ML12170A866


6/13/2012 Summary of Meeting Via Teleconference with Pacific Gas and Electric Company to Discuss Digital Replacement of Process Protection System at Diablo Canyon Power Plant, Units 1 and 2
Site: Diablo Canyon, Pacific Gas & Electric
Issue date: 06/27/2012
From: Joseph Sebrosky
Plant Licensing Branch IV
To:
Pacific Gas & Electric Co
Sebrosky J
References
TAC ME7522, TAC ME7523


Text

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

June 27, 2012

LICENSEE: Pacific Gas and Electric Company

FACILITY: Diablo Canyon Power Plant, Unit Nos. 1 and 2

SUBJECT: SUMMARY OF JUNE 13, 2012, TELECONFERENCE MEETING WITH PACIFIC GAS AND ELECTRIC COMPANY ON DIGITAL REPLACEMENT OF THE PROCESS PROTECTION SYSTEM PORTION OF THE REACTOR TRIP SYSTEM AND ENGINEERED SAFETY FEATURES ACTUATION SYSTEM AT DIABLO CANYON POWER PLANT (TAC NOS. ME7522 AND ME7523)

On June 13, 2012, a Category 1 teleconference public meeting was held between the U.S. Nuclear Regulatory Commission (NRC) and representatives of Pacific Gas and Electric Company (PG&E, the licensee) at NRC Headquarters, One White Flint North, 11555 Rockville, Maryland. The purpose of the teleconference meeting was to discuss the license amendment request (LAR) submitted by PG&E on October 26, 2011, for the Digital Replacement of the Process Protection System (PPS) Portion of the Reactor Trip System and Engineered Safety Features Actuation System at Diablo Canyon Power Plant, Unit Nos. 1 and 2 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML113070457). A list of attendees is provided in Enclosure 1.

The teleconference meeting is one in a series of publicly noticed teleconference meetings to be held periodically to discuss issues associated with the NRC staff's LAR review. Preliminary issues that the NRC staff identified during the initial review, and the licensee's responses to these preliminary issues, were discussed during the teleconference meeting. The list of preliminary issues is provided in Enclosure 2.

Items 16, 17, and 22 in Enclosure 2 relate to questions associated with the PPS factory acceptance testing (FAT). Subsequent to the last public meeting on the subject, which occurred on May 16, 2011, the NRC staff provided a document with comments to the licensee for its consideration related to the FAT. The staff's comments are provided in Enclosure 3. The staff indicated that any questions related to the FAT would be formally sent to the licensee as requests for additional information (RAIs).

The NRC staff and licensee confirmed that the next meeting on this topic would be held on July 11, 2012. There were several action items associated with the meeting. Specifically, the NRC took the following as action items:

  • Schedule the next public meeting for July 11, 2012.
  • Formally issue RAIs associated with the Phase 1 documentation that the NRC staff has reviewed.

  • Check the status for open item 20 in Enclosure 2 and update the status for items that have RAIs that are issued or are in the process of being issued.
  • Check on open item 34 in Enclosure 2 because of similarity to open items 16 and 23 in Enclosure 2. If there are differences in the open items, provide more specifics. If the items are the same, delete the duplicate entry.
  • Arrange a phone call with Westinghouse to discuss the Advanced Logic Systems (ALS) schedule for issuing the topical report safety evaluation report (SER) that is referenced in the PG&E LAR. The purpose of the phone call is to determine the schedule for the completion of this review and identify what effect, if any, the ALS topic report SER schedule will have on the PG&E LAR review.

PG&E took the following as action items:

  • Provide a status of the phase 2 ALS documents.
  • Provide a matrix for phase 2 documents similar to what was done for the phase 1 documents in accordance with Digital Instrumentation and Controls (DI&C)-ISG-06, "Task Working Group #6: Licensing Process, Interim Staff Guidance, Revision 1," dated January 19, 2011 (ADAMS Accession No. ML110140103). The phase 1 matrix is available as Enclosure 3 of a meeting summary dated February 29, 2012 (ADAMS Accession No. ML120590119).
  • In response to open item 20, PG&E agreed to place additional documents on the SharePoint site for the NRC staff to view in order to better understand the design.

If the staff determines that the documents need to be placed on the docket, the documents will be requested through the RAI process. The documents requested included a functional block diagram of the input output devices for the PPS.

Docket Nos. 50-275 and 50-323

Enclosures:

1. List of attendees
2. Staff identified issues
3. Staff comments associated with PPS FAT

cc w/encls: Distribution via Listserv

LIST OF ATTENDEES
JUNE 13, 2012, TELECONFERENCE MEETING WITH PACIFIC GAS AND ELECTRIC COMPANY REGARDING DIABLO CANYON POWER PLANT DIGITAL UPGRADE
DOCKET NOS. 50-273 AND 50-323

NAME / ORGANIZATION
Ken Schrader / Pacific Gas and Electric
Scott Patterson / Pacific Gas and Electric
John Hefler / Altran
J. Rengepis / Altran
J. Basso / Westinghouse
W. Odess-Gillet / Westinghouse
Roman Shaffer / Invensys/Triconex
Rich Stattel / U.S. Nuclear Regulatory Commission
Bill Kemper / U.S. Nuclear Regulatory Commission
Rossnyev Alvarado / U.S. Nuclear Regulatory Commission
Joe Sebrosky / U.S. Nuclear Regulatory Commission
Shiattin Makor / U.S. Nuclear Regulatory Commission
Gordon Clefton / Nuclear Energy Institute

Enclosure 1

Enclosure 2

DCPP PPS Open Item Summary Table, June 11, 12
Columns: No; Src/RI; Issue Description and PG&E response; Status; RAI No. (Date Sent); RAI Response (Due Date); Comments

No: 001
Src/RI: AR (BD)
Status: Closed
RAI No. (Date Sent): RAI# 19

Comments:

4/18/2011 - Staff reviewed time response calc on share point and agrees that this is the correct information to support the SE. Requested that these calcs be docketed.

Response received April 2, 29, 2012. Staff will review and discuss further if needed at subsequent telecom meeting.

Response acceptable; waiting on PG&E to provide the time response calculation for the V10 Tricon PPS Replacement architecture by April 16, 2012.

Response time calc received. Letter: (ML12131A513) Calc: (ML12131A512)

Issue Description:

[ISG-06 Enclosure B, Item 1.3] Deterministic Nature of Software: The Diablo Canyon Specific Application should identify the board access sequence and provide corresponding analysis associated with digital response time performance. This analysis should be of sufficient detail to enable the NRC staff to determine that the logic-cycle;

a. has been implemented in conformance with the ALS Topical Report design basis,
b. is deterministic, and
c. the response time is derived from plant safety analysis performance requirements and in full consideration of communication errors that have been observed during equipment qualification.

As stated in the LAR, information pertaining to response time performance will be submitted as a Phase 2 document. Please ensure this matter is addressed accordingly.

PG&E response:

ALS

Diablo Canyon PPS document 6116-00011, "ALS System Design Specification", Section 7.5, identifies the ALS board access sequence and provides an analysis associated with digital response time performance.

a. The Diablo Canyon PPS ALS system is configured in accordance with the qualification requirements of the ALS platform topical report,
b. The analysis in Diablo Canyon PPS document 6116-00011, "ALS System Design Specification", Section 7, describes a logic cycle that is deterministic.
c. The requirements for the response time of the PPS processing instrumentation (from input conditioner to conditioned output signal) is specified as not to exceed 0.409 seconds in Section 3.2.1.10 of the "Diablo Canyon Power Plant Units 1 & 2 Process Protection System Replacement Functional Requirements Specification (FRS)", Revision 4 submitted as Attachment 7 of the LAR. In Section 1.5.8 of the "Diablo Canyon Power Plant Units 1 & 2 Process Protection System Replacement Interface Requirements Specification (IRS)", Revision 4, submitted as Attachment 8 of the LAR, the 0.409 seconds PPS processing instrumentation response time is allocated between the ALS and Tricon as follows:

ALS: 175 ms for RTD processing
Tricon: 200 ms
Contingency: 34 ms

The 0.409 seconds PPS processing instrumentation value is the same as the value that is currently allocated to PPS processing instrumentation. As long as the 0.409 second PPS processing instrumentation value is not exceeded, the total response time values assumed in the plant safety analyses contained in FSAR Table 15.1-2 will not be exceeded; 7 seconds for Overtemperature ΔT RT and Overpower ΔT RT functions, 2 seconds for High pressurizer pressure RT, Low pressurizer pressure RT, and Low Low SG water level RT functions, 1 second for Low reactor coolant flow RT function, 25 seconds for Low pressurizer pressure, High containment pressure, and Low steam line pressure Safety Injection initiation, 60 seconds for Low low SG water level auxiliary feedwater initiation, 18 seconds for High containment pressure, Low pressurizer pressure, and Low steam line pressure Phase A containment isolation, 48.5 seconds for High High containment pressure containment spray initiation, 7 seconds for High High containment pressure steam line isolation, 66 seconds for High High SG water level auxiliary feedwater isolation, and 8 seconds for Low steam line pressure steam line isolation.

The ALS response time will be verified as part of the FAT and the results will be included in the FAT summary report to be submitted by 12/31/12.

Tricon

Invensys provided detailed information on the deterministic operation of the V10 Tricon in Invensys Letter No. NRC V10-11-001, dated January 5, 2011.

In support of the V10 Tricon safety evaluation, Invensys submitted document 9600164-731, Maximum Response Time Calculations, describing the worst-case response time for the V10 Tricon Qualification System. Included in document 9600164-731 are the standard equations for calculating worst-case response time of a given V10 Tricon configuration. The time response calculation for the V10 Tricon PPS Replacement architecture was submitted on April 30, 2012. The System Response Time Confirmation Report, 993754-1-818, will be submitted to the staff as part of the ISG-06 Phase 2 submittals at the completion of factory acceptance testing of the V10 Tricon PPS Replacement.

The Tricon response time will be verified as part of the FAT and the results will be included in the FAT summary report to be submitted by 12/31/12.

Licensee representatives stated that PG&E will provide the Tricon Time response calc's in a document submitted on the docket.

No: 002
Src/RI: AR (RA)
Status: Closed
RAI No. (Date Sent): N/A

Comments:

4/23/2011 - Staff has confirmed that the new version of the ALS SWP is available for review.

Response received April 2, 29, 2012. Staff will review and discuss further if needed at subsequent telecom meeting.

(Kemper 4/12/12) Response acceptable; the staff received the revised W/ALS PPS MP on April 2, 2012 and will review for consistency with RG 1.168.

Issue Description:

[ISG-06 Enclosure B, Item 1.4] Software Management Plan: Regulatory Guide (RG) 1.168, Revision 1, "Verification, Validation, Reviews and Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," dated February 2004 endorses IEEE (Institute of Electrical and Electronics Engineers) 1012-1998, "IEEE Standard for Software Verification and Validation," and IEEE 1028-1997, "IEEE Standard for Software Reviews and Audits," with the exceptions stated in the Regulatory Position of RG 1.168. RG 1.168 describes a method acceptable to the NRC staff for complying with parts of the NRC's regulations for promoting high functional reliability and design quality in software used in safety systems. Standard Review Plan (SRP) Table 7-1 and Appendix 7.1-A identify Regulatory Guide 1.168 as SRP acceptance criteria for reactor trip systems (RTS) and for engineered safety features

Westinghouse/ALS 6116-00000 Diablo Canyon PPS Management Plan, Figure 2-2, shows the Verification and Validation (V&V) organization reporting to the Project Manager. This is inconsistent with the information described in the ALS Management Plan for the generic system platform, where the V&V organization is independent from the Project Manager. This is also inconsistent with the criteria of RG 1.168 and will need to be reconciled during the LAR and ALS LTR reviews.

PG&E response:

ALS

The PPS Replacement LAR referenced Westinghouse document 6116-00000 Diablo Canyon PPS Management Plan, dated July 25, 2011, that was based on CSI document 6002-00003 ALS Verification and Validation Plan, Revision 4. CS Innovations subsequently submitted a revised V&V plan, "6002-00003 ALS Verification and Validation Plan", Revision 5, on November 11, 2011, that revised the required V&V organization structure such that the management of the verification personnel is separate and independent of the management of the development personnel. The Westinghouse 6116-00000 Diablo Canyon PPS Management Plan was revised to require a V&V organization structure in which the management of the verification personnel is separate and independent of the management of the development personnel. PG&E submitted the revised Westinghouse 6116-00000 Diablo Canyon PPS Management Plan, Revision 1, document on April 2, 2012.

No: 3
Src/RI: AR (RA)
Status: Closed
RAI No. (Date Sent): N/A

Comments:

Response received April 2, 2012. Staff will review and discuss further if needed at subsequent telecom meeting.

Status: Fig. 3 of the PPS SWP (Pg. 16/46) indicates sufficient organizational independence between the Nuclear Delivery (Design) Organization and the IV&V Organization.

Fig. 3 of the PPS PMP (993754-1-905) (pg. 22/81) also denotes the DCPP PPS project organization, and provides sufficient independence between the ND and IV&V Organizations.

Close the Invensys part of the OI.

W/ALS response acceptable; (Kemper 4/12/12) the staff received the revised W/ALS PPS MP on April 2, 2012 and will review for consistency with RG 1.168.

Issue Description:

[ISG-06 Enclosure B, Item 1.9] Software V&V Plan: The ALS V&V plan states that Project Manager of the supplier is responsible for providing directions during implementation of V&V activities. Also, the organization chart in the Diablo Canyon PPS Management Plan shows the IV&V manager reporting to the PM.

The ALS V&V plan described in ISG-6 matrix for the ALS platform and the Diablo Canyon PPS Management Plan do not provide sufficient information about the activities to be performed during V&V. For example, the ALS V&V Plan states that for project specific systems, V&V activities are determined on a project by project basis and are described in the project Management Plan, in this case, 6116-00000, "Diablo Canyon PPS Management Plan." However, the 6116-00000 Diablo Canyon PPS Management Plan states: "See the ALS V&V Plan for more information and the interface between the IV&V team and the PPS Replacement project team."

The Triconex V&V plan states that the Engineering Project Plan defines the scope for V&V activities. As mentioned before, the Triconex EPP is not listed in the ISG-6 matrix.

These items will need further clarification during the LAR review to demonstrate compliance with Regulatory Guide (RG) 1.168, Revision 1, "Verification, Validation, Reviews and Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants,"

PG&E response:

ALS

The Westinghouse 6116-00000 Diablo Canyon PPS Management Plan was revised to include details on how the IV&V team has an independent organizational reporting structure from the design and implementation team; the Scottsdale Operations Director and the ALS Platform & Systems Director report to different Westinghouse Vice Presidents. The IV&V Manager and Scottsdale Operations Director both report to the same Westinghouse Vice President, but via independent reporting structures. Description of 6116-00000 Diablo Canyon PPS Management Plan V&V was also revised to add information on the activities being performed for the V&V.

PG&E submitted the revised Westinghouse 6116-00000 Diablo Canyon PPS Management Plan that includes the above changes on April 2, 2012.

Tricon

The organizational structure of Invensys Operations Management comprises, in part, Engineering and Nuclear Delivery. Each of these organizations plays a specific role in the V10 Tricon application project life cycle. Invensys Engineering is responsible for designing and maintaining the V10 Tricon platform, and Nuclear Delivery is responsible for working with nuclear customers on safety-related V10 Tricon system integration projects. Invensys Engineering department procedures require "Engineering Project Plans (EPP)," whereas Nuclear Delivery department procedures require "Project Plans." Invensys Engineering is not directly involved in system integration, but Nuclear Delivery may consult with Engineering on technical issues related to the V10 Tricon platform.

The NRC applied ISG-06 to the V10 Tricon safety evaluation. Invensys submitted a number of documents pertaining to the design of the V10 Tricon platform as well as process and procedure documents governing Invensys Engineering activities, including the EPP. In most cases, these platform-related documents are preceded with document number 9600164. The platform-level documents reviewed by the staff during the V10 Tricon safety evaluation will not be resubmitted by Nuclear Delivery during application-specific system integration projects.

In support of the PG&E LAR for the DCPP PPS Replacement, Invensys Nuclear Delivery is required to submit the application design documents as defined in ISG-06. These project documents are preceded by document number 993754. The Phase 1 submittal under Invensys Project letter 993754-026T, dated October 26, 2011, contained, in part, the following:

PPS Replacement Project Management Plan (PMP), 993754-1-905. "Project Management Plan" was used to more closely match BTP 7-14 with regard to "management plans"; and

PPS Replacement Software Verification and Validation Plan (SWP), 993754-1-802.

The PMP describes the PPS Replacement Project management activities within the Invensys scope of supply. The guidance documents BTP 7-14 and NUREG/CR-6101 were used as input during development of the PMP.

With regard to compliance with RG 1.168, the PPS Replacement PMP and SWP both describe the organizational structure and interfaces of the PPS Replacement Project. The documents describe the Nuclear Delivery (ND) design team structure and responsibilities, the Nuclear Independent Verification and Validation (IV&V) team structure and responsibilities, the interfaces between ND and Nuclear IV&V, lines of reporting, and degree of independence between ND and Nuclear IV&V. In addition, the PMP describes organizational boundaries between Invensys and the other external entities involved in the PPS Replacement project: PG&E, Altran, Westinghouse, and Invensys suppliers. The combination of the PMP and SWP demonstrate compliance of the Invensys organization with RG 1.168.

No: 4
Src/RI: AR (RA)
Status: Open
RAI No. (Date Sent): N/A

Comments:

(Kemper 4-12-12) Response received April 2, 2012. Staff will review the PG&E SyCMP procedure when it arrives on May 31, 2012.

Issue Description:

[ISG-06 Enclosure B, Item 1.10] Software Configuration Management Plan: The LAR includes PG&E CF2.ID2, "Software Configuration Management for Plant Operations and Operations Support," in Attachment 12. However, the document provided in Attachment 12 only provides a guideline for preparing Software Configuration Management (SCM) and SQA plans. Though it is understood that the licensee will not perform development of software, PGE personnel will become responsible for maintaining configuration control over software upon delivery from the vendor.

The staff requires the actual plan to be used by the licensee for maintaining configuration control over PPS software in order to evaluate against the acceptance criteria of the SRP. For example, the ALS Configuration Management (CM) Plan (6002-00002) describes initial design activities related to ALS generic boards. This plan does describe the configuration management activities to be used for the development and application of the ALS platform for the Diablo Canyon PPS System. The staff requires that configuration management for this design be described in the DCPP project specific plan. These items will need further clarification during the LAR review to demonstrate compliance with BTP-14.

PG&E response:

PG&E developed a SCMP procedure to address configuration control after shipment of equipment from the vendor and submitted the SCMP on June 6, 2012, in Attachment 4 to the Enclosure of PG&E Letter DCL-12-050.

No: 5
Src/RI: AR (RA)
Status: Closed
RAI No. (Date Sent): N/A

Comments:

Response received April 2, 29, 2012. Staff will review and discuss further if needed at subsequent telecom meeting.

Tricon Next Generation Input Output (NGIO) Core software is tested and qualified as a platform component. As such, it does not need to be separately tested during the application development process.

TSAP is a Test Specimen Application Program used for purposes of platform qualification.

Invensys stated that The Diablo Canyon Application will be loaded onto plant system hardware during FAT.

Staff re-examined Invensys doc. "Validation Test Plan (VTP), 993754-1-813," Section 1.3.2 of the VTP that describes the Hardware Validation Test activities and Section 1.3.3 of the VTP and determined that the application program TSAP will be used for the FAT (Section 5.1.5 FAT)

Close this portion of the OI.

Issue Description:

[ISG-06 Enclosure B, Item 1.11] Software Test Plan: The V10 platform documents identified in ISG6 matrix state that the interface between the NGIO (Next Generation Input Output) Core Software and IO-specific software will not be tested. It is not clear when and how this interface will be tested, and why this test is not part of the software unit testing and integration testing activities.

Further, the 993754-1-813 Diablo Canyon Triconex PPS Validation Test Plan states that the DCPP's TSAP will not be loaded on the system; instead Triconex will use another TSAP for the validation test. It is not clear why the DCPP's TSAP will not be used for the validation test or when the DCPP's TSAP will be loaded on the system and validated for the Diablo Canyon PPS System. These items will need further clarification during the LAR review to demonstrate compliance with BTP-14.

PG&E response:

Tricon

The next-generation input/output (I/O) modules qualified for the V10 Tricon are the 3721N 4-20 mA, 32-point analog input (AI) module, and the 3625N 24 Vdc, 32-point digital output (DO) module. Technical data on these two modules was provided to the NRC in support of the V10 Tricon safety evaluation. Configuration and functional testing is performed when the I/O modules (hardware and embedded core firmware) are manufactured. From the factory the I/O modules are shipped to Invensys Nuclear Delivery for use in nuclear system integration projects, i.e., application specific configurations.

Because the module hardware and embedded core firmware are within the scope of the V10 Tricon safety evaluation, the verification and validation of the embedded core firmware will not be repeated as part of application-specific system integration projects.

There are certain design items that must be done with TriStation 1131 (TS1131), such as specifying which I/O module is installed in a particular physical slot of the Tricon chassis, resulting in each module having a unique hardware address in the system. Also, TS1131 is used to specify which application program parameters (i.e., program variable tagnames) are assigned to a particular point on a given I/O module. The design items configured in TS1131 will be within the scope of validation activities conducted by Invensys Nuclear IV&V for application-specific system integration projects. The necessary collateral (system build documents, configuration tables, test procedures, test results, etc.) will be submitted to the NRC to support the staff's technical review of the PPS Replacement LAR in accordance with ISG-06.

The Phase 1 submittal under Invensys Project Letter 993754-026T, dated October 26, 2011, contained, in part, the Validation Test Plan (VTP), 993754-1-813. This document describes the scope, approach, and resources of the testing activities that are required for validation testing of the V10 Tricon portion of the PPS Replacement, including:

Preparing for and conducting system integration tests
Defining technical inputs to validation planning
Defining the test tools and environment necessary for system validation testing
Scheduling (and resource loading of the schedule)

Section 1.3.2 of the VTP describes the Hardware Validation Test activities and Section 1.3.3 of the VTP describes the V10 Tricon portion of the Factory Acceptance Test activities for the V10 Tricon portion of the PPS Replacement. Details on the application program are proprietary and need to be provided to the staff separately.

No: 6
Src/RI: AR (SM)
Status: Closed
RAI No. (Date Sent): Develop a generic RAI to provide a response to ASAIs for both platforms when the SERs are issued. RA#01

Comments:

Response received April 2, 29, 2012. Staff will review and discuss further if needed at subsequent telecom meeting.

Staff agreed that PG&E should submit a separate submittal (LAR amendment) to address the ASAIs for both platforms. It is not necessary to delineate exactly what will be done for each ASAI in this OI matrix.

Issue Description:

[ISG-06 Enclosure B, Item 1.14] Equipment Qualification Testing Plans - The LAR Sections 4.6, 4.10.2.4 and 4.11.1.2 provide little information on the plant specific application environmental factors. The Tricon V10 Safety Evaluation, ML11298A246, Section 6.2 lists 19 application specific actions Items (ASAI's) that the licensee should address for plant specific applications. The licensee should address each of these for Tricon portion of the PPS replacement. Similar information for the ALS portion of the PPS replacement will also be required.

PG&E response:

ALS

PG&E will respond to ALS ASAI's when they are available.

Tricon

IN PROGRESS. All of the Application Specific Action Items will be addressed by March 21, 2012.

No: 7
Src/RI: AR (BK)
Status: Closed
RAI No. (Date Sent): Drafted RAI # 17 & 18 to obtain an answer / report to address this topic.

Comments:

(Kemper 4-12-12) Response received April 2, 29, 2012. Staff reviewed this item and still need additional information to close this item. The staff will need to review this item further during an NRC audit at the Invensys facility. All the items noted below will be the scope of the audit.

3/21/12 update: it was agreed that PG&E/Invensys and PG&E/Westinghouse/CSI would provide a report (LAR supplement) to explain how these two issues will be resolved and submit to NRC. Date to be provided TBD.

Waiting for the V10 Tricon portion of the PPS Replacement Failure Modes and Effects Analysis, an ISG-06 Phase 2 document to be submitted to NRC in May 2012.

3/21/12 Update: PG&E/Invensys needs to provide a technical explanation of how the MP3008N processor actually ignores all commands when in RUN - address the items in the OI.

4/4/12 Update: Need to explain how this message format works to reject messages from the Tristation when in RUN??

Issue Description:

[ISG-06 Enclosure B, Item 1.16] Design Analysis Reports: The LAR does not appear to comply with the SRP (ISG-04) regarding the connectivity of the Maintenance Work Station to the PPS. The TriStation V10 platform relies on software to effect the disconnection of the TriStation's capability to modify the safety system software. Based on the information provided in the LTR, the NRC staff determined that the Tricon V10 platform does not comply with the NRC guidance provided in ISG-04, Highly Integrated Control Rooms-Communications Issues, (ADAMS Accession No. ML083310185), Staff Position 1, Point 10, hence the DCPP PPS configuration does not fully comply with this guidance.

In order for the NRC staff to accept this keyswitch function as an acceptable deviation to this staff position, the staff will have to evaluate the DCPP PPS specific system communications control configuration--including the operation of the keyswitch, the software affected by the keyswitch, and any testing performed on failures of the hardware and software associated with the keyswitch. The status of the ALS platform on this matter is unclear at this time and will be resolved as the ALS LTR review is completed.

Moreover, the Tricon V10 system Operational Mode Change (OMC) keyswitch does change operational modes of the 3008N MPs and enables the TriStation 1131 PC to change parameters, software algorithms, etc, related to the application program of the safety channel without the channel or division being in bypass or in trip. As stated in Section 3.1.3.2 of the Tricon V10 SER, the TriStation 1131 PC should not normally be connected while the Tricon V10 is operational and performing safety critical functions. However, it is physically possible for the TriStation PC to be connected at all times, and this should be strictly controlled via administrative controls (e.g., place the respective channel out of service while changing the software, parameters, etc). The LAR does not mention any administrative controls such as this to control the operation of the OMC (operational mode change) keyswitch. Furthermore, in order to leave the non-safety TriStation 1131 PC attached to the SR Tricon V10 system while the key switch is in the RUN position, a detailed FMEA of the TriStation 1131 PC system will be required to ascertain the potential effects this non-safety PC may have on the execution of the safety application program/operability of the channel or division. These issues must be addressed in order for the NRC staff to determine that the DCPP PPS complies with the NRC Staff Guidance provided in Staff Position 1, Point 11. The status of the ALS platform on this point is unclear at this time.

PG&E response:

Tricon

The OMC keyswitch controls only the mode of the V10 Tricon 3008N MPs. In RUN position the 3008N MPs ignore all commands from external devices, whether WRITE commands from external operator interfaces or program-related commands from TS1131.

The keyswitch is a four-position, three-ganged switch so that the three Main Processor (MP) modules can monitor the position of the switch independently. The Operating System Executive (ETSX) executing on the MP application processor monitors the position of the keyswitch. The three MPs vote the position of the keyswitch. The voted position of the keyswitch is available as a read-only system variable that can be monitored by the TSAP. This allows alarming the keyswitch position when it is taken out of the RUN position. TS1131 messages to and from the Tricon (i.e., ETSX executing on the MPs) are of a defined format. TS1131 messages for control program (i.e., TSAP) changes - whether download of new control programs or modification of the executing control program - are uniquely identifiable.

Such messages are received by ETSX and appropriate response provided depending upon, among other things, the position of the keyswitch. When a request from TS1131 is received by ETSX to download a new control program or modify the executing control program, ETSX accepts or rejects the request based on the voted keyswitch position. If the keyswitch is in RUN, all such messages are rejected. If the keyswitch is in PROGRAM, the Tricon is considered out of service and ETSX runs through the sequence of steps to download the new or modified control program, as appropriate.

Graphs and visual Multiple hardware and software failures would have to occur on the V1 0 presentation of Tricon (in combination with human-performance errors in the control room these concepts and at the computer with TS 1131 installed) in order for the application would be helpful.

program to be inadvertently reprogrammed. Therefore, there is no credible single failure on the V10 Tricon that would allow the safety-related This issue will also application program to be inadvertently programmed, e.g., as a result of have to be unexpected operation of the connected computer with TS 1131 installed on it.

addressed for the ALS platform.

The above conclusion will be confirmed (for the V10 Tricon portion of the PPS Replacement) in the Failure Modes and Effects Analysis, an ISG-06 Phase 2 document planned for submittal to NRC in May 2012. Additionally, Invensys Operations Management will support the staff's review of the PG&Ellnvensys hardware and software associated with the OMC keyswitch by making all of needs to provide a the technical data available for audit.

June 11,12 DCPP PPS Open Item Summary Table Page 13 of 40

'ivo SrclRI Issue Description P&GE response: Status RAJ No. RA/ Comments (Date Sent) Response (Due Date) technical

  • TS1131 contains function blocks that allow WRITE-access to a limited set of explanation of how parameters programmed into the application software, but only for a limited the MP300BN duration after which the capability is disabled until WRITE-access is re- processor actually enabled. However, without these function blocks programmed into the ignores all application program neither the application program nor application program commands when in parameters can be modified with the OMC keyswitch in the RUN position.

RUN-address the PG&E items in the 01.

Administrative controls on use of keyswitch will be provided with commitment to include in procedures in response.

Note, TS1131 is not used to change setpoints and protection set is inoperable when keyswitch is not in RUN position.
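The gating described in the response above (voted keyswitch position, rejection of program-change messages in RUN, time-limited WRITE access) can be modelled as follows. This is an added example, not Invensys code or anything from the LAR. The 2-out-of-3 majority vote, the fail-closed handling of a split vote, the message kind names, the `GatedWrite` class, the parameter names and the `OTHER` position are all assumptions made for illustration.

```python
"""Conceptual model of keyswitch-gated program changes (added example, not vendor code)."""
from collections import Counter
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Pos(Enum):
    RUN = "RUN"
    PROGRAM = "PROGRAM"
    OTHER = "OTHER"  # stands in for the two switch positions the page does not name


# Hypothetical message kinds: the page says program-change messages are
# "uniquely identifiable" but does not give the TS1131 message format.
PROGRAM_CHANGE = frozenset({"DOWNLOAD_PROGRAM", "MODIFY_PROGRAM"})
WRITE_PARAM = "WRITE_PARAM"


def vote(readings: List[Pos]) -> Optional[Pos]:
    """Vote the three MPs' independent readings of the three-ganged switch.

    Assumption: plain 2-out-of-3 majority; None when no two MPs agree.
    """
    if len(readings) != 3:
        raise ValueError("expected one reading per Main Processor")
    pos, count = Counter(readings).most_common(1)[0]
    return pos if count >= 2 else None


@dataclass
class GatedWrite:
    """Assumed shape of an application function block granting timed WRITE access."""
    allowed: frozenset          # the limited set of writable parameters
    duration_s: float           # how long access stays enabled
    enabled_at: Optional[float] = None

    def enable(self, now: float) -> None:
        self.enabled_at = now

    def is_open(self, now: float) -> bool:
        return self.enabled_at is not None and 0 <= now - self.enabled_at < self.duration_s


@dataclass
class Executive:
    """Stand-in for the executive on the MPs that screens external messages."""
    readings: List[Pos]
    gate: Optional[GatedWrite] = None   # None: no WRITE block in the application
    log: list = field(default_factory=list)

    def voted(self) -> Optional[Pos]:
        return vote(self.readings)

    def alarm(self) -> bool:
        """Voted position is readable by the application; alarm when not RUN."""
        return self.voted() is not Pos.RUN

    def handle(self, kind: str, now: float = 0.0, param: Optional[str] = None) -> bool:
        voted = self.voted()
        if kind in PROGRAM_CHANGE:
            # Accepted only with the switch voted PROGRAM (channel out of service).
            # A split vote yields None and is rejected (fail-closed assumption).
            ok = voted is Pos.PROGRAM
        elif kind == WRITE_PARAM:
            # In RUN a write needs the gated block, a listed parameter and an open
            # window. Writes in other positions are not described on the page;
            # this model rejects them.
            ok = (voted is Pos.RUN and self.gate is not None
                  and param in self.gate.allowed and self.gate.is_open(now))
        else:
            ok = False  # unknown kinds are dropped
        self.log.append((now, kind, param, voted, ok))
        return ok


def demo() -> dict:
    """Constructed scenarios, including a single faulty switch reading."""
    R, P, O = Pos.RUN, Pos.PROGRAM, Pos.OTHER
    gate = GatedWrite(allowed=frozenset({"tuning_constant_1"}), duration_s=60.0)
    run = Executive([R, R, R], gate=gate)
    out = {
        "download_in_run": run.handle("DOWNLOAD_PROGRAM"),
        "download_one_bad_reading": Executive([R, P, R]).handle("DOWNLOAD_PROGRAM"),
        "download_in_program": Executive([P, P, R]).handle("MODIFY_PROGRAM"),
        "download_split_vote": Executive([R, P, O]).handle("DOWNLOAD_PROGRAM"),
        "write_before_enable": run.handle(WRITE_PARAM, now=90.0, param="tuning_constant_1"),
    }
    gate.enable(now=100.0)
    out["write_in_window"] = run.handle(WRITE_PARAM, now=130.0, param="tuning_constant_1")
    out["write_unlisted_param"] = run.handle(WRITE_PARAM, now=131.0, param="other_param")
    out["write_after_window"] = run.handle(WRITE_PARAM, now=161.0, param="tuning_constant_1")
    return out


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:28s} {'ACCEPT' if accepted else 'REJECT'}")
```

The `download_one_bad_reading` case is the one an FMEA reviewer would look at first: a single MP misreading the switch as PROGRAM does not change the voted position, so the request is still rejected.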

8 AR (RS) [ISG-06 Enclosure B, Item 1.21] Setpoint Methodology: The NRC staff understands that a summary of SP (setpoint) Calculations will be provided in Phase 2, however, section 4.10.3.8 of the LAR also states that PGE plans to submit a separate LAR to adopt TSTF 493. The NRC cannot accept this dependency on an unapproved future licensing action. The staff therefore expects the licensee to submit a summary of setpoint calculations which includes a discussion of the methods used for determining as-found and as-left tolerances. This submittal should satisfy all of the informational requirements set forth in ISG6 section D.9.4.3.8 without a condition of TSTF 493 LAR approval

P&GE response:

The evaluation of the setpoints for the PPS replacement will need to be performed by Westinghouse in two phases in order to provide sufficient documentation to support 95/95 setpoint values for the setpoints. This is because the NRC staff has been requesting additional information and additional data and analysis to demonstrate that the uncertainties used in the setpoint calculation have been based on a statistically sufficient quantity of sample data to bound the assumed values (to justify the confidence level of the calculation is appropriate) during recent Westinghouse projects involving setpoints. Significant information is required from the transmitter and RTD vendors, that has never been obtained before, to support development of calculations that can support 95/95 setpoint values.

The first phase of the evaluation of the setpoints will include evaluation of the PPS replacement setpoints for the Tricon and ALS architecture using expected bounding uncertainty values. A setpoint summary evaluation which includes a discussion of the methods used for determining the as-found and as-left tolerances will be submitted by May 31, 2012. This is a change to the commitment 31 in Attachment 1 to the Enclosure to the PPS Replacement LAR. The setpoint information associated with the PPS replacement is being submitted independently of the LAR for TSTF-493 and does not rely on a TSTF-493 licensing action.

The second phase of the evaluation of the setpoints will include development of Westinghouse calculations of the PPS replacement setpoints for the Tricon and ALS architecture using sufficient information from vendors to substantiate that the setpoints are 95/95 values. The Westinghouse calculations will be completed by December 31, 2012 and will be available for inspection by NRC staff in Washington DC with support provided by Westinghouse setpoint group personnel. The NRC staff inspection of Westinghouse calculations in Washington DC has been performed for another recent utility project involving setpoints.

Status: Closed. RAI No.: N/A.

Comments:

Discussed at 4/18/2011 CC. Requested that PGE add to the response a statement that the setpoint changes associated with this modification will be submitted for evaluation independently with no reliance on TSTF 439 licensing action.

(Kemper 4-12-12) Response received April 2, 29, 2012. PG&E's commitment to provide summary calc's by May 31, 2012 and not revise these setpoints via a TSTF-439 LAR addresses this OI. Close this OI.

3/7/12 update: PG&E stated that all setpoints determinations will be addressed as part of this LAR, and NOT submitted as a TSTF-493 licensing action.

3/21/12 update: The staff may choose to review the Westinghouse calculations at the Westinghouse office in Washington DC. However, if the safety finding is dependent on these calculations, then the setpoint calculations will be required to be submitted on the docket per NRC licensing procedures

9 AR (BK) LTR Safety Conclusion Scope and Applicability - Many important sections of the DCPP PPS LAR refer the reader to the ALS licensing topical report (LTR) to demonstrate compliance of the system with various Clauses of IEEE 603-1991, IEEE 7-4.3.2-2003, and ISG-04. However, many important sections of the ALS LTR state that compliance with various Clauses of these IEEE Stds and ISG-04 are application specific and refer the reader to an application specific license amendment submittal (i.e., the DCPP PPS LAR in this case). The staff has not yet had time to evaluate all the LAR information in detail and compare this information with that provided in the ALS LTR to ensure there is no missing information. However, PG&E and its contractors are encouraged to review these two licensing submittals promptly to verify that compliance with these IEEE Stds and ISG-04 are adequately addressed within both licensing documents.

P&GE response:

PG&E and Westinghouse have reviewed the LAR 11-07 and the ALS topical report to verify information is provided to justify compliance with IEEE 603-1991, IEEE 7-4.3.2-2003, and ISG-04 in either the LAR or the ALS topical report. As a result of the review, it was identified that neither the LAR nor the ALS topical report contain a matrix that documents compliance with ISG-04 Table 5-4 for the DCPP ALS platform. PG&E will submit a matrix that documents compliance with ISG-04 Table 5-4 for the DCPP ALS platform by May 31, 2012.

Status: Closed. RAI No.: No specific RAI needed for this OI. RAI #4 addresses this item as noted below in OI 15. Compliance matrix for the ALS platform.

Comments: (Kemper 4-12-12) Response received April 2, 29, 2012. The PG&E response to this item addresses the OI. Close this OI.

10 RS Plant Variable PPS Scope - In the Description section of the LAR, section 4.1.3, nine plant variables are defined as being required for RTS and section 4.1.4 lists seven plant variables that are required for the ESFAS. Three additional plant variables were also listed in section 4.10.3.4.

Some variables are not listed in section 4.10.3.4 as being PPS monitored plant parameters. It is therefore assumed that these parameters are provided as direct inputs to the SSPS and that the PPS is not relied upon for the completion of required reactor trip or safety functions associated with them. Please confirm that these plant parameters and associated safety functions will continue to operate independently from the PPS and that the replacement PPS will not adversely impact the system's ability to reliably perform these functions.

Status: Closed. RAI No.: RAI02.

P&GE response:

The PPS Replacement LAR Sections 4.1.3 and 4.1.4 describe the plant variables from which RTS and ESFAS protective functions are generated.

The initiation signal outputs to the SSPS coincidence logic are generated in the PPS or other, independent systems, or in some cases, by discrete devices. Section 4.1.3 items 6 (RCP bus UF, UV, and breaker position), 8 (Main Turbine trip fluid pressure and stop valve position) and 9 (seismic acceleration) are generated by discrete devices outside the PPS and provide direct contact inputs to the SSPS. Section 1.4 items 6 (Containment Exhaust Radiation) and 7 (RT breaker position Permissive P-4) are also generated outside the PPS and are direct contact inputs to the SSPS. The initiation signals associated with these plant parameters operate independently from the PPS. The replacement PPS will not adversely affect the reliable performance of the safety functions associated with these plant parameters.

The three signals (Wide Range RCS Temperature and Pressure and Turbine Impulse Chamber Pressure) not listed in Sections 4.1.3 and 4.1.4 are monitored by the PPS per Section 4.10.3.4. The Wide Range RCS Pressure and Temperature signals are used to generate the LTOP function described in DCPP FSAR Section 5. The PPS uses Turbine Impulse Chamber Pressure to generate an initiation signal that is used by the SSPS coincidence logic to develop Permissive P-13 as discussed in RAI 3, below.

Comments:

Neutron Flux is an input to Tricon but it is not listed in Table 4-2 "Process Variable inputs to Tricon"

Signals not associated with PPS functions will be designated as such in the SE and they will not be described since they are not in scope.

Neutron Flux should be added to Section 4.2 Table 4-2 as follows:

Neutron Flux (Power Range, Upper & Lower): Input to Overtemperature Δ Temperature (OTDT) RT; Input to Overpower Δ Temperature (OPDT) RT

11 RS Power Range NIS Function - Section 4.1.7 describes the Existing Power Range NIS Protection Functions and it states that the Power Range nuclear instrumentation provides input to the OTDT, and OPDT protection channels. It is not entirely clear whether any of the described NIS protection functions will be performed by the PPS system. Please clarify exactly what the role of the PPS system is for these NIS Protection functions.

P&GE response:

Power range analog inputs are provided by the NIS to each PPS Protection Set for use in the calculation of the Overtemperature Delta-T and Overpower Delta-T Setpoint in the Delta-T/Tavg channels. No other NIS signals interface with the PPS. The NIS Protection functions (RT and power range permissives) are generated independently by Nuclear Instrumentation bistable comparators. The NIS bistable outputs are sent directly to the SSPS and have no physical interface with the PPS.

Status: Closed*. RAI No.: N/A.

Comments:

Only PPS Functions will be described in the SE.

5/30/12 Determined that no RAI is needed for this item.

12 RS Permissive Functions - Several Permissive functions are described within the LAR. It is not clear to the staff whether any of these functions are to be performed by the PPS or if the PPS will only be providing input to external systems that in turn perform the permissive logic described in the LAR.

Section 4.1.9 states that "Settings of the bistable comparators used to develop the permissives are not affected by the PPS Replacement Project", which implies that all of these permissive functions are performed by systems other than the PPS. However, it is still unclear if this statement applies to all permissive functions described throughout the LAR or if it applies only to those permissives relating to Pressurizer Pressure. It is also possible that the permissive functions are being performed by the existing PPS and will continue to be performed by the replacement system and therefore remain "not affected" by the PPS replacement project.

Please provide additional information for the following permissive functions to clearly define what the role of the PPS system will be for each.

  • P-4 Reactor Trip
  • P-6 Intermediate Range Permissive
  • P-7 Low Power Permissive (Bypasses low Ppzr reactor trip)
  • P-8 Loss of Flow Permissive
  • P-9 Power Permissive
  • P-10 Power Range Power Low Permissive
  • P-11 Low Pressurizer Pressure SI Operational Bypass
  • P-12 No-Load Low-Low Tave Temperature Permissive
  • P-13 Turbine Low Power Permissive
  • The LAR states that "These signals are generated in the PPS"

Status: Closed. RAI No.: RAI03.

P&GE response:

Permissive function initiation signals generated within the existing PPS will continue to be performed by the replacement PPS and therefore remain "not affected" by the PPS replacement project. Permissive function initiation signals that are generated independently of the existing PPS will continue to be generated independently.

  • Permissive P6, P-8, P-9, and P-10 initiation signals are bistable comparator outputs from the independent NIS to the SSPS. There is no interface with the PPS.
  • Permissive P-4 initiation signals are direct contact inputs to the SSPS coincidence logic generated from contacts in the Reactor Trip Breakers (RTB). There is no interface with the PPS.
  • Permissive P-11, P-12, P-13, and P-14 initiation signals are generated by bistable comparator outputs generated in the PPS and sent to the SSPS.
  • Permissive P-7 is generated in the SSPS from 3 out of 4 power range NI channels (from NIS - P-10) below setpoint and 2/2 turbine impulse chamber pressure channels below setpoint (From PPS - P13).

The bistable initiation signals described above are monitored by the SSPS. The SSPS generates the Permissive when appropriate coincidence of initiation signals is detected. No SSPS permissive or safety function coincidence logic is changed by the PPS replacement project. See 13 below.

Permissives P-6, P-7, P-8, P-9, P-10, and P-13 are functionally described in FSAR Table 7.2-2. Permissives P-4, P-11, P-12, and P-14 are functionally described in FSAR Table 7.3-3.

The bistable comparator setpoints for the above-listed permissives are not expected to change at this time.

Comments: The NRC understands that all permissives are developed within the SSPS system. Permissives P11 - P14 use inputs provided by PPS system. All other permissives use inputs generated by external systems that are independent of the PPS.

13 RS P12 Permissive Contradiction - The second paragraph of section 4.1.20 describes the P-12 interlock and states that "These signals are developed in the PPS". This statement is then contradicted in the third paragraph by the following statement; "These valves are not safety-related, but are interlocked with the P-12 signal from the SSPS."

In conjunction with the response to RAI 3, please provide a resolution for this contradiction in section 4.1.20 of the LAR.

P&GE response:

The word "signals" in the referenced Section 4.1.20 sentence, "These signals are developed ... " is referring to the bistable comparator outputs which are monitored by the SSPS. The PPS does not generate the P-12 Permissive itself. The actual P-12 Permissive is generated by the SSPS when appropriate coincidence of initiation signals is detected. The SSPS output is interlocked with the valves as stated in the third paragraph of Section 4.1.20.

The LAR Section 4.1.20 is clarified by the following statement:

" ... The P-12 Permissive is developed in the SSPS based on coincidence of the P-12 bistable comparator output initiation signals from the PPS ...

Protection System Permissives (P-11 unblock SI from ALS, P13 Turbine power permissive from Tricon, and P-14 Steam Generator Level high-high from Tricon) are generated by coincident logic in the SSPS based on initiating signals (bistable outputs) from the PPS as noted in the response to OI #12. Permissive development, including initiating signals and logic coincidence, is shown in FSARU Tables 7.2-2 (RTS) and 7.3-3 (ESFAS).

The PPS does not perform coincident logic functions and does not "generate" any protection system permissives.

Status: Closed. RAI No.: N/A.

Comments:

The NRC understands that the P12 signal is generated by the SSPS using signals developed in the PPS.

5/30/2012 Determined that no RAI will be needed for this item.

14 RS Section 4.1.1 SSPS contains the following statement in the last paragraph; "Information concerning the PPS status is transmitted to the control board status lamps and annunciators by way of the SSPS control board demultiplexer and to the PPS by way of the SSPS computer demultiplexer."

Why would the PPS status need to be transmitted to the PPS as the sentence suggests in the last phrase?

Status: Closed. RAI No.: N/A.

Comments: PGE Response resolves this Open Item. Change status to Closed.

PG&E response:

The sentence in Section 4.1.1 contains a typographical error. The sentence should read:

"Information concerning the PPS status is transmitted to the control board status lamps and annunciators by way of the SSPS control board demultiplexer and to the Plant Process Computer (PPC) by way of the SSPS computer demultiplexer."

As used in the Section 4.1.1 paragraph, "PPS Status" means "PPS Channel Trip Status."

15 (BK) An ISG-04 compliance matrix for the DCPP PPS system was not submitted with, or referenced in, the LAR for the W/ALS platform. Instead the ISG-04 compliance section 4.8 of the LAR refers the reader to the ALS LTR for nearly all the points of ISG-04. Fig. 4.4 and 4.5 of the LAR indicate various 1E and non-1E communication pathways to and from ALS processor (e.g., Maintenance Work Station, plant computer, process control, port aggregator, and 4-20 ma temperature signal to Tricon processor). These are all application specific features of the PPS and the staff expects a W/CSI ALS ISG-04 document to be submitted, similar in scope and detail to the Invensys "PACIFIC GAS & ELECTRIC COMPANY NUCLEAR SAFETY-RELATED PROCESS PROTECTION SYSTEM REPLACEMENT DIABLO CANYON POWER PLANT DI&C-ISG-04 CONFORMANCE REPORT" Document No. 993754-1-912 Revision 0, to be submitted on the docket, which explains how the ALS portion of the PPS application conforms with the guidance of ISG 04.

PG&E response:

PG&E is developing the ISG-04 compliance matrix Table for the ALS platform and PG&E will submit the Table by July 31, 2012.

Status: Closed. RAI No.: Drafted RAI #4 to obtain an answer/report to address this ISG 04 compliance matrix for the ALS platform.

Comments:

(Kemper 4-4-12) No further discussion necessary until May 31, 2012.

4/4/12 update: The draft ALS ISG-04 compliance matrix on the ALTRAN Sharepoint website is not detailed enough for the staff to use in approving the ALS portion of the PPS' communications design. Suggest PG&E review the Invensys ISG-04 Doc. Document No. 993754-1-912 (-P) Revision 0, and provide guidance for an ALS document at the same level of detail.

16 (BK) Section 1.4.4 (pg. 12/38) of document 993754-1-813 Diablo Canyon Triconex PPS Validation Test Plan (VTM) states "The network equipment, including media converter, NetOptics Network Aggregator Tap, and gateway hub, and the MWS will not be within the test scope of this VTP. The Nuclear Delivery (ND) group will coordinate with Pacific Gas & Electric for system staging prior to turn over to Nuclear IV&V. The Nuclear IV&V group will confirm proper operation of network communications system interfaces before beginning testing addressed in this VTP." When, where, and what procedures will be used to test the network equipment??

PG&E response: Additional information on the PPS testing is being provided to the staff. The information on the PPS testing was updated on May 9 to address staff comments provided in the 4/18/22 conference call. The VTM will need to be updated based on the additional information. A date that the updated VTM will be submitted will be provided after feedback from the staff is received on the additional information on the PPS testing.

Status: Closed. RAI No.: RAI05.

Comments:

Received two papers discussing integration test plans for PPS system. These papers were discussed at the 4/18/2011 CC.

The staff agrees that the analog RTD signal loops may be tested separately at the Tricon FAT and at the ALS FAT to satisfy integration test requirements.

The staff expressed some concerns over the statement that "There is no [illegible] connection between the Tricon and the ALS." This appears to be a misleading statement since both systems do have connections to the common MWS. Further clarification should be provided and the statement should be revised to describe the nature of the MWS connections to each system.

A follow-up discussion was had at the 5/16/12 conference call.

The NRC staff feels that the final integration to be performed during SAT as proposed, will have to be complete and the results submitted prior to issuance of the SE.


17 (BK) Section 5.1.4.3, Hardware Validation Tests, (pg. 27/38) of document 993754-1-813 Diablo Canyon Triconex PPS Validation Test Plan (VTM) states that the ALS equipment will not be included in the FAT. Where, when, and what procedures will be used to fully test the Integrated PPS system (both Tricon V10 and ALS platforms together) be subjected to FAT.

PG&E response: Additional information on the PPS testing is being provided to the staff. The VTM will need to be updated based on the additional information. A date that the updated VTM will be submitted will be provided after feedback from the staff is received on the additional information on the PPS testing.

Status: Closed. RAI No.: RAI06.

Comments:

This issue was discussed at the 4/18/2011 CC. PGE proposed performance of separate but overlapping tests at each factory to accomplish the integration test.

The staff has some concern over the fact that the MWS's to be installed in the plant would only be tested during the Tricon FAT. A fifth MWS to be configured the same as the plant MWS's is to be used during the ALS FAT.

One option to resolve this concern may be to credit the SAT test results in the SE.

The current schedule for SAT (July 2013) does support this.

18 (BK) Software Management Plan: Regulatory Guide (RG) 1.168, Revision 1, "Verification, Validation, Reviews and Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," dated February 2004 endorses IEEE (Institute of Electrical and Electronics Engineers) 1012-1998, "IEEE Standard for Software Verification and Validation," and IEEE 1028-1997, "IEEE Standard for Software Reviews and Audits," with the exceptions stated in the Regulatory Position of RG 1.168. RG 1.168 describes a method acceptable to the NRC staff for complying with parts of the NRC's regulations for promoting high functional reliability and design quality in software used in safety systems. Standard Review Plan (SRP) Table 7-1 and Appendix 7.1-A identify Regulatory Guide 1.168 as SRP acceptance criteria for reactor trip systems (RTS) and for engineered safety features actuation systems (ESFAS).

The Invensys PPS Replacement Software Verification and Validation Plan (SVVP), 993754-1-802 does not provide a clear explanation of how the Invensys SVVP complies with IEEE 1012-1998. Please provide a cross reference table that explains how the Invensys SVVP implements the criteria of IEEE 1012-1998.

Also, the Westinghouse/ALS 6116-00000 Diablo Canyon PPS Management Plan, does not provide a clear explanation of how the CSI SVVP complies with IEEE 1012-1998. Please provide a cross reference table that explains how the W/CSI SVVP implements the criteria of IEEE 1012-1998.

PG&E response:

Westinghouse incorporated the IEEE-1012 compliance table in the ALS V&V plan document 6116-00003 in Appendix A Table A-1 and PG&E submitted the ALS V&V plan document 6116-00003 to the staff on June 6, 2012, in Attachment 7 to the Enclosure of PG&E Letter DCL-12-050.

Status: Closed. RAI No.: RAI 7&8.

Comments:

(Kemper 4/12/12) update: The staff has reviewed the Invensys IEEE 1012 compliance matrix on the PG&E/Altran sharepoint directory and it appears to be acceptable. The matrix appears to be comprehensive and indicates no exceptions to any clauses in IEEE 1012. No attempt was made to review/verify that where Invensys claims compliance with any particular Clause in the Std, that the respective section in their SVVP is acceptable - the staff will work through this as the SVVP is reviewed and evaluated for approval. Please submit the document on the docket.

This OI will remain open pending review of the Westinghouse/CSI document.

19 RS Section 4.1.1 of the LAR states that;

"The SSPS evaluates the signals and performs RTS and ESFAS functions to mitigate Abnormal Operational Occurrences and Design Basis Events described in FSAR [26] Chapter 15."

however, Chapter 15 of the DCPP FSAR does not use the terms Abnormal Operational Occurrence (AOO) or Design Basis Accident (DBE). Instead, the accident analysis in chapter 15 identifies conditions as follows;

CONDITION I - NORMAL OPERATION AND OPERATIONAL TRANSIENTS

CONDITION II - FAULTS OF MODERATE FREQUENCY

CONDITION III - INFREQUENT FAULTS

Status: Open. RAI No.: RAI9.

Comments: 3/21/12 update: PG&E has created a share point website for NRC to review PPS design drawings that will address this issue as well as OI 20 and 21. NRC staff will determine if they are needed to be submitted on the docket. PG&E will ensure the website is information is only applicable to this licensing action.

20 RS The system description provided in Section 4 of the LAR includes "functions performed by other protective systems at DCPP in addition to the PPS functions". In many cases, there is no explanation of what system is performing the functions described nor is there a clarification of whether the described functions are being performed by the PPS system.

As an example, Section 4.1.16 describes a bypass function to support testing of the high-high containment pressure channel to meet requirements of IEEE 279 and IEEE 603. The description of this function does not however, state whether this latch feature is being implemented within the PPS system or in the SSPS.

The staff needs to have a clear understanding of the functional scope of the PPS system being modified in order to make its regulatory compliance determinations. Please provide additional information such as PPS function diagrams to help the staff distinguish PPS functions from functions performed by other external systems.

PG&E Response: PPS design drawings have been provided to the staff on the Sharepoint site.

Status: Open. RAI No.: N/A.

Comments:

3/21/12 update: PG&E has created a share point website for NRC to review PPS design drawings that will address this issue. NRC staff will determine if they are needed to be submitted on the docket. PG&E will ensure the website is information is only applicable to this licensing action.

5/30/12 Determined that no RAI will be needed for this item.

21 RA Westinghouse/CSI document 6116-00005, "Diablo Canyon PPS System Test Plan," states that the ALS-102 FPGA design is changed for the DCPPS System. Further, Section 5.3.3 states: "Test as many of the ALS-102 requirements as possible."

Please identify what document describes the design verification test for this board.

PG&E response: PPS design drawings have been provided to the staff on the Sharepoint site.

Status: Open. RAI No.: RAI10.

Comments:

3/21/12 update: PG&E has created a share point website for NRC to review PPS design drawings that will address this issue. NRC staff will determine if they are needed to be submitted on the docket. PG&E will ensure the website is information is only applicable to this licensing action.

NRC - the response provided does not address the question.

No. 22 (Src/RI: BK). Status: Closed. RAI No.: RAI5.

Issue Description: Follow-on OI #5 question pertaining to the PPS VTP: Section 1.4.4 (pg. 12/38) states "The network equipment, including media converter, NetOptics Network Aggregator Tap, and gateway hub, and the MWS will not be within the test scope of this VTP. The Nuclear Delivery (ND) group will coordinate with Pacific Gas & Electric for system staging prior to turn over to Nuclear IV&V. The Nuclear IV&V group will confirm proper operation of network communications system interfaces before beginning testing addressed in this VTP." When, where, and what procedures will be used to test the network equipment??

Also, section 5.1.4 (3) Hardware Validation Tests states that the ALS equipment will not be included in the FAT (pg. 27/38). Where, when, and what procedures will be used to fully test the Integrated PPS system (both Tricon V10 and ALS platforms together) be subjected to FAT.

PG&E response:

Additional information on the PPS testing is being provided to the staff. The VTP will need to be updated based on the additional information. A date that the updated VTP will be submitted will be provided after feedback from the staff is received on the additional information on the PPS testing.

No. 23 (Src/RI: BK). Status: Closed. RAI No.: RAI11.

Issue Description: Section 4.2.13.1 of the LAR (page 85) states; "Figure 4-13 only shows one TCM installed in the Tricon Main Chassis (Slot 7L), the PPS replacement will utilize two TCM cards in each main chassis (Slots 7L and 7-R). This will provide two non-safety-related communication paths to the MWS and the PPC Gateway Computer from each Protection Set to ensure continued communications if a single TCM fails.

The NetOptics Model PA-CU/PAD-CU¹ PA-CU port aggregator network tap was approved previously by NRC for a similar application in the Oconee RPS SER Section 3.1.1.4.3 [18]. The NRC staff determined that due to the electrical isolation provided by use of fiber optic cables and the data isolation provided by the Port Tap and the Maintenance and Service Interface (MSI) in the Oconee RPS, there was reasonable assurance that a fault or failure within the Oconee Gateway computer or the Operator Aid Computer will not adversely affect the ability of the Oconee RPS to accomplish its safety functions.

During the SAT PG&E will test the Protection Set communications paths illustrated in Figure 4-13 to verify that there is no inbound communications path associated with port aggregator network tap Port 1. That is, PG&E will verify that communications from Port 1 to either the TCM on Port A or the MWS on Port B of the port aggregator network tap are not permitted.

Results of this test will be documented in final System Verification and Validation Report. Port aggregator dual in-line package (DIP) switch positions will be controlled by DCPP configuration management processes."

In order for the Staff to approve the integrated configuration of the PPS, prior to shipment of the PPS equipment to DCPP site, all communications paths will require testing on or before FAT, and before completion of the SER. This testing is typically completed during or before the PPS FAT, otherwise, the SER will not be completed until after the SAT. Please provide a test scheme/procedures that satisfies all regulatory requirements prior to or during the FAT. Otherwise, if this testing will be completed during the SAT, as stated in the LAR, please provide a detailed schedule for this testing so the NRC can revise its PPS LAR Review Plan accordingly.

¹ The NetOptics Model PAD-CU has two one-way output ports but is otherwise identical in function to the PA-CU.

PG&E response: Additional information on the PPS testing for ALS is being provided to the staff. A date the additional information will be submitted will be provided after feedback from the staff is received on the additional information on the PPS testing for ALS.

No. 24 (Src/RI: RJS). Status: Closed. RAI No.: N/A.
Comments: Item initiated on 4/23/2012. PGE Response accepted.

Issue Description:

a. Section 4.1.17 paragraph 3 discusses the protection functions associated with High-High Steam Generator Level or P-14. In this discussion it is stated that the SI signal initiates the same two functions (Turbine Trip and Feedwater Isolation) however, there is no mention of this in section 4.1.9 or in the discussion of the P-14 permissive. Please confirm that P-14 can be initiated by either High-High SG Level or by initiation of SI.

b. This same section also states that the described latched in function serves to comply with IEEE Std. 279 Section 4.16. The replacement PPS system is not being evaluated against the criteria of IEEE 279. Instead, IEEE 603-1991 is being used and the equivalent criteria is contained in section 5.2 of IEEE 603-1991. PGE needs to understand that the criteria of IEEE 279 are not relevant to this review effort.

PG&E response:

a. Turbine Trip can be initiated by either the P-14 steam generator level protection function OR by the latched Safety Injection (SI).

Section 4.1.17 describes the Steam Generator Level High-High Protection function P-14. Upon sensing high steam generator level, the PPS generates an initiation signal to the SSPS, which generates the turbine trip signal and initiates Auxiliary Feedwater when coincidence of 2 of 33 high-high level signals in any steam generator is detected.

Section 4.1.9 describes Pressurizer Protection Functions, one of which is initiation of Safety Injection through the SSPS when coincidence of 3 of 4 Pressurizer Pressure Low-Low signals from the PPS is detected. The SI actuation signal also actuates turbine trip and Auxiliary Feedwater through the SSPS, but SI is not initiated by Steam Generator Level High-High.

The P-14 protection function is initiated ONLY by Steam Generator Level High-High. Through the SSPS, P-14 will trip the turbine and actuate Auxiliary Feedwater. A SI signal will also actuate Turbine trip and Auxiliary Feedwater, among other actions. Pressurizer Protection functions do not initiate P-14 and Steam Generator Level High-High P-14 does not initiate SI.

b. PG&E intended Section 4.1 to describe the existing PPS and to apply only to the existing PPS, which complies with IEEE 279-1971.

Sections 4.2 to 4.13 of the LAR apply to the PPS Replacement.

Section 4.10.2.2 describes compliance of the PPS Replacement with IEEE 603-1991 Section 5.2. PG&E understands and appreciates that IEEE-603 applies to the PPS replacement.

No. 25 (Src/RI: RJS). Status: Closed. RAI No.: N/A.
Comments: Item initiated on 4/23/2012. PGE Response Accepted.

Issue Description: Sections 4.1.17, and 4.1.21 state that the P-9 permissive is the "Power Range at Power" function while Section 4.1.9 states that the P-10 Permissive is also called the "Power Range at Power" function. Is it correct that both of these permissives are called "Power Range at Power" and that they perform different functions?

PG&E response:

Both P-9 and P-10 are "Power Range at Power" functions; both are active when the Power Range NI channels are at power.

Permissive P-9 blocks reactor trip on turbine trip when 3 of 4 Power Range NI channels are below 50%.

Permissive P-10 is active when 2 of 4 Power Range NI channels are above 10%. Permissive P-10 is combined with Turbine Power Permissive P-13 (which is active above approximately 10% turbine load) to provide input to Permissive P-7 that allows blocking several low power reactor trips.

In effect, Permissive P-10 is the "Power Range at Power - Low" permissive and Permissive P-9 is the "Power Range at Power - High" permissive. This is consistent with the response to OI #12, above.

No. 26 (Src/RI: RJS). Status: Open. RAI No.: RAI12.
Comments: Item Initiated on 4/25/2011. Will need formal response for this item. Therefore this will be an RAI.

Issue Description: The PG&E SyQAP defines Supplier tasks that are related to assurance of software quality for each of the following phases of development;

  • Project Initiation and Planning
  • Conceptual Design
  • Requirements
  • Design
  • Implementation
  • Integration
  • Test

These phases do not align with the phases used in the ALS or Tricon development lifecycles. For instance, the Tricon SQAP defines the phases as Requirements, Design, Implementation, and Test (Validation). Because of this, it is not clear how assurance of task completion can be accomplished.

During which Tricon phases would those tasks listed under Integration, Initiation and Planning, and Conceptual Design be performed?

The ALS SQAP does not mention phases but the ALS Management plan defines the development phases as; Planning, Development, Manufacturing, System Test, and Installation.

Would it be possible for PGE to provide a mapping of Phases defined in the SyQAP to the Phases of the ALS and Tricon system development processes so that the staff can correctly identify and confirm performance of these QA tasks?


PG&E response:

PGE will provide a mapping of Phases defined in the SyQAP to the Phases of the ALS and Tricon system development processes. The determination of the location of the mapping information and date to be submitted is IN PROGRESS.

No. 27 (Src/RI: RA). Status: Open. RAI No.: RAI13.
Comments: The PQP will need to be submitted.

Issue Description: Software Management Plan

The LAR, Attachment 3, describes the project organization, roles and responsibilities for the PPS replacement project. This document does not describe oversight activities that PG&E will perform during the PPS replacement project, as well as the interface between PG&E and Invensys and WEC/CSI, and the methodology to judge quality of the vendor effort.

Please provide this information.

PG&E response:

Oversight activities for the project were discussed in Section 4.2.11, Appendix B Compliance, of the LAR that discusses the DCPP Quality Assurance Program and Procurement Control Program and states that PG&E will audit IOM and CSI during the manufacturing phase under the PG&E Nuclear Procurement Program and associated directives.

In support of the oversight activities, PG&E will issue a Project Quality Plan (PQP) that will define the oversight activities to be performed, including technical audits, cyber security audits, and software quality assurance audits.

The PQP is expected to be issued in June and will be submitted to the staff.

Following the performance of the PQP audits, audit reports will be created and a PQP Audit Summary Report will be created. PG&E will submit the PQP Audit Summary Report to the staff at the time the vendor hardware is delivered to PG&E. The vendor hardware is currently expected to be delivered to PG&E in Spring 2013.

The PQP audit reports will not be submitted but will be made available to the NRC staff for review.

No. 28 (Src/RI: RA). Status: Open. RAI No.: N/A.

Issue Description: Software Management Plan

The LAR, Attachment 3, states that PG&E is responsible for the following activities in the lifecycle: project initiation and planning phase, conceptual design phase, requirements phase, installation and checkout phase, operation phase, and maintenance phase. Further, Section 3.1.10 states that PG&E will follow the activities described before for software modifications. Please explain how PG&E will perform software modifications to the Tricon and ALS platforms once the PPS replacement project is completed.

PG&E response:

The control of the software modifications to the Tricon and ALS platforms once the PPS replacement project is completed will be by the Process Protection System Replacement Software Configuration Management Plan, which was submitted as part of the Phase 2 document submittal on June 6, 2012, in Attachment 4 to the Enclosure of PG&E Letter DCL-12-050.

No. 29 (Src/RI: RA). Status: Open. RAI No.: N/A.

Issue Description: Software Management Plan

The LAR, Attachment 3, states that the PG&E Project Manager will share the responsibility for meeting the software quality goals and for implementing the software quality management throughout the project.

Please describe what responsibilities are going to be shared and how this is going to be performed.

PG&E response:

The PG&E Project Manager will share the responsibility for meeting the software quality goals with the PG&E Quality Verification organization personnel.

To implement the oversight activities, the PG&E Quality Verification organization will issue a Project Quality Plan (PQP) that will define the oversight activities to be performed, including technical audits, cyber security audits, and software quality assurance audits.

No. 30 (Src/RI: RA). Status: Open. RAI No.: RAI14.

Issue Description: Software Development Plan

Section 7 of the Invensys Nuclear System Integration Program Manual (NSIPM) requires that non-conforming procedures shall be used to control parts, components, or systems which do not conform to requirements.

Invensys documents 993754-1-906, Software Development Plan, and 993754-1-905, PPS Replacement DCPP Project Management Plan, do not identify non-conforming procedures to be followed when deviations are identified and how deviations should be corrected.

Please provide this information.

PG&E response:

The Project Management Plan (PMP), 993754-1-905, is the overarching project management document for the Invensys scope of the PPS Replacement Project. It references other Invensys planning documents that discuss procedures to follow when deviations are identified and how they are corrected. The Software Development Plan, 993754-1-906, describes the software development process for the Invensys scope of the PPS Replacement Project. It will be revised to strengthen references to procedures to be followed when deviations are identified.

In addition, the Invensys Software Quality Assurance Plan, 993754-1-900, Section 8, and the Invensys Software Configuration Management Plan, 993754-1-909, Section 3.2, both provide reference to procedures to follow when deviations are identified and how deviations are corrected.

The revised Invensys project planning documents for the PPS Replacement Project will be submitted as part of the Phase 2 document submittals to the staff by July 31, 2012.

No. 31 (Src/RI: RJS). Status: Open. RAI No.: RAI15.
Comments: At the 5/16 meeting, the staff explained that PGE should have some commitment from all orgs that have activities in the SyQAP. This could be contractual or through activities that are delineated in other vendor plans or procedures.

Issue Description: Software Quality Assurance Plan:

IEEE 730-2002 stipulates in section 4 that "The SQAP shall be approved by the manager of each of the organizations having responsibilities in the SQAP." The PGE SYQAP has been approved by the PGE Diablo PPS Upgrade Project Manager and the Altran Project lead; however, there are several other organizations that have responsibilities delineated in the SQAP. The managers of these organizations have not approved the SYQAP. The following organizations are assigned roles and responsibilities within Section 3.4 of the SYQAP. Please explain the means by which these organizations have committed to comply with the requirements stated in the SYQAP.

  • Vendor IW Projects Managers
  • EOC Design Change Package Team
  • PGE Project Engineering Team
  • QA Organization
  • Testing and Integration Team
  • V&V Organization

PG&E response:

The software quality assurance plan was discussed in Section 4.11.1.1.1 of the LAR, which did not commit to IEEE 730-2002 criteria in developing the SQAP. IEEE Standard 7-4.3.2-2003 [76] Clause 5.3.1 references IEEE Std 730-1998 for guidance but does not require it to be met.

PG&E is determining how to address the commitment from all organizations contained in the SyQAP as requested by the staff in the 5/16 meeting.

No. 32 (Src/RI: RJS). Status: Open. RAI No.: RAI16.
Comments: PGE Response accepted.

Issue Description: Section 4.2.7 "Power Supply" of the LAR describes how power is supplied to the PPS. In this description, the 480V AC vital supply is described in the following ways.

  • First it is described as back-up common bus to the 120 V distribution panels. We cannot tell if this is through a transformer or if this refers to the alternate supply to the inverters.
  • It is also described as a supply to an inverter.
  • It is then described as supply to the battery charger

From these descriptions, it is not clear to the staff how these vital power sources are configured in relation to the 120VAC panels that feed the PPS.

Would it be possible to provide a simplified diagram to show the relationship between the 125V Batteries / DC Buses, Battery Chargers, Inverters, and the 120V AC distribution Panels that supply power to the PPS?

PG&E response:

The following description clarifies the 120 V vital instrument AC power supply to the PPS:

1. Safety-related 480 VAC from vital AC motor control center (MCC) is fed to the UPS and rectified.
2. Rectifier output is fed to the inverter and converted to 120 VAC.
3. Safety related vital DC bus power is fed to UPS as immediate backup supply. The vital DC bus is backed up by the safety-related 125 VDC station battery, which is charged from vital 480 VAC.
4. Inverter output is fed through a static switch with integral manual bypass switch to vital instrument AC power distribution panels.
5. On loss of inverter output, the static switch will select backup regulating transformer output (120 VAC) to distribution panels.
6. The backup regulating transformer receives input from the 480 VAC supply. The backup regulating transformer may be aligned via a transfer switch to either of two 480 VAC busses; the normal supply or an alternate supply. The alternate supply circuit breaker is normally open to prevent interconnection of redundant power supplies due to a failed transfer switch. The transfer switch may not be used under load.

Refer to the attached block diagram for additional detail.

No. 33 (Src/RI: RJS). Status: New.
Comments: Item initiated on 6/5/12.

Issue Description: (ALS SQAP) Software tools are used extensively during the FPGA development process. The staff therefore considers these tools to be a key component to the assurance of quality in the ALS system development process. The ALS SQAP states that "no additional tools, techniques, or methodologies have been identified" for the ALS system. The staff considers the development tools, as well as the techniques and methodologies used during system development to be relevant to the assurance of quality for the ALS system. Please provide information on the tools, and methodologies used during system development to ensure quality of the ALS system products.

PG&E response: IN PROGRESS

No. 34 (Src/RI: RJS). Status: New.
Comments: Item initiated on 6/7/2012.

Issue Description: (Software Integration Plans) The integration planning documentation referenced in section 4.5.4 of the LAR does not include any integration of the two sub systems (ALS integrated with Tricon). The PGE papers provided that discuss how FAT's will be performed may resolve this but these papers would have to be docketed as integration planning documents to support our SE. We also need to come to some agreement on the scope of integration to be accomplished prior to issuance of the SE.

PG&E response: IN PROGRESS

Figure 1 DCPP 120 Volt Vital Instrument AC System (Simplified)

[Block diagram not recoverable from the extracted text. Surviving labels: 480V buses; 125 VDC distribution panels SD11 (21), SD12 (22), SD13 (23); UPS/inverter IY13 (23); DC and AC transfer switches; TRY; outputs to Protection Sets I, II, III and IV.]

Legend:

IY: UPS and DC-AC Inverter
PY: 120 VAC Distribution Panel
SD: 125 VDC Distribution Panel
TRY: 480 VAC/120 VAC Transformer and Regulator
Normal Power Flow (N)
Bypass (120 VAC)/Backup (125 VDC) Power Flow
Alternate Bypass Power Flow (A)

Unit 1 Component IDs are shown; Unit 2 Component IDs are in parentheses. For example, PY11 is Unit 1 Vital Instrument AC Distribution Panel 1; PY21 is Unit 2 Vital Instrument AC Distribution Panel 1.

DCPP PPS Replacement Factory Acceptance Testing (FAT)

A. Introduction

An integrated FAT, with the ALS connected to the Tricon, will not be performed because the ALS and Tricon FAT will be performed in different locations. The overlapping test methodology illustrated in Figure 1 and described below will ensure that all specified PPS safety function requirements for each platform are verified at the respective FAT.¹

B. Discussion

The ALS and the Tricon are directly connected via the analog Reactor Coolant System temperature channels. The ALS provides Class 1E signal conditioning for the Pressurizer Vapor Space temperature, Reactor Coolant System wide range temperature and narrow range RTD inputs to the Overpower Delta Temperature (OPDT) and Overtemperature Delta Temperature (OTDT) thermal trip functions due to its improved ability to process 200 Ohm RTD inputs vs. Triconex. The ALS processes the resistance (ohms) RTD input signals and transmits the temperature values to the Tricon as analog 4-20 mA signals for the respective Protection Set.

The resistance to milliamp conversion will be tested at the ALS FAT to verify that all requirements specified for converting the resistance to current are met. The Tricon FAT will test these channels by injecting the corresponding 4 to 20 mA signals into the Tricon and verifying that all requirements specified for the temperature channels are met. After the FAT, the equipment will be shipped to DCPP and then both systems will be integrated to perform the Site Acceptance Testing (SAT) which will test the analog interface directly along with others that cannot be tested at the FAT, such as the connection to the Plant Data Network (PDN) Gateway Computer.

Within each Protection Set, the ALS and the Tricon are both connected via digital communication links to the Maintenance Workstation (MWS) as shown in Figure 1; thus, the digital MWS is shared by the ALS and Tricon portions of the replacement PPS. Tricon communications with the MWS are bidirectional (read/write) using Triconex NET2 protocol via the fiberoptic media 4352AN Tricon Communications Module (TCM). As discussed in Section 3.1.2.9 of the Triconex V10 SER [ML1209008902], the TCM handles all Tricon communications with external devices, thus providing functional isolation. The ALS communications with the MWS are via the unidirectional TXB2 communication links from the ALS-102 board. The TXB2 communication links are electrically isolated at the ALS-102. Unidirectional communications provides functional isolation from the MWS. The unidirectional nature of the links will be verified at FAT as described below.

For each Protection Set, the ALS and the Tricon are both connected via digital communication links to the Plant Data Network (PDN) Gateway computer as shown in Figure 1. A port aggregator network tap is connected between the Tricon and the MWS via bidirectional Port A and Port B. All network traffic between Port A and Port B is reflected to unidirectional Port 1. There is no communication path from Port 1 to either Port A or Port B. In addition to the functional isolation provided by the TCM, the port aggregator provides further functional isolation between the Gateway computer and the Tricon. The ALS communications with the Gateway computer are via the unidirectional TXB1 communication links from the ALS-102 boards. The TXB1 communication links are electrically isolated at the ALS-102. Unidirectional communications provides functional isolation from the Gateway computer. The unidirectional nature of the links will be verified at FAT as discussed below.

¹ The gateway switch and gateway computer(s) shown shaded in Figure 1 were installed in the plant by a previous project. As existing installed plant equipment, these two items need not be tested explicitly at the FAT or SAT.

5/16/12 Enclosure 3

The ALS also communicates with ALS Service Unit (ASU) application software in the MWS via the bidirectional Test ALS Bus (TAB) communication link. Per ALS Topical Report [ML102570797], Table 5-2, Item 8, the TAB bus is used for communication of information from and to the ASU with the ALS Platform. This communication process is independent from the safety function logic. To enable the TAB bus to the ASU requires the setting of a switch which, when enabled, is alarmed locally and in the main control room ... The TAB bus and its interfaces are designed such that the buses are non-intrusive in that the bus cannot interfere with processing of any information or data on the Reliable ALS Bus (RAB). The FAT will verify that the TAB, when enabled, does not interfere with ALS logic processing.

Comment [WEK1]: The staff will need a FAT that tests all MWS functions in an integrated manner. Since the MWS will be permanently attached to / utilized by both the ALS and Tricon platforms for various functions, how will these functions be tested to demonstrate the full capability of the MWS (see WEK 6 comment)??

Per the ALS System Design Specification 6116-00011 [ML110600695], the ALS allows for online maintenance of an operational system such as the bypassing and control of individual ALS outputs and the calibration of individual ALS I/O without affecting adjacent non-bypassed safety channels. The ALS Topical Report, Section 3.4, describes calibration of an analog input/output channel using the ASU. The ASU is used to select the channel to be calibrated and place that particular channel in BYPASS mode before the external test equipment is connected to the channel wiring on test points located on the field terminal blocks. The channel is placed in CALIBRATE mode to perform the calibration. ALS Topical Report Section 3.5 explains how specific digital output channels may also be placed in BYPASS or OVERRIDE mode from the ASU. The ALS FAT will verify that individual ALS outputs may be bypassed and controlled and individual ALS I/O may be calibrated without affecting adjacent non-bypassed safety channels.

Comment [WEK2]: The staff needs to review the ALS platform SER to ensure this feature is approved at the platform level-WEK.

For the Tricon FAT, PG&E will provide the Maintenance Workstation (MWS), port aggregator network tap, network switches, and media converters as needed to test the complete interface between the MWS and the Tricon. Each Protection Set has its own Maintenance Workstation (MWS). The MWS is not shared between or among Protection sets. The ALS Service Unit (ASU) software will be loaded on the MWS to facilitate identification of any interaction between the MWS Wonderware application, the ASU software, and/or the MWS operating system.

The Tricon FAT will be performed on all four protection sets. Each protection set will be integrated with all equipment necessary to support FAT. The functionality of the MWS will be tested during the FAT to verify requirements specified in the FRS and Tricon SRS. The FAT will verify correct two-way data communications between the Tricon and the MWS through Ports A and B of the port aggregator. The FAT will verify that there is no inbound communication path from network port aggregator tap Port 1 to either Port A or Port B.

Comment [WEK3]: The NetOptics Aggregator Port Tap approved in the Oconee SER was Model 96443 No. PA-CU. Section 4.2.13.1 of the LAR indicates that Model PA-CU/PAD-CU PA-CU Aggregator is being used for the DCPP PPS, which is very similar to the Oconee Aggregator, but has some [illegible] (e.g., has two one-way output ports)... The staff will need information for this different model aggregator [illegible] it is [illegible] and functionally the same as the previously approved Oconee Aggregator.

PG&E will provide another MWS for the ALS FAT. The port aggregator is not required for the ALS. The communications from both TxB1 and TxB2 one-way RS-422 ports will be tested to verify all specified data is being transmitted correctly. The MWS Wonderware application will be running to display the read only parameters. The ASU software running on the MWS will be tested during the FAT to verify its functionality and to identify any interactions between the ALS ASU software, the MWS Wonderware application, and/or the MWS operating system. The two way EIA-465 port will be tested with a mechanical switch to verify the ability to update parameters and to isolate the MWS from the ALS.

Comment [WEK4]: PG&E should provide an explanation of how the ASU software functions; Specifically, since the ASU SW is [illegible] on the MWS, a detailed explanation for the hardware and software features of the PPS (including its NSR MWS) that justifies how the ASU SW cannot affect the data communications functions within the MWS performing the bidirectional communications with the Tricon platform via Port A and B of the Port Tap Aggregator.

All boards of the same type in the ALS platform have the same capabilities. The boards can be configured by the user to meet the requirements of any protection set. The FAT will be performed on each protection set configuration, including power supplies, the MWS, and all associated equipment that supports the safety function for the specific protection set. That is, Protection Set 1 will be configured and tested with all the associated sensor inputs and appropriate loads on the digital and analog outputs. Upon completion of testing, the equipment will be reconfigured as Protection Set 2 and tested. The same process will be used for Protection Sets 3 and 4.

Comment [WEK5]: What physical interlock prevents putting more than 1 Protection Set into maintenance bypass??

The PG&E SAT will be performed on an integrated system. The connection of the temperature channels from the ALS to the Tricon will be verified during the SAT. The SAT will verify functions and connections that cannot be tested at the FAT, prior to installation in the plant. The integrated system used for SAT will also be used to perform training and to develop and verify operational and maintenance procedures. Any application software changes from the time the equipment arrives at PG&E facilities until its installation in the plant are subject to configuration management controls.

Comment [WEK6]: This is still problematic. The staff cannot approve an integrated system without completion of a complete FAT on the entire system. This can be done either at the vendor's facility, or at the licensee's facility--it makes no difference to the staff; however, each FAT activity should be done to the same standards as delineated in ISG-06 and the LAR (e.g., FAT Test Plan (submitted on the Docket), test procedures (available for audit), and test results summarized in a final FAT Report (submitted on the Docket)). We need to find a way to resolve this...

C. FAT Plan Outline

The Tricon FAT will test the safety-related functions specified in the LAR and will also test the following interfaces:

1. Safety-related 4-20 mAdc analog temperature input signals from ALS; these signals will be generated by a loop simulator or equivalent test equipment.
2. The FAT will verify bidirectional non-safety NET2 communications between Tricon TCM1 and TCM2 and the MWS through the two Ethernet media converters, and Ports A and B of the two port aggregator network taps.
3. ALS data acquisition and display and ALS Service Unit (ASU) software will be running on the MWS during the Tricon FAT to identify program conflicts and interactions.
4. The FAT will verify no inbound communication path from Port 1 of the port aggregator network tap to either Port A or Port B exists, per LAR commitment.

The ALS FAT will test the safety-related functions specified in the LAR and will also test the following interfaces:

1. Safety-related 4-20 mAdc analog temperature output signals to Tricon; these signals will be monitored by external equipment to verify conversion and scaling. The ALS analog temperature output channels will be terminated with 250 ohm resistors to simulate the Triconex FTP module. Voltage across the resistors will be measured to verify analog output function.


2. Unidirectional only non-safety EIA-422 communications from the ALS-102 "A" and ALS-102 "B" TXB1 channels. The TXB1 channels will be monitored during ALS FAT to verify data protocol. The test will verify no inbound communications via the TXB1 channel to either ALS-102 "A" or "B".
3. Unidirectional only non-safety EIA-422 communications from the ALS-102 "A" and ALS-102 "B" TXB2 channels to the MWS. The TXB2 channels will be monitored during ALS FAT to verify data protocol. The test will verify no inbound communications via the TXB2 channel to either ALS-102 "A" or "B".
4. Tricon data acquisition and display and ALS Service Unit (ASU) software will be running on the MWS during the ALS FAT to verify no program conflicts and interactions.

Comment [WEK7]: I would choose the language as revised. This should not be the first time any program conflicts are identified.

Deleted: identify

5. Bidirectional EIA-485 TAB communication between ALS Chassis "A" and Chassis "B" and ASU software running on MWS can take place only if the communication links are physically connected and enabled. The test will verify there is no communication between the ALS chassis and the ASU if communications are not physically connected and enabled.


Figure 1 Replacement PPS Acceptance Testing with Overlap

Comment [WEK8]: PG&E's SAT activities should be executed as part of the PPS FAT. This [illegible] not responsive to OI# 23.


Please direct any inquiries to me at 301-415-1132 or at Joseph.Sebrosky@nrc.gov.

/RA/
Joseph M. Sebrosky, Senior Project Manager
Plant Licensing Branch IV
Division of Operating Reactor Licensing
Office of Nuclear Reactor Regulation

Docket Nos. 50-275 and 50-323

Enclosures:

1. List of attendees
2. Staff identified issues
3. Staff comments associated with PPS FAT

cc w/encls: Distribution via Listserv

DISTRIBUTION:

PUBLIC
RidsRgn4MailCenter Resource
LPLIV Reading
WMaier, RIV
RidsAcrsAcnw_MailCTR Resource
TWertz, NRR
RidsNrrDeEicb Resource
WKemper, NRR/DE/EICB
RidsNrrDorl Resource
RStattel, NRR/DE/EICB
RidsNrrDorlLpl4 Resource
RAlvarado, NRR/DE/EICB
RidsNrrLAJBurkhardt Resource
SMakor, RIV/DRS/EB2
RidsNrrPMDiabloCanyon Resource
SAchen, RIV
RidsOgcRp Resource
MMcCoppin, EDO RIV

ADAMS Accession Nos. Meeting Notice ML12142A214; Meeting Summary ML12170A866 *via email

OFFICE | DORL/LPL4/PM | DORL/LPL4/LA | NRR/DE/EICB | DORL/LPL4/BC | DORL/LPL4/PM
NAME | JSebrosky | JBurkhardt | WKemper* | MMarkley | JSebrosky
DATE | 6/26/12 | 6/21/12 | 6/25/12 | 6/27/12 | 6/27/12

OFFICIAL RECORD COPY