Configuration Control of PPS
FAC Review, November 2008
E. Michael Saleski, Controls Dept., Safety Systems QC Manager
11/11/08 E. M. Saleski FAC 2008 Saleski@SLAC.Stanford.edu

Configuration Control Elements
- Prevention of Unintended Change
  - Physical Security of System
  - Labeling
  - Training
- Control of Intended Change
  - Work Planning (adequate review of design)
  - Work Authorization (RSWCF)
  - Verification of Work (RSWCF)
- Periodic Confirmation of System Integrity
  - Routine testing and inspections

SLAC Configuration Control Policies
- Guidelines for Operations
  - Guideline 14 "Configuration Control of Radiation Safety Systems"
  - Guideline 24 "Safety Review of Major Modifications"
  - Guideline 27 "Testing of PPS Systems"
- Radiation Safety Systems Technical Basis Document

CD Safety Systems Section Configuration Control Documentation
- Change Control Plan
- Document Management Plan
- Document Change Control Procedure
- Document Change Order
- Design Review Plan
- Software Configuration Management
- Engineering Change Order Procedure
- Engineering Change Order
- Drawing Management Procedure

Physical Security
- PPS equipment is situated in locked racks
- Field devices are labeled as 'PPS'; checked regularly by OPS
- New PLC-relevant issues:
  - Program storage security
  - Version management
  - Network access security
- ADSO and the RSWCF are the gate-keepers for work on the system

PLC Physical Security
- Software Security:
  - The safety-critical program 'smart card' cannot be written to while it is in the PLC
  - Communication with the 'supervisor' PLC is through TCP/IP
  - Communication between the 'supervisor' PLC and the safety-critical PLCs is through DeviceNet serial data communication, fully contained in a locked rack
- Operational Security:
  - Hardwire Enable from MCC required
  - Only specific IP addresses are allowed to issue PPS commands

PPS PLC Architecture
[Block diagram. Components shown: Safety-Critical Logic, Status and Control PLC (AB ControlLogix 5000); PPS Safety-Critical Status Device Chains 'A' and 'B'; Safety-Critical Control Chains 'A' and 'B'; Pilz PLC Systems 'A' and 'B'; AB ControlLogix Digital Input (PPS Hardwire Enable from MCC); AB ControlLogix Digital Output (Non Safety-Critical Control); Non Safety-Critical Status; EPICS Display Panel on the Controls Network (2-way TCP/IP); DeviceNet link to the safety-critical PLCs. Safety-critical functions: Doors, EO, EE, Search Status, Keybank, Modulators, Stoppers. Non safety-critical functions: Access States, Door/Keybank release, Status reporting.]

Safety Lifecycle
Describes the development, review, configuration management and testing process for the PPS from inception, through design, construction and commissioning, to operations and system modifications.
- Development and Review Cycle
- Implementation, Operations, and Maintenance Cycle

Implementation, Operations, and Maintenance Lifecycle
[Flowchart. Nodes: Initiate RSWCF; Implement Change; Initial Acceptance Test (Problems / Success); Close RSWCF; 12 Months: Safety Assurance Test (Problems / Success); 6 Months: Interlock Checks (Problems / Success); Routine Testing per Guideline 27; System in Operation; Assessment of Failure; Is the Failure Reportable?; Assess Failure with RSO; Administrative Mitigation; Procedure Error; Correct the Procedure; Failed Hardware; Repair Hardware; Undesired Functionality Discovered; Engineering Change; Need for New Functional Requirements; Initiate RSWCF, Determine Tests; Re-perform Test; Close RSWCF.]
Development and Review Lifecycle
[Flowchart. Nodes: Need for New PPS System Safety Functions; Requirements Specification Validation; Scope and Methodology Determination; Software Functions Determination; Hardware Functions Determination; Rework Proposal; Preliminary Design Review (Project and RSO/RSC) (Problems / Success); Withdraw Software from Version-Control Repository; Software Design and Development; Hardware Design and Development; Safety Validation Planning; Rework Software; Rework Hardware; Software Bench Testing; Bench Testing Specified?; Deposit Software in Version-Control Repository; Assign New Version Number; Rework Procedure; Validation Procedure Review; System Technical Design Review (Project and RSO/RSC) (Success); Special Functions; Key System Review or Assessment; System Testing or Validation; System in Operation; Additional Cycle; Implementation, Operations, and Maintenance Cycle.]

Software Portion of Dev&Rev Lifecycle
- Hardware is designed and reviewed per current SLAC practice
- Software has a more rigorous version-control scheme
- Includes documented bench testing of software

Software Configuration Management Procedure
- PPS software is stored in a dedicated PPS repository
- Released software always has an "N.0.0" version tag
- Documented software bench testing is performed prior to deployment

Software Configuration Management Support
- Software versions are checked during annual certification
- Written procedures exist for extracting PPS code from CVS and for uploading it to PLCs
- A documented training program tracks personnel PLC qualifications in the Section
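The two Software Configuration Management slides state a release-tag convention ("N.0.0") and an annual certification step in which the versions running on the PLCs are compared against the repository. The following is an added example, not code from the presentation or from SLAC, of how that certification check can be automated: it parses a constructed inventory of deployed PLC program versions, checks each against the release-tag rule, and compares it to the release record for that controller. The PLC names, the inventory format, and the release records are all constructed for the example; the real procedure and the CVS repository layout are not described on the page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Release-tag convention from the slides: released PPS software is always
# tagged "N.0.0" (major number only, minor and patch fixed at zero).
RELEASE_TAG = re.compile(r"^(\d+)\.0\.0$")


@dataclass(frozen=True)
class Finding:
    plc: str
    deployed: str
    released: Optional[str]
    status: str  # "ok", "not_release_tag", "version_mismatch", "no_release_record"


def is_release_tag(tag: str) -> bool:
    """True when the tag follows the N.0.0 release convention."""
    return RELEASE_TAG.match(tag.strip()) is not None


def parse_inventory(text: str) -> Dict[str, str]:
    """Parse a constructed 'controller version' inventory, one pair per line.

    Blank lines and '#' comments are ignored; the format is assumed for the
    example and is not the format used by the real procedure.
    """
    deployed: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, version = line.split()
        deployed[name] = version
    return deployed


def check_deployed_versions(deployed: Dict[str, str],
                            released: Dict[str, str]) -> List[Finding]:
    """Compare what is running on each PLC with its recorded release.

    A controller fails certification if it has no release record, if the
    running version is not a release tag, or if it differs from the record.
    Results are returned sorted by controller name for a stable report.
    """
    findings: List[Finding] = []
    for plc, version in sorted(deployed.items()):
        expected = released.get(plc)
        if expected is None:
            status = "no_release_record"
        elif not is_release_tag(version):
            status = "not_release_tag"
        elif version != expected:
            status = "version_mismatch"
        else:
            status = "ok"
        findings.append(Finding(plc, version, expected, status))
    return findings


def certification_passes(findings: List[Finding]) -> bool:
    """Annual certification passes only when every controller checks out."""
    return all(f.status == "ok" for f in findings)


# Constructed sample data: an inventory read from the controllers and the
# release record for the same controllers. Names and numbers are made up.
INVENTORY_TEXT = """
# controller   running-version
PLC-A          3.0.0
PLC-B          3.0.0   # record says 2.0.0 was released to this chain
SUPERVISOR     2.1.0   # not an N.0.0 release tag
SPARE          1.0.0   # no release record for this unit
"""

RELEASED = {"PLC-A": "3.0.0", "PLC-B": "2.0.0", "SUPERVISOR": "2.0.0"}

DEPLOYED = parse_inventory(INVENTORY_TEXT)

if __name__ == "__main__":
    results = check_deployed_versions(DEPLOYED, RELEASED)
    for f in results:
        print(f"{f.plc:<12} deployed={f.deployed:<8} "
              f"released={f.released or '-':<8} {f.status}")
    print("certification:", "PASS" if certification_passes(results) else "FAIL")
```

Each non-"ok" status maps to a different follow-up under the lifecycle shown earlier: a version mismatch or a non-release tag on a safety-critical controller points at an unauthorized or incomplete change and should trigger the RSWCF process, while a missing release record is a documentation gap to close in the repository before the controller is certified.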