Configuration Control of PPS
FAC Review
November 2008
E. Michael Saleski
Controls Dept Safety Systems QC Manager
11/11/08
E. M. Saleski
FAC 2008
Saleski@SLAC.Stanford.edu
Configuration Control Elements
Prevention of Unintended Change
Physical Security of System
Labeling
Training
Control of Intended Change
Work Planning (adequate review of design)
Work Authorization (RSWCF)
Verification of Work (RSWCF)
Periodic Confirmation of System Integrity
Routine testing and inspections
SLAC Configuration Control Policies
Guidelines for Operations
Guideline 14 “Configuration Control of Radiation Safety Systems”
Guideline 24 “Safety Review of Major Modifications”
Guideline 27 “Testing of PPS Systems”
Radiation Safety Systems Technical Basis Document
CD Safety Systems Section
Configuration Control Documentation
Change Control Plan
Document Management Plan
Document Change Control Procedure
Document Change Order
Design Review Plan
Software Configuration Management
Engineering Change Order Procedure
Engineering Change Order
Drawing Management Procedure
Physical Security
PPS Equipment is situated in locked racks
Field devices are labeled as ‘PPS’; checked regularly by OPS
New PLC-relevant issues:
Program Storage Security
Version Management
Network Access Security
ADSO and the RSWCF are the gate-keepers for work on the system
PLC Physical Security
Software Security:
Safety-critical program ‘smart card’ cannot be written on while in the PLC
Communication with the ‘supervisor’ PLC is through TCP/IP
Communication between the ‘supervisor’ PLC and the safety-critical PLCs is through DeviceNet serial data communication fully contained in a locked rack.
Operational Security:
Hardwire Enable from MCC required
Only specific IP addresses are allowed to issue PPS commands
PPS PLC Architecture (block diagram; component labels recovered from the figure)
Supervisor side: AB ControlLogix 5000, AB ControlLogix Digital Input, AB ControlLogix Digital Output; Non Safety-Critical Status and Non Safety-Critical Control
Safety-critical side: Pilz PLC System ‘A’ and Pilz PLC System ‘B’, providing Safety-Critical Logic, Status and Control (PLC PPS)
Safety-Critical Status Device Chain ‘A’ and Chain ‘B’; Safety-Critical Control Chain ‘A’ and Chain ‘B’
Safety-Critical functions: Doors, EO, EE, Search Status, Keybank, Modulators, Stoppers
Non Safety-Critical functions: Access States, Door/Keybank release, Status reporting
Links: PPS Hardwire Enable from MCC; 2-way TCP/IP over the Controls Network to the EPICS Display Panel; DeviceNet between the supervisor PLC and the Pilz PLCs
Safety Lifecycle
Describes the development, review, configuration management and testing process for the PPS from inception, to design, construction, commissioning, and through to operations and system modifications.
Two cycles (figure): Development and Review Cycle; Implementation, Operations, and Maintenance Cycle
Implementation, Operations, and Maintenance Lifecycle (flowchart; node labels recovered from the figure)
Change path: Initiate RSWCF; Implement Change; Initial Acceptance Test (Problems / Success); Close RSWCF
Periodic testing with System in Operation: Safety Assurance Test every 12 months; Interlock Checks every 6 months; Routine Testing per Guideline 27 (each branches to Problems / Success)
Problem handling: Assessment of Failure; Is the Failure Reportable?; Assess Failure with RSO
Failure classes and responses: Procedure Error, Correct the Procedure; Failed Hardware, Repair Hardware and Re-perform Test; Undesired Functionality Discovered, Administrative Mitigation or Engineering Change (Initiate RSWCF; Determine Tests); Need for New Functional Requirements (Development and Review Cycle)
Success: Close RSWCF
Development and Review Lifecycle (flowchart; node labels recovered from the figure)
Requirements: Need for New PPS System; Safety Functions Requirements Specification; Validation Scope and Methodology Determination; Software Functions Determination; Hardware Functions Determination
Preliminary Design Review (Project and RSO/RSC): Problems, Rework Proposal; Success, proceed to design
Design: Software Design and Development (Withdraw Software from Version-Control Repository); Hardware Design and Development; Safety Validation Planning
Software Bench Testing (Bench Testing Specified?): Problems, Rework Software; Success, Deposit Software in Version-Control Repository and Assign New Version Number
Validation Procedure Review: Problems, Rework Procedure
System Technical Design Review (Project and RSO/RSC): Problems, Rework Software or Rework Hardware; Success, enter the Implementation, Operations, and Maintenance Cycle
Lifecycle Special Functions Key: System Review or Assessment; System in Operation; System Testing or Validation; Additional Cycle
Software Portion of Dev&Rev Lifecycle
Hardware is designed and reviewed per current SLAC practice
Software has a more rigorous version-control scheme
Includes documented bench testing of software
Software Configuration Management Procedure
PPS Software is stored in a dedicated PPS repository
Released software always has “N.0.0” version tag
Documented software bench testing is performed prior to deployment
Software Configuration Management Support
Software versions are checked during annual certification
Written procedures exist for extracting PPS code from CVS and for uploading it to PLCs
A documented training program tracks personnel PLC qualifications in the Section
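The two slides above state that released PPS software carries an “N.0.0” tag, is bench tested before deployment, and has its versions checked at annual certification. The Python script below is an added example of such a certification check; it is not SLAC's procedure or code. It validates release tags, parses a release manifest in an assumed format (PLC name, release tag, SHA-256 of the bench-tested program image) and compares the manifest with the version string and program image read back from each PLC, reporting a development build, a version mismatch, an altered image, an unlisted PLC, and a PLC that was never read back. The PLC names, program images and manifest are constructed; reading a program back from a real PLC is outside the example.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, Tuple

# Released PPS software carries an "N.0.0" tag; any non-zero minor or patch
# field marks development code that has not been through the release process.
RELEASE_TAG = re.compile(r"^\d+\.0\.0$")


def is_release_tag(tag: str) -> bool:
    """True only for tags of the form N.0.0 (N = integer major version)."""
    return RELEASE_TAG.match(tag) is not None


@dataclass(frozen=True)
class ManifestEntry:
    plc: str      # PLC name (constructed for this example)
    version: str  # release tag recorded when the code left the repository
    sha256: str   # digest of the program image that passed bench testing


def parse_manifest(text: str) -> Dict[str, ManifestEntry]:
    """Parse a release manifest of 'plc version sha256' lines (assumed format).
    An entry whose tag is not a release tag is rejected outright, so a
    development build cannot be certified by mistake."""
    entries: Dict[str, ManifestEntry] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        plc, version, digest = line.split()
        if not is_release_tag(version):
            raise ValueError(f"manifest lists non-release tag {version} for {plc}")
        entries[plc] = ManifestEntry(plc, version, digest)
    return entries


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def certify(manifest: Dict[str, ManifestEntry],
            deployed: Dict[str, Tuple[str, bytes]]) -> Dict[str, str]:
    """Compare each PLC's running version and program image with the manifest.
    deployed maps plc -> (version string read from the PLC, image read back).
    Returns plc -> "ok" or the reason the PLC fails certification."""
    results: Dict[str, str] = {}
    for plc, entry in manifest.items():
        if plc not in deployed:
            results[plc] = "not read back"
            continue
        version, image = deployed[plc]
        if not is_release_tag(version):
            results[plc] = f"non-release version {version} running"
        elif version != entry.version:
            results[plc] = f"version mismatch: manifest {entry.version}, PLC {version}"
        elif sha256_hex(image) != entry.sha256:
            results[plc] = "program image differs from bench-tested release"
        else:
            results[plc] = "ok"
    for plc in deployed:
        if plc not in manifest:
            results[plc] = "PLC not listed in manifest"
    return results


# Constructed sample data: stand-ins for program images and a manifest written
# when releases 3.0.0 / 4.0.0 / 2.0.0 were deposited in the repository.
IMAGE_PILZ_A = b"PILZ-A safety logic release 3.0.0"
IMAGE_PILZ_B = b"PILZ-B safety logic release 3.0.0"
IMAGE_SUPERVISOR = b"ControlLogix supervisor release 4.0.0"

MANIFEST_TEXT = f"""
# plc        version  sha256 of bench-tested image
pilz-a       3.0.0    {sha256_hex(IMAGE_PILZ_A)}
pilz-b       3.0.0    {sha256_hex(IMAGE_PILZ_B)}
supervisor   4.0.0    {sha256_hex(IMAGE_SUPERVISOR)}
hmi-display  2.0.0    {sha256_hex(b'display panel release 2.0.0')}
"""

# Constructed read-back results: one good PLC, one with an altered image, one
# running a development build, one not in the manifest; hmi-display not read back.
DEPLOYED = {
    "pilz-a": ("3.0.0", IMAGE_PILZ_A),
    "pilz-b": ("3.0.0", IMAGE_PILZ_B + b" (edited online)"),
    "supervisor": ("4.1.0", IMAGE_SUPERVISOR),
    "spare-plc": ("1.0.0", b"unrecorded program"),
}


def certification_report() -> Dict[str, str]:
    """Run the check over the constructed manifest and read-back data."""
    return certify(parse_manifest(MANIFEST_TEXT), DEPLOYED)


if __name__ == "__main__":
    for plc, status in sorted(certification_report().items()):
        print(f"{plc:12s} {status}")
```

Checking the image digest as well as the version string matters because a program edited online in the PLC can keep its old version label; only a digest comparison against the bench-tested release detects that.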