ML13149A068

| ML13149A068 | |
|---|---|
| Site: | Diablo Canyon |
| Issue date: | 06/04/2013 |
| From: | Polickoski J, Plant Licensing Branch IV |
| To: | Halpin E, Pacific Gas & Electric Co |
| References: | TAC ME7522, TAC ME7523 |
| Download: | ML13149A068 (114) |
UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

June 4, 2013

LICENSEE: Pacific Gas and Electric Company

FACILITY: Diablo Canyon Power Plant, Units 1 and 2

SUBJECT: SUMMARY OF MARCH 27, 2013, TELECONFERENCE PUBLIC MEETING WITH PACIFIC GAS AND ELECTRIC COMPANY ON DIGITAL REPLACEMENT OF THE PROCESS PROTECTION SYSTEM PORTION OF THE REACTOR TRIP SYSTEM AND ENGINEERED SAFETY FEATURES ACTUATION SYSTEM AT DIABLO CANYON POWER PLANT, UNIT NOS. 1 AND 2 (TAC NOS. ME7522 AND ME7523)
On March 27, 2013, a Category 1 teleconference public meeting was held between the U.S. Nuclear Regulatory Commission (NRC) and representatives of Pacific Gas and Electric Company (PG&E, the licensee) at NRC Headquarters, One White Flint North, 11555 Rockville Pike, Rockville, Maryland. The purpose of the teleconference meeting was to discuss the license amendment request (LAR) submitted by PG&E on October 26, 2011, for the Digital Replacement of the Process Protection System (PPS) Portion of the Reactor Trip System and Engineered Safety Features Actuation System at Diablo Canyon Power Plant (DCPP), Unit Nos. 1 and 2 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML113070457). The meeting notice and agenda, dated March 15, 2013, is available in ADAMS at Accession No. ML13074A118. A list of attendees is provided as Enclosure 1.
This meeting is one in a series of publicly noticed teleconference meetings to be held periodically between NRC staff and PG&E to discuss issues associated with the NRC staff's LAR review. Preliminary issues identified by the NRC staff during the review and licensee responses to those issues were discussed during the meeting. The list of preliminary issues that are still in discussion and review is provided in Enclosure 2 ("open items"). Those preliminary issues that have either been closed as questions or resulted in NRC requests for additional information (RAIs) were archived in a "closed items" tracking table in Enclosure 3. The updated NRC staff's LAR review project plan was also discussed and is provided in Enclosure 4.
Discussion highlights from this meeting include:
- The NRC staff from the Office of Nuclear Security and Incident Response (NSIR) was present to discuss how PG&E is implementing the security measures described in the NRC-approved DCPP Cyber Security Plan within the PPS digital upgrade. PG&E's staff reviewed the licensee's methods for incorporating cyber security reviews during PPS development. The NRC's NSIR staff will update cyber security-related action items prior to the next meeting, and meeting attendees concurred that an additional, non-public meeting for review of proprietary and/or sensitive but unclassified items will not be needed.
- The NRC staff discussed a number of action items from Enclosure 2 that will be closed and transitioned to Enclosure 3 due to incorporation in a set of RAIs to be issued shortly by the NRC.
- The NRC and PG&E staff discussed a number of action items from Enclosure 2 that are awaiting PG&E document submission. These include docket submission or SharePoint posting of the remainder of the Phase 2 documents, a PG&E LAR supplement, and PG&E's responses to the above RAIs. Since PG&E's staff stated that these documents will not be available until late April, the next periodic teleconference public meeting will not be scheduled until at least 2 weeks after PG&E document submission, to allow time for the NRC staff's review.
- The NRC staff discussed the recent receipt of the PG&E summary report regarding this LAR's potential impacts with the DCPP Technical Specifications (TS). Further, NRC staff discussion will be guided by NRC TS Branch input following their review of this report.
- The NRC and PG&E staff discussed the responsibility, timing, performance, and documentation of the software hazard analysis during the various design, development, testing, and implementation phases.
- The NRC and PG&E staff discussed the Enclosure 4 project plan on the timing of the following: safety evaluation report (SER) for the Westinghouse Advanced Logic System (ALS) Platform; NRC staff audit reports (technical and cyber security) and completion of the February 11-14, 2013 onsite audit of the PG&E supporting vendor CS Innovations/Westinghouse; and PG&E LAR supplement and RAI responses. Additionally, the NRC and licensee discussed the timing of the remaining PG&E Phase 2 document submittals and the next licensee-vendor NRC staff audit and Factory Acceptance Testing (FAT) trips.
- The NRC staff discussed the impact of the changing PG&E document submission milestones on completion of the NRC safety evaluation.
The NRC staff and the licensee agreed that the next periodic teleconference public meeting on this topic would be held in approximately mid-May 2013 with the exact timing dependent on PG&E document submission including a minimum two-week NRC review allowance.
A member of the public was in attendance. Public Meeting Feedback forms were not received.
Please direct any inquiries to me at 301-415-5430.

James Polickoski, Project Manager
Plant Licensing Branch IV
Division of Operating Reactor Licensing
Office of Nuclear Reactor Regulation

Docket Nos. 50-275 and 50-323
Enclosures:
- 1. List of Attendees
- 2. NRC Staff Identified Open Issues
- 3. NRC Staff Identified Closed Issues
- 4. LAR Review Project Plan

cc w/encls: Distribution via Listserv
LIST OF ATTENDEES
MARCH 27, 2013, TELECONFERENCE MEETING WITH PACIFIC GAS AND ELECTRIC COMPANY REGARDING PROCESS PROTECTION SYSTEM DIGITAL UPGRADE FOR DIABLO CANYON POWER PLANT, UNIT NOS. 1 AND 2
DOCKET NOS. 50-275 AND 50-323

NRC Participants:

Headquarters:
Rich Stattel, Senior Electronics Engineer, Instrumentation and Controls Branch, NRR/DE
Rossnyev Alvarado, Electronics Engineer, Instrumentation and Controls Branch, NRR/DE
* Eric Lee, Senior Security Specialist, Cyber Security & Integrated Response Branch, NSIR/DSP
James Polickoski, Project Manager, Plant Licensing Branch IV, NRR/DORL

Region IV:
Shiattin Makor, Reactor Inspector, Engineering Branch 2, RIV/DRS

* Pacific Gas and Electric Company Participants:
Ken Schrader, Regulatory Services
* Scott Patterson, Program Manager
* R. Lint, Altran
* Ted Quinn, Altran
* J. Rengepis, Altran
* Roman Shaffer, Invensys
* J. Basso, Westinghouse/CS Innovations
* S. Karaaslan, Westinghouse/CS Innovations
* W. Odess-Gillett, Westinghouse/CS Innovations

* Public:
Gordon Clefton, Senior Project Manager, Nuclear Energy Institute

* denotes participating via teleconference

Enclosure 1
March 25, 2013 DCPP PPS Open Item Summary Table (Enclosure 2), Page 1 of 32

Table columns: No | Src/RI | Issue Description and PG&E response | Status | RAI No. (Date Sent) | RAI Response (Due Date) | Comments

Item 40 | Software Tools | Status: Closed

Issue Description: In the ALS Progress Update 2012-08-01 provided to the staff, Westinghouse/CSI described that they are replacing the Automated Test Environment (ATE) from IV&V credited tools with a LabView based ALS Board Test System (ABTS). Also, in this presentation, Westinghouse/CSI noted that they are performing additional IV&V and equipment qualification tools. Since this information needs to be reflected in the software planning documents, please identify how these items will affect Westinghouse/ALS documents related to the PPS replacement project. Also, identify what document will be revised to include a description of these modifications.

PG&E Response: The ALS Design Tool 6002-00030 requires revision to replace the ATE with the ABTS. The revised ALS Design Tool, Revision 9, document includes the ABTS tool in Section 12 and was submitted by Westinghouse to the NRC on January 18, 2013; it addresses the tools used.

Comments:
01/23/2013 update: CSI document 6002-00030 Rev. 9 is not available in ADAMS yet. Please clarify if the ATE tool is used for V&V review. This item will remain open until the document is available to the staff.
01/10/2013 update: The ALS Design Tool 6002-00030 Rev. 8 indicates that Westinghouse/CSI is using ATE. Further, Rev. 7 of the 6002-00003, ALS V&V Plan, states that this plan was revised to identify ABTS as the primary board integration level test tool, replacing ATE. Please clarify the discrepancy between the response provided and the information in Rev. 8.
12/19/12 update: ALS Design Tool 6002-00030 was submitted to the NRC. NRC staff will review this document and identify follow-up questions, if necessary, creating a new open item.
10/17/12 update: Westinghouse/ALS will submit the ALS Design Tools on 10/31/2012.

Item 41 | RA | Software V&V and Test Plan | Status: Re-Open | RAI 24

Issue Description: Westinghouse/ALS document 6116-0005, section 8.2 identifies the software tools to be used in the PPS replacement project. However, this list is not consistent with the list of IV&V tools identified in Section 3.6 of ALS V&V Plan 6002-00003. Specifically, the test tools identified in 6002-00003 are not listed in 6116-00005 and vice versa. For example, the V&V Plan (6002-00003) identifies the ATE tool for IV&V, but this tool is not listed in 6116-0005 Rev. 1. Furthermore, the staff reviewed 6116-0005 Rev. 0, and found that the ATE tool was listed in this version. Please clarify what software tools will be used and what document describes them.

PG&E Response: A new revision of the ALS V&V Plan 6002-00003, Revision 7, Figure 3-2, identifies the ABTS and the ISE as the IV&V test tools. This new revision was docketed October 31, 2012 on the ALS platform docket. The ATE is removed from the set of IV&V test tools. The tools listed in document DCPP PPS Test Plan 6116-00005 section 8.2 and the tools listed in DCPP PPS V&V Simulation Environment Specification, 6116-10216, (to be placed on the Sharepoint by April 18, 2013 and submitted by May 17, 2013) encompass the IV&V test tools in the new revision of the ALS V&V Plan, 6002-00003.

Comments:
01/23/2013 update: This item is to remain open because the DCPP PPS V&V Simulation Environment Specification, 6116-10216, has not been submitted.
01/10/2013: See comment provided in item 40. Also, DCPP PPS V&V Simulation Environment Specification, 6116-10216, has not been submitted.
Item 48 | RA | Software V&V | Status: Closed 2/22/13

Issue Description: PG&E SyWP, Section 6, requires that anomalies detected are identified, documented, and resolved during the V&V activities. This section states that anomaly reporting and resolution requirements are defined in the respective PG&E control procedures. Section 2, "Control Procedures," does not include a reference for an anomaly reporting procedure. Please identify the PG&E control procedure used for anomaly reporting. Further, Section 7 of the SyWP states that the PG&E authority responsible for approving deviations from the SyWP is the PG&E Project Manager, who will document his/her approval in a Change Notice or equivalent formal PG&E document. Please identify where the responsible PG&E authority will document its approval.

PG&E Response:
- 1. The PG&E control procedure for anomaly reporting is OM7.ID1, "Problem Identification and Resolution." This procedure governs the PPS replacement after it has been turned over to PG&E by the suppliers. The suppliers' anomaly reporting procedures are applicable prior to this turnover.
- 2. The responsible PG&E Project Manager will document approval in a SAP notification. This has been included in revision 1 of the SyWP placed on the Sharepoint and submitted in Attachment 1 to the Enclosure of PG&E letter DCL-13-028 submitted March 25, 2013. It is noted that Section 7 of the SyWP states the deviation shall be incorporated into the SyWP as a revision at the first practical opportunity.

Comments:
New version of SyWP is on Sharepoint.
01/23/2013 update: Need to know when the new revision of the SyWP will be submitted.
12/19/12: item 2 still pending.
10/17/12 update: For item 2, PG&E will revise the SyWP and submit it on 11/30/2012.
9/17/12 update (Alvarado): NRC staff received copies of OM7.ID1 and XI1.ID2. This addressed item 1 of this open item.
Item 51.2 | Software Configuration Management | Status: Open

Issue Description:
- 1. Organization: The organization and responsibilities described in Section 4 of CF2.ID2 are not consistent with the information presented in Section 2 of SCMP 36-01. For example, Section 2 of SCMP 36-01 identifies system coordinator, application sponsor, and system team, who are not identified in Section 4 of CF2.ID2. Further, these descriptions are not identified in the project organization described in the PG&E PPS Replacement Plan (Attachment 3 of the LAR). Please clarify the roles and responsibilities for SCM, and provide a cross reference of the PG&E organizations described in these documents.

PG&E Response 12/16/2012: PG&E will revise the SCMP plan to be consistent with the CF2.ID2 section 4 organization, including a description of additional roles and responsibilities not required by CF2.ID2, if needed. The revised 36-01 document will be submitted by April 26, 2013.

Comments:
01/23/2013 update: identify date for next revision.
12/17/12 update: Waiting for PG&E to revise SCMP.
10/17/12 update: PG&E will revise the SCMP to address several open items.
Item 60 | RJS | Status: Open | RAI 39

Issue Description: (STSB/APLA) Technical Specifications: In order for the staff to make a determination that the existing technical specifications and surveillance intervals remain acceptable for the replacement PPS system, an evaluation to compare the ALS/Tricon PPS system reliability and performance characteristics with those of the Eagle 21 system must be performed by PG&E.

Please provide an evaluation summary report to support the application of existing technical specification and surveillance test intervals to the upgraded ALS/Tricon based PPS system. This summary report is expected to include a quantitative analysis to demonstrate the new system's ability to perform its required safety functions between established surveillance test intervals. This report should also include a qualitative (i.e., deterministic) analysis which describes the self diagnosis and fault detection features of the replacement PPS. In addition, this summary report should address the staff's previous findings in Section 4.3, "Applicability of WCAPs to DCPP," of Amendment No. 179, dated January 31, 2005 (ML050330315).

PG&E Response: An evaluation summary report to support application of the existing TS and TS surveillance test intervals is contained in the Westinghouse Document, "Justification for the Application of Technical Specification Changes in WCAP-14333 and WCAP-15376 to the Tricon/ALS Process Protection System" that was submitted in Attachment 9 to the Enclosure of PG&E letter DCL-13-016 dated March 7, 2013. The document provides a qualitative comparison of features important to the reliability of the Tricon and ALS subsystems and the Eagle 21 system, evaluates the applicability of the WCAP-14333-P-A, Revision 1, and WCAP-15376-P-A, Revision 1, analyses to the PPS replacement configuration, and evaluates the compliance with the staff conditions and limitations contained in the NRC safety evaluations for WCAP-14333 and WCAP-15376 and Section 4.3 of Amendments 179 and 181.

Comments:
1/16/13: Waiting for Evaluation Summary Report, which is due at end of January.
Item 64 | RA | Software Management Plan | Status: Closed | RAI 40

Issue Description: To close Items 27 and 29, PG&E issued the DCPPS Project Quality Assurance Plan to define the oversight activities to be performed during the PPS replacement project. Section 2 of this plan describes the responsibilities of those involved in oversight activities. However, it is not clear how these roles and responsibilities correlate to the project organization described in the PG&E PPS Replacement Plan (Attachment 3 of the LAR) and PG&E PPS Replacement System Quality Assurance Plan (Attachment 4 of the LAR). For example, the Project Quality Assurance Plan describes the responsibilities of the PPS replacement Project Manager, but this role is not described in other documents. Further, the responsibility described seems to align with the responsibility of the PG&E Project Manager. Please explain the relationship, if any, of the roles and responsibilities described in the DCPPS Project Quality Assurance Plan and those provided in other PG&E plans.

PG&E Response: The "Quality Assurance Plan for Diablo Canyon Process Protection System Replacement" (referred to as the "Project Quality Plan" in response to OIs 27 and 29) was a project specific document created by the Quality Verification group (a Quality Assurance organization) to identify the Quality Assurance tasks to be performed by the Quality Verification group for the project. The "Quality Assurance Plan for Diablo Canyon Process Protection System Replacement" provides the specific plan to be used by the "Supervisor Project QA" identified in Section 3.5.1 (page 19) of the SyQAP and the "Project QA Engineer or Equivalent" identified in Section 3.5.8 of the SyQAP to provide PG&E quality oversight for the project, which in part supports meeting 10 CFR 50 Appendix B quality assurance requirements for the project.

The "Supervisor Project QA" is not identified in the PPS Replacement Project Plan Figure 2-1 (PPS Replacement Project Organization) because they are not part of the Project Organization, but instead provide independent quality assurance oversight of the Project Organization.

Section 6.1, "System Quality Assurance Plan (SyQAP)," of the PPS Replacement Project Plan discusses the SyQAP, which in turn references the "Supervisor Project QA" in Section 3.5.1 (page 19) and the "Project QA Engineer or Equivalent" in Section 3.5.8 to provide PG&E quality oversight for the project.
Item 65 | RJS | KVM Switch Questions | Status: Open

Issue Description: See Attachment 3.

PG&E Response: See Attachment 3.

Item 68 | WEK | Status: Open | RAI 46

Issue Description: Please provide a detailed functional description of the DCPP PPS NSR Gateway Computer(s) system, including computers/processors, communications protocols, and data isolation details. Or, please indicate where this information is explained within the LAR and supporting documents. Also, please provide a detailed explanation of the Gateway Switch discussed within the LAR, including its operating principle (hardware, logic based, etc.), data/electrical isolation design features, and any other pertinent information pertaining to its failure mechanisms.

11-28-2012 follow up question: Figure 4-13 (Pg 87) of the LAR indicates that data communications is provided directly between the SR ALS "A" & ALS "B" Protection Sets I, II, III, and IV, and the NSR Gateway Computers via RS-422 copper media (i.e., not through the Port Tap). Section 4.8.2 b) (page 110 of the LAR) states that "...All other communication to non-safety equipment, i.e., Plant Computer, is via continuous one-way communication channels on the ALS 102." Please describe how the 1E/non-1E data communication and electrical isolation is implemented within the ALS for this configuration. Also, explain how the ALS "A" & "B" inputs to the NSR Gateway Computers are isolated from each other, and the data communication protocols associated with processing this data within the Gateway Computers.

12-19-2012 follow up question: As stated in the 12-17-2012 response below, the 1E/non-1E data communications electrical isolation is not part of the ALS topical report review. Please provide a detailed explanation of how all 1E/non-1E communications data electrical isolation between the ALS processor and NSR systems will be accomplished.

PG&E Response: The DCPP Gateway computer and Gateway switch are part of an existing system that was installed by a previous project, and therefore were not included in the scope of the changes requested for approval in the LAR. Communications from the Gateway Switch to the Tricon are functionally isolated by the Triconex Communication Module (TCM) and NetOptics Model PA-CU Network Port Aggregator Tap discussed in Tricon V10 SER Section 3.7.2.1. A fiberoptic data link provides electrical isolation.

The NetOptics PA-CU Network Port Aggregator Tap was approved for this use in the Oconee RPS SER. The PA-CU prevents inbound communications from external devices or systems connected to Port 1 of the Port Aggregator from being sent to interactive Ports A and B. The Oconee SER described the methods they used to verify that Aggregator Port 1 provides one way outbound communications only. As a transmit only device, it does not listen to and is not affected by the communications protocol (or lack thereof) of the external device or system to which it is connected.

The ability of the Port Aggregator Tap to prevent inbound communications to the Tricon from its Port 1 will be verified at the Tricon V10 FAT and the SAT as previously stated in PG&E Letter DCL-12-083 dated September 11, 2012.

Updated PG&E Response 12/12/2013: The response to OI #73 discusses the Transmit Bus TxB2 data communication path from the ALS-102 Core Logic Board to the ALS MWS. Transmit Bus TxB1 transmits data from the ALS-102 CLB to the Gateway Computer.

Both TxB1 and TxB2 are EIA-422 communication links in which Receive capability is physically disabled by hardware as described in the ALS-102 Design Specification, 6002-10202. The receiver is configured such that the transmit data is looped back for channel integrity testing. The ALS-102 is physically and electrically incapable of receiving information from outside the ALS-102 via the Transmit Busses TxB1 and TxB2. Therefore, messages are not disregarded or rejected by the ALS-102. This is better than a "broken wire." The wire just isn't there, and there is no place to connect a wire if someone wanted to do so.

Updated WEC Response 12/17/2012: The 1E/non-1E data communication is described in the ALS Topical Report, Sections 2.2.1.3 and 5.3.2, and in 6116-00054, "Diablo Canyon PPS ISG04 Matrix", Position 2. The electrical isolation qualification of the 1E/non-1E data communication is not part of the ALS Platform review project, and will be qualified with an isolation fault test that will be conducted 1st quarter 2013 per IEEE Std 384-1992, "IEEE Standard Criteria for Independence of Class 1E Equipment and Circuits," and Regulatory Guide 1.75, "Criteria for Independence of Electrical Safety Systems." A supplemental test report will be issued 2nd quarter 2013.

Comments:
12-19-2012 update: Response did not answer the question about providing a functional description of the DCPP PPS NSR Gateway computers. The staff needs to understand how the Gateway computer and the Gateway Switch communication protocols will not corrupt the data signals coming from the ALS Protection Sets 1-4 and not impact the execution of the ALS safety function. A detailed response to this question is needed in the LAR or supporting documents. See 12-19-2012 followup question re: electrical isolation for the DCPP PPS ALS.
11-28-12 update: See 11-28-2012 follow up question.
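The one-way property the PG&E response above relies on (Port 1 of the aggregator tap emits copies of the A/B traffic but has no receive path into Ports A and B, to be verified at FAT/SAT) can be written down as an explicit acceptance check. The following is an added example, not code from PG&E, Westinghouse, Invensys or NetOptics, and not a model of the real PA-CU hardware: the tap class, the port names, the frames and the "defective tap" variant are constructed assumptions. It shows how an acceptance test for a unidirectional path is phrased as assertions on observable egress, and runs the same check against a deliberately mis-wired tap model so the check is seen to fail rather than pass vacuously.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Frame:
    """One constructed link-layer message (labels are illustrative only)."""
    src: str
    dst: str
    payload: bytes


class PortAggregatorTap:
    """Hypothetical model of a transmit-only aggregation tap.

    Ports 'A' and 'B' are the interactive ports: a frame entering one
    leaves the other.  Port '1' only emits copies of the A<->B traffic.
    A frame injected into Port 1 has no receive path and is discarded,
    unless passes_inbound=True, which models a defective or mis-wired
    unit so that the verification harness can be shown catching it.
    """

    def __init__(self, passes_inbound: bool = False) -> None:
        self.passes_inbound = passes_inbound
        self.egress: Dict[str, List[Frame]] = {"A": [], "B": [], "1": []}
        self.dropped: List[Frame] = []

    def inject(self, port: str, frame: Frame) -> None:
        if port == "1":
            if self.passes_inbound:          # defect: monitor port feeds A and B
                self.egress["A"].append(frame)
                self.egress["B"].append(frame)
            else:                            # normal: no receive path exists
                self.dropped.append(frame)
            return
        peer = "B" if port == "A" else "A"
        self.egress[peer].append(frame)      # pass-through between A and B
        self.egress["1"].append(frame)       # monitor copy out of Port 1


def verify_one_way(tap: PortAggregatorTap,
                   legit: List[Tuple[str, Frame]],
                   probes: List[Frame]) -> Dict[str, object]:
    """Acceptance check: legitimate A/B traffic must appear on Port 1,
    and nothing injected on Port 1 may ever appear on Port A or B."""
    for port, frame in legit:
        tap.inject(port, frame)
    for frame in probes:
        tap.inject("1", frame)
    leaked = [f for f in tap.egress["A"] + tap.egress["B"] if f in probes]
    mirrored = all(f in tap.egress["1"] for _, f in legit)
    return {
        "inbound_blocked": not leaked,
        "mirror_complete": mirrored,
        "leaked": len(leaked),
        "dropped": len(tap.dropped),
    }


# Constructed sample traffic.  Device names are placeholders, not the
# plant's actual addressing.
LEGIT = [
    ("A", Frame("controller", "workstation", b"status-0001")),
    ("B", Frame("workstation", "controller", b"ack-0001")),
]
PROBES = [
    Frame("external", "controller", b"write-request"),
    Frame("external", "controller", b"\x00" * 8),
]


def run_checks() -> Tuple[Dict[str, object], Dict[str, object]]:
    """Run the check against a conforming tap and a defective one."""
    good = verify_one_way(PortAggregatorTap(), LEGIT, PROBES)
    bad = verify_one_way(PortAggregatorTap(passes_inbound=True), LEGIT, PROBES)
    return good, bad


if __name__ == "__main__":
    good, bad = run_checks()
    print("conforming tap:", good)   # inbound_blocked True, 2 probes dropped
    print("defective tap:", bad)     # inbound_blocked False, 4 leaked copies
```

The harness counts every probe copy that reaches an interactive port, so a partial defect (one direction leaking) is still reported as a failure; the mirror check is separate because a tap that blocks everything, including the monitor copies, would also be unfit for purpose.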
69 I WIEK Please provide a detailed explanation of the application programs contained Open RAI47 12-19-2012 update:
within the Tricon and ALS MWiS computers; including how they will be used The DCPP PPS to supports or enhances the performance of the PPS safety function, ALS MWiS will not provide required maintenance, surveillance, etc. Or, please indicate where be approved via the this information is explained within the LAR and supporting documents. ALS topical report.
Therefore, the information requested is 1/24/2013 Updated PG&E Response: needed to address The non-safety communications between the PPS controllers and their the regulatory respective, dedicated MWiS units improve PPS maintainability and thus criteria of ISG-04, reliability, and enabling on-line surveillance testing, calibration, and Position 1, Point 3.
maintenance. Risk of challenging plant safety systems is reduced through Wl/ALS document the ability to test in bypass rather than requiring test in trip. 6116-00054, Rev.
0, Diablo Canyon The online Tricon and ALS non-safety communications capability provide PPS ISG-04 Matrix, real-time, online data and status information on the Plant Process Computer does not address and in the Control Room that are required to perform maintenance, this subject in its calibration and testing. Wlithout the online data links from the Tricon and response to Point ALS to the MWiS and the Plant Process Computer/Plant Data Network, only
- 3. Please address the control board indicators and recorders would be available to provide a this question for "window" on the PPS. System trouble alarms would still be generated by ALS.
the PPS on the Main Annunciator System, but without the alarm monitor Tricon response is and other data display capabilities provided by the MWlS, there would be no acceptable. Please direct means to determine the specific cause of an alarm.
add this to the Lack of access to real-time, continuous, on-line PPS status data and LARlTricon V10 diagnostic information introduces delay into PPS trouble identification and ISG-04 compliance resolution, and substantially degrades the maintenance effectiveness and matrix document.
timeliness enabled by the diagnostic features built into the platforms and the application programs. The ability to make online use of the information 11-28-12 update: I
March 25, 2013 ~~
DCPP PPS Open Item Summary Table Page 10 of 32 No SrclRI Issue Description P&GE response: Status RAINa. RAJ Comments (Date Sent) Response (Due Date)
, provided by redundant, real-time data communications to the MWS and to Additional the plant process computer improves PPS reliability and thus supports and clarification was enhances safety through providing timely diagnostic information and status provided, so the details that assist performance of required trouble-shooting, maintenance, question was and surveillance activities. rephrased.
The network switches between the Port Aggregator taps and the MWS ensure that Tricon multicast operation will continue if the Tricon MWS were to cease communications. The network switches are redundant to ensure continued Tricon multicast operation on failure of a single Tricon network link.
The application programs contained in the ALS and Tricon MWS units provide the following functionality:
A. Westinghouse/CSI ALS Maintenance Workstation The on-line ALS MWS is required to maintain the ALS, including surveillance testing per the Technical Specifications calibration, and other required maintenance, and is similar in effect to the existing, approved Test in 8ypass capability. The diversity design of the ALS enables either (but not both) Chassis uN or Chassis "8" in a protection set to be bypassed for maintenance or testing while the other chassis remains fully operational (Although, in the bypassed condition, certain post-accident monitoring functions may not be available; this may be controlled administratively).
Without the flexibility provided by the ALS diversity design, Technical Specifications would require tripping all the channels associated with the chassis when removing a given protection set ALS chassis from service. In turn, this would make up one channel in the coincidence logic for all channels in the affected ALS protection set. Such action increases the risk of inadvertently challenging plant safety systems were another channel to trip with the ALS protection set out of service.
- 1. Microsoft Windows ' XP Service Pack 3 operating system
-------- ..~
March 25, 2013 DCPP PPS Open Item Summary Table Page 11 of 32 I No SrclRI I Issue Description P&GE response: RAt CommfmtS
Response
(Due
- 2. ALS Service Unit (ASU) Application The ALS MWS will utilize Microsoft Windows TM based Westinghouse/CSI ALS Service Unit (ASU) software that is described in the ALS Topical Report Section 2.6.3.
The ALS Service Unit (ASU) is the primary tool used when accessing a particular ALS system in operation. Jrhe ASU provides plant personnel access to advanced features of the ALS system such as system diagnostics, post-trip analysis, monitoring real-time operation, and assistance in performing user-initiated test, calibration and maintenance operations.] ., Comment [WEKl]: The functional deScription of these features are good. However, this The DCPP PPS Replacement MWS will be mounted permanently in the discussion should be expanded to explain how these features and information" supports or PPS rack containing the PPS in a manner similar to that shown in ALS enhances execution of the safety function" for the PPS?? Explain how the continuous Topical Report Figure 2-25; however, ASU functions that use interactive availability and use of this data is consistent Test ALS Bus (TAB) communications will be available: (1) only when the with ISG-04, Position 1, Point 3.
TAB is physically connected to the ALS MWS by qualified personnel under administrative controls; and (2) only on one ALS "An or "Bn subsystem at a time.
The TAB from ALS-102 Chassis "An and Chassis "B" is provided with individual EIA-485 ports on the ALS Maintenance Workstation computer.
The ASU ensures that the correct TAB is connected to the respective EIA 485 port when the TAB is enabled.
The main features of the ASU are:
State Information - Provides monitoring of real-time operation, including all 110 signals as well as detailed status information from debugging registers. :rhe advanced monitoring capabilities enable fast system diagnostics and troubleshooting.1 <. (Q-,mment (WEK2]: Good explanation! "" J System and Board Information Provides detailed information about the configuration of an ALS system, including board FPGA programming, board build information, and board configuration.
March 25,2013 DCPP PPS Open Item Summary Table Page 12 of 32 No I Src/j ~I Issue Description P&GE response: Status RAI No. RAI Comments (Date Sent) Response (Due Date)
- Blackbox - ASU includes a so-called "blackbox" functionality where all events of an ALS system are transmitted by the ALS-102 CLB Transmit Bus TxB2 to the ASU for storage and subsequent retrieval. This allows plant personnel to inspect the ALS system's reaction to a past event.
The blackbox function enhances ALS reliability and therefore safety by helping to reduce the time required to pinpoint the cause of a series of events. The ASU must be connected to the ALS via the Transmit Bus TxB2 during an event in order to capture and store the event via the blackbox function. Given the difficulty in predicting when an event will occur, the ASU should be connected to the ALS chassis via Transmit Bus TxB2 and receiving data during online operation in order to benefit from this capability.
Comment [WEK3]: Good explanation!
- Test - Application-specific periodic surveillance tests can be implemented to be performed through the ASU. Based on the needs of the application, features may be implemented in the CLB that allow surveillance testing to be performed and/or monitored through the ASU.
- Calibration - The ASU is used to read out and change application Setpoints and channel calibration coefficients. The CLB holds the application Setpoints and, according to the application, it will allow the ASU to modify these Setpoints. The ASU is also used during input/output channel calibration, where it is used for selecting the board and board channel to be calibrated and to change calibration coefficients based on the readings received on an external calibrator.
Operation of the ASU is passive and non-intrusive, i.e., it can only modify the safety system tunable parameters stored in NVM for which it is designed (i.e., input/output calibration coefficients, setpoints and tuning constants). It is not possible to modify the safety algorithm or logic using the ASU. All communications initiated by the ASU take place on the TAB, and only when the TAB is physically connected between a protection set ALS and its dedicated MWS. No RAB interruption is possible, effectively isolating the ASU from ALS safety functions.
- 3. ALS Parameter Display
The ASU also provides a passive parameter display function using the one-way ALS-102 EIA-422 Transmit Bus TxB2. The ALS parameter display function allows the MWS to display parameters transmitted to it online by the one-way TxB2 transmit bus described in ALS Topical Report Section 2.2.1.3.
Comment [WEK4]: The functional description of the ALS Parameter Display is good. However, as stated previously, this discussion should be expanded to explain how the information provided by this display system will be used to "support or enhance execution of the safety function" for the PPS?? Explain how the continuous availability and use of this data is consistent with ISG-04, Position 1, Point 3.
The parameter display function does not require the TAB to be connected.
The ASU parameter display function is a Visual C++ based application developed for the Microsoft Windows API using Microsoft Foundation Class (MFC) libraries to provide graphical user interfaces for displaying ALS system status on the MWS and for providing user controlled access to the ALS controllers for performing maintenance operations such as calibration.
Upon start-up, the application establishes a dedicated serial port connection to the MWS RS-422 serial communication card port that is connected to the ALS-102 unidirectional one-way TxB2 output in each ALS chassis "A" and "B". These dedicated MWS serial ports receive ALS system status at a rate of 10 Hz (i.e., once every 100 ms).
Upon establishing the dedicated serial port connection on the MWS, the ASU parameter display function spawns a software thread to receive, validate, and store the data received from the respective ALS-102 TxB2.
Validation of the received data consists of checking the packet header contents, checking packet length, performing a CRC check on the packet contents, and then comparing the calculated CRC with the CRC inside the TxB2 packet. If the data received by the parameter display application is invalid (i.e. invalid CRC), the application indicates the issue on its graphical user interface (GUI) and an entry is made in the application status log. If the data received by the parameter display application is valid, the application records the ALS system status in a data class which contains methods that are called by different GUI to extract and display the specific ALS system status.
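As an added illustration (not code from the LAR, from the ASU application, or from any of the parties named here), the Python sketch below implements the receive-side checks the paragraph above lists for a one-way status stream: header check, length check, a CRC computed over the packet contents and compared with the CRC carried in the packet, with rejected packets noted in the application status log and accepted ones stored in a data class the GUI reads through accessor methods. The frame layout, CRC parameters and payload fields are assumptions constructed for this example; the page does not give them.

```python
"""
Receiver-side validation of a status stream from a transmit-only source.
Mirrors the order of checks described for the TxB2 receive thread:
header, length, CRC over contents, compare with carried CRC, log on reject.

The frame layout (sync + length byte + payload + CRC-16), the CRC
parameters, and the payload fields are constructed assumptions.
"""
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SYNC = b"\xA5\x5A"   # assumed 2-byte packet header
CRC_LEN = 2          # assumed CRC-16 trailer, big-endian
MAX_PAYLOAD = 64     # assumed upper bound on declared payload length


def crc16_ccitt(data: bytes, init: int = 0xFFFF) -> int:
    """CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF), computed bitwise."""
    crc = init
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def build_packet(payload: bytes) -> bytes:
    """Frame a payload the way the assumed transmit side would:
    header, length byte, payload, then CRC over header+length+payload."""
    body = SYNC + bytes([len(payload)]) + payload
    return body + struct.pack(">H", crc16_ccitt(body))


@dataclass
class AlsStatus:
    """Validated status record; GUI views call accessors, never raw bytes."""
    cycle: int
    trouble_flags: int
    channel_values: Tuple[int, ...]

    def trouble_active(self) -> bool:
        return self.trouble_flags != 0


@dataclass
class StatusReceiver:
    """State of the receive thread: last good status plus the status log."""
    last_good: Optional[AlsStatus] = None
    status_log: List[str] = field(default_factory=list)
    accepted: int = 0
    rejected: int = 0

    def validate(self, packet: bytes) -> str:
        """Return 'ok' or the first failing check, in the order described."""
        if len(packet) < len(SYNC) + 1 + CRC_LEN:
            return "short packet"
        if packet[:len(SYNC)] != SYNC:
            return "bad header"
        declared = packet[len(SYNC)]
        expected_len = len(SYNC) + 1 + declared + CRC_LEN
        if declared > MAX_PAYLOAD or len(packet) != expected_len:
            return "length mismatch"
        body, trailer = packet[:-CRC_LEN], packet[-CRC_LEN:]
        if crc16_ccitt(body) != struct.unpack(">H", trailer)[0]:
            return "invalid CRC"
        return "ok"

    def receive(self, packet: bytes) -> bool:
        """Validate one packet; store it if good, otherwise log and drop it."""
        reason = self.validate(packet)
        if reason != "ok":
            self.rejected += 1
            self.status_log.append(f"TxB2 packet rejected: {reason}")
            return False
        payload = packet[len(SYNC) + 1:-CRC_LEN]
        # assumed payload layout: u16 cycle counter, u8 trouble flags,
        # then one u16 per channel value
        cycle, flags = struct.unpack_from(">HB", payload)
        n_channels = (len(payload) - 3) // 2
        values = struct.unpack_from(">" + "H" * n_channels, payload, 3)
        self.last_good = AlsStatus(cycle, flags, values)
        self.accepted += 1
        return True


def demo() -> StatusReceiver:
    """Feed one good frame and three constructed bad ones through the receiver."""
    rx = StatusReceiver()
    good = build_packet(struct.pack(">HBHH", 1234, 0, 512, 768))
    corrupted = bytearray(good)
    corrupted[5] ^= 0x01          # flip one payload bit -> CRC no longer matches
    truncated = good[:-1]         # last byte lost -> declared length disagrees
    bad_header = b"\x00\x00" + good[2:]
    for pkt in (good, bytes(corrupted), truncated, bad_header):
        rx.receive(pkt)
    return rx
```

The three rejection paths are distinct, so a status log that shows only "invalid CRC" entries points at line noise, while "length mismatch" entries point at framing or serial timing.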
Malfunctions of the ASU parameter display function cannot adversely affect ALS safety system operation because EIA-422 communications between the ALS and the ALS MWS via TxB2 are strictly one-way from the ALS-102 to the ALS MWS, and the EIA-485 TAB is physically disconnected except for brief periods when the TAB for either ALS "A" or "B" is connected to the MWS for maintenance under administrative control by trained technicians.
- 4. One-way TxB1/TxB2 Communications
Transmit Bus TxB1 transmits data from each ALS chassis "A" and "B" ALS-102 CLB to the Gateway Computer. Transmit Bus TxB2 transmits data from each ALS chassis "A" and "B" ALS-102 CLB to dedicated EIA-422 ports on the ALS MWS. Both TxB1 and TxB2 are EIA-422 communication links in which Receive capability is physically disabled by hardware as described in the ALS-102 Design Specification, 6002-10202.1. The receiver is configured such that the transmit data is looped back for channel integrity testing. The ALS-102 does not disregard or reject external messages; rather, the ALS-102 is physically and electrically incapable of receiving external messages via the Transmit Busses TxB1 and TxB2. In effect, this is the same as the data isolation achieved by a "broken wire." Interdivisional communications between the MWS and the ALS are also described in ALS Topical Report section 5.3.
Comment [WEK5]: Should be 6002-10202. Please go through all references to this document within the LAR, this OI Matrix and ALS supporting documents and correct this typographical error.
Comment [WEK6]: A graphical depiction of this feature will be needed to fully explain this feature in the SE. Hopefully, 6002-10202 provides graphical illustrations of how this circuit is configured to better understand this. If not, please provide this information in response to this question.
- 5. TAB Disconnect
TAB communications are enabled by physically connecting the TAB to the respective MWS EIA-485 port under administrative control by trained technicians. TAB communications are disabled when not needed by physically disconnecting the TAB from the MWS. The ASU is connected to and communicates with the ALS via the TAB only when required to calibrate the ALS, normalize RCS flow coefficients, perform surveillances required by Technical Specifications, as well as to troubleshoot and otherwise maintain the ALS. The diverse ALS subsystem whose TAB has not been enabled will continue to perform its safety function without impact. An ALS trouble alarm is initiated on the Main Annunciator when the TAB is enabled. The non-safety communications provided by the Transmit busses will allow the operator to ascertain quickly the cause of the alarm, if the operator is not already aware of the maintenance activity being performed under procedural control.
TAB communications are described in ALS Topical Report Section 5.2.
- 6. Electrical Isolation
The Transmit Bus TxB1 and TxB2 1E/non-1E data communication is described in the ALS Topical Report, Sections 2.2.1.3 and 5.3.2; and in 6116-00054, "Diablo Canyon PPS ISG04 Matrix", Position 2. The electrical isolation of the Transmit Busses is performed by magnetic couplers located on the ALS-102 CLB. The TxB isolators are described in 6002-10202, "ALS-102 Hardware Design Specification," Section 3.9.1.
Fault isolation occurs by way of board-mounted transient voltage suppressors, board-mounted fuses, and external fuses.
Qualification of the 1E/non-1E data communication is not part of the ALS Platform review project, and will be qualified with an isolation fault test that will be conducted 1st quarter 2013 per IEEE Std 384-1992, "IEEE Standard Criteria for Independence of Class 1E Equipment and Circuits" and Regulatory Guide 1.75, "Criteria for Independence of Electrical Safety Systems." A supplemental test report will be issued 2nd quarter 2013.
B. Triconex Maintenance Workstation
The Tricon MWS will implement four Microsoft Windows-based application programs: (1) Invensys WonderWare InTouch PPS application; (2) TriLogger; (3) Tricon Diagnostic Monitor; and (4) TriStation 1131 (TS1131) Developers Workbench Version 4.9.0.
- 1. Microsoft Windows XP Service Pack 3 operating system
- 2. WonderWare InTouch PPS Application
The WonderWare InTouch application provides online display of selected PPS internal parameters and trouble alarm details. The WonderWare InTouch application also is used for maintenance of individual PPS instrument channels in conjunction with the hardwired OOS switches that have been discussed in the response to other Open Items. The MWS WonderWare InTouch application will be the tool normally used to determine the specific cause of an alarm. The Main Annunciator System only displays system level alarms. The MWS InTouch application contains an alarm monitor, which is a troubleshooting aid that provides a detailed, specific display of the alarms generated by the Tricon PPS application.
- 3. Non-Safety Tricon Communications Communications from the Tricon to external non-safety systems are functionally isolated by the Triconex Communication Module (TCM) and NetOptics Model PA-CU Network Port Aggregator Tap discussed in Tricon V10 SER Section 3.7.2.1. A fiberoptic data link provides electrical isolation.
The PA-CU prevents inbound communications from external devices or systems connected to Port Aggregator Port 1 from being sent to interactive Ports A and B. Port 1 is a transmit-only port that does not listen to and is not affected by the communications activity generated by the external device or system to which it is connected.
Port Aggregator port 1 will provide one-way data to the Gateway Computer via the Gateway Switch. The Gateway Computer transmits the data to the Plant Process Computer for use in the Control Room by the operators. The Gateway Computer and Gateway Switch were installed by another project.
The Plant Process Computer is an existing system.
- 4. Triconex TriLogger The TriLogger software provides the ability to record, display, play back and analyze data from the Tricon system. Data can be viewed in real-time on the MWS. The TriLogger provides data trending and analysis capabilities and can be configured to trigger on specific events to log detailed data to aid technicians in isolating, diagnosing, and troubleshooting problems.
However, the TriLogger must be connected and running at all times to perform these functions.
- 5. Tricon Diagnostic Monitor Utility The Tricon Diagnostic Monitor utility displays Tricon system and module status by mimicking the actual Tricon chassis and slots, so that the user can find the exact location (chassis number and slot number) of a module that may be experiencing a fault or other problem. The Tricon Diagnostic Monitor Utility improves reliability by aiding rapid troubleshooting and fault location at the Tricon system level.
- 6. Startup Delayer Startup Delayer delays WonderWare startup until DDE Server has initialized. Otherwise, WindowViewer may startup first and never connect to DDE Server.
- 7. TriStation 1131 (TS1131) Developers Workbench TriStation 1131 is a PC-based application development workstation that provides a comprehensive set of development, test, monitor, validation and diagnostic tools for Triconex Programmable Logic Controllers (PLC). The TS1131 program is utilized to maintain the PPS application program and may also be used for monitoring and troubleshooting purposes. The TS1131 program is described in the Tricon V10 SER Section 3.1.3.2.
The TS1131 tool will be installed on the MWS. However, the TS1131 tool will not normally be running while the Tricon is performing its safety function
[Tricon V10 SER Section 3.10.2.9]. If the TS1131 workstation is connected during online safety operation for maintenance or troubleshooting purposes, its use will be controlled via administrative controls and qualified maintenance personnel.
Write access to the operating Tricon is governed by the controller keyswitch.
With the keyswitch in the RUN position, use of the TS1131 program is limited to read-only access to the Tricon. Parameters may be examined, and application program logic operation may be observed in real time, but changes are not possible. The TS1131 program can only write to the Tricon when the controller keyswitch is in the PROGRAM position. With the keyswitch not in RUN, the PPS application will initiate an alarm on the Main Annunciator system and the affected PPS set will be declared inoperable with respect to its safety function.
Regardless of whether the keyswitch has been deliberately manipulated or whether the condition is the result of Tricon hardware or software failure, the internal Tricon diagnostics will detect a "keyswitch not in RUN" condition and the PPS application program will initiate a PPS Trouble alarm on the Main Annunciator System. When the "keyswitch not in RUN" condition exists, the affected Tricon is considered to be INOPERABLE with respect to its safety function. The operator would enter the appropriate Technical Specification LCO upon determination that the PPS trouble alarm was caused by the "keyswitch not in RUN" condition.
The condition could be active in multiple Tricon protection sets because it could occur as a result of common cause Tricon failure. Even with the "keyswitch not in RUN" condition existing in multiple protection sets, negative impact is limited because on-line maintenance will normally be performed in one protection set at a time, and each Tricon protection set has its own dedicated, independent MWS. Therefore, only one Tricon protection set at a time would be configured physically to make software changes. If the TS1131 is not connected and running, changes cannot occur even if the "keyswitch not in RUN" condition exists. That is, the mere existence of the "keyswitch not in RUN" condition does not initiate changes.
Intentional action by a trained, knowledgeable individual is also required.
Given the PPS trouble alarms that would be active in all affected protection sets, it is highly unlikely that unintended changes could occur.
If a PPS Trouble alarm were to occur on the Main Annunciator System due to the "keyswitch not in RUN" condition, regardless of the cause, the operator would notify DCPP Maintenance. In the absence of the detailed alarm monitoring provided by an on-line MWS (via the TCM NET2 interface), the maintenance technicians would be required to obtain work orders, gain access to the affected protection set, connect and boot the MWS, and only then could begin to determine the cause of the alarm. The alarm information would not be available if the alarm were due to a transient condition that cleared between the time the condition initiated and when the MWS was operational. Diagnosis of the condition could be delayed for several hours. With the on-line MWS and the alarm monitor function, the condition - whether caused by intentional manipulation of the Tricon controller keyswitch or by a hardware or software failure involving the keyswitch - would be identified immediately.
As with the ALS, the on-line Tricon MWS is essential to maintain the Tricon safety function, including surveillance testing per the Technical Specifications and other required maintenance, and is equivalent to the existing, approved Eagle 21 Test in Bypass capability. The MWS is required to bypass channels for testing. Removing a Tricon from service during such routine maintenance would require tripping all the channels in that protection set, which would make up one channel in the coincidence logic for all channels in the protection set. This condition increases the risk of challenging plant safety systems should another channel trip inadvertently with the protection set out of service.
70 WEK KVM Switch Question 1 (Status: Open; RAI No.: RAI 48)
Issue Description: The KVM Switch brochure indicates on page 3 that the Enumeration switching process will not enable control switching using the USB keyboard or mouse. However, it further states that Emulation USB switching was developed to support these enhanced monitor switching functions/devices (keyboard hotkeys or mouse buttons). Will the Enumerated USB switching function be used in the PPS design? If so, then will the Keyboard hotkeys and mouse buttons be used to perform switching between the Tricon MWS and the ALS MWS? Please clarify how the KVM switching function will be accomplished and controlled during PPS system operation and maintenance. Also, please submit technical information pertaining to the operation of the KVM switch for review by the staff.
PG&E Response: The USB1 and USB2 ports, which use enumerated switching, pass data straight through the KVM switch without interpretation. Therefore, you cannot connect a keyboard to USB1 or USB2 and use the hotkeys to perform switching, and USB1 and USB2 traffic cannot cause an inadvertent switch. The block diagram shows the output of the emulated portion of the switch and the enumerated portion going to a USB hub before being sent to the computer. The keyboard and mouse will use the emulated switching function, not the enumerated switching function; only the keyboard and mouse can control the switch.
NRC Comments: 11-28-12 update: Response Okay. Leave open until the KVM Switch information is provided within the LAR revision.
71 WEK KVM Switch Question 2 (Status: Open; RAI No.: RAI 49)
Issue Description: Will the KVM switch be on-line 24-7 while the MWS's are monitoring data from either the Tricon or the ALS platform? If so, please provide a failure modes and effects analysis for the KVM switch? Can it fail in such a manner so as to inject faults into the MWS computers, and hence into the Tricon or ALS safety system processors? If not, why? If so, what can be done to circumvent this problem, and show conformance with ISG-04, Points 10 & 11? We will need to cover this matter in the SER.
10-17-12 Update: Response below did not answer the question regarding failure modes of the KVM switch ... agree that it is Okay to lose the Tricon but I do not see how the ALS is protected due to its "inherent 1-way communications" design. Please explain this further.
12-19-2012 Update question: In order for the staff to verify the response below regarding the ALS-102 Core Logic Board's one-way communications protocol, the staff will need to review the ALS-102 Design Specification document 6002-10202, and any other documents that explain this key design feature for the ALS Platform portion of the PPS (e.g., 6116-00100, PPS ALS to ASU Communications Protocol??). ALS document 6002-10102 has not been submitted on the docket for staff review of the ALS Platform Topical Report. Therefore, please submit this document (and any others that explain this communications protocol) on the docket as part of the PPS LAR review.
PG&E Response: The KVM switch will be on-line 24-7 for monitoring data from either the Tricon or ALS platform via the respective MWS computers. There is additional isolation because the ALS communicates strictly one way to its MWS except when TAB communications are enabled by connecting the TAB cable. Connection of the TAB is performed as directed by a trained technician using an approved procedure. Therefore, if the KVM switch failed in some way to connect the two MWS together, the ALS would not be affected. The Tricon might be affected, but the D3 analysis allows the Tricon to fail due to CCF.
The following paragraphs have been added to the IRS Section 2.3.7:
- b. The KVM switch shall permit only connections between a single computer and the selected video display and HMI interface devices. Connection between the computers shall not be permitted.
- g. The AV4PRO-VGA KVM switch shall utilize the default switching mode, in which the video display, keyboard and mouse and the enumerated USB ports are all switched simultaneously.
Paragraph g was necessary to prevent the enumerated ports from being switched separately from the KVM.
Added PG&E Response 12/16/2012: During normal, non-maintenance operation, the ALS communicates one way to its dedicated MWS computer via Transmit Bus TxB2 as discussed in the response to OI #73. Inter-divisional safety to non-safety communications are addressed in ALS Topical Report Section 5.2.3. The TxB2 data communication path from the ALS-102 Core Logic Board to the ALS MWS computer is an EIA-422 communication link in which Receive capability is physically disabled by hardware as described in 6002-10202, the ALS-102 Design Specification. The receiver is configured such that the transmit data is looped back for channel integrity testing. The ALS-102 is physically and electrically incapable of receiving information from outside of the ALS-102. Therefore, the ALS cannot be affected by a malfunction in the dedicated MWS computer associated with an ALS protection set regardless of whether the malfunction is caused by KVM switch malfunction or by malfunction of the MWS computer itself.
WEC Response 12/17/2012: The 1E/non-1E data communication is described in the ALS Topical Report, Sections 2.2.1.3 and 5.3.2; and in 6116-00054, "Diablo Canyon PPS ISG04 Matrix", Position 2. The electrical isolation qualification of the 1E/non-1E data communication is not part of the ALS Platform review project, and will be qualified with an isolation fault test that will be conducted 1st quarter 2013 per IEEE Std 384-1992, "IEEE Standard Criteria for Independence of Class 1E Equipment and Circuits" and Regulatory Guide 1.75, "Criteria for Independence of Electrical Safety Systems." A supplemental test report will be issued 2nd quarter 2013.
NRC Comments: 12-19-2012 update: Hold. The staff will review 6002-10202 and determine if this document provides the information requested. Nonetheless, PG&E needs to address the inherent 1-way communications design and communications protocol of the design attributes of the ALS-102 board in detail within this OI as it relates to the DCPP PPS. Also, need to update the LAR to cover the portions not being addressed in the ALS TR SER, i.e., 1E/non-1E data communications electrical isolation for ALS. See follow-up question for OI 68.
11-28-12 update: ISG-04 compliance was submitted, and Westinghouse thinks that this will answer this question. PG&E needs to respond to 10-17-12 update in the description section. Leave open until the KVM Switch information is provided within the LAR revision.
10-17-12 Update: Note: "IRS" is the Interface Requirements Specification (Attachment 8 of the LAR).
72 WEK KVM Switch Question 3 (Status: Open; RAI No.: RAI 43)
Issue Description: Also, you will likely need to address how you will disable the features you are not using such as the audio interface, unused USB ports, remote control/channel switching by external control from an SDOE perspective - and probably a cyber security perspective later on (after the LAR).
10-17-12 Update: The methods used to block Ports in the KVM Switch must be addressed in the LAR revision. Block all unused Ports and keep any that may need to be reopened under design or configuration control. Again, we need a detailed explanation of how this 1-way design feature will prevent the KVM switch failures from affecting the ALS system.
PG&E Response: Specific answers to these questions depend on the detailed design. Ports can be physically blocked, which might be appropriate for unused computer ports and the audio ports. It might not be appropriate for the unused USB port (which may be needed for a future printer) and the options port (which may be needed for firmware updates). Remote control switching or firmware update requires a custom serial cable. The firmware update requires specialized software on the computer being used to perform the update. Firmware update will be done by procedure. The MWS will be inside a locked cabinet inside a vital area inside the protected area.
Inadvertent actions, while not impossible, will not be easy. If the switch is somehow manipulated, the ALS will not be affected even if the KVM switch fails because the ALS communicates only one-way with the MWS except for short periods when the TAB is enabled.
Revised PG&E Response 12/16/2012: PG&E will physically block the audio port, USB Port 2 and unused computer ports. Physical blocks will be verified at SAT and controlled thereafter by the SCMP. PG&E considers that opening any of the unused ports for use after the SAT is a modification of the physical plant configuration that will require an engineering design change.
NRC Comments: 12-19-2012 update: Response acceptable; however, this information needs to be provided in the LAR (or the next LAR update), or it could be included in the SER. Need to decide which path is desired. Also, address how this will be maintained by the DCPP Configuration Management Process.
11-28-12 update: Respond to 10-17-12 update in the description section. Leave open until the KVM Switch information is provided within the LAR revision.
73 WEK KVM Switch Question 4 (Status: Open; RAI No.: RAI 44)
Issue Description: If the KVM switch does fail in some manner allowing data flows between the two platforms, then the ALS system would not be affected because the ALS platform will only transmit data in one direction to its MWS (with the TAB cable disconnected of course). This is good; however, the LAR (or attachments) need to explain how the engineering design principles of the ALS platform physically prevent bad/erroneous data from corrupting the ALS platform. In other words, explain how these messages emanating from the MWS (regardless of origin) will be disregarded/rejected by the ALS platform, thus allowing only one direction of data flow.
10-17-12 Update: The ALS-102 Design Specification document 6002-10202 has not yet been submitted to the NRC. When will it be submitted?? Will this EIA-422 (or is it RS-422 per Fig. 4-13 in the LAR) communication link (twisted pair copper wire) also serve as the 1E/non-1E isolation devices as required by IEEE 603, Clause 5.6.3 and IEEE 7-4.3.2, Clause 5.6?? Please clarify.
11-28-2012 Update: Still need more information re: 1E/non-1E isolation of the ALS-102 board.
PG&E Response:
Revised PG&E Response 12/16/2012: The design of the TxB1 and TxB2 data communication paths from the ALS-102 Core Logic Board to the Gateway Computer and MWS, respectively, are EIA-422 communication links in which Receive capability is physically disabled by hardware as described in 6002-10202, the ALS-102 Design Specification. The receiver is configured such that the transmit data is looped back for channel integrity testing. The ALS-102 is physically and electrically incapable of receiving information from outside the ALS-102. Therefore, messages are not disregarded or rejected by the ALS-102. This is better than a "broken wire." The wire just isn't there, and there is no place to connect a wire if someone wanted to do so.
Updated PG&E Response 12/16/2012: Per the 10/17/2012 update, NRC is correct regarding the typographical error in Section 2.4.13.5 on page 90 of the LAR. The correct ALS-102 Design Specification document number per LAR Reference 94 is 6002-10202.
Per the 11/28/2012 update, RS-422 is the common short-form title of American National Standards Institute (ANSI) standard ANSI/TIA/EIA-422-B, Electrical Characteristics of Balanced Voltage Differential Interface Circuits. This technical standard specifies the electrical characteristics of the balanced voltage digital interface circuit. For the purposes of the LAR, the two designations are equivalent and may be used interchangeably.
The document 6002-10202, in reference 94, is the correct document.
NRC Comments: 12-19-2012 update: Hold. As discussed in the 10-17-2012 update for this OI, and the 12-19-2012 Follow-up Question for OI 71, the staff needs ALS Design Specification document 6002-10202 submitted for its review in order to resolve this OI. This OI will be placed on Hold until the documents are received on the docket.
11-28-2012 update: PG&E needs to respond to 11-28-12 update in the description section. PG&E needs to respond to 10-17-12 update in the description section.
10-17-12 Update: There is a typo in section 2.4.13.5 on page 90 of the LAR. The first paragraph references ALS doc. 6002-61202 (typo) as the document that explains how the EIA-422 communication channels on the ALS-102 are electrically isolated and inherently 1-way communications capability only.
74 WEK KVM Switch Question 5 (Status: Open; RAI No.: RAI 50)
Issue Description: Please explain in detail how connection between the MWS computers via the KVM switch will be prevented. Will this be handled via a configuration control process, administrative controls, or a physical means of preventing connection between computers?
PG&E Response: This section was intended to be a functional requirement for the KVM switch. Administrative and configuration controls will prevent inadvertent loading of an EPROM image that could corrupt operation of the KVM switch. If the KVM switch fails and connects the ALS and Tricon MWS together, the above-described physical and electrical restrictions of the ALS-102 board will prevent the ALS from being corrupted by its MWS computer.
NRC Comments: 11-28-12 update: Leave open until the KVM Switch information is provided within the LAR revision.
10-17-12 Update: Response is Okay, but the LAR revision will need to expand further on this matter to explain how these controls will provide this protection.
75 RJS ALS Security Plan (Status: Closed; RAI No.: No RAI)
Issue Description: Document 6002-00006 references the CS Innovations Cyber security plan document (Reference 7) (Title has changed), which is not docketed. Without having access to this referenced document, the staff is unable to confirm implementation of the system security requirements. We need to discuss if this document can be made available on the share point or if it can be made available during the audit.
In addition, CS-00013-GEN, Development Environment Evaluation Report - CS Innovations Isolated Development Infrastructure, might be another document of interest to the staff. It seems that this document would provide evidence that the actual development environment was in fact secure. This document was not docketed.
PG&E Response: Westinghouse can make available during the audit both CSI document 9000-00360, "CS Innovations Cyber Security Plan" and WNA-CS-00013-GEN, "Development Environment Evaluation Report - CS Innovations Isolated Development Infrastructure."
NRC Comments: Note: RJS - This is an NSIR ALS audit item. We will hold open pending the outcome of the February audit.
Item 79 | Src/RI: RA | Status: Open
Issue Description: Invensys to confirm that the following terms are not used, and that they will be removed from their plans and replaced with the correct terms:
- Test Review Board
- Test Case Incident Report
- Master Configuration Checklist
- Configuration Database
PG&E Response: The following Invensys documents were revised to reflect correct terminology and placed on the Invensys SharePoint on December 22, 2012:
- 1) 993754-1-905, Project Management Plan
- 2) 993754-1-906, Software Development Plan
- 3) 993754-1-909, Software Configuration Management Plan
- 4) 993754-1-813, Validation Test Plan
The revised documents were placed on the SharePoint and submitted by PG&E in Letter DCL-13-028 dated March 25, 2013.
RAI Comments: 01/23/2013 update: These documents were posted on the Invensys SharePoint 01/22/2013. 12/19/12: item open until new document revisions are submitted.
Item 80 | Src/RI: RA | Status: Open
Issue Description: Invensys to revise its plans to reflect the current project organization.
PG&E Response: The Invensys Project Management Plan (PMP), 993754-1-905, was revised to reflect the current project organization and placed on the Invensys SharePoint on December 22, 2012. The revised PMP was submitted by PG&E in Letter DCL-13-028 dated March 25, 2013.
RAI Comments: 01/23/2013 update: These documents were posted on the Invensys SharePoint 01/22/2013. 12/19/12: item open until new document revision is submitted.

Item 81 | Src/RI: RJS | Status: Open
Issue Description: Channel Level Bypass Functionality: The criteria in ISG-04 Position 10 only allow for software configuration activities when the entire safety division (i.e., all channels and functions) is inoperable. The Diablo Canyon PPS design, however, allows channel or specific function level configurability while the remaining safety division functions remain operable. This design does not meet the criteria of ISG-04 Position 10. The licensee will need to provide a justification for this as an alternative means of meeting the regulatory requirements of IEEE 603-1991 clauses 5.7, 6.5, and 6.7.
PG&E Response: PG&E will provide justification for an acceptable alternative to ISG-04 Position 10 for the PPS replacement design in Section 4.8.10 of the LAR Supplement.
RAI Comments: 1/25/13 - This OI was discussed at the 1/24/13 conference call. PG&E agreed to consider presenting this as an acceptable alternative to the ISG-04 Position 10 guidance. We expect a followup discussion during the 2/21 conference call.
Item 82 | Src/RI: RA | Status: Open
Issue Description: V&V Plan: Westinghouse/CSI document 6116-00001 Rev. 1 includes Table 2 in Appendix A. This table identifies several notes, which provide additional information. However, the descriptions for these notes are not included in the Appendix. Please provide this information.
PG&E Response: CSI document 6116-00003 Rev. 1 (Diablo Canyon PPS V&V Plan) will need to be revised to provide descriptions for the notes. The revised 6116-00003 will be submitted by April 26, 2013?
RAI Comments: 01/23/2013 update: The document number is incorrect. The document is 6116-00003, and it was provided in Attachment 6 to PG&E letter DCL-12-121.
Item 83 | Src/RI: RA | Status: Open
Issue Description: V&V and Hazard Analysis: Westinghouse/CSI documents 6116-00001 Rev. 1 and 6116-00000 Rev. 3 state that software hazard analysis of the ALS system is the responsibility of PG&E. However, the PG&E SyVVP, which was submitted as Attachment 5 of the LAR, does not describe how PG&E will perform the software hazard analysis of the ALS system. The SyVVP, Section 5.1.2.3, states that PG&E will verify that new hazards were not introduced during installation. Please clarify who will perform the hazard analysis activities, for each phase of the development process, that are required by IEEE 1012 for the ALS system.
PG&E Response: There is no V&V performed during the IEEE-1012 Project Initiation and Planning, and Conceptual Design phases. During the IEEE-1012 Development and Factory Acceptance Test portion of the Test phase, the hazard analysis activities for the ALS system will be performed by Westinghouse, and for the IEEE-1012 Integration and Site Acceptance Test portion of the Test phase, the hazard analysis will be performed by PG&E. Revisions to CSI and PG&E documents are required to address the responsibilities for the hazard analyses during the different phases. The revised Westinghouse/CSI document 6116-00000 Rev. 3, to address the hazard analysis for the Development and Factory Acceptance Test portion of the Test phase, will be submitted by April 26, 2013. The performance of a hazard analysis for the Integration and Site Acceptance Test portion of the Test phase, including update of the hazard analysis, is included in Section 5.1.2.3 of the SyVVP Revision 1 submitted in Attachment 1 to the Enclosure of PG&E letter DCL-13-028 submitted March 25, 2013.
RAI Comments: 2/22/13 The descriptions of PHA and SHA need to be included in the vendor V&V Plans and the PG&E SyVV Plan. New rev of V&V plans should resolve this. 1/25/13 This OI was discussed during the 1/24/13 conference call. The current planning documents under review do not include provisions for performing the hazard analysis activities.
Item 84 | Src/RI: RA | Status: Open
Issue Description: IRS: Revision 7 of the Interface Requirement Specification, Section 3 Appendices, lists the I/O lists for each protection set. However, these appendices are not included in the document Revision 8.
PG&E Response: PG&E will submit the I/O list with the IRS Revision 8, to be submitted by April 26, 2013.
RAI Comments: 2/22/13 The I/O list appendix will be included with IRS Revision 8. This is currently on the SharePoint but will be docketed as well.
Item 85 | Src/RI: RJS/NSIR | Status: Open
Issue Description: What security measures will be implemented to the MWS so that the MWS is consistent with NEI 08-09, Appendix D.1.1? Explain the statement that access to the maintenance workstation will be consistent with NEI 08-09, Appendix D.1.1. Additionally, explain whether security measures to be implemented include technical and operational security design measures incorporated into the system.
PG&E Response: Installation of the PPS replacement is scheduled for September 2015, and assessment of the whole PPS replacement system, including the maintenance workstation, as prescribed in Section 3 of the Diablo Canyon CSP, will begin in April 2013. The assessment will determine any security measures for the maintenance workstation, consistent with NEI 08-09 Appendices D and E, that need to be applied.
Item 86 | Src/RI: RJS/NSIR | Status: New
Issue Description: Eric to supply new question to elaborate on OI 85.
PG&E Response:
Item 87 | Src/RI: RJS | Status: New
Issue Description: (ALS Audit Item) FPGA versions 1, 2, 3 descriptions were explained to the NRC during the ALS audit in February, but these release processes are not captured in the system development plan or system management plan.
PG&E Response: FPGA versions 1, 2, 3 descriptions will be covered in 6116-00000 Diablo Management Plan Revision 4, to be placed on the SharePoint by March 28, 2013 and submitted by April 26, 2013.
Item 88 | Src/RI: RJS | Status: New
Issue Description: (ALS Audit Item) Please describe why there is a misalignment of document numbers between the platform documents 6002-xxx01, 6002-xxx06 and the application specific document 6116-10201. For example, why is there no 6116-10206?
PG&E Response: Both 6002-10201 and 6002-10206 are ALS Platform documents that are applicable to Diablo Canyon. The document numbering scheme is project-specific. 6116-10201 is specific to Diablo Canyon and is in addition to the ALS Platform documents. Because 6002-10201 includes hardware design that is not duplicated for Diablo Canyon (the board is already designed), there is no need to replicate a board requirements document at the Diablo Canyon document level.
A summary of the documents is as follows:
- 1. 6002-10201 - Platform 102 Board Requirements (applies to the ALS Platform and all applications)
- 2. 6002-10206 - Platform 102 FPGA Design Specification (applies to the ALS Platform and all applications, with the exception of the sequencer definition, which is application specific)
- 3. 6116-10201 - Diablo 102 FPGA Requirements (includes application specific info, including sequencer definition)
- 4. 6116-10203/10204 - Diablo 102 FPGA Design Specifications for Core A & B

Item 89 | Src/RI: RJS | Status: New
Issue Description: (ALS Audit Item) Ensure that the audit schedule issues (Pennatronics) identified during the cyber security review portion of the ALS audit are resolved prior to issuance of the Diablo PPS safety evaluation. The NRC will be reviewing the responses to the CAPs that Westinghouse has written on this issue to assess if there are any implications on the Diablo Canyon PPS system.
PG&E Response: The apparent cause analysis for the CAP IR has been completed. All commitments associated with the CAP IR are scheduled to be completed by Westinghouse by July 2013.
Item 90 | Src/RI: SO | Status: New
Issue Description: (ALS Audit Item) Once CSI has completed the SDOE evaluation to show conformance to RG 1.152 requirements, the NRC will need to have the results docketed.
PG&E Response: IN PROGRESS

Item 91 | Src/RI: RJS | Status: New
Issue Description: (ALS Audit Item) Please provide the NRC access to the following documents via SharePoint:
- Work Instruction for Human Diversity Management for FPGA Based Development and Test Activities, Document number 9006-00037, Rev. 0
- ALS Core A FPGA Build Procedure, Document number 9006-00043, Rev. 3
- ALS Core B FPGA Build Procedure, Document number 9006-00071, Rev. 1
- 6116-10203/4 Core A and Core B Design Specifications
- RTM sorted by FRS
PG&E Response: The documents 9006-00037, Rev. 0, 9006-00043, Rev. 3, and 9006-00071, Rev. 1 were placed on the SharePoint on March 25, 2013. The RTM sorted by FRS for the RTM (pre-revision B version) was placed on the SharePoint on March 25, 2013. The 6116-10203 Revision 0 and 6116-10204 Revision 0 Core Design Specifications will be placed on the SharePoint by April 26, 2013.
Item 92 | Src/RI: RA | Status: New
Issue Description: (ALS Audit Item) The Requirements Traceability Matrix (RTM) does not trace to CSI documents 6116-10203/4 Core A and Core B Design Specifications. Please include this traceability in the RTM once the 6116-10203/4 Core A and Core B Design Specifications are finalized.
PG&E Response: The RTM revision 1 release, which will include tracing down to 6116-10203 revision 0 and 6116-10204 revision 0, will be placed on the SharePoint by April 30, 2013.
Enclosure 3

March 25, 2013 DCPP PPS Closed Item Summary Table Page 1 of 74
Item 001 | Src/RI: AR | Status: Closed | RAI No.: RAI 119 (80) | RAI Date Sent: 4/18/2012 | Response Received: 09/11/12
Issue Description: [ISG-06 Enclosure B, Item 1.3] Deterministic Nature of Software: The Diablo Canyon Specific Application should identify the board access time sequence and provide corresponding analysis associated with digital response time performance. This analysis should be of sufficient detail to enable the NRC staff to determine that the logic cycle:
- a. has been implemented in conformance with the ALS Topical Report design basis,
- b. is deterministic, and
- c. the response time is derived from plant safety analysis performance requirements and in full consideration of communication errors that have been observed during equipment qualification.
As stated in the LAR, information pertaining to response time performance will be submitted as a Phase 2 document. Please ensure this matter is addressed accordingly.
PG&E Response:
ALS: Diablo Canyon PPS document 6116-00011, "ALS System Design Specification", Section 7.5, identifies the ALS board access sequence and provides an analysis associated with digital response time performance.
- a. The Diablo Canyon PPS ALS system is configured in accordance with the qualification requirements of the ALS platform topical report.
- b. The analysis in Diablo Canyon PPS document 6116-00011, "ALS System Design Specification", Section 7, describes a logic cycle that is deterministic.
- c. The requirement for the response time of the PPS processing instrumentation (from input conditioner to conditioned output signal) is specified as not to exceed 0.409 seconds in Section 3.2.1.10 of the "Diablo Canyon Power Plant Units 1 & 2 Process Protection System Replacement Functional Requirements Specification (FRS)", Revision 4, submitted as Attachment 7 of the LAR. In Section 1.5.8 of the "Diablo Canyon Power Plant Units 1 & 2 Process Protection System Replacement Interface Requirements Specification (IRS)", Revision 4, submitted as Attachment 8 of the LAR, the 0.409 seconds PPS processing instrumentation response time is allocated between the ALS and Tricon as follows:
  - ALS: 175 ms for RTD processing
  - Tricon: 200 ms
  - Contingency: 34 ms
The 0.409 seconds PPS processing instrumentation value is the same as the value that is currently allocated to PPS processing instrumentation. As long as the 0.409 second PPS processing instrumentation value is not exceeded, the total response time values assumed in the plant safety analyses contained in FSAR Table 15.1-2 will not be exceeded: 7 seconds for Overtemperature ΔT RT and Overpower ΔT RT functions; 2 seconds for High pressurizer pressure RT, Low pressurizer pressure RT, and Low Low SG water level RT functions; 1 second for Low reactor coolant flow RT function; 25 seconds for Low pressurizer pressure, High containment pressure, and Low steam line pressure Safety Injection initiation; 60 seconds for Low low SG water level auxiliary feedwater initiation; 18 seconds for High containment pressure, Low pressurizer pressure, and Low steam line pressure Phase A containment isolation; 48.5 seconds for High High containment pressure containment spray initiation; 7 seconds for High High containment pressure steam line isolation; 66 seconds for High High SG water level auxiliary feedwater isolation; and 8 seconds for Low steam line pressure steam line isolation.
The ALS response time will be verified as part of the FAT, and the results will be included in the FAT summary report to be submitted by 12/31/12.
Tricon: Invensys provided detailed information on the deterministic operation of the V10 Tricon in Invensys Letter No. NRC V10-11-001, dated January 5, 2011. In support of the V10 Tricon safety evaluation, Invensys submitted document 9600164-731, Maximum Response Time Calculations, describing the worst-case response time for the V10 Tricon Qualification System. Included in document 9600164-731 are the standard equations for calculating the worst-case response time of a given V10 Tricon configuration. The time response calculation for the V10 Tricon PPS Replacement architecture was submitted on April 30, 2012. The System Response Time Confirmation Report, 993754-1-818, will be submitted to the staff as part of the ISG-06 Phase 2 submittals at the completion of factory acceptance testing of the V10 Tricon PPS Replacement. The Tricon response time will be verified as part of the FAT, and the results will be included in the FAT summary report to be submitted by 12/31/12.
Licensee representatives stated that PG&E will provide the Tricon time response calcs in a document submitted on the docket.
RAI Comments: Staff reviewed response calc on SharePoint and agrees that this is the correct information to support the SE. Requested that these calcs be docketed. Response received April 29, 2012. Staff will review and discuss further if needed at subsequent telecom meeting. Response acceptable; waiting on PG&E to provide the time response calculation for the V10 Tricon PPS Replacement architecture by April 16, 2012. Response time calc received. Letter: ML12131A513. Calc: ML12131A512.
Item 002 | Src/RI: AR (RA) | Status: Closed | RAI No.: N/A
Issue Description: [ISG-06 Enclosure B, Item 1.4] Software Management Plan: Regulatory Guide (RG) 1.168, Revision 1, "Verification, Validation, Reviews and Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," dated February 2004, endorses IEEE (Institute of Electrical and Electronics Engineers) 1012-1998, "IEEE Standard for Software Verification and Validation," and IEEE 1028-1997, "IEEE Standard for Software Reviews and Audits," with the exceptions stated in the Regulatory Position of RG 1.168. RG 1.168 describes a method acceptable to the NRC staff for complying with parts of the NRC's regulations for promoting high functional reliability and design quality in software used in safety systems. Standard Review Plan (SRP) Table 7-1 and Appendix 7.1-A identify Regulatory Guide 1.168 as SRP acceptance criteria for reactor trip systems (RTS) and for engineered safety features.
Westinghouse/ALS 6116-00000 Diablo Canyon PPS Management Plan, Figure 2-2, shows the Verification and Validation (V&V) organization reporting to the Project Manager. This is inconsistent with the information described in the ALS Management Plan for the generic system platform, where the V&V organization is independent from the Project Manager. This is also inconsistent with the criteria of RG 1.168 and will need to be reconciled during the LAR and ALS LTR reviews.
PG&E Response:
ALS: The PPS Replacement LAR referenced Westinghouse document 6116-00000 Diablo Canyon PPS Management Plan, dated July 25, 2011, that was based on CSI document 6002-00003 ALS Verification and Validation Plan, Revision 4. CS Innovations subsequently submitted a revised V&V plan, "6002-00003 ALS Verification and Validation Plan", Revision 5, on November 11, 2011, that revised the required V&V organization structure such that the management of the verification personnel is separate and independent of the management of the development personnel. The Westinghouse 6116-00000 Diablo Canyon PPS Management Plan was revised to require a V&V organization structure in which the management of the verification personnel is separate and independent of the management of the development personnel. PG&E submitted the revised Westinghouse 6116-00000 Diablo Canyon PPS Management Plan, Revision 1, document on April 2, 2012.
RAI Comments: 4/23/2012 Staff has confirmed that the new version of the ALS SVVP is available for review. Response received April 29, 2012. Staff will review and discuss further if needed at subsequent telecom meeting. (Kemper 4/12/12) Response acceptable; the staff received the revised W/ALS PPS MP on April 2, 2012 and will review for consistency with RG 1.168.
Item 3 | Src/RI: AR (RA) | Status: Closed | RAI No.: N/A
Issue Description: [ISG-06 Enclosure B, Item 1.9] Software V&V Plan: The ALS V&V plan states that the Project Manager of the supplier is responsible for providing directions during implementation of V&V activities. Also, the organization chart in the Diablo Canyon PPS Management Plan shows the IV&V manager reporting to the PM.
The ALS V&V plan described in the ISG-6 matrix for the ALS platform and the Diablo Canyon PPS Management Plan do not provide sufficient information about the activities to be performed during V&V. For example, the ALS V&V Plan states that for project specific systems, V&V activities are determined on a project by project basis and are described in the project Management Plan, in this case, 6116-00000, "Diablo Canyon PPS Management Plan." However, the 6116-00000 Diablo Canyon PPS Management Plan states: "See the ALS V&V Plan for more information and the interface between the IV&V team and the PPS Replacement project team."
The Triconex V&V plan states that the Engineering Project Plan defines the scope for V&V activities. As mentioned before, the Triconex EPP is not listed in the ISG-6 matrix.
These items will need further clarification during the LAR review to demonstrate compliance with Regulatory Guide (RG) 1.168, Revision 1, "Verification, Validation, Reviews and Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants."
PG&E Response:
ALS: The Westinghouse 6116-00000 Diablo Canyon PPS Management Plan was revised to include details on how the IV&V team has an independent organizational reporting structure from the design and implementation team; the Scottsdale Operations Director and the ALS Platform & Systems Director report to different Westinghouse Vice Presidents. The IV&V Manager and Scottsdale Operations Director both report to the same Westinghouse Vice President, but via independent reporting structures. The description of 6116-00000 Diablo Canyon PPS Management Plan V&V was also revised to add information on the activities being performed for the V&V. PG&E submitted the revised Westinghouse 6116-00000 Diablo Canyon PPS Management Plan that includes the above changes on April 2, 2012.
Tricon: The organizational structure of Invensys Operations Management comprises, in part, Engineering and Nuclear Delivery. Each of these organizations plays a specific role in the V10 Tricon application project life cycle. Invensys Engineering is responsible for designing and maintaining the V10 Tricon platform, and Nuclear Delivery is responsible for working with nuclear customers on safety-related V10 Tricon system integration projects. Invensys Engineering department procedures require "Engineering Project Plans (EPP)," whereas Nuclear Delivery department procedures require "Project Plans." Invensys Engineering is not directly involved in system integration, but Nuclear Delivery may consult with Engineering on technical issues related to the V10 Tricon platform.
The NRC applied ISG-06 to the V10 Tricon safety evaluation. Invensys submitted a number of documents pertaining to the design of the V10 Tricon platform as well as process and procedure documents governing Invensys Engineering activities, including the EPP. In most cases, these platform-related documents are preceded with document number 9600164. The platform-level documents reviewed by the staff during the V10 Tricon safety evaluation will not be resubmitted by Nuclear Delivery during application-specific system integration projects.
In support of the PG&E LAR for the DCPP PPS Replacement, Invensys Nuclear Delivery is required to submit the application design documents as defined in ISG-06. These project documents are preceded by document number 993754. The Phase 1 submittal under Invensys Project Letter 993754-026T, dated October 26, 2011, contained, in part, the following:
- PPS Replacement Project Management Plan (PMP), 993754-1-905. "Project Management Plan" was used to more closely match BTP 7-14 with regard to "management plans"; and
- PPS Replacement Software Verification and Validation Plan (SVVP), 993754-1-802.
The PMP describes the PPS Replacement Project management activities within the Invensys scope of supply. The guidance documents BTP 7-14 and NUREG/CR-6101 were used as input during development of the PMP.
With regard to compliance with RG 1.168, the PPS Replacement PMP and SVVP both describe the organizational structure and interfaces of the PPS Replacement Project. The documents describe the Nuclear Delivery (ND) design team structure and responsibilities, the Nuclear Independent Verification and Validation (IV&V) team structure and responsibilities, the interfaces between ND and Nuclear IV&V, lines of reporting, and degree of independence between ND and Nuclear IV&V. In addition, the PMP describes organizational boundaries between Invensys and the other external entities involved in the PPS Replacement project: PG&E, Altran, Westinghouse, and Invensys suppliers. The combination of the PMP and SVVP demonstrates compliance of the Invensys organization with RG 1.168.
RAI Comments: Response received April 2, 2012. Staff will review and discuss further if needed at subsequent telecom meeting. Status: Fig. 3 of the PPS SVVP (Pg. 16/46) indicates sufficient organizational independence between the Nuclear Delivery (Design) Organization and the IV&V Organization. Fig. 3 of the PPS PMP (993754-1-905) (pg. 22/81) also denotes the DCPP PPS project organization, and provides sufficient independence between the ND and IV&V Organizations. Close the Invensys part of the OI. W/ALS response acceptable; (Kemper 4/12/12) the staff received the revised W/ALS PPS MP on April 2, 2012 and will review for consistency with RG 1.168.
Item 4 | Src/RI: AR (RA) | Status: Closed | RAI No.: N/A
Issue Description: [ISG-06 Enclosure B, Item 1.10] Software Configuration Management Plan: The LAR includes PG&E CF2.ID2, "Software Configuration Management for Plant Operations and Operations Support," in Attachment 12. However, the document provided in Attachment 12 only provides a guideline for preparing Software Configuration Management (SCM) and SQA plans. Though it is understood that the licensee will not perform development of software, PG&E personnel will become responsible for maintaining configuration control over software upon delivery from the vendor.
The staff requires the actual plan to be used by the licensee for maintaining configuration control over PPS software in order to evaluate against the acceptance criteria of the SRP. For example, the ALS Configuration Management (CM) Plan (6002-00002) describes initial design activities related to ALS generic boards. This plan does describe the configuration management activities to be used for the development and application of the ALS platform for the Diablo Canyon PPS System. The staff requires that configuration management for this design be described in the DCPP project specific plan. These items will need further clarification during the LAR review to demonstrate compliance with BTP-14.
PG&E Response: PG&E developed a SCMP procedure to address configuration control after shipment of equipment from the vendor and submitted the SCMP on June 6, 2012, in Attachment 4 to the Enclosure of PG&E Letter DCL-12-050.
RAI Comments: (Kemper 4-12-12) Response received April 2, 2012. Staff will review the PG&E SyCMP procedure when it arrives on May 31, 2012. Alvarado (6/13/12): PG&E placed a copy of their SyCMP SCM 36-01 in its SharePoint. The staff will review this information and identify questions, if necessary.
Item 5 | Src/RI: AR (RA) | Status: Closed | RAI No.: N/A
Issue Description: [ISG-06 Enclosure B, Item 1.11] Software Test Plan: The V10 platform documents identified in the ISG-6 matrix state that the interface between the NGIO (Next Generation Input Output) Core Software and IO-specific software will not be tested. It is not clear when and how this interface will be tested, and why this test is not part of the software unit testing and integration testing activities.
Further, the 993754-1-813 Diablo Canyon Triconex PPS Validation Test Plan states that the DCPP's TSAP will not be loaded on the system; instead, Triconex will use another TSAP for the validation test. It is not clear why the DCPP's TSAP will not be used for the validation test, or when the DCPP's TSAP will be loaded on the system and validated for the Diablo Canyon PPS System. These items will need further clarification during the LAR review to demonstrate compliance with BTP-14.
PG&E Response:
Tricon: The next-generation input/output (I/O) modules qualified for the V10 Tricon are the 3721N 4-20 mA, 32-point analog input (AI) module, and the 3625N 24 Vdc, 32-point digital output (DO) module. Technical data on these two modules was provided to the NRC in support of the V10 Tricon safety evaluation. Configuration and functional testing is performed when the I/O modules (hardware and embedded core firmware) are manufactured. From the factory, the I/O modules are shipped to Invensys Nuclear Delivery for use in nuclear system integration projects, i.e., application specific configurations. Because the module hardware and embedded core firmware are within the scope of the V10 Tricon safety evaluation, the verification and validation of the embedded core firmware will not be repeated as part of application-specific system integration projects.
There are certain design items that must be done with TriStation 1131 (TS1131), such as specifying which I/O module is installed in a particular physical slot of the Tricon chassis, resulting in each module having a unique hardware address in the system. Also, TS1131 is used to specify which application program parameters (i.e., program variable tagnames) are assigned to a particular point on a given I/O module. The design items configured in TS1131 will be within the scope of validation activities conducted by Invensys Nuclear IV&V for application-specific system integration projects. The necessary collateral (system build documents, configuration tables, test procedures, test results, etc.) will be submitted to the NRC to support the staff's technical review of the PPS Replacement LAR in accordance with ISG-06.
The Phase 1 submittal under Invensys Project Letter 993754-026T, dated October 26, 2011, contained, in part, the Validation Test Plan (VTP), 993754-1-813. This document describes the scope, approach, and resources of the testing activities that are required for validation testing of the V10 Tricon portion of the PPS Replacement, including:
- Preparing for and conducting system integration tests
- Defining technical inputs to validation planning
- Defining the test tools and environment necessary for system validation testing
- Scheduling (and resource loading of the schedule)
Section 1.3.2 of the VTP describes the Hardware Validation Test activities, and Section 1.3.3 of the VTP describes the V10 Tricon portion of the Factory Acceptance Test activities for the V10 Tricon portion of the PPS Replacement. Details on the application program are proprietary and need to be provided to the staff separately.
RAI Comments: Response received April 2, 29, 2012. Staff will review and discuss further if needed at subsequent telecom meeting. Tricon Next Generation Input Output (NGIO) Core software is tested and qualified as a platform component. As such, it does not need to be separately tested during the application development process. TSAP is a Test Specimen Application Program used for purposes of platform qualification. Invensys stated that the Diablo Canyon Application will be loaded onto plant system hardware during FAT. Staff re-examined Invensys doc. "Validation Test Plan (VTP), 993754-1-813," Section 1.3.2 of the VTP that describes the Hardware Validation Test activities and Section 1.3.3 of the VTP, and determined that the application program TSAP will be used for the FAT (Section 5.1.5 FAT). Close this portion of the OI.
March 25, 2013 DCPP PPS Closed Item Summary Table, Page 10 of 74. Columns: No., Src/RI, Issue Description, PG&E response, Status, RAI No. (Date Sent), RAI Response (Due Date), Comments.
No.: 6
Src/RI: AR (SM)
Status: Closed
RAI No.: Develop a generic RAI to provide the response to ASAIs for both platforms when the SERs are issued. RAI #01.
RAI Response: Received 09/11/12.
Issue Description: [ISG-06 Enclosure B, Item 1.14] Equipment Qualification Testing Plans - The LAR Sections 4.6, 4.10.2.4 and 4.11.1.2 provide little information on the plant specific application environmental factors. The Tricon V10 Safety Evaluation, ML11298A246, Section 6.2 lists 19 application specific action Items (ASAI's) that the licensee should address for plant specific applications. The licensee should address each of these for the Tricon portion of the PPS replacement. Similar information for the ALS portion of the PPS replacement will also be required.
PG&E response: ALS: PG&E will respond to ALS ASAI's when they are available. Tricon: IN PROGRESS. All of the Application Specific Action Items will be addressed by March 21, 2012.
Comments: Response received April 2, 29, 2012. Staff will review and discuss further if needed at subsequent telecom meeting. Staff agreed that PG&E should submit a separate submittal (LAR amendment) to address the ASAIs for both platforms. It is not necessary to delineate exactly what will be done for each ASAI in this OI matrix.
No.: 7
Src/RI: AR (BK)
Status: Closed
RAI No.: RAI #17 & 18 to obtain an answer/report to address this topic.
RAI Response: Received 09/11/12.
Issue Description: [ISG-06 Enclosure B, Item 1.16] Design Analysis Reports: The LAR does not appear to comply with the SRP (ISG-04) regarding the connectivity of the Maintenance Work Station to the PPS. The TriStation V10 platform relies on software to effect the disconnection of the TriStation's capability to modify the safety system software. Based on the information provided in the LTR, the NRC staff determined that the Tricon V10 platform does not comply with the NRC guidance provided in ISG-04, Highly Integrated Control Rooms - Communications Issues (ADAMS Accession No. ML083310185), Staff Position 1, Point 10, hence the DCPP PPS configuration does not fully comply with this guidance. In order for the NRC staff to accept this keyswitch function as an acceptable deviation to this staff position, the staff will have to evaluate the DCPP PPS specific system communications control configuration, including the operation of the keyswitch, the software affected by the keyswitch, and any testing performed on failures of the hardware and software associated with the keyswitch. The status of the ALS platform on this matter is unclear at this time and will be resolved as the ALS LTR review is completed.
Moreover, the Tricon V10 system Operational Mode Change (OMC) keyswitch does change operational modes of the 3008N MPs and enables the TriStation 1131 PC to change parameters, software algorithms, etc., related to the application program of the safety channel without the channel or division being in bypass or in trip. As stated in Section 3.1.3.2 of the Tricon V10 SER, the TriStation 1131 PC should not normally be connected while the Tricon V10 is operational and performing safety critical functions. However, it is physically possible for the TriStation PC to be connected at all times, and this should be strictly controlled via administrative controls (e.g., place the respective channel out of service while changing the software, parameters, etc.). The LAR does not mention any administrative controls such as this to control the operation of the OMC (operational mode change) keyswitch. Furthermore, in order to leave the non-safety TriStation 1131 PC attached to the SR Tricon V10 system while the key switch is in the RUN position, a detailed FMEA of the TriStation 1131 PC system will be required to ascertain the potential effects this non-safety PC may have on the execution of the safety application program/operability of the channel or division. These issues must be addressed in order for the NRC staff to determine that the DCPP PPS complies with the NRC Staff Guidance provided in Staff Position 1, Point 11. The status of the ALS platform on this point is unclear at this time.
PG&E response: The OMC keyswitch controls only the mode of the V10 Tricon 3008N MPs. In RUN position the 3008N MPs ignore* all commands from external devices, whether WRITE commands from external operator interfaces or program-related commands from TS1131.
The keyswitch is a four-position, three-ganged switch so that the three Main Processor (MP) modules can monitor the position of the switch independently. The Operating System Executive (ETSX) executing on the MP application processor monitors the position of the keyswitch. The three MPs vote the position of the keyswitch. The voted position of the keyswitch is available as a read-only system variable that can be monitored by the TSAP. This allows alarming the keyswitch position when it is taken out of the RUN position. TS1131 messages to and from the Tricon (i.e., ETSX executing on the MPs) are of a defined format. TS1131 messages for control program (i.e., TSAP) changes - whether download of new control programs or modification of the executing control program - are uniquely identifiable. Such messages are received by ETSX and the appropriate response provided depending upon, among other things, the position of the keyswitch. When a request from TS1131 is received by ETSX to download a new control program or modify the executing control program, ETSX accepts or rejects the request based on the voted keyswitch position. If the keyswitch is in RUN, all such messages are rejected. If the keyswitch is in PROGRAM, the Tricon is considered out of service and ETSX runs through the sequence of steps to download the new or modified control program, as appropriate.
Multiple hardware and software failures would have to occur on the V10 Tricon (in combination with human-performance errors in the control room and at the computer with TS1131 installed) in order for the application program to be inadvertently reprogrammed. Therefore, there is no credible single failure on the V10 Tricon that would allow the safety-related application program to be inadvertently programmed, e.g., as a result of unexpected operation of the connected computer with TS1131 installed on it.
The above conclusion will be confirmed (for the V10 Tricon portion of the PPS Replacement) in the Failure Modes and Effects Analysis, an ISG-06 Phase 2 document planned for submittal to NRC in May 2012. Additionally, Invensys Operations Management will support the staff's review of the hardware and software associated with the OMC keyswitch by making all of the technical data available for audit.
* TS1131 contains function blocks that allow WRITE-access to a limited set of parameters programmed into the application software, but only for a limited duration after which the capability is disabled until WRITE-access is re-enabled. However, without these function blocks programmed into the application program neither the application program nor application program parameters can be modified with the OMC keyswitch in the RUN position.
PG&E administrative controls on use of the keyswitch will be provided with a commitment to include them in procedures in the response.
Note, TS1131 is not used to change setpoints, and the protection set is inoperable when the keyswitch is not in the RUN position.
Comments: (Kemper 4-12-12) Response received April 2, 29, 2012. Staff reviewed this item and still need additional information to close this item. The staff will need to review this item further during an NRC audit at the Invensys facility. All the items noted below will be the scope of the audit.
3/21/12 update: it was agreed that PG&E/Invensys and PG&E/Westinghouse/CSI would provide a report (LAR supplement) to explain how these two issues will be resolved and submit to NRC - date to be provided TBD. Waiting for the V10 Tricon portion of the PPS Replacement Failure Modes and Effects Analysis, an ISG-06 Phase 2 document to be submitted to NRC in May 2012.
3/21/12 Update: PG&E/Invensys needs to provide a technical explanation of how the MP3008N processor actually ignores all commands when in RUN - address the items in the OI.
4/4/12 Update: Need to explain how this message format works to reject messages from the TriStation when in RUN?? Graphs and visual presentation of these concepts would be helpful. This issue will also have to be addressed for the ALS platform.
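The keyswitch and message-handling behaviour described in the response above, as an added illustrative model in Python. It is not Invensys or PG&E code and does not use the Tricon's actual message format: three independent readings of the switch are voted two-out-of-three, program download/modify requests are accepted only when the voted position is PROGRAM, reads are always answered, parameter writes need the time-limited write window the response mentions, and a voted position other than RUN raises the alarm flag the TSAP can monitor. The message types, the `WriteWindow` helper, the fail-safe handling of a disagreeing vote, and the names STOP and REMOTE for the two switch positions the page does not name are assumptions.

```python
"""Model of an operational-mode keyswitch gating program-change requests.

Added example for this page. It is NOT Invensys/Triconex code: the message
layout, the handler names and the two unnamed switch positions are constructed
assumptions used only to show the behaviour the PG&E response describes.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional, Sequence

# The page says the switch is four-position and three-ganged; it names only
# RUN and PROGRAM. STOP and REMOTE are assumed names for the other two.
RUN, PROGRAM = "RUN", "PROGRAM"
POSITIONS = (RUN, PROGRAM, "STOP", "REMOTE")

# Constructed message types. The two program-related ones stand for the
# "download of new control programs or modification of the executing control
# program" messages the page says are uniquely identifiable.
PROGRAM_CHANGE = {"DOWNLOAD_PROGRAM", "MODIFY_PROGRAM"}
READ_ONLY = {"READ_VARIABLE", "READ_STATUS"}


def vote_keyswitch(readings: Sequence[str]) -> Optional[str]:
    """2-out-of-3 vote of the three MPs' independent keyswitch readings.

    Returns the majority position, or None when no two MPs agree; the callers
    below treat None as untrusted and reject changes (assumed fail-safe rule)."""
    if len(readings) != 3 or any(r not in POSITIONS for r in readings):
        raise ValueError("expected three readings from the set of positions")
    position, count = Counter(readings).most_common(1)[0]
    return position if count >= 2 else None


def keyswitch_alarm(readings: Sequence[str]) -> bool:
    """True when the voted position is anything other than RUN (or undecided).
    The page says the TSAP can alarm on the read-only voted position."""
    return vote_keyswitch(readings) != RUN


@dataclass
class WriteWindow:
    """Time-limited WRITE access opened by a function block in the application
    (the page: enabled "only for a limited duration after which the capability
    is disabled"). Times are plain seconds so the model is deterministic."""
    opened_at: Optional[float] = None
    duration: float = 60.0

    def is_open(self, now: float) -> bool:
        return self.opened_at is not None and now - self.opened_at < self.duration


def handle_message(msg: dict, readings: Sequence[str],
                   window: Optional[WriteWindow] = None,
                   now: float = 0.0) -> tuple:
    """Decide, as the executive would, whether a TS1131 request is honoured.

    Program-change messages are accepted only when the voted position is
    PROGRAM; parameter writes need an open write window; reads are always
    answered. Returns (accepted, reason)."""
    kind = msg.get("type")
    voted = vote_keyswitch(readings)
    if kind in READ_ONLY:
        return True, "read request answered regardless of keyswitch"
    if voted is None:
        return False, "MPs disagree on keyswitch position; request rejected"
    if kind in PROGRAM_CHANGE:
        if voted == PROGRAM:
            return True, "keyswitch in PROGRAM: channel out of service, change allowed"
        return False, f"keyswitch in {voted}: program change rejected"
    if kind == "WRITE_VARIABLE":
        if window is not None and window.is_open(now):
            return True, "write accepted inside the application's write window"
        return False, "no open write window: parameter write rejected"
    return False, f"unknown message type {kind!r} rejected"


if __name__ == "__main__":
    # Constructed scenario: switch in RUN, a TS1131 download attempt, then a
    # parameter write inside an open window.
    in_run = [RUN, RUN, RUN]
    print(handle_message({"type": "DOWNLOAD_PROGRAM"}, in_run))
    print(handle_message({"type": "WRITE_VARIABLE"}, in_run,
                         WriteWindow(opened_at=100.0, duration=30.0), now=110.0))
    print("alarm:", keyswitch_alarm([PROGRAM, PROGRAM, RUN]))
```

The detection angle a reviewer would look for is in `keyswitch_alarm`: because the voted position is exposed read-only, the application can annunciate any departure from RUN, so a program change attempt in PROGRAM is never silent even though it is permitted there.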
No.: 8
Src/RI: AR (RS)
Status: Closed
RAI No.: N/A
Issue Description: [ISG-06 Enclosure B, Item 1.21] Setpoint Methodology: The NRC staff understands that a summary of SP (setpoint) Calculations will be provided in Phase 2; however, section 4.10.3.8 of the LAR also states that PGE plans to submit a separate LAR to adopt TSTF 493. The NRC cannot accept this dependency on an unapproved future licensing action. The staff therefore expects the licensee to submit a summary of setpoint calculations which includes a discussion of the methods used for determining as-found and as-left tolerances. This submittal should satisfy all of the informational requirements set forth in ISG6 section 0.9.4.3.8 without a condition of TSTF 493 LAR approval.
PG&E response: The evaluation of the setpoints for the PPS replacement will need to be performed by Westinghouse in two phases in order to provide sufficient documentation to support 95/95 setpoint values for the setpoints. This is because the NRC staff has been requesting additional information and additional data and analysis to demonstrate that the uncertainties used in the setpoint calculation have been based on a statistically sufficient quantity of sample data to bound the assumed values (to justify that the confidence level of the calculation is appropriate) during recent Westinghouse projects involving setpoints. Significant information is required from the transmitter and RTD vendors, that has never been obtained before, to support development of calculations that can support 95/95 setpoint values.
The first phase of the evaluation of the setpoints will include evaluation of the PPS replacement setpoints for the Tricon and ALS architecture using expected bounding uncertainty values. A setpoint summary evaluation which includes a discussion of the methods used for determining the as-found and as-left tolerances will be submitted by May 31, 2012. This is a change to commitment 31 in Attachment 1 to the Enclosure to the PPS Replacement LAR. The setpoint information associated with the PPS replacement is being submitted independently of the LAR for TSTF-493 and does not rely on a TSTF-493 licensing action.
The second phase of the evaluation of the setpoints will include development of Westinghouse calculations of the PPS replacement setpoints for the Tricon and ALS architecture using sufficient information from vendors to substantiate that the setpoints are 95/95 values. The Westinghouse calculations will be completed by December 31, 2012 and will be available for inspection by NRC staff in Washington DC with support provided by Westinghouse setpoint group personnel. The NRC staff inspection of Westinghouse calculations in Washington DC has been performed for another recent utility project involving setpoints.
Comments: Discussed at 4/18/2011 CC. Requested that PGE add to the response a statement that the setpoint changes associated with this modification will be submitted for evaluation independently with no reliance on TSTF 439 licensing action.
(Kemper 4-12-12) Response received April 2, 29, 2012. PG&E's commitment to provide summary calc's by May 31, 2012 and not revise these setpoints via a TSTF-439 LAR addresses this OI. Close this OI.
3/7/12 update: PG&E stated that all setpoint determinations will be addressed as part of this LAR, and NOT submitted as a TSTF-493 licensing action.
3/21/12 update: The staff may choose to review the Westinghouse calculations at the Westinghouse office in Washington DC. However, if the safety finding is dependent on these calculations, then the setpoint calculations will be required to be submitted on the docket per NRC licensing procedures.

No.: 9
Src/RI: AR (SK)
Status: Closed
RAI No.: No specific RAI needed for this OI. RAI #4 addresses this item as noted below in OI 15, the compliance matrix for the ALS platform.
Issue Description: LTR Safety Conclusion Scope and Applicability - Many important sections of the DCPP PPS LAR refer the reader to the ALS licensing topical report (LTR) to demonstrate compliance of the system with various Clauses of IEEE 603-1991, IEEE 7-4.3.2-2003, and ISG-04. However, many important sections of the ALS LTR state that compliance with various Clauses of these IEEE Stds and ISG-04 are application specific and refer the reader to an application specific license amendment submittal (i.e., the DCPP PPS LAR in this case). The staff has not yet had time to evaluate all the information in detail and compare this information with that provided in the ALS LTR to ensure there is no missing information. However, PG&E and its contractors are encouraged to review these two licensing submittals promptly to verify that compliance with these IEEE Stds and ISG-04 is adequately addressed within both licensing documents.
PG&E response: PG&E and Westinghouse have reviewed the LAR 11-07 and the ALS topical report to verify information is provided to justify compliance with IEEE 603-1991, IEEE 7-4.3.2-2003, and ISG-04 in either the LAR or the ALS topical report. As a result of the review, it was identified that neither the LAR nor the ALS topical report contain a matrix that documents compliance with ISG-04 Table 5-4 for the DCPP ALS platform. PG&E will submit a matrix that documents compliance with ISG-04 Table 5-4 for the DCPP ALS platform by May 31, 2012.
Comments: (Kemper 4-12-12) Response received April 2, 29, 2012. The PG&E response to this item addresses the OI. Close this OI.
No.: 10
Src/RI: RS
Status: Closed
RAI No.: RAI 02
RAI Response: Received 09/11/12.
Issue Description: Plant Variable PPS Scope - In the Description section of the LAR, section 4.1.3, nine plant variables are defined as being required for RTS and section 4.1.4 lists seven plant variables that are required for the ESFAS. Three additional plant variables were also listed in section 4.10.3.4. Some variables are not listed in section 4.10.3.4 as being PPS monitored plant parameters. It is therefore assumed that these parameters are provided as direct inputs to the SSPS and that the PPS is not relied upon for the completion of required reactor trip or safety functions associated with them. Please confirm that these plant parameters and associated safety functions will continue to operate independently from the PPS and that the replacement PPS will not adversely impact the system's ability to reliably perform these functions.
PG&E response: The PPS Replacement LAR Sections 4.1.3 and 4.1.4 describe the plant variables from which RTS and ESFAS protective functions are generated. The initiation signal outputs to the SSPS coincidence logic are generated in the PPS or other, independent systems, or in some cases, by discrete devices. Section 4.1.3 items 6 (RCP bus UF, UV, and breaker position), 8 (Main Turbine trip fluid pressure and stop valve position) and 9 (seismic acceleration) are generated by discrete devices outside the PPS and provide direct contact inputs to the SSPS. Section 1.4 items 6 (Containment Exhaust Radiation) and 7 (RT breaker position Permissive P-4) are also generated outside the PPS and are direct contact inputs to the SSPS. The initiation signals associated with these plant parameters operate independently from the PPS. The replacement PPS will not adversely affect the reliable performance of the safety functions associated with these plant parameters.
The three signals (Wide Range RCS Temperature and Pressure and Turbine Impulse Chamber Pressure) not listed in Sections 4.1.3 and 4.1.4 are monitored by the PPS per Section 4.10.3.4. The Wide Range RCS Pressure and Temperature signals are used to generate the LTOP function described in DCPP FSAR Section 5. The PPS uses Turbine Impulse Chamber Pressure to generate an initiation signal that is used by the SSPS coincidence logic to develop Permissive P-13 as discussed in RAI 3, below.
Neutron Flux should be added to Section 4.2 Table 4-2 as follows:
  Process Variable: Neutron Flux (Power Range, Upper & Lower)
  Function: Input to Overtemperature Delta-T (OTDT) RT; Input to Overpower Delta-T (OPDT) RT
Comments: Neutron Flux is an input to Tricon but it is not listed in Table 4-2 "Process Variable inputs to Tricon". Signals not associated with PPS functions will be designated as such in the SE and they will not be described since they are not in scope.

No.: 11
Src/RI: RS
Status: Closed*
RAI No.: N/A
Issue Description: Power Range NIS Function - Section 4.1.7 describes the Existing Power Range NIS Protection Functions and it states that the Power Range nuclear instrumentation provides input to the OTDT and OPDT protection channels. It is not entirely clear whether any of the described NIS protection functions will be performed by the PPS system. Please clarify exactly what the role of the PPS system is for these NIS Protection functions.
PG&E response: Power range analog inputs are provided by the NIS to each PPS Protection Set for use in the calculation of the Overtemperature Delta-T and Overpower Delta-T Setpoint in the Delta-T/Tavg channels. No other NIS signals interface with the PPS. The NIS Protection functions (RT and power range permissives) are generated independently by Nuclear Instrumentation bistable comparators. The NIS bistable outputs are sent directly to the SSPS and have no physical interface with the PPS.
Comments: Only PPS Functions will be described in the SE. 5/30/12 Determined that no RAI is needed for this item.
No.: 12
Src/RI: RS
Status: Closed
RAI No.: RAI 03
RAI Response: Received 09/11/12.
Issue Description: Permissive Functions - Several Permissive functions are described within the LAR. It is not clear to the staff whether any of these functions are to be performed by the PPS or if the PPS will only be providing input to external systems that in turn perform the permissive logic described in the LAR. Section 4.1.9 states that "Settings of the bistable comparators used to develop the permissives are not affected by the PPS Replacement Project", which implies that all of these permissive functions are performed by systems other than the PPS. However, it is still unclear if this statement applies to all permissive functions described throughout the LAR or if it applies only to those permissives relating to Pressurizer Pressure. It is also possible that the permissive functions are being performed by the existing PPS and will continue to be performed by the replacement system and therefore remain "not affected" by the PPS replacement project.
Please provide additional information for the following permissive functions to clearly define what the role of the PPS system will be for each.
- P-4 Reactor Trip
- P-6 Intermediate Range Permissive
- P-7 Low Power Permissive (Bypasses low Ppzr reactor trip)
- P-8 Loss of Flow Permissive
- P-9 Power Permissive
- P-10 Power Range Power Low Permissive
- P-11 Low Pressurizer Pressure SI Operational Bypass
- P-12 No-Load Low-Low Tave Temperature Permissive
- P-13 Turbine Low Power Permissive
- P-14 Hi-Hi Steam Generator Level
PG&E response: Permissive function initiation signals generated within the existing PPS will continue to be performed by the replacement PPS and therefore remain "not affected" by the PPS replacement project. Permissive function initiation signals that are generated independently of the existing PPS will continue to be generated independently.
- Permissive P-6, P-8, P-9, and P-10 initiation signals are bistable comparator outputs from the independent NIS to the SSPS. There is no interface with the PPS.
- Permissive P-4 initiation signals are direct contact inputs to the SSPS coincidence logic generated from contacts in the Reactor Trip Breakers (RTB). There is no interface with the PPS.
- Permissive P-11, P-12, P-13, and P-14 initiation signals are generated by bistable comparator outputs generated in the PPS and sent to the SSPS.
- Permissive P-7 is generated in the SSPS from 3 out of 4 power range NI channels (from NIS - P-10) below setpoint and 2/2 turbine impulse chamber pressure channels below setpoint (from PPS P-13).
The bistable initiation signals described above are monitored by the SSPS. The SSPS generates the Permissive when appropriate coincidence of initiation signals is detected. No SSPS permissive or safety function coincidence logic is changed by the PPS replacement project.
Permissives P-6, P-7, P-8, P-9, P-10, and P-13 are functionally described in FSAR Table 7.2-2. Permissives P-4, P-11, P-12, and P-14 are functionally described in FSAR Table 7.3-3.
The bistable comparator setpoints for the above-listed permissives are not expected to change at this time.
Comments: The NRC understands that all permissives are developed within the SSPS system. Permissives P-11 - P-14 use inputs provided by the PPS system. All other permissives use inputs generated by external systems that are independent of the PPS. See 13 below.
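The division of labour in the response above (the PPS and NIS produce per-channel bistable outputs; the SSPS alone performs coincidence logic and develops the permissive), shown as an added example in Python. It is not PG&E, Westinghouse or Invensys code: the channel counts and the 3-of-4 / 2-of-2 combination for P-7 come from the response, while the setpoint values, the sample channel readings and the function names are constructed placeholders.

```python
"""Model of permissive development: PPS/NIS bistables feed SSPS coincidence.

Added example for this page; not PG&E, Westinghouse or Invensys code. The
setpoint numbers and sample channel values below are constructed placeholders,
not plant values (the page says the real setpoint calculations are submitted
separately).
"""
from typing import List, Sequence


def bistable_below(values: Sequence[float], setpoint: float) -> List[bool]:
    """Per-channel bistable comparator output: True when the channel is below
    its setpoint. This is the PPS (or NIS) side: one boolean per channel and
    no coincidence logic at all."""
    return [v < setpoint for v in values]


def m_out_of_n(signals: Sequence[bool], m: int) -> bool:
    """SSPS coincidence: True when at least m of the n initiation signals are
    present."""
    if not 1 <= m <= len(signals):
        raise ValueError("m must be between 1 and the number of channels")
    return sum(1 for s in signals if s) >= m


# Constructed placeholder setpoints (percent of full power / percent of
# full-power turbine impulse chamber pressure).
P10_POWER_SETPOINT_PCT = 10.0
P13_TURBINE_SETPOINT_PCT = 10.0


def nis_p10_bistables(power_range_pct: Sequence[float]) -> List[bool]:
    """Four NIS power-range channels -> four P-10 'below setpoint' bistables.
    Generated in the NIS, with no PPS interface (per the response)."""
    if len(power_range_pct) != 4:
        raise ValueError("P-10 uses four power-range channels")
    return bistable_below(power_range_pct, P10_POWER_SETPOINT_PCT)


def pps_p13_bistables(impulse_pressure_pct: Sequence[float]) -> List[bool]:
    """Two turbine impulse chamber pressure channels, monitored by the PPS,
    -> two P-13 initiation signals sent to the SSPS."""
    if len(impulse_pressure_pct) != 2:
        raise ValueError("P-13 uses two turbine impulse chamber pressure channels")
    return bistable_below(impulse_pressure_pct, P13_TURBINE_SETPOINT_PCT)


def ssps_p7(p10_signals: Sequence[bool], p13_signals: Sequence[bool]) -> bool:
    """SSPS develops P-7 from 3-of-4 NIS P-10 bistables AND 2-of-2 PPS P-13
    bistables, the combination the PG&E response describes."""
    return m_out_of_n(p10_signals, 3) and m_out_of_n(p13_signals, 2)


def develop_p7(power_range_pct: Sequence[float],
               impulse_pressure_pct: Sequence[float]) -> bool:
    """End to end: field channels -> bistables -> SSPS coincidence -> P-7."""
    return ssps_p7(nis_p10_bistables(power_range_pct),
                   pps_p13_bistables(impulse_pressure_pct))


if __name__ == "__main__":
    # Constructed sample: three NI channels and both turbine channels low.
    print(develop_p7([4.0, 5.5, 6.0, 35.0], [3.0, 4.0]))   # True
    # One turbine channel above setpoint: 2-of-2 not met, P-7 not developed.
    print(develop_p7([4.0, 5.5, 6.0, 35.0], [3.0, 12.0]))  # False
```

The point the staff's comment makes is visible in the code's layering: nothing the PPS side does (`bistable_below`, `pps_p13_bistables`) involves more than one channel, so changing a comparator setpoint in the PPS never touches the coincidence logic in `ssps_p7`.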
No.: 13
Src/RI: RS
Status: Closed
RAI No.: N/A
Issue Description: P-12 Permissive Contradiction - The second paragraph of section 4.1.20 describes the P-12 interlock and states that "These signals are developed in the PPS". This statement is then contradicted in the third paragraph by the following statement: "These valves are not safety-related, but are interlocked with the P-12 signal from the SSPS." In conjunction with the response to RAI 3, please provide a resolution for this contradiction in section 4.1.20 of the LAR.
PG&E response: The word "signals" in the referenced Section 4.1.20 sentence, "These signals are developed ... ", is referring to the bistable comparator outputs which are monitored by the SSPS. The PPS does not generate the P-12 Permissive itself. The actual P-12 Permissive is generated by the SSPS when appropriate coincidence of initiation signals is detected. The SSPS output is interlocked with the valves as stated in the third paragraph of Section 4.1.20.
The LAR Section 4.1.20 is clarified by the following statement:
" ... The P-12 Permissive is developed in the SSPS based on coincidence of the P-12 bistable comparator output initiation signals from the PPS ... "
Protection System Permissives (P-11 unblock SI from ALS, P-13 Turbine power permissive from Tricon, and P-14 Steam Generator Level high-high from Tricon) are generated by coincident logic in the SSPS based on initiating signals (bistable outputs) from the PPS as noted in the response to OI #12. Permissive development, including initiating signals and logic coincidence, is shown in FSARU Tables 7.2-2 (RTS) and 7.3-3 (ESFAS).
The PPS does not perform coincident logic functions and does not "generate" any protection system permissives.
Comments: The NRC understands that the P-12 signal is generated by the SSPS using signals developed in the PPS. 5/30/2012 Determined that no RAI will be needed for this item.
No.: 14
Src/RI: RS
Status: Closed
RAI No.: N/A
Issue Description: Section 4.1.1 SSPS contains the following statement in the last paragraph: "Information concerning the PPS status is transmitted to the control board status lamps and annunciators by way of the SSPS control board demultiplexer and to the PPS by way of the SSPS computer demultiplexer." Why would the PPS status need to be transmitted to the PPS as the sentence suggests in the last phrase?
PG&E response: The sentence in Section 4.1.1 contains a typographical error. The sentence should read:
"Information concerning the PPS status is transmitted to the control board status lamps and annunciators by way of the SSPS control board demultiplexer and to the Plant Process Computer (PPC) by way of the SSPS computer demultiplexer."
As used in the Section 4.1.1 paragraph, "PPS Status" means "PPS Channel Trip Status."
Comments: PGE Response resolves this Open Item. Change status to Closed.
No.: 15
Src/RI: (BK)
Status: Closed
RAI No.: Drafted RAI #4 to obtain an answer/report to this ISG-04 compliance matrix for the ALS platform.
RAI Response: Received 09/11/12.
Issue Description: An ISG-04 compliance matrix for the DCPP PPS system was not submitted with, or referenced in, the LAR for the W/ALS platform. Instead the ISG-04 compliance section 4.8 of the LAR refers the reader to the ALS LTR for nearly all the points of ISG-04. Fig. 4.4 and 4.5 of the LAR indicate various 1E and non-1E communication pathways to and from the ALS processor (e.g., Maintenance Work Station, plant computer, process control, port address aggregator, and 4-20 mA temperature signal to Tricon processor). These are all application specific features of the PPS and the staff expects a W/CSI ALS document to be submitted, similar in scope and detail to the Invensys "PACIFIC GAS & ELECTRIC COMPANY NUCLEAR SAFETY RELATED PROCESS PROTECTION SYSTEM REPLACEMENT DIABLO CANYON POWER PLANT DI&C-ISG-04 CONFORMANCE REPORT", Document No. 993754-1-912 Revision 0, to be submitted on the docket, which explains how the ALS portion of the PPS application conforms with the guidance of ISG-04.
PG&E response: PG&E is developing the ISG-04 compliance matrix Table for the ALS platform and PG&E will submit the Table by July 31, 2012.
Comments: (Kemper 4-4-12) No further discussion necessary until May 31, 2012.
4/4/12 update: The draft ALS ISG-04 compliance matrix on the ALTRAN Sharepoint website is not detailed enough for the staff to use in approving the ALS portion of the PPS' communications design. Suggest PG&E review the Invensys ISG-04 Doc., Document No. 993754-1-912 (-P) Revision 0, and provide guidance for an ALS document at the same level of detail.
No.: 16
Src/RI: (BK)
Status: Closed
RAI No.: RAI 05
RAI Response: Received 09/11/12.
Issue Description: Section 1.4.4 (pg. 12/38) of document 993754-1-813 Diablo Canyon Triconex PPS Validation Test Plan (VTM) states "The network equipment, including media converter, NetOptics Network Aggregator Tap, and gateway hub, and the MWS will not be within the test scope of this VTP. The Nuclear Delivery (ND) group will coordinate with Pacific Gas & Electric for system staging prior to turn over to Nuclear IV&V. The Nuclear IV&V group will confirm proper operation of network communications system interfaces before beginning testing addressed in this VTP." When, where, and what procedures will be used to test the network equipment??
PG&E response: Additional information on the PPS testing is being provided to the staff. The information on the PPS testing was updated on May 9 to address staff comments provided in the 4/18/22 conference call. The VTM will need to be updated based on the additional information. A date that the updated VTM will be submitted will be provided after feedback from the staff is received on the additional information on the PPS testing.
Comments: Received two papers discussing integration test plans for the PPS system. These papers were discussed at the 4/18/2011 CC. The staff agrees that the analog RTD signal loops may be tested separately at the Tricon FAT and at the ALS FAT to satisfy integration test requirements.
The staff expressed some concerns over the statement that "There is no digital data connection between the Tricon and the ALS." This appears to be a misleading statement since both systems do have connections to the common MWS. Further clarification should be provided and the statement should be revised to describe the nature of the MWS connections to each system.
A follow-up discussion was had at the 5/16/12 conference call.
The NRC staff feels that the final integration to be performed during SAT as proposed will have to be complete and the results submitted prior to issuance of the SE.
No.: 17
Src/RI: (BK)
Status: Closed
RAI No.: RAI 06
RAI Response: Received 09/11/12.
Issue Description: Section 5.1.4.3, Hardware Validation Tests, (pg. 27/38) of document 993754-1-813 Diablo Canyon Triconex PPS Validation Test Plan (VTM) states that the ALS equipment will not be included in the FAT. Where, when, and what procedures will be used to fully test the Integrated PPS system (both Tricon V10 and ALS platforms together) be subjected to FAT.
PG&E response: Additional information on the PPS testing is being provided to the staff. The VTM will need to be updated based on the additional information. A date that the updated VTM will be submitted will be provided after feedback from the staff is received on the additional information on the PPS testing.
Comments: This issue was discussed at the 4/18/2011 CC. PGE proposed performance of separate but overlapping tests at each factory to accomplish the integration test.
The staff has some concern over the fact that the MWS's to be installed in the plant would only be tested during the Tricon FAT. A fifth MWS to be configured the same as the plant MWS's is to be used during the ALS FAT.
One option to resolve this concern may be to credit the SAT test results in the SE. The current schedule for SAT (July 2013) does support this.
No.: 18
Src/RI: (BK)
Status: Closed
RAI No.: RAI 7 & 8
RAI Response: Received 09/11/12.
Issue Description: Software Management Plan: Regulatory Guide (RG) 1.168, Revision 1, "Verification, Validation, Reviews and Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," dated February 2004 endorses IEEE (Institute of Electrical and Electronics Engineers) 1012-1998, "IEEE Standard for Software Verification and Validation," and IEEE 1028-1997, "IEEE Standard for Software Reviews and Audits," with the exceptions stated in the Regulatory Position of RG 1.168. RG 1.168 describes a method acceptable to the NRC staff for complying with parts of the NRC's regulations for promoting high functional reliability and design quality in software used in safety systems. Standard Review Plan (SRP) Table 7-1 and Appendix 7.1-A identify Regulatory Guide 1.168 as SRP acceptance criteria for reactor trip systems (RTS) and for engineered safety features actuation systems (ESFAS).
The Invensys PPS Replacement Software Verification and Validation Plan (SVVP), 993754-1-802, does not provide a clear explanation of how the Invensys SVVP complies with IEEE 1012-1998. Please provide a cross reference table that explains how the Invensys SVVP implements the criteria of IEEE 1012-1998.
Also, the Westinghouse/ALS 6116-00000 Diablo Canyon PPS Management Plan does not provide a clear explanation of how the CSI SVVP complies with IEEE 1012-1998. Please provide a cross reference table that explains how the W/CSI SVVP implements the criteria of IEEE 1012-1998.
PG&E response: Westinghouse incorporated the IEEE-1012 compliance table in the ALS V&V plan document 6116-00003 in Appendix A Table A-1 and PG&E submitted the ALS V&V plan document 6116-00003 to the staff on June 6, 2012, in Attachment 7 to the Enclosure of PG&E Letter DCL-12-050.
Comments: (Kemper 4/12/12) update: The staff has reviewed the Invensys IEEE 1012 compliance matrix on the PG&E/Altran sharepoint directory and it appears to be acceptable. The matrix appears to be comprehensive and indicates no exceptions to any clauses in IEEE 1012. No attempt was made to review/verify that, where Invensys claims compliance with any particular Clause in the Std, the respective section in their SVVP is acceptable; the staff will work through this as the SVVP is reviewed and evaluated for approval. Please submit the document on the docket.
This OI will remain open pending review of the Westinghouse/CSI document.
Item 19 (RS)
Status: Closed. RAI No.: RAI 9. RAI Response: Received 09/11/12.
Issue: Section 4.1.1 of the LAR states that "The SSPS evaluates the signals and performs RTS and ESFAS functions to mitigate Abnormal Operational Occurrences and Design Basis Events described in FSAR [26] Chapter 15." However, Chapter 15 of the DCPP FSAR does not use the terms Abnormal Operational Occurrence (AOO) or Design Basis Accident (DBE). Instead, the accident analysis in chapter 15 identifies conditions as follows:
CONDITION I - NORMAL OPERATION AND OPERATIONAL TRANSIENTS
CONDITION II - FAULTS OF MODERATE FREQUENCY
CONDITION III - INFREQUENT FAULTS
CONDITION IV - LIMITING FAULTS
As such, the statement that AOO's and DBE's are described in the FSAR appears to be inaccurate. Please explain the correlation between the Conditions described in FSAR chapter 15 and the Abnormal Operational Occurrences and Design Basis Events described in the LAR.
PG&E response: The AOO's are referred to as ANS Condition I "Operational Transients" in FSAR Chapter 15 and are addressed in FSAR Chapter 15.1. The design basis accidents are referred to as ANS Condition II "faults of moderate frequency," ANS Condition III "infrequent faults," and ANS Condition IV "limiting faults" and are addressed in FSAR Chapter 15.2, 15.3, and 15.4 respectively.
Comments: 3/21/12 update: PG&E has created a share point website for NRC to review PPS design drawings that will address this issue as well as OI 20 and 21. NRC staff will determine if they are needed to be submitted on the docket. PG&E will ensure the website information is only applicable to this licensing action.
Item 20 (RS)
Status: Closed. RAI No.: N/A.
Issue: The system description provided in Section 4 of the LAR includes "functions performed by other protective systems at DCPP in addition to the PPS functions". In many cases, there is no explanation of what system is performing the functions described, nor is there a clarification of whether the described functions are being performed by the PPS system. As an example, Section 4.1.16 describes a bypass function to support testing of the high-high containment pressure channel to meet requirements of IEEE 279 and IEEE 603. The description of this function does not, however, state whether this latch feature is being implemented within the PPS system or in the SSPS. The staff needs to have a clear understanding of the functional scope of the PPS system being modified in order to make its regulatory compliance determinations. Please provide additional information, such as PPS function diagrams, to help the staff distinguish PPS functions from functions performed by other external systems.
PG&E response: PPS design drawings have been provided to the staff on the Sharepoint site.
Comments: 3/21/12 update: PG&E has created a share point website for NRC to review PPS design drawings that will address this issue. NRC staff will determine if they are needed to be submitted on the docket. PG&E will ensure the website information is only applicable to this licensing action. 5/30/12: Determined that no RAI will be needed for this item. 7/02/12: Closed Item. Information in Function diagrams is sufficient for NRC to determine PPS functionality.
Item 21 (RA)
Status: Closed. RAI No.: RAI 21.
Issue: Westinghouse/CSI document 6116-00005, "Diablo Canyon PPS System Test Plan," states that the ALS-102 FPGA design is changed for the DCPPS System. Further, Section 5.3.3 states: "Test as many of the ALS-102 requirements as possible." Please identify what document describes the design verification test for this board.
PG&E response: The documents that describe the design verification tests for the ALS-102 are 6116-70140, "Diablo Canyon PPS System Test Design Specification," submitted June 6, 2012, and 6116-10216, "Diablo Canyon PPS VV Simulation Environment Specification," that will be placed on the Sharepoint by April 18, 2013 and submitted by May 17, 2013.
Comments:
01/23/2013 update: This item will remain open until the document is available to the staff.
12/19/12 update: Westinghouse/ALS will submit the documents by 12/31/2012.
10-17-12 update (Alvarado): Westinghouse/ALS will submit the documents by 10/31/2012.
9-19-12 update (Alvarado): Waiting for ALS document to be submitted at the end of September.
6-13-12 update (Kemper): PG&E understands that they need to provide an update to this response. In the meantime, PG&E and ALS have provided 2 design specifications that will address this OI. These documents are placed on the PG&E sharepoint website. Doc. No. 6116-10740 was submitted on June 6, 2012, which describes the ALS system test design specification. Doc. No. 6116-00005 was also submitted on June 6, 2012, which describes the ALS system test plan. Doc. No. 6116-10216, ALS VV Simulation Environment Specification, will be provided in the future.
3/21/12 update: PG&E has created a share point website for NRC to review PPS design drawings that will address this issue. NRC staff will determine if they are needed to be submitted on the docket. PG&E will ensure the website information is only applicable to this licensing action.
NRC: the response provided does not address the question.
7/13/12 (rjs): Deleted RAI 10 pending review of revised response. Also decided to hold item open.
Item 22 (BK)
Status: Closed. RAI No.: RAI 5. RAI Response: Received 09/11/12.
Issue: Follow-on OI #5 question pertaining to the PPS VTP: Section 1.4.4 (pg. 12/38) states "The network equipment, including media converter, NetOptics Network Aggregator Tap, and gateway hub, and the MWS will not be within the test scope of this VTP. The Nuclear Delivery (ND) group will coordinate with Pacific Gas & Electric for system staging prior to turn over to Nuclear IV&V. The Nuclear IV&V group will confirm proper operation of network communications system interfaces before beginning testing addressed in this VTP." When, where, and what procedures will be used to test the network equipment? Also, section 5.1.4 (3) Hardware Validation Tests states that the ALS equipment will not be included in the FAT (pg. 27/38). Where, when, and with what procedures will the Integrated PPS system (both Tricon V10 and ALS platforms together) be fully tested and subjected to FAT?
PG&E response: Additional information on the PPS testing is being provided to the staff. The VTP will need to be updated based on the additional information. A date that the updated VTP will be submitted will be provided after feedback from the staff is received on the additional information on the PPS testing.
Item 23 (BK)
Status: Closed. RAI No.: RAI 11. RAI Response: Received 09/11/12.
Issue: Section 4.2.13.1 of the LAR (page 85) states: "Figure 4-13 only shows one TCM installed in the Tricon Main Chassis (Slot 7L); the PPS replacement will utilize two TCM cards in each main chassis (Slots 7L and 7R). This will provide two non-safety-related communication paths to the MWS and the PPC Gateway Computer from each Protection Set to ensure continued communications if a single TCM fails. The NetOptics Model PA-CU/PAD-CU [1] port aggregator network tap was approved previously by NRC for a similar application in the Oconee RPS SER Section 3.1.1.4.3 [18]. The NRC staff determined that due to the electrical isolation provided by use of fiber optic cables and the data isolation provided by the Port Tap and the Maintenance and Service Interface (MSI) in the Oconee RPS, there was reasonable assurance that a fault or failure within the Oconee Gateway computer or the Operator Aid Computer will not adversely affect the ability of the Oconee RPS to accomplish its safety functions. During the SAT PG&E will test the Protection Set communications paths illustrated in Figure 4-13 to verify that there is no inbound communications path associated with port aggregator network tap Port 1. That is, PG&E will verify that communications from Port 1 to either the TCM on Port A or the MWS on Port B of the port aggregator network tap are not permitted. Results of this test will be documented in the final System Verification and Validation Report. Port aggregator dual in-line package (DIP) switch positions will be controlled by DCPP configuration management processes."
In order for the Staff to approve the integrated configuration of the PPS prior to shipment of the PPS equipment to the DCPP site, all communications paths will require testing on or before FAT, and before completion of the SER. This testing is typically completed during or before the PPS FAT; otherwise, the SER will not be completed until after the SAT. Please provide a test scheme/procedures that satisfies all regulatory requirements prior to or during the FAT. Otherwise, if this testing will be completed during the SAT, as stated in the LAR, please provide a detailed schedule for this testing so the NRC can revise its PPS LAR Review Plan accordingly.
[1] The NetOptics Model PAD-CU has two one-way output ports but is otherwise identical in function to the PA-CU.
PG&E response: Additional information on the PPS testing for ALS is being provided to the staff. A date the additional information will be submitted will be provided after feedback from the staff is received on the additional information on the PPS testing for ALS.
Item 24 (RJS)
Status: Closed. RAI No.: N/A.
Issue:
a. Section 4.1.17 paragraph 3 discusses the protection functions associated with High-High Steam Generator Level or P-14. In this discussion it is stated that the SI signal initiates the same two functions (Turbine Trip and Feedwater Isolation); however, there is no mention of this in section 4.1.9 or in the discussion of the P-14 permissive. Please confirm that P-14 can be initiated by either High-High SG Level or by initiation of SI.
b. This same section also states that the described latched-in function serves to comply with IEEE Std. 279 Section 4.16. The replacement PPS system is not being evaluated against the criteria of IEEE 279. Instead, IEEE 603-1991 is being used, and the equivalent criteria are contained in section 5.2 of IEEE 603-1991. PGE needs to understand that the criteria of IEEE 279 are not relevant to this review effort.
PG&E response:
a. Turbine Trip can be initiated by either the P-14 steam generator level protection function OR by the latched Safety Injection (SI). Section 4.1.17 describes the Steam Generator Level High-High Protection function P-14. Upon sensing high steam generator level, the PPS generates an initiation signal to the SSPS, which generates the turbine trip signal and initiates Auxiliary Feedwater when coincidence of 2 of 3 high-high level signals in any steam generator is detected. Section 4.1.9 describes Pressurizer Protection Functions, one of which is initiation of Safety Injection through the SSPS when coincidence of 3 of 4 Pressurizer Pressure Low-Low signals from the PPS is detected. The SI actuation signal also actuates turbine trip and Auxiliary Feedwater through the SSPS, but SI is not initiated by Steam Generator Level High-High. The P-14 protection function is initiated ONLY by Steam Generator Level High-High. Through the SSPS, P-14 will trip the turbine and actuate Auxiliary Feedwater. An SI signal will also actuate Turbine Trip and Auxiliary Feedwater, among other actions. Pressurizer Protection functions do not initiate P-14, and Steam Generator Level High-High P-14 does not initiate SI.
b. PG&E intended Section 4.1 to describe the existing PPS and to apply only to the existing PPS, which complies with IEEE 279-1971. Sections 4.2 to 4.13 of the LAR apply to the PPS Replacement. Section 4.10.2.2 describes compliance of the PPS Replacement with IEEE 603-1991 Section 5.2. PG&E understands and appreciates that IEEE-603 applies to the PPS replacement.
Comments: Item initiated on 4/23/2012. PGE Response accepted.
Item 25 (RJS)
Status: Closed. RAI No.: N/A.
Issue: Sections 4.1.17 and 4.1.21 state that the P-9 permissive is the "Power Range at Power" function, while Section 4.1.9 states that the P-10 Permissive is also called the "Power Range at Power" function. Is it correct that both of these permissives are called "Power Range at Power" and that they perform different functions?
PG&E response: Both P-9 and P-10 are "Power Range at Power" functions; both are active when the Power Range NI channels are at power. Permissive P-9 blocks reactor trip on turbine trip when 3 of 4 Power Range NI channels are below 50%. Permissive P-10 is active when 2 of 4 Power Range NI channels are above 10%. Permissive P-10 is combined with Turbine Power Permissive P-13 (which is active above approximately 10% turbine load) to provide input to Permissive P-7, which allows blocking several low power reactor trips. In effect, Permissive P-10 is the "Power Range at Power - Low" permissive and Permissive P-9 is the "Power Range at Power - High" permissive. This is consistent with the response to OI #12, above.
Comments: Item initiated on 4/23/2012. PGE Response Accepted.
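The coincidence and permissive relationships stated in the responses to Items 24 and 25, written out as an added illustration (not PG&E's, Invensys's or Westinghouse's logic), so each statement can be checked in isolation: P-14 and SI are separate votes that both drive turbine trip and auxiliary feedwater, and P-9/P-10/P-13/P-7 are threshold votes on the power range channels. Channel values are constructed samples; the operator combining P-10 with P-13 for P-7 and the propagation of a turbine trip to a reactor trip are assumptions of the example, marked as such in the code.

```python
from dataclasses import dataclass
from typing import Dict, Sequence


def coincidence(channels: Sequence[bool], required: int) -> bool:
    """M-of-N voting: True when at least `required` channels are tripped."""
    return sum(1 for tripped in channels if tripped) >= required


@dataclass(frozen=True)
class PpsInputs:
    """Constructed sample of the channel states the functions below consume."""
    sg_level_hi_hi: Sequence[Sequence[bool]]  # per steam generator, 3 channels each
    pzr_press_lo_lo: Sequence[bool]           # 4 pressurizer pressure low-low channels
    power_range_pct: Sequence[float]          # 4 power range NI channels, % power
    turbine_load_pct: float                   # turbine load, % (for P-13)


def p14(inp: PpsInputs) -> bool:
    """P-14: 2 of 3 SG level high-high signals in any one steam generator (Item 24).
    It is initiated only by SG level, never by SI."""
    return any(coincidence(sg, 2) for sg in inp.sg_level_hi_hi)


def safety_injection(inp: PpsInputs) -> bool:
    """SI via the pressurizer function: 3 of 4 pressure low-low (Item 24).
    P-14 plays no part in this vote."""
    return coincidence(inp.pzr_press_lo_lo, 3)


def ssps_actuations(inp: PpsInputs) -> Dict[str, bool]:
    """What the SSPS actuates from the PPS signals, per the Item 24 response:
    P-14 trips the turbine and starts auxiliary feedwater; an SI signal does
    the same (among other actions); neither initiates the other."""
    si = safety_injection(inp)
    hi_hi = p14(inp)
    return {
        "safety_injection": si,
        "p14": hi_hi,
        "turbine_trip": hi_hi or si,
        "aux_feedwater": hi_hi or si,
    }


def p9_blocks_rx_trip_on_turbine_trip(inp: PpsInputs) -> bool:
    """P-9 ('Power Range at Power - High', Item 25): the reactor trip on
    turbine trip is blocked while 3 of 4 power range channels are below 50%."""
    return coincidence([p < 50.0 for p in inp.power_range_pct], 3)


def p10(inp: PpsInputs) -> bool:
    """P-10 ('Power Range at Power - Low'): 2 of 4 power range channels above 10%."""
    return coincidence([p > 10.0 for p in inp.power_range_pct], 2)


def p13(inp: PpsInputs) -> bool:
    """P-13: turbine power permissive, active above approximately 10% load."""
    return inp.turbine_load_pct > 10.0


def p7(inp: PpsInputs) -> bool:
    """P-7 takes P-10 combined with P-13 as its input. The page does not state
    the combining operator; OR is an assumption of this example."""
    return p10(inp) or p13(inp)


def reactor_trip_on_turbine_trip(inp: PpsInputs) -> bool:
    """A turbine trip propagates to a reactor trip unless P-9 blocks it.
    The existence of this trip is implied by the P-9 description; modelling
    the propagation this way is an assumption of the example."""
    return ssps_actuations(inp)["turbine_trip"] and not p9_blocks_rx_trip_on_turbine_trip(inp)


# Constructed scenarios (sample data, not plant values).
AT_POWER_SG1_HI_HI = PpsInputs(
    sg_level_hi_hi=[[True, True, False], [False] * 3, [False] * 3, [False] * 3],
    pzr_press_lo_lo=[False] * 4,
    power_range_pct=[60.0, 60.0, 60.0, 60.0],
    turbine_load_pct=60.0,
)
LOW_POWER_PZR_LO_LO = PpsInputs(
    sg_level_hi_hi=[[False] * 3] * 4,
    pzr_press_lo_lo=[True, True, True, False],
    power_range_pct=[5.0, 5.0, 5.0, 40.0],
    turbine_load_pct=5.0,
)
# One high-high channel in each of two SGs: no single SG reaches 2 of 3, so no P-14.
SPLIT_SG_CHANNELS = PpsInputs(
    sg_level_hi_hi=[[True, False, False], [False, True, False], [False] * 3, [False] * 3],
    pzr_press_lo_lo=[True, True, False, False],
    power_range_pct=[60.0, 60.0, 60.0, 60.0],
    turbine_load_pct=60.0,
)

if __name__ == "__main__":
    for name, inp in [("at power, SG1 hi-hi", AT_POWER_SG1_HI_HI),
                      ("low power, pzr lo-lo", LOW_POWER_PZR_LO_LO),
                      ("split SG channels", SPLIT_SG_CHANNELS)]:
        print(name, ssps_actuations(inp), "P-7:", p7(inp),
              "rx trip on turbine trip:", reactor_trip_on_turbine_trip(inp))
```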
Item 26 (RJS)
Status: Closed. RAI No.: RAI 12. RAI Response: Received 09/11/12.
Issue: The PG&E SyQAP defines Supplier tasks that are related to assurance of software quality for each of the following phases of development:
- Project Initiation and Planning
- Conceptual Design
- Requirements
- Design
- Implementation
- Integration
- Test
These phases do not align with the phases used in the ALS or Tricon development lifecycles. For instance, the Tricon SQAP defines the phases as Requirements, Design, Implementation, and Test (Validation). Because of this, it is not clear how assurance of task completion can be accomplished. During which Tricon phases would those tasks listed under Integration, Initiation and Planning, and Conceptual Design be performed? The ALS SQAP does not mention phases, but the ALS Management plan defines the development phases as Planning, Development, Manufacturing, System Test, and Installation. Would it be possible for PGE to provide a mapping of Phases defined in the SyQAP to the Phases of the ALS and Tricon system development processes so that the staff can correctly identify and confirm performance of these QA tasks?
PG&E response: PGE provided a mapping of Phases defined in the SyQAP to the Phases of the ALS and Tricon system development processes in the SyQAP revision 1, placed on the Sharepoint on March 25, 2013 and to be submitted by April 26, 2013.
Comments: Item Initiated on 4/25/2011. Will need formal response for this item. Therefore this will be an RAI.
Item 27 (RA) - Software Management Plan
Status: Closed. RAI No.: RAI 13. RAI Response: Received 09/11/12.
Issue: The LAR, Attachment 3, describes the project organization, roles and responsibilities for the PPS replacement project. This document does not describe oversight activities that PG&E will perform during the PPS replacement project, the interface between PG&E and Invensys and WEC/CSI, or the methodology to judge quality of the vendor effort. Please provide this information.
PG&E response: Oversight activities for the project were discussed in Section 4.2.11, Appendix B Compliance, of the LAR, which discusses the DCPP Quality Assurance Program and Procurement Control Program and states that PG&E will audit IOM and CSI during the manufacturing phase under the PG&E Nuclear Procurement Program and associated directives. In support of the oversight activities, PG&E will issue a Project Quality Plan (PQP) that will define the oversight activities to be performed, including technical audits, cyber security audits, and software quality assurance audits. The PQP is expected to be issued in June and will be submitted to the staff by July 31, 2012. Following the performance of the PQP audits, audit reports will be created and a PQP Audit Summary Report will be created. PG&E will submit the PQP Audit Summary Report to the staff at the time the vendor hardware is delivered to PG&E. The vendor hardware is currently expected to be delivered to PG&E in Spring 2013. The PQP audit reports will not be submitted but will be made available to the NRC staff for review.
Comments: The PQP will need to be submitted.
Item 28 (RA) - Software Management Plan
Status: Closed. RAI No.: N/A.
Issue: The LAR, Attachment 3, states that PG&E is responsible for the following activities in the lifecycle: project initiation and planning phase, conceptual design phase, requirements phase, installation and checkout phase, operation phase, and maintenance phase. Further, Section 3.1.10 states that PG&E will follow the activities described before for software modifications. Please explain how PG&E will perform software modifications to the Tricon and ALS platforms once the PPS replacement project is completed.
PG&E response: The control of the software modifications to the Tricon and ALS platforms once the PPS replacement project is completed will be by the Process Protection System Replacement Software Configuration Management Plan, SCM 36-01, Revision 0, which was submitted as part of the Phase 2 document submittal on June 6, 2012, in Attachment 4 to the Enclosure of PG&E Letter DCL-12-050. The SCM-01, Revision 0, document has been placed on the Sharepoint site.
Comments: Alvarado (6/13/12): PG&E placed a copy of their Software Configuration Management Plan in their Sharepoint site.
Item 29 (RA) - Software Management Plan
Status: Closed. RAI No.: RAI 13. RAI Response: Received 09/11/12.
Issue: The LAR, Attachment 3, states that the PG&E Project Manager will share the responsibility for meeting the software quality goals and for implementing the software quality management throughout the project. Please describe what responsibilities are going to be shared and how this is going to be performed.
PG&E response: The PG&E Project Manager will share the responsibility for meeting the software quality goals with the PG&E Quality Verification organization personnel. To implement the oversight activities, the PG&E Quality Verification organization will issue a Project Quality Plan (PQP) that will define the oversight activities to be performed, including technical audits, cyber security audits, and software quality assurance audits.
Item 30 (RA) - Software Development Plan
Status: Closed. RAI No.: RAI 14 (not used). RAI Response: Not required.
Issue: Section 7 of the Invensys Nuclear System Integration Program Manual (NSIPM) requires that non-conforming procedures shall be used to control parts, components, or systems which do not conform to requirements. Invensys documents 993754-1-906, Software Development Plan, and 993754-1-905, PPS Replacement DCPP Project Management Plan, do not identify non-conforming procedures to be followed when deviations are identified and how deviations should be corrected. Please provide this information.
PG&E response: The Project Management Plan (PMP), 993754-1-905, is the overarching project management document for the Invensys scope of the PPS Replacement Project. It references other Invensys planning documents that discuss procedures to follow when deviations are identified and how they are corrected. The Software Development Plan, 993754-1-906, describes the software development process for the Invensys scope of the PPS Replacement Project. 993754-1-906 has been revised to Revision 1 to include new Section 3.2.6, which discusses problem reporting and corrective action. 993754-1-906, Revision 1, was submitted by PG&E on August 2, 2012. In addition, the Invensys Software Quality Assurance Plan, 993754-1-900, Section 8, and the Invensys Software Configuration Management Plan, 993754-1-909, Section 3.2, both provide reference to procedures to follow when deviations are identified and how deviations are corrected.
Comments: 9/19/12 update (Alvarado): Rev. 1 of 993754-1-906 addressed this question. 7/13/12 (rjs): Decided to not use the RAI and hold this item open pending review of updated phase 2 submittals.
Item 31 (RJS) - Software Quality Assurance Plan
Status: Closed. RAI No.: RAI 15. RAI Response: Received 09/11/12.
Issue: IEEE 730-2002 stipulates in section 4 that "The SQAP shall be approved by the manager of each of the organizations having responsibilities in the SQAP." The PGE SyQAP has been approved by the PGE Diablo PPS Upgrade Project Manager and the Altran Project lead; however, there are several other organizations that have responsibilities delineated in the SyQAP. The managers of these organizations have not approved the SyQAP. The following organizations are assigned roles and responsibilities within Section 3.4 of the SyQAP. Please explain the means by which these organizations have committed to comply with the requirements stated in the SyQAP.
- Vendor IV&V Projects Managers
- EOC Design Change Package Team
- PGE Project Engineering Team
- QA Organization
- Testing and Integration Team
PG&E response: The software quality assurance plan was discussed in Section 4.11.1.1.1 of the LAR, which did not commit to IEEE 730-2002 criteria in developing the SQAP. IEEE Standard 7-4.3.2-2003 [76] Clause 5.3.1 references IEEE Std 730-1998 for guidance but does not require it to be met. The SyQAP Revision 1, placed on the Sharepoint on March 25, 2013 and to be submitted by April 26, 2013, included changes that identified that the work performed by vendors is performed through a contract, added a signoff for Supplier Quality, Cyber Security Lead, and Licensing Lead, and clarified the roles of the EOC Design Change Package Team, the PGE Project Engineering Team, and the Testing and Integration Team.
Comments: At the 5/16 meeting, the staff explained that PGE should have some commitment from all orgs that have activities in the SyQAP. This could be contractual or through activities that are delineated in other vendor plans or procedures.
Item 32 (RJS)
Status: Closed. RAI No.: RAI 16. RAI Response: Received 09/11/12.
Issue: Section 4.2.7 "Power Supply" of the LAR describes how power is supplied to the PPS. In this description, the 480V AC vital supply is described in the following ways.
- First it is described as back-up common bus to the 120 V distribution panels. We cannot tell if this is through a transformer or if this refers to the alternate supply to the inverters.
- It is also described as a supply to an inverter.
- It is then described as supply to the battery charger.
From these descriptions, it is not clear to the staff how these vital power sources are configured in relation to the 120VAC panels that feed the PPS. Would it be possible to provide a simplified diagram to show the relationship between the 125V Batteries / DC Buses, Battery Chargers, Inverters, and the 120V AC distribution Panels that supply power to the PPS?
PG&E response: The following description clarifies the 120 V vital instrument AC power supply to the PPS:
1. Safety-related 480 VAC from the vital AC motor control center (MCC) is fed to the UPS and rectified.
2. Rectifier output is fed to the inverter and converted to 120 VAC.
3. Safety-related vital DC bus power is fed to the UPS as immediate backup supply. The vital DC bus is backed up by the safety-related 125 VDC station battery, which is charged from vital 480 VAC.
4. Inverter output is fed through a static switch with integral manual bypass switch to the vital instrument AC power distribution panels.
5. On loss of inverter output, the static switch will select backup regulating transformer output (120 VAC) to the distribution panels.
6. The backup regulating transformer receives input from the 480 VAC supply. The backup regulating transformer may be aligned via a transfer switch to either of two 480 VAC busses: the normal supply or an alternate supply. The alternate supply circuit breaker is normally open to prevent interconnection of redundant power supplies due to a failed transfer switch. The transfer switch may not be used under load.
Refer to the attached block diagram for additional detail.
Comments: PGE Response accepted.
Item 33 (RJS) - (ALS SQAP)
Status: Closed. RAI No.: No RAI.
Issue: Software tools are used extensively during the FPGA development process. The staff therefore considers these tools to be a key component to the assurance of quality in the ALS system development process. The ALS SQAP states that "no additional tools, techniques, or methodologies have been identified" for the ALS system. The staff considers the development tools, as well as the techniques and methodologies used during system development, to be relevant to the assurance of quality for the ALS system. Please provide information on the tools and methodologies used during system development to ensure quality of the ALS system products.
PG&E response: Westinghouse agrees that Section 8, Tools, Techniques, And Methodologies, of the ALS QA Plan (6002-00001) should be revised to reference document 6002-00030, "ALS Design Tools." This document describes the tools used and how they are used in the design process. This document is also on the ALS docket. Westinghouse submitted a revision of the ALS QA Plan, Revision 9, on the ALS docket on October 31, 2012, that provides information on the tools and methodologies used.
Comments: Item initiated on 6/5/12. 6-13-12 update (Kemper): W/ALS agrees with NRC's position on tools and will revise the document (Doc. No. 6002-00001) accordingly to address this matter. Placed this item on hold pending review of revised QA plan. RJS: Verified that Rev. 9 of QA Plan refers to 6002-00030, which includes Tool identification and assessments.
Item 34 (RJS) - (Software Integration Plans)
Status: Closed. RAI No.: RAI 20. RAI Response: Received 09/11/12.
Issue: The integration planning documentation referenced in section 4.5.4 of the LAR does not include any integration of the two sub systems (ALS integrated with Tricon). The PGE papers provided that discuss how FAT's will be performed may resolve this, but these papers would have to be docketed as integration planning documents to support our SE. We also need to come to some agreement on the scope of integration to be accomplished prior to issuance of the SE.
PG&E response: The PPS replacement design was revised to include a separate maintenance workstation for the ALS and Tricon subsystems to facilitate separation of the subsystems and to support FAT at each vendor. The design changes and the FAT/SAT testing will be included in the LAR supplement to be submitted in April 2013.
Comments: Item initiated on 6/7/2012. 6-13-12 update (Kemper): This seems duplicate of OI 16 & 23. 7/02/12 (RJS): This is related to OI 16 and 23; however, this specifically addresses the software integration planning documents being assessed. The current software integration plan discussed in section 4.5.4 of the LAR and the documents referenced from there do not adequately address this aspect of system integration. As such the Integration Plan will have to be revised. Just including integration in the FAT will not resolve the inadequacies of the integration planning documents. I anticipate that a supplemental integration plan document will need to be submitted in order for PGE to resolve this. New RAI added and OI closed.
Item 35 (RA) - Follow up of Item 21 - Software Test Plan
Status: Closed. RAI No.: RAI 21.
Issue: In the response provided for Item 21, PG&E explained that a new revision (Rev. 1) of ALS document No. 6116-00005 was provided. The scope of Revision 1 is slightly different from the scope described in Rev. 0. For example, Section 1.2 in both revisions states that test coverage includes all ALS modules, backplane, license sense modules (LSM), and ALS service unit (ASU). However, Section 2, Test Items, differs between these revisions. Revision 1 only focuses on ALS-102 and backplane assemblies. This section does not include other ALS modules, LSM and ATU. Please explain why these other ALS modules are not included in section 2 of the new revision. Further, Table 1-2 identifies "Diablo Canyon PPS Test Plan" as document No. 6116-00005, which is the same number as "Diablo Canyon PPS System Test Plan". Please clarify if this is referring to a different document.
PG&E Response: The scope of both revisions is the same. Revision 1 added more detail into the overall scope. The details are broken down into 2 main parts: 1 - The individual components, 2 - The System components. Both parts equal the entire ALS based Diablo Canyon system, which includes all ALS modules, Backplane, ASU (incorrectly stated as ATU in the open item), LSM, ALS-102A/B specific to Diablo, and the full ALS sub system test, which includes the testing of ALS slave cards required by the DCPP configuration. The entry in Table 1-2 for the Diablo Canyon PPS Test Plan, 6116-00005, is the same document as Diablo Canyon PPS System Test Plan 6116-00005.
36 RA Software Test Plan Closed NoRAI Section 5.3.6 of ALS Document No. 6116-00005 refers to a 'Test Team" to perform system level testing. However, the "Test Team" is not defined in ALS Document No. 6116-00000, "Diablo Canyon PPS Management Plan,"
which defines roles and responsibilities for the PPS Replacement Project.
March 25, 2013 DCPP PPS Closed Item Summary Table Page 45 of 74
Table columns: No | Src/RI | Issue Description | PG&E response | Status | RAI No. (Date Sent) | RAI Response (Due Date) | Comments
Please clarify who the Test Team is and where their roles and responsibilities are defined.
PG&E Response: The Test team and its responsibilities are described in [text illegible in source] the IV&V manager. The 6116-00003 Revision 1 was submitted in Attachment 6 to the Enclosure of PG&E Letter DCL-12-121 dated December 5, 2012.
37 RA Software Management Plan Closed No RAI PG&E "PPS Replacement Concept, Requirements, and Licensing Phase 1 Project Plan" does not address reporting mechanisms and controlling changes to the system. The only reference is that PG&E states that they will follow the activities described before for software modifications. After reviewing PG&E's SyVVP, we found that Section 6 states that Anomaly Resolution and Reporting shall be performed per the respective PG&E and 10 CFR 50 Appendix B supplier control procedures. However, this statement does not identify the document to follow to report anomalies.
Please identify and describe the process that PG&E will follow for reporting mechanisms.
PG&E Response: PG&E administrative procedure OM7.ID1, "Problem Identification and Resolution," provides guidance for identification and resolution of both equipment and non-equipment problems, including vendor software problems. The OM7.ID1 procedure provides the process for documenting, reporting, evaluating, trending, and tracking the resolution of problems at DCPP. PG&E administrative procedure X11.ID2, "Regulatory Reporting Requirements and Reporting Process," provides the instructions for reporting facility events and conditions to the NRC. This procedure applies to plant problems, including software anomalies, and provides a list of regulatory reporting requirements applicable to the DCPP, including those contained in the NRC regulations (including 10 CFR), the plant operating license (including associated Technical Specifications), license amendments, and regulatory correspondence. The procedure summarizes the types of reporting requirements and references the source of the requirement, time-frame for reporting, reporting method, lead responsible organization, primary regulatory agency recipient, and implementing procedures.
38 RA Software Management Plan Closed RAI22 Section 2, "Project Organization" of the PG&E "PPS Replacement Concept, Requirements, and Licensing Phase 1 Project Plan", revision 1 (attachment 3 of the LAR) does not describe the activities to be performed by the Engineering of Choice Design Change Package Team.
It is also not clear what the roles and responsibilities of this team are.
Please clarify and provide the applicable PG&E control document that describes PG&E roles and responsibilities specifically for the Engineering of Choice Design Change Package Team.
PG&E Response: The activity performed by the Engineering of Choice Design Change Package Team is to support PG&E in development of the design change package for the PPS Replacement. PG&E has a contract with an engineering company, currently Enercon Services, Inc., to be the "engineer of choice" to provide nuclear engineering services to PG&E. For individual scopes of work, PG&E develops a purchase request for the scope of work and a purchase order is issued to the engineering company that is the engineer of choice. When the engineer of choice is performing a design change package for Diablo Canyon Power Plant, the engineer of choice uses the PG&E Design Change Procedure, CF3.ID9, "Design Change Development" and PG&E performs an owner acceptance of the work using PG&E Procedure CF3.ID17, "Design and Analysis Documents Prepared by External Contractors."
39 RA Software Management Plan Closed RAI23 Figure 2-1 of the PG&E "PPS Replacement Concept, Requirements, and Licensing Phase 1 Project Plan" and Figure 3-1 of the SyQAP identify Altran under the PG&E Project Engineering box. However, Figure 4-1 of the SyVVP identifies the PG&E project team under the PG&E Project Engineering box. Please explain the role and responsibilities for Altran during the PPS Replacement Project.
PG&E Response:
09/17/2012:
- 1. The PPS Organization Chart shown in SyWP Figure 4-1 is a simplified rendering of the organization charts in Project Plan Figure 2-1 and SyQAP Figure 3-1. The latter figures show an Altran Project Team under PG&E Project Engineering and a team of three PG&E individuals directly under PG&E Project Engineering.
The slight inconsistency between SyWP Figure 4-1 and the other figures may be resolved thus:
[Revised organization chart (figure not reproduced in text): PG&E Project Engineering, with the Project Team beneath it divided into an Altran box (John Hefler, Altran Lead) and a PG&E box (Ted Quinn, Gregg Clarkson).]
- 2. Altran is acting as a subcontractor providing engineering support to the PG&E Project Team as shown above in the revised figure. Altran supported LAR preparation and is providing continuing support through the LAR review process. Altran's work is governed by the Altran Engineering Procedures Manual. Documents submitted to PG&E are prepared in accordance with Altran EOP 3.3 (reports) and 5.4 (specifications). All Altran documents are verified in accordance with Altran EOP 3.4. In addition, PG&E accepts Altran documents under PG&E CF3.ID17 as noted in the Altran Verification Report.
42 RA Software V&V Closed RAI25 PG&E "PPS System Replacement System Verification and Validation Plan (SyVVP)" does not describe the V&V activities to be performed during the Operation Phase and Maintenance Phase. This document states that these activities are covered by approved DCPP procedures. Please identify these DCPP procedures.
Comments: 9/17/12 update (Alvarado): during the conference call PG&E explained that modifications to the systems will be performed by the vendors. PG&E will provide additional information on their plan to perform modifications to the PPS system during operation and maintenance.
PG&E Response: Per the response to OI #28, control of the software modifications to the Tricon and ALS platforms once the PPS replacement project is completed, and the PPS is in the Operations and Maintenance phase, will be by the Process Protection System Replacement Software Configuration Management Plan, SCM 36-01, Revision 0, which was submitted as part of the Phase 2 document submittal on June 6, 2012, in Attachment 4 to the Enclosure of PG&E Letter DCL-12-050. Modification to the PPS Replacement components produced by the vendors, CS Innovations and Invensys Operations Management, will be performed by the vendors, and verification and validation will be controlled by the vendor verification and validation plans created for the Diablo Canyon PPS Replacement (6116-00003 for CS Innovations and 993754-1-802 for Invensys Operations Management).
43 RA Software V&V Closed RAI26 PG&E "PPS System Replacement System Verification and Validation Plan (SyVVP)", Section 5.1.1, explains that during the Concept Phase, PG&E will verify system requirements in accordance with PG&E procedure CF2.ID9, "Software Quality Assurance for Software Development." However, Procedure CF2.ID9 is for in-house development of software applications.
Please explain how this procedure is going to be used for the PPS replacement project.
Further, Section 5.1.2 of CF2.ID9 states that an independent review of the functional requirements prepared during the concept phase would be performed. The PG&E SyVVP does not identify this review, and thus there is no specific V&V product for this phase. Please identify who will perform this review and whether it is considered a V&V product.
PG&E Response:
09/17/2012: Altran developed the PPS Replacement FRS during the Concept phase in accordance with Altran EOP 5.4, and verified it in accordance with Altran EOP 3.4. Altran used PG&E procedure CF3.ID16 for additional guidance. PG&E accepted the FRS under CF3.ID17, which constituted verification of system requirements. This was a design activity rather than a V&V activity and there is no specific V&V product for this phase.
44 RA Software V&V Closed No RAI Invensys prepared Document No. 993754-1-813, "DCPP PPS Validation Test Plan". It states that the Test Review Board and PG&E will review all validation testing documents. Please describe the composition of the Test Review Board, since its role/responsibility is not described in the Invensys V&V Plan or in the Validation Test Plan (Section 4.4).
PG&E Response: The composition of the Project Review Committee (PRC) or Test Review Board includes the Project Manager, Project Engineer, Project Quality Assurance Engineer, IV&V Manager, and Lead IV&V/Test Director. This is described in Invensys document 993754-1-905, Project Management Plan, Section 3.5.5. See Invensys response to OI 49 for additional statements on the PRC.
45 RA Follow up of item 18 - Software V&V Closed No RAI RG 1.168 identifies five of the activities in IEEE Std. 1012-1998, Annex G, "Optional V&V Tasks," as being considered by the NRC staff to be necessary components of acceptable methods for meeting the requirements of Appendices A and B to 10 CFR Part 50 as applied to software. These tasks are:
- 1. Audits
- 2. Regression Analysis and Testing
- 3. Security Assessment
- 4. Test Evaluation
- 5. Evaluation of User Documentation
Westinghouse/ALS Document No. 6002-00003, "ALS VV Plan" describes the following techniques for V&V: reviews, testing, traceability analysis, inspection/analysis, and IV&V regression (change) analysis. This plan does not include any of the optional V&V activities identified in IEEE Std. 1012-1998, Annex G. Please explain if these activities are performed.
Comments: 12/19/12 update: NRC Staff will review the document submitted and identify follow up questions, if necessary, creating a new open item. 10/17/12 update: Westinghouse/ALS will submit the DCPP V&V plan on 10/31/2012.
PG&E Response: The DCPP VV Plan has been revised to include these optional V&V tasks required by RG 1.168 to align with the new ALS VV Plan for the Optional Tasks. The Diablo Canyon VV Plan, Revision 1, was placed on the Sharepoint on November 22 and was submitted by PG&E on December 5 in PG&E Letter DCL-12-121.
46 RA Software V&V Closed RAI27 Several sections in the Invensys Software Verification and Validation Plan (SVVP) reference "applicable Project Procedure Manual (PPM)" to perform certain activities. The reference section in this plan identifies PPM (Reference 2.4.4). It is not clear if the PPM is constituted by several procedures or if it is only one procedure. For example, Section 1.1 states the SVVP was prepared in accordance with PPM 7.0 (Ref. 2.4.4), and then Section 4 states that V&V activities will be planned and scheduled in accordance with the applicable PPM. Please describe what the PPM is, and explain how this is going to be used in the PPS replacement project.
PG&E Response: The Project Procedures Manual (PPM) provides appropriate controls for project activities conducted at the Invensys Operations Management (Invensys) Lake Forest facility. These controls will ensure that all nuclear Class 1E projects (or non-1E projects where the customer has specified certain 1E requirements) processes, project activities, and project documents will meet the requirements of 10 CFR 50, Appendix B, 10 CFR Part 21 and the Invensys Quality Management System. This procedures manual provides specific controls for NAD as well as other Invensys organizations that perform nuclear safety-related system integration project activities. The PPM is a collection of different procedures, including referenced Forms, and is a controlled document.
Each PPM procedure is intended to implement key areas of project activities. Each procedure within the PPM is assigned a unique document number and title.
V&V activities during the PPS Replacement Project will be governed by several procedures within the PPM as defined in the SVVP document, Invensys document 993754-1-802. The SVVP will be revised to add the title of each procedure within the PPM where referenced in the SVVP. For example, in the SVVP, Section 1.1, where it states that, "the SVVP was prepared in accordance with PPM 7.0 (Ref. 2.4.4)," will be revised to state that "the SVVP was prepared in accordance with PPM 7.0, Application Program Development." The revised SVVP Revision 3 was submitted in PG&E Letter DCL-12-028 on March 25, 2013.
47 RA Software V&V Closed RAI28 Invensys Document No. 993754-1-802, "Software Verification and Validation Plan" requires the use of V&V metrics to evaluate software development process and products. This section does not explain what methods and criteria will be used for software safety metrics. This information is required by section B.3.1 of BTP 7-14, RG 1.152, RG 1.173 and IEEE Stds. 1061 and 1074. Also BTP 7-14 Section B.3.1.1.2. Please provide this information.
PG&E Response: The V&V metrics are used during development of the PPS Replacement software that will reside/execute on the V10 Tricon portion. The V&V metrics measure the thoroughness of V&V reviews and testing efforts. These measurements yield data utilized to gain reasonable assurance that the design outputs are of high quality commensurate with the intended use in the PPS Replacement application. The V&V metrics methodology, utilizing a diversity of software measures, provides insight into the rigor of the PPS software development process. V&V uses three distinct metrics during PPS software development:
Software Quality Metrics: The purpose of these metrics is to measure software quality by tracking the number of defects found in the design outputs (e.g., design documents, software). The method is to count and categorize defects found during V&V review of design outputs. The acceptance criterion is that no technical defects remain at the end of the current phase to receive V&V recommendation to proceed to the next project phase. Any defects that cause non-compliance with customer requirements and/or non-compliance with NRC guidance are considered technical defects.
V&V Effectiveness Metrics: The purpose of these metrics is to measure the effectiveness of V&V reviews by measuring the percentage of design outputs which V&V reviews or tests. The method determines the percentage of design outputs actually reviewed by V&V (which is meaningful for in-process design changes necessitating a change impact analysis, revisions to released design outputs, and a regression analysis). The Acceptance Criterion is that 100 percent of comprehensive or delta change reviews is achieved in the current phase to receive V&V recommendation of proceeding to the next project phase.
Software Safety Metrics: The purpose of these metrics is to assess whether software safety requirements are being met. Methods are to count software hazards found during V&V review or testing of design outputs and to confirm software hazard mitigation in each project phase, or, at a minimum, by the end of the project and approval at the completion of acceptance testing. The Acceptance Criterion is that all software hazards are mitigated by the end of the Test Phase to receive approval of the results of acceptance testing.
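The three metric families above amount to a phase-gate rule: count defects by category, measure V&V review coverage, and track hazard mitigation, then recommend proceeding only when every acceptance criterion is met. The following Python block is an added illustration of that rule, not code from PG&E, Invensys or the SVVP; the record layouts, the defect category names and the sample records are constructed assumptions.

```python
"""Phase-gate evaluation built on the three V&V metric families described
above (software quality, V&V effectiveness, software safety).

Added illustration; not PG&E, Invensys or SVVP code. The record layouts,
category names and sample data below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class DesignOutput:
    doc_id: str           # constructed identifier, e.g. "SRS-01"
    revision: int
    reviewed_by_vv: bool  # comprehensive or delta V&V review/test completed


@dataclass(frozen=True)
class Defect:
    doc_id: str
    category: str  # constructed taxonomy: requirements, nrc_guidance, editorial
    resolved: bool


@dataclass(frozen=True)
class Hazard:
    hazard_id: str
    mitigated: bool


# Per the acceptance criterion above, a defect is "technical" when it causes
# non-compliance with customer requirements or with NRC guidance.
TECHNICAL_CATEGORIES = frozenset({"requirements", "nrc_guidance"})


def software_quality_metric(defects: Iterable[Defect]) -> Tuple[Dict[str, int], List[Defect]]:
    """Count and categorize defects; return counts and the open technical ones."""
    defects = list(defects)
    by_category: Dict[str, int] = {}
    for d in defects:
        by_category[d.category] = by_category.get(d.category, 0) + 1
    open_technical = [d for d in defects
                      if d.category in TECHNICAL_CATEGORIES and not d.resolved]
    return by_category, open_technical


def vv_effectiveness_metric(outputs: Iterable[DesignOutput]) -> float:
    """Percentage of design outputs that V&V actually reviewed or tested."""
    outputs = list(outputs)
    if not outputs:
        return 100.0  # nothing to review in this phase
    reviewed = sum(1 for o in outputs if o.reviewed_by_vv)
    return 100.0 * reviewed / len(outputs)


def software_safety_metric(hazards: Iterable[Hazard]) -> Tuple[int, List[Hazard]]:
    """Count hazards found and return those whose mitigation is not confirmed."""
    hazards = list(hazards)
    return len(hazards), [h for h in hazards if not h.mitigated]


def phase_gate(phase: str, outputs, defects, hazards) -> dict:
    """Apply the three acceptance criteria and recommend proceed / hold.

    Quality and effectiveness gate every phase; unmitigated hazards are
    reported in every phase but only block the gate at the end of the
    Test Phase, matching the criterion quoted above.
    """
    by_category, open_technical = software_quality_metric(defects)
    coverage = vv_effectiveness_metric(outputs)
    hazards_total, unmitigated = software_safety_metric(hazards)

    findings: List[str] = []
    if open_technical:
        findings.append(f"{len(open_technical)} technical defect(s) still open")
    if coverage < 100.0:
        findings.append(f"V&V coverage {coverage:.1f}% is below 100%")
    if phase == "Test" and unmitigated:
        findings.append(f"{len(unmitigated)} hazard(s) unmitigated at end of Test Phase")

    return {
        "phase": phase,
        "defects_by_category": by_category,
        "open_technical_defects": len(open_technical),
        "vv_coverage_percent": coverage,
        "hazards_total": hazards_total,
        "hazards_unmitigated": len(unmitigated),
        "findings": findings,
        "recommend_proceed": not findings,
    }


# Constructed sample records (not real project data).
SAMPLE_OUTPUTS = [
    DesignOutput("SRS-01", 2, True),
    DesignOutput("SDD-01", 1, True),
    DesignOutput("TSAP-01", 3, True),
    DesignOutput("ICD-01", 1, False),   # revised; delta review not yet done
]
SAMPLE_DEFECTS = [
    Defect("SRS-01", "requirements", resolved=False),  # technical, still open
    Defect("SDD-01", "editorial", resolved=False),     # not technical
    Defect("TSAP-01", "nrc_guidance", resolved=True),
]
SAMPLE_HAZARDS = [Hazard("HZ-01", mitigated=True), Hazard("HZ-02", mitigated=False)]

if __name__ == "__main__":
    for phase in ("Design", "Test"):
        result = phase_gate(phase, SAMPLE_OUTPUTS, SAMPLE_DEFECTS, SAMPLE_HAZARDS)
        print(phase, "proceed" if result["recommend_proceed"] else "hold", result["findings"])
```

With the constructed records the Design-phase gate holds on two findings (one open requirements defect and 75% review coverage) while the unmitigated hazard is only reported; at the Test phase the same hazard becomes a third blocking finding. An editorial defect never blocks the gate, which is exactly why the technical/non-technical categorisation in the quality metric matters.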
49 RA Software V&V Closed RAI29 Invensys Document No. 993754-1-802, "Software Verification and Validation Plan", Section 6.3 states that Invensys personnel prepare a System Deficiency Integration Report (SDIR) to document non-conformances and corrective actions during testing; the SDIR is prepared in accordance with PPM 10.0. Please explain what PPM this is.
Further, the Invensys "Validation Test Plan", Section 5.4.2 states that the Test Review Board and PG&E shall review SDIRs, but this is not indicated in the Invensys V&V plan. Please explain why this review activity is not identified as a V&V task in the V&V Plan.
PG&E Response: The PPM 10.0 procedure defines the process to control nonconforming items and identify appropriate corrective action for all nuclear application projects developed at the Invensys Operations Management (Invensys) Lake Forest facility. This procedure is intended to provide controls for nonconforming items and corrective actions related to project activities. As used in this procedure, the term "nonconformance" describes deficiencies in parts and materials (items), documentation, and/or deviations from stated requirements. This procedure addresses the identification, documentation, evaluation, and disposition of nonconforming items. This procedure also describes the corrective action process to be used for project-related issues where corrective action is warranted.
SVVP Section 5.2.2.2.1 4) stated that Nuclear IV&V shall generate and verify the system-level Validation Test Plan, 993754-1-813, in accordance with PPM 6.0 [Ref 2.4.4], in conjunction with IEEE 829-1983. The SVVP was developed in accordance with PPM 6.0, Test Control. In PPM 6.0, Test Control, it was stated that the Project Review Committee (PRC) shall review all test results for completeness, accuracy and acceptability. This review shall include all test documentation, e.g., the Test Procedures, the Test Logs, the System Integration Completion Checklist, the Test Report(s), and SDIRs.
50 RA Software V&V Closed RAI30 The Invensys Validation Test Plan, Section 8.2, states that the Narrative Test Logs are used to document conduct of testing and any anomalies that occur. Please explain if this is only used during validation, and why this is not mentioned in the Invensys SVVP. Further, please explain how this is used in conjunction with the Document Review Comment Sheet (DRCS) and System Deficiency Integration Report (SDIR).
PG&E Response: PPM 6.0, Test Control, defines the Test Logs. All test activities shall be recorded in a Test Log. The Test Log constitutes a continuous, hand-written journal of all test activities from the point of initial entry into the Test Procedure until the conclusion of all testing, including any required retesting. The Test Log shall include entries for sign-in and sign-out of all participating personnel, establishment of indicated prerequisites and initial conditions for testing, performance of testing and retesting, identification of problems, etc. The Test Log is intended to be a detailed journal of all testing activities sufficient to fully document the actual sequence of testing performed, the test results achieved and any problems that occurred, including their impact on test performance. The Test Log shall be reviewed by the PRC as part of its evaluation of the test results.
The Test Logs are independent and separate from the Document Review Comment Sheet (DRCS) and System Deficiency Integration Report (SDIR). However, as a test narrative, the Test Log may identify the fact that an SDIR was generated as a result of a test anomaly.
51.1.a RA Software Configuration Management Closed RAI31
- 1. Configuration Process a) In open item 4, the staff requested a description of the software configuration management activities for configurable boards (e.g., ALS FPGA-102 board). Since the ALS FPGA-102 board is customer specific, its configuration management activities are not covered by the "ALS Configuration Management Plan." Even though item 4 is closed, this request was not addressed in the response for item 4.
PG&E Response:
09/18/2012 ALS-102 Configuration: The FPGA installed on the ALS-102 board, and therefore the ALS-102 board itself, is specific to the PPS Protection set and the ALS subsystem in which it is installed. PG&E will not have the capability to alter the FPGA. Any change to the FPGA must be made by CS Innovations. Therefore, ALS-102 FPGA configuration management activities are covered by the ALS Configuration Management Plan. PG&E capability to change ALS-102 configuration will be limited to board-level replacement.
51.1.b RA Software Configuration Management Closed RAI32
- 1. Configuration Process b) The PG&E SCM 36-01, item 1.2.8, states that the ALS board has two sets of NVRAM. Further, it explains that the configuration of the NVRAM can be changed only by removing the subject board from the ALS chassis and inserting it into a special test fixture. It is not clear who will control this process and the configuration of the NVRAM.
Please explain.
PG&E Response:
09/18/2012 ALS I/O boards are generic; that is, each board is configured using its NVRAM for the specific function it is to perform. This activity is described in SCM 36-01 Section 1.2.8, which states that the configuration of the NVRAM is changed by removing the subject board from the ALS chassis and inserting it into a special test fixture. This would be performed as part of a maintenance activity, such as replacing a failed board. If the functionality of an I/O board required modification as a result of an application change, all required NVRAM configuration alterations would be performed by CS Innovations under their ALS Configuration Management Plan.
As with the ALS-102 FPGA discussed above, PG&E will not have the capability to alter the NVRAM configuration itself. PG&E capability to change the NVRAM configuration for a specific I/O board will be limited to loading NVRAM images that are under CS Innovations configuration control and that have been previously verified and validated at the system level by CS Innovations.
Configuring the NVRAM in order to replace an I/O board will be performed by PG&E under an approved plant maintenance procedure.
51.1.c Software Configuration Management Closed RAI33
- 1. Configuration Process c) Section 1.2 of the Invensys Document No. 993754-1-909, "Software Configuration Management Plan," states that this plan controls the operating system of the computers used to run TriStation 1131 and the signal simulation software used for testing purposes. However, the description provided throughout the plan only focuses on the configuration activities for the TSAP (e.g., Section 2.3 states that the SCM procedures are for the TSAP). Further, this same section (later on) identifies the software configuration to be managed, and this list does not include the operating system of the computers used to run TriStation 1131 and the signal simulation software used for testing purposes. Please clarify the scope of this plan and how the configuration of TriStation 1131 and the signal simulation software is managed.
PG&E Response:
09/18/2012 There was no intent for the SCMP to do more than track the revision of Commercial Off The Shelf (COTS) software. In this case "Control" is defined as tracking the revision levels such that they are recorded on the project Master Configuration list, Invensys project document 993754-1-803.
On page 7 of the SCMP, under "limitations," it states, in part, that the revision levels of this type of software will be tracked.
51.3.a Software Configuration Management Closed RAI51
- 2. Changes and Problems Identification a) PG&E SCMP 36-01 states that software, hardware, and configuration problems are reported in accordance with PG&E OM7.ID1 and that software and/or configuration problems are reported via a PROG PDCM Notification. Please clarify when and how these are used. For example, for software problems, does one have to report the problem using both PG&E OM7.ID1 and PROG PDCM Notification? Note that PG&E CF2.ID2 states that all problems associated with plant computer systems should be reported and documented per OM7.ID1 (see Sections 5.11 and 5.16.10 (b) of CF2.ID2).
Further, Section 3.2.1 states that all PPS modifications should be initiated and tracked per plant procedures or CF4.ID1. Section 3.2.2 states that the implementation of the change is documented in the associated Change Package and a SAP notification and order. And Section 3.2.10 states that all identified problems and corrective actions are tracked using a notification, which is not specified.
So should software modifications require reporting and tracking using OM7.ID1, CF4.ID1, PROG PDCM Notification, Change Package, and SAP Order?
Please explain PG&E procedures for different changes and the documenting and tracking system used for all types of modification.
Comments: 12/19/12 update: response pending. 10/17/12 update: PG&E will revise the SCMP to address several open items.
PG&E Response: a) All problems are entered into the corrective action program using PG&E administrative procedure OM7.ID1 and are required to be entered into an SAP (electronic business management software) notification (electronic tracking document). Notifications can be identified as different Work Types in order to categorize the type of problem, the priority of the problem, and to facilitate routing the problem to appropriate personnel needed to review and resolve the problem. A "PROG PDCM" type notification is a program (PROG) plant digital configuration management (PDCM) type of problem, and software and configuration problems are examples of problems that would be assigned a Work Type of "PROG PDCM" in the notification. Plant hardware problems are assigned a Work Type of "EQPR" to identify the problem as an equipment problem.
Plant modifications, including software modifications, are requested using plant procedure CF4.ID1, "Plant Modification Request and Approval" and the modifications are performed using paper/electronic image based change documentation (Change Package) and are tracked in SAP using a notification and an order. An order is an electronic tracking document that allows detailed tracking of job requirements, parts, details, schedule, and approval.
51.3.b Software Configuration Management Closed RAI34
- 3. Changes and Problems Identification b) Please clarify the means to track changes. Section 3.2.4.7 of the SCM 36-01 states that this is done using a SAP order, but Section 3.2.4.7 states that Change Package and SAP order are entered in the Record Management System, and Section 3.3 describes a Configuration Status Account, which is used to track changes of configuration items.
PG&E Response: The means to track changes is the SAP order. The Record Management System is the system used at Diablo Canyon to store and allow retrieval of documents to meet 10 CFR 50 Appendix B quality assurance requirements. Completed Change Packages and SAP orders are entered into the Record Management System for storage and to allow later retrieval.
51.4.a Software Configuration Management Closed RAI52
- 3. Document Repository
- a. SCM 36-01, Section 2.3.3 identifies the Digital Systems Engineering SourceSafe as the repository, but Section 3.2.5.5 identifies http://dcpp142/idmws/home/asp, and Section 3.29 states that the files necessary for recovery of the baseline are maintained in the PPS database in "SC-I-36M, Eagle 21 Tunable Constants." It is not clear whether these sections are referring to the same document repository. Please clarify.
Comments: 12/19/12: response pending.
PG&E Response: The SourceSafe is used for executable files (exe files), source code, program code, and database files, etc. The link http://dcpp142/idmws/home/asp is to FileNet, an electronic file storage system. FileNet is used to store documentation like the PPS Replacement Project documents (e.g., Software Configuration Management document, Functional Requirements Specification, Interface Requirements Specification, etc.).
51.4.b Software Configuration Management Closed RAI53
- 4. Document Repository PG&E has implemented restrictions to access files and documents associated with the PPS replacement project. Further, PG&E requires user authentication and access to edit configuration, software, and data. It is not clear if these restrictions apply to access to the Digital Systems Engineering SourceSafe or the repository at http://dcpp142/idmws/home/asp.
Please clarify and explain the applicability of access restrictions.
Comments: 12/19/12: response pending.
PG&E Response: Microsoft SourceSafe requires special permissions to access the appropriate directory and then requires a login and special software to access the files. FileNet allows files to be viewed without a special login, but to modify, delete, or add files, special permissions need to be assigned.
52 RJS Security: Closed No RAI N/A PG&E stated in its letters DCL-11-123 and DCL-11-104 that the PPS replacement will be fully compliant with the 10 CFR 73.54 cyber security requirements, including RG 5.71, Revision 0, "Cyber Security Programs for Nuclear Facilities," dated January 2010, and is being reviewed to comply with 10 CFR 50.73, the DCPP Cyber Security Plan, and NEI 08-09, "Cyber Security Plan for Nuclear Power Reactors," Revision 6, dated April 2010. The cyber security program that PG&E is implementing per its NRC approved cyber security plan includes provisions applicable to all phases of a system's life cycle, including the digital upgrade or modification of critical digital assets.
Please explain how the provisions outlined in PG&E's NRC-approved cyber security plan were considered, and/or implemented, as part of the PPS replacement. The provided explanations should include how all of the management, operational, and technical security controls contained within the plan, especially security controls associated with Configuration Management and System and Service Acquisition, are being addressed. The provided explanations should also include any issues associated with partial implementation of the PPS replacement and full implementation of the cyber security plan for the site, and processes to identify and resolve any such issues.
Comments: 2/01/13 See NSIR Open Item 85 for follow-up to this OI. 1/25/13 NSIR to provide follow-up Open Items. Close this OI when these new OIs are entered. 1/16/2013 Require NSIR input prior to closing this item. Requested NSIR to either provide written response or discuss the status of this item at the 1/24/13 conference call.
PG&E Response:
The Cyber Security program manager and other members of the CSAT (Cyber Security Assessment team) met with the Process Protection System (PPS) Upgrade design engineer beginning in 2011. Many options were discussed.
The Cyber Security program manager and project manager have met with the procurement group to discuss cyber security principles that should be written into the procurement procedures, and what steps will help to ensure a secure supply chain.
The Cyber Security Assessment Team (CSAT) was formed in accordance with section 3.1.2 of the cyber security plan, and Milestone a, on 10/31/2011. A list of critical digital systems and assets was created in accordance with section 3.1.3 of the cyber security plan and Milestone b on 10/31/2011. The CSAT looked at scheduled digital upgrades, and added the future equipment to the list of critical digital systems. The CSAT determined the PPS equipment will be a critical system, with several CDAs.
From July 9-12 2012, the cyber security project manager accompanied members of the Quality Verification group to examine the design and production facilities of Invensys, and examined the code production practices and the development environment, and determined that Invensys has an SDE, and ensures their employees are reliable and trustworthy.
Activities planned for the future.
In December of 2012, the network that the PPS will eventually reside on will be isolated from internet connected networks by a deterministic network device, per milestone c of the DCPP Cyber Security Plan. Thus many network attacks, including many that depend on a back door created by a vendor, will not be possible.
Also by December of 2012, DCPP will have taken steps to lessen the likelihood of an attack initiated by a portable electronic device, or portable media such as a thumb drive, per Milestone d and Section D1.19 of NEI 08-09. This will mitigate portable media based attacks that depend on a back door created by a vendor.
The DCPP Cyber Security Team will interface with NUPIC (Nuclear Procurement Issues Committee) and the NEI/NITSL counterfeit parts task force to address digital equipment supply chain security.
The Cyber Security Implementation Project Manager has developed a detailed project plan, with several tasks and schedules. Several existing plant procedures will be revised. The PPS will inherit the controls implemented by these procedures. Many of the procedures will have been changed/created before the PPS is installed.
The CSAT is collecting design information as it becomes available. The collected design documentation is being reviewed as it is collected. The collected documentation will be reviewed in a formal desktop evaluation per the cyber security plan, section 3.1.5 prior to the PPS installation. The test set up in the offsite test lab near the plant will be visited on occasion by the CSAT, the system will be walked down repeatedly during installation, and the final walkdown will be performed when the system is ready to return to operations, per section 3.1.5 of the security plan.
The CSAT will make recommendations to enhance the cyber security posture of the PPS upgrade throughout the project, and will make their final recommendations after the system walkdown, per section 3.1.6 of the cyber security plan.
Disposition of all controls will be documented in the cyber security assessment tool, CyberWiz. Recommended mitigation will be documented in CyberWiz, and the Corrective Action Program.
53 RJS - Section 4.10.2.6.3 of LAR
Issue: A tech specification change resulting from the recent Eagle 21 failure that affected the operability of the AFW control system is being reviewed by the staff. As part of this review PG&E has stated that the Independence between safety systems and other systems clause is not being met for all conditions of operation. If this is the case, then why does the PPS LAR not identify any exceptions to IEEE 603 clause 5.6.3? Even if the replacement PPS does not have an equivalent failure mode to the Eagle 21 system, the TS change would still apply after the upgrade is completed. The staff will need to confirm that the potential for this failure mode has been eliminated in the new design or that the criteria of IEEE 603 are otherwise being satisfied.
Status: Closed. RAI No.: No RAI.
RAI Comments: 9/11/12 - Per CC with PG&E, the position on compliance with IEEE 603 5.6.3 is being revised and there is no plan to take exception with this or any other criteria of IEEE 603.
PG&E Response: None Required.

54 WEK
Issue: PG&E Letter DCL-12-050, Phase 2 Documents, Attachment 2 FSAR Changes, Insert 1 for FSAR Section 3.10.2.1.3 states that "The Process Protection System Tricon subsystem has been seismically qualified by Invensys Operations Management (see Reference 40) in accordance with requirements from Reference 44 that is endorsed by Reference 33." What is Reference 44 and where is this documented in the FSAR?
Status: Closed. RAI No.: No RAI.
RAI Comments: Response okay - no RAI required. Should IEEE 344-1987 be included in 7.1.2.4, Conformance with IEEE Standards (page 7.1-13)??
PG&E Response: Reference 44 is IEEE 344-1987, the current Reference 44 in the FSAR. See FSAR page 3.10-40 that was included in the FSAR changes in PG&E Letter DCL-12-050, Phase 2 Documents, Attachment 2.
55 WEK
Issue: PG&E Letter DCL-12-050, Phase 2 Documents, Attachment 2 FSAR Changes, FSAR Section 7.1.2.5, Conformance With Other Applicable Documents (page 7.1-13) does not indicate the NRC Safety Evaluation that will be produced to approve the PPS. The staff's SER should become part of the DCPP Unit 1&2 licensing basis once it is issued. How will this be documented within the FSAR?
Status: Closed. RAI No.: RAI 35.
RAI Comments: Acceptable response. Send this as an RAI so that the issue does not get lost.
PG&E Response: Reference to the staff SER will be included in FSAR Section 7.2.1.1.6 for the reactor trip portion of the process protection system and in Section 7.3.1.1.4.1 for the engineered safety features actuation system portion of the process protection system.
56 WEK
Issue: PG&E Letter DCL-12-050, Phase 2 Documents, Attachment 2 FSAR Changes, FSAR Section x.x.x.x (page 7.2-23) states that the evaluation for common mode failure in the PPS is presented in the DCPP PPS D3 LTR and approved in the staff's SER for the DCPP PPS D3 LTR. It is noted, however, that the staff's SER states that the D3 design features were approved based on confirmation that the proposed built-in diversity of the ALS sub-system is found to be acceptable. This confirmation will be performed as part of the DCPP PPS SER. Please confirm that a reference to the SER for the DCPP PPS will be included in the FSAR.
Status: Closed. RAI No.: RAI 36.
RAI Comments: Acceptable response. Send this as an RAI so that the issue does not get lost.
PG&E Response: Reference to the staff SER for LAR 11-07 will be included in FSAR Section 7.2.2.1.2 in addition to the staff SER for the DCPP D3 LTR.
57 WEK
Issue: PG&E Letter DCL-12-050, Phase 2 Documents, Attachment 2 FSAR Changes, FSAR Section 7.2.2.9.2, IEEE 603-1991 Clause 5, Clause 5.12 (page 12) states that "... the communication path between the maintenance workstation and the ALS subsystem is normally disabled with a hardwired switch ..." Also, Attachment 3, PG&E PPS Interface Requirements Specification (IRS), Rev. 6 to PG&E Letter DCL-12-069 dated August 2, 2012 states in section 1.5.6 "... TAB communications between the ALS and MWS takes place via RS-485 data link. The TAB is physically disconnected from the MWS when the TAB is not in use .... the TAB is open at all times unless maintenance is being performed on the ALS ..." Please identify administrative controls and design features associated with the PPS that explain how the MWS is disconnected/disabled from the PPS (i.e., a means of physical cable disconnect, or a safety-qualified hardware switch that either physically opens the data transmission circuit or interrupts the connection by means of hardwired logic. "Hardwired logic" as used here refers to circuitry that physically interrupts the flow of information, such as an electronic AND gate circuit (that does not use software or firmware) with one input controlled by the hardware switch and the other connected to the information source: the information appears at the output of the gate only when the switch is in a position that applies a "TRUE" or "1" at the input to which it is connected. Provisions that rely on software to effect the disconnection are not acceptable. It is noted that software may be used in the safety system or in the workstation to accommodate the effects of the open circuit or for status logging or other purposes) that demonstrate how this hardwired switch disconnects the ALS maintenance workstation from the ALS safety processor.
Status: Closed. RAI No.: RAI 37.
RAI Comments: Acceptable response. Send this as an RAI so that the issue does not get lost.
PG&E Response: For the ALS subsystem, instead of using a hardwired keyswitch, the ALS subsystem will be administratively controlled by physically disconnecting the communication link to the ALS MWS computer when the Test ALS Bus (TAB) is not being used for surveillance testing, maintenance, and trouble-shooting. This is a PPS replacement design change described in the response to NRC request for additional information in PG&E Letter DCL-12-083 and will be included in a supplement to LAR 11-07.
58 RJS
Issue: ALS FMEA - There are several failure modes identified in Table 4-4 of the FMEA where the System Effects entry provides a description of functions that are not affected by the failure mode instead of stating what the effects of the failure mode are. For example, the System Effects in the ETT failure in line 5b of Table 4-4 are that the Alarm Function remains operational. Though this may be the case, it does not state what the effects of the failure mode are. Examples of this can be found in lines 5b, 6a, 6b, 7a, 9h, 9i, 11b, 11c, and 11d. Please provide appropriate and complete information for System Effects in Table 4-4.
Status: Close. RAI No.: RAI 38.
RAI Comments: 10/19/12: If I understand the PG&E response correctly, these system effects are being evaluated within the context of the local effects that are also provided in the FMEA. Application specific compensating features that influence the systematic effects of these failure modes are thus accounted for within the analysis. Agree to close but would like the PG&E response on record. Need RAI.
PG&E Response: The System Effects entry does describe the functions that are affected by the failure mode. This entry must be read in the context of the entire FMEA table row. For example, the cited row for ETT failure in line 5b discusses the effects of failures of the ALS-402-1 digital output board which sends Alarm Signals to other systems. In the case of Energize to Trip outputs (ETT) a stuck open output channel will prevent the core A rack from being able to actuate the Alarm (in this case a specific instance of an ETT Alarm is cited, the "Containment Pressure in Test Alarm"). However, due to the compensating features, which in this case is the redundant implementation of the function in the core B rack, the System Effect is that the Alarm function remains operational. A similar reading applies to the other examples cited.
59 RJS
Issue: ALS FMEA - Some of the identified failure modes of the ALS system are detectable only by operator observations, or by means that are not necessarily performed during routine operation or during surveillance testing. See lines 10c and 12a. What measures will be implemented to ensure that these failure modes would not occur and remain undetected for an indefinite period of time?
It is the staff's understanding that all failure modes which are not detectable through normal means such as surveillance tests or channel checks would need to be considered present for the purpose of satisfying single failure criteria for the system.
Status: Closed. RAI No.: No RAI.
RAI Comments: 10/19/12 - rjs: Response accepted.
PG&E Response:
Surveillance testing includes visual inspection of the equipment in addition to the specified test cases that demonstrate functionality. Therefore, those failure modes that are detected by operator observations will be detected as part of the surveillance test. IEEE Std 379-2000 defines detectable failures as those failures that can be identified through periodic testing or that can be revealed by alarm or anomalous indication. Therefore, such failures do not need to be considered to be present for purposes of evaluating single failure criterion compliance.
The specific cases cited are clear examples. Line 10c discusses failures of the local partial trip indicators. Failures of the indicators do not affect the actual trip function. During the test the technician uses the indicators to confirm that the trip action occurs at the appropriate threshold. Thus the act of observation of the failure during surveillance testing is assured. Line 12a discusses failure of the serial link used for continuous monitoring of the ALS health. Failure of this link does not affect the safety functions of the rack, but would be immediately obvious at the workstation used to do the monitoring. This workstation is used in surveillance testing.
61 RA - Software V&V Plan
Issue: ALS provided Revision 7 of its V&V plan (6002-00003). This revision provides a mapping and alignment with IEEE Std 1012-1998. This now causes a misalignment with the DCPP V&V Plan, 6116-00003. Thus, the DCPP V&V Plan will need to be revised. Please identify when this new revision will be submitted.
Status: Closed. RAI No.: No RAI.
RAI Comments: 12/19/12: NRC Staff will review the document submitted and identify follow-up questions, if necessary, creating a new open item. 11-28-12 update: The staff will review the V&V plan to determine if this item can be closed.
PG&E Response: The DCPP V&V Plan, Revision 1 has been created to provide consistency with the ALS V&V Plan. The Diablo Canyon V&V Plan, Revision 1, was placed on the SharePoint on November 22 and was submitted on December 5 in PG&E Letter DCL-12-121.
62 RA - Software Management Plan
Issue: Revision 2 of the ALS "Diablo Canyon PPS Management Plan," 6116-0000, Sections 2.1 and 2.2, defines the project organization. As described in guidance documents BTP 7-14 and NUREG/CR-6101, licensees need to describe the management aspects of the software development process. Please clarify the following:
1. The description provided in this section does not align with the organization structure provided in Figure 2-1. The description provided is not clear. For example, the bulleted list identifies "Scottsdale Operations Director", but then the 1st paragraph refers to Scottsdale Operations Director and ALS Platform & System Director. It is not clear if this is the title for one person or for two. Further, Figure 2-1 does not identify the ALS Platform & System Director, if this role is performed by a separate individual. Please clarify this.
2. This section states that the ALS V&V Plan provides information on the interface between the IV&V team and the PPS replacement project. It is not clear why the ALS V&V plan will provide this information, since the ALS V&V plan is for the generic platform. Please clarify what document contains this information.
3. This section states that the WEC Project Manager is responsible for the commercial process interface with PG&E. However, this role is not listed in the bulleted item list and not identified in Figure 2-1. Please clarify this role.
4. Figure 2-1 identifies a QA Manager, but this section only describes the QA Lead. Please describe the role and responsibility for the QA Manager.
5. Section 4.1, Planning Stage, mentions a "Project Leadership Team," which is not described in Section 2. Please explain the role and responsibilities for this team.
Status: Closed. RAI No.: No RAI.
RAI Comments: 12/19/12: NRC Staff will review the document submitted and identify follow-up questions, if necessary, creating a new open item. 11-28-12 update: The staff will review the PPS Management Plan and the V&V plan to determine if this item can be closed.
PG&E Response: To address item 1, the Diablo Canyon PPS Management Plan, Revision 3, clarifies in Section 3 the organization details. To address Item 2, the Diablo Canyon V&V Plan, Revision 1, provides information on the interface between the IV&V team and the PPS replacement project. To address items 3 to 5, the Diablo Canyon PPS Management Plan, Revision 3, clarifies in Section 3 the WEC Customer Project Manager is responsible for the commercial process interface with PG&E, the roles and responsibilities of the QA Manager, and the roles and responsibilities of the Project Leadership Team. The Diablo Canyon PPS Management Plan, Revision 3, was placed on the SharePoint on November 15 and was submitted on December 5 in PG&E Letter DCL-12-121. The Diablo Canyon V&V Plan, Revision 1, was placed on the SharePoint on November 22 and was submitted on December 7 in PG&E Letter DCL-12-121.
63 RA - Software Management Plan
Issue: Revision 2 of the ALS "Diablo Canyon PPS Management Plan," 6116-0000, Section 4.1, Planning Stage, identifies that deliverables from this phase are approved by the "Managerial Review Board." However, this document does not identify the role and responsibilities for this board. Furthermore, the ALS PPS V&V Plan, 6116-00003, Rev. 0 states that IV&V will review the planning stage documents. Please clarify the person/team responsible for this review and their role and responsibilities.
Status: Closed. RAI No.: No RAI.
RAI Comments: 12/19/12: NRC Staff will review the document submitted and identify follow-up questions, if necessary, creating a new open item.
PG&E Response: The Managerial Review Board review and the IV&V reviews are two different reviews. The Managerial Review Board gives the final "exit criteria" approval for both the Planning and Development Stages; this Managerial Review Board approval is required for entrance into the next subsequent stage. Their role is clarified in the "exit criteria" details included in Section 4.1's Planning Stage and Development Stage sub-sections. The IV&V team also reviews the planning stage documents according to the criteria in the V&V Plan. Additional details have been added to the Management Plan. The Diablo Canyon PPS Management Plan, Revision 3, was placed on the SharePoint on November 15 and was submitted on December 5 in PG&E Letter DCL-12-121.
66 WEK
Issue: Section 4.2.13.1 of the LAR (page 85) states: "... The NetOptics Model PA-CU/PAD-CU 2 PA-CU port aggregator network tap was approved previously by NRC for a similar application in the Oconee RPS SER Section 3.1.1.4.3 [18]. The NRC staff determined that due to the electrical isolation provided by use of fiber optic cables and the data isolation provided by the Port Tap and the Maintenance and Service Interface (MSI) in the Oconee RPS, there was reasonable assurance that a fault or failure within the Oconee Gateway computer or the Operator Aid Computer will not adversely affect the ability of the Oconee RPS to accomplish its safety functions."
In section 3.1.1.5.2.1 of the Oconee SER, the staff approved the NetOptics aggregator Port Tap, Model 96443, No. PA-CU, as a device intended to allow monitoring of a full duplex 10/100BaseT Ethernet communication link by copying the communications and sending that copied communications to a one-way simplex communications link. Due to the importance of this one-way communications path functioning properly, the NRC staff performed a detailed review of the design aspect of this one-way communications path. Circuit diagrams on the device itself indicated that the communications using Port C (Port 1 in the case of the DCPP PPS application) may be capable of two-way communications. Since the original review of the Model 96443, part No. PAD-CU Port Tap required NRC staff examination of actual schematic drawings of the circuitry to determine that there was no inbound communications path associated with Port C (Port 1 for the PPS), a similar schematic review for any replacement or updated model of the Port Tap must be evaluated in the same manner (by the licensee) to determine that the manner in which it is being used and configured is acceptable, and does not invalidate the conclusion of this SE that use of the Port Tap provides adequate data isolation between the Gateway computer and the digital RPS/ESPS. The Port Tap approved for Oconee was model 96443 PA-CU.
11-28-2012 Update: The response below still needs further clarification. Section 3.7.2.1 (page 71) of the approved Tricon V10 LTR SER (ML12146A010) states: "The NetOptics Port aggregator Tap, Model 96443, No. PA-CU, or PAD-CU, is a device intended to allow monitoring of a 10/100 Base T Ethernet communication link by copying communications and sending that copied information to a separate one-way communications link. Port A of the Port Tap is connected to the TCM, and Port B is connected to the Maintenance Terminal (maintenance video display unit (MVDU))." Since the LAR references the Port Tap approved within the Tricon V10 SER, this model number 96443 may still be confusing to the reader. Please provide the model number of the Port Tap that PG&E will use in the DCPP PPS and provide an explanation of its equivalency to the Port Tap approved for the Oconee RPS/ESPS LAR.
Status: Close. RAI No.: RAI 41.
RAI Comments: 12-19-2012 update: Response acceptable. OI will be closed to a new RAI. 11-28-12 update: See 11-28-2012 update question. A new RAI will be added to clarify this inconsistency so it will be on the docket.
Revised PG&E Response 12/17/2012:
The PPS Replacement application will use the NetOptics Model PA-CU network port aggregator tap to isolate the Tricon portion of the PPS replacement from the gateway computer.
NetOptics has confirmed via e-mail (Case# 205591) that part number "96443" is the same as PA-CU. It is the old SKU part number for the PA-CU.
67 WEK
Issue: Section 4.2.13.1 of the DCPP PPS LAR (pg. 85) states, "Port aggregator dual in-line package (DIP) switch positions will be controlled by DCPP configuration management processes." Please provide a documented basis (e.g., a plant procedure, or engineering design package) that demonstrates how this will be controlled.
Status: Closed. RAI No.: RAI 42.
RAI Comments: 11-28-12 update: Response is acceptable.
PG&E Response: The Port aggregator DIP switch positions will be controlled by a plant procedure or plan. The plant procedure or plan will be developed as part of the design change for installation of the PPS replacement after NRC approval of the LAR.
March 25, 2013 DCPP PPS Closed Item Summary Table Page 71 of 74
No SrclRI Issue Description P&GE response: Status RAINa. RAI Comments (Date Sent) Response (Due Date) 76 WEK The documents listed below are necessary for the staff to complete its Closed RAI45 12-19-2012 assessment of the Tricon V10 platform changes/software revisions that Update: the staff have occurred since the platform was approved generically, and will be has reviewed all of these documents applied to the DCPP PPS.
and some of them will require
- 1. Reference Design Change Analysis (RDCA), 993754-1-916 submittal on the
- 2. Nuclear Qualified Equipment List (NQEL), 9100150-001, docket for approval Rev 16 of these changes Rev 11: Tricon V10.5.2 within the SER-Rev 13: TriStation V4.9.0 see 12-19-2012 follow up item for Rev 14: Tricon V1 0.5.3 this 01.
Tricon NGIO Software SRS, 6200155-001 Invensys Audit Item Tricon V10.5 Verification and Validation Report (19 Sept, 2012) 11-28-112 update:
- 3. V10.5.2 Documents Response Acceptable. We will also need this a) PDR (IRTX) 21105 information b) Technical Advisory Bulletin (TAB) 183 submitted on the c) Engineering Project Plan (EPP) Tricon V10.5.2, 9100346-001 docket.
d) V1 0.5.2 V&V Test Report e) Software Release Definition (SRD), V10.5.2, 6200003-226 Invensys Audit Item
- 4. V10.5.3 Documents a) PDR (IRTX) 22481 b) Product A!ert Notice (PAN) 25 c) Engineering Project Plan (EPP) Tricon V10.5.3, 9100428-001 d) Tricon PAN 25 Master Test Report e) Software Release Definition (SRD), V10.5.3, 6200003-230 f) NGDO SRS 6200170-001 L __
March 25, 2013 DCPP PPS Closed Item Summary Table Page 72 of 74 RAINo. RAI Comments
-
No SrclRI Issue Description P&GE response: Status (Date Sent) Response (Due Date)
(ii) Tristation V4.9.0 documents a) Product Alert Notice (PAN) 22 b) Product Alert Notice (PAN) 24 c) Technical Advisory Bulletin (TAB) 147 d) Engineering Project Plan (EPP) Tristation V4.9, 9100359-001 e) Tristation V4.9.0 Master Test Report f) Software Release Def. (SRD), Tristation V4.9.0, 6200097 -038 g) Spec. Software Design - Tristation 1131 SDS, 6002168-002 (Section Applicable to V4.9.0 Change) h) TriStation 1131 V4.9 V&V Plan, 9600442-002 i) TriStation 1131 V&V Summary Report (26 Oct.
2012) 12-19-2012 Follow up Item:
The staff has reviewed all of these documents, which have been placed on the Invensys Sharepoint website and concluded its assessment of the Tricon Platform changes from V10.5.1 to V1 0.5.3. The results of this assessment will be published in the Invensys Audit Report. In order to provide a safety finding to approve these changes in the DCPP PPS SER It is necessary for the following documents to be formally submitted to the staff to facilitate completion of its safety assessment of the Tricon V10 platform changes/software revisions that have occurred since the platform was approved generically, and will be applied to the DCPP PPS.
Please submit the following Documents on the Docket:
- 1. Product Discrepancy Report (PDR) IRTX#211 05
- 2. Technical Advisory Bulletin (TAB) 183
- 3. Engineering Project Plan (EPP) V10.5.2, 9100346-001, Rev. 1.4
- 4. Tricon V1 0.5.2 V&V Test Report, Rev. 1.1, January 14, 2011
- 5. Software Release Definition (SRD) V10.5.2, 6200003-226, Rev.1.0
March 25, 2013 DCPP PPS Closed Item Summary Table Page 73 of 74 No SrclRI Issue Description P&GE response: Status RAI No. RAI Comments (Date Sent) Response (Due Date)
- 6. PDR IRTX#22481
- 7. Product Alert Notice (PAN) 25
- 8. Document "ARR 932 NSC Evaluation .pdf"
- 9. Tricon PAN 25 Fix Engineering Project Plan (EPP) 9100428-001, Rev.1.2
- 10. Tricon PAN 25 Master Test Report, Rev.1.0
- 11. Software Release Definition (SRD) V10.5.3, 6200003-230, Rev.1.0
- 12. Product Alert Notice (PAN) 22
- 13. Product Alert Notice (PAN) 24
- 14. Technical Advisory Notice (TAB) 147
- 15. Engineering Project Plan (EPP) TriStation V4.9 & Safety Suite Apps, 9100359-001, Rev.1.3
- 16. TriStation V4.9.0 Test Report, Rev. 0.4
- 17. Software Release Definition (SRD) 6200097-038, Rev.1.2 PG&E Response: The documents were submitted by Invensys Operations Management in Letter 993754-53T dated February 11, 2013.
77 RJS
Issue: The staff requests that the Purchase Order Compliance Matrices (Multiple Documents) be placed on the SharePoint site to support verification of requirements traceability determinations.
Status: Closed. RAI No.: No RAI.
RAI Comments: Invensys Audit Item. RJS - I do not believe that the POCM's will need to be docketed.
PG&E Response: Invensys will place the requested documents on the Invensys SharePoint by December 7, 2012, for access by the NRC. The documents will be marked in accordance with 10 CFR 2.390 prior to placing them on the SharePoint.
78 RA
Issue: The staff requests that the Invensys Project Procedures Manual and Project Instructions (Multiple Documents) be placed on the SharePoint site to support review of the Invensys process to design, develop and test the Tricon system.
Status: Closed. RAI No.: No RAI.
RAI Comments: 12/19/12: Document was posted in Invensys' SharePoint.
PG&E Response: Invensys will place the requested documents on the Invensys SharePoint by December 14, 2012, for access by the NRC. The documents will be marked in accordance with 10 CFR 2.390 prior to placing them on the SharePoint.
Enclosure 4

Project Plan for Diablo Canyon Replacement of Digital RPS and ESFAS (PPS) - LAR Review (Rev. 10)

| Step | Planned Date | Task | Actual Date |
|---|---|---|---|
| 1 | Oct. 26, 2011 | PG&E LAR Submittal for NRC approval. Submittal includes all Phase 1 documents needed to be docketed prior to acceptance for review per ISG-06, "Digital Licensing." | Oct. 26, 2011 |
| 2 | Jan. 12, 2012 | Acceptance Review complete. LAR accepted for detailed technical review. Several issues identified that could present challenges for the staff to complete its review. Scheduled public meeting with PG&E to discuss the results of the acceptance review. | Jan. 12, 2012 |
| 3 | Jan. 13, 2012 | Acceptance letter sent to licensee. | Jan. 13, 2012 |
| 4 | Jan. 18, 2012 | Conduct Public Meeting to discuss staff's findings during the LAR acceptance review. Staff proceeds with LAR technical review. | Jan. 18, 2012 |
| 5 | March 18, 2012 | PG&E provides information requested in acceptance letter. Initiate bi-weekly telecons with PG&E and its contractors to discuss potential RAI issues. Open Items spreadsheet will be maintained by NRC to document staff issues and planned licensee responses. | April 2, 2012 |
| 6 | May 30, 2012* | PG&E provides partial set of Phase 2 documentation per commitments made in LAR. | June 6, 2012 |
| 7 | July 2012 | First RAI sent to PG&E on Phase 1 documentation (e.g., specifications, plans, and equipment qualification). Continue review of the application. Request 45 day response. (ML12208A364) | August 07, 2012 |
| 8 | June 2012 | SER for Tricon V10 Platform issued final. This platform becomes a Tier 1 review of the LAR. (ML12146A010) | May 15, 2012 |
| 8.1 | March 2013 | SER for Westinghouse ALS Platform issued final. This platform becomes a Tier 1 review of the LAR. | |
| 9 | September 2012 | Receive answers to first RAI. (ML12256A308) | Sept. 11, 2012 |
| 10 | November 2012 | Audit trip to Invensys facility for thread audit; audit the life cycle planning documents and outputs, with particular emphases on verification and validation, configuration management, quality assurance, software safety, the Invensys application software development procedures, and application software program design. | Nov. 13-16, 2012 |
| 10.1 | December 2012 | Audit report provided to PG&E. | February 2013 |
| 11 | February 2013 | Audit trip to Westinghouse/CSI facility for thread audit; audit the life cycle planning documents and outputs, with particular emphases on verification and validation, configuration management, quality assurance, software safety, the W/ALS application software development procedures, and PPS ALS application software program design. | February 21, 2013 |
| 11.1 | April 2013 | Audit report provided to PG&E and its contractor. | Pending |
| 12 | March 2013 | Second RAI Letter to PG&E on Phase 1 documentation. | March 20, 2013 |
| 12.1 | April 2013 | Receive responses to second set of RAI's. | |
| 13 | April 2013 | LAR revision and all supporting documentation associated with the change in ALS and Tricon V10 workstation designs for the PPS are submitted. | |
| 14 | May 2013 | PG&E provides remaining set of Phase 2 documentation per commitments made in LAR. See step 6 for initial submittal of Phase 2 documents. | |
| 15 | May 2013 | All documentation for DCPP W/CSI ALS and IOM/Triconex V10 processors applicable to the DCPP PPS LAR are submitted. | |
| 16 | June 2013 | Follow-up audit trip to Invensys facility for thread audit; audit the life cycle planning documents and outputs, with particular emphases on verification and validation, configuration management, quality assurance, software safety, the Invensys application software development procedures, and application software program design. | |
| 16.1 | August 2013 | Audit report provided to PG&E. | |
| 17 | August 2013 | Third RAI Letter to PG&E on Phase 2 documentation (e.g., FMEA, safety analysis, RTM, EQ test results, setpoint calculations). | |
| 17.1 | September 2013 | Receive responses to third set of RAI's. | |
| 18 | September 2013 | Audit trip to W/ALS facilities for additional thread audit items; audit hardware and software installation plans, configuration management reports, detailed system and hardware design, completed test procedures, V&V activities, summary test results (including FAT) and incident reports, and application code listings. | |
| 18.1 | October 2013 | Audit report provided to PG&E. | |
| 19 | TBD | (Optional) Audit trip to Invensys facilities for additional thread audit items; audit hardware and software installation plans, configuration management reports, detailed system and hardware design, completed test procedures, V&V activities, summary test results (including FAT) and incident reports, and application code listings. | |

* PG&E provided a subset of the Phase 2 documents on June 6th. See step 14, which is a milestone for submittal of all remaining Phase 2 documents.
20 TBD (Optional) Audit trip to DCPP test facilities for additional thread audit items.
Page 2 of 3
Project Plan for Diablo Canyon Replacement of Digital RPS and ESFAS (PPS) - LAR Review (Rev. 10) 21 Februaryl Presentation to ACRS SubcommitteelFull ACRS Committee on March DCPP PPS LAR Safety Evaluation.
2014 22 March 2014 Complete draft technical SER for management review and approval.
23 March 2014 Issue completed draft technical SER to DORL 24 March 2014 Draft SER sent it to PG&E, Invensys, and W/CSI to perform technical review and ensure no proprietary information was included.
25 April 2014 Receive comments from PG&E and its contractors on draft SER proprietary review.
26 May 2014 Approved License Amendment issued to PG&E 27 -September Inspection trip to DCPP for PPS Site Acceptance Testing (SAT),
2014 training and other preparation for installing the new system. To be (tentative) coordinated with regional visit. Date based on receipt of new PPS system at the site in preparation for September 2015 Unit 1 Refueling Outage (1 R 19).
28 -September Inspection trip to DCPP for PPS installation tests, training and 2015 other system installation activities for the new system. To be coordinated with regional visit. Date based on September 2015 Unit 1 Refueling Outage (1R19).
Page 3 of 3
Please direct any inquiries to me at 301-415-5430, or james.polickoski@nrc.gov.

/RA by JSebrosky for/
James T. Polickoski, Project Manager
Plant Licensing Branch IV
Division of Operating Reactor Licensing
Office of Nuclear Reactor Regulation

Docket Nos. 50-275 and 50-323
Enclosures:
- 1. List of Attendees
- 2. NRC Staff Identified Open Issues
- 3. NRC Staff Identified Closed Issues
- 4. LAR Review Project Plan

cc w/encls: Distribution via Listserv

DISTRIBUTION:

| | |
|---|---|
| PUBLIC | RidsRgn4MailCenter Resource |
| LPLIV r/f | ELee, NSIR/DSP |
| RidsAcrsAcnw_MailCTR Resource | RStattel, NRR/DE/EICB |
| RidsNrrDeEicb Resource | RAlvarado, NRR/DE/EICB |
| RidsNrrDorlLpl4 Resource | SMakor, RIV/DRS/EB2 |
| RidsNrrLAJBurkhardt Resource | DHuyck, EDO RIV |
| RidsNrrPMDiabloCanyon Resource | VDricks, OPA RIV |

ADAMS Accession Nos.: Meeting Notice ML13074A118, Meeting Summary ML13149A068

| OFFICE | NRR/DORL/LPL4/PM | NRR/DORL/LPL4/LA | NRR/DORL/LPL4/BC | NRR/DORL/LPL4/PM |
|---|---|---|---|---|
| NAME | JPolickoski | JBurkhardt | MMarkley | JSebrosky for JPolickoski |
| DATE | 5/31/13 | 5/31/13 | 6/4/13 | 6/4/13 |

OFFICIAL RECORD COPY