UNICOS-like system for interlocks
II Workshop on PLC-based interlocks systems, ITER, Dec 2014
Jeronimo ORTOLA VIDAL, CERN Engineering Department, Industrial Controls Group

Industrial Controls Engineering Department

Outline
- Current solutions: WIC, PIC, DSS
- Under study: UNICOS protection systems, UNICOS safety systems

2 December, 2014 J. Ortola (CERN, EN/ICE)

WIC, PIC
- Warm magnet power converters interlock system
- Power electrical circuits interlock system
- Based on simple Boolean conditions (matrix)
- Safety and standard version for WIC. Standard fast PLC for PIC.
- UNICOS TSPP in the communication with SCADA. UNICOS in SCADA.
- Same generic code applied to all the WIC and PIC protection systems
- Configuration of the interlock conditions by configuration files produced externally

DSS overview
[Diagram labels: DSS, “Detector”, Alarm-Action Matrix]
Cycle, repeated at ~1 Hz:
- Read the Sensors
- Evaluate the Alarm Conditions
- Set the Actuators

[Diagram: Front-End and Back-End]
- Front-End (Redundant Siemens PLC): Read the Sensors, Evaluate the Alarm Conditions, Set the Actuators on the Detector. The Front-End deals with Safety.
- Back-End (WinCC OA SCADA system): Configure, Monitor, S7 Driver, Operator Display, Configuration Interface. The Back-End deals with User Interaction.

Software: the data-driven approach
How does the “data-driven” approach work
- The details of the Sensors, Alarms and Actuators will not be “hardcoded” in the software.
- These details, which describe the peculiarities of each system protected by the DSS, will instead be confined into “data structures”.
- The DSS software will interpret the data contained in the above-mentioned structures.
Benefits
- The software will then be identical for every DSS.
- This approach automatically eliminates the risk of introducing software bugs when the User adds new items.

[Diagram: DSS data structures and evaluation steps]
Tables shown: Digital sensors, Analogue sensors, “Compare” blocks, Sub-conditions, Alarm conditions, Alarm-Action links, Actuators. Entries are referenced by UCI (values shown: 1, 2, 3, 8193, 8194, 16421; UCI = 0 means empty).
Example rules:
- If “A”=TRUE or “B”=TRUE or “C”=TOO_HIGH or “D”=TOO_LOW then ALARM “E”
- If ALARM “E” then ACTION “F” (after 2 secs.)
Entries shown for the example: digital sensors A = true, B = true; “Compare” blocks C = high, D = high, C = low, D = low; alarm condition “E” with N = 1 (OR); Alarm-Action link with delay = 2.
Steps:
- Step 1: read digital sensors
- Step 2: read analogue sensors and compare with thresholds
- Step 5: evaluate Alarm Conditions
- Step 6: look at Alarm-Action links
- Step 7: set Actuator values (execute Actions)

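The scan cycle and the two example rules above, as a small data-driven interpreter. This is an added example, not the DSS Front-End code: the table layout, the names `c_raw`/`d_raw`, the thresholds, reading N as "at least N inputs true", counting the delay in scan cycles and not latching the alarm are all assumptions.

```python
# Added illustration: table layout and all names are assumptions, not the DSS data blocks.
from collections import namedtuple

Compare = namedtuple("Compare", "sensor kind threshold")  # analogue "Compare" block
Link = namedtuple("Link", "alarm action delay")           # delay in scan cycles (~1 Hz)

# Constructed configuration for the slide's rules: alarm "E" and action "F".
COMPARES = {"C": Compare("c_raw", "TOO_HIGH", 80.0),
            "D": Compare("d_raw", "TOO_LOW", 5.0)}
ALARMS = {"E": {"inputs": ["A", "B", "C", "D"], "n": 1}}  # n = 1 means OR
LINKS = [Link("E", "F", 2)]

class Engine:
    """Generic interpreter: only the tables differ between installations."""

    def __init__(self, compares, alarms, links):
        self.compares, self.alarms, self.links = compares, alarms, links
        self.active_for = {name: 0 for name in alarms}  # consecutive true cycles

    def scan(self, digital, analogue):
        # Steps 1-2: read digital sensors, compare analogue values with thresholds.
        bits = dict(digital)
        for name, c in self.compares.items():
            value = analogue[c.sensor]
            bits[name] = (value > c.threshold if c.kind == "TOO_HIGH"
                          else value < c.threshold)
        # Step 5: an alarm is true when at least n of its inputs are true.
        for name, cond in self.alarms.items():
            hits = sum(bool(bits[i]) for i in cond["inputs"])
            self.active_for[name] = self.active_for[name] + 1 if hits >= cond["n"] else 0
        # Steps 6-7: follow the links; an action fires once its delay has elapsed.
        return {l.action: self.active_for[l.alarm] > l.delay for l in self.links}

def run(readings):
    """Replay (digital, analogue) readings, one per cycle; return action F per cycle."""
    engine = Engine(COMPARES, ALARMS, LINKS)
    return [engine.scan(d, a)["F"] for d, a in readings]

NORMAL = ({"A": False, "B": False}, {"c_raw": 20.0, "d_raw": 10.0})  # constructed
HOT = ({"A": False, "B": False}, {"c_raw": 95.0, "d_raw": 10.0})     # C is TOO_HIGH

if __name__ == "__main__":
    print(run([NORMAL, HOT, HOT, HOT, HOT]))
```

Adding a sensor or an action changes only the three tables; `Engine` stays untouched, which is the property the data-driven slide claims.
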
[Diagram: User Interaction part]
Labels: WinCCOA DATABASE (DATAPOINTS), DSS, EVENT MANAGER, ARCHIVE MANAGER, MANAGER, LOG MANAGERS, ORACLE DATABASE, SMS/, WinCCOA ARCHIVE, PLC DATABLOCKS, Front-End PLC, S7 Driver, MONITOR PANELS, CONFIGURE PANELS
Data flows: Parameter changes (from User); Status changes (Front-End “events”)

Many consistency checks are needed when defining an Alarm Condition
- Check that, depending on the sensor values, the condition can actually be TRUE or FALSE
  - ex. (A too_high and A too_low) is bad
  - ex. (B true or B false) is bad
- Check against the same sensors being reused in a redundant way
  - ex. (B true or B true): maybe the User has made a mistake

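One way to implement these checks before a condition is accepted, as an added example that is not the DSS configuration code. It assumes a condition is a single AND or OR over (sensor, state) terms, that a digital sensor is in exactly one of two states and an analogue sensor in exactly one of three; the function name and finding strings are hypothetical.

```python
from itertools import product

# Assumption: each sensor is in exactly one of these states at any time.
STATES = {"digital": ("true", "false"),
          "analogue": ("too_low", "normal", "too_high")}

def check_condition(op, terms, kinds):
    """op: "AND" or "OR"; terms: list of (sensor, state);
    kinds: sensor name -> "digital" or "analogue".
    Returns a sorted list of findings; an empty list means the condition passed."""
    findings = set()
    for sensor, state in terms:
        if state not in STATES[kinds[sensor]]:
            findings.add(f"invalid state {state} for {sensor}")
    if findings:
        return sorted(findings)
    # Redundancy: the same (sensor, state) term used more than once.
    for sensor, state in set(terms):
        if terms.count((sensor, state)) > 1:
            findings.add(f"redundant term {sensor} {state}")
    # Reachability: enumerate every combination of sensor states, record outcomes.
    sensors = sorted({s for s, _ in terms})
    combine = all if op == "AND" else any
    outcomes = set()
    for combo in product(*(STATES[kinds[s]] for s in sensors)):
        actual = dict(zip(sensors, combo))
        outcomes.add(combine(actual[s] == st for s, st in terms))
    if True not in outcomes:
        findings.add("can never be TRUE")
    if False not in outcomes:
        findings.add("can never be FALSE")
    return sorted(findings)

KINDS = {"A": "analogue", "B": "digital"}  # constructed sensor list

if __name__ == "__main__":
    print(check_condition("AND", [("A", "too_high"), ("A", "too_low")], KINDS))
    print(check_condition("OR", [("B", "true"), ("B", "false")], KINDS))
    print(check_condition("OR", [("B", "true"), ("B", "true")], KINDS))
```
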
Data server:
- gateway to the Back-End
- redundant in the Front-End communication using the native WinCCOA S7 driver
Redundancy: up to the level of I/O interfaces
- backup in case of a power supply, CPU or Profibus failure
- optical link between CPU modules
- step-by-step comparison inside the processing of the PLC cycle
Front-End: Siemens S7-400 station
- programmed through the Siemens STEP7 development environment
- implementation and processing of the DSS Front-End Software
- monitors itself
CPU crate:
- redundant PS
- CPU 414-4H
- Ethernet adapter (CP 443-1)
Back End: WinCCOA
- user interface for display & logging
- modification of the Alarm/Action-Matrix
[Diagram labels: Profibus, Opt. Link, DSS COM, Data Server, WinCC OA, CERN LAN]

Reliability
- I/O modules are not redundant, but sensors can be connected redundantly by doubling (tripling) their number.
Single Incident Robustness:
- Power supplies are redundant.
- Optical fiber break leads to stop of CPU slave.
- CPU crates are redundant.
- PROFIbus is redundant.
- Communication modules are redundant.
- Power is backed up by UPS. UPS failure will bypass current from main lines.

Experiment’s Configuration
- CPUs are comfortably separated to minimize danger of accidental damage.
- I/O crates act as cable concentrators near sensors/actuators.
- Connection of both CPUs to NTP. Synchronization is better than 20 ms.
- Redundant cables running through two cable paths. Spares for all cables are foreseen.
- Back-End situated in the control room.
[Diagram labels: Surface, Cavern, Shaft, Control Room, Front-end, Back-end, Optical Link, PROFIbus, DSS COM, NTP Server, CERN LAN]

Experiment’s Configuration
- Functionality grouped into “Detector Safety Units” (DSUs).
- All DSUs are alike.
- Each DSU is responsible for a distinct geographic area.
- 2-4 DSUs typical, a maximum of 16 DSUs possible per experiment.
[Diagram labels: Cavern, Surface, Shaft, Control Room, Front-end, Back-end, Optical Link, PROFIbus, DSS COM, CERN LAN]

DSU Layout
- Patch Panel Terminals to connect sensors / actuators (max. 352 digital channels OR 120 analog channels; optimum is 224 digital PLUS 64 analog channels)
- Table / Drawer
- Control Room Panel, Gyro & Siren (not part of a DSU)
- External Crate with dedicated Monitoring Module
- 2nd External Crate possible
- Ethernet Switch for DSS COM (in DSUs with CPU crate)
- CPU crate (in two DSUs)
- Redundant 24V Power Supplies & Distribution Modules
- Front-End Display Gateway PC (in one DSU)
- Uninterruptible Power Supply (UPS)
- 52 units standard
All parts are compliant with CERN’s technical and safety requirements (by TIS).

The five installed DSSs: some figures
Columns: ALICE, ATLAS, CMS, CMSX, LHCb
Rows: DSUs, Analog Sensors, Digital Sensors, Alarm Conditions, Alarm->Action links, Actions
Alarm->Action links: ~220, ~2000, ~770, ~1850, ~1150

DSS highlights
- Five DSS systems, each running the same identical software
Additional features
- ORACLE logging of all events and configuration modifications
- Monitoring the status of the PLC system itself
- Preventing configuration modifications if the communication is not working
- Sophisticated WinCCOA-based User Interface

DSS highlights
The data-driven approach has led to
- Simplicity and stability in the Critical part
- Very well established interface between control and supervision.
- Reduced software development and maintenance
- Independence from the data details. There is nothing “CERN-specific”. The system can be reused “as it is” in other environments.

Future: UNICOS-CPC protection system
- Automated generation of interlock matrix code with UAB.
- UNICOS-CPC objects (No safety functions).
- Functions to evaluate the matrix
  - Digital: MooN
  - Analog: HH, LL, equal, max, min
- Digital and Analog actuators
- Online reconfiguration of matrix from SCADA
- Fast interlocks (Interruption Inputs)

Future: UNICOS-CPC safety systems
- UNICOS-CPC for the non-safety protection
- Manual development of safety functions linked to CPC objects.