The human nervous system is one of the most complex systems in the human body. Though the nerves and brain are small in comparison with the mass of bones and muscles, without the work performed by the nervous system, nothing functions. The same goes for modern plant distributed control systems (DCSs) and other digital systems. Their importance and complexity are often overshadowed by the heavy metal: the boiler, turbine generator, pumps, heat exchangers, cooling towers, and other primary plant components. But if things are askew in the nervous system, the whole body or plant suffers.
Complex family tree. A well-designed relational database of important data tables is the first step in developing a comprehensive configuration management system. Courtesy: Hurst Technologies
The question facing plant operators is this: How do you know that everything is functioning correctly? After start-up, a new power station quickly begins to look less and less like its original design. Modifications are made, but documentation of those changes is rarely organized and accurate. This is as true for the heavy metal as it is for the control and automation system. Control system engineers call these documentation packages configuration management (CM), although CM is a subset of the larger field of change management.
For regulatory and safety reasons, CM is absolutely essential at nuclear power stations and is governed by an elaborate array of industry committees, regulatory bodies, and benchmarking activities. Continued use of legacy control systems and the loss of plant expertise are two factors making CM a challenge at nuclear plants today.
At fossil-fueled plants, CM may not yet be regulated, but it is no less important. New fossil-fueled plants typically have a DCS, and many older units have been retrofitted with one. The problem is that for plants commissioned a generation ago, it’s not unusual for as-built drawings to not exist or to exist only in the memory of a few senior staff members. However, most plants also have silos of data and information residing in home-grown spreadsheets or databases maintained by different staff members. Somewhere, the “current” configuration of the plant must reside apart from the DCS—if for no other reason than if a central processor is lost, the current configuration can be reloaded.
Manual approach is futile
The modern DCS contains hundreds of thousands of process input data points, internal points (conversions, calculations, setpoints, and the like), and output data points. Each of these points, in turn, is defined by 20 to 120-plus specific configuration selections and settings. To attempt to manage such a complex set of data manually is futile. An automated method of managing the true configuration of large digital-based systems is essential. It should include managing the initial design implementation as well as long-term system operation and changes over a plant’s life.
Fortunately, the nature of digital technology provides many options for developing and implementing automated tools.
The CM process needs to start in unison with the overall design and design control activities to ensure that functional design requirements are implemented correctly. This is typically a function of a system’s input/output (I/O) list. But the I/O list is just the tip of the iceberg. For each of the true system inputs and final control outputs, an extensive array of settings that number in the tens of thousands must be defined to properly characterize the physical state, the logic, and the performance of each point—both as anticipated and under abnormal conditions. In between the actual inputs and outputs, the verification, manipulation, display, storage, and interfacing of each point must be defined in detail.
The relational complexity of points within a typical DCS is shown in the figure. The key is to have an appropriately defined systems database and tools available to manage the complexity. For example, digital systems should include the ability to be self-documenting, producing many of the functional and physical design documents typically handled manually in the past. Such documents may include system control logics, physical wiring documents, and equipment layout drawings.
One of the most important attributes of a CM system is its ability to validate the installed configuration of the software. Once a DCS is installed and functioning, it undergoes continuous changes in configuration, such as operator setpoint adjustments, calibration changes, temporary functional changes (for example the blocking of an alarm during maintenance), historical data recording period changes, operator display changes, and many others. Though each of these changes is typically simple and seemingly inconsequential, over time they can cause the control system to behave unpredictably. This is especially true if the changes are not implemented under a controlled change process and if a convenient method of validating the correct settings does not exist. The simple act of failing to unblock a blocked alarm can cause significant operational or safety problems.
Configuration settings basically fall into one of three categories:
- Engineered data
- Configuration data
- Operator-controlled data
Each type of data requires different configuration control.
Engineered data control the primary functional requirements for a system. They typically include the primary system I/O, control system logic, and communication settings. Changes to this set of data generally constitute a system design change and should be performed through a controlled plant design change process.
Configuration data define how the primary functional requirements are implemented. This category includes system calibration and controls tuning settings. Though these settings also need to be controlled through a defined change control process, they are typically controlled by the system technicians and/or system administrator.
Operator-controlled data include the numerous system control variables that require adjustment over the multiple phases of a plant’s operation. These settings are generally controlled through plant operating procedures within defined allowable ranges.
DCS CM tools lacking
As digital control systems appear in nuclear power plants, the need for comprehensive CM becomes paramount. Many DCS suppliers provide tools for developing and initially testing of systems, but those tools usually lack the comprehensive documentation capabilities needed. For example, at one plant, the vendor-supplied CM tool lacked a good way to validate processor configurations after they were installed. It also lacked the ability to capture field wiring termination information (see sidebar, below). These inadequacies had to be addressed through supplemental software tools and procedures.
The design control and final CM programs must include the ability to manage not only the primary control logics but also the specific settings. The tools must be commensurate with typical design control processes, including change tracking, review and approval processes, and required system verification and validation functions.
The CM program should include a regular validation of digital system configurations and settings to ensure proper operation. Not having such a program is tantamount to not having a preventive maintenance program for physical systems. The importance of the proper configuration of a plant’s DCSs cannot be understated nor ignored. Without a proper CM program, both a plant’s reliability and safety are being compromised.
New regs coming to fossil-fueled plants
Looming requirements make CM just as important for fossil-fueled plants. Reliability standards are being imposed by the North American Electric Reliability Corp. (NERC), the reliability “cop on the beat” appointed by the Federal Energy Regulatory Commission. Some aspects of plant control and automation are likely to fall under these requirements, especially those involving how the plant interfaces with the grid.
NERC’s cyber-security standards (see “Time to get serious about security” in POWER, April 2008) may also come into play. Plants may have to prove that their grid interface controls are configured as designed in the event of a grid disturbance that requires investigation and analysis. Doing so could require an auditable trail.
In addition to helping owner/operators comply with these standards, a CM can be essential to corporate business processes, internal IT standards, Sarbanes-Oxley issues, and disaster-recovery programs.
Perhaps the best way to sum it all up is this: Make sure your plant’s nervous system is being governed by a CM system to keep you from being a nervous wreck about the possible consequences of not having one.
—Contributing Editor Timothy E. Hurst, PE (firstname.lastname@example.org) is president of Hurst Technologies (www.hcinc.com), a consulting engineering firm specializing in instrumentation and control systems for nuclear and fossil-fueled power stations.