon VI10, the Westinghouse Advanced Logic System (ALS) platform, and the Maintenance Workstation (MWS).

The PPS will provide:

" Trip and actuation signals to the Solid State Protection System (SSPS) for initiating reactor trip and or ESFAS actuation

Analog output of plant parameters to the Main Control Room (MCR) for recording and/or indication

Plant parameters to the Plant Process Computer (PPC) for monitoring

Output signals to the Main Annunciator System (MAS) for alarming The primary functionality provided by the new PPS will include:

Monitor Reactor Coolant System Temperature and Pressure, S/G Level and Pressurizer Level

Provide signal isolation for process inputs(without processing)

Perform Safety functions

Signal Reactor Trips and/or ESFAS actuations This functionality will be implemented in four TriStation Application Programs (TSAPs),

one for each of the four separate PPS Protection Sets. The TSAPs will be downloaded to and executed by the Tricon 3008N main processors.

The PPS is classified as nuclear safety-related (Class IE).

1.1 Purpose This report documents the methodology and results of the Safety Analysis. The Safety Analysis report consists of the Interface Analysis, the Criticality Analysis, the Hazard Analysis, and the Risk Analysis. Based on the guidance of IEEE Std 1012-1998

[Reference 2.3.6], the Safety Analysis is created at the Requirement Phase of the DCPP PPS project and updated incrementally in the subsequent Design Phase, Implementation Phase and Test Phase.

The Interface Analysis is a structured evaluation of the software interfaces with hardware, user, and other PPS components for potential hazards resulting from insufficient interface definitions and/or poor interface design.

2 in v e. n s". s inV e.n s'.ws" Operations Management Triconex Document: 993754-1-915

Title:

Safety Anal sis Revision: I Page: 6 of 59 1 Date: 10/24/2012 The Criticality Analysis is a structured evaluation of the assigned Software Integrity Level (SIL) of the PPS software with regard to undesirable consequences resulting from an incorrect SIL assigned to the deliverables.

The Hazard and Risk Analyses are qualitative or quantitative evaluations of the Protection Set software for undesirable outcome(s) resulting from development defects or erroneous operation of the PPS. The possible outcome(s) include injury, illness, death, mission failure, economic loss, property loss, environmental loss, or adverse social impact. The evaluation includes screening or analysis methods to categorize, eliminate, reduce, and/or mitigate hazards.

The analyses will be used together to examine the role of Tricon Protection Set software in the overall PPS system and its impact on the operation of the PPS. The ultimate objectives of the Safety Analysis program are to identify and correct deficiencies and to provide information on the necessary safeguards to prevent failure and/or mitigate deleterious consequences.

1.2 Scope The scope of this Safety Analysis is limited to the delivered PPS equipment as defined in the Software Requirements Specification (SRS). However, as the Preliminary Hazard Analysis (PHA) has wider coverage, certain aspects of the analysis will contain information that falls outside the delivered system. Information of this nature will be identified as such.

The delivered system can be broken into hardware and software. Analysis of the V10 Tricon hardware is discussed in details in the Failure Modes and Effects Analysis (FMEA) for the platform [Reference2.2.2] and NTX-SER-09-10 [Reference 2.2.12]. FMEA for DCPP PPS configuration will be developed later in a separate document.

Figure 1 illustrates the scope of Safety Analysis. Only safety impact of the Tricon Protection Set software (also called TSAP) will be addressed in this Safety Analysis.

Safety impact of the Westinghouse Advanced Logic System (ALS) software and the Maintenance Workstation (MWS) software are not within the scope of this Safety Analysis.

The scope of the Safety Analysis is discussed in depth in the associated, subsequent subsections under Interface, Hazard, Criticality and Risk Analysis.

I

in Ve.n s'.4 s" i ve.n s'.w s" Operations Management Triconex Document: 993754-1-915

Title:

Safety Analsis Revision: 1 Page: 7 of 59 1 Date: 10/24/2012 ALS MWS FPGA Application Software I task I task I task Legend: Software and Tasks In-Scope of Safety Analysis m Software Out-Of-Scope of Safety Analysis Figure I - Scope of Safety Analysis I

in V'e. n s'.%- s" inV'e.ns'.w" Operations Management Triconex I Document: 993754-1-915

Title:

Safety Analysis Revision: I Page: 8 of 59 Date: 10/24/2012 2.0 References 2.1 PPS Documents 2.1.1 Pacific Gas & Electric Company Diablo Canyon Power Plant Units I & 2 Process Protection System Replacement Conceptual Design Document Rev 4 2.1.2 PPS Interface Requirements Specification Rev 6 2.1.3 08-0015-SP-001, PPS Functional Requirements Specification Rev 5 2.1.4 1011 5-J-NPG, PPS Controller Transfer Functions, Rev 1 2.2 Invensys Documents 2.2.1 7286-545-1, V10 Tricon Topical Report- Application Guide, Appendix B 2.2.2 9600164-53 1, Failure Modes and Effects Analysis (FMEA) for Tricon version 10.2 Programmable Logic Controller 2.2.3 9600164-532, Reliability / Availability Study for Tricon version 10 Programmable Logic Controller 2.2.4 9600164-535, Software Qualification Report 2.2.5 9700100-012, TriStation 1131 Developer's Workbench 2.2.6 9700114-001, Application Guide for the TCM 2.2.7 993754-1-802, Software Verification and Validation Plan 2.2.8 993754-11-809, PPS Software Requirements Specification Protection Set I 2.2.9 993754-11-809, PPS Software Requirements Specification Protection Set 1I 2.2.10 993754-11-809, PPS Software Requirements Specification Protection Set III 2.2.11 993754-11-809, PPS Software Requirements Specification Protection Set IV 2.2.12 NTX-SER-09-10, Tricon VI0 Conformance to ISG-04 2.2.13 993754-1-817, Maximum TSAP Scan Time 2.3 Miscellaneous Documents 2.3.1 CEI/IEC 300-3-9, Dependability Management, Part 3 - Section 9: Risk Analysis of Technological Systems 2.3.2 NUREG-0492, Fault Tree Handbook 2.3.3 NUREG/CR-6430, Software Safety Hazard Analysis 2.3.4 Regulatory Guide 1.152, Criteria for Digital Computers in Safety Systems of Nuclear Power Plants 2.3.5 IEEE Standard 379-1977, IEEE Standard Application of the Single-Failure Criterion to Nuclear Power Generating Station Safety Systems 2.3.6 IEEE Standard 1012-1998, IEEE Standard for Software Verification and Validation I

in NV e. n s .ý s" inV e. n ..WS.

Operations Management Triconex Document: 993754-1-915

Title:

Safety Anal sis Revision: I Page: 9 of 59 1 Date: 10/24/2012 3.0 Abbreviations, Acronyms and Definitions 3.1 Abbreviations and Acronyms ALS Advanced Logic System CRC Cyclic Redundancy Code DCPP Diablo Canyon Power Plan DDE Dynamic Data Exchange Delta-T Differential (Reactor) Coolant Temperature DTTA DeltaT/Tavg (Differential Temperature & Average Temperature)

ETA External Termination Assembly FMEA Failure Modes and Effects Analysis FPGA Field Programmable Gate Array FTA Fault Tree Analysis (in the context of a Preliminary Hazard Analysis)

IEEE Institute of Electrical and Electronics Engineers I/O Input/Output IV&V Independent Verification & Validation MAS Main Annunciator System MCR Main Control Room MP Main Processor MWS Maintenance Workstation NIS Nuclear Instrument System NRC US Nuclear Regulatory Commission NUREG US Nuclear Regulatory Commission Regulation OOS Out of Service OTDT Overtemperature Delta-Temperature PHA Preliminary Hazard Analysis PHL Preliminary Hazard List PLC Programmable Logic Controller PG&E Pacific Gas & Electric Company PPC Plant Process Computer PPS Process Protection System RNARA Rack Nuclear Auxiliary Relay A RNASA Rack Nuclear Auxiliary Safeguards A RTD Resistance Temperature Detector I

in Ve.lns-.* s" i n v'e. r s.w

- s" Operations Management Triconex Document: 993754-1-915

Title:

Safet AnalsisI Revision: I Page: 10 of 59 1 Date: 10/24/2012 1 RXM Remote Extender Modules SIL Software Integrity Level SRS Software Requirements Specification SSPS Solid State Protection System TCM Tricon Communication Module TS 1131 TriStation 1131 Developer Workbench TSAA Tricon System Access Application TSAP TriStation Application Program TSX Tricon Operating System 3.2 Definitions Accident An undesired and unplanned (but not necessarily unexpected) event that results in (at least) a specified level of loss Criticality A structured evaluation of the software characteristics (e.g., safety, security, Analysis complexity, performance) for severity of impact of system failure, system degradation, or failure to meet software requirements or system objectives.

Incident An event that involves no loss (or only minor loss) but with the potential for loss under different circumstances Hazard A state or set of conditions that, together with other conditions in the environment, will lead to an accident (loss event).

Hazard Process of recognizing that a hazard exists and defining its characteristics.

Identification Risk Combination of the frequency, or probability, of occurance and the consequence of a specified hazardous event.

Risk Analysis Systematic use of available information to identify hazards and to estimate the risk to individual or populations, property or the environment.

Safety Freedom from accidents or losses.

Trip Reactor Trip or ESFAS Actuation signal.

I

~

n v'e. n s . s" i nv n. 5".ws" Operations Management Triconex Document: 993754-1-915

Title:

Safety Anal sis Revision: I Page: II of 59 Date: 10/24/2012 4.0 Preliminary Hazard Analysis The Preliminary Hazard Analysis (PHA) is performed by Invensys Operations Management IV&V engineers at the Requirements Phase based on guidance contained in NUREG/CR-6430 [Reference 2.3.3]. The PHA is updated in the Design Phase and Implementation Phase per NUREG/CR-6430, and additional hazards may be identified in the subsequent phases.

The PHA identifies possible hazards to the PPS, evaluates each of the hazards and describes their expected impact of the Invensys Tricon-based Protection Set software functionality. The expected impact of Westinghouse ALS FPGA and MWS software functionality are not within the scope of this analysis.

The PHA process uses the Fault Tree Analysis (FTA) method. The analysis is performed in the Requirements Phase of the project life cycle to identify the basic events that could potentially lead to a hazard. The process of focusing on a particular undesired event and the Fault Tree construction is based on the guidance of NUREG-0492 [Reference 2.3.2].

FTA is based on analysis of the logical system architecture illustrated in Figure 2. The FTA diagram below comprises rectangles that represent factors that could contribute to hazards and circles that represent basic events. The TOP LEVEL HAZARD is the failure of the PPS Tricon Protection Set software (TSAP):

" To send Class I trip signals to the SSPS

" To annunciate Class II Trouble/Failure Alarms at the MAS Z Z

n V'e. n s..i s" i n V'e. n s'.w s" Operations Management Triconex Document:

IRevision: I 993754-1-915 I

Title:

Pa~e: I Safet Ana9 sis 12 of 59 1 Date: I10/24/20 12 I LI Table 1. Design and Instrument Class Term Definition Electrical Class IE Design Class I electrical systems, components and equipment perform safety-related functions. Instrument Class IA and IB Category I are considered to serve Class I E functions. All other instrument classes are considered to serve non-Class IE functions.

Instrument Class IA Instrument Class IA instruments and controls are those that initiate and maintain safe shutdown of the reactor, mitigate the consequences of an accident, or prevent exceeding 10 CFR 100 off-site dose limits.

Instrument Class I1 Instrument Class II components are Design Class II devices with non-safety-related functions. However, certain Class II components are subjected to some graded quality assurance requirements.

I

n V'e. n s. s i n v e. n. s*.w s*

Operations Management Triconex IDocument:

Revision:

993754-1-915 I

Title:

Page:

Safety Analysis 13 of 59 1 Date: 10/24/2012 EIP

n v'e. n s'.! s" i n\/ex. s .w 5 Operations Management Triconex Document: 993754-1-915

Title:

SafetyAnal'sis s

Revision: 1 Page: 14 of 59 1 Date: 10/24/2012 LiZ I

n V'e. n s'.* s" i n v e. n s-.w s" Operations Management Triconex Document: 993754-1-915

Title:

Safe Anal sis Revision: I Page: 15 of 59 1 Date: 10/24/2012 LiZ I

in v'e. n s'.! s" i n Vae. n s'.w s' Operations Management Triconex Document: 993754-1-915

Title:

SafetyAnalsis Revision: I Page: 16 of 59 1 Date: 10/24/2012 wP I

in Ve.n s'.4 s" i n Ve. n s w s" Operations Management Triconex Document:

Revision:

993754-1-915 I

Title:

Page:

i Safety Analysis 17 of 59 1 Date: 10/24/2012 IPI

in v'e. n s-.- s" i nV e. nls'.w s' Operations Management Triconex i Document: I 993754-1-915

Title:

I Safety Analysis Revision: 1 Page: 18 of 59 Date: 10/24/2012 LIZ-I

in Ve. n s'.y s" i nV e. n s..w s" Operations Management Triconex Document: 993754-1-915

Title:

Safe Anal sis IRevision: I I Page: I 19 of 59 1 Date: I10/24/20 12 II I

in v'e. n s. i n. Ve.9 . .W s "

Operations Management Triconex Document: 993754-1-915

Title:

Safety Analsis Revision: I Page: 20 of 59 1 Date: 10/24/2012 I P 0

n V'e. n s'.y s" in ve. n s'.w s-Operations Management Triconex Document:

Revision:

993754-1-915 I

Title:

Page:

Safety Analsis 21 of 59 1 Date: 10/24/2012 I, PI I

i n V'e. n s'.> s" i n) e. n s-.w s" Operations Management Triconex Document:

Revision:

993754-1-915 I

Title:

Page:

SafeAnalsis 22 of 59 1 Date: 10/24/2012 I

I I PI I

i n V'e. n s'.4 s" i n Ve.n n s" Operations Management Triconex Document: 993754-1-915

Title:

Safety Analysis Revision: 1 Page: 23 of 59 1 Date: 10/24/2012 11 P I I

in V e. n s'.4 s" i nVQ s-. .W w s" Operations Management Triconex 1I II Document:

I I

Revision:

1I 993754-1-915 1I I I I

Title:

Pare:

II I

Safety Analysis 24 of 59 I Date: I 10/24/2012 I

II F P I

in Ve.n s'.4 s" inVe. n s-. s" Operations Management Triconex Document: 993754-1-915

Title:

SafetyAnalsis I Revision: I Page: 25 of 59 1 Date: 10/24/2012 [LP I

i n V'e. n s'.4 s" i q V.. n s'.w s" Operations Management Triconex Document:

Revision:

993754-1-915 I

Title:

Page:

Safety Analysis 26 of 59 1 Date: 10/24/20 12 I,I

i n v'e. n s'.* s" in V e. n s'.w s*

Operations Management Triconex Document:

Revision:

993754-1-915 1

Title:

Page:

Safe 27 of 59 Anal'sis 1 Date: 10/24/2012 EII I

n v'e. n s'.y s" inv'e. n.s. s" Operations Management Triconex Document: 993754-1-915

Title:

ýSafety Analýsis Revision: I Page: 28 of 59 1 Date: 10/24/2012

in Ve. n s'.i s" i n V e. n s .w s" Operations Management Triconex Document:

Revision:

993754-1-915 I

Title:

Page:

Safe 29 of 59 Analss 1 Date: 10/24/2012 I

1 I PI I

i nV e. n s'.y s" i nV v e. n s'.w s Operations Management Triconex Document:

Revision:

993754-1-915 I

Title:

Page:

I Safety Analsis 30 of 59 1 Date: 10/24/2012 I

1Lfl I

in Ve. n s'.! s" in Ve. l s. s" Operations Management Triconex Document: 993754-1-915

Title:

Safety Analss sl-Revision: I Page: 31 of 59 1 Date: 10/24/2012 1 I

in Ve. n s'.i s" i nVe. n s'.w s" Operations Management Triconex I Document:

Revision:

I 993754-1-915 I

Title:

Page:

I Safety Analysis 32 of 59 1 Date: 10/24/2012 I PI I

n V'e.-n s'.y1 s" i n Ve. n s.w s" Operations Management Triconex Document: 993754-1-915

Title:

Safety Analsis I Revision: I Page: 33 of 59 1 Date: 10/24/2012 11 P I

n V'e. n s'.ý s" i nV . n s5.w s" Operations Management Triconex I Document: I993754-1-915

Title:

Safety Analysis I Revision: I Page: 34 of 59 1 Date: 10/24/2012 1 I

n V'e. n s'.y s" i n V e. n s.w s" Operations Management Triconex Document:

Revision:

993754-1-915 I

Title:

Page:

Safet Analss 35 of 59 Date: 10/24/2012 I

1 P I

n V'e. n s'.4 s" i- Ve.n s*.w s" Operations Management Triconex Document: 993754-1-915

Title:

Safety Analysis Revision: 1 Page: 36 of 59 1 Date: 10/24/2012 w

I

in V" e. n s" .ý= s" in N/e. n s'.ws" Operations Management Triconex Document: 993754-1-915

Title:

ýSafety Analxsis Revision: 1 Page: 37 of 59 Date: 10/24/2012 5.0 Interface Analysis 5.1 Purpose The Interface Analysis is intended to verify and validate the requirements for the Protection Set software interfaces with hardware, user, operator, and other systems. The following criteria will be used for verifying and validating the interface requirements:

" Correctness

Consistency

" Completeness

" Accuracy

Testability See IEEE Std 1012-1998 for definition of the above criteria.

Input documents to the Interface Analysis are:

1) PPS Replacement Interface Requirements Specification (IRS) [Reference 2.1.2]

2) PPS Replacement Functional Requirements Specification (FRS)

3) Protection Set I Software Requirements Specification (SRS) [Reference 2.2.8]

4) Protection Set 11 SRS [Reference 2.2.9]

5) Protection Set III SRS [Reference 2.2.10]

6) Protection Set IV SRS [Reference 2.2.11]

There is no separate Invensys Interface Requirements Specification. It is a part of the Invensys SRS, Section 3.1 (External Interface Requirements).

The Interface Analysis is prepared based on the guidance of IEEE Std 1012-1998.

~

i n v'e.n s'.* s" i r v e. n s'.w s" Operations Management Triconex Document: 993754-1-915

Title:

Safet Analsis Revision: 1 Page: 38 of 59 Date: 10/24/2012

I n V'e. n s-.% s" i n V'e.n s'.w s" Operations Management Triconex Document: 993754-1-915

Title:

Safety Analsis Revision: I Page: 39 of 59 1 Date: 10/24/2012 I IPI

in Ve.n s'.y s" i nve. n s-.w s-Operations Management Triconex Document: 993754-1-915

Title:

Safety Analsis Revision: I Page: 40 of 59 1 Date: 10/24/2012 w'

in Ve. n s'.i s" i V'e. s'.w s" Operations Management Triconex Document: 993754-1-915

Title:

Safety Analsis Revision: I Page: 41 of 59 1 Date: 10/24/2012 IEI

n vNe. n s'.y s" i Ve.n s'.w s" Operations Management Triconex Document: 993754-1-915

Title:

Safet Anal sis Revision: I Page: 42 of 59 1 Date: 10/24/2012

i n v'e. n s'.> s" i n V e. n s'.w s" Operations Management Triconex Pagetwe: S Da t Rvso:IPg:43 of 59 1l ae 10/24/2012I

n vNe. n s'.y s" i n v'e.n s'.w s" Operations Management Triconex Document: 993754-1-915

Title:

Safet*Analss -is Revision: I Page: 44 of 59 1 Date: 10/24/20,12 IE1 I

in Ve. n s".! s" i n, V e. l. s, "

Operations Management Triconex Document: 993754-1-915

Title:

Safet AnalXsis IEI Revision: I Page: 45 of 59 1 Date: 10/24/2012

in Ve. n s.>Y S" i n V e. n s'. s" Operations Management Triconex Document: 993754-1-915

Title:

s Safety Anal'sis Revision: 1 Page: 46 of 59 1 Date: 10/24/2012 EL

in Ve.lns-.ý1 s" i n vt. n s'.w S Operations Management Triconex Document: 993754-1-915

Title:

Safety Analysis Revision: I Page: 47 of 59 1 Date: 10/24/2012 IW

n v" e. n s". s" Ve. n s*.w Operations Management Triconex Document: 993754-1-915 I

Title:

Safety Anal~sis Revision: I Page: 48 of 59 Date: 10/24/2012 6.0 Criticality Analysis 6.1 Purpose The Requirement-Phase Criticality Analysis is intended to review and verify the software integrity level of the Protection Set software components.

The Software Integrity Level (SIL) of the Protection Set software is established as SIL-4 because the functionality of the replacement PPS application software, as specified in the FRS, affects the critical performance of the nuclear-safety-related Reactor Trip and Engineered Safety Features functions.

The individual Protection Set software components at the Requirement Phase are the Invensys Software Requirements Specifications (SRS) for Protection Set I, II, III, and IV.

Because the Protection Set software was already assigned SIL-4, its SRSs must be also assigned SIL-4.

Table 6. Application Software Integrity Level Software Requirements Specifications (SRS) 14 Input documents to the Criticality Analysis are:

1) PG&E PPS IRS

2) PG&E PPS FRS

3) Invensys SRSs (Protection Set 1, II, Ill, IV)

The Criticality Analysis is prepared based on the guidance of IEEE Std 1012-1998.

6.2 Scope The scope of the Criticality Analysis is limited to reviewing and verifying the software integrity level of the Tricon Protection Set software and its individual components.

The ALS and MWS software components are not in the scope of this analysis.

6.3 Output Output of the Criticality Analysis is an IV&V Task Report and it is documented in this section.

6.3.1 Criticality Analysis Task Report The Criticality Analysis was conducted in the Requirements Phase using the four SRSs.

The evaluation criterion is to verify the SIL assignment of the SRSs for correctness. The I

in Ve.n s'.y s" i n V e. n s'.W s" Operations Management Triconex Document: 993754-1-915

Title:

Safety Anal*sis Revision: I Page: 49 of 59 1 Date: 10/24/2012 result of the evaluation is that the SIL-4 assignment is correct. No anomaly was found. It is recommended that the software components at the Design Phase be maintained at the same SIL. i.e., SIL-4.

n NI-V e. nI-I '.ý! s" i n.ave.w. '.

Operations Management Triconex Document: 993754-1-915

Title:

Safety Analsis Revision: I Page: 50 of 59 Date: 10/24/2012 7.0 Hazard Analysis 7.1 Purpose The Hazard Analysis is intended to identify the Protection Set software requirements that contribute to the PPS Replacement hazards and validate that the software addresses and mitigates each hazard.

The functional requirements within the four SRSs have been analyzed with guidance from IEEE Std 1012-1998 and NUREG/CR-6430, Section 3.

Input documents to the Hazard Analysis are:

1) PG&E PPS IRS

2) PG&E PPS FRS

3) Invensys SRSs (Protection Set 1, II, III, IV)

4) Invensys Maximum TSAP Scan Time [Reference 2.2.13]

7.2 Scope The scope of the Hazard Analysis is limited to analyzing the Tricon Protection Set requirements that could potentially cause system hazards.

The ALS-related functional or performance requirements are not evaluated for hazards in this analysis.

The functional and performance requirements that specify the MWS in normal operation are not evaluated for hazards in this analysis.

7.3 Output Outputs of the Hazard Analysis are an IV&V Task Report and a set of hazard lists. The Task Report is documented in this section.

I

i n v'e. n s'., s" i nv e. n s-.w 5" Operations Management Triconex Document: 993754-1-915

Title:

Safet Anal sis Revision: I Page: 51 of 59 1 Date: 10/24/2012 w

i i n V'e. n s'.* s" i n. V e. n. s..w s-Operations Management Triconex Document: 993754-1-915

Title:

Safet Analxsis Revision: I Page: 52 of 59 1 Date: 10/24/2012 IEI I

in v'e. n s'.4 s" i nV e. n s'.w s" Operations Management Triconex Document: 993754-1-915

Title:

Safety Anal*sis Revision: 1 Page: 53 of 59 1 Date: 10/24/2012

i n V" e. n s" .ý s" i nVe.n s-.w-Operations Management Triconex Document: 993754-1-915

Title:

Safety Anal sis Revision: I Page: 54 of 59 Date: 10/24/2012 8.0 Risk Analysis 8.1 Purpose The Risk Analysis is intended to review and evaluate the frequency of occurrence and the severity of the consequence(s) associated with a hazard. The analysis also provides recommendations to eliminate or mitigate the risks.

Input documents to the Risk Analysis are:

1) PG&E PPS IRS

2) PG&E PPS FRS

3) Invensys SRSs (Protection Set I, 11, Ill, IV)

4) The Hazard Lists, Section 7.0 and Section 5.0 The Risk Analysis is prepared based on the guidance of IEEE Std 1012-1998 and CEI/IEC 300-3-9-1995 [Reference 2.3.1].

8.2 Scope The scope of the Risk Analysis is limited to evaluating the risks related to the Tricon Protection Set software hazards.

The ALS-related risks are not evaluated in this analysis.

The MWS-related risks in normal operation are not evaluated in this analysis.

in Ve. n s'.- s" i n V e. n s'.w s" Operations Management Triconex Document: 993754-1-915

Title:

Safety Analýsis Revision: I Page: 55 of 59 1 Date: 10/24/2012 8.3 Output Outputs of the Risk Analysis are an IV&V Task Report and a list of risk assessments. The Task Report is documented in this section.

ELI I

I i n V'e. n s'.u s" inV .e.ns'.w s" Operations Management Triconex Document: 993754-1-915

Title:

Safe Anal'sis I Revision: 1 Page: 56 of 59 1 Date: 10/24/2012

in V'e. n s'.5=1 s" i n. V'e. n. s'. s Operations Management Triconex Document: 993754-1-915

Title:

Safety Analsis -

Revision: 1 Page: 57 of 59 Date: 10/24/2012

i n V'e. n s'., s" in V e. n s'.w s" Operations Management Triconex Document: 993754-1-915

Title:

Safety Analýsis Revision: 1 Page: 58 of 59 Date:

D 10/24/2012 9.0 Conclusions It is the recommendation of this Safety Analysis that the subsequent actions should be taken:

I

. A list of hazards identified during the safety analysis of the reouirements definitions will be monitored in the Design phase.

S The identified hazards will be mitigated by adequate design elements.

S The recommendations for safety-constraint design will not be required.

I

in Ve. n s'.* s" i n V e. fi s'.w s Operations Management Triconex Document: 993754-1-915

Title:

Safety Analsis Revision: I Page: 59 of 59 1 Date: 10/24/2012 10.0Attachments The Hazard Tracking List is attached below.

DCPP Hazard Trackling list.xls

DCPP PPS Hazard Tracking List Document DCPP Hazard Tracking List is the attachment to the Note Safety Analysis, 993754-1-915.

Revision # 1 Author Hoan Nguyen Date 24-Oct-12 Revision History Date Change Fp--I Page 1 of 3

w--P Page 2 of 3

Page 3 of 3 Attachments 8-13 to the Enclosure contain Proprietary Information - Withhold Under 10 CFR 2.390 Enclosure Attachment 8 PG&E Letter DCL-12-120 Invensys Operations Management Document "993754-1-801, Revision 1, Process Protection System Replacement Diablo Canyon Power Plant Software Quality Assurance Plan (SQAP)"

(Invensys Operations Management Proprietary)