Configuration Management for Digital Upgrades Configuration Management Benchmarking Group 2008 Conference Scott Patterson Program Manager for I&C Obsolescence Pacific Gas & Electric Co. Diablo Canyon Power Plant Tuesday June 3 rd, 2008

PAGE 2 Configuration Management for Digital Upgrades Digital vs. Analog 1.Digital Equipment goes obsolete much faster than analog equipment In some cases the equipment is obsolete before you install it Technology is changing very fast and is hard to keep up with it Digital requires a CM program that can handle a dynamic change process and that is more complex than analog 2.Digital Equipment is much more capable and flexible It takes many analog modules to do complex algorithms Analog is very hard to modify Not much analog equipment currently made or supported Digital is more accurate – convert to digital once, then accuracy stays the same With capability and flexibility comes complexity 3.Digital Equipment contains significantly more configurable parameters Hardware Firmware Communication Parameters Software

PAGE 3 Configuration Management for Digital Upgrades Hardware 1.Monitors, Workstations, Servers, Printers, …. Availability of a monitor or workstation is 6 months to 1 year which is shorter than most design processes We are developing specifications for these devices that list the minimum requirements Minimizes design changes when equipment is no longer available Allows flexibility for these less critical components In most cases the new equipment is faster and more capable How do you handle this?

PAGE 4 Configuration Management for Digital Upgrades Hardware (cont) 1. PLC or Embedded Systems Lifetime is usually much longer DCPP has selected two main hardware platforms based on a detailed evaluation to try to minimize obsolescence issues Key attributes to minimize obsolescence Customer base Past history OEM equipment Fewer platforms means fewer differences in CM Can have many revision levels of hardware and firmware Configuration is documented on plant drawings How do you document this?

PAGE 5 Configuration Management for Digital Upgrades Hardware (cont) 1.Configurable Devices Paperless Recorders Single Loop Controllers Digital Indicators 2.If the device is simple enough, SQA plans are not required 3.Configuration is documented in a plant drawing Available for disaster recovery Maintenance needs this information if the component is replaced

PAGE 6 Configuration Management for Digital Upgrades Firmware 1.How do you maintain configuration or version control of Firmware? In most cases the vendor maintains the firmware CM for non-safety and safety systems since they wrote or are responsible for it However tracking is still needed to keep track of what version is installed Firmware versions are usually flashed and are accessed through a diagnostic utility Needs to be part of the disaster recovery procedure Revision levels can change fast when consecutive upgrades are being installed

PAGE 7 Configuration Management for Digital Upgrades Firmware (cont) 1.Compatibility of different firmware versions New hardware and software may require a new firmware version to be functional or to take advantage of new features Need to know what versions are compatible This information is usually controlled by the vendor but it is still important to understand this and document it How do you document what firmware works with what hardware or software?

PAGE 8 Configuration Management for Digital Upgrades Communication Parameters 1.Plant Data Network IP Addresses Switch, Firewall, and Router Configurations Cyber Security How do you document these parameters? 2. Communications between systems Safety to Non-Safety Systems Control Systems to other control systems Isolated networks Connection to the LAN

PAGE 9 Configuration Management for Digital Upgrades Software 1.PLC or Embedded Software Usually one file – Tricon =.pt2 file, AB =.acd file Simple to program – IEC compliant – Function Blocks, Ladders, Structured Text, etc. Most have version control and security built in Configuration software has defensive measures built in Compilers have error checking Self Documenting Easier to specify requirements and test, the algorithm is usually well defined

PAGE 10 Configuration Management for Digital Upgrades Software (cont) 1.HMI or Display Software Much harder to V&V and track changes Limited error checking or defensive measures to prevent you from doing something that will not work Hundreds of files are generated Different scripts can be used for every window/object Very hard to document the configuration due to the number of attributes and variables Requirements are hard to define Hard to test for negative requirements Licensing of the software and tracking where each license is installed can be hard How do you manage this?

PAGE 11 Configuration Management for Digital Upgrades Software Lifecycle Phases 1.Design Phase – Conceptual Design and Specification Development 2.Implementation Phase – Software Development and V&V Activities 3.Maintenance Phase – Operation and Maintenance

PAGE 12 Configuration Management for Digital Upgrades Software Lifecyle

PAGE 13 Configuration Management for Digital Upgrades IEEE Documents Used as Reference IEEE 1059 ‑ 1993: Guide for Software Verification and Validation Plans. IEEE 1012 ‑ 1998: Standard for Software Verification and Validation. IEEE 730 ‑ 1998: Standard for Software Quality Assurance Plans. IEEE 830 ‑ 1998: Recommended Practice for Software Requirements Specifications. IEEE 1233 ‑ 1998: Guide for Developing System Requirements Specifications. IEEE 1016 ‑ 1987: Recommended Practice for Software Design Descriptions. IEEE ‑ 1993: Guide to Software Design Descriptions.

PAGE 14 Configuration Management for Digital Upgrades Software Integrity Levels 1.IEEE “Software integrity levels are a range of values that represent software complexity, criticality, risk, safety level, security level, desired performance, reliability, or other project-unique characteristics that define the importance of the software to the user and acquirer.” 2.High-integrity software requires a larger set of V&V processes and a more rigorous application of V&V tasks.

PAGE 15 Configuration Management for Digital Upgrades Software Integrity Levels (IEEE ) SIL 4 – Software element must execute correctly or grave consequences (loss of life, loss of system, economic or social loss) will occur. No mitigation is possible. SIL 3 – Software element must execute correctly or the intended use (mission) of the system software will not be realized, causing serious consequences (permanent injury, major system degradation, economic or social impact). Partial to complete mitigation is possible. SIL 2 – Software element must execute correctly or an intended function will not be realized, causing minor consequences. Complete mitigation possible. SIL 1 – Software element must execute correctly or intended function will not be realized, causing negligible consequences. Mitigation not required.

PAGE 16 Configuration Management for Digital Upgrades Software O&M 1.CF2.ID2 – Configuration Management for Computers and Software Used for Plant Operations and Operations Support 2.This procedure provides guidance for developing the SQA Plan for a system. 3.IEEE Std 828 ‑ 1998, IEEE Standard for Software Configuration Management Plans

PAGE 17 Configuration Management for Digital Upgrades Software O&M 1.The SQA Plan for a system Describes if this is vendor supplied software or in-house developed software and how it will be controlled Contains Disaster Recovery Instructions How to make/document a software change Media Control (Source Safe, Location of backup disks, etc.) What modifications require a design change What approvals are needed to make a change An O&M software change will go through a similar process to the software development stage for V&V activities

PAGE 18 Configuration Management for Digital Upgrades Summary 1.Digital requires a much more rigorous CM program 2.Take advantage of the IEEE documents as guidance 3.Start with non-safety systems to develop the processes used to track CM 4.Develop and refine the process early establish a consistent process 5.A good CM process will minimize issues with digital equipment

PAGE 19 Configuration Management for Digital Upgrades Questions? Scott Patterson Pacific Gas & Electric Co. Diablo Canyon Power Plant Program Manager for I&C Obsolescence Project Manager, Supervisor