Latest revision as of 08:15, 11 January 2025

Text

3/27/2013 - Summary of Meeting with Pacific Gas and Electric Company to Discuss Digital Replacement of Process Protection System at Diablo Canyon Power Plant, Units 1 and 2
	ML13149A068
Person / Time
Site:	Diablo Canyon
Issue date:	06/04/2013
From:	Polickoski J; Plant Licensing Branch IV
To:	Halpin E; Pacific Gas & Electric Co
	Polickoski J
References
	TAC ME7522, TAC ME7523
	Download: ML13149A068 (114)
	v • d • e

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 June 4, 2013 LICENSEE:

Pacific Gas and Electric Company FACILITY:

Diablo Canyon Power Plant, Units 1 and 2

SUBJECT:

SUMMARY

OF MARCH 27, 2013, TELECONFERENCE PUBLIC WITH PACIFIC GAS AND ELECTRIC COMPANY ON DIGITAL REPLACEMENT OF THE PROCESS PROTECTION SYSTEM PORTION OF THE REACTOR TRIP SYSTEM AND ENGINEERED SAFETY FEATURES ACTUATION SYSTEM AT DIABLO CANYON POWER PLANT. UNIT NOS. 1 AND 2 (TAC NOS. ME7522 AND ME7523)

On March 27,2013, a Category 1 teleconference public meeting was held between the U.S. Nuclear Regulatory Commission (NRC) and representatives of Pacific Gas and Electric Company (PG&E, the licensee) at NRC Headquarters, One White Flint North, 11555 Rockvi"e Pike, Rockvi"e, Maryland. The purpose of the teleconference meeting was to discuss the license amendment request (LAR) submitted by PG&E on October 26, 2011, for the Digital Replacement of the Process Protection System (PPS) Portion of the Reactor Trip System and Engineered Safety Features Actuation System at Diablo Canyon Power Plant (DCPP), Unit Nos. 1 and 2 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML113070457). The meeting notice and agenda, dated March 15, 2013, is available in ADAMS at Accession No, IVIL1307 4A 118. A list of attendees is provided as Enclosure 1.

This meeting is one in a series of publicly noticed teleconference meetings to be held periodically between NRC staff and PG&E to discuss issues associated with the NRC staff's LAR review. Preliminary issues identified by the NRC staff during the review and licensee responses to those issues were discussed during the meeting. The list of preliminary issues that are still in discussion and review is provided in Enclosure 2 ("open items"). Those preliminary issues that have either been closed as questions or resulted in NRC requests for additional information (RAls) were archived in a "closed items" tracking table in Enclosure 3, The updated NRC staff's LAR review project plan was also discussed and is provided in.

Discussion highlights from this meeting include:

The NRC staff from the Office of Nuclear Security and Incident Response (NSIR) was present to discuss how PG&E is implementing the security measures described in the NRC-approved DCPP Cyber Security Plan within the PPS digital upgrade. PG&E's staff reviewed the licensee's methods for incorporating cyber security reviews during PPS development. The NRC's NSIR staff wi" update cyber security-related action items prior to the next meeting, and meeting attendees concurred that an additional, non-public meeting for review of proprietary and/or sensitive but unclassified items will not be needed.

- 2 The NRC staff discussed a number of action items from Enclosure 2 that will be closed and transitioned to Enclosure 3 due to incorporation in a set of RAls to be issued shortly by the NRC.

The NRC and PG&E staff discussed a number of action items from Enclosure 2 that are awaiting PG&E document submission. These include docket submission or SharePoint posting of the remainder of the Phase 2 documents, a PG&E LAR supplement, and PG&E's responses to the above RAls. Since PG&E's staff stated that these documents will not be available until late April, the next periodic teleconference public meeting will not be scheduled until at least 2 weeks after PG&E document submission to allow time for the NRC staff's review.

The NRC staff discussed the recent receipt of the PG&E summary report regarding this LAR's potential impacts with the DCPP Technical Specifications (TS). Further, NRC staff discussion will be guided by NRC TS Branch input following their review of this report.

The NRC and PG&E staff discussed the responsibility, timing, performance, and documentation of the software hazard analysis during the various design, development, testing, and implementation phases.

The NRC and PG&E staff discussed the Enclosure 4 project plan on the timing of the following: safety evaluation report (SER) for the Westinghouse Advanced

, Logic System (ALS) Platform; NRC staff audit reports (technical and cyber security) and completion of the February 11-14, 2013 onsite audit of the PG&E supporting vendor CS InnovationslWestinghouse; and PG&E LAR supplement and RAI responses. Additionally, the NRC and licensee discussed the timing of the remaining PG&E Phase 2 document submittals and the next licensee-vendor NRC staff audit and Factory Acceptance Testing (FAT) trips.

The NRC staff discussed the impact of the changing PG&E document submission milestones on completion of the NRC safety evaluation.

The NRC staff and the licensee agreed that the next periodic teleconference public meeting on this topic would be held in approximately mid-May 2013 with the exact timing dependent on PG&E document submission including a minimum two-week NRC review allowance.

A member of the public was in attendance. Public Meeting Feedback forms were not received.

- 3 Please direct any inquiries to me at 301-415-5430, or)J*~~IL!::!!.~~~~~f!!..

Ja es 1. Polickoski, Pr 'ect M Plant Licensing Branch I Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation Docket Nos. 50-275 and 50-323

Enclosures:

1. List of Attendees

2. NRC Staff Identified Open Issues

3. NRC Staff Identified Closed Issues 4, LAR Review Project Plan cc w/encls: Distribution via Listserv

LIST OF ATTENDEES MARCH 27, 2013, TELECONFERENCE MEETING WITH PACIFIC GAS AND ELECTRIC COMPANY REGARDING PROCESS PROTECTION SYSTEM DIGITAL UPGRADE FOR DIABLO CANYON POWER PLANT. UNIT NOS. 1 AND 2 DOCKET NOS. 50-275 AND 50-323 NRC

Participants:

Headquarters:

Rich Stattel, Senior Electronics Engineer, Instrumentation and Controls Branch, NRRIDE Rossnyev Alvarado, Electronics Engineer, Instrumentation and Controls Branch, NRR/DE

Eric Lee, Senior Security SpeCialist, Cyber Security & Integrated Response Branch, NSIRJDSP James Polickoski, Project Manager, Plant Licensing Branch IV, NRR/DORL Region IV:

Shiattin Makor, Reactor Inspector, Engineering Branch 2, RIVlDRS

Pacific Gas and Electric Company

Participants:

Ken Schrader, Regulatory Services

Scott Patterson, Program Manager

R. Lint, Altran

Ted Quinn, Altran

J. Rengepis, Altran

Roman Shaffer, Invensys

J. Basso, Westinghouse/CS Innovations

S. Karaaslan, Westinghouse/CS Innovations

W. Odess-Gillett, Westinghouse/CS Innovations

Public:

Gordon Clefton, Senior Project Manager, Nuclear Energy Institute

denotes participating via teleconference

March 25, 2013 DCPP PPS Open Item Summary Table Page 1 of 32 No SrclRl Issue Description P&GE response:

Status 40 Software Tools Close In the ALS Progress Update 2012-OS-01 provided to the staff, Westinghouse/CSI described that they are replacing Automated Test Environment (ATE) from IW credited tools with a LabView based ALS Board Test System (ABTS). Also, in this presentation, Westinghouse/CSI noted that they are performing additionallV&V and equipment qualification tools.

Since this information needs to be reflected in the software planning documents, please identify how these items will affect Westinghouse/ALS documents related to PPS replacement project. Also, identify what document will be revised to include description of these modifications.

PG&E Response: The ALS Design Tool 6002-00030 requires revision to replace the ATE with the ABTS. The revised ALS Design Tool, Revision 9, document includes the ABST tool in Section 12 and was submitted by Westinghouse to the NRC on January 1S, 2013 that addresses the tools used.

RAI Comments RAINo.

(Date Sent)

Response

(Due Date) 01/23/2013 update:

CSI document 6002-00030 Rev. 9 is not available in ADAMS yet. Please clarify if the ATE tool is used for V&V review. This item will remain open until the document i is available to the staff.

01/10/2013 update:

The ALS Design Tool 6002-00030 Rev.S indicates that Westinghouse/CSI is using ATE.

Further, Rev 7 of the 6002-00003, ALS V&V Plan, states that this plan was revised to identify ABTS as the primary board integration level test tool. replacing ATE.

Please clarify the discrepancy between the response provided and the information in Rev. S.

41 March 25,2013 DCPP PPS Open Item Summary Table SrclRI Issue Description No

["&(;E"'8"0"**:

RA Software V&V and Test Plan Westinghouse/ALS document 6116-0005, section 8.2 identifies the software tools to be used in the PPS replacement project. However, this list is not consistent with the list of IV&V tools identified in Section 3.6 of ALS W Plan 6002-00003. Specifically, the test tools identified in 6002-00003 are not listed in 6116-00005 and vice versa. For example, the W Plan (6002 00003) identifies ATE tool for IV&V, but this tool is not listed in 6116-0005 Rev. 1. Furthermore, the staff reviewed 6116-0005 Rev. 0, and found that the ATE tool was listed in this version. Please clarify what software tools will be used and what document describes them.

PG&E Response: A new revision of the ALS V&V Plan 6002-00003, Revision 7, Figure 3-2, identifies the ABTS and the ISE as the IV&V test tools. This new revision was docketed October 31,2012 on the ALS platform docket. The ATE is removed from the set of IV&V test tools. The tools listed in document DCPP PPS Test Plan 6116-00005 section 8.2 and the tools listed in DCPP PPS W Simulation Environment SpeCification, 6116-10216, (to be placed on the Sharepoint by April 18, 2013 and submitted by May 17, 2013) encompass the IV&V test tools in the new Status Re-Open RAINo.

(Date Sent)

RAI24 RAI

Response

(Due Date)

Page 2 of 32 Comments 12/19/12 update:

ALS Design Tool 6002-00030 was submitted to the NRC. NRC Staff will review this document and identify follow up questions, if necessary, creating a new open item.

10/17/12 update:

Westinghouse/ALS will submit the ALS Design Tools on 10/31/2012 01/23/2013 update:

This item to remain open because DCPP PPSW Simulation Environment Specification, 6116 10216, has not been submitted.

01/10/2013: See comment provided in item 40.

Also, DCPP PPS W Simulation Environment SpeCification, 6116 10216, has not been submitted.

48 March 25,2013 DCPP PPS Open Item Summary Table No...... I SrclRI I Issue D ~scription P&GE response:

revision of the AlS V&V Plan, 6002-00003.

RA Softwa PG&ES docume that ano respect not incl the PG Further for app docume docume docume PG&E

1.

2.

Softwa

1.

The org not con For exa

,V&V yWP, Section 6, requires that anomalies detected are identified,

,ted, and resolved during the V&V activities. This section states rnaly reporting and resolution requirements are defined in the fe PG&E control procedures. Section 2 "Control Procedures does de a reference for an anomaly reporting procedure. Please identify E control procedure used for anomaly reporting.

Section 7 of the SyWP states that the PG&E authority responsible wing deviations from SyWP is the PG&E Project Manager, who will

,t hislher approval a Change Notice or equivalent formal PG&E

,t. Please identify where the responsible PG&E authority will

,t its approval.

esponse:

'he PG&E control procedure for anomaly reporting is OM7.1D1, Problem Identification and Resolution." This procedure governs the IPS replacement after it has been turned over to PG&E by the uppliers. The suppliers' anomaly reporting procedures are IPplicable prior to this turnover.

rhe responsible PG&E Project Manager will document approval in in SAP notification. This has been included in revision 1 of the iyWP placed on the Sharepoint and submitted in Attachment 1 to

,e Enclosure of PG&E letter DCl-13-028 submitted March 25, 013.. It is noted that Section 7 of the SyWP states the deviation hall be incorporated into the SyWP as a revision at the first

.lractical opportunity.

e Configuration Management Jrganization anization and responsibilities described in Section 4 of CF2.1D2 is listent with the information presented in Section 2 of SCMP 36-01.

rnple, Section 2 of SCMP 36-01 identifies system coordinator, RAINo.

Status (Date Sent)

Closed Open Page 3 of 32 RAI

Response

(Due Date) comm.n~

2/22/13 New version of SyWP is on Sharepoint.

01/23/2013 update:

Need to know when the new revision of SyWPwilibe submitted 12119/12: item 2 still pending 10/17/12 update:

For item 2 - PG&E will revise the SyWP and submit it on 11/30/2012 9/17112 update (Alvarado): NRC staff received copies of OM7.ID1 and XI1.ID2. This addressed item 1 of this open item.

01/23/2013 update:

identify date for next revision 12/17/12 update:

51.2

60 March 25, 2013 DCPP PPS Open Item Summary Table Page 4 of 32 SrclRI No

,----~~~

RJS (STSB IAPLA Issue Description P&GE response:

application sponsor, and system team, who are not identifiedm Section 4 of Cf2.ID2. Further these descriptions are not identified in the project organization described in PG&E PPS Replacement Plan (Attachment 3 of the LAR). Please clarify the roles and responsibilities for SCM. and provide a cross reference of the PG&E organizations described in these documents.

PG&E Response 12/16/2012:

PG&E will revise the SCMP plan to be consistent with CF2.ID2 section 4 organization,,including a description of additional roles and responsibilities not required by CF2.ID2.if needed. The revised 36-01 document will be submitted by April 26. 2013.

Technical Specifications:

i

)

~ In order for the staff to make a determination that the existing technical specifications and surveillance intervals remain acceptable for the replacement PPS system, an evaluation to compare the ALSrrricon PPS system reliability and performance characteristics with those of the Eagle 21 system must be performed by PG&E.

Please provide an evaluation summary report to support the application of existing technical specification and surveillance test intervals to the upgraded ALSrrricon based PPS system. This summary report is expected to include a quantitative analysis to demonstrate the new system's ability to perform its required safety functions between established surveillance test intervals. This report should also include a qualitative (Le., deterministic) analysis which describes the self diagnosis and fault detection features of the replacement PPS. In addition, this summary report should address the staffs previous findings in Section 4.3, "Applicability ofWCAPs to DCPP," of Amendment No. 179, dated January 31,2005 (ML050330315).

Status Open

~~~~~~

RAI No.

(Date Sent)

RAI39

~~~~~------~~~~~

RAI Comments

Response

(Due Date)

Waiting for PG&E to revise SCMP.

10/17/12 update:

PG&E will revise the SCMP to address several open items 1/16/13-Waiting for Evaluation Summary Report which is due at end of January.

PG&E Response: An evaluation summary report to support application of

March 25, 2013 DCPP PPS Open Item Summary Table Page 5 of 32 No

~~~~

~---~~

SrclRI Issue Description P&GE response:

Status RAINo.

RAI Comments (Date Sent)

Response

(Due r-:--~ ~

~ ------~ ~ ~

~ ~ -------~ ~

Date) the exiting TS and TS surveillance test intervals is contained in the Westinghouse Document, "Justification for the Application of Technical Specification Changes in WCAP-14333 and WCAP-15376 to the Tricon/AlS Process Protection System" that was submitted in Attachment 9 to the Enclosure of PG&E letter DCl-13-016 dated March 7,2013. The document provides a qualitative comparison of features important to the reliability of the Tricon and AlS subystems and the Eagle 21 system, evaluates the applicability of the WCAP-14333 P A, Revision 1, and WCAP 15376-P-A, Revision 1, analyses to the PPS replacement configuration, and evaluates the compliance with the staff conditions and limitations contained in the NRC safety evaluations forWCAP-14333 and WCAP 15376 and Section 4.3 ofthe Amendments 179 and 181.

64 RA Closed RAI40 Software Management Plan To close Items 27 and 29, PG&E issued the DCPPS Project Quality Assurance Plan to define the oversight activities to be performed during the PPS replacement project. Section 2 of this plan describes the responsibilities of those involved in oversight activities. However, it is not clear how these roles and responsibilities correlate to the project organization described in PG&E PPS Replacement Plan (Attachment 3 of the LAR) and PG&E PPS Replacement System Quality Assurance Plan (Attachment 4 of the LAR). For example, the Project Quality Assurance Plan describes the responsibilities of the PPS replacement Project Manager, but this role is not described in other documents, Further, the responsibility described seems to align with the responsibility of the PG&E Project Manager. Please explain the relationship, if any, of the roles and responsibilities described in the DCPPS Project Quality Assurance Plan and those provided in other PG&E plans.

-=-=-:~~

~~-------~~

PG&E Response: The "Quality Assurance Plan for Diablo Canyon Process Protection System Replacement" (referred to as the "Project Quality Plan" in response to Ols 27 and 29) was a project specific document created by the Quality Verification group (a Quality Assurance organization) to identify the

March 25, 2013 DCPP PPS Open Item Summary Table Page 6 of 32 No SrclRl Issue Description P&GE response:

Status RAINo.

(Date Sent)

RAI

Response

(Due Date)

Commen~

Quality Assurance tasks to be performed by the Quality Verification group for the project. The "Quality Assurance Plan for Diablo Canyon Process Protection System Replacement" provides the specific plan to be used by the "Supervisor Project QA" identified in Section 3.5.1 (page 19) of the SyQAP and the "Project QA Engineer or Equivalent" identified in Section 3.5.8 of the SyQAP to provide PG&E quality oversight for the project which in part supports meeting 10 CFR 50 appendix B quality assurance requirements for the project.

The "Supervisor Project QA" is not identified in the PPS Replacement Project Plan Figure 2-1 (PPS Replacement Project Organization) because they are not part of the Project Organization, but instead provide independent quality assurance oversight of the Project Organization.

Section 6.1, "System Quality Assurance Plan (SyQAP), of the PPS Replacement Project Plan discusses the SyQAP, which in turn references the "Supervisor Project QA" in Section 3.5.1 (page 19) and the "Project QA Engineer or Equivalent" in Section 3.5.8 to provide PG&E quality oversight for the project.

65 RJS Open KVM Switch Questions:

See Attachment 3 I

PG&E Response:

See Attachment 3 68 WEK Please provide a detailed functional description of the DCPP PPS NSR Gateway Computer(s) system; including computers/processors, communications protocols, and data isolation details, Or, please indicate where this information is explained within thel..AR and supporting Open RAI46 12-19-2012 update:

Response did not answer the question about

March 25, 2013 DCPP PPS Open Item Summary Table No SrelRl RAJiio~ RAJ Status Issue DescriPtion IP&GEieSPonse:_

(Date Sent)

Response

(Due Date) documents. Also, please provide a detailed explanation of the Gateway Switch discussed within the LAR;including its operating principal (hardware, logic based, etc,,data/electrical isolation design features, and any other pertinent information pertaining to its failure mechanisms.

11-28-2012 follow up question:

Figure 4-13 (Pg 87) of the LAR indicates that data communications is provided directly between the SR ALS "A" &ALS "B" Protection Sets I, II, III, and IV, and the NSR Gateway Computers via RS-422 copper media (i.e.,

not through the Port Tap). Section 4.8.2 b) (page 110 of the LAR) states that "... AII other communication to non-safety equipment, i.e., Plant Computer, is via continuous one-way communication channels on the ALS 102." Please describe how the 1Elnon-!E data communication and e/ectrical isolation is implemented within the ALS for this configuration.

Also, explain how the ALS "A" & dB" inputs to the NSR Gateway Computers are isolated from each other, and data communication protocols associated with processing this data within the Gateway Computers.

12-19-2012 follow up question:

As stated in the 12-17-2012 response below, the 1Elnon-1 E data communications electrical isolation is not part of the ALS topical reort review. Please provide a detailed explanation ofhow all 1Elnon-1E communications data electrical isolation between the ALS processor and NSR systems will be accomplished.

PG&E Response: The DCPP Gateway computer and Gateway switch are part of an existing system that was installed by a previous project, and therefore were not included in the scope of the changes requested for approval in the LAR.

Communications from the Gateway Switch to the Tricon are functionally isolated by the Triconex Communication Module (TCM) and NetOptics Model PA-CU Networl<: Port Aggregator Tap discussed in Tricon V10 SER Section 3.7.2.1. A fiberoptic data link provides electrical isolation.

The NetOptics PA-CU Networl<: Port Aooreoator Tap was approved for this Page 7 of 32

-Comments providing a functional description of the DCPP PPS NSR Gateway computers. The staff needs to understand how the Gateway computer and the Gateway Switch communication protocols will not corrupt the the data i signals coming from the ALS Protections sets 1 4 and not impact the execution of the ALS safety function. A detailed response to this question is needed in the LAR or supporting documents.

See 12-19-2012 followup question re: electrical isolation for the DCPP PPS ALS.

March 25, 2013 DCPP PPS Open Item Summary Table Page 8 of 32 RAI Comments i

SrclRl Issue Description P&GEresponse:

RAINo.

No Status (Date Sent)

Response

(Due i

Date) use in the Oconee RPS SER. The PA-CU prevents inbound 11-28-12 update:

communications from external devices or systems connected to Port 1 of See 11-28-2012 the Port Aggregator from being sent to interactive Ports A and B. The follow up question.

Oconee SER described the methods they used to verify that Aggregator Port 1 provides one way outbound communications only. As a transmit only device, it does not listen to and is not affected by the communications protocol (or lack thereof) of the external device or system to which it is connected.

The ability of the Port Aggregator Tap to prevent inbound communications to the Tricon from its Port 1 will be verified at the Tricon V10 FAT and the SAT as previously stated in PG&E Letter DCL-12-083 dated September 11, 2012.

Updated PG&E Response 12/12/2013:

The response to 01 #73, discusses Transmit Bus TxB2 data communication path from the ALS-102 Core Logic Board to the ALS MWS. Transmit Bus TxB1 transmits data from the ALS-102 CLB to the Gateway Computer.

Both TxB1 and TxB2 are EIA-422 communication links in which Receive capability is physically disabled by hardware as described in the ALS-102 Design Specification, 6002-10202. The receiver is configured such that the transmit data is looped back for channel integrity testing. The ALS-102 is physically and electrically incapable of receiving information from outside the ALS-102 via the Transmit Busses TxB1 and TxB2. Therefore, messages are not disregarded or rejected by the ALS-102. This is better than a "broken wire." The wire just isn't there, and there is no place to connect a wire if someone wanted to do so.

Updated WEC Response 12/17/2012:

The 1E/non-1 E data communication is described in the ALS Topical Report, Sections 2.2.1.3 and 5.3.2; and in 6116-00054, "Diablo Canyon PPS ISG04 Matrix", Position 2. The electrical isolation qualification of the 1E/non-1 E data communication is not part of the ALS Platform review project, and will be qualified with an isolation fault test that will be conducted 1st quarter 2013 per IEEE Std 384-1992, "IEEE Standard Criteria for Independence of Class 1 E Equipment and Circuits" and Regulatory Guide 1.75. "Criteria for Independence of Electrical Safety Systems." A supplemental test report will

March 25, 2013 DCPP PPS Open Item Summary Table Page 9 of 32 Issue Description P&GE response:

Status RAINo.

RAI Comments NolSrelRl (Date Sent)

Response

(Due Date)_

I be issued 2nd quarter 2013.

12-19-2012 update:

within the Tricon and ALS MWiS computers; including how they will be used Please provide a detailed explanation of the application programs contained RAI47 69 I WIEK Open The DCPP PPS to supports or enhances the performance of the PPS safety function, ALS MWiS will not provide required maintenance, surveillance, etc. Or, please indicate where be approved via the this information is explained within the LAR and supporting documents.

ALS topical report.

Therefore, the information requested is 1/24/2013 Updated PG&E Response:

needed to address The non-safety communications between the PPS controllers and their the regulatory respective, dedicated MWiS units improve PPS maintainability and thus criteria of ISG-04, reliability, and enabling on-line surveillance testing, calibration, and Position 1, Point 3.

maintenance. Risk of challenging plant safety systems is reduced through Wl/ALS document the ability to test in bypass rather than requiring test in trip.

6116-00054, Rev.

0, Diablo Canyon The online Tricon and ALS non-safety communications capability provide PPS ISG-04 Matrix, real-time, online data and status information on the Plant Process Computer does not address and in the Control Room that are required to perform maintenance, this subject in its calibration and testing. Wlithout the online data links from the Tricon and response to Point ALS to the MWiS and the Plant Process Computer/Plant Data Network, only

3. Please address the control board indicators and recorders would be available to provide a this question for "window" on the PPS. System trouble alarms would still be generated by ALS.

the PPS on the Main Annunciator System, but without the alarm monitor Tricon response is and other data display capabilities provided by the MWlS, there would be no acceptable. Please direct means to determine the specific cause of an alarm.

add this to the Lack of access to real-time, continuous, on-line PPS status data and LARlTricon V10 diagnostic information introduces delay into PPS trouble identification and ISG-04 compliance resolution, and substantially degrades the maintenance effectiveness and matrix document.

timeliness enabled by the diagnostic features built into the platforms and the application programs. The ability to make online use of the information 11-28-12 update:

I

March 25, 2013 DCPP PPS Open Item Summary Table Page 10 of 32 No

~~

SrclRI Issue Description P&GE response:

Status RAINa.

(Date Sent)

RAJ

Response

(Due Date)

Comments provided by redundant, real-time data communications to the MWS and to the plant process computer improves PPS reliability and thus supports and enhances safety through providing timely diagnostic information and status details that assist performance of required trouble-shooting, maintenance, and surveillance activities.

The network switches between the Port Aggregator taps and the MWS ensure that Tricon multicast operation will continue if the Tricon MWS were to cease communications. The network switches are redundant to ensure continued Tricon multicast operation on failure of a single Tricon network link.

The application programs contained in the ALS and Tricon MWS units provide the following functionality:

A.

Westinghouse/CSI ALS Maintenance Workstation The on-line ALS MWS is required to maintain the ALS, including surveillance testing per the Technical Specifications calibration, and other required maintenance, and is similar in effect to the existing, approved Test in 8ypass capability. The diversity design of the ALS enables either (but not both) Chassis uN or Chassis "8" in a protection set to be bypassed for maintenance or testing while the other chassis remains fully operational (Although, in the bypassed condition, certain post-accident monitoring functions may not be available; this may be controlled administratively).

Without the flexibility provided by the ALS diversity design, Technical Specifications would require tripping all the channels associated with the chassis when removing a given protection set ALS chassis from service. In turn, this would make up one channel in the coincidence logic for all channels in the affected ALS protection set. Such action increases the risk of inadvertently challenging plant safety systems were another channel to trip with the ALS protection set out of service.

1.

Microsoft Windows 'XP Service Pack 3 operating system Additional clarification was provided, so the question was rephrased.

..~

March 25, 2013 INo SrclRI I Issue Description DCPP PPS Open Item Summary Table P&GE response:

RAt

Response

(Due Page 11 of 32 CommfmtS

2.

ALS Service Unit (ASU) Application The ALS MWS will utilize Microsoft Windows TM based Westinghouse/CSI ALS Service Unit (ASU) software that is described in the ALS Topical Report Section 2.6.3.

The ALS Service Unit (ASU) is the primary tool used when accessing a particular ALS system in operation. Jrhe ASU provides plant personnel access to advanced features of the ALS system such as system diagnostics, post-trip analysis, monitoring real-time operation, and assistance in performing user-initiated test, calibration and maintenance operations.]

The DCPP PPS Replacement MWS will be mounted permanently in the PPS rack containing the PPS in a manner similar to that shown in ALS Topical Report Figure 2-25; however, ASU functions that use interactive Test ALS Bus (TAB) communications will be available: (1) only when the TAB is physically connected to the ALS MWS by qualified personnel under administrative controls; and (2) only on one ALS "An or "Bn subsystem at a time.

The TAB from ALS-102 Chassis "An and Chassis "B" is provided with individual EIA-485 ports on the ALS Maintenance Workstation computer.

The ASU ensures that the correct TAB is connected to the respective EIA 485 port when the TAB is enabled.

The main features of the ASU are:

State Information - Provides monitoring of real-time operation, including all 110 signals as well as detailed status information from debugging registers. :rhe advanced monitoring capabilities enable fast system diagnostics and troubleshooting.1 <.

System and Board Information Provides detailed information about the configuration of an ALS system, including board FPGA programming, board build information, and board configuration.

., Comment [WEKl]: The functional deScription of these features are good. However, this discussion should be expanded to explain how these features and information" supports or enhances execution of the safety function" for the PPS?? Explain how the continuous availability and use of this data is consistent with ISG-04, Position 1, Point 3.

(Q-,mment (WEK2]: Good explanation!

"" J

March 25,2013 DCPP PPS Open Item Summary Table Page 12 of 32 No I Src/j~I Issue Description RAI No.

RAI Comments P&GE response:

Status (Date Sent)

Response

(Due Date)

Blackbox-ASU includes a so-called "blackbox" functionality where all events of an ALS system are transmitted by the ALS-102 CLB Transmit Bus TxB2 to the ASU for storage and subsequent retrieval. This allows plant personnel to inspect the ALS system's reaction to a past event.

The blackbox function enhances ALS reliability and therefore safety by helping to reduce the time required to pinpoint the cause of a series of events. The ASU must be connected to the ALS via the Transmit Bus TxB2 during an event in order to capture and store the event via the blackbox function. Given the difficulty in predicting when an event will occur, the ASU should be connected to the ALS chassis via Transmit Bus TxB2 and receiving data during online operation in order to benefit from this capability.

{comment [WEK3]: Good explanation! I Test - Application specific periodic surveillance tests can be implemented to be performed through the ASU. Based on the needs of the application features may be implemented in the CLB that allows surveillance testing to be performed and/or monitored through the ASU.

i

Calibration - The ASU is used to readout and change application Setpoints and channel calibration coefficients. The CLB holds the application Setpoints and according to the application, it will allow the ASU to mOdify these Setpoints. The ASU is also used during inpuUoutput channel calibration where it is used for selecting the board and board channel to be calibrated and to changes calibration coefficients based on the readings received on an external calibrator.

Operation of the ASU is passive and non-intrusive, i.e., it can only modify the safety system tunable parameters stored in NVM for which it is designed (Le., inpuUoutput calibration coefficients, setpoints and tuning constants). It is not possible to modify the safety algorithm or logic using the ASU. All communications initiated by the ASU take place on the TAB, and only when the TAB is physically connected between a protection set ALS and its dedicated MWS. No RAB interruption is possible, effectively isolating the ASU from ALS safety functions.

I March 25, 2013 DCPP PPS Open Item Summary Table Page 13 of 32

~-r-.;;~~~~

~~~ ----;~~~

~ ~ ~ ~~~

SrclRI Issue Description P&GE response:

RAINo.

RAI Comments Status ro (Date Sent)

Response

(Due Date)

3.

t\\LS Parameter Display:

The ASU also provides a passive parameter display function using one-way ALS-102 EIA-422 Transmit Bus TxB2. The ALS parameter display function allows the MWS to display parameters transmitted to it online by the one-way TxB2 transmit bus described in ALS Topical Report Section 2.2.1.3.

The parameter display function does not require the TAB to be connected.

The ASU parameter display function is a Visual C++ based application developed for the Microsoft Windows API using Microsoft Foundation Class (MFC) libraries to provide graphical user interfaces for displaying ALS system status on the MWS and for providing user controlled access to the ALS controllers for performing maintenance operations such as calibration.

Upon start-up, the application establishes a dedicated serial port connection to the MWS RS-422 serial communication card port that is connected to the ALS-102 unidirectional one-way TxB2 output in each ALS chassis "N and "B: These dedicated MWS serial ports receive ALS system status at a rate of 10 Hz (i.e., once every 100 ms).

Upon establishing the dedicated serial port connection on the MWS, the ASU parameter display function spawns a software thread to receive, validate, and store the data received from the respective ALS-102 TxB2.

Validation of the received data consists of checking the packet header contents, checking packet length, performing a CRC check on the packet contents, and then comparing the calculated CRC with the CRC inside the TxB2 packet. If the data received by the parameter display application is invalid (i.e. invalid CRC), the application indicates the issue on its graphical user interface (GUI) and an entry is made in the application status log. If the data received by the parameter display application is valid, the application records the ALS system status in a data class which contains methods that are called by different GUI to extract and display the specific ALS system status.

Malfunctions of the ASU Pflrameter display function cannot adversely affect

~1 Comment (WEK4]: The functional description of the ALS Parameter Display is good.

However, as stated previously, this discussion should be expanded to explain how the

information provided by this display system will be used to " support or enhance execution of the safety function" for the PPS?? Explain how the continuous availability and use of this data Is consistent with ISG-04, Position 1, Point 3.

March 25,2013 DCPP PPS Open Item Summary Table SrclRI Issue Description P&GE response:

No Status ALS safety system operation because EIA-422 communications between the ALS and the ALS MWS via TxB2 are strictly one-way from the ALS-102 to the ALS MWS and the EIA-485 TAB is physically disconnected except for brief periods when the TAB for either ALS "A" OR "B" is connected to the MWS for maintenance under administrative control by trained technicians.

4.

One way TxB1fTxB2 Communications Transmit Bus TxB1 transmits data from each ALS chassis "A" and "B" ALS 102 CLB to the Gateway Computer. Transmit Bus TxB2 transmits data from each ALS chassis "A" and "B" ALS-102 CLB to dedicated EIA-422 ports on the ALS MWS. Both TxB1 and TxB2 are EIA-422 communication links in which Receive capability is physically disabled by hardware as described in the ~LS-102 Design Specification, 6002-10202.1 Tbe receiv~r i~_co[lfjgured..

such that ~he transmit data is looped back for channel integrity testing. The ALS-102 does not disregard or reject external messages; rather, the ALS 102 is physically and electrically incapable of receiving external messages via the Transmit Busses TxB1 and TxB2. In effect, this is the same as the data isolation achieved by a "broken wire." Interdivisional communications between the MWS and the ALS are also described in ALS Topical Report section 5.3. I I"

5.

TAB Disconnect TAB communications are enabled by physically connecting the TAB to the respective MWS EIA-485 port under administrative control by trained technicians. TAB communications are disabled when not needed by physically disconnecting the TAB from the MWS. The ASU is connected to and communicates with the ALS via the TAB only when required to calibrate the ALS, normalize RCS flow coefficients, perform surveillances required by Technical Specifications, as well as to troubleshoot and otherwise maintain the ALS. The diverse ALS subsystem whose TAB has not been enabled will continue to perform its safety function without impact. An ALS trouble alarm is initiated on the Main Annunciator when the TAB is enabled. The non-safety communications provided by the Transmit busses will allow the RAiNo:

(Date Sent)

RAI

Response

(Due Date)

Page 14 of 32 Comments Comment [WEKS]: Should be 6002*10202.

Please go through all references to this document within the LAR, this 01 Matrix and supporting documents and correct this typographical error.

_1 Comment [WEK6]: A graphical depiction of this feature will be needed to fully explain this feature in the SE. Hopefully. 6002*10202 provides graphical illustrations of how this circuit is configured to better understand this If not, please provide this Information response to this question.

I

March 25,2013 No Src/R/

DCPP PPS Open Item Summary Table

/Ssue Oescrlpt/Otl I..P&.GE response:.......

- - - Status operator to ascertain quickly the cause of theaTarm, if the operator is not already aware of the maintenance activity being performed under procedural control.

RAI No.

(Date Sent)

RAI I

Response

(Due Date)

Page 15 of 32 Comments ~

TAB communications are described in ALS Topical Report Section 5.2.

6.

Electrical Isolation The Transmit Bus TxB1 and TxB21E/non-1E data communication is described in the ALS Topical Report, Sections 2.2.1.3 and 5.3.2; and in 6116-00054, "Diablo Canyon PPS ISG04 Matrix", Position 2. The electrical isolation of the Transmit Busses is performed by magnetic couplers located on the ALS-102 CLB. The TxB isolators are described in 6002-10202, "ALS-102 Hardware Design Specification," Section 3.9.1.

Fault isolation occurs by way of board mounted transient voltage suppressors, board mounted fuses, and external fuses.

Qualification of the 1 E/non-1 E data communication is not part of the ALS Platform review project, and will be qualified with an isolation fault test that will be conducted 1st quarter 2013 per IEEE Std 384-1992, "IEEE Standard Criteria for Independence of Class 1 E Equipment and Circuits" and Regulatory Guide 1.75, "Criteria for Independence of Electrical Safety Systems." A supplemental test report will be issued 2nd quarter 2013.

B.

Triconex Maintenance Workstation The Tricon MWS will implement four Microsoft Windows TM -based application programs: (1) Invensys WonderWare' InTouchTM PPS application; (2) TriLogger; (3) Tricon Diagnostic Monitor; and (4) TriStation 1131 (TS1131) Developers Workbench Version 4.9.0.

1.

Microsoft Windows TM XP SelVice Pack 3 operating system

2.

WonderWare' InTouchTMppS Application The WonderWare InTouch application provides online display of selected PPS internal parameters and trouble alarm details. The WonderWare

March 25, 2013 DCPP PPS Open Item Summary Table Page 16 of 32 No SrclRI Issue Description P&GE response:

InTouch application also is used for maintenance of individual PPS instrument channels in conjunction with the hardwired OOS switches that have been discussed in the response to other Open Items. The MWS WonderWare InTouch application will be the tool normally used to determine the specific cause of an alarm. The Main Annunciator System only displays system level alarms. The MWS InTouch application contains an alarm monitor, which is a troubleshooting aid that provides a detailed, specific display of the alarms generated by the Tricon PPS application.

Status RAINo.

(Date Sent)

RAI

Response

(Due Date)

Comments

3.

Non-Safety Tricon Communications Communications from the Tricon to external non-safety systems are functionally isolated by the Triconex Communication Module (TCM) and NetOptics Model PA-CU Network Port Aggregator Tap discussed in Tricon V10 SER Section 3.7.2.1. A fiberoptic data link provides electrical isolation.

The PA-CU prevents inbound communications from external devices or systems connected to Port Aggregator Port 1 from being sent to interactive Ports A and B. Port 1 is a transmit-only port that does not listen to and is not affected by the communications activity generated by the external device or system to which it is connected.

Port Aggregator port 1 will provide one-way data to the Gateway Computer via the Gateway Switch. The Gateway Computer transmits the data to the Plant Process Computer for use in the Control Room by the operators. The Gateway Computer and Gateway Switch were installed by another project.

The Plant Process Computer is an existing system.

4.

Triconex TriLogger The TriLogger software provides the ability to record, display, play back and analyze data from the Tricon system. Data can be viewed in real-time on the MWS. The TriLogger provides data trending and analysis capabilities and can be configured to trigger on specific events to log detailed data to aid technicians in isolating, diagnosing, and troubleshooting problems.

However, the TriLogger must be connected and running at all times to

March 25, 2013 No SrclRl DCPP PPS Open Item Summary Table Issue Description P&GE response:

perform these functions.

Status RAINo.

(Date Sent) kAT-

Response

(Due Date)

Page 17 of 32 Comments

5.

Tricon Diagnostic Monitor Utility The Tricon Diagnostic Monitor utility displays Tricon system and module status by mimicking the actual Tricon chassis and slots, so that the user can find the exact location (chassis number and slot number) of a module that may be experiencing a fault or other problem. The Tricon Diagnostic Monitor Utility improves reliability by aiding rapid troubleshooting and fault location at the Tricon system level.

6.

Startup Delayer Startup Delayer delays WonderWare startup until DDE Server has initialized. Otherwise, WindowViewer may startup first and never connect to DDE Server.

7.

TriStation 1131 (TS1131) Developers Workbench TriStation 1131 is a PC-based application development workstation that provides a comprehensive set of development, test, monitor, validation and diagnostic tools for Triconex Programmable Logic Controllers (PLC). The TS1131 program is utilized to maintain the PPS application program and may also be used for monitoring and troubleshooting purposes. The TS1131 program is described in the Tricon V10 SER Section 3.1.3.2.

The TS1131 tool will be installed on the MWS. However, the TS1131 tool will not normally be running while the Tricon is performing its safety function

[Tricon V1 0 SER Section 3.1 0.2.9J. If the TS1131 workstation is connected during online safety operation for maintenance or troubleshooting purposes, its use will be controlled via administrative controls and qualified maintenance personnel.

Write access to the operating Tricon is govemed by the controller keyswitch.

With the keyswitch in the RUN position, use of the TS1131 program is limited to read only access to the Tricon. Parameters may be examined, and application program logi~ operation may be observed in real time, but

March 25, 2013 No SrclRl Issue Description DCPP PPS Open Item Summary Table P&GE response:

Status RAINo.

(Date Sent)

RAI

Response

(Due Date)

Page 18 of 32 Comments changes are not possible. The TS1131 program can only write to the Tricon when the controller keyswitch is in the PROGRAM position. With the keyswitch not in RUN, the PPS application will initiate an alarm on the Main Annunciator system and the affected PPS set will be declared inoperable with respect to its safety function.

Regardless of whether the keyswitch has been deliberately manipulated or whether the condition is the result of Tricon hardware or sofilNare failure, the internal Tricon diagnostics will detect a "keyswitch not in RUN" condition and the PPS application program will initiate a PPS Trouble alarm on the Main Annunciator System. When the "keyswitch not in RUN" condition exists, the affected Tricon is considered to be INOPERABLE with respect to its safety function. The operator would enter the appropriate Technical Specification LCO upon determination that the PPS trouble alarm was caused by the "keyswitch not in RUN" condition.

The condition could be active in multiple Tricon protection sets because it could occur as a result of common cause Tricon failure. Even with the "keyswitch not in RUN" condition existing in multiple protection sets, negative impact is limited because on-line maintenance will normally be performed in one protection set at a time, and each Tricon protection set has its own dedicated, independent MWS. Therefore, only one Tricon protection set at a time would be configured physically to make sofilNare changes. If the TS1131 is not connected and running changes cannot occur even if the "keyswitch not in RUN" condition exists. That is, the mere existence of the "keyswitch not in RUN condition" does not initiate changes.

Intentional action by a trained, knowledgeable individual is also required.

Given the PPS trouble alarms that would be active in all affected protection sets, it is highly unlikely that unintended changes could occur.

If a PPS Trouble alarm were to occur on the Main Annunciator System due to the "keyswitch not in RUN" condition, regardless of the cause, the operator would notify DCPP Maintenance. In the absence of the detailed alarm monitoring provided by an on-line MWS (via the TCM NET2

70 March 25,2013 DCPP PPS Open Item Summary Table Page 19 of 32

~..............----..

~**Src/Rr Issue Description Status RAINa.

RAI Comments IP/l.GE reSpon**,

Response

(Due Date)

(Date Sent) interface), the maintenance technicians would be required to obtain work orders, gain access to the affected protection set, conned and boot the MWS, and only then could begin to determine the cause of the alarm. The alarm information would not be available if the alarm were due to a transient condition that cleared between the time the condition initiated and when the MWS was operational. Diagnosis of the condition could be delayed for several hours. With the on-line MWS and the alarm monitor function, the condition - whether caused by intentional manipulation of the Tricon controller keyswitch or by a hardware or software failure involving the keyswitch-would be identified immediately.

As with the ALS, the on-line Tricon MWS is essential to maintain the Tricon safety function, including surveillance testing per the Technical Specifications and other required maintenance and is equivalent to the existing, approved Eagle 21 Test in Bypass capability. The MWS is required to bypass channels for testing. Removing a Tricon from service during such routine maintenance would require tripping aU the channels in that protection set, which would make up one channel in the coincidence logic for all channels in the protection set. This condition increases the risk of challenging plant safety systems should another channel trip inadvertently with the protection set out of service.

KVM Switch Question 1:

Open RAI48 11-28-12 update:

Response Okay.

The KVM Switch brochure indicates on page 3 that the Enumeration WEK Leave open until switching process will not enable control switching using the USB keyboard the KVM Switch information is or mouse. However, it further states that Emulation USB switching was provided within the developed to support these enhanced monitor switching functions/devices LAR revision.

(keyboard hotkeys or mouse buttons.)

WiU the Enumerated USB switching function is used in the PPS design? If so, then wiU the Keyboard hotkeys and mouse buttons be used to perform switching between the Tricon MWS and the ALS MWS? Please clarify how

71 March 25,2013 DCPP PPS Open Item Summary Table

~.=:-;-

~--~~

SrclRI No I

Issue Description P..G" respons.;

the KVM switching function will be accomplished and controlled during PPS system operation and maintenance. Also, please submit technical information pertaining to the operation of the KVM switch for review by the staff.

PG&E Response:

The USB1 and USB2 ports, which use enumerated switching, pass data

! straight through the KVM switch without interpretation. Therefore, you cannot connect a keyboard to USB1 or USB2 and use the hotkeys to perform switching, and USB1 and USB2 traffic cannot cause an inadvertent switch. The block diagram shows the output of the emulated portion of the switch and the enumerated portion going to a USB hub before being sent to the computer. The keyboard and mouse will use the emulated switching function, not the enumerated switching function; only the keyboard and mouse can control the switch.

KVM Switch Question 2:

WEK Will the KVM switch be on-line 24-7 while the MWS's are monitoring data from either the Tricon or the ALS platform? If so, please provide a failure modes and affects analysis for the KVM switch? Can it fail in such a manner so as to inject faults into the MWS computers, and hence into the Tricon or ALS safety system processors? If not, why?

If so, what can be done to circumvent this problem, and show conformance with ISG-04, Points 10 & 11? We will need to cover this matter in the SER.

! 10-17-12 Update: Response below did not answer the question regarding failure modes of the KVM switch...agree that it is Okay to lose the Tricon but I do not see how the ALS is protected due to its "inherent 1-way communications" design. Please explain this further.

12-19-2012 Update question: In order for the staff to verify the response Status Open Hold RAINo.

(Date Sent)

RAI49 RAI

Response

(Due Date)

Page 20 of 32 Comments 12-19-2012 update: The staff will review 6002 10202 and determine if this document provides the information requested.

Nonetheless, PG&E needs to address the inherent 1-Way communications design and communications

March 25, 2013 ocpp PPS Open Item Summary Table Page 21 of 32 Comments SrclRI Issue Description P&GE response:

RAINo.

R~

Status No (Date Sent)

Response

(Due Date) r-------

below regarding the ALS-102 Core Logic Board's one-way communications protocol of the design attributes the staff will need to review the ALS-102 Design 102 board in Specification document 6002-10202, and any other documents that explain detail within this this key design feature for the ALS Platform portion of the PPS (e.g., 6116 Ol-as it relates 00100, PPS ALS to ASU Communications Protocol??). ALS document to the DCPP 6002-10102 has not been submitted on the docket for staff review of the PPS.

ALS Platform Topical Report. Therefore, please submit this document (and I any others that explain this communications protocol) on the docket as part Also, need to of the PPS LAR review.

update the LAR to PG&E Response:

cover the portions The KVM switch will be on-line 24-7 for monitoring data from either the not being Tricon or ALS platform via the respective MWS computers. There is addressed in the additional isolation because the ALS communicates strictly one way to its ALS TR SER, I.e.,

MWS except when TAB communications are enabled by connecting the 1E/non-1 E data TAB cable. Connection of the TAB is performed as directed by trained communications technician using an approved procedure Therefore, if the KVM switch failed electrical isolation in some way to connect the two MWS together, the ALS would not be for ALS. See affected. The Tricon might be affected, but the D3 analysis allows the follow up question Tricon to fail due to CCF.

for 0168.

The following paragraphs have been added to the IRS Section 2.3.7:

11-28-12 update:

ALS ISG-04 b, The KVM switch shall permit only connections between a single compliance was computer and the selected video display and HMI interface devices.

submitted, and Connection between the computers shall not be permitted.

Westinghouse thinks that this will

g. The AV4PRO-VGA KVM switch shall utilize the default switching answer this mode, in which the video display, keyboard and mouse and the question.

enumerated USB ports are all switched simultaneously.

PG&E needs to respond to 1 0-17 Paragraph g was necessary to prevent the enumerated ports from being 12 update in the switched separately from the KVM.

description section.

Added PG&E Response 12/16/2012:

Leave open until

March 25,2013 DCPP PPS Open Item Summary Table Page 22 of 32 No SrclRI 72 WEK

~~~~~~~~

~

~ ~~~~-~~~

Issue Description P&GE response:

Status RAINo.

RAr-Comments (Date Sent)

Response

(Due Date)

During normal, non-maintenance operation, the ALS communicates one the KVM Switch way to its dedicated MWS computer via Transmit Bus TxB2 as discussed in information is the response to 01 #73.

Inter-divisional safety to non-safety provided within communications are addressed in ALS Topical Report Section 5.2.3. The the LAR revision.

TxB2 data communication paths from the ALS-102 Core Logic Board to the ALS MWS computer is a EfA-422 communication link in which Receive 10-17-12 Update:

capability is physically disabled by hardware as described in 6002-10202, Note: "IRS" is the the ALS-102 Design SpeCification. The receiver is configured such that the Interface transmit data is looped back for channel integrity testing. The ALS-102 is Requi rements physically and electrically incapable of receiving information from outside Specification of the ALS-102. Therefore, the ALS cannot be affected by a malfunction in the

(

the LAR).

dedicated, MWS computer associated with an ALS protection set regardless of whether the malfunction is caused by KVM switch malfunction or by malfunction of the MWS computer itself.

WEC Response 12/17/2012:

The 1 E/non-1 E data communication is described in the ALS Topical Report, Sections 2.2.1.3 and 5.3.2; and in 6116-00054, "Diablo Canyon PPS ISG04 Matrix", Position 2. The electrical isolation qualification of the 1 E/non-1 E data communication is not part of the ALS Platform review project, and will be qualified with an isolation fault test that will be conducted 1 st quarter 2013 per IEEE Std 384-1992, "IEEE Standard Criteria for Independence of Class 1 E Equipment and Circuits" and Regulatory Guide 1.75, "Criteria for Independence of Electrical Safety Systems." A supplemental test report will be issued 2nd quarter 2013.

KVM Switch Question 3:

Open RAI43 12-19-2012 update:

Also, you will likely need to address how you will disable the features Or, this r

a esponse cceptable, you are not using such as the audio interface, unused USB ports, informati however, this remote control/channel switching by external control from and SDOE perspective-and probably a cyber security perspective later on (atter SER).

--~~~

on could be included to the LAR.

information needs be provided in

Also,

March 25, 2013 DCPP PPS Open Item Summary Table Page 23 of 32 No SrclRi Issue Description P&GE response:

RAINo.

RAI Comments Status (Date Sent)

Response

(Due Date) 10-17-12 Update: The methods used to block Poris in the KVM Switch must be addressed in the LAR revision. Block all unused Poris and keep any that may need to be reopened under design or configuration control.

Again, we need a detailed explanation of how this 1-way design feature will prevent the KVM switch failures from affecting the ALS system.

PG&E Response:

Specific answers to these questions depend on the detailed design. Ports can be physically blocked, which might be appropriate for unused computer ports and the audio ports. It might not be appropriate for the unused USB port (which may be needed for a future printer) and the options port (which may be needed for firmware updates). Remote control switching or firmware update requires a custom serial cable. The firmware update requires specialized software on the computer being used to perform the update. Firmware update will be done by procedure. The MWS will be inside a locked cabinet inside a vital area inside the protected area.

Inadvertent actions, while not impossible. will not be easy. If the switch is somehow manipulated. the ALS will not be affected even if the KVM switch fails because the ALS communicates only one-way with the MWS except for short periods when the TAB is enabled.

Revised PG&E Response 12/16/2012:

PG&E will physically block the audio port. USB Port 2 and unused computer ports. Physical blocks will be verified at SAT and controlled thereafter by the SCMP. PG&E considers that opening any of the unused ports for use after the SAT is a modification of the phYSical plant configuration that will require an engineering design change.

WEK KVM Switch Question 4:

If the KVM switch does fail in some manner allowing data flows between the two platforms, then the ALS system would not be affected because the ALS platform will onlv transmit data in one Open Hold in the next LAR update-need to decide which path is desired.

RAI44 address how this will be maintained by the DCPP Configuration Management Process.

11-28-12 update:

PG&E needs to respond to 10-17 12 update in the description section.

Leave open until the KVM Switch information is provided within the LAR revision.

12-19-2012 update:

As discussed in the 10-17-2012 update for this 01, and the 12-19-2012 Follow 73

March 25. 2013 DCPP PPS Open Item Summary Table Page 24 of 32 SrclRl Issue Description No P&GE response:

RAINo.

RAI Comments Status (Date Sent)

Response

(Due Date) up Question for 01 This is good, however, the LAR (or attachments) need to explain how direction to its MWS (with the TAB cable disconnected of course).

71, the staff needs ALS Design the engineering design principals of the ALS platform physically Specification prevent bad/erroneous data from corrupting the ALS platform. In document 6002 other words, explain how these messages emanating from the MWS 10202 submitted (regardless of origin) will be disregarded/rejected by the ALS platform for its review in thus allowing only one direction of data flow.

order to resolve this

01. This 01 will be 10-17-12 Update:

placed on Hold until The ALS-102 Design Specification document 6002-10202 has not yet the documents are been submitted to the NRC. When will it be submitted?? Will this received on the docket.

EIA-422 (or is it RS-422 per Fig. 4-13 in the LAR) communication link (twisted pair copper wire) also serve as the 1Elnon 1E isolation devices as required by IEEE 603, Clause 5.6.3 and IEEE 7-4.3.2, Clause 5.6?? Please clarify.

11-28-2012 update:

PG&E needs to 11-28-2012 Update:

respond to 11-28 Still need more information re: 1Elnon-1 E isolation of the ALS-1 02 12 uQdate in the description section. PG&E PG&E Response:

board.

needs to respond to 10-17-12 Revised PG&E Response 12/16/2012:

update in the The design of the TxB1 and TxB2 data communication paths from the ALS-description section.

102 Core Logic Board and the Gateway Computer and MWS, respectively, are EIA422 communication links in which Receive capability is physically 10-17-12 Update:

disabled by hardware as described in 6002-10202, the ALS-102 Design there is a typo in Specification. The receiver is configured such that the transmit data is section 2.4.13.5 on looped back for channel integrity testing. The ALS-102 is physically and page 90 of the electrically incapable of receiving information from outside the ALS-102.

LAR. The first Therefore, messages are not disregarded or rejected by the ALS-102. This paragraPh~

is better than a "broken wire." The wire just isn't there, and there is no place references ALS to connect a wire if someone wanted to do so.

doc. 6002-61202 (tyl=lQLasthe I

March 25, 2013 No SrclRI DCPP PPS Open Item Summary Table Issue Description P&GE response:

Updated PG&E Response 12f16f2012:

Per the 1 Of17f2012 update, NRC is correct regarding the typographical error in Section 2.4.13.5 on page 90 of the LAR.

The correct ALS-102 Design Specification.document number per LAR Reference 94 is 6002-10202.

Per the 11/28f2012 update, RS-422 is the common short form title of American National Standards Institute (ANSI) standard ANSlrrlAlEIA-422-B Electrical Characteristics of Balanced Voltage Differential Interface Circuits.

This technical standard specifies the electrical characteristics of the balanced voltage digital interface circuit. For the purposes of the LAR, the two designations are equivalent and may be used interchangeably.

Status RAI RAINo.

(Date Sent)

Response

(Due Date)

Page 25 of 32 Comments document that explains how the EIA-422 communication channels on the ALS-102 are electrically isolated and inherently 1 way communications capability only.

The document 6002-10202, in reference 94 is the correct document.

74 WEK KVM Switch Question 5:

Please explain in detail how connection between the MWS computers via the KVM switch will be prevented. Will this be handled via a configuration control process, administrative controls, or a physical means of preventing connection between computers?

Open RAI50 11-28-12 update:

Leave open until the KVM Switch information is provided within the LAR revision.

PG&E Response:

This section was intended to be a functional requirement for the KVM switch. Administrative and configuration controls will prevent inadvertent loading of an EPROM image that could corrupt operation of the KVM switch. If the KVM switch fails and connects the ALS and Tricon MWS together, the above-described physical and electrical restrictions of the ALS 102 board will prevent the ALS from being corrupted by its MWS computer.

10-17-12 Update:

Response is Okay, but the LAR revision will need to expand further on this matter to explain how these controls will provide this protection.

Page 26 of 32 March 25, 2013 DCPP PPS Open Item Summary Table

---c-------------

Src/RI Issue Description No P&GE response:

Status RAINo.

RAI Comments (Date Sent)

Response

(Due Date)

RJSI AlS Security Plan Document 6002-00006 references the CS Innovations NSIR 75 Cyber security plan document (Reference 7) (Title has changed) which is not docketed. Without having access to this referenced document, the staff is unable to confirm implementation of the system security requirements.

We need to discuss if this document can be made available on the share point or if it can be made available during the audit.

In addition CS-00013-GEN, Development Environment Evaluation Report-CS Innovations Isolated Development Infrastructure might be another document of interest to the staff. It seems that this document would provide evidence that the actual development environment was in fact secure. This document was not docketed.

1--=-=------

PG&E Response: Westinghouse can make available during the audit both CSI document 9000-00360, "CS Innovations Cyber Security Plan" and WNA-CS-00013-GEN, "Development Environment Evaluation Report - CS Innovations Isolated Development Infrastructure."

79 RA Invensys to confirm that the following terms are not used, and that they will be removed from their plans and replaced with the correct terms.

Test Review Board Test Case Incident Report Master Configuration Checklist Configuration Database PG&E Response: The following Invensys documents were revised to reflect correct terminology and placed on the Invensys Share Point on December 22,2012:

1) 993754-1-905, Project Management Plan

2) 993754-1-906, Software Development Plan

3) 993754-1-909, Software Configuration Management Plan

4) 993754-1-813, Validation Test Plan Closed Open NoRAI Note: RJS - This is an AlS audit item.

We will hold open pending the outcome of the February audit.

01123/2013 update:

These documents were posted on the Invensys SharePoint 01/22/2013.

12/19/12: item open until new document revisions are submitted

March 25, 2013 DCPP PPS Open Item Summary Table Page 27 of32 No

--- SrclRI Issue Description Comments P&GE response:

Status RAINo.

RAI (Date Sent)

Response

(Due Date)

The revised documents were placed on the Sharepoint and submitted by PG&E in Letter DCL-13-028 dated March 25, 2013.

01/23/2013 update:

organization.

RA PG&E Response: Invensys to revise its plans to reflect the current project Open 80 These documents were posted on the PG&EResponse: The Invensys Project Management Plan (PMP), 993754 Invensys 1-905, was revised to reflect the current project organization and placed on SharePoint the Invensys SharePoint on December 22, 2012. The revised PMP was 01/22/2013.

submitted by PG&E in Letter DCL-13-028 dated March 25,2013.

12/19/12: item open until new document revision is submitted 81 Channel level Bypass Functionality Open RJS 1/25113 - This 01 was discussed at The criteria in ISG-04 position 10 only allows for software configuration the 1/24/13 activities when the entire safety division, (Le. all channels and functions) is Conference call.

inoperable.

PGE agreed to consider presenting The Diablo Canyon PPS design however, allows channel or specific this as an function level configurability while the remaining safety division functions acceptable remain operable. This design does not meetthe criteria of ISG-04 positions alternative to the

10. The licensee will need to provide a justification for this as an alternative ISG 4 position 10 means of meeting the regulatory requirements of IEEE 603-1991 clauses guidance. We 5.7,6.5, and 6.7 expect a followup discussion during PG&E Response: PG&E will provide justification for an acceptable the 2121 alternative to I SG-04 Position 10 for the PPS replacement design in section conference call.

4.8.10 of the LAR Supplement.

March 25,2013 DCPP PPS Open Item Summary Table Page 28 of 32 No 82 SrclRI RA Issue Description P8.GE response:

Status RAINo.

(Date Sent)

RAI

Response

(Due Date)

Comments V&V Plan Westinghouse/CSI document 6116-00001 Rev. 1 includes Table 2 in Appendix A. This table identifies several notes, which provide additional information. However, the descriptions for these notes are not included in the Appendix. Please provide this information.

PG&E Response:

CSI document 6116-00003 Rev. 1 (Diablo Canyon PPS W Plan) will need to be revised to provide descriptions for the notes. The revised 6116-00003 will be submitted by April 26, 2013?

Open 01123/2013 update:

The document number is incorrect.

The document is 6116-00003, and it was provided in to PG&E letter DCl 12-121 83 RA V&V and Hazard Analysis Westinghouse/CSI documents 6116-00001 Rev. 1 and 6116-00000 Rev. 3 state that software hazard analysis of the AlS system is the responsibility of PG&E. However, the PG&E SyWP, which was submitted as Attachment 5 of the LAR, does not describe how PG&E will perform the software hazard analysis of the AlS system. The SyWP, Section 5.1.2.3 states that PG&E will verify that new hazards were not introduced during installation.

Please clarify who will perform the hazard analysis activities for each phase of the development process that are required by IEEE 1012, for the AlS system.

Open 2/22/13 The descriptions of PHA SHA need to be included in the vendor V&V Plans and the PGE SyW Plan. New rev of V&V plans should resolve this.

1/25113 This 01 was discussed during the 1/24/13 conference call.

The current planning documents under review do not include provisions for performing the hazard analysis activities.

PG&E Response: There is no V&V performed during the IEEE-1012 Project Initiation and Planning, and Conceptual Design phases. During the IEEE-1012 Development and Factory Acceptance Test portion of the Test phase, the hazard analysis activities for the ALS system will be performed by Westinghouse and for the IEEE-1012 Integration and Site Acceptance Test portion of the Test phase, the hazard analysis will be performed by PG&E. Revision to CSI and PG&E documents are required to address the responsibilities for the hazard analyses during the different phases. The revised Westinghouse/CSI document 6116-00000 Rev. 3 to address the hazard analysis for the Development and Factory Acceptance Test portion of the Test phase will be submitted by April 26, 2013. The performance of a hazard analysis for the Integration and Site Acceptance Test portion of the Test phase, including update ofthe hazard analysis, is included in Section 5.1.2.3 of the SyWP Revision 1 submitted in Attachment 1 to the Enclosure of PG&E letter DCl-13-028 submitted March 25,2013.

March 25, 2013 DCPP PPS Open Item Summary Table Page 29 of 32 No 84 85 86 87 SrclRI Issue Description P&GE response:

Status RA IRS Open Revision 7 of the Interface Requirement SpeCification, Section 3 Appendices, lists the 110 lists for each protection set. However, these appendices are no included in the document PG&E Response: PG&E will submit the 110 list with the IRS Revision 8 to be submitted by April 26, 2013.

RJS What security measures will be implemented to the MWS so that the MWS Open NSIR is consistent with NEI 08-09, Appendix D.1.1? Explain the statement that access to the maintenance workstation will be consistent with the NEI 08-09, Appendix 0.1.1. Additionally, explain whether security measures to be implemented include technical and operational security design measures incorporated into the system.

PG&E Response: Installation of the PPS replacement is scheduled for September 2015 and assessment of the whole PPS replacement system, including the maintenance workstation, as prescribed in section 3 of the Diablo Canyon CSP, will begin in April 2013. The assessment will determine any security measures for the maintenance workstation, consistent with NEI 08-09 Appendices D and E, that need to be applied.

RJSI Eric to supply new question to elaborate on 01 85.

New NSIR PG&E Response:

RJS (ALS Audit Item)

New FPGA versions 1, 2, 3, descriptions were explained to the NRC during the ALS audit in February but these release processes are not captured in the RAINo.

(Date Sent)

RAI Comments

Response

(Due Date) 2/22/13 The 110 list appendix will be included with IRS Revision 8. This is currently on the sharepoint but will be docketed as well.

~~~-

March 25,2013 No-SrclRi DCPP PPS Open Item Summary Table Issue Description P8.GE response:

system development plan or system management plan.

PG&E Response: FPGA versions 1, 2, 3, descriptions will be covered in 6116*00000 Diablo Management Plan Revision 4 to be placed on the Sharepoint by March 28, 2013 and submitted by April 26, 2013.

Status RAt No.

(Date Sent)

RAt

Response

(Due Date)

Page 30 of 32 Comments 88 RJS (ALS Audit Item)

Please describe why there is a misalignment of document numbers between the platform 6002*xxx01, 6002*xxx06 and application specific documents 6116*10201. For example, why is there no 6116*10206?

PG&E Response: Both the 6002*10201 and 6002*10206 are ALS Platform documents that are applicable to Diablo Canyon. The document numbering scheme is project*specific. 6116*10201 is specific to Diablo Canyon and is in addition to the ALS Platform documents. Because 6002*10201 includes hardware design that is not duplicated for Diablo Canyon (the board is already designed), there is no need to replicate a board requirements document at the Diablo Canyon document level.

A summary of the documents is as follows:

1.

6002-10201 - Platform 102 Board Requirements (applies to the ALS Platform and all applications)

2.

6002-10206 - Platform 102 FPGA Design SpeCification (applies to the ALS Platform and all applications, with the exception of the sequencer definition which is application specific)

3.

6116-10201 - Diablo 102 FPGA Requirements (includes application specific info including sequencer definition)

4.

6116*10203/10204 - Diablo 102 FPGA DeSign Specifications for CoreA& B New 89 RJS (ALS Audit Item)

Ensure that the audit schedule issues (Pennatronics) identified during the cyber security review portion of the ALS audit is resolved prior to issuance New

March 25, 2013 DCPP PPS Open Item Summary Table Page 31 of 32 No SrclRI Issue Description P&GE response:

Status RAfFio.

(Date Sent)

RAI

Response

(Due Date)

Comments of the Diablo PPS safety evaluation, The NRC will be reviewing the responses to the CAP's that Westinghouse has written on this issue to access if there are any implications on the Diablo Canyon PPS system, PG&E Response:

The apparent cause analysis for the CAP IR has been completed. All commitments associated with the CAP IR are scheduled to be completed by Westinghouse by July 2013.

90 SO (ALS Audit Item)

New Once CSI has completed the SDOE evaluation to show conformance to RG 1.152 requirements, the NRC will need to have the results docketed.

PG&E Response: IN PROGRESS 91 RJS (ALS Audit Item)

Please provide the NRC access to the following documents via sharepoint:

New

Work instruction for Human Diversity Management for FPGA Based Development and Test Activities, Document number 9006-00037, Rev. 0

ALS Core A FPGA Build Procedure, Document number 9006-00043, Rev. 3

ALS Core B FPGA Build Procedure, Document number 9006-00071, Rev. 1

6116-10203/4 Core A and Core B Design Specifications

RTM sorted by FRS.

PG&E Response: PG&E Response:

The documents 9006-00037, Rev. D. 9006-00043, Rev. 3. and 9006-00071, Rev. 1 were placed on the SharePoint on March 25. 2013. The RTM sorted by FRS for the RTM (pre-revision B version) was placed on the SharePoint

March 25, 2013 No SrclRI 92 RA DCPP PPS Open Item Summary Table Issue Description P&GE response:

On March 25, 2013. The 6116-10203 Revision 0 and 6116-10204 Revision oCore Design specifications will be placed on the Share point by April 26, 2013.

(ALS Audit Item)

Status NEW RAINo.

(Date Senti RAI

Response

(Due Date)

Page 32 of 32 Comments The Requirements Traceability Matrix (RTM) does not trace to CSI documents 6116-10203/4 Core A and Core B Design Specifications. Please include this traceability to the RTM once the 6116-10203/4 Core A and Core B Design Specifications are finalized.

PG&E Response: The RTM revision 1 release which will include tracing down to the 6116-10203 revision 0 and 6116*10204 revision 0 will be placed on the Sharepoint by April 30, 2013.

~~~~~-

March 25, 2013 DCPP PPS Closed Item Summary Table Page 1 of 74 No SrclRI Issue Description P&GE response:

Status RAINo.

(Date Sent)

RAI

Response

(Due Date)

Comments 001 AR (80)

[ISG-06 Enclosure 8, Item 1.3] Deterministic Nature of Software:

The Diablo Canyon Specific Application should identify the board access sequence and provide corresponding analysis associated with digital response time performance. This analysis should be of sufficient detail to enable the NRC staff to determine that the logic-cycle;

a. has been implemented in conformance with the ALS Topical Report design basis,

b. is deterministic, and

c. the response time is derived from plant safety analysis performance requirements and in full consideration of communication errors that have been observed during equipment qualification.

As stated in the LAR, information pertaining to response time performance will be submitted as a Phase 2 document. Please ensure this matter is addressed accordingly.

Closed RAI119

Response

Received 09/11/12 4/18/2012 Staff reviewed time response calc on share point and agrees that this is the correct information to support the SE.

Requested that these calcs be docketed.

Response

received April29, 2012. Staff wiII review and discuss P&GE response:

ALS further if needed at Diablo Canyon PPS document 6116-00011, "ALS System Design Specification", Section 7.5, identifies the ALS board access sequence and subsequent provides an analysis associated with digital response time performance.

telecom meeting.

a.

The Diablo Canyon PPS ALS system is configured in accordance with the qualification requirements of the ALS platform topical report,

Response

b.

The analysis in Diablo Canyon PPS document 6116-00011, "ALS acceptable; waiting System Design Specification", Section 7, describes a logic cycle that is deterministic.

c.

The requirements for the response time of the PPS processing on PG&E to provide the time instrumentation (from input conditioner to conditioned output signal) is response specified as not to exceed 0.409 seconds in Section 3.2.1.10 of the "Diablo calculation for the Canyon Power Plant Units 1 & 2 Process Protection System Replacement V10 Tricon PPS Functional Requirements Specification (FRS)", Revision 4 submitted as Replacement of the LAR. In Section 1.5.8 of the "Diablo Canyon Power architecture by Plant Units 1 & 2 Process Protection System Replacement Interface Requirements Specification (IRS)", Revision 4, submitted as Attachment 8 April 16, 2012.

of !b~LAR, the 0.409 seconds PPS processing instrumentation response

March 25, 2013 DCPP PPS Closed Item Summary Table Page 2 of 74 No SrclRI Issue Description P&GE response:

Status RAI No.

(Date Sent)

RAI

Response

(Due Date)

Comments I

time is allocated between the ALS and Tricon as follows:

ALS: 175 ms for RTD processing Tricon: 200 ms Contingency: 34 ms The 0.409 seconds PPS processing instrumentation value is the same as the value that is currently allocated to PPS processing instrumentation. As long as the 0.409 second PPS processing instrumentation value is not exceeded, the total response time values assumed in the plant safety analyses contained in FSAR Table 15.1-2 will not be exceeded; 7 seconds for Overtemperature LlT RT and Overpower LlT RT functions, 2 seconds for High pressurizer pressure RT, Low pressurizer pressure RT, and Low Low SG water level RT functions, 1 second for Low reactor coolant flow RT function, 25 seconds for Low pressurizer pressure, High containment pressure, and Low steam line pressure Safety Injection initiation, 60 seconds for Low low SG water level auxiliary feedwater initiation, 18 seconds for High containment pressure, Low pressurizer pressure, and Low steam line pressure Phase A containment isolation, 48.5 seconds for High High containment pressure containment spray initiation, 7 seconds for High High containment pressure steam line isolation, 66 seconds for High High SG water level auxiliary feedwater isolation, and 8 seconds for Low steam line pressure steam line isolation.

The ALS response time will be verified as part of the FAT and the results will be included in the FAT summary report to be submitted by 12/31/12.

Tricon Invensys provided detailed information on the deterministic operation of the V10 Tricon in I nvensys Letter No. NRC V1 0-11-001, dated Jan uary 5, 2011.

In support of the V10 Tricon safety evaluation, Invensys submitted document 9600164-731, Maximum Response Time Calculations, describing the worst-case response time for the V1 0 Tricon Qualification System.

Included in document 9600164-731 are the standard equations for calculating worst-case response time of a given V10 Tricon configuration.

The time response calculation for the V10 Tricon PPS Replacement architecture was submitted on April 30, 2012. The System Response Time Confirmation Report, 993754-1-818, will be submitted to the staff as part of the ISG-06 Phase 2 submittals at the completion of factory acceptance testing of the V1 0 Tricon PPS Replacement.

Response time calc received Letter:

(ML12131A513)

Calc:

(ML12131A512

March 25, 2013 DCPP PPS Closed Item Summary Table Page 3 of 74 No SrclRI Issue Description P&GE response:

Status RAINa.

(Date Sent)

RAI

Response

(Due Date)

Comments The Tricon response time will be verified as part of the FAT and the results will be included in the FAT summary report to be submitted by 12/31/12.

Licensee representatives stated that PG&E will provide the Tricon Time response calc's in a document submitted on the docket.

002 AR (RA)

[ISG-06 Enclosure B, Item 1.4]

Software Management Plan: Regulatory Guide (RG) 1.168, Revision 1, "Verification, Validation, Reviews and Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," dated February 2004 endorses IEEE (Institute of Electrical and Electronics Engineers) 1012 1998, "IEEE Standard for Software Verification and Validation," and IEEE 1 028-1997,"IEEE Standard for Software Reviews and Audits," with the exceptions stated in the Regulatory Position of RG 1.168. RG 1.168 describes a method acceptable to the NRC staff for complying with parts of the NRC's regulations for promoting high functional reliability and design quality in software used in safety systems. Standard Review Plan(SRP)

Table 7-1 and Appendix 7.1-A identify Regulatory Guide 1.168 as SRP acceptance criteria for reactor trip systems (RTS) and for engineered safety features Westinghouse/ALS 6116-00000 Diablo Canyon PPS Management Plan, Figure 2-2, shows the Verification and Validation (V&V) organization reporting to the Project Manager. This is inconsistent with the information described in the ALS Management Plan for the generic system platform, Closed NIA 4/23/2012 Staff has confirmed that the new version of the ALS SWP is available for review

Response

received April 29, 2012. Staff will review and discuss further if needed at subsequent telecom meeting.

(Kemper 4/12/12)

Response

acceptable; the staff received the

March 25, 2013 DCPP PPS Closed Item Summary Table Page 4 of 74 No SrclR/

Issue Description P&GE response:

Status RA/ No.

(Date Sent)

RA/

Response

(Due Date)

Comments where the V&V organization is independent form the Project Manager. This is also inconsistent with the criteria of RG 1.168 and will need to be reconciled during the LAR and ALS L TR reviews.

revised W/ALS PPS MP on April 2, 2012 and will review for consistency with RG 1.168.

P&GE response:

ALS The PPS Replacement LAR referenced Westinghouse document 6116 00000 Diablo Canyon PPS Management Plan, dated July 25, 2011, that was based on CSI document 6002-00003 ALS Verification and Validation Plan, Revision 4. CS Innovations subsequently submitted a revised V&V plan, "6002-00003 ALS Verification and Validation Plan", Revision 5, on November 11, 2011, that revised the required V&V organization structure such that the management of the verification personnel is separate and independent of the management of the development personnel. The Westinghouse 6116-00000 Diablo Canyon PPS Management Plan was revised to require a V&V organization structure in which the management of the verification personnel is separate and independent of the management of the development personnel. PG&E submitted the revised Westinghouse 6116-00000 Diablo Canyon PPS Management Plan, Revision 1, document on April 2, 2012.

3 AR (RA)

[ISG-06 Enclosure B, Item 1.9]

Software V&V Plan: The ALS V&V plan states that Project Manager of the supplier is responsible for providing directions during implementation of V&V activities. Also, the organization chart in the Diablo Canyon PPS Management Plan shows the IW manager reporting to the PM.

Closed N/A

Response

received April 2, 2012. Staff will review and discuss further if needed at The ALS V&V plan described in ISG-6 matrix for the ALS platform and the Diablo Canyon PPS Management Plan do not provide sufficient information about the activities to be performed during V&V. For example, the ALS V&V Plan states that for project specific systems, V&V activities are determined on a project by project basis and are described in the project Management Plan, in this case, 6116-00000, "Diablo Canyon PPS Management Plan."

However, the 6116-00000 Diablo Canyon PPS Management Plan states:

subsequent telecom meeting.

Status: Fig. 3 of the PPS SWP (Pg.

16/46) indicates

March 25, 2013 DCPP PPS Closed Item Summary Table Page 5 of 74 No SrclRI Issue Description P&GE response:

Status RAINo.

(Date Sent)

RAI

Response

(Due Date)

Comments "See the ALS V&V Plan for more information and the interface between the IV&V team and the PPS Replacement project team."

The Triconex V&V plan states that the Engineering Project Plan defines the scope for V&V activities. As mentioned before, the Triconex EPP is not listed in the ISG-6 matrix.

These items will need further clarification during the LAR review to demonstrate compliance with Regulatory Guide (RG) 1.168, Revision 1, "Verification, Validation, Reviews and Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants,"

sufficient organizational independence between the Nuclear Delivery (Design)

Organization and the IV&V Organization.

Fig. 3 of the PPS PMP (993754-1 P&GE response:

ALS The Westinghouse 6116-00000 Diablo Canyon PPS Management Plan was 905) (pg. 22/81) revised to include details on how the IV&V team has an independent also denotes the organizational reporting structure from the design and implementation team; DCPP PPS project the Scottsdale Operations Director and the ALS Platform & Systems organization, and Director report to different Westinghouse Vice Presidents. The IW provides sufficient Manager and Scottsdale Operations Director both report to the same Westinghouse Vice President, but via independent reporting structures.

independence between the NO Description of 6116-00000 Diablo Canyon PPS Management Plan V&V was and IV&V also revised to add information on the activities being performed for the Organizations.

V&V.

Close the lnvensys PG&E submitted the revised Westinghouse 6116-00000 Diablo Canyon PPS Management Plan that includes the above changes on April 2, 2012.

part of the 01.

Tricon W/ALS response The organizational structure of Invensys Operations Management acceptable; comprises, in part, Engineering and Nuclear Delivery. Each of these (Kemper 4/12/12) organizations plays a specific role in the V1 0 Tricon application project life the staff received cycle. Invensys Engineering is responsible for designing and maintaining the V10 Tricon platform, and Nuclear Delivery is responsible for working with nuclear customers on safety-related V1 0 Tricon system integration the revised W/ALS PPS MP on April 2,

March 25, 2013 DCPP PPS Closed Item Summary Table Page 6 of 74 No SrclRI Issue Description P&GE response:

Status RAI No.

(Date Sent)

RAI

Response

(Due Date)

Comments projects. Invensys Engineering department procedures require "Engineering Project Plans (EPP)," whereas Nuclear Delivery department procedures require "Project Plans." Invensys Engineering is not directly involved in system integration, but Nuclear Delivery may consult with Engineering on technical issues related to the V1 0 Tricon platform.

2012 and will review for consistency with RG 1.168.

The NRC applied ISG-06 to the V1 0 Tricon safety evaluation. Invensys submitted a number of documents pertaining to the design of the V1 0 Tricon platform as well as process and procedure documents governing Invensys Engineering activities, including the EPP. In most cases, these platform-related documents are preceded with document number 9600164. The platform-level documents reviewed by the staff during the V10 Tricon safety evaluation will not be resubmitted by Nuclear Delivery during application-specific system integration projects.

In support of the PG&E LAR for the DCPP PPS Replacement, Invensys Nuclear Delivery is required to submit the application design documents as defined in ISG-06. These project documents are preceded by document number 993754. The Phase 1 submittal under Invensys Project Letter 993754-026T, dated October 26,2011, contained, in part, the following:

PPS Replacement Project Management Plan (PMP), 993754-1-905.

"Project Management Plan" was used to more closely match BTP 7-14 with regard to "management plans"; and PPS Replacement Software Verification and Validation Plan (SWP),

993754-1-802.

The PMP describes the PPS Replacement Project management activities within the Invensys scope of supply. The guidance documents BTP 7-14 and NUREG/CR-6101 were used as input during development of the PMP.

With regard to compliance with RG 1.168, the PPS Replacement PMP and SWP both describe the organizational structure and interfaces of the PPS Replacement Project. The documents describe the Nuclear Delivery (ND) design team structure and responsibilities, the Nuclear Independent Verification and Validation (lV&V) team structure and responsibilities, the Status: Fig. 3 of the PPS SWP (Pg.

16/46) indicates sufficient organizational independence between the Nuclear Delivery (Design)

Organization and the IV&V Organization.

Fig. 3 of the PPS PMP (993754-1 905) (pg. 22/81) also denotes the DCPP PPS project organization, and provides sufficient independence between the N D and IV&V Organizations.

March 25, 2013 DCPP PPS Closed Item Summary Table Page 7 of 74 No SrclRI Issue Description P&GE response:

Status RAI No.

(Date Sent)

RAI

Response

(Due Date)

Comments interfaces between NO and Nuclear IV&V, lines of reporting, and degree of independence between NO and Nuclear IV&V. In addition, the PMP describes organizational boundaries between Invensys and the other external entities involved in the PPS Replacement project: PG&E, Altran, Westinghouse, and Invensys suppliers. The combination of the PMP and SWP demonstrate compliance of the Invensys organization with RG 1.168.

Close the Invensys part of the 01.

4 AR (RA)

[ISG-06 Enclosure B, Item 1.10]

Software Configuration Management Plan: The LAR includes PG&E CF2.ID2, "Software Configuration Management for Plant Operations and Operations Support," in Attachment 12. However, the document provided in 2 only provides a guideline for preparing Software Configuration Management (SCM) and SQA plans. Though it is understood that the licensee will not perform development of software, PGE personnel will become responsible for maintaining configuration control over software upon delivery from the vendor.

The staff requires the actual plan to be used by the licensee for maintaining configuration control over PPS software in order to evaluate against the acceptance criteria of the SRP. For example, the ALS Configuration Management (CM) Plan (6002-00002) describes initial design activities related to ALS generic boards. This plan does describe the configuration management activities to be used for the development and application of the ALS platform for the Diablo Canyon PPS System. The staff requires that configuration management for this design be described in the DCPP project specific plan. These items will need further clarification during the LAR review to demonstrate compliance with BTP-14.

P&GE response:

PG&E developed a SCMP procedure to address configuration control after shipment of equipment from the vendor and submitted the SCMP on June 6, 2012, in Attachment 4 to the Enclosure of PG&E Letter DCL-12-050.

Closed N/A (Kemper 4-12-12)

Response

received April 2, 2012. Staff will review the PG&E SyCMP procedure when it arrives on May 31,2012.

Alvarado (6/13/12):

PG&E placed a copy of their SyCMP SCM 36-01 in its SharePoint.

The staff will review this information and identify questions, if necessary.

March 25, 2013 DCPP PPS Closed Item Summary Table Page 8 of 74 Comments No SrclRI Issue Description P&GE response:

Status RAI No.

(Date Sent)

RAI

Response

(Due Date) 5 L--

AR (RA)

[ISG-06 Enclosure B, Item 1.11]

Software Test Plan: The V10 platform documents identified in ISG6 matrix state that the interface between the NGIO (Next Generation Input Output)

Core Software and 10-specific software will not be tested. It is not clear when and how this interface will be tested, and why this test is not part of the software unit testing and integration testing activities.

Further, the 993754-1-813 Diablo Canyon Triconex PPS Validation Test Plan states that the DCPP's TSAP will not be loaded on the system; instead Triconex will use another TSAP for the validation test. It is not clear why the DCPP's TSAP will not be used for the validation test or when the DCPP's TSAP will be loaded on the system and validated for the Diablo Canyon PPS System. These items will need further clarification during the LAR review to demonstrate compliance with BTP-14.

Closed N/A

Response

received April 2, 29,2012. Staff will review and discuss further if needed at subsequent telecom meeting.

Tricon Next Generation Input Output (NGIO)

Core software is tested and qualified as a platform component. As such, it does not need to be separately tested during the application development process.

TSAP is a Test Specimen Application Program used for purposes of platform qualification.

P&GE response:

Tricon The next-generation input/output (I/O) modules qualified for the V1 0 Tricon are the 3721 N 4-20 mA, 32-point analog input (AI) module, and the 3625N 24 Vdc, 32-point digital output (DO) module. Technical data on these two modules was provided to the NRC in support of the V1 0 Tricon safety evaluation. Configuration and functional testing is performed when the 110 modules (hardware and embedded core firmware) are manufactured. From the factory the I/O modules are shipped to Invensys Nuclear Delivery for use in nuclear system integration projects, i.e., application specific configurations. Because the module hardware and embedded core firmware are within the scope of the V10 Tricon safety evaluation, the verification and validation of the embedded core firmware will not be repeated as part of application-specific system integration projects.

There are certain design items that must be done with TriStation 1131 (TS 1131), such as specifying which 110 module is installed in a particular

March 25, 2013 DCPP PPS Closed Item Summary Table Page 9 of 74 Comments RAI No.

RAI SrclRI Issue Description No P&GE response:

Status (Date Sent)

Response

(Due Date) physical slot of the Tricon chassis, resulting in each module having a unique hardware address in the system. Also, TS1131 is used to specify which Invensys stated application program parameters (i.e., program variable tagnames) are that assigned to a particular point on a given 1/0 module. The design items The Diablo Canyon configured in TS1131 will be within the scope of validation activities Application will be conducted by Invensys Nuclear IV&V for application-specific system loaded onto plant integration projects. The necessary collateral (system build documents, system hardware configuration tables, test procedures, test results, etc.) will be submitted to during FAT.

the NRC to support the staff's technical review of the PPS Replacement LAR in accordance with ISG-06.

The Phase 1 submittal under Invensys Project Letter 993754-026T, dated October 26, 2011, contained, in part, the Validation Test Plan (VTP),

Staff re-examined 993754-1-813. This document describes the scope, approach; and Invensys doc.

resources of the testing activities that are required for validation testing of "Validation Test the V10 Tricon portion of the PPS Replacement, including:

Plan (VTP),

Preparing for and conducting system integration tests 993754-1-813,"

Defining technical inputs to validation planning Section 1.3.2 of the Defining the test tools and environment necessary for system validation VTP that describes testing the Hardware Scheduling (and resource loading of the schedule)

Validation Test activities and Section 1.3.2 of the VTP describes the Hardware Validation Test activities Section 1.3.3 of the and Section 1.3.3 of the VTP describes the V10 Tricon portion of the VTP and Factory Acceptance Test activities for the V1 0 Tricon portion of the PPS determined that the Replacement. Details on the application program are proprietary and need application program to be provided to the staff separately.

TSAP will be used for the FAT (Section 5.1.5 FAT)

Close this portion of the 01.

March 25, 2013 DCPP PPS Closed Item Summary Table Page 10 of 74

'No Status RA/ No.

RA/

Comments SrciR/

Issue Description P&GE response:

(Date Sent)

Response

(Due Date)

Response

Response Closed Develop AR

[ISG-06 Enclosure B, Item 1 141 6

Received received April 2, (SM) a generic Equipment Qualification Testing Plans - The LAR Sections 4.6, 4.10.2.4 and 09/11/12 29, 2012. Staff will environmental factors. The Tricon V1 0 Safety Evaluation, ML11298A246, RAI to 4.11.1.2 provide little information on the plant specific application review and discuss Section 6.2 lists 19 application specific actions Items (ASAl's) that the provide a further if needed at licensee should address for plant specific applications. The licensee should response subsequent address each of these for Tricon portion of the PPS replacement. Similar to ASAls telecom meeting.

information for the ALS portion of the PPS replacement will also be for both platforms required.

when the Staff agreed that SERs are PG&E should P&GE response:

issued.

submit a separate submittal (LAR ALS RA# 01 amendment) to PG&E will respond to ALS ASAl's when they are available.

address the ASAls for both platforms.

Tricon it is not necessary IN PROGRESS. All of the Application Specific Action Items will be to delineate exactly addressed by March 21, 2012.

what will be done for each ASAI in this 01 matrix.

Response

RAI # 17 (Kemper 4-12-12)

AR

[ISG-06 Enclosure B, Item 1.161 Closed 7

Received (BK)

&18 to

Response

09/11/12 DeSign Analysis Reports: The LAR does not appear to comply with the obtain an received April 2, SRP (ISG-04) regarding the connectivity of the Maintenance Work Station to answer I 29, 2012. Staff the PPS. The TriStation V10 platform relies on software to effect the report to reviewed this item disconnection of the TriStation's capability to modify the safety system address and still need software. Based on the information provided in the L TR, the NRC staff this topic.

additional determined that the Tricon V10 platform does not comply with the NRC information to close guidance provided in ISG-04, Highly Integrated Control Rooms-Communications Issues, (ADAMS Accession No. ML083310185), Staff this item. The staff Position 1, Point 10, hence the DCPP PPS configuration does not fully will need to review comply with this guidance.

this item further

March 25, 2013 DCPP PPS Closed Item Summary Table Page 11 of 74 No SrclRI Issue Description P&GE response:

Status RAI No.

(Date Sent)

RAI

Response

(Due Date)

Comments In order for the NRC staff to accept this keyswitch function as an acceptable deviation to this staff position, the staff will have to evaluate the DCPP PPS specific system communications control configuration--including the operation of the keyswitch, the software affected by the keyswitch, and any testing performed on failures of the hardware and software associated with the keyswitch. The status of the ALS platform on this matter is unclear at this time and will be resolved as the ALS L TR review is completed.

Moreover, the Tricon V10 system Operational Mode Change (OMC) keyswitch does change operational modes of the 3008N MPs and enables the TriStation 1131 PC to change parameters, software algorithms, etc, related to the application program of the safety channel without the channel or division being in bypass or in trip. As stated in Section 3.1.3.2 of the Tricon V1 0 SER, the TriStation 1131 PC should not normally be connected while the Tricon V10 is operational and performing safety critical functions.

However, it is physically possible for the TriStation PC to be connected at all times, and this should be strictly controlled via administrative controls (e.g.,

place the respective channel out of service while changing the software, parameters, etc). The LAR does not mention any administrative controls such as this to control the operation of the OMC (operational mode change) keyswitch. Furthermore, in order to leave the non-safety TriStation 1131 PC attached to the SR Tricon V10 system while the key switch is in the RUN position, a detailed FMEA of the TriStation 1131 PC system will be required to ascertain the potential effects this non-safety PC may have on the execution of the safety application program/operability of the channel or division. These issues must be addressed in order for the NRC staff to determine that the DCPP PPS complies with the NRC Staff Guidance provided in Staff Position 1, Point 11. The status of the ALS platform on this point is unclear at this time.

during an NRC audit at the Invensys facility.

All the items noted below will be the scope of the audit.

3/21/12 update: it was agreed that PG&E/lnvensys and PG&ElWestinghou se/CSI would provide a report (LAR supplement) to explain how these two issues will be resolved and submit to NRC-Date to be provided TBD.

Waiting for the V1 0 Tricon portion of the PPS Replacement Failure Modes and Effects Analysis, an P&GE response:

Tricon ISG-06 Phase 2 The OMC keyswitch controls only the mode of the V10 Tricon 3008N MPs.

document to be In RUN position the 3008N MPs ignore* all commands from external submitted to NRC devices, whether WRITE commands from external operator interfaces or in May 2012.

program-related commands from TS 1131.

March 25, 2013 DCPP PPS Closed Item Summary Table Page 12 of 74 No SrclRI Issue Description P&GE response:

Status RAI No.

(Date Sent)

RAI

Response

(Due Date)

Comments The keyswitch is a four-position, three-ganged switch so that the three Main 3/21/12 Update:

Processor (MP) modules can monitor the position of the switch PG&Ellnvensys independently. The Operating System Executive (ETSX) executing on the needs to provide a MP application processor monitors the position of the keyswitch. The three technical MPs vote the position of the keyswitch. The voted position of the keyswitch is available as a read-only system variable that can be monitored by the explanation of how TSAP. This allows alarming the keyswitch position when it is taken out of the MP3008N the RUN position. TS1131 messages to and from the Tricon (Le., ETSX processor actually executing on the MPs) are of a defined format. TS1131 messages for ignores all control program (i.e., TSAP) changes - whether download of new control commands when in programs or modification of the executing control program - are uniquely RUN-address the identifiable. Such messages are received by ETSX and appropriate items in the 01.

response provided depending upon, among other things, the position of the keyswitch. When a request from TS1131 is received by ETSX to download 4/4/12 Update:

a new control program or modify the executing control program, ETSX Need to explain accepts or rejects the request based on the voted keyswitch position. If the how this message keyswitch is in RUN, all such messages are rejected. If the keyswitch is in format works to PROGRAM, the Tricon is considered out of service and ETSX runs through reject messages the sequence of steps to download the new or modified control program, as from the Tristation appropriate.

when in RUN??

Multiple hardware and software failures would have to occur on the V1 0 Tricon (in combination with human-performance errors in the control room and at the computer with TS1131 installed) in order for the application program to be inadvertently reprogrammed. Therefore, there is no credible Graphs and visual presentation of these concepts would be helpful.

single failure on the V10 Tricon that would allow the safety-related application program to be inadvertently programmed, e.g., as a result of unexpected operation of the connected computer with TS1131 installed on it.

This issue will also have to be addressed for the ALS platform.

The above conclusion will be confirmed (for the V1 0 Tricon portion of the PPS Replacement) in the Failure Modes and Effects Analysis, an ISG-06 Phase 2 document planned for submittal to NRC in May 2012. Additionally, I nvensys Operations Management will support the staff's review of the PG&EII nvensys

March 25, 2013 DCPP PPS Closed Item Summary Table Page 13 of 74 No SrclRI Issue Description P&GE response:

Status RAI No.

(Date Sent)

RAI

Response

(Due Date)

Comments hardware and software associated with the OMC keyswitch by making all of the technical data available for audit.

TS1131 contains function blocks that allow WRITE-access to a limited set of parameters programmed into the application software, but only for a limited duration after which the capability is disabled until WRITE-access is re-enabled. However, without these function blocks programmed into the application program neither the application program nor application program parameters can be modified with the OMC keyswitch in the RUN position.

needs to provide a technical explanation of how the MP3008N processor actually ignores all commands when in RUN-address the PG&E Administrative controls on use of keyswitch will be provided with commitment to include in procedures in response.

Note, TS1131 is not used to change setpoints and protection set is inoperable when keyswitch is not in RUN position.

items in the 01.

8 AR (RS)

[ISG-06 Enclosure B, Item 1.21]

Setpoint Methodology: The NRC staff understands that a summary of SP (setpoint) Calculations will be provided in Phase 2, however, section 4.10.3.8 of the LAR also states that PGE plans to submit a separate LAR to adopt TSTF 493. The NRC cannot accept this dependency on an unapproved future licensing action. The staff therefore expects the licensee to submit a summary of setpoint calculations which includes a discussion of the methods used for determining as-found and as-left tolerances. This submittal should satisfy all of the informational requirements set forth in ISG6 section 0.9.4.3.8 without a condition of TSTF 493 LAR approval Closed NIA Discussed at 4/18/2011 CC.

Requested that PGE add to the response a statement that the setpoint changes associated with this modification will be submitted for evaluation independently with no reliance on TSTF 439 licensing action.

(Kemper 4-12-12)

P&GE response:

The evaluation of the setpoints for the PPS replacement will need to be performed by Westinghouse in two phases in order to provide sufficient documentation to support 95/95 setpoint values for the setpoints. This is

March 25, 2013 DCPP PPS Closed Item Summary Table Page 14 of 74 No SrclRI Issue Description P&GE response:

Status RAI No.

(Date Sent)

RAI

Response

(Due Date)

Comments because the NRC staff has been requesting additional information and

Response

additional data and analysis to demonstrate that the uncertainties used in received April 2, the setpoint calculation have been based on a statistically sufficient quantity 29, 2012. PG&E's of sample data to bound the assumed values (to justify the confidence level of the calculation is appropriate) during recent Westinghouse projects involving setpoints. Significant information is required from the transmitter commitment to provide summary and RTD vendors, that has never been obtained before, to support calc's by May 31,

development of calculations that can support 95/95 setpoint values.

2012 and not revise these setpoints via The first phase of the evaluation of the setpoints will include evaluation of a TSTF-439 LAR the PPS replacement setpoints for the Tricon and ALS architecture using addresses this 01.

expected bounding uncertainty values. A setpoint summary evaluation which includes a discussion of the methods used for determining the as-Close this 01.

found and as-left tolerances will be submitted by May 31, 2012. This is a change to the commitment 31 in Attachment 1 to the Enclosure to the PPS 3/7/12 update:

Replacement LAR. The setpoint information associated with the PPS PG&E stated that replacement is being submitted independently of the LAR for TSTF-493 and all setpoints does not rely on a TSTF-493 licensing action.

determinations will The second phase of the evaluation of the setpoints will include development of Westinghouse calculations of the PPS replacement be addressed as part of this LAR, setpoints for the Tricon and ALS architecture using sufficient information and NOT submitted from vendors to substantiate that the setpoints are 95/95 values. The as a TSTF-493 Westinghouse calculations will be completed by December 31,2012 and licensing action.

will be available for inspection by NRC staff in Washington DC with support provided by Westinghouse setpoint group personnel. The NRC staff 3/21/12 update:

inspection of Westinghouse calculations in Washington DC has been performed for another recent utility project involving setpoints.

The staff may chose to review the Westinghouse calculations at the Westinghouse office in Washington DC.

However, if the safety finding is

March 25, 2013 DCPP PPS Closed Item Summary Table Page 15 of 74 No SrclRI Issue Description P&GE response:

Status RAINo.

(Date Sent)

RAI

Response

(Due Date)

Comments dependent on these calculations, then the setpoint calculations will be required to be submitted on the docket per NRC licensing procedures 9

AR (SK)

L TR Safety Conclusion Scope and Applicability - Many important sections of the DCPP PPS LAR refer the reader to the ALS licensing topical report (L TR) to demonstrate compliance of the system with various Clauses of IEEE 603-1991, IEEE 7-4.3.2-203, and ISG-04. However, many important sections of the ALS L TR state that compliance with various Clauses of these IEEE Stds and ISG-04 are application specific and refer the reader to an application specific license amendment submittal (Le., the DCPP PPS LAR in this case). The staff has not yet had time to evaluate all the LAR information in detail and compare this information with that provided in the ALS L TR to ensure there is no missing information. However, PG&E and its contractors are encouraged to review these two licensing submittals promptly to verify that compliance with these IEEE Stds and ISG-04 are adequately addressed within both licensing documents.

Closed No specific RAI needed for this

01. RAI

4 addresse s this item as noted below in 0115.

complian ce matrix for the ALS platform.

(Kemper 4-12-12)

Response

received April 2, 29, 2012. The PG&E response to this item address the 01. Close this

01.

P&GE response:

PG&E and Westinghouse have reviewed the LAR 11-07 and the ALS topical report to verify information is provided to justify compliance with IEEE 603-1991, IEEE 7-4.3.2-2003, and ISG-04 in either the LAR or the ALStopical report. As a result of the review, it was identified that neither the LAR nor the ALS topical report contain a matrix that documents compliance with ISG-04 Table 5-4 for the DCPP ALS platform. PG&E will submit a matrix that documents compliance with ISG-04 Table 5-4 for the DCPP ALS platform by May 31,2012.

March 25, 2013 No SrclRI 10 RS DCPP PPS Closed Item Summary Table Issue Description P&GE response:

Plant Variable PPS Scope - In the Description section of the LAR, section 4.1.3, nine plant variables are defined as being required for RTS and section 4.1.4 lists seven plant variables that are required for the ESFAS.

Three additional plant variables were also listed in section 4.10.3.4.

Status Closed RAI No.

(Date Sent)

RAI02 RAI

Response

(Due Date)

Response

Received 09/11/12 Page 16 of 74 Comments Some variables are not listed in section 4.10.3.4 as being PPS monitored plant parameters. It is therefore assumed that these parameters are provided as direct inputs to the SSPS and that the PPS is not relied upon for the completion of required reactor trip or safety functions associated with them. Please confirm that these plant parameters and associated safety functions will continue to operate independently from the PPS and that the replacement PPS will not adversely impact the system's ability to reliably perform these functions.

P&GE response:

The PPS Replacement LAR Sections 4.1.3 and 4.1.4 describe the plant variables from which RTS and ESFAS protective functions are generated.

The initiation signal outputs to the SSPS coincidence logic are generated in the PPS or other, independent systems, or in some cases, by discrete devices. Section 4.1.3 items 6 (RCP bus UF, UV, and breaker position, 8 (Main Turbine trip fluid pressure and stop valve position) and 9 (seismic acceleration) are generated by discrete devices outside the PPS and provide direct contact inputs to the SSPS. Section 1.4 items 6 (Containment Exhaust Radiation) and 7 (RT breaker position Permissive P

4) are also generated outside the PPS and are direct contact inputs to the SSPS. The initiation signals associated with these plant parameters operate independently from the PPS. The replacement PPS will not adversely affect the reliable performance of the safety functions associated with these plant parameters.

Neutron Flux is an input to Tricon but it is not listed in Table 4-2 "Process Variable inputs to Tricon" Signals not associated with PPS functions will be designated as such in the SE and

March 25, 2013 No SrclRI DCPP PPS Closed Item Summary Table Issue Description P&GE response:

The three signals (Wide Range RCS Temperature and Pressure and Turbine Impulse Chamber Pressure) not listed in Sections 4.1.3 and 4.1.4 are monitored by the PPS per Section 4.10.3.4. The Wide Range RCS Pressure and Temperature signals are used to generate the L TOP function described in DCPP FSAR Section 5. The PPS uses Turbine Impulse Chamber Pressure to generate an initiation signal that is used by the SSPS coincidence logic to develop Permissive P-13 as discussed in RAI 3, below.

Status RAI No.

(Date Sent)

RAI

Response

(Due Date)

Page 17 of 74 Comments they will not be described since they are not in scope.

Neutron Flux should be added to Section 4.2 Table 4-2 as follows:

Input to Overtemperature ~

Neutron Flux (Power Temperature (OTDT) RT Range, Upper & Lower)

Input to Overpower ~

Temperature (OPDT) RT 11 RS Power Range NIS Function - Section 4.1.7 describes the Existing Power Range NIS Protection Functions and it states that the Power Range nuclear instrumentation provides input to the OTDT, and OPDT protection channels.

It is not entirely clear whether any of the described NIS protection functions will be performed by the PPS system. Please clarify exactly what the role of the PPS system is for these NIS Protection functions.

P&GE response:

Power range analog inputs are provided by the NIS to each PPS Protection Set for use in the calculation of the Overtemperature Delta-T and Overpower Delta-T Setpoint in the Delta-TlTavg channels. No other NIS signals interface with the PPS. The NIS Protection functions (RT and power range permissives) are generated independently by Nuclear Instrumentation bistable comparators. The NIS bistable outputs are sent directly to the SSPS and have no physical interface with the PPS.

12 RS Permissive Functions - Several Permissive functions are described within the LAR. It is not clear to the staff whether any of these functions are to be Closed*

Closed N/A RAI03

Response

Received Only PPS Functions will be described in the SE.

5/30/12 Determined that no RAI is needed for this item.

March 25,2013 DCPP PPS Closed Item Summary Table Page 18 of 74 No SrclRI Issue Description P&GE response:

Status RAI No.

(Date Sent)

RAI

Response

(Due Date)

Comments performed by the PPS or if the PPS will only be providing input to external systems that in turn perform the permissive logic described in the LAR.

Section 4.1.9 states that "Settings of the bistable comparators used to develop the permissives are not affected by the PPS Replacement Project",

which implies that all of these permissive functions are performed by systems other than the PPS. However, it is still unclear if this statement applies to all permissive functions described throughout the LAR or if it applies only to those permissives relating to Pressurizer Pressure. It is also possible that the permissive functions are being performed by the existing PPS and will continue to be performed by the replacement system and therefore remain "not affected" by the PPS replacement project.

Please provide additional information for the following permissive functions to clearly define what the role of the PPS system will be for each.

P-4 Reactor Trip P-6 Intermediate Range Permissive P-7 Low Power Permissive (Bypasses low Ppzr reactor trip)

P-8 Loss of Flow Permissive P-9 Power Permissive P-10 Power Range Power Low Permissive P-11 Low Pressurizer Pressure SI Operational Bypass P-12 No-Load Low-Low Tave Temperature Permissive P-13 Turbine Low Power Permissive

P-14 Hi-Hi Steam Generator Level

The LAR states that "These signals are generated in the PPS" 09/11/12 I

P&GE response:

Permissive function initiation signals generated within the existing PPS will continue to be performed by the replacement PPS and therefore remain "not affected" by the PPS replacement project. Permissive function initiation signals that are generated independently of the existing PPS will continue to be generated independently.

March 25, 2013 DCPP PPS Closed Item Summary Table Page 19 of 74 No SrclRI Issue Description P&GE response:

Status RAI No.

(Date Sent)

RAI

Response

(Due Date)

Comments Permissive P6, P-8, P-9, and P-10 initiation signals are bistable comparator outputs from the independent NIS to the SSPS. There is no interface with the PPS.

Permissive P-4 initiation signals are direct contact inputs to the SSPS coincidence logic generated from contacts in the Reactor Trip Breakers (RTB). There is no interface with the PPS.

Permissive P-11, P-12, P-13, and P-14 initiation signals are generated by bistable comparator outputs generated in the PPS and sent to the SSPS.

Permissive P-7 is generated in the SSPS from 3 out of 4 power range NI channels (from NIS - P-10) below setpoint and 2/2 turbine impulse chamber pressure channels below setpoint (From PPS P13).

The bistable initiation signals described above are monitored by the SSPS.

The SSPS generates the Permissive when appropriate coincidence of initiation signals is detected. No SSPS permissive or safety function coincidence logic is changed by the PPS replacement project.

Permissives P-6, P-7, P-8, P-9, P-10, and P-13 are functionally described in FSAR Table 7.2-2. Permissives P-4, P-11, P-12, and P-14 are functionally described in FSAR Table 7.3-3.

The bistable comparator setpoints for the above-listed permissives are not expected to change at this time.

The NRC understands that all permissives are developed within the SSPS system.

Permissives P11 -

P14 use inputs provided by PPS system. All other permissives use inputs generated by external systems that are independent of the PPS.

See 13 below.

13 RS P12 Permissive Contradiction - The second paragraph of section 4.1.20 describes the P-12 interlock and states that "These signals are developed in the PPS". This statement is then contradicted in the third paragraph by the Closed N/A

March 25, 2013 DCPP PPS Closed Item Summary Table Page 20 of 74 No SrclRI Issue Description P&GE response:

Status RAINa.

(Date Sent)

RAI

Response

(Due Date)

Comments following statement; "These valves are not safety-related, but are interlocked with the P-12 signal from the SSPS,"

In conjunction with the response to RA13, please provide a resolution for this contradiction in section 4.1.20 of the LAR.

The NRC understands that the P12 signal is generated by the SSPS using signals developed in the PPS.

5/30/2012 Determined that no RAI will be needed for this item.

P&GE response:

The word "signals" in the referenced Section 4.1.20 sentence, "These signals are developed... " is referring to the bistable comparator outputs which are monitored by the SSPS. The PPS does not generate the P-12 Permissive itself. The actual P-12 Permissive is generated by the SSPS when appropriate coincidence of initiation signals is detected. The SSPS output is interlocked with the valves as stated in the third paragraph of Section 4.1.20.

The LAR Section 4.1.20 is clarified by the following statement:

"... The P-12 Permissive is developed in the SSPS based on coincidence of the P-12 bistable comparator output initiation signals from the PPS...

Protection System Permissives (P-11 unblock SI from ALS, P13 Turbine power permissive from Tricon, and P-14 Steam Generator Level high-high from Tricon) are generated by coincident logic in the SSPS based on initiating signals (bistable outputs) from the PPS as noted in the response to 01 #12. Permissive development, including initiating signals and logic coincidence is shown in FSARU Tables 7.2-2 (RTS) and 7.3-3 (ESFAS).

The PPS does not perform coincident logic functions and does not "generate" any protection system permissives.

14 RS Section 4.1.1 SSPS contains the following statement in the last paragraph; "Information 'Concerning the PPS status is transmitted to the control board status lamps and annunciators by way ofthe SSPS control board demultiplexer and to the PPS bl wal ofthe SSPS computer demultpL~~er."

Closed N/A PGE Response resolves this Open Item. Change status to Closed.

March 25, 2013 DCPP PPS Closed Item Summary Table Page 21 of 74 No SrclRI Issue Description P&GE response:

Status RAI No.

(Date Sent)

RAI

Response

(Due Date)

Comments Why would the PPS status need to be transmitted to the PPS as the sentence suggests in the last phrase?

PG&E response:

The sentence in Section 4.1.1 contains a a typographical error. The sentence should read:

"Information concerning the PPS status is transmitted to the control board status lamps and annunciators by way of the SSPS control board demultiplexer and to the Plant Process Computer (PPC) by way of the SSPS computer demultiplexer."

As used in the Section 4.1.1. paragraph, "PPS Status" means "PPS Channel Trip Status."

15 (BK)

An ISG-04 compliance matrix for the DCPP PPS system was not submitted with, or referenced in, the LAR for the W/ALS platform. Instead the ISG-04 compliance section 4.8 of the LAR refers the reader to the ALS L TR for nearly all the points of ISG-04. Fig. 4.4 and 4.5 of the LAR indicate various 1 E and non-1 E communication pathways to and from ALS processor (e.g.,

Closed Drafted RAI#4 to obtain an answer I report to

Response

Received 09/11/12 (Kemper 4-4-12)

No further discussion necessary until May 31, 2012.

Maintenance Work Station, plant computer, process control, port aggregator, and 4-20 ma temperature signal to Tricon processor). These are all application specific features of the PPS and the staff expects a W/CSI ALS document to be submitted, similar in scope and detail to the Invensys "PACIFIC GAS & ELECTRIC COMPANY NUCLEAR SAFETY RELATED PROCESS PROTECTION SYSTEM REPLACEMENT DIABLO CANYON POWER PLANT DI&C-ISG-04 CONFORMANCE REPORT" Document No. 993754-1-912 Revision 0, to be submitted on the docket, which explains how the ALS portion of the PPS application conforms with the guidance of ISG-04.

address this ISG 04 complian ce matrix for the ALS platform.

4/4/12 update: The draft ALS ISG-04 compliance matrix on the AL TRAN Sharepoint website is not detailed enough for the staff to use in approving the ALS portion of the PPS' communications

March 25, 2013 DCPP PPS Closed Item Summary Table Page 22 of 74 No SrclRI Issue Description P&GE response:

Status RAI No.

(Date Sent)

RAI

Response

(Due Date)

Comments PG&E response:

PG&E is developing the ISG-04 compliance matrixTable for the ALS platform and PG&E will submit the Table by July 31, 2012.

design. Suggest PG&E review the Invensys ISG-04 Doc. Document No.

993754-1-912 (-P)

Revision 0, and provide guidance for an ALS document at the same level of detail.

16 (BK)

Section 1.4.4 (pg. 12/38) of document 993754-1-813 Diablo Canyon Triconex PPS Validation Test Plan (VTM) states "The network equipment, including media converter, NetOptics Network Aggregator Tap, and gateway hub, and the MWS will not be within the test scope of this VTP. The Nuclear Delivery (ND) group will coordinate with Pacific Gas & Electric for system staging prior to turn over to Nuclear IV&V. The Nuclear IV&V group will confirm proper operation of network communications system interfaces before beginning testing addressed in this VTP." When, where, and what procedures will be used to test the network equipment??

Closed RAI05

Response

Received 09/11/12 Received two papers discussing integration test plans for PPS system. These papers were discussed at the 4/18/2011 CC.

The staff agrees that the analog RTD signal loops may be tested separately at the Tricon FAT and at the ALS FAT to satisfy integration test requirements.

The staff expressed some concerns over the statement that "There is no digital data PG&E response: Additional information on the PPS testing is being provided to the staff. The information on the PPS testing was updated on May 9 to address staff comments provided in the 4/18/22 conference call. The VTM will need to be updated based on the additional information. A date that the updated VTM will be submitted will be provided after feedback from the staff is received on the additional information on the PPS testing.

March 25, 2013 DCPP PPS Closed Item Summary Table Page 23 of 74 No SrclRI Issue Description P&GE response:

Status RAI No.

(Date Sent)

RAI

Response

(Due Date)

Comments connection between the Tricon and the ALS." This appears to be a misleading statement since both systems do have connections to the common MWS. Further clarification should be provided and the statement should be revised to describe the nature of the MWS connections to each system.

A follow-up discussion was had at the 5/16/12 conference call.

The NRC staff feels that the final integration to be performed during SAT as proposed, will have to be complete and the results submitted prior to issuance of the SE.

I

March 25, 2013 DCPP PPS Closed Item Summary Table Page 24 of 74 No SrclRI Issue Description P&GE response:

Status RAI No.

(Date Sent)

RAI

Response

(Due Date)

Comments 17 (BK)

Section 5.1.4.3, Hardware Validation Tests, (pg. 27/38) of document 993754-1-813 Diablo Canyon Triconex PPS Validation Test Plan (VTM) states that the ALS equipment will not be included in the FAT. Where, when, and what procedures will be used to fully test the Integrated PPS system (both Tricon V10 and ALS platforms together) be subjected to FAT.

Closed RAI06

Response

Received 09/11/12 This issue was discussed at the 4/1812011 CC.

PGE proposed performance of separate but overlapping tests at each factory to accomplish the integration test.

The staff has some concern over the fact that the MWS's to be installed in the plant would only be tested during the Tricon FAT. A fifth MWS to be configured the same as the plant MWS's is to be used during the ALS FAT.

One option to resolve this concern may be to credit the SAT test results in the SE.

The current schedule for SAT (July 2013) does support this.

PG&E response: Additional information on the PPS testing is being provided to the staff. The VTM will need to be updated based on the additional information. A date that the updated VTM will be submitted will be provided after feedback from the staff is received on the additional information on the PPS testing.

March 25, 2013 DCPP PPS Closed Item Summary Table Page 25 of 74 No SrclRI Issue Description P&GE response:

Status RAI No.

(Date Sent)

RAI

Response

(Due Date)

Comments 18 (BK)

Software Management Plan: Regulatory Guide (RG) 1.168, Revision 1, "Verification, Validation, Reviews and Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," dated February 2004 endorses IEEE (Institute of Electrical and Electronics Engineers) 1012 1998, "IEEE Standard for Software Verification and Validation," and IEEE 1028-1997,"IEEE Standard for Software Reviews and Audits," with the exceptions stated in the Regulatory Position of RG 1.168. RG 1.168 describes a method acceptable to the NRC staff for complying with parts of the NRC's regulations for promoting high functional reliability and design quality in software used in safety systems. Standard Review Plan (SRP)

Table 7-1 and Appendix 7.1-A identify Regulatory Guide 1.168 as SRP acceptance criteria for reactor trip systems (RTS) and for engineered safety features actuation systems (ESFAS)

The Invensys PPS Replacement Software Verification and Validation Plan (SWP), 993754-1-802 does not provide a clear explanation of how the Invensys SWP complies with IEEE 1012-1998. Please provide a cross reference table that explains how the Invensys SWP implements the criteria of IEEE 1012-1998.

Also, the Westinghouse/ALS 6116-00000 Diablo Canyon PPS Management Plan, does not provide a clear explanation of how the CSI SWP complies with IEEE 1012-1998. Please provide a cross reference table that explains how the W/CSI SWP implements the criteria of IEEE 1012-1998.

Closed RA17&8

Response

Received 09/11/12 (Kemper 4/12/12) update: The staff has reviewed the Invensys IEEE 1012 compliance matrix on the PG&E/Altran sharepoint directory and it appears to be acceptable. The matrix appears to be comprehensive and indicates no exceptions to any clauses in IEEE 1012. No attempt was made to reviewlverify that where Invensys claims compliance with any particular Clause in the Std, that the respective section in their SWPis acceptable-the

March 25, 2013 No SrclRI DCPP PPS Closed Item Summary Table Issue Description P&GE response:

PG&E response:

Westinghouse incorporated the IEEE-1 012 compliance table in the ALS V&V plan document 6116-00003 in Appendix A Table A-1 and PG&E submited the ALS V&V plan document 6116-00003 to the staff on June 6, 2012, in Attachment 7 to the Enclosure of PG&E Letter DCL-12-050.

Status RAI No.

(Date Sent)

RAI

Response

(Due Date)

Page 26 of 74 Comments staff will work through this as the SWP is reviewed and evaluated for approval. Please submit the document on the docket.

This 01 will remain open pending review of the Westinghouse/CSI document.

19 RS Section 4.1.1 of the LAR states that; "The SSPS evaluates the signals and performs RTS and ESFAS functions to mitigate Abnormal Operational Occurrences and Design Basis Events described in FSAR [26J Chapter 15. "

however, Chapter 15 of the DCPP FSAR does not use the terms Abnormal Operational Occurrence (AOO) or Design Basis Accident (DBE). Instead, the accident analysis in chapter 15 identifies conditions as follows; CONDITION I - NORMAL OPERATION AND OPERATIONAL TRANSIENTS CONDITION II - FAULTS OF MODERATE FREQUENCY CONDITION III - INFREQUENT FAULTS Closed RAI9

Response

Received 09/11/12 3/21/12 update:

PG&E has created a share point website for NRC to review PPS design drawings that will address this issue as well as 01 20 and 21. NRC staff will determine if they are needed to be submitted on the docket. PG&E will ensure the website is information is only applicable to this licensing action.

March 25. 2013 DCPP PPS Closed Item Summary Table Page 27 of 74 No SrclRI Issue Description P&GE response:

Status RAI No.

(Date Sent)

RAI

Response

(Due Date)

Comments CONDITION IV - LIMITING FAULTS As such, the statement that AOO's and DBE's are described in the FSAR appears to be inaccurate. Please explain the correlation between the Conditions described in FSAR chapter 15 and the Abnormal Operational Occurrences, and Design Basis Events described in the LAR.

PG&E response: The AOO's are referred to as ANS Condition I "Operational Transients" in FSAR Chapter 15 and are addressed in FSAR Chapter 15.1. The design basis accidents are referred to as ANS Condition II "faults of moderate frequency," ANS Condition III "infrequent faults," and ANS Condition IV "limiting faults" and are addressed in FSAR Chapter 15.2, 15.3, and 15.4 respectively.

March 25, 2013 DCPP PPS Closed Item Summary Table Page 28 of 74 No SrclRI Issue Description P&GE response:

Status RAI No.

(Date Sent)

RAI

Response

(Due Date)

Comments 20 RS The system description provided in Section 4 of the LAR includes "functions performed by other protective systems at DCPP in addition to the PPS functions". In many cases, there is no explanation of what system is performing the functions described nor is there a clarification of whether the described functions are being performed by the PPS system.

As an example, Section 4.1.16 describes a bypass function to support testing of the high-high containment pressure channel to meet requirements of IEEE 279 and IEEE 603. The description of this function does not however, state whether this latch feature is being implemented within the PPS system or in the SSPS.

The staff needs to have a clear understanding of the functional scope of the PPS system being modified in order to make its regulatory compliance determinations. Please provide additional information such as PPS function diagrams to help the staff distinguish PPS functions from functions performed by other external systems.

Closed NIA 3/21112 update:

PG&E has created a share point website for NRC to review PPS design drawings that will address this issue.

NRC staff will determine if they are needed to be submitted on the docket. PG&E will ensure the website is information is only applicable to this licensing action.

5/30/12 Determined that no RAI will be needed for this item.

7/02/12 Closed Item. Information in Function diagrams is sufficient for NRC to determine PPS functionality.

PG&E Response: PPS design drawings have been provided to the staff on the Sharepoint site.

March 25, 2013 DCPP PPS Closed Item Summary Table Page 29 of 74 No SrclRI Issue Description P&GE response:

Status RAI No.

(Date Sent)

RAI

Response

(Due Date)

Comments 21 RA Westinghouse/CSI document 6116-00005, "Diablo Canyon PPS System Test Plan," states that the ALS-102 FPGA design is changed for the DCPPS System. Further, Section 5.3.3 states: "Test as many of the ALS-1 02 requirements as possible."

Please identify what document describes the design verification test for this board.

CLosed RAI21 01/23/2013 update:

This item will remain open until the document is available to the staff.

12/19/12 update:

Westinghouse/ALS will submit the documents by 12/31/2012.

10-17-12 update (Alvarado):

Westinghouse/ALS will submit the documents by 10/31/2012.

9-19-12 update (Alvarado): Waiting for ALS document to be submitted at the end of September.

6-13-12 update (Kemper):

PG&E understands that they need to provide an update to this response. In the meantime, PG&E and ALS have provided 2 design PG&E response: The documents that describe the design verification tests for the ALS-102 are 6116-70140, "Diablo Canyon PPS System Test Design Specification," submitted June 6, 2012, and 6116-10216, "Diablo Canyon PPS W Simulation Environment Specification" that will be placed on the Sharepoint by April 18, 2013 and submitted by May 17, 2013.

March 25, 2013 DCPP PPS Closed Item Summary Table Page 30 of 74 No SrclRI Issue Description P&GE response:

Status RAI No.

(Date Sent)

RAI

Response

(Due Date)

Comments specifications that will address this 01.

These documents are placed on the PG&E sharepoint website. Doc. No 6116-10740 was submitted on June 6, 2012, which describes ALS system test design specification. Doc.

No 6116-00005 was also submitted on June 6, 2012, which describes ALS system test plan.

Doc. No. 6116 10216ALS W Simulation Environment Specification will be provided in the future.

3/21/12 update:

PG&E has created a share point website for NRC to review PPS design drawings that will address this issue.

NRC staff will determine if they are needed to be submitted on the

March 25, 2013 DCPP PPS Closed Item Summary Table Page 31 of 74 No SrclRI Issue Description P&GE response:

Status RAI No.

(Date Sent)

RAI

Response

(Due Date)

Comments docket. PG&E will ensure the website is information is only applicable to this licensing action.

NRC-the response provided does not address the question.

7/13/12-rjs Deleted RAI 10 pending review of revised response.

Also decided to hold item open.

22 BK Follow-on 01 # 5 question pertaining to the PPS VTP:

Section 1.4.4 (pg. 12/38) states "The network equipment, including media converter, NetOptics Network Aggregator Tap, and gateway hub, and the MWS will not be within the test scope of this VTP. The Nuclear Delivery (NO) group will coordinate with Pacific Gas & Electric for system staging prior to turn over to Nuclear IV&V. The Nuclear IV&V group will confirm proper operation of network communications system interfaces before beginning testing addressed in this VTP." When, where, and what procedures will be used to test the network equipment??

Also, section 5.1.4 (3) Hardware Validation Tests states that the ALS equipment will not be included in the FAT (pg. 27/38). Where, when, and what procedures will be used to fully test the Integrated PPS system (both Tricon V1 0 and ALS platforms together) be subjected to FAT.

Closed RAI5

Response

Received 09/11/12

March 25, 2013 DCPP PPS Closed Item Summary Table Page 32 of 74

,--~~~~~~~

No SrclRI Issue Description P&GE response:

Status RAI No.

RAI Comments (Date Sent)

Response

(Due Date)

PG&E response:

Additional information on the PPS testing is being provided to the staff. The VTP will need to be updated based on the additional information. A date that the updated VTP will be submitted will be provided after feedback from 23 BK the staff is received on the additional information on the PPS testing.

Section 4.2.13.1 of the LAR (page 85) states; "Figure 4-13 only shows one TCM installed in the Tricon Main Chassis (Slot 7L), the PPS replacement will utilize two TCM cards in each main chassis (Slots 7L and 7 -R). This will Closed RAI11

Response

Received 09/11/12 provide two non-safety-related communication paths to the MWS and the PPC Gateway Computer from each Protection Set to ensure continued communications if a single TCM fails.

The NetOptics Model PA-CU/PAD-CU1 PA-CU port aggregator network tap was approved previously by NRC for a similar application in the Oconee RPS SER Section 3.1.1.4.3 [18]. The NRC staff determined that due to the electrical isolation provided by use of fiber optic cables and the data isolation provided by the Port Tap and the Maintenance and Service Interface (MSI) in the Oconee RPS, there was reasonable assurance that a fault or failure within the Oconee Gateway computer or the Operator Aid Computer will not adversely affect the ability of the Oconee RPS to accomplish its safety functions.

During the SAT PG&E will test the Protection Set communications paths illustrated in Figure 4-13 to verify that there is no inbound communications path associated with port aggregator network tap Port 1. That is, PG&E will verify that communications from Port 1 to either the TCM on Port A or the MWS on Port B of the port aggregator network tap are not permitted.

Results of this test will be documented in final System Verification and Validation Report. Port aggregator dual in-line package (DIP) switch positions will be controlled by DCPP configuration management processes."

In order for the Staff to approve the integrated configuration of the PPS, prior to shipment of the PPS equipment to DCPP site, all communications paths will require testing on or before FAT, and before completion of the SER. This testing is typically completed during or before the PPS FAT, otherwise, the SER will not be completed until after the SAT. Please Qrovide a test scheme/procedures that satisfies all regulatory requirements 1 The NetOptics Model PAD-CU has two one-way output ports but is otherwise identical in function to the PA-CU.

March 25, 2013 DCPP PPS Closed Item Summary Table Page 33 of 74 No SrclRI Issue Description P&GE response:

Status RAINo.

(Date Sent)

RAI

Response

(Due Date)

Comments prior to or during the FAT. Otherwise, if this testing will be completed during the SAT, as stated in the LAR, please provide a detailed schedule for this testing so the NRC can revise its PPS LAR Review Plan accordingly.

PG&E response: Additional information on the PPS testing for ALS is being provided to the staff. A date the additional information will be submitted will be provided after feedback from the staff is received on the additional information on the PPS testing for ALS.

24 RJS

a. Section 4.1.17 paragraph 3 discusses the protection functions associated with High - High Steam Generator Level or P-14. In this discussion it is stated that the SI signal initiates the same two functions (Turbine Trip and Feedwater Isolation) however, there is no mention of this in section 4.1.9 or in the discussion of the P-14 permissive. Please confirm that P-14 can be initiated by either High

- High SG Level or by initiation of SI.

b. This same section also states that the described latched in function Closed NIA Item initiated on 4/23/2012.

PGE Response accepted.

serves to comply with IEEE Std. 279 Section 4.16. The replacement

March 25, 2013 DCPP PPS Closed Item Summary Table Page 34 of 74 No SrclRI Issue Description P&GE response:

Status RAI No.

(Date Sent)

RAI

Response

(Due Date)

Comments PPS system is not being evaluated against the criteria of IEEE 279.

Instead, IEEE 603-1991 is being used and the equivalent criteria is contained in section 5.2 of IEEE 603 1991. PGE needs to understand that the criteria of IEEE 279 are not relevant to this review effort.

PG&E response:

a. Turbine Trip can be initiated by either the P-14 steam generator level protection function OR by the latched Safety Injection (SI).

Section 4.1.17 describes the Steam Generator Level High-High Protection function P-14. Upon sensing high steam generator level, the PPS generates an initiation signal to the SSPS, which generates the turbine trip signal and initiates Auxiliary Feedwater when coincidence of 2 of 33 high-high level signals in any steam generator is detected.

Section 4.1.9 describes Pressurizer Protection Functions, one of which is initiation of Safety Injection through the SSPS when coincidence 3 of 4 Pressurizer Pressure Low-Low signals from the PPS is detected. The SI actuation signal also actuates turbine trip and Auxiliary Feedwater through the SSPS, but SI is not initiated by Steam Generator Level High-High The P-14 protection function is initiated ONLY by steam Generator Level High-High. Through the SSPS, P-14 will trip the turbine and actuate Auxiliary Feedwater. A SI signal will also actuate Turbine trip and Auxiliary Feedwater, among other actions. Pressurizer Protection functions do not initiate P-14 and Steam Generator Level High-High P-14 does not initiate SI.

b. PG&E intended Section 4.1 to describe the existing PPS and to apply only to the existing PPS, which complies with IEEE 279-1971.

Sections 4.2 to 4.13 of the LAR apply to the PPS Replacement.

Section 4.10.2.2 describes compliance of the PPS Replacement with IEEE 603-1991 Section 5.2. PG&E understands and appreciates that IEEE-603 applies to the PPS replacement.

March 25, 2013 DCPP PPS Closed Item Summary Table Page 35 of 74 No SrclRI Issue Description P&GE response:

Status RAI No.

(Date Sent)

RAI

Response

(Due Date)

Comments 25 RJS Sections 4.1.17, and 4.1.21 state that the P-9 permissive is the "Power Range at Power" function while Section 4.1.9 states that the P-1 0 Permissive is also called the "Power Range at Power" function. Is it correct that both of these permissives are called "Power Range at Power" and that they perform different functions?

Closed N/A Item initiated on 4/23/2012.

PGE Response Accepted.

PG&E response:

Both P-9 and P-10 are "Power Range at Power" functions; both are active when the Power Range NI channels are at power.

Permissive P-9 blocks reactor trip on turbine trip when 3 of 4 Power Range NI channels are below 50%.

Permissive P-10 is active when 2 of 4 Power Range NI channels are above 10%. Permissive P-10 is combined with Turbine Power Permissive P-13 (which is active above approximately 10% turbine load) to provide input to Permissive P-7 that allows blocking several low power reactor trips.

In effect, Permissive P-10 is the "Power Range at Power-Low" permissive" and Permissive P-9 is the Power Range at Power - High" permissive. This is consistent with the response to 01 #12, above.

26 RJS The PG&E SyOAP defines Supplier tasks that are related to assurance of software quality for each of the following phases of development; Project Initiation and Planning Conceptual Design Requirements Design Implementation Integration Test These phases do not align with the phases used in the ALS or Tricon development lifecycles. For instance, the Tricon SOAP defines the phases as Requirements, Design, Implementation, and Test (Validation). Because Closed RAI12

Response

Received 09/11/12 Item Initiated on 412512011 Will need formal response for this item. Therefore this will be an RAI.

March 25, 2013 DCPP PPS Closed Item Summary Table Page 36 of 74 No SrclRI Issue Description P&GE response:

Status RAI No.

(Date Sent)

RAI

Response

(Due Date)

Comments of this, it is not clear how assurance of task completion can be accomplished. During which Tricon phases would those tasks listed under Integration, Initiation and Planning, and Conceptual Design be performed?

The ALS SQAP does not mention phases but the ALS Management plan defines the development phases as; Planning, Development, Manufacturing, System Test, and Installation.

Would it be possible for PGE to provide a mapping of Phases defined in the SyQAP to the Phases of the ALS and Tricon system development processes so that the staff can correctly identify and confirm performance of these QA tasks?

PG&E response:

PGE provided a mapping of Phases defined in the SyQAP to the Phases of the ALS and Tricon system development processes in the SyQAP revision 1 placed on the Sharepoint on March 25, 2013 and to be submitted by April 26, 2013.

27 RA Software Management Plan The LAR, Attachment 3, describes the project organization, roles and responsibilities for the PPS replacement project. This document does not describe oversight activities that PG&E will perform during the PPS replacement project, as well as the interface between PG&E and Invensys and WEC/CSI, and the methodology to judge quality of the vendor effort.

Please provide this information.

Closed RAI13

Response

Received 09/11/12 The PQP will need to be submitted.

March 25, 2013 DCPP PPS Closed Item Summary Table Page 37 of 74 No SrclRI Issue Description P&GE response:

Status RAINo.

(Date Sent)

RAI

Response

(Due Date)

Comments PG&E response:

Oversight activities for the project were discussed in Section 4.2.11, Appendix B Compliance, of the LAR that discusses the DCPP Quality Assurance Program and Procurement Control Program and states that PG&E will audit 10M and CSI during the manufacturing phase under the PG&E Nuclear Procurement Program and associated directives.

In support of the oversight activities, a PG&E will issue a Project Quality Plan (PQP) that will define the oversight activities to be performed, including technical audits, cyber security audits, and software quality assurance audits.

The PQP is expected to be issued in June and will be submitted to the staff by July 31, 2012.

Following the performance of the PQP audits, audit reports will be created and a PQP Audit Summary Report will be created. PG&E will submit the PQP Audit Summary Report to the staff at the time the vendor hardware is delivered to PG&E. The vendor hardware is currently expected to be delivered to PG&E in Spring 2013.

The PQP audit reports will not be submitted but will be made available to the NRC staff for review.

28 RA Software Management Plan The LAR, Attachment 3, states that PG&E is responsible for the following activities in the lifecycle: project initiation and planning phase, conceptual design phase, requirements phase, installation and checkout phase, operation phase, and maintenance phase. Further, Section 3.1.10 states that PG&E will follow the activities described before for software modifications. Please explain how PG&E will perform software modifications to the Tricon and ALS platforms once the PPS replacement project is completed.

Closed NIA Alvarado (6/13/12):

PG&E place a copy of their Software Configuration Management Plan in their Sharepoint site.

March 25, 2013 DCPP PPS Closed Item Summary Table Page 38 of 74 No SrclRI Issue Description P&GE response:

Status RAI No.

(Date Sent)

RAI

Response

(Due Date)

Comments PG&E response:

The control of the software modifications to the Tricon and ALS platforms once the PPS replacement project is completed will be by the Process Protection System Replacement Software Configuration Management Plan, SCM 36-01, Revision 0, which was submitted as part of the Phase 2 document submittal on June 6, 2012, in Attachment 4 to the Enclosure of PG&E Letter DCL-12-050.

The SCM-01, Revision 0, document has been placed on the Sharepoint site.

29 RA Software Management Plan The LAR, Attachment 3, states that the PG&E Project Manager will share the responsibility for meeting the software quality goals and for implementing the software quality management throughout the project.

Please describe what responsibilities are going to be shared and how this is going to be performed.

Closed RAI13

Response

Received 09/11/12 PG&E response:

The PG&E Project Manager will share the responsibility for meeting the software quality goals with the PG&E Quality Verification organization personnel.

To implement the oversight activities, the PG&E Quality Verification organization will issue a Project Quality Plan (PQP) that will define the oversight activities to be performed, including technical audits, cyber security audits, and software quality assurance audits.

30 RA Software Development Plan Section 7 of the Invensys Nuclear System Integration Program Manual (NSIPM) requires that non-conforming procedures shall be used to control parts, components, or systems which do not conform to requirements.

Invensys documents 993754-1-906, Software Development Plan, and 993754-1-905, PPS Replacement DCPP Project Management Plan, do not Closed RAI14 Not used Not required 9/19/12 update (Alvarado): Rev. 1 of 993754-1-906 addressed this question.

7/13/12 - rjs:

March 25, 2013 DCPP PPS Closed Item Summary Table Page 39 of 74 No SrclRI Issue Description P&GE response:

Status RAI No.

(Date Sent)

RAI

Response

(Due Date)

Comments identify non-confirming procedures to be followed when deviations are identified and how deviations should be corrected.

Please provide this information.

Decided to not use the RAI and hold this item open pending review of updated phase 2 submittals.

PG&E response:

The Project Management Plan (PMP), 993754-1-905, is the overarching project management document for the Invensys scope of the PPS Replacement Project. It references other Invensys planning documents that discuss procedures to follow when deviations are identified and how they are corrected. The Software Development Plan, 993754-1-906, describes the software development process for the Invensys scope of the PPS Replacement Project. 993754-1-906, has been revised to Revision 1, to include new Section 3.2.6 that discusses problem reporting and corrective action. 993754-1-906, Revision 1, was submitted by PG&E on August 2, 2012.

In addition, the Invensys Software Quality Assurance Plan, 993754-1-900, Section 8, and the Invensys Software Configuration Management Plan, 993754-1-909, Section 3.2, both provide reference to procedures to follow when deviations are identified and how deviations are corrected.

31 RJS Software Quality Assurance Plan:

IEEE 730 2002 stipulates in section 4 that "The SQAP shall be approved by the manager of each of the organizations having responsibilities in the SQAP. The PGE SYQAP has been approved by the PGE Diablo PPS Upgrade Project Manager and the Altran Project lead; however, there are several other organizations that have responsibilities delineated in the SQAP. The managers of these organizations have not approved the SYQAP. The following organizations are assigned roles and Responsibilities within Section 3.4 of the SYQAP. Please explain the means by which these organizations have committed to comply with the requirements stated in the SYQAP.

Vendor IW Projects Managers EOC Design Change Package Team Closed RAI15

Response

Received 09/11/12 At the 5/16 meeting, the staff explained that PGE should have some commitment from all orgs that have activities in the SyQAP. This could be contractual or through activities that are delineated in other vendor plans or procedures.

I

March 25, 2013 DCPP PPS Closed Item Summary Table Page 40 of 74 No SrclRI Issue Description P&GE response:

Status RAI No.

(Date Sent)

RAI

Response

(Due Date)

Comments PGE Project Engineering Team QA Organization Testing and Integration Team

V&V Organization PG&E response:

The software quality assurance plan was discussed in Section 4.11.1.1.1 of the LAR, which did not commit to IEEE 730 2002 criteria in developing the SQAP. IEEE Standard 7-4.3.2-2003 [76] Clause 5.3.1 references IEEE Std 730-1998 for guidance but does not require it to be met.

The SyQAP Revision 1 placed on the Sharepoint on March 25,2013 and to be submitted by April 26, 2013, included changes that identified the work performed by vendors is performed through a contract,and added a signoff for Supplier Quality, Cyber Security Lead, and Licensing Lead, and clarified roles of the EOC Design Change Package Team, the PGE Project Engineering Team.and the Testing and Integration Team.

32 RJS Section 4.2.7 "Power Supply" of the LAR describes how power is supplied to the PPS. In this description, the 480V AC vital supply is described in the following ways.

First it is described as back-up common bus to the 120 V distribution panels. We cannot tell if this is through a transformer or if this refers to the alternate supply to the inverters.

It is also described as a supply to an inverter.

It is then described as supply to the battery charger From these descriptions, it is not clear to the staff how these vital power sources are configured in relation to the 120VAC panels that feed the PPS.

Would it be possible to provide a simplified diagram to show the relationship between the 125V Batteries I DC Buses, Battery Chargers, Inverters, and Closed RAI16

Response

Received 09/11/12 PGE Response accepted.

March 25, 2013 DCPP PPS Closed Item Summary Table Page 41 of 74 RAI Comments Issue Description RAINo.

SrclRI P&GE response:

Status No (Date Sent)

Response

(Due Date) the 120V AC distribution Panels that supply power to the PPS, PG&E response:

The following description clarifies the 120 V vital instrument AC power supply to the pps:

1 Safety-related 480 VAC from vital AC motor control center (MCC) is fed to the UPS and rectified.

2 Rectifier output is fed to the inverter and converted to 120 VAC.

3 Safety related vital DC bus power is fed to UPS as immediate backup supply. The vital DC bus is backed up by the safety-related 125 VDC station battery, which is charged from vital 480 VAC.

4 Inverter output is fed through a static switch with integral manual bypass switch to vital instrument AC power distribution panels.

5 On loss of inverter output, the static switch will select backup regulating transformer output (120 VAC) to distribution panels.

6 The backup regulating transformer receives input from the 480 VAC supply. The backup regulating transformer may be aligned via a transfer switch to either of two 480 VAC busses; the normal supply or an alternate supply. The alternate supply circuit breaker is normally open to prevent interconnection of redundant power supplies due to a failed transfer switch. The transfer switch may not be used under load.

Refer to the attached block diagram for additional detail.

i

March 25, 2013 DCPP PPS Closed Item Summary Table Page 42 of 74 No SrclRI Issue Description P&GE response:

Status RAI No.

(Date Sent)

RAI

Response

(Due Date)

Comments 33 RJS (ALS SQAP) Software tools are used extensively during the FPGA development process. The staff therefore considers these tools to be a key component to the assurance of quality in the ALS system development process. The ALS SQAP states that "no additional tools, techniques, or methodologies have been identified" for the ALS system. The staff considers the development tools, as well as the techniques and methodologies used during system development to be relevant to the assurance of quality for the ALS system. Please provide information on the tools, and methodologies used during system development to ensure quality of the ALS system products.

PG&E response: Westinghouse agrees that Section 8, Tools, Techniques, And Methodologies of the ALS QA Plan (6002-00001) should be revised to reference document 6002-00030, "ALS Design Tools." This document describes the tools used and how they are used in the design process. This document is also on the ALS docket. Westinghouse submitted a revision of the ALS QA Plan, Revision 9, on the ALS docket on October 31, 2012, that provides information on the tools and methodologies used.

Closed NoRAI Item initiated on 6/5/12.

6-13-12 update (Kemper): W/ALS agrees with NRC's position on tools and will revise the document (Doc.

No. 6002-00001) accordingly to address this matter.

Placed this item on hold pending review of revised QA plan.

RJS-Verified that Rev. 9 of QA Plan refers to 6002 00030 which includes Tool identification and assessments.

34 RJS (Software Integration Plans) The integration planning documentation referenced in section 4.5.4 of the LAR does not include any integration of the two sub systems (ALS integrated with Tricon). The PGE papers provided that discuss how FAT's will be performed may resolve this but these papers would have to be docketed as integration planning documents to support our SE. We also need to come to some agreement on the scope of integration to be accomplished prior to issuance of the SE.

Closed RAI20

Response

Received 09/11/12 Item initiated on 6/7/2012 6-13-12 update (Kemper): This seems duplicate of 0116 & 23.

7/02/12 RJS This PG&E response: The PPS replacement design was revised to include a separate maintenance workstation for the ALS and Tricon subystems to is related to 01 16 facilitate separation of the subsystems and to support FAT at each vendor.

and 23, however, The design changes and the FAT all~?AT testing will be included in the this specifically

March 25, 2013 No SrclRI DCPP PPS Closed Item Summary Table Issue Description P&GE response; LAR supplement to be submitted in April 2013.

Status RAI No.

(Date Sent)

RA/

Response

(Due Date)

Page 43 of 74 Comments addresses the software integration planning documents being assessed. The current software integration plan discussed in section 4.5.4 of the LAR and the documents referenced from here do not adequately address this aspect of system integration.

As such the Integration Plan will have to be revised.

Just including integration in the FAT will not resolve the inadequacies of the integration planning documents.

I anticipate that a supplemental integration plan document will need to be submitted in order for PGE to resolve this.

-~~~~~

New RAI added

March 25, 2013 DCPP PPS Closed Item Summary Table

~~~~~~

SrclRI Issue Description No P&GE response:

Follow up of Item 21 - Software Test Plan In the response provided for Item 21, PG&E explained that a new revision (Rev. 1) of ALS document No. 6116-00005 was provided. The scope of Revision 1 is slightly different from the scope described in Rev. O. For example, Section 1.2 in both revisions states that test coverage includes all ALS modules, backplane, license sense modules (LSM), and ALS service unit (ASU). However Section 2, Test Items, for these revisions are different.

Revision 1 only focuses on ALS-102 and backplane assemblies. This section does not include other ALS modules, LSM and ATU. Please explain why these other ALS modules are not included in section 2 of the new revision.

35 RA Further, Table 1-2 identifies "Diablo Canyon PPS Test Plan" as document No. 6116-00005, which is the same number than "Diablo Canyon PPS System Test Plan". Please clarify if this is referring to a different document.

PG&E Response: The scope of both revisions are the same. Revision 1 changes added more detail into the overall scope. The details are broken down into 2 main parts: 1-The individual components, 2 - The System components. Both parts equal the entire ALS based Diablo Canyon system which includes all ALS modules, Backplane, ASU (incorrectly stated as ATU in the open item), LSM, ALS-102A1B specific to Diablo and full ALS sub system test which includes the testing of ALS slave cards required by the DCPP configuration.

The entry in Table 1-2 for the Diablo Canyon PPS Test Plan, 6116-00005 is the same document as Diablo Canyon PPS System Test Plan 6116-00005.

36 Software Test Plan RA Section 5.3.6 of ALS Document No. 6116-00005 refers to a 'Test Team" to perform system level testing. However, the "Test Team" is not defined in ALS Document No. 6116-00000, "Diablo Canyon PPS Management Plan,"

which defines roles and responsibilities for the PPS Replacement Project.

Page 44 of 74 RAINo.

RAI Comments Status (Date Sent)

Response

(Due Date) and 01 closed.

RAI21 Closed Closed NoRAI

37 Page 45 of 74 No I SrclRI I Issue Description Comments P&GE response:

I Status I RAI No. IRAI (Date Sent)

March 25, 2013 DCPP PPS Closed Item Summary Table

The Test team and its responsibilities are described in

~.~.'~im_-'~~~i~~._~._~._~theIVV

Response

(Due Date)

Please clarify who is the Test Team and where their roles and responsibilities are defined.

manager. The 6116-00003 Revision 1 was submitted in Attachment 6 to the Enclosure of PG&E Letter DCL-12-121 dated December 5,2012.

RA Software Management Plan PG&E "PPS Replacement Concept, Requirements, and Licensing Phase 1 Project Plan" does not address reporting mechanisms and controlling changes to the system. The only reference is that PG&E states that they will follow the activities describe before for software modifications. After reviewing the of PG&E's SyVVP, we found that Section 6 states that Anomaly Resolution and Reporting shall be performed per the respective PG&E and 10CFR 50 Appendix B supplier control procedures. However, this statement does not identify the document to follow to report anomalies.

Please identify and describe the process that PG&E will follow for reporting mechanisms.

PG&E Response: PG&E administrative procedure OM7.ID1, "Problem Identification and Resolution," provides guidance for identification and resolution of both equipment and non-equipment problems, including vendor software problems. The OM7.ID1 procedure provides the process for documenting, reporting, evaluating, trending, and tracking the resolution of problems at DCPP. PG&E administrative procedure X11.ID2, "Regulatory Reporting Requirements and Reporting Process," provides the instructions for reporting facility events and conditions to the NRC. This procedure applies to plant problems, including software anomalies, and provides a list of regulatory reporting requirements applicable to the DCPP, including those contained in the NRC regulations (including 10 CFR), the plant operating license (including associated Technical Specifications), license Closed I No RAI

March 25, 2013 DCPP PPS Closed Item Summary Table Page 46 of 74 No SrclRI Issue Description P&GE response:

Status RAI No.

(Date Sent)

RA/

Response

(Due Date)

Comments amendments, and regulatory correspondence. The procedure summarizes the types of reporting requirements and references the source of the requirement, time-frame for reporting, reporting method, lead responsible organization, primary regulatory agency recipient, and implementing procedures.

38 RA Software Management Plan Section 2, "Project Organization" of the PG&E "PPS Replacement Concept, Requirements, and Licensing Phase 1 Project Plan", revision 1 (attachment 3 of the LAR) does not describe the activities to be performed by the Engineering of Choice Design Change Package Team.

It is also not clear what the roles and responsibilities of this team are.

Please clarify and provide the applicable PG&E control document that describes PG&E roles and responsibilities specifically for the Engineering of Choice Design Change Package Team.

Closed RAI22 PG&E Response: The activity performed by the Engineering of Choice Design Change Package Team is to support PG&E in development of the design change package for the PPS Replacement. PG&E has a contract with an engineering company, currently Enercon Services, Inc., to be the "engineer of choice" to provide nuclear engineering services to PG&E. For individual scopes of work, PG&E develops a purchase request for the scope of work and a purchase order is issued to the engineering company that is the engineer of choice. When the engineer of choice is performing a design change package for Diablo Canyon Power Plant, the engineer of choice uses the PG&E Design Change Procedure, CF3.ID9, "Design Change Development" and PG&E performs an owner acceptance of the work using PG&E Procedure CF3.1D17, "Design and Analysis Documents Prepared by External Contractors."

39 RA Software Management Plan Figure 2-1 of the PG&E "PPS Replacement Concept, Requirements, and Licensing Phase 1 Project Plan" and Figure 3-1 of the SyQAP identify Altran under the PG&E Project Engineering box. However, Figure 4-1 of the SyWP identifies PG&E project team under the PG&E Project Engineering Closed RAI23 I

March 25, 2013 DCPP PPS Closed Item Summary Table Page 47 of 74 No SrclRI Issue Description P&GE response:

Status RAI No.

(Date Sent)

RAI

Response

(Due Date)

Comments box. Please explain the role and responsibilities for Altran during the PPS Replacement Project.

PG&E Response:

09/17/2012:

1. The PPS Organization Chart shown in SyWP Figure 4-1 is a simplified rendering of the organization charts in Project Plan Figure 2-1 and SyQAP Figure 3-1. The latter figures show an Altran Project Team under PG&E Project Engineering and a team of three PG&E individuals directly under PG&E Project Engineering.

The slight inconsistency between SyWP Figure 4-1 and the other figures may be resolved thus:

I PG&E Project I Engineering 1

I Project Team I I

+

I Altran I

[

PG&E I

i John Hefler I

~O~JO~

Altran Lead L_ n S0'int

~

II Ted QUinnTI II Gregg Jj Clari<50n

~---

2. Altran is acting as a subcontractor providing engineering support to the PG&E Project Team as shown above in the revised figure.

Altran supported LAR preparation and is providing continuing support through the LAR review process. Altran's work is governed by the Altran Engineering Procedures Manual. Documents submitted to PG&E are prepared in accordance with Altran EOP 3.3

March 25, 2013 DCPP PPS Closed Item Summary Table Page 48 of 74 Comments RAI No.

RAI SrclRI Issue Description Status No P&GE response:

(Date Sent)

Response

(Due Date)

(reports) and 5.4 (specifications). All Altran documents are verified in accordance with Altran EOP 3.4. In addition, PG&E accepts Altran documents under PG&E CF3.ID17 as noted in the Altran Verification Report.

9/17/12 update (Alvarado): during PG&E "PPS System Replacement System Verification and Validation Plan RAI25 RA Software V&V Closed 42 the conference call (SyWP)" does not describe the V&V activities to be performed during the PG&E explained Operation Phase and Maintenance Phase. This document states that these that modifications activities are covered by approved DCPP procedures. Please identify these to the systems will DCPP procedures.

be performed by the vendors.

PG&E Response:

PG&E will provide Per the response to 01 #28, control of the software modifications to the additional Tricon and ALS platforms once the PPS replacement project is completed, information on their and the PPS is in the Operations and Maintenance phase, will be by the plan to perform Process Protection System Replacement Software Configuration modifications to the Management Plan, SCM 36-01, Revision 0, which was submitted as part of PPS system during the Phase 2 document submittal on June 6, 2012, in Attachment 4 to the operation and Enclosure of PG&E Letter DCL-12-050. Modification to the PPS maintenance.

Replacement components produced by the vendors, CS Innovations and Invensys Operations Management, will be performed by the vendors and verification and validation will be controlled by the vendor verification and validation plans created for the Diablo Canyon PPS Replacement (6116 00003 for CS Innovations and 993754-1-802 for Invensys Operations Management),

43 Closed RAI26 RA Software V&V PG&E "PPS System Replacement System Verification and Validation Plan (SyWP)". Section 5.1.1, explains that during the Concept Phase, PG&E will verify system requirements in accordance with PG&E procedure CF2.ID9, "Software Quality Assurance for Software Development." However, Procedure CF2.ID9 is for in-house development of software applications.

Please explain how this procedure is going to be used for the PPS replacement project.

March 25, 2013 DCPP PPS Closed Item Summary Table Page 49 of 74 No SrciR/

Issue Description P&GE response:

Status RA/ No.

(Date Sent)

RA/

Response

(Due Date)

Comments Further, Section 5.1.2 of the CF2.ID9 states that and independent review of the functional requirements prepared during the concept phase would be performed. The PG&E SyWP does not identify this review, and thus there is no specific V&V product for this phase. Please identify who will perform this review and if this is considered a V&V product.

PG&E Response:

09/17/2012: Altran developed the PPS Replacement FRS during the Concept phase in accordance with Altran EOP 5.4, and verified it in accordance with Altran EOP 3.4. Altran used PG&E procedure CF3.ID16 for additional guidance. PG&E accepted the FRS under CF3.ID17, which constituted verification of system requirements. This was a design activity rather than a V&V activity and there is no specific V&V product for this phase.

44 RA Software V&V Invensys prepared Document No. 993754-1-813, "DCPP PPS Validation Test Plan". It states that the Test Review Board and PG&E will review all validation testing documents. Please describe the composition of the Test Review Board, since its role/responsibility is not described in the Invensys V&V Plan or in the Validation Test Plan (Section 4.4)

Closed NoRAI PG&E Response: The composition of the Project Review Committee (PRC) or Test Review Board includes the Project Manager, Project Engineer, Project Quality Assurance Engineer, IV&V Manager, and Lead IV&VlTest Director. This is described in Invensys document 993754-1-905, Project Management Plan, Section 3.5.5. See Invensys response to 01 49 for additional statements on the PRC.

March 25, 2013 DCPP PPS Closed Item Summary Table Page 50 of 74 No SrclRI Issue Description P&GE response:

Status RAI No.

(Date Sent)

RAI

Response

(Due Date)

Comments 45 RA Follow up of item 18 - Software V&V RG 1.168 identifies five of the activities in IEEE Std.1012-1998, Annex G, "Optional V&V Tasks," as being considered by the NRC staff to be necessary components of acceptable methods for meeting the requirements of Appendices A and B to 10 CFR Part 50 as applied to software. These tasks are:

1. Audits

2. Regression Analysis and Testing

3. Security Assessment

4. Test Evaluation

5. Evaluation of User Documentation Westinghouse/ ALS Document No. 6002-00003, "ALS W Plan" describes the following techniques for V&V: reviews, testing, traceability analysis, inspection/analysis, and IV&V regression (change) analysis. This plan does not include any of the optional V&V activities identified in IEEE Std.1 012 1998, Annex G. Please explain if these activities are performed.

Closed No RAI 12/19/12 update:

NRC Staff will review the document submitted and identify follow up questions, if necessary, creating a new open item.

10/17/12 update:

Westinghouse/ALS will submit the DCPP V&V plan on 10/31/2012 PG&E Response: The DCPP W Plan has been revised to include these optional V&V tasks required by RG 1.168 to align with the new ALS W Plan for the Optional Tasks. The Diablo Canyon W Plan, Revision 1, was placed on the Sharepoint on November 22 and was submitted by PG&E on December 5 in PG&E Letter DCL-12-121.

46 RA Software V&V Several sections in the Invensys Software Verification and Validation Plan (SWP) reference "applicable Project Procedure Manual (PPM)" to perform certain activities. The reference section in this plan identifies PPM (Reference 2.4.4). It is not clear if the PPM is constituted by several procedures or if it is only one procedure. For example, Section 1.1, states the SWP was prepared in accordance with PPM 7.0 (Ref. 2.4.4), and then Section 4 states that V&V activities will be planned and scheduled in accordance with the applicable PPM. Please describe what the PPM is, and explain how this is going to be used in the PPS replacement project.

Closed RAI27

March 25, 2013 DCPP PPS Closed Item Summary Table Page 51 of 74 No SrclRI Issue Description P&GE response:

Status RAINa.

(Date Sent)

RAI

Response

(Due Date)

Comments PG&E Response:

The Project Procedures Manual (PPM) provides appropriate controls for project activities conducted at the Invensys Operations Management (Invensys) Lake Forest facility. These controls will ensure that all nuclear Class 1 E projects (or non-1 E projects where the customer has specified certain 1 E requirements) processes, project activities, and project documents will meet the requirements of 10 CFR 50, Appendix B, 10 CFR Part 21 and the Invensys Quality Management System. This procedures manual provides specific controls for NAD as well as other Invensys organizations that perform nuclear safety-related system integration project activities. The PPM is a collection of different procedures, including referenced Forms, and is a controlled document.

Each PPM procedure is intended to implement key areas of project activities. Each procedure within the PPM is assigned a unique document number and title.

V& V activities during the PPS Replacement Project will be governed by several procedures within the PPM as defined in the SWP document, Invensys document 993754-1-802. The SWP will be revised to add the title of each procedure within the PPM where referenced in the SWP. For example, in the SWP, Section 1.1, where it states that, "the SWP was prepared in accordance with PPM 7.0 (Ref. 2.4.4)," will be revised to state that "the SWP was prepared in accordance with PPM 7.0, Application Program Development." The revised SWP Revision 3 wassubmitted in PG&E Letter DCL-12-028 on March 25, 2013.

47 RA Software V& V Invensys Document No. 993754-1-802, "Software Verification and Validation Plan" requires the use of V&V metrics to evaluate software development process and products. This section does not explain what methods and criteria will be used for software safety metrics. This information is required by section B.3.1 of BTP 7-14, RG 1.152, RG 1.173 and IEEE Stds. 1061 and 1074. Also BTP 7-14 Section B.3.1.1.2. Please provide this information.

Closed RAI28 PG&E Response:

The V&V metrics are used during development of the PPS Replacement software that will reside/execute on the V10 Tricon portion. The V&V metrics measure the thoroughness of V&V reviews and testing efforts. These measurements yield data utilized to gain reasonable assurance that the design out~uts are of high gualit~ commensurate with

March 25, 2013 DCPP PPS Closed Item Summary Table Page 52 of 74 No SrclRI Issue Description P&GE response:

Status RAI No.

(Date Sent)

RAI

Response

(Due Date)

Comments the intended use in the PPS Replacement application. The V&V metrics methodology, utilizing a diversity of software measures, provides insight into the rigor of the PPS software development process. V&V uses three distinct metrics during PPS software development:

Software Quality Metrics The purpose of these metrics is to measure software quality by tracking the number of defects found in the design outputs (e.g., design documents, software).

The method is to count and categorize defects found during V&V review of design outputs.

The acceptance criterion is that no technical defects remain at the end of the current phase to receive V&V recommendation to proceed to the next project phase. Any defects that cause the non-compliance with customer requirements and/or non-compliance with NRC guidance are considered technical defects.

V&V Effectiveness Metrics The purpose of these metrics is to measure the effectiveness of V&V reviews by measuring the percentage of design outputs which V&V reviews or tests. The method determines the percentage of design outputs actually reviewed by V&V (which is meaningful for in-process design changes necessitating a change impact analysis, revisions to released design outputs, and a regression analysis). The Acceptance Criterion is that 100 percent of comprehensive or delta change reviews is achieved in the current phase to receive V&V recommendation of proceeding to the next project phase.

Software Safety Metrics The purpose of these metrics is to assess whether software safety requirements are being met. Methods are to count software hazards found during V&V review or testing of design outputs and to confirm software

March 25, 2013 DCPP PPS Closed Item Summary Table Page 53 of 74 No SrclRI Issue Description P&GE response:

Status RAINo.

(Date Sent)

RAI

Response

(Due Date)

Comments hazard mitigation in each project phase, or, at a minimum, by the end of the project and approval at the completion of acceptance testing. The Acceptance Criterion is that all software hazards are mitigated by the end of the Test Phase to receive approval of the results of acceptance testing.

49 RA Software V&V Invensys Document No. 993754-1-802, "Software Verification and Validation Plan", Section 6.3 states that the Invensys personnel prepared System Deficiency Integration Report (SDIR) to document non-conformances and corrective actions during testing; the SDIR is prepared in accordance with PPM 10.0. Please explain what PPM this is.

Further, the Invensys "Validation Test Plan", Section 5.4.2 states that the Test Review Board and PG&E shall review SDIRs, but this is not indicated in the Invensys V&V plan. Please explain why this review activity is not identified as a V&V task in the V&V Plan.

Closed RAI29 PG&E Response:

The PPM 10.0 procedure defines the process to control nonconforming items and identify appropriate corrective action for all nuclear application projects developed at the Invensys Operations Management (Invensys) Lake Forest facility. This procedure is intended to provide controls for nonconforming items and corrective actions related to project activities. As used in this procedure, the term "nonconformance" describes deficiencies in parts and materials (items), documentation, and/or deviations from stated requirements. This procedure addresses the identification, documentation, evaluation, and disposition of nonconforming items. This procedure also describes the corrective action process to be used for project-related issues where corrective action is warranted.

SWP Section 5.2.2.2.1 4) stated that Nuclear IV&V shall generate and verify the system-level Validation Test Plan, 993754-1-813, in accordance with PPM 6.0 [Ref 2.4.4], in conjunction with IEEE 829-1983. The SWP was developed in accordance with PPM 6.0, Test Control. In PPM 6.0, Test Control, it was stated that the Project Review Committee (PRC) shall review all test results for completeness, accuracy and acceptability. This review shall include all test documentation, e.g., the Test Procedures, the Test Logs, the System Integration Completion Checklist, the Test Report(s), and

March 25, 2013 DCPP PPS Closed Item Summary Table Page 54 of 74 No SrclRI Issue Description P&GE response:

Status RAI No.

(Date Sent)

RAI

Response

(Due Date)

Comments SIDRs.

50 RA Software V&V The Invensys Validation test plan, Section 8.2, states that the Narrative Test Logs are used to document conduct of testing and any anomalies that occur. Please explain if this is only used during validation, and why this is not mentioned in the Invensys SWP. Further, please explain how is this used in conjunction with Document Review Comment Sheet (ORCS) and System Deficiency Integration Report (SDIR)?

Closed RAI30 PG&E Response:

PPM 6.0, Test Control, defines the Test Logs. All test activities shall be recorded in a Test Log. The Test Log constitutes a continuous, hand-written journal of all test activities from the point of initial entry into the Test Procedure until the conclusion of all testing, including any required retesting. The Test Log shall include entries for sign-in and sign-out of all participating personnel, establishment of indicated prerequisites and initial conditions for testing, performance of testing and retesting, identification of problems, etc. The Test Log is intended to be a detailed journal of all testing activities sufficient to fully document the actual sequence of testing performed, the test results achieved and any problems that occurred, including their impact on test performance. The Test Log shall be reviewed by the PRC as part of its evaluation of the test results.

The Test Logs are independent and separate from the Document Review Comment Sheet (ORCS) and System Deficiency Integration Report (SIDR).

However, as a test narrative, the Test Log may identify the fact that a SIDR was generated as a result of test anomaly.

51.1.a RA Software Configuration Management

1. Configuration Process a) In open item 4, the staff requested description of the software configuration management activities for configurable boards (e.g.,

ALS FPGA-102 board). Since the ALS FPGA-102 board is customer specific, its configuration management activities are not covered by Closed RAI31

March 25,2013 DCPP PPS Closed Item Summary Table Page 55 of 74 No SrclRI Issue Description P&GE response:

Status RAI No.

(Date Sent)

RAI

Response

(Due Date)

Comments "ALS Configuration Management Plan." Even though item 4 is closed, this request was not addressed in the response for item 4.

PG&E Response:

09/18/2012 ALS-102 Configuration The FPGA installed on the ALS-1 02 board and therefore the ALS-1 02 board itself is specific to the PPS Protection set and the ALS subsystem in which it is installed. PG&E will not have the capability to alter the FPGA. Any change to the FPGA must be made by CS Innovations. Therefore, ALS-102 FPGA configuration management activities are covered by the ALS Configuration Management Plan. PG&E capability to change ALS-1 02 configuration will be limited to board-level replacement.

51.1.b RA Software Configuration Management

1. Configuration Process b) The PG&E SCM 36-01, item 1.2.8, states that ALS board has two sets of NVRAM. Further, it explains that the configuration of the NVRAM can be changed only by removing the subject board from the ALS chassis and inserting it into a special test fixture. It is not clear who will control this process and configuration of the NVRAM.

Please explain.

Closed RAI32 PG&E Response:

09/18/2012 ALS I/O boards are generic; that is, each board is configured using its NVRAM for the specific function it is to perform. This activity is described in SCM 36-01 Section 1.2.8, which states that the configuration of the NVRAM is changed by removing the subject board from the ALS chassis and inserting it into a special test fixture. This would be performed as part of a maintenance activity, such as replacing a failed board. If the functionality of an 1/0 board required modification as a result of an application change, all required NVRAM configuration alterations would be performed by CS Innovations under their ALS Configuration Management Plan.

As with the ALS-1 02 FPGA discussed above, PG&E will not have the

March 25, 2013 DCPP PPS Closed Item Summary Table Page 56 of 74 No SrclRI Issue Description P&GE response:

Status RAI No.

(Date Sent)

RAI

Response

(Due Date)

Comments capability to alter the NVRAM configuration itself. PGE capability to change the NVRAM configuration for a specific 1/0 board will be limited to loading NVRAM images that are under CS Innovations configuration control and that have been previously verified and validated at the system level by CS Innovations.

Configuring the NVRAM in order to replace an 1/0 board will be performed by PG&E under an approved plant maintenance procedure.

51.1.c Software Configuration Management

1. Configuration Process c) Section 1.2 of the Invensys Document No. 993754-1-909, "Software Configuration Management Plan," states that this plan controls operating system of the computers used to run TriStation 1131 and the signal simulation software used for testing purpose. However, the description provided throughout the plan only focuses on the configuration activities for the TSAP (e.g., Section 2.3 states that the SCM procedures are for the TSAP). Further, this same section (later on) identifies the software configuration to be managed, and this list does not include operating system of the computers used to run TriStation 1131 and the signal simulation software used for testing purpose. Please clarify the scope of this plan and how the configuration of TriStation 1131 and the signal simulation software is managed.

Closed RAI33 PG&E Response:

09/18/2012 There was no intent for the SCMP to do more than track the revision of Commercial Off The Shelf (COTS) software. In this case "Control" is defined as tracking the revision levels such that they are recorded on the project Master Configuration list, Invensys project document 993754-1-803.

On page 7 of the SCMP, under "limitations," it states, in part, that the revision levels of this type of software will be tracked.

March 25, 2013 DCPP PPS Closed Item Summary Table Page 57 of 74 RAI No.

RAI Comments (Date Sent)

SrclRI Issue Description Status No P&GE response:

Response

(Due Date) 51.3.a Software Configuration Management

2. Changes and Problems Identification a) PG&E SCMP36-01 states that software, hardware, and configuration problems are reported in accordance with PG&E OM7.I01 and that software and/or configuration problems are reported via a PROG POCM Notification. Please clarify when and how these are used. For example, for software problems does one have to report the problem using both PG&E OM7.I01 and PROG POCM Notification. Note that PG&E CF2.I02 states that all problems associated with plant computer system should be reported and document per OM7.I01 (See section 5.11 and 5.16.10 (b) of CF2.I02)

Further, Section 3.2.1 states that all PPS modifications should be initiated and tracked per plant procedures or CF4.101. Section 3.2.2 states that the implementation of the change is documented in the associated Change Package and a SAP notification and order. And Section 3.2.10 states that all identified problems and corrective actions using a notification, which is not specified.

So should software modifications require reporting and tracking using OM7.I01, CF4.I01, PROG POCM Notification, Change Package, and SAP Order?

Please explain PG&E procedures for different changes and the documenting and tracking system used for all types of modification PG&E Response: a) All problems are entered into the corrective action program using PG&E administrative procedure OM7.I01 and are required to be entered into an SAP (electronic business management software) notification (electronic tracking document). Notifications can be identified as different Work Types in order to categorize the type of problem, the priority of the problem, and to facilitate routing the problem to appropriate personnel needed to review and resolve the problem. A "PROG POCM" type notification is a program (PROG) plant digital configuration management (POCM) type of problem and software and configuration problems are examples of problems that would be assigned a Work Type of "PROG POCM" in the notification. Plant hardware problems are assigned a Work Type of "EQPR" to identify the problem as an equipment problem.

Plant modifications, including software modifications, are requested using Closed RAI51 12/19/12 update:

response pending 10/17/12 update:

PG&E will revise the SCMP to address several open items

March 25, 2013 DCPP PPS Closed Item Summary Table Page 58 of 74 No SrclRI Issue Description P&GE response:

Status RAI No.

(Date Sent)

RAI

Response

(Due Date)

Comments I

plant procedure CF4.ID1, "Plant Modification Request and Approval" and the modifications are performed using paper/electronic image based change documentation (Change Package) and are tracked in SAP using a notification and an order. An order is an electronic tracking document that allows detailed tracking of job requirements, parts, details, schedule, and approval.

51.3.b Software Configuration Management

3. Changes and Problems Identification b) Please clarify the means to track changes. Section 3.2.4.7 of the SCM 36-01 states that this is done using a SAP order, but Section 3.2.4.7 states that Change Package and SAP order are entered in the Record Management System, and Section 3.3 describes a Configuration Status Account, which is used to track changes of configuration items.

Closed RAI34 PG&E Response: The means to track changes is the SAP order. The Record Management System is the system used at Diablo Canyon to store and allow retrieval of documents to meet 10 CFR 50 Appendix B quality assurance requirements. Completed Change Packages and SAP orders are entered into the Record Management System for storage and to allow later retrieval.

51.4.a Software Configuration Management

3. Document Repository

a. SCM 36-01, Section 2.3.3 identifies the Digital Systems Engineering SourceSafe as the repository, but Section 3.2.5.5 identifies http://dcpp142/idmws/homelasp, and Section 3.29 states that the files necessary for recovery of the baseline are maintained in the PPS database in SC-I-36M, Eagle 21 Tunable Constants." It is not clear if these two sections are referring to the same document repository or if it is the same. Please clarify.

Closed RAI52 12/19/12: response pending PG&E Response: The SourceSafe is used for exacutable files (exe files),

source code, program code, and database files, etc, The link http://dcpp142/idmws/home/asp is to FileNet, an electronic file storage system. Filenet is used to store documentation like the PPS Replacement Project documents (e.g., Software Configuration Management document, Functional Requirements Specification, Interface Requirements Specification, etc.

March 25, 2013 DCPP PPS Closed Item Summary Table Page 59 of 74 No SrclRI Issue Description P&GE response:

Status RAINo.

(Date Sent)

RAI

Response

(Due Date)

Comments 51.4b Software Configuration Management

4. Document Repository PG&E has implemented restrictions to access files and documents associated with PPS replacement project. Further, PG&E requires user authentication and access to edit configuration, software, and data. It is not clear if these restrictions apply for access to the Digital Systems Engineering SourceSafe or the repository in http://dcpp142/idmws/home/asp.

Please clarify and explain the applicability of access restrictions.

Closed RAI53 12/19/12: response pending PG&E Response: Microsoft SourceSafe requires special permisSions to access the appropriate directory and then requires a login and special software to access the files. File Net allows files to be viewed without a special login, but to modify, delete, or add, files special permissions need to be assigned.

52 RJS NSIR Security:

PG&E stated in its letters DCL-11-123 and DCL-11-104 that the PPS replacement will be fully compliant with the 10 CFR 73.54 cyber security requirements, including RG 5.71, Revision 0, "Cyber Security Programs for Nuclear Facilities," dated January 2010, and is being reviewed to comply with 1 0 CFR 50.73, the DCPP Cyber Security Plan, and NEI 08-09, "Cyber Security Plan for Nuclear Power Reactors," Revision 6, dated April 2010.

The cyber security program that PG&E is implementing per its NRC approved cyber security plan includes provisions applicable to all phases of a systems' life cycle, including the digital upgrade or modification of critical digital assets.

Please explain how the provisions outlined in the PG&E's NRC-approved cyber security plan were considered, and/or implemented, as part of the PPS replacement. The provided explanations should include how all of the management, operational, and technical security controls contained within the plan, especially security controls associated with Configuration Closed No RAI NIA 2/01/13 See Open Item 85 for follow-up to this 01.

1/25/13 NSIR to provide follow-up Open Items. Close this 01 when these new Ol's are entered.

1/16/2013 Require NSIR input prior to closing this item. Requested NSIR to either provide written response or discuss the status of this item at the

March 25, 2013 DCPP PPS Closed Item Summary Table Page 60 of 74 No SrclRI Issue Description P&GE response:

Status RAI No.

(Date Sent)

RAI

Response

(Due Date)

Comments Management and System and Service Acquisition, are being addressed.

The provided explanations should also include any issues associated with partial implementation of the PPS replacement and full implementation of the cyber security plan for the site, and processes to identify and resolve any such issues.

1/24/13 conference call.

PG&E Response:

The Cyber Security program manager and other members of the CSAT (Cyber Security Assessment team) met with the Process Protection System (PPS) Upgrade design engineer beginning in 2011. Many options were discussed.

The Cyber Security program manager and project manager have met with the procurement group to discuss cyber security principles that should be written into the procurement procedures, and what steps will help to ensure a secure supply chain.

The Cyber Security Assessment Team (CSAT) was formed in accordance with section 3.1.2 of the cyber security plan, and Milestone a, on 10/31/2011. A list of critical digital systems and assets was created in accordance with section 3.1.3 of the cyber security plan and Milestone b on 10/31/2011. The CSAT looked at scheduled digital upgrades, and added the future equipment to the list of critical digital systems. The CSA T determined the PPS equipment will be a critical system, with several CDAs.

From July 9-12 2012, the cyber security project manager accompanied members of the Quality Verification group to examine the design and production facilities of Invensys, and examined the code production practices and the development environment, and determined that Invensys has an SDE, and ensures their employees are reliable and trustworthy.

Activities planned for the future.

March 25, 2013 DCPP PPS Closed Item Summary Table Page 61 of 74 No SrclRI Issue Description P&GE response:

In December of 2012, the network that the PPS will eventually reside on will be isolated from internet connected networks by a deterministic network device, per milestone c of the DCPP Cyber Security Plan. Thus many network attacks, including many that depend on a back door created by a vendor, will not be possible.

Also by December of 2012, DCPP will have taken steps to lessen the likelihood of an attack initiated by a portable electronic device, or portable media such as a thumb drive per Milestone d, and section D 1.19 of NEI 08

09. This will mitigate portable media based attacks that depend on a back door created by a vendor.

The DCPP Cyber Security Team will interface with NUPIC (Nuclear Procurement Issues Committee) and the NEIINITSL counterfeit parts task force to address digital equipment supply chain security.

The Cyber Security Implementation Project Manager has developed a detailed project plan, with several tasks and schedules. Several existing plant procedures will be revised. The PPS will inherit the controls implemented by these procedures. Many of the procedures will have been changed/created before the PPS is installed.

The CSAT is collecting design information as it becomes available. The collected design documentation is being reviewed as it is collected. The collected documentation will be reviewed in a formal desktop evaluation per the cyber security plan, section 3.1.5 prior to the PPS installation. The test set up in the offsite test lab near the plant will be visited on occasion by the CSAT, the system will be walked down repeatedly during installation, and the final walkdown will be performed when the system is ready to return to operations, per section 3.1.5 of the security plan.

Status RAI No.

(Date Sent)

RAI

Response

(Due Date)

Comments

March 25, 2013 DCPP PPS Closed Item Summary Table Page 62 of 74 No SrclRI Issue Description P&GE response:

Status RAI No.

(Date Sent)

RAI

Response

(Due Date)

Comments The CSAT will make recommendations to enhance the cyber security posture of the PPS upgrade throughout the project, and will make their final recommendations after the system walkdown, per section 3.1.6 of the cyber security plan.

Disposition of all controls will be documented in the cyber security assessment tool, CyberWiz. Recommended mitigation will be documented in CyberWiz, and the Corrective Action Program.

53 RJS Section 4.10.2.6.3 of LAR:

A tech specification change resulting from the recent Eagle 21 failure that affected the operability of the AFW control system is being reviewed by the staff. As part of this review PG&E has stated that the Independence between safety systems and other systems clause is not being met for all conditions of operation. If this is the case, then why does the PPS LAR not identify any exceptions to IEEE 603 clause 5.6.3? Even if the replacement PPS does not have an equivalent failure mode to the Eagle 21 system, the TS change would still apply after the upgrade is completed. The staff will need to confirm that the potential for this failure mode has been eliminated in the new design or that the criteria of IEEE 603 is otherwise being satisfied.

Closed No RAI 9/11/12 - Per CC with PG&E, the position on compliance with IEEE 603 5.6.3 is being revised and there is no plan to take exception with this or any other criteria of IEEE 603.

PG&E Response: None Required 54 WEK PG&E Letter DCL-12-050, Phase 2 Documents, Attachment 2 FSAR Changes, Insert 1 for FSAR Section 3.10.2.1.3 states that "The Process Protection System Tricon subsystem has been seismically qualified by Invensys Operations Management (see Reference 40) in accordance with requirements from Reference 44 that is endorsed by Reference 33."

What is reference 44 and where is this documented in the FSAR?

Closed No RAI Response Okay-no RAI required.

Should IEEE 344 1987 be included in 7.1.2.4, Conformance with

March 25, 2013 DCPP PPS Closed Item Summary Table Page 63 of 74 No SrclR/

Issue Description P&GE response:

Status RA/ No.

(Date Sent)

RA/

Response

(Due Date)

Comments PG&E Response: Reference 44 IEEE 344-1987, the current Reference 44 in the FSAR. See FSAR page 3.10-40 that was included in the FSAR changes in PG&E Letter DCL-12-050, Phase 2 Documents, Attachment 2.

IEEE Standards (page 7.1-13)??

55 WEK PG&E Letter DCL-12-050, Phase 2 Documents, Attachment 2 FSAR Changes, FSAR Section 7.1.2.5, Conformance With Other Applicable Documents (page 7.1-13) does not indicate the NRC Safety Evaluation that will be produced to approve the PPS. The staffs SER should become part of the DCPP Unit 1 &2 licensing basis once it is issued. How will this be documented within the FSAR??

Closed RAI35 Acceptable response. Send this as an RAI so that the issue does not get lost.

PG&E Response: Reference to the staff SER will be included in FSAR Section 7.2.1.1.6 for the reactor trip portion of the process protection system and to Section 7.3.1.1.4.1 for the engineered safety features actuation system portion of the process protection system.

56 WEK PG&E Letter DCL-12-050, Phase 2 Documents, Attachment 2 FSAR Changes, FSAR Section x.x.x.x, (page 7.2-23) states that the evaluation for common mode failure in the PPS is presented in the DCPP PPS 03 LTR and approved in the staff's SER for the DCPP PPS 03 L TR. It is noted, however, that the staff's SER states that the 03 design features were approved based on confirmation that the proposed built-in diversity of the ALS sub-system is found to be acceptable. This confirmation will be performed as part of the DCPP PPS SER. Please confirm that a reference to the SER for the DCPP PPS will be included in the FSAR.

Closed RAI36 Acceptable response. Send this as an RAI so that the issue does not get lost.

PG&E Response: Reference to the staff SER for LAR 11-07 will be included in FSAR Section 7.2.2.1.2 in addition to the staff SER for the DCPP D3 LTR.

57 WEK PG&E Letter DCL-12-050, Phase 2 Documents, Attachment 2 FSAR Changes, FSAR Section 7.2.2.9.2, IEEE 603-1991 Clause 5, Clause 5.12 (page 12) states that"... the communication path between the maintenance workstation and the ALS subsystem is normally disabled with a hardwired switch... " Also, Attachment 3, PG&E PPS Interface Requirements Closed RAI37 Acceptable response. Send this as an RAI so that the issue does not get lost.

March 25. 2013 DCPP PPS Closed Item Summary Table Page 64 of 74 No SrclR/

Issue Description P&GE response:

Status RA/ No.

(Date Sent)

RA/

Response

(Due Date)

Comments Specification (IRS). Rev.6 to PG&E Letter DCL-12-069 dated August 2.

2012 states in section 1.5.6 "... TAB communications between the ALS and MWS takes place via RS-485 data link. The TAB is physically disconnected from the MWS when the TAB is not in use.... the TAB is open at all times unless maintenance is being performed on the ALS... " Please identify administrative controls and design features associated with the PPS that explains how the MWS is disconnected/disabled from the PPS (Le., a means of physical cable disconnect, or a safety-qualified hardware switch that either physically opens the data transmission circuit or interrupts the connection by means of hardwired logic. "Hardwired logic" as used here refers to circuitry that physically interrupts the flow of information, such as an electronic AND gate circuit (that does not use software or firmware) with one input controlled by the hardware switch and the other connected to the information source: the information appears at the output of the gate only when the switch is in a position that applies a "TRUE" or "1" at the input to which it is connected. Provisions that rely on software to effect the disconnection are not acceptable. It is noted that software may be used in the safety system or in the workstation to accommodate the effects of the open circuit or for status logging or other purposes) that demonstrate how this hardwired switch disconnects the ALS maintenance workstation from the ALS safety processor.

10/19/12: If I understand the PG&E response correctly, these system effects are PG&E Response: For the ALS subsystem, instead of using a hardwire keyswitch, the ALS subsystem will be administratively controlled by physically disconnecting the communication link to the ALS MWS computer when the Test ALS Bus (TAB) is not being used for surveillance testing, maintenance, and trouble-shooting. This is a PPS replacement design change described in the response to NRC request for additional information in PG&E Letter DCL-12-083 and will be included in a supplement to LAR 11-07.

58 RJS ALS FMEA - There are several failure modes identified in Table 4-4 of the FMEA where the System Effects entry provides a description of functions that are not affected by the failure mode instead of stating what the effects of the failure mode are. For example, the System Effects in the ETT failure Close RAI38

59 March 25, 2013 DCPP PPS Closed Item Summary Table Page 65 of 74 Comments Status I RAI No.

I RAI No SrclRI I Issue Description P&GE response:

Response

(Due Date)

(Date Sent) in line 5b of table 4-4 are that the Alarm Function remains operational.

Though this may be the case, it does not state what the effects of the failure mode are. Examples of this can be found in lines 5b, 6a, 6b, 7a, 9h, 9i, 11 b, 11 c, and 11 d. Please provide appropriate and complete information for System Effects in Table 4-4.

PG&E Response:

The System Effects entry does describe the functions that are affected by the failure mode. This entry must be read in the context of the entire FMEA table row. For example, the cited row for ETT failure in line 5b discusses the effects of failures of the ALS-402-1 digital output board which sends Alarm Signals to other systems. In the case of Energize to Trip outputs (ETT) a stuck open output channel will prevent the core A rack from being able to actuate the Alarm (in this case a specific instance of an ETT Alarm is cited, the "Containment Pressure in Test Alarm". However, due to the compensating features, which in this case is the redundant implementation of the function in the core B rack, the System Effect is that the Alarm function remains operational. A similar reading applies to the other examples cited.

RJS ALS FMEA - Some of the identified failure modes of the ALS system are detectable only by operator observations, or by means that are not necessarily performed during routine operation or during surveillance testing. See lines 10c, and 12a, What measures will be implemented to ensure that these failure modes would not occur and remain undetected for an indefinite period of time?

It is the staffs understanding that all failure modes which are not detectable through normal means such as surveillance tests or channel checks would need to be considered present for the purpose of satisfying single failure criteria for the s~stem.

being evaluated within the context of the local effects that are also provided in the FMEA. Application specific compensating features that influence the systematic effects of these failure modes are thus accounted for within the analysis.

Agree to close but would like the PGE response on record. Need RAI.

Closed I No RAI 10/19/12 - rjs:

Response

accepted.

March 25, 2013 DCPP PPS Closed Item Summary Table Page 66 of 74 No SrclRI Issue Description P&GE response:

Status RAI No.

(Date Sent)

RAI

Response

(Due Date)

Comments PG&E Response:

Surveillance testing includes visual inspection of the equipment in addition to the specified test cases that demonstrate functionality. Therefore, those failure modes that are detected by operator observations will be detected as part of the surveillance test. IEEE Std 379-2000 defines detectable failures as those failures that can be identified through periodic testing or that can be revealed by alarm or anomalous indication. Therefore, such failures do not need to be considered to be present for purposes of evaluating single failure criterion compliance.

The specific cases cited are clear examples. Line 10c discusses failures of the local partial trip indicators. Failures of the indicators do not affect the actual trip function. During the test the technician uses the indicators to confirm that the trip action occurs at the appropriate threshold. Thus the act of observation of the failure during surveillance testing is assured. Line 12a discusses failure of the serial link used for continuous monitoring of the ALS health. Failure of this link does not affect the safety functions of the rack, but would be immediately obvious at the workstation used to do the monitoring.

This workstation is used in surveillance testing.

61 RA Software V& V Plan:

ALS provided Revision 7 of its V&V plan (6002-00003). This revision provides a mapping and alignment with IEEE Std 1012-1998. This now cause a misalignment with the DCPP V&V Plan, 6116-00003, Thus, the DCPP V&V Plan will need to be revised. Please identify when this new revision will be submitted.

Closed NoRAI 12/19/12: NRC Staff will review the document submitted and identify follow up questions, if necessary, creating a new open item.

11-28-12 update:

The staff will review the V&V plan to determine if this PG&E Response:

The DCPP V&V Plan, Revision 1 has been created to provide consistency with the ALV V&V Plan. The Diablo Canyon W Plan, Revision 1, was placed on the Sharepoint on November 22 and was submitted on December 5 in PG&E Letter DCL-12-121.

March 25, 2013 DCPP PPS Closed Item Summary Table Page 67 of 74 No SrclRI Issue Description P&GE response:

Status RAI No.

(Date Sent)

RAI

Response

(Due Date)

Comments item can be closed.

62 RA Software Management Plan:

Revision 2 of the ALS "Diablo Canyon PPS Management Plan," 6116-0000, Section 2.1 and 2.2, defines the project organization. As described in guidance documents STP 7-14 and NUREG/CR-6101, licensees need to describe the management aspects of the software development process.

Please clarify the following:

1. The description provided in this section does not align with the organization structure provided in Figure 2-1. The description provided is not clear. For example, the bulleted list identifies "Scottsdale Operations Director", but then the 1st paragraph refers to Scottsdale Operations Director and ALS Platform & System Director. It is not clear if this is the title for one person or for two. Further, Figure 2-1 does not identify the ALS Platform & System Director, if this role is performed by a separated individual. Please clarify this.

2. This section states that ALS V&V Plan provide information and the interface between the IV&V team and the PPS replacement project. It is not clear why the ALS V&V plan will provide this information, since the ALS V&V plan is for the generic platform. Please clarify what document contains this information.

3. This section states that the WEC Project Manager is responsible for the commercial process interface with PG&E. However, this role is not listed in the bulleted item list and not identified in Figure 2-1. Please clarify this role.

4. Figure 2-1 identifies a QA Manager, but this section only describes the QA Lead. Please describe the role and responsibility for the QA Manager.

5. Section 4.1, Planning Stage, mentions a "Project Leadership Team,"

which is not described in Section 2. Please explain the role and responsibilities for this team.

Closed No RAI 12/19/12: NRC Staff will review the document submitted and identify follow up questions, if necessary, creating a new open item.

11-28-12 update:

The staff will review the PPS Management Plan and the W plan to determine if this item can be closed PG&E Response: To address item 1, the Diablo Canyon PPS Management Plan, Revision 3, clarifies in Section 3 the organization details. To address Item 2, the Diablo Canyon IW Plan, Revision 1, provides information on the

March 25, 2013 DCPP PPS Closed Item Summary Table Page 68 of 74 Comments SrclRI Issue Description RAI No.

RAI No P&GE response:

Status (Date Sent)

Response

(Due Date) interface between the IV&V team and the PPS replacement project. To address items 3 to 5, the Diablo Canyon PPS Management Plan, Revision 3, clarifies in Section 3 the WEC Customer Project Manager is responsible for the commercial process interface with PG&E, the roles and responsibilities of the QA Manager, and the roles and responsibilities of the Project Leadership Team. The Diablo Canyon PPS Management Plan, Revision 3, was placed on the Sharepoint on November 15 and was submitted on December 5 in PG&E Letter DCL-12-121. The Diablo Canyon W Plan, Revision 1, was placed on the Sharepoint on November 22 and was submitted on December 7 in PG&E Letter DCL-12-121.

Closed NoRAI 12/19/12: NRC Staff will review the Revision 2 of the ALS "Diablo Canyon PPS Management Plan," 6116-0000, Software Management Plan:

63 RA document Section 4.1, Planning Stage, identifies that deliverables from this phase are submitted and approved by the "Managerial Review Board." However, this document does identify follow up not identify the role and responsibilities for this board. Furthermore, the ALS questions, if PPS V&V Plan, 6116-00003, Rev. 0 states that IV&V will review the necessary, creating planning stage documents. Please clarify the person/team responsible for a new open item.

this review and their role and responsibilities.

PG&E Response:

The Managerial Review Board review and the IV&V reviews are two different reviews. The Managerial Review Board gives the final "exit criteria" approval for both the Planning and Development Stages; this Managerial Review Board approval is required for entrance into the next subsequent stage. Their role is clarified in the "exit criteria" details included in Section 4.1 's Planning Stage and Development Stage sub-sections. The IV&V team also reviews the planning stage documents according to the criteria in the V&V Plan. Additional details have been added to the Management Plan. The Diablo Canyon PPS Management Plan, Revision 3, was placed on the Sharepoint on November 15 and was submitted on December 5 in PG&E Letter DCL-12-121.

I _

March 25, 2013 DCPP PPS Closed Item Summary Table Page 69 of 74 No SrclRI Issue Description P&GE response:

Status RAI No.

(Date Sent)

RAI

Response

(Due Date)

Comments 66 WEK Section 4.2.13.1 of the LAR (page 85) states; "... The NetOptics Model PA CU/PAD-CU2 PA-CU port aggregator network tap was approved previously by NRC for a similar application in the Oconee RPS SER Section 3.1.1.4.3

[18]. The NRC staff determined that due to the electrical isolation provided by use of fiber optic cables and the data isolation provided by the Port Tap and the Maintenance and Service Interface (MSI) in the Oconee RPS, there was reasonable assurance that a fault or failure within the Oconee Gateway computer or the Operator Aid Computer will not adversely affect the ability of the Oconee RPS to accomplish its safety functions."

Close RAI41 12-19-2012 update:

Response

acceptable. 01 will be closed to a new RAI.

11-28-12 update:

See 11-28-2012 update question.

In section 3.1.1.5.2.1 of the Oconee SER, the staff approved The NetOptics aggregator Port Tap, Model 96443, No. PA-CU, as a device intended to allow monitoring of a full duplex 10/1 OOBaseT Ethernet communication link by copying the communications and sending that copied communications to a one-way simplex communications link. Due to the importance of this one-A new RAI will be added to clarify this inconsistancy so it will be on the docket.

way communications path functioning properly, the NRC staff performed a detailed review of the design aspect of this one-way communications path.

Circuit diagrams on the device itself indicated that the communications using Port C (Port 1 in the case of DCPP PPS application) may be capable of two-way communications. Since the original review of Model 96443, part No. PAD-CU Port Tap required NRC staff examination of actual schematic drawings of the circuitry to determine that there was no inbound communications path associated with Port C (Port 1 for the PPS), a similar schematic review for any replacement or updated model of the Port Tap must be evaluated in the same manner (by the licensee) to determine the manner in which it is being used and configured are acceptable, and that do not invalidate the conclusion of this SE that use of the Port Tap provides adequate data isolation between the Gateway computer and the digital RPS/ESPS.The Port Tap approved for Oconee was model 96443 PA-CU.

11-28-2012 Update:

The response below still needs further clarification: Section 3.7.2.1 (palle

March 25, 2013 DCPP PPS Closed Item Summary Table Page 70 of 74 No SrclRI Issue Description P&GE response:

Status RAI No.

(Date Sent)

RAI

Response

(Due Date)

Comments

71) of the approved Tricon V10 L TR SER (ML12146A010) states: "The NetOptics Port aggregator Tap, Model 96443, No. PA-CU, or PAD-CU, is a device intended to allow monitoring of a 101100 Base T Ethernet communication link by communications and sending that copied information to a separate one-way communications link. Port A of the Port Tap is connected to the TCM, and Port B is connected to the Maintenance Terminal (maintenance video display unit (MVDU))." Since the LAR references the Port Tap approved within the Tricon V10 SER, this model number 96443 may still be confusing to the reader.

Please provide the model number of the Port Tap being that PG&C will use in the DCPP PPS and provide an explanation of its equivalency to the Port Tap approved for the Oconee RPS/ESPS LAR.

Revised PG&E Response 12/17/2012:

The PPS Replacement application will use the NetOptics Model PA-CU network port aggregator tap to isolate the Tricon portion of the PPS replacement from the gateway computer.

NetOptics has confirmed via e-mail (Case# 205591) that part number "96443" is the same as PA-CU. It is the old SKU part number for the PA CU.

67 WEK Section 4.2.13.1 of the DCPP PPS LAR (pg. 85) states, "Port aggregator dual in-line package (DIP) switch positions will be controlled by DCPP configuration management processes."

Closed RAI42 11-28-12 update:

Response is acceptable.

Please provide a documented basis (e.g., a plant procedure, or engineering design package) that demonstrates how this will be controlled.

PG&E Response: The Port aggregator DIP switch positions will be controlled by a plant procedure or plan. The plant procedure or plan will be developed as part of the design change for installation of the PPS replacement after NRC approval of the LAR.

March 25, 2013 DCPP PPS Closed Item Summary Table Page 71 of 74 Issue Description P&GE response:

No SrclRI WEK The documents listed below are necessary for the staff to complete its assessment of the Tricon V10 platform changes/software revisions that have occurred since the platform was approved generically, and will be applied to the DCPP PPS.

76

1. Reference Design Change Analysis (RDCA), 993754-1-916

2. Nuclear Qualified Equipment List (NQEL), 9100150-001, Rev 16 Rev 11: Tricon V10.5.2 Rev 13: TriStation V4.9.0 Rev 14: Tricon V1 0.5.3 Tricon NGIO Software SRS, 6200155-001 Tricon V10.5 Verification and Validation Report (19 Sept, 2012)

3. V10.5.2 Documents a) PDR (IRTX) 21105 b) Technical Advisory Bulletin (TAB) 183 c) Engineering Project Plan (EPP) Tricon V10.5.2, 9100346-001 d) V1 0.5.2 V&V Test Report e) Software Release Definition (SRD), V10.5.2, 6200003-226

4. V10.5.3 Documents a) PDR (IRTX) 22481 b) Product A!ert Notice (PAN) 25 c) Engineering Project Plan (EPP) Tricon V10.5.3, 9100428-001 d) Tricon PAN 25 Master Test Report e) Software Release Definition (SRD), V10.5.3, 6200003-230 f) NGDO SRS 6200170-001 L __

Status Closed RAINa.

(Date Sent)

RAI45 RAI

Response

(Due Date)

Comments 12-19-2012 Update: the staff has reviewed all of these documents and some of them will require submittal on the docket for approval of these changes within the SER-see 12-19-2012 follow up item for this 01.

Invensys Audit Item 11-28-112 update:

Response

Acceptable. We will also need this information submitted on the docket.

Invensys Audit Item

March 25, 2013 DCPP PPS Closed Item Summary Table Page 72 of 74 -

Comments (Date Sent)

RAINo.

RAI SrclRI Status No Issue Description P&GE response:

Response

(Due Date)

(ii) Tristation V4.9.0 documents a) Product Alert Notice (PAN) 22 b) Product Alert Notice (PAN) 24 c) Technical Advisory Bulletin (TAB) 147 d) Engineering Project Plan (EPP) Tristation V4.9, 9100359-001 e) Tristation V4.9.0 Master Test Report f) Software Release Def. (SRD), Tristation V4.9.0, 6200097 -038 g) Spec. Software Design - Tristation 1131 SDS, 6002168-002 (Section Applicable to V4.9.0 Change) h) TriStation 1131 V4.9 V&V Plan, 9600442-002 i) TriStation 1131 V&V Summary Report (26 Oct.

2012) 12-19-2012 Follow up Item:

The staff has reviewed all of these documents, which have been placed on the Invensys Sharepoint website and concluded its assessment of the Tricon Platform changes from V10.5.1 to V1 0.5.3. The results of this assessment will be published in the Invensys Audit Report. In order to provide a safety finding to approve these changes in the DCPP PPS SER It is necessary for the following documents to be formally submitted to the staff to facilitate completion of its safety assessment of the Tricon V10 platform changes/software revisions that have occurred since the platform was approved generically, and will be applied to the DCPP PPS.

Please submit the following Documents on the Docket:

1. Product Discrepancy Report (PDR) IRTX#211 05

2. Technical Advisory Bulletin (TAB) 183

3. Engineering Project Plan (EPP) V10.5.2, 9100346-001, Rev. 1.4

4. Tricon V1 0.5.2 V&V Test Report, Rev. 1.1, January 14, 2011

5. Software Release Definition (SRD) V10.5.2, 6200003-226, Rev.1.0

March 25, 2013 DCPP PPS Closed Item Summary Table Page 73 of 74 No SrclRI Issue Description P&GE response:

Status RAI No.

(Date Sent)

RAI

Response

(Due Date)

Comments

6. PDR IRTX#22481

7. Product Alert Notice (PAN) 25

8. Document "ARR 932 NSC Evaluation.pdf"

9. Tricon PAN 25 Fix Engineering Project Plan (EPP) 9100428-001, Rev.1.2

10. Tricon PAN 25 Master Test Report, Rev.1.0

11. Software Release Definition (SRD) V10.5.3, 6200003-230, Rev.1.0

12. Product Alert Notice (PAN) 22

13. Product Alert Notice (PAN) 24

14. Technical Advisory Notice (TAB) 147

15. Engineering Project Plan (EPP) TriStation V4.9 & Safety Suite Apps, 9100359-001, Rev.1.3

16. TriStation V4.9.0 Test Report, Rev. 0.4

17. Software Release Definition (SRD) 6200097-038, Rev.1.2 PG&E Response: The documents were submitted by Invensys Operations Management in Letter 993754-53T dated February 11, 2013.

77 RJS The staff requests that the Purchase Order Compliance Matrices (Multiple Documents) be placed on the SharePoint site to support verification of requirements traceability determinations.

Closed No RAI Invensys Audit Item RJS -I do not believe that the PG&E Response: Invensys will place the requested documents on the Invensys SharePoint by December 7,2012, for access by the NRC. The documents will be marked in accordance with 10 CFR 2.390 prior to placing them on the SharePoint.

POCM's will need to be docketed.

78 RA The staff requests that the Invensys Project Procedures Manual and Project Instructions (Multiple Documents) be placed on the SharePoint site to support review of Invensys process to design, develop and test the Tricon system.

PG&E Response: Invensys will place the requested documents on the Invensys SharePoint by December 14,2012, for access by the NRC. The documents will be marked in accordance with 10 CFR 2.390 prior to placing Closed No RAI 12/19/12:

Document was posted in Invensys' Sharepoint

March 25, 2013 DCPP PPS Closed Item Summary Table Page 74 of 74 No SrclRI Issue Description P&GE response:

Status RAINo.

(Date Sent)

RAI

Response

(Due Date)

Comments them on the SharePoint.

Project Plan for Diablo Canyon Replacement of Digital RPS and ESFAS (PPS) - LAR Review (Rev. 10)

Step Planned Task Actual Date Date 1

Oct. 26, PG&E LAR Submittal for NRC approval. Submittal includes all Oct. 26, 2011 2011 for review per ISG-06, "Digital Licensing."

Phase 1 documents needed to be docketed prior to acceptance 2

Jan. 12, Acceptance Review complete. LAR accepted for detailed Jan. 12, 2012 technical review. Several issues identified that could present 2012 challenges for the staff to complete its review. Scheduled public meeting with PG&E to discuss the results of the acceptance review.

3 Jan. 13, Jan. 13, 2012 Acceptance letter sent to licensee.

2012 4

Jan. 18, Conduct Public Meeting to discuss staff's findings during the LAR Jan. 18, 2012 acceptance review. Staff proceeds with LAR technical review.

2012 5

March 18, PG&E provides information requested in acceptance letter. Initiate April 2, 2012 bi-weekly telecoms with PG&E and its contractors to discuss 2012 potential RAI issues. Open Items spreadsheet will be maintained by NRC to document staff issues and planned licensee responses.

6 May 3D, PG&E provides partial set of Phase 2 documentation per June 6, 2012 commitments made in LAR.

2012*

PG&E provided a subset of the Phase 2 documents on June 6th See step 14 which is a milestone for submittal of al/ remaining Phase 2 documents.

7 July First RAI sent to PG&E on Phase 1 documentation (e.g.,

August 07, 2012 specifications, plans, and equipment qualification). Continue 2012 review of the application. Request 45 day response.

(ML12208A364) 8 June SER for Tricon V10 Platform issued final. This platform becomes i May 15, 2012 a Tier 1 review of the LAR. (ML12146A010) 2012 8.1 March SER for Westinghouse ALS Platform issued final. This platform 2013 becomes a Tier 1 review of the LAR.

9 September Receive answers to first RAI. (ML12256A308)

Sept. 11, 2012 2012 10 November Audit trip to Invensys facility for thread audit; audit the life cycle Nov. 13 2012 planning documents and outputs, with particular emphases on 16,2012 verification and validation, configuration management, quality Assurance, software safety, the Invensys application software development procedures, and application software program design.

10.1 I December Audit report provided to PG&E.

ruary 2012 2013 11 February Audit trip to Westinghouse/CSI facility for thread audit; audit the February 2013 life cycle planning documents and outputs, with particular 21,2013 emphases on verification and validation, configuration management, quality Assurance, software safety, the W/ALS application software development procedures, and PPS ALS applicatigD~()ftware program design.

Page 1 of 3

Project Plan for Diablo Canyon Replacement of Digital RPS and ESFAS (PPS) - LAR Review (Rev. 10) 11.1 April 2013 Audit report provided to PG&E and its contractor.

Pending 12 March 2013 Second RAI Letter to PG&E on Phase 1 documentation March 20, 2013 12.1 April 2013 Receive responses to Second set of RAI's 13 April 2013 LAR revision and all supporting documentation associated with the change in ALS and Tricon V10 workstation designs for the PPS are submitted.

14 May 2013 PG&E provides remaining set of Phase 2 documentation per commitments made in LAR. See step 6 for initial submittal of Phase 2 documents.

15 May 2013 All Documentation for DCPP W/CSI ALS and IOM/Triconex V1 0 processors applicable to the DCPP PPS LAR are submitted.

16 June 2013 Follow-up audit trip to Invensys facility for thread audit; audit the life cycle planning documents and outputs, with particular emphases on verification and validation, configuration management, quality assurance, software safety, the Invensys application software development procedures, and application software program design.

16.1 August 2013 Audit report provided to PG&E.

17 August 2013 Third RAI Letter to PG&E on Phase 2 documentation (e.g., FMEA, safety analysis, RTM, EO test results, setpoint calculations. )

17.1 September 2013 Receive responses to third set of RAl's.

18 September 2013 Audit trip to W/ALS facilities for additional thread audit items; audit hardware and software installation plans, configuration management reports, detailed system and hardware design, completed test procedures, V&V activities, summary test results (including FAT) and incident reports, and application code listings.

18.1 October 2013 Audit report provided to PG&E.

19 TBD (Optional) Audit trip to Invensys facilities for additional thread audit items; audit hardware and software installation plans, configuration management reports, detailed system and hardware design, completed test procedures, V&V activities, summary test results (including FAT) and incident reports, and application code listings.

20 TBD (Optional) Audit trip to DCPP test facilities for additional thread audit items.

Page 2 of 3

Project Plan for Diablo Canyon Replacement of Digital RPS and ESFAS (PPS) - LAR Review (Rev. 10) 21 Februaryl Presentation to ACRS SubcommitteelFull ACRS Committee on March DCPP PPS LAR Safety Evaluation.

2014 22 March 2014 Complete draft technical SER for management review and approval.

23 March 2014 Issue completed draft technical SER to DORL 24 March 2014 Draft SER sent it to PG&E, Invensys, and W/CSI to perform technical review and ensure no proprietary information was included.

25 April 2014 Receive comments from PG&E and its contractors on draft SER proprietary review.

26 May 2014 Approved License Amendment issued to PG&E 27

-September Inspection trip to DCPP for PPS Site Acceptance Testing (SAT),

2014 training and other preparation for installing the new system. To be (tentative) coordinated with regional visit. Date based on receipt of new PPS system at the site in preparation for September 2015 Unit 1 Refueling Outage (1 R 19).

28

-September Inspection trip to DCPP for PPS installation tests, training and 2015 other system installation activities for the new system. To be coordinated with regional visit. Date based on September 2015 Unit 1 Refueling Outage (1R19).

Page 3 of 3

- 3 Please direct any inquiries to me at 301-415-5430, or james.polickoski@nrc.gov.

Docket Nos. 50-275 and 50-323

Enclosures:

1. List of Attendees

2. NRC Staff Identified Open Issues

3. NRC Staff Identified Closed Issues

4. LAR Review Project Plan cc w/encls: Distribution via Listserv DISTRIBUTION:

PUBLIC LPLIV r/f RidsAcrsAcnw_MailCTR Resource RidsNrrDeEicb Resource RidsNrrDorlLpl4 Resource RidsNrrLAJBurkhardt Resource RidsNrrPMDiabloCanyon Resource IRA by JSebrosky forI James T. Polickoski, Project Manager Plant Licensing Branch IV Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation RidsRgn4MailCenter Resource ELee. NSIRIDSP RStattel, NRRlDE/EICB RAlvarado. NRRlDE/EICB SMakor, RIVlDRS/EB2 DHuyck, EDO RIV VDricks, OPA RIV o Ice ML13074A118 MrS ADAMS Accesslon N os.: Meefmg N f ee mg ummary ML13149A068 OFFICE N RRIDORULPL4/PM NRR/DORULPL4/LA NRRlDORULPL4/BC NRR/DORULPL4/PM NAME JPolickoski JBurkhardt MMarkley JSebrosky for.IPolickoski DATE 5/31/13 5/31/13 6/4113 6/4/13 OFFICIAL RECORD COPY

v t e Letter Sequence Meeting
TAC:ME7522, Clarify Application of Setpoint Methodology for LSSS Functions (Open) TAC:ME7523, Clarify Application of Setpoint Methodology for LSSS Functions (Open)
Initiation Request, Request, Request, Request, Request, Request, Request, Request, Request, Request, Request, Request, Request, Request, Request, Request, Request, Request, Request, Request, Request, Request, Request, Request, Request, Request Acceptance Supplement Administration Withholding Request Acceptance, Withholding Request Acceptance, Withholding Request Acceptance, Withholding Request Acceptance, Withholding Request Acceptance, Withholding Request Acceptance, Withholding Request Acceptance, Withholding Request Acceptance, Withholding Request Acceptance, Withholding Request Acceptance, Withholding Request Acceptance, Withholding Request Acceptance, Withholding Request Acceptance Meeting, Meeting, Meeting, Meeting, Meeting, Meeting, Meeting, Meeting, Meeting, Meeting, Meeting, Meeting, Meeting, Meeting, Meeting, Meeting, Meeting, Meeting, Meeting, Meeting, Meeting, Meeting, Meeting, Meeting, Meeting, Meeting, Meeting, Meeting, Meeting, Meeting, Meeting, Meeting, Meeting, Meeting, Meeting, Meeting, Meeting, Meeting, Meeting, Meeting, Meeting, Meeting, Meeting, Meeting, Meeting, Meeting, Meeting, Meeting, Meeting, ... further results\|Meeting]] Questions 7 August 2012 12 April 2013 31 March 2014 Answers 11 September 2012 27 November 2012 9 May 2013 30 April 2014 Results Approval Other: ML120250079, ML120590119, ML12276A050, ML13018A149, ML13024A105, ML13029A667, ML13101A278, ML13192A314, ML13232A258, ML13339A428, ML14126A377, ML15103A010, ML15121A310, ML15223A968
MONTHYEAR2012-04-02 [Table View]

ML13149A068: Difference between revisions

Latest revision as of 08:15, 11 January 2025

Text

SUBJECT:

SUMMARY

Enclosures:

Participants:

Participants:

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response