ITER CODAC Plant Control Design Handbook October 2008 Anders Wallander & Luigi Scibile CHD Department
PCDH Objectives
The Plant Control Design Handbook (PCDH) defines standards, specifications and interfaces applicable to ITER Plant Systems Instrumentation & Control (I&C).
I&C standards are essential for ITER to:
- Integrate all Plant Systems into one integrated control system
- Maintain all Plant Systems after delivery acceptance
- Contain cost by economy of scale (spare parts, expertise)
The PCDH is applicable to all Procurement Arrangements.
The ITER International Organization (IO) will develop, support, maintain and enforce these standards.
History and Future of PCDH
- The development of PCDH started from the conceptual design
- The process of reaching consensus within an intercontinental group takes time
- The purpose of the official release IDM v.3 in July was to communicate current thinking, not to provide a contractual document; therefore the current version is conceptual
- We have inserted “hold-points” in the first PA (Procurement Arrangement); the first ones elapse in April 2009 (hard deadline)
- Next release of PCDH, IDM v.4, before April 2009
- PCDH is a living document and will be released throughout the lifetime of ITER
- The list of standards and specifications will be extended and will evolve
- PCDH shall address obsolescence management
Three tiers, two layers I&C structure
Segregation of ITER I&C into 3 tiers and 2 layers:
- Conventional Control: control and monitoring for all ITER Plant Systems (PS)
- Interlock: protects the investment; independent network and I&C
- Safety: protects personnel and environment; two-train systems
Plant Operation Zone (POZ): communication, command and control boundary for the Tokamak plant
What are the Plant Systems?
- Defined by the Product Breakdown Structure (PBS)
- A CODAC Plant System has one and only one Plant System Host
[Diagram: the Plant Systems, procured in kind (PBS XX), connect through a control interface, an interlock interface and a safety interface to the in-fund central Control, Interlock and Safety systems (PBS 45, 46, 48).]
Plant System Instrumentation & Control
Plant System Host (PSH), PCDH chapter 5.4.1
- Provided by IO with standard software
- Provides the single point of entry for asynchronous communication
- Supports a set of standard field buses to Local Controllers
- Data driven (Plant System customization is done by self-description)
- May come on different platforms to address scalability
Mini CODAC, PCDH chapter 2.8.9
- Provided by IO with standard software
- Tool to verify functionality and interface at factory and on site (FAT, SAT)
- Provides SCADA functionality including HMI
- Can be used as a platform for developing higher-level Plant System functionalities later integrated in proper CODAC
Local Controllers and Field Buses, PCDH chapters 5.4.2-5.4.5
- Selected from the catalogue of standard components
- Can be “slow” control (PLC) or “fast” control (embedded)
High Performance Network interface, PCDH chapter 4.3
- Selected from the catalogue of standard components
- High Performance Networks (HPN) are: SDN (Synchronous Databus Network), TCN (Time Communication Network), EDN (Event Distribution Network), AVN (Audio/Video Network)
- Not all Plant Systems require HPN
- Interface boards/drivers provided for selected platforms
Actuators, sensors, signal conditioning, PCDH chapter 5.4.7
- Selected by the Plant System Developer
- PCDH will provide recommendations
Cubicles, PCDH chapter 5.4.8
- Selected from the catalogue of standard components: racks, chassis, power supply, cooling, terminal strips, …
I&C Bridge, PCDH chapter 4.3.4
- Provided by IO
- Patch panel connecting to the ITER infrastructure (mainly fiber optics)
- Wall mounted or in a “CODAC hutch” close to the I&C cubicles
- Specifies cables and connectors
- The Plant System developer provides the cables from cubicle to I&C bridge
Cabling, PCDH chapter 5.4.9 and Electrical Design Handbook
- Rules and recommendations for: cables and connectors, internal and external naming & labeling, grounding & earthing, electrical isolation, cable distances, EMC, radiation
Software environment and development process, PCDH chapter 5.5
- Specified by IO: operating systems on the different platforms (PSH, PLC, embedded), communication middleware, open source SCADA/software framework, format and schemas for self-description data, programming languages on the different platforms, programming standards, methodology, naming rules, design and development tools, testing tools, configuration control
Interlock Systems
Main system requirements:
- Highest level interlock functions shall be designed to a high integrity level, conforming to Safety Integrity Level (SIL) 3 according to the standard IEC 61508
- The Central Interlock System shall acquire the critical digital signals from the Plant Interlock Systems and deliver outputs to Plant Systems (either via the corresponding Plant Interlock Systems or via direct interlocks) on the basis of boolean logic on the full set of inputs and on the latched outputs
- The Central Interlock Systems are classified as non-SIC
- The interlock protective actions shall be graded at three levels: Level 1 interlock events (Fast shutdown), Level 2 interlock events (Fast Controlled Pulse Shutdown), Level 3 interlock events (Inhibit)
Covered by PCDH
Interlock Systems
Equipment required (PCDH chapter 6):
- Highly reliable and available PLC systems (SIL3)
- Some hardwired systems (2oo3 redundancy)
- Various types of transducers and actuators
- Various types of networks: TCP/IP, field buses, monitored hardwired links
- Supervisory systems
- Short-term data storage
- Operator synoptic via CODAC + Gateway
Covered by PCDH
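The two interlock slides above describe the Central Interlock System as boolean logic over the full set of inputs and the latched outputs, with some hardwired channels voted 2oo3. The Python below is an added illustration of that pattern, not ITER or PCDH code: the signal names, their mapping to the three graded levels, the de-energize-to-trip polarity (a lost or invalid channel reading counts as a trip demand) and the rule that a latched output cannot be reset while its demand persists are all assumptions made for the example.

```python
"""Model of a 2oo3-voted, latched central interlock (added illustration, not PCDH code).

Assumptions (not from the handbook):
- de-energize-to-trip polarity: a channel reads True while healthy; False, or
  None for a lost/invalid reading, is a trip demand, so a cut cable fails safe;
- each output is latched: once raised it stays raised until an explicit reset,
  and the reset is refused while the demand is still present;
- the signal names and their mapping to the three graded levels are invented.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, Optional, Sequence


class Level(IntEnum):
    FAST_SHUTDOWN = 1                   # Level 1 interlock event
    FAST_CONTROLLED_PULSE_SHUTDOWN = 2  # Level 2 interlock event
    INHIBIT = 3                         # Level 3 interlock event


Channels = Sequence[Optional[bool]]


def vote_2oo3(channels: Channels) -> bool:
    """True when at least two of three channels demand a trip.

    A single faulty channel is tolerated in both directions: one spurious
    demand does not trip, and one stuck-healthy channel cannot mask a trip.
    """
    if len(channels) != 3:
        raise ValueError("2oo3 voter needs exactly three channels")
    demands = sum(1 for c in channels if c is not True)  # None counts as a demand
    return demands >= 2


@dataclass
class CentralInterlock:
    signal_levels: Dict[str, Level]  # which graded level each voted signal raises
    latched: Dict[Level, bool] = field(default_factory=lambda: {lv: False for lv in Level})
    demands: Dict[Level, bool] = field(default_factory=lambda: {lv: False for lv in Level})

    def evaluate(self, readings: Dict[str, Channels]) -> Dict[Level, bool]:
        """One scan: vote every signal, then OR the demands into the latched outputs."""
        self.demands = {lv: False for lv in Level}
        for name, level in self.signal_levels.items():
            # a signal absent from the scan is treated as three lost channels
            if vote_2oo3(readings.get(name, (None, None, None))):
                self.demands[level] = True
        for lv in Level:
            self.latched[lv] = self.latched[lv] or self.demands[lv]
        return dict(self.latched)

    def reset(self, level: Level) -> bool:
        """Operator reset of one latched output; refused while its demand persists."""
        if self.demands[level]:
            return False
        self.latched[level] = False
        return True


def run_scenario() -> Dict[str, bool]:
    """Walk one interlock through fault, trip, recovery and reset (constructed data)."""
    cis = CentralInterlock({
        "coil_current_ok": Level.FAST_SHUTDOWN,
        "vacuum_ok": Level.FAST_CONTROLLED_PULSE_SHUTDOWN,
        "cooling_ready": Level.INHIBIT,
    })
    healthy = {name: (True, True, True) for name in cis.signal_levels}
    l1 = Level.FAST_SHUTDOWN
    out: Dict[str, bool] = {}
    out["healthy"] = cis.evaluate(healthy)[l1]
    # one channel faulty: tolerated, no trip
    out["single_channel_fault"] = cis.evaluate(
        {**healthy, "coil_current_ok": (False, True, True)})[l1]
    # one channel demanding plus one channel lost: 2oo3 trips
    out["two_channel_demand"] = cis.evaluate(
        {**healthy, "coil_current_ok": (False, None, True)})[l1]
    out["reset_while_demanded"] = cis.reset(l1)
    # inputs back to healthy: output stays latched until reset
    out["latched_after_recovery"] = cis.evaluate(healthy)[l1]
    out["reset_after_recovery"] = cis.reset(l1)
    out["cleared"] = cis.evaluate(healthy)[l1]
    # a whole signal missing from the scan (e.g. a cut link) raises its level
    no_cooling = {k: v for k, v in healthy.items() if k != "cooling_ready"}
    out["lost_signal_inhibits"] = cis.evaluate(no_cooling)[Level.INHIBIT]
    return out


if __name__ == "__main__":
    for check, value in run_scenario().items():
        print(f"{check:24s} {value}")
```

The three properties worth checking in any real implementation are the ones the scenario exercises: a single faulty channel neither trips nor masks a trip, an output raised by a transient demand stays raised until an operator reset, and a missing or invalid reading is treated as a demand rather than as "healthy".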
Safety Systems
Main system requirements:
- The CSS (Central Safety System) for nuclear risk and personnel access shall be classified as a SIC system, implementing safety functions of category B (IEC 61226) with systems of class 2 (IEC 61513)
- The CSS for conventional risks shall be designed to a high integrity level conforming to Safety Integrity Level (SIL) 3 (IEC 61508)
- Safety functions of category A shall be implemented via hardwired logic with systems of class 1
- No common cause failure
- Multiple lines of defence
Covered by PCDH
Safety Systems
Equipment required (PCDH chapter 7):
- Highly reliable and available PLC systems (Class 2)
- Hardwired logic (Class 1)
- Various types of transducers
- Various types of networks: TCP/IP, safety field buses, monitored hardwired links
- Supervisory systems
- Long-term safe data storage
- Safety operator’s desks
Covered by PCDH
Plant System I&C – Life Cycle (PCDH chapters 2.4 and 3)
[Diagram: division of responsibility between IO and the Domestic Agency (DA) for the three kinds of Procurement Arrangement: Build to print, Detailed design, Functional specifications; with check points along the life cycle.]
Short-term Schedule
A proper long-term plan shall be developed in the next months.
Some ideas for 2009-2011
- Cooperation agreement with CERN
- Machine Protection Interlock & Safety Support (framework contract, in-sourcing)
- CODAC Engineering Support (framework contract, in-sourcing)
- SW tools for packaging and training
- Customization/improvements of CODAC communication middleware and SCADA functionality
- Supply of Mini CODAC application layer modules
- Supply of customized Mini CODAC systems for NB, Cryo, PS, etc.
- Design and supply of CODAC networks
- Study of scientific data streaming
- Prototype Data Acquisition and Data Streaming Architecture
- Prototype and case study for plasma feedback control
- Prototype Plasma Control System Architectures
- Prototype CODAC Supervisor
- Prototype integration of the Pulse Execution System
- Analysis of fault scenarios for machine protection
- Prototype evaluation of highly available interlock architectures
- Formal models for Instrumented Central Safety Systems
- Supply of the Central Interlock System
Conclusions
- The Plant Control Design Handbook (PCDH) defines standards, specifications and interfaces applicable to ITER Plant Systems Instrumentation & Control (I&C)
- PCDH is applicable to all Procurement Arrangements having any I&C
- PCDH covers hardware, software and the development process
- PCDH contains mandatory standards and recommendations
- The next release of PCDH is due in April 2009
- PCDH is a living document and will be released on a regular basis throughout the lifetime of ITER
- ITER IO is committed to develop, support, maintain and enforce the PCDH standards in order to successfully integrate, and contain the cost of, the ITER control system
- First prototype in the IO lab: Sep ’08
END
Backup Slides
Contract strategy (1/2)
[Gantt chart, 2009 to 2019 by quarter, with the milestones Start of Tokamak assembly, Start of Integrated commissioning and First Plasma. Bars shown:
- Assistance Contracts: I&C Support for Plant Systems; CODAC Support; Central Interlock and Safety Systems Support; Prototypes realization (x 10)
- Procurement Contracts: Central Interlock Systems realization (x 3); Central Safety Systems realization (x 3); CODAC sub-systems development and realization (~x 10); I&C Plant Systems development and realization (~x 100)
Legend: in fund, contracts placed by ITER IO; in kind, contracts placed by ITER DAs; task agreements, most probably no contracts with industry.]
Contract strategy (2/2)
Support:
- Technical Specifications
- Engineering design
- Engineering studies
- Performance evaluations
- Safety studies
- Modeling and simulations
- Pre-construction drawings
- PID and Functional drawings
- Security engineering technical reviews
- Provisioning and logistics
- Quality Assurance
- Contract preparation
- Planning and Scheduling
- Verification and Validation
- Commissioning coordination
Realization:
- Final Design
- Software (SW) development
- Procurement of equipment
- Hardware (HW) assembly
- SW & HW Integration
- Configuration and data management
- Overall documentation: detailed design documents, PID and Functional drawings, construction drawings, as-built folders, installation procedures, commissioning procedures, operation manuals, maintenance manuals
- Factory and site acceptance
- Site installation
- Site Commissioning
CODAC contracts today
Self-description dataflow: development
[Diagram; the numbered exchanges between the Plant System (PS) developer and CODAC, in order:]
1. PS description
2. PSH static configuration; development tools project files
3. PS devices programs + static configuration
4. PS parameters
5. PS dynamic parameters
6. PS devices dynamic parameters
7. PS data
8. PS data
9. PS response
10. Problem report
11. Regular transfer
12. CODAC test data; PS development progress; PS requirements and needs