ML13148A420


2/20/13 Summary of Public Meeting with Pacific Gas and Electric Company to Discuss Digital Replacement of Process Protection System at Diablo Canyon Power Plant, Units 1 and 2 (TAC Nos. ME7522 and ME7523)
Site: Diablo Canyon (Pacific Gas & Electric)
Issue date: 06/06/2013
From: Polickoski J T
Plant Licensing Branch IV
To:
Pacific Gas & Electric Co
Polickoski J T NRR/DORL/LPL4
References
TAC ME7522, TAC ME7523


Text

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

June 6, 2013

LICENSEE: Pacific Gas and Electric Company

FACILITY: Diablo Canyon Power Plant, Units 1 and 2

SUBJECT: SUMMARY OF FEBRUARY 20, 2013, TELECONFERENCE PUBLIC MEETING WITH PACIFIC GAS AND ELECTRIC COMPANY ON DIGITAL REPLACEMENT OF THE PROCESS PROTECTION SYSTEM PORTION OF THE REACTOR TRIP SYSTEM AND ENGINEERED SAFETY FEATURES ACTUATION SYSTEM AT DIABLO CANYON POWER PLANT, UNIT NOS. 1 AND 2 (TAC NOS. ME7522 AND ME7523)

On February 20, 2013, a Category 1 teleconference public meeting was held between the U.S. Nuclear Regulatory Commission (NRC) and representatives of Pacific Gas and Electric Company (PG&E, the licensee) at NRC Headquarters, One White Flint North, 11555 Rockville Pike, Rockville, Maryland. The purpose of the teleconference meeting was to discuss the license amendment request (LAR) submitted by PG&E on October 26, 2011, for the Digital Replacement of the Process Protection System (PPS) Portion of the Reactor Trip System and Engineered Safety Features Actuation System at Diablo Canyon Power Plant (DCPP), Unit Nos. 1 and 2 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML113070457). The meeting notice and agenda, dated February 4, 2013, is available in ADAMS at Accession No. ML13028A202. A list of attendees is provided as Enclosure 1.

This meeting is one in a series of publicly noticed teleconference meetings to be held periodically between NRC staff and PG&E to discuss issues associated with the NRC staff's LAR review. Preliminary issues identified by the NRC staff during the review and licensee responses to those issues were discussed during the meeting. The list of these preliminary issues is provided in Enclosure 2. The updated NRC staff's LAR review project plan was also discussed and is provided in Enclosure 3.
Discussion highlights from this meeting include:

  • A review of the submission method and/or document repository location (NRC docket submittal or SharePoint posting) for recently updated and/or submitted LAR documents and their applicable revisions. This discussion also included an overview of what documents were expected to be submitted and/or posted soon.
  • A process discussion where preliminary issues identified and discussed in Enclosure 2 that resulted in NRC requests for additional information (RAIs) will be transferred to a closed action table for archiving and presented at the next periodic teleconference public meeting.
  • A licensee discussion on preliminary issues from Enclosure 2 that will be addressed in an upcoming LAR supplement.

  • An NRC staff discussion on observations and questions from a recently completed onsite audit of a PG&E supporting vendor (February 11-14, 2013, CS Innovations/Westinghouse) and the issuance of the cyber security audit trip report from another PG&E supporting vendor (November 13-16, 2012, Invensys Operations Management).
  • NRC staff from the Office of Nuclear Security and Incident Response (NSIR) present to discuss LAR submittal cyber security aspects and security measures related to the Maintenance Work Station. Additionally, the potential need for a non-public meeting to review proprietary and/or sensitive but unclassified items was discussed.
  • NRC staff discussion regarding access needed to the Input/Output (I/O) list to support the review of the Interface Requirement Specification.
  • NRC and PG&E staff discussion related to the Enclosure 3 project plan on the timing of the next licensee vendor NRC staff audit trip and the follow-on Factory Acceptance Testing (FAT). This project plan discussion also included updates to the anticipated dates for the next NRC staff RAIs and LAR review final milestone dates.
  • NRC staff discussion with PG&E staff regarding the potential for this LAR to impact or cause changes with the DCPP Technical Specifications (TS). The staffs discussed the injection of test signals and verification of setpoints for TS identified surveillance testing and potential LAR scope changes that could affect LAR acceptance.

The NRC staff and the licensee agreed that the next periodic teleconference public meeting on this topic would be held on March 27, 2013, with a tentatively scheduled, non-public meeting to discuss proprietary and/or sensitive but unclassified items set for April 17, 2013.

Members of the public were in attendance. Public Meeting Feedback forms were not received.

James T. Polickoski, Project Manager
Plant Licensing Branch IV
Division of Operating Reactor Licensing
Office of Nuclear Reactor Regulation

Docket Nos. 50-275 and 50-323

Enclosures:
1. List of Attendees
2. NRC Staff Identified Open Issues
3. LAR Review Project Plan

cc w/encls: Distribution via Listserv

LIST OF ATTENDEES

FEBRUARY 20, 2013, TELECONFERENCE MEETING WITH PACIFIC GAS AND ELECTRIC COMPANY REGARDING PROCESS PROTECTION SYSTEM DIGITAL UPGRADE FOR DIABLO CANYON POWER PLANT, UNIT NOS. 1 AND 2

DOCKET NOS. 50-275 AND 50-323

NRC Participants:

Rich Stattel, Senior Electronics Engineer, Instrumentation and Controls Branch
Bill Kemper, Senior Electronics Engineer, Instrumentation and Controls Branch, NRR/DE
Rossnyev Alvarado, Electronics Engineer, Instrumentation and Controls Branch
Samir Darbali, Electronics Engineer, Instrumentation and Controls Branch
Chris Chenoweth, Electronics Engineer (contractor)
Eric Lee, Senior Security Specialist, Cyber Security & Integrated Response Branch
Mike Shinn, Security Specialist (contractor)
Joe Sebrosky, Senior Project Manager, Plant Licensing Branch IV
James Polickoski, Project Manager, Plant Licensing Branch IV
Christina Antonescu, Senior Staff Engineer, Technical Support Branch, Region
Shiattin Makor, Reactor Inspector, Engineering Branch 2, RIV/DRS

Pacific Gas and Electric Company Participants:

Ken Schrader, Regulatory Services

  • Scott Patterson, Program Manager
  • J. Hefler, Altran
R. Lint, Altran
Ted Quinn, Altran
J. Mauck, Altran
Roman Shaffer, Invensys
J. Basso, Westinghouse/CS Innovations
S. Karaaslan, Westinghouse/CS Innovations
W. Odess-Gillett, Westinghouse/CS Innovations

Public:

Gordon Clefion, Senior Project Manager, Nuclear Energy
Tricia Bolian, Manager, Business Development, I&C and Electrical Systems, Areva
Chris Doyel, Areva
  • denotes participating via teleconference

Enclosure 1

Enclosure 2

February 18, 2013 DCPP PPS Open Item Summary Table

Columns: No.; Src/RI; Issue Description and PG&E response; Status; RAI No. (Date Sent); RAI Response (Due Date); Comments

Item 21
Src/RI: RA
Status: Open
RAI No. (Date Sent): RAI 10, Not used (Hold until response is received)

Issue Description: Westinghouse/CSI document 6116-00005, "Diablo Canyon PPS System Test Plan," states that the ALS-102 FPGA design is changed for the DCPPS System. Further, Section 5.3.3 states: "Test as many of the ALS-102 requirements as possible." Please identify what document describes the design verification test for this board.

PG&E response: The documents that describe the design verification tests for the ALS-102 are 6116-70140, "Diablo Canyon PPS System Test Design Specification," submitted June 6, 2012, and 6116-10216, "Diablo Canyon PPS W Simulation Environment Specification" that will be placed on the Sharepoint by March 21, 2013 and submitted by April 11, 2013.

Comments:
01/23/2013 update: This item will remain open until the document is available to the staff.
12/19/12 update: Westinghouse/ALS will submit the documents by 12/31/2012.
10-17-12 update (Alvarado): Westinghouse/ALS will submit the documents by 10/31/2012.
9-19-12 update (Alvarado): Waiting for ALS document to be submitted at the end of September.
6-13-12 update (Kemper): PG&E understands that they need to provide an update to this response. In the meantime, PG&E and ALS have provided 2 design specifications that will address this OI. These documents are placed on the PG&E sharepoint website. Doc. No 6116-10740 was submitted on June 6, 2012, which describes ALS system test design specification. Doc. No 6116-00005 was also submitted on June 6, 2012, which describes ALS system test plan. Doc. No. 10216 ALS W Simulation Environment Specification will be provided in the future.
3/21/12 update: PG&E has created a share point website for NRC to review PPS design drawings that will address this issue. NRC staff will determine if they are needed to be submitted on the docket. PG&E will ensure the website is information is only applicable to this licensing action.
NRC - the response provided does not address the question.
7/13/12 - rjs: Deleted RAI 10 pending review of revised response. Also decided to hold item open.

Item 40
Src/RI: RA
Status: Re-OPEN

Issue Description: Software Tools. In the ALS Progress Update 2012-08-01 provided to the staff, Westinghouse/CSI described that they are replacing Automated Test Environment (ATE) from IV&V credited tools with a LabView based ALS Board Test System (ABTS). Also, in this presentation, Westinghouse/CSI noted that they are performing additional IV&V and equipment qualification tools. Since this information needs to be reflected in the software planning documents, please identify how these items will affect Westinghouse/ALS documents related to PPS replacement project. Also, identify what document will be revised to include description of these modifications.

PG&E Response: The ALS Design Tool 6002-00030 requires revision to replace the ATE with the ABTS. The revised ALS Design Tool, Revision 9, document includes the ABTS tool in Section 12 and was submitted by Westinghouse to the NRC on January 18, 2013 that addresses the tools used.

Comments:
01/23/2013 update: CSI document 6002-00030 Rev. 9 is not available in ADAMS yet. Please clarify if the ATE tool is used for V&V review. This item will remain open until the document is available to the staff.
01/10/2013 update: The ALS Design Tool 6002-00030 Rev. 8 indicates that Westinghouse/CSI is using ATE. Further, Rev 7 of the 6002-00003, ALS V&V Plan, states that this plan was revised to identify ABTS as the primary board integration level test tool, replacing ATE. Please clarify the discrepancy between the response provided and the information in Rev. 8.
12/19/12 update: ALS Design Tool 6002-00030 was submitted to the NRC. NRC Staff will review this document and identify follow up questions, if necessary, creating a new open item.
10/17/12 update: Westinghouse/ALS will submit the ALS Design Tools on 10/31/2012

Item 41
Src/RI: RA
Status: Re-Open

Issue Description: Software V&V and Test Plan. Westinghouse/ALS document 6116-0005, section 8.2 identifies the software tools to be used in the PPS replacement project. However, this list is not consistent with the list of IV&V tools identified in Section 3.6 of ALS V&V Plan 6002-00003. Specifically, the test tools identified in 6002-00003 are not listed in 6116-00005 and vice versa. For example, the V&V Plan (6002-00003) identifies ATE tool for IV&V, but this tool is not listed in 6116-0005 Rev. 1. Furthermore, the staff reviewed 6116-0005 Rev. 0, and found that the ATE tool was listed in this version. Please clarify what software tools will be used and what document describes them.

PG&E Response: A new revision of the ALS V&V Plan 6002-00003, Revision 7, Figure 3-2, identifies the ABTS and the ISE as the IV&V test tools. This new revision was docketed October 31, 2012 on the ALS platform docket. The ATE is removed from the set of IV&V test tools. The tools listed in document DCPP PPS Test Plan 6116-00005 section 8.2 and the tools listed in DCPP PPS W Simulation Environment Specification, 6116-10216, (to be placed on the Sharepoint by March 21, 2013 and submitted by April 11, 2013) encompass the IV&V test tools in the new revision of the ALS V&V Plan, 6002-00003.

Comments:
01/23/2013 update: This item to remain open because DCPP PPS W Simulation Environment Specification, 10216, has not been submitted.
01/10/2013: See comment provided in item 40. Also, DCPP PPS W Simulation Environment Specification, 10216, has not been submitted.

Item 48
Src/RI: RA
Status: OPEN

Issue Description: Software V&V. PG&E SyWP, Section 6, requires that anomalies detected are identified, documented, and resolved during the V&V activities. This section states that anomaly reporting and resolution requirements are defined in the respective PG&E control procedures. Section 2 "Control Procedures" does not include a reference for an anomaly reporting procedure. Please identify the PG&E control procedure used for anomaly reporting.

Further, Section 7 of the SyWP states that the PG&E authority responsible for approving deviations from SyWP is the PG&E Project Manager, who will document his/her approval a Change Notice or equivalent formal PG&E document. Please identify where the responsible PG&E authority will document its approval.

PG&E Response:
1. The PG&E control procedure for anomaly reporting is OM7.ID1, "Problem Identification and Resolution." This procedure governs the PPS replacement after it has been turned over to PG&E by the suppliers. The suppliers' anomaly reporting procedures are applicable prior to this turnover.
2. The responsible PG&E Project Manager will document approval in an SAP notification. This will be included in the revision of the SyWP currently in progress. It is noted that Section 7 of the SyWP states the deviation shall be incorporated into the SyWP as a revision at the first practical opportunity.

Comments:
01/23/2013 update: Need to know when the new revision of SyWP will be submitted
12/19/12: item 2 still pending
10/17/12 update: For item 2 - PG&E will revise the SyWP and submit it on 11/30/2012
9/17/12 update (Alvarado): NRC staff received copies of OM7.ID1 and XI1.ID2. This addressed item 1 of this open item.

RAI No. (Date Sent) column, items 41 and 48: RAI 24

Item 51.2
Status: Open

Issue Description: Software Configuration Management. 1. Organization. The organization and responsibilities described in Section 4 of CF2.ID2 is not consistent with the information presented in Section 2 of SCMP 36-01. For example, Section 2 of SCMP 36-01 identifies system coordinator, application sponsor, and system team, who are not identified in Section 4 of CF2.ID2. Further these descriptions are not identified in the project organization described in PG&E PPS Replacement Plan (Attachment 3 of the LAR). Please clarify the roles and responsibilities for SCM, and provide a cross reference of the PG&E organizations described in these documents.

PG&E Response 12/16/2012: PG&E will revise the SCMP plan to be consistent with CF2.ID2 section 4 organization, including a description of additional roles and responsibilities not required by CF2.ID2 if needed.

Comments:
01/23/2013 update: identify date for next revision
12/17/12 update: Waiting for PG&E to revise SCMP.
10/17/12 update: PG&E will revise the SCMP to address several open items

Item 60
Src/RI: RJS (STSB/APLA)
Status: Open
RAI No. (Date Sent): RAI 39

Issue Description: Technical Specifications: In order for the staff to make a determination that the existing technical specifications and surveillance intervals remain acceptable for the replacement PPS system, an evaluation to compare the ALS/Tricon PPS system reliability and performance characteristics with those of the Eagle 21 system must be performed. Please provide an evaluation summary report to support the application of existing technical specification and surveillance test intervals to the upgraded ALS/Tricon based PPS system. This report is expected to include a quantitative analysis to demonstrate the new system's ability to perform its required safety functions between established surveillance intervals as well as a qualitative (i.e., deterministic) analysis which cites the self diagnosis and fault detection features of the replacement PPS. The report should address the staff's previous findings in Section 4.3, "Applicability of WCAPs to DCPP," of Amendment No. 179, dated January 31, 2005 (ML050330315).

PG&E Response: An evaluation summary report to support application of the existing TS and TS surveillance test intervals is contained in the Westinghouse Document, "Justification for the Application of Technical Specification Changes in WCAP-14333 and WCAP-15376 to the Tricon/ALS Process Protection System" that has been placed on the Sharepoint and will be submitted by March 5, 2013. The document provides a qualitative comparison of features important to the reliability of the Tricon and ALS subsystems and the Eagle 21 system, evaluates the applicability of the WCAP-14333-P-A, Revision 1, and WCAP-15376-P-A, Revision 1, analyses to the PPS replacement configuration, and evaluates the compliance with the staff conditions and limitations contained in the NRC safety evaluations for WCAP-14333 and WCAP-15376 and Section 4.3 of the Amendments 179 and 181.

Comments:
1/16/13 - Waiting for Evaluation Summary Report which is due at end of January.

Item 64
Src/RI: RA
Status: Closed
RAI No. (Date Sent): RAI 40

Issue Description: Software Management Plan. To close Items 27 and 29, PG&E issued the DCPPS Project Quality Assurance Plan to define the oversight activities to be performed during the PPS replacement project. Section 2 of this plan describes the responsibilities of those involved in oversight activities. However, it is not clear how these roles and responsibilities correlate to the project organization described in PG&E PPS Replacement Plan (Attachment 3 of the LAR) and PG&E PPS Replacement System Quality Assurance Plan (Attachment 4 of the LAR). For example, the Project Quality Assurance Plan describes the of the PPS Project Manager, but this role is not described in other documents. Further, the responsibility described seems to align with the responsibility of the PG&E Project Manager. Please explain the relationship, if any, of the roles and responsibilities described in the DCPPS Project Quality Assurance Plan and those provided in other PG&E plans.

PG&E Response: The "Quality Assurance Plan for Diablo Canyon Process Protection System Replacement" (referred to as the "Project Quality Plan" in response to OIs 27 and 29) was a project specific document created by the Quality Verification group (a Quality Assurance organization) to identify the Quality Assurance tasks to be performed by the Quality Verification group for the project. The "Quality Assurance Plan for Diablo Canyon Process Protection System Replacement" provides the specific plan to be used by the "Supervisor Project QA" identified in Section 3.5.1 (page 19) of the SyQAP and the "Project QA Engineer or Equivalent" identified in Section 3.5.8 of the SyQAP to provide PG&E quality oversight for the project which in part supports meeting 10 CFR 50 appendix B quality assurance requirements for the project. The "Supervisor Project QA" is not identified in the PPS Replacement Project Plan Figure 2-1 (PPS Replacement Project Organization) because they are not part of the Project Organization, but instead provide independent quality assurance oversight of the Project Organization. Section 6.1, "System Quality Assurance Plan (SyQAP)," of the PPS Replacement Project Plan discusses the SyQAP, which in turn references the "Supervisor Project QA" in Section 3.5.1 (page 19) and the "Project QA Engineer or Equivalent" in Section 3.5.8 to provide PG&E quality oversight for the project.

Item 65
Src/RI: RJS
Status: Open

Issue Description: KVM Switch Questions: See Attachment 3

PG&E Response: See Attachment 3

Item 68
Src/RI: WEK
Status: Open
RAI No. (Date Sent): RAI 46

Issue Description: Please provide a detailed functional description of the DCPP PPS NSR Gateway Computer(s) system; including computers/processors, communications protocols, and data isolation details. Or, please indicate where this information is explained within the LAR and supporting documents. Also, please provide a detailed explanation of the Gateway Switch discussed within the LAR; including its operating principal (hardware, logic based, etc.), data/electrical isolation design features, and any other pertinent information pertaining to its failure mechanisms.

11-28-2012 follow up question: Figure 4-13 (Pg 87) of the LAR indicates that data communications is provided directly between the SR ALS "A" & ALS "B" Protection Sets I, II, III, and IV, and the NSR Gateway Computers via RS-422 copper media (i.e., not through the Port Tap). Section 4.8.2 b) (page 110 of the LAR) states that "... All other communication to non-safety equipment, i.e., Plant Computer, is via continuous one-way communication channels on the 102." Please describe how the 1E/non-1E data communication and electrical isolation is implemented within the ALS for this configuration. Also, explain how the ALS "A" & "B" inputs to the NSR Gateway Computers are isolated from each other, and data communication protocols associated with processing this data within the Gateway Computers.

12-19-2012 follow up question: As stated in the 12-17-2012 response below, the 1E/non-1E data communications electrical isolation is not part of the ALS topical report review. Please provide a detailed explanation of how all 1E/non-1E communications data electrical isolation between the ALS processor and NSR systems will be accomplished.

PG&E Response: The DCPP Gateway computer and Gateway switch are part of an existing system that was installed by a previous project, and therefore were not included in the scope of the changes requested for approval in the LAR. Communications from the Gateway Switch to the Tricon are functionally isolated by the Triconex Communication Module (TCM) and NetOptics Model PA-CU Network Port Aggregator Tap discussed in Tricon V10 SER Section 3.7.2.1. A fiberoptic data link provides electrical isolation. The NetOptics PA-CU Network Port Aggregator Tap was approved for this use in the Oconee RPS SER. The PA-CU prevents inbound communications from external devices or systems connected to Port 1 of the Port Aggregator from being sent to interactive Ports A and B. The Oconee SER described the methods they used to verify that Aggregator Port 1 provides one way outbound communications only. As a transmit only device, it does not listen to and is not affected by the communications protocol (or lack thereof) of the external device or system to which it is connected. The ability of the Port Aggregator Tap to prevent inbound communications to the Tricon from its Port 1 will be verified at the Tricon V10 FAT and the SAT as previously stated in PG&E Letter DCL-12-083 dated September 11, 2012.

Updated PG&E Response 12/12/2013: The response to OI #73 discusses Transmit Bus TxB2 data communication path from the ALS-102 Core Logic Board to the ALS MWS. Transmit Bus TxB1 transmits data from the ALS-102 CLB to the Gateway Computer. Both TxB1 and TxB2 are EIA-422 communication links in which Receive capability is physically disabled by hardware as described in the ALS-102 Design Specification, 6002-102002. The receiver is configured such that the transmit data is looped back for channel integrity testing. The ALS-102 is physically and electrically incapable of receiving information from outside the ALS-102 via the Transmit Busses TxB1 and TxB2. Therefore, messages are not disregarded or rejected by the ALS-102. This is better than a "broken wire." The wire just isn't there, and there is no place to connect a wire if someone wanted to do so.

Updated WEC Response 12/17/2012: The 1E/non-1E data communication is described in the ALS Topical Report, Sections 2.2.1.3 and 5.3.2; and in 6116-00054, "Diablo Canyon PPS ISG04 Matrix", Position 2. The electrical isolation qualification of the 1E/non-1E data communication is not part of the ALS Platform review project, and will be qualified with an isolation fault test that will be conducted 1st quarter 2013 per IEEE Std 384-1992, "IEEE Standard Criteria for Independence of Class 1E Equipment and Circuits" and Regulatory Guide 1.75, "Criteria for Independence of Electrical Safety Systems." A supplemental test report will be issued 2nd quarter 2013.

Comments:
12-19-2012 update: Response did not answer the question about providing a functional description of the DCPP PPS NSR Gateway computers. The staff needs to understand how the Gateway computer and the Gateway Switch communication protocols will not corrupt the data signals coming from the ALS Protections sets 4 and not impact the execution of the ALS safety function. A detailed response to this question is needed in the LAR or supporting documents. See 12-19-2012 follow up question re: electrical isolation for the DCPP PPS ALS.
11-28-12 update: See 11-28-2012 follow up question.

Item 69
Src/RI: WEK
Status: Open
RAI No. (Date Sent): RAI 47

Issue Description: Please provide a detailed explanation of the application programs contained within the Tricon and ALS MWS computers; including how they will be used to supports or enhances the performance of the PPS safety function enhance the performance of the PPS safety systems, provide required maintenance, surveillance, etc. Or, please indicate where this information is explained within the LAR and supporting documents.

Comments:
12-19-2012 update: The DCPP PPS ALS MWS will not be approved via the ALS topical report. Therefore, the information requested is needed to address the regulatory criteria of ISG-04, Position 1, Point 3. W/ALS document 6116-00054, Rev. 0, Diablo Canyon PPS ISG-04 Matrix, does not address this subject in its response to Point 3. Please address this question for ALS. Tricon response is acceptable. Please add this to the LAR/Tricon V10 ISG-04 compliance matrix document
11-28-12 update: Additional clarification was provided, so the question was rephrased.

1/24/2013 Updated PG&E Response: The non-safety communications between the PPS controllers and their respective, dedicated MWS units improve PPS maintainability and thus reliability, and enabling on-line surveillance testing, calibration, and maintenance. Risk of challenging plant safety systems is reduced through the ability to test in bypass rather than requiring test in trip.

The online Tricon and ALS non-safety communications capability provide real-time, online data and status information on the Plant Process Computer and in the Control Room that are required to perform maintenance, calibration and testing. Without the online data links from the Tricon and ALS to the MWS and the Plant Process Computer/Plant Data Network, only the control board indicators and recorders would be available to provide a "window" on the PPS. System trouble alarms would still be generated by the PPS on the Main Annunciator System, but without the alarm monitor and other data display capabilities provided by the MWS, there would be no direct means to determine the specific cause of an alarm. Lack of access to real-time, continuous, on-line PPS status data and diagnostic information introduces delay into PPS trouble identification and resolution, and substantially degrades the maintenance effectiveness and timeliness enabled by the diagnostic features built into the platforms and the application programs. The ability to make online use of the information provided by redundant, real-time data communications to the MWS and to the plant process computer improves PPS reliability and thus supports and enhances safety through providing timely diagnostic information and status details that assist performance of required trouble-shooting, maintenance, and surveillance activities.

The network switches between the Port Aggregator taps and the MWS ensure that Tricon multicast operation will continue if the Tricon MWS were to cease communications. The network switches are redundant to ensure continued Tricon multicast operation on failure of a single Tricon network link.

The application programs contained in the ALS and Tricon MWS units provide the following functionality:

A. Westinghouse/CSI ALS Maintenance Workstation

The on-line ALS MWS is required to maintain the ALS, including surveillance testing per the Technical Specifications calibration, and other required maintenance, and is similar in effect to the existing, approved Test in Bypass capability. The diversity design of the ALS enables either (but not both) Chassis "A" or Chassis "B" in a protection set to be bypassed for maintenance or testing while the other chassis remains fully operational (Although, in the bypassed condition, certain post-accident monitoring functions may not be available; this may be controlled administratively). Without the flexibility provided by the ALS diversity design, Technical Specifications would require tripping all the channels associated with the chassis when removing a given protection set ALS chassis from service. In turn, this would make up one channel in the coincidence logic for all channels in the affected ALS protection set. Such action increases the risk of inadvertently challenging plant safety systems were another channel to trip with the ALS protection set out of service.

1. Microsoft Windows™ XP Service Pack 3 operating system

2. ALS Service Unit (ASU) Application

The ALS MWS will utilize Microsoft Windows® based Westinghouse/CSI ALS Service Unit (ASU) software that is described in the ALS Topical Report Section 2.6.3. The ALS Service Unit (ASU) is the primary tool used when accessing a particular ALS system in operation. The ASU provides plant personnel access to advanced features of the ALS system such as system diagnostics, post-trip analysis, monitoring real-time operation, and assistance in performing user-initiated test, calibration and maintenance operations.

The DCPP PPS Replacement MWS will be mounted permanently in the PPS rack containing the PPS in a manner similar to that shown in ALS Topical Report Figure 2-25; however, ASU functions that use interactive Test ALS Bus (TAB) communications will be available: (1) only when the TAB is physically connected to the ALS MWS by qualified personnel under administrative controls; and (2) only on one ALS "A" or "B" subsystem at a time. The TAB from ALS-102 Chassis "A" and Chassis "B" is provided with individual EIA-485 ports on the ALS Maintenance Workstation computer. The ASU ensures that the correct TAB is connected to the respective 485 port when the TAB is enabled. The main features of the ASU are:

  • State Information - Provides monitoring of real-time operation, including all I/O signals as well as detailed status information from debugging registers. The advanced monitoring capabilities enable fast system diagnostics and troubleshooting.
  • System and Board Information - Provides detailed information about the configuration of an ALS system, including board FPGA programming, board build information, and board configuration.
  • Blackbox - The ASU includes a so-called "blackbox" functionality where all events of an ALS system are transmitted by the ALS-102 CLB Transmit Bus TxB2 to the ASU for storage and subsequent retrieval. This allows plant personnel to inspect the ALS system's reaction to a past event. The blackbox function enhances ALS reliability and therefore safety by helping to reduce the time required to pinpoint the cause of a series of events. The ASU must be connected to the ALS via the Transmit Bus TxB2 during an event in order to capture and store the event via the blackbox function. Given the difficulty in predicting when an event will occur, the ASU should be connected to the ALS chassis via Transmit Bus TxB2 and receiving data during online operation in order to benefit from this capability.
  • Test - Application specific periodic surveillance tests can be implemented to be performed through the ASU. Based on the needs of the application, features may be implemented in the CLB that allow surveillance testing to be performed and/or monitored through the ASU.
  • Calibration - The ASU is used to readout and change application Setpoints and channel calibration coefficients. The CLB holds the application Setpoints and according to the application, it will allow the ASU to modify these Setpoints. The ASU is also used during input/output channel calibration where it is used for selecting the board and board channel to be calibrated and to change calibration coefficients based on the readings received on an external calibrator.

Operation of the ASU is passive and non-intrusive, i.e., it can only modify the safety system tunable parameters stored in NVM for which it is designed (i.e., input/output calibration coefficients, set points and tuning constants). It is not possible to modify the safety algorithm or logic using the ASU. All communications initiated by the ASU take place on the TAB, and only when the TAB is physically connected between a protection set ALS and its dedicated MWS. No RAB interruption is possible, effectively isolating the ASU from ALS safety functions.

3. ALS Parameter Display

The ASU also provides a passive parameter display function using one-way ALS-102 EIA-422 Transmit Bus TxB2. The ALS parameter display function allows the MWS to display parameters transmitted to it online by the one-way TxB2 transmit bus described in ALS Topical Report Section 2.2.1.3. The parameter display function does not require the TAB to be connected. The ASU parameter display function is a Visual C++ based application developed for the Microsoft Windows API using Microsoft Foundation Class (MFC) libraries to provide graphical user interfaces for displaying ALS system status on the MWS and for providing user controlled access to the ALS controllers for performing maintenance operations such as calibration.
Upon start-up, the application establishes a dedicated serial port to the MWS RS-422 serial communication card port that is connected to ALS-102 unidirectional one-way TxB2 output in each ALS chassis "A" and "B." These dedicated MWS serial ports receive ALS system status at a rate of 10 Hz (i.e., once every 100 ms). Upon establishing the dedicated serial port connection on the MWS, the ASU parameter display function spawns a software thread to receive, validate, and store the data received from the respective ALS-102 TxB2. Validation of the received data consists of checking the packet header contents, checking packet length, performing a CRC check on the packet contents, and then comparing the calculated CRC with the CRC inside the TxB2 packet. If the data received by the parameter display application is invalid (i.e. invalid CRC), the application indicates the issue on its graphical user interface (GUI) and an entry is made in the application status log. If the data received by the parameter display application is valid, the application records the ALS system status in a data class which contains methods that are called by different GUI to extract and display the specific ALS system status. Malfunctions of the ASU parameter display function cannot adversely affect ALS safety system operation because EIA-422 communications between the ALS and the ALS MWS via TxB2 are strictly one-way from the ALS-102 to the ALS MWS and the EIA-485 TAB is physically disconnected except for brief periods when the TAB for either ALS "A" OR "B" is connected to the MWS for maintenance under administrative control by trained technicians.

4. One way TxB1/TxB2 Communications

Transmit Bus TxB1 transmits data from each ALS chassis "A" and "B" 102 CLB to the Gateway Computer. Transmit Bus TxB2 transmits data from each ALS chassis "A" and "B" ALS-102 CLB to dedicated EIA-422 ports on the ALS MWS. Both TxB1 and TxB2 are EIA-422 communication links in which Receive capability is physically disabled by hardware as described in the ALS-102 Design Specification, 6002-102002. The receiver is configured such that the transmit data is looped back for channel integrity testing. The ALS-102 does not disregard or reject external messages; rather, the 102 is physically and electrically incapable of receiving external messages via the Transmit Busses TxB1 and TxB2. In effect, this is the same as the data isolation achieved by a "broken wire."

Interdivisional communications between the MWS and the ALS are also described in ALS Topical Report section 5.3.

5. TAB Disconnect

TAB communications are enabled by physically connecting the TAB to the respective MWS EIA-485 port under administrative control by technicians. TAB communications are disabled when not needed physically disconnecting the TAB from the MWS. The ASU is connected and communicates with the ALS via the TAB only when required to the ALS, normalize RCS flow coefficients, perform surveillances required Technical Specifications, as well as to troubleshoot and otherwise the ALS. The diverse ALS subsystem whose TAB has not been will continue to perform its safety function without impact. An ALS alarm is initiated on the Main Annunciator when the TAB is enabled. non-safety communications provided by the Transmit busses will allow operator to ascertain quickly the cause of the alarm, if the operator is already aware of the maintenance activity being performed procedural TAB communications are described in ALS Topical Report Section 5.2.

6. Electrical Isolation

The Transmit Bus TxB1 and TxB2 1E/non-1E data communication is described in the ALS Topical Report, Sections 2.2.1.3 and 5.3.2; and 6116-00054, "Diablo Canyon PPS ISG04 Matrix", Position 2. The isolation of the Transmit Busses is performed by magnetic couplers on the ALS-102 CLB. The TxB isolators are described in "ALS-102 Hardware Design Specification," Section Fault isolation occurs by way of board mounted transient voltage suppressors, board mounted fuses, and external fuses. Qualification of the 1E/non-1E data communication is not part of the ALS Platform review project, and will be qualified with an isolation fault test that will be conducted 1st quarter 2013 per IEEE Std 384-1992, "IEEE Standard Criteria for Independence of Class 1E Equipment and Circuits" and Regulatory Guide 1.75, "Criteria for Independence of Electrical Safety Systems." A supplemental test report will be issued 2nd quarter 2013.

B. Triconex Maintenance Workstation

The Tricon MWS will implement four Microsoft Windows® application programs: (1) Invensys WonderWare® InTouch® PPS application; (2) TriLogger; (3) Tricon Diagnostic Monitor; and (4) TriStation 1131 (TS1131) Developers Workbench Version 4.9.0.

1. Microsoft Windows® XP Service Pack 3 operating system

2. WonderWare® InTouch™ PPS Application

The WonderWare InTouch application provides online display of selected PPS internal parameters and trouble alarm details. The WonderWare InTouch application also is used for maintenance of individual PPS instrument channels in conjunction with the hardwired OOS switches that have been discussed in the response to other Open Items. The MWS WonderWare InTouch application will be the tool normally used to determine the specific cause of an alarm. The Main Annunciator System only displays system level alarms. The MWS InTouch application contains an alarm monitor, which is a troubleshooting aid that provides a detailed, specific display of the alarms generated by the Tricon PPS application.

3. Tricon Communications

Communications from the Tricon to external non-safety systems are functionally isolated by the Triconex Communication Module (TCM) and NetOptics Model PA-CU Network Port Aggregator Tap discussed in Tricon V10 SER Section 3.7.2.1. A fiberoptic data link provides electrical isolation. The prevents inbound communications from external devices or systems connected to Port Aggregator Port 1 from being sent to interactive Ports A and B. Port 1 is a port that does not listen to and is not affected by the communications activity generated by the external device or system to which it is connected. Port Aggregator port 1 will provide one-way data to the Gateway Computer via the Gateway Switch. The Gateway Computer transmits the data to the Plant Process Computer for use in the Control Room by the operators. Gateway Computer and Gateway Switch were installed by another The Plant Process Computer is an existing

4. Triconex TriLogger

The TriLogger software provides the ability to record, display, play back and analyze data from the Tricon system. Data can be viewed in real-time on the MWS. The TriLogger provides data trending and analysis capabilities and can be configured to trigger on specific events to log detailed data to aid technicians in isolating, diagnosing, and troubleshooting problems. However, the TriLogger must be connected and running at all times to perform these functions.

5. Tricon Diagnostic Monitor Utility

The Tricon Diagnostic Monitor utility displays Tricon system and status by mimicking the actual Tricon chassis and slots, so that the user find the exact location (chassis number and slot number) of a module may be experiencing a fault or other problem. The Tricon Monitor Utility improves reliability by aiding rapid troubleshooting and location at the Tricon system

6. Startup Delayer

Startup Delayer delays WonderWare startup until DDE Server initialized. Otherwise, WindowViewer may startup first and never connect DDE

7. TriStation 1131 (TS1131) Developers Workbench

TriStation 1131 is a PC-based application development workstation provides a comprehensive set of development, test, monitor, validation diagnostic tools for Triconex Programmable Logic Controllers (PLC). TS1131 program is utilized to maintain the PPS application program may also be used for monitoring and troubleshooting purposes. TS1131 program is described in the Tricon V10 SER Section


The TS1131 tool will be installed on the MWS. However, the TS1131 will not normally be running while the Tricon is performing its safety [Tricon V10 SER Section 3.10.2.9]. If the TS1131 workstation is during online safety operation for maintenance or troubleshooting its use will be controlled via administrative controls and maintenance personnel.

Write access to the operating Tricon is governed by the controller With the keyswitch in the RUN position, use of the TS1131 program limited to read only access to the Tricon. Parameters may be and application program logic operation may be observed in real time, changes are not possible. The TS1131 program can only write to the when the controller keyswitch is in the PROGRAM position. With keyswitch not in RUN, the PPS application will initiate an alarm on the Annunciator system and the affected PPS set will be declared with respect to its safety

Regardless of whether the keyswitch has been deliberately manipulated whether the condition is the result of Tricon hardware or software failure, internal Tricon diagnostics will detect a "keyswitch not in RUN" and the PPS application program will initiate a PPS Trouble alarm on Main Annunciator System. When the "keyswitch not in RUN" exists, the affected Tricon is considered to be INOPERABLE with respect its safety function. The operator would enter the appropriate Specification LCO upon determination that the PPS trouble alarm caused by the "keyswitch not in RUN"

The condition could be active in multiple Tricon protection sets because could occur as a result of common cause Tricon failure. Even with "keyswitch not in RUN" condition existing in multiple protection negative impact is limited because on-line maintenance will normally performed in one protection set at a time, and each Tricon protection has its own dedicated, independent MWS. Therefore, only one protection set at a time would be configured physically to make changes. If the TS1131 is not connected and running changes cannot occur even if the "keyswitch not in RUN" condition exists. That is, the mere existence of the "keyswitch not in RUN condition" does not initiate changes. Intentional action by a trained, knowledgeable individual is also required. Given the PPS trouble alarms that would be active in all affected protection sets, it is highly unlikely that unintended changes could occur.

If a PPS Trouble alarm were to occur on the Main Annunciator System due to the "keyswitch not in RUN" condition, regardless of the cause, the operator would notify DCPP Maintenance. In the absence of the detailed alarm monitoring provided by an on-line MWS (via the TCM NET2 interface), the maintenance technicians would be required to obtain work orders, gain access to the affected protection set, connect and boot the MWS, and only then could begin to determine the cause of the alarm. The alarm information would not be available if the alarm were due to a transient condition that cleared between the time the condition initiated and when the MWS was operational. Diagnosis of the condition could be delayed for several hours. With the on-line MWS and the alarm monitor function, the condition - whether caused by intentional manipulation of the Tricon controller keyswitch or by a hardware or software failure involving the keyswitch - would be identified immediately.

As with the ALS, the on-line Tricon MWS is essential to maintain the safety function, including surveillance testing per the Specifications and other required maintenance and is equivalent to existing, approved Eagle 21 Test in Bypass capability. The MWS required to bypass channels for testing.
Removing a Tricon from during such routine maintenance would require tripping all the channels that protection set, which would make up one channel in the logic for all channels in the protection set. This condition increases the of challenging plant safety systems should another channel inadvertently with the protection set out of
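
The receive-side checks described above for the ASU parameter display function (header contents, packet length, CRC comparison, then a GUI indication and a status-log entry on failure) are sketched below. This is an added example, not Westinghouse/CSI or PG&E code: the TxB2 packet format is not given on this page, so the frame layout, the CRC-16/CCITT-FALSE choice, and every name (`validate`, `on_frame`, `Receiver`, `make_frame`) are assumptions made for illustration.

```cpp
// Added illustration; not ASU source code. Assumed (hypothetical) frame layout:
//   [0..1] sync 0xA5 0x5A | [2] chassis 'A' or 'B' | [3] payload length N
//   [4..3+N] payload      | [4+N..5+N] CRC-16/CCITT-FALSE over bytes 0..3+N
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

enum class FrameStatus { Valid, BadHeader, BadLength, BadCrc };

constexpr std::size_t kHeaderLen = 4, kCrcLen = 2, kMaxPayload = 64;

// CRC-16/CCITT-FALSE: poly 0x1021, init 0xFFFF, no reflection, no final XOR.
std::uint16_t crc16_ccitt(const std::uint8_t* data, std::size_t len) {
    std::uint16_t crc = 0xFFFF;
    for (std::size_t i = 0; i < len; ++i) {
        crc = static_cast<std::uint16_t>(crc ^ (data[i] << 8));
        for (int bit = 0; bit < 8; ++bit) {
            crc = (crc & 0x8000)
                      ? static_cast<std::uint16_t>((crc << 1) ^ 0x1021)
                      : static_cast<std::uint16_t>(crc << 1);
        }
    }
    return crc;
}

// Checks run in the order the text lists them: header, length, then CRC.
FrameStatus validate(const std::vector<std::uint8_t>& f) {
    if (f.size() < kHeaderLen + kCrcLen) return FrameStatus::BadLength;
    if (f[0] != 0xA5 || f[1] != 0x5A || (f[2] != 'A' && f[2] != 'B'))
        return FrameStatus::BadHeader;
    const std::size_t n = f[3];
    if (n > kMaxPayload || f.size() != kHeaderLen + n + kCrcLen)
        return FrameStatus::BadLength;
    const std::uint16_t calculated = crc16_ccitt(f.data(), kHeaderLen + n);
    const std::uint16_t received = static_cast<std::uint16_t>(
        (f[kHeaderLen + n] << 8) | f[kHeaderLen + n + 1]);
    return calculated == received ? FrameStatus::Valid : FrameStatus::BadCrc;
}

const char* reason(FrameStatus s) {
    switch (s) {
        case FrameStatus::BadHeader: return "bad header";
        case FrameStatus::BadLength: return "bad length";
        case FrameStatus::BadCrc:    return "CRC mismatch";
        default:                     return "valid";
    }
}

struct AlsStatus {                        // stand-in for the "data class" the GUIs read
    char chassis = '?';
    std::vector<std::uint8_t> payload;
    unsigned long framesAccepted = 0;
};

struct Receiver {
    AlsStatus status;                     // last valid status only
    std::vector<std::string> statusLog;   // application status log
    bool guiFault = false;                // what the GUI would indicate
};

// Receive-only handler: nothing is ever sent back toward the source.
FrameStatus on_frame(Receiver& rx, const std::vector<std::uint8_t>& f) {
    const FrameStatus s = validate(f);
    if (s != FrameStatus::Valid) {
        rx.guiFault = true;               // indicate the issue, log it,
        rx.statusLog.push_back(std::string("rejected frame: ") + reason(s));
        return s;                         // and leave the stored status untouched
    }
    rx.guiFault = false;
    rx.status.chassis = static_cast<char>(f[2]);
    rx.status.payload.assign(f.begin() + static_cast<std::ptrdiff_t>(kHeaderLen),
                             f.end() - static_cast<std::ptrdiff_t>(kCrcLen));
    ++rx.status.framesAccepted;
    return s;
}

// Builds a constructed sample frame in the assumed layout (test data only).
std::vector<std::uint8_t> make_frame(char chassis,
                                     const std::vector<std::uint8_t>& payload) {
    std::vector<std::uint8_t> f = {0xA5, 0x5A, static_cast<std::uint8_t>(chassis),
                                   static_cast<std::uint8_t>(payload.size())};
    f.insert(f.end(), payload.begin(), payload.end());
    const std::uint16_t crc = crc16_ccitt(f.data(), f.size());
    f.push_back(static_cast<std::uint8_t>(crc >> 8));
    f.push_back(static_cast<std::uint8_t>(crc & 0xFF));
    return f;
}

int main() {
    Receiver rx;
    std::vector<std::uint8_t> good = make_frame('A', {0x10, 0x20, 0x30});
    std::vector<std::uint8_t> corrupt = good;
    corrupt[5] ^= 0x01;                   // single bit flipped in the payload
    std::printf("good:    %s\n", reason(on_frame(rx, good)));
    std::printf("corrupt: %s\n", reason(on_frame(rx, corrupt)));
    std::printf("accepted=%lu log entries=%zu\n",
                rx.status.framesAccepted, rx.statusLog.size());
    return 0;
}
```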


No. 70; Src/RI: WEK; Status: Open; RAI No.: RAI48

KVM Switch Question 1: If the Enumerated USB switching function is used, will you be able to use the Keyboard hotkeys and mouse buttons to perform switching? The brochure seems to indicate on page 3 that the Enumeration switching process will not enable control switching using the USB keyboard or mouse. However, it further says that Emulation USB switching was developed to support these enhanced monitor switching functions/devices (keyboard hotkeys or mouse buttons) .... Albeit, other USB devices (e.g., printer) do not need to use the Emulated USB switching function. Could you please clarify this point.

PG&E Response: The USB1 and USB2 ports, which use enumerated switching, pass data straight through the KVM switch without interpretation. Therefore, you cannot connect a keyboard to USB1 or USB2 and use the hotkeys to perform switching, and USB1 and USB2 traffic cannot cause an inadvertent switch. The block diagram shows the output of the emulated portion of the switch and the enumerated portion going to a USB hub before being sent to the computer. The keyboard and mouse will use the emulated switching function, not the enumerated switching function; only the keyboard and mouse can control the switch.

Comments: 11-28-12 update: Response Okay. Leave open until

No. 71; Src/RI: WEK

KVM Switch Question 2: Will the KVM switch be on-line 24-7 monitoring data from either the Tricon or the ALS platform? If so, what can we say about the failure modes of the KVM switch? Can it fail in such a manner so as to inject faults into the MWS computers, and hence into the Tricon or ALS safety system processors? If not, why? If so, what can be done to circumvent this problem, and show conformance with ISG-04, Points 10 & 11? We will need to cover this matter in the SER.

10-17-12 Update: Response below did not answer the question regarding failure modes of the KVM switch ... agree that it is Okay to lose the Tricon but I do not see how the ALS is protected due to its inherent 1-Way communications design. Please explain this further.

12-19-2012 Update question: In order for the staff to verify the response below regarding the ALS-102 Core Logic Board's one-way communications design attributes the staff will need to review the ALS-102 Design Specification document 6002-10202, and any other documents that explain this key design feature for the ALS Platform portion of the PPS (e.g., 00100, PPS ALS to ASU Communications Protocol??). ALS document 6002-10102 has not been submitted on the docket for staff review of the ALS Platform Topical Report. Therefore, please submit this document (and any others that explain this communications protocol) on the docket as of the PPS LAR

PG&E Response: The KVM switch will be on-line 24-7 for monitoring data from either the Tricon or ALS platform via the respective MWS computers. There is additional isolation because the ALS communicates strictly one way to its MWS except when TAB communications are enabled by connecting the TAB cable. Connection of the TAB is performed as directed by trained technician using an approved procedure. Therefore, if the KVM switch failed in some way to connect the two MWS together, the ALS would not be affected. The Tricon might be affected, but the D3 analysis allows the Tricon to fail due to CCF.

The following paragraphs have been added to the IRS Section 2.3.7:

b. The KVM switch shall permit only connections between a single computer and the selected video display and HMI interface devices. Connection between the computers shall not be permitted.

g. The AV4PRO-VGA KVM switch shall utilize the default switching mode, in which the video display, keyboard and mouse and the enumerated USB ports are all switched simultaneously.

Paragraph g was necessary to prevent the enumerated ports from being switched separately from the KVM.

Added PG&E Response 12/16/2012: During normal, non-maintenance operation, the ALS communicates one-way to its dedicated MWS computer via Transmit Bus TxB2 as discussed in the response to OI #73. Inter-divisional safety to non-safety communications are addressed in ALS Topical Report Section 5.2.3. The TxB2 data communication path from the ALS-102 Core Logic Board to the ALS MWS computer is an EIA-422 communication link in which Receive capability is physically disabled by hardware as described in 6002-102002, the ALS-102 Design Specification. The receiver is configured such that the transmit data is looped back for channel integrity testing. The ALS-102 is physically and electrically incapable of receiving information from outside the ALS-102. Therefore, the ALS cannot be affected by a malfunction in the dedicated MWS computer associated with an ALS protection set regardless of whether the malfunction is caused by KVM switch malfunction or by malfunction of the MWS computer itself.

WEC Response 12/17/2012: The 1E/non-1E data communication is described in the ALS Topical Report, Sections 2.2.1.3 and 5.3.2; and in 6116-00054, "Diablo Canyon PPS ISG04 Matrix", Position 2. The electrical isolation qualification of the 1E/non-1E data communication is not part of the ALS Platform review project, and will be qualified with an isolation fault test that will be conducted 1st quarter 2013 per IEEE Std 384-1992, "IEEE Standard Criteria for Independence of Class 1E Equipment and Circuits" and Regulatory Guide 1.75, "Criteria for Independence of Electrical Safety Systems." A supplemental test report will be issued 2nd quarter 2013.

Comments: the KVM Switch information is provided within the LAR revision. 12-19-2012 update: The staff will review 10202 and determine if this document provides the information requested. Nonetheless, PG&E needs to address the "inherent 1-way communications" design and communications protocol of the 102 board in detail within this OI - as it relates to the DCPP PPS. Also, need to update the LAR to cover the portions not being addressed in the ALS TR SER, i.e., 1E/non-1E data communications electrical isolation for ALS. See follow up question for OI 68. 11-28-12 update: ALS ISG-04 compliance was submitted, and Westinghouse thinks that this will answer this question. PG&E needs to respond to 12 update in the description section. Leave open until the KVM Switch information is provided within the LAR revision. 10-17-12 Update: Note: "IRS" is the Interface Requirements Specification (Attachment 8 of the LAR).

No. 72; Src/RI: WEK; Status: Open; RAI No.: RAI43, Or, this information could be included in the next LAR update - need to decide which path is desired.

KVM Switch Question 3: Also, you will likely need to address how you will disable the features you are not using such as the audio interface, unused USB ports, remote control/channel switching by external control from an SDOE perspective - and probably a cyber security perspective later on (after SER).

10-17-12 Update: The methods used to block Ports in the KVM Switch must be addressed in the LAR revision. Block all unused Ports and keep any that may need to be reopened under design or configuration control. Again, we need a detailed explanation of how this 1-way design feature will prevent the KVM switch failures from affecting the ALS system.

PG&E Response: Specific answers to these questions depend on the detailed design. Ports can be physically blocked, which might be appropriate for unused computer ports and the audio ports. It might not be appropriate for the unused USB port (which may be needed for a future printer) and the options port (which may be needed for firmware updates). Remote control switching or firmware update requires a custom serial cable. The firmware update requires specialized software on the computer being used to perform the update. Firmware update will be done by procedure. The MWS will be inside a locked cabinet inside a vital area inside the protected area. Inadvertent actions, while not impossible, will not be easy. If the switch is somehow manipulated, the ALS will not be affected even if the KVM switch fails because the ALS communicates only one-way with the MWS except for short periods when the TAB is enabled.

Revised PG&E Response 12/16/2012: PG&E will physically block the audio port, USB Port 2 and unused computer ports. Physical blocks will be verified at SAT and controlled thereafter by the SCMP. PG&E considers that opening any of the unused ports for use after the SAT is a modification of the physical plant configuration that will require an engineering design change.

Comments: 12-19-2012 update: response acceptable, however, this information needs to be provided in the LAR. Also, address how this will be maintained by the DCPP Configuration Management Process. 11-28-12 update: PG&E needs to respond to 12 update in the description section. Leave open until the KVM Switch information is provided within the LAR revision.

No. 73; Src/RI: WEK; Status: Open Hold

KVM Switch Question 4: If the KVM switch does fail in some manner allowing data flows between the two platforms, then the ALS system would not be affected because the ALS platform will only transmit data in one direction to its MWS (with the TAB cable disconnected of course). This is good, however, the LAR (or attachments) need to explain how the engineering design principles of the ALS platform physically prevent bad/erroneous data from corrupting the ALS platform. In other words, explain how these messages emanating from the MWS (regardless of origin) will be disregarded/rejected by the ALS platform thus allowing only one direction of data flow.

10-17-12 Update: The ALS-102 Design Specification document 6002-10202 has not yet been submitted to the NRC. When will it be submitted?? Will this EIA-422 (or is it RS-422 per Fig. 4-13 in the LAR) communication link (twisted pair copper wire) also serve as the 1E/non-1E isolation devices as required by IEEE 603, Clause 5.6.3 and IEEE 7-4.3.2, Clause 5.6?? Please clarify.

11-28-2012 Update: Still need more information re: 1E/non-1E isolation of the ALS-102 board.

PG&E Response:

Revised PG&E Response 12/16/2012: The design of the TxB1 and TxB2 data communication paths from the ALS-102 Core Logic Board and the Gateway Computer and MWS, respectively, are EIA-422 communication links in which Receive capability is physically disabled by hardware as described in 6002-102002, the ALS-102 Design Specification. The receiver is configured such that the transmit data is looped back for channel integrity testing. The ALS-102 is physically and electrically incapable of receiving information from outside the ALS-102. Therefore, messages are not disregarded or rejected by the ALS-102. This is better than a "broken wire." The wire just isn't there, and there is no place to connect a wire if someone wanted to do so.

Updated PG&E Response 12/16/2012: Per the 10/17/2012 update, NRC is correct regarding the typographical error in Section 2.4.13.5 on page 90 of the LAR. The correct ALS-102 Design Specification document number per LAR Reference 94 is 6002-10202. Per the 11/28/2012 update, RS-422 is the common short form title of American National Standards Institute (ANSI) standard ANSI/TIA/EIA-422-B Electrical Characteristics of Balanced Voltage Differential Interface Circuits. This technical standard specifies the electrical characteristics of the balanced voltage digital interface circuit. For the purposes of the LAR, the two designations are equivalent and may be used interchangeably.

Comments: 12-19-2012 update: As discussed in the 10-17-2012 for this OI, and the 12-19-2012 Follow up Question for OI 71, the staff needs ALS Design Specification document 10202 submitted for its review in order to resolve this OI. This OI will be placed on Hold until the documents are received on the docket. 11-28-2012 update: PG&E needs to respond to 12 update in the description section. PG&E needs to respond to 10-17-12 update in the description section. 10-17-12 Update: there is a typo in section 2.4.13.5 on page 90 of the LAR. The first paragraph references ALS doc. 6002-61202 (typo) as the document that explains how the EIA-422 communication channels on the ALS-102 are electrically isolated and inherently way communications capability only. The document 6002-10202, in reference 94 is the correct document.

No. 74; Src/RI: WEK; Status: Open; RAI No.: RAI50

KVM Switch Question 5: Please explain in detail how "Connection between the computers shall not be permitted." Will this be handled via a configuration control process, administrative controls, or a physical means of preventing connection between computers?

PG&E Response: This section was intended to be a functional requirement for the KVM switch. Administrative and configuration controls will prevent inadvertent loading of an EPROM image that could corrupt operation of the KVM switch. If the KVM switch fails and connects the ALS and Tricon MWS together, the above-described physical and electrical restrictions of the KVM switch will prevent the ALS from being corrupted by its MWS computer.

Comments: 11-28-12 update: Leave open until the KVM Switch information is provided within the LAR revision. 10-17-12 Update: Response is Okay, but the LAR revision will need to expand further on this matter to explain how these controls will provide this protection.

79 February 18, 2013 DCPP PPS Open Item Summary Table Page 28 of 31 No SrclRI Issue Description P&GE response: Status RAI No. RA/ Comments (Date Sent) Response (Due Date) 75 RJSI NSIR ALS Security Plan Document 6002-00006 references the CS Innovations Cyber security plan document (Reference 7) which is not docketed. Without having access to this referenced document, the staff is unable to confirm implementation of the system security requirements. We need to discuss if this document can be made available on the share point or if it can be made available during the audit. Open NoRAI Note: RJS -This is an ALS audit item. We will hold open pending the outcome of the February audit. In addition CS-00013-GEN, Development Environment Evaluation Report-CS Innovations Isolated Development Infrastructure might be another document of interest to the staff. It seems that this document would provide evidence that the actual development environment was in fact secure. This document was not docketed. PG&E Response: Westinghouse can make available during the audit both CSI document 9000-00360, "CS Innovations Cyber Security Plan" and WNA-CS-00013-GEN, "Development Environment Evaluation Report -CS Innovations Isolated Development Infrastructure." Invensys to confirm that the following terms are not used, and that they will Open be removed from their plans and replaced with the correct terms. RA

  • Test Review Board
  • Test Case Incident Report
  • Master Configuration Checklist
  • Configuration Database

PG&E Response: The following Invensys documents were revised to reflect correct terminology and placed on the Invensys SharePoint on December 22, 2012:
1) 993754-1-905, Project Management Plan
2) 993754-1-906, Software Development Plan
3) 993754-1-909, Software Configuration Management Plan
4) 993754-1-813, Validation Test Plan
The revised documents will be submitted by PG&E by March 21, 2013.
Comments: 01/23/2013 update: These documents were posted on the Invensys SharePoint 01/22/2013. 12/19/12: item open until new document revisions are submitted.

80 RA: Invensys to revise its plans to reflect the current project organization.
PG&E Response: The Invensys Project Management Plan (PMP), 1-905, was revised to reflect the current project organization and placed on the Invensys SharePoint on December 22, 2012. The revised PMP will be submitted by PG&E by March 21, 2013.
Status: Open.
Comments: 01/23/2013 update: These documents were posted on the Invensys SharePoint 01/22/2013. 12/19/12: item open until new document revision is submitted.

81 RJS: Channel level Bypass Functionality
The criteria in ISG-04 position 10 only allows for software configuration activities when the entire safety division (i.e., all channels and functions) is inoperable. The Diablo Canyon PPS design however, allows channel or specific function level configurability while the remaining safety division functions remain operable. This design does not meet the criteria of ISG-04 position 10. The licensee will need to provide a justification for this as an alternative means of meeting the regulatory requirements of IEEE 603-1991 clauses 5.7, 6.5, and 6.7.
PG&E Response: PG&E will provide justification for an acceptable alternative to ISG-04 Position 10 for the PPS replacement design in section 4.8.10 of the LAR Supplement.
Status: Open.
Comments: 1/25/13: This OI was discussed at the 1/24/13 conference call. PG&E agreed to consider presenting this as an acceptable alternative to the ISG 4 position 10 guidance. We expect a followup discussion during the 2/21 conference call.

82 RA: V&V Plan
Westinghouse/CSI document 6116-00001 Rev. 1 includes Table 2 in Appendix A. This table identifies several notes, which provide additional information. However, the descriptions for these notes are not included in the Appendix. Please provide this information.
PG&E Response: CSI document 6116-00003 Rev. 1 (Diablo Canyon PPS VV Plan) will need to be revised to provide descriptions for the notes. The revised 6116-00003 will be submitted by TBD?
Status: Open.
Comments: 01/23/2013 update: The document number is incorrect. The document is 6116-00003, and it was provided in Attachment 6 to PG&E Letter 12-121.

83 RA: V&V and Hazard Analysis
Westinghouse/CSI documents 6116-00001 Rev. 1 and 6116-00000 Rev. 3 state that software hazard analysis of the ALS system is the responsibility of PG&E. However, the PG&E SyVVP, which was submitted as Attachment 5 of the LAR, does not describe how PG&E will perform the software hazard analysis of the ALS system. The SyVVP, Section 5.1.2.3 states that PG&E will verify that new hazards were not introduced during installation. Please clarify who will perform the hazard analysis activities for each phase of the development process that are required by IEEE 1012, for the ALS system.
PG&E Response: Hazard analysis activities for design and building of the ALS system will be performed by Westinghouse and for installation will be performed by PG&E. Revision to CSI and PG&E documents are required to address the responsibilities for the hazard analyses during the different phases.
Status: Open.
Comments: 1/25/13: This OI was discussed during the 1/24/13 conference call. The current planning documents under review do not include provisions for performing the hazard analysis activities.

84 RA: IRS
Revision 7 of the Interface Requirement Specification, Section 3 Appendices, lists the I/O lists for each protection set. However, these appendices are not included in the document.
Status: Open.


PG&E Response: The I/O list was not submitted with IRS Revision because it is not a document that is required to be submitted by Enclosure B based on previous discussions with the staff. The I/O list provided to the staff during the CSI audit. PG&E will submit the I/O list requested by the

85 RJS: What security measures will be implemented to the MWS so that the MWS is consistent with NEI 08-09, Appendix D.1.1? Explain the statement access to the maintenance workstation will be consistent with the NEI Appendix D.1.1. Additionally, explain whether security measures to implemented include technical and operational security design incorporated into the
PG&E Response: Installation of the PPS replacement is scheduled September 2015 and assessment of the whole PPS replacement including the maintenance workstation, as prescribed in section 3 of Diablo Canyon CSP, will begin in April 2013. The assessment determine any security measures for the maintenance consistent with NEI 08-09 Appendices D and E, that need to be

Enclosure 3

Project Plan for Diablo Canyon Replacement of Digital RPS ESFAS (PPS) - LAR Review (Rev.

Step | Planned Date | Task | Date
1 | Oct. 26, 2011 | PG&E LAR Submittal for NRC approval. Submittal includes all Phase 1 documents needed to be docketed prior to acceptance for review per ISG-06, "Digital Licensing." | Oct. 26, 2011
2 | Jan. 12, 2012 | Acceptance Review complete. LAR accepted for detailed technical review. Several issues identified that could present challenges for the staff to complete its review. Scheduled public meeting with PG&E to discuss the results of the acceptance review. | Jan. 12, 2012
3 | Jan. | Acceptance letter sent to licensee. | Jan. 13, 2012
4 | Jan. | Conduct Public Meeting to discuss staff's findings during the LAR acceptance review. Staff proceeds with LAR technical review. | Jan. 18, 2012
5 | March | PG&E provides information requested in acceptance letter. Initiate bi-weekly telecoms with PG&E and its contractors to discuss potential RAI issues. Open Items spreadsheet will be maintained by NRC to document staff issues and planned licensee responses. | April 2, 2012
6 | May 30, 2012 | PG&E provides partial set of Phase 2 documentation per commitments made in LAR. | June 6, 2012*
7 | July 2012 | First RAI sent to PG&E on Phase 1 documentation (e.g., specifications, plans, and equipment qualification). Continue review of the application. Request 45 day response. (ML12208A364) | August 07, 2012
8 | June 2012 | SER for Tricon V10 Platform issued final. This platform becomes a Tier 1 review of the LAR. (rylL12146t-01 0) | May 15, 2012
8.1 | March 2013 | SER for Westinghouse ALS Platform issued final. This platform becomes a Tier 1 review of the LAR. |
9 | September 2012 | Receive answers to first RAI. (ML12256A308) | Sept. 11, 2012
10 | November 2012 | Audit trip to Invensys facility for thread audit; audit the life cycle planning documents and outputs, with particular emphases on verification and validation, configuration management, quality assurance, software safety, the Invensys application software development procedures, and application software program design. | Nov. 16, 2012
11 | December 2012 | Audit report provided to PG&E and its contractor. |
11.1 | February 2013 | LAR revision and all supporting documentation associated with the change in ALS and Tricon V10 workstation designs for the PPS are submitted. |
11.2 | March 2013 | Follow-up audit trip to Invensys facility for thread audit; audit the life cycle planning documents and outputs, with particular emphases on verification and validation, configuration management, quality assurance, software safety, the Invensys application software development procedures, and application software program design. |
11.3 | February 2012 | Audit trip to Westinghouse/CSI facility for thread audit; audit the life cycle planning documents and outputs, with particular emphases on verification and validation, configuration management, quality assurance, software safety, the W/ALS application software development procedures, and PPS ALS application software program design. Audit dates are planned for Feb. 11-15th, 2013. |
12 | March 2013 | PG&E provides remaining set of Phase 2 documentation per commitments made in LAR. |
12.1 | March 2013 | All Documentation for DCPP W/CSI ALS and IOM/Triconex V10 processors applicable to the DCPP PPS LAR are submitted. |
13 | April 2013 | Second RAI to PG&E on Phase 2 documentation (e.g., FEMA, safety analysis, RTM, EQ Tests results, setpoint calcs, SW Tool analysis reports, and any incomplete or un-satisfactory response to first RAI). Continue review - hardware and program design and V&V activities. |
14 | May 2013 | Receive answers to second RAI. Continue review - V&V program, security requirements (RG 1.152, Rev. 2). |
15 | March 2013 | Audit trip to W/ALS facilities for additional thread audit items; audit hardware and software installation plans, configuration management reports, detailed system and hardware design, completed test procedures, V&V activities, summary test results (including FAT) and incident reports, and application code listings. |
15.1 | April 2013 | Audit trip to Invensys facilities for additional thread audit items; audit hardware and software installation plans, configuration management reports, detailed system and hardware design, completed test procedures, V&V activities, summary test results (including FAT) and incident reports, and application code listings. |
16 | May 2013 | Audit reports provided to PG&E and its contractors. |
17 | November 2013 | Presentation to ACRS Subcommittee/Full ACRS Committee on DCPP PPS LAR Safety Evaluation. |
18 | November 2013 | Complete draft technical SER for management review and approval. |
19 | December 2013 | Issue completed draft technical SER to DORL. |
20 | December 2013 | Draft SER sent to PG&E, Invensys, and W/CSI to perform technical review and ensure no proprietary information was included. |
21 | January 2014 | Receive comments from PG&E and its contractors on draft SER proprietary review. |
22 | March 2014 | Approved License Amendment issued to PG&E. |
24 | September 2014 (tentative) | Inspection trip to DCPP for PPS Site Acceptance Testing (SAT), training and other preparation for installing the new system. To be coordinated with regional visit. Date based on receipt of new PPS system at the site in preparation for September 2015 Unit 1 Refueling Outage (1R19). |
 | September 2015 | Inspection trip to DCPP for PPS installation tests, training and other system installation activities for the new system. To be coordinated with regional visit. Date based on September 2015 Unit 1 Refueling Outage (1R19). |

*PG&E provided a subset of the Phase 2 documents on June 6th and committed to send the rest by July 31, 2012.

Please direct any inquiries to me at 301-415-5430, or james.polickoski@nrc.gov.

/RA by JSebrosky for/
James T. Polickoski, Project Manager
Plant Licensing Branch IV
Division of Operating Reactor Licensing
Office of Nuclear Reactor Regulation

Docket Nos. 50-275 and 50-323

Enclosures:
1. List of Attendees
2. NRC Staff Identified Open Issues
3. LAR Review Project Plan

cc w/encls: Distribution via Listserv

DISTRIBUTION: PUBLIC; LPLIV r/f; RidsAcrsAcnw_MailCTR Resource; RidsNrrDeEicb Resource; RidsNrrDorlLpl4 Resource; RidsNrrLAJBurkhardt Resource; RidsNrrPMDiabloCanyon Resource; RidsRgn4MailCenter Resource; SDarbali, RStattel, RAlvarado, CAntonescu, SMakor; DHuyck, EDO; VDricks, OPA

ADAMS Accession Nos.: ML13148A420
OFFICE: NRR/DORL/LPL4/PM, NRR/DORL/LPL4/LA, NR
NAME: JPolickoski, JBurkhardt, MMarkley, JSebrosky for JPolickoski
DATE: 5/31/13, 5/31/13, 6/6/13, 6/6/13
OFFICIAL RECORD COPY