Plant System I&C Architecture - ITER

PDF generated on 17 Dec 2014

DISCLAIMER: UNCONTROLLED WHEN PRINTED – PLEASE CHECK THE STATUS OF THE DOCUMENT IN IDM

Technical Specifications (In-Cash Procurement)

Plant System I&C Architecture

This technical note discusses the architecture of the ITER Plant System Instrumentation & Control System. There will be more than 160 of these systems, each with different characteristics and requirements. They all have to be integrated in the ITER I&C System.

IDM UID: 32GEBH

VERSION CREATED ON / VERSION / STATUS: 26 Nov 2014 / 2.5 / Approved

EXTERNAL REFERENCE

ITER_D_32GEBH v2.5

Table of Contents

1 INTRODUCTION
1.1 Objective
1.2 Assumptions
1.3 References
1.4 Acronyms

2 PHYSICAL ARCHITECTURE
2.1 OSI layer 2 switch
2.2 Plant System Host
2.3 Fast Controller
2.4 Slow Controller
2.5 Interlock Controller
2.6 Occupational Safety Controller
2.7 Nuclear Safety Logic Solvers
2.8 COTS Intelligent Device
2.9 Remote I/O
2.10 Signal Interface
2.11 Cubicles
2.12 CODAC Terminal
2.13 High Performance Networks
2.14 CODAC System / Mini-CODAC
2.15 Central Interlock System
2.16 Central Safety System for Occupational Safety
2.17 Central Safety System for Nuclear Safety

3 FUNCTIONAL ARCHITECTURE
3.1 Simplest possible Plant System I&C
3.2 Small Industrial Plant System I&C
3.3 Small Mixed Plant System I&C
3.4 Industrial Plant System I&C with Fast Acquisition
3.5 Complex Diagnostics Plant System I&C connected to PCS

4 CONCLUSIONS

1 INTRODUCTION

1.1 Objective

This technical note discusses the architecture of plant system I&C. The objectives are to identify and define the plant system I&C components and their relations, to analyze the feasibility of implementing different types of plant system I&C using these components and to identify any weaknesses and problems in the approach.

This document is part of the PCDH documentation package (Fig 1.1).

[Figure 1.1: PCDH core and satellite documents, v7. Codes in parentheses are IDM references. The boxes of the figure are listed below by group.]

Core PCDH (27LH2V): Plant system control philosophy; Plant system control Life Cycle; Plant system control specifications; CODAC interface specifications; Interlock I&C specification; Safety I&C specification

PS CONTROL DESIGN: Plant system I&C architecture (32GEBH) (this document); Methodology for PS I&C specifications (353AZY); CODAC Core System Overview (34SDZ5)

INTERLOCK CONTROLS: Guidelines for PIS design (3PZ2D2); Guidelines for PIS integration & config. (7LELG4); Management of local interlock functions (75ZVTY); PIS Operation and Maintenance (7L9QXR)

I&C CONVENTIONS: I&C Signal and variable naming (2UT8SH); ITER CODAC Glossary (34QECT); ITER CODAC Acronym list (2LT73V)

PS SELF DESCRIPTION DATA: Self description schema documentation (34QXCP)

CATALOGUES for PS CONTROL: Slow controllers products (333J63); Fast controller products (345X28); Cubicle products (35LXVZ); Integration kit for PS I&C (C8X9AE)

PS CONTROL INTEGRATION: The CODAC-PS Interface (34V362); PS I&C integration plan (3VVU9W); ITER alarm system management (3WCD7T); ITER operator user interface (3XLESZ); Guidelines for PON archiving (B7N2B7); PS Operating State management (AC2P4J); Guidelines for Diagnostic data structure (354SJ3)

PS CONTROL DEVELOPMENT: I&C signal interface (3299VT); PLC software engineering handbook (3QPL4H); Guidelines for fast controllers (333K4C); Software engineering and QA for CODAC (2NRS2K); Guidelines for I&C cubicle configurations (4H5DW6); CWS case study specifications (35W299)

NUCLEAR PCDH (2YNEFU)

OCCUPATIONAL SAFETY CONTROLS: Guidelines for PSS design (C99J7G)

Legend entries in the figure: Available and approved; This document; (XXXXXX) IDM ref.

Figure 1.1 Schema of PCDH documents

1.2 Assumptions

The analysis is based on the system design descriptions [RD1, RD4, RD6] and the Plant Control Design Handbook (PCDH) [RD2]. Design decisions taken between 2009 and 2014 are incorporated.

1.3 References

[RD1] CODAC DDD (ITER_D_6M58M9 v2.3)

[RD2] Plant Control Design Handbook (ITER_D_27LH2V v7.0)

[RD3] Signal and plant system I&C Variable Naming Convention (ITER_D_2UT8SH v8.1)

[RD4] Central Interlock System - Preliminary DDD (ITER_D_CW5PKC v3.3)

[RD5] I&C signal interface (ITER_D_3299VT v5.0)

[RD6] Central Safety System for Occupational Safety (CSS-OS) - Preliminary DDD (ITER_D_DFY725 v1.0)

1.4 Acronyms

CIN Central Interlock Network

CIS Central Interlock System

CODAC Control, Data Access and Communication

COS Common Operating State

COTS Commercial Off-The-Shelf

cRIO Compact Remote Input / Output

CSS Central Safety Systems

CSS-N Central Safety System for Nuclear

CSS-OS Central Safety System for Occupational Safety

DAN Data Archiving Network

EPICS Experimental Physics and Industrial Control System

FPGA Field Programmable Gate Array

HMI Human-Machine Interface

HPN High Performance Networks

I&C Instrumentation & Control

I/O Input / Output

IO ITER Organization

IOC Input / Output Controller

NTP Network Time Protocol

MRG-R Real-time enabled version of RHEL

OSI Open System Interconnect

PCI Peripheral Component Interconnect

PCIe PCI Express

PCS Plasma Control System

PLC Programmable Logic Controller

PON Plant Operation Network

PS Plant System

PSH Plant System Host

PV Process Variable

RD Reference Document

RHEL Red Hat Enterprise Linux

SDN Synchronous Databus Network

SIC Safety Important Component

TCN Time Communication Network

2 PHYSICAL ARCHITECTURE

Any plant system I&C is made up of a set of standard components. These standard components can be selected and combined in different ways to address the particular plant system I&C characteristics and requirements. The set of components can be viewed like Lego blocks to be assembled by the plant system I&C designer.

Figure 2-1 illustrates how the plant system I&C components can be connected to the central I&C networks. Normally a particular plant system I&C does not require all shown connections. Hardwired connections used by the interlock discharge loop and nuclear safety are not shown.

Figure 2-1 Network connections of plant system I&C

The baseline physical network topology is flat, i.e. all non-safety components are connected to the Plant Operation Network (PON) via a switch as illustrated in Figure 2-2. Although it is possible to physically connect components in a hierarchical way using private networks, this is not recommended since it will make remote maintenance more difficult. For example, a development station for a controller (not shown) could be connected anywhere on the PON and reach the target controller. On the other hand, a plant system may need to deploy field networks below a controller; an example is indicated as the connection from controller to remote I/O in Figure 2-2. The Central Interlock Network (CIN) is an independent network connecting the interlock controller to the Central Interlock System. The Central Safety System is split in two parts, one for occupational safety and one for nuclear safety. The Central Safety Networks (CSN-OS and CSN-N) are independent segregated networks connecting safety controllers and logic solvers to the Central Safety Systems. The High Performance Networks (HPN) are physically separated networks, which may connect to the Plant System Host and/or fast controllers depending on the particular plant system I&C. The HPN lines pointing to the grey area indicate a possible connection as detailed in Chapter 3. All network connections are provided by network panels distributed throughout all ITER site buildings. Nuclear safety logic solvers connect to CSS-N SIC cubicles in dedicated SIC rooms.

Actuators, sensors and analogue signal conditioning are considered outside the scope of plant system I&C.

Figure 2-2 Illustration of a possible plant system I&C physical architecture. Lines are cables.

2.1 OSI layer 2 switch

The OSI layer 2 switch is an IO furnished standard Ethernet switch which allows full management of the Plant Operation Network (PON). The OSI layer 2 switch is installed in a plant system I&C cubicle. There are one or more OSI layer 2 switches in a particular plant system I&C.

2.2 Plant System Host

The Plant System Host (PSH) is an IO furnished hardware and software component installed in a plant system I&C cubicle. There is one and only one PSH in a plant system I&C. The PSH runs RHEL (Red Hat Enterprise Linux) and has EPICS (Experimental Physics and Industrial Control System) soft IOCs (Input / Output Controllers). It provides standard CODAC services such as health monitoring, common state management, maintenance functions and time source. The PSH is fully data driven, i.e. it is customized for a particular plant system I&C by self-description. There is no plant specific code in a PSH. A PSH has no I/O.

2.3 Fast Controller

A fast controller is a dedicated industrial controller implemented in PCI family form factor with PCIe communication fabric installed in a plant system I&C cubicle. There may be zero, one or many fast controllers in a plant system I&C. A fast controller runs RHEL or MRG-R and has EPICS IOCs; it acts as a channel access server and exposes process variables (PV) [RD3] to the PON. A fast controller normally has I/O and the IO supports a set of standard I/O modules with associated EPICS drivers. A fast controller may have interfaces to high performance networks (HPN), i.e. the Synchronous Databus Network (SDN) for real-time control and events, Time Communication Network (TCN) for absolute time synchronization and/or Data Archive Network (DAN) for high throughput archiving. Fast controllers involved in critical real-time operations run a real time (RT) enabled version of Linux (MRG-R) on a separate core or CPU. A fast controller can have plant-specific logic and can act as supervisor for other fast controllers and/or slow controllers. The Plant System Operating State is maintained by the supervising controller.

2.4 Slow Controller

A slow controller is a Siemens Simatic S7 industrial programmable logic controller (PLC) installed in a plant system I&C cubicle. There may be zero, one or many slow controllers in a plant system I&C. A slow controller runs software and plant-specific logic programmed with Step 7 and interfaces to either the PSH or a fast controller using an IO-furnished interface (EPICS driver and self description). A slow controller normally has I/O and the IO supports a set of standard I/O modules. A slow controller has no interface to the HPN. A slow controller can synchronize its time using NTP over PON. A slow controller can act as supervisor for other slow controllers. The Plant System Operating State is maintained by the supervising controller.

2.5 Interlock Controller

An interlock controller is a Siemens Simatic S7 FH industrial programmable logic controller (PLC) and/or a cRIO FPGA controller installed in a plant system I&C cubicle, possibly with hardwired logic for high performance protection functions. There may be zero, one or many interlock controllers in a plant system I&C. An interlock controller runs software and plant specific logic programmed with Step 7 or LabVIEW FPGA, interfaces to the Central Interlock System via CIN and to PSH via PON for non-critical data. An interlock controller normally has I/O and IO supports a set of standard I/O modules. An interlock controller can act as supervisor for other interlock controllers.

2.6 Occupational Safety Controller

The technology for occupational safety controllers is identical to that of the Siemens interlock controller. There may be zero, one or many occupational safety controllers in a plant system I&C. An occupational safety controller has I/O and the IO supports a set of standard I/O modules.

2.7 Nuclear Safety Logic Solvers

A nuclear safety logic solver is a Siemens Simatic S7-400F/FH PLC for SIC 2 cat C and SR cat C systems, and HIMA Planar 4 solid state for SIC 1 cat A and SIC 2 cat B systems. There may be zero, one or many nuclear safety logic solvers in a plant system I&C. A nuclear safety logic solver has I/O and IO supports a set of standard I/O modules.

2.8 COTS Intelligent Device

A COTS intelligent device is a commercial off-the-shelf controller, which implements an integrated control function, e.g. a building management system or a power supply controller (such as intelligent electronic devices as defined by IEC 61850). A COTS intelligent device has an ethernet interface and is considered a black box in the ITER I&C System. A COTS intelligent device can be physically connected either to the OSI layer 2 switch or as a slave to a slow or fast controller. It is the responsibility of the plant system I&C developer to design and implement an interface, either to a slow controller or to a fast controller. The use of a COTS intelligent device in a plant system I&C has to be approved by the IO through the deviations policy defined in [RD2]. A COTS intelligent device is not maintained by the IO.

2.9 Remote I/O

A remote I/O device is an I/O chassis, with or without intelligence, geographically separated from other plant system I&C components. A remote I/O device is connected to a slow controller or fast controller via a field network or a field bus. The IO provides a catalogue of standard remote I/O devices. An intelligent remote I/O device can be a slow controller or an EPICS enabled controller viewed as a fast controller from the CODAC System / Mini-CODAC.

2.10 Signal Interface

A signal interface is the mechanics, cabling and electronics between the actuators/sensors/analogue signal conditioning and the controllers. Signal interfaces are described in [RD5].

2.11 Cubicles

The components (switches, PSH, fast and slow controllers, part of the signal interface) are embedded within cubicles defined in an IO catalogue of products. The unit for hardware delivery between the PS suppliers and the IO is a cubicle together with spare parts.

2.12 CODAC Terminal

A CODAC terminal is a standard terminal, connected to PON, providing a display unit and input devices (keyboard and mouse) to allow a human user to interact with the plant system I&C.

2.13 High Performance Networks

High performance networks are physically dedicated networks to implement functions which are not achievable with the conventional Plant Operation Network. These functions are distributed real-time feedback control, high accuracy time synchronization and bulk data distribution.

2.14 CODAC System / Mini-CODAC

The CODAC System / Mini-CODAC is not part of the plant system I&C. Mini-CODAC, which is a scaled down version of the CODAC System, is provided by the IO to all plant system I&C developers as a software package. Mini-CODAC provides all of the tools necessary to configure the plant system I&C, to implement the HMI, to monitor and supervise the plant system I&C, to configure and manage the networks and to perform the factory acceptance test. The early use of Mini-CODAC in the development process will make later on-site integration seamless.

2.15 Central Interlock System

The Central Interlock System (CIS) is not part of the plant system I&C. The Central Interlock System provides all necessary tools to configure the interlock controller(s), to monitor and supervise the interlock controller(s), to configure and manage the CIN and to carry out the inter-plant protection functions.

2.16 Central Safety System for Occupational Safety

The Central Safety System for Occupational Safety (CSS-OS) is not part of the plant system I&C.

2.17 Central Safety System for Nuclear Safety

The Central Safety System for Nuclear Safety (CSS-N) is not part of the plant system I&C.
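The component rules of chapter 2 can be checked mechanically against a plant system inventory. The following is an added example, not part of the ITER note or of any CODAC tool: the `Component` record, the kind names and both sample inventories are constructed for illustration, and treating safety controllers as attached only to their Central Safety Network is this example's reading of "all non-safety components are connected to the PON".

```python
"""Lint a plant system I&C inventory against the chapter 2 component rules."""
from dataclasses import dataclass, field
from typing import Optional

HPN = {"SDN", "TCN", "DAN"}                      # High Performance Networks
CONTROLLERS = {"slow_controller", "fast_controller"}

# Networks each component kind may attach to (sections 2, 2.2 to 2.7).
# Safety controllers being CSN-only is an assumption of this example.
ALLOWED = {
    "psh": {"PON"} | HPN,
    "fast_controller": {"PON"} | HPN,
    "slow_controller": {"PON"},                  # "no interface to the HPN"
    "interlock_controller": {"PON", "CIN"},
    "occupational_safety_controller": {"CSN-OS"},
    "nuclear_safety_logic_solver": {"CSN-N"},
}
# Kinds the flat baseline topology expects on the PON.
ON_PON = {"psh", "fast_controller", "slow_controller", "interlock_controller"}


@dataclass
class Component:
    name: str
    kind: str
    networks: set = field(default_factory=set)
    has_io: bool = False
    parent: Optional[str] = None       # controller this device hangs below
    deviation_approved: bool = False   # COTS devices only (section 2.8)


def lint(components):
    """Return (component name, finding) tuples; an empty list means clean."""
    findings = []
    by_name = {c.name: c for c in components}
    kinds = [c.kind for c in components]

    if kinds.count("psh") != 1:
        findings.append(("plant", f"expected exactly one PSH, found {kinds.count('psh')}"))
    if kinds.count("l2_switch") < 1:
        findings.append(("plant", "no OSI layer 2 switch"))

    for c in components:
        allowed = ALLOWED.get(c.kind)
        if allowed is not None and c.networks - allowed:
            extra = sorted(c.networks - allowed)
            findings.append((c.name, f"{c.kind} must not attach to {extra}"))
        if c.kind in ON_PON and "PON" not in c.networks:
            findings.append((c.name, "not on the PON, breaks the flat topology"))
        if c.kind == "psh" and c.has_io:
            findings.append((c.name, "a PSH has no I/O"))
        if c.kind in ("remote_io", "cots_device"):
            parent = by_name.get(c.parent) if c.parent else None
            below_controller = parent is not None and parent.kind in CONTROLLERS
            if c.kind == "remote_io" and not below_controller:
                findings.append((c.name, "remote I/O must hang below a slow or fast controller"))
            if c.kind == "cots_device":
                if not (below_controller or "PON" in c.networks):
                    findings.append((c.name, "COTS device needs the switch or a controller"))
                if not c.deviation_approved:
                    findings.append((c.name, "COTS device lacks an approved deviation"))
    return findings


# Constructed inventory shaped like the small industrial example of Figure 3.2.
GOOD = [
    Component("sw-1", "l2_switch", {"PON"}),
    Component("psh-1", "psh", {"PON", "TCN"}),
    Component("plc-1", "slow_controller", {"PON"}, has_io=True),
    Component("plc-2", "slow_controller", {"PON"}, has_io=True),
    Component("pis-1", "interlock_controller", {"PON", "CIN"}, has_io=True),
    Component("pss-1", "occupational_safety_controller", {"CSN-OS"}, has_io=True),
    Component("rio-1", "remote_io", parent="plc-2", has_io=True),
]

# Constructed inventory with one violation per rule family.
BAD = [
    Component("sw-1", "l2_switch", {"PON"}),
    Component("psh-1", "psh", {"PON", "TCN"}),
    Component("psh-2", "psh", {"PON"}),                            # second PSH
    Component("plc-1", "slow_controller", {"PON"}, has_io=True),
    Component("plc-2", "slow_controller", {"PON", "SDN"}),         # PLC on HPN
    Component("pis-1", "interlock_controller", {"PON", "CIN"}),
    Component("pss-1", "occupational_safety_controller", {"CSN-OS", "PON"}),
    Component("cots-1", "cots_device", {"PON"}),                   # no deviation
    Component("rio-1", "remote_io", parent="psh-1"),               # wrong parent
]

if __name__ == "__main__":
    for name, finding in lint(BAD):
        print(f"{name}: {finding}")
```

Findings on the safety and interlock kinds matter most, since a controller that also appears on the PON or an HPN bridges networks the architecture keeps segregated.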

3 FUNCTIONAL ARCHITECTURE

Despite the flat network topology explained in the previous chapter, the functional architecture may be more hierarchical. In this chapter a number of example architectures are analysed. Arrows are functional data flows, which can be mapped to the flat physical architecture presented in Chapter 2.

3.1 Simplest possible Plant System I&C

In this example (Figure 3.1) we have the simplest possible plant system I&C consisting of only one slow controller. The slow controller interfaces via a signal interface to actuators and sensors.

Figure 3.1. Functional architecture and dataflow of the simplest possible plant system I&C

The CODAC System / Mini-CODAC sends commands and, if required, publishes data from other plant system I&C to the PSH using the channel access protocol (1). This interface is also used to set runtime configuration properties. The PSH publishes data, alarms and logs to CODAC System / Mini-CODAC using the channel access protocol (2). This interface is also used to retrieve configuration properties. The interface between the PSH and the CODAC System / Mini-CODAC is fully defined and configured by self-description.

The PSH and slow controller exchange data using the standard interface provided by the IO (3). This interface is fully defined and configured by self-description. The PSH manages the COS.

The slow controller interfaces to actuators and sensors via a signal interface and contains plant-specific software and logic programmed with Step 7.

The PSH receives absolute time from the TCN (4). The absolute time on the slow controller can be set using NTP with the PSH as the NTP relay.

3.2 Small Industrial Plant System I&C

In this example (Figure 3.2) we have a small plant system I&C consisting of three slow controllers. One slow controller is elevated as the supervising controller. The other two slow controllers interface to actuators and sensors via a signal interface. In addition, the plant system I&C implements interlock and occupational safety functions.

Figure 3.2. Functional architecture and dataflow of a small industrial plant system I&C

The CODAC System / Mini-CODAC sends commands and, if required, publishes data from other plant system I&C to the PSH using the channel access protocol (1). This interface is also used to set runtime configuration properties. The PSH publishes data, alarms and logs to CODAC System / Mini-CODAC using the channel access protocol (2). This interface is also used to retrieve configuration properties. The interface between the PSH and CODAC System / Mini-CODAC is fully defined and configured by self-description.

The PSH and supervising slow controller exchange data using the standard interface provided by the IO (3). This interface is fully defined and configured by self-description. The PSH supervises the supervising slow controller to manage COS.

The supervising slow controller implements plant specific coordination software and logic programmed with Step 7. The supervising slow controller interfaces to two other slow controllers (5) through the PON. The supervising slow controller could also have a direct interface to actuators and sensors via a signal interface (not shown). Non supervising slow controllers could also have direct interfaces to the PSH (not shown).

Two slow controllers interface to actuators and sensors via a signal interface and contain plant specific software and logic programmed with Step 7.

The PSH receives absolute time from TCN (4). The absolute time on the slow controllers can be set using NTP with the PSH as an NTP relay.

The Central Interlock System sends commands to the interlock controller using the CIN (15). This interface is also used to set configuration properties. The interlock controller sends events, publishes data, alarms and logs to the Central Interlock System using the CIN (16). This interface is also used to retrieve configuration properties.

The interlock controller sends analogue and digital non-critical data to the PSH (17) for monitoring and logging purposes. The absolute time can be set using NTP.

The CODAC System receives data from the Central Interlock System to be displayed via the HMI and to be archived for post-mortem analysis following an interlock event via a dedicated secured gateway (not shown) using the channel access protocol (18). It sends its interlock signals by means of a dedicated secured gateway (19) and the requests for acknowledgement of alarms via a dedicated secured gateway using the channel access protocol (19).

The Central Safety System Occupational sends commands to the safety controller using the CSN-OS (20). This interface is also used to set configuration properties and to distribute the absolute time. The occupational safety controller sends events, publishes data, alarms and logs to the Central Safety System Occupational using the CSN-OS (21). This interface is also used to retrieve configuration properties.

The CODAC System receives very limited data from the Central Safety System Occupational to be displayed via the HMI and to be archived for post-mortem analysis following an occupational safety event via a dedicated secured gateway (not shown) using the channel access protocol (22).
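The numbered flows of this section can be mapped onto the networks of chapter 2 to see which network carries each one and which flows must pass the secured gateway. The following is an added example, not part of the ITER note: host names and the attachment table are constructed, and CODAC being attached to the PON only is an assumption.

```python
"""Map the section 3.2 functional flows onto the chapter 2 networks."""

# Constructed attachment table for the Figure 3.2 plant system. Host names are
# this example's own; CODAC attached to the PON only is an assumption.
ATTACHED = {
    "codac": {"PON"},
    "psh": {"PON", "TCN"},
    "plc-sup": {"PON"}, "plc-a": {"PON"}, "plc-b": {"PON"},
    "pis": {"PON", "CIN"},          # interlock controller
    "cis": {"CIN"},                 # Central Interlock System
    "pss": {"CSN-OS"},              # occupational safety controller
    "css-os": {"CSN-OS"},
}

# (flow number in section 3.2, source, destination, via secured gateway)
FLOWS = [
    (1, "codac", "psh", False),
    (2, "psh", "codac", False),
    (3, "psh", "plc-sup", False), (3, "plc-sup", "psh", False),
    (5, "plc-sup", "plc-a", False), (5, "plc-a", "plc-sup", False),
    (5, "plc-sup", "plc-b", False), (5, "plc-b", "plc-sup", False),
    (15, "cis", "pis", False),
    (16, "pis", "cis", False),
    (17, "pis", "psh", False),
    (18, "cis", "codac", True),
    (19, "codac", "cis", True),
    (20, "css-os", "pss", False),
    (21, "pss", "css-os", False),
    (22, "css-os", "codac", True),
]
# Flow (4), absolute time from the TCN to the PSH, has a network rather than
# a host as its source and is left out of the table.


def carrier(src, dst):
    """Return the single network both hosts attach to, or None."""
    shared = ATTACHED[src] & ATTACHED[dst]
    return next(iter(shared)) if len(shared) == 1 else None


def plan():
    """Resolve each documented flow to its carrying network or 'gateway'."""
    resolved = {}
    for number, src, dst, gateway in FLOWS:
        net = carrier(src, dst)
        if gateway:
            if net is not None:
                raise ValueError(f"flow {number}: hosts share {net}, gateway bypassable")
            resolved[(src, dst)] = (number, "gateway")
        elif net is None:
            raise ValueError(f"flow {number}: {src} and {dst} share no single network")
        else:
            resolved[(src, dst)] = (number, net)
    return resolved


def check(src, dst, network):
    """Classify one observed host-to-host conversation."""
    resolved = plan()
    if (src, dst) not in resolved:
        return f"undocumented flow {src} -> {dst} on {network}"
    number, expected = resolved[(src, dst)]
    if expected == "gateway":
        return f"flow {number} must cross the secured gateway, seen direct on {network}"
    if network != expected:
        return f"flow {number} expected on {expected}, seen on {network}"
    return f"ok: flow {number} on {network}"


if __name__ == "__main__":
    for pair, (number, net) in sorted(plan().items(), key=lambda kv: kv[1][0]):
        print(number, pair, net)
    print(check("codac", "pis", "PON"))
```

Only flows 18, 19 and 22 resolve to the gateway, which makes it the single place where traffic between the PON and the interlock or safety networks should ever be observed.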

3.3 Small Mixed Plant System I&C

In this example (Figure 3.3) we have a small plant system I&C consisting of one slow controller and one fast controller. The fast controller may be supervising the slow controller or they may be independent (not needing any coordination). The two controllers both interface to actuators and sensors via a signal interface. In addition the plant system I&C implements interlock functions.

The CODAC System / Mini-CODAC sends commands and, if required, publishes data from other plant system I&C to the PSH using the channel access protocol (1). This interface is also used to set runtime configuration properties. The CODAC System / Mini-CODAC may also send commands and, if required, publish data from other plant system I&C to the fast controller using the channel access protocol (6). The PSH publishes data, alarms and logs to the CODAC System / Mini-CODAC using the channel access protocol (2). This interface is also used to retrieve configuration properties. The fast controller may also publish data, alarms and logs to CODAC System / Mini-CODAC using the channel access protocol (7). The interface between the PSH and the CODAC System / Mini-CODAC is fully defined and configured by self-description.

The PSH and slow controller exchange data using the standard interface provided by the IO (3). This interface is fully defined and configured by self-description.

The PSH supervises the fast controller (8) to manage COS.

The slow controller implements plant-specific software and logic programmed with Step 7. The slow controller interfaces via the signal interface to actuators and sensors.

The fast controller implements plant-specific logic in EPICS. The fast controller interfaces to actuators and sensors via the signal interface.

The fast controller could also interface directly to the slow controller using the standard interface provided by the IO (9).

The PSH receives absolute time from the TCN (4). The absolute time on the slow controller and fast controller can be set using NTP with the PSH as an NTP relay. Alternatively, the fast controller could also be connected to the TCN.

Figure 3.3. Functional architecture and dataflow of a small mixed plant system I&C

The Central Interlock System sends commands to the interlock controller using the CIN (15). This interface is also used to set configuration properties. The interlock controller sends events, publishes data, alarms and logs to the Central Interlock System using the CIN (16). This interface is also used to retrieve configuration properties.

The interlock controller sends analogue and digital non-critical data to the PSH (17) for monitoring and logging purposes. The absolute time can be set using NTP.

The CODAC System receives data from the Central Interlock System to be displayed via the HMI and to be archived for post-mortem analysis following an interlock event via a dedicated secured gateway (not shown) using the channel access protocol (18). It sends its interlock signals by means of a dedicated secured gateway (19) and the requests for acknowledgement of alarms via a dedicated secured gateway using the channel access protocol (19).

3.4 Industrial Plant System I&C with Fast Acquisition

In this example (Figure 3.4) we have a plant system I&C consisting of many slow controllers, one COTS intelligent device, one remote I/O and one fast controller dedicated to fast acquisition. In addition, the plant system I&C implements interlock functions.

Figure 3.4. Functional architecture and dataflow of an industrial plant system I&C with fast acquisition

The CODAC System / Mini-CODAC sends commands and, if required, publishes data from other plant system I&C to the PSH using the channel access protocol (1). This interface is also used to set runtime configuration properties. The CODAC System / Mini-CODAC may also send commands and, if required, publish data from other plant system I&C to the fast controller using the channel access protocol (6). The PSH publishes data, alarms and logs to the CODAC System / Mini-CODAC using the channel access protocol (2). This interface is also used to retrieve configuration properties. The fast controller may also publish data, alarms and logs to CODAC System / Mini-CODAC using the channel access protocol (7). This interface can also be used to transfer acquired data for visualization and archiving. The interface between the PSH and the CODAC System / Mini-CODAC is fully defined and configured by self-description.

The PSH and supervising slow controller exchange data using the standard interface provided by the IO (3). This interface is also fully defined and configured by self-description. The PSH manages the COS.

The supervising slow controller implements plant-specific coordination software and logic programmed with Step 7. The supervising slow controller interfaces to four other slow controllers and one COTS intelligent device (5). The supervising slow controller could also have a direct interface to actuators and sensors via the signal interface (not shown). The non-supervising slow controllers could also have direct interfaces to the PSH (not shown).

The slow controllers implement plant-specific software and logic programmed with Step 7. One slow controller interfaces to a remote I/O (11).

The slow controllers, remote I/O and COTS intelligent device interface to actuators and sensors.

The PSH supervises the fast controller (8) to manage the COS.

The fast controller implements plant-specific logic in EPICS. The fast controller interfaces to actuators and sensors via the signal interface.

Data acquisition by the fast controller can be triggered by the PSH (8), slow controller (9), CODAC System / Mini-CODAC (6) and/or the TCN (10). The latter can be through a pre-programmed trigger(s) or pre-programmed absolute time(s). The acquired data is streamed out on DAN (20) to the high throughput archive system.

The PSH receives absolute time from the TCN (4). The fast controller receives absolute time from the TCN (10). The absolute time on the slow controllers can be set using the NTP with the PSH as an NTP relay.

The Central Interlock System sends commands to the interlock controllers using the CIN (15). This interface is also used to set configuration properties. The interlock controller sends events, publishes data, alarms and logs to the Central Interlock System using the CIN (16). This interface is also used to retrieve configuration properties.

The interlock controller sends analogue and digital non-critical data to the PSH (17) for monitoring and logging purposes. The absolute time can be set using NTP.

The CODAC System receives data from the Central Interlock System to be displayed via the HMI and data to be archived for post-mortem analysis following an interlock event via a dedicated secured gateway (not shown) using the channel access protocol (18). It sends its interlock signals by means of a dedicated secured gateway (19) and the requests for acknowledgement of alarms via a dedicated secured gateway using the channel access protocol (19).
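The dataflow of this section can be checked mechanically. The following added example (not part of the ITER document) encodes the numbered interfaces of section 3.4 as directed edges and verifies that no component outside the interlock tier reaches the Central Interlock System or the interlock controller except through the dedicated secured gateway. The node names, the bidirectional reading of interfaces (3), (5) and (11), and the single gateway node are assumptions.

```python
from collections import deque

# Directed flows of section 3.4, keyed by the interface numbers in the text.
# Assumptions: "exchange data" / "interfaces to" links (3), (5), (11) are
# modelled as bidirectional; one GATEWAY node stands for the dedicated
# secured gateway(s) of (18)/(19); node names are illustrative.
FLOWS = [
    (1, "CODAC", "PSH"), (2, "PSH", "CODAC"),
    (3, "PSH", "SUP_SLOW"), (3, "SUP_SLOW", "PSH"),
    (4, "TCN", "PSH"),
    (5, "SUP_SLOW", "SLOW"), (5, "SLOW", "SUP_SLOW"),
    (5, "SUP_SLOW", "COTS"), (5, "COTS", "SUP_SLOW"),
    (6, "CODAC", "FAST"), (7, "FAST", "CODAC"),
    (8, "PSH", "FAST"), (9, "SLOW", "FAST"), (10, "TCN", "FAST"),
    (11, "SLOW", "REMOTE_IO"), (11, "REMOTE_IO", "SLOW"),
    (15, "CIS", "INTERLOCK"), (16, "INTERLOCK", "CIS"),
    (17, "INTERLOCK", "PSH"),            # one-way: monitoring and logging only
    (18, "CIS", "GATEWAY"), (18, "GATEWAY", "CODAC"),
    (19, "CODAC", "GATEWAY"), (19, "GATEWAY", "CIS"),
    (20, "FAST", "ARCHIVE"),
]
INTERLOCK_TIER = {"CIS", "INTERLOCK"}

def reachable(flows, start, blocked=frozenset()):
    """Nodes reachable from start along directed flows, skipping blocked nodes."""
    adj = {}
    for _, src, dst in flows:
        adj.setdefault(src, set()).add(dst)
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in adj.get(queue.popleft(), ()):
            if nxt not in seen and nxt not in blocked:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def bypass_sources(flows):
    """Nodes outside the interlock tier that reach it without the gateway."""
    nodes = {n for _, s, d in flows for n in (s, d)}
    outside = nodes - INTERLOCK_TIER - {"GATEWAY"}
    return sorted(n for n in outside
                  if reachable(flows, n, blocked={"GATEWAY"}) & INTERLOCK_TIER)

if __name__ == "__main__":
    print("bypass sources as documented:", bypass_sources(FLOWS))
    # Constructed mis-wiring: interface (17) made bidirectional.
    print("with reverse (17):", bypass_sources(FLOWS + [(17, "PSH", "INTERLOCK")]))
```

The constructed reverse edge on interface (17) shows how a single bidirectional link from the PSH would expose the interlock controller to every component that can reach the PSH.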

3.5 Complex Diagnostics Plant System I&C connected to PCS

In this example (Figure 3.5) we have a complex diagnostics plant system I&C participating in plasma control and consisting of many fast controllers and one slow controller. In addition, the plant system I&C implements interlock functions.

The CODAC System / Mini-CODAC sends commands and, if required, publishes data from other plant system I&C to the PSH using the channel access protocol (1). This interface is also used to set runtime configuration properties. The CODAC System / Mini-CODAC may also send commands and, if required, publish data from other plant system I&C to the fast controller using the channel access protocol (6). The PSH publishes data, alarms and logs to the CODAC System / Mini-CODAC using the channel access protocol (2). This interface is also used to retrieve configuration properties. The fast controller may also publish data, alarms and logs to the CODAC System / Mini-CODAC using the channel access protocol (7). The interface between the PSH and the CODAC System / Mini-CODAC is fully defined and configured by self-description.

The PSH supervises the fast controller (8) to manage the COS.

Figure 3.5. Functional architecture and dataflow of a complex diagnostics plant system I&C connected to PCS

The supervising fast controller implements plant-specific coordination logic in EPICS. It also implements real-time logic using a real-time operating system on a different core or CPU. The supervising fast controller interfaces to three other fast controllers and one slow controller (5). The supervising fast controller and slow controller exchange data using the standard interface provided by the IO (8). The fast controllers may or may not run EPICS. The fast controllers implement plant-specific logic. The slow controller implements plant-specific software and logic programmed with Step 7. The supervising fast controller could also have a direct interface to actuators and sensors via a signal interface (not shown). The non-supervising fast and slow controllers could also have direct interfaces to the PSH (not shown). The non-supervising fast controllers could also have a direct interface to the CODAC System / Mini-CODAC (not shown).

The supervising fast controller streams data over PON to the CODAC System / Mini-CODAC for visualization (12). One of the fast controllers streams data on DAN (20) to the high throughput archive system.

The PSH receives absolute time from the TCN (4). The fast controller receives absolute time from the TCN (10). The absolute time on the slow controller and other fast controllers can be set using the NTP with the PSH as an NTP relay. Alternatively, other fast controllers could also be connected to the TCN.

The supervising fast controller pre-processes and publishes data for the PCS on the SDN (13). The raw data may originate from multiple other fast controllers. In addition, any fast controller could receive data from the SDN according to specific events in order to change acquisition behaviour.

The interlock controller sends analogue and digital non-critical data to the PSH (17) for monitoring and logging purposes. The Central Interlock System sends commands to the interlock controller using the CIN (15). This interface is also used to set configuration properties. The interlock controller sends events, publishes data, alarms and logs to the Central Interlock System using the CIN (16). This interface is also used to retrieve configuration properties.

The CODAC System receives data from the Central Interlock System to be displayed via the HMI and to be archived for post-mortem analysis following an interlock event via a dedicated secured gateway (not shown) using the channel access protocol (18). It sends its interlock signals by means of a dedicated secured gateway (19) and the requests for acknowledgement of alarms via a dedicated secured gateway using the channel access protocol (19).

4 CONCLUSIONS

In this technical note the standard components making up a plant system I&C have been identified and defined. The flexibility in combining these standard components in the design of different types of plant system I&C has been emphasized.