Instrumentation & Controls

Digital technology spawns need for configuration management

The human nervous system is one of the most complex systems in the human body. Though the nerves and brain are small in comparison with the mass of bones and muscles, without the work performed by the nervous system, nothing functions. The same goes for modern plant distributed control systems (DCSs) and other digital systems. Their importance and complexity are often overshadowed by the heavy metal: the boiler, turbine generator, pumps, heat exchangers, cooling towers, and other primary plant components. But if things are askew in the nervous system, the whole body or plant suffers.

Complex family tree. A well-designed relational database of important data tables is the first step in developing a comprehensive configuration management system. Courtesy: Hurst Technologies

The question facing plant operators is this: How do you know that everything is functioning correctly? After start-up, a new power station quickly begins to look less and less like its original design. Modifications are made, but documentation of those changes is rarely organized and accurate. This is as true for the heavy metal as it is for the control and automation system. Control system engineers call these documentation packages configuration management (CM), although CM is a subset of the larger field of change management.

For regulatory and safety reasons, CM is absolutely essential at nuclear power stations and is governed by an elaborate array of industry committees, regulatory bodies, and benchmarking activities. Continued use of legacy control systems and the loss of plant expertise are two factors making CM a challenge at nuclear plants today.

At fossil-fueled plants, CM may not yet be regulated, but it is no less important. New fossil-fueled plants typically have a DCS, and many older units have been retrofitted with one. The problem is that for plants commissioned a generation ago, it’s not unusual for as-built drawings to not exist or to exist only in the memory of a few senior staff members. However, most plants also have silos of data and information residing in home-grown spreadsheets or databases maintained by different staff members. Somewhere, the “current” configuration of the plant must reside apart from the DCS—if for no other reason than if a central processor is lost, the current configuration can be reloaded.

Manual approach is futile

The modern DCS contains hundreds of thousands of process input data points, internal points (conversions, calculations, setpoints, and the like), and output data points. Each of these points, in turn, is defined by 20 to 120-plus specific configuration selections and settings. To attempt to manage such a complex set of data manually is futile. An automated method of managing the true configuration of large digital-based systems is essential. It should include managing the initial design implementation as well as long-term system operation and changes over a plant’s life.

Fortunately, the nature of digital technology provides many options for developing and implementing automated tools.

The CM process needs to start in unison with the overall design and design control activities to ensure that functional design requirements are implemented correctly. This is typically a function of a system’s input/output (I/O) list. But the I/O list is just the tip of the iceberg. For each of the true system inputs and final control outputs, an extensive array of settings that number in the tens of thousands must be defined to properly characterize the physical state, the logic, and the performance of each point—both as anticipated and under abnormal conditions. In between the actual inputs and outputs, the verification, manipulation, display, storage, and interfacing of each point must be defined in detail.

The relational complexity of points within a typical DCS is shown in the figure. The key is to have an appropriately defined systems database and tools available to manage the complexity. For example, digital systems should include the ability to be self-documenting, producing many of the functional and physical design documents typically handled manually in the past. Such documents may include system control logics, physical wiring documents, and equipment layout drawings.

One of the most important attributes of a CM system is its ability to validate the installed configuration of the software. Once a DCS is installed and functioning, it undergoes continuous changes in configuration, such as operator setpoint adjustments, calibration changes, temporary functional changes (for example the blocking of an alarm during maintenance), historical data recording period changes, operator display changes, and many others. Though each of these changes is typically simple and seemingly inconsequential, over time they can cause the control system to behave unpredictably. This is especially true if the changes are not implemented under a controlled change process and if a convenient method of validating the correct settings does not exist. The simple act of failing to unblock a blocked alarm can cause significant operational or safety problems.

Configuration settings basically fall into one of three categories:

  • Engineered data
  • Configuration data
  • Operator-controlled data

Each type of data requires different configuration control.

Engineered data control the primary functional requirements for a system. They typically include the primary system I/O, control system logic, and communication settings. Changes to this set of data generally constitute a system design change and should be performed through a controlled plant design change process.

Configuration data define how the primary functional requirements are implemented. This category includes system calibration and controls tuning settings. Though these settings also need to be controlled through a defined change control process, they are typically controlled by the system technicians and/or system administrator.

Operator-controlled data include the numerous system control variables that require adjustment over the multiple phases of a plant’s operation. These settings are generally controlled through plant operating procedures within defined allowable ranges.

DCS CM tools lacking

As digital control systems appear in nuclear power plants, the need for comprehensive CM becomes paramount. Many DCS suppliers provide tools for developing and initially testing of systems, but those tools usually lack the comprehensive documentation capabilities needed. For example, at one plant, the vendor-supplied CM tool lacked a good way to validate processor configurations after they were installed. It also lacked the ability to capture field wiring termination information (see sidebar, below). These inadequacies had to be addressed through supplemental software tools and procedures.

The design control and final CM programs must include the ability to manage not only the primary control logics but also the specific settings. The tools must be commensurate with typical design control processes, including change tracking, review and approval processes, and required system verification and validation functions.

The CM program should include a regular validation of digital system configurations and settings to ensure proper operation. Not having such a program is tantamount to not having a preventive maintenance program for physical systems. The importance of the proper configuration of a plant’s DCSs cannot be understated nor ignored. Without a proper CM program, both a plant’s reliability and safety are being compromised.

Validating the current configuration at a nuclear plant

One nuclear plant needed a process to validate that the configuration running on the control processors matched that of the intended design—no easy task, because the DCS parameter settings can run into the tens of thousands. The goals of the CM application in this case became the following:

  • Fulfill the basic requirement of comparing the current configuration to an approved off-line design and present the discrepancies in a clear and concise format.
  • Provide flexibility to track configuration changes without altering the plant’s engineering change process.
  • Cover the gaps in the DCS vendor’s software, mainly in the areas of documenting the hardware and field wiring terminations.
  • Provide a mechanism for introducing new points and configurations into the DCS.
  • Wrap all of this functionality into an easy-to-use interface.

The first step was to select a database platform. It was expected that only one or two engineers would be actively using the database. Given budget and schedule constraints, Microsoft Access combined with Visual Basic won out over MySQL and Sequel Server because plant personnel would be most familiar with the former and setup time would be less. Access also does not require a dedicated server.

One challenge that had to be overcome was developing an extraction tool that would convert the DCS vendor’s proprietary information into a readable format.

The next step was to organize the data, segregating it into configuration information that is hardware independent and design information that is hardware dependent. (Hardware can advance rapidly while the design essentially remains the same.) In a subsequent layer of organization, the database fields were further classified as engineered, exempt, or reference information.

Each field was then controlled and secured relative to its importance, with engineered data at the top of the list. Fields classified as exempt include point classification, internal database revision numbers, and system codes. Reference information includes such data as drawing numbers, safety class, and sequence of events designation. Once this data is properly placed within the relational database tables, information can be presented in a clear, organized manner by using queries and forms.

To develop the tag or points list, the process engineer first adequately defines the desired inputs and outputs. This basic engineering information is then entered into the design database. Subsequently, a tag list is generated, which only contains the relevant engineering information needed by the software engineer. Fully defined block parameters received from the vendor are imported into the relational database, where they become part of the baseline (or off-line design) once new points are brought on-line in the field.

Validating the current on-line configuration is possible by using various software tools to report discrepancies in the parameter block settings as well as any new or missing configuration blocks. New block reporting also captures and verifies that new points were successfully migrated from the accepted off-line design into the control processors. Such verification supplements the plant’s engineering change process and provides complete confidence in the updated on-line configuration. Hardware integrity checks for the control processors, fieldbus modules, and termination assemblies are also built into the database.

Putting guards in place prevents improper changes from being implemented. “Improper” in this case means that they have not undergone required “doer, reviewer, approver” checks. The engineering modification coordinator has final control over implementing any change modification. Once the modification is validated with the Compare tool, the change is propagated throughout the database and archived for record-keeping purposes. Numerous reports can be generated, viewed, or printed. Examples include field wiring termination reports (by cable or termination assembly), block configuration parameters (vendor parameter settings), configuration validation exceptions (comparison), design block information (I/O list), and DCS plant modification report summary.

.

New regs coming to fossil-fueled plants

Looming requirements make CM just as important for fossil-fueled plants. Reliability standards are being imposed by the North American Electric Reliability Corp. (NERC), the reliability “cop on the beat” appointed by the Federal Energy Regulatory Commission. Some aspects of plant control and automation are likely to fall under these requirements, especially those involving how the plant interfaces with the grid.

NERC’s cyber-security standards (see “Time to get serious about security” in POWER, April 2008) may also come into play. Plants may have to prove that their grid interface controls are configured as designed in the event of a grid disturbance that requires investigation and analysis. Doing so could require an auditable trail.

In addition to helping owner/operators comply with these standards, a CM can be essential to corporate business processes, internal IT standards, Sarbanes-Oxley issues, and disaster-recovery programs.

Perhaps the best way to sum it all up is this: Make sure your plant’s nervous system is being governed by a CM system to keep you from being a nervous wreck about the possible consequences of not having one.

—Contributing Editor Timothy E. Hurst, PE ([email protected]) is president of Hurst Technologies (www.hcinc.com), a consulting engineering firm specializing in instrumentation and control systems for nuclear and fossil-fueled power stations.

SHARE this article