Page 1: Configuration Control of PPS

FAC Review, November 2008
E. Michael Saleski, Controls Dept Safety Systems QC Manager
Saleski@SLAC.Stanford.edu
11/11/08

Page 2: Configuration Control Elements

Prevention of Unintended Change
- Physical Security of System
- Labeling
- Training

Control of Intended Change
- Work Planning (adequate review of design)
- Work Authorization (RSWCF)
- Verification of Work (RSWCF)

Periodic Confirmation of System Integrity
- Routine testing and inspections

Page 3: SLAC Configuration Control Policies

Guidelines for Operations
- Guideline 14 “Configuration Control of Radiation Safety Systems”
- Guideline 24 “Safety Review of Major Modifications”
- Guideline 27 “Testing of PPS Systems”

Radiation Safety Systems Technical Basis Document

Page 4: CD Safety Systems Section Configuration Control Documentation

- Change Control Plan
- Document Management Plan
- Document Change Control Procedure
- Document Change Order
- Design Review Plan
- Software Configuration Management
- Engineering Change Order Procedure
- Engineering Change Order
- Drawing Management Procedure

Page 5: Physical Security

- PPS Equipment is situated in locked racks
- Field devices are labeled as ‘PPS’; checked regularly by OPS
- New PLC-relevant issues:
  - Program Storage Security
  - Version Management
  - Network Access Security
- ADSO and the RSWCF are the gate-keepers for work on the system

Page 6: PLC Physical Security

Software Security:
- Safety-critical program ‘smart card’ cannot be written on while in the PLC
- Communication with the ‘supervisor’ PLC is through TCP/IP
- Communication between the ‘supervisor’ PLC and the safety-critical PLCs is through DeviceNet serial data communication fully contained in a locked rack.

Operational Security:
- Hardwire Enable from MCC required
- Only specific IP addresses are allowed to issue PPS commands
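The two operational-security rules on this slide (a hardwire enable from MCC, and a source-address allowlist for PPS commands) are independent permissives, and the value is that neither one alone admits a command. The following is an added example that models that gate and records every refusal for later review; it is not SLAC code, and the addresses, command names and log format are constructed.

```python
"""Command gate modelled on the two operational-security rules on this slide:
a PPS command is acted on only if the hardwire enable from MCC is asserted AND
the request comes from an allowlisted source address. Added example, not SLAC
code; the addresses, command names and log format are constructed."""
from __future__ import annotations

import ipaddress
import logging
from dataclasses import dataclass, field

log = logging.getLogger("pps.command_gate")

# Constructed allowlist of hosts permitted to issue PPS commands (assumption:
# the real list is site-specific and is not on the slide).
ALLOWED_SOURCES = [
    ipaddress.ip_network("10.0.5.10/32"),
    ipaddress.ip_network("10.0.5.11/32"),
]


@dataclass
class CommandGate:
    allowed: list = field(default_factory=lambda: list(ALLOWED_SOURCES))
    rejected: list = field(default_factory=list)  # audit trail of refused attempts

    def check(self, source_ip: str, hardwire_enable: bool, command: str) -> tuple[bool, str]:
        """Return (accepted, reason). The two conditions are independent: a host
        on the allowlist still cannot act unless the hardware permissive is
        present, and asserting the permissive does not admit an unlisted host."""
        if not hardwire_enable:
            return self._reject(source_ip, command, "hardwire enable not asserted")
        try:
            addr = ipaddress.ip_address(source_ip)
        except ValueError:
            return self._reject(source_ip, command, f"unparseable source address {source_ip!r}")
        if not any(addr in net for net in self.allowed):
            return self._reject(source_ip, command, f"source {source_ip} not allowlisted")
        log.info("accepted %s from %s", command, source_ip)
        return True, "accepted"

    def _reject(self, source_ip: str, command: str, reason: str) -> tuple[bool, str]:
        # Every refusal is recorded: repeated rejections from one source are the
        # signal an operator would want to review.
        self.rejected.append({"source": source_ip, "command": command, "reason": reason})
        log.warning("rejected %s from %s: %s", command, source_ip, reason)
        return False, reason


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    gate = CommandGate()
    print(gate.check("10.0.5.10", True, "RELEASE_KEYBANK"))   # accepted
    print(gate.check("10.0.5.10", False, "RELEASE_KEYBANK"))  # no hardwire enable
    print(gate.check("10.0.9.9", True, "RELEASE_KEYBANK"))    # not allowlisted
```

The hardware permissive is tested before the address so that a network-side error can never be the only thing standing between a request and an action; the rejected list is what a certification or incident review would read back.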

Page 7: PPS PLC Architecture

[Block diagram; the labels below are recovered from the slide, the connecting lines are not reproduced.]
- Safety-Critical: Doors, EO, EE, Search Status, Keybank; Modulators, Stoppers
- Non Safety-Critical: Access States; Door/Keybank release; Status reporting
- AB ControlLogix 5000 with AB ControlLogix Digital Input and AB ControlLogix Digital Output: Non Safety-Critical Status, Non Safety-Critical Control
- Pilz PLC System ‘A’: Safety-Critical Control Chain ‘A’, Safety-Critical Status Device Chain ‘A’
- Pilz PLC System ‘B’: Safety-Critical Control Chain ‘B’, Safety-Critical Status Device Chain ‘B’
- PLC PPS: Safety-Critical Logic, Status and Control
- MCC: EPICS Display Panel, PPS Hardwire Enable
- Links: Controls Network, 2-way TCP/IP, DeviceNet

Page 8: Safety Lifecycle

Describes the development, review, configuration management and testing process for the PPS from inception, to design, construction, commissioning, and through to operations and system modifications.

[Diagram: two linked cycles, “Development and Review Cycle” and “Implementation, Operations, and Maintenance Cycle”.]

Page 9: Implementation, Operations, and Maintenance Lifecycle

[Flowchart; the node labels below are recovered from the slide, the arrows are not reproduced. Each test node carries Success / Problems branches.]
- Entry from the Development and Review Cycle: Initial Acceptance Test; Safety Assurance Test; Interlock Checks; Re-perform Test
- System in Operation: Routine Testing Per Guideline 27 (intervals shown: 6 Months, 12 Months)
- On Problems: Assess Failure with RSO; Assessment of Failure; Is the Failure Reportable?
- Failure classes: Procedure Error; Failed Hardware; Undesired Functionality Discovered
- Procedure Error: Correct the Procedure
- Failed Hardware: Initiate RSWCF; Determine Tests; Repair Hardware; Close RSWCF
- Undesired Functionality Discovered: Administrative Mitigation, or Engineering Change (Need for New Functional Requirements; Initiate RSWCF; Implement Change; Close RSWCF)

Page 10: Development and Review Lifecycle

[Flowchart; the node labels below are recovered from the slide, the arrows are not reproduced. Review and test nodes carry Success / Rework branches. A “Lifecycle Special Functions Key” legend is also on the slide.]
- Need for New PPS System; Safety Functions Requirements Specification
- Preliminary Design Review (Project and RSO/RSC): Success / Rework Proposal
- Software Functions Determination; Hardware Functions Determination
- Safety Validation Planning; Validation Scope and Methodology Determination
- Hardware Design and Development; Software Design and Development
- System Technical Design Review (Project and RSO/RSC): Success / Rework Software / Rework Hardware
- Version control: Deposit Software in Version-Control Repository; Withdraw Software from Version-Control Repository; Assign New Version Number
- Bench Testing Specified?; Software Bench Testing: Success / Rework Software
- Validation Procedure Review: Success / Rework Procedure
- System Review or Assessment; System Testing or Validation
- System in Operation; Additional Cycle; hand-off to the Implementation, Operations, and Maintenance Cycle

Page 11: Software Portion of Dev&Rev Lifecycle

- Hardware is designed and reviewed per current SLAC practice
- Software has a more rigorous version-control scheme
- Includes documented bench testing of software

Page 12: Software Configuration Management Procedure

- PPS Software is stored in a dedicated PPS repository
- Released software always has “N.0.0” version tag
- Documented software bench testing is performed prior to deployment

Page 13: Software Configuration Management Support

- Software versions are checked during annual certification
- Written procedures exist for extracting PPS code from CVS and for uploading it to PLCs
- A documented training program tracks personnel PLC qualifications in the Section
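Slides 12 and 13 together describe a check that can be mechanised: a released program carries an “N.0.0” tag, and at certification the version running on each PLC is compared with the repository’s release record. The following is an added example of that comparison; it is not SLAC code or a CVS tool, and the PLC names, program images and repository records are constructed. It goes one step beyond the slide by also comparing a digest of the program image, so a field edit that kept the release tag would still be reported.

```python
"""Certification check drawn from slides 12 and 13: every PLC must be running a
program whose tag is a release tag (N.0.0) and which matches the repository's
release record. Added example, not SLAC code; PLC names, program images and
repository records are constructed."""
import hashlib
import re
from dataclasses import dataclass

# Release tags are N.0.0 (slide 12); anything else is a working version.
RELEASE_TAG = re.compile(r"^(\d+)\.0\.0$")


def is_release_tag(tag: str) -> bool:
    return RELEASE_TAG.match(tag) is not None


def program_digest(program: bytes) -> str:
    """Digest of a program image; recorded at release, recomputed at certification."""
    return hashlib.sha256(program).hexdigest()


@dataclass(frozen=True)
class RepoRelease:
    plc: str
    tag: str
    digest: str  # digest of the image as it was when the release was tagged


@dataclass(frozen=True)
class PlcReadback:
    plc: str
    tag: str
    program: bytes  # image read back from the PLC (constructed here)


def certify(repo: dict, readbacks: list) -> list:
    """Return a list of findings; an empty list means every PLC matches its release."""
    findings = []
    seen = {rb.plc for rb in readbacks}
    for rb in readbacks:
        rel = repo.get(rb.plc)
        if rel is None:
            findings.append(f"{rb.plc}: no release record in repository")
            continue
        if not is_release_tag(rb.tag):
            findings.append(f"{rb.plc}: running tag {rb.tag!r} is not a release tag")
        if rb.tag != rel.tag:
            findings.append(f"{rb.plc}: running {rb.tag}, repository release is {rel.tag}")
        if program_digest(rb.program) != rel.digest:
            findings.append(f"{rb.plc}: program image differs from tagged release")
    for name in repo:
        if name not in seen:
            findings.append(f"{name}: no readback obtained")
    return findings


# Constructed sample data: two safety PLCs, one of which is running an unreleased edit.
PROGRAM_A = b"constructed program image for Pilz system A, release 3.0.0"
PROGRAM_B = b"constructed program image for Pilz system B, release 4.0.0"


def sample_repository() -> dict:
    return {
        "pilz-A": RepoRelease("pilz-A", "3.0.0", program_digest(PROGRAM_A)),
        "pilz-B": RepoRelease("pilz-B", "4.0.0", program_digest(PROGRAM_B)),
    }


def sample_readbacks() -> list:
    return [
        PlcReadback("pilz-A", "3.0.0", PROGRAM_A),
        PlcReadback("pilz-B", "4.1.0", PROGRAM_B + b" patched in the field"),
    ]


def run_example() -> list:
    return certify(sample_repository(), sample_readbacks())


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

In the sample run pilz-A passes and pilz-B produces three findings (non-release tag, tag mismatch, image mismatch); each is reported separately because each points at a different gap in the change-control path.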